1*dbed73cbSSangeeta Misra /*
2*dbed73cbSSangeeta Misra  * CDDL HEADER START
3*dbed73cbSSangeeta Misra  *
4*dbed73cbSSangeeta Misra  * The contents of this file are subject to the terms of the
5*dbed73cbSSangeeta Misra  * Common Development and Distribution License (the "License").
6*dbed73cbSSangeeta Misra  * You may not use this file except in compliance with the License.
7*dbed73cbSSangeeta Misra  *
8*dbed73cbSSangeeta Misra  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9*dbed73cbSSangeeta Misra  * or http://www.opensolaris.org/os/licensing.
10*dbed73cbSSangeeta Misra  * See the License for the specific language governing permissions
11*dbed73cbSSangeeta Misra  * and limitations under the License.
12*dbed73cbSSangeeta Misra  *
13*dbed73cbSSangeeta Misra  * When distributing Covered Code, include this CDDL HEADER in each
14*dbed73cbSSangeeta Misra  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15*dbed73cbSSangeeta Misra  * If applicable, add the following below this CDDL HEADER, with the
16*dbed73cbSSangeeta Misra  * fields enclosed by brackets "[]" replaced with your own identifying
17*dbed73cbSSangeeta Misra  * information: Portions Copyright [yyyy] [name of copyright owner]
18*dbed73cbSSangeeta Misra  *
19*dbed73cbSSangeeta Misra  * CDDL HEADER END
20*dbed73cbSSangeeta Misra  */
21*dbed73cbSSangeeta Misra 
22*dbed73cbSSangeeta Misra /*
23*dbed73cbSSangeeta Misra  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24*dbed73cbSSangeeta Misra  * Use is subject to license terms.
25*dbed73cbSSangeeta Misra  */
26*dbed73cbSSangeeta Misra 
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <strings.h>
#include <unistd.h>
#include <limits.h>
#include <syslog.h>
#include <stropts.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stropts.h>
#include <sys/sockio.h>
#include <errno.h>
#include <sys/list.h>
#include <auth_attr.h>
#include <auth_list.h>
#include <secdb.h>
#include <libilb.h>
#include "libilb_impl.h"
#include "ilbd.h"
44*dbed73cbSSangeeta Misra 
/*
 * Set by ilbd_enable_debug() (the daemon's -d option).  While B_TRUE the
 * logging routines below write to stderr instead of syslog.  Once set it
 * is never cleared again.
 */
static boolean_t	ilbd_debugging = B_FALSE;

/*
 * Socket used to issue the SIOCILB ioctl() to the kernel.  It is opened
 * lazily by do_ioctl() on first use; nothing in this file closes it, so it
 * lives for the rest of the process.
 */
static	int	ksock = -1;
53*dbed73cbSSangeeta Misra 
/*
 * Put the daemon into debug mode: from here on ilbd_log() and logperror()
 * write to stderr rather than syslog.  There is no inverse operation.
 */
void
ilbd_enable_debug(void)
{
	ilbd_debugging = B_TRUE;
}
59*dbed73cbSSangeeta Misra 
/*
 * Report whether debug mode has been enabled via ilbd_enable_debug().
 *
 * Returns B_TRUE when logging goes to stderr, B_FALSE when it goes to
 * syslog.
 */
boolean_t
is_debugging_on(void)
{
	boolean_t enabled = ilbd_debugging;

	return (enabled);
}
65*dbed73cbSSangeeta Misra 
66*dbed73cbSSangeeta Misra /*
67*dbed73cbSSangeeta Misra  * All routines log to syslog, unless the daemon is running in
68*dbed73cbSSangeeta Misra  * the foreground, in which case the logging goes to stderr.
69*dbed73cbSSangeeta Misra  * The following logging functions are available:
70*dbed73cbSSangeeta Misra  *
71*dbed73cbSSangeeta Misra  *
72*dbed73cbSSangeeta Misra  *      logdebug(): A printf-like function for outputting debug messages
73*dbed73cbSSangeeta Misra  *      (messages at LOG_DEBUG) that are only of use to developers.
74*dbed73cbSSangeeta Misra  *
75*dbed73cbSSangeeta Misra  *      logerr(): A printf-like function for outputting error messages
76*dbed73cbSSangeeta Misra  *      (messages at LOG_ERR) from the daemon.
77*dbed73cbSSangeeta Misra  *
78*dbed73cbSSangeeta Misra  *      logperror*(): A set of functions used to output error messages
79*dbed73cbSSangeeta Misra  *      (messages at LOG_ERR); these automatically append strerror(errno)
80*dbed73cbSSangeeta Misra  *      and a newline to the message passed to them.
81*dbed73cbSSangeeta Misra  *
82*dbed73cbSSangeeta Misra  * NOTE: since the logging functions write to syslog, the messages passed
83*dbed73cbSSangeeta Misra  *      to them are not eligible for localization.  Thus, gettext() must
84*dbed73cbSSangeeta Misra  *      *not* be used.
85*dbed73cbSSangeeta Misra  *
86*dbed73cbSSangeeta Misra  */
/*
 * Format fmt/... and send the result to syslog at priority pri, or -- when
 * debug mode is on -- to stderr followed by a newline.  Presumably the
 * back end behind the logdebug()/logerr() wrappers described above.
 *
 * pri - syslog priority (ignored on the stderr path).
 * fmt - printf-style format.  It is handed straight to vsyslog()/vfprintf(),
 *       so it must be a trusted, literal format string (hence the
 *       PRINTFLIKE2 lint tag); log untrusted text through a "%s" argument,
 *       never as fmt.
 *
 * Messages end up in syslog, so they must not be passed through gettext()
 * (see the note above).
 */
/* PRINTFLIKE2 */
void
ilbd_log(int pri, const char *fmt, ...)
{
	va_list args;

	va_start(args, fmt);
	if (ilbd_debugging != B_TRUE) {
		vsyslog(pri, fmt, args);
	} else {
		(void) vfprintf(stderr, fmt, args);
		(void) fputc('\n', stderr);
	}
	va_end(args);
}
103*dbed73cbSSangeeta Misra 
/*
 * Log str followed by ": " and the text for the current errno, at LOG_ERR
 * (or to stderr in debug mode).  str is always emitted through "%s" and is
 * never interpreted as a format string, so it may carry caller-supplied
 * text safely; the syslog path lets "%m" expand errno itself.
 *
 * Call this before anything else that could disturb errno.
 *
 * NOTE(review): the PRINTFLIKE1 lint tag on this function does not match
 * its signature -- there is no variable argument list -- so it is inert.
 */
/* PRINTFLIKE1 */
void
logperror(const char *str)
{
	if (ilbd_debugging != B_TRUE) {
		syslog(LOG_ERR, "%s: %m", str);
		return;
	}
	(void) fprintf(stderr, "%s: %s\n", str, strerror(errno));
}
113*dbed73cbSSangeeta Misra 
114*dbed73cbSSangeeta Misra 
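/*
 * Check that the client identified by pwd holds the authorization required
 * for ILB configuration operations (NET_ILB_CONFIG_AUTH).
 *
 * pwd - the requesting user's passwd entry; only pw_name is consulted.  The
 *       caller is expected to have derived it from the peer's credentials;
 *       that happens outside this file -- TODO confirm.
 *
 * Returns ILB_STATUS_OK when authorized, ILB_STATUS_CFGAUTH otherwise.
 * The check fails closed: a NULL pwd or pw_name is refused rather than
 * dereferenced, and chkauthattr() reports "not authorized" as 0, so a
 * failed lookup denies as well.
 */
ilb_status_t
ilbd_check_client_config_auth(const struct passwd *pwd)
{
	if (pwd == NULL || pwd->pw_name == NULL) {
		logdebug("configuration auth check without a user entry");
		return (ILB_STATUS_CFGAUTH);
	}
	if (chkauthattr(NET_ILB_CONFIG_AUTH, pwd->pw_name) == 0) {
		logdebug("user %s is not authorized for"
		    " configuration operation", pwd->pw_name);
		return (ILB_STATUS_CFGAUTH);
	}
	return (ILB_STATUS_OK);
}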
126*dbed73cbSSangeeta Misra 
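/*
 * Check that the client identified by pwd holds the authorization required
 * to enable or disable rules and servers (NET_ILB_ENABLE_AUTH).
 *
 * pwd - the requesting user's passwd entry; only pw_name is consulted.  The
 *       caller is expected to have derived it from the peer's credentials;
 *       that happens outside this file -- TODO confirm.
 *
 * Returns ILB_STATUS_OK when authorized, ILB_STATUS_CFGAUTH otherwise (the
 * same status the configuration check uses).  The check fails closed: a
 * NULL pwd or pw_name is refused rather than dereferenced, and
 * chkauthattr() reports "not authorized" as 0, so a failed lookup denies
 * as well.
 */
ilb_status_t
ilbd_check_client_enable_auth(const struct passwd *pwd)
{
	if (pwd == NULL || pwd->pw_name == NULL) {
		logdebug("enable/disable auth check without a user entry");
		return (ILB_STATUS_CFGAUTH);
	}
	if (chkauthattr(NET_ILB_ENABLE_AUTH, pwd->pw_name) == 0) {
		logdebug("user %s is not authorized for"
		    " enable/disable operation", pwd->pw_name);
		return (ILB_STATUS_CFGAUTH);
	}
	return (ILB_STATUS_OK);
}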
138*dbed73cbSSangeeta Misra 
/*
 * Translate an errno value (typically the one left behind by the SIOCILB
 * ioctl) into the ilb_status_t the daemon hands back to clients.
 *
 * err - an errno from /usr/include/sys/errno.h; 0 means success.
 *
 * Returns the matching ILB_STATUS_* code.  Only the errnos in the table
 * are mapped; anything else collapses to ILB_STATUS_INTERNAL, so the list
 * is deliberately NOT complete.
 */
ilb_status_t
ilb_map_errno2ilbstat(int err)
{
	static const struct {
		int		errnum;
		ilb_status_t	status;
	} errmap[] = {
		{ 0,		ILB_STATUS_OK },	/* for completeness' sake */
		{ EINVAL,	ILB_STATUS_EINVAL },
		{ ENOENT,	ILB_STATUS_ENOENT },
		{ ENOMEM,	ILB_STATUS_ENOMEM },
		{ EINPROGRESS,	ILB_STATUS_INPROGRESS },
		{ EEXIST,	ILB_STATUS_EEXIST }
	};
	size_t i;

	for (i = 0; i < sizeof (errmap) / sizeof (errmap[0]); i++) {
		if (errmap[i].errnum == err)
			return (errmap[i].status);
	}
	return (ILB_STATUS_INTERNAL);
}
171*dbed73cbSSangeeta Misra 
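/*
 * Byte length of a variable-length command: a header that already embeds
 * one entry (hdr bytes) plus (count - 1) further entries of elem bytes.
 *
 * Returns 0 and stores the length in *szp, or -1 when count is 0 (the
 * "count - 1" would wrap) or the product could never fit an int.
 */
static int
i_var_cmd_sz(size_t hdr, size_t count, size_t elem, size_t *szp)
{
	if (count == 0)
		return (-1);
	count--;
	/*
	 * The result is handed to do_ioctl() as an int, so bounding the
	 * multiply by INT_MAX also rules out size_t overflow below.
	 */
	if (elem != 0 && count > (size_t)INT_MAX / elem)
		return (-1);
	*szp = hdr + count * elem;
	return (0);
}

/*
 * Work out the byte length of the kernel command at cmdp from its command
 * code; do_ioctl() uses it as the I_STR ic_len when the caller passes no
 * explicit size.  The variable-length commands (ILB_ADD_SERVERS,
 * ILB_RULE_NAMES, ILB_DEL/ENABLE/DISABLE_SERVERS) are a fixed header plus
 * (count - 1) trailing entries -- the "- 1" because the command structs
 * embed one entry (inferred from the arithmetic; the layouts live in
 * libilb_impl.h).
 *
 * cmdp - a kernel command whose first field is its ilb_cmd_t code.
 *
 * Returns the length, or -1 for an unknown command code or for an element
 * count that is zero or too large.  The counts originate in client
 * requests, so an implausible value must not be turned into a wrapped or
 * truncated ic_len.
 */
static int
i_get_kcmd_sz(void *cmdp)
{
	size_t	sz;

	switch (((ilb_rule_cmd_t *)cmdp)->cmd) {
	case ILB_DESTROY_RULE:
	case ILB_ENABLE_RULE:
	case ILB_DISABLE_RULE:
		sz = sizeof (ilb_name_cmd_t);
		break;
	case ILB_CREATE_RULE:
	case ILB_LIST_RULE:
		sz = sizeof (ilb_rule_cmd_t);
		break;
	case ILB_NUM_RULES:
		sz = sizeof (ilb_num_rules_cmd_t);
		break;
	case ILB_NUM_SERVERS:
		sz = sizeof (ilb_num_servers_cmd_t);
		break;
	case ILB_ADD_SERVERS: {
		ilb_servers_info_cmd_t *kcmd = (ilb_servers_info_cmd_t *)cmdp;

		if (i_var_cmd_sz(sizeof (*kcmd), kcmd->num_servers,
		    sizeof (kcmd->servers), &sz) != 0)
			return (-1);
		break;
	}
	case ILB_RULE_NAMES: {
		ilb_rule_names_cmd_t *kcmd = (ilb_rule_names_cmd_t *)cmdp;

		if (i_var_cmd_sz(sizeof (*kcmd), kcmd->num_names,
		    sizeof (kcmd->buf), &sz) != 0)
			return (-1);
		break;
	}
	case ILB_DEL_SERVERS:
	case ILB_ENABLE_SERVERS:
	case ILB_DISABLE_SERVERS: {
		ilb_servers_cmd_t *kcmd = (ilb_servers_cmd_t *)cmdp;

		if (i_var_cmd_sz(sizeof (*kcmd), kcmd->num_servers,
		    sizeof (kcmd->servers), &sz) != 0)
			return (-1);
		break;
	}
	default:
		return (-1);
	}

	/* ic_len is an int; refuse anything that would be truncated into it */
	if (sz > (size_t)INT_MAX)
		return (-1);
	return ((int)sz);
}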
221*dbed73cbSSangeeta Misra 
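/*
 * Hand the kernel command at cmdp to the ILB kernel module through the
 * SIOCILB I_STR ioctl.
 *
 * cmdp - the command, starting with its ilb_cmd_t code.
 * sz   - the command's byte length; 0 means "derive it from cmdp->cmd"
 *        via i_get_kcmd_sz().
 *
 * Returns ILB_STATUS_OK on success; ILB_STATUS_INVAL_CMD when sz cannot be
 * derived; ILB_STATUS_EINVAL when an explicit sz is negative or too large
 * for the int ic_len; ILB_STATUS_INTERNAL if the control socket cannot be
 * opened; otherwise the ioctl's errno mapped by ilb_map_errno2ilbstat().
 *
 * The AF_INET datagram socket used for the ioctl is opened on first use
 * and kept in ksock for the rest of the process.  That lazy open is not
 * synchronized, so this assumes a single-threaded caller -- TODO confirm.
 */
ilb_status_t
do_ioctl(void *cmdp, ssize_t sz)
{
	struct strioctl	ioc;
	int		saved_errno;

	if (ksock == -1) {
		ksock = socket(AF_INET, SOCK_DGRAM, 0);
		if (ksock == -1) {
			logperror("do_ioctl: AF_INET socket call"
			    "  failed");
			return (ILB_STATUS_INTERNAL);
		}
	}

	if (sz == 0) {
		sz = i_get_kcmd_sz(cmdp);
		if (sz == -1) {
			logdebug("do_ioctl: unknown command");
			return (ILB_STATUS_INVAL_CMD);
		}
	} else if (sz < 0 || sz > INT_MAX) {
		/* ic_len is an int; never let a bad length be truncated into it */
		logdebug("do_ioctl: bad command length %ld", (long)sz);
		return (ILB_STATUS_EINVAL);
	}

	(void) memset(&ioc, 0, sizeof (ioc));
	ioc.ic_cmd = SIOCILB;
	ioc.ic_timout = 0;
	ioc.ic_dp = cmdp;
	ioc.ic_len = (int)sz;

	if (ioctl(ksock, I_STR, (caddr_t)&ioc) == -1) {
		/*
		 * Capture errno before logging: the log path runs through
		 * vsyslog()/vfprintf(), which may clobber it, and the status
		 * returned to the client must reflect the ioctl's failure.
		 */
		saved_errno = errno;
		logdebug("do_ioctl: SIOCILB ioctl (%d) failed: %s",
		    *(ilb_cmd_t *)cmdp, strerror(saved_errno));
		return (ilb_map_errno2ilbstat(saved_errno));
	}

	return (ILB_STATUS_OK);
}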
266*dbed73cbSSangeeta Misra 
/*
 * Fill rbuf with the generic "OK" reply to a client request and report the
 * reply length through rbufsz.  The reply is flagged ILB_COMM_END: a
 * single request/response exchange.
 *
 * rbuf   - reply buffer.  No capacity is passed in, so the caller must
 *          guarantee it can hold an ilb_comm_t; nothing here can check.
 * rbufsz - receives the number of bytes written, sizeof (ilb_comm_t).
 */
void
ilbd_reply_ok(uint32_t *rbuf, size_t *rbufsz)
{
	ilb_comm_t *reply = (ilb_comm_t *)rbuf;

	reply->ic_flags = ILB_COMM_END;
	reply->ic_cmd = ILBD_CMD_OK;
	*rbufsz = sizeof (*reply);
}
281*dbed73cbSSangeeta Misra 
/*
 * Fill rbuf with an error reply to a client request, carrying status as
 * the single ic_data payload, and report the reply length through rbufsz.
 * The reply is flagged ILB_COMM_END: a single request/response exchange.
 *
 * rbuf   - reply buffer.  No capacity is passed in, so the caller must
 *          guarantee it can hold an ilb_comm_t plus an ilb_status_t;
 *          nothing here can check.
 * rbufsz - receives the number of bytes written.
 * status - the ILB_STATUS_* code to send back.
 */
void
ilbd_reply_err(uint32_t *rbuf, size_t *rbufsz, ilb_status_t status)
{
	ilb_comm_t *reply = (ilb_comm_t *)rbuf;
	ilb_status_t *payload = (ilb_status_t *)&reply->ic_data;

	reply->ic_flags = ILB_COMM_END;
	reply->ic_cmd = ILBD_CMD_ERROR;
	*payload = status;
	*rbufsz = sizeof (*reply) + sizeof (status);
}
297