libxt_sctp.c revision c5e85736c207f211d82d2878a5781f512327dfce
1/* Shared library add-on to iptables for SCTP matching 2 * 3 * (C) 2003 by Harald Welte <laforge@gnumonks.org> 4 * 5 * This program is distributed under the terms of GNU GPL v2, 1991 6 * 7 * libipt_ecn.c borrowed heavily from libipt_dscp.c 8 * 9 */ 10#include <stdio.h> 11#include <string.h> 12#include <stdlib.h> 13#include <getopt.h> 14#include <netdb.h> 15#include <ctype.h> 16 17#include <netinet/in.h> 18#include <xtables.h> 19 20#include <linux/netfilter/xt_sctp.h> 21 22#if 0 23#define DEBUGP(format, first...) printf(format, ##first) 24#define static 25#else 26#define DEBUGP(format, fist...) 27#endif 28 29static void 30print_chunk(u_int32_t chunknum, int numeric); 31 32static void sctp_init(struct xt_entry_match *m) 33{ 34 int i; 35 struct xt_sctp_info *einfo = (struct xt_sctp_info *)m->data; 36 37 memset(einfo, 0, sizeof(struct xt_sctp_info)); 38 39 for (i = 0; i < XT_NUM_SCTP_FLAGS; i++) { 40 einfo->flag_info[i].chunktype = -1; 41 } 42} 43 44static void sctp_help(void) 45{ 46 printf( 47"sctp match options\n" 48"[!] --source-port port[:port] match source port(s)\n" 49" --sport ...\n" 50"[!] --destination-port port[:port] match destination port(s)\n" 51" --dport ...\n" 52"[!] --chunk-types (all|any|none) (chunktype[:flags])+ match if all, any or none of\n" 53" chunktypes are present\n" 54"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK ALL NONE\n"); 55} 56 57static const struct option sctp_opts[] = { 58 { .name = "source-port", .has_arg = 1, .val = '1' }, 59 { .name = "sport", .has_arg = 1, .val = '1' }, 60 { .name = "destination-port", .has_arg = 1, .val = '2' }, 61 { .name = "dport", .has_arg = 1, .val = '2' }, 62 { .name = "chunk-types", .has_arg = 1, .val = '3' }, 63 { .name = NULL } 64}; 65 66static void 67parse_sctp_ports(const char *portstring, 68 u_int16_t *ports) 69{ 70 char *buffer; 71 char *cp; 72 73 buffer = strdup(portstring); 74 DEBUGP("%s\n", portstring); 75 if ((cp = strchr(buffer, ':')) == NULL) { 76 ports[0] = ports[1] = xtables_parse_port(buffer, "sctp"); 77 } 78 else { 79 *cp = '\0'; 80 cp++; 81 82 ports[0] = buffer[0] ? xtables_parse_port(buffer, "sctp") : 0; 83 ports[1] = cp[0] ? xtables_parse_port(cp, "sctp") : 0xFFFF; 84 85 if (ports[0] > ports[1]) 86 xtables_error(PARAMETER_PROBLEM, 87 "invalid portrange (min > max)"); 88 } 89 free(buffer); 90} 91 92struct sctp_chunk_names { 93 const char *name; 94 unsigned int chunk_type; 95 const char *valid_flags; 96}; 97 98/*'ALL' and 'NONE' will be treated specially. */ 99static const struct sctp_chunk_names sctp_chunk_names[] 100= { { .name = "DATA", .chunk_type = 0, .valid_flags = "-----UBE"}, 101 { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"}, 102 { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"}, 103 { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"}, 104 { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"}, 105 { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"}, 106 { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"}, 107 { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"}, 108 { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"}, 109 { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"}, 110 { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"}, 111 { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"}, 112 { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"}, 113 { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"}, 114 { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"}, 115 { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"}, 116 { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"}, 117}; 118 119static void 120save_chunk_flag_info(struct xt_sctp_flag_info *flag_info, 121 int *flag_count, 122 int chunktype, 123 int bit, 124 int set) 125{ 126 int i; 127 128 for (i = 0; i < *flag_count; i++) { 129 if (flag_info[i].chunktype == chunktype) { 130 DEBUGP("Previous match found\n"); 131 flag_info[i].chunktype = chunktype; 132 flag_info[i].flag_mask |= (1 << bit); 133 if (set) { 134 flag_info[i].flag |= (1 << bit); 135 } 136 137 return; 138 } 139 } 140 141 if (*flag_count == XT_NUM_SCTP_FLAGS) { 142 xtables_error (PARAMETER_PROBLEM, 143 "Number of chunk types with flags exceeds currently allowed limit." 144 "Increasing this limit involves changing IPT_NUM_SCTP_FLAGS and" 145 "recompiling both the kernel space and user space modules\n"); 146 } 147 148 flag_info[*flag_count].chunktype = chunktype; 149 flag_info[*flag_count].flag_mask |= (1 << bit); 150 if (set) { 151 flag_info[*flag_count].flag |= (1 << bit); 152 } 153 (*flag_count)++; 154} 155 156static void 157parse_sctp_chunk(struct xt_sctp_info *einfo, 158 const char *chunks) 159{ 160 char *ptr; 161 char *buffer; 162 unsigned int i, j; 163 int found = 0; 164 char *chunk_flags; 165 166 buffer = strdup(chunks); 167 DEBUGP("Buffer: %s\n", buffer); 168 169 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 170 171 if (!strcasecmp(buffer, "ALL")) { 172 SCTP_CHUNKMAP_SET_ALL(einfo->chunkmap); 173 goto out; 174 } 175 176 if (!strcasecmp(buffer, "NONE")) { 177 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 178 goto out; 179 } 180 181 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) { 182 found = 0; 183 DEBUGP("Next Chunk type %s\n", ptr); 184 185 if ((chunk_flags = strchr(ptr, ':')) != NULL) { 186 *chunk_flags++ = 0; 187 } 188 189 for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) 190 if (strcasecmp(sctp_chunk_names[i].name, ptr) == 0) { 191 DEBUGP("Chunk num %d\n", sctp_chunk_names[i].chunk_type); 192 SCTP_CHUNKMAP_SET(einfo->chunkmap, 193 sctp_chunk_names[i].chunk_type); 194 found = 1; 195 break; 196 } 197 if (!found) 198 xtables_error(PARAMETER_PROBLEM, 199 "Unknown sctp chunk `%s'", ptr); 200 201 if (chunk_flags) { 202 DEBUGP("Chunk flags %s\n", chunk_flags); 203 for (j = 0; j < strlen(chunk_flags); j++) { 204 char *p; 205 int bit; 206 207 if ((p = strchr(sctp_chunk_names[i].valid_flags, 208 toupper(chunk_flags[j]))) != NULL) { 209 bit = p - sctp_chunk_names[i].valid_flags; 210 bit = 7 - bit; 211 212 save_chunk_flag_info(einfo->flag_info, 213 &(einfo->flag_count), i, bit, 214 isupper(chunk_flags[j])); 215 } else { 216 xtables_error(PARAMETER_PROBLEM, 217 "Invalid flags for chunk type %d\n", i); 218 } 219 } 220 } 221 } 222out: 223 free(buffer); 224} 225 226static void 227parse_sctp_chunks(struct xt_sctp_info *einfo, 228 const char *match_type, 229 const char *chunks) 230{ 231 DEBUGP("Match type: %s Chunks: %s\n", match_type, chunks); 232 if (!strcasecmp(match_type, "ANY")) { 233 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ANY; 234 } else if (!strcasecmp(match_type, "ALL")) { 235 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ALL; 236 } else if (!strcasecmp(match_type, "ONLY")) { 237 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ONLY; 238 } else { 239 xtables_error (PARAMETER_PROBLEM, 240 "Match type has to be one of \"ALL\", \"ANY\" or \"ONLY\""); 241 } 242 243 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 244 parse_sctp_chunk(einfo, chunks); 245} 246 247static int 248sctp_parse(int c, char **argv, int invert, unsigned int *flags, 249 const void *entry, struct xt_entry_match **match) 250{ 251 struct xt_sctp_info *einfo 252 = (struct xt_sctp_info *)(*match)->data; 253 254 switch (c) { 255 case '1': 256 if (*flags & XT_SCTP_SRC_PORTS) 257 xtables_error(PARAMETER_PROBLEM, 258 "Only one `--source-port' allowed"); 259 einfo->flags |= XT_SCTP_SRC_PORTS; 260 xtables_check_inverse(optarg, &invert, &optind, 0); 261 parse_sctp_ports(argv[optind-1], einfo->spts); 262 if (invert) 263 einfo->invflags |= XT_SCTP_SRC_PORTS; 264 *flags |= XT_SCTP_SRC_PORTS; 265 break; 266 267 case '2': 268 if (*flags & XT_SCTP_DEST_PORTS) 269 xtables_error(PARAMETER_PROBLEM, 270 "Only one `--destination-port' allowed"); 271 einfo->flags |= XT_SCTP_DEST_PORTS; 272 xtables_check_inverse(optarg, &invert, &optind, 0); 273 parse_sctp_ports(argv[optind-1], einfo->dpts); 274 if (invert) 275 einfo->invflags |= XT_SCTP_DEST_PORTS; 276 *flags |= XT_SCTP_DEST_PORTS; 277 break; 278 279 case '3': 280 if (*flags & XT_SCTP_CHUNK_TYPES) 281 xtables_error(PARAMETER_PROBLEM, 282 "Only one `--chunk-types' allowed"); 283 xtables_check_inverse(optarg, &invert, &optind, 0); 284 285 if (!argv[optind] 286 || argv[optind][0] == '-' || argv[optind][0] == '!') 287 xtables_error(PARAMETER_PROBLEM, 288 "--chunk-types requires two args"); 289 290 einfo->flags |= XT_SCTP_CHUNK_TYPES; 291 parse_sctp_chunks(einfo, argv[optind-1], argv[optind]); 292 if (invert) 293 einfo->invflags |= XT_SCTP_CHUNK_TYPES; 294 optind++; 295 *flags |= XT_SCTP_CHUNK_TYPES; 296 break; 297 298 default: 299 return 0; 300 } 301 return 1; 302} 303 304static char * 305port_to_service(int port) 306{ 307 struct servent *service; 308 309 if ((service = getservbyport(htons(port), "sctp"))) 310 return service->s_name; 311 312 return NULL; 313} 314 315static void 316print_port(u_int16_t port, int numeric) 317{ 318 char *service; 319 320 if (numeric || (service = port_to_service(port)) == NULL) 321 printf("%u", port); 322 else 323 printf("%s", service); 324} 325 326static void 327print_ports(const char *name, u_int16_t min, u_int16_t max, 328 int invert, int numeric) 329{ 330 const char *inv = invert ? "!" : ""; 331 332 if (min != 0 || max != 0xFFFF || invert) { 333 printf("%s", name); 334 if (min == max) { 335 printf(":%s", inv); 336 print_port(min, numeric); 337 } else { 338 printf("s:%s", inv); 339 print_port(min, numeric); 340 printf(":"); 341 print_port(max, numeric); 342 } 343 printf(" "); 344 } 345} 346 347static void 348print_chunk_flags(u_int32_t chunknum, u_int8_t chunk_flags, u_int8_t chunk_flags_mask) 349{ 350 int i; 351 352 DEBUGP("type: %d\tflags: %x\tflag mask: %x\n", chunknum, chunk_flags, 353 chunk_flags_mask); 354 355 if (chunk_flags_mask) { 356 printf(":"); 357 } 358 359 for (i = 7; i >= 0; i--) { 360 if (chunk_flags_mask & (1 << i)) { 361 if (chunk_flags & (1 << i)) { 362 printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]); 363 } else { 364 printf("%c", tolower(sctp_chunk_names[chunknum].valid_flags[7-i])); 365 } 366 } 367 } 368} 369 370static void 371print_chunk(u_int32_t chunknum, int numeric) 372{ 373 if (numeric) { 374 printf("0x%04X", chunknum); 375 } 376 else { 377 int i; 378 379 for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) 380 if (sctp_chunk_names[i].chunk_type == chunknum) 381 printf("%s", sctp_chunk_names[chunknum].name); 382 } 383} 384 385static void 386print_chunks(const struct xt_sctp_info *einfo, int numeric) 387{ 388 u_int32_t chunk_match_type = einfo->chunk_match_type; 389 const struct xt_sctp_flag_info *flag_info = einfo->flag_info; 390 int flag_count = einfo->flag_count; 391 int i, j; 392 int flag; 393 394 switch (chunk_match_type) { 395 case SCTP_CHUNK_MATCH_ANY: printf("any "); break; 396 case SCTP_CHUNK_MATCH_ALL: printf("all "); break; 397 case SCTP_CHUNK_MATCH_ONLY: printf("only "); break; 398 default: printf("Never reach herer\n"); break; 399 } 400 401 if (SCTP_CHUNKMAP_IS_CLEAR(einfo->chunkmap)) { 402 printf("NONE "); 403 goto out; 404 } 405 406 if (SCTP_CHUNKMAP_IS_ALL_SET(einfo->chunkmap)) { 407 printf("ALL "); 408 goto out; 409 } 410 411 flag = 0; 412 for (i = 0; i < 256; i++) { 413 if (SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, i)) { 414 if (flag) 415 printf(","); 416 flag = 1; 417 print_chunk(i, numeric); 418 for (j = 0; j < flag_count; j++) { 419 if (flag_info[j].chunktype == i) { 420 print_chunk_flags(i, flag_info[j].flag, 421 flag_info[j].flag_mask); 422 } 423 } 424 } 425 } 426 427 if (flag) 428 printf(" "); 429out: 430 return; 431} 432 433static void 434sctp_print(const void *ip, const struct xt_entry_match *match, int numeric) 435{ 436 const struct xt_sctp_info *einfo = 437 (const struct xt_sctp_info *)match->data; 438 439 printf("sctp "); 440 441 if (einfo->flags & XT_SCTP_SRC_PORTS) { 442 print_ports("spt", einfo->spts[0], einfo->spts[1], 443 einfo->invflags & XT_SCTP_SRC_PORTS, 444 numeric); 445 } 446 447 if (einfo->flags & XT_SCTP_DEST_PORTS) { 448 print_ports("dpt", einfo->dpts[0], einfo->dpts[1], 449 einfo->invflags & XT_SCTP_DEST_PORTS, 450 numeric); 451 } 452 453 if (einfo->flags & XT_SCTP_CHUNK_TYPES) { 454 /* FIXME: print_chunks() is used in save() where the printing of '!' 455 s taken care of, so we need to do that here as well */ 456 if (einfo->invflags & XT_SCTP_CHUNK_TYPES) { 457 printf("! "); 458 } 459 print_chunks(einfo, numeric); 460 } 461} 462 463static void sctp_save(const void *ip, const struct xt_entry_match *match) 464{ 465 const struct xt_sctp_info *einfo = 466 (const struct xt_sctp_info *)match->data; 467 468 if (einfo->flags & XT_SCTP_SRC_PORTS) { 469 if (einfo->invflags & XT_SCTP_SRC_PORTS) 470 printf("! "); 471 if (einfo->spts[0] != einfo->spts[1]) 472 printf("--sport %u:%u ", 473 einfo->spts[0], einfo->spts[1]); 474 else 475 printf("--sport %u ", einfo->spts[0]); 476 } 477 478 if (einfo->flags & XT_SCTP_DEST_PORTS) { 479 if (einfo->invflags & XT_SCTP_DEST_PORTS) 480 printf("! "); 481 if (einfo->dpts[0] != einfo->dpts[1]) 482 printf("--dport %u:%u ", 483 einfo->dpts[0], einfo->dpts[1]); 484 else 485 printf("--dport %u ", einfo->dpts[0]); 486 } 487 488 if (einfo->flags & XT_SCTP_CHUNK_TYPES) { 489 if (einfo->invflags & XT_SCTP_CHUNK_TYPES) 490 printf("! "); 491 printf("--chunk-types "); 492 493 print_chunks(einfo, 0); 494 } 495} 496 497static struct xtables_match sctp_match = { 498 .name = "sctp", 499 .family = NFPROTO_UNSPEC, 500 .version = XTABLES_VERSION, 501 .size = XT_ALIGN(sizeof(struct xt_sctp_info)), 502 .userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)), 503 .help = sctp_help, 504 .init = sctp_init, 505 .parse = sctp_parse, 506 .print = sctp_print, 507 .save = sctp_save, 508 .extra_opts = sctp_opts, 509}; 510 511void _init(void) 512{ 513 xtables_register_match(&sctp_match); 514} 515