User id and group id integration in NPF

lib/libnpf/npf.c

@@ -735,6 +735,14 @@ npf_rule_setproc(nl_rule_t *rl, const char *name)
 	return nvlist_error(rl->rule_dict);
 }
 
+int
+npf_rule_setrid(nl_rule_t *rl, rid_t *rid, const char *name)
+{
+	uint64_t uid_element[3] = { rid->id[0], rid->id[1], rid->op };
+	nvlist_add_number_array(rl->rule_dict, name, uid_element, 3);
+	return nvlist_error(rl->rule_dict);
+}
+
 void *
 npf_rule_export(nl_rule_t *rl, size_t *length)
 {

lib/libnpf/npf.expsym

@@ -75,6 +75,7 @@ npf_rule_setinfo
 npf_rule_setkey
 npf_rule_setprio
 npf_rule_setproc
+npf_rule_setrid
 npf_ruleset_add
 npf_ruleset_flush
 npf_ruleset_remkey

lib/libnpf/npf.h

@@ -106,6 +106,7 @@ nl_rule_t *	npf_rule_create(const char *, uint32_t, const char *);
 int		npf_rule_setcode(nl_rule_t *, int, const void *, size_t);
 int		npf_rule_setprio(nl_rule_t *, int);
 int		npf_rule_setproc(nl_rule_t *, const char *);
+int		npf_rule_setrid(nl_rule_t *, rid_t *, const char *);
 int		npf_rule_setkey(nl_rule_t *, const void *, size_t);
 int		npf_rule_setinfo(nl_rule_t *, const void *, size_t);
 const char *	npf_rule_getname(nl_rule_t *);

sys/modules/npf/Makefile

@@ -11,7 +11,7 @@ KMOD=		npf
 IOCONF=		npf.ioconf
 SRCS=		npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c
 SRCS+=		npf_bpf.c npf_if.c npf_inet.c npf_mbuf.c npf_nat.c
-SRCS+=		npf_params.c npf_ruleset.c npf_rproc.c
+SRCS+=		npf_params.c npf_ruleset.c npf_rproc.c npf_socket.c
 SRCS+=		npf_conn.c npf_conndb.c npf_connkey.c npf_portmap.c
 SRCS+=		npf_state.c npf_state_tcp.c npf_tableset.c
 SRCS+=		lpm.c npf_sendpkt.c npf_worker.c npf_os.c npf_ifaddr.c

sys/net/npf/files.npf

@@ -32,7 +32,7 @@ file	net/npf/npf_portmap.c			npf
 file	net/npf/npf_alg.c			npf
 file	net/npf/npf_sendpkt.c			npf
 file	net/npf/npf_worker.c			npf
-
+file	net/npf/npf_socket.c			npf
 file	net/npf/npf_os.c			npf
 file	net/npf/npf_ifaddr.c			npf
 

sys/net/npf/npf.h

@@ -59,6 +59,15 @@ typedef union {
 	uint32_t		word32[4];
 } npf_addr_t;
 
+/*
+ * use a single type for both user id and group id
+ * since both gid and uid are uint32_t
+ */
+struct r_id {
+	uint32_t	id[2];
+	uint8_t		op;
+};
+
 typedef uint8_t			npf_netmask_t;
 
 #define	NPF_MAX_NETMASK		(128)
@@ -372,6 +381,19 @@ typedef enum {
 	NPF_STATS_COUNT
 } npf_stats_t;
 
+/* unary and binary operators */
+enum {
+	NPF_OP_NONE,
+	NPF_OP_EQ,
+	NPF_OP_NE,
+	NPF_OP_LE,
+	NPF_OP_LT,
+	NPF_OP_GE,
+	NPF_OP_GT,
+	NPF_OP_XRG,
+	NPF_OP_IRG
+};
+
 #define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)
 
 #endif	/* _NPF_NET_H_ */

sys/net/npf/npf_ctl.c

@@ -378,6 +378,15 @@ npf_mk_singlerule(npf_t *npf, const nvlist_t *req, nvlist_t *resp,
 		npf_rule_setcode(rl, type, bc, clen);
 	}
 
+	/* user and group ids filt option if set */
+	if (nvlist_exists_number_array(req, "r_user")) {
+		npf_rule_setuid(req, rl, "r_user");
+	}
+
+	if (nvlist_exists_number_array(req, "r_group")) {
+		npf_rule_setgid(req, rl, "r_group");
+	}
+
 	*rlret = rl;
 	return 0;
 err:

sys/net/npf/npf_handler.c

@@ -148,7 +148,7 @@ npfk_packet_handler(npf_t *npf, struct mbuf **mp, ifnet_t *ifp, int di)
 	npf_conn_t *con;
 	npf_rule_t *rl;
 	npf_rproc_t *rp;
-	int error, decision, flags;
+	int error, decision, flags, id_match;
 	npf_match_info_t mi;
 	bool mff;
 
@@ -239,10 +239,20 @@ npfk_packet_handler(npf_t *npf, struct mbuf **mp, ifnet_t *ifp, int di)
 	KASSERT(rp == NULL);
 	rp = npf_rule_getrproc(rl);
 
-	/* Conclude with the rule and release the lock. */
+	/* check for matching process uid/gid before concluding
+	 * so we know early if we will be reversing action or not
+	 */
+	id_match = npf_uid_gid_match(rl, &npc, di);
+
+	/* Conclude with the rule and release the lock */
 	error = npf_rule_conclude(rl, &mi);
 	npf_config_read_exit(npf, slock);
 
+	/* reverse between pass and block conditions */
+	if (id_match != -1 && !id_match) {
+		error = npf_rule_reverse(&npc, &mi, error);
+	}
+
 	if (error) {
 		npf_stats_inc(npf, NPF_STAT_BLOCK_RULESET);
 		goto block;

sys/net/npf/npf_impl.h

@@ -84,6 +84,7 @@ typedef struct npf_rprocset	npf_rprocset_t;
 typedef struct npf_alg		npf_alg_t;
 typedef struct npf_natpolicy	npf_natpolicy_t;
 typedef struct npf_conn		npf_conn_t;
+typedef struct r_id		rid_t;
 
 struct npf_conndb;
 struct npf_table;
@@ -427,11 +428,17 @@ void		npf_ruleset_gc(npf_ruleset_t *);
 
 npf_rule_t *	npf_ruleset_inspect(npf_cache_t *, const npf_ruleset_t *,
 		    const int, const int);
+int		npf_rule_reverse(npf_cache_t *, npf_match_info_t *, int);
+int		npf_uid_gid_match(npf_rule_t *, npf_cache_t *, int);
+int		npf_rule_match_grp(npf_rule_t *, npf_cache_t *, int);
+int		npf_rule_match_user(npf_rule_t *, npf_cache_t *, int);
 int		npf_rule_conclude(const npf_rule_t *, npf_match_info_t *);
 
 /* Rule interface. */
 npf_rule_t *	npf_rule_alloc(npf_t *, const nvlist_t *);
 void		npf_rule_setcode(npf_rule_t *, int, void *, size_t);
+void		npf_rule_setuid(const nvlist_t *, npf_rule_t *, const char *);
+void		npf_rule_setgid(const nvlist_t *, npf_rule_t *, const char *);
 void		npf_rule_setrproc(npf_rule_t *, npf_rproc_t *);
 void		npf_rule_free(npf_rule_t *);
 uint64_t	npf_rule_getid(const npf_rule_t *);
@@ -475,6 +482,11 @@ int		npf_state_tcp_timeout(npf_t *, const npf_state_t *);
 void		npf_portmap_sysinit(void);
 void		npf_portmap_sysfini(void);
 
+/* uid/gid process matching */
+int		npf_socket_lookup_uid(npf_cache_t *, int, uint32_t *);
+int		npf_socket_lookup_gid(npf_cache_t *, int, uint32_t *);
+int		npf_match_rid(rid_t *, uint32_t);
+
 void		npf_portmap_init(npf_t *);
 void		npf_portmap_fini(npf_t *);
 

sys/net/npf/npf_ruleset.c

@@ -118,6 +118,9 @@ struct npf_rule {
 	LIST_ENTRY(npf_rule)	r_aentry;
 	nvlist_t *		r_info;
 	size_t			r_info_len;
+
+	rid_t uid;
+	rid_t gid;
 };
 
 #define	SKIPTO_ADJ_FLAG		(1U << 31)
@@ -655,6 +658,9 @@ npf_rule_alloc(npf_t *npf, const nvlist_t *rule)
 		}
 		memcpy(rl->r_key, key, len);
 	}
+
+	/* init uid/gids to none */
+	rl->gid.op = rl->uid.op = NPF_OP_NONE;
 	return rl;
 }
 
@@ -716,6 +722,43 @@ npf_rule_setcode(npf_rule_t *rl, const int type, void *code, size_t size)
 	rl->r_jcode = npf_bpf_compile(code, size);
 }
 
+/* again, use a single rule getid function both uid and gids */
+static rid_t
+npf_rule_getrid(const nvlist_t *req, const char *name)
+{
+	size_t nitems;
+	rid_t id;
+	const uint64_t *rid = nvlist_get_number_array(req, name, &nitems);
+	KASSERT(nitems == 3);
+
+	id.id[0] = (uint32_t)rid[0];
+	id.id[1] = (uint32_t)rid[1];
+	id.op = (uint8_t)rid[2];
+
+	return id;
+}
+
+static void
+npf_rule_setrid(const nvlist_t *req, rid_t* rid, const char *name)
+{
+	rid_t id;
+
+	id = npf_rule_getrid(req, name);
+	memcpy(rid, &id, sizeof(*rid));
+}
+
+void
+npf_rule_setuid(const nvlist_t *req, npf_rule_t *rl, const char *name)
+{
+	npf_rule_setrid(req, &rl->uid, name);
+}
+
+void
+npf_rule_setgid(const nvlist_t *req, npf_rule_t *rl, const char *name)
+{
+	npf_rule_setrid(req, &rl->gid, name);
+}
+
 /*
  * npf_rule_setrproc: assign a rule procedure and hold a reference on it.
  */
@@ -754,6 +797,7 @@ npf_rule_free(npf_rule_t *rl)
 	if (rl->r_info) {
 		kmem_free(rl->r_info, rl->r_info_len);
 	}
+
 	kmem_free(rl, sizeof(npf_rule_t));
 }
 
@@ -929,6 +973,102 @@ npf_ruleset_inspect(npf_cache_t *npc, const npf_ruleset_t *rlset,
 	return final_rl;
 }
 
+/*
+  * just exchange the flag attributes for pass/block for the diff protocols.
+  * for passing, we set the STATEFULNESS for TCP connection establishment
+  * if ret == 0, it is for a pass to be changed to block
+  * non-zero ret indicates a block to pass
+  * when we change to block, we assume the default RST rerturn for TCP
+  * when we change to pass, we ensure no bit field for RST for tcp and ICMP for udp
+  * finally change the ret condition too
+  */
+int
+npf_rule_reverse(npf_cache_t *npc, npf_match_info_t *mi, int ret)
+{
+
+	KASSERT(npf_iscached(npc, NPC_LAYER4));
+	switch(npc->npc_proto) {
+		case IPPROTO_TCP:
+			if (ret == 0) /* switch pass to block */ {
+				mi->mi_retfl &= !(NPF_RULE_PASS | NPF_RULE_STATEFUL |
+					NPF_RULE_GSTATEFUL);
+				mi->mi_retfl |= NPF_RULE_RETRST;
+			}
+			else /* block to pass */ {
+				mi->mi_retfl &= !(NPF_RULE_RETRST);
+				mi->mi_retfl |= (NPF_RULE_PASS | NPF_RULE_STATEFUL |
+					NPF_RULE_GSTATEFUL);
+			}
+			break;
+		case IPPROTO_UDP:
+			if (ret == 0) /* pass to block */ {
+				mi->mi_retfl &= !(NPF_RULE_PASS);
+				mi->mi_retfl |= NPF_RULE_RETICMP;
+			}
+			else /* block to pass */ {
+				mi->mi_retfl &= !(NPF_RULE_RETICMP);
+				mi->mi_retfl |= NPF_RULE_PASS;
+			}
+			break;
+	}
+
+	return (ret == 0) ? ENETUNREACH : 0;
+}
+
+/* only perform uid/gid checks when set */
+int
+npf_uid_gid_match(npf_rule_t *rl, npf_cache_t *npc, int dir)
+{
+	int matched;
+	if (rl->uid.op == NPF_OP_NONE && rl->gid.op == NPF_OP_NONE)
+		return -1;
+
+	matched = 0;
+	if (rl->uid.op == NPF_OP_NONE)
+		matched |= npf_rule_match_user(rl, npc, dir);
+	if (rl->gid.op == NPF_OP_NONE)
+		matched |= npf_rule_match_usrgrp(rl, npc, dir);
+
+	return matched;
+}
+
+/*
+* lookup process sockets and match rule ids to socket user id
+* if socket id doesn't match any of rule ids, reverse action
+*/
+int
+npf_rule_match_user(npf_rule_t *rl, npf_cache_t *npc, int dir)
+{
+	int error;
+	uid_t sk_uid;
+
+	KASSERT(npf_iscached(npc, NPC_IP46));
+	KASSERT(npf_iscached(npc, NPC_LAYER4));
+
+	error = npf_socket_lookup_uid(npc, dir, &sk_uid);
+	if (error == -1) {
+		return ENOTCONN;
+	}
+
+	return npf_match_rid(rl->uid, sk_uid);
+}
+
+int
+npf_rule_match_grp(npf_rule_t *rl, npf_cache_t *npc, int dir)
+{
+	uid_t sk_gid;
+	int error;
+
+	KASSERT(npf_iscached(npc, NPC_IP46)); /* assert layer3 cache info*/
+	KASSERT(npf_iscached(npc, NPC_LAYER4)); /* assert layer4 cache info */
+
+	error = npf_socket_lookup_gid(npc, dir, &sk_gid);
+	if (error == -1)
+		return ENOTCONN;
+
+	return npf_match_rid(rl->gid, sk_gid);
+}
+
 /*
  * npf_rule_conclude: return decision and the flags for conclusion.
  *