Home | History | Annotate | Download | only in extensions 
      1 #include <stdint.h>
      2 #include <stdio.h>
      3 #include <string.h>
      4 #include <xtables.h>
      5 #include <limits.h> /* INT_MAX in ip6_tables.h */
      6 #include <linux/netfilter_ipv6/ip6_tables.h>
      7 
      8 enum {
      9 	O_ICMPV6_TYPE = 0,
     10 };
     11 
     12 struct icmpv6_names {
     13 	const char *name;
     14 	uint8_t type;
     15 	uint8_t code_min, code_max;
     16 };
     17 
     18 static const struct icmpv6_names icmpv6_codes[] = {
     19 	{ "destination-unreachable", 1, 0, 0xFF },
     20 	{   "no-route", 1, 0, 0 },
     21 	{   "communication-prohibited", 1, 1, 1 },
     22 	{   "address-unreachable", 1, 3, 3 },
     23 	{   "port-unreachable", 1, 4, 4 },
     24 
     25 	{ "packet-too-big", 2, 0, 0xFF },
     26 
     27 	{ "time-exceeded", 3, 0, 0xFF },
     28 	/* Alias */ { "ttl-exceeded", 3, 0, 0xFF },
     29 	{   "ttl-zero-during-transit", 3, 0, 0 },
     30 	{   "ttl-zero-during-reassembly", 3, 1, 1 },
     31 
     32 	{ "parameter-problem", 4, 0, 0xFF },
     33 	{   "bad-header", 4, 0, 0 },
     34 	{   "unknown-header-type", 4, 1, 1 },
     35 	{   "unknown-option", 4, 2, 2 },
     36 
     37 	{ "echo-request", 128, 0, 0xFF },
     38 	/* Alias */ { "ping", 128, 0, 0xFF },
     39 
     40 	{ "echo-reply", 129, 0, 0xFF },
     41 	/* Alias */ { "pong", 129, 0, 0xFF },
     42 
     43 	{ "router-solicitation", 133, 0, 0xFF },
     44 
     45 	{ "router-advertisement", 134, 0, 0xFF },
     46 
     47 	{ "neighbour-solicitation", 135, 0, 0xFF },
     48 	/* Alias */ { "neighbor-solicitation", 135, 0, 0xFF },
     49 
     50 	{ "neighbour-advertisement", 136, 0, 0xFF },
     51 	/* Alias */ { "neighbor-advertisement", 136, 0, 0xFF },
     52 
     53 	{ "redirect", 137, 0, 0xFF },
     54 
     55 };
     56 
     57 static void
     58 print_icmpv6types(void)
     59 {
     60 	unsigned int i;
     61 	printf("Valid ICMPv6 Types:");
     62 
     63 	for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i) {
     64 		if (i && icmpv6_codes[i].type == icmpv6_codes[i-1].type) {
     65 			if (icmpv6_codes[i].code_min == icmpv6_codes[i-1].code_min
     66 			    && (icmpv6_codes[i].code_max
     67 				== icmpv6_codes[i-1].code_max))
     68 				printf(" (%s)", icmpv6_codes[i].name);
     69 			else
     70 				printf("\n   %s", icmpv6_codes[i].name);
     71 		}
     72 		else
     73 			printf("\n%s", icmpv6_codes[i].name);
     74 	}
     75 	printf("\n");
     76 }
     77 
     78 static void icmp6_help(void)
     79 {
     80 	printf(
     81 "icmpv6 match options:\n"
     82 "[!] --icmpv6-type typename	match icmpv6 type\n"
     83 "				(or numeric type or type/code)\n");
     84 	print_icmpv6types();
     85 }
     86 
     87 static const struct xt_option_entry icmp6_opts[] = {
     88 	{.name = "icmpv6-type", .id = O_ICMPV6_TYPE, .type = XTTYPE_STRING,
     89 	 .flags = XTOPT_MAND | XTOPT_INVERT},
     90 	XTOPT_TABLEEND,
     91 };
     92 
     93 static void
     94 parse_icmpv6(const char *icmpv6type, uint8_t *type, uint8_t code[])
     95 {
     96 	static const unsigned int limit = ARRAY_SIZE(icmpv6_codes);
     97 	unsigned int match = limit;
     98 	unsigned int i;
     99 
    100 	for (i = 0; i < limit; i++) {
    101 		if (strncasecmp(icmpv6_codes[i].name, icmpv6type, strlen(icmpv6type))
    102 		    == 0) {
    103 			if (match != limit)
    104 				xtables_error(PARAMETER_PROBLEM,
    105 					   "Ambiguous ICMPv6 type `%s':"
    106 					   " `%s' or `%s'?",
    107 					   icmpv6type,
    108 					   icmpv6_codes[match].name,
    109 					   icmpv6_codes[i].name);
    110 			match = i;
    111 		}
    112 	}
    113 
    114 	if (match != limit) {
    115 		*type = icmpv6_codes[match].type;
    116 		code[0] = icmpv6_codes[match].code_min;
    117 		code[1] = icmpv6_codes[match].code_max;
    118 	} else {
    119 		char *slash;
    120 		char buffer[strlen(icmpv6type) + 1];
    121 		unsigned int number;
    122 
    123 		strcpy(buffer, icmpv6type);
    124 		slash = strchr(buffer, '/');
    125 
    126 		if (slash)
    127 			*slash = '\0';
    128 
    129 		if (!xtables_strtoui(buffer, NULL, &number, 0, UINT8_MAX))
    130 			xtables_error(PARAMETER_PROBLEM,
    131 				   "Invalid ICMPv6 type `%s'\n", buffer);
    132 		*type = number;
    133 		if (slash) {
    134 			if (!xtables_strtoui(slash+1, NULL, &number, 0, UINT8_MAX))
    135 				xtables_error(PARAMETER_PROBLEM,
    136 					   "Invalid ICMPv6 code `%s'\n",
    137 					   slash+1);
    138 			code[0] = code[1] = number;
    139 		} else {
    140 			code[0] = 0;
    141 			code[1] = 0xFF;
    142 		}
    143 	}
    144 }
    145 
    146 static void icmp6_init(struct xt_entry_match *m)
    147 {
    148 	struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)m->data;
    149 
    150 	icmpv6info->code[1] = 0xFF;
    151 }
    152 
    153 static void icmp6_parse(struct xt_option_call *cb)
    154 {
    155 	struct ip6t_icmp *icmpv6info = cb->data;
    156 
    157 	xtables_option_parse(cb);
    158 	parse_icmpv6(cb->arg, &icmpv6info->type, icmpv6info->code);
    159 	if (cb->invert)
    160 		icmpv6info->invflags |= IP6T_ICMP_INV;
    161 }
    162 
    163 static void print_icmpv6type(uint8_t type,
    164 			   uint8_t code_min, uint8_t code_max,
    165 			   int invert,
    166 			   int numeric)
    167 {
    168 	if (!numeric) {
    169 		unsigned int i;
    170 
    171 		for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
    172 			if (icmpv6_codes[i].type == type
    173 			    && icmpv6_codes[i].code_min == code_min
    174 			    && icmpv6_codes[i].code_max == code_max)
    175 				break;
    176 
    177 		if (i != ARRAY_SIZE(icmpv6_codes)) {
    178 			printf(" %s%s",
    179 			       invert ? "!" : "",
    180 			       icmpv6_codes[i].name);
    181 			return;
    182 		}
    183 	}
    184 
    185 	if (invert)
    186 		printf(" !");
    187 
    188 	printf("type %u", type);
    189 	if (code_min == code_max)
    190 		printf(" code %u", code_min);
    191 	else if (code_min != 0 || code_max != 0xFF)
    192 		printf(" codes %u-%u", code_min, code_max);
    193 }
    194 
    195 static void icmp6_print(const void *ip, const struct xt_entry_match *match,
    196                         int numeric)
    197 {
    198 	const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data;
    199 
    200 	printf(" ipv6-icmp");
    201 	print_icmpv6type(icmpv6->type, icmpv6->code[0], icmpv6->code[1],
    202 		       icmpv6->invflags & IP6T_ICMP_INV,
    203 		       numeric);
    204 
    205 	if (icmpv6->invflags & ~IP6T_ICMP_INV)
    206 		printf(" Unknown invflags: 0x%X",
    207 		       icmpv6->invflags & ~IP6T_ICMP_INV);
    208 }
    209 
    210 static void icmp6_save(const void *ip, const struct xt_entry_match *match)
    211 {
    212 	const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data;
    213 
    214 	if (icmpv6->invflags & IP6T_ICMP_INV)
    215 		printf(" !");
    216 
    217 	printf(" --icmpv6-type %u", icmpv6->type);
    218 	if (icmpv6->code[0] != 0 || icmpv6->code[1] != 0xFF)
    219 		printf("/%u", icmpv6->code[0]);
    220 }
    221 
    222 static struct xtables_match icmp6_mt6_reg = {
    223 	.name 		= "icmp6",
    224 	.version 	= XTABLES_VERSION,
    225 	.family		= NFPROTO_IPV6,
    226 	.size		= XT_ALIGN(sizeof(struct ip6t_icmp)),
    227 	.userspacesize	= XT_ALIGN(sizeof(struct ip6t_icmp)),
    228 	.help		= icmp6_help,
    229 	.init		= icmp6_init,
    230 	.print		= icmp6_print,
    231 	.save		= icmp6_save,
    232 	.x6_parse	= icmp6_parse,
    233 	.x6_options	= icmp6_opts,
    234 };
    235 
    236 void _init(void)
    237 {
    238 	xtables_register_match(&icmp6_mt6_reg);
    239 }
    240