URL https://opencores.org/ocsvn/or1k_soc_on_altera_embedded_dev_kit/or1k_soc_on_altera_embedded_dev_kit/trunk

Subversion Repositories or1k_soc_on_altera_embedded_dev_kit

[/] [or1k_soc_on_altera_embedded_dev_kit/] [trunk/] [linux-2.6/] [linux-2.6.24/] [net/] [ipv6/] [netfilter/] [ip6table_mangle.c] - Blame information for rev 17

Go to most recent revision | Details | Compare with Previous | View Log


/*
 * IPv6 packet mangling table, a port of the IPv4 mangle table to IPv6
 *
 * Copyright (C) 2000-2001 by Harald Welte <laforge@gnumonks.org>
 * Copyright (C) 2000-2004 Netfilter Core Team <coreteam@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
#include <linux/module.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
 
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("ip6tables mangle table");
 
#define MANGLE_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | \
                            (1 << NF_IP6_LOCAL_IN) | \
                            (1 << NF_IP6_FORWARD) | \
                            (1 << NF_IP6_LOCAL_OUT) | \
                            (1 << NF_IP6_POST_ROUTING))
 
static struct
{
        struct ip6t_replace repl;
        struct ip6t_standard entries[5];
        struct ip6t_error term;
} initial_table __initdata = {
        .repl = {
                .name = "mangle",
                .valid_hooks = MANGLE_VALID_HOOKS,
                .num_entries = 6,
                .size = sizeof(struct ip6t_standard) * 5 + sizeof(struct ip6t_error),
                .hook_entry = {
                        [NF_IP6_PRE_ROUTING]    = 0,
                        [NF_IP6_LOCAL_IN]       = sizeof(struct ip6t_standard),
                        [NF_IP6_FORWARD]        = sizeof(struct ip6t_standard) * 2,
                        [NF_IP6_LOCAL_OUT]      = sizeof(struct ip6t_standard) * 3,
                        [NF_IP6_POST_ROUTING]   = sizeof(struct ip6t_standard) * 4,
                },
                .underflow = {
                        [NF_IP6_PRE_ROUTING]    = 0,
                        [NF_IP6_LOCAL_IN]       = sizeof(struct ip6t_standard),
                        [NF_IP6_FORWARD]        = sizeof(struct ip6t_standard) * 2,
                        [NF_IP6_LOCAL_OUT]      = sizeof(struct ip6t_standard) * 3,
                        [NF_IP6_POST_ROUTING]   = sizeof(struct ip6t_standard) * 4,
                },
        },
        .entries = {
                IP6T_STANDARD_INIT(NF_ACCEPT),  /* PRE_ROUTING */
                IP6T_STANDARD_INIT(NF_ACCEPT),  /* LOCAL_IN */
                IP6T_STANDARD_INIT(NF_ACCEPT),  /* FORWARD */
                IP6T_STANDARD_INIT(NF_ACCEPT),  /* LOCAL_OUT */
                IP6T_STANDARD_INIT(NF_ACCEPT),  /* POST_ROUTING */
        },
        .term = IP6T_ERROR_INIT,                /* ERROR */
};
 
static struct xt_table packet_mangler = {
        .name           = "mangle",
        .valid_hooks    = MANGLE_VALID_HOOKS,
        .lock           = RW_LOCK_UNLOCKED,
        .me             = THIS_MODULE,
        .af             = AF_INET6,
};
 
/* The work comes in here from netfilter.c. */
static unsigned int
ip6t_route_hook(unsigned int hook,
         struct sk_buff *skb,
         const struct net_device *in,
         const struct net_device *out,
         int (*okfn)(struct sk_buff *))
{
        return ip6t_do_table(skb, hook, in, out, &packet_mangler);
}
 
static unsigned int
ip6t_local_hook(unsigned int hook,
                   struct sk_buff *skb,
                   const struct net_device *in,
                   const struct net_device *out,
                   int (*okfn)(struct sk_buff *))
{
 
        unsigned int ret;
        struct in6_addr saddr, daddr;
        u_int8_t hop_limit;
        u_int32_t flowlabel, mark;
 
#if 0
        /* root is playing with raw sockets. */
        if (skb->len < sizeof(struct iphdr)
            || ip_hdrlen(skb) < sizeof(struct iphdr)) {
                if (net_ratelimit())
                        printk("ip6t_hook: happy cracking.\n");
                return NF_ACCEPT;
        }
#endif
 
        /* save source/dest address, mark, hoplimit, flowlabel, priority,  */
        memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));
        memcpy(&daddr, &ipv6_hdr(skb)->daddr, sizeof(daddr));
        mark = skb->mark;
        hop_limit = ipv6_hdr(skb)->hop_limit;
 
        /* flowlabel and prio (includes version, which shouldn't change either */
        flowlabel = *((u_int32_t *)ipv6_hdr(skb));
 
        ret = ip6t_do_table(skb, hook, in, out, &packet_mangler);
 
        if (ret != NF_DROP && ret != NF_STOLEN
                && (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
                    || memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr))
                    || skb->mark != mark
                    || ipv6_hdr(skb)->hop_limit != hop_limit))
                return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;
 
        return ret;
}
 
static struct nf_hook_ops ip6t_ops[] = {
        {
                .hook           = ip6t_route_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_IP6_PRE_ROUTING,
                .priority       = NF_IP6_PRI_MANGLE,
        },
        {
                .hook           = ip6t_local_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_IP6_LOCAL_IN,
                .priority       = NF_IP6_PRI_MANGLE,
        },
        {
                .hook           = ip6t_route_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_IP6_FORWARD,
                .priority       = NF_IP6_PRI_MANGLE,
        },
        {
                .hook           = ip6t_local_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_IP6_LOCAL_OUT,
                .priority       = NF_IP6_PRI_MANGLE,
        },
        {
                .hook           = ip6t_route_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_IP6_POST_ROUTING,
                .priority       = NF_IP6_PRI_MANGLE,
        },
};
 
static int __init ip6table_mangle_init(void)
{
        int ret;
 
        /* Register table */
        ret = ip6t_register_table(&packet_mangler, &initial_table.repl);
        if (ret < 0)
                return ret;
 
        /* Register hooks */
        ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
        if (ret < 0)
                goto cleanup_table;
 
        return ret;
 
 cleanup_table:
        ip6t_unregister_table(&packet_mangler);
        return ret;
}
 
static void __exit ip6table_mangle_fini(void)
{
        nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
        ip6t_unregister_table(&packet_mangler);
}
 
module_init(ip6table_mangle_init);
module_exit(ip6table_mangle_fini);

Line No.	Rev	Author	Line
1	3	xianfeng	`/*`
2			`* IPv6 packet mangling table, a port of the IPv4 mangle table to IPv6`
3			`*`
4			`* Copyright (C) 2000-2001 by Harald Welte <laforge@gnumonks.org>`
5			`* Copyright (C) 2000-2004 Netfilter Core Team <coreteam@netfilter.org>`
6			`*`
7			`* This program is free software; you can redistribute it and/or modify`
8			`* it under the terms of the GNU General Public License version 2 as`
9			`* published by the Free Software Foundation.`
10			`*/`
11			`#include <linux/module.h>`
12			`#include <linux/netfilter_ipv6/ip6_tables.h>`
13
14			`MODULE_LICENSE("GPL");`
15			`MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");`
16			`MODULE_DESCRIPTION("ip6tables mangle table");`
17
18			`#define MANGLE_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) \| \`
19			`(1 << NF_IP6_LOCAL_IN) \| \`
20			`(1 << NF_IP6_FORWARD) \| \`
21			`(1 << NF_IP6_LOCAL_OUT) \| \`
22			`(1 << NF_IP6_POST_ROUTING))`
23
24			`static struct`
25			`{`
26			`struct ip6t_replace repl;`
27			`struct ip6t_standard entries[5];`
28			`struct ip6t_error term;`
29			`} initial_table __initdata = {`
30			`.repl = {`
31			`.name = "mangle",`
32			`.valid_hooks = MANGLE_VALID_HOOKS,`
33			`.num_entries = 6,`
34			`.size = sizeof(struct ip6t_standard) * 5 + sizeof(struct ip6t_error),`
35			`.hook_entry = {`
36			`[NF_IP6_PRE_ROUTING] = 0,`
37			`[NF_IP6_LOCAL_IN] = sizeof(struct ip6t_standard),`
38			`[NF_IP6_FORWARD] = sizeof(struct ip6t_standard) * 2,`
39			`[NF_IP6_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,`
40			`[NF_IP6_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,`
41			`},`
42			`.underflow = {`
43			`[NF_IP6_PRE_ROUTING] = 0,`
44			`[NF_IP6_LOCAL_IN] = sizeof(struct ip6t_standard),`
45			`[NF_IP6_FORWARD] = sizeof(struct ip6t_standard) * 2,`
46			`[NF_IP6_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,`
47			`[NF_IP6_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,`
48			`},`
49			`},`
50			`.entries = {`
51			`IP6T_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */`
52			`IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */`
53			`IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */`
54			`IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */`
55			`IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */`
56			`},`
57			`.term = IP6T_ERROR_INIT, /* ERROR */`
58			`};`
59
60			`static struct xt_table packet_mangler = {`
61			`.name = "mangle",`
62			`.valid_hooks = MANGLE_VALID_HOOKS,`
63			`.lock = RW_LOCK_UNLOCKED,`
64			`.me = THIS_MODULE,`
65			`.af = AF_INET6,`
66			`};`
67
68			`/* The work comes in here from netfilter.c. */`
69			`static unsigned int`
70			`ip6t_route_hook(unsigned int hook,`
71			`struct sk_buff *skb,`
72			`const struct net_device *in,`
73			`const struct net_device *out,`
74			`int (okfn)(struct sk_buff ))`
75			`{`
76			`return ip6t_do_table(skb, hook, in, out, &packet_mangler);`
77			`}`
78
79			`static unsigned int`
80			`ip6t_local_hook(unsigned int hook,`
81			`struct sk_buff *skb,`
82			`const struct net_device *in,`
83			`const struct net_device *out,`
84			`int (okfn)(struct sk_buff ))`
85			`{`
86
87			`unsigned int ret;`
88			`struct in6_addr saddr, daddr;`
89			`u_int8_t hop_limit;`
90			`u_int32_t flowlabel, mark;`
91
92			`#if 0`
93			`/* root is playing with raw sockets. */`
94			`if (skb->len < sizeof(struct iphdr)`
95			`\|\| ip_hdrlen(skb) < sizeof(struct iphdr)) {`
96			`if (net_ratelimit())`
97			`printk("ip6t_hook: happy cracking.\n");`
98			`return NF_ACCEPT;`
99			`}`
100			`#endif`
101
102			`/* save source/dest address, mark, hoplimit, flowlabel, priority, */`
103			`memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));`
104			`memcpy(&daddr, &ipv6_hdr(skb)->daddr, sizeof(daddr));`
105			`mark = skb->mark;`
106			`hop_limit = ipv6_hdr(skb)->hop_limit;`
107
108			`/* flowlabel and prio (includes version, which shouldn't change either */`
109			`flowlabel = ((u_int32_t )ipv6_hdr(skb));`
110
111			`ret = ip6t_do_table(skb, hook, in, out, &packet_mangler);`
112
113			`if (ret != NF_DROP && ret != NF_STOLEN`
114			`&& (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))`
115			`\|\| memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr))`
116			`\|\| skb->mark != mark`
117			`\|\| ipv6_hdr(skb)->hop_limit != hop_limit))`
118			`return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;`
119
120			`return ret;`
121			`}`
122
123			`static struct nf_hook_ops ip6t_ops[] = {`
124			`{`
125			`.hook = ip6t_route_hook,`
126			`.owner = THIS_MODULE,`
127			`.pf = PF_INET6,`
128			`.hooknum = NF_IP6_PRE_ROUTING,`
129			`.priority = NF_IP6_PRI_MANGLE,`
130			`},`
131			`{`
132			`.hook = ip6t_local_hook,`
133			`.owner = THIS_MODULE,`
134			`.pf = PF_INET6,`
135			`.hooknum = NF_IP6_LOCAL_IN,`
136			`.priority = NF_IP6_PRI_MANGLE,`
137			`},`
138			`{`
139			`.hook = ip6t_route_hook,`
140			`.owner = THIS_MODULE,`
141			`.pf = PF_INET6,`
142			`.hooknum = NF_IP6_FORWARD,`
143			`.priority = NF_IP6_PRI_MANGLE,`
144			`},`
145			`{`
146			`.hook = ip6t_local_hook,`
147			`.owner = THIS_MODULE,`
148			`.pf = PF_INET6,`
149			`.hooknum = NF_IP6_LOCAL_OUT,`
150			`.priority = NF_IP6_PRI_MANGLE,`
151			`},`
152			`{`
153			`.hook = ip6t_route_hook,`
154			`.owner = THIS_MODULE,`
155			`.pf = PF_INET6,`
156			`.hooknum = NF_IP6_POST_ROUTING,`
157			`.priority = NF_IP6_PRI_MANGLE,`
158			`},`
159			`};`
160
161			`static int __init ip6table_mangle_init(void)`
162			`{`
163			`int ret;`
164
165			`/* Register table */`
166			`ret = ip6t_register_table(&packet_mangler, &initial_table.repl);`
167			`if (ret < 0)`
168			`return ret;`
169
170			`/* Register hooks */`
171			`ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));`
172			`if (ret < 0)`
173			`goto cleanup_table;`
174
175			`return ret;`
176
177			`cleanup_table:`
178			`ip6t_unregister_table(&packet_mangler);`
179			`return ret;`
180			`}`
181
182			`static void __exit ip6table_mangle_fini(void)`
183			`{`
184			`nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));`
185			`ip6t_unregister_table(&packet_mangler);`
186			`}`
187
188			`module_init(ip6table_mangle_init);`
189			`module_exit(ip6table_mangle_fini);`

Browse

Tools

Subversion Repositories or1k_soc_on_altera_embedded_dev_kit

[/] [or1k_soc_on_altera_embedded_dev_kit/] [trunk/] [linux-2.6/] [linux-2.6.24/] [net/] [ipv6/] [netfilter/] [ip6table_mangle.c] - Blame information for rev 17