authorAnders K. Pedersen <akp@surftown.com>2013-05-03 17:15:48 -0400
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2013-09-30 15:33:26 -0400
commit60b0fe372499f66e0c965dc0594320438a3b711c (patch)
tree3a388eb587d0ce4bba35fb1abde411e6c8854fcc
parentb8cd97865c903e032db85e5a4f2783928c56f2bd (diff)
netfilter: ipset: Support package fragments for IPv4 protos without ports
Enable ipset port set types to match IPv4 packet fragments for protocols that don't have ports (or whose port information isn't supported by ipset). For example, this allows a hash:ip,port ipset containing the entry 192.168.0.1,gre:0 to match all packet fragments for PPTP VPN tunnels to/from the host. Without this patch only the first packet fragment (with fragment offset 0) was matched, while subsequent fragments weren't. This is not possible for IPv6, where the protocol is in the fragmented part of the packet, unlike IPv4, where the protocol is in the IP header. IPPROTO_ICMPV6 is deliberately not included, because it isn't relevant for IPv4. Signed-off-by: Anders K. Pedersen <akp@surftown.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-rw-r--r--net/netfilter/ipset/ip_set_getport.c18
1 files changed, 17 insertions, 1 deletions
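diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c
index dac156f819ac..29fb01ddff93 100644
--- a/net/netfilter/ipset/ip_set_getport.c
+++ b/net/netfilter/ipset/ip_set_getport.c
@@ -102,9 +102,25 @@ ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
 	int protocol = iph->protocol;
 
 	/* See comments at tcp_match in ip_tables.c */
-	if (protocol <= 0 || (ntohs(iph->frag_off) & IP_OFFSET))
+	if (protocol <= 0)
 		return false;
 
+	if (ntohs(iph->frag_off) & IP_OFFSET)
+		switch (protocol) {
+		case IPPROTO_TCP:
+		case IPPROTO_SCTP:
+		case IPPROTO_UDP:
+		case IPPROTO_UDPLITE:
+		case IPPROTO_ICMP:
+			/* Port info not available for fragment offset > 0 */
+			return false;
+		default:
+			/* Other protocols doesn't have ports,
+			   so we can match fragments */
+			*proto = protocol;
+			return true;
+		}
+
 	return get_port(skb, protocol, protooff, src, port, proto);
 }
 EXPORT_SYMBOL_GPL(ip_set_get_ip4_port);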
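Review bot: The new `default:` branch of the fragment switch returns true after writing `*proto` but leaves `*port` untouched, so what a non-initial fragment matches on depends on the caller having initialised `port` beforehand (or on get_port()'s own no-port path behaving the same way, which this hunk does not show). If that is the intended contract it is worth stating it at the return, e.g. `/* No port for this protocol; *port is left as the caller initialised it */`, or making it explicit with `*port = 0;` before `return true;` so a fragment entry can never match on stale port bits. The list of port-carrying cases in the switch also duplicates the set handled in get_port(), so a comment above the switch such as `/* Keep in sync with the port-carrying protocols in get_port() */` would help a future protocol addition update both places. The default-case comment should read `/* Other protocols don't have ports, so we can match fragments */`. ip_set_get_ip4_port's body starts before this hunk.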