2 * This is a module which is used for rejecting packets.
3 * Added support for customized reject packets (Jozsef Kadlecsik).
4 * Added support for ICMP type-3-code-13 (Maciej Soltysiak). [RFC 1812]
6 #include <linux/config.h>
7 #include <linux/module.h>
8 #include <linux/skbuff.h>
10 #include <linux/udp.h>
11 #include <linux/icmp.h>
15 #include <net/route.h>
16 #include <linux/netfilter_ipv4/ip_tables.h>
17 #include <linux/netfilter_ipv4/ipt_REJECT.h>
/* Debug tracing is compiled out: DEBUGP(...) expands to nothing, so every
 * DEBUGP() call in this file (all of them are in check() below) is silent
 * and its arguments are never evaluated. */
22 #define DEBUGP(format, args...)
25 /* If the original packet is part of a connection, but the connection
26 is not confirmed, our manufactured reply will not be associated
27 with it, so we need to do this manually. */
28 static void connection_attach(struct sk_buff *new_skb, struct nf_ct_info *nfct)
/* Associate the manufactured reply @new_skb with the conntrack info @nfct
 * of the packet it answers (see the comment above).  Called from
 * send_reset() and send_unreach() below.  A NULL @nfct is a no-op.
 * NOTE(review): this listing skips lines (the original numbering jumps),
 * so the braces closing the if and the function are not visible here. */
30 void (*attach)(struct sk_buff *, struct nf_ct_info *);
32 /* Avoid module unload race with ip_ct_attach being NULLed out */
/* ip_ct_attach is loaded exactly once into the local `attach`, so the NULL
 * test and the indirect call below use the same value instead of
 * re-reading a global that another CPU may clear in between. */
33 if (nfct && (attach = ip_ct_attach) != NULL) {
/* Barrier between the pointer load above and the call through it, as the
 * original author's note on this line says. */
34 mb(); /* Just to be sure: must be read before executing this */
35 attach(new_skb, nfct);
39 static inline struct rtable *route_reverse(struct sk_buff *skb, int local)
/* Look up a route back towards the sender of @skb: the key swaps the
 * packet's source and destination addresses and keeps its TOS.
 * @local: only the parameter is visible; the branch that tests it is on
 *         a line not shown — presumably it selects the ip_route_input()
 *         path below for non-local sources (verify against full source).
 * Returns the rtable to send the reply on, or NULL when no usable route
 * exists; the return statements, the `rt` and `fl` declarations and
 * several braces are on lines not shown. */
41 struct iphdr *iph = skb->nh.iph;
/* odst is declared here but not used in any visible line. */
42 struct dst_entry *odst;
/* Reversed key: reply goes to the original source, from the original
 * destination, with the original TOS. */
47 fl.nl_u.ip4_u.daddr = iph->saddr;
48 fl.nl_u.ip4_u.saddr = iph->daddr;
49 fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
51 if (ip_route_output_key(&rt, &fl) != 0)
54 /* non-local src, find valid iif to satisfy
55 * rp-filter when calling ip_route_input. */
/* Second lookup keyed on the original destination only to learn the
 * device it is reached through; that device is then passed to
 * ip_route_input() as the incoming interface of the reversed lookup, so
 * reverse-path filtering sees a plausible iif. */
56 fl.nl_u.ip4_u.daddr = iph->daddr;
57 if (ip_route_output_key(&rt, &fl) != 0)
61 if (ip_route_input(skb, iph->saddr, iph->daddr,
62 RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
63 dst_release(&rt->u.dst);
/* The output-route reference is dropped either way; from here on rt is
 * whatever ip_route_input() left in skb->dst. */
66 dst_release(&rt->u.dst);
67 rt = (struct rtable *)skb->dst;
/* A route carrying a pending error is not usable for the reply: release
 * it instead of handing it back (the NULL return is on a line not shown). */
71 if (rt->u.dst.error) {
72 dst_release(&rt->u.dst);
80 static void send_reset(struct sk_buff *oldskb, int local)
/* Answer the TCP segment in @oldskb with a TCP RST addressed back to its
 * sender.
 * @oldskb: the packet being rejected; it is copied, never modified.
 * @local:  passed through to route_reverse(); the caller supplies
 *          hooknum == NF_IP_LOCAL_IN, i.e. whether the packet was
 *          destined to this host.
 * No return value: every failed check below simply means no RST is sent.
 * NOTE(review): this listing skips lines (the original numbering jumps),
 * so the early returns, the declarations of rt, nskb, hh_len, otcplen,
 * needs_ack, tmp_addr and tmp_port, and the error path are not visible. */
83 struct tcphdr *otcph, *tcph;
91 /* IP header checks: fragment, too short. */
/* A non-first fragment carries no TCP header, and a packet shorter than
 * IP header + minimal TCP header cannot be parsed: neither gets a reply. */
92 if (oldskb->nh.iph->frag_off & htons(IP_OFFSET)
93 || oldskb->len < (oldskb->nh.iph->ihl<<2) + sizeof(struct tcphdr))
/* otcph: the original TCP header (ihl counts 32-bit words);
 * otcplen: everything after the IP header, used below both for the
 * checksum and for the ack_seq computation. */
96 otcph = (struct tcphdr *)((u_int32_t*)oldskb->nh.iph + oldskb->nh.iph->ihl);
97 otcplen = oldskb->len - oldskb->nh.iph->ihl*4;
/* skb_copy_bits() returns < 0 when the requested bytes are not available
 * in the buffer; a segment whose header cannot be fetched gets no reply. */
99 if (skb_copy_bits(oldskb, oldskb->nh.iph->ihl*4,
100 otcph, sizeof(*otcph)) < 0)
103 /* No RST for RST. */
/* The otcph->rst test belongs here but is on a line not shown; answering
 * a RST with a RST would have two hosts trading resets indefinitely. */
107 /* Check checksum. */
/* The original segment's TCP checksum (pseudo-header plus the whole TCP
 * length) must verify before it is acted upon; a corrupted segment is
 * silently ignored. */
108 if (tcp_v4_check(otcph, otcplen, oldskb->nh.iph->saddr,
109 oldskb->nh.iph->daddr,
110 csum_partial((char *)otcph, otcplen, 0)) != 0)
/* Route back to the sender; NULL means no usable route, hence no RST. */
113 if ((rt = route_reverse(oldskb, local)) == NULL)
/* Link-layer header length of the outgoing device, rounded up to a
 * multiple of 16, reserved as headroom in the copy below. */
116 hh_len = (rt->u.dst.dev->hard_header_len + 15)&~15;
118 /* Copy skb (even if skb is about to be dropped, we can't just
119 clone it because there may be other things, such as tcpdump,
120 interested in it). We also need to expand headroom in case
121 hh_len of incoming interface < hh_len of outgoing interface */
122 nskb = skb_copy_expand(oldskb, hh_len, skb_tailroom(oldskb),
/* Presumably the copy-failed path (the if on nskb is on a line not
 * shown): give back the route reference route_reverse() handed us. */
125 dst_release(&rt->u.dst);
/* The copy inherited oldskb's dst; replace it with the reverse route so
 * the reply leaves towards the original source. */
129 dst_release(nskb->dst);
130 nskb->dst = &rt->u.dst;
132 /* This packet will not be the same as the other: clear nf fields */
/* Drop the conntrack reference the copy inherited (nskb->nfct is
 * presumably reset on the line not shown after this); connection_attach()
 * at the end re-associates the reply deliberately. */
133 nf_conntrack_put(nskb->nfct);
136 #ifdef CONFIG_NETFILTER_DEBUG
/* tcph: the TCP header inside the copy, located like otcph above. */
141 tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
143 /* Swap source and dest */
144 tmp_addr = nskb->nh.iph->saddr;
145 nskb->nh.iph->saddr = nskb->nh.iph->daddr;
146 nskb->nh.iph->daddr = tmp_addr;
147 tmp_port = tcph->source;
148 tcph->source = tcph->dest;
149 tcph->dest = tmp_port;
151 /* Truncate to length (no data) */
/* The RST has neither options nor payload: doff becomes the minimal
 * header in 32-bit words, the skb is trimmed to IP + TCP header, and
 * tot_len is refreshed to match the new length. */
152 tcph->doff = sizeof(struct tcphdr)/4;
153 skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
154 nskb->nh.iph->tot_len = htons(nskb->len);
/* Sequence numbers: the reply's seq comes from the original ack_seq, and
 * its ack_seq acknowledges everything the original segment occupied
 * (seq + SYN + FIN + payload bytes, i.e. otcplen minus the TCP header).
 * The condition choosing between these assignments and the setting of
 * needs_ack are on lines not shown. */
158 tcph->seq = otcph->ack_seq;
162 tcph->ack_seq = htonl(ntohl(otcph->seq) + otcph->syn + otcph->fin
163 + otcplen - (otcph->doff<<2));
/* Byte 13 of the TCP header is the flags byte: clear every flag, then set
 * ACK as decided above.  The RST bit itself is presumably set on the line
 * not shown between these two statements. */
168 ((u_int8_t *)tcph)[13] = 0;
170 tcph->ack = needs_ack;
175 /* Adjust TCP checksum */
/* Recomputed over the 20-byte header only; the saddr/daddr arguments are
 * on lines not shown, as is any zeroing of tcph->check beforehand. */
177 tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
180 csum_partial((char *)tcph,
181 sizeof(struct tcphdr), 0));
183 /* Adjust IP TTL, DF */
/* Fresh IP fields for the reply: maximum TTL, don't-fragment set, id 0. */
184 nskb->nh.iph->ttl = MAXTTL;
186 nskb->nh.iph->frag_off = htons(IP_DF);
187 nskb->nh.iph->id = 0;
189 /* Adjust IP checksum */
/* The check field must be zero while the header checksum is computed
 * (the length argument is on a line not shown). */
190 nskb->nh.iph->check = 0;
191 nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
194 /* "Never happens" */
/* A header-only RST should never exceed the path MTU; guarded anyway
 * (the true branch is on a line not shown). */
195 if (nskb->len > dst_pmtu(nskb->dst))
/* Tie the reply to the original packet's conntrack entry, then inject it
 * at LOCAL_OUT so it traverses the output path like locally generated
 * traffic (the okfn argument is on a line not shown). */
198 connection_attach(nskb, oldskb->nfct);
200 NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
208 static void send_unreach(struct sk_buff *skb_in, int code)
/* Answer @skb_in with an ICMP Destination Unreachable of the given @code,
 * quoting as much of the original packet as fits.
 * @skb_in: the packet being rejected; only read.
 * @code:   ICMP code for the type-3 message (one of the ICMP_*_UNREACH /
 *          ICMP_*_ANO / ICMP_PKT_FILTERED values passed by reject()).
 * Like send_reset() this is void: any failed check means no reply.
 * NOTE(review): this listing skips lines (the original numbering jumps),
 * so the early returns, the declarations of iph, udph, tos, length,
 * hh_len and data, and several statements are not visible here. */
212 struct icmphdr *icmph;
213 struct sk_buff *nskb;
/* The route already attached to the original packet; used for the rate
 * limit and the broadcast/multicast/local tests below. */
217 struct rtable *rt = (struct rtable*)skb_in->dst;
223 /* FIXME: Use sysctl number. --RR */
/* Per-destination rate limit on error replies, with a fixed 1*HZ interval
 * rather than the sysctl value the FIXME asks for. */
224 if (!xrlim_allow(&rt->u.dst, 1*HZ))
227 iph = skb_in->nh.iph;
229 /* No replies to physical multicast/broadcast */
/* pkt_type is the link-layer classification: only a frame addressed to
 * this host (PACKET_HOST) is answered. */
230 if (skb_in->pkt_type!=PACKET_HOST)
233 /* Now check at the protocol level */
/* Same rule at the IP level, using the route's flags. */
234 if (rt->rt_flags&(RTCF_BROADCAST|RTCF_MULTICAST))
237 /* Only reply to fragment 0. */
238 if (iph->frag_off&htons(IP_OFFSET))
241 /* Ensure we have at least 8 bytes of proto header. */
/* An ICMP error quotes the IP header plus the first 8 bytes of the
 * transport header; a packet without even those is not answered. */
242 if (skb_in->len < skb_in->nh.iph->ihl*4 + 8)
245 /* if UDP checksum is set, verify it's correct */
/* The bound against skb->tail keeps the udph pointer inside the linear
 * buffer.  The test for a non-zero udph->check and the return on a
 * mismatch are on lines not shown. */
246 if (iph->protocol == IPPROTO_UDP
247 && skb_in->tail-(u8*)iph >= sizeof(struct udphdr)) {
248 int datalen = skb_in->len - (iph->ihl<<2);
249 udph = (struct udphdr *)((char *)iph + (iph->ihl<<2));
251 && csum_tcpudp_magic(iph->saddr, iph->daddr,
252 datalen, IPPROTO_UDP,
253 csum_partial((char *)udph, datalen,
258 /* If we send an ICMP error to an ICMP error a mess would result.. */
/* Same tail bound for the ICMP header; the header is then fetched with
 * skb_copy_bits(), and a failed fetch means no reply (return not shown). */
259 if (iph->protocol == IPPROTO_ICMP
260 && skb_in->tail-(u8*)iph >= sizeof(struct icmphdr)) {
261 icmph = (struct icmphdr *)((char *)iph + (iph->ihl<<2));
263 if (skb_copy_bits(skb_in, skb_in->nh.iph->ihl*4,
264 icmph, sizeof(*icmph)) < 0)
267 /* Between echo-reply (0) and timestamp (13),
268 everything except echo-request (8) is an error.
269 Also, anything greater than NR_ICMP_TYPES is
270 unknown, and hence should be treated as an error... */
271 if ((icmph->type < ICMP_TIMESTAMP
272 && icmph->type != ICMP_ECHOREPLY
273 && icmph->type != ICMP_ECHO)
274 || icmph->type > NR_ICMP_TYPES)
/* What happens when the original packet was not addressed to this host
 * is on a line not shown; presumably it affects how the reply's source
 * address is chosen for the route lookup below (verify against the full
 * source). */
279 if (!(rt->rt_flags & RTCF_LOCAL))
/* Keep the original TOS bits but raise precedence to Internetwork
 * Control for the error reply. */
282 tos = (iph->tos & IPTOS_TOS_MASK) | IPTOS_PREC_INTERNETCONTROL;
/* Route the reply to the original source; the .saddr member of the key
 * is on a line not shown.  rt is replaced by the new route here. */
285 struct flowi fl = { .nl_u = { .ip4_u =
286 { .daddr = skb_in->nh.iph->saddr,
288 .tos = RT_TOS(tos) } } };
289 if (ip_route_output_key(&rt, &fl))
292 /* RFC says return as much as we can without exceeding 576 bytes. */
/* Reply length: the whole original packet plus a new IP and ICMP header,
 * capped by the path MTU (the 576-byte cap is on a line not shown). */
293 length = skb_in->len + sizeof(struct iphdr) + sizeof(struct icmphdr);
295 if (length > dst_pmtu(&rt->u.dst))
296 length = dst_pmtu(&rt->u.dst);
300 hh_len = (rt->u.dst.dev->hard_header_len + 15)&~15;
/* Room for the link-layer header, the 16-byte rounding slack and the
 * reply itself; the NULL check on nskb is on a line not shown. */
302 nskb = alloc_skb(hh_len+15+length, GFP_ATOMIC);
309 nskb->dst = &rt->u.dst;
310 skb_reserve(nskb, hh_len);
312 /* Set up IP header */
/* The assignment target (the new skb's iph) and the version/ihl/tos
 * fields are on lines not shown. */
314 = (struct iphdr *)skb_put(nskb, sizeof(struct iphdr));
318 iph->tot_len = htons(length);
320 /* PMTU discovery never applies to ICMP packets. */
/* Addresses come from the freshly looked-up route, not from the original
 * header. */
324 ip_select_ident(iph, &rt->u.dst, NULL);
325 iph->protocol=IPPROTO_ICMP;
326 iph->saddr=rt->rt_src;
327 iph->daddr=rt->rt_dst;
/* Header checksum over ihl 32-bit words; whether iph->check is zeroed
 * first is on a line not shown. */
329 iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
331 /* Set up ICMP header. */
332 icmph = nskb->h.icmph
333 = (struct icmphdr *)skb_put(nskb, sizeof(struct icmphdr));
334 icmph->type = ICMP_DEST_UNREACH;
/* icmph->code = code is presumably on the line not shown between these. */
336 icmph->un.gateway = 0;
339 /* Copy as much of original packet as will fit */
/* The line before this is presumably data = skb_put(nskb, <same length>).
 * NOTE(review): unlike the two other skb_copy_bits() calls in this file,
 * the return value here is not checked; by construction the requested
 * length is at most skb_in->len (see the length computation above), so
 * the copy cannot run past the source. */
341 length - sizeof(struct iphdr) - sizeof(struct icmphdr));
343 skb_copy_bits(skb_in, 0, data,
344 length - sizeof(struct iphdr) - sizeof(struct icmphdr));
/* Checksum over ICMP header plus quoted data; zeroing of the checksum
 * field beforehand is on a line not shown. */
346 icmph->checksum = ip_compute_csum((unsigned char *)icmph,
347 length - sizeof(struct iphdr));
/* As in send_reset(): associate the reply with the original conntrack
 * entry and inject it at LOCAL_OUT (the okfn argument is not shown). */
349 connection_attach(nskb, skb_in->nfct);
351 NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
355 static unsigned int reject(struct sk_buff **pskb,
356 const struct net_device *in,
357 const struct net_device *out,
358 unsigned int hooknum,
359 const void *targinfo,
/* Target entry point for REJECT: sends the configured reply for *pskb
 * and returns a verdict (the return statement is on a line not shown;
 * the WARNING comment below explains why it must be an absolute one).
 * @hooknum: used only to tell send_reset() whether the packet was
 *           destined to this host.
 * @targinfo: the rule's struct ipt_reject_info, validated by check().
 * NOTE(review): the listing skips lines, so the break statements, the
 * IPT_TCP_RESET case label and the closing braces are not visible. */
/* Style: this local has the same name as the enclosing function, which
 * shadows it for the rest of the body and hurts readability. */
362 const struct ipt_reject_info *reject = targinfo;
364 /* Our naive response construction doesn't deal with IP
365 options, and probably shouldn't try. */
/* ihl<<2 is the header length in bytes; anything other than the 20-byte
 * minimal header means options are present.  Correct as written since
 * << binds tighter than !=, but parentheses around (ihl<<2) would make
 * that obvious. */
366 if ((*pskb)->nh.iph->ihl<<2 != sizeof(struct iphdr))
369 /* WARNING: This code causes reentry within iptables.
370 This means that the iptables jump stack is now crap. We
371 must return an absolute verdict. --RR */
/* Dispatch on the configured reply type; each ICMP case maps one
 * IPT_ICMP_* value to the corresponding ICMP type-3 code. */
372 switch (reject->with) {
373 case IPT_ICMP_NET_UNREACHABLE:
374 send_unreach(*pskb, ICMP_NET_UNREACH);
376 case IPT_ICMP_HOST_UNREACHABLE:
377 send_unreach(*pskb, ICMP_HOST_UNREACH);
379 case IPT_ICMP_PROT_UNREACHABLE:
380 send_unreach(*pskb, ICMP_PROT_UNREACH);
382 case IPT_ICMP_PORT_UNREACHABLE:
383 send_unreach(*pskb, ICMP_PORT_UNREACH);
385 case IPT_ICMP_NET_PROHIBITED:
386 send_unreach(*pskb, ICMP_NET_ANO);
388 case IPT_ICMP_HOST_PROHIBITED:
389 send_unreach(*pskb, ICMP_HOST_ANO);
391 case IPT_ICMP_ADMIN_PROHIBITED:
392 send_unreach(*pskb, ICMP_PKT_FILTERED);
/* TCP RST (its case label is on the line not shown above this): the
 * second argument tells send_reset() whether the packet was addressed to
 * this host, which steers the reverse route lookup. */
395 send_reset(*pskb, hooknum == NF_IP_LOCAL_IN);
/* check() refuses rules with IPT_ICMP_ECHOREPLY, so this case is
 * unreachable for a validated rule. */
396 case IPT_ICMP_ECHOREPLY:
397 /* Doesn't happen. */
404 static int check(const char *tablename,
405 const struct ipt_entry *e,
407 unsigned int targinfosize,
408 unsigned int hook_mask)
/* Rule-load time validation for the REJECT target.  Every rejection
 * below is reported through DEBUGP (which this file compiles out) and
 * returns; the return statements, the targinfo parameter line and the
 * closing braces are on lines not shown. */
410 const struct ipt_reject_info *rejinfo = targinfo;
/* The target data must be exactly the aligned size of the info struct.
 * The message text says "!= 0" although the comparison is against
 * IPT_ALIGN(sizeof ...); harmless only because DEBUGP expands to nothing. */
412 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_reject_info))) {
413 DEBUGP("REJECT: targinfosize %u != 0\n", targinfosize);
417 /* Only allow these for packet filtering. */
418 if (strcmp(tablename, "filter") != 0) {
419 DEBUGP("REJECT: bad table `%s'.\n", tablename);
/* Any hook bit outside LOCAL_IN / FORWARD / LOCAL_OUT is refused, so the
 * target cannot be attached at PRE- or POST_ROUTING. */
422 if ((hook_mask & ~((1 << NF_IP_LOCAL_IN)
423 | (1 << NF_IP_FORWARD)
424 | (1 << NF_IP_LOCAL_OUT))) != 0) {
425 DEBUGP("REJECT: bad hook mask %X\n", hook_mask);
/* ECHOREPLY is refused outright.  Style: this printk carries no KERN_*
 * level prefix, unlike the DEBUGP paths. */
429 if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
430 printk("REJECT: ECHOREPLY no longer supported.\n");
432 } else if (rejinfo->with == IPT_TCP_RESET) {
433 /* Must specify that it's a TCP packet */
/* send_reset() assumes a TCP header, so the rule must match protocol TCP
 * and must not negate that match. */
434 if (e->ip.proto != IPPROTO_TCP
435 || (e->ip.invflags & IPT_INV_PROTO)) {
436 DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
/* Registration record for the target; its initializer is on lines not
 * shown (presumably wiring reject() and check() above). */
444 static struct ipt_target ipt_reject_reg = {
/* Module entry: register the target with ip_tables.  The error return on
 * failure and the success return are on lines not shown. */
451 static int __init init(void)
453 if (ipt_register_target(&ipt_reject_reg))
/* Module exit: undo the registration done in init(). */
458 static void __exit fini(void)
460 ipt_unregister_target(&ipt_reject_reg);
/* Module metadata; the module_init/module_exit lines are not shown. */
465 MODULE_LICENSE("GPL");