1 |
1275 |
phoenix |
/*
|
2 |
|
|
* IPv6 packet mangling table, a port of the IPv4 mangle table to IPv6
|
3 |
|
|
*
|
4 |
|
|
* Copyright (C) 2000-2001 by Harald Welte <laforge@gnumonks.org>
|
5 |
|
|
*/
|
6 |
|
|
#include <linux/module.h>
|
7 |
|
|
#include <linux/netfilter_ipv6/ip6_tables.h>
|
8 |
|
|
|
9 |
|
|
#define MANGLE_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | \
|
10 |
|
|
(1 << NF_IP6_LOCAL_IN) | \
|
11 |
|
|
(1 << NF_IP6_FORWARD) | \
|
12 |
|
|
(1 << NF_IP6_LOCAL_OUT) | \
|
13 |
|
|
(1 << NF_IP6_POST_ROUTING))
|
14 |
|
|
|
15 |
|
|
#if 0
|
16 |
|
|
#define DEBUGP(x, args...) printk(KERN_DEBUG x, ## args)
|
17 |
|
|
#else
|
18 |
|
|
#define DEBUGP(x, args...)
|
19 |
|
|
#endif
|
20 |
|
|
|
21 |
|
|
/* Standard entry. */
|
22 |
|
|
struct ip6t_standard
|
23 |
|
|
{
|
24 |
|
|
struct ip6t_entry entry;
|
25 |
|
|
struct ip6t_standard_target target;
|
26 |
|
|
};
|
27 |
|
|
|
28 |
|
|
struct ip6t_error_target
|
29 |
|
|
{
|
30 |
|
|
struct ip6t_entry_target target;
|
31 |
|
|
char errorname[IP6T_FUNCTION_MAXNAMELEN];
|
32 |
|
|
};
|
33 |
|
|
|
34 |
|
|
struct ip6t_error
|
35 |
|
|
{
|
36 |
|
|
struct ip6t_entry entry;
|
37 |
|
|
struct ip6t_error_target target;
|
38 |
|
|
};
|
39 |
|
|
|
40 |
|
|
static struct
|
41 |
|
|
{
|
42 |
|
|
struct ip6t_replace repl;
|
43 |
|
|
struct ip6t_standard entries[5];
|
44 |
|
|
struct ip6t_error term;
|
45 |
|
|
} initial_table __initdata
|
46 |
|
|
= { { "mangle", MANGLE_VALID_HOOKS, 6,
|
47 |
|
|
sizeof(struct ip6t_standard) * 5 + sizeof(struct ip6t_error),
|
48 |
|
|
{ [NF_IP6_PRE_ROUTING] 0,
|
49 |
|
|
[NF_IP6_LOCAL_IN] sizeof(struct ip6t_standard),
|
50 |
|
|
[NF_IP6_FORWARD] sizeof(struct ip6t_standard) * 2,
|
51 |
|
|
[NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) * 3,
|
52 |
|
|
[NF_IP6_POST_ROUTING] sizeof(struct ip6t_standard) * 4},
|
53 |
|
|
{ [NF_IP6_PRE_ROUTING] 0,
|
54 |
|
|
[NF_IP6_LOCAL_IN] sizeof(struct ip6t_standard),
|
55 |
|
|
[NF_IP6_FORWARD] sizeof(struct ip6t_standard) * 2,
|
56 |
|
|
[NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) * 3,
|
57 |
|
|
[NF_IP6_POST_ROUTING] sizeof(struct ip6t_standard) * 4},
|
58 |
|
|
0, NULL, { } },
|
59 |
|
|
{
|
60 |
|
|
/* PRE_ROUTING */
|
61 |
|
|
{ { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
|
62 |
|
|
0,
|
63 |
|
|
sizeof(struct ip6t_entry),
|
64 |
|
|
sizeof(struct ip6t_standard),
|
65 |
|
|
0, { 0, 0 }, { } },
|
66 |
|
|
{ { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
|
67 |
|
|
-NF_ACCEPT - 1 } },
|
68 |
|
|
/* LOCAL_IN */
|
69 |
|
|
{ { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
|
70 |
|
|
0,
|
71 |
|
|
sizeof(struct ip6t_entry),
|
72 |
|
|
sizeof(struct ip6t_standard),
|
73 |
|
|
0, { 0, 0 }, { } },
|
74 |
|
|
{ { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
|
75 |
|
|
-NF_ACCEPT - 1 } },
|
76 |
|
|
/* FORWARD */
|
77 |
|
|
{ { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
|
78 |
|
|
0,
|
79 |
|
|
sizeof(struct ip6t_entry),
|
80 |
|
|
sizeof(struct ip6t_standard),
|
81 |
|
|
0, { 0, 0 }, { } },
|
82 |
|
|
{ { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
|
83 |
|
|
-NF_ACCEPT - 1 } },
|
84 |
|
|
/* LOCAL_OUT */
|
85 |
|
|
{ { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
|
86 |
|
|
0,
|
87 |
|
|
sizeof(struct ip6t_entry),
|
88 |
|
|
sizeof(struct ip6t_standard),
|
89 |
|
|
0, { 0, 0 }, { } },
|
90 |
|
|
{ { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
|
91 |
|
|
-NF_ACCEPT - 1 } },
|
92 |
|
|
/* POST_ROUTING */
|
93 |
|
|
{ { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
|
94 |
|
|
0,
|
95 |
|
|
sizeof(struct ip6t_entry),
|
96 |
|
|
sizeof(struct ip6t_standard),
|
97 |
|
|
0, { 0, 0 }, { } },
|
98 |
|
|
{ { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
|
99 |
|
|
-NF_ACCEPT - 1 } }
|
100 |
|
|
},
|
101 |
|
|
/* ERROR */
|
102 |
|
|
{ { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
|
103 |
|
|
0,
|
104 |
|
|
sizeof(struct ip6t_entry),
|
105 |
|
|
sizeof(struct ip6t_error),
|
106 |
|
|
0, { 0, 0 }, { } },
|
107 |
|
|
{ { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
|
108 |
|
|
{ } },
|
109 |
|
|
"ERROR"
|
110 |
|
|
}
|
111 |
|
|
}
|
112 |
|
|
};
|
113 |
|
|
|
114 |
|
|
static struct ip6t_table packet_mangler
|
115 |
|
|
= { { NULL, NULL }, "mangle", &initial_table.repl,
|
116 |
|
|
MANGLE_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL, THIS_MODULE };
|
117 |
|
|
|
118 |
|
|
/* The work comes in here from netfilter.c. */
|
119 |
|
|
static unsigned int
|
120 |
|
|
ip6t_route_hook(unsigned int hook,
|
121 |
|
|
struct sk_buff **pskb,
|
122 |
|
|
const struct net_device *in,
|
123 |
|
|
const struct net_device *out,
|
124 |
|
|
int (*okfn)(struct sk_buff *))
|
125 |
|
|
{
|
126 |
|
|
return ip6t_do_table(pskb, hook, in, out, &packet_mangler, NULL);
|
127 |
|
|
}
|
128 |
|
|
|
129 |
|
|
static unsigned int
|
130 |
|
|
ip6t_local_hook(unsigned int hook,
|
131 |
|
|
struct sk_buff **pskb,
|
132 |
|
|
const struct net_device *in,
|
133 |
|
|
const struct net_device *out,
|
134 |
|
|
int (*okfn)(struct sk_buff *))
|
135 |
|
|
{
|
136 |
|
|
|
137 |
|
|
unsigned long nfmark;
|
138 |
|
|
unsigned int ret;
|
139 |
|
|
struct in6_addr saddr, daddr;
|
140 |
|
|
u_int8_t hop_limit;
|
141 |
|
|
u_int32_t flowlabel;
|
142 |
|
|
|
143 |
|
|
#if 0
|
144 |
|
|
/* root is playing with raw sockets. */
|
145 |
|
|
if ((*pskb)->len < sizeof(struct iphdr)
|
146 |
|
|
|| (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) {
|
147 |
|
|
if (net_ratelimit())
|
148 |
|
|
printk("ip6t_hook: happy cracking.\n");
|
149 |
|
|
return NF_ACCEPT;
|
150 |
|
|
}
|
151 |
|
|
#endif
|
152 |
|
|
|
153 |
|
|
/* save source/dest address, nfmark, hoplimit, flowlabel, priority, */
|
154 |
|
|
memcpy(&saddr, &(*pskb)->nh.ipv6h->saddr, sizeof(saddr));
|
155 |
|
|
memcpy(&daddr, &(*pskb)->nh.ipv6h->daddr, sizeof(daddr));
|
156 |
|
|
nfmark = (*pskb)->nfmark;
|
157 |
|
|
hop_limit = (*pskb)->nh.ipv6h->hop_limit;
|
158 |
|
|
|
159 |
|
|
/* flowlabel and prio (includes version, which shouldn't change either */
|
160 |
|
|
flowlabel = *((u_int32_t *) (*pskb)->nh.ipv6h);
|
161 |
|
|
|
162 |
|
|
ret = ip6t_do_table(pskb, hook, in, out, &packet_mangler, NULL);
|
163 |
|
|
|
164 |
|
|
if (ret != NF_DROP && ret != NF_STOLEN
|
165 |
|
|
&& (memcmp(&(*pskb)->nh.ipv6h->saddr, &saddr, sizeof(saddr))
|
166 |
|
|
|| memcmp(&(*pskb)->nh.ipv6h->daddr, &daddr, sizeof(daddr))
|
167 |
|
|
|| (*pskb)->nfmark != nfmark
|
168 |
|
|
|| (*pskb)->nh.ipv6h->hop_limit != hop_limit)) {
|
169 |
|
|
|
170 |
|
|
/* something which could affect routing has changed */
|
171 |
|
|
|
172 |
|
|
DEBUGP("ip6table_mangle: we'd need to re-route a packet\n");
|
173 |
|
|
}
|
174 |
|
|
|
175 |
|
|
return ret;
|
176 |
|
|
}
|
177 |
|
|
|
178 |
|
|
static struct nf_hook_ops ip6t_ops[]
|
179 |
|
|
= { { { NULL, NULL }, ip6t_route_hook, PF_INET6, NF_IP6_PRE_ROUTING, NF_IP6_PRI_MANGLE },
|
180 |
|
|
{ { NULL, NULL }, ip6t_local_hook, PF_INET6, NF_IP6_LOCAL_IN, NF_IP6_PRI_MANGLE },
|
181 |
|
|
{ { NULL, NULL }, ip6t_route_hook, PF_INET6, NF_IP6_FORWARD, NF_IP6_PRI_MANGLE },
|
182 |
|
|
{ { NULL, NULL }, ip6t_local_hook, PF_INET6, NF_IP6_LOCAL_OUT, NF_IP6_PRI_MANGLE },
|
183 |
|
|
{ { NULL, NULL }, ip6t_route_hook, PF_INET6, NF_IP6_POST_ROUTING, NF_IP6_PRI_MANGLE }
|
184 |
|
|
};
|
185 |
|
|
|
186 |
|
|
static int __init init(void)
|
187 |
|
|
{
|
188 |
|
|
int ret;
|
189 |
|
|
|
190 |
|
|
/* Register table */
|
191 |
|
|
ret = ip6t_register_table(&packet_mangler);
|
192 |
|
|
if (ret < 0)
|
193 |
|
|
return ret;
|
194 |
|
|
|
195 |
|
|
/* Register hooks */
|
196 |
|
|
ret = nf_register_hook(&ip6t_ops[0]);
|
197 |
|
|
if (ret < 0)
|
198 |
|
|
goto cleanup_table;
|
199 |
|
|
|
200 |
|
|
ret = nf_register_hook(&ip6t_ops[1]);
|
201 |
|
|
if (ret < 0)
|
202 |
|
|
goto cleanup_hook0;
|
203 |
|
|
|
204 |
|
|
ret = nf_register_hook(&ip6t_ops[2]);
|
205 |
|
|
if (ret < 0)
|
206 |
|
|
goto cleanup_hook1;
|
207 |
|
|
|
208 |
|
|
ret = nf_register_hook(&ip6t_ops[3]);
|
209 |
|
|
if (ret < 0)
|
210 |
|
|
goto cleanup_hook2;
|
211 |
|
|
|
212 |
|
|
ret = nf_register_hook(&ip6t_ops[4]);
|
213 |
|
|
if (ret < 0)
|
214 |
|
|
goto cleanup_hook3;
|
215 |
|
|
|
216 |
|
|
return ret;
|
217 |
|
|
|
218 |
|
|
cleanup_hook3:
|
219 |
|
|
nf_unregister_hook(&ip6t_ops[3]);
|
220 |
|
|
cleanup_hook2:
|
221 |
|
|
nf_unregister_hook(&ip6t_ops[2]);
|
222 |
|
|
cleanup_hook1:
|
223 |
|
|
nf_unregister_hook(&ip6t_ops[1]);
|
224 |
|
|
cleanup_hook0:
|
225 |
|
|
nf_unregister_hook(&ip6t_ops[0]);
|
226 |
|
|
cleanup_table:
|
227 |
|
|
ip6t_unregister_table(&packet_mangler);
|
228 |
|
|
|
229 |
|
|
return ret;
|
230 |
|
|
}
|
231 |
|
|
|
232 |
|
|
static void __exit fini(void)
|
233 |
|
|
{
|
234 |
|
|
unsigned int i;
|
235 |
|
|
|
236 |
|
|
for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
|
237 |
|
|
nf_unregister_hook(&ip6t_ops[i]);
|
238 |
|
|
|
239 |
|
|
ip6t_unregister_table(&packet_mangler);
|
240 |
|
|
}
|
241 |
|
|
|
242 |
|
|
module_init(init);
|
243 |
|
|
module_exit(fini);
|
244 |
|
|
MODULE_LICENSE("GPL");
|