public
/
dhcp_protect
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 2 Vikivietne Aktivitāte
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
32 Revīzijas
1 Atzars
Koks: 2b82ce64df
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '2b82ce64df'
${ noResults }
dhcp_protect/src/dp_nfqueue.c

dp_nfqueue.c 4.2KB
Neapstrādāts Vainot Vēsture

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167 
  1. /**************************************************************************

  2. * Copyright 2019 Pascal Gloor

  3. * 

  4. * Licensed under the Apache License, Version 2.0 (the "License");

  5. * you may not use this file except in compliance with the License.

  6. * You may obtain a copy of the License at

  7. * 

  8. *     http://www.apache.org/licenses/LICENSE-2.0

  9. * 

  10. * Unless required by applicable law or agreed to in writing, software

  11. * distributed under the License is distributed on an "AS IS" BASIS,

  12. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. * See the License for the specific language governing permissions and

  14. * limitations under the License.

  15. **************************************************************************/

  16. 

  17. #include <stdio.h>

  18. #include <string.h>

  19. #include <arpa/inet.h>

  20. #include <errno.h>

  21. 

  22. #include "dp_nfqueue.h"

  23. #include "dp_accounting.h"

  24. #include "dp_blacklist.h"

  25. #include "dp_helpers.h"

  26. #include "dp_dhcpv4.h"

  27. #include "dp_dhcpv6.h"

  28. 

  29. // start netfilter queue

  30. void *dp_nfq_start(void *data) {

  31. 	dp_conf *conf = (dp_conf*)data;

  32. 	struct nfq_handle *h;

  33. 	struct nfq_q_handle *qh;

  34. 	int fd;

  35. 

  36. 	if ( ( h = nfq_open() ) == NULL ) {

  37. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  38. 		return NULL;

  39. 	}

  40. 

  41. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  42. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  43. 		return NULL;

  44. 	}

  45. 

  46. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  47. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  48. 		return NULL;

  49. 	}

  50. 

  51. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  52. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  53. 		return NULL;

  54. 	}

  55. 

  56. 	fd = nfq_fd(h);

  57. 

  58. 	while(1) {

  59. 		static char buf[65536];

  60. 		int rv;

  61. 

  62. 		rv = recv(fd, buf, sizeof(buf), 0);

  63. 

  64. 		switch(rv) {

  65. 			case -1:

  66. 				fprintf(stderr, "recv() error: %s\n", strerror(errno));

  67. 				return NULL;

  68. 			case 0:

  69. 				fprintf(stderr,"socket is closed!?\n");

  70. 				return NULL;

  71. 			default:

  72. 				// send packet to callback

  73. 				nfq_handle_packet(h, buf, rv);

  74. 				break;

  75. 		}

  76. 	}

  77. 	return NULL;

  78. }

  79. 

  80. // decode dhcp packet

  81. int dp_dhcp_check(struct nfq_data *nfa, dp_conf *conf) {

  82. 	unsigned char *pkt;

  83. 	int pktlen;

  84. 	int offset = 0;

  85. 	unsigned char *remoteid = NULL;

  86. 	int remoteidlen = 0;

  87. 	int rv = NF_ACCEPT;

  88. 

  89. 	pktlen = nfq_get_payload(nfa, &pkt);

  90. 

  91. 	if ( conf->debug ) printf("got a packet, len = %i\n", pktlen);

  92. 

  93. 	// can we read the IP proto and IP header length ?

  94. 	if ( pktlen > 0 ) {

  95. 		uint8_t ipver;

  96. 		uint8_t ihl;

  97. 

  98. 		ipver = pkt[offset];

  99. 		ipver >>= 4;

  100. 		ihl   = pkt[offset];

  101. 		ihl  &= 0x0f;

  102. 

  103. 		if ( ipver == 4 ) {

  104. 			// jump to DHCPv4

  105. 			offset += ( ihl * 4 ) + 8;

  106. 			dp_dhcpv4_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  107. 		}

  108. 		else if ( ipver == 6 ) {

  109. 			// jump to DHCPv6

  110. 			offset += 40 + 8;

  111. 			dp_dhcpv6_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  112. 		}

  113. 		else {		

  114. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  115. 			goto end;

  116. 		}

  117. 	}

  118. 

  119. 	if ( conf->debug ) printf("remoteidlen=%i\n",remoteidlen);

  120. 

  121. 	if ( remoteidlen>0 ) {

  122. 		if ( conf->debug ) {

  123. 			int i;

  124. 			printf("remoteid: ");

  125. 			for(i=0; i<remoteidlen; i++)

  126. 				printf("%02x", remoteid[i]);

  127. 			printf("\n");

  128. 		}

  129. 		// count the packet, even when blacklisted.

  130. 		dp_accounting_add(conf, remoteid, remoteidlen);

  131. 

  132. 		// check if already in the blacklist

  133. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) == NF_DROP )

  134. 			rv = NF_DROP;

  135. 

  136. 		// check if it must be added to the blacklist

  137. 		else if ( dp_accounting_check(conf, remoteid, remoteidlen) == NF_DROP ) {

  138. 			dp_blacklist_add(conf, remoteid, remoteidlen);

  139. 			rv = NF_DROP;

  140. 		}

  141. 	}

  142. 

  143. 	end:

  144. 

  145. 	return rv;

  146. }

  147. 

  148. // netfilter queue callback

  149. int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  150. 	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);

  151. 	dp_conf *conf = (dp_conf*)data;

  152. 	int id = -1;

  153. 	int verdict;

  154. 

  155. 	if ( ph ) {

  156. 		id = ntohl (ph->packet_id);

  157. 		if ( conf->debug ) printf ("received packet with id %d\n", id);

  158. 	}

  159. 

  160. 	verdict = dp_dhcp_check(nfa, conf); /* Treat packet */

  161. 

  162. 	// override decision for dryrun

  163. 	if ( conf->dryrun )

  164. 		verdict = NF_ACCEPT;

  165. 

  166. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  167. }