author | Harald Welte <laforge@netfilter.org> | 2006-01-12 16:30:04 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-01-12 17:06:43 -0500 |
commit | 2e4e6a17af35be359cc8f1c924f8f198fbd478cc (patch) | |
tree | cb4b5438dcf9ff9d57518a26124308bcbfffd214 /net/netfilter/xt_tcpudp.c | |
parent | 880b005f294454d989783d0984dc554dfe3c8214 (diff) |
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster patch does its best to unify the data structures and backend interfaces of the three evil clones ip_tables, ip6_tables and arp_tables. In an ideal world we would never have allowed this kind of copy+paste programming... but well, our world isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter/xt_tcpudp.c')
-rw-r--r-- | net/netfilter/xt_tcpudp.c | 333 |
1 files changed, 333 insertions, 0 deletions
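--- /dev/null
+++ b/net/netfilter/xt_tcpudp.c
@@ -0,0 +1,333 @@
+#include <linux/types.h>
+#include <linux/module.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/tcp.h>
+#include <net/udp.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tcpudp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+
+MODULE_DESCRIPTION("x_tables match for TCP and UDP, supports IPv4 and IPv6");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("xt_tcp");
+MODULE_ALIAS("xt_udp");
+MODULE_ALIAS("ipt_udp");
+MODULE_ALIAS("ipt_tcp");
+MODULE_ALIAS("ip6t_udp");
+MODULE_ALIAS("ip6t_tcp");
+
+#ifdef DEBUG_IP_FIREWALL_USER
+#define duprintf(format, args...) printk(format , ## args)
+#else
+#define duprintf(format, args...)
+#endif
+
+
+/* Returns 1 if the port is matched by the range, 0 otherwise */
+static inline int
+port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
+{
+int ret;
+
+ret = (port >= min && port <= max) ^ invert;
+return ret;
+}
+
+static int
+tcp_find_option(u_int8_t option,
+const struct sk_buff *skb,
+unsigned int protoff,
+unsigned int optlen,
+int invert,
+int *hotdrop)
+{
+/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
+u_int8_t _opt[60 - sizeof(struct tcphdr)], *op;
+unsigned int i;
+
+duprintf("tcp_match: finding option\n");
+
+if (!optlen)
+return invert;
+
+/* If we don't have the whole header, drop packet. */
+op = skb_header_pointer(skb, protoff + sizeof(struct tcphdr),
+optlen, _opt);
+if (op == NULL) {
+*hotdrop = 1;
+return 0;
+}
+
+for (i = 0; i < optlen; ) {
+if (op[i] == option) return !invert;
+if (op[i] < 2) i++;
+else i += op[i+1]?:1;
+}
+
+return invert;
+}
+
+static int
+tcp_match(const struct sk_buff *skb,
+const struct net_device *in,
+const struct net_device *out,
+const void *matchinfo,
+int offset,
+unsigned int protoff,
+int *hotdrop)
+{
+struct tcphdr _tcph, *th;
+const struct xt_tcp *tcpinfo = matchinfo;
+
+if (offset) {
+/* To quote Alan:
+
+Don't allow a fragment of TCP 8 bytes in. Nobody normal
+causes this. Its a cracker trying to break in by doing a
+flag overwrite to pass the direction checks.
+*/
+if (offset == 1) {
+duprintf("Dropping evil TCP offset=1 frag.\n");
+*hotdrop = 1;
+}
+/* Must not be a fragment. */
+return 0;
+}
+
+#define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg))
+
+th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
+if (th == NULL) {
+/* We've been asked to examine this packet, and we
+can't. Hence, no choice but to drop. */
+duprintf("Dropping evil TCP offset=0 tinygram.\n");
+*hotdrop = 1;
+return 0;
+}
+
+if (!port_match(tcpinfo->spts[0], tcpinfo->spts[1],
+ntohs(th->source),
+!!(tcpinfo->invflags & XT_TCP_INV_SRCPT)))
+return 0;
+if (!port_match(tcpinfo->dpts[0], tcpinfo->dpts[1],
+ntohs(th->dest),
+!!(tcpinfo->invflags & XT_TCP_INV_DSTPT)))
+return 0;
+if (!FWINVTCP((((unsigned char *)th)[13] & tcpinfo->flg_mask)
+== tcpinfo->flg_cmp,
+XT_TCP_INV_FLAGS))
+return 0;
+if (tcpinfo->option) {
+if (th->doff * 4 < sizeof(_tcph)) {
+*hotdrop = 1;
+return 0;
+}
+if (!tcp_find_option(tcpinfo->option, skb, protoff,
+th->doff*4 - sizeof(_tcph),
+tcpinfo->invflags & XT_TCP_INV_OPTION,
+hotdrop))
+return 0;
+}
+return 1;
+}
+
+/* Called when user tries to insert an entry of this type. */
+static int
+tcp_checkentry(const char *tablename,
+const void *info,
+void *matchinfo,
+unsigned int matchsize,
+unsigned int hook_mask)
+{
+const struct ipt_ip *ip = info;
+const struct xt_tcp *tcpinfo = matchinfo;
+
+/* Must specify proto == TCP, and no unknown invflags */
+return ip->proto == IPPROTO_TCP
+&& !(ip->invflags & XT_INV_PROTO)
+&& matchsize == XT_ALIGN(sizeof(struct xt_tcp))
+&& !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
+}
+
+/* Called when user tries to insert an entry of this type. */
+static int
+tcp6_checkentry(const char *tablename,
+const void *entry,
+void *matchinfo,
+unsigned int matchsize,
+unsigned int hook_mask)
+{
+const struct ip6t_ip6 *ipv6 = entry;
+const struct xt_tcp *tcpinfo = matchinfo;
+
+/* Must specify proto == TCP, and no unknown invflags */
+return ipv6->proto == IPPROTO_TCP
+&& !(ipv6->invflags & XT_INV_PROTO)
+&& matchsize == XT_ALIGN(sizeof(struct xt_tcp))
+&& !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
+}
+
+
+static int
+udp_match(const struct sk_buff *skb,
+const struct net_device *in,
+const struct net_device *out,
+const void *matchinfo,
+int offset,
+unsigned int protoff,
+int *hotdrop)
+{
+struct udphdr _udph, *uh;
+const struct xt_udp *udpinfo = matchinfo;
+
+/* Must not be a fragment. */
+if (offset)
+return 0;
+
+uh = skb_header_pointer(skb, protoff, sizeof(_udph), &_udph);
+if (uh == NULL) {
+/* We've been asked to examine this packet, and we
+can't. Hence, no choice but to drop. */
+duprintf("Dropping evil UDP tinygram.\n");
+*hotdrop = 1;
+return 0;
+}
+
+return port_match(udpinfo->spts[0], udpinfo->spts[1],
+ntohs(uh->source),
+!!(udpinfo->invflags & XT_UDP_INV_SRCPT))
+&& port_match(udpinfo->dpts[0], udpinfo->dpts[1],
+ntohs(uh->dest),
+!!(udpinfo->invflags & XT_UDP_INV_DSTPT));
+}
+
+/* Called when user tries to insert an entry of this type. */
+static int
+udp_checkentry(const char *tablename,
+const void *info,
+void *matchinfo,
+unsigned int matchinfosize,
+unsigned int hook_mask)
+{
+const struct ipt_ip *ip = info;
+const struct xt_udp *udpinfo = matchinfo;
+
+/* Must specify proto == UDP, and no unknown invflags */
+if (ip->proto != IPPROTO_UDP || (ip->invflags & XT_INV_PROTO)) {
+duprintf("ipt_udp: Protocol %u != %u\n", ip->proto,
+IPPROTO_UDP);
+return 0;
+}
+if (matchinfosize != XT_ALIGN(sizeof(struct xt_udp))) {
+duprintf("ipt_udp: matchsize %u != %u\n",
+matchinfosize, XT_ALIGN(sizeof(struct xt_udp)));
+return 0;
+}
+if (udpinfo->invflags & ~XT_UDP_INV_MASK) {
+duprintf("ipt_udp: unknown flags %X\n",
+udpinfo->invflags);
+return 0;
+}
+
+return 1;
+}
+
+/* Called when user tries to insert an entry of this type. */
+static int
+udp6_checkentry(const char *tablename,
+const void *entry,
+void *matchinfo,
+unsigned int matchinfosize,
+unsigned int hook_mask)
+{
+const struct ip6t_ip6 *ipv6 = entry;
+const struct xt_udp *udpinfo = matchinfo;
+
+/* Must specify proto == UDP, and no unknown invflags */
+if (ipv6->proto != IPPROTO_UDP || (ipv6->invflags & XT_INV_PROTO)) {
+duprintf("ip6t_udp: Protocol %u != %u\n", ipv6->proto,
+IPPROTO_UDP);
+return 0;
+}
+if (matchinfosize != XT_ALIGN(sizeof(struct xt_udp))) {
+duprintf("ip6t_udp: matchsize %u != %u\n",
+matchinfosize, XT_ALIGN(sizeof(struct xt_udp)));
+return 0;
+}
+if (udpinfo->invflags & ~XT_UDP_INV_MASK) {
+duprintf("ip6t_udp: unknown flags %X\n",
+udpinfo->invflags);
+return 0;
+}
+
+return 1;
+}
+
+static struct xt_match tcp_matchstruct = {
+.name = "tcp",
+.match = &tcp_match,
+.checkentry = &tcp_checkentry,
+.me = THIS_MODULE,
+};
+static struct xt_match tcp6_matchstruct = {
+.name = "tcp",
+.match = &tcp_match,
+.checkentry = &tcp6_checkentry,
+.me = THIS_MODULE,
+};
+
+static struct xt_match udp_matchstruct = {
+.name = "udp",
+.match = &udp_match,
+.checkentry = &udp_checkentry,
+.me = THIS_MODULE,
+};
+static struct xt_match udp6_matchstruct = {
+.name = "udp",
+.match = &udp_match,
+.checkentry = &udp6_checkentry,
+.me = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+int ret;
+ret = xt_register_match(AF_INET, &tcp_matchstruct);
+if (ret)
+return ret;
+
+ret = xt_register_match(AF_INET6, &tcp6_matchstruct);
+if (ret)
+goto out_unreg_tcp;
+
+ret = xt_register_match(AF_INET, &udp_matchstruct);
+if (ret)
+goto out_unreg_tcp6;
+
+ret = xt_register_match(AF_INET6, &udp6_matchstruct);
+if (ret)
+goto out_unreg_udp;
+
+return ret;
+
+out_unreg_udp:
+xt_unregister_match(AF_INET, &tcp_matchstruct);
+out_unreg_tcp6:
+xt_unregister_match(AF_INET6, &tcp6_matchstruct);
+out_unreg_tcp:
+xt_unregister_match(AF_INET, &tcp_matchstruct);
+return ret;
+}
+
+static void __exit fini(void)
+{
+xt_unregister_match(AF_INET6, &udp6_matchstruct);
+xt_unregister_match(AF_INET, &udp_matchstruct);
+xt_unregister_match(AF_INET6, &tcp6_matchstruct);
+xt_unregister_match(AF_INET, &tcp_matchstruct);
+}
+
+module_init(init);
+module_exit(fini);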
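Review bot: The error path of init() unwinds the wrong registration at the `out_unreg_udp:` label near the end of the file: it calls `xt_unregister_match(AF_INET, &tcp_matchstruct)` although the match registered just before the failing AF_INET6 udp registration was udp_matchstruct, so when that last xt_register_match() fails, udp_matchstruct stays registered in x_tables while the module's init returns an error and tcp_matchstruct is unregistered twice (once here, once again at out_unreg_tcp). That leaves x_tables holding a pointer into a module that never finished loading; the label should read `xt_unregister_match(AF_INET, &udp_matchstruct);`, mirroring the order fini() uses. Separately, in tcp_find_option the step `else i += op[i+1]?:1;` reads op[i+1] without checking that `i + 1 < optlen`, so a packet whose last option byte is a kind >= 2 reads one byte past the option data skb_header_pointer() produced (past the end of the 40-byte _opt copy in the worst case); a guard such as `if (i + 1 >= optlen) break;` before the length read would bound it without changing the match result for well-formed options.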