2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw2.c 200601 2009-12-16 10:48:40Z luigi $");
30 * The FreeBSD IP packet firewall, main file
33 #if !defined(KLD_MODULE)
35 #include "opt_ipdivert.h"
39 #error IPFIREWALL requires INET.
42 #include "opt_inet6.h"
43 #include "opt_ipsec.h"
45 #include <sys/param.h>
46 #include <sys/systm.h>
47 #include <sys/condvar.h>
48 #include <sys/eventhandler.h>
49 #include <sys/malloc.h>
51 #include <sys/kernel.h>
54 #include <sys/module.h>
57 #include <sys/rwlock.h>
58 #include <sys/socket.h>
59 #include <sys/socketvar.h>
60 #include <sys/sysctl.h>
61 #include <sys/syslog.h>
62 #include <sys/ucred.h>
63 #include <net/ethernet.h> /* for ETHERTYPE_IP */
65 #include <net/route.h>
66 #include <net/pf_mtag.h>
69 #include <netinet/in.h>
70 #include <netinet/in_var.h>
71 #include <netinet/in_pcb.h>
72 #include <netinet/ip.h>
73 #include <netinet/ip_var.h>
74 #include <netinet/ip_icmp.h>
75 #include <netinet/ip_fw.h>
76 #include <netinet/ipfw/ip_fw_private.h>
77 #include <netinet/ip_carp.h>
78 #include <netinet/pim.h>
79 #include <netinet/tcp_var.h>
80 #include <netinet/udp.h>
81 #include <netinet/udp_var.h>
82 #include <netinet/sctp.h>
84 #include <netinet/ip6.h>
85 #include <netinet/icmp6.h>
87 #include <netinet6/scope6_var.h>
88 #include <netinet6/ip6_var.h>
91 #include <machine/in_cksum.h> /* XXX for in_cksum */
94 #include <security/mac/mac_framework.h>
98 * static variables followed by global ones.
99 * All ipfw global variables are here.
102 /* ipfw_vnet_ready controls when we are open for business */
103 static VNET_DEFINE(int, ipfw_vnet_ready) = 0;
104 #define V_ipfw_vnet_ready VNET(ipfw_vnet_ready)
106 static VNET_DEFINE(int, fw_deny_unknown_exthdrs);
107 #define V_fw_deny_unknown_exthdrs VNET(fw_deny_unknown_exthdrs)
109 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
110 static int default_to_accept = 1;
112 static int default_to_accept;
115 VNET_DEFINE(int, autoinc_step);
118 * Each rule belongs to one of 32 different sets (0..31).
119 * The variable set_disable contains one bit per set.
120 * If the bit is set, all rules in the corresponding set
121 * are disabled. Set RESVD_SET(31) is reserved for the default rule
122 * and rules that are not deleted by the flush command,
123 * and CANNOT be disabled.
124 * Rules in set RESVD_SET can only be deleted individually.
126 VNET_DEFINE(u_int32_t, set_disable);
127 #define V_set_disable VNET(set_disable)
129 VNET_DEFINE(int, fw_verbose);
130 /* counter for ipfw_log(NULL...) */
131 VNET_DEFINE(u_int64_t, norule_counter);
132 VNET_DEFINE(int, verbose_limit);
134 /* layer3_chain contains the list of rules for layer 3 */
135 VNET_DEFINE(struct ip_fw_chain, layer3_chain);
137 ipfw_nat_t *ipfw_nat_ptr = NULL;
138 struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int);
139 ipfw_nat_cfg_t *ipfw_nat_cfg_ptr;
140 ipfw_nat_cfg_t *ipfw_nat_del_ptr;
141 ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
142 ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
145 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
146 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, one_pass,
147 CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_one_pass), 0,
148 "Only do a single pass through ipfw when using dummynet(4)");
149 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step,
150 CTLFLAG_RW, &VNET_NAME(autoinc_step), 0,
151 "Rule number auto-increment step");
152 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose,
153 CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_verbose), 0,
154 "Log matches to ipfw rules");
155 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit,
156 CTLFLAG_RW, &VNET_NAME(verbose_limit), 0,
157 "Set upper limit of matches of ipfw rules logged");
158 uint32_t dummy_def = IPFW_DEFAULT_RULE;
159 SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, default_rule, CTLFLAG_RD,
161 "The default/max possible rule number.");
162 uint32_t dummy_tables_max = IPFW_TABLES_MAX;
163 SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, tables_max, CTLFLAG_RD,
164 &dummy_tables_max, 0,
165 "The maximum number of tables.");
166 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, default_to_accept, CTLFLAG_RDTUN,
167 &default_to_accept, 0,
168 "Make the default rule accept all packets.");
169 TUNABLE_INT("net.inet.ip.fw.default_to_accept", &default_to_accept);
170 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, static_count,
171 CTLFLAG_RD, &VNET_NAME(layer3_chain.n_rules), 0,
172 "Number of static rules");
175 SYSCTL_DECL(_net_inet6_ip6);
176 SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
177 SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs,
178 CTLFLAG_RW | CTLFLAG_SECURE, &VNET_NAME(fw_deny_unknown_exthdrs), 0,
179 "Deny packets with unknown IPv6 Extension Headers");
182 #endif /* SYSCTL_NODE */
186 * Some macros used in the various matching options.
187 * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T
188 * Other macros just cast void * into the appropriate type
190 #define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
191 #define TCP(p) ((struct tcphdr *)(p))
192 #define SCTP(p) ((struct sctphdr *)(p))
193 #define UDP(p) ((struct udphdr *)(p))
194 #define ICMP(p) ((struct icmphdr *)(p))
195 #define ICMP6(p) ((struct icmp6_hdr *)(p))
198 icmptype_match(struct icmphdr *icmp, ipfw_insn_u32 *cmd)
200 int type = icmp->icmp_type;
202 return (type <= ICMP_MAXTYPE && (cmd->d[0] & (1<<type)) );
205 #define TT ( (1 << ICMP_ECHO) | (1 << ICMP_ROUTERSOLICIT) | \
206 (1 << ICMP_TSTAMP) | (1 << ICMP_IREQ) | (1 << ICMP_MASKREQ) )
209 is_icmp_query(struct icmphdr *icmp)
211 int type = icmp->icmp_type;
213 return (type <= ICMP_MAXTYPE && (TT & (1<<type)) );
218 * The following checks use two arrays of 8 or 16 bits to store the
219 * bits that we want set or clear, respectively. They are in the
220 * low and high half of cmd->arg1 or cmd->d[0].
222 * We scan options and store the bits we find set. We succeed if
224 * (want_set & ~bits) == 0 && (want_clear & ~bits) == want_clear
226 * The code is sometimes optimized not to store additional variables.
230 flags_match(ipfw_insn *cmd, u_int8_t bits)
235 if ( ((cmd->arg1 & 0xff) & bits) != 0)
236 return 0; /* some bits we want set were clear */
237 want_clear = (cmd->arg1 >> 8) & 0xff;
238 if ( (want_clear & bits) != want_clear)
239 return 0; /* some bits we want clear were set */
244 ipopts_match(struct ip *ip, ipfw_insn *cmd)
246 int optlen, bits = 0;
247 u_char *cp = (u_char *)(ip + 1);
248 int x = (ip->ip_hl << 2) - sizeof (struct ip);
250 for (; x > 0; x -= optlen, cp += optlen) {
251 int opt = cp[IPOPT_OPTVAL];
253 if (opt == IPOPT_EOL)
255 if (opt == IPOPT_NOP)
258 optlen = cp[IPOPT_OLEN];
259 if (optlen <= 0 || optlen > x)
260 return 0; /* invalid or truncated */
268 bits |= IP_FW_IPOPT_LSRR;
272 bits |= IP_FW_IPOPT_SSRR;
276 bits |= IP_FW_IPOPT_RR;
280 bits |= IP_FW_IPOPT_TS;
284 return (flags_match(cmd, bits));
288 tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd)
290 int optlen, bits = 0;
291 u_char *cp = (u_char *)(tcp + 1);
292 int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
294 for (; x > 0; x -= optlen, cp += optlen) {
296 if (opt == TCPOPT_EOL)
298 if (opt == TCPOPT_NOP)
312 bits |= IP_FW_TCPOPT_MSS;
316 bits |= IP_FW_TCPOPT_WINDOW;
319 case TCPOPT_SACK_PERMITTED:
321 bits |= IP_FW_TCPOPT_SACK;
324 case TCPOPT_TIMESTAMP:
325 bits |= IP_FW_TCPOPT_TS;
330 return (flags_match(cmd, bits));
334 iface_match(struct ifnet *ifp, ipfw_insn_if *cmd)
336 if (ifp == NULL) /* no iface with this packet, match fails */
338 /* Check by name or by IP address */
339 if (cmd->name[0] != '\0') { /* match by name */
342 if (fnmatch(cmd->name, ifp->if_xname, 0) == 0)
345 if (strncmp(ifp->if_xname, cmd->name, IFNAMSIZ) == 0)
349 #if !defined( __linux__ ) && !defined( _WIN32 )
353 TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
354 if (ia->ifa_addr->sa_family != AF_INET)
356 if (cmd->p.ip.s_addr == ((struct sockaddr_in *)
357 (ia->ifa_addr))->sin_addr.s_addr) {
358 if_addr_runlock(ifp);
359 return(1); /* match */
362 if_addr_runlock(ifp);
365 return(0); /* no match, fail ... */
369 * The verify_path function checks if a route to the src exists and
370 * if it is reachable via ifp (when provided).
372 * The 'verrevpath' option checks that the interface that an IP packet
373 * arrives on is the same interface that traffic destined for the
374 * packet's source address would be routed out of.
375 * The 'versrcreach' option just checks that the source address is
376 * reachable via any route (except default) in the routing table.
377 * These two are a measure to block forged packets. This is also
378 * commonly known as "anti-spoofing" or Unicast Reverse Path
379 * Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs
380 * is purposely reminiscent of the Cisco IOS command,
382 * ip verify unicast reverse-path
383 * ip verify unicast source reachable-via any
385 * which implements the same functionality. But note that the syntax
386 * is misleading, and the check may be performed on all IP packets
387 * whether unicast, multicast, or broadcast.
390 verify_path(struct in_addr src, struct ifnet *ifp, u_int fib)
392 #if defined( __linux__ ) || defined( _WIN32 )
396 struct sockaddr_in *dst;
398 bzero(&ro, sizeof(ro));
400 dst = (struct sockaddr_in *)&(ro.ro_dst);
401 dst->sin_family = AF_INET;
402 dst->sin_len = sizeof(*dst);
404 in_rtalloc_ign(&ro, 0, fib);
406 if (ro.ro_rt == NULL)
410 * If ifp is provided, check for equality with rtentry.
411 * We should use rt->rt_ifa->ifa_ifp, instead of rt->rt_ifp,
412 * in order to pass packets injected back by if_simloop():
413 * if useloopback == 1 routing entry (via lo0) for our own address
414 * may exist, so we need to handle routing assymetry.
416 if (ifp != NULL && ro.ro_rt->rt_ifa->ifa_ifp != ifp) {
421 /* if no ifp provided, check if rtentry is not default route */
423 satosin(rt_key(ro.ro_rt))->sin_addr.s_addr == INADDR_ANY) {
428 /* or if this is a blackhole/reject route */
429 if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
434 /* found valid route */
442 * ipv6 specific rules here...
445 icmp6type_match (int type, ipfw_insn_u32 *cmd)
447 return (type <= ICMP6_MAXTYPE && (cmd->d[type/32] & (1<<(type%32)) ) );
451 flow6id_match( int curr_flow, ipfw_insn_u32 *cmd )
454 for (i=0; i <= cmd->o.arg1; ++i )
455 if (curr_flow == cmd->d[i] )
460 /* support for IP6_*_ME opcodes */
462 search_ip6_addr_net (struct in6_addr * ip6_addr)
466 struct in6_ifaddr *fdm;
467 struct in6_addr copia;
469 TAILQ_FOREACH(mdc, &V_ifnet, if_link) {
471 TAILQ_FOREACH(mdc2, &mdc->if_addrhead, ifa_link) {
472 if (mdc2->ifa_addr->sa_family == AF_INET6) {
473 fdm = (struct in6_ifaddr *)mdc2;
474 copia = fdm->ia_addr.sin6_addr;
475 /* need for leaving scope_id in the sock_addr */
476 in6_clearscope(&copia);
477 if (IN6_ARE_ADDR_EQUAL(ip6_addr, &copia)) {
478 if_addr_runlock(mdc);
483 if_addr_runlock(mdc);
489 verify_path6(struct in6_addr *src, struct ifnet *ifp)
492 struct sockaddr_in6 *dst;
494 bzero(&ro, sizeof(ro));
496 dst = (struct sockaddr_in6 * )&(ro.ro_dst);
497 dst->sin6_family = AF_INET6;
498 dst->sin6_len = sizeof(*dst);
499 dst->sin6_addr = *src;
500 /* XXX MRT 0 for ipv6 at this time */
501 rtalloc_ign((struct route *)&ro, 0);
503 if (ro.ro_rt == NULL)
507 * if ifp is provided, check for equality with rtentry
508 * We should use rt->rt_ifa->ifa_ifp, instead of rt->rt_ifp,
509 * to support the case of sending packets to an address of our own.
510 * (where the former interface is the first argument of if_simloop()
511 * (=ifp), the latter is lo0)
513 if (ifp != NULL && ro.ro_rt->rt_ifa->ifa_ifp != ifp) {
518 /* if no ifp provided, check if rtentry is not default route */
520 IN6_IS_ADDR_UNSPECIFIED(&satosin6(rt_key(ro.ro_rt))->sin6_addr)) {
525 /* or if this is a blackhole/reject route */
526 if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
531 /* found valid route */
538 is_icmp6_query(int icmp6_type)
540 if ((icmp6_type <= ICMP6_MAXTYPE) &&
541 (icmp6_type == ICMP6_ECHO_REQUEST ||
542 icmp6_type == ICMP6_MEMBERSHIP_QUERY ||
543 icmp6_type == ICMP6_WRUREQUEST ||
544 icmp6_type == ICMP6_FQDN_QUERY ||
545 icmp6_type == ICMP6_NI_QUERY))
552 send_reject6(struct ip_fw_args *args, int code, u_int hlen, struct ip6_hdr *ip6)
557 if (code == ICMP6_UNREACH_RST && args->f_id.proto == IPPROTO_TCP) {
559 tcp = (struct tcphdr *)((char *)ip6 + hlen);
561 if ((tcp->th_flags & TH_RST) == 0) {
563 m0 = ipfw_send_pkt(args->m, &(args->f_id),
564 ntohl(tcp->th_seq), ntohl(tcp->th_ack),
565 tcp->th_flags | TH_RST);
567 ip6_output(m0, NULL, NULL, 0, NULL, NULL,
571 } else if (code != ICMP6_UNREACH_RST) { /* Send an ICMPv6 unreach. */
574 * Unlike above, the mbufs need to line up with the ip6 hdr,
575 * as the contents are read. We need to m_adj() the
577 * The mbuf will however be thrown away so we can adjust it.
578 * Remember we did an m_pullup on it already so we
579 * can make some assumptions about contiguousness.
582 m_adj(m, args->L3offset);
584 icmp6_error(m, ICMP6_DST_UNREACH, code, 0);
595 * sends a reject message, consuming the mbuf passed as an argument.
598 send_reject(struct ip_fw_args *args, int code, int iplen, struct ip *ip)
602 /* XXX When ip is not guaranteed to be at mtod() we will
603 * need to account for this */
604 * The mbuf will however be thrown away so we can adjust it.
605 * Remember we did an m_pullup on it already so we
606 * can make some assumptions about contiguousness.
609 m_adj(m, args->L3offset);
611 if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */
612 /* We need the IP header in host order for icmp_error(). */
614 icmp_error(args->m, ICMP_UNREACH, code, 0L, 0);
615 } else if (args->f_id.proto == IPPROTO_TCP) {
616 struct tcphdr *const tcp =
617 L3HDR(struct tcphdr, mtod(args->m, struct ip *));
618 if ( (tcp->th_flags & TH_RST) == 0) {
620 m = ipfw_send_pkt(args->m, &(args->f_id),
621 ntohl(tcp->th_seq), ntohl(tcp->th_ack),
622 tcp->th_flags | TH_RST);
624 ip_output(m, NULL, NULL, 0, NULL, NULL);
633 * Support for uid/gid/jail lookup. These tests are expensive
634 * (because we may need to look into the list of active sockets)
635 * so we cache the results. ugid_lookupp is 0 if we have not
636 * yet done a lookup, 1 if we succeeded, and -1 if we tried
637 * and failed. The function always returns the match value.
638 * We could actually spare the variable and use *uc, setting
639 * it to '(void *)check_uidgid if we have no info, NULL if
640 * we tried and failed, or any other value if successful.
643 check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif,
644 struct in_addr dst_ip, u_int16_t dst_port, struct in_addr src_ip,
645 u_int16_t src_port, struct ucred **uc, int *ugid_lookupp,
649 return cred_check(insn, proto, oif,
650 dst_ip, dst_port, src_ip, src_port,
651 (struct bsd_ucred *)uc, ugid_lookupp, ((struct mbuf *)inp)->m_skb);
653 struct inpcbinfo *pi;
659 * Check to see if the UDP or TCP stack supplied us with
660 * the PCB. If so, rather then holding a lock and looking
661 * up the PCB, we can use the one that was supplied.
663 if (inp && *ugid_lookupp == 0) {
664 INP_LOCK_ASSERT(inp);
665 if (inp->inp_socket != NULL) {
666 *uc = crhold(inp->inp_cred);
672 * If we have already been here and the packet has no
673 * PCB entry associated with it, then we can safely
674 * assume that this is a no match.
676 if (*ugid_lookupp == -1)
678 if (proto == IPPROTO_TCP) {
681 } else if (proto == IPPROTO_UDP) {
682 wildcard = INPLOOKUP_WILDCARD;
687 if (*ugid_lookupp == 0) {
690 in_pcblookup_hash(pi,
691 dst_ip, htons(dst_port),
692 src_ip, htons(src_port),
694 in_pcblookup_hash(pi,
695 src_ip, htons(src_port),
696 dst_ip, htons(dst_port),
699 *uc = crhold(pcb->inp_cred);
702 INP_INFO_RUNLOCK(pi);
703 if (*ugid_lookupp == 0) {
705 * We tried and failed, set the variable to -1
706 * so we will not try again on this packet.
712 if (insn->o.opcode == O_UID)
713 match = ((*uc)->cr_uid == (uid_t)insn->d[0]);
714 else if (insn->o.opcode == O_GID)
715 match = groupmember((gid_t)insn->d[0], *uc);
716 else if (insn->o.opcode == O_JAIL)
717 match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]);
723 * Helper function to set args with info on the rule after the matching
724 * one. slot is precise, whereas we guess rule_id as they are
725 * assigned sequentially.
728 set_match(struct ip_fw_args *args, int slot,
729 struct ip_fw_chain *chain)
731 args->rule.chain_id = chain->id;
732 args->rule.slot = slot + 1; /* we use 0 as a marker */
733 args->rule.rule_id = 1 + chain->map[slot]->id;
734 args->rule.rulenum = chain->map[slot]->rulenum;
738 * The main check routine for the firewall.
740 * All arguments are in args so we can modify them and return them
741 * back to the caller.
745 * args->m (in/out) The packet; we set to NULL when/if we nuke it.
746 * Starts with the IP header.
747 * args->eh (in) Mac header if present, NULL for layer3 packet.
748 * args->L3offset Number of bytes bypassed if we came from L2.
749 * e.g. often sizeof(eh) ** NOTYET **
750 * args->oif Outgoing interface, NULL if packet is incoming.
751 * The incoming interface is in the mbuf. (in)
752 * args->divert_rule (in/out)
753 * Skip up to the first rule past this rule number;
754 * upon return, non-zero port number for divert or tee.
756 * args->rule Pointer to the last matching rule (in/out)
757 * args->next_hop Socket we are forwarding to (out).
758 * args->f_id Addresses grabbed from the packet (out)
759 * args->rule.info a cookie depending on rule action
763 * IP_FW_PASS the packet must be accepted
764 * IP_FW_DENY the packet must be dropped
765 * IP_FW_DIVERT divert packet, port in m_tag
766 * IP_FW_TEE tee packet, port in m_tag
767 * IP_FW_DUMMYNET to dummynet, pipe in args->cookie
768 * IP_FW_NETGRAPH into netgraph, cookie args->cookie
769 * args->rule contains the matching rule,
770 * args->rule.info has additional information.
774 ipfw_chk(struct ip_fw_args *args)
778 * Local variables holding state while processing a packet:
780 * IMPORTANT NOTE: to speed up the processing of rules, there
781 * are some assumption on the values of the variables, which
782 * are documented here. Should you change them, please check
783 * the implementation of the various instructions to make sure
784 * that they still work.
786 * args->eh The MAC header. It is non-null for a layer2
787 * packet, it is NULL for a layer-3 packet.
789 * args->L3offset Offset in the packet to the L3 (IP or equiv.) header.
791 * m | args->m Pointer to the mbuf, as received from the caller.
792 * It may change if ipfw_chk() does an m_pullup, or if it
793 * consumes the packet because it calls send_reject().
794 * XXX This has to change, so that ipfw_chk() never modifies
795 * or consumes the buffer.
796 * ip is the beginning of the ip(4 or 6) header.
797 * Calculated by adding the L3offset to the start of data.
798 * (Until we start using L3offset, the packet is
799 * supposed to start with the ip header).
801 struct mbuf *m = args->m;
802 struct ip *ip = mtod(m, struct ip *);
805 * For rules which contain uid/gid or jail constraints, cache
806 * a copy of the users credentials after the pcb lookup has been
807 * executed. This will speed up the processing of rules with
808 * these types of constraints, as well as decrease contention
809 * on pcb related locks.
812 struct bsd_ucred ucred_cache;
814 struct ucred *ucred_cache = NULL;
816 int ucred_lookup = 0;
819 * oif | args->oif If NULL, ipfw_chk has been called on the
820 * inbound path (ether_input, ip_input).
821 * If non-NULL, ipfw_chk has been called on the outbound path
822 * (ether_output, ip_output).
824 struct ifnet *oif = args->oif;
826 int f_pos = 0; /* index of current rule in the array */
830 * hlen The length of the IP header.
832 u_int hlen = 0; /* hlen >0 means we have an IP pkt */
835 * offset The offset of a fragment. offset != 0 means that
836 * we have a fragment at this offset of an IPv4 packet.
837 * offset == 0 means that (if this is an IPv4 packet)
838 * this is the first or only fragment.
839 * For IPv6 offset == 0 means there is no Fragment Header.
840 * If offset != 0 for IPv6 always use correct mask to
841 * get the correct offset because we add IP6F_MORE_FRAG
842 * to be able to dectect the first fragment which would
843 * otherwise have offset = 0.
848 * Local copies of addresses. They are only valid if we have
851 * proto The protocol. Set to 0 for non-ip packets,
852 * or to the protocol read from the packet otherwise.
853 * proto != 0 means that we have an IPv4 packet.
855 * src_port, dst_port port numbers, in HOST format. Only
856 * valid for TCP and UDP packets.
858 * src_ip, dst_ip ip addresses, in NETWORK format.
859 * Only valid for IPv4 packets.
862 uint16_t src_port = 0, dst_port = 0; /* NOTE: host format */
863 struct in_addr src_ip, dst_ip; /* NOTE: network format */
866 uint16_t etype = 0; /* Host order stored ether type */
869 * dyn_dir = MATCH_UNKNOWN when rules unchecked,
870 * MATCH_NONE when checked and not matched (q = NULL),
871 * MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL)
873 int dyn_dir = MATCH_UNKNOWN;
874 ipfw_dyn_rule *q = NULL;
875 struct ip_fw_chain *chain = &V_layer3_chain;
878 * We store in ulp a pointer to the upper layer protocol header.
879 * In the ipv4 case this is easy to determine from the header,
880 * but for ipv6 we might have some additional headers in the middle.
881 * ulp is NULL if not found.
883 void *ulp = NULL; /* upper layer protocol pointer. */
884 /* XXX ipv6 variables */
886 u_int16_t ext_hd = 0; /* bits vector for extension header filtering */
887 /* end of ipv6 variables */
890 int done = 0; /* flag to exit the outer loop */
892 if (m->m_flags & M_SKIP_FIREWALL || (! V_ipfw_vnet_ready))
893 return (IP_FW_PASS); /* accept */
895 dst_ip.s_addr = 0; /* make sure it is initialized */
896 src_ip.s_addr = 0; /* make sure it is initialized */
897 pktlen = m->m_pkthdr.len;
898 args->f_id.fib = M_GETFIB(m); /* note mbuf not altered) */
899 proto = args->f_id.proto = 0; /* mark f_id invalid */
900 /* XXX 0 is a valid proto: IP/IPv6 Hop-by-Hop Option */
903 * PULLUP_TO(len, p, T) makes sure that len + sizeof(T) is contiguous,
904 * then it sets p to point at the offset "len" in the mbuf. WARNING: the
905 * pointer might become stale after other pullups (but we never use it
908 #define PULLUP_TO(_len, p, T) \
910 int x = (_len) + sizeof(T); \
911 if ((m)->m_len < x) { \
912 args->m = m = m_pullup(m, x); \
914 goto pullup_failed; \
916 p = (mtod(m, char *) + (_len)); \
920 * if we have an ether header,
923 etype = ntohs(args->eh->ether_type);
925 /* Identify IP packets and fill up variables. */
926 if (pktlen >= sizeof(struct ip6_hdr) &&
927 (args->eh == NULL || etype == ETHERTYPE_IPV6) && ip->ip_v == 6) {
928 struct ip6_hdr *ip6 = (struct ip6_hdr *)ip;
930 args->f_id.addr_type = 6;
931 hlen = sizeof(struct ip6_hdr);
932 proto = ip6->ip6_nxt;
934 /* Search extension headers to find upper layer protocols */
935 while (ulp == NULL) {
938 PULLUP_TO(hlen, ulp, struct icmp6_hdr);
939 args->f_id.flags = ICMP6(ulp)->icmp6_type;
943 PULLUP_TO(hlen, ulp, struct tcphdr);
944 dst_port = TCP(ulp)->th_dport;
945 src_port = TCP(ulp)->th_sport;
946 args->f_id.flags = TCP(ulp)->th_flags;
950 PULLUP_TO(hlen, ulp, struct sctphdr);
951 src_port = SCTP(ulp)->src_port;
952 dst_port = SCTP(ulp)->dest_port;
956 PULLUP_TO(hlen, ulp, struct udphdr);
957 dst_port = UDP(ulp)->uh_dport;
958 src_port = UDP(ulp)->uh_sport;
961 case IPPROTO_HOPOPTS: /* RFC 2460 */
962 PULLUP_TO(hlen, ulp, struct ip6_hbh);
963 ext_hd |= EXT_HOPOPTS;
964 hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3;
965 proto = ((struct ip6_hbh *)ulp)->ip6h_nxt;
969 case IPPROTO_ROUTING: /* RFC 2460 */
970 PULLUP_TO(hlen, ulp, struct ip6_rthdr);
971 switch (((struct ip6_rthdr *)ulp)->ip6r_type) {
973 ext_hd |= EXT_RTHDR0;
976 ext_hd |= EXT_RTHDR2;
979 printf("IPFW2: IPV6 - Unknown Routing "
981 ((struct ip6_rthdr *)ulp)->ip6r_type);
982 if (V_fw_deny_unknown_exthdrs)
986 ext_hd |= EXT_ROUTING;
987 hlen += (((struct ip6_rthdr *)ulp)->ip6r_len + 1) << 3;
988 proto = ((struct ip6_rthdr *)ulp)->ip6r_nxt;
992 case IPPROTO_FRAGMENT: /* RFC 2460 */
993 PULLUP_TO(hlen, ulp, struct ip6_frag);
994 ext_hd |= EXT_FRAGMENT;
995 hlen += sizeof (struct ip6_frag);
996 proto = ((struct ip6_frag *)ulp)->ip6f_nxt;
997 offset = ((struct ip6_frag *)ulp)->ip6f_offlg &
999 /* Add IP6F_MORE_FRAG for offset of first
1000 * fragment to be != 0. */
1001 offset |= ((struct ip6_frag *)ulp)->ip6f_offlg &
1004 printf("IPFW2: IPV6 - Invalid Fragment "
1006 if (V_fw_deny_unknown_exthdrs)
1007 return (IP_FW_DENY);
1010 args->f_id.frag_id6 =
1011 ntohl(((struct ip6_frag *)ulp)->ip6f_ident);
1015 case IPPROTO_DSTOPTS: /* RFC 2460 */
1016 PULLUP_TO(hlen, ulp, struct ip6_hbh);
1017 ext_hd |= EXT_DSTOPTS;
1018 hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3;
1019 proto = ((struct ip6_hbh *)ulp)->ip6h_nxt;
1023 case IPPROTO_AH: /* RFC 2402 */
1024 PULLUP_TO(hlen, ulp, struct ip6_ext);
1026 hlen += (((struct ip6_ext *)ulp)->ip6e_len + 2) << 2;
1027 proto = ((struct ip6_ext *)ulp)->ip6e_nxt;
1031 case IPPROTO_ESP: /* RFC 2406 */
1032 PULLUP_TO(hlen, ulp, uint32_t); /* SPI, Seq# */
1033 /* Anything past Seq# is variable length and
1034 * data past this ext. header is encrypted. */
1038 case IPPROTO_NONE: /* RFC 2460 */
1040 * Packet ends here, and IPv6 header has
1041 * already been pulled up. If ip6e_len!=0
1042 * then octets must be ignored.
1044 ulp = ip; /* non-NULL to get out of loop. */
1047 case IPPROTO_OSPFIGP:
1048 /* XXX OSPF header check? */
1049 PULLUP_TO(hlen, ulp, struct ip6_ext);
1053 /* XXX PIM header check? */
1054 PULLUP_TO(hlen, ulp, struct pim);
1058 PULLUP_TO(hlen, ulp, struct carp_header);
1059 if (((struct carp_header *)ulp)->carp_version !=
1061 return (IP_FW_DENY);
1062 if (((struct carp_header *)ulp)->carp_type !=
1064 return (IP_FW_DENY);
1067 case IPPROTO_IPV6: /* RFC 2893 */
1068 PULLUP_TO(hlen, ulp, struct ip6_hdr);
1071 case IPPROTO_IPV4: /* RFC 2893 */
1072 PULLUP_TO(hlen, ulp, struct ip);
1076 printf("IPFW2: IPV6 - Unknown Extension "
1077 "Header(%d), ext_hd=%x\n", proto, ext_hd);
1078 if (V_fw_deny_unknown_exthdrs)
1079 return (IP_FW_DENY);
1080 PULLUP_TO(hlen, ulp, struct ip6_ext);
1084 ip = mtod(m, struct ip *);
1085 ip6 = (struct ip6_hdr *)ip;
1086 args->f_id.src_ip6 = ip6->ip6_src;
1087 args->f_id.dst_ip6 = ip6->ip6_dst;
1088 args->f_id.src_ip = 0;
1089 args->f_id.dst_ip = 0;
1090 args->f_id.flow_id6 = ntohl(ip6->ip6_flow);
1091 } else if (pktlen >= sizeof(struct ip) &&
1092 (args->eh == NULL || etype == ETHERTYPE_IP) && ip->ip_v == 4) {
1094 hlen = ip->ip_hl << 2;
1095 args->f_id.addr_type = 4;
1098 * Collect parameters into local variables for faster matching.
1101 src_ip = ip->ip_src;
1102 dst_ip = ip->ip_dst;
1103 offset = ntohs(ip->ip_off) & IP_OFFMASK;
1104 iplen = ntohs(ip->ip_len);
1105 pktlen = iplen < pktlen ? iplen : pktlen;
1110 PULLUP_TO(hlen, ulp, struct tcphdr);
1111 dst_port = TCP(ulp)->th_dport;
1112 src_port = TCP(ulp)->th_sport;
1113 args->f_id.flags = TCP(ulp)->th_flags;
1117 PULLUP_TO(hlen, ulp, struct udphdr);
1118 dst_port = UDP(ulp)->uh_dport;
1119 src_port = UDP(ulp)->uh_sport;
1123 PULLUP_TO(hlen, ulp, struct icmphdr);
1124 args->f_id.flags = ICMP(ulp)->icmp_type;
1132 ip = mtod(m, struct ip *);
1133 args->f_id.src_ip = ntohl(src_ip.s_addr);
1134 args->f_id.dst_ip = ntohl(dst_ip.s_addr);
1137 if (proto) { /* we may have port numbers, store them */
1138 args->f_id.proto = proto;
1139 args->f_id.src_port = src_port = ntohs(src_port);
1140 args->f_id.dst_port = dst_port = ntohs(dst_port);
1144 if (! V_ipfw_vnet_ready) { /* shutting down, leave NOW. */
1145 IPFW_RUNLOCK(chain);
1146 return (IP_FW_PASS); /* accept */
1148 if (args->rule.slot) {
1150 * Packet has already been tagged as a result of a previous
1151 * match on rule args->rule aka args->rule_id (PIPE, QUEUE,
1152 * REASS, NETGRAPH, DIVERT/TEE...)
1153 * Validate the slot and continue from the next one
1154 * if still present, otherwise do a lookup.
1156 f_pos = (args->rule.chain_id == chain->id) ?
1158 ipfw_find_rule(chain, args->rule.rulenum,
1159 args->rule.rule_id);
1165 * Now scan the rules, and parse microinstructions for each rule.
1166 * We have two nested loops and an inner switch. Sometimes we
1167 * need to break out of one or both loops, or re-enter one of
1168 * the loops with updated variables. Loop variables are:
1170 * f_pos (outer loop) points to the current rule.
1171 * On output it points to the matching rule.
1172 * done (outer loop) is used as a flag to break the loop.
1173 * l (inner loop) residual length of current rule.
1174 * cmd points to the current microinstruction.
1176 * We break the inner loop by setting l=0 and possibly
1177 * cmdlen=0 if we don't want to advance cmd.
1178 * We break the outer loop by setting done=1
1179 * We can restart the inner loop by setting l>0 and f_pos, f, cmd
1182 for (; f_pos < chain->n_rules; f_pos++) {
1184 uint32_t tablearg = 0;
1185 int l, cmdlen, skip_or; /* skip rest of OR block */
1188 f = chain->map[f_pos];
1189 if (V_set_disable & (1 << f->set) )
1193 for (l = f->cmd_len, cmd = f->cmd ; l > 0 ;
1194 l -= cmdlen, cmd += cmdlen) {
1198 * check_body is a jump target used when we find a
1199 * CHECK_STATE, and need to jump to the body of
1204 cmdlen = F_LEN(cmd);
1206 * An OR block (insn_1 || .. || insn_n) has the
1207 * F_OR bit set in all but the last instruction.
1208 * The first match will set "skip_or", and cause
1209 * the following instructions to be skipped until
1210 * past the one with the F_OR bit clear.
1212 if (skip_or) { /* skip this instruction */
1213 if ((cmd->len & F_OR) == 0)
1214 skip_or = 0; /* next one is good */
1217 match = 0; /* set to 1 if we succeed */
1219 switch (cmd->opcode) {
1221 * The first set of opcodes compares the packet's
1222 * fields with some pattern, setting 'match' if a
1223 * match is found. At the end of the loop there is
1224 * logic to deal with F_NOT and F_OR flags associated
1232 printf("ipfw: opcode %d unimplemented\n",
1240 * We only check offset == 0 && proto != 0,
1241 * as this ensures that we have a
1242 * packet with the ports info.
1246 if (is_ipv6) /* XXX to be fixed later */
1248 if (proto == IPPROTO_TCP ||
1249 proto == IPPROTO_UDP)
1250 match = check_uidgid(
1251 (ipfw_insn_u32 *)cmd,
1254 src_ip, src_port, (void *)&ucred_cache,
1255 &ucred_lookup, (struct inpcb *)args->m);
1259 match = iface_match(m->m_pkthdr.rcvif,
1260 (ipfw_insn_if *)cmd);
1264 match = iface_match(oif, (ipfw_insn_if *)cmd);
1268 match = iface_match(oif ? oif :
1269 m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd);
1273 if (args->eh != NULL) { /* have MAC header */
1274 u_int32_t *want = (u_int32_t *)
1275 ((ipfw_insn_mac *)cmd)->addr;
1276 u_int32_t *mask = (u_int32_t *)
1277 ((ipfw_insn_mac *)cmd)->mask;
1278 u_int32_t *hdr = (u_int32_t *)args->eh;
1281 ( want[0] == (hdr[0] & mask[0]) &&
1282 want[1] == (hdr[1] & mask[1]) &&
1283 want[2] == (hdr[2] & mask[2]) );
1288 if (args->eh != NULL) {
1290 ((ipfw_insn_u16 *)cmd)->ports;
1293 for (i = cmdlen - 1; !match && i>0;
1295 match = (etype >= p[0] &&
1301 match = (offset != 0);
1304 case O_IN: /* "out" is "not in" */
1305 match = (oif == NULL);
1309 match = (args->eh != NULL);
1314 /* For diverted packets, args->rule.info
1315 * contains the divert port (in host format)
1316 * reason and direction.
1318 uint32_t i = args->rule.info;
1319 match = (i&IPFW_IS_MASK) == IPFW_IS_DIVERT &&
1320 cmd->arg1 & ((i & IPFW_INFO_IN) ? 1 : 2);
1326 * We do not allow an arg of 0 so the
1327 * check of "proto" only suffices.
1329 match = (proto == cmd->arg1);
1334 (((ipfw_insn_ip *)cmd)->addr.s_addr ==
1338 case O_IP_SRC_LOOKUP:
1339 case O_IP_DST_LOOKUP:
1342 (cmd->opcode == O_IP_DST_LOOKUP) ?
1343 dst_ip.s_addr : src_ip.s_addr;
1346 if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) {
1347 /* generic lookup. The key must be
1348 * in 32bit big-endian format.
1350 v = ((ipfw_insn_u32 *)cmd)->d[1];
1352 key = dst_ip.s_addr;
1354 key = src_ip.s_addr;
1355 else if (offset != 0)
1357 else if (proto != IPPROTO_TCP &&
1358 proto != IPPROTO_UDP)
1361 key = htonl(dst_port);
1363 key = htonl(src_port);
1364 else if (v == 4 || v == 5) {
1366 (ipfw_insn_u32 *)cmd,
1369 src_ip, src_port, (void *)&ucred_cache,
1370 &ucred_lookup, (struct inpcb *)args->m);
1372 if (v ==4 /* O_UID */)
1373 key = ucred_cache.uid;
1374 else if (v == 5 /* O_JAIL */)
1375 key = ucred_cache.xid;
1377 if (v == 4 /* O_UID */)
1378 key = ucred_cache->cr_uid;
1379 else if (v == 5 /* O_JAIL */)
1380 key = ucred_cache->cr_prison->pr_id;
1386 match = ipfw_lookup_table(chain,
1387 cmd->arg1, key, &v);
1390 if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
1392 ((ipfw_insn_u32 *)cmd)->d[0] == v;
1402 (cmd->opcode == O_IP_DST_MASK) ?
1403 dst_ip.s_addr : src_ip.s_addr;
1404 uint32_t *p = ((ipfw_insn_u32 *)cmd)->d;
1407 for (; !match && i>0; i-= 2, p+= 2)
1408 match = (p[0] == (a & p[1]));
1416 INADDR_TO_IFP(src_ip, tif);
1417 match = (tif != NULL);
1424 u_int32_t *d = (u_int32_t *)(cmd+1);
1426 cmd->opcode == O_IP_DST_SET ?
1432 addr -= d[0]; /* subtract base */
1433 match = (addr < cmd->arg1) &&
1434 ( d[ 1 + (addr>>5)] &
1435 (1<<(addr & 0x1f)) );
1441 (((ipfw_insn_ip *)cmd)->addr.s_addr ==
1449 INADDR_TO_IFP(dst_ip, tif);
1450 match = (tif != NULL);
1457 * offset == 0 && proto != 0 is enough
1458 * to guarantee that we have a
1459 * packet with port info.
1461 if ((proto==IPPROTO_UDP || proto==IPPROTO_TCP)
1464 (cmd->opcode == O_IP_SRCPORT) ?
1465 src_port : dst_port ;
1467 ((ipfw_insn_u16 *)cmd)->ports;
1470 for (i = cmdlen - 1; !match && i>0;
1472 match = (x>=p[0] && x<=p[1]);
1477 match = (offset == 0 && proto==IPPROTO_ICMP &&
1478 icmptype_match(ICMP(ulp), (ipfw_insn_u32 *)cmd) );
1483 match = is_ipv6 && offset == 0 &&
1484 proto==IPPROTO_ICMPV6 &&
1486 ICMP6(ulp)->icmp6_type,
1487 (ipfw_insn_u32 *)cmd);
1493 ipopts_match(ip, cmd) );
1498 cmd->arg1 == ip->ip_v);
1504 if (is_ipv4) { /* only for IP packets */
1509 if (cmd->opcode == O_IPLEN)
1511 else if (cmd->opcode == O_IPTTL)
1513 else /* must be IPID */
1514 x = ntohs(ip->ip_id);
1516 match = (cmd->arg1 == x);
1519 /* otherwise we have ranges */
1520 p = ((ipfw_insn_u16 *)cmd)->ports;
1522 for (; !match && i>0; i--, p += 2)
1523 match = (x >= p[0] && x <= p[1]);
1527 case O_IPPRECEDENCE:
1529 (cmd->arg1 == (ip->ip_tos & 0xe0)) );
1534 flags_match(cmd, ip->ip_tos));
1538 if (proto == IPPROTO_TCP && offset == 0) {
1546 ((ip->ip_hl + tcp->th_off) << 2);
1548 match = (cmd->arg1 == x);
1551 /* otherwise we have ranges */
1552 p = ((ipfw_insn_u16 *)cmd)->ports;
1554 for (; !match && i>0; i--, p += 2)
1555 match = (x >= p[0] && x <= p[1]);
1560 match = (proto == IPPROTO_TCP && offset == 0 &&
1561 flags_match(cmd, TCP(ulp)->th_flags));
1565 match = (proto == IPPROTO_TCP && offset == 0 &&
1566 tcpopts_match(TCP(ulp), cmd));
1570 match = (proto == IPPROTO_TCP && offset == 0 &&
1571 ((ipfw_insn_u32 *)cmd)->d[0] ==
1576 match = (proto == IPPROTO_TCP && offset == 0 &&
1577 ((ipfw_insn_u32 *)cmd)->d[0] ==
1582 match = (proto == IPPROTO_TCP && offset == 0 &&
1583 cmd->arg1 == TCP(ulp)->th_win);
1587 /* reject packets which have SYN only */
1588 /* XXX should i also check for TH_ACK ? */
1589 match = (proto == IPPROTO_TCP && offset == 0 &&
1590 (TCP(ulp)->th_flags &
1591 (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
1596 ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
1599 at = pf_find_mtag(m);
1600 if (at != NULL && at->qid != 0)
1602 at = pf_get_mtag(m);
1605 * Let the packet fall back to the
1610 at->qid = altq->qid;
1620 ipfw_log(f, hlen, args, m,
1621 oif, offset, tablearg, ip);
1626 match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
1630 /* Outgoing packets automatically pass/match */
1631 match = ((oif != NULL) ||
1632 (m->m_pkthdr.rcvif == NULL) ||
1636 verify_path6(&(args->f_id.src_ip6),
1637 m->m_pkthdr.rcvif) :
1639 verify_path(src_ip, m->m_pkthdr.rcvif,
1644 /* Outgoing packets automatically pass/match */
1645 match = (hlen > 0 && ((oif != NULL) ||
1648 verify_path6(&(args->f_id.src_ip6),
1651 verify_path(src_ip, NULL, args->f_id.fib)));
1655 /* Outgoing packets automatically pass/match */
1656 if (oif == NULL && hlen > 0 &&
1657 ( (is_ipv4 && in_localaddr(src_ip))
1660 in6_localaddr(&(args->f_id.src_ip6)))
1665 is_ipv6 ? verify_path6(
1666 &(args->f_id.src_ip6),
1667 m->m_pkthdr.rcvif) :
1678 match = (m_tag_find(m,
1679 PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
1681 /* otherwise no match */
1687 IN6_ARE_ADDR_EQUAL(&args->f_id.src_ip6,
1688 &((ipfw_insn_ip6 *)cmd)->addr6);
1693 IN6_ARE_ADDR_EQUAL(&args->f_id.dst_ip6,
1694 &((ipfw_insn_ip6 *)cmd)->addr6);
1696 case O_IP6_SRC_MASK:
1697 case O_IP6_DST_MASK:
1701 struct in6_addr *d =
1702 &((ipfw_insn_ip6 *)cmd)->addr6;
1704 for (; !match && i > 0; d += 2,
1705 i -= F_INSN_SIZE(struct in6_addr)
1711 APPLY_MASK(&p, &d[1]);
1713 IN6_ARE_ADDR_EQUAL(&d[0],
1720 match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6);
1724 match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6);
1729 flow6id_match(args->f_id.flow_id6,
1730 (ipfw_insn_u32 *) cmd);
1735 (ext_hd & ((ipfw_insn *) cmd)->arg1);
1749 uint32_t tag = (cmd->arg1 == IP_FW_TABLEARG) ?
1750 tablearg : cmd->arg1;
1752 /* Packet is already tagged with this tag? */
1753 mtag = m_tag_locate(m, MTAG_IPFW, tag, NULL);
1755 /* We have `untag' action when F_NOT flag is
1756 * present. And we must remove this mtag from
1757 * mbuf and reset `match' to zero (`match' will
1758 * be inversed later).
1759 * Otherwise we should allocate new mtag and
1760 * push it into mbuf.
1762 if (cmd->len & F_NOT) { /* `untag' action */
1764 m_tag_delete(m, mtag);
1766 } else if (mtag == NULL) {
1767 if ((mtag = m_tag_alloc(MTAG_IPFW,
1768 tag, 0, M_NOWAIT)) != NULL)
1769 m_tag_prepend(m, mtag);
1775 case O_FIB: /* try match the specified fib */
1776 if (args->f_id.fib == cmd->arg1)
1782 uint32_t tag = (cmd->arg1 == IP_FW_TABLEARG) ?
1783 tablearg : cmd->arg1;
1786 match = m_tag_locate(m, MTAG_IPFW,
1791 /* we have ranges */
1792 for (mtag = m_tag_first(m);
1793 mtag != NULL && !match;
1794 mtag = m_tag_next(m, mtag)) {
1798 if (mtag->m_tag_cookie != MTAG_IPFW)
1801 p = ((ipfw_insn_u16 *)cmd)->ports;
1803 for(; !match && i > 0; i--, p += 2)
1805 mtag->m_tag_id >= p[0] &&
1806 mtag->m_tag_id <= p[1];
1812 * The second set of opcodes represents 'actions',
1813 * i.e. the terminal part of a rule once the packet
1814 * matches all previous patterns.
1815 * Typically there is only one action for each rule,
1816 * and the opcode is stored at the end of the rule
1817 * (but there are exceptions -- see below).
1819 * In general, here we set retval and terminate the
1820 * outer loop (would be a 'break 3' in some language,
1821 * but we need to set l=0, done=1)
1824 * O_COUNT and O_SKIPTO actions:
1825 * instead of terminating, we jump to the next rule
1826 * (setting l=0), or to the SKIPTO target (setting
1827 * f/f_len, cmd and l as needed), respectively.
1829 * O_TAG, O_LOG and O_ALTQ action parameters:
1830 * perform some action and set match = 1;
1832 * O_LIMIT and O_KEEP_STATE: these opcodes are
1833 * not real 'actions', and are stored right
1834 * before the 'action' part of the rule.
1835 * These opcodes try to install an entry in the
1836 * state tables; if successful, we continue with
1837 * the next opcode (match=1; break;), otherwise
1838 * the packet must be dropped (set retval,
1839 * break loops with l=0, done=1)
1841 * O_PROBE_STATE and O_CHECK_STATE: these opcodes
1842 * cause a lookup of the state table, and a jump
1843 * to the 'action' part of the parent rule
1844 * if an entry is found, or
1845 * (CHECK_STATE only) a jump to the next rule if
1846 * the entry is not found.
1847 * The result of the lookup is cached so that
1848 * further instances of these opcodes become NOPs.
1849 * The jump to the next rule is done by setting
1854 if (ipfw_install_state(f,
1855 (ipfw_insn_limit *)cmd, args, tablearg)) {
1856 /* error or limit violation */
1857 retval = IP_FW_DENY;
1858 l = 0; /* exit inner loop */
1859 done = 1; /* exit outer loop */
1867 * dynamic rules are checked at the first
1868 * keep-state or check-state occurrence,
1869 * with the result being stored in dyn_dir.
1870 * The compiler introduces a PROBE_STATE
1871 * instruction for us when we have a
1872 * KEEP_STATE (because PROBE_STATE needs
1875 if (dyn_dir == MATCH_UNKNOWN &&
1876 (q = ipfw_lookup_dyn_rule(&args->f_id,
1877 &dyn_dir, proto == IPPROTO_TCP ?
1881 * Found dynamic entry, update stats
1882 * and jump to the 'action' part of
1883 * the parent rule by setting
1884 * f, cmd, l and clearing cmdlen.
1888 /* XXX we would like to have f_pos
1889 * readily accessible in the dynamic
1890 * rule, instead of having to
1894 f_pos = ipfw_find_rule(chain,
1896 cmd = ACTION_PTR(f);
1897 l = f->cmd_len - f->act_ofs;
1904 * Dynamic entry not found. If CHECK_STATE,
1905 * skip to next rule, if PROBE_STATE just
1906 * ignore and continue with next opcode.
1908 if (cmd->opcode == O_CHECK_STATE)
1909 l = 0; /* exit inner loop */
1914 retval = 0; /* accept */
1915 l = 0; /* exit inner loop */
1916 done = 1; /* exit outer loop */
1921 set_match(args, f_pos, chain);
1922 args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ?
1923 tablearg : cmd->arg1;
1924 if (cmd->opcode == O_PIPE)
1925 args->rule.info |= IPFW_IS_PIPE;
1927 args->rule.info |= IPFW_ONEPASS;
1928 retval = IP_FW_DUMMYNET;
1929 l = 0; /* exit inner loop */
1930 done = 1; /* exit outer loop */
1935 if (args->eh) /* not on layer 2 */
1937 /* otherwise this is terminal */
1938 l = 0; /* exit inner loop */
1939 done = 1; /* exit outer loop */
1940 retval = (cmd->opcode == O_DIVERT) ?
1941 IP_FW_DIVERT : IP_FW_TEE;
1942 set_match(args, f_pos, chain);
1943 args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ?
1944 tablearg : cmd->arg1;
1948 f->pcnt++; /* update stats */
1950 f->timestamp = time_uptime;
1951 l = 0; /* exit inner loop */
1955 f->pcnt++; /* update stats */
1957 f->timestamp = time_uptime;
1958 /* If possible use cached f_pos (in f->next_rule),
1959 * whose version is written in f->next_rule
1960 * (horrible hacks to avoid changing the ABI).
1962 if (cmd->arg1 != IP_FW_TABLEARG &&
1963 (uintptr_t)f->x_next == chain->id) {
1964 f_pos = (uintptr_t)f->next_rule;
1966 int i = (cmd->arg1 == IP_FW_TABLEARG) ?
1967 tablearg : cmd->arg1;
1968 /* make sure we do not jump backward */
1969 if (i <= f->rulenum)
1971 f_pos = ipfw_find_rule(chain, i, 0);
1972 /* update the cache */
1973 if (cmd->arg1 != IP_FW_TABLEARG) {
1975 (void *)(uintptr_t)f_pos;
1977 (void *)(uintptr_t)chain->id;
1981 * Skip disabled rules, and re-enter
1982 * the inner loop with the correct
1983 * f_pos, f, l and cmd.
1984 * Also clear cmdlen and skip_or
1986 for (; f_pos < chain->n_rules - 1 &&
1988 (1 << chain->map[f_pos]->set));
1991 /* prepare to enter the inner loop */
1992 f = chain->map[f_pos];
2002 * Drop the packet and send a reject notice
2003 * if the packet is not ICMP (or is an ICMP
2004 * query), and it is not multicast/broadcast.
2006 if (hlen > 0 && is_ipv4 && offset == 0 &&
2007 (proto != IPPROTO_ICMP ||
2008 is_icmp_query(ICMP(ulp))) &&
2009 !(m->m_flags & (M_BCAST|M_MCAST)) &&
2010 !IN_MULTICAST(ntohl(dst_ip.s_addr))) {
2011 send_reject(args, cmd->arg1, iplen, ip);
2017 if (hlen > 0 && is_ipv6 &&
2018 ((offset & IP6F_OFF_MASK) == 0) &&
2019 (proto != IPPROTO_ICMPV6 ||
2020 (is_icmp6_query(args->f_id.flags) == 1)) &&
2021 !(m->m_flags & (M_BCAST|M_MCAST)) &&
2022 !IN6_IS_ADDR_MULTICAST(&args->f_id.dst_ip6)) {
2024 args, cmd->arg1, hlen,
2025 (struct ip6_hdr *)ip);
2031 retval = IP_FW_DENY;
2032 l = 0; /* exit inner loop */
2033 done = 1; /* exit outer loop */
2037 if (args->eh) /* not valid on layer2 pkts */
2039 if (!q || dyn_dir == MATCH_FORWARD) {
2040 struct sockaddr_in *sa;
2041 sa = &(((ipfw_insn_sa *)cmd)->sa);
2042 if (sa->sin_addr.s_addr == INADDR_ANY) {
2043 bcopy(sa, &args->hopstore,
2045 args->hopstore.sin_addr.s_addr =
2047 args->next_hop = &args->hopstore;
2049 args->next_hop = sa;
2052 retval = IP_FW_PASS;
2053 l = 0; /* exit inner loop */
2054 done = 1; /* exit outer loop */
2059 set_match(args, f_pos, chain);
2060 args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ?
2061 tablearg : cmd->arg1;
2062 retval = (cmd->opcode == O_NETGRAPH) ?
2063 IP_FW_NETGRAPH : IP_FW_NGTEE;
2064 l = 0; /* exit inner loop */
2065 done = 1; /* exit outer loop */
2069 f->pcnt++; /* update stats */
2071 f->timestamp = time_uptime;
2072 M_SETFIB(m, cmd->arg1);
2073 args->f_id.fib = cmd->arg1;
2074 l = 0; /* exit inner loop */
2078 if (!IPFW_NAT_LOADED) {
2079 retval = IP_FW_DENY;
2084 set_match(args, f_pos, chain);
2085 t = ((ipfw_insn_nat *)cmd)->nat;
2087 nat_id = (cmd->arg1 == IP_FW_TABLEARG) ?
2088 tablearg : cmd->arg1;
2089 t = (*lookup_nat_ptr)(&chain->nat, nat_id);
2092 retval = IP_FW_DENY;
2093 l = 0; /* exit inner loop */
2094 done = 1; /* exit outer loop */
2097 if (cmd->arg1 != IP_FW_TABLEARG)
2098 ((ipfw_insn_nat *)cmd)->nat = t;
2100 retval = ipfw_nat_ptr(args, t, m);
2102 l = 0; /* exit inner loop */
2103 done = 1; /* exit outer loop */
2111 l = 0; /* in any case exit inner loop */
2112 ip_off = ntohs(ip->ip_off);
2114 /* if not fragmented, go to next rule */
2115 if ((ip_off & (IP_MF | IP_OFFMASK)) == 0)
2118 * ip_reass() expects len & off in host
2123 args->m = m = ip_reass(m);
2126 * do IP header checksum fixup.
2128 if (m == NULL) { /* fragment got swallowed */
2129 retval = IP_FW_DENY;
2130 } else { /* good, packet complete */
2133 ip = mtod(m, struct ip *);
2134 hlen = ip->ip_hl << 2;
2137 if (hlen == sizeof(struct ip))
2138 ip->ip_sum = in_cksum_hdr(ip);
2140 ip->ip_sum = in_cksum(m, hlen);
2141 retval = IP_FW_REASS;
2142 set_match(args, f_pos, chain);
2144 done = 1; /* exit outer loop */
2149 panic("-- unknown opcode %d\n", cmd->opcode);
2150 } /* end of switch() on opcodes */
2152 * if we get here with l=0, then match is irrelevant.
2155 if (cmd->len & F_NOT)
2159 if (cmd->len & F_OR)
2162 if (!(cmd->len & F_OR)) /* not an OR block, */
2163 break; /* try next rule */
2166 } /* end of inner loop, scan opcodes */
2171 /* next_rule:; */ /* try next rule */
2173 } /* end of outer for, scan rules */
2176 struct ip_fw *rule = chain->map[f_pos];
2177 /* Update statistics */
2179 rule->bcnt += pktlen;
2180 rule->timestamp = time_uptime;
2182 retval = IP_FW_DENY;
2183 printf("ipfw: ouch!, skip past end of rules, denying packet\n");
2185 IPFW_RUNLOCK(chain);
2187 if (ucred_cache != NULL)
2188 crfree(ucred_cache);
2194 printf("ipfw: pullup failed\n");
2195 return (IP_FW_DENY);
2199 * Module and VNET glue
2203 * Stuff that must be initialised only on boot or module load
2212 * Only print out this stuff the first time around,
2213 * when called from the sysinit code.
2219 "initialized, divert %s, nat %s, "
2220 "rule-based forwarding "
2221 #ifdef IPFIREWALL_FORWARD
2226 "default to %s, logging ",
2232 #ifdef IPFIREWALL_NAT
2237 default_to_accept ? "accept" : "deny");
2240 * Note: V_xxx variables can be accessed here but the vnet specific
2241 * initializer may not have been called yet for the VIMAGE case.
2242 * Tuneables will have been processed. We will print out values for
2244 * XXX This should all be rationalized AFTER 8.0
2246 if (V_fw_verbose == 0)
2247 printf("disabled\n");
2248 else if (V_verbose_limit == 0)
2249 printf("unlimited\n");
2251 printf("limited to %d packets/entry by default\n",
2254 ipfw_log_bpf(1); /* init */
2259 * Called for the removal of the last instance only on module unload.
2265 ipfw_log_bpf(0); /* uninit */
2267 printf("IP firewall unloaded\n");
2271 * Stuff that must be initialized for every instance
2272 * (including the first of course).
2275 vnet_ipfw_init(const void *unused)
2278 struct ip_fw *rule = NULL;
2279 struct ip_fw_chain *chain;
2281 chain = &V_layer3_chain;
2283 /* First set up some values that are compile time options */
2284 V_autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
2285 V_fw_deny_unknown_exthdrs = 1;
2286 #ifdef IPFIREWALL_VERBOSE
2289 #ifdef IPFIREWALL_VERBOSE_LIMIT
2290 V_verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
2292 #ifdef IPFIREWALL_NAT
2293 LIST_INIT(&chain->nat);
2296 /* insert the default rule and create the initial map */
2298 chain->static_len = sizeof(struct ip_fw);
2299 chain->map = malloc(sizeof(struct ip_fw *), M_IPFW, M_NOWAIT | M_ZERO);
2301 rule = malloc(chain->static_len, M_IPFW, M_NOWAIT | M_ZERO);
2304 free(chain->map, M_IPFW);
2305 printf("ipfw2: ENOSPC initializing default rule "
2306 "(support disabled)\n");
2309 error = ipfw_init_tables(chain);
2311 panic("init_tables"); /* XXX Marko fix this ! */
2314 /* fill and insert the default rule */
2316 rule->rulenum = IPFW_DEFAULT_RULE;
2318 rule->set = RESVD_SET;
2319 rule->cmd[0].len = 1;
2320 rule->cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY;
2321 chain->rules = chain->default_rule = chain->map[0] = rule;
2322 chain->id = rule->id = 1;
2324 IPFW_LOCK_INIT(chain);
2327 /* First set up some values that are compile time options */
2328 V_ipfw_vnet_ready = 1; /* Open for business */
2331 * Hook the sockopt handler, and the layer2 (V_ip_fw_chk_ptr)
2332 * and pfil hooks for ipv4 and ipv6. Even if the latter two fail
2333 * we still keep the module alive because the sockopt and
2334 * layer2 paths are still useful.
2335 * ipfw[6]_hook return 0 on success, ENOENT on failure,
2336 * so we can ignore the exact return value and just set a flag.
2338 * Note that V_fw[6]_enable are manipulated by a SYSCTL_PROC so
2339 * changes in the underlying (per-vnet) variables trigger
2340 * immediate hook()/unhook() calls.
2341 * In layer2 we have the same behaviour, except that V_ether_ipfw
2342 * is checked on each packet because there are no pfil hooks.
2344 V_ip_fw_ctl_ptr = ipfw_ctl;
2345 V_ip_fw_chk_ptr = ipfw_chk;
2346 error = ipfw_attach_hooks(1);
2351 * Called for the removal of each instance.
2354 vnet_ipfw_uninit(const void *unused)
2356 struct ip_fw *reap, *rule;
2357 struct ip_fw_chain *chain = &V_layer3_chain;
2360 V_ipfw_vnet_ready = 0; /* tell new callers to go away */
2362 * disconnect from ipv4, ipv6, layer2 and sockopt.
2363 * Then grab, release and grab again the WLOCK so we make
2364 * sure the update is propagated and nobody will be in.
2366 (void)ipfw_attach_hooks(0 /* detach */);
2367 V_ip_fw_chk_ptr = NULL;
2368 V_ip_fw_ctl_ptr = NULL;
2369 IPFW_UH_WLOCK(chain);
2370 IPFW_UH_WUNLOCK(chain);
2371 IPFW_UH_WLOCK(chain);
2374 IPFW_WUNLOCK(chain);
2377 ipfw_dyn_uninit(0); /* run the callout_drain */
2378 ipfw_flush_tables(chain);
2380 for (i = 0; i < chain->n_rules; i++) {
2381 rule = chain->map[i];
2382 rule->x_next = reap;
2386 free(chain->map, M_IPFW);
2387 IPFW_WUNLOCK(chain);
2388 IPFW_UH_WUNLOCK(chain);
2390 ipfw_reap_rules(reap);
2391 IPFW_LOCK_DESTROY(chain);
2392 ipfw_dyn_uninit(1); /* free the remaining parts */
2397 * Module event handler.
2398 * In general we have the choice of handling most of these events by the
2399 * event handler or by the (VNET_)SYS(UN)INIT handlers. I have chosen to
2400 * use the SYSINIT handlers as they are more capable of expressing the
2401 * flow of control during module and vnet operations, so this is just
2402 * a skeleton. Note there is no SYSINIT equivalent of the module
2403 * SHUTDOWN handler, but we don't have anything to do in that case anyhow.
2406 ipfw_modevent(module_t mod, int type, void *unused)
2412 /* Called once at module load or
2413 * system boot if compiled in. */
2416 /* Called before unload. May veto unloading. */
2419 /* Called during unload. */
2422 /* Called during system shutdown. */
2431 static moduledata_t ipfwmod = {
2437 /* Define startup order. */
2438 #define IPFW_SI_SUB_FIREWALL SI_SUB_PROTO_IFATTACHDOMAIN
2439 #define IPFW_MODEVENT_ORDER (SI_ORDER_ANY - 255) /* On boot slot in here. */
2440 #define IPFW_MODULE_ORDER (IPFW_MODEVENT_ORDER + 1) /* A little later. */
2441 #define IPFW_VNET_ORDER (IPFW_MODEVENT_ORDER + 2) /* Later still. */
2443 DECLARE_MODULE(ipfw, ipfwmod, IPFW_SI_SUB_FIREWALL, IPFW_MODEVENT_ORDER);
2444 MODULE_VERSION(ipfw, 2);
2445 /* should declare some dependencies here */
2448 * Starting up. Done in order after ipfwmod() has been called.
2449 * VNET_SYSINIT is also called for each existing vnet and each new vnet.
2451 SYSINIT(ipfw_init, IPFW_SI_SUB_FIREWALL, IPFW_MODULE_ORDER,
2453 VNET_SYSINIT(vnet_ipfw_init, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER,
2454 vnet_ipfw_init, NULL);
2457 * Closing up shop. These are done in REVERSE ORDER, but still
2458 * after ipfwmod() has been called. Not called on reboot.
2459 * VNET_SYSUNINIT is also called for each exiting vnet as it exits.
2460 * or when the module is unloaded.
2462 SYSUNINIT(ipfw_destroy, IPFW_SI_SUB_FIREWALL, IPFW_MODULE_ORDER,
2463 ipfw_destroy, NULL);
2464 VNET_SYSUNINIT(vnet_ipfw_uninit, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER,
2465 vnet_ipfw_uninit, NULL);