/* Shared library add-on to ip6tables to add customized REJECT support.
 *
 * (C) 2000 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
 *
 * ported to IPv6 by Harald Welte <laforge@gnumonks.org>
 *
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <xtables.h>
#include <linux/netfilter_ipv6/ip6t_REJECT.h>
12
/*
 * One row of the --reject-with lookup table: the two spellings accepted on
 * the command line, the value they select, and the text shown in the help.
 * Field order is relied on by any positional initializer of this struct.
 */
struct reject_names {
	const char *name;		/* full name; also what print/save emit */
	const char *alias;		/* shorter spelling accepted by the parser */
	enum ip6t_reject_with with;	/* value stored in ip6t_reject_info.with */
	const char *desc;		/* one-line description for the help listing */
};
19
/* Option ids used in REJECT_opts. */
enum {
	O_REJECT_WITH = 0,	/* --reject-with */
};
23
/*
 * Reject types understood by --reject-with.
 *
 * Row order is significant: REJECT_parse returns the first row whose name or
 * alias matches the argument, and REJECT_print/REJECT_save look a row up by
 * its .with value.  A .with value that has no row here (for example the
 * disabled not-neighbor entry below) has no printable name.
 */
static const struct reject_names reject_table[] = {
	{
		.name  = "icmp6-no-route",
		.alias = "no-route",
		.with  = IP6T_ICMP6_NO_ROUTE,
		.desc  = "ICMPv6 no route",
	},
	{
		.name  = "icmp6-adm-prohibited",
		.alias = "adm-prohibited",
		.with  = IP6T_ICMP6_ADM_PROHIBITED,
		.desc  = "ICMPv6 administratively prohibited",
	},
#if 0	/* entry compiled out */
	{
		.name  = "icmp6-not-neighbor",
		.alias = "not-neighbor",
		.with  = IP6T_ICMP6_NOT_NEIGHBOR,
		.desc  = "ICMPv6 not a neighbor",
	},
#endif
	{
		.name  = "icmp6-addr-unreachable",
		.alias = "addr-unreach",
		.with  = IP6T_ICMP6_ADDR_UNREACH,
		.desc  = "ICMPv6 address unreachable",
	},
	{
		.name  = "icmp6-port-unreachable",
		.alias = "port-unreach",
		.with  = IP6T_ICMP6_PORT_UNREACH,
		.desc  = "ICMPv6 port unreachable",
	},
	{
		.name  = "icmp6-src-addr-policy",
		.alias = "src-addr-policy",
		.with  = IP6T_ICMP6_SRC_ADDR_FAIL_POLICY,
		.desc  = "ICMPv6 src addr fails ingress/egress policy",
	},
	{
		.name  = "tcp-reset",
		.alias = "tcp-reset",
		.with  = IP6T_TCP_RESET,
		.desc  = "TCP RST packet",
	},
};
42
/*
 * Write the list of accepted reject types to stdout: for each row of
 * reject_table, the full name with its description, then the alias.
 */
static void
print_reject_types(void)
{
	const struct reject_names *row = reject_table;
	const struct reject_names *const end =
		reject_table + ARRAY_SIZE(reject_table);

	printf("Valid reject types:\n");

	while (row != end) {
		printf("    %-25s\t%s\n", row->name, row->desc);
		printf("    %-25s\talias\n", row->alias);
		++row;
	}
	printf("\n");
}
56
/* Help callback: describe --reject-with, then list the accepted types. */
static void REJECT_help(void)
{
	/* The text holds no conversion specifiers, so fputs prints it verbatim. */
	fputs(
"REJECT target options:\n"
"--reject-with type              drop input packet and send back\n"
"                                a reply packet according to type:\n",
	      stdout);

	print_reject_types();
}
66
/*
 * Option table for the target.  --reject-with is taken as a plain string;
 * REJECT_parse maps it to an ip6t_reject_with value.
 */
static const struct xt_option_entry REJECT_opts[] = {
	{
		.name = "reject-with",
		.id   = O_REJECT_WITH,
		.type = XTTYPE_STRING,
	},
	XTOPT_TABLEEND,
};
71
/*
 * Init callback: set the reject type used when --reject-with is not given.
 * The target's data area is treated as a struct ip6t_reject_info.
 */
static void REJECT_init(struct xt_entry_target *t)
{
	struct ip6t_reject_info *info = (struct ip6t_reject_info *)t->data;

	/* Default reply: ICMPv6 port unreachable. */
	info->with = IP6T_ICMP6_PORT_UNREACH;
}
80
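/*
 * Parse callback for --reject-with: resolve the argument to a reject type and
 * store it in the target data.
 *
 * The argument is compared case-insensitively as a prefix of each row's name
 * and alias, so abbreviations are accepted.  An empty argument is a prefix of
 * every name and previously selected the first table row without any
 * diagnostic; it is now rejected like any other unknown type.
 *
 * NOTE(review): prefix matching is kept for compatibility, but an ambiguous
 * prefix (e.g. "icmp6-a", which fits both icmp6-adm-prohibited and
 * icmp6-addr-unreachable) still resolves to whichever row comes first in
 * reject_table.  Rule authors who need a specific reply type should spell the
 * name out in full.
 *
 * Does not return normally on an unknown type: xtables_error() is called.
 */
static void REJECT_parse(struct xt_option_call *cb)
{
	struct ip6t_reject_info *reject = cb->data;
	size_t arglen;
	unsigned int i;

	xtables_option_parse(cb);

	/* Measure once; a zero length must not reach the prefix comparison. */
	arglen = strlen(cb->arg);
	if (arglen != 0) {
		for (i = 0; i < ARRAY_SIZE(reject_table); ++i) {
			if (strncasecmp(reject_table[i].name,
					cb->arg, arglen) == 0 ||
			    strncasecmp(reject_table[i].alias,
					cb->arg, arglen) == 0) {
				reject->with = reject_table[i].with;
				return;
			}
		}
	}
	xtables_error(PARAMETER_PROBLEM,
		"unknown reject type \"%s\"", cb->arg);
}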
98
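/*
 * Print callback: write " reject-with <name>" for the rule's reject type.
 *
 * The type is read from the rule data, which this function does not control,
 * so it may hold a value with no row in reject_table (the table has a
 * compiled-out entry, for one).  The original indexed reject_table[] one past
 * its end in that case; the value is now printed numerically instead.
 *
 * ip and numeric are unused.
 */
static void REJECT_print(const void *ip, const struct xt_entry_target *target,
                         int numeric)
{
	const struct ip6t_reject_info *reject
		= (const struct ip6t_reject_info *)target->data;
	unsigned int i;

	for (i = 0; i < ARRAY_SIZE(reject_table); ++i) {
		if (reject_table[i].with == reject->with) {
			printf(" reject-with %s", reject_table[i].name);
			return;
		}
	}

	/* No row matched: never dereference reject_table[ARRAY_SIZE]. */
	printf(" reject-with unknown(%u)", (unsigned int)reject->with);
}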
111
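/*
 * Save callback: write " --reject-with <name>" for the rule's reject type.
 *
 * As in REJECT_print, the stored type may have no row in reject_table; the
 * original then read reject_table[] one past its end.  The fallback text
 * "unknown(<n>)" matches no name or alias, so REJECT_parse refuses it on
 * reload and the rule fails visibly rather than being restored with a
 * different reject type.
 *
 * ip is unused.
 */
static void REJECT_save(const void *ip, const struct xt_entry_target *target)
{
	const struct ip6t_reject_info *reject
		= (const struct ip6t_reject_info *)target->data;
	unsigned int i;

	for (i = 0; i < ARRAY_SIZE(reject_table); ++i) {
		if (reject_table[i].with == reject->with) {
			printf(" --reject-with %s", reject_table[i].name);
			return;
		}
	}

	/* No row matched: never dereference reject_table[ARRAY_SIZE]. */
	printf(" --reject-with unknown(%u)", (unsigned int)reject->with);
}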
124
/*
 * Registration record for the IPv6 REJECT target: identity, the size of the
 * per-rule data (struct ip6t_reject_info, aligned with XT_ALIGN), and the
 * callbacks defined in this file.
 */
static struct xtables_target reject_tg6_reg = {
	/* identity */
	.name          = "REJECT",
	.version       = XTABLES_VERSION,
	.family        = NFPROTO_IPV6,

	/* per-rule data size */
	.size          = XT_ALIGN(sizeof(struct ip6t_reject_info)),
	.userspacesize = XT_ALIGN(sizeof(struct ip6t_reject_info)),

	/* callbacks */
	.help          = REJECT_help,
	.init          = REJECT_init,
	.print         = REJECT_print,
	.save          = REJECT_save,
	.x6_parse      = REJECT_parse,
	.x6_options    = REJECT_opts,
};
138
/*
 * Register the IPv6 REJECT target with xtables.
 * NOTE(review): how and when _init is invoked is decided outside this file
 * (build flags or xtables.h) - confirm before renaming.
 */
void _init(void)
{
	xtables_register_target(&reject_tg6_reg);
}
143