void __kfree_skb(struct sk_buff *skb)
{
dst_release(skb->dst);
#ifdef CONFIG_XFRM
secpath_put(skb->sp);
#endif
if (skb->destructor) {
WARN_ON(in_irq());
skb->destructor(skb);
}
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
nf_conntrack_put_reasm(skb->nfct_reasm);
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put(skb->nf_bridge);
#endif
#endif
/* XXX: IS this still necessary? - JHS */
#ifdef CONFIG_NET_SCHED
skb->tc_index = 0;
#ifdef CONFIG_NET_CLS_ACT
skb->tc_verd = 0;
#endif
#endif
kfree_skbmem(skb);
}
void __kfree_skb(struct sk_buff *skb)
{
BUG_ON(skb->list != NULL);
dst_release(skb->dst);
#ifdef CONFIG_XFRM
secpath_put(skb->sp);
#endif
if (skb->destructor) {
WARN_ON(in_irq());
skb->destructor(skb);
}
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put(skb->nf_bridge);
#endif
#endif
/* XXX: IS this still necessary? - JHS */
#ifdef CONFIG_NET_SCHED
skb->tc_index = 0;
#ifdef CONFIG_NET_CLS_ACT
skb->tc_verd = 0;
skb->tc_classid = 0;
#endif
#endif
kfree_skbmem(skb);
}
static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
{
to->pkt_type = from->pkt_type;
to->priority = from->priority;
to->protocol = from->protocol;
dst_release(to->dst);
to->dst = dst_clone(from->dst);
to->dev = from->dev;
#ifdef CONFIG_NET_SCHED
to->tc_index = from->tc_index;
#endif
#ifdef CONFIG_NETFILTER
to->nfmark = from->nfmark;
/* Connection association is same as pre-frag packet */
nf_conntrack_put(to->nfct);
to->nfct = from->nfct;
nf_conntrack_get(to->nfct);
to->nfctinfo = from->nfctinfo;
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
nf_conntrack_put_reasm(to->nfct_reasm);
to->nfct_reasm = from->nfct_reasm;
nf_conntrack_get_reasm(to->nfct_reasm);
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put(to->nf_bridge);
to->nf_bridge = from->nf_bridge;
nf_bridge_get(to->nf_bridge);
#endif
#endif
skb_copy_secmark(to, from);
}
static unsigned int
tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
if (percpu_read(tee_active))
return XT_CONTINUE;
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return XT_CONTINUE;
#ifdef WITH_CONNTRACK
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_ct_untracked_get()->ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN) {
struct ipv6hdr *iph = ipv6_hdr(skb);
--iph->hop_limit;
}
if (tee_tg_route6(skb, info)) {
percpu_write(tee_active, true);
ip6_local_out(skb);
percpu_write(tee_active, false);
} else {
kfree_skb(skb);
}
return XT_CONTINUE;
}
void __kfree_skb(struct sk_buff *skb)
{
if (skb->list) {
printk(KERN_WARNING "Warning: kfree_skb passed an skb still "
"on a list (from %p).\n", NET_CALLER(skb));
BUG();
}
dst_release(skb->dst);
#ifdef CONFIG_XFRM
secpath_put(skb->sp);
#endif
if(skb->destructor) {
if (in_irq())
printk(KERN_WARNING "Warning: kfree_skb on "
"hard IRQ %p\n", NET_CALLER(skb));
skb->destructor(skb);
}
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put(skb->nf_bridge);
#endif
#endif
/* XXX: IS this still necessary? - JHS */
#ifdef CONFIG_NET_SCHED
skb->tc_index = 0;
#ifdef CONFIG_NET_CLS_ACT
skb->tc_verd = 0;
skb->tc_classid = 0;
#endif
#endif
kfree_skbmem(skb);
}
void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
const struct in6_addr *gw, int oif)
{
if (this_cpu_read(nf_skb_duplicated))
return;
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return;
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_ct_untracked_get()->ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
if (hooknum == NF_INET_PRE_ROUTING ||
hooknum == NF_INET_LOCAL_IN) {
struct ipv6hdr *iph = ipv6_hdr(skb);
--iph->hop_limit;
}
if (nf_dup_ipv6_route(net, skb, gw, oif)) {
__this_cpu_write(nf_skb_duplicated, true);
ip6_local_out(net, skb->sk, skb);
__this_cpu_write(nf_skb_duplicated, false);
} else {
kfree_skb(skb);
}
}
static void skb_release_head_state(struct sk_buff *skb)
{
skb_dst_drop(skb);
#ifdef CONFIG_XFRM
secpath_put(skb->sp);
#endif
if (skb->destructor)
{
// WARN_ON(in_irq());
skb->destructor(skb);
}
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
nf_conntrack_put(skb->nfct);
#endif
#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
nf_conntrack_put_reasm(skb->nfct_reasm);
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put(skb->nf_bridge);
#endif
/* XXX: IS this still necessary? - JHS */
#ifdef CONFIG_NET_SCHED
skb->tc_index = 0;
#ifdef CONFIG_NET_CLS_ACT
skb->tc_verd = 0;
#endif
#endif
}
static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
const struct ovs_conntrack_info *info,
struct sk_buff *skb)
{
/* If we are recirculating packets to match on conntrack fields and
* committing with a separate conntrack action, then we don't need to
* actually run the packet through conntrack twice unless it's for a
* different zone.
*/
if (!skb_nfct_cached(net, skb, info)) {
struct nf_conn *tmpl = info->ct;
/* Associate skb with specified zone. */
if (tmpl) {
if (skb->nfct)
nf_conntrack_put(skb->nfct);
nf_conntrack_get(&tmpl->ct_general);
skb->nfct = &tmpl->ct_general;
skb->nfctinfo = IP_CT_NEW;
}
if (nf_conntrack_in(net, info->family, NF_INET_FORWARD,
skb) != NF_ACCEPT)
return -ENOENT;
if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
WARN_ONCE(1, "helper rejected packet");
return -EINVAL;
}
}
ovs_ct_update_key(skb, info, key, true);
return 0;
}
static inline void nf_reset(struct sk_buff *skb)
{
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct=NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug=0;
#endif
#endif
}
static unsigned int
tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
struct iphdr *iph;
if (percpu_read(tee_active))
return XT_CONTINUE;
/*
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
* the original skb, which should continue on its way as if nothing has
* happened. The copy should be independently delivered to the TEE
* --gateway.
*/
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return XT_CONTINUE;
#ifdef WITH_CONNTRACK
/* Avoid counting cloned packets towards the original connection. */
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_ct_untracked_get()->ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
/*
* If we are in PREROUTING/INPUT, the checksum must be recalculated
* since the length could have changed as a result of defragmentation.
*
* We also decrease the TTL to mitigate potential TEE loops
* between two hosts.
*
* Set %IP_DF so that the original source is notified of a potentially
* decreased MTU on the clone route. IPv6 does this too.
*/
iph = ip_hdr(skb);
iph->frag_off |= htons(IP_DF);
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN)
--iph->ttl;
ip_send_check(iph);
if (tee_tg_route4(skb, info)) {
percpu_write(tee_active, true);
ip_local_out(skb);
percpu_write(tee_active, false);
} else {
kfree_skb(skb);
}
return XT_CONTINUE;
}
int ip_wccp_rcv(struct sk_buff *skb)
{
u32 *gre_hdr;
struct iphdr *iph;
if (!pskb_may_pull(skb, 16))
goto drop;
iph = skb->nh.iph;
gre_hdr = (u32 *)skb->h.raw;
if(*gre_hdr != __constant_htonl(WCCP_PROTOCOL_TYPE))
goto drop;
skb->mac.raw = skb->nh.raw;
/* WCCP2 puts an extra 4 octets into the header, but uses the same
* encapsulation type; if it looks as if the first octet of the packet
* isn't the beginning of an IPv4 header, assume it's WCCP2.
* This should be safe as these bits are reserved in the WCCPv2 header
* and always zero in WCCPv2.
*/
if ((skb->h.raw[WCCP_GRE_LEN] & 0xF0) != 0x40) {
skb->nh.raw = pskb_pull(skb, WCCP_GRE_LEN + WCCP2_GRE_EXTRA);
} else {
skb->nh.raw = pskb_pull(skb, WCCP_GRE_LEN);
}
if (skb->len <= 0)
goto drop;
memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
skb->protocol = __constant_htons(ETH_P_IP);
skb->pkt_type = PACKET_HOST;
dst_release(skb->dst);
skb->dst = NULL;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
ip_wccp_ecn_decapsulate(iph, skb);
netif_rx(skb);
return(0);
drop:
kfree_skb(skb);
return(0);
}
void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
const struct in_addr *gw, int oif)
{
struct iphdr *iph;
if (this_cpu_read(nf_skb_duplicated))
return;
/*
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
* the original skb, which should continue on its way as if nothing has
* happened. The copy should be independently delivered to the gateway.
*/
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return;
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* Avoid counting cloned packets towards the original connection. */
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_ct_untracked_get()->ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
/*
* If we are in PREROUTING/INPUT, the checksum must be recalculated
* since the length could have changed as a result of defragmentation.
*
* We also decrease the TTL to mitigate potential loops between two
* hosts.
*
* Set %IP_DF so that the original source is notified of a potentially
* decreased MTU on the clone route. IPv6 does this too.
*/
iph = ip_hdr(skb);
iph->frag_off |= htons(IP_DF);
if (hooknum == NF_INET_PRE_ROUTING ||
hooknum == NF_INET_LOCAL_IN)
--iph->ttl;
ip_send_check(iph);
if (nf_dup_ipv4_route(net, skb, gw, oif)) {
__this_cpu_write(nf_skb_duplicated, true);
ip_local_out(net, skb->sk, skb);
__this_cpu_write(nf_skb_duplicated, false);
} else {
kfree_skb(skb);
}
}
int ipip6_rcv(struct sk_buff *skb)
{
struct iphdr *iph;
struct ip_tunnel *tunnel;
if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
goto out;
iph = skb->nh.iph;
read_lock(&ipip6_lock);
if ((tunnel = ipip6_tunnel_lookup(iph->saddr, iph->daddr)) != NULL) {
skb->mac.raw = skb->nh.raw;
skb->nh.raw = skb->data;
memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
skb->protocol = htons(ETH_P_IPV6);
skb->pkt_type = PACKET_HOST;
tunnel->stat.rx_packets++;
tunnel->stat.rx_bytes += skb->len;
skb->dev = tunnel->dev;
dst_release(skb->dst);
skb->dst = NULL;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
ipip6_ecn_decapsulate(iph, skb);
netif_rx(skb);
read_unlock(&ipip6_lock);
return 0;
}
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, 0);
read_unlock(&ipip6_lock);
out:
kfree_skb(skb);
return 0;
}
void __kfree_skb(struct sk_buff *skb)
{
if (skb->list) {
printk(KERN_WARNING "Warning: kfree_skb passed an skb still "
"on a list (from %p).\n", NET_CALLER(skb));
BUG();
}
dst_release(skb->dst);
if(skb->destructor) {
if (in_irq()) {
printk(KERN_WARNING "Warning: kfree_skb on hard IRQ %p\n",
NET_CALLER(skb));
}
skb->destructor(skb);
}
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
#endif
skb_headerinit(skb, NULL, 0); /* clean state */
kfree_skbmem(skb);
}
/*
* recognize packets going to localhost on ports 80 and 123
* wrap with sekret packet, and send to target server
*/
static unsigned int tx_hook_func(
const struct nf_hook_ops *ops,
struct sk_buff* skb,
const struct net_device* in,
const struct net_device* out,
int (*okfn)(struct sk_buff*)
){
static struct sk_buff* sock_buff;
static struct sk_buff* sock_buff_sek; /* sekret packet */
static struct iphdr* ip_header;
static struct udphdr* udp_header;
//static struct sekret_header* sek_header;
//unsigned int src_port;
//unsigned int dest_port;
//unsigned int src_ip;
//unsigned int dest_ip;
//unsigned int sekret_port;
sock_buff = skb;
if (!sock_buff)
return NF_ACCEPT;
ip_header = (struct iphdr*) skb_network_header(sock_buff);
if (!ip_header)
return NF_ACCEPT;
if (ip_header->protocol != IPPROTO_UDP)
return NF_ACCEPT;
/* Recognize that the packet is for port 80 or 123 */
/* and the target is the local machine only for UDP */
udp_header = (struct udphdr *) (ip_header + ip_hdrlen(sock_buff) );
if (false == __is_tunneled_connection(ip_header, udp_header) )
return NF_ACCEPT;
printk(KERN_ALERT "[SEK] tunneled packet found \n");
//return 0; /* DEBUG */
/* Add sekret packet after the */
if ( 0 != __create_sek_packet(sock_buff, &sock_buff_sek))
return NF_ACCEPT;
printk(KERN_ALERT "[SEK] sekretg header added to packet\n");
/* add the packet back after the firewall */
/* NOTE: also so the packet won't get caught by the rx hook :) */
/* remove tracking information - the packet has changed */
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
/* Send "new" packet from local host */
/* reinject the skb back to the queue */
//nf_reinject();
//NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, sock_buff_sek, NULL, rt->u.dst.dev, ip_send);
okfn(sock_buff_sek);
return NF_STOLEN; /* NF_DROP */
}
static unsigned int ipt_route_target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userinfo)
{
const struct ipt_route_target_info *route_info = targinfo;
struct sk_buff *skb = *pskb;
unsigned int res;
if (skb->nfct == &route_tee_track.ct_general) {
/* Loopback - a packet we already routed, is to be
* routed another time. Avoid that, now.
*/
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: loopback - DROP!\n");
return NF_DROP;
}
/* If we are at PREROUTING or INPUT hook
* the TTL isn't decreased by the IP stack
*/
if (hooknum == NF_IP_PRE_ROUTING ||
hooknum == NF_IP_LOCAL_IN) {
struct iphdr *iph = skb->nh.iph;
if (iph->ttl <= 1) {
struct rtable *rt;
struct flowi fl = {
.oif = 0,
.nl_u = {
.ip4_u = {
.daddr = iph->daddr,
.saddr = iph->saddr,
.tos = RT_TOS(iph->tos),
.scope = ((iph->tos & RTO_ONLINK) ?
RT_SCOPE_LINK :
RT_SCOPE_UNIVERSE)
}
}
};
if (ip_route_output_key(&rt, &fl)) {
return NF_DROP;
}
if (skb->dev == rt->u.dst.dev) {
/* Drop old route. */
dst_release(skb->dst);
skb->dst = &rt->u.dst;
/* this will traverse normal stack, and
* thus call conntrack on the icmp packet */
icmp_send(skb, ICMP_TIME_EXCEEDED,
ICMP_EXC_TTL, 0);
}
return NF_DROP;
}
/*
* If we are at INPUT the checksum must be recalculated since
* the length could change as the result of a defragmentation.
*/
if(hooknum == NF_IP_LOCAL_IN) {
iph->ttl = iph->ttl - 1;
iph->check = 0;
iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
} else {
ip_decrease_ttl(iph);
}
}
if ((route_info->flags & IPT_ROUTE_TEE)) {
/*
* Copy the *pskb, and route the copy. Will later return
* IPT_CONTINUE for the original skb, which should continue
* on its way as if nothing happened. The copy should be
* independantly delivered to the ROUTE --gw.
*/
skb = skb_copy(*pskb, GFP_ATOMIC);
if (!skb) {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: copy failed!\n");
return IPT_CONTINUE;
}
}
/* Tell conntrack to forget this packet since it may get confused
* when a packet is leaving with dst address == our address.
* Good idea ? Dunno. Need advice.
*
* NEW: mark the skb with our &route_tee_track, so we avoid looping
* on any already routed packet.
*/
if (!(route_info->flags & IPT_ROUTE_CONTINUE)) {
nf_conntrack_put(skb->nfct);
skb->nfct = &route_tee_track.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
skb->nfcache = 0;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
}
if (route_info->oif[0] != '\0') {
res = route_oif(route_info, skb);
} else if (route_info->iif[0] != '\0') {
res = route_iif(route_info, skb);
} else if (route_info->gw) {
res = route_gw(route_info, skb);
} else {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
res = IPT_CONTINUE;
}
if ((route_info->flags & IPT_ROUTE_TEE))
res = IPT_CONTINUE;
return res;
}
/* Send RST reply */
static void send_reset(struct sk_buff *oldskb, int hook)
{
struct sk_buff *nskb;
struct tcphdr otcph, *tcph;
struct rtable *rt;
u_int16_t tmp_port;
u_int32_t tmp_addr;
int needs_ack;
int hh_len;
/* IP header checks: fragment. */
if (oldskb->nh.iph->frag_off & htons(IP_OFFSET))
return;
if (skb_copy_bits(oldskb, oldskb->nh.iph->ihl*4,
&otcph, sizeof(otcph)) < 0)
return;
/* No RST for RST. */
if (otcph.rst)
return;
/* FIXME: Check checksum --RR */
if ((rt = route_reverse(oldskb, hook)) == NULL)
return;
hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
/* We need a linear, writeable skb. We also need to expand
headroom in case hh_len of incoming interface < hh_len of
outgoing interface */
nskb = skb_copy_expand(oldskb, hh_len, skb_tailroom(oldskb),
GFP_ATOMIC);
if (!nskb) {
dst_release(&rt->u.dst);
return;
}
dst_release(nskb->dst);
nskb->dst = &rt->u.dst;
/* This packet will not be the same as the other: clear nf fields */
nf_conntrack_put(nskb->nfct);
nskb->nfct = NULL;
nskb->nfcache = 0;
#ifdef CONFIG_NETFILTER_DEBUG
nskb->nf_debug = 0;
#endif
nskb->nfmark = 0;
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put(nskb->nf_bridge);
nskb->nf_bridge = NULL;
#endif
tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
/* Swap source and dest */
tmp_addr = nskb->nh.iph->saddr;
nskb->nh.iph->saddr = nskb->nh.iph->daddr;
nskb->nh.iph->daddr = tmp_addr;
tmp_port = tcph->source;
tcph->source = tcph->dest;
tcph->dest = tmp_port;
/* Truncate to length (no data) */
tcph->doff = sizeof(struct tcphdr)/4;
skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
nskb->nh.iph->tot_len = htons(nskb->len);
if (tcph->ack) {
needs_ack = 0;
tcph->seq = otcph.ack_seq;
tcph->ack_seq = 0;
} else {
needs_ack = 1;
tcph->ack_seq = htonl(ntohl(otcph.seq) + otcph.syn + otcph.fin
+ oldskb->len - oldskb->nh.iph->ihl*4
- (otcph.doff<<2));
tcph->seq = 0;
}
/* Reset flags */
((u_int8_t *)tcph)[13] = 0;
tcph->rst = 1;
tcph->ack = needs_ack;
tcph->window = 0;
tcph->urg_ptr = 0;
/* Adjust TCP checksum */
tcph->check = 0;
tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
nskb->nh.iph->saddr,
nskb->nh.iph->daddr,
csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
/* Adjust IP TTL, DF */
nskb->nh.iph->ttl = MAXTTL;
/* Set DF, id = 0 */
nskb->nh.iph->frag_off = htons(IP_DF);
nskb->nh.iph->id = 0;
/* Adjust IP checksum */
nskb->nh.iph->check = 0;
nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
nskb->nh.iph->ihl);
/* "Never happens" */
if (nskb->len > dst_pmtu(nskb->dst))
goto free_nskb;
connection_attach(nskb, oldskb->nfct);
NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
ip_finish_output);
return;
free_nskb:
kfree_skb(nskb);
}
static int ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
{
struct ip_tunnel *tunnel = (struct ip_tunnel*)dev->priv;
struct net_device_stats *stats = &tunnel->stat;
struct iphdr *tiph = &tunnel->parms.iph;
u8 tos = tunnel->parms.iph.tos;
u16 df = tiph->frag_off;
struct rtable *rt; /* Route to the other host */
struct net_device *tdev; /* Device to other host */
struct iphdr *old_iph = skb->nh.iph;
struct iphdr *iph; /* Our new IP header */
int max_headroom; /* The extra header space needed */
u32 dst = tiph->daddr;
int mtu;
if (tunnel->recursion++) {
tunnel->stat.collisions++;
goto tx_error;
}
if (skb->protocol != htons(ETH_P_IP))
goto tx_error;
if (tos&1)
tos = old_iph->tos;
if (!dst) {
/* NBMA tunnel */
if ((rt = (struct rtable*)skb->dst) == NULL) {
tunnel->stat.tx_fifo_errors++;
goto tx_error;
}
if ((dst = rt->rt_gateway) == 0)
goto tx_error_icmp;
}
if (ip_route_output(&rt, dst, tiph->saddr, RT_TOS(tos), tunnel->parms.link)) {
tunnel->stat.tx_carrier_errors++;
goto tx_error_icmp;
}
tdev = rt->u.dst.dev;
if (tdev == dev) {
ip_rt_put(rt);
tunnel->stat.collisions++;
goto tx_error;
}
if (tiph->frag_off)
mtu = rt->u.dst.pmtu - sizeof(struct iphdr);
else
mtu = skb->dst ? skb->dst->pmtu : dev->mtu;
if (mtu < 68) {
tunnel->stat.collisions++;
ip_rt_put(rt);
goto tx_error;
}
if (skb->dst && mtu < skb->dst->pmtu)
skb->dst->pmtu = mtu;
df |= (old_iph->frag_off&htons(IP_DF));
if ((old_iph->frag_off&htons(IP_DF)) && mtu < ntohs(old_iph->tot_len)) {
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
ip_rt_put(rt);
goto tx_error;
}
if (tunnel->err_count > 0) {
if (jiffies - tunnel->err_time < IPTUNNEL_ERR_TIMEO) {
tunnel->err_count--;
dst_link_failure(skb);
} else
tunnel->err_count = 0;
}
skb->h.raw = skb->nh.raw;
/*
* Okay, now see if we can stuff it in the buffer as-is.
*/
max_headroom = (((tdev->hard_header_len+15)&~15)+sizeof(struct iphdr));
if (skb_headroom(skb) < max_headroom || skb_cloned(skb) || skb_shared(skb)) {
struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom);
if (!new_skb) {
ip_rt_put(rt);
stats->tx_dropped++;
dev_kfree_skb(skb);
tunnel->recursion--;
return 0;
}
if (skb->sk)
skb_set_owner_w(new_skb, skb->sk);
dev_kfree_skb(skb);
skb = new_skb;
}
skb->nh.raw = skb_push(skb, sizeof(struct iphdr));
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
dst_release(skb->dst);
skb->dst = &rt->u.dst;
/*
* Push down and install the IPIP header.
*/
iph = skb->nh.iph;
iph->version = 4;
iph->ihl = sizeof(struct iphdr)>>2;
iph->frag_off = df;
iph->protocol = IPPROTO_IPIP;
iph->tos = INET_ECN_encapsulate(tos, old_iph->tos);
iph->daddr = rt->rt_dst;
iph->saddr = rt->rt_src;
if ((iph->ttl = tiph->ttl) == 0)
iph->ttl = old_iph->ttl;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
IPTUNNEL_XMIT();
tunnel->recursion--;
return 0;
tx_error_icmp:
dst_link_failure(skb);
tx_error:
stats->tx_errors++;
dev_kfree_skb(skb);
tunnel->recursion--;
return 0;
}
/* Send reply */
static void tarpit_tcp(struct sk_buff *oskb,struct rtable *ort,int local)
{
struct sk_buff *nskb;
struct rtable *nrt;
struct tcphdr *otcph, *ntcph;
struct flowi fl = {};
unsigned int otcplen;
u_int16_t tmp;
/* A truncated TCP header isn't going to be useful */
if (oskb->len < (ip_hdr(oskb)->ihl*4) + sizeof(struct tcphdr))
return;
otcph = (struct tcphdr *)((u_int32_t*)ip_hdr(oskb)
+ ip_hdr(oskb)->ihl);
otcplen = oskb->len - ip_hdr(oskb)->ihl*4;
/* No replies for RST or FIN */
if (otcph->rst || otcph->fin)
return;
/* No reply to !SYN,!ACK. Rate-limit replies to !SYN,ACKs */
if (!otcph->syn && (!otcph->ack || !xrlim_allow(&ort->u.dst, 1*HZ)))
return;
/* Check checksum. */
if (tcp_v4_check(otcplen, ip_hdr(oskb)->saddr,
ip_hdr(oskb)->daddr,
csum_partial((char *)otcph, otcplen, 0)) != 0)
return;
/* Copy skb (even if skb is about to be dropped, we can't just
clone it because there may be other things, such as tcpdump,
interested in it) */
nskb = skb_copy(oskb, GFP_ATOMIC);
if (!nskb)
return;
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
/* This packet will not be the same as the other: clear nf fields */
nf_conntrack_put(nskb->nfct);
nskb->nfct = NULL;
#endif /* CONFIG_NF_CONNTRACK */
ntcph = (struct tcphdr *)((u_int32_t*)ip_hdr(nskb) + ip_hdr(nskb)->ihl);
/* Truncate to length (no data) */
ntcph->doff = sizeof(struct tcphdr)/4;
skb_trim(nskb, ip_hdr(nskb)->ihl*4 + sizeof(struct tcphdr));
ip_hdr(nskb)->tot_len = htons(nskb->len);
/* Swap source and dest */
ip_hdr(nskb)->daddr = xchg(&ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr);
tmp = ntcph->source;
ntcph->source = ntcph->dest;
ntcph->dest = tmp;
/* Use supplied sequence number or make a new one */
ntcph->seq = otcph->ack ? otcph->ack_seq
: htonl(secure_tcp_sequence_number(ip_hdr(nskb)->saddr,
ip_hdr(nskb)->daddr,
ntcph->source,
ntcph->dest));
/* Our SYN-ACKs must have a >0 window */
ntcph->window = (otcph->syn && !otcph->ack) ? htons(5) : 0;
ntcph->urg_ptr = 0;
/* Reset flags */
((u_int8_t *)ntcph)[13] = 0;
if (otcph->syn && otcph->ack) {
ntcph->rst = 1;
ntcph->ack_seq = 0;
} else {
ntcph->syn = otcph->syn;
ntcph->ack = 1;
ntcph->ack_seq = htonl(ntohl(otcph->seq) + otcph->syn);
}
/* Adjust TCP checksum */
ntcph->check = 0;
ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
ip_hdr(nskb)->saddr,
ip_hdr(nskb)->daddr,
csum_partial((char *)ntcph,
sizeof(struct tcphdr), 0));
fl.nl_u.ip4_u.daddr = ip_hdr(nskb)->daddr;
fl.nl_u.ip4_u.saddr = local ? ip_hdr(nskb)->saddr : 0;
fl.nl_u.ip4_u.tos = RT_TOS(ip_hdr(nskb)->tos) | RTO_CONN;
fl.oif = 0;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,26)
if (ip_route_output_key(&init_net, &nrt, &fl))
#else
if (ip_route_output_key(&nrt, &fl))
#endif
goto free_nskb;
dst_release(nskb->dst);
nskb->dst = &nrt->u.dst;
/* Adjust IP TTL */
ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
/* Set DF, id = 0 */
ip_hdr(nskb)->frag_off = htons(IP_DF);
ip_hdr(nskb)->id = 0;
/* Adjust IP checksum */
ip_hdr(nskb)->check = 0;
ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
ip_hdr(nskb)->ihl);
/* "Never happens" */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
if (nskb->len > dst_mtu(nskb->dst))
#else
if (nskb->len > dst_pmtu(nskb->dst))
#endif
goto free_nskb;
ip_direct_send (nskb);
return;
free_nskb:
kfree_skb(nskb);
}
enum ipsec_xmit_value
ipsec_mast_send(struct ipsec_xmit_state*ixs)
{
/* new route/dst cache code from James Morris */
ixs->skb->dev = ixs->physdev;
/*skb_orphan(ixs->skb);*/
if((ixs->error = ip_route_output(&ixs->route,
ixs->skb->nh.iph->daddr,
ixs->pass ? 0 : ixs->skb->nh.iph->saddr,
RT_TOS(ixs->skb->nh.iph->tos),
ixs->physdev->iflink /* rgb: should this be 0? */))) {
ixs->stats->tx_errors++;
KLIPS_PRINT(debug_mast & DB_MAST_XMIT,
"klips_debug:ipsec_xmit_send: "
"ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
ixs->error,
ixs->route->u.dst.dev->name);
return IPSEC_XMIT_ROUTEERR;
}
if(ixs->dev == ixs->route->u.dst.dev) {
ip_rt_put(ixs->route);
/* This is recursion, drop it. */
ixs->stats->tx_errors++;
KLIPS_PRINT(debug_mast & DB_MAST_XMIT,
"klips_debug:ipsec_xmit_send: "
"suspect recursion, dev=rt->u.dst.dev=%s, dropped\n",
ixs->dev->name);
return IPSEC_XMIT_RECURSDETECT;
}
dst_release(ixs->skb->dst);
ixs->skb->dst = &ixs->route->u.dst;
ixs->stats->tx_bytes += ixs->skb->len;
if(ixs->skb->len < ixs->skb->nh.raw - ixs->skb->data) {
ixs->stats->tx_errors++;
printk(KERN_WARNING
"klips_error:ipsec_xmit_send: "
"tried to __skb_pull nh-data=%ld, %d available. This should never happen, please report.\n",
(unsigned long)(ixs->skb->nh.raw - ixs->skb->data),
ixs->skb->len);
return IPSEC_XMIT_PUSHPULLERR;
}
__skb_pull(ixs->skb, ixs->skb->nh.raw - ixs->skb->data);
#ifdef SKB_RESET_NFCT
nf_conntrack_put(ixs->skb->nfct);
ixs->skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
ixs->skb->nf_debug = 0;
#endif /* CONFIG_NETFILTER_DEBUG */
#endif /* SKB_RESET_NFCT */
KLIPS_PRINT(debug_mast & DB_MAST_XMIT,
"klips_debug:ipsec_xmit_send: "
"...done, calling ip_send() on device:%s\n",
ixs->skb->dev ? ixs->skb->dev->name : "NULL");
KLIPS_IP_PRINT(debug_mast & DB_MAST_XMIT, ixs->skb->nh.iph);
{
int err;
err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ixs->skb, NULL, ixs->route->u.dst.dev,
ipsec_mast_xmit2);
if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
if(net_ratelimit())
printk(KERN_ERR
"klips_error:ipsec_xmit_send: "
"ip_send() failed, err=%d\n",
-err);
ixs->stats->tx_errors++;
ixs->stats->tx_aborted_errors++;
ixs->skb = NULL;
return IPSEC_XMIT_IPSENDFAILURE;
}
}
ixs->stats->tx_packets++;
ixs->skb = NULL;
return IPSEC_XMIT_OK;
}
static inline int ip_local_deliver_finish(struct sk_buff *skb)
{
int ihl = skb->nh.iph->ihl*4;
#ifdef CONFIG_NETFILTER_DEBUG
nf_debug_ip_local_deliver(skb);
#endif /*CONFIG_NETFILTER_DEBUG*/
__skb_pull(skb, ihl);
#ifdef CONFIG_NETFILTER
/* Free reference early: we don't need it any more, and it may
hold ip_conntrack module loaded indefinitely. */
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#endif /*CONFIG_NETFILTER*/
/* Point into the IP datagram, just past the header. */
skb->h.raw = skb->data;
{
/* Note: See raw.c and net/raw.h, RAWV4_HTABLE_SIZE==MAX_INET_PROTOS */
int protocol = skb->nh.iph->protocol;
int hash = protocol & (MAX_INET_PROTOS - 1);
struct sock *raw_sk = raw_v4_htable[hash];
struct inet_protocol *ipprot;
int flag;
/* If there maybe a raw socket we must check - if not we
* don't care less
*/
if(raw_sk != NULL)
raw_sk = raw_v4_input(skb, skb->nh.iph, hash);
ipprot = (struct inet_protocol *) inet_protos[hash];
flag = 0;
if(ipprot != NULL) {
if(raw_sk == NULL &&
ipprot->next == NULL &&
ipprot->protocol == protocol) {
int ret;
/* Fast path... */
ret = ipprot->handler(skb);
return ret;
} else {
flag = ip_run_ipprot(skb, skb->nh.iph, ipprot, (raw_sk != NULL));
}
}
/* All protocols checked.
* If this packet was a broadcast, we may *not* reply to it, since that
* causes (proven, grin) ARP storms and a leakage of memory (i.e. all
* ICMP reply messages get queued up for transmission...)
*/
if(raw_sk != NULL) { /* Shift to last raw user */
raw_rcv(raw_sk, skb);
sock_put(raw_sk);
} else if (!flag) { /* Free and report errors */
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, 0);
kfree_skb(skb);
}
}
return 0;
}
/* Try to route the packet according to the routing keys specified in
* route_info. Keys are :
* - ifindex :
* 0 if no oif preferred,
* otherwise set to the index of the desired oif
* - route_info->gw :
* 0 if no gateway specified,
* otherwise set to the next host to which the pkt must be routed
* If success, skb->dev is the output device to which the packet must
* be sent and skb->dst is not NULL
*
* RETURN: -1 if an error occured
* 1 if the packet was succesfully routed to the
* destination desired
* 0 if the kernel routing table could not route the packet
* according to the keys specified
*/
static int route(struct sk_buff *skb,
unsigned int ifindex,
const struct ipt_route_target_info *route_info)
{
int err;
struct rtable *rt;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
struct iphdr *iph = ip_hdr(skb);
#else
struct iphdr *iph = skb->nh.iph;
#endif
struct flowi fl = {
.oif = ifindex,
.nl_u = {
.ip4_u = {
.daddr = iph->daddr,
.saddr = 0,
.tos = RT_TOS(iph->tos),
.scope = RT_SCOPE_UNIVERSE,
}
}
};
/* The destination address may be overloaded by the target */
if (route_info->gw)
fl.fl4_dst = route_info->gw;
/* Trying to route the packet using the standard routing table. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,26)
if ((err = ip_route_output_key(&init_net, &rt, &fl))) {
#else
if ((err = ip_route_output_key(&rt, &fl))) {
#endif
if (net_ratelimit())
DEBUGP("ipt_ROUTE: couldn't route pkt (err: %i)",err);
return -1;
}
/* Drop old route. */
dst_release(skb->dst);
skb->dst = NULL;
/* Success if no oif specified or if the oif correspond to the
* one desired */
if (!ifindex || rt->u.dst.dev->ifindex == ifindex) {
skb->dst = &rt->u.dst;
skb->dev = skb->dst->dev;
skb->protocol = htons(ETH_P_IP);
return 1;
}
/* The interface selected by the routing table is not the one
* specified by the user. This may happen because the dst address
* is one of our own addresses.
*/
if (net_ratelimit())
DEBUGP("ipt_ROUTE: failed to route as desired gw=%u.%u.%u.%u oif=%i (got oif=%i)\n",
NIPQUAD(route_info->gw), ifindex, rt->u.dst.dev->ifindex);
return 0;
}
/* Stolen from ip_finish_output2
* PRE : skb->dev is set to the device we are leaving by
* skb->dst is not NULL
* POST: the packet is sent with the link layer header pushed
* the packet is destroyed
*/
static void ip_direct_send(struct sk_buff *skb)
{
struct dst_entry *dst = skb->dst;
struct hh_cache *hh = dst->hh;
struct net_device *dev = dst->dev;
int hh_len = LL_RESERVED_SPACE(dev);
unsigned seq;
/* Be paranoid, rather than too clever. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) {
#else
if (unlikely(skb_headroom(skb) < hh_len && dev->hard_header)) {
#endif
struct sk_buff *skb2;
skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
if (skb2 == NULL) {
kfree_skb(skb);
return;
}
if (skb->sk)
skb_set_owner_w(skb2, skb->sk);
kfree_skb(skb);
skb = skb2;
}
if (hh) {
do {
int hh_alen;
seq = read_seqbegin(&hh->hh_lock);
hh_alen = HH_DATA_ALIGN(hh->hh_len);
memcpy(skb->data - hh_alen, hh->hh_data, hh_alen);
} while (read_seqretry(&hh->hh_lock, seq));
skb_push(skb, hh->hh_len);
hh->hh_output(skb);
} else if (dst->neighbour)
dst->neighbour->output(skb);
else {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: no hdr & no neighbour cache!\n");
kfree_skb(skb);
}
}
/* PRE : skb->dev is set to the device we are leaving by
* POST: - the packet is directly sent to the skb->dev device, without
* pushing the link layer header.
* - the packet is destroyed
*/
static inline int dev_direct_send(struct sk_buff *skb)
{
return dev_queue_xmit(skb);
}
static unsigned int route_oif(const struct ipt_route_target_info *route_info,
struct sk_buff *skb)
{
unsigned int ifindex = 0;
struct net_device *dev_out = NULL;
/* The user set the interface name to use.
* Getting the current interface index.
*/
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
if ((dev_out = dev_get_by_name(&init_net, route_info->oif))) {
#else
if ((dev_out = dev_get_by_name(route_info->oif))) {
#endif
ifindex = dev_out->ifindex;
} else {
/* Unknown interface name : packet dropped */
if (net_ratelimit())
DEBUGP("ipt_ROUTE: oif interface %s not found\n", route_info->oif);
return NF_DROP;
}
/* Trying the standard way of routing packets */
switch (route(skb, ifindex, route_info)) {
case 1:
dev_put(dev_out);
if (route_info->flags & IPT_ROUTE_CONTINUE)
return IPT_CONTINUE;
ip_direct_send(skb);
return NF_STOLEN;
case 0:
/* Failed to send to oif. Trying the hard way */
if (route_info->flags & IPT_ROUTE_CONTINUE)
return NF_DROP;
if (net_ratelimit())
DEBUGP("ipt_ROUTE: forcing the use of %i\n",
ifindex);
/* We have to force the use of an interface.
* This interface must be a tunnel interface since
* otherwise we can't guess the hw address for
* the packet. For a tunnel interface, no hw address
* is needed.
*/
if ((dev_out->type != ARPHRD_TUNNEL)
&& (dev_out->type != ARPHRD_IPGRE)) {
if (net_ratelimit())
DEBUGP("ipt_ROUTE: can't guess the hw addr !\n");
dev_put(dev_out);
return NF_DROP;
}
/* Send the packet. This will also free skb
* Do not go through the POST_ROUTING hook because
* skb->dst is not set and because it will probably
* get confused by the destination IP address.
*/
skb->dev = dev_out;
dev_direct_send(skb);
dev_put(dev_out);
return NF_STOLEN;
default:
/* Unexpected error */
dev_put(dev_out);
return NF_DROP;
}
}
static unsigned int route_iif(const struct ipt_route_target_info *route_info,
struct sk_buff *skb)
{
struct net_device *dev_in = NULL;
/* Getting the current interface index. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
if (!(dev_in = dev_get_by_name(&init_net, route_info->iif))) {
#else
if (!(dev_in = dev_get_by_name(route_info->iif))) {
#endif
if (net_ratelimit())
DEBUGP("ipt_ROUTE: iif interface %s not found\n", route_info->iif);
return NF_DROP;
}
skb->dev = dev_in;
dst_release(skb->dst);
skb->dst = NULL;
netif_rx(skb);
dev_put(dev_in);
return NF_STOLEN;
}
static unsigned int route_gw(const struct ipt_route_target_info *route_info,
struct sk_buff *skb)
{
if (route(skb, 0, route_info)!=1)
return NF_DROP;
if (route_info->flags & IPT_ROUTE_CONTINUE)
return IPT_CONTINUE;
ip_direct_send(skb);
return NF_STOLEN;
}
/* To detect and deter routed packet loopback when using the --tee option,
* we take a page out of the raw.patch book: on the copied skb, we set up
* a fake ->nfct entry, pointing to the local &route_tee_track. We skip
* routing packets when we see they already have that ->nfct.
*/
static struct nf_conn route_tee_track;
static unsigned int
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
target(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
const void *targinfo,
void *userinfo)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userinfo)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
void *userinfo)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
target(struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo)
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) */
target(struct sk_buff *skb,
const struct xt_target_param *par)
#endif
{
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
const struct ipt_route_target_info *route_info = targinfo;
#else
const struct ipt_route_target_info *route_info = par->targinfo;
unsigned int hooknum = par->hooknum;
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
struct sk_buff *skb = *pskb;
#endif
unsigned int res;
if (skb->nfct == &route_tee_track.ct_general) {
/* Loopback - a packet we already routed, is to be
* routed another time. Avoid that, now.
*/
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: loopback - DROP!\n");
return NF_DROP;
}
/* If we are at PREROUTING or INPUT hook
* the TTL isn't decreased by the IP stack
*/
if (hooknum == NF_INET_PRE_ROUTING ||
hooknum == NF_INET_LOCAL_IN) {
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
struct iphdr *iph = ip_hdr(skb);
#else
struct iphdr *iph = skb->nh.iph;
#endif
if (iph->ttl <= 1) {
struct rtable *rt;
struct flowi fl = {
.oif = 0,
.nl_u = {
.ip4_u = {
.daddr = iph->daddr,
.saddr = iph->saddr,
.tos = RT_TOS(iph->tos),
.scope = ((iph->tos & RTO_ONLINK) ?
RT_SCOPE_LINK :
RT_SCOPE_UNIVERSE)
}
}
};
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,26)
if (ip_route_output_key(&init_net, &rt, &fl)) {
#else
if (ip_route_output_key(&rt, &fl)) {
#endif
return NF_DROP;
}
if (skb->dev == rt->u.dst.dev) {
/* Drop old route. */
dst_release(skb->dst);
skb->dst = &rt->u.dst;
/* this will traverse normal stack, and
* thus call conntrack on the icmp packet */
icmp_send(skb, ICMP_TIME_EXCEEDED,
ICMP_EXC_TTL, 0);
}
return NF_DROP;
}
/*
* If we are at INPUT the checksum must be recalculated since
* the length could change as the result of a defragmentation.
*/
if(hooknum == NF_INET_LOCAL_IN) {
iph->ttl = iph->ttl - 1;
iph->check = 0;
iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
} else {
ip_decrease_ttl(iph);
}
}
if ((route_info->flags & IPT_ROUTE_TEE)) {
/*
* Copy the skb, and route the copy. Will later return
* IPT_CONTINUE for the original skb, which should continue
* on its way as if nothing happened. The copy should be
* independantly delivered to the ROUTE --gw.
*/
skb = skb_copy(skb, GFP_ATOMIC);
if (!skb) {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: copy failed!\n");
return IPT_CONTINUE;
}
}
/* Tell conntrack to forget this packet since it may get confused
* when a packet is leaving with dst address == our address.
* Good idea ? Dunno. Need advice.
*
* NEW: mark the skb with our &route_tee_track, so we avoid looping
* on any already routed packet.
*/
if (!(route_info->flags & IPT_ROUTE_CONTINUE)) {
nf_conntrack_put(skb->nfct);
skb->nfct = &route_tee_track.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
}
if (route_info->oif[0] != '\0') {
res = route_oif(route_info, skb);
} else if (route_info->iif[0] != '\0') {
res = route_iif(route_info, skb);
} else if (route_info->gw) {
res = route_gw(route_info, skb);
} else {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
res = IPT_CONTINUE;
}
if ((route_info->flags & IPT_ROUTE_TEE))
res = IPT_CONTINUE;
return res;
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
static int
checkentry(const char *tablename,
const struct ipt_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
static int
checkentry(const char *tablename,
const void *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
static int
checkentry(const char *tablename,
const void *e,
const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
static int
checkentry(const char *tablename,
const void *e,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static bool
checkentry(const char *tablename,
const void *e,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask)
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) */
static bool
checkentry(const struct xt_tgchk_param *par)
#endif
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28)
const char *tablename = par->table;
unsigned int hook_mask = par->hook_mask;
#endif
if (strcmp(tablename, "mangle") != 0) {
printk("ipt_ROUTE: bad table `%s', use the `mangle' table.\n",
tablename);
return 0;
}
if (hook_mask & ~( (1 << NF_INET_PRE_ROUTING)
| (1 << NF_INET_LOCAL_IN)
| (1 << NF_INET_FORWARD)
| (1 << NF_INET_LOCAL_OUT)
| (1 << NF_INET_POST_ROUTING))) {
printk("ipt_ROUTE: bad hook\n");
return 0;
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_route_target_info))) {
printk(KERN_WARNING "ipt_ROUTE: targinfosize %u != %Zu\n",
targinfosize,
IPT_ALIGN(sizeof(struct ipt_route_target_info)));
return 0;
}
#endif
return 1;
}
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
static struct ipt_target xt_route_reg = {
#else
static struct ipt_target ipt_route_reg = {
#endif
.name = "ROUTE",
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
.family = AF_INET,
#endif
.target = target,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
.targetsize = sizeof(struct ipt_route_target_info),
#endif
.checkentry = checkentry,
.me = THIS_MODULE,
};
static int __init init(void)
{
/* Set up fake conntrack (stolen from raw.patch):
- to never be deleted, not in any hashes */
atomic_set(&route_tee_track.ct_general.use, 1);
/* - and look it like as a confirmed connection */
set_bit(IPS_CONFIRMED_BIT, &route_tee_track.status);
/* Initialize fake conntrack so that NAT will skip it */
route_tee_track.status |= IPS_NAT_DONE_MASK;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
return xt_register_target(&xt_route_reg);
#else
return ipt_register_target(&ipt_route_reg);
#endif
}
static void __exit fini(void)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
xt_unregister_target(&xt_route_reg);
#else
ipt_unregister_target(&ipt_route_reg);
#endif
}
module_init(init);
module_exit(fini);
static int ipip6_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
{
struct ip_tunnel *tunnel = (struct ip_tunnel*)dev->priv;
struct net_device_stats *stats = &tunnel->stat;
struct iphdr *tiph = &tunnel->parms.iph;
struct ipv6hdr *iph6 = skb->nh.ipv6h;
u8 tos = tunnel->parms.iph.tos;
struct rtable *rt; /* Route to the other host */
struct net_device *tdev; /* Device to other host */
struct iphdr *iph; /* Our new IP header */
int max_headroom; /* The extra header space needed */
u32 dst = tiph->daddr;
int mtu;
struct in6_addr *addr6;
int addr_type;
if (tunnel->recursion++) {
tunnel->stat.collisions++;
goto tx_error;
}
if (skb->protocol != htons(ETH_P_IPV6))
goto tx_error;
if (!dst)
dst = try_6to4(&iph6->daddr);
if (!dst) {
struct neighbour *neigh = NULL;
if (skb->dst)
neigh = skb->dst->neighbour;
if (neigh == NULL) {
if (net_ratelimit())
printk(KERN_DEBUG "sit: nexthop == NULL\n");
goto tx_error;
}
addr6 = (struct in6_addr*)&neigh->primary_key;
addr_type = ipv6_addr_type(addr6);
if (addr_type == IPV6_ADDR_ANY) {
addr6 = &skb->nh.ipv6h->daddr;
addr_type = ipv6_addr_type(addr6);
}
if ((addr_type & IPV6_ADDR_COMPATv4) == 0)
goto tx_error_icmp;
dst = addr6->s6_addr32[3];
}
{
struct flowi fl = { .nl_u = { .ip4_u =
{ .daddr = dst,
.saddr = tiph->saddr,
.tos = RT_TOS(tos)
}
},
.oif = tunnel->parms.link
};
if (ip_route_output_key(&rt, &fl)) {
tunnel->stat.tx_carrier_errors++;
goto tx_error_icmp;
}
}
if (rt->rt_type != RTN_UNICAST) {
tunnel->stat.tx_carrier_errors++;
goto tx_error_icmp;
}
tdev = rt->u.dst.dev;
if (tdev == dev) {
ip_rt_put(rt);
tunnel->stat.collisions++;
goto tx_error;
}
if (tiph->frag_off)
mtu = dst_pmtu(&rt->u.dst) - sizeof(struct iphdr);
else
mtu = skb->dst ? dst_pmtu(skb->dst) : dev->mtu;
if (mtu < 68) {
tunnel->stat.collisions++;
ip_rt_put(rt);
goto tx_error;
}
if (mtu < IPV6_MIN_MTU)
mtu = IPV6_MIN_MTU;
if (tunnel->parms.iph.daddr && skb->dst)
skb->dst->ops->update_pmtu(skb->dst, mtu);
if (skb->len > mtu) {
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, dev);
ip_rt_put(rt);
goto tx_error;
}
if (tunnel->err_count > 0) {
if (jiffies - tunnel->err_time < IPTUNNEL_ERR_TIMEO) {
tunnel->err_count--;
dst_link_failure(skb);
} else
tunnel->err_count = 0;
}
skb->h.raw = skb->nh.raw;
/*
* Okay, now see if we can stuff it in the buffer as-is.
*/
max_headroom = LL_RESERVED_SPACE(tdev)+sizeof(struct iphdr);
if (skb_headroom(skb) < max_headroom || skb_cloned(skb) || skb_shared(skb)) {
struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom);
if (!new_skb) {
ip_rt_put(rt);
stats->tx_dropped++;
dev_kfree_skb(skb);
tunnel->recursion--;
return 0;
}
if (skb->sk)
skb_set_owner_w(new_skb, skb->sk);
dev_kfree_skb(skb);
skb = new_skb;
iph6 = skb->nh.ipv6h;
}
skb->nh.raw = skb_push(skb, sizeof(struct iphdr));
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
dst_release(skb->dst);
skb->dst = &rt->u.dst;
/*
* Push down and install the IPIP header.
*/
iph = skb->nh.iph;
iph->version = 4;
iph->ihl = sizeof(struct iphdr)>>2;
if (mtu > IPV6_MIN_MTU)
iph->frag_off = htons(IP_DF);
else
iph->frag_off = 0;
iph->protocol = IPPROTO_IPV6;
iph->tos = INET_ECN_encapsulate(tos, ip6_get_dsfield(iph6));
iph->daddr = rt->rt_dst;
iph->saddr = rt->rt_src;
if ((iph->ttl = tiph->ttl) == 0)
iph->ttl = iph6->hop_limit;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
IPTUNNEL_XMIT();
tunnel->recursion--;
return 0;
tx_error_icmp:
dst_link_failure(skb);
tx_error:
stats->tx_errors++;
dev_kfree_skb(skb);
tunnel->recursion--;
return 0;
}
static unsigned int
target(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
const void *targinfo,
void *userinfo)
{
#endif
#if 0
static unsigned int ipt_route_target(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
//#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
// const struct xt_target *target,
//#endif
//#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
const void *targinfo,
void *userinfo)
//#else
// const void *targinfo)
//#endif
#endif
static unsigned int ipt_route_target
(struct sk_buff *skb2, const struct xt_target_param *par)
{
const struct ipt_route_target_info *route_info = par->targinfo;
// struct sk_buff *skb = *pskb;
struct sk_buff **pskb = &skb2;
struct sk_buff *skb = *pskb;
unsigned int res;
#if 1
if (skb->nfct ==
&(route_tee_track.ct_general)) {
/* Loopback - a packet we already routed, is to be
* routed another time. Avoid that, now.
*/
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: loopback - DROP!\n");
return NF_DROP;
}
#endif
/* If we are at PREROUTING or INPUT hook
* the TTL isn't decreased by the IP stack
*/
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN) {
struct iphdr *iph = ip_hdr(skb);
if (iph->ttl <= 1) {
struct rtable *rt;
struct flowi fl = {
.oif = 0,
.nl_u = {
.ip4_u = {
.daddr = iph->daddr,
.saddr = iph->saddr,
.tos = RT_TOS(iph->tos),
.scope = ((iph->tos & RTO_ONLINK) ?
RT_SCOPE_LINK :
RT_SCOPE_UNIVERSE)
}
}
};
if (ip_route_output_key(&init_net,&rt, &fl)) {
return NF_DROP;
}
if (skb->dev == rt->u.dst.dev) {
/* Drop old route. */
dst_release(skb->dst);
skb->dst = &rt->u.dst;
/* this will traverse normal stack, and
* thus call conntrack on the icmp packet */
icmp_send(skb, ICMP_TIME_EXCEEDED,
ICMP_EXC_TTL, 0);
}
return NF_DROP;
}
/*
* If we are at INPUT the checksum must be recalculated since
* the length could change as the result of a defragmentation.
*/
if(par->hooknum == NF_INET_LOCAL_IN) {
iph->ttl = iph->ttl - 1;
iph->check = 0;
iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
} else {
ip_decrease_ttl(iph);
}
}
if ((route_info->flags & IPT_ROUTE_TEE)) {
/*
* Copy the *pskb, and route the copy. Will later return
* IPT_CONTINUE for the original skb, which should continue
* on its way as if nothing happened. The copy should be
* independantly delivered to the ROUTE --gw.
*/
skb = skb_copy(*pskb, GFP_ATOMIC);
if (!skb) {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: copy failed!\n");
return IPT_CONTINUE;
}
}
/* Tell conntrack to forget this packet since it may get confused
* when a packet is leaving with dst address == our address.
* Good idea ? Dunno. Need advice.
*
* NEW: mark the skb with our &route_tee_track, so we avoid looping
* on any already routed packet.
*/
if (!(route_info->flags & IPT_ROUTE_CONTINUE)) {
nf_conntrack_put(skb->nfct);
skb->nfct = &route_tee_track.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
}
if (route_info->oif[0] != '\0') {
res = route_oif(route_info, skb);
} else if (route_info->iif[0] != '\0') {
res = route_iif(route_info, skb);
} else if (route_info->gw) {
res = route_gw(route_info, skb);
} else {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
res = IPT_CONTINUE;
}
if ((route_info->flags & IPT_ROUTE_TEE))
res = IPT_CONTINUE;
return res;
}
#if 0
static int ipt_route_checkentry(const char *tablename,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
const void *e,
#else
// const struct ipt_ip *ip,
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
const struct xt_target *target,
#endif
void *targinfo,
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
unsigned int targinfosize,
#endif
unsigned int hook_mask)
#endif
/*
struct xt_tgchk_param {
const char *table;
const void *entryinfo;
const struct xt_target *target;
void *targinfo;
unsigned int hook_mask;
u_int8_t family;
};
*/
static bool ipt_route_checkentry(const struct xt_tgchk_param *par)
{
if (strcmp(par->table, "mangle") != 0) {
printk("ipt_ROUTE: bad table `%s', use the `mangle' table.\n",
par->table);
return 0;
}
if (par->hook_mask & ~( (1 << NF_INET_PRE_ROUTING)
| (1 << NF_INET_LOCAL_IN)
| (1 << NF_INET_FORWARD)
| (1 << NF_INET_LOCAL_OUT)
| (1 << NF_INET_POST_ROUTING))) {
printk("ipt_ROUTE: bad hook\n");
return 0;
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_route_target_info))) {
printk(KERN_WARNING "ipt_ROUTE: targinfosize %u != %Zu\n",
targinfosize,
IPT_ALIGN(sizeof(struct ipt_route_target_info)));
return 0;
}
#endif
return 1;
}
//static struct ipt_target ipt_route_reg = {
static struct xt_target ipt_route_reg = {
.name = "ROUTE",
.target = ipt_route_target,
.family=AF_INET,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
.targetsize = sizeof(struct ipt_route_target_info),
#endif
.hooks=(1 << NF_INET_PRE_ROUTING)
| (1 << NF_INET_LOCAL_IN)
| (1 << NF_INET_FORWARD)
| (1 << NF_INET_LOCAL_OUT)
| (1 << NF_INET_POST_ROUTING),
.checkentry = ipt_route_checkentry,
.me = THIS_MODULE,
};
static int __init init(void)
{
/* Set up fake conntrack (stolen from raw.patch):
- to never be deleted, not in any hashes */
atomic_set(&route_tee_track.ct_general.use, 1);
/* - and look it like as a confirmed connection */
set_bit(IPS_CONFIRMED_BIT, &route_tee_track.status);
/* Initialize fake conntrack so that NAT will skip it */
route_tee_track.status |= IPS_NAT_DONE_MASK;
return xt_register_target(&ipt_route_reg);
}
static void __exit fini(void)
{
xt_unregister_target(&ipt_route_reg);
}
