1 /* Shared library add-on to iptables for DCCP matching
3 * (C) 2005 by Harald Welte <laforge@netfilter.org>
5 * This program is distributed under the terms of GNU GPL v2, 1991
16 #include <linux/dccp.h>
17 #include <linux/netfilter_ipv4/ip_tables.h>
18 #include <linux/netfilter_ipv4/ipt_dccp.h>
21 #define DEBUGP(format, first...) printf(format, ##first)
24 #define DEBUGP(format, fist...)
27 /* Initialize the match. */
29 init(struct ipt_entry_match *m,
30 unsigned int *nfcache)
32 struct ipt_dccp_info *einfo = (struct ipt_dccp_info *)m->data;
34 memset(einfo, 0, sizeof(struct ipt_dccp_info));
37 static void help(void)
40 "DCCP match v%s options\n"
41 " --source-port [!] port[:port] match source port(s)\n"
43 " --destination-port [!] port[:port] match destination port(s)\n"
49 static struct option opts[] = {
50 { .name = "source-port", .has_arg = 1, .flag = 0, .val = '1' },
51 { .name = "sport", .has_arg = 1, .flag = 0, .val = '1' },
52 { .name = "destination-port", .has_arg = 1, .flag = 0, .val = '2' },
53 { .name = "dport", .has_arg = 1, .flag = 0, .val = '2' },
54 { .name = "dccp-types", .has_arg = 1, .flag = 0, .val = '3' },
55 { .name = "dccp-option", .has_arg = 1, .flag = 0, .val = '4' },
60 service_to_port(const char *name)
62 struct servent *service;
64 if ((service = getservbyname(name, "dccp")) != NULL)
65 return ntohs((unsigned short) service->s_port);
71 parse_dccp_port(const char *port)
76 if (string_to_number(port, 0, 65535, &portnum) != -1 ||
77 (portnum = service_to_port(port)) != -1)
78 return (u_int16_t)portnum;
80 exit_error(PARAMETER_PROBLEM,
81 "invalid DCCP port/service `%s' specified", port);
85 parse_dccp_ports(const char *portstring,
91 buffer = strdup(portstring);
92 DEBUGP("%s\n", portstring);
93 if ((cp = strchr(buffer, ':')) == NULL) {
94 ports[0] = ports[1] = parse_dccp_port(buffer);
100 ports[0] = buffer[0] ? parse_dccp_port(buffer) : 0;
101 ports[1] = cp[0] ? parse_dccp_port(cp) : 0xFFFF;
103 if (ports[0] > ports[1])
104 exit_error(PARAMETER_PROBLEM,
105 "invalid portrange (min > max)");
110 static char *dccp_pkt_types[] = {
111 [DCCP_PKT_REQUEST] = "REQUEST",
112 [DCCP_PKT_RESPONSE] = "RESPONSE",
113 [DCCP_PKT_DATA] = "DATA",
114 [DCCP_PKT_ACK] = "ACK",
115 [DCCP_PKT_DATAACK] = "DATAACK",
116 [DCCP_PKT_CLOSEREQ] = "CLOSEREQ",
117 [DCCP_PKT_CLOSE] = "CLOSE",
118 [DCCP_PKT_RESET] = "RESET",
119 [DCCP_PKT_SYNC] = "SYNC",
120 [DCCP_PKT_SYNCACK] = "SYNCACK",
121 [DCCP_PKT_INVALID] = "INVALID",
125 parse_dccp_types(const char *typestring)
127 u_int16_t typemask = 0;
130 buffer = strdup(typestring);
132 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
134 for (i = 0; i < sizeof(dccp_pkt_types)/sizeof(char *); i++) {
135 if (!strcasecmp(dccp_pkt_types[i], ptr)) {
136 typemask |= (1 << i);
140 if (i == sizeof(dccp_pkt_types)/sizeof(char *))
141 exit_error(PARAMETER_PROBLEM,
142 "Unknown DCCP type `%s'", ptr);
149 static u_int8_t parse_dccp_option(char *optstring)
153 if (string_to_number(optstring, 1, 255, &ret) == -1)
154 exit_error(PARAMETER_PROBLEM, "Bad DCCP option `%s'",
157 return (u_int8_t)ret;
161 parse(int c, char **argv, int invert, unsigned int *flags,
162 const struct ipt_entry *entry,
163 unsigned int *nfcache,
164 struct ipt_entry_match **match)
166 struct ipt_dccp_info *einfo
167 = (struct ipt_dccp_info *)(*match)->data;
171 if (*flags & IPT_DCCP_SRC_PORTS)
172 exit_error(PARAMETER_PROBLEM,
173 "Only one `--source-port' allowed");
174 einfo->flags |= IPT_DCCP_SRC_PORTS;
175 check_inverse(optarg, &invert, &optind, 0);
176 parse_dccp_ports(argv[optind-1], einfo->spts);
178 einfo->invflags |= IPT_DCCP_SRC_PORTS;
179 *flags |= IPT_DCCP_SRC_PORTS;
183 if (*flags & IPT_DCCP_DEST_PORTS)
184 exit_error(PARAMETER_PROBLEM,
185 "Only one `--destination-port' allowed");
186 einfo->flags |= IPT_DCCP_DEST_PORTS;
187 check_inverse(optarg, &invert, &optind, 0);
188 parse_dccp_ports(argv[optind-1], einfo->dpts);
190 einfo->invflags |= IPT_DCCP_DEST_PORTS;
191 *flags |= IPT_DCCP_DEST_PORTS;
195 if (*flags & IPT_DCCP_TYPE)
196 exit_error(PARAMETER_PROBLEM,
197 "Only one `--dccp-types' allowed");
198 einfo->flags |= IPT_DCCP_TYPE;
199 check_inverse(optarg, &invert, &optind, 0);
200 einfo->typemask = parse_dccp_types(argv[optind-1]);
202 einfo->invflags |= IPT_DCCP_TYPE;
203 *flags |= IPT_DCCP_TYPE;
207 if (*flags & IPT_DCCP_OPTION)
208 exit_error(PARAMETER_PROBLEM,
209 "Only one `--dccp-option' allowed");
210 einfo->flags |= IPT_DCCP_OPTION;
211 check_inverse(optarg, &invert, &optind, 0);
212 einfo->option = parse_dccp_option(argv[optind-1]);
214 einfo->invflags |= IPT_DCCP_OPTION;
215 *flags |= IPT_DCCP_OPTION;
224 final_check(unsigned int flags)
229 port_to_service(int port)
231 struct servent *service;
233 if ((service = getservbyport(htons(port), "dccp")))
234 return service->s_name;
240 print_port(u_int16_t port, int numeric)
244 if (numeric || (service = port_to_service(port)) == NULL)
247 printf("%s", service);
251 print_ports(const char *name, u_int16_t min, u_int16_t max,
252 int invert, int numeric)
254 const char *inv = invert ? "!" : "";
256 if (min != 0 || max != 0xFFFF || invert) {
260 print_port(min, numeric);
263 print_port(min, numeric);
265 print_port(max, numeric);
272 print_types(u_int16_t types, int inverted, int numeric)
282 for (i = 0; !(types & (1 << i)); i++);
292 printf("%s", dccp_pkt_types[i]);
299 print_option(u_int8_t option, int invert, int numeric)
301 if (option || invert)
302 printf("option=%s%u ", invert ? "!" : "", option);
305 /* Prints out the matchinfo. */
307 print(const struct ipt_ip *ip,
308 const struct ipt_entry_match *match,
311 const struct ipt_dccp_info *einfo =
312 (const struct ipt_dccp_info *)match->data;
316 if (einfo->flags & IPT_DCCP_SRC_PORTS) {
317 print_ports("spt", einfo->spts[0], einfo->spts[1],
318 einfo->invflags & IPT_DCCP_SRC_PORTS,
322 if (einfo->flags & IPT_DCCP_DEST_PORTS) {
323 print_ports("dpt", einfo->dpts[0], einfo->dpts[1],
324 einfo->invflags & IPT_DCCP_DEST_PORTS,
328 if (einfo->flags & IPT_DCCP_TYPE) {
329 print_types(einfo->typemask,
330 einfo->invflags & IPT_DCCP_TYPE,
334 if (einfo->flags & IPT_DCCP_OPTION) {
335 print_option(einfo->option,
336 einfo->invflags & IPT_DCCP_OPTION, numeric);
340 /* Saves the union ipt_matchinfo in parsable form to stdout. */
342 save(const struct ipt_ip *ip,
343 const struct ipt_entry_match *match)
345 const struct ipt_dccp_info *einfo =
346 (const struct ipt_dccp_info *)match->data;
348 if (einfo->flags & IPT_DCCP_SRC_PORTS) {
349 if (einfo->invflags & IPT_DCCP_SRC_PORTS)
351 if (einfo->spts[0] != einfo->spts[1])
352 printf("--sport %u:%u ",
353 einfo->spts[0], einfo->spts[1]);
355 printf("--sport %u ", einfo->spts[0]);
358 if (einfo->flags & IPT_DCCP_DEST_PORTS) {
359 if (einfo->invflags & IPT_DCCP_DEST_PORTS)
361 if (einfo->dpts[0] != einfo->dpts[1])
362 printf("--dport %u:%u ",
363 einfo->dpts[0], einfo->dpts[1]);
365 printf("--dport %u ", einfo->dpts[0]);
368 if (einfo->flags & IPT_DCCP_TYPE) {
369 printf("--dccp-type ");
370 print_types(einfo->typemask, einfo->invflags & IPT_DCCP_TYPE,0);
373 if (einfo->flags & IPT_DCCP_OPTION) {
374 printf("--dccp-option %s%u ",
375 einfo->typemask & IPT_DCCP_OPTION ? "! " : "",
381 struct iptables_match dccp
383 .version = IPTABLES_VERSION,
384 .size = IPT_ALIGN(sizeof(struct ipt_dccp_info)),
385 .userspacesize = IPT_ALIGN(sizeof(struct ipt_dccp_info)),
389 .final_check = &final_check,
397 register_match(&dccp);