Commit Graph

165 Commits

Author SHA1 Message Date
Robert Watson
f2565d68a4 Move universally to ANSI C function declarations, with relatively
consistent style(9)-ish layout.
2007-05-10 15:58:48 +00:00
Bjoern A. Zeeb
7a92401aea Add support for filtering on Routing Header Type 0 and
Mobile IPv6 Routing Header Type 2 in addition to filter
on the non-differentiated presence of any Routing Header.

MFC after:	3 weeks
2007-05-04 11:15:41 +00:00
Robert Watson
c9791cfb3e Shorten text string for ip_fw2 dynamic rules zone by removing the word
"zone", which is generally not present in zone names.  This reduces the
incidence of line-wrapping in "vmstat -z " using 80-column displays.

MFC after:	3 days
2007-04-17 09:28:36 +00:00
Julian Elischer
1bd69ee131 Since we switched to using monatomically increasing timestamps,
they have been reported back to the userland as being in 1970.
Add boot time to the timestamp to give the time in the scale of the 'current'
real timescale.  Not perfect if you change the time a lot but good enough
to keep all the rules correct relative to each other correct in terms
of time relative to "now".
2007-04-03 22:45:50 +00:00
Alan Cox
055867a06c Include opt_ipdivert.h so that the message announcing ipfw correctly
describes the state of IPDIVERT.
2007-02-03 22:11:53 +00:00
Julian Elischer
7e170af886 Remove two lines that somehow snuck back in after testing.
ip is now an argument to the function ipfw_log()
2007-01-09 21:03:07 +00:00
Paolo Pisati
3d2fff0d3d Prevent adding a rule with a nat action in case IPFIREWALL_NAT was not defined.
Reviewed: luigi
2007-01-05 12:15:31 +00:00
Paolo Pisati
61c0e134f5 Wrap ipfw nat support in a new kernel config option named
"IPFIREWALL_NAT": this way nat is turned off by default and
POLA is preserved.

Reviewed by: rwatson
2007-01-03 11:12:54 +00:00
Julian Elischer
3b62120e87 Remove a bunch of dependencies in the IP header being the first thing in the
mbuf. First moves toward being able to cope better with having layer 2 (or
other encapsulation data) before the IP header in the packet being examined.
More commits to come to round out this functionality. This commit should
have no practical effect but clears the way for what is coming.
Revirewed by: luigi, yar
MFC After: 2 weeks
2007-01-02 19:57:31 +00:00
Paolo Pisati
ff2f6fe80f Summer of Code 2005: improve libalias - part 2 of 2
With the second (and last) part of my previous Summer of Code work, we get:

-ipfw's in kernel nat

-redirect_* and LSNAT support

General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.

To enable in kernel nat in rc.conf, two options were added:

o firewall_nat_enable: equivalent to natd_enable

o firewall_nat_interface: equivalent to natd_interface

Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.

NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).

Approved by: glebius (mentor)
2006-12-29 21:59:17 +00:00
Bjoern A. Zeeb
1d54aa3ba9 MFp4: 92972, 98913 + one more change
In ip6_sprintf no longer use and return one of eight static buffers
for printing/logging ipv6 addresses.
The caller now has to hand in a sufficiently large buffer as first
argument.
2006-12-12 12:17:58 +00:00
Bjoern A. Zeeb
89e7e7e32a Add SCTP as a known upper layer protocol over v6.
We are not yet aware of the protocol internals but this way
SCTP traffic over v6 will not be discarded.

Reported by: Peter Lei via rrs
Tested by:   Peter Lei <peterlei cisco.com>
2006-11-13 19:07:32 +00:00
Robert Watson
acd3428b7d Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
Robert Watson
aed5570872 Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA
2006-10-22 11:52:19 +00:00
Maxim Konovalov
428b67b194 o Do not do args->f_id.addr_type == 6 when there is
IS_IP6_FLOW_ID() exactly for that.
2006-10-11 12:14:28 +00:00
Maxim Konovalov
f16ccf6814 o Kill a nit in the comment. 2006-10-11 12:00:53 +00:00
Maxim Konovalov
5f197ce41e o Extend not very informative ipfw(4) message 'drop session, too many
entries' by src:port and dst:port pairs.  IPv6 part is non-functional
as ``limit'' does not support IPv6 flows.

PR:		kern/103967
Submitted by:	based on Bruce Campbell patch
MFC after:	1 month
2006-10-11 11:52:34 +00:00
Bjoern A. Zeeb
7002145d8e Set scope on MC address so IPv6 carp advertisement will not get dropped
in ip6_output. In case this fails  handle the error directly and log it[1].
In addition permit CARP over v6 in ip_fw2.

PR:                     kern/98622
Similar patch by:       suz
Discussed with:         glebius [1]
Tested by:              Paul.Dekkers surfnet.nl, Philippe.Pegon crc.u-strasbg.fr
MFC after:              3 days
2006-10-07 10:19:58 +00:00
John Hay
724e825a16 Handle a list of IPv6 src and dst addresses correctly, eg.
ipfw add allow ip6 from any to 2000::/16,2002::/16

PR:		102422 (part 3)
Submitted by:	Andrey V. Elsukov <bu7cher at yandex dot ru>
MFC after:	5 days
2006-09-16 10:27:05 +00:00
Christian S.J. Peron
d94f2a68f8 Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point
exists to allow the mandatory access control policy to properly initialize
mbufs generated by the firewall. An example where this might happen is keep
alive packets, or ICMP error packets in response to other packets.

This takes care of kernel panics associated with un-initialize mbuf labels
when the firewall generates packets.

[1] I modified this patch from it's original version, the initial patch
    introduced a number of entry points which were programmatically
    equivalent. So I introduced only one. Instead, we should leverage
    mac_create_mbuf_netlayer() which is used for similar situations,
    an example being icmp_error()

    This will minimize the impact associated with the MFC

Submitted by:	mlaier [1]
MFC after:	1 week

This is a RELENG_6 candidate
2006-09-12 04:25:13 +00:00
John Hay
1c31b456b9 Recognise IPv6 PIM packets.
MFC after:	1 week
2006-08-31 16:56:45 +00:00
Julian Elischer
afad78e259 comply with style police
Submitted by:	ru
MFC after:	1 month
2006-08-18 22:36:05 +00:00
Julian Elischer
c487be961a Allow ipfw to forward to a destination that is specified by a table.
for example:
  fwd tablearg ip from any to table(1)
where table 1 has entries of the form:
1.1.1.0/24 10.2.3.4
208.23.2.0/24 router2

This allows trivial implementation of a secondary routing table implemented
in the firewall layer.

I expect more work (under discussion with Glebius) to follow this to clean
up some of the messy parts of ipfw related to tables.

Reviewed by:	Glebius
MFC after:	1 month
2006-08-17 22:49:50 +00:00
Oleg Bulyzhin
0e0b1bb57a Remove useless NULL pointer check: we are using M_WAITOK flag for memory
allocation.

Submitted by:	Andrey Elsukov <bu7cher at yandex dot ru>
Approved by:	glebius (mentor)
MFC after:	1 week
2006-08-04 10:50:51 +00:00
Oleg Bulyzhin
9b1858ca78 Do not leak memory while flushing rules.
Noticed by:	yar
Approved by:	glebius (mentor)
MFC after:	1 week
2006-08-02 14:58:51 +00:00
Yaroslav Tykhiy
4b97d7affd There is a consensus that ifaddr.ifa_addr should never be NULL,
except in places dealing with ifaddr creation or destruction; and
in such special places incomplete ifaddrs should never be linked
to system-wide data structures.  Therefore we can eliminate all the
superfluous checks for "ifa->ifa_addr != NULL" and get ready
to the system crashing honestly instead of masking possible bugs.

Suggested by:	glebius, jhb, ru
2006-06-29 19:22:05 +00:00
Yaroslav Tykhiy
ad67537233 Use TAILQ_FOREACH consistently. 2006-06-29 17:09:47 +00:00
Bjoern A. Zeeb
333ad3bc40 Eliminate the offset argument from send_reject. It's not been
used since FreeBSD-SA-06:04.ipfw.
Adopt send_reject6 to what had been done for legacy IP: no longer
send or permit sending rejects for any but the first fragment.

Discussed with: oleg, csjp (some weeks ago)
2006-06-29 11:17:16 +00:00
Bjoern A. Zeeb
421d8aa603 Use INPLOOKUP_WILDCARD instead of just 1 more consistently.
OKed by: rwatson (some weeks ago)
2006-06-29 10:49:49 +00:00
Hajimu UMEMOTO
a0a59ae4af - Pullup even when the extention header is unknown, to prevent
infinite loop with net.inet6.ip6.fw.deny_unknown_exthdrs=0.
- Teach ipv6 and ipencap as they appear in an IPv4/IPv6 over IPv6
  tunnel.
- Test the next extention header even when the routing header type
  is unknown with net.inet6.ip6.fw.deny_unknown_exthdrs=0.

Found by:	xcast-fan-club
MFC after:	1 week
2006-06-22 13:22:54 +00:00
Oleg Bulyzhin
254c472561 Add support of 'tablearg' feature for:
- 'tag' & 'untag' action parameters.
- 'tagged' & 'limit' rule options.
Rule examples:
	pipe 1 tag tablearg ip from table(1) to any
	allow ip from any to table(2) tagged tablearg
	allow tcp from table(3) to any 25 setup limit src-addr tablearg

sbin/ipfw/ipfw2.c:
1) new macros
   GET_UINT_ARG - support of 'tablearg' keyword, argument range checking.
   PRINT_UINT_ARG - support of 'tablearg' keyword.
2) strtoport(): do not silently truncate/accept invalid port list expressions
   like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'. style(9) cleanup.

Approved by:	glebius (mentor)
MFC after:	1 month
2006-06-15 09:39:22 +00:00
Oleg Bulyzhin
58a0fab73f install_state(): style(9) cleanup
Approved by:	glebius (mentor)
MFC after:	1 month
2006-06-15 08:54:29 +00:00
Oleg Bulyzhin
458009ae93 install_state() should properly initialize 'addr_type' field of newly created
flows for O_LIMIT rules.  Otherwise 'ipfw -d show' is unable to display
PARENT rules properly.
(This bug was exposed by ipfw2.c rev.1.90)

Approved by:	glebius (mentor)
MFC after:	2 weeks
2006-06-08 11:27:45 +00:00
Oleg Bulyzhin
6a7d5cb645 Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
Since tags are kept while packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.

Submitted by:	Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by:	Vadim Goncharov <vadimnuclight at tpu dot ru>
Approved by:	glebius (mentor)
Idea from:	OpenBSD PF
MFC after:	1 month
2006-05-24 13:09:55 +00:00
Max Laier
0e7185f6e7 Use only lower 64bit of src/dest (and src/dest port) for hashing of IPv6
connections and get rid of the flow_id as it is not guaranteed to be stable
some (most?) current implementations seem to just zero it out.

PR:		kern/88664
Reported by:	jylefort
Submitted by:	Joost Bekkers (w/ changes)
Tested by	"regisr" <regisrApoboxDcom>
2006-05-14 23:42:24 +00:00
Max Laier
656faadcb8 Remove ip6fw. Since ipfw has full functional IPv6 support now and - in
contrast to ip6fw - is properly lockes, it is time to retire ip6fw.
2006-05-12 20:39:23 +00:00
Max Laier
e93187482d Reintroduce net.inet6.ip6.fw.enable sysctl to dis/enable the ipv6 processing
seperately.  Also use pfil hook/unhook instead of keeping the check
functions in pfil just to return there based on the sysctl.  While here fix
some whitespace on a nearby SYSCTL_ macro.
2006-05-12 04:41:27 +00:00
Max Laier
432288dcb6 Don't claim "(+ipv6)" if we didn't build with INET6. 2006-05-11 15:22:38 +00:00
Gleb Smirnoff
e2779391fa - Do not leak read lock in IP_FW_TABLE_GETSIZE case of ipfw_ctl().
- Acquire read (not write) lock in case of IP_FW_TABLE_LIST.

In collaboration with:	ru
2006-03-03 12:10:59 +00:00
Christian S.J. Peron
f5cdbcf14c Use PFIL_HOOKED macros in if_bridge and pass the right argument to
rw_assert. This un-breaks the build.

Submitted by:	Kostik Belousov
Pointy hat to:	csjp
2006-02-02 16:41:20 +00:00
Christian S.J. Peron
604afec496 Somewhat re-factor the read/write locking mechanism associated with the packet
filtering mechanisms to use the new rwlock(9) locking API:

- Drop the variables stored in the phil_head structure which were specific to
  conditions and the home rolled read/write locking mechanism.
- Drop some includes which were used for condition variables
- Drop the inline functions, and convert them to macros. Also, move these
  macros into pfil.h
- Move pfil list locking macros intp phil.h as well
- Rename ph_busy_count to ph_nhooks. This variable will represent the number
  of IN/OUT hooks registered with the pfil head structure
- Define PFIL_HOOKED macro which evaluates to true if there are any
  hooks to be ran by pfil_run_hooks
- In the IP/IP6 stacks, change the ph_busy_count comparison to use the new
  PFIL_HOOKED macro.
- Drop optimization in pfil_run_hooks which checks to see if there are any
  hooks to be ran, and returns if not. This check is already performed by the
  IP stacks when they call:

        if (!PFIL_HOOKED(ph))
                goto skip_hooks;

- Drop in assertion which makes sure that the number of hooks never drops
  below 0 for good measure. This in theory should never happen, and if it
  does than there are problems somewhere
- Drop special logic around PFIL_WAITOK because rw_wlock(9) does not sleep
- Drop variables which support home rolled read/write locking mechanism from
  the IPFW firewall chain structure.
- Swap out the read/write firewall chain lock internal to use the rwlock(9)
  API instead of our home rolled version
- Convert the inlined functions to macros

Reviewed by:	mlaier, andre, glebius
Thanks to:	jhb for the new locking API
2006-02-02 03:13:16 +00:00
Oleg Bulyzhin
44a515834f Fix minor bug in uRPF:
If net.link.ether.inet.useloopback=1 and we send broadcast packet using our
  own source ip address it may be rejected by uRPF rules.

  Same bug was fixed for IPv6 in rev. 1.115 by suz.

PR:		kern/76971
Approved by:	glebius (mentor)
MFC after:	3 days
2006-01-24 13:38:06 +00:00
Christian S.J. Peron
9c57c204be - Change the return type for init_tables from void to int so we can propagate
errors from rn_inithead back to the ipfw initialization function.
- Check return value of rn_inithead for failure, if table allocation has
  failed for any reason, free up any tables we have created and return ENOMEM
- In ipfw_init check the return value of init_tables and free up any mutexes or
  UMA zones which may have been created.
- Assert that the supplied table is not NULL before attempting to dereference.

This fixes panics which were a result of invalid memory accesses due to failed
table allocation. This is an issue mainly because the R_Zalloc function is a
malloc(M_NOWAIT) wrapper, thus making it possible for allocations to fail.

Found by:	Coverity Prevent (tm)
Coverity ID:	CID79
MFC after:	1 week
2006-01-20 05:35:27 +00:00
Christian S.J. Peron
e9186cb94b Destroy the dynamic rule zone in the event that we fail to insert the
initial default rule.

MFC after:	1 week
2006-01-20 03:21:25 +00:00
Colin Percival
9ed97bee65 Correct insecure temporary file usage in texindex. [06:01]
Correct insecure temporary file usage in ee. [06:02]
Correct a race condition when setting file permissions, sanitize file
names by default, and fix a buffer overflow when handling files
larger than 4GB in cpio. [06:03]
Fix an error in the handling of IP fragments in ipfw which can cause
a kernel panic. [06:04]

Security:	FreeBSD-SA-06:01.texindex
Security:	FreeBSD-SA-06:02.ee
Security:	FreeBSD-SA-06:03.cpio
Security:	FreeBSD-SA-06:04.ipfw
2006-01-11 08:02:16 +00:00
Gleb Smirnoff
6e02dbdfa3 Cleanup __FreeBSD_version. 2005-12-16 13:10:32 +00:00
Gleb Smirnoff
40b1ae9e00 Add a new feature for optimizining ipfw rulesets - substitution of the
action argument with the value obtained from table lookup. The feature
is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
and "ngtee" rules.

An example usage:

  ipfw pipe 1000 config bw 1000Kbyte/s
  ipfw pipe 4000 config bw 4000Kbyte/s
  ipfw table 1 add x.x.x.x 1000
  ipfw table 1 add x.x.x.y 4000
  ipfw pipe tablearg ip from table(1) to any

In the example above the rule will throw different packets to different pipes.

TODO:
  - Support "skipto" action, but without searching all rules.
  - Improve parser, so that it warns about bad rules. These are:
    - "tablearg" argument to action, but no "table" in the rule. All
      traffic will be blocked.
    - "tablearg" argument to action, but "table" searches for entry with
      a specific value. All traffic will be blocked.
    - "tablearg" argument to action, and two "table" looks - for src and
      for dst. The last lookup will match.
2005-12-13 12:16:03 +00:00
Gleb Smirnoff
95d1f36f82 Optimize parallel processing of ipfw(4) rulesets eliminating the locking
of the radix lookup tables. Since several rnh_lookup() can run in
parallel on the same table, we can piggyback on the shared locking
provided by ipfw(4).
  However, the single entry cache in the ip_fw_table can't be used lockless,
so it is removed. This pessimizes two cases: processing of bursts of similar
packets and matching one packet against the same table several times during
one ipfw_chk() lookup. To optimize the processing of similar packet bursts
administrator should use stateful firewall. To optimize the second problem
a solution will be provided soon.

Details:
  o Since we piggyback on the ipfw(4) locking, and the latter is per-chain,
    the tables are moved from the global declaration to the
    struct ip_fw_chain.
  o The struct ip_fw_table is shrunk to one entry and thus vanished.
  o All table manipulating functions are extended to accept the struct
    ip_fw_chain * argument.
  o All table modifing functions use IPFW_WLOCK_ASSERT().
2005-12-06 10:45:49 +00:00
Hajimu UMEMOTO
8846bbf3ce obey opt_inet6.h and opt_ipsec.h in kernel build directory.
Requested by:	hrs
2005-11-29 17:56:11 +00:00
Gleb Smirnoff
b090e4ce1f Garbage-collect now unused struct _ipfw_insn_pipe and flush_pipe_ptrs(),
thus removing a few XXXes.
  Document the ABI breakage in UPDATING.
2005-11-29 08:59:41 +00:00