You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
418 lines
11 KiB
418 lines
11 KiB
--- iptables-1.4.0rc1/extensions/libipt_layer7.c 1969-12-31 18:00:00.000000000 -0600
|
|
+++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.c 2007-11-19 06:06:56.000000000 -0600
|
|
@@ -0,0 +1,393 @@
|
|
+/*
|
|
+ Shared library add-on to iptables to add layer 7 matching support.
|
|
+
|
|
+ By Matthew Strait <quadong@users.sf.net>, Oct 2003.
|
|
+
|
|
+ http://l7-filter.sf.net
|
|
+
|
|
+ This program is free software; you can redistribute it and/or
|
|
+ modify it under the terms of the GNU General Public License
|
|
+ as published by the Free Software Foundation; either version
|
|
+ 2 of the License, or (at your option) any later version.
|
|
+ http://www.gnu.org/licenses/gpl.txt
|
|
+
|
|
+ Based on libipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
|
|
+*/
|
|
+
|
|
+#define _GNU_SOURCE
|
|
+#include <stdio.h>
|
|
+#include <netdb.h>
|
|
+#include <string.h>
|
|
+#include <stdlib.h>
|
|
+#include <getopt.h>
|
|
+#include <ctype.h>
|
|
+#include <dirent.h>
|
|
+
|
|
+#include <iptables.h>
|
|
+#include <linux/netfilter/xt_layer7.h>
|
|
+
|
|
+#define MAX_FN_LEN 256
|
|
+
|
|
+static char l7dir[MAX_FN_LEN] = "\0";
|
|
+
|
|
+/* Function which prints out usage message. */
|
|
+static void help(void)
|
|
+{
|
|
+ printf(
|
|
+ "LAYER7 match v%s options:\n"
|
|
+ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
|
|
+ " (--l7dir must be specified before --l7proto if used!)\n"
|
|
+ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
|
|
+ IPTABLES_VERSION);
|
|
+ fputc('\n', stdout);
|
|
+}
|
|
+
|
|
+static struct option opts[] = {
|
|
+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
|
|
+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
|
|
+ { .name = 0 }
|
|
+};
|
|
+
|
|
+/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
|
|
+int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
|
|
+{
|
|
+ FILE * f;
|
|
+ char * line = NULL;
|
|
+ size_t len = 0;
|
|
+
|
|
+ enum { protocol, pattern, done } datatype = protocol;
|
|
+
|
|
+ f = fopen(filename, "r");
|
|
+
|
|
+ if(!f)
|
|
+ return 0;
|
|
+
|
|
+ while(getline(&line, &len, f) != -1)
|
|
+ {
|
|
+ if(strlen(line) < 2 || line[0] == '#')
|
|
+ continue;
|
|
+
|
|
+ /* strip the pesky newline... */
|
|
+ if(line[strlen(line) - 1] == '\n')
|
|
+ line[strlen(line) - 1] = '\0';
|
|
+
|
|
+ if(datatype == protocol)
|
|
+ {
|
|
+ /* Ignore everything on the line beginning with the
|
|
+ first space or tab . For instance, this allows the
|
|
+ protocol line in http.pat to be "http " (or
|
|
+ "http I am so cool") instead of just "http". */
|
|
+ if(strchr(line, ' ')){
|
|
+ char * space = strchr(line, ' ');
|
|
+ space[0] = '\0';
|
|
+ }
|
|
+ if(strchr(line, '\t')){
|
|
+ char * space = strchr(line, '\t');
|
|
+ space[0] = '\0';
|
|
+ }
|
|
+
|
|
+ /* sanity check. First non-comment non-blank
|
|
+ line must be the same as the file name. */
|
|
+ if(strcmp(line, protoname))
|
|
+ exit_error(OTHER_PROBLEM,
|
|
+ "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
|
|
+ line, filename);
|
|
+
|
|
+ if(strlen(line) >= MAX_PROTOCOL_LEN)
|
|
+ exit_error(PARAMETER_PROBLEM,
|
|
+ "Protocol name in %s too long!", filename);
|
|
+ strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
|
|
+
|
|
+ datatype = pattern;
|
|
+ }
|
|
+ else if(datatype == pattern)
|
|
+ {
|
|
+ if(strlen(line) >= MAX_PATTERN_LEN)
|
|
+ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
|
|
+ strncpy(info->pattern, line, MAX_PATTERN_LEN);
|
|
+
|
|
+ datatype = done;
|
|
+ break;
|
|
+ }
|
|
+ else
|
|
+ exit_error(OTHER_PROBLEM, "Internal error");
|
|
+ }
|
|
+
|
|
+ if(datatype != done)
|
|
+ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
|
|
+
|
|
+ if(line) free(line);
|
|
+ fclose(f);
|
|
+
|
|
+ return 1;
|
|
+
|
|
+/*
|
|
+ fprintf(stderr, "protocol: %s\npattern: %s\n\n",
|
|
+ info->protocol,
|
|
+ info->pattern);
|
|
+*/
|
|
+}
|
|
+
|
|
+static int hex2dec(char c)
|
|
+{
|
|
+ switch (c)
|
|
+ {
|
|
+ case '0' ... '9':
|
|
+ return c - '0';
|
|
+ case 'a' ... 'f':
|
|
+ return c - 'a' + 10;
|
|
+ case 'A' ... 'F':
|
|
+ return c - 'A' + 10;
|
|
+ default:
|
|
+ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
|
|
+ return 0;
|
|
+ }
|
|
+}
|
|
+
|
|
+/* takes a string with \xHH escapes and returns one with the characters
|
|
+they stand for */
|
|
+static char * pre_process(char * s)
|
|
+{
|
|
+ char * result = malloc(strlen(s) + 1);
|
|
+ int sindex = 0, rindex = 0;
|
|
+ while( sindex < strlen(s) )
|
|
+ {
|
|
+ if( sindex + 3 < strlen(s) &&
|
|
+ s[sindex] == '\\' && s[sindex+1] == 'x' &&
|
|
+ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
|
|
+ {
|
|
+ /* carefully remember to call tolower here... */
|
|
+ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
|
|
+ hex2dec(s[sindex + 3] ) );
|
|
+
|
|
+ switch ( result[rindex] )
|
|
+ {
|
|
+ case 0x24:
|
|
+ case 0x28:
|
|
+ case 0x29:
|
|
+ case 0x2a:
|
|
+ case 0x2b:
|
|
+ case 0x2e:
|
|
+ case 0x3f:
|
|
+ case 0x5b:
|
|
+ case 0x5c:
|
|
+ case 0x5d:
|
|
+ case 0x5e:
|
|
+ case 0x7c:
|
|
+ fprintf(stderr,
|
|
+ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
|
|
+ "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
|
|
+ result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]);
|
|
+ break;
|
|
+ case 0x00:
|
|
+ fprintf(stderr,
|
|
+ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n");
|
|
+ break;
|
|
+ default:
|
|
+ break;
|
|
+ }
|
|
+
|
|
+
|
|
+ sindex += 3; /* 4 total */
|
|
+ }
|
|
+ else
|
|
+ result[rindex] = tolower(s[sindex]);
|
|
+
|
|
+ sindex++;
|
|
+ rindex++;
|
|
+ }
|
|
+ result[rindex] = '\0';
|
|
+
|
|
+ return result;
|
|
+}
|
|
+
|
|
+#define MAX_SUBDIRS 128
|
|
+char ** readl7dir(char * dirname)
|
|
+{
|
|
+ DIR * scratchdir;
|
|
+ struct dirent ** namelist;
|
|
+ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
|
|
+
|
|
+ int n, d = 1;
|
|
+ subdirs[0] = "";
|
|
+
|
|
+ n = scandir(dirname, &namelist, 0, alphasort);
|
|
+
|
|
+ if (n < 0)
|
|
+ {
|
|
+ perror("scandir");
|
|
+ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ while(n--)
|
|
+ {
|
|
+ char fulldirname[MAX_FN_LEN];
|
|
+
|
|
+ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
|
|
+
|
|
+ if((scratchdir = opendir(fulldirname)) != NULL)
|
|
+ {
|
|
+ closedir(scratchdir);
|
|
+
|
|
+ if(!strcmp(namelist[n]->d_name, ".") ||
|
|
+ !strcmp(namelist[n]->d_name, ".."))
|
|
+ /* do nothing */ ;
|
|
+ else
|
|
+ {
|
|
+ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
|
|
+ strcpy(subdirs[d], namelist[n]->d_name);
|
|
+ d++;
|
|
+ if(d >= MAX_SUBDIRS - 1)
|
|
+ {
|
|
+ fprintf(stderr,
|
|
+ "Too many subdirectories, skipping the rest!\n");
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ free(namelist[n]);
|
|
+ }
|
|
+ free(namelist);
|
|
+ }
|
|
+
|
|
+ subdirs[d] = NULL;
|
|
+
|
|
+ return subdirs;
|
|
+}
|
|
+
|
|
+static void
|
|
+parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
|
|
+{
|
|
+ char filename[MAX_FN_LEN];
|
|
+ char * dir = NULL;
|
|
+ char ** subdirs;
|
|
+ int n = 0, done = 0;
|
|
+
|
|
+ if(strlen(l7dir) > 0)
|
|
+ dir = l7dir;
|
|
+ else
|
|
+ dir = "/etc/l7-protocols";
|
|
+
|
|
+ subdirs = readl7dir(dir);
|
|
+
|
|
+ while(subdirs[n] != NULL)
|
|
+ {
|
|
+ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
|
|
+
|
|
+ //fprintf(stderr, "Trying to find pattern in %s ... ", filename);
|
|
+
|
|
+ if(c > MAX_FN_LEN)
|
|
+ {
|
|
+ exit_error(OTHER_PROBLEM,
|
|
+ "Filename beginning with %s is too long!\n", filename);
|
|
+ }
|
|
+
|
|
+ /* read in the pattern from the file */
|
|
+ if(parse_protocol_file(filename, s, info))
|
|
+ {
|
|
+ //fprintf(stderr, "found\n");
|
|
+ done = 1;
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ //fprintf(stderr, "not found\n");
|
|
+
|
|
+ n++;
|
|
+ }
|
|
+
|
|
+ if(!done)
|
|
+ exit_error(OTHER_PROBLEM,
|
|
+ "Couldn't find a pattern definition file for %s.\n", s);
|
|
+
|
|
+ /* process \xHH escapes and tolower everything. (our regex lib has no
|
|
+ case insensitivity option.) */
|
|
+ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
|
|
+}
|
|
+
|
|
+/* Function which parses command options; returns true if it ate an option */
|
|
+static int parse(int c, char **argv, int invert, unsigned int *flags,
|
|
+ const void *entry, struct xt_entry_match **match)
|
|
+{
|
|
+ struct xt_layer7_info *layer7info =
|
|
+ (struct xt_layer7_info *)(*match)->data;
|
|
+
|
|
+ switch (c) {
|
|
+ case '1':
|
|
+ check_inverse(optarg, &invert, &optind, 0);
|
|
+ parse_layer7_protocol(argv[optind-1], layer7info);
|
|
+ if (invert)
|
|
+ layer7info->invert = 1;
|
|
+ *flags = 1;
|
|
+ break;
|
|
+
|
|
+ case '2':
|
|
+ /* not going to use this, but maybe we need to strip a ! anyway (?) */
|
|
+ check_inverse(optarg, &invert, &optind, 0);
|
|
+
|
|
+ if(strlen(argv[optind-1]) >= MAX_FN_LEN)
|
|
+ exit_error(PARAMETER_PROBLEM, "directory name too long\n");
|
|
+
|
|
+ strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
|
|
+
|
|
+ *flags = 1;
|
|
+ break;
|
|
+
|
|
+ default:
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+/* Final check; must have specified --l7proto */
|
|
+static void final_check(unsigned int flags)
|
|
+{
|
|
+ if (!flags)
|
|
+ exit_error(PARAMETER_PROBLEM,
|
|
+ "LAYER7 match: You must specify `--l7proto'");
|
|
+}
|
|
+
|
|
+static void print_protocol(char s[], int invert, int numeric)
|
|
+{
|
|
+ fputs("l7proto ", stdout);
|
|
+ if (invert) fputc('!', stdout);
|
|
+ printf("%s ", s);
|
|
+}
|
|
+
|
|
+/* Prints out the matchinfo. */
|
|
+static void print(const void *ip,
|
|
+ const struct xt_entry_match *match,
|
|
+ int numeric)
|
|
+{
|
|
+ printf("LAYER7 ");
|
|
+
|
|
+ print_protocol(((struct xt_layer7_info *)match->data)->protocol,
|
|
+ ((struct xt_layer7_info *)match->data)->invert, numeric);
|
|
+}
|
|
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
|
|
+static void save(const void *ip, const struct xt_entry_match *match)
|
|
+{
|
|
+ const struct xt_layer7_info *info =
|
|
+ (const struct xt_layer7_info*) match->data;
|
|
+
|
|
+ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol);
|
|
+}
|
|
+
|
|
+static struct iptables_match layer7 = {
|
|
+ .name = "layer7",
|
|
+ .version = IPTABLES_VERSION,
|
|
+ .size = IPT_ALIGN(sizeof(struct xt_layer7_info)),
|
|
+ .userspacesize = IPT_ALIGN(sizeof(struct xt_layer7_info)),
|
|
+ .help = &help,
|
|
+ .parse = &parse,
|
|
+ .final_check = &final_check,
|
|
+ .print = &print,
|
|
+ .save = &save,
|
|
+ .extra_opts = opts
|
|
+};
|
|
+
|
|
+void _init(void)
|
|
+{
|
|
+ register_match(&layer7);
|
|
+}
|
|
--- iptables-1.4.0rc1/extensions/libipt_layer7.man 1969-12-31 18:00:00.000000000 -0600
|
|
+++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.man 2007-11-19 05:49:46.000000000 -0600
|
|
@@ -0,0 +1,14 @@
|
|
+This module matches packets based on the application layer data of
|
|
+their connections. It uses regular expression matching to compare
|
|
+the application layer data to regular expressions found it the layer7
|
|
+configuration files. This is an experimental module which can be found at
|
|
+http://l7-filter.sf.net. It takes two options.
|
|
+.TP
|
|
+.BI "--l7proto " "\fIprotocol\fP"
|
|
+Match the specified protocol. The protocol name must match a file
|
|
+name in /etc/l7-protocols/ or one of its first-level child directories.
|
|
+.TP
|
|
+.BI "--l7dir " "\fIdirectory\fP"
|
|
+Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be
|
|
+specified before --l7proto.
|
|
+
|
|
--- iptables-1.4.0rc1/extensions/.layer7-test 1969-12-31 18:00:00.000000000 -0600
|
|
+++ iptables-1.4.0rc1-layer7/extensions/.layer7-test 2007-11-19 06:18:58.000000000 -0600
|
|
@@ -0,0 +1,2 @@
|
|
+#! /bin/sh
|
|
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_layer7.h ] && echo layer7
|
|
|