1 #include <stdbool.h>
2 #include <stdio.h>
3 #include <string.h>
4 #include <xtables.h>
5 #include <linux/netfilter/xt_recent.h>
6
7 enum {
8 O_SET = 0,
9 O_RCHECK,
10 O_UPDATE,
11 O_REMOVE,
12 O_SECONDS,
13 O_REAP,
14 O_HITCOUNT,
15 O_RTTL,
16 O_NAME,
17 O_RSOURCE,
18 O_RDEST,
19 O_MASK,
20 F_SET = 1 << O_SET,
21 F_RCHECK = 1 << O_RCHECK,
22 F_UPDATE = 1 << O_UPDATE,
23 F_REMOVE = 1 << O_REMOVE,
24 F_SECONDS = 1 << O_SECONDS,
25 F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE,
26 };
27
28 #define s struct xt_recent_mtinfo
29 static const struct xt_option_entry recent_opts_v0[] = {
30 {.name = "set", .id = O_SET, .type = XTTYPE_NONE,
31 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
32 {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE,
33 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
34 {.name = "update", .id = O_UPDATE, .type = XTTYPE_NONE,
35 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
36 {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
37 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
38 {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
39 .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1},
40 {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
41 .also = F_SECONDS },
42 {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
43 .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
44 {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
45 .excl = F_SET | F_REMOVE},
46 {.name = "name", .id = O_NAME, .type = XTTYPE_STRING,
47 .flags = XTOPT_PUT, XTOPT_POINTER(s, name)},
48 {.name = "rsource", .id = O_RSOURCE, .type = XTTYPE_NONE},
49 {.name = "rdest", .id = O_RDEST, .type = XTTYPE_NONE},
50 XTOPT_TABLEEND,
51 };
52 #undef s
53
54 #define s struct xt_recent_mtinfo_v1
55 static const struct xt_option_entry recent_opts_v1[] = {
56 {.name = "set", .id = O_SET, .type = XTTYPE_NONE,
57 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
58 {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE,
59 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
60 {.name = "update", .id = O_UPDATE, .type = XTTYPE_NONE,
61 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
62 {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
63 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
64 {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
65 .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1},
66 {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
67 .also = F_SECONDS },
68 {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
69 .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
70 {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
71 .excl = F_SET | F_REMOVE},
72 {.name = "name", .id = O_NAME, .type = XTTYPE_STRING,
73 .flags = XTOPT_PUT, XTOPT_POINTER(s, name)},
74 {.name = "rsource", .id = O_RSOURCE, .type = XTTYPE_NONE},
75 {.name = "rdest", .id = O_RDEST, .type = XTTYPE_NONE},
76 {.name = "mask", .id = O_MASK, .type = XTTYPE_HOST,
77 .flags = XTOPT_PUT, XTOPT_POINTER(s, mask)},
78 XTOPT_TABLEEND,
79 };
80 #undef s
81
recent_help(void)82 static void recent_help(void)
83 {
84 printf(
85 "recent match options:\n"
86 "[!] --set Add source address to list, always matches.\n"
87 "[!] --rcheck Match if source address in list.\n"
88 "[!] --update Match if source address in list, also update last-seen time.\n"
89 "[!] --remove Match if source address in list, also removes that address from list.\n"
90 " --seconds seconds For check and update commands above.\n"
91 " Specifies that the match will only occur if source address last seen within\n"
92 " the last 'seconds' seconds.\n"
93 " --reap Purge entries older then 'seconds'.\n"
94 " Can only be used in conjunction with the seconds option.\n"
95 " --hitcount hits For check and update commands above.\n"
96 " Specifies that the match will only occur if source address seen hits times.\n"
97 " May be used in conjunction with the seconds option.\n"
98 " --rttl For check and update commands above.\n"
99 " Specifies that the match will only occur if the source address and the TTL\n"
100 " match between this packet and the one which was set.\n"
101 " Useful if you have problems with people spoofing their source address in order\n"
102 " to DoS you via this module.\n"
103 " --name name Name of the recent list to be used. DEFAULT used if none given.\n"
104 " --rsource Match/Save the source address of each packet in the recent list table (default).\n"
105 " --rdest Match/Save the destination address of each packet in the recent list table.\n"
106 " --mask netmask Netmask that will be applied to this recent list.\n"
107 "xt_recent by: Stephen Frost <sfrost@snowman.net>.\n");
108 }
109
110 enum {
111 XT_RECENT_REV_0 = 0,
112 XT_RECENT_REV_1,
113 };
114
recent_init(struct xt_entry_match * match,unsigned int rev)115 static void recent_init(struct xt_entry_match *match, unsigned int rev)
116 {
117 struct xt_recent_mtinfo *info = (struct xt_recent_mtinfo *)match->data;
118 struct xt_recent_mtinfo_v1 *info_v1 =
119 (struct xt_recent_mtinfo_v1 *)match->data;
120
121 strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
122 /* even though XT_RECENT_NAME_LEN is currently defined as 200,
123 * better be safe, than sorry */
124 info->name[XT_RECENT_NAME_LEN-1] = '\0';
125 info->side = XT_RECENT_SOURCE;
126 if (rev == XT_RECENT_REV_1)
127 memset(&info_v1->mask, 0xFF, sizeof(info_v1->mask));
128 }
129
recent_parse(struct xt_option_call * cb)130 static void recent_parse(struct xt_option_call *cb)
131 {
132 struct xt_recent_mtinfo *info = cb->data;
133
134 xtables_option_parse(cb);
135 switch (cb->entry->id) {
136 case O_SET:
137 info->check_set |= XT_RECENT_SET;
138 if (cb->invert)
139 info->invert = true;
140 break;
141 case O_RCHECK:
142 info->check_set |= XT_RECENT_CHECK;
143 if (cb->invert)
144 info->invert = true;
145 break;
146 case O_UPDATE:
147 info->check_set |= XT_RECENT_UPDATE;
148 if (cb->invert)
149 info->invert = true;
150 break;
151 case O_REMOVE:
152 info->check_set |= XT_RECENT_REMOVE;
153 if (cb->invert)
154 info->invert = true;
155 break;
156 case O_RTTL:
157 info->check_set |= XT_RECENT_TTL;
158 break;
159 case O_RSOURCE:
160 info->side = XT_RECENT_SOURCE;
161 break;
162 case O_RDEST:
163 info->side = XT_RECENT_DEST;
164 break;
165 case O_REAP:
166 info->check_set |= XT_RECENT_REAP;
167 break;
168 }
169 }
170
recent_check(struct xt_fcheck_call * cb)171 static void recent_check(struct xt_fcheck_call *cb)
172 {
173 if (!(cb->xflags & F_ANY_OP))
174 xtables_error(PARAMETER_PROBLEM,
175 "recent: you must specify one of `--set', `--rcheck' "
176 "`--update' or `--remove'");
177 }
178
recent_print(const void * ip,const struct xt_entry_match * match,unsigned int family)179 static void recent_print(const void *ip, const struct xt_entry_match *match,
180 unsigned int family)
181 {
182 const struct xt_recent_mtinfo_v1 *info = (const void *)match->data;
183
184 if (info->invert)
185 printf(" !");
186
187 printf(" recent:");
188 if (info->check_set & XT_RECENT_SET)
189 printf(" SET");
190 if (info->check_set & XT_RECENT_CHECK)
191 printf(" CHECK");
192 if (info->check_set & XT_RECENT_UPDATE)
193 printf(" UPDATE");
194 if (info->check_set & XT_RECENT_REMOVE)
195 printf(" REMOVE");
196 if(info->seconds) printf(" seconds: %d", info->seconds);
197 if (info->check_set & XT_RECENT_REAP)
198 printf(" reap");
199 if(info->hit_count) printf(" hit_count: %d", info->hit_count);
200 if (info->check_set & XT_RECENT_TTL)
201 printf(" TTL-Match");
202 printf(" name: %s", info->name);
203 if (info->side == XT_RECENT_SOURCE)
204 printf(" side: source");
205 if (info->side == XT_RECENT_DEST)
206 printf(" side: dest");
207
208 switch(family) {
209 case NFPROTO_IPV4:
210 printf(" mask: %s",
211 xtables_ipaddr_to_numeric(&info->mask.in));
212 break;
213 case NFPROTO_IPV6:
214 printf(" mask: %s",
215 xtables_ip6addr_to_numeric(&info->mask.in6));
216 break;
217 }
218 }
219
recent_save(const void * ip,const struct xt_entry_match * match,unsigned int family)220 static void recent_save(const void *ip, const struct xt_entry_match *match,
221 unsigned int family)
222 {
223 const struct xt_recent_mtinfo_v1 *info = (const void *)match->data;
224
225 if (info->invert)
226 printf(" !");
227
228 if (info->check_set & XT_RECENT_SET)
229 printf(" --set");
230 if (info->check_set & XT_RECENT_CHECK)
231 printf(" --rcheck");
232 if (info->check_set & XT_RECENT_UPDATE)
233 printf(" --update");
234 if (info->check_set & XT_RECENT_REMOVE)
235 printf(" --remove");
236 if(info->seconds) printf(" --seconds %d", info->seconds);
237 if (info->check_set & XT_RECENT_REAP)
238 printf(" --reap");
239 if(info->hit_count) printf(" --hitcount %d", info->hit_count);
240 if (info->check_set & XT_RECENT_TTL)
241 printf(" --rttl");
242 printf(" --name %s",info->name);
243
244 switch(family) {
245 case NFPROTO_IPV4:
246 printf(" --mask %s",
247 xtables_ipaddr_to_numeric(&info->mask.in));
248 break;
249 case NFPROTO_IPV6:
250 printf(" --mask %s",
251 xtables_ip6addr_to_numeric(&info->mask.in6));
252 break;
253 }
254
255 if (info->side == XT_RECENT_SOURCE)
256 printf(" --rsource");
257 if (info->side == XT_RECENT_DEST)
258 printf(" --rdest");
259 }
260
recent_init_v0(struct xt_entry_match * match)261 static void recent_init_v0(struct xt_entry_match *match)
262 {
263 recent_init(match, XT_RECENT_REV_0);
264 }
265
recent_init_v1(struct xt_entry_match * match)266 static void recent_init_v1(struct xt_entry_match *match)
267 {
268 recent_init(match, XT_RECENT_REV_1);
269 }
270
recent_save_v0(const void * ip,const struct xt_entry_match * match)271 static void recent_save_v0(const void *ip, const struct xt_entry_match *match)
272 {
273 recent_save(ip, match, NFPROTO_UNSPEC);
274 }
275
recent_save_v4(const void * ip,const struct xt_entry_match * match)276 static void recent_save_v4(const void *ip, const struct xt_entry_match *match)
277 {
278 recent_save(ip, match, NFPROTO_IPV4);
279 }
280
recent_save_v6(const void * ip,const struct xt_entry_match * match)281 static void recent_save_v6(const void *ip, const struct xt_entry_match *match)
282 {
283 recent_save(ip, match, NFPROTO_IPV6);
284 }
285
recent_print_v0(const void * ip,const struct xt_entry_match * match,int numeric)286 static void recent_print_v0(const void *ip, const struct xt_entry_match *match,
287 int numeric)
288 {
289 recent_print(ip, match, NFPROTO_UNSPEC);
290 }
291
recent_print_v4(const void * ip,const struct xt_entry_match * match,int numeric)292 static void recent_print_v4(const void *ip, const struct xt_entry_match *match,
293 int numeric)
294 {
295 recent_print(ip, match, NFPROTO_IPV4);
296 }
297
recent_print_v6(const void * ip,const struct xt_entry_match * match,int numeric)298 static void recent_print_v6(const void *ip, const struct xt_entry_match *match,
299 int numeric)
300 {
301 recent_print(ip, match, NFPROTO_IPV6);
302 }
303
304 static struct xtables_match recent_mt_reg[] = {
305 {
306 .name = "recent",
307 .version = XTABLES_VERSION,
308 .revision = 0,
309 .family = NFPROTO_UNSPEC,
310 .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
311 .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
312 .help = recent_help,
313 .init = recent_init_v0,
314 .x6_parse = recent_parse,
315 .x6_fcheck = recent_check,
316 .print = recent_print_v0,
317 .save = recent_save_v0,
318 .x6_options = recent_opts_v0,
319 },
320 {
321 .name = "recent",
322 .version = XTABLES_VERSION,
323 .revision = 1,
324 .family = NFPROTO_IPV4,
325 .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
326 .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
327 .help = recent_help,
328 .init = recent_init_v1,
329 .x6_parse = recent_parse,
330 .x6_fcheck = recent_check,
331 .print = recent_print_v4,
332 .save = recent_save_v4,
333 .x6_options = recent_opts_v1,
334 },
335 {
336 .name = "recent",
337 .version = XTABLES_VERSION,
338 .revision = 1,
339 .family = NFPROTO_IPV6,
340 .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
341 .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
342 .help = recent_help,
343 .init = recent_init_v1,
344 .x6_parse = recent_parse,
345 .x6_fcheck = recent_check,
346 .print = recent_print_v6,
347 .save = recent_save_v6,
348 .x6_options = recent_opts_v1,
349 },
350 };
351
_init(void)352 void _init(void)
353 {
354 xtables_register_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
355 }
356