1 /*
2  * (C) 2012 by Hans Schillstrom <hans.schillstrom@ericsson.com>
3  * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Description: shared library add-on to iptables to add HMARK target support
10  *
11  * Initial development by Hans Schillstrom. Pablo's improvements to this piece
12  * of software has been sponsored by Sophos Astaro <http://www.sophos.com>.
13  */
14 
15 #include <stdbool.h>
16 #include <stdio.h>
17 #include <string.h>
18 
19 #include "xtables.h"
20 #include <linux/netfilter/xt_HMARK.h>
21 
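/*
 * Print the option summary shown by "iptables -j HMARK -h".
 *
 * --hmark-mod and --hmark-rnd are both rejected as missing by HMARK_check(),
 * and --hmark-rnd takes a 32-bit value like the other options, so the help
 * now says so instead of leaving users to discover it from the error path.
 * The seed given to --hmark-rnd becomes part of the rule and is echoed by
 * iptables-save, so it is only as secret as the ruleset itself.
 */
static void HMARK_help(void)
{
	printf(
"HMARK target options, i.e. modify hash calculation by:\n"
"  --hmark-tuple [src|dst|sport|dport|spi|proto|ct][,...]\n"
"  --hmark-mod value		    nfmark modulus value (mandatory)\n"
"  --hmark-offset value		    Last action add value to nfmark\n\n"
"  --hmark-rnd value		    Random seed for hashing (mandatory)\n"
" Alternatively, fine tuning of what will be included in hash calculation\n"
"  --hmark-src-prefix length	    Source address mask CIDR prefix\n"
"  --hmark-dst-prefix length	    Dest address mask CIDR prefix\n"
"  --hmark-sport-mask value	    Mask src port with value\n"
"  --hmark-dport-mask value	    Mask dst port with value\n"
"  --hmark-spi-mask value	    For esp and ah AND spi with value\n"
"  --hmark-sport value		    OR src port with value\n"
"  --hmark-dport value		    OR dst port with value\n"
"  --hmark-spi value		    For esp and ah OR spi with value\n"
"  --hmark-proto-mask value	    Mask Protocol with value\n");
}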
41 
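/*
 * Short alias used by XTOPT_POINTER() in the option table below.  A global
 * macro this short is a collision risk; it is only meant for this file.
 */
#define hi struct xt_hmark_info

/*
 * Option ids.  HMARK_parse() ORs XT_HMARK_FLAG(cb->entry->id) straight into
 * info->flags, so every id except O_HMARK_TYPE must sit at the same bit
 * position as the matching XT_HMARK_* constant from
 * <linux/netfilter/xt_HMARK.h>.  Keep the order in sync with that header.
 * O_HMARK_TYPE (--hmark-tuple) is handled purely in userspace by
 * hmark_parse_type() and never has its own bit set in info->flags.
 */
enum {
	O_HMARK_SADDR_MASK,
	O_HMARK_DADDR_MASK,
	O_HMARK_SPI,
	O_HMARK_SPI_MASK,
	O_HMARK_SPORT,
	O_HMARK_DPORT,
	O_HMARK_SPORT_MASK,
	O_HMARK_DPORT_MASK,
	O_HMARK_PROTO_MASK,
	O_HMARK_RND,
	O_HMARK_MODULUS,
	O_HMARK_OFFSET,
	O_HMARK_CT,
	O_HMARK_TYPE,
};

/*
 * Every option that selects some packet field as hash input.  HMARK_check()
 * requires at least one of these bits, or O_HMARK_CT, so that a rule never
 * hashes over an empty tuple.  (O_HMARK_SPI_MASK was listed twice before;
 * the duplicate was harmless but misleading.)
 */
#define HMARK_OPT_PKT_MASK			\
	((1 << O_HMARK_SADDR_MASK)		| \
	 (1 << O_HMARK_DADDR_MASK)		| \
	 (1 << O_HMARK_SPI_MASK)		| \
	 (1 << O_HMARK_SPORT_MASK)		| \
	 (1 << O_HMARK_DPORT_MASK)		| \
	 (1 << O_HMARK_PROTO_MASK)		| \
	 (1 << O_HMARK_SPORT)			| \
	 (1 << O_HMARK_DPORT)			| \
	 (1 << O_HMARK_SPI))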
73 
/*
 * One option that libxtables stores directly (XTOPT_PUT) into the named
 * struct xt_hmark_info field.  @_xflags carries any extra XTOPT_* bits,
 * 0 for none.
 */
#define HMARK_FIELD_OPT(_name, _type, _id, _xflags, _field)		\
	{ .name  = _name,						\
	  .type  = _type,						\
	  .id    = _id,							\
	  .flags = XTOPT_PUT | (_xflags), XTOPT_POINTER(hi, _field) }

/*
 * Option table shared by the IPv4 and IPv6 registrations.
 *
 * Except for --hmark-tuple, which hmark_parse_type() parses by hand, every
 * option writes its value straight into struct xt_hmark_info.  The port and
 * SPI values are stored in network byte order (XTOPT_NBO); the print/save
 * routines convert them back with htons()/htonl().
 */
static const struct xt_option_entry HMARK_opts[] = {
	/* Keyword list selecting whole fields, e.g. "src,dst,sport". */
	{ .name  = "hmark-tuple",
	  .type  = XTTYPE_STRING,
	  .id	 = O_HMARK_TYPE,
	},
	/* Address prefixes, parsed into a full address mask. */
	HMARK_FIELD_OPT("hmark-src-prefix", XTTYPE_PLENMASK,
			O_HMARK_SADDR_MASK, 0, src_mask),
	HMARK_FIELD_OPT("hmark-dst-prefix", XTTYPE_PLENMASK,
			O_HMARK_DADDR_MASK, 0, dst_mask),
	/* Port / SPI masks (AND) and OR-values, network byte order. */
	HMARK_FIELD_OPT("hmark-sport-mask", XTTYPE_UINT16,
			O_HMARK_SPORT_MASK, XTOPT_NBO, port_mask.p16.src),
	HMARK_FIELD_OPT("hmark-dport-mask", XTTYPE_UINT16,
			O_HMARK_DPORT_MASK, XTOPT_NBO, port_mask.p16.dst),
	HMARK_FIELD_OPT("hmark-spi-mask", XTTYPE_UINT32,
			O_HMARK_SPI_MASK, XTOPT_NBO, port_mask.v32),
	HMARK_FIELD_OPT("hmark-sport", XTTYPE_UINT16,
			O_HMARK_SPORT, XTOPT_NBO, port_set.p16.src),
	HMARK_FIELD_OPT("hmark-dport", XTTYPE_UINT16,
			O_HMARK_DPORT, XTOPT_NBO, port_set.p16.dst),
	HMARK_FIELD_OPT("hmark-spi", XTTYPE_UINT32,
			O_HMARK_SPI, XTOPT_NBO, port_set.v32),
	/* Protocol mask, host byte order. */
	HMARK_FIELD_OPT("hmark-proto-mask", XTTYPE_UINT16,
			O_HMARK_PROTO_MASK, 0, proto_mask),
	/* Hash seed.  Not XTOPT_MAND here, but HMARK_check() insists on it. */
	HMARK_FIELD_OPT("hmark-rnd", XTTYPE_UINT32,
			O_HMARK_RND, 0, hashrnd),
	/* Modulus: mandatory, and .min = 1 rejects a zero modulus at parse time. */
	{ .name  = "hmark-mod",
	  .type  = XTTYPE_UINT32,
	  .id	 = O_HMARK_MODULUS,
	  .min   = 1,
	  .flags = XTOPT_PUT | XTOPT_MAND, XTOPT_POINTER(hi, hmodulus)
	},
	/* Value added to the mark after the modulus. */
	HMARK_FIELD_OPT("hmark-offset", XTTYPE_UINT32,
			O_HMARK_OFFSET, 0, hoffset),
	XTOPT_TABLEEND,
};
#undef HMARK_FIELD_OPT
142 
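/* True when the @len-byte token at @type is exactly @name, ignoring case. */
static bool hmark_token_is(const char *type, size_t len, const char *name)
{
	return strlen(name) == len && strncasecmp(type, name, len) == 0;
}

/*
 * Apply one --hmark-tuple keyword to @info.
 *
 * @type/@len is a single comma-separated token; it is not NUL-terminated at
 * @len, so only the first @len bytes may be read.  A keyword selects the whole
 * field: the corresponding mask is set to all-ones and both the kernel flag
 * (info->flags) and the libxtables option bit (*xflags) are recorded, the
 * same bits the explicit --hmark-*-mask / --hmark-*-prefix options set.
 *
 * Keywords must match in full.  Comparing only the first @len bytes used to
 * accept any shorter prefix, so "s" silently meant src although it is just
 * as much a prefix of sport and spi, and "c" meant ct; a typo therefore
 * changed what the rule hashed on instead of being rejected.
 *
 * Returns 1 on success, 0 for an unknown keyword.
 */
static int
hmark_parse(const char *type, size_t len, struct xt_hmark_info *info,
	    unsigned int *xflags)
{
	if (hmark_token_is(type, len, "ct")) {
		info->flags |= XT_HMARK_FLAG(XT_HMARK_CT);
		*xflags |= (1 << O_HMARK_CT);
	} else if (hmark_token_is(type, len, "src")) {
		memset(&info->src_mask, 0xff, sizeof(info->src_mask));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_SADDR_MASK);
		*xflags |= (1 << O_HMARK_SADDR_MASK);
	} else if (hmark_token_is(type, len, "dst")) {
		memset(&info->dst_mask, 0xff, sizeof(info->dst_mask));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_DADDR_MASK);
		*xflags |= (1 << O_HMARK_DADDR_MASK);
	} else if (hmark_token_is(type, len, "sport")) {
		memset(&info->port_mask.p16.src, 0xff,
		       sizeof(info->port_mask.p16.src));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT_MASK);
		*xflags |= (1 << O_HMARK_SPORT_MASK);
	} else if (hmark_token_is(type, len, "dport")) {
		memset(&info->port_mask.p16.dst, 0xff,
		       sizeof(info->port_mask.p16.dst));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT_MASK);
		*xflags |= (1 << O_HMARK_DPORT_MASK);
	} else if (hmark_token_is(type, len, "proto")) {
		memset(&info->proto_mask, 0xff, sizeof(info->proto_mask));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_PROTO_MASK);
		*xflags |= (1 << O_HMARK_PROTO_MASK);
	} else if (hmark_token_is(type, len, "spi")) {
		memset(&info->port_mask.v32, 0xff, sizeof(info->port_mask.v32));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI_MASK);
		*xflags |= (1 << O_HMARK_SPI_MASK);
	} else {
		return 0;
	}

	return 1;
}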
181 
/*
 * Parse the comma-separated keyword list given to --hmark-tuple.
 *
 * Each token is handed to hmark_parse(); an empty token (leading, doubled or
 * trailing comma) or an unknown keyword aborts with PARAMETER_PROBLEM.
 * xtables_error() does not return, so there is no error state to carry.
 */
static void
hmark_parse_type(struct xt_option_call *cb)
{
	struct xt_hmark_info *info = cb->data;
	const char *tok = cb->arg;
	const char *sep;

	/* All tokens but the last are delimited by a comma. */
	for (;;) {
		sep = strchr(tok, ',');
		if (sep == NULL)
			break;
		if (sep == tok ||
		    !hmark_parse(tok, sep - tok, info, &cb->xflags))
			xtables_error(PARAMETER_PROBLEM, "Bad type \"%s\"", tok);
		tok = sep + 1;
	}

	/* The final token runs to the end of the string and must not be empty. */
	if (*tok == '\0')
		xtables_error(PARAMETER_PROBLEM, "\"--hmark-tuple\" requires "
						 "a list of types with no "
						 "spaces, e.g. "
						 "src,dst,sport,dport,proto");
	if (!hmark_parse(tok, strlen(tok), info, &cb->xflags))
		xtables_error(PARAMETER_PROBLEM, "Bad type \"%s\"", tok);
}
204 
/*
 * Per-option callback shared by both address families.
 *
 * @plen is the family's maximum prefix length (32 or 128) as passed by the
 * HMARK_ip4_parse()/HMARK_ip6_parse() wrappers; this function does not use
 * it.  libxtables stores the option value first (XTOPT_PUT); --hmark-tuple is
 * then expanded by hand, while every other option just records its bit in
 * info->flags, relying on the O_HMARK_* ids matching the XT_HMARK_* ones.
 */
static void HMARK_parse(struct xt_option_call *cb, int plen)
{
	struct xt_hmark_info *info = cb->data;
	const unsigned int id = cb->entry->id;

	(void)plen;

	xtables_option_parse(cb);

	if (id == O_HMARK_TYPE) {
		hmark_parse_type(cb);
		return;
	}

	info->flags |= XT_HMARK_FLAG(id);
}
220 
/* IPv4 entry point: HMARK_parse() with the 32-bit address prefix width. */
static void HMARK_ip4_parse(struct xt_option_call *cb)
{
	enum { HMARK_V4_PLEN = 32 };

	HMARK_parse(cb, HMARK_V4_PLEN);
}
/* IPv6 entry point: HMARK_parse() with the 128-bit address prefix width. */
static void HMARK_ip6_parse(struct xt_option_call *cb)
{
	enum { HMARK_V6_PLEN = 128 };

	HMARK_parse(cb, HMARK_V6_PLEN);
}
229 
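/*
 * Final consistency check, run once every option of the rule has been parsed.
 *
 * Rejects:
 *  - a missing --hmark-mod or --hmark-rnd (both required by this target);
 *  - --hmark-spi-mask together with --hmark-sport-mask/--hmark-dport-mask,
 *    and likewise --hmark-spi together with --hmark-sport/--hmark-dport.
 *    port_mask and port_set each expose a .v32 (SPI) and a .p16 (ports) view
 *    of what is presumably the same storage, so one value would silently
 *    overwrite the other; the original check only covered the masks, the
 *    OR-values are now checked the same way;
 *  - a rule that selects nothing to hash over (no packet field and no "ct").
 */
static void HMARK_check(struct xt_fcheck_call *cb)
{
	const unsigned int xflags = cb->xflags;
	const unsigned int port_mask_opts =
		(1 << O_HMARK_SPORT_MASK) | (1 << O_HMARK_DPORT_MASK);
	const unsigned int port_set_opts =
		(1 << O_HMARK_SPORT) | (1 << O_HMARK_DPORT);

	if (!(xflags & (1 << O_HMARK_MODULUS)))
		xtables_error(PARAMETER_PROBLEM, "--hmark-mod is mandatory");
	if (!(xflags & (1 << O_HMARK_RND)))
		xtables_error(PARAMETER_PROBLEM, "--hmark-rnd is mandatory");
	if ((xflags & (1 << O_HMARK_SPI_MASK)) && (xflags & port_mask_opts))
		xtables_error(PARAMETER_PROBLEM, "you cannot use "
				"--hmark-spi-mask and --hmark-?port-mask "
				"at the same time");
	if ((xflags & (1 << O_HMARK_SPI)) && (xflags & port_set_opts))
		xtables_error(PARAMETER_PROBLEM, "you cannot use "
				"--hmark-spi and --hmark-?port "
				"at the same time");
	if (!(xflags & (HMARK_OPT_PKT_MASK | (1 << O_HMARK_CT))))
		xtables_error(PARAMETER_PROBLEM, "you have to specify "
				"--hmark-tuple at least");
}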
247 
/* Emit one "<label> 0x<hex> " item of the rule listing. */
static void hmark_print_field(const char *label, unsigned int value)
{
	printf("%s 0x%x ", label, value);
}

/*
 * Print the family-independent part of a rule listing: port/SPI masks and
 * OR-values (converted back from network byte order), the protocol mask and
 * the hash seed.  Only fields whose flag bit is set were given on the rule.
 */
static void HMARK_print(const struct xt_hmark_info *info)
{
	const unsigned int flags = info->flags;

	if (flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
		hmark_print_field("sport-mask", htons(info->port_mask.p16.src));
	if (flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
		hmark_print_field("dport-mask", htons(info->port_mask.p16.dst));
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK))
		hmark_print_field("spi-mask", htonl(info->port_mask.v32));
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
		hmark_print_field("sport", htons(info->port_set.p16.src));
	if (flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
		hmark_print_field("dport", htons(info->port_set.p16.dst));
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPI))
		hmark_print_field("spi", htonl(info->port_set.v32));
	if (flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK))
		hmark_print_field("proto-mask", info->proto_mask);
	if (flags & XT_HMARK_FLAG(XT_HMARK_RND))
		hmark_print_field("rnd", info->hashrnd);
}
267 
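/*
 * Print the part of the listing common to both families: the target name,
 * modulus, offset and the "ct" tuple flag.  The IPv4 and IPv6 printers only
 * differ in how the address masks are rendered, so this used to be
 * duplicated in both.
 */
static void hmark_print_head(const struct xt_hmark_info *info)
{
	printf(" HMARK ");
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
		printf("mod %u ", info->hmodulus);
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
		printf("+ 0x%x ", info->hoffset);
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))
		printf("ct, ");
}

/* "ip6tables -L" output for one rule; @ip and @numeric are unused. */
static void HMARK_ip6_print(const void *ip,
			    const struct xt_entry_target *target, int numeric)
{
	const struct xt_hmark_info *info =
			(const struct xt_hmark_info *)target->data;

	hmark_print_head(info);
	/* The + 1 skips the leading character of the mask string
	 * (presumably the '/' of a "/N" prefix). */
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
		printf("src-prefix %s ",
		       xtables_ip6mask_to_numeric(&info->src_mask.in6) + 1);
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
		printf("dst-prefix %s ",
		       xtables_ip6mask_to_numeric(&info->dst_mask.in6) + 1);
	HMARK_print(info);
}

/* "iptables -L" output for one rule; @ip and @numeric are unused. */
static void HMARK_ip4_print(const void *ip,
			    const struct xt_entry_target *target, int numeric)
{
	const struct xt_hmark_info *info =
		(const struct xt_hmark_info *)target->data;

	hmark_print_head(info);
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
		printf("src-prefix %u ",
		       xtables_ipmask_to_cidr(&info->src_mask.in));
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
		printf("dst-prefix %u ",
		       xtables_ipmask_to_cidr(&info->dst_mask.in));
	HMARK_print(info);
}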
310 
/* Emit one " --hmark-<opt> 0x<hex>" pair, zero-padded to @width digits. */
static void hmark_save_hex(const char *opt, unsigned int value, int width)
{
	printf(" --hmark-%s 0x%0*x", opt, width, value);
}

/*
 * Emit the family-independent options of a rule in iptables-save form.
 *
 * Port and SPI values are converted back from network byte order.  Note that
 * the hash seed (--hmark-rnd) is written out in clear: anyone able to read a
 * saved ruleset can read the seed, so treat rule dumps accordingly.
 */
static void HMARK_save(const struct xt_hmark_info *info)
{
	const unsigned int flags = info->flags;

	if (flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
		hmark_save_hex("sport-mask", htons(info->port_mask.p16.src), 4);
	if (flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
		hmark_save_hex("dport-mask", htons(info->port_mask.p16.dst), 4);
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK))
		hmark_save_hex("spi-mask", htonl(info->port_mask.v32), 8);
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
		hmark_save_hex("sport", htons(info->port_set.p16.src), 4);
	if (flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
		hmark_save_hex("dport", htons(info->port_set.p16.dst), 4);
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPI))
		hmark_save_hex("spi", htonl(info->port_set.v32), 8);
	if (flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK))
		hmark_save_hex("proto-mask", info->proto_mask, 2);
	if (flags & XT_HMARK_FLAG(XT_HMARK_RND))
		hmark_save_hex("rnd", info->hashrnd, 8);
	if (flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
		printf(" --hmark-mod %u", info->hmodulus);
	if (flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
		printf(" --hmark-offset %u", info->hoffset);
	if (flags & XT_HMARK_FLAG(XT_HMARK_CT))
		printf(" --hmark-tuple ct");
}
341 
/* iptables-save form of an IPv6 rule: address prefixes first, then the rest. */
static void HMARK_ip6_save(const void *ip, const struct xt_entry_target *target)
{
	const struct xt_hmark_info *info =
		(const struct xt_hmark_info *)target->data;
	const unsigned int flags = info->flags;

	if (flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
		printf(" --hmark-src-prefix %d",
		       xtables_ip6mask_to_cidr(&info->src_mask.in6));
	if (flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
		printf(" --hmark-dst-prefix %d",
		       xtables_ip6mask_to_cidr(&info->dst_mask.in6));
	HMARK_save(info);
}
358 
/* iptables-save form of an IPv4 rule: address prefixes first, then the rest. */
static void HMARK_ip4_save(const void *ip, const struct xt_entry_target *target)
{
	const struct xt_hmark_info *info =
		(const struct xt_hmark_info *)target->data;
	const unsigned int flags = info->flags;

	if (flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
		printf(" --hmark-src-prefix %d",
		       xtables_ipmask_to_cidr(&info->src_mask.in));
	if (flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
		printf(" --hmark-dst-prefix %d",
		       xtables_ipmask_to_cidr(&info->dst_mask.in));
	HMARK_save(info);
}
375 
/*
 * One HMARK registration per address family.  Both share the option table,
 * help text, final check and the xt_hmark_info layout; only the
 * print/save/parse callbacks are family specific.
 */
#define HMARK_TARGET(_family, _parse, _print, _save)			\
	{								\
		.family        = _family,				\
		.name	       = "HMARK",				\
		.version       = XTABLES_VERSION,			\
		.size	       = XT_ALIGN(sizeof(struct xt_hmark_info)),	\
		.userspacesize = XT_ALIGN(sizeof(struct xt_hmark_info)),	\
		.help	       = HMARK_help,				\
		.print	       = _print,				\
		.save	       = _save,					\
		.x6_parse      = _parse,				\
		.x6_fcheck     = HMARK_check,				\
		.x6_options    = HMARK_opts,				\
	}

static struct xtables_target mark_tg_reg[] = {
	HMARK_TARGET(NFPROTO_IPV4, HMARK_ip4_parse,
		     HMARK_ip4_print, HMARK_ip4_save),
	HMARK_TARGET(NFPROTO_IPV6, HMARK_ip6_parse,
		     HMARK_ip6_print, HMARK_ip6_save),
};
#undef HMARK_TARGET
404 
/* Extension entry point: register the IPv4 and IPv6 HMARK targets with libxtables. */
void _init(void)
{
	const unsigned int count = ARRAY_SIZE(mark_tg_reg);

	xtables_register_targets(mark_tg_reg, count);
}
409