[netfilter-cvslog] r3844 - trunk/iptables/extensions

laforge at netfilter.org laforge at netfilter.org
Sun Apr 10 22:34:01 CEST 2005 

Author: laforge at netfilter.org
Date: 2005-04-10 22:34:00 +0200 (Sun, 10 Apr 2005)
New Revision: 3844

Modified:
   trunk/iptables/extensions/libipt_REJECT.c
   trunk/iptables/extensions/libipt_REJECT.man
Log:
add REJECT with icmp-frag-needed (Florian Lohoff)


Modified: trunk/iptables/extensions/libipt_REJECT.c
===================================================================
--- trunk/iptables/extensions/libipt_REJECT.c	2005-04-10 20:03:02 UTC (rev 3843)
+++ trunk/iptables/extensions/libipt_REJECT.c	2005-04-10 20:34:00 UTC (rev 3844)
@@ -46,6 +46,8 @@
 	 IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
 	{"tcp-reset", "tcp-reset",
 	 IPT_TCP_RESET, "TCP RST packet"},
+	{"icmp-frag-needed", "frag-needed",
+	 IPT_ICMP_FRAG_NEEDED, "ICMP fragmentation needed"},
 	{"icmp-admin-prohibited", "admin-prohib",
 	 IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
 };
@@ -73,7 +75,8 @@
 	printf(
 "REJECT options:\n"
 "--reject-with type              drop input packet and send back\n"
-"                                a reply packet according to type:\n");
+"                                a reply packet according to type:\n"
+"--pmtu                          send back pmtu for icmp-frag-needed\n");
 
 	print_reject_types();
 
@@ -82,6 +85,7 @@
 
 static struct option opts[] = {
 	{ "reject-with", 1, 0, '1' },
+	{ "pmtu", 1, 0, '2' },
 	{ 0 }
 };
 
@@ -96,6 +100,17 @@
 
 }
 
+/* Allocate and initialize the target. */
+static void
+init_v1(struct ipt_entry_target *t, unsigned int *nfcache)
+{
+	struct ipt_reject_info_v1 *reject = (struct ipt_reject_info_v1 *)t->data;
+
+	/* default */
+	reject->with = IPT_ICMP_PORT_UNREACHABLE;
+
+}
+
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -132,6 +147,51 @@
 	return 0;
 }
 
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse_v1(int c, char **argv, int invert, unsigned int *flags,
+      const struct ipt_entry *entry,
+      struct ipt_entry_target **target)
+{
+	struct ipt_reject_info_v1 *reject = (struct ipt_reject_info_v1 *)(*target)->data;
+	unsigned int limit = sizeof(reject_table)/sizeof(struct reject_names);
+	unsigned int i;
+
+	switch(c) {
+	case '1':
+		if (check_inverse(optarg, &invert, NULL, 0))
+			exit_error(PARAMETER_PROBLEM,
+				   "Unexpected `!' after --reject-with");
+		for (i = 0; i < limit; i++) {
+			if ((strncasecmp(reject_table[i].name, optarg, strlen(optarg)) == 0)
+			    || (strncasecmp(reject_table[i].alias, optarg, strlen(optarg)) == 0)) {
+				reject->with = reject_table[i].with;
+				return 1;
+			}
+		}
+		/* This due to be dropped late in 2.4 pre-release cycle --RR */
+		if (strncasecmp("echo-reply", optarg, strlen(optarg)) == 0
+		    || strncasecmp("echoreply", optarg, strlen(optarg)) == 0)
+			fprintf(stderr, "--reject-with echo-reply no longer"
+				" supported\n");
+		exit_error(PARAMETER_PROBLEM, "unknown reject type `%s'",optarg);
+	case '2':
+		if (reject->with != IPT_ICMP_FRAG_NEEDED) 
+			exit_error(PARAMETER_PROBLEM, "--pmtu only valid with icmp-frag-needed");
+		if (string_to_number(optarg, 68, 65535, &i) == -1)
+			exit_error(PARAMETER_PROBLEM, "pmtu number `%s' out of range",optarg);
+
+		reject->value=i;
+		return 1;
+	default:
+		/* Fall through */
+		break;
+	}
+	return 0;
+}
+
+
 /* Final check; nothing. */
 static void final_check(unsigned int flags)
 {
@@ -154,6 +214,27 @@
 	printf("reject-with %s ", reject_table[i].name);
 }
 
+/* Prints out ipt_reject_info. */
+static void
+print_v1(const struct ipt_ip *ip,
+      const struct ipt_entry_target *target,
+      int numeric)
+{
+	const struct ipt_reject_info_v1 *reject
+		= (const struct ipt_reject_info_v1 *)target->data;
+	unsigned int i;
+
+	for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
+		if (reject_table[i].with == reject->with)
+			break;
+	}
+	printf("reject-with %s ", reject_table[i].name);
+
+	if (reject->with == IPT_ICMP_FRAG_NEEDED)
+		printf("pmtu %d ", reject->value);
+}
+
+
 /* Saves ipt_reject in parsable form to stdout. */
 static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
 {
@@ -168,7 +249,25 @@
 	printf("--reject-with %s ", reject_table[i].name);
 }
 
-static struct iptables_target reject = { 
+/* Saves ipt_reject in parsable form to stdout. */
+static void save_v1(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+	const struct ipt_reject_info_v1 *reject
+		= (const struct ipt_reject_info_v1 *)target->data;
+	unsigned int i;
+
+	for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++)
+		if (reject_table[i].with == reject->with)
+			break;
+
+	printf("--reject-with %s ", reject_table[i].name);
+
+	if (reject->with == IPT_ICMP_FRAG_NEEDED)
+		printf("--pmtu %d ", reject->value);
+}
+
+
+static struct iptables_target reject_v0 = { 
 	.next		= NULL,
 	.name		= "REJECT",
 	.version	= IPTABLES_VERSION,
@@ -183,7 +282,25 @@
 	.extra_opts	= opts
 };
 
+static struct iptables_target reject_v1 = { 
+	.next		= NULL,
+	.name		= "REJECT",
+	.version	= IPTABLES_VERSION,
+	.revision	= 1,
+	.size		= IPT_ALIGN(sizeof(struct ipt_reject_info_v1)),
+	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_reject_info_v1)),
+	.help		= &help,
+	.init		= &init_v1,
+	.parse		= &parse_v1,
+	.final_check	= &final_check,
+	.print		= &print_v1,
+	.save		= &save_v1,
+	.extra_opts	= opts
+};
+
+
 void _init(void)
 {
-	register_target(&reject);
+	register_target(&reject_v0);
+	register_target(&reject_v1);
 }

Modified: trunk/iptables/extensions/libipt_REJECT.man
===================================================================
--- trunk/iptables/extensions/libipt_REJECT.man	2005-04-10 20:03:02 UTC (rev 3843)
+++ trunk/iptables/extensions/libipt_REJECT.man	2005-04-10 20:34:00 UTC (rev 3844)
@@ -21,6 +21,7 @@
 .B " icmp-net-prohibited"
 .B " icmp-host-prohibited or"
 .B " icmp-admin-prohibited (*)"
+.B " icmp-frag-needed"
 .fi
 which return the appropriate ICMP error message (\fBport-unreachable\fP is
 the default).  The option
@@ -31,4 +32,7 @@
 (113/tcp) probes which frequently occur when sending mail to broken mail
 hosts (which won't accept your mail otherwise).
 .TP
+.BI "--pmtu " "size"
+The next-hop MTU the icmp-frag-needed is sent back with.
+.TP
 (*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT

More information about the netfilter-cvslog mailing list