1 /*
2 * Copyright (c) 2005-2013 Patrick McHardy <kaber@trash.net>
3 */
4
5 #include <stdbool.h>
6 #include <stdint.h>
7 #include <stdio.h>
8 #include <string.h>
9 #include <netdb.h>
10 #include <xtables.h>
11 #include <linux/netfilter/xt_policy.h>
12
13 enum {
14 O_DIRECTION = 0,
15 O_POLICY,
16 O_STRICT,
17 O_REQID,
18 O_SPI,
19 O_PROTO,
20 O_MODE,
21 O_TUNNELSRC,
22 O_TUNNELDST,
23 O_NEXT,
24 F_STRICT = 1 << O_STRICT,
25 };
26
policy_help(void)27 static void policy_help(void)
28 {
29 printf(
30 "policy match options:\n"
31 " --dir in|out match policy applied during decapsulation/\n"
32 " policy to be applied during encapsulation\n"
33 " --pol none|ipsec match policy\n"
34 " --strict match entire policy instead of single element\n"
35 " at any position\n"
36 "These options may be used repeatedly, to describe policy elements:\n"
37 "[!] --reqid reqid match reqid\n"
38 "[!] --spi spi match SPI\n"
39 "[!] --proto proto match protocol (ah/esp/ipcomp)\n"
40 "[!] --mode mode match mode (transport/tunnel)\n"
41 "[!] --tunnel-src addr/mask match tunnel source\n"
42 "[!] --tunnel-dst addr/mask match tunnel destination\n"
43 " --next begin next element in policy\n");
44 }
45
46 static const struct xt_option_entry policy_opts[] = {
47 {.name = "dir", .id = O_DIRECTION, .type = XTTYPE_STRING},
48 {.name = "pol", .id = O_POLICY, .type = XTTYPE_STRING},
49 {.name = "strict", .id = O_STRICT, .type = XTTYPE_NONE},
50 {.name = "reqid", .id = O_REQID, .type = XTTYPE_UINT32,
51 .flags = XTOPT_MULTI | XTOPT_INVERT},
52 {.name = "spi", .id = O_SPI, .type = XTTYPE_UINT32,
53 .flags = XTOPT_MULTI | XTOPT_INVERT},
54 {.name = "tunnel-src", .id = O_TUNNELSRC, .type = XTTYPE_HOSTMASK,
55 .flags = XTOPT_MULTI | XTOPT_INVERT},
56 {.name = "tunnel-dst", .id = O_TUNNELDST, .type = XTTYPE_HOSTMASK,
57 .flags = XTOPT_MULTI | XTOPT_INVERT},
58 {.name = "proto", .id = O_PROTO, .type = XTTYPE_PROTOCOL,
59 .flags = XTOPT_MULTI | XTOPT_INVERT},
60 {.name = "mode", .id = O_MODE, .type = XTTYPE_STRING,
61 .flags = XTOPT_MULTI | XTOPT_INVERT},
62 {.name = "next", .id = O_NEXT, .type = XTTYPE_NONE,
63 .flags = XTOPT_MULTI, .also = F_STRICT},
64 XTOPT_TABLEEND,
65 };
66
parse_direction(const char * s)67 static int parse_direction(const char *s)
68 {
69 if (strcmp(s, "in") == 0)
70 return XT_POLICY_MATCH_IN;
71 if (strcmp(s, "out") == 0)
72 return XT_POLICY_MATCH_OUT;
73 xtables_error(PARAMETER_PROBLEM, "policy_match: invalid dir \"%s\"", s);
74 }
75
parse_policy(const char * s)76 static int parse_policy(const char *s)
77 {
78 if (strcmp(s, "none") == 0)
79 return XT_POLICY_MATCH_NONE;
80 if (strcmp(s, "ipsec") == 0)
81 return 0;
82 xtables_error(PARAMETER_PROBLEM, "policy match: invalid policy \"%s\"", s);
83 }
84
parse_mode(const char * s)85 static int parse_mode(const char *s)
86 {
87 if (strcmp(s, "transport") == 0)
88 return XT_POLICY_MODE_TRANSPORT;
89 if (strcmp(s, "tunnel") == 0)
90 return XT_POLICY_MODE_TUNNEL;
91 xtables_error(PARAMETER_PROBLEM, "policy match: invalid mode \"%s\"", s);
92 }
93
policy_parse(struct xt_option_call * cb)94 static void policy_parse(struct xt_option_call *cb)
95 {
96 struct xt_policy_info *info = cb->data;
97 struct xt_policy_elem *e = &info->pol[info->len];
98
99 xtables_option_parse(cb);
100 switch (cb->entry->id) {
101 case O_DIRECTION:
102 info->flags |= parse_direction(cb->arg);
103 break;
104 case O_POLICY:
105 info->flags |= parse_policy(cb->arg);
106 break;
107 case O_STRICT:
108 info->flags |= XT_POLICY_MATCH_STRICT;
109 break;
110 case O_REQID:
111 if (e->match.reqid)
112 xtables_error(PARAMETER_PROBLEM,
113 "policy match: double --reqid option");
114 e->match.reqid = 1;
115 e->invert.reqid = cb->invert;
116 e->reqid = cb->val.u32;
117 break;
118 case O_SPI:
119 if (e->match.spi)
120 xtables_error(PARAMETER_PROBLEM,
121 "policy match: double --spi option");
122 e->match.spi = 1;
123 e->invert.spi = cb->invert;
124 e->spi = cb->val.u32;
125 break;
126 case O_TUNNELSRC:
127 if (e->match.saddr)
128 xtables_error(PARAMETER_PROBLEM,
129 "policy match: double --tunnel-src option");
130
131 e->match.saddr = 1;
132 e->invert.saddr = cb->invert;
133 memcpy(&e->saddr, &cb->val.haddr, sizeof(cb->val.haddr));
134 memcpy(&e->smask, &cb->val.hmask, sizeof(cb->val.hmask));
135 break;
136 case O_TUNNELDST:
137 if (e->match.daddr)
138 xtables_error(PARAMETER_PROBLEM,
139 "policy match: double --tunnel-dst option");
140 e->match.daddr = 1;
141 e->invert.daddr = cb->invert;
142 memcpy(&e->daddr, &cb->val.haddr, sizeof(cb->val.haddr));
143 memcpy(&e->dmask, &cb->val.hmask, sizeof(cb->val.hmask));
144 break;
145 case O_PROTO:
146 if (e->match.proto)
147 xtables_error(PARAMETER_PROBLEM,
148 "policy match: double --proto option");
149 e->proto = cb->val.protocol;
150 if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
151 e->proto != IPPROTO_COMP)
152 xtables_error(PARAMETER_PROBLEM,
153 "policy match: protocol must be ah/esp/ipcomp");
154 e->match.proto = 1;
155 e->invert.proto = cb->invert;
156 break;
157 case O_MODE:
158 if (e->match.mode)
159 xtables_error(PARAMETER_PROBLEM,
160 "policy match: double --mode option");
161 e->match.mode = 1;
162 e->invert.mode = cb->invert;
163 e->mode = parse_mode(cb->arg);
164 break;
165 case O_NEXT:
166 if (++info->len == XT_POLICY_MAX_ELEM)
167 xtables_error(PARAMETER_PROBLEM,
168 "policy match: maximum policy depth reached");
169 break;
170 }
171 }
172
policy_check(struct xt_fcheck_call * cb)173 static void policy_check(struct xt_fcheck_call *cb)
174 {
175 struct xt_policy_info *info = cb->data;
176 const struct xt_policy_elem *e;
177 int i;
178
179 /*
180 * The old "no parameters given" check is carried out
181 * by testing for --dir.
182 */
183 if (!(info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT)))
184 xtables_error(PARAMETER_PROBLEM,
185 "policy match: neither --dir in nor --dir out specified");
186
187 if (info->flags & XT_POLICY_MATCH_NONE) {
188 if (info->flags & XT_POLICY_MATCH_STRICT)
189 xtables_error(PARAMETER_PROBLEM,
190 "policy match: policy none but --strict given");
191
192 if (info->len != 0)
193 xtables_error(PARAMETER_PROBLEM,
194 "policy match: policy none but policy given");
195 } else
196 info->len++; /* increase len by 1, no --next after last element */
197
198 /*
199 * This is already represented with O_NEXT requiring F_STRICT in the
200 * options table, but will keep this code as a comment for reference.
201 *
202 if (!(info->flags & XT_POLICY_MATCH_STRICT) && info->len > 1)
203 xtables_error(PARAMETER_PROBLEM,
204 "policy match: multiple elements but no --strict");
205 */
206
207 for (i = 0; i < info->len; i++) {
208 e = &info->pol[i];
209
210 if (info->flags & XT_POLICY_MATCH_STRICT &&
211 !(e->match.reqid || e->match.spi || e->match.saddr ||
212 e->match.daddr || e->match.proto || e->match.mode))
213 xtables_error(PARAMETER_PROBLEM,
214 "policy match: empty policy element %u. "
215 "--strict is in effect, but at least one of "
216 "reqid, spi, tunnel-src, tunnel-dst, proto or "
217 "mode is required.", i);
218
219 if ((e->match.saddr || e->match.daddr)
220 && ((e->mode == XT_POLICY_MODE_TUNNEL && e->invert.mode) ||
221 (e->mode == XT_POLICY_MODE_TRANSPORT && !e->invert.mode)))
222 xtables_error(PARAMETER_PROBLEM,
223 "policy match: --tunnel-src/--tunnel-dst "
224 "is only valid in tunnel mode");
225 }
226 }
227
print_mode(const char * prefix,uint8_t mode,int numeric)228 static void print_mode(const char *prefix, uint8_t mode, int numeric)
229 {
230 printf(" %smode ", prefix);
231
232 switch (mode) {
233 case XT_POLICY_MODE_TRANSPORT:
234 printf("transport");
235 break;
236 case XT_POLICY_MODE_TUNNEL:
237 printf("tunnel");
238 break;
239 default:
240 printf("???");
241 break;
242 }
243 }
244
print_proto(const char * prefix,uint8_t proto,int numeric)245 static void print_proto(const char *prefix, uint8_t proto, int numeric)
246 {
247 const struct protoent *p = NULL;
248
249 printf(" %sproto ", prefix);
250 if (!numeric)
251 p = getprotobynumber(proto);
252 if (p != NULL)
253 printf("%s", p->p_name);
254 else
255 printf("%u", proto);
256 }
257
258 #define PRINT_INVERT(x) \
259 do { \
260 if (x) \
261 printf(" !"); \
262 } while(0)
263
print_entry(const char * prefix,const struct xt_policy_elem * e,bool numeric,uint8_t family)264 static void print_entry(const char *prefix, const struct xt_policy_elem *e,
265 bool numeric, uint8_t family)
266 {
267 if (e->match.reqid) {
268 PRINT_INVERT(e->invert.reqid);
269 printf(" %sreqid %u", prefix, e->reqid);
270 }
271 if (e->match.spi) {
272 PRINT_INVERT(e->invert.spi);
273 printf(" %sspi 0x%x", prefix, e->spi);
274 }
275 if (e->match.proto) {
276 PRINT_INVERT(e->invert.proto);
277 print_proto(prefix, e->proto, numeric);
278 }
279 if (e->match.mode) {
280 PRINT_INVERT(e->invert.mode);
281 print_mode(prefix, e->mode, numeric);
282 }
283 if (e->match.daddr) {
284 PRINT_INVERT(e->invert.daddr);
285 if (family == NFPROTO_IPV6)
286 printf(" %stunnel-dst %s%s", prefix,
287 xtables_ip6addr_to_numeric(&e->daddr.a6),
288 xtables_ip6mask_to_numeric(&e->dmask.a6));
289 else
290 printf(" %stunnel-dst %s%s", prefix,
291 xtables_ipaddr_to_numeric(&e->daddr.a4),
292 xtables_ipmask_to_numeric(&e->dmask.a4));
293 }
294 if (e->match.saddr) {
295 PRINT_INVERT(e->invert.saddr);
296 if (family == NFPROTO_IPV6)
297 printf(" %stunnel-src %s%s", prefix,
298 xtables_ip6addr_to_numeric(&e->saddr.a6),
299 xtables_ip6mask_to_numeric(&e->smask.a6));
300 else
301 printf(" %stunnel-src %s%s", prefix,
302 xtables_ipaddr_to_numeric(&e->saddr.a4),
303 xtables_ipmask_to_numeric(&e->smask.a4));
304 }
305 }
306
print_flags(const char * prefix,const struct xt_policy_info * info)307 static void print_flags(const char *prefix, const struct xt_policy_info *info)
308 {
309 if (info->flags & XT_POLICY_MATCH_IN)
310 printf(" %sdir in", prefix);
311 else
312 printf(" %sdir out", prefix);
313
314 if (info->flags & XT_POLICY_MATCH_NONE)
315 printf(" %spol none", prefix);
316 else
317 printf(" %spol ipsec", prefix);
318
319 if (info->flags & XT_POLICY_MATCH_STRICT)
320 printf(" %sstrict", prefix);
321 }
322
policy4_print(const void * ip,const struct xt_entry_match * match,int numeric)323 static void policy4_print(const void *ip, const struct xt_entry_match *match,
324 int numeric)
325 {
326 const struct xt_policy_info *info = (void *)match->data;
327 unsigned int i;
328
329 printf(" policy match");
330 print_flags("", info);
331 for (i = 0; i < info->len; i++) {
332 if (info->len > 1)
333 printf(" [%u]", i);
334 print_entry("", &info->pol[i], numeric, NFPROTO_IPV4);
335 }
336 }
337
policy6_print(const void * ip,const struct xt_entry_match * match,int numeric)338 static void policy6_print(const void *ip, const struct xt_entry_match *match,
339 int numeric)
340 {
341 const struct xt_policy_info *info = (void *)match->data;
342 unsigned int i;
343
344 printf(" policy match");
345 print_flags("", info);
346 for (i = 0; i < info->len; i++) {
347 if (info->len > 1)
348 printf(" [%u]", i);
349 print_entry("", &info->pol[i], numeric, NFPROTO_IPV6);
350 }
351 }
352
policy4_save(const void * ip,const struct xt_entry_match * match)353 static void policy4_save(const void *ip, const struct xt_entry_match *match)
354 {
355 const struct xt_policy_info *info = (void *)match->data;
356 unsigned int i;
357
358 print_flags("--", info);
359 for (i = 0; i < info->len; i++) {
360 print_entry("--", &info->pol[i], false, NFPROTO_IPV4);
361 if (i + 1 < info->len)
362 printf(" --next");
363 }
364 }
365
policy6_save(const void * ip,const struct xt_entry_match * match)366 static void policy6_save(const void *ip, const struct xt_entry_match *match)
367 {
368 const struct xt_policy_info *info = (void *)match->data;
369 unsigned int i;
370
371 print_flags("--", info);
372 for (i = 0; i < info->len; i++) {
373 print_entry("--", &info->pol[i], false, NFPROTO_IPV6);
374 if (i + 1 < info->len)
375 printf(" --next");
376 }
377 }
378
379 static struct xtables_match policy_mt_reg[] = {
380 {
381 .name = "policy",
382 .version = XTABLES_VERSION,
383 .family = NFPROTO_IPV4,
384 .size = XT_ALIGN(sizeof(struct xt_policy_info)),
385 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
386 .help = policy_help,
387 .x6_parse = policy_parse,
388 .x6_fcheck = policy_check,
389 .print = policy4_print,
390 .save = policy4_save,
391 .x6_options = policy_opts,
392 },
393 {
394 .name = "policy",
395 .version = XTABLES_VERSION,
396 .family = NFPROTO_IPV6,
397 .size = XT_ALIGN(sizeof(struct xt_policy_info)),
398 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
399 .help = policy_help,
400 .x6_parse = policy_parse,
401 .x6_fcheck = policy_check,
402 .print = policy6_print,
403 .save = policy6_save,
404 .x6_options = policy_opts,
405 },
406 };
407
_init(void)408 void _init(void)
409 {
410 xtables_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg));
411 }
412