public
/
dhcp_protect
Beobachten 1
Favorisieren 0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 2 Wiki Aktivität
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
Du kannst nicht mehr als 25 Themen auswählen Themen müssen mit entweder einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
31 Commits
1 Branch
Struktur: d3dcaaa59b
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „d3dcaaa59b“
${ noResults }
dhcp_protect/src/dp_nfqueue.c

dp_nfqueue.c 3.4KB
Originalformat Blame Verlauf

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152 
  1. #include <stdio.h>

  2. #include <string.h>

  3. #include <arpa/inet.h>

  4. #include <errno.h>

  5. 

  6. #include "dp_nfqueue.h"

  7. #include "dp_accounting.h"

  8. #include "dp_blacklist.h"

  9. #include "dp_helpers.h"

  10. #include "dp_dhcpv4.h"

  11. #include "dp_dhcpv6.h"

  12. 

  13. // start netfilter queue

  14. void dp_nfq_start(dp_conf *conf) {

  15. 	struct nfq_handle *h;

  16. 	struct nfq_q_handle *qh;

  17. 	int fd;

  18. 

  19. 	if ( ( h = nfq_open() ) == NULL ) {

  20. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  21. 		return;

  22. 	}

  23. 

  24. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  25. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  26. 		return;

  27. 	}

  28. 

  29. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  30. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  31. 		return;

  32. 	}

  33. 

  34. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  35. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  36. 		return;

  37. 	}

  38. 

  39. 	fd = nfq_fd(h);

  40. 

  41. 	while(1) {

  42. 		static char buf[65536];

  43. 		int rv;

  44. 

  45. 		rv = recv(fd, buf, sizeof(buf), 0);

  46. 

  47. 		switch(rv) {

  48. 			case -1:

  49. 				fprintf(stderr, "recv() error: %s\n", strerror(errno));

  50. 				return;

  51. 			case 0:

  52. 				fprintf(stderr,"socket is closed!?\n");

  53. 				return;

  54. 			default:

  55. 				// send packet to callback

  56. 				nfq_handle_packet(h, buf, rv);

  57. 				break;

  58. 		}

  59. 	}

  60. }

  61. 

  62. // decode dhcp packet

  63. int dp_dhcp_check(struct nfq_data *nfa, dp_conf *conf) {

  64. 	unsigned char *pkt;

  65. 	int pktlen;

  66. 	int offset = 0;

  67. 	unsigned char *remoteid = NULL;

  68. 	int remoteidlen = 0;

  69. 	int rv = NF_ACCEPT;

  70. 

  71. 	pktlen = nfq_get_payload(nfa, &pkt);

  72. 

  73. 	if ( conf->debug ) printf("got a packet, len = %i\n", pktlen);

  74. 

  75. 	// can we read the IP proto and IP header length ?

  76. 	if ( pktlen > 0 ) {

  77. 		uint8_t ipver;

  78. 		uint8_t ihl;

  79. 

  80. 		ipver = pkt[offset];

  81. 		ipver >>= 4;

  82. 		ihl   = pkt[offset];

  83. 		ihl  &= 0x0f;

  84. 

  85. 		if ( ipver == 4 ) {

  86. 			// jump to DHCPv4

  87. 			offset += ( ihl * 4 ) + 8;

  88. 			dp_dhcpv4_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  89. 		}

  90. 		else if ( ipver == 6 ) {

  91. 			// jump to DHCPv6

  92. 			offset += 40 + 8;

  93. 			dp_dhcpv6_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  94. 		}

  95. 		else {		

  96. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  97. 			goto end;

  98. 		}

  99. 	}

  100. 

  101. 	if ( conf->debug ) printf("remoteidlen=%i\n",remoteidlen);

  102. 

  103. 	if ( remoteidlen>0 ) {

  104. 		if ( conf->debug ) {

  105. 			int i;

  106. 			printf("remoteid: ");

  107. 			for(i=0; i<remoteidlen; i++)

  108. 				printf("%02x", remoteid[i]);

  109. 			printf("\n");

  110. 		}

  111. 		// count the packet, even when blacklisted.

  112. 		dp_accounting_add(conf, remoteid, remoteidlen);

  113. 

  114. 		// check if already in the blacklist

  115. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) == NF_DROP )

  116. 			rv = NF_DROP;

  117. 

  118. 		// check if it must be added to the blacklist

  119. 		else if ( dp_accounting_check(conf, remoteid, remoteidlen) == NF_DROP ) {

  120. 			dp_blacklist_add(conf, remoteid, remoteidlen);

  121. 			rv = NF_DROP;

  122. 		}

  123. 	}

  124. 

  125. 	end:

  126. 

  127. 	dp_accounting_cleanup(conf);

  128. 	dp_blacklist_cleanup(conf);

  129. 

  130. 	return rv;

  131. }

  132. 

  133. // netfilter queue callback

  134. int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  135. 	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);

  136. 	dp_conf *conf = (dp_conf*)data;

  137. 	int id = -1;

  138. 	int verdict;

  139. 

  140. 	if ( ph ) {

  141. 		id = ntohl (ph->packet_id);

  142. 		if ( conf->debug ) printf ("received packet with id %d\n", id);

  143. 	}

  144. 

  145. 	verdict = dp_dhcp_check(nfa, conf); /* Treat packet */

  146. 

  147. 	// override decision for dryrun

  148. 	if ( conf->dryrun )

  149. 		verdict = NF_ACCEPT;

  150. 

  151. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  152. }