blob: 2aec10be2a0a1f3767df8d5df76db3cbb44c2088 [file] [log] [blame]
/* Shared library add-on to iptables to add ipv4 options matching support. */
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
#include <iptables.h>
#include <linux/netfilter_ipv4/ipt_ipv4options.h>
/* Function which prints out usage message. */
static void
help(void)
{
printf(
"ipv4options v%s options:\n"
" --ssrr (match strict source routing flag)\n"
" --lsrr (match loose source routing flag)\n"
" --no-srr (match packets with no source routing)\n\n"
" [!] --rr (match record route flag)\n\n"
" [!] --ts (match timestamp flag)\n\n"
" [!] --ra (match router-alert option)\n\n"
" [!] --any-opt (match any option or no option at all if used with '!')\n",
IPTABLES_VERSION);
}
static struct option opts[] = {
{ "ssrr", 0, 0, '1' },
{ "lsrr", 0, 0, '2' },
{ "no-srr", 0, 0, '3'},
{ "rr", 0, 0, '4'},
{ "ts", 0, 0, '5'},
{ "ra", 0, 0, '6'},
{ "any-opt", 0, 0, '7'},
{0}
};
/* Initialize the match. */
static void
init(struct ipt_entry_match *m, unsigned int *nfcache)
{
/* caching not yet implemented */
*nfcache |= NFC_UNKNOWN;
}
/* Function which parses command options; returns true if it
ate an option */
static int
parse(int c, char **argv, int invert, unsigned int *flags,
const struct ipt_entry *entry,
unsigned int *nfcache,
struct ipt_entry_match **match)
{
struct ipt_ipv4options_info *info = (struct ipt_ipv4options_info *)(*match)->data;
switch (c)
{
/* strict-source-routing */
case '1':
if (invert)
exit_error(PARAMETER_PROBLEM,
"ipv4options: unexpected `!' with --ssrr");
if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
exit_error(PARAMETER_PROBLEM,
"Can't specify --ssrr twice");
if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
exit_error(PARAMETER_PROBLEM,
"Can't specify --ssrr with --lsrr");
if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
exit_error(PARAMETER_PROBLEM,
"Can't specify --ssrr with --no-srr");
info->options |= IPT_IPV4OPTION_MATCH_SSRR;
*flags |= IPT_IPV4OPTION_MATCH_SSRR;
break;
/* loose-source-routing */
case '2':
if (invert)
exit_error(PARAMETER_PROBLEM,
"ipv4options: unexpected `!' with --lsrr");
if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
exit_error(PARAMETER_PROBLEM,
"Can't specify --lsrr twice");
if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
exit_error(PARAMETER_PROBLEM,
"Can't specify --lsrr with --ssrr");
if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
exit_error(PARAMETER_PROBLEM,
"Can't specify --lsrr with --no-srr");
info->options |= IPT_IPV4OPTION_MATCH_LSRR;
*flags |= IPT_IPV4OPTION_MATCH_LSRR;
break;
/* no-source-routing */
case '3':
if (invert)
exit_error(PARAMETER_PROBLEM,
"ipv4options: unexpected `!' with --no-srr");
if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
exit_error(PARAMETER_PROBLEM,
"Can't specify --no-srr twice");
if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
exit_error(PARAMETER_PROBLEM,
"Can't specify --no-srr with --ssrr");
if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
exit_error(PARAMETER_PROBLEM,
"Can't specify --no-srr with --lsrr");
info->options |= IPT_IPV4OPTION_DONT_MATCH_SRR;
*flags |= IPT_IPV4OPTION_DONT_MATCH_SRR;
break;
/* record-route */
case '4':
if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_RR))
exit_error(PARAMETER_PROBLEM,
"Can't specify --rr twice");
if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
exit_error(PARAMETER_PROBLEM,
"Can't specify ! --rr twice");
if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
exit_error(PARAMETER_PROBLEM,
"Can't specify --rr with ! --rr");
if (invert && (*flags & IPT_IPV4OPTION_MATCH_RR))
exit_error(PARAMETER_PROBLEM,
"Can't specify ! --rr with --rr");
if (invert) {
info->options |= IPT_IPV4OPTION_DONT_MATCH_RR;
*flags |= IPT_IPV4OPTION_DONT_MATCH_RR;
}
else {
info->options |= IPT_IPV4OPTION_MATCH_RR;
*flags |= IPT_IPV4OPTION_MATCH_RR;
}
break;
/* timestamp */
case '5':
if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
exit_error(PARAMETER_PROBLEM,
"Can't specify --ts twice");
if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
exit_error(PARAMETER_PROBLEM,
"Can't specify ! --ts twice");
if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
exit_error(PARAMETER_PROBLEM,
"Can't specify --ts with ! --ts");
if (invert && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
exit_error(PARAMETER_PROBLEM,
"Can't specify ! --ts with --ts");
if (invert) {
info->options |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
*flags |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
}
else {
info->options |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
*flags |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
}
break;
/* router-alert */
case '6':
if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
exit_error(PARAMETER_PROBLEM,
"Can't specify --ra twice");
if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
exit_error(PARAMETER_PROBLEM,
"Can't specify ! --rr twice");
if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
exit_error(PARAMETER_PROBLEM,
"Can't specify --ra with ! --ra");
if (invert && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
exit_error(PARAMETER_PROBLEM,
"Can't specify ! --ra with --ra");
if (invert) {
info->options |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
*flags |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
}
else {
info->options |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
*flags |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
}
break;
/* any option */
case '7' :
if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
exit_error(PARAMETER_PROBLEM,
"Can't specify --any-opt twice");
if (invert && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
exit_error(PARAMETER_PROBLEM,
"Can't specify ! --any-opt with --any-opt");
if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
exit_error(PARAMETER_PROBLEM,
"Can't specify ! --any-opt twice");
if ((!invert) &&
((*flags & IPT_IPV4OPTION_DONT_MATCH_SRR) ||
(*flags & IPT_IPV4OPTION_DONT_MATCH_RR) ||
(*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
(*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)))
exit_error(PARAMETER_PROBLEM,
"Can't specify --any-opt with any other negative ipv4options match");
if (invert &&
((*flags & IPT_IPV4OPTION_MATCH_LSRR) ||
(*flags & IPT_IPV4OPTION_MATCH_SSRR) ||
(*flags & IPT_IPV4OPTION_MATCH_RR) ||
(*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
(*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)))
exit_error(PARAMETER_PROBLEM,
"Can't specify ! --any-opt with any other positive ipv4options match");
if (invert) {
info->options |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
*flags |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
}
else {
info->options |= IPT_IPV4OPTION_MATCH_ANY_OPT;
*flags |= IPT_IPV4OPTION_MATCH_ANY_OPT;
}
break;
default:
return 0;
}
return 1;
}
static void
final_check(unsigned int flags)
{
if (flags == 0)
exit_error(PARAMETER_PROBLEM,
"ipv4options match: you must specify some parameters. See iptables -m ipv4options --help for help.'");
}
/* Prints out the matchinfo. */
static void
print(const struct ipt_ip *ip,
const struct ipt_entry_match *match,
int numeric)
{
struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
printf(" IPV4OPTS");
if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
printf(" SSRR");
else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
printf(" LSRR");
else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
printf(" !SRR");
if (info->options & IPT_IPV4OPTION_MATCH_RR)
printf(" RR");
else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
printf(" !RR");
if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
printf(" TS");
else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
printf(" !TS");
if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
printf(" RA");
else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
printf(" !RA");
if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
printf(" ANYOPT ");
else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
printf(" NOOPT");
printf(" ");
}
/* Saves the data in parsable form to stdout. */
static void
save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
{
struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
printf(" --ssrr");
else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
printf(" --lsrr");
else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
printf(" --no-srr");
if (info->options & IPT_IPV4OPTION_MATCH_RR)
printf(" --rr");
else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
printf(" ! --rr");
if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
printf(" --ts");
else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
printf(" ! --ts");
if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
printf(" --ra");
else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
printf(" ! --ra");
if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
printf(" --any-opt");
if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
printf(" ! --any-opt");
printf(" ");
}
static
struct iptables_match ipv4options_struct
= { NULL,
"ipv4options",
IPTABLES_VERSION,
IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
&help,
&init,
&parse,
&final_check,
&print,
&save,
opts
};
void _init(void)
{
register_match(&ipv4options_struct);
}