/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#include <stdlib.h>
#include <strings.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/list.h>
#include <net/if.h>
#include <assert.h>
#include <errno.h>
#include <libintl.h>
#include <libilb.h>
#include <inet/ilb.h>
#include "libilb_impl.h"
#include "ilbd.h"
/* until we all use AF_* macros ... */
#define AF_2_IPPROTO(_af) (_af == AF_INET)?IPPROTO_IP:IPPROTO_IPV6
#define IPPROTO_2_AF(_i) (_i == IPPROTO_IP)?AF_INET:AF_INET6
#define PROTOCOL_LEN 16 /* protocol type */
#define ADDR_LEN (2 * INET6_ADDRSTRLEN + 1) /* prxy src range */
#define PORT_LEN 6 /* hcport:1-65535 or "ANY" */
static ilb_status_t ilbd_disable_one_rule(ilbd_rule_t *, boolean_t);
static uint32_t i_flags_d2k(int);
#define ILB_SGSRV_2_KSRV(s, k) \
(k)->addr = (s)->sgs_addr; \
(k)->min_port = (s)->sgs_minport; \
(k)->max_port = (s)->sgs_maxport; \
(k)->flags = i_flags_d2k((s)->sgs_flags); \
(k)->err = 0; \
(void) strlcpy((k)->name, (s)->sgs_srvID, sizeof ((k)->name))
list_t ilbd_rule_hlist;
static ilb_algo_t
algo_impl2lib(ilb_algo_impl_t a)
{
switch (a) {
case ILB_ALG_IMPL_ROUNDROBIN:
return (ILB_ALG_ROUNDROBIN);
case ILB_ALG_IMPL_HASH_IP:
return (ILB_ALG_HASH_IP);
case ILB_ALG_IMPL_HASH_IP_SPORT:
return (ILB_ALG_HASH_IP_SPORT);
case ILB_ALG_IMPL_HASH_IP_VIP:
return (ILB_ALG_HASH_IP_VIP);
}
return (0);
}
static ilb_topo_t
topo_impl2lib(ilb_topo_impl_t t)
{
switch (t) {
case ILB_TOPO_IMPL_DSR:
return (ILB_TOPO_DSR);
case ILB_TOPO_IMPL_NAT:
return (ILB_TOPO_NAT);
case ILB_TOPO_IMPL_HALF_NAT:
return (ILB_TOPO_HALF_NAT);
}
return (0);
}
ilb_algo_impl_t
algo_lib2impl(ilb_algo_t a)
{
switch (a) {
case ILB_ALG_ROUNDROBIN:
return (ILB_ALG_IMPL_ROUNDROBIN);
case ILB_ALG_HASH_IP:
return (ILB_ALG_IMPL_HASH_IP);
case ILB_ALG_HASH_IP_SPORT:
return (ILB_ALG_IMPL_HASH_IP_SPORT);
case ILB_ALG_HASH_IP_VIP:
return (ILB_ALG_IMPL_HASH_IP_VIP);
}
return (0);
}
ilb_topo_impl_t
topo_lib2impl(ilb_topo_t t)
{
switch (t) {
case ILB_TOPO_DSR:
return (ILB_TOPO_IMPL_DSR);
case ILB_TOPO_NAT:
return (ILB_TOPO_IMPL_NAT);
case ILB_TOPO_HALF_NAT:
return (ILB_TOPO_IMPL_HALF_NAT);
}
return (0);
}
/*
* Walk the list of rules and check if its safe to add the
* the server to the rule (this is a list of rules hanging
* off of a server group)
*/
ilb_status_t
i_check_srv2rules(list_t *rlist, ilb_sg_srv_t *srv)
{
ilb_status_t rc = ILB_STATUS_OK;
ilbd_rule_t *rl;
int server_portrange, rule_portrange;
int srv_minport, srv_maxport;
int r_minport, r_maxport;
if (srv == NULL)
return (ILB_STATUS_OK);
srv_minport = ntohs(srv->sgs_minport);
srv_maxport = ntohs(srv->sgs_maxport);
for (rl = list_head(rlist); rl != NULL; rl = list_next(rlist, rl)) {
r_minport = ntohs(rl->irl_minport);
r_maxport = ntohs(rl->irl_maxport);
if ((srv_minport != 0) && (srv_minport == srv_maxport)) {
/* server has single port */
if (rl->irl_topo == ILB_TOPO_DSR) {
/*
* either we have a DSR rule with a port
* range, or both server and rule
* have single ports but their values
* don't match - this is incompatible
*/
if (r_maxport > r_minport) {
rc = ILB_STATUS_INVAL_SRVR;
break;
} else if (srv_minport != r_minport) {
rc = ILB_STATUS_BADPORT;
break;
}
}
if (rl->irl_hcpflag == ILB_HCI_PROBE_FIX &&
rl->irl_hcport != srv_minport) {
rc = ILB_STATUS_BADPORT;
break;
}
} else if (srv_maxport > srv_minport) {
/* server has a port range */
if ((rl->irl_topo == ILB_TOPO_DSR) &&
(r_maxport > r_minport)) {
if ((r_minport != srv_minport) ||
(r_maxport != srv_maxport)) {
/*
* we have a DSR rule with a port range
* and its min and max port values
* does not meet that of server's
* - this is incompatible
*/
rc = ILB_STATUS_BADPORT;
break;
}
} else if ((rl->irl_topo == ILB_TOPO_DSR) &&
(r_maxport == r_minport)) {
/*
* we have a DSR rule with a single
* port and a server with a port range
* - this is incompatible
*/
rc = ILB_STATUS_INVAL_SRVR;
break;
} else if (((rl->irl_topo == ILB_TOPO_NAT) ||
(rl->irl_topo == ILB_TOPO_HALF_NAT)) &&
(r_maxport > r_minport)) {
server_portrange = srv_maxport - srv_minport;
rule_portrange = r_maxport - r_minport;
if (rule_portrange != server_portrange) {
/*
* we have a NAT/Half-NAT rule with
* a port range and server with a port
* range and there is a mismatch in the
* sizes of the port ranges - this is
* incompatible
*/
rc = ILB_STATUS_INVAL_SRVR;
break;
}
}
if (rl->irl_hcpflag == ILB_HCI_PROBE_FIX &&
(rl->irl_hcport > srv_maxport ||
rl->irl_hcport < srv_minport)) {
rc = ILB_STATUS_BADPORT;
break;
}
}
}
return (rc);
}
void
i_setup_rule_hlist(void)
{
list_create(&ilbd_rule_hlist, sizeof (ilbd_rule_t),
offsetof(ilbd_rule_t, irl_link));
}
ilb_status_t
i_ilbd_save_rule(ilbd_rule_t *irl, ilbd_scf_cmd_t scf_cmd)
{
boolean_t enable = irl->irl_flags & ILB_FLAGS_RULE_ENABLED;
switch (scf_cmd) {
case ILBD_SCF_CREATE:
return (ilbd_create_pg(ILBD_SCF_RULE, (void *)irl));
case ILBD_SCF_DESTROY:
return (ilbd_destroy_pg(ILBD_SCF_RULE, irl->irl_name));
case ILBD_SCF_ENABLE_DISABLE:
return (ilbd_change_prop(ILBD_SCF_RULE, irl->irl_name,
"status", &enable));
default:
logdebug("i_ilbd_save_rule: invalid scf cmd %d", scf_cmd);
return (ILB_STATUS_INVAL_CMD);
}
}
/*
* allocate a new daemon-specific rule from the "template" passed
* in in *r
*/
static ilbd_rule_t *
i_alloc_ilbd_rule(ilb_rule_info_t *r)
{
ilbd_rule_t *rl;
rl = calloc(sizeof (*rl), 1);
if (rl != NULL && r != NULL)
bcopy(r, &rl->irl_info, sizeof (*r));
return (rl);
}
static ilbd_rule_t *
i_find_rule_byname(const char *name)
{
ilbd_rule_t *rl;
/* find position of rule in list */
rl = list_head(&ilbd_rule_hlist);
while (rl != NULL &&
strncmp(rl->irl_name, name, sizeof (rl->irl_name)) != 0) {
rl = list_next(&ilbd_rule_hlist, rl);
}
return (rl);
}
/*
* get exactly one rule (named in rl->irl_name) data from kernel
*/
static ilb_status_t
ilb_get_krule(ilb_rule_info_t *rl)
{
ilb_status_t rc;
ilb_rule_cmd_t kcmd;
kcmd.cmd = ILB_LIST_RULE;
(void) strlcpy(kcmd.name, rl->rl_name, sizeof (kcmd.name));
kcmd.flags = 0;
rc = do_ioctl(&kcmd, 0);
if (rc != ILB_STATUS_OK)
return (rc);
rl->rl_flags = kcmd.flags;
rl->rl_ipversion = IPPROTO_2_AF(kcmd.ip_ver);
rl->rl_vip = kcmd.vip;
rl->rl_proto = kcmd.proto;
rl->rl_minport = kcmd.min_port;
rl->rl_maxport = kcmd.max_port;
rl->rl_algo = algo_impl2lib(kcmd.algo);
rl->rl_topo = topo_impl2lib(kcmd.topo);
rl->rl_stickymask = kcmd.sticky_mask;
rl->rl_nat_src_start = kcmd.nat_src_start;
rl->rl_nat_src_end = kcmd.nat_src_end;
(void) strlcpy(rl->rl_name, kcmd.name, sizeof (rl->rl_name));
rl->rl_conndrain = kcmd.conn_drain_timeout;
rl->rl_nat_timeout = kcmd.nat_expiry;
rl->rl_sticky_timeout = kcmd.sticky_expiry;
return (ILB_STATUS_OK);
}
ilb_status_t
ilbd_retrieve_rule(ilbd_name_t rl_name, uint32_t *rbuf, size_t *rbufsz)
{
ilbd_rule_t *irl = NULL;
ilb_status_t rc;
ilb_rule_info_t *rinfo;
irl = i_find_rule_byname(rl_name);
if (irl == NULL)
return (ILB_STATUS_ENOENT);
ilbd_reply_ok(rbuf, rbufsz);
rinfo = (ilb_rule_info_t *)&((ilb_comm_t *)rbuf)->ic_data;
bcopy(&irl->irl_info, rinfo, sizeof (*rinfo));
/*
* Check if the various timeout values are 0. If one is, get the
* default values from kernel.
*/
if (rinfo->rl_conndrain == 0 || rinfo->rl_nat_timeout == 0 ||
rinfo->rl_sticky_timeout == 0) {
ilb_rule_info_t tmp_info;
(void) strcpy(tmp_info.rl_name, rinfo->rl_name);
rc = ilb_get_krule(&tmp_info);
if (rc != ILB_STATUS_OK)
return (rc);
if (rinfo->rl_conndrain == 0)
rinfo->rl_conndrain = tmp_info.rl_conndrain;
if ((rinfo->rl_topo == ILB_TOPO_NAT ||
rinfo->rl_topo == ILB_TOPO_HALF_NAT) &&
rinfo->rl_nat_timeout == 0) {
rinfo->rl_nat_timeout = tmp_info.rl_nat_timeout;
}
if ((rinfo->rl_flags & ILB_FLAGS_RULE_STICKY) &&
rinfo->rl_sticky_timeout == 0) {
rinfo->rl_sticky_timeout = tmp_info.rl_sticky_timeout;
}
}
*rbufsz += sizeof (ilb_rule_info_t);
return (ILB_STATUS_OK);
}
static ilb_status_t
ilbd_destroy_one_rule(ilbd_rule_t *irl)
{
ilb_status_t rc;
ilb_name_cmd_t kcmd;
/*
* as far as talking to the kernel is concerned, "all rules"
* is handled in one go somewhere else, so we only
* tell the kernel about single rules here.
*/
if ((irl->irl_flags & ILB_FLAGS_RULE_ALLRULES) == 0) {
kcmd.cmd = ILB_DESTROY_RULE;
(void) strlcpy(kcmd.name, irl->irl_name, sizeof (kcmd.name));
kcmd.flags = 0;
rc = do_ioctl(&kcmd, 0);
if (rc != ILB_STATUS_OK)
return (rc);
}
list_remove(&irl->irl_sg->isg_rulelist, irl);
list_remove(&ilbd_rule_hlist, irl);
/*
* When dissociating a rule, only two errors can happen. The hc
* name is incorrect or the rule is not associated with the hc
* object. Both should not happen.... The check is for debugging
* purpose.
*/
if (RULE_HAS_HC(irl) && (rc = ilbd_hc_dissociate_rule(irl)) !=
ILB_STATUS_OK) {
logerr("ilbd_destroy_one_rule: cannot "
"dissociate %s from hc object %s: %d",
irl->irl_name, irl->irl_hcname, rc);
}
rc = i_ilbd_save_rule(irl, ILBD_SCF_DESTROY);
if (rc != ILB_STATUS_OK)
logdebug("ilbd_destroy_rule: save rule failed");
free(irl);
return (rc);
}
/*
* the following two functions are the other's opposite, and can
* call into each other for roll back purposes in case of error.
* To avoid endless recursion, the 'is_rollback' parameter must be
* set to B_TRUE in the roll back case.
*/
static ilb_status_t
ilbd_enable_one_rule(ilbd_rule_t *irl, boolean_t is_rollback)
{
ilb_status_t rc = ILB_STATUS_OK;
ilb_name_cmd_t kcmd;
/* no use sending a no-op to the kernel */
if ((irl->irl_flags & ILB_FLAGS_RULE_ENABLED) != 0)
return (ILB_STATUS_OK);
irl->irl_flags |= ILB_FLAGS_RULE_ENABLED;
/* "all rules" is handled in one go somewhere else, not here */
if ((irl->irl_flags & ILB_FLAGS_RULE_ALLRULES) == 0) {
kcmd.cmd = ILB_ENABLE_RULE;
(void) strlcpy(kcmd.name, irl->irl_name, sizeof (kcmd.name));
kcmd.flags = 0;
rc = do_ioctl(&kcmd, 0);
if (rc != ILB_STATUS_OK)
return (rc);
}
if (RULE_HAS_HC(irl) && (rc = ilbd_hc_enable_rule(irl)) !=
ILB_STATUS_OK) {
/* Undo the kernel work */
kcmd.cmd = ILB_DISABLE_RULE;
/* Cannot do much if ioctl fails... */
(void) do_ioctl(&kcmd, 0);
return (rc);
}
if (!is_rollback) {
if (rc == ILB_STATUS_OK)
rc = i_ilbd_save_rule(irl, ILBD_SCF_ENABLE_DISABLE);
if (rc != ILB_STATUS_OK)
/* ignore rollback return code */
(void) ilbd_disable_one_rule(irl, B_TRUE);
}
return (rc);
}
static ilb_status_t
ilbd_disable_one_rule(ilbd_rule_t *irl, boolean_t is_rollback)
{
ilb_status_t rc = ILB_STATUS_OK;
ilb_name_cmd_t kcmd;
/* no use sending a no-op to the kernel */
if ((irl->irl_flags & ILB_FLAGS_RULE_ENABLED) == 0)
return (ILB_STATUS_OK);
irl->irl_flags &= ~ILB_FLAGS_RULE_ENABLED;
/* "all rules" is handled in one go somewhere else, not here */
if ((irl->irl_flags & ILB_FLAGS_RULE_ALLRULES) == 0) {
kcmd.cmd = ILB_DISABLE_RULE;
(void) strlcpy(kcmd.name, irl->irl_name, sizeof (kcmd.name));
kcmd.flags = 0;
rc = do_ioctl(&kcmd, 0);
if (rc != ILB_STATUS_OK)
return (rc);
}
if (RULE_HAS_HC(irl) && (rc = ilbd_hc_disable_rule(irl)) !=
ILB_STATUS_OK) {
/* Undo the kernel work */
kcmd.cmd = ILB_ENABLE_RULE;
/* Cannot do much if ioctl fails... */
(void) do_ioctl(&kcmd, 0);
return (rc);
}
if (!is_rollback) {
if (rc == ILB_STATUS_OK)
rc = i_ilbd_save_rule(irl, ILBD_SCF_ENABLE_DISABLE);
if (rc != ILB_STATUS_OK)
/* ignore rollback return code */
(void) ilbd_enable_one_rule(irl, B_TRUE);
}
return (rc);
}
/*
* Generates an audit record for a supplied rule name
* Used for enable_rule, disable_rule, delete_rule,
* and create_rule subcommands
*/
static void
ilbd_audit_rule_event(const char *audit_rule_name,
ilb_rule_info_t *rlinfo, ilbd_cmd_t cmd, ilb_status_t rc,
ucred_t *ucredp)
{
adt_session_data_t *ah;
adt_event_data_t *event;
au_event_t flag;
int scf_val_len = ILBD_MAX_VALUE_LEN;
char *aobuf = NULL; /* algo:topo */
char *valstr1 = NULL;
char *valstr2 = NULL;
char pbuf[PROTOCOL_LEN]; /* protocol */
char hcpbuf[PORT_LEN]; /* hcport */
int audit_error;
if ((ucredp == NULL) && (cmd == ILBD_CREATE_RULE)) {
/*
* we came here from the path where ilbd incorporates
* the configuration that is listed in SCF :
* i_ilbd_read_config->ilbd_walk_rule_pgs->
* ->ilbd_scf_instance_walk_pg->ilbd_create_rule
* We skip auditing in that case
*/
return;
}
if (adt_start_session(&ah, NULL, 0) != 0) {
logerr("ilbd_audit_rule_event: adt_start_session failed");
exit(EXIT_FAILURE);
}
if (adt_set_from_ucred(ah, ucredp, ADT_NEW) != 0) {
(void) adt_end_session(ah);
logerr("ilbd_audit_rule_event: adt_set_from_ucred failed");
exit(EXIT_FAILURE);
}
if (cmd == ILBD_ENABLE_RULE)
flag = ADT_ilb_enable_rule;
else if (cmd == ILBD_DISABLE_RULE)
flag = ADT_ilb_disable_rule;
else if (cmd == ILBD_DESTROY_RULE)
flag = ADT_ilb_delete_rule;
else if (cmd == ILBD_CREATE_RULE)
flag = ADT_ilb_create_rule;
if ((event = adt_alloc_event(ah, flag)) == NULL) {
logerr("ilbd_audit_rule_event: adt_alloc_event failed");
exit(EXIT_FAILURE);
}
(void) memset((char *)event, 0, sizeof (adt_event_data_t));
switch (cmd) {
case ILBD_DESTROY_RULE:
event->adt_ilb_delete_rule.auth_used = NET_ILB_CONFIG_AUTH;
event->adt_ilb_delete_rule.rule_name = (char *)audit_rule_name;
break;
case ILBD_ENABLE_RULE:
event->adt_ilb_enable_rule.auth_used = NET_ILB_ENABLE_AUTH;
event->adt_ilb_enable_rule.rule_name = (char *)audit_rule_name;
break;
case ILBD_DISABLE_RULE:
event->adt_ilb_disable_rule.auth_used = NET_ILB_ENABLE_AUTH;
event->adt_ilb_disable_rule.rule_name = (char *)audit_rule_name;
break;
case ILBD_CREATE_RULE:
if (((aobuf = malloc(scf_val_len)) == NULL) ||
((valstr1 = malloc(scf_val_len)) == NULL) ||
((valstr2 = malloc(scf_val_len)) == NULL)) {
logerr("ilbd_audit_rule_event: could not"
" allocate buffer");
exit(EXIT_FAILURE);
}
event->adt_ilb_create_rule.auth_used = NET_ILB_CONFIG_AUTH;
/* Fill in virtual IP address type */
if (IN6_IS_ADDR_V4MAPPED(&rlinfo->rl_vip)) {
event->adt_ilb_create_rule.virtual_ipaddress_type =
ADT_IPv4;
cvt_addr(event->adt_ilb_create_rule.virtual_ipaddress,
ADT_IPv4, rlinfo->rl_vip);
} else {
event->adt_ilb_create_rule.virtual_ipaddress_type =
ADT_IPv6;
cvt_addr(event->adt_ilb_create_rule.virtual_ipaddress,
ADT_IPv6, rlinfo->rl_vip);
}
/* Fill in port - could be a single value or a range */
event->adt_ilb_create_rule.min_port = ntohs(rlinfo->rl_minport);
if (ntohs(rlinfo->rl_maxport) > ntohs(rlinfo->rl_minport)) {
/* port range */
event->adt_ilb_create_rule.max_port =
ntohs(rlinfo->rl_maxport);
} else {
/* in audit record, max=min when single port */
event->adt_ilb_create_rule.max_port =
ntohs(rlinfo->rl_minport);
}
/*
* Fill in protocol - if user does not specify it,
* its TCP by default
*/
if (rlinfo->rl_proto == IPPROTO_UDP)
(void) snprintf(pbuf, PROTOCOL_LEN, "UDP");
else
(void) snprintf(pbuf, PROTOCOL_LEN, "TCP");
event->adt_ilb_create_rule.protocol = pbuf;
/* Fill in algorithm and operation type */
ilbd_algo_to_str(rlinfo->rl_algo, valstr1);
ilbd_topo_to_str(rlinfo->rl_topo, valstr2);
(void) snprintf(aobuf, scf_val_len, "%s:%s",
valstr1, valstr2);
event->adt_ilb_create_rule.algo_optype = aobuf;
/* Fill in proxy-src for the NAT case */
if (rlinfo->rl_topo == ILB_TOPO_NAT) {
/* copy starting proxy-src address */
if (IN6_IS_ADDR_V4MAPPED(&rlinfo->rl_nat_src_start)) {
/* V4 case */
event->adt_ilb_create_rule.proxy_src_min_type =
ADT_IPv4;
cvt_addr(
event->adt_ilb_create_rule.proxy_src_min,
ADT_IPv4, rlinfo->rl_nat_src_start);
} else {
/* V6 case */
event->adt_ilb_create_rule.proxy_src_min_type =
ADT_IPv6;
cvt_addr(
event->adt_ilb_create_rule.proxy_src_min,
ADT_IPv6, rlinfo->rl_nat_src_start);
}
/* copy ending proxy-src address */
if (&rlinfo->rl_nat_src_end == 0) {
/* proxy-src is a single address */
event->adt_ilb_create_rule.proxy_src_max_type =
event->
adt_ilb_create_rule.proxy_src_min_type;
(void) memcpy(
event->adt_ilb_create_rule.proxy_src_max,
event->adt_ilb_create_rule.proxy_src_min,
(4 * sizeof (uint32_t)));
} else if (
IN6_IS_ADDR_V4MAPPED(&rlinfo->rl_nat_src_end)) {
/*
* proxy-src is a address range - copy ending
* proxy-src address
* V4 case
*/
event->adt_ilb_create_rule.proxy_src_max_type =
ADT_IPv4;
cvt_addr(
event->adt_ilb_create_rule.proxy_src_max,
ADT_IPv4, rlinfo->rl_nat_src_end);
} else {
/* V6 case */
event->adt_ilb_create_rule.proxy_src_max_type =
ADT_IPv6;
cvt_addr(
event->adt_ilb_create_rule.proxy_src_max,
ADT_IPv6, rlinfo->rl_nat_src_end);
}
}
/*
* Fill in pmask if user has specified one - 0 means
* no persistence
*/
valstr1[0] = '\0';
ilbd_ip_to_str(rlinfo->rl_ipversion, &rlinfo->rl_stickymask,
valstr1);
event->adt_ilb_create_rule.persist_mask = valstr1;
/* If there is a hcname */
if (rlinfo->rl_hcname[0] != '\0')
event->adt_ilb_create_rule.hcname = rlinfo->rl_hcname;
/* Fill in hcport */
if (rlinfo->rl_hcpflag == ILB_HCI_PROBE_FIX) {
/* hcport is specified by user */
(void) snprintf(hcpbuf, PORT_LEN, "%d",
rlinfo->rl_hcport);
event->adt_ilb_create_rule.hcport = hcpbuf;
} else if (rlinfo->rl_hcpflag == ILB_HCI_PROBE_ANY) {
/* user has specified "ANY" */
(void) snprintf(hcpbuf, PORT_LEN, "ANY");
event->adt_ilb_create_rule.hcport = hcpbuf;
}
/*
* Fill out the conndrain, nat_timeout and persist_timeout
* If the user does not specify them, the default value
* is set in the kernel. Userland does not know what
* the values are. So if the user
* does not specify these values they will show up as
* 0 in the audit record.
*/
event->adt_ilb_create_rule.conndrain_timeout =
rlinfo->rl_conndrain;
event->adt_ilb_create_rule.nat_timeout =
rlinfo->rl_nat_timeout;
event->adt_ilb_create_rule.persist_timeout =
rlinfo->rl_sticky_timeout;
/* Fill out servergroup and rule name */
event->adt_ilb_create_rule.server_group = rlinfo->rl_sgname;
event->adt_ilb_create_rule.rule_name = rlinfo->rl_name;
break;
}
if (rc == ILB_STATUS_OK) {
if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
logerr("ilbd_audit_rule_event:adt_put_event failed");
exit(EXIT_FAILURE);
}
} else {
audit_error = ilberror2auditerror(rc);
if (adt_put_event(event, ADT_FAILURE, audit_error) != 0) {
logerr("ilbd_audit_rule_event: adt_put_event failed");
exit(EXIT_FAILURE);
}
}
adt_free_event(event);
free(aobuf);
free(valstr1);
free(valstr2);
(void) adt_end_session(ah);
}
/*
* converts IP address from in6_addr format to uint32_t[4]
* This conversion is needed for recording IP address in
* audit records.
*/
void
cvt_addr(uint32_t *audit, int32_t type, struct in6_addr address)
{
if (type == ADT_IPv4) {
/* address is IPv4 */
audit[0] = address._S6_un._S6_u32[3];
} else {
/* address is IPv6 */
(void) memcpy(audit, address._S6_un._S6_u32,
(4 * sizeof (uint32_t)));
}
}
static ilb_status_t
i_ilbd_action_switch(ilbd_rule_t *irl, ilbd_cmd_t cmd,
boolean_t is_rollback, ucred_t *ucredp)
{
ilb_status_t rc;
switch (cmd) {
case ILBD_DESTROY_RULE:
rc = ilbd_destroy_one_rule(irl);
if (!is_rollback) {
ilbd_audit_rule_event(irl->irl_name, NULL,
cmd, rc, ucredp);
}
return (rc);
case ILBD_ENABLE_RULE:
rc = ilbd_enable_one_rule(irl, is_rollback);
if (!is_rollback) {
ilbd_audit_rule_event(irl->irl_name, NULL, cmd,
rc, ucredp);
}
return (rc);
case ILBD_DISABLE_RULE:
rc = ilbd_disable_one_rule(irl, is_rollback);
if (!is_rollback) {
ilbd_audit_rule_event(irl->irl_name, NULL, cmd,
rc, ucredp);
}
return (rc);
}
return (ILB_STATUS_INVAL_CMD);
}
static ilb_cmd_t
i_ilbd2ilb_cmd(ilbd_cmd_t c)
{
ilb_cmd_t r;
switch (c) {
case ILBD_CREATE_RULE:
r = ILB_CREATE_RULE;
break;
case ILBD_DESTROY_RULE:
r = ILB_DESTROY_RULE;
break;
case ILBD_ENABLE_RULE:
r = ILB_ENABLE_RULE;
break;
case ILBD_DISABLE_RULE:
r = ILB_DISABLE_RULE;
break;
}
return (r);
}
static ilbd_cmd_t
get_undo_cmd(ilbd_cmd_t cmd)
{
ilbd_cmd_t u_cmd;
switch (cmd) {
case ILBD_DESTROY_RULE:
u_cmd = ILBD_BAD_CMD;
break;
case ILBD_ENABLE_RULE:
u_cmd = ILBD_DISABLE_RULE;
break;
case ILBD_DISABLE_RULE:
u_cmd = ILBD_ENABLE_RULE;
break;
}
return (u_cmd);
}
static ilb_status_t
i_ilbd_rule_action(const char *rule_name, const struct passwd *ps,
ilbd_cmd_t cmd, ucred_t *ucredp)
{
ilbd_rule_t *irl, *irl_next;
boolean_t is_all_rules = B_FALSE;
ilb_status_t rc = ILB_STATUS_OK;
ilb_name_cmd_t kcmd;
ilbd_cmd_t u_cmd;
char rulename[ILB_NAMESZ];
if (ps != NULL) {
if ((cmd == ILBD_ENABLE_RULE) || (cmd == ILBD_DISABLE_RULE))
rc = ilbd_check_client_enable_auth(ps);
else
rc = ilbd_check_client_config_auth(ps);
/* generate the audit record before bailing out */
if (rc != ILB_STATUS_OK) {
if (rule_name != '\0') {
ilbd_audit_rule_event(rule_name, NULL,
cmd, rc, ucredp);
} else {
(void) snprintf(rulename, sizeof (rulename),
"all");
ilbd_audit_rule_event(rulename, NULL, cmd, rc,
ucredp);
}
goto out;
}
}
is_all_rules = rule_name[0] == 0;
/* just one rule */
if (!is_all_rules) {
irl = i_find_rule_byname(rule_name);
if (irl == NULL) {
rc = ILB_STATUS_ENORULE;
ilbd_audit_rule_event(rule_name, NULL, cmd, rc, ucredp);
goto out;
}
/* auditing will be done by i_ilbd_action_switch() */
rc = i_ilbd_action_switch(irl, cmd, B_FALSE, ucredp);
goto out;
}
/* all rules: first tell the kernel, then walk the daemon's list */
kcmd.cmd = i_ilbd2ilb_cmd(cmd);
kcmd.flags = ILB_RULE_ALLRULES;
rc = do_ioctl(&kcmd, 0);
if (rc != ILB_STATUS_OK) {
(void) snprintf(rulename, sizeof (rulename), "all");
ilbd_audit_rule_event(rulename, NULL, cmd, rc, ucredp);
goto out;
}
irl = list_head(&ilbd_rule_hlist);
while (irl != NULL) {
irl_next = list_next(&ilbd_rule_hlist, irl);
irl->irl_flags |= ILB_FLAGS_RULE_ALLRULES;
/* auditing will be done by i_ilbd_action_switch() */
rc = i_ilbd_action_switch(irl, cmd, B_FALSE, ucredp);
irl->irl_flags &= ~ILB_FLAGS_RULE_ALLRULES;
if (rc != ILB_STATUS_OK)
goto rollback_list;
irl = irl_next;
}
return (rc);
rollback_list:
u_cmd = get_undo_cmd(cmd);
if (u_cmd == ILBD_BAD_CMD)
return (rc);
if (is_all_rules) {
kcmd.cmd = i_ilbd2ilb_cmd(u_cmd);
(void) do_ioctl(&kcmd, 0);
}
/* current list element failed, so we start with previous one */
irl = list_prev(&ilbd_rule_hlist, irl);
while (irl != NULL) {
if (is_all_rules)
irl->irl_flags |= ILB_FLAGS_RULE_ALLRULES;
/*
* When the processing of a command consists of
* multiple sequential steps, and one of them fails,
* ilbd performs rollback to undo the steps taken before the
* failing step. Since ilbd is initiating these steps
* there is not need to audit them.
*/
rc = i_ilbd_action_switch(irl, u_cmd, B_TRUE, NULL);
irl->irl_flags &= ~ILB_FLAGS_RULE_ALLRULES;
irl = list_prev(&ilbd_rule_hlist, irl);
}
out:
return (rc);
}
ilb_status_t
ilbd_destroy_rule(ilbd_name_t rule_name, const struct passwd *ps,
ucred_t *ucredp)
{
return (i_ilbd_rule_action(rule_name, ps, ILBD_DESTROY_RULE, ucredp));
}
ilb_status_t
ilbd_enable_rule(ilbd_name_t rule_name, const struct passwd *ps,
ucred_t *ucredp)
{
return (i_ilbd_rule_action(rule_name, ps, ILBD_ENABLE_RULE, ucredp));
}
ilb_status_t
ilbd_disable_rule(ilbd_name_t rule_name, const struct passwd *ps,
ucred_t *ucredp)
{
return (i_ilbd_rule_action(rule_name, ps, ILBD_DISABLE_RULE, ucredp));
}
/*
* allocate storage for a kernel rule command and fill from
* "template" irl, if non-NULL
*/
static ilb_rule_cmd_t *
i_alloc_kernel_rule_cmd(ilbd_rule_t *irl)
{
ilb_rule_cmd_t *kcmd;
kcmd = (ilb_rule_cmd_t *)malloc(sizeof (*kcmd));
if (kcmd == NULL)
return (kcmd);
bzero(kcmd, sizeof (*kcmd));
if (irl != NULL) {
kcmd->flags = irl->irl_flags;
kcmd->ip_ver = AF_2_IPPROTO(irl->irl_ipversion);
kcmd->vip = irl->irl_vip;
kcmd->proto = irl->irl_proto;
kcmd->min_port = irl->irl_minport;
kcmd->max_port = irl->irl_maxport;
kcmd->algo = algo_lib2impl(irl->irl_algo);
kcmd->topo = topo_lib2impl(irl->irl_topo);
kcmd->sticky_mask = irl->irl_stickymask;
kcmd->nat_src_start = irl->irl_nat_src_start;
kcmd->nat_src_end = irl->irl_nat_src_end;
kcmd->conn_drain_timeout = irl->irl_conndrain;
kcmd->nat_expiry = irl->irl_nat_timeout;
kcmd->sticky_expiry = irl->irl_sticky_timeout;
(void) strlcpy(kcmd->name, irl->irl_name,
sizeof (kcmd->name));
}
return (kcmd);
}
/*
* ncount is the next to be used index into (*kcmdp)->servers
*/
static ilb_status_t
adjust_srv_info_cmd(ilb_servers_info_cmd_t **kcmdp, int index)
{
ilb_servers_info_cmd_t *kcmd = *kcmdp;
size_t sz;
if (kcmd != NULL && kcmd->num_servers > index + 1)
return (ILB_STATUS_OK);
/*
* the first ilb_server_info_t is part of *kcmd, so
* by using index (which is one less than the total needed) here,
* we allocate exactly the amount we need.
*/
sz = sizeof (*kcmd) + (index * sizeof (ilb_server_info_t));
kcmd = (ilb_servers_info_cmd_t *)realloc(kcmd, sz);
if (kcmd == NULL)
return (ILB_STATUS_ENOMEM);
/*
* we don't count the slot we newly allocated yet.
*/
kcmd->num_servers = index;
*kcmdp = kcmd;
return (ILB_STATUS_OK);
}
/*
* this function adds all servers in srvlist to the kernel(!) rule
* the name of which is passed as argument.
*/
static ilb_status_t
i_update_ksrv_rules(char *name, ilbd_sg_t *sg, ilbd_rule_t *rl)
{
ilb_status_t rc;
ilbd_srv_t *srvp;
ilb_servers_info_cmd_t *kcmd = NULL;
int i;
/*
* If the servergroup doesn't have any servers associated with
* it yet, there's nothing more to do here.
*/
if (sg->isg_srvcount == 0)
return (ILB_STATUS_OK);
/*
* walk the list of servers attached to this SG
*/
srvp = list_head(&sg->isg_srvlist);
for (i = 0; srvp != NULL; srvp = list_next(&sg->isg_srvlist, srvp)) {
rc = adjust_srv_info_cmd(&kcmd, i);
if (rc != ILB_STATUS_OK)
goto rollback_kcmd;
ILB_SGSRV_2_KSRV(&srvp->isv_srv, &kcmd->servers[i]);
/*
* "no port" means "copy rule's port" (for kernel rule)
*/
if (kcmd->servers[i].min_port == 0) {
kcmd->servers[i].min_port = rl->irl_minport;
kcmd->servers[i].max_port = rl->irl_maxport;
}
i++;
}
assert(kcmd != NULL);
kcmd->cmd = ILB_ADD_SERVERS;
kcmd->num_servers = i;
(void) strlcpy(kcmd->name, name, sizeof (kcmd->name));
rc = do_ioctl(kcmd, 0);
if (rc != ILB_STATUS_OK)
goto rollback_kcmd;
for (i = 0; i < kcmd->num_servers; i++) {
int e;
if ((e = kcmd->servers[i].err) != 0) {
logerr("i_update_ksrv_rules "
"ioctl indicates failure: %s", strerror(e));
rc = ilb_map_errno2ilbstat(e);
/*
* if adding even a single server failed, we need to
* roll back the whole wad. We ignore any errors and
* return the one that was returned by the first ioctl.
*/
kcmd->cmd = ILB_DEL_SERVERS;
(void) do_ioctl(kcmd, 0);
goto rollback_kcmd;
}
}
rollback_kcmd:
free(kcmd);
return (rc);
}
/* convert a struct in6_addr to valstr */
void
ilbd_ip_to_str(uint16_t ipversion, struct in6_addr *addr, char *valstr)
{
size_t vallen;
ilb_ip_addr_t ipaddr;
void *addrptr;
vallen = (ipversion == AF_INET) ? INET_ADDRSTRLEN : INET6_ADDRSTRLEN;
IP_COPY_IMPL_2_CLI(addr, &ipaddr);
addrptr = (ipversion == AF_INET) ?
(void *)&ipaddr.ia_v4 : (void *)&ipaddr.ia_v6;
if (inet_ntop(ipversion, (void *)addrptr, valstr, vallen == NULL))
logerr("ilbd_ip_to_str: inet_ntop failed");
return;
}
ilb_status_t
ilbd_create_rule(ilb_rule_info_t *rl, int ev_port,
const struct passwd *ps, ucred_t *ucredp)
{
ilb_status_t rc;
ilbd_rule_t *irl = NULL;
ilbd_sg_t *sg;
ilb_rule_cmd_t *kcmd = NULL;
if (ps != NULL) {
if ((rc = ilbd_check_client_config_auth(ps)) != ILB_STATUS_OK)
goto out;
}
if (i_find_rule_byname(rl->rl_name) != NULL) {
logdebug("ilbd_create_rule: rule %s"
" already exists", rl->rl_name);
ilbd_audit_rule_event(NULL, rl, ILBD_CREATE_RULE,
ILB_STATUS_DUP_RULE, ucredp);
return (ILB_STATUS_DUP_RULE);
}
sg = i_find_sg_byname(rl->rl_sgname);
if (sg == NULL) {
logdebug("ilbd_create_rule: rule %s uses non-existent"
" servergroup name %s", rl->rl_name, rl->rl_sgname);
ilbd_audit_rule_event(NULL, rl, ILBD_CREATE_RULE,
ILB_STATUS_SGUNAVAIL, ucredp);
return (ILB_STATUS_SGUNAVAIL);
}
if ((rc = ilbd_sg_check_rule_port(sg, rl)) != ILB_STATUS_OK) {
ilbd_audit_rule_event(NULL, rl, ILBD_CREATE_RULE, rc, ucredp);
return (rc);
}
/* allocs and copies contents of arg (if != NULL) into new rule */
irl = i_alloc_ilbd_rule(rl);
if (irl == NULL) {
ilbd_audit_rule_event(NULL, rl, ILBD_CREATE_RULE,
ILB_STATUS_ENOMEM, ucredp);
return (ILB_STATUS_ENOMEM);
}
/* make sure rule's IPversion (via vip) and SG's match */
if (sg->isg_srvcount > 0) {
ilbd_srv_t *srv = list_head(&sg->isg_srvlist);
int32_t r_af = rl->rl_ipversion;
int32_t s_af = GET_AF(&srv->isv_addr);
if (r_af != s_af) {
logdebug("address family mismatch with servergroup");
rc = ILB_STATUS_MISMATCHSG;
goto out;
}
}
irl->irl_sg = sg;
/* Try associating the rule with the given hc oject. */
if (RULE_HAS_HC(irl)) {
if ((rc = ilbd_hc_associate_rule(irl, ev_port)) !=
ILB_STATUS_OK)
goto out;
}
/*
* checks are done, now:
* 1. create rule in kernel
* 2. tell it about the backend server (which we maintain in SG)
* 3. attach the rule in memory
*/
/* 1. */
/* allocs and copies contents of arg (if != NULL) into new rule */
kcmd = i_alloc_kernel_rule_cmd(irl);
if (kcmd == NULL) {
rc = ILB_STATUS_ENOMEM;
goto rollback_hc;
}
kcmd->cmd = ILB_CREATE_RULE;
rc = do_ioctl(kcmd, 0);
if (rc != ILB_STATUS_OK)
goto rollback_kcmd;
/* 2. */
rc = i_update_ksrv_rules(kcmd->name, sg, irl);
if (rc != ILB_STATUS_OK)
goto rollback_kcmd;
/* 3. */
(void) i_attach_rule2sg(sg, irl);
list_insert_tail(&ilbd_rule_hlist, irl);
if (ps != NULL) {
rc = i_ilbd_save_rule(irl, ILBD_SCF_CREATE);
if (rc != ILB_STATUS_OK)
goto rollback_rule;
}
free(kcmd);
ilbd_audit_rule_event(NULL, rl, ILBD_CREATE_RULE,
ILB_STATUS_OK, ucredp);
return (ILB_STATUS_OK);
rollback_rule:
/*
* ilbd_destroy_one_rule() also frees irl, as well as dissociate
* rule and HC, so all we need to do afterwards is free the kcmd
* and return.
*/
(void) ilbd_destroy_one_rule(irl);
ilbd_audit_rule_event(NULL, rl, ILBD_CREATE_RULE, rc, ucredp);
free(kcmd);
return (rc);
rollback_kcmd:
free(kcmd);
rollback_hc:
/* Cannot fail since the rule is just associated with the hc object. */
if (RULE_HAS_HC(irl))
(void) ilbd_hc_dissociate_rule(irl);
out:
ilbd_audit_rule_event(NULL, rl, ILBD_CREATE_RULE, rc, ucredp);
free(irl);
return (rc);
}
static uint32_t
i_flags_d2k(int f)
{
uint32_t r = 0;
if (ILB_IS_SRV_ENABLED(f))
r |= ILB_SERVER_ENABLED;
/* more as they are defined */
return (r);
}
/*
* walk the list of rules and add srv to the *kernel* rule
* (this is a list of rules hanging off of a server group)
*/
ilb_status_t
i_add_srv2krules(list_t *rlist, ilb_sg_srv_t *srv, int ev_port)
{
ilb_status_t rc = ILB_STATUS_OK;
ilbd_rule_t *rl, *del_rl;
ilb_servers_info_cmd_t kcmd;
ilb_servers_cmd_t del_kcmd;
kcmd.cmd = ILB_ADD_SERVERS;
kcmd.num_servers = 1;
kcmd.servers[0].err = 0;
kcmd.servers[0].addr = srv->sgs_addr;
kcmd.servers[0].flags = i_flags_d2k(srv->sgs_flags);
(void) strlcpy(kcmd.servers[0].name, srv->sgs_srvID,
sizeof (kcmd.servers[0].name));
/*
* a note about rollback: since we need to start rollback with the
* current list element in some case, and with the previous one
* in others, we must "go back" in this latter case before
* we jump to the rollback code.
*/
for (rl = list_head(rlist); rl != NULL; rl = list_next(rlist, rl)) {
(void) strlcpy(kcmd.name, rl->irl_name, sizeof (kcmd.name));
/*
* sgs_minport == 0 means "no port specified"; this
* indicates that the server matches anything the rule
* provides.
* NOTE: this can be different for different rules
* using the same server group, therefore we don't modify
* this information in the servergroup, but *only* in
* the kernel's rule.
*/
if (srv->sgs_minport == 0) {
kcmd.servers[0].min_port = rl->irl_minport;
kcmd.servers[0].max_port = rl->irl_maxport;
} else {
kcmd.servers[0].min_port = srv->sgs_minport;
kcmd.servers[0].max_port = srv->sgs_maxport;
}
rc = do_ioctl((void *)&kcmd, 0);
if (rc != ILB_STATUS_OK) {
logdebug("i_add_srv2krules: do_ioctl call failed");
del_rl = list_prev(rlist, rl);
goto rollback;
}
/*
* if ioctl() returns != 0, it doesn't perform the copyout
* necessary to indicate *which* server failed (we could be
* adding more than one); therefore we must check this
* 'err' field even if ioctl() returns 0.
*/
if (kcmd.servers[0].err != 0) {
logerr("i_add_srv2krules: SIOCILB ioctl returned"
" error %d", kcmd.servers[0].err);
rc = ilb_map_errno2ilbstat(kcmd.servers[0].err);
del_rl = list_prev(rlist, rl);
goto rollback;
}
if (RULE_HAS_HC(rl)) {
if ((rc = ilbd_hc_add_server(rl, srv, ev_port)) !=
ILB_STATUS_OK) {
logerr("i_add_srv2krules: cannot start timer "
" for rules %s server %s", rl->irl_name,
srv->sgs_srvID);
del_rl = rl;
goto rollback;
}
}
}
return (rc);
rollback:
/*
* this is almost, but not quite, the same as i_rem_srv_frm_krules()
* therefore we keep it seperate.
*/
del_kcmd.cmd = ILB_DEL_SERVERS;
del_kcmd.num_servers = 1;
del_kcmd.servers[0].addr = srv->sgs_addr;
while (del_rl != NULL) {
if (RULE_HAS_HC(del_rl))
(void) ilbd_hc_del_server(del_rl, srv);
(void) strlcpy(del_kcmd.name, del_rl->irl_name,
sizeof (del_kcmd.name));
(void) do_ioctl((void *)&del_kcmd, 0);
del_rl = list_prev(rlist, del_rl);
}
return (rc);
}
/*
* ev_port is only used for rollback purposes in this function
*/
ilb_status_t
i_rem_srv_frm_krules(list_t *rlist, ilb_sg_srv_t *srv, int ev_port)
{
ilb_status_t rc = ILB_STATUS_OK;
ilbd_rule_t *rl, *add_rl;
ilb_servers_cmd_t kcmd;
ilb_servers_info_cmd_t add_kcmd;
kcmd.cmd = ILB_DEL_SERVERS;
kcmd.num_servers = 1;
kcmd.servers[0].err = 0;
kcmd.servers[0].addr = srv->sgs_addr;
for (rl = list_head(rlist); rl != NULL; rl = list_next(rlist, rl)) {
(void) strlcpy(kcmd.name, rl->irl_name, sizeof (kcmd.name));
rc = do_ioctl((void *)&kcmd, 0);
if (rc != ILB_STATUS_OK) {
logdebug("i_rem_srv_frm_krules: do_ioctl"
"call failed");
add_rl = list_prev(rlist, rl);
goto rollback;
}
/*
* if ioctl() returns != 0, it doesn't perform the copyout
* necessary to indicate *which* server failed (we could be
* removing more than one); therefore we must check this
* 'err' field even if ioctl() returns 0.
*/
if (kcmd.servers[0].err != 0) {
logerr("i_rem_srv_frm_krules: SIOCILB ioctl"
" returned error %s",
strerror(kcmd.servers[0].err));
rc = ilb_map_errno2ilbstat(kcmd.servers[0].err);
add_rl = list_prev(rlist, rl);
goto rollback;
}
if (RULE_HAS_HC(rl) &&
(rc = ilbd_hc_del_server(rl, srv)) != ILB_STATUS_OK) {
logerr("i_rem_srv_frm_krules: cannot delete "
"timer for rules %s server %s", rl->irl_name,
srv->sgs_srvID);
add_rl = rl;
goto rollback;
}
}
return (rc);
rollback:
/* Don't do roll back if ev_port == -1. */
if (ev_port == -1)
return (rc);
add_kcmd.cmd = ILB_ADD_SERVERS;
add_kcmd.num_servers = 1;
add_kcmd.servers[0].err = 0;
add_kcmd.servers[0].addr = srv->sgs_addr;
add_kcmd.servers[0].flags = i_flags_d2k(srv->sgs_flags);
(void) strlcpy(add_kcmd.servers[0].name, srv->sgs_srvID,
sizeof (add_kcmd.servers[0].name));
while (add_rl != NULL) {
if (srv->sgs_minport == 0) {
add_kcmd.servers[0].min_port = add_rl->irl_minport;
add_kcmd.servers[0].max_port = add_rl->irl_maxport;
} else {
add_kcmd.servers[0].min_port = srv->sgs_minport;
add_kcmd.servers[0].max_port = srv->sgs_maxport;
}
if (RULE_HAS_HC(add_rl))
(void) ilbd_hc_add_server(add_rl, srv, ev_port);
(void) strlcpy(add_kcmd.name, add_rl->irl_name,
sizeof (add_kcmd.name));
(void) do_ioctl((void *)&add_kcmd, 0);
add_rl = list_prev(rlist, add_rl);
}
return (rc);
}