1/* Shared library add-on to iptables for SCTP matching 2 * 3 * (C) 2003 by Harald Welte <laforge@gnumonks.org> 4 * 5 * This program is distributed under the terms of GNU GPL v2, 1991 6 * 7 * libipt_ecn.c borrowed heavily from libipt_dscp.c 8 * 9 */ 10#include <stdbool.h> 11#include <stdio.h> 12#include <string.h> 13#include <stdlib.h> 14#include <getopt.h> 15#include <netdb.h> 16#include <ctype.h> 17 18#include <netinet/in.h> 19#include <xtables.h> 20 21#include <linux/netfilter/xt_sctp.h> 22 23#if 0 24#define DEBUGP(format, first...) printf(format, ##first) 25#define static 26#else 27#define DEBUGP(format, fist...) 28#endif 29 30static void 31print_chunk(uint32_t chunknum, int numeric); 32 33static void sctp_init(struct xt_entry_match *m) 34{ 35 int i; 36 struct xt_sctp_info *einfo = (struct xt_sctp_info *)m->data; 37 38 for (i = 0; i < XT_NUM_SCTP_FLAGS; i++) { 39 einfo->flag_info[i].chunktype = -1; 40 } 41} 42 43static void sctp_help(void) 44{ 45 printf( 46"sctp match options\n" 47"[!] --source-port port[:port] match source port(s)\n" 48" --sport ...\n" 49"[!] --destination-port port[:port] match destination port(s)\n" 50" --dport ...\n" 51"[!] --chunk-types (all|any|none) (chunktype[:flags])+ match if all, any or none of\n" 52" chunktypes are present\n" 53"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN ALL NONE\n"); 54} 55 56static const struct option sctp_opts[] = { 57 {.name = "source-port", .has_arg = true, .val = '1'}, 58 {.name = "sport", .has_arg = true, .val = '1'}, 59 {.name = "destination-port", .has_arg = true, .val = '2'}, 60 {.name = "dport", .has_arg = true, .val = '2'}, 61 {.name = "chunk-types", .has_arg = true, .val = '3'}, 62 XT_GETOPT_TABLEEND, 63}; 64 65static void 66parse_sctp_ports(const char *portstring, 67 uint16_t *ports) 68{ 69 char *buffer; 70 char *cp; 71 72 buffer = strdup(portstring); 73 DEBUGP("%s\n", portstring); 74 if ((cp = strchr(buffer, ':')) == NULL) { 75 ports[0] = ports[1] = xtables_parse_port(buffer, "sctp"); 76 } 77 else { 78 *cp = '\0'; 79 cp++; 80 81 ports[0] = buffer[0] ? xtables_parse_port(buffer, "sctp") : 0; 82 ports[1] = cp[0] ? xtables_parse_port(cp, "sctp") : 0xFFFF; 83 84 if (ports[0] > ports[1]) 85 xtables_error(PARAMETER_PROBLEM, 86 "invalid portrange (min > max)"); 87 } 88 free(buffer); 89} 90 91struct sctp_chunk_names { 92 const char *name; 93 unsigned int chunk_type; 94 const char *valid_flags; 95}; 96 97/*'ALL' and 'NONE' will be treated specially. */ 98static const struct sctp_chunk_names sctp_chunk_names[] 99= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE"}, 100 { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"}, 101 { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"}, 102 { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"}, 103 { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"}, 104 { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"}, 105 { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"}, 106 { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"}, 107 { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"}, 108 { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"}, 109 { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"}, 110 { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"}, 111 { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"}, 112 { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"}, 113 { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"}, 114 { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"}, 115 { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"}, 116 { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------"}, 117}; 118 119static void 120save_chunk_flag_info(struct xt_sctp_flag_info *flag_info, 121 int *flag_count, 122 int chunktype, 123 int bit, 124 int set) 125{ 126 int i; 127 128 for (i = 0; i < *flag_count; i++) { 129 if (flag_info[i].chunktype == chunktype) { 130 DEBUGP("Previous match found\n"); 131 flag_info[i].chunktype = chunktype; 132 flag_info[i].flag_mask |= (1 << bit); 133 if (set) { 134 flag_info[i].flag |= (1 << bit); 135 } 136 137 return; 138 } 139 } 140 141 if (*flag_count == XT_NUM_SCTP_FLAGS) { 142 xtables_error (PARAMETER_PROBLEM, 143 "Number of chunk types with flags exceeds currently allowed limit." 144 "Increasing this limit involves changing IPT_NUM_SCTP_FLAGS and" 145 "recompiling both the kernel space and user space modules\n"); 146 } 147 148 flag_info[*flag_count].chunktype = chunktype; 149 flag_info[*flag_count].flag_mask |= (1 << bit); 150 if (set) { 151 flag_info[*flag_count].flag |= (1 << bit); 152 } 153 (*flag_count)++; 154} 155 156static void 157parse_sctp_chunk(struct xt_sctp_info *einfo, 158 const char *chunks) 159{ 160 char *ptr; 161 char *buffer; 162 unsigned int i, j; 163 int found = 0; 164 char *chunk_flags; 165 166 buffer = strdup(chunks); 167 DEBUGP("Buffer: %s\n", buffer); 168 169 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 170 171 if (!strcasecmp(buffer, "ALL")) { 172 SCTP_CHUNKMAP_SET_ALL(einfo->chunkmap); 173 goto out; 174 } 175 176 if (!strcasecmp(buffer, "NONE")) { 177 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 178 goto out; 179 } 180 181 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) { 182 found = 0; 183 DEBUGP("Next Chunk type %s\n", ptr); 184 185 if ((chunk_flags = strchr(ptr, ':')) != NULL) { 186 *chunk_flags++ = 0; 187 } 188 189 for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) 190 if (strcasecmp(sctp_chunk_names[i].name, ptr) == 0) { 191 DEBUGP("Chunk num %d\n", sctp_chunk_names[i].chunk_type); 192 SCTP_CHUNKMAP_SET(einfo->chunkmap, 193 sctp_chunk_names[i].chunk_type); 194 found = 1; 195 break; 196 } 197 if (!found) 198 xtables_error(PARAMETER_PROBLEM, 199 "Unknown sctp chunk `%s'", ptr); 200 201 if (chunk_flags) { 202 DEBUGP("Chunk flags %s\n", chunk_flags); 203 for (j = 0; j < strlen(chunk_flags); j++) { 204 char *p; 205 int bit; 206 207 if ((p = strchr(sctp_chunk_names[i].valid_flags, 208 toupper(chunk_flags[j]))) != NULL) { 209 bit = p - sctp_chunk_names[i].valid_flags; 210 bit = 7 - bit; 211 212 save_chunk_flag_info(einfo->flag_info, 213 &(einfo->flag_count), i, bit, 214 isupper(chunk_flags[j])); 215 } else { 216 xtables_error(PARAMETER_PROBLEM, 217 "Invalid flags for chunk type %d\n", i); 218 } 219 } 220 } 221 } 222out: 223 free(buffer); 224} 225 226static void 227parse_sctp_chunks(struct xt_sctp_info *einfo, 228 const char *match_type, 229 const char *chunks) 230{ 231 DEBUGP("Match type: %s Chunks: %s\n", match_type, chunks); 232 if (!strcasecmp(match_type, "ANY")) { 233 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ANY; 234 } else if (!strcasecmp(match_type, "ALL")) { 235 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ALL; 236 } else if (!strcasecmp(match_type, "ONLY")) { 237 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ONLY; 238 } else { 239 xtables_error (PARAMETER_PROBLEM, 240 "Match type has to be one of \"ALL\", \"ANY\" or \"ONLY\""); 241 } 242 243 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 244 parse_sctp_chunk(einfo, chunks); 245} 246 247static int 248sctp_parse(int c, char **argv, int invert, unsigned int *flags, 249 const void *entry, struct xt_entry_match **match) 250{ 251 struct xt_sctp_info *einfo 252 = (struct xt_sctp_info *)(*match)->data; 253 254 switch (c) { 255 case '1': 256 if (*flags & XT_SCTP_SRC_PORTS) 257 xtables_error(PARAMETER_PROBLEM, 258 "Only one `--source-port' allowed"); 259 einfo->flags |= XT_SCTP_SRC_PORTS; 260 xtables_check_inverse(optarg, &invert, &optind, 0, argv); 261 parse_sctp_ports(optarg, einfo->spts); 262 if (invert) 263 einfo->invflags |= XT_SCTP_SRC_PORTS; 264 *flags |= XT_SCTP_SRC_PORTS; 265 break; 266 267 case '2': 268 if (*flags & XT_SCTP_DEST_PORTS) 269 xtables_error(PARAMETER_PROBLEM, 270 "Only one `--destination-port' allowed"); 271 einfo->flags |= XT_SCTP_DEST_PORTS; 272 xtables_check_inverse(optarg, &invert, &optind, 0, argv); 273 parse_sctp_ports(optarg, einfo->dpts); 274 if (invert) 275 einfo->invflags |= XT_SCTP_DEST_PORTS; 276 *flags |= XT_SCTP_DEST_PORTS; 277 break; 278 279 case '3': 280 if (*flags & XT_SCTP_CHUNK_TYPES) 281 xtables_error(PARAMETER_PROBLEM, 282 "Only one `--chunk-types' allowed"); 283 xtables_check_inverse(optarg, &invert, &optind, 0, argv); 284 285 if (!argv[optind] 286 || argv[optind][0] == '-' || argv[optind][0] == '!') 287 xtables_error(PARAMETER_PROBLEM, 288 "--chunk-types requires two args"); 289 290 einfo->flags |= XT_SCTP_CHUNK_TYPES; 291 parse_sctp_chunks(einfo, optarg, argv[optind]); 292 if (invert) 293 einfo->invflags |= XT_SCTP_CHUNK_TYPES; 294 optind++; 295 *flags |= XT_SCTP_CHUNK_TYPES; 296 break; 297 } 298 return 1; 299} 300 301static const char * 302port_to_service(int port) 303{ 304 const struct servent *service; 305 306 if ((service = getservbyport(htons(port), "sctp"))) 307 return service->s_name; 308 309 return NULL; 310} 311 312static void 313print_port(uint16_t port, int numeric) 314{ 315 const char *service; 316 317 if (numeric || (service = port_to_service(port)) == NULL) 318 printf("%u", port); 319 else 320 printf("%s", service); 321} 322 323static void 324print_ports(const char *name, uint16_t min, uint16_t max, 325 int invert, int numeric) 326{ 327 const char *inv = invert ? "!" : ""; 328 329 if (min != 0 || max != 0xFFFF || invert) { 330 printf(" %s", name); 331 if (min == max) { 332 printf(":%s", inv); 333 print_port(min, numeric); 334 } else { 335 printf("s:%s", inv); 336 print_port(min, numeric); 337 printf(":"); 338 print_port(max, numeric); 339 } 340 } 341} 342 343static void 344print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_mask) 345{ 346 int i; 347 348 DEBUGP("type: %d\tflags: %x\tflag mask: %x\n", chunknum, chunk_flags, 349 chunk_flags_mask); 350 351 if (chunk_flags_mask) { 352 printf(":"); 353 } 354 355 for (i = 7; i >= 0; i--) { 356 if (chunk_flags_mask & (1 << i)) { 357 if (chunk_flags & (1 << i)) { 358 printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]); 359 } else { 360 printf("%c", tolower(sctp_chunk_names[chunknum].valid_flags[7-i])); 361 } 362 } 363 } 364} 365 366static void 367print_chunk(uint32_t chunknum, int numeric) 368{ 369 if (numeric) { 370 printf("0x%04X", chunknum); 371 } 372 else { 373 int i; 374 375 for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) 376 if (sctp_chunk_names[i].chunk_type == chunknum) 377 printf("%s", sctp_chunk_names[chunknum].name); 378 } 379} 380 381static void 382print_chunks(const struct xt_sctp_info *einfo, int numeric) 383{ 384 uint32_t chunk_match_type = einfo->chunk_match_type; 385 const struct xt_sctp_flag_info *flag_info = einfo->flag_info; 386 int flag_count = einfo->flag_count; 387 int i, j; 388 int flag; 389 390 switch (chunk_match_type) { 391 case SCTP_CHUNK_MATCH_ANY: printf(" any"); break; 392 case SCTP_CHUNK_MATCH_ALL: printf(" all"); break; 393 case SCTP_CHUNK_MATCH_ONLY: printf(" only"); break; 394 default: printf("Never reach here\n"); break; 395 } 396 397 if (SCTP_CHUNKMAP_IS_CLEAR(einfo->chunkmap)) { 398 printf(" NONE"); 399 goto out; 400 } 401 402 if (SCTP_CHUNKMAP_IS_ALL_SET(einfo->chunkmap)) { 403 printf(" ALL"); 404 goto out; 405 } 406 407 flag = 0; 408 for (i = 0; i < 256; i++) { 409 if (SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, i)) { 410 if (flag) 411 printf(","); 412 else 413 putchar(' '); 414 flag = 1; 415 print_chunk(i, numeric); 416 for (j = 0; j < flag_count; j++) { 417 if (flag_info[j].chunktype == i) { 418 print_chunk_flags(i, flag_info[j].flag, 419 flag_info[j].flag_mask); 420 } 421 } 422 } 423 } 424out: 425 return; 426} 427 428static void 429sctp_print(const void *ip, const struct xt_entry_match *match, int numeric) 430{ 431 const struct xt_sctp_info *einfo = 432 (const struct xt_sctp_info *)match->data; 433 434 printf(" sctp"); 435 436 if (einfo->flags & XT_SCTP_SRC_PORTS) { 437 print_ports("spt", einfo->spts[0], einfo->spts[1], 438 einfo->invflags & XT_SCTP_SRC_PORTS, 439 numeric); 440 } 441 442 if (einfo->flags & XT_SCTP_DEST_PORTS) { 443 print_ports("dpt", einfo->dpts[0], einfo->dpts[1], 444 einfo->invflags & XT_SCTP_DEST_PORTS, 445 numeric); 446 } 447 448 if (einfo->flags & XT_SCTP_CHUNK_TYPES) { 449 /* FIXME: print_chunks() is used in save() where the printing of '!' 450 s taken care of, so we need to do that here as well */ 451 if (einfo->invflags & XT_SCTP_CHUNK_TYPES) { 452 printf(" !"); 453 } 454 print_chunks(einfo, numeric); 455 } 456} 457 458static void sctp_save(const void *ip, const struct xt_entry_match *match) 459{ 460 const struct xt_sctp_info *einfo = 461 (const struct xt_sctp_info *)match->data; 462 463 if (einfo->flags & XT_SCTP_SRC_PORTS) { 464 if (einfo->invflags & XT_SCTP_SRC_PORTS) 465 printf(" !"); 466 if (einfo->spts[0] != einfo->spts[1]) 467 printf(" --sport %u:%u", 468 einfo->spts[0], einfo->spts[1]); 469 else 470 printf(" --sport %u", einfo->spts[0]); 471 } 472 473 if (einfo->flags & XT_SCTP_DEST_PORTS) { 474 if (einfo->invflags & XT_SCTP_DEST_PORTS) 475 printf(" !"); 476 if (einfo->dpts[0] != einfo->dpts[1]) 477 printf(" --dport %u:%u", 478 einfo->dpts[0], einfo->dpts[1]); 479 else 480 printf(" --dport %u", einfo->dpts[0]); 481 } 482 483 if (einfo->flags & XT_SCTP_CHUNK_TYPES) { 484 if (einfo->invflags & XT_SCTP_CHUNK_TYPES) 485 printf(" !"); 486 printf(" --chunk-types"); 487 488 print_chunks(einfo, 0); 489 } 490} 491 492static struct xtables_match sctp_match = { 493 .name = "sctp", 494 .family = NFPROTO_UNSPEC, 495 .version = XTABLES_VERSION, 496 .size = XT_ALIGN(sizeof(struct xt_sctp_info)), 497 .userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)), 498 .help = sctp_help, 499 .init = sctp_init, 500 .parse = sctp_parse, 501 .print = sctp_print, 502 .save = sctp_save, 503 .extra_opts = sctp_opts, 504}; 505 506void _init(void) 507{ 508 xtables_register_match(&sctp_match); 509} 510