new file mode 100644
@@ -0,0 +1,225 @@
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <strings.h>
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_l2tp.h>
+
+enum {
+ O_TID = 0,
+ O_SID,
+ O_VERSION,
+ O_ENCAP,
+ O_TYPE,
+};
+
+static void l2tp_help(void)
+{
+ printf(
+"l2tp match options:\n"
+" --tunnel-id id\n"
+" --tid ...\n"
+" match tunnel-id\n"
+" --session-id id\n"
+" --sid ...\n"
+" match session-id\n"
+" --pversion {2|3}\n"
+" match version\n"
+" --encap {udp|ip}\n"
+" match encapsulation\n"
+" --type {control|data}\n"
+" match packet type\n");
+}
+
+#define s struct xt_l2tp_info
+static const struct xt_option_entry l2tp_opts[] = {
+ {.name = "tunnel-id", .id = O_TID, .type = XTTYPE_UINT32,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, tid)},
+ {.name = "tid", .id = O_TID, .type = XTTYPE_UINT32,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, tid)},
+ {.name = "session-id", .id = O_SID, .type = XTTYPE_UINT32,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, sid)},
+ {.name = "sid", .id = O_SID, .type = XTTYPE_UINT32,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, sid)},
+ {.name = "pversion", .id = O_VERSION, .type = XTTYPE_UINT8,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, version)},
+ {.name = "encap", .id = O_ENCAP, .type = XTTYPE_STRING },
+ {.name = "type", .id = O_TYPE, .type = XTTYPE_STRING },
+ XTOPT_TABLEEND,
+};
+#undef s
+
+static int parse_encap(const char *s)
+{
+ if (strcmp(s, "udp") == 0)
+ return XT_L2TP_ENCAP_UDP;
+ if (strcmp(s, "ip") == 0)
+ return XT_L2TP_ENCAP_IP;
+ xtables_error(PARAMETER_PROBLEM, "l2tp: invalid encap \"%s\"", s);
+}
+
+static int parse_type(const char *s)
+{
+ if (strcmp(s, "control") == 0)
+ return XT_L2TP_TYPE_CONTROL;
+ if (strcmp(s, "data") == 0)
+ return XT_L2TP_TYPE_DATA;
+ xtables_error(PARAMETER_PROBLEM, "l2tp: invalid type \"%s\"", s);
+}
+
+static void l2tp_parse(struct xt_option_call *cb)
+{
+ struct xt_l2tp_info *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_TID:
+ info->flags |= XT_L2TP_TID;
+ break;
+ case O_SID:
+ info->flags |= XT_L2TP_SID;
+ break;
+ case O_VERSION:
+ info->flags |= XT_L2TP_VERSION;
+ break;
+ case O_ENCAP:
+ info->encap = parse_encap(cb->arg);
+ info->flags |= XT_L2TP_ENCAP;
+ break;
+ case O_TYPE:
+ info->type = parse_type(cb->arg);
+ info->flags |= XT_L2TP_TYPE;
+ break;
+ }
+}
+
+static void l2tp_check(struct xt_fcheck_call *cb)
+{
+ struct xt_l2tp_info *info = cb->data;
+
+ if ((!(info->flags & XT_L2TP_TID)) &&
+ (!(info->flags & XT_L2TP_SID)) &&
+ ((!(info->flags & XT_L2TP_TYPE)) || (info->type != XT_L2TP_TYPE_CONTROL)))
+ xtables_error(PARAMETER_PROBLEM,
+ "l2tp tid, sid or control type not specified");
+
+ if (info->flags & XT_L2TP_VERSION) {
+ if ((info->version < 2) || (info->version > 3))
+ xtables_error(PARAMETER_PROBLEM, "l2tp: invalid version \"%d\"",
+ info->version);
+
+ if (info->version == 2) {
+ if ((info->flags & XT_L2TP_TID) &&
+ (info->tid > 0xffff))
+ xtables_error(PARAMETER_PROBLEM,
+ "l2tp tid is 16 bits for L2TPv2");
+ if ((info->flags & XT_L2TP_SID) &&
+ (info->sid > 0xffff))
+ xtables_error(PARAMETER_PROBLEM,
+ "l2tp sid is 16 bits for L2TPv2");
+ if ((info->flags & XT_L2TP_ENCAP) &&
+ (info->encap == XT_L2TP_ENCAP_IP))
+ xtables_error(PARAMETER_PROBLEM,
+ "l2tp encap ip invalid for L2TPv2");
+
+ /* v2 is always UDP encap */
+ if (!(info->flags & XT_L2TP_ENCAP)) {
+ info->encap = XT_L2TP_ENCAP_UDP;
+ info->flags |= XT_L2TP_ENCAP;
+ }
+ }
+ }
+
+ if (!(info->flags & XT_L2TP_ENCAP))
+ xtables_error(PARAMETER_PROBLEM,
+ "l2tp: encap not specified");
+}
+
+static void print_encap(uint8_t encap, const char *prefix)
+{
+ printf(" %sencap ", prefix);
+
+ switch (encap) {
+ case XT_L2TP_ENCAP_UDP:
+ printf("udp");
+ break;
+ case XT_L2TP_ENCAP_IP:
+ printf("ip");
+ break;
+ default:
+ printf("???");
+ break;
+ }
+}
+
+static void print_type(uint8_t type, const char *prefix)
+{
+ printf(" %stype ", prefix);
+
+ switch (type) {
+ case XT_L2TP_TYPE_CONTROL:
+ printf("control");
+ break;
+ case XT_L2TP_TYPE_DATA:
+ printf("data");
+ break;
+ default:
+ printf("???");
+ break;
+ }
+}
+
+static void l2tp_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_l2tp_info *info = (struct xt_l2tp_info *)match->data;
+
+ printf(" l2tp");
+ if (info->flags & XT_L2TP_TID)
+ printf(" tid %u", info->tid);
+ if (info->flags & XT_L2TP_SID)
+ printf(" sid %u", info->sid);
+ if (info->flags & XT_L2TP_VERSION)
+ printf(" pver %hd", info->version);
+ if (info->flags & XT_L2TP_ENCAP)
+ print_encap(info->encap, "");
+ if (info->flags & XT_L2TP_TYPE)
+ print_type(info->type, "");
+}
+
+static void l2tp_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_l2tp_info *info = (struct xt_l2tp_info *)match->data;
+
+ if (info->flags & XT_L2TP_TID)
+ printf(" --tid %u", info->tid);
+ if (info->flags & XT_L2TP_SID)
+ printf(" --sid %u", info->sid);
+ if (info->flags & XT_L2TP_VERSION)
+ printf(" --pversion %hd", info->version);
+ if (info->flags & XT_L2TP_ENCAP)
+ print_encap(info->encap, "--");
+ if (info->flags & XT_L2TP_TYPE)
+ print_type(info->type, "--");
+}
+
+static struct xtables_match l2tp_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "l2tp",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_l2tp_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_l2tp_info)),
+ .help = l2tp_help,
+ .print = l2tp_print,
+ .save = l2tp_save,
+ .x6_fcheck = l2tp_check,
+ .x6_parse = l2tp_parse,
+ .x6_options = l2tp_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&l2tp_match);
+}
new file mode 100644
@@ -0,0 +1,39 @@
+This is used to match L2TP packets. L2TP tunnels are identified by
+tunnel-id and session-id fields in the L2TP header. L2TPv2 and L2TPv3
+are supported.
+.TP
+\fB\-\-tunnel\-id\fP,\fB\-\-tid\fP \fIid\fP
+.TP
+\fB\-\-session\-id\fP,\fB\-\-sid\fP \fIid\fP
+.TP
+\fB\-\-pversion\fP {\fB2\fP|\fB3\fP}
+.TP
+\fB\-\-encap\fP {\fBudp\fP|\fBip\fP}
+.TP
+\fB\-\-type\fP {\fBcontrol\fP|\fBdata\fP}
+.PP
+At least one of \fB\-\-tunnel\-id\fP, \fB\-\-session\-id\fP or
+\fB\-\-type\fP must be
+specified.
+.PP
+\fB\-\-encap\fP must also be specified, either explicitely, or
+implicitely by specifying \fB\-\-pversion 2.
+.PP
+L2TP match rules should always be used together with IP address
+specifiers since the tunnel-id and session-id fields are scoped by the
+L2TP sender or receiver.
+.PP
+To match L2TPv3 packets which use 32-bit tunnel and session ids, the
+\fBpversion\fP option must be used to set the protocol version to 3.
+.PP
+Examples:
+.IP
+iptables \-A INPUT \-s 1.2.3.4 \-m l2tp
+\-\-tid 42 \-\-pversion 2 \-j DROP
+.IP
+iptables \-A OUTPUT \-d 1.2.3.5 \-m l2tp
+\-\-tid 100043 \-\-sid 100042
+\-\-pversion 3 \-\-encap ip \-j DROP
+.IP
+iptables \-A INPUT \-s 1.2.3.4 \-m l2tp
+\-\-encap udp \-\-type control \-j DROP
new file mode 100644
@@ -0,0 +1,36 @@
+#ifndef _LINUX_NETFILTER_XT_L2TP_H
+#define _LINUX_NETFILTER_XT_L2TP_H
+
+#include <linux/types.h>
+
+enum xt_l2tp_encap {
+ XT_L2TP_ENCAP_UDP,
+ XT_L2TP_ENCAP_IP,
+};
+
+enum xt_l2tp_type {
+ XT_L2TP_TYPE_CONTROL,
+ XT_L2TP_TYPE_DATA,
+};
+
+/* L2TP matching stuff */
+struct xt_l2tp_info {
+ __u32 tid; /* tunnel id */
+ __u32 sid; /* session id */
+ __u8 version; /* L2TP protocol version */
+ __u8 encap; /* L2TP encapsulation type */
+ __u8 type; /* L2TP packet type */
+ __u8 flags; /* which fields to match */
+};
+
+enum {
+ XT_L2TP_TID = (1 << 0), /* match L2TP tunnel id */
+ XT_L2TP_SID = (1 << 1), /* match L2TP session id */
+ XT_L2TP_VERSION = (1 << 2), /* match L2TP protocol version */
+ XT_L2TP_ENCAP = (1 << 3), /* match L2TP encapsulation type */
+ XT_L2TP_TYPE = (1 << 4), /* match L2TP packet type */
+};
+
+
+#endif /* _LINUX_NETFILTER_XT_L2TP_H */
+
This patch adds an iptables extension to support the l2tp xtables add-on. The matcher lets users filter on one or more fields of L2TP packets: tunnel-id, session-id, protocol version, encapsulation type (IP or UDP), packet type (control or data). Requires corresponding netfilter xt_l2tp kernel support, submitted separately. Signed-off-by: James Chapman <jchapman@katalix.com> --- Changes in v2: Change check() function to be consistent with kernel Changes in v3: Add local copy of xt_l2tp.h Changes in v4: Update check() again to be consistent with kernel. Changes in v5: Derive encap=udp setting if user specifies v2. Check that encap is specified. Update man page. Tested the argument checking using the trivial script below. #!/bin/sh IPTABLES=./iptables check_ok() { echo $* $* if [ $? -ne 0 ]; then echo "FAIL: $*" exit 1 fi } check_fail() { echo $* $* if [ $? -eq 0 ]; then echo "FAIL: $*" exit 1 fi } # Rejected commands check_fail $IPTABLES -I OUTPUT -m l2tp check_fail $IPTABLES -I OUTPUT -m l2tp --tid 42 check_fail $IPTABLES -I OUTPUT -m l2tp --sid 42 check_fail $IPTABLES -I OUTPUT -m l2tp --type control check_fail $IPTABLES -I OUTPUT -m l2tp --type data check_fail $IPTABLES -I OUTPUT -m l2tp --encap udp --type invalid check_fail $IPTABLES -I OUTPUT -m l2tp --tid 42 --pversion 1 check_fail $IPTABLES -I OUTPUT -m l2tp --tid 42 --pversion 3 check_fail $IPTABLES -I OUTPUT -m l2tp --tid 65536 --pversion 2 check_fail $IPTABLES -I OUTPUT -m l2tp --tid 42 --sid 65536 --pversion 2 # Good commands check_ok $IPTABLES -I OUTPUT -m l2tp --tid 42 --pversion 2 check_ok $IPTABLES -D OUTPUT -m l2tp --tid 42 --pversion 2 check_ok $IPTABLES -I OUTPUT -m l2tp --tid 42 --pversion 2 --sid 42 check_ok $IPTABLES -D OUTPUT -m l2tp --tid 42 --pversion 2 --sid 42 check_ok $IPTABLES -I OUTPUT -m l2tp --tid 42 --encap udp check_ok $IPTABLES -D OUTPUT -m l2tp --tid 42 --encap udp check_ok $IPTABLES -I OUTPUT -m l2tp --tid 42 --pversion 3 --encap udp check_ok $IPTABLES -D OUTPUT -m l2tp --tid 42 --pversion 3 --encap udp check_ok $IPTABLES -I OUTPUT -m l2tp --tid 42 --pversion 3 --encap ip check_ok $IPTABLES -D OUTPUT -m l2tp --tid 42 --pversion 3 --encap ip check_ok $IPTABLES -I OUTPUT -m l2tp --tid 42 --pversion 3 --encap udp --type control check_ok $IPTABLES -D OUTPUT -m l2tp --tid 42 --pversion 3 --encap udp --type control check_ok $IPTABLES -I OUTPUT -m l2tp --tid 42 --pversion 3 --encap udp --sid 42 check_ok $IPTABLES -D OUTPUT -m l2tp --tid 42 --pversion 3 --encap udp --sid 42 --- :000000 100644 0000000... 85f6c54... A extensions/libxt_l2tp.c :000000 100644 0000000... b3969ea... A extensions/libxt_l2tp.man :000000 100644 0000000... ba0a3ed... A include/linux/netfilter/xt_l2tp.h extensions/libxt_l2tp.c | 225 +++++++++++++++++++++++++++++++++++++ extensions/libxt_l2tp.man | 39 +++++++ include/linux/netfilter/xt_l2tp.h | 36 ++++++ 3 files changed, 300 insertions(+), 0 deletions(-)