miniupnp/miniupnpd/netfilter/iptpinhole.c

412 lines
10 KiB
C

/* $Id: iptpinhole.c,v 1.7 2012/05/08 20:41:45 nanard Exp $ */
/* MiniUPnP project
* http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
* (c) 2012 Thomas Bernard
* This software is subject to the conditions detailed
* in the LICENCE file provided within the distribution */
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <errno.h>
#include <arpa/inet.h>
#include <sys/queue.h>
#include "../config.h"
#include "iptpinhole.h"
#include "../upnpglobalvars.h"
#ifdef ENABLE_6FC_SERVICE
#include <xtables.h>
#include <libiptc/libip6tc.h>
#include "tiny_nf_nat.h"
#define IP6TC_HANDLE struct ip6tc_handle *
static int next_uid = 1;
static LIST_HEAD(pinhole_list_t, pinhole_t) pinhole_list;
static struct pinhole_t *
get_pinhole(unsigned short uid);
struct pinhole_t {
struct in6_addr saddr;
struct in6_addr daddr;
LIST_ENTRY(pinhole_t) entries;
unsigned int timestamp;
unsigned short sport;
unsigned short dport;
unsigned short uid;
unsigned char proto;
};
void init_iptpinhole(void)
{
LIST_INIT(&pinhole_list);
}
void shutdown_iptpinhole(void)
{
/* TODO empty list */
}
/* return uid */
static int
add_to_pinhole_list(struct in6_addr * saddr, unsigned short sport,
struct in6_addr * daddr, unsigned short dport,
int proto, unsigned int timestamp)
{
struct pinhole_t * p;
p = calloc(1, sizeof(struct pinhole_t));
if(!p) {
syslog(LOG_ERR, "add_to_pinhole_list calloc() error");
return -1;
}
memcpy(&p->saddr, saddr, sizeof(struct in6_addr));
p->sport = sport;
memcpy(&p->daddr, daddr, sizeof(struct in6_addr));
p->dport = dport;
p->timestamp = timestamp;
p->proto = (unsigned char)proto;
LIST_INSERT_HEAD(&pinhole_list, p, entries);
while(get_pinhole(next_uid) != NULL) {
next_uid++;
if(next_uid > 65535)
next_uid = 1;
}
p->uid = next_uid;
next_uid++;
if(next_uid > 65535)
next_uid = 1;
return p->uid;
}
static struct pinhole_t *
get_pinhole(unsigned short uid)
{
struct pinhole_t * p;
for(p = pinhole_list.lh_first; p != NULL; p = p->entries.le_next) {
if(p->uid == uid)
return p;
}
return NULL; /* not found */
}
/* new_match()
* Allocate and set a new ip6t_entry_match structure
* The caller must free() it after usage */
static struct ip6t_entry_match *
new_match(int proto, unsigned short sport, unsigned short dport)
{
struct ip6t_entry_match *match;
struct ip6t_tcp *info; /* TODO : use ip6t_udp if needed */
size_t size;
const char * name;
size = XT_ALIGN(sizeof(struct ip6t_entry_match))
+ XT_ALIGN(sizeof(struct ip6t_tcp));
match = calloc(1, size);
match->u.user.match_size = size;
switch(proto) {
case IPPROTO_TCP:
name = "tcp";
break;
case IPPROTO_UDP:
name = "udp";
break;
case IPPROTO_UDPLITE:
name = "udplite";
break;
default:
name = NULL;
}
if(name)
strncpy(match->u.user.name, name, sizeof(match->u.user.name));
else
syslog(LOG_WARNING, "no name for protocol %d", proto);
info = (struct ip6t_tcp *)match->data;
if(sport) {
info->spts[0] = sport; /* specified source port */
info->spts[1] = sport;
} else {
info->spts[0] = 0; /* all source ports */
info->spts[1] = 0xFFFF;
}
info->dpts[0] = dport; /* specified destination port */
info->dpts[1] = dport;
return match;
}
static struct ip6t_entry_target *
get_accept_target(void)
{
struct ip6t_entry_target * target = NULL;
size_t size;
size = XT_ALIGN(sizeof(struct ip6t_entry_target))
+ XT_ALIGN(sizeof(int));
target = calloc(1, size);
target->u.user.target_size = size;
strncpy(target->u.user.name, "ACCEPT", sizeof(target->u.user.name));
return target;
}
static int
ip6tc_init_verify_append(const char * table,
const char * chain,
struct ip6t_entry * e)
{
IP6TC_HANDLE h;
h = ip6tc_init(table);
if(!h) {
syslog(LOG_ERR, "ip6tc_init error : %s", ip6tc_strerror(errno));
return -1;
}
if(!ip6tc_is_chain(chain, h)) {
syslog(LOG_ERR, "chain %s not found", chain);
goto error;
}
if(!ip6tc_append_entry(chain, e, h)) {
syslog(LOG_ERR, "ip6tc_append_entry() error : %s", ip6tc_strerror(errno));
goto error;
}
if(!ip6tc_commit(h)) {
syslog(LOG_ERR, "ip6tc_commit() error : %s", ip6tc_strerror(errno));
goto error;
}
return 0; /* ok */
error:
ip6tc_free(h);
return -1;
}
/*
ip6tables -I %s %d -p %s -i %s -s %s --sport %hu -d %s --dport %hu -j ACCEPT
ip6tables -I %s %d -p %s -i %s --sport %hu -d %s --dport %hu -j ACCEPT
miniupnpd_forward_chain, line_number, proto, ext_if_name, raddr, rport, iaddr, iport
ip6tables -t raw -I PREROUTING %d -p %s -i %s -s %s --sport %hu -d %s --dport %hu -j TRACE
ip6tables -t raw -I PREROUTING %d -p %s -i %s --sport %hu -d %s --dport %hu -j TRACE
*/
int add_pinhole(const char * ifname,
const char * rem_host, unsigned short rem_port,
const char * int_client, unsigned short int_port,
int proto, unsigned int timestamp)
{
int uid;
struct ip6t_entry * e;
struct ip6t_entry_match *match = NULL;
struct ip6t_entry_target *target = NULL;
e = calloc(1, sizeof(struct ip6t_entry));
e->ipv6.proto = proto;
if(ifname)
strncpy(e->ipv6.iniface, ifname, IFNAMSIZ);
if(rem_host) {
inet_pton(AF_INET6, rem_host, &e->ipv6.src);
memset(&e->ipv6.smsk, 0xff, sizeof(e->ipv6.smsk));
}
inet_pton(AF_INET6, int_client, &e->ipv6.dst);
memset(&e->ipv6.dmsk, 0xff, sizeof(e->ipv6.dmsk));
/*e->nfcache = NFC_IP_DST_PT;*/
/*e->nfcache |= NFC_UNKNOWN;*/
match = new_match(proto, rem_port, int_port);
target = get_accept_target();
e = realloc(e, sizeof(struct ip6t_entry)
+ match->u.match_size
+ target->u.target_size);
memcpy(e->elems, match, match->u.match_size);
memcpy(e->elems + match->u.match_size, target, target->u.target_size);
e->target_offset = sizeof(struct ip6t_entry)
+ match->u.match_size;
e->next_offset = sizeof(struct ip6t_entry)
+ match->u.match_size
+ target->u.target_size;
free(match);
free(target);
if(ip6tc_init_verify_append("filter", miniupnpd_v6_filter_chain, e) < 0) {
free(e);
return -1;
}
uid = add_to_pinhole_list(&e->ipv6.src, rem_port,
&e->ipv6.dst, int_port,
proto, timestamp);
free(e);
return uid;
}
int
delete_pinhole(unsigned short uid)
{
struct pinhole_t * p;
IP6TC_HANDLE h;
const struct ip6t_entry * e;
const struct ip6t_entry_match *match = NULL;
/*const struct ip6t_entry_target *target = NULL;*/
unsigned int index;
p = get_pinhole(uid);
if(!p)
return -2; /* not found */
h = ip6tc_init("filter");
if(!h) {
syslog(LOG_ERR, "ip6tc_init error : %s", ip6tc_strerror(errno));
return -1;
}
if(!ip6tc_is_chain(miniupnpd_v6_filter_chain, h)) {
syslog(LOG_ERR, "chain %s not found", miniupnpd_v6_filter_chain);
goto error;
}
index = 0;
for(e = ip6tc_first_rule(miniupnpd_v6_filter_chain, h);
e;
e = ip6tc_next_rule(e, h)) {
if((e->ipv6.proto == p->proto) &&
(0 == memcmp(&e->ipv6.src, &p->saddr, sizeof(e->ipv6.src))) &&
(0 == memcmp(&e->ipv6.dst, &p->daddr, sizeof(e->ipv6.dst)))) {
const struct ip6t_tcp * info;
match = (const struct ip6t_entry_match *)&e->elems;
info = (const struct ip6t_tcp *)&match->data;
if((info->spts[0] == p->sport) && (info->dpts[0] == p->dport)) {
if(!ip6tc_delete_num_entry(miniupnpd_v6_filter_chain, index, h)) {
syslog(LOG_ERR, "ip6tc_delete_num_entry(%s,%d,...): %s",
miniupnpd_v6_filter_chain, index, ip6tc_strerror(errno));
goto error;
}
if(!ip6tc_commit(h)) {
syslog(LOG_ERR, "ip6tc_commit(): %s",
ip6tc_strerror(errno));
goto error;
}
ip6tc_free(h);
LIST_REMOVE(p, entries);
return 0; /* ok */
}
}
index++;
}
ip6tc_free(h);
syslog(LOG_WARNING, "delete_pinhole() rule with PID=%hu not found", uid);
return -2; /* not found */
error:
ip6tc_free(h);
return -1;
}
int
update_pinhole(unsigned short uid, unsigned int timestamp)
{
struct pinhole_t * p;
p = get_pinhole(uid);
if(p) {
p->timestamp = timestamp;
return 0;
} else {
return -2; /* Not found */
}
}
int
get_pinhole_info(unsigned short uid,
char * rem_host, int rem_hostlen, unsigned short * rem_port,
char * int_client, int int_clientlen, unsigned short * int_port,
int * proto, unsigned int * timestamp,
u_int64_t * packets, u_int64_t * bytes)
{
struct pinhole_t * p;
p = get_pinhole(uid);
if(!p)
return -2; /* Not found */
if(rem_host) {
if(inet_ntop(AF_INET6, &p->saddr, rem_host, rem_hostlen) == NULL)
return -1;
}
if(rem_port)
*rem_port = p->sport;
if(int_client) {
if(inet_ntop(AF_INET6, &p->daddr, int_client, int_clientlen) == NULL)
return -1;
}
if(int_port)
*int_port = p->dport;
if(proto)
*proto = p->proto;
if(timestamp)
*timestamp = p->timestamp;
if(packets || bytes) {
/* theses informations need to be read from netfilter */
IP6TC_HANDLE h;
const struct ip6t_entry * e;
const struct ip6t_entry_match * match;
h = ip6tc_init("filter");
if(!h) {
syslog(LOG_ERR, "ip6tc_init error : %s", ip6tc_strerror(errno));
return -1;
}
for(e = ip6tc_first_rule(miniupnpd_v6_filter_chain, h);
e;
e = ip6tc_next_rule(e, h)) {
if((e->ipv6.proto == p->proto) &&
(0 == memcmp(&e->ipv6.src, &p->saddr, sizeof(e->ipv6.src))) &&
(0 == memcmp(&e->ipv6.dst, &p->daddr, sizeof(e->ipv6.dst)))) {
const struct ip6t_tcp * info;
match = (const struct ip6t_entry_match *)&e->elems;
info = (const struct ip6t_tcp *)&match->data;
if((info->spts[0] == p->sport) && (info->dpts[0] == p->dport)) {
if(packets)
*packets = e->counters.pcnt;
if(bytes)
*bytes = e->counters.bcnt;
break;
}
}
}
ip6tc_free(h);
}
return 0;
}
int
clean_pinhole_list(unsigned int * next_timestamp)
{
unsigned int min_ts = UINT_MAX;
struct pinhole_t * p;
time_t current_time;
int n = 0;
current_time = time(NULL);
p = pinhole_list.lh_first;
while(p != NULL) {
if(p->timestamp <= (unsigned int)current_time) {
unsigned short uid = p->uid;
syslog(LOG_INFO, "removing expired pinhole with uid=%hu", uid);
p = p->entries.le_next;
if(delete_pinhole(uid) == 0)
n++;
else
break;
} else {
if(p->timestamp < min_ts)
min_ts = p->timestamp;
p = p->entries.le_next;
}
}
if(next_timestamp)
*next_timestamp = min_ts;
return n;
}
#endif