source-git / iptables

Clone
Source Code
GIT

Blame extensions/libipt_icmp.c

c8 c8s master
  1.   52a07f7a979426f84249191fc92318eca8d14dc3
  2.   extensions
  3.   libipt_icmp.c
Blob History Raw
Packit 7b22a4 
#include <stdint.h>
Packit 7b22a4 
#include <stdio.h>
Packit 7b22a4 
#include <string.h>
Packit 7b22a4 
#include <xtables.h>
Packit 7b22a4 
#include <limits.h> /* INT_MAX in ip6_tables.h */
Packit 7b22a4 
#include <linux/netfilter_ipv4/ip_tables.h>
Packit 7b22a4
Packit 7b22a4 
#include "libxt_icmp.h"
Packit 7b22a4
Packit 7b22a4 
/* special hack for icmp-type 'any':
Packit 7b22a4 
 * Up to kernel <=2.4.20 the problem was:
Packit 7b22a4 
 * '-p icmp ' matches all icmp packets
Packit 7b22a4 
 * '-p icmp -m icmp' matches _only_ ICMP type 0 :(
Packit 7b22a4 
 * This is now fixed by initializing the field * to icmp type 0xFF
Packit 7b22a4 
 * See: https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=37
Packit 7b22a4 
 */
Packit 7b22a4
Packit 7b22a4 
enum {
Packit 7b22a4 
	O_ICMP_TYPE = 0,
Packit 7b22a4 
};
Packit 7b22a4
Packit 7b22a4 
static const struct xt_icmp_names icmp_codes[] = {
Packit 7b22a4 
	{ "any", 0xFF, 0, 0xFF },
Packit 7b22a4 
	{ "echo-reply", 0, 0, 0xFF },
Packit 7b22a4 
	/* Alias */ { "pong", 0, 0, 0xFF },
Packit 7b22a4
Packit 7b22a4 
	{ "destination-unreachable", 3, 0, 0xFF },
Packit 7b22a4 
	{   "network-unreachable", 3, 0, 0 },
Packit 7b22a4 
	{   "host-unreachable", 3, 1, 1 },
Packit 7b22a4 
	{   "protocol-unreachable", 3, 2, 2 },
Packit 7b22a4 
	{   "port-unreachable", 3, 3, 3 },
Packit 7b22a4 
	{   "fragmentation-needed", 3, 4, 4 },
Packit 7b22a4 
	{   "source-route-failed", 3, 5, 5 },
Packit 7b22a4 
	{   "network-unknown", 3, 6, 6 },
Packit 7b22a4 
	{   "host-unknown", 3, 7, 7 },
Packit 7b22a4 
	{   "network-prohibited", 3, 9, 9 },
Packit 7b22a4 
	{   "host-prohibited", 3, 10, 10 },
Packit 7b22a4 
	{   "TOS-network-unreachable", 3, 11, 11 },
Packit 7b22a4 
	{   "TOS-host-unreachable", 3, 12, 12 },
Packit 7b22a4 
	{   "communication-prohibited", 3, 13, 13 },
Packit 7b22a4 
	{   "host-precedence-violation", 3, 14, 14 },
Packit 7b22a4 
	{   "precedence-cutoff", 3, 15, 15 },
Packit 7b22a4
Packit 7b22a4 
	{ "source-quench", 4, 0, 0xFF },
Packit 7b22a4
Packit 7b22a4 
	{ "redirect", 5, 0, 0xFF },
Packit 7b22a4 
	{   "network-redirect", 5, 0, 0 },
Packit 7b22a4 
	{   "host-redirect", 5, 1, 1 },
Packit 7b22a4 
	{   "TOS-network-redirect", 5, 2, 2 },
Packit 7b22a4 
	{   "TOS-host-redirect", 5, 3, 3 },
Packit 7b22a4
Packit 7b22a4 
	{ "echo-request", 8, 0, 0xFF },
Packit 7b22a4 
	/* Alias */ { "ping", 8, 0, 0xFF },
Packit 7b22a4
Packit 7b22a4 
	{ "router-advertisement", 9, 0, 0xFF },
Packit 7b22a4
Packit 7b22a4 
	{ "router-solicitation", 10, 0, 0xFF },
Packit 7b22a4
Packit 7b22a4 
	{ "time-exceeded", 11, 0, 0xFF },
Packit 7b22a4 
	/* Alias */ { "ttl-exceeded", 11, 0, 0xFF },
Packit 7b22a4 
	{   "ttl-zero-during-transit", 11, 0, 0 },
Packit 7b22a4 
	{   "ttl-zero-during-reassembly", 11, 1, 1 },
Packit 7b22a4
Packit 7b22a4 
	{ "parameter-problem", 12, 0, 0xFF },
Packit 7b22a4 
	{   "ip-header-bad", 12, 0, 0 },
Packit 7b22a4 
	{   "required-option-missing", 12, 1, 1 },
Packit 7b22a4
Packit 7b22a4 
	{ "timestamp-request", 13, 0, 0xFF },
Packit 7b22a4
Packit 7b22a4 
	{ "timestamp-reply", 14, 0, 0xFF },
Packit 7b22a4
Packit 7b22a4 
	{ "address-mask-request", 17, 0, 0xFF },
Packit 7b22a4
Packit 7b22a4 
	{ "address-mask-reply", 18, 0, 0xFF }
Packit 7b22a4 
};
Packit 7b22a4
Packit 7b22a4 
static void icmp_help(void)
Packit 7b22a4 
{
Packit 7b22a4 
	printf(
Packit 7b22a4 
"icmp match options:\n"
Packit 7b22a4 
"[!] --icmp-type typename	match icmp type\n"
Packit 7b22a4 
"[!] --icmp-type type[/code]	(or numeric type or type/code)\n");
Packit 7b22a4 
	printf("Valid ICMP Types:");
Packit 7b22a4 
	xt_print_icmp_types(icmp_codes, ARRAY_SIZE(icmp_codes));
Packit 7b22a4 
}
Packit 7b22a4
Packit 7b22a4 
static const struct xt_option_entry icmp_opts[] = {
Packit 7b22a4 
	{.name = "icmp-type", .id = O_ICMP_TYPE, .type = XTTYPE_STRING,
Packit 7b22a4 
	 .flags = XTOPT_MAND | XTOPT_INVERT},
Packit 7b22a4 
	XTOPT_TABLEEND,
Packit 7b22a4 
};
Packit 7b22a4
Packit 7b22a4 
static void
Packit 7b22a4 
parse_icmp(const char *icmptype, uint8_t *type, uint8_t code[])
Packit 7b22a4 
{
Packit 7b22a4 
	static const unsigned int limit = ARRAY_SIZE(icmp_codes);
Packit 7b22a4 
	unsigned int match = limit;
Packit 7b22a4 
	unsigned int i;
Packit 7b22a4
Packit 7b22a4 
	for (i = 0; i < limit; i++) {
Packit 7b22a4 
		if (strncasecmp(icmp_codes[i].name, icmptype, strlen(icmptype))
Packit 7b22a4 
		    == 0) {
Packit 7b22a4 
			if (match != limit)
Packit 7b22a4 
				xtables_error(PARAMETER_PROBLEM,
Packit 7b22a4 
					   "Ambiguous ICMP type `%s':"
Packit 7b22a4 
					   " `%s' or `%s'?",
Packit 7b22a4 
					   icmptype,
Packit 7b22a4 
					   icmp_codes[match].name,
Packit 7b22a4 
					   icmp_codes[i].name);
Packit 7b22a4 
			match = i;
Packit 7b22a4 
		}
Packit 7b22a4 
	}
Packit 7b22a4
Packit 7b22a4 
	if (match != limit) {
Packit 7b22a4 
		*type = icmp_codes[match].type;
Packit 7b22a4 
		code[0] = icmp_codes[match].code_min;
Packit 7b22a4 
		code[1] = icmp_codes[match].code_max;
Packit 7b22a4 
	} else {
Packit 7b22a4 
		char *slash;
Packit 7b22a4 
		char buffer[strlen(icmptype) + 1];
Packit 7b22a4 
		unsigned int number;
Packit 7b22a4
Packit 7b22a4 
		strcpy(buffer, icmptype);
Packit 7b22a4 
		slash = strchr(buffer, '/');
Packit 7b22a4
Packit 7b22a4 
		if (slash)
Packit 7b22a4 
			*slash = '\0';
Packit 7b22a4
Packit 7b22a4 
		if (!xtables_strtoui(buffer, NULL, &number, 0, UINT8_MAX))
Packit 7b22a4 
			xtables_error(PARAMETER_PROBLEM,
Packit 7b22a4 
				   "Invalid ICMP type `%s'\n", buffer);
Packit 7b22a4 
		*type = number;
Packit 7b22a4 
		if (slash) {
Packit 7b22a4 
			if (!xtables_strtoui(slash+1, NULL, &number, 0, UINT8_MAX))
Packit 7b22a4 
				xtables_error(PARAMETER_PROBLEM,
Packit 7b22a4 
					   "Invalid ICMP code `%s'\n",
Packit 7b22a4 
					   slash+1);
Packit 7b22a4 
			code[0] = code[1] = number;
Packit 7b22a4 
		} else {
Packit 7b22a4 
			code[0] = 0;
Packit 7b22a4 
			code[1] = 0xFF;
Packit 7b22a4 
		}
Packit 7b22a4 
	}
Packit 7b22a4 
}
Packit 7b22a4
Packit 7b22a4 
static void icmp_init(struct xt_entry_match *m)
Packit 7b22a4 
{
Packit 7b22a4 
	struct ipt_icmp *icmpinfo = (struct ipt_icmp *)m->data;
Packit 7b22a4
Packit 7b22a4 
	icmpinfo->type = 0xFF;
Packit 7b22a4 
	icmpinfo->code[1] = 0xFF;
Packit 7b22a4 
}
Packit 7b22a4
Packit 7b22a4 
static void icmp_parse(struct xt_option_call *cb)
Packit 7b22a4 
{
Packit 7b22a4 
	struct ipt_icmp *icmpinfo = cb->data;
Packit 7b22a4
Packit 7b22a4 
	xtables_option_parse(cb);
Packit 7b22a4 
	parse_icmp(cb->arg, &icmpinfo->type, icmpinfo->code);
Packit 7b22a4 
	if (cb->invert)
Packit 7b22a4 
		icmpinfo->invflags |= IPT_ICMP_INV;
Packit 7b22a4 
}
Packit 7b22a4
Packit 7b22a4 
static void print_icmptype(uint8_t type,
Packit 7b22a4 
			   uint8_t code_min, uint8_t code_max,
Packit 7b22a4 
			   int invert,
Packit 7b22a4 
			   int numeric)
Packit 7b22a4 
{
Packit 7b22a4 
	if (!numeric) {
Packit 7b22a4 
		unsigned int i;
Packit 7b22a4
Packit 7b22a4 
		for (i = 0; i < ARRAY_SIZE(icmp_codes); ++i)
Packit 7b22a4 
			if (icmp_codes[i].type == type
Packit 7b22a4 
			    && icmp_codes[i].code_min == code_min
Packit 7b22a4 
			    && icmp_codes[i].code_max == code_max)
Packit 7b22a4 
				break;
Packit 7b22a4
Packit 7b22a4 
		if (i != ARRAY_SIZE(icmp_codes)) {
Packit 7b22a4 
			printf(" %s%s",
Packit 7b22a4 
			       invert ? "!" : "",
Packit 7b22a4 
			       icmp_codes[i].name);
Packit 7b22a4 
			return;
Packit 7b22a4 
		}
Packit 7b22a4 
	}
Packit 7b22a4
Packit 7b22a4 
	if (invert)
Packit 7b22a4 
		printf(" !");
Packit 7b22a4
Packit 7b22a4 
	printf("type %u", type);
Packit 7b22a4 
	if (code_min == code_max)
Packit 7b22a4 
		printf(" code %u", code_min);
Packit 7b22a4 
	else if (code_min != 0 || code_max != 0xFF)
Packit 7b22a4 
		printf(" codes %u-%u", code_min, code_max);
Packit 7b22a4 
}
Packit 7b22a4
Packit 7b22a4 
static void icmp_print(const void *ip, const struct xt_entry_match *match,
Packit 7b22a4 
                       int numeric)
Packit 7b22a4 
{
Packit 7b22a4 
	const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
Packit 7b22a4
Packit 7b22a4 
	printf(" icmp");
Packit 7b22a4 
	print_icmptype(icmp->type, icmp->code[0], icmp->code[1],
Packit 7b22a4 
		       icmp->invflags & IPT_ICMP_INV,
Packit 7b22a4 
		       numeric);
Packit 7b22a4
Packit 7b22a4 
	if (icmp->invflags & ~IPT_ICMP_INV)
Packit 7b22a4 
		printf(" Unknown invflags: 0x%X",
Packit 7b22a4 
		       icmp->invflags & ~IPT_ICMP_INV);
Packit 7b22a4 
}
Packit 7b22a4
Packit 7b22a4 
static void icmp_save(const void *ip, const struct xt_entry_match *match)
Packit 7b22a4 
{
Packit 7b22a4 
	const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
Packit 7b22a4
Packit 7b22a4 
	if (icmp->invflags & IPT_ICMP_INV)
Packit 7b22a4 
		printf(" !");
Packit 7b22a4
Packit 7b22a4 
	/* special hack for 'any' case */
Packit 7b22a4 
	if (icmp->type == 0xFF) {
Packit 7b22a4 
		printf(" --icmp-type any");
Packit 7b22a4 
	} else {
Packit 7b22a4 
		printf(" --icmp-type %u", icmp->type);
Packit 7b22a4 
		if (icmp->code[0] != 0 || icmp->code[1] != 0xFF)
Packit 7b22a4 
			printf("/%u", icmp->code[0]);
Packit 7b22a4 
	}
Packit 7b22a4 
}
Packit 7b22a4
Packit 7b22a4 
static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
Packit 7b22a4 
				     unsigned int code_min,
Packit 7b22a4 
				     unsigned int code_max)
Packit 7b22a4 
{
Packit 7b22a4 
	unsigned int i;
Packit 7b22a4
Packit 7b22a4 
	if (code_min != code_max) {
Packit 7b22a4 
		for (i = 0; i < ARRAY_SIZE(icmp_codes); ++i)
Packit 7b22a4 
			if (icmp_codes[i].type == icmptype &&
Packit 7b22a4 
			    icmp_codes[i].code_min == code_min &&
Packit 7b22a4 
			    icmp_codes[i].code_max == code_max) {
Packit 7b22a4 
				xt_xlate_add(xl, "%s", icmp_codes[i].name);
Packit 7b22a4 
				return 1;
Packit 7b22a4 
			}
Packit 7b22a4 
	}
Packit 7b22a4
Packit 7b22a4 
	return 0;
Packit 7b22a4 
}
Packit 7b22a4
Packit 7b22a4 
static int icmp_xlate(struct xt_xlate *xl,
Packit 7b22a4 
		      const struct xt_xlate_mt_params *params)
Packit 7b22a4 
{
Packit 7b22a4 
	const struct ipt_icmp *info = (struct ipt_icmp *)params->match->data;
Packit 7b22a4
Packit 7b22a4 
	if (info->type != 0xFF) {
Packit 7b22a4 
		xt_xlate_add(xl, "icmp type%s ",
Packit 7b22a4 
			     (info->invflags & IPT_ICMP_INV) ? " !=" : "");
Packit 7b22a4
Packit 7b22a4 
		if (!type_xlate_print(xl, info->type, info->code[0],
Packit 7b22a4 
				      info->code[1]))
Packit 7b22a4 
			return 0;
Packit Service 05978d 
	} else {
Packit Service 05978d 
		/* '-m icmp --icmp-type any' is a noop by itself,
Packit Service 05978d 
		 * but it eats a (mandatory) previous '-p icmp' so
Packit Service 05978d 
		 * emit it here */
Packit Service 05978d 
		xt_xlate_add(xl, "ip protocol icmp");
Packit 7b22a4 
	}
Packit 7b22a4 
	return 1;
Packit 7b22a4 
}
Packit 7b22a4
Packit 7b22a4 
static struct xtables_match icmp_mt_reg = {
Packit 7b22a4 
	.name		= "icmp",
Packit 7b22a4 
	.version	= XTABLES_VERSION,
Packit 7b22a4 
	.family		= NFPROTO_IPV4,
Packit 7b22a4 
	.size		= XT_ALIGN(sizeof(struct ipt_icmp)),
Packit 7b22a4 
	.userspacesize	= XT_ALIGN(sizeof(struct ipt_icmp)),
Packit 7b22a4 
	.help		= icmp_help,
Packit 7b22a4 
	.init		= icmp_init,
Packit 7b22a4 
	.print		= icmp_print,
Packit 7b22a4 
	.save		= icmp_save,
Packit 7b22a4 
	.x6_parse	= icmp_parse,
Packit 7b22a4 
	.x6_options	= icmp_opts,
Packit 7b22a4 
	.xlate		= icmp_xlate,
Packit 7b22a4 
};
Packit 7b22a4
Packit 7b22a4 
void _init(void)
Packit 7b22a4 
{
Packit 7b22a4 
	xtables_register_match(&icmp_mt_reg);
Packit 7b22a4 
}

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation