1 /* Compatibility framework for ipchains and ipfwadm support; designed
2 to look as much like the 2.2 infrastructure as possible. */
4 /* (C) 1999-2001 Paul `Rusty' Russell
5 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
12 struct notifier_block;
14 #include <linux/netfilter_ipv4.h>
18 #include <linux/inetdevice.h>
19 #include <linux/netdevice.h>
20 #include <linux/module.h>
21 #include <asm/uaccess.h>
23 #include <net/route.h>
24 #include <linux/netfilter_ipv4/compat_firewall.h>
25 #include <linux/netfilter_ipv4/ip_conntrack.h>
26 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
27 #include "ip_fw_compat.h"
29 static struct firewall_ops *fwops;
32 /* From ip_vs_core.c */
34 check_for_ip_vs_out(struct sk_buff **skb_p, int (*okfn)(struct sk_buff *));
37 /* They call these; we do what they want. */
38 int register_firewall(int pf, struct firewall_ops *fw)
41 printk("Attempt to register non-IP firewall module.\n");
45 printk("Attempt to register multiple firewall modules.\n");
53 int unregister_firewall(int pf, struct firewall_ops *fw)
60 fw_in(unsigned int hooknum,
61 struct sk_buff **pskb,
62 const struct net_device *in,
63 const struct net_device *out,
64 int (*okfn)(struct sk_buff *))
69 /* Assume worse case: any hook could change packet */
70 (*pskb)->nfcache |= NFC_UNKNOWN | NFC_ALTERED;
71 if ((*pskb)->ip_summed == CHECKSUM_HW)
72 (*pskb)->ip_summed = CHECKSUM_NONE;
75 case NF_IP_PRE_ROUTING:
76 if (fwops->fw_acct_in)
77 fwops->fw_acct_in(fwops, PF_INET,
78 (struct net_device *)in,
81 if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
82 *pskb = ip_ct_gather_frags(*pskb);
88 ret = fwops->fw_input(fwops, PF_INET, (struct net_device *)in,
93 /* Connection will only be set if it was
94 demasqueraded: if so, skip forward chain. */
97 else ret = fwops->fw_forward(fwops, PF_INET,
98 (struct net_device *)out,
102 case NF_IP_POST_ROUTING:
103 ret = fwops->fw_output(fwops, PF_INET,
104 (struct net_device *)out,
106 if (ret == FW_ACCEPT || ret == FW_SKIP) {
107 if (fwops->fw_acct_out)
108 fwops->fw_acct_out(fwops, PF_INET,
109 (struct net_device *)out,
113 /* ip_conntrack_confirm return NF_DROP or NF_ACCEPT */
114 if (ip_conntrack_confirm(*pskb) == NF_DROP)
124 * Generally, routing is THE FIRST thing to make, when
125 * packet enters IP stack. Before packet is routed you
126 * cannot call any service routines from IP stack. */
127 struct iphdr *iph = (*pskb)->nh.iph;
129 if ((*pskb)->dst != NULL
130 || ip_route_input(*pskb, iph->daddr, iph->saddr, iph->tos,
131 (struct net_device *)in) == 0)
132 icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH,
139 if (hooknum == NF_IP_PRE_ROUTING) {
140 check_for_demasq(pskb);
141 check_for_redirect(*pskb);
142 } else if (hooknum == NF_IP_POST_ROUTING) {
143 check_for_unredirect(*pskb);
144 /* Handle ICMP errors from client here */
145 if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
147 check_for_masq_error(pskb);
152 if (hooknum == NF_IP_FORWARD) {
154 /* check if it is for ip_vs */
155 if (check_for_ip_vs_out(pskb, okfn) == NF_STOLEN)
158 return do_masquerade(pskb, out);
160 else return NF_ACCEPT;
163 if (hooknum == NF_IP_PRE_ROUTING)
164 return do_redirect(*pskb, in, redirpt);
165 else return NF_ACCEPT;
173 static unsigned int fw_confirm(unsigned int hooknum,
174 struct sk_buff **pskb,
175 const struct net_device *in,
176 const struct net_device *out,
177 int (*okfn)(struct sk_buff *))
179 return ip_conntrack_confirm(*pskb);
182 extern int ip_fw_ctl(int optval, void *m, unsigned int len);
184 static int sock_fn(struct sock *sk, int optval, void *user, unsigned int len)
187 2.2: sizeof(struct ip_fwtest) (~14x4 + 3x4 = 17x4)
188 2.2: sizeof(struct ip_fwnew) (~1x4 + 15x4 + 3x4 + 3x4 = 22x4)
189 2.0: sizeof(struct ip_fw) (~25x4)
191 We can't include both 2.0 and 2.2 headers, they conflict.
192 Hence, 200 is a good number. --RR */
194 if (!capable(CAP_NET_ADMIN))
197 if (len > sizeof(tmp_fw) || len < 1)
200 if (copy_from_user(&tmp_fw, user, len))
203 return -ip_fw_ctl(optval, &tmp_fw, len);
206 static struct nf_hook_ops preroute_ops = {
208 .owner = THIS_MODULE,
210 .hooknum = NF_IP_PRE_ROUTING,
211 .priority = NF_IP_PRI_FILTER,
214 static struct nf_hook_ops postroute_ops = {
216 .owner = THIS_MODULE,
218 .hooknum = NF_IP_POST_ROUTING,
219 .priority = NF_IP_PRI_FILTER,
222 static struct nf_hook_ops forward_ops = {
224 .owner = THIS_MODULE,
226 .hooknum = NF_IP_FORWARD,
227 .priority = NF_IP_PRI_FILTER,
230 static struct nf_hook_ops local_in_ops = {
232 .owner = THIS_MODULE,
234 .hooknum = NF_IP_LOCAL_IN,
235 .priority = NF_IP_PRI_LAST - 1,
238 static struct nf_sockopt_ops sock_ops = {
241 .set_optmax = 64 + 1024 + 1,
245 extern int ipfw_init_or_cleanup(int init);
247 static int init_or_cleanup(int init)
251 if (!init) goto cleanup;
253 ret = nf_register_sockopt(&sock_ops);
256 goto cleanup_nothing;
258 ret = ipfw_init_or_cleanup(1);
260 goto cleanup_sockopt;
266 nf_register_hook(&preroute_ops);
267 nf_register_hook(&postroute_ops);
268 nf_register_hook(&forward_ops);
269 nf_register_hook(&local_in_ops);
274 nf_unregister_hook(&preroute_ops);
275 nf_unregister_hook(&postroute_ops);
276 nf_unregister_hook(&forward_ops);
277 nf_unregister_hook(&local_in_ops);
282 ipfw_init_or_cleanup(0);
285 nf_unregister_sockopt(&sock_ops);
291 static int __init init(void)
293 return init_or_cleanup(1);
296 static void __exit fini(void)