diff options
author | Joonwoo Park <joonwpark81@gmail.com> | 2008-07-08 05:38:56 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-07-08 05:38:56 -0400 |
commit | 4ad3f26162ece5aca3045fd45e15dd99acea4a0e (patch) | |
tree | 05c0db40febdc89055f2572bc0cf42388f798ead | |
parent | dde77e604497dada6f224a685278dfb27747ae52 (diff) |
netfilter: fix string extension for case insensitive pattern matching
The flag XT_STRING_FLAG_IGNORECASE indicates case insensitive string
matching. netfilter can find cmd.exe, Cmd.exe, cMd.exe and etc easily.
A new revision 1 was added, in the meantime invert of xt_string_info
was moved into flags as a flag. If revision is 1, The flag
XT_STRING_FLAG_INVERT indicates invert matching.
Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/linux/netfilter/xt_string.h | 15 | ||||
-rw-r--r-- | net/netfilter/xt_string.c | 38 |
2 files changed, 50 insertions, 3 deletions
diff --git a/include/linux/netfilter/xt_string.h b/include/linux/netfilter/xt_string.h index bb21dd1aee2d..8a6ba7bbef9f 100644 --- a/include/linux/netfilter/xt_string.h +++ b/include/linux/netfilter/xt_string.h | |||
@@ -4,6 +4,11 @@ | |||
4 | #define XT_STRING_MAX_PATTERN_SIZE 128 | 4 | #define XT_STRING_MAX_PATTERN_SIZE 128 |
5 | #define XT_STRING_MAX_ALGO_NAME_SIZE 16 | 5 | #define XT_STRING_MAX_ALGO_NAME_SIZE 16 |
6 | 6 | ||
7 | enum { | ||
8 | XT_STRING_FLAG_INVERT = 0x01, | ||
9 | XT_STRING_FLAG_IGNORECASE = 0x02 | ||
10 | }; | ||
11 | |||
7 | struct xt_string_info | 12 | struct xt_string_info |
8 | { | 13 | { |
9 | u_int16_t from_offset; | 14 | u_int16_t from_offset; |
@@ -11,7 +16,15 @@ struct xt_string_info | |||
11 | char algo[XT_STRING_MAX_ALGO_NAME_SIZE]; | 16 | char algo[XT_STRING_MAX_ALGO_NAME_SIZE]; |
12 | char pattern[XT_STRING_MAX_PATTERN_SIZE]; | 17 | char pattern[XT_STRING_MAX_PATTERN_SIZE]; |
13 | u_int8_t patlen; | 18 | u_int8_t patlen; |
14 | u_int8_t invert; | 19 | union { |
20 | struct { | ||
21 | u_int8_t invert; | ||
22 | } v0; | ||
23 | |||
24 | struct { | ||
25 | u_int8_t flags; | ||
26 | } v1; | ||
27 | } u; | ||
15 | 28 | ||
16 | /* Used internally by the kernel */ | 29 | /* Used internally by the kernel */ |
17 | struct ts_config __attribute__((aligned(8))) *config; | 30 | struct ts_config __attribute__((aligned(8))) *config; |
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c index 72f694d947f4..4903182a062b 100644 --- a/net/netfilter/xt_string.c +++ b/net/netfilter/xt_string.c | |||
@@ -29,12 +29,16 @@ string_mt(const struct sk_buff *skb, const struct net_device *in, | |||
29 | { | 29 | { |
30 | const struct xt_string_info *conf = matchinfo; | 30 | const struct xt_string_info *conf = matchinfo; |
31 | struct ts_state state; | 31 | struct ts_state state; |
32 | int invert; | ||
32 | 33 | ||
33 | memset(&state, 0, sizeof(struct ts_state)); | 34 | memset(&state, 0, sizeof(struct ts_state)); |
34 | 35 | ||
36 | invert = (match->revision == 0 ? conf->u.v0.invert : | ||
37 | conf->u.v1.flags & XT_STRING_FLAG_INVERT); | ||
38 | |||
35 | return (skb_find_text((struct sk_buff *)skb, conf->from_offset, | 39 | return (skb_find_text((struct sk_buff *)skb, conf->from_offset, |
36 | conf->to_offset, conf->config, &state) | 40 | conf->to_offset, conf->config, &state) |
37 | != UINT_MAX) ^ conf->invert; | 41 | != UINT_MAX) ^ invert; |
38 | } | 42 | } |
39 | 43 | ||
40 | #define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m)) | 44 | #define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m)) |
@@ -46,6 +50,7 @@ string_mt_check(const char *tablename, const void *ip, | |||
46 | { | 50 | { |
47 | struct xt_string_info *conf = matchinfo; | 51 | struct xt_string_info *conf = matchinfo; |
48 | struct ts_config *ts_conf; | 52 | struct ts_config *ts_conf; |
53 | int flags = TS_AUTOLOAD; | ||
49 | 54 | ||
50 | /* Damn, can't handle this case properly with iptables... */ | 55 | /* Damn, can't handle this case properly with iptables... */ |
51 | if (conf->from_offset > conf->to_offset) | 56 | if (conf->from_offset > conf->to_offset) |
@@ -54,8 +59,15 @@ string_mt_check(const char *tablename, const void *ip, | |||
54 | return false; | 59 | return false; |
55 | if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE) | 60 | if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE) |
56 | return false; | 61 | return false; |
62 | if (match->revision == 1) { | ||
63 | if (conf->u.v1.flags & | ||
64 | ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT)) | ||
65 | return false; | ||
66 | if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE) | ||
67 | flags |= TS_IGNORECASE; | ||
68 | } | ||
57 | ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen, | 69 | ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen, |
58 | GFP_KERNEL, TS_AUTOLOAD); | 70 | GFP_KERNEL, flags); |
59 | if (IS_ERR(ts_conf)) | 71 | if (IS_ERR(ts_conf)) |
60 | return false; | 72 | return false; |
61 | 73 | ||
@@ -72,6 +84,17 @@ static void string_mt_destroy(const struct xt_match *match, void *matchinfo) | |||
72 | static struct xt_match string_mt_reg[] __read_mostly = { | 84 | static struct xt_match string_mt_reg[] __read_mostly = { |
73 | { | 85 | { |
74 | .name = "string", | 86 | .name = "string", |
87 | .revision = 0, | ||
88 | .family = AF_INET, | ||
89 | .checkentry = string_mt_check, | ||
90 | .match = string_mt, | ||
91 | .destroy = string_mt_destroy, | ||
92 | .matchsize = sizeof(struct xt_string_info), | ||
93 | .me = THIS_MODULE | ||
94 | }, | ||
95 | { | ||
96 | .name = "string", | ||
97 | .revision = 1, | ||
75 | .family = AF_INET, | 98 | .family = AF_INET, |
76 | .checkentry = string_mt_check, | 99 | .checkentry = string_mt_check, |
77 | .match = string_mt, | 100 | .match = string_mt, |
@@ -81,6 +104,17 @@ static struct xt_match string_mt_reg[] __read_mostly = { | |||
81 | }, | 104 | }, |
82 | { | 105 | { |
83 | .name = "string", | 106 | .name = "string", |
107 | .revision = 0, | ||
108 | .family = AF_INET6, | ||
109 | .checkentry = string_mt_check, | ||
110 | .match = string_mt, | ||
111 | .destroy = string_mt_destroy, | ||
112 | .matchsize = sizeof(struct xt_string_info), | ||
113 | .me = THIS_MODULE | ||
114 | }, | ||
115 | { | ||
116 | .name = "string", | ||
117 | .revision = 1, | ||
84 | .family = AF_INET6, | 118 | .family = AF_INET6, |
85 | .checkentry = string_mt_check, | 119 | .checkentry = string_mt_check, |
86 | .match = string_mt, | 120 | .match = string_mt, |