2 * Copyright (c) 2005-2013 Patrick McHardy <kaber@trash.net>
11 #include <linux/netfilter/xt_policy.h>
24 F_STRICT = 1 << O_STRICT,
27 static void policy_help(void)
30 "policy match options:\n"
31 " --dir in|out match policy applied during decapsulation/\n"
32 " policy to be applied during encapsulation\n"
33 " --pol none|ipsec match policy\n"
34 " --strict match entire policy instead of single element\n"
36 "These options may be used repeatedly, to describe policy elements:\n"
37 "[!] --reqid reqid match reqid\n"
38 "[!] --spi spi match SPI\n"
39 "[!] --proto proto match protocol (ah/esp/ipcomp)\n"
40 "[!] --mode mode match mode (transport/tunnel)\n"
41 "[!] --tunnel-src addr/mask match tunnel source\n"
42 "[!] --tunnel-dst addr/mask match tunnel destination\n"
43 " --next begin next element in policy\n");
46 static const struct xt_option_entry policy_opts[] = {
47 {.name = "dir", .id = O_DIRECTION, .type = XTTYPE_STRING},
48 {.name = "pol", .id = O_POLICY, .type = XTTYPE_STRING},
49 {.name = "strict", .id = O_STRICT, .type = XTTYPE_NONE},
50 {.name = "reqid", .id = O_REQID, .type = XTTYPE_UINT32,
51 .flags = XTOPT_MULTI | XTOPT_INVERT},
52 {.name = "spi", .id = O_SPI, .type = XTTYPE_UINT32,
53 .flags = XTOPT_MULTI | XTOPT_INVERT},
54 {.name = "tunnel-src", .id = O_TUNNELSRC, .type = XTTYPE_HOSTMASK,
55 .flags = XTOPT_MULTI | XTOPT_INVERT},
56 {.name = "tunnel-dst", .id = O_TUNNELDST, .type = XTTYPE_HOSTMASK,
57 .flags = XTOPT_MULTI | XTOPT_INVERT},
58 {.name = "proto", .id = O_PROTO, .type = XTTYPE_PROTOCOL,
59 .flags = XTOPT_MULTI | XTOPT_INVERT},
60 {.name = "mode", .id = O_MODE, .type = XTTYPE_STRING,
61 .flags = XTOPT_MULTI | XTOPT_INVERT},
62 {.name = "next", .id = O_NEXT, .type = XTTYPE_NONE,
63 .flags = XTOPT_MULTI, .also = F_STRICT},
67 static int parse_direction(const char *s)
69 if (strcmp(s, "in") == 0)
70 return XT_POLICY_MATCH_IN;
71 if (strcmp(s, "out") == 0)
72 return XT_POLICY_MATCH_OUT;
73 xtables_error(PARAMETER_PROBLEM, "policy_match: invalid dir \"%s\"", s);
76 static int parse_policy(const char *s)
78 if (strcmp(s, "none") == 0)
79 return XT_POLICY_MATCH_NONE;
80 if (strcmp(s, "ipsec") == 0)
82 xtables_error(PARAMETER_PROBLEM, "policy match: invalid policy \"%s\"", s);
85 static int parse_mode(const char *s)
87 if (strcmp(s, "transport") == 0)
88 return XT_POLICY_MODE_TRANSPORT;
89 if (strcmp(s, "tunnel") == 0)
90 return XT_POLICY_MODE_TUNNEL;
91 xtables_error(PARAMETER_PROBLEM, "policy match: invalid mode \"%s\"", s);
94 static void policy_parse(struct xt_option_call *cb)
96 struct xt_policy_info *info = cb->data;
97 struct xt_policy_elem *e = &info->pol[info->len];
99 xtables_option_parse(cb);
100 switch (cb->entry->id) {
102 info->flags |= parse_direction(cb->arg);
105 info->flags |= parse_policy(cb->arg);
108 info->flags |= XT_POLICY_MATCH_STRICT;
112 xtables_error(PARAMETER_PROBLEM,
113 "policy match: double --reqid option");
115 e->invert.reqid = cb->invert;
116 e->reqid = cb->val.u32;
120 xtables_error(PARAMETER_PROBLEM,
121 "policy match: double --spi option");
123 e->invert.spi = cb->invert;
124 e->spi = cb->val.u32;
128 xtables_error(PARAMETER_PROBLEM,
129 "policy match: double --tunnel-src option");
132 e->invert.saddr = cb->invert;
133 memcpy(&e->saddr, &cb->val.haddr, sizeof(cb->val.haddr));
134 memcpy(&e->smask, &cb->val.hmask, sizeof(cb->val.hmask));
138 xtables_error(PARAMETER_PROBLEM,
139 "policy match: double --tunnel-dst option");
141 e->invert.daddr = cb->invert;
142 memcpy(&e->daddr, &cb->val.haddr, sizeof(cb->val.haddr));
143 memcpy(&e->dmask, &cb->val.hmask, sizeof(cb->val.hmask));
147 xtables_error(PARAMETER_PROBLEM,
148 "policy match: double --proto option");
149 e->proto = cb->val.protocol;
150 if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
151 e->proto != IPPROTO_COMP)
152 xtables_error(PARAMETER_PROBLEM,
153 "policy match: protocol must be ah/esp/ipcomp");
155 e->invert.proto = cb->invert;
159 xtables_error(PARAMETER_PROBLEM,
160 "policy match: double --mode option");
162 e->invert.mode = cb->invert;
163 e->mode = parse_mode(cb->arg);
166 if (++info->len == XT_POLICY_MAX_ELEM)
167 xtables_error(PARAMETER_PROBLEM,
168 "policy match: maximum policy depth reached");
173 static void policy_check(struct xt_fcheck_call *cb)
175 struct xt_policy_info *info = cb->data;
176 const struct xt_policy_elem *e;
180 * The old "no parameters given" check is carried out
181 * by testing for --dir.
183 if (!(info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT)))
184 xtables_error(PARAMETER_PROBLEM,
185 "policy match: neither --dir in nor --dir out specified");
187 if (info->flags & XT_POLICY_MATCH_NONE) {
188 if (info->flags & XT_POLICY_MATCH_STRICT)
189 xtables_error(PARAMETER_PROBLEM,
190 "policy match: policy none but --strict given");
193 xtables_error(PARAMETER_PROBLEM,
194 "policy match: policy none but policy given");
196 info->len++; /* increase len by 1, no --next after last element */
199 * This is already represented with O_NEXT requiring F_STRICT in the
200 * options table, but will keep this code as a comment for reference.
202 if (!(info->flags & XT_POLICY_MATCH_STRICT) && info->len > 1)
203 xtables_error(PARAMETER_PROBLEM,
204 "policy match: multiple elements but no --strict");
207 for (i = 0; i < info->len; i++) {
210 if (info->flags & XT_POLICY_MATCH_STRICT &&
211 !(e->match.reqid || e->match.spi || e->match.saddr ||
212 e->match.daddr || e->match.proto || e->match.mode))
213 xtables_error(PARAMETER_PROBLEM,
214 "policy match: empty policy element %u. "
215 "--strict is in effect, but at least one of "
216 "reqid, spi, tunnel-src, tunnel-dst, proto or "
217 "mode is required.", i);
219 if ((e->match.saddr || e->match.daddr)
220 && ((e->mode == XT_POLICY_MODE_TUNNEL && e->invert.mode) ||
221 (e->mode == XT_POLICY_MODE_TRANSPORT && !e->invert.mode)))
222 xtables_error(PARAMETER_PROBLEM,
223 "policy match: --tunnel-src/--tunnel-dst "
224 "is only valid in tunnel mode");
228 static void print_mode(const char *prefix, uint8_t mode, int numeric)
230 printf(" %smode ", prefix);
233 case XT_POLICY_MODE_TRANSPORT:
236 case XT_POLICY_MODE_TUNNEL:
245 static void print_proto(const char *prefix, uint8_t proto, int numeric)
247 const struct protoent *p = NULL;
249 printf(" %sproto ", prefix);
251 p = getprotobynumber(proto);
253 printf("%s", p->p_name);
258 #define PRINT_INVERT(x) \
264 static void print_entry(const char *prefix, const struct xt_policy_elem *e,
265 bool numeric, uint8_t family)
267 if (e->match.reqid) {
268 PRINT_INVERT(e->invert.reqid);
269 printf(" %sreqid %u", prefix, e->reqid);
272 PRINT_INVERT(e->invert.spi);
273 printf(" %sspi 0x%x", prefix, e->spi);
275 if (e->match.proto) {
276 PRINT_INVERT(e->invert.proto);
277 print_proto(prefix, e->proto, numeric);
280 PRINT_INVERT(e->invert.mode);
281 print_mode(prefix, e->mode, numeric);
283 if (e->match.daddr) {
284 PRINT_INVERT(e->invert.daddr);
285 if (family == NFPROTO_IPV6)
286 printf(" %stunnel-dst %s%s", prefix,
287 xtables_ip6addr_to_numeric(&e->daddr.a6),
288 xtables_ip6mask_to_numeric(&e->dmask.a6));
290 printf(" %stunnel-dst %s%s", prefix,
291 xtables_ipaddr_to_numeric(&e->daddr.a4),
292 xtables_ipmask_to_numeric(&e->dmask.a4));
294 if (e->match.saddr) {
295 PRINT_INVERT(e->invert.saddr);
296 if (family == NFPROTO_IPV6)
297 printf(" %stunnel-src %s%s", prefix,
298 xtables_ip6addr_to_numeric(&e->saddr.a6),
299 xtables_ip6mask_to_numeric(&e->smask.a6));
301 printf(" %stunnel-src %s%s", prefix,
302 xtables_ipaddr_to_numeric(&e->saddr.a4),
303 xtables_ipmask_to_numeric(&e->smask.a4));
307 static void print_flags(const char *prefix, const struct xt_policy_info *info)
309 if (info->flags & XT_POLICY_MATCH_IN)
310 printf(" %sdir in", prefix);
312 printf(" %sdir out", prefix);
314 if (info->flags & XT_POLICY_MATCH_NONE)
315 printf(" %spol none", prefix);
317 printf(" %spol ipsec", prefix);
319 if (info->flags & XT_POLICY_MATCH_STRICT)
320 printf(" %sstrict", prefix);
323 static void policy4_print(const void *ip, const struct xt_entry_match *match,
326 const struct xt_policy_info *info = (void *)match->data;
329 printf(" policy match");
330 print_flags("", info);
331 for (i = 0; i < info->len; i++) {
334 print_entry("", &info->pol[i], numeric, NFPROTO_IPV4);
338 static void policy6_print(const void *ip, const struct xt_entry_match *match,
341 const struct xt_policy_info *info = (void *)match->data;
344 printf(" policy match");
345 print_flags("", info);
346 for (i = 0; i < info->len; i++) {
349 print_entry("", &info->pol[i], numeric, NFPROTO_IPV6);
353 static void policy4_save(const void *ip, const struct xt_entry_match *match)
355 const struct xt_policy_info *info = (void *)match->data;
358 print_flags("--", info);
359 for (i = 0; i < info->len; i++) {
360 print_entry("--", &info->pol[i], false, NFPROTO_IPV4);
361 if (i + 1 < info->len)
366 static void policy6_save(const void *ip, const struct xt_entry_match *match)
368 const struct xt_policy_info *info = (void *)match->data;
371 print_flags("--", info);
372 for (i = 0; i < info->len; i++) {
373 print_entry("--", &info->pol[i], false, NFPROTO_IPV6);
374 if (i + 1 < info->len)
379 static struct xtables_match policy_mt_reg[] = {
382 .version = XTABLES_VERSION,
383 .family = NFPROTO_IPV4,
384 .size = XT_ALIGN(sizeof(struct xt_policy_info)),
385 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
387 .x6_parse = policy_parse,
388 .x6_fcheck = policy_check,
389 .print = policy4_print,
390 .save = policy4_save,
391 .x6_options = policy_opts,
395 .version = XTABLES_VERSION,
396 .family = NFPROTO_IPV6,
397 .size = XT_ALIGN(sizeof(struct xt_policy_info)),
398 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
400 .x6_parse = policy_parse,
401 .x6_fcheck = policy_check,
402 .print = policy6_print,
403 .save = policy6_save,
404 .x6_options = policy_opts,
410 xtables_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg));