| lh | 9ed821d | 2023-04-07 01:36:19 -0700 | [diff] [blame] | 1 | /* Shared library add-on to ip6tables to add customized REJECT support. | 
|  | 2 | * | 
|  | 3 | * (C) 2000 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 
|  | 4 | * | 
|  | 5 | * ported to IPv6 by Harald Welte <laforge@gnumonks.org> | 
|  | 6 | * | 
|  | 7 | */ | 
|  | 8 | #include <stdio.h> | 
|  | 9 | #include <string.h> | 
|  | 10 | #include <stdlib.h> | 
|  | 11 | #include <getopt.h> | 
|  | 12 | #include <xtables.h> | 
|  | 13 | #include <linux/netfilter_ipv6/ip6t_REJECT.h> | 
|  | 14 |  | 
|  | 15 | struct reject_names { | 
|  | 16 | const char *name; | 
|  | 17 | const char *alias; | 
|  | 18 | enum ip6t_reject_with with; | 
|  | 19 | const char *desc; | 
|  | 20 | }; | 
|  | 21 |  | 
|  | 22 | static const struct reject_names reject_table[] = { | 
|  | 23 | {"icmp6-no-route", "no-route", | 
|  | 24 | IP6T_ICMP6_NO_ROUTE, "ICMPv6 no route"}, | 
|  | 25 | {"icmp6-adm-prohibited", "adm-prohibited", | 
|  | 26 | IP6T_ICMP6_ADM_PROHIBITED, "ICMPv6 administratively prohibited"}, | 
|  | 27 | #if 0 | 
|  | 28 | {"icmp6-not-neighbor", "not-neighbor"}, | 
|  | 29 | IP6T_ICMP6_NOT_NEIGHBOR, "ICMPv6 not a neighbor"}, | 
|  | 30 | #endif | 
|  | 31 | {"icmp6-addr-unreachable", "addr-unreach", | 
|  | 32 | IP6T_ICMP6_ADDR_UNREACH, "ICMPv6 address unreachable"}, | 
|  | 33 | {"icmp6-port-unreachable", "port-unreach", | 
|  | 34 | IP6T_ICMP6_PORT_UNREACH, "ICMPv6 port unreachable"}, | 
|  | 35 | {"tcp-reset", "tcp-reset", | 
|  | 36 | IP6T_TCP_RESET, "TCP RST packet"} | 
|  | 37 | }; | 
|  | 38 |  | 
|  | 39 | static void | 
|  | 40 | print_reject_types(void) | 
|  | 41 | { | 
|  | 42 | unsigned int i; | 
|  | 43 |  | 
|  | 44 | printf("Valid reject types:\n"); | 
|  | 45 |  | 
|  | 46 | for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) { | 
|  | 47 | printf("    %-25s\t%s\n", reject_table[i].name, reject_table[i].desc); | 
|  | 48 | printf("    %-25s\talias\n", reject_table[i].alias); | 
|  | 49 | } | 
|  | 50 | printf("\n"); | 
|  | 51 | } | 
|  | 52 |  | 
|  | 53 | static void REJECT_help(void) | 
|  | 54 | { | 
|  | 55 | printf( | 
|  | 56 | "REJECT target options:\n" | 
|  | 57 | "--reject-with type              drop input packet and send back\n" | 
|  | 58 | "                                a reply packet according to type:\n"); | 
|  | 59 |  | 
|  | 60 | print_reject_types(); | 
|  | 61 | } | 
|  | 62 |  | 
|  | 63 | static const struct option REJECT_opts[] = { | 
|  | 64 | { "reject-with", 1, NULL, '1' }, | 
|  | 65 | { .name = NULL } | 
|  | 66 | }; | 
|  | 67 |  | 
|  | 68 | static void REJECT_init(struct xt_entry_target *t) | 
|  | 69 | { | 
|  | 70 | struct ip6t_reject_info *reject = (struct ip6t_reject_info *)t->data; | 
|  | 71 |  | 
|  | 72 | /* default */ | 
|  | 73 | reject->with = IP6T_ICMP6_PORT_UNREACH; | 
|  | 74 |  | 
|  | 75 | } | 
|  | 76 |  | 
|  | 77 | static int REJECT_parse(int c, char **argv, int invert, unsigned int *flags, | 
|  | 78 | const void *entry, struct xt_entry_target **target) | 
|  | 79 | { | 
|  | 80 | struct ip6t_reject_info *reject = | 
|  | 81 | (struct ip6t_reject_info *)(*target)->data; | 
|  | 82 | unsigned int limit = sizeof(reject_table)/sizeof(struct reject_names); | 
|  | 83 | unsigned int i; | 
|  | 84 |  | 
|  | 85 | switch(c) { | 
|  | 86 | case '1': | 
|  | 87 | if (xtables_check_inverse(optarg, &invert, NULL, 0)) | 
|  | 88 | xtables_error(PARAMETER_PROBLEM, | 
|  | 89 | "Unexpected `!' after --reject-with"); | 
|  | 90 | for (i = 0; i < limit; i++) { | 
|  | 91 | if ((strncasecmp(reject_table[i].name, optarg, strlen(optarg)) == 0) | 
|  | 92 | || (strncasecmp(reject_table[i].alias, optarg, strlen(optarg)) == 0)) { | 
|  | 93 | reject->with = reject_table[i].with; | 
|  | 94 | return 1; | 
|  | 95 | } | 
|  | 96 | } | 
|  | 97 | xtables_error(PARAMETER_PROBLEM, "unknown reject type \"%s\"", optarg); | 
|  | 98 | default: | 
|  | 99 | /* Fall through */ | 
|  | 100 | break; | 
|  | 101 | } | 
|  | 102 | return 0; | 
|  | 103 | } | 
|  | 104 |  | 
|  | 105 | static void REJECT_print(const void *ip, const struct xt_entry_target *target, | 
|  | 106 | int numeric) | 
|  | 107 | { | 
|  | 108 | const struct ip6t_reject_info *reject | 
|  | 109 | = (const struct ip6t_reject_info *)target->data; | 
|  | 110 | unsigned int i; | 
|  | 111 |  | 
|  | 112 | for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) { | 
|  | 113 | if (reject_table[i].with == reject->with) | 
|  | 114 | break; | 
|  | 115 | } | 
|  | 116 | printf("reject-with %s ", reject_table[i].name); | 
|  | 117 | } | 
|  | 118 |  | 
|  | 119 | static void REJECT_save(const void *ip, const struct xt_entry_target *target) | 
|  | 120 | { | 
|  | 121 | const struct ip6t_reject_info *reject | 
|  | 122 | = (const struct ip6t_reject_info *)target->data; | 
|  | 123 | unsigned int i; | 
|  | 124 |  | 
|  | 125 | for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) | 
|  | 126 | if (reject_table[i].with == reject->with) | 
|  | 127 | break; | 
|  | 128 |  | 
|  | 129 | printf("--reject-with %s ", reject_table[i].name); | 
|  | 130 | } | 
|  | 131 |  | 
|  | 132 | static struct xtables_target reject_tg6_reg = { | 
|  | 133 | .name = "REJECT", | 
|  | 134 | .version	= XTABLES_VERSION, | 
|  | 135 | .family		= NFPROTO_IPV6, | 
|  | 136 | .size 		= XT_ALIGN(sizeof(struct ip6t_reject_info)), | 
|  | 137 | .userspacesize 	= XT_ALIGN(sizeof(struct ip6t_reject_info)), | 
|  | 138 | .help		= REJECT_help, | 
|  | 139 | .init		= REJECT_init, | 
|  | 140 | .parse		= REJECT_parse, | 
|  | 141 | .print		= REJECT_print, | 
|  | 142 | .save		= REJECT_save, | 
|  | 143 | .extra_opts	= REJECT_opts, | 
|  | 144 | }; | 
|  | 145 |  | 
|  | 146 | void _init(void) | 
|  | 147 | { | 
|  | 148 | xtables_register_target(&reject_tg6_reg); | 
|  | 149 | } |