[mirror_ubuntu-hirsute-kernel.git] / net / ipv4 / netfilter / ipt_REJECT.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * This is a module which is used for rejecting packets.
 */

/* (C) 1999-2001 Paul `Rusty' Russell
 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
 */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/slab.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#include <net/icmp.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_REJECT.h>
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
#include <linux/netfilter_bridge.h>
#endif

#include <net/netfilter/ipv4/nf_reject.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");

static unsigned int
reject_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
	const struct ipt_reject_info *reject = par->targinfo;
	int hook = xt_hooknum(par);

	switch (reject->with) {
	case IPT_ICMP_NET_UNREACHABLE:
		nf_send_unreach(skb, ICMP_NET_UNREACH, hook);
		break;
	case IPT_ICMP_HOST_UNREACHABLE:
		nf_send_unreach(skb, ICMP_HOST_UNREACH, hook);
		break;
	case IPT_ICMP_PROT_UNREACHABLE:
		nf_send_unreach(skb, ICMP_PROT_UNREACH, hook);
		break;
	case IPT_ICMP_PORT_UNREACHABLE:
		nf_send_unreach(skb, ICMP_PORT_UNREACH, hook);
		break;
	case IPT_ICMP_NET_PROHIBITED:
		nf_send_unreach(skb, ICMP_NET_ANO, hook);
		break;
	case IPT_ICMP_HOST_PROHIBITED:
		nf_send_unreach(skb, ICMP_HOST_ANO, hook);
		break;
	case IPT_ICMP_ADMIN_PROHIBITED:
		nf_send_unreach(skb, ICMP_PKT_FILTERED, hook);
		break;
	case IPT_TCP_RESET:
		nf_send_reset(xt_net(par), skb, hook);
	case IPT_ICMP_ECHOREPLY:
		/* Doesn't happen. */
		break;
	}

	return NF_DROP;
}

static int reject_tg_check(const struct xt_tgchk_param *par)
{
	const struct ipt_reject_info *rejinfo = par->targinfo;
	const struct ipt_entry *e = par->entryinfo;

	if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
		pr_info_ratelimited("ECHOREPLY no longer supported.\n");
		return -EINVAL;
	} else if (rejinfo->with == IPT_TCP_RESET) {
		/* Must specify that it's a TCP packet */
		if (e->ip.proto != IPPROTO_TCP ||
		    (e->ip.invflags & XT_INV_PROTO)) {
			pr_info_ratelimited("TCP_RESET invalid for non-tcp\n");
			return -EINVAL;
		}
	}
	return 0;
}

static struct xt_target reject_tg_reg __read_mostly = {
	.name		= "REJECT",
	.family		= NFPROTO_IPV4,
	.target		= reject_tg,
	.targetsize	= sizeof(struct ipt_reject_info),
	.table		= "filter",
	.hooks		= (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
			  (1 << NF_INET_LOCAL_OUT),
	.checkentry	= reject_tg_check,
	.me		= THIS_MODULE,
};

static int __init reject_tg_init(void)
{
	return xt_register_target(&reject_tg_reg);
}

static void __exit reject_tg_exit(void)
{
	xt_unregister_target(&reject_tg_reg);
}

module_init(reject_tg_init);
module_exit(reject_tg_exit);
Commit	Line	Data
d2912cb1	1	// SPDX-License-Identifier: GPL-2.0-only
1da177e4 LT	2	/*
1da177e4 LT	3	* This is a module which is used for rejecting packets.
1da177e4 LT	4	*/
	5
	6	/* (C) 1999-2001 Paul `Rusty' Russell
	7	* (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
1da177e4	8	*/
ff67e4e4	9	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
1da177e4 LT	10	#include <linux/module.h>
1da177e4 LT	11	#include <linux/skbuff.h>
5a0e3ad6	12	#include <linux/slab.h>
1da177e4 LT	13	#include <linux/ip.h>
	14	#include <linux/udp.h>
	15	#include <linux/icmp.h>
	16	#include <net/icmp.h>
6709dbbb	17	#include <linux/netfilter/x_tables.h>
1da177e4 LT	18	#include <linux/netfilter_ipv4/ip_tables.h>
1da177e4 LT	19	#include <linux/netfilter_ipv4/ipt_REJECT.h>
1109a90c	20	#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
1da177e4 LT	21	#include <linux/netfilter_bridge.h>
	22	#endif
	23
cc70d069 EL	24	#include <net/netfilter/ipv4/nf_reject.h>
cc70d069 EL	25
1da177e4 LT	26	MODULE_LICENSE("GPL");
1da177e4 LT	27	MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
2ae15b64	28	MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");
1da177e4	29
d3c5ee6d	30	static unsigned int
4b560b44	31	reject_tg(struct sk_buff skb, const struct xt_action_param par)
1da177e4	32	{
7eb35586	33	const struct ipt_reject_info *reject = par->targinfo;
613dbd95	34	int hook = xt_hooknum(par);
1da177e4	35
e905a9ed YH	36	switch (reject->with) {
e905a9ed YH	37	case IPT_ICMP_NET_UNREACHABLE:
ee586bbc	38	nf_send_unreach(skb, ICMP_NET_UNREACH, hook);
e905a9ed YH	39	break;
e905a9ed YH	40	case IPT_ICMP_HOST_UNREACHABLE:
ee586bbc	41	nf_send_unreach(skb, ICMP_HOST_UNREACH, hook);
e905a9ed YH	42	break;
e905a9ed YH	43	case IPT_ICMP_PROT_UNREACHABLE:
ee586bbc	44	nf_send_unreach(skb, ICMP_PROT_UNREACH, hook);
e905a9ed YH	45	break;
e905a9ed YH	46	case IPT_ICMP_PORT_UNREACHABLE:
ee586bbc	47	nf_send_unreach(skb, ICMP_PORT_UNREACH, hook);
e905a9ed YH	48	break;
e905a9ed YH	49	case IPT_ICMP_NET_PROHIBITED:
ee586bbc	50	nf_send_unreach(skb, ICMP_NET_ANO, hook);
e905a9ed	51	break;
1da177e4	52	case IPT_ICMP_HOST_PROHIBITED:
ee586bbc	53	nf_send_unreach(skb, ICMP_HOST_ANO, hook);
e905a9ed YH	54	break;
e905a9ed YH	55	case IPT_ICMP_ADMIN_PROHIBITED:
ee586bbc	56	nf_send_unreach(skb, ICMP_PKT_FILTERED, hook);
1da177e4 LT	57	break;
1da177e4 LT	58	case IPT_TCP_RESET:
613dbd95	59	nf_send_reset(xt_net(par), skb, hook);
1da177e4 LT	60	case IPT_ICMP_ECHOREPLY:
	61	/* Doesn't happen. */
	62	break;
	63	}
	64
	65	return NF_DROP;
	66	}
	67
135367b8	68	static int reject_tg_check(const struct xt_tgchk_param *par)
1da177e4	69	{
af5d6dc2 JE	70	const struct ipt_reject_info *rejinfo = par->targinfo;
af5d6dc2 JE	71	const struct ipt_entry *e = par->entryinfo;
1da177e4	72
1da177e4	73	if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
b2606644	74	pr_info_ratelimited("ECHOREPLY no longer supported.\n");
d6b00a53	75	return -EINVAL;
1da177e4 LT	76	} else if (rejinfo->with == IPT_TCP_RESET) {
1da177e4 LT	77	/* Must specify that it's a TCP packet */
3666ed1c JP	78	if (e->ip.proto != IPPROTO_TCP \|\|
3666ed1c JP	79	(e->ip.invflags & XT_INV_PROTO)) {
b2606644	80	pr_info_ratelimited("TCP_RESET invalid for non-tcp\n");
d6b00a53	81	return -EINVAL;
1da177e4 LT	82	}
1da177e4 LT	83	}
d6b00a53	84	return 0;
1da177e4 LT	85	}
1da177e4 LT	86
d3c5ee6d	87	static struct xt_target reject_tg_reg __read_mostly = {
1da177e4	88	.name = "REJECT",
ee999d8b	89	.family = NFPROTO_IPV4,
d3c5ee6d	90	.target = reject_tg,
1d5cd909 PM	91	.targetsize = sizeof(struct ipt_reject_info),
1d5cd909 PM	92	.table = "filter",
6e23ae2a PM	93	.hooks = (1 << NF_INET_LOCAL_IN) \| (1 << NF_INET_FORWARD) \|
6e23ae2a PM	94	(1 << NF_INET_LOCAL_OUT),
d3c5ee6d	95	.checkentry = reject_tg_check,
1da177e4 LT	96	.me = THIS_MODULE,
	97	};
	98
d3c5ee6d	99	static int __init reject_tg_init(void)
1da177e4	100	{
d3c5ee6d	101	return xt_register_target(&reject_tg_reg);
1da177e4 LT	102	}
1da177e4 LT	103
d3c5ee6d	104	static void __exit reject_tg_exit(void)
1da177e4	105	{
d3c5ee6d	106	xt_unregister_target(&reject_tg_reg);
1da177e4 LT	107	}
1da177e4 LT	108
d3c5ee6d JE	109	module_init(reject_tg_init);
d3c5ee6d JE	110	module_exit(reject_tg_exit);