LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12413 Commits
1 Branch
46 MiB
Tree: 3b5a8eee84
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3b5a8eee84'
${ noResults }
openwrt-packages-dist/net/wifidog-ng/src/main.c

176 lines
4.8 KiB
Raw Normal View History

wifidog-ng: Update to 2.0.0 Signed-off-by: Jianhui Zhao <jianhuizhao329@gmail.com>
6 years ago
 
  1. /*

  2.  *  Copyright (C) 2017 jianhui zhao <jianhuizhao329@gmail.com>
  3.  *
  4.  *  This program is free software; you can redistribute it and/or modify
  5.  *  it under the terms of the GNU General Public License version 2 as
  6.  *  published by the Free Software Foundation.
  7.  */
  8. 

  9. #include <linux/init.h>

  10. #include <linux/module.h>

  11. #include <linux/version.h>

  12. 

  13. #include <linux/ip.h>

  14. #include <linux/tcp.h>

  15. #include <linux/udp.h>

  16. #include <net/netfilter/nf_nat.h>

  17. #include <net/netfilter/nf_nat_l3proto.h>

  18. 

  19. #include "utils.h"

  20. #include "config.h"

  21. 

  22. #define IPS_HIJACKED    (1 << 31)

  23. #define IPS_ALLOWED     (1 << 30)

  24. 

  25. static u32 wd_nf_nat_setup_info(void *priv, struct sk_buff *skb,
  26.     const struct nf_hook_state *state, struct nf_conn *ct)
  27. {
  28.     struct config *conf = get_config();
  29.     struct tcphdr *tcph = tcp_hdr(skb);
  30.     union nf_conntrack_man_proto proto;
  31.     struct nf_nat_range newrange;
  32.     static uint16_t PORT_80 = htons(80);
  33. 

  34.     proto.tcp.port = (tcph->dest == PORT_80) ? htons(conf->port) : htons(conf->ssl_port);
  35.     newrange.flags       = NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED;
  36.     newrange.min_addr.ip = newrange.max_addr.ip = conf->interface_ipaddr;
  37.     newrange.min_proto   = newrange.max_proto = proto;
  38. 

  39.     ct->status |= IPS_HIJACKED;
  40. 

  41.     return nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_DST);
  42. }
  43. 

  44. static u32 wifidog_hook(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
  45. {
  46.     struct config *conf = get_config();
  47.     struct iphdr *iph = ip_hdr(skb);
  48.     struct nf_conn *ct;
  49.     struct tcphdr *tcph;
  50.     struct udphdr *udph;
  51.     enum ip_conntrack_info ctinfo;
  52.     static uint16_t PORT_80 = htons(80);    /* http */
  53.     static uint16_t PORT_443 = htons(443);  /* https */
  54.     static uint16_t PORT_67 = htons(67);    /* dhcp */
  55.     static uint16_t PORT_53 = htons(53);    /* dns */
  56. 

  57.     if (unlikely(!conf->enabled))
  58.         return NF_ACCEPT;
  59. 

  60.     if (state->in->ifindex != conf->interface_ifindex)
  61.         return NF_ACCEPT;
  62. 

  63.     /* Accept broadcast */
  64.     if (skb->pkt_type == PACKET_BROADCAST || skb->pkt_type == PACKET_MULTICAST)
  65.         return NF_ACCEPT;
  66. 

  67.     /* Accept all to local area networks */
  68.     if ((iph->daddr | ~conf->interface_mask) == conf->interface_broadcast)
  69.         return NF_ACCEPT;
  70. 

  71.     ct = nf_ct_get(skb, &ctinfo);
  72.     if (!ct || (ct->status & IPS_ALLOWED))
  73.         return NF_ACCEPT;
  74. 

  75.     if (ct->status & IPS_HIJACKED) {
  76.         if (is_allowed_mac(skb, state)) {
  77.             /* Avoid duplication of authentication */
  78.             nf_reset(skb);
  79.             nf_ct_kill(ct);
  80.         }
  81.         return NF_ACCEPT;
  82.     } else if (ctinfo == IP_CT_NEW && (is_allowed_dest_ip(skb, state) || is_allowed_mac(skb, state))) {
  83.         ct->status |= IPS_ALLOWED;
  84.         return NF_ACCEPT;
  85.     }
  86. 

  87.     switch (iph->protocol) {
  88.     case IPPROTO_TCP:
  89.         tcph = tcp_hdr(skb);
  90.         if(tcph->dest == PORT_53 || tcph->dest == PORT_67) {
  91.             ct->status |= IPS_ALLOWED;
  92.             return NF_ACCEPT;
  93.         }
  94. 

  95.         if (tcph->dest == PORT_80 || tcph->dest == PORT_443)
  96.             goto redirect;
  97.         else
  98.             return NF_DROP;
  99. 

  100.     case IPPROTO_UDP:
  101.         udph = udp_hdr(skb);
  102.         if(udph->dest == PORT_53 || udph->dest == PORT_67) {
  103.             ct->status |= IPS_ALLOWED;
  104.             return NF_ACCEPT;
  105.         }
  106.         return NF_DROP;
  107. 

  108.     default:
  109.         ct->status |= IPS_ALLOWED;
  110.         return NF_ACCEPT;
  111.     }
  112. 

  113. redirect:
  114.     /* all packets from unknown client are dropped */
  115.     if (ctinfo != IP_CT_NEW || (ct->status & IPS_DST_NAT_DONE)) {
  116.         pr_debug("dropping packets of suspect stream, src:%pI4, dst:%pI4\n", &iph->saddr, &iph->daddr);
  117.         return NF_DROP;
  118.     }
  119. 

  120.     return nf_nat_ipv4_in(priv, skb, state, wd_nf_nat_setup_info);
  121. }
  122. 

  123. static struct nf_hook_ops wifidog_ops[] __read_mostly = {
  124.     {
  125.         .hook       = wifidog_hook,
  126.         .pf         = PF_INET,
  127.         .hooknum    = NF_INET_PRE_ROUTING,
  128.         .priority   = NF_IP_PRI_CONNTRACK + 1 /* after conntrack */
  129.     }
  130. };
  131. 

  132. static int __init wifidog_init(void)
  133. {
  134.     int ret;
  135. 

  136.     ret = init_config();
  137.     if (ret)
  138.         return ret;
  139. 

  140. #if LINUX_VERSION_CODE > KERNEL_VERSION(4, 12, 14)

  141.     ret = nf_register_net_hooks(&init_net, wifidog_ops, ARRAY_SIZE(wifidog_ops));
  142. #else

  143.     ret = nf_register_hooks(wifidog_ops, ARRAY_SIZE(wifidog_ops));
  144. #endif

  145.     if (ret < 0) {
  146.         pr_err("can't register hook\n");
  147.         goto remove_config;
  148.     }
  149. 

  150.     pr_info("kmod of wifidog is started\n");
  151. 

  152.     return 0;
  153. 

  154. remove_config:
  155.     deinit_config();
  156.     return ret;
  157. }
  158. 

  159. static void __exit wifidog_exit(void)
  160. {
  161.     deinit_config();
  162. 

  163. #if LINUX_VERSION_CODE > KERNEL_VERSION(4, 12, 14)

  164.     nf_unregister_net_hooks(&init_net, wifidog_ops, ARRAY_SIZE(wifidog_ops));
  165. #else

  166.     nf_unregister_hooks(wifidog_ops, ARRAY_SIZE(wifidog_ops));
  167. #endif

  168. 

  169.     pr_info("kmod of wifidog-ng is stop\n");
  170. }
  171. 

  172. module_init(wifidog_init);
  173. module_exit(wifidog_exit);
  174. 

  175. MODULE_AUTHOR("jianhui zhao <jianhuizhao329@gmail.com>");
  176. MODULE_LICENSE("GPL");