net/ipv6/netfilter/ip6t_ipv6header.c

   1 /* ipv6header match - matches IPv6 packets based
   2    on whether they contain certain headers */
   3
   4 /* Original idea: Brad Chapman
   5  * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */
   6
   7 /* (C) 2001-2002 Andras Kis-Szabo <kisza@sch.bme.hu>
   8  *
   9  * This program is free software; you can redistribute it and/or modify
  10  * it under the terms of the GNU General Public License version 2 as
  11  * published by the Free Software Foundation.
  12  */
  13
  14 #include <linux/module.h>
  15 #include <linux/skbuff.h>
  16 #include <linux/ipv6.h>
  17 #include <linux/types.h>
  18 #include <net/checksum.h>
  19 #include <net/ipv6.h>
  20
  21 #include <linux/netfilter_ipv6/ip6_tables.h>
  22 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
  23
  24 MODULE_LICENSE("GPL");
  25 MODULE_DESCRIPTION("IPv6 headers match");
  26 MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
  27
  28 static int
  29 ipv6header_match(const struct sk_buff *skb,
  30                  const struct net_device *in,
  31                  const struct net_device *out,
  32                  const struct xt_match *match,
  33                  const void *matchinfo,
  34                  int offset,
  35                  unsigned int protoff,
  36                  int *hotdrop)
  37 {
  38         const struct ip6t_ipv6header_info *info = matchinfo;
  39         unsigned int temp;
  40         int len;
  41         u8 nexthdr;
  42         unsigned int ptr;
  43
  44         /* Make sure this isn't an evil packet */
  45
  46         /* type of the 1st exthdr */
  47         nexthdr = skb->nh.ipv6h->nexthdr;
  48         /* pointer to the 1st exthdr */
  49         ptr = sizeof(struct ipv6hdr);
  50         /* available length */
  51         len = skb->len - ptr;
  52         temp = 0;
  53
  54         while (ip6t_ext_hdr(nexthdr)) {
  55                 struct ipv6_opt_hdr _hdr, *hp;
  56                 int hdrlen;
  57
  58                 /* Is there enough space for the next ext header? */
  59                 if (len < (int)sizeof(struct ipv6_opt_hdr))
  60                         return 0;
  61                 /* No more exthdr -> evaluate */
  62                 if (nexthdr == NEXTHDR_NONE) {
  63                         temp |= MASK_NONE;
  64                         break;
  65                 }
  66                 /* ESP -> evaluate */
  67                 if (nexthdr == NEXTHDR_ESP) {
  68                         temp |= MASK_ESP;
  69                         break;
  70                 }
  71
  72                 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
  73                 BUG_ON(hp == NULL);
  74
  75                 /* Calculate the header length */
  76                 if (nexthdr == NEXTHDR_FRAGMENT) {
  77                         hdrlen = 8;
  78                 } else if (nexthdr == NEXTHDR_AUTH)
  79                         hdrlen = (hp->hdrlen + 2) << 2;
  80                 else
  81                         hdrlen = ipv6_optlen(hp);
  82
  83                 /* set the flag */
  84                 switch (nexthdr) {
  85                 case NEXTHDR_HOP:
  86                         temp |= MASK_HOPOPTS;
  87                         break;
  88                 case NEXTHDR_ROUTING:
  89                         temp |= MASK_ROUTING;
  90                         break;
  91                 case NEXTHDR_FRAGMENT:
  92                         temp |= MASK_FRAGMENT;
  93                         break;
  94                 case NEXTHDR_AUTH:
  95                         temp |= MASK_AH;
  96                         break;
  97                 case NEXTHDR_DEST:
  98                         temp |= MASK_DSTOPTS;
  99                         break;
 100                 default:
 101                         return 0;
 102                         break;
 103                 }
 104
 105                 nexthdr = hp->nexthdr;
 106                 len -= hdrlen;
 107                 ptr += hdrlen;
 108                 if (ptr > skb->len)
 109                         break;
 110         }
 111
 112         if ((nexthdr != NEXTHDR_NONE) && (nexthdr != NEXTHDR_ESP))
 113                 temp |= MASK_PROTO;
 114
 115         if (info->modeflag)
 116                 return !((temp ^ info->matchflags ^ info->invflags)
 117                          & info->matchflags);
 118         else {
 119                 if (info->invflags)
 120                         return temp != info->matchflags;
 121                 else
 122                         return temp == info->matchflags;
 123         }
 124 }
 125
 126 static int
 127 ipv6header_checkentry(const char *tablename,
 128                       const void *ip,
 129                       const struct xt_match *match,
 130                       void *matchinfo,
 131                       unsigned int hook_mask)
 132 {
 133         const struct ip6t_ipv6header_info *info = matchinfo;
 134
 135         /* invflags is 0 or 0xff in hard mode */
 136         if ((!info->modeflag) && info->invflags != 0x00 &&
 137             info->invflags != 0xFF)
 138                 return 0;
 139
 140         return 1;
 141 }
 142
 143 static struct ip6t_match ip6t_ipv6header_match = {
 144         .name           = "ipv6header",
 145         .match          = &ipv6header_match,
 146         .matchsize      = sizeof(struct ip6t_ipv6header_info),
 147         .checkentry     = &ipv6header_checkentry,
 148         .destroy        = NULL,
 149         .me             = THIS_MODULE,
 150 };
 151
 152 static int __init ipv6header_init(void)
 153 {
 154         return ip6t_register_match(&ip6t_ipv6header_match);
 155 }
 156
 157 static void __exit ipv6header_exit(void)
 158 {
 159         ip6t_unregister_match(&ip6t_ipv6header_match);
 160 }
 161
 162 module_init(ipv6header_init);
 163 module_exit(ipv6header_exit);