API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Feb 14th, 2015
252
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.61 KB | None | 0 0
raw download clone embed print report
  1. --- /dev/null 2015-01-24 13:07:13.213991073 +0300
  2. +++ ./include/linux/netfilter_ipv4/ipt_weburl.h 2015-01-25 11:36:44.000000000 +0300
  3. @@ -0,0 +1,45 @@
  4. +/* weburl -- A netfilter module to match URLs in HTTP requests
  5. + * This module can match using string match or regular expressions
  6. + * Originally designed for use with Gargoyle router firmware (gargoyle-router.com)
  7. + *
  8. + *
  9. + * Copyright © 2008 by Eric Bishop <eric@gargoyle-router.com>
  10. + *
  11. + * This file is free software: you may copy, redistribute and/or modify it
  12. + * under the terms of the GNU General Public License as published by the
  13. + * Free Software Foundation, either version 2 of the License, or (at your
  14. + * option) any later version.
  15. + *
  16. + * This file is distributed in the hope that it will be useful, but
  17. + * WITHOUT ANY WARRANTY; without even the implied warranty of
  18. + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  19. + * General Public License for more details.
  20. + *
  21. + * You should have received a copy of the GNU General Public License
  22. + * along with this program. If not, see <http://www.gnu.org/licenses/>.
  23. + */
  24. +
  25. +
  26. +
  27. +
  28. +#ifndef _IPT_WEBURL_H
  29. +#define _IPT_WEBURL_H
  30. +
  31. +
  32. +#define MAX_TEST_STR 1024
  33. +
  34. +#define WEBURL_CONTAINS_TYPE 1
  35. +#define WEBURL_REGEX_TYPE 2
  36. +#define WEBURL_EXACT_TYPE 3
  37. +#define WEBURL_ALL_PART 4
  38. +#define WEBURL_DOMAIN_PART 5
  39. +#define WEBURL_PATH_PART 6
  40. +
  41. +struct ipt_weburl_info
  42. +{
  43. + char test_str[MAX_TEST_STR];
  44. + unsigned char match_type;
  45. + unsigned char match_part;
  46. + unsigned char invert;
  47. +};
  48. +#endif /*_IPT_WEBURL_H*/
  49. --- /dev/null 2015-01-24 13:07:13.213991073 +0300
  50. +++ ./extensions/libxt_weburl.c 2015-01-25 11:36:54.000000000 +0300
  51. @@ -0,0 +1,294 @@
  52. +/* weburl -- An iptables extension to match URLs in HTTP requests
  53. + * This module can match using string match or regular expressions
  54. + * Originally designed for use with Gargoyle router firmware (gargoyle-router.com)
  55. + *
  56. + *
  57. + * Copyright © 2008-2010 by Eric Bishop <eric@gargoyle-router.com>
  58. + *
  59. + * This file is free software: you may copy, redistribute and/or modify it
  60. + * under the terms of the GNU General Public License as published by the
  61. + * Free Software Foundation, either version 2 of the License, or (at your
  62. + * option) any later version.
  63. + *
  64. + * This file is distributed in the hope that it will be useful, but
  65. + * WITHOUT ANY WARRANTY; without even the implied warranty of
  66. + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  67. + * General Public License for more details.
  68. + *
  69. + * You should have received a copy of the GNU General Public License
  70. + * along with this program. If not, see <http://www.gnu.org/licenses/>.
  71. + */
  72. +
  73. +
  74. +#include <stdio.h>
  75. +#include <netdb.h>
  76. +#include <string.h>
  77. +#include <stdlib.h>
  78. +#include <getopt.h>
  79. +
  80. +
  81. +/*
  82. + * in iptables 1.4.0 and higher, iptables.h includes xtables.h, which
  83. + * we can use to check whether we need to deal with the new requirements
  84. + * in pre-processor directives below
  85. + */
  86. +#include <iptables.h>
  87. +#include <include/linux/netfilter_ipv4/ipt_weburl.h>
  88. +
  89. +#ifdef _XTABLES_H
  90. + #define iptables_rule_match xtables_rule_match
  91. + #define iptables_match xtables_match
  92. + #define iptables_target xtables_target
  93. + #define ipt_tryload xt_tryload
  94. +#endif
  95. +
  96. +/*
  97. + * XTABLES_VERSION_CODE is only defined in versions 1.4.1 and later, which
  98. + * also require the use of xtables_register_match
  99. + *
  100. + * Version 1.4.0 uses register_match like previous versions
  101. + */
  102. +#ifdef XTABLES_VERSION_CODE
  103. + #define register_match xtables_register_match
  104. +#endif
  105. +
  106. +
  107. +/* utility functions necessary for module to work across multiple iptables versions */
  108. +static int my_check_inverse(const char option[], int* invert, int *my_optind, int argc);
  109. +static void param_problem_exit_error(char* msg);
  110. +
  111. +
  112. +
  113. +/* Function which prints out usage message. */
  114. +static void help(void)
  115. +{
  116. + printf( "weburl options:\n --contains [!] [STRING]\n --contains_regex [!] [REGEX]\n --matches_exactly [!] [STRING]\n --domain_only\n --path_only\n");
  117. +}
  118. +
  119. +static struct option opts[] =
  120. +{
  121. + { .name = "contains", .has_arg = 1, .flag = 0, .val = WEBURL_CONTAINS_TYPE }, //string
  122. + { .name = "contains_regex", .has_arg = 1, .flag = 0, .val = WEBURL_REGEX_TYPE }, //regex
  123. + { .name = "matches_exactly", .has_arg = 1, .flag = 0, .val = WEBURL_EXACT_TYPE }, //exact string match
  124. + { .name = "domain_only", .has_arg = 0, .flag = 0, .val = WEBURL_DOMAIN_PART }, //only match domain portion of url
  125. + { .name = "path_only", .has_arg = 0, .flag = 0, .val = WEBURL_PATH_PART }, //only match path portion of url
  126. + { .name = 0 }
  127. +};
  128. +
  129. +
  130. +/* Function which parses command options; returns true if it
  131. + ate an option */
  132. +static int parse( int c,
  133. + char **argv,
  134. + int invert,
  135. + unsigned int *flags,
  136. +#ifdef _XTABLES_H
  137. + const void *entry,
  138. +#else
  139. + const struct ipt_entry *entry,
  140. + unsigned int *nfcache,
  141. +#endif
  142. + struct ipt_entry_match **match
  143. + )
  144. +{
  145. + struct ipt_weburl_info *info = (struct ipt_weburl_info *)(*match)->data;
  146. + int valid_arg = 0;
  147. +
  148. + if(*flags < 10)
  149. + {
  150. + info->match_part = WEBURL_ALL_PART;
  151. + }
  152. +
  153. + switch (c)
  154. + {
  155. + case WEBURL_CONTAINS_TYPE:
  156. + case WEBURL_REGEX_TYPE:
  157. + case WEBURL_EXACT_TYPE:
  158. + info->match_type = c;
  159. +
  160. + //test whether to invert rule
  161. + my_check_inverse(optarg, &invert, &optind, 0);
  162. + info->invert = invert ? 1 : 0;
  163. +
  164. + //test that test string is reasonable length, then to info
  165. + int testlen = strlen(argv[optind-1]);
  166. + if(testlen > 0 && testlen < MAX_TEST_STR)
  167. + {
  168. + strcpy(info->test_str, argv[optind-1]);
  169. + }
  170. + else if(testlen >= MAX_TEST_STR)
  171. + {
  172. + char err[100];
  173. + sprintf(err, "Parameter definition is too long, must be less than %d characters", MAX_TEST_STR);
  174. + param_problem_exit_error(err);
  175. + }
  176. + else
  177. + {
  178. + param_problem_exit_error("Parameter definition is incomplete");
  179. + }
  180. +
  181. + if(*flags % 10 == 1)
  182. + {
  183. + param_problem_exit_error("You may only specify one string/pattern to match");
  184. + }
  185. + *flags = *flags + 1;
  186. +
  187. + valid_arg = 1;
  188. + break;
  189. +
  190. + case WEBURL_DOMAIN_PART:
  191. + case WEBURL_PATH_PART:
  192. + info->match_part = c;
  193. + if(*flags >= 10)
  194. + {
  195. + param_problem_exit_error("You may specify at most one part of the url to match:\n\t--domain_only, --path_only or neither (to match full url)\n");
  196. + }
  197. + *flags = *flags+10;
  198. +
  199. + valid_arg = 1;
  200. + break;
  201. + }
  202. +
  203. + return valid_arg;
  204. +}
  205. +
  206. +
  207. +
  208. +static void print_weburl_args( struct ipt_weburl_info* info )
  209. +{
  210. + //invert
  211. + if(info->invert > 0)
  212. + {
  213. + printf("! ");
  214. + }
  215. + else
  216. + {
  217. + printf(" ");
  218. + }
  219. + //match type
  220. + switch (info->match_type)
  221. + {
  222. + case WEBURL_CONTAINS_TYPE:
  223. + printf("--contains ");
  224. + break;
  225. + case WEBURL_REGEX_TYPE:
  226. + printf("--contains_regex ");
  227. + break;
  228. + case WEBURL_EXACT_TYPE:
  229. + printf("--matches_exactly ");
  230. + break;
  231. + }
  232. + //test string
  233. + printf("%s ", info->test_str);
  234. +
  235. + //match part
  236. + switch(info->match_part)
  237. + {
  238. + case WEBURL_DOMAIN_PART:
  239. + printf("--domain_only ");
  240. + break;
  241. + case WEBURL_PATH_PART:
  242. + printf("--path_only ");
  243. + break;
  244. + case WEBURL_ALL_PART:
  245. + //print nothing
  246. + break;
  247. + }
  248. +
  249. +}
  250. +
  251. +/* Final check; must have specified a test string with either --contains or --contains_regex. */
  252. +static void final_check(unsigned int flags)
  253. +{
  254. + if (flags %10 == 0)
  255. + {
  256. + param_problem_exit_error("You must specify '--contains' or '--contains_regex' or '--matches_exactly'");
  257. + }
  258. +}
  259. +
  260. +/* Prints out the matchinfo. */
  261. +#ifdef _XTABLES_H
  262. +static void print(const void *ip, const struct xt_entry_match *match, int numeric)
  263. +#else
  264. +static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric)
  265. +#endif
  266. +{
  267. + printf(" WEBURL ");
  268. + struct ipt_weburl_info *info = (struct ipt_weburl_info *)match->data;
  269. +
  270. + print_weburl_args(info);
  271. +}
  272. +
  273. +/* Saves the union ipt_matchinfo in parsable form to stdout. */
  274. +#ifdef _XTABLES_H
  275. +static void save(const void *ip, const struct xt_entry_match *match)
  276. +#else
  277. +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
  278. +#endif
  279. +{
  280. + struct ipt_weburl_info *info = (struct ipt_weburl_info *)match->data;
  281. + print_weburl_args(info);
  282. +}
  283. +
  284. +static struct iptables_match weburl =
  285. +{
  286. + .next = NULL,
  287. + .name = "weburl",
  288. + #ifdef XTABLES_VERSION_CODE
  289. + .version = XTABLES_VERSION,
  290. + #else
  291. + .version = IPTABLES_VERSION,
  292. + #endif
  293. + .size = XT_ALIGN(sizeof(struct ipt_weburl_info)),
  294. + .userspacesize = XT_ALIGN(sizeof(struct ipt_weburl_info)),
  295. + .help = &help,
  296. + .parse = &parse,
  297. + .final_check = &final_check,
  298. + .print = &print,
  299. + .save = &save,
  300. + .extra_opts = opts
  301. +};
  302. +
  303. +void _init(void)
  304. +{
  305. + register_match(&weburl);
  306. +}
  307. +
  308. +
  309. +#ifndef TRUE
  310. +#define TRUE 1
  311. +#endif
  312. +#ifndef FALSE
  313. +#define FALSE 0
  314. +#endif
  315. +static int my_check_inverse(const char option[], int* invert, int *my_optind, int argc)
  316. +{
  317. + if (option && strcmp(option, "!") == 0)
  318. + {
  319. + if (*invert)
  320. + {
  321. + param_problem_exit_error("Multiple `!' flags not allowed");
  322. + }
  323. + *invert = TRUE;
  324. + if (my_optind != NULL)
  325. + {
  326. + ++*my_optind;
  327. + if (argc && *my_optind > argc)
  328. + {
  329. + param_problem_exit_error("no argument following `!'");
  330. + }
  331. + }
  332. + return TRUE;
  333. + }
  334. + return FALSE;
  335. +}
  336. +static void param_problem_exit_error(char* msg)
  337. +{
  338. + #ifdef xtables_error
  339. + xtables_error(PARAMETER_PROBLEM, msg);
  340. + #else
  341. + exit_error(PARAMETER_PROBLEM, msg);
  342. + #endif
  343. +}
  344. +
  345. +
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!