Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ipt_REJECT.c
Go to the documentation of this file.
1 /*
2  * This is a module which is used for rejecting packets.
3  */
4 
5 /* (C) 1999-2001 Paul `Rusty' Russell
6  * (C) 2002-2004 Netfilter Core Team <[email protected]>
7  *
8  * This program is free software; you can redistribute it and/or modify
9  * it under the terms of the GNU General Public License version 2 as
10  * published by the Free Software Foundation.
11  */
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13 #include <linux/module.h>
14 #include <linux/skbuff.h>
15 #include <linux/slab.h>
16 #include <linux/ip.h>
17 #include <linux/udp.h>
18 #include <linux/icmp.h>
19 #include <net/icmp.h>
20 #include <net/ip.h>
21 #include <net/tcp.h>
22 #include <net/route.h>
23 #include <net/dst.h>
24 #include <linux/netfilter/x_tables.h>
25 #include <linux/netfilter_ipv4/ip_tables.h>
27 #ifdef CONFIG_BRIDGE_NETFILTER
28 #include <linux/netfilter_bridge.h>
29 #endif
30 
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
33 MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");
34 
35 /* Send RST reply */
36 static void send_reset(struct sk_buff *oldskb, int hook)
37 {
38  struct sk_buff *nskb;
39  const struct iphdr *oiph;
40  struct iphdr *niph;
41  const struct tcphdr *oth;
42  struct tcphdr _otcph, *tcph;
43 
44  /* IP header checks: fragment. */
45  if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
46  return;
47 
48  oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
49  sizeof(_otcph), &_otcph);
50  if (oth == NULL)
51  return;
52 
53  /* No RST for RST. */
54  if (oth->rst)
55  return;
56 
57  if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
58  return;
59 
60  /* Check checksum */
61  if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
62  return;
63  oiph = ip_hdr(oldskb);
64 
65  nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
67  if (!nskb)
68  return;
69 
70  skb_reserve(nskb, LL_MAX_HEADER);
71 
72  skb_reset_network_header(nskb);
73  niph = (struct iphdr *)skb_put(nskb, sizeof(struct iphdr));
74  niph->version = 4;
75  niph->ihl = sizeof(struct iphdr) / 4;
76  niph->tos = 0;
77  niph->id = 0;
78  niph->frag_off = htons(IP_DF);
79  niph->protocol = IPPROTO_TCP;
80  niph->check = 0;
81  niph->saddr = oiph->daddr;
82  niph->daddr = oiph->saddr;
83 
84  tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
85  memset(tcph, 0, sizeof(*tcph));
86  tcph->source = oth->dest;
87  tcph->dest = oth->source;
88  tcph->doff = sizeof(struct tcphdr) / 4;
89 
90  if (oth->ack)
91  tcph->seq = oth->ack_seq;
92  else {
93  tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
94  oldskb->len - ip_hdrlen(oldskb) -
95  (oth->doff << 2));
96  tcph->ack = 1;
97  }
98 
99  tcph->rst = 1;
100  tcph->check = ~tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
101  niph->daddr, 0);
102  nskb->ip_summed = CHECKSUM_PARTIAL;
103  nskb->csum_start = (unsigned char *)tcph - nskb->head;
104  nskb->csum_offset = offsetof(struct tcphdr, check);
105 
106  /* ip_route_me_harder expects skb->dst to be set */
107  skb_dst_set_noref(nskb, skb_dst(oldskb));
108 
109  nskb->protocol = htons(ETH_P_IP);
110  if (ip_route_me_harder(nskb, RTN_UNSPEC))
111  goto free_nskb;
112 
113  niph->ttl = ip4_dst_hoplimit(skb_dst(nskb));
114 
115  /* "Never happens" */
116  if (nskb->len > dst_mtu(skb_dst(nskb)))
117  goto free_nskb;
118 
119  nf_ct_attach(nskb, oldskb);
120 
121  ip_local_out(nskb);
122  return;
123 
124  free_nskb:
125  kfree_skb(nskb);
126 }
127 
128 static inline void send_unreach(struct sk_buff *skb_in, int code)
129 {
130  icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
131 }
132 
133 static unsigned int
134 reject_tg(struct sk_buff *skb, const struct xt_action_param *par)
135 {
136  const struct ipt_reject_info *reject = par->targinfo;
137 
138  switch (reject->with) {
140  send_unreach(skb, ICMP_NET_UNREACH);
141  break;
143  send_unreach(skb, ICMP_HOST_UNREACH);
144  break;
146  send_unreach(skb, ICMP_PROT_UNREACH);
147  break;
149  send_unreach(skb, ICMP_PORT_UNREACH);
150  break;
152  send_unreach(skb, ICMP_NET_ANO);
153  break;
155  send_unreach(skb, ICMP_HOST_ANO);
156  break;
158  send_unreach(skb, ICMP_PKT_FILTERED);
159  break;
160  case IPT_TCP_RESET:
161  send_reset(skb, par->hooknum);
162  case IPT_ICMP_ECHOREPLY:
163  /* Doesn't happen. */
164  break;
165  }
166 
167  return NF_DROP;
168 }
169 
170 static int reject_tg_check(const struct xt_tgchk_param *par)
171 {
172  const struct ipt_reject_info *rejinfo = par->targinfo;
173  const struct ipt_entry *e = par->entryinfo;
174 
175  if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
176  pr_info("ECHOREPLY no longer supported.\n");
177  return -EINVAL;
178  } else if (rejinfo->with == IPT_TCP_RESET) {
179  /* Must specify that it's a TCP packet */
180  if (e->ip.proto != IPPROTO_TCP ||
181  (e->ip.invflags & XT_INV_PROTO)) {
182  pr_info("TCP_RESET invalid for non-tcp\n");
183  return -EINVAL;
184  }
185  }
186  return 0;
187 }
188 
189 static struct xt_target reject_tg_reg __read_mostly = {
190  .name = "REJECT",
191  .family = NFPROTO_IPV4,
192  .target = reject_tg,
193  .targetsize = sizeof(struct ipt_reject_info),
194  .table = "filter",
195  .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
196  (1 << NF_INET_LOCAL_OUT),
197  .checkentry = reject_tg_check,
198  .me = THIS_MODULE,
199 };
200 
201 static int __init reject_tg_init(void)
202 {
203  return xt_register_target(&reject_tg_reg);
204 }
205 
206 static void __exit reject_tg_exit(void)
207 {
208  xt_unregister_target(&reject_tg_reg);
209 }
210 
211 module_init(reject_tg_init);
212 module_exit(reject_tg_exit);