public
/
dhcp_protect
Observar 1
Favorito 0
Fork 0
Código Issues 0 Pull requests 0 Versões 2 Wiki Atividade
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
32 Commits
1 Branch
Tag: 2b82ce64df
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 2b82ce64df
${ noResults }
dhcp_protect/src/dp_nfqueue.c

dp_nfqueue.c 4.2KB
Original Anotar Histórico

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167 
  1. /**************************************************************************

  2. * Copyright 2019 Pascal Gloor

  3. * 

  4. * Licensed under the Apache License, Version 2.0 (the "License");

  5. * you may not use this file except in compliance with the License.

  6. * You may obtain a copy of the License at

  7. * 

  8. *     http://www.apache.org/licenses/LICENSE-2.0

  9. * 

  10. * Unless required by applicable law or agreed to in writing, software

  11. * distributed under the License is distributed on an "AS IS" BASIS,

  12. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. * See the License for the specific language governing permissions and

  14. * limitations under the License.

  15. **************************************************************************/

  16. 

  17. #include <stdio.h>

  18. #include <string.h>

  19. #include <arpa/inet.h>

  20. #include <errno.h>

  21. 

  22. #include "dp_nfqueue.h"

  23. #include "dp_accounting.h"

  24. #include "dp_blacklist.h"

  25. #include "dp_helpers.h"

  26. #include "dp_dhcpv4.h"

  27. #include "dp_dhcpv6.h"

  28. 

  29. // start netfilter queue

  30. void *dp_nfq_start(void *data) {

  31. 	dp_conf *conf = (dp_conf*)data;

  32. 	struct nfq_handle *h;

  33. 	struct nfq_q_handle *qh;

  34. 	int fd;

  35. 

  36. 	if ( ( h = nfq_open() ) == NULL ) {

  37. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  38. 		return NULL;

  39. 	}

  40. 

  41. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  42. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  43. 		return NULL;

  44. 	}

  45. 

  46. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  47. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  48. 		return NULL;

  49. 	}

  50. 

  51. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  52. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  53. 		return NULL;

  54. 	}

  55. 

  56. 	fd = nfq_fd(h);

  57. 

  58. 	while(1) {

  59. 		static char buf[65536];

  60. 		int rv;

  61. 

  62. 		rv = recv(fd, buf, sizeof(buf), 0);

  63. 

  64. 		switch(rv) {

  65. 			case -1:

  66. 				fprintf(stderr, "recv() error: %s\n", strerror(errno));

  67. 				return NULL;

  68. 			case 0:

  69. 				fprintf(stderr,"socket is closed!?\n");

  70. 				return NULL;

  71. 			default:

  72. 				// send packet to callback

  73. 				nfq_handle_packet(h, buf, rv);

  74. 				break;

  75. 		}

  76. 	}

  77. 	return NULL;

  78. }

  79. 

  80. // decode dhcp packet

  81. int dp_dhcp_check(struct nfq_data *nfa, dp_conf *conf) {

  82. 	unsigned char *pkt;

  83. 	int pktlen;

  84. 	int offset = 0;

  85. 	unsigned char *remoteid = NULL;

  86. 	int remoteidlen = 0;

  87. 	int rv = NF_ACCEPT;

  88. 

  89. 	pktlen = nfq_get_payload(nfa, &pkt);

  90. 

  91. 	if ( conf->debug ) printf("got a packet, len = %i\n", pktlen);

  92. 

  93. 	// can we read the IP proto and IP header length ?

  94. 	if ( pktlen > 0 ) {

  95. 		uint8_t ipver;

  96. 		uint8_t ihl;

  97. 

  98. 		ipver = pkt[offset];

  99. 		ipver >>= 4;

  100. 		ihl   = pkt[offset];

  101. 		ihl  &= 0x0f;

  102. 

  103. 		if ( ipver == 4 ) {

  104. 			// jump to DHCPv4

  105. 			offset += ( ihl * 4 ) + 8;

  106. 			dp_dhcpv4_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  107. 		}

  108. 		else if ( ipver == 6 ) {

  109. 			// jump to DHCPv6

  110. 			offset += 40 + 8;

  111. 			dp_dhcpv6_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  112. 		}

  113. 		else {		

  114. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  115. 			goto end;

  116. 		}

  117. 	}

  118. 

  119. 	if ( conf->debug ) printf("remoteidlen=%i\n",remoteidlen);

  120. 

  121. 	if ( remoteidlen>0 ) {

  122. 		if ( conf->debug ) {

  123. 			int i;

  124. 			printf("remoteid: ");

  125. 			for(i=0; i<remoteidlen; i++)

  126. 				printf("%02x", remoteid[i]);

  127. 			printf("\n");

  128. 		}

  129. 		// count the packet, even when blacklisted.

  130. 		dp_accounting_add(conf, remoteid, remoteidlen);

  131. 

  132. 		// check if already in the blacklist

  133. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) == NF_DROP )

  134. 			rv = NF_DROP;

  135. 

  136. 		// check if it must be added to the blacklist

  137. 		else if ( dp_accounting_check(conf, remoteid, remoteidlen) == NF_DROP ) {

  138. 			dp_blacklist_add(conf, remoteid, remoteidlen);

  139. 			rv = NF_DROP;

  140. 		}

  141. 	}

  142. 

  143. 	end:

  144. 

  145. 	return rv;

  146. }

  147. 

  148. // netfilter queue callback

  149. int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  150. 	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);

  151. 	dp_conf *conf = (dp_conf*)data;

  152. 	int id = -1;

  153. 	int verdict;

  154. 

  155. 	if ( ph ) {

  156. 		id = ntohl (ph->packet_id);

  157. 		if ( conf->debug ) printf ("received packet with id %d\n", id);

  158. 	}

  159. 

  160. 	verdict = dp_dhcp_check(nfa, conf); /* Treat packet */

  161. 

  162. 	// override decision for dryrun

  163. 	if ( conf->dryrun )

  164. 		verdict = NF_ACCEPT;

  165. 

  166. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  167. }