mac_protect.c revision 25ec3e3dd27cc1038c10efa18ed08f064eab5fbe
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <sys/mac_impl.h>
#include <sys/mac_client_impl.h>
#include <sys/mac_client_priv.h>
#include <sys/ethernet.h>
/*
* Check if ipaddr is in the 'allowed-ips' list.
*/
/*
 * NOTE(review): the function name, its parameter list and the
 * per-entry comparison inside the loop are missing from this listing;
 * what is visible reads protect->mp_ipaddrcnt and tests 'ipaddr'.
 * Returns B_TRUE when the address is accepted, B_FALSE otherwise.
 */
static boolean_t
{
uint_t i;
/*
 * The unspecified address is accepted unconditionally: it is
 * harmless and is used by ARP, DHCP, etc.
 */
if (ipaddr == INADDR_ANY)
return (B_TRUE);
/*
 * Linear scan of the configured list.  The match test itself is
 * not shown in this listing; only the B_TRUE result on a match is.
 */
for (i = 0; i < protect->mp_ipaddrcnt; i++) {
return (B_TRUE);
}
/* No entry matched: this client may not use 'ipaddr' as a source. */
return (B_FALSE);
}
/*
* Enforce ip-nospoof protection. Only IPv4 is supported for now.
*/
/*
 * NOTE(review): the function name, its parameters and the conditions
 * guarding most of the goto fail statements are missing from this
 * listing; the comments below describe only what is visible.
 * Returns 0 when the packet may pass, otherwise the non-zero 'err'
 * chosen by the failing check.
 */
static int
{
/*
 * This handles the case where the mac header is not in
 * the same mblk as the IP header.
 */
/*
 * IP header missing. Let the packet through.
 *
 * NOTE(review): this path is fail-open -- a frame that cannot be
 * parsed far enough to locate an IP header is accepted rather than
 * dropped, and it does not reach the 'fail' label, so it is not
 * counted by the ipnospoof stat mentioned there.  Confirm against
 * the full source that this is intended.
 */
return (0);
}
/*
 * Dispatch on the link-layer SAP.  Only ETHERTYPE_IP and
 * ETHERTYPE_ARP are inspected; every other SAP hits the default
 * case and passes unchecked (the header comment notes that only
 * IPv4 is supported for now).
 */
switch (sap) {
case ETHERTYPE_IP: {
/* each goto below is taken when a condition not shown here fails */
goto fail;
goto fail;
break;
}
case ETHERTYPE_ARP: {
goto fail;
goto fail;
goto fail;
/* presumably validates the ARP hardware address length; condition is truncated here */
if (hlen != 0 &&
goto fail;
goto fail;
break;
}
default:
/* Not an IPv4-bearing SAP: nothing to verify. */
break;
}
return (0);
fail:
/*
 * increment ipnospoof stat here
 *
 * NOTE(review): still a TODO in this revision -- no counter is
 * updated on the visible lines, so rejected packets leave no trace
 * in the client's statistics.
 */
return (err);
}
/*
* Enforce link protection on one packet.
*/
/*
 * NOTE(review): the signature, the call that assigns 'err', and the
 * conditions of several if statements are missing from this listing.
 * What is visible: each enabled protection type in 'types' is checked
 * in turn and the first failure returns a non-zero errno; 0 means the
 * packet passed every enabled check.
 */
static int
{
int err;
/* the call that sets 'err' is not shown in this listing */
if (err != 0) {
return (err);
}
/* mac-nospoof rejection; the condition tested is not shown here */
if ((types & MPT_MACNOSPOOF) != 0) {
return (EINVAL);
}
}
if ((types & MPT_RESTRICTED) != 0) {
/*
 * ETHERTYPE_VLAN packets are allowed through, provided that
 * the vid is not spoofed.
 */
return (EINVAL);
}
/*
 * Restricted mode: only the SAPs named in the (truncated) condition,
 * of which ETHERTYPE_ARP is the last, are allowed.
 */
sap != ETHERTYPE_ARP) {
return (EINVAL);
}
}
if ((types & MPT_IPNOSPOOF) != 0) {
/* the ip-nospoof check's own error code is propagated unchanged */
return (err);
}
}
/* Passed every enabled check. */
return (0);
}
/*
* Enforce link protection on a packet chain.
* Packets that pass the checks are returned to the caller.
*/
/*
 * NOTE(review): the signature, the aggr test and the per-packet loop
 * body are missing from this listing.  Visible behaviour: on the aggr
 * path the chain 'mp' is returned untouched; otherwise the packets
 * that survive the checks are returned as 'ret_mp'.
 */
mblk_t *
{
/*
 * Skip checks if we are part of an aggr.
 *
 * NOTE(review): no link-protection check runs on this path at all;
 * confirm against the full source that the aggr layer covers it,
 * since otherwise a client behind an aggr is unprotected.
 */
return (mp);
} else {
/* per-packet check and collection of survivors into ret_mp -- not shown here */
}
}
return (ret_mp);
}
/*
* Check if a particular protection type is enabled.
*/
{
/*
 * NOTE(review): the signature and body are missing from this
 * listing; only the braces survive.  Per the header comment it
 * reports whether a particular protection type is enabled.
 */
}
/*
* Sanity-checks parameters given by userland.
*/
/*
 * Validate a protection configuration supplied by userland before it
 * is applied.  Returns 0 when acceptable, EINVAL otherwise.
 *
 * NOTE(review): the signature and the condition of the first check
 * are missing from this listing; 'p' is the structure being validated.
 */
int
{
/* check for invalid types (condition truncated in this listing) */
return (EINVAL);
/*
 * MPT_RESET appears to be a sentinel value of mp_ipaddrcnt: when it
 * is set the address list is not validated at all.
 */
if (p->mp_ipaddrcnt != MPT_RESET) {
uint_t i, j;
/* Bound the count first: it is the index limit into mp_ipaddrs below. */
if (p->mp_ipaddrcnt > MPT_MAXIPADDR)
return (EINVAL);
for (i = 0; i < p->mp_ipaddrcnt; i++) {
/*
 * The unspecified address is implicitly allowed
 * so there's no need to add it to the list.
 */
if (p->mp_ipaddrs[i] == INADDR_ANY)
return (EINVAL);
/*
 * Reject duplicates.  Quadratic, but the count is capped at
 * MPT_MAXIPADDR above.
 */
for (j = 0; j < p->mp_ipaddrcnt; j++) {
/* found a duplicate */
if (i != j &&
p->mp_ipaddrs[i] == p->mp_ipaddrs[j])
return (EINVAL);
}
}
}
return (0);
}
/*
*/
/*
 * NOTE(review): the signature, the tunnel test and the call that
 * assigns 'err' are missing from this listing.  Visible behaviour:
 * ENOTSUP for tunnels, otherwise the error from the unseen call is
 * propagated and 0 is returned on success.
 */
int
{
int err;
/* tunnels are not supported */
return (ENOTSUP);
/* a non-zero 'err' from the preceding (unseen) call is returned as-is */
return (err);
return (0);
}
/*
 * NOTE(review): the signature and most conditions are missing from
 * this listing.  'np' and 'cp' look like the new and current
 * protection structures.  The visible lines pass
 * sizeof (cp->mp_ipaddrs) to some call and then zero mp_ipaddrcnt,
 * which suggests a reset path alongside a replace path -- confirm
 * against the full source.
 */
void
{
} else {
/* 'types' is only applied when non-zero; its assignment is not shown */
if (types != 0) {
}
}
if (np->mp_ipaddrcnt != 0) {
/* the call's last argument is the whole destination array size, not np->mp_ipaddrcnt */
sizeof (cp->mp_ipaddrs));
cp->mp_ipaddrcnt = 0;
}
}
}