2 * Copyright (c) 2004 Ruslan Ermilov and Vsevolod Lobko.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw_table.c 200601 2009-12-16 10:48:40Z luigi $");
30 * Lookup table support for ipfw
32 * Lookup tables are implemented (at the moment) using the radix
33 * tree used for routing tables. Tables store key-value entries, where
34 * keys are network prefixes (addr/masklen), and values are integers.
35 * As a degenerate case we can interpret keys as 32-bit integers
38 * The table is protected by the IPFW lock even for manipulation coming
39 * from userland, because operations are typically fast.
42 #if !defined(KLD_MODULE)
44 #include "opt_ipdivert.h"
48 #error IPFIREWALL requires INET.
51 #include "opt_inet6.h"
52 #include "opt_ipsec.h"
54 #include <sys/param.h>
55 #include <sys/systm.h>
56 #include <sys/malloc.h>
57 #include <sys/kernel.h>
59 #include <sys/rwlock.h>
60 #include <sys/socket.h>
61 #include <net/if.h> /* ip_fw.h requires IFNAMSIZ */
62 #include <net/radix.h>
63 #include <net/route.h>
66 #include <netinet/in.h>
67 #include <netinet/ip_var.h> /* struct ipfw_rule_ref */
68 #include <netinet/ip_fw.h>
69 #include <sys/queue.h> /* LIST_HEAD */
70 #include <netinet/ipfw/ip_fw_private.h>
73 #include <security/mac/mac_framework.h>
76 MALLOC_DEFINE(M_IPFW_TBL, "ipfw_tbl", "IpFw tables");
79 struct radix_node rn[2];
80 struct sockaddr_in addr, mask;
85 * The radix code expects addr and mask to be array of bytes,
86 * with the first byte being the length of the array. rn_inithead
87 * is called with the offset in bits of the lookup key within the
88 * array. If we use a sockaddr_in as the underlying type,
89 * sin_len is conveniently located at offset 0, sin_addr is at
90 * offset 4 and normally aligned.
91 * But for portability, let's avoid assumption and make the code explicit
93 #define KEY_LEN(v) *((uint8_t *)&(v))
94 #define KEY_OFS (8*offsetof(struct sockaddr_in, sin_addr))
97 ipfw_add_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
98 uint8_t mlen, uint32_t value)
100 struct radix_node_head *rnh;
101 struct table_entry *ent;
102 struct radix_node *rn;
104 if (tbl >= IPFW_TABLES_MAX)
106 rnh = ch->tables[tbl];
107 ent = malloc(sizeof(*ent), M_IPFW_TBL, M_NOWAIT | M_ZERO);
111 KEY_LEN(ent->addr) = KEY_LEN(ent->mask) = 8;
112 ent->mask.sin_addr.s_addr = htonl(mlen ? ~((1 << (32 - mlen)) - 1) : 0);
113 ent->addr.sin_addr.s_addr = addr & ent->mask.sin_addr.s_addr;
115 rn = rnh->rnh_addaddr(&ent->addr, &ent->mask, rnh, (void *)ent);
118 free(ent, M_IPFW_TBL);
126 ipfw_del_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
129 struct radix_node_head *rnh;
130 struct table_entry *ent;
131 struct sockaddr_in sa, mask;
133 if (tbl >= IPFW_TABLES_MAX)
135 rnh = ch->tables[tbl];
136 KEY_LEN(sa) = KEY_LEN(mask) = 8;
137 mask.sin_addr.s_addr = htonl(mlen ? ~((1 << (32 - mlen)) - 1) : 0);
138 sa.sin_addr.s_addr = addr & mask.sin_addr.s_addr;
140 ent = (struct table_entry *)rnh->rnh_deladdr(&sa, &mask, rnh);
146 free(ent, M_IPFW_TBL);
151 flush_table_entry(struct radix_node *rn, void *arg)
153 struct radix_node_head * const rnh = arg;
154 struct table_entry *ent;
156 ent = (struct table_entry *)
157 rnh->rnh_deladdr(rn->rn_key, rn->rn_mask, rnh);
159 free(ent, M_IPFW_TBL);
164 ipfw_flush_table(struct ip_fw_chain *ch, uint16_t tbl)
166 struct radix_node_head *rnh;
168 IPFW_WLOCK_ASSERT(ch);
170 if (tbl >= IPFW_TABLES_MAX)
172 rnh = ch->tables[tbl];
173 KASSERT(rnh != NULL, ("NULL IPFW table"));
174 rnh->rnh_walktree(rnh, flush_table_entry, rnh);
179 ipfw_destroy_tables(struct ip_fw_chain *ch)
182 struct radix_node_head *rnh;
184 IPFW_WLOCK_ASSERT(ch);
186 for (tbl = 0; tbl < IPFW_TABLES_MAX; tbl++) {
187 ipfw_flush_table(ch, tbl);
188 rnh = ch->tables[tbl];
189 rn_detachhead((void **)&rnh);
194 ipfw_init_tables(struct ip_fw_chain *ch)
199 for (i = 0; i < IPFW_TABLES_MAX; i++) {
200 if (!rn_inithead((void **)&ch->tables[i], KEY_OFS)) {
201 for (j = 0; j < i; j++) {
202 (void) ipfw_flush_table(ch, j);
211 ipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
214 struct radix_node_head *rnh;
215 struct table_entry *ent;
216 struct sockaddr_in sa;
218 if (tbl >= IPFW_TABLES_MAX)
220 rnh = ch->tables[tbl];
222 sa.sin_addr.s_addr = addr;
223 ent = (struct table_entry *)(rnh->rnh_lookup(&sa, NULL, rnh));
232 count_table_entry(struct radix_node *rn, void *arg)
234 u_int32_t * const cnt = arg;
241 ipfw_count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt)
243 struct radix_node_head *rnh;
245 if (tbl >= IPFW_TABLES_MAX)
247 rnh = ch->tables[tbl];
249 rnh->rnh_walktree(rnh, count_table_entry, cnt);
254 dump_table_entry(struct radix_node *rn, void *arg)
256 struct table_entry * const n = (struct table_entry *)rn;
257 ipfw_table * const tbl = arg;
258 ipfw_table_entry *ent;
260 if (tbl->cnt == tbl->size)
262 ent = &tbl->ent[tbl->cnt];
264 if (in_nullhost(n->mask.sin_addr))
267 ent->masklen = 33 - ffs(ntohl(n->mask.sin_addr.s_addr));
268 ent->addr = n->addr.sin_addr.s_addr;
269 ent->value = n->value;
275 ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl)
277 struct radix_node_head *rnh;
279 if (tbl->tbl >= IPFW_TABLES_MAX)
281 rnh = ch->tables[tbl->tbl];
283 rnh->rnh_walktree(rnh, dump_table_entry, tbl);