public
/
dhcp_protect
Suivre 1
Ajouter aux favoris 0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 2 Wiki Activité
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
3 Révisions
1 Branche
Aborescence: 1382cd41b6
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '1382cd41b6'
${ noResults }
dhcp_protect/dhcp_protect.c

dhcp_protect.c 7.6KB
Brut Annotations Historique

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348 
  1. // dhcp_protect.c

  2. 

  3. #include <stdio.h>

  4. #include <stdlib.h>

  5. #include <string.h>

  6. #include <unistd.h>

  7. #include <stdint.h>

  8. #include <errno.h>

  9. #include <time.h>

  10. #include <linux/netfilter.h>

  11. #include <libnetfilter_queue/libnetfilter_queue.h>

  12. #include <uthash.h>

  13. #include "dhcp_protect.h"

  14. 

  15. // main function

  16. int main(int argc, char **argv) {

  17. 	char *configfile;

  18. 	dp_conf conf;

  19. 	struct nfq_q_handle *qh;

  20. 

  21. 	if ( argc == 2 ) {

  22. 		configfile = argv[1];

  23. 	}

  24. 	else {

  25. 		usage(argv[0]);

  26. 		return EXIT_FAILURE;

  27. 	}

  28. 

  29. 	if ( load_config(&conf, configfile) == NULL )

  30. 		return EXIT_FAILURE;

  31. 

  32. 	nfq_start(&conf);

  33. 

  34. 	return 0;

  35. }

  36. 

  37. // start netfilter queue

  38. void nfq_start(dp_conf *conf) {

  39. 	struct nfq_handle *h;

  40. 	struct nfq_q_handle *qh;

  41. 	int fd;

  42. 

  43. 	if ( ( h = nfq_open() ) == NULL ) {

  44. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  45. 		return;

  46. 	}

  47. 

  48. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  49. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  50. 		return;

  51. 	}

  52. 

  53. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  54. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  55. 		return;

  56. 	}

  57. 

  58. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  59. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  60. 		return;

  61. 	}

  62. 

  63. 	fd = nfq_fd(h);

  64. 

  65. 	while(1) {

  66. 		static char buf[65536];

  67. 		int rv;

  68. 

  69. 		if ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {

  70. 			nfq_handle_packet(h, buf, rv); /* send packet to callback */

  71. 		}

  72. 	}

  73. }

  74. 

  75. // display usage

  76. void usage(char *prog) {

  77. 	fprintf(stderr,"Usage: %s <configuration file>\n",prog);

  78. }

  79. 

  80. 

  81. // load configuration file

  82. dp_conf *load_config(dp_conf *conf, char *file) {

  83. 	FILE *fh;

  84. 	char *line = NULL;

  85. 	size_t len = 0;

  86. 	int error = 0;

  87. 

  88. 	printf("Loading configuration %s\n",file);

  89. 	

  90. 

  91. 	if ( ( fh = fopen(file,"r") ) == NULL ) {

  92. 		fprintf(stderr,"Failed to open configuration file '%s': %s\n", file, strerror(errno));

  93. 		return NULL;

  94. 	}

  95. 

  96. 	while (getline(&line, &len, fh) != -1) {

  97. 		char *name, *value;

  98. 

  99. 		name  = strtok(line, "=\r\n ");

  100. 		value = strtok(NULL,"=\r\n ");

  101. 

  102. 		if ( name == NULL || value == NULL || name[0] == '#' )

  103. 			continue;

  104. 

  105. 		if ( strcmp(name,"max_pkt_per_interval")==0 )

  106. 			conf->pktint = atoi(value);

  107. 		else if ( strcmp(name,"interval")==0 )

  108. 			conf->interval = atoi(value);

  109. 		else if ( strcmp(name, "debug")==0 )

  110. 			conf->debug = atoi(value) ? 1 : 0;

  111. 		else if ( strcmp(name, "blacklist_time")==0 )

  112. 			conf->bltime = atoi(value);

  113. 		else if ( strcmp(name, "queue")==0 )

  114. 			conf->queue = atoi(value);

  115. 		else

  116. 			fprintf(stderr,"unknown directive '%s', ignored\n", name);

  117. 

  118. 		free(line);

  119. 	}

  120. 	fclose(fh);

  121. 

  122. 	if ( conf->pktint < 1 || conf->pktint > 1000 ) {

  123. 		fprintf(stderr,"max_pkt_per_interval value invalid (min 1, max 1000)\n");

  124. 		error=1;

  125. 	}

  126. 	if ( conf->interval < 10 || conf->interval > 60 ) {

  127. 		fprintf(stderr,"interval value invalid (min 10, max 60)\n");

  128. 		error=1;

  129. 	}

  130. 	if ( conf->debug < 0 || conf->debug > 1 ) {

  131. 		fprintf(stderr,"debug value invalid (0 or 1)\n");

  132. 		error=1;

  133. 	}

  134. 	if ( conf->bltime < 10 || conf->bltime > 900 ) {

  135. 		fprintf(stderr,"blacklist_time value invalid (min 10, max 900)\n");

  136. 		error=1;

  137. 	}

  138. 	if ( conf->queue < 0 ) {

  139. 		fprintf(stderr,"queue must be a positive integer\n");

  140. 		error=1;

  141. 	}

  142. 

  143. 	if ( error )

  144. 		return NULL;

  145. 

  146. 	printf("Configuration:\n");

  147. 	printf("\t%-20s = %4i\n", "max_pkt_per_interval", conf->pktint);

  148. 	printf("\t%-20s = %4i\n", "interval", conf->interval);

  149. 	printf("\t%-20s = %4i\n", "debug", conf->debug);

  150. 	printf("\t%-20s = %4i\n", "blacklist_time", conf->bltime);

  151. 	printf("\t%-20s = %4i\n", "queue", conf->queue);

  152. 

  153. 

  154. 	return conf;

  155. }

  156. 

  157. // decode dhcp packet

  158. u_int32_t dhcp_check(struct nfq_data *nfa, int *verdict, dp_conf *conf) {

  159. 	unsigned char *pkt;

  160. 	int pktlen;

  161. 	int offset = 0;

  162. 	unsigned char *remoteid;

  163. 	int remoteidlen = 0;

  164. 	int found = 0;

  165. 	uint8_t ipver = 0;

  166. 	uint8_t ihl = 0;

  167. 	int i;

  168. 

  169. 	pktlen = nfq_get_payload(nfa, &pkt);

  170. 

  171. 	for(i=0; i<pktlen; i++) {

  172. 		if ( !(i%16) ) printf("\n");

  173. 		printf("%02x ", pkt[i]);

  174. 	}

  175. 

  176. 	// can we read the IP proto and IP header length ?

  177. 	if ( pktlen > 0 ) {

  178. 		ipver = pkt[offset];

  179. 		ipver >>= 4;

  180. 		ihl   = pkt[offset];

  181. 		ihl  &= 0x0f;

  182. 

  183. 		if ( ipver != 4 ) {

  184. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  185. 			return NF_ACCEPT;

  186. 		}

  187. 

  188. 		// jump over the IPv4 header

  189. 		offset += ihl * 4;

  190. 	}

  191. 

  192. 

  193. 	// jump over UDP + DHCP header

  194. 	offset += 8 + 28 + 16 + 64 + 128;

  195. 

  196. 	// minimum packet size, fixed header + magic cookie (4 octets)

  197. 	if ( pktlen < offset + 4 ) {

  198. 		if ( conf->debug ) printf("packet too small\n");

  199. 		return NF_ACCEPT;

  200. 	}

  201. 

  202. 	// check magic cookie

  203. 	if ( pkt[offset] != 99 || pkt[offset+1] != 130 || pkt[offset+2] != 83 || pkt[offset+3] != 99 ) {

  204. 		if ( conf->debug ) printf("invalid magic cookie %02x%02x%02x%02x\n", pkt[offset], pkt[offset+1], pkt[offset+2], pkt[offset+3]);

  205. 		return NF_ACCEPT;

  206. 	}

  207. 	offset+=4;

  208. 

  209. 

  210. 	// parse TLV options

  211. 	while(offset<pktlen && !found) {

  212. 		uint8_t type = pkt[offset];

  213. 		uint8_t len;

  214. 

  215. 		offset++;

  216. 

  217. 		printf("type : %i\n",type);

  218. 

  219. 		// padding of 1 octet

  220. 		if ( type == 0 ) {

  221. 			continue;

  222. 		}

  223. 

  224. 		// end of options

  225. 		if ( type == 255 )

  226. 			break;

  227. 

  228. 		// make sure we can read len

  229. 		if ( offset>=pktlen )

  230. 			break;

  231. 

  232. 		len = pkt[offset];

  233. 		offset++;

  234. 

  235. 		printf("len  : %i\n", len);

  236. 

  237. 		// can the value be read

  238. 		if ( offset+len>=pktlen )

  239. 			break;

  240. 

  241. 		// option 82 parser

  242. 		if ( type == 82 ) {

  243. 			unsigned char *o82 = pkt+offset;

  244. 			int o82off = 0;

  245. 

  246. 			// loop until the end, +2 to ensure we can read type and length

  247. 			while(o82off+2<len && !found) {

  248. 				uint8_t otype = o82[o82off];

  249. 				uint8_t olen  = o82[o82off+1];

  250. 				o82off+=2;

  251. 

  252. 				printf("o82 type=%i len=%i\n", otype, olen);

  253. 

  254. 				// remoteid

  255. 				if ( otype == 2 ) {

  256. 					// make sure we don't overflow and can read all data

  257. 					if ( o82off + olen > len ) {

  258. 						if ( conf->debug) printf("option 82.2 data too long\n");

  259. 						return NF_ACCEPT;

  260. 					}

  261. 					else {

  262. 						remoteid = o82 + o82off;

  263. 						remoteidlen = olen;

  264. 						found=1;

  265. 					}

  266. 				}

  267. 

  268. 				o82off+=olen;

  269. 			}

  270. 		}

  271. 

  272. 		offset+=len;

  273. 	}

  274. 

  275. 	if ( found ) {

  276. 		dp_blacklist_count(conf, remoteid, remoteidlen);

  277. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) )

  278. 			return NF_ACCEPT;

  279. 		else

  280. 			return NF_DROP;

  281. 	}

  282. 

  283. 	printf("got a packet, len = %i\n", pktlen);

  284. 	return NF_ACCEPT;

  285. }

  286. 

  287. // netfilter queue callback

  288. static int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  289. 	dp_conf *conf = (dp_conf*)data;

  290. 	int verdict;

  291. 	u_int32_t id = dhcp_check(nfa, &verdict, conf); /* Treat packet */

  292. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  293. }

  294. 

  295. void dp_blacklist_count(dp_conf *conf, unsigned char *remoteid, int len) {

  296. 	int i;

  297. 	dp_blacklist *bl, *tmp;

  298. 

  299. 	// does the element already exist

  300. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  301. 

  302. 	// found it, increment the counter

  303. 	if ( bl ) {

  304. 		if ( conf->debug ) printf("BL: item found, incrementing\n");

  305. 		bl->count++;

  306. 	}

  307. 	// not found, create a new one

  308. 	else {

  309. 		bl = malloc(sizeof(dp_blacklist));

  310. 

  311. 		memcpy(bl->remoteid, remoteid, len);

  312. 		bl->len = len;

  313. 		bl->count = 1;

  314. 

  315. 		if ( conf->debug ) printf("BL: item not found, creating\n");

  316. 

  317. 		HASH_ADD(hh, blacklists, remoteid, len, bl);

  318. 	}

  319. 

  320. 	printf("count this remoteid ");

  321. 	for(i=0; i<len; i++) printf("%02x",*(uint8_t*)(remoteid+i));

  322. 	printf("\n");

  323. 

  324. 	// is it time to cleanup the list?

  325. 	if ( dp_timestamp + conf->interval < time(NULL) ) {

  326. 		if ( conf->debug ) printf("cleanup interval\n");

  327. 		dp_timestamp = time(NULL);

  328. 		HASH_ITER(hh, blacklists, bl, tmp) {

  329. 			HASH_DEL(blacklists, bl);

  330. 			free(bl);

  331. 		}

  332. 	}

  333. }

  334. 

  335. int dp_blacklist_check(dp_conf *conf, unsigned char *remoteid, int len) {

  336. 	dp_blacklist *bl;

  337. 

  338. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  339. 

  340. 	if ( bl ) {

  341. 		if(conf->debug) printf("found item\n");

  342. 

  343. 		if ( bl->count > conf->pktint ) {

  344. 			if(conf->debug) printf("flood detected!\n");

  345. 			return NF_DROP;

  346. 		}

  347. 	}

  348. }