1 /* ipv6header match - matches IPv6 packets based
2 on whether they contain certain headers */
4 /* Original idea: Brad Chapman
5 * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */
14 #include <sys/types.h>
16 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
18 /* This maybe required
20 #include <linux/in6.h>
24 /* A few hardcoded protocols for 'all' and in case the user has no
36 static const struct pprot chain_protos[] = {
37 { "hop-by-hop", IPPROTO_HOPOPTS },
38 { "protocol", IPPROTO_RAW },
39 { "hop", IPPROTO_HOPOPTS },
40 { "dst", IPPROTO_DSTOPTS },
41 { "route", IPPROTO_ROUTING },
42 { "frag", IPPROTO_FRAGMENT },
43 { "auth", IPPROTO_AH },
44 { "esp", IPPROTO_ESP },
45 { "none", IPPROTO_NONE },
46 { "prot", IPPROTO_RAW },
47 { "0", IPPROTO_HOPOPTS },
48 { "60", IPPROTO_DSTOPTS },
49 { "43", IPPROTO_ROUTING },
50 { "44", IPPROTO_FRAGMENT },
52 { "50", IPPROTO_ESP },
53 { "59", IPPROTO_NONE },
54 { "255", IPPROTO_RAW },
58 static const struct numflag chain_flags[] = {
59 { IPPROTO_HOPOPTS, MASK_HOPOPTS },
60 { IPPROTO_DSTOPTS, MASK_DSTOPTS },
61 { IPPROTO_ROUTING, MASK_ROUTING },
62 { IPPROTO_FRAGMENT, MASK_FRAGMENT },
63 { IPPROTO_AH, MASK_AH },
64 { IPPROTO_ESP, MASK_ESP },
65 { IPPROTO_NONE, MASK_NONE },
66 { IPPROTO_RAW, MASK_PROTO },
70 proto_to_name(u_int8_t proto, int nolookup)
74 if (proto && !nolookup) {
75 struct protoent *pent = getprotobynumber(proto);
80 for (i = 0; i < sizeof(chain_protos)/sizeof(struct pprot); i++)
81 if (chain_protos[i].num == proto)
82 return chain_protos[i].name;
88 name_to_proto(const char *s)
91 struct protoent *pent;
93 if ((pent = getprotobyname(s)))
94 proto = pent->p_proto;
98 i < sizeof(chain_protos)/sizeof(struct pprot);
100 if (strcmp(s, chain_protos[i].name) == 0) {
101 proto = chain_protos[i].num;
106 if (i == sizeof(chain_protos)/sizeof(struct pprot))
107 xtables_error(PARAMETER_PROBLEM,
108 "unknown header `%s' specified",
116 add_proto_to_mask(int proto){
117 unsigned int i=0, flag=0;
120 i < sizeof(chain_flags)/sizeof(struct numflag);
122 if (proto == chain_flags[i].proto){
123 flag = chain_flags[i].flag;
128 if (i == sizeof(chain_flags)/sizeof(struct numflag))
129 xtables_error(PARAMETER_PROBLEM,
130 "unknown header `%d' specified",
136 static void ipv6header_help(void)
139 "ipv6header match options:\n"
140 "[!] --header headers Type of header to match, by name\n"
141 " names: hop,dst,route,frag,auth,esp,none,proto\n"
142 " long names: hop-by-hop,ipv6-opts,ipv6-route,\n"
143 " ipv6-frag,ah,esp,ipv6-nonxt,protocol\n"
144 " numbers: 0,60,43,44,51,50,59\n"
145 "--soft The header CONTAINS the specified extensions\n");
148 static const struct option ipv6header_opts[] = {
149 { "header", 1, NULL, '1' },
150 { "soft", 0, NULL, '2' },
154 static void ipv6header_init(struct xt_entry_match *m)
156 struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)m->data;
158 info->matchflags = 0x00;
159 info->invflags = 0x00;
160 info->modeflag = 0x00;
164 parse_header(const char *flags) {
165 unsigned int ret = 0;
169 buffer = strdup(flags);
171 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
172 ret |= add_proto_to_mask(name_to_proto(ptr));
178 #define IPV6_HDR_HEADER 0x01
179 #define IPV6_HDR_SOFT 0x02
182 ipv6header_parse(int c, char **argv, int invert, unsigned int *flags,
183 const void *entry, struct xt_entry_match **match)
185 struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)(*match)->data;
189 /* Parse the provided header names */
190 if (*flags & IPV6_HDR_HEADER)
191 xtables_error(PARAMETER_PROBLEM,
192 "Only one `--header' allowed");
194 xtables_check_inverse(optarg, &invert, &optind, 0);
196 if (! (info->matchflags = parse_header(argv[optind-1])) )
197 xtables_error(PARAMETER_PROBLEM, "ip6t_ipv6header: cannot parse header names");
200 info->invflags |= 0xFF;
201 *flags |= IPV6_HDR_HEADER;
204 /* Soft-mode requested? */
205 if (*flags & IPV6_HDR_SOFT)
206 xtables_error(PARAMETER_PROBLEM,
207 "Only one `--soft' allowed");
209 info->modeflag |= 0xFF;
210 *flags |= IPV6_HDR_SOFT;
219 static void ipv6header_check(unsigned int flags)
221 if (!flags) xtables_error(PARAMETER_PROBLEM, "ip6t_ipv6header: no options specified");
225 print_header(u_int8_t flags){
231 for (i = 0; (flags & chain_flags[i].flag) == 0; i++);
236 printf("%s", proto_to_name(chain_flags[i].proto,0));
239 flags &= ~chain_flags[i].flag;
246 static void ipv6header_print(const void *ip,
247 const struct xt_entry_match *match, int numeric)
249 const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
250 printf("ipv6header ");
252 if (info->matchflags || info->invflags) {
253 printf("flags:%s", info->invflags ? "!" : "");
255 printf("0x%02X ", info->matchflags);
257 print_header(info->matchflags);
266 static void ipv6header_save(const void *ip, const struct xt_entry_match *match)
269 const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
271 printf("%s--header ", info->invflags ? "! " : "");
272 print_header(info->matchflags);
278 static struct xtables_match ipv6header_mt6_reg = {
279 .name = "ipv6header",
280 .version = XTABLES_VERSION,
281 .family = NFPROTO_IPV6,
282 .size = XT_ALIGN(sizeof(struct ip6t_ipv6header_info)),
283 .userspacesize = XT_ALIGN(sizeof(struct ip6t_ipv6header_info)),
284 .help = ipv6header_help,
285 .init = ipv6header_init,
286 .parse = ipv6header_parse,
287 .final_check = ipv6header_check,
288 .print = ipv6header_print,
289 .save = ipv6header_save,
290 .extra_opts = ipv6header_opts,
295 xtables_register_match(&ipv6header_mt6_reg);