1 #include <stdio.h>
2 #include <xtables.h>
3 #include <linux/netfilter_ipv6/ip6t_frag.h>
4 
/*
 * Option ids used as xt_option_entry.id in frag_opts[] and switched on
 * in frag_parse().  The F_* values are the matching "1 << id" masks, used
 * by .excl to make --fragmore and --fraglast mutually exclusive.
 */
enum {
	O_FRAGID = 0,
	O_FRAGLEN = 1,
	O_FRAGRES = 2,
	O_FRAGFIRST = 3,
	O_FRAGMORE = 4,
	O_FRAGLAST = 5,
	/* exclusion masks, one bit per option id */
	F_FRAGMORE = 1 << O_FRAGMORE,
	F_FRAGLAST = 1 << O_FRAGLAST,
};
15 
/* Usage text for the frag match (shown by "ip6tables -m frag -h"). */
static void frag_help(void)
{
	static const char usage[] =
		"frag match options:\n"
		"[!] --fragid id[:id]           match the id (range)\n"
		"[!] --fraglen length           total length of this header\n"
		" --fragres                     check the reserved field too\n"
		" --fragfirst                   matches on the first fragment\n"
		" [--fragmore|--fraglast]       there are more fragments or this\n"
		"                               is the last one\n";

	/* plain text, no format directives, so fputs() is equivalent to printf() */
	fputs(usage, stdout);
}
27 
/*
 * Option table for libxtables' parser.  --fragid and --fraglen are written
 * straight into struct ip6t_frag by XTOPT_PUT (ids[] and hdrlen); the four
 * flag-only options are handled in frag_parse().  --fragmore and
 * --fraglast exclude each other via .excl.  The struct type is spelled out
 * instead of going through a temporary "s" macro.
 */
static const struct xt_option_entry frag_opts[] = {
	{.name = "fragid", .id = O_FRAGID, .type = XTTYPE_UINT32RC,
	 .flags = XTOPT_INVERT | XTOPT_PUT,
	 XTOPT_POINTER(struct ip6t_frag, ids)},
	{.name = "fraglen", .id = O_FRAGLEN, .type = XTTYPE_UINT32,
	 .flags = XTOPT_INVERT | XTOPT_PUT,
	 XTOPT_POINTER(struct ip6t_frag, hdrlen)},
	{.name = "fragres", .id = O_FRAGRES, .type = XTTYPE_NONE},
	{.name = "fragfirst", .id = O_FRAGFIRST, .type = XTTYPE_NONE},
	{.name = "fragmore", .id = O_FRAGMORE, .type = XTTYPE_NONE,
	 .excl = F_FRAGLAST},
	{.name = "fraglast", .id = O_FRAGLAST, .type = XTTYPE_NONE,
	 .excl = F_FRAGMORE},
	XTOPT_TABLEEND,
};
43 
/*
 * Per-instance initialisation: widen the default id range so that a rule
 * without --fragid matches any identification.  Only the upper bound is
 * touched; 0..0xFFFFFFFF is the sentinel that print/save/xlate compare
 * against when deciding whether --fragid was given.
 */
static void frag_init(struct xt_entry_match *m)
{
	struct ip6t_frag *fraginfo = (struct ip6t_frag *)m->data;

	fraginfo->ids[1] = 0xFFFFFFFFU;
}
50 
/*
 * Option callback.  libxtables has already stored the --fragid/--fraglen
 * values through XTOPT_PUT; this records the option's flag bit and, for
 * the two invertible options, the corresponding invert bit.
 */
static void frag_parse(struct xt_option_call *cb)
{
	struct ip6t_frag *fraginfo = cb->data;
	unsigned int flag = 0;
	unsigned int inv = 0;	/* stays 0 for options without XTOPT_INVERT */

	xtables_option_parse(cb);
	switch (cb->entry->id) {
	case O_FRAGID:
		/* a single value is an exact match: collapse the range */
		if (cb->nvals == 1)
			fraginfo->ids[1] = fraginfo->ids[0];
		/* IP6T_FRAG_IDS is set for completeness only; nothing tests it */
		flag = IP6T_FRAG_IDS;
		inv = IP6T_FRAG_INV_IDS;
		break;
	case O_FRAGLEN:
		/* as of Linux 3.0 the kernel does not check fraglen at all */
		flag = IP6T_FRAG_LEN;
		inv = IP6T_FRAG_INV_LEN;
		break;
	case O_FRAGRES:
		flag = IP6T_FRAG_RES;
		break;
	case O_FRAGFIRST:
		flag = IP6T_FRAG_FST;
		break;
	case O_FRAGMORE:
		flag = IP6T_FRAG_MF;
		break;
	case O_FRAGLAST:
		flag = IP6T_FRAG_NMF;
		break;
	default:
		return;
	}

	if (cb->invert)
		fraginfo->invflags |= inv;
	fraginfo->flags |= flag;
}
91 
/*
 * Print the identification part of a frag match: "<name>:<n>" for an exact
 * match, "<name>s:<min>:<max>" for a range, with "!" before the numbers when
 * inverted.  The default range 0..0xFFFFFFFF without inversion prints
 * nothing.
 */
static void print_ids(const char *name, uint32_t min, uint32_t max,
		      int invert)
{
	const char *bang = invert ? "!" : "";

	if (min == 0 && max == 0xFFFFFFFF && !invert)
		return;

	if (min == max)
		printf("%s:%s%u", name, bang, min);
	else
		printf("%ss:%s%u:%u", name, bang, min, max);
}
106 
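/*
 * Print the match in "ip6tables -L" form, e.g. " frag ids:!3:7 length:40 first".
 * @ip and @numeric are unused: the match has no address fields to resolve.
 */
static void frag_print(const void *ip, const struct xt_entry_match *match,
                       int numeric)
{
	/* keep the const qualifier instead of casting it away */
	const struct ip6t_frag *frag = (const struct ip6t_frag *)match->data;

	printf(" frag ");
	print_ids("id", frag->ids[0], frag->ids[1],
		  frag->invflags & IP6T_FRAG_INV_IDS);

	if (frag->flags & IP6T_FRAG_LEN) {
		printf(" length:%s%u",
		       frag->invflags & IP6T_FRAG_INV_LEN ? "!" : "",
		       frag->hdrlen);
	}

	if (frag->flags & IP6T_FRAG_RES)
		printf(" reserved");

	if (frag->flags & IP6T_FRAG_FST)
		printf(" first");

	if (frag->flags & IP6T_FRAG_MF)
		printf(" more");

	if (frag->flags & IP6T_FRAG_NMF)
		printf(" last");

	/* invert bits outside IP6T_FRAG_INV_MASK have no meaning; make them visible */
	if (frag->invflags & ~IP6T_FRAG_INV_MASK)
		printf(" Unknown invflags: 0x%X",
		       frag->invflags & ~IP6T_FRAG_INV_MASK);
}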
138 
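/*
 * Print the match as command-line options for "ip6tables-save".
 * @ip is unused.
 */
static void frag_save(const void *ip, const struct xt_entry_match *match)
{
	/* keep the const qualifier instead of casting it away */
	const struct ip6t_frag *fraginfo =
		(const struct ip6t_frag *)match->data;

	/*
	 * Emit --fragid when the range deviates from the default
	 * 0..0xFFFFFFFF *or* it is inverted.  print_ids() treats an inverted
	 * default range as significant, and dropping it here would turn a
	 * rule that matches no identification into one that matches all.
	 */
	if (!(fraginfo->ids[0] == 0 && fraginfo->ids[1] == 0xFFFFFFFF) ||
	    (fraginfo->invflags & IP6T_FRAG_INV_IDS)) {
		printf("%s --fragid ",
		       (fraginfo->invflags & IP6T_FRAG_INV_IDS) ? " !" : "");
		if (fraginfo->ids[0] != fraginfo->ids[1])
			printf("%u:%u", fraginfo->ids[0], fraginfo->ids[1]);
		else
			printf("%u", fraginfo->ids[0]);
	}

	if (fraginfo->flags & IP6T_FRAG_LEN) {
		printf("%s --fraglen %u",
		       (fraginfo->invflags & IP6T_FRAG_INV_LEN) ? " !" : "",
		       fraginfo->hdrlen);
	}

	if (fraginfo->flags & IP6T_FRAG_RES)
		printf(" --fragres");

	if (fraginfo->flags & IP6T_FRAG_FST)
		printf(" --fragfirst");

	if (fraginfo->flags & IP6T_FRAG_MF)
		printf(" --fragmore");

	if (fraginfo->flags & IP6T_FRAG_NMF)
		printf(" --fraglast");
}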
175 
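/*
 * Translate the match to nftables syntax, e.g. "frag id 3-7 frag frag-off 0".
 * Returns 1 (translated).
 *
 * --fraglen is not emitted; per the note in frag_parse() the kernel does
 * not test it either, so the effective rule is unchanged.  A match with no
 * options emits nothing at all — NOTE(review): confirm that is intended,
 * since "-m frag" alone presumably still requires a fragment header to be
 * present and that check is not carried into the translation.
 */
static int frag_xlate(struct xt_xlate *xl,
		      const struct xt_xlate_mt_params *params)
{
	/* keep the const qualifier instead of casting it away */
	const struct ip6t_frag *fraginfo =
		(const struct ip6t_frag *)params->match->data;
	/* separator before each expression after the first */
	const char *space = "";

	/*
	 * Same condition as frag_save(): an inverted default range is still
	 * a constraint and must not be dropped.
	 */
	if (!(fraginfo->ids[0] == 0 && fraginfo->ids[1] == 0xFFFFFFFF) ||
	    (fraginfo->invflags & IP6T_FRAG_INV_IDS)) {
		xt_xlate_add(xl, "frag id %s",
			     (fraginfo->invflags & IP6T_FRAG_INV_IDS) ?
			     "!= " : "");
		if (fraginfo->ids[0] != fraginfo->ids[1])
			xt_xlate_add(xl, "%u-%u", fraginfo->ids[0],
				     fraginfo->ids[1]);
		else
			xt_xlate_add(xl, "%u", fraginfo->ids[0]);

		space = " ";
	}

	if (fraginfo->flags & IP6T_FRAG_RES) {
		xt_xlate_add(xl, "%sfrag reserved 1", space);
		space = " ";
	}
	if (fraginfo->flags & IP6T_FRAG_FST) {
		xt_xlate_add(xl, "%sfrag frag-off 0", space);
		space = " ";
	}
	if (fraginfo->flags & IP6T_FRAG_MF) {
		xt_xlate_add(xl, "%sfrag more-fragments 1", space);
		space = " ";
	}
	if (fraginfo->flags & IP6T_FRAG_NMF)
		xt_xlate_add(xl, "%sfrag more-fragments 0", space);

	return 1;
}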
214 
/* Registration record handed to libxtables by _init(). */
static struct xtables_match frag_mt6_reg = {
	/* identity */
	.name          = "frag",
	.family        = NFPROTO_IPV6,
	.version       = XTABLES_VERSION,
	/* kernel-side and userspace copies of the match data are the same struct */
	.size          = XT_ALIGN(sizeof(struct ip6t_frag)),
	.userspacesize = XT_ALIGN(sizeof(struct ip6t_frag)),
	/* option handling */
	.x6_options    = frag_opts,
	.x6_parse      = frag_parse,
	.init          = frag_init,
	/* output */
	.help          = frag_help,
	.print         = frag_print,
	.save          = frag_save,
	.xlate         = frag_xlate,
};
229 
/*
 * Extension entry point: registers the match with libxtables when the
 * shared object is loaded.  The name is the one libxtables expects
 * (xtables.h maps _init onto its constructor hook).
 */
void _init(void)
{
	xtables_register_match(&frag_mt6_reg);
}
235