Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / 1e01b0b82f70b0b11dcfbced485dbe7aeac4fb8c / . / extensions / libipt_policy.c
blob: 6b044d875f6a163a474def3edf73068163ab9f31 [file] [log] [blame]
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]1/* Shared library add-on to iptables to add policy support. */
2#include <stdio.h>
3#include <netdb.h>
4#include <string.h>
5#include <stdlib.h>
6#include <syslog.h>
7#include <getopt.h>
8#include <netdb.h>
9#include <errno.h>
10#include <sys/socket.h>
11#include <netinet/in.h>
12#include <arpa/inet.h>
Jan Engelhardt5d9678a2008-11-20 10:15:35 +0100[diff] [blame]13#include <xtables.h>
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]14
15#include <linux/netfilter_ipv4/ip_tables.h>
Jan Engelhardta2a7f2b2008-09-01 14:20:13 +0200[diff] [blame]16#include <linux/netfilter_ipv4/ipt_policy.h>
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]17
18/*
19 * HACK: global pointer to current matchinfo for making
20 * final checks and adjustments in final_check.
21 */
22static struct ipt_policy_info *policy_info;
23
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]24static void policy_help(void)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]25{
26 printf(
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]27"policy match options:\n"
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]28" --dir in|out match policy applied during decapsulation/\n"
29" policy to be applied during encapsulation\n"
30" --pol none|ipsec match policy\n"
31" --strict match entire policy instead of single element\n"
32" at any position\n"
33"[!] --reqid reqid match reqid\n"
34"[!] --spi spi match SPI\n"
35"[!] --proto proto match protocol (ah/esp/ipcomp)\n"
36"[!] --mode mode match mode (transport/tunnel)\n"
37"[!] --tunnel-src addr/mask match tunnel source\n"
38"[!] --tunnel-dst addr/mask match tunnel destination\n"
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]39" --next begin next element in policy\n");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]40}
41
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]42static const struct option policy_opts[] =
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]43{
44 {
45 .name = "dir",
46 .has_arg = 1,
47 .val = '1',
48 },
49 {
50 .name = "pol",
51 .has_arg = 1,
52 .val = '2',
53 },
54 {
55 .name = "strict",
56 .val = '3'
57 },
58 {
59 .name = "reqid",
60 .has_arg = 1,
61 .val = '4',
62 },
63 {
64 .name = "spi",
65 .has_arg = 1,
66 .val = '5'
67 },
68 {
69 .name = "tunnel-src",
70 .has_arg = 1,
71 .val = '6'
72 },
73 {
74 .name = "tunnel-dst",
75 .has_arg = 1,
76 .val = '7'
77 },
78 {
79 .name = "proto",
80 .has_arg = 1,
81 .val = '8'
82 },
83 {
84 .name = "mode",
85 .has_arg = 1,
86 .val = '9'
87 },
88 {
89 .name = "next",
90 .val = 'a'
91 },
Max Kellermann9ee386a2008-01-29 13:48:05 +0000[diff] [blame]92 { .name = NULL }
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]93};
94
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]95static int parse_direction(char *s)
96{
97 if (strcmp(s, "in") == 0)
98 return IPT_POLICY_MATCH_IN;
99 if (strcmp(s, "out") == 0)
100 return IPT_POLICY_MATCH_OUT;
101 exit_error(PARAMETER_PROBLEM, "policy_match: invalid dir `%s'", s);
102}
103
104static int parse_policy(char *s)
105{
106 if (strcmp(s, "none") == 0)
107 return IPT_POLICY_MATCH_NONE;
108 if (strcmp(s, "ipsec") == 0)
109 return 0;
110 exit_error(PARAMETER_PROBLEM, "policy match: invalid policy `%s'", s);
111}
112
113static int parse_mode(char *s)
114{
115 if (strcmp(s, "transport") == 0)
116 return IPT_POLICY_MODE_TRANSPORT;
117 if (strcmp(s, "tunnel") == 0)
118 return IPT_POLICY_MODE_TUNNEL;
119 exit_error(PARAMETER_PROBLEM, "policy match: invalid mode `%s'", s);
120}
121
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]122static int policy_parse(int c, char **argv, int invert, unsigned int *flags,
123 const void *entry, struct xt_entry_match **match)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]124{
125 struct ipt_policy_info *info = (void *)(*match)->data;
126 struct ipt_policy_elem *e = &info->pol[info->len];
127 struct in_addr *addr = NULL, mask;
128 unsigned int naddr = 0;
129 int mode;
130
131 check_inverse(optarg, &invert, &optind, 0);
132
133 switch (c) {
134 case '1':
135 if (info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))
136 exit_error(PARAMETER_PROBLEM,
137 "policy match: double --dir option");
138 if (invert)
139 exit_error(PARAMETER_PROBLEM,
140 "policy match: can't invert --dir option");
141
142 info->flags |= parse_direction(argv[optind-1]);
143 break;
144 case '2':
145 if (invert)
146 exit_error(PARAMETER_PROBLEM,
147 "policy match: can't invert --policy option");
148
149 info->flags |= parse_policy(argv[optind-1]);
150 break;
151 case '3':
152 if (info->flags & IPT_POLICY_MATCH_STRICT)
153 exit_error(PARAMETER_PROBLEM,
154 "policy match: double --strict option");
155
156 if (invert)
157 exit_error(PARAMETER_PROBLEM,
158 "policy match: can't invert --strict option");
159
160 info->flags |= IPT_POLICY_MATCH_STRICT;
161 break;
162 case '4':
163 if (e->match.reqid)
164 exit_error(PARAMETER_PROBLEM,
165 "policy match: double --reqid option");
166
167 e->match.reqid = 1;
168 e->invert.reqid = invert;
169 e->reqid = strtol(argv[optind-1], NULL, 10);
170 break;
171 case '5':
172 if (e->match.spi)
173 exit_error(PARAMETER_PROBLEM,
174 "policy match: double --spi option");
Patrick McHardy1d0f57c2006-01-12 09:12:47 +0000[diff] [blame]175
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]176 e->match.spi = 1;
177 e->invert.spi = invert;
178 e->spi = strtol(argv[optind-1], NULL, 0x10);
179 break;
180 case '6':
181 if (e->match.saddr)
182 exit_error(PARAMETER_PROBLEM,
183 "policy match: double --tunnel-src option");
184
Jan Engelhardtbd943842008-01-20 13:38:08 +0000[diff] [blame]185 ipparse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]186 if (naddr > 1)
187 exit_error(PARAMETER_PROBLEM,
188 "policy match: name resolves to multiple IPs");
189
190 e->match.saddr = 1;
191 e->invert.saddr = invert;
Patrick McHardy02e88f22006-01-31 18:24:14 +0000[diff] [blame]192 e->saddr.a4 = addr[0];
193 e->smask.a4 = mask;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]194 break;
195 case '7':
196 if (e->match.daddr)
197 exit_error(PARAMETER_PROBLEM,
198 "policy match: double --tunnel-dst option");
199
Jan Engelhardtbd943842008-01-20 13:38:08 +0000[diff] [blame]200 ipparse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]201 if (naddr > 1)
202 exit_error(PARAMETER_PROBLEM,
203 "policy match: name resolves to multiple IPs");
204
205 e->match.daddr = 1;
206 e->invert.daddr = invert;
Patrick McHardy02e88f22006-01-31 18:24:14 +0000[diff] [blame]207 e->daddr.a4 = addr[0];
208 e->dmask.a4 = mask;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]209 break;
210 case '8':
211 if (e->match.proto)
212 exit_error(PARAMETER_PROBLEM,
213 "policy match: double --proto option");
214
215 e->proto = parse_protocol(argv[optind-1]);
216 if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
217 e->proto != IPPROTO_COMP)
218 exit_error(PARAMETER_PROBLEM,
219 "policy match: protocol must ah/esp/ipcomp");
220 e->match.proto = 1;
221 e->invert.proto = invert;
222 break;
223 case '9':
224 if (e->match.mode)
225 exit_error(PARAMETER_PROBLEM,
226 "policy match: double --mode option");
Patrick McHardy1d0f57c2006-01-12 09:12:47 +0000[diff] [blame]227
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]228 mode = parse_mode(argv[optind-1]);
229 e->match.mode = 1;
230 e->invert.mode = invert;
231 e->mode = mode;
232 break;
233 case 'a':
234 if (invert)
235 exit_error(PARAMETER_PROBLEM,
236 "policy match: can't invert --next option");
237
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]238 if (++info->len == IPT_POLICY_MAX_ELEM)
239 exit_error(PARAMETER_PROBLEM,
240 "policy match: maximum policy depth reached");
241 break;
242 default:
243 return 0;
244 }
245
246 policy_info = info;
247 return 1;
248}
249
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]250static void policy_check(unsigned int flags)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]251{
252 struct ipt_policy_info *info = policy_info;
253 struct ipt_policy_elem *e;
254 int i;
255
256 if (info == NULL)
257 exit_error(PARAMETER_PROBLEM,
258 "policy match: no parameters given");
259
260 if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT)))
261 exit_error(PARAMETER_PROBLEM,
262 "policy match: neither --in nor --out specified");
263
264 if (info->flags & IPT_POLICY_MATCH_NONE) {
265 if (info->flags & IPT_POLICY_MATCH_STRICT)
266 exit_error(PARAMETER_PROBLEM,
267 "policy match: policy none but --strict given");
268
269 if (info->len != 0)
270 exit_error(PARAMETER_PROBLEM,
271 "policy match: policy none but policy given");
272 } else
273 info->len++; /* increase len by 1, no --next after last element */
274
275 if (!(info->flags & IPT_POLICY_MATCH_STRICT) && info->len > 1)
276 exit_error(PARAMETER_PROBLEM,
277 "policy match: multiple elements but no --strict");
278
279 for (i = 0; i < info->len; i++) {
280 e = &info->pol[i];
Patrick McHardya46d88d2006-01-12 09:43:18 +0000[diff] [blame]281
Noticed by Tom Eastep3f347562006-01-22 13:47:07 +0000[diff] [blame]282 if (info->flags & IPT_POLICY_MATCH_STRICT &&
283 !(e->match.reqid || e->match.spi || e->match.saddr ||
Patrick McHardya46d88d2006-01-12 09:43:18 +0000[diff] [blame]284 e->match.daddr || e->match.proto || e->match.mode))
285 exit_error(PARAMETER_PROBLEM,
286 "policy match: empty policy element");
287
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]288 if ((e->match.saddr || e->match.daddr)
289 && ((e->mode == IPT_POLICY_MODE_TUNNEL && e->invert.mode) ||
290 (e->mode == IPT_POLICY_MODE_TRANSPORT && !e->invert.mode)))
291 exit_error(PARAMETER_PROBLEM,
292 "policy match: --tunnel-src/--tunnel-dst "
293 "is only valid in tunnel mode");
294 }
295}
296
297static void print_mode(char *prefix, u_int8_t mode, int numeric)
298{
299 printf("%smode ", prefix);
300
301 switch (mode) {
302 case IPT_POLICY_MODE_TRANSPORT:
303 printf("transport ");
304 break;
305 case IPT_POLICY_MODE_TUNNEL:
306 printf("tunnel ");
307 break;
308 default:
309 printf("??? ");
310 break;
311 }
312}
313
314static void print_proto(char *prefix, u_int8_t proto, int numeric)
315{
316 struct protoent *p = NULL;
317
318 printf("%sproto ", prefix);
319 if (!numeric)
320 p = getprotobynumber(proto);
321 if (p != NULL)
322 printf("%s ", p->p_name);
323 else
324 printf("%u ", proto);
325}
326
327#define PRINT_INVERT(x) \
328do { \
329 if (x) \
330 printf("! "); \
331} while(0)
332
333static void print_entry(char *prefix, const struct ipt_policy_elem *e,
334 int numeric)
335{
336 if (e->match.reqid) {
337 PRINT_INVERT(e->invert.reqid);
338 printf("%sreqid %u ", prefix, e->reqid);
339 }
340 if (e->match.spi) {
341 PRINT_INVERT(e->invert.spi);
342 printf("%sspi 0x%x ", prefix, e->spi);
343 }
344 if (e->match.proto) {
345 PRINT_INVERT(e->invert.proto);
346 print_proto(prefix, e->proto, numeric);
347 }
348 if (e->match.mode) {
349 PRINT_INVERT(e->invert.mode);
350 print_mode(prefix, e->mode, numeric);
351 }
352 if (e->match.daddr) {
353 PRINT_INVERT(e->invert.daddr);
354 printf("%stunnel-dst %s%s ", prefix,
Jan Engelhardte44ea7f2009-01-30 03:55:09 +0100[diff] [blame]355 xtables_ipaddr_to_numeric((const void *)&e->daddr),
356 xtables_ipmask_to_numeric((const void *)&e->dmask));
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]357 }
358 if (e->match.saddr) {
359 PRINT_INVERT(e->invert.saddr);
360 printf("%stunnel-src %s%s ", prefix,
Jan Engelhardte44ea7f2009-01-30 03:55:09 +0100[diff] [blame]361 xtables_ipaddr_to_numeric((const void *)&e->saddr),
362 xtables_ipmask_to_numeric((const void *)&e->smask));
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]363 }
364}
365
366static void print_flags(char *prefix, const struct ipt_policy_info *info)
367{
368 if (info->flags & IPT_POLICY_MATCH_IN)
369 printf("%sdir in ", prefix);
370 else
371 printf("%sdir out ", prefix);
372
373 if (info->flags & IPT_POLICY_MATCH_NONE)
374 printf("%spol none ", prefix);
375 else
376 printf("%spol ipsec ", prefix);
377
378 if (info->flags & IPT_POLICY_MATCH_STRICT)
379 printf("%sstrict ", prefix);
380}
381
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]382static void policy_print(const void *ip, const struct xt_entry_match *match,
383 int numeric)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]384{
385 const struct ipt_policy_info *info = (void *)match->data;
386 unsigned int i;
387
388 printf("policy match ");
389 print_flags("", info);
390 for (i = 0; i < info->len; i++) {
391 if (info->len > 1)
392 printf("[%u] ", i);
393 print_entry("", &info->pol[i], numeric);
394 }
395}
396
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]397static void policy_save(const void *ip, const struct xt_entry_match *match)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]398{
399 const struct ipt_policy_info *info = (void *)match->data;
400 unsigned int i;
401
402 print_flags("--", info);
403 for (i = 0; i < info->len; i++) {
404 print_entry("--", &info->pol[i], 0);
405 if (i + 1 < info->len)
406 printf("--next ");
407 }
408}
409
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]410static struct xtables_match policy_mt_reg = {
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]411 .name = "policy",
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]412 .version = XTABLES_VERSION,
Jan Engelhardt03d99482008-11-18 12:27:54 +0100[diff] [blame]413 .family = NFPROTO_IPV4,
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]414 .size = XT_ALIGN(sizeof(struct ipt_policy_info)),
415 .userspacesize = XT_ALIGN(sizeof(struct ipt_policy_info)),
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]416 .help = policy_help,
417 .parse = policy_parse,
418 .final_check = policy_check,
419 .print = policy_print,
420 .save = policy_save,
421 .extra_opts = policy_opts,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]422};
423
424void _init(void)
425{
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]426 xtables_register_match(&policy_mt_reg);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]427}