Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / 1e01b0b82f70b0b11dcfbced485dbe7aeac4fb8c / . / extensions / libipt_REJECT.c
blob: ef404e67b46e6c3a40146a47c3a77570f24a77af [file] [log] [blame]
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1/* Shared library add-on to iptables to add customized REJECT support.
2 *
3 * (C) 2000 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
4 */
5#include <stdio.h>
6#include <string.h>
7#include <stdlib.h>
8#include <getopt.h>
Jan Engelhardt5d9678a2008-11-20 10:15:35 +0100[diff] [blame]9#include <xtables.h>
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]10#include <linux/netfilter_ipv4/ip_tables.h>
11#include <linux/netfilter_ipv4/ipt_REJECT.h>
Harald Welte5a52c512003-05-24 11:44:18 +0000[diff] [blame]12#include <linux/version.h>
13
14/* If we are compiling against a kernel that does not support
15 * IPT_ICMP_ADMIN_PROHIBITED, we are emulating it.
16 * The result will be a plain DROP of the packet instead of
17 * reject. -- Maciej Soltysiak <solt@dns.toxicfilms.tv>
18 */
19#ifndef IPT_ICMP_ADMIN_PROHIBITED
20#define IPT_ICMP_ADMIN_PROHIBITED IPT_TCP_RESET + 1
21#endif
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]22
23struct reject_names {
24 const char *name;
25 const char *alias;
26 enum ipt_reject_with with;
27 const char *desc;
28};
29
30static const struct reject_names reject_table[] = {
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]31 {"icmp-net-unreachable", "net-unreach",
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]32 IPT_ICMP_NET_UNREACHABLE, "ICMP network unreachable"},
33 {"icmp-host-unreachable", "host-unreach",
34 IPT_ICMP_HOST_UNREACHABLE, "ICMP host unreachable"},
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]35 {"icmp-proto-unreachable", "proto-unreach",
36 IPT_ICMP_PROT_UNREACHABLE, "ICMP protocol unreachable"},
Harald Welte30d920a2001-06-16 19:02:25 +0000[diff] [blame]37 {"icmp-port-unreachable", "port-unreach",
38 IPT_ICMP_PORT_UNREACHABLE, "ICMP port unreachable (default)"},
Rusty Russellbd8382b2000-12-18 05:09:52 +0000[diff] [blame]39#if 0
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]40 {"echo-reply", "echoreply",
Rusty Russellf7e72d52000-06-20 19:07:29 +0000[diff] [blame]41 IPT_ICMP_ECHOREPLY, "for ICMP echo only: faked ICMP echo reply"},
Rusty Russellbd8382b2000-12-18 05:09:52 +0000[diff] [blame]42#endif
Rusty Russellf7e72d52000-06-20 19:07:29 +0000[diff] [blame]43 {"icmp-net-prohibited", "net-prohib",
44 IPT_ICMP_NET_PROHIBITED, "ICMP network prohibited"},
45 {"icmp-host-prohibited", "host-prohib",
46 IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
Harald Welte11b85912005-11-22 08:54:28 +0000[diff] [blame]47 {"tcp-reset", "tcp-rst",
Harald Welte5a52c512003-05-24 11:44:18 +0000[diff] [blame]48 IPT_TCP_RESET, "TCP RST packet"},
49 {"icmp-admin-prohibited", "admin-prohib",
50 IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]51};
52
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]53static void
Patrick McHardy500f4832007-09-08 15:59:04 +0000[diff] [blame]54print_reject_types(void)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]55{
56 unsigned int i;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]57
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]58 printf("Valid reject types:\n");
59
60 for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
61 printf(" %-25s\t%s\n", reject_table[i].name, reject_table[i].desc);
62 printf(" %-25s\talias\n", reject_table[i].alias);
63 }
64 printf("\n");
65}
66
Jan Engelhardt1d5b63d2007-10-04 16:29:00 +0000[diff] [blame]67static void REJECT_help(void)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]68{
69 printf(
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]70"REJECT target options:\n"
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]71"--reject-with type drop input packet and send back\n"
Harald Welte7d774512005-04-15 09:39:55 +0000[diff] [blame]72" a reply packet according to type:\n");
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]73
74 print_reject_types();
Harald Welte5a52c512003-05-24 11:44:18 +0000[diff] [blame]75
76 printf("(*) See man page or read the INCOMPATIBILITES file for compatibility issues.\n");
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]77}
78
Jan Engelhardt1d5b63d2007-10-04 16:29:00 +0000[diff] [blame]79static const struct option REJECT_opts[] = {
Patrick McHardy500f4832007-09-08 15:59:04 +0000[diff] [blame]80 { "reject-with", 1, NULL, '1' },
Max Kellermann9ee386a2008-01-29 13:48:05 +0000[diff] [blame]81 { .name = NULL }
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]82};
83
Jan Engelhardt1d5b63d2007-10-04 16:29:00 +0000[diff] [blame]84static void REJECT_init(struct xt_entry_target *t)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]85{
86 struct ipt_reject_info *reject = (struct ipt_reject_info *)t->data;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]87
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]88 /* default */
89 reject->with = IPT_ICMP_PORT_UNREACHABLE;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]90
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]91}
92
Jan Engelhardt1d5b63d2007-10-04 16:29:00 +0000[diff] [blame]93static int REJECT_parse(int c, char **argv, int invert, unsigned int *flags,
94 const void *entry, struct xt_entry_target **target)
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]95{
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]96 struct ipt_reject_info *reject = (struct ipt_reject_info *)(*target)->data;
97 unsigned int limit = sizeof(reject_table)/sizeof(struct reject_names);
98 unsigned int i;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]99
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]100 switch(c) {
101 case '1':
Harald Welteb77f1da2002-03-14 11:35:58 +0000[diff] [blame]102 if (check_inverse(optarg, &invert, NULL, 0))
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]103 exit_error(PARAMETER_PROBLEM,
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]104 "Unexpected `!' after --reject-with");
105 for (i = 0; i < limit; i++) {
106 if ((strncasecmp(reject_table[i].name, optarg, strlen(optarg)) == 0)
107 || (strncasecmp(reject_table[i].alias, optarg, strlen(optarg)) == 0)) {
108 reject->with = reject_table[i].with;
109 return 1;
110 }
111 }
Rusty Russellbd8382b2000-12-18 05:09:52 +0000[diff] [blame]112 /* This due to be dropped late in 2.4 pre-release cycle --RR */
113 if (strncasecmp("echo-reply", optarg, strlen(optarg)) == 0
114 || strncasecmp("echoreply", optarg, strlen(optarg)) == 0)
115 fprintf(stderr, "--reject-with echo-reply no longer"
116 " supported\n");
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]117 exit_error(PARAMETER_PROBLEM, "unknown reject type `%s'",optarg);
118 default:
119 /* Fall through */
Marc Boucher6e9bfc72002-01-19 12:48:05 +0000[diff] [blame]120 break;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]121 }
122 return 0;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]123}
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]124
Jan Engelhardt1d5b63d2007-10-04 16:29:00 +0000[diff] [blame]125static void REJECT_print(const void *ip, const struct xt_entry_target *target,
126 int numeric)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]127{
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]128 const struct ipt_reject_info *reject
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]129 = (const struct ipt_reject_info *)target->data;
130 unsigned int i;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]131
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]132 for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
133 if (reject_table[i].with == reject->with)
134 break;
135 }
136 printf("reject-with %s ", reject_table[i].name);
137}
138
Jan Engelhardt1d5b63d2007-10-04 16:29:00 +0000[diff] [blame]139static void REJECT_save(const void *ip, const struct xt_entry_target *target)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]140{
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]141 const struct ipt_reject_info *reject
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]142 = (const struct ipt_reject_info *)target->data;
Harald Welte97b3fde2001-05-12 05:22:18 +0000[diff] [blame]143 unsigned int i;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]144
Harald Welte97b3fde2001-05-12 05:22:18 +0000[diff] [blame]145 for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++)
146 if (reject_table[i].with == reject->with)
147 break;
148
149 printf("--reject-with %s ", reject_table[i].name);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]150}
151
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]152static struct xtables_target reject_tg_reg = {
Pablo Neira8caee8b2004-12-28 13:11:59 +0000[diff] [blame]153 .name = "REJECT",
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]154 .version = XTABLES_VERSION,
Jan Engelhardt03d99482008-11-18 12:27:54 +0100[diff] [blame]155 .family = NFPROTO_IPV4,
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]156 .size = XT_ALIGN(sizeof(struct ipt_reject_info)),
157 .userspacesize = XT_ALIGN(sizeof(struct ipt_reject_info)),
Jan Engelhardt1d5b63d2007-10-04 16:29:00 +0000[diff] [blame]158 .help = REJECT_help,
159 .init = REJECT_init,
160 .parse = REJECT_parse,
161 .print = REJECT_print,
162 .save = REJECT_save,
163 .extra_opts = REJECT_opts,
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]164};
165
166void _init(void)
167{
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]168 xtables_register_target(&reject_tg_reg);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]169}