2 * This is a module which is used for rejecting packets.
3 * Added support for customized reject packets (Jozsef Kadlecsik).
5 #include <linux/config.h>
6 #include <linux/module.h>
7 #include <linux/skbuff.h>
13 #include <net/route.h>
14 #include <linux/netfilter_ipv4/ip_tables.h>
15 #include <linux/netfilter_ipv4/ipt_REJECT.h>
20 #define DEBUGP(format, args...)
24 static void send_reset(struct sk_buff *oldskb, int local)
27 struct tcphdr *otcph, *tcph;
33 /* IP header checks: fragment, too short. */
34 if (oldskb->nh.iph->frag_off & htons(IP_OFFSET)
35 || oldskb->len < (oldskb->nh.iph->ihl<<2) + sizeof(struct tcphdr))
38 otcph = (struct tcphdr *)((u_int32_t*)oldskb->nh.iph + oldskb->nh.iph->ihl);
39 otcplen = oldskb->len - oldskb->nh.iph->ihl*4;
46 if (tcp_v4_check(otcph, otcplen, oldskb->nh.iph->saddr,
47 oldskb->nh.iph->daddr,
48 csum_partial((char *)otcph, otcplen, 0)) != 0)
51 /* Copy skb (even if skb is about to be dropped, we can't just
52 clone it because there may be other things, such as tcpdump,
54 nskb = skb_copy(oldskb, GFP_ATOMIC);
58 /* This packet will not be the same as the other: clear nf fields */
59 nf_conntrack_put(nskb->nfct);
62 #ifdef CONFIG_NETFILTER_DEBUG
66 tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
68 /* Swap source and dest */
69 nskb->nh.iph->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr);
71 tcph->source = tcph->dest;
74 /* Truncate to length (no data) */
75 tcph->doff = sizeof(struct tcphdr)/4;
76 skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
77 nskb->nh.iph->tot_len = htons(nskb->len);
81 tcph->seq = otcph->ack_seq;
85 tcph->ack_seq = htonl(ntohl(otcph->seq) + otcph->syn + otcph->fin
86 + otcplen - (otcph->doff<<2));
91 ((u_int8_t *)tcph)[13] = 0;
93 tcph->ack = needs_ack;
98 /* Adjust TCP checksum */
100 tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
103 csum_partial((char *)tcph,
104 sizeof(struct tcphdr), 0));
106 /* Adjust IP TTL, DF */
107 nskb->nh.iph->ttl = MAXTTL;
109 nskb->nh.iph->frag_off = htons(IP_DF);
110 nskb->nh.iph->id = 0;
112 /* Adjust IP checksum */
113 nskb->nh.iph->check = 0;
114 nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
117 /* Routing: if not headed for us, route won't like source */
118 if (ip_route_output(&rt, nskb->nh.iph->daddr,
119 local ? nskb->nh.iph->saddr : 0,
120 RT_TOS(nskb->nh.iph->tos) | RTO_CONN,
124 dst_release(nskb->dst);
125 nskb->dst = &rt->u.dst;
127 /* "Never happens" */
128 if (nskb->len > nskb->dst->pmtu)
131 NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
139 static unsigned int reject(struct sk_buff **pskb,
140 unsigned int hooknum,
141 const struct net_device *in,
142 const struct net_device *out,
143 const void *targinfo,
146 const struct ipt_reject_info *reject = targinfo;
148 /* WARNING: This code causes reentry within iptables.
149 This means that the iptables jump stack is now crap. We
150 must return an absolute verdict. --RR */
151 switch (reject->with) {
152 case IPT_ICMP_NET_UNREACHABLE:
153 icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_NET_UNREACH, 0);
155 case IPT_ICMP_HOST_UNREACHABLE:
156 icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
158 case IPT_ICMP_PROT_UNREACHABLE:
159 icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, 0);
161 case IPT_ICMP_PORT_UNREACHABLE:
162 icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
164 case IPT_ICMP_NET_PROHIBITED:
165 icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0);
167 case IPT_ICMP_HOST_PROHIBITED:
168 icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0);
170 case IPT_ICMP_ECHOREPLY: {
171 struct icmphdr *icmph = (struct icmphdr *)
172 ((u_int32_t *)(*pskb)->nh.iph + (*pskb)->nh.iph->ihl);
173 unsigned int datalen = (*pskb)->len - (*pskb)->nh.iph->ihl * 4;
175 /* Not non-head frags, or truncated */
176 if (((ntohs((*pskb)->nh.iph->frag_off) & IP_OFFSET) == 0)
178 /* Usually I don't like cut & pasting code,
179 but dammit, my party is starting in 45
181 struct icmp_bxm icmp_param;
183 icmp_param.icmph=*icmph;
184 icmp_param.icmph.type=ICMP_ECHOREPLY;
185 icmp_param.data_ptr=(icmph+1);
186 icmp_param.data_len=datalen;
187 icmp_reply(&icmp_param, *pskb);
192 send_reset(*pskb, hooknum == NF_IP_LOCAL_IN);
199 static inline int find_ping_match(const struct ipt_entry_match *m)
201 const struct ipt_icmp *icmpinfo = (const struct ipt_icmp *)m->data;
203 if (strcmp(m->u.kernel.match->name, "icmp") == 0
204 && icmpinfo->type == ICMP_ECHO
205 && !(icmpinfo->invflags & IPT_ICMP_INV))
211 static int check(const char *tablename,
212 const struct ipt_entry *e,
214 unsigned int targinfosize,
215 unsigned int hook_mask)
217 const struct ipt_reject_info *rejinfo = targinfo;
219 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_icmp))) {
220 DEBUGP("REJECT: targinfosize %u != 0\n", targinfosize);
224 /* Only allow these for packet filtering. */
225 if (strcmp(tablename, "filter") != 0) {
226 DEBUGP("REJECT: bad table `%s'.\n", tablename);
229 if ((hook_mask & ~((1 << NF_IP_LOCAL_IN)
230 | (1 << NF_IP_FORWARD)
231 | (1 << NF_IP_LOCAL_OUT))) != 0) {
232 DEBUGP("REJECT: bad hook mask %X\n", hook_mask);
236 if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
237 /* Must specify that it's an ICMP ping packet. */
238 if (e->ip.proto != IPPROTO_ICMP
239 || (e->ip.invflags & IPT_INV_PROTO)) {
240 DEBUGP("REJECT: ECHOREPLY illegal for non-icmp\n");
243 /* Must contain ICMP match. */
244 if (IPT_MATCH_ITERATE(e, find_ping_match) == 0) {
245 DEBUGP("REJECT: ECHOREPLY illegal for non-ping\n");
248 } else if (rejinfo->with == IPT_TCP_RESET) {
249 /* Must specify that it's a TCP packet */
250 if (e->ip.proto != IPPROTO_TCP
251 || (e->ip.invflags & IPT_INV_PROTO)) {
252 DEBUGP("REJECT: TCP_RESET illegal for non-tcp\n");
260 static struct ipt_target ipt_reject_reg
261 = { { NULL, NULL }, "REJECT", reject, check, NULL, THIS_MODULE };
263 static int __init init(void)
265 if (ipt_register_target(&ipt_reject_reg))
270 static void __exit fini(void)
272 ipt_unregister_target(&ipt_reject_reg);