extensions/libxt_recent.c

   1 #include <stdbool.h>
   2 #include <stdio.h>
   3 #include <string.h>
   4 #include <xtables.h>
   5 #include <linux/netfilter/xt_recent.h>
   6
   7 enum {
   8         O_SET = 0,
   9         O_RCHECK,
  10         O_UPDATE,
  11         O_REMOVE,
  12         O_SECONDS,
  13         O_REAP,
  14         O_HITCOUNT,
  15         O_RTTL,
  16         O_NAME,
  17         O_RSOURCE,
  18         O_RDEST,
  19         O_MASK,
  20         F_SET    = 1 << O_SET,
  21         F_RCHECK = 1 << O_RCHECK,
  22         F_UPDATE = 1 << O_UPDATE,
  23         F_REMOVE = 1 << O_REMOVE,
  24         F_SECONDS = 1 << O_SECONDS,
  25         F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE,
  26 };
  27
  28 #define s struct xt_recent_mtinfo
  29 static const struct xt_option_entry recent_opts_v0[] = {
  30         {.name = "set", .id = O_SET, .type = XTTYPE_NONE,
  31          .excl = F_ANY_OP, .flags = XTOPT_INVERT},
  32         {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE,
  33          .excl = F_ANY_OP, .flags = XTOPT_INVERT},
  34         {.name = "update", .id = O_UPDATE, .type = XTTYPE_NONE,
  35          .excl = F_ANY_OP, .flags = XTOPT_INVERT},
  36         {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
  37          .excl = F_ANY_OP, .flags = XTOPT_INVERT},
  38         {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
  39          .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1},
  40         {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
  41          .also = F_SECONDS },
  42         {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
  43          .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
  44         {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
  45          .excl = F_SET | F_REMOVE},
  46         {.name = "name", .id = O_NAME, .type = XTTYPE_STRING,
  47          .flags = XTOPT_PUT, XTOPT_POINTER(s, name)},
  48         {.name = "rsource", .id = O_RSOURCE, .type = XTTYPE_NONE},
  49         {.name = "rdest", .id = O_RDEST, .type = XTTYPE_NONE},
  50         XTOPT_TABLEEND,
  51 };
  52 #undef s
  53
  54 #define s struct xt_recent_mtinfo_v1
  55 static const struct xt_option_entry recent_opts_v1[] = {
  56         {.name = "set", .id = O_SET, .type = XTTYPE_NONE,
  57          .excl = F_ANY_OP, .flags = XTOPT_INVERT},
  58         {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE,
  59          .excl = F_ANY_OP, .flags = XTOPT_INVERT},
  60         {.name = "update", .id = O_UPDATE, .type = XTTYPE_NONE,
  61          .excl = F_ANY_OP, .flags = XTOPT_INVERT},
  62         {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
  63          .excl = F_ANY_OP, .flags = XTOPT_INVERT},
  64         {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
  65          .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1},
  66         {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
  67          .also = F_SECONDS },
  68         {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
  69          .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
  70         {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
  71          .excl = F_SET | F_REMOVE},
  72         {.name = "name", .id = O_NAME, .type = XTTYPE_STRING,
  73          .flags = XTOPT_PUT, XTOPT_POINTER(s, name)},
  74         {.name = "rsource", .id = O_RSOURCE, .type = XTTYPE_NONE},
  75         {.name = "rdest", .id = O_RDEST, .type = XTTYPE_NONE},
  76         {.name = "mask", .id = O_MASK, .type = XTTYPE_HOST,
  77          .flags = XTOPT_PUT, XTOPT_POINTER(s, mask)},
  78         XTOPT_TABLEEND,
  79 };
  80 #undef s
  81
  82 static void recent_help(void)
  83 {
  84         printf(
  85 "recent match options:\n"
  86 "[!] --set                       Add source address to list, always matches.\n"
  87 "[!] --rcheck                    Match if source address in list.\n"
  88 "[!] --update                    Match if source address in list, also update last-seen time.\n"
  89 "[!] --remove                    Match if source address in list, also removes that address from list.\n"
  90 "    --seconds seconds           For check and update commands above.\n"
  91 "                                Specifies that the match will only occur if source address last seen within\n"
  92 "                                the last 'seconds' seconds.\n"
  93 "    --reap                      Purge entries older then 'seconds'.\n"
  94 "                                Can only be used in conjunction with the seconds option.\n"
  95 "    --hitcount hits             For check and update commands above.\n"
  96 "                                Specifies that the match will only occur if source address seen hits times.\n"
  97 "                                May be used in conjunction with the seconds option.\n"
  98 "    --rttl                      For check and update commands above.\n"
  99 "                                Specifies that the match will only occur if the source address and the TTL\n"
 100 "                                match between this packet and the one which was set.\n"
 101 "                                Useful if you have problems with people spoofing their source address in order\n"
 102 "                                to DoS you via this module.\n"
 103 "    --name name                 Name of the recent list to be used.  DEFAULT used if none given.\n"
 104 "    --rsource                   Match/Save the source address of each packet in the recent list table (default).\n"
 105 "    --rdest                     Match/Save the destination address of each packet in the recent list table.\n"
 106 "    --mask netmask              Netmask that will be applied to this recent list.\n"
 107 "xt_recent by: Stephen Frost <sfrost@snowman.net>.\n");
 108 }
 109
 110 enum {
 111         XT_RECENT_REV_0 = 0,
 112         XT_RECENT_REV_1,
 113 };
 114
 115 static void recent_init(struct xt_entry_match *match, unsigned int rev)
 116 {
 117         struct xt_recent_mtinfo *info = (struct xt_recent_mtinfo *)match->data;
 118         struct xt_recent_mtinfo_v1 *info_v1 =
 119                 (struct xt_recent_mtinfo_v1 *)match->data;
 120
 121         strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
 122         /* even though XT_RECENT_NAME_LEN is currently defined as 200,
 123          * better be safe, than sorry */
 124         info->name[XT_RECENT_NAME_LEN-1] = '\0';
 125         info->side = XT_RECENT_SOURCE;
 126         if (rev == XT_RECENT_REV_1)
 127                 memset(&info_v1->mask, 0xFF, sizeof(info_v1->mask));
 128 }
 129
 130 static void recent_parse(struct xt_option_call *cb)
 131 {
 132         struct xt_recent_mtinfo *info = cb->data;
 133
 134         xtables_option_parse(cb);
 135         switch (cb->entry->id) {
 136         case O_SET:
 137                 info->check_set |= XT_RECENT_SET;
 138                 if (cb->invert)
 139                         info->invert = true;
 140                 break;
 141         case O_RCHECK:
 142                 info->check_set |= XT_RECENT_CHECK;
 143                 if (cb->invert)
 144                         info->invert = true;
 145                 break;
 146         case O_UPDATE:
 147                 info->check_set |= XT_RECENT_UPDATE;
 148                 if (cb->invert)
 149                         info->invert = true;
 150                 break;
 151         case O_REMOVE:
 152                 info->check_set |= XT_RECENT_REMOVE;
 153                 if (cb->invert)
 154                         info->invert = true;
 155                 break;
 156         case O_RTTL:
 157                 info->check_set |= XT_RECENT_TTL;
 158                 break;
 159         case O_RSOURCE:
 160                 info->side = XT_RECENT_SOURCE;
 161                 break;
 162         case O_RDEST:
 163                 info->side = XT_RECENT_DEST;
 164                 break;
 165         case O_REAP:
 166                 info->check_set |= XT_RECENT_REAP;
 167                 break;
 168         }
 169 }
 170
 171 static void recent_check(struct xt_fcheck_call *cb)
 172 {
 173         if (!(cb->xflags & F_ANY_OP))
 174                 xtables_error(PARAMETER_PROBLEM,
 175                         "recent: you must specify one of `--set', `--rcheck' "
 176                         "`--update' or `--remove'");
 177 }
 178
 179 static void recent_print(const void *ip, const struct xt_entry_match *match,
 180                          unsigned int family)
 181 {
 182         const struct xt_recent_mtinfo_v1 *info = (const void *)match->data;
 183
 184         if (info->invert)
 185                 printf(" !");
 186
 187         printf(" recent:");
 188         if (info->check_set & XT_RECENT_SET)
 189                 printf(" SET");
 190         if (info->check_set & XT_RECENT_CHECK)
 191                 printf(" CHECK");
 192         if (info->check_set & XT_RECENT_UPDATE)
 193                 printf(" UPDATE");
 194         if (info->check_set & XT_RECENT_REMOVE)
 195                 printf(" REMOVE");
 196         if(info->seconds) printf(" seconds: %d", info->seconds);
 197         if (info->check_set & XT_RECENT_REAP)
 198                 printf(" reap");
 199         if(info->hit_count) printf(" hit_count: %d", info->hit_count);
 200         if (info->check_set & XT_RECENT_TTL)
 201                 printf(" TTL-Match");
 202         printf(" name: %s", info->name);
 203         if (info->side == XT_RECENT_SOURCE)
 204                 printf(" side: source");
 205         if (info->side == XT_RECENT_DEST)
 206                 printf(" side: dest");
 207
 208         switch(family) {
 209         case NFPROTO_IPV4:
 210                 printf(" mask: %s",
 211                         xtables_ipaddr_to_numeric(&info->mask.in));
 212                 break;
 213         case NFPROTO_IPV6:
 214                 printf(" mask: %s",
 215                         xtables_ip6addr_to_numeric(&info->mask.in6));
 216                 break;
 217         }
 218 }
 219
 220 static void recent_save(const void *ip, const struct xt_entry_match *match,
 221                         unsigned int family)
 222 {
 223         const struct xt_recent_mtinfo_v1 *info = (const void *)match->data;
 224
 225         if (info->invert)
 226                 printf(" !");
 227
 228         if (info->check_set & XT_RECENT_SET)
 229                 printf(" --set");
 230         if (info->check_set & XT_RECENT_CHECK)
 231                 printf(" --rcheck");
 232         if (info->check_set & XT_RECENT_UPDATE)
 233                 printf(" --update");
 234         if (info->check_set & XT_RECENT_REMOVE)
 235                 printf(" --remove");
 236         if(info->seconds) printf(" --seconds %d", info->seconds);
 237         if (info->check_set & XT_RECENT_REAP)
 238                 printf(" --reap");
 239         if(info->hit_count) printf(" --hitcount %d", info->hit_count);
 240         if (info->check_set & XT_RECENT_TTL)
 241                 printf(" --rttl");
 242         printf(" --name %s",info->name);
 243
 244         switch(family) {
 245         case NFPROTO_IPV4:
 246                 printf(" --mask %s",
 247                         xtables_ipaddr_to_numeric(&info->mask.in));
 248                 break;
 249         case NFPROTO_IPV6:
 250                 printf(" --mask %s",
 251                         xtables_ip6addr_to_numeric(&info->mask.in6));
 252                 break;
 253         }
 254
 255         if (info->side == XT_RECENT_SOURCE)
 256                 printf(" --rsource");
 257         if (info->side == XT_RECENT_DEST)
 258                 printf(" --rdest");
 259 }
 260
 261 static void recent_init_v0(struct xt_entry_match *match)
 262 {
 263         recent_init(match, XT_RECENT_REV_0);
 264 }
 265
 266 static void recent_init_v1(struct xt_entry_match *match)
 267 {
 268         recent_init(match, XT_RECENT_REV_1);
 269 }
 270
 271 static void recent_save_v0(const void *ip, const struct xt_entry_match *match)
 272 {
 273         recent_save(ip, match, NFPROTO_UNSPEC);
 274 }
 275
 276 static void recent_save_v4(const void *ip, const struct xt_entry_match *match)
 277 {
 278         recent_save(ip, match, NFPROTO_IPV4);
 279 }
 280
 281 static void recent_save_v6(const void *ip, const struct xt_entry_match *match)
 282 {
 283         recent_save(ip, match, NFPROTO_IPV6);
 284 }
 285
 286 static void recent_print_v0(const void *ip, const struct xt_entry_match *match,
 287                             int numeric)
 288 {
 289         recent_print(ip, match, NFPROTO_UNSPEC);
 290 }
 291
 292 static void recent_print_v4(const void *ip, const struct xt_entry_match *match,
 293                          int numeric)
 294 {
 295         recent_print(ip, match, NFPROTO_IPV4);
 296 }
 297
 298 static void recent_print_v6(const void *ip, const struct xt_entry_match *match,
 299                          int numeric)
 300 {
 301         recent_print(ip, match, NFPROTO_IPV6);
 302 }
 303
 304 static struct xtables_match recent_mt_reg[] = {
 305         {
 306                 .name          = "recent",
 307                 .version       = XTABLES_VERSION,
 308                 .revision      = 0,
 309                 .family        = NFPROTO_UNSPEC,
 310                 .size          = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
 311                 .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
 312                 .help          = recent_help,
 313                 .init          = recent_init_v0,
 314                 .x6_parse      = recent_parse,
 315                 .x6_fcheck     = recent_check,
 316                 .print         = recent_print_v0,
 317                 .save          = recent_save_v0,
 318                 .x6_options    = recent_opts_v0,
 319         },
 320         {
 321                 .name          = "recent",
 322                 .version       = XTABLES_VERSION,
 323                 .revision      = 1,
 324                 .family        = NFPROTO_IPV4,
 325                 .size          = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
 326                 .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
 327                 .help          = recent_help,
 328                 .init          = recent_init_v1,
 329                 .x6_parse      = recent_parse,
 330                 .x6_fcheck     = recent_check,
 331                 .print         = recent_print_v4,
 332                 .save          = recent_save_v4,
 333                 .x6_options    = recent_opts_v1,
 334         },
 335         {
 336                 .name          = "recent",
 337                 .version       = XTABLES_VERSION,
 338                 .revision      = 1,
 339                 .family        = NFPROTO_IPV6,
 340                 .size          = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
 341                 .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
 342                 .help          = recent_help,
 343                 .init          = recent_init_v1,
 344                 .x6_parse      = recent_parse,
 345                 .x6_fcheck     = recent_check,
 346                 .print         = recent_print_v6,
 347                 .save          = recent_save_v6,
 348                 .x6_options    = recent_opts_v1,
 349         },
 350 };
 351
 352 void _init(void)
 353 {
 354         xtables_register_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
 355 }