summaryrefslogtreecommitdiffstats
path: root/src/extra
diff options
context:
space:
mode:
Diffstat (limited to 'src/extra')
-rw-r--r--src/extra/checksum.c14
-rw-r--r--src/extra/ipv4.c56
-rw-r--r--src/extra/ipv6.c35
-rw-r--r--src/extra/pktbuff.c36
-rw-r--r--src/extra/tcp.c108
-rw-r--r--src/extra/udp.c111
6 files changed, 263 insertions, 97 deletions
diff --git a/src/extra/checksum.c b/src/extra/checksum.c
index 42389aa..a650b64 100644
--- a/src/extra/checksum.c
+++ b/src/extra/checksum.c
@@ -62,21 +62,21 @@ uint16_t nfq_checksum_tcpudp_ipv6(struct ip6_hdr *ip6h, void *transport_hdr,
uint16_t protonum)
{
uint32_t sum = 0;
- uint32_t hdr_len = (uint32_t *)transport_hdr - (uint32_t *)ip6h;
- uint32_t len = ip6h->ip6_plen - hdr_len;
+ uint32_t hdr_len = (uint8_t *)transport_hdr - (uint8_t *)ip6h;
+ /* Allow for extra headers before the UDP header */
+ /* TODO: Deal with routing headers */
+ uint32_t len = ntohs(ip6h->ip6_plen) - (hdr_len - sizeof *ip6h);
uint8_t *payload = (uint8_t *)ip6h + hdr_len;
int i;
for (i=0; i<8; i++) {
- sum += (ip6h->ip6_src.s6_addr16[i] >> 16) & 0xFFFF;
- sum += (ip6h->ip6_src.s6_addr16[i]) & 0xFFFF;
+ sum += (ip6h->ip6_src.s6_addr16[i]);
}
for (i=0; i<8; i++) {
- sum += (ip6h->ip6_dst.s6_addr16[i] >> 16) & 0xFFFF;
- sum += (ip6h->ip6_dst.s6_addr16[i]) & 0xFFFF;
+ sum += (ip6h->ip6_dst.s6_addr16[i]);
}
sum += htons(protonum);
- sum += htons(ip6h->ip6_plen);
+ sum += htons(len);
return nfq_checksum(sum, (uint16_t *)payload, len);
}
diff --git a/src/extra/ipv4.c b/src/extra/ipv4.c
index c03f23f..797bab1 100644
--- a/src/extra/ipv4.c
+++ b/src/extra/ipv4.c
@@ -26,17 +26,21 @@
*/
/**
- * nfq_ip_get_hdr - get IPv4 header
+ * nfq_ip_get_hdr - get the IPv4 header
* \param pktb: Pointer to user-space network packet buffer
+ * \returns validated pointer to the IPv4 header or NULL if IP is malformed or
+ * not version 4
*
- * This funcion returns NULL if the IPv4 is malformed or the protocol version
- * is not 4. On success, it returns a valid pointer to the IPv4 header.
+ * Many programs will not need to call this function. A possible use is to
+ * determine the layer 4 protocol. The validation is that the buffer is big
+ * enough for the declared lengths in the header, i.e. an extra check for packet
+ * truncation.
*/
EXPORT_SYMBOL
struct iphdr *nfq_ip_get_hdr(struct pkt_buff *pktb)
{
struct iphdr *iph;
- unsigned int pktlen = pktb->tail - pktb->network_header;
+ unsigned int pktlen = pktb_tail(pktb) - pktb->network_header;
/* Not enough room for IPv4 header. */
if (pktlen < sizeof(struct iphdr))
@@ -56,13 +60,14 @@ struct iphdr *nfq_ip_get_hdr(struct pkt_buff *pktb)
}
/**
- * nfq_ip_set_transport_header - set transport header
+ * nfq_ip_set_transport_header - set the \b transport_header field in \b pktb
* \param pktb: Pointer to user-space network packet buffer
* \param iph: Pointer to the IPv4 header
- *
- * Sets the \b transport_header field in \b pktb
- *
- * Level 4 helper functions need this to be set.
+ * \returns 0 on success or -1 if a minimal validation check fails
+ * \note
+ * Most programs should call __nfq_ip_set_transport_header__ as soon as
+ * possible, since most layer 4 helper functions assume the
+ * \b transport_header field is valid.
*/
EXPORT_SYMBOL
int nfq_ip_set_transport_header(struct pkt_buff *pktb, struct iphdr *iph)
@@ -78,11 +83,20 @@ int nfq_ip_set_transport_header(struct pkt_buff *pktb, struct iphdr *iph)
}
/**
+ * \defgroup ip_internals Internal IP functions
+ *
+ * Most user-space programs will never need these.
+ *
+ * @{
+ */
+
+/**
* nfq_ip_set_checksum - set IPv4 checksum
* \param iph: Pointer to the IPv4 header
- *
- * \note Call to this function if you modified the IPv4 header to update the
- * checksum.
+ * \note
+ * nfq_ip_mangle() invokes this function.
+ * As long as developers always use the appropriate mangler for the layer being
+ * mangled, there is no need to call __nfq_ip_set_checksum__.
*/
EXPORT_SYMBOL
void nfq_ip_set_checksum(struct iphdr *iph)
@@ -94,16 +108,20 @@ void nfq_ip_set_checksum(struct iphdr *iph)
}
/**
+ * @}
+ */
+
+/**
* nfq_ip_mangle - mangle IPv4 packet buffer
* \param pktb: Pointer to user-space network packet buffer
- * \param dataoff: Offset to layer 4 header
+ * \param dataoff: Offset to layer 4 header, or zero to mangle IP header
* \param match_offset: Offset to content that you want to mangle
* \param match_len: Length of the existing content you want to mangle
* \param rep_buffer: Pointer to data you want to use to replace current content
* \param rep_len: Length of data you want to use to replace current content
* \returns 1 for success and 0 for failure. See pktb_mangle() for failure case
- * \note This function updates the IPv4 length and recalculates the IPv4
- * checksum (if necessary)
+ * \note This function updates the IPv4 length if necessary and recalculates the
+ * IPv4 checksum.
*/
EXPORT_SYMBOL
int nfq_ip_mangle(struct pkt_buff *pktb, unsigned int dataoff,
@@ -117,7 +135,7 @@ int nfq_ip_mangle(struct pkt_buff *pktb, unsigned int dataoff,
return 0;
/* fix IP hdr checksum information */
- iph->tot_len = htons(pktb->tail - pktb->network_header);
+ iph->tot_len = htons(pktb_tail(pktb) - pktb->network_header);
nfq_ip_set_checksum(iph);
return 1;
@@ -128,10 +146,8 @@ int nfq_ip_mangle(struct pkt_buff *pktb, unsigned int dataoff,
* \param buf: Pointer to buffer that will be used to print the header
* \param size: Size of the buffer (or remaining room in it)
* \param iph: Pointer to a valid IPv4 header
- *
- * This function returns the number of bytes written (excluding the
- * string-terminating NUL) *assuming sufficient room in the buffer*.
- * Read the snprintf manpage for more information about this strange behaviour.
+ * \returns same as snprintf
+ * \sa **snprintf**(3)
*/
EXPORT_SYMBOL
int nfq_ip_snprintf(char *buf, size_t size, const struct iphdr *iph)
diff --git a/src/extra/ipv6.c b/src/extra/ipv6.c
index f685b3b..42c5e25 100644
--- a/src/extra/ipv6.c
+++ b/src/extra/ipv6.c
@@ -36,7 +36,7 @@ EXPORT_SYMBOL
struct ip6_hdr *nfq_ip6_get_hdr(struct pkt_buff *pktb)
{
struct ip6_hdr *ip6h;
- unsigned int pktlen = pktb->tail - pktb->network_header;
+ unsigned int pktlen = pktb_tail(pktb) - pktb->network_header;
/* Not enough room for IPv6 header. */
if (pktlen < sizeof(struct ip6_hdr))
@@ -77,7 +77,7 @@ int nfq_ip6_set_transport_header(struct pkt_buff *pktb, struct ip6_hdr *ip6h,
break;
}
/* No room for extension, bad packet. */
- if (pktb->tail - cur < sizeof(struct ip6_ext)) {
+ if (pktb_tail(pktb) - cur < sizeof(struct ip6_ext)) {
cur = NULL;
break;
}
@@ -87,7 +87,7 @@ int nfq_ip6_set_transport_header(struct pkt_buff *pktb, struct ip6_hdr *ip6h,
uint16_t *frag_off;
/* No room for full fragment header, bad packet. */
- if (pktb->tail - cur < sizeof(struct ip6_frag)) {
+ if (pktb_tail(pktb) - cur < sizeof(struct ip6_frag)) {
cur = NULL;
break;
}
@@ -117,6 +117,35 @@ int nfq_ip6_set_transport_header(struct pkt_buff *pktb, struct ip6_hdr *ip6h,
}
/**
+ * nfq_ip6_mangle - mangle IPv6 packet buffer
+ * \param pktb: Pointer to user-space network packet buffer
+ * \param dataoff: Offset to layer 4 header
+ * \param match_offset: Offset to content that you want to mangle
+ * \param match_len: Length of the existing content you want to mangle
+ * \param rep_buffer: Pointer to data you want to use to replace current content
+ * \param rep_len: Length of data you want to use to replace current content
+ * \returns 1 for success and 0 for failure. See pktb_mangle() for failure case
+ * \note This function updates the IPv6 length (if necessary)
+ */
+EXPORT_SYMBOL
+int nfq_ip6_mangle(struct pkt_buff *pktb, unsigned int dataoff,
+ unsigned int match_offset, unsigned int match_len,
+ const char *rep_buffer, unsigned int rep_len)
+{
+ struct ip6_hdr *ip6h = (struct ip6_hdr *)pktb->network_header;
+
+ if (!pktb_mangle(pktb, dataoff, match_offset, match_len, rep_buffer,
+ rep_len))
+ return 0;
+
+ /* Fix IPv6 hdr length information */
+ ip6h->ip6_plen =
+ htons(pktb_tail(pktb) - pktb->network_header - sizeof *ip6h);
+
+ return 1;
+}
+
+/**
* nfq_ip6_snprintf - print IPv6 header into one buffer in iptables LOG format
* \param buf: Pointer to buffer that is used to print the object
* \param size: Size of the buffer (or remaining room in it).
diff --git a/src/extra/pktbuff.c b/src/extra/pktbuff.c
index 26d7ca8..6dd0ca9 100644
--- a/src/extra/pktbuff.c
+++ b/src/extra/pktbuff.c
@@ -52,6 +52,7 @@ EXPORT_SYMBOL
struct pkt_buff *pktb_alloc(int family, void *data, size_t len, size_t extra)
{
struct pkt_buff *pktb;
+ struct ethhdr *ethhdr;
void *pkt_data;
pktb = calloc(1, sizeof(struct pkt_buff) + len + extra);
@@ -65,18 +66,15 @@ struct pkt_buff *pktb_alloc(int family, void *data, size_t len, size_t extra)
pktb->len = len;
pktb->data_len = len + extra;
- pktb->head = pkt_data;
pktb->data = pkt_data;
- pktb->tail = pktb->head + len;
switch(family) {
case AF_INET:
case AF_INET6:
pktb->network_header = pktb->data;
break;
- case AF_BRIDGE: {
- struct ethhdr *ethhdr = (struct ethhdr *)pktb->data;
-
+ case AF_BRIDGE:
+ ethhdr = (struct ethhdr *)pktb->data;
pktb->mac_header = pktb->data;
switch(ethhdr->h_proto) {
@@ -92,7 +90,6 @@ struct pkt_buff *pktb_alloc(int family, void *data, size_t len, size_t extra)
}
break;
}
- }
return pktb;
}
@@ -111,7 +108,7 @@ uint8_t *pktb_data(struct pkt_buff *pktb)
}
/**
- * pktb_len - return length of the packet buffer
+ * pktb_len - get length of packet buffer
* \param pktb Pointer to userspace packet buffer
* \return Length of packet contained within __pktb__
* \par
@@ -192,7 +189,6 @@ void pktb_pull(struct pkt_buff *pktb, unsigned int len)
EXPORT_SYMBOL
void pktb_put(struct pkt_buff *pktb, unsigned int len)
{
- pktb->tail += len;
pktb->len += len;
}
@@ -205,7 +201,6 @@ EXPORT_SYMBOL
void pktb_trim(struct pkt_buff *pktb, unsigned int len)
{
pktb->len = len;
- pktb->tail = pktb->head + len;
}
/**
@@ -271,26 +266,25 @@ uint8_t *pktb_transport_header(struct pkt_buff *pktb)
* @}
*/
-static int pktb_expand_tail(struct pkt_buff *pkt, int extra)
+static int pktb_expand_tail(struct pkt_buff *pktb, int extra)
{
/* No room in packet, cannot mangle it. We don't support dynamic
* reallocation. Instead, increase the size of the extra room in
* the tail in pktb_alloc.
*/
- if (pkt->len + extra > pkt->data_len)
+ if (pktb->len + extra > pktb->data_len)
return 0;
- pkt->len += extra;
- pkt->tail = pkt->tail + extra;
+ pktb->len += extra;
return 1;
}
-static int enlarge_pkt(struct pkt_buff *pkt, unsigned int extra)
+static int enlarge_pkt(struct pkt_buff *pktb, unsigned int extra)
{
- if (pkt->len + extra > 65535)
+ if (pktb->len + extra > 65535)
return 0;
- if (!pktb_expand_tail(pkt, extra - pktb_tailroom(pkt)))
+ if (!pktb_expand_tail(pktb, extra - pktb_tailroom(pktb)))
return 0;
return 1;
@@ -299,8 +293,10 @@ static int enlarge_pkt(struct pkt_buff *pkt, unsigned int extra)
/**
* pktb_mangle - adjust contents of a packet
* \param pktb Pointer to userspace packet buffer
- * \param dataoff Offset to layer 4 header. Specify zero to access layer 3 (IP)
- * header (layer 2 for family \b AF_BRIDGE)
+ * \param dataoff Supplementary offset, usually offset from layer 3 (IP) header
+ * to the layer 4 (TCP or UDP) header. Specify zero to access the layer 3
+ * header. If \b pktb was created in family \b AF_BRIDGE, specify
+ * \b -ETH_HLEN (a negative offset) to access the layer 2 (MAC) header.
* \param match_offset Further offset to content that you want to mangle
* \param match_len Length of the existing content you want to mangle
* \param rep_buffer Pointer to data you want to use to replace current content
@@ -316,7 +312,7 @@ static int enlarge_pkt(struct pkt_buff *pkt, unsigned int extra)
*/
EXPORT_SYMBOL
int pktb_mangle(struct pkt_buff *pktb,
- unsigned int dataoff,
+ int dataoff,
unsigned int match_offset,
unsigned int match_len,
const char *rep_buffer,
@@ -334,7 +330,7 @@ int pktb_mangle(struct pkt_buff *pktb,
/* move post-replacement */
memmove(data + match_offset + rep_len,
data + match_offset + match_len,
- pktb->tail - (pktb->network_header + dataoff +
+ pktb_tail(pktb) - (pktb->network_header + dataoff +
match_offset + match_len));
/* insert data from buffer */
diff --git a/src/extra/tcp.c b/src/extra/tcp.c
index 136d7ea..933c6ee 100644
--- a/src/extra/tcp.c
+++ b/src/extra/tcp.c
@@ -21,6 +21,7 @@
#include <libnetfilter_queue/libnetfilter_queue.h>
#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
#include <libnetfilter_queue/libnetfilter_queue_ipv4.h>
+#include <libnetfilter_queue/libnetfilter_queue_ipv6.h>
#include <libnetfilter_queue/pktbuff.h>
#include "internal.h"
@@ -31,14 +32,12 @@
*/
/**
- * nfq_tcp_get - get the TCP header
+ * nfq_tcp_get_hdr - get the TCP header
* \param pktb: pointer to user-space network packet buffer
- *
- * This function returns NULL if an invalid TCP header is found. On success,
- * it returns the TCP header.
- *
- * \note You have to call nfq_ip_set_transport_header or
- * nfq_ip6_set_transport_header first to access the TCP header.
+ * \returns validated pointer to the TCP header or NULL if the TCP header was
+ * not set or if a minimal length check fails.
+ * \note You have to call nfq_ip_set_transport_header() or
+ * nfq_ip6_set_transport_header() first to set the TCP header.
*/
EXPORT_SYMBOL
struct tcphdr *nfq_tcp_get_hdr(struct pkt_buff *pktb)
@@ -47,7 +46,7 @@ struct tcphdr *nfq_tcp_get_hdr(struct pkt_buff *pktb)
return NULL;
/* No room for the TCP header. */
- if (pktb->tail - pktb->transport_header < sizeof(struct tcphdr))
+ if (pktb_tail(pktb) - pktb->transport_header < sizeof(struct tcphdr))
return NULL;
return (struct tcphdr *)pktb->transport_header;
@@ -57,6 +56,7 @@ struct tcphdr *nfq_tcp_get_hdr(struct pkt_buff *pktb)
* nfq_tcp_get_payload - get the TCP packet payload
* \param tcph: pointer to the TCP header
* \param pktb: pointer to user-space network packet buffer
+ * \returns Pointer to the TCP payload, or NULL if malformed TCP packet.
*/
EXPORT_SYMBOL
void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb)
@@ -68,7 +68,7 @@ void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb)
return NULL;
/* malformed TCP data offset. */
- if (pktb->transport_header + len > pktb->tail)
+ if (pktb->transport_header + len > pktb_tail(pktb))
return NULL;
return pktb->transport_header + len;
@@ -78,17 +78,31 @@ void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb)
* nfq_tcp_get_payload_len - get the tcp packet payload
* \param tcph: pointer to the TCP header
* \param pktb: pointer to user-space network packet buffer
+ * \returns Length of TCP payload (user data)
*/
EXPORT_SYMBOL
unsigned int nfq_tcp_get_payload_len(struct tcphdr *tcph, struct pkt_buff *pktb)
{
- return pktb->tail - pktb->transport_header;
+ return pktb_tail(pktb) - pktb->transport_header - (tcph->doff * 4);
}
/**
- * nfq_tcp_set_checksum_ipv4 - computes IPv4/TCP packet checksum
+ * \defgroup tcp_internals Internal TCP functions
+ *
+ * Most user-space programs will never need these.
+ *
+ * @{
+ */
+
+/**
+ * nfq_tcp_compute_checksum_ipv4 - computes IPv4/TCP packet checksum
* \param tcph: pointer to the TCP header
* \param iph: pointer to the IPv4 header
+ * \note
+ * nfq_tcp_mangle_ipv4() invokes this function.
+ * As long as developers always use __nfq_tcp_mangle_ipv4__ when changing the
+ * content of a TCP message, there is no need to call
+ * __nfq_tcp_compute_checksum_ipv4__.
*/
EXPORT_SYMBOL
void nfq_tcp_compute_checksum_ipv4(struct tcphdr *tcph, struct iphdr *iph)
@@ -99,9 +113,14 @@ void nfq_tcp_compute_checksum_ipv4(struct tcphdr *tcph, struct iphdr *iph)
}
/**
- * nfq_tcp_set_checksum_ipv6 - computes IPv6/TCP packet checksum
+ * nfq_tcp_compute_checksum_ipv6 - computes IPv6/TCP packet checksum
* \param tcph: pointer to the TCP header
- * \param iph: pointer to the IPv6 header
+ * \param ip6h: pointer to the IPv6 header
+ * \note
+ * nfq_tcp_mangle_ipv6() invokes this function.
+ * As long as developers always use __nfq_tcp_mangle_ipv6__ when changing the
+ * content of a TCP message, there is no need to call
+ * __nfq_tcp_compute_checksum_ipv6__.
*/
EXPORT_SYMBOL
void nfq_tcp_compute_checksum_ipv6(struct tcphdr *tcph, struct ip6_hdr *ip6h)
@@ -111,6 +130,10 @@ void nfq_tcp_compute_checksum_ipv6(struct tcphdr *tcph, struct ip6_hdr *ip6h)
tcph->check = nfq_checksum_tcpudp_ipv6(ip6h, tcph, IPPROTO_TCP);
}
+/**
+ * @}
+ */
+
/*
* The union cast uses a gcc extension to avoid aliasing problems
* (union is compatible to any of its members)
@@ -128,7 +151,9 @@ union tcp_word_hdr {
* readable way
* \param buf: pointer to buffer that is used to print the object
* \param size: size of the buffer (or remaining room in it).
- * \param tcp: pointer to a valid tcp header.
+ * \param tcph: pointer to a valid tcp header.
+ * \returns Same as \b snprintf
+ * \sa __snprintf__(3)
*
*/
EXPORT_SYMBOL
@@ -183,21 +208,25 @@ int nfq_tcp_snprintf(char *buf, size_t size, const struct tcphdr *tcph)
* \param match_len: length of the existing content you want to mangle
* \param rep_buffer: pointer to data you want to use to replace current content
* \param rep_len: length of data you want to use to replace current content
- *
- * \note This function recalculates the IPv4 and TCP checksums for you.
+ * \returns 1 for success and 0 for failure. See pktb_mangle() for failure case
+ * \note This function updates the IPv4 length and recalculates the IPv4 & TCP
+ * checksums for you.
+ * \warning After changing the length of a TCP message, the application will
+ * need to mangle sequence numbers in both directions until another change
+ * puts them in sync again
*/
EXPORT_SYMBOL
-int nfq_tcp_mangle_ipv4(struct pkt_buff *pkt,
+int nfq_tcp_mangle_ipv4(struct pkt_buff *pktb,
unsigned int match_offset, unsigned int match_len,
const char *rep_buffer, unsigned int rep_len)
{
struct iphdr *iph;
struct tcphdr *tcph;
- iph = (struct iphdr *)pkt->network_header;
- tcph = (struct tcphdr *)(pkt->network_header + iph->ihl*4);
+ iph = (struct iphdr *)pktb->network_header;
+ tcph = (struct tcphdr *)(pktb->network_header + iph->ihl*4);
- if (!nfq_ip_mangle(pkt, iph->ihl*4 + tcph->doff*4,
+ if (!nfq_ip_mangle(pktb, iph->ihl*4 + tcph->doff*4,
match_offset, match_len, rep_buffer, rep_len))
return 0;
@@ -207,5 +236,44 @@ int nfq_tcp_mangle_ipv4(struct pkt_buff *pkt,
}
/**
+ * nfq_tcp_mangle_ipv6 - Mangle TCP/IPv6 packet buffer
+ * \param pktb: Pointer to network packet buffer
+ * \param match_offset: Offset from start of TCP data of content that you want
+ * to mangle
+ * \param match_len: Length of the existing content you want to mangle
+ * \param rep_buffer: Pointer to data you want to use to replace current content
+ * \param rep_len: Length of data you want to use to replace current content
+ * \returns 1 for success and 0 for failure. See pktb_mangle() for failure case
+ * \note This function updates the IPv6 length and recalculates the TCP
+ * checksum for you.
+ * \warning After changing the length of a TCP message, the application will
+ * need to mangle sequence numbers in both directions until another change
+ * puts them in sync again
+ */
+EXPORT_SYMBOL
+int nfq_tcp_mangle_ipv6(struct pkt_buff *pktb,
+ unsigned int match_offset, unsigned int match_len,
+ const char *rep_buffer, unsigned int rep_len)
+{
+ struct ip6_hdr *ip6h;
+ struct tcphdr *tcph;
+
+ ip6h = (struct ip6_hdr *)pktb->network_header;
+ tcph = (struct tcphdr *)(pktb->transport_header);
+ if (!tcph)
+ return 0;
+
+ if (!nfq_ip6_mangle(pktb,
+ pktb->transport_header - pktb->network_header +
+ tcph->doff * 4,
+ match_offset, match_len, rep_buffer, rep_len))
+ return 0;
+
+ nfq_tcp_compute_checksum_ipv6(tcph, ip6h);
+
+ return 1;
+}
+
+/**
* @}
*/
diff --git a/src/extra/udp.c b/src/extra/udp.c
index fed23e2..f232127 100644
--- a/src/extra/udp.c
+++ b/src/extra/udp.c
@@ -20,6 +20,7 @@
#include <libnetfilter_queue/libnetfilter_queue.h>
#include <libnetfilter_queue/libnetfilter_queue_udp.h>
#include <libnetfilter_queue/libnetfilter_queue_ipv4.h>
+#include <libnetfilter_queue/libnetfilter_queue_ipv6.h>
#include <libnetfilter_queue/pktbuff.h>
#include "internal.h"
@@ -31,10 +32,12 @@
/**
* nfq_udp_get_hdr - get the UDP header.
- * \param pktb: Pointer to network packet buffer
+ * \param pktb: Pointer to userspace network packet buffer
*
- * This function returns NULL if invalid UDP header is found. On success,
- * it returns the UDP header.
+ * \returns validated pointer to the UDP header or NULL if the UDP header was
+ * not set or if a minimal length check fails.
+ * \note You have to call nfq_ip_set_transport_header() or
+ * nfq_ip6_set_transport_header() first to set the UDP header.
*/
EXPORT_SYMBOL
struct udphdr *nfq_udp_get_hdr(struct pkt_buff *pktb)
@@ -43,7 +46,7 @@ struct udphdr *nfq_udp_get_hdr(struct pkt_buff *pktb)
return NULL;
/* No room for the UDP header. */
- if (pktb->tail - pktb->transport_header < sizeof(struct udphdr))
+ if (pktb_tail(pktb) - pktb->transport_header < sizeof(struct udphdr))
return NULL;
return (struct udphdr *)pktb->transport_header;
@@ -52,7 +55,8 @@ struct udphdr *nfq_udp_get_hdr(struct pkt_buff *pktb)
/**
* nfq_udp_get_payload - get the UDP packet payload.
* \param udph: Pointer to UDP header
- * \param pktb: Pointer to network packet buffer
+ * \param pktb: Pointer to userspace network packet buffer
+ * \returns Pointer to the UDP payload, or NULL if malformed UDP packet.
*/
EXPORT_SYMBOL
void *nfq_udp_get_payload(struct udphdr *udph, struct pkt_buff *pktb)
@@ -64,7 +68,7 @@ void *nfq_udp_get_payload(struct udphdr *udph, struct pkt_buff *pktb)
return NULL;
/* malformed UDP packet. */
- if (pktb->transport_header + len > pktb->tail)
+ if (pktb->transport_header + len > pktb_tail(pktb))
return NULL;
return pktb->transport_header + sizeof(struct udphdr);
@@ -73,23 +77,32 @@ void *nfq_udp_get_payload(struct udphdr *udph, struct pkt_buff *pktb)
/**
* nfq_udp_get_payload_len - get the udp packet payload.
* \param udph: Pointer to UDP header
- * \param pktb: Pointer to network packet buffer
+ * \param pktb: Pointer to userspace network packet buffer
+ * \returns Length of UDP payload (user data)
*/
EXPORT_SYMBOL
unsigned int nfq_udp_get_payload_len(struct udphdr *udph, struct pkt_buff *pktb)
{
- return pktb->tail - pktb->transport_header;
+ return pktb_tail(pktb) - pktb->transport_header - sizeof(struct udphdr);
}
/**
- * nfq_udp_set_checksum_ipv4 - computes a IPv4/TCP packet's segment
- * \param iphdrp: pointer to the ip header
- * \param ippayload: payload of the ip packet
+ * \defgroup udp_internals Internal UDP functions
*
- * \returns the checksum of the udp segment.
+ * Most user-space programs will never need these.
*
- * \see nfq_pkt_compute_ip_checksum
- * \see nfq_pkt_compute_udp_checksum
+ * @{
+ */
+
+/**
+ * nfq_udp_compute_checksum_ipv4 - sets up the UDP checksum in a UDP/IPv4 packet
+ * \param udph: pointer to the UDP header
+ * \param iph: pointer to the IPv4 header
+ * \note
+ * nfq_udp_mangle_ipv4() invokes this function.
+ * As long as developers always use __nfq_udp_mangle_ipv4__ when changing the
+ * content of a UDP message, there is no need to call
+ * __nfq_udp_compute_checksum_ipv4__.
*/
EXPORT_SYMBOL
void nfq_udp_compute_checksum_ipv4(struct udphdr *udph, struct iphdr *iph)
@@ -100,14 +113,14 @@ void nfq_udp_compute_checksum_ipv4(struct udphdr *udph, struct iphdr *iph)
}
/**
- * nfq_udp_set_checksum_ipv6 - computes a IPv6/TCP packet's segment
- * \param iphdrp: pointer to the ip header
- * \param ippayload: payload of the ip packet
- *
- * \returns the checksum of the udp segment.
- *
- * \see nfq_pkt_compute_ip_checksum
- * \see nfq_pkt_compute_udp_checksum
+ * nfq_udp_compute_checksum_ipv6 - sets up the UDP checksum in a UDP/IPv6 packet
+ * \param udph: pointer to the UDP header
+ * \param ip6h: pointer to the IPv6 header
+ * \note
+ * nfq_udp_mangle_ipv6() invokes this function.
+ * As long as developers always use __nfq_udp_mangle_ipv6__ when changing the
+ * content of a UDP message, there is no need to call
+ * __nfq_udp_compute_checksum_ipv6__.
*/
EXPORT_SYMBOL
void nfq_udp_compute_checksum_ipv6(struct udphdr *udph, struct ip6_hdr *ip6h)
@@ -118,6 +131,10 @@ void nfq_udp_compute_checksum_ipv6(struct udphdr *udph, struct ip6_hdr *ip6h)
}
/**
+ * @}
+ */
+
+/**
* nfq_udp_mangle_ipv4 - Mangle UDP/IPv4 packet buffer
* \param pktb: Pointer to network packet buffer
* \param match_offset: Offset from start of UDP data of content that you want
@@ -130,19 +147,19 @@ void nfq_udp_compute_checksum_ipv6(struct udphdr *udph, struct ip6_hdr *ip6h)
* checksums for you.
*/
EXPORT_SYMBOL
-int nfq_udp_mangle_ipv4(struct pkt_buff *pkt,
+int nfq_udp_mangle_ipv4(struct pkt_buff *pktb,
unsigned int match_offset, unsigned int match_len,
const char *rep_buffer, unsigned int rep_len)
{
struct iphdr *iph;
struct udphdr *udph;
- iph = (struct iphdr *)pkt->network_header;
- udph = (struct udphdr *)(pkt->network_header + iph->ihl*4);
+ iph = (struct iphdr *)pktb->network_header;
+ udph = (struct udphdr *)(pktb->network_header + iph->ihl*4);
udph->len = htons(ntohs(udph->len) + rep_len - match_len);
- if (!nfq_ip_mangle(pkt, iph->ihl*4 + sizeof(struct udphdr),
+ if (!nfq_ip_mangle(pktb, iph->ihl*4 + sizeof(struct udphdr),
match_offset, match_len, rep_buffer, rep_len))
return 0;
@@ -152,11 +169,51 @@ int nfq_udp_mangle_ipv4(struct pkt_buff *pkt,
}
/**
+ * nfq_udp_mangle_ipv6 - Mangle UDP/IPv6 packet buffer
+ * \param pktb: Pointer to network packet buffer
+ * \param match_offset: Offset from start of UDP data of content that you want
+ * to mangle
+ * \param match_len: Length of the existing content you want to mangle
+ * \param rep_buffer: Pointer to data you want to use to replace current content
+ * \param rep_len: Length of data you want to use to replace current content
+ * \returns 1 for success and 0 for failure. See pktb_mangle() for failure case
+ * \note This function updates the IPv6 and UDP lengths and recalculates the UDP
+ * checksum for you.
+ */
+EXPORT_SYMBOL
+int nfq_udp_mangle_ipv6(struct pkt_buff *pktb,
+ unsigned int match_offset, unsigned int match_len,
+ const char *rep_buffer, unsigned int rep_len)
+{
+ struct ip6_hdr *ip6h;
+ struct udphdr *udph;
+
+ ip6h = (struct ip6_hdr *)pktb->network_header;
+ udph = (struct udphdr *)(pktb->transport_header);
+ if (!udph)
+ return 0;
+
+ udph->len = htons(ntohs(udph->len) + rep_len - match_len);
+
+ if (!nfq_ip6_mangle(pktb,
+ pktb->transport_header - pktb->network_header +
+ sizeof(struct udphdr),
+ match_offset, match_len, rep_buffer, rep_len))
+ return 0;
+
+ nfq_udp_compute_checksum_ipv6(udph, ip6h);
+
+ return 1;
+}
+
+/**
* nfq_pkt_snprintf_udp_hdr - print udp header into one buffer in a humnan
* readable way
* \param buf: pointer to buffer that is used to print the object
* \param size: size of the buffer (or remaining room in it).
- * \param udp: pointer to a valid udp header.
+ * \param udph: pointer to a valid udp header.
+ * \returns The number of characters notionally written (excluding trailing NUL)
+ * \sa __snprintf__(3)
*
*/
EXPORT_SYMBOL