public
/
dhcp_protect
보기 1
좋아요 0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 2 위키 Activity
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19 커밋
1 브렌치
트리: 01f3b47ea8
브랜치 태그
${ item.name }
Create branch ${ searchTerm }
from '01f3b47ea8'
${ noResults }
dhcp_protect/dhcp_protect.c

dhcp_protect.c 13KB
Raw Blame 히스토리

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542 
  1. // dhcp_protect.c

  2. //   Copyright 2019 Pascal Gloor

  3. //

  4. //   Licensed under the Apache License, Version 2.0 (the "License");

  5. //   you may not use this file except in compliance with the License.

  6. //   You may obtain a copy of the License at

  7. //

  8. //     http://www.apache.org/licenses/LICENSE-2.0

  9. //

  10. //   Unless required by applicable law or agreed to in writing, software

  11. //   distributed under the License is distributed on an "AS IS" BASIS,

  12. //   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. //   See the License for the specific language governing permissions and

  14. //   limitations under the License.

  15. 

  16. 

  17. #include <stdio.h>

  18. #include <stdlib.h>

  19. #include <string.h>

  20. #include <unistd.h>

  21. #include <stdint.h>

  22. #include <errno.h>

  23. #include <time.h>

  24. #include <stdarg.h>

  25. #include <syslog.h>

  26. #include <arpa/inet.h>

  27. 

  28. #include <linux/netfilter.h>

  29. #include <libnetfilter_queue/libnetfilter_queue.h>

  30. 

  31. #include <uthash.h>

  32. 

  33. #include "dhcp_protect.h"

  34. 

  35. // main function

  36. int main(int argc, char **argv) {

  37. 	char *configfile;

  38. 	dp_conf conf;

  39. 

  40. 	if ( argc == 2 ) {

  41. 		configfile = argv[1];

  42. 	}

  43. 	else {

  44. 		dp_usage(argv[0]);

  45. 		return EXIT_FAILURE;

  46. 	}

  47. 

  48. 	if ( dp_load_config(&conf, configfile) == NULL )

  49. 		return EXIT_FAILURE;

  50. 

  51. 	openlog("dhcp_protect", LOG_PID, LOG_DAEMON);

  52. 

  53. 	dp_nfq_start(&conf);

  54. 

  55. 	return 0;

  56. }

  57. 

  58. // syslog function

  59. void dp_log(unsigned char *remoteid, int remoteidlen, char *fmt, ...) {

  60. 	va_list argList;

  61. 	char buf[1000];

  62. 	int offset = remoteidlen*2;

  63. 	int i;

  64. 

  65. 	for(i=0; i<remoteidlen; i++) {

  66. 		sprintf(buf+(i*2), "%02x", remoteid[i]);

  67. 	}

  68. 	buf[offset]=':'; offset++;

  69. 	buf[offset]=' '; offset++;

  70. 

  71. 	va_start(argList, fmt);

  72. 	vsnprintf(buf+offset, sizeof(buf)-offset-1, fmt, argList);

  73. 	va_end(argList);

  74. 

  75. 	syslog(LOG_DAEMON|LOG_INFO, "%s", buf);

  76. }

  77. 

  78. // start netfilter queue

  79. void dp_nfq_start(dp_conf *conf) {

  80. 	struct nfq_handle *h;

  81. 	struct nfq_q_handle *qh;

  82. 	int fd;

  83. 

  84. 	if ( ( h = nfq_open() ) == NULL ) {

  85. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  86. 		return;

  87. 	}

  88. 

  89. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  90. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  91. 		return;

  92. 	}

  93. 

  94. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  95. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  96. 		return;

  97. 	}

  98. 

  99. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  100. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  101. 		return;

  102. 	}

  103. 

  104. 	fd = nfq_fd(h);

  105. 

  106. 	while(1) {

  107. 		static char buf[65536];

  108. 		int rv;

  109. 

  110. 		if ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {

  111. 			nfq_handle_packet(h, buf, rv); /* send packet to callback */

  112. 		}

  113. 	}

  114. }

  115. 

  116. // display usage

  117. void dp_usage(char *prog) {

  118. 	fprintf(stderr,"Usage: %s <configuration file>\n",prog);

  119. }

  120. 

  121. 

  122. // load configuration file

  123. dp_conf *dp_load_config(dp_conf *conf, char *file) {

  124. 	FILE *fh;

  125. 	char *line = NULL;

  126. 	size_t len = 0;

  127. 	int error = 0;

  128. 

  129. 	printf("Loading configuration %s\n",file);

  130. 	

  131. 

  132. 	if ( ( fh = fopen(file,"r") ) == NULL ) {

  133. 		fprintf(stderr,"Failed to open configuration file '%s': %s\n", file, strerror(errno));

  134. 		return NULL;

  135. 	}

  136. 

  137. 	while (getline(&line, &len, fh) != -1) {

  138. 		char *name, *value;

  139. 

  140. 		name  = strtok(line, "=\r\n ");

  141. 		value = strtok(NULL,"=\r\n ");

  142. 

  143. 		if ( name == NULL || value == NULL || name[0] == '#' )

  144. 			continue;

  145. 

  146. 		if ( strcmp(name,"max_pkt_per_interval")==0 )

  147. 			conf->pktint = atoi(value);

  148. 		else if ( strcmp(name,"interval")==0 )

  149. 			conf->interval = atoi(value);

  150. 		else if ( strcmp(name, "debug")==0 )

  151. 			conf->debug = atoi(value) ? 1 : 0;

  152. 		else if ( strcmp(name, "blacklist_time")==0 )

  153. 			conf->bltime = atoi(value);

  154. 		else if ( strcmp(name, "queue")==0 )

  155. 			conf->queue = atoi(value);

  156. 		else if ( strcmp(name, "dryrun")==0 )

  157. 			conf->dryrun = atoi(value) ? 1 : 0;

  158. 		else

  159. 			fprintf(stderr,"unknown directive '%s', ignored\n", name);

  160. 

  161. 		free(line);

  162. 	}

  163. 	fclose(fh);

  164. 

  165. 	if ( conf->pktint < 1 || conf->pktint > 1000 ) {

  166. 		fprintf(stderr,"max_pkt_per_interval value invalid (min 1, max 1000)\n");

  167. 		error=1;

  168. 	}

  169. 	if ( conf->interval < 5 || conf->interval > 900 ) {

  170. 		fprintf(stderr,"interval value invalid (min 5, max 900)\n");

  171. 		error=1;

  172. 	}

  173. 	if ( conf->debug < 0 || conf->debug > 1 ) {

  174. 		fprintf(stderr,"debug value invalid (0 or 1)\n");

  175. 		error=1;

  176. 	}

  177. 	if ( conf->bltime < 10 || conf->bltime > 900 ) {

  178. 		fprintf(stderr,"blacklist_time value invalid (min 10, max 900)\n");

  179. 		error=1;

  180. 	}

  181. 	if ( conf->queue < 0 ) {

  182. 		fprintf(stderr,"queue must be a positive integer\n");

  183. 		error=1;

  184. 	}

  185. 	if ( conf->dryrun < 0 || conf->dryrun > 1 ) {

  186. 		fprintf(stderr, "dryrun value invalid (0 or 1)\n");

  187. 		error=1;

  188. 	}

  189. 

  190. 	if ( error )

  191. 		return NULL;

  192. 

  193. 	printf("Configuration:\n");

  194. 	printf("\t%-20s = %4s\n", "dryrun", conf->dryrun ? "Yes" : "No");

  195. 	printf("\t%-20s = %4s\n", "debug", conf->debug ? "Yes" : "No" );

  196. 	printf("\t%-20s = %4is\n", "interval", conf->interval);

  197. 	printf("\t%-20s = %4i\n", "max_pkt_per_interval", conf->pktint);

  198. 	printf("\t%-20s = %4is\n", "blacklist_time", conf->bltime);

  199. 	printf("\t%-20s = %4i\n", "queue", conf->queue);

  200. 

  201. 

  202. 	return conf;

  203. }

  204. 

  205. // decode dhcp packet

  206. int dp_dhcp_check(struct nfq_data *nfa, dp_conf *conf) {

  207. 	unsigned char *pkt;

  208. 	int pktlen;

  209. 	int offset = 0;

  210. 	unsigned char *remoteid = NULL;

  211. 	int remoteidlen = 0;

  212. 	int rv = NF_ACCEPT;

  213. 

  214. 	pktlen = nfq_get_payload(nfa, &pkt);

  215. 

  216. 	if ( conf->debug ) printf("got a packet, len = %i\n", pktlen);

  217. 

  218. 	// can we read the IP proto and IP header length ?

  219. 	if ( pktlen > 0 ) {

  220. 		uint8_t ipver;

  221. 		uint8_t ihl;

  222. 

  223. 		ipver = pkt[offset];

  224. 		ipver >>= 4;

  225. 		ihl   = pkt[offset];

  226. 		ihl  &= 0x0f;

  227. 

  228. 		if ( ipver == 4 ) {

  229. 			// jump to DHCPv4

  230. 			offset += ( ihl * 4 ) + 8;

  231. 			dp_dhcpv4_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  232. 		}

  233. 		else if ( ipver == 6 ) {

  234. 			// jump to DHCPv6

  235. 			offset += 40 + 8;

  236. 			dp_dhcpv6_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  237. 		}

  238. 		else {		

  239. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  240. 			goto end;

  241. 		}

  242. 	}

  243. 

  244. 	if ( remoteidlen>0 ) {

  245. 		if ( conf->debug ) {

  246. 			int i;

  247. 			printf("remoteid: ");

  248. 			for(i=0; i<remoteidlen; i++)

  249. 				printf("%02x", remoteid[i]);

  250. 			printf("\n");

  251. 		}

  252. 		// count the packet, even when blacklisted.

  253. 		dp_accounting_add(conf, remoteid, remoteidlen);

  254. 

  255. 		// check if already in the blacklist

  256. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) == NF_DROP )

  257. 			rv = NF_DROP;

  258. 

  259. 		// check if it must be added to the blacklist

  260. 		else if ( dp_accounting_check(conf, remoteid, remoteidlen) == NF_DROP ) {

  261. 			dp_blacklist_add(conf, remoteid, remoteidlen);

  262. 			rv = NF_DROP;

  263. 		}

  264. 	}

  265. 

  266. 	end:

  267. 

  268. 	dp_hash_cleanup(conf);

  269. 

  270. 	return rv;

  271. }

  272. 

  273. void dp_dhcpv6_check(dp_conf *conf, unsigned char *pkt, int pktlen, int offset, unsigned char **remoteid, int *remoteidlen) {

  274. 

  275. 	while(offset<pktlen) {

  276. 		uint8_t msgtype = (uint8_t)pkt[offset];

  277. 

  278. 		switch(msgtype) {

  279. 			case 11: // RELAY-FORW

  280. 			case 12: // RELAY-REPL

  281. 				offset += 2 + 16 + 16; // msg-type, hop-count, link-addr, peer-addr

  282. 				break;

  283. 			default: // all other msgtypes

  284. 				offset += 2; // msg-type, hop-count

  285. 		}

  286. 

  287. 		while(offset+1<pktlen) {

  288. 			uint8_t code = (uint8_t)pkt[offset];

  289. 			uint8_t len  = (uint8_t)pkt[offset+1];

  290. 

  291. 			offset+=2;

  292. 

  293. 			if ( code == 1 ) { // Client identifier / DUID

  294. 				// make sure there's enough space

  295. 				if ( offset + len <= pktlen ) {

  296. 					*remoteid = pkt+offset;

  297. 					*remoteidlen = len;

  298. 					break;

  299. 				}

  300. 			}

  301. 			offset+=len;

  302. 		}

  303. 

  304. 		if ( *remoteidlen>0 )

  305. 			break;

  306. 	}

  307. }

  308. 

  309. 

  310. void dp_dhcpv4_check(dp_conf *conf, unsigned char *pkt, int pktlen, int offset, unsigned char **remoteid, int *remoteidlen) {

  311. 	int hwaddrpos = offset + 28; // remember where the hw addr is if we need to fallback to it

  312. 	int hwlenpos = offset + 2;   // remember where the hw addr len is if we need to fallback to it

  313. 

  314. 	// jump DHCP header

  315. 	offset += 28 + 16 + 64 + 128;

  316. 

  317. 	// minimum packet size, fixed header + magic cookie (4 octets)

  318. 	if ( pktlen < offset + 4 ) {

  319. 		if ( conf->debug ) printf("packet too small\n");

  320. 		return;

  321. 	}

  322. 

  323. 	// check magic cookie

  324. 	if ( pkt[offset] != 99 || pkt[offset+1] != 130 || pkt[offset+2] != 83 || pkt[offset+3] != 99 ) {

  325. 		if ( conf->debug )

  326. 			printf(

  327. 				"invalid magic cookie %02x%02x%02x%02x\n",

  328. 				pkt[offset], pkt[offset+1],

  329. 				pkt[offset+2], pkt[offset+3]);

  330. 		return;

  331. 	}

  332. 	offset+=4;

  333. 

  334. 

  335. 	// parse TLV options

  336. 	while(offset<pktlen && remoteidlen==0) {

  337. 		uint8_t type = pkt[offset];

  338. 		uint8_t len;

  339. 

  340. 		offset++;

  341. 

  342. 		// padding of 1 octet

  343. 		if ( type == 0 ) {

  344. 			continue;

  345. 		}

  346. 

  347. 		// end of options

  348. 		if ( type == 255 )

  349. 			break;

  350. 

  351. 		// make sure we can read len

  352. 		if ( offset>=pktlen )

  353. 			break;

  354. 

  355. 		len = pkt[offset];

  356. 		offset++;

  357. 

  358. 		// can the value be read

  359. 		if ( offset+len>pktlen )

  360. 			break;

  361. 

  362. 		// option 82 parser

  363. 		if ( type == 82 ) {

  364. 			unsigned char *o82 = pkt+offset;

  365. 			int o82off = 0;

  366. 

  367. 			// loop until the end, +2 to ensure we can read type and length

  368. 			while(o82off+2<len && remoteidlen==0) {

  369. 				uint8_t otype = o82[o82off];

  370. 				uint8_t olen  = o82[o82off+1];

  371. 				o82off+=2;

  372. 

  373. 				// printf("o82 type=%i len=%i\n", otype, olen);

  374. 

  375. 				// remoteid

  376. 				if ( otype == 2 ) {

  377. 					// make sure we don't overflow and can read all data

  378. 					if ( o82off + olen > len ) {

  379. 						if ( conf->debug) printf("option 82.2 data too long\n");

  380. 						break;

  381. 					}

  382. 					else {

  383. 						*remoteid = o82 + o82off;

  384. 						*remoteidlen = olen;

  385. 					}

  386. 				}

  387. 

  388. 				o82off+=olen;

  389. 			}

  390. 		}

  391. 

  392. 		offset+=len;

  393. 	}

  394. 

  395. 	// if we didn't find opt82.2, we fallback to the hw addr

  396. 	if ( *remoteidlen == 0 ) {

  397. 		// nope, we won't overflow

  398. 		if ( (uint8_t)pkt[hwlenpos] <= 16 ) {

  399. 			*remoteid = pkt+hwaddrpos;

  400. 			*remoteidlen = (uint8_t)pkt[hwlenpos];

  401. 		}

  402. 	}

  403. }

  404. 

  405. // netfilter queue callback

  406. static int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  407. 	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);

  408. 	dp_conf *conf = (dp_conf*)data;

  409. 	int id = -1;

  410. 	int verdict;

  411. 

  412. 	if ( ph ) {

  413. 		id = ntohl (ph->packet_id);

  414. 		if ( conf->debug ) printf ("received packet with id %d\n", id);

  415. 	}

  416. 

  417. 	verdict = dp_dhcp_check(nfa, conf); /* Treat packet */

  418. 

  419. 	// override decision for dryrun

  420. 	if ( conf->dryrun )

  421. 		verdict = NF_ACCEPT;

  422. 

  423. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  424. }

  425. 

  426. void dp_accounting_add(dp_conf *conf, unsigned char *remoteid, int len) {

  427. 	//int i;

  428. 	dp_accounting *ac;

  429. 

  430. 	// does the element already exist

  431. 	HASH_FIND(hh, accountings, remoteid, len, ac);

  432. 

  433. 	if ( conf->debug ) printf("AC: add item\n");

  434. 

  435. 	// found it, increment the counter

  436. 	if ( ac ) {

  437. 		if ( conf->debug ) printf("AC: item found, incrementing\n");

  438. 		ac->count++;

  439. 	}

  440. 	// not found, create a new one

  441. 	else {

  442. 		if ( conf->debug ) printf("AC: item not found, creating\n");

  443. 		ac = malloc(sizeof(dp_accounting));

  444. 

  445. 		memcpy(ac->remoteid, remoteid, len);

  446. 		ac->len = len;

  447. 		ac->count = 1;

  448. 

  449. 		HASH_ADD(hh, accountings, remoteid, len, ac);

  450. 	}

  451. }

  452. 

  453. void dp_blacklist_add(dp_conf *conf, unsigned char *remoteid, int len) {

  454. 	dp_blacklist *bl;

  455. 

  456. 	// alrady exists?

  457. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  458. 

  459. 	if ( conf->debug ) printf("BL: add item\n");

  460. 

  461. 	// found an entry, push the expiration further

  462. 	if ( bl ) {

  463. 		if ( conf->debug ) printf("BL: item found -> pushing further\n");

  464. 		bl->expire = time(NULL) + conf->bltime;

  465. 	}

  466. 	// not found, create a new one

  467. 	else {

  468. 		if ( conf->debug ) printf("BL: item not found, new entry in BL\n");

  469. 		dp_log(remoteid, len, "blacklisting started");

  470. 		bl = malloc(sizeof(dp_blacklist));

  471. 		memcpy(bl->remoteid, remoteid, len);

  472. 		bl->len = len;

  473. 		bl->expire = time(NULL) + conf->bltime;

  474. 		HASH_ADD(hh, blacklists, remoteid, len, bl);

  475. 	}

  476. }

  477. 

  478. void dp_hash_cleanup(dp_conf *conf) {

  479. 	dp_accounting *ac, *actmp;

  480. 	dp_blacklist *bl, *bltmp;

  481. 

  482. 	// is it time to cleanup the list?

  483. 	// cleanup every conf->interval seconds 

  484. 	if ( dp_accountingtime + conf->interval < time(NULL) ) {

  485. 		if ( conf->debug ) printf("cleanup interval\n");

  486. 		dp_accountingtime = time(NULL);

  487. 		HASH_ITER(hh, accountings, ac, actmp) {

  488. 			HASH_DEL(accountings, ac);

  489. 			free(ac);

  490. 		}

  491. 	}

  492. 

  493. 	// blacklist cleanup check every 1 sec

  494. 	if ( dp_cleanuptime < time(NULL) ) {

  495. 		if ( conf->debug ) printf("cleanup BL\n");

  496. 		dp_cleanuptime = time(NULL);

  497. 		HASH_ITER(hh, blacklists, bl, bltmp) {

  498. 			if ( bl->expire < time(NULL) ) {

  499. 				dp_log(

  500. 					bl->remoteid, bl->len, 

  501. 					"blacklisting ended");

  502. 				HASH_DEL(blacklists, bl);

  503. 				free(bl);

  504. 			}

  505. 		}

  506. 	}

  507. }

  508. 

  509. int dp_accounting_check(dp_conf *conf, unsigned char *remoteid, int len) {

  510. 	dp_accounting *ac;

  511. 

  512. 	HASH_FIND(hh, accountings, remoteid, len, ac);

  513. 

  514. 	if ( conf->debug ) printf("AC Check\n");

  515. 

  516. 	if ( ac ) {

  517. 		if(conf->debug) printf("AC Check: found item %i > %i ?\n", ac->count, conf->pktint);

  518. 

  519. 		if ( ac->count > conf->pktint ) {

  520. 			if(conf->debug) printf("flood detected!\n");

  521. 			return NF_DROP;

  522. 		}

  523. 	}

  524. 	return NF_ACCEPT;

  525. }

  526. 

  527. int dp_blacklist_check(dp_conf *conf, unsigned char *remoteid, int len) {

  528. 	dp_blacklist *bl;

  529. 

  530. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  531. 

  532. 	if ( conf->debug ) printf("BL Check\n");

  533. 

  534. 	if ( bl ) {

  535. 

  536. 		if ( bl->expire > time(NULL) ) {

  537. 			if ( conf->debug ) printf("blacklisted!\n");

  538. 			return NF_DROP;

  539. 		}

  540. 	}

  541. 	return NF_ACCEPT;

  542. }