1// SPDX-License-Identifier: GPL-2.0-only
2/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@netfilter.org>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 */
8
9/* Get Layer-4 data from the packets */
10
11#include <linux/ip.h>
12#include <linux/skbuff.h>
13#include <linux/icmp.h>
14#include <linux/icmpv6.h>
15#include <linux/sctp.h>
16#include <linux/netfilter_ipv6/ip6_tables.h>
17#include <net/ip.h>
18#include <net/ipv6.h>
19
20#include <linux/netfilter/ipset/ip_set_getport.h>
21#include <linux/export.h>
22
23/* We must handle non-linear skbs */
24static bool
25get_port(const struct sk_buff *skb, int protocol, unsigned int protooff,
26 bool src, __be16 *port, u8 *proto)
27{
28 switch (protocol) {
29 case IPPROTO_TCP: {
30 struct tcphdr _tcph;
31 const struct tcphdr *th;
32
33 th = skb_header_pointer(skb, offset: protooff, len: sizeof(_tcph), buffer: &_tcph);
34 if (!th)
35 /* No choice either */
36 return false;
37
38 *port = src ? th->source : th->dest;
39 break;
40 }
41 case IPPROTO_SCTP: {
42 struct sctphdr _sh;
43 const struct sctphdr *sh;
44
45 sh = skb_header_pointer(skb, offset: protooff, len: sizeof(_sh), buffer: &_sh);
46 if (!sh)
47 /* No choice either */
48 return false;
49
50 *port = src ? sh->source : sh->dest;
51 break;
52 }
53 case IPPROTO_UDP:
54 case IPPROTO_UDPLITE: {
55 struct udphdr _udph;
56 const struct udphdr *uh;
57
58 uh = skb_header_pointer(skb, offset: protooff, len: sizeof(_udph), buffer: &_udph);
59 if (!uh)
60 /* No choice either */
61 return false;
62
63 *port = src ? uh->source : uh->dest;
64 break;
65 }
66 case IPPROTO_ICMP: {
67 struct icmphdr _ich;
68 const struct icmphdr *ic;
69
70 ic = skb_header_pointer(skb, offset: protooff, len: sizeof(_ich), buffer: &_ich);
71 if (!ic)
72 return false;
73
74 *port = (__force __be16)htons((ic->type << 8) | ic->code);
75 break;
76 }
77 case IPPROTO_ICMPV6: {
78 struct icmp6hdr _ich;
79 const struct icmp6hdr *ic;
80
81 ic = skb_header_pointer(skb, offset: protooff, len: sizeof(_ich), buffer: &_ich);
82 if (!ic)
83 return false;
84
85 *port = (__force __be16)
86 htons((ic->icmp6_type << 8) | ic->icmp6_code);
87 break;
88 }
89 default:
90 break;
91 }
92 *proto = protocol;
93
94 return true;
95}
96
97bool
98ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
99 __be16 *port, u8 *proto)
100{
101 const struct iphdr *iph = ip_hdr(skb);
102 unsigned int protooff = skb_network_offset(skb) + ip_hdrlen(skb);
103 int protocol = iph->protocol;
104
105 /* See comments at tcp_match in ip_tables.c */
106 if (protocol <= 0)
107 return false;
108
109 if (ntohs(iph->frag_off) & IP_OFFSET)
110 switch (protocol) {
111 case IPPROTO_TCP:
112 case IPPROTO_SCTP:
113 case IPPROTO_UDP:
114 case IPPROTO_UDPLITE:
115 case IPPROTO_ICMP:
116 /* Port info not available for fragment offset > 0 */
117 return false;
118 default:
119 /* Other protocols doesn't have ports,
120 * so we can match fragments.
121 */
122 *proto = protocol;
123 return true;
124 }
125
126 return get_port(skb, protocol, protooff, src, port, proto);
127}
128EXPORT_SYMBOL_GPL(ip_set_get_ip4_port);
129
130#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
131bool
132ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
133 __be16 *port, u8 *proto)
134{
135 int protoff;
136 u8 nexthdr;
137 __be16 frag_off = 0;
138
139 nexthdr = ipv6_hdr(skb)->nexthdr;
140 protoff = ipv6_skip_exthdr(skb,
141 start: skb_network_offset(skb) +
142 sizeof(struct ipv6hdr), nexthdrp: &nexthdr,
143 frag_offp: &frag_off);
144 if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
145 return false;
146
147 return get_port(skb, protocol: nexthdr, protooff: protoff, src, port, proto);
148}
149EXPORT_SYMBOL_GPL(ip_set_get_ip6_port);
150#endif
151

source code of linux/net/netfilter/ipset/ip_set_getport.c