/*
 * IP6 tables REJECT target module
 * Linux INET6 implementation
 *
 * Copyright (C)2003 USAGI/WIDE Project
 *
 * Authors:
 * Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
 *
 * Copyright (c) 2005-2007 Patrick McHardy <kaber@trash.net>
 *
 * Based on net/ipv4/netfilter/ipt_REJECT.c
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */
/*
 * Prefix every pr_*() message emitted from this file with the module name.
 * This sits ahead of the #include lines so the definition is already in
 * place when the printk helpers are pulled in.
 */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/gfp.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/icmpv6.h>
#include <linux/netdevice.h>
#include <net/icmp.h>
#include <net/flow.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter_ipv6/ip6t_REJECT.h>

#include <net/netfilter/ipv6/nf_reject.h>

/* Module metadata: author, one-line description and licence declaration. */
MODULE_AUTHOR("Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>");
MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6");
MODULE_LICENSE("GPL");
/*
 * reject_tg6 - packet-path handler of the IPv6 REJECT target.
 * @skb: packet that matched the rule
 * @par: xtables action parameters; ->targinfo carries the rule's
 *       struct ip6t_reject_info, ->in / ->out the devices, ->hooknum the hook
 *
 * Answers the sender according to the rule's "with" value: an ICMPv6
 * destination-unreachable message with the matching code, or a TCP reset.
 * The verdict is NF_DROP on every path, including the ones that send
 * nothing.
 *
 * Security note: a "with" value that is not one of the cases below is not
 * rejected here; the packet is still dropped and only a rate-limited info
 * message is logged, so no reply reaches the peer for such a rule.
 */
static unsigned int
reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
	const struct ip6t_reject_info *info = par->targinfo;
	/* Namespace of the input device when there is one, else the output device. */
	struct net *net = dev_net(par->in ? par->in : par->out);
	unsigned char code;

	pr_debug("%s: medium point\n", __func__);

	/* Translate the rule's reject type into an ICMPv6 unreachable code. */
	switch (info->with) {
	case IP6T_ICMP6_NO_ROUTE:
		code = ICMPV6_NOROUTE;
		break;
	case IP6T_ICMP6_ADM_PROHIBITED:
		code = ICMPV6_ADM_PROHIBITED;
		break;
	case IP6T_ICMP6_NOT_NEIGHBOUR:
		code = ICMPV6_NOT_NEIGHBOUR;
		break;
	case IP6T_ICMP6_ADDR_UNREACH:
		code = ICMPV6_ADDR_UNREACH;
		break;
	case IP6T_ICMP6_PORT_UNREACH:
		code = ICMPV6_PORT_UNREACH;
		break;
	case IP6T_ICMP6_ECHOREPLY:
		/*
		 * Nothing is sent. reject_tg6_check() refuses this value, so
		 * this arm is presumably never reached for a rule that went
		 * through that check.
		 */
		return NF_DROP;
	case IP6T_TCP_RESET:
		nf_send_reset6(net, skb, par->hooknum);
		return NF_DROP;
	default:
		net_info_ratelimited("case %u not handled yet\n", info->with);
		return NF_DROP;
	}

	nf_send_unreach6(net, skb, code, par->hooknum);
	return NF_DROP;
}
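/*
 * reject_tg6_check - validate a rule that uses the IPv6 REJECT target.
 * @par: xtables check parameters; ->targinfo is the rule's
 *       struct ip6t_reject_info, ->entryinfo the enclosing struct ip6t_entry
 *
 * Registered as the target's .checkentry callback. Two configurations are
 * refused:
 *   - IP6T_ICMP6_ECHOREPLY, which this target does not implement;
 *   - IP6T_TCP_RESET on a rule that does not match exactly TCP (protocol is
 *     not IPPROTO_TCP, or the protocol match is inverted).
 *
 * Any other "with" value is accepted, including values the packet-path
 * handler does not know; those rules drop packets without sending a reply.
 *
 * Return: 0 if the rule is acceptable, -EINVAL otherwise.
 */
static int reject_tg6_check(const struct xt_tgchk_param *par)
{
	const struct ip6t_reject_info *rejinfo = par->targinfo;
	const struct ip6t_entry *e = par->entryinfo;

	/*
	 * Both messages below are printed in response to a rule supplied by
	 * the caller, so they are rate-limited: repeatedly submitting an
	 * invalid rule must not be able to flood the kernel log.
	 * NOTE(review): which callers can reach this path (e.g. from a
	 * network namespace) is not visible in this file - confirm.
	 */
	if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
		pr_info_ratelimited("ECHOREPLY is not supported.\n");
		return -EINVAL;
	}

	if (rejinfo->with == IP6T_TCP_RESET) {
		/* Must specify that it's a TCP packet */
		if (e->ipv6.proto != IPPROTO_TCP ||
		    (e->ipv6.invflags & XT_INV_PROTO)) {
			pr_info_ratelimited("TCP_RESET illegal for non-tcp\n");
			return -EINVAL;
		}
	}

	return 0;
}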
/*
 * xtables registration record for the IPv6 "REJECT" target.
 *
 * The target is limited to the "filter" table and to the LOCAL_IN, FORWARD
 * and LOCAL_OUT hooks. Each rule carries a struct ip6t_reject_info, which is
 * validated by reject_tg6_check() and acted on per packet by reject_tg6().
 */
static struct xt_target reject_tg6_reg __read_mostly = {
	.name		= "REJECT",
	.family		= NFPROTO_IPV6,
	.table		= "filter",
	.hooks		= (1 << NF_INET_LOCAL_IN) |
			  (1 << NF_INET_FORWARD) |
			  (1 << NF_INET_LOCAL_OUT),
	.targetsize	= sizeof(struct ip6t_reject_info),
	.checkentry	= reject_tg6_check,
	.target		= reject_tg6,
	.me		= THIS_MODULE,
};
/*
 * reject_tg6_init - module entry point.
 *
 * Registers the REJECT target with xtables and hands back the result of
 * xt_register_target() unchanged.
 */
static int __init reject_tg6_init(void)
{
	return xt_register_target(&reject_tg6_reg);
}
/*
 * reject_tg6_exit - module exit point.
 *
 * Unregisters the REJECT target that reject_tg6_init() registered.
 */
static void __exit reject_tg6_exit(void)
{
	xt_unregister_target(&reject_tg6_reg);
}
/* Hook the register/unregister routines into module load and unload. */
module_init(reject_tg6_init);
module_exit(reject_tg6_exit);