blob: f7d98ea1e9c2d084cbd50559491af43ac82bc4e5 [file] [log] [blame] [raw]
/*
* Copyright (C) 1993-2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if defined(KERNEL) || defined(_KERNEL)
# undef KERNEL
# undef _KERNEL
# define KERNEL 1
# define _KERNEL 1
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
#ifdef __hpux
# include <sys/timeout.h>
#endif
#if !defined(_KERNEL)
# include <stdio.h>
# include <string.h>
# include <stdlib.h>
# define _KERNEL
# ifdef __OpenBSD__
struct file;
# endif
# include <sys/uio.h>
# undef _KERNEL
#endif
#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fcntl.h>
#else
# include <sys/ioctl.h>
#endif
#if !defined(linux)
# include <sys/protosw.h>
#endif
#include <sys/socket.h>
#if defined(_KERNEL)
# include <sys/systm.h>
# if !defined(__SVR4) && !defined(__svr4__)
# include <sys/mbuf.h>
# endif
#endif
#if !defined(__SVR4) && !defined(__svr4__)
# if defined(_KERNEL) && !defined(__sgi) && !defined(AIX)
# include <sys/kernel.h>
# endif
#else
# include <sys/byteorder.h>
# ifdef _KERNEL
# include <sys/dditypes.h>
# endif
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
#include <net/if.h>
#ifdef sun
# include <net/af.h>
#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#if !defined(linux)
# include <netinet/ip_var.h>
#endif
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include "netinet/ip_compat.h"
#include <netinet/tcpip.h>
#include "netinet/ip_fil.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_auth.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_sync.h"
#if (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
# if defined(_KERNEL)
# ifndef IPFILTER_LKM
# include <sys/libkern.h>
# include <sys/systm.h>
# endif
extern struct callout_handle ipf_slowtimer_ch;
# endif
#endif
#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
# include <sys/callout.h>
extern struct callout ipf_slowtimer_ch;
#endif
#if defined(__OpenBSD__)
# include <sys/timeout.h>
extern struct timeout ipf_slowtimer_ch;
#endif
/* END OF INCLUDES */
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id$";
#endif
ipfr_t *ipfr_list = NULL;
ipfr_t **ipfr_tail = &ipfr_list;
ipfr_t *ipfr_natlist = NULL;
ipfr_t **ipfr_nattail = &ipfr_natlist;
ipfr_t *ipfr_ipidlist = NULL;
ipfr_t **ipfr_ipidtail = &ipfr_ipidlist;
static ipfr_t **ipfr_heads;
static ipfr_t **ipfr_nattab;
static ipfr_t **ipfr_ipidtab;
static ipfrstat_t ipfr_stats;
static frentry_t ipfr_block;
static int ipfr_inuse = 0;
int ipfr_size = IPFT_SIZE;
int ipf_ipfrttl = 120; /* 60 seconds */
int ipf_frag_lock = 0;
int ipf_frag_inited = 0;
u_32_t ipf_ticks = 0;
#ifdef USE_MUTEXES
static ipfr_t *ipfr_frag_new __P((fr_info_t *, u_32_t, ipfr_t **,
ipfrwlock_t *));
static ipfr_t *ipf_frag_lookup __P((fr_info_t *, ipfr_t **, ipfrwlock_t *));
#else
static ipfr_t *ipfr_frag_new __P((fr_info_t *, u_32_t, ipfr_t **));
static ipfr_t *ipf_frag_lookup __P((fr_info_t *, ipfr_t **));
#endif
static void ipf_frag_delete __P((ipfr_t *, ipfr_t ***));
static void ipf_frag_free __P((ipfr_t *));
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_init */
/* Returns: int - 0 == success, -1 == error */
/* Parameters: Nil */
/* */
/* Initialise the hash tables for the fragment cache lookups. */
/* ------------------------------------------------------------------------ */
int
ipf_frag_init()
{
KMALLOCS(ipfr_heads, ipfr_t **, ipfr_size * sizeof(ipfr_t *));
if (ipfr_heads == NULL)
return -1;
bzero((char *)ipfr_heads, ipfr_size * sizeof(ipfr_t *));
KMALLOCS(ipfr_nattab, ipfr_t **, ipfr_size * sizeof(ipfr_t *));
if (ipfr_nattab == NULL)
return -1;
bzero((char *)ipfr_nattab, ipfr_size * sizeof(ipfr_t *));
KMALLOCS(ipfr_ipidtab, ipfr_t **, ipfr_size * sizeof(ipfr_t *));
if (ipfr_ipidtab == NULL)
return -1;
bzero((char *)ipfr_ipidtab, ipfr_size * sizeof(ipfr_t *));
RWLOCK_INIT(&ipf_frag, "ipf fragment rwlock");
bzero((char *)&ipfr_block, sizeof(ipfr_block));
ipfr_block.fr_flags = FR_BLOCK|FR_QUICK;
ipfr_block.fr_ref = 1;
ipf_frag_inited = 1;
return 0;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_unload */
/* Returns: Nil */
/* Parameters: Nil */
/* */
/* Free all memory allocated whilst running and from initialisation. */
/* ------------------------------------------------------------------------ */
void
ipf_frag_unload()
{
if (ipf_frag_inited == 1) {
ipf_frag_clear();
RW_DESTROY(&ipf_frag);
ipf_frag_inited = 0;
}
if (ipfr_heads != NULL)
KFREES(ipfr_heads, ipfr_size * sizeof(ipfr_t *));
ipfr_heads = NULL;
if (ipfr_nattab != NULL)
KFREES(ipfr_nattab, ipfr_size * sizeof(ipfr_t *));
ipfr_nattab = NULL;
if (ipfr_ipidtab != NULL)
KFREES(ipfr_ipidtab, ipfr_size * sizeof(ipfr_t *));
ipfr_ipidtab = NULL;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_stats */
/* Returns: ipfrstat_t* - pointer to struct with current frag stats */
/* Parameters: Nil */
/* */
/* Updates ipfr_stats with current information and returns a pointer to it */
/* ------------------------------------------------------------------------ */
ipfrstat_t *
ipf_frag_stats()
{
ipfr_stats.ifs_table = ipfr_heads;
ipfr_stats.ifs_nattab = ipfr_nattab;
ipfr_stats.ifs_inuse = ipfr_inuse;
return &ipfr_stats;
}
/* ------------------------------------------------------------------------ */
/* Function: ipfr_frag_new */
/* Returns: ipfr_t * - pointer to fragment cache state info or NULL */
/* Parameters: fin(I) - pointer to packet information */
/* table(I) - pointer to frag table to add to */
/* lock(I) - pointer to lock to get a write hold of */
/* */
/* Add a new entry to the fragment cache, registering it as having come */
/* through this box, with the result of the filter operation. */
/* */
/* If this function succeeds, it returns with a write lock held on "lock". */
/* If it fails, no lock is held on return. */
/* ------------------------------------------------------------------------ */
static ipfr_t *
ipfr_frag_new(fin, pass, table
#ifdef USE_MUTEXES
, lock
#endif
)
fr_info_t *fin;
u_32_t pass;
ipfr_t *table[];
#ifdef USE_MUTEXES
ipfrwlock_t *lock;
#endif
{
ipfr_t *fra, frag, *fran;
u_int idx, off;
frentry_t *fr;
if (ipfr_inuse >= ipfr_size) {
ATOMIC_INCL(ipfr_stats.ifs_maximum);
return NULL;
}
if ((fin->fin_flx & (FI_FRAG|FI_BAD)) != FI_FRAG) {
ATOMIC_INCL(ipfr_stats.ifs_newbad);
return NULL;
}
if (pass & FR_FRSTRICT) {
if (fin->fin_off != 0) {
ATOMIC_INCL(ipfr_stats.ifs_newrestrictnot0);
return NULL;
}
}
frag.ipfr_p = fin->fin_p;
idx = fin->fin_p;
frag.ipfr_id = fin->fin_id;
idx += fin->fin_id;
frag.ipfr_source = fin->fin_fi.fi_src;
idx += frag.ipfr_src.s_addr;
frag.ipfr_dest = fin->fin_fi.fi_dst;
idx += frag.ipfr_dst.s_addr;
frag.ipfr_ifp = fin->fin_ifp;
idx *= 127;
idx %= ipfr_size;
frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
frag.ipfr_auth = fin->fin_fi.fi_auth;
off = fin->fin_off >> 3;
#ifdef USE_INET6
if ((off == 0) && (fin->fin_v == 6)) {
char *ptr;
int end;
ptr = (char *)fin->fin_fraghdr + sizeof(struct ip6_frag);
end = fin->fin_plen - (ptr - (char *)fin->fin_ip);
frag.ipfr_firstend = end >> 3;
} else
#endif
frag.ipfr_firstend = 0;
/*
* allocate some memory, if possible, if not, just record that we
* failed to do so.
*/
KMALLOC(fran, ipfr_t *);
if (fran == NULL) {
ipfr_stats.ifs_nomem++;
return NULL;
}
WRITE_ENTER(lock);
/*
* first, make sure it isn't already there...
*/
for (fra = table[idx]; (fra != NULL); fra = fra->ipfr_hnext)
if (!bcmp((char *)&frag.ipfr_ifp, (char *)&fra->ipfr_ifp,
IPFR_CMPSZ)) {
RWLOCK_EXIT(lock);
ATOMIC_INCL(ipfr_stats.ifs_exists);
KFREE(fra);
return NULL;
}
fra = fran;
fran = NULL;
fr = fin->fin_fr;
fra->ipfr_rule = fr;
if (fr != NULL) {
MUTEX_ENTER(&fr->fr_lock);
fr->fr_ref++;
MUTEX_EXIT(&fr->fr_lock);
}
/*
* Insert the fragment into the fragment table, copy the struct used
* in the search using bcopy rather than reassign each field.
* Set the ttl to the default.
*/
if ((fra->ipfr_hnext = table[idx]) != NULL)
table[idx]->ipfr_hprev = &fra->ipfr_hnext;
fra->ipfr_hprev = table + idx;
fra->ipfr_data = NULL;
table[idx] = fra;
bcopy((char *)&frag.ipfr_ifp, (char *)&fra->ipfr_ifp, IPFR_CMPSZ);
fra->ipfr_ttl = ipf_ticks + ipf_ipfrttl;
fra->ipfr_firstend = frag.ipfr_firstend;
/*
* Compute the offset of the expected start of the next packet.
*/
if (off == 0)
fra->ipfr_seen0 = 1;
fra->ipfr_off = off + (fin->fin_dlen >> 3);
fra->ipfr_pass = pass;
fra->ipfr_ref = 1;
ipfr_stats.ifs_new++;
ipfr_inuse++;
return fra;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_new */
/* Returns: int - 0 == success, -1 == error */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Add a new entry to the fragment cache table based on the current packet */
/* ------------------------------------------------------------------------ */
int
ipf_frag_new(fin, pass)
u_32_t pass;
fr_info_t *fin;
{
ipfr_t *fra;
if (ipf_frag_lock != 0)
return -1;
#ifdef USE_MUTEXES
fra = ipfr_frag_new(fin, pass, ipfr_heads, &ipf_frag);
#else
fra = ipfr_frag_new(fin, pass, ipfr_heads);
#endif
if (fra != NULL) {
*ipfr_tail = fra;
fra->ipfr_prev = ipfr_tail;
ipfr_tail = &fra->ipfr_next;
if (ipfr_list == NULL)
ipfr_list = fra;
fra->ipfr_next = NULL;
RWLOCK_EXIT(&ipf_frag);
}
return fra ? 0 : -1;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_natnew */
/* Returns: int - 0 == success, -1 == error */
/* Parameters: fin(I) - pointer to packet information */
/* nat(I) - pointer to NAT structure */
/* */
/* Create a new NAT fragment cache entry based on the current packet and */
/* the NAT structure for this "session". */
/* ------------------------------------------------------------------------ */
int
ipf_frag_natnew(fin, pass, nat)
fr_info_t *fin;
u_32_t pass;
nat_t *nat;
{
ipfr_t *fra;
if ((fin->fin_v != 4) || (ipf_frag_lock != 0))
return 0;
#ifdef USE_MUTEXES
fra = ipfr_frag_new(fin, pass, ipfr_nattab, &ipf_natfrag);
#else
fra = ipfr_frag_new(fin, pass, ipfr_nattab);
#endif
if (fra != NULL) {
fra->ipfr_data = nat;
nat->nat_data = fra;
*ipfr_nattail = fra;
fra->ipfr_prev = ipfr_nattail;
ipfr_nattail = &fra->ipfr_next;
fra->ipfr_next = NULL;
RWLOCK_EXIT(&ipf_natfrag);
}
return fra ? 0 : -1;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_ipidnew */
/* Returns: int - 0 == success, -1 == error */
/* Parameters: fin(I) - pointer to packet information */
/* ipid(I) - new IP ID for this fragmented packet */
/* */
/* Create a new fragment cache entry for this packet and store, as a data */
/* pointer, the new IP ID value. */
/* ------------------------------------------------------------------------ */
int
ipf_frag_ipidnew(fin, ipid)
fr_info_t *fin;
u_32_t ipid;
{
ipfr_t *fra;
if (ipf_frag_lock)
return 0;
#ifdef USE_MUTEXES
fra = ipfr_frag_new(fin, 0, ipfr_ipidtab, &ipf_ipidfrag);
#else
fra = ipfr_frag_new(fin, 0, ipfr_ipidtab);
#endif
if (fra != NULL) {
fra->ipfr_data = (void *)ipid;
*ipfr_ipidtail = fra;
fra->ipfr_prev = ipfr_ipidtail;
ipfr_ipidtail = &fra->ipfr_next;
fra->ipfr_next = NULL;
RWLOCK_EXIT(&ipf_ipidfrag);
}
return fra ? 0 : -1;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_lookup */
/* Returns: ipfr_t * - pointer to ipfr_t structure if there's a */
/* matching entry in the frag table, else NULL */
/* Parameters: fin(I) - pointer to packet information */
/* table(I) - pointer to fragment cache table to search */
/* */
/* Check the fragment cache to see if there is already a record of this */
/* packet with its filter result known. */
/* */
/* If this function succeeds, it returns with a write lock held on "lock". */
/* If it fails, no lock is held on return. */
/* ------------------------------------------------------------------------ */
static ipfr_t *
ipf_frag_lookup(fin, table
#ifdef USE_MUTEXES
, lock
#endif
)
fr_info_t *fin;
ipfr_t *table[];
#ifdef USE_MUTEXES
ipfrwlock_t *lock;
#endif
{
ipfr_t *f, frag;
u_int idx;
/*
* We don't want to let short packets match because they could be
* compromising the security of other rules that want to match on
* layer 4 fields (and can't because they have been fragmented off.)
* Why do this check here? The counter acts as an indicator of this
* kind of attack, whereas if it was elsewhere, it wouldn't know if
* other matching packets had been seen.
*/
if (fin->fin_flx & FI_SHORT) {
ATOMIC_INCL(ipfr_stats.ifs_short);
return NULL;
}
if ((fin->fin_flx & FI_BAD) != 0) {
ATOMIC_INCL(ipfr_stats.ifs_bad);
return NULL;
}
/*
* For fragments, we record protocol, packet id, TOS and both IP#'s
* (these should all be the same for all fragments of a packet).
*
* build up a hash value to index the table with.
*/
frag.ipfr_p = fin->fin_p;
idx = fin->fin_p;
frag.ipfr_id = fin->fin_id;
idx += fin->fin_id;
frag.ipfr_source = fin->fin_fi.fi_src;
idx += frag.ipfr_src.s_addr;
frag.ipfr_dest = fin->fin_fi.fi_dst;
idx += frag.ipfr_dst.s_addr;
frag.ipfr_ifp = fin->fin_ifp;
idx *= 127;
idx %= ipfr_size;
frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
frag.ipfr_auth = fin->fin_fi.fi_auth;
READ_ENTER(lock);
/*
* check the table, careful to only compare the right amount of data
*/
for (f = table[idx]; f; f = f->ipfr_hnext) {
if (!bcmp((char *)&frag.ipfr_ifp, (char *)&f->ipfr_ifp,
IPFR_CMPSZ)) {
u_short off;
/*
* XXX - We really need to be guarding against the
* retransmission of (src,dst,id,offset-range) here
* because a fragmented packet is never resent with
* the same IP ID# (or shouldn't).
*/
off = fin->fin_off >> 3;
if (f->ipfr_seen0) {
if (off == 0) {
ATOMIC_INCL(ipfr_stats.ifs_retrans0);
continue;
}
/*
* Case 3. See comment for frpr_fragment6.
*/
if ((f->ipfr_firstend != 0) &&
(off < f->ipfr_firstend)) {
ATOMIC_INCL(ipfr_stats.ifs_overlap);
fin->fin_flx |= FI_BAD;
break;
}
} else if (off == 0)
f->ipfr_seen0 = 1;
if (f != table[idx]) {
ipfr_t **fp;
/*
* Move fragment info. to the top of the list
* to speed up searches. First, delink...
*/
fp = f->ipfr_hprev;
(*fp) = f->ipfr_hnext;
if (f->ipfr_hnext != NULL)
f->ipfr_hnext->ipfr_hprev = fp;
/*
* Then put back at the top of the chain.
*/
f->ipfr_hnext = table[idx];
table[idx]->ipfr_hprev = &f->ipfr_hnext;
f->ipfr_hprev = table + idx;
table[idx] = f;
}
/*
* If we've follwed the fragments, and this is the
* last (in order), shrink expiration time.
*/
if (off == f->ipfr_off) {
f->ipfr_off = (fin->fin_dlen >> 3) + off;
/*
* Well, we could shrink the expiration time
* but only if every fragment has been seen
* in order upto this, the last. ipfr_badorder
* is used here to count those out of order
* and if it equals 0 when we get to the last
* fragment then we can assume all of the
* fragments have been seen and in order.
*/
if (!ntohs(fin->fin_ip->ip_off & IP_MF) &&
(f->ipfr_badorder == 0))
f->ipfr_ttl = ipf_ticks + 1;
} else {
f->ipfr_badorder++;
ATOMIC_INCL(ipfr_stats.ifs_unordered);
if (f->ipfr_pass & FR_FRSTRICT) {
ATOMIC_INCL(ipfr_stats.ifs_strict);
continue;
}
}
ATOMIC_INCL(ipfr_stats.ifs_hits);
return f;
}
}
RWLOCK_EXIT(lock);
ATOMIC_INCL(ipfr_stats.ifs_miss);
return NULL;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_natknown */
/* Returns: nat_t* - pointer to 'parent' NAT structure if frag table */
/* match found, else NULL */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Functional interface for NAT lookups of the NAT fragment cache */
/* ------------------------------------------------------------------------ */
nat_t *
ipf_frag_natknown(fin)
fr_info_t *fin;
{
nat_t *nat;
ipfr_t *ipf;
if ((ipf_frag_lock) || !ipfr_natlist)
return NULL;
#ifdef USE_MUTEXES
ipf = ipf_frag_lookup(fin, ipfr_nattab, &ipf_natfrag);
#else
ipf = ipf_frag_lookup(fin, ipfr_nattab);
#endif
if (ipf != NULL) {
nat = ipf->ipfr_data;
/*
* This is the last fragment for this packet.
*/
if ((ipf->ipfr_ttl == ipf_ticks + 1) && (nat != NULL)) {
nat->nat_data = NULL;
ipf->ipfr_data = NULL;
}
RWLOCK_EXIT(&ipf_natfrag);
} else
nat = NULL;
return nat;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_ipidknown */
/* Returns: u_32_t - IPv4 ID for this packet if match found, else */
/* return 0xfffffff to indicate no match. */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Functional interface for IP ID lookups of the IP ID fragment cache */
/* ------------------------------------------------------------------------ */
u_32_t
ipf_frag_ipidknown(fin)
fr_info_t *fin;
{
ipfr_t *ipf;
u_32_t id;
if ((fin->fin_v != 4) || (ipf_frag_lock) || !ipfr_ipidlist)
return 0xffffffff;
#ifdef USE_MUTEXES
ipf = ipf_frag_lookup(fin, ipfr_ipidtab, &ipf_ipidfrag);
#else
ipf = ipf_frag_lookup(fin, ipfr_ipidtab);
#endif
if (ipf != NULL) {
id = (u_32_t)ipf->ipfr_data;
RWLOCK_EXIT(&ipf_ipidfrag);
} else
id = 0xffffffff;
return id;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_known */
/* Returns: frentry_t* - pointer to filter rule if a match is found in */
/* the frag cache table, else NULL. */
/* Parameters: fin(I) - pointer to packet information */
/* passp(O) - pointer to where to store rule flags resturned */
/* */
/* Functional interface for normal lookups of the fragment cache. If a */
/* match is found, return the rule pointer and flags from the rule, except */
/* that if FR_LOGFIRST is set, reset FR_LOG. */
/* ------------------------------------------------------------------------ */
frentry_t *
ipf_frag_known(fin, passp)
fr_info_t *fin;
u_32_t *passp;
{
frentry_t *fr = NULL;
ipfr_t *fra;
u_32_t pass;
if ((ipf_frag_lock) || (ipfr_list == NULL))
return NULL;
#ifdef USE_MUTEXES
fra = ipf_frag_lookup(fin, ipfr_heads, &ipf_frag);
#else
fra = ipf_frag_lookup(fin, ipfr_heads);
#endif
if (fra != NULL) {
if (fin->fin_flx & FI_BAD) {
fr = &ipfr_block;
fin->fin_reason = 10;
} else {
fr = fra->ipfr_rule;
}
fin->fin_fr = fr;
if (fr != NULL) {
pass = fr->fr_flags;
if ((pass & FR_KEEPSTATE) != 0) {
fin->fin_flx |= FI_STATE;
}
if ((pass & FR_LOGFIRST) != 0)
pass &= ~(FR_LOGFIRST|FR_LOG);
*passp = pass;
}
RWLOCK_EXIT(&ipf_frag);
}
return fr;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_forget */
/* Returns: Nil */
/* Parameters: ptr(I) - pointer to data structure */
/* */
/* Search through all of the fragment cache entries and wherever a pointer */
/* is found to match ptr, reset it to NULL. */
/* ------------------------------------------------------------------------ */
void
ipf_frag_forget(ptr)
void *ptr;
{
ipfr_t *fr;
WRITE_ENTER(&ipf_frag);
for (fr = ipfr_list; fr; fr = fr->ipfr_next)
if (fr->ipfr_data == ptr)
fr->ipfr_data = NULL;
RWLOCK_EXIT(&ipf_frag);
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_natforget */
/* Returns: Nil */
/* Parameters: ptr(I) - pointer to data structure */
/* */
/* Search through all of the fragment cache entries for NAT and wherever a */
/* pointer is found to match ptr, reset it to NULL. */
/* ------------------------------------------------------------------------ */
void
ipf_frag_natforget(ptr)
void *ptr;
{
ipfr_t *fr;
WRITE_ENTER(&ipf_natfrag);
for (fr = ipfr_natlist; fr; fr = fr->ipfr_next)
if (fr->ipfr_data == ptr)
fr->ipfr_data = NULL;
RWLOCK_EXIT(&ipf_natfrag);
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_delete */
/* Returns: Nil */
/* Parameters: fra(I) - pointer to fragment structure to delete */
/* tail(IO) - pointer to the pointer to the tail of the frag */
/* list */
/* */
/* Remove a fragment cache table entry from the table & list. Also free */
/* the filter rule it is associated with it if it is no longer used as a */
/* result of decreasing the reference count. */
/* ------------------------------------------------------------------------ */
static void
ipf_frag_delete(fra, tail)
ipfr_t *fra, ***tail;
{
if (fra->ipfr_next)
fra->ipfr_next->ipfr_prev = fra->ipfr_prev;
*fra->ipfr_prev = fra->ipfr_next;
if (*tail == &fra->ipfr_next)
*tail = fra->ipfr_prev;
if (fra->ipfr_hnext)
fra->ipfr_hnext->ipfr_hprev = fra->ipfr_hprev;
*fra->ipfr_hprev = fra->ipfr_hnext;
if (fra->ipfr_rule != NULL) {
(void) ipf_derefrule(&fra->ipfr_rule);
}
if (fra->ipfr_ref <= 0)
ipf_frag_free(fra);
}
static void
ipf_frag_free(fra)
ipfr_t *fra;
{
KFREE(fra);
ipfr_stats.ifs_expire++;
ipfr_inuse--;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_clear */
/* Returns: Nil */
/* Parameters: Nil */
/* */
/* Free memory in use by fragment state information kept. Do the normal */
/* fragment state stuff first and then the NAT-fragment table. */
/* ------------------------------------------------------------------------ */
void
ipf_frag_clear()
{
ipfr_t *fra;
nat_t *nat;
WRITE_ENTER(&ipf_frag);
while ((fra = ipfr_list) != NULL) {
fra->ipfr_ref--;
ipf_frag_delete(fra, &ipfr_tail);
}
ipfr_tail = &ipfr_list;
RWLOCK_EXIT(&ipf_frag);
WRITE_ENTER(&ipf_nat);
WRITE_ENTER(&ipf_natfrag);
while ((fra = ipfr_natlist) != NULL) {
nat = fra->ipfr_data;
if (nat != NULL) {
if (nat->nat_data == fra)
nat->nat_data = NULL;
}
fra->ipfr_ref--;
ipf_frag_delete(fra, &ipfr_nattail);
}
ipfr_nattail = &ipfr_natlist;
RWLOCK_EXIT(&ipf_natfrag);
RWLOCK_EXIT(&ipf_nat);
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_expire */
/* Returns: Nil */
/* Parameters: Nil */
/* */
/* Expire entries in the fragment cache table that have been there too long */
/* ------------------------------------------------------------------------ */
void
ipf_frag_expire()
{
ipfr_t **fp, *fra;
nat_t *nat;
SPL_INT(s);
if (ipf_frag_lock)
return;
SPL_NET(s);
WRITE_ENTER(&ipf_frag);
/*
* Go through the entire table, looking for entries to expire,
* which is indicated by the ttl being less than or equal to ipf_ticks.
*/
for (fp = &ipfr_list; ((fra = *fp) != NULL); ) {
if (fra->ipfr_ttl > ipf_ticks)
break;
fra->ipfr_ref--;
ipf_frag_delete(fra, &ipfr_tail);
}
RWLOCK_EXIT(&ipf_frag);
WRITE_ENTER(&ipf_ipidfrag);
for (fp = &ipfr_ipidlist; ((fra = *fp) != NULL); ) {
if (fra->ipfr_ttl > ipf_ticks)
break;
fra->ipfr_ref--;
ipf_frag_delete(fra, &ipfr_ipidtail);
}
RWLOCK_EXIT(&ipf_ipidfrag);
/*
* Same again for the NAT table, except that if the structure also
* still points to a NAT structure, and the NAT structure points back
* at the one to be free'd, NULL the reference from the NAT struct.
* NOTE: We need to grab both mutex's early, and in this order so as
* to prevent a deadlock if both try to expire at the same time.
* The extra if() statement here is because it locks out all NAT
* operations - no need to do that if there are no entries in this
* list, right?
*/
if (ipfr_natlist != NULL) {
WRITE_ENTER(&ipf_nat);
WRITE_ENTER(&ipf_natfrag);
for (fp = &ipfr_natlist; ((fra = *fp) != NULL); ) {
if (fra->ipfr_ttl > ipf_ticks)
break;
nat = fra->ipfr_data;
if (nat != NULL) {
if (nat->nat_data == fra)
nat->nat_data = NULL;
}
fra->ipfr_ref--;
ipf_frag_delete(fra, &ipfr_nattail);
}
RWLOCK_EXIT(&ipf_natfrag);
RWLOCK_EXIT(&ipf_nat);
}
SPL_X(s);
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_slowtimer */
/* Returns: Nil */
/* Parameters: Nil */
/* */
/* Slowly expire held state for fragments. Timeouts are set * in */
/* expectation of this being called twice per second. */
/* ------------------------------------------------------------------------ */
#if !defined(_KERNEL) || (!SOLARIS && !defined(__hpux) && !defined(__sgi) && \
!defined(__osf__))
# if defined(_KERNEL) && ((BSD >= 199103) || defined(__sgi))
void
ipf_slowtimer __P((void *ptr))
# else
int
ipf_slowtimer()
# endif
{
READ_ENTER(&ipf_global);
ipf_expiretokens();
ipf_frag_expire();
ipf_state_timeout();
ipf_nat_expire();
ipf_auth_expire();
#ifdef IPFILTER_SYNC
ipf_sync_expire();
#endif
ipf_ticks++;
if (ipf_running <= 0)
goto done;
# ifdef _KERNEL
# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104240000)
callout_reset(&ipf_slowtimer_ch, hz / 2, ipf_slowtimer, NULL);
# else
# if defined(__OpenBSD__)
timeout_add(&ipf_slowtimer_ch, hz/2);
# else
# if (__FreeBSD_version >= 300000)
ipf_slowtimer_ch = timeout(ipf_slowtimer, NULL, hz/2);
# else
# ifdef linux
;
# else
timeout(ipf_slowtimer, NULL, hz/2);
# endif
# endif /* FreeBSD */
# endif /* OpenBSD */
# endif /* NetBSD */
# endif
done:
RWLOCK_EXIT(&ipf_global);
# if (BSD < 199103) || !defined(_KERNEL)
return 0;
# endif
}
#endif /* !SOLARIS && !defined(__hpux) && !defined(__sgi) */
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_next */
/* Returns: int - 0 == success, else error */
/* Parameters: token(I) - pointer to token information for this caller */
/* itp(I) - pointer to generic iterator from caller */
/* top(I) - top of the fragment list */
/* tail(I) - tail of the fragment list */
/* lock(I) - fragment cache lock */
/* */
/* This function is used to interate through the list of entries in the */
/* fragment cache. It increases the reference count on the one currently */
/* being returned so that the caller can come back and resume from it later.*/
/* */
/* This function is used for both the NAT fragment cache as well as the ipf */
/* fragment cache - hence the reason for passing in top, tail and lock. */
/* ------------------------------------------------------------------------ */
int
ipf_frag_next(token, itp, top, tail
#ifdef USE_MUTEXES
, lock
#endif
)
ipftoken_t *token;
ipfgeniter_t *itp;
ipfr_t **top, ***tail;
#ifdef USE_MUTEXES
ipfrwlock_t *lock;
#endif
{
ipfr_t *frag, *next, zero;
int error = 0;
frag = token->ipt_data;
if (frag == (ipfr_t *)-1) {
ipf_freetoken(token);
ipf_interror = 20001;
return ESRCH;
}
READ_ENTER(lock);
if (frag == NULL)
next = *top;
else
next = frag->ipfr_next;
if (next != NULL) {
ATOMIC_INC(next->ipfr_ref);
token->ipt_data = next;
} else {
bzero(&zero, sizeof(zero));
next = &zero;
token->ipt_data = NULL;
}
RWLOCK_EXIT(lock);
if (frag != NULL) {
#ifdef USE_MUTEXES
ipf_frag_deref(&frag, lock);
#else
ipf_frag_deref(&frag);
#endif
}
error = COPYOUT(next, itp->igi_data, sizeof(*next));
if (error != 0) {
ipf_interror = 20002;
error = EFAULT;
}
return error;
}
/* ------------------------------------------------------------------------ */
/* Function: ipf_frag_deref */
/* Returns: Nil */
/* Parameters: frp(IO) - pointer to fragment structure to deference */
/* lock(I) - lock associated with the fragment */
/* */
/* This function dereferences a fragment structure (ipfr_t). The pointer */
/* passed in will always be reset back to NULL, even if the structure is */
/* not freed, to enforce the notion that the caller is no longer entitled */
/* to use the pointer it is dropping the reference to. */
/* ------------------------------------------------------------------------ */
void
ipf_frag_deref(frp
#ifdef USE_MUTEXES
, lock
#endif
)
ipfr_t **frp;
#ifdef USE_MUTEXES
ipfrwlock_t *lock;
#endif
{
ipfr_t *fra;
fra = *frp;
*frp = NULL;
WRITE_ENTER(lock);
fra->ipfr_ref--;
if (fra->ipfr_ref <= 0)
ipf_frag_free(fra);
RWLOCK_EXIT(lock);
}