Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ip6t_REJECT.c
Go to the documentation of this file.
1 /*
2  * IP6 tables REJECT target module
3  * Linux INET6 implementation
4  *
5  * Copyright (C)2003 USAGI/WIDE Project
6  *
7  * Authors:
8  * Yasuyuki Kozakai <[email protected]>
9  *
10  * Based on net/ipv4/netfilter/ipt_REJECT.c
11  *
12  * This program is free software; you can redistribute it and/or
13  * modify it under the terms of the GNU General Public License
14  * as published by the Free Software Foundation; either version
15  * 2 of the License, or (at your option) any later version.
16  */
17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18 
19 #include <linux/gfp.h>
20 #include <linux/module.h>
21 #include <linux/skbuff.h>
22 #include <linux/icmpv6.h>
23 #include <linux/netdevice.h>
24 #include <net/ipv6.h>
25 #include <net/tcp.h>
26 #include <net/icmp.h>
27 #include <net/ip6_checksum.h>
28 #include <net/ip6_fib.h>
29 #include <net/ip6_route.h>
30 #include <net/flow.h>
31 #include <linux/netfilter/x_tables.h>
32 #include <linux/netfilter_ipv6/ip6_tables.h>
34 
35 MODULE_AUTHOR("Yasuyuki KOZAKAI <[email protected]>");
36 MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6");
37 MODULE_LICENSE("GPL");
38 
39 /* Send RST reply */
40 static void send_reset(struct net *net, struct sk_buff *oldskb)
41 {
42  struct sk_buff *nskb;
43  struct tcphdr otcph, *tcph;
44  unsigned int otcplen, hh_len;
45  int tcphoff, needs_ack;
46  const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
47  struct ipv6hdr *ip6h;
48 #define DEFAULT_TOS_VALUE 0x0U
49  const __u8 tclass = DEFAULT_TOS_VALUE;
50  struct dst_entry *dst = NULL;
51  u8 proto;
52  __be16 frag_off;
53  struct flowi6 fl6;
54 
55  if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
56  (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) {
57  pr_debug("addr is not unicast.\n");
58  return;
59  }
60 
61  proto = oip6h->nexthdr;
62  tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto, &frag_off);
63 
64  if ((tcphoff < 0) || (tcphoff > oldskb->len)) {
65  pr_debug("Cannot get TCP header.\n");
66  return;
67  }
68 
69  otcplen = oldskb->len - tcphoff;
70 
71  /* IP header checks: fragment, too short. */
72  if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) {
73  pr_debug("proto(%d) != IPPROTO_TCP, "
74  "or too short. otcplen = %d\n",
75  proto, otcplen);
76  return;
77  }
78 
79  if (skb_copy_bits(oldskb, tcphoff, &otcph, sizeof(struct tcphdr)))
80  BUG();
81 
82  /* No RST for RST. */
83  if (otcph.rst) {
84  pr_debug("RST is set\n");
85  return;
86  }
87 
88  /* Check checksum. */
89  if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
90  skb_checksum(oldskb, tcphoff, otcplen, 0))) {
91  pr_debug("TCP checksum is invalid\n");
92  return;
93  }
94 
95  memset(&fl6, 0, sizeof(fl6));
96  fl6.flowi6_proto = IPPROTO_TCP;
97  fl6.saddr = oip6h->daddr;
98  fl6.daddr = oip6h->saddr;
99  fl6.fl6_sport = otcph.dest;
100  fl6.fl6_dport = otcph.source;
101  security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6));
102  dst = ip6_route_output(net, NULL, &fl6);
103  if (dst == NULL || dst->error) {
104  dst_release(dst);
105  return;
106  }
107  dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
108  if (IS_ERR(dst))
109  return;
110 
111  hh_len = (dst->dev->hard_header_len + 15)&~15;
112  nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr)
113  + sizeof(struct tcphdr) + dst->trailer_len,
114  GFP_ATOMIC);
115 
116  if (!nskb) {
117  net_dbg_ratelimited("cannot alloc skb\n");
118  dst_release(dst);
119  return;
120  }
121 
122  skb_dst_set(nskb, dst);
123 
124  skb_reserve(nskb, hh_len + dst->header_len);
125 
126  skb_put(nskb, sizeof(struct ipv6hdr));
127  skb_reset_network_header(nskb);
128  ip6h = ipv6_hdr(nskb);
129  *(__be32 *)ip6h = htonl(0x60000000 | (tclass << 20));
130  ip6h->hop_limit = ip6_dst_hoplimit(dst);
131  ip6h->nexthdr = IPPROTO_TCP;
132  ip6h->saddr = oip6h->daddr;
133  ip6h->daddr = oip6h->saddr;
134 
135  tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
136  /* Truncate to length (no data) */
137  tcph->doff = sizeof(struct tcphdr)/4;
138  tcph->source = otcph.dest;
139  tcph->dest = otcph.source;
140 
141  if (otcph.ack) {
142  needs_ack = 0;
143  tcph->seq = otcph.ack_seq;
144  tcph->ack_seq = 0;
145  } else {
146  needs_ack = 1;
147  tcph->ack_seq = htonl(ntohl(otcph.seq) + otcph.syn + otcph.fin
148  + otcplen - (otcph.doff<<2));
149  tcph->seq = 0;
150  }
151 
152  /* Reset flags */
153  ((u_int8_t *)tcph)[13] = 0;
154  tcph->rst = 1;
155  tcph->ack = needs_ack;
156  tcph->window = 0;
157  tcph->urg_ptr = 0;
158  tcph->check = 0;
159 
160  /* Adjust TCP checksum */
161  tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,
162  &ipv6_hdr(nskb)->daddr,
163  sizeof(struct tcphdr), IPPROTO_TCP,
164  csum_partial(tcph,
165  sizeof(struct tcphdr), 0));
166 
167  nf_ct_attach(nskb, oldskb);
168 
169  ip6_local_out(nskb);
170 }
171 
172 static inline void
173 send_unreach(struct net *net, struct sk_buff *skb_in, unsigned char code,
174  unsigned int hooknum)
175 {
176  if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL)
177  skb_in->dev = net->loopback_dev;
178 
179  icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0);
180 }
181 
182 static unsigned int
183 reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
184 {
185  const struct ip6t_reject_info *reject = par->targinfo;
186  struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
187 
188  pr_debug("%s: medium point\n", __func__);
189  switch (reject->with) {
190  case IP6T_ICMP6_NO_ROUTE:
191  send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum);
192  break;
194  send_unreach(net, skb, ICMPV6_ADM_PROHIBITED, par->hooknum);
195  break;
197  send_unreach(net, skb, ICMPV6_NOT_NEIGHBOUR, par->hooknum);
198  break;
200  send_unreach(net, skb, ICMPV6_ADDR_UNREACH, par->hooknum);
201  break;
203  send_unreach(net, skb, ICMPV6_PORT_UNREACH, par->hooknum);
204  break;
206  /* Do nothing */
207  break;
208  case IP6T_TCP_RESET:
209  send_reset(net, skb);
210  break;
211  default:
212  net_info_ratelimited("case %u not handled yet\n", reject->with);
213  break;
214  }
215 
216  return NF_DROP;
217 }
218 
219 static int reject_tg6_check(const struct xt_tgchk_param *par)
220 {
221  const struct ip6t_reject_info *rejinfo = par->targinfo;
222  const struct ip6t_entry *e = par->entryinfo;
223 
224  if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
225  pr_info("ECHOREPLY is not supported.\n");
226  return -EINVAL;
227  } else if (rejinfo->with == IP6T_TCP_RESET) {
228  /* Must specify that it's a TCP packet */
229  if (e->ipv6.proto != IPPROTO_TCP ||
230  (e->ipv6.invflags & XT_INV_PROTO)) {
231  pr_info("TCP_RESET illegal for non-tcp\n");
232  return -EINVAL;
233  }
234  }
235  return 0;
236 }
237 
238 static struct xt_target reject_tg6_reg __read_mostly = {
239  .name = "REJECT",
240  .family = NFPROTO_IPV6,
241  .target = reject_tg6,
242  .targetsize = sizeof(struct ip6t_reject_info),
243  .table = "filter",
244  .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
245  (1 << NF_INET_LOCAL_OUT),
246  .checkentry = reject_tg6_check,
247  .me = THIS_MODULE
248 };
249 
250 static int __init reject_tg6_init(void)
251 {
252  return xt_register_target(&reject_tg6_reg);
253 }
254 
255 static void __exit reject_tg6_exit(void)
256 {
257  xt_unregister_target(&reject_tg6_reg);
258 }
259 
260 module_init(reject_tg6_init);
261 module_exit(reject_tg6_exit);