1 #include <stdint.h>
2 #include <stdio.h>
3 #include <netdb.h>
4 #include <arpa/inet.h>
5 #include <xtables.h>
6 #include <linux/netfilter/xt_tcpudp.h>
7
8 enum {
9 O_SOURCE_PORT = 0,
10 O_DEST_PORT,
11 };
12
udp_help(void)13 static void udp_help(void)
14 {
15 printf(
16 "udp match options:\n"
17 "[!] --source-port port[:port]\n"
18 " --sport ...\n"
19 " match source port(s)\n"
20 "[!] --destination-port port[:port]\n"
21 " --dport ...\n"
22 " match destination port(s)\n");
23 }
24
25 #define s struct xt_udp
26 static const struct xt_option_entry udp_opts[] = {
27 {.name = "source-port", .id = O_SOURCE_PORT, .type = XTTYPE_PORTRC,
28 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, spts)},
29 {.name = "sport", .id = O_SOURCE_PORT, .type = XTTYPE_PORTRC,
30 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, spts)},
31 {.name = "destination-port", .id = O_DEST_PORT, .type = XTTYPE_PORTRC,
32 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, dpts)},
33 {.name = "dport", .id = O_DEST_PORT, .type = XTTYPE_PORTRC,
34 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, dpts)},
35 XTOPT_TABLEEND,
36 };
37 #undef s
38
udp_init(struct xt_entry_match * m)39 static void udp_init(struct xt_entry_match *m)
40 {
41 struct xt_udp *udpinfo = (struct xt_udp *)m->data;
42
43 udpinfo->spts[1] = udpinfo->dpts[1] = 0xFFFF;
44 }
45
udp_parse(struct xt_option_call * cb)46 static void udp_parse(struct xt_option_call *cb)
47 {
48 struct xt_udp *udpinfo = cb->data;
49
50 xtables_option_parse(cb);
51 switch (cb->entry->id) {
52 case O_SOURCE_PORT:
53 if (cb->invert)
54 udpinfo->invflags |= XT_UDP_INV_SRCPT;
55 break;
56 case O_DEST_PORT:
57 if (cb->invert)
58 udpinfo->invflags |= XT_UDP_INV_DSTPT;
59 break;
60 }
61 }
62
63 static const char *
port_to_service(int port)64 port_to_service(int port)
65 {
66 const struct servent *service;
67
68 if ((service = getservbyport(htons(port), "udp")))
69 return service->s_name;
70
71 return NULL;
72 }
73
74 static void
print_port(uint16_t port,int numeric)75 print_port(uint16_t port, int numeric)
76 {
77 const char *service;
78
79 if (numeric || (service = port_to_service(port)) == NULL)
80 printf("%u", port);
81 else
82 printf("%s", service);
83 }
84
skip_ports_match(uint16_t min,uint16_t max,bool inv)85 static bool skip_ports_match(uint16_t min, uint16_t max, bool inv)
86 {
87 return min == 0 && max == UINT16_MAX && !inv;
88 }
89
90 static void
print_ports(const char * name,uint16_t min,uint16_t max,int invert,int numeric)91 print_ports(const char *name, uint16_t min, uint16_t max,
92 int invert, int numeric)
93 {
94 const char *inv = invert ? "!" : "";
95
96 if (!skip_ports_match(min, max, invert)) {
97 printf(" %s", name);
98 if (min == max) {
99 printf(":%s", inv);
100 print_port(min, numeric);
101 } else {
102 printf("s:%s", inv);
103 print_port(min, numeric);
104 printf(":");
105 print_port(max, numeric);
106 }
107 }
108 }
109
110 static void
udp_print(const void * ip,const struct xt_entry_match * match,int numeric)111 udp_print(const void *ip, const struct xt_entry_match *match, int numeric)
112 {
113 const struct xt_udp *udp = (struct xt_udp *)match->data;
114
115 printf(" udp");
116 print_ports("spt", udp->spts[0], udp->spts[1],
117 udp->invflags & XT_UDP_INV_SRCPT,
118 numeric);
119 print_ports("dpt", udp->dpts[0], udp->dpts[1],
120 udp->invflags & XT_UDP_INV_DSTPT,
121 numeric);
122 if (udp->invflags & ~XT_UDP_INV_MASK)
123 printf(" Unknown invflags: 0x%X",
124 udp->invflags & ~XT_UDP_INV_MASK);
125 }
126
udp_save(const void * ip,const struct xt_entry_match * match)127 static void udp_save(const void *ip, const struct xt_entry_match *match)
128 {
129 const struct xt_udp *udpinfo = (struct xt_udp *)match->data;
130 bool inv_srcpt = udpinfo->invflags & XT_UDP_INV_SRCPT;
131 bool inv_dstpt = udpinfo->invflags & XT_UDP_INV_DSTPT;
132
133 if (!skip_ports_match(udpinfo->spts[0], udpinfo->spts[1], inv_srcpt)) {
134 if (inv_srcpt)
135 printf(" !");
136 if (udpinfo->spts[0]
137 != udpinfo->spts[1])
138 printf(" --sport %u:%u",
139 udpinfo->spts[0],
140 udpinfo->spts[1]);
141 else
142 printf(" --sport %u",
143 udpinfo->spts[0]);
144 }
145
146 if (!skip_ports_match(udpinfo->dpts[0], udpinfo->dpts[1], inv_dstpt)) {
147 if (inv_dstpt)
148 printf(" !");
149 if (udpinfo->dpts[0]
150 != udpinfo->dpts[1])
151 printf(" --dport %u:%u",
152 udpinfo->dpts[0],
153 udpinfo->dpts[1]);
154 else
155 printf(" --dport %u",
156 udpinfo->dpts[0]);
157 }
158 }
159
udp_xlate(struct xt_xlate * xl,const struct xt_xlate_mt_params * params)160 static int udp_xlate(struct xt_xlate *xl,
161 const struct xt_xlate_mt_params *params)
162 {
163 const struct xt_udp *udpinfo = (struct xt_udp *)params->match->data;
164 bool inv_srcpt = udpinfo->invflags & XT_UDP_INV_SRCPT;
165 bool inv_dstpt = udpinfo->invflags & XT_UDP_INV_DSTPT;
166 bool xlated = false;
167
168 if (!skip_ports_match(udpinfo->spts[0], udpinfo->spts[1], inv_srcpt)) {
169 if (udpinfo->spts[0] != udpinfo->spts[1]) {
170 xt_xlate_add(xl,"udp sport %s%u-%u",
171 inv_srcpt ? "!= ": "",
172 udpinfo->spts[0], udpinfo->spts[1]);
173 } else {
174 xt_xlate_add(xl, "udp sport %s%u",
175 inv_srcpt ? "!= ": "",
176 udpinfo->spts[0]);
177 }
178 xlated = true;
179 }
180
181 if (!skip_ports_match(udpinfo->dpts[0], udpinfo->dpts[1], inv_dstpt)) {
182 if (udpinfo->dpts[0] != udpinfo->dpts[1]) {
183 xt_xlate_add(xl,"udp dport %s%u-%u",
184 inv_dstpt ? "!= ": "",
185 udpinfo->dpts[0], udpinfo->dpts[1]);
186 } else {
187 xt_xlate_add(xl,"udp dport %s%u",
188 inv_dstpt ? "!= ": "",
189 udpinfo->dpts[0]);
190 }
191 xlated = true;
192 }
193
194 if (!xlated)
195 xt_xlate_add(xl, "meta l4proto udp");
196
197 return 1;
198 }
199
200 static struct xtables_match udp_match = {
201 .family = NFPROTO_UNSPEC,
202 .name = "udp",
203 .version = XTABLES_VERSION,
204 .size = XT_ALIGN(sizeof(struct xt_udp)),
205 .userspacesize = XT_ALIGN(sizeof(struct xt_udp)),
206 .help = udp_help,
207 .init = udp_init,
208 .print = udp_print,
209 .save = udp_save,
210 .x6_parse = udp_parse,
211 .x6_options = udp_opts,
212 .xlate = udp_xlate,
213 };
214
215 void
_init(void)216 _init(void)
217 {
218 xtables_register_match(&udp_match);
219 }
220