1 | /* |
2 | * xt_time |
3 | * Copyright © CC Computer Consultants GmbH, 2007 |
4 | * |
5 | * based on ipt_time by Fabrice MARIE <fabrice@netfilter.org> |
6 | * This is a module which is used for time matching |
7 | * It is using some modified code from dietlibc (localtime() function) |
8 | * that you can find at https://www.fefe.de/dietlibc/ |
9 | * This file is distributed under the terms of the GNU General Public |
10 | * License (GPL). Copies of the GPL can be obtained from gnu.org/gpl. |
11 | */ |
12 | |
13 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
14 | |
15 | #include <linux/ktime.h> |
16 | #include <linux/module.h> |
17 | #include <linux/skbuff.h> |
18 | #include <linux/types.h> |
19 | #include <linux/netfilter/x_tables.h> |
20 | #include <linux/netfilter/xt_time.h> |
21 | |
22 | struct xtm { |
23 | u_int8_t month; /* (1-12) */ |
24 | u_int8_t monthday; /* (1-31) */ |
25 | u_int8_t weekday; /* (1-7) */ |
26 | u_int8_t hour; /* (0-23) */ |
27 | u_int8_t minute; /* (0-59) */ |
28 | u_int8_t second; /* (0-59) */ |
29 | unsigned int dse; |
30 | }; |
31 | |
32 | extern struct timezone sys_tz; /* ouch */ |
33 | |
34 | static const u_int16_t days_since_year[] = { |
35 | 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, |
36 | }; |
37 | |
38 | static const u_int16_t days_since_leapyear[] = { |
39 | 0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, |
40 | }; |
41 | |
42 | /* |
43 | * Since time progresses forward, it is best to organize this array in reverse, |
44 | * to minimize lookup time. |
45 | */ |
46 | enum { |
47 | DSE_FIRST = 2039, |
48 | SECONDS_PER_DAY = 86400, |
49 | }; |
50 | static const u_int16_t days_since_epoch[] = { |
51 | /* 2039 - 2030 */ |
52 | 25202, 24837, 24472, 24106, 23741, 23376, 23011, 22645, 22280, 21915, |
53 | /* 2029 - 2020 */ |
54 | 21550, 21184, 20819, 20454, 20089, 19723, 19358, 18993, 18628, 18262, |
55 | /* 2019 - 2010 */ |
56 | 17897, 17532, 17167, 16801, 16436, 16071, 15706, 15340, 14975, 14610, |
57 | /* 2009 - 2000 */ |
58 | 14245, 13879, 13514, 13149, 12784, 12418, 12053, 11688, 11323, 10957, |
59 | /* 1999 - 1990 */ |
60 | 10592, 10227, 9862, 9496, 9131, 8766, 8401, 8035, 7670, 7305, |
61 | /* 1989 - 1980 */ |
62 | 6940, 6574, 6209, 5844, 5479, 5113, 4748, 4383, 4018, 3652, |
63 | /* 1979 - 1970 */ |
64 | 3287, 2922, 2557, 2191, 1826, 1461, 1096, 730, 365, 0, |
65 | }; |
66 | |
67 | static inline bool is_leap(unsigned int y) |
68 | { |
69 | return y % 4 == 0 && (y % 100 != 0 || y % 400 == 0); |
70 | } |
71 | |
72 | /* |
73 | * Each network packet has a (nano)seconds-since-the-epoch (SSTE) timestamp. |
74 | * Since we match against days and daytime, the SSTE value needs to be |
75 | * computed back into human-readable dates. |
76 | * |
77 | * This is done in three separate functions so that the most expensive |
78 | * calculations are done last, in case a "simple match" can be found earlier. |
79 | */ |
80 | static inline unsigned int localtime_1(struct xtm *r, time64_t time) |
81 | { |
82 | unsigned int v, w; |
83 | |
84 | /* Each day has 86400s, so finding the hour/minute is actually easy. */ |
85 | div_u64_rem(dividend: time, divisor: SECONDS_PER_DAY, remainder: &v); |
86 | r->second = v % 60; |
87 | w = v / 60; |
88 | r->minute = w % 60; |
89 | r->hour = w / 60; |
90 | return v; |
91 | } |
92 | |
93 | static inline void localtime_2(struct xtm *r, time64_t time) |
94 | { |
95 | /* |
96 | * Here comes the rest (weekday, monthday). First, divide the SSTE |
97 | * by seconds-per-day to get the number of _days_ since the epoch. |
98 | */ |
99 | r->dse = div_u64(dividend: time, divisor: SECONDS_PER_DAY); |
100 | |
101 | /* |
102 | * 1970-01-01 (w=0) was a Thursday (4). |
103 | * -1 and +1 map Sunday properly onto 7. |
104 | */ |
105 | r->weekday = (4 + r->dse - 1) % 7 + 1; |
106 | } |
107 | |
108 | static void localtime_3(struct xtm *r, time64_t time) |
109 | { |
110 | unsigned int year, i, w = r->dse; |
111 | |
112 | /* |
113 | * In each year, a certain number of days-since-the-epoch have passed. |
114 | * Find the year that is closest to said days. |
115 | * |
116 | * Consider, for example, w=21612 (2029-03-04). Loop will abort on |
117 | * dse[i] <= w, which happens when dse[i] == 21550. This implies |
118 | * year == 2009. w will then be 62. |
119 | */ |
120 | for (i = 0, year = DSE_FIRST; days_since_epoch[i] > w; |
121 | ++i, --year) |
122 | /* just loop */; |
123 | |
124 | w -= days_since_epoch[i]; |
125 | |
126 | /* |
127 | * By now we have the current year, and the day of the year. |
128 | * r->yearday = w; |
129 | * |
130 | * On to finding the month (like above). In each month, a certain |
131 | * number of days-since-New Year have passed, and find the closest |
132 | * one. |
133 | * |
134 | * Consider w=62 (in a non-leap year). Loop will abort on |
135 | * dsy[i] < w, which happens when dsy[i] == 31+28 (i == 2). |
136 | * Concludes i == 2, i.e. 3rd month => March. |
137 | * |
138 | * (A different approach to use would be to subtract a monthlength |
139 | * from w repeatedly while counting.) |
140 | */ |
141 | if (is_leap(y: year)) { |
142 | /* use days_since_leapyear[] in a leap year */ |
143 | for (i = ARRAY_SIZE(days_since_leapyear) - 1; |
144 | i > 0 && days_since_leapyear[i] > w; --i) |
145 | /* just loop */; |
146 | r->monthday = w - days_since_leapyear[i] + 1; |
147 | } else { |
148 | for (i = ARRAY_SIZE(days_since_year) - 1; |
149 | i > 0 && days_since_year[i] > w; --i) |
150 | /* just loop */; |
151 | r->monthday = w - days_since_year[i] + 1; |
152 | } |
153 | |
154 | r->month = i + 1; |
155 | } |
156 | |
157 | static bool |
158 | time_mt(const struct sk_buff *skb, struct xt_action_param *par) |
159 | { |
160 | const struct xt_time_info *info = par->matchinfo; |
161 | unsigned int packet_time; |
162 | struct xtm current_time; |
163 | time64_t stamp; |
164 | |
165 | /* |
166 | * We need real time here, but we can neither use skb->tstamp |
167 | * nor __net_timestamp(). |
168 | * |
169 | * skb->tstamp and skb->skb_mstamp_ns overlap, however, they |
170 | * use different clock types (real vs monotonic). |
171 | * |
172 | * Suppose you have two rules: |
173 | * 1. match before 13:00 |
174 | * 2. match after 13:00 |
175 | * |
176 | * If you match against processing time (ktime_get_real_seconds) it |
177 | * may happen that the same packet matches both rules if |
178 | * it arrived at the right moment before 13:00, so it would be |
179 | * better to check skb->tstamp and set it via __net_timestamp() |
180 | * if needed. This however breaks outgoing packets tx timestamp, |
181 | * and causes them to get delayed forever by fq packet scheduler. |
182 | */ |
183 | stamp = ktime_get_real_seconds(); |
184 | |
185 | if (info->flags & XT_TIME_LOCAL_TZ) |
186 | /* Adjust for local timezone */ |
187 | stamp -= 60 * sys_tz.tz_minuteswest; |
188 | |
189 | /* |
190 | * xt_time will match when _all_ of the following hold: |
191 | * - 'now' is in the global time range date_start..date_end |
192 | * - 'now' is in the monthday mask |
193 | * - 'now' is in the weekday mask |
194 | * - 'now' is in the daytime range time_start..time_end |
195 | * (and by default, libxt_time will set these so as to match) |
196 | * |
197 | * note: info->date_start/stop are unsigned 32-bit values that |
198 | * can hold values beyond y2038, but not after y2106. |
199 | */ |
200 | |
201 | if (stamp < info->date_start || stamp > info->date_stop) |
202 | return false; |
203 | |
204 | packet_time = localtime_1(r: ¤t_time, time: stamp); |
205 | |
206 | if (info->daytime_start < info->daytime_stop) { |
207 | if (packet_time < info->daytime_start || |
208 | packet_time > info->daytime_stop) |
209 | return false; |
210 | } else { |
211 | if (packet_time < info->daytime_start && |
212 | packet_time > info->daytime_stop) |
213 | return false; |
214 | |
215 | /** if user asked to ignore 'next day', then e.g. |
216 | * '1 PM Wed, August 1st' should be treated |
217 | * like 'Tue 1 PM July 31st'. |
218 | * |
219 | * This also causes |
220 | * 'Monday, "23:00 to 01:00", to match for 2 hours, starting |
221 | * Monday 23:00 to Tuesday 01:00. |
222 | */ |
223 | if ((info->flags & XT_TIME_CONTIGUOUS) && |
224 | packet_time <= info->daytime_stop) |
225 | stamp -= SECONDS_PER_DAY; |
226 | } |
227 | |
228 | localtime_2(r: ¤t_time, time: stamp); |
229 | |
230 | if (!(info->weekdays_match & (1 << current_time.weekday))) |
231 | return false; |
232 | |
233 | /* Do not spend time computing monthday if all days match anyway */ |
234 | if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) { |
235 | localtime_3(r: ¤t_time, time: stamp); |
236 | if (!(info->monthdays_match & (1 << current_time.monthday))) |
237 | return false; |
238 | } |
239 | |
240 | return true; |
241 | } |
242 | |
243 | static int time_mt_check(const struct xt_mtchk_param *par) |
244 | { |
245 | const struct xt_time_info *info = par->matchinfo; |
246 | |
247 | if (info->daytime_start > XT_TIME_MAX_DAYTIME || |
248 | info->daytime_stop > XT_TIME_MAX_DAYTIME) { |
249 | pr_info_ratelimited("invalid argument - start or stop time greater than 23:59:59\n" ); |
250 | return -EDOM; |
251 | } |
252 | |
253 | if (info->flags & ~XT_TIME_ALL_FLAGS) { |
254 | pr_info_ratelimited("unknown flags 0x%x\n" , |
255 | info->flags & ~XT_TIME_ALL_FLAGS); |
256 | return -EINVAL; |
257 | } |
258 | |
259 | if ((info->flags & XT_TIME_CONTIGUOUS) && |
260 | info->daytime_start < info->daytime_stop) |
261 | return -EINVAL; |
262 | |
263 | return 0; |
264 | } |
265 | |
266 | static struct xt_match xt_time_mt_reg __read_mostly = { |
267 | .name = "time" , |
268 | .family = NFPROTO_UNSPEC, |
269 | .match = time_mt, |
270 | .checkentry = time_mt_check, |
271 | .matchsize = sizeof(struct xt_time_info), |
272 | .me = THIS_MODULE, |
273 | }; |
274 | |
275 | static int __init time_mt_init(void) |
276 | { |
277 | int minutes = sys_tz.tz_minuteswest; |
278 | |
279 | if (minutes < 0) /* east of Greenwich */ |
280 | pr_info("kernel timezone is +%02d%02d\n" , |
281 | -minutes / 60, -minutes % 60); |
282 | else /* west of Greenwich */ |
283 | pr_info("kernel timezone is -%02d%02d\n" , |
284 | minutes / 60, minutes % 60); |
285 | |
286 | return xt_register_match(target: &xt_time_mt_reg); |
287 | } |
288 | |
289 | static void __exit time_mt_exit(void) |
290 | { |
291 | xt_unregister_match(target: &xt_time_mt_reg); |
292 | } |
293 | |
294 | module_init(time_mt_init); |
295 | module_exit(time_mt_exit); |
296 | MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>" ); |
297 | MODULE_DESCRIPTION("Xtables: time-based matching" ); |
298 | MODULE_LICENSE("GPL" ); |
299 | MODULE_ALIAS("ipt_time" ); |
300 | MODULE_ALIAS("ip6t_time" ); |
301 | |