/*-
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
*
* Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
/*
* Logging support for ipfw
*/
#include "opt_ipfw.h"
#include "opt_inet.h"
#ifndef INET
#error IPFIREWALL requires INET.
#endif /* INET */
#include "opt_inet6.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/mbuf.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <sys/syslog.h>
#include <net/ethernet.h> /* for ETHERTYPE_IP */
#include <net/if.h>
#include <net/if_var.h>
#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_var.h>
#include <netinet/ip_fw.h>
#include <netinet/tcp_var.h>
#include <netinet/udp.h>
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
#ifdef INET6
#include <netinet6/in6_var.h> /* ip6_sprintf() */
#endif
#include <netpfil/ipfw/ip_fw_private.h>
#ifdef MAC
#include <security/mac/mac_framework.h>
#endif
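/*
 * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T
 * Other macros just cast void * into the appropriate type
 */
#define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
#define TCP(p) ((struct tcphdr *)(p))
#define SCTP(p) ((struct sctphdr *)(p))
#define UDP(p) ((struct udphdr *)(p))
#define ICMP(p) ((struct icmphdr *)(p))
#define ICMP6(p) ((struct icmp6_hdr *)(p))

/*
 * SNPARGS(buf, len) expands to the (dst, size) argument pair for an
 * snprintf() that appends at offset len into the fixed-size array buf.
 * Once len has reached sizeof(buf) the size argument collapses to 0, so
 * a chain of "len = snprintf(SNPARGS(buf, 0), ...); snprintf(SNPARGS(buf,
 * len), ...)" can never write past the array even when an earlier call
 * truncated.  SNP(buf) is the same pair for offset 0.  buf must be a real
 * array, not a pointer, because sizeof(buf) is taken.  Every argument is
 * parenthesized so that an expression passed as len is not re-associated
 * with the surrounding "+" or ">".
 *
 * On __APPLE__ snprintf() is mapped to sprintf() and the size argument is
 * dropped, so on that platform the writes into the action2/proto/fragment
 * buffers of ipfw_log() are no longer bounded by the buffer size; any
 * change to those format strings or buffer sizes must keep them in step.
 */
#ifdef __APPLE__
#undef snprintf
#define snprintf sprintf
#define SNPARGS(buf, len) (buf) + (len)
#define SNP(buf) buf
#else /* !__APPLE__ */
#define SNPARGS(buf, len) \
	(buf) + (len), sizeof(buf) > (len) ? sizeof(buf) - (len) : 0
#define SNP(buf) buf, sizeof(buf)
#endif /* !__APPLE__ */

/*
 * Shorthand for IP_FW_ARG_TABLEARG() on the "chain" variable in scope at
 * the point of use; f names the value field being resolved (ipfw_log()
 * uses divert, fib, pipe and skipto).
 */
#define TARG(k, f) IP_FW_ARG_TABLEARG(chain, k, f)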
/*
* We enter here when we have a rule with O_LOG.
* XXX this function alone takes about 2Kbytes of code!
*/
void
ipfw_log(struct ip_fw_chain *chain, struct ip_fw *f, u_int hlen,
struct ip_fw_args *args, u_short offset, uint32_t tablearg, struct ip *ip)
{
char *action;
int limit_reached = 0;
char action2[92], proto[128], fragment[32];
if (V_fw_verbose == 0) {
if (args->flags & IPFW_ARGS_LENMASK)
ipfw_bpf_tap(args->mem, IPFW_ARGS_LENGTH(args->flags));
else if (args->flags & IPFW_ARGS_ETHER)
/* layer2, use orig hdr */
ipfw_bpf_mtap(args->m);
else {
/* Add fake header. Later we will store
* more info in the header.
*/
if (ip->ip_v == 4)
ipfw_bpf_mtap2("DDDDDDSSSSSS\x08\x00",
ETHER_HDR_LEN, args->m);
else if (ip->ip_v == 6)
ipfw_bpf_mtap2("DDDDDDSSSSSS\x86\xdd",
ETHER_HDR_LEN, args->m);
else
/* Obviously bogus EtherType. */
ipfw_bpf_mtap2("DDDDDDSSSSSS\xff\xff",
ETHER_HDR_LEN, args->m);
}
return;
}
/* the old 'log' function */
fragment[0] = '\0';
proto[0] = '\0';
if (f == NULL) { /* bogus pkt */
if (V_verbose_limit != 0 && V_norule_counter >= V_verbose_limit)
return;
V_norule_counter++;
if (V_norule_counter == V_verbose_limit)
limit_reached = V_verbose_limit;
action = "Refuse";
} else { /* O_LOG is the first action, find the real one */
ipfw_insn *cmd = ACTION_PTR(f);
ipfw_insn_log *l = (ipfw_insn_log *)cmd;
if (l->max_log != 0 && l->log_left == 0)
return;
l->log_left--;
if (l->log_left == 0)
limit_reached = l->max_log;
cmd += F_LEN(cmd); /* point to first action */
if (cmd->opcode == O_ALTQ) {
ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
snprintf(SNPARGS(action2, 0), "Altq %d",
altq->qid);
cmd += F_LEN(cmd);
}
if (cmd->opcode == O_PROB || cmd->opcode == O_TAG ||
cmd->opcode == O_SETDSCP)
cmd += F_LEN(cmd);
action = action2;
switch (cmd->opcode) {
case O_DENY:
action = "Deny";
break;
case O_REJECT:
if (cmd->arg1==ICMP_REJECT_RST)
action = "Reset";
else if (cmd->arg1==ICMP_REJECT_ABORT)
action = "Abort";
else if (cmd->arg1==ICMP_UNREACH_HOST)
action = "Reject";
else
snprintf(SNPARGS(action2, 0), "Unreach %d",
cmd->arg1);
break;
case O_UNREACH6:
if (cmd->arg1==ICMP6_UNREACH_RST)
action = "Reset";
else if (cmd->arg1==ICMP6_UNREACH_ABORT)
action = "Abort";
else
snprintf(SNPARGS(action2, 0), "Unreach %d",
cmd->arg1);
break;
case O_ACCEPT:
action = "Accept";
break;
case O_COUNT:
action = "Count";
break;
case O_DIVERT:
snprintf(SNPARGS(action2, 0), "Divert %d",
TARG(cmd->arg1, divert));
break;
case O_TEE:
snprintf(SNPARGS(action2, 0), "Tee %d",
TARG(cmd->arg1, divert));
break;
case O_SETFIB:
snprintf(SNPARGS(action2, 0), "SetFib %d",
TARG(cmd->arg1, fib) & 0x7FFF);
break;
case O_SKIPTO:
snprintf(SNPARGS(action2, 0), "SkipTo %d",
TARG(cmd->arg1, skipto));
break;
case O_PIPE:
snprintf(SNPARGS(action2, 0), "Pipe %d",
TARG(cmd->arg1, pipe));
break;
case O_QUEUE:
snprintf(SNPARGS(action2, 0), "Queue %d",
TARG(cmd->arg1, pipe));
break;
case O_FORWARD_IP: {
char buf[INET_ADDRSTRLEN];
ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd;
int len;
struct in_addr dummyaddr;
if (sa->sa.sin_addr.s_addr == INADDR_ANY)
dummyaddr.s_addr = htonl(tablearg);
else
dummyaddr.s_addr = sa->sa.sin_addr.s_addr;
len = snprintf(SNPARGS(action2, 0), "Forward to %s",
inet_ntoa_r(dummyaddr, buf));
if (sa->sa.sin_port)
snprintf(SNPARGS(action2, len), ":%d",
sa->sa.sin_port);
}
break;
#ifdef INET6
case O_FORWARD_IP6: {
char buf[INET6_ADDRSTRLEN];
ipfw_insn_sa6 *sa = (ipfw_insn_sa6 *)cmd;
int len;
len = snprintf(SNPARGS(action2, 0), "Forward to [%s]",
ip6_sprintf(buf, &sa->sa.sin6_addr));
if (sa->sa.sin6_port)
snprintf(SNPARGS(action2, len), ":%u",
sa->sa.sin6_port);
}
break;
#endif
case O_NETGRAPH:
snprintf(SNPARGS(action2, 0), "Netgraph %d",
cmd->arg1);
break;
case O_NGTEE:
snprintf(SNPARGS(action2, 0), "Ngtee %d",
cmd->arg1);
break;
case O_NAT:
action = "Nat";
break;
case O_REASS:
action = "Reass";
break;
case O_CALLRETURN:
if (cmd->len & F_NOT)
action = "Return";
else
snprintf(SNPARGS(action2, 0), "Call %d",
cmd->arg1);
break;
case O_EXTERNAL_ACTION:
snprintf(SNPARGS(action2, 0), "Eaction %s",
((struct named_object *)SRV_OBJECT(chain,
cmd->arg1))->name);
break;
default:
action = "UNKNOWN";
break;
}
}
if (hlen == 0) { /* non-ip */
snprintf(SNPARGS(proto, 0), "MAC");
} else {
int len;
#ifdef INET6
char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2];
#else
char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
#endif
struct icmphdr *icmp;
struct tcphdr *tcp;
struct udphdr *udp;
#ifdef INET6
struct ip6_hdr *ip6 = NULL;
struct icmp6_hdr *icmp6;
u_short ip6f_mf;
#endif
src[0] = '\0';
dst[0] = '\0';
#ifdef INET6
ip6f_mf = offset & IP6F_MORE_FRAG;
offset &= IP6F_OFF_MASK;
if (IS_IP6_FLOW_ID(&(args->f_id))) {
char ip6buf[INET6_ADDRSTRLEN];
snprintf(src, sizeof(src), "[%s]",
ip6_sprintf(ip6buf, &args->f_id.src_ip6));
snprintf(dst, sizeof(dst), "[%s]",
ip6_sprintf(ip6buf, &args->f_id.dst_ip6));
ip6 = (struct ip6_hdr *)ip;
tcp = (struct tcphdr *)(((char *)ip) + hlen);
udp = (struct udphdr *)(((char *)ip) + hlen);
} else
#endif
{
tcp = L3HDR(struct tcphdr, ip);
udp = L3HDR(struct udphdr, ip);
inet_ntop(AF_INET, &ip->ip_src, src, sizeof(src));
inet_ntop(AF_INET, &ip->ip_dst, dst, sizeof(dst));
}
switch (args->f_id.proto) {
case IPPROTO_TCP:
len = snprintf(SNPARGS(proto, 0), "TCP %s", src);
if (offset == 0)
snprintf(SNPARGS(proto, len), ":%d %s:%d",
ntohs(tcp->th_sport),
dst,
ntohs(tcp->th_dport));
else
snprintf(SNPARGS(proto, len), " %s", dst);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
len = snprintf(SNPARGS(proto, 0), "UDP%s%s",
args->f_id.proto == IPPROTO_UDP ? " ": "Lite ",
src);
if (offset == 0)
snprintf(SNPARGS(proto, len), ":%d %s:%d",
ntohs(udp->uh_sport),
dst,
ntohs(udp->uh_dport));
else
snprintf(SNPARGS(proto, len), " %s", dst);
break;
case IPPROTO_ICMP:
icmp = L3HDR(struct icmphdr, ip);
if (offset == 0)
len = snprintf(SNPARGS(proto, 0),
"ICMP:%u.%u ",
icmp->icmp_type, icmp->icmp_code);
else
len = snprintf(SNPARGS(proto, 0), "ICMP ");
len += snprintf(SNPARGS(proto, len), "%s", src);
snprintf(SNPARGS(proto, len), " %s", dst);
break;
#ifdef INET6
case IPPROTO_ICMPV6:
icmp6 = (struct icmp6_hdr *)(((char *)ip) + hlen);
if (offset == 0)
len = snprintf(SNPARGS(proto, 0),
"ICMPv6:%u.%u ",
icmp6->icmp6_type, icmp6->icmp6_code);
else
len = snprintf(SNPARGS(proto, 0), "ICMPv6 ");
len += snprintf(SNPARGS(proto, len), "%s", src);
snprintf(SNPARGS(proto, len), " %s", dst);
break;
#endif
default:
len = snprintf(SNPARGS(proto, 0), "P:%d %s",
args->f_id.proto, src);
snprintf(SNPARGS(proto, len), " %s", dst);
break;
}
#ifdef INET6
if (IS_IP6_FLOW_ID(&(args->f_id))) {
if (offset || ip6f_mf)
snprintf(SNPARGS(fragment, 0),
" (frag %08x:%d@%d%s)",
args->f_id.extra,
ntohs(ip6->ip6_plen) - hlen,
ntohs(offset) << 3, ip6f_mf ? "+" : "");
} else
#endif
{
int ipoff, iplen;
ipoff = ntohs(ip->ip_off);
iplen = ntohs(ip->ip_len);
if (ipoff & (IP_MF | IP_OFFMASK))
snprintf(SNPARGS(fragment, 0),
" (frag %d:%d@%d%s)",
ntohs(ip->ip_id), iplen - (ip->ip_hl << 2),
offset << 3,
(ipoff & IP_MF) ? "+" : "");
}
}
#ifdef __FreeBSD__
log(LOG_SECURITY | LOG_INFO, "ipfw: %d %s %s %s via %s%s\n",
f ? f->rulenum : -1, action, proto,
args->flags & IPFW_ARGS_OUT ? "out" : "in", args->ifp->if_xname,
fragment);
#else
log(LOG_SECURITY | LOG_INFO, "ipfw: %d %s %s [no if info]%s\n",
f ? f->rulenum : -1, action, proto, fragment);
#endif
if (limit_reached)
log(LOG_SECURITY | LOG_NOTICE,
"ipfw: limit %d reached on entry %d\n",
limit_reached, f ? f->rulenum : -1);
}
/* end of file */