[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match

This unifies ipt_multiport and ip6t_multiport to xt_multiport. As a result, this addes support for inversion and port range match to IPv6 packets. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> 2006-04-01 05:22:54 -0500
committer: David S. Miller <davem@davemloft.net> 2006-04-01 05:22:54 -0500
commit: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 (patch)
tree: c84c5b3167c116f0c419a2bbb04877bdac38dd07 /net/ipv6
parent: dc5ab2faece3b7473931357db7f63f596678481d (diff)
3 files changed, 0 insertions, 136 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index bdd569fc66cb..4bc4e5b33794 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -87,16 +87,6 @@ config IP6_NF_MATCH_HL
          To compile it as a module, choose M here.  If unsure, say N.
-config IP6_NF_MATCH_MULTIPORT
-        tristate "Multiple port match support"
-        depends on IP6_NF_IPTABLES
-        help
-          Multiport matching allows you to match TCP or UDP packets based on
-          a series of source or destination ports: normally a rule can only
-          match a single range of ports.
-          To compile it as a module, choose M here.  If unsure, say N.
 config IP6_NF_MATCH_OWNER
        tristate "Owner match support"
        depends on IP6_NF_IPTABLES
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index c38717011e64..eeeb57d4c9c5 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -10,7 +10,6 @@ obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
 obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
 obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
 obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
-obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o
 obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
 obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
 obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
diff --git a/net/ipv6/netfilter/ip6t_multiport.c b/net/ipv6/netfilter/ip6t_multiport.c
deleted file mode 100644
index 10c48ba596d6..000000000000
--- a/net/ipv6/netfilter/ip6t_multiport.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/* Kernel module to match one of a list of TCP/UDP ports: ports are in
-   the same place so we can treat them as equal. */
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#include <linux/module.h>
-#include <linux/types.h>
-#include <linux/udp.h>
-#include <linux/skbuff.h>
-#include <linux/in.h>
-#include <linux/netfilter_ipv6/ip6t_multiport.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("ip6tables match for multiple ports");
-#if 0
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
-/* Returns 1 if the port is matched by the test, 0 otherwise. */
-static inline int
-ports_match(const u_int16_t *portlist, enum ip6t_multiport_flags flags,
-            u_int8_t count, u_int16_t src, u_int16_t dst)
-{
-        unsigned int i;
-        for (i=0; i<count; i++) {
-                if (flags != IP6T_MULTIPORT_DESTINATION
-                    && portlist[i] == src)
-                        return 1;
-                if (flags != IP6T_MULTIPORT_SOURCE
-                    && portlist[i] == dst)
-                        return 1;
-        }
-        return 0;
-}
-static int
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const struct xt_match *match,
-      const void *matchinfo,
-      int offset,
-      unsigned int protoff,
-      int *hotdrop)
-{
-        u16 _ports[2], *pptr;
-        const struct ip6t_multiport *multiinfo = matchinfo;
-        /* Must not be a fragment. */
-        if (offset)
-                return 0;
-        /* Must be big enough to read ports (both UDP and TCP have
-           them at the start). */
-        pptr = skb_header_pointer(skb, protoff, sizeof(_ports), &_ports[0]);
-        if (pptr == NULL) {
-                /* We've been asked to examine this packet, and we
-                 * can't.  Hence, no choice but to drop.
-                 */
-                duprintf("ip6t_multiport:"
-                         " Dropping evil offset=0 tinygram.\n");
-                *hotdrop = 1;
-                return 0;
-        }
-        return ports_match(multiinfo->ports,
-                           multiinfo->flags, multiinfo->count,
-                           ntohs(pptr[0]), ntohs(pptr[1]));
-}
-/* Called when user tries to insert an entry of this type. */
-static int
-checkentry(const char *tablename,
-           const void *info,
-           const struct xt_match *match,
-           void *matchinfo,
-           unsigned int matchsize,
-           unsigned int hook_mask)
-{
-        const struct ip6t_ip6 *ip = info;
-        const struct ip6t_multiport *multiinfo = matchinfo;
-        /* Must specify proto == TCP/UDP, no unknown flags or bad count */
-        return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP)
-                && !(ip->invflags & IP6T_INV_PROTO)
-                && (multiinfo->flags == IP6T_MULTIPORT_SOURCE
-                    || multiinfo->flags == IP6T_MULTIPORT_DESTINATION
-                    || multiinfo->flags == IP6T_MULTIPORT_EITHER)
-                && multiinfo->count <= IP6T_MULTI_PORTS;
-}
-static struct ip6t_match multiport_match = {
-        .name           = "multiport",
-        .match          = match,
-        .matchsize      = sizeof(struct ip6t_multiport),
-        .checkentry     = checkentry,
-        .me             = THIS_MODULE,
-};
-static int __init ip6t_multiport_init(void)
-{
-        return ip6t_register_match(&multiport_match);
-}
-static void __exit ip6t_multiport_fini(void)
-{
-        ip6t_unregister_match(&multiport_match);
-}
-module_init(ip6t_multiport_init);
-module_exit(ip6t_multiport_fini);
author	Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>	2006-04-01 05:22:54 -0500
committer	David S. Miller <davem@davemloft.net>	2006-04-01 05:22:54 -0500
commit	a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 (patch)
tree	c84c5b3167c116f0c419a2bbb04877bdac38dd07 /net/ipv6
parent	dc5ab2faece3b7473931357db7f63f596678481d (diff)

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index bdd569fc66cb..4bc4e5b33794 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig
@@ -87,16 +87,6 @@ config IP6_NF_MATCH_HL
87		87
88	To compile it as a module, choose M here. If unsure, say N.	88	To compile it as a module, choose M here. If unsure, say N.
89		89
90	config IP6_NF_MATCH_MULTIPORT
91	tristate "Multiple port match support"
92	depends on IP6_NF_IPTABLES
93	help
94	Multiport matching allows you to match TCP or UDP packets based on
95	a series of source or destination ports: normally a rule can only
96	match a single range of ports.
97
98	To compile it as a module, choose M here. If unsure, say N.
99
100	config IP6_NF_MATCH_OWNER	90	config IP6_NF_MATCH_OWNER
101	tristate "Owner match support"	91	tristate "Owner match support"
102	depends on IP6_NF_IPTABLES	92	depends on IP6_NF_IPTABLES


diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index c38717011e64..eeeb57d4c9c5 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile
@@ -10,7 +10,6 @@ obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
10	obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o	10	obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
11	obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o	11	obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
12	obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o	12	obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
13	obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o
14	obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o	13	obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
15	obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o	14	obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
16	obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o	15	obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o


diff --git a/net/ipv6/netfilter/ip6t_multiport.c b/net/ipv6/netfilter/ip6t_multiport.c deleted file mode 100644 index 10c48ba596d6..000000000000 --- a/net/ipv6/netfilter/ip6t_multiport.c +++ /dev/null
@@ -1,125 +0,0 @@
1	/* Kernel module to match one of a list of TCP/UDP ports: ports are in
2	the same place so we can treat them as equal. */
3
4	/* (C) 1999-2001 Paul `Rusty' Russell
5	* (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
6	*
7	* This program is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License version 2 as
9	* published by the Free Software Foundation.
10	*/
11
12	#include <linux/module.h>
13	#include <linux/types.h>
14	#include <linux/udp.h>
15	#include <linux/skbuff.h>
16	#include <linux/in.h>
17
18	#include <linux/netfilter_ipv6/ip6t_multiport.h>
19	#include <linux/netfilter_ipv6/ip6_tables.h>
20
21	MODULE_LICENSE("GPL");
22	MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
23	MODULE_DESCRIPTION("ip6tables match for multiple ports");
24
25	#if 0
26	#define duprintf(format, args...) printk(format , ## args)
27	#else
28	#define duprintf(format, args...)
29	#endif
30
31	/* Returns 1 if the port is matched by the test, 0 otherwise. */
32	static inline int
33	ports_match(const u_int16_t *portlist, enum ip6t_multiport_flags flags,
34	u_int8_t count, u_int16_t src, u_int16_t dst)
35	{
36	unsigned int i;
37	for (i=0; i<count; i++) {
38	if (flags != IP6T_MULTIPORT_DESTINATION
39	&& portlist[i] == src)
40	return 1;
41
42	if (flags != IP6T_MULTIPORT_SOURCE
43	&& portlist[i] == dst)
44	return 1;
45	}
46
47	return 0;
48	}
49
50	static int
51	match(const struct sk_buff *skb,
52	const struct net_device *in,
53	const struct net_device *out,
54	const struct xt_match *match,
55	const void *matchinfo,
56	int offset,
57	unsigned int protoff,
58	int *hotdrop)
59	{
60	u16 _ports[2], *pptr;
61	const struct ip6t_multiport *multiinfo = matchinfo;
62
63	/* Must not be a fragment. */
64	if (offset)
65	return 0;
66
67	/* Must be big enough to read ports (both UDP and TCP have
68	them at the start). */
69	pptr = skb_header_pointer(skb, protoff, sizeof(_ports), &_ports[0]);
70	if (pptr == NULL) {
71	/* We've been asked to examine this packet, and we
72	* can't. Hence, no choice but to drop.
73	*/
74	duprintf("ip6t_multiport:"
75	" Dropping evil offset=0 tinygram.\n");
76	*hotdrop = 1;
77	return 0;
78	}
79
80	return ports_match(multiinfo->ports,
81	multiinfo->flags, multiinfo->count,
82	ntohs(pptr[0]), ntohs(pptr[1]));
83	}
84
85	/* Called when user tries to insert an entry of this type. */
86	static int
87	checkentry(const char *tablename,
88	const void *info,
89	const struct xt_match *match,
90	void *matchinfo,
91	unsigned int matchsize,
92	unsigned int hook_mask)
93	{
94	const struct ip6t_ip6 *ip = info;
95	const struct ip6t_multiport *multiinfo = matchinfo;
96
97	/* Must specify proto == TCP/UDP, no unknown flags or bad count */
98	return (ip->proto == IPPROTO_TCP \|\| ip->proto == IPPROTO_UDP)
99	&& !(ip->invflags & IP6T_INV_PROTO)
100	&& (multiinfo->flags == IP6T_MULTIPORT_SOURCE
101	\|\| multiinfo->flags == IP6T_MULTIPORT_DESTINATION
102	\|\| multiinfo->flags == IP6T_MULTIPORT_EITHER)
103	&& multiinfo->count <= IP6T_MULTI_PORTS;
104	}
105
106	static struct ip6t_match multiport_match = {
107	.name = "multiport",
108	.match = match,
109	.matchsize = sizeof(struct ip6t_multiport),
110	.checkentry = checkentry,
111	.me = THIS_MODULE,
112	};
113
114	static int __init ip6t_multiport_init(void)
115	{
116	return ip6t_register_match(&multiport_match);
117	}
118
119	static void __exit ip6t_multiport_fini(void)
120	{
121	ip6t_unregister_match(&multiport_match);
122	}
123
124	module_init(ip6t_multiport_init);
125	module_exit(ip6t_multiport_fini);