static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
{
to->pkt_type = from->pkt_type;
to->priority = from->priority;
to->protocol = from->protocol;
dst_release(to->dst);
to->dst = dst_clone(from->dst);
to->dev = from->dev;
#ifdef CONFIG_NET_SCHED
to->tc_index = from->tc_index;
#endif
#ifdef CONFIG_NETFILTER
to->nfmark = from->nfmark;
/* Connection association is same as pre-frag packet */
nf_conntrack_put(to->nfct);
to->nfct = from->nfct;
nf_conntrack_get(to->nfct);
to->nfctinfo = from->nfctinfo;
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
nf_conntrack_put_reasm(to->nfct_reasm);
to->nfct_reasm = from->nfct_reasm;
nf_conntrack_get_reasm(to->nfct_reasm);
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put(to->nf_bridge);
to->nf_bridge = from->nf_bridge;
nf_bridge_get(to->nf_bridge);
#endif
#endif
skb_copy_secmark(to, from);
}
static void
synproxy_send_tcp(struct net *net,
const struct sk_buff *skb, struct sk_buff *nskb,
struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
struct iphdr *niph, struct tcphdr *nth,
unsigned int tcp_hdr_size)
{
nth->check = ~tcp_v4_check(tcp_hdr_size, niph->saddr, niph->daddr, 0);
nskb->ip_summed = CHECKSUM_PARTIAL;
nskb->csum_start = (unsigned char *)nth - nskb->head;
nskb->csum_offset = offsetof(struct tcphdr, check);
skb_dst_set_noref(nskb, skb_dst(skb));
nskb->protocol = htons(ETH_P_IP);
if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
goto free_nskb;
if (nfct) {
nskb->nfct = nfct;
nskb->nfctinfo = ctinfo;
nf_conntrack_get(nfct);
}
ip_local_out(net, nskb->sk, nskb);
return;
free_nskb:
kfree_skb(nskb);
}
static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
{
to->pkt_type = from->pkt_type;
to->priority = from->priority;
to->protocol = from->protocol;
to->security = from->security;
dst_release(to->dst);
to->dst = dst_clone(from->dst);
to->dev = from->dev;
#ifdef CONFIG_NET_SCHED
to->tc_index = from->tc_index;
#endif
#ifdef CONFIG_NETFILTER
to->nfmark = from->nfmark;
/* Connection association is same as pre-frag packet */
to->nfct = from->nfct;
nf_conntrack_get(to->nfct);
to->nfctinfo = from->nfctinfo;
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put(to->nf_bridge);
to->nf_bridge = from->nf_bridge;
nf_bridge_get(to->nf_bridge);
#endif
#ifdef CONFIG_NETFILTER_DEBUG
to->nf_debug = from->nf_debug;
#endif
#endif
}
static unsigned int ipv6_conntrack_in(unsigned int hooknum,
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
struct sk_buff *reasm = (*pskb)->nfct_reasm;
/* This packet is fragmented and has reassembled packet. */
if (reasm) {
/* Reassembled packet isn't parsed yet ? */
if (!reasm->nfct) {
unsigned int ret;
ret = nf_conntrack_in(PF_INET6, hooknum, &reasm);
if (ret != NF_ACCEPT)
return ret;
}
nf_conntrack_get(reasm->nfct);
(*pskb)->nfct = reasm->nfct;
/* purpose : Cisco CIAM Alert author : Rain date : 2011-07-06 */
/* description : Patch nf_conntrack_l3proto_ipv6.c 2.6.20.3 for Cisco CIAM Alert */
(*pskb)->nfctinfo = reasm->nfctinfo;
return NF_ACCEPT;
}
return nf_conntrack_in(PF_INET6, hooknum, pskb);
}
static unsigned int
tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
if (percpu_read(tee_active))
return XT_CONTINUE;
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return XT_CONTINUE;
#ifdef WITH_CONNTRACK
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_ct_untracked_get()->ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN) {
struct ipv6hdr *iph = ipv6_hdr(skb);
--iph->hop_limit;
}
if (tee_tg_route6(skb, info)) {
percpu_write(tee_active, true);
ip6_local_out(skb);
percpu_write(tee_active, false);
} else {
kfree_skb(skb);
}
return XT_CONTINUE;
}
void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
const struct in6_addr *gw, int oif)
{
if (this_cpu_read(nf_skb_duplicated))
return;
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return;
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_ct_untracked_get()->ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
if (hooknum == NF_INET_PRE_ROUTING ||
hooknum == NF_INET_LOCAL_IN) {
struct ipv6hdr *iph = ipv6_hdr(skb);
--iph->hop_limit;
}
if (nf_dup_ipv6_route(net, skb, gw, oif)) {
__this_cpu_write(nf_skb_duplicated, true);
ip6_local_out(net, skb->sk, skb);
__this_cpu_write(nf_skb_duplicated, false);
} else {
kfree_skb(skb);
}
}
static unsigned int ipv6_conntrack_in(unsigned int hooknum,
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
struct sk_buff *reasm = (*pskb)->nfct_reasm;
/* This packet is fragmented and has reassembled packet. */
if (reasm) {
/* Reassembled packet isn't parsed yet ? */
if (!reasm->nfct) {
unsigned int ret;
ret = nf_conntrack_in(PF_INET6, hooknum, &reasm);
if (ret != NF_ACCEPT)
return ret;
}
nf_conntrack_get(reasm->nfct);
(*pskb)->nfct = reasm->nfct;
(*pskb)->nfctinfo = reasm->nfctinfo;
return NF_ACCEPT;
}
return nf_conntrack_in(PF_INET6, hooknum, pskb);
}
static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
const struct ovs_conntrack_info *info,
struct sk_buff *skb)
{
/* If we are recirculating packets to match on conntrack fields and
* committing with a separate conntrack action, then we don't need to
* actually run the packet through conntrack twice unless it's for a
* different zone.
*/
if (!skb_nfct_cached(net, skb, info)) {
struct nf_conn *tmpl = info->ct;
/* Associate skb with specified zone. */
if (tmpl) {
if (skb->nfct)
nf_conntrack_put(skb->nfct);
nf_conntrack_get(&tmpl->ct_general);
skb->nfct = &tmpl->ct_general;
skb->nfctinfo = IP_CT_NEW;
}
if (nf_conntrack_in(net, info->family, NF_INET_FORWARD,
skb) != NF_ACCEPT)
return -ENOENT;
if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
WARN_ONCE(1, "helper rejected packet");
return -EINVAL;
}
}
ovs_ct_update_key(skb, info, key, true);
return 0;
}
/* Deliver cached events for old pending events, if current conntrack != old */
void __nf_ct_event_cache_init(struct nf_conn *ct)
{
struct nf_conntrack_ecache *ecache;
/* take care of delivering potentially old events */
ecache = &__get_cpu_var(nf_conntrack_ecache);
BUG_ON(ecache->ct == ct);
if (ecache->ct)
__nf_ct_deliver_cached_events(ecache);
/* initialize for this conntrack/packet */
ecache->ct = ct;
nf_conntrack_get(&ct->ct_general);
}
static unsigned int
notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
/* Previously seen (loopback)? Ignore. */
if (skb->nfct != NULL)
return XT_CONTINUE;
skb->nfct = &nf_ct_untracked_get()->ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
return XT_CONTINUE;
}
static unsigned int
tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
struct iphdr *iph;
if (percpu_read(tee_active))
return XT_CONTINUE;
/*
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
* the original skb, which should continue on its way as if nothing has
* happened. The copy should be independently delivered to the TEE
* --gateway.
*/
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return XT_CONTINUE;
#ifdef WITH_CONNTRACK
/* Avoid counting cloned packets towards the original connection. */
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_ct_untracked_get()->ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
/*
* If we are in PREROUTING/INPUT, the checksum must be recalculated
* since the length could have changed as a result of defragmentation.
*
* We also decrease the TTL to mitigate potential TEE loops
* between two hosts.
*
* Set %IP_DF so that the original source is notified of a potentially
* decreased MTU on the clone route. IPv6 does this too.
*/
iph = ip_hdr(skb);
iph->frag_off |= htons(IP_DF);
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN)
--iph->ttl;
ip_send_check(iph);
if (tee_tg_route4(skb, info)) {
percpu_write(tee_active, true);
ip_local_out(skb);
percpu_write(tee_active, false);
} else {
kfree_skb(skb);
}
return XT_CONTINUE;
}
void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
const struct in_addr *gw, int oif)
{
struct iphdr *iph;
if (this_cpu_read(nf_skb_duplicated))
return;
/*
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
* the original skb, which should continue on its way as if nothing has
* happened. The copy should be independently delivered to the gateway.
*/
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return;
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* Avoid counting cloned packets towards the original connection. */
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_ct_untracked_get()->ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
/*
* If we are in PREROUTING/INPUT, the checksum must be recalculated
* since the length could have changed as a result of defragmentation.
*
* We also decrease the TTL to mitigate potential loops between two
* hosts.
*
* Set %IP_DF so that the original source is notified of a potentially
* decreased MTU on the clone route. IPv6 does this too.
*/
iph = ip_hdr(skb);
iph->frag_off |= htons(IP_DF);
if (hooknum == NF_INET_PRE_ROUTING ||
hooknum == NF_INET_LOCAL_IN)
--iph->ttl;
ip_send_check(iph);
if (nf_dup_ipv4_route(net, skb, gw, oif)) {
__this_cpu_write(nf_skb_duplicated, true);
ip_local_out(net, skb->sk, skb);
__this_cpu_write(nf_skb_duplicated, false);
} else {
kfree_skb(skb);
}
}
/* Note: This doesn't put any conntrack and bridge info in dst. */
static void __nf_copy(struct sk_buff *dst, const struct sk_buff *src)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
dst->nfct = src->nfct;
nf_conntrack_get(src->nfct);
dst->nfctinfo = src->nfctinfo;
#endif
#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
dst->nfct_reasm = src->nfct_reasm;
nf_conntrack_get_reasm(src->nfct_reasm);
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
dst->nf_bridge = src->nf_bridge;
nf_bridge_get(src->nf_bridge);
#endif
}
static unsigned int
notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
/* Previously seen (loopback)? Ignore. */
if (skb->nfct != NULL)
return XT_CONTINUE;
/* Attach fake conntrack entry.
If there is a real ct entry correspondig to this packet,
it'll hang aroun till timing out. We don't deal with it
for performance reasons. JK */
skb->nfct = &nf_conntrack_untracked.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
return XT_CONTINUE;
}
static void
synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb,
struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
struct ipv6hdr *niph, struct tcphdr *nth,
unsigned int tcp_hdr_size)
{
struct net *net = nf_ct_net((struct nf_conn *)nfct);
struct dst_entry *dst;
struct flowi6 fl6;
nth->check = ~tcp_v6_check(tcp_hdr_size, &niph->saddr, &niph->daddr, 0);
nskb->ip_summed = CHECKSUM_PARTIAL;
nskb->csum_start = (unsigned char *)nth - nskb->head;
nskb->csum_offset = offsetof(struct tcphdr, check);
memset(&fl6, 0, sizeof(fl6));
fl6.flowi6_proto = IPPROTO_TCP;
fl6.saddr = niph->saddr;
fl6.daddr = niph->daddr;
fl6.fl6_sport = nth->source;
fl6.fl6_dport = nth->dest;
security_skb_classify_flow((struct sk_buff *)skb, flowi6_to_flowi(&fl6));
dst = ip6_route_output(net, NULL, &fl6);
if (dst == NULL || dst->error) {
dst_release(dst);
goto free_nskb;
}
dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
if (IS_ERR(dst))
goto free_nskb;
skb_dst_set(nskb, dst);
if (nfct) {
nskb->nfct = nfct;
nskb->nfctinfo = ctinfo;
nf_conntrack_get(nfct);
}
ip6_local_out(nskb);
return;
free_nskb:
kfree_skb(nskb);
}
static int
icmpv6_error(struct net *net, struct nf_conn *tmpl,
struct sk_buff *skb, unsigned int dataoff,
enum ip_conntrack_info *ctinfo, u_int8_t pf, unsigned int hooknum)
{
const struct icmp6hdr *icmp6h;
struct icmp6hdr _ih;
int type;
icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
if (icmp6h == NULL) {
if (LOG_INVALID(net, IPPROTO_ICMPV6))
nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
"nf_ct_icmpv6: short packet ");
return -NF_ACCEPT;
}
if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) {
if (LOG_INVALID(net, IPPROTO_ICMPV6))
nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
"nf_ct_icmpv6: ICMPv6 checksum failed ");
return -NF_ACCEPT;
}
type = icmp6h->icmp6_type - 130;
if (type >= 0 && type < sizeof(noct_valid_new) &&
noct_valid_new[type]) {
skb->nfct = &nf_ct_untracked_get()->ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
return NF_ACCEPT;
}
if (icmp6h->icmp6_type >= 128)
return NF_ACCEPT;
return icmpv6_error_message(net, tmpl, skb, dataoff, ctinfo, hooknum);
}
static unsigned int
target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo)
{
/* Previously seen (loopback)? Ignore. */
if ((*pskb)->nfct != NULL)
return XT_CONTINUE;
/* Attach fake conntrack entry.
If there is a real ct entry correspondig to this packet,
it'll hang aroun till timing out. We don't deal with it
for performance reasons. JK */
nf_ct_untrack(*pskb);
(*pskb)->nfctinfo = IP_CT_NEW;
nf_conntrack_get((*pskb)->nfct);
return XT_CONTINUE;
}
static int __net_init synproxy_net_init(struct net *net)
{
struct synproxy_net *snet = synproxy_pernet(net);
struct nf_conn *ct;
int err = -ENOMEM;
ct = nf_ct_tmpl_alloc(net, 0, GFP_KERNEL);
if (IS_ERR(ct)) {
err = PTR_ERR(ct);
goto err1;
}
if (!nfct_seqadj_ext_add(ct))
goto err2;
if (!nfct_synproxy_ext_add(ct))
goto err2;
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
nf_conntrack_get(&ct->ct_general);
snet->tmpl = ct;
snet->stats = alloc_percpu(struct synproxy_stats);
if (snet->stats == NULL)
goto err2;
err = synproxy_proc_init(net);
if (err < 0)
goto err3;
return 0;
err3:
free_percpu(snet->stats);
err2:
nf_conntrack_free(ct);
err1:
return err;
}
static unsigned int
target(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
const void *targinfo,
void *userinfo)
{
#endif
#if 0
static unsigned int ipt_route_target(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
//#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
// const struct xt_target *target,
//#endif
//#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
const void *targinfo,
void *userinfo)
//#else
// const void *targinfo)
//#endif
#endif
static unsigned int ipt_route_target
(struct sk_buff *skb2, const struct xt_target_param *par)
{
const struct ipt_route_target_info *route_info = par->targinfo;
// struct sk_buff *skb = *pskb;
struct sk_buff **pskb = &skb2;
struct sk_buff *skb = *pskb;
unsigned int res;
#if 1
if (skb->nfct ==
&(route_tee_track.ct_general)) {
/* Loopback - a packet we already routed, is to be
* routed another time. Avoid that, now.
*/
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: loopback - DROP!\n");
return NF_DROP;
}
#endif
/* If we are at PREROUTING or INPUT hook
* the TTL isn't decreased by the IP stack
*/
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN) {
struct iphdr *iph = ip_hdr(skb);
if (iph->ttl <= 1) {
struct rtable *rt;
struct flowi fl = {
.oif = 0,
.nl_u = {
.ip4_u = {
.daddr = iph->daddr,
.saddr = iph->saddr,
.tos = RT_TOS(iph->tos),
.scope = ((iph->tos & RTO_ONLINK) ?
RT_SCOPE_LINK :
RT_SCOPE_UNIVERSE)
}
}
};
if (ip_route_output_key(&init_net,&rt, &fl)) {
return NF_DROP;
}
if (skb->dev == rt->u.dst.dev) {
/* Drop old route. */
dst_release(skb->dst);
skb->dst = &rt->u.dst;
/* this will traverse normal stack, and
* thus call conntrack on the icmp packet */
icmp_send(skb, ICMP_TIME_EXCEEDED,
ICMP_EXC_TTL, 0);
}
return NF_DROP;
}
/*
* If we are at INPUT the checksum must be recalculated since
* the length could change as the result of a defragmentation.
*/
if(par->hooknum == NF_INET_LOCAL_IN) {
iph->ttl = iph->ttl - 1;
iph->check = 0;
iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
} else {
ip_decrease_ttl(iph);
}
}
if ((route_info->flags & IPT_ROUTE_TEE)) {
/*
* Copy the *pskb, and route the copy. Will later return
* IPT_CONTINUE for the original skb, which should continue
* on its way as if nothing happened. The copy should be
* independantly delivered to the ROUTE --gw.
*/
skb = skb_copy(*pskb, GFP_ATOMIC);
if (!skb) {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: copy failed!\n");
return IPT_CONTINUE;
}
}
/* Tell conntrack to forget this packet since it may get confused
* when a packet is leaving with dst address == our address.
* Good idea ? Dunno. Need advice.
*
* NEW: mark the skb with our &route_tee_track, so we avoid looping
* on any already routed packet.
*/
if (!(route_info->flags & IPT_ROUTE_CONTINUE)) {
nf_conntrack_put(skb->nfct);
skb->nfct = &route_tee_track.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
}
if (route_info->oif[0] != '\0') {
res = route_oif(route_info, skb);
} else if (route_info->iif[0] != '\0') {
res = route_iif(route_info, skb);
} else if (route_info->gw) {
res = route_gw(route_info, skb);
} else {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
res = IPT_CONTINUE;
}
if ((route_info->flags & IPT_ROUTE_TEE))
res = IPT_CONTINUE;
return res;
}
#if 0
static int ipt_route_checkentry(const char *tablename,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
const void *e,
#else
// const struct ipt_ip *ip,
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
const struct xt_target *target,
#endif
void *targinfo,
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
unsigned int targinfosize,
#endif
unsigned int hook_mask)
#endif
/*
struct xt_tgchk_param {
const char *table;
const void *entryinfo;
const struct xt_target *target;
void *targinfo;
unsigned int hook_mask;
u_int8_t family;
};
*/
static bool ipt_route_checkentry(const struct xt_tgchk_param *par)
{
if (strcmp(par->table, "mangle") != 0) {
printk("ipt_ROUTE: bad table `%s', use the `mangle' table.\n",
par->table);
return 0;
}
if (par->hook_mask & ~( (1 << NF_INET_PRE_ROUTING)
| (1 << NF_INET_LOCAL_IN)
| (1 << NF_INET_FORWARD)
| (1 << NF_INET_LOCAL_OUT)
| (1 << NF_INET_POST_ROUTING))) {
printk("ipt_ROUTE: bad hook\n");
return 0;
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_route_target_info))) {
printk(KERN_WARNING "ipt_ROUTE: targinfosize %u != %Zu\n",
targinfosize,
IPT_ALIGN(sizeof(struct ipt_route_target_info)));
return 0;
}
#endif
return 1;
}
//static struct ipt_target ipt_route_reg = {
static struct xt_target ipt_route_reg = {
.name = "ROUTE",
.target = ipt_route_target,
.family=AF_INET,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
.targetsize = sizeof(struct ipt_route_target_info),
#endif
.hooks=(1 << NF_INET_PRE_ROUTING)
| (1 << NF_INET_LOCAL_IN)
| (1 << NF_INET_FORWARD)
| (1 << NF_INET_LOCAL_OUT)
| (1 << NF_INET_POST_ROUTING),
.checkentry = ipt_route_checkentry,
.me = THIS_MODULE,
};
static int __init init(void)
{
/* Set up fake conntrack (stolen from raw.patch):
- to never be deleted, not in any hashes */
atomic_set(&route_tee_track.ct_general.use, 1);
/* - and look it like as a confirmed connection */
set_bit(IPS_CONFIRMED_BIT, &route_tee_track.status);
/* Initialize fake conntrack so that NAT will skip it */
route_tee_track.status |= IPS_NAT_DONE_MASK;
return xt_register_target(&ipt_route_reg);
}
static void __exit fini(void)
{
xt_unregister_target(&ipt_route_reg);
}
struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask)
{
struct sk_buff *n = kmem_cache_alloc(skbuff_head_cache, gfp_mask);
if (!n)
return NULL;
#define C(x) n->x = skb->x
n->next = n->prev = NULL;
n->list = NULL;
n->sk = NULL;
C(stamp);
C(dev);
C(real_dev);
C(h);
C(nh);
C(mac);
C(dst);
dst_clone(skb->dst);
C(sp);
#ifdef CONFIG_INET
secpath_get(skb->sp);
#endif
memcpy(n->cb, skb->cb, sizeof(skb->cb));
C(len);
C(data_len);
C(csum);
C(local_df);
n->cloned = 1;
C(pkt_type);
C(ip_summed);
C(priority);
C(protocol);
C(security);
n->destructor = NULL;
#ifdef CONFIG_NETFILTER
C(nfmark);
C(nfcache);
C(nfct);
nf_conntrack_get(skb->nfct);
#ifdef CONFIG_NETFILTER_DEBUG
C(nf_debug);
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
C(nf_bridge);
nf_bridge_get(skb->nf_bridge);
#endif
#endif /*CONFIG_NETFILTER*/
#if defined(CONFIG_HIPPI)
C(private);
#endif
#ifdef CONFIG_NET_SCHED
C(tc_index);
#ifdef CONFIG_NET_CLS_ACT
n->tc_verd = SET_TC_VERD(skb->tc_verd,0);
n->tc_verd = CLR_TC_OK2MUNGE(skb->tc_verd);
n->tc_verd = CLR_TC_MUNGED(skb->tc_verd);
C(input_dev);
C(tc_classid);
#endif
#endif
#if defined(CONFIG_MIPS_BRCM)
C(retfreeq_flags);
n->retfreeq_flags &= ~SKB_PREALLOC;
C(retfreeq_cb);
C(retfreeq_context);
C(rcvfrom);
memcpy(n->extif, skb->extif, sizeof(skb->extif));
#endif
C(truesize);
atomic_set(&n->users, 1);
C(head);
C(data);
C(tail);
C(end);
atomic_inc(&(skb_shinfo(skb)->dataref));
skb->cloned = 1;
return n;
}
struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
{
struct sk_buff *n;
n = skb + 1;
if (skb->fclone == SKB_FCLONE_ORIG &&
n->fclone == SKB_FCLONE_UNAVAILABLE) {
atomic_t *fclone_ref = (atomic_t *) (n + 1);
n->fclone = SKB_FCLONE_CLONE;
atomic_inc(fclone_ref);
} else {
n = kmem_cache_alloc(skbuff_head_cache, gfp_mask);
if (!n)
return NULL;
n->fclone = SKB_FCLONE_UNAVAILABLE;
}
#define C(x) n->x = skb->x
n->next = n->prev = NULL;
n->sk = NULL;
C(tstamp);
C(dev);
C(h);
C(nh);
C(mac);
C(dst);
dst_clone(skb->dst);
C(sp);
#ifdef CONFIG_INET
secpath_get(skb->sp);
#endif
memcpy(n->cb, skb->cb, sizeof(skb->cb));
C(len);
C(data_len);
C(mac_len);
C(csum);
C(local_df);
n->cloned = 1;
n->nohdr = 0;
C(pkt_type);
C(ip_summed);
C(priority);
#if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE)
C(ipvs_property);
#endif
C(protocol);
n->destructor = NULL;
C(mark);
#ifdef CONFIG_NETFILTER
C(nfct);
nf_conntrack_get(skb->nfct);
C(nfctinfo);
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
C(nfct_reasm);
nf_conntrack_get_reasm(skb->nfct_reasm);
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
C(nf_bridge);
nf_bridge_get(skb->nf_bridge);
#endif
#endif /*CONFIG_NETFILTER*/
#ifdef CONFIG_NET_SCHED
C(tc_index);
#ifdef CONFIG_NET_CLS_ACT
n->tc_verd = SET_TC_VERD(skb->tc_verd,0);
n->tc_verd = CLR_TC_OK2MUNGE(n->tc_verd);
n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
C(iif);
#endif
skb_copy_secmark(n, skb);
#endif
C(truesize);
atomic_set(&n->users, 1);
C(head);
C(data);
C(tail);
C(end);
atomic_inc(&(skb_shinfo(skb)->dataref));
skb->cloned = 1;
return n;
}
static unsigned int ipt_route_target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userinfo)
{
const struct ipt_route_target_info *route_info = targinfo;
struct sk_buff *skb = *pskb;
unsigned int res;
if (skb->nfct == &route_tee_track.ct_general) {
/* Loopback - a packet we already routed, is to be
* routed another time. Avoid that, now.
*/
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: loopback - DROP!\n");
return NF_DROP;
}
/* If we are at PREROUTING or INPUT hook
* the TTL isn't decreased by the IP stack
*/
if (hooknum == NF_IP_PRE_ROUTING ||
hooknum == NF_IP_LOCAL_IN) {
struct iphdr *iph = skb->nh.iph;
if (iph->ttl <= 1) {
struct rtable *rt;
struct flowi fl = {
.oif = 0,
.nl_u = {
.ip4_u = {
.daddr = iph->daddr,
.saddr = iph->saddr,
.tos = RT_TOS(iph->tos),
.scope = ((iph->tos & RTO_ONLINK) ?
RT_SCOPE_LINK :
RT_SCOPE_UNIVERSE)
}
}
};
if (ip_route_output_key(&rt, &fl)) {
return NF_DROP;
}
if (skb->dev == rt->u.dst.dev) {
/* Drop old route. */
dst_release(skb->dst);
skb->dst = &rt->u.dst;
/* this will traverse normal stack, and
* thus call conntrack on the icmp packet */
icmp_send(skb, ICMP_TIME_EXCEEDED,
ICMP_EXC_TTL, 0);
}
return NF_DROP;
}
/*
* If we are at INPUT the checksum must be recalculated since
* the length could change as the result of a defragmentation.
*/
if(hooknum == NF_IP_LOCAL_IN) {
iph->ttl = iph->ttl - 1;
iph->check = 0;
iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
} else {
ip_decrease_ttl(iph);
}
}
if ((route_info->flags & IPT_ROUTE_TEE)) {
/*
* Copy the *pskb, and route the copy. Will later return
* IPT_CONTINUE for the original skb, which should continue
* on its way as if nothing happened. The copy should be
* independantly delivered to the ROUTE --gw.
*/
skb = skb_copy(*pskb, GFP_ATOMIC);
if (!skb) {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: copy failed!\n");
return IPT_CONTINUE;
}
}
/* Tell conntrack to forget this packet since it may get confused
* when a packet is leaving with dst address == our address.
* Good idea ? Dunno. Need advice.
*
* NEW: mark the skb with our &route_tee_track, so we avoid looping
* on any already routed packet.
*/
if (!(route_info->flags & IPT_ROUTE_CONTINUE)) {
nf_conntrack_put(skb->nfct);
skb->nfct = &route_tee_track.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
skb->nfcache = 0;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
}
if (route_info->oif[0] != '\0') {
res = route_oif(route_info, skb);
} else if (route_info->iif[0] != '\0') {
res = route_iif(route_info, skb);
} else if (route_info->gw) {
res = route_gw(route_info, skb);
} else {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
res = IPT_CONTINUE;
}
if ((route_info->flags & IPT_ROUTE_TEE))
res = IPT_CONTINUE;
return res;
}
struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask)
{
struct sk_buff *n;
n = skb_head_from_pool();
if (!n) {
n = kmem_cache_alloc(skbuff_head_cache, gfp_mask);
if (!n)
return NULL;
}
#define C(x) n->x = skb->x
n->next = n->prev = NULL;
n->list = NULL;
n->sk = NULL;
C(stamp);
C(dev);
C(h);
C(nh);
C(mac);
C(dst);
dst_clone(n->dst);
memcpy(n->cb, skb->cb, sizeof(skb->cb));
C(len);
C(data_len);
C(csum);
n->cloned = 1;
C(pkt_type);
C(ip_summed);
C(priority);
atomic_set(&n->users, 1);
C(protocol);
C(security);
C(truesize);
C(head);
C(data);
C(tail);
C(end);
n->destructor = NULL;
#ifdef CONFIG_NETFILTER
C(nfmark);
C(nfcache);
C(nfct);
#ifdef CONFIG_NETFILTER_DEBUG
C(nf_debug);
#endif
#endif /*CONFIG_NETFILTER*/
#if defined(CONFIG_HIPPI)
C(private);
#endif
#ifdef CONFIG_NET_SCHED
C(tc_index);
#endif
atomic_inc(&(skb_shinfo(skb)->dataref));
skb->cloned = 1;
#ifdef CONFIG_NETFILTER
nf_conntrack_get(skb->nfct);
#endif
return n;
}
/* Try to route the packet according to the routing keys specified in
* route_info. Keys are :
* - ifindex :
* 0 if no oif preferred,
* otherwise set to the index of the desired oif
* - route_info->gw :
* 0 if no gateway specified,
* otherwise set to the next host to which the pkt must be routed
* If success, skb->dev is the output device to which the packet must
* be sent and skb->dst is not NULL
*
* RETURN: -1 if an error occured
* 1 if the packet was succesfully routed to the
* destination desired
* 0 if the kernel routing table could not route the packet
* according to the keys specified
*/
static int route(struct sk_buff *skb,
unsigned int ifindex,
const struct ipt_route_target_info *route_info)
{
int err;
struct rtable *rt;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
struct iphdr *iph = ip_hdr(skb);
#else
struct iphdr *iph = skb->nh.iph;
#endif
struct flowi fl = {
.oif = ifindex,
.nl_u = {
.ip4_u = {
.daddr = iph->daddr,
.saddr = 0,
.tos = RT_TOS(iph->tos),
.scope = RT_SCOPE_UNIVERSE,
}
}
};
/* The destination address may be overloaded by the target */
if (route_info->gw)
fl.fl4_dst = route_info->gw;
/* Trying to route the packet using the standard routing table. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,26)
if ((err = ip_route_output_key(&init_net, &rt, &fl))) {
#else
if ((err = ip_route_output_key(&rt, &fl))) {
#endif
if (net_ratelimit())
DEBUGP("ipt_ROUTE: couldn't route pkt (err: %i)",err);
return -1;
}
/* Drop old route. */
dst_release(skb->dst);
skb->dst = NULL;
/* Success if no oif specified or if the oif correspond to the
* one desired */
if (!ifindex || rt->u.dst.dev->ifindex == ifindex) {
skb->dst = &rt->u.dst;
skb->dev = skb->dst->dev;
skb->protocol = htons(ETH_P_IP);
return 1;
}
/* The interface selected by the routing table is not the one
* specified by the user. This may happen because the dst address
* is one of our own addresses.
*/
if (net_ratelimit())
DEBUGP("ipt_ROUTE: failed to route as desired gw=%u.%u.%u.%u oif=%i (got oif=%i)\n",
NIPQUAD(route_info->gw), ifindex, rt->u.dst.dev->ifindex);
return 0;
}
/* Stolen from ip_finish_output2
* PRE : skb->dev is set to the device we are leaving by
* skb->dst is not NULL
* POST: the packet is sent with the link layer header pushed
* the packet is destroyed
*/
static void ip_direct_send(struct sk_buff *skb)
{
struct dst_entry *dst = skb->dst;
struct hh_cache *hh = dst->hh;
struct net_device *dev = dst->dev;
int hh_len = LL_RESERVED_SPACE(dev);
unsigned seq;
/* Be paranoid, rather than too clever. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) {
#else
if (unlikely(skb_headroom(skb) < hh_len && dev->hard_header)) {
#endif
struct sk_buff *skb2;
skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
if (skb2 == NULL) {
kfree_skb(skb);
return;
}
if (skb->sk)
skb_set_owner_w(skb2, skb->sk);
kfree_skb(skb);
skb = skb2;
}
if (hh) {
do {
int hh_alen;
seq = read_seqbegin(&hh->hh_lock);
hh_alen = HH_DATA_ALIGN(hh->hh_len);
memcpy(skb->data - hh_alen, hh->hh_data, hh_alen);
} while (read_seqretry(&hh->hh_lock, seq));
skb_push(skb, hh->hh_len);
hh->hh_output(skb);
} else if (dst->neighbour)
dst->neighbour->output(skb);
else {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: no hdr & no neighbour cache!\n");
kfree_skb(skb);
}
}
/* PRE : skb->dev is set to the device we are leaving by
* POST: - the packet is directly sent to the skb->dev device, without
* pushing the link layer header.
* - the packet is destroyed
*/
static inline int dev_direct_send(struct sk_buff *skb)
{
return dev_queue_xmit(skb);
}
static unsigned int route_oif(const struct ipt_route_target_info *route_info,
struct sk_buff *skb)
{
unsigned int ifindex = 0;
struct net_device *dev_out = NULL;
/* The user set the interface name to use.
* Getting the current interface index.
*/
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
if ((dev_out = dev_get_by_name(&init_net, route_info->oif))) {
#else
if ((dev_out = dev_get_by_name(route_info->oif))) {
#endif
ifindex = dev_out->ifindex;
} else {
/* Unknown interface name : packet dropped */
if (net_ratelimit())
DEBUGP("ipt_ROUTE: oif interface %s not found\n", route_info->oif);
return NF_DROP;
}
/* Trying the standard way of routing packets */
switch (route(skb, ifindex, route_info)) {
case 1:
dev_put(dev_out);
if (route_info->flags & IPT_ROUTE_CONTINUE)
return IPT_CONTINUE;
ip_direct_send(skb);
return NF_STOLEN;
case 0:
/* Failed to send to oif. Trying the hard way */
if (route_info->flags & IPT_ROUTE_CONTINUE)
return NF_DROP;
if (net_ratelimit())
DEBUGP("ipt_ROUTE: forcing the use of %i\n",
ifindex);
/* We have to force the use of an interface.
* This interface must be a tunnel interface since
* otherwise we can't guess the hw address for
* the packet. For a tunnel interface, no hw address
* is needed.
*/
if ((dev_out->type != ARPHRD_TUNNEL)
&& (dev_out->type != ARPHRD_IPGRE)) {
if (net_ratelimit())
DEBUGP("ipt_ROUTE: can't guess the hw addr !\n");
dev_put(dev_out);
return NF_DROP;
}
/* Send the packet. This will also free skb
* Do not go through the POST_ROUTING hook because
* skb->dst is not set and because it will probably
* get confused by the destination IP address.
*/
skb->dev = dev_out;
dev_direct_send(skb);
dev_put(dev_out);
return NF_STOLEN;
default:
/* Unexpected error */
dev_put(dev_out);
return NF_DROP;
}
}
static unsigned int route_iif(const struct ipt_route_target_info *route_info,
struct sk_buff *skb)
{
struct net_device *dev_in = NULL;
/* Getting the current interface index. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
if (!(dev_in = dev_get_by_name(&init_net, route_info->iif))) {
#else
if (!(dev_in = dev_get_by_name(route_info->iif))) {
#endif
if (net_ratelimit())
DEBUGP("ipt_ROUTE: iif interface %s not found\n", route_info->iif);
return NF_DROP;
}
skb->dev = dev_in;
dst_release(skb->dst);
skb->dst = NULL;
netif_rx(skb);
dev_put(dev_in);
return NF_STOLEN;
}
static unsigned int route_gw(const struct ipt_route_target_info *route_info,
struct sk_buff *skb)
{
if (route(skb, 0, route_info)!=1)
return NF_DROP;
if (route_info->flags & IPT_ROUTE_CONTINUE)
return IPT_CONTINUE;
ip_direct_send(skb);
return NF_STOLEN;
}
/* To detect and deter routed packet loopback when using the --tee option,
* we take a page out of the raw.patch book: on the copied skb, we set up
* a fake ->nfct entry, pointing to the local &route_tee_track. We skip
* routing packets when we see they already have that ->nfct.
*/
static struct nf_conn route_tee_track;
static unsigned int
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
target(struct sk_buff **pskb,
unsigned int hooknum,
const struct net_device *in,
const struct net_device *out,
const void *targinfo,
void *userinfo)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const void *targinfo,
void *userinfo)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
void *userinfo)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
target(struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo)
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) */
target(struct sk_buff *skb,
const struct xt_target_param *par)
#endif
{
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
const struct ipt_route_target_info *route_info = targinfo;
#else
const struct ipt_route_target_info *route_info = par->targinfo;
unsigned int hooknum = par->hooknum;
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
struct sk_buff *skb = *pskb;
#endif
unsigned int res;
if (skb->nfct == &route_tee_track.ct_general) {
/* Loopback - a packet we already routed, is to be
* routed another time. Avoid that, now.
*/
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: loopback - DROP!\n");
return NF_DROP;
}
/* If we are at PREROUTING or INPUT hook
* the TTL isn't decreased by the IP stack
*/
if (hooknum == NF_INET_PRE_ROUTING ||
hooknum == NF_INET_LOCAL_IN) {
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
struct iphdr *iph = ip_hdr(skb);
#else
struct iphdr *iph = skb->nh.iph;
#endif
if (iph->ttl <= 1) {
struct rtable *rt;
struct flowi fl = {
.oif = 0,
.nl_u = {
.ip4_u = {
.daddr = iph->daddr,
.saddr = iph->saddr,
.tos = RT_TOS(iph->tos),
.scope = ((iph->tos & RTO_ONLINK) ?
RT_SCOPE_LINK :
RT_SCOPE_UNIVERSE)
}
}
};
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,26)
if (ip_route_output_key(&init_net, &rt, &fl)) {
#else
if (ip_route_output_key(&rt, &fl)) {
#endif
return NF_DROP;
}
if (skb->dev == rt->u.dst.dev) {
/* Drop old route. */
dst_release(skb->dst);
skb->dst = &rt->u.dst;
/* this will traverse normal stack, and
* thus call conntrack on the icmp packet */
icmp_send(skb, ICMP_TIME_EXCEEDED,
ICMP_EXC_TTL, 0);
}
return NF_DROP;
}
/*
* If we are at INPUT the checksum must be recalculated since
* the length could change as the result of a defragmentation.
*/
if(hooknum == NF_INET_LOCAL_IN) {
iph->ttl = iph->ttl - 1;
iph->check = 0;
iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
} else {
ip_decrease_ttl(iph);
}
}
if ((route_info->flags & IPT_ROUTE_TEE)) {
/*
* Copy the skb, and route the copy. Will later return
* IPT_CONTINUE for the original skb, which should continue
* on its way as if nothing happened. The copy should be
* independantly delivered to the ROUTE --gw.
*/
skb = skb_copy(skb, GFP_ATOMIC);
if (!skb) {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: copy failed!\n");
return IPT_CONTINUE;
}
}
/* Tell conntrack to forget this packet since it may get confused
* when a packet is leaving with dst address == our address.
* Good idea ? Dunno. Need advice.
*
* NEW: mark the skb with our &route_tee_track, so we avoid looping
* on any already routed packet.
*/
if (!(route_info->flags & IPT_ROUTE_CONTINUE)) {
nf_conntrack_put(skb->nfct);
skb->nfct = &route_tee_track.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
}
if (route_info->oif[0] != '\0') {
res = route_oif(route_info, skb);
} else if (route_info->iif[0] != '\0') {
res = route_iif(route_info, skb);
} else if (route_info->gw) {
res = route_gw(route_info, skb);
} else {
if (net_ratelimit())
DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
res = IPT_CONTINUE;
}
if ((route_info->flags & IPT_ROUTE_TEE))
res = IPT_CONTINUE;
return res;
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
static int
checkentry(const char *tablename,
const struct ipt_entry *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
static int
checkentry(const char *tablename,
const void *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
static int
checkentry(const char *tablename,
const void *e,
const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
static int
checkentry(const char *tablename,
const void *e,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
static bool
checkentry(const char *tablename,
const void *e,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask)
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) */
static bool
checkentry(const struct xt_tgchk_param *par)
#endif
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28)
const char *tablename = par->table;
unsigned int hook_mask = par->hook_mask;
#endif
if (strcmp(tablename, "mangle") != 0) {
printk("ipt_ROUTE: bad table `%s', use the `mangle' table.\n",
tablename);
return 0;
}
if (hook_mask & ~( (1 << NF_INET_PRE_ROUTING)
| (1 << NF_INET_LOCAL_IN)
| (1 << NF_INET_FORWARD)
| (1 << NF_INET_LOCAL_OUT)
| (1 << NF_INET_POST_ROUTING))) {
printk("ipt_ROUTE: bad hook\n");
return 0;
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
if (targinfosize != IPT_ALIGN(sizeof(struct ipt_route_target_info))) {
printk(KERN_WARNING "ipt_ROUTE: targinfosize %u != %Zu\n",
targinfosize,
IPT_ALIGN(sizeof(struct ipt_route_target_info)));
return 0;
}
#endif
return 1;
}
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
static struct ipt_target xt_route_reg = {
#else
static struct ipt_target ipt_route_reg = {
#endif
.name = "ROUTE",
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
.family = AF_INET,
#endif
.target = target,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
.targetsize = sizeof(struct ipt_route_target_info),
#endif
.checkentry = checkentry,
.me = THIS_MODULE,
};
static int __init init(void)
{
/* Set up fake conntrack (stolen from raw.patch):
- to never be deleted, not in any hashes */
atomic_set(&route_tee_track.ct_general.use, 1);
/* - and look it like as a confirmed connection */
set_bit(IPS_CONFIRMED_BIT, &route_tee_track.status);
/* Initialize fake conntrack so that NAT will skip it */
route_tee_track.status |= IPS_NAT_DONE_MASK;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
return xt_register_target(&xt_route_reg);
#else
return ipt_register_target(&ipt_route_reg);
#endif
}
static void __exit fini(void)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
xt_unregister_target(&xt_route_reg);
#else
ipt_unregister_target(&ipt_route_reg);
#endif
}
module_init(init);
module_exit(fini);