blob: 905b494b0de4b0054b8e1a8b799059a806ba3595 [file] [log] [blame]
/* Shared library add-on to ip6tables to add Fragmentation header support. */
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
#include <errno.h>
#include <xtables.h>
#include <linux/netfilter_ipv6/ip6t_frag.h>
static void frag_help(void)
{
printf(
"frag match options:\n"
"[!] --fragid id[:id] match the id (range)\n"
"[!] --fraglen length total length of this header\n"
" --fragres check the reserved filed, too\n"
" --fragfirst matches on the first fragment\n"
" [--fragmore|--fraglast] there are more fragments or this\n"
" is the last one\n");
}
static const struct option frag_opts[] = {
{ .name = "fragid", .has_arg = 1, .val = '1' },
{ .name = "fraglen", .has_arg = 1, .val = '2' },
{ .name = "fragres", .has_arg = 0, .val = '3' },
{ .name = "fragfirst", .has_arg = 0, .val = '4' },
{ .name = "fragmore", .has_arg = 0, .val = '5' },
{ .name = "fraglast", .has_arg = 0, .val = '6' },
{ .name = NULL }
};
static u_int32_t
parse_frag_id(const char *idstr, const char *typestr)
{
unsigned long int id;
char* ep;
id = strtoul(idstr, &ep, 0);
if ( idstr == ep ) {
xtables_error(PARAMETER_PROBLEM,
"FRAG no valid digits in %s `%s'", typestr, idstr);
}
if ( id == ULONG_MAX && errno == ERANGE ) {
xtables_error(PARAMETER_PROBLEM,
"%s `%s' specified too big: would overflow",
typestr, idstr);
}
if ( *idstr != '\0' && *ep != '\0' ) {
xtables_error(PARAMETER_PROBLEM,
"FRAG error parsing %s `%s'", typestr, idstr);
}
return id;
}
static void
parse_frag_ids(const char *idstring, u_int32_t *ids)
{
char *buffer;
char *cp;
buffer = strdup(idstring);
if ((cp = strchr(buffer, ':')) == NULL)
ids[0] = ids[1] = parse_frag_id(buffer,"id");
else {
*cp = '\0';
cp++;
ids[0] = buffer[0] ? parse_frag_id(buffer,"id") : 0;
ids[1] = cp[0] ? parse_frag_id(cp,"id") : 0xFFFFFFFF;
}
free(buffer);
}
static void frag_init(struct xt_entry_match *m)
{
struct ip6t_frag *fraginfo = (struct ip6t_frag *)m->data;
fraginfo->ids[0] = 0x0L;
fraginfo->ids[1] = 0xFFFFFFFF;
fraginfo->hdrlen = 0;
fraginfo->flags = 0;
fraginfo->invflags = 0;
}
static int frag_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct ip6t_frag *fraginfo = (struct ip6t_frag *)(*match)->data;
switch (c) {
case '1':
if (*flags & IP6T_FRAG_IDS)
xtables_error(PARAMETER_PROBLEM,
"Only one `--fragid' allowed");
xtables_check_inverse(optarg, &invert, &optind, 0);
parse_frag_ids(argv[optind-1], fraginfo->ids);
if (invert)
fraginfo->invflags |= IP6T_FRAG_INV_IDS;
fraginfo->flags |= IP6T_FRAG_IDS;
*flags |= IP6T_FRAG_IDS;
break;
case '2':
if (*flags & IP6T_FRAG_LEN)
xtables_error(PARAMETER_PROBLEM,
"Only one `--fraglen' allowed");
xtables_check_inverse(optarg, &invert, &optind, 0);
fraginfo->hdrlen = parse_frag_id(argv[optind-1], "length");
if (invert)
fraginfo->invflags |= IP6T_FRAG_INV_LEN;
fraginfo->flags |= IP6T_FRAG_LEN;
*flags |= IP6T_FRAG_LEN;
break;
case '3':
if (*flags & IP6T_FRAG_RES)
xtables_error(PARAMETER_PROBLEM,
"Only one `--fragres' allowed");
fraginfo->flags |= IP6T_FRAG_RES;
*flags |= IP6T_FRAG_RES;
break;
case '4':
if (*flags & IP6T_FRAG_FST)
xtables_error(PARAMETER_PROBLEM,
"Only one `--fragfirst' allowed");
fraginfo->flags |= IP6T_FRAG_FST;
*flags |= IP6T_FRAG_FST;
break;
case '5':
if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
xtables_error(PARAMETER_PROBLEM,
"Only one `--fragmore' or `--fraglast' allowed");
fraginfo->flags |= IP6T_FRAG_MF;
*flags |= IP6T_FRAG_MF;
break;
case '6':
if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
xtables_error(PARAMETER_PROBLEM,
"Only one `--fragmore' or `--fraglast' allowed");
fraginfo->flags |= IP6T_FRAG_NMF;
*flags |= IP6T_FRAG_NMF;
break;
default:
return 0;
}
return 1;
}
static void
print_ids(const char *name, u_int32_t min, u_int32_t max,
int invert)
{
const char *inv = invert ? "!" : "";
if (min != 0 || max != 0xFFFFFFFF || invert) {
printf("%s", name);
if (min == max)
printf(":%s%u ", inv, min);
else
printf("s:%s%u:%u ", inv, min, max);
}
}
static void frag_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct ip6t_frag *frag = (struct ip6t_frag *)match->data;
printf("frag ");
print_ids("id", frag->ids[0], frag->ids[1],
frag->invflags & IP6T_FRAG_INV_IDS);
if (frag->flags & IP6T_FRAG_LEN) {
printf("length:%s%u ",
frag->invflags & IP6T_FRAG_INV_LEN ? "!" : "",
frag->hdrlen);
}
if (frag->flags & IP6T_FRAG_RES)
printf("reserved ");
if (frag->flags & IP6T_FRAG_FST)
printf("first ");
if (frag->flags & IP6T_FRAG_MF)
printf("more ");
if (frag->flags & IP6T_FRAG_NMF)
printf("last ");
if (frag->invflags & ~IP6T_FRAG_INV_MASK)
printf("Unknown invflags: 0x%X ",
frag->invflags & ~IP6T_FRAG_INV_MASK);
}
static void frag_save(const void *ip, const struct xt_entry_match *match)
{
const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data;
if (!(fraginfo->ids[0] == 0
&& fraginfo->ids[1] == 0xFFFFFFFF)) {
printf("%s--fragid ",
(fraginfo->invflags & IP6T_FRAG_INV_IDS) ? "! " : "");
if (fraginfo->ids[0]
!= fraginfo->ids[1])
printf("%u:%u ",
fraginfo->ids[0],
fraginfo->ids[1]);
else
printf("%u ",
fraginfo->ids[0]);
}
if (fraginfo->flags & IP6T_FRAG_LEN) {
printf("%s--fraglen %u ",
(fraginfo->invflags & IP6T_FRAG_INV_LEN) ? "! " : "",
fraginfo->hdrlen);
}
if (fraginfo->flags & IP6T_FRAG_RES)
printf("--fragres ");
if (fraginfo->flags & IP6T_FRAG_FST)
printf("--fragfirst ");
if (fraginfo->flags & IP6T_FRAG_MF)
printf("--fragmore ");
if (fraginfo->flags & IP6T_FRAG_NMF)
printf("--fraglast ");
}
static struct xtables_match frag_mt6_reg = {
.name = "frag",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct ip6t_frag)),
.userspacesize = XT_ALIGN(sizeof(struct ip6t_frag)),
.help = frag_help,
.init = frag_init,
.parse = frag_parse,
.print = frag_print,
.save = frag_save,
.extra_opts = frag_opts,
};
void
_init(void)
{
xtables_register_match(&frag_mt6_reg);
}