public
/
dhcp_protect
关注 1
点赞 0
派生 0
代码 工单 0 合并请求 0 版本发布 2 百科 动态
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
7 提交
1 分支
目录树: 7bb46d6c5a
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '7bb46d6c5a'
${ noResults }
dhcp_protect/dhcp_protect.c

dhcp_protect.c 11KB
原始文件 Blame 文件历史

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484 
  1. // dhcp_protect.c

  2. 

  3. #include <stdio.h>

  4. #include <stdlib.h>

  5. #include <string.h>

  6. #include <unistd.h>

  7. #include <stdint.h>

  8. #include <errno.h>

  9. #include <time.h>

  10. #include <stdarg.h>

  11. #include <syslog.h>

  12. #include <arpa/inet.h>

  13. 

  14. #include <linux/netfilter.h>

  15. #include <libnetfilter_queue/libnetfilter_queue.h>

  16. 

  17. #include <uthash.h>

  18. 

  19. #include "dhcp_protect.h"

  20. 

  21. // main function

  22. int main(int argc, char **argv) {

  23. 	char *configfile;

  24. 	dp_conf conf;

  25. 

  26. 	if ( argc == 2 ) {

  27. 		configfile = argv[1];

  28. 	}

  29. 	else {

  30. 		usage(argv[0]);

  31. 		return EXIT_FAILURE;

  32. 	}

  33. 

  34. 	if ( load_config(&conf, configfile) == NULL )

  35. 		return EXIT_FAILURE;

  36. 

  37. 	openlog("dhcp_protect", LOG_PID, LOG_DAEMON);

  38. 

  39. 	nfq_start(&conf);

  40. 

  41. 	return 0;

  42. }

  43. 

  44. // syslog function

  45. void dp_log(unsigned char *remoteid, int remoteidlen, char *fmt, ...) {

  46. 	va_list argList;

  47. 	char buf[1000];

  48. 	int offset = remoteidlen*2;

  49. 	int i;

  50. 

  51. 	for(i=0; i<remoteidlen; i++) {

  52. 		sprintf(buf+(i*2), "%02x", remoteid[i]);

  53. 	}

  54. 	buf[offset]=':'; offset++;

  55. 	buf[offset]=' '; offset++;

  56. 

  57. 	va_start(argList, fmt);

  58. 	vsnprintf(buf+offset, sizeof(buf)-offset-1, fmt, argList);

  59. 	va_end(argList);

  60. 

  61. 	syslog(LOG_DAEMON|LOG_INFO, "%s", buf);

  62. }

  63. 

  64. // start netfilter queue

  65. void nfq_start(dp_conf *conf) {

  66. 	struct nfq_handle *h;

  67. 	struct nfq_q_handle *qh;

  68. 	int fd;

  69. 

  70. 	if ( ( h = nfq_open() ) == NULL ) {

  71. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  72. 		return;

  73. 	}

  74. 

  75. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  76. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  77. 		return;

  78. 	}

  79. 

  80. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  81. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  82. 		return;

  83. 	}

  84. 

  85. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  86. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  87. 		return;

  88. 	}

  89. 

  90. 	fd = nfq_fd(h);

  91. 

  92. 	while(1) {

  93. 		static char buf[65536];

  94. 		int rv;

  95. 

  96. 		if ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {

  97. 			nfq_handle_packet(h, buf, rv); /* send packet to callback */

  98. 		}

  99. 	}

  100. }

  101. 

  102. // display usage

  103. void usage(char *prog) {

  104. 	fprintf(stderr,"Usage: %s <configuration file>\n",prog);

  105. }

  106. 

  107. 

  108. // load configuration file

  109. dp_conf *load_config(dp_conf *conf, char *file) {

  110. 	FILE *fh;

  111. 	char *line = NULL;

  112. 	size_t len = 0;

  113. 	int error = 0;

  114. 

  115. 	printf("Loading configuration %s\n",file);

  116. 	

  117. 

  118. 	if ( ( fh = fopen(file,"r") ) == NULL ) {

  119. 		fprintf(stderr,"Failed to open configuration file '%s': %s\n", file, strerror(errno));

  120. 		return NULL;

  121. 	}

  122. 

  123. 	while (getline(&line, &len, fh) != -1) {

  124. 		char *name, *value;

  125. 

  126. 		name  = strtok(line, "=\r\n ");

  127. 		value = strtok(NULL,"=\r\n ");

  128. 

  129. 		if ( name == NULL || value == NULL || name[0] == '#' )

  130. 			continue;

  131. 

  132. 		if ( strcmp(name,"max_pkt_per_interval")==0 )

  133. 			conf->pktint = atoi(value);

  134. 		else if ( strcmp(name,"interval")==0 )

  135. 			conf->interval = atoi(value);

  136. 		else if ( strcmp(name, "debug")==0 )

  137. 			conf->debug = atoi(value) ? 1 : 0;

  138. 		else if ( strcmp(name, "blacklist_time")==0 )

  139. 			conf->bltime = atoi(value);

  140. 		else if ( strcmp(name, "queue")==0 )

  141. 			conf->queue = atoi(value);

  142. 		else if ( strcmp(name, "dryrun")==0 )

  143. 			conf->dryrun = atoi(value) ? 1 : 0;

  144. 		else

  145. 			fprintf(stderr,"unknown directive '%s', ignored\n", name);

  146. 

  147. 		free(line);

  148. 	}

  149. 	fclose(fh);

  150. 

  151. 	if ( conf->pktint < 1 || conf->pktint > 1000 ) {

  152. 		fprintf(stderr,"max_pkt_per_interval value invalid (min 1, max 1000)\n");

  153. 		error=1;

  154. 	}

  155. 	if ( conf->interval < 5 || conf->interval > 900 ) {

  156. 		fprintf(stderr,"interval value invalid (min 5, max 900)\n");

  157. 		error=1;

  158. 	}

  159. 	if ( conf->debug < 0 || conf->debug > 1 ) {

  160. 		fprintf(stderr,"debug value invalid (0 or 1)\n");

  161. 		error=1;

  162. 	}

  163. 	if ( conf->bltime < 10 || conf->bltime > 900 ) {

  164. 		fprintf(stderr,"blacklist_time value invalid (min 10, max 900)\n");

  165. 		error=1;

  166. 	}

  167. 	if ( conf->queue < 0 ) {

  168. 		fprintf(stderr,"queue must be a positive integer\n");

  169. 		error=1;

  170. 	}

  171. 	if ( conf->dryrun < 0 || conf->dryrun > 1 ) {

  172. 		fprintf(stderr, "dryrun value invalid (0 or 1)\n");

  173. 		error=1;

  174. 	}

  175. 

  176. 	if ( error )

  177. 		return NULL;

  178. 

  179. 	printf("Configuration:\n");

  180. 	printf("\t%-20s = %4s\n", "dryrun", conf->dryrun ? "Yes" : "No");

  181. 	printf("\t%-20s = %4s\n", "debug", conf->debug ? "Yes" : "No" );

  182. 	printf("\t%-20s = %4is\n", "interval", conf->interval);

  183. 	printf("\t%-20s = %4i\n", "max_pkt_per_interval", conf->pktint);

  184. 	printf("\t%-20s = %4is\n", "blacklist_time", conf->bltime);

  185. 	printf("\t%-20s = %4i\n", "queue", conf->queue);

  186. 

  187. 

  188. 	return conf;

  189. }

  190. 

  191. // decode dhcp packet

  192. int dhcp_check(struct nfq_data *nfa, dp_conf *conf) {

  193. 	unsigned char *pkt;

  194. 	int pktlen;

  195. 	int offset = 0;

  196. 	unsigned char *remoteid;

  197. 	int remoteidlen = 0;

  198. 	int found = 0;

  199. 	uint8_t ipver = 0;

  200. 	uint8_t ihl = 0;

  201. 	//int i;

  202. 	int rv = NF_ACCEPT;

  203. 

  204. 	pktlen = nfq_get_payload(nfa, &pkt);

  205. 

  206. 	if ( conf->debug ) printf("got a packet, len = %i\n", pktlen);

  207. 

  208. 	/* a bit too much ;)

  209. 	if ( conf->debug ) {

  210. 		for(i=0; i<pktlen; i++) {

  211. 			if ( !(i%16) ) printf("\n");

  212. 			printf("%02x ", pkt[i]);

  213. 		}

  214. 	}

  215. 	*/

  216. 

  217. 	// can we read the IP proto and IP header length ?

  218. 	if ( pktlen > 0 ) {

  219. 		ipver = pkt[offset];

  220. 		ipver >>= 4;

  221. 		ihl   = pkt[offset];

  222. 		ihl  &= 0x0f;

  223. 

  224. 		if ( ipver != 4 ) {

  225. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  226. 			rv = NF_ACCEPT;

  227. 			goto end;

  228. 		}

  229. 

  230. 		// jump over the IPv4 header

  231. 		offset += ihl * 4;

  232. 	}

  233. 

  234. 

  235. 	// jump over UDP + DHCP header

  236. 	offset += 8 + 28 + 16 + 64 + 128;

  237. 

  238. 	// minimum packet size, fixed header + magic cookie (4 octets)

  239. 	if ( pktlen < offset + 4 ) {

  240. 		if ( conf->debug ) printf("packet too small\n");

  241. 		rv = NF_ACCEPT;

  242. 		goto end;

  243. 	}

  244. 

  245. 	// check magic cookie

  246. 	if ( pkt[offset] != 99 || pkt[offset+1] != 130 || pkt[offset+2] != 83 || pkt[offset+3] != 99 ) {

  247. 		if ( conf->debug )

  248. 			printf(

  249. 				"invalid magic cookie %02x%02x%02x%02x\n",

  250. 				pkt[offset], pkt[offset+1],

  251. 				pkt[offset+2], pkt[offset+3]);

  252. 

  253. 		rv = NF_ACCEPT;

  254. 		goto end;

  255. 	}

  256. 	offset+=4;

  257. 

  258. 

  259. 	// parse TLV options

  260. 	while(offset<pktlen && !found) {

  261. 		uint8_t type = pkt[offset];

  262. 		uint8_t len;

  263. 

  264. 		offset++;

  265. 

  266. 		// printf("type : %i\n",type);

  267. 

  268. 		// padding of 1 octet

  269. 		if ( type == 0 ) {

  270. 			continue;

  271. 		}

  272. 

  273. 		// end of options

  274. 		if ( type == 255 )

  275. 			break;

  276. 

  277. 		// make sure we can read len

  278. 		if ( offset>=pktlen )

  279. 			break;

  280. 

  281. 		len = pkt[offset];

  282. 		offset++;

  283. 

  284. 		// printf("len  : %i\n", len);

  285. 

  286. 		// can the value be read

  287. 		if ( offset+len>=pktlen )

  288. 			break;

  289. 

  290. 		// option 82 parser

  291. 		if ( type == 82 ) {

  292. 			unsigned char *o82 = pkt+offset;

  293. 			int o82off = 0;

  294. 

  295. 			// loop until the end, +2 to ensure we can read type and length

  296. 			while(o82off+2<len && !found) {

  297. 				uint8_t otype = o82[o82off];

  298. 				uint8_t olen  = o82[o82off+1];

  299. 				o82off+=2;

  300. 

  301. 				// printf("o82 type=%i len=%i\n", otype, olen);

  302. 

  303. 				// remoteid

  304. 				if ( otype == 2 ) {

  305. 					// make sure we don't overflow and can read all data

  306. 					if ( o82off + olen > len ) {

  307. 						if ( conf->debug) printf("option 82.2 data too long\n");

  308. 						rv = NF_ACCEPT;

  309. 						goto end;

  310. 					}

  311. 					else {

  312. 						remoteid = o82 + o82off;

  313. 						remoteidlen = olen;

  314. 						found=1;

  315. 					}

  316. 				}

  317. 

  318. 				o82off+=olen;

  319. 			}

  320. 		}

  321. 

  322. 		offset+=len;

  323. 	}

  324. 

  325. 	if ( found ) {

  326. 		// count the packet, even when blacklisted.

  327. 		dp_accounting_add(conf, remoteid, remoteidlen);

  328. 

  329. 		// check if already in the blacklist

  330. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) == NF_DROP )

  331. 			rv = NF_DROP;

  332. 

  333. 		// check if it must be added to the blacklist

  334. 		else if ( dp_accounting_check(conf, remoteid, remoteidlen) == NF_DROP ) {

  335. 			dp_blacklist_add(conf, remoteid, remoteidlen);

  336. 			rv = NF_DROP;

  337. 		}

  338. 	}

  339. 

  340. 	end:

  341. 

  342. 	dp_hash_cleanup(conf);

  343. 

  344. 	return rv;

  345. }

  346. 

  347. // netfilter queue callback

  348. static int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  349. 	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);

  350. 	dp_conf *conf = (dp_conf*)data;

  351. 	int id;

  352. 	int verdict;

  353. 

  354. 	if ( ph ) {

  355. 		id = ntohl (ph->packet_id);

  356. 		if ( conf->debug ) printf ("received packet with id %d\n", id);

  357. 	}

  358. 

  359. 	verdict = dhcp_check(nfa, conf); /* Treat packet */

  360. 

  361. 	// override decision for dryrun

  362. 	if ( conf->dryrun )

  363. 		verdict = NF_ACCEPT;

  364. 

  365. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  366. }

  367. 

  368. void dp_accounting_add(dp_conf *conf, unsigned char *remoteid, int len) {

  369. 	//int i;

  370. 	dp_accounting *ac;

  371. 

  372. 	// does the element already exist

  373. 	HASH_FIND(hh, accountings, remoteid, len, ac);

  374. 

  375. 	if ( conf->debug ) printf("AC: add item\n");

  376. 

  377. 	// found it, increment the counter

  378. 	if ( ac ) {

  379. 		if ( conf->debug ) printf("AC: item found, incrementing\n");

  380. 		ac->count++;

  381. 	}

  382. 	// not found, create a new one

  383. 	else {

  384. 		if ( conf->debug ) printf("AC: item not found, creating\n");

  385. 		ac = malloc(sizeof(dp_accounting));

  386. 

  387. 		memcpy(ac->remoteid, remoteid, len);

  388. 		ac->len = len;

  389. 		ac->count = 1;

  390. 

  391. 		HASH_ADD(hh, accountings, remoteid, len, ac);

  392. 	}

  393. }

  394. 

  395. void dp_blacklist_add(dp_conf *conf, unsigned char *remoteid, int len) {

  396. 	dp_blacklist *bl;

  397. 

  398. 	// alrady exists?

  399. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  400. 

  401. 	if ( conf->debug ) printf("BL: add item\n");

  402. 

  403. 	// found an entry, push the expiration further

  404. 	if ( bl ) {

  405. 		if ( conf->debug ) printf("BL: item found -> pushing further\n");

  406. 		bl->expire = time(NULL) + conf->bltime;

  407. 	}

  408. 	// not found, create a new one

  409. 	else {

  410. 		if ( conf->debug ) printf("BL: item not found, new entry in BL\n");

  411. 		dp_log(remoteid, len, "blacklisting started");

  412. 		bl = malloc(sizeof(dp_blacklist));

  413. 		memcpy(bl->remoteid, remoteid, len);

  414. 		bl->len = len;

  415. 		bl->expire = time(NULL) + conf->bltime;

  416. 		HASH_ADD(hh, blacklists, remoteid, len, bl);

  417. 	}

  418. }

  419. 

  420. void dp_hash_cleanup(dp_conf *conf) {

  421. 	dp_accounting *ac, *actmp;

  422. 	dp_blacklist *bl, *bltmp;

  423. 

  424. 	// is it time to cleanup the list?

  425. 	// cleanup every conf->interval seconds 

  426. 	if ( dp_accountingtime + conf->interval < time(NULL) ) {

  427. 		if ( conf->debug ) printf("cleanup interval\n");

  428. 		dp_accountingtime = time(NULL);

  429. 		HASH_ITER(hh, accountings, ac, actmp) {

  430. 			HASH_DEL(accountings, ac);

  431. 			free(ac);

  432. 		}

  433. 	}

  434. 

  435. 	// blacklist cleanup check every 1 sec

  436. 	if ( dp_cleanuptime < time(NULL) ) {

  437. 		if ( conf->debug ) printf("cleanup BL\n");

  438. 		dp_cleanuptime = time(NULL);

  439. 		HASH_ITER(hh, blacklists, bl, bltmp) {

  440. 			if ( bl->expire < time(NULL) ) {

  441. 				dp_log(

  442. 					bl->remoteid, bl->len, 

  443. 					"blacklisting ended");

  444. 				HASH_DEL(blacklists, bl);

  445. 				free(bl);

  446. 			}

  447. 		}

  448. 	}

  449. }

  450. 

  451. int dp_accounting_check(dp_conf *conf, unsigned char *remoteid, int len) {

  452. 	dp_accounting *ac;

  453. 

  454. 	HASH_FIND(hh, accountings, remoteid, len, ac);

  455. 

  456. 	if ( conf->debug ) printf("AC Check\n");

  457. 

  458. 	if ( ac ) {

  459. 		if(conf->debug) printf("AC Check: found item %i > %i ?\n", ac->count, conf->pktint);

  460. 

  461. 		if ( ac->count > conf->pktint ) {

  462. 			if(conf->debug) printf("flood detected!\n");

  463. 			return NF_DROP;

  464. 		}

  465. 	}

  466. 	return NF_ACCEPT;

  467. }

  468. 

  469. int dp_blacklist_check(dp_conf *conf, unsigned char *remoteid, int len) {

  470. 	dp_blacklist *bl;

  471. 

  472. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  473. 

  474. 	if ( conf->debug ) printf("BL Check\n");

  475. 

  476. 	if ( bl ) {

  477. 

  478. 		if ( bl->expire > time(NULL) ) {

  479. 			if ( conf->debug ) printf("blacklisted!\n");

  480. 			return NF_DROP;

  481. 		}

  482. 	}

  483. 	return NF_ACCEPT;

  484. }