1/*
2 * (C) 2012 by Hans Schillstrom <hans.schillstrom@ericsson.com>
3 * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Description: shared library add-on to iptables to add HMARK target support
10 *
11 * Initial development by Hans Schillstrom. Pablo's improvements to this piece
12 * of software has been sponsored by Sophos Astaro <http://www.sophos.com>.
13 */
14
15#include <stdbool.h>
16#include <stdio.h>
17#include <string.h>
18
19#include "xtables.h"
20#include <linux/netfilter/xt_HMARK.h>
21
22static void HMARK_help(void)
23{
24	printf(
25"HMARK target options, i.e. modify hash calculation by:\n"
26"  --hmark-tuple [src|dst|sport|dport|spi|proto|ct][,...]\n"
27"  --hmark-mod value		    nfmark modulus value\n"
28"  --hmark-offset value		    Last action add value to nfmark\n\n"
29"  --hmark-rnd			    Random see for hashing\n"
30" Alternatively, fine tuning of what will be included in hash calculation\n"
31"  --hmark-src-prefix length	    Source address mask CIDR prefix\n"
32"  --hmark-dst-prefix length	    Dest address mask CIDR prefix\n"
33"  --hmark-sport-mask value	    Mask src port with value\n"
34"  --hmark-dport-mask value	    Mask dst port with value\n"
35"  --hmark-spi-mask value	    For esp and ah AND spi with value\n"
36"  --hmark-sport value		    OR src port with value\n"
37"  --hmark-dport value		    OR dst port with value\n"
38"  --hmark-spi value		    For esp and ah OR spi with value\n"
39"  --hmark-proto-mask value	    Mask Protocol with value\n");
40}
41
42#define hi struct xt_hmark_info
43
44enum {
45	O_HMARK_SADDR_MASK,
46	O_HMARK_DADDR_MASK,
47	O_HMARK_SPI,
48	O_HMARK_SPI_MASK,
49	O_HMARK_SPORT,
50	O_HMARK_DPORT,
51	O_HMARK_SPORT_MASK,
52	O_HMARK_DPORT_MASK,
53	O_HMARK_PROTO_MASK,
54	O_HMARK_RND,
55	O_HMARK_MODULUS,
56	O_HMARK_OFFSET,
57	O_HMARK_CT,
58	O_HMARK_TYPE,
59};
60
61#define HMARK_OPT_PKT_MASK			\
62	((1 << O_HMARK_SADDR_MASK)		| \
63	 (1 << O_HMARK_DADDR_MASK)		| \
64	 (1 << O_HMARK_SPI_MASK)		| \
65	 (1 << O_HMARK_SPORT_MASK)		| \
66	 (1 << O_HMARK_DPORT_MASK)		| \
67	 (1 << O_HMARK_PROTO_MASK)		| \
68	 (1 << O_HMARK_SPI_MASK)		| \
69	 (1 << O_HMARK_SPORT)			| \
70	 (1 << O_HMARK_DPORT)			| \
71	 (1 << O_HMARK_SPI))
72
73static const struct xt_option_entry HMARK_opts[] = {
74	{ .name  = "hmark-tuple",
75	  .type  = XTTYPE_STRING,
76	  .id	 = O_HMARK_TYPE,
77	},
78	{ .name  = "hmark-src-prefix",
79	  .type  = XTTYPE_PLENMASK,
80	  .id	 = O_HMARK_SADDR_MASK,
81	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, src_mask)
82	},
83	{ .name  = "hmark-dst-prefix",
84	  .type  = XTTYPE_PLENMASK,
85	  .id	 = O_HMARK_DADDR_MASK,
86	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, dst_mask)
87	},
88	{ .name  = "hmark-sport-mask",
89	  .type  = XTTYPE_UINT16,
90	  .id	 = O_HMARK_SPORT_MASK,
91	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.p16.src)
92	},
93	{ .name  = "hmark-dport-mask",
94	  .type  = XTTYPE_UINT16,
95	  .id	 = O_HMARK_DPORT_MASK,
96	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.p16.dst)
97	},
98	{ .name  = "hmark-spi-mask",
99	  .type  = XTTYPE_UINT32,
100	  .id	 = O_HMARK_SPI_MASK,
101	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.v32)
102	},
103	{ .name  = "hmark-sport",
104	  .type  = XTTYPE_UINT16,
105	  .id	 = O_HMARK_SPORT,
106	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.p16.src)
107	},
108	{ .name  = "hmark-dport",
109	  .type  = XTTYPE_UINT16,
110	  .id	 = O_HMARK_DPORT,
111	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.p16.dst)
112	},
113	{ .name  = "hmark-spi",
114	  .type  = XTTYPE_UINT32,
115	  .id	 = O_HMARK_SPI,
116	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.v32)
117	},
118	{ .name  = "hmark-proto-mask",
119	  .type  = XTTYPE_UINT16,
120	  .id	 = O_HMARK_PROTO_MASK,
121	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, proto_mask)
122	},
123	{ .name  = "hmark-rnd",
124	  .type  = XTTYPE_UINT32,
125	  .id	 = O_HMARK_RND,
126	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, hashrnd)
127	},
128	{ .name = "hmark-mod",
129	  .type = XTTYPE_UINT32,
130	  .id = O_HMARK_MODULUS,
131	  .min = 1,
132	  .flags = XTOPT_PUT | XTOPT_MAND, XTOPT_POINTER(hi, hmodulus)
133	},
134	{ .name  = "hmark-offset",
135	  .type  = XTTYPE_UINT32,
136	  .id	 = O_HMARK_OFFSET,
137	  .flags = XTOPT_PUT, XTOPT_POINTER(hi, hoffset)
138	},
139	XTOPT_TABLEEND,
140};
141
142static int
143hmark_parse(const char *type, size_t len, struct xt_hmark_info *info,
144	    unsigned int *xflags)
145{
146	if (strncasecmp(type, "ct", len) == 0) {
147		info->flags |= XT_HMARK_FLAG(XT_HMARK_CT);
148		*xflags |= (1 << O_HMARK_CT);
149	} else if (strncasecmp(type, "src", len) == 0) {
150		memset(&info->src_mask, 0xff, sizeof(info->src_mask));
151		info->flags |= XT_HMARK_FLAG(XT_HMARK_SADDR_MASK);
152		*xflags |= (1 << O_HMARK_SADDR_MASK);
153	} else if (strncasecmp(type, "dst", len) == 0) {
154		memset(&info->dst_mask, 0xff, sizeof(info->dst_mask));
155		info->flags |= XT_HMARK_FLAG(XT_HMARK_DADDR_MASK);
156		*xflags |= (1 << O_HMARK_DADDR_MASK);
157	} else if (strncasecmp(type, "sport", len) == 0) {
158		memset(&info->port_mask.p16.src, 0xff,
159			sizeof(info->port_mask.p16.src));
160		info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT_MASK);
161		*xflags |= (1 << O_HMARK_SPORT_MASK);
162	} else if (strncasecmp(type, "dport", len) == 0) {
163		memset(&info->port_mask.p16.dst, 0xff,
164			sizeof(info->port_mask.p16.dst));
165		info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT_MASK);
166		*xflags |= (1 << O_HMARK_DPORT_MASK);
167	} else if (strncasecmp(type, "proto", len) == 0) {
168		memset(&info->proto_mask, 0xff, sizeof(info->proto_mask));
169		info->flags |= XT_HMARK_FLAG(XT_HMARK_PROTO_MASK);
170		*xflags |= (1 << O_HMARK_PROTO_MASK);
171	} else if (strncasecmp(type, "spi", len) == 0) {
172		memset(&info->port_mask.v32, 0xff, sizeof(info->port_mask.v32));
173		info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI_MASK);
174		*xflags |= (1 << O_HMARK_SPI_MASK);
175	} else
176		return 0;
177
178	return 1;
179}
180
181static void
182hmark_parse_type(struct xt_option_call *cb)
183{
184	const char *arg = cb->arg;
185	struct xt_hmark_info *info = cb->data;
186	const char *comma;
187
188	while ((comma = strchr(arg, ',')) != NULL) {
189		if (comma == arg ||
190		    !hmark_parse(arg, comma-arg, info, &cb->xflags))
191			xtables_error(PARAMETER_PROBLEM, "Bad type \"%s\"", arg);
192		arg = comma+1;
193	}
194	if (!*arg)
195		xtables_error(PARAMETER_PROBLEM, "\"--hmark-tuple\" requires "
196						 "a list of types with no "
197						 "spaces, e.g. "
198						 "src,dst,sport,dport,proto");
199	if (strlen(arg) == 0 ||
200	    !hmark_parse(arg, strlen(arg), info, &cb->xflags))
201		xtables_error(PARAMETER_PROBLEM, "Bad type \"%s\"", arg);
202}
203
204static void HMARK_parse(struct xt_option_call *cb, int plen)
205{
206	struct xt_hmark_info *info = cb->data;
207
208	xtables_option_parse(cb);
209
210	switch (cb->entry->id) {
211	case O_HMARK_TYPE:
212		hmark_parse_type(cb);
213		break;
214	case O_HMARK_SADDR_MASK:
215		info->flags |= XT_HMARK_FLAG(XT_HMARK_SADDR_MASK);
216		break;
217	case O_HMARK_DADDR_MASK:
218		info->flags |= XT_HMARK_FLAG(XT_HMARK_DADDR_MASK);
219		break;
220	case O_HMARK_SPI:
221		info->port_set.v32 = htonl(cb->val.u32);
222		info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI);
223		break;
224	case O_HMARK_SPORT:
225		info->port_set.p16.src = htons(cb->val.u16);
226		info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT);
227		break;
228	case O_HMARK_DPORT:
229		info->port_set.p16.dst = htons(cb->val.u16);
230		info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT);
231		break;
232	case O_HMARK_SPORT_MASK:
233		info->port_mask.p16.src = htons(cb->val.u16);
234		info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT_MASK);
235		break;
236	case O_HMARK_DPORT_MASK:
237		info->port_mask.p16.dst = htons(cb->val.u16);
238		info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT_MASK);
239		break;
240	case O_HMARK_SPI_MASK:
241		info->port_mask.v32 = htonl(cb->val.u32);
242		info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI_MASK);
243		break;
244	case O_HMARK_PROTO_MASK:
245		info->flags |= XT_HMARK_FLAG(XT_HMARK_PROTO_MASK);
246		break;
247	case O_HMARK_RND:
248		info->flags |= XT_HMARK_FLAG(XT_HMARK_RND);
249		break;
250	case O_HMARK_MODULUS:
251		info->flags |= XT_HMARK_FLAG(XT_HMARK_MODULUS);
252		break;
253	case O_HMARK_OFFSET:
254		info->flags |= XT_HMARK_FLAG(XT_HMARK_OFFSET);
255		break;
256	case O_HMARK_CT:
257		info->flags |= XT_HMARK_FLAG(XT_HMARK_CT);
258		break;
259	}
260	cb->xflags |= (1 << cb->entry->id);
261}
262
263static void HMARK_ip4_parse(struct xt_option_call *cb)
264{
265	HMARK_parse(cb, 32);
266}
267static void HMARK_ip6_parse(struct xt_option_call *cb)
268{
269	HMARK_parse(cb, 128);
270}
271
272static void HMARK_check(struct xt_fcheck_call *cb)
273{
274	if (!(cb->xflags & (1 << O_HMARK_MODULUS)))
275		xtables_error(PARAMETER_PROBLEM, "--hmark-mod is mandatory");
276	if (!(cb->xflags & (1 << O_HMARK_RND)))
277		xtables_error(PARAMETER_PROBLEM, "--hmark-rnd is mandatory");
278	if (cb->xflags & (1 << O_HMARK_SPI_MASK) &&
279	    (cb->xflags & ((1 << O_HMARK_SPORT_MASK) |
280			   (1 << O_HMARK_DPORT_MASK))))
281		xtables_error(PARAMETER_PROBLEM, "you cannot use "
282				"--hmark-spi-mask and --hmark-?port-mask,"
283				"at the same time");
284	if (!((cb->xflags & HMARK_OPT_PKT_MASK) ||
285	       cb->xflags & (1 << O_HMARK_CT)))
286		xtables_error(PARAMETER_PROBLEM, "you have to specify "
287				"--hmark-tuple at least");
288}
289
290static void HMARK_print(const struct xt_hmark_info *info)
291{
292	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
293		printf("sport-mask 0x%x ", htons(info->port_mask.p16.src));
294	if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
295		printf("dport-mask 0x%x ", htons(info->port_mask.p16.dst));
296	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK))
297		printf("spi-mask 0x%x ", htonl(info->port_mask.v32));
298	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
299		printf("sport 0x%x ", htons(info->port_set.p16.src));
300	if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
301		printf("dport 0x%x ", htons(info->port_set.p16.dst));
302	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI))
303		printf("spi 0x%x ", htonl(info->port_set.v32));
304	if (info->flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK))
305		printf("proto-mask 0x%x ", info->proto_mask);
306	if (info->flags & XT_HMARK_FLAG(XT_HMARK_RND))
307		printf("rnd 0x%x ", info->hashrnd);
308}
309
310static void HMARK_ip6_print(const void *ip,
311			    const struct xt_entry_target *target, int numeric)
312{
313	const struct xt_hmark_info *info =
314			(const struct xt_hmark_info *)target->data;
315
316	printf(" HMARK ");
317	if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
318		printf("mod %u ", info->hmodulus);
319	if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
320		printf("+ 0x%x ", info->hoffset);
321	if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))
322		printf("ct, ");
323	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
324		printf("src-prefix %s ",
325		       xtables_ip6mask_to_numeric(&info->src_mask.in6) + 1);
326	if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
327		printf("dst-prefix %s ",
328		       xtables_ip6mask_to_numeric(&info->dst_mask.in6) + 1);
329	HMARK_print(info);
330}
331static void HMARK_ip4_print(const void *ip,
332			    const struct xt_entry_target *target, int numeric)
333{
334	const struct xt_hmark_info *info =
335		(const struct xt_hmark_info *)target->data;
336
337	printf(" HMARK ");
338	if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
339		printf("mod %u ", info->hmodulus);
340	if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
341		printf("+ 0x%x ", info->hoffset);
342	if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))
343		printf("ct, ");
344	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
345		printf("src-prefix %u ",
346		       xtables_ipmask_to_cidr(&info->src_mask.in));
347	if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
348		printf("dst-prefix %u ",
349		       xtables_ipmask_to_cidr(&info->dst_mask.in));
350	HMARK_print(info);
351}
352
353static void HMARK_save(const struct xt_hmark_info *info)
354{
355	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
356		printf(" --hmark-sport-mask 0x%04x",
357		       htons(info->port_mask.p16.src));
358	if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
359		printf(" --hmark-dport-mask 0x%04x",
360		       htons(info->port_mask.p16.dst));
361	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK))
362		printf(" --hmark-spi-mask 0x%08x",
363		       htonl(info->port_mask.v32));
364	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
365		printf(" --hmark-sport 0x%04x",
366		       htons(info->port_set.p16.src));
367	if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
368		printf(" --hmark-dport 0x%04x",
369		       htons(info->port_set.p16.dst));
370	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI))
371		printf(" --hmark-spi 0x%08x", htonl(info->port_set.v32));
372	if (info->flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK))
373		printf(" --hmark-proto-mask 0x%02x", info->proto_mask);
374	if (info->flags & XT_HMARK_FLAG(XT_HMARK_RND))
375		printf(" --hmark-rnd 0x%08x", info->hashrnd);
376	if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
377		printf(" --hmark-mod %u", info->hmodulus);
378	if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
379		printf(" --hmark-offset %u", info->hoffset);
380	if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))
381		printf(" --hmark-tuple ct");
382}
383
384static void HMARK_ip6_save(const void *ip, const struct xt_entry_target *target)
385{
386	const struct xt_hmark_info *info =
387		(const struct xt_hmark_info *)target->data;
388	int ret;
389
390	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) {
391		ret = xtables_ip6mask_to_cidr(&info->src_mask.in6);
392		printf(" --hmark-src-prefix %d", ret);
393	}
394	if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) {
395		ret = xtables_ip6mask_to_cidr(&info->dst_mask.in6);
396		printf(" --hmark-dst-prefix %d", ret);
397	}
398	HMARK_save(info);
399}
400
401static void HMARK_ip4_save(const void *ip, const struct xt_entry_target *target)
402{
403	const struct xt_hmark_info *info =
404		(const struct xt_hmark_info *)target->data;
405	int ret;
406
407	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) {
408		ret = xtables_ipmask_to_cidr(&info->src_mask.in);
409		printf(" --hmark-src-prefix %d", ret);
410	}
411	if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) {
412		ret = xtables_ipmask_to_cidr(&info->dst_mask.in);
413		printf(" --hmark-dst-prefix %d", ret);
414	}
415	HMARK_save(info);
416}
417
418static struct xtables_target mark_tg_reg[] = {
419	{
420		.family        = NFPROTO_IPV4,
421		.name	       = "HMARK",
422		.version       = XTABLES_VERSION,
423		.size	       = XT_ALIGN(sizeof(struct xt_hmark_info)),
424		.userspacesize = XT_ALIGN(sizeof(struct xt_hmark_info)),
425		.help	       = HMARK_help,
426		.print	       = HMARK_ip4_print,
427		.save	       = HMARK_ip4_save,
428		.x6_parse      = HMARK_ip4_parse,
429		.x6_fcheck     = HMARK_check,
430		.x6_options    = HMARK_opts,
431	},
432	{
433		.family        = NFPROTO_IPV6,
434		.name	       = "HMARK",
435		.version       = XTABLES_VERSION,
436		.size	       = XT_ALIGN(sizeof(struct xt_hmark_info)),
437		.userspacesize = XT_ALIGN(sizeof(struct xt_hmark_info)),
438		.help	       = HMARK_help,
439		.print	       = HMARK_ip6_print,
440		.save	       = HMARK_ip6_save,
441		.x6_parse      = HMARK_ip6_parse,
442		.x6_fcheck     = HMARK_check,
443		.x6_options    = HMARK_opts,
444	},
445};
446
447void _init(void)
448{
449	xtables_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
450}
451