1 /* Shared library add-on to iptables for SCTP matching
3 * (C) 2003 by Harald Welte <laforge@gnumonks.org>
5 * This program is distributed under the terms of GNU GPL v2, 1991
7 * libipt_ecn.c borrowed heavily from libipt_dscp.c
17 #include <netinet/in.h>
20 #include <linux/netfilter/xt_sctp.h>
23 #define DEBUGP(format, first...) printf(format, ##first)
26 #define DEBUGP(format, fist...)
30 print_chunk(u_int32_t chunknum, int numeric);
32 static void sctp_init(struct xt_entry_match *m)
35 struct xt_sctp_info *einfo = (struct xt_sctp_info *)m->data;
37 memset(einfo, 0, sizeof(struct xt_sctp_info));
39 for (i = 0; i < XT_NUM_SCTP_FLAGS; i++) {
40 einfo->flag_info[i].chunktype = -1;
44 static void sctp_help(void)
47 "sctp match options\n"
48 "[!] --source-port port[:port] match source port(s)\n"
50 "[!] --destination-port port[:port] match destination port(s)\n"
52 "[!] --chunk-types (all|any|none) (chunktype[:flags])+ match if all, any or none of\n"
53 " chunktypes are present\n"
54 "chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN ALL NONE\n");
57 static const struct option sctp_opts[] = {
58 { .name = "source-port", .has_arg = 1, .val = '1' },
59 { .name = "sport", .has_arg = 1, .val = '1' },
60 { .name = "destination-port", .has_arg = 1, .val = '2' },
61 { .name = "dport", .has_arg = 1, .val = '2' },
62 { .name = "chunk-types", .has_arg = 1, .val = '3' },
67 parse_sctp_ports(const char *portstring,
73 buffer = strdup(portstring);
74 DEBUGP("%s\n", portstring);
75 if ((cp = strchr(buffer, ':')) == NULL) {
76 ports[0] = ports[1] = xtables_parse_port(buffer, "sctp");
82 ports[0] = buffer[0] ? xtables_parse_port(buffer, "sctp") : 0;
83 ports[1] = cp[0] ? xtables_parse_port(cp, "sctp") : 0xFFFF;
85 if (ports[0] > ports[1])
86 xtables_error(PARAMETER_PROBLEM,
87 "invalid portrange (min > max)");
92 struct sctp_chunk_names {
94 unsigned int chunk_type;
95 const char *valid_flags;
98 /*'ALL' and 'NONE' will be treated specially. */
99 static const struct sctp_chunk_names sctp_chunk_names[]
100 = { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE"},
101 { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"},
102 { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"},
103 { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"},
104 { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"},
105 { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"},
106 { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"},
107 { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"},
108 { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"},
109 { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"},
110 { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"},
111 { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"},
112 { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"},
113 { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"},
114 { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"},
115 { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"},
116 { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"},
117 { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------"},
121 save_chunk_flag_info(struct xt_sctp_flag_info *flag_info,
129 for (i = 0; i < *flag_count; i++) {
130 if (flag_info[i].chunktype == chunktype) {
131 DEBUGP("Previous match found\n");
132 flag_info[i].chunktype = chunktype;
133 flag_info[i].flag_mask |= (1 << bit);
135 flag_info[i].flag |= (1 << bit);
142 if (*flag_count == XT_NUM_SCTP_FLAGS) {
143 xtables_error (PARAMETER_PROBLEM,
144 "Number of chunk types with flags exceeds currently allowed limit."
145 "Increasing this limit involves changing IPT_NUM_SCTP_FLAGS and"
146 "recompiling both the kernel space and user space modules\n");
149 flag_info[*flag_count].chunktype = chunktype;
150 flag_info[*flag_count].flag_mask |= (1 << bit);
152 flag_info[*flag_count].flag |= (1 << bit);
158 parse_sctp_chunk(struct xt_sctp_info *einfo,
167 buffer = strdup(chunks);
168 DEBUGP("Buffer: %s\n", buffer);
170 SCTP_CHUNKMAP_RESET(einfo->chunkmap);
172 if (!strcasecmp(buffer, "ALL")) {
173 SCTP_CHUNKMAP_SET_ALL(einfo->chunkmap);
177 if (!strcasecmp(buffer, "NONE")) {
178 SCTP_CHUNKMAP_RESET(einfo->chunkmap);
182 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
184 DEBUGP("Next Chunk type %s\n", ptr);
186 if ((chunk_flags = strchr(ptr, ':')) != NULL) {
190 for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i)
191 if (strcasecmp(sctp_chunk_names[i].name, ptr) == 0) {
192 DEBUGP("Chunk num %d\n", sctp_chunk_names[i].chunk_type);
193 SCTP_CHUNKMAP_SET(einfo->chunkmap,
194 sctp_chunk_names[i].chunk_type);
199 xtables_error(PARAMETER_PROBLEM,
200 "Unknown sctp chunk `%s'", ptr);
203 DEBUGP("Chunk flags %s\n", chunk_flags);
204 for (j = 0; j < strlen(chunk_flags); j++) {
208 if ((p = strchr(sctp_chunk_names[i].valid_flags,
209 toupper(chunk_flags[j]))) != NULL) {
210 bit = p - sctp_chunk_names[i].valid_flags;
213 save_chunk_flag_info(einfo->flag_info,
214 &(einfo->flag_count), i, bit,
215 isupper(chunk_flags[j]));
217 xtables_error(PARAMETER_PROBLEM,
218 "Invalid flags for chunk type %d\n", i);
228 parse_sctp_chunks(struct xt_sctp_info *einfo,
229 const char *match_type,
232 DEBUGP("Match type: %s Chunks: %s\n", match_type, chunks);
233 if (!strcasecmp(match_type, "ANY")) {
234 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ANY;
235 } else if (!strcasecmp(match_type, "ALL")) {
236 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ALL;
237 } else if (!strcasecmp(match_type, "ONLY")) {
238 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ONLY;
240 xtables_error (PARAMETER_PROBLEM,
241 "Match type has to be one of \"ALL\", \"ANY\" or \"ONLY\"");
244 SCTP_CHUNKMAP_RESET(einfo->chunkmap);
245 parse_sctp_chunk(einfo, chunks);
249 sctp_parse(int c, char **argv, int invert, unsigned int *flags,
250 const void *entry, struct xt_entry_match **match)
252 struct xt_sctp_info *einfo
253 = (struct xt_sctp_info *)(*match)->data;
257 if (*flags & XT_SCTP_SRC_PORTS)
258 xtables_error(PARAMETER_PROBLEM,
259 "Only one `--source-port' allowed");
260 einfo->flags |= XT_SCTP_SRC_PORTS;
261 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
262 parse_sctp_ports(optarg, einfo->spts);
264 einfo->invflags |= XT_SCTP_SRC_PORTS;
265 *flags |= XT_SCTP_SRC_PORTS;
269 if (*flags & XT_SCTP_DEST_PORTS)
270 xtables_error(PARAMETER_PROBLEM,
271 "Only one `--destination-port' allowed");
272 einfo->flags |= XT_SCTP_DEST_PORTS;
273 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
274 parse_sctp_ports(optarg, einfo->dpts);
276 einfo->invflags |= XT_SCTP_DEST_PORTS;
277 *flags |= XT_SCTP_DEST_PORTS;
281 if (*flags & XT_SCTP_CHUNK_TYPES)
282 xtables_error(PARAMETER_PROBLEM,
283 "Only one `--chunk-types' allowed");
284 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
287 || argv[optind][0] == '-' || argv[optind][0] == '!')
288 xtables_error(PARAMETER_PROBLEM,
289 "--chunk-types requires two args");
291 einfo->flags |= XT_SCTP_CHUNK_TYPES;
292 parse_sctp_chunks(einfo, optarg, argv[optind]);
294 einfo->invflags |= XT_SCTP_CHUNK_TYPES;
296 *flags |= XT_SCTP_CHUNK_TYPES;
306 port_to_service(int port)
308 struct servent *service;
310 if ((service = getservbyport(htons(port), "sctp")))
311 return service->s_name;
317 print_port(u_int16_t port, int numeric)
321 if (numeric || (service = port_to_service(port)) == NULL)
324 printf("%s", service);
328 print_ports(const char *name, u_int16_t min, u_int16_t max,
329 int invert, int numeric)
331 const char *inv = invert ? "!" : "";
333 if (min != 0 || max != 0xFFFF || invert) {
337 print_port(min, numeric);
340 print_port(min, numeric);
342 print_port(max, numeric);
349 print_chunk_flags(u_int32_t chunknum, u_int8_t chunk_flags, u_int8_t chunk_flags_mask)
353 DEBUGP("type: %d\tflags: %x\tflag mask: %x\n", chunknum, chunk_flags,
356 if (chunk_flags_mask) {
360 for (i = 7; i >= 0; i--) {
361 if (chunk_flags_mask & (1 << i)) {
362 if (chunk_flags & (1 << i)) {
363 printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
365 printf("%c", tolower(sctp_chunk_names[chunknum].valid_flags[7-i]));
372 print_chunk(u_int32_t chunknum, int numeric)
375 printf("0x%04X", chunknum);
380 for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i)
381 if (sctp_chunk_names[i].chunk_type == chunknum)
382 printf("%s", sctp_chunk_names[chunknum].name);
387 print_chunks(const struct xt_sctp_info *einfo, int numeric)
389 u_int32_t chunk_match_type = einfo->chunk_match_type;
390 const struct xt_sctp_flag_info *flag_info = einfo->flag_info;
391 int flag_count = einfo->flag_count;
395 switch (chunk_match_type) {
396 case SCTP_CHUNK_MATCH_ANY: printf("any "); break;
397 case SCTP_CHUNK_MATCH_ALL: printf("all "); break;
398 case SCTP_CHUNK_MATCH_ONLY: printf("only "); break;
399 default: printf("Never reach herer\n"); break;
402 if (SCTP_CHUNKMAP_IS_CLEAR(einfo->chunkmap)) {
407 if (SCTP_CHUNKMAP_IS_ALL_SET(einfo->chunkmap)) {
413 for (i = 0; i < 256; i++) {
414 if (SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, i)) {
418 print_chunk(i, numeric);
419 for (j = 0; j < flag_count; j++) {
420 if (flag_info[j].chunktype == i) {
421 print_chunk_flags(i, flag_info[j].flag,
422 flag_info[j].flag_mask);
435 sctp_print(const void *ip, const struct xt_entry_match *match, int numeric)
437 const struct xt_sctp_info *einfo =
438 (const struct xt_sctp_info *)match->data;
442 if (einfo->flags & XT_SCTP_SRC_PORTS) {
443 print_ports("spt", einfo->spts[0], einfo->spts[1],
444 einfo->invflags & XT_SCTP_SRC_PORTS,
448 if (einfo->flags & XT_SCTP_DEST_PORTS) {
449 print_ports("dpt", einfo->dpts[0], einfo->dpts[1],
450 einfo->invflags & XT_SCTP_DEST_PORTS,
454 if (einfo->flags & XT_SCTP_CHUNK_TYPES) {
455 /* FIXME: print_chunks() is used in save() where the printing of '!'
456 s taken care of, so we need to do that here as well */
457 if (einfo->invflags & XT_SCTP_CHUNK_TYPES) {
460 print_chunks(einfo, numeric);
464 static void sctp_save(const void *ip, const struct xt_entry_match *match)
466 const struct xt_sctp_info *einfo =
467 (const struct xt_sctp_info *)match->data;
469 if (einfo->flags & XT_SCTP_SRC_PORTS) {
470 if (einfo->invflags & XT_SCTP_SRC_PORTS)
472 if (einfo->spts[0] != einfo->spts[1])
473 printf("--sport %u:%u ",
474 einfo->spts[0], einfo->spts[1]);
476 printf("--sport %u ", einfo->spts[0]);
479 if (einfo->flags & XT_SCTP_DEST_PORTS) {
480 if (einfo->invflags & XT_SCTP_DEST_PORTS)
482 if (einfo->dpts[0] != einfo->dpts[1])
483 printf("--dport %u:%u ",
484 einfo->dpts[0], einfo->dpts[1]);
486 printf("--dport %u ", einfo->dpts[0]);
489 if (einfo->flags & XT_SCTP_CHUNK_TYPES) {
490 if (einfo->invflags & XT_SCTP_CHUNK_TYPES)
492 printf("--chunk-types ");
494 print_chunks(einfo, 0);
498 static struct xtables_match sctp_match = {
500 .family = NFPROTO_UNSPEC,
501 .version = XTABLES_VERSION,
502 .size = XT_ALIGN(sizeof(struct xt_sctp_info)),
503 .userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)),
509 .extra_opts = sctp_opts,
514 xtables_register_match(&sctp_match);
projects / profile / ivi / iptables.git / blob