libxt_policy.c revision d441ad6a68c5d65344449962f4648d297d453b6c
1#include <stdbool.h> 2#include <stdint.h> 3#include <stdio.h> 4#include <string.h> 5#include <netdb.h> 6#include <xtables.h> 7#include <linux/netfilter/xt_policy.h> 8 9enum { 10 O_DIRECTION = 0, 11 O_POLICY, 12 O_STRICT, 13 O_REQID, 14 O_SPI, 15 O_PROTO, 16 O_MODE, 17 O_TUNNELSRC, 18 O_TUNNELDST, 19 O_NEXT 20}; 21 22static void policy_help(void) 23{ 24 printf( 25"policy match options:\n" 26" --dir in|out match policy applied during decapsulation/\n" 27" policy to be applied during encapsulation\n" 28" --pol none|ipsec match policy\n" 29" --strict match entire policy instead of single element\n" 30" at any position\n" 31"[!] --reqid reqid match reqid\n" 32"[!] --spi spi match SPI\n" 33"[!] --proto proto match protocol (ah/esp/ipcomp)\n" 34"[!] --mode mode match mode (transport/tunnel)\n" 35"[!] --tunnel-src addr/mask match tunnel source\n" 36"[!] --tunnel-dst addr/mask match tunnel destination\n" 37" --next begin next element in policy\n"); 38} 39 40static const struct xt_option_entry policy_opts[] = { 41 {.name = "dir", .id = O_DIRECTION, .type = XTTYPE_STRING, 42 .flags = XTOPT_INVERT}, 43 {.name = "pol", .id = O_POLICY, .type = XTTYPE_STRING}, 44 {.name = "strict", .id = O_STRICT, .type = XTTYPE_NONE}, 45 {.name = "reqid", .id = O_REQID, .type = XTTYPE_UINT32}, 46 {.name = "spi", .id = O_SPI, .type = XTTYPE_UINT32}, 47 {.name = "tunnel-src", .id = O_TUNNELSRC, .type = XTTYPE_HOSTMASK}, 48 {.name = "tunnel-dst", .id = O_TUNNELDST, .type = XTTYPE_HOSTMASK}, 49 {.name = "proto", .id = O_PROTO, .type = XTTYPE_STRING}, 50 {.name = "mode", .id = O_MODE, .type = XTTYPE_STRING}, 51 {.name = "next", .id = O_NEXT, .type = XTTYPE_NONE}, 52 XTOPT_TABLEEND, 53}; 54 55static int parse_direction(const char *s) 56{ 57 if (strcmp(s, "in") == 0) 58 return XT_POLICY_MATCH_IN; 59 if (strcmp(s, "out") == 0) 60 return XT_POLICY_MATCH_OUT; 61 xtables_error(PARAMETER_PROBLEM, "policy_match: invalid dir \"%s\"", s); 62} 63 64static int parse_policy(const char *s) 65{ 66 if (strcmp(s, "none") == 0) 67 return XT_POLICY_MATCH_NONE; 68 if (strcmp(s, "ipsec") == 0) 69 return 0; 70 xtables_error(PARAMETER_PROBLEM, "policy match: invalid policy \"%s\"", s); 71} 72 73static int parse_mode(const char *s) 74{ 75 if (strcmp(s, "transport") == 0) 76 return XT_POLICY_MODE_TRANSPORT; 77 if (strcmp(s, "tunnel") == 0) 78 return XT_POLICY_MODE_TUNNEL; 79 xtables_error(PARAMETER_PROBLEM, "policy match: invalid mode \"%s\"", s); 80} 81 82static void policy_parse(struct xt_option_call *cb) 83{ 84 struct xt_policy_info *info = cb->data; 85 struct xt_policy_elem *e = &info->pol[info->len]; 86 87 xtables_option_parse(cb); 88 switch (cb->entry->id) { 89 case O_DIRECTION: 90 info->flags |= parse_direction(cb->arg); 91 break; 92 case O_POLICY: 93 info->flags |= parse_policy(cb->arg); 94 break; 95 case O_STRICT: 96 info->flags |= XT_POLICY_MATCH_STRICT; 97 break; 98 case O_REQID: 99 if (e->match.reqid) 100 xtables_error(PARAMETER_PROBLEM, 101 "policy match: double --reqid option"); 102 e->match.reqid = 1; 103 e->invert.reqid = cb->invert; 104 e->reqid = cb->val.u32; 105 break; 106 case O_SPI: 107 if (e->match.spi) 108 xtables_error(PARAMETER_PROBLEM, 109 "policy match: double --spi option"); 110 e->match.spi = 1; 111 e->invert.spi = cb->invert; 112 e->spi = cb->val.u32; 113 break; 114 case O_TUNNELSRC: 115 if (e->match.saddr) 116 xtables_error(PARAMETER_PROBLEM, 117 "policy match: double --tunnel-src option"); 118 119 e->match.saddr = 1; 120 e->invert.saddr = cb->invert; 121 memcpy(&e->saddr, &cb->val.haddr, sizeof(cb->val.haddr)); 122 memcpy(&e->smask, &cb->val.hmask, sizeof(cb->val.hmask)); 123 break; 124 case O_TUNNELDST: 125 if (e->match.daddr) 126 xtables_error(PARAMETER_PROBLEM, 127 "policy match: double --tunnel-dst option"); 128 e->match.daddr = 1; 129 e->invert.daddr = cb->invert; 130 memcpy(&e->daddr, &cb->val.haddr, sizeof(cb->val.haddr)); 131 memcpy(&e->dmask, &cb->val.hmask, sizeof(cb->val.hmask)); 132 break; 133 case O_PROTO: 134 if (e->match.proto) 135 xtables_error(PARAMETER_PROBLEM, 136 "policy match: double --proto option"); 137 e->proto = xtables_parse_protocol(cb->arg); 138 if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP && 139 e->proto != IPPROTO_COMP) 140 xtables_error(PARAMETER_PROBLEM, 141 "policy match: protocol must be ah/esp/ipcomp"); 142 e->match.proto = 1; 143 e->invert.proto = cb->invert; 144 break; 145 case O_MODE: 146 if (e->match.mode) 147 xtables_error(PARAMETER_PROBLEM, 148 "policy match: double --mode option"); 149 e->match.mode = 1; 150 e->invert.mode = cb->invert; 151 e->mode = parse_mode(cb->arg); 152 break; 153 case O_NEXT: 154 if (++info->len == XT_POLICY_MAX_ELEM) 155 xtables_error(PARAMETER_PROBLEM, 156 "policy match: maximum policy depth reached"); 157 break; 158 } 159} 160 161static void policy_check(struct xt_fcheck_call *cb) 162{ 163 struct xt_policy_info *info = cb->data; 164 const struct xt_policy_elem *e; 165 int i; 166 167 /* 168 * The old "no parameters given" check is carried out 169 * by testing for --dir. 170 */ 171 if (!(info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT))) 172 xtables_error(PARAMETER_PROBLEM, 173 "policy match: neither --dir in nor --dir out specified"); 174 175 if (info->flags & XT_POLICY_MATCH_NONE) { 176 if (info->flags & XT_POLICY_MATCH_STRICT) 177 xtables_error(PARAMETER_PROBLEM, 178 "policy match: policy none but --strict given"); 179 180 if (info->len != 0) 181 xtables_error(PARAMETER_PROBLEM, 182 "policy match: policy none but policy given"); 183 } else 184 info->len++; /* increase len by 1, no --next after last element */ 185 186 if (!(info->flags & XT_POLICY_MATCH_STRICT) && info->len > 1) 187 xtables_error(PARAMETER_PROBLEM, 188 "policy match: multiple elements but no --strict"); 189 190 for (i = 0; i < info->len; i++) { 191 e = &info->pol[i]; 192 193 if (info->flags & XT_POLICY_MATCH_STRICT && 194 !(e->match.reqid || e->match.spi || e->match.saddr || 195 e->match.daddr || e->match.proto || e->match.mode)) 196 xtables_error(PARAMETER_PROBLEM, 197 "policy match: empty policy element"); 198 199 if ((e->match.saddr || e->match.daddr) 200 && ((e->mode == XT_POLICY_MODE_TUNNEL && e->invert.mode) || 201 (e->mode == XT_POLICY_MODE_TRANSPORT && !e->invert.mode))) 202 xtables_error(PARAMETER_PROBLEM, 203 "policy match: --tunnel-src/--tunnel-dst " 204 "is only valid in tunnel mode"); 205 } 206} 207 208static void print_mode(const char *prefix, uint8_t mode, int numeric) 209{ 210 printf(" %smode ", prefix); 211 212 switch (mode) { 213 case XT_POLICY_MODE_TRANSPORT: 214 printf("transport"); 215 break; 216 case XT_POLICY_MODE_TUNNEL: 217 printf("tunnel"); 218 break; 219 default: 220 printf("???"); 221 break; 222 } 223} 224 225static void print_proto(const char *prefix, uint8_t proto, int numeric) 226{ 227 const struct protoent *p = NULL; 228 229 printf(" %sproto ", prefix); 230 if (!numeric) 231 p = getprotobynumber(proto); 232 if (p != NULL) 233 printf("%s", p->p_name); 234 else 235 printf("%u", proto); 236} 237 238#define PRINT_INVERT(x) \ 239do { \ 240 if (x) \ 241 printf(" !"); \ 242} while(0) 243 244static void print_entry(const char *prefix, const struct xt_policy_elem *e, 245 bool numeric, uint8_t family) 246{ 247 if (e->match.reqid) { 248 PRINT_INVERT(e->invert.reqid); 249 printf(" %sreqid %u", prefix, e->reqid); 250 } 251 if (e->match.spi) { 252 PRINT_INVERT(e->invert.spi); 253 printf(" %sspi 0x%x", prefix, e->spi); 254 } 255 if (e->match.proto) { 256 PRINT_INVERT(e->invert.proto); 257 print_proto(prefix, e->proto, numeric); 258 } 259 if (e->match.mode) { 260 PRINT_INVERT(e->invert.mode); 261 print_mode(prefix, e->mode, numeric); 262 } 263 if (e->match.daddr) { 264 PRINT_INVERT(e->invert.daddr); 265 if (family == NFPROTO_IPV6) 266 printf(" %stunnel-dst %s%s", prefix, 267 xtables_ip6addr_to_numeric(&e->daddr.a6), 268 xtables_ip6mask_to_numeric(&e->dmask.a6)); 269 else 270 printf(" %stunnel-dst %s%s", prefix, 271 xtables_ipaddr_to_numeric(&e->daddr.a4), 272 xtables_ipmask_to_numeric(&e->dmask.a4)); 273 } 274 if (e->match.saddr) { 275 PRINT_INVERT(e->invert.saddr); 276 if (family == NFPROTO_IPV6) 277 printf(" %stunnel-src %s%s", prefix, 278 xtables_ip6addr_to_numeric(&e->saddr.a6), 279 xtables_ip6mask_to_numeric(&e->smask.a6)); 280 else 281 printf(" %stunnel-src %s%s", prefix, 282 xtables_ipaddr_to_numeric(&e->saddr.a4), 283 xtables_ipmask_to_numeric(&e->smask.a4)); 284 } 285} 286 287static void print_flags(const char *prefix, const struct xt_policy_info *info) 288{ 289 if (info->flags & XT_POLICY_MATCH_IN) 290 printf(" %sdir in", prefix); 291 else 292 printf(" %sdir out", prefix); 293 294 if (info->flags & XT_POLICY_MATCH_NONE) 295 printf(" %spol none", prefix); 296 else 297 printf(" %spol ipsec", prefix); 298 299 if (info->flags & XT_POLICY_MATCH_STRICT) 300 printf(" %sstrict", prefix); 301} 302 303static void policy4_print(const void *ip, const struct xt_entry_match *match, 304 int numeric) 305{ 306 const struct xt_policy_info *info = (void *)match->data; 307 unsigned int i; 308 309 printf(" policy match"); 310 print_flags("", info); 311 for (i = 0; i < info->len; i++) { 312 if (info->len > 1) 313 printf(" [%u]", i); 314 print_entry("", &info->pol[i], numeric, NFPROTO_IPV4); 315 } 316} 317 318static void policy6_print(const void *ip, const struct xt_entry_match *match, 319 int numeric) 320{ 321 const struct xt_policy_info *info = (void *)match->data; 322 unsigned int i; 323 324 printf(" policy match"); 325 print_flags("", info); 326 for (i = 0; i < info->len; i++) { 327 if (info->len > 1) 328 printf(" [%u]", i); 329 print_entry("", &info->pol[i], numeric, NFPROTO_IPV6); 330 } 331} 332 333static void policy4_save(const void *ip, const struct xt_entry_match *match) 334{ 335 const struct xt_policy_info *info = (void *)match->data; 336 unsigned int i; 337 338 print_flags("--", info); 339 for (i = 0; i < info->len; i++) { 340 print_entry("--", &info->pol[i], false, NFPROTO_IPV4); 341 if (i + 1 < info->len) 342 printf(" --next"); 343 } 344} 345 346static void policy6_save(const void *ip, const struct xt_entry_match *match) 347{ 348 const struct xt_policy_info *info = (void *)match->data; 349 unsigned int i; 350 351 print_flags("--", info); 352 for (i = 0; i < info->len; i++) { 353 print_entry("--", &info->pol[i], false, NFPROTO_IPV6); 354 if (i + 1 < info->len) 355 printf(" --next"); 356 } 357} 358 359static struct xtables_match policy_mt_reg[] = { 360 { 361 .name = "policy", 362 .version = XTABLES_VERSION, 363 .family = NFPROTO_IPV4, 364 .size = XT_ALIGN(sizeof(struct xt_policy_info)), 365 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), 366 .help = policy_help, 367 .x6_parse = policy_parse, 368 .x6_fcheck = policy_check, 369 .print = policy4_print, 370 .save = policy4_save, 371 .x6_options = policy_opts, 372 }, 373 { 374 .name = "policy", 375 .version = XTABLES_VERSION, 376 .family = NFPROTO_IPV6, 377 .size = XT_ALIGN(sizeof(struct xt_policy_info)), 378 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), 379 .help = policy_help, 380 .x6_parse = policy_parse, 381 .x6_fcheck = policy_check, 382 .print = policy6_print, 383 .save = policy6_save, 384 .x6_options = policy_opts, 385 }, 386}; 387 388void _init(void) 389{ 390 xtables_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg)); 391} 392