search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / sys / dist / ipf / netinet / ip_sync.c
blobc8a093d85e73aca8dcf33a412ad2f1ffa3859a10
1 /* $NetBSD$ */
2
3 /*
4 * Copyright (C) 1995-1998 by Darren Reed.
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 */
8 #if defined(KERNEL) || defined(_KERNEL)
9 # undef KERNEL
10 # undef _KERNEL
11 # define KERNEL 1
12 # define _KERNEL 1
13 #endif
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
17 #include <sys/file.h>
18 #if !defined(_KERNEL) && !defined(__KERNEL__)
19 # include <stdio.h>
20 # include <stdlib.h>
21 # include <string.h>
22 # define _KERNEL
23 # define KERNEL
24 # ifdef __OpenBSD__
25 struct file;
26 # endif
27 # include <sys/uio.h>
28 # undef _KERNEL
29 # undef KERNEL
30 #else
31 # include <sys/systm.h>
32 # if !defined(__SVR4) && !defined(__svr4__)
33 # include <sys/mbuf.h>
34 # endif
35 # include <sys/select.h>
36 # if __FreeBSD_version >= 500000
37 # include <sys/selinfo.h>
38 # endif
39 #endif
40 #if defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
41 # include <sys/proc.h>
42 #endif
43 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
44 # include <sys/filio.h>
45 # include <sys/fcntl.h>
46 # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
47 # include "opt_ipfilter.h"
48 # endif
49 #else
50 # include <sys/ioctl.h>
51 #endif
52 #include <sys/time.h>
53 #if !defined(linux)
54 # include <sys/protosw.h>
55 #endif
56 #include <sys/socket.h>
57 #if defined(__SVR4) || defined(__svr4__)
58 # include <sys/filio.h>
59 # include <sys/byteorder.h>
60 # ifdef _KERNEL
61 # include <sys/dditypes.h>
62 # endif
63 # include <sys/stream.h>
64 # include <sys/kmem.h>
65 #endif
66
67 #include <net/if.h>
68 #ifdef sun
69 # include <net/af.h>
70 #endif
71 #include <netinet/in.h>
72 #include <netinet/in_systm.h>
73 #include <netinet/ip.h>
74 #include <netinet/tcp.h>
75 #if !defined(linux)
76 # include <netinet/ip_var.h>
77 #endif
78 #if !defined(__hpux) && !defined(linux)
79 # include <netinet/tcp_fsm.h>
80 #endif
81 #include <netinet/udp.h>
82 #include <netinet/ip_icmp.h>
83 #include "netinet/ip_compat.h"
84 #include <netinet/tcpip.h>
85 #include "netinet/ip_fil.h"
86 #include "netinet/ip_nat.h"
87 #include "netinet/ip_frag.h"
88 #include "netinet/ip_state.h"
89 #include "netinet/ip_proxy.h"
90 #include "netinet/ip_sync.h"
91 #ifdef USE_INET6
92 #include <netinet/icmp6.h>
93 #endif
94 #if (__FreeBSD_version >= 300000)
95 # include <sys/malloc.h>
96 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
97 # include <sys/libkern.h>
98 # include <sys/systm.h>
99 # endif
100 #endif
101 /* END OF INCLUDES */
102
103 #if !defined(lint)
104 #if defined(__NetBSD__)
105 #include <sys/cdefs.h>
106 __KERNEL_RCSID(0, "$NetBSD$");
107 #else
108 static const char rcsid[] = "@(#)Id: ip_sync.c,v 2.40.2.16 2009/01/27 08:33:23 darrenr Exp";
109 #endif
110 #endif
111
112 #define SYNC_STATETABSZ 256
113 #define SYNC_NATTABSZ 256
114
115 #ifdef IPFILTER_SYNC
116 # if SOLARIS && defined(_KERNEL)
117 extern struct pollhead iplpollhead[IPL_LOGSIZE];
118 # endif
119
120 ipfmutex_t ipf_syncadd, ipsl_mutex;
121 ipfrwlock_t ipf_syncstate, ipf_syncnat;
122 #if SOLARIS && defined(_KERNEL)
123 kcondvar_t ipslwait;
124 #endif
125 synclist_t *syncstatetab[SYNC_STATETABSZ];
126 synclist_t *syncnattab[SYNC_NATTABSZ];
127 synclogent_t synclog[SYNCLOG_SZ];
128 syncupdent_t syncupd[SYNCLOG_SZ];
129 u_int ipf_syncnum = 1;
130 u_int ipf_syncwrap = 0;
131 u_int sl_idx = 0, /* next available sync log entry */
132 su_idx = 0, /* next available sync update entry */
133 sl_tail = 0, /* next sync log entry to read */
134 su_tail = 0; /* next sync update entry to read */
135 int ipf_sync_debug = 0;
136
137
138 # if !defined(sparc) && !defined(__hppa)
139 void ipfsync_tcporder __P((int, struct tcpdata *));
140 void ipfsync_natorder __P((int, struct nat *));
141 void ipfsync_storder __P((int, struct ipstate *));
142 # endif
143
144
145 /* ------------------------------------------------------------------------ */
146 /* Function: ipfsync_init */
147 /* Returns: int - 0 == success, -1 == failure */
148 /* Parameters: Nil */
149 /* */
150 /* Initialise all of the locks required for the sync code and initialise */
151 /* any data structures, as required. */
152 /* ------------------------------------------------------------------------ */
153 int ipfsync_init()
154 {
155 RWLOCK_INIT(&ipf_syncstate, "add things to state sync table");
156 RWLOCK_INIT(&ipf_syncnat, "add things to nat sync table");
157 MUTEX_INIT(&ipf_syncadd, "add things to sync table");
158 MUTEX_INIT(&ipsl_mutex, "add things to sync table");
159 # if SOLARIS && defined(_KERNEL)
160 cv_init(&ipslwait, "ipsl condvar", CV_DRIVER, NULL);
161 # endif
162
163 bzero((char *)syncnattab, sizeof(syncnattab));
164 bzero((char *)syncstatetab, sizeof(syncstatetab));
165
166 return 0;
167 }
168
169
170 # if !defined(sparc) && !defined(__hppa)
171 /* ------------------------------------------------------------------------ */
172 /* Function: ipfsync_tcporder */
173 /* Returns: Nil */
174 /* Parameters: way(I) - direction of byte order conversion. */
175 /* td(IO) - pointer to data to be converted. */
176 /* */
177 /* Do byte swapping on values in the TCP state information structure that */
178 /* need to be used at both ends by the host in their native byte order. */
179 /* ------------------------------------------------------------------------ */
180 void ipfsync_tcporder(way, td)
181 int way;
182 tcpdata_t *td;
183 {
184 if (way) {
185 td->td_maxwin = htons(td->td_maxwin);
186 td->td_end = htonl(td->td_end);
187 td->td_maxend = htonl(td->td_maxend);
188 } else {
189 td->td_maxwin = ntohs(td->td_maxwin);
190 td->td_end = ntohl(td->td_end);
191 td->td_maxend = ntohl(td->td_maxend);
192 }
193 }
194
195
196 /* ------------------------------------------------------------------------ */
197 /* Function: ipfsync_natorder */
198 /* Returns: Nil */
199 /* Parameters: way(I) - direction of byte order conversion. */
200 /* nat(IO) - pointer to data to be converted. */
201 /* */
202 /* Do byte swapping on values in the NAT data structure that need to be */
203 /* used at both ends by the host in their native byte order. */
204 /* ------------------------------------------------------------------------ */
205 void ipfsync_natorder(way, n)
206 int way;
207 nat_t *n;
208 {
209 if (way) {
210 n->nat_age = htonl(n->nat_age);
211 n->nat_flags = htonl(n->nat_flags);
212 n->nat_ipsumd = htonl(n->nat_ipsumd);
213 n->nat_use = htonl(n->nat_use);
214 n->nat_dir = htonl(n->nat_dir);
215 } else {
216 n->nat_age = ntohl(n->nat_age);
217 n->nat_flags = ntohl(n->nat_flags);
218 n->nat_ipsumd = ntohl(n->nat_ipsumd);
219 n->nat_use = ntohl(n->nat_use);
220 n->nat_dir = ntohl(n->nat_dir);
221 }
222 }
223
224
225 /* ------------------------------------------------------------------------ */
226 /* Function: ipfsync_storder */
227 /* Returns: Nil */
228 /* Parameters: way(I) - direction of byte order conversion. */
229 /* ips(IO) - pointer to data to be converted. */
230 /* */
231 /* Do byte swapping on values in the IP state data structure that need to */
232 /* be used at both ends by the host in their native byte order. */
233 /* ------------------------------------------------------------------------ */
234 void ipfsync_storder(way, ips)
235 int way;
236 ipstate_t *ips;
237 {
238 ipfsync_tcporder(way, &ips->is_tcp.ts_data[0]);
239 ipfsync_tcporder(way, &ips->is_tcp.ts_data[1]);
240
241 if (way) {
242 ips->is_hv = htonl(ips->is_hv);
243 ips->is_die = htonl(ips->is_die);
244 ips->is_pass = htonl(ips->is_pass);
245 ips->is_flags = htonl(ips->is_flags);
246 ips->is_opt[0] = htonl(ips->is_opt[0]);
247 ips->is_opt[1] = htonl(ips->is_opt[1]);
248 ips->is_optmsk[0] = htonl(ips->is_optmsk[0]);
249 ips->is_optmsk[1] = htonl(ips->is_optmsk[1]);
250 ips->is_sec = htons(ips->is_sec);
251 ips->is_secmsk = htons(ips->is_secmsk);
252 ips->is_auth = htons(ips->is_auth);
253 ips->is_authmsk = htons(ips->is_authmsk);
254 ips->is_s0[0] = htonl(ips->is_s0[0]);
255 ips->is_s0[1] = htonl(ips->is_s0[1]);
256 ips->is_smsk[0] = htons(ips->is_smsk[0]);
257 ips->is_smsk[1] = htons(ips->is_smsk[1]);
258 } else {
259 ips->is_hv = ntohl(ips->is_hv);
260 ips->is_die = ntohl(ips->is_die);
261 ips->is_pass = ntohl(ips->is_pass);
262 ips->is_flags = ntohl(ips->is_flags);
263 ips->is_opt[0] = ntohl(ips->is_opt[0]);
264 ips->is_opt[1] = ntohl(ips->is_opt[1]);
265 ips->is_optmsk[0] = ntohl(ips->is_optmsk[0]);
266 ips->is_optmsk[1] = ntohl(ips->is_optmsk[1]);
267 ips->is_sec = ntohs(ips->is_sec);
268 ips->is_secmsk = ntohs(ips->is_secmsk);
269 ips->is_auth = ntohs(ips->is_auth);
270 ips->is_authmsk = ntohs(ips->is_authmsk);
271 ips->is_s0[0] = ntohl(ips->is_s0[0]);
272 ips->is_s0[1] = ntohl(ips->is_s0[1]);
273 ips->is_smsk[0] = ntohl(ips->is_smsk[0]);
274 ips->is_smsk[1] = ntohl(ips->is_smsk[1]);
275 }
276 }
277 # else /* !defined(sparc) && !defined(__hppa) */
278 # define ipfsync_tcporder(x,y)
279 # define ipfsync_natorder(x,y)
280 # define ipfsync_storder(x,y)
281 # endif /* !defined(sparc) && !defined(__hppa) */
282
283 /* enable this for debugging */
284
285 # ifdef _KERNEL
286 /* ------------------------------------------------------------------------ */
287 /* Function: ipfsync_write */
288 /* Returns: int - 0 == success, else error value. */
289 /* Parameters: uio(I) - pointer to information about data to write */
290 /* */
291 /* Moves data from user space into the kernel and uses it for updating data */
292 /* structures in the state/NAT tables. */
293 /* ------------------------------------------------------------------------ */
294 int ipfsync_write(uio)
295 struct uio *uio;
296 {
297 synchdr_t sh;
298
299 /*
300 * THIS MUST BE SUFFICIENT LARGE TO STORE
301 * ANY POSSIBLE DATA TYPE
302 */
303 char data[2048];
304
305 int err = 0;
306
307 # if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
308 uio->uio_rw = UIO_WRITE;
309 # endif
310
311 /* Try to get bytes */
312 while (uio->uio_resid > 0) {
313
314 if (uio->uio_resid >= sizeof(sh)) {
315
316 err = UIOMOVE((void *)&sh, sizeof(sh), UIO_WRITE, uio);
317
318 if (err) {
319 if (ipf_sync_debug > 2)
320 printf("uiomove(header) failed: %d\n",
321 err);
322 return err;
323 }
324
325 /* convert to host order */
326 sh.sm_magic = ntohl(sh.sm_magic);
327 sh.sm_len = ntohl(sh.sm_len);
328 sh.sm_num = ntohl(sh.sm_num);
329
330 if (ipf_sync_debug > 8)
331 printf("[%d] Read v:%d p:%d cmd:%d table:%d rev:%d len:%d magic:%x\n",
332 sh.sm_num, sh.sm_v, sh.sm_p, sh.sm_cmd,
333 sh.sm_table, sh.sm_rev, sh.sm_len,
334 sh.sm_magic);
335
336 if (sh.sm_magic != SYNHDRMAGIC) {
337 if (ipf_sync_debug > 2)
338 printf("uiomove(header) invalud %s\n",
339 "magic");
340 return EINVAL;
341 }
342
343 if (sh.sm_v != 4 && sh.sm_v != 6) {
344 if (ipf_sync_debug > 2)
345 printf("uiomove(header) invalid %s\n",
346 "protocol");
347 return EINVAL;
348 }
349
350 if (sh.sm_cmd > SMC_MAXCMD) {
351 if (ipf_sync_debug > 2)
352 printf("uiomove(header) invalid %s\n",
353 "command");
354 return EINVAL;
355 }
356
357
358 if (sh.sm_table > SMC_MAXTBL) {
359 if (ipf_sync_debug > 2)
360 printf("uiomove(header) invalid %s\n",
361 "table");
362 return EINVAL;
363 }
364
365 } else {
366 /* unsufficient data, wait until next call */
367 if (ipf_sync_debug > 2)
368 printf("uiomove(header) insufficient data");
369 return EAGAIN;
370 }
371
372
373 /*
374 * We have a header, so try to read the amount of data
375 * needed for the request
376 */
377
378 /* not supported */
379 if (sh.sm_len == 0) {
380 if (ipf_sync_debug > 2)
381 printf("uiomove(data zero length %s\n",
382 "not supported");
383 return EINVAL;
384 }
385
386 if (uio->uio_resid >= sh.sm_len) {
387
388 err = UIOMOVE((void *)data, sh.sm_len, UIO_WRITE, uio);
389
390 if (err) {
391 if (ipf_sync_debug > 2)
392 printf("uiomove(data) failed: %d\n",
393 err);
394 return err;
395 }
396
397 if (ipf_sync_debug > 7)
398 printf("uiomove(data) %d bytes read\n",
399 sh.sm_len);
400
401 if (sh.sm_table == SMC_STATE)
402 err = ipfsync_state(&sh, data);
403 else if (sh.sm_table == SMC_NAT)
404 err = ipfsync_nat(&sh, data);
405 if (ipf_sync_debug > 7)
406 printf("[%d] Finished with error %d\n",
407 sh.sm_num, err);
408
409 } else {
410 /* insufficient data, wait until next call */
411 if (ipf_sync_debug > 2)
412 printf("uiomove(data) %s %d bytes, got %d\n",
413 "insufficient data, need",
414 sh.sm_len, uio->uio_resid);
415 return EAGAIN;
416 }
417 }
418
419 /* no more data */
420 return 0;
421 }
422
423
424 /* ------------------------------------------------------------------------ */
425 /* Function: ipfsync_read */
426 /* Returns: int - 0 == success, else error value. */
427 /* Parameters: uio(O) - pointer to information about where to store data */
428 /* */
429 /* This function is called when a user program wants to read some data */
430 /* for pending state/NAT updates. If no data is available, the caller is */
431 /* put to sleep, pending a wakeup from the "lower half" of this code. */
432 /* ------------------------------------------------------------------------ */
433 int ipfsync_read(uio)
434 struct uio *uio;
435 {
436 syncupdent_t *su;
437 synclogent_t *sl;
438 int err = 0;
439
440 if ((uio->uio_resid & 3) || (uio->uio_resid < 8))
441 return EINVAL;
442
443 # if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
444 uio->uio_rw = UIO_READ;
445 # endif
446
447 MUTEX_ENTER(&ipsl_mutex);
448 while ((sl_tail == sl_idx) && (su_tail == su_idx)) {
449 # if SOLARIS && defined(_KERNEL)
450 if (!cv_wait_sig(&ipslwait, &ipsl_mutex)) {
451 MUTEX_EXIT(&ipsl_mutex);
452 return EINTR;
453 }
454 # else
455 # ifdef __hpux
456 {
457 lock_t *l;
458
459 l = get_sleep_lock(&sl_tail);
460 err = sleep(&sl_tail, PZERO+1);
461 if (err) {
462 MUTEX_EXIT(&ipsl_mutex);
463 return EINTR;
464 }
465 spinunlock(l);
466 }
467 # else /* __hpux */
468 # ifdef __osf__
469 err = mpsleep(&sl_tail, PSUSP|PCATCH, "ipl sleep", 0,
470 &ipsl_mutex, MS_LOCK_SIMPLE);
471 if (err)
472 return EINTR;
473 # else
474 MUTEX_EXIT(&ipsl_mutex);
475 err = SLEEP(&sl_tail, "ipl sleep");
476 if (err)
477 return EINTR;
478 MUTEX_ENTER(&ipsl_mutex);
479 # endif /* __osf__ */
480 # endif /* __hpux */
481 # endif /* SOLARIS */
482 }
483 MUTEX_EXIT(&ipsl_mutex);
484
485 READ_ENTER(&ipf_syncstate);
486 while ((sl_tail < sl_idx) && (uio->uio_resid > sizeof(*sl))) {
487 sl = synclog + sl_tail++;
488 err = UIOMOVE((void *)sl, sizeof(*sl), UIO_READ, uio);
489 if (err != 0)
490 break;
491 }
492
493 while ((su_tail < su_idx) && (uio->uio_resid > sizeof(*su))) {
494 su = syncupd + su_tail;
495 su_tail++;
496 err = UIOMOVE((void *)su, sizeof(*su), UIO_READ, uio);
497 if (err != 0)
498 break;
499 if (su->sup_hdr.sm_sl != NULL)
500 su->sup_hdr.sm_sl->sl_idx = -1;
501 }
502
503 MUTEX_ENTER(&ipf_syncadd);
504 if (su_tail == su_idx)
505 su_tail = su_idx = 0;
506 if (sl_tail == sl_idx)
507 sl_tail = sl_idx = 0;
508 MUTEX_EXIT(&ipf_syncadd);
509 RWLOCK_EXIT(&ipf_syncstate);
510 return err;
511 }
512
513
514 /* ------------------------------------------------------------------------ */
515 /* Function: ipfsync_state */
516 /* Returns: int - 0 == success, else error value. */
517 /* Parameters: sp(I) - pointer to sync packet data header */
518 /* uio(I) - pointer to user data for further information */
519 /* */
520 /* Updates the state table according to information passed in the sync */
521 /* header. As required, more data is fetched from the uio structure but */
522 /* varies depending on the contents of the sync header. This function can */
523 /* create a new state entry or update one. Deletion is left to the state */
524 /* structures being timed out correctly. */
525 /* ------------------------------------------------------------------------ */
526 int ipfsync_state(sp, data)
527 synchdr_t *sp;
528 void *data;
529 {
530 synctcp_update_t su;
531 ipstate_t *is, sn;
532 synclist_t *sl;
533 frentry_t *fr;
534 u_int hv;
535 int err = 0;
536
537 hv = sp->sm_num & (SYNC_STATETABSZ - 1);
538
539 switch (sp->sm_cmd)
540 {
541 case SMC_CREATE :
542
543 bcopy(data, &sn, sizeof(sn));
544 KMALLOC(is, ipstate_t *);
545 if (is == NULL) {
546 err = ENOMEM;
547 break;
548 }
549
550 KMALLOC(sl, synclist_t *);
551 if (sl == NULL) {
552 err = ENOMEM;
553 KFREE(is);
554 break;
555 }
556
557 bzero((char *)is, offsetof(ipstate_t, is_die));
558 bcopy((char *)&sn.is_die, (char *)&is->is_die,
559 sizeof(*is) - offsetof(ipstate_t, is_die));
560 ipfsync_storder(0, is);
561
562 /*
563 * We need to find the same rule on the slave as was used on
564 * the master to create this state entry.
565 */
566 READ_ENTER(&ipf_mutex);
567 fr = fr_getrulen(IPL_LOGIPF, sn.is_group, sn.is_rulen);
568 if (fr != NULL) {
569 MUTEX_ENTER(&fr->fr_lock);
570 fr->fr_ref++;
571 fr->fr_statecnt++;
572 MUTEX_EXIT(&fr->fr_lock);
573 }
574 RWLOCK_EXIT(&ipf_mutex);
575
576 if (ipf_sync_debug > 4)
577 printf("[%d] Filter rules = %p\n", sp->sm_num, fr);
578
579 is->is_rule = fr;
580 is->is_sync = sl;
581
582 sl->sl_idx = -1;
583 sl->sl_ips = is;
584 bcopy(sp, &sl->sl_hdr, sizeof(struct synchdr));
585
586 WRITE_ENTER(&ipf_syncstate);
587 WRITE_ENTER(&ipf_state);
588
589 sl->sl_pnext = syncstatetab + hv;
590 sl->sl_next = syncstatetab[hv];
591 if (syncstatetab[hv] != NULL)
592 syncstatetab[hv]->sl_pnext = &sl->sl_next;
593 syncstatetab[hv] = sl;
594 MUTEX_DOWNGRADE(&ipf_syncstate);
595 fr_stinsert(is, sp->sm_rev);
596 /*
597 * Do not initialise the interface pointers for the state
598 * entry as the full complement of interface names may not
599 * be present.
600 *
601 * Put this state entry on its timeout queue.
602 */
603 /*fr_setstatequeue(is, sp->sm_rev);*/
604 break;
605
606 case SMC_UPDATE :
607 bcopy(data, &su, sizeof(su));
608
609 if (ipf_sync_debug > 4)
610 printf("[%d] Update age %lu state %d/%d \n",
611 sp->sm_num, su.stu_age, su.stu_state[0],
612 su.stu_state[1]);
613
614 READ_ENTER(&ipf_syncstate);
615 for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next)
616 if (sl->sl_hdr.sm_num == sp->sm_num)
617 break;
618 if (sl == NULL) {
619 if (ipf_sync_debug > 1)
620 printf("[%d] State not found - can't update\n",
621 sp->sm_num);
622 RWLOCK_EXIT(&ipf_syncstate);
623 err = ENOENT;
624 break;
625 }
626
627 READ_ENTER(&ipf_state);
628
629 if (ipf_sync_debug > 6)
630 printf("[%d] Data from state v:%d p:%d cmd:%d table:%d rev:%d\n",
631 sp->sm_num, sl->sl_hdr.sm_v, sl->sl_hdr.sm_p,
632 sl->sl_hdr.sm_cmd, sl->sl_hdr.sm_table,
633 sl->sl_hdr.sm_rev);
634
635 is = sl->sl_ips;
636
637 MUTEX_ENTER(&is->is_lock);
638 switch (sp->sm_p)
639 {
640 case IPPROTO_TCP :
641 /* XXX FV --- shouldn't we do ntohl/htonl???? XXX */
642 is->is_send = su.stu_data[0].td_end;
643 is->is_maxsend = su.stu_data[0].td_maxend;
644 is->is_maxswin = su.stu_data[0].td_maxwin;
645 is->is_state[0] = su.stu_state[0];
646 is->is_dend = su.stu_data[1].td_end;
647 is->is_maxdend = su.stu_data[1].td_maxend;
648 is->is_maxdwin = su.stu_data[1].td_maxwin;
649 is->is_state[1] = su.stu_state[1];
650 break;
651 default :
652 break;
653 }
654
655 if (ipf_sync_debug > 6)
656 printf("[%d] Setting timers for state\n", sp->sm_num);
657
658 fr_setstatequeue(is, sp->sm_rev);
659
660 MUTEX_EXIT(&is->is_lock);
661 break;
662
663 default :
664 err = EINVAL;
665 break;
666 }
667
668 if (err == 0) {
669 RWLOCK_EXIT(&ipf_state);
670 RWLOCK_EXIT(&ipf_syncstate);
671 }
672
673 if (ipf_sync_debug > 6)
674 printf("[%d] Update completed with error %d\n",
675 sp->sm_num, err);
676
677 return err;
678 }
679 # endif /* _KERNEL */
680
681
682 /* ------------------------------------------------------------------------ */
683 /* Function: ipfsync_del */
684 /* Returns: Nil */
685 /* Parameters: sl(I) - pointer to synclist object to delete */
686 /* */
687 /* Deletes an object from the synclist table and free's its memory. */
688 /* ------------------------------------------------------------------------ */
689 void ipfsync_del(sl)
690 synclist_t *sl;
691 {
692 WRITE_ENTER(&ipf_syncstate);
693 *sl->sl_pnext = sl->sl_next;
694 if (sl->sl_next != NULL)
695 sl->sl_next->sl_pnext = sl->sl_pnext;
696 if (sl->sl_idx != -1)
697 syncupd[sl->sl_idx].sup_hdr.sm_sl = NULL;
698 RWLOCK_EXIT(&ipf_syncstate);
699 KFREE(sl);
700 }
701
702
703 /* ------------------------------------------------------------------------ */
704 /* Function: ipfsync_nat */
705 /* Returns: int - 0 == success, else error value. */
706 /* Parameters: sp(I) - pointer to sync packet data header */
707 /* uio(I) - pointer to user data for further information */
708 /* */
709 /* Updates the NAT table according to information passed in the sync */
710 /* header. As required, more data is fetched from the uio structure but */
711 /* varies depending on the contents of the sync header. This function can */
712 /* create a new NAT entry or update one. Deletion is left to the NAT */
713 /* structures being timed out correctly. */
714 /* ------------------------------------------------------------------------ */
715 int ipfsync_nat(sp, data)
716 synchdr_t *sp;
717 void *data;
718 {
719 syncupdent_t su;
720 nat_t *n, *nat;
721 synclist_t *sl;
722 u_int hv = 0;
723 int err;
724
725 READ_ENTER(&ipf_syncnat);
726
727 switch (sp->sm_cmd)
728 {
729 case SMC_CREATE :
730 KMALLOC(n, nat_t *);
731 if (n == NULL) {
732 err = ENOMEM;
733 break;
734 }
735
736 KMALLOC(sl, synclist_t *);
737 if (sl == NULL) {
738 err = ENOMEM;
739 KFREE(n);
740 break;
741 }
742
743 nat = (nat_t *)data;
744 bzero((char *)n, offsetof(nat_t, nat_age));
745 bcopy((char *)&nat->nat_age, (char *)&n->nat_age,
746 sizeof(*n) - offsetof(nat_t, nat_age));
747 ipfsync_natorder(0, n);
748 n->nat_sync = sl;
749
750 sl->sl_idx = -1;
751 sl->sl_ipn = n;
752 sl->sl_num = ntohl(sp->sm_num);
753
754 WRITE_ENTER(&ipf_nat);
755 sl->sl_pnext = syncnattab + hv;
756 sl->sl_next = syncnattab[hv];
757 if (syncnattab[hv] != NULL)
758 syncnattab[hv]->sl_pnext = &sl->sl_next;
759 syncnattab[hv] = sl;
760 nat_insert(n, sl->sl_rev);
761 RWLOCK_EXIT(&ipf_nat);
762 break;
763
764 case SMC_UPDATE :
765 bcopy(data, &su, sizeof(su));
766
767 for (sl = syncnattab[hv]; (sl != NULL); sl = sl->sl_next)
768 if (sl->sl_hdr.sm_num == sp->sm_num)
769 break;
770 if (sl == NULL) {
771 err = ENOENT;
772 break;
773 }
774
775 READ_ENTER(&ipf_nat);
776
777 nat = sl->sl_ipn;
778
779 MUTEX_ENTER(&nat->nat_lock);
780 fr_setnatqueue(nat, sl->sl_rev);
781 MUTEX_EXIT(&nat->nat_lock);
782
783 RWLOCK_EXIT(&ipf_nat);
784
785 break;
786
787 default :
788 err = EINVAL;
789 break;
790 }
791
792 RWLOCK_EXIT(&ipf_syncnat);
793 return 0;
794 }
795
796
797 /* ------------------------------------------------------------------------ */
798 /* Function: ipfsync_new */
799 /* Returns: synclist_t* - NULL == failure, else pointer to new synclist */
800 /* data structure. */
801 /* Parameters: tab(I) - type of synclist_t to create */
802 /* fin(I) - pointer to packet information */
803 /* ptr(I) - pointer to owning object */
804 /* */
805 /* Creates a new sync table entry and notifies any sleepers that it's there */
806 /* waiting to be processed. */
807 /* ------------------------------------------------------------------------ */
808 synclist_t *ipfsync_new(tab, fin, ptr)
809 int tab;
810 fr_info_t *fin;
811 void *ptr;
812 {
813 synclist_t *sl, *ss;
814 synclogent_t *sle;
815 u_int hv, sz;
816
817 if (sl_idx == SYNCLOG_SZ)
818 return NULL;
819 KMALLOC(sl, synclist_t *);
820 if (sl == NULL)
821 return NULL;
822
823 MUTEX_ENTER(&ipf_syncadd);
824 /*
825 * Get a unique number for this synclist_t. The number is only meant
826 * to be unique for the lifetime of the structure and may be reused
827 * later.
828 */
829 ipf_syncnum++;
830 if (ipf_syncnum == 0) {
831 ipf_syncnum = 1;
832 ipf_syncwrap = 1;
833 }
834
835 /*
836 * Use the synch number of the object as the hash key. Should end up
837 * with relatively even distribution over time.
838 * XXX - an attacker could lunch an DoS attack, of sorts, if they are
839 * the only one causing new table entries by only keeping open every
840 * nth connection they make, where n is a value in the interval
841 * [0, SYNC_STATETABSZ-1].
842 */
843 if (tab == SMC_STATE) {
844 hv = ipf_syncnum & (SYNC_STATETABSZ - 1);
845 while (ipf_syncwrap != 0) {
846 for (ss = syncstatetab[hv]; ss; ss = ss->sl_next)
847 if (ss->sl_hdr.sm_num == ipf_syncnum)
848 break;
849 if (ss == NULL)
850 break;
851 ipf_syncnum++;
852 hv = ipf_syncnum & (SYNC_STATETABSZ - 1);
853 }
854 sl->sl_pnext = syncstatetab + hv;
855 sl->sl_next = syncstatetab[hv];
856 syncstatetab[hv] = sl;
857 } else {
858 hv = ipf_syncnum & (SYNC_NATTABSZ - 1);
859 while (ipf_syncwrap != 0) {
860 for (ss = syncnattab[hv]; ss; ss = ss->sl_next)
861 if (ss->sl_hdr.sm_num == ipf_syncnum)
862 break;
863 if (ss == NULL)
864 break;
865 ipf_syncnum++;
866 hv = ipf_syncnum & (SYNC_STATETABSZ - 1);
867 }
868 sl->sl_pnext = syncnattab + hv;
869 sl->sl_next = syncnattab[hv];
870 syncnattab[hv] = sl;
871 }
872 sl->sl_num = ipf_syncnum;
873 MUTEX_EXIT(&ipf_syncadd);
874
875 sl->sl_magic = htonl(SYNHDRMAGIC);
876 sl->sl_v = fin->fin_v;
877 sl->sl_p = fin->fin_p;
878 sl->sl_cmd = SMC_CREATE;
879 sl->sl_idx = -1;
880 sl->sl_table = tab;
881 sl->sl_rev = fin->fin_rev;
882 if (tab == SMC_STATE) {
883 sl->sl_ips = ptr;
884 sz = sizeof(*sl->sl_ips);
885 } else {
886 sl->sl_ipn = ptr;
887 sz = sizeof(*sl->sl_ipn);
888 }
889 sl->sl_len = sz;
890
891 /*
892 * Create the log entry to be read by a user daemon. When it has been
893 * finished and put on the queue, send a signal to wakeup any waiters.
894 */
895 MUTEX_ENTER(&ipf_syncadd);
896 sle = synclog + sl_idx++;
897 bcopy((char *)&sl->sl_hdr, (char *)&sle->sle_hdr,
898 sizeof(sle->sle_hdr));
899 sle->sle_hdr.sm_num = htonl(sle->sle_hdr.sm_num);
900 sle->sle_hdr.sm_len = htonl(sle->sle_hdr.sm_len);
901 if (ptr != NULL) {
902 bcopy((char *)ptr, (char *)&sle->sle_un, sz);
903 if (tab == SMC_STATE) {
904 ipfsync_storder(1, &sle->sle_un.sleu_ips);
905 } else if (tab == SMC_NAT) {
906 ipfsync_natorder(1, &sle->sle_un.sleu_ipn);
907 }
908 }
909 MUTEX_EXIT(&ipf_syncadd);
910
911 MUTEX_ENTER(&ipsl_mutex);
912 # if SOLARIS
913 # ifdef _KERNEL
914 cv_signal(&ipslwait);
915 pollwakeup(&iplpollhead[IPL_LOGSYNC], POLLIN|POLLRDNORM);
916 # endif
917 MUTEX_EXIT(&ipsl_mutex);
918 # else
919 MUTEX_EXIT(&ipsl_mutex);
920 # ifdef _KERNEL
921 WAKEUP(&sl_tail, 0);
922 POLLWAKEUP(IPL_LOGSYNC);
923 # endif
924 # endif
925 return sl;
926 }
927
928
929 /* ------------------------------------------------------------------------ */
930 /* Function: ipfsync_update */
931 /* Returns: Nil */
932 /* Parameters: tab(I) - type of synclist_t to create */
933 /* fin(I) - pointer to packet information */
934 /* sl(I) - pointer to synchronisation object */
935 /* */
936 /* For outbound packets, only, create an sync update record for the user */
937 /* process to read. */
938 /* ------------------------------------------------------------------------ */
939 void ipfsync_update(tab, fin, sl)
940 int tab;
941 fr_info_t *fin;
942 synclist_t *sl;
943 {
944 synctcp_update_t *st;
945 syncupdent_t *slu;
946 ipstate_t *ips;
947 nat_t *nat;
948
949 if (fin->fin_out == 0 || sl == NULL)
950 return;
951
952 WRITE_ENTER(&ipf_syncstate);
953 MUTEX_ENTER(&ipf_syncadd);
954 if (sl->sl_idx == -1) {
955 slu = syncupd + su_idx;
956 sl->sl_idx = su_idx++;
957 bcopy((char *)&sl->sl_hdr, (char *)&slu->sup_hdr,
958 sizeof(slu->sup_hdr));
959 slu->sup_hdr.sm_magic = htonl(SYNHDRMAGIC);
960 slu->sup_hdr.sm_sl = sl;
961 slu->sup_hdr.sm_cmd = SMC_UPDATE;
962 slu->sup_hdr.sm_table = tab;
963 slu->sup_hdr.sm_num = htonl(sl->sl_num);
964 slu->sup_hdr.sm_len = htonl(sizeof(struct synctcp_update));
965 slu->sup_hdr.sm_rev = fin->fin_rev;
966 # if 0
967 if (fin->fin_p == IPPROTO_TCP) {
968 st->stu_len[0] = 0;
969 st->stu_len[1] = 0;
970 }
971 # endif
972 } else
973 slu = syncupd + sl->sl_idx;
974 MUTEX_EXIT(&ipf_syncadd);
975 MUTEX_DOWNGRADE(&ipf_syncstate);
976
977 /*
978 * Only TCP has complex timeouts, others just use default timeouts.
979 * For TCP, we only need to track the connection state and window.
980 */
981 if (fin->fin_p == IPPROTO_TCP) {
982 st = &slu->sup_tcp;
983 if (tab == SMC_STATE) {
984 ips = sl->sl_ips;
985 st->stu_age = htonl(ips->is_die);
986 st->stu_data[0].td_end = ips->is_send;
987 st->stu_data[0].td_maxend = ips->is_maxsend;
988 st->stu_data[0].td_maxwin = ips->is_maxswin;
989 st->stu_state[0] = ips->is_state[0];
990 st->stu_data[1].td_end = ips->is_dend;
991 st->stu_data[1].td_maxend = ips->is_maxdend;
992 st->stu_data[1].td_maxwin = ips->is_maxdwin;
993 st->stu_state[1] = ips->is_state[1];
994 } else if (tab == SMC_NAT) {
995 nat = sl->sl_ipn;
996 st->stu_age = htonl(nat->nat_age);
997 }
998 }
999 RWLOCK_EXIT(&ipf_syncstate);
1000
1001 MUTEX_ENTER(&ipsl_mutex);
1002 # if SOLARIS
1003 # ifdef _KERNEL
1004 cv_signal(&ipslwait);
1005 pollwakeup(&iplpollhead[IPL_LOGSYNC], POLLIN|POLLRDNORM);
1006 # endif
1007 MUTEX_EXIT(&ipsl_mutex);
1008 # else
1009 MUTEX_EXIT(&ipsl_mutex);
1010 # ifdef _KERNEL
1011 WAKEUP(&sl_tail, 0);
1012 POLLWAKEUP(IPL_LOGSYNC);
1013 # endif
1014 # endif
1015 }
1016
1017
1018 /* ------------------------------------------------------------------------ */
1019 /* Function: fr_sync_ioctl */
1020 /* Returns: int - 0 == success, != 0 == failure */
1021 /* Parameters: data(I) - pointer to ioctl data */
1022 /* cmd(I) - ioctl command integer */
1023 /* mode(I) - file mode bits used with open */
1024 /* */
1025 /* This function currently does not handle any ioctls and so just returns */
1026 /* EINVAL on all occasions. */
1027 /* ------------------------------------------------------------------------ */
1028 int fr_sync_ioctl(data, cmd, mode, uid, ctx)
1029 void * data;
1030 ioctlcmd_t cmd;
1031 int mode, uid;
1032 void *ctx;
1033 {
1034 return EINVAL;
1035 }
1036
1037
1038 int ipfsync_canread()
1039 {
1040 return !((sl_tail == sl_idx) && (su_tail == su_idx));
1041 }
1042
1043
1044 int ipfsync_canwrite()
1045 {
1046 return 1;
1047 }
1048 #endif /* IPFILTER_SYNC */
NetBSD on the FriendlyARM MINI2440