libxt_sctp.c revision 73866357e4a7a0fdc1b293bf8863fee2bd56da9e
15821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)/* Shared library add-on to iptables for SCTP matching 25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * (C) 2003 by Harald Welte <laforge@gnumonks.org> 45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 55821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * This program is distributed under the terms of GNU GPL v2, 1991 65821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 75821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * libipt_ecn.c borrowed heavily from libipt_dscp.c 85821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) * 95821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) */ 105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <stdbool.h> 115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <stdio.h> 125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <string.h> 135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <stdlib.h> 142a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#include <getopt.h> 155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <netdb.h> 16f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles)#include <ctype.h> 175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <netinet/in.h> 195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <xtables.h> 202a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 212a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#include <linux/netfilter/xt_sctp.h> 225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 23f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles)#if 0 24f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles)#define DEBUGP(format, first...) printf(format, ##first) 25f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles)#define static 26f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles)#else 275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define DEBUGP(format, fist...) 282a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#endif 295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)static void 315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)print_chunk(uint32_t chunknum, int numeric); 32a3f6a49ab37290eeeb8db0f41ec0f1cb74a68be7Torne (Richard Coles) 33a3f6a49ab37290eeeb8db0f41ec0f1cb74a68be7Torne (Richard Coles)static void sctp_init(struct xt_entry_match *m) 34a3f6a49ab37290eeeb8db0f41ec0f1cb74a68be7Torne (Richard Coles){ 355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int i; 365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) struct xt_sctp_info *einfo = (struct xt_sctp_info *)m->data; 375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) memset(einfo, 0, sizeof(struct xt_sctp_info)); 395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) for (i = 0; i < XT_NUM_SCTP_FLAGS; i++) { 415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) einfo->flag_info[i].chunktype = -1; 422a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) } 435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)static void sctp_help(void) 465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles){ 475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) printf( 485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)"sctp match options\n" 495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)"[!] --source-port port[:port] match source port(s)\n" 505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)" --sport ...\n" 515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)"[!] --destination-port port[:port] match destination port(s)\n" 525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)" --dport ...\n" 535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)"[!] --chunk-types (all|any|none) (chunktype[:flags])+ match if all, any or none of\n" 545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)" chunktypes are present\n" 555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN ALL NONE\n"); 565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)static const struct option sctp_opts[] = { 595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) {.name = "source-port", .has_arg = true, .val = '1'}, 605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) {.name = "sport", .has_arg = true, .val = '1'}, 615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) {.name = "destination-port", .has_arg = true, .val = '2'}, 625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) {.name = "dport", .has_arg = true, .val = '2'}, 635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) {.name = "chunk-types", .has_arg = true, .val = '3'}, 645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) XT_GETOPT_TABLEEND, 655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)static void 685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)parse_sctp_ports(const char *portstring, 695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) uint16_t *ports) 705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles){ 71 char *buffer; 72 char *cp; 73 74 buffer = strdup(portstring); 75 DEBUGP("%s\n", portstring); 76 if ((cp = strchr(buffer, ':')) == NULL) { 77 ports[0] = ports[1] = xtables_parse_port(buffer, "sctp"); 78 } 79 else { 80 *cp = '\0'; 81 cp++; 82 83 ports[0] = buffer[0] ? xtables_parse_port(buffer, "sctp") : 0; 84 ports[1] = cp[0] ? xtables_parse_port(cp, "sctp") : 0xFFFF; 85 86 if (ports[0] > ports[1]) 87 xtables_error(PARAMETER_PROBLEM, 88 "invalid portrange (min > max)"); 89 } 90 free(buffer); 91} 92 93struct sctp_chunk_names { 94 const char *name; 95 unsigned int chunk_type; 96 const char *valid_flags; 97}; 98 99/*'ALL' and 'NONE' will be treated specially. */ 100static const struct sctp_chunk_names sctp_chunk_names[] 101= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE"}, 102 { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"}, 103 { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"}, 104 { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"}, 105 { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"}, 106 { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"}, 107 { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"}, 108 { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"}, 109 { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"}, 110 { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"}, 111 { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"}, 112 { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"}, 113 { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"}, 114 { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"}, 115 { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"}, 116 { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"}, 117 { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"}, 118 { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------"}, 119}; 120 121static void 122save_chunk_flag_info(struct xt_sctp_flag_info *flag_info, 123 int *flag_count, 124 int chunktype, 125 int bit, 126 int set) 127{ 128 int i; 129 130 for (i = 0; i < *flag_count; i++) { 131 if (flag_info[i].chunktype == chunktype) { 132 DEBUGP("Previous match found\n"); 133 flag_info[i].chunktype = chunktype; 134 flag_info[i].flag_mask |= (1 << bit); 135 if (set) { 136 flag_info[i].flag |= (1 << bit); 137 } 138 139 return; 140 } 141 } 142 143 if (*flag_count == XT_NUM_SCTP_FLAGS) { 144 xtables_error (PARAMETER_PROBLEM, 145 "Number of chunk types with flags exceeds currently allowed limit." 146 "Increasing this limit involves changing IPT_NUM_SCTP_FLAGS and" 147 "recompiling both the kernel space and user space modules\n"); 148 } 149 150 flag_info[*flag_count].chunktype = chunktype; 151 flag_info[*flag_count].flag_mask |= (1 << bit); 152 if (set) { 153 flag_info[*flag_count].flag |= (1 << bit); 154 } 155 (*flag_count)++; 156} 157 158static void 159parse_sctp_chunk(struct xt_sctp_info *einfo, 160 const char *chunks) 161{ 162 char *ptr; 163 char *buffer; 164 unsigned int i, j; 165 int found = 0; 166 char *chunk_flags; 167 168 buffer = strdup(chunks); 169 DEBUGP("Buffer: %s\n", buffer); 170 171 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 172 173 if (!strcasecmp(buffer, "ALL")) { 174 SCTP_CHUNKMAP_SET_ALL(einfo->chunkmap); 175 goto out; 176 } 177 178 if (!strcasecmp(buffer, "NONE")) { 179 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 180 goto out; 181 } 182 183 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) { 184 found = 0; 185 DEBUGP("Next Chunk type %s\n", ptr); 186 187 if ((chunk_flags = strchr(ptr, ':')) != NULL) { 188 *chunk_flags++ = 0; 189 } 190 191 for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) 192 if (strcasecmp(sctp_chunk_names[i].name, ptr) == 0) { 193 DEBUGP("Chunk num %d\n", sctp_chunk_names[i].chunk_type); 194 SCTP_CHUNKMAP_SET(einfo->chunkmap, 195 sctp_chunk_names[i].chunk_type); 196 found = 1; 197 break; 198 } 199 if (!found) 200 xtables_error(PARAMETER_PROBLEM, 201 "Unknown sctp chunk `%s'", ptr); 202 203 if (chunk_flags) { 204 DEBUGP("Chunk flags %s\n", chunk_flags); 205 for (j = 0; j < strlen(chunk_flags); j++) { 206 char *p; 207 int bit; 208 209 if ((p = strchr(sctp_chunk_names[i].valid_flags, 210 toupper(chunk_flags[j]))) != NULL) { 211 bit = p - sctp_chunk_names[i].valid_flags; 212 bit = 7 - bit; 213 214 save_chunk_flag_info(einfo->flag_info, 215 &(einfo->flag_count), i, bit, 216 isupper(chunk_flags[j])); 217 } else { 218 xtables_error(PARAMETER_PROBLEM, 219 "Invalid flags for chunk type %d\n", i); 220 } 221 } 222 } 223 } 224out: 225 free(buffer); 226} 227 228static void 229parse_sctp_chunks(struct xt_sctp_info *einfo, 230 const char *match_type, 231 const char *chunks) 232{ 233 DEBUGP("Match type: %s Chunks: %s\n", match_type, chunks); 234 if (!strcasecmp(match_type, "ANY")) { 235 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ANY; 236 } else if (!strcasecmp(match_type, "ALL")) { 237 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ALL; 238 } else if (!strcasecmp(match_type, "ONLY")) { 239 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ONLY; 240 } else { 241 xtables_error (PARAMETER_PROBLEM, 242 "Match type has to be one of \"ALL\", \"ANY\" or \"ONLY\""); 243 } 244 245 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 246 parse_sctp_chunk(einfo, chunks); 247} 248 249static int 250sctp_parse(int c, char **argv, int invert, unsigned int *flags, 251 const void *entry, struct xt_entry_match **match) 252{ 253 struct xt_sctp_info *einfo 254 = (struct xt_sctp_info *)(*match)->data; 255 256 switch (c) { 257 case '1': 258 if (*flags & XT_SCTP_SRC_PORTS) 259 xtables_error(PARAMETER_PROBLEM, 260 "Only one `--source-port' allowed"); 261 einfo->flags |= XT_SCTP_SRC_PORTS; 262 xtables_check_inverse(optarg, &invert, &optind, 0, argv); 263 parse_sctp_ports(optarg, einfo->spts); 264 if (invert) 265 einfo->invflags |= XT_SCTP_SRC_PORTS; 266 *flags |= XT_SCTP_SRC_PORTS; 267 break; 268 269 case '2': 270 if (*flags & XT_SCTP_DEST_PORTS) 271 xtables_error(PARAMETER_PROBLEM, 272 "Only one `--destination-port' allowed"); 273 einfo->flags |= XT_SCTP_DEST_PORTS; 274 xtables_check_inverse(optarg, &invert, &optind, 0, argv); 275 parse_sctp_ports(optarg, einfo->dpts); 276 if (invert) 277 einfo->invflags |= XT_SCTP_DEST_PORTS; 278 *flags |= XT_SCTP_DEST_PORTS; 279 break; 280 281 case '3': 282 if (*flags & XT_SCTP_CHUNK_TYPES) 283 xtables_error(PARAMETER_PROBLEM, 284 "Only one `--chunk-types' allowed"); 285 xtables_check_inverse(optarg, &invert, &optind, 0, argv); 286 287 if (!argv[optind] 288 || argv[optind][0] == '-' || argv[optind][0] == '!') 289 xtables_error(PARAMETER_PROBLEM, 290 "--chunk-types requires two args"); 291 292 einfo->flags |= XT_SCTP_CHUNK_TYPES; 293 parse_sctp_chunks(einfo, optarg, argv[optind]); 294 if (invert) 295 einfo->invflags |= XT_SCTP_CHUNK_TYPES; 296 optind++; 297 *flags |= XT_SCTP_CHUNK_TYPES; 298 break; 299 } 300 return 1; 301} 302 303static char * 304port_to_service(int port) 305{ 306 struct servent *service; 307 308 if ((service = getservbyport(htons(port), "sctp"))) 309 return service->s_name; 310 311 return NULL; 312} 313 314static void 315print_port(uint16_t port, int numeric) 316{ 317 char *service; 318 319 if (numeric || (service = port_to_service(port)) == NULL) 320 printf("%u", port); 321 else 322 printf("%s", service); 323} 324 325static void 326print_ports(const char *name, uint16_t min, uint16_t max, 327 int invert, int numeric) 328{ 329 const char *inv = invert ? "!" : ""; 330 331 if (min != 0 || max != 0xFFFF || invert) { 332 printf(" %s", name); 333 if (min == max) { 334 printf(":%s", inv); 335 print_port(min, numeric); 336 } else { 337 printf("s:%s", inv); 338 print_port(min, numeric); 339 printf(":"); 340 print_port(max, numeric); 341 } 342 } 343} 344 345static void 346print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_mask) 347{ 348 int i; 349 350 DEBUGP("type: %d\tflags: %x\tflag mask: %x\n", chunknum, chunk_flags, 351 chunk_flags_mask); 352 353 if (chunk_flags_mask) { 354 printf(":"); 355 } 356 357 for (i = 7; i >= 0; i--) { 358 if (chunk_flags_mask & (1 << i)) { 359 if (chunk_flags & (1 << i)) { 360 printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]); 361 } else { 362 printf("%c", tolower(sctp_chunk_names[chunknum].valid_flags[7-i])); 363 } 364 } 365 } 366} 367 368static void 369print_chunk(uint32_t chunknum, int numeric) 370{ 371 if (numeric) { 372 printf("0x%04X", chunknum); 373 } 374 else { 375 int i; 376 377 for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) 378 if (sctp_chunk_names[i].chunk_type == chunknum) 379 printf("%s", sctp_chunk_names[chunknum].name); 380 } 381} 382 383static void 384print_chunks(const struct xt_sctp_info *einfo, int numeric) 385{ 386 uint32_t chunk_match_type = einfo->chunk_match_type; 387 const struct xt_sctp_flag_info *flag_info = einfo->flag_info; 388 int flag_count = einfo->flag_count; 389 int i, j; 390 int flag; 391 392 switch (chunk_match_type) { 393 case SCTP_CHUNK_MATCH_ANY: printf(" any"); break; 394 case SCTP_CHUNK_MATCH_ALL: printf(" all"); break; 395 case SCTP_CHUNK_MATCH_ONLY: printf(" only"); break; 396 default: printf("Never reach here\n"); break; 397 } 398 399 if (SCTP_CHUNKMAP_IS_CLEAR(einfo->chunkmap)) { 400 printf(" NONE"); 401 goto out; 402 } 403 404 if (SCTP_CHUNKMAP_IS_ALL_SET(einfo->chunkmap)) { 405 printf(" ALL"); 406 goto out; 407 } 408 409 flag = 0; 410 for (i = 0; i < 256; i++) { 411 if (SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, i)) { 412 if (flag) 413 printf(","); 414 else 415 putchar(' '); 416 flag = 1; 417 print_chunk(i, numeric); 418 for (j = 0; j < flag_count; j++) { 419 if (flag_info[j].chunktype == i) { 420 print_chunk_flags(i, flag_info[j].flag, 421 flag_info[j].flag_mask); 422 } 423 } 424 } 425 } 426out: 427 return; 428} 429 430static void 431sctp_print(const void *ip, const struct xt_entry_match *match, int numeric) 432{ 433 const struct xt_sctp_info *einfo = 434 (const struct xt_sctp_info *)match->data; 435 436 printf(" sctp"); 437 438 if (einfo->flags & XT_SCTP_SRC_PORTS) { 439 print_ports("spt", einfo->spts[0], einfo->spts[1], 440 einfo->invflags & XT_SCTP_SRC_PORTS, 441 numeric); 442 } 443 444 if (einfo->flags & XT_SCTP_DEST_PORTS) { 445 print_ports("dpt", einfo->dpts[0], einfo->dpts[1], 446 einfo->invflags & XT_SCTP_DEST_PORTS, 447 numeric); 448 } 449 450 if (einfo->flags & XT_SCTP_CHUNK_TYPES) { 451 /* FIXME: print_chunks() is used in save() where the printing of '!' 452 s taken care of, so we need to do that here as well */ 453 if (einfo->invflags & XT_SCTP_CHUNK_TYPES) { 454 printf(" !"); 455 } 456 print_chunks(einfo, numeric); 457 } 458} 459 460static void sctp_save(const void *ip, const struct xt_entry_match *match) 461{ 462 const struct xt_sctp_info *einfo = 463 (const struct xt_sctp_info *)match->data; 464 465 if (einfo->flags & XT_SCTP_SRC_PORTS) { 466 if (einfo->invflags & XT_SCTP_SRC_PORTS) 467 printf(" !"); 468 if (einfo->spts[0] != einfo->spts[1]) 469 printf(" --sport %u:%u", 470 einfo->spts[0], einfo->spts[1]); 471 else 472 printf(" --sport %u", einfo->spts[0]); 473 } 474 475 if (einfo->flags & XT_SCTP_DEST_PORTS) { 476 if (einfo->invflags & XT_SCTP_DEST_PORTS) 477 printf(" !"); 478 if (einfo->dpts[0] != einfo->dpts[1]) 479 printf(" --dport %u:%u", 480 einfo->dpts[0], einfo->dpts[1]); 481 else 482 printf(" --dport %u", einfo->dpts[0]); 483 } 484 485 if (einfo->flags & XT_SCTP_CHUNK_TYPES) { 486 if (einfo->invflags & XT_SCTP_CHUNK_TYPES) 487 printf(" !"); 488 printf(" --chunk-types"); 489 490 print_chunks(einfo, 0); 491 } 492} 493 494static struct xtables_match sctp_match = { 495 .name = "sctp", 496 .family = NFPROTO_UNSPEC, 497 .version = XTABLES_VERSION, 498 .size = XT_ALIGN(sizeof(struct xt_sctp_info)), 499 .userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)), 500 .help = sctp_help, 501 .init = sctp_init, 502 .parse = sctp_parse, 503 .print = sctp_print, 504 .save = sctp_save, 505 .extra_opts = sctp_opts, 506}; 507 508void _init(void) 509{ 510 xtables_register_match(&sctp_match); 511} 512