[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match

This unifies ipt_multiport and ip6t_multiport to xt_multiport. As a result, this addes support for inversion and port range match to IPv6 packets. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> 2006-04-01 05:22:54 -0500
committer: David S. Miller <davem@davemloft.net> 2006-04-01 05:22:54 -0500
commit: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 (patch)
tree: c84c5b3167c116f0c419a2bbb04877bdac38dd07 /net/ipv4
parent: dc5ab2faece3b7473931357db7f63f596678481d (diff)
3 files changed, 0 insertions, 206 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index ebbd644fa8c4..77855ccd6b43 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -221,16 +221,6 @@ config IP_NF_MATCH_IPRANGE
          To compile it as a module, choose M here.  If unsure, say N.
-config IP_NF_MATCH_MULTIPORT
-        tristate "Multiple port match support"
-        depends on IP_NF_IPTABLES
-        help
-          Multiport matching allows you to match TCP or UDP packets based on
-          a series of source or destination ports: normally a rule can only
-          match a single range of ports.
-          To compile it as a module, choose M here.  If unsure, say N.
 config IP_NF_MATCH_TOS
        tristate "TOS match support"
        depends on IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 09ae167632e7..461cb1eb5de7 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -53,7 +53,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
 # matches
 obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
-obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
diff --git a/net/ipv4/netfilter/ipt_multiport.c b/net/ipv4/netfilter/ipt_multiport.c
deleted file mode 100644
index ac95d8390bcc..000000000000
--- a/net/ipv4/netfilter/ipt_multiport.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/* Kernel module to match one of a list of TCP/UDP ports: ports are in
-   the same place so we can treat them as equal. */
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#include <linux/module.h>
-#include <linux/types.h>
-#include <linux/udp.h>
-#include <linux/skbuff.h>
-#include <linux/netfilter_ipv4/ipt_multiport.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables multiple port match module");
-#if 0
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
-/* Returns 1 if the port is matched by the test, 0 otherwise. */
-static inline int
-ports_match(const u_int16_t *portlist, enum ipt_multiport_flags flags,
-            u_int8_t count, u_int16_t src, u_int16_t dst)
-{
-        unsigned int i;
-        for (i=0; i<count; i++) {
-                if (flags != IPT_MULTIPORT_DESTINATION
-                    && portlist[i] == src)
-                        return 1;
-                if (flags != IPT_MULTIPORT_SOURCE
-                    && portlist[i] == dst)
-                        return 1;
-        }
-        return 0;
-}
-/* Returns 1 if the port is matched by the test, 0 otherwise. */
-static inline int
-ports_match_v1(const struct ipt_multiport_v1 *minfo,
-               u_int16_t src, u_int16_t dst)
-{
-        unsigned int i;
-        u_int16_t s, e;
-        for (i=0; i < minfo->count; i++) {
-                s = minfo->ports[i];
-                if (minfo->pflags[i]) {
-                        /* range port matching */
-                        e = minfo->ports[++i];
-                        duprintf("src or dst matches with %d-%d?\n", s, e);
-                        if (minfo->flags == IPT_MULTIPORT_SOURCE
-                            && src >= s && src <= e)
-                                return 1 ^ minfo->invert;
-                        if (minfo->flags == IPT_MULTIPORT_DESTINATION
-                            && dst >= s && dst <= e)
-                                return 1 ^ minfo->invert;
-                        if (minfo->flags == IPT_MULTIPORT_EITHER
-                            && ((dst >= s && dst <= e)
-                                || (src >= s && src <= e)))
-                                return 1 ^ minfo->invert;
-                } else {
-                        /* exact port matching */
-                        duprintf("src or dst matches with %d?\n", s);
-                        if (minfo->flags == IPT_MULTIPORT_SOURCE
-                            && src == s)
-                                return 1 ^ minfo->invert;
-                        if (minfo->flags == IPT_MULTIPORT_DESTINATION
-                            && dst == s)
-                                return 1 ^ minfo->invert;
-                        if (minfo->flags == IPT_MULTIPORT_EITHER
-                            && (src == s || dst == s))
-                                return 1 ^ minfo->invert;
-                }
-        }
- 
-        return minfo->invert;
-}
-static int
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const struct xt_match *match,
-      const void *matchinfo,
-      int offset,
-      unsigned int protoff,
-      int *hotdrop)
-{
-        u16 _ports[2], *pptr;
-        const struct ipt_multiport *multiinfo = matchinfo;
-        if (offset)
-                return 0;
-        pptr = skb_header_pointer(skb, protoff,
-                                  sizeof(_ports), _ports);
-        if (pptr == NULL) {
-                /* We've been asked to examine this packet, and we
-                 * can't.  Hence, no choice but to drop.
-                 */
-                duprintf("ipt_multiport:"
-                         " Dropping evil offset=0 tinygram.\n");
-                *hotdrop = 1;
-                return 0;
-        }
-        return ports_match(multiinfo->ports,
-                           multiinfo->flags, multiinfo->count,
-                           ntohs(pptr[0]), ntohs(pptr[1]));
-}
-static int
-match_v1(const struct sk_buff *skb,
-         const struct net_device *in,
-         const struct net_device *out,
-         const struct xt_match *match,
-         const void *matchinfo,
-         int offset,
-         unsigned int protoff,
-         int *hotdrop)
-{
-        u16 _ports[2], *pptr;
-        const struct ipt_multiport_v1 *multiinfo = matchinfo;
-        if (offset)
-                return 0;
-        pptr = skb_header_pointer(skb, protoff,
-                                  sizeof(_ports), _ports);
-        if (pptr == NULL) {
-                /* We've been asked to examine this packet, and we
-                 * can't.  Hence, no choice but to drop.
-                 */
-                duprintf("ipt_multiport:"
-                         " Dropping evil offset=0 tinygram.\n");
-                *hotdrop = 1;
-                return 0;
-        }
-        return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
-}
-static struct ipt_match multiport_match = {
-        .name           = "multiport",
-        .revision       = 0,
-        .match          = match,
-        .matchsize      = sizeof(struct ipt_multiport),
-        .me             = THIS_MODULE,
-};
-static struct ipt_match multiport_match_v1 = {
-        .name           = "multiport",
-        .revision       = 1,
-        .match          = match_v1,
-        .matchsize      = sizeof(struct ipt_multiport_v1),
-        .me             = THIS_MODULE,
-};
-static int __init ipt_multiport_init(void)
-{
-        int err;
-        err = ipt_register_match(&multiport_match);
-        if (!err) {
-                err = ipt_register_match(&multiport_match_v1);
-                if (err)
-                        ipt_unregister_match(&multiport_match);
-        }
-        return err;
-}
-static void __exit ipt_multiport_fini(void)
-{
-        ipt_unregister_match(&multiport_match);
-        ipt_unregister_match(&multiport_match_v1);
-}
-module_init(ipt_multiport_init);
-module_exit(ipt_multiport_fini);
author	Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>	2006-04-01 05:22:54 -0500
committer	David S. Miller <davem@davemloft.net>	2006-04-01 05:22:54 -0500
commit	a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 (patch)
tree	c84c5b3167c116f0c419a2bbb04877bdac38dd07 /net/ipv4
parent	dc5ab2faece3b7473931357db7f63f596678481d (diff)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index ebbd644fa8c4..77855ccd6b43 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -221,16 +221,6 @@ config IP_NF_MATCH_IPRANGE
221		221
222	To compile it as a module, choose M here. If unsure, say N.	222	To compile it as a module, choose M here. If unsure, say N.
223		223
224	config IP_NF_MATCH_MULTIPORT
225	tristate "Multiple port match support"
226	depends on IP_NF_IPTABLES
227	help
228	Multiport matching allows you to match TCP or UDP packets based on
229	a series of source or destination ports: normally a rule can only
230	match a single range of ports.
231
232	To compile it as a module, choose M here. If unsure, say N.
233
234	config IP_NF_MATCH_TOS	224	config IP_NF_MATCH_TOS
235	tristate "TOS match support"	225	tristate "TOS match support"
236	depends on IP_NF_IPTABLES	226	depends on IP_NF_IPTABLES


diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index 09ae167632e7..461cb1eb5de7 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile
@@ -53,7 +53,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
53	# matches	53	# matches
54	obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o	54	obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o
55	obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o	55	obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
56	obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
57	obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o	56	obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
58	obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o	57	obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
59	obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o	58	obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o


diff --git a/net/ipv4/netfilter/ipt_multiport.c b/net/ipv4/netfilter/ipt_multiport.c deleted file mode 100644 index ac95d8390bcc..000000000000 --- a/net/ipv4/netfilter/ipt_multiport.c +++ /dev/null
@@ -1,195 +0,0 @@
1	/* Kernel module to match one of a list of TCP/UDP ports: ports are in
2	the same place so we can treat them as equal. */
3
4	/* (C) 1999-2001 Paul `Rusty' Russell
5	* (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
6	*
7	* This program is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License version 2 as
9	* published by the Free Software Foundation.
10	*/
11
12	#include <linux/module.h>
13	#include <linux/types.h>
14	#include <linux/udp.h>
15	#include <linux/skbuff.h>
16
17	#include <linux/netfilter_ipv4/ipt_multiport.h>
18	#include <linux/netfilter_ipv4/ip_tables.h>
19
20	MODULE_LICENSE("GPL");
21	MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
22	MODULE_DESCRIPTION("iptables multiple port match module");
23
24	#if 0
25	#define duprintf(format, args...) printk(format , ## args)
26	#else
27	#define duprintf(format, args...)
28	#endif
29
30	/* Returns 1 if the port is matched by the test, 0 otherwise. */
31	static inline int
32	ports_match(const u_int16_t *portlist, enum ipt_multiport_flags flags,
33	u_int8_t count, u_int16_t src, u_int16_t dst)
34	{
35	unsigned int i;
36	for (i=0; i<count; i++) {
37	if (flags != IPT_MULTIPORT_DESTINATION
38	&& portlist[i] == src)
39	return 1;
40
41	if (flags != IPT_MULTIPORT_SOURCE
42	&& portlist[i] == dst)
43	return 1;
44	}
45
46	return 0;
47	}
48
49	/* Returns 1 if the port is matched by the test, 0 otherwise. */
50	static inline int
51	ports_match_v1(const struct ipt_multiport_v1 *minfo,
52	u_int16_t src, u_int16_t dst)
53	{
54	unsigned int i;
55	u_int16_t s, e;
56
57	for (i=0; i < minfo->count; i++) {
58	s = minfo->ports[i];
59
60	if (minfo->pflags[i]) {
61	/* range port matching */
62	e = minfo->ports[++i];
63	duprintf("src or dst matches with %d-%d?\n", s, e);
64
65	if (minfo->flags == IPT_MULTIPORT_SOURCE
66	&& src >= s && src <= e)
67	return 1 ^ minfo->invert;
68	if (minfo->flags == IPT_MULTIPORT_DESTINATION
69	&& dst >= s && dst <= e)
70	return 1 ^ minfo->invert;
71	if (minfo->flags == IPT_MULTIPORT_EITHER
72	&& ((dst >= s && dst <= e)
73	\|\| (src >= s && src <= e)))
74	return 1 ^ minfo->invert;
75	} else {
76	/* exact port matching */
77	duprintf("src or dst matches with %d?\n", s);
78
79	if (minfo->flags == IPT_MULTIPORT_SOURCE
80	&& src == s)
81	return 1 ^ minfo->invert;
82	if (minfo->flags == IPT_MULTIPORT_DESTINATION
83	&& dst == s)
84	return 1 ^ minfo->invert;
85	if (minfo->flags == IPT_MULTIPORT_EITHER
86	&& (src == s \|\| dst == s))
87	return 1 ^ minfo->invert;
88	}
89	}
90
91	return minfo->invert;
92	}
93
94	static int
95	match(const struct sk_buff *skb,
96	const struct net_device *in,
97	const struct net_device *out,
98	const struct xt_match *match,
99	const void *matchinfo,
100	int offset,
101	unsigned int protoff,
102	int *hotdrop)
103	{
104	u16 _ports[2], *pptr;
105	const struct ipt_multiport *multiinfo = matchinfo;
106
107	if (offset)
108	return 0;
109
110	pptr = skb_header_pointer(skb, protoff,
111	sizeof(_ports), _ports);
112	if (pptr == NULL) {
113	/* We've been asked to examine this packet, and we
114	* can't. Hence, no choice but to drop.
115	*/
116	duprintf("ipt_multiport:"
117	" Dropping evil offset=0 tinygram.\n");
118	*hotdrop = 1;
119	return 0;
120	}
121
122	return ports_match(multiinfo->ports,
123	multiinfo->flags, multiinfo->count,
124	ntohs(pptr[0]), ntohs(pptr[1]));
125	}
126
127	static int
128	match_v1(const struct sk_buff *skb,
129	const struct net_device *in,
130	const struct net_device *out,
131	const struct xt_match *match,
132	const void *matchinfo,
133	int offset,
134	unsigned int protoff,
135	int *hotdrop)
136	{
137	u16 _ports[2], *pptr;
138	const struct ipt_multiport_v1 *multiinfo = matchinfo;
139
140	if (offset)
141	return 0;
142
143	pptr = skb_header_pointer(skb, protoff,
144	sizeof(_ports), _ports);
145	if (pptr == NULL) {
146	/* We've been asked to examine this packet, and we
147	* can't. Hence, no choice but to drop.
148	*/
149	duprintf("ipt_multiport:"
150	" Dropping evil offset=0 tinygram.\n");
151	*hotdrop = 1;
152	return 0;
153	}
154
155	return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
156	}
157
158	static struct ipt_match multiport_match = {
159	.name = "multiport",
160	.revision = 0,
161	.match = match,
162	.matchsize = sizeof(struct ipt_multiport),
163	.me = THIS_MODULE,
164	};
165
166	static struct ipt_match multiport_match_v1 = {
167	.name = "multiport",
168	.revision = 1,
169	.match = match_v1,
170	.matchsize = sizeof(struct ipt_multiport_v1),
171	.me = THIS_MODULE,
172	};
173
174	static int __init ipt_multiport_init(void)
175	{
176	int err;
177
178	err = ipt_register_match(&multiport_match);
179	if (!err) {
180	err = ipt_register_match(&multiport_match_v1);
181	if (err)
182	ipt_unregister_match(&multiport_match);
183	}
184
185	return err;
186	}
187
188	static void __exit ipt_multiport_fini(void)
189	{
190	ipt_unregister_match(&multiport_match);
191	ipt_unregister_match(&multiport_match_v1);
192	}
193
194	module_init(ipt_multiport_init);
195	module_exit(ipt_multiport_fini);