libxt_policy.c revision d441ad6a68c5d65344449962f4648d297d453b6c 
1#include <stdbool.h>
2#include <stdint.h>
3#include <stdio.h>
4#include <string.h>
5#include <netdb.h>
6#include <xtables.h>
7#include <linux/netfilter/xt_policy.h>
8
9enum {
10	O_DIRECTION = 0,
11	O_POLICY,
12	O_STRICT,
13	O_REQID,
14	O_SPI,
15	O_PROTO,
16	O_MODE,
17	O_TUNNELSRC,
18	O_TUNNELDST,
19	O_NEXT
20};
21
22static void policy_help(void)
23{
24	printf(
25"policy match options:\n"
26"  --dir in|out			match policy applied during decapsulation/\n"
27"				policy to be applied during encapsulation\n"
28"  --pol none|ipsec		match policy\n"
29"  --strict 			match entire policy instead of single element\n"
30"				at any position\n"
31"[!] --reqid reqid		match reqid\n"
32"[!] --spi spi			match SPI\n"
33"[!] --proto proto		match protocol (ah/esp/ipcomp)\n"
34"[!] --mode mode 		match mode (transport/tunnel)\n"
35"[!] --tunnel-src addr/mask	match tunnel source\n"
36"[!] --tunnel-dst addr/mask	match tunnel destination\n"
37"  --next 			begin next element in policy\n");
38}
39
40static const struct xt_option_entry policy_opts[] = {
41	{.name = "dir", .id = O_DIRECTION, .type = XTTYPE_STRING,
42	 .flags = XTOPT_INVERT},
43	{.name = "pol", .id = O_POLICY, .type = XTTYPE_STRING},
44	{.name = "strict", .id = O_STRICT, .type = XTTYPE_NONE},
45	{.name = "reqid", .id = O_REQID, .type = XTTYPE_UINT32},
46	{.name = "spi", .id = O_SPI, .type = XTTYPE_UINT32},
47	{.name = "tunnel-src", .id = O_TUNNELSRC, .type = XTTYPE_HOSTMASK},
48	{.name = "tunnel-dst", .id = O_TUNNELDST, .type = XTTYPE_HOSTMASK},
49	{.name = "proto", .id = O_PROTO, .type = XTTYPE_STRING},
50	{.name = "mode", .id = O_MODE, .type = XTTYPE_STRING},
51	{.name = "next", .id = O_NEXT, .type = XTTYPE_NONE},
52	XTOPT_TABLEEND,
53};
54
55static int parse_direction(const char *s)
56{
57	if (strcmp(s, "in") == 0)
58		return XT_POLICY_MATCH_IN;
59	if (strcmp(s, "out") == 0)
60		return XT_POLICY_MATCH_OUT;
61	xtables_error(PARAMETER_PROBLEM, "policy_match: invalid dir \"%s\"", s);
62}
63
64static int parse_policy(const char *s)
65{
66	if (strcmp(s, "none") == 0)
67		return XT_POLICY_MATCH_NONE;
68	if (strcmp(s, "ipsec") == 0)
69		return 0;
70	xtables_error(PARAMETER_PROBLEM, "policy match: invalid policy \"%s\"", s);
71}
72
73static int parse_mode(const char *s)
74{
75	if (strcmp(s, "transport") == 0)
76		return XT_POLICY_MODE_TRANSPORT;
77	if (strcmp(s, "tunnel") == 0)
78		return XT_POLICY_MODE_TUNNEL;
79	xtables_error(PARAMETER_PROBLEM, "policy match: invalid mode \"%s\"", s);
80}
81
82static void policy_parse(struct xt_option_call *cb)
83{
84	struct xt_policy_info *info = cb->data;
85	struct xt_policy_elem *e = &info->pol[info->len];
86
87	xtables_option_parse(cb);
88	switch (cb->entry->id) {
89	case O_DIRECTION:
90		info->flags |= parse_direction(cb->arg);
91		break;
92	case O_POLICY:
93		info->flags |= parse_policy(cb->arg);
94		break;
95	case O_STRICT:
96		info->flags |= XT_POLICY_MATCH_STRICT;
97		break;
98	case O_REQID:
99		if (e->match.reqid)
100			xtables_error(PARAMETER_PROBLEM,
101			           "policy match: double --reqid option");
102		e->match.reqid = 1;
103		e->invert.reqid = cb->invert;
104		e->reqid = cb->val.u32;
105		break;
106	case O_SPI:
107		if (e->match.spi)
108			xtables_error(PARAMETER_PROBLEM,
109			           "policy match: double --spi option");
110		e->match.spi = 1;
111		e->invert.spi = cb->invert;
112		e->spi = cb->val.u32;
113		break;
114	case O_TUNNELSRC:
115		if (e->match.saddr)
116			xtables_error(PARAMETER_PROBLEM,
117			           "policy match: double --tunnel-src option");
118
119		e->match.saddr = 1;
120		e->invert.saddr = cb->invert;
121		memcpy(&e->saddr, &cb->val.haddr, sizeof(cb->val.haddr));
122		memcpy(&e->smask, &cb->val.hmask, sizeof(cb->val.hmask));
123                break;
124	case O_TUNNELDST:
125		if (e->match.daddr)
126			xtables_error(PARAMETER_PROBLEM,
127			           "policy match: double --tunnel-dst option");
128		e->match.daddr = 1;
129		e->invert.daddr = cb->invert;
130		memcpy(&e->daddr, &cb->val.haddr, sizeof(cb->val.haddr));
131		memcpy(&e->dmask, &cb->val.hmask, sizeof(cb->val.hmask));
132		break;
133	case O_PROTO:
134		if (e->match.proto)
135			xtables_error(PARAMETER_PROBLEM,
136			           "policy match: double --proto option");
137		e->proto = xtables_parse_protocol(cb->arg);
138		if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
139		    e->proto != IPPROTO_COMP)
140			xtables_error(PARAMETER_PROBLEM,
141			           "policy match: protocol must be ah/esp/ipcomp");
142		e->match.proto = 1;
143		e->invert.proto = cb->invert;
144		break;
145	case O_MODE:
146		if (e->match.mode)
147			xtables_error(PARAMETER_PROBLEM,
148			           "policy match: double --mode option");
149		e->match.mode = 1;
150		e->invert.mode = cb->invert;
151		e->mode = parse_mode(cb->arg);
152		break;
153	case O_NEXT:
154		if (++info->len == XT_POLICY_MAX_ELEM)
155			xtables_error(PARAMETER_PROBLEM,
156			           "policy match: maximum policy depth reached");
157		break;
158	}
159}
160
161static void policy_check(struct xt_fcheck_call *cb)
162{
163	struct xt_policy_info *info = cb->data;
164	const struct xt_policy_elem *e;
165	int i;
166
167	/*
168	 * The old "no parameters given" check is carried out
169	 * by testing for --dir.
170	 */
171	if (!(info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT)))
172		xtables_error(PARAMETER_PROBLEM,
173		           "policy match: neither --dir in nor --dir out specified");
174
175	if (info->flags & XT_POLICY_MATCH_NONE) {
176		if (info->flags & XT_POLICY_MATCH_STRICT)
177			xtables_error(PARAMETER_PROBLEM,
178			           "policy match: policy none but --strict given");
179
180		if (info->len != 0)
181			xtables_error(PARAMETER_PROBLEM,
182			           "policy match: policy none but policy given");
183	} else
184		info->len++;	/* increase len by 1, no --next after last element */
185
186	if (!(info->flags & XT_POLICY_MATCH_STRICT) && info->len > 1)
187		xtables_error(PARAMETER_PROBLEM,
188		           "policy match: multiple elements but no --strict");
189
190	for (i = 0; i < info->len; i++) {
191		e = &info->pol[i];
192
193		if (info->flags & XT_POLICY_MATCH_STRICT &&
194		    !(e->match.reqid || e->match.spi || e->match.saddr ||
195		      e->match.daddr || e->match.proto || e->match.mode))
196			xtables_error(PARAMETER_PROBLEM,
197			           "policy match: empty policy element");
198
199		if ((e->match.saddr || e->match.daddr)
200		    && ((e->mode == XT_POLICY_MODE_TUNNEL && e->invert.mode) ||
201		        (e->mode == XT_POLICY_MODE_TRANSPORT && !e->invert.mode)))
202			xtables_error(PARAMETER_PROBLEM,
203			           "policy match: --tunnel-src/--tunnel-dst "
204			           "is only valid in tunnel mode");
205	}
206}
207
208static void print_mode(const char *prefix, uint8_t mode, int numeric)
209{
210	printf(" %smode ", prefix);
211
212	switch (mode) {
213	case XT_POLICY_MODE_TRANSPORT:
214		printf("transport");
215		break;
216	case XT_POLICY_MODE_TUNNEL:
217		printf("tunnel");
218		break;
219	default:
220		printf("???");
221		break;
222	}
223}
224
225static void print_proto(const char *prefix, uint8_t proto, int numeric)
226{
227	const struct protoent *p = NULL;
228
229	printf(" %sproto ", prefix);
230	if (!numeric)
231		p = getprotobynumber(proto);
232	if (p != NULL)
233		printf("%s", p->p_name);
234	else
235		printf("%u", proto);
236}
237
238#define PRINT_INVERT(x)		\
239do {				\
240	if (x)			\
241		printf(" !");	\
242} while(0)
243
244static void print_entry(const char *prefix, const struct xt_policy_elem *e,
245                        bool numeric, uint8_t family)
246{
247	if (e->match.reqid) {
248		PRINT_INVERT(e->invert.reqid);
249		printf(" %sreqid %u", prefix, e->reqid);
250	}
251	if (e->match.spi) {
252		PRINT_INVERT(e->invert.spi);
253		printf(" %sspi 0x%x", prefix, e->spi);
254	}
255	if (e->match.proto) {
256		PRINT_INVERT(e->invert.proto);
257		print_proto(prefix, e->proto, numeric);
258	}
259	if (e->match.mode) {
260		PRINT_INVERT(e->invert.mode);
261		print_mode(prefix, e->mode, numeric);
262	}
263	if (e->match.daddr) {
264		PRINT_INVERT(e->invert.daddr);
265		if (family == NFPROTO_IPV6)
266			printf(" %stunnel-dst %s%s", prefix,
267			       xtables_ip6addr_to_numeric(&e->daddr.a6),
268			       xtables_ip6mask_to_numeric(&e->dmask.a6));
269		else
270			printf(" %stunnel-dst %s%s", prefix,
271			       xtables_ipaddr_to_numeric(&e->daddr.a4),
272			       xtables_ipmask_to_numeric(&e->dmask.a4));
273	}
274	if (e->match.saddr) {
275		PRINT_INVERT(e->invert.saddr);
276		if (family == NFPROTO_IPV6)
277			printf(" %stunnel-src %s%s", prefix,
278			       xtables_ip6addr_to_numeric(&e->saddr.a6),
279			       xtables_ip6mask_to_numeric(&e->smask.a6));
280		else
281			printf(" %stunnel-src %s%s", prefix,
282			       xtables_ipaddr_to_numeric(&e->saddr.a4),
283			       xtables_ipmask_to_numeric(&e->smask.a4));
284	}
285}
286
287static void print_flags(const char *prefix, const struct xt_policy_info *info)
288{
289	if (info->flags & XT_POLICY_MATCH_IN)
290		printf(" %sdir in", prefix);
291	else
292		printf(" %sdir out", prefix);
293
294	if (info->flags & XT_POLICY_MATCH_NONE)
295		printf(" %spol none", prefix);
296	else
297		printf(" %spol ipsec", prefix);
298
299	if (info->flags & XT_POLICY_MATCH_STRICT)
300		printf(" %sstrict", prefix);
301}
302
303static void policy4_print(const void *ip, const struct xt_entry_match *match,
304                          int numeric)
305{
306	const struct xt_policy_info *info = (void *)match->data;
307	unsigned int i;
308
309	printf(" policy match");
310	print_flags("", info);
311	for (i = 0; i < info->len; i++) {
312		if (info->len > 1)
313			printf(" [%u]", i);
314		print_entry("", &info->pol[i], numeric, NFPROTO_IPV4);
315	}
316}
317
318static void policy6_print(const void *ip, const struct xt_entry_match *match,
319                          int numeric)
320{
321	const struct xt_policy_info *info = (void *)match->data;
322	unsigned int i;
323
324	printf(" policy match");
325	print_flags("", info);
326	for (i = 0; i < info->len; i++) {
327		if (info->len > 1)
328			printf(" [%u]", i);
329		print_entry("", &info->pol[i], numeric, NFPROTO_IPV6);
330	}
331}
332
333static void policy4_save(const void *ip, const struct xt_entry_match *match)
334{
335	const struct xt_policy_info *info = (void *)match->data;
336	unsigned int i;
337
338	print_flags("--", info);
339	for (i = 0; i < info->len; i++) {
340		print_entry("--", &info->pol[i], false, NFPROTO_IPV4);
341		if (i + 1 < info->len)
342			printf(" --next");
343	}
344}
345
346static void policy6_save(const void *ip, const struct xt_entry_match *match)
347{
348	const struct xt_policy_info *info = (void *)match->data;
349	unsigned int i;
350
351	print_flags("--", info);
352	for (i = 0; i < info->len; i++) {
353		print_entry("--", &info->pol[i], false, NFPROTO_IPV6);
354		if (i + 1 < info->len)
355			printf(" --next");
356	}
357}
358
359static struct xtables_match policy_mt_reg[] = {
360	{
361		.name          = "policy",
362		.version       = XTABLES_VERSION,
363		.family        = NFPROTO_IPV4,
364		.size          = XT_ALIGN(sizeof(struct xt_policy_info)),
365		.userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
366		.help          = policy_help,
367		.x6_parse      = policy_parse,
368		.x6_fcheck     = policy_check,
369		.print         = policy4_print,
370		.save          = policy4_save,
371		.x6_options    = policy_opts,
372	},
373	{
374		.name          = "policy",
375		.version       = XTABLES_VERSION,
376		.family        = NFPROTO_IPV6,
377		.size          = XT_ALIGN(sizeof(struct xt_policy_info)),
378		.userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
379		.help          = policy_help,
380		.x6_parse      = policy_parse,
381		.x6_fcheck     = policy_check,
382		.print         = policy6_print,
383		.save          = policy6_save,
384		.x6_options    = policy_opts,
385	},
386};
387
388void _init(void)
389{
390	xtables_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg));
391}
392