1 #include <stdbool.h>
2 #include <stdio.h>
3 #include <string.h>
4 #include <xtables.h>
5 #include <linux/netfilter/xt_recent.h>
6
7 enum {
8 O_SET = 0,
9 O_RCHECK,
10 O_UPDATE,
11 O_REMOVE,
12 O_SECONDS,
13 O_REAP,
14 O_HITCOUNT,
15 O_RTTL,
16 O_NAME,
17 O_RSOURCE,
18 O_RDEST,
19 O_MASK,
20 F_SET = 1 << O_SET,
21 F_RCHECK = 1 << O_RCHECK,
22 F_UPDATE = 1 << O_UPDATE,
23 F_REMOVE = 1 << O_REMOVE,
24 F_SECONDS = 1 << O_SECONDS,
25 F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE,
26 };
27
28 #define s struct xt_recent_mtinfo
29 static const struct xt_option_entry recent_opts_v0[] = {
30 {.name = "set", .id = O_SET, .type = XTTYPE_NONE,
31 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
32 {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE,
33 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
34 {.name = "update", .id = O_UPDATE, .type = XTTYPE_NONE,
35 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
36 {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
37 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
38 {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
39 .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1},
40 {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
41 .also = F_SECONDS },
42 {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
43 .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
44 {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
45 .excl = F_SET | F_REMOVE},
46 {.name = "name", .id = O_NAME, .type = XTTYPE_STRING,
47 .flags = XTOPT_PUT, XTOPT_POINTER(s, name)},
48 {.name = "rsource", .id = O_RSOURCE, .type = XTTYPE_NONE},
49 {.name = "rdest", .id = O_RDEST, .type = XTTYPE_NONE},
50 XTOPT_TABLEEND,
51 };
52 #undef s
53
54 #define s struct xt_recent_mtinfo_v1
55 static const struct xt_option_entry recent_opts_v1[] = {
56 {.name = "set", .id = O_SET, .type = XTTYPE_NONE,
57 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
58 {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE,
59 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
60 {.name = "update", .id = O_UPDATE, .type = XTTYPE_NONE,
61 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
62 {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
63 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
64 {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
65 .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1},
66 {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
67 .also = F_SECONDS },
68 {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
69 .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
70 {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
71 .excl = F_SET | F_REMOVE},
72 {.name = "name", .id = O_NAME, .type = XTTYPE_STRING,
73 .flags = XTOPT_PUT, XTOPT_POINTER(s, name)},
74 {.name = "rsource", .id = O_RSOURCE, .type = XTTYPE_NONE},
75 {.name = "rdest", .id = O_RDEST, .type = XTTYPE_NONE},
76 {.name = "mask", .id = O_MASK, .type = XTTYPE_HOST,
77 .flags = XTOPT_PUT, XTOPT_POINTER(s, mask)},
78 XTOPT_TABLEEND,
79 };
80 #undef s
81
recent_help(void)82 static void recent_help(void)
83 {
84 printf(
85 "recent match options:\n"
86 "[!] --set Add source address to list, always matches.\n"
87 "[!] --rcheck Match if source address in list.\n"
88 "[!] --update Match if source address in list, also update last-seen time.\n"
89 "[!] --remove Match if source address in list, also removes that address from list.\n"
90 " --seconds seconds For check and update commands above.\n"
91 " Specifies that the match will only occur if source address last seen within\n"
92 " the last 'seconds' seconds.\n"
93 " --reap Purge entries older then 'seconds'.\n"
94 " Can only be used in conjunction with the seconds option.\n"
95 " --hitcount hits For check and update commands above.\n"
96 " Specifies that the match will only occur if source address seen hits times.\n"
97 " May be used in conjunction with the seconds option.\n"
98 " --rttl For check and update commands above.\n"
99 " Specifies that the match will only occur if the source address and the TTL\n"
100 " match between this packet and the one which was set.\n"
101 " Useful if you have problems with people spoofing their source address in order\n"
102 " to DoS you via this module.\n"
103 " --name name Name of the recent list to be used. DEFAULT used if none given.\n"
104 " --rsource Match/Save the source address of each packet in the recent list table (default).\n"
105 " --rdest Match/Save the destination address of each packet in the recent list table.\n"
106 " --mask netmask Netmask that will be applied to this recent list.\n"
107 "xt_recent by: Stephen Frost <sfrost@snowman.net>.\n");
108 }
109
110 enum {
111 XT_RECENT_REV_0 = 0,
112 XT_RECENT_REV_1,
113 };
114
recent_init(struct xt_entry_match * match,unsigned int rev)115 static void recent_init(struct xt_entry_match *match, unsigned int rev)
116 {
117 struct xt_recent_mtinfo *info = (struct xt_recent_mtinfo *)match->data;
118 struct xt_recent_mtinfo_v1 *info_v1 =
119 (struct xt_recent_mtinfo_v1 *)match->data;
120
121 strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
122 /* even though XT_RECENT_NAME_LEN is currently defined as 200,
123 * better be safe, than sorry */
124 info->name[XT_RECENT_NAME_LEN-1] = '\0';
125 info->side = XT_RECENT_SOURCE;
126 if (rev == XT_RECENT_REV_1)
127 memset(&info_v1->mask, 0xFF, sizeof(info_v1->mask));
128 }
129
recent_parse(struct xt_option_call * cb)130 static void recent_parse(struct xt_option_call *cb)
131 {
132 struct xt_recent_mtinfo *info = cb->data;
133
134 xtables_option_parse(cb);
135 switch (cb->entry->id) {
136 case O_SET:
137 info->check_set |= XT_RECENT_SET;
138 if (cb->invert)
139 info->invert = true;
140 break;
141 case O_RCHECK:
142 info->check_set |= XT_RECENT_CHECK;
143 if (cb->invert)
144 info->invert = true;
145 break;
146 case O_UPDATE:
147 info->check_set |= XT_RECENT_UPDATE;
148 if (cb->invert)
149 info->invert = true;
150 break;
151 case O_REMOVE:
152 info->check_set |= XT_RECENT_REMOVE;
153 if (cb->invert)
154 info->invert = true;
155 break;
156 case O_RTTL:
157 info->check_set |= XT_RECENT_TTL;
158 break;
159 case O_RSOURCE:
160 info->side = XT_RECENT_SOURCE;
161 break;
162 case O_RDEST:
163 info->side = XT_RECENT_DEST;
164 break;
165 case O_REAP:
166 info->check_set |= XT_RECENT_REAP;
167 break;
168 }
169 }
170
recent_check(struct xt_fcheck_call * cb)171 static void recent_check(struct xt_fcheck_call *cb)
172 {
173 if (!(cb->xflags & F_ANY_OP))
174 xtables_error(PARAMETER_PROBLEM,
175 "recent: you must specify one of `--set', `--rcheck' "
176 "`--update' or `--remove'");
177 }
178
recent_print(const void * ip,const struct xt_entry_match * match,unsigned int family)179 static void recent_print(const void *ip, const struct xt_entry_match *match,
180 unsigned int family)
181 {
182 const struct xt_recent_mtinfo_v1 *info = (const void *)match->data;
183
184 if (info->invert)
185 printf(" !");
186
187 printf(" recent:");
188 if (info->check_set & XT_RECENT_SET)
189 printf(" SET");
190 if (info->check_set & XT_RECENT_CHECK)
191 printf(" CHECK");
192 if (info->check_set & XT_RECENT_UPDATE)
193 printf(" UPDATE");
194 if (info->check_set & XT_RECENT_REMOVE)
195 printf(" REMOVE");
196 if (info->seconds)
197 printf(" seconds: %u", info->seconds);
198 if (info->check_set & XT_RECENT_REAP)
199 printf(" reap");
200 if (info->hit_count)
201 printf(" hit_count: %u", info->hit_count);
202 if (info->check_set & XT_RECENT_TTL)
203 printf(" TTL-Match");
204 printf(" name: %s", info->name);
205 if (info->side == XT_RECENT_SOURCE)
206 printf(" side: source");
207 if (info->side == XT_RECENT_DEST)
208 printf(" side: dest");
209
210 switch(family) {
211 case NFPROTO_IPV4:
212 printf(" mask: %s",
213 xtables_ipaddr_to_numeric(&info->mask.in));
214 break;
215 case NFPROTO_IPV6:
216 printf(" mask: %s",
217 xtables_ip6addr_to_numeric(&info->mask.in6));
218 break;
219 }
220 }
221
recent_save(const void * ip,const struct xt_entry_match * match,unsigned int family)222 static void recent_save(const void *ip, const struct xt_entry_match *match,
223 unsigned int family)
224 {
225 const struct xt_recent_mtinfo_v1 *info = (const void *)match->data;
226
227 if (info->invert)
228 printf(" !");
229
230 if (info->check_set & XT_RECENT_SET)
231 printf(" --set");
232 if (info->check_set & XT_RECENT_CHECK)
233 printf(" --rcheck");
234 if (info->check_set & XT_RECENT_UPDATE)
235 printf(" --update");
236 if (info->check_set & XT_RECENT_REMOVE)
237 printf(" --remove");
238 if (info->seconds)
239 printf(" --seconds %u", info->seconds);
240 if (info->check_set & XT_RECENT_REAP)
241 printf(" --reap");
242 if (info->hit_count)
243 printf(" --hitcount %u", info->hit_count);
244 if (info->check_set & XT_RECENT_TTL)
245 printf(" --rttl");
246 printf(" --name %s",info->name);
247
248 switch(family) {
249 case NFPROTO_IPV4:
250 printf(" --mask %s",
251 xtables_ipaddr_to_numeric(&info->mask.in));
252 break;
253 case NFPROTO_IPV6:
254 printf(" --mask %s",
255 xtables_ip6addr_to_numeric(&info->mask.in6));
256 break;
257 }
258
259 if (info->side == XT_RECENT_SOURCE)
260 printf(" --rsource");
261 if (info->side == XT_RECENT_DEST)
262 printf(" --rdest");
263 }
264
recent_init_v0(struct xt_entry_match * match)265 static void recent_init_v0(struct xt_entry_match *match)
266 {
267 recent_init(match, XT_RECENT_REV_0);
268 }
269
recent_init_v1(struct xt_entry_match * match)270 static void recent_init_v1(struct xt_entry_match *match)
271 {
272 recent_init(match, XT_RECENT_REV_1);
273 }
274
recent_save_v0(const void * ip,const struct xt_entry_match * match)275 static void recent_save_v0(const void *ip, const struct xt_entry_match *match)
276 {
277 recent_save(ip, match, NFPROTO_UNSPEC);
278 }
279
recent_save_v4(const void * ip,const struct xt_entry_match * match)280 static void recent_save_v4(const void *ip, const struct xt_entry_match *match)
281 {
282 recent_save(ip, match, NFPROTO_IPV4);
283 }
284
recent_save_v6(const void * ip,const struct xt_entry_match * match)285 static void recent_save_v6(const void *ip, const struct xt_entry_match *match)
286 {
287 recent_save(ip, match, NFPROTO_IPV6);
288 }
289
recent_print_v0(const void * ip,const struct xt_entry_match * match,int numeric)290 static void recent_print_v0(const void *ip, const struct xt_entry_match *match,
291 int numeric)
292 {
293 recent_print(ip, match, NFPROTO_UNSPEC);
294 }
295
recent_print_v4(const void * ip,const struct xt_entry_match * match,int numeric)296 static void recent_print_v4(const void *ip, const struct xt_entry_match *match,
297 int numeric)
298 {
299 recent_print(ip, match, NFPROTO_IPV4);
300 }
301
recent_print_v6(const void * ip,const struct xt_entry_match * match,int numeric)302 static void recent_print_v6(const void *ip, const struct xt_entry_match *match,
303 int numeric)
304 {
305 recent_print(ip, match, NFPROTO_IPV6);
306 }
307
308 static struct xtables_match recent_mt_reg[] = {
309 {
310 .name = "recent",
311 .version = XTABLES_VERSION,
312 .revision = 0,
313 .family = NFPROTO_UNSPEC,
314 .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
315 .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
316 .help = recent_help,
317 .init = recent_init_v0,
318 .x6_parse = recent_parse,
319 .x6_fcheck = recent_check,
320 .print = recent_print_v0,
321 .save = recent_save_v0,
322 .x6_options = recent_opts_v0,
323 },
324 {
325 .name = "recent",
326 .version = XTABLES_VERSION,
327 .revision = 1,
328 .family = NFPROTO_IPV4,
329 .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
330 .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
331 .help = recent_help,
332 .init = recent_init_v1,
333 .x6_parse = recent_parse,
334 .x6_fcheck = recent_check,
335 .print = recent_print_v4,
336 .save = recent_save_v4,
337 .x6_options = recent_opts_v1,
338 },
339 {
340 .name = "recent",
341 .version = XTABLES_VERSION,
342 .revision = 1,
343 .family = NFPROTO_IPV6,
344 .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
345 .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
346 .help = recent_help,
347 .init = recent_init_v1,
348 .x6_parse = recent_parse,
349 .x6_fcheck = recent_check,
350 .print = recent_print_v6,
351 .save = recent_save_v6,
352 .x6_options = recent_opts_v1,
353 },
354 };
355
_init(void)356 void _init(void)
357 {
358 xtables_register_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
359 }
360