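--- /dev/null
+++ b/extensions/libipt_rpc.c
@@ -0,0 +1,372 @@
+/* RPC extension for IP connection matching, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ * - original rpc tracking module
+ * - "recent" connection handling for kernel 2.3+ netfilter
+ *
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ * - upgraded conntrack modules to oldnat api - kernel 2.4.0+
+ *
+ * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ * - upgraded conntrack modules to newnat api - kernel 2.4.20+
+ * - extended matching to support filtering on procedures
+ *
+ * libipt_rpc.c,v 2.2 2003/01/12 18:30:00
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ **
+ * Userspace library syntax:
+ * --rpc [--rpcs procedure1,procedure2,...procedure128] [--static]
+ *
+ * Procedures can be supplied in either numeric or named formats.
+ * Without --rpcs, this module will behave as the old record-rpc.
+ **
+ * Note to all:
+ *
+ * RPCs should not be exposed to the internet - ask the Pentagon;
+ *
+ * "The unidentified crackers pleaded guilty in July to charges
+ * of juvenile delinquency stemming from a string of Pentagon
+ * network intrusions in February.
+ *
+ * The youths, going by the names TooShort and Makaveli, used
+ * a common server security hole to break in, according to
+ * Dane Jasper, owner of the California Internet service
+ * provider, Sonic. They used the hole, known as the 'statd'
+ * exploit, to attempt more than 800 break-ins, Jasper said."
+ *
+ * From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998
+ * URL: http://www.wired.com/news/politics/0,1283,16098,00.html
+ **
+ */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <rpc/rpc.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_rpc.h>
+#include <time.h>
+
+
+const int IPT_RPC_RPCS = 1;
+const int IPT_RPC_STRC = 2;
+
+const int IPT_RPC_INT_LBL = 1;
+const int IPT_RPC_INT_NUM = 2;
+const int IPT_RPC_INT_BTH = 3;
+
+const int IPT_RPC_CHAR_LEN = 11;
+const int IPT_RPC_MAX_ENTS = 128;
+
+const char preerr[11] = "RPC match:";
+
+
+static int k_itoa(char *string, int number)
+{
+ int maxoctet = IPT_RPC_CHAR_LEN - 1;
+ int store[IPT_RPC_CHAR_LEN];
+ int counter;
+
+
+ for (counter=0 ; maxoctet != 0 && number != 0; counter++, maxoctet--) {
+ store[counter] = number / 10;
+ store[counter] = number - ( store[counter] * 10 );
+ number = number / 10;
+ }
+
+ for ( ; counter != 0; counter--, string++)
+ *string = store[counter - 1] + 48;
+
+ *string = 0;
+
+ return(0);
+}
+
+
+static int k_atoi(char *string)
+{
+ unsigned int result = 0;
+ int maxoctet = IPT_RPC_CHAR_LEN;
+
+
+ for ( ; *string != 0 && maxoctet != 0; maxoctet--, string++) {
+ if (*string < 0)
+ return(0);
+ if (*string == 0)
+ break;
+ if (*string < 48 || *string > 57) {
+ return(0);
+ }
+ result = result * 10 + ( *string - 48 );
+ }
+
+ return(result);
+}
+
+
+static void print_rpcs(char *c_procs, int i_procs, int labels)
+{
+ int proc_ctr;
+ char *proc_ptr;
+ unsigned int proc_num;
+ struct rpcent *rpcent;
+
+
+ for (proc_ctr=0; proc_ctr <= i_procs; proc_ctr++) {
+
+ if ( proc_ctr != 0 )
+ printf(",");
+
+ proc_ptr = c_procs;
+ proc_ptr += proc_ctr * IPT_RPC_CHAR_LEN;
+ proc_num = k_atoi(proc_ptr);
+
+ /* labels(1) == no labels, only numbers
+ * labels(2) == no numbers, only labels
+ * labels(3) == both labels and numbers
+ */
+
+ if (labels == IPT_RPC_INT_LBL || labels == IPT_RPC_INT_BTH ) {
+ if ( (rpcent = getrpcbynumber(proc_num)) == NULL )
+ printf("unknown");
+ else
+ printf("%s", rpcent->r_name);
+ }
+
+ if (labels == IPT_RPC_INT_BTH )
+ printf("(");
+
+ if (labels == IPT_RPC_INT_NUM || labels == IPT_RPC_INT_BTH )
+ printf("%i", proc_num);
+
+ if (labels == IPT_RPC_INT_BTH )
+ printf(")");
+
+ }
+
+}
+
+
+static void help(void)
+{
+ printf(
+ "RPC v%s options:\n"
+ " --rpcs list,of,procedures"
+ "\ta list of rpc program numbers to apply\n"
+ "\t\t\t\tie. 100003,mountd,rquotad (numeric or\n"
+ "\t\t\t\tname form; see /etc/rpc).\n"
+ " --strict"
+ "\t\t\ta flag to force the drop of packets\n"
+ "\t\t\t\tnot containing \"get\" portmapper requests.\n",
+ XTABLES_VERSION);
+}
+
+
+static struct option opts[] = {
+ { "rpcs", 1, 0, '1'},
+ { "strict", 0, 0, '2'},
+ {0}
+};
+
+
+static void init(struct xt_entry_match *match)
+{
+ struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
+
+
+
+ /* initialise those funky user vars */
+ rpcinfo->i_procs = -1;
+ rpcinfo->strict = 0;
+ memset((char *)rpcinfo->c_procs, 0, sizeof(rpcinfo->c_procs));
+}
+
+
+static void parse_rpcs_string(char *string, struct xt_entry_match **match)
+{
+ char err1[64] = "%s invalid --rpcs option-set: `%s' (at character %i)";
+ char err2[64] = "%s unable to resolve rpc name entry: `%s'";
+ char err3[64] = "%s maximum number of --rpc options (%i) exceeded";
+ char buf[256];
+ char *dup = buf;
+ int idup = 0;
+ int term = 0;
+ char *src, *dst;
+ char *c_procs;
+ struct rpcent *rpcent_ptr;
+ struct ipt_rpc_info *rpcinfo = (struct ipt_rpc_info *)(*match)->data;
+
+
+ memset(buf, 0, sizeof(buf));
+
+ for (src=string, dst=buf; term != 1 ; src++, dst++) {
+
+ if ( *src != ',' && *src != '\0' ) {
+ if ( ( *src >= 65 && *src <= 90 ) || ( *src >= 97 && *src <= 122) ) {
+ *dst = *src;
+ idup = 1;
+
+ } else if ( *src >= 48 && *src <= 57 ) {
+ *dst = *src;
+
+ } else {
+ xtables_error(PARAMETER_PROBLEM, err1, preerr,
+ string, src - string + 1);
+
+ }
+
+ } else {
+ *dst = '\0';
+ if ( idup == 1 ) {
+ if ( (rpcent_ptr = getrpcbyname(dup)) == NULL )
+ xtables_error(PARAMETER_PROBLEM, err2,
+ preerr, dup);
+ idup = rpcent_ptr->r_number;
+ } else {
+ idup = k_atoi(dup);
+ }
+
+ rpcinfo->i_procs++;
+ if ( rpcinfo->i_procs > IPT_RPC_MAX_ENTS )
+ xtables_error(PARAMETER_PROBLEM, err3, preerr,
+ IPT_RPC_MAX_ENTS);
+
+ c_procs = (char *)rpcinfo->c_procs;
+ c_procs += rpcinfo->i_procs * IPT_RPC_CHAR_LEN;
+
+ memset(buf, 0, sizeof(buf));
+ k_itoa((char *)dup, idup);
+
+ strcpy(c_procs, dup);
+
+ if ( *src == '\0')
+ term = 1;
+
+ idup = 0;
+ memset(buf, 0, sizeof(buf));
+ dst = (char *)buf - 1;
+ }
+ }
+
+ return;
+}
+
+
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry,
+ struct xt_entry_match **match)
+{
+ struct ipt_rpc_info *rpcinfo = (struct ipt_rpc_info *)(*match)->data;
+
+
+ switch (c)
+ {
+ case '1':
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "%s unexpected '!' with --rpcs\n", preerr);
+ if (*flags & IPT_RPC_RPCS)
+ xtables_error(PARAMETER_PROBLEM,
+ "%s repeated use of --rpcs\n", preerr);
+ parse_rpcs_string(optarg, match);
+
+ *flags |= IPT_RPC_RPCS;
+ break;
+
+ case '2':
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "%s unexpected '!' with --strict\n", preerr);
+ if (*flags & IPT_RPC_STRC)
+ xtables_error(PARAMETER_PROBLEM,
+ "%s repeated use of --strict\n", preerr);
+ rpcinfo->strict = 1;
+ *flags |= IPT_RPC_STRC;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+
+}
+
+
+static void final_check(unsigned int flags)
+{
+ if (flags != (flags | IPT_RPC_RPCS)) {
+ printf("%s option \"--rpcs\" was not used ... reverting ", preerr);
+ printf("to old \"record-rpc\" functionality ..\n");
+ }
+}
+
+
+static void print(const void *ip,
+ const struct xt_entry_match *match,
+ int numeric)
+{
+ struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
+
+
+ printf("RPCs");
+ if(rpcinfo->strict == 1)
+ printf("[strict]");
+
+ printf(": ");
+
+ if(rpcinfo->i_procs == -1) {
+ printf("any(*)");
+
+ } else {
+ print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_BTH);
+ }
+ printf(" ");
+
+}
+
+
+static void save(const void *ip, const struct xt_entry_match *match)
+{
+ struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
+
+
+ if(rpcinfo->i_procs > -1) {
+ printf("--rpcs ");
+ print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_NUM);
+ printf(" ");
+ }
+
+ if(rpcinfo->strict == 1)
+ printf("--strict ");
+
+}
+
+
+static struct xtables_match rpcstruct = {
+ .next = NULL,
+ .name = "rpc",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct ipt_rpc_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_rpc_info)),
+ .help = &help,
+ .init = &init,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+
+void _init(void)
+{
+ xtables_register_match(&rpcstruct);
+}
+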
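Review bot: The entry-count check in parse_rpcs_string (hunk line 239) is off by one: `i_procs` starts at -1 and is rejected only when it exceeds IPT_RPC_MAX_ENTS, so the 129th entry is accepted at index 128, and with IPT_RPC_CHAR_LEN 11 the strcpy on hunk line 249 targets offset 1408 — exactly the end of the 1408-byte `c_procs` array declared in ipt_rpc.h — writing up to 11 bytes into the fields that follow it (`i_procs` and `data`). The check should read `if ( rpcinfo->i_procs >= IPT_RPC_MAX_ENTS )`, which also matches the "procedure128" limit in the header comment. The same loop copies a run of letters or digits into the 256-byte `buf` with no length check (hunk lines 214–219), so one token longer than 255 characters overruns the stack buffer before any error is raised; a guard at the top of the loop body such as `if (dst >= buf + sizeof(buf) - 1) xtables_error(PARAMETER_PROBLEM, "%s --rpcs entry too long", preerr);` closes that. Both are fed from the local command line, so the realistic outcome is a crash or a corrupted rule rather than a privilege boundary, but iptables runs as root and the rule is persisted, so they are worth fixing. Separately, `printf("%i", proc_num)` on hunk line 149 formats an `unsigned int` with a signed conversion; `%u` is the matching specifier.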
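--- a/include/linux/netfilter_ipv4/ipt_rpc.h
+++ b/include/linux/netfilter_ipv4/ipt_rpc.h
@@ -0,0 +1,35 @@
+/* RPC extension for IP netfilter matching, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ * - original rpc tracking module
+ * - "recent" connection handling for kernel 2.3+ netfilter
+ *
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ * - upgraded conntrack modules to oldnat api - kernel 2.4.0+
+ *
+ * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ * - upgraded conntrack modules to newnat api - kernel 2.4.20+
+ * - extended matching to support filtering on procedures
+ *
+ * ipt_rpc.h.c,v 2.2 2003/01/12 18:30:00
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ **
+ */
+
+#ifndef _IPT_RPC_H
+#define _IPT_RPC_H
+
+struct ipt_rpc_data;
+
+struct ipt_rpc_info {
+ int inverse;
+ int strict;
+ const char c_procs[1408];
+ int i_procs;
+ struct ipt_rpc_data *data;
+};
+
+#endif /* _IPT_RPC_H */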
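Review bot: `c_procs` is declared `const char c_procs[1408]` (hunk line 408) yet the userspace extension memset()s and strcpy()s into it through a `(char *)` cast, which is undefined behaviour on a const-qualified object; drop the `const`, and derive the size from the limits the parser actually uses instead of the bare 1408, e.g. `#define IPT_RPC_MAX_ENTS 128`, `#define IPT_RPC_CHAR_LEN 11`, `char c_procs[IPT_RPC_MAX_ENTS * IPT_RPC_CHAR_LEN];` — libipt_rpc.c currently carries both numbers as its own `const int`s, and 1408 only equals 128*11 by convention, so the two can drift apart without a compile error. The trailing `struct ipt_rpc_data *data` looks like kernel-private state embedded in the match info: its width makes `sizeof(struct ipt_rpc_info)` differ between 32- and 64-bit userspace/kernel pairs, and because the extension registers `.userspacesize` as the whole struct, the pointer presumably takes part in rule comparison when a rule is deleted or checked with -C; the conventional fix is a comment such as `/* kernel-private; exclude from userspace comparison */` on that field and `.userspacesize = offsetof(struct ipt_rpc_info, data)` in the extension. Only the header and the userspace side are visible here, so confirm against the kernel module before changing the layout.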