nvram fixup: move the nvram commit hook to commit for all variables, since changes...
[openwrt.git] / package / iptables / patches / 1.3.8 / 002-layer7_2.17.patch
1 Index: iptables-1.3.8/extensions/.layer7-test
2 ===================================================================
3 --- /dev/null
4 +++ iptables-1.3.8/extensions/.layer7-test
5 @@ -0,0 +1,2 @@
6 +#! /bin/sh
7 +[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7
8 Index: iptables-1.3.8/extensions/libipt_layer7.c
9 ===================================================================
10 --- /dev/null
11 +++ iptables-1.3.8/extensions/libipt_layer7.c
12 @@ -0,0 +1,394 @@
13 +/*
14 + Shared library add-on to iptables to add layer 7 matching support.
15 +
16 + By Matthew Strait <quadong@users.sf.net>, Oct 2003.
17 +
18 + http://l7-filter.sf.net
19 +
20 + This program is free software; you can redistribute it and/or
21 + modify it under the terms of the GNU General Public License
22 + as published by the Free Software Foundation; either version
23 + 2 of the License, or (at your option) any later version.
24 + http://www.gnu.org/licenses/gpl.txt
25 +
26 + Based on libipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
27 +*/
28 +
29 +#define _GNU_SOURCE
30 +#include <stdio.h>
31 +#include <netdb.h>
32 +#include <string.h>
33 +#include <stdlib.h>
34 +#include <getopt.h>
35 +#include <ctype.h>
36 +#include <dirent.h>
37 +
38 +#include <iptables.h>
39 +#include <linux/netfilter_ipv4/ipt_layer7.h>
40 +
41 +#define MAX_FN_LEN 256
42 +
43 +static char l7dir[MAX_FN_LEN] = "\0";
44 +
45 +/* Function which prints out usage message. */
46 +static void help(void)
47 +{
48 + printf(
49 + "LAYER7 match v%s options:\n"
50 + "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
51 + " (--l7dir must be specified before --l7proto if used!)\n"
52 + "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
53 + IPTABLES_VERSION);
54 + fputc('\n', stdout);
55 +}
56 +
57 +static struct option opts[] = {
58 + { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
59 + { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
60 + { .name = 0 }
61 +};
62 +
63 +/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
64 +int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info)
65 +{
66 + FILE * f;
67 + char * line = NULL;
68 + size_t len = 0;
69 +
70 + enum { protocol, pattern, done } datatype = protocol;
71 +
72 + f = fopen(filename, "r");
73 +
74 + if(!f)
75 + return 0;
76 +
77 + while(getline(&line, &len, f) != -1)
78 + {
79 + if(strlen(line) < 2 || line[0] == '#')
80 + continue;
81 +
82 + /* strip the pesky newline... */
83 + if(line[strlen(line) - 1] == '\n')
84 + line[strlen(line) - 1] = '\0';
85 +
86 + if(datatype == protocol)
87 + {
88 + /* Ignore everything on the line beginning with the
89 + first space or tab . For instance, this allows the
90 + protocol line in http.pat to be "http " (or
91 + "http I am so cool") instead of just "http". */
92 + if(strchr(line, ' ')){
93 + char * space = strchr(line, ' ');
94 + space[0] = '\0';
95 + }
96 + if(strchr(line, '\t')){
97 + char * space = strchr(line, '\t');
98 + space[0] = '\0';
99 + }
100 +
101 + /* sanity check. First non-comment non-blank
102 + line must be the same as the file name. */
103 + if(strcmp(line, protoname))
104 + exit_error(OTHER_PROBLEM,
105 + "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
106 + line, filename);
107 +
108 + if(strlen(line) >= MAX_PROTOCOL_LEN)
109 + exit_error(PARAMETER_PROBLEM,
110 + "Protocol name in %s too long!", filename);
111 + strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
112 +
113 + datatype = pattern;
114 + }
115 + else if(datatype == pattern)
116 + {
117 + if(strlen(line) >= MAX_PATTERN_LEN)
118 + exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
119 + strncpy(info->pattern, line, MAX_PATTERN_LEN);
120 +
121 + datatype = done;
122 + break;
123 + }
124 + else
125 + exit_error(OTHER_PROBLEM, "Internal error");
126 + }
127 +
128 + if(datatype != done)
129 + exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
130 +
131 + if(line) free(line);
132 + fclose(f);
133 +
134 + return 1;
135 +
136 +/*
137 + fprintf(stderr, "protocol: %s\npattern: %s\n\n",
138 + info->protocol,
139 + info->pattern);
140 +*/
141 +}
142 +
143 +static int hex2dec(char c)
144 +{
145 + switch (c)
146 + {
147 + case '0' ... '9':
148 + return c - '0';
149 + case 'a' ... 'f':
150 + return c - 'a' + 10;
151 + case 'A' ... 'F':
152 + return c - 'A' + 10;
153 + default:
154 + exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
155 + return 0;
156 + }
157 +}
158 +
159 +/* takes a string with \xHH escapes and returns one with the characters
160 +they stand for */
161 +static char * pre_process(char * s)
162 +{
163 + char * result = malloc(strlen(s) + 1);
164 + int sindex = 0, rindex = 0;
165 + while( sindex < strlen(s) )
166 + {
167 + if( sindex + 3 < strlen(s) &&
168 + s[sindex] == '\\' && s[sindex+1] == 'x' &&
169 + isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
170 + {
171 + /* carefully remember to call tolower here... */
172 + result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
173 + hex2dec(s[sindex + 3] ) );
174 +
175 + switch ( result[rindex] )
176 + {
177 + case 0x24:
178 + case 0x28:
179 + case 0x29:
180 + case 0x2a:
181 + case 0x2b:
182 + case 0x2e:
183 + case 0x3f:
184 + case 0x5b:
185 + case 0x5c:
186 + case 0x5d:
187 + case 0x5e:
188 + case 0x7c:
189 + fprintf(stderr,
190 + "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
191 + "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
192 + result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]);
193 + break;
194 + case 0x00:
195 + fprintf(stderr,
196 + "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n");
197 + break;
198 + default:
199 + break;
200 + }
201 +
202 +
203 + sindex += 3; /* 4 total */
204 + }
205 + else
206 + result[rindex] = tolower(s[sindex]);
207 +
208 + sindex++;
209 + rindex++;
210 + }
211 + result[rindex] = '\0';
212 +
213 + return result;
214 +}
215 +
216 +#define MAX_SUBDIRS 128
217 +char ** readl7dir(char * dirname)
218 +{
219 + DIR * scratchdir;
220 + struct dirent ** namelist;
221 + char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
222 +
223 + int n, d = 1;
224 + subdirs[0] = "";
225 +
226 + n = scandir(dirname, &namelist, 0, alphasort);
227 +
228 + if (n < 0)
229 + {
230 + perror("scandir");
231 + exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
232 + }
233 + else
234 + {
235 + while(n--)
236 + {
237 + char fulldirname[MAX_FN_LEN];
238 +
239 + snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
240 +
241 + if((scratchdir = opendir(fulldirname)) != NULL)
242 + {
243 + closedir(scratchdir);
244 +
245 + if(!strcmp(namelist[n]->d_name, ".") ||
246 + !strcmp(namelist[n]->d_name, ".."))
247 + /* do nothing */ ;
248 + else
249 + {
250 + subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
251 + strcpy(subdirs[d], namelist[n]->d_name);
252 + d++;
253 + if(d >= MAX_SUBDIRS - 1)
254 + {
255 + fprintf(stderr,
256 + "Too many subdirectories, skipping the rest!\n");
257 + break;
258 + }
259 + }
260 + }
261 + free(namelist[n]);
262 + }
263 + free(namelist);
264 + }
265 +
266 + subdirs[d] = NULL;
267 +
268 + return subdirs;
269 +}
270 +
271 +static void
272 +parse_layer7_protocol(const unsigned char *s, struct ipt_layer7_info *info)
273 +{
274 + char filename[MAX_FN_LEN];
275 + char * dir = NULL;
276 + char ** subdirs;
277 + int n = 0, done = 0;
278 +
279 + if(strlen(l7dir) > 0)
280 + dir = l7dir;
281 + else
282 + dir = "/etc/l7-protocols";
283 +
284 + subdirs = readl7dir(dir);
285 +
286 + while(subdirs[n] != NULL)
287 + {
288 + int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
289 +
290 + //fprintf(stderr, "Trying to find pattern in %s ... ", filename);
291 +
292 + if(c > MAX_FN_LEN)
293 + {
294 + exit_error(OTHER_PROBLEM,
295 + "Filename beginning with %s is too long!\n", filename);
296 + }
297 +
298 + /* read in the pattern from the file */
299 + if(parse_protocol_file(filename, s, info))
300 + {
301 + //fprintf(stderr, "found\n");
302 + done = 1;
303 + break;
304 + }
305 +
306 + //fprintf(stderr, "not found\n");
307 +
308 + n++;
309 + }
310 +
311 + if(!done)
312 + exit_error(OTHER_PROBLEM,
313 + "Couldn't find a pattern definition file for %s.\n", s);
314 +
315 + /* process \xHH escapes and tolower everything. (our regex lib has no
316 + case insensitivity option.) */
317 + strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
318 +}
319 +
320 +/* Function which parses command options; returns true if it ate an option */
321 +static int parse(int c, char **argv, int invert, unsigned int *flags,
322 + const struct ipt_entry *entry, unsigned int *nfcache,
323 + struct ipt_entry_match **match)
324 +{
325 + struct ipt_layer7_info *layer7info =
326 + (struct ipt_layer7_info *)(*match)->data;
327 +
328 + switch (c) {
329 + case '1':
330 + check_inverse(optarg, &invert, &optind, 0);
331 + parse_layer7_protocol(argv[optind-1], layer7info);
332 + if (invert)
333 + layer7info->invert = 1;
334 + *flags = 1;
335 + break;
336 +
337 + case '2':
338 + /* not going to use this, but maybe we need to strip a ! anyway (?) */
339 + check_inverse(optarg, &invert, &optind, 0);
340 +
341 + if(strlen(argv[optind-1]) >= MAX_FN_LEN)
342 + exit_error(PARAMETER_PROBLEM, "directory name too long\n");
343 +
344 + strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
345 +
346 + *flags = 1;
347 + break;
348 +
349 + default:
350 + return 0;
351 + }
352 +
353 + return 1;
354 +}
355 +
356 +/* Final check; must have specified --l7proto */
357 +static void final_check(unsigned int flags)
358 +{
359 + if (!flags)
360 + exit_error(PARAMETER_PROBLEM,
361 + "LAYER7 match: You must specify `--l7proto'");
362 +}
363 +
364 +static void print_protocol(char s[], int invert, int numeric)
365 +{
366 + fputs("l7proto ", stdout);
367 + if (invert) fputc('!', stdout);
368 + printf("%s ", s);
369 +}
370 +
371 +/* Prints out the matchinfo. */
372 +static void print(const struct ipt_ip *ip,
373 + const struct ipt_entry_match *match,
374 + int numeric)
375 +{
376 + printf("LAYER7 ");
377 +
378 + print_protocol(((struct ipt_layer7_info *)match->data)->protocol,
379 + ((struct ipt_layer7_info *)match->data)->invert, numeric);
380 +}
381 +/* Saves the union ipt_matchinfo in parsable form to stdout. */
382 +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
383 +{
384 + const struct ipt_layer7_info *info =
385 + (const struct ipt_layer7_info*) match->data;
386 +
387 + printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol);
388 +}
389 +
390 +static struct iptables_match layer7 = {
391 + .name = "layer7",
392 + .version = IPTABLES_VERSION,
393 + .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)),
394 + .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)),
395 + .help = &help,
396 + .parse = &parse,
397 + .final_check = &final_check,
398 + .print = &print,
399 + .save = &save,
400 + .extra_opts = opts
401 +};
402 +
403 +void _init(void)
404 +{
405 + register_match(&layer7);
406 +}
407 Index: iptables-1.3.8/extensions/libipt_layer7.man
408 ===================================================================
409 --- /dev/null
410 +++ iptables-1.3.8/extensions/libipt_layer7.man
411 @@ -0,0 +1,14 @@
412 +This module matches packets based on the application layer data of
413 +their connections. It uses regular expression matching to compare
414 +the application layer data to regular expressions found it the layer7
415 +configuration files. This is an experimental module which can be found at
416 +http://l7-filter.sf.net. It takes two options.
417 +.TP
418 +.BI "--l7proto " "\fIprotocol\fP"
419 +Match the specified protocol. The protocol name must match a file
420 +name in /etc/l7-protocols/ or one of its first-level child directories.
421 +.TP
422 +.BI "--l7dir " "\fIdirectory\fP"
423 +Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be
424 +specified before --l7proto.
425 +
This page took 0.075729 seconds and 5 git commands to generate.