![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to pfpinhole.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / miniupnpd / pf|
Return to pfpinhole.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / miniupnpd / pf |
1.1 misho 1: /* $Id: pfpinhole.c,v 1.19 2012/05/21 15:47:57 nanard Exp $ */
2: /* MiniUPnP project
3: * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
4: * (c) 2012 Thomas Bernard
5: * This software is subject to the conditions detailed
6: * in the LICENCE file provided within the distribution */
7:
8: #include <sys/types.h>
9: #include <sys/socket.h>
10: #include <sys/param.h>
11: #include <net/if.h>
12: #include <netinet/in.h>
13: #include <netinet/tcp.h>
14: #include <arpa/inet.h>
15: #ifdef __DragonFly__
16: #include <net/pf/pfvar.h>
17: #else
18: #include <net/pfvar.h>
19: #endif
20: #include <fcntl.h>
21: #include <sys/ioctl.h>
22: #include <unistd.h>
23: #include <string.h>
24: #include <syslog.h>
25: #include <stdio.h>
26: #include <stdlib.h>
27:
28: #include "../config.h"
29: #include "pfpinhole.h"
30: #include "../upnpglobalvars.h"
31:
32: /* the pass rules created by add_pinhole() are as follow :
33: *
34: * pass in quick on ep0 inet6 proto udp
35: * from any to dead:beef::42:42 port = 8080
36: * flags S/SA keep state
37: * label "pinhole-2 ts-4321000"
38: *
39: * with the label "pinhole-$uid ts-$timestamp"
40: */
41:
42: #ifdef ENABLE_6FC_SERVICE
43: /* /dev/pf when opened */
44: extern int dev;
45:
46: static int next_uid = 1;
47:
48: #define PINEHOLE_LABEL_FORMAT "pinhole-%d ts-%u"
49:
50: int add_pinhole(const char * ifname,
51: const char * rem_host, unsigned short rem_port,
52: const char * int_client, unsigned short int_port,
53: int proto, unsigned int timestamp)
54: {
55: int uid;
56: struct pfioc_rule pcr;
57: #ifndef PF_NEWSTYLE
58: struct pfioc_pooladdr pp;
59: #endif
60:
61: if(dev<0) {
62: syslog(LOG_ERR, "pf device is not open");
63: return -1;
64: }
65: memset(&pcr, 0, sizeof(pcr));
66: strlcpy(pcr.anchor, anchor_name, MAXPATHLEN);
67:
68: #ifndef PF_NEWSTYLE
69: memset(&pp, 0, sizeof(pp));
70: strlcpy(pp.anchor, anchor_name, MAXPATHLEN);
71: if(ioctl(dev, DIOCBEGINADDRS, &pp) < 0) {
72: syslog(LOG_ERR, "ioctl(dev, DIOCBEGINADDRS, ...): %m");
73: return -1;
74: } else {
75: pcr.pool_ticket = pp.ticket;
76: #else
77: {
78: #endif
79: pcr.rule.direction = PF_IN;
80: pcr.rule.action = PF_PASS;
81: pcr.rule.af = AF_INET6;
82: #ifdef PF_NEWSTYLE
83: pcr.rule.nat.addr.type = PF_ADDR_NONE;
84: pcr.rule.rdr.addr.type = PF_ADDR_NONE;
85: #endif
86: #ifdef USE_IFNAME_IN_RULES
87: if(ifname)
88: strlcpy(pcr.rule.ifname, ifname, IFNAMSIZ);
89: #endif
90: pcr.rule.proto = proto;
91:
92: pcr.rule.quick = 1;/*(GETFLAG(PFNOQUICKRULESMASK))?0:1;*/
93: pcr.rule.log = (GETFLAG(LOGPACKETSMASK))?1:0; /*logpackets;*/
94: /* see the discussion on the forum :
95: * http://miniupnp.tuxfamily.org/forum/viewtopic.php?p=638 */
96: pcr.rule.flags = TH_SYN;
97: pcr.rule.flagset = (TH_SYN|TH_ACK);
98: #ifdef PFRULE_HAS_RTABLEID
99: pcr.rule.rtableid = -1; /* first appeared in OpenBSD 4.0 */
100: #endif
101: #ifdef PFRULE_HAS_ONRDOMAIN
102: pcr.rule.onrdomain = -1; /* first appeared in OpenBSD 5.0 */
103: #endif
104: pcr.rule.keep_state = 1;
105: uid = next_uid;
106: snprintf(pcr.rule.label, PF_RULE_LABEL_SIZE,
107: PINEHOLE_LABEL_FORMAT, uid, timestamp);
108: if(queue)
109: strlcpy(pcr.rule.qname, queue, PF_QNAME_SIZE);
110: if(tag)
111: strlcpy(pcr.rule.tagname, tag, PF_TAG_NAME_SIZE);
112:
113: if(rem_port) {
114: pcr.rule.src.port_op = PF_OP_EQ;
115: pcr.rule.src.port[0] = htons(rem_port);
116: }
117: if(rem_host && rem_host[0] != '\0' && rem_host[0] != '*') {
118: pcr.rule.src.addr.type = PF_ADDR_ADDRMASK;
119: if(inet_pton(AF_INET6, rem_host, &pcr.rule.src.addr.v.a.addr.v6) != 1) {
120: syslog(LOG_ERR, "inet_pton(%s) failed", rem_host);
121: }
122: memset(&pcr.rule.src.addr.v.a.mask.addr8, 255, 16);
123: }
124:
125: pcr.rule.dst.port_op = PF_OP_EQ;
126: pcr.rule.dst.port[0] = htons(int_port);
127: pcr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
128: if(inet_pton(AF_INET6, int_client, &pcr.rule.dst.addr.v.a.addr.v6) != 1) {
129: syslog(LOG_ERR, "inet_pton(%s) failed", int_client);
130: }
131: memset(&pcr.rule.dst.addr.v.a.mask.addr8, 255, 16);
132:
133: if(ifname)
134: strlcpy(pcr.rule.ifname, ifname, IFNAMSIZ);
135:
136: pcr.action = PF_CHANGE_GET_TICKET;
137: if(ioctl(dev, DIOCCHANGERULE, &pcr) < 0) {
138: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: %m");
139: return -1;
140: } else {
141: pcr.action = PF_CHANGE_ADD_TAIL;
142: if(ioctl(dev, DIOCCHANGERULE, &pcr) < 0) {
143: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: %m");
144: return -1;
145: }
146: }
147: }
148:
149: if(++next_uid >= 65535) {
150: next_uid = 1;
151: }
152: return uid;
153: }
154:
155: int delete_pinhole(unsigned short uid)
156: {
157: int i, n;
158: struct pfioc_rule pr;
159: char label_start[PF_RULE_LABEL_SIZE];
160: char tmp_label[PF_RULE_LABEL_SIZE];
161:
162: if(dev<0) {
163: syslog(LOG_ERR, "pf device is not open");
164: return -1;
165: }
166: snprintf(label_start, sizeof(label_start),
167: "pinhole-%hu", uid);
168: memset(&pr, 0, sizeof(pr));
169: strlcpy(pr.anchor, anchor_name, MAXPATHLEN);
170: #ifndef PF_NEWSTYLE
171: pr.rule.action = PF_PASS;
172: #endif
173: if(ioctl(dev, DIOCGETRULES, &pr) < 0) {
174: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
175: return -1;
176: }
177: n = pr.nr;
178: for(i=0; i<n; i++) {
179: pr.nr = i;
180: if(ioctl(dev, DIOCGETRULE, &pr) < 0) {
181: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
182: return -1;
183: }
184: strlcpy(tmp_label, pr.rule.label, sizeof(tmp_label));
185: strtok(tmp_label, " ");
186: if(0 == strcmp(tmp_label, label_start)) {
187: pr.action = PF_CHANGE_GET_TICKET;
188: if(ioctl(dev, DIOCCHANGERULE, &pr) < 0) {
189: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: %m");
190: return -1;
191: }
192: pr.action = PF_CHANGE_REMOVE;
193: pr.nr = i;
194: if(ioctl(dev, DIOCCHANGERULE, &pr) < 0) {
195: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_REMOVE: %m");
196: return -1;
197: }
198: return 0;
199: }
200: }
201: /* not found */
202: return -2;
203: }
204:
205: int
206: get_pinhole_info(unsigned short uid,
207: char * rem_host, int rem_hostlen, unsigned short * rem_port,
208: char * int_client, int int_clientlen, unsigned short * int_port,
209: int * proto, unsigned int * timestamp,
210: u_int64_t * packets, u_int64_t * bytes)
211: {
212: int i, n;
213: struct pfioc_rule pr;
214: char label_start[PF_RULE_LABEL_SIZE];
215: char tmp_label[PF_RULE_LABEL_SIZE];
216: char * p;
217:
218: if(dev<0) {
219: syslog(LOG_ERR, "pf device is not open");
220: return -1;
221: }
222: snprintf(label_start, sizeof(label_start),
223: "pinhole-%hu", uid);
224: memset(&pr, 0, sizeof(pr));
225: strlcpy(pr.anchor, anchor_name, MAXPATHLEN);
226: #ifndef PF_NEWSTYLE
227: pr.rule.action = PF_PASS;
228: #endif
229: if(ioctl(dev, DIOCGETRULES, &pr) < 0) {
230: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
231: return -1;
232: }
233: n = pr.nr;
234: for(i=0; i<n; i++) {
235: pr.nr = i;
236: if(ioctl(dev, DIOCGETRULE, &pr) < 0) {
237: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
238: return -1;
239: }
240: strlcpy(tmp_label, pr.rule.label, sizeof(tmp_label));
241: p = tmp_label;
242: strsep(&p, " ");
243: if(0 == strcmp(tmp_label, label_start)) {
244: if(rem_host && (inet_ntop(AF_INET6, &pr.rule.src.addr.v.a.addr.v6, rem_host, rem_hostlen) == NULL)) {
245: return -1;
246: }
247: if(rem_port)
248: *rem_port = ntohs(pr.rule.src.port[0]);
249: if(int_client && (inet_ntop(AF_INET6, &pr.rule.dst.addr.v.a.addr.v6, int_client, int_clientlen) == NULL)) {
250: return -1;
251: }
252: if(int_port)
253: *int_port = ntohs(pr.rule.dst.port[0]);
254: if(proto)
255: *proto = pr.rule.proto;
256: if(timestamp)
257: sscanf(p, "ts-%u", timestamp);
258: #ifdef PFRULE_INOUT_COUNTS
259: if(packets)
260: *packets = pr.rule.packets[0] + pr.rule.packets[1];
261: if(bytes)
262: *bytes = pr.rule.bytes[0] + pr.rule.bytes[1];
263: #else
264: if(packets)
265: *packets = pr.rule.packets;
266: if(bytes)
267: *bytes = pr.rule.bytes;
268: #endif
269: return 0;
270: }
271: }
272: /* not found */
273: return -2;
274: }
275:
276: int update_pinhole(unsigned short uid, unsigned int timestamp)
277: {
278: /* TODO :
279: * As it is not possible to change rule label, we should :
280: * 1 - delete
281: * 2 - Add new
282: * the stats of the rule will then be reset :( */
283: return -42; /* not implemented */
284: }
285:
286: /* return the number of rules removed
287: * or a negative integer in case of error */
288: int clean_pinhole_list(unsigned int * next_timestamp)
289: {
290: int i;
291: struct pfioc_rule pr;
292: time_t current_time;
293: unsigned int ts;
294: int uid;
295: unsigned int min_ts = UINT_MAX;
296: int min_uid = INT_MAX, max_uid = -1;
297: int n = 0;
298:
299: if(dev<0) {
300: syslog(LOG_ERR, "pf device is not open");
301: return -1;
302: }
303: current_time = time(NULL);
304: memset(&pr, 0, sizeof(pr));
305: strlcpy(pr.anchor, anchor_name, MAXPATHLEN);
306: #ifndef PF_NEWSTYLE
307: pr.rule.action = PF_PASS;
308: #endif
309: if(ioctl(dev, DIOCGETRULES, &pr) < 0) {
310: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
311: return -1;
312: }
313: for(i = pr.nr - 1; i >= 0; i--) {
314: pr.nr = i;
315: if(ioctl(dev, DIOCGETRULE, &pr) < 0) {
316: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
317: return -1;
318: }
319: if(sscanf(pr.rule.label, PINEHOLE_LABEL_FORMAT, &uid, &ts) != 2) {
320: syslog(LOG_INFO, "rule with label '%s' is not a IGD pinhole", pr.rule.label);
321: continue;
322: }
323: if(ts <= (unsigned int)current_time) {
324: syslog(LOG_INFO, "removing expired pinhole '%s'", pr.rule.label);
325: pr.action = PF_CHANGE_GET_TICKET;
326: if(ioctl(dev, DIOCCHANGERULE, &pr) < 0) {
327: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: %m");
328: return -1;
329: }
330: pr.action = PF_CHANGE_REMOVE;
331: pr.nr = i;
332: if(ioctl(dev, DIOCCHANGERULE, &pr) < 0) {
333: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_REMOVE: %m");
334: return -1;
335: }
336: n++;
337: #ifndef PF_NEWSTYLE
338: pr.rule.action = PF_PASS;
339: #endif
340: if(ioctl(dev, DIOCGETRULES, &pr) < 0) {
341: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
342: return -1;
343: }
344: } else {
345: if(uid > max_uid)
346: max_uid = uid;
347: else if(uid < min_uid)
348: min_uid = uid;
349: if(ts < min_ts)
350: min_ts = ts;
351: }
352: }
353: if(next_timestamp && (min_ts != UINT_MAX))
354: *next_timestamp = min_ts;
355: if(max_uid > 0) {
356: if(((min_uid - 32000) <= next_uid) && (next_uid <= max_uid)) {
357: next_uid = max_uid + 1;
358: }
359: if(next_uid >= 65535) {
360: next_uid = 1;
361: }
362: }
363: return n; /* number of rules removed */
364: }
365:
366: #endif /* ENABLE_IPV6 */
367: