Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / 500f483fff529dcd88ec96b9d5054be6cd6363a0 / . / extensions / libipt_REJECT.c
blob: 90ec163f347b77b8f37c5a5c21a22df81b597f0e [file] [log] [blame]
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1/* Shared library add-on to iptables to add customized REJECT support.
2 *
3 * (C) 2000 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
4 */
5#include <stdio.h>
6#include <string.h>
7#include <stdlib.h>
8#include <getopt.h>
9#include <iptables.h>
10#include <linux/netfilter_ipv4/ip_tables.h>
11#include <linux/netfilter_ipv4/ipt_REJECT.h>
Harald Welte5a52c512003-05-24 11:44:18 +0000[diff] [blame]12#include <linux/version.h>
13
14/* If we are compiling against a kernel that does not support
15 * IPT_ICMP_ADMIN_PROHIBITED, we are emulating it.
16 * The result will be a plain DROP of the packet instead of
17 * reject. -- Maciej Soltysiak <solt@dns.toxicfilms.tv>
18 */
19#ifndef IPT_ICMP_ADMIN_PROHIBITED
20#define IPT_ICMP_ADMIN_PROHIBITED IPT_TCP_RESET + 1
21#endif
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]22
23struct reject_names {
24 const char *name;
25 const char *alias;
26 enum ipt_reject_with with;
27 const char *desc;
28};
29
30static const struct reject_names reject_table[] = {
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]31 {"icmp-net-unreachable", "net-unreach",
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]32 IPT_ICMP_NET_UNREACHABLE, "ICMP network unreachable"},
33 {"icmp-host-unreachable", "host-unreach",
34 IPT_ICMP_HOST_UNREACHABLE, "ICMP host unreachable"},
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]35 {"icmp-proto-unreachable", "proto-unreach",
36 IPT_ICMP_PROT_UNREACHABLE, "ICMP protocol unreachable"},
Harald Welte30d920a2001-06-16 19:02:25 +0000[diff] [blame]37 {"icmp-port-unreachable", "port-unreach",
38 IPT_ICMP_PORT_UNREACHABLE, "ICMP port unreachable (default)"},
Rusty Russellbd8382b2000-12-18 05:09:52 +0000[diff] [blame]39#if 0
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]40 {"echo-reply", "echoreply",
Rusty Russellf7e72d52000-06-20 19:07:29 +0000[diff] [blame]41 IPT_ICMP_ECHOREPLY, "for ICMP echo only: faked ICMP echo reply"},
Rusty Russellbd8382b2000-12-18 05:09:52 +0000[diff] [blame]42#endif
Rusty Russellf7e72d52000-06-20 19:07:29 +0000[diff] [blame]43 {"icmp-net-prohibited", "net-prohib",
44 IPT_ICMP_NET_PROHIBITED, "ICMP network prohibited"},
45 {"icmp-host-prohibited", "host-prohib",
46 IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
Harald Welte11b85912005-11-22 08:54:28 +0000[diff] [blame]47 {"tcp-reset", "tcp-rst",
Harald Welte5a52c512003-05-24 11:44:18 +0000[diff] [blame]48 IPT_TCP_RESET, "TCP RST packet"},
49 {"icmp-admin-prohibited", "admin-prohib",
50 IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]51};
52
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]53static void
Patrick McHardy500f4832007-09-08 15:59:04 +0000[diff] [blame^]54print_reject_types(void)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]55{
56 unsigned int i;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]57
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]58 printf("Valid reject types:\n");
59
60 for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
61 printf(" %-25s\t%s\n", reject_table[i].name, reject_table[i].desc);
62 printf(" %-25s\talias\n", reject_table[i].alias);
63 }
64 printf("\n");
65}
66
67/* Saves the union ipt_targinfo in parsable form to stdout. */
68
69/* Function which prints out usage message. */
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]70static void
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]71help(void)
72{
73 printf(
74"REJECT options:\n"
75"--reject-with type drop input packet and send back\n"
Harald Welte7d774512005-04-15 09:39:55 +0000[diff] [blame]76" a reply packet according to type:\n");
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]77
78 print_reject_types();
Harald Welte5a52c512003-05-24 11:44:18 +0000[diff] [blame]79
80 printf("(*) See man page or read the INCOMPATIBILITES file for compatibility issues.\n");
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]81}
82
Jan Engelhardt661f1122007-07-30 14:46:51 +0000[diff] [blame]83static const struct option opts[] = {
Patrick McHardy500f4832007-09-08 15:59:04 +0000[diff] [blame^]84 { "reject-with", 1, NULL, '1' },
85 { }
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]86};
87
88/* Allocate and initialize the target. */
89static void
Peter Rileyea146a92007-09-02 13:09:07 +0000[diff] [blame]90init(struct xt_entry_target *t)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]91{
92 struct ipt_reject_info *reject = (struct ipt_reject_info *)t->data;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]93
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]94 /* default */
95 reject->with = IPT_ICMP_PORT_UNREACHABLE;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]96
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]97}
98
99/* Function which parses command options; returns true if it
100 ate an option */
101static int
102parse(int c, char **argv, int invert, unsigned int *flags,
Yasuyuki KOZAKAIc0a9ab92007-07-24 06:02:05 +0000[diff] [blame]103 const void *entry,
Yasuyuki KOZAKAI193df8e2007-07-24 05:57:28 +0000[diff] [blame]104 struct xt_entry_target **target)
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]105{
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]106 struct ipt_reject_info *reject = (struct ipt_reject_info *)(*target)->data;
107 unsigned int limit = sizeof(reject_table)/sizeof(struct reject_names);
108 unsigned int i;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]109
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]110 switch(c) {
111 case '1':
Harald Welteb77f1da2002-03-14 11:35:58 +0000[diff] [blame]112 if (check_inverse(optarg, &invert, NULL, 0))
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]113 exit_error(PARAMETER_PROBLEM,
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]114 "Unexpected `!' after --reject-with");
115 for (i = 0; i < limit; i++) {
116 if ((strncasecmp(reject_table[i].name, optarg, strlen(optarg)) == 0)
117 || (strncasecmp(reject_table[i].alias, optarg, strlen(optarg)) == 0)) {
118 reject->with = reject_table[i].with;
119 return 1;
120 }
121 }
Rusty Russellbd8382b2000-12-18 05:09:52 +0000[diff] [blame]122 /* This due to be dropped late in 2.4 pre-release cycle --RR */
123 if (strncasecmp("echo-reply", optarg, strlen(optarg)) == 0
124 || strncasecmp("echoreply", optarg, strlen(optarg)) == 0)
125 fprintf(stderr, "--reject-with echo-reply no longer"
126 " supported\n");
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]127 exit_error(PARAMETER_PROBLEM, "unknown reject type `%s'",optarg);
128 default:
129 /* Fall through */
Marc Boucher6e9bfc72002-01-19 12:48:05 +0000[diff] [blame]130 break;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]131 }
132 return 0;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]133}
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]134
135/* Final check; nothing. */
136static void final_check(unsigned int flags)
137{
138}
139
140/* Prints out ipt_reject_info. */
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]141static void
Yasuyuki KOZAKAIc0a9ab92007-07-24 06:02:05 +0000[diff] [blame]142print(const void *ip,
Yasuyuki KOZAKAI193df8e2007-07-24 05:57:28 +0000[diff] [blame]143 const struct xt_entry_target *target,
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]144 int numeric)
145{
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]146 const struct ipt_reject_info *reject
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]147 = (const struct ipt_reject_info *)target->data;
148 unsigned int i;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]149
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]150 for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
151 if (reject_table[i].with == reject->with)
152 break;
153 }
154 printf("reject-with %s ", reject_table[i].name);
155}
156
157/* Saves ipt_reject in parsable form to stdout. */
Yasuyuki KOZAKAIc0a9ab92007-07-24 06:02:05 +0000[diff] [blame]158static void save(const void *ip, const struct xt_entry_target *target)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]159{
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]160 const struct ipt_reject_info *reject
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]161 = (const struct ipt_reject_info *)target->data;
Harald Welte97b3fde2001-05-12 05:22:18 +0000[diff] [blame]162 unsigned int i;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]163
Harald Welte97b3fde2001-05-12 05:22:18 +0000[diff] [blame]164 for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++)
165 if (reject_table[i].with == reject->with)
166 break;
167
168 printf("--reject-with %s ", reject_table[i].name);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]169}
170
Harald Welte7d774512005-04-15 09:39:55 +0000[diff] [blame]171static struct iptables_target reject = {
Pablo Neira8caee8b2004-12-28 13:11:59 +0000[diff] [blame]172 .name = "REJECT",
173 .version = IPTABLES_VERSION,
174 .size = IPT_ALIGN(sizeof(struct ipt_reject_info)),
175 .userspacesize = IPT_ALIGN(sizeof(struct ipt_reject_info)),
176 .help = &help,
177 .init = &init,
178 .parse = &parse,
179 .final_check = &final_check,
180 .print = &print,
181 .save = &save,
182 .extra_opts = opts
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]183};
184
185void _init(void)
186{
Harald Welte7d774512005-04-15 09:39:55 +0000[diff] [blame]187 register_target(&reject);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]188}