/net/ipv4/netfilter/nf_defrag_ipv4.c
C | 121 lines | 93 code | 17 blank | 11 comment | 13 complexity | 65ffe94947dc1c3173c99ebbe275609d MD5 | raw file
Possible License(s): CC-BY-SA-3.0, GPL-2.0, LGPL-2.0, AGPL-1.0
1/* (C) 1999-2001 Paul `Rusty' Russell
2 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 */
8
9#include <linux/types.h>
10#include <linux/ip.h>
11#include <linux/netfilter.h>
12#include <linux/module.h>
13#include <linux/skbuff.h>
14#include <net/route.h>
15#include <net/ip.h>
16
17#include <linux/netfilter_bridge.h>
18#include <linux/netfilter_ipv4.h>
19#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
20#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
21#include <net/netfilter/nf_conntrack.h>
22#endif
23#include <net/netfilter/nf_conntrack_zones.h>
24
25/* Returns new sk_buff, or NULL */
26static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
27{
28 int err;
29
30 skb_orphan(skb);
31
32 local_bh_disable();
33 err = ip_defrag(skb, user);
34 local_bh_enable();
35
36 if (!err)
37 ip_send_check(ip_hdr(skb));
38
39 return err;
40}
41
42static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
43 struct sk_buff *skb)
44{
45 u16 zone = NF_CT_DEFAULT_ZONE;
46
47#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
48 if (skb->nfct)
49 zone = nf_ct_zone((struct nf_conn *)skb->nfct);
50#endif
51
52#ifdef CONFIG_BRIDGE_NETFILTER
53 if (skb->nf_bridge &&
54 skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
55 return IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone;
56#endif
57 if (hooknum == NF_INET_PRE_ROUTING)
58 return IP_DEFRAG_CONNTRACK_IN + zone;
59 else
60 return IP_DEFRAG_CONNTRACK_OUT + zone;
61}
62
63static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
64 struct sk_buff *skb,
65 const struct net_device *in,
66 const struct net_device *out,
67 int (*okfn)(struct sk_buff *))
68{
69#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
70#if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
71 /* Previously seen (loopback)? Ignore. Do this before
72 fragment check. */
73 if (skb->nfct && !nf_ct_is_template((struct nf_conn *)skb->nfct))
74 return NF_ACCEPT;
75#endif
76#endif
77 /* Gather fragments. */
78 if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
79 enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);
80 if (nf_ct_ipv4_gather_frags(skb, user))
81 return NF_STOLEN;
82 }
83 return NF_ACCEPT;
84}
85
86static struct nf_hook_ops ipv4_defrag_ops[] = {
87 {
88 .hook = ipv4_conntrack_defrag,
89 .owner = THIS_MODULE,
90 .pf = PF_INET,
91 .hooknum = NF_INET_PRE_ROUTING,
92 .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
93 },
94 {
95 .hook = ipv4_conntrack_defrag,
96 .owner = THIS_MODULE,
97 .pf = PF_INET,
98 .hooknum = NF_INET_LOCAL_OUT,
99 .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
100 },
101};
102
103static int __init nf_defrag_init(void)
104{
105 return nf_register_hooks(ipv4_defrag_ops, ARRAY_SIZE(ipv4_defrag_ops));
106}
107
108static void __exit nf_defrag_fini(void)
109{
110 nf_unregister_hooks(ipv4_defrag_ops, ARRAY_SIZE(ipv4_defrag_ops));
111}
112
113void nf_defrag_ipv4_enable(void)
114{
115}
116EXPORT_SYMBOL_GPL(nf_defrag_ipv4_enable);
117
118module_init(nf_defrag_init);
119module_exit(nf_defrag_fini);
120
121MODULE_LICENSE("GPL");