source-git / libnetfilter_queue

Clone
Source Code
GIT

Blame src/extra/ipv6.c

c8 c8s master
  1.   c43939a3749bd3023911fb2d8d3aba95185b6f5c
  2.   src
  3.   extra
  4.   ipv6.c
Blob History Raw
Packit c43939 
/*
Packit c43939 
 * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
Packit c43939 
 *
Packit c43939 
 * This program is free software; you can redistribute it and/or modify
Packit c43939 
 * it under the terms of the GNU General Public License as published by
Packit c43939 
 * the Free Software Foundation; either version 2 of the License, or
Packit c43939 
 * (at your option) any later version.
Packit c43939 
 *
Packit c43939 
 * This code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
Packit c43939 
 */
Packit c43939
Packit c43939 
#include <stdio.h>
Packit c43939 
#include <stddef.h>
Packit c43939 
#include <stdbool.h>
Packit c43939 
#include <arpa/inet.h>
Packit c43939 
#include <netinet/ip6.h>
Packit c43939
Packit c43939 
#include <libnetfilter_queue/libnetfilter_queue.h>
Packit c43939 
#include <libnetfilter_queue/libnetfilter_queue_ipv6.h>
Packit c43939 
#include <libnetfilter_queue/pktbuff.h>
Packit c43939
Packit c43939 
#include "internal.h"
Packit c43939
Packit c43939 
/**
Packit c43939 
 * \defgroup ipv6 IPv6 helper functions
Packit c43939 
 * @{
Packit c43939 
 */
Packit c43939
Packit c43939 
/**
Packit c43939 
 * nfq_ip6_get_hdr - get IPv6 header
Packit c43939 
 * \param pktb: Pointer to user-space network packet buffer
Packit c43939 
 *
Packit c43939 
 * \returns pointer to IPv6 header if a valid header found, else NULL.
Packit c43939 
 */
Packit c43939 
EXPORT_SYMBOL
Packit c43939 
struct ip6_hdr *nfq_ip6_get_hdr(struct pkt_buff *pktb)
Packit c43939 
{
Packit c43939 
	struct ip6_hdr *ip6h;
Packit c43939 
	unsigned int pktlen = pktb_tail(pktb) - pktb->network_header;
Packit c43939
Packit c43939 
	/* Not enough room for IPv6 header. */
Packit c43939 
	if (pktlen < sizeof(struct ip6_hdr))
Packit c43939 
		return NULL;
Packit c43939
Packit c43939 
	ip6h = (struct ip6_hdr *)pktb->network_header;
Packit c43939
Packit c43939 
	/* Not IPv6 packet. */
Packit c43939 
	if ((*(uint8_t *)ip6h & 0xf0) != 0x60)
Packit c43939 
		return NULL;
Packit c43939
Packit c43939 
	return ip6h;
Packit c43939 
}
Packit c43939
Packit c43939 
/**
Packit c43939 
 * nfq_ip6_set_transport_header - set transport header pointer for IPv6 packet
Packit c43939 
 * \param pktb: Pointer to user-space network packet buffer
Packit c43939 
 * \param ip6h: Pointer to IPv6 header
Packit c43939 
 * \param target: Protocol number to find transport header (ie. IPPROTO_*)
Packit c43939 
 *
Packit c43939 
 * \returns 1 if the protocol has been found and the transport
Packit c43939 
 * header has been set, else 0.
Packit c43939 
 */
Packit c43939 
EXPORT_SYMBOL
Packit c43939 
int nfq_ip6_set_transport_header(struct pkt_buff *pktb, struct ip6_hdr *ip6h,
Packit c43939 
				 uint8_t target)
Packit c43939 
{
Packit c43939 
	uint8_t nexthdr = ip6h->ip6_nxt;
Packit c43939 
	uint8_t *cur = (uint8_t *)ip6h + sizeof(struct ip6_hdr);
Packit c43939
Packit c43939 
	while (nexthdr != target) {
Packit c43939 
		struct ip6_ext *ip6_ext;
Packit c43939 
		uint32_t hdrlen;
Packit c43939
Packit c43939 
		/* No more extensions, we're done. */
Packit c43939 
		if (nexthdr == IPPROTO_NONE) {
Packit c43939 
			cur = NULL;
Packit c43939 
			break;
Packit c43939 
		}
Packit c43939 
		/* No room for extension, bad packet. */
Packit c43939 
		if (pktb_tail(pktb) - cur < sizeof(struct ip6_ext)) {
Packit c43939 
			cur = NULL;
Packit c43939 
			break;
Packit c43939 
		}
Packit c43939 
		ip6_ext = (struct ip6_ext *)cur;
Packit c43939
Packit c43939 
		if (nexthdr == IPPROTO_FRAGMENT) {
Packit c43939 
			uint16_t *frag_off;
Packit c43939
Packit c43939 
			/* No room for full fragment header, bad packet. */
Packit c43939 
			if (pktb_tail(pktb) - cur < sizeof(struct ip6_frag)) {
Packit c43939 
				cur = NULL;
Packit c43939 
				break;
Packit c43939 
			}
Packit c43939
Packit c43939 
			frag_off = (uint16_t *)cur +
Packit c43939 
					offsetof(struct ip6_frag, ip6f_offlg);
Packit c43939
Packit c43939 
			/* Fragment offset is only 13 bits long. */
Packit c43939 
			if (htons(*frag_off & ~0x7)) {
Packit c43939 
				/* Not the first fragment, it does not contain
Packit c43939 
				 * any headers.
Packit c43939 
				 */
Packit c43939 
				cur = NULL;
Packit c43939 
				break;
Packit c43939 
			}
Packit c43939 
			hdrlen = sizeof(struct ip6_frag);
Packit c43939 
		} else if (nexthdr == IPPROTO_AH)
Packit c43939 
			hdrlen = (ip6_ext->ip6e_len + 2) << 2;
Packit c43939 
		else
Packit c43939 
			hdrlen = ip6_ext->ip6e_len;
Packit c43939
Packit c43939 
		nexthdr = ip6_ext->ip6e_nxt;
Packit c43939 
		cur += hdrlen;
Packit c43939 
	}
Packit c43939 
	pktb->transport_header = cur;
Packit c43939 
	return cur ? 1 : 0;
Packit c43939 
}
Packit c43939
Packit c43939 
/**
Packit c43939 
 * nfq_ip6_mangle - mangle IPv6 packet buffer
Packit c43939 
 * \param pktb: Pointer to user-space network packet buffer
Packit c43939 
 * \param dataoff: Offset to layer 4 header
Packit c43939 
 * \param match_offset: Offset to content that you want to mangle
Packit c43939 
 * \param match_len: Length of the existing content you want to mangle
Packit c43939 
 * \param rep_buffer: Pointer to data you want to use to replace current content
Packit c43939 
 * \param rep_len: Length of data you want to use to replace current content
Packit c43939 
 * \returns 1 for success and 0 for failure. See pktb_mangle() for failure case
Packit c43939 
 * \note This function updates the IPv6 length (if necessary)
Packit c43939 
 */
Packit c43939 
EXPORT_SYMBOL
Packit c43939 
int nfq_ip6_mangle(struct pkt_buff *pktb, unsigned int dataoff,
Packit c43939 
		   unsigned int match_offset, unsigned int match_len,
Packit c43939 
		   const char *rep_buffer, unsigned int rep_len)
Packit c43939 
{
Packit c43939 
	struct ip6_hdr *ip6h = (struct ip6_hdr *)pktb->network_header;
Packit c43939
Packit c43939 
	if (!pktb_mangle(pktb, dataoff, match_offset, match_len, rep_buffer,
Packit c43939 
			 rep_len))
Packit c43939 
		return 0;
Packit c43939
Packit c43939 
	/* Fix IPv6 hdr length information */
Packit c43939 
	ip6h->ip6_plen =
Packit c43939 
		htons(pktb_tail(pktb) - pktb->network_header - sizeof *ip6h);
Packit c43939
Packit c43939 
	return 1;
Packit c43939 
}
Packit c43939
Packit c43939 
/**
Packit c43939 
 * nfq_ip6_snprintf - print IPv6 header into one buffer in iptables LOG format
Packit c43939 
 * \param buf: Pointer to buffer that is used to print the object
Packit c43939 
 * \param size: Size of the buffer (or remaining room in it).
Packit c43939 
 * \param ip6h: Pointer to a valid IPv6 header.
Packit c43939 
 * \returns same as snprintf
Packit c43939 
 * \sa **snprintf**(3)
Packit c43939 
 *
Packit c43939 
 */
Packit c43939 
EXPORT_SYMBOL
Packit c43939 
int nfq_ip6_snprintf(char *buf, size_t size, const struct ip6_hdr *ip6h)
Packit c43939 
{
Packit c43939 
	int ret;
Packit c43939 
	char src[INET6_ADDRSTRLEN];
Packit c43939 
	char dst[INET6_ADDRSTRLEN];
Packit c43939
Packit c43939 
	inet_ntop(AF_INET6, &ip6h->ip6_src, src, INET6_ADDRSTRLEN);
Packit c43939 
	inet_ntop(AF_INET6, &ip6h->ip6_dst, dst, INET6_ADDRSTRLEN);
Packit c43939
Packit c43939 
	ret = snprintf(buf, size, "SRC=%s DST=%s LEN=%zu TC=0x%X "
Packit c43939 
				  "HOPLIMIT=%u FLOWLBL=%u ",
Packit c43939 
			src, dst,
Packit c43939 
			ntohs(ip6h->ip6_plen) + sizeof(struct ip6_hdr),
Packit c43939 
			(ip6h->ip6_flow & 0x0ff00000) >> 20,
Packit c43939 
			ip6h->ip6_hlim,
Packit c43939 
			(ip6h->ip6_flow & 0x000fffff));
Packit c43939
Packit c43939 
	return ret;
Packit c43939 
}
Packit c43939
Packit c43939 
/**
Packit c43939 
 * @}
Packit c43939 
 */

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation