if (buffer == NULL)
xtables_error(OTHER_PROBLEM, "strdup failed");
- for (cp=buffer, i=0; cp != NULL && i<IPT_PKNOCK_MAX_PORTS; cp=next, i++)
+ for (cp=buffer, i=0; cp != NULL && i<XT_PKNOCK_MAX_PORTS; cp=next, i++)
{
next=strchr(cp, ',');
if (next != NULL)
switch (c) {
case 'k': /* --knockports */
- if (*flags & IPT_PKNOCK_KNOCKPORT)
+ if (*flags & XT_PKNOCK_KNOCKPORT)
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot use --knockports twice.\n");
proto = check_proto(pnum, invflags);
info->ports_count = parse_ports(optarg, info->port, proto);
- info->option |= IPT_PKNOCK_KNOCKPORT;
- *flags |= IPT_PKNOCK_KNOCKPORT;
+ info->option |= XT_PKNOCK_KNOCKPORT;
+ *flags |= XT_PKNOCK_KNOCKPORT;
#if DEBUG
printf("ports_count: %d\n", info->ports_count);
#endif
break;
case 't': /* --time */
- if (*flags & IPT_PKNOCK_TIME)
+ if (*flags & XT_PKNOCK_TIME)
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot use --time twice.\n");
xtables_check_inverse(argv[optind-1], &invert, &optind, 0);
info->max_time = atoi(optarg);
- info->option |= IPT_PKNOCK_TIME;
- *flags |= IPT_PKNOCK_TIME;
+ info->option |= XT_PKNOCK_TIME;
+ *flags |= XT_PKNOCK_TIME;
break;
case 'n': /* --name */
- if (*flags & IPT_PKNOCK_NAME)
+ if (*flags & XT_PKNOCK_NAME)
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot use --name twice.\n");
xtables_check_inverse(argv[optind-1], &invert, &optind, 0);
- memset(info->rule_name, 0, IPT_PKNOCK_MAX_BUF_LEN + 1);
- strncpy(info->rule_name, optarg, IPT_PKNOCK_MAX_BUF_LEN);
+ memset(info->rule_name, 0, XT_PKNOCK_MAX_BUF_LEN + 1);
+ strncpy(info->rule_name, optarg, XT_PKNOCK_MAX_BUF_LEN);
info->rule_name_len = strlen(info->rule_name);
- info->option |= IPT_PKNOCK_NAME;
- *flags |= IPT_PKNOCK_NAME;
+ info->option |= XT_PKNOCK_NAME;
+ *flags |= XT_PKNOCK_NAME;
#if DEBUG
printf("info->rule_name: %s\n", info->rule_name);
#endif
break;
case 'a': /* --opensecret */
- if (*flags & IPT_PKNOCK_OPENSECRET)
+ if (*flags & XT_PKNOCK_OPENSECRET)
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot use --opensecret twice.\n");
xtables_check_inverse(argv[optind-1], &invert, &optind, 0);
- memset(info->open_secret, 0, IPT_PKNOCK_MAX_PASSWD_LEN + 1);
- strncpy(info->open_secret, optarg, IPT_PKNOCK_MAX_PASSWD_LEN);
+ memset(info->open_secret, 0, XT_PKNOCK_MAX_PASSWD_LEN + 1);
+ strncpy(info->open_secret, optarg, XT_PKNOCK_MAX_PASSWD_LEN);
info->open_secret_len = strlen(info->open_secret);
- info->option |= IPT_PKNOCK_OPENSECRET;
- *flags |= IPT_PKNOCK_OPENSECRET;
+ info->option |= XT_PKNOCK_OPENSECRET;
+ *flags |= XT_PKNOCK_OPENSECRET;
break;
case 'z': /* --closesecret */
- if (*flags & IPT_PKNOCK_CLOSESECRET)
+ if (*flags & XT_PKNOCK_CLOSESECRET)
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot use --closesecret twice.\n");
xtables_check_inverse(argv[optind-1], &invert, &optind, 0);
- memset(info->close_secret, 0, IPT_PKNOCK_MAX_PASSWD_LEN + 1);
- strncpy(info->close_secret, optarg, IPT_PKNOCK_MAX_PASSWD_LEN);
+ memset(info->close_secret, 0, XT_PKNOCK_MAX_PASSWD_LEN + 1);
+ strncpy(info->close_secret, optarg, XT_PKNOCK_MAX_PASSWD_LEN);
info->close_secret_len = strlen(info->close_secret);
- info->option |= IPT_PKNOCK_CLOSESECRET;
- *flags |= IPT_PKNOCK_CLOSESECRET;
+ info->option |= XT_PKNOCK_CLOSESECRET;
+ *flags |= XT_PKNOCK_CLOSESECRET;
break;
case 'c': /* --checkip */
- if (*flags & IPT_PKNOCK_CHECKIP)
+ if (*flags & XT_PKNOCK_CHECKIP)
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot use --checkip twice.\n");
xtables_check_inverse(argv[optind-1], &invert, &optind, 0);
- info->option |= IPT_PKNOCK_CHECKIP;
- *flags |= IPT_PKNOCK_CHECKIP;
+ info->option |= XT_PKNOCK_CHECKIP;
+ *flags |= XT_PKNOCK_CHECKIP;
break;
case 'x': /* --strict */
- if (*flags & IPT_PKNOCK_STRICT)
+ if (*flags & XT_PKNOCK_STRICT)
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot use --strict twice.\n");
xtables_check_inverse(argv[optind-1], &invert, &optind, 0);
- info->option |= IPT_PKNOCK_STRICT;
- *flags |= IPT_PKNOCK_STRICT;
+ info->option |= XT_PKNOCK_STRICT;
+ *flags |= XT_PKNOCK_STRICT;
break;
default:
if (!flags)
xtables_error(PARAMETER_PROBLEM, PKNOCK "expection an option.\n");
- if (!(flags & IPT_PKNOCK_NAME))
+ if (!(flags & XT_PKNOCK_NAME))
xtables_error(PARAMETER_PROBLEM, PKNOCK
"--name option is required.\n");
- if (flags & IPT_PKNOCK_KNOCKPORT) {
- if (flags & IPT_PKNOCK_CHECKIP) {
+ if (flags & XT_PKNOCK_KNOCKPORT) {
+ if (flags & XT_PKNOCK_CHECKIP) {
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot specify --knockports with --checkip.\n");
}
- if ((flags & IPT_PKNOCK_OPENSECRET)
- && !(flags & IPT_PKNOCK_CLOSESECRET))
+ if ((flags & XT_PKNOCK_OPENSECRET)
+ && !(flags & XT_PKNOCK_CLOSESECRET))
{
xtables_error(PARAMETER_PROBLEM, PKNOCK
"--opensecret must go with --closesecret.\n");
}
- if ((flags & IPT_PKNOCK_CLOSESECRET)
- && !(flags & IPT_PKNOCK_OPENSECRET))
+ if ((flags & XT_PKNOCK_CLOSESECRET)
+ && !(flags & XT_PKNOCK_OPENSECRET))
{
xtables_error(PARAMETER_PROBLEM, PKNOCK
"--closesecret must go with --opensecret.\n");
}
}
- if (flags & IPT_PKNOCK_CHECKIP) {
- if (flags & IPT_PKNOCK_KNOCKPORT) {
+ if (flags & XT_PKNOCK_CHECKIP) {
+ if (flags & XT_PKNOCK_KNOCKPORT) {
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot specify --checkip with --knockports.\n");
}
- if ((flags & IPT_PKNOCK_OPENSECRET)
- || (flags & IPT_PKNOCK_CLOSESECRET))
+ if ((flags & XT_PKNOCK_OPENSECRET)
+ || (flags & XT_PKNOCK_CLOSESECRET))
{
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot specify --opensecret and"
" --closesecret with --checkip.\n");
}
- if (flags & IPT_PKNOCK_TIME) {
+ if (flags & XT_PKNOCK_TIME) {
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot specify --time with --checkip.\n");
}
int i;
printf("pknock ");
- if (info->option & IPT_PKNOCK_KNOCKPORT) {
+ if (info->option & XT_PKNOCK_KNOCKPORT) {
printf("knockports ");
for (i=0; i<info->ports_count; i++)
printf("%s%d", i ? "," : "", info->port[i]);
printf(" ");
}
- if (info->option & IPT_PKNOCK_TIME)
+ if (info->option & XT_PKNOCK_TIME)
printf("time %ld ", (long)info->max_time);
- if (info->option & IPT_PKNOCK_NAME)
+ if (info->option & XT_PKNOCK_NAME)
printf("name %s ", info->rule_name);
- if (info->option & IPT_PKNOCK_OPENSECRET)
+ if (info->option & XT_PKNOCK_OPENSECRET)
printf("opensecret ");
- if (info->option & IPT_PKNOCK_CLOSESECRET)
+ if (info->option & XT_PKNOCK_CLOSESECRET)
printf("closesecret ");
}
int i;
const struct xt_pknock_mtinfo *info = (void *)match->data;
- if (info->option & IPT_PKNOCK_KNOCKPORT) {
+ if (info->option & XT_PKNOCK_KNOCKPORT) {
printf("--knockports ");
for (i=0; i<info->ports_count; i++)
printf("%s%d", i ? "," : "", info->port[i]);
printf(" ");
}
- if (info->option & IPT_PKNOCK_TIME)
+ if (info->option & XT_PKNOCK_TIME)
printf("--time %ld ", (long)info->max_time);
- if (info->option & IPT_PKNOCK_NAME)
+ if (info->option & XT_PKNOCK_NAME)
printf("--name %s ", info->rule_name);
- if (info->option & IPT_PKNOCK_OPENSECRET)
+ if (info->option & XT_PKNOCK_OPENSECRET)
printf("--opensecret ");
- if (info->option & IPT_PKNOCK_CLOSESECRET)
+ if (info->option & XT_PKNOCK_CLOSESECRET)
printf("--closesecret ");
- if (info->option & IPT_PKNOCK_STRICT)
+ if (info->option & XT_PKNOCK_STRICT)
printf("--strict ");
- if (info->option & IPT_PKNOCK_CHECKIP)
+ if (info->option & XT_PKNOCK_CHECKIP)
printf("--checkip ");
}
*/
struct xt_pknock_rule {
struct list_head head;
- char rule_name[IPT_PKNOCK_MAX_BUF_LEN + 1];
+ char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
int rule_name_len;
unsigned int ref_count;
struct timer_list timer;
if (rulecmp(info, rule)) {
rule->ref_count++;
- if (info->option & IPT_PKNOCK_CHECKIP) {
+ if (info->option & XT_PKNOCK_CHECKIP) {
pr_debug("add_rule() (AC)"
" rule found: %s - "
"ref_count: %d\n",
INIT_LIST_HEAD(&rule->head);
- memset(rule->rule_name, 0, IPT_PKNOCK_MAX_BUF_LEN + 1);
+ memset(rule->rule_name, 0, XT_PKNOCK_MAX_BUF_LEN + 1);
strncpy(rule->rule_name, info->rule_name, info->rule_name_len);
rule->rule_name_len = info->rule_name_len;
if (is_wrong_knock(peer, info, hdr->port)) {
pk_debug("DIDN'T MATCH", peer);
/* Peer must start the sequence from scratch. */
- if (info->option & IPT_PKNOCK_STRICT)
+ if (info->option & XT_PKNOCK_STRICT)
reset_knock_status(peer);
return false;
#ifdef PK_CRYPTO
/* If security is needed. */
- if (info->option & IPT_PKNOCK_OPENSECRET ) {
+ if (info->option & XT_PKNOCK_OPENSECRET ) {
if (hdr->proto != IPPROTO_UDP)
return false;
}
/* Controls the max matching time between ports. */
- if (info->option & IPT_PKNOCK_TIME) {
+ if (info->option & XT_PKNOCK_TIME) {
time = jiffies/HZ;
if (is_time_exceeded(peer, info->max_time)) {
/* Gives the peer matching status added to rule depending on ip src. */
peer = get_peer(rule, iph->saddr);
- if (info->option & IPT_PKNOCK_CHECKIP) {
+ if (info->option & XT_PKNOCK_CHECKIP) {
ret = is_allowed(peer);
goto out;
}
}
/* Sets, updates, removes or checks the peer matching status. */
- if (info->option & IPT_PKNOCK_KNOCKPORT) {
+ if (info->option & XT_PKNOCK_KNOCKPORT) {
if ((ret = is_allowed(peer))) {
#ifdef PK_CRYPTO
- if (info->option & IPT_PKNOCK_CLOSESECRET &&
+ if (info->option & XT_PKNOCK_CLOSESECRET &&
iph->protocol == IPPROTO_UDP)
{
if (is_close_knock(peer, info, hdr.payload, hdr.payload_len))
if (!add_rule(info))
RETURN_ERR("add_rule() error in checkentry() function.\n");
- if (!(info->option & IPT_PKNOCK_NAME))
+ if (!(info->option & XT_PKNOCK_NAME))
RETURN_ERR("You must specify --name option.\n");
#ifdef PK_CRYPTO
- if ((info->option & IPT_PKNOCK_OPENSECRET) && (info->ports_count != 1))
+ if ((info->option & XT_PKNOCK_OPENSECRET) && (info->ports_count != 1))
RETURN_ERR("--opensecret must have just one knock port\n");
#endif
- if (info->option & IPT_PKNOCK_KNOCKPORT) {
- if (info->option & IPT_PKNOCK_CHECKIP) {
+ if (info->option & XT_PKNOCK_KNOCKPORT) {
+ if (info->option & XT_PKNOCK_CHECKIP) {
RETURN_ERR("Can't specify --knockports with --checkip.\n");
}
#ifdef PK_CRYPTO
- if ((info->option & IPT_PKNOCK_OPENSECRET) &&
- !(info->option & IPT_PKNOCK_CLOSESECRET))
+ if ((info->option & XT_PKNOCK_OPENSECRET) &&
+ !(info->option & XT_PKNOCK_CLOSESECRET))
{
RETURN_ERR("--opensecret must go with --closesecret.\n");
}
- if ((info->option & IPT_PKNOCK_CLOSESECRET) &&
- !(info->option & IPT_PKNOCK_OPENSECRET))
+ if ((info->option & XT_PKNOCK_CLOSESECRET) &&
+ !(info->option & XT_PKNOCK_OPENSECRET))
{
RETURN_ERR("--closesecret must go with --opensecret.\n");
}
#endif
}
- if (info->option & IPT_PKNOCK_CHECKIP) {
- if (info->option & IPT_PKNOCK_KNOCKPORT)
+ if (info->option & XT_PKNOCK_CHECKIP) {
+ if (info->option & XT_PKNOCK_KNOCKPORT)
{
RETURN_ERR("Can't specify --checkip with --knockports.\n");
}
#ifdef PK_CRYPTO
- if ((info->option & IPT_PKNOCK_OPENSECRET) ||
- (info->option & IPT_PKNOCK_CLOSESECRET))
+ if ((info->option & XT_PKNOCK_OPENSECRET) ||
+ (info->option & XT_PKNOCK_CLOSESECRET))
{
RETURN_ERR("Can't specify --opensecret and --closesecret"
" with --checkip.\n");
}
#endif
- if (info->option & IPT_PKNOCK_TIME)
+ if (info->option & XT_PKNOCK_TIME)
RETURN_ERR("Can't specify --time with --checkip.\n");
}
#ifdef PK_CRYPTO
- if (info->option & IPT_PKNOCK_OPENSECRET) {
+ if (info->option & XT_PKNOCK_OPENSECRET) {
if (info->open_secret_len == info->close_secret_len) {
if (memcmp(info->open_secret, info->close_secret,
info->open_secret_len) == 0)
#define PKNOCK "xt_pknock: "
-#define IPT_PKNOCK_KNOCKPORT 0x01
-#define IPT_PKNOCK_TIME 0x02
-#define IPT_PKNOCK_NAME 0x04
-#define IPT_PKNOCK_STRICT 0x08
-#define IPT_PKNOCK_CHECKIP 0x10
-#define IPT_PKNOCK_OPENSECRET 0x20
-#define IPT_PKNOCK_CLOSESECRET 0x40
+enum {
+ XT_PKNOCK_KNOCKPORT = 1 << 0,
+ XT_PKNOCK_TIME = 1 << 1,
+ XT_PKNOCK_NAME = 1 << 2,
+ XT_PKNOCK_STRICT = 1 << 3,
+ XT_PKNOCK_CHECKIP = 1 << 4,
+ XT_PKNOCK_OPENSECRET = 1 << 5,
+ XT_PKNOCK_CLOSESECRET = 1 << 6,
-#define IPT_PKNOCK_MAX_PORTS 15
-#define IPT_PKNOCK_MAX_BUF_LEN 31
-#define IPT_PKNOCK_MAX_PASSWD_LEN 31
+ /* Can never change these, as they are make up the user protocol. */
+ XT_PKNOCK_MAX_PORTS = 15,
+ XT_PKNOCK_MAX_BUF_LEN = 31,
+ XT_PKNOCK_MAX_PASSWD_LEN = 31,
+};
#define DEBUG 1
struct xt_pknock_mtinfo {
- char rule_name[IPT_PKNOCK_MAX_BUF_LEN + 1];
+ char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
uint32_t rule_name_len;
- char open_secret[IPT_PKNOCK_MAX_PASSWD_LEN + 1];
+ char open_secret[XT_PKNOCK_MAX_PASSWD_LEN+1];
uint32_t open_secret_len;
- char close_secret[IPT_PKNOCK_MAX_PASSWD_LEN + 1];
+ char close_secret[XT_PKNOCK_MAX_PASSWD_LEN+1];
uint32_t close_secret_len;
uint8_t option; /* --time, --knock-port, ... */
uint8_t ports_count; /* number of ports */
- uint16_t port[IPT_PKNOCK_MAX_PORTS]; /* port[,port,port,...] */
+ uint16_t port[XT_PKNOCK_MAX_PORTS]; /* port[,port,port,...] */
uint32_t max_time; /* max matching time between ports */
};
struct xt_pknock_nl_msg {
- char rule_name[IPT_PKNOCK_MAX_BUF_LEN + 1];
+ char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
uint32_t peer_ip;
};
projects / thirdparty / xtables-addons.git / commitdiff
