1 /*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published
4 * by the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * Authors:
8 * Libarptc code from: Bart De Schuymer <bdschuym@pandora.be>
9 * Port to libxtables: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
10 */
11
12 #include <stdio.h>
13 #include <netdb.h>
14 #include <string.h>
15 #include <stdlib.h>
16 #include <limits.h>
17 #include <getopt.h>
18 #include <errno.h>
19 #include <netinet/ether.h>
20
21 #include <xtables.h>
22 #include <linux/netfilter_arp/arpt_mangle.h>
23
mangle_help(void)24 static void mangle_help(void)
25 {
26 printf(
27 "mangle target options:\n"
28 "--mangle-ip-s IP address\n"
29 "--mangle-ip-d IP address\n"
30 "--mangle-mac-s MAC address\n"
31 "--mangle-mac-d MAC address\n"
32 "--mangle-target target (DROP, CONTINUE or ACCEPT -- default is ACCEPT)\n"
33 );
34 }
35
36 enum {
37 MANGLE_IPS = 0,
38 MANGLE_IPT = 1,
39 MANGLE_DEVS = 2,
40 MANGLE_DEVT = 3,
41 MANGLE_TARGET = 4,
42 };
43
44 static const struct xt_option_entry mangle_opts[] = {
45 { .name = "mangle-ip-s", .id = MANGLE_IPS, .type = XTTYPE_STRING },
46 { .name = "mangle-ip-d", .id = MANGLE_IPT, .type = XTTYPE_STRING },
47 { .name = "mangle-mac-s", .id = MANGLE_DEVS, .type = XTTYPE_STRING },
48 { .name = "mangle-mac-d", .id = MANGLE_DEVT, .type = XTTYPE_STRING },
49 { .name = "mangle-target", .id = MANGLE_TARGET,
50 .type = XTTYPE_STRING },
51 XTOPT_TABLEEND,
52 };
53
54
network_to_addr(const char * name)55 static struct in_addr *network_to_addr(const char *name)
56 {
57 struct netent *net;
58 static struct in_addr addr;
59
60 if ((net = getnetbyname(name)) != NULL) {
61 if (net->n_addrtype != AF_INET)
62 return (struct in_addr *) NULL;
63 addr.s_addr = htonl((unsigned long) net->n_net);
64 return &addr;
65 }
66
67 return (struct in_addr *) NULL;
68 }
69
inaddrcpy(struct in_addr * dst,struct in_addr * src)70 static void inaddrcpy(struct in_addr *dst, struct in_addr *src)
71 {
72 dst->s_addr = src->s_addr;
73 }
74
host_to_addr(const char * name,unsigned int * naddr)75 static struct in_addr *host_to_addr(const char *name, unsigned int *naddr)
76 {
77 struct in_addr *addr;
78 struct addrinfo hints;
79 struct addrinfo *res, *p;
80 int err;
81 unsigned int i;
82
83 memset(&hints, 0, sizeof(hints));
84 hints.ai_flags = AI_CANONNAME;
85 hints.ai_family = AF_INET;
86 hints.ai_socktype = SOCK_RAW;
87
88 *naddr = 0;
89 err = getaddrinfo(name, NULL, &hints, &res);
90 if (err != 0)
91 return NULL;
92 else {
93 for (p = res; p != NULL; p = p->ai_next)
94 (*naddr)++;
95 addr = xtables_calloc(*naddr, sizeof(struct in_addr));
96 for (i = 0, p = res; p != NULL; p = p->ai_next)
97 memcpy(&addr[i++],
98 &((const struct sockaddr_in *)p->ai_addr)->sin_addr,
99 sizeof(struct in_addr));
100 freeaddrinfo(res);
101 return addr;
102 }
103
104 return (struct in_addr *) NULL;
105 }
106
string_to_number(const char * s,unsigned int min,unsigned int max,unsigned int * ret)107 static int string_to_number(const char *s, unsigned int min,
108 unsigned int max, unsigned int *ret)
109 {
110 long number;
111 char *end;
112
113 /* Handle hex, octal, etc. */
114 errno = 0;
115 number = strtol(s, &end, 0);
116 if (*end == '\0' && end != s) {
117 /* we parsed a number, let's see if we want this */
118 if (errno != ERANGE && min <= number && number <= max) {
119 *ret = number;
120 return 0;
121 }
122 }
123 return -1;
124 }
125
dotted_to_addr(const char * dotted)126 static struct in_addr *dotted_to_addr(const char *dotted)
127 {
128 static struct in_addr addr;
129 unsigned char *addrp;
130 char *p, *q;
131 unsigned int onebyte;
132 int i;
133 char buf[20];
134
135 /* copy dotted string, because we need to modify it */
136 strncpy(buf, dotted, sizeof(buf) - 1);
137 addrp = (unsigned char *) &(addr.s_addr);
138
139 p = buf;
140 for (i = 0; i < 3; i++) {
141 if ((q = strchr(p, '.')) == NULL)
142 return (struct in_addr *) NULL;
143
144 *q = '\0';
145 if (string_to_number(p, 0, 255, &onebyte) == -1)
146 return (struct in_addr *) NULL;
147
148 addrp[i] = (unsigned char) onebyte;
149 p = q + 1;
150 }
151
152 /* we've checked 3 bytes, now we check the last one */
153 if (string_to_number(p, 0, 255, &onebyte) == -1)
154 return (struct in_addr *) NULL;
155
156 addrp[3] = (unsigned char) onebyte;
157
158 return &addr;
159 }
160
parse_hostnetwork(const char * name,unsigned int * naddrs)161 static struct in_addr *parse_hostnetwork(const char *name,
162 unsigned int *naddrs)
163 {
164 struct in_addr *addrp, *addrptmp;
165
166 if ((addrptmp = dotted_to_addr(name)) != NULL ||
167 (addrptmp = network_to_addr(name)) != NULL) {
168 addrp = xtables_malloc(sizeof(struct in_addr));
169 inaddrcpy(addrp, addrptmp);
170 *naddrs = 1;
171 return addrp;
172 }
173 if ((addrp = host_to_addr(name, naddrs)) != NULL)
174 return addrp;
175
176 xtables_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
177 }
178
mangle_parse(struct xt_option_call * cb)179 static void mangle_parse(struct xt_option_call *cb)
180 {
181 const struct arpt_entry *e = cb->xt_entry;
182 struct arpt_mangle *mangle = cb->data;
183 struct in_addr *ipaddr;
184 struct ether_addr *macaddr;
185
186 /* mangle target is by default "ACCEPT". Setting it here,
187 * since original arpt_mangle.c init() no longer exists*/
188 mangle->target = NF_ACCEPT;
189
190 xtables_option_parse(cb);
191 switch (cb->entry->id) {
192 case MANGLE_IPS:
193 /*
194 if (e->arp.arpln_mask == 0)
195 xtables_error(PARAMETER_PROBLEM, "no pln defined");
196
197 if (e->arp.invflags & ARPT_INV_ARPPLN)
198 xtables_error(PARAMETER_PROBLEM,
199 "! pln not allowed for --mangle-ip-s");
200 */
201 /*
202 if (e->arp.arpln != 4)
203 xtables_error(PARAMETER_PROBLEM, "only pln=4 supported");
204 */
205 {
206 unsigned int nr;
207 ipaddr = parse_hostnetwork(cb->arg, &nr);
208 }
209 mangle->u_s.src_ip.s_addr = ipaddr->s_addr;
210 free(ipaddr);
211 mangle->flags |= ARPT_MANGLE_SIP;
212 break;
213 case MANGLE_IPT:
214 /*
215 if (e->arp.arpln_mask == 0)
216 xtables_error(PARAMETER_PROBLEM, "no pln defined");
217
218 if (e->arp.invflags & ARPT_INV_ARPPLN)
219 xtables_error(PARAMETER_PROBLEM,
220 "! pln not allowed for --mangle-ip-d");
221 */
222 /*
223 if (e->arp.arpln != 4)
224 xtables_error(PARAMETER_PROBLEM, "only pln=4 supported");
225 */
226 {
227 unsigned int nr;
228 ipaddr = parse_hostnetwork(cb->arg, &nr);
229 }
230 mangle->u_t.tgt_ip.s_addr = ipaddr->s_addr;
231 free(ipaddr);
232 mangle->flags |= ARPT_MANGLE_TIP;
233 break;
234 case MANGLE_DEVS:
235 if (e->arp.arhln_mask == 0)
236 xtables_error(PARAMETER_PROBLEM,
237 "no --h-length defined");
238 if (e->arp.invflags & ARPT_INV_ARPHLN)
239 xtables_error(PARAMETER_PROBLEM,
240 "! --h-length not allowed for "
241 "--mangle-mac-s");
242 if (e->arp.arhln != 6)
243 xtables_error(PARAMETER_PROBLEM,
244 "only --h-length 6 supported");
245 macaddr = ether_aton(cb->arg);
246 if (macaddr == NULL)
247 xtables_error(PARAMETER_PROBLEM, "invalid source MAC");
248 memcpy(mangle->src_devaddr, macaddr, e->arp.arhln);
249 mangle->flags |= ARPT_MANGLE_SDEV;
250 break;
251 case MANGLE_DEVT:
252 if (e->arp.arhln_mask == 0)
253 xtables_error(PARAMETER_PROBLEM,
254 "no --h-length defined");
255 if (e->arp.invflags & ARPT_INV_ARPHLN)
256 xtables_error(PARAMETER_PROBLEM,
257 "! hln not allowed for --mangle-mac-d");
258 if (e->arp.arhln != 6)
259 xtables_error(PARAMETER_PROBLEM,
260 "only --h-length 6 supported");
261 macaddr = ether_aton(cb->arg);
262 if (macaddr == NULL)
263 xtables_error(PARAMETER_PROBLEM, "invalid target MAC");
264 memcpy(mangle->tgt_devaddr, macaddr, e->arp.arhln);
265 mangle->flags |= ARPT_MANGLE_TDEV;
266 break;
267 case MANGLE_TARGET:
268 if (!strcmp(cb->arg, "DROP"))
269 mangle->target = NF_DROP;
270 else if (!strcmp(cb->arg, "ACCEPT"))
271 mangle->target = NF_ACCEPT;
272 else if (!strcmp(cb->arg, "CONTINUE"))
273 mangle->target = ARPT_CONTINUE;
274 else
275 xtables_error(PARAMETER_PROBLEM,
276 "bad target for --mangle-target");
277 break;
278 }
279 }
280
mangle_fcheck(struct xt_fcheck_call * cb)281 static void mangle_fcheck(struct xt_fcheck_call *cb)
282 {
283 }
284
addr_to_dotted(const struct in_addr * addrp)285 static char *addr_to_dotted(const struct in_addr *addrp)
286 {
287 static char buf[20];
288 const unsigned char *bytep;
289
290 bytep = (const unsigned char *) &(addrp->s_addr);
291 sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
292 return buf;
293 }
294
addr_to_host(const struct in_addr * addr)295 static char *addr_to_host(const struct in_addr *addr)
296 {
297 struct hostent *host;
298
299 if ((host = gethostbyaddr((char *) addr,
300 sizeof(struct in_addr), AF_INET)) != NULL)
301 return (char *) host->h_name;
302
303 return (char *) NULL;
304 }
305
addr_to_network(const struct in_addr * addr)306 static char *addr_to_network(const struct in_addr *addr)
307 {
308 struct netent *net;
309
310 if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
311 return (char *) net->n_name;
312
313 return (char *) NULL;
314 }
315
addr_to_anyname(const struct in_addr * addr)316 static char *addr_to_anyname(const struct in_addr *addr)
317 {
318 char *name;
319
320 if ((name = addr_to_host(addr)) != NULL ||
321 (name = addr_to_network(addr)) != NULL)
322 return name;
323
324 return addr_to_dotted(addr);
325 }
326
print_mac(const unsigned char * mac,int l)327 static void print_mac(const unsigned char *mac, int l)
328 {
329 int j;
330
331 for (j = 0; j < l; j++)
332 printf("%02x%s", mac[j],
333 (j==l-1) ? "" : ":");
334 }
335
mangle_print(const void * ip,const struct xt_entry_target * target,int numeric)336 static void mangle_print(const void *ip, const struct xt_entry_target *target,
337 int numeric)
338 {
339 const struct arpt_mangle *m = (const void *)target;
340 char buf[100];
341
342 if (m->flags & ARPT_MANGLE_SIP) {
343 if (numeric)
344 sprintf(buf, "%s", addr_to_dotted(&(m->u_s.src_ip)));
345 else
346 sprintf(buf, "%s", addr_to_anyname(&(m->u_s.src_ip)));
347 printf("--mangle-ip-s %s ", buf);
348 }
349 if (m->flags & ARPT_MANGLE_SDEV) {
350 printf("--mangle-mac-s ");
351 print_mac((unsigned char *)m->src_devaddr, 6);
352 printf(" ");
353 }
354 if (m->flags & ARPT_MANGLE_TIP) {
355 if (numeric)
356 sprintf(buf, "%s", addr_to_dotted(&(m->u_t.tgt_ip)));
357 else
358 sprintf(buf, "%s", addr_to_anyname(&(m->u_t.tgt_ip)));
359 printf("--mangle-ip-d %s ", buf);
360 }
361 if (m->flags & ARPT_MANGLE_TDEV) {
362 printf("--mangle-mac-d ");
363 print_mac((unsigned char *)m->tgt_devaddr, 6);
364 printf(" ");
365 }
366 if (m->target != NF_ACCEPT) {
367 printf("--mangle-target ");
368 if (m->target == NF_DROP)
369 printf("DROP ");
370 else
371 printf("CONTINUE ");
372 }
373 }
374
mangle_save(const void * ip,const struct xt_entry_target * target)375 static void mangle_save(const void *ip, const struct xt_entry_target *target)
376 {
377 }
378
379 static struct xtables_target mangle_tg_reg = {
380 .family = NFPROTO_ARP,
381 .name = "mangle",
382 .version = XTABLES_VERSION,
383 .size = XT_ALIGN(sizeof(struct arpt_mangle)),
384 .userspacesize = XT_ALIGN(sizeof(struct arpt_mangle)),
385 .help = mangle_help,
386 .x6_parse = mangle_parse,
387 .x6_fcheck = mangle_fcheck,
388 .print = mangle_print,
389 .save = mangle_save,
390 .x6_options = mangle_opts,
391 };
392
_init(void)393 void _init(void)
394 {
395 xtables_register_target(&mangle_tg_reg);
396 }
397