1 /* 2 * Copyright (c) 2015 The DragonFly Project. All rights reserved. 3 * 4 * This code is derived from software contributed to The DragonFly Project 5 * by Bill Yuan <bycn82@gmail.com> 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in 15 * the documentation and/or other materials provided with the 16 * distribution. 17 * 3. Neither the name of The DragonFly Project nor the names of its 18 * contributors may be used to endorse or promote products derived 19 * from this software without specific, prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 22 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, 27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 29 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 30 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 31 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 
 */

#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/systimer.h>
#include <sys/param.h>
#include <sys/ucred.h>

#include <netinet/in_var.h>
#include <netinet/ip_var.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/in_var.h>
#include <netinet/in_pcb.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/ip_icmp.h>
#include <netinet/tcp.h>
#include <netinet/tcp_timer.h>
#include <netinet/tcp_var.h>
#include <netinet/tcpip.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/if_ether.h>

#include <net/ethernet.h>
#include <net/netmsg2.h>
#include <net/netisr2.h>
#include <net/route.h>

#include <net/ipfw3/ip_fw.h>

#include "ip_fw3_layer4.h"

/*
 * Filter entry points for the layer4 module.  They are registered with the
 * ipfw3 core in ipfw3_layer4_init() and cast to filter_func there, so their
 * signatures must stay in step with that typedef.
 */
void
check_tcpflag(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_uid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_gid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);

/*
 * Hand a filter result back to the ipfw3 core.
 *
 * cmd_val receives the match result (non-zero = matched) and cmd_ctl is
 * always IP_FW_CTL_NO, i.e. none of the layer4 opcodes alters rule flow.
 */
static inline void
layer4_report(int *cmd_ctl, int *cmd_val, int matched)
{
	*cmd_val = matched;
	*cmd_ctl = IP_FW_CTL_NO;
}

/*
 * Locate the local socket that owns the flow described by 'fid' and
 * compare its credential against 'id'.
 *
 * For O_LAYER4_UID, 'id' is a uid and the match succeeds when the socket
 * owner's cr_uid equals it.  For any other opcode 'id' is treated as a
 * gid and the match succeeds when the owner's credential is a member of
 * that group.  Only TCP and UDP flows can be resolved to a pcb; every
 * other protocol, and any flow without a socket, yields no match.
 *
 * Returns non-zero on match, 0 otherwise.
 */
static int
ipfw_match_guid(const struct ipfw_flow_id *fid, struct ifnet *oif,
    int opcode, uid_t id)
{
	struct inpcbinfo *pcbinfo;
	struct inpcb *inp;
	struct in_addr addr_src, addr_dst;
	boolean_t wildcard;

	switch (fid->proto) {
	case IPPROTO_TCP:
		/*
		 * Exact lookup only.  NOTE(review): a TCP flow that has no
		 * connected pcb yet (e.g. a SYN towards a listening socket)
		 * presumably cannot be resolved this way -- confirm against
		 * in_pcblookup_hash() before relying on uid/gid rules for
		 * inbound TCP.
		 */
		wildcard = FALSE;
		pcbinfo = &tcbinfo[mycpuid];
		break;
	case IPPROTO_UDP:
		/* Wildcard lookup, presumably so unconnected UDP sockets match. */
		wildcard = TRUE;
		pcbinfo = &udbinfo[mycpuid];
		break;
	default:
		return 0;
	}

	/* 'fid' carries host byte order; the pcb tables are keyed in network order. */
	addr_src.s_addr = htonl(fid->src_ip);
	addr_dst.s_addr = htonl(fid->dst_ip);

	/*
	 * Outbound (oif set): the packet's destination is the remote end.
	 * Inbound (oif NULL): the packet's source is the remote end.
	 */
	if (oif != NULL) {
		inp = in_pcblookup_hash(pcbinfo,
		    addr_dst, htons(fid->dst_port),
		    addr_src, htons(fid->src_port),
		    wildcard, oif);
	} else {
		inp = in_pcblookup_hash(pcbinfo,
		    addr_src, htons(fid->src_port),
		    addr_dst, htons(fid->dst_port),
		    wildcard, NULL);
	}
	if (inp == NULL || inp->inp_socket == NULL)
		return 0;

	if (opcode == O_LAYER4_UID)
		return inp->inp_socket->so_cred->cr_uid == id;
	return groupmember(id, inp->inp_socket->so_cred);
}

/*
 * O_LAYER4_TCPFLAG handler.
 *
 * Not implemented: it reports "no match" for every packet, so a rule
 * built on this opcode never fires.  A ruleset must not count on it for
 * enforcement until the check is completed.
 */
void
check_tcpflag(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	/* XXX TODO check tcpflag */
	layer4_report(cmd_ctl, cmd_val, 0);
}

/*
 * O_LAYER4_UID handler: match when the flow's socket is owned by the uid
 * stored in the instruction's first u32 operand.
 *
 * The operand is read from the installed rule body; this handler assumes
 * the control path already validated that the instruction is the u32 form
 * (TODO confirm -- the length is not re-checked here).
 */
void
check_uid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const ipfw_insn_u32 *insn = (const ipfw_insn_u32 *)cmd;
	struct ip_fw_args *a = *args;
	int matched;

	matched = ipfw_match_guid(&a->f_id, a->oif, cmd->opcode,
	    (uid_t)insn->d[0]);
	layer4_report(cmd_ctl, cmd_val, matched);
}

/*
 * O_LAYER4_GID handler: match when the flow's socket owner is a member of
 * the gid stored in the instruction's first u32 operand.
 *
 * Same operand-validation assumption as check_uid().
 */
void
check_gid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const ipfw_insn_u32 *insn = (const ipfw_insn_u32 *)cmd;
	struct ip_fw_args *a = *args;
	int matched;

	matched = ipfw_match_guid(&a->f_id, a->oif, cmd->opcode,
	    (gid_t)insn->d[0]);
	layer4_report(cmd_ctl, cmd_val, matched);
}

/*
 * Register the module and its three opcode handlers with the ipfw3 core.
 * The return value of register_ipfw_module() is not inspected.
 */
static int
ipfw3_layer4_init(void)
{
	static const struct {
		int opcode;
		filter_func fn;
	} layer4_filters[] = {
		{ O_LAYER4_TCPFLAG, (filter_func)check_tcpflag },
		{ O_LAYER4_UID,     (filter_func)check_uid },
		{ O_LAYER4_GID,     (filter_func)check_gid },
	};
	size_t i;

	register_ipfw_module(MODULE_LAYER4_ID, MODULE_LAYER4_NAME);
	for (i = 0; i < sizeof(layer4_filters) / sizeof(layer4_filters[0]); i++) {
		register_ipfw_filter_funcs(MODULE_LAYER4_ID,
		    layer4_filters[i].opcode, layer4_filters[i].fn);
	}
	return 0;
}

/* Detach the module from the ipfw3 core; propagates its status. */
static int
ipfw3_layer4_stop(void)
{
	return unregister_ipfw_module(MODULE_LAYER4_ID);
}

/* Kernel module event hook: load and unload are handled, all else ignored. */
static int
ipfw3_layer4_modevent(module_t mod, int type, void *data)
{
	if (type == MOD_LOAD)
		return ipfw3_layer4_init();
	if (type == MOD_UNLOAD)
		return ipfw3_layer4_stop();
	return 0;
}

static moduledata_t ipfw3_layer4_mod = {
	"ipfw3_layer4",
	ipfw3_layer4_modevent,
	NULL
};
DECLARE_MODULE(ipfw3_layer4, ipfw3_layer4_mod, SI_SUB_PROTO_END, SI_ORDER_ANY);
MODULE_DEPEND(ipfw3_layer4, ipfw3_basic, 1, 1, 1);
MODULE_VERSION(ipfw3_layer4, 1);