1 /* Shared library add-on to iptables for SCTP matching
3 * (C) 2003 by Harald Welte <laforge@gnumonks.org>
5 * This program is distributed under the terms of GNU GPL v2, 1991
7 * libipt_ecn.c borrowed heavily from libipt_dscp.c
18 #include <linux/netfilter_ipv4/ip_tables.h>
21 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
24 #include <linux/netfilter_ipv4/ipt_sctp.h>
26 /* Some ZS!#@:$%*#$! has replaced the ELEMCOUNT macro in ipt_sctp.h with
27 * ARRAY_SIZE without noticing that this file is used from userserspace,
28 * and userspace doesn't have ARRAY_SIZE */
31 #define ELEMCOUNT ARRAY_SIZE
35 #define DEBUGP(format, first...) printf(format, ##first)
38 #define DEBUGP(format, fist...)
42 print_chunk(u_int32_t chunknum, int numeric);
44 /* Initialize the match. */
46 init(struct ipt_entry_match *m,
47 unsigned int *nfcache)
50 struct ipt_sctp_info *einfo = (struct ipt_sctp_info *)m->data;
52 memset(einfo, 0, sizeof(struct ipt_sctp_info));
54 for (i = 0; i < IPT_NUM_SCTP_FLAGS; i++) {
55 einfo->flag_info[i].chunktype = -1;
59 static void help(void)
62 "SCTP match v%s options\n"
63 " --source-port [!] port[:port] match source port(s)\n"
65 " --destination-port [!] port[:port] match destination port(s)\n"
67 " --chunk-types [!] (all|any|none) (chunktype[:flags])+ match if all, any or none of\n"
68 " chunktypes are present\n"
69 "chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK ALL NONE\n",
73 static struct option opts[] = {
74 { .name = "source-port", .has_arg = 1, .flag = 0, .val = '1' },
75 { .name = "sport", .has_arg = 1, .flag = 0, .val = '1' },
76 { .name = "destination-port", .has_arg = 1, .flag = 0, .val = '2' },
77 { .name = "dport", .has_arg = 1, .flag = 0, .val = '2' },
78 { .name = "chunk-types", .has_arg = 1, .flag = 0, .val = '3' },
83 service_to_port(const char *name)
85 struct servent *service;
87 if ((service = getservbyname(name, "sctp")) != NULL)
88 return ntohs((unsigned short) service->s_port);
94 parse_sctp_port(const char *port)
99 if (string_to_number(port, 0, 65535, &portnum) != -1 ||
100 (portnum = service_to_port(port)) != -1)
101 return (u_int16_t)portnum;
103 exit_error(PARAMETER_PROBLEM,
104 "invalid SCTP port/service `%s' specified", port);
108 parse_sctp_ports(const char *portstring,
114 buffer = strdup(portstring);
115 DEBUGP("%s\n", portstring);
116 if ((cp = strchr(buffer, ':')) == NULL) {
117 ports[0] = ports[1] = parse_sctp_port(buffer);
123 ports[0] = buffer[0] ? parse_sctp_port(buffer) : 0;
124 ports[1] = cp[0] ? parse_sctp_port(cp) : 0xFFFF;
126 if (ports[0] > ports[1])
127 exit_error(PARAMETER_PROBLEM,
128 "invalid portrange (min > max)");
133 struct sctp_chunk_names {
135 unsigned int chunk_type;
136 const char *valid_flags;
139 /*'ALL' and 'NONE' will be treated specially. */
140 static struct sctp_chunk_names sctp_chunk_names[]
141 = { { .name = "DATA", .chunk_type = 0, .valid_flags = "-----UBE"},
142 { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"},
143 { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"},
144 { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"},
145 { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"},
146 { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"},
147 { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"},
148 { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"},
149 { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"},
150 { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"},
151 { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"},
152 { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"},
153 { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"},
154 { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"},
155 { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"},
156 { .name = "ASCONF", .chunk_type = 31, .valid_flags = "--------"},
157 { .name = "ASCONF_ACK", .chunk_type = 30, .valid_flags = "--------"},
161 save_chunk_flag_info(struct ipt_sctp_flag_info *flag_info,
169 for (i = 0; i < *flag_count; i++) {
170 if (flag_info[i].chunktype == chunktype) {
171 DEBUGP("Previous match found\n");
172 flag_info[i].chunktype = chunktype;
173 flag_info[i].flag_mask |= (1 << bit);
175 flag_info[i].flag |= (1 << bit);
182 if (*flag_count == IPT_NUM_SCTP_FLAGS) {
183 exit_error (PARAMETER_PROBLEM,
184 "Number of chunk types with flags exceeds currently allowed limit."
185 "Increasing this limit involves changing IPT_NUM_SCTP_FLAGS and"
186 "recompiling both the kernel space and user space modules\n");
189 flag_info[*flag_count].chunktype = chunktype;
190 flag_info[*flag_count].flag_mask |= (1 << bit);
192 flag_info[*flag_count].flag |= (1 << bit);
198 parse_sctp_chunk(struct ipt_sctp_info *einfo,
207 buffer = strdup(chunks);
208 DEBUGP("Buffer: %s\n", buffer);
210 SCTP_CHUNKMAP_RESET(einfo->chunkmap);
212 if (!strcasecmp(buffer, "ALL")) {
213 SCTP_CHUNKMAP_SET_ALL(einfo->chunkmap);
217 if (!strcasecmp(buffer, "NONE")) {
218 SCTP_CHUNKMAP_RESET(einfo->chunkmap);
222 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
224 DEBUGP("Next Chunk type %s\n", ptr);
226 if ((chunk_flags = strchr(ptr, ':')) != NULL) {
230 for (i = 0; i < ELEMCOUNT(sctp_chunk_names); i++) {
231 if (strcasecmp(sctp_chunk_names[i].name, ptr) == 0) {
232 DEBUGP("Chunk num %d\n", sctp_chunk_names[i].chunk_type);
233 SCTP_CHUNKMAP_SET(einfo->chunkmap,
234 sctp_chunk_names[i].chunk_type);
240 exit_error(PARAMETER_PROBLEM,
241 "Unknown sctp chunk `%s'", ptr);
244 DEBUGP("Chunk flags %s\n", chunk_flags);
245 for (j = 0; j < strlen(chunk_flags); j++) {
249 if ((p = strchr(sctp_chunk_names[i].valid_flags,
250 toupper(chunk_flags[j]))) != NULL) {
251 bit = p - sctp_chunk_names[i].valid_flags;
254 save_chunk_flag_info(einfo->flag_info,
255 &(einfo->flag_count), i, bit,
256 isupper(chunk_flags[j]));
258 exit_error(PARAMETER_PROBLEM,
259 "Invalid flags for chunk type %d\n", i);
269 parse_sctp_chunks(struct ipt_sctp_info *einfo,
270 const char *match_type,
273 DEBUGP("Match type: %s Chunks: %s\n", match_type, chunks);
274 if (!strcasecmp(match_type, "ANY")) {
275 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ANY;
276 } else if (!strcasecmp(match_type, "ALL")) {
277 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ALL;
278 } else if (!strcasecmp(match_type, "ONLY")) {
279 einfo->chunk_match_type = SCTP_CHUNK_MATCH_ONLY;
281 exit_error (PARAMETER_PROBLEM,
282 "Match type has to be one of \"ALL\", \"ANY\" or \"ONLY\"");
285 SCTP_CHUNKMAP_RESET(einfo->chunkmap);
286 parse_sctp_chunk(einfo, chunks);
290 parse(int c, char **argv, int invert, unsigned int *flags,
291 const struct ipt_entry *entry,
292 unsigned int *nfcache,
293 struct ipt_entry_match **match)
295 struct ipt_sctp_info *einfo
296 = (struct ipt_sctp_info *)(*match)->data;
300 if (*flags & IPT_SCTP_SRC_PORTS)
301 exit_error(PARAMETER_PROBLEM,
302 "Only one `--source-port' allowed");
303 einfo->flags |= IPT_SCTP_SRC_PORTS;
304 check_inverse(optarg, &invert, &optind, 0);
305 parse_sctp_ports(argv[optind-1], einfo->spts);
307 einfo->invflags |= IPT_SCTP_SRC_PORTS;
308 *flags |= IPT_SCTP_SRC_PORTS;
312 if (*flags & IPT_SCTP_DEST_PORTS)
313 exit_error(PARAMETER_PROBLEM,
314 "Only one `--destination-port' allowed");
315 einfo->flags |= IPT_SCTP_DEST_PORTS;
316 check_inverse(optarg, &invert, &optind, 0);
317 parse_sctp_ports(argv[optind-1], einfo->dpts);
319 einfo->invflags |= IPT_SCTP_DEST_PORTS;
320 *flags |= IPT_SCTP_DEST_PORTS;
324 if (*flags & IPT_SCTP_CHUNK_TYPES)
325 exit_error(PARAMETER_PROBLEM,
326 "Only one `--chunk-types' allowed");
327 check_inverse(optarg, &invert, &optind, 0);
330 || argv[optind][0] == '-' || argv[optind][0] == '!')
331 exit_error(PARAMETER_PROBLEM,
332 "--chunk-types requires two args");
334 einfo->flags |= IPT_SCTP_CHUNK_TYPES;
335 parse_sctp_chunks(einfo, argv[optind-1], argv[optind]);
337 einfo->invflags |= IPT_SCTP_CHUNK_TYPES;
339 *flags |= IPT_SCTP_CHUNK_TYPES;
349 final_check(unsigned int flags)
354 port_to_service(int port)
356 struct servent *service;
358 if ((service = getservbyport(htons(port), "sctp")))
359 return service->s_name;
365 print_port(u_int16_t port, int numeric)
369 if (numeric || (service = port_to_service(port)) == NULL)
372 printf("%s", service);
376 print_ports(const char *name, u_int16_t min, u_int16_t max,
377 int invert, int numeric)
379 const char *inv = invert ? "!" : "";
381 if (min != 0 || max != 0xFFFF || invert) {
385 print_port(min, numeric);
388 print_port(min, numeric);
390 print_port(max, numeric);
397 print_chunk_flags(u_int32_t chunknum, u_int8_t chunk_flags, u_int8_t chunk_flags_mask)
401 DEBUGP("type: %d\tflags: %x\tflag mask: %x\n", chunknum, chunk_flags,
404 if (chunk_flags_mask) {
408 for (i = 7; i >= 0; i--) {
409 if (chunk_flags_mask & (1 << i)) {
410 if (chunk_flags & (1 << i)) {
411 printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
413 printf("%c", tolower(sctp_chunk_names[chunknum].valid_flags[7-i]));
420 print_chunk(u_int32_t chunknum, int numeric)
423 printf("0x%04X", chunknum);
428 for (i = 0; i < ELEMCOUNT(sctp_chunk_names); i++) {
429 if (sctp_chunk_names[i].chunk_type == chunknum)
430 printf("%s", sctp_chunk_names[chunknum].name);
436 print_chunks(u_int32_t chunk_match_type,
437 const u_int32_t *chunkmap,
438 const struct ipt_sctp_flag_info *flag_info,
445 switch (chunk_match_type) {
446 case SCTP_CHUNK_MATCH_ANY: printf("any "); break;
447 case SCTP_CHUNK_MATCH_ALL: printf("all "); break;
448 case SCTP_CHUNK_MATCH_ONLY: printf("only "); break;
449 default: printf("Never reach herer\n"); break;
452 if (SCTP_CHUNKMAP_IS_CLEAR(chunkmap)) {
457 if (SCTP_CHUNKMAP_IS_ALL_SET(chunkmap)) {
463 for (i = 0; i < 256; i++) {
464 if (SCTP_CHUNKMAP_IS_SET(chunkmap, i)) {
467 print_chunk(i, numeric);
468 for (j = 0; j < flag_count; j++) {
469 if (flag_info[j].chunktype == i) {
470 print_chunk_flags(i, flag_info[j].flag,
471 flag_info[j].flag_mask);
482 /* Prints out the matchinfo. */
484 print(const struct ipt_ip *ip,
485 const struct ipt_entry_match *match,
488 const struct ipt_sctp_info *einfo =
489 (const struct ipt_sctp_info *)match->data;
493 if (einfo->flags & IPT_SCTP_SRC_PORTS) {
494 print_ports("spt", einfo->spts[0], einfo->spts[1],
495 einfo->invflags & IPT_SCTP_SRC_PORTS,
499 if (einfo->flags & IPT_SCTP_DEST_PORTS) {
500 print_ports("dpt", einfo->dpts[0], einfo->dpts[1],
501 einfo->invflags & IPT_SCTP_DEST_PORTS,
505 if (einfo->flags & IPT_SCTP_CHUNK_TYPES) {
506 /* FIXME: print_chunks() is used in save() where the printing of '!'
507 s taken care of, so we need to do that here as well */
508 if (einfo->invflags & IPT_SCTP_CHUNK_TYPES) {
511 print_chunks(einfo->chunk_match_type, einfo->chunkmap,
512 einfo->flag_info, einfo->flag_count, numeric);
516 /* Saves the union ipt_matchinfo in parsable form to stdout. */
518 save(const struct ipt_ip *ip,
519 const struct ipt_entry_match *match)
521 const struct ipt_sctp_info *einfo =
522 (const struct ipt_sctp_info *)match->data;
524 if (einfo->flags & IPT_SCTP_SRC_PORTS) {
525 if (einfo->invflags & IPT_SCTP_SRC_PORTS)
527 if (einfo->spts[0] != einfo->spts[1])
528 printf("--sport %u:%u ",
529 einfo->spts[0], einfo->spts[1]);
531 printf("--sport %u ", einfo->spts[0]);
534 if (einfo->flags & IPT_SCTP_DEST_PORTS) {
535 if (einfo->invflags & IPT_SCTP_DEST_PORTS)
537 if (einfo->dpts[0] != einfo->dpts[1])
538 printf("--dport %u:%u ",
539 einfo->dpts[0], einfo->dpts[1]);
541 printf("--dport %u ", einfo->dpts[0]);
544 if (einfo->flags & IPT_SCTP_CHUNK_TYPES) {
545 if (einfo->invflags & IPT_SCTP_CHUNK_TYPES)
547 printf("--chunk-types ");
549 print_chunks(einfo->chunk_match_type, einfo->chunkmap,
550 einfo->flag_info, einfo->flag_count, 0);
555 struct iptables_match sctp
557 .version = IPTABLES_VERSION,
558 .size = IPT_ALIGN(sizeof(struct ipt_sctp_info)),
559 .userspacesize = IPT_ALIGN(sizeof(struct ipt_sctp_info)),
563 .final_check = &final_check,
571 register_match(&sctp);
git://git.onelab.eu / iptables.git / blob