1 /* ipv6header match - matches IPv6 packets based
2 on whether they contain certain headers */
3
4 /* Original idea: Brad Chapman
5 * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */
6 #include <stdint.h>
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <string.h>
10 #include <netdb.h>
11 #include <xtables.h>
12 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
13
14 enum {
15 O_HEADER = 0,
16 O_SOFT,
17 };
18
19 /* A few hardcoded protocols for 'all' and in case the user has no
20 * /etc/protocols */
21 struct pprot {
22 char *name;
23 uint8_t num;
24 };
25
26 struct numflag {
27 uint8_t proto;
28 uint8_t flag;
29 };
30
31 static const struct pprot chain_protos[] = {
32 { "hop-by-hop", IPPROTO_HOPOPTS },
33 { "protocol", IPPROTO_RAW },
34 { "hop", IPPROTO_HOPOPTS },
35 { "dst", IPPROTO_DSTOPTS },
36 { "route", IPPROTO_ROUTING },
37 { "frag", IPPROTO_FRAGMENT },
38 { "auth", IPPROTO_AH },
39 { "esp", IPPROTO_ESP },
40 { "none", IPPROTO_NONE },
41 { "prot", IPPROTO_RAW },
42 { "0", IPPROTO_HOPOPTS },
43 { "60", IPPROTO_DSTOPTS },
44 { "43", IPPROTO_ROUTING },
45 { "44", IPPROTO_FRAGMENT },
46 { "51", IPPROTO_AH },
47 { "50", IPPROTO_ESP },
48 { "59", IPPROTO_NONE },
49 { "255", IPPROTO_RAW },
50 /* { "all", 0 }, */
51 };
52
53 static const struct numflag chain_flags[] = {
54 { IPPROTO_HOPOPTS, MASK_HOPOPTS },
55 { IPPROTO_DSTOPTS, MASK_DSTOPTS },
56 { IPPROTO_ROUTING, MASK_ROUTING },
57 { IPPROTO_FRAGMENT, MASK_FRAGMENT },
58 { IPPROTO_AH, MASK_AH },
59 { IPPROTO_ESP, MASK_ESP },
60 { IPPROTO_NONE, MASK_NONE },
61 { IPPROTO_RAW, MASK_PROTO },
62 };
63
64 static const char *
proto_to_name(uint8_t proto,int nolookup)65 proto_to_name(uint8_t proto, int nolookup)
66 {
67 unsigned int i;
68
69 if (proto && !nolookup) {
70 const struct protoent *pent = getprotobynumber(proto);
71 if (pent)
72 return pent->p_name;
73 }
74
75 for (i = 0; i < ARRAY_SIZE(chain_protos); ++i)
76 if (chain_protos[i].num == proto)
77 return chain_protos[i].name;
78
79 return NULL;
80 }
81
82 static uint16_t
name_to_proto(const char * s)83 name_to_proto(const char *s)
84 {
85 unsigned int proto=0;
86 const struct protoent *pent;
87
88 if ((pent = getprotobyname(s)))
89 proto = pent->p_proto;
90 else {
91 unsigned int i;
92 for (i = 0; i < ARRAY_SIZE(chain_protos); ++i)
93 if (strcmp(s, chain_protos[i].name) == 0) {
94 proto = chain_protos[i].num;
95 break;
96 }
97
98 if (i == ARRAY_SIZE(chain_protos))
99 xtables_error(PARAMETER_PROBLEM,
100 "unknown header `%s' specified",
101 s);
102 }
103
104 return proto;
105 }
106
107 static unsigned int
add_proto_to_mask(int proto)108 add_proto_to_mask(int proto){
109 unsigned int i=0, flag=0;
110
111 for (i = 0; i < ARRAY_SIZE(chain_flags); ++i)
112 if (proto == chain_flags[i].proto){
113 flag = chain_flags[i].flag;
114 break;
115 }
116
117 if (i == ARRAY_SIZE(chain_flags))
118 xtables_error(PARAMETER_PROBLEM,
119 "unknown header `%d' specified",
120 proto);
121
122 return flag;
123 }
124
ipv6header_help(void)125 static void ipv6header_help(void)
126 {
127 printf(
128 "ipv6header match options:\n"
129 "[!] --header headers Type of header to match, by name\n"
130 " names: hop,dst,route,frag,auth,esp,none,prot\n"
131 " long names: hop-by-hop,ipv6-opts,ipv6-route,\n"
132 " ipv6-frag,ah,esp,ipv6-nonxt,protocol\n"
133 " numbers: 0,60,43,44,51,50,59\n"
134 "--soft The header CONTAINS the specified extensions\n");
135 }
136
137 static const struct xt_option_entry ipv6header_opts[] = {
138 {.name = "header", .id = O_HEADER, .type = XTTYPE_STRING,
139 .flags = XTOPT_MAND | XTOPT_INVERT},
140 {.name = "soft", .id = O_SOFT, .type = XTTYPE_NONE},
141 XTOPT_TABLEEND,
142 };
143
144 static unsigned int
parse_header(const char * flags)145 parse_header(const char *flags) {
146 unsigned int ret = 0;
147 char *ptr;
148 char *buffer;
149
150 buffer = strdup(flags);
151
152 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
153 ret |= add_proto_to_mask(name_to_proto(ptr));
154
155 free(buffer);
156 return ret;
157 }
158
ipv6header_parse(struct xt_option_call * cb)159 static void ipv6header_parse(struct xt_option_call *cb)
160 {
161 struct ip6t_ipv6header_info *info = cb->data;
162
163 xtables_option_parse(cb);
164 switch (cb->entry->id) {
165 case O_HEADER:
166 if (!(info->matchflags = parse_header(cb->arg)))
167 xtables_error(PARAMETER_PROBLEM, "ip6t_ipv6header: cannot parse header names");
168 if (cb->invert)
169 info->invflags |= 0xFF;
170 break;
171 case O_SOFT:
172 info->modeflag |= 0xFF;
173 break;
174 }
175 }
176
177 static void
print_header(uint8_t flags)178 print_header(uint8_t flags){
179 int have_flag = 0;
180
181 while (flags) {
182 unsigned int i;
183
184 for (i = 0; (flags & chain_flags[i].flag) == 0; i++);
185
186 if (have_flag)
187 printf(",");
188
189 printf("%s", proto_to_name(chain_flags[i].proto,0));
190 have_flag = 1;
191
192 flags &= ~chain_flags[i].flag;
193 }
194
195 if (!have_flag)
196 printf("NONE");
197 }
198
ipv6header_print(const void * ip,const struct xt_entry_match * match,int numeric)199 static void ipv6header_print(const void *ip,
200 const struct xt_entry_match *match, int numeric)
201 {
202 const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
203 printf(" ipv6header");
204
205 if (info->matchflags || info->invflags) {
206 printf(" flags:%s", info->invflags ? "!" : "");
207 if (numeric)
208 printf("0x%02X", info->matchflags);
209 else {
210 print_header(info->matchflags);
211 }
212 }
213
214 if (info->modeflag)
215 printf(" soft");
216 }
217
ipv6header_save(const void * ip,const struct xt_entry_match * match)218 static void ipv6header_save(const void *ip, const struct xt_entry_match *match)
219 {
220
221 const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
222
223 printf("%s --header ", info->invflags ? " !" : "");
224 print_header(info->matchflags);
225 if (info->modeflag)
226 printf(" --soft");
227 }
228
229 static struct xtables_match ipv6header_mt6_reg = {
230 .name = "ipv6header",
231 .version = XTABLES_VERSION,
232 .family = NFPROTO_IPV6,
233 .size = XT_ALIGN(sizeof(struct ip6t_ipv6header_info)),
234 .userspacesize = XT_ALIGN(sizeof(struct ip6t_ipv6header_info)),
235 .help = ipv6header_help,
236 .print = ipv6header_print,
237 .save = ipv6header_save,
238 .x6_parse = ipv6header_parse,
239 .x6_options = ipv6header_opts,
240 };
241
_init(void)242 void _init(void)
243 {
244 xtables_register_match(&ipv6header_mt6_reg);
245 }
246