|
Packit |
c43939 |
/*
|
|
Packit |
c43939 |
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Packit |
c43939 |
*
|
|
Packit |
c43939 |
* This program is free software; you can redistribute it and/or modify
|
|
Packit |
c43939 |
* it under the terms of the GNU General Public License as published by
|
|
Packit |
c43939 |
* the Free Software Foundation; either version 2 of the License, or
|
|
Packit |
c43939 |
* (at your option) any later version.
|
|
Packit |
c43939 |
*
|
|
Packit |
c43939 |
* This code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
|
|
Packit |
c43939 |
*/
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
#include <stdio.h>
|
|
Packit |
c43939 |
#include <stddef.h>
|
|
Packit |
c43939 |
#include <stdbool.h>
|
|
Packit |
c43939 |
#include <arpa/inet.h>
|
|
Packit |
c43939 |
#include <netinet/ip6.h>
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
#include <libnetfilter_queue/libnetfilter_queue.h>
|
|
Packit |
c43939 |
#include <libnetfilter_queue/libnetfilter_queue_ipv6.h>
|
|
Packit |
c43939 |
#include <libnetfilter_queue/pktbuff.h>
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
#include "internal.h"
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/**
|
|
Packit |
c43939 |
* \defgroup ipv6 IPv6 helper functions
|
|
Packit |
c43939 |
* @{
|
|
Packit |
c43939 |
*/
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/**
|
|
Packit |
c43939 |
* nfq_ip6_get_hdr - get IPv6 header
|
|
Packit |
c43939 |
* \param pktb: Pointer to user-space network packet buffer
|
|
Packit |
c43939 |
*
|
|
Packit |
c43939 |
* \returns pointer to IPv6 header if a valid header found, else NULL.
|
|
Packit |
c43939 |
*/
|
|
Packit |
c43939 |
EXPORT_SYMBOL
|
|
Packit |
c43939 |
struct ip6_hdr *nfq_ip6_get_hdr(struct pkt_buff *pktb)
|
|
Packit |
c43939 |
{
|
|
Packit |
c43939 |
struct ip6_hdr *ip6h;
|
|
Packit |
c43939 |
unsigned int pktlen = pktb_tail(pktb) - pktb->network_header;
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/* Not enough room for IPv6 header. */
|
|
Packit |
c43939 |
if (pktlen < sizeof(struct ip6_hdr))
|
|
Packit |
c43939 |
return NULL;
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
ip6h = (struct ip6_hdr *)pktb->network_header;
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/* Not IPv6 packet. */
|
|
Packit |
c43939 |
if ((*(uint8_t *)ip6h & 0xf0) != 0x60)
|
|
Packit |
c43939 |
return NULL;
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
return ip6h;
|
|
Packit |
c43939 |
}
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/**
|
|
Packit |
c43939 |
* nfq_ip6_set_transport_header - set transport header pointer for IPv6 packet
|
|
Packit |
c43939 |
* \param pktb: Pointer to user-space network packet buffer
|
|
Packit |
c43939 |
* \param ip6h: Pointer to IPv6 header
|
|
Packit |
c43939 |
* \param target: Protocol number to find transport header (ie. IPPROTO_*)
|
|
Packit |
c43939 |
*
|
|
Packit |
c43939 |
* \returns 1 if the protocol has been found and the transport
|
|
Packit |
c43939 |
* header has been set, else 0.
|
|
Packit |
c43939 |
*/
|
|
Packit |
c43939 |
EXPORT_SYMBOL
|
|
Packit |
c43939 |
int nfq_ip6_set_transport_header(struct pkt_buff *pktb, struct ip6_hdr *ip6h,
|
|
Packit |
c43939 |
uint8_t target)
|
|
Packit |
c43939 |
{
|
|
Packit |
c43939 |
uint8_t nexthdr = ip6h->ip6_nxt;
|
|
Packit |
c43939 |
uint8_t *cur = (uint8_t *)ip6h + sizeof(struct ip6_hdr);
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
while (nexthdr != target) {
|
|
Packit |
c43939 |
struct ip6_ext *ip6_ext;
|
|
Packit |
c43939 |
uint32_t hdrlen;
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/* No more extensions, we're done. */
|
|
Packit |
c43939 |
if (nexthdr == IPPROTO_NONE) {
|
|
Packit |
c43939 |
cur = NULL;
|
|
Packit |
c43939 |
break;
|
|
Packit |
c43939 |
}
|
|
Packit |
c43939 |
/* No room for extension, bad packet. */
|
|
Packit |
c43939 |
if (pktb_tail(pktb) - cur < sizeof(struct ip6_ext)) {
|
|
Packit |
c43939 |
cur = NULL;
|
|
Packit |
c43939 |
break;
|
|
Packit |
c43939 |
}
|
|
Packit |
c43939 |
ip6_ext = (struct ip6_ext *)cur;
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
if (nexthdr == IPPROTO_FRAGMENT) {
|
|
Packit |
c43939 |
uint16_t *frag_off;
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/* No room for full fragment header, bad packet. */
|
|
Packit |
c43939 |
if (pktb_tail(pktb) - cur < sizeof(struct ip6_frag)) {
|
|
Packit |
c43939 |
cur = NULL;
|
|
Packit |
c43939 |
break;
|
|
Packit |
c43939 |
}
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
frag_off = (uint16_t *)cur +
|
|
Packit |
c43939 |
offsetof(struct ip6_frag, ip6f_offlg);
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/* Fragment offset is only 13 bits long. */
|
|
Packit |
c43939 |
if (htons(*frag_off & ~0x7)) {
|
|
Packit |
c43939 |
/* Not the first fragment, it does not contain
|
|
Packit |
c43939 |
* any headers.
|
|
Packit |
c43939 |
*/
|
|
Packit |
c43939 |
cur = NULL;
|
|
Packit |
c43939 |
break;
|
|
Packit |
c43939 |
}
|
|
Packit |
c43939 |
hdrlen = sizeof(struct ip6_frag);
|
|
Packit |
c43939 |
} else if (nexthdr == IPPROTO_AH)
|
|
Packit |
c43939 |
hdrlen = (ip6_ext->ip6e_len + 2) << 2;
|
|
Packit |
c43939 |
else
|
|
Packit |
c43939 |
hdrlen = ip6_ext->ip6e_len;
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
nexthdr = ip6_ext->ip6e_nxt;
|
|
Packit |
c43939 |
cur += hdrlen;
|
|
Packit |
c43939 |
}
|
|
Packit |
c43939 |
pktb->transport_header = cur;
|
|
Packit |
c43939 |
return cur ? 1 : 0;
|
|
Packit |
c43939 |
}
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/**
|
|
Packit |
c43939 |
* nfq_ip6_mangle - mangle IPv6 packet buffer
|
|
Packit |
c43939 |
* \param pktb: Pointer to user-space network packet buffer
|
|
Packit |
c43939 |
* \param dataoff: Offset to layer 4 header
|
|
Packit |
c43939 |
* \param match_offset: Offset to content that you want to mangle
|
|
Packit |
c43939 |
* \param match_len: Length of the existing content you want to mangle
|
|
Packit |
c43939 |
* \param rep_buffer: Pointer to data you want to use to replace current content
|
|
Packit |
c43939 |
* \param rep_len: Length of data you want to use to replace current content
|
|
Packit |
c43939 |
* \returns 1 for success and 0 for failure. See pktb_mangle() for failure case
|
|
Packit |
c43939 |
* \note This function updates the IPv6 length (if necessary)
|
|
Packit |
c43939 |
*/
|
|
Packit |
c43939 |
EXPORT_SYMBOL
|
|
Packit |
c43939 |
int nfq_ip6_mangle(struct pkt_buff *pktb, unsigned int dataoff,
|
|
Packit |
c43939 |
unsigned int match_offset, unsigned int match_len,
|
|
Packit |
c43939 |
const char *rep_buffer, unsigned int rep_len)
|
|
Packit |
c43939 |
{
|
|
Packit |
c43939 |
struct ip6_hdr *ip6h = (struct ip6_hdr *)pktb->network_header;
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
if (!pktb_mangle(pktb, dataoff, match_offset, match_len, rep_buffer,
|
|
Packit |
c43939 |
rep_len))
|
|
Packit |
c43939 |
return 0;
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/* Fix IPv6 hdr length information */
|
|
Packit |
c43939 |
ip6h->ip6_plen =
|
|
Packit |
c43939 |
htons(pktb_tail(pktb) - pktb->network_header - sizeof *ip6h);
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
return 1;
|
|
Packit |
c43939 |
}
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/**
|
|
Packit |
c43939 |
* nfq_ip6_snprintf - print IPv6 header into one buffer in iptables LOG format
|
|
Packit |
c43939 |
* \param buf: Pointer to buffer that is used to print the object
|
|
Packit |
c43939 |
* \param size: Size of the buffer (or remaining room in it).
|
|
Packit |
c43939 |
* \param ip6h: Pointer to a valid IPv6 header.
|
|
Packit |
c43939 |
* \returns same as snprintf
|
|
Packit |
c43939 |
* \sa **snprintf**(3)
|
|
Packit |
c43939 |
*
|
|
Packit |
c43939 |
*/
|
|
Packit |
c43939 |
EXPORT_SYMBOL
|
|
Packit |
c43939 |
int nfq_ip6_snprintf(char *buf, size_t size, const struct ip6_hdr *ip6h)
|
|
Packit |
c43939 |
{
|
|
Packit |
c43939 |
int ret;
|
|
Packit |
c43939 |
char src[INET6_ADDRSTRLEN];
|
|
Packit |
c43939 |
char dst[INET6_ADDRSTRLEN];
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
inet_ntop(AF_INET6, &ip6h->ip6_src, src, INET6_ADDRSTRLEN);
|
|
Packit |
c43939 |
inet_ntop(AF_INET6, &ip6h->ip6_dst, dst, INET6_ADDRSTRLEN);
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
ret = snprintf(buf, size, "SRC=%s DST=%s LEN=%zu TC=0x%X "
|
|
Packit |
c43939 |
"HOPLIMIT=%u FLOWLBL=%u ",
|
|
Packit |
c43939 |
src, dst,
|
|
Packit |
c43939 |
ntohs(ip6h->ip6_plen) + sizeof(struct ip6_hdr),
|
|
Packit |
c43939 |
(ip6h->ip6_flow & 0x0ff00000) >> 20,
|
|
Packit |
c43939 |
ip6h->ip6_hlim,
|
|
Packit |
c43939 |
(ip6h->ip6_flow & 0x000fffff));
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
return ret;
|
|
Packit |
c43939 |
}
|
|
Packit |
c43939 |
|
|
Packit |
c43939 |
/**
|
|
Packit |
c43939 |
* @}
|
|
Packit |
c43939 |
*/
|