1 #include <stdio.h>
2 #include <xtables.h>
3 #include <linux/netfilter_ipv6/ip6t_frag.h>
4 
/*
 * Option ids for the "frag" match (indices into frag_opts[] below),
 * plus the bit masks used in the table's .excl fields to keep
 * --fragmore and --fraglast mutually exclusive.
 */
enum {
	O_FRAGID    = 0,	/* [!] --fragid id[:id] */
	O_FRAGLEN   = 1,	/* [!] --fraglen length */
	O_FRAGRES   = 2,	/* --fragres */
	O_FRAGFIRST = 3,	/* --fragfirst */
	O_FRAGMORE  = 4,	/* --fragmore */
	O_FRAGLAST  = 5,	/* --fraglast */
	/* exclusion masks: one bit per option id */
	F_FRAGMORE  = 1 << O_FRAGMORE,
	F_FRAGLAST  = 1 << O_FRAGLAST,
};
15 
/* .help callback: print the usage text for the "frag" match to stdout. */
static void frag_help(void)
{
	static const char usage[] =
		"frag match options:\n"
		"[!] --fragid id[:id]           match the id (range)\n"
		"[!] --fraglen length           total length of this header\n"
		" --fragres                     check the reserved field too\n"
		" --fragfirst                   matches on the first fragment\n"
		" [--fragmore|--fraglast]       there are more fragments or this\n"
		"                               is the last one\n";

	/* no conversion specifiers in the text, so fputs == printf here */
	fputs(usage, stdout);
}
27 
/*
 * Option table for the "frag" match. --fragid and --fraglen are stored
 * straight into struct ip6t_frag by the option parser (XTOPT_PUT); the
 * remaining options carry no value and are turned into flag bits by
 * frag_parse(). --fragmore and --fraglast exclude each other.
 */
static const struct xt_option_entry frag_opts[] = {
	{.name = "fragid", .id = O_FRAGID, .type = XTTYPE_UINT32RC,
	 .flags = XTOPT_INVERT | XTOPT_PUT,
	 XTOPT_POINTER(struct ip6t_frag, ids)},
	{.name = "fraglen", .id = O_FRAGLEN, .type = XTTYPE_UINT32,
	 .flags = XTOPT_INVERT | XTOPT_PUT,
	 XTOPT_POINTER(struct ip6t_frag, hdrlen)},
	{.name = "fragres", .id = O_FRAGRES, .type = XTTYPE_NONE},
	{.name = "fragfirst", .id = O_FRAGFIRST, .type = XTTYPE_NONE},
	{.name = "fragmore", .id = O_FRAGMORE, .type = XTTYPE_NONE,
	 .excl = F_FRAGLAST},
	{.name = "fraglast", .id = O_FRAGLAST, .type = XTTYPE_NONE,
	 .excl = F_FRAGMORE},
	XTOPT_TABLEEND,
};
43 
/*
 * .init callback: start the id range at 0..UINT32_MAX, the pair that
 * skip_ids_match() treats as "no --fragid given", so that print/save/
 * xlate stay silent about ids unless the user actually set them.
 */
static void frag_init(struct xt_entry_match *m)
{
	struct ip6t_frag *info = (struct ip6t_frag *)m->data;

	info->ids[1] = UINT32_MAX;
}
50 
/*
 * .x6_parse callback, invoked once per option seen on the command line.
 * xtables_option_parse() fills in the --fragid/--fraglen values
 * (XTOPT_PUT in frag_opts[]); the switch only records which option was
 * given and whether it was negated.
 */
static void frag_parse(struct xt_option_call *cb)
{
	struct ip6t_frag *info = cb->data;

	xtables_option_parse(cb);

	switch (cb->entry->id) {
	case O_FRAGID:
		/* "--fragid N" without an upper bound means exactly N */
		if (cb->nvals == 1)
			info->ids[1] = info->ids[0];
		/*
		 * IP6T_FRAG_IDS itself is not tested by anything; it is set
		 * merely for completeness.
		 */
		info->flags |= IP6T_FRAG_IDS;
		if (cb->invert)
			info->invflags |= IP6T_FRAG_INV_IDS;
		break;
	case O_FRAGLEN:
		/* As of Linux 3.0, the kernel does not check fraglen at all. */
		info->flags |= IP6T_FRAG_LEN;
		if (cb->invert)
			info->invflags |= IP6T_FRAG_INV_LEN;
		break;
	case O_FRAGRES:
		info->flags |= IP6T_FRAG_RES;
		break;
	case O_FRAGFIRST:
		info->flags |= IP6T_FRAG_FST;
		break;
	case O_FRAGMORE:
		info->flags |= IP6T_FRAG_MF;
		break;
	case O_FRAGLAST:
		info->flags |= IP6T_FRAG_NMF;
		break;
	default:
		/* every id in frag_opts[] is handled above */
		break;
	}
}
91 
/*
 * True when an ids[] pair is still the "unspecified" default set up by
 * frag_init() (0..UINT32_MAX, not inverted), so the print/save/xlate
 * callbacks can omit --fragid altogether.
 */
static bool skip_ids_match(uint32_t min, uint32_t max, bool inv)
{
	if (inv)
		return false;
	if (min != 0)
		return false;
	return max == UINT32_MAX;
}
96 
/*
 * Helper for frag_print(): emit "<name>:N" for a single id or
 * "<name>s:N:M" for a range, with "!" before the value when inverted.
 * Prints nothing for the unspecified default range.
 */
static void
print_ids(const char *name, uint32_t min, uint32_t max,
	    int invert)
{
	const char *bang = invert ? "!" : "";

	if (skip_ids_match(min, max, invert))
		return;

	printf("%s", name);
	if (min != max)
		printf("s:%s%u:%u", bang, min, max);
	else
		printf(":%s%u", bang, min);
}
111 
/*
 * .print callback (iptables -L): human-readable form of the match.
 * ip and numeric are unused. Inverted bits outside IP6T_FRAG_INV_MASK
 * are reported rather than silently dropped.
 */
static void frag_print(const void *ip, const struct xt_entry_match *match,
                       int numeric)
{
	const struct ip6t_frag *frag = (const void *)match->data;
	unsigned int unknown_inv = frag->invflags & ~IP6T_FRAG_INV_MASK;
	/* flag bits and their labels, in output order */
	static const struct {
		unsigned int bit;
		const char *label;
	} flag_names[] = {
		{ IP6T_FRAG_RES, " reserved" },
		{ IP6T_FRAG_FST, " first" },
		{ IP6T_FRAG_MF,  " more" },
		{ IP6T_FRAG_NMF, " last" },
	};

	printf(" frag ");
	print_ids("id", frag->ids[0], frag->ids[1],
		    frag->invflags & IP6T_FRAG_INV_IDS);

	if (frag->flags & IP6T_FRAG_LEN)
		printf(" length:%s%u",
		       (frag->invflags & IP6T_FRAG_INV_LEN) ? "!" : "",
		       frag->hdrlen);

	for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++)
		if (frag->flags & flag_names[i].bit)
			fputs(flag_names[i].label, stdout);

	if (unknown_inv != 0)
		printf(" Unknown invflags: 0x%X", unknown_inv);
}
143 
/*
 * .save callback (iptables-save): re-emit the options in a form that
 * frag_parse() accepts, in the same order frag_print() uses. ip is
 * unused.
 */
static void frag_save(const void *ip, const struct xt_entry_match *match)
{
	const struct ip6t_frag *info = (const void *)match->data;
	bool inv_ids = info->invflags & IP6T_FRAG_INV_IDS;
	bool inv_len = info->invflags & IP6T_FRAG_INV_LEN;
	/* flag bits and the option that sets each, in output order */
	static const struct {
		unsigned int bit;
		const char *opt;
	} flag_opts[] = {
		{ IP6T_FRAG_RES, " --fragres" },
		{ IP6T_FRAG_FST, " --fragfirst" },
		{ IP6T_FRAG_MF,  " --fragmore" },
		{ IP6T_FRAG_NMF, " --fraglast" },
	};

	if (!skip_ids_match(info->ids[0], info->ids[1], inv_ids)) {
		printf("%s --fragid ", inv_ids ? " !" : "");
		if (info->ids[0] == info->ids[1])
			printf("%u", info->ids[0]);
		else
			printf("%u:%u", info->ids[0], info->ids[1]);
	}

	if (info->flags & IP6T_FRAG_LEN)
		printf("%s --fraglen %u", inv_len ? " !" : "", info->hdrlen);

	for (size_t i = 0; i < sizeof flag_opts / sizeof flag_opts[0]; i++)
		if (info->flags & flag_opts[i].bit)
			fputs(flag_opts[i].opt, stdout);
}
179 
/* Flag bits that have an nft equivalent; IP6T_FRAG_LEN is not one. */
#define XLATE_FLAGS (IP6T_FRAG_RES | IP6T_FRAG_FST | \
		     IP6T_FRAG_MF | IP6T_FRAG_NMF)

/*
 * .xlate callback (iptables-translate): express the match as nft "frag"
 * expressions. A rule with neither an id range nor any XLATE_FLAGS bit
 * becomes a bare "exthdr frag exists". IP6T_FRAG_LEN is ignored since
 * the kernel does not test it (see frag_parse()). Always returns 1.
 */
static int frag_xlate(struct xt_xlate *xl,
		      const struct xt_xlate_mt_params *params)
{
	const struct ip6t_frag *info = (const void *)params->match->data;
	bool inv_ids = info->invflags & IP6T_FRAG_INV_IDS;
	bool have_ids = !skip_ids_match(info->ids[0], info->ids[1], inv_ids);
	/* flag bits and their nft expressions, in output order */
	static const struct {
		unsigned int bit;
		const char *expr;
	} flag_exprs[] = {
		{ IP6T_FRAG_RES, "frag reserved 1" },
		{ IP6T_FRAG_FST, "frag frag-off 0" },
		{ IP6T_FRAG_MF,  "frag more-fragments 1" },
		{ IP6T_FRAG_NMF, "frag more-fragments 0" },
	};

	if (!have_ids && !(info->flags & XLATE_FLAGS)) {
		xt_xlate_add(xl, "exthdr frag exists");
		return 1;
	}

	if (have_ids) {
		xt_xlate_add(xl, "frag id %s", inv_ids ?  "!= " : "");
		if (info->ids[0] == info->ids[1])
			xt_xlate_add(xl, "%u", info->ids[0]);
		else
			xt_xlate_add(xl, "%u-%u", info->ids[0], info->ids[1]);
	}

	/* ignore ineffective IP6T_FRAG_LEN bit */

	for (size_t i = 0; i < sizeof flag_exprs / sizeof flag_exprs[0]; i++)
		if (info->flags & flag_exprs[i].bit)
			xt_xlate_add(xl, "%s", flag_exprs[i].expr);

	return 1;
}
219 
/* Registration record for the IPv6 "frag" match (-m frag). */
static struct xtables_match frag_mt6_reg = {
	.name = "frag",
	.version = XTABLES_VERSION,
	.family = NFPROTO_IPV6,
	.size = XT_ALIGN(sizeof(struct ip6t_frag)),
	.userspacesize = XT_ALIGN(sizeof(struct ip6t_frag)),
	/* option handling */
	.x6_options = frag_opts,
	.x6_parse = frag_parse,
	.init = frag_init,
	.help = frag_help,
	/* output */
	.print = frag_print,
	.save = frag_save,
	.xlate = frag_xlate,
};
234 
/* Shared-object entry point run on load: register the match with xtables. */
void _init(void)
{
	xtables_register_match(&frag_mt6_reg);
}
240