1*a71a9546SAutomerger Merge Worker #include <stdint.h>
2*a71a9546SAutomerger Merge Worker #include <stdio.h>
3*a71a9546SAutomerger Merge Worker #include <string.h>
4*a71a9546SAutomerger Merge Worker #include <xtables.h>
5*a71a9546SAutomerger Merge Worker #include <limits.h> /* INT_MAX in ip6_tables.h */
6*a71a9546SAutomerger Merge Worker #include <linux/netfilter_ipv6/ip6_tables.h>
7*a71a9546SAutomerger Merge Worker #include <netinet/icmp6.h>
8*a71a9546SAutomerger Merge Worker
9*a71a9546SAutomerger Merge Worker #include "libxt_icmp.h"
10*a71a9546SAutomerger Merge Worker
11*a71a9546SAutomerger Merge Worker enum {
12*a71a9546SAutomerger Merge Worker O_ICMPV6_TYPE = 0,
13*a71a9546SAutomerger Merge Worker };
14*a71a9546SAutomerger Merge Worker
icmp6_help(void)15*a71a9546SAutomerger Merge Worker static void icmp6_help(void)
16*a71a9546SAutomerger Merge Worker {
17*a71a9546SAutomerger Merge Worker printf(
18*a71a9546SAutomerger Merge Worker "icmpv6 match options:\n"
19*a71a9546SAutomerger Merge Worker "[!] --icmpv6-type typename match icmpv6 type\n"
20*a71a9546SAutomerger Merge Worker " (or numeric type or type/code)\n");
21*a71a9546SAutomerger Merge Worker printf("Valid ICMPv6 Types:");
22*a71a9546SAutomerger Merge Worker xt_print_icmp_types(icmpv6_codes, ARRAY_SIZE(icmpv6_codes));
23*a71a9546SAutomerger Merge Worker }
24*a71a9546SAutomerger Merge Worker
25*a71a9546SAutomerger Merge Worker static const struct xt_option_entry icmp6_opts[] = {
26*a71a9546SAutomerger Merge Worker {.name = "icmpv6-type", .id = O_ICMPV6_TYPE, .type = XTTYPE_STRING,
27*a71a9546SAutomerger Merge Worker .flags = XTOPT_MAND | XTOPT_INVERT},
28*a71a9546SAutomerger Merge Worker XTOPT_TABLEEND,
29*a71a9546SAutomerger Merge Worker };
30*a71a9546SAutomerger Merge Worker
icmp6_init(struct xt_entry_match * m)31*a71a9546SAutomerger Merge Worker static void icmp6_init(struct xt_entry_match *m)
32*a71a9546SAutomerger Merge Worker {
33*a71a9546SAutomerger Merge Worker struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)m->data;
34*a71a9546SAutomerger Merge Worker
35*a71a9546SAutomerger Merge Worker icmpv6info->code[1] = 0xFF;
36*a71a9546SAutomerger Merge Worker }
37*a71a9546SAutomerger Merge Worker
icmp6_parse(struct xt_option_call * cb)38*a71a9546SAutomerger Merge Worker static void icmp6_parse(struct xt_option_call *cb)
39*a71a9546SAutomerger Merge Worker {
40*a71a9546SAutomerger Merge Worker struct ip6t_icmp *icmpv6info = cb->data;
41*a71a9546SAutomerger Merge Worker
42*a71a9546SAutomerger Merge Worker xtables_option_parse(cb);
43*a71a9546SAutomerger Merge Worker ipt_parse_icmpv6(cb->arg, &icmpv6info->type, icmpv6info->code);
44*a71a9546SAutomerger Merge Worker if (cb->invert)
45*a71a9546SAutomerger Merge Worker icmpv6info->invflags |= IP6T_ICMP_INV;
46*a71a9546SAutomerger Merge Worker }
47*a71a9546SAutomerger Merge Worker
print_icmpv6type(uint8_t type,uint8_t code_min,uint8_t code_max,int invert,int numeric)48*a71a9546SAutomerger Merge Worker static void print_icmpv6type(uint8_t type,
49*a71a9546SAutomerger Merge Worker uint8_t code_min, uint8_t code_max,
50*a71a9546SAutomerger Merge Worker int invert,
51*a71a9546SAutomerger Merge Worker int numeric)
52*a71a9546SAutomerger Merge Worker {
53*a71a9546SAutomerger Merge Worker if (!numeric) {
54*a71a9546SAutomerger Merge Worker unsigned int i;
55*a71a9546SAutomerger Merge Worker
56*a71a9546SAutomerger Merge Worker for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
57*a71a9546SAutomerger Merge Worker if (icmpv6_codes[i].type == type
58*a71a9546SAutomerger Merge Worker && icmpv6_codes[i].code_min == code_min
59*a71a9546SAutomerger Merge Worker && icmpv6_codes[i].code_max == code_max)
60*a71a9546SAutomerger Merge Worker break;
61*a71a9546SAutomerger Merge Worker
62*a71a9546SAutomerger Merge Worker if (i != ARRAY_SIZE(icmpv6_codes)) {
63*a71a9546SAutomerger Merge Worker printf(" %s%s",
64*a71a9546SAutomerger Merge Worker invert ? "!" : "",
65*a71a9546SAutomerger Merge Worker icmpv6_codes[i].name);
66*a71a9546SAutomerger Merge Worker return;
67*a71a9546SAutomerger Merge Worker }
68*a71a9546SAutomerger Merge Worker }
69*a71a9546SAutomerger Merge Worker
70*a71a9546SAutomerger Merge Worker if (invert)
71*a71a9546SAutomerger Merge Worker printf(" !");
72*a71a9546SAutomerger Merge Worker
73*a71a9546SAutomerger Merge Worker printf("type %u", type);
74*a71a9546SAutomerger Merge Worker if (code_min == code_max)
75*a71a9546SAutomerger Merge Worker printf(" code %u", code_min);
76*a71a9546SAutomerger Merge Worker else if (code_min != 0 || code_max != 0xFF)
77*a71a9546SAutomerger Merge Worker printf(" codes %u-%u", code_min, code_max);
78*a71a9546SAutomerger Merge Worker }
79*a71a9546SAutomerger Merge Worker
icmp6_print(const void * ip,const struct xt_entry_match * match,int numeric)80*a71a9546SAutomerger Merge Worker static void icmp6_print(const void *ip, const struct xt_entry_match *match,
81*a71a9546SAutomerger Merge Worker int numeric)
82*a71a9546SAutomerger Merge Worker {
83*a71a9546SAutomerger Merge Worker const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data;
84*a71a9546SAutomerger Merge Worker
85*a71a9546SAutomerger Merge Worker printf(" ipv6-icmp");
86*a71a9546SAutomerger Merge Worker print_icmpv6type(icmpv6->type, icmpv6->code[0], icmpv6->code[1],
87*a71a9546SAutomerger Merge Worker icmpv6->invflags & IP6T_ICMP_INV,
88*a71a9546SAutomerger Merge Worker numeric);
89*a71a9546SAutomerger Merge Worker
90*a71a9546SAutomerger Merge Worker if (icmpv6->invflags & ~IP6T_ICMP_INV)
91*a71a9546SAutomerger Merge Worker printf(" Unknown invflags: 0x%X",
92*a71a9546SAutomerger Merge Worker icmpv6->invflags & ~IP6T_ICMP_INV);
93*a71a9546SAutomerger Merge Worker }
94*a71a9546SAutomerger Merge Worker
icmp6_save(const void * ip,const struct xt_entry_match * match)95*a71a9546SAutomerger Merge Worker static void icmp6_save(const void *ip, const struct xt_entry_match *match)
96*a71a9546SAutomerger Merge Worker {
97*a71a9546SAutomerger Merge Worker const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data;
98*a71a9546SAutomerger Merge Worker
99*a71a9546SAutomerger Merge Worker if (icmpv6->invflags & IP6T_ICMP_INV)
100*a71a9546SAutomerger Merge Worker printf(" !");
101*a71a9546SAutomerger Merge Worker
102*a71a9546SAutomerger Merge Worker printf(" --icmpv6-type %u", icmpv6->type);
103*a71a9546SAutomerger Merge Worker if (icmpv6->code[0] != 0 || icmpv6->code[1] != 0xFF)
104*a71a9546SAutomerger Merge Worker printf("/%u", icmpv6->code[0]);
105*a71a9546SAutomerger Merge Worker }
106*a71a9546SAutomerger Merge Worker
107*a71a9546SAutomerger Merge Worker #define XT_ICMPV6_TYPE(type) (type - ND_ROUTER_SOLICIT)
108*a71a9546SAutomerger Merge Worker
109*a71a9546SAutomerger Merge Worker static const char *icmp6_type_xlate_array[] = {
110*a71a9546SAutomerger Merge Worker [XT_ICMPV6_TYPE(ND_ROUTER_SOLICIT)] = "nd-router-solicit",
111*a71a9546SAutomerger Merge Worker [XT_ICMPV6_TYPE(ND_ROUTER_ADVERT)] = "nd-router-advert",
112*a71a9546SAutomerger Merge Worker [XT_ICMPV6_TYPE(ND_NEIGHBOR_SOLICIT)] = "nd-neighbor-solicit",
113*a71a9546SAutomerger Merge Worker [XT_ICMPV6_TYPE(ND_NEIGHBOR_ADVERT)] = "nd-neighbor-advert",
114*a71a9546SAutomerger Merge Worker [XT_ICMPV6_TYPE(ND_REDIRECT)] = "nd-redirect",
115*a71a9546SAutomerger Merge Worker };
116*a71a9546SAutomerger Merge Worker
icmp6_type_xlate(unsigned int type)117*a71a9546SAutomerger Merge Worker static const char *icmp6_type_xlate(unsigned int type)
118*a71a9546SAutomerger Merge Worker {
119*a71a9546SAutomerger Merge Worker if (type < ND_ROUTER_SOLICIT || type > ND_REDIRECT)
120*a71a9546SAutomerger Merge Worker return NULL;
121*a71a9546SAutomerger Merge Worker
122*a71a9546SAutomerger Merge Worker return icmp6_type_xlate_array[XT_ICMPV6_TYPE(type)];
123*a71a9546SAutomerger Merge Worker }
124*a71a9546SAutomerger Merge Worker
type_xlate_print(struct xt_xlate * xl,unsigned int icmptype,unsigned int code_min,unsigned int code_max)125*a71a9546SAutomerger Merge Worker static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
126*a71a9546SAutomerger Merge Worker unsigned int code_min,
127*a71a9546SAutomerger Merge Worker unsigned int code_max)
128*a71a9546SAutomerger Merge Worker {
129*a71a9546SAutomerger Merge Worker unsigned int i;
130*a71a9546SAutomerger Merge Worker const char *type_name;
131*a71a9546SAutomerger Merge Worker
132*a71a9546SAutomerger Merge Worker if (code_min == code_max)
133*a71a9546SAutomerger Merge Worker return 0;
134*a71a9546SAutomerger Merge Worker
135*a71a9546SAutomerger Merge Worker type_name = icmp6_type_xlate(icmptype);
136*a71a9546SAutomerger Merge Worker
137*a71a9546SAutomerger Merge Worker if (type_name) {
138*a71a9546SAutomerger Merge Worker xt_xlate_add(xl, "%s", type_name);
139*a71a9546SAutomerger Merge Worker } else {
140*a71a9546SAutomerger Merge Worker for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
141*a71a9546SAutomerger Merge Worker if (icmpv6_codes[i].type == icmptype &&
142*a71a9546SAutomerger Merge Worker icmpv6_codes[i].code_min == code_min &&
143*a71a9546SAutomerger Merge Worker icmpv6_codes[i].code_max == code_max)
144*a71a9546SAutomerger Merge Worker break;
145*a71a9546SAutomerger Merge Worker
146*a71a9546SAutomerger Merge Worker if (i != ARRAY_SIZE(icmpv6_codes))
147*a71a9546SAutomerger Merge Worker xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
148*a71a9546SAutomerger Merge Worker else
149*a71a9546SAutomerger Merge Worker return 0;
150*a71a9546SAutomerger Merge Worker }
151*a71a9546SAutomerger Merge Worker
152*a71a9546SAutomerger Merge Worker return 1;
153*a71a9546SAutomerger Merge Worker }
154*a71a9546SAutomerger Merge Worker
icmp6_xlate(struct xt_xlate * xl,const struct xt_xlate_mt_params * params)155*a71a9546SAutomerger Merge Worker static int icmp6_xlate(struct xt_xlate *xl,
156*a71a9546SAutomerger Merge Worker const struct xt_xlate_mt_params *params)
157*a71a9546SAutomerger Merge Worker {
158*a71a9546SAutomerger Merge Worker const struct ip6t_icmp *info = (struct ip6t_icmp *)params->match->data;
159*a71a9546SAutomerger Merge Worker
160*a71a9546SAutomerger Merge Worker xt_xlate_add(xl, "icmpv6 type%s ",
161*a71a9546SAutomerger Merge Worker (info->invflags & IP6T_ICMP_INV) ? " !=" : "");
162*a71a9546SAutomerger Merge Worker
163*a71a9546SAutomerger Merge Worker if (!type_xlate_print(xl, info->type, info->code[0], info->code[1]))
164*a71a9546SAutomerger Merge Worker return 0;
165*a71a9546SAutomerger Merge Worker
166*a71a9546SAutomerger Merge Worker return 1;
167*a71a9546SAutomerger Merge Worker }
168*a71a9546SAutomerger Merge Worker
169*a71a9546SAutomerger Merge Worker static struct xtables_match icmp6_mt6_reg = {
170*a71a9546SAutomerger Merge Worker .name = "icmp6",
171*a71a9546SAutomerger Merge Worker .version = XTABLES_VERSION,
172*a71a9546SAutomerger Merge Worker .family = NFPROTO_IPV6,
173*a71a9546SAutomerger Merge Worker .size = XT_ALIGN(sizeof(struct ip6t_icmp)),
174*a71a9546SAutomerger Merge Worker .userspacesize = XT_ALIGN(sizeof(struct ip6t_icmp)),
175*a71a9546SAutomerger Merge Worker .help = icmp6_help,
176*a71a9546SAutomerger Merge Worker .init = icmp6_init,
177*a71a9546SAutomerger Merge Worker .print = icmp6_print,
178*a71a9546SAutomerger Merge Worker .save = icmp6_save,
179*a71a9546SAutomerger Merge Worker .x6_parse = icmp6_parse,
180*a71a9546SAutomerger Merge Worker .x6_options = icmp6_opts,
181*a71a9546SAutomerger Merge Worker .xlate = icmp6_xlate,
182*a71a9546SAutomerger Merge Worker };
183*a71a9546SAutomerger Merge Worker
_init(void)184*a71a9546SAutomerger Merge Worker void _init(void)
185*a71a9546SAutomerger Merge Worker {
186*a71a9546SAutomerger Merge Worker xtables_register_match(&icmp6_mt6_reg);
187*a71a9546SAutomerger Merge Worker }
188