Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1315 lines
38 KiB

/********************************************************************/
/** Microsoft LAN Manager **/
/** Copyright(c) Microsoft Corp., 1990-1993 **/
/********************************************************************/
/* :ts=4 */
//** SECFLTR.C - Security Filter Support
//
//
// Security filters provide a mechanism by which the transport protocol
// traffic accepted on IP interfaces may be controlled. Security filtering
// is globally enabled or disabled for all IP interfaces and transports.
// If filtering is enabled, incoming traffic is filtered based on registered
// {interface, protocol, transport value} tuples. The tuples specify
// permissible traffic. All other values will be rejected. For UDP datagrams
// and TCP connections, the transport value is the port number. For RawIP
// datagrams, the transport value is the IP protocol number. An entry exists
// in the filter database for all active interfaces and protocols in the
// system.
//
// The initial status of security filtering - enabled or disabled, is
// controlled by the registry parameter
//
// Services\Tcpip\Parameters\EnableSecurityFilters
//
// If the parameter is not found, filtering is disabled.
//
// The list of permissible values for each protocol is stored in the registry
// under the <Adaptername>\Parameters\Tcpip key in MULTI_SZ parameters.
// The parameter names are TCPAllowedPorts, UDPAllowedPorts and
// RawIPAllowedProtocols. If no parameter is found for a particular protocol,
// all values are permissible. If a parameter is found, the string identifies
// the permissible values. If the string is empty, no values are permissible.
//
// Filter Operation (Filtering Enabled):
//
// IF ( Match(interface, protocol) AND ( AllValuesPermitted(Protocol) OR
// Match(Value) ))
// THEN operation permitted.
// ELSE operation rejected.
//
// Database Implementation:
//
// The filter database is implemented as a three-level structure. The top
// level is a list of interface entries. Each interface entry points to
// a list of protocol entries. Each protocol entry contains a bucket hash
// table used to store transport value entries.
//
// The following calls may be used to access the security filter database:
//
// InitializeSecurityFilters
// CleanupSecurityFilters
// IsSecurityFilteringEnabled
// ControlSecurityFiltering
// AddProtocolSecurityFilter
// DeleteProtocolSecurityFilter
// AddValueSecurityFilter
// DeleteValueSecurityFilter
// EnumerateSecurityFilters
// IsPermittedSecurityFilter
//
#include "precomp.h"
#include "addr.h"
#include "tlcommon.h"
#include "udp.h"
#include "tcp.h"
#include "raw.h"
#include "tcpcfg.h"
#include "tcpinfo.h"
#include "secfltr.h"
//
// All of the init code can be discarded.
//
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, InitializeSecurityFilters)
#endif
//
// The following routines must be supplied by each platform which implements
// security filters.
//
extern TDI_STATUS
GetSecurityFilterList(
IN NDIS_HANDLE ConfigHandle,
IN ulong Protocol,
IN OUT PNDIS_STRING FilterList
);
extern uint
EnumSecurityFilterValue(
IN PNDIS_STRING FilterList,
IN ulong Index,
OUT ulong * FilterValue
);
//
// Constants
//
#define DHCP_CLIENT_PORT 68
//
// Modification Opcodes
//
#define ADD_VALUE_SECURITY_FILTER 0
#define DELETE_VALUE_SECURITY_FILTER 1
//
// Types
//
//
// Structure for a transport value entry.
//
struct value_entry {
struct Queue ve_link;
ulong ve_value;
};
typedef struct value_entry VALUE_ENTRY, *PVALUE_ENTRY;
#define VALUE_ENTRY_HASH_SIZE 16
#define VALUE_ENTRY_HASH(value) (value % VALUE_ENTRY_HASH_SIZE)
//
// Structure for a protocol entry.
//
struct protocol_entry {
struct Queue pe_link;
ulong pe_protocol;
ULONG pe_accept_all; // TRUE if all values are accepted.
struct Queue pe_entries[VALUE_ENTRY_HASH_SIZE];
};
typedef struct protocol_entry PROTOCOL_ENTRY, *PPROTOCOL_ENTRY;
//
// Structure for an interface entry.
//
struct interface_entry {
struct Queue ie_link;
IPAddr ie_address;
struct Queue ie_protocol_list; // list of protocols to filter
};
typedef struct interface_entry INTERFACE_ENTRY, *PINTERFACE_ENTRY;
//
// Global Data
//
//
// This list of interface entries is the root of the filter database.
//
struct Queue InterfaceEntryList;
//
// The filter operations are synchronized using the AddrObjTableLock.
//
extern IPInfo LocalNetInfo;
//
// Filter Database Helper Functions
//
//* FindInterfaceEntry - Search for an interface entry.
//
// This utility routine searches the security filter database
// for the specified interface entry.
//
//
// Input: InterfaceAddress - The address of the interface to search for.
//
//
// Returns: A pointer to the database entry for the Interface,
// or NULL if no match was found.
//
//
PINTERFACE_ENTRY
FindInterfaceEntry(ULONG InterfaceAddress)
{
PINTERFACE_ENTRY ientry;
struct Queue *qentry;
for (qentry = InterfaceEntryList.q_next;
qentry != &InterfaceEntryList;
qentry = qentry->q_next
) {
ientry = STRUCT_OF(INTERFACE_ENTRY, qentry, ie_link);
if (ientry->ie_address == InterfaceAddress) {
return (ientry);
}
}
return (NULL);
}
//* FindProtocolEntry - Search for a protocol associated with an interface.
//
// This utility routine searches the security filter database
// for the specified protocol registered under the specified interface.
//
//
// Input: InterfaceEntry - A pointer to an interface entry to search under.
// Protocol - The protocol value to search for.
//
//
// Returns: A pointer to the database entry for the <Address, Protocol>,
// or NULL if no match was found.
//
//
PPROTOCOL_ENTRY
FindProtocolEntry(PINTERFACE_ENTRY InterfaceEntry, ULONG Protocol)
{
PPROTOCOL_ENTRY pentry;
struct Queue *qentry;
for (qentry = InterfaceEntry->ie_protocol_list.q_next;
qentry != &(InterfaceEntry->ie_protocol_list);
qentry = qentry->q_next
) {
pentry = STRUCT_OF(PROTOCOL_ENTRY, qentry, pe_link);
if (pentry->pe_protocol == Protocol) {
return (pentry);
}
}
return (NULL);
}
//* FindValueEntry - Search for a value on a particular protocol.
//
// This utility routine searches the security filter database
// for the specified value registered under the specified protocol.
//
//
// Input: ProtocolEntry - A pointer to the database structure for the
// Protocol to search.
// FilterValue - The value to search for.
//
//
// Returns: A pointer to the database entry for the <Protocol, Value>,
// or NULL if no match was found.
//
//
PVALUE_ENTRY
FindValueEntry(PPROTOCOL_ENTRY ProtocolEntry, ULONG FilterValue)
{
PVALUE_ENTRY ventry;
ulong hash_value = VALUE_ENTRY_HASH(FilterValue);
struct Queue *qentry;
for (qentry = ProtocolEntry->pe_entries[hash_value].q_next;
qentry != &(ProtocolEntry->pe_entries[hash_value]);
qentry = qentry->q_next
) {
ventry = STRUCT_OF(VALUE_ENTRY, qentry, ve_link);
if (ventry->ve_value == FilterValue) {
return (ventry);
}
}
return (NULL);
}
//* DeleteProtocolValueEntries
//
// This utility routine deletes all the value entries associated with
// a protocol filter entry.
//
//
// Input: ProtocolEntry - The protocol filter entry for which to
// delete the value entries.
//
//
// Returns: Nothing
//
void
DeleteProtocolValueEntries(PPROTOCOL_ENTRY ProtocolEntry)
{
ulong i;
PVALUE_ENTRY entry;
for (i = 0; i < VALUE_ENTRY_HASH_SIZE; i++) {
while (!EMPTYQ(&(ProtocolEntry->pe_entries[i]))) {
DEQUEUE(&(ProtocolEntry->pe_entries[i]), entry, VALUE_ENTRY, ve_link);
CTEFreeMem(entry);
}
}
return;
}
//* ModifyProtocolEntry
//
// This utility routine modifies one or more filter values associated
// with a protocol.
//
//
// Input: Operation - The operation to perform (add or delete)
//
// ProtocolEntry - A pointer to the protocol entry structure on
// which to operate.
//
// FilterValue - The value to add or delete.
//
//
// Returns: TDI_STATUS code
//
TDI_STATUS
ModifyProtocolEntry(ulong Operation, PPROTOCOL_ENTRY ProtocolEntry,
ulong FilterValue)
{
TDI_STATUS status = TDI_SUCCESS;
if (FilterValue == 0) {
if (Operation == ADD_VALUE_SECURITY_FILTER) {
//
// Accept all values for the protocol
//
ProtocolEntry->pe_accept_all = TRUE;
} else {
//
// Reject all values for the protocol
//
ProtocolEntry->pe_accept_all = FALSE;
}
DeleteProtocolValueEntries(ProtocolEntry);
} else {
PVALUE_ENTRY ventry;
ulong hash_value;
//
// This request modifies an individual entry.
//
ventry = FindValueEntry(ProtocolEntry, FilterValue);
if (Operation == ADD_VALUE_SECURITY_FILTER) {
if (ventry == NULL) {
ventry = CTEAllocMem(sizeof(VALUE_ENTRY));
if (ventry != NULL) {
ventry->ve_value = FilterValue;
hash_value = VALUE_ENTRY_HASH(FilterValue);
ENQUEUE(&(ProtocolEntry->pe_entries[hash_value]),
&(ventry->ve_link));
ProtocolEntry->pe_accept_all = FALSE;
} else {
status = TDI_NO_RESOURCES;
}
}
} else {
if (ventry != NULL) {
REMOVEQ(&(ventry->ve_link));
CTEFreeMem(ventry);
}
}
}
return (status);
}
//* ModifyInterfaceEntry
//
// This utility routine modifies the value entries of one or more protocol
// entries associated with an interface.
//
//
// Input: Operation - The operation to perform (add or delete)
//
// ProtocolEntry - A pointer to the interface entry structure on
// which to operate.
//
// Protocol - The protocol on which to operate.
//
// FilterValue - The value to add or delete.
//
//
// Returns: TDI_STATUS code
//
TDI_STATUS
ModifyInterfaceEntry(ulong Operation, PINTERFACE_ENTRY InterfaceEntry,
ulong Protocol, ulong FilterValue)
{
PPROTOCOL_ENTRY pentry;
TDI_STATUS status;
TDI_STATUS returnStatus = TDI_SUCCESS;
if (Protocol == 0) {
struct Queue *qentry;
//
// Modify all protocols on the interface
//
for (qentry = InterfaceEntry->ie_protocol_list.q_next;
qentry != &(InterfaceEntry->ie_protocol_list);
qentry = qentry->q_next
) {
pentry = STRUCT_OF(PROTOCOL_ENTRY, qentry, pe_link);
status = ModifyProtocolEntry(Operation, pentry, FilterValue);
if (status != TDI_SUCCESS) {
returnStatus = status;
}
}
} else {
//
// Modify a specific protocol on the interface
//
pentry = FindProtocolEntry(InterfaceEntry, Protocol);
if (pentry != NULL) {
returnStatus = ModifyProtocolEntry(Operation, pentry, FilterValue);
} else {
returnStatus = TDI_INVALID_PARAMETER;
}
}
return (returnStatus);
}
//* ModifySecurityFilter - Add or delete an entry.
//
// This routine adds or deletes an entry to/from the security filter database.
//
//
// Input: Operation - The operation to perform (Add or Delete)
// InterfaceAddress - The interface address to modify.
// Protocol - The protocol to modify.
// FilterValue - The transport value to add/delete.
//
// Returns: A TDI status code:
// TDI_INVALID_PARAMETER if the protocol is not in the database.
// TDI_ADDR_INVALID if the interface is not in the database.
// TDI_NO_RESOURCES if memory could not be allocated.
// TDI_SUCCESS otherwise
//
// NOTES:
//
TDI_STATUS
ModifySecurityFilter(ulong Operation, IPAddr InterfaceAddress, ulong Protocol,
ulong FilterValue)
{
PINTERFACE_ENTRY ientry;
TDI_STATUS status;
TDI_STATUS returnStatus = TDI_SUCCESS;
if (InterfaceAddress == 0) {
struct Queue *qentry;
//
// Modify on all interfaces
//
for (qentry = InterfaceEntryList.q_next;
qentry != &InterfaceEntryList;
qentry = qentry->q_next
) {
ientry = STRUCT_OF(INTERFACE_ENTRY, qentry, ie_link);
status = ModifyInterfaceEntry(Operation, ientry, Protocol,
FilterValue);
if (status != TDI_SUCCESS) {
returnStatus = status;
}
}
} else {
ientry = FindInterfaceEntry(InterfaceAddress);
if (ientry != NULL) {
returnStatus = ModifyInterfaceEntry(Operation, ientry, Protocol,
FilterValue);
} else {
returnStatus = TDI_ADDR_INVALID;
}
}
return (returnStatus);
}
//* FillInEnumerationEntry
//
// This utility routine fills in an enumeration entry for a particular
// filter value entry.
//
//
// Input: InterfaceAddress - The address of the associated interface.
//
// Protocol - The associated protocol number.
//
// Value - The enumerated value.
//
// Buffer - Pointer to the user's enumeration buffer.
//
// BufferSize - Pointer to the size of the enumeration buffer.
//
// EntriesReturned - Pointer to a running count of enumerated
// entries stored in Buffer.
//
// EntriesAvailable - Pointer to a running count of entries available
// for enumeration.
//
// Returns: Nothing.
//
// Note: Values written to enumeration entry are in host byte order.
//
void
FillInEnumerationEntry(IPAddr InterfaceAddress, ulong Protocol, ulong Value,
uchar ** Buffer, ulong * BufferSize,
ulong * EntriesReturned, ulong * EntriesAvailable)
{
TCPSecurityFilterEntry *entry = (TCPSecurityFilterEntry *) * Buffer;
if (*BufferSize >= sizeof(TCPSecurityFilterEntry)) {
entry->tsf_address = net_long(InterfaceAddress);
entry->tsf_protocol = Protocol;
entry->tsf_value = Value;
*Buffer += sizeof(TCPSecurityFilterEntry);
*BufferSize -= sizeof(TCPSecurityFilterEntry);
(*EntriesReturned)++;
}
(*EntriesAvailable)++;
return;
}
//* EnumerateProtocolValues
//
// This utility routine enumerates values associated with a
// protocol on an interface.
//
//
// Input: InterfaceEntry - Pointer to the associated interface entry.
//
// ProtocolEntry - Pointer to the protocol being enumerated.
//
// Value - The value to enumerate.
//
// Buffer - Pointer to the user's enumeration buffer.
//
// BufferSize - Pointer to the size of the enumeration buffer.
//
// EntriesReturned - Pointer to a running count of enumerated
// entries stored in Buffer.
//
// EntriesAvailable - Pointer to a running count of entries available
// for enumeration.
//
// Returns: Nothing.
//
void
EnumerateProtocolValues(PINTERFACE_ENTRY InterfaceEntry,
PPROTOCOL_ENTRY ProtocolEntry, ulong Value,
uchar ** Buffer, ulong * BufferSize,
ulong * EntriesReturned, ulong * EntriesAvailable)
{
struct Queue *qentry;
TDI_STATUS status = TDI_SUCCESS;
PVALUE_ENTRY ventry;
ulong i;
if (Value == 0) {
//
// Enumerate all values
//
if (ProtocolEntry->pe_accept_all == TRUE) {
//
// All values permitted.
//
FillInEnumerationEntry(
InterfaceEntry->ie_address,
ProtocolEntry->pe_protocol,
0,
Buffer,
BufferSize,
EntriesReturned,
EntriesAvailable
);
} else {
for (i = 0; i < VALUE_ENTRY_HASH_SIZE; i++) {
for (qentry = ProtocolEntry->pe_entries[i].q_next;
qentry != &(ProtocolEntry->pe_entries[i]);
qentry = qentry->q_next
) {
ventry = STRUCT_OF(VALUE_ENTRY, qentry, ve_link);
FillInEnumerationEntry(
InterfaceEntry->ie_address,
ProtocolEntry->pe_protocol,
ventry->ve_value,
Buffer,
BufferSize,
EntriesReturned,
EntriesAvailable
);
}
}
}
} else {
//
// Enumerate a specific value, if it is registered.
//
ventry = FindValueEntry(ProtocolEntry, Value);
if (ventry != NULL) {
FillInEnumerationEntry(
InterfaceEntry->ie_address,
ProtocolEntry->pe_protocol,
ventry->ve_value,
Buffer,
BufferSize,
EntriesReturned,
EntriesAvailable
);
}
}
return;
}
//* EnumerateInterfaceProtocols
//
// This utility routine enumerates protocols associated with
// an interface.
//
//
// Input: InterfaceEntry - Pointer to the associated interface entry.
//
// Protocol - Protocol number to enumerate.
//
// Value - The filter value to enumerate.
//
// Buffer - Pointer to the user's enumeration buffer.
//
// BufferSize - Pointer to the size of the enumeration buffer.
//
// EntriesReturned - Pointer to a running count of enumerated
// entries stored in Buffer.
//
// EntriesAvailable - Pointer to a running count of entries available
// for enumeration.
//
// Returns: Nothing.
//
void
EnumerateInterfaceProtocols(PINTERFACE_ENTRY InterfaceEntry, ulong Protocol,
ulong Value, uchar ** Buffer, ulong * BufferSize,
ulong * EntriesReturned, ulong * EntriesAvailable)
{
PPROTOCOL_ENTRY pentry;
if (Protocol == 0) {
struct Queue *qentry;
//
// Enumerate all protocols.
//
for (qentry = InterfaceEntry->ie_protocol_list.q_next;
qentry != &(InterfaceEntry->ie_protocol_list);
qentry = qentry->q_next
) {
pentry = STRUCT_OF(PROTOCOL_ENTRY, qentry, pe_link);
EnumerateProtocolValues(
InterfaceEntry,
pentry,
Value,
Buffer,
BufferSize,
EntriesReturned,
EntriesAvailable
);
}
} else {
//
// Enumerate a specific protocol
//
pentry = FindProtocolEntry(InterfaceEntry, Protocol);
if (pentry != NULL) {
EnumerateProtocolValues(
InterfaceEntry,
pentry,
Value,
Buffer,
BufferSize,
EntriesReturned,
EntriesAvailable
);
}
}
return;
}
//
// Filter Database Public API.
//
//* InitializeSecurityFilters - Initializes the security filter database.
//
// The routine performs the initialization necessary to enable the
// security filter database for operation.
//
// Input: None.
//
// Returns: Nothing.
//
//
void
InitializeSecurityFilters(void)
{
INITQ(&InterfaceEntryList);
return;
}
//* CleanupSecurityFilters - Deletes the entire security filter database.
//
// This routine deletes all entries from the security filter database.
//
//
// Input: None.
//
// Returns: Nothing.
//
// NOTE: This routine acquires the AddrObjTableLock.
//
//
void
CleanupSecurityFilters(void)
{
PPROTOCOL_ENTRY pentry;
PINTERFACE_ENTRY ientry;
CTELockHandle handle;
CTEGetLock(&AddrObjTableLock.Lock, &handle);
while (!EMPTYQ(&InterfaceEntryList)) {
DEQUEUE(&InterfaceEntryList, ientry, INTERFACE_ENTRY, ie_link);
while (!EMPTYQ(&(ientry->ie_protocol_list))) {
DEQUEUE(&(ientry->ie_protocol_list), pentry, PROTOCOL_ENTRY,
pe_link);
DeleteProtocolValueEntries(pentry);
CTEFreeMem(pentry);
}
CTEFreeMem(ientry);
}
SecurityFilteringEnabled = FALSE;
CTEFreeLock(&AddrObjTableLock.Lock, handle);
return;
}
//* IsSecurityFilteringEnabled
//
// This routine returns the current global status of security filtering.
//
// Entry: Nothing
//
// Returns: 0 if filtering is disabled, !0 if filtering is enabled.
//
extern uint
IsSecurityFilteringEnabled(void)
{
uint enabled;
CTELockHandle handle;
CTEGetLock(&AddrObjTableLock.Lock, &handle);
enabled = SecurityFilteringEnabled;
CTEFreeLock(&AddrObjTableLock.Lock, handle);
return (enabled);
}
//* ControlSecurityFiltering
//
// This routine globally enables/disables security filtering.
//
// Entry: IsEnabled - 0 disabled filtering, !0 enables filtering.
//
// Returns: Nothing
//
extern void
ControlSecurityFiltering(uint IsEnabled)
{
CTELockHandle handle;
CTEGetLock(&AddrObjTableLock.Lock, &handle);
if (IsEnabled) {
SecurityFilteringEnabled = TRUE;
} else {
SecurityFilteringEnabled = FALSE;
}
CTEFreeLock(&AddrObjTableLock.Lock, handle);
return;
}
//* AddProtocolSecurityFilter
//
// This routine enables security filtering for a specified protocol
// on a specified IP interface.
//
// Entry: InterfaceAddress - The interface on which to enable the protocol.
// (in network byte order)
// Protocol - The protocol to enable.
// ConfigName - The configuration key from which to read
// the filter value information.
//
// Returns: Nothing
//
void
AddProtocolSecurityFilter(IPAddr InterfaceAddress, ulong Protocol,
NDIS_HANDLE ConfigHandle)
{
NDIS_STRING filterList;
ulong filterValue;
ulong i;
PINTERFACE_ENTRY ientry;
PPROTOCOL_ENTRY pentry;
PVOID temp;
CTELockHandle handle;
TDI_STATUS status;
if (IP_ADDR_EQUAL(InterfaceAddress, NULL_IP_ADDR) ||
IP_LOOPBACK_ADDR(InterfaceAddress)
) {
return;
}
ASSERT((Protocol != 0) && (Protocol <= 0xFF));
//
// Read the protocol-specific filter value list from the registry.
//
filterList.MaximumLength = filterList.Length = 0;
filterList.Buffer = NULL;
if (ConfigHandle != NULL) {
status = GetSecurityFilterList(ConfigHandle, Protocol, &filterList);
}
//
// Preallocate interface & protocol structures. We abort on failure.
// The interface & protocol will be protected by default.
//
ientry = CTEAllocMem(sizeof(INTERFACE_ENTRY));
if (ientry == NULL) {
return;
}
ientry->ie_address = InterfaceAddress;
INITQ(&(ientry->ie_protocol_list));
pentry = CTEAllocMem(sizeof(PROTOCOL_ENTRY));
if (pentry == NULL) {
CTEFreeMem(ientry);
return;
}
pentry->pe_protocol = Protocol;
pentry->pe_accept_all = FALSE;
for (i = 0; i < VALUE_ENTRY_HASH_SIZE; i++) {
INITQ(&(pentry->pe_entries[i]));
}
//
// Now go set everything up. First create the interface and protocol
// structures.
//
CTEGetLock(&AddrObjTableLock.Lock, &handle);
temp = FindInterfaceEntry(InterfaceAddress);
if (temp == NULL) {
//
// New interface & protocol.
//
ENQUEUE(&InterfaceEntryList, &(ientry->ie_link));
ENQUEUE(&(ientry->ie_protocol_list), &(pentry->pe_link));
} else {
//
// Existing interface
//
CTEFreeMem(ientry);
ientry = temp;
temp = FindProtocolEntry(ientry, Protocol);
if (temp == NULL) {
//
// New protocol
//
ENQUEUE(&(ientry->ie_protocol_list), &(pentry->pe_link));
} else {
//
// Existing protocol
//
CTEFreeMem(pentry);
}
}
CTEFreeLock(&AddrObjTableLock.Lock, handle);
//
// At this point, the protocol entry is installed, but no values
// are permitted. This is the safest default.
//
if (ConfigHandle != NULL) {
//
// Process the filter value list.
//
if (status == TDI_SUCCESS) {
for (i = 0;
EnumSecurityFilterValue(&filterList, i, &filterValue);
i++
) {
AddValueSecurityFilter(InterfaceAddress, Protocol,
filterValue);
}
} else if (status == TDI_ITEM_NOT_FOUND) {
//
// No filter registered, permit everything.
//
AddValueSecurityFilter(InterfaceAddress, Protocol, 0);
}
}
if (filterList.Buffer != NULL) {
CTEFreeMem(filterList.Buffer);
}
return;
}
//* DeleteProtocolSecurityFilter
//
// This routine disables security filtering for a specified protocol
// on a specified IP interface.
//
// Entry: InterfaceAddress - The interface on which to disable the protocol.
// (in network byte order)
// Protocol - The protocol to disable.
//
// Returns: Nothing
//
void
DeleteProtocolSecurityFilter(IPAddr InterfaceAddress, ulong Protocol)
{
PINTERFACE_ENTRY ientry;
PPROTOCOL_ENTRY pentry;
CTELockHandle handle;
BOOLEAN deleteInterface = FALSE;
CTEGetLock(&AddrObjTableLock.Lock, &handle);
ientry = FindInterfaceEntry(InterfaceAddress);
if (ientry != NULL) {
ASSERT(!EMPTYQ(&(ientry->ie_protocol_list)));
pentry = FindProtocolEntry(ientry, Protocol);
if (pentry != NULL) {
REMOVEQ(&(pentry->pe_link));
}
if (EMPTYQ(&(ientry->ie_protocol_list))) {
//
// Last protocol, delete interface as well.
//
REMOVEQ(&(ientry->ie_link));
deleteInterface = TRUE;
}
CTEFreeLock(&AddrObjTableLock.Lock, handle);
if (pentry != NULL) {
DeleteProtocolValueEntries(pentry);
CTEFreeMem(pentry);
}
if (deleteInterface) {
ASSERT(EMPTYQ(&(ientry->ie_protocol_list)));
CTEFreeMem(ientry);
}
} else {
CTEFreeLock(&AddrObjTableLock.Lock, handle);
}
return;
}
//* AddValueSecurityFilter - Add an entry.
//
// This routine adds a value entry for a specified protocol on a specified
// interface in the security filter database.
//
//
// Input: InterfaceAddress - The interface address to which to add.
// (in network byte order)
// Protocol - The protocol to which to add.
// FilterValue - The transport value to add.
// (in host byte order)
//
// Returns: A TDI status code:
// TDI_INVALID_PARAMETER if the protocol is not in the database.
// TDI_ADDR_INVALID if the interface is not in the database.
// TDI_NO_RESOURCES if memory could not be allocated.
// TDI_SUCCESS otherwise
//
// NOTES:
//
// This routine acquires AddrObjTableLock.
//
// Zero is a wildcard value. Supplying a zero value for the
// InterfaceAddress and/or Protocol causes the operation to be applied
// to all interfaces and/or protocols, as appropriate. Supplying a
// non-zero value causes the operation to be applied to only the
// specified interface and/or protocol. Supplying a FilterValue parameter
// of zero causes all values to be acceptable. Any previously
// registered values are deleted from the database.
//
TDI_STATUS
AddValueSecurityFilter(IPAddr InterfaceAddress, ulong Protocol, ulong FilterValue)
{
CTELockHandle handle;
TDI_STATUS status;
CTEGetLock(&AddrObjTableLock.Lock, &handle);
status = ModifySecurityFilter(ADD_VALUE_SECURITY_FILTER, InterfaceAddress,
Protocol, FilterValue);
CTEFreeLock(&AddrObjTableLock.Lock, handle);
return (status);
}
//* DeleteValueSecurityFilter - Delete an entry.
//
// This routine deletes a value entry for a specified protocol on a specified
// interface in the security filter database.
//
//
// Input: InterfaceAddress - The interface address from which to delete.
// (in network byte order)
// Protocol - The protocol from which to delete.
// FilterValue - The transport value to delete.
// (in host byte order)
//
// Returns: A TDI status code:
// TDI_INVALID_PARAMETER if the protocol is not in the database.
// TDI_ADDR_INVALID if the interface is not in the database.
// TDI_NO_RESOURCES if memory could not be allocated.
// TDI_SUCCESS otherwise
//
// NOTES:
//
// This routine acquires AddrObjTableLock.
//
// Zero is a wildcard value. Supplying a zero value for the
// InterfaceAddress and/or Protocol causes the operation to be applied
// to all interfaces and/or protocols, as appropriate. Supplying a
// non-zero value causes the operation to be applied to only the
// specified interface and/or protocol. Supplying a FilterValue parameter
// of zero causes all values to be rejected. Any previously
// registered values are deleted from the database.
//
TDI_STATUS
DeleteValueSecurityFilter(IPAddr InterfaceAddress, ulong Protocol,
ulong FilterValue)
{
CTELockHandle handle;
TDI_STATUS status;
CTEGetLock(&AddrObjTableLock.Lock, &handle);
status = ModifySecurityFilter(DELETE_VALUE_SECURITY_FILTER,
InterfaceAddress, Protocol, FilterValue);
CTEFreeLock(&AddrObjTableLock.Lock, handle);
return (status);
}
//* EnumerateSecurityFilters - Enumerate security filter database.
//
// This routine enumerates the contents of the security filter database
// for the specified protocol and IP interface.
//
// Input: InterfaceAddress - The interface address to enumerate. A value
// of zero means enumerate all interfaces.
// (in network byte order)
//
// Protocol - The protocol to enumerate. A value of zero
// means enumerate all protocols.
//
// Value - The Protocol value to enumerate. A value of
// zero means enumerate all protocol values.
// (in host byte order)
//
// Buffer - A pointer to a buffer into which to put
// the returned filter entries.
//
// BufferSize - On input, the size in bytes of Buffer.
// On output, the number of bytes written.
//
// EntriesAvailable - On output, the total number of filter entries
// available in the database.
//
// Returns: A TDI status code:
//
// TDI_ADDR_INVALID if the address is not a valid IP interface.
// TDI_SUCCESS otherwise.
//
// NOTES:
//
// This routine acquires AddrObjTableLock.
//
// Entries written to output buffer are in host byte order.
//
void
EnumerateSecurityFilters(IPAddr InterfaceAddress, ulong Protocol,
ulong Value, uchar * Buffer, ulong BufferSize,
ulong * EntriesReturned, ulong * EntriesAvailable)
{
PINTERFACE_ENTRY ientry;
TDI_STATUS status = TDI_SUCCESS;
CTELockHandle handle;
*EntriesAvailable = *EntriesReturned = 0;
CTEGetLock(&AddrObjTableLock.Lock, &handle);
if (InterfaceAddress == 0) {
struct Queue *qentry;
//
// Enumerate all interfaces.
//
for (qentry = InterfaceEntryList.q_next;
qentry != &InterfaceEntryList;
qentry = qentry->q_next
) {
ientry = STRUCT_OF(INTERFACE_ENTRY, qentry, ie_link);
EnumerateInterfaceProtocols(
ientry,
Protocol,
Value,
&Buffer,
&BufferSize,
EntriesReturned,
EntriesAvailable
);
}
} else {
//
// Enumerate a specific interface.
//
ientry = FindInterfaceEntry(InterfaceAddress);
if (ientry != NULL) {
EnumerateInterfaceProtocols(
ientry,
Protocol,
Value,
&Buffer,
&BufferSize,
EntriesReturned,
EntriesAvailable
);
}
}
CTEFreeLock(&AddrObjTableLock.Lock, handle);
return;
}
//* IsPermittedSecurityFilter
//
// This routine determines if communications addressed to
// {Protocol, InterfaceAddress, Value} are permitted by the security filters.
// It looks up the tuple in the security filter database.
//
// Input: InterfaceAddress - The IP interface address to check
// (in network byte order)
// IPContext - The IPContext value passed to the transport
// Protocol - The protocol to check
// Value - The value to check (in host byte order)
//
// Returns: A boolean indicating whether or not the communication is permitted.
//
// NOTES:
//
// This routine must be called with AddrObjTableLock held.
//
//
BOOLEAN
IsPermittedSecurityFilter(IPAddr InterfaceAddress, void *IPContext,
ulong Protocol, ulong FilterValue)
{
PINTERFACE_ENTRY ientry;
PPROTOCOL_ENTRY pentry;
PVALUE_ENTRY ventry;
ulong hash_value;
struct Queue *qentry;
ASSERT(Protocol <= 0xFF);
for (qentry = InterfaceEntryList.q_next;
qentry != &InterfaceEntryList;
qentry = qentry->q_next
) {
ientry = STRUCT_OF(INTERFACE_ENTRY, qentry, ie_link);
if (ientry->ie_address == InterfaceAddress) {
for (qentry = ientry->ie_protocol_list.q_next;
qentry != &(ientry->ie_protocol_list);
qentry = qentry->q_next
) {
pentry = STRUCT_OF(PROTOCOL_ENTRY, qentry, pe_link);
if (pentry->pe_protocol == Protocol) {
if (pentry->pe_accept_all == TRUE) {
//
// All values accepted. Permit operation.
//
return (TRUE);
}
hash_value = VALUE_ENTRY_HASH(FilterValue);
for (qentry = pentry->pe_entries[hash_value].q_next;
qentry != &(pentry->pe_entries[hash_value]);
qentry = qentry->q_next
) {
ventry = STRUCT_OF(VALUE_ENTRY, qentry, ve_link);
if (ventry->ve_value == FilterValue) {
//
// Found it. Operation is permitted.
//
return (TRUE);
}
}
//
// {Interface, Protocol} protected, but no value found.
// Reject operation.
//
return (FALSE);
}
}
//
// Protocol not registered. Reject operation
//
return (FALSE);
}
}
//
// If this packet is on the loopback interface, let it through.
//
if (IP_LOOPBACK_ADDR(InterfaceAddress)) {
return (TRUE);
}
//
// Special check to allow the DHCP client to receive its packets.
// It is safe to make this check all the time because IP will
// not permit a packet to get through on an NTE with a zero address
// unless DHCP is in the process of configuring that NTE.
//
if ((Protocol == PROTOCOL_UDP) &&
(FilterValue == DHCP_CLIENT_PORT) &&
(*LocalNetInfo.ipi_isdhcpinterface) (IPContext)
) {
return (TRUE);
}
//
// Interface not registered. Deny operation.
//
return (FALSE);
}