make static, usergoup=>group changes

Author: Emmankoko

sys/net/npf/npf_socket.c

@@ -0,0 +1,251 @@
+/*-
+ * Copyright (c) 2025 Emmanuel Nyarko
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+ #include <netinet/tcp.h>
+ #include <netinet/udp.h>
+ #include <netinet/in_pcb.h>
+ #include <sys/socketvar.h>
+
+ #ifdef INET6
+ #include <netinet/ip6.h>
+ #include <netinet6/ip6_var.h>
+ #ifdef __NetBSD__
+ #include <netinet6/in6_pcb.h>
+ #endif /* __NetBSD__ */
+ #endif /* INET6 */
+
+ #include "npf_impl.h"
+
+ extern	struct inpcbtable tcbtable;	/* head of queue of active tcpcb's */
+ extern	struct inpcbtable udbtable;
+
+ static struct socket *	npf_ip6_socket(npf_cache_t *, struct inpcbtable *, int);
+ static struct socket *	npf_ip_socket(npf_cache_t *, struct inpcbtable *, int);
+ static int		npf_match(uint8_t, uint32_t, uint32_t, uint32_t);
+
+ /*
+ * NPF process socket module
+ */
+
+int
+npf_match_uid(struct r_uid *uid, uint32_t uid_lookup)
+{
+	return npf_match(uid->op, uid->uid[0], uid->uid[1], uid_lookup);
+}
+
+int
+npf_match_gid(struct r_gid *gid, uint32_t gid_lookup)
+{
+	return npf_match(gid->op, gid->gid[0], gid->gid[1], gid_lookup);
+}
+
+static int
+npf_match(uint8_t op, uint32_t rid1, uint32_t rid2, uint32_t id_lp)
+{
+	switch (op) {
+	case NPF_OP_IRG:
+		return ((id_lp > rid1) && (id_lp < rid2));
+	case NPF_OP_XRG:
+		return ((id_lp < rid1) || (id_lp > rid2));
+	case NPF_OP_EQ:
+		return (id_lp == rid1);
+	case NPF_OP_NE:
+		return (id_lp != rid1);
+	case NPF_OP_LT:
+		return (id_lp < rid1);
+	case NPF_OP_LE:
+		return (id_lp <= rid1);
+	case NPF_OP_GT:
+		return (id_lp > rid1);
+	case NPF_OP_GE:
+		return (id_lp >= rid1);
+	}
+	return (0); /* never reached */
+}
+
+int
+npf_socket_lookup_uid(npf_cache_t *npc, int dir, uint32_t *uid)
+{
+	struct inpcbtable	*tb = NULL;
+	struct socket		*so = NULL;
+
+	KASSERT(npf_iscached(npc, NPC_IP46));
+
+	if (npf_iscached(npc, NPC_IP4)) {
+		so = npf_ip_socket(npc, tb, dir);
+
+	} else if (npf_iscached(npc, NPC_IP6)) {
+		so = npf_ip6_socket(npc, tb, dir);
+	}
+
+	if (so == NULL || so->so_cred == NULL)
+		return -1;
+
+	*uid = kauth_cred_geteuid(so->so_cred);
+	return 0;
+}
+
+int
+npf_socket_lookup_gid(npf_cache_t *npc, int dir, uint32_t *gid)
+{
+	struct inpcbtable	*tb = NULL;
+	struct socket		*so = NULL;
+
+	KASSERT(npf_iscached(npc, NPC_IP46));
+
+	if (npf_iscached(npc, NPC_IP4)) {
+		so = npf_ip_socket(npc, tb, dir);
+
+	} else if (npf_iscached(npc, NPC_IP6)) {
+		so = npf_ip6_socket(npc, tb, dir);
+	}
+
+	if (so == NULL || so->so_cred == NULL)
+		return -1;
+
+	*gid = kauth_cred_getegid(so->so_cred);
+	return 0;
+}
+
+static struct socket *
+npf_ip_socket(npf_cache_t *npc, struct inpcbtable *tb, int dir)
+{
+	struct in_addr	saddr, daddr;
+	uint16_t		sport, dport;
+	struct socket		*so = NULL;
+	struct inpcb		*inp = NULL;
+
+#define in_pcbhashlookup(tbl, saddr, sport, daddr, dport) \
+	inpcb_lookup(tbl, saddr, sport, daddr, dport, NULL)
+#define in_pcblookup_listen(tbl, addr, port) \
+	inpcb_lookup_bound(tbl, addr, port)
+
+	KASSERT(npf_iscached(npc, NPC_LAYER4));
+	KASSERT(npf_iscached(npc, NPC_IP4));
+
+	struct tcphdr *tcp = npc->npc_l4.tcp;
+	struct udphdr *udp = npc->npc_l4.udp;
+	struct ip *ip = npc->npc_ip.v4;
+
+	switch(npc->npc_proto) {
+		case IPPROTO_TCP:
+			sport = tcp->th_sport;
+			dport = tcp->th_dport;
+			tb = &tcbtable;
+			break;
+		case IPPROTO_UDP:
+			sport = udp->uh_sport;
+			dport = udp->uh_dport;
+			tb = &udbtable;
+			break;
+		default:
+			return NULL;
+	}
+
+	if (dir == PFIL_IN) {
+		saddr = ip->ip_src;
+		daddr = ip->ip_dst;
+	} else {
+		uint16_t p_temp;
+		/* swap ports and addresses */
+		p_temp = sport;
+		sport = dport;
+		dport = p_temp;
+		saddr = ip->ip_dst;
+		daddr = ip->ip_src;
+	}
+
+	inp = in_pcbhashlookup(tb, saddr, sport, daddr, dport);
+	if (inp == NULL) {
+		inp = in_pcblookup_listen(tb, daddr, dport);
+
+		if (inp == NULL) {
+			return NULL;
+		}
+
+	}
+
+	so = inp->inp_socket;
+	return so;
+}
+
+static struct socket *
+npf_ip6_socket(npf_cache_t *npc, struct inpcbtable *tb, int dir)
+{
+	const struct in6_addr	*s6addr, *d6addr;
+	uint16_t	sport, dport;
+	struct inpcb		*in6p = NULL;
+	struct socket		*so = NULL;
+
+#define in6_pcbhashlookup(tbl, saddr, sport, daddr, dport) \
+	in6pcb_lookup(tbl, saddr, sport, daddr, dport, 0, NULL)
+
+#define in6_pcblookup_listen(tbl, addr, port) \
+	in6pcb_lookup_bound(tbl, addr, port, 0)
+
+	KASSERT(npf_iscached(npc, NPC_LAYER4));
+	KASSERT(npf_iscached(npc, NPC_IP6));
+
+	struct tcphdr *tcp = npc->npc_l4.tcp;
+	struct udphdr *udp = npc->npc_l4.udp;
+	struct ip6_hdr *ip6 = npc->npc_ip.v6;
+
+	switch(npc->npc_proto) {
+		case IPPROTO_TCP:
+			sport = tcp->th_sport;
+			dport = tcp->th_dport;
+			tb = &tcbtable;
+			break;
+		case IPPROTO_UDP:
+			sport = udp->uh_sport;
+			dport = udp->uh_dport;
+			tb = &udbtable;
+			break;
+		default:
+			return NULL;
+	}
+
+	if (dir == PFIL_IN) {
+		s6addr = &ip6->ip6_src;
+		d6addr = &ip6->ip6_dst;
+	} else {
+		uint16_t p_temp;
+		/* swap ports and addresses */
+		p_temp = sport;
+		sport = dport;
+		dport = p_temp;
+		s6addr = &ip6->ip6_dst;
+		d6addr = &ip6->ip6_src;
+	}
+	in6p = in6_pcbhashlookup(tb, s6addr, sport, d6addr,
+		dport);
+	if (in6p == NULL) {
+		in6p = in6_pcblookup_listen(tb, d6addr, dport);
+		if (in6p == NULL)
+			return NULL;
+	}
+	so = in6p->inp_socket;
+	return so;
+}

usr.sbin/npf/npfctl/npf_data.c

@@ -272,7 +272,7 @@ npfctl_parse_table_id(const char *name)
 int
 npfctl_parse_user(const char *user, uint32_t *uid)
 {
-	if (strcmp(user, "unknown"))
+	if (!strcmp(user, "unknown"))
 		*uid = UID_MAX;
 	else {
 		struct passwd	*pw;
@@ -286,14 +286,14 @@ npfctl_parse_user(const char *user, uint32_t *uid)
 }
 
 int
-npfctl_parse_usergroup(const char *usergroup, *uint32_t *gid)
+npfctl_parse_group(const char *group, *uint32_t *gid)
 {
-	if (!strcmp(usergroup, "unknown"))
+	if (!strcmp(group, "unknown"))
 		*gid = GID_MAX;
 	else {
 		struct group	*grp;
 
-		if ((grp = getgrnam(usergroup)) == NULL) {
+		if ((grp = getgrnam(group)) == NULL) {
 			return -1;
 		}
 		*gid = grp->gr_gid;

usr.sbin/npf/npfctl/npf_parse.y

@@ -1091,23 +1091,23 @@ gid
 	}
 	| IDENTIFIER
 	{
-		if (npfctl_parse_usergroup($1, &$$) == -1) {
-			yyerror("unknown user group %s", $1);
+		if (npfctl_parse_group($1, &$$) == -1) {
+			yyerror("unknown group %s", $1);
 			YYERROR;
 		}
 	}
 	| VAR_ID
 	{
 		npfvar_t *vp = npfvar_lookup($1);
 		int type = npfvar_get_type(vp, 0);
-		char *user_group;
+		char *group;
 
 		switch (type) {
 		case NPFVAR_IDENTIFIER:
 		case NPFVAR_STRING:
-			user_group = npfvar_expand_string(vp);
-			if (npfctl_parse_usergroup(user_group, &$$) == -1) {
-				yyerror("unknown user group %s", $1);
+			group = npfvar_expand_string(vp);
+			if (npfctl_parse_group(group, &$$) == -1) {
+				yyerror("unknown group %s", $1);
 				YYERROR;
 			}
 			break;

usr.sbin/npf/npfctl/npfctl.h

@@ -142,7 +142,7 @@ npfvar_t *	npfctl_parse_port_range_variable(const char *, npfvar_t *);
 npfvar_t *	npfctl_parse_fam_addr_mask(const char *, const char *,
 		    unsigned long *);
 int		npfctl_parse_user(const char *, uint32_t *);
-int		npfctl_parse_usergroup(const char *, uint32_t *);
+int		npfctl_parse_group(const char *, uint32_t *);
 struct r_uid *	npfctl_init_uid(uint32_t, uint32_t, uint8_t);
 struct r_gid *	npfctl_init_gid(uint32_t, uint32_t, uint8_t);
 bool		npfctl_parse_cidr(char *, fam_addr_mask_t *, int *);