1 /* ipv6header match - matches IPv6 packets based
2 on whether they contain certain headers */
4 /* Original idea: Brad Chapman
5 * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */
14 #include <sys/types.h>
16 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
18 /* This maybe required
20 #include <linux/in6.h>
24 /* A few hardcoded protocols for 'all' and in case the user has no
36 static const struct pprot chain_protos[] = {
37 { "hop-by-hop", IPPROTO_HOPOPTS },
38 { "protocol", IPPROTO_RAW },
39 { "hop", IPPROTO_HOPOPTS },
40 { "dst", IPPROTO_DSTOPTS },
41 { "route", IPPROTO_ROUTING },
42 { "frag", IPPROTO_FRAGMENT },
43 { "auth", IPPROTO_AH },
44 { "esp", IPPROTO_ESP },
45 { "none", IPPROTO_NONE },
46 { "prot", IPPROTO_RAW },
47 { "0", IPPROTO_HOPOPTS },
48 { "60", IPPROTO_DSTOPTS },
49 { "43", IPPROTO_ROUTING },
50 { "44", IPPROTO_FRAGMENT },
52 { "50", IPPROTO_ESP },
53 { "59", IPPROTO_NONE },
54 { "255", IPPROTO_RAW },
58 static const struct numflag chain_flags[] = {
59 { IPPROTO_HOPOPTS, MASK_HOPOPTS },
60 { IPPROTO_DSTOPTS, MASK_DSTOPTS },
61 { IPPROTO_ROUTING, MASK_ROUTING },
62 { IPPROTO_FRAGMENT, MASK_FRAGMENT },
63 { IPPROTO_AH, MASK_AH },
64 { IPPROTO_ESP, MASK_ESP },
65 { IPPROTO_NONE, MASK_NONE },
66 { IPPROTO_RAW, MASK_PROTO },
70 proto_to_name(u_int8_t proto, int nolookup)
74 if (proto && !nolookup) {
75 struct protoent *pent = getprotobynumber(proto);
80 for (i = 0; i < ARRAY_SIZE(chain_protos); ++i)
81 if (chain_protos[i].num == proto)
82 return chain_protos[i].name;
88 name_to_proto(const char *s)
91 struct protoent *pent;
93 if ((pent = getprotobyname(s)))
94 proto = pent->p_proto;
97 for (i = 0; i < ARRAY_SIZE(chain_protos); ++i)
98 if (strcmp(s, chain_protos[i].name) == 0) {
99 proto = chain_protos[i].num;
103 if (i == ARRAY_SIZE(chain_protos))
104 xtables_error(PARAMETER_PROBLEM,
105 "unknown header `%s' specified",
113 add_proto_to_mask(int proto){
114 unsigned int i=0, flag=0;
116 for (i = 0; i < ARRAY_SIZE(chain_flags); ++i)
117 if (proto == chain_flags[i].proto){
118 flag = chain_flags[i].flag;
122 if (i == ARRAY_SIZE(chain_flags))
123 xtables_error(PARAMETER_PROBLEM,
124 "unknown header `%d' specified",
130 static void ipv6header_help(void)
133 "ipv6header match options:\n"
134 "[!] --header headers Type of header to match, by name\n"
135 " names: hop,dst,route,frag,auth,esp,none,proto\n"
136 " long names: hop-by-hop,ipv6-opts,ipv6-route,\n"
137 " ipv6-frag,ah,esp,ipv6-nonxt,protocol\n"
138 " numbers: 0,60,43,44,51,50,59\n"
139 "--soft The header CONTAINS the specified extensions\n");
142 static const struct option ipv6header_opts[] = {
143 { "header", 1, NULL, '1' },
144 { "soft", 0, NULL, '2' },
148 static void ipv6header_init(struct xt_entry_match *m)
150 struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)m->data;
152 info->matchflags = 0x00;
153 info->invflags = 0x00;
154 info->modeflag = 0x00;
158 parse_header(const char *flags) {
159 unsigned int ret = 0;
163 buffer = strdup(flags);
165 for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
166 ret |= add_proto_to_mask(name_to_proto(ptr));
172 #define IPV6_HDR_HEADER 0x01
173 #define IPV6_HDR_SOFT 0x02
176 ipv6header_parse(int c, char **argv, int invert, unsigned int *flags,
177 const void *entry, struct xt_entry_match **match)
179 struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)(*match)->data;
183 /* Parse the provided header names */
184 if (*flags & IPV6_HDR_HEADER)
185 xtables_error(PARAMETER_PROBLEM,
186 "Only one `--header' allowed");
188 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
190 if (! (info->matchflags = parse_header(optarg)) )
191 xtables_error(PARAMETER_PROBLEM, "ip6t_ipv6header: cannot parse header names");
194 info->invflags |= 0xFF;
195 *flags |= IPV6_HDR_HEADER;
198 /* Soft-mode requested? */
199 if (*flags & IPV6_HDR_SOFT)
200 xtables_error(PARAMETER_PROBLEM,
201 "Only one `--soft' allowed");
203 info->modeflag |= 0xFF;
204 *flags |= IPV6_HDR_SOFT;
213 static void ipv6header_check(unsigned int flags)
215 if (!flags) xtables_error(PARAMETER_PROBLEM, "ip6t_ipv6header: no options specified");
219 print_header(u_int8_t flags){
225 for (i = 0; (flags & chain_flags[i].flag) == 0; i++);
230 printf("%s", proto_to_name(chain_flags[i].proto,0));
233 flags &= ~chain_flags[i].flag;
240 static void ipv6header_print(const void *ip,
241 const struct xt_entry_match *match, int numeric)
243 const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
244 printf("ipv6header ");
246 if (info->matchflags || info->invflags) {
247 printf("flags:%s", info->invflags ? "!" : "");
249 printf("0x%02X ", info->matchflags);
251 print_header(info->matchflags);
260 static void ipv6header_save(const void *ip, const struct xt_entry_match *match)
263 const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
265 printf("%s--header ", info->invflags ? "! " : "");
266 print_header(info->matchflags);
272 static struct xtables_match ipv6header_mt6_reg = {
273 .name = "ipv6header",
274 .version = XTABLES_VERSION,
275 .family = NFPROTO_IPV6,
276 .size = XT_ALIGN(sizeof(struct ip6t_ipv6header_info)),
277 .userspacesize = XT_ALIGN(sizeof(struct ip6t_ipv6header_info)),
278 .help = ipv6header_help,
279 .init = ipv6header_init,
280 .parse = ipv6header_parse,
281 .final_check = ipv6header_check,
282 .print = ipv6header_print,
283 .save = ipv6header_save,
284 .extra_opts = ipv6header_opts,
289 xtables_register_match(&ipv6header_mt6_reg);