search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / dist / pf / usr.sbin / ftp-proxy / filter.c
blobf01c0ba7441d4859868b0390f8123b443b6a38fb
1 /* $NetBSD$ */
2 /* $OpenBSD: filter.c,v 1.6 2007/08/01 09:31:41 henning Exp $ */
3
4 /*
5 * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 #include <sys/ioctl.h>
21 #include <sys/types.h>
22 #include <sys/socket.h>
23
24 #include <net/if.h>
25 #include <net/pfvar.h>
26 #include <netinet/in.h>
27 #include <netinet/tcp.h>
28 #include <arpa/inet.h>
29
30 #include <err.h>
31 #include <errno.h>
32 #include <fcntl.h>
33 #include <stdio.h>
34 #include <string.h>
35 #include <unistd.h>
36
37 #include "filter.h"
38
39 #if defined(__NetBSD__) && defined(WITH_IPF)
40 #include "ipf.h"
41 #endif /* __NetBSD__ && WITH_IPF */
42
43 /* From netinet/in.h, but only _KERNEL_ gets them. */
44 #define satosin(sa) ((struct sockaddr_in *)(sa))
45 #define satosin6(sa) ((struct sockaddr_in6 *)(sa))
46
47 enum { TRANS_FILTER = 0, TRANS_NAT, TRANS_RDR, TRANS_SIZE };
48
49 int prepare_rule(u_int32_t, int, struct sockaddr *, struct sockaddr *,
50 u_int16_t);
51 int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
52 struct sockaddr_in *);
53 int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
54 struct sockaddr_in6 *);
55
56 static struct pfioc_pooladdr pfp;
57 static struct pfioc_rule pfr;
58 static struct pfioc_trans pft;
59 static struct pfioc_trans_e pfte[TRANS_SIZE];
60 static int dev, rule_log;
61 static char *qname, *tagname;
62
63 int
64 add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
65 struct sockaddr *dst, u_int16_t d_port)
66 {
67 #if defined(__NetBSD__) && defined(WITH_IPF)
68 if (ipf_enabled)
69 return ipf_add_filter(id, dir, src, dst, d_port);
70 #endif /* __NetBSD__ && WITH_IPF */
71
72 if (!src || !dst || !d_port) {
73 errno = EINVAL;
74 return (-1);
75 }
76
77 if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port) == -1)
78 return (-1);
79
80 pfr.rule.direction = dir;
81 if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
82 return (-1);
83
84 return (0);
85 }
86
87 int
88 add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
89 u_int16_t d_port, struct sockaddr *nat, u_int16_t nat_range_low,
90 u_int16_t nat_range_high)
91 {
92 #if defined(__NetBSD__) && defined(WITH_IPF)
93 if (ipf_enabled)
94 return ipf_add_nat(id, src, dst, d_port, nat, nat_range_low,
95 nat_range_high);
96 #endif /* __NetBSD__ && WITH_IPF */
97
98 if (!src || !dst || !d_port || !nat || !nat_range_low ||
99 (src->sa_family != nat->sa_family)) {
100 errno = EINVAL;
101 return (-1);
102 }
103
104 if (prepare_rule(id, PF_RULESET_NAT, src, dst, d_port) == -1)
105 return (-1);
106
107 if (nat->sa_family == AF_INET) {
108 memcpy(&pfp.addr.addr.v.a.addr.v4,
109 &satosin(nat)->sin_addr.s_addr, 4);
110 memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
111 } else {
112 memcpy(&pfp.addr.addr.v.a.addr.v6,
113 &satosin6(nat)->sin6_addr.s6_addr, 16);
114 memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
115 }
116 if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
117 return (-1);
118
119 pfr.rule.rpool.proxy_port[0] = nat_range_low;
120 pfr.rule.rpool.proxy_port[1] = nat_range_high;
121 if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
122 return (-1);
123
124 return (0);
125 }
126
127 int
128 add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
129 u_int16_t d_port, struct sockaddr *rdr, u_int16_t rdr_port)
130 {
131 #if defined(__NetBSD__) && defined(WITH_IPF)
132 if (ipf_enabled)
133 return ipf_add_rdr(id, src, dst, d_port, rdr, rdr_port);
134 #endif /* __NetBSD__ && WITH_IPF */
135
136 if (!src || !dst || !d_port || !rdr || !rdr_port ||
137 (src->sa_family != rdr->sa_family)) {
138 errno = EINVAL;
139 return (-1);
140 }
141
142 if (prepare_rule(id, PF_RULESET_RDR, src, dst, d_port) == -1)
143 return (-1);
144
145 if (rdr->sa_family == AF_INET) {
146 memcpy(&pfp.addr.addr.v.a.addr.v4,
147 &satosin(rdr)->sin_addr.s_addr, 4);
148 memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
149 } else {
150 memcpy(&pfp.addr.addr.v.a.addr.v6,
151 &satosin6(rdr)->sin6_addr.s6_addr, 16);
152 memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
153 }
154 if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
155 return (-1);
156
157 pfr.rule.rpool.proxy_port[0] = rdr_port;
158 if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
159 return (-1);
160
161 return (0);
162 }
163
164 int
165 do_commit(void)
166 {
167 #if defined(__NetBSD__) && defined(WITH_IPF)
168 if (ipf_enabled)
169 return ipf_do_commit();
170 #endif /* __NetBSD__ && WITH_IPF */
171
172 if (ioctl(dev, DIOCXCOMMIT, &pft) == -1)
173 return (-1);
174
175 return (0);
176 }
177
178 int
179 do_rollback(void)
180 {
181 #if defined(__NetBSD__) && defined(WITH_IPF)
182 if (ipf_enabled)
183 return ipf_do_rollback();
184 #endif /* __NetBSD__ && WITH_IPF */
185
186 if (ioctl(dev, DIOCXROLLBACK, &pft) == -1)
187 return (-1);
188
189 return (0);
190 }
191
192 void
193 init_filter(char *opt_qname, char *opt_tagname, int opt_verbose)
194 {
195 struct pf_status status;
196
197 #if defined(__NetBSD__) && defined(WITH_IPF)
198 if (ipf_enabled) {
199 ipf_init_filter(opt_qname, opt_tagname, opt_verbose);
200 return;
201 }
202 #endif /* __NetBSD__ && WITH_IPF */
203
204 qname = opt_qname;
205 tagname = opt_tagname;
206
207 if (opt_verbose == 1)
208 rule_log = PF_LOG;
209 else if (opt_verbose == 2)
210 rule_log = PF_LOG_ALL;
211
212 dev = open("/dev/pf", O_RDWR);
213 if (dev == -1)
214 err(1, "/dev/pf");
215 if (ioctl(dev, DIOCGETSTATUS, &status) == -1)
216 err(1, "DIOCGETSTATUS");
217 if (!status.running)
218 errx(1, "pf is disabled");
219 }
220
221 int
222 prepare_commit(u_int32_t id)
223 {
224 char an[PF_ANCHOR_NAME_SIZE];
225 int i;
226
227 #if defined(__NetBSD__) && defined(WITH_IPF)
228 if (ipf_enabled)
229 return ipf_prepare_commit(id);
230 #endif /* __NetBSD__ && WITH_IPF */
231
232 memset(&pft, 0, sizeof pft);
233 pft.size = TRANS_SIZE;
234 pft.esize = sizeof pfte[0];
235 pft.array = pfte;
236
237 snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
238 getpid(), id);
239 for (i = 0; i < TRANS_SIZE; i++) {
240 memset(&pfte[i], 0, sizeof pfte[0]);
241 strlcpy(pfte[i].anchor, an, PF_ANCHOR_NAME_SIZE);
242 switch (i) {
243 case TRANS_FILTER:
244 pfte[i].rs_num = PF_RULESET_FILTER;
245 break;
246 case TRANS_NAT:
247 pfte[i].rs_num = PF_RULESET_NAT;
248 break;
249 case TRANS_RDR:
250 pfte[i].rs_num = PF_RULESET_RDR;
251 break;
252 default:
253 errno = EINVAL;
254 return (-1);
255 }
256 }
257
258 if (ioctl(dev, DIOCXBEGIN, &pft) == -1)
259 return (-1);
260
261 return (0);
262 }
263
264 int
265 prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
266 struct sockaddr *dst, u_int16_t d_port)
267 {
268 char an[PF_ANCHOR_NAME_SIZE];
269
270 if ((src->sa_family != AF_INET && src->sa_family != AF_INET6) ||
271 (src->sa_family != dst->sa_family)) {
272 errno = EPROTONOSUPPORT;
273 return (-1);
274 }
275
276 memset(&pfp, 0, sizeof pfp);
277 memset(&pfr, 0, sizeof pfr);
278 snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
279 getpid(), id);
280 strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
281 strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
282
283 switch (rs_num) {
284 case PF_RULESET_FILTER:
285 pfr.ticket = pfte[TRANS_FILTER].ticket;
286 break;
287 case PF_RULESET_NAT:
288 pfr.ticket = pfte[TRANS_NAT].ticket;
289 break;
290 case PF_RULESET_RDR:
291 pfr.ticket = pfte[TRANS_RDR].ticket;
292 break;
293 default:
294 errno = EINVAL;
295 return (-1);
296 }
297 if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
298 return (-1);
299 pfr.pool_ticket = pfp.ticket;
300
301 /* Generic for all rule types. */
302 pfr.rule.af = src->sa_family;
303 pfr.rule.proto = IPPROTO_TCP;
304 pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
305 pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
306 if (src->sa_family == AF_INET) {
307 memcpy(&pfr.rule.src.addr.v.a.addr.v4,
308 &satosin(src)->sin_addr.s_addr, 4);
309 memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
310 memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
311 &satosin(dst)->sin_addr.s_addr, 4);
312 memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
313 } else {
314 memcpy(&pfr.rule.src.addr.v.a.addr.v6,
315 &satosin6(src)->sin6_addr.s6_addr, 16);
316 memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
317 memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
318 &satosin6(dst)->sin6_addr.s6_addr, 16);
319 memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
320 }
321 pfr.rule.dst.port_op = PF_OP_EQ;
322 pfr.rule.dst.port[0] = htons(d_port);
323 if (tagname != NULL)
324 strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname);
325
326 switch (rs_num) {
327 case PF_RULESET_FILTER:
328 /*
329 * pass quick [log] inet[6] proto tcp \
330 * from $src to $dst port = $d_port flags S/SA keep state
331 * (max 1) [queue qname]
332 */
333 pfr.rule.action = PF_PASS;
334 pfr.rule.quick = 1;
335 pfr.rule.log = rule_log;
336 pfr.rule.keep_state = 1;
337 pfr.rule.flags = TH_SYN;
338 pfr.rule.flagset = (TH_SYN|TH_ACK);
339 pfr.rule.max_states = 1;
340 if (qname != NULL)
341 strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
342 break;
343 case PF_RULESET_NAT:
344 /*
345 * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
346 */
347 pfr.rule.action = PF_NAT;
348 break;
349 case PF_RULESET_RDR:
350 /*
351 * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
352 */
353 pfr.rule.action = PF_RDR;
354 break;
355 default:
356 errno = EINVAL;
357 return (-1);
358 }
359
360 return (0);
361 }
362
363 int
364 server_lookup(struct sockaddr *client, struct sockaddr *proxy,
365 struct sockaddr *server)
366 {
367 #if defined(__NetBSD__) && defined(WITH_IPF)
368 if (ipf_enabled)
369 return ipf_server_lookup(client, proxy, server);
370 #endif /* __NetBSD__ && WITH_IPF */
371
372 if (client->sa_family == AF_INET)
373 return (server_lookup4(satosin(client), satosin(proxy),
374 satosin(server)));
375
376 if (client->sa_family == AF_INET6)
377 return (server_lookup6(satosin6(client), satosin6(proxy),
378 satosin6(server)));
379
380 errno = EPROTONOSUPPORT;
381 return (-1);
382 }
383
384 int
385 server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
386 struct sockaddr_in *server)
387 {
388 struct pfioc_natlook pnl;
389
390 memset(&pnl, 0, sizeof pnl);
391 pnl.direction = PF_OUT;
392 pnl.af = AF_INET;
393 pnl.proto = IPPROTO_TCP;
394 memcpy(&pnl.saddr.v4, &client->sin_addr.s_addr, sizeof pnl.saddr.v4);
395 memcpy(&pnl.daddr.v4, &proxy->sin_addr.s_addr, sizeof pnl.daddr.v4);
396 pnl.sport = client->sin_port;
397 pnl.dport = proxy->sin_port;
398
399 if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
400 return (-1);
401
402 memset(server, 0, sizeof(struct sockaddr_in));
403 server->sin_len = sizeof(struct sockaddr_in);
404 server->sin_family = AF_INET;
405 memcpy(&server->sin_addr.s_addr, &pnl.rdaddr.v4,
406 sizeof server->sin_addr.s_addr);
407 server->sin_port = pnl.rdport;
408
409 return (0);
410 }
411
412 int
413 server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy,
414 struct sockaddr_in6 *server)
415 {
416 struct pfioc_natlook pnl;
417
418 memset(&pnl, 0, sizeof pnl);
419 pnl.direction = PF_OUT;
420 pnl.af = AF_INET6;
421 pnl.proto = IPPROTO_TCP;
422 memcpy(&pnl.saddr.v6, &client->sin6_addr.s6_addr, sizeof pnl.saddr.v6);
423 memcpy(&pnl.daddr.v6, &proxy->sin6_addr.s6_addr, sizeof pnl.daddr.v6);
424 pnl.sport = client->sin6_port;
425 pnl.dport = proxy->sin6_port;
426
427 if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
428 return (-1);
429
430 memset(server, 0, sizeof(struct sockaddr_in6));
431 server->sin6_len = sizeof(struct sockaddr_in6);
432 server->sin6_family = AF_INET6;
433 memcpy(&server->sin6_addr.s6_addr, &pnl.rdaddr.v6,
434 sizeof server->sin6_addr);
435 server->sin6_port = pnl.rdport;
436
437 return (0);
438 }
NetBSD on the FriendlyARM MINI2440