search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / sys / dist / ipf / netinet / ip_state.c
blobeb4d7b98ac2e102276efd880dff11606b15a0683
1 /* $NetBSD: ip_state.c,v 1.34 2009/08/19 08:36:13 darrenr Exp $ */
2
3 /*
4 * Copyright (C) 1995-2003 by Darren Reed.
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 *
8 * Copyright 2008 Sun Microsystems, Inc.
9 */
10 #if defined(KERNEL) || defined(_KERNEL)
11 # undef KERNEL
12 # undef _KERNEL
13 # define KERNEL 1
14 # define _KERNEL 1
15 #endif
16 #include <sys/errno.h>
17 #include <sys/types.h>
18 #include <sys/param.h>
19 #include <sys/file.h>
20 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
21 defined(_KERNEL)
22 # if (__NetBSD_Version__ < 399001400)
23 # include "opt_ipfilter_log.h"
24 # else
25 # include "opt_ipfilter.h"
26 # endif
27 #endif
28 #if defined(_KERNEL) && defined(__FreeBSD_version) && \
29 (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
30 #include "opt_inet6.h"
31 #endif
32 #if !defined(_KERNEL) && !defined(__KERNEL__)
33 # include <stdio.h>
34 # include <stdlib.h>
35 # include <string.h>
36 # define _KERNEL
37 # ifdef __OpenBSD__
38 struct file;
39 # endif
40 # include <sys/uio.h>
41 # undef _KERNEL
42 #endif
43 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
44 # include <sys/filio.h>
45 # include <sys/fcntl.h>
46 # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
47 # include "opt_ipfilter.h"
48 # endif
49 #else
50 # include <sys/ioctl.h>
51 #endif
52 #include <sys/time.h>
53 #if !defined(linux)
54 # include <sys/protosw.h>
55 #endif
56 #include <sys/socket.h>
57 #if defined(_KERNEL)
58 # include <sys/systm.h>
59 # if !defined(__SVR4) && !defined(__svr4__)
60 # include <sys/mbuf.h>
61 # endif
62 #endif
63 #if defined(__SVR4) || defined(__svr4__)
64 # include <sys/filio.h>
65 # include <sys/byteorder.h>
66 # ifdef _KERNEL
67 # include <sys/dditypes.h>
68 # endif
69 # include <sys/stream.h>
70 # include <sys/kmem.h>
71 #endif
72
73 #include <net/if.h>
74 #ifdef sun
75 # include <net/af.h>
76 #endif
77 #include <netinet/in.h>
78 #include <netinet/in_systm.h>
79 #include <netinet/ip.h>
80 #include <netinet/tcp.h>
81 #if !defined(linux)
82 # include <netinet/ip_var.h>
83 #endif
84 #if !defined(__hpux) && !defined(linux)
85 # include <netinet/tcp_fsm.h>
86 #endif
87 #include <netinet/udp.h>
88 #include <netinet/ip_icmp.h>
89 #include "netinet/ip_compat.h"
90 #include <netinet/tcpip.h>
91 #include "netinet/ip_fil.h"
92 #include "netinet/ip_nat.h"
93 #include "netinet/ip_frag.h"
94 #include "netinet/ip_state.h"
95 #include "netinet/ip_proxy.h"
96 #ifdef IPFILTER_SYNC
97 #include "netinet/ip_sync.h"
98 #endif
99 #ifdef IPFILTER_SCAN
100 #include "netinet/ip_scan.h"
101 #endif
102 #ifdef USE_INET6
103 #include <netinet/icmp6.h>
104 #endif
105 #if (__FreeBSD_version >= 300000)
106 # include <sys/malloc.h>
107 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
108 # include <sys/libkern.h>
109 # include <sys/systm.h>
110 # endif
111 #endif
112 /* END OF INCLUDES */
113
114
115 #if !defined(lint)
116 #if defined(__NetBSD__)
117 #include <sys/cdefs.h>
118 __KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.34 2009/08/19 08:36:13 darrenr Exp $");
119 #else
120 static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
121 static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.98 2009/07/21 09:40:56 darrenr Exp";
122 #endif
123 #endif
124
125 static ipstate_t **ips_table = NULL;
126 static u_long *ips_seed = NULL;
127 static int ips_num = 0;
128 static u_long ips_last_force_flush = 0;
129 ips_stat_t ips_stats;
130
131 #ifdef USE_INET6
132 static ipstate_t *fr_checkicmp6matchingstate __P((fr_info_t *));
133 #endif
134 static ipstate_t *fr_matchsrcdst __P((fr_info_t *, ipstate_t *, i6addr_t *,
135 i6addr_t *, tcphdr_t *, u_32_t));
136 static ipstate_t *fr_checkicmpmatchingstate __P((fr_info_t *));
137 static int fr_state_flush_entry __P((void *));
138 static ips_stat_t *fr_statetstats __P((void));
139 static int fr_delstate __P((ipstate_t *, int));
140 static int fr_state_remove __P((void *));
141 static int ipf_state_match __P((ipstate_t *is1, ipstate_t *is2));
142 static int ipf_state_matchaddresses __P((ipstate_t *is1, ipstate_t *is2));
143 static int ipf_state_matchipv4addrs __P((ipstate_t *is1, ipstate_t *is2));
144 static int ipf_state_matchipv6addrs __P((ipstate_t *is1, ipstate_t *is2));
145 static int ipf_state_matchisps __P((ipstate_t *is1, ipstate_t *is2));
146 static int ipf_state_matchports __P((udpinfo_t *is1, udpinfo_t *is2));
147 static void fr_ipsmove __P((ipstate_t *, u_int));
148 static int fr_tcpstate __P((fr_info_t *, tcphdr_t *, ipstate_t *));
149 static int fr_tcpoptions __P((fr_info_t *, tcphdr_t *, tcpdata_t *));
150 static ipstate_t *fr_stclone __P((fr_info_t *, tcphdr_t *, ipstate_t *));
151 static void fr_fixinisn __P((fr_info_t *, ipstate_t *));
152 static void fr_fixoutisn __P((fr_info_t *, ipstate_t *));
153 static void fr_checknewisn __P((fr_info_t *, ipstate_t *));
154 static int fr_stateiter __P((ipftoken_t *, ipfgeniter_t *));
155 static int fr_stgettable __P((char *));
156
157 int fr_stputent __P((void *));
158 int fr_stgetent __P((void *));
159
160 #define ONE_DAY IPF_TTLVAL(1 * 86400) /* 1 day */
161 #define FIVE_DAYS (5 * ONE_DAY)
162 #define DOUBLE_HASH(x) (((x) + ips_seed[(x) % fr_statesize]) % fr_statesize)
163
164 u_long fr_tcpidletimeout = FIVE_DAYS,
165 fr_tcpclosewait = IPF_TTLVAL(2 * TCP_MSL),
166 fr_tcplastack = IPF_TTLVAL(30),
167 fr_tcptimeout = IPF_TTLVAL(2 * TCP_MSL),
168 fr_tcptimewait = IPF_TTLVAL(2 * TCP_MSL),
169 fr_tcpclosed = IPF_TTLVAL(30),
170 fr_tcphalfclosed = IPF_TTLVAL(2 * 3600), /* 2 hours */
171 fr_udptimeout = IPF_TTLVAL(120),
172 fr_udpacktimeout = IPF_TTLVAL(12),
173 fr_icmptimeout = IPF_TTLVAL(60),
174 fr_icmpacktimeout = IPF_TTLVAL(6),
175 fr_iptimeout = IPF_TTLVAL(60);
176 int fr_statemax = IPSTATE_MAX,
177 fr_statesize = IPSTATE_SIZE;
178 int fr_state_doflush = 0,
179 fr_state_lock = 0,
180 fr_state_maxbucket = 0,
181 fr_state_maxbucket_reset = 1,
182 fr_state_init = 0;
183 ipftq_t ips_tqtqb[IPF_TCP_NSTATES],
184 ips_udptq,
185 ips_udpacktq,
186 ips_iptq,
187 ips_icmptq,
188 ips_icmpacktq,
189 ips_deletetq,
190 *ips_utqe = NULL;
191 #ifdef IPFILTER_LOG
192 int ipstate_logging = 1;
193 #else
194 int ipstate_logging = 0;
195 #endif
196 ipstate_t *ips_list = NULL;
197
198
199 /* ------------------------------------------------------------------------ */
200 /* Function: fr_stateinit */
201 /* Returns: int - 0 == success, -1 == failure */
202 /* Parameters: Nil */
203 /* */
204 /* Initialise all the global variables used within the state code. */
205 /* This action also includes initiailising locks. */
206 /* ------------------------------------------------------------------------ */
207 int fr_stateinit()
208 {
209 #if defined(NEED_LOCAL_RAND) || !defined(_KERNEL)
210 struct timeval tv;
211 #endif
212 int i;
213
214 KMALLOCS(ips_table, ipstate_t **, fr_statesize * sizeof(ipstate_t *));
215 if (ips_table == NULL)
216 return -1;
217 bzero((char *)ips_table, fr_statesize * sizeof(ipstate_t *));
218
219 KMALLOCS(ips_seed, u_long *, fr_statesize * sizeof(*ips_seed));
220 if (ips_seed == NULL)
221 return -2;
222 #if defined(NEED_LOCAL_RAND) || !defined(_KERNEL)
223 tv.tv_sec = 0;
224 GETKTIME(&tv);
225 #endif
226 for (i = 0; i < fr_statesize; i++) {
227 /*
228 * XXX - ips_seed[X] should be a random number of sorts.
229 */
230 #if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
231 ips_seed[i] = arc4random();
232 #else
233 ips_seed[i] = ((u_long)ips_seed + i) * fr_statesize;
234 ips_seed[i] += tv.tv_sec;
235 ips_seed[i] *= (u_long)ips_seed;
236 ips_seed[i] ^= 0x5a5aa5a5;
237 ips_seed[i] *= fr_statemax;
238 #endif
239 }
240 #if defined(NEED_LOCAL_RAND) && defined(_KERNEL)
241 ipf_rand_push(ips_seed, fr_statesize * sizeof(*ips_seed));
242 #endif
243
244 /* fill icmp reply type table */
245 for (i = 0; i <= ICMP_MAXTYPE; i++)
246 icmpreplytype4[i] = -1;
247 icmpreplytype4[ICMP_ECHO] = ICMP_ECHOREPLY;
248 icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY;
249 icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY;
250 icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY;
251 #ifdef USE_INET6
252 /* fill icmp reply type table */
253 for (i = 0; i <= ICMP6_MAXTYPE; i++)
254 icmpreplytype6[i] = -1;
255 icmpreplytype6[ICMP6_ECHO_REQUEST] = ICMP6_ECHO_REPLY;
256 icmpreplytype6[ICMP6_MEMBERSHIP_QUERY] = ICMP6_MEMBERSHIP_REPORT;
257 icmpreplytype6[ICMP6_NI_QUERY] = ICMP6_NI_REPLY;
258 icmpreplytype6[ND_ROUTER_SOLICIT] = ND_ROUTER_ADVERT;
259 icmpreplytype6[ND_NEIGHBOR_SOLICIT] = ND_NEIGHBOR_ADVERT;
260 #endif
261
262 KMALLOCS(ips_stats.iss_bucketlen, u_long *,
263 fr_statesize * sizeof(u_long));
264 if (ips_stats.iss_bucketlen == NULL)
265 return -1;
266 bzero((char *)ips_stats.iss_bucketlen, fr_statesize * sizeof(u_long));
267
268 if (fr_state_maxbucket == 0) {
269 for (i = fr_statesize; i > 0; i >>= 1)
270 fr_state_maxbucket++;
271 fr_state_maxbucket *= 2;
272 }
273
274 ips_stats.iss_tcptab = ips_tqtqb;
275 fr_sttab_init(ips_tqtqb);
276 ips_tqtqb[IPF_TCP_NSTATES - 1].ifq_next = &ips_udptq;
277 ips_udptq.ifq_ttl = (u_long)fr_udptimeout;
278 ips_udptq.ifq_ref = 1;
279 ips_udptq.ifq_head = NULL;
280 ips_udptq.ifq_tail = &ips_udptq.ifq_head;
281 MUTEX_INIT(&ips_udptq.ifq_lock, "ipftq udp tab");
282 ips_udptq.ifq_next = &ips_udpacktq;
283 ips_udpacktq.ifq_ttl = (u_long)fr_udpacktimeout;
284 ips_udpacktq.ifq_ref = 1;
285 ips_udpacktq.ifq_head = NULL;
286 ips_udpacktq.ifq_tail = &ips_udpacktq.ifq_head;
287 MUTEX_INIT(&ips_udpacktq.ifq_lock, "ipftq udpack tab");
288 ips_udpacktq.ifq_next = &ips_icmptq;
289 ips_icmptq.ifq_ttl = (u_long)fr_icmptimeout;
290 ips_icmptq.ifq_ref = 1;
291 ips_icmptq.ifq_head = NULL;
292 ips_icmptq.ifq_tail = &ips_icmptq.ifq_head;
293 MUTEX_INIT(&ips_icmptq.ifq_lock, "ipftq icmp tab");
294 ips_icmptq.ifq_next = &ips_icmpacktq;
295 ips_icmpacktq.ifq_ttl = (u_long)fr_icmpacktimeout;
296 ips_icmpacktq.ifq_ref = 1;
297 ips_icmpacktq.ifq_head = NULL;
298 ips_icmpacktq.ifq_tail = &ips_icmpacktq.ifq_head;
299 MUTEX_INIT(&ips_icmpacktq.ifq_lock, "ipftq icmpack tab");
300 ips_icmpacktq.ifq_next = &ips_iptq;
301 ips_iptq.ifq_ttl = (u_long)fr_iptimeout;
302 ips_iptq.ifq_ref = 1;
303 ips_iptq.ifq_head = NULL;
304 ips_iptq.ifq_tail = &ips_iptq.ifq_head;
305 MUTEX_INIT(&ips_iptq.ifq_lock, "ipftq ip tab");
306 ips_iptq.ifq_next = &ips_deletetq;
307 ips_deletetq.ifq_ttl = (u_long)1;
308 ips_deletetq.ifq_ref = 1;
309 ips_deletetq.ifq_head = NULL;
310 ips_deletetq.ifq_tail = &ips_deletetq.ifq_head;
311 MUTEX_INIT(&ips_deletetq.ifq_lock, "state delete queue");
312 ips_deletetq.ifq_next = NULL;
313
314 RWLOCK_INIT(&ipf_state, "ipf IP state rwlock");
315 MUTEX_INIT(&ipf_stinsert, "ipf state insert mutex");
316 fr_state_init = 1;
317
318 ips_last_force_flush = fr_ticks;
319 return 0;
320 }
321
322
323 /* ------------------------------------------------------------------------ */
324 /* Function: fr_stateunload */
325 /* Returns: Nil */
326 /* Parameters: Nil */
327 /* */
328 /* Release and destroy any resources acquired or initialised so that */
329 /* IPFilter can be unloaded or re-initialised. */
330 /* ------------------------------------------------------------------------ */
331 void fr_stateunload()
332 {
333 ipftq_t *ifq, *ifqnext;
334 ipstate_t *is;
335
336 while ((is = ips_list) != NULL)
337 fr_delstate(is, ISL_UNLOAD);
338
339 /*
340 * Proxy timeout queues are not cleaned here because although they
341 * exist on the state list, appr_unload is called after fr_stateunload
342 * and the proxies actually are responsible for them being created.
343 * Should the proxy timeouts have their own list? There's no real
344 * justification as this is the only complicationA
345 */
346 for (ifq = ips_utqe; ifq != NULL; ifq = ifqnext) {
347 ifqnext = ifq->ifq_next;
348 if (((ifq->ifq_flags & IFQF_PROXY) == 0) &&
349 (fr_deletetimeoutqueue(ifq) == 0))
350 fr_freetimeoutqueue(ifq);
351 }
352
353 ips_stats.iss_inuse = 0;
354 ips_num = 0;
355
356 if (fr_state_init == 1) {
357 fr_sttab_destroy(ips_tqtqb);
358 MUTEX_DESTROY(&ips_udptq.ifq_lock);
359 MUTEX_DESTROY(&ips_icmptq.ifq_lock);
360 MUTEX_DESTROY(&ips_udpacktq.ifq_lock);
361 MUTEX_DESTROY(&ips_icmpacktq.ifq_lock);
362 MUTEX_DESTROY(&ips_iptq.ifq_lock);
363 MUTEX_DESTROY(&ips_deletetq.ifq_lock);
364 }
365
366 if (ips_table != NULL) {
367 KFREES(ips_table, fr_statesize * sizeof(*ips_table));
368 ips_table = NULL;
369 }
370
371 if (ips_seed != NULL) {
372 KFREES(ips_seed, fr_statesize * sizeof(*ips_seed));
373 ips_seed = NULL;
374 }
375
376 if (ips_stats.iss_bucketlen != NULL) {
377 KFREES(ips_stats.iss_bucketlen, fr_statesize * sizeof(u_long));
378 ips_stats.iss_bucketlen = NULL;
379 }
380
381 if (fr_state_maxbucket_reset == 1)
382 fr_state_maxbucket = 0;
383
384 if (fr_state_init == 1) {
385 fr_state_init = 0;
386 RW_DESTROY(&ipf_state);
387 MUTEX_DESTROY(&ipf_stinsert);
388 }
389 }
390
391
392 /* ------------------------------------------------------------------------ */
393 /* Function: fr_statetstats */
394 /* Returns: ips_state_t* - pointer to state stats structure */
395 /* Parameters: Nil */
396 /* */
397 /* Put all the current numbers and pointers into a single struct and return */
398 /* a pointer to it. */
399 /* ------------------------------------------------------------------------ */
400 static ips_stat_t *fr_statetstats()
401 {
402 ips_stats.iss_active = ips_num;
403 ips_stats.iss_statesize = fr_statesize;
404 ips_stats.iss_statemax = fr_statemax;
405 ips_stats.iss_table = ips_table;
406 ips_stats.iss_list = ips_list;
407 ips_stats.iss_ticks = fr_ticks;
408 return &ips_stats;
409 }
410
411 /* ------------------------------------------------------------------------ */
412 /* Function: fr_state_remove */
413 /* Returns: int - 0 == success, != 0 == failure */
414 /* Parameters: data(I) - pointer to state structure to delete from table */
415 /* */
416 /* Search for a state structure that matches the one passed, according to */
417 /* the IP addresses and other protocol specific information. */
418 /* ------------------------------------------------------------------------ */
419 static int fr_state_remove(data)
420 void * data;
421 {
422 ipstate_t *sp, st;
423 int error;
424
425 sp = &st;
426 error = fr_inobj(data, &st, IPFOBJ_IPSTATE);
427 if (error)
428 return EFAULT;
429
430 WRITE_ENTER(&ipf_state);
431 for (sp = ips_list; sp; sp = sp->is_next)
432 if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
433 !bcmp((void *)&sp->is_src, (void *)&st.is_src,
434 sizeof(st.is_src)) &&
435 !bcmp((void *)&sp->is_dst, (void *)&st.is_src,
436 sizeof(st.is_dst)) &&
437 !bcmp((void *)&sp->is_ps, (void *)&st.is_ps,
438 sizeof(st.is_ps))) {
439 fr_delstate(sp, ISL_REMOVE);
440 RWLOCK_EXIT(&ipf_state);
441 return 0;
442 }
443 RWLOCK_EXIT(&ipf_state);
444 return ESRCH;
445 }
446
447
448 /* ------------------------------------------------------------------------ */
449 /* Function: fr_state_ioctl */
450 /* Returns: int - 0 == success, != 0 == failure */
451 /* Parameters: data(I) - pointer to ioctl data */
452 /* cmd(I) - ioctl command integer */
453 /* mode(I) - file mode bits used with open */
454 /* */
455 /* Processes an ioctl call made to operate on the IP Filter state device. */
456 /* ------------------------------------------------------------------------ */
457 int fr_state_ioctl(data, cmd, mode, uid, ctx)
458 void * data;
459 ioctlcmd_t cmd;
460 int mode, uid;
461 void *ctx;
462 {
463 int arg, ret, error = 0;
464 SPL_INT(s);
465
466 switch (cmd)
467 {
468 /*
469 * Delete an entry from the state table.
470 */
471 case SIOCDELST :
472 error = fr_state_remove(data);
473 break;
474
475 /*
476 * Flush the state table
477 */
478 case SIOCIPFFL :
479 error = BCOPYIN(data, (char *)&arg, sizeof(arg));
480 if (error != 0) {
481 error = EFAULT;
482 } else {
483 WRITE_ENTER(&ipf_state);
484 ret = fr_state_flush(arg, 4);
485 RWLOCK_EXIT(&ipf_state);
486 error = BCOPYOUT((char *)&ret, data, sizeof(ret));
487 if (error != 0)
488 error = EFAULT;
489 }
490 break;
491
492 #ifdef USE_INET6
493 case SIOCIPFL6 :
494 error = BCOPYIN(data, (char *)&arg, sizeof(arg));
495 if (error != 0) {
496 error = EFAULT;
497 } else {
498 WRITE_ENTER(&ipf_state);
499 ret = fr_state_flush(arg, 6);
500 RWLOCK_EXIT(&ipf_state);
501 error = BCOPYOUT((char *)&ret, data, sizeof(ret));
502 if (error != 0)
503 error = EFAULT;
504 }
505 break;
506 #endif
507 #ifdef IPFILTER_LOG
508 /*
509 * Flush the state log.
510 */
511 case SIOCIPFFB :
512 if (!(mode & FWRITE))
513 error = EPERM;
514 else {
515 int tmp;
516
517 tmp = ipflog_clear(IPL_LOGSTATE);
518 error = BCOPYOUT((char *)&tmp, data, sizeof(tmp));
519 if (error != 0)
520 error = EFAULT;
521 }
522 break;
523
524 /*
525 * Turn logging of state information on/off.
526 */
527 case SIOCSETLG :
528 if (!(mode & FWRITE))
529 error = EPERM;
530 else {
531 error = BCOPYIN((char *)data, (char *)&ipstate_logging,
532 sizeof(ipstate_logging));
533 if (error != 0)
534 error = EFAULT;
535 }
536 break;
537
538 /*
539 * Return the current state of logging.
540 */
541 case SIOCGETLG :
542 error = BCOPYOUT((char *)&ipstate_logging, (char *)data,
543 sizeof(ipstate_logging));
544 if (error != 0)
545 error = EFAULT;
546 break;
547
548 /*
549 * Return the number of bytes currently waiting to be read.
550 */
551 case FIONREAD :
552 arg = iplused[IPL_LOGSTATE]; /* returned in an int */
553 error = BCOPYOUT((char *)&arg, data, sizeof(arg));
554 if (error != 0)
555 error = EFAULT;
556 break;
557 #endif
558
559 /*
560 * Get the current state statistics.
561 */
562 case SIOCGETFS :
563 error = fr_outobj(data, fr_statetstats(), IPFOBJ_STATESTAT);
564 break;
565
566 /*
567 * Lock/Unlock the state table. (Locking prevents any changes, which
568 * means no packets match).
569 */
570 case SIOCSTLCK :
571 if (!(mode & FWRITE)) {
572 error = EPERM;
573 } else {
574 error = fr_lock(data, &fr_state_lock);
575 }
576 break;
577
578 /*
579 * Add an entry to the current state table.
580 */
581 case SIOCSTPUT :
582 if (!fr_state_lock || !(mode &FWRITE)) {
583 error = EACCES;
584 break;
585 }
586 error = fr_stputent(data);
587 break;
588
589 /*
590 * Get a state table entry.
591 */
592 case SIOCSTGET :
593 if (!fr_state_lock) {
594 error = EACCES;
595 break;
596 }
597 error = fr_stgetent(data);
598 break;
599
600 /*
601 * Return a copy of the hash table bucket lengths
602 */
603 case SIOCSTAT1 :
604 error = BCOPYOUT(ips_stats.iss_bucketlen, data,
605 fr_statesize * sizeof(u_long));
606 if (error != 0)
607 error = EFAULT;
608 break;
609
610 case SIOCGENITER :
611 {
612 ipftoken_t *token;
613 ipfgeniter_t iter;
614
615 error = fr_inobj(data, &iter, IPFOBJ_GENITER);
616 if (error != 0)
617 break;
618
619 SPL_SCHED(s);
620 token = ipf_findtoken(IPFGENITER_STATE, uid, ctx);
621 if (token != NULL) {
622 error = fr_stateiter(token, &iter);
623 WRITE_ENTER(&ipf_tokens);
624 if (token->ipt_data == NULL)
625 ipf_freetoken(token);
626 else
627 ipf_dereftoken(token);
628 RWLOCK_EXIT(&ipf_tokens);
629 } else {
630 error = ESRCH;
631 }
632 SPL_X(s);
633 break;
634 }
635
636 case SIOCGTABL :
637 error = fr_stgettable(data);
638 break;
639
640 case SIOCIPFDELTOK :
641 error = BCOPYIN(data, (char *)&arg, sizeof(arg));
642 if (error != 0) {
643 error = EFAULT;
644 } else {
645 SPL_SCHED(s);
646 error = ipf_deltoken(arg, uid, ctx);
647 SPL_X(s);
648 }
649 break;
650
651 case SIOCGTQTAB :
652 error = fr_outobj(data, ips_tqtqb, IPFOBJ_STATETQTAB);
653 break;
654
655 default :
656 error = EINVAL;
657 break;
658 }
659 return error;
660 }
661
662
663 /* ------------------------------------------------------------------------ */
664 /* Function: fr_stgetent */
665 /* Returns: int - 0 == success, != 0 == failure */
666 /* Parameters: data(I) - pointer to state structure to retrieve from table */
667 /* */
668 /* Copy out state information from the kernel to a user space process. If */
669 /* there is a filter rule associated with the state entry, copy that out */
670 /* as well. The entry to copy out is taken from the value of "ips_next" in */
671 /* the struct passed in and if not null and not found in the list of current*/
672 /* state entries, the retrieval fails. */
673 /* ------------------------------------------------------------------------ */
674 int fr_stgetent(data)
675 void *data;
676 {
677 ipstate_t *is, *isn;
678 ipstate_save_t ips;
679 int error;
680
681 error = fr_inobj(data, &ips, IPFOBJ_STATESAVE);
682 if (error != 0)
683 return error;
684
685 READ_ENTER(&ipf_state);
686 isn = ips.ips_next;
687 if (isn == NULL) {
688 isn = ips_list;
689 if (isn == NULL) {
690 RWLOCK_EXIT(&ipf_state);
691 if (ips.ips_next == NULL)
692 return ENOENT;
693 return 0;
694 }
695 } else {
696 /*
697 * Make sure the pointer we're copying from exists in the
698 * current list of entries. Security precaution to prevent
699 * copying of random kernel data.
700 */
701 for (is = ips_list; is; is = is->is_next)
702 if (is == isn)
703 break;
704 if (is == NULL) {
705 RWLOCK_EXIT(&ipf_state);
706 return ESRCH;
707 }
708 }
709 ips.ips_next = isn->is_next;
710 bcopy((char *)isn, (char *)&ips.ips_is, sizeof(ips.ips_is));
711 ips.ips_rule = isn->is_rule;
712 if (isn->is_rule != NULL)
713 bcopy((char *)isn->is_rule, (char *)&ips.ips_fr,
714 sizeof(ips.ips_fr));
715 RWLOCK_EXIT(&ipf_state);
716 error = fr_outobj(data, &ips, IPFOBJ_STATESAVE);
717 return error;
718 }
719
720
721 /* ------------------------------------------------------------------------ */
722 /* Function: fr_stputent */
723 /* Returns: int - 0 == success, != 0 == failure */
724 /* Parameters: data(I) - pointer to state information struct */
725 /* */
726 /* This function implements the SIOCSTPUT ioctl: insert a state entry into */
727 /* the state table. If the state info. includes a pointer to a filter rule */
728 /* then also add in an orphaned rule (will not show up in any "ipfstat -io" */
729 /* output. */
730 /* ------------------------------------------------------------------------ */
731 int fr_stputent(data)
732 void *data;
733 {
734 ipstate_t *is, *isn;
735 ipstate_save_t ips;
736 int error, out, i;
737 frentry_t *fr;
738 char *name;
739
740 error = fr_inobj(data, &ips, IPFOBJ_STATESAVE);
741 if (error)
742 return EFAULT;
743
744 KMALLOC(isn, ipstate_t *);
745 if (isn == NULL)
746 return ENOMEM;
747
748 bcopy((char *)&ips.ips_is, (char *)isn, sizeof(*isn));
749 bzero((char *)isn, offsetof(struct ipstate, is_pkts));
750 isn->is_sti.tqe_pnext = NULL;
751 isn->is_sti.tqe_next = NULL;
752 isn->is_sti.tqe_ifq = NULL;
753 isn->is_sti.tqe_parent = isn;
754 isn->is_ifp[0] = NULL;
755 isn->is_ifp[1] = NULL;
756 isn->is_ifp[2] = NULL;
757 isn->is_ifp[3] = NULL;
758 isn->is_sync = NULL;
759 fr = ips.ips_rule;
760
761 if (fr == NULL) {
762 READ_ENTER(&ipf_state);
763 fr_stinsert(isn, 0);
764 MUTEX_EXIT(&isn->is_lock);
765 RWLOCK_EXIT(&ipf_state);
766 return 0;
767 }
768
769 if (isn->is_flags & SI_NEWFR) {
770 KMALLOC(fr, frentry_t *);
771 if (fr == NULL) {
772 KFREE(isn);
773 return ENOMEM;
774 }
775 bcopy((char *)&ips.ips_fr, (char *)fr, sizeof(*fr));
776 out = fr->fr_flags & FR_OUTQUE ? 1 : 0;
777 isn->is_rule = fr;
778 ips.ips_is.is_rule = fr;
779 MUTEX_NUKE(&fr->fr_lock);
780 MUTEX_INIT(&fr->fr_lock, "state filter rule lock");
781
782 /*
783 * Look up all the interface names in the rule.
784 */
785 for (i = 0; i < 4; i++) {
786 name = fr->fr_ifnames[i];
787 fr->fr_ifas[i] = fr_resolvenic(name, fr->fr_v);
788 name = isn->is_ifname[i];
789 isn->is_ifp[i] = fr_resolvenic(name, isn->is_v);
790 }
791
792 fr->fr_ref = 0;
793 fr->fr_dsize = 0;
794 fr->fr_data = NULL;
795 fr->fr_type = FR_T_NONE;
796
797 fr_resolvedest(&fr->fr_tifs[0], fr->fr_v);
798 fr_resolvedest(&fr->fr_tifs[1], fr->fr_v);
799 fr_resolvedest(&fr->fr_dif, fr->fr_v);
800
801 /*
802 * send a copy back to userland of what we ended up
803 * to allow for verification.
804 */
805 error = fr_outobj(data, &ips, IPFOBJ_STATESAVE);
806 if (error) {
807 KFREE(isn);
808 MUTEX_DESTROY(&fr->fr_lock);
809 KFREE(fr);
810 return EFAULT;
811 }
812 READ_ENTER(&ipf_state);
813 fr_stinsert(isn, 0);
814 MUTEX_EXIT(&isn->is_lock);
815 RWLOCK_EXIT(&ipf_state);
816
817 } else {
818 READ_ENTER(&ipf_state);
819 for (is = ips_list; is; is = is->is_next)
820 if (is->is_rule == fr) {
821 fr_stinsert(isn, 0);
822 MUTEX_EXIT(&isn->is_lock);
823 break;
824 }
825
826 if (is == NULL) {
827 KFREE(isn);
828 isn = NULL;
829 }
830 RWLOCK_EXIT(&ipf_state);
831
832 return (isn == NULL) ? ESRCH : 0;
833 }
834
835 return 0;
836 }
837
838
839 /* ------------------------------------------------------------------------ */
840 /* Function: fr_stinsert */
841 /* Returns: Nil */
842 /* Parameters: is(I) - pointer to state structure */
843 /* rev(I) - flag indicating forward/reverse direction of packet */
844 /* */
845 /* Inserts a state structure into the hash table (for lookups) and the list */
846 /* of state entries (for enumeration). Resolves all of the interface names */
847 /* to pointers and adjusts running stats for the hash table as appropriate. */
848 /* */
849 /* Locking: it is assumed that some kind of lock on ipf_state is held. */
850 /* Exits with is_lock initialised and held. */
851 /* ------------------------------------------------------------------------ */
852 void fr_stinsert(is, rev)
853 ipstate_t *is;
854 int rev;
855 {
856 frentry_t *fr;
857 u_int hv;
858 int i;
859
860 MUTEX_INIT(&is->is_lock, "ipf state entry");
861
862 fr = is->is_rule;
863 if (fr != NULL) {
864 MUTEX_ENTER(&fr->fr_lock);
865 fr->fr_ref++;
866 fr->fr_statecnt++;
867 MUTEX_EXIT(&fr->fr_lock);
868 }
869
870 /*
871 * Look up all the interface names in the state entry.
872 */
873 for (i = 0; i < 4; i++) {
874 if (is->is_ifp[i] != NULL)
875 continue;
876 is->is_ifp[i] = fr_resolvenic(is->is_ifname[i], is->is_v);
877 }
878
879 /*
880 * If we could trust is_hv, then the modulous would not be needed, but
881 * when running with IPFILTER_SYNC, this stops bad values.
882 */
883 hv = is->is_hv % fr_statesize;
884 is->is_hv = hv;
885
886 /*
887 * We need to get both of these locks...the first because it is
888 * possible that once the insert is complete another packet might
889 * come along, match the entry and want to update it.
890 */
891 MUTEX_ENTER(&is->is_lock);
892 MUTEX_ENTER(&ipf_stinsert);
893
894 /*
895 * add into list table.
896 */
897 if (ips_list != NULL)
898 ips_list->is_pnext = &is->is_next;
899 is->is_pnext = &ips_list;
900 is->is_next = ips_list;
901 ips_list = is;
902
903 if (ips_table[hv] != NULL)
904 ips_table[hv]->is_phnext = &is->is_hnext;
905 else
906 ips_stats.iss_inuse++;
907 is->is_phnext = ips_table + hv;
908 is->is_hnext = ips_table[hv];
909 ips_table[hv] = is;
910 ips_stats.iss_bucketlen[hv]++;
911 ips_num++;
912 MUTEX_EXIT(&ipf_stinsert);
913
914 fr_setstatequeue(is, rev);
915 }
916
917
918 /* ------------------------------------------------------------------------ */
919 /* Function: ipf_state_matchipv4addrs */
920 /* Returns: int - 2 addresses match (strong match), 1 reverse match, */
921 /* 0 no match */
922 /* Parameters: is1, is2 pointers to states we are checking */
923 /* */
924 /* Function matches IPv4 addresses it returns strong match for ICMP proto */
925 /* even there is only reverse match */
926 /* ------------------------------------------------------------------------ */
927 static int
928 ipf_state_matchipv4addrs(is1, is2)
929 ipstate_t *is1, *is2;
930 {
931 int rv;
932
933 if (is1->is_saddr == is2->is_saddr && is1->is_daddr == is2->is_daddr)
934 rv = 2;
935 else if (is1->is_saddr == is2->is_daddr &&
936 is1->is_daddr == is2->is_saddr) {
937 /* force strong match for ICMP protocol */
938 rv = (is1->is_p == IPPROTO_ICMP) ? 2 : 1;
939 }
940 else
941 rv = 0;
942
943 return (rv);
944 }
945
946
947 /* ------------------------------------------------------------------------ */
948 /* Function: ipf_state_matchipv6addrs */
949 /* Returns: int - 2 addresses match (strong match), 1 reverse match, */
950 /* 0 no match */
951 /* Parameters: is1, is2 pointers to states we are checking */
952 /* */
953 /* Function matches IPv6 addresses it returns strong match for ICMP proto */
954 /* even there is only reverse match */
955 /* ------------------------------------------------------------------------ */
956 static int
957 ipf_state_matchipv6addrs(is1, is2)
958 ipstate_t *is1, *is2;
959 {
960 int rv;
961
962 if (IP6_EQ(&is1->is_src, &is2->is_src) &&
963 IP6_EQ(&is1->is_dst, &is2->is_dst))
964 rv = 2;
965 else if (IP6_EQ(&is1->is_src, &is2->is_dst) &&
966 IP6_EQ(&is1->is_dst, &is2->is_src)) {
967 /* force strong match for ICMPv6 protocol */
968 rv = (is1->is_p == IPPROTO_ICMPV6) ? 2 : 1;
969 }
970 else
971 rv = 0;
972
973 return (rv);
974 }
975
976
977 /* ------------------------------------------------------------------------ */
978 /* Function: ipf_state_matchaddresses */
979 /* Returns: int - 2 addresses match, 1 reverse match, zero no match */
980 /* Parameters: is1, is2 pointers to states we are checking */
981 /* */
982 /* function retruns true if two pairs of addresses belong to single */
983 /* connection. suppose there are two endpoints: */
984 /* endpoint1 1.1.1.1 */
985 /* endpoint2 1.1.1.2 */
986 /* */
987 /* the state is established by packet flying from .1 to .2 so we see: */
988 /* is1->src = 1.1.1.1 */
989 /* is1->dst = 1.1.1.2 */
990 /* now endpoint 1.1.1.2 sends answer */
991 /* retreives is1 record created by first packat and compares it with is2 */
992 /* temporal record, is2 is initialized as follows: */
993 /* is2->src = 1.1.1.2 */
994 /* is2->dst = 1.1.1.1 */
995 /* in this case 1 will be returned */
996 /* */
997 /* the ipf_matchaddresses() assumes those two records to be same. of course */
998 /* the ipf_matchaddresses() also assume records are same in case you pass */
999 /* identical arguments (i.e. ipf_matchaddress(is1, is1) would return 2 */
1000 /* ------------------------------------------------------------------------ */
1001 static int
1002 ipf_state_matchaddresses(is1, is2)
1003 ipstate_t *is1, *is2;
1004 {
1005 int rv;
1006
1007 if (is1->is_v == 4) {
1008 rv = ipf_state_matchipv4addrs(is1, is2);
1009 }
1010 else {
1011 rv = ipf_state_matchipv6addrs(is1, is2);
1012 }
1013
1014 return (rv);
1015 }
1016
1017
1018 /* ------------------------------------------------------------------------ */
1019 /* Function: ipf_matchports */
1020 /* Returns: int - 2 match, 1 rverse match, 0 no match */
1021 /* Parameters: ppairs1, ppairs - src, dst ports we want to match */
1022 /* */
1023 /* performs the same match for isps members as for addresses */
1024 /* ------------------------------------------------------------------------ */
1025 static int
1026 ipf_state_matchports(ppairs1, ppairs2)
1027 udpinfo_t *ppairs1, *ppairs2;
1028 {
1029 int rv;
1030
1031 if (ppairs1->us_sport == ppairs2->us_sport &&
1032 ppairs1->us_dport == ppairs2->us_dport)
1033 rv = 2;
1034 else if (ppairs1->us_sport == ppairs2->us_dport &&
1035 ppairs1->us_dport == ppairs2->us_sport)
1036 rv = 1;
1037 else
1038 rv = 0;
1039
1040 return (rv);
1041 }
1042
1043
1044 /* ------------------------------------------------------------------------ */
1045 /* Function: ipf_matchisps */
1046 /* Returns: int - nonzero if isps members match, 0 nomatch */
1047 /* Parameters: is1, is2 - states we want to match */
1048 /* */
1049 /* performs the same match for isps members as for addresses */
1050 /* ------------------------------------------------------------------------ */
1051 static int
1052 ipf_state_matchisps(is1, is2)
1053 ipstate_t *is1, *is2;
1054 {
1055 int rv;
1056
1057 if (is1->is_p == is2->is_p) {
1058 switch (is1->is_p)
1059 {
1060 case IPPROTO_TCP :
1061 case IPPROTO_UDP :
1062 /* greinfo_t can be also interprted as port pair */
1063 rv = ipf_state_matchports(&is1->is_ps.is_us,
1064 &is2->is_ps.is_us);
1065 break;
1066
1067 case IPPROTO_ICMP :
1068 case IPPROTO_ICMPV6 :
1069 /* force strong match for ICMP datagram. */
1070 if (bcmp(&is1->is_ps, &is2->is_ps,
1071 sizeof(icmpinfo_t)) == 0) {
1072 rv = 2;
1073 } else {
1074 rv = 0;
1075 }
1076 break;
1077
1078 default:
1079 rv = 0;
1080 }
1081 } else {
1082 rv = 0;
1083 }
1084
1085 return (rv);
1086 }
1087
1088
1089 /* ------------------------------------------------------------------------ */
1090 /* Function: ipf_state_match */
1091 /* Returns: int - nonzero match, zero no match */
1092 /* Parameters: is1, is2 - states we want to match */
1093 /* */
1094 /* ------------------------------------------------------------------------ */
1095 static int ipf_state_match(is1, is2)
1096 ipstate_t *is1, *is2;
1097 {
1098 int rv;
1099 int addrmatch;
1100 int portmatch;
1101
1102 if (bcmp(&is1->is_pass, &is2->is_pass,
1103 offsetof(struct ipstate, is_authmsk) -
1104 offsetof(struct ipstate, is_pass)) == 0) {
1105
1106 portmatch = ipf_state_matchisps(is1, is2);
1107 addrmatch = ipf_state_matchaddresses(is1, is2);
1108 rv = (addrmatch != 0) && (addrmatch == portmatch);
1109 } else {
1110 rv = 0;
1111 }
1112
1113 return (rv);
1114 }
1115
1116
1117 /* ------------------------------------------------------------------------ */
1118 /* Function: fr_addstate */
1119 /* Returns: ipstate_t* - NULL == failure, else pointer to new state */
1120 /* Parameters: fin(I) - pointer to packet information */
1121 /* stsave(O) - pointer to place to save pointer to created */
1122 /* state structure. */
1123 /* flags(I) - flags to use when creating the structure */
1124 /* */
1125 /* Creates a new IP state structure from the packet information collected. */
1126 /* Inserts it into the state table and appends to the bottom of the active */
1127 /* list. If the capacity of the table has reached the maximum allowed then */
1128 /* the call will fail and a flush is scheduled for the next timeout call. */
1129 /* */
1130 /* NOTE: The use of stsave to point to nat_state will result in memory */
1131 /* corruption. It should only be used to point to objects that will */
1132 /* either outlive this (not expired) or will deref the ip_state_t */
1133 /* when they are deleted. */
1134 /* ------------------------------------------------------------------------ */
1135 ipstate_t *fr_addstate(fin, stsave, flags)
1136 fr_info_t *fin;
1137 ipstate_t **stsave;
1138 u_int flags;
1139 {
1140 ipstate_t *is, ips;
1141 struct icmp *ic;
1142 u_int pass, hv;
1143 frentry_t *fr;
1144 tcphdr_t *tcp;
1145 grehdr_t *gre;
1146 int out;
1147
1148 /*
1149 * If a packet that was created locally is trying to go out but we
1150 * do not match here here because of this lock, it is likely that
1151 * the policy will block it and return network unreachable back up
1152 * the stack. To mitigate this error, EAGAIN is returned instead,
1153 * telling the IP stack to try sending this packet again later.
1154 */
1155 if (fr_state_lock) {
1156 fin->fin_error = EAGAIN;
1157 return NULL;
1158 }
1159
1160 if (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD))
1161 return NULL;
1162
1163 if ((fin->fin_flx & FI_OOW) && !(fin->fin_tcpf & TH_SYN))
1164 return NULL;
1165
1166 /*
1167 * If a "keep state" rule has reached the maximum number of references
1168 * to it, then schedule an automatic flush in case we can clear out
1169 * some "dead old wood". Note that because the lock isn't held on
1170 * fr it is possible that we could overflow. The cost of overflowing
1171 * is being ignored here as the number by which it can overflow is
1172 * a product of the number of simultaneous threads that could be
1173 * executing in here, so a limit of 100 won't result in 200, but could
1174 * result in 101 or 102.
1175 */
1176 fr = fin->fin_fr;
1177 if (fr != NULL) {
1178 if ((ips_num >= fr_statemax) && (fr->fr_statemax == 0)) {
1179 ATOMIC_INCL(ips_stats.iss_max);
1180 fr_state_doflush = 1;
1181 return NULL;
1182 }
1183 if ((fr->fr_statemax != 0) &&
1184 (fr->fr_statecnt >= fr->fr_statemax)) {
1185 ATOMIC_INCL(ips_stats.iss_maxref);
1186 return NULL;
1187 }
1188 }
1189
1190 pass = (fr == NULL) ? 0 : fr->fr_flags;
1191
1192 ic = NULL;
1193 tcp = NULL;
1194 out = fin->fin_out;
1195 is = &ips;
1196 bzero((char *)is, sizeof(*is));
1197 is->is_die = 1 + fr_ticks;
1198
1199 /*
1200 * Copy and calculate...
1201 */
1202 hv = (is->is_p = fin->fin_fi.fi_p);
1203 is->is_src = fin->fin_fi.fi_src;
1204 hv += is->is_saddr;
1205 is->is_dst = fin->fin_fi.fi_dst;
1206 hv += is->is_daddr;
1207 #ifdef USE_INET6
1208 if (fin->fin_v == 6) {
1209 /*
1210 * For ICMPv6, we check to see if the destination address is
1211 * a multicast address. If it is, do not include it in the
1212 * calculation of the hash because the correct reply will come
1213 * back from a real address, not a multicast address.
1214 */
1215 if ((is->is_p == IPPROTO_ICMPV6) &&
1216 IN6_IS_ADDR_MULTICAST(&is->is_dst.in6)) {
1217 /*
1218 * So you can do keep state with neighbour discovery.
1219 *
1220 * Here we could use the address from the neighbour
1221 * solicit message to put in the state structure and
1222 * we could use that without a wildcard flag too...
1223 */
1224 flags |= SI_W_DADDR;
1225 hv -= is->is_daddr;
1226 } else {
1227 hv += is->is_dst.i6[1];
1228 hv += is->is_dst.i6[2];
1229 hv += is->is_dst.i6[3];
1230 }
1231 hv += is->is_src.i6[1];
1232 hv += is->is_src.i6[2];
1233 hv += is->is_src.i6[3];
1234 }
1235 #endif
1236 if ((fin->fin_v == 4) &&
1237 (fin->fin_flx & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST))) {
1238 if (fin->fin_out == 0) {
1239 flags |= SI_W_DADDR|SI_CLONE;
1240 hv -= is->is_daddr;
1241 } else {
1242 flags |= SI_W_SADDR|SI_CLONE;
1243 hv -= is->is_saddr;
1244 }
1245 }
1246
1247 switch (is->is_p)
1248 {
1249 #ifdef USE_INET6
1250 case IPPROTO_ICMPV6 :
1251 ic = fin->fin_dp;
1252
1253 switch (ic->icmp_type)
1254 {
1255 case ICMP6_ECHO_REQUEST :
1256 is->is_icmp.ici_type = ic->icmp_type;
1257 hv += (is->is_icmp.ici_id = ic->icmp_id);
1258 break;
1259 case ICMP6_MEMBERSHIP_QUERY :
1260 case ND_ROUTER_SOLICIT :
1261 case ND_NEIGHBOR_SOLICIT :
1262 case ICMP6_NI_QUERY :
1263 is->is_icmp.ici_type = ic->icmp_type;
1264 break;
1265 default :
1266 return NULL;
1267 }
1268 ATOMIC_INCL(ips_stats.iss_icmp);
1269 break;
1270 #endif
1271 case IPPROTO_ICMP :
1272 ic = fin->fin_dp;
1273
1274 switch (ic->icmp_type)
1275 {
1276 case ICMP_ECHO :
1277 case ICMP_TSTAMP :
1278 case ICMP_IREQ :
1279 case ICMP_MASKREQ :
1280 is->is_icmp.ici_type = ic->icmp_type;
1281 hv += (is->is_icmp.ici_id = ic->icmp_id);
1282 break;
1283 default :
1284 return NULL;
1285 }
1286 ATOMIC_INCL(ips_stats.iss_icmp);
1287 break;
1288
1289 case IPPROTO_GRE :
1290 gre = fin->fin_dp;
1291
1292 is->is_gre.gs_flags = gre->gr_flags;
1293 is->is_gre.gs_ptype = gre->gr_ptype;
1294 if (GRE_REV(is->is_gre.gs_flags) == 1) {
1295 is->is_call[0] = fin->fin_data[0];
1296 is->is_call[1] = fin->fin_data[1];
1297 }
1298 break;
1299
1300 case IPPROTO_TCP :
1301 tcp = fin->fin_dp;
1302
1303 if (tcp->th_flags & TH_RST)
1304 return NULL;
1305 /*
1306 * The endian of the ports doesn't matter, but the ack and
1307 * sequence numbers do as we do mathematics on them later.
1308 */
1309 is->is_sport = htons(fin->fin_data[0]);
1310 is->is_dport = htons(fin->fin_data[1]);
1311 if ((flags & (SI_W_DPORT|SI_W_SPORT)) == 0) {
1312 hv += is->is_sport;
1313 hv += is->is_dport;
1314 }
1315
1316 /*
1317 * If this is a real packet then initialise fields in the
1318 * state information structure from the TCP header information.
1319 */
1320
1321 is->is_maxdwin = 1;
1322 is->is_maxswin = ntohs(tcp->th_win);
1323 if (is->is_maxswin == 0)
1324 is->is_maxswin = 1;
1325
1326 if ((fin->fin_flx & FI_IGNORE) == 0) {
1327 is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
1328 (TCP_OFF(tcp) << 2) +
1329 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
1330 ((tcp->th_flags & TH_FIN) ? 1 : 0);
1331 is->is_maxsend = is->is_send;
1332
1333 /*
1334 * Window scale option is only present in
1335 * SYN/SYN-ACK packet.
1336 */
1337 if ((tcp->th_flags & ~(TH_FIN|TH_ACK|TH_ECNALL)) ==
1338 TH_SYN &&
1339 (TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
1340 if (fr_tcpoptions(fin, tcp,
1341 &is->is_tcp.ts_data[0]) == -1) {
1342 fin->fin_flx |= FI_BAD;
1343 }
1344 }
1345
1346 if ((fin->fin_out != 0) && (pass & FR_NEWISN) != 0) {
1347 fr_checknewisn(fin, is);
1348 fr_fixoutisn(fin, is);
1349 }
1350
1351 if ((tcp->th_flags & TH_OPENING) == TH_SYN)
1352 flags |= IS_TCPFSM;
1353 else {
1354 is->is_maxdwin = is->is_maxswin * 2;
1355 is->is_dend = ntohl(tcp->th_ack);
1356 is->is_maxdend = ntohl(tcp->th_ack);
1357 is->is_maxdwin *= 2;
1358 }
1359 }
1360
1361 /*
1362 * If we're creating state for a starting connection, start the
1363 * timer on it as we'll never see an error if it fails to
1364 * connect.
1365 */
1366 ATOMIC_INCL(ips_stats.iss_tcp);
1367 break;
1368
1369 case IPPROTO_UDP :
1370 tcp = fin->fin_dp;
1371
1372 is->is_sport = htons(fin->fin_data[0]);
1373 is->is_dport = htons(fin->fin_data[1]);
1374 if ((flags & (SI_W_DPORT|SI_W_SPORT)) == 0) {
1375 hv += tcp->th_dport;
1376 hv += tcp->th_sport;
1377 }
1378 ATOMIC_INCL(ips_stats.iss_udp);
1379 break;
1380
1381 default :
1382 break;
1383 }
1384 hv = DOUBLE_HASH(hv);
1385 is->is_hv = hv;
1386 is->is_rule = fr;
1387 is->is_flags = flags & IS_INHERITED;
1388
1389 /*
1390 * Look for identical state.
1391 */
1392 for (is = ips_table[is->is_hv % fr_statesize]; is != NULL;
1393 is = is->is_hnext) {
1394 if (ipf_state_match(&ips, is) == 1) {
1395 break;
1396 }
1397 }
1398 if (is != NULL)
1399 return NULL;
1400
1401 if (ips_stats.iss_bucketlen[hv] >= fr_state_maxbucket) {
1402 ATOMIC_INCL(ips_stats.iss_bucketfull);
1403 return NULL;
1404 }
1405 KMALLOC(is, ipstate_t *);
1406 if (is == NULL) {
1407 ATOMIC_INCL(ips_stats.iss_nomem);
1408 return NULL;
1409 }
1410 bcopy((char *)&ips, (char *)is, sizeof(*is));
1411 /*
1412 * Do not do the modulous here, it is done in fr_stinsert().
1413 */
1414 if (fr != NULL) {
1415 (void) strncpy(is->is_group, fr->fr_group, FR_GROUPLEN);
1416 if (fr->fr_age[0] != 0) {
1417 is->is_tqehead[0] = fr_addtimeoutqueue(&ips_utqe,
1418 fr->fr_age[0]);
1419 is->is_sti.tqe_flags |= TQE_RULEBASED;
1420 }
1421 if (fr->fr_age[1] != 0) {
1422 is->is_tqehead[1] = fr_addtimeoutqueue(&ips_utqe,
1423 fr->fr_age[1]);
1424 is->is_sti.tqe_flags |= TQE_RULEBASED;
1425 }
1426
1427 is->is_tag = fr->fr_logtag;
1428
1429 /*
1430 * The name '-' is special for network interfaces and causes
1431 * a NULL name to be present, always, allowing packets to
1432 * match it, regardless of their interface.
1433 */
1434 if ((fin->fin_ifp == NULL) ||
1435 (fr->fr_ifnames[out << 1][0] == '-' &&
1436 fr->fr_ifnames[out << 1][1] == '\0')) {
1437 is->is_ifp[out << 1] = fr->fr_ifas[0];
1438 strncpy(is->is_ifname[out << 1], fr->fr_ifnames[0],
1439 sizeof(fr->fr_ifnames[0]));
1440 } else {
1441 is->is_ifp[out << 1] = fin->fin_ifp;
1442 COPYIFNAME(is->is_v, fin->fin_ifp,
1443 is->is_ifname[out << 1]);
1444 }
1445
1446 is->is_ifp[(out << 1) + 1] = fr->fr_ifas[1];
1447 strncpy(is->is_ifname[(out << 1) + 1], fr->fr_ifnames[1],
1448 sizeof(fr->fr_ifnames[1]));
1449
1450 is->is_ifp[(1 - out) << 1] = fr->fr_ifas[2];
1451 strncpy(is->is_ifname[((1 - out) << 1)], fr->fr_ifnames[2],
1452 sizeof(fr->fr_ifnames[2]));
1453
1454 is->is_ifp[((1 - out) << 1) + 1] = fr->fr_ifas[3];
1455 strncpy(is->is_ifname[((1 - out) << 1) + 1], fr->fr_ifnames[3],
1456 sizeof(fr->fr_ifnames[3]));
1457 } else {
1458 pass = fr_flags;
1459 is->is_tag = FR_NOLOGTAG;
1460
1461 if (fin->fin_ifp != NULL) {
1462 is->is_ifp[out << 1] = fin->fin_ifp;
1463 COPYIFNAME(is->is_v, fin->fin_ifp,
1464 is->is_ifname[out << 1]);
1465 }
1466 }
1467
1468 is->is_ref = 1;
1469 is->is_pass = pass;
1470 is->is_pkts[0] = 0, is->is_bytes[0] = 0;
1471 is->is_pkts[1] = 0, is->is_bytes[1] = 0;
1472 is->is_pkts[2] = 0, is->is_bytes[2] = 0;
1473 is->is_pkts[3] = 0, is->is_bytes[3] = 0;
1474 if ((fin->fin_flx & FI_IGNORE) == 0) {
1475 is->is_pkts[out] = 1;
1476 is->is_bytes[out] = fin->fin_plen;
1477 is->is_flx[out][0] = fin->fin_flx & FI_CMP;
1478 is->is_flx[out][0] &= ~FI_OOW;
1479 }
1480
1481 if (pass & FR_STSTRICT)
1482 is->is_flags |= IS_STRICT;
1483
1484 if (pass & FR_STATESYNC)
1485 is->is_flags |= IS_STATESYNC;
1486
1487 /*
1488 * We want to check everything that is a property of this packet,
1489 * but we don't (automatically) care about it's fragment status as
1490 * this may change.
1491 */
1492 is->is_v = fin->fin_v;
1493 is->is_opt[0] = fin->fin_optmsk;
1494 is->is_optmsk[0] = 0xffffffff;
1495 is->is_optmsk[1] = 0xffffffff;
1496 if (is->is_v == 6) {
1497 is->is_opt[0] &= ~0x8;
1498 is->is_optmsk[0] &= ~0x8;
1499 is->is_optmsk[1] &= ~0x8;
1500 }
1501 is->is_me = stsave;
1502 is->is_sec = fin->fin_secmsk;
1503 is->is_secmsk = 0xffff;
1504 is->is_auth = fin->fin_auth;
1505 is->is_authmsk = 0xffff;
1506 if (flags & (SI_WILDP|SI_WILDA)) {
1507 ATOMIC_INCL(ips_stats.iss_wild);
1508 }
1509 is->is_rulen = fin->fin_rule;
1510
1511
1512 if (pass & FR_LOGFIRST)
1513 is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
1514
1515 READ_ENTER(&ipf_state);
1516
1517 fr_stinsert(is, fin->fin_rev);
1518
1519 if (fin->fin_p == IPPROTO_TCP) {
1520 /*
1521 * If we're creating state for a starting connection, start the
1522 * timer on it as we'll never see an error if it fails to
1523 * connect.
1524 */
1525 (void) fr_tcp_age(&is->is_sti, fin, ips_tqtqb, is->is_flags);
1526 MUTEX_EXIT(&is->is_lock);
1527 #ifdef IPFILTER_SCAN
1528 if ((is->is_flags & SI_CLONE) == 0)
1529 (void) ipsc_attachis(is);
1530 #endif
1531 } else {
1532 MUTEX_EXIT(&is->is_lock);
1533 }
1534 #ifdef IPFILTER_SYNC
1535 if ((is->is_flags & IS_STATESYNC) && ((is->is_flags & SI_CLONE) == 0))
1536 is->is_sync = ipfsync_new(SMC_STATE, fin, is);
1537 #endif
1538 if (ipstate_logging)
1539 ipstate_log(is, ISL_NEW);
1540
1541 RWLOCK_EXIT(&ipf_state);
1542 fin->fin_rev = IP6_NEQ(&is->is_dst, &fin->fin_daddr);
1543 fin->fin_flx |= FI_STATE;
1544 if (fin->fin_flx & FI_FRAG)
1545 (void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
1546
1547 return is;
1548 }
1549
1550
1551 /* ------------------------------------------------------------------------ */
1552 /* Function: fr_tcpoptions */
1553 /* Returns: int - 1 == packet matches state entry, 0 == it does not, */
1554 /* -1 == packet has bad TCP options data */
1555 /* Parameters: fin(I) - pointer to packet information */
1556 /* tcp(I) - pointer to TCP packet header */
1557 /* td(I) - pointer to TCP data held as part of the state */
1558 /* */
1559 /* Look after the TCP header for any options and deal with those that are */
1560 /* present. Record details about those that we recogise. */
1561 /* ------------------------------------------------------------------------ */
1562 static int fr_tcpoptions(fin, tcp, td)
1563 fr_info_t *fin;
1564 tcphdr_t *tcp;
1565 tcpdata_t *td;
1566 {
1567 int off, mlen, ol, i, len, retval;
1568 char buf[64], *s, opt;
1569 mb_t *m = NULL;
1570
1571 len = (TCP_OFF(tcp) << 2);
1572 if (fin->fin_dlen < len)
1573 return 0;
1574 len -= sizeof(*tcp);
1575
1576 off = fin->fin_plen - fin->fin_dlen + sizeof(*tcp) + fin->fin_ipoff;
1577
1578 m = fin->fin_m;
1579 mlen = MSGDSIZE(m) - off;
1580 if (len > mlen) {
1581 len = mlen;
1582 retval = 0;
1583 } else {
1584 retval = 1;
1585 }
1586
1587 COPYDATA(m, off, len, buf);
1588
1589 for (s = buf; len > 0; ) {
1590 opt = *s;
1591 if (opt == TCPOPT_EOL)
1592 break;
1593 else if (opt == TCPOPT_NOP)
1594 ol = 1;
1595 else {
1596 if (len < 2)
1597 break;
1598 ol = (int)*(s + 1);
1599 if (ol < 2 || ol > len)
1600 break;
1601
1602 /*
1603 * Extract the TCP options we are interested in out of
1604 * the header and store them in the tcpdata struct.
1605 */
1606 switch (opt)
1607 {
1608 case TCPOPT_WINDOW :
1609 if (ol == TCPOLEN_WINDOW) {
1610 i = (int)*(s + 2);
1611 if (i > TCP_WSCALE_MAX)
1612 i = TCP_WSCALE_MAX;
1613 else if (i < 0)
1614 i = 0;
1615 td->td_winscale = i;
1616 td->td_winflags |= TCP_WSCALE_SEEN|
1617 TCP_WSCALE_FIRST;
1618 } else
1619 retval = -1;
1620 break;
1621 case TCPOPT_MAXSEG :
1622 /*
1623 * So, if we wanted to set the TCP MAXSEG,
1624 * it should be done here...
1625 */
1626 if (ol == TCPOLEN_MAXSEG) {
1627 i = (int)*(s + 2);
1628 i <<= 8;
1629 i += (int)*(s + 3);
1630 td->td_maxseg = i;
1631 } else
1632 retval = -1;
1633 break;
1634 case TCPOPT_SACK_PERMITTED :
1635 if (ol == TCPOLEN_SACK_PERMITTED)
1636 td->td_winflags |= TCP_SACK_PERMIT;
1637 else
1638 retval = -1;
1639 break;
1640 }
1641 }
1642 len -= ol;
1643 s += ol;
1644 }
1645 return retval;
1646 }
1647
1648
1649 /* ------------------------------------------------------------------------ */
1650 /* Function: fr_tcpstate */
1651 /* Returns: int - 1 == packet matches state entry, 0 == it does not */
1652 /* Parameters: fin(I) - pointer to packet information */
1653 /* tcp(I) - pointer to TCP packet header */
1654 /* is(I) - pointer to master state structure */
1655 /* */
1656 /* Check to see if a packet with TCP headers fits within the TCP window. */
1657 /* Change timeout depending on whether new packet is a SYN-ACK returning */
1658 /* for a SYN or a RST or FIN which indicate time to close up shop. */
1659 /* ------------------------------------------------------------------------ */
1660 static int fr_tcpstate(fin, tcp, is)
1661 fr_info_t *fin;
1662 tcphdr_t *tcp;
1663 ipstate_t *is;
1664 {
1665 int source, ret = 0, flags;
1666 tcpdata_t *fdata, *tdata;
1667
1668 source = !fin->fin_rev;
1669 if (((is->is_flags & IS_TCPFSM) != 0) && (source == 1) &&
1670 (ntohs(is->is_sport) != fin->fin_data[0]))
1671 source = 0;
1672 fdata = &is->is_tcp.ts_data[!source];
1673 tdata = &is->is_tcp.ts_data[source];
1674
1675 MUTEX_ENTER(&is->is_lock);
1676
1677 /*
1678 * If a SYN packet is received for a connection that is on the way out
1679 * but hasn't yet departed then advance this session along the way.
1680 */
1681 if ((tcp->th_flags & TH_OPENING) == TH_SYN) {
1682 if ((is->is_state[0] > IPF_TCPS_ESTABLISHED) &&
1683 (is->is_state[1] > IPF_TCPS_ESTABLISHED)) {
1684 is->is_state[!source] = IPF_TCPS_CLOSED;
1685 fr_movequeue(&is->is_sti, is->is_sti.tqe_ifq,
1686 &ips_deletetq);
1687 MUTEX_EXIT(&is->is_lock);
1688 return 0;
1689 }
1690 }
1691
1692 ret = fr_tcpinwindow(fin, fdata, tdata, tcp, is->is_flags);
1693 if (ret > 0) {
1694 #ifdef IPFILTER_SCAN
1695 if (is->is_flags & (IS_SC_CLIENT|IS_SC_SERVER)) {
1696 ipsc_packet(fin, is);
1697 if (FR_ISBLOCK(is->is_pass)) {
1698 MUTEX_EXIT(&is->is_lock);
1699 return 1;
1700 }
1701 }
1702 #endif
1703
1704 /*
1705 * Nearing end of connection, start timeout.
1706 */
1707 ret = fr_tcp_age(&is->is_sti, fin, ips_tqtqb, is->is_flags);
1708 if (ret == 0) {
1709 MUTEX_EXIT(&is->is_lock);
1710 return 0;
1711 }
1712
1713 /*
1714 * set s0's as appropriate. Use syn-ack packet as it
1715 * contains both pieces of required information.
1716 */
1717 /*
1718 * Window scale option is only present in SYN/SYN-ACK packet.
1719 * Compare with ~TH_FIN to mask out T/TCP setups.
1720 */
1721 flags = tcp->th_flags & ~(TH_FIN|TH_ECNALL);
1722 if (flags == (TH_SYN|TH_ACK)) {
1723 is->is_s0[source] = ntohl(tcp->th_ack);
1724 is->is_s0[!source] = ntohl(tcp->th_seq) + 1;
1725 if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
1726 if (fr_tcpoptions(fin, tcp, fdata) == -1)
1727 fin->fin_flx |= FI_BAD;
1728 }
1729 if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
1730 fr_checknewisn(fin, is);
1731 } else if (flags == TH_SYN) {
1732 is->is_s0[source] = ntohl(tcp->th_seq) + 1;
1733 if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
1734 if (fr_tcpoptions(fin, tcp, fdata) == -1)
1735 fin->fin_flx |= FI_BAD;
1736 }
1737
1738 if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
1739 fr_checknewisn(fin, is);
1740
1741 }
1742 ret = 1;
1743 } else {
1744 fin->fin_flx |= FI_OOW;
1745 }
1746 MUTEX_EXIT(&is->is_lock);
1747 return ret;
1748 }
1749
1750
1751 /* ------------------------------------------------------------------------ */
1752 /* Function: fr_checknewisn */
1753 /* Returns: Nil */
1754 /* Parameters: fin(I) - pointer to packet information */
1755 /* is(I) - pointer to master state structure */
1756 /* */
1757 /* Check to see if this TCP connection is expecting and needs a new */
1758 /* sequence number for a particular direction of the connection. */
1759 /* */
1760 /* NOTE: This does not actually change the sequence numbers, only gets new */
1761 /* one ready. */
1762 /* ------------------------------------------------------------------------ */
1763 static void fr_checknewisn(fin, is)
1764 fr_info_t *fin;
1765 ipstate_t *is;
1766 {
1767 u_32_t sumd, old, new;
1768 tcphdr_t *tcp;
1769 int i;
1770
1771 i = fin->fin_rev;
1772 tcp = fin->fin_dp;
1773
1774 if (((i == 0) && !(is->is_flags & IS_ISNSYN)) ||
1775 ((i == 1) && !(is->is_flags & IS_ISNACK))) {
1776 old = ntohl(tcp->th_seq);
1777 new = fr_newisn(fin);
1778 is->is_isninc[i] = new - old;
1779 CALC_SUMD(old, new, sumd);
1780 is->is_sumd[i] = (sumd & 0xffff) + (sumd >> 16);
1781
1782 is->is_flags |= ((i == 0) ? IS_ISNSYN : IS_ISNACK);
1783 }
1784 }
1785
1786
1787 /* ------------------------------------------------------------------------ */
1788 /* Function: fr_tcpinwindow */
1789 /* Returns: int - 1 == packet inside TCP "window", 0 == not inside, */
1790 /* 2 == packet seq number matches next expected */
1791 /* Parameters: fin(I) - pointer to packet information */
1792 /* fdata(I) - pointer to tcp state informatio (forward) */
1793 /* tdata(I) - pointer to tcp state informatio (reverse) */
1794 /* tcp(I) - pointer to TCP packet header */
1795 /* */
1796 /* Given a packet has matched addresses and ports, check to see if it is */
1797 /* within the TCP data window. In a show of generosity, allow packets that */
1798 /* are within the window space behind the current sequence # as well. */
1799 /* ------------------------------------------------------------------------ */
1800 int fr_tcpinwindow(fin, fdata, tdata, tcp, flags)
1801 fr_info_t *fin;
1802 tcpdata_t *fdata, *tdata;
1803 tcphdr_t *tcp;
1804 int flags;
1805 {
1806 tcp_seq seq, ack, end;
1807 int ackskew, tcpflags;
1808 u_32_t win, maxwin;
1809 int dsize, inseq;
1810
1811 /*
1812 * Find difference between last checked packet and this packet.
1813 */
1814 tcpflags = tcp->th_flags;
1815 seq = ntohl(tcp->th_seq);
1816 ack = ntohl(tcp->th_ack);
1817 if (tcpflags & TH_SYN)
1818 win = ntohs(tcp->th_win);
1819 else
1820 win = ntohs(tcp->th_win) << fdata->td_winscale;
1821
1822 /*
1823 * A window of 0 produces undesirable behaviour from this function.
1824 */
1825 if (win == 0)
1826 win = 1;
1827
1828 dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
1829 ((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0);
1830
1831 /*
1832 * if window scaling is present, the scaling is only allowed
1833 * for windows not in the first SYN packet. In that packet the
1834 * window is 65535 to specify the largest window possible
1835 * for receivers not implementing the window scale option.
1836 * Currently, we do not assume TTCP here. That means that
1837 * if we see a second packet from a host (after the initial
1838 * SYN), we can assume that the receiver of the SYN did
1839 * already send back the SYN/ACK (and thus that we know if
1840 * the receiver also does window scaling)
1841 */
1842 if (!(tcpflags & TH_SYN) && (fdata->td_winflags & TCP_WSCALE_FIRST)) {
1843 fdata->td_winflags &= ~TCP_WSCALE_FIRST;
1844 fdata->td_maxwin = win;
1845 }
1846
1847 end = seq + dsize;
1848
1849 if ((fdata->td_end == 0) &&
1850 (!(flags & IS_TCPFSM) ||
1851 ((tcpflags & TH_OPENING) == TH_OPENING))) {
1852 /*
1853 * Must be a (outgoing) SYN-ACK in reply to a SYN.
1854 */
1855 fdata->td_end = end - 1;
1856 fdata->td_maxwin = 1;
1857 fdata->td_maxend = end + win;
1858 }
1859
1860 if (!(tcpflags & TH_ACK)) { /* Pretend an ack was sent */
1861 ack = tdata->td_end;
1862 } else if (((tcpflags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
1863 (ack == 0)) {
1864 /* gross hack to get around certain broken tcp stacks */
1865 ack = tdata->td_end;
1866 }
1867
1868 maxwin = tdata->td_maxwin;
1869 ackskew = tdata->td_end - ack;
1870
1871 /*
1872 * Strict sequencing only allows in-order delivery.
1873 */
1874 if (seq != fdata->td_end) {
1875 if ((flags & IS_STRICT) != 0) {
1876 return 0;
1877 }
1878 }
1879
1880 inseq = 0;
1881 if ((SEQ_GE(fdata->td_maxend, end)) &&
1882 (SEQ_GE(seq, fdata->td_end - maxwin)) &&
1883 /* XXX what about big packets */
1884 #define MAXACKWINDOW 66000
1885 (-ackskew <= (MAXACKWINDOW)) &&
1886 ( ackskew <= (MAXACKWINDOW << fdata->td_winscale))) {
1887 inseq = 1;
1888 /*
1889 * Microsoft Windows will send the next packet to the right of the
1890 * window if SACK is in use.
1891 */
1892 } else if ((seq == fdata->td_maxend) && (ackskew == 0) &&
1893 (fdata->td_winflags & TCP_SACK_PERMIT) &&
1894 (tdata->td_winflags & TCP_SACK_PERMIT)) {
1895 inseq = 1;
1896 /*
1897 * Sometimes a TCP RST will be generated with only the ACK field
1898 * set to non-zero.
1899 */
1900 } else if ((seq == 0) && (tcpflags == (TH_RST|TH_ACK)) &&
1901 (ackskew >= -1) && (ackskew <= 1)) {
1902 inseq = 1;
1903 } else if (!(flags & IS_TCPFSM)) {
1904 int i;
1905
1906 i = (fin->fin_rev << 1) + fin->fin_out;
1907
1908 #if 0
1909 if (is_pkts[i]0 == 0) {
1910 /*
1911 * Picking up a connection in the middle, the "next"
1912 * packet seen from a direction that is new should be
1913 * accepted, even if it appears out of sequence.
1914 */
1915 inseq = 1;
1916 } else
1917 #endif
1918 if (!(fdata->td_winflags &
1919 (TCP_WSCALE_SEEN|TCP_WSCALE_FIRST))) {
1920 /*
1921 * No TCPFSM and no window scaling, so make some
1922 * extra guesses.
1923 */
1924 if ((seq == fdata->td_maxend) && (ackskew == 0))
1925 inseq = 1;
1926 else if (SEQ_GE(seq + maxwin, fdata->td_end - maxwin))
1927 inseq = 1;
1928 }
1929 }
1930
1931 /* TRACE(inseq, fdata, tdata, seq, end, ack, ackskew, win, maxwin) */
1932
1933 if (inseq) {
1934 /* if ackskew < 0 then this should be due to fragmented
1935 * packets. There is no way to know the length of the
1936 * total packet in advance.
1937 * We do know the total length from the fragment cache though.
1938 * Note however that there might be more sessions with
1939 * exactly the same source and destination parameters in the
1940 * state cache (and source and destination is the only stuff
1941 * that is saved in the fragment cache). Note further that
1942 * some TCP connections in the state cache are hashed with
1943 * sport and dport as well which makes it not worthwhile to
1944 * look for them.
1945 * Thus, when ackskew is negative but still seems to belong
1946 * to this session, we bump up the destinations end value.
1947 */
1948 if (ackskew < 0)
1949 tdata->td_end = ack;
1950
1951 /* update max window seen */
1952 if (fdata->td_maxwin < win)
1953 fdata->td_maxwin = win;
1954 if (SEQ_GT(end, fdata->td_end))
1955 fdata->td_end = end;
1956 if (SEQ_GE(ack + win, tdata->td_maxend))
1957 tdata->td_maxend = ack + win;
1958 return 1;
1959 }
1960 return 0;
1961 }
1962
1963
1964 /* ------------------------------------------------------------------------ */
1965 /* Function: fr_stclone */
1966 /* Returns: ipstate_t* - NULL == cloning failed, */
1967 /* else pointer to new state structure */
1968 /* Parameters: fin(I) - pointer to packet information */
1969 /* tcp(I) - pointer to TCP/UDP header */
1970 /* is(I) - pointer to master state structure */
1971 /* */
1972 /* Create a "duplcate" state table entry from the master. */
1973 /* ------------------------------------------------------------------------ */
1974 static ipstate_t *fr_stclone(fin, tcp, is)
1975 fr_info_t *fin;
1976 tcphdr_t *tcp;
1977 ipstate_t *is;
1978 {
1979 ipstate_t *clone;
1980 u_32_t send;
1981
1982 if (ips_num == fr_statemax) {
1983 ATOMIC_INCL(ips_stats.iss_max);
1984 fr_state_doflush = 1;
1985 return NULL;
1986 }
1987 KMALLOC(clone, ipstate_t *);
1988 if (clone == NULL)
1989 return NULL;
1990 bcopy((char *)is, (char *)clone, sizeof(*clone));
1991
1992 MUTEX_NUKE(&clone->is_lock);
1993 /*
1994 * It has not yet been placed on any timeout queue, so make sure
1995 * all of that data is zero'd out.
1996 */
1997 clone->is_sti.tqe_pnext = NULL;
1998 clone->is_sti.tqe_next = NULL;
1999 clone->is_sti.tqe_ifq = NULL;
2000 clone->is_sti.tqe_parent = clone;
2001
2002 clone->is_die = ONE_DAY + fr_ticks;
2003 clone->is_state[0] = 0;
2004 clone->is_state[1] = 0;
2005 send = ntohl(tcp->th_seq) + fin->fin_dlen - (TCP_OFF(tcp) << 2) +
2006 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
2007 ((tcp->th_flags & TH_FIN) ? 1 : 0);
2008
2009 if (fin->fin_rev == 1) {
2010 clone->is_dend = send;
2011 clone->is_maxdend = send;
2012 clone->is_send = 0;
2013 clone->is_maxswin = 1;
2014 clone->is_maxdwin = ntohs(tcp->th_win);
2015 if (clone->is_maxdwin == 0)
2016 clone->is_maxdwin = 1;
2017 } else {
2018 clone->is_send = send;
2019 clone->is_maxsend = send;
2020 clone->is_dend = 0;
2021 clone->is_maxdwin = 1;
2022 clone->is_maxswin = ntohs(tcp->th_win);
2023 if (clone->is_maxswin == 0)
2024 clone->is_maxswin = 1;
2025 }
2026
2027 clone->is_flags &= ~SI_CLONE;
2028 clone->is_flags |= SI_CLONED;
2029 fr_stinsert(clone, fin->fin_rev);
2030 clone->is_ref = 1;
2031 if (clone->is_p == IPPROTO_TCP) {
2032 (void) fr_tcp_age(&clone->is_sti, fin, ips_tqtqb,
2033 clone->is_flags);
2034 }
2035 MUTEX_EXIT(&clone->is_lock);
2036 #ifdef IPFILTER_SCAN
2037 (void) ipsc_attachis(is);
2038 #endif
2039 #ifdef IPFILTER_SYNC
2040 if (is->is_flags & IS_STATESYNC)
2041 clone->is_sync = ipfsync_new(SMC_STATE, fin, clone);
2042 #endif
2043 return clone;
2044 }
2045
2046
2047 /* ------------------------------------------------------------------------ */
2048 /* Function: fr_matchsrcdst */
2049 /* Returns: Nil */
2050 /* Parameters: fin(I) - pointer to packet information */
2051 /* is(I) - pointer to state structure */
2052 /* src(I) - pointer to source address */
2053 /* dst(I) - pointer to destination address */
2054 /* tcp(I) - pointer to TCP/UDP header */
2055 /* */
2056 /* Match a state table entry against an IP packet. The logic below is that */
2057 /* ret gets set to one if the match succeeds, else remains 0. If it is */
2058 /* still 0 after the test. no match. */
2059 /* ------------------------------------------------------------------------ */
2060 static ipstate_t *fr_matchsrcdst(fin, is, src, dst, tcp, cmask)
2061 fr_info_t *fin;
2062 ipstate_t *is;
2063 i6addr_t *src, *dst;
2064 tcphdr_t *tcp;
2065 u_32_t cmask;
2066 {
2067 int ret = 0, rev, out, flags, flx = 0, idx;
2068 u_short sp, dp;
2069 u_32_t cflx;
2070 void *ifp;
2071
2072 /*
2073 * If a connection is about to be deleted, no packets
2074 * are allowed to match it.
2075 */
2076 if (is->is_sti.tqe_ifq == &ips_deletetq)
2077 return NULL;
2078
2079 rev = IP6_NEQ(&is->is_dst, dst);
2080 ifp = fin->fin_ifp;
2081 out = fin->fin_out;
2082 flags = is->is_flags;
2083 sp = 0;
2084 dp = 0;
2085
2086 if (tcp != NULL) {
2087 sp = htons(fin->fin_sport);
2088 dp = ntohs(fin->fin_dport);
2089 }
2090 if (!rev) {
2091 if (tcp != NULL) {
2092 if (!(flags & SI_W_SPORT) && (sp != is->is_sport))
2093 rev = 1;
2094 else if (!(flags & SI_W_DPORT) && (dp != is->is_dport))
2095 rev = 1;
2096 }
2097 }
2098
2099 idx = (out << 1) + rev;
2100
2101 /*
2102 * If the interface for this 'direction' is set, make sure it matches.
2103 * An interface name that is not set matches any, as does a name of *.
2104 */
2105 if ((is->is_ifp[idx] == ifp) || (is->is_ifp[idx] == NULL &&
2106 (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '-' ||
2107 *is->is_ifname[idx] == '*')))
2108 ret = 1;
2109
2110 if (ret == 0)
2111 return NULL;
2112 ret = 0;
2113
2114 /*
2115 * Match addresses and ports.
2116 */
2117 if (rev == 0) {
2118 if ((IP6_EQ(&is->is_dst, dst) || (flags & SI_W_DADDR)) &&
2119 (IP6_EQ(&is->is_src, src) || (flags & SI_W_SADDR))) {
2120 if (tcp) {
2121 if ((sp == is->is_sport || flags & SI_W_SPORT)&&
2122 (dp == is->is_dport || flags & SI_W_DPORT))
2123 ret = 1;
2124 } else {
2125 ret = 1;
2126 }
2127 }
2128 } else {
2129 if ((IP6_EQ(&is->is_dst, src) || (flags & SI_W_DADDR)) &&
2130 (IP6_EQ(&is->is_src, dst) || (flags & SI_W_SADDR))) {
2131 if (tcp) {
2132 if ((dp == is->is_sport || flags & SI_W_SPORT)&&
2133 (sp == is->is_dport || flags & SI_W_DPORT))
2134 ret = 1;
2135 } else {
2136 ret = 1;
2137 }
2138 }
2139 }
2140
2141 if (ret == 0)
2142 return NULL;
2143
2144 /*
2145 * Whether or not this should be here, is questionable, but the aim
2146 * is to get this out of the main line.
2147 */
2148 if (tcp == NULL)
2149 flags = is->is_flags & ~(SI_WILDP|SI_NEWFR|SI_CLONE|SI_CLONED);
2150
2151 /*
2152 * Only one of the source or destination address can be flaged as a
2153 * wildcard. Fill in the missing address, if set.
2154 * For IPv6, if the address being copied in is multicast, then
2155 * don't reset the wild flag - multicast causes it to be set in the
2156 * first place!
2157 */
2158 if ((flags & (SI_W_SADDR|SI_W_DADDR))) {
2159 fr_ip_t *fi = &fin->fin_fi;
2160
2161 if ((flags & SI_W_SADDR) != 0) {
2162 if (rev == 0) {
2163 #ifdef USE_INET6
2164 if (is->is_v == 6 &&
2165 IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6))
2166 /*EMPTY*/;
2167 else
2168 #endif
2169 {
2170 is->is_src = fi->fi_src;
2171 is->is_flags &= ~SI_W_SADDR;
2172 }
2173 } else {
2174 #ifdef USE_INET6
2175 if (is->is_v == 6 &&
2176 IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6))
2177 /*EMPTY*/;
2178 else
2179 #endif
2180 {
2181 is->is_src = fi->fi_dst;
2182 is->is_flags &= ~SI_W_SADDR;
2183 }
2184 }
2185 } else if ((flags & SI_W_DADDR) != 0) {
2186 if (rev == 0) {
2187 #ifdef USE_INET6
2188 if (is->is_v == 6 &&
2189 IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6))
2190 /*EMPTY*/;
2191 else
2192 #endif
2193 {
2194 is->is_dst = fi->fi_dst;
2195 is->is_flags &= ~SI_W_DADDR;
2196 }
2197 } else {
2198 #ifdef USE_INET6
2199 if (is->is_v == 6 &&
2200 IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6))
2201 /*EMPTY*/;
2202 else
2203 #endif
2204 {
2205 is->is_dst = fi->fi_src;
2206 is->is_flags &= ~SI_W_DADDR;
2207 }
2208 }
2209 }
2210 if ((is->is_flags & (SI_WILDA|SI_WILDP)) == 0) {
2211 ATOMIC_DECL(ips_stats.iss_wild);
2212 }
2213 }
2214
2215 flx = fin->fin_flx & cmask;
2216 cflx = is->is_flx[out][rev];
2217
2218 /*
2219 * Match up any flags set from IP options.
2220 */
2221 if ((cflx && (flx != (cflx & cmask))) ||
2222 ((fin->fin_optmsk & is->is_optmsk[rev]) != is->is_opt[rev]) ||
2223 ((fin->fin_secmsk & is->is_secmsk) != is->is_sec) ||
2224 ((fin->fin_auth & is->is_authmsk) != is->is_auth))
2225 return NULL;
2226
2227 /*
2228 * Only one of the source or destination port can be flagged as a
2229 * wildcard. When filling it in, fill in a copy of the matched entry
2230 * if it has the cloning flag set.
2231 */
2232 if ((fin->fin_flx & FI_IGNORE) != 0) {
2233 fin->fin_rev = rev;
2234 return is;
2235 }
2236
2237 if ((flags & (SI_W_SPORT|SI_W_DPORT))) {
2238 if ((flags & SI_CLONE) != 0) {
2239 ipstate_t *clone;
2240
2241 clone = fr_stclone(fin, tcp, is);
2242 if (clone == NULL)
2243 return NULL;
2244 is = clone;
2245 } else {
2246 ATOMIC_DECL(ips_stats.iss_wild);
2247 }
2248
2249 if ((flags & SI_W_SPORT) != 0) {
2250 if (rev == 0) {
2251 is->is_sport = sp;
2252 is->is_send = ntohl(tcp->th_seq);
2253 } else {
2254 is->is_sport = dp;
2255 is->is_send = ntohl(tcp->th_ack);
2256 }
2257 is->is_maxsend = is->is_send + 1;
2258 } else if ((flags & SI_W_DPORT) != 0) {
2259 if (rev == 0) {
2260 is->is_dport = dp;
2261 is->is_dend = ntohl(tcp->th_ack);
2262 } else {
2263 is->is_dport = sp;
2264 is->is_dend = ntohl(tcp->th_seq);
2265 }
2266 is->is_maxdend = is->is_dend + 1;
2267 }
2268 is->is_flags &= ~(SI_W_SPORT|SI_W_DPORT);
2269 if ((flags & SI_CLONED) && ipstate_logging)
2270 ipstate_log(is, ISL_CLONE);
2271 }
2272
2273 ret = -1;
2274
2275 if (is->is_flx[out][rev] == 0) {
2276 is->is_flx[out][rev] = flx;
2277 is->is_opt[rev] = fin->fin_optmsk;
2278 if (is->is_v == 6) {
2279 is->is_opt[rev] &= ~0x8;
2280 is->is_optmsk[rev] &= ~0x8;
2281 }
2282 }
2283
2284 /*
2285 * Check if the interface name for this "direction" is set and if not,
2286 * fill it in.
2287 */
2288 if (is->is_ifp[idx] == NULL &&
2289 (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) {
2290 is->is_ifp[idx] = ifp;
2291 COPYIFNAME(is->is_v, ifp, is->is_ifname[idx]);
2292 }
2293 fin->fin_rev = rev;
2294 return is;
2295 }
2296
2297
2298 /* ------------------------------------------------------------------------ */
2299 /* Function: fr_checkicmpmatchingstate */
2300 /* Returns: Nil */
2301 /* Parameters: fin(I) - pointer to packet information */
2302 /* */
2303 /* If we've got an ICMP error message, using the information stored in the */
2304 /* ICMP packet, look for a matching state table entry. */
2305 /* */
2306 /* If we return NULL then no lock on ipf_state is held. */
2307 /* If we return non-null then a read-lock on ipf_state is held. */
2308 /* ------------------------------------------------------------------------ */
2309 static ipstate_t *fr_checkicmpmatchingstate(fin)
2310 fr_info_t *fin;
2311 {
2312 ipstate_t *is, **isp;
2313 u_short sport, dport;
2314 u_char pr;
2315 int backward, i, oi;
2316 i6addr_t dst, src;
2317 struct icmp *ic;
2318 u_short savelen;
2319 icmphdr_t *icmp;
2320 fr_info_t ofin;
2321 tcphdr_t *tcp;
2322 int type, len;
2323 ip_t *oip;
2324 u_int hv;
2325
2326 /*
2327 * Does it at least have the return (basic) IP header ?
2328 * Is it an actual recognised ICMP error type?
2329 * Only a basic IP header (no options) should be with
2330 * an ICMP error header.
2331 */
2332 if ((fin->fin_v != 4) || (fin->fin_hlen != sizeof(ip_t)) ||
2333 (fin->fin_plen < ICMPERR_MINPKTLEN) ||
2334 !(fin->fin_flx & FI_ICMPERR))
2335 return NULL;
2336 ic = fin->fin_dp;
2337 type = ic->icmp_type;
2338
2339 oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
2340 /*
2341 * Check if the at least the old IP header (with options) and
2342 * 8 bytes of payload is present.
2343 */
2344 if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((IP_HL(oip) - 5) << 2))
2345 return NULL;
2346
2347 /*
2348 * Sanity Checks.
2349 */
2350 len = fin->fin_dlen - ICMPERR_ICMPHLEN;
2351 if ((len <= 0) || ((IP_HL(oip) << 2) > len))
2352 return NULL;
2353
2354 /*
2355 * Is the buffer big enough for all of it ? It's the size of the IP
2356 * header claimed in the encapsulated part which is of concern. It
2357 * may be too big to be in this buffer but not so big that it's
2358 * outside the ICMP packet, leading to TCP deref's causing problems.
2359 * This is possible because we don't know how big oip_hl is when we
2360 * do the pullup early in fr_check() and thus can't guarantee it is
2361 * all here now.
2362 */
2363 #ifdef _KERNEL
2364 {
2365 mb_t *m;
2366
2367 m = fin->fin_m;
2368 # if defined(MENTAT)
2369 if ((char *)oip + len > (char *)m->b_wptr)
2370 return NULL;
2371 # else
2372 if ((char *)oip + len > (char *)fin->fin_ip + m->m_len)
2373 return NULL;
2374 # endif
2375 }
2376 #endif
2377 bcopy((char *)fin, (char *)&ofin, sizeof(*fin));
2378
2379 /*
2380 * in the IPv4 case we must zero the i6addr union otherwise
2381 * the IP6_EQ and IP6_NEQ macros produce the wrong results because
2382 * of the 'junk' in the unused part of the union
2383 */
2384 bzero((char *)&src, sizeof(src));
2385 bzero((char *)&dst, sizeof(dst));
2386
2387 /*
2388 * we make an fin entry to be able to feed it to
2389 * matchsrcdst note that not all fields are encessary
2390 * but this is the cleanest way. Note further we fill
2391 * in fin_mp such that if someone uses it we'll get
2392 * a kernel panic. fr_matchsrcdst does not use this.
2393 *
2394 * watch out here, as ip is in host order and oip in network
2395 * order. Any change we make must be undone afterwards, like
2396 * oip->ip_off - it is still in network byte order so fix it.
2397 */
2398 savelen = oip->ip_len;
2399 oip->ip_len = len;
2400 oip->ip_off = ntohs(oip->ip_off);
2401
2402 ofin.fin_flx = FI_NOCKSUM;
2403 ofin.fin_v = 4;
2404 ofin.fin_ip = oip;
2405 ofin.fin_m = NULL; /* if dereferenced, panic XXX */
2406 ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
2407 (void) fr_makefrip(IP_HL(oip) << 2, oip, &ofin);
2408 ofin.fin_ifp = fin->fin_ifp;
2409 ofin.fin_out = !fin->fin_out;
2410 /*
2411 * Reset the short and bad flag here because in fr_matchsrcdst()
2412 * the flags for the current packet (fin_flx) are compared against
2413 * those for the existing session.
2414 */
2415 ofin.fin_flx &= ~(FI_BAD|FI_SHORT);
2416
2417 /*
2418 * Put old values of ip_len and ip_off back as we don't know
2419 * if we have to forward the packet (or process it again.
2420 */
2421 oip->ip_len = savelen;
2422 oip->ip_off = htons(oip->ip_off);
2423
2424 switch (oip->ip_p)
2425 {
2426 case IPPROTO_ICMP :
2427 /*
2428 * an ICMP error can only be generated as a result of an
2429 * ICMP query, not as the response on an ICMP error
2430 *
2431 * XXX theoretically ICMP_ECHOREP and the other reply's are
2432 * ICMP query's as well, but adding them here seems strange XXX
2433 */
2434 if ((ofin.fin_flx & FI_ICMPERR) != 0)
2435 return NULL;
2436
2437 /*
2438 * perform a lookup of the ICMP packet in the state table
2439 */
2440 icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
2441 hv = (pr = oip->ip_p);
2442 src.in4 = oip->ip_src;
2443 hv += src.in4.s_addr;
2444 dst.in4 = oip->ip_dst;
2445 hv += dst.in4.s_addr;
2446 hv += icmp->icmp_id;
2447 hv = DOUBLE_HASH(hv);
2448
2449 READ_ENTER(&ipf_state);
2450 for (isp = &ips_table[hv]; ((is = *isp) != NULL); ) {
2451 isp = &is->is_hnext;
2452 if ((is->is_p != pr) || (is->is_v != 4))
2453 continue;
2454 if (is->is_pass & FR_NOICMPERR)
2455 continue;
2456 is = fr_matchsrcdst(&ofin, is, &src, &dst,
2457 NULL, FI_ICMPCMP);
2458 if (is != NULL) {
2459 /*
2460 * i : the index of this packet (the icmp
2461 * unreachable)
2462 * oi : the index of the original packet found
2463 * in the icmp header (i.e. the packet
2464 * causing this icmp)
2465 * backward : original packet was backward
2466 * compared to the state
2467 */
2468 backward = IP6_NEQ(&is->is_src, &src);
2469 fin->fin_rev = !backward;
2470 i = (!backward << 1) + fin->fin_out;
2471 oi = (backward << 1) + ofin.fin_out;
2472 if (is->is_icmppkts[i] > is->is_pkts[oi])
2473 continue;
2474 ips_stats.iss_hits++;
2475 is->is_icmppkts[i]++;
2476 return is;
2477 }
2478 }
2479 RWLOCK_EXIT(&ipf_state);
2480 return NULL;
2481 case IPPROTO_TCP :
2482 case IPPROTO_UDP :
2483 break;
2484 default :
2485 return NULL;
2486 }
2487
2488 tcp = (tcphdr_t *)((char *)oip + (IP_HL(oip) << 2));
2489 dport = tcp->th_dport;
2490 sport = tcp->th_sport;
2491
2492 hv = (pr = oip->ip_p);
2493 src.in4 = oip->ip_src;
2494 hv += src.in4.s_addr;
2495 dst.in4 = oip->ip_dst;
2496 hv += dst.in4.s_addr;
2497 hv += dport;
2498 hv += sport;
2499 hv = DOUBLE_HASH(hv);
2500
2501 READ_ENTER(&ipf_state);
2502 for (isp = &ips_table[hv]; ((is = *isp) != NULL); ) {
2503 isp = &is->is_hnext;
2504 /*
2505 * Only allow this icmp though if the
2506 * encapsulated packet was allowed through the
2507 * other way around. Note that the minimal amount
2508 * of info present does not allow for checking against
2509 * tcp internals such as seq and ack numbers. Only the
2510 * ports are known to be present and can be even if the
2511 * short flag is set.
2512 */
2513 if ((is->is_p == pr) && (is->is_v == 4) &&
2514 (is = fr_matchsrcdst(&ofin, is, &src, &dst,
2515 tcp, FI_ICMPCMP))) {
2516 /*
2517 * i : the index of this packet (the icmp unreachable)
2518 * oi : the index of the original packet found in the
2519 * icmp header (i.e. the packet causing this icmp)
2520 * backward : original packet was backward compared to
2521 * the state
2522 */
2523 backward = IP6_NEQ(&is->is_src, &src);
2524 fin->fin_rev = !backward;
2525 i = (!backward << 1) + fin->fin_out;
2526 oi = (backward << 1) + ofin.fin_out;
2527
2528 if (((is->is_pass & FR_NOICMPERR) != 0) ||
2529 (is->is_icmppkts[i] > is->is_pkts[oi]))
2530 break;
2531 ips_stats.iss_hits++;
2532 is->is_icmppkts[i]++;
2533 /*
2534 * we deliberately do not touch the timeouts
2535 * for the accompanying state table entry.
2536 * It remains to be seen if that is correct. XXX
2537 */
2538 return is;
2539 }
2540 }
2541 RWLOCK_EXIT(&ipf_state);
2542 return NULL;
2543 }
2544
2545
2546 /* ------------------------------------------------------------------------ */
2547 /* Function: fr_ipsmove */
2548 /* Returns: Nil */
2549 /* Parameters: is(I) - pointer to state table entry */
2550 /* hv(I) - new hash value for state table entry */
2551 /* Write Locks: ipf_state */
2552 /* */
2553 /* Move a state entry from one position in the hash table to another. */
2554 /* ------------------------------------------------------------------------ */
2555 static void fr_ipsmove(is, hv)
2556 ipstate_t *is;
2557 u_int hv;
2558 {
2559 ipstate_t **isp;
2560 u_int hvm;
2561
2562 hvm = is->is_hv;
2563 /*
2564 * Remove the hash from the old location...
2565 */
2566 isp = is->is_phnext;
2567 if (is->is_hnext)
2568 is->is_hnext->is_phnext = isp;
2569 *isp = is->is_hnext;
2570 if (ips_table[hvm] == NULL)
2571 ips_stats.iss_inuse--;
2572 ips_stats.iss_bucketlen[hvm]--;
2573
2574 /*
2575 * ...and put the hash in the new one.
2576 */
2577 hvm = DOUBLE_HASH(hv);
2578 is->is_hv = hvm;
2579 isp = &ips_table[hvm];
2580 if (*isp)
2581 (*isp)->is_phnext = &is->is_hnext;
2582 else
2583 ips_stats.iss_inuse++;
2584 ips_stats.iss_bucketlen[hvm]++;
2585 is->is_phnext = isp;
2586 is->is_hnext = *isp;
2587 *isp = is;
2588 }
2589
2590
2591 /* ------------------------------------------------------------------------ */
2592 /* Function: fr_stlookup */
2593 /* Returns: ipstate_t* - NULL == no matching state found, */
2594 /* else pointer to state information is returned */
2595 /* Parameters: fin(I) - pointer to packet information */
2596 /* tcp(I) - pointer to TCP/UDP header. */
2597 /* */
2598 /* Search the state table for a matching entry to the packet described by */
2599 /* the contents of *fin. */
2600 /* */
2601 /* If we return NULL then no lock on ipf_state is held. */
2602 /* If we return non-null then a read-lock on ipf_state is held. */
2603 /* ------------------------------------------------------------------------ */
2604 ipstate_t *fr_stlookup(fin, tcp, ifqp)
2605 fr_info_t *fin;
2606 tcphdr_t *tcp;
2607 ipftq_t **ifqp;
2608 {
2609 u_int hv, hvm, pr, v, tryagain;
2610 ipstate_t *is, **isp;
2611 u_short dport, sport;
2612 i6addr_t src, dst;
2613 struct icmp *ic;
2614 ipftq_t *ifq;
2615 int oow;
2616
2617 is = NULL;
2618 ifq = NULL;
2619 tcp = fin->fin_dp;
2620 ic = (struct icmp *)tcp;
2621 hv = (pr = fin->fin_fi.fi_p);
2622 src = fin->fin_fi.fi_src;
2623 dst = fin->fin_fi.fi_dst;
2624 hv += src.in4.s_addr;
2625 hv += dst.in4.s_addr;
2626
2627 v = fin->fin_fi.fi_v;
2628 #ifdef USE_INET6
2629 if (v == 6) {
2630 hv += fin->fin_fi.fi_src.i6[1];
2631 hv += fin->fin_fi.fi_src.i6[2];
2632 hv += fin->fin_fi.fi_src.i6[3];
2633
2634 if ((fin->fin_p == IPPROTO_ICMPV6) &&
2635 IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_dst.in6)) {
2636 hv -= dst.in4.s_addr;
2637 } else {
2638 hv += fin->fin_fi.fi_dst.i6[1];
2639 hv += fin->fin_fi.fi_dst.i6[2];
2640 hv += fin->fin_fi.fi_dst.i6[3];
2641 }
2642 }
2643 #endif
2644 if ((v == 4) &&
2645 (fin->fin_flx & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST))) {
2646 if (fin->fin_out == 0) {
2647 hv -= src.in4.s_addr;
2648 } else {
2649 hv -= dst.in4.s_addr;
2650 }
2651 }
2652
2653 /*
2654 * Search the hash table for matching packet header info.
2655 */
2656 switch (pr)
2657 {
2658 #ifdef USE_INET6
2659 case IPPROTO_ICMPV6 :
2660 tryagain = 0;
2661 if (v == 6) {
2662 if ((ic->icmp_type == ICMP6_ECHO_REQUEST) ||
2663 (ic->icmp_type == ICMP6_ECHO_REPLY)) {
2664 hv += ic->icmp_id;
2665 }
2666 }
2667 READ_ENTER(&ipf_state);
2668 icmp6again:
2669 hvm = DOUBLE_HASH(hv);
2670 for (isp = &ips_table[hvm]; ((is = *isp) != NULL); ) {
2671 isp = &is->is_hnext;
2672 if ((is->is_p != pr) || (is->is_v != v))
2673 continue;
2674 is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2675 if (is != NULL &&
2676 fr_matchicmpqueryreply(v, &is->is_icmp,
2677 ic, fin->fin_rev)) {
2678 if (fin->fin_rev)
2679 ifq = &ips_icmpacktq;
2680 else
2681 ifq = &ips_icmptq;
2682 break;
2683 }
2684 }
2685
2686 if (is != NULL) {
2687 if ((tryagain != 0) && !(is->is_flags & SI_W_DADDR)) {
2688 hv += fin->fin_fi.fi_src.i6[0];
2689 hv += fin->fin_fi.fi_src.i6[1];
2690 hv += fin->fin_fi.fi_src.i6[2];
2691 hv += fin->fin_fi.fi_src.i6[3];
2692 fr_ipsmove(is, hv);
2693 MUTEX_DOWNGRADE(&ipf_state);
2694 }
2695 break;
2696 }
2697 RWLOCK_EXIT(&ipf_state);
2698
2699 /*
2700 * No matching icmp state entry. Perhaps this is a
2701 * response to another state entry.
2702 *
2703 * XXX With some ICMP6 packets, the "other" address is already
2704 * in the packet, after the ICMP6 header, and this could be
2705 * used in place of the multicast address. However, taking
2706 * advantage of this requires some significant code changes
2707 * to handle the specific types where that is the case.
2708 */
2709 if ((ips_stats.iss_wild != 0) && (v == 6) && (tryagain == 0) &&
2710 !IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_src.in6)) {
2711 hv -= fin->fin_fi.fi_src.i6[0];
2712 hv -= fin->fin_fi.fi_src.i6[1];
2713 hv -= fin->fin_fi.fi_src.i6[2];
2714 hv -= fin->fin_fi.fi_src.i6[3];
2715 tryagain = 1;
2716 WRITE_ENTER(&ipf_state);
2717 goto icmp6again;
2718 }
2719
2720 is = fr_checkicmp6matchingstate(fin);
2721 if (is != NULL)
2722 return is;
2723 break;
2724 #endif
2725
2726 case IPPROTO_ICMP :
2727 if (v == 4) {
2728 hv += ic->icmp_id;
2729 }
2730 hv = DOUBLE_HASH(hv);
2731 READ_ENTER(&ipf_state);
2732 for (isp = &ips_table[hv]; ((is = *isp) != NULL); ) {
2733 isp = &is->is_hnext;
2734 if ((is->is_p != pr) || (is->is_v != v))
2735 continue;
2736 is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2737 if ((is != NULL) &&
2738 (ic->icmp_id == is->is_icmp.ici_id) &&
2739 fr_matchicmpqueryreply(v, &is->is_icmp,
2740 ic, fin->fin_rev)) {
2741 if (fin->fin_rev)
2742 ifq = &ips_icmpacktq;
2743 else
2744 ifq = &ips_icmptq;
2745 break;
2746 }
2747 }
2748 if (is == NULL) {
2749 RWLOCK_EXIT(&ipf_state);
2750 }
2751 break;
2752
2753 case IPPROTO_TCP :
2754 case IPPROTO_UDP :
2755 ifqp = NULL;
2756 sport = htons(fin->fin_data[0]);
2757 hv += sport;
2758 dport = htons(fin->fin_data[1]);
2759 hv += dport;
2760 oow = 0;
2761 tryagain = 0;
2762 READ_ENTER(&ipf_state);
2763 retry_tcpudp:
2764 hvm = DOUBLE_HASH(hv);
2765 for (isp = &ips_table[hvm]; ((is = *isp) != NULL); ) {
2766 isp = &is->is_hnext;
2767 if ((is->is_p != pr) || (is->is_v != v))
2768 continue;
2769 fin->fin_flx &= ~FI_OOW;
2770 is = fr_matchsrcdst(fin, is, &src, &dst, tcp, FI_CMP);
2771 if (is != NULL) {
2772 if (pr == IPPROTO_TCP) {
2773 if (!fr_tcpstate(fin, tcp, is)) {
2774 oow |= fin->fin_flx & FI_OOW;
2775 continue;
2776 }
2777 }
2778 break;
2779 }
2780 }
2781 if (is != NULL) {
2782 if (tryagain &&
2783 !(is->is_flags & (SI_CLONE|SI_WILDP|SI_WILDA))) {
2784 hv += dport;
2785 hv += sport;
2786 fr_ipsmove(is, hv);
2787 MUTEX_DOWNGRADE(&ipf_state);
2788 }
2789 break;
2790 }
2791 RWLOCK_EXIT(&ipf_state);
2792
2793 if (ips_stats.iss_wild) {
2794 if (tryagain == 0) {
2795 hv -= dport;
2796 hv -= sport;
2797 } else if (tryagain == 1) {
2798 hv = fin->fin_fi.fi_p;
2799 /*
2800 * If we try to pretend this is a reply to a
2801 * multicast/broadcast packet then we need to
2802 * exclude part of the address from the hash
2803 * calculation.
2804 */
2805 if (fin->fin_out == 0) {
2806 hv += src.in4.s_addr;
2807 } else {
2808 hv += dst.in4.s_addr;
2809 }
2810 hv += dport;
2811 hv += sport;
2812 }
2813 tryagain++;
2814 if (tryagain <= 2) {
2815 WRITE_ENTER(&ipf_state);
2816 goto retry_tcpudp;
2817 }
2818 }
2819 fin->fin_flx |= oow;
2820 break;
2821
2822 #if 0
2823 case IPPROTO_GRE :
2824 gre = fin->fin_dp;
2825 if (GRE_REV(gre->gr_flags) == 1) {
2826 hv += gre->gr_call;
2827 }
2828 /* FALLTHROUGH */
2829 #endif
2830 default :
2831 ifqp = NULL;
2832 hvm = DOUBLE_HASH(hv);
2833 READ_ENTER(&ipf_state);
2834 for (isp = &ips_table[hvm]; ((is = *isp) != NULL); ) {
2835 isp = &is->is_hnext;
2836 if ((is->is_p != pr) || (is->is_v != v))
2837 continue;
2838 is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2839 if (is != NULL) {
2840 ifq = &ips_iptq;
2841 break;
2842 }
2843 }
2844 if (is == NULL) {
2845 RWLOCK_EXIT(&ipf_state);
2846 }
2847 break;
2848 }
2849
2850 if (is != NULL) {
2851 if (((is->is_sti.tqe_flags & TQE_RULEBASED) != 0) &&
2852 (is->is_tqehead[fin->fin_rev] != NULL))
2853 ifq = is->is_tqehead[fin->fin_rev];
2854 if (ifq != NULL && ifqp != NULL)
2855 *ifqp = ifq;
2856 }
2857 return is;
2858 }
2859
2860
2861 /* ------------------------------------------------------------------------ */
2862 /* Function: fr_updatestate */
2863 /* Returns: Nil */
2864 /* Parameters: fin(I) - pointer to packet information */
2865 /* is(I) - pointer to state table entry */
2866 /* Read Locks: ipf_state */
2867 /* */
2868 /* Updates packet and byte counters for a newly received packet. Seeds the */
2869 /* fragment cache with a new entry as required. */
2870 /* ------------------------------------------------------------------------ */
2871 void fr_updatestate(fin, is, ifq)
2872 fr_info_t *fin;
2873 ipstate_t *is;
2874 ipftq_t *ifq;
2875 {
2876 ipftqent_t *tqe;
2877 int i, pass;
2878
2879 i = (fin->fin_rev << 1) + fin->fin_out;
2880
2881 /*
2882 * For TCP packets, ifq == NULL. For all others, check if this new
2883 * queue is different to the last one it was on and move it if so.
2884 */
2885 tqe = &is->is_sti;
2886 MUTEX_ENTER(&is->is_lock);
2887 if ((tqe->tqe_flags & TQE_RULEBASED) != 0)
2888 ifq = is->is_tqehead[fin->fin_rev];
2889
2890 if (ifq != NULL)
2891 fr_movequeue(tqe, tqe->tqe_ifq, ifq);
2892
2893 is->is_pkts[i]++;
2894 fin->fin_pktnum = is->is_pkts[i] + is->is_icmppkts[i];
2895 is->is_bytes[i] += fin->fin_plen;
2896 MUTEX_EXIT(&is->is_lock);
2897
2898 #ifdef IPFILTER_SYNC
2899 if (is->is_flags & IS_STATESYNC)
2900 ipfsync_update(SMC_STATE, fin, is->is_sync);
2901 #endif
2902
2903 ATOMIC_INCL(ips_stats.iss_hits);
2904
2905 fin->fin_fr = is->is_rule;
2906
2907 /*
2908 * If this packet is a fragment and the rule says to track fragments,
2909 * then create a new fragment cache entry.
2910 */
2911 pass = is->is_pass;
2912 if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(pass))
2913 (void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
2914 }
2915
2916
2917 /* ------------------------------------------------------------------------ */
2918 /* Function: fr_checkstate */
2919 /* Returns: frentry_t* - NULL == search failed, */
2920 /* else pointer to rule for matching state */
2921 /* Parameters: ifp(I) - pointer to interface */
2922 /* passp(I) - pointer to filtering result flags */
2923 /* */
2924 /* Check if a packet is associated with an entry in the state table. */
2925 /* ------------------------------------------------------------------------ */
2926 frentry_t *fr_checkstate(fin, passp)
2927 fr_info_t *fin;
2928 u_32_t *passp;
2929 {
2930 ipstate_t *is;
2931 frentry_t *fr;
2932 tcphdr_t *tcp;
2933 ipftq_t *ifq;
2934 u_int pass;
2935
2936 if (fr_state_lock || (ips_list == NULL) ||
2937 (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD)))
2938 return NULL;
2939
2940 is = NULL;
2941 if ((fin->fin_flx & FI_TCPUDP) ||
2942 (fin->fin_fi.fi_p == IPPROTO_ICMP)
2943 #ifdef USE_INET6
2944 || (fin->fin_fi.fi_p == IPPROTO_ICMPV6)
2945 #endif
2946 )
2947 tcp = fin->fin_dp;
2948 else
2949 tcp = NULL;
2950
2951 /*
2952 * Search the hash table for matching packet header info.
2953 */
2954 ifq = NULL;
2955 is = fr_stlookup(fin, tcp, &ifq);
2956 switch (fin->fin_p)
2957 {
2958 #ifdef USE_INET6
2959 case IPPROTO_ICMPV6 :
2960 if (is != NULL)
2961 break;
2962 if (fin->fin_v == 6) {
2963 is = fr_checkicmp6matchingstate(fin);
2964 if (is != NULL)
2965 goto matched;
2966 }
2967 break;
2968 #endif
2969 case IPPROTO_ICMP :
2970 if (is != NULL)
2971 break;
2972 /*
2973 * No matching icmp state entry. Perhaps this is a
2974 * response to another state entry.
2975 */
2976 is = fr_checkicmpmatchingstate(fin);
2977 if (is != NULL)
2978 goto matched;
2979 break;
2980 case IPPROTO_TCP :
2981 if (is == NULL)
2982 break;
2983
2984 if (is->is_pass & FR_NEWISN) {
2985 if (fin->fin_out == 0)
2986 fr_fixinisn(fin, is);
2987 else if (fin->fin_out == 1)
2988 fr_fixoutisn(fin, is);
2989 }
2990 break;
2991 default :
2992 if (fin->fin_rev)
2993 ifq = &ips_udpacktq;
2994 else
2995 ifq = &ips_udptq;
2996 break;
2997 }
2998 if (is == NULL) {
2999 ATOMIC_INCL(ips_stats.iss_miss);
3000 return NULL;
3001 }
3002
3003 matched:
3004 fr = is->is_rule;
3005 if (fr != NULL) {
3006 if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
3007 if (fin->fin_nattag == NULL)
3008 return NULL;
3009 if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) != 0)
3010 return NULL;
3011 }
3012 (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
3013 fin->fin_icode = fr->fr_icode;
3014 }
3015
3016 fin->fin_rule = is->is_rulen;
3017 pass = is->is_pass;
3018 fr_updatestate(fin, is, ifq);
3019
3020 RWLOCK_EXIT(&ipf_state);
3021 fin->fin_flx |= FI_STATE;
3022 if ((pass & FR_LOGFIRST) != 0)
3023 pass &= ~(FR_LOGFIRST|FR_LOG);
3024 *passp = pass;
3025 return fr;
3026 }
3027
3028
3029 /* ------------------------------------------------------------------------ */
3030 /* Function: fr_fixoutisn */
3031 /* Returns: Nil */
3032 /* Parameters: fin(I) - pointer to packet information */
3033 /* is(I) - pointer to master state structure */
3034 /* */
3035 /* Called only for outbound packets, adjusts the sequence number and the */
3036 /* TCP checksum to match that change. */
3037 /* ------------------------------------------------------------------------ */
3038 static void fr_fixoutisn(fin, is)
3039 fr_info_t *fin;
3040 ipstate_t *is;
3041 {
3042 tcphdr_t *tcp;
3043 int rev;
3044 u_32_t seq;
3045
3046 tcp = fin->fin_dp;
3047 rev = fin->fin_rev;
3048 if ((is->is_flags & IS_ISNSYN) != 0) {
3049 if (rev == 0) {
3050 seq = ntohl(tcp->th_seq);
3051 seq += is->is_isninc[0];
3052 tcp->th_seq = htonl(seq);
3053 fix_outcksum(fin, &tcp->th_sum, is->is_sumd[0]);
3054 }
3055 }
3056 if ((is->is_flags & IS_ISNACK) != 0) {
3057 if (rev == 1) {
3058 seq = ntohl(tcp->th_seq);
3059 seq += is->is_isninc[1];
3060 tcp->th_seq = htonl(seq);
3061 fix_outcksum(fin, &tcp->th_sum, is->is_sumd[1]);
3062 }
3063 }
3064 }
3065
3066
3067 /* ------------------------------------------------------------------------ */
3068 /* Function: fr_fixinisn */
3069 /* Returns: Nil */
3070 /* Parameters: fin(I) - pointer to packet information */
3071 /* is(I) - pointer to master state structure */
3072 /* */
3073 /* Called only for inbound packets, adjusts the acknowledge number and the */
3074 /* TCP checksum to match that change. */
3075 /* ------------------------------------------------------------------------ */
3076 static void fr_fixinisn(fin, is)
3077 fr_info_t *fin;
3078 ipstate_t *is;
3079 {
3080 tcphdr_t *tcp;
3081 int rev;
3082 u_32_t ack;
3083
3084 tcp = fin->fin_dp;
3085 rev = fin->fin_rev;
3086 if ((is->is_flags & IS_ISNSYN) != 0) {
3087 if (rev == 1) {
3088 ack = ntohl(tcp->th_ack);
3089 ack -= is->is_isninc[0];
3090 tcp->th_ack = htonl(ack);
3091 fix_incksum(fin, &tcp->th_sum, is->is_sumd[0]);
3092 }
3093 }
3094 if ((is->is_flags & IS_ISNACK) != 0) {
3095 if (rev == 0) {
3096 ack = ntohl(tcp->th_ack);
3097 ack -= is->is_isninc[1];
3098 tcp->th_ack = htonl(ack);
3099 fix_incksum(fin, &tcp->th_sum, is->is_sumd[1]);
3100 }
3101 }
3102 }
3103
3104
3105 /* ------------------------------------------------------------------------ */
3106 /* Function: fr_statesync */
3107 /* Returns: Nil */
3108 /* Parameters: ifp(I) - pointer to interface */
3109 /* */
3110 /* Walk through all state entries and if an interface pointer match is */
3111 /* found then look it up again, based on its name in case the pointer has */
3112 /* changed since last time. */
3113 /* */
3114 /* If ifp is passed in as being non-null then we are only doing updates for */
3115 /* existing, matching, uses of it. */
3116 /* ------------------------------------------------------------------------ */
3117 void fr_statesync(ifp)
3118 void *ifp;
3119 {
3120 ipstate_t *is;
3121 int i;
3122
3123 if (fr_running <= 0)
3124 return;
3125
3126 WRITE_ENTER(&ipf_state);
3127
3128 if (fr_running <= 0) {
3129 RWLOCK_EXIT(&ipf_state);
3130 return;
3131 }
3132
3133 for (is = ips_list; is; is = is->is_next) {
3134 /*
3135 * Look up all the interface names in the state entry.
3136 */
3137 for (i = 0; i < 4; i++) {
3138 if (ifp == NULL || ifp == is->is_ifp[i])
3139 is->is_ifp[i] = fr_resolvenic(is->is_ifname[i],
3140 is->is_v);
3141 }
3142 }
3143 RWLOCK_EXIT(&ipf_state);
3144 }
3145
3146
3147 /* ------------------------------------------------------------------------ */
3148 /* Function: fr_delstate */
3149 /* Returns: int - 0 = entry deleted, else reference count on struct */
3150 /* Parameters: is(I) - pointer to state structure to delete */
3151 /* why(I) - if not 0, log reason why it was deleted */
3152 /* Write Locks: ipf_state */
3153 /* */
3154 /* Deletes a state entry from the enumerated list as well as the hash table */
3155 /* and timeout queue lists. Make adjustments to hash table statistics and */
3156 /* global counters as required. */
3157 /* ------------------------------------------------------------------------ */
3158 static int fr_delstate(is, why)
3159 ipstate_t *is;
3160 int why;
3161 {
3162
3163 /*
3164 * Since we want to delete this, remove it from the state table,
3165 * where it can be found & used, first.
3166 */
3167 if (is->is_phnext != NULL) {
3168 *is->is_phnext = is->is_hnext;
3169 if (is->is_hnext != NULL)
3170 is->is_hnext->is_phnext = is->is_phnext;
3171 if (ips_table[is->is_hv] == NULL)
3172 ips_stats.iss_inuse--;
3173 ips_stats.iss_bucketlen[is->is_hv]--;
3174
3175 is->is_phnext = NULL;
3176 is->is_hnext = NULL;
3177 }
3178
3179 /*
3180 * Because ips_stats.iss_wild is a count of entries in the state
3181 * table that have wildcard flags set, only decerement it once
3182 * and do it here.
3183 */
3184 if (is->is_flags & (SI_WILDP|SI_WILDA)) {
3185 if (!(is->is_flags & SI_CLONED)) {
3186 ATOMIC_DECL(ips_stats.iss_wild);
3187 }
3188 is->is_flags &= ~(SI_WILDP|SI_WILDA);
3189 }
3190
3191 /*
3192 * Next, remove it from the timeout queue it is in.
3193 */
3194 if (is->is_sti.tqe_ifq != NULL)
3195 fr_deletequeueentry(&is->is_sti);
3196
3197 if (is->is_me != NULL) {
3198 *is->is_me = NULL;
3199 is->is_me = NULL;
3200 }
3201
3202 /*
3203 * If it is still in use by something else, do not go any further,
3204 * but note that at this point it is now an orphan. How can this
3205 * be? fr_state_flush() calls fr_delete() directly because it wants
3206 * to empty the table out and if something has a hold on a state
3207 * entry (such as ipfstat), it'll do the deref path that'll bring
3208 * us back here to do the real delete & free.
3209 */
3210 MUTEX_ENTER(&is->is_lock);
3211 if (is->is_ref > 1) {
3212 is->is_ref--;
3213 MUTEX_EXIT(&is->is_lock);
3214 return is->is_ref;
3215 }
3216 MUTEX_EXIT(&is->is_lock);
3217
3218 is->is_ref = 0;
3219
3220 if (is->is_tqehead[0] != NULL) {
3221 (void) fr_deletetimeoutqueue(is->is_tqehead[0]);
3222 }
3223 if (is->is_tqehead[1] != NULL) {
3224 (void) fr_deletetimeoutqueue(is->is_tqehead[1]);
3225 }
3226
3227 #ifdef IPFILTER_SYNC
3228 if (is->is_sync)
3229 ipfsync_del(is->is_sync);
3230 #endif
3231 #ifdef IPFILTER_SCAN
3232 (void) ipsc_detachis(is);
3233 #endif
3234
3235 /*
3236 * Now remove it from the linked list of known states
3237 */
3238 if (is->is_pnext != NULL) {
3239 *is->is_pnext = is->is_next;
3240
3241 if (is->is_next != NULL)
3242 is->is_next->is_pnext = is->is_pnext;
3243
3244 is->is_pnext = NULL;
3245 is->is_next = NULL;
3246 }
3247
3248 if (ipstate_logging != 0 && why != 0)
3249 ipstate_log(is, why);
3250
3251 if (is->is_p == IPPROTO_TCP)
3252 ips_stats.iss_fin++;
3253 else
3254 ips_stats.iss_expire++;
3255
3256 if (is->is_rule != NULL) {
3257 is->is_rule->fr_statecnt--;
3258 (void) fr_derefrule(&is->is_rule);
3259 }
3260
3261 #if defined(NEED_LOCAL_RAND) && defined(_KERNEL)
3262 ipf_rand_push(is, sizeof(*is));
3263 #endif
3264
3265 MUTEX_DESTROY(&is->is_lock);
3266 KFREE(is);
3267 ips_num--;
3268
3269 return 0;
3270 }
3271
3272
3273 /* ------------------------------------------------------------------------ */
3274 /* Function: fr_timeoutstate */
3275 /* Returns: Nil */
3276 /* Parameters: Nil */
3277 /* */
3278 /* Slowly expire held state for thingslike UDP and ICMP. The algorithm */
3279 /* used here is to keep the queue sorted with the oldest things at the top */
3280 /* and the youngest at the bottom. So if the top one doesn't need to be */
3281 /* expired then neither will any under it. */
3282 /* ------------------------------------------------------------------------ */
3283 void fr_timeoutstate()
3284 {
3285 ipftq_t *ifq, *ifqnext;
3286 ipftqent_t *tqe, *tqn;
3287 ipstate_t *is;
3288 SPL_INT(s);
3289
3290 SPL_NET(s);
3291 WRITE_ENTER(&ipf_state);
3292 for (ifq = ips_tqtqb; ifq != NULL; ifq = ifq->ifq_next)
3293 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
3294 if (tqe->tqe_die > fr_ticks)
3295 break;
3296 tqn = tqe->tqe_next;
3297 is = tqe->tqe_parent;
3298 fr_delstate(is, ISL_EXPIRE);
3299 }
3300
3301 for (ifq = ips_utqe; ifq != NULL; ifq = ifq->ifq_next) {
3302 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
3303 if (tqe->tqe_die > fr_ticks)
3304 break;
3305 tqn = tqe->tqe_next;
3306 is = tqe->tqe_parent;
3307 fr_delstate(is, ISL_EXPIRE);
3308 }
3309 }
3310
3311 for (ifq = ips_utqe; ifq != NULL; ifq = ifqnext) {
3312 ifqnext = ifq->ifq_next;
3313
3314 if (((ifq->ifq_flags & IFQF_DELETE) != 0) &&
3315 (ifq->ifq_ref == 0)) {
3316 fr_freetimeoutqueue(ifq);
3317 }
3318 }
3319
3320 if (fr_state_doflush) {
3321 (void) fr_state_flush(2, 0);
3322 fr_state_doflush = 0;
3323 }
3324
3325 RWLOCK_EXIT(&ipf_state);
3326 SPL_X(s);
3327 }
3328
3329
3330 /* ------------------------------------------------------------------------ */
3331 /* Function: fr_state_flush */
3332 /* Returns: int - 0 == success, -1 == failure */
3333 /* Parameters: Nil */
3334 /* Write Locks: ipf_state */
3335 /* */
3336 /* Flush state tables. Three actions currently defined: */
3337 /* which == 0 : flush all state table entries */
3338 /* which == 1 : flush TCP connections which have started to close but are */
3339 /* stuck for some reason. */
3340 /* which == 2 : flush TCP connections which have been idle for a long time, */
3341 /* starting at > 4 days idle and working back in successive half-*/
3342 /* days to at most 12 hours old. If this fails to free enough */
3343 /* slots then work backwards in half hour slots to 30 minutes. */
3344 /* If that too fails, then work backwards in 30 second intervals */
3345 /* for the last 30 minutes to at worst 30 seconds idle. */
3346 /* ------------------------------------------------------------------------ */
3347 int fr_state_flush(which, proto)
3348 int which, proto;
3349 {
3350 ipftq_t *ifq, *ifqnext;
3351 ipftqent_t *tqe, *tqn;
3352 ipstate_t *is, **isp;
3353 int removed;
3354 SPL_INT(s);
3355
3356 removed = 0;
3357
3358 SPL_NET(s);
3359
3360 switch (which)
3361 {
3362 case 0 :
3363 /*
3364 * Style 0 flush removes everything...
3365 */
3366 for (isp = &ips_list; ((is = *isp) != NULL); ) {
3367 if ((proto != 0) && (is->is_v != proto)) {
3368 isp = &is->is_next;
3369 continue;
3370 }
3371 if (fr_delstate(is, ISL_FLUSH) == 0)
3372 removed++;
3373 else
3374 isp = &is->is_next;
3375 }
3376 break;
3377
3378 case 1 :
3379 /*
3380 * Since we're only interested in things that are closing,
3381 * we can start with the appropriate timeout queue.
3382 */
3383 for (ifq = ips_tqtqb + IPF_TCPS_CLOSE_WAIT; ifq != NULL;
3384 ifq = ifq->ifq_next) {
3385
3386 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
3387 tqn = tqe->tqe_next;
3388 is = tqe->tqe_parent;
3389 if (is->is_p != IPPROTO_TCP)
3390 break;
3391 if (fr_delstate(is, ISL_EXPIRE) == 0)
3392 removed++;
3393 }
3394 }
3395
3396 /*
3397 * Also need to look through the user defined queues.
3398 */
3399 for (ifq = ips_utqe; ifq != NULL; ifq = ifqnext) {
3400 ifqnext = ifq->ifq_next;
3401 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
3402 tqn = tqe->tqe_next;
3403 is = tqe->tqe_parent;
3404 if (is->is_p != IPPROTO_TCP)
3405 continue;
3406
3407 if ((is->is_state[0] > IPF_TCPS_ESTABLISHED) &&
3408 (is->is_state[1] > IPF_TCPS_ESTABLISHED)) {
3409 if (fr_delstate(is, ISL_EXPIRE) == 0)
3410 removed++;
3411 }
3412 }
3413 }
3414 break;
3415
3416 case 2 :
3417 break;
3418
3419 /*
3420 * Args 5-11 correspond to flushing those particular states
3421 * for TCP connections.
3422 */
3423 case IPF_TCPS_CLOSE_WAIT :
3424 case IPF_TCPS_FIN_WAIT_1 :
3425 case IPF_TCPS_CLOSING :
3426 case IPF_TCPS_LAST_ACK :
3427 case IPF_TCPS_FIN_WAIT_2 :
3428 case IPF_TCPS_TIME_WAIT :
3429 case IPF_TCPS_CLOSED :
3430 tqn = ips_tqtqb[which].ifq_head;
3431 while (tqn != NULL) {
3432 tqe = tqn;
3433 tqn = tqe->tqe_next;
3434 is = tqe->tqe_parent;
3435 if (fr_delstate(is, ISL_FLUSH) == 0)
3436 removed++;
3437 }
3438 break;
3439
3440 default :
3441 if (which < 30)
3442 break;
3443
3444 /*
3445 * Take a large arbitrary number to mean the number of seconds
3446 * for which which consider to be the maximum value we'll allow
3447 * the expiration to be.
3448 */
3449 which = IPF_TTLVAL(which);
3450 for (isp = &ips_list; ((is = *isp) != NULL); ) {
3451 if ((proto == 0) || (is->is_v == proto)) {
3452 if (fr_ticks - is->is_touched > which) {
3453 if (fr_delstate(is, ISL_FLUSH) == 0) {
3454 removed++;
3455 continue;
3456 }
3457 }
3458 }
3459 isp = &is->is_next;
3460 }
3461 break;
3462 }
3463
3464 if (which != 2) {
3465 SPL_X(s);
3466 return removed;
3467 }
3468
3469 /*
3470 * Asked to remove inactive entries because the table is full.
3471 */
3472 if (fr_ticks - ips_last_force_flush > IPF_TTLVAL(5)) {
3473 ips_last_force_flush = fr_ticks;
3474 removed = ipf_queueflush(fr_state_flush_entry, ips_tqtqb,
3475 ips_utqe);
3476 }
3477
3478 SPL_X(s);
3479 return removed;
3480 }
3481
3482
3483 /* ------------------------------------------------------------------------ */
3484 /* Function: fr_state_flush_entry */
3485 /* Returns: int - 0 = entry deleted, else not deleted */
3486 /* Parameters: entry(I) - pointer to state structure to delete */
3487 /* Write Locks: ipf_state */
3488 /* */
3489 /* This function is a stepping stone between ipf_queueflush() and */
3490 /* fr_delstate(). It is used so we can provide a uniform interface via the */
3491 /* ipf_queueflush() function. */
3492 /* ------------------------------------------------------------------------ */
3493 static int fr_state_flush_entry(entry)
3494 void *entry;
3495 {
3496 return fr_delstate(entry, ISL_FLUSH);
3497 }
3498
3499
3500 /* ------------------------------------------------------------------------ */
3501 /* Function: fr_tcp_age */
3502 /* Returns: int - 1 == state transition made, 0 == no change (rejected) */
3503 /* Parameters: tq(I) - pointer to timeout queue information */
3504 /* fin(I) - pointer to packet information */
3505 /* tqtab(I) - TCP timeout queue table this is in */
3506 /* flags(I) - flags from state/NAT entry */
3507 /* */
3508 /* Rewritten by Arjan de Vet <Arjan.deVet@adv.iae.nl>, 2000-07-29: */
3509 /* */
3510 /* - (try to) base state transitions on real evidence only, */
3511 /* i.e. packets that are sent and have been received by ipfilter; */
3512 /* diagram 18.12 of TCP/IP volume 1 by W. Richard Stevens was used. */
3513 /* */
3514 /* - deal with half-closed connections correctly; */
3515 /* */
3516 /* - store the state of the source in state[0] such that ipfstat */
3517 /* displays the state as source/dest instead of dest/source; the calls */
3518 /* to fr_tcp_age have been changed accordingly. */
3519 /* */
3520 /* Internal Parameters: */
3521 /* */
3522 /* state[0] = state of source (host that initiated connection) */
3523 /* state[1] = state of dest (host that accepted the connection) */
3524 /* */
3525 /* dir == 0 : a packet from source to dest */
3526 /* dir == 1 : a packet from dest to source */
3527 /* */
3528 /* A typical procession for a connection is as follows: */
3529 /* */
3530 /* +--------------+-------------------+ */
3531 /* | Side '0' | Side '1' | */
3532 /* +--------------+-------------------+ */
3533 /* | 0 -> 1 (SYN) | | */
3534 /* | | 0 -> 2 (SYN-ACK) | */
3535 /* | 1 -> 3 (ACK) | | */
3536 /* | | 2 -> 4 (ACK-PUSH) | */
3537 /* | 3 -> 4 (ACK) | | */
3538 /* | ... | ... | */
3539 /* | | 4 -> 6 (FIN-ACK) | */
3540 /* | 4 -> 5 (ACK) | | */
3541 /* | | 6 -> 6 (ACK-PUSH) | */
3542 /* | 5 -> 5 (ACK) | | */
3543 /* | 5 -> 8 (FIN) | | */
3544 /* | | 6 -> 10 (ACK) | */
3545 /* +--------------+-------------------+ */
3546 /* */
3547 /* Locking: it is assumed that the parent of the tqe structure is locked. */
3548 /* ------------------------------------------------------------------------ */
3549 int fr_tcp_age(tqe, fin, tqtab, flags)
3550 ipftqent_t *tqe;
3551 fr_info_t *fin;
3552 ipftq_t *tqtab;
3553 int flags;
3554 {
3555 int dlen, ostate, nstate, rval, dir;
3556 u_char tcpflags;
3557 tcphdr_t *tcp;
3558
3559 tcp = fin->fin_dp;
3560
3561 rval = 0;
3562 dir = fin->fin_rev;
3563 tcpflags = tcp->th_flags;
3564 dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
3565 ostate = tqe->tqe_state[1 - dir];
3566 nstate = tqe->tqe_state[dir];
3567
3568 if (tcpflags & TH_RST) {
3569 if (!(tcpflags & TH_PUSH) && !dlen)
3570 nstate = IPF_TCPS_CLOSED;
3571 else
3572 nstate = IPF_TCPS_CLOSE_WAIT;
3573
3574 if (ostate <= IPF_TCPS_ESTABLISHED) {
3575 tqe->tqe_state[1 - dir] = IPF_TCPS_CLOSE_WAIT;
3576 }
3577 rval = 1;
3578 } else {
3579 switch (nstate)
3580 {
3581 case IPF_TCPS_LISTEN: /* 0 */
3582 if ((tcpflags & TH_OPENING) == TH_OPENING) {
3583 /*
3584 * 'dir' received an S and sends SA in
3585 * response, LISTEN -> SYN_RECEIVED
3586 */
3587 nstate = IPF_TCPS_SYN_RECEIVED;
3588 rval = 1;
3589 } else if ((tcpflags & TH_OPENING) == TH_SYN) {
3590 /* 'dir' sent S, LISTEN -> SYN_SENT */
3591 nstate = IPF_TCPS_SYN_SENT;
3592 rval = 1;
3593 }
3594 /*
3595 * the next piece of code makes it possible to get
3596 * already established connections into the state table
3597 * after a restart or reload of the filter rules; this
3598 * does not work when a strict 'flags S keep state' is
3599 * used for tcp connections of course
3600 */
3601 if (((flags & IS_TCPFSM) == 0) &&
3602 ((tcpflags & TH_ACKMASK) == TH_ACK)) {
3603 /*
3604 * we saw an A, guess 'dir' is in ESTABLISHED
3605 * mode
3606 */
3607 switch (ostate)
3608 {
3609 case IPF_TCPS_LISTEN :
3610 case IPF_TCPS_SYN_RECEIVED :
3611 nstate = IPF_TCPS_HALF_ESTAB;
3612 rval = 1;
3613 break;
3614 case IPF_TCPS_HALF_ESTAB :
3615 case IPF_TCPS_ESTABLISHED :
3616 nstate = IPF_TCPS_ESTABLISHED;
3617 rval = 1;
3618 break;
3619 default :
3620 break;
3621 }
3622 }
3623 /*
3624 * TODO: besides regular ACK packets we can have other
3625 * packets as well; it is yet to be determined how we
3626 * should initialize the states in those cases
3627 */
3628 break;
3629
3630 case IPF_TCPS_SYN_SENT: /* 1 */
3631 if ((tcpflags & ~(TH_ECN|TH_CWR)) == TH_SYN) {
3632 /*
3633 * A retransmitted SYN packet. We do not reset
3634 * the timeout here to fr_tcptimeout because a
3635 * connection connect timeout does not renew
3636 * after every packet that is sent. We need to
3637 * set rval so as to indicate the packet has
3638 * passed the check for its flags being valid
3639 * in the TCP FSM. Setting rval to 2 has the
3640 * result of not resetting the timeout.
3641 */
3642 rval = 2;
3643 } else if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) ==
3644 TH_ACK) {
3645 /*
3646 * we see an A from 'dir' which is in SYN_SENT
3647 * state: 'dir' sent an A in response to an SA
3648 * which it received, SYN_SENT -> ESTABLISHED
3649 */
3650 nstate = IPF_TCPS_ESTABLISHED;
3651 rval = 1;
3652 } else if (tcpflags & TH_FIN) {
3653 /*
3654 * we see an F from 'dir' which is in SYN_SENT
3655 * state and wants to close its side of the
3656 * connection; SYN_SENT -> FIN_WAIT_1
3657 */
3658 nstate = IPF_TCPS_FIN_WAIT_1;
3659 rval = 1;
3660 } else if ((tcpflags & TH_OPENING) == TH_OPENING) {
3661 /*
3662 * we see an SA from 'dir' which is already in
3663 * SYN_SENT state, this means we have a
3664 * simultaneous open; SYN_SENT -> SYN_RECEIVED
3665 */
3666 nstate = IPF_TCPS_SYN_RECEIVED;
3667 rval = 1;
3668 }
3669 break;
3670
3671 case IPF_TCPS_SYN_RECEIVED: /* 2 */
3672 if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
3673 /*
3674 * we see an A from 'dir' which was in
3675 * SYN_RECEIVED state so it must now be in
3676 * established state, SYN_RECEIVED ->
3677 * ESTABLISHED
3678 */
3679 nstate = IPF_TCPS_ESTABLISHED;
3680 rval = 1;
3681 } else if ((tcpflags & ~(TH_ECN|TH_CWR)) ==
3682 TH_OPENING) {
3683 /*
3684 * We see an SA from 'dir' which is already in
3685 * SYN_RECEIVED state.
3686 */
3687 rval = 2;
3688 } else if (tcpflags & TH_FIN) {
3689 /*
3690 * we see an F from 'dir' which is in
3691 * SYN_RECEIVED state and wants to close its
3692 * side of the connection; SYN_RECEIVED ->
3693 * FIN_WAIT_1
3694 */
3695 nstate = IPF_TCPS_FIN_WAIT_1;
3696 rval = 1;
3697 }
3698 break;
3699
3700 case IPF_TCPS_HALF_ESTAB: /* 3 */
3701 if (tcpflags & TH_FIN) {
3702 nstate = IPF_TCPS_FIN_WAIT_1;
3703 rval = 1;
3704 } else if ((tcpflags & TH_ACKMASK) == TH_ACK) {
3705 /*
3706 * If we've picked up a connection in mid
3707 * flight, we could be looking at a follow on
3708 * packet from the same direction as the one
3709 * that created this state. Recognise it but
3710 * do not advance the entire connection's
3711 * state.
3712 */
3713 switch (ostate)
3714 {
3715 case IPF_TCPS_LISTEN :
3716 case IPF_TCPS_SYN_SENT :
3717 case IPF_TCPS_SYN_RECEIVED :
3718 rval = 1;
3719 break;
3720 case IPF_TCPS_HALF_ESTAB :
3721 case IPF_TCPS_ESTABLISHED :
3722 nstate = IPF_TCPS_ESTABLISHED;
3723 rval = 1;
3724 break;
3725 default :
3726 break;
3727 }
3728 }
3729 break;
3730
3731 case IPF_TCPS_ESTABLISHED: /* 4 */
3732 rval = 1;
3733 if (tcpflags & TH_FIN) {
3734 /*
3735 * 'dir' closed its side of the connection;
3736 * this gives us a half-closed connection;
3737 * ESTABLISHED -> FIN_WAIT_1
3738 */
3739 if (ostate == IPF_TCPS_FIN_WAIT_1) {
3740 nstate = IPF_TCPS_CLOSING;
3741 } else {
3742 nstate = IPF_TCPS_FIN_WAIT_1;
3743 }
3744 } else if (tcpflags & TH_ACK) {
3745 /*
3746 * an ACK, should we exclude other flags here?
3747 */
3748 if (ostate == IPF_TCPS_FIN_WAIT_1) {
3749 /*
3750 * We know the other side did an active
3751 * close, so we are ACKing the recvd
3752 * FIN packet (does the window matching
3753 * code guarantee this?) and go into
3754 * CLOSE_WAIT state; this gives us a
3755 * half-closed connection
3756 */
3757 nstate = IPF_TCPS_CLOSE_WAIT;
3758 } else if (ostate < IPF_TCPS_CLOSE_WAIT) {
3759 /*
3760 * still a fully established
3761 * connection reset timeout
3762 */
3763 nstate = IPF_TCPS_ESTABLISHED;
3764 }
3765 }
3766 break;
3767
3768 case IPF_TCPS_CLOSE_WAIT: /* 5 */
3769 rval = 1;
3770 if (tcpflags & TH_FIN) {
3771 /*
3772 * application closed and 'dir' sent a FIN,
3773 * we're now going into LAST_ACK state
3774 */
3775 nstate = IPF_TCPS_LAST_ACK;
3776 } else {
3777 /*
3778 * we remain in CLOSE_WAIT because the other
3779 * side has closed already and we did not
3780 * close our side yet; reset timeout
3781 */
3782 nstate = IPF_TCPS_CLOSE_WAIT;
3783 }
3784 break;
3785
3786 case IPF_TCPS_FIN_WAIT_1: /* 6 */
3787 rval = 1;
3788 if ((tcpflags & TH_ACK) &&
3789 ostate > IPF_TCPS_CLOSE_WAIT) {
3790 /*
3791 * if the other side is not active anymore
3792 * it has sent us a FIN packet that we are
3793 * ack'ing now with an ACK; this means both
3794 * sides have now closed the connection and
3795 * we go into TIME_WAIT
3796 */
3797 /*
3798 * XXX: how do we know we really are ACKing
3799 * the FIN packet here? does the window code
3800 * guarantee that?
3801 */
3802 nstate = IPF_TCPS_TIME_WAIT;
3803 } else {
3804 /*
3805 * we closed our side of the connection
3806 * already but the other side is still active
3807 * (ESTABLISHED/CLOSE_WAIT); continue with
3808 * this half-closed connection
3809 */
3810 nstate = IPF_TCPS_FIN_WAIT_1;
3811 }
3812 break;
3813
3814 case IPF_TCPS_CLOSING: /* 7 */
3815 if ((tcpflags & (TH_FIN|TH_ACK)) == TH_ACK) {
3816 nstate = IPF_TCPS_TIME_WAIT;
3817 }
3818 rval = 2;
3819 break;
3820
3821 case IPF_TCPS_LAST_ACK: /* 8 */
3822 if (tcpflags & TH_ACK) {
3823 if ((tcpflags & TH_PUSH) || dlen)
3824 /*
3825 * there is still data to be delivered,
3826 * reset timeout
3827 */
3828 rval = 1;
3829 else
3830 rval = 2;
3831 }
3832 /*
3833 * we cannot detect when we go out of LAST_ACK state to
3834 * CLOSED because that is based on the reception of ACK
3835 * packets; ipfilter can only detect that a packet
3836 * has been sent by a host
3837 */
3838 break;
3839
3840 case IPF_TCPS_FIN_WAIT_2: /* 9 */
3841 /* NOT USED */
3842 break;
3843
3844 case IPF_TCPS_TIME_WAIT: /* 10 */
3845 /* we're in 2MSL timeout now */
3846 if (ostate == IPF_TCPS_LAST_ACK) {
3847 nstate = IPF_TCPS_CLOSED;
3848 }
3849 rval = 1;
3850 break;
3851
3852 case IPF_TCPS_CLOSED: /* 11 */
3853 rval = 2;
3854 break;
3855
3856 default :
3857 #if defined(_KERNEL)
3858 # if SOLARIS
3859 cmn_err(CE_NOTE,
3860 "tcp %lx flags %x si %lx nstate %d ostate %d\n",
3861 (u_long)tcp, tcpflags, (u_long)tqe,
3862 nstate, ostate);
3863 # else
3864 printf("tcp %lx flags %x si %lx nstate %d ostate %d\n",
3865 (u_long)tcp, tcpflags, (u_long)tqe,
3866 nstate, ostate);
3867 # endif
3868 #else
3869 abort();
3870 #endif
3871 break;
3872 }
3873 }
3874
3875 /*
3876 * If rval == 2 then do not update the queue position, but treat the
3877 * packet as being ok.
3878 */
3879 if (rval == 2)
3880 rval = 1;
3881 else if (rval == 1) {
3882 tqe->tqe_state[dir] = nstate;
3883 if ((tqe->tqe_flags & TQE_RULEBASED) == 0)
3884 fr_movequeue(tqe, tqe->tqe_ifq, tqtab + nstate);
3885 }
3886
3887 return rval;
3888 }
3889
3890
3891 /* ------------------------------------------------------------------------ */
3892 /* Function: ipstate_log */
3893 /* Returns: Nil */
3894 /* Parameters: is(I) - pointer to state structure */
3895 /* type(I) - type of log entry to create */
3896 /* */
3897 /* Creates a state table log entry using the state structure and type info. */
3898 /* passed in. Log packet/byte counts, source/destination address and other */
3899 /* protocol specific information. */
3900 /* ------------------------------------------------------------------------ */
3901 void ipstate_log(is, type)
3902 struct ipstate *is;
3903 u_int type;
3904 {
3905 #ifdef IPFILTER_LOG
3906 struct ipslog ipsl;
3907 size_t sizes[1];
3908 void *items[1];
3909 int types[1];
3910
3911 /*
3912 * Copy information out of the ipstate_t structure and into the
3913 * structure used for logging.
3914 */
3915 ipsl.isl_type = type;
3916 ipsl.isl_pkts[0] = is->is_pkts[0] + is->is_icmppkts[0];
3917 ipsl.isl_bytes[0] = is->is_bytes[0];
3918 ipsl.isl_pkts[1] = is->is_pkts[1] + is->is_icmppkts[1];
3919 ipsl.isl_bytes[1] = is->is_bytes[1];
3920 ipsl.isl_pkts[2] = is->is_pkts[2] + is->is_icmppkts[2];
3921 ipsl.isl_bytes[2] = is->is_bytes[2];
3922 ipsl.isl_pkts[3] = is->is_pkts[3] + is->is_icmppkts[3];
3923 ipsl.isl_bytes[3] = is->is_bytes[3];
3924 ipsl.isl_src = is->is_src;
3925 ipsl.isl_dst = is->is_dst;
3926 ipsl.isl_p = is->is_p;
3927 ipsl.isl_v = is->is_v;
3928 ipsl.isl_flags = is->is_flags;
3929 ipsl.isl_tag = is->is_tag;
3930 ipsl.isl_rulen = is->is_rulen;
3931 (void) strncpy(ipsl.isl_group, is->is_group, FR_GROUPLEN);
3932
3933 if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
3934 ipsl.isl_sport = is->is_sport;
3935 ipsl.isl_dport = is->is_dport;
3936 if (ipsl.isl_p == IPPROTO_TCP) {
3937 ipsl.isl_state[0] = is->is_state[0];
3938 ipsl.isl_state[1] = is->is_state[1];
3939 }
3940 } else if (ipsl.isl_p == IPPROTO_ICMP) {
3941 ipsl.isl_itype = is->is_icmp.ici_type;
3942 } else if (ipsl.isl_p == IPPROTO_ICMPV6) {
3943 ipsl.isl_itype = is->is_icmp.ici_type;
3944 } else {
3945 ipsl.isl_ps.isl_filler[0] = 0;
3946 ipsl.isl_ps.isl_filler[1] = 0;
3947 }
3948
3949 items[0] = &ipsl;
3950 sizes[0] = sizeof(ipsl);
3951 types[0] = 0;
3952
3953 if (ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1)) {
3954 ATOMIC_INCL(ips_stats.iss_logged);
3955 } else {
3956 ATOMIC_INCL(ips_stats.iss_logfail);
3957 }
3958 #endif
3959 }
3960
3961
3962 #ifdef USE_INET6
3963 /* ------------------------------------------------------------------------ */
3964 /* Function: fr_checkicmp6matchingstate */
3965 /* Returns: ipstate_t* - NULL == no match found, */
3966 /* else pointer to matching state entry */
3967 /* Parameters: fin(I) - pointer to packet information */
3968 /* Locks: NULL == no locks, else Read Lock on ipf_state */
3969 /* */
3970 /* If we've got an ICMPv6 error message, using the information stored in */
3971 /* the ICMPv6 packet, look for a matching state table entry. */
3972 /* ------------------------------------------------------------------------ */
3973 static ipstate_t *fr_checkicmp6matchingstate(fin)
3974 fr_info_t *fin;
3975 {
3976 struct icmp6_hdr *ic6, *oic;
3977 int type, backward, i;
3978 ipstate_t *is, **isp;
3979 u_short sport, dport;
3980 i6addr_t dst, src;
3981 u_short savelen;
3982 icmpinfo_t *ic;
3983 fr_info_t ofin;
3984 tcphdr_t *tcp;
3985 ip6_t *oip6;
3986 u_char pr;
3987 u_int hv;
3988
3989 /*
3990 * Does it at least have the return (basic) IP header ?
3991 * Is it an actual recognised ICMP error type?
3992 * Only a basic IP header (no options) should be with
3993 * an ICMP error header.
3994 */
3995 if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN) ||
3996 !(fin->fin_flx & FI_ICMPERR))
3997 return NULL;
3998
3999 ic6 = fin->fin_dp;
4000 type = ic6->icmp6_type;
4001
4002 oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN);
4003 if (fin->fin_plen < sizeof(*oip6))
4004 return NULL;
4005
4006 bcopy((char *)fin, (char *)&ofin, sizeof(*fin));
4007 ofin.fin_v = 6;
4008 ofin.fin_ifp = fin->fin_ifp;
4009 ofin.fin_out = !fin->fin_out;
4010 ofin.fin_m = NULL; /* if dereferenced, panic XXX */
4011 ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
4012
4013 /*
4014 * We make a fin entry to be able to feed it to
4015 * matchsrcdst. Note that not all fields are necessary
4016 * but this is the cleanest way. Note further we fill
4017 * in fin_mp such that if someone uses it we'll get
4018 * a kernel panic. fr_matchsrcdst does not use this.
4019 *
4020 * watch out here, as ip is in host order and oip6 in network
4021 * order. Any change we make must be undone afterwards.
4022 */
4023 savelen = oip6->ip6_plen;
4024 oip6->ip6_plen = fin->fin_dlen - ICMPERR_ICMPHLEN;
4025 ofin.fin_flx = FI_NOCKSUM;
4026 ofin.fin_ip = (ip_t *)oip6;
4027 (void) fr_makefrip(sizeof(*oip6), (ip_t *)oip6, &ofin);
4028 ofin.fin_flx &= ~(FI_BAD|FI_SHORT);
4029 oip6->ip6_plen = savelen;
4030
4031 if (oip6->ip6_nxt == IPPROTO_ICMPV6) {
4032 oic = (struct icmp6_hdr *)(oip6 + 1);
4033 /*
4034 * an ICMP error can only be generated as a result of an
4035 * ICMP query, not as the response on an ICMP error
4036 *
4037 * XXX theoretically ICMP_ECHOREP and the other reply's are
4038 * ICMP query's as well, but adding them here seems strange XXX
4039 */
4040 if (!(oic->icmp6_type & ICMP6_INFOMSG_MASK))
4041 return NULL;
4042
4043 /*
4044 * perform a lookup of the ICMP packet in the state table
4045 */
4046 hv = (pr = oip6->ip6_nxt);
4047 src.in6 = oip6->ip6_src;
4048 hv += src.in4.s_addr;
4049 dst.in6 = oip6->ip6_dst;
4050 hv += dst.in4.s_addr;
4051 hv += oic->icmp6_id;
4052 hv += oic->icmp6_seq;
4053 hv = DOUBLE_HASH(hv);
4054
4055 READ_ENTER(&ipf_state);
4056 for (isp = &ips_table[hv]; ((is = *isp) != NULL); ) {
4057 ic = &is->is_icmp;
4058 isp = &is->is_hnext;
4059 if ((is->is_p == pr) &&
4060 !(is->is_pass & FR_NOICMPERR) &&
4061 (oic->icmp6_id == ic->ici_id) &&
4062 (oic->icmp6_seq == ic->ici_seq) &&
4063 (is = fr_matchsrcdst(&ofin, is, &src,
4064 &dst, NULL, FI_ICMPCMP))) {
4065 /*
4066 * in the state table ICMP query's are stored
4067 * with the type of the corresponding ICMP
4068 * response. Correct here
4069 */
4070 if (((ic->ici_type == ICMP6_ECHO_REPLY) &&
4071 (oic->icmp6_type == ICMP6_ECHO_REQUEST)) ||
4072 (ic->ici_type - 1 == oic->icmp6_type )) {
4073 ips_stats.iss_hits++;
4074 backward = IP6_NEQ(&is->is_dst, &src);
4075 fin->fin_rev = !backward;
4076 i = (backward << 1) + fin->fin_out;
4077 is->is_icmppkts[i]++;
4078 return is;
4079 }
4080 }
4081 }
4082 RWLOCK_EXIT(&ipf_state);
4083 return NULL;
4084 }
4085
4086 hv = (pr = oip6->ip6_nxt);
4087 src.in6 = oip6->ip6_src;
4088 hv += src.i6[0];
4089 hv += src.i6[1];
4090 hv += src.i6[2];
4091 hv += src.i6[3];
4092 dst.in6 = oip6->ip6_dst;
4093 hv += dst.i6[0];
4094 hv += dst.i6[1];
4095 hv += dst.i6[2];
4096 hv += dst.i6[3];
4097
4098 if ((oip6->ip6_nxt == IPPROTO_TCP) || (oip6->ip6_nxt == IPPROTO_UDP)) {
4099 tcp = (tcphdr_t *)(oip6 + 1);
4100 dport = tcp->th_dport;
4101 sport = tcp->th_sport;
4102 hv += dport;
4103 hv += sport;
4104 } else
4105 tcp = NULL;
4106 hv = DOUBLE_HASH(hv);
4107
4108 READ_ENTER(&ipf_state);
4109 for (isp = &ips_table[hv]; ((is = *isp) != NULL); ) {
4110 isp = &is->is_hnext;
4111 /*
4112 * Only allow this icmp though if the
4113 * encapsulated packet was allowed through the
4114 * other way around. Note that the minimal amount
4115 * of info present does not allow for checking against
4116 * tcp internals such as seq and ack numbers.
4117 */
4118 if ((is->is_p != pr) || (is->is_v != 6) ||
4119 (is->is_pass & FR_NOICMPERR))
4120 continue;
4121 is = fr_matchsrcdst(&ofin, is, &src, &dst, tcp, FI_ICMPCMP);
4122 if (is != NULL) {
4123 ips_stats.iss_hits++;
4124 backward = IP6_NEQ(&is->is_dst, &src);
4125 fin->fin_rev = !backward;
4126 i = (backward << 1) + fin->fin_out;
4127 is->is_icmppkts[i]++;
4128 /*
4129 * we deliberately do not touch the timeouts
4130 * for the accompanying state table entry.
4131 * It remains to be seen if that is correct. XXX
4132 */
4133 return is;
4134 }
4135 }
4136 RWLOCK_EXIT(&ipf_state);
4137 return NULL;
4138 }
4139 #endif
4140
4141
4142 /* ------------------------------------------------------------------------ */
4143 /* Function: fr_sttab_init */
4144 /* Returns: Nil */
4145 /* Parameters: tqp(I) - pointer to an array of timeout queues for TCP */
4146 /* */
4147 /* Initialise the array of timeout queues for TCP. */
4148 /* ------------------------------------------------------------------------ */
4149 void fr_sttab_init(tqp)
4150 ipftq_t *tqp;
4151 {
4152 int i;
4153
4154 for (i = IPF_TCP_NSTATES - 1; i >= 0; i--) {
4155 tqp[i].ifq_ttl = 0;
4156 tqp[i].ifq_ref = 1;
4157 tqp[i].ifq_head = NULL;
4158 tqp[i].ifq_tail = &tqp[i].ifq_head;
4159 tqp[i].ifq_next = tqp + i + 1;
4160 MUTEX_INIT(&tqp[i].ifq_lock, "ipftq tcp tab");
4161 }
4162 tqp[IPF_TCP_NSTATES - 1].ifq_next = NULL;
4163 tqp[IPF_TCPS_CLOSED].ifq_ttl = fr_tcpclosed;
4164 tqp[IPF_TCPS_LISTEN].ifq_ttl = fr_tcptimeout;
4165 tqp[IPF_TCPS_SYN_SENT].ifq_ttl = fr_tcptimeout;
4166 tqp[IPF_TCPS_SYN_RECEIVED].ifq_ttl = fr_tcptimeout;
4167 tqp[IPF_TCPS_ESTABLISHED].ifq_ttl = fr_tcpidletimeout;
4168 tqp[IPF_TCPS_CLOSE_WAIT].ifq_ttl = fr_tcphalfclosed;
4169 tqp[IPF_TCPS_FIN_WAIT_1].ifq_ttl = fr_tcphalfclosed;
4170 tqp[IPF_TCPS_CLOSING].ifq_ttl = fr_tcptimeout;
4171 tqp[IPF_TCPS_LAST_ACK].ifq_ttl = fr_tcplastack;
4172 tqp[IPF_TCPS_FIN_WAIT_2].ifq_ttl = fr_tcpclosewait;
4173 tqp[IPF_TCPS_TIME_WAIT].ifq_ttl = fr_tcptimewait;
4174 tqp[IPF_TCPS_HALF_ESTAB].ifq_ttl = fr_tcptimeout;
4175 }
4176
4177
4178 /* ------------------------------------------------------------------------ */
4179 /* Function: fr_sttab_destroy */
4180 /* Returns: Nil */
4181 /* Parameters: tqp(I) - pointer to an array of timeout queues for TCP */
4182 /* */
4183 /* Do whatever is necessary to "destroy" each of the entries in the array */
4184 /* of timeout queues for TCP. */
4185 /* ------------------------------------------------------------------------ */
4186 void fr_sttab_destroy(tqp)
4187 ipftq_t *tqp;
4188 {
4189 int i;
4190
4191 for (i = IPF_TCP_NSTATES - 1; i >= 0; i--)
4192 MUTEX_DESTROY(&tqp[i].ifq_lock);
4193 }
4194
4195
4196 /* ------------------------------------------------------------------------ */
4197 /* Function: fr_statederef */
4198 /* Returns: Nil */
4199 /* Parameters: isp(I) - pointer to pointer to state table entry */
4200 /* */
4201 /* Decrement the reference counter for this state table entry and free it */
4202 /* if there are no more things using it. */
4203 /* */
4204 /* This function is only called when cleaning up after increasing is_ref by */
4205 /* one earlier in the 'code path' so if is_ref is 1 when entering, we do */
4206 /* have an orphan, otherwise not. However there is a possible race between */
4207 /* the entry being deleted via flushing with an ioctl call (that calls the */
4208 /* delete function directly) and the tail end of packet processing so we */
4209 /* need to grab is_lock before doing the check to synchronise the two code */
4210 /* paths. */
4211 /* */
4212 /* When operating in userland (ipftest), we have no timers to clear a state */
4213 /* entry. Therefore, we make a few simple tests before deleting an entry */
4214 /* outright. We compare states on each side looking for a combination of */
4215 /* TIME_WAIT (should really be FIN_WAIT_2?) and LAST_ACK. Then we factor */
4216 /* in packet direction with the interface list to make sure we don't */
4217 /* prematurely delete an entry on a final inbound packet that's we're also */
4218 /* supposed to route elsewhere. */
4219 /* */
4220 /* Internal parameters: */
4221 /* state[0] = state of source (host that initiated connection) */
4222 /* state[1] = state of dest (host that accepted the connection) */
4223 /* */
4224 /* dir == 0 : a packet from source to dest */
4225 /* dir == 1 : a packet from dest to source */
4226 /* ------------------------------------------------------------------------ */
4227 void fr_statederef(isp)
4228 ipstate_t **isp;
4229 {
4230 ipstate_t *is;
4231
4232 is = *isp;
4233 *isp = NULL;
4234
4235 MUTEX_ENTER(&is->is_lock);
4236 if (is->is_ref > 1) {
4237 is->is_ref--;
4238 MUTEX_EXIT(&is->is_lock);
4239 return;
4240 }
4241 MUTEX_EXIT(&is->is_lock);
4242
4243 WRITE_ENTER(&ipf_state);
4244 fr_delstate(is, ISL_EXPIRE);
4245 RWLOCK_EXIT(&ipf_state);
4246 }
4247
4248
4249 /* ------------------------------------------------------------------------ */
4250 /* Function: fr_setstatequeue */
4251 /* Returns: Nil */
4252 /* Parameters: is(I) - pointer to state structure */
4253 /* rev(I) - forward(0) or reverse(1) direction */
4254 /* Locks: ipf_state (read or write) */
4255 /* */
4256 /* Put the state entry on its default queue entry, using rev as a helped in */
4257 /* determining which queue it should be placed on. */
4258 /* ------------------------------------------------------------------------ */
4259 void fr_setstatequeue(is, rev)
4260 ipstate_t *is;
4261 int rev;
4262 {
4263 ipftq_t *oifq, *nifq;
4264
4265
4266 if ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0)
4267 nifq = is->is_tqehead[rev];
4268 else
4269 nifq = NULL;
4270
4271 if (nifq == NULL) {
4272 switch (is->is_p)
4273 {
4274 #ifdef USE_INET6
4275 case IPPROTO_ICMPV6 :
4276 if (rev == 1)
4277 nifq = &ips_icmpacktq;
4278 else
4279 nifq = &ips_icmptq;
4280 break;
4281 #endif
4282 case IPPROTO_ICMP :
4283 if (rev == 1)
4284 nifq = &ips_icmpacktq;
4285 else
4286 nifq = &ips_icmptq;
4287 break;
4288 case IPPROTO_TCP :
4289 nifq = ips_tqtqb + is->is_state[rev];
4290 break;
4291
4292 case IPPROTO_UDP :
4293 if (rev == 1)
4294 nifq = &ips_udpacktq;
4295 else
4296 nifq = &ips_udptq;
4297 break;
4298
4299 default :
4300 nifq = &ips_iptq;
4301 break;
4302 }
4303 }
4304
4305 oifq = is->is_sti.tqe_ifq;
4306 /*
4307 * If it's currently on a timeout queue, move it from one queue to
4308 * another, else put it on the end of the newly determined queue.
4309 */
4310 if (oifq != NULL)
4311 fr_movequeue(&is->is_sti, oifq, nifq);
4312 else
4313 fr_queueappend(&is->is_sti, nifq, is);
4314 return;
4315 }
4316
4317
4318 /* ------------------------------------------------------------------------ */
4319 /* Function: fr_stateiter */
4320 /* Returns: int - 0 == success, else error */
4321 /* Parameters: token(I) - pointer to ipftoken structure */
4322 /* itp(I) - pointer to ipfgeniter structure */
4323 /* */
4324 /* This function handles the SIOCGENITER ioctl for the state tables and */
4325 /* walks through the list of entries in the state table list (ips_list.) */
4326 /* ------------------------------------------------------------------------ */
4327 static int fr_stateiter(token, itp)
4328 ipftoken_t *token;
4329 ipfgeniter_t *itp;
4330 {
4331 ipstate_t *is, *next, zero;
4332 int error, count;
4333 char *dst;
4334
4335 if (itp->igi_data == NULL)
4336 return EFAULT;
4337
4338 if (itp->igi_nitems < 1)
4339 return ENOSPC;
4340
4341 if (itp->igi_type != IPFGENITER_STATE)
4342 return EINVAL;
4343
4344 error = 0;
4345
4346 READ_ENTER(&ipf_state);
4347
4348 /*
4349 * Get "previous" entry from the token, and find the next entry
4350 * to be processed.
4351 */
4352 is = token->ipt_data;
4353 if (is == NULL) {
4354 next = ips_list;
4355 } else {
4356 next = is->is_next;
4357 }
4358
4359 dst = itp->igi_data;
4360 for (count = itp->igi_nitems; count > 0; count--) {
4361 /*
4362 * If we found an entry, add a reference and update the token.
4363 * Otherwise, zero out data to be returned and NULL out token.
4364 */
4365 if (next != NULL) {
4366 MUTEX_ENTER(&next->is_lock);
4367 next->is_ref++;
4368 MUTEX_EXIT(&next->is_lock);
4369 token->ipt_data = next;
4370 } else {
4371 bzero(&zero, sizeof(zero));
4372 next = &zero;
4373 token->ipt_data = NULL;
4374 }
4375
4376 /*
4377 * Safe to release lock now the we have a reference.
4378 */
4379 RWLOCK_EXIT(&ipf_state);
4380
4381 /*
4382 * Copy out data and clean up references and tokens.
4383 */
4384 error = COPYOUT(next, dst, sizeof(*next));
4385 if (error != 0)
4386 error = EFAULT;
4387
4388 if (is != NULL)
4389 fr_statederef(&is);
4390
4391 if (token->ipt_data != NULL) {
4392 break;
4393 } else {
4394 if (next->is_next == NULL) {
4395 token->ipt_data = NULL;
4396 break;
4397 }
4398 }
4399
4400 if ((count == 1) || (error != 0))
4401 break;
4402
4403 READ_ENTER(&ipf_state);
4404 dst += sizeof(*next);
4405 is = next;
4406 next = is->is_next;
4407 }
4408
4409 return error;
4410 }
4411
4412
4413 /* ------------------------------------------------------------------------ */
4414 /* Function: fr_stgettable */
4415 /* Returns: int - 0 = success, else error */
4416 /* Parameters: data(I) - pointer to ioctl data */
4417 /* */
4418 /* This function handles ioctl requests for tables of state information. */
4419 /* At present the only table it deals with is the hash bucket statistics. */
4420 /* ------------------------------------------------------------------------ */
4421 static int fr_stgettable(data)
4422 char *data;
4423 {
4424 ipftable_t table;
4425 int error;
4426
4427 error = fr_inobj(data, &table, IPFOBJ_GTABLE);
4428 if (error != 0)
4429 return error;
4430
4431 if (table.ita_type != IPFTABLE_BUCKETS)
4432 return EINVAL;
4433
4434 error = COPYOUT(ips_stats.iss_bucketlen, table.ita_table,
4435 fr_statesize * sizeof(u_long));
4436 if (error != 0)
4437 error = EFAULT;
4438 return error;
4439 }
NetBSD on the FriendlyARM MINI2440