1/* 2 * Copyright (c) 2005-2013 Patrick McHardy <kaber@trash.net> 3 */ 4 5#include <stdbool.h> 6#include <stdint.h> 7#include <stdio.h> 8#include <string.h> 9#include <netdb.h> 10#include <xtables.h> 11#include <linux/netfilter/xt_policy.h> 12 13enum { 14 O_DIRECTION = 0, 15 O_POLICY, 16 O_STRICT, 17 O_REQID, 18 O_SPI, 19 O_PROTO, 20 O_MODE, 21 O_TUNNELSRC, 22 O_TUNNELDST, 23 O_NEXT, 24 F_STRICT = 1 << O_STRICT, 25}; 26 27static void policy_help(void) 28{ 29 printf( 30"policy match options:\n" 31" --dir in|out match policy applied during decapsulation/\n" 32" policy to be applied during encapsulation\n" 33" --pol none|ipsec match policy\n" 34" --strict match entire policy instead of single element\n" 35" at any position\n" 36"These options may be used repeatedly, to describe policy elements:\n" 37"[!] --reqid reqid match reqid\n" 38"[!] --spi spi match SPI\n" 39"[!] --proto proto match protocol (ah/esp/ipcomp)\n" 40"[!] --mode mode match mode (transport/tunnel)\n" 41"[!] --tunnel-src addr/mask match tunnel source\n" 42"[!] --tunnel-dst addr/mask match tunnel destination\n" 43" --next begin next element in policy\n"); 44} 45 46static const struct xt_option_entry policy_opts[] = { 47 {.name = "dir", .id = O_DIRECTION, .type = XTTYPE_STRING}, 48 {.name = "pol", .id = O_POLICY, .type = XTTYPE_STRING}, 49 {.name = "strict", .id = O_STRICT, .type = XTTYPE_NONE}, 50 {.name = "reqid", .id = O_REQID, .type = XTTYPE_UINT32, 51 .flags = XTOPT_MULTI | XTOPT_INVERT}, 52 {.name = "spi", .id = O_SPI, .type = XTTYPE_UINT32, 53 .flags = XTOPT_MULTI | XTOPT_INVERT}, 54 {.name = "tunnel-src", .id = O_TUNNELSRC, .type = XTTYPE_HOSTMASK, 55 .flags = XTOPT_MULTI | XTOPT_INVERT}, 56 {.name = "tunnel-dst", .id = O_TUNNELDST, .type = XTTYPE_HOSTMASK, 57 .flags = XTOPT_MULTI | XTOPT_INVERT}, 58 {.name = "proto", .id = O_PROTO, .type = XTTYPE_PROTOCOL, 59 .flags = XTOPT_MULTI | XTOPT_INVERT}, 60 {.name = "mode", .id = O_MODE, .type = XTTYPE_STRING, 61 .flags = XTOPT_MULTI | XTOPT_INVERT}, 62 {.name = "next", .id = O_NEXT, .type = XTTYPE_NONE, 63 .flags = XTOPT_MULTI, .also = F_STRICT}, 64 XTOPT_TABLEEND, 65}; 66 67static int parse_direction(const char *s) 68{ 69 if (strcmp(s, "in") == 0) 70 return XT_POLICY_MATCH_IN; 71 if (strcmp(s, "out") == 0) 72 return XT_POLICY_MATCH_OUT; 73 xtables_error(PARAMETER_PROBLEM, "policy_match: invalid dir \"%s\"", s); 74} 75 76static int parse_policy(const char *s) 77{ 78 if (strcmp(s, "none") == 0) 79 return XT_POLICY_MATCH_NONE; 80 if (strcmp(s, "ipsec") == 0) 81 return 0; 82 xtables_error(PARAMETER_PROBLEM, "policy match: invalid policy \"%s\"", s); 83} 84 85static int parse_mode(const char *s) 86{ 87 if (strcmp(s, "transport") == 0) 88 return XT_POLICY_MODE_TRANSPORT; 89 if (strcmp(s, "tunnel") == 0) 90 return XT_POLICY_MODE_TUNNEL; 91 xtables_error(PARAMETER_PROBLEM, "policy match: invalid mode \"%s\"", s); 92} 93 94static void policy_parse(struct xt_option_call *cb) 95{ 96 struct xt_policy_info *info = cb->data; 97 struct xt_policy_elem *e = &info->pol[info->len]; 98 99 xtables_option_parse(cb); 100 switch (cb->entry->id) { 101 case O_DIRECTION: 102 info->flags |= parse_direction(cb->arg); 103 break; 104 case O_POLICY: 105 info->flags |= parse_policy(cb->arg); 106 break; 107 case O_STRICT: 108 info->flags |= XT_POLICY_MATCH_STRICT; 109 break; 110 case O_REQID: 111 if (e->match.reqid) 112 xtables_error(PARAMETER_PROBLEM, 113 "policy match: double --reqid option"); 114 e->match.reqid = 1; 115 e->invert.reqid = cb->invert; 116 e->reqid = cb->val.u32; 117 break; 118 case O_SPI: 119 if (e->match.spi) 120 xtables_error(PARAMETER_PROBLEM, 121 "policy match: double --spi option"); 122 e->match.spi = 1; 123 e->invert.spi = cb->invert; 124 e->spi = cb->val.u32; 125 break; 126 case O_TUNNELSRC: 127 if (e->match.saddr) 128 xtables_error(PARAMETER_PROBLEM, 129 "policy match: double --tunnel-src option"); 130 131 e->match.saddr = 1; 132 e->invert.saddr = cb->invert; 133 memcpy(&e->saddr, &cb->val.haddr, sizeof(cb->val.haddr)); 134 memcpy(&e->smask, &cb->val.hmask, sizeof(cb->val.hmask)); 135 break; 136 case O_TUNNELDST: 137 if (e->match.daddr) 138 xtables_error(PARAMETER_PROBLEM, 139 "policy match: double --tunnel-dst option"); 140 e->match.daddr = 1; 141 e->invert.daddr = cb->invert; 142 memcpy(&e->daddr, &cb->val.haddr, sizeof(cb->val.haddr)); 143 memcpy(&e->dmask, &cb->val.hmask, sizeof(cb->val.hmask)); 144 break; 145 case O_PROTO: 146 if (e->match.proto) 147 xtables_error(PARAMETER_PROBLEM, 148 "policy match: double --proto option"); 149 e->proto = cb->val.protocol; 150 if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP && 151 e->proto != IPPROTO_COMP) 152 xtables_error(PARAMETER_PROBLEM, 153 "policy match: protocol must be ah/esp/ipcomp"); 154 e->match.proto = 1; 155 e->invert.proto = cb->invert; 156 break; 157 case O_MODE: 158 if (e->match.mode) 159 xtables_error(PARAMETER_PROBLEM, 160 "policy match: double --mode option"); 161 e->match.mode = 1; 162 e->invert.mode = cb->invert; 163 e->mode = parse_mode(cb->arg); 164 break; 165 case O_NEXT: 166 if (++info->len == XT_POLICY_MAX_ELEM) 167 xtables_error(PARAMETER_PROBLEM, 168 "policy match: maximum policy depth reached"); 169 break; 170 } 171} 172 173static void policy_check(struct xt_fcheck_call *cb) 174{ 175 struct xt_policy_info *info = cb->data; 176 const struct xt_policy_elem *e; 177 int i; 178 179 /* 180 * The old "no parameters given" check is carried out 181 * by testing for --dir. 182 */ 183 if (!(info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT))) 184 xtables_error(PARAMETER_PROBLEM, 185 "policy match: neither --dir in nor --dir out specified"); 186 187 if (info->flags & XT_POLICY_MATCH_NONE) { 188 if (info->flags & XT_POLICY_MATCH_STRICT) 189 xtables_error(PARAMETER_PROBLEM, 190 "policy match: policy none but --strict given"); 191 192 if (info->len != 0) 193 xtables_error(PARAMETER_PROBLEM, 194 "policy match: policy none but policy given"); 195 } else 196 info->len++; /* increase len by 1, no --next after last element */ 197 198 /* 199 * This is already represented with O_NEXT requiring F_STRICT in the 200 * options table, but will keep this code as a comment for reference. 201 * 202 if (!(info->flags & XT_POLICY_MATCH_STRICT) && info->len > 1) 203 xtables_error(PARAMETER_PROBLEM, 204 "policy match: multiple elements but no --strict"); 205 */ 206 207 for (i = 0; i < info->len; i++) { 208 e = &info->pol[i]; 209 210 if (info->flags & XT_POLICY_MATCH_STRICT && 211 !(e->match.reqid || e->match.spi || e->match.saddr || 212 e->match.daddr || e->match.proto || e->match.mode)) 213 xtables_error(PARAMETER_PROBLEM, 214 "policy match: empty policy element %u. " 215 "--strict is in effect, but at least one of " 216 "reqid, spi, tunnel-src, tunnel-dst, proto or " 217 "mode is required.", i); 218 219 if ((e->match.saddr || e->match.daddr) 220 && ((e->mode == XT_POLICY_MODE_TUNNEL && e->invert.mode) || 221 (e->mode == XT_POLICY_MODE_TRANSPORT && !e->invert.mode))) 222 xtables_error(PARAMETER_PROBLEM, 223 "policy match: --tunnel-src/--tunnel-dst " 224 "is only valid in tunnel mode"); 225 } 226} 227 228static void print_mode(const char *prefix, uint8_t mode, int numeric) 229{ 230 printf(" %smode ", prefix); 231 232 switch (mode) { 233 case XT_POLICY_MODE_TRANSPORT: 234 printf("transport"); 235 break; 236 case XT_POLICY_MODE_TUNNEL: 237 printf("tunnel"); 238 break; 239 default: 240 printf("???"); 241 break; 242 } 243} 244 245static void print_proto(const char *prefix, uint8_t proto, int numeric) 246{ 247 const struct protoent *p = NULL; 248 249 printf(" %sproto ", prefix); 250 if (!numeric) 251 p = getprotobynumber(proto); 252 if (p != NULL) 253 printf("%s", p->p_name); 254 else 255 printf("%u", proto); 256} 257 258#define PRINT_INVERT(x) \ 259do { \ 260 if (x) \ 261 printf(" !"); \ 262} while(0) 263 264static void print_entry(const char *prefix, const struct xt_policy_elem *e, 265 bool numeric, uint8_t family) 266{ 267 if (e->match.reqid) { 268 PRINT_INVERT(e->invert.reqid); 269 printf(" %sreqid %u", prefix, e->reqid); 270 } 271 if (e->match.spi) { 272 PRINT_INVERT(e->invert.spi); 273 printf(" %sspi 0x%x", prefix, e->spi); 274 } 275 if (e->match.proto) { 276 PRINT_INVERT(e->invert.proto); 277 print_proto(prefix, e->proto, numeric); 278 } 279 if (e->match.mode) { 280 PRINT_INVERT(e->invert.mode); 281 print_mode(prefix, e->mode, numeric); 282 } 283 if (e->match.daddr) { 284 PRINT_INVERT(e->invert.daddr); 285 if (family == NFPROTO_IPV6) 286 printf(" %stunnel-dst %s%s", prefix, 287 xtables_ip6addr_to_numeric(&e->daddr.a6), 288 xtables_ip6mask_to_numeric(&e->dmask.a6)); 289 else 290 printf(" %stunnel-dst %s%s", prefix, 291 xtables_ipaddr_to_numeric(&e->daddr.a4), 292 xtables_ipmask_to_numeric(&e->dmask.a4)); 293 } 294 if (e->match.saddr) { 295 PRINT_INVERT(e->invert.saddr); 296 if (family == NFPROTO_IPV6) 297 printf(" %stunnel-src %s%s", prefix, 298 xtables_ip6addr_to_numeric(&e->saddr.a6), 299 xtables_ip6mask_to_numeric(&e->smask.a6)); 300 else 301 printf(" %stunnel-src %s%s", prefix, 302 xtables_ipaddr_to_numeric(&e->saddr.a4), 303 xtables_ipmask_to_numeric(&e->smask.a4)); 304 } 305} 306 307static void print_flags(const char *prefix, const struct xt_policy_info *info) 308{ 309 if (info->flags & XT_POLICY_MATCH_IN) 310 printf(" %sdir in", prefix); 311 else 312 printf(" %sdir out", prefix); 313 314 if (info->flags & XT_POLICY_MATCH_NONE) 315 printf(" %spol none", prefix); 316 else 317 printf(" %spol ipsec", prefix); 318 319 if (info->flags & XT_POLICY_MATCH_STRICT) 320 printf(" %sstrict", prefix); 321} 322 323static void policy4_print(const void *ip, const struct xt_entry_match *match, 324 int numeric) 325{ 326 const struct xt_policy_info *info = (void *)match->data; 327 unsigned int i; 328 329 printf(" policy match"); 330 print_flags("", info); 331 for (i = 0; i < info->len; i++) { 332 if (info->len > 1) 333 printf(" [%u]", i); 334 print_entry("", &info->pol[i], numeric, NFPROTO_IPV4); 335 } 336} 337 338static void policy6_print(const void *ip, const struct xt_entry_match *match, 339 int numeric) 340{ 341 const struct xt_policy_info *info = (void *)match->data; 342 unsigned int i; 343 344 printf(" policy match"); 345 print_flags("", info); 346 for (i = 0; i < info->len; i++) { 347 if (info->len > 1) 348 printf(" [%u]", i); 349 print_entry("", &info->pol[i], numeric, NFPROTO_IPV6); 350 } 351} 352 353static void policy4_save(const void *ip, const struct xt_entry_match *match) 354{ 355 const struct xt_policy_info *info = (void *)match->data; 356 unsigned int i; 357 358 print_flags("--", info); 359 for (i = 0; i < info->len; i++) { 360 print_entry("--", &info->pol[i], false, NFPROTO_IPV4); 361 if (i + 1 < info->len) 362 printf(" --next"); 363 } 364} 365 366static void policy6_save(const void *ip, const struct xt_entry_match *match) 367{ 368 const struct xt_policy_info *info = (void *)match->data; 369 unsigned int i; 370 371 print_flags("--", info); 372 for (i = 0; i < info->len; i++) { 373 print_entry("--", &info->pol[i], false, NFPROTO_IPV6); 374 if (i + 1 < info->len) 375 printf(" --next"); 376 } 377} 378 379static struct xtables_match policy_mt_reg[] = { 380 { 381 .name = "policy", 382 .version = XTABLES_VERSION, 383 .family = NFPROTO_IPV4, 384 .size = XT_ALIGN(sizeof(struct xt_policy_info)), 385 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), 386 .help = policy_help, 387 .x6_parse = policy_parse, 388 .x6_fcheck = policy_check, 389 .print = policy4_print, 390 .save = policy4_save, 391 .x6_options = policy_opts, 392 }, 393 { 394 .name = "policy", 395 .version = XTABLES_VERSION, 396 .family = NFPROTO_IPV6, 397 .size = XT_ALIGN(sizeof(struct xt_policy_info)), 398 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), 399 .help = policy_help, 400 .x6_parse = policy_parse, 401 .x6_fcheck = policy_check, 402 .print = policy6_print, 403 .save = policy6_save, 404 .x6_options = policy_opts, 405 }, 406}; 407 408void _init(void) 409{ 410 xtables_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg)); 411} 412