search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
K2.6 patches and update.
[tomato.git] / release / src / router / iptables / extensions / libip6t_ipv6header.c
bloba260e6e1ebe59e8dd8477ee31910411e60486c7a
1 /* ipv6header match - matches IPv6 packets based
2 on whether they contain certain headers */
3
4 /* Original idea: Brad Chapman
5 * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */
6
7 #include <getopt.h>
8 #include <ip6tables.h>
9 #include <stddef.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <netdb.h>
14 #include <sys/types.h>
15
16 #include <linux/netfilter_ipv6/ip6_tables.h>
17 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
18
19 /* This maybe required
20 #include <linux/in.h>
21 #include <linux/in6.h>
22 */
23
24
25 /* A few hardcoded protocols for 'all' and in case the user has no
26 * /etc/protocols */
27 struct pprot {
28 char *name;
29 u_int8_t num;
30 };
31
32 struct numflag {
33 u_int8_t proto;
34 u_int8_t flag;
35 };
36
37 static const struct pprot chain_protos[] = {
38 { "hop-by-hop", IPPROTO_HOPOPTS },
39 { "protocol", IPPROTO_RAW },
40 { "hop", IPPROTO_HOPOPTS },
41 { "dst", IPPROTO_DSTOPTS },
42 { "route", IPPROTO_ROUTING },
43 { "frag", IPPROTO_FRAGMENT },
44 { "auth", IPPROTO_AH },
45 { "esp", IPPROTO_ESP },
46 { "none", IPPROTO_NONE },
47 { "prot", IPPROTO_RAW },
48 { "0", IPPROTO_HOPOPTS },
49 { "60", IPPROTO_DSTOPTS },
50 { "43", IPPROTO_ROUTING },
51 { "44", IPPROTO_FRAGMENT },
52 { "51", IPPROTO_AH },
53 { "50", IPPROTO_ESP },
54 { "59", IPPROTO_NONE },
55 { "255", IPPROTO_RAW },
56 /* { "all", 0 }, */
57 };
58
59 static const struct numflag chain_flags[] = {
60 { IPPROTO_HOPOPTS, MASK_HOPOPTS },
61 { IPPROTO_DSTOPTS, MASK_DSTOPTS },
62 { IPPROTO_ROUTING, MASK_ROUTING },
63 { IPPROTO_FRAGMENT, MASK_FRAGMENT },
64 { IPPROTO_AH, MASK_AH },
65 { IPPROTO_ESP, MASK_ESP },
66 { IPPROTO_NONE, MASK_NONE },
67 { IPPROTO_RAW, MASK_PROTO },
68 };
69
70 static char *
71 proto_to_name(u_int8_t proto, int nolookup)
72 {
73 unsigned int i;
74
75 if (proto && !nolookup) {
76 struct protoent *pent = getprotobynumber(proto);
77 if (pent)
78 return pent->p_name;
79 }
80
81 for (i = 0; i < sizeof(chain_protos)/sizeof(struct pprot); i++)
82 if (chain_protos[i].num == proto)
83 return chain_protos[i].name;
84
85 return NULL;
86 }
87
88 static u_int16_t
89 name_to_proto(const char *s)
90 {
91 unsigned int proto=0;
92 struct protoent *pent;
93
94 if ((pent = getprotobyname(s)))
95 proto = pent->p_proto;
96 else {
97 unsigned int i;
98 for (i = 0;
99 i < sizeof(chain_protos)/sizeof(struct pprot);
100 i++) {
101 if (strcmp(s, chain_protos[i].name) == 0) {
102 proto = chain_protos[i].num;
103 break;
104 }
105 }
106
107 if (i == sizeof(chain_protos)/sizeof(struct pprot))
108 exit_error(PARAMETER_PROBLEM,
109 "unknown header `%s' specified",
110 s);
111 }
112
113 return (u_int16_t)proto;
114 }
115
116 static unsigned int
117 add_proto_to_mask(int proto){
118 unsigned int i=0, flag=0;
119
120 for (i = 0;
121 i < sizeof(chain_flags)/sizeof(struct numflag);
122 i++) {
123 if (proto == chain_flags[i].proto){
124 flag = chain_flags[i].flag;
125 break;
126 }
127 }
128
129 if (i == sizeof(chain_flags)/sizeof(struct numflag))
130 exit_error(PARAMETER_PROBLEM,
131 "unknown header `%d' specified",
132 proto);
133
134 return flag;
135 }
136
137 static void
138 help(void)
139 {
140 printf(
141 "ipv6header v%s match options:\n"
142 "--header [!] headers Type of header to match, by name\n"
143 " names: hop,dst,route,frag,auth,esp,none,proto\n"
144 " long names: hop-by-hop,ipv6-opts,ipv6-route,\n"
145 " ipv6-frag,ah,esp,ipv6-nonxt,protocol\n"
146 " numbers: 0,60,43,44,51,50,59\n"
147 "--soft The header CONTAINS the specified extensions\n",
148 IPTABLES_VERSION);
149 }
150
151 static struct option opts[] = {
152 { "header", 1, 0, '1' },
153 { "soft", 0, 0, '2' },
154 { 0 }
155 };
156
157 static void
158 init(struct ip6t_entry_match *m, unsigned int *nfcache)
159 {
160 struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)m->data;
161
162 info->matchflags = 0x00;
163 info->invflags = 0x00;
164 info->modeflag = 0x00;
165 }
166
167 static unsigned int
168 parse_header(const char *flags) {
169 unsigned int ret = 0;
170 char *ptr;
171 char *buffer;
172
173 buffer = strdup(flags);
174
175 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
176 ret |= add_proto_to_mask(name_to_proto(ptr));
177
178 free(buffer);
179 return ret;
180 }
181
182 #define IPV6_HDR_HEADER 0x01
183 #define IPV6_HDR_SOFT 0x02
184
185 /* Parses command options; returns 0 if it ate an option */
186 static int
187 parse(int c, char **argv, int invert, unsigned int *flags,
188 const struct ip6t_entry *entry,
189 unsigned int *nfcache,
190 struct ip6t_entry_match **match)
191 {
192 struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)(*match)->data;
193
194 switch (c) {
195 case '1' :
196 /* Parse the provided header names */
197 if (*flags & IPV6_HDR_HEADER)
198 exit_error(PARAMETER_PROBLEM,
199 "Only one `--header' allowed");
200
201 check_inverse(optarg, &invert, &optind, 0);
202
203 if (! (info->matchflags = parse_header(argv[optind-1])) )
204 exit_error(PARAMETER_PROBLEM, "ip6t_ipv6header: cannot parse header names");
205
206 if (invert)
207 info->invflags |= 0xFF;
208 *flags |= IPV6_HDR_HEADER;
209 break;
210 case '2' :
211 /* Soft-mode requested? */
212 if (*flags & IPV6_HDR_SOFT)
213 exit_error(PARAMETER_PROBLEM,
214 "Only one `--soft' allowed");
215
216 info->modeflag |= 0xFF;
217 *flags |= IPV6_HDR_SOFT;
218 break;
219 default:
220 return 0;
221 }
222
223 return 1;
224 }
225
226 /* Checks the flags variable */
227 static void
228 final_check(unsigned int flags)
229 {
230 if (!flags) exit_error(PARAMETER_PROBLEM, "ip6t_ipv6header: no options specified");
231 }
232
233 static void
234 print_header(u_int8_t flags){
235 int have_flag = 0;
236
237 while (flags) {
238 unsigned int i;
239
240 for (i = 0; (flags & chain_flags[i].flag) == 0; i++);
241
242 if (have_flag)
243 printf(",");
244
245 printf("%s", proto_to_name(chain_flags[i].proto,0));
246 have_flag = 1;
247
248 flags &= ~chain_flags[i].flag;
249 }
250
251 if (!have_flag)
252 printf("NONE");
253 }
254
255 /* Prints out the match */
256 static void
257 print(const struct ip6t_ip6 *ip,
258 const struct ip6t_entry_match *match,
259 int numeric)
260 {
261 const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
262 printf("ipv6header ");
263
264 if (info->matchflags || info->invflags) {
265 printf("flags:%s", info->invflags ? "!" : "");
266 if (numeric)
267 printf("0x%02X ", info->matchflags);
268 else {
269 print_header(info->matchflags);
270 printf(" ");
271 }
272 }
273
274 if (info->modeflag)
275 printf("soft ");
276
277 return;
278 }
279
280 /* Saves the match */
281 static void
282 save(const struct ip6t_ip6 *ip,
283 const struct ip6t_entry_match *match)
284 {
285
286 const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
287
288 printf("--header ");
289 printf("%s", info->invflags ? "!" : "");
290 print_header(info->matchflags);
291 printf(" ");
292 if (info->modeflag)
293 printf("--soft ");
294
295 return;
296 }
297
298 static
299 struct ip6tables_match ipv6header = {
300 .name = "ipv6header",
301 .version = IPTABLES_VERSION,
302 .size = IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)),
303 .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)),
304 .help = &help,
305 .init = &init,
306 .parse = &parse,
307 .final_check = &final_check,
308 .print = &print,
309 .save = &save,
310 .extra_opts = opts,
311 };
312
313 void _init(void)
314 {
315 register_match6(&ipv6header);
316 }
Tomato firmware and modifications.