+128

include/net/netfilter/ipv4/nf_reject.h

reviewed

··· 1 1 + #ifndef _IPV4_NF_REJECT_H 2 2 + #define _IPV4_NF_REJECT_H 3 3 + 4 4 + #include <net/ip.h> 5 5 + #include <net/tcp.h> 6 6 + #include <net/route.h> 7 7 + #include <net/dst.h> 8 8 + 9 9 + static inline void nf_send_unreach(struct sk_buff *skb_in, int code) 10 10 + { 11 11 + icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0); 12 12 + } 13 13 + 14 14 + /* Send RST reply */ 15 15 + static void nf_send_reset(struct sk_buff *oldskb, int hook) 16 16 + { 17 17 + struct sk_buff *nskb; 18 18 + const struct iphdr *oiph; 19 19 + struct iphdr *niph; 20 20 + const struct tcphdr *oth; 21 21 + struct tcphdr _otcph, *tcph; 22 22 + 23 23 + /* IP header checks: fragment. */ 24 24 + if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) 25 25 + return; 26 26 + 27 27 + oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), 28 28 + sizeof(_otcph), &_otcph); 29 29 + if (oth == NULL) 30 30 + return; 31 31 + 32 32 + /* No RST for RST. */ 33 33 + if (oth->rst) 34 34 + return; 35 35 + 36 36 + if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) 37 37 + return; 38 38 + 39 39 + /* Check checksum */ 40 40 + if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) 41 41 + return; 42 42 + oiph = ip_hdr(oldskb); 43 43 + 44 44 + nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) + 45 45 + LL_MAX_HEADER, GFP_ATOMIC); 46 46 + if (!nskb) 47 47 + return; 48 48 + 49 49 + skb_reserve(nskb, LL_MAX_HEADER); 50 50 + 51 51 + skb_reset_network_header(nskb); 52 52 + niph = (struct iphdr *)skb_put(nskb, sizeof(struct iphdr)); 53 53 + niph->version = 4; 54 54 + niph->ihl = sizeof(struct iphdr) / 4; 55 55 + niph->tos = 0; 56 56 + niph->id = 0; 57 57 + niph->frag_off = htons(IP_DF); 58 58 + niph->protocol = IPPROTO_TCP; 59 59 + niph->check = 0; 60 60 + niph->saddr = oiph->daddr; 61 61 + niph->daddr = oiph->saddr; 62 62 + 63 63 + skb_reset_transport_header(nskb); 64 64 + tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr)); 65 65 + memset(tcph, 0, sizeof(*tcph)); 66 66 + tcph->source = oth->dest; 67 67 + tcph->dest = oth->source; 68 68 + tcph->doff = sizeof(struct tcphdr) / 4; 69 69 + 70 70 + if (oth->ack) 71 71 + tcph->seq = oth->ack_seq; 72 72 + else { 73 73 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + 74 74 + oldskb->len - ip_hdrlen(oldskb) - 75 75 + (oth->doff << 2)); 76 76 + tcph->ack = 1; 77 77 + } 78 78 + 79 79 + tcph->rst = 1; 80 80 + tcph->check = ~tcp_v4_check(sizeof(struct tcphdr), niph->saddr, 81 81 + niph->daddr, 0); 82 82 + nskb->ip_summed = CHECKSUM_PARTIAL; 83 83 + nskb->csum_start = (unsigned char *)tcph - nskb->head; 84 84 + nskb->csum_offset = offsetof(struct tcphdr, check); 85 85 + 86 86 + /* ip_route_me_harder expects skb->dst to be set */ 87 87 + skb_dst_set_noref(nskb, skb_dst(oldskb)); 88 88 + 89 89 + nskb->protocol = htons(ETH_P_IP); 90 90 + if (ip_route_me_harder(nskb, RTN_UNSPEC)) 91 91 + goto free_nskb; 92 92 + 93 93 + niph->ttl = ip4_dst_hoplimit(skb_dst(nskb)); 94 94 + 95 95 + /* "Never happens" */ 96 96 + if (nskb->len > dst_mtu(skb_dst(nskb))) 97 97 + goto free_nskb; 98 98 + 99 99 + nf_ct_attach(nskb, oldskb); 100 100 + 101 101 + #ifdef CONFIG_BRIDGE_NETFILTER 102 102 + /* If we use ip_local_out for bridged traffic, the MAC source on 103 103 + * the RST will be ours, instead of the destination's. This confuses 104 104 + * some routers/firewalls, and they drop the packet. So we need to 105 105 + * build the eth header using the original destination's MAC as the 106 106 + * source, and send the RST packet directly. 107 107 + */ 108 108 + if (oldskb->nf_bridge) { 109 109 + struct ethhdr *oeth = eth_hdr(oldskb); 110 110 + nskb->dev = oldskb->nf_bridge->physindev; 111 111 + niph->tot_len = htons(nskb->len); 112 112 + ip_send_check(niph); 113 113 + if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol), 114 114 + oeth->h_source, oeth->h_dest, nskb->len) < 0) 115 115 + goto free_nskb; 116 116 + dev_queue_xmit(nskb); 117 117 + } else 118 118 + #endif 119 119 + ip_local_out(nskb); 120 120 + 121 121 + return; 122 122 + 123 123 + free_nskb: 124 124 + kfree_skb(nskb); 125 125 + } 126 126 + 127 127 + 128 128 + #endif /* _IPV4_NF_REJECT_H */

+171

include/net/netfilter/ipv6/nf_reject.h

reviewed

··· 1 1 + #ifndef _IPV6_NF_REJECT_H 2 2 + #define _IPV6_NF_REJECT_H 3 3 + 4 4 + #include <net/ipv6.h> 5 5 + #include <net/ip6_route.h> 6 6 + #include <net/ip6_fib.h> 7 7 + #include <net/ip6_checksum.h> 8 8 + #include <linux/netfilter_ipv6.h> 9 9 + 10 10 + static inline void 11 11 + nf_send_unreach6(struct net *net, struct sk_buff *skb_in, unsigned char code, 12 12 + unsigned int hooknum) 13 13 + { 14 14 + if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL) 15 15 + skb_in->dev = net->loopback_dev; 16 16 + 17 17 + icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0); 18 18 + } 19 19 + 20 20 + /* Send RST reply */ 21 21 + static void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook) 22 22 + { 23 23 + struct sk_buff *nskb; 24 24 + struct tcphdr otcph, *tcph; 25 25 + unsigned int otcplen, hh_len; 26 26 + int tcphoff, needs_ack; 27 27 + const struct ipv6hdr *oip6h = ipv6_hdr(oldskb); 28 28 + struct ipv6hdr *ip6h; 29 29 + #define DEFAULT_TOS_VALUE 0x0U 30 30 + const __u8 tclass = DEFAULT_TOS_VALUE; 31 31 + struct dst_entry *dst = NULL; 32 32 + u8 proto; 33 33 + __be16 frag_off; 34 34 + struct flowi6 fl6; 35 35 + 36 36 + if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) || 37 37 + (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) { 38 38 + pr_debug("addr is not unicast.\n"); 39 39 + return; 40 40 + } 41 41 + 42 42 + proto = oip6h->nexthdr; 43 43 + tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto, &frag_off); 44 44 + 45 45 + if ((tcphoff < 0) || (tcphoff > oldskb->len)) { 46 46 + pr_debug("Cannot get TCP header.\n"); 47 47 + return; 48 48 + } 49 49 + 50 50 + otcplen = oldskb->len - tcphoff; 51 51 + 52 52 + /* IP header checks: fragment, too short. */ 53 53 + if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) { 54 54 + pr_debug("proto(%d) != IPPROTO_TCP, " 55 55 + "or too short. otcplen = %d\n", 56 56 + proto, otcplen); 57 57 + return; 58 58 + } 59 59 + 60 60 + if (skb_copy_bits(oldskb, tcphoff, &otcph, sizeof(struct tcphdr))) 61 61 + BUG(); 62 62 + 63 63 + /* No RST for RST. */ 64 64 + if (otcph.rst) { 65 65 + pr_debug("RST is set\n"); 66 66 + return; 67 67 + } 68 68 + 69 69 + /* Check checksum. */ 70 70 + if (nf_ip6_checksum(oldskb, hook, tcphoff, IPPROTO_TCP)) { 71 71 + pr_debug("TCP checksum is invalid\n"); 72 72 + return; 73 73 + } 74 74 + 75 75 + memset(&fl6, 0, sizeof(fl6)); 76 76 + fl6.flowi6_proto = IPPROTO_TCP; 77 77 + fl6.saddr = oip6h->daddr; 78 78 + fl6.daddr = oip6h->saddr; 79 79 + fl6.fl6_sport = otcph.dest; 80 80 + fl6.fl6_dport = otcph.source; 81 81 + security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6)); 82 82 + dst = ip6_route_output(net, NULL, &fl6); 83 83 + if (dst == NULL || dst->error) { 84 84 + dst_release(dst); 85 85 + return; 86 86 + } 87 87 + dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0); 88 88 + if (IS_ERR(dst)) 89 89 + return; 90 90 + 91 91 + hh_len = (dst->dev->hard_header_len + 15)&~15; 92 92 + nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr) 93 93 + + sizeof(struct tcphdr) + dst->trailer_len, 94 94 + GFP_ATOMIC); 95 95 + 96 96 + if (!nskb) { 97 97 + net_dbg_ratelimited("cannot alloc skb\n"); 98 98 + dst_release(dst); 99 99 + return; 100 100 + } 101 101 + 102 102 + skb_dst_set(nskb, dst); 103 103 + 104 104 + skb_reserve(nskb, hh_len + dst->header_len); 105 105 + 106 106 + skb_put(nskb, sizeof(struct ipv6hdr)); 107 107 + skb_reset_network_header(nskb); 108 108 + ip6h = ipv6_hdr(nskb); 109 109 + ip6_flow_hdr(ip6h, tclass, 0); 110 110 + ip6h->hop_limit = ip6_dst_hoplimit(dst); 111 111 + ip6h->nexthdr = IPPROTO_TCP; 112 112 + ip6h->saddr = oip6h->daddr; 113 113 + ip6h->daddr = oip6h->saddr; 114 114 + 115 115 + skb_reset_transport_header(nskb); 116 116 + tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr)); 117 117 + /* Truncate to length (no data) */ 118 118 + tcph->doff = sizeof(struct tcphdr)/4; 119 119 + tcph->source = otcph.dest; 120 120 + tcph->dest = otcph.source; 121 121 + 122 122 + if (otcph.ack) { 123 123 + needs_ack = 0; 124 124 + tcph->seq = otcph.ack_seq; 125 125 + tcph->ack_seq = 0; 126 126 + } else { 127 127 + needs_ack = 1; 128 128 + tcph->ack_seq = htonl(ntohl(otcph.seq) + otcph.syn + otcph.fin 129 129 + + otcplen - (otcph.doff<<2)); 130 130 + tcph->seq = 0; 131 131 + } 132 132 + 133 133 + /* Reset flags */ 134 134 + ((u_int8_t *)tcph)[13] = 0; 135 135 + tcph->rst = 1; 136 136 + tcph->ack = needs_ack; 137 137 + tcph->window = 0; 138 138 + tcph->urg_ptr = 0; 139 139 + tcph->check = 0; 140 140 + 141 141 + /* Adjust TCP checksum */ 142 142 + tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr, 143 143 + &ipv6_hdr(nskb)->daddr, 144 144 + sizeof(struct tcphdr), IPPROTO_TCP, 145 145 + csum_partial(tcph, 146 146 + sizeof(struct tcphdr), 0)); 147 147 + 148 148 + nf_ct_attach(nskb, oldskb); 149 149 + 150 150 + #ifdef CONFIG_BRIDGE_NETFILTER 151 151 + /* If we use ip6_local_out for bridged traffic, the MAC source on 152 152 + * the RST will be ours, instead of the destination's. This confuses 153 153 + * some routers/firewalls, and they drop the packet. So we need to 154 154 + * build the eth header using the original destination's MAC as the 155 155 + * source, and send the RST packet directly. 156 156 + */ 157 157 + if (oldskb->nf_bridge) { 158 158 + struct ethhdr *oeth = eth_hdr(oldskb); 159 159 + nskb->dev = oldskb->nf_bridge->physindev; 160 160 + nskb->protocol = htons(ETH_P_IPV6); 161 161 + ip6h->payload_len = htons(sizeof(struct tcphdr)); 162 162 + if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol), 163 163 + oeth->h_source, oeth->h_dest, nskb->len) < 0) 164 164 + return; 165 165 + dev_queue_xmit(nskb); 166 166 + } else 167 167 + #endif 168 168 + ip6_local_out(nskb); 169 169 + } 170 170 + 171 171 + #endif /* _IPV6_NF_REJECT_H */

+10 -130

net/ipv4/netfilter/ipt_REJECT.c

reviewed

··· 17 17 #include <linux/udp.h> 18 18 #include <linux/icmp.h> 19 19 #include <net/icmp.h> 20 20 - #include <net/ip.h> 21 21 - #include <net/tcp.h> 22 22 - #include <net/route.h> 23 23 - #include <net/dst.h> 24 20 #include <linux/netfilter/x_tables.h> 25 21 #include <linux/netfilter_ipv4/ip_tables.h> 26 22 #include <linux/netfilter_ipv4/ipt_REJECT.h> ··· 24 28 #include <linux/netfilter_bridge.h> 25 29 #endif 26 30 31 31 + #include <net/netfilter/ipv4/nf_reject.h> 32 32 + 27 33 MODULE_LICENSE("GPL"); 28 34 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 29 35 MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4"); 30 30 - 31 31 - /* Send RST reply */ 32 32 - static void send_reset(struct sk_buff *oldskb, int hook) 33 33 - { 34 34 - struct sk_buff *nskb; 35 35 - const struct iphdr *oiph; 36 36 - struct iphdr *niph; 37 37 - const struct tcphdr *oth; 38 38 - struct tcphdr _otcph, *tcph; 39 39 - 40 40 - /* IP header checks: fragment. */ 41 41 - if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) 42 42 - return; 43 43 - 44 44 - oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), 45 45 - sizeof(_otcph), &_otcph); 46 46 - if (oth == NULL) 47 47 - return; 48 48 - 49 49 - /* No RST for RST. */ 50 50 - if (oth->rst) 51 51 - return; 52 52 - 53 53 - if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) 54 54 - return; 55 55 - 56 56 - /* Check checksum */ 57 57 - if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) 58 58 - return; 59 59 - oiph = ip_hdr(oldskb); 60 60 - 61 61 - nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) + 62 62 - LL_MAX_HEADER, GFP_ATOMIC); 63 63 - if (!nskb) 64 64 - return; 65 65 - 66 66 - skb_reserve(nskb, LL_MAX_HEADER); 67 67 - 68 68 - skb_reset_network_header(nskb); 69 69 - niph = (struct iphdr *)skb_put(nskb, sizeof(struct iphdr)); 70 70 - niph->version = 4; 71 71 - niph->ihl = sizeof(struct iphdr) / 4; 72 72 - niph->tos = 0; 73 73 - niph->id = 0; 74 74 - niph->frag_off = htons(IP_DF); 75 75 - niph->protocol = IPPROTO_TCP; 76 76 - niph->check = 0; 77 77 - niph->saddr = oiph->daddr; 78 78 - niph->daddr = oiph->saddr; 79 79 - 80 80 - skb_reset_transport_header(nskb); 81 81 - tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr)); 82 82 - memset(tcph, 0, sizeof(*tcph)); 83 83 - tcph->source = oth->dest; 84 84 - tcph->dest = oth->source; 85 85 - tcph->doff = sizeof(struct tcphdr) / 4; 86 86 - 87 87 - if (oth->ack) 88 88 - tcph->seq = oth->ack_seq; 89 89 - else { 90 90 - tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + 91 91 - oldskb->len - ip_hdrlen(oldskb) - 92 92 - (oth->doff << 2)); 93 93 - tcph->ack = 1; 94 94 - } 95 95 - 96 96 - tcph->rst = 1; 97 97 - tcph->check = ~tcp_v4_check(sizeof(struct tcphdr), niph->saddr, 98 98 - niph->daddr, 0); 99 99 - nskb->ip_summed = CHECKSUM_PARTIAL; 100 100 - nskb->csum_start = (unsigned char *)tcph - nskb->head; 101 101 - nskb->csum_offset = offsetof(struct tcphdr, check); 102 102 - 103 103 - /* ip_route_me_harder expects skb->dst to be set */ 104 104 - skb_dst_set_noref(nskb, skb_dst(oldskb)); 105 105 - 106 106 - nskb->protocol = htons(ETH_P_IP); 107 107 - if (ip_route_me_harder(nskb, RTN_UNSPEC)) 108 108 - goto free_nskb; 109 109 - 110 110 - niph->ttl = ip4_dst_hoplimit(skb_dst(nskb)); 111 111 - 112 112 - /* "Never happens" */ 113 113 - if (nskb->len > dst_mtu(skb_dst(nskb))) 114 114 - goto free_nskb; 115 115 - 116 116 - nf_ct_attach(nskb, oldskb); 117 117 - 118 118 - #ifdef CONFIG_BRIDGE_NETFILTER 119 119 - /* If we use ip_local_out for bridged traffic, the MAC source on 120 120 - * the RST will be ours, instead of the destination's. This confuses 121 121 - * some routers/firewalls, and they drop the packet. So we need to 122 122 - * build the eth header using the original destination's MAC as the 123 123 - * source, and send the RST packet directly. 124 124 - */ 125 125 - if (oldskb->nf_bridge) { 126 126 - struct ethhdr *oeth = eth_hdr(oldskb); 127 127 - nskb->dev = oldskb->nf_bridge->physindev; 128 128 - niph->tot_len = htons(nskb->len); 129 129 - ip_send_check(niph); 130 130 - if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol), 131 131 - oeth->h_source, oeth->h_dest, nskb->len) < 0) 132 132 - goto free_nskb; 133 133 - dev_queue_xmit(nskb); 134 134 - } else 135 135 - #endif 136 136 - ip_local_out(nskb); 137 137 - 138 138 - return; 139 139 - 140 140 - free_nskb: 141 141 - kfree_skb(nskb); 142 142 - } 143 143 - 144 144 - static inline void send_unreach(struct sk_buff *skb_in, int code) 145 145 - { 146 146 - icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0); 147 147 - } 148 36 149 37 static unsigned int 150 38 reject_tg(struct sk_buff *skb, const struct xt_action_param *par) ··· 37 157 38 158 switch (reject->with) { 39 159 case IPT_ICMP_NET_UNREACHABLE: 40 40 - send_unreach(skb, ICMP_NET_UNREACH); 160 160 + nf_send_unreach(skb, ICMP_NET_UNREACH); 41 161 break; 42 162 case IPT_ICMP_HOST_UNREACHABLE: 43 43 - send_unreach(skb, ICMP_HOST_UNREACH); 163 163 + nf_send_unreach(skb, ICMP_HOST_UNREACH); 44 164 break; 45 165 case IPT_ICMP_PROT_UNREACHABLE: 46 46 - send_unreach(skb, ICMP_PROT_UNREACH); 166 166 + nf_send_unreach(skb, ICMP_PROT_UNREACH); 47 167 break; 48 168 case IPT_ICMP_PORT_UNREACHABLE: 49 49 - send_unreach(skb, ICMP_PORT_UNREACH); 169 169 + nf_send_unreach(skb, ICMP_PORT_UNREACH); 50 170 break; 51 171 case IPT_ICMP_NET_PROHIBITED: 52 52 - send_unreach(skb, ICMP_NET_ANO); 172 172 + nf_send_unreach(skb, ICMP_NET_ANO); 53 173 break; 54 174 case IPT_ICMP_HOST_PROHIBITED: 55 55 - send_unreach(skb, ICMP_HOST_ANO); 175 175 + nf_send_unreach(skb, ICMP_HOST_ANO); 56 176 break; 57 177 case IPT_ICMP_ADMIN_PROHIBITED: 58 58 - send_unreach(skb, ICMP_PKT_FILTERED); 178 178 + nf_send_unreach(skb, ICMP_PKT_FILTERED); 59 179 break; 60 180 case IPT_TCP_RESET: 61 61 - send_reset(skb, par->hooknum); 181 181 + nf_send_reset(skb, par->hooknum); 62 182 case IPT_ICMP_ECHOREPLY: 63 183 /* Doesn't happen. */ 64 184 break;

+8 -171

net/ipv6/netfilter/ip6t_REJECT.c

reviewed

··· 23 23 #include <linux/skbuff.h> 24 24 #include <linux/icmpv6.h> 25 25 #include <linux/netdevice.h> 26 26 - #include <net/ipv6.h> 27 27 - #include <net/tcp.h> 28 26 #include <net/icmp.h> 29 29 - #include <net/ip6_checksum.h> 30 30 - #include <net/ip6_fib.h> 31 31 - #include <net/ip6_route.h> 32 27 #include <net/flow.h> 33 28 #include <linux/netfilter/x_tables.h> 34 29 #include <linux/netfilter_ipv6/ip6_tables.h> 35 30 #include <linux/netfilter_ipv6/ip6t_REJECT.h> 36 31 32 32 + #include <net/netfilter/ipv6/nf_reject.h> 33 33 + 37 34 MODULE_AUTHOR("Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>"); 38 35 MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6"); 39 36 MODULE_LICENSE("GPL"); 40 37 41 41 - /* Send RST reply */ 42 42 - static void send_reset(struct net *net, struct sk_buff *oldskb, int hook) 43 43 - { 44 44 - struct sk_buff *nskb; 45 45 - struct tcphdr otcph, *tcph; 46 46 - unsigned int otcplen, hh_len; 47 47 - int tcphoff, needs_ack; 48 48 - const struct ipv6hdr *oip6h = ipv6_hdr(oldskb); 49 49 - struct ipv6hdr *ip6h; 50 50 - #define DEFAULT_TOS_VALUE 0x0U 51 51 - const __u8 tclass = DEFAULT_TOS_VALUE; 52 52 - struct dst_entry *dst = NULL; 53 53 - u8 proto; 54 54 - __be16 frag_off; 55 55 - struct flowi6 fl6; 56 56 - 57 57 - if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) || 58 58 - (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) { 59 59 - pr_debug("addr is not unicast.\n"); 60 60 - return; 61 61 - } 62 62 - 63 63 - proto = oip6h->nexthdr; 64 64 - tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto, &frag_off); 65 65 - 66 66 - if ((tcphoff < 0) || (tcphoff > oldskb->len)) { 67 67 - pr_debug("Cannot get TCP header.\n"); 68 68 - return; 69 69 - } 70 70 - 71 71 - otcplen = oldskb->len - tcphoff; 72 72 - 73 73 - /* IP header checks: fragment, too short. */ 74 74 - if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) { 75 75 - pr_debug("proto(%d) != IPPROTO_TCP, " 76 76 - "or too short. otcplen = %d\n", 77 77 - proto, otcplen); 78 78 - return; 79 79 - } 80 80 - 81 81 - if (skb_copy_bits(oldskb, tcphoff, &otcph, sizeof(struct tcphdr))) 82 82 - BUG(); 83 83 - 84 84 - /* No RST for RST. */ 85 85 - if (otcph.rst) { 86 86 - pr_debug("RST is set\n"); 87 87 - return; 88 88 - } 89 89 - 90 90 - /* Check checksum. */ 91 91 - if (nf_ip6_checksum(oldskb, hook, tcphoff, IPPROTO_TCP)) { 92 92 - pr_debug("TCP checksum is invalid\n"); 93 93 - return; 94 94 - } 95 95 - 96 96 - memset(&fl6, 0, sizeof(fl6)); 97 97 - fl6.flowi6_proto = IPPROTO_TCP; 98 98 - fl6.saddr = oip6h->daddr; 99 99 - fl6.daddr = oip6h->saddr; 100 100 - fl6.fl6_sport = otcph.dest; 101 101 - fl6.fl6_dport = otcph.source; 102 102 - security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6)); 103 103 - dst = ip6_route_output(net, NULL, &fl6); 104 104 - if (dst == NULL || dst->error) { 105 105 - dst_release(dst); 106 106 - return; 107 107 - } 108 108 - dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0); 109 109 - if (IS_ERR(dst)) 110 110 - return; 111 111 - 112 112 - hh_len = (dst->dev->hard_header_len + 15)&~15; 113 113 - nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr) 114 114 - + sizeof(struct tcphdr) + dst->trailer_len, 115 115 - GFP_ATOMIC); 116 116 - 117 117 - if (!nskb) { 118 118 - net_dbg_ratelimited("cannot alloc skb\n"); 119 119 - dst_release(dst); 120 120 - return; 121 121 - } 122 122 - 123 123 - skb_dst_set(nskb, dst); 124 124 - 125 125 - skb_reserve(nskb, hh_len + dst->header_len); 126 126 - 127 127 - skb_put(nskb, sizeof(struct ipv6hdr)); 128 128 - skb_reset_network_header(nskb); 129 129 - ip6h = ipv6_hdr(nskb); 130 130 - ip6_flow_hdr(ip6h, tclass, 0); 131 131 - ip6h->hop_limit = ip6_dst_hoplimit(dst); 132 132 - ip6h->nexthdr = IPPROTO_TCP; 133 133 - ip6h->saddr = oip6h->daddr; 134 134 - ip6h->daddr = oip6h->saddr; 135 135 - 136 136 - skb_reset_transport_header(nskb); 137 137 - tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr)); 138 138 - /* Truncate to length (no data) */ 139 139 - tcph->doff = sizeof(struct tcphdr)/4; 140 140 - tcph->source = otcph.dest; 141 141 - tcph->dest = otcph.source; 142 142 - 143 143 - if (otcph.ack) { 144 144 - needs_ack = 0; 145 145 - tcph->seq = otcph.ack_seq; 146 146 - tcph->ack_seq = 0; 147 147 - } else { 148 148 - needs_ack = 1; 149 149 - tcph->ack_seq = htonl(ntohl(otcph.seq) + otcph.syn + otcph.fin 150 150 - + otcplen - (otcph.doff<<2)); 151 151 - tcph->seq = 0; 152 152 - } 153 153 - 154 154 - /* Reset flags */ 155 155 - ((u_int8_t *)tcph)[13] = 0; 156 156 - tcph->rst = 1; 157 157 - tcph->ack = needs_ack; 158 158 - tcph->window = 0; 159 159 - tcph->urg_ptr = 0; 160 160 - tcph->check = 0; 161 161 - 162 162 - /* Adjust TCP checksum */ 163 163 - tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr, 164 164 - &ipv6_hdr(nskb)->daddr, 165 165 - sizeof(struct tcphdr), IPPROTO_TCP, 166 166 - csum_partial(tcph, 167 167 - sizeof(struct tcphdr), 0)); 168 168 - 169 169 - nf_ct_attach(nskb, oldskb); 170 170 - 171 171 - #ifdef CONFIG_BRIDGE_NETFILTER 172 172 - /* If we use ip6_local_out for bridged traffic, the MAC source on 173 173 - * the RST will be ours, instead of the destination's. This confuses 174 174 - * some routers/firewalls, and they drop the packet. So we need to 175 175 - * build the eth header using the original destination's MAC as the 176 176 - * source, and send the RST packet directly. 177 177 - */ 178 178 - if (oldskb->nf_bridge) { 179 179 - struct ethhdr *oeth = eth_hdr(oldskb); 180 180 - nskb->dev = oldskb->nf_bridge->physindev; 181 181 - nskb->protocol = htons(ETH_P_IPV6); 182 182 - ip6h->payload_len = htons(sizeof(struct tcphdr)); 183 183 - if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol), 184 184 - oeth->h_source, oeth->h_dest, nskb->len) < 0) 185 185 - return; 186 186 - dev_queue_xmit(nskb); 187 187 - } else 188 188 - #endif 189 189 - ip6_local_out(nskb); 190 190 - } 191 191 - 192 192 - static inline void 193 193 - send_unreach(struct net *net, struct sk_buff *skb_in, unsigned char code, 194 194 - unsigned int hooknum) 195 195 - { 196 196 - if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL) 197 197 - skb_in->dev = net->loopback_dev; 198 198 - 199 199 - icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0); 200 200 - } 201 38 202 39 static unsigned int 203 40 reject_tg6(struct sk_buff *skb, const struct xt_action_param *par) ··· 45 208 pr_debug("%s: medium point\n", __func__); 46 209 switch (reject->with) { 47 210 case IP6T_ICMP6_NO_ROUTE: 48 48 - send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum); 211 211 + nf_send_unreach6(net, skb, ICMPV6_NOROUTE, par->hooknum); 49 212 break; 50 213 case IP6T_ICMP6_ADM_PROHIBITED: 51 51 - send_unreach(net, skb, ICMPV6_ADM_PROHIBITED, par->hooknum); 214 214 + nf_send_unreach6(net, skb, ICMPV6_ADM_PROHIBITED, par->hooknum); 52 215 break; 53 216 case IP6T_ICMP6_NOT_NEIGHBOUR: 54 54 - send_unreach(net, skb, ICMPV6_NOT_NEIGHBOUR, par->hooknum); 217 217 + nf_send_unreach6(net, skb, ICMPV6_NOT_NEIGHBOUR, par->hooknum); 55 218 break; 56 219 case IP6T_ICMP6_ADDR_UNREACH: 57 57 - send_unreach(net, skb, ICMPV6_ADDR_UNREACH, par->hooknum); 220 220 + nf_send_unreach6(net, skb, ICMPV6_ADDR_UNREACH, par->hooknum); 58 221 break; 59 222 case IP6T_ICMP6_PORT_UNREACH: 60 60 - send_unreach(net, skb, ICMPV6_PORT_UNREACH, par->hooknum); 223 223 + nf_send_unreach6(net, skb, ICMPV6_PORT_UNREACH, par->hooknum); 61 224 break; 62 225 case IP6T_ICMP6_ECHOREPLY: 63 226 /* Do nothing */ 64 227 break; 65 228 case IP6T_TCP_RESET: 66 66 - send_reset(net, skb, par->hooknum); 229 229 + nf_send_reset6(net, skb, par->hooknum); 67 230 break; 68 231 default: 69 232 net_info_ratelimited("case %u not handled yet\n", reject->with);