diff options
| author | Patrick McHardy <kaber@trash.net> | 2006-02-04 05:19:09 -0500 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-02-05 02:51:28 -0500 |
| commit | 0047c65a60fa3b6607b55e058ea6a89f39cb3f28 (patch) | |
| tree | 27fd894c370f7930e38c9e0e83cf9b572b51f4ba | |
| parent | 878c41ce5747e1b417bdd92a694c33dc4bd6ec02 (diff) | |
[NETFILTER]: Prepare {ipt,ip6t}_policy match for x_tables unification
The IPv4 and IPv6 version of the policy match are identical besides address
comparison and the data structure used for userspace communication. Unify
the data structures to break compatiblity now (before it is released), so
we can port it to x_tables in 2.6.17.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/linux/netfilter_ipv4/ipt_policy.h | 22 | ||||
| -rw-r--r-- | include/linux/netfilter_ipv6/ip6t_policy.h | 22 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_policy.c | 9 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_policy.c | 4 |
4 files changed, 36 insertions, 21 deletions
diff --git a/include/linux/netfilter_ipv4/ipt_policy.h b/include/linux/netfilter_ipv4/ipt_policy.h index 7fd1bec453f1..a3f6eff39d33 100644 --- a/include/linux/netfilter_ipv4/ipt_policy.h +++ b/include/linux/netfilter_ipv4/ipt_policy.h | |||
| @@ -27,16 +27,22 @@ struct ipt_policy_spec | |||
| 27 | reqid:1; | 27 | reqid:1; |
| 28 | }; | 28 | }; |
| 29 | 29 | ||
| 30 | union ipt_policy_addr | ||
| 31 | { | ||
| 32 | struct in_addr a4; | ||
| 33 | struct in6_addr a6; | ||
| 34 | }; | ||
| 35 | |||
| 30 | struct ipt_policy_elem | 36 | struct ipt_policy_elem |
| 31 | { | 37 | { |
| 32 | u_int32_t saddr; | 38 | union ipt_policy_addr saddr; |
| 33 | u_int32_t smask; | 39 | union ipt_policy_addr smask; |
| 34 | u_int32_t daddr; | 40 | union ipt_policy_addr daddr; |
| 35 | u_int32_t dmask; | 41 | union ipt_policy_addr dmask; |
| 36 | u_int32_t spi; | 42 | u_int32_t spi; |
| 37 | u_int32_t reqid; | 43 | u_int32_t reqid; |
| 38 | u_int8_t proto; | 44 | u_int8_t proto; |
| 39 | u_int8_t mode; | 45 | u_int8_t mode; |
| 40 | 46 | ||
| 41 | struct ipt_policy_spec match; | 47 | struct ipt_policy_spec match; |
| 42 | struct ipt_policy_spec invert; | 48 | struct ipt_policy_spec invert; |
diff --git a/include/linux/netfilter_ipv6/ip6t_policy.h b/include/linux/netfilter_ipv6/ip6t_policy.h index 5a93afcd2ff1..671bd818300f 100644 --- a/include/linux/netfilter_ipv6/ip6t_policy.h +++ b/include/linux/netfilter_ipv6/ip6t_policy.h | |||
| @@ -27,16 +27,22 @@ struct ip6t_policy_spec | |||
| 27 | reqid:1; | 27 | reqid:1; |
| 28 | }; | 28 | }; |
| 29 | 29 | ||
| 30 | union ip6t_policy_addr | ||
| 31 | { | ||
| 32 | struct in_addr a4; | ||
| 33 | struct in6_addr a6; | ||
| 34 | }; | ||
| 35 | |||
| 30 | struct ip6t_policy_elem | 36 | struct ip6t_policy_elem |
| 31 | { | 37 | { |
| 32 | struct in6_addr saddr; | 38 | union ip6t_policy_addr saddr; |
| 33 | struct in6_addr smask; | 39 | union ip6t_policy_addr smask; |
| 34 | struct in6_addr daddr; | 40 | union ip6t_policy_addr daddr; |
| 35 | struct in6_addr dmask; | 41 | union ip6t_policy_addr dmask; |
| 36 | u_int32_t spi; | 42 | u_int32_t spi; |
| 37 | u_int32_t reqid; | 43 | u_int32_t reqid; |
| 38 | u_int8_t proto; | 44 | u_int8_t proto; |
| 39 | u_int8_t mode; | 45 | u_int8_t mode; |
| 40 | 46 | ||
| 41 | struct ip6t_policy_spec match; | 47 | struct ip6t_policy_spec match; |
| 42 | struct ip6t_policy_spec invert; | 48 | struct ip6t_policy_spec invert; |
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c index a48949a3a750..5a7a265280f9 100644 --- a/net/ipv4/netfilter/ipt_policy.c +++ b/net/ipv4/netfilter/ipt_policy.c | |||
| @@ -26,10 +26,13 @@ MODULE_LICENSE("GPL"); | |||
| 26 | static inline int | 26 | static inline int |
| 27 | match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e) | 27 | match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e) |
| 28 | { | 28 | { |
| 29 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) | 29 | #define MATCH_ADDR(x,y,z) (!e->match.x || \ |
| 30 | ((e->x.a4.s_addr == (e->y.a4.s_addr & (z))) \ | ||
| 31 | ^ e->invert.x)) | ||
| 32 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) | ||
| 30 | 33 | ||
| 31 | return MATCH(saddr, x->props.saddr.a4 & e->smask) && | 34 | return MATCH_ADDR(saddr, smask, x->props.saddr.a4) && |
| 32 | MATCH(daddr, x->id.daddr.a4 & e->dmask) && | 35 | MATCH_ADDR(daddr, dmask, x->id.daddr.a4) && |
| 33 | MATCH(proto, x->id.proto) && | 36 | MATCH(proto, x->id.proto) && |
| 34 | MATCH(mode, x->props.mode) && | 37 | MATCH(mode, x->props.mode) && |
| 35 | MATCH(spi, x->id.spi) && | 38 | MATCH(spi, x->id.spi) && |
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c index 1d0f48276123..3d39ec924041 100644 --- a/net/ipv6/netfilter/ip6t_policy.c +++ b/net/ipv6/netfilter/ip6t_policy.c | |||
| @@ -26,8 +26,8 @@ MODULE_LICENSE("GPL"); | |||
| 26 | static inline int | 26 | static inline int |
| 27 | match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e) | 27 | match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e) |
| 28 | { | 28 | { |
| 29 | #define MATCH_ADDR(x,y,z) (!e->match.x || \ | 29 | #define MATCH_ADDR(x,y,z) (!e->match.x || \ |
| 30 | ((!ip6_masked_addrcmp(&e->x, &e->y, z)) \ | 30 | ((!ip6_masked_addrcmp(&e->x.a6, &e->y.a6, z)) \ |
| 31 | ^ e->invert.x)) | 31 | ^ e->invert.x)) |
| 32 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) | 32 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) |
| 33 | 33 | ||