From f474c7d4d4538ee3605d8d726a172f155ad5e4ee Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 3 Oct 2009 00:23:42 +0200 Subject: [PATCH] pknock: rename IPT_PKNOCK_* -> XT_PKNOCK_* --- extensions/libxt_pknock.c | 104 +++++++++++++++++++------------------- extensions/xt_pknock.c | 46 ++++++++--------- extensions/xt_pknock.h | 33 ++++++------ 3 files changed, 93 insertions(+), 90 deletions(-) diff --git a/extensions/libxt_pknock.c b/extensions/libxt_pknock.c index 8163f10..d750944 100644 --- a/extensions/libxt_pknock.c +++ b/extensions/libxt_pknock.c @@ -64,7 +64,7 @@ parse_ports(const char *portstring, uint16_t *ports, const char *proto) if (buffer == NULL) xtables_error(OTHER_PROBLEM, "strdup failed"); - for (cp=buffer, i=0; cp != NULL && iports_count = parse_ports(optarg, info->port, proto); - info->option |= IPT_PKNOCK_KNOCKPORT; - *flags |= IPT_PKNOCK_KNOCKPORT; + info->option |= XT_PKNOCK_KNOCKPORT; + *flags |= XT_PKNOCK_KNOCKPORT; #if DEBUG printf("ports_count: %d\n", info->ports_count); #endif break; case 't': /* --time */ - if (*flags & IPT_PKNOCK_TIME) + if (*flags & XT_PKNOCK_TIME) xtables_error(PARAMETER_PROBLEM, PKNOCK "cannot use --time twice.\n"); xtables_check_inverse(argv[optind-1], &invert, &optind, 0); info->max_time = atoi(optarg); - info->option |= IPT_PKNOCK_TIME; - *flags |= IPT_PKNOCK_TIME; + info->option |= XT_PKNOCK_TIME; + *flags |= XT_PKNOCK_TIME; break; case 'n': /* --name */ - if (*flags & IPT_PKNOCK_NAME) + if (*flags & XT_PKNOCK_NAME) xtables_error(PARAMETER_PROBLEM, PKNOCK "cannot use --name twice.\n"); xtables_check_inverse(argv[optind-1], &invert, &optind, 0); - memset(info->rule_name, 0, IPT_PKNOCK_MAX_BUF_LEN + 1); - strncpy(info->rule_name, optarg, IPT_PKNOCK_MAX_BUF_LEN); + memset(info->rule_name, 0, XT_PKNOCK_MAX_BUF_LEN + 1); + strncpy(info->rule_name, optarg, XT_PKNOCK_MAX_BUF_LEN); info->rule_name_len = strlen(info->rule_name); - info->option |= IPT_PKNOCK_NAME; - *flags |= IPT_PKNOCK_NAME; + info->option |= XT_PKNOCK_NAME; + *flags |= XT_PKNOCK_NAME; #if DEBUG printf("info->rule_name: %s\n", info->rule_name); #endif break; case 'a': /* --opensecret */ - if (*flags & IPT_PKNOCK_OPENSECRET) + if (*flags & XT_PKNOCK_OPENSECRET) xtables_error(PARAMETER_PROBLEM, PKNOCK "cannot use --opensecret twice.\n"); xtables_check_inverse(argv[optind-1], &invert, &optind, 0); - memset(info->open_secret, 0, IPT_PKNOCK_MAX_PASSWD_LEN + 1); - strncpy(info->open_secret, optarg, IPT_PKNOCK_MAX_PASSWD_LEN); + memset(info->open_secret, 0, XT_PKNOCK_MAX_PASSWD_LEN + 1); + strncpy(info->open_secret, optarg, XT_PKNOCK_MAX_PASSWD_LEN); info->open_secret_len = strlen(info->open_secret); - info->option |= IPT_PKNOCK_OPENSECRET; - *flags |= IPT_PKNOCK_OPENSECRET; + info->option |= XT_PKNOCK_OPENSECRET; + *flags |= XT_PKNOCK_OPENSECRET; break; case 'z': /* --closesecret */ - if (*flags & IPT_PKNOCK_CLOSESECRET) + if (*flags & XT_PKNOCK_CLOSESECRET) xtables_error(PARAMETER_PROBLEM, PKNOCK "cannot use --closesecret twice.\n"); xtables_check_inverse(argv[optind-1], &invert, &optind, 0); - memset(info->close_secret, 0, IPT_PKNOCK_MAX_PASSWD_LEN + 1); - strncpy(info->close_secret, optarg, IPT_PKNOCK_MAX_PASSWD_LEN); + memset(info->close_secret, 0, XT_PKNOCK_MAX_PASSWD_LEN + 1); + strncpy(info->close_secret, optarg, XT_PKNOCK_MAX_PASSWD_LEN); info->close_secret_len = strlen(info->close_secret); - info->option |= IPT_PKNOCK_CLOSESECRET; - *flags |= IPT_PKNOCK_CLOSESECRET; + info->option |= XT_PKNOCK_CLOSESECRET; + *flags |= XT_PKNOCK_CLOSESECRET; break; case 'c': /* --checkip */ - if (*flags & IPT_PKNOCK_CHECKIP) + if (*flags & XT_PKNOCK_CHECKIP) xtables_error(PARAMETER_PROBLEM, PKNOCK "cannot use --checkip twice.\n"); xtables_check_inverse(argv[optind-1], &invert, &optind, 0); - info->option |= IPT_PKNOCK_CHECKIP; - *flags |= IPT_PKNOCK_CHECKIP; + info->option |= XT_PKNOCK_CHECKIP; + *flags |= XT_PKNOCK_CHECKIP; break; case 'x': /* --strict */ - if (*flags & IPT_PKNOCK_STRICT) + if (*flags & XT_PKNOCK_STRICT) xtables_error(PARAMETER_PROBLEM, PKNOCK "cannot use --strict twice.\n"); xtables_check_inverse(argv[optind-1], &invert, &optind, 0); - info->option |= IPT_PKNOCK_STRICT; - *flags |= IPT_PKNOCK_STRICT; + info->option |= XT_PKNOCK_STRICT; + *flags |= XT_PKNOCK_STRICT; break; default: @@ -240,42 +240,42 @@ static void pknock_check(unsigned int flags) if (!flags) xtables_error(PARAMETER_PROBLEM, PKNOCK "expection an option.\n"); - if (!(flags & IPT_PKNOCK_NAME)) + if (!(flags & XT_PKNOCK_NAME)) xtables_error(PARAMETER_PROBLEM, PKNOCK "--name option is required.\n"); - if (flags & IPT_PKNOCK_KNOCKPORT) { - if (flags & IPT_PKNOCK_CHECKIP) { + if (flags & XT_PKNOCK_KNOCKPORT) { + if (flags & XT_PKNOCK_CHECKIP) { xtables_error(PARAMETER_PROBLEM, PKNOCK "cannot specify --knockports with --checkip.\n"); } - if ((flags & IPT_PKNOCK_OPENSECRET) - && !(flags & IPT_PKNOCK_CLOSESECRET)) + if ((flags & XT_PKNOCK_OPENSECRET) + && !(flags & XT_PKNOCK_CLOSESECRET)) { xtables_error(PARAMETER_PROBLEM, PKNOCK "--opensecret must go with --closesecret.\n"); } - if ((flags & IPT_PKNOCK_CLOSESECRET) - && !(flags & IPT_PKNOCK_OPENSECRET)) + if ((flags & XT_PKNOCK_CLOSESECRET) + && !(flags & XT_PKNOCK_OPENSECRET)) { xtables_error(PARAMETER_PROBLEM, PKNOCK "--closesecret must go with --opensecret.\n"); } } - if (flags & IPT_PKNOCK_CHECKIP) { - if (flags & IPT_PKNOCK_KNOCKPORT) { + if (flags & XT_PKNOCK_CHECKIP) { + if (flags & XT_PKNOCK_KNOCKPORT) { xtables_error(PARAMETER_PROBLEM, PKNOCK "cannot specify --checkip with --knockports.\n"); } - if ((flags & IPT_PKNOCK_OPENSECRET) - || (flags & IPT_PKNOCK_CLOSESECRET)) + if ((flags & XT_PKNOCK_OPENSECRET) + || (flags & XT_PKNOCK_CLOSESECRET)) { xtables_error(PARAMETER_PROBLEM, PKNOCK "cannot specify --opensecret and" " --closesecret with --checkip.\n"); } - if (flags & IPT_PKNOCK_TIME) { + if (flags & XT_PKNOCK_TIME) { xtables_error(PARAMETER_PROBLEM, PKNOCK "cannot specify --time with --checkip.\n"); } @@ -290,19 +290,19 @@ static void pknock_print(const void *ip, int i; printf("pknock "); - if (info->option & IPT_PKNOCK_KNOCKPORT) { + if (info->option & XT_PKNOCK_KNOCKPORT) { printf("knockports "); for (i=0; iports_count; i++) printf("%s%d", i ? "," : "", info->port[i]); printf(" "); } - if (info->option & IPT_PKNOCK_TIME) + if (info->option & XT_PKNOCK_TIME) printf("time %ld ", (long)info->max_time); - if (info->option & IPT_PKNOCK_NAME) + if (info->option & XT_PKNOCK_NAME) printf("name %s ", info->rule_name); - if (info->option & IPT_PKNOCK_OPENSECRET) + if (info->option & XT_PKNOCK_OPENSECRET) printf("opensecret "); - if (info->option & IPT_PKNOCK_CLOSESECRET) + if (info->option & XT_PKNOCK_CLOSESECRET) printf("closesecret "); } @@ -312,23 +312,23 @@ static void pknock_save(const void *ip, const struct xt_entry_match *match) int i; const struct xt_pknock_mtinfo *info = (void *)match->data; - if (info->option & IPT_PKNOCK_KNOCKPORT) { + if (info->option & XT_PKNOCK_KNOCKPORT) { printf("--knockports "); for (i=0; iports_count; i++) printf("%s%d", i ? "," : "", info->port[i]); printf(" "); } - if (info->option & IPT_PKNOCK_TIME) + if (info->option & XT_PKNOCK_TIME) printf("--time %ld ", (long)info->max_time); - if (info->option & IPT_PKNOCK_NAME) + if (info->option & XT_PKNOCK_NAME) printf("--name %s ", info->rule_name); - if (info->option & IPT_PKNOCK_OPENSECRET) + if (info->option & XT_PKNOCK_OPENSECRET) printf("--opensecret "); - if (info->option & IPT_PKNOCK_CLOSESECRET) + if (info->option & XT_PKNOCK_CLOSESECRET) printf("--closesecret "); - if (info->option & IPT_PKNOCK_STRICT) + if (info->option & XT_PKNOCK_STRICT) printf("--strict "); - if (info->option & IPT_PKNOCK_CHECKIP) + if (info->option & XT_PKNOCK_CHECKIP) printf("--checkip "); } diff --git a/extensions/xt_pknock.c b/extensions/xt_pknock.c index 6200b5e..f6706d4 100644 --- a/extensions/xt_pknock.c +++ b/extensions/xt_pknock.c @@ -65,7 +65,7 @@ struct peer { */ struct xt_pknock_rule { struct list_head head; - char rule_name[IPT_PKNOCK_MAX_BUF_LEN + 1]; + char rule_name[XT_PKNOCK_MAX_BUF_LEN+1]; int rule_name_len; unsigned int ref_count; struct timer_list timer; @@ -433,7 +433,7 @@ add_rule(struct xt_pknock_mtinfo *info) if (rulecmp(info, rule)) { rule->ref_count++; - if (info->option & IPT_PKNOCK_CHECKIP) { + if (info->option & XT_PKNOCK_CHECKIP) { pr_debug("add_rule() (AC)" " rule found: %s - " "ref_count: %d\n", @@ -452,7 +452,7 @@ add_rule(struct xt_pknock_mtinfo *info) INIT_LIST_HEAD(&rule->head); - memset(rule->rule_name, 0, IPT_PKNOCK_MAX_BUF_LEN + 1); + memset(rule->rule_name, 0, XT_PKNOCK_MAX_BUF_LEN + 1); strncpy(rule->rule_name, info->rule_name, info->rule_name_len); rule->rule_name_len = info->rule_name_len; @@ -858,7 +858,7 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info, if (is_wrong_knock(peer, info, hdr->port)) { pk_debug("DIDN'T MATCH", peer); /* Peer must start the sequence from scratch. */ - if (info->option & IPT_PKNOCK_STRICT) + if (info->option & XT_PKNOCK_STRICT) reset_knock_status(peer); return false; @@ -866,7 +866,7 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info, #ifdef PK_CRYPTO /* If security is needed. */ - if (info->option & IPT_PKNOCK_OPENSECRET ) { + if (info->option & XT_PKNOCK_OPENSECRET ) { if (hdr->proto != IPPROTO_UDP) return false; @@ -894,7 +894,7 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info, } /* Controls the max matching time between ports. */ - if (info->option & IPT_PKNOCK_TIME) { + if (info->option & XT_PKNOCK_TIME) { time = jiffies/HZ; if (is_time_exceeded(peer, info->max_time)) { @@ -997,7 +997,7 @@ static bool pknock_mt(const struct sk_buff *skb, /* Gives the peer matching status added to rule depending on ip src. */ peer = get_peer(rule, iph->saddr); - if (info->option & IPT_PKNOCK_CHECKIP) { + if (info->option & XT_PKNOCK_CHECKIP) { ret = is_allowed(peer); goto out; } @@ -1008,10 +1008,10 @@ static bool pknock_mt(const struct sk_buff *skb, } /* Sets, updates, removes or checks the peer matching status. */ - if (info->option & IPT_PKNOCK_KNOCKPORT) { + if (info->option & XT_PKNOCK_KNOCKPORT) { if ((ret = is_allowed(peer))) { #ifdef PK_CRYPTO - if (info->option & IPT_PKNOCK_CLOSESECRET && + if (info->option & XT_PKNOCK_CLOSESECRET && iph->protocol == IPPROTO_UDP) { if (is_close_knock(peer, info, hdr.payload, hdr.payload_len)) @@ -1059,51 +1059,51 @@ static bool pknock_mt_check(const struct xt_mtchk_param *par) if (!add_rule(info)) RETURN_ERR("add_rule() error in checkentry() function.\n"); - if (!(info->option & IPT_PKNOCK_NAME)) + if (!(info->option & XT_PKNOCK_NAME)) RETURN_ERR("You must specify --name option.\n"); #ifdef PK_CRYPTO - if ((info->option & IPT_PKNOCK_OPENSECRET) && (info->ports_count != 1)) + if ((info->option & XT_PKNOCK_OPENSECRET) && (info->ports_count != 1)) RETURN_ERR("--opensecret must have just one knock port\n"); #endif - if (info->option & IPT_PKNOCK_KNOCKPORT) { - if (info->option & IPT_PKNOCK_CHECKIP) { + if (info->option & XT_PKNOCK_KNOCKPORT) { + if (info->option & XT_PKNOCK_CHECKIP) { RETURN_ERR("Can't specify --knockports with --checkip.\n"); } #ifdef PK_CRYPTO - if ((info->option & IPT_PKNOCK_OPENSECRET) && - !(info->option & IPT_PKNOCK_CLOSESECRET)) + if ((info->option & XT_PKNOCK_OPENSECRET) && + !(info->option & XT_PKNOCK_CLOSESECRET)) { RETURN_ERR("--opensecret must go with --closesecret.\n"); } - if ((info->option & IPT_PKNOCK_CLOSESECRET) && - !(info->option & IPT_PKNOCK_OPENSECRET)) + if ((info->option & XT_PKNOCK_CLOSESECRET) && + !(info->option & XT_PKNOCK_OPENSECRET)) { RETURN_ERR("--closesecret must go with --opensecret.\n"); } #endif } - if (info->option & IPT_PKNOCK_CHECKIP) { - if (info->option & IPT_PKNOCK_KNOCKPORT) + if (info->option & XT_PKNOCK_CHECKIP) { + if (info->option & XT_PKNOCK_KNOCKPORT) { RETURN_ERR("Can't specify --checkip with --knockports.\n"); } #ifdef PK_CRYPTO - if ((info->option & IPT_PKNOCK_OPENSECRET) || - (info->option & IPT_PKNOCK_CLOSESECRET)) + if ((info->option & XT_PKNOCK_OPENSECRET) || + (info->option & XT_PKNOCK_CLOSESECRET)) { RETURN_ERR("Can't specify --opensecret and --closesecret" " with --checkip.\n"); } #endif - if (info->option & IPT_PKNOCK_TIME) + if (info->option & XT_PKNOCK_TIME) RETURN_ERR("Can't specify --time with --checkip.\n"); } #ifdef PK_CRYPTO - if (info->option & IPT_PKNOCK_OPENSECRET) { + if (info->option & XT_PKNOCK_OPENSECRET) { if (info->open_secret_len == info->close_secret_len) { if (memcmp(info->open_secret, info->close_secret, info->open_secret_len) == 0) diff --git a/extensions/xt_pknock.h b/extensions/xt_pknock.h index 6c502ed..bb82c07 100644 --- a/extensions/xt_pknock.h +++ b/extensions/xt_pknock.h @@ -13,35 +13,38 @@ #define PKNOCK "xt_pknock: " -#define IPT_PKNOCK_KNOCKPORT 0x01 -#define IPT_PKNOCK_TIME 0x02 -#define IPT_PKNOCK_NAME 0x04 -#define IPT_PKNOCK_STRICT 0x08 -#define IPT_PKNOCK_CHECKIP 0x10 -#define IPT_PKNOCK_OPENSECRET 0x20 -#define IPT_PKNOCK_CLOSESECRET 0x40 +enum { + XT_PKNOCK_KNOCKPORT = 1 << 0, + XT_PKNOCK_TIME = 1 << 1, + XT_PKNOCK_NAME = 1 << 2, + XT_PKNOCK_STRICT = 1 << 3, + XT_PKNOCK_CHECKIP = 1 << 4, + XT_PKNOCK_OPENSECRET = 1 << 5, + XT_PKNOCK_CLOSESECRET = 1 << 6, -#define IPT_PKNOCK_MAX_PORTS 15 -#define IPT_PKNOCK_MAX_BUF_LEN 31 -#define IPT_PKNOCK_MAX_PASSWD_LEN 31 + /* Can never change these, as they are make up the user protocol. */ + XT_PKNOCK_MAX_PORTS = 15, + XT_PKNOCK_MAX_BUF_LEN = 31, + XT_PKNOCK_MAX_PASSWD_LEN = 31, +}; #define DEBUG 1 struct xt_pknock_mtinfo { - char rule_name[IPT_PKNOCK_MAX_BUF_LEN + 1]; + char rule_name[XT_PKNOCK_MAX_BUF_LEN+1]; uint32_t rule_name_len; - char open_secret[IPT_PKNOCK_MAX_PASSWD_LEN + 1]; + char open_secret[XT_PKNOCK_MAX_PASSWD_LEN+1]; uint32_t open_secret_len; - char close_secret[IPT_PKNOCK_MAX_PASSWD_LEN + 1]; + char close_secret[XT_PKNOCK_MAX_PASSWD_LEN+1]; uint32_t close_secret_len; uint8_t option; /* --time, --knock-port, ... */ uint8_t ports_count; /* number of ports */ - uint16_t port[IPT_PKNOCK_MAX_PORTS]; /* port[,port,port,...] */ + uint16_t port[XT_PKNOCK_MAX_PORTS]; /* port[,port,port,...] */ uint32_t max_time; /* max matching time between ports */ }; struct xt_pknock_nl_msg { - char rule_name[IPT_PKNOCK_MAX_BUF_LEN + 1]; + char rule_name[XT_PKNOCK_MAX_BUF_LEN+1]; uint32_t peer_ip; };