public
/
dhcp_protect
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31 Commits
1 Branch
Tree: d3dcaaa59b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd3dcaaa59b'
${ noResults }
dhcp_protect/src/dp_nfqueue.c

dp_nfqueue.c 3.4KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152 
  1. #include <stdio.h>

  2. #include <string.h>

  3. #include <arpa/inet.h>

  4. #include <errno.h>

  5. 

  6. #include "dp_nfqueue.h"

  7. #include "dp_accounting.h"

  8. #include "dp_blacklist.h"

  9. #include "dp_helpers.h"

  10. #include "dp_dhcpv4.h"

  11. #include "dp_dhcpv6.h"

  12. 

  13. // start netfilter queue

  14. void dp_nfq_start(dp_conf *conf) {

  15. 	struct nfq_handle *h;

  16. 	struct nfq_q_handle *qh;

  17. 	int fd;

  18. 

  19. 	if ( ( h = nfq_open() ) == NULL ) {

  20. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  21. 		return;

  22. 	}

  23. 

  24. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  25. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  26. 		return;

  27. 	}

  28. 

  29. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  30. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  31. 		return;

  32. 	}

  33. 

  34. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  35. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  36. 		return;

  37. 	}

  38. 

  39. 	fd = nfq_fd(h);

  40. 

  41. 	while(1) {

  42. 		static char buf[65536];

  43. 		int rv;

  44. 

  45. 		rv = recv(fd, buf, sizeof(buf), 0);

  46. 

  47. 		switch(rv) {

  48. 			case -1:

  49. 				fprintf(stderr, "recv() error: %s\n", strerror(errno));

  50. 				return;

  51. 			case 0:

  52. 				fprintf(stderr,"socket is closed!?\n");

  53. 				return;

  54. 			default:

  55. 				// send packet to callback

  56. 				nfq_handle_packet(h, buf, rv);

  57. 				break;

  58. 		}

  59. 	}

  60. }

  61. 

  62. // decode dhcp packet

  63. int dp_dhcp_check(struct nfq_data *nfa, dp_conf *conf) {

  64. 	unsigned char *pkt;

  65. 	int pktlen;

  66. 	int offset = 0;

  67. 	unsigned char *remoteid = NULL;

  68. 	int remoteidlen = 0;

  69. 	int rv = NF_ACCEPT;

  70. 

  71. 	pktlen = nfq_get_payload(nfa, &pkt);

  72. 

  73. 	if ( conf->debug ) printf("got a packet, len = %i\n", pktlen);

  74. 

  75. 	// can we read the IP proto and IP header length ?

  76. 	if ( pktlen > 0 ) {

  77. 		uint8_t ipver;

  78. 		uint8_t ihl;

  79. 

  80. 		ipver = pkt[offset];

  81. 		ipver >>= 4;

  82. 		ihl   = pkt[offset];

  83. 		ihl  &= 0x0f;

  84. 

  85. 		if ( ipver == 4 ) {

  86. 			// jump to DHCPv4

  87. 			offset += ( ihl * 4 ) + 8;

  88. 			dp_dhcpv4_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  89. 		}

  90. 		else if ( ipver == 6 ) {

  91. 			// jump to DHCPv6

  92. 			offset += 40 + 8;

  93. 			dp_dhcpv6_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  94. 		}

  95. 		else {		

  96. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  97. 			goto end;

  98. 		}

  99. 	}

  100. 

  101. 	if ( conf->debug ) printf("remoteidlen=%i\n",remoteidlen);

  102. 

  103. 	if ( remoteidlen>0 ) {

  104. 		if ( conf->debug ) {

  105. 			int i;

  106. 			printf("remoteid: ");

  107. 			for(i=0; i<remoteidlen; i++)

  108. 				printf("%02x", remoteid[i]);

  109. 			printf("\n");

  110. 		}

  111. 		// count the packet, even when blacklisted.

  112. 		dp_accounting_add(conf, remoteid, remoteidlen);

  113. 

  114. 		// check if already in the blacklist

  115. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) == NF_DROP )

  116. 			rv = NF_DROP;

  117. 

  118. 		// check if it must be added to the blacklist

  119. 		else if ( dp_accounting_check(conf, remoteid, remoteidlen) == NF_DROP ) {

  120. 			dp_blacklist_add(conf, remoteid, remoteidlen);

  121. 			rv = NF_DROP;

  122. 		}

  123. 	}

  124. 

  125. 	end:

  126. 

  127. 	dp_accounting_cleanup(conf);

  128. 	dp_blacklist_cleanup(conf);

  129. 

  130. 	return rv;

  131. }

  132. 

  133. // netfilter queue callback

  134. int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  135. 	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);

  136. 	dp_conf *conf = (dp_conf*)data;

  137. 	int id = -1;

  138. 	int verdict;

  139. 

  140. 	if ( ph ) {

  141. 		id = ntohl (ph->packet_id);

  142. 		if ( conf->debug ) printf ("received packet with id %d\n", id);

  143. 	}

  144. 

  145. 	verdict = dp_dhcp_check(nfa, conf); /* Treat packet */

  146. 

  147. 	// override decision for dryrun

  148. 	if ( conf->dryrun )

  149. 		verdict = NF_ACCEPT;

  150. 

  151. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  152. }