extensions/libipt_ah.c

   1 /* Shared library add-on to iptables to add AH support. */
   2 #include <stdio.h>
   3 #include <netdb.h>
   4 #include <string.h>
   5 #include <stdlib.h>
   6 #include <getopt.h>
   7 #include <errno.h>
   8 #include <xtables.h>
   9 #include <linux/netfilter_ipv4/ipt_ah.h>
  10
  11 static void ah_help(void)
  12 {
  13         printf(
  14 "ah match options:\n"
  15 "[!] --ahspi spi[:spi]\n"
  16 "                               match spi (range)\n");
  17 }
  18
  19 static const struct option ah_opts[] = {
  20         { "ahspi", 1, NULL, '1' },
  21         { .name = NULL }
  22 };
  23
  24 static u_int32_t
  25 parse_ah_spi(const char *spistr)
  26 {
  27         unsigned long int spi;
  28         char* ep;
  29
  30         spi =  strtoul(spistr,&ep,0) ;
  31
  32         if ( spistr == ep ) {
  33                 xtables_error(PARAMETER_PROBLEM,
  34                            "AH no valid digits in spi `%s'", spistr);
  35         }
  36         if ( spi == ULONG_MAX  && errno == ERANGE ) {
  37                 xtables_error(PARAMETER_PROBLEM,
  38                            "spi `%s' specified too big: would overflow", spistr);
  39         }
  40         if ( *spistr != '\0'  && *ep != '\0' ) {
  41                 xtables_error(PARAMETER_PROBLEM,
  42                            "AH error parsing spi `%s'", spistr);
  43         }
  44         return spi;
  45 }
  46
  47 static void
  48 parse_ah_spis(const char *spistring, u_int32_t *spis)
  49 {
  50         char *buffer;
  51         char *cp;
  52
  53         buffer = strdup(spistring);
  54         if ((cp = strchr(buffer, ':')) == NULL)
  55                 spis[0] = spis[1] = parse_ah_spi(buffer);
  56         else {
  57                 *cp = '\0';
  58                 cp++;
  59
  60                 spis[0] = buffer[0] ? parse_ah_spi(buffer) : 0;
  61                 spis[1] = cp[0] ? parse_ah_spi(cp) : 0xFFFFFFFF;
  62         }
  63         free(buffer);
  64 }
  65
  66 static void ah_init(struct xt_entry_match *m)
  67 {
  68         struct ipt_ah *ahinfo = (struct ipt_ah *)m->data;
  69
  70         ahinfo->spis[1] = 0xFFFFFFFF;
  71 }
  72
  73 #define AH_SPI 0x01
  74
  75 static int ah_parse(int c, char **argv, int invert, unsigned int *flags,
  76                     const void *entry, struct xt_entry_match **match)
  77 {
  78         struct ipt_ah *ahinfo = (struct ipt_ah *)(*match)->data;
  79
  80         switch (c) {
  81         case '1':
  82                 if (*flags & AH_SPI)
  83                         xtables_error(PARAMETER_PROBLEM,
  84                                    "Only one `--ahspi' allowed");
  85                 xtables_check_inverse(optarg, &invert, &optind, 0);
  86                 parse_ah_spis(argv[optind-1], ahinfo->spis);
  87                 if (invert)
  88                         ahinfo->invflags |= IPT_AH_INV_SPI;
  89                 *flags |= AH_SPI;
  90                 break;
  91         default:
  92                 return 0;
  93         }
  94
  95         return 1;
  96 }
  97
  98 static void
  99 print_spis(const char *name, u_int32_t min, u_int32_t max,
 100             int invert)
 101 {
 102         const char *inv = invert ? "!" : "";
 103
 104         if (min != 0 || max != 0xFFFFFFFF || invert) {
 105                 printf("%s", name);
 106                 if (min == max) {
 107                         printf(":%s", inv);
 108                         printf("%u", min);
 109                 } else {
 110                         printf("s:%s", inv);
 111                         printf("%u",min);
 112                         printf(":");
 113                         printf("%u",max);
 114                 }
 115                 printf(" ");
 116         }
 117 }
 118
 119 static void ah_print(const void *ip, const struct xt_entry_match *match,
 120                      int numeric)
 121 {
 122         const struct ipt_ah *ah = (struct ipt_ah *)match->data;
 123
 124         printf("ah ");
 125         print_spis("spi", ah->spis[0], ah->spis[1],
 126                     ah->invflags & IPT_AH_INV_SPI);
 127         if (ah->invflags & ~IPT_AH_INV_MASK)
 128                 printf("Unknown invflags: 0x%X ",
 129                        ah->invflags & ~IPT_AH_INV_MASK);
 130 }
 131
 132 static void ah_save(const void *ip, const struct xt_entry_match *match)
 133 {
 134         const struct ipt_ah *ahinfo = (struct ipt_ah *)match->data;
 135
 136         if (!(ahinfo->spis[0] == 0
 137             && ahinfo->spis[1] == 0xFFFFFFFF)) {
 138                 printf("%s--ahspi ",
 139                         (ahinfo->invflags & IPT_AH_INV_SPI) ? "! " : "");
 140                 if (ahinfo->spis[0]
 141                     != ahinfo->spis[1])
 142                         printf("%u:%u ",
 143                                ahinfo->spis[0],
 144                                ahinfo->spis[1]);
 145                 else
 146                         printf("%u ",
 147                                ahinfo->spis[0]);
 148         }
 149
 150 }
 151
 152 static struct xtables_match ah_mt_reg = {
 153         .name           = "ah",
 154         .version        = XTABLES_VERSION,
 155         .family         = NFPROTO_IPV4,
 156         .size           = XT_ALIGN(sizeof(struct ipt_ah)),
 157         .userspacesize  = XT_ALIGN(sizeof(struct ipt_ah)),
 158         .help           = ah_help,
 159         .init           = ah_init,
 160         .parse          = ah_parse,
 161         .print          = ah_print,
 162         .save           = ah_save,
 163         .extra_opts     = ah_opts,
 164 };
 165
 166 void
 167 _init(void)
 168 {
 169         xtables_register_match(&ah_mt_reg);
 170 }