libxt_string.c revision e88a7c2c7175742b58b6aa03f2b5aba2d80330a1 
1/* Shared library add-on to iptables to add string matching support.
2 *
3 * Copyright (C) 2000 Emmanuel Roger  <winfield@freegates.be>
4 *
5 * 2005-08-05 Pablo Neira Ayuso <pablo@eurodev.net>
6 * 	- reimplemented to use new string matching iptables match
7 * 	- add functionality to match packets by using window offsets
8 * 	- add functionality to select the string matching algorithm
9 *
10 * ChangeLog
11 *     29.12.2003: Michael Rash <mbr@cipherdyne.org>
12 *             Fixed iptables save/restore for ascii strings
13 *             that contain space chars, and hex strings that
14 *             contain embedded NULL chars.  Updated to print
15 *             strings in hex mode if any non-printable char
16 *             is contained within the string.
17 *
18 *     27.01.2001: Gianni Tedesco <gianni@ecsc.co.uk>
19 *             Changed --tos to --string in save(). Also
20 *             updated to work with slightly modified
21 *             ipt_string_info.
22 */
23#define _GNU_SOURCE 1
24#include <stdbool.h>
25#include <stdio.h>
26#include <netdb.h>
27#include <string.h>
28#include <stdlib.h>
29#include <getopt.h>
30#include <ctype.h>
31#include <xtables.h>
32#include <stddef.h>
33#include <linux/netfilter/xt_string.h>
34
35static void string_help(void)
36{
37	printf(
38"string match options:\n"
39"--from                       Offset to start searching from\n"
40"--to                         Offset to stop searching\n"
41"--algo                       Algorithm\n"
42"--icase                      Ignore case (default: 0)\n"
43"[!] --string string          Match a string in a packet\n"
44"[!] --hex-string string      Match a hex string in a packet\n");
45}
46
47static const struct option string_opts[] = {
48	{.name = "from",       .has_arg = true,  .val = '1'},
49	{.name = "to",         .has_arg = true,  .val = '2'},
50	{.name = "algo",       .has_arg = true,  .val = '3'},
51	{.name = "string",     .has_arg = true,  .val = '4'},
52	{.name = "hex-string", .has_arg = true,  .val = '5'},
53	{.name = "icase",      .has_arg = false, .val = '6'},
54	XT_GETOPT_TABLEEND,
55};
56
57static void string_init(struct xt_entry_match *m)
58{
59	struct xt_string_info *i = (struct xt_string_info *) m->data;
60
61	i->to_offset = UINT16_MAX;
62}
63
64static void
65parse_string(const char *s, struct xt_string_info *info)
66{
67	/* xt_string does not need \0 at the end of the pattern */
68	if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
69		strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
70		info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
71		return;
72	}
73	xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
74}
75
76static void
77parse_algo(const char *s, struct xt_string_info *info)
78{
79	/* xt_string needs \0 for algo name */
80	if (strlen(s) < XT_STRING_MAX_ALGO_NAME_SIZE) {
81		strncpy(info->algo, s, XT_STRING_MAX_ALGO_NAME_SIZE);
82		return;
83	}
84	xtables_error(PARAMETER_PROBLEM, "ALGO too long \"%s\"", s);
85}
86
87static void
88parse_hex_string(const char *s, struct xt_string_info *info)
89{
90	int i=0, slen, sindex=0, schar;
91	short hex_f = 0, literal_f = 0;
92	char hextmp[3];
93
94	slen = strlen(s);
95
96	if (slen == 0) {
97		xtables_error(PARAMETER_PROBLEM,
98			"STRING must contain at least one char");
99	}
100
101	while (i < slen) {
102		if (s[i] == '\\' && !hex_f) {
103			literal_f = 1;
104		} else if (s[i] == '\\') {
105			xtables_error(PARAMETER_PROBLEM,
106				"Cannot include literals in hex data");
107		} else if (s[i] == '|') {
108			if (hex_f)
109				hex_f = 0;
110			else {
111				hex_f = 1;
112				/* get past any initial whitespace just after the '|' */
113				while (s[i+1] == ' ')
114					i++;
115			}
116			if (i+1 >= slen)
117				break;
118			else
119				i++;  /* advance to the next character */
120		}
121
122		if (literal_f) {
123			if (i+1 >= slen) {
124				xtables_error(PARAMETER_PROBLEM,
125					"Bad literal placement at end of string");
126			}
127			info->pattern[sindex] = s[i+1];
128			i += 2;  /* skip over literal char */
129			literal_f = 0;
130		} else if (hex_f) {
131			if (i+1 >= slen) {
132				xtables_error(PARAMETER_PROBLEM,
133					"Odd number of hex digits");
134			}
135			if (i+2 >= slen) {
136				/* must end with a "|" */
137				xtables_error(PARAMETER_PROBLEM, "Invalid hex block");
138			}
139			if (! isxdigit(s[i])) /* check for valid hex char */
140				xtables_error(PARAMETER_PROBLEM, "Invalid hex char '%c'", s[i]);
141			if (! isxdigit(s[i+1])) /* check for valid hex char */
142				xtables_error(PARAMETER_PROBLEM, "Invalid hex char '%c'", s[i+1]);
143			hextmp[0] = s[i];
144			hextmp[1] = s[i+1];
145			hextmp[2] = '\0';
146			if (! sscanf(hextmp, "%x", &schar))
147				xtables_error(PARAMETER_PROBLEM,
148					"Invalid hex char `%c'", s[i]);
149			info->pattern[sindex] = (char) schar;
150			if (s[i+2] == ' ')
151				i += 3;  /* spaces included in the hex block */
152			else
153				i += 2;
154		} else {  /* the char is not part of hex data, so just copy */
155			info->pattern[sindex] = s[i];
156			i++;
157		}
158		if (sindex > XT_STRING_MAX_PATTERN_SIZE)
159			xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
160		sindex++;
161	}
162	info->patlen = sindex;
163}
164
165#define STRING 0x1
166#define ALGO   0x2
167#define FROM   0x4
168#define TO     0x8
169#define ICASE  0x10
170
171static int
172string_parse(int c, char **argv, int invert, unsigned int *flags,
173             const void *entry, struct xt_entry_match **match)
174{
175	struct xt_string_info *stringinfo =
176	    (struct xt_string_info *)(*match)->data;
177	const int revision = (*match)->u.user.revision;
178
179	switch (c) {
180	case '1':
181		if (*flags & FROM)
182			xtables_error(PARAMETER_PROBLEM,
183				   "Can't specify multiple --from");
184		stringinfo->from_offset = atoi(optarg);
185		*flags |= FROM;
186		break;
187	case '2':
188		if (*flags & TO)
189			xtables_error(PARAMETER_PROBLEM,
190				   "Can't specify multiple --to");
191		stringinfo->to_offset = atoi(optarg);
192		*flags |= TO;
193		break;
194	case '3':
195		if (*flags & ALGO)
196			xtables_error(PARAMETER_PROBLEM,
197				   "Can't specify multiple --algo");
198		parse_algo(optarg, stringinfo);
199		*flags |= ALGO;
200		break;
201	case '4':
202		if (*flags & STRING)
203			xtables_error(PARAMETER_PROBLEM,
204				   "Can't specify multiple --string");
205		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
206		parse_string(optarg, stringinfo);
207		if (invert) {
208			if (revision == 0)
209				stringinfo->u.v0.invert = 1;
210			else
211				stringinfo->u.v1.flags |= XT_STRING_FLAG_INVERT;
212		}
213		*flags |= STRING;
214		break;
215
216	case '5':
217		if (*flags & STRING)
218			xtables_error(PARAMETER_PROBLEM,
219				   "Can't specify multiple --hex-string");
220
221		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
222		parse_hex_string(optarg, stringinfo);  /* sets length */
223		if (invert) {
224			if (revision == 0)
225				stringinfo->u.v0.invert = 1;
226			else
227				stringinfo->u.v1.flags |= XT_STRING_FLAG_INVERT;
228		}
229		*flags |= STRING;
230		break;
231
232	case '6':
233		if (revision == 0)
234			xtables_error(VERSION_PROBLEM,
235				   "Kernel doesn't support --icase");
236
237		stringinfo->u.v1.flags |= XT_STRING_FLAG_IGNORECASE;
238		*flags |= ICASE;
239		break;
240	}
241	return 1;
242}
243
244static void string_check(unsigned int flags)
245{
246	if (!(flags & STRING))
247		xtables_error(PARAMETER_PROBLEM,
248			   "STRING match: You must specify `--string' or "
249			   "`--hex-string'");
250	if (!(flags & ALGO))
251		xtables_error(PARAMETER_PROBLEM,
252			   "STRING match: You must specify `--algo'");
253}
254
255/* Test to see if the string contains non-printable chars or quotes */
256static unsigned short int
257is_hex_string(const char *str, const unsigned short int len)
258{
259	unsigned int i;
260	for (i=0; i < len; i++)
261		if (! isprint(str[i]))
262			return 1;  /* string contains at least one non-printable char */
263	/* use hex output if the last char is a "\" */
264	if ((unsigned char) str[len-1] == 0x5c)
265		return 1;
266	return 0;
267}
268
269/* Print string with "|" chars included as one would pass to --hex-string */
270static void
271print_hex_string(const char *str, const unsigned short int len)
272{
273	unsigned int i;
274	/* start hex block */
275	printf("\"|");
276	for (i=0; i < len; i++) {
277		/* see if we need to prepend a zero */
278		if ((unsigned char) str[i] <= 0x0F)
279			printf("0%x", (unsigned char) str[i]);
280		else
281			printf("%x", (unsigned char) str[i]);
282	}
283	/* close hex block */
284	printf("|\" ");
285}
286
287static void
288print_string(const char *str, const unsigned short int len)
289{
290	unsigned int i;
291	printf(" \"");
292	for (i=0; i < len; i++) {
293		if ((unsigned char) str[i] == 0x22)  /* escape any embedded quotes */
294			printf("%c", 0x5c);
295		printf("%c", (unsigned char) str[i]);
296	}
297	printf("\"");  /* closing quote */
298}
299
300static void
301string_print(const void *ip, const struct xt_entry_match *match, int numeric)
302{
303	const struct xt_string_info *info =
304	    (const struct xt_string_info*) match->data;
305	const int revision = match->u.user.revision;
306	int invert = (revision == 0 ? info->u.v0.invert :
307				    info->u.v1.flags & XT_STRING_FLAG_INVERT);
308
309	if (is_hex_string(info->pattern, info->patlen)) {
310		printf(" STRING match %s", invert ? "!" : "");
311		print_hex_string(info->pattern, info->patlen);
312	} else {
313		printf(" STRING match %s", invert ? "!" : "");
314		print_string(info->pattern, info->patlen);
315	}
316	printf(" ALGO name %s", info->algo);
317	if (info->from_offset != 0)
318		printf(" FROM %u", info->from_offset);
319	if (info->to_offset != 0)
320		printf(" TO %u", info->to_offset);
321	if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
322		printf(" ICASE");
323}
324
325static void string_save(const void *ip, const struct xt_entry_match *match)
326{
327	const struct xt_string_info *info =
328	    (const struct xt_string_info*) match->data;
329	const int revision = match->u.user.revision;
330	int invert = (revision == 0 ? info->u.v0.invert :
331				    info->u.v1.flags & XT_STRING_FLAG_INVERT);
332
333	if (is_hex_string(info->pattern, info->patlen)) {
334		printf("%s --hex-string", (invert) ? " !" : "");
335		print_hex_string(info->pattern, info->patlen);
336	} else {
337		printf("%s --string", (invert) ? " !": "");
338		print_string(info->pattern, info->patlen);
339	}
340	printf(" --algo %s", info->algo);
341	if (info->from_offset != 0)
342		printf(" --from %u", info->from_offset);
343	if (info->to_offset != 0)
344		printf(" --to %u", info->to_offset);
345	if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
346		printf(" --icase");
347}
348
349
350static struct xtables_match string_mt_reg[] = {
351	{
352		.name          = "string",
353		.revision      = 0,
354		.family        = NFPROTO_UNSPEC,
355		.version       = XTABLES_VERSION,
356		.size          = XT_ALIGN(sizeof(struct xt_string_info)),
357		.userspacesize = offsetof(struct xt_string_info, config),
358		.help          = string_help,
359		.init          = string_init,
360		.parse         = string_parse,
361		.final_check   = string_check,
362		.print         = string_print,
363		.save          = string_save,
364		.extra_opts    = string_opts,
365	},
366	{
367		.name          = "string",
368		.revision      = 1,
369		.family        = NFPROTO_UNSPEC,
370		.version       = XTABLES_VERSION,
371		.size          = XT_ALIGN(sizeof(struct xt_string_info)),
372		.userspacesize = offsetof(struct xt_string_info, config),
373		.help          = string_help,
374		.init          = string_init,
375		.parse         = string_parse,
376		.final_check   = string_check,
377		.print         = string_print,
378		.save          = string_save,
379		.extra_opts    = string_opts,
380	},
381};
382
383void _init(void)
384{
385	xtables_register_matches(string_mt_reg, ARRAY_SIZE(string_mt_reg));
386}
387