diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-09-26 08:35:15 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-02 12:30:49 -0400 |
| commit | c8d7b98bec43faaa6583c3135030be5eb4693acb (patch) | |
| tree | f7a8eaf696632ec402b61bbefd534d66d2b48c33 /net/ipv4 | |
| parent | 51b0a5d8c21a91801bbef9bcc8639dc0b206c6cd (diff) | |
netfilter: move nf_send_resetX() code to nf_reject_ipvX modules
Move nf_send_reset() and nf_send_reset6() to nf_reject_ipv4 and
nf_reject_ipv6 respectively. This code is shared by x_tables and
nf_tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/Kconfig | 6 | ||||
| -rw-r--r-- | net/ipv4/netfilter/Makefile | 3 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_reject_ipv4.c | 127 |
3 files changed, 136 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 345242a79db6..4c019d5c3f57 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
| @@ -61,8 +61,13 @@ config NFT_CHAIN_ROUTE_IPV4 | |||
| 61 | fields such as the source, destination, type of service and | 61 | fields such as the source, destination, type of service and |
| 62 | the packet mark. | 62 | the packet mark. |
| 63 | 63 | ||
| 64 | config NF_REJECT_IPV4 | ||
| 65 | tristate "IPv4 packet rejection" | ||
| 66 | default m if NETFILTER_ADVANCED=n | ||
| 67 | |||
| 64 | config NFT_REJECT_IPV4 | 68 | config NFT_REJECT_IPV4 |
| 65 | depends on NF_TABLES_IPV4 | 69 | depends on NF_TABLES_IPV4 |
| 70 | select NF_REJECT_IPV4 | ||
| 66 | default NFT_REJECT | 71 | default NFT_REJECT |
| 67 | tristate | 72 | tristate |
| 68 | 73 | ||
| @@ -208,6 +213,7 @@ config IP_NF_FILTER | |||
| 208 | config IP_NF_TARGET_REJECT | 213 | config IP_NF_TARGET_REJECT |
| 209 | tristate "REJECT target support" | 214 | tristate "REJECT target support" |
| 210 | depends on IP_NF_FILTER | 215 | depends on IP_NF_FILTER |
| 216 | select NF_REJECT_IPV4 | ||
| 211 | default m if NETFILTER_ADVANCED=n | 217 | default m if NETFILTER_ADVANCED=n |
| 212 | help | 218 | help |
| 213 | The REJECT target allows a filtering rule to specify that an ICMP | 219 | The REJECT target allows a filtering rule to specify that an ICMP |
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index 14488cc5fd2c..f4cef5af0969 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile | |||
| @@ -23,6 +23,9 @@ obj-$(CONFIG_NF_DEFRAG_IPV4) += nf_defrag_ipv4.o | |||
| 23 | obj-$(CONFIG_NF_LOG_ARP) += nf_log_arp.o | 23 | obj-$(CONFIG_NF_LOG_ARP) += nf_log_arp.o |
| 24 | obj-$(CONFIG_NF_LOG_IPV4) += nf_log_ipv4.o | 24 | obj-$(CONFIG_NF_LOG_IPV4) += nf_log_ipv4.o |
| 25 | 25 | ||
| 26 | # reject | ||
| 27 | obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o | ||
| 28 | |||
| 26 | # NAT helpers (nf_conntrack) | 29 | # NAT helpers (nf_conntrack) |
| 27 | obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o | 30 | obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o |
| 28 | obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o | 31 | obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o |
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c new file mode 100644 index 000000000000..b023b4eb1a96 --- /dev/null +++ b/net/ipv4/netfilter/nf_reject_ipv4.c | |||
| @@ -0,0 +1,127 @@ | |||
| 1 | /* (C) 1999-2001 Paul `Rusty' Russell | ||
| 2 | * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> | ||
| 3 | * | ||
| 4 | * This program is free software; you can redistribute it and/or modify | ||
| 5 | * it under the terms of the GNU General Public License version 2 as | ||
| 6 | * published by the Free Software Foundation. | ||
| 7 | */ | ||
| 8 | |||
| 9 | #include <net/ip.h> | ||
| 10 | #include <net/tcp.h> | ||
| 11 | #include <net/route.h> | ||
| 12 | #include <net/dst.h> | ||
| 13 | #include <linux/netfilter_ipv4.h> | ||
| 14 | |||
| 15 | /* Send RST reply */ | ||
| 16 | void nf_send_reset(struct sk_buff *oldskb, int hook) | ||
| 17 | { | ||
| 18 | struct sk_buff *nskb; | ||
| 19 | const struct iphdr *oiph; | ||
| 20 | struct iphdr *niph; | ||
| 21 | const struct tcphdr *oth; | ||
| 22 | struct tcphdr _otcph, *tcph; | ||
| 23 | |||
| 24 | /* IP header checks: fragment. */ | ||
| 25 | if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) | ||
| 26 | return; | ||
| 27 | |||
| 28 | oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), | ||
| 29 | sizeof(_otcph), &_otcph); | ||
| 30 | if (oth == NULL) | ||
| 31 | return; | ||
| 32 | |||
| 33 | /* No RST for RST. */ | ||
| 34 | if (oth->rst) | ||
| 35 | return; | ||
| 36 | |||
| 37 | if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) | ||
| 38 | return; | ||
| 39 | |||
| 40 | /* Check checksum */ | ||
| 41 | if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) | ||
| 42 | return; | ||
| 43 | oiph = ip_hdr(oldskb); | ||
| 44 | |||
| 45 | nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) + | ||
| 46 | LL_MAX_HEADER, GFP_ATOMIC); | ||
| 47 | if (!nskb) | ||
| 48 | return; | ||
| 49 | |||
| 50 | skb_reserve(nskb, LL_MAX_HEADER); | ||
| 51 | |||
| 52 | skb_reset_network_header(nskb); | ||
| 53 | niph = (struct iphdr *)skb_put(nskb, sizeof(struct iphdr)); | ||
| 54 | niph->version = 4; | ||
| 55 | niph->ihl = sizeof(struct iphdr) / 4; | ||
| 56 | niph->tos = 0; | ||
| 57 | niph->id = 0; | ||
| 58 | niph->frag_off = htons(IP_DF); | ||
| 59 | niph->protocol = IPPROTO_TCP; | ||
| 60 | niph->check = 0; | ||
| 61 | niph->saddr = oiph->daddr; | ||
| 62 | niph->daddr = oiph->saddr; | ||
| 63 | |||
| 64 | skb_reset_transport_header(nskb); | ||
| 65 | tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr)); | ||
| 66 | memset(tcph, 0, sizeof(*tcph)); | ||
| 67 | tcph->source = oth->dest; | ||
| 68 | tcph->dest = oth->source; | ||
| 69 | tcph->doff = sizeof(struct tcphdr) / 4; | ||
| 70 | |||
| 71 | if (oth->ack) | ||
| 72 | tcph->seq = oth->ack_seq; | ||
| 73 | else { | ||
| 74 | tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + | ||
| 75 | oldskb->len - ip_hdrlen(oldskb) - | ||
| 76 | (oth->doff << 2)); | ||
| 77 | tcph->ack = 1; | ||
| 78 | } | ||
| 79 | |||
| 80 | tcph->rst = 1; | ||
| 81 | tcph->check = ~tcp_v4_check(sizeof(struct tcphdr), niph->saddr, | ||
| 82 | niph->daddr, 0); | ||
| 83 | nskb->ip_summed = CHECKSUM_PARTIAL; | ||
| 84 | nskb->csum_start = (unsigned char *)tcph - nskb->head; | ||
| 85 | nskb->csum_offset = offsetof(struct tcphdr, check); | ||
| 86 | |||
| 87 | /* ip_route_me_harder expects skb->dst to be set */ | ||
| 88 | skb_dst_set_noref(nskb, skb_dst(oldskb)); | ||
| 89 | |||
| 90 | nskb->protocol = htons(ETH_P_IP); | ||
| 91 | if (ip_route_me_harder(nskb, RTN_UNSPEC)) | ||
| 92 | goto free_nskb; | ||
| 93 | |||
| 94 | niph->ttl = ip4_dst_hoplimit(skb_dst(nskb)); | ||
| 95 | |||
| 96 | /* "Never happens" */ | ||
| 97 | if (nskb->len > dst_mtu(skb_dst(nskb))) | ||
| 98 | goto free_nskb; | ||
| 99 | |||
| 100 | nf_ct_attach(nskb, oldskb); | ||
| 101 | |||
| 102 | #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) | ||
| 103 | /* If we use ip_local_out for bridged traffic, the MAC source on | ||
| 104 | * the RST will be ours, instead of the destination's. This confuses | ||
| 105 | * some routers/firewalls, and they drop the packet. So we need to | ||
| 106 | * build the eth header using the original destination's MAC as the | ||
| 107 | * source, and send the RST packet directly. | ||
| 108 | */ | ||
| 109 | if (oldskb->nf_bridge) { | ||
| 110 | struct ethhdr *oeth = eth_hdr(oldskb); | ||
| 111 | nskb->dev = oldskb->nf_bridge->physindev; | ||
| 112 | niph->tot_len = htons(nskb->len); | ||
| 113 | ip_send_check(niph); | ||
| 114 | if (dev_hard_header(nskb, nskb->dev, ntohs(nskb->protocol), | ||
| 115 | oeth->h_source, oeth->h_dest, nskb->len) < 0) | ||
| 116 | goto free_nskb; | ||
| 117 | dev_queue_xmit(nskb); | ||
| 118 | } else | ||
| 119 | #endif | ||
| 120 | ip_local_out(nskb); | ||
| 121 | |||
| 122 | return; | ||
| 123 | |||
| 124 | free_nskb: | ||
| 125 | kfree_skb(nskb); | ||
| 126 | } | ||
| 127 | EXPORT_SYMBOL_GPL(nf_send_reset); | ||