1
/*-
2
 * SPDX-License-Identifier: BSD-2-Clause
3
 *
4
 * Copyright 2005, Gleb Smirnoff <[email protected]>
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 *
16
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26
 * SUCH DAMAGE.
27
 */
28

29
#include "opt_inet.h"
30
#include "opt_inet6.h"
31

32
#include <sys/param.h>
33
#include <sys/systm.h>
34
#include <sys/kernel.h>
35
#include <sys/lock.h>
36
#include <sys/mbuf.h>
37
#include <sys/malloc.h>
38
#include <sys/ctype.h>
39
#include <sys/errno.h>
40
#include <sys/rwlock.h>
41
#include <sys/socket.h>
42
#include <sys/syslog.h>
43

44
#include <net/if.h>
45
#include <net/if_var.h>
46

47
#include <netinet/in.h>
48
#include <netinet/in_systm.h>
49
#include <netinet/in_var.h>
50
#include <netinet/ip_var.h>
51
#include <netinet/ip_fw.h>
52
#include <netinet/ip.h>
53
#include <netinet/ip6.h>
54
#include <netinet6/ip6_var.h>
55

56
#include <netpfil/ipfw/ip_fw_private.h>
57

58
#include <netgraph/ng_message.h>
59
#include <netgraph/ng_parse.h>
60
#include <netgraph/ng_ipfw.h>
61
#include <netgraph/netgraph.h>
62

63
static int		ng_ipfw_mod_event(module_t mod, int event, void *data);
64
static ng_constructor_t	ng_ipfw_constructor;
65
static ng_shutdown_t	ng_ipfw_shutdown;
66
static ng_newhook_t	ng_ipfw_newhook;
67
static ng_connect_t	ng_ipfw_connect;
68
static ng_findhook_t	ng_ipfw_findhook;
69
static ng_rcvdata_t	ng_ipfw_rcvdata;
70
static ng_disconnect_t	ng_ipfw_disconnect;
71

72
static hook_p		ng_ipfw_findhook1(node_p, uint32_t );
73
static int	ng_ipfw_input(struct mbuf **, struct ip_fw_args *, bool);
74

75
/* We have only one node */
76
static node_p	fw_node;
77

78
/* Netgraph node type descriptor */
79
static struct ng_type ng_ipfw_typestruct = {
80
	.version =	NG_ABI_VERSION,
81
	.name =		NG_IPFW_NODE_TYPE,
82
	.mod_event =	ng_ipfw_mod_event,
83
	.constructor =	ng_ipfw_constructor,
84
	.shutdown =	ng_ipfw_shutdown,
85
	.newhook =	ng_ipfw_newhook,
86
	.connect =	ng_ipfw_connect,
87
	.findhook =	ng_ipfw_findhook,
88
	.rcvdata =	ng_ipfw_rcvdata,
89
	.disconnect =	ng_ipfw_disconnect,
90
};
91
NETGRAPH_INIT(ipfw, &ng_ipfw_typestruct);
92
MODULE_DEPEND(ng_ipfw, ipfw, 3, 3, 3);
93

94
/* Information we store for each hook */
95
struct ng_ipfw_hook_priv {
96
        hook_p		hook;
97
	uint32_t	cookie;
98
};
99
typedef struct ng_ipfw_hook_priv *hpriv_p;
100

101
static int
102
ng_ipfw_mod_event(module_t mod, int event, void *data)
103
{
104
	int error = 0;
105

106
	switch (event) {
107
	case MOD_LOAD:
108

109
		if (ng_ipfw_input_p != NULL) {
110
			error = EEXIST;
111
			break;
112
		}
113

114
		/* Setup node without any private data */
115
		if ((error = ng_make_node_common(&ng_ipfw_typestruct, &fw_node))
116
		    != 0) {
117
			log(LOG_ERR, "%s: can't create ng_ipfw node", __func__);
118
                	break;
119
		}
120

121
		/* Try to name node */
122
		if (ng_name_node(fw_node, "ipfw") != 0)
123
			log(LOG_WARNING, "%s: failed to name node \"ipfw\"",
124
			    __func__);
125

126
		/* Register hook */
127
		ng_ipfw_input_p = ng_ipfw_input;
128
		break;
129

130
	case MOD_UNLOAD:
131
		 /*
132
		  * This won't happen if a node exists.
133
		  * ng_ipfw_input_p is already cleared.
134
		  */
135
		break;
136

137
	default:
138
		error = EOPNOTSUPP;
139
		break;
140
	}
141

142
	return (error);
143
}
144

145
static int
146
ng_ipfw_constructor(node_p node)
147
{
148
	return (EINVAL);	/* Only one node */
149
}
150

151
static int
152
ng_ipfw_newhook(node_p node, hook_p hook, const char *name)
153
{
154
	hpriv_p	hpriv;
155
	uint32_t cookie;
156
	const char *cp;
157
	char *endptr;
158

159
	/* Protect from leading zero */
160
	if (name[0] == '0' && name[1] != '\0')
161
		return (EINVAL);
162

163
	/* Check that name contains only digits */
164
	for (cp = name; *cp != '\0'; cp++)
165
		if (!isdigit(*cp))
166
			return (EINVAL);
167

168
	/* Convert it to integer */
169
	cookie = (uint32_t)strtoul(name, &endptr, 10);
170
	if (*endptr != '\0')
171
		return (EINVAL);
172

173
	/* Allocate memory for this hook's private data */
174
	hpriv = malloc(sizeof(*hpriv), M_NETGRAPH, M_NOWAIT | M_ZERO);
175
	if (hpriv== NULL)
176
		return (ENOMEM);
177

178
	hpriv->hook = hook;
179
	hpriv->cookie = cookie;
180

181
	NG_HOOK_SET_PRIVATE(hook, hpriv);
182

183
	return(0);
184
}
185

186
/*
187
 * Set hooks into queueing mode, to avoid recursion between
188
 * netgraph layer and ip_{input,output}.
189
 */
190
static int
191
ng_ipfw_connect(hook_p hook)
192
{
193
	NG_HOOK_FORCE_QUEUE(hook);
194
	return (0);
195
}
196

197
/* Look up hook by name */
198
static hook_p
199
ng_ipfw_findhook(node_p node, const char *name)
200
{
201
	uint32_t n;	/* numeric representation of hook */
202
	char *endptr;
203

204
	n = (uint32_t)strtoul(name, &endptr, 10);
205
	if (*endptr != '\0')
206
		return NULL;
207
	return ng_ipfw_findhook1(node, n);
208
}
209

210
/* Look up hook by rule number */
211
static hook_p
212
ng_ipfw_findhook1(node_p node, uint32_t cookie)
213
{
214
	hook_p	hook;
215
	hpriv_p	hpriv;
216

217
	LIST_FOREACH(hook, &node->nd_hooks, hk_hooks) {
218
		hpriv = NG_HOOK_PRIVATE(hook);
219
		if (NG_HOOK_IS_VALID(hook) && (hpriv->cookie == cookie))
220
                        return (hook);
221
	}
222

223
	return (NULL);
224
}
225

226
static int
227
ng_ipfw_rcvdata(hook_p hook, item_p item)
228
{
229
	struct m_tag *tag;
230
	struct ipfw_rule_ref *r;
231
	struct mbuf *m;
232
	struct ip *ip;
233

234
	NGI_GET_M(item, m);
235
	NG_FREE_ITEM(item);
236

237
	tag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL);
238
	if (tag == NULL) {
239
		NG_FREE_M(m);
240
		return (EINVAL);	/* XXX: find smth better */
241
	}
242

243
	if (m->m_len < sizeof(struct ip) &&
244
	    (m = m_pullup(m, sizeof(struct ip))) == NULL)
245
		return (ENOBUFS);
246

247
	ip = mtod(m, struct ip *);
248

249
	r = (struct ipfw_rule_ref *)(tag + 1);
250
	if (r->info & IPFW_INFO_IN) {
251
		switch (ip->ip_v) {
252
#ifdef INET
253
		case IPVERSION:
254
			ip_input(m);
255
			return (0);
256
#endif
257
#ifdef INET6
258
		case IPV6_VERSION >> 4:
259
			ip6_input(m);
260
			return (0);
261
#endif
262
		}
263
	} else {
264
		switch (ip->ip_v) {
265
#ifdef INET
266
		case IPVERSION:
267
			return (ip_output(m, NULL, NULL, IP_FORWARDING,
268
			    NULL, NULL));
269
#endif
270
#ifdef INET6
271
		case IPV6_VERSION >> 4:
272
			return (ip6_output(m, NULL, NULL, 0, NULL,
273
			    NULL, NULL));
274
#endif
275
		}
276
	}
277

278
	/* unknown IP protocol version */
279
	NG_FREE_M(m);
280
	return (EPROTONOSUPPORT);
281
}
282

283
static int
284
ng_ipfw_input(struct mbuf **m0, struct ip_fw_args *fwa, bool tee)
285
{
286
	struct mbuf *m;
287
	hook_p	hook;
288
	int error = 0;
289

290
	/*
291
	 * Node must be loaded and corresponding hook must be present.
292
	 */
293
	if (fw_node == NULL || 
294
	   (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info & IPFW_INFO_MASK)) == NULL)
295
		return (ESRCH);		/* no hook associated with this rule */
296

297
	/*
298
	 * We have two modes: in normal mode we add a tag to packet, which is
299
	 * important to return packet back to IP stack. In tee mode we make
300
	 * a copy of a packet and forward it into netgraph without a tag.
301
	 */
302
	if (tee == false) {
303
		struct m_tag *tag;
304
		struct ipfw_rule_ref *r;
305
		m = *m0;
306
		*m0 = NULL;	/* it belongs now to netgraph */
307

308
		tag = m_tag_alloc(MTAG_IPFW_RULE, 0, sizeof(*r),
309
			M_NOWAIT|M_ZERO);
310
		if (tag == NULL) {
311
			m_freem(m);
312
			return (ENOMEM);
313
		}
314
		r = (struct ipfw_rule_ref *)(tag + 1);
315
		*r = fwa->rule;
316
		r->info &= IPFW_ONEPASS;  /* keep this info */
317
		r->info |= (fwa->flags & IPFW_ARGS_IN) ?
318
		    IPFW_INFO_IN : IPFW_INFO_OUT;
319
		m_tag_prepend(m, tag);
320

321
	} else
322
		if ((m = m_dup(*m0, M_NOWAIT)) == NULL)
323
			return (ENOMEM);	/* which is ignored */
324

325
	if (m->m_len < sizeof(struct ip) &&
326
	    (m = m_pullup(m, sizeof(struct ip))) == NULL)
327
		return (EINVAL);
328

329
	NG_SEND_DATA_ONLY(error, hook, m);
330

331
	return (error);
332
}
333

334
static int
335
ng_ipfw_shutdown(node_p node)
336
{
337

338
	/*
339
	 * After our single node has been removed,
340
	 * the only thing that can be done is
341
	 * 'kldunload ng_ipfw.ko'
342
	 */
343
	ng_ipfw_input_p = NULL;
344
	NG_NODE_UNREF(node);
345
	return (0);
346
}
347

348
static int
349
ng_ipfw_disconnect(hook_p hook)
350
{
351
	const hpriv_p hpriv = NG_HOOK_PRIVATE(hook);
352

353
	free(hpriv, M_NETGRAPH);
354
	NG_HOOK_SET_PRIVATE(hook, NULL);
355

356
	return (0);
357
}
358

359