Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
iptable_mangle.c
Go to the documentation of this file.
1 /*
2  * This is the 1999 rewrite of IP Firewalling, aiming for kernel 2.3.x.
3  *
4  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5  * Copyright (C) 2000-2004 Netfilter Core Team <[email protected]>
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10  */
11 #include <linux/module.h>
12 #include <linux/netfilter_ipv4/ip_tables.h>
13 #include <linux/netdevice.h>
14 #include <linux/skbuff.h>
15 #include <linux/slab.h>
16 #include <net/sock.h>
17 #include <net/route.h>
18 #include <linux/ip.h>
19 #include <net/ip.h>
20 
21 MODULE_LICENSE("GPL");
22 MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
23 MODULE_DESCRIPTION("iptables mangle table");
24 
25 #define MANGLE_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
26  (1 << NF_INET_LOCAL_IN) | \
27  (1 << NF_INET_FORWARD) | \
28  (1 << NF_INET_LOCAL_OUT) | \
29  (1 << NF_INET_POST_ROUTING))
30 
31 static const struct xt_table packet_mangler = {
32  .name = "mangle",
33  .valid_hooks = MANGLE_VALID_HOOKS,
34  .me = THIS_MODULE,
35  .af = NFPROTO_IPV4,
36  .priority = NF_IP_PRI_MANGLE,
37 };
38 
39 static unsigned int
40 ipt_mangle_out(struct sk_buff *skb, const struct net_device *out)
41 {
42  unsigned int ret;
43  const struct iphdr *iph;
44  u_int8_t tos;
45  __be32 saddr, daddr;
46  u_int32_t mark;
47 
48  /* root is playing with raw sockets. */
49  if (skb->len < sizeof(struct iphdr) ||
50  ip_hdrlen(skb) < sizeof(struct iphdr))
51  return NF_ACCEPT;
52 
53  /* Save things which could affect route */
54  mark = skb->mark;
55  iph = ip_hdr(skb);
56  saddr = iph->saddr;
57  daddr = iph->daddr;
58  tos = iph->tos;
59 
60  ret = ipt_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
61  dev_net(out)->ipv4.iptable_mangle);
62  /* Reroute for ANY change. */
63  if (ret != NF_DROP && ret != NF_STOLEN) {
64  iph = ip_hdr(skb);
65 
66  if (iph->saddr != saddr ||
67  iph->daddr != daddr ||
68  skb->mark != mark ||
69  iph->tos != tos)
70  if (ip_route_me_harder(skb, RTN_UNSPEC))
71  ret = NF_DROP;
72  }
73 
74  return ret;
75 }
76 
77 /* The work comes in here from netfilter.c. */
78 static unsigned int
79 iptable_mangle_hook(unsigned int hook,
80  struct sk_buff *skb,
81  const struct net_device *in,
82  const struct net_device *out,
83  int (*okfn)(struct sk_buff *))
84 {
85  if (hook == NF_INET_LOCAL_OUT)
86  return ipt_mangle_out(skb, out);
87  if (hook == NF_INET_POST_ROUTING)
88  return ipt_do_table(skb, hook, in, out,
89  dev_net(out)->ipv4.iptable_mangle);
90  /* PREROUTING/INPUT/FORWARD: */
91  return ipt_do_table(skb, hook, in, out,
92  dev_net(in)->ipv4.iptable_mangle);
93 }
94 
95 static struct nf_hook_ops *mangle_ops __read_mostly;
96 
97 static int __net_init iptable_mangle_net_init(struct net *net)
98 {
99  struct ipt_replace *repl;
100 
101  repl = ipt_alloc_initial_table(&packet_mangler);
102  if (repl == NULL)
103  return -ENOMEM;
104  net->ipv4.iptable_mangle =
105  ipt_register_table(net, &packet_mangler, repl);
106  kfree(repl);
107  return PTR_RET(net->ipv4.iptable_mangle);
108 }
109 
110 static void __net_exit iptable_mangle_net_exit(struct net *net)
111 {
112  ipt_unregister_table(net, net->ipv4.iptable_mangle);
113 }
114 
115 static struct pernet_operations iptable_mangle_net_ops = {
116  .init = iptable_mangle_net_init,
117  .exit = iptable_mangle_net_exit,
118 };
119 
120 static int __init iptable_mangle_init(void)
121 {
122  int ret;
123 
124  ret = register_pernet_subsys(&iptable_mangle_net_ops);
125  if (ret < 0)
126  return ret;
127 
128  /* Register hooks */
129  mangle_ops = xt_hook_link(&packet_mangler, iptable_mangle_hook);
130  if (IS_ERR(mangle_ops)) {
131  ret = PTR_ERR(mangle_ops);
132  unregister_pernet_subsys(&iptable_mangle_net_ops);
133  }
134 
135  return ret;
136 }
137 
138 static void __exit iptable_mangle_fini(void)
139 {
140  xt_hook_unlink(&packet_mangler, mangle_ops);
141  unregister_pernet_subsys(&iptable_mangle_net_ops);
142 }
143 
144 module_init(iptable_mangle_init);
145 module_exit(iptable_mangle_fini);
Generated on Thu Jan 10 2013 14:58:40 for Linux Kernel by   doxygen 1.8.2