xref: /freebsd/usr.sbin/ppp/filter.c (revision b740c88bfb6453416926271c089262e7164dace3)
1 /*-
2  * Copyright (c) 1996 - 2001 Brian Somers <brian@Awfulhak.org>
3  *          based on work by Toshiharu OHNO <tony-o@iij.ad.jp>
4  *                           Internet Initiative Japan, Inc (IIJ)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  *
28  * $FreeBSD$
29  */
30 
31 #include <sys/param.h>
32 #include <netinet/in.h>
33 #include <netdb.h>
34 #include <netinet/in_systm.h>
35 #include <netinet/ip.h>
36 #include <sys/socket.h>
37 #include <sys/un.h>
38 
39 #include <stdarg.h>
40 #include <stdio.h>
41 #include <stdlib.h>
42 #include <string.h>
43 #include <termios.h>
44 
45 #include "layer.h"
46 #include "defs.h"
47 #include "command.h"
48 #include "mbuf.h"
49 #include "log.h"
50 #include "iplist.h"
51 #include "timer.h"
52 #include "throughput.h"
53 #include "lqr.h"
54 #include "hdlc.h"
55 #include "fsm.h"
56 #include "lcp.h"
57 #include "ccp.h"
58 #include "link.h"
59 #include "slcompress.h"
60 #include "ncpaddr.h"
61 #include "ipcp.h"
62 #include "filter.h"
63 #include "descriptor.h"
64 #include "prompt.h"
65 #include "mp.h"
66 #ifndef NORADIUS
67 #include "radius.h"
68 #endif
69 #include "ipv6cp.h"
70 #include "ncp.h"
71 #include "bundle.h"
72 
73 static unsigned filter_Nam2Op(const char *);
74 
75 static int
76 ParsePort(const char *service, const char *proto)
77 {
78   struct servent *servent;
79   char *cp;
80   int port;
81 
82   servent = getservbyname(service, proto);
83   if (servent != 0)
84     return ntohs(servent->s_port);
85 
86   port = strtol(service, &cp, 0);
87   if (cp == service) {
88     log_Printf(LogWARN, "ParsePort: %s is not a port name or number.\n",
89 	      service);
90     return 0;
91   }
92   return port;
93 }
94 
95 /*
96  *	ICMP Syntax:	src eq icmp_message_type
97  */
98 static int
99 ParseIcmp(int argc, char const *const *argv, struct filterent *tgt)
100 {
101   int type;
102   char *cp;
103 
104   switch (argc) {
105   case 0:
106     /* permit/deny all ICMP types */
107     tgt->f_srcop = tgt->f_dstop = OP_NONE;
108     break;
109 
110   case 3:
111     if (!strcmp(*argv, "src") && !strcmp(argv[1], "eq")) {
112       type = strtol(argv[2], &cp, 0);
113       if (cp == argv[2]) {
114 	log_Printf(LogWARN, "ParseIcmp: type is expected.\n");
115 	return 0;
116       }
117       tgt->f_srcop = OP_EQ;
118       tgt->f_srcport = type;
119       tgt->f_dstop = OP_NONE;
120     }
121     break;
122 
123   default:
124     log_Printf(LogWARN, "ParseIcmp: bad icmp syntax.\n");
125     return 0;
126   }
127   return 1;
128 }
129 
130 /*
131  *	UDP Syntax: [src op port] [dst op port]
132  */
133 static int
134 ParseUdpOrTcp(int argc, char const *const *argv, const struct protoent *pe,
135               struct filterent *tgt)
136 {
137   tgt->f_srcop = tgt->f_dstop = OP_NONE;
138   tgt->f_estab = tgt->f_syn = tgt->f_finrst = 0;
139 
140   if (argc >= 3 && !strcmp(*argv, "src")) {
141     tgt->f_srcop = filter_Nam2Op(argv[1]);
142     if (tgt->f_srcop == OP_NONE) {
143       log_Printf(LogWARN, "ParseUdpOrTcp: bad operator\n");
144       return 0;
145     }
146     if (pe == NULL)
147       return 0;
148     tgt->f_srcport = ParsePort(argv[2], pe->p_name);
149     if (tgt->f_srcport == 0)
150       return 0;
151     argc -= 3;
152     argv += 3;
153   }
154 
155   if (argc >= 3 && !strcmp(argv[0], "dst")) {
156     tgt->f_dstop = filter_Nam2Op(argv[1]);
157     if (tgt->f_dstop == OP_NONE) {
158       log_Printf(LogWARN, "ParseUdpOrTcp: bad operator\n");
159       return 0;
160     }
161     if (pe == NULL)
162       return 0;
163     tgt->f_dstport = ParsePort(argv[2], pe->p_name);
164     if (tgt->f_dstport == 0)
165       return 0;
166     argc -= 3;
167     argv += 3;
168   }
169 
170   if (pe && pe->p_proto == IPPROTO_TCP) {
171     for (; argc > 0; argc--, argv++)
172       if (!strcmp(*argv, "estab"))
173         tgt->f_estab = 1;
174       else if (!strcmp(*argv, "syn"))
175         tgt->f_syn = 1;
176       else if (!strcmp(*argv, "finrst"))
177         tgt->f_finrst = 1;
178       else
179         break;
180   }
181 
182   if (argc > 0) {
183     log_Printf(LogWARN, "ParseUdpOrTcp: bad src/dst port syntax: %s\n", *argv);
184     return 0;
185   }
186 
187   return 1;
188 }
189 
190 static int
191 ParseGeneric(int argc, struct filterent *tgt)
192 {
193   /*
194    * Filter currently is a catch-all. Requests are either permitted or
195    * dropped.
196    */
197   if (argc != 0) {
198     log_Printf(LogWARN, "ParseGeneric: Too many parameters\n");
199     return 0;
200   } else
201     tgt->f_srcop = tgt->f_dstop = OP_NONE;
202 
203   return 1;
204 }
205 
206 static unsigned
207 addrtype(const char *addr)
208 {
209   if (!strncasecmp(addr, "MYADDR", 6) && (addr[6] == '\0' || addr[6] == '/'))
210     return T_MYADDR;
211   if (!strncasecmp(addr, "MYADDR6", 7) && (addr[7] == '\0' || addr[7] == '/'))
212     return T_MYADDR6;
213   if (!strncasecmp(addr, "HISADDR", 7) && (addr[7] == '\0' || addr[7] == '/'))
214     return T_HISADDR;
215   if (!strncasecmp(addr, "HISADDR6", 8) && (addr[8] == '\0' || addr[8] == '/'))
216     return T_HISADDR6;
217   if (!strncasecmp(addr, "DNS0", 4) && (addr[4] == '\0' || addr[4] == '/'))
218     return T_DNS0;
219   if (!strncasecmp(addr, "DNS1", 4) && (addr[4] == '\0' || addr[4] == '/'))
220     return T_DNS1;
221 
222   return T_ADDR;
223 }
224 
225 static const char *
226 addrstr(struct ncprange *addr, unsigned type)
227 {
228   switch (type) {
229     case T_MYADDR:
230       return "MYADDR";
231     case T_HISADDR:
232       return "HISADDR";
233     case T_DNS0:
234       return "DNS0";
235     case T_DNS1:
236       return "DNS1";
237   }
238   return ncprange_ntoa(addr);
239 }
240 
241 static int
242 filter_Parse(struct ncp *ncp, int argc, char const *const *argv,
243              struct filterent *ofp)
244 {
245   struct filterent fe;
246   struct protoent *pe;
247   char *wp;
248   int action, family, ruleno, val, width;
249 
250   ruleno = strtol(*argv, &wp, 0);
251   if (*argv == wp || ruleno >= MAXFILTERS) {
252     log_Printf(LogWARN, "Parse: invalid filter number.\n");
253     return 0;
254   }
255   if (ruleno < 0) {
256     for (ruleno = 0; ruleno < MAXFILTERS; ruleno++) {
257       ofp->f_action = A_NONE;
258       ofp++;
259     }
260     log_Printf(LogWARN, "Parse: filter cleared.\n");
261     return 1;
262   }
263   ofp += ruleno;
264 
265   if (--argc == 0) {
266     log_Printf(LogWARN, "Parse: missing action.\n");
267     return 0;
268   }
269   argv++;
270 
271   memset(&fe, '\0', sizeof fe);
272 
273   val = strtol(*argv, &wp, 0);
274   if (!*wp && val >= 0 && val < MAXFILTERS) {
275     if (val <= ruleno) {
276       log_Printf(LogWARN, "Parse: Can only jump forward from rule %d\n",
277                  ruleno);
278       return 0;
279     }
280     action = val;
281   } else if (!strcmp(*argv, "permit")) {
282     action = A_PERMIT;
283   } else if (!strcmp(*argv, "deny")) {
284     action = A_DENY;
285   } else if (!strcmp(*argv, "clear")) {
286     ofp->f_action = A_NONE;
287     return 1;
288   } else {
289     log_Printf(LogWARN, "Parse: %s: bad action\n", *argv);
290     return 0;
291   }
292   fe.f_action = action;
293 
294   argc--;
295   argv++;
296 
297   if (argc && argv[0][0] == '!' && !argv[0][1]) {
298     fe.f_invert = 1;
299     argc--;
300     argv++;
301   }
302 
303   ncprange_init(&fe.f_src);
304   ncprange_init(&fe.f_dst);
305 
306   if (argc == 0)
307     pe = NULL;
308   else if ((pe = getprotobyname(*argv)) == NULL && strcmp(*argv, "all") != 0) {
309     if (argc < 2) {
310       log_Printf(LogWARN, "Parse: Protocol or address pair expected\n");
311       return 0;
312     } else if (strcasecmp(*argv, "any") == 0 ||
313                ncprange_aton(&fe.f_src, ncp, *argv)) {
314       family = ncprange_family(&fe.f_src);
315       if (!ncprange_getwidth(&fe.f_src, &width))
316         width = 0;
317       if (width == 0)
318         ncprange_init(&fe.f_src);
319       fe.f_srctype = addrtype(*argv);
320       argc--;
321       argv++;
322 
323       if (strcasecmp(*argv, "any") == 0 ||
324           ncprange_aton(&fe.f_dst, ncp, *argv)) {
325         if (ncprange_family(&fe.f_dst) != AF_UNSPEC &&
326             ncprange_family(&fe.f_src) != AF_UNSPEC &&
327             family != ncprange_family(&fe.f_dst)) {
328           log_Printf(LogWARN, "Parse: src and dst address families differ\n");
329           return 0;
330         }
331         if (!ncprange_getwidth(&fe.f_dst, &width))
332           width = 0;
333         if (width == 0)
334           ncprange_init(&fe.f_dst);
335         fe.f_dsttype = addrtype(*argv);
336         argc--;
337         argv++;
338       } else {
339         log_Printf(LogWARN, "Parse: Protocol or address pair expected\n");
340         return 0;
341       }
342 
343       if (argc) {
344         if ((pe = getprotobyname(*argv)) == NULL && strcmp(*argv, "all") != 0) {
345           log_Printf(LogWARN, "Parse: %s: Protocol expected\n", *argv);
346           return 0;
347         } else {
348           argc--;
349           argv++;
350         }
351       }
352     } else {
353       log_Printf(LogWARN, "Parse: Protocol or address pair expected\n");
354       return 0;
355     }
356   } else {
357     argc--;
358     argv++;
359   }
360 
361   if (argc >= 2 && strcmp(*argv, "timeout") == 0) {
362     fe.timeout = strtoul(argv[1], NULL, 10);
363     argc -= 2;
364     argv += 2;
365   }
366 
367   val = 1;
368   fe.f_proto = (pe == NULL) ? 0 : pe->p_proto;
369 
370   switch (fe.f_proto) {
371   case IPPROTO_TCP:
372   case IPPROTO_UDP:
373   case IPPROTO_IPIP:
374 #ifndef NOINET6
375   case IPPROTO_IPV6:
376 #endif
377     val = ParseUdpOrTcp(argc, argv, pe, &fe);
378     break;
379   case IPPROTO_ICMP:
380 #ifndef NOINET6
381   case IPPROTO_ICMPV6:
382 #endif
383     val = ParseIcmp(argc, argv, &fe);
384     break;
385   default:
386     val = ParseGeneric(argc, &fe);
387     break;
388   }
389 
390   log_Printf(LogDEBUG, "Parse: Src: %s\n", ncprange_ntoa(&fe.f_src));
391   log_Printf(LogDEBUG, "Parse: Dst: %s\n", ncprange_ntoa(&fe.f_dst));
392   log_Printf(LogDEBUG, "Parse: Proto: %d\n", fe.f_proto);
393 
394   log_Printf(LogDEBUG, "Parse: src:  %s (%d)\n",
395             filter_Op2Nam(fe.f_srcop), fe.f_srcport);
396   log_Printf(LogDEBUG, "Parse: dst:  %s (%d)\n",
397             filter_Op2Nam(fe.f_dstop), fe.f_dstport);
398   log_Printf(LogDEBUG, "Parse: estab: %u\n", fe.f_estab);
399   log_Printf(LogDEBUG, "Parse: syn: %u\n", fe.f_syn);
400   log_Printf(LogDEBUG, "Parse: finrst: %u\n", fe.f_finrst);
401 
402   if (val)
403     *ofp = fe;
404 
405   return val;
406 }
407 
408 int
409 filter_Set(struct cmdargs const *arg)
410 {
411   struct filter *filter;
412 
413   if (arg->argc < arg->argn+2)
414     return -1;
415 
416   if (!strcmp(arg->argv[arg->argn], "in"))
417     filter = &arg->bundle->filter.in;
418   else if (!strcmp(arg->argv[arg->argn], "out"))
419     filter = &arg->bundle->filter.out;
420   else if (!strcmp(arg->argv[arg->argn], "dial"))
421     filter = &arg->bundle->filter.dial;
422   else if (!strcmp(arg->argv[arg->argn], "alive"))
423     filter = &arg->bundle->filter.alive;
424   else {
425     log_Printf(LogWARN, "filter_Set: %s: Invalid filter name.\n",
426               arg->argv[arg->argn]);
427     return -1;
428   }
429 
430   filter_Parse(&arg->bundle->ncp, arg->argc - arg->argn - 1,
431         arg->argv + arg->argn + 1, filter->rule);
432   return 0;
433 }
434 
435 const char *
436 filter_Action2Nam(unsigned act)
437 {
438   static const char * const actname[] = { "  none ", "permit ", "  deny " };
439   static char buf[8];
440 
441   if (act < MAXFILTERS) {
442     snprintf(buf, sizeof buf, "%6d ", act);
443     return buf;
444   } else if (act >= A_NONE && act < A_NONE + sizeof(actname)/sizeof(char *))
445     return actname[act - A_NONE];
446   else
447     return "?????? ";
448 }
449 
450 static void
451 doShowFilter(struct filterent *fp, struct prompt *prompt)
452 {
453   struct protoent *pe;
454   int n;
455 
456   for (n = 0; n < MAXFILTERS; n++, fp++) {
457     if (fp->f_action != A_NONE) {
458       prompt_Printf(prompt, "  %2d %s", n, filter_Action2Nam(fp->f_action));
459       prompt_Printf(prompt, "%c ", fp->f_invert ? '!' : ' ');
460 
461       if (ncprange_isset(&fp->f_src))
462         prompt_Printf(prompt, "%s ", addrstr(&fp->f_src, fp->f_srctype));
463       else
464         prompt_Printf(prompt, "any ");
465 
466       if (ncprange_isset(&fp->f_dst))
467         prompt_Printf(prompt, "%s ", addrstr(&fp->f_dst, fp->f_dsttype));
468       else
469         prompt_Printf(prompt, "any ");
470 
471       if (fp->f_proto) {
472         if ((pe = getprotobynumber(fp->f_proto)) == NULL)
473 	  prompt_Printf(prompt, "P:%d", fp->f_proto);
474         else
475 	  prompt_Printf(prompt, "%s", pe->p_name);
476 
477 	if (fp->f_srcop)
478 	  prompt_Printf(prompt, " src %s %d", filter_Op2Nam(fp->f_srcop),
479 		  fp->f_srcport);
480 	if (fp->f_dstop)
481 	  prompt_Printf(prompt, " dst %s %d", filter_Op2Nam(fp->f_dstop),
482 		  fp->f_dstport);
483 	if (fp->f_estab)
484 	  prompt_Printf(prompt, " estab");
485 	if (fp->f_syn)
486 	  prompt_Printf(prompt, " syn");
487 	if (fp->f_finrst)
488 	  prompt_Printf(prompt, " finrst");
489       } else
490 	prompt_Printf(prompt, "all");
491       if (fp->timeout != 0)
492 	  prompt_Printf(prompt, " timeout %u", fp->timeout);
493       prompt_Printf(prompt, "\n");
494     }
495   }
496 }
497 
498 int
499 filter_Show(struct cmdargs const *arg)
500 {
501   if (arg->argc > arg->argn+1)
502     return -1;
503 
504   if (arg->argc == arg->argn+1) {
505     struct filter *filter;
506 
507     if (!strcmp(arg->argv[arg->argn], "in"))
508       filter = &arg->bundle->filter.in;
509     else if (!strcmp(arg->argv[arg->argn], "out"))
510       filter = &arg->bundle->filter.out;
511     else if (!strcmp(arg->argv[arg->argn], "dial"))
512       filter = &arg->bundle->filter.dial;
513     else if (!strcmp(arg->argv[arg->argn], "alive"))
514       filter = &arg->bundle->filter.alive;
515     else
516       return -1;
517     doShowFilter(filter->rule, arg->prompt);
518   } else {
519     struct filter *filter[4];
520     int f;
521 
522     filter[0] = &arg->bundle->filter.in;
523     filter[1] = &arg->bundle->filter.out;
524     filter[2] = &arg->bundle->filter.dial;
525     filter[3] = &arg->bundle->filter.alive;
526     for (f = 0; f < 4; f++) {
527       if (f)
528         prompt_Printf(arg->prompt, "\n");
529       prompt_Printf(arg->prompt, "%s:\n", filter[f]->name);
530       doShowFilter(filter[f]->rule, arg->prompt);
531     }
532   }
533 
534   return 0;
535 }
536 
537 static const char * const opname[] = {"none", "eq", "gt", "lt"};
538 
539 const char *
540 filter_Op2Nam(unsigned op)
541 {
542   if (op >= sizeof opname / sizeof opname[0])
543     return "unknown";
544   return opname[op];
545 
546 }
547 
548 static unsigned
549 filter_Nam2Op(const char *cp)
550 {
551   unsigned op;
552 
553   for (op = sizeof opname / sizeof opname[0] - 1; op; op--)
554     if (!strcasecmp(cp, opname[op]))
555       break;
556 
557   return op;
558 }
559 
560 void
561 filter_AdjustAddr(struct filter *filter, struct ncpaddr *local,
562                   struct ncpaddr *remote, struct in_addr *dns)
563 {
564   struct filterent *fp;
565   int n;
566 
567   for (fp = filter->rule, n = 0; n < MAXFILTERS; fp++, n++)
568     if (fp->f_action != A_NONE) {
569       if (local) {
570         if (fp->f_srctype == T_MYADDR && ncpaddr_family(local) == AF_INET)
571           ncprange_sethost(&fp->f_src, local);
572         if (fp->f_dsttype == T_MYADDR && ncpaddr_family(local) == AF_INET)
573           ncprange_sethost(&fp->f_dst, local);
574 #ifndef NOINET6
575         if (fp->f_srctype == T_MYADDR6 && ncpaddr_family(local) == AF_INET6)
576           ncprange_sethost(&fp->f_src, local);
577         if (fp->f_dsttype == T_MYADDR6 && ncpaddr_family(local) == AF_INET6)
578           ncprange_sethost(&fp->f_dst, local);
579 #endif
580       }
581       if (remote) {
582         if (fp->f_srctype == T_HISADDR && ncpaddr_family(remote) == AF_INET)
583           ncprange_sethost(&fp->f_src, remote);
584         if (fp->f_dsttype == T_HISADDR && ncpaddr_family(remote) == AF_INET)
585           ncprange_sethost(&fp->f_dst, remote);
586 #ifndef NOINET6
587         if (fp->f_srctype == T_HISADDR6 && ncpaddr_family(remote) == AF_INET6)
588           ncprange_sethost(&fp->f_src, remote);
589         if (fp->f_dsttype == T_HISADDR6 && ncpaddr_family(remote) == AF_INET6)
590           ncprange_sethost(&fp->f_dst, remote);
591 #endif
592       }
593       if (dns) {
594         if (fp->f_srctype == T_DNS0)
595           ncprange_setip4host(&fp->f_src, dns[0]);
596         if (fp->f_dsttype == T_DNS0)
597           ncprange_setip4host(&fp->f_dst, dns[0]);
598         if (fp->f_srctype == T_DNS1)
599           ncprange_setip4host(&fp->f_src, dns[1]);
600         if (fp->f_dsttype == T_DNS1)
601           ncprange_setip4host(&fp->f_dst, dns[1]);
602       }
603     }
604 }
605