/*- * Copyright (c) 1996 - 2001 Brian Somers <brian@Awfulhak.org> * based on work by Toshiharu OHNO <tony-o@iij.ad.jp> * Internet Initiative Japan, Inc (IIJ) * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD: src/usr.sbin/ppp/filter.c,v 1.52.26.1 2010/12/21 17:10:29 kensmith Exp $ */ #include <sys/param.h> #include <netinet/in.h> #include <netdb.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <sys/socket.h> #include <sys/un.h> #include <stdarg.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <termios.h> #include "layer.h" #include "defs.h" #include "command.h" #include "mbuf.h" #include "log.h" #include "iplist.h" #include "timer.h" #include "throughput.h" #include "lqr.h" #include "hdlc.h" #include "fsm.h" #include "lcp.h" #include "ccp.h" #include "link.h" #include "slcompress.h" #include "ncpaddr.h" #include "ipcp.h" #include "filter.h" #include "descriptor.h" #include "prompt.h" #include "mp.h" #ifndef NORADIUS #include "radius.h" #endif #include "ipv6cp.h" #include "ncp.h" #include "bundle.h" static unsigned filter_Nam2Op(const char *); static int ParsePort(const char *service, const char *proto) { struct servent *servent; char *cp; int port; servent = getservbyname(service, proto); if (servent != 0) return ntohs(servent->s_port); port = strtol(service, &cp, 0); if (cp == service) { log_Printf(LogWARN, "ParsePort: %s is not a port name or number.\n", service); return 0; } return port; } /* * ICMP Syntax: src eq icmp_message_type */ static int ParseIcmp(int argc, char const *const *argv, struct filterent *tgt) { int type; char *cp; switch (argc) { case 0: /* permit/deny all ICMP types */ tgt->f_srcop = tgt->f_dstop = OP_NONE; break; case 3: if (!strcmp(*argv, "src") && !strcmp(argv[1], "eq")) { type = strtol(argv[2], &cp, 0); if (cp == argv[2]) { log_Printf(LogWARN, "ParseIcmp: type is expected.\n"); return 0; } tgt->f_srcop = OP_EQ; tgt->f_srcport = type; tgt->f_dstop = OP_NONE; } break; default: log_Printf(LogWARN, "ParseIcmp: bad icmp syntax.\n"); return 0; } return 1; } /* * UDP Syntax: [src op port] [dst op port] */ static int ParseUdpOrTcp(int argc, char const *const *argv, const struct protoent *pe, struct filterent *tgt) { tgt->f_srcop = tgt->f_dstop = OP_NONE; tgt->f_estab = tgt->f_syn = tgt->f_finrst = 0; if (argc >= 3 && !strcmp(*argv, "src")) { tgt->f_srcop = filter_Nam2Op(argv[1]); if (tgt->f_srcop == OP_NONE) { log_Printf(LogWARN, "ParseUdpOrTcp: bad operator\n"); return 0; } if (pe == NULL) return 0; tgt->f_srcport = ParsePort(argv[2], pe->p_name); if (tgt->f_srcport == 0) return 0; argc -= 3; argv += 3; } if (argc >= 3 && !strcmp(argv[0], "dst")) { tgt->f_dstop = filter_Nam2Op(argv[1]); if (tgt->f_dstop == OP_NONE) { log_Printf(LogWARN, "ParseUdpOrTcp: bad operator\n"); return 0; } if (pe == NULL) return 0; tgt->f_dstport = ParsePort(argv[2], pe->p_name); if (tgt->f_dstport == 0) return 0; argc -= 3; argv += 3; } if (pe && pe->p_proto == IPPROTO_TCP) { for (; argc > 0; argc--, argv++) if (!strcmp(*argv, "estab")) tgt->f_estab = 1; else if (!strcmp(*argv, "syn")) tgt->f_syn = 1; else if (!strcmp(*argv, "finrst")) tgt->f_finrst = 1; else break; } if (argc > 0) { log_Printf(LogWARN, "ParseUdpOrTcp: bad src/dst port syntax: %s\n", *argv); return 0; } return 1; } static int ParseGeneric(int argc, struct filterent *tgt) { /* * Filter currently is a catch-all. Requests are either permitted or * dropped. */ if (argc != 0) { log_Printf(LogWARN, "ParseGeneric: Too many parameters\n"); return 0; } else tgt->f_srcop = tgt->f_dstop = OP_NONE; return 1; } static unsigned addrtype(const char *addr) { if (!strncasecmp(addr, "MYADDR", 6) && (addr[6] == '\0' || addr[6] == '/')) return T_MYADDR; if (!strncasecmp(addr, "MYADDR6", 7) && (addr[7] == '\0' || addr[7] == '/')) return T_MYADDR6; if (!strncasecmp(addr, "HISADDR", 7) && (addr[7] == '\0' || addr[7] == '/')) return T_HISADDR; if (!strncasecmp(addr, "HISADDR6", 8) && (addr[8] == '\0' || addr[8] == '/')) return T_HISADDR6; if (!strncasecmp(addr, "DNS0", 4) && (addr[4] == '\0' || addr[4] == '/')) return T_DNS0; if (!strncasecmp(addr, "DNS1", 4) && (addr[4] == '\0' || addr[4] == '/')) return T_DNS1; return T_ADDR; } static const char * addrstr(struct ncprange *addr, unsigned type) { switch (type) { case T_MYADDR: return "MYADDR"; case T_HISADDR: return "HISADDR"; case T_DNS0: return "DNS0"; case T_DNS1: return "DNS1"; } return ncprange_ntoa(addr); } static int filter_Parse(struct ncp *ncp, int argc, char const *const *argv, struct filterent *ofp) { struct filterent fe; struct protoent *pe; char *wp; int action, family, ruleno, val, width; ruleno = strtol(*argv, &wp, 0); if (*argv == wp || ruleno >= MAXFILTERS) { log_Printf(LogWARN, "Parse: invalid filter number.\n"); return 0; } if (ruleno < 0) { for (ruleno = 0; ruleno < MAXFILTERS; ruleno++) { ofp->f_action = A_NONE; ofp++; } log_Printf(LogWARN, "Parse: filter cleared.\n"); return 1; } ofp += ruleno; if (--argc == 0) { log_Printf(LogWARN, "Parse: missing action.\n"); return 0; } argv++; memset(&fe, '\0', sizeof fe); val = strtol(*argv, &wp, 0); if (!*wp && val >= 0 && val < MAXFILTERS) { if (val <= ruleno) { log_Printf(LogWARN, "Parse: Can only jump forward from rule %d\n", ruleno); return 0; } action = val; } else if (!strcmp(*argv, "permit")) { action = A_PERMIT; } else if (!strcmp(*argv, "deny")) { action = A_DENY; } else if (!strcmp(*argv, "clear")) { ofp->f_action = A_NONE; return 1; } else { log_Printf(LogWARN, "Parse: %s: bad action\n", *argv); return 0; } fe.f_action = action; argc--; argv++; if (argc && argv[0][0] == '!' && !argv[0][1]) { fe.f_invert = 1; argc--; argv++; } ncprange_init(&fe.f_src); ncprange_init(&fe.f_dst); if (argc == 0) pe = NULL; else if ((pe = getprotobyname(*argv)) == NULL && strcmp(*argv, "all") != 0) { if (argc < 2) { log_Printf(LogWARN, "Parse: Protocol or address pair expected\n"); return 0; } else if (strcasecmp(*argv, "any") == 0 || ncprange_aton(&fe.f_src, ncp, *argv)) { family = ncprange_family(&fe.f_src); if (!ncprange_getwidth(&fe.f_src, &width)) width = 0; if (width == 0) ncprange_init(&fe.f_src); fe.f_srctype = addrtype(*argv); argc--; argv++; if (strcasecmp(*argv, "any") == 0 || ncprange_aton(&fe.f_dst, ncp, *argv)) { if (ncprange_family(&fe.f_dst) != AF_UNSPEC && ncprange_family(&fe.f_src) != AF_UNSPEC && family != ncprange_family(&fe.f_dst)) { log_Printf(LogWARN, "Parse: src and dst address families differ\n"); return 0; } if (!ncprange_getwidth(&fe.f_dst, &width)) width = 0; if (width == 0) ncprange_init(&fe.f_dst); fe.f_dsttype = addrtype(*argv); argc--; argv++; } else { log_Printf(LogWARN, "Parse: Protocol or address pair expected\n"); return 0; } if (argc) { if ((pe = getprotobyname(*argv)) == NULL && strcmp(*argv, "all") != 0) { log_Printf(LogWARN, "Parse: %s: Protocol expected\n", *argv); return 0; } else { argc--; argv++; } } } else { log_Printf(LogWARN, "Parse: Protocol or address pair expected\n"); return 0; } } else { argc--; argv++; } if (argc >= 2 && strcmp(*argv, "timeout") == 0) { fe.timeout = strtoul(argv[1], NULL, 10); argc -= 2; argv += 2; } val = 1; fe.f_proto = (pe == NULL) ? 0 : pe->p_proto; switch (fe.f_proto) { case IPPROTO_TCP: case IPPROTO_UDP: case IPPROTO_IPIP: #ifndef NOINET6 case IPPROTO_IPV6: #endif val = ParseUdpOrTcp(argc, argv, pe, &fe); break; case IPPROTO_ICMP: #ifndef NOINET6 case IPPROTO_ICMPV6: #endif val = ParseIcmp(argc, argv, &fe); break; default: val = ParseGeneric(argc, &fe); break; } log_Printf(LogDEBUG, "Parse: Src: %s\n", ncprange_ntoa(&fe.f_src)); log_Printf(LogDEBUG, "Parse: Dst: %s\n", ncprange_ntoa(&fe.f_dst)); log_Printf(LogDEBUG, "Parse: Proto: %d\n", fe.f_proto); log_Printf(LogDEBUG, "Parse: src: %s (%d)\n", filter_Op2Nam(fe.f_srcop), fe.f_srcport); log_Printf(LogDEBUG, "Parse: dst: %s (%d)\n", filter_Op2Nam(fe.f_dstop), fe.f_dstport); log_Printf(LogDEBUG, "Parse: estab: %u\n", fe.f_estab); log_Printf(LogDEBUG, "Parse: syn: %u\n", fe.f_syn); log_Printf(LogDEBUG, "Parse: finrst: %u\n", fe.f_finrst); if (val) *ofp = fe; return val; } int filter_Set(struct cmdargs const *arg) { struct filter *filter; if (arg->argc < arg->argn+2) return -1; if (!strcmp(arg->argv[arg->argn], "in")) filter = &arg->bundle->filter.in; else if (!strcmp(arg->argv[arg->argn], "out")) filter = &arg->bundle->filter.out; else if (!strcmp(arg->argv[arg->argn], "dial")) filter = &arg->bundle->filter.dial; else if (!strcmp(arg->argv[arg->argn], "alive")) filter = &arg->bundle->filter.alive; else { log_Printf(LogWARN, "filter_Set: %s: Invalid filter name.\n", arg->argv[arg->argn]); return -1; } filter_Parse(&arg->bundle->ncp, arg->argc - arg->argn - 1, arg->argv + arg->argn + 1, filter->rule); return 0; } const char * filter_Action2Nam(unsigned act) { static const char * const actname[] = { " none ", "permit ", " deny " }; static char buf[8]; if (act < MAXFILTERS) { snprintf(buf, sizeof buf, "%6d ", act); return buf; } else if (act >= A_NONE && act < A_NONE + sizeof(actname)/sizeof(char *)) return actname[act - A_NONE]; else return "?????? "; } static void doShowFilter(struct filterent *fp, struct prompt *prompt) { struct protoent *pe; int n; for (n = 0; n < MAXFILTERS; n++, fp++) { if (fp->f_action != A_NONE) { prompt_Printf(prompt, " %2d %s", n, filter_Action2Nam(fp->f_action)); prompt_Printf(prompt, "%c ", fp->f_invert ? '!' : ' '); if (ncprange_isset(&fp->f_src)) prompt_Printf(prompt, "%s ", addrstr(&fp->f_src, fp->f_srctype)); else prompt_Printf(prompt, "any "); if (ncprange_isset(&fp->f_dst)) prompt_Printf(prompt, "%s ", addrstr(&fp->f_dst, fp->f_dsttype)); else prompt_Printf(prompt, "any "); if (fp->f_proto) { if ((pe = getprotobynumber(fp->f_proto)) == NULL) prompt_Printf(prompt, "P:%d", fp->f_proto); else prompt_Printf(prompt, "%s", pe->p_name); if (fp->f_srcop) prompt_Printf(prompt, " src %s %d", filter_Op2Nam(fp->f_srcop), fp->f_srcport); if (fp->f_dstop) prompt_Printf(prompt, " dst %s %d", filter_Op2Nam(fp->f_dstop), fp->f_dstport); if (fp->f_estab) prompt_Printf(prompt, " estab"); if (fp->f_syn) prompt_Printf(prompt, " syn"); if (fp->f_finrst) prompt_Printf(prompt, " finrst"); } else prompt_Printf(prompt, "all"); if (fp->timeout != 0) prompt_Printf(prompt, " timeout %u", fp->timeout); prompt_Printf(prompt, "\n"); } } } int filter_Show(struct cmdargs const *arg) { if (arg->argc > arg->argn+1) return -1; if (arg->argc == arg->argn+1) { struct filter *filter; if (!strcmp(arg->argv[arg->argn], "in")) filter = &arg->bundle->filter.in; else if (!strcmp(arg->argv[arg->argn], "out")) filter = &arg->bundle->filter.out; else if (!strcmp(arg->argv[arg->argn], "dial")) filter = &arg->bundle->filter.dial; else if (!strcmp(arg->argv[arg->argn], "alive")) filter = &arg->bundle->filter.alive; else return -1; doShowFilter(filter->rule, arg->prompt); } else { struct filter *filter[4]; int f; filter[0] = &arg->bundle->filter.in; filter[1] = &arg->bundle->filter.out; filter[2] = &arg->bundle->filter.dial; filter[3] = &arg->bundle->filter.alive; for (f = 0; f < 4; f++) { if (f) prompt_Printf(arg->prompt, "\n"); prompt_Printf(arg->prompt, "%s:\n", filter[f]->name); doShowFilter(filter[f]->rule, arg->prompt); } } return 0; } static const char * const opname[] = {"none", "eq", "gt", "lt"}; const char * filter_Op2Nam(unsigned op) { if (op >= sizeof opname / sizeof opname[0]) return "unknown"; return opname[op]; } static unsigned filter_Nam2Op(const char *cp) { unsigned op; for (op = sizeof opname / sizeof opname[0] - 1; op; op--) if (!strcasecmp(cp, opname[op])) break; return op; } void filter_AdjustAddr(struct filter *filter, struct ncpaddr *local, struct ncpaddr *remote, struct in_addr *dns) { struct filterent *fp; int n; for (fp = filter->rule, n = 0; n < MAXFILTERS; fp++, n++) if (fp->f_action != A_NONE) { if (local) { if (fp->f_srctype == T_MYADDR && ncpaddr_family(local) == AF_INET) ncprange_sethost(&fp->f_src, local); if (fp->f_dsttype == T_MYADDR && ncpaddr_family(local) == AF_INET) ncprange_sethost(&fp->f_dst, local); #ifndef NOINET6 if (fp->f_srctype == T_MYADDR6 && ncpaddr_family(local) == AF_INET6) ncprange_sethost(&fp->f_src, local); if (fp->f_dsttype == T_MYADDR6 && ncpaddr_family(local) == AF_INET6) ncprange_sethost(&fp->f_dst, local); #endif } if (remote) { if (fp->f_srctype == T_HISADDR && ncpaddr_family(remote) == AF_INET) ncprange_sethost(&fp->f_src, remote); if (fp->f_dsttype == T_HISADDR && ncpaddr_family(remote) == AF_INET) ncprange_sethost(&fp->f_dst, remote); #ifndef NOINET6 if (fp->f_srctype == T_HISADDR6 && ncpaddr_family(remote) == AF_INET6) ncprange_sethost(&fp->f_src, remote); if (fp->f_dsttype == T_HISADDR6 && ncpaddr_family(remote) == AF_INET6) ncprange_sethost(&fp->f_dst, remote); #endif } if (dns) { if (fp->f_srctype == T_DNS0) ncprange_setip4host(&fp->f_src, dns[0]); if (fp->f_dsttype == T_DNS0) ncprange_setip4host(&fp->f_dst, dns[0]); if (fp->f_srctype == T_DNS1) ncprange_setip4host(&fp->f_src, dns[1]); if (fp->f_dsttype == T_DNS1) ncprange_setip4host(&fp->f_dst, dns[1]); } } }