[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match

This unifies ipt_multiport and ip6t_multiport to xt_multiport. As a result, this addes support for inversion and port range match to IPv6 packets. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> 2006-04-01 05:22:54 -0500
committer: David S. Miller <davem@davemloft.net> 2006-04-01 05:22:54 -0500
commit: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 (patch)
tree: c84c5b3167c116f0c419a2bbb04877bdac38dd07 /net/netfilter
parent: dc5ab2faece3b7473931357db7f63f596678481d (diff)
3 files changed, 325 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 5fe51894b12..e2893effdfa 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -298,6 +298,16 @@ config NETFILTER_XT_MATCH_POLICY
          To compile it as a module, choose M here.  If unsure, say N.
+config NETFILTER_XT_MATCH_MULTIPORT
+        tristate "Multiple port match support"
+        depends on NETFILTER_XTABLES
+        help
+          Multiport matching allows you to match TCP or UDP packets based on
+          a series of source or destination ports: normally a rule can only
+          match a single range of ports.
+          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_MATCH_PHYSDEV
        tristate '"physdev" match support'
        depends on NETFILTER_XTABLES && BRIDGE_NETFILTER
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 8f02486101a..95b7e416512 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -41,6 +41,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
new file mode 100644
index 00000000000..b56cd2baaac
--- /dev/null
+++ b/net/netfilter/xt_multiport.c
@@ -0,0 +1,314 @@
+/* Kernel module to match one of a list of TCP/UDP ports: ports are in
+   the same place so we can treat them as equal. */
+/* (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/types.h>
+#include <linux/udp.h>
+#include <linux/skbuff.h>
+#include <linux/in.h>
+#include <linux/netfilter/xt_multiport.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+MODULE_DESCRIPTION("x_tables multiple port match module");
+MODULE_ALIAS("ipt_multiport");
+MODULE_ALIAS("ip6t_multiport");
+#if 0
+#define duprintf(format, args...) printk(format , ## args)
+#else
+#define duprintf(format, args...)
+#endif
+/* Returns 1 if the port is matched by the test, 0 otherwise. */
+static inline int
+ports_match(const u_int16_t *portlist, enum xt_multiport_flags flags,
+            u_int8_t count, u_int16_t src, u_int16_t dst)
+{
+        unsigned int i;
+        for (i = 0; i < count; i++) {
+                if (flags != XT_MULTIPORT_DESTINATION && portlist[i] == src)
+                        return 1;
+                if (flags != XT_MULTIPORT_SOURCE && portlist[i] == dst)
+                        return 1;
+        }
+        return 0;
+}
+/* Returns 1 if the port is matched by the test, 0 otherwise. */
+static inline int
+ports_match_v1(const struct xt_multiport_v1 *minfo,
+               u_int16_t src, u_int16_t dst)
+{
+        unsigned int i;
+        u_int16_t s, e;
+        for (i = 0; i < minfo->count; i++) {
+                s = minfo->ports[i];
+                if (minfo->pflags[i]) {
+                        /* range port matching */
+                        e = minfo->ports[++i];
+                        duprintf("src or dst matches with %d-%d?\n", s, e);
+                        if (minfo->flags == XT_MULTIPORT_SOURCE
+                            && src >= s && src <= e)
+                                return 1 ^ minfo->invert;
+                        if (minfo->flags == XT_MULTIPORT_DESTINATION
+                            && dst >= s && dst <= e)
+                                return 1 ^ minfo->invert;
+                        if (minfo->flags == XT_MULTIPORT_EITHER
+                            && ((dst >= s && dst <= e)
+                                || (src >= s && src <= e)))
+                                return 1 ^ minfo->invert;
+                } else {
+                        /* exact port matching */
+                        duprintf("src or dst matches with %d?\n", s);
+                        if (minfo->flags == XT_MULTIPORT_SOURCE
+                            && src == s)
+                                return 1 ^ minfo->invert;
+                        if (minfo->flags == XT_MULTIPORT_DESTINATION
+                            && dst == s)
+                                return 1 ^ minfo->invert;
+                        if (minfo->flags == XT_MULTIPORT_EITHER
+                            && (src == s || dst == s))
+                                return 1 ^ minfo->invert;
+                }
+        }
+        return minfo->invert;
+}
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const struct xt_match *match,
+      const void *matchinfo,
+      int offset,
+      unsigned int protoff,
+      int *hotdrop)
+{
+        u16 _ports[2], *pptr;
+        const struct xt_multiport *multiinfo = matchinfo;
+        if (offset)
+                return 0;
+        pptr = skb_header_pointer(skb, protoff, sizeof(_ports), _ports);
+        if (pptr == NULL) {
+                /* We've been asked to examine this packet, and we
+                 * can't.  Hence, no choice but to drop.
+                 */
+                duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
+                *hotdrop = 1;
+                return 0;
+        }
+        return ports_match(multiinfo->ports,
+                           multiinfo->flags, multiinfo->count,
+                           ntohs(pptr[0]), ntohs(pptr[1]));
+}
+static int
+match_v1(const struct sk_buff *skb,
+         const struct net_device *in,
+         const struct net_device *out,
+         const struct xt_match *match,
+         const void *matchinfo,
+         int offset,
+         unsigned int protoff,
+         int *hotdrop)
+{
+        u16 _ports[2], *pptr;
+        const struct xt_multiport_v1 *multiinfo = matchinfo;
+        if (offset)
+                return 0;
+        pptr = skb_header_pointer(skb, protoff, sizeof(_ports), _ports);
+        if (pptr == NULL) {
+                /* We've been asked to examine this packet, and we
+                 * can't.  Hence, no choice but to drop.
+                 */
+                duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
+                *hotdrop = 1;
+                return 0;
+        }
+        return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
+}
+static inline int
+check(u_int16_t proto,
+      u_int8_t ip_invflags,
+      u_int8_t match_flags,
+      u_int8_t count)
+{
+        /* Must specify proto == TCP/UDP, no unknown flags or bad count */
+        return (proto == IPPROTO_TCP || proto == IPPROTO_UDP)
+                && !(ip_invflags & XT_INV_PROTO)
+                && (match_flags == XT_MULTIPORT_SOURCE
+                    || match_flags == XT_MULTIPORT_DESTINATION
+                    || match_flags == XT_MULTIPORT_EITHER)
+                && count <= XT_MULTI_PORTS;
+}
+/* Called when user tries to insert an entry of this type. */
+static int
+checkentry(const char *tablename,
+           const void *info,
+           const struct xt_match *match,
+           void *matchinfo,
+           unsigned int matchsize,
+           unsigned int hook_mask)
+{
+        const struct ipt_ip *ip = info;
+        const struct xt_multiport *multiinfo = matchinfo;
+        return check(ip->proto, ip->invflags, multiinfo->flags,
+                     multiinfo->count);
+}
+static int
+checkentry_v1(const char *tablename,
+              const void *info,
+              const struct xt_match *match,
+              void *matchinfo,
+              unsigned int matchsize,
+              unsigned int hook_mask)
+{
+        const struct ipt_ip *ip = info;
+        const struct xt_multiport_v1 *multiinfo = matchinfo;
+        return check(ip->proto, ip->invflags, multiinfo->flags,
+                     multiinfo->count);
+}
+static int
+checkentry6(const char *tablename,
+            const void *info,
+            const struct xt_match *match,
+            void *matchinfo,
+            unsigned int matchsize,
+            unsigned int hook_mask)
+{
+        const struct ip6t_ip6 *ip = info;
+        const struct xt_multiport *multiinfo = matchinfo;
+        return check(ip->proto, ip->invflags, multiinfo->flags,
+                     multiinfo->count);
+}
+static int
+checkentry6_v1(const char *tablename,
+               const void *info,
+               const struct xt_match *match,
+               void *matchinfo,
+               unsigned int matchsize,
+               unsigned int hook_mask)
+{
+        const struct ip6t_ip6 *ip = info;
+        const struct xt_multiport_v1 *multiinfo = matchinfo;
+        return check(ip->proto, ip->invflags, multiinfo->flags,
+                     multiinfo->count);
+}
+static struct xt_match multiport_match = {
+        .name           = "multiport",
+        .revision       = 0,
+        .matchsize      = sizeof(struct xt_multiport),
+        .match          = &match,
+        .checkentry     = &checkentry,
+        .family         = AF_INET,
+        .me             = THIS_MODULE,
+};
+static struct xt_match multiport_match_v1 = {
+        .name           = "multiport",
+        .revision       = 1,
+        .matchsize      = sizeof(struct xt_multiport_v1),
+        .match          = &match_v1,
+        .checkentry     = &checkentry_v1,
+        .family         = AF_INET,
+        .me             = THIS_MODULE,
+};
+static struct xt_match multiport6_match = {
+        .name           = "multiport",
+        .revision       = 0,
+        .matchsize      = sizeof(struct xt_multiport),
+        .match          = &match,
+        .checkentry     = &checkentry6,
+        .family         = AF_INET6,
+        .me             = THIS_MODULE,
+};
+static struct xt_match multiport6_match_v1 = {
+        .name           = "multiport",
+        .revision       = 1,
+        .matchsize      = sizeof(struct xt_multiport_v1),
+        .match          = &match_v1,
+        .checkentry     = &checkentry6_v1,
+        .family         = AF_INET6,
+        .me             = THIS_MODULE,
+};
+static int __init xt_multiport_init(void)
+{
+        int ret;
+        ret = xt_register_match(&multiport_match);
+        if (ret)
+                goto out;
+        ret = xt_register_match(&multiport_match_v1);
+        if (ret)
+                goto out_unreg_multi_v0;
+        ret = xt_register_match(&multiport6_match);
+        if (ret)
+                goto out_unreg_multi_v1;
+        ret = xt_register_match(&multiport6_match_v1);
+        if (ret)
+                goto out_unreg_multi6_v0;
+        return ret;
+out_unreg_multi6_v0:
+        xt_unregister_match(&multiport6_match);
+out_unreg_multi_v1:
+        xt_unregister_match(&multiport_match_v1);
+out_unreg_multi_v0:
+        xt_unregister_match(&multiport_match);
+out:
+        return ret;
+}
+static void __exit xt_multiport_fini(void)
+{
+        xt_unregister_match(&multiport_match);
+        xt_unregister_match(&multiport_match_v1);
+        xt_unregister_match(&multiport6_match);
+        xt_unregister_match(&multiport6_match_v1);
+}
+module_init(xt_multiport_init);
+module_exit(xt_multiport_fini);
author	Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>	2006-04-01 05:22:54 -0500
committer	David S. Miller <davem@davemloft.net>	2006-04-01 05:22:54 -0500
commit	a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 (patch)
tree	c84c5b3167c116f0c419a2bbb04877bdac38dd07 /net/netfilter
parent	dc5ab2faece3b7473931357db7f63f596678481d (diff)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 5fe51894b12..e2893effdfa 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -298,6 +298,16 @@ config NETFILTER_XT_MATCH_POLICY
298		298
299	To compile it as a module, choose M here. If unsure, say N.	299	To compile it as a module, choose M here. If unsure, say N.
300		300
		301	config NETFILTER_XT_MATCH_MULTIPORT
		302	tristate "Multiple port match support"
		303	depends on NETFILTER_XTABLES
		304	help
		305	Multiport matching allows you to match TCP or UDP packets based on
		306	a series of source or destination ports: normally a rule can only
		307	match a single range of ports.
		308
		309	To compile it as a module, choose M here. If unsure, say N.
		310
301	config NETFILTER_XT_MATCH_PHYSDEV	311	config NETFILTER_XT_MATCH_PHYSDEV
302	tristate '"physdev" match support'	312	tristate '"physdev" match support'
303	depends on NETFILTER_XTABLES && BRIDGE_NETFILTER	313	depends on NETFILTER_XTABLES && BRIDGE_NETFILTER


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 8f02486101a..95b7e416512 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -41,6 +41,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
41	obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o	41	obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
42	obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o	42	obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
43	obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o	43	obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
		44	obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
44	obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o	45	obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
45	obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o	46	obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
46	obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o	47	obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o


diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c new file mode 100644 index 00000000000..b56cd2baaac --- /dev/null +++ b/net/netfilter/xt_multiport.c
@@ -0,0 +1,314 @@
		1	/* Kernel module to match one of a list of TCP/UDP ports: ports are in
		2	the same place so we can treat them as equal. */
		3
		4	/* (C) 1999-2001 Paul `Rusty' Russell
		5	* (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
		6	*
		7	* This program is free software; you can redistribute it and/or modify
		8	* it under the terms of the GNU General Public License version 2 as
		9	* published by the Free Software Foundation.
		10	*/
		11
		12	#include <linux/module.h>
		13	#include <linux/types.h>
		14	#include <linux/udp.h>
		15	#include <linux/skbuff.h>
		16	#include <linux/in.h>
		17
		18	#include <linux/netfilter/xt_multiport.h>
		19	#include <linux/netfilter/x_tables.h>
		20	#include <linux/netfilter_ipv4/ip_tables.h>
		21	#include <linux/netfilter_ipv6/ip6_tables.h>
		22
		23	MODULE_LICENSE("GPL");
		24	MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
		25	MODULE_DESCRIPTION("x_tables multiple port match module");
		26	MODULE_ALIAS("ipt_multiport");
		27	MODULE_ALIAS("ip6t_multiport");
		28
		29	#if 0
		30	#define duprintf(format, args...) printk(format , ## args)
		31	#else
		32	#define duprintf(format, args...)
		33	#endif
		34
		35	/* Returns 1 if the port is matched by the test, 0 otherwise. */
		36	static inline int
		37	ports_match(const u_int16_t *portlist, enum xt_multiport_flags flags,
		38	u_int8_t count, u_int16_t src, u_int16_t dst)
		39	{
		40	unsigned int i;
		41	for (i = 0; i < count; i++) {
		42	if (flags != XT_MULTIPORT_DESTINATION && portlist[i] == src)
		43	return 1;
		44
		45	if (flags != XT_MULTIPORT_SOURCE && portlist[i] == dst)
		46	return 1;
		47	}
		48
		49	return 0;
		50	}
		51
		52	/* Returns 1 if the port is matched by the test, 0 otherwise. */
		53	static inline int
		54	ports_match_v1(const struct xt_multiport_v1 *minfo,
		55	u_int16_t src, u_int16_t dst)
		56	{
		57	unsigned int i;
		58	u_int16_t s, e;
		59
		60	for (i = 0; i < minfo->count; i++) {
		61	s = minfo->ports[i];
		62
		63	if (minfo->pflags[i]) {
		64	/* range port matching */
		65	e = minfo->ports[++i];
		66	duprintf("src or dst matches with %d-%d?\n", s, e);
		67
		68	if (minfo->flags == XT_MULTIPORT_SOURCE
		69	&& src >= s && src <= e)
		70	return 1 ^ minfo->invert;
		71	if (minfo->flags == XT_MULTIPORT_DESTINATION
		72	&& dst >= s && dst <= e)
		73	return 1 ^ minfo->invert;
		74	if (minfo->flags == XT_MULTIPORT_EITHER
		75	&& ((dst >= s && dst <= e)
		76	\|\| (src >= s && src <= e)))
		77	return 1 ^ minfo->invert;
		78	} else {
		79	/* exact port matching */
		80	duprintf("src or dst matches with %d?\n", s);
		81
		82	if (minfo->flags == XT_MULTIPORT_SOURCE
		83	&& src == s)
		84	return 1 ^ minfo->invert;
		85	if (minfo->flags == XT_MULTIPORT_DESTINATION
		86	&& dst == s)
		87	return 1 ^ minfo->invert;
		88	if (minfo->flags == XT_MULTIPORT_EITHER
		89	&& (src == s \|\| dst == s))
		90	return 1 ^ minfo->invert;
		91	}
		92	}
		93
		94	return minfo->invert;
		95	}
		96
		97	static int
		98	match(const struct sk_buff *skb,
		99	const struct net_device *in,
		100	const struct net_device *out,
		101	const struct xt_match *match,
		102	const void *matchinfo,
		103	int offset,
		104	unsigned int protoff,
		105	int *hotdrop)
		106	{
		107	u16 _ports[2], *pptr;
		108	const struct xt_multiport *multiinfo = matchinfo;
		109
		110	if (offset)
		111	return 0;
		112
		113	pptr = skb_header_pointer(skb, protoff, sizeof(_ports), _ports);
		114	if (pptr == NULL) {
		115	/* We've been asked to examine this packet, and we
		116	* can't. Hence, no choice but to drop.
		117	*/
		118	duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
		119	*hotdrop = 1;
		120	return 0;
		121	}
		122
		123	return ports_match(multiinfo->ports,
		124	multiinfo->flags, multiinfo->count,
		125	ntohs(pptr[0]), ntohs(pptr[1]));
		126	}
		127
		128	static int
		129	match_v1(const struct sk_buff *skb,
		130	const struct net_device *in,
		131	const struct net_device *out,
		132	const struct xt_match *match,
		133	const void *matchinfo,
		134	int offset,
		135	unsigned int protoff,
		136	int *hotdrop)
		137	{
		138	u16 _ports[2], *pptr;
		139	const struct xt_multiport_v1 *multiinfo = matchinfo;
		140
		141	if (offset)
		142	return 0;
		143
		144	pptr = skb_header_pointer(skb, protoff, sizeof(_ports), _ports);
		145	if (pptr == NULL) {
		146	/* We've been asked to examine this packet, and we
		147	* can't. Hence, no choice but to drop.
		148	*/
		149	duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
		150	*hotdrop = 1;
		151	return 0;
		152	}
		153
		154	return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
		155	}
		156
		157	static inline int
		158	check(u_int16_t proto,
		159	u_int8_t ip_invflags,
		160	u_int8_t match_flags,
		161	u_int8_t count)
		162	{
		163	/* Must specify proto == TCP/UDP, no unknown flags or bad count */
		164	return (proto == IPPROTO_TCP \|\| proto == IPPROTO_UDP)
		165	&& !(ip_invflags & XT_INV_PROTO)
		166	&& (match_flags == XT_MULTIPORT_SOURCE
		167	\|\| match_flags == XT_MULTIPORT_DESTINATION
		168	\|\| match_flags == XT_MULTIPORT_EITHER)
		169	&& count <= XT_MULTI_PORTS;
		170	}
		171
		172	/* Called when user tries to insert an entry of this type. */
		173	static int
		174	checkentry(const char *tablename,
		175	const void *info,
		176	const struct xt_match *match,
		177	void *matchinfo,
		178	unsigned int matchsize,
		179	unsigned int hook_mask)
		180	{
		181	const struct ipt_ip *ip = info;
		182	const struct xt_multiport *multiinfo = matchinfo;
		183
		184	return check(ip->proto, ip->invflags, multiinfo->flags,
		185	multiinfo->count);
		186	}
		187
		188	static int
		189	checkentry_v1(const char *tablename,
		190	const void *info,
		191	const struct xt_match *match,
		192	void *matchinfo,
		193	unsigned int matchsize,
		194	unsigned int hook_mask)
		195	{
		196	const struct ipt_ip *ip = info;
		197	const struct xt_multiport_v1 *multiinfo = matchinfo;
		198
		199	return check(ip->proto, ip->invflags, multiinfo->flags,
		200	multiinfo->count);
		201	}
		202
		203	static int
		204	checkentry6(const char *tablename,
		205	const void *info,
		206	const struct xt_match *match,
		207	void *matchinfo,
		208	unsigned int matchsize,
		209	unsigned int hook_mask)
		210	{
		211	const struct ip6t_ip6 *ip = info;
		212	const struct xt_multiport *multiinfo = matchinfo;
		213
		214	return check(ip->proto, ip->invflags, multiinfo->flags,
		215	multiinfo->count);
		216	}
		217
		218	static int
		219	checkentry6_v1(const char *tablename,
		220	const void *info,
		221	const struct xt_match *match,
		222	void *matchinfo,
		223	unsigned int matchsize,
		224	unsigned int hook_mask)
		225	{
		226	const struct ip6t_ip6 *ip = info;
		227	const struct xt_multiport_v1 *multiinfo = matchinfo;
		228
		229	return check(ip->proto, ip->invflags, multiinfo->flags,
		230	multiinfo->count);
		231	}
		232
		233	static struct xt_match multiport_match = {
		234	.name = "multiport",
		235	.revision = 0,
		236	.matchsize = sizeof(struct xt_multiport),
		237	.match = &match,
		238	.checkentry = &checkentry,
		239	.family = AF_INET,
		240	.me = THIS_MODULE,
		241	};
		242
		243	static struct xt_match multiport_match_v1 = {
		244	.name = "multiport",
		245	.revision = 1,
		246	.matchsize = sizeof(struct xt_multiport_v1),
		247	.match = &match_v1,
		248	.checkentry = &checkentry_v1,
		249	.family = AF_INET,
		250	.me = THIS_MODULE,
		251	};
		252
		253	static struct xt_match multiport6_match = {
		254	.name = "multiport",
		255	.revision = 0,
		256	.matchsize = sizeof(struct xt_multiport),
		257	.match = &match,
		258	.checkentry = &checkentry6,
		259	.family = AF_INET6,
		260	.me = THIS_MODULE,
		261	};
		262
		263	static struct xt_match multiport6_match_v1 = {
		264	.name = "multiport",
		265	.revision = 1,
		266	.matchsize = sizeof(struct xt_multiport_v1),
		267	.match = &match_v1,
		268	.checkentry = &checkentry6_v1,
		269	.family = AF_INET6,
		270	.me = THIS_MODULE,
		271	};
		272
		273	static int __init xt_multiport_init(void)
		274	{
		275	int ret;
		276
		277	ret = xt_register_match(&multiport_match);
		278	if (ret)
		279	goto out;
		280
		281	ret = xt_register_match(&multiport_match_v1);
		282	if (ret)
		283	goto out_unreg_multi_v0;
		284
		285	ret = xt_register_match(&multiport6_match);
		286	if (ret)
		287	goto out_unreg_multi_v1;
		288
		289	ret = xt_register_match(&multiport6_match_v1);
		290	if (ret)
		291	goto out_unreg_multi6_v0;
		292
		293	return ret;
		294
		295	out_unreg_multi6_v0:
		296	xt_unregister_match(&multiport6_match);
		297	out_unreg_multi_v1:
		298	xt_unregister_match(&multiport_match_v1);
		299	out_unreg_multi_v0:
		300	xt_unregister_match(&multiport_match);
		301	out:
		302	return ret;
		303	}
		304
		305	static void __exit xt_multiport_fini(void)
		306	{
		307	xt_unregister_match(&multiport_match);
		308	xt_unregister_match(&multiport_match_v1);
		309	xt_unregister_match(&multiport6_match);
		310	xt_unregister_match(&multiport6_match_v1);
		311	}
		312
		313	module_init(xt_multiport_init);
		314	module_exit(xt_multiport_fini);