static bool dns_mt6(const struct sk_buff *skb, XT_PARAM *par) { struct ipv6hdr _iph; const struct ipv6hdr *ih; int16_t ptr; struct ipv6_opt_hdr _hdr; const struct ipv6_opt_hdr *hp; uint8_t currenthdr; uint16_t hdrlen = 0; if (par->fragoff != 0) { DEBUG_PRINT("fragment packet"); return false; } DEBUG_PRINT("start ipv6"); ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); ptr = sizeof(_iph); currenthdr = ih->nexthdr; DEBUG_PRINT("start opt loop"); while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) { DEBUG_PRINT("optloop %u", currenthdr); hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); if (hp == NULL) { return false; } switch (currenthdr) { case IPPROTO_FRAGMENT: hdrlen = 8; break; case IPPROTO_DSTOPTS: case IPPROTO_ROUTING: case IPPROTO_HOPOPTS: hdrlen = ipv6_optlen(hp); break; case IPPROTO_AH: hdrlen = (hp->hdrlen + 2) << 2; break; } currenthdr = hp->nexthdr; ptr += hdrlen; } if (currenthdr == IPPROTO_UDP) { return dns_mt_udp(skb, par, ptr); } if (currenthdr == IPPROTO_TCP) { return dns_mt_tcp(skb, par, ptr); } DEBUG_PRINT("unsupported protocol."); return false; }
/* One level of recursion won't kill us */ static void dump_packet(const struct nf_loginfo *info, const struct sk_buff *skb, unsigned int ip6hoff, int recurse) { u_int8_t currenthdr; int fragment; struct ipv6hdr _ip6h; const struct ipv6hdr *ih; unsigned int ptr; unsigned int hdrlen = 0; unsigned int logflags; if (info->type == NF_LOG_TYPE_LOG) logflags = info->u.log.logflags; else logflags = NF_LOG_MASK; ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); if (ih == NULL) { printk("TRUNCATED"); return; } /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ printk("SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ printk("LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", ntohs(ih->payload_len) + sizeof(struct ipv6hdr), (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, ih->hop_limit, (ntohl(*(__be32 *)ih) & 0x000fffff)); fragment = 0; ptr = ip6hoff + sizeof(struct ipv6hdr); currenthdr = ih->nexthdr; while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) { struct ipv6_opt_hdr _hdr; const struct ipv6_opt_hdr *hp; hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); if (hp == NULL) { printk("TRUNCATED"); return; } /* Max length: 48 "OPT (...) " */ if (logflags & IP6T_LOG_IPOPT) printk("OPT ( "); switch (currenthdr) { case IPPROTO_FRAGMENT: { struct frag_hdr _fhdr; const struct frag_hdr *fh; printk("FRAG:"); fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), &_fhdr); if (fh == NULL) { printk("TRUNCATED "); return; } /* Max length: 6 "65535 " */ printk("%u ", ntohs(fh->frag_off) & 0xFFF8); /* Max length: 11 "INCOMPLETE " */ if (fh->frag_off & htons(0x0001)) printk("INCOMPLETE "); printk("ID:%08x ", ntohl(fh->identification)); if (ntohs(fh->frag_off) & 0xFFF8) fragment = 1; hdrlen = 8; break; } case IPPROTO_DSTOPTS: case IPPROTO_ROUTING: case IPPROTO_HOPOPTS: if (fragment) { if (logflags & IP6T_LOG_IPOPT) printk(")"); return; } hdrlen = ipv6_optlen(hp); break; /* Max Length */ case IPPROTO_AH: if (logflags & IP6T_LOG_IPOPT) { struct ip_auth_hdr _ahdr; const struct ip_auth_hdr *ah; /* Max length: 3 "AH " */ printk("AH "); if (fragment) { printk(")"); return; } ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), &_ahdr); if (ah == NULL) { /* * Max length: 26 "INCOMPLETE [65535 * bytes] )" */ printk("INCOMPLETE [%u bytes] )", skb->len - ptr); return; } /* Length: 15 "SPI=0xF1234567 */ printk("SPI=0x%x ", ntohl(ah->spi)); } hdrlen = (hp->hdrlen+2)<<2; break; case IPPROTO_ESP: if (logflags & IP6T_LOG_IPOPT) { struct ip_esp_hdr _esph; const struct ip_esp_hdr *eh; /* Max length: 4 "ESP " */ printk("ESP "); if (fragment) { printk(")"); return; } /* * Max length: 26 "INCOMPLETE [65535 bytes] )" */ eh = skb_header_pointer(skb, ptr, sizeof(_esph), &_esph); if (eh == NULL) { printk("INCOMPLETE [%u bytes] )", skb->len - ptr); return; } /* Length: 16 "SPI=0xF1234567 )" */ printk("SPI=0x%x )", ntohl(eh->spi) ); } return; default: /* Max length: 20 "Unknown Ext Hdr 255" */ printk("Unknown Ext Hdr %u", currenthdr); return; } if (logflags & IP6T_LOG_IPOPT) printk(") "); currenthdr = hp->nexthdr; ptr += hdrlen; } switch (currenthdr) { case IPPROTO_TCP: { struct tcphdr _tcph; const struct tcphdr *th; /* Max length: 10 "PROTO=TCP " */ printk("PROTO=TCP "); if (fragment) break; /* Max length: 25 "INCOMPLETE [65535 bytes] " */ th = skb_header_pointer(skb, ptr, sizeof(_tcph), &_tcph); if (th == NULL) { printk("INCOMPLETE [%u bytes] ", skb->len - ptr); return; } /* Max length: 20 "SPT=65535 DPT=65535 " */ printk("SPT=%u DPT=%u ", ntohs(th->source), ntohs(th->dest)); /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ if (logflags & IP6T_LOG_TCPSEQ) printk("SEQ=%u ACK=%u ", ntohl(th->seq), ntohl(th->ack_seq)); /* Max length: 13 "WINDOW=65535 " */ printk("WINDOW=%u ", ntohs(th->window)); /* Max length: 9 "RES=0x3C " */ printk("RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & TCP_RESERVED_BITS) >> 22)); /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ if (th->cwr) printk("CWR "); if (th->ece) printk("ECE "); if (th->urg) printk("URG "); if (th->ack) printk("ACK "); if (th->psh) printk("PSH "); if (th->rst) printk("RST "); if (th->syn) printk("SYN "); if (th->fin) printk("FIN "); /* Max length: 11 "URGP=65535 " */ printk("URGP=%u ", ntohs(th->urg_ptr)); if ((logflags & IP6T_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) { u_int8_t _opt[60 - sizeof(struct tcphdr)]; const u_int8_t *op; unsigned int i; unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr); op = skb_header_pointer(skb, ptr + sizeof(struct tcphdr), optsize, _opt); if (op == NULL) { printk("OPT (TRUNCATED)"); return; } /* Max length: 127 "OPT (" 15*4*2chars ") " */ printk("OPT ("); for (i =0; i < optsize; i++) printk("%02X", op[i]); printk(") "); } break; } case IPPROTO_UDP: case IPPROTO_UDPLITE: { struct udphdr _udph; const struct udphdr *uh; if (currenthdr == IPPROTO_UDP) /* Max length: 10 "PROTO=UDP " */ printk("PROTO=UDP " ); else /* Max length: 14 "PROTO=UDPLITE " */ printk("PROTO=UDPLITE "); if (fragment) break; /* Max length: 25 "INCOMPLETE [65535 bytes] " */ uh = skb_header_pointer(skb, ptr, sizeof(_udph), &_udph); if (uh == NULL) { printk("INCOMPLETE [%u bytes] ", skb->len - ptr); return; } /* Max length: 20 "SPT=65535 DPT=65535 " */ printk("SPT=%u DPT=%u LEN=%u ", ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len)); break; } case IPPROTO_ICMPV6: { struct icmp6hdr _icmp6h; const struct icmp6hdr *ic; /* Max length: 13 "PROTO=ICMPv6 " */ printk("PROTO=ICMPv6 "); if (fragment) break; /* Max length: 25 "INCOMPLETE [65535 bytes] " */ ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); if (ic == NULL) { printk("INCOMPLETE [%u bytes] ", skb->len - ptr); return; } /* Max length: 18 "TYPE=255 CODE=255 " */ printk("TYPE=%u CODE=%u ", ic->icmp6_type, ic->icmp6_code); switch (ic->icmp6_type) { case ICMPV6_ECHO_REQUEST: case ICMPV6_ECHO_REPLY: /* Max length: 19 "ID=65535 SEQ=65535 " */ printk("ID=%u SEQ=%u ", ntohs(ic->icmp6_identifier), ntohs(ic->icmp6_sequence)); break; case ICMPV6_MGM_QUERY: case ICMPV6_MGM_REPORT: case ICMPV6_MGM_REDUCTION: break; case ICMPV6_PARAMPROB: /* Max length: 17 "POINTER=ffffffff " */ printk("POINTER=%08x ", ntohl(ic->icmp6_pointer)); /* Fall through */ case ICMPV6_DEST_UNREACH: case ICMPV6_PKT_TOOBIG: case ICMPV6_TIME_EXCEED: /* Max length: 3+maxlen */ if (recurse) { printk("["); dump_packet(info, skb, ptr + sizeof(_icmp6h), 0); printk("] "); } /* Max length: 10 "MTU=65535 " */ if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) printk("MTU=%u ", ntohl(ic->icmp6_mtu)); } break; } /* Max length: 10 "PROTO=255 " */ default: printk("PROTO=%u ", currenthdr); } /* Max length: 15 "UID=4294967295 " */ if ((logflags & IP6T_LOG_UID) && recurse && skb->sk) { read_lock_bh(&skb->sk->sk_callback_lock); if (skb->sk->sk_socket && skb->sk->sk_socket->file) printk("UID=%u GID=%u ", skb->sk->sk_socket->file->f_cred->fsuid, skb->sk->sk_socket->file->f_cred->fsgid); read_unlock_bh(&skb->sk->sk_callback_lock); } /* Max length: 16 "MARK=0xFFFFFFFF " */ if (!recurse && skb->mark) printk("MARK=0x%x ", skb->mark); }
static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, const void *protohdr, u_int16_t datalen, int *hotdrop) { struct ipv6_rt_hdr *route = NULL; const struct ip6t_rt *rtinfo = matchinfo; unsigned int temp; unsigned int len; u8 nexthdr; unsigned int ptr; unsigned int hdrlen = 0; unsigned int ret = 0; /* type of the 1st exthdr */ nexthdr = skb->nh.ipv6h->nexthdr; /* pointer to the 1st exthdr */ ptr = sizeof(struct ipv6hdr); /* available length */ len = skb->len - ptr; temp = 0; while (ip6t_ext_hdr(nexthdr)) { struct ipv6_opt_hdr *hdr; DEBUGP("ipv6_rt header iteration \n"); /* Is there enough space for the next ext header? */ if (len < (int)sizeof(struct ipv6_opt_hdr)) return 0; /* No more exthdr -> evaluate */ if (nexthdr == NEXTHDR_NONE) { break; } /* ESP -> evaluate */ if (nexthdr == NEXTHDR_ESP) { break; } hdr=(struct ipv6_opt_hdr *)skb->data+ptr; /* Calculate the header length */ if (nexthdr == NEXTHDR_FRAGMENT) { hdrlen = 8; } else if (nexthdr == NEXTHDR_AUTH) hdrlen = (hdr->hdrlen+2)<<2; else hdrlen = ipv6_optlen(hdr); /* ROUTING -> evaluate */ if (nexthdr == NEXTHDR_ROUTING) { temp |= MASK_ROUTING; break; } /* set the flag */ switch (nexthdr){ case NEXTHDR_HOP: case NEXTHDR_ROUTING: case NEXTHDR_FRAGMENT: case NEXTHDR_AUTH: case NEXTHDR_DEST: break; default: DEBUGP("ipv6_rt match: unknown nextheader %u\n",nexthdr); return 0; break; } nexthdr = hdr->nexthdr; len -= hdrlen; ptr += hdrlen; if ( ptr > skb->len ) { DEBUGP("ipv6_rt: new pointer is too large! \n"); break; } } /* ROUTING header not found */ if ( temp != MASK_ROUTING ) return 0; if (len < (int)sizeof(struct ipv6_rt_hdr)){ *hotdrop = 1; return 0; } if (len < hdrlen){ /* Pcket smaller than its length field */ return 0; } route = (struct ipv6_rt_hdr *) (skb->data + ptr); DEBUGP("IPv6 RT LEN %u %u ", hdrlen, route->hdrlen); DEBUGP("TYPE %04X ", route->type); DEBUGP("SGS_LEFT %u %08X\n", ntohl(route->segments_left), ntohl(route->segments_left)); DEBUGP("IPv6 RT segsleft %02X ", (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], ntohl(route->segments_left), !!(rtinfo->invflags & IP6T_RT_INV_SGS)))); DEBUGP("type %02X %02X %02X ", rtinfo->rt_type, route->type, (!(rtinfo->flags & IP6T_RT_TYP) || ((rtinfo->rt_type == route->type) ^ !!(rtinfo->invflags & IP6T_RT_INV_TYP)))); DEBUGP("len %02X %04X %02X ", rtinfo->hdrlen, hdrlen, (!(rtinfo->flags & IP6T_RT_LEN) || ((rtinfo->hdrlen == hdrlen) ^ !!(rtinfo->invflags & IP6T_RT_INV_LEN)))); DEBUGP("res %02X %02X %02X ", (rtinfo->flags & IP6T_RT_RES), ((struct rt0_hdr *)route)->bitmap, !((rtinfo->flags & IP6T_RT_RES) && (((struct rt0_hdr *)route)->bitmap))); ret = (route != NULL) && (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], ntohl(route->segments_left), !!(rtinfo->invflags & IP6T_RT_INV_SGS))) && (!(rtinfo->flags & IP6T_RT_LEN) || ((rtinfo->hdrlen == hdrlen) ^ !!(rtinfo->invflags & IP6T_RT_INV_LEN))) && (!(rtinfo->flags & IP6T_RT_TYP) || ((rtinfo->rt_type == route->type) ^ !!(rtinfo->invflags & IP6T_RT_INV_TYP))) && !((rtinfo->flags & IP6T_RT_RES) && (((struct rt0_hdr *)route)->bitmap)); DEBUGP("#%d ",rtinfo->addrnr); temp = len = ptr = 0; if ( !(rtinfo->flags & IP6T_RT_FST) ){ return ret; } else if (rtinfo->flags & IP6T_RT_FST_NSTRICT) { DEBUGP("Not strict "); if ( rtinfo->addrnr > (unsigned int)((hdrlen-8)/16) ){ DEBUGP("There isn't enough space\n"); return 0; } else { DEBUGP("#%d ",rtinfo->addrnr); ptr = 0; for(temp=0; temp<(unsigned int)((hdrlen-8)/16); temp++){ len = 0; while ((u8)(((struct rt0_hdr *)route)-> addr[temp].s6_addr[len]) == (u8)(rtinfo->addrs[ptr].s6_addr[len])){ DEBUGP("%02X?%02X ", (u8)(((struct rt0_hdr *)route)->addr[temp].s6_addr[len]), (u8)(rtinfo->addrs[ptr].s6_addr[len])); len++; if ( len == 16 ) break; } if (len==16) { DEBUGP("ptr=%d temp=%d;\n",ptr,temp); ptr++; } else { DEBUGP("%02X?%02X ", (u8)(((struct rt0_hdr *)route)->addr[temp].s6_addr[len]), (u8)(rtinfo->addrs[ptr].s6_addr[len])); DEBUGP("!ptr=%d temp=%d;\n",ptr,temp); } if (ptr==rtinfo->addrnr) break; } DEBUGP("ptr=%d len=%d #%d\n",ptr,len, rtinfo->addrnr); if ( (len == 16) && (ptr == rtinfo->addrnr)) return ret; else return 0; } } else { DEBUGP("Strict "); if ( rtinfo->addrnr > (unsigned int)((hdrlen-8)/16) ){ DEBUGP("There isn't enough space\n"); return 0; } else { DEBUGP("#%d ",rtinfo->addrnr); for(temp=0; temp<rtinfo->addrnr; temp++){ len = 0; while ((u8)(((struct rt0_hdr *)route)-> addr[temp].s6_addr[len]) == (u8)(rtinfo->addrs[temp].s6_addr[len])){ DEBUGP("%02X?%02X ", (u8)(((struct rt0_hdr *)route)->addr[temp].s6_addr[len]), (u8)(rtinfo->addrs[temp].s6_addr[len])); len++; if ( len == 16 ) break; } if (len!=16) { DEBUGP("%02X?%02X ", (u8)(((struct rt0_hdr *)route)->addr[temp].s6_addr[len]), (u8)(rtinfo->addrs[temp].s6_addr[len])); DEBUGP("!len=%d temp=%d;\n",len,temp); break; } } DEBUGP("temp=%d len=%d #%d\n",temp,len,rtinfo->addrnr); if ( (len == 16) && (temp == rtinfo->addrnr) && (temp == (unsigned int)((hdrlen-8)/16))) return ret; else return 0; } } return 0; }
/* One level of recursion won't kill us */ static void dump_ipv6_packet(struct sbuff *m, const struct nf_loginfo *info, const struct sk_buff *skb, unsigned int ip6hoff, int recurse) { u_int8_t currenthdr; int fragment; struct ipv6hdr _ip6h; const struct ipv6hdr *ih; unsigned int ptr; unsigned int hdrlen = 0; unsigned int logflags; if (info->type == NF_LOG_TYPE_LOG) logflags = info->u.log.logflags; else logflags = NF_LOG_MASK; ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); if (ih == NULL) { sb_add(m, "TRUNCATED"); return; } /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ sb_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ sb_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", ntohs(ih->payload_len) + sizeof(struct ipv6hdr), (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, ih->hop_limit, (ntohl(*(__be32 *)ih) & 0x000fffff)); fragment = 0; ptr = ip6hoff + sizeof(struct ipv6hdr); currenthdr = ih->nexthdr; while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) { struct ipv6_opt_hdr _hdr; const struct ipv6_opt_hdr *hp; hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); if (hp == NULL) { sb_add(m, "TRUNCATED"); return; } /* Max length: 48 "OPT (...) " */ if (logflags & XT_LOG_IPOPT) sb_add(m, "OPT ( "); switch (currenthdr) { case IPPROTO_FRAGMENT: { struct frag_hdr _fhdr; const struct frag_hdr *fh; sb_add(m, "FRAG:"); fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), &_fhdr); if (fh == NULL) { sb_add(m, "TRUNCATED "); return; } /* Max length: 6 "65535 " */ sb_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8); /* Max length: 11 "INCOMPLETE " */ if (fh->frag_off & htons(0x0001)) sb_add(m, "INCOMPLETE "); sb_add(m, "ID:%08x ", ntohl(fh->identification)); if (ntohs(fh->frag_off) & 0xFFF8) fragment = 1; hdrlen = 8; break; } case IPPROTO_DSTOPTS: case IPPROTO_ROUTING: case IPPROTO_HOPOPTS: if (fragment) { if (logflags & XT_LOG_IPOPT) sb_add(m, ")"); return; } hdrlen = ipv6_optlen(hp); break; /* Max Length */ case IPPROTO_AH: if (logflags & XT_LOG_IPOPT) { struct ip_auth_hdr _ahdr; const struct ip_auth_hdr *ah; /* Max length: 3 "AH " */ sb_add(m, "AH "); if (fragment) { sb_add(m, ")"); return; } ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), &_ahdr); if (ah == NULL) { /* * Max length: 26 "INCOMPLETE [65535 * bytes] )" */ sb_add(m, "INCOMPLETE [%u bytes] )", skb->len - ptr); return; } /* Length: 15 "SPI=0xF1234567 */ sb_add(m, "SPI=0x%x ", ntohl(ah->spi)); } hdrlen = (hp->hdrlen+2)<<2; break; case IPPROTO_ESP: if (logflags & XT_LOG_IPOPT) { struct ip_esp_hdr _esph; const struct ip_esp_hdr *eh; /* Max length: 4 "ESP " */ sb_add(m, "ESP "); if (fragment) { sb_add(m, ")"); return; } /* * Max length: 26 "INCOMPLETE [65535 bytes] )" */ eh = skb_header_pointer(skb, ptr, sizeof(_esph), &_esph); if (eh == NULL) { sb_add(m, "INCOMPLETE [%u bytes] )", skb->len - ptr); return; } /* Length: 16 "SPI=0xF1234567 )" */ sb_add(m, "SPI=0x%x )", ntohl(eh->spi)); } return; default: /* Max length: 20 "Unknown Ext Hdr 255" */ sb_add(m, "Unknown Ext Hdr %u", currenthdr); return; } if (logflags & XT_LOG_IPOPT) sb_add(m, ") "); currenthdr = hp->nexthdr; ptr += hdrlen; } switch (currenthdr) { case IPPROTO_TCP: if (dump_tcp_header(m, skb, currenthdr, fragment, ptr, logflags)) return; break; case IPPROTO_UDP: case IPPROTO_UDPLITE: if (dump_udp_header(m, skb, currenthdr, fragment, ptr)) return; break; case IPPROTO_ICMPV6: { struct icmp6hdr _icmp6h; const struct icmp6hdr *ic; /* Max length: 13 "PROTO=ICMPv6 " */ sb_add(m, "PROTO=ICMPv6 "); if (fragment) break; /* Max length: 25 "INCOMPLETE [65535 bytes] " */ ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); if (ic == NULL) { sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr); return; } /* Max length: 18 "TYPE=255 CODE=255 " */ sb_add(m, "TYPE=%u CODE=%u ", ic->icmp6_type, ic->icmp6_code); switch (ic->icmp6_type) { case ICMPV6_ECHO_REQUEST: case ICMPV6_ECHO_REPLY: /* Max length: 19 "ID=65535 SEQ=65535 " */ sb_add(m, "ID=%u SEQ=%u ", ntohs(ic->icmp6_identifier), ntohs(ic->icmp6_sequence)); break; case ICMPV6_MGM_QUERY: case ICMPV6_MGM_REPORT: case ICMPV6_MGM_REDUCTION: break; case ICMPV6_PARAMPROB: /* Max length: 17 "POINTER=ffffffff " */ sb_add(m, "POINTER=%08x ", ntohl(ic->icmp6_pointer)); /* Fall through */ case ICMPV6_DEST_UNREACH: case ICMPV6_PKT_TOOBIG: case ICMPV6_TIME_EXCEED: /* Max length: 3+maxlen */ if (recurse) { sb_add(m, "["); dump_ipv6_packet(m, info, skb, ptr + sizeof(_icmp6h), 0); sb_add(m, "] "); } /* Max length: 10 "MTU=65535 " */ if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) sb_add(m, "MTU=%u ", ntohl(ic->icmp6_mtu)); } break; } /* Max length: 10 "PROTO=255 " */ default: sb_add(m, "PROTO=%u ", currenthdr); } /* Max length: 15 "UID=4294967295 " */ if ((logflags & XT_LOG_UID) && recurse) dump_sk_uid_gid(m, skb->sk); /* Max length: 16 "MARK=0xFFFFFFFF " */ if (!recurse && skb->mark) sb_add(m, "MARK=0x%x ", skb->mark); }
static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, const void *protohdr, u_int16_t datalen, int *hotdrop) { struct ahhdr *ah = NULL; const struct ip6t_ah *ahinfo = matchinfo; unsigned int temp; int len; u8 nexthdr; unsigned int ptr; unsigned int hdrlen = 0; /*DEBUGP("IPv6 AH entered\n");*/ /* if (opt->auth == 0) return 0; * It does not filled on output */ /* type of the 1st exthdr */ nexthdr = skb->nh.ipv6h->nexthdr; /* pointer to the 1st exthdr */ ptr = sizeof(struct ipv6hdr); /* available length */ len = skb->len - ptr; temp = 0; while (ip6t_ext_hdr(nexthdr)) { struct ipv6_opt_hdr *hdr; DEBUGP("ipv6_ah header iteration \n"); /* Is there enough space for the next ext header? */ if (len < (int)sizeof(struct ipv6_opt_hdr)) return 0; /* No more exthdr -> evaluate */ if (nexthdr == NEXTHDR_NONE) { break; } /* ESP -> evaluate */ if (nexthdr == NEXTHDR_ESP) { break; } hdr=skb->data+ptr; /* Calculate the header length */ if (nexthdr == NEXTHDR_FRAGMENT) { hdrlen = 8; } else if (nexthdr == NEXTHDR_AUTH) hdrlen = (hdr->hdrlen+2)<<2; else hdrlen = ipv6_optlen(hdr); /* AH -> evaluate */ if (nexthdr == NEXTHDR_AUTH) { temp |= MASK_AH; break; } /* set the flag */ switch (nexthdr){ case NEXTHDR_HOP: case NEXTHDR_ROUTING: case NEXTHDR_FRAGMENT: case NEXTHDR_AUTH: case NEXTHDR_DEST: break; default: DEBUGP("ipv6_ah match: unknown nextheader %u\n",nexthdr); return 0; break; } nexthdr = hdr->nexthdr; len -= hdrlen; ptr += hdrlen; if ( ptr > skb->len ) { DEBUGP("ipv6_ah: new pointer too large! \n"); break; } } /* AH header not found */ if ( temp != MASK_AH ) return 0; if (len < (int)sizeof(struct ahhdr)){ *hotdrop = 1; return 0; } ah=skb->data+ptr; DEBUGP("IPv6 AH LEN %u %u ", hdrlen, ah->hdrlen); DEBUGP("RES %04X ", ah->reserved); DEBUGP("SPI %u %08X\n", ntohl(ah->spi), ntohl(ah->spi)); DEBUGP("IPv6 AH spi %02X ", (spi_match(ahinfo->spis[0], ahinfo->spis[1], ntohl(ah->spi), !!(ahinfo->invflags & IP6T_AH_INV_SPI)))); DEBUGP("len %02X %04X %02X ", ahinfo->hdrlen, hdrlen, (!ahinfo->hdrlen || (ahinfo->hdrlen == hdrlen) ^ !!(ahinfo->invflags & IP6T_AH_INV_LEN))); DEBUGP("res %02X %04X %02X\n", ahinfo->hdrres, ah->reserved, !(ahinfo->hdrres && ah->reserved)); return (ah != NULL) && (spi_match(ahinfo->spis[0], ahinfo->spis[1], ntohl(ah->spi), !!(ahinfo->invflags & IP6T_AH_INV_SPI))) && (!ahinfo->hdrlen || (ahinfo->hdrlen == hdrlen) ^ !!(ahinfo->invflags & IP6T_AH_INV_LEN)) && !(ahinfo->hdrres && ah->reserved); }
static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, const void *protohdr, u_int16_t datalen, int *hotdrop) { struct ip_esp_hdr *esp = NULL; const struct ip6t_esp *espinfo = matchinfo; unsigned int temp; int len; u8 nexthdr; unsigned int ptr; /* Make sure this isn't an evil packet */ /*DEBUGP("ipv6_esp entered \n");*/ /* type of the 1st exthdr */ nexthdr = skb->nh.ipv6h->nexthdr; /* pointer to the 1st exthdr */ ptr = sizeof(struct ipv6hdr); /* available length */ len = skb->len - ptr; temp = 0; while (ip6t_ext_hdr(nexthdr)) { struct ipv6_opt_hdr *hdr; int hdrlen; DEBUGP("ipv6_esp header iteration \n"); /* Is there enough space for the next ext header? */ if (len < (int)sizeof(struct ipv6_opt_hdr)) return 0; /* No more exthdr -> evaluate */ if (nexthdr == NEXTHDR_NONE) { break; } /* ESP -> evaluate */ if (nexthdr == NEXTHDR_ESP) { temp |= MASK_ESP; break; } hdr=(struct ipv6_opt_hdr *)skb->data+ptr; /* Calculate the header length */ if (nexthdr == NEXTHDR_FRAGMENT) { hdrlen = 8; } else if (nexthdr == NEXTHDR_AUTH) hdrlen = (hdr->hdrlen+2)<<2; else hdrlen = ipv6_optlen(hdr); /* set the flag */ switch (nexthdr){ case NEXTHDR_HOP: case NEXTHDR_ROUTING: case NEXTHDR_FRAGMENT: case NEXTHDR_AUTH: case NEXTHDR_DEST: break; default: DEBUGP("ipv6_esp match: unknown nextheader %u\n",nexthdr); return 0; break; } nexthdr = hdr->nexthdr; len -= hdrlen; ptr += hdrlen; if ( ptr > skb->len ) { DEBUGP("ipv6_esp: new pointer too large! \n"); break; } } /* ESP header not found */ if ( temp != MASK_ESP ) return 0; if (len < (int)sizeof(struct ip_esp_hdr)){ *hotdrop = 1; return 0; } esp = (struct ip_esp_hdr *) (skb->data + ptr); DEBUGP("IPv6 ESP SPI %u %08X\n", ntohl(esp->spi), ntohl(esp->spi)); return (esp != NULL) && spi_match(espinfo->spis[0], espinfo->spis[1], ntohl(esp->spi), !!(espinfo->invflags & IP6T_ESP_INV_SPI)); }
static bool ipv6header_mt6(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) { const struct ip6t_ipv6header_info *info = matchinfo; unsigned int temp; int len; u8 nexthdr; unsigned int ptr; /* Make sure this isn't an evil packet */ /* type of the 1st exthdr */ nexthdr = ipv6_hdr(skb)->nexthdr; /* pointer to the 1st exthdr */ ptr = sizeof(struct ipv6hdr); /* available length */ len = skb->len - ptr; temp = 0; while (ip6t_ext_hdr(nexthdr)) { struct ipv6_opt_hdr _hdr, *hp; int hdrlen; /* Is there enough space for the next ext header? */ if (len < (int)sizeof(struct ipv6_opt_hdr)) return false; /* No more exthdr -> evaluate */ if (nexthdr == NEXTHDR_NONE) { temp |= MASK_NONE; break; } /* ESP -> evaluate */ if (nexthdr == NEXTHDR_ESP) { temp |= MASK_ESP; break; } hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); BUG_ON(hp == NULL); /* Calculate the header length */ if (nexthdr == NEXTHDR_FRAGMENT) hdrlen = 8; else if (nexthdr == NEXTHDR_AUTH) hdrlen = (hp->hdrlen + 2) << 2; else hdrlen = ipv6_optlen(hp); /* set the flag */ switch (nexthdr) { case NEXTHDR_HOP: temp |= MASK_HOPOPTS; break; case NEXTHDR_ROUTING: temp |= MASK_ROUTING; break; case NEXTHDR_FRAGMENT: temp |= MASK_FRAGMENT; break; case NEXTHDR_AUTH: temp |= MASK_AH; break; case NEXTHDR_DEST: temp |= MASK_DSTOPTS; break; default: return false; break; } nexthdr = hp->nexthdr; len -= hdrlen; ptr += hdrlen; if (ptr > skb->len) break; } if (nexthdr != NEXTHDR_NONE && nexthdr != NEXTHDR_ESP) temp |= MASK_PROTO; if (info->modeflag) return !((temp ^ info->matchflags ^ info->invflags) & info->matchflags); else { if (info->invflags) return temp != info->matchflags; else return temp == info->matchflags; } }
static int ipv6header_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, const void *protohdr, u_int16_t datalen, int *hotdrop) { const struct ip6t_ipv6header_info *info = matchinfo; unsigned int temp; int len; u8 nexthdr; unsigned int ptr; /* Make sure this isn't an evil packet */ /* type of the 1st exthdr */ nexthdr = skb->nh.ipv6h->nexthdr; /* pointer to the 1st exthdr */ ptr = sizeof(struct ipv6hdr); /* available length */ len = skb->len - ptr; temp = 0; while (ip6t_ext_hdr(nexthdr)) { struct ipv6_opt_hdr *hdr; int hdrlen; /* Is there enough space for the next ext header? */ if (len < (int)sizeof(struct ipv6_opt_hdr)) return 0; /* No more exthdr -> evaluate */ if (nexthdr == NEXTHDR_NONE) { temp |= MASK_NONE; break; } /* ESP -> evaluate */ if (nexthdr == NEXTHDR_ESP) { temp |= MASK_ESP; break; } hdr=(struct ipv6_opt_hdr *)skb->data+ptr; /* Calculate the header length */ if (nexthdr == NEXTHDR_FRAGMENT) { hdrlen = 8; } else if (nexthdr == NEXTHDR_AUTH) hdrlen = (hdr->hdrlen+2)<<2; else hdrlen = ipv6_optlen(hdr); /* set the flag */ switch (nexthdr){ case NEXTHDR_HOP: temp |= MASK_HOPOPTS; break; case NEXTHDR_ROUTING: temp |= MASK_ROUTING; break; case NEXTHDR_FRAGMENT: temp |= MASK_FRAGMENT; break; case NEXTHDR_AUTH: temp |= MASK_AH; break; case NEXTHDR_DEST: temp |= MASK_DSTOPTS; break; default: return 0; break; } nexthdr = hdr->nexthdr; len -= hdrlen; ptr += hdrlen; if (ptr > skb->len) break; } if ( (nexthdr != NEXTHDR_NONE ) && (nexthdr != NEXTHDR_ESP) ) temp |= MASK_PROTO; if (info->modeflag) return (!( (temp & info->matchflags) ^ info->matchflags) ^ info->invflags); else return (!( temp ^ info->matchflags) ^ info->invflags); }
/* Returns whether matches rule or not. */ static inline int ip6_packet_match(const struct sk_buff *skb, const char *indev, const char *outdev, const struct ip6t_ip6 *ip6info, unsigned int *protoff, int *fragoff) { size_t i; unsigned long ret; const struct ipv6hdr *ipv6 = skb->nh.ipv6h; #define FWINV(bool,invflg) ((bool) ^ !!(ip6info->invflags & invflg)) if (FWINV(ip6_masked_addrcmp(ipv6->saddr,ip6info->smsk,ip6info->src), IP6T_INV_SRCIP) || FWINV(ip6_masked_addrcmp(ipv6->daddr,ip6info->dmsk,ip6info->dst), IP6T_INV_DSTIP)) { dprintf("Source or dest mismatch.\n"); /* dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr, ipinfo->smsk.s_addr, ipinfo->src.s_addr, ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : ""); dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr, ipinfo->dmsk.s_addr, ipinfo->dst.s_addr, ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/ return 0; } /* Look for ifname matches; this should unroll nicely. */ for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) { ret |= (((const unsigned long *)indev)[i] ^ ((const unsigned long *)ip6info->iniface)[i]) & ((const unsigned long *)ip6info->iniface_mask)[i]; } if (FWINV(ret != 0, IP6T_INV_VIA_IN)) { dprintf("VIA in mismatch (%s vs %s).%s\n", indev, ip6info->iniface, ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":""); return 0; } for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) { ret |= (((const unsigned long *)outdev)[i] ^ ((const unsigned long *)ip6info->outiface)[i]) & ((const unsigned long *)ip6info->outiface_mask)[i]; } if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) { dprintf("VIA out mismatch (%s vs %s).%s\n", outdev, ip6info->outiface, ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":""); return 0; } /* ... might want to do something with class and flowlabel here ... */ /* look for the desired protocol header */ if((ip6info->flags & IP6T_F_PROTO)) { u_int8_t currenthdr = ipv6->nexthdr; struct ipv6_opt_hdr _hdr, *hp; u_int16_t ptr; /* Header offset in skb */ u_int16_t hdrlen; /* Header */ u_int16_t _fragoff = 0, *fp = NULL; ptr = IPV6_HDR_LEN; while (ip6t_ext_hdr(currenthdr)) { /* Is there enough space for the next ext header? */ if (skb->len - ptr < IPV6_OPTHDR_LEN) return 0; /* NONE or ESP: there isn't protocol part */ /* If we want to count these packets in '-p all', * we will change the return 0 to 1*/ if ((currenthdr == IPPROTO_NONE) || (currenthdr == IPPROTO_ESP)) return 0; hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); BUG_ON(hp == NULL); /* Size calculation */ if (currenthdr == IPPROTO_FRAGMENT) { fp = skb_header_pointer(skb, ptr+offsetof(struct frag_hdr, frag_off), sizeof(_fragoff), &_fragoff); if (fp == NULL) return 0; _fragoff = ntohs(*fp) & ~0x7; hdrlen = 8; } else if (currenthdr == IPPROTO_AH)
static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, unsigned int protoff, int *hotdrop) { struct ipv6_rt_hdr _route, *rh = NULL; const struct ip6t_rt *rtinfo = matchinfo; unsigned int temp; unsigned int len; u8 nexthdr; unsigned int ptr; unsigned int hdrlen = 0; unsigned int ret = 0; struct in6_addr *ap, _addr; /* type of the 1st exthdr */ nexthdr = skb->nh.ipv6h->nexthdr; /* pointer to the 1st exthdr */ ptr = sizeof(struct ipv6hdr); /* available length */ len = skb->len - ptr; temp = 0; while (ip6t_ext_hdr(nexthdr)) { struct ipv6_opt_hdr _hdr, *hp; DEBUGP("ipv6_rt header iteration \n"); /* Is there enough space for the next ext header? */ if (len < (int)sizeof(struct ipv6_opt_hdr)) return 0; /* No more exthdr -> evaluate */ if (nexthdr == NEXTHDR_NONE) { break; } /* ESP -> evaluate */ if (nexthdr == NEXTHDR_ESP) { break; } hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); BUG_ON(hp == NULL); /* Calculate the header length */ if (nexthdr == NEXTHDR_FRAGMENT) { hdrlen = 8; } else if (nexthdr == NEXTHDR_AUTH) hdrlen = (hp->hdrlen+2)<<2; else hdrlen = ipv6_optlen(hp); /* ROUTING -> evaluate */ if (nexthdr == NEXTHDR_ROUTING) { temp |= MASK_ROUTING; break; } /* set the flag */ switch (nexthdr){ case NEXTHDR_HOP: case NEXTHDR_ROUTING: case NEXTHDR_FRAGMENT: case NEXTHDR_AUTH: case NEXTHDR_DEST: break; default: DEBUGP("ipv6_rt match: unknown nextheader %u\n",nexthdr); return 0; break; } nexthdr = hp->nexthdr; len -= hdrlen; ptr += hdrlen; if ( ptr > skb->len ) { DEBUGP("ipv6_rt: new pointer is too large! \n"); break; } } /* ROUTING header not found */ if ( temp != MASK_ROUTING ) return 0; if (len < (int)sizeof(struct ipv6_rt_hdr)){ *hotdrop = 1; return 0; } if (len < hdrlen){ /* Pcket smaller than its length field */ return 0; } rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); BUG_ON(rh == NULL); DEBUGP("IPv6 RT LEN %u %u ", hdrlen, rh->hdrlen); DEBUGP("TYPE %04X ", rh->type); DEBUGP("SGS_LEFT %u %02X\n", rh->segments_left, rh->segments_left); DEBUGP("IPv6 RT segsleft %02X ", (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], rh->segments_left, !!(rtinfo->invflags & IP6T_RT_INV_SGS)))); DEBUGP("type %02X %02X %02X ", rtinfo->rt_type, rh->type, (!(rtinfo->flags & IP6T_RT_TYP) || ((rtinfo->rt_type == rh->type) ^ !!(rtinfo->invflags & IP6T_RT_INV_TYP)))); DEBUGP("len %02X %04X %02X ", rtinfo->hdrlen, hdrlen, (!(rtinfo->flags & IP6T_RT_LEN) || ((rtinfo->hdrlen == hdrlen) ^ !!(rtinfo->invflags & IP6T_RT_INV_LEN)))); DEBUGP("res %02X %02X %02X ", (rtinfo->flags & IP6T_RT_RES), ((struct rt0_hdr *)rh)->bitmap, !((rtinfo->flags & IP6T_RT_RES) && (((struct rt0_hdr *)rh)->bitmap))); ret = (rh != NULL) && (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], rh->segments_left, !!(rtinfo->invflags & IP6T_RT_INV_SGS))) && (!(rtinfo->flags & IP6T_RT_LEN) || ((rtinfo->hdrlen == hdrlen) ^ !!(rtinfo->invflags & IP6T_RT_INV_LEN))) && (!(rtinfo->flags & IP6T_RT_TYP) || ((rtinfo->rt_type == rh->type) ^ !!(rtinfo->invflags & IP6T_RT_INV_TYP))); if (ret && (rtinfo->flags & IP6T_RT_RES)) { u_int32_t *bp, _bitmap; bp = skb_header_pointer(skb, ptr + offsetof(struct rt0_hdr, bitmap), sizeof(_bitmap), &_bitmap); ret = (*bp == 0); }
static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, const void *protohdr, u_int16_t datalen, int *hotdrop) { struct fraghdr *frag = NULL; const struct ip6t_frag *fraginfo = matchinfo; unsigned int temp; int len; u8 nexthdr; unsigned int ptr; unsigned int hdrlen = 0; /* type of the 1st exthdr */ nexthdr = skb->nh.ipv6h->nexthdr; /* pointer to the 1st exthdr */ ptr = sizeof(struct ipv6hdr); /* available length */ len = skb->len - ptr; temp = 0; while (ip6t_ext_hdr(nexthdr)) { struct ipv6_opt_hdr *hdr; DEBUGP("ipv6_frag header iteration \n"); /* Is there enough space for the next ext header? */ if (len < (int)sizeof(struct ipv6_opt_hdr)) return 0; /* No more exthdr -> evaluate */ if (nexthdr == NEXTHDR_NONE) { break; } /* ESP -> evaluate */ if (nexthdr == NEXTHDR_ESP) { break; } hdr=(struct ipv6_opt_hdr *)skb->data+ptr; /* Calculate the header length */ if (nexthdr == NEXTHDR_FRAGMENT) { hdrlen = 8; } else if (nexthdr == NEXTHDR_AUTH) hdrlen = (hdr->hdrlen+2)<<2; else hdrlen = ipv6_optlen(hdr); /* FRAG -> evaluate */ if (nexthdr == NEXTHDR_FRAGMENT) { temp |= MASK_FRAGMENT; break; } /* set the flag */ switch (nexthdr){ case NEXTHDR_HOP: case NEXTHDR_ROUTING: case NEXTHDR_FRAGMENT: case NEXTHDR_AUTH: case NEXTHDR_DEST: break; default: DEBUGP("ipv6_frag match: unknown nextheader %u\n",nexthdr); return 0; break; } nexthdr = hdr->nexthdr; len -= hdrlen; ptr += hdrlen; if ( ptr > skb->len ) { DEBUGP("ipv6_frag: new pointer too large! \n"); break; } } /* FRAG header not found */ if ( temp != MASK_FRAGMENT ) return 0; if (len < (int)sizeof(struct fraghdr)){ *hotdrop = 1; return 0; } frag = (struct fraghdr *) (skb->data + ptr); DEBUGP("IPv6 FRAG LEN %u %u ", hdrlen, frag->hdrlen); DEBUGP("INFO %04X ", frag->info); DEBUGP("OFFSET %04X ", frag->info & IP6F_OFF_MASK); DEBUGP("RES %04X ", frag->info & IP6F_RESERVED_MASK); DEBUGP("MF %04X ", frag->info & IP6F_MORE_FRAG); DEBUGP("ID %u %08X\n", ntohl(frag->id), ntohl(frag->id)); DEBUGP("IPv6 FRAG id %02X ", (id_match(fraginfo->ids[0], fraginfo->ids[1], ntohl(frag->id), !!(fraginfo->invflags & IP6T_FRAG_INV_IDS)))); DEBUGP("len %02X %04X %02X ", fraginfo->hdrlen, hdrlen, (!fraginfo->hdrlen || (fraginfo->hdrlen == hdrlen) ^ !!(fraginfo->invflags & IP6T_FRAG_INV_LEN))); DEBUGP("res %02X %02X %02X ", (fraginfo->flags & IP6T_FRAG_RES), frag->info & IP6F_RESERVED_MASK, !((fraginfo->flags & IP6T_FRAG_RES) && (frag->info & IP6F_RESERVED_MASK))); DEBUGP("first %02X %02X %02X ", (fraginfo->flags & IP6T_FRAG_FST), frag->info & IP6F_OFF_MASK, !((fraginfo->flags & IP6T_FRAG_FST) && (frag->info & IP6F_OFF_MASK))); DEBUGP("mf %02X %02X %02X ", (fraginfo->flags & IP6T_FRAG_MF), frag->info & IP6F_MORE_FRAG, !((fraginfo->flags & IP6T_FRAG_MF) && !((frag->info & IP6F_MORE_FRAG)))); DEBUGP("last %02X %02X %02X\n", (fraginfo->flags & IP6T_FRAG_NMF), frag->info & IP6F_MORE_FRAG, !((fraginfo->flags & IP6T_FRAG_NMF) && (frag->info & IP6F_MORE_FRAG))); return (frag != NULL) && (id_match(fraginfo->ids[0], fraginfo->ids[1], ntohl(frag->id), !!(fraginfo->invflags & IP6T_FRAG_INV_IDS))) && (!fraginfo->hdrlen || (fraginfo->hdrlen == hdrlen) ^ !!(fraginfo->invflags & IP6T_FRAG_INV_LEN)) && !((fraginfo->flags & IP6T_FRAG_RES) && (frag->info & IP6F_RESERVED_MASK)) && !((fraginfo->flags & IP6T_FRAG_FST) && (frag->info & IP6F_OFF_MASK)) && !((fraginfo->flags & IP6T_FRAG_MF) && !((frag->info & IP6F_MORE_FRAG))) && !((fraginfo->flags & IP6T_FRAG_NMF) && (frag->info & IP6F_MORE_FRAG)); }
static int ipv6header_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, const void *protohdr, u_int16_t datalen, int *hotdrop) { const struct ip6t_ipv6header_info *info = matchinfo; unsigned int temp; int len; u8 nexthdr; unsigned int ptr; struct inet6_skb_parm *opt = (struct inet6_skb_parm *)skb->cb; /* Make sure this isn't an evil packet */ DEBUGP("ipv6_header entered \n"); /* type of the 1st exthdr */ nexthdr = skb->nh.ipv6h->nexthdr; /* pointer to the 1st exthdr */ ptr = sizeof(struct ipv6hdr); /* available length */ len = skb->len - ptr; temp = 0; DEBUGP("ipv6_header nexthdr %02X \n",nexthdr); DEBUGP("ipv6_header ptr %08X \n",ptr); DEBUGP("ipv6_header skblen %04X \n",skb->len); DEBUGP("ipv6_header skbdatalen %04X \n",skb->data_len); DEBUGP("ipv6_header len %04X \n",len); #if 0 for (temp=0;temp<skb->len;temp++){ if (!(temp % 16 )) DEBUGP("\nipv6_header data "); DEBUGP("%02X ",skb->data[temp]); } #endif DEBUGP("\nipv6_header h.raw %02X %02X %02X %02X \n", skb->h.raw[0], skb->h.raw[1], skb->h.raw[2], skb->h.raw[3]); DEBUGP("ipv6_header nh.raw %02X %02X %02X %02X \n", skb->nh.raw[0], skb->nh.raw[1], skb->nh.raw[2], skb->nh.raw[3]); DEBUGP("ipv6_header CB %02X %02X %02X %02X %02X %02X %02X \n", opt->iif, opt->ra, opt->hop, opt->auth, opt->dst0, opt->srcrt, opt->dst1); temp = 0; while (ip6t_ext_hdr(nexthdr)) { struct ipv6_opt_hdr *hdr; int hdrlen; DEBUGP("ipv6_header header iteration \n"); /* Is there enough space for the next ext header? */ if (len < (int)sizeof(struct ipv6_opt_hdr)) return 0; /* No more exthdr -> evaluate */ if (nexthdr == NEXTHDR_NONE) { temp |= MASK_NONE; break; } /* ESP -> evaluate */ if (nexthdr == NEXTHDR_ESP) { temp |= MASK_ESP; break; } hdr=skb->data+ptr; /* Calculate the header length */ if (nexthdr == NEXTHDR_FRAGMENT) { hdrlen = 8; } else if (nexthdr == NEXTHDR_AUTH) hdrlen = (hdr->hdrlen+2)<<2; else hdrlen = ipv6_optlen(hdr); DEBUGP("ipv6_header hdrlen %04X \n",hdrlen); /* set the flag */ switch (nexthdr){ case NEXTHDR_HOP: temp |= MASK_HOPOPTS; break; case NEXTHDR_ROUTING: temp |= MASK_ROUTING; break; case NEXTHDR_FRAGMENT: temp |= MASK_FRAGMENT; break; case NEXTHDR_AUTH: temp |= MASK_AH; break; case NEXTHDR_DEST: temp |= MASK_DSTOPTS; break; default: DEBUGP("IPV6HEADER match: unknown nextheader %u\n",nexthdr); return 0; break; } nexthdr = hdr->nexthdr; len -= hdrlen; ptr += hdrlen; if ( ptr > skb->len ) { DEBUGP("ipv6_header new ptr %04X \n",ptr); break; } } if ( (nexthdr != NEXTHDR_NONE ) && (nexthdr != NEXTHDR_ESP) ) temp |= MASK_PROTO; DEBUGP ("ipv6header: %02X %02X \n", temp, info->matchflags); if (info->modeflag) return (!( (temp & info->matchflags) ^ info->matchflags) ^ info->invflags); else return (!( temp ^ info->matchflags) ^ info->invflags); }