
[NETFILTER]: x_tables: unify IPv4/IPv6 esp match

This unifies ipt_esp and ip6t_esp into xt_esp. Please note that a user
program now needs to specify IPPROTO_ESP as the protocol to use the esp match
with IPv6. This means that ip6tables requires '-p esp', like iptables already does.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Yasuyuki Kozakai and committed by
David S. Miller
dc5ab2fa 9606a216

+94 -170
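--- /dev/null
+++ b/include/linux/netfilter/xt_esp.h
@@ -0,0 +1,14 @@
+#ifndef _XT_ESP_H
+#define _XT_ESP_H
+
+struct xt_esp
+{
+	u_int32_t spis[2];	/* Security Parameter Index */
+	u_int8_t  invflags;	/* Inverse flags */
+};
+
+/* Values for "invflags" field in struct xt_esp. */
+#define XT_ESP_INV_SPI	0x01	/* Invert the sense of spi. */
+#define XT_ESP_INV_MASK	0x01	/* All possible flags. */
+
+#endif /*_XT_ESP_H*/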
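Review bot: The new shared header leaves the meaning of `spis[2]` to the reader, although xt_esp.c passes `spis[0]` and `spis[1]` to `spi_match(min, max, ...)` and that check is inclusive on both ends; the field comment should say so: `u_int32_t spis[2]; /* inclusive SPI range: spis[0] = min, spis[1] = max */`. The header also uses `u_int32_t`/`u_int8_t` without including anything that defines them, so it relies on every includer (ipt_esp.h, ip6t_esp.h and the userspace iptables build) already having those types in scope. That was presumably true for the two per-family headers it replaces, but since this struct is the layout userspace hands to the kernel, an explicit include, or the kernel's own `__u32`/`__u8`, would make it self-describing; worth confirming against the userspace build.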
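--- a/include/linux/netfilter_ipv4/ipt_esp.h
+++ b/include/linux/netfilter_ipv4/ipt_esp.h
@@ -1,16 +1,10 @@
 #ifndef _IPT_ESP_H
 #define _IPT_ESP_H
 
-struct ipt_esp
-{
-	u_int32_t spis[2];	/* Security Parameter Index */
-	u_int8_t  invflags;	/* Inverse flags */
-};
+#include <linux/netfilter/xt_esp.h>
 
-
-
-/* Values for "invflags" field in struct ipt_esp. */
-#define IPT_ESP_INV_SPI	0x01	/* Invert the sense of spi. */
-#define IPT_ESP_INV_MASK	0x01	/* All possible flags. */
+#define ipt_esp xt_esp
+#define IPT_ESP_INV_SPI	XT_ESP_INV_SPI
+#define IPT_ESP_INV_MASK	XT_ESP_INV_MASK
 
 #endif /*_IPT_ESP_H*/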
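--- a/include/linux/netfilter_ipv6/ip6t_esp.h
+++ b/include/linux/netfilter_ipv6/ip6t_esp.h
@@ -1,14 +1,10 @@
 #ifndef _IP6T_ESP_H
 #define _IP6T_ESP_H
 
-struct ip6t_esp
-{
-	u_int32_t spis[2];	/* Security Parameter Index */
-	u_int8_t  invflags;	/* Inverse flags */
-};
+#include <linux/netfilter/xt_esp.h>
 
-/* Values for "invflags" field in struct ip6t_esp. */
-#define IP6T_ESP_INV_SPI	0x01	/* Invert the sense of spi. */
-#define IP6T_ESP_INV_MASK	0x01	/* All possible flags. */
+#define ip6t_esp xt_esp
+#define IP6T_ESP_INV_SPI	XT_ESP_INV_SPI
+#define IP6T_ESP_INV_MASK	XT_ESP_INV_MASK
 
 #endif /*_IP6T_ESP_H*/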
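--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -272,12 +272,12 @@
 
 	  To compile it as a module, choose M here. If unsure, say N.
 
-config IP_NF_MATCH_AH_ESP
-	tristate "AH/ESP match support"
+config IP_NF_MATCH_AH
+	tristate "AH match support"
 	depends on IP_NF_IPTABLES
 	help
-	  These two match extensions (`ah' and `esp') allow you to match a
-	  range of SPIs inside AH or ESP headers of IPSec packets.
+	  This match extension allows you to match a range of SPIs
+	  inside AH header of IPSec packets.
 
 	  To compile it as a module, choose M here. If unsure, say N.
 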
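Review bot: Renaming `IP_NF_MATCH_AH_ESP` to `IP_NF_MATCH_AH` silently drops the ESP match from any existing .config that had the old symbol set: the ipv4 Makefile hunk in this commit no longer builds ipt_esp.o from it, and the replacement `NETFILTER_XT_MATCH_ESP` is a new, default-off prompt in net/netfilter/Kconfig, so `make oldconfig` users keep AH and lose esp unless they notice the new question. The help text should point at the new home, e.g. `The esp match has moved to NETFILTER_XT_MATCH_ESP.` after the SPI sentence, and the commit message could record the symbol rename alongside the `-p esp` note. The same applies to the `IP6_NF_MATCH_AHESP` rename in the ipv6 Kconfig hunk.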
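--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -59,7 +59,7 @@
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
 obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
-obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o
+obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
 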
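--- a/net/ipv4/netfilter/ipt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -9,16 +9,22 @@
 
 #include <linux/module.h>
 #include <linux/skbuff.h>
+#include <linux/in.h>
 #include <linux/ip.h>
 
-#include <linux/netfilter_ipv4/ipt_esp.h>
+#include <linux/netfilter/xt_esp.h>
+#include <linux/netfilter/x_tables.h>
+
 #include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
-MODULE_DESCRIPTION("iptables ESP SPI match module");
+MODULE_DESCRIPTION("x_tables ESP SPI match module");
+MODULE_ALIAS("ipt_esp");
+MODULE_ALIAS("ip6t_esp");
 
-#ifdef DEBUG_CONNTRACK
+#if 0
 #define duprintf(format, args...) printk(format , ## args)
 #else
 #define duprintf(format, args...)
@@ -28,11 +34,11 @@
 static inline int
 spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert)
 {
-	int r=0;
-	duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
-		min,spi,max);
-	r=(spi >= min && spi <= max) ^ invert;
-	duprintf(" result %s\n",r? "PASS" : "FAILED");
+	int r = 0;
+	duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',
+		 min, spi, max);
+	r = (spi >= min && spi <= max) ^ invert;
+	duprintf(" result %s\n", r ? "PASS" : "FAILED");
 	return r;
 }
 
@@ -47,14 +53,13 @@
 	  int *hotdrop)
 {
 	struct ip_esp_hdr _esp, *eh;
-	const struct ipt_esp *espinfo = matchinfo;
+	const struct xt_esp *espinfo = matchinfo;
 
 	/* Must not be a fragment. */
 	if (offset)
 		return 0;
 
-	eh = skb_header_pointer(skb, protoff,
-				sizeof(_esp), &_esp);
+	eh = skb_header_pointer(skb, protoff, sizeof(_esp), &_esp);
 	if (eh == NULL) {
 		/* We've been asked to examine this packet, and we
 		 * can't. Hence, no choice but to drop.
@@ -64,9 +69,8 @@
 		return 0;
 	}
 
-	return spi_match(espinfo->spis[0], espinfo->spis[1],
-			 ntohl(eh->spi),
-			 !!(espinfo->invflags & IPT_ESP_INV_SPI));
+	return spi_match(espinfo->spis[0], espinfo->spis[1], ntohl(eh->spi),
+			 !!(espinfo->invflags & XT_ESP_INV_SPI));
 }
 
 /* Called when user tries to insert an entry of this type. */
@@ -78,34 +82,55 @@
 	   unsigned int matchinfosize,
 	   unsigned int hook_mask)
 {
-	const struct ipt_esp *espinfo = matchinfo;
+	const struct xt_esp *espinfo = matchinfo;
 
-	/* Must specify no unknown invflags */
-	if (espinfo->invflags & ~IPT_ESP_INV_MASK) {
-		duprintf("ipt_esp: unknown flags %X\n", espinfo->invflags);
+	if (espinfo->invflags & ~XT_ESP_INV_MASK) {
+		duprintf("xt_esp: unknown flags %X\n", espinfo->invflags);
 		return 0;
 	}
+
 	return 1;
 }
 
-static struct ipt_match esp_match = {
+static struct xt_match esp_match = {
 	.name		= "esp",
-	.match		= match,
-	.matchsize	= sizeof(struct ipt_esp),
+	.family		= AF_INET,
 	.proto		= IPPROTO_ESP,
-	.checkentry	= checkentry,
+	.match		= &match,
+	.matchsize	= sizeof(struct xt_esp),
+	.checkentry	= &checkentry,
 	.me		= THIS_MODULE,
 };
 
-static int __init ipt_esp_init(void)
+static struct xt_match esp6_match = {
+	.name		= "esp",
+	.family		= AF_INET6,
+	.proto		= IPPROTO_ESP,
+	.match		= &match,
+	.matchsize	= sizeof(struct xt_esp),
+	.checkentry	= &checkentry,
+	.me		= THIS_MODULE,
+};
+
+static int __init xt_esp_init(void)
 {
-	return ipt_register_match(&esp_match);
+	int ret;
+	ret = xt_register_match(&esp_match);
+	if (ret)
+		return ret;
+
+	ret = xt_register_match(&esp6_match);
+	if (ret)
+		xt_unregister_match(&esp_match);
+
+	return ret;
 }
 
-static void __exit ipt_esp_fini(void)
+static void __exit xt_esp_cleanup(void)
 {
-	ipt_unregister_match(&esp_match);
+	xt_unregister_match(&esp_match);
+	xt_unregister_match(&esp6_match);
 }
 
-module_init(ipt_esp_init);
-module_exit(ipt_esp_fini);
+module_init(xt_esp_init);
+module_exit(xt_esp_cleanup);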
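Review bot: `match()` is now registered for AF_INET6 through esp6_match, but its body is unchanged ip_tables code: the fragment guard `if (offset) return 0;` and the `skb_header_pointer(skb, protoff, ...)` read assume the family code hands in a meaningful fragment offset and a `protoff` that already points at the ESP header, whereas the ip6t_esp.c deleted by this commit located the header itself with `ipv6_find_hdr(skb, &ptr, NEXTHDR_ESP, NULL)` and did no fragment check. Nothing in these hunks shows what ip6_tables supplies for `offset` on a fragmented IPv6 packet or for `protoff` when the rule lacks `-p esp`, so that dependency deserves a comment at the top of match(): `/* Shared by IPv4 and IPv6: relies on the table code passing a usable offset/protoff, i.e. the rule carries -p esp (.proto == IPPROTO_ESP). */`. checkentry() also lost its `/* Must specify no unknown invflags */` comment in the last hunk for no gain; keep it. The `*hotdrop = 1;` part of match() lies between the visible hunks, and checkentry()'s signature starts outside them.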
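--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -115,11 +115,11 @@
 
 	  To compile it as a module, choose M here. If unsure, say N.
 
-config IP6_NF_MATCH_AHESP
-	tristate "AH/ESP match support"
+config IP6_NF_MATCH_AH
+	tristate "AH match support"
 	depends on IP6_NF_IPTABLES
 	help
-	  This module allows one to match AH and ESP packets.
+	  This module allows one to match AH packets.
 
 	  To compile it as a module, choose M here. If unsure, say N.
 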
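--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -8,7 +8,7 @@
 obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o
 obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
 obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
-obj-$(CONFIG_IP6_NF_MATCH_AHESP) += ip6t_esp.o ip6t_ah.o
+obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
 obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
 obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o
 obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o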
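--- a/net/ipv6/netfilter/ip6t_esp.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/* Kernel module to match ESP parameters. */
-/* (C) 2001-2002 Andras Kis-Szabo <kisza@sch.bme.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <linux/ipv6.h>
-#include <linux/types.h>
-#include <net/checksum.h>
-#include <net/ipv6.h>
-
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_esp.h>
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 ESP match");
-MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
-
-#if 0
-#define DEBUGP printk
-#else
-#define DEBUGP(format, args...)
-#endif
-
-/* Returns 1 if the spi is matched by the range, 0 otherwise */
-static inline int
-spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert)
-{
-	int r=0;
-	DEBUGP("esp spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
-	       min,spi,max);
-	r=(spi >= min && spi <= max) ^ invert;
-	DEBUGP(" result %s\n",r? "PASS\n" : "FAILED\n");
-	return r;
-}
-
-static int
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const struct xt_match *match,
-      const void *matchinfo,
-      int offset,
-      unsigned int protoff,
-      int *hotdrop)
-{
-	struct ip_esp_hdr _esp, *eh;
-	const struct ip6t_esp *espinfo = matchinfo;
-	unsigned int ptr;
-
-	/* Make sure this isn't an evil packet */
-	/*DEBUGP("ipv6_esp entered \n");*/
-
-	if (ipv6_find_hdr(skb, &ptr, NEXTHDR_ESP, NULL) < 0)
-		return 0;
-
-	eh = skb_header_pointer(skb, ptr, sizeof(_esp), &_esp);
-	if (eh == NULL) {
-		*hotdrop = 1;
-		return 0;
-	}
-
-	DEBUGP("IPv6 ESP SPI %u %08X\n", ntohl(eh->spi), ntohl(eh->spi));
-
-	return (eh != NULL)
-		&& spi_match(espinfo->spis[0], espinfo->spis[1],
-			      ntohl(eh->spi),
-			      !!(espinfo->invflags & IP6T_ESP_INV_SPI));
-}
-
-/* Called when user tries to insert an entry of this type. */
-static int
-checkentry(const char *tablename,
-	   const void *ip,
-	   const struct xt_match *match,
-	   void *matchinfo,
-	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
-{
-	const struct ip6t_esp *espinfo = matchinfo;
-
-	if (espinfo->invflags & ~IP6T_ESP_INV_MASK) {
-		DEBUGP("ip6t_esp: unknown flags %X\n",
-			 espinfo->invflags);
-		return 0;
-	}
-	return 1;
-}
-
-static struct ip6t_match esp_match = {
-	.name		= "esp",
-	.match		= match,
-	.matchsize	= sizeof(struct ip6t_esp),
-	.checkentry	= checkentry,
-	.me		= THIS_MODULE,
-};
-
-static int __init ip6t_esp_init(void)
-{
-	return ip6t_register_match(&esp_match);
-}
-
-static void __exit ip6t_esp_fini(void)
-{
-	ip6t_unregister_match(&esp_match);
-}
-
-module_init(ip6t_esp_init);
-module_exit(ip6t_esp_fini);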
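--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -231,6 +231,15 @@
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>. If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_ESP
+	tristate '"ESP" match support'
+	depends on NETFILTER_XTABLES
+	help
+	  This match extension allows you to match a range of SPIs
+	  inside ESP header of IPSec packets.
+
+	  To compile it as a module, choose M here. If unsure, say N.
+
 config NETFILTER_XT_MATCH_HELPER
 	tristate '"helper" match support'
 	depends on NETFILTER_XTABLES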
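Review bot: The help text for the new NETFILTER_XT_MATCH_ESP option says nothing about the behavioural change the commit message calls out, that with ip6tables the esp match now only works on rules that carry `-p esp`, nor that this option is where the ESP half of the old IP_NF_MATCH_AH_ESP and IP6_NF_MATCH_AHESP options went; the Kconfig help is what a user reads when the new prompt appears, so both belong here. Suggest adding `This replaces the ESP part of the old IP_NF_MATCH_AH_ESP and IP6_NF_MATCH_AHESP options. With ip6tables the rule must specify '-p esp'.` after the SPI sentence. Minor wording: `inside ESP header` reads better as `inside the ESP header`.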
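--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -35,6 +35,7 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o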