libip6t_frag.c revision a620c61d441b931bc4a52ec07f1b906318ee4069 
1/* Shared library add-on to ip6tables to add Fragmentation header support. */
2#include <stdio.h>
3#include <netdb.h>
4#include <string.h>
5#include <stdlib.h>
6#include <getopt.h>
7#include <errno.h>
8#include <ip6tables.h>
9#include <linux/netfilter_ipv6/ip6t_frag.h>
10
11/* Function which prints out usage message. */
12static void
13help(void)
14{
15	printf(
16"FRAG v%s options:\n"
17" --fragid [!] id[:id]          match the id (range)\n"
18" --fraglen [!] length          total length of this header\n"
19" --fragres                     check the reserved filed, too\n"
20" --fragfirst                   matches on the first fragment\n"
21" [--fragmore|--fraglast]       there are more fragments or this\n"
22"                               is the last one\n",
23IPTABLES_VERSION);
24}
25
26static struct option opts[] = {
27	{ .name = "fragid",    .has_arg = 1, .flag = 0, .val = '1' },
28	{ .name = "fraglen",   .has_arg = 1, .flag = 0, .val = '2' },
29	{ .name = "fragres",   .has_arg = 0, .flag = 0, .val = '3' },
30	{ .name = "fragfirst", .has_arg = 0, .flag = 0, .val = '4' },
31	{ .name = "fragmore",  .has_arg = 0, .flag = 0, .val = '5' },
32	{ .name = "fraglast",  .has_arg = 0, .flag = 0, .val = '6' },
33	{ .name = 0 }
34};
35
36static u_int32_t
37parse_frag_id(const char *idstr, const char *typestr)
38{
39	unsigned long int id;
40	char* ep;
41
42	id = strtoul(idstr, &ep, 0);
43
44	if ( idstr == ep ) {
45		exit_error(PARAMETER_PROBLEM,
46			   "FRAG no valid digits in %s `%s'", typestr, idstr);
47	}
48	if ( id == ULONG_MAX  && errno == ERANGE ) {
49		exit_error(PARAMETER_PROBLEM,
50			   "%s `%s' specified too big: would overflow",
51			   typestr, idstr);
52	}
53	if ( *idstr != '\0'  && *ep != '\0' ) {
54		exit_error(PARAMETER_PROBLEM,
55			   "FRAG error parsing %s `%s'", typestr, idstr);
56	}
57	return (u_int32_t) id;
58}
59
60static void
61parse_frag_ids(const char *idstring, u_int32_t *ids)
62{
63	char *buffer;
64	char *cp;
65
66	buffer = strdup(idstring);
67	if ((cp = strchr(buffer, ':')) == NULL)
68		ids[0] = ids[1] = parse_frag_id(buffer,"id");
69	else {
70		*cp = '\0';
71		cp++;
72
73		ids[0] = buffer[0] ? parse_frag_id(buffer,"id") : 0;
74		ids[1] = cp[0] ? parse_frag_id(cp,"id") : 0xFFFFFFFF;
75	}
76	free(buffer);
77}
78
79/* Initialize the match. */
80static void
81init(struct xt_entry_match *m, unsigned int *nfcache)
82{
83	struct ip6t_frag *fraginfo = (struct ip6t_frag *)m->data;
84
85	fraginfo->ids[0] = 0x0L;
86	fraginfo->ids[1] = 0xFFFFFFFF;
87	fraginfo->hdrlen = 0;
88	fraginfo->flags = 0;
89	fraginfo->invflags = 0;
90}
91
92/* Function which parses command options; returns true if it
93   ate an option */
94static int
95parse(int c, char **argv, int invert, unsigned int *flags,
96      const void *entry,
97      unsigned int *nfcache,
98      struct xt_entry_match **match)
99{
100	struct ip6t_frag *fraginfo = (struct ip6t_frag *)(*match)->data;
101
102	switch (c) {
103	case '1':
104		if (*flags & IP6T_FRAG_IDS)
105			exit_error(PARAMETER_PROBLEM,
106				   "Only one `--fragid' allowed");
107		check_inverse(optarg, &invert, &optind, 0);
108		parse_frag_ids(argv[optind-1], fraginfo->ids);
109		if (invert)
110			fraginfo->invflags |= IP6T_FRAG_INV_IDS;
111		fraginfo->flags |= IP6T_FRAG_IDS;
112		*flags |= IP6T_FRAG_IDS;
113		break;
114	case '2':
115		if (*flags & IP6T_FRAG_LEN)
116			exit_error(PARAMETER_PROBLEM,
117				   "Only one `--fraglen' allowed");
118		check_inverse(optarg, &invert, &optind, 0);
119		fraginfo->hdrlen = parse_frag_id(argv[optind-1], "length");
120		if (invert)
121			fraginfo->invflags |= IP6T_FRAG_INV_LEN;
122		fraginfo->flags |= IP6T_FRAG_LEN;
123		*flags |= IP6T_FRAG_LEN;
124		break;
125	case '3':
126		if (*flags & IP6T_FRAG_RES)
127			exit_error(PARAMETER_PROBLEM,
128				   "Only one `--fragres' allowed");
129		fraginfo->flags |= IP6T_FRAG_RES;
130		*flags |= IP6T_FRAG_RES;
131		break;
132	case '4':
133		if (*flags & IP6T_FRAG_FST)
134			exit_error(PARAMETER_PROBLEM,
135				   "Only one `--fragfirst' allowed");
136		fraginfo->flags |= IP6T_FRAG_FST;
137		*flags |= IP6T_FRAG_FST;
138		break;
139	case '5':
140		if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
141			exit_error(PARAMETER_PROBLEM,
142			   "Only one `--fragmore' or `--fraglast' allowed");
143		fraginfo->flags |= IP6T_FRAG_MF;
144		*flags |= IP6T_FRAG_MF;
145		break;
146	case '6':
147		if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
148			exit_error(PARAMETER_PROBLEM,
149			   "Only one `--fragmore' or `--fraglast' allowed");
150		fraginfo->flags |= IP6T_FRAG_NMF;
151		*flags |= IP6T_FRAG_NMF;
152		break;
153	default:
154		return 0;
155	}
156
157	return 1;
158}
159
160/* Final check; we don't care. */
161static void
162final_check(unsigned int flags)
163{
164}
165
166static void
167print_ids(const char *name, u_int32_t min, u_int32_t max,
168	    int invert)
169{
170	const char *inv = invert ? "!" : "";
171
172	if (min != 0 || max != 0xFFFFFFFF || invert) {
173		printf("%s", name);
174		if (min == max)
175			printf(":%s%u ", inv, min);
176		else
177			printf("s:%s%u:%u ", inv, min, max);
178	}
179}
180
181/* Prints out the union ip6t_matchinfo. */
182static void
183print(const void *ip,
184      const struct xt_entry_match *match, int numeric)
185{
186	const struct ip6t_frag *frag = (struct ip6t_frag *)match->data;
187
188	printf("frag ");
189	print_ids("id", frag->ids[0], frag->ids[1],
190		    frag->invflags & IP6T_FRAG_INV_IDS);
191
192	if (frag->flags & IP6T_FRAG_LEN) {
193		printf("length:%s%u ",
194			frag->invflags & IP6T_FRAG_INV_LEN ? "!" : "",
195			frag->hdrlen);
196	}
197
198	if (frag->flags & IP6T_FRAG_RES)
199		printf("reserved ");
200
201	if (frag->flags & IP6T_FRAG_FST)
202		printf("first ");
203
204	if (frag->flags & IP6T_FRAG_MF)
205		printf("more ");
206
207	if (frag->flags & IP6T_FRAG_NMF)
208		printf("last ");
209
210	if (frag->invflags & ~IP6T_FRAG_INV_MASK)
211		printf("Unknown invflags: 0x%X ",
212		       frag->invflags & ~IP6T_FRAG_INV_MASK);
213}
214
215/* Saves the union ip6t_matchinfo in parsable form to stdout. */
216static void save(const void *ip, const struct xt_entry_match *match)
217{
218	const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data;
219
220	if (!(fraginfo->ids[0] == 0
221	    && fraginfo->ids[1] == 0xFFFFFFFF)) {
222		printf("--fragid %s",
223			(fraginfo->invflags & IP6T_FRAG_INV_IDS) ? "! " : "");
224		if (fraginfo->ids[0]
225		    != fraginfo->ids[1])
226			printf("%u:%u ",
227			       fraginfo->ids[0],
228			       fraginfo->ids[1]);
229		else
230			printf("%u ",
231			       fraginfo->ids[0]);
232	}
233
234	if (fraginfo->flags & IP6T_FRAG_LEN) {
235		printf("--fraglen %s%u ",
236			(fraginfo->invflags & IP6T_FRAG_INV_LEN) ? "! " : "",
237			fraginfo->hdrlen);
238	}
239
240	if (fraginfo->flags & IP6T_FRAG_RES)
241		printf("--fragres ");
242
243	if (fraginfo->flags & IP6T_FRAG_FST)
244		printf("--fragfirst ");
245
246	if (fraginfo->flags & IP6T_FRAG_MF)
247		printf("--fragmore ");
248
249	if (fraginfo->flags & IP6T_FRAG_NMF)
250		printf("--fraglast ");
251}
252
253static
254struct ip6tables_match frag = {
255	.name          = "frag",
256	.version       = IPTABLES_VERSION,
257	.size          = IP6T_ALIGN(sizeof(struct ip6t_frag)),
258	.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_frag)),
259	.help          = &help,
260	.init          = &init,
261	.parse         = &parse,
262	.final_check   = &final_check,
263	.print         = &print,
264	.save          = &save,
265	.extra_opts    = opts
266};
267
268void
269_init(void)
270{
271	register_match6(&frag);
272}
273