Commit Graph

190 Commits

Author SHA1 Message Date
Ian Dowse
ed1a13b18f Bridged packets are supplied to the firewall with their IP header
in network byte order, but icmp_error() expects the IP header to
be in host order and the code here did not perform the necessary
swapping for the bridged case. This bug causes an "icmp_error: bad
length" panic when certain length IP packets (e.g. ip_len == 0x100)
are rejected by the firewall with an ICMP response.

MFC after:	3 days
2002-12-27 17:43:25 +00:00
Bosko Milekic
86fea6be59 o Untangle the confusion with the malloc flags {M_WAITOK, M_NOWAIT} and
the mbuf allocator flags {M_TRYWAIT, M_DONTWAIT}.
o Fix a bpf_compat issue where malloc() was defined to just call
  bpf_alloc() and pass the 'canwait' flag(s) along.  It's been changed
  to call bpf_alloc() but pass the corresponding M_TRYWAIT or M_DONTWAIT
  flag (and only one of those two).

Submitted by: Hiten Pandya <hiten@unixdaemons.com> (hiten->commit_count++)
2002-12-19 22:58:27 +00:00
Luigi Rizzo
2b25acc158 Remove (almost all) global variables that were used to hold
packet forwarding state ("annotations") during ip processing.
The code is considerably cleaner now.

The variables removed by this change are:

        ip_divert_cookie        used by divert sockets
        ip_fw_fwd_addr          used for transparent ip redirection
        last_pkt                used by dynamic pipes in dummynet

Removal of the first two has been done by carrying the annotations
into volatile structs prepended to the mbuf chains, and adding
appropriate code to add/remove annotations in the routines which
make use of them, i.e. ip_input(), ip_output(), tcp_input(),
bdg_forward(), ether_demux(), ether_output_frame(), div_output().

On passing, remove a bug in divert handling of fragmented packet.
Now it is the fragment at offset 0 which sets the divert status of
the whole packet, whereas formerly it was the last incoming fragment
to decide.

Removal of last_pkt required a change in the interface of ip_fw_chk()
and dummynet_io(). On passing, use the same mechanism for dummynet
annotations and for divert/forward annotations.

option IPFIREWALL_FORWARD is effectively useless, the code to
implement it is very small and is now in by default to avoid the
obfuscation of conditionally compiled code.

NOTES:
 * there is at least one global variable left, sro_fwd, in ip_output().
   I am not sure if/how this can be removed.

 * I have deliberately avoided gratuitous style changes in this commit
   to avoid cluttering the diffs. Minor stule cleanup will likely be
   necessary

 * this commit only focused on the IP layer. I am sure there is a
   number of global variables used in the TCP and maybe UDP stack.

 * despite the number of files touched, there are absolutely no API's
   or data structures changed by this commit (except the interfaces of
   ip_fw_chk() and dummynet_io(), which are internal anyways), so
   an MFC is quite safe and unintrusive (and desirable, given the
   improved readability of the code).

MFC after: 10 days
2002-06-22 11:51:02 +00:00
Luigi Rizzo
2f8707ca5d Remove custom definitions (IP_FW_TCPF_SYN etc.) of TCP header flags
which are the same as the original ones (TH_SYN etc.)
2002-05-13 10:21:13 +00:00
Luigi Rizzo
201efb1913 Add code to match MAC header fields (at the moment supported on
bridged packets only, soon to come also for packets on ordinary
ether_input() and ether_output() paths. The syntax is

    ipfw add <action> MAC dst src type

where dst and src can be "any" or a MAC address optionallyfollowed
by a mask, e.g.

	10:20:30:40:50
	10:20:30:40:50/32
	10:20:30:40:50&ff:ff:ff:f0:ff:0f

and type can be a single ethernet type, a range, or a type followed by
a mask (values are always in hexadecimal) e.g.

	0800
	0800-0806
	0800/8
	0800&03ff

Note, I am still uncertain on what is the best format for inputting
these values, having the values in hexadecimal is convenient in most
cases but can be confusing sometimes. Suggestions welcome.

Implement suggestion from PR 37778 to allow "not me" on destination
and source IP. The code in the PR was slightly wrong and interfered
with the normal handling of IP addresses. This version hopefully is
correct.

Minor cleanup of the code, in some places moving the indentation to 4
spaces because the code was becoming too deep. Eventually, in a
separate commit, I will move the whole file to 4 space indent.
2002-05-12 20:43:50 +00:00
Luigi Rizzo
d60315bef5 Cleanup the interface to ip_fw_chk, two of the input arguments
were totally useless and have been removed.

ip_input.c, ip_output.c:
    Properly initialize the "ip" pointer in case the firewall does an
    m_pullup() on the packet.

    Remove some debugging code forgotten long ago.

ip_fw.[ch], bridge.c:
    Prepare the grounds for matching MAC header fields in bridged packets,
    so we can have 'etherfw' functionality without a lot of kernel and
    userland bloat.
2002-05-09 10:34:57 +00:00
Crist J. Clark
0f56b10c4b Enlighten those who read the FINE POINTS of the documentation a bit
more on how ipfw(8) deals with tiny fragments. While we're at it, add
a quick log message to even let people know we dropped a packet. (Note
that the second FINE POINT is somewhat redundant given the first, but
since the code is there, leave the docs for it.)

MFC after:	1 day
2002-05-01 06:29:16 +00:00
John Baldwin
a854ed9893 Simple p_ucred -> td_ucred changes to start using the per-thread ucred
reference.
2002-02-27 18:32:23 +00:00
Luigi Rizzo
ca462bcfcb BUGFIX: make use of the pointer to the target of skipto rules,
so that after the first time we can follow the pointer instead
of having to scan the list.
This was the intended behaviour from day one.

PR: 34639
MFC-after: 3 days
2002-02-20 17:15:57 +00:00
Mike Barcroft
fd8e4ebc8c o Move NTOHL() and associated macros into <sys/param.h>. These are
deprecated in favor of the POSIX-defined lowercase variants.
o Change all occurrences of NTOHL() and associated marcros in the
  source tree to use the lowercase function variants.
o Add missing license bits to sparc64's <machine/endian.h>.
  Approved by: jake
o Clean up <machine/endian.h> files.
o Remove unused __uint16_swap_uint32() from i386's <machine/endian.h>.
o Remove prototypes for non-existent bswapXX() functions.
o Include <machine/endian.h> in <arpa/inet.h> to define the
  POSIX-required ntohl() family of functions.
o Do similar things to expose the ntohl() family in libstand, <netinet/in.h>,
  and <sys/param.h>.
o Prepend underscores to the ntohl() family to help deal with
  complexities associated with having MD (asm and inline) versions, and
  having to prevent exposure of these functions in other headers that
  happen to make use of endian-specific defines.
o Create weak aliases to the canonical function name to help deal with
  third-party software forgetting to include an appropriate header.
o Remove some now unneeded pollution from <sys/types.h>.
o Add missing <arpa/inet.h> includes in userland.

Tested on:	alpha, i386
Reviewed by:	bde, jake, tmm
2002-02-18 20:35:27 +00:00
Dima Dorfman
364efeccb0 Silence unused variable warning in the !KLD_MODULE case.
Submitted by:	archie
2002-02-10 22:22:05 +00:00
Crist J. Clark
db38d34abb Fix a missing "ipfw:" in a syslog message.
MFC after:	1 day
2002-01-07 07:12:09 +00:00
Yaroslav Tykhiy
37b5d6e33d Implement matching IP precedence in ipfw(4).
Submitted by:	Igor Timkin <ivt@gamma.ru>
2001-12-21 18:43:02 +00:00
Jonathan Lemon
f8b6a631a2 minor whitespace fixes. 2001-12-14 19:32:00 +00:00
Dima Dorfman
3a33b1b3b7 ipfw_modevent(): Don't use an unnatural block to define a variable
(fcp) that's already defined in the outer block and isn't used
anywhere else.  This silences -Wunused.

Reviewed by:	md5(1)
2001-11-27 20:32:47 +00:00
Dima Dorfman
e8d41815df Remove debugging printfs that weren't conditional on any debugging
options in handling MOD_{UN,}LOAD (they weren't very useful, anyway).
2001-11-27 20:28:48 +00:00
Luigi Rizzo
7b109fa404 MFS: sync the ipfw/dummynet/bridge code with the one recently merged
into stable (mostly , but not only, formatting and comments changes).
2001-11-04 22:56:25 +00:00
Paul Saab
4787fd37af Only allow users to see their own socket connections if
kern.ipc.showallsockets is set to 0.

Submitted by:	billf (with modifications by me)
Inspired by:	Dave McKay (aka pm aka Packet Magnet)
Reviewed by:	peter
MFC after:	2 weeks
2001-10-05 07:06:32 +00:00
Paul Saab
db69a05dce Make it so dummynet and bridge can be loaded as modules.
Submitted by:	billf
2001-10-05 05:45:27 +00:00
Luigi Rizzo
cc33247e33 Fix a problem with unnumbered rules introduced in latest commit.
Reported by: des
2001-10-01 17:35:54 +00:00
Luigi Rizzo
830cc17841 Two main changes here:
+ implement "limit" rules, which permit to limit the number of sessions
   between certain host pairs (according to masks). These are a special
   type of stateful rules, which might be of interest in some cases.
   See the ipfw manpage for details.

 + merge the list pointers and ipfw rule descriptors in the kernel, so
   the code is smaller, faster and more readable. This patch basically
   consists in replacing "foo->rule->bar" with "rule->bar" all over
   the place.
   I have been willing to do this for ages!

MFC after: 1 week
2001-09-27 23:44:27 +00:00
Robert Watson
785f9ffca3 o Modify IPFW and DUMMYNET administrative setsockopt() calls to use
securelevel_gt() to check the securelevel, rather than direct access
  to the securelevel variable.

Obtained from:	TrustedBSD Project
2001-09-26 19:58:29 +00:00
Luigi Rizzo
078156d09d Fix a null pointer dereference introduced in the last commit, plus
remove a useless assignment and move a comment.

Submitted by: Thomas Moestl
2001-09-24 05:24:19 +00:00
Luigi Rizzo
32f967a3c0 A bunch of minor changes to the code (see below) for readability, code size
and speed. No new functionality added (yet) apart from a bugfix.
MFC will occur in due time and probably in stages.

BUGFIX: fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (there is a PR on this).

OTHER CHANGES: minor changes to the internal struct for static and dynamic rules.
Requires rebuild of ipfw binary.

Add comments to show how data structures are linked together.
(It probably makes no sense to keep the chain pointers separate
from actual rule descriptors. They will be hopefully merged soon.

keep a (sysctl-readable) counter for the number of static rules,
to speed up IP_FW_GET operations

initial support for a "grace time" for expired connections, so we
can set timeouts for closing connections to much shorter times.

merge zero_entry() and resetlog_entry(), they use basically the
same code.

clean up and reduce replication of code for removing rules,
both for readability and code size.

introduce a separate lifetime for dynamic UDP rules.

fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (PR ...)

restructure dynamic rule descriptors

introduce some local variables to avoid multiple dereferencing of
pointer chains (reduces code size and hopefully increases speed).
2001-09-20 13:52:49 +00:00
Bill Fumerola
52cf11d8a1 the IP_FW_GET code in ip_fw_ctl() sizes a buffer to hold information
about rules and dynamic rules. it later fills this buffer with these
rules.

it also takes the opporunity to compare the expiration of the dynamic
rules with the current time and either marks them for deletion or simply
charges the countdown.

unfortunatly it does this all (the sizing, the buffer copying, and the
expiration GC) with no spl protection whatsoever. it was possible for
the dynamic rule(s) to be ripped out from under the request before it
had completed, resulting in corrupt memory dereferencing.

Reviewed by:	ps
MFC before:	4.4-RELEASE, hopefully.
2001-08-26 10:09:47 +00:00
Crist J. Clark
92a99815a8 While in there fixing a fragment logging bug, fix it so we log
fragments "right." Log fragment information tcpdump(8)-style,

   Jul  1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP:8.0 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:1480@0+)

That is, instead of the old,

  ... Fragment = <offset/8>

Do,

  ... (frag <IP ID>:<data len>@<offset>[+])

PR:		kern/23446
Approved by:	ru
MFC after:	1 week
2001-07-02 15:50:31 +00:00
Bill Fumerola
0901f62e11 pipe/queue are the only consumers of flow_id, so only set it in those cases 2001-04-06 06:52:25 +00:00
Hidetoshi Shimokawa
110a013333 Replace dyn_fin_lifetime with dyn_ack_lifetime for half-closed state.
Half-closed state could last long for some connections and fin_lifetime
(default 20sec) is too short for that.

OK'ed by: luigi
2001-03-27 05:28:30 +00:00
Paul Richards
1789d85615 Only flush rules that have a rule number above that set by a new
sysctl, net.inet.ip.fw.permanent_rules.

This allows you to install rules that are persistent across flushes,
which is very useful if you want a default set of rules that
maintains your access to remote machines while you're reconfiguring
the other rules.

Reviewed by:	Mark Murray <markm@FreeBSD.org>
2001-03-21 08:19:31 +00:00
Jonathan Lemon
32676c2d1f The TCP sequence number used for sending a RST with the ipfw reset rule
is already in host byte order, so do not swap it again.

Reviewed by:	bfumerola
2001-03-09 08:13:08 +00:00
Bill Fumerola
2a6cb8804e The TCP header-specific section suffered a little bit of bitrot recently:
When we recieve a fragmented TCP packet (other than the first) we can't
extract header information (we don't have state to reference). In a rather
unelegant fashion we just move on and assume a non-match.

Recent additions to the TCP header-specific section of the code neglected
to add the logic to the fragment code so in those cases the match was
assumed to be positive and those parts of the rule (which should have
resulted in a non-match/continue) were instead skipped (which means
the processing of the rule continued even though it had already not
matched).

Fault can be spread out over Rich Steenbergen (tcpoptions) and myself
(tcp{seq,ack,win}).

rwatson sent me a patch that got me thinking about this whole situation
(but what I'm committing / this description is mine so don't blame him).
2001-02-27 10:20:44 +00:00
Jonathan Lemon
7c45cb9bca Clean up warning. 2001-02-15 22:32:06 +00:00
Poul-Henning Kamp
bb07ec8c84 Introduce a new feature in IPFW: Check of the source or destination
address is configured on a interface.  This is useful for routers with
dynamic interfaces.  It is now possible to say:

        0100 allow       tcp from any to any established
        0200 skipto 1000 tcp from any to any
        0300 allow       ip from any to any
        1000 allow       tcp from 1.2.3.4 to me 22
        1010 deny        tcp from any to me 22
        1020 allow       tcp from any to any

and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.

The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
2001-02-13 14:12:37 +00:00
Luigi Rizzo
7e1cd0d23d Sync with the bridge/dummynet/ipfw code already tested in stable.
In ip_fw.[ch] change a couple of variable and field names to
avoid having types, variables and fields with the same name.
2001-02-10 00:10:18 +00:00
Poul-Henning Kamp
fc2ffbe604 Mechanical change to use <sys/queue.h> macro API instead of
fondling implementation details.

Created with: sed(1)
Reviewed by: md5(1)
2001-02-04 13:13:25 +00:00
Luigi Rizzo
507b4b5432 MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately) 2001-02-02 00:18:00 +00:00
Luigi Rizzo
f8acf87bb5 Make sure we do not follow an invalid pointer in ipfw_report
when we get an incomplete packet or m_pullup fails.
2001-01-27 02:31:08 +00:00
Luigi Rizzo
26fb17bdd0 Minor cleanups after yesterday's patch.
The code (bridging and dummynet) actually worked fine!
2001-01-26 19:43:54 +00:00
Luigi Rizzo
6258acf88f Bring dummynet in line with the code that now works in -STABLE.
It compiles, but I cannot test functionality yet.
2001-01-26 06:49:34 +00:00
Robert Watson
65450f2f77 o IPFW incorrectly handled filtering in the presence of previously
reserved and now allocated TCP flags in incoming packets.  This patch
  stops overloading those bits in the IP firewall rules, and moves
  colliding flags to a seperate field, ipflg.  The IPFW userland
  management tool, ipfw(8), is updated to reflect this change.  New TCP
  flags related to ECN are now included in tcp.h for reference, although
  we don't currently implement TCP+ECN.

o To use this fix without completely rebuilding, it is sufficient to copy
  ip_fw.h and tcp.h into your appropriate include directory, then rebuild
  the ipfw kernel module, and ipfw tool, and install both.  Note that a
  mismatch between module and userland tool will result in incorrect
  installation of firewall rules that may have unexpected effects.  This
  is an MFC candidate, following shakedown.  This bug does not appear
  to affect ipfilter.

Reviewed by:	security-officer, billf
Reported by:	Aragon Gouveia <aragon@phat.za.net>
2001-01-09 03:10:30 +00:00
David Malone
7cc0979fd6 Convert more malloc+bzero to malloc+M_ZERO.
Submitted by:	josh@zipperup.org
Submitted by:	Robert Drehmel <robd@gmx.net>
2000-12-08 21:51:06 +00:00
Ruslan Ermilov
203de3b494 Fixed the security breach I introduced in rev 1.145.
Disallow getsockopt(IP_FW_ADD) if securelevel >= 3.

PR:		22600
2000-11-07 09:20:32 +00:00
Poul-Henning Kamp
53ce36d17a Remove unneeded #include <sys/proc.h> lines. 2000-10-29 13:57:19 +00:00
Ruslan Ermilov
3cebc3e4de Fetch the protocol header (TCP, UDP, ICMP) only from the first fragment
of IP datagram.  This fixes the problem when firewall denied fragmented
packets whose last fragment was less than minimum protocol header size.

Found by:	Harti Brandt <brandt@fokus.gmd.de>
PR:		kern/22309
2000-10-27 07:19:17 +00:00
Luigi Rizzo
1f8ed85239 Close PR22152 and PR19511 -- correct the naming of a variable 2000-10-26 00:16:12 +00:00
Ruslan Ermilov
bc95ac80b2 Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
well, in which case return the rule number back into userland.

PR:		bin/18351
Reviewed by:	archie, luigi
2000-10-12 07:59:14 +00:00
Ruslan Ermilov
c0752e1657 As we now may check the TCP header window field, make sure we pullup
enough into the mbuf data area.  Solve this problem once and for all
by pulling up the entire (standard) header for TCP and UDP, and four
bytes of header for ICMP (enough for type, code and cksum fields).
2000-10-06 12:12:09 +00:00
Ruslan Ermilov
60f9125458 Added the missing ntohs() conversion when matching IP packet with
the IP_FW_IF_IPID rule.  (We have recently decided to keep the
ip_id field in network byte order inside the kernel, see revision
1.140 of src/sys/netinet/ip_input.c).

I did not like to have the conversion happen in userland, and I
think that the similar conversions for fw_tcp(seq|ack|win) should
be moved out of userland (src/sbin/ipfw/ipfw.c) into the kernel.
2000-10-03 12:18:11 +00:00
Bill Fumerola
9ad30943aa Add new fields for more granularity:
IP: version, tos, ttl, len, id
	TCP: seq#, ack#, window size

Reviewed by:  silence on freebsd-{net,ipfw}
2000-10-02 03:33:31 +00:00
Ruslan Ermilov
3ea420e391 Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by:	Peter Jeremy<peter.jeremy@alcatel.com.au>
2000-09-29 08:39:06 +00:00