/* * (C) 2012 by Hans Schillstrom * (C) 2012 by Pablo Neira Ayuso * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * Description: shared library add-on to iptables to add HMARK target support * * Initial development by Hans Schillstrom. Pablo's improvements to this piece * of software has been sponsored by Sophos Astaro . */ #include #include #include #include "xtables.h" #include static void HMARK_help(void) { printf( "HMARK target options, i.e. modify hash calculation by:\n" " --hmark-tuple [src|dst|sport|dport|spi|proto|ct][,...]\n" " --hmark-mod value nfmark modulus value\n" " --hmark-offset value Last action add value to nfmark\n\n" " --hmark-rnd Random see for hashing\n" " Alternatively, fine tuning of what will be included in hash calculation\n" " --hmark-src-prefix length Source address mask CIDR prefix\n" " --hmark-dst-prefix length Dest address mask CIDR prefix\n" " --hmark-sport-mask value Mask src port with value\n" " --hmark-dport-mask value Mask dst port with value\n" " --hmark-spi-mask value For esp and ah AND spi with value\n" " --hmark-sport value OR src port with value\n" " --hmark-dport value OR dst port with value\n" " --hmark-spi value For esp and ah OR spi with value\n" " --hmark-proto-mask value Mask Protocol with value\n"); } #define hi struct xt_hmark_info enum { O_HMARK_SADDR_MASK, O_HMARK_DADDR_MASK, O_HMARK_SPI, O_HMARK_SPI_MASK, O_HMARK_SPORT, O_HMARK_DPORT, O_HMARK_SPORT_MASK, O_HMARK_DPORT_MASK, O_HMARK_PROTO_MASK, O_HMARK_RND, O_HMARK_MODULUS, O_HMARK_OFFSET, O_HMARK_CT, O_HMARK_TYPE, }; #define HMARK_OPT_PKT_MASK \ ((1 << O_HMARK_SADDR_MASK) | \ (1 << O_HMARK_DADDR_MASK) | \ (1 << O_HMARK_SPI_MASK) | \ (1 << O_HMARK_SPORT_MASK) | \ (1 << O_HMARK_DPORT_MASK) | \ (1 << O_HMARK_PROTO_MASK) | \ (1 << O_HMARK_SPI_MASK) | \ (1 << O_HMARK_SPORT) | \ (1 << O_HMARK_DPORT) | \ (1 << O_HMARK_SPI)) static const struct xt_option_entry HMARK_opts[] = { { .name = "hmark-tuple", .type = XTTYPE_STRING, .id = O_HMARK_TYPE, }, { .name = "hmark-src-prefix", .type = XTTYPE_PLENMASK, .id = O_HMARK_SADDR_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(hi, src_mask) }, { .name = "hmark-dst-prefix", .type = XTTYPE_PLENMASK, .id = O_HMARK_DADDR_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(hi, dst_mask) }, { .name = "hmark-sport-mask", .type = XTTYPE_UINT16, .id = O_HMARK_SPORT_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.p16.src) }, { .name = "hmark-dport-mask", .type = XTTYPE_UINT16, .id = O_HMARK_DPORT_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.p16.dst) }, { .name = "hmark-spi-mask", .type = XTTYPE_UINT32, .id = O_HMARK_SPI_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.v32) }, { .name = "hmark-sport", .type = XTTYPE_UINT16, .id = O_HMARK_SPORT, .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.p16.src) }, { .name = "hmark-dport", .type = XTTYPE_UINT16, .id = O_HMARK_DPORT, .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.p16.dst) }, { .name = "hmark-spi", .type = XTTYPE_UINT32, .id = O_HMARK_SPI, .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.v32) }, { .name = "hmark-proto-mask", .type = XTTYPE_UINT16, .id = O_HMARK_PROTO_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(hi, proto_mask) }, { .name = "hmark-rnd", .type = XTTYPE_UINT32, .id = O_HMARK_RND, .flags = XTOPT_PUT, XTOPT_POINTER(hi, hashrnd) }, { .name = "hmark-mod", .type = XTTYPE_UINT32, .id = O_HMARK_MODULUS, .min = 1, .flags = XTOPT_PUT | XTOPT_MAND, XTOPT_POINTER(hi, hmodulus) }, { .name = "hmark-offset", .type = XTTYPE_UINT32, .id = O_HMARK_OFFSET, .flags = XTOPT_PUT, XTOPT_POINTER(hi, hoffset) }, XTOPT_TABLEEND, }; static int hmark_parse(const char *type, size_t len, struct xt_hmark_info *info, unsigned int *xflags) { if (strncasecmp(type, "ct", len) == 0) { info->flags |= XT_HMARK_FLAG(XT_HMARK_CT); *xflags |= (1 << O_HMARK_CT); } else if (strncasecmp(type, "src", len) == 0) { memset(&info->src_mask, 0xff, sizeof(info->src_mask)); info->flags |= XT_HMARK_FLAG(XT_HMARK_SADDR_MASK); *xflags |= (1 << O_HMARK_SADDR_MASK); } else if (strncasecmp(type, "dst", len) == 0) { memset(&info->dst_mask, 0xff, sizeof(info->dst_mask)); info->flags |= XT_HMARK_FLAG(XT_HMARK_DADDR_MASK); *xflags |= (1 << O_HMARK_DADDR_MASK); } else if (strncasecmp(type, "sport", len) == 0) { memset(&info->port_mask.p16.src, 0xff, sizeof(info->port_mask.p16.src)); info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT_MASK); *xflags |= (1 << O_HMARK_SPORT_MASK); } else if (strncasecmp(type, "dport", len) == 0) { memset(&info->port_mask.p16.dst, 0xff, sizeof(info->port_mask.p16.dst)); info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT_MASK); *xflags |= (1 << O_HMARK_DPORT_MASK); } else if (strncasecmp(type, "proto", len) == 0) { memset(&info->proto_mask, 0xff, sizeof(info->proto_mask)); info->flags |= XT_HMARK_FLAG(XT_HMARK_PROTO_MASK); *xflags |= (1 << O_HMARK_PROTO_MASK); } else if (strncasecmp(type, "spi", len) == 0) { memset(&info->port_mask.v32, 0xff, sizeof(info->port_mask.v32)); info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI_MASK); *xflags |= (1 << O_HMARK_SPI_MASK); } else return 0; return 1; } static void hmark_parse_type(struct xt_option_call *cb) { const char *arg = cb->arg; struct xt_hmark_info *info = cb->data; const char *comma; while ((comma = strchr(arg, ',')) != NULL) { if (comma == arg || !hmark_parse(arg, comma-arg, info, &cb->xflags)) xtables_error(PARAMETER_PROBLEM, "Bad type \"%s\"", arg); arg = comma+1; } if (!*arg) xtables_error(PARAMETER_PROBLEM, "\"--hmark-tuple\" requires " "a list of types with no " "spaces, e.g. " "src,dst,sport,dport,proto"); if (strlen(arg) == 0 || !hmark_parse(arg, strlen(arg), info, &cb->xflags)) xtables_error(PARAMETER_PROBLEM, "Bad type \"%s\"", arg); } static void HMARK_parse(struct xt_option_call *cb, int plen) { struct xt_hmark_info *info = cb->data; xtables_option_parse(cb); switch (cb->entry->id) { case O_HMARK_TYPE: hmark_parse_type(cb); break; case O_HMARK_SADDR_MASK: info->flags |= XT_HMARK_FLAG(XT_HMARK_SADDR_MASK); break; case O_HMARK_DADDR_MASK: info->flags |= XT_HMARK_FLAG(XT_HMARK_DADDR_MASK); break; case O_HMARK_SPI: info->port_set.v32 = htonl(cb->val.u32); info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI); break; case O_HMARK_SPORT: info->port_set.p16.src = htons(cb->val.u16); info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT); break; case O_HMARK_DPORT: info->port_set.p16.dst = htons(cb->val.u16); info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT); break; case O_HMARK_SPORT_MASK: info->port_mask.p16.src = htons(cb->val.u16); info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT_MASK); break; case O_HMARK_DPORT_MASK: info->port_mask.p16.dst = htons(cb->val.u16); info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT_MASK); break; case O_HMARK_SPI_MASK: info->port_mask.v32 = htonl(cb->val.u32); info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI_MASK); break; case O_HMARK_PROTO_MASK: info->flags |= XT_HMARK_FLAG(XT_HMARK_PROTO_MASK); break; case O_HMARK_RND: info->flags |= XT_HMARK_FLAG(XT_HMARK_RND); break; case O_HMARK_MODULUS: info->flags |= XT_HMARK_FLAG(XT_HMARK_MODULUS); break; case O_HMARK_OFFSET: info->flags |= XT_HMARK_FLAG(XT_HMARK_OFFSET); break; case O_HMARK_CT: info->flags |= XT_HMARK_FLAG(XT_HMARK_CT); break; } cb->xflags |= (1 << cb->entry->id); } static void HMARK_ip4_parse(struct xt_option_call *cb) { HMARK_parse(cb, 32); } static void HMARK_ip6_parse(struct xt_option_call *cb) { HMARK_parse(cb, 128); } static void HMARK_check(struct xt_fcheck_call *cb) { if (!(cb->xflags & (1 << O_HMARK_MODULUS))) xtables_error(PARAMETER_PROBLEM, "--hmark-mod is mandatory"); if (!(cb->xflags & (1 << O_HMARK_RND))) xtables_error(PARAMETER_PROBLEM, "--hmark-rnd is mandatory"); if (cb->xflags & (1 << O_HMARK_SPI_MASK) && (cb->xflags & ((1 << O_HMARK_SPORT_MASK) | (1 << O_HMARK_DPORT_MASK)))) xtables_error(PARAMETER_PROBLEM, "you cannot use " "--hmark-spi-mask and --hmark-?port-mask," "at the same time"); if (!((cb->xflags & HMARK_OPT_PKT_MASK) || cb->xflags & (1 << O_HMARK_CT))) xtables_error(PARAMETER_PROBLEM, "you have to specify " "--hmark-tuple at least"); } static void HMARK_print(const struct xt_hmark_info *info) { if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK)) printf("sport-mask 0x%x ", htons(info->port_mask.p16.src)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK)) printf("dport-mask 0x%x ", htons(info->port_mask.p16.dst)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK)) printf("spi-mask 0x%x ", htonl(info->port_mask.v32)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT)) printf("sport 0x%x ", htons(info->port_set.p16.src)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT)) printf("dport 0x%x ", htons(info->port_set.p16.dst)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI)) printf("spi 0x%x ", htonl(info->port_set.v32)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK)) printf("proto-mask 0x%x ", info->proto_mask); if (info->flags & XT_HMARK_FLAG(XT_HMARK_RND)) printf("rnd 0x%x ", info->hashrnd); } static void HMARK_ip6_print(const void *ip, const struct xt_entry_target *target, int numeric) { const struct xt_hmark_info *info = (const struct xt_hmark_info *)target->data; printf(" HMARK "); if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS)) printf("mod %u ", info->hmodulus); if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET)) printf("+ 0x%x ", info->hoffset); if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT)) printf("ct, "); if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) printf("src-prefix %s ", xtables_ip6mask_to_numeric(&info->src_mask.in6) + 1); if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) printf("dst-prefix %s ", xtables_ip6mask_to_numeric(&info->dst_mask.in6) + 1); HMARK_print(info); } static void HMARK_ip4_print(const void *ip, const struct xt_entry_target *target, int numeric) { const struct xt_hmark_info *info = (const struct xt_hmark_info *)target->data; printf(" HMARK "); if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS)) printf("mod %u ", info->hmodulus); if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET)) printf("+ 0x%x ", info->hoffset); if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT)) printf("ct, "); if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) printf("src-prefix %u ", xtables_ipmask_to_cidr(&info->src_mask.in)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) printf("dst-prefix %u ", xtables_ipmask_to_cidr(&info->dst_mask.in)); HMARK_print(info); } static void HMARK_save(const struct xt_hmark_info *info) { if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK)) printf(" --hmark-sport-mask 0x%04x", htons(info->port_mask.p16.src)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK)) printf(" --hmark-dport-mask 0x%04x", htons(info->port_mask.p16.dst)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK)) printf(" --hmark-spi-mask 0x%08x", htonl(info->port_mask.v32)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT)) printf(" --hmark-sport 0x%04x", htons(info->port_set.p16.src)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT)) printf(" --hmark-dport 0x%04x", htons(info->port_set.p16.dst)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI)) printf(" --hmark-spi 0x%08x", htonl(info->port_set.v32)); if (info->flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK)) printf(" --hmark-proto-mask 0x%02x", info->proto_mask); if (info->flags & XT_HMARK_FLAG(XT_HMARK_RND)) printf(" --hmark-rnd 0x%08x", info->hashrnd); if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS)) printf(" --hmark-mod %u", info->hmodulus); if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET)) printf(" --hmark-offset %u", info->hoffset); if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT)) printf(" --hmark-tuple ct"); } static void HMARK_ip6_save(const void *ip, const struct xt_entry_target *target) { const struct xt_hmark_info *info = (const struct xt_hmark_info *)target->data; int ret; if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) { ret = xtables_ip6mask_to_cidr(&info->src_mask.in6); printf(" --hmark-src-prefix %d", ret); } if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) { ret = xtables_ip6mask_to_cidr(&info->dst_mask.in6); printf(" --hmark-dst-prefix %d", ret); } HMARK_save(info); } static void HMARK_ip4_save(const void *ip, const struct xt_entry_target *target) { const struct xt_hmark_info *info = (const struct xt_hmark_info *)target->data; int ret; if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) { ret = xtables_ipmask_to_cidr(&info->src_mask.in); printf(" --hmark-src-prefix %d", ret); } if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) { ret = xtables_ipmask_to_cidr(&info->dst_mask.in); printf(" --hmark-dst-prefix %d", ret); } HMARK_save(info); } static struct xtables_target mark_tg_reg[] = { { .family = NFPROTO_IPV4, .name = "HMARK", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_hmark_info)), .userspacesize = XT_ALIGN(sizeof(struct xt_hmark_info)), .help = HMARK_help, .print = HMARK_ip4_print, .save = HMARK_ip4_save, .x6_parse = HMARK_ip4_parse, .x6_fcheck = HMARK_check, .x6_options = HMARK_opts, }, { .family = NFPROTO_IPV6, .name = "HMARK", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_hmark_info)), .userspacesize = XT_ALIGN(sizeof(struct xt_hmark_info)), .help = HMARK_help, .print = HMARK_ip6_print, .save = HMARK_ip6_save, .x6_parse = HMARK_ip6_parse, .x6_fcheck = HMARK_check, .x6_options = HMARK_opts, }, }; void _init(void) { xtables_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); }