2005-06-07 04:05:09 +00:00
|
|
|
/* $OpenBSD: bpf.c,v 1.13 2004/05/05 14:28:58 deraadt Exp $ */
|
|
|
|
|
|
|
|
/* BPF socket interface code, originally contributed by Archie Cobbs. */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Copyright (c) 1995, 1996, 1998, 1999
|
|
|
|
* The Internet Software Consortium. All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
*
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. Neither the name of The Internet Software Consortium nor the names
|
|
|
|
* of its contributors may be used to endorse or promote products derived
|
|
|
|
* from this software without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
|
|
|
|
* CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
|
|
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
|
|
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
|
|
* DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
|
|
|
|
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
|
|
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
|
|
|
|
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
|
|
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
|
|
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
|
|
|
|
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
* This software has been written for the Internet Software Consortium
|
|
|
|
* by Ted Lemon <mellon@fugue.com> in cooperation with Vixie
|
|
|
|
* Enterprises. To learn more about the Internet Software Consortium,
|
|
|
|
* see ``http://www.vix.com/isc''. To learn more about Vixie
|
|
|
|
* Enterprises, see ``http://www.vix.com''.
|
|
|
|
*/
|
|
|
|
|
2005-08-23 23:59:55 +00:00
|
|
|
#include <sys/cdefs.h>
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
2005-06-07 04:05:09 +00:00
|
|
|
#include "dhcpd.h"
|
2013-07-03 22:12:54 +00:00
|
|
|
#include "privsep.h"
|
2014-03-16 11:04:44 +00:00
|
|
|
#include <sys/capsicum.h>
|
2005-06-07 04:05:09 +00:00
|
|
|
#include <sys/ioctl.h>
|
|
|
|
#include <sys/uio.h>
|
|
|
|
|
|
|
|
#include <net/bpf.h>
|
|
|
|
#include <netinet/in_systm.h>
|
|
|
|
#include <netinet/ip.h>
|
|
|
|
#include <netinet/udp.h>
|
|
|
|
#include <netinet/if_ether.h>
|
|
|
|
|
|
|
|
#define BPF_FORMAT "/dev/bpf%d"
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Called by get_interface_list for each interface that's discovered.
|
|
|
|
* Opens a packet filter for each interface and adds it to the select
|
|
|
|
* mask.
|
|
|
|
*/
|
|
|
|
int
|
2013-07-03 22:01:52 +00:00
|
|
|
if_register_bpf(struct interface_info *info, int flags)
|
2005-06-07 04:05:09 +00:00
|
|
|
{
|
|
|
|
char filename[50];
|
|
|
|
int sock, b;
|
|
|
|
|
|
|
|
/* Open a BPF device */
|
2013-07-03 22:01:52 +00:00
|
|
|
for (b = 0;; b++) {
|
2005-06-07 04:05:09 +00:00
|
|
|
snprintf(filename, sizeof(filename), BPF_FORMAT, b);
|
2013-07-03 22:01:52 +00:00
|
|
|
sock = open(filename, flags);
|
2005-06-07 04:05:09 +00:00
|
|
|
if (sock < 0) {
|
|
|
|
if (errno == EBUSY)
|
|
|
|
continue;
|
|
|
|
else
|
|
|
|
error("Can't find free bpf: %m");
|
|
|
|
} else
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Set the BPF device to point at this interface. */
|
|
|
|
if (ioctl(sock, BIOCSETIF, info->ifp) < 0)
|
|
|
|
error("Can't attach interface %s to bpf device %s: %m",
|
|
|
|
info->name, filename);
|
|
|
|
|
|
|
|
return (sock);
|
|
|
|
}
|
|
|
|
|
2013-07-03 22:01:52 +00:00
|
|
|
/*
|
|
|
|
* Packet write filter program:
|
|
|
|
* 'ip and udp and src port bootps and dst port (bootps or bootpc)'
|
|
|
|
*/
|
|
|
|
struct bpf_insn dhcp_bpf_wfilter[] = {
|
|
|
|
BPF_STMT(BPF_LD + BPF_B + BPF_IND, 14),
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (IPVERSION << 4) + 5, 0, 12),
|
|
|
|
|
|
|
|
/* Make sure this is an IP packet... */
|
|
|
|
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12),
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_IP, 0, 10),
|
|
|
|
|
|
|
|
/* Make sure it's a UDP packet... */
|
|
|
|
BPF_STMT(BPF_LD + BPF_B + BPF_ABS, 23),
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 8),
|
|
|
|
|
|
|
|
/* Make sure this isn't a fragment... */
|
|
|
|
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 20),
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 6, 0), /* patched */
|
|
|
|
|
|
|
|
/* Get the IP header length... */
|
|
|
|
BPF_STMT(BPF_LDX + BPF_B + BPF_MSH, 14),
|
|
|
|
|
|
|
|
/* Make sure it's from the right port... */
|
|
|
|
BPF_STMT(BPF_LD + BPF_H + BPF_IND, 14),
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 68, 0, 3),
|
|
|
|
|
|
|
|
/* Make sure it is to the right ports ... */
|
|
|
|
BPF_STMT(BPF_LD + BPF_H + BPF_IND, 16),
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 67, 0, 1),
|
|
|
|
|
|
|
|
/* If we passed all the tests, ask for the whole packet. */
|
|
|
|
BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
|
|
|
|
|
|
|
|
/* Otherwise, drop it. */
|
|
|
|
BPF_STMT(BPF_RET+BPF_K, 0),
|
|
|
|
};
|
|
|
|
|
|
|
|
int dhcp_bpf_wfilter_len = sizeof(dhcp_bpf_wfilter) / sizeof(struct bpf_insn);
|
|
|
|
|
2005-06-07 04:05:09 +00:00
|
|
|
void
|
|
|
|
if_register_send(struct interface_info *info)
|
|
|
|
{
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_t rights;
|
2013-07-03 22:01:52 +00:00
|
|
|
struct bpf_version v;
|
|
|
|
struct bpf_program p;
|
2009-10-21 23:50:35 +00:00
|
|
|
int sock, on = 1;
|
|
|
|
|
2013-07-03 22:01:52 +00:00
|
|
|
/* Open a BPF device and hang it on this interface... */
|
|
|
|
info->wfdesc = if_register_bpf(info, O_WRONLY);
|
|
|
|
|
|
|
|
/* Make sure the BPF version is in range... */
|
|
|
|
if (ioctl(info->wfdesc, BIOCVERSION, &v) < 0)
|
|
|
|
error("Can't get BPF version: %m");
|
|
|
|
|
|
|
|
if (v.bv_major != BPF_MAJOR_VERSION ||
|
|
|
|
v.bv_minor < BPF_MINOR_VERSION)
|
|
|
|
error("Kernel BPF version out of range - recompile dhcpd!");
|
|
|
|
|
|
|
|
/* Set up the bpf write filter program structure. */
|
|
|
|
p.bf_len = dhcp_bpf_wfilter_len;
|
|
|
|
p.bf_insns = dhcp_bpf_wfilter;
|
|
|
|
|
|
|
|
if (dhcp_bpf_wfilter[7].k == 0x1fff)
|
|
|
|
dhcp_bpf_wfilter[7].k = htons(IP_MF|IP_OFFMASK);
|
|
|
|
|
|
|
|
if (ioctl(info->wfdesc, BIOCSETWF, &p) < 0)
|
|
|
|
error("Can't install write filter program: %m");
|
|
|
|
|
|
|
|
if (ioctl(info->wfdesc, BIOCLOCK, NULL) < 0)
|
|
|
|
error("Cannot lock bpf");
|
2009-10-21 23:50:35 +00:00
|
|
|
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_init(&rights, CAP_WRITE);
|
|
|
|
if (cap_rights_limit(info->wfdesc, &rights) < 0 && errno != ENOSYS)
|
2013-07-03 22:16:02 +00:00
|
|
|
error("Can't limit bpf descriptor: %m");
|
|
|
|
|
2009-10-21 23:50:35 +00:00
|
|
|
/*
|
|
|
|
* Use raw socket for unicast send.
|
|
|
|
*/
|
|
|
|
if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP)) == -1)
|
|
|
|
error("socket(SOCK_RAW): %m");
|
|
|
|
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on,
|
|
|
|
sizeof(on)) == -1)
|
|
|
|
error("setsockopt(IP_HDRINCL): %m");
|
|
|
|
info->ufdesc = sock;
|
2005-06-07 04:05:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Packet filter program...
|
|
|
|
*
|
|
|
|
* XXX: Changes to the filter program may require changes to the
|
|
|
|
* constant offsets used in if_register_send to patch the BPF program!
|
|
|
|
*/
|
|
|
|
struct bpf_insn dhcp_bpf_filter[] = {
|
|
|
|
/* Make sure this is an IP packet... */
|
|
|
|
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12),
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_IP, 0, 8),
|
|
|
|
|
|
|
|
/* Make sure it's a UDP packet... */
|
|
|
|
BPF_STMT(BPF_LD + BPF_B + BPF_ABS, 23),
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 6),
|
|
|
|
|
|
|
|
/* Make sure this isn't a fragment... */
|
|
|
|
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 20),
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 4, 0),
|
|
|
|
|
|
|
|
/* Get the IP header length... */
|
|
|
|
BPF_STMT(BPF_LDX + BPF_B + BPF_MSH, 14),
|
|
|
|
|
|
|
|
/* Make sure it's to the right port... */
|
|
|
|
BPF_STMT(BPF_LD + BPF_H + BPF_IND, 16),
|
|
|
|
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 67, 0, 1), /* patch */
|
|
|
|
|
|
|
|
/* If we passed all the tests, ask for the whole packet. */
|
|
|
|
BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
|
|
|
|
|
|
|
|
/* Otherwise, drop it. */
|
|
|
|
BPF_STMT(BPF_RET+BPF_K, 0),
|
|
|
|
};
|
|
|
|
|
|
|
|
int dhcp_bpf_filter_len = sizeof(dhcp_bpf_filter) / sizeof(struct bpf_insn);
|
|
|
|
|
|
|
|
void
|
|
|
|
if_register_receive(struct interface_info *info)
|
|
|
|
{
|
2013-07-03 22:16:02 +00:00
|
|
|
static const unsigned long cmds[2] = { SIOCGIFFLAGS, SIOCGIFMEDIA };
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_t rights;
|
2005-06-07 04:05:09 +00:00
|
|
|
struct bpf_version v;
|
|
|
|
struct bpf_program p;
|
|
|
|
int flag = 1, sz;
|
|
|
|
|
|
|
|
/* Open a BPF device and hang it on this interface... */
|
2013-07-03 22:01:52 +00:00
|
|
|
info->rfdesc = if_register_bpf(info, O_RDONLY);
|
2005-06-07 04:05:09 +00:00
|
|
|
|
|
|
|
/* Make sure the BPF version is in range... */
|
|
|
|
if (ioctl(info->rfdesc, BIOCVERSION, &v) < 0)
|
|
|
|
error("Can't get BPF version: %m");
|
|
|
|
|
|
|
|
if (v.bv_major != BPF_MAJOR_VERSION ||
|
|
|
|
v.bv_minor < BPF_MINOR_VERSION)
|
|
|
|
error("Kernel BPF version out of range - recompile dhcpd!");
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Set immediate mode so that reads return as soon as a packet
|
|
|
|
* comes in, rather than waiting for the input buffer to fill
|
|
|
|
* with packets.
|
|
|
|
*/
|
|
|
|
if (ioctl(info->rfdesc, BIOCIMMEDIATE, &flag) < 0)
|
|
|
|
error("Can't set immediate mode on bpf device: %m");
|
|
|
|
|
|
|
|
/* Get the required BPF buffer length from the kernel. */
|
|
|
|
if (ioctl(info->rfdesc, BIOCGBLEN, &sz) < 0)
|
|
|
|
error("Can't get bpf buffer length: %m");
|
|
|
|
info->rbuf_max = sz;
|
|
|
|
info->rbuf = malloc(info->rbuf_max);
|
|
|
|
if (!info->rbuf)
|
|
|
|
error("Can't allocate %lu bytes for bpf input buffer.",
|
|
|
|
(unsigned long)info->rbuf_max);
|
|
|
|
info->rbuf_offset = 0;
|
|
|
|
info->rbuf_len = 0;
|
|
|
|
|
|
|
|
/* Set up the bpf filter program structure. */
|
|
|
|
p.bf_len = dhcp_bpf_filter_len;
|
|
|
|
p.bf_insns = dhcp_bpf_filter;
|
|
|
|
|
|
|
|
/* Patch the server port into the BPF program...
|
|
|
|
*
|
|
|
|
* XXX: changes to filter program may require changes to the
|
|
|
|
* insn number(s) used below!
|
|
|
|
*/
|
|
|
|
dhcp_bpf_filter[8].k = LOCAL_PORT;
|
|
|
|
|
|
|
|
if (ioctl(info->rfdesc, BIOCSETF, &p) < 0)
|
|
|
|
error("Can't install packet filter program: %m");
|
|
|
|
|
|
|
|
if (ioctl(info->rfdesc, BIOCLOCK, NULL) < 0)
|
|
|
|
error("Cannot lock bpf");
|
2013-07-03 22:16:02 +00:00
|
|
|
|
2014-02-06 21:36:14 +00:00
|
|
|
cap_rights_init(&rights, CAP_IOCTL, CAP_EVENT, CAP_READ);
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
if (cap_rights_limit(info->rfdesc, &rights) < 0 && errno != ENOSYS)
|
2013-07-03 22:16:02 +00:00
|
|
|
error("Can't limit bpf descriptor: %m");
|
|
|
|
if (cap_ioctls_limit(info->rfdesc, cmds, 2) < 0 && errno != ENOSYS)
|
|
|
|
error("Can't limit ioctls for bpf descriptor: %m");
|
2005-06-07 04:05:09 +00:00
|
|
|
}
|
|
|
|
|
2013-07-03 21:57:24 +00:00
|
|
|
void
|
2013-07-03 22:12:54 +00:00
|
|
|
send_packet_unpriv(int privfd, struct dhcp_packet *raw, size_t len,
|
|
|
|
struct in_addr from, struct in_addr to)
|
|
|
|
{
|
|
|
|
struct imsg_hdr hdr;
|
|
|
|
struct buf *buf;
|
|
|
|
int errs;
|
|
|
|
|
|
|
|
hdr.code = IMSG_SEND_PACKET;
|
|
|
|
hdr.len = sizeof(hdr) +
|
|
|
|
sizeof(size_t) + len +
|
|
|
|
sizeof(from) + sizeof(to);
|
|
|
|
|
|
|
|
if ((buf = buf_open(hdr.len)) == NULL)
|
|
|
|
error("buf_open: %m");
|
|
|
|
|
|
|
|
errs = 0;
|
|
|
|
errs += buf_add(buf, &hdr, sizeof(hdr));
|
|
|
|
errs += buf_add(buf, &len, sizeof(len));
|
|
|
|
errs += buf_add(buf, raw, len);
|
|
|
|
errs += buf_add(buf, &from, sizeof(from));
|
|
|
|
errs += buf_add(buf, &to, sizeof(to));
|
|
|
|
if (errs)
|
|
|
|
error("buf_add: %m");
|
|
|
|
|
|
|
|
if (buf_close(privfd, buf) == -1)
|
|
|
|
error("buf_close: %m");
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
send_packet_priv(struct interface_info *interface, struct imsg_hdr *hdr, int fd)
|
2005-06-07 04:05:09 +00:00
|
|
|
{
|
|
|
|
unsigned char buf[256];
|
|
|
|
struct iovec iov[2];
|
2009-10-21 23:50:35 +00:00
|
|
|
struct msghdr msg;
|
2013-07-03 22:12:54 +00:00
|
|
|
struct dhcp_packet raw;
|
|
|
|
size_t len;
|
|
|
|
struct in_addr from, to;
|
2005-06-07 04:05:09 +00:00
|
|
|
int result, bufp = 0;
|
|
|
|
|
2013-07-03 22:12:54 +00:00
|
|
|
if (hdr->len < sizeof(*hdr) + sizeof(size_t))
|
|
|
|
error("corrupted message received");
|
|
|
|
buf_read(fd, &len, sizeof(len));
|
|
|
|
if (hdr->len != sizeof(*hdr) + sizeof(size_t) + len +
|
|
|
|
sizeof(from) + sizeof(to)) {
|
|
|
|
error("corrupted message received");
|
|
|
|
}
|
|
|
|
if (len > sizeof(raw))
|
|
|
|
error("corrupted message received");
|
|
|
|
buf_read(fd, &raw, len);
|
|
|
|
buf_read(fd, &from, sizeof(from));
|
|
|
|
buf_read(fd, &to, sizeof(to));
|
|
|
|
|
2005-06-07 04:05:09 +00:00
|
|
|
/* Assemble the headers... */
|
2013-07-03 21:53:54 +00:00
|
|
|
if (to.s_addr == INADDR_BROADCAST)
|
2013-07-03 21:49:10 +00:00
|
|
|
assemble_hw_header(interface, buf, &bufp);
|
2013-07-03 21:53:54 +00:00
|
|
|
assemble_udp_ip_header(buf, &bufp, from.s_addr, to.s_addr,
|
2013-07-03 22:12:54 +00:00
|
|
|
htons(REMOTE_PORT), (unsigned char *)&raw, len);
|
2005-06-07 04:05:09 +00:00
|
|
|
|
2013-07-03 21:58:26 +00:00
|
|
|
iov[0].iov_base = buf;
|
2005-06-07 04:05:09 +00:00
|
|
|
iov[0].iov_len = bufp;
|
2013-07-03 22:12:54 +00:00
|
|
|
iov[1].iov_base = &raw;
|
2005-06-07 04:05:09 +00:00
|
|
|
iov[1].iov_len = len;
|
|
|
|
|
2009-10-21 23:50:35 +00:00
|
|
|
/* Fire it off */
|
2013-07-03 21:53:54 +00:00
|
|
|
if (to.s_addr == INADDR_BROADCAST)
|
2009-10-21 23:50:35 +00:00
|
|
|
result = writev(interface->wfdesc, iov, 2);
|
|
|
|
else {
|
2013-07-03 21:53:54 +00:00
|
|
|
struct sockaddr_in sato;
|
|
|
|
|
|
|
|
sato.sin_addr = to;
|
|
|
|
sato.sin_port = htons(REMOTE_PORT);
|
|
|
|
sato.sin_family = AF_INET;
|
|
|
|
sato.sin_len = sizeof(sato);
|
|
|
|
|
2009-10-21 23:50:35 +00:00
|
|
|
memset(&msg, 0, sizeof(msg));
|
2013-07-03 21:53:54 +00:00
|
|
|
msg.msg_name = (struct sockaddr *)&sato;
|
|
|
|
msg.msg_namelen = sizeof(sato);
|
2009-10-21 23:50:35 +00:00
|
|
|
msg.msg_iov = iov;
|
|
|
|
msg.msg_iovlen = 2;
|
|
|
|
result = sendmsg(interface->ufdesc, &msg, 0);
|
|
|
|
}
|
|
|
|
|
2005-06-07 04:05:09 +00:00
|
|
|
if (result < 0)
|
|
|
|
warning("send_packet: %m");
|
|
|
|
}
|
|
|
|
|
|
|
|
ssize_t
|
|
|
|
receive_packet(struct interface_info *interface, unsigned char *buf,
|
|
|
|
size_t len, struct sockaddr_in *from, struct hardware *hfrom)
|
|
|
|
{
|
|
|
|
int length = 0, offset = 0;
|
|
|
|
struct bpf_hdr hdr;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* All this complexity is because BPF doesn't guarantee that
|
|
|
|
* only one packet will be returned at a time. We're getting
|
|
|
|
* what we deserve, though - this is a terrible abuse of the BPF
|
|
|
|
* interface. Sigh.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Process packets until we get one we can return or until we've
|
|
|
|
* done a read and gotten nothing we can return...
|
|
|
|
*/
|
|
|
|
do {
|
|
|
|
/* If the buffer is empty, fill it. */
|
2006-09-26 01:02:02 +00:00
|
|
|
if (interface->rbuf_offset >= interface->rbuf_len) {
|
2005-06-07 04:05:09 +00:00
|
|
|
length = read(interface->rfdesc, interface->rbuf,
|
|
|
|
interface->rbuf_max);
|
|
|
|
if (length <= 0)
|
|
|
|
return (length);
|
|
|
|
interface->rbuf_offset = 0;
|
|
|
|
interface->rbuf_len = length;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If there isn't room for a whole bpf header, something
|
|
|
|
* went wrong, but we'll ignore it and hope it goes
|
|
|
|
* away... XXX
|
|
|
|
*/
|
|
|
|
if (interface->rbuf_len - interface->rbuf_offset <
|
|
|
|
sizeof(hdr)) {
|
|
|
|
interface->rbuf_offset = interface->rbuf_len;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Copy out a bpf header... */
|
|
|
|
memcpy(&hdr, &interface->rbuf[interface->rbuf_offset],
|
|
|
|
sizeof(hdr));
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If the bpf header plus data doesn't fit in what's
|
|
|
|
* left of the buffer, stick head in sand yet again...
|
|
|
|
*/
|
|
|
|
if (interface->rbuf_offset + hdr.bh_hdrlen + hdr.bh_caplen >
|
|
|
|
interface->rbuf_len) {
|
|
|
|
interface->rbuf_offset = interface->rbuf_len;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2005-07-27 19:25:46 +00:00
|
|
|
/* Skip over the BPF header... */
|
|
|
|
interface->rbuf_offset += hdr.bh_hdrlen;
|
|
|
|
|
2005-06-07 04:05:09 +00:00
|
|
|
/*
|
|
|
|
* If the captured data wasn't the whole packet, or if
|
|
|
|
* the packet won't fit in the input buffer, all we can
|
|
|
|
* do is drop it.
|
|
|
|
*/
|
|
|
|
if (hdr.bh_caplen != hdr.bh_datalen) {
|
2005-07-28 15:30:19 +00:00
|
|
|
interface->rbuf_offset =
|
|
|
|
BPF_WORDALIGN(interface->rbuf_offset +
|
|
|
|
hdr.bh_caplen);
|
2005-06-07 04:05:09 +00:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Decode the physical header... */
|
|
|
|
offset = decode_hw_header(interface->rbuf,
|
|
|
|
interface->rbuf_offset, hfrom);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If a physical layer checksum failed (dunno of any
|
|
|
|
* physical layer that supports this, but WTH), skip
|
|
|
|
* this packet.
|
|
|
|
*/
|
|
|
|
if (offset < 0) {
|
2005-07-28 15:30:19 +00:00
|
|
|
interface->rbuf_offset =
|
|
|
|
BPF_WORDALIGN(interface->rbuf_offset +
|
|
|
|
hdr.bh_caplen);
|
2005-06-07 04:05:09 +00:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
interface->rbuf_offset += offset;
|
|
|
|
hdr.bh_caplen -= offset;
|
|
|
|
|
|
|
|
/* Decode the IP and UDP headers... */
|
|
|
|
offset = decode_udp_ip_header(interface->rbuf,
|
|
|
|
interface->rbuf_offset, from, NULL, hdr.bh_caplen);
|
|
|
|
|
|
|
|
/* If the IP or UDP checksum was bad, skip the packet... */
|
|
|
|
if (offset < 0) {
|
2005-07-28 15:30:19 +00:00
|
|
|
interface->rbuf_offset =
|
|
|
|
BPF_WORDALIGN(interface->rbuf_offset +
|
|
|
|
hdr.bh_caplen);
|
2005-06-07 04:05:09 +00:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
interface->rbuf_offset += offset;
|
|
|
|
hdr.bh_caplen -= offset;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If there's not enough room to stash the packet data,
|
|
|
|
* we have to skip it (this shouldn't happen in real
|
|
|
|
* life, though).
|
|
|
|
*/
|
|
|
|
if (hdr.bh_caplen > len) {
|
2005-07-28 15:30:19 +00:00
|
|
|
interface->rbuf_offset =
|
|
|
|
BPF_WORDALIGN(interface->rbuf_offset +
|
|
|
|
hdr.bh_caplen);
|
2005-06-07 04:05:09 +00:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Copy out the data in the packet... */
|
|
|
|
memcpy(buf, interface->rbuf + interface->rbuf_offset,
|
|
|
|
hdr.bh_caplen);
|
2005-07-28 15:30:19 +00:00
|
|
|
interface->rbuf_offset =
|
|
|
|
BPF_WORDALIGN(interface->rbuf_offset +
|
|
|
|
hdr.bh_caplen);
|
2005-06-07 04:05:09 +00:00
|
|
|
return (hdr.bh_caplen);
|
|
|
|
} while (!length);
|
|
|
|
return (0);
|
|
|
|
}
|