iptables-layer7.patch

   1 diff -urN iptables-1.4.9.1.org/extensions/libxt_layer7.c iptables-1.4.9.1/extensions/libxt_layer7.c
   2 --- iptables-1.4.9.1.org/extensions/libxt_layer7.c      1970-01-01 01:00:00.000000000 +0100
   3 +++ iptables-1.4.9.1/extensions/libxt_layer7.c  2009-07-14 00:53:05.000000000 +0200
   4 @@ -0,0 +1,368 @@
   5 +/*
   6 +   Shared library add-on to iptables for layer 7 matching support.
   7 +
   8 +   By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008.
   9 +
  10 +   http://l7-filter.sf.net
  11 +
  12 +   This program is free software; you can redistribute it and/or
  13 +   modify it under the terms of the GNU General Public License
  14 +   as published by the Free Software Foundation; either version
  15 +   2 of the License, or (at your option) any later version.
  16 +   http://www.gnu.org/licenses/gpl.txt
  17 +*/
  18 +
  19 +#define _GNU_SOURCE
  20 +#include <stdio.h>
  21 +#include <netdb.h>
  22 +#include <string.h>
  23 +#include <stdlib.h>
  24 +#include <getopt.h>
  25 +#include <ctype.h>
  26 +#include <dirent.h>
  27 +
  28 +#include <xtables.h>
  29 +#include <linux/netfilter/xt_layer7.h>
  30 +
  31 +#define MAX_FN_LEN 256
  32 +
  33 +static char l7dir[MAX_FN_LEN] = "\0";
  34 +
  35 +/* Function which prints out usage message. */
  36 +static void help(void)
  37 +{
  38 +       printf(
  39 +       "layer7 match options:\n"
  40 +       "    --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
  41 +       "                          (--l7dir must be specified before --l7proto if used)\n"
  42 +       "[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
  43 +}
  44 +
  45 +static const struct option opts[] = {
  46 +       { .name = "l7proto", .has_arg = 1, .val = 'p' },
  47 +       { .name = "l7dir",   .has_arg = 1, .val = 'd' },
  48 +       { .name = NULL }
  49 +};
  50 +
  51 +/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
  52 +static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
  53 +{
  54 +       FILE * f;
  55 +       char * line = NULL;
  56 +       size_t len = 0;
  57 +
  58 +       enum { protocol, pattern, done } datatype = protocol;
  59 +
  60 +       f = fopen(filename, "r");
  61 +
  62 +       if(!f)
  63 +               return 0;
  64 +
  65 +       while(getline(&line, &len, f) != -1)
  66 +       {
  67 +               if(strlen(line) < 2 || line[0] == '#')
  68 +                       continue;
  69 +
  70 +               /* strip the pesky newline... */
  71 +               if(line[strlen(line) - 1] == '\n')
  72 +                       line[strlen(line) - 1] = '\0';
  73 +
  74 +               if(datatype == protocol)
  75 +               {
  76 +                       /* Ignore everything on the line beginning with the
  77 +                       first space or tab . For instance, this allows the
  78 +                       protocol line in http.pat to be "http " (or
  79 +                       "http I am so cool") instead of just "http". */
  80 +                       if(strchr(line, ' ')){
  81 +                               char * space = strchr(line, ' ');
  82 +                               space[0] = '\0';
  83 +                       }
  84 +                       if(strchr(line, '\t')){
  85 +                               char * space = strchr(line, '\t');
  86 +                               space[0] = '\0';
  87 +                       }
  88 +
  89 +                       /* sanity check.  First non-comment non-blank
  90 +                       line must be the same as the file name. */
  91 +                       if(strcmp(line, protoname))
  92 +                               xtables_error(OTHER_PROBLEM,
  93 +                                       "Protocol name (%s) doesn't match file name (%s).  Bailing out\n",
  94 +                                       line, filename);
  95 +
  96 +                       if(strlen(line) >= MAX_PROTOCOL_LEN)
  97 +                                xtables_error(PARAMETER_PROBLEM,
  98 +                                       "Protocol name in %s too long!", filename);
  99 +                       strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
 100 +
 101 +                       datatype = pattern;
 102 +               }
 103 +               else if(datatype == pattern)
 104 +               {
 105 +                       if(strlen(line) >= MAX_PATTERN_LEN)
 106 +                                xtables_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
 107 +                       strncpy(info->pattern, line, MAX_PATTERN_LEN);
 108 +
 109 +                       datatype = done;
 110 +                       break;
 111 +               }
 112 +               else
 113 +                       xtables_error(OTHER_PROBLEM, "Internal error");
 114 +       }
 115 +
 116 +       if(datatype != done)
 117 +               xtables_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
 118 +
 119 +       if(line) free(line);
 120 +       fclose(f);
 121 +
 122 +       return 1;
 123 +}
 124 +
 125 +static int hex2dec(char c)
 126 +{
 127 +        switch (c)
 128 +        {
 129 +                case '0' ... '9':
 130 +                        return c - '0';
 131 +                case 'a' ... 'f':
 132 +                        return c - 'a' + 10;
 133 +                case 'A' ... 'F':
 134 +                        return c - 'A' + 10;
 135 +                default:
 136 +                        xtables_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
 137 +                        return 0;
 138 +        }
 139 +}
 140 +
 141 +/* takes a string with \xHH escapes and returns one with the characters
 142 +they stand for */
 143 +static char * pre_process(char * s)
 144 +{
 145 +       char * result = malloc(strlen(s) + 1);
 146 +       int sindex = 0, rrindex = 0;
 147 +        while( sindex < strlen(s) )
 148 +        {
 149 +            if( sindex + 3 < strlen(s) &&
 150 +                s[sindex] == '\\' && s[sindex+1] == 'x' &&
 151 +                isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
 152 +                {
 153 +                        /* carefully remember to call tolower here... */
 154 +                        result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
 155 +                                                  hex2dec(s[sindex + 3] ) );
 156 +
 157 +                       switch ( result[rrindex] )
 158 +                       {
 159 +                       case 0x24:
 160 +                       case 0x28:
 161 +                       case 0x29:
 162 +                       case 0x2a:
 163 +                       case 0x2b:
 164 +                       case 0x2e:
 165 +                       case 0x3f:
 166 +                       case 0x5b:
 167 +                       case 0x5c:
 168 +                       case 0x5d:
 169 +                       case 0x5e:
 170 +                       case 0x7c:
 171 +                               fprintf(stderr,
 172 +                                       "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
 173 +                                       "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
 174 +                                       result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
 175 +                               break;
 176 +                       case 0x00:
 177 +                               fprintf(stderr,
 178 +                                       "Warning: null (\\x00) in layer7 regexp.  A null terminates the regexp string!\n");
 179 +                               break;
 180 +                       default:
 181 +                               break;
 182 +                       }
 183 +
 184 +
 185 +                        sindex += 3; /* 4 total */
 186 +                }
 187 +                else
 188 +                        result[rrindex] = tolower(s[sindex]);
 189 +
 190 +               sindex++;
 191 +               rrindex++;
 192 +        }
 193 +       result[rrindex] = '\0';
 194 +
 195 +       return result;
 196 +}
 197 +
 198 +#define MAX_SUBDIRS 128
 199 +static char ** readl7dir(char * dirname)
 200 +{
 201 +        DIR             * scratchdir;
 202 +        struct dirent   ** namelist;
 203 +       char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
 204 +
 205 +        int n, d = 1;
 206 +       subdirs[0] = "";
 207 +
 208 +        n = scandir(dirname, &namelist, 0, alphasort);
 209 +
 210 +       if (n < 0)
 211 +       {
 212 +            perror("scandir");
 213 +           xtables_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
 214 +       }
 215 +        else
 216 +       {
 217 +               while(n--)
 218 +               {
 219 +                       char fulldirname[MAX_FN_LEN];
 220 +
 221 +                       snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
 222 +
 223 +                       if((scratchdir = opendir(fulldirname)) != NULL)
 224 +                       {
 225 +                               closedir(scratchdir);
 226 +
 227 +                               if(!strcmp(namelist[n]->d_name, ".") ||
 228 +                                  !strcmp(namelist[n]->d_name, ".."))
 229 +                                       /* do nothing */ ;
 230 +                               else
 231 +                               {
 232 +                                       subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
 233 +                                       strcpy(subdirs[d], namelist[n]->d_name);
 234 +                                       d++;
 235 +                                       if(d >= MAX_SUBDIRS - 1)
 236 +                                       {
 237 +                                               fprintf(stderr,
 238 +                                                 "Too many subdirectories, skipping the rest!\n");
 239 +                                               break;
 240 +                                       }
 241 +                               }
 242 +                       }
 243 +                       free(namelist[n]);
 244 +               }
 245 +               free(namelist);
 246 +        }
 247 +
 248 +       subdirs[d] = NULL;
 249 +
 250 +       return subdirs;
 251 +}
 252 +
 253 +static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
 254 +{
 255 +       char filename[MAX_FN_LEN];
 256 +       char * dir = NULL;
 257 +       char ** subdirs;
 258 +       int n = 0, done = 0;
 259 +
 260 +       if(strlen(l7dir) > 0) dir = l7dir;
 261 +       else                  dir = "/etc/l7-protocols";
 262 +
 263 +       subdirs = readl7dir(dir);
 264 +
 265 +       while(subdirs[n] != NULL)
 266 +       {
 267 +               int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
 268 +
 269 +               if(c > MAX_FN_LEN)
 270 +                       xtables_error(OTHER_PROBLEM,
 271 +                               "Filename beginning with %s is too long!\n", filename);
 272 +
 273 +               /* read in the pattern from the file */
 274 +               if(parse_protocol_file(filename, s, info)){
 275 +                       done = 1;
 276 +                       break;
 277 +               }
 278 +
 279 +               n++;
 280 +       }
 281 +
 282 +       if(!done)
 283 +               xtables_error(OTHER_PROBLEM,
 284 +                       "Couldn't find a pattern definition file for %s.\n", s);
 285 +
 286 +       /* process \xHH escapes and tolower everything. (our regex lib has no
 287 +       case insensitivity option.) */
 288 +       strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
 289 +}
 290 +
 291 +/* Function which parses command options; returns true if it ate an option */
 292 +static int parse(int c, char **argv, int invert, unsigned int *flags,
 293 +      const void *entry, struct xt_entry_match **match)
 294 +{
 295 +       struct xt_layer7_info *layer7info =
 296 +               (struct xt_layer7_info *)(*match)->data;
 297 +
 298 +       switch (c) {
 299 +       case 'p':
 300 +               parse_layer7_protocol(argv[optind-1], layer7info);
 301 +               if (invert)
 302 +                       layer7info->invert = true;
 303 +               *flags = 1;
 304 +               break;
 305 +
 306 +       case 'd':
 307 +               if(strlen(argv[optind-1]) >= MAX_FN_LEN)
 308 +                       xtables_error(PARAMETER_PROBLEM, "directory name too long\n");
 309 +
 310 +               strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
 311 +
 312 +               *flags = 1;
 313 +               break;
 314 +
 315 +       default:
 316 +               return 0;
 317 +       }
 318 +
 319 +       return 1;
 320 +}
 321 +
 322 +/* Final check; must have specified --l7proto */
 323 +static void final_check(unsigned int flags)
 324 +{
 325 +       if (!flags)
 326 +               xtables_error(PARAMETER_PROBLEM,
 327 +                          "LAYER7 match: You must specify `--l7proto'");
 328 +}
 329 +
 330 +static void print_protocol(char s[], int invert, int numeric)
 331 +{
 332 +       fputs("l7proto ", stdout);
 333 +       if (invert) fputc('!', stdout);
 334 +       printf("%s ", s);
 335 +}
 336 +
 337 +/* Prints out the matchinfo. */
 338 +static void print(const void *ip,
 339 +      const struct xt_entry_match *match,
 340 +      int numeric)
 341 +{
 342 +       printf("LAYER7 ");
 343 +       print_protocol(((struct xt_layer7_info *)match->data)->protocol,
 344 +                 ((struct xt_layer7_info *)match->data)->invert, numeric);
 345 +}
 346 +/* Saves the union ipt_matchinfo in parsable form to stdout. */
 347 +static void save(const void *ip, const struct xt_entry_match *match)
 348 +{
 349 +        const struct xt_layer7_info *info =
 350 +            (const struct xt_layer7_info*) match->data;
 351 +
 352 +        printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
 353 +}
 354 +
 355 +static struct xtables_match layer7 = {
 356 +    .family        = AF_INET,
 357 +    .name          = "layer7",
 358 +    .version       = XTABLES_VERSION,
 359 +    .size          = XT_ALIGN(sizeof(struct xt_layer7_info)),
 360 +    .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
 361 +    .help          = &help,
 362 +    .parse         = &parse,
 363 +    .final_check   = &final_check,
 364 +    .print         = &print,
 365 +    .save          = &save,
 366 +    .extra_opts    = opts
 367 +};
 368 +
 369 +void _init(void)
 370 +{
 371 +       xtables_register_match(&layer7);
 372 +}
 373 diff -urN iptables-1.4.9.1.org/extensions/libxt_layer7.man iptables-1.4.9.1/extensions/libxt_layer7.man
 374 --- iptables-1.4.9.1.org/extensions/libxt_layer7.man    1970-01-01 01:00:00.000000000 +0100
 375 +++ iptables-1.4.9.1/extensions/libxt_layer7.man        2009-07-14 00:51:32.000000000 +0200
 376 @@ -0,0 +1,14 @@
 377 +This module matches packets based on the application layer data of
 378 +their connections.  It uses regular expression matching to compare
 379 +the application layer data to regular expressions found it the layer7
 380 +configuration files.  This is an experimental module which can be found at
 381 +http://l7-filter.sf.net.  It takes two options.
 382 +.TP
 383 +.BI "--l7proto " "\fIprotocol\fP"
 384 +Match the specified protocol.  The protocol name must match a file
 385 +name in /etc/l7-protocols/ or one of its first-level child directories.
 386 +.TP
 387 +.BI "--l7dir " "\fIdirectory\fP"
 388 +Use \fIdirectory\fP instead of /etc/l7-protocols/.  This option must be
 389 +specified before --l7proto.
 390 +
 391 --- iptables.orig/include/linux/netfilter/xt_layer7.h   1969-12-31 18:00:00.000000000 -0600
 392 +++ iptables/include/linux/netfilter/xt_layer7.h        2009-01-07 16:07:31.000000000 -0600
 393 @@ -0,0 +1,13 @@
 394 +#ifndef _XT_LAYER7_H
 395 +#define _XT_LAYER7_H
 396 +
 397 +#define MAX_PATTERN_LEN 8192
 398 +#define MAX_PROTOCOL_LEN 256
 399 +
 400 +struct xt_layer7_info {
 401 +    char protocol[MAX_PROTOCOL_LEN];
 402 +    char pattern[MAX_PATTERN_LEN];
 403 +    u_int8_t invert;
 404 +};
 405 +
 406 +#endif /* _XT_LAYER7_H */