libxt_sctp.c revision da580fe55ebf234febf4a8880f53a80870e9088f
1/* Shared library add-on to iptables for SCTP matching 2 * 3 * (C) 2003 by Harald Welte <laforge@gnumonks.org> 4 * 5 * This program is distributed under the terms of GNU GPL v2, 1991 6 * 7 * libipt_ecn.c borrowed heavily from libipt_dscp.c 8 * 9 */ 10#include <stdbool.h> 11#include <stdio.h> 12#include <string.h> 13#include <stdlib.h> 14#include <getopt.h> 15#include <netdb.h> 16#include <ctype.h> 17 18#include <netinet/in.h> 19#include <xtables.h> 20 21#include <linux/netfilter/xt_sctp.h> 22 23#if 0 24#define DEBUGP(format, first...) printf(format, ##first) 25#define static 26#else 27#define DEBUGP(format, fist...) 28#endif 29 30static void 31print_chunk(uint32_t chunknum, int numeric); 32 33static void sctp_init(struct xt_entry_match *m) 34{ 35 int i; 36 struct xt_sctp_info *einfo = (struct xt_sctp_info *)m->data; 37 38 memset(einfo, 0, sizeof(struct xt_sctp_info)); 39 40 for (i = 0; i < XT_NUM_SCTP_FLAGS; i++) { 41 einfo->flag_info[i].chunktype = -1; 42 } 43} 44 45static void sctp_help(void) 46{ 47 printf( 48"sctp match options\n" 49"[!] --source-port port[:port] match source port(s)\n" 50" --sport ...\n" 51"[!] --destination-port port[:port] match destination port(s)\n" 52" --dport ...\n" 53"[!] --chunk-types (all|any|none) (chunktype[:flags])+ match if all, any or none of\n" 54" chunktypes are present\n" 55"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN ALL NONE\n"); 56} 57 58static const struct option sctp_opts[] = { 59 {.name = "source-port", .has_arg = true, .val = '1'}, 60 {.name = "sport", .has_arg = true, .val = '1'}, 61 {.name = "destination-port", .has_arg = true, .val = '2'}, 62 {.name = "dport", .has_arg = true, .val = '2'}, 63 {.name = "chunk-types", .has_arg = true, .val = '3'}, 64 XT_GETOPT_TABLEEND, 65}; 66 67static void 68parse_sctp_ports(const char *portstring, 69 uint16_t *ports) 70{ 71 char *buffer; 72 char *cp; 73 74 buffer = strdup(portstring); 75 DEBUGP("%s\n", portstring); 76 if ((cp = strchr(buffer, ':')) == NULL) { 77 ports[0] = ports[1] = xtables_parse_port(buffer, "sctp"); 78 } 79 else { 80 *cp = '\0'; 81 cp++; 82 83 ports[0] = buffer[0] ? xtables_parse_port(buffer, "sctp") : 0; 84 ports[1] = cp[0] ? xtables_parse_port(cp, "sctp") : 0xFFFF; 85 86 if (ports[0] > ports[1]) 87 xtables_error(PARAMETER_PROBLEM, 88 "invalid portrange (min > max)"); 89 } 90 free(buffer); 91} 92 93struct sctp_chunk_names { 94 const char *name; 95 unsigned int chunk_type; 96 const char *valid_flags; 97}; 98 99/*'ALL' and 'NONE' will be treated specially. */ 100static const struct sctp_chunk_names sctp_chunk_names[] 101= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE"}, 102 { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"}, 103 { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"}, 104 { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"}, 105 { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"}, 106 { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"}, 107 { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"}, 108 { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"}, 109 { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"}, 110 { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"}, 111 { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"}, 112 { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"}, 113 { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"}, 114 { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"}, 115 { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"}, 116 { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"}, 117 { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"}, 118 { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------"}, 119}; 120 121static void 122save_chunk_flag_info(struct xt_sctp_flag_info *flag_info, 123 int *flag_count, 124 int chunktype, 125 int bit, 126 int set) 127{ 128 int i; 129 130 for (i = 0; i < *flag_count; i++) { 131 if (flag_info[i].chunktype == chunktype) { 132 DEBUGP("Previous match found\n"); 133 flag_info[i].chunktype = chunktype; 134 flag_info[i].flag_mask |= (1 << bit); 135 if (set) { 136 flag_info[i].flag |= (1 << bit); 137 } 138 139 return; 140 } 141 } 142 143 if (*flag_count == XT_NUM_SCTP_FLAGS) { 144 xtables_error (PARAMETER_PROBLEM, 145 "Number of chunk types with flags exceeds currently allowed limit." 146 "Increasing this limit involves changing IPT_NUM_SCTP_FLAGS and" 147 "recompiling both the kernel space and user space modules\n"); 148 } 149 150 flag_info[*flag_count].chunktype = chunktype; 151 flag_info[*flag_count].flag_mask |= (1 << bit); 152 if (set) { 153 flag_info[*flag_count].flag |= (1 << bit); 154 } 155 (*flag_count)++; 156} 157 158static void 159parse_sctp_chunk(struct xt_sctp_info *einfo, 160 const char *chunks) 161{ 162 char *ptr; 163 char *buffer; 164 unsigned int i, j; 165 int found = 0; 166 char *chunk_flags; 167 168 buffer = strdup(chunks); 169 DEBUGP("Buffer: %s\n", buffer); 170 171 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 172 173 if (!strcasecmp(buffer, "ALL")) { 174 SCTP_CHUNKMAP_SET_ALL(einfo->chunkmap); 175 goto out; 176 } 177 178 if (!strcasecmp(buffer, "NONE")) { 179 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 180 goto out; 181 } 182 183 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) { 184 found = 0; 185 DEBUGP("Next Chunk type %s\n", ptr); 186 187 if ((chunk_flags = strchr(ptr, ':')) != NULL) { 188 *chunk_flags++ = 0; 189 } 190 191 for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) 192 if (strcasecmp(sctp_chunk_names[i].name, ptr) == 0) { 193 DEBUGP("Chunk num %d\n", sctp_chunk_names[i].chunk_type); 194 SCTP_CHUNKMAP_SET(einfo->chunkmap, 195 sctp_chunk_names[i].chunk_type); 196 found = 1; 197 break; 198 } 199 if (!found) 200 xtables_error(PARAMETER_PROBLEM, 201 "Unknown sctp chunk `%s'", ptr); 202 203 if (chunk_flags) { 204 DEBUGP("Chunk flags %s\n", chunk_flags); 205 for (j = 0; j < strlen(chunk_flags); j++) { 206 char *p; 207 int bit; 208 209 if ((p = strchr(sctp_chunk_names[i].valid_flags, 210 toupper(chunk_flags[j]))) != NULL) { 211 bit = p - sctp_chunk_names[i].valid_flags; 212 bit = 7 - bit; 213 214 save_chunk_flag_info(einfo->flag_info, 215 &(einfo->flag_count), i, bit, 216 isupper(chunk_flags[j])); 217 } else { 218 xtables_error(PARAMETER_PROBLEM, 219 "Invalid flags for chunk type %d\n", i); 220 } 221 } 222 } 223 } 224out: 225 free(buffer); 226} 227 228static void 229parse_sctp_chunks(struct xt_sctp_info *einfo, 230 const char *match_type, 231 const char *chunks) 232{ 233 DEBUGP("Match type: %s Chunks: %s\n", match_type, chunks); 234 if (!strcasecmp(match_type, "ANY")) { 235 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ANY; 236 } else if (!strcasecmp(match_type, "ALL")) { 237 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ALL; 238 } else if (!strcasecmp(match_type, "ONLY")) { 239 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ONLY; 240 } else { 241 xtables_error (PARAMETER_PROBLEM, 242 "Match type has to be one of \"ALL\", \"ANY\" or \"ONLY\""); 243 } 244 245 SCTP_CHUNKMAP_RESET(einfo->chunkmap); 246 parse_sctp_chunk(einfo, chunks); 247} 248 249static int 250sctp_parse(int c, char **argv, int invert, unsigned int *flags, 251 const void *entry, struct xt_entry_match **match) 252{ 253 struct xt_sctp_info *einfo 254 = (struct xt_sctp_info *)(*match)->data; 255 256 switch (c) { 257 case '1': 258 if (*flags & XT_SCTP_SRC_PORTS) 259 xtables_error(PARAMETER_PROBLEM, 260 "Only one `--source-port' allowed"); 261 einfo->flags |= XT_SCTP_SRC_PORTS; 262 xtables_check_inverse(optarg, &invert, &optind, 0, argv); 263 parse_sctp_ports(optarg, einfo->spts); 264 if (invert) 265 einfo->invflags |= XT_SCTP_SRC_PORTS; 266 *flags |= XT_SCTP_SRC_PORTS; 267 break; 268 269 case '2': 270 if (*flags & XT_SCTP_DEST_PORTS) 271 xtables_error(PARAMETER_PROBLEM, 272 "Only one `--destination-port' allowed"); 273 einfo->flags |= XT_SCTP_DEST_PORTS; 274 xtables_check_inverse(optarg, &invert, &optind, 0, argv); 275 parse_sctp_ports(optarg, einfo->dpts); 276 if (invert) 277 einfo->invflags |= XT_SCTP_DEST_PORTS; 278 *flags |= XT_SCTP_DEST_PORTS; 279 break; 280 281 case '3': 282 if (*flags & XT_SCTP_CHUNK_TYPES) 283 xtables_error(PARAMETER_PROBLEM, 284 "Only one `--chunk-types' allowed"); 285 xtables_check_inverse(optarg, &invert, &optind, 0, argv); 286 287 if (!argv[optind] 288 || argv[optind][0] == '-' || argv[optind][0] == '!') 289 xtables_error(PARAMETER_PROBLEM, 290 "--chunk-types requires two args"); 291 292 einfo->flags |= XT_SCTP_CHUNK_TYPES; 293 parse_sctp_chunks(einfo, optarg, argv[optind]); 294 if (invert) 295 einfo->invflags |= XT_SCTP_CHUNK_TYPES; 296 optind++; 297 *flags |= XT_SCTP_CHUNK_TYPES; 298 break; 299 } 300 return 1; 301} 302 303static char * 304port_to_service(int port) 305{ 306 struct servent *service; 307 308 if ((service = getservbyport(htons(port), "sctp"))) 309 return service->s_name; 310 311 return NULL; 312} 313 314static void 315print_port(uint16_t port, int numeric) 316{ 317 char *service; 318 319 if (numeric || (service = port_to_service(port)) == NULL) 320 printf("%u", port); 321 else 322 printf("%s", service); 323} 324 325static void 326print_ports(const char *name, uint16_t min, uint16_t max, 327 int invert, int numeric) 328{ 329 const char *inv = invert ? "!" : ""; 330 331 if (min != 0 || max != 0xFFFF || invert) { 332 printf("%s", name); 333 if (min == max) { 334 printf(":%s", inv); 335 print_port(min, numeric); 336 } else { 337 printf("s:%s", inv); 338 print_port(min, numeric); 339 printf(":"); 340 print_port(max, numeric); 341 } 342 printf(" "); 343 } 344} 345 346static void 347print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_mask) 348{ 349 int i; 350 351 DEBUGP("type: %d\tflags: %x\tflag mask: %x\n", chunknum, chunk_flags, 352 chunk_flags_mask); 353 354 if (chunk_flags_mask) { 355 printf(":"); 356 } 357 358 for (i = 7; i >= 0; i--) { 359 if (chunk_flags_mask & (1 << i)) { 360 if (chunk_flags & (1 << i)) { 361 printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]); 362 } else { 363 printf("%c", tolower(sctp_chunk_names[chunknum].valid_flags[7-i])); 364 } 365 } 366 } 367} 368 369static void 370print_chunk(uint32_t chunknum, int numeric) 371{ 372 if (numeric) { 373 printf("0x%04X", chunknum); 374 } 375 else { 376 int i; 377 378 for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) 379 if (sctp_chunk_names[i].chunk_type == chunknum) 380 printf("%s", sctp_chunk_names[chunknum].name); 381 } 382} 383 384static void 385print_chunks(const struct xt_sctp_info *einfo, int numeric) 386{ 387 uint32_t chunk_match_type = einfo->chunk_match_type; 388 const struct xt_sctp_flag_info *flag_info = einfo->flag_info; 389 int flag_count = einfo->flag_count; 390 int i, j; 391 int flag; 392 393 switch (chunk_match_type) { 394 case SCTP_CHUNK_MATCH_ANY: printf("any "); break; 395 case SCTP_CHUNK_MATCH_ALL: printf("all "); break; 396 case SCTP_CHUNK_MATCH_ONLY: printf("only "); break; 397 default: printf("Never reach here\n"); break; 398 } 399 400 if (SCTP_CHUNKMAP_IS_CLEAR(einfo->chunkmap)) { 401 printf("NONE "); 402 goto out; 403 } 404 405 if (SCTP_CHUNKMAP_IS_ALL_SET(einfo->chunkmap)) { 406 printf("ALL "); 407 goto out; 408 } 409 410 flag = 0; 411 for (i = 0; i < 256; i++) { 412 if (SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, i)) { 413 if (flag) 414 printf(","); 415 flag = 1; 416 print_chunk(i, numeric); 417 for (j = 0; j < flag_count; j++) { 418 if (flag_info[j].chunktype == i) { 419 print_chunk_flags(i, flag_info[j].flag, 420 flag_info[j].flag_mask); 421 } 422 } 423 } 424 } 425 426 if (flag) 427 printf(" "); 428out: 429 return; 430} 431 432static void 433sctp_print(const void *ip, const struct xt_entry_match *match, int numeric) 434{ 435 const struct xt_sctp_info *einfo = 436 (const struct xt_sctp_info *)match->data; 437 438 printf("sctp "); 439 440 if (einfo->flags & XT_SCTP_SRC_PORTS) { 441 print_ports("spt", einfo->spts[0], einfo->spts[1], 442 einfo->invflags & XT_SCTP_SRC_PORTS, 443 numeric); 444 } 445 446 if (einfo->flags & XT_SCTP_DEST_PORTS) { 447 print_ports("dpt", einfo->dpts[0], einfo->dpts[1], 448 einfo->invflags & XT_SCTP_DEST_PORTS, 449 numeric); 450 } 451 452 if (einfo->flags & XT_SCTP_CHUNK_TYPES) { 453 /* FIXME: print_chunks() is used in save() where the printing of '!' 454 s taken care of, so we need to do that here as well */ 455 if (einfo->invflags & XT_SCTP_CHUNK_TYPES) { 456 printf("! "); 457 } 458 print_chunks(einfo, numeric); 459 } 460} 461 462static void sctp_save(const void *ip, const struct xt_entry_match *match) 463{ 464 const struct xt_sctp_info *einfo = 465 (const struct xt_sctp_info *)match->data; 466 467 if (einfo->flags & XT_SCTP_SRC_PORTS) { 468 if (einfo->invflags & XT_SCTP_SRC_PORTS) 469 printf("! "); 470 if (einfo->spts[0] != einfo->spts[1]) 471 printf("--sport %u:%u ", 472 einfo->spts[0], einfo->spts[1]); 473 else 474 printf("--sport %u ", einfo->spts[0]); 475 } 476 477 if (einfo->flags & XT_SCTP_DEST_PORTS) { 478 if (einfo->invflags & XT_SCTP_DEST_PORTS) 479 printf("! "); 480 if (einfo->dpts[0] != einfo->dpts[1]) 481 printf("--dport %u:%u ", 482 einfo->dpts[0], einfo->dpts[1]); 483 else 484 printf("--dport %u ", einfo->dpts[0]); 485 } 486 487 if (einfo->flags & XT_SCTP_CHUNK_TYPES) { 488 if (einfo->invflags & XT_SCTP_CHUNK_TYPES) 489 printf("! "); 490 printf("--chunk-types "); 491 492 print_chunks(einfo, 0); 493 } 494} 495 496static struct xtables_match sctp_match = { 497 .name = "sctp", 498 .family = NFPROTO_UNSPEC, 499 .version = XTABLES_VERSION, 500 .size = XT_ALIGN(sizeof(struct xt_sctp_info)), 501 .userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)), 502 .help = sctp_help, 503 .init = sctp_init, 504 .parse = sctp_parse, 505 .print = sctp_print, 506 .save = sctp_save, 507 .extra_opts = sctp_opts, 508}; 509 510void _init(void) 511{ 512 xtables_register_match(&sctp_match); 513} 514