1 #include <stdio.h>
2 #include <xtables.h>
3 #include <linux/netfilter_ipv6/ip6t_frag.h>
4 
5 enum {
6 	O_FRAGID = 0,
7 	O_FRAGLEN,
8 	O_FRAGRES,
9 	O_FRAGFIRST,
10 	O_FRAGMORE,
11 	O_FRAGLAST,
12 	F_FRAGMORE = 1 << O_FRAGMORE,
13 	F_FRAGLAST = 1 << O_FRAGLAST,
14 };
15 
frag_help(void)16 static void frag_help(void)
17 {
18 	printf(
19 "frag match options:\n"
20 "[!] --fragid id[:id]           match the id (range)\n"
21 "[!] --fraglen length           total length of this header\n"
22 " --fragres                     check the reserved field too\n"
23 " --fragfirst                   matches on the first fragment\n"
24 " [--fragmore|--fraglast]       there are more fragments or this\n"
25 "                               is the last one\n");
26 }
27 
28 #define s struct ip6t_frag
29 static const struct xt_option_entry frag_opts[] = {
30 	{.name = "fragid", .id = O_FRAGID, .type = XTTYPE_UINT32RC,
31 	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, ids)},
32 	{.name = "fraglen", .id = O_FRAGLEN, .type = XTTYPE_UINT32,
33 	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, hdrlen)},
34 	{.name = "fragres", .id = O_FRAGRES, .type = XTTYPE_NONE},
35 	{.name = "fragfirst", .id = O_FRAGFIRST, .type = XTTYPE_NONE},
36 	{.name = "fragmore", .id = O_FRAGMORE, .type = XTTYPE_NONE,
37 	 .excl = F_FRAGLAST},
38 	{.name = "fraglast", .id = O_FRAGLAST, .type = XTTYPE_NONE,
39 	 .excl = F_FRAGMORE},
40 	XTOPT_TABLEEND,
41 };
42 #undef s
43 
frag_init(struct xt_entry_match * m)44 static void frag_init(struct xt_entry_match *m)
45 {
46 	struct ip6t_frag *fraginfo = (void *)m->data;
47 
48 	fraginfo->ids[1] = ~0U;
49 }
50 
frag_parse(struct xt_option_call * cb)51 static void frag_parse(struct xt_option_call *cb)
52 {
53 	struct ip6t_frag *fraginfo = cb->data;
54 
55 	xtables_option_parse(cb);
56 	switch (cb->entry->id) {
57 	case O_FRAGID:
58 		if (cb->nvals == 1)
59 			fraginfo->ids[1] = fraginfo->ids[0];
60 		if (cb->invert)
61 			fraginfo->invflags |= IP6T_FRAG_INV_IDS;
62 		/*
63 		 * Note however that IP6T_FRAG_IDS is not tested by anything,
64 		 * so it is merely here for completeness.
65 		 */
66 		fraginfo->flags |= IP6T_FRAG_IDS;
67 		break;
68 	case O_FRAGLEN:
69 		/*
70 		 * As of Linux 3.0, the kernel does not check for
71 		 * fraglen at all.
72 		 */
73 		if (cb->invert)
74 			fraginfo->invflags |= IP6T_FRAG_INV_LEN;
75 		fraginfo->flags |= IP6T_FRAG_LEN;
76 		break;
77 	case O_FRAGRES:
78 		fraginfo->flags |= IP6T_FRAG_RES;
79 		break;
80 	case O_FRAGFIRST:
81 		fraginfo->flags |= IP6T_FRAG_FST;
82 		break;
83 	case O_FRAGMORE:
84 		fraginfo->flags |= IP6T_FRAG_MF;
85 		break;
86 	case O_FRAGLAST:
87 		fraginfo->flags |= IP6T_FRAG_NMF;
88 		break;
89 	}
90 }
91 
92 static void
print_ids(const char * name,uint32_t min,uint32_t max,int invert)93 print_ids(const char *name, uint32_t min, uint32_t max,
94 	    int invert)
95 {
96 	const char *inv = invert ? "!" : "";
97 
98 	if (min != 0 || max != 0xFFFFFFFF || invert) {
99 		printf("%s", name);
100 		if (min == max)
101 			printf(":%s%u", inv, min);
102 		else
103 			printf("s:%s%u:%u", inv, min, max);
104 	}
105 }
106 
frag_print(const void * ip,const struct xt_entry_match * match,int numeric)107 static void frag_print(const void *ip, const struct xt_entry_match *match,
108                        int numeric)
109 {
110 	const struct ip6t_frag *frag = (struct ip6t_frag *)match->data;
111 
112 	printf(" frag ");
113 	print_ids("id", frag->ids[0], frag->ids[1],
114 		    frag->invflags & IP6T_FRAG_INV_IDS);
115 
116 	if (frag->flags & IP6T_FRAG_LEN) {
117 		printf(" length:%s%u",
118 			frag->invflags & IP6T_FRAG_INV_LEN ? "!" : "",
119 			frag->hdrlen);
120 	}
121 
122 	if (frag->flags & IP6T_FRAG_RES)
123 		printf(" reserved");
124 
125 	if (frag->flags & IP6T_FRAG_FST)
126 		printf(" first");
127 
128 	if (frag->flags & IP6T_FRAG_MF)
129 		printf(" more");
130 
131 	if (frag->flags & IP6T_FRAG_NMF)
132 		printf(" last");
133 
134 	if (frag->invflags & ~IP6T_FRAG_INV_MASK)
135 		printf(" Unknown invflags: 0x%X",
136 		       frag->invflags & ~IP6T_FRAG_INV_MASK);
137 }
138 
frag_save(const void * ip,const struct xt_entry_match * match)139 static void frag_save(const void *ip, const struct xt_entry_match *match)
140 {
141 	const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data;
142 
143 	if (!(fraginfo->ids[0] == 0
144 	    && fraginfo->ids[1] == 0xFFFFFFFF)) {
145 		printf("%s --fragid ",
146 			(fraginfo->invflags & IP6T_FRAG_INV_IDS) ? " !" : "");
147 		if (fraginfo->ids[0]
148 		    != fraginfo->ids[1])
149 			printf("%u:%u",
150 			       fraginfo->ids[0],
151 			       fraginfo->ids[1]);
152 		else
153 			printf("%u",
154 			       fraginfo->ids[0]);
155 	}
156 
157 	if (fraginfo->flags & IP6T_FRAG_LEN) {
158 		printf("%s --fraglen %u",
159 			(fraginfo->invflags & IP6T_FRAG_INV_LEN) ? " !" : "",
160 			fraginfo->hdrlen);
161 	}
162 
163 	if (fraginfo->flags & IP6T_FRAG_RES)
164 		printf(" --fragres");
165 
166 	if (fraginfo->flags & IP6T_FRAG_FST)
167 		printf(" --fragfirst");
168 
169 	if (fraginfo->flags & IP6T_FRAG_MF)
170 		printf(" --fragmore");
171 
172 	if (fraginfo->flags & IP6T_FRAG_NMF)
173 		printf(" --fraglast");
174 }
175 
176 static struct xtables_match frag_mt6_reg = {
177 	.name          = "frag",
178 	.version       = XTABLES_VERSION,
179 	.family        = NFPROTO_IPV6,
180 	.size          = XT_ALIGN(sizeof(struct ip6t_frag)),
181 	.userspacesize = XT_ALIGN(sizeof(struct ip6t_frag)),
182 	.help          = frag_help,
183 	.init          = frag_init,
184 	.print         = frag_print,
185 	.save          = frag_save,
186 	.x6_parse      = frag_parse,
187 	.x6_options    = frag_opts,
188 };
189 
190 void
_init(void)191 _init(void)
192 {
193 	xtables_register_match(&frag_mt6_reg);
194 }
195