public
/
dhcp_protect
关注 1
点赞 0
派生 0
代码 工单 0 合并请求 0 版本发布 2 百科 动态
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
30 提交
1 分支
目录树: 64cb08090a
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '64cb08090a'
${ noResults }
dhcp_protect/dhcp_protect.c

dhcp_protect.c 13KB
原始文件 Blame 文件历史

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563 
  1. //   DHCP Protect

  2. //

  3. //   Copyright 2019 Pascal Gloor

  4. //

  5. //   Licensed under the Apache License, Version 2.0 (the "License");

  6. //   you may not use this file except in compliance with the License.

  7. //   You may obtain a copy of the License at

  8. //

  9. //     http://www.apache.org/licenses/LICENSE-2.0

  10. //

  11. //   Unless required by applicable law or agreed to in writing, software

  12. //   distributed under the License is distributed on an "AS IS" BASIS,

  13. //   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. //   See the License for the specific language governing permissions and

  15. //   limitations under the License.

  16. 

  17. 

  18. #include <stdio.h>

  19. #include <stdlib.h>

  20. #include <string.h>

  21. #include <unistd.h>

  22. #include <stdint.h>

  23. #include <errno.h>

  24. #include <time.h>

  25. #include <stdarg.h>

  26. #include <syslog.h>

  27. #include <arpa/inet.h>

  28. 

  29. #include <linux/netfilter.h>

  30. #include <libnetfilter_queue/libnetfilter_queue.h>

  31. 

  32. #include <uthash.h>

  33. 

  34. #include "dhcp_protect.h"

  35. 

  36. // main function

  37. int main(int argc, char **argv) {

  38. 	char *configfile;

  39. 	dp_conf conf;

  40. 

  41. 	if ( argc == 2 ) {

  42. 		configfile = argv[1];

  43. 	}

  44. 	else {

  45. 		dp_usage(argv[0]);

  46. 		return EXIT_FAILURE;

  47. 	}

  48. 

  49. 	if ( dp_load_config(&conf, configfile) == NULL )

  50. 		return EXIT_FAILURE;

  51. 

  52. 	openlog("dhcp_protect", LOG_PID, LOG_DAEMON);

  53. 

  54. 	dp_nfq_start(&conf);

  55. 

  56. 	return 0;

  57. }

  58. 

  59. // syslog function

  60. void dp_log(unsigned char *remoteid, int remoteidlen, char *fmt, ...) {

  61. 	va_list argList;

  62. 	char buf[1000];

  63. 	int offset = remoteidlen*2;

  64. 	int i;

  65. 

  66. 	for(i=0; i<remoteidlen; i++) {

  67. 		sprintf(buf+(i*2), "%02x", remoteid[i]);

  68. 	}

  69. 	buf[offset]=':'; offset++;

  70. 	buf[offset]=' '; offset++;

  71. 

  72. 	va_start(argList, fmt);

  73. 	vsnprintf(buf+offset, sizeof(buf)-offset-1, fmt, argList);

  74. 	va_end(argList);

  75. 

  76. 	syslog(LOG_DAEMON|LOG_INFO, "%s", buf);

  77. }

  78. 

  79. // start netfilter queue

  80. void dp_nfq_start(dp_conf *conf) {

  81. 	struct nfq_handle *h;

  82. 	struct nfq_q_handle *qh;

  83. 	int fd;

  84. 

  85. 	if ( ( h = nfq_open() ) == NULL ) {

  86. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  87. 		return;

  88. 	}

  89. 

  90. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  91. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  92. 		return;

  93. 	}

  94. 

  95. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  96. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  97. 		return;

  98. 	}

  99. 

  100. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  101. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  102. 		return;

  103. 	}

  104. 

  105. 	fd = nfq_fd(h);

  106. 

  107. 	while(1) {

  108. 		static char buf[65536];

  109. 		int rv;

  110. 

  111. 		rv = recv(fd, buf, sizeof(buf), 0);

  112. 

  113. 		switch(rv) {

  114. 			case -1:

  115. 				fprintf(stderr, "recv() error: %s\n", strerror(errno));

  116. 				return;

  117. 			case 0:

  118. 				fprintf(stderr,"socket is closed!?\n");

  119. 				return;

  120. 			default:

  121. 				// send packet to callback

  122. 				nfq_handle_packet(h, buf, rv);

  123. 				break;

  124. 		}

  125. 	}

  126. }

  127. 

  128. // display usage

  129. void dp_usage(char *prog) {

  130. 	fprintf(stderr,"Usage: %s <configuration file>\n",prog);

  131. }

  132. 

  133. 

  134. // load configuration file

  135. dp_conf *dp_load_config(dp_conf *conf, char *file) {

  136. 	FILE *fh;

  137. 	char *line = NULL;

  138. 	size_t len = 0;

  139. 	int error = 0;

  140. 

  141. 	printf("Loading configuration %s\n",file);

  142. 	

  143. 

  144. 	if ( ( fh = fopen(file,"r") ) == NULL ) {

  145. 		fprintf(stderr,"Failed to open configuration file '%s': %s\n", file, strerror(errno));

  146. 		return NULL;

  147. 	}

  148. 

  149. 	while (getline(&line, &len, fh) != -1) {

  150. 		char *name, *value;

  151. 

  152. 		name  = strtok(line, "=\r\n ");

  153. 		value = strtok(NULL,"=\r\n ");

  154. 

  155. 		if ( name == NULL || value == NULL || name[0] == '#' )

  156. 			continue;

  157. 

  158. 		if ( strcmp(name,"max_pkt_per_interval")==0 )

  159. 			conf->pktint = atoi(value);

  160. 		else if ( strcmp(name,"interval")==0 )

  161. 			conf->interval = atoi(value);

  162. 		else if ( strcmp(name, "debug")==0 )

  163. 			conf->debug = atoi(value) ? 1 : 0;

  164. 		else if ( strcmp(name, "blacklist_time")==0 )

  165. 			conf->bltime = atoi(value);

  166. 		else if ( strcmp(name, "queue")==0 )

  167. 			conf->queue = atoi(value);

  168. 		else if ( strcmp(name, "dryrun")==0 )

  169. 			conf->dryrun = atoi(value) ? 1 : 0;

  170. 		else

  171. 			fprintf(stderr,"unknown directive '%s', ignored\n", name);

  172. 

  173. 		free(line);

  174. 	}

  175. 	fclose(fh);

  176. 

  177. 	if ( conf->pktint < 1 || conf->pktint > 1000 ) {

  178. 		fprintf(stderr,"max_pkt_per_interval value invalid (min 1, max 1000)\n");

  179. 		error=1;

  180. 	}

  181. 	if ( conf->interval < 5 || conf->interval > 900 ) {

  182. 		fprintf(stderr,"interval value invalid (min 5, max 900)\n");

  183. 		error=1;

  184. 	}

  185. 	if ( conf->debug < 0 || conf->debug > 1 ) {

  186. 		fprintf(stderr,"debug value invalid (0 or 1)\n");

  187. 		error=1;

  188. 	}

  189. 	if ( conf->bltime < 10 || conf->bltime > 900 ) {

  190. 		fprintf(stderr,"blacklist_time value invalid (min 10, max 900)\n");

  191. 		error=1;

  192. 	}

  193. 	if ( conf->queue < 0 ) {

  194. 		fprintf(stderr,"queue must be a positive integer\n");

  195. 		error=1;

  196. 	}

  197. 	if ( conf->dryrun < 0 || conf->dryrun > 1 ) {

  198. 		fprintf(stderr, "dryrun value invalid (0 or 1)\n");

  199. 		error=1;

  200. 	}

  201. 

  202. 	if ( error )

  203. 		return NULL;

  204. 

  205. 	printf("Configuration:\n");

  206. 	printf("\t%-20s = %4s\n", "dryrun", conf->dryrun ? "Yes" : "No");

  207. 	printf("\t%-20s = %4s\n", "debug", conf->debug ? "Yes" : "No" );

  208. 	printf("\t%-20s = %4is\n", "interval", conf->interval);

  209. 	printf("\t%-20s = %4i\n", "max_pkt_per_interval", conf->pktint);

  210. 	printf("\t%-20s = %4is\n", "blacklist_time", conf->bltime);

  211. 	printf("\t%-20s = %4i\n", "queue", conf->queue);

  212. 

  213. 

  214. 	return conf;

  215. }

  216. 

  217. // decode dhcp packet

  218. int dp_dhcp_check(struct nfq_data *nfa, dp_conf *conf) {

  219. 	unsigned char *pkt;

  220. 	int pktlen;

  221. 	int offset = 0;

  222. 	unsigned char *remoteid = NULL;

  223. 	int remoteidlen = 0;

  224. 	int rv = NF_ACCEPT;

  225. 

  226. 	pktlen = nfq_get_payload(nfa, &pkt);

  227. 

  228. 	if ( conf->debug ) printf("got a packet, len = %i\n", pktlen);

  229. 

  230. 	// can we read the IP proto and IP header length ?

  231. 	if ( pktlen > 0 ) {

  232. 		uint8_t ipver;

  233. 		uint8_t ihl;

  234. 

  235. 		ipver = pkt[offset];

  236. 		ipver >>= 4;

  237. 		ihl   = pkt[offset];

  238. 		ihl  &= 0x0f;

  239. 

  240. 		if ( ipver == 4 ) {

  241. 			// jump to DHCPv4

  242. 			offset += ( ihl * 4 ) + 8;

  243. 			dp_dhcpv4_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  244. 		}

  245. 		else if ( ipver == 6 ) {

  246. 			// jump to DHCPv6

  247. 			offset += 40 + 8;

  248. 			dp_dhcpv6_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  249. 		}

  250. 		else {		

  251. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  252. 			goto end;

  253. 		}

  254. 	}

  255. 

  256. 	if ( conf->debug ) printf("remoteidlen=%i\n",remoteidlen);

  257. 

  258. 	if ( remoteidlen>0 ) {

  259. 		if ( conf->debug ) {

  260. 			int i;

  261. 			printf("remoteid: ");

  262. 			for(i=0; i<remoteidlen; i++)

  263. 				printf("%02x", remoteid[i]);

  264. 			printf("\n");

  265. 		}

  266. 		// count the packet, even when blacklisted.

  267. 		dp_accounting_add(conf, remoteid, remoteidlen);

  268. 

  269. 		// check if already in the blacklist

  270. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) == NF_DROP )

  271. 			rv = NF_DROP;

  272. 

  273. 		// check if it must be added to the blacklist

  274. 		else if ( dp_accounting_check(conf, remoteid, remoteidlen) == NF_DROP ) {

  275. 			dp_blacklist_add(conf, remoteid, remoteidlen);

  276. 			rv = NF_DROP;

  277. 		}

  278. 	}

  279. 

  280. 	end:

  281. 

  282. 	dp_hash_cleanup(conf);

  283. 

  284. 	return rv;

  285. }

  286. 

  287. void dp_dhcpv6_check(dp_conf *conf, unsigned char *pkt, int pktlen, int offset, unsigned char **remoteid, int *remoteidlen) {

  288. 	uint8_t msgtype = (uint8_t)pkt[offset];

  289. 

  290. 	if ( conf->debug ) printf("offset=%i\n",offset);

  291. 

  292. 	switch(msgtype) {

  293. 		case 12: // RELAY-FORW

  294. 		case 13: // RELAY-REPL

  295. 			offset += 2 + 16 + 16; // msg-type, hop-count, link-addr, peer-addr

  296. 			if ( conf->debug ) printf("this is a relay msg\n");

  297. 			break;

  298. 		default: // all other msgtypes

  299. 			offset += 4; // msg-type, transaction-id

  300. 	}

  301. 

  302. 	if ( conf->debug ) printf("offset=%i\n",offset);

  303. 

  304. 	while(offset+4<=pktlen) {

  305. 		uint16_t code = ntohs(*(uint16_t*)(pkt+offset));

  306. 		uint16_t len  = ntohs(*(uint16_t*)(pkt+offset+2));

  307. 

  308. 		if ( conf->debug ) printf("code %i len %i\n", code, len);

  309. 

  310. 		offset+=4;

  311. 

  312. 		if ( code == 9 ) { // relay message

  313. 			if ( conf->debug ) printf("option 9, relay msg\n");

  314. 			offset+=4;

  315. 			continue;

  316. 		}

  317. 

  318. 		if ( code == 1 ) { // Client identifier / DUID

  319. 			// make sure there's enough space

  320. 			if ( offset + len <= pktlen ) {

  321. 				*remoteid = pkt+offset;

  322. 				*remoteidlen = len;

  323. 				break;

  324. 			}

  325. 		}

  326. 		offset+=len;

  327. 	}

  328. }

  329. 

  330. 

  331. void dp_dhcpv4_check(dp_conf *conf, unsigned char *pkt, int pktlen, int offset, unsigned char **remoteid, int *remoteidlen) {

  332. 	int hwaddrpos = offset + 28; // remember where the hw addr is if we need to fallback to it

  333. 	int hwlenpos = offset + 2;   // remember where the hw addr len is if we need to fallback to it

  334. 

  335. 	// jump DHCP header

  336. 	offset += 28 + 16 + 64 + 128;

  337. 

  338. 	// minimum packet size, fixed header + magic cookie (4 octets)

  339. 	if ( pktlen < offset + 4 ) {

  340. 		if ( conf->debug ) printf("packet too small\n");

  341. 		return;

  342. 	}

  343. 

  344. 	// check magic cookie

  345. 	if ( pkt[offset] != 99 || pkt[offset+1] != 130 || pkt[offset+2] != 83 || pkt[offset+3] != 99 ) {

  346. 		if ( conf->debug )

  347. 			printf(

  348. 				"invalid magic cookie %02x%02x%02x%02x\n",

  349. 				pkt[offset], pkt[offset+1],

  350. 				pkt[offset+2], pkt[offset+3]);

  351. 		return;

  352. 	}

  353. 	offset+=4;

  354. 

  355. 

  356. 	// parse TLV options

  357. 	while(offset<pktlen && remoteidlen==0) {

  358. 		uint8_t type = pkt[offset];

  359. 		uint8_t len;

  360. 

  361. 		offset++;

  362. 

  363. 		// padding of 1 octet

  364. 		if ( type == 0 ) {

  365. 			continue;

  366. 		}

  367. 

  368. 		// end of options

  369. 		if ( type == 255 )

  370. 			break;

  371. 

  372. 		// make sure we can read len

  373. 		if ( offset>=pktlen )

  374. 			break;

  375. 

  376. 		len = pkt[offset];

  377. 		offset++;

  378. 

  379. 		// can the value be read

  380. 		if ( offset+len>pktlen )

  381. 			break;

  382. 

  383. 		// option 82 parser

  384. 		if ( type == 82 ) {

  385. 			unsigned char *o82 = pkt+offset;

  386. 			int o82off = 0;

  387. 

  388. 			// loop until the end, +2 to ensure we can read type and length

  389. 			while(o82off+2<len && remoteidlen==0) {

  390. 				uint8_t otype = o82[o82off];

  391. 				uint8_t olen  = o82[o82off+1];

  392. 				o82off+=2;

  393. 

  394. 				// printf("o82 type=%i len=%i\n", otype, olen);

  395. 

  396. 				// remoteid

  397. 				if ( otype == 2 ) {

  398. 					// make sure we don't overflow and can read all data

  399. 					if ( o82off + olen > len ) {

  400. 						if ( conf->debug) printf("option 82.2 data too long\n");

  401. 						break;

  402. 					}

  403. 					else {

  404. 						*remoteid = o82 + o82off;

  405. 						*remoteidlen = olen;

  406. 					}

  407. 				}

  408. 

  409. 				o82off+=olen;

  410. 			}

  411. 		}

  412. 

  413. 		offset+=len;

  414. 	}

  415. 

  416. 	// if we didn't find opt82.2, we fallback to the hw addr

  417. 	if ( *remoteidlen == 0 ) {

  418. 		// nope, we won't overflow

  419. 		if ( (uint8_t)pkt[hwlenpos] <= 16 ) {

  420. 			*remoteid = pkt+hwaddrpos;

  421. 			*remoteidlen = (uint8_t)pkt[hwlenpos];

  422. 		}

  423. 	}

  424. }

  425. 

  426. // netfilter queue callback

  427. static int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  428. 	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);

  429. 	dp_conf *conf = (dp_conf*)data;

  430. 	int id = -1;

  431. 	int verdict;

  432. 

  433. 	if ( ph ) {

  434. 		id = ntohl (ph->packet_id);

  435. 		if ( conf->debug ) printf ("received packet with id %d\n", id);

  436. 	}

  437. 

  438. 	verdict = dp_dhcp_check(nfa, conf); /* Treat packet */

  439. 

  440. 	// override decision for dryrun

  441. 	if ( conf->dryrun )

  442. 		verdict = NF_ACCEPT;

  443. 

  444. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  445. }

  446. 

  447. void dp_accounting_add(dp_conf *conf, unsigned char *remoteid, int len) {

  448. 	//int i;

  449. 	dp_accounting *ac;

  450. 

  451. 	// does the element already exist

  452. 	HASH_FIND(hh, accountings, remoteid, len, ac);

  453. 

  454. 	if ( conf->debug ) printf("AC: add item\n");

  455. 

  456. 	// found it, increment the counter

  457. 	if ( ac ) {

  458. 		if ( conf->debug ) printf("AC: item found, incrementing\n");

  459. 		ac->count++;

  460. 	}

  461. 	// not found, create a new one

  462. 	else {

  463. 		if ( conf->debug ) printf("AC: item not found, creating\n");

  464. 		ac = malloc(sizeof(dp_accounting));

  465. 

  466. 		memcpy(ac->remoteid, remoteid, len);

  467. 		ac->len = len;

  468. 		ac->count = 1;

  469. 

  470. 		HASH_ADD(hh, accountings, remoteid, len, ac);

  471. 	}

  472. }

  473. 

  474. void dp_blacklist_add(dp_conf *conf, unsigned char *remoteid, int len) {

  475. 	dp_blacklist *bl;

  476. 

  477. 	// alrady exists?

  478. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  479. 

  480. 	if ( conf->debug ) printf("BL: add item\n");

  481. 

  482. 	// found an entry, push the expiration further

  483. 	if ( bl ) {

  484. 		if ( conf->debug ) printf("BL: item found -> pushing further\n");

  485. 		bl->expire = time(NULL) + conf->bltime;

  486. 	}

  487. 	// not found, create a new one

  488. 	else {

  489. 		if ( conf->debug ) printf("BL: item not found, new entry in BL\n");

  490. 		dp_log(remoteid, len, "blacklisting started");

  491. 		bl = malloc(sizeof(dp_blacklist));

  492. 		memcpy(bl->remoteid, remoteid, len);

  493. 		bl->len = len;

  494. 		bl->expire = time(NULL) + conf->bltime;

  495. 		HASH_ADD(hh, blacklists, remoteid, len, bl);

  496. 	}

  497. }

  498. 

  499. void dp_hash_cleanup(dp_conf *conf) {

  500. 	dp_accounting *ac, *actmp;

  501. 	dp_blacklist *bl, *bltmp;

  502. 

  503. 	// is it time to cleanup the list?

  504. 	// cleanup every conf->interval seconds 

  505. 	if ( dp_accountingtime + conf->interval < time(NULL) ) {

  506. 		if ( conf->debug ) printf("cleanup interval\n");

  507. 		dp_accountingtime = time(NULL);

  508. 		HASH_ITER(hh, accountings, ac, actmp) {

  509. 			HASH_DEL(accountings, ac);

  510. 			free(ac);

  511. 		}

  512. 	}

  513. 

  514. 	// blacklist cleanup check every 1 sec

  515. 	if ( dp_cleanuptime < time(NULL) ) {

  516. 		if ( conf->debug ) printf("cleanup BL\n");

  517. 		dp_cleanuptime = time(NULL);

  518. 		HASH_ITER(hh, blacklists, bl, bltmp) {

  519. 			if ( bl->expire < time(NULL) ) {

  520. 				dp_log(

  521. 					bl->remoteid, bl->len, 

  522. 					"blacklisting ended");

  523. 				HASH_DEL(blacklists, bl);

  524. 				free(bl);

  525. 			}

  526. 		}

  527. 	}

  528. }

  529. 

  530. int dp_accounting_check(dp_conf *conf, unsigned char *remoteid, int len) {

  531. 	dp_accounting *ac;

  532. 

  533. 	HASH_FIND(hh, accountings, remoteid, len, ac);

  534. 

  535. 	if ( conf->debug ) printf("AC Check\n");

  536. 

  537. 	if ( ac ) {

  538. 		if(conf->debug) printf("AC Check: found item %i > %i ?\n", ac->count, conf->pktint);

  539. 

  540. 		if ( ac->count > conf->pktint ) {

  541. 			if(conf->debug) printf("flood detected!\n");

  542. 			return NF_DROP;

  543. 		}

  544. 	}

  545. 	return NF_ACCEPT;

  546. }

  547. 

  548. int dp_blacklist_check(dp_conf *conf, unsigned char *remoteid, int len) {

  549. 	dp_blacklist *bl;

  550. 

  551. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  552. 

  553. 	if ( conf->debug ) printf("BL Check\n");

  554. 

  555. 	if ( bl ) {

  556. 

  557. 		if ( bl->expire > time(NULL) ) {

  558. 			if ( conf->debug ) printf("blacklisted!\n");

  559. 			return NF_DROP;

  560. 		}

  561. 	}

  562. 	return NF_ACCEPT;

  563. }