Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ip6table_mangle.c
Go to the documentation of this file.
1 /*
2  * IPv6 packet mangling table, a port of the IPv4 mangle table to IPv6
3  *
4  * Copyright (C) 2000-2001 by Harald Welte <[email protected]>
5  * Copyright (C) 2000-2004 Netfilter Core Team <[email protected]>
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10  */
11 #include <linux/module.h>
12 #include <linux/netfilter_ipv6/ip6_tables.h>
13 #include <linux/slab.h>
14 
15 MODULE_LICENSE("GPL");
16 MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
17 MODULE_DESCRIPTION("ip6tables mangle table");
18 
19 #define MANGLE_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
20  (1 << NF_INET_LOCAL_IN) | \
21  (1 << NF_INET_FORWARD) | \
22  (1 << NF_INET_LOCAL_OUT) | \
23  (1 << NF_INET_POST_ROUTING))
24 
25 static const struct xt_table packet_mangler = {
26  .name = "mangle",
27  .valid_hooks = MANGLE_VALID_HOOKS,
28  .me = THIS_MODULE,
29  .af = NFPROTO_IPV6,
30  .priority = NF_IP6_PRI_MANGLE,
31 };
32 
33 static unsigned int
34 ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
35 {
36  unsigned int ret;
37  struct in6_addr saddr, daddr;
40 
41 #if 0
42  /* root is playing with raw sockets. */
43  if (skb->len < sizeof(struct iphdr) ||
44  ip_hdrlen(skb) < sizeof(struct iphdr)) {
45  net_warn_ratelimited("ip6t_hook: happy cracking\n");
46  return NF_ACCEPT;
47  }
48 #endif
49 
50  /* save source/dest address, mark, hoplimit, flowlabel, priority, */
51  memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));
52  memcpy(&daddr, &ipv6_hdr(skb)->daddr, sizeof(daddr));
53  mark = skb->mark;
54  hop_limit = ipv6_hdr(skb)->hop_limit;
55 
56  /* flowlabel and prio (includes version, which shouldn't change either */
57  flowlabel = *((u_int32_t *)ipv6_hdr(skb));
58 
59  ret = ip6t_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
60  dev_net(out)->ipv6.ip6table_mangle);
61 
62  if (ret != NF_DROP && ret != NF_STOLEN &&
63  (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
64  memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
65  skb->mark != mark ||
66  ipv6_hdr(skb)->hop_limit != hop_limit ||
67  flowlabel != *((u_int32_t *)ipv6_hdr(skb))))
68  return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;
69 
70  return ret;
71 }
72 
73 /* The work comes in here from netfilter.c. */
74 static unsigned int
75 ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb,
76  const struct net_device *in, const struct net_device *out,
77  int (*okfn)(struct sk_buff *))
78 {
79  if (hook == NF_INET_LOCAL_OUT)
80  return ip6t_mangle_out(skb, out);
81  if (hook == NF_INET_POST_ROUTING)
82  return ip6t_do_table(skb, hook, in, out,
83  dev_net(out)->ipv6.ip6table_mangle);
84  /* INPUT/FORWARD */
85  return ip6t_do_table(skb, hook, in, out,
86  dev_net(in)->ipv6.ip6table_mangle);
87 }
88 
89 static struct nf_hook_ops *mangle_ops __read_mostly;
90 static int __net_init ip6table_mangle_net_init(struct net *net)
91 {
92  struct ip6t_replace *repl;
93 
94  repl = ip6t_alloc_initial_table(&packet_mangler);
95  if (repl == NULL)
96  return -ENOMEM;
97  net->ipv6.ip6table_mangle =
98  ip6t_register_table(net, &packet_mangler, repl);
99  kfree(repl);
100  return PTR_RET(net->ipv6.ip6table_mangle);
101 }
102 
103 static void __net_exit ip6table_mangle_net_exit(struct net *net)
104 {
105  ip6t_unregister_table(net, net->ipv6.ip6table_mangle);
106 }
107 
108 static struct pernet_operations ip6table_mangle_net_ops = {
109  .init = ip6table_mangle_net_init,
110  .exit = ip6table_mangle_net_exit,
111 };
112 
113 static int __init ip6table_mangle_init(void)
114 {
115  int ret;
116 
117  ret = register_pernet_subsys(&ip6table_mangle_net_ops);
118  if (ret < 0)
119  return ret;
120 
121  /* Register hooks */
122  mangle_ops = xt_hook_link(&packet_mangler, ip6table_mangle_hook);
123  if (IS_ERR(mangle_ops)) {
124  ret = PTR_ERR(mangle_ops);
125  goto cleanup_table;
126  }
127 
128  return ret;
129 
130  cleanup_table:
131  unregister_pernet_subsys(&ip6table_mangle_net_ops);
132  return ret;
133 }
134 
135 static void __exit ip6table_mangle_fini(void)
136 {
137  xt_hook_unlink(&packet_mangler, mangle_ops);
138  unregister_pernet_subsys(&ip6table_mangle_net_ops);
139 }
140 
141 module_init(ip6table_mangle_init);
142 module_exit(ip6table_mangle_fini);