libip6t_frag.c revision f1f447b836a714b4646450aaed3dd1aa6ab2808a 
1/* Shared library add-on to ip6tables to add Fragmentation header support. */
2#include <stdio.h>
3#include <netdb.h>
4#include <string.h>
5#include <stdlib.h>
6#include <getopt.h>
7#include <errno.h>
8#include <ip6tables.h>
9#include <linux/netfilter_ipv6/ip6t_frag.h>
10
11/* Function which prints out usage message. */
12static void
13help(void)
14{
15	printf(
16"FRAG v%s options:\n"
17" --fragid [!] id[:id]          match the id (range)\n"
18" --fraglen [!] length          total length of this header\n"
19" --fragres                     check the reserved filed, too\n"
20" --fragfirst                   matches on the frst fragment\n"
21" [--fragmore|--fraglast]       there are more fragments or this\n"
22"                               is the last one\n",
23NETFILTER_VERSION);
24}
25
26static struct option opts[] = {
27	{ "fragid", 1, 0, '1' },
28	{ "fraglen", 1, 0, '2' },
29	{ "fragres", 0, 0, '3' },
30	{ "fragfirst", 0, 0, '4' },
31	{ "fragmore", 0, 0, '5' },
32	{ "fraglast", 0, 0, '6' },
33	{0}
34};
35
36static u_int32_t
37parse_frag_id(const char *idstr, const char *typestr)
38{
39	unsigned long int id;
40	char* ep;
41
42	id =  strtoul(idstr,&ep,0) ;
43
44	if ( idstr == ep ) {
45		exit_error(PARAMETER_PROBLEM,
46			   "FRAG no valid digits in %s `%s'", typestr, idstr);
47	}
48	if ( id == ULONG_MAX  && errno == ERANGE ) {
49		exit_error(PARAMETER_PROBLEM,
50			   "%s `%s' specified too big: would overflow",
51			   typestr, idstr);
52	}
53	if ( *idstr != '\0'  && *ep != '\0' ) {
54		exit_error(PARAMETER_PROBLEM,
55			   "FRAG error parsing %s `%s'", typestr, idstr);
56	}
57	return (u_int32_t) id;
58}
59
60static void
61parse_frag_ids(const char *idstring, u_int32_t *ids)
62{
63	char *buffer;
64	char *cp;
65
66	buffer = strdup(idstring);
67	if ((cp = strchr(buffer, ':')) == NULL)
68		ids[0] = ids[1] = parse_frag_id(buffer,"id");
69	else {
70		*cp = '\0';
71		cp++;
72
73		ids[0] = buffer[0] ? parse_frag_id(buffer,"id") : 0;
74		ids[1] = cp[0] ? parse_frag_id(cp,"id") : 0xFFFFFFFF;
75	}
76	free(buffer);
77}
78
79/* Initialize the match. */
80static void
81init(struct ip6t_entry_match *m, unsigned int *nfcache)
82{
83	struct ip6t_frag *fraginfo = (struct ip6t_frag *)m->data;
84
85	fraginfo->ids[0] = 0x0L;
86	fraginfo->ids[1] = 0xFFFFFFFF;
87	fraginfo->hdrlen = 0;
88	fraginfo->flags = 0;
89	fraginfo->invflags = 0;
90}
91
92/* Function which parses command options; returns true if it
93   ate an option */
94static int
95parse(int c, char **argv, int invert, unsigned int *flags,
96      const struct ip6t_entry *entry,
97      unsigned int *nfcache,
98      struct ip6t_entry_match **match)
99{
100	struct ip6t_frag *fraginfo = (struct ip6t_frag *)(*match)->data;
101
102	switch (c) {
103	case '1':
104		if (*flags & IP6T_FRAG_IDS)
105			exit_error(PARAMETER_PROBLEM,
106				   "Only one `--fragid' allowed");
107		check_inverse(optarg, &invert, &optind, 0);
108		parse_frag_ids(argv[optind-1], fraginfo->ids);
109		if (invert)
110			fraginfo->invflags |= IP6T_FRAG_INV_IDS;
111		fraginfo->flags |= IP6T_FRAG_IDS;
112		*flags |= IP6T_FRAG_IDS;
113		break;
114	case '2':
115		if (*flags & IP6T_FRAG_LEN)
116			exit_error(PARAMETER_PROBLEM,
117				   "Only one `--fraglen' allowed");
118		check_inverse(optarg, &invert, &optind, 0);
119		fraginfo->hdrlen = parse_frag_id(argv[optind-1], "length");
120		if (invert)
121			fraginfo->invflags |= IP6T_FRAG_INV_LEN;
122		fraginfo->flags |= IP6T_FRAG_LEN;
123		*flags |= IP6T_FRAG_LEN;
124		break;
125	case '3':
126		if (*flags & IP6T_FRAG_RES)
127			exit_error(PARAMETER_PROBLEM,
128				   "Only one `--fragres' allowed");
129		fraginfo->flags |= IP6T_FRAG_RES;
130		*flags |= IP6T_FRAG_RES;
131		break;
132	case '4':
133		if (*flags & IP6T_FRAG_FST)
134			exit_error(PARAMETER_PROBLEM,
135				   "Only one `--fragfirst' allowed");
136		fraginfo->flags |= IP6T_FRAG_FST;
137		*flags |= IP6T_FRAG_FST;
138		break;
139	case '5':
140		if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
141			exit_error(PARAMETER_PROBLEM,
142			   "Only one `--fragmore' or `--fraglast' allowed");
143		fraginfo->flags |= IP6T_FRAG_MF;
144		*flags |= IP6T_FRAG_MF;
145		break;
146	case '6':
147		if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
148			exit_error(PARAMETER_PROBLEM,
149			   "Only one `--fragmore' or `--fraglast' allowed");
150		fraginfo->flags |= IP6T_FRAG_NMF;
151		*flags |= IP6T_FRAG_NMF;
152		break;
153	default:
154		return 0;
155	}
156
157	return 1;
158}
159
160/* Final check; we don't care. */
161static void
162final_check(unsigned int flags)
163{
164}
165
166static void
167print_ids(const char *name, u_int32_t min, u_int32_t max,
168	    int invert)
169{
170	const char *inv = invert ? "!" : "";
171
172	if (min != 0 || max != 0xFFFFFFFF || invert) {
173		printf("%s", name);
174		if (min == max) {
175			printf(":%s", inv);
176			printf("%u", min);
177		} else {
178			printf("s:%s", inv);
179			printf("%u",min);
180			printf(":");
181			printf("%u",max);
182		}
183		printf(" ");
184	}
185}
186
187static void
188print_len(const char *name, u_int32_t len, int invert)
189{
190	const char *inv = invert ? "!" : "";
191
192	if (len != 0 || invert) {
193		printf("%s", name);
194		printf(":%s", inv);
195		printf("%u", len);
196		printf(" ");
197	}
198}
199
200/* Prints out the union ip6t_matchinfo. */
201static void
202print(const struct ip6t_ip6 *ip,
203      const struct ip6t_entry_match *match, int numeric)
204{
205	const struct ip6t_frag *frag = (struct ip6t_frag *)match->data;
206
207	printf("frag ");
208	print_ids("id", frag->ids[0], frag->ids[1],
209		    frag->invflags & IP6T_FRAG_INV_IDS);
210	print_len("length", frag->hdrlen,
211		    frag->invflags & IP6T_FRAG_INV_LEN);
212	if (frag->flags & IP6T_FRAG_RES) printf("reserved ");
213	if (frag->flags & IP6T_FRAG_FST) printf("first ");
214	if (frag->flags & IP6T_FRAG_MF) printf("more ");
215	if (frag->flags & IP6T_FRAG_NMF) printf("last ");
216	if (frag->invflags & ~IP6T_FRAG_INV_MASK)
217		printf("Unknown invflags: 0x%X ",
218		       frag->invflags & ~IP6T_FRAG_INV_MASK);
219}
220
221/* Saves the union ip6t_matchinfo in parsable form to stdout. */
222static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
223{
224	const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data;
225
226	if (!(fraginfo->ids[0] == 0
227	    && fraginfo->ids[1] == 0xFFFFFFFF)) {
228		printf("--fragid %s",
229			(fraginfo->invflags & IP6T_FRAG_INV_IDS) ? "! " : "");
230		if (fraginfo->ids[0]
231		    != fraginfo->ids[1])
232			printf("%u:%u ",
233			       fraginfo->ids[0],
234			       fraginfo->ids[1]);
235		else
236			printf("%u ",
237			       fraginfo->ids[0]);
238	}
239
240	if (fraginfo->hdrlen != 0 ) {
241		printf("--fraglen %s%u ",
242			(fraginfo->invflags & IP6T_FRAG_INV_LEN) ? "! " : "",
243			fraginfo->hdrlen);
244	}
245
246	if (fraginfo->flags & IP6T_FRAG_RES) printf("--fragres ");
247	if (fraginfo->flags & IP6T_FRAG_FST) printf("--fragfirst ");
248	if (fraginfo->flags & IP6T_FRAG_MF) printf("--fragmore ");
249	if (fraginfo->flags & IP6T_FRAG_NMF) printf("--fraglast ");
250
251}
252
253static
254struct ip6tables_match frag
255= { NULL,
256    "frag",
257    NETFILTER_VERSION,
258    IP6T_ALIGN(sizeof(struct ip6t_frag)),
259    IP6T_ALIGN(sizeof(struct ip6t_frag)),
260    &help,
261    &init,
262    &parse,
263    &final_check,
264    &print,
265    &save,
266    opts
267};
268
269void
270_init(void)
271{
272	register_match6(&frag);
273}
274