1 | #include <rtems/freebsd/machine/rtems-bsd-config.h> |
---|
2 | |
---|
3 | /* $OpenBSD: pf_ruleset.c,v 1.1 2006/10/27 13:56:51 mcbride Exp $ */ |
---|
4 | |
---|
5 | /* |
---|
6 | * Copyright (c) 2001 Daniel Hartmeier |
---|
7 | * Copyright (c) 2002,2003 Henning Brauer |
---|
8 | * All rights reserved. |
---|
9 | * |
---|
10 | * Redistribution and use in source and binary forms, with or without |
---|
11 | * modification, are permitted provided that the following conditions |
---|
12 | * are met: |
---|
13 | * |
---|
14 | * - Redistributions of source code must retain the above copyright |
---|
15 | * notice, this list of conditions and the following disclaimer. |
---|
16 | * - Redistributions in binary form must reproduce the above |
---|
17 | * copyright notice, this list of conditions and the following |
---|
18 | * disclaimer in the documentation and/or other materials provided |
---|
19 | * with the distribution. |
---|
20 | * |
---|
21 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
---|
22 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
---|
23 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS |
---|
24 | * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
---|
25 | * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, |
---|
26 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, |
---|
27 | * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
---|
28 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER |
---|
29 | * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
30 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN |
---|
31 | * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
---|
32 | * POSSIBILITY OF SUCH DAMAGE. |
---|
33 | * |
---|
34 | * Effort sponsored in part by the Defense Advanced Research Projects |
---|
35 | * Agency (DARPA) and Air Force Research Laboratory, Air Force |
---|
36 | * Materiel Command, USAF, under agreement number F30602-01-2-0537. |
---|
37 | * |
---|
38 | */ |
---|
39 | |
---|
40 | #ifdef __FreeBSD__ |
---|
41 | #include <rtems/freebsd/sys/cdefs.h> |
---|
42 | __FBSDID("$FreeBSD$"); |
---|
43 | #endif |
---|
44 | |
---|
45 | #include <rtems/freebsd/sys/param.h> |
---|
46 | #include <rtems/freebsd/sys/socket.h> |
---|
47 | #ifdef _KERNEL |
---|
48 | # include <rtems/freebsd/sys/systm.h> |
---|
49 | #endif /* _KERNEL */ |
---|
50 | #include <rtems/freebsd/sys/mbuf.h> |
---|
51 | |
---|
52 | #include <rtems/freebsd/netinet/in.h> |
---|
53 | #include <rtems/freebsd/netinet/in_systm.h> |
---|
54 | #include <rtems/freebsd/netinet/ip.h> |
---|
55 | #include <rtems/freebsd/netinet/tcp.h> |
---|
56 | |
---|
57 | #include <rtems/freebsd/net/if.h> |
---|
58 | #include <rtems/freebsd/net/pfvar.h> |
---|
59 | |
---|
60 | #ifdef INET6 |
---|
61 | #include <rtems/freebsd/netinet/ip6.h> |
---|
62 | #endif /* INET6 */ |
---|
63 | |
---|
64 | |
---|
65 | #ifdef _KERNEL |
---|
66 | # define DPFPRINTF(format, x...) \ |
---|
67 | if (pf_status.debug >= PF_DEBUG_NOISY) \ |
---|
68 | printf(format , ##x) |
---|
69 | #ifdef __FreeBSD__ |
---|
70 | #define rs_malloc(x) malloc(x, M_TEMP, M_NOWAIT) |
---|
71 | #else |
---|
72 | #define rs_malloc(x) malloc(x, M_TEMP, M_WAITOK) |
---|
73 | #endif |
---|
74 | #define rs_free(x) free(x, M_TEMP) |
---|
75 | |
---|
76 | #else |
---|
77 | /* Userland equivalents so we can lend code to pfctl et al. */ |
---|
78 | |
---|
79 | # include <rtems/freebsd/arpa/inet.h> |
---|
80 | # include <rtems/freebsd/errno.h> |
---|
81 | # include <rtems/freebsd/stdio.h> |
---|
82 | # include <rtems/freebsd/stdlib.h> |
---|
83 | # include <rtems/freebsd/string.h> |
---|
84 | # define rs_malloc(x) malloc(x) |
---|
85 | # define rs_free(x) free(x) |
---|
86 | |
---|
87 | # ifdef PFDEBUG |
---|
88 | # include <rtems/freebsd/sys/stdarg.h> |
---|
89 | # define DPFPRINTF(format, x...) fprintf(stderr, format , ##x) |
---|
90 | # else |
---|
91 | # define DPFPRINTF(format, x...) ((void)0) |
---|
92 | # endif /* PFDEBUG */ |
---|
93 | #endif /* _KERNEL */ |
---|
94 | |
---|
95 | |
---|
96 | struct pf_anchor_global pf_anchors; |
---|
97 | struct pf_anchor pf_main_anchor; |
---|
98 | |
---|
99 | #ifndef __FreeBSD__ |
---|
100 | /* XXX: hum? */ |
---|
101 | int pf_get_ruleset_number(u_int8_t); |
---|
102 | void pf_init_ruleset(struct pf_ruleset *); |
---|
103 | int pf_anchor_setup(struct pf_rule *, |
---|
104 | const struct pf_ruleset *, const char *); |
---|
105 | int pf_anchor_copyout(const struct pf_ruleset *, |
---|
106 | const struct pf_rule *, struct pfioc_rule *); |
---|
107 | void pf_anchor_remove(struct pf_rule *); |
---|
108 | #endif |
---|
109 | |
---|
110 | static __inline int pf_anchor_compare(struct pf_anchor *, struct pf_anchor *); |
---|
111 | |
---|
112 | RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); |
---|
113 | RB_GENERATE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare); |
---|
114 | |
---|
115 | static __inline int |
---|
116 | pf_anchor_compare(struct pf_anchor *a, struct pf_anchor *b) |
---|
117 | { |
---|
118 | int c = strcmp(a->path, b->path); |
---|
119 | |
---|
120 | return (c ? (c < 0 ? -1 : 1) : 0); |
---|
121 | } |
---|
122 | |
---|
123 | int |
---|
124 | pf_get_ruleset_number(u_int8_t action) |
---|
125 | { |
---|
126 | switch (action) { |
---|
127 | case PF_SCRUB: |
---|
128 | case PF_NOSCRUB: |
---|
129 | return (PF_RULESET_SCRUB); |
---|
130 | break; |
---|
131 | case PF_PASS: |
---|
132 | case PF_DROP: |
---|
133 | return (PF_RULESET_FILTER); |
---|
134 | break; |
---|
135 | case PF_NAT: |
---|
136 | case PF_NONAT: |
---|
137 | return (PF_RULESET_NAT); |
---|
138 | break; |
---|
139 | case PF_BINAT: |
---|
140 | case PF_NOBINAT: |
---|
141 | return (PF_RULESET_BINAT); |
---|
142 | break; |
---|
143 | case PF_RDR: |
---|
144 | case PF_NORDR: |
---|
145 | return (PF_RULESET_RDR); |
---|
146 | break; |
---|
147 | default: |
---|
148 | return (PF_RULESET_MAX); |
---|
149 | break; |
---|
150 | } |
---|
151 | } |
---|
152 | |
---|
153 | void |
---|
154 | pf_init_ruleset(struct pf_ruleset *ruleset) |
---|
155 | { |
---|
156 | int i; |
---|
157 | |
---|
158 | memset(ruleset, 0, sizeof(struct pf_ruleset)); |
---|
159 | for (i = 0; i < PF_RULESET_MAX; i++) { |
---|
160 | TAILQ_INIT(&ruleset->rules[i].queues[0]); |
---|
161 | TAILQ_INIT(&ruleset->rules[i].queues[1]); |
---|
162 | ruleset->rules[i].active.ptr = &ruleset->rules[i].queues[0]; |
---|
163 | ruleset->rules[i].inactive.ptr = &ruleset->rules[i].queues[1]; |
---|
164 | } |
---|
165 | } |
---|
166 | |
---|
167 | struct pf_anchor * |
---|
168 | pf_find_anchor(const char *path) |
---|
169 | { |
---|
170 | struct pf_anchor *key, *found; |
---|
171 | |
---|
172 | key = (struct pf_anchor *)rs_malloc(sizeof(*key)); |
---|
173 | memset(key, 0, sizeof(*key)); |
---|
174 | strlcpy(key->path, path, sizeof(key->path)); |
---|
175 | found = RB_FIND(pf_anchor_global, &pf_anchors, key); |
---|
176 | rs_free(key); |
---|
177 | return (found); |
---|
178 | } |
---|
179 | |
---|
180 | struct pf_ruleset * |
---|
181 | pf_find_ruleset(const char *path) |
---|
182 | { |
---|
183 | struct pf_anchor *anchor; |
---|
184 | |
---|
185 | while (*path == '/') |
---|
186 | path++; |
---|
187 | if (!*path) |
---|
188 | return (&pf_main_ruleset); |
---|
189 | anchor = pf_find_anchor(path); |
---|
190 | if (anchor == NULL) |
---|
191 | return (NULL); |
---|
192 | else |
---|
193 | return (&anchor->ruleset); |
---|
194 | } |
---|
195 | |
---|
196 | struct pf_ruleset * |
---|
197 | pf_find_or_create_ruleset(const char *path) |
---|
198 | { |
---|
199 | char *p, *q, *r; |
---|
200 | struct pf_ruleset *ruleset; |
---|
201 | #ifdef __FreeBSD__ |
---|
202 | struct pf_anchor *anchor = NULL, *dup, *parent = NULL; |
---|
203 | #else |
---|
204 | struct pf_anchor *anchor, *dup, *parent = NULL; |
---|
205 | #endif |
---|
206 | |
---|
207 | if (path[0] == 0) |
---|
208 | return (&pf_main_ruleset); |
---|
209 | while (*path == '/') |
---|
210 | path++; |
---|
211 | ruleset = pf_find_ruleset(path); |
---|
212 | if (ruleset != NULL) |
---|
213 | return (ruleset); |
---|
214 | p = (char *)rs_malloc(MAXPATHLEN); |
---|
215 | bzero(p, MAXPATHLEN); |
---|
216 | strlcpy(p, path, MAXPATHLEN); |
---|
217 | while (parent == NULL && (q = strrchr(p, '/')) != NULL) { |
---|
218 | *q = 0; |
---|
219 | if ((ruleset = pf_find_ruleset(p)) != NULL) { |
---|
220 | parent = ruleset->anchor; |
---|
221 | break; |
---|
222 | } |
---|
223 | } |
---|
224 | if (q == NULL) |
---|
225 | q = p; |
---|
226 | else |
---|
227 | q++; |
---|
228 | strlcpy(p, path, MAXPATHLEN); |
---|
229 | if (!*q) { |
---|
230 | rs_free(p); |
---|
231 | return (NULL); |
---|
232 | } |
---|
233 | while ((r = strchr(q, '/')) != NULL || *q) { |
---|
234 | if (r != NULL) |
---|
235 | *r = 0; |
---|
236 | if (!*q || strlen(q) >= PF_ANCHOR_NAME_SIZE || |
---|
237 | (parent != NULL && strlen(parent->path) >= |
---|
238 | MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 1)) { |
---|
239 | rs_free(p); |
---|
240 | return (NULL); |
---|
241 | } |
---|
242 | anchor = (struct pf_anchor *)rs_malloc(sizeof(*anchor)); |
---|
243 | if (anchor == NULL) { |
---|
244 | rs_free(p); |
---|
245 | return (NULL); |
---|
246 | } |
---|
247 | memset(anchor, 0, sizeof(*anchor)); |
---|
248 | RB_INIT(&anchor->children); |
---|
249 | strlcpy(anchor->name, q, sizeof(anchor->name)); |
---|
250 | if (parent != NULL) { |
---|
251 | strlcpy(anchor->path, parent->path, |
---|
252 | sizeof(anchor->path)); |
---|
253 | strlcat(anchor->path, "/", sizeof(anchor->path)); |
---|
254 | } |
---|
255 | strlcat(anchor->path, anchor->name, sizeof(anchor->path)); |
---|
256 | if ((dup = RB_INSERT(pf_anchor_global, &pf_anchors, anchor)) != |
---|
257 | NULL) { |
---|
258 | printf("pf_find_or_create_ruleset: RB_INSERT1 " |
---|
259 | "'%s' '%s' collides with '%s' '%s'\n", |
---|
260 | anchor->path, anchor->name, dup->path, dup->name); |
---|
261 | rs_free(anchor); |
---|
262 | rs_free(p); |
---|
263 | return (NULL); |
---|
264 | } |
---|
265 | if (parent != NULL) { |
---|
266 | anchor->parent = parent; |
---|
267 | if ((dup = RB_INSERT(pf_anchor_node, &parent->children, |
---|
268 | anchor)) != NULL) { |
---|
269 | printf("pf_find_or_create_ruleset: " |
---|
270 | "RB_INSERT2 '%s' '%s' collides with " |
---|
271 | "'%s' '%s'\n", anchor->path, anchor->name, |
---|
272 | dup->path, dup->name); |
---|
273 | RB_REMOVE(pf_anchor_global, &pf_anchors, |
---|
274 | anchor); |
---|
275 | rs_free(anchor); |
---|
276 | rs_free(p); |
---|
277 | return (NULL); |
---|
278 | } |
---|
279 | } |
---|
280 | pf_init_ruleset(&anchor->ruleset); |
---|
281 | anchor->ruleset.anchor = anchor; |
---|
282 | parent = anchor; |
---|
283 | if (r != NULL) |
---|
284 | q = r + 1; |
---|
285 | else |
---|
286 | *q = 0; |
---|
287 | } |
---|
288 | rs_free(p); |
---|
289 | return (&anchor->ruleset); |
---|
290 | } |
---|
291 | |
---|
292 | void |
---|
293 | pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset) |
---|
294 | { |
---|
295 | struct pf_anchor *parent; |
---|
296 | int i; |
---|
297 | |
---|
298 | while (ruleset != NULL) { |
---|
299 | if (ruleset == &pf_main_ruleset || ruleset->anchor == NULL || |
---|
300 | !RB_EMPTY(&ruleset->anchor->children) || |
---|
301 | ruleset->anchor->refcnt > 0 || ruleset->tables > 0 || |
---|
302 | ruleset->topen) |
---|
303 | return; |
---|
304 | for (i = 0; i < PF_RULESET_MAX; ++i) |
---|
305 | if (!TAILQ_EMPTY(ruleset->rules[i].active.ptr) || |
---|
306 | !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) || |
---|
307 | ruleset->rules[i].inactive.open) |
---|
308 | return; |
---|
309 | RB_REMOVE(pf_anchor_global, &pf_anchors, ruleset->anchor); |
---|
310 | if ((parent = ruleset->anchor->parent) != NULL) |
---|
311 | RB_REMOVE(pf_anchor_node, &parent->children, |
---|
312 | ruleset->anchor); |
---|
313 | rs_free(ruleset->anchor); |
---|
314 | if (parent == NULL) |
---|
315 | return; |
---|
316 | ruleset = &parent->ruleset; |
---|
317 | } |
---|
318 | } |
---|
319 | |
---|
320 | int |
---|
321 | pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s, |
---|
322 | const char *name) |
---|
323 | { |
---|
324 | char *p, *path; |
---|
325 | struct pf_ruleset *ruleset; |
---|
326 | |
---|
327 | r->anchor = NULL; |
---|
328 | r->anchor_relative = 0; |
---|
329 | r->anchor_wildcard = 0; |
---|
330 | if (!name[0]) |
---|
331 | return (0); |
---|
332 | path = (char *)rs_malloc(MAXPATHLEN); |
---|
333 | bzero(path, MAXPATHLEN); |
---|
334 | if (name[0] == '/') |
---|
335 | strlcpy(path, name + 1, MAXPATHLEN); |
---|
336 | else { |
---|
337 | /* relative path */ |
---|
338 | r->anchor_relative = 1; |
---|
339 | if (s->anchor == NULL || !s->anchor->path[0]) |
---|
340 | path[0] = 0; |
---|
341 | else |
---|
342 | strlcpy(path, s->anchor->path, MAXPATHLEN); |
---|
343 | while (name[0] == '.' && name[1] == '.' && name[2] == '/') { |
---|
344 | if (!path[0]) { |
---|
345 | printf("pf_anchor_setup: .. beyond root\n"); |
---|
346 | rs_free(path); |
---|
347 | return (1); |
---|
348 | } |
---|
349 | if ((p = strrchr(path, '/')) != NULL) |
---|
350 | *p = 0; |
---|
351 | else |
---|
352 | path[0] = 0; |
---|
353 | r->anchor_relative++; |
---|
354 | name += 3; |
---|
355 | } |
---|
356 | if (path[0]) |
---|
357 | strlcat(path, "/", MAXPATHLEN); |
---|
358 | strlcat(path, name, MAXPATHLEN); |
---|
359 | } |
---|
360 | if ((p = strrchr(path, '/')) != NULL && !strcmp(p, "/*")) { |
---|
361 | r->anchor_wildcard = 1; |
---|
362 | *p = 0; |
---|
363 | } |
---|
364 | ruleset = pf_find_or_create_ruleset(path); |
---|
365 | rs_free(path); |
---|
366 | if (ruleset == NULL || ruleset->anchor == NULL) { |
---|
367 | printf("pf_anchor_setup: ruleset\n"); |
---|
368 | return (1); |
---|
369 | } |
---|
370 | r->anchor = ruleset->anchor; |
---|
371 | r->anchor->refcnt++; |
---|
372 | return (0); |
---|
373 | } |
---|
374 | |
---|
375 | int |
---|
376 | pf_anchor_copyout(const struct pf_ruleset *rs, const struct pf_rule *r, |
---|
377 | struct pfioc_rule *pr) |
---|
378 | { |
---|
379 | pr->anchor_call[0] = 0; |
---|
380 | if (r->anchor == NULL) |
---|
381 | return (0); |
---|
382 | if (!r->anchor_relative) { |
---|
383 | strlcpy(pr->anchor_call, "/", sizeof(pr->anchor_call)); |
---|
384 | strlcat(pr->anchor_call, r->anchor->path, |
---|
385 | sizeof(pr->anchor_call)); |
---|
386 | } else { |
---|
387 | char *a, *p; |
---|
388 | int i; |
---|
389 | |
---|
390 | a = (char *)rs_malloc(MAXPATHLEN); |
---|
391 | bzero(a, MAXPATHLEN); |
---|
392 | if (rs->anchor == NULL) |
---|
393 | a[0] = 0; |
---|
394 | else |
---|
395 | strlcpy(a, rs->anchor->path, MAXPATHLEN); |
---|
396 | for (i = 1; i < r->anchor_relative; ++i) { |
---|
397 | if ((p = strrchr(a, '/')) == NULL) |
---|
398 | p = a; |
---|
399 | *p = 0; |
---|
400 | strlcat(pr->anchor_call, "../", |
---|
401 | sizeof(pr->anchor_call)); |
---|
402 | } |
---|
403 | if (strncmp(a, r->anchor->path, strlen(a))) { |
---|
404 | printf("pf_anchor_copyout: '%s' '%s'\n", a, |
---|
405 | r->anchor->path); |
---|
406 | rs_free(a); |
---|
407 | return (1); |
---|
408 | } |
---|
409 | if (strlen(r->anchor->path) > strlen(a)) |
---|
410 | strlcat(pr->anchor_call, r->anchor->path + (a[0] ? |
---|
411 | strlen(a) + 1 : 0), sizeof(pr->anchor_call)); |
---|
412 | rs_free(a); |
---|
413 | } |
---|
414 | if (r->anchor_wildcard) |
---|
415 | strlcat(pr->anchor_call, pr->anchor_call[0] ? "/*" : "*", |
---|
416 | sizeof(pr->anchor_call)); |
---|
417 | return (0); |
---|
418 | } |
---|
419 | |
---|
420 | void |
---|
421 | pf_anchor_remove(struct pf_rule *r) |
---|
422 | { |
---|
423 | if (r->anchor == NULL) |
---|
424 | return; |
---|
425 | if (r->anchor->refcnt <= 0) { |
---|
426 | printf("pf_anchor_remove: broken refcount\n"); |
---|
427 | r->anchor = NULL; |
---|
428 | return; |
---|
429 | } |
---|
430 | if (!--r->anchor->refcnt) |
---|
431 | pf_remove_if_empty_ruleset(&r->anchor->ruleset); |
---|
432 | r->anchor = NULL; |
---|
433 | } |
---|