[NETFILTER]: x_tables: unify IPv4/IPv6 esp match

This unifies ipt_esp and ip6t_esp to xt_esp. Please note that now a user program needs to specify IPPROTO_ESP as protocol to use esp match with IPv6. This means that ip6tables requires '-p esp' like iptables. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> 2006-04-01 05:22:30 -0500
committer: David S. Miller <davem@davemloft.net> 2006-04-01 05:22:30 -0500
commit: dc5ab2faece3b7473931357db7f63f596678481d (patch)
tree: d1e5fd3e805e7d2c4136459cca17d5f8ed44bfb6 /net/ipv6
parent: 9606a21635cec077e1928273751b44ecc824a49d (diff)
3 files changed, 4 insertions, 119 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 98f78759f1ab..bdd569fc66cb 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -115,11 +115,11 @@ config IP6_NF_MATCH_IPV6HEADER
          To compile it as a module, choose M here.  If unsure, say N.
-config IP6_NF_MATCH_AHESP
+config IP6_NF_MATCH_AH
-        tristate "AH/ESP match support"
+        tristate "AH match support"
        depends on IP6_NF_IPTABLES
        help
-          This module allows one to match AH and ESP packets.
+          This module allows one to match AH packets.
          To compile it as a module, choose M here.  If unsure, say N.
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 8436a1a1731f..c38717011e64 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -8,7 +8,7 @@ obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
 obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o
 obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
 obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
-obj-$(CONFIG_IP6_NF_MATCH_AHESP) += ip6t_esp.o ip6t_ah.o
+obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
 obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
 obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o
 obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
diff --git a/net/ipv6/netfilter/ip6t_esp.c b/net/ipv6/netfilter/ip6t_esp.c
deleted file mode 100644
index 36bedad2c6f7..000000000000
--- a/net/ipv6/netfilter/ip6t_esp.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/* Kernel module to match ESP parameters. */
-/* (C) 2001-2002 Andras Kis-Szabo <kisza@sch.bme.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <linux/ipv6.h>
-#include <linux/types.h>
-#include <net/checksum.h>
-#include <net/ipv6.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_esp.h>
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 ESP match");
-MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
-#if 0
-#define DEBUGP printk
-#else
-#define DEBUGP(format, args...)
-#endif
-/* Returns 1 if the spi is matched by the range, 0 otherwise */
-static inline int
-spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert)
-{
-        int r=0;
-        DEBUGP("esp spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
-               min,spi,max);
-        r=(spi >= min && spi <= max) ^ invert;
-        DEBUGP(" result %s\n",r? "PASS\n" : "FAILED\n");
-        return r;
-}
-static int
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const struct xt_match *match,
-      const void *matchinfo,
-      int offset,
-      unsigned int protoff,
-      int *hotdrop)
-{
-        struct ip_esp_hdr _esp, *eh;
-        const struct ip6t_esp *espinfo = matchinfo;
-        unsigned int ptr;
-        /* Make sure this isn't an evil packet */
-        /*DEBUGP("ipv6_esp entered \n");*/
-        if (ipv6_find_hdr(skb, &ptr, NEXTHDR_ESP, NULL) < 0)
-                return 0;
-        eh = skb_header_pointer(skb, ptr, sizeof(_esp), &_esp);
-        if (eh == NULL) {
-                *hotdrop = 1;
-                return 0;
-        }
-        DEBUGP("IPv6 ESP SPI %u %08X\n", ntohl(eh->spi), ntohl(eh->spi));
-        return (eh != NULL)
-                && spi_match(espinfo->spis[0], espinfo->spis[1],
-                              ntohl(eh->spi),
-                              !!(espinfo->invflags & IP6T_ESP_INV_SPI));
-}
-/* Called when user tries to insert an entry of this type. */
-static int
-checkentry(const char *tablename,
-           const void *ip,
-           const struct xt_match *match,
-           void *matchinfo,
-           unsigned int matchinfosize,
-           unsigned int hook_mask)
-{
-        const struct ip6t_esp *espinfo = matchinfo;
-        if (espinfo->invflags & ~IP6T_ESP_INV_MASK) {
-                DEBUGP("ip6t_esp: unknown flags %X\n",
-                         espinfo->invflags);
-                return 0;
-        }
-        return 1;
-}
-static struct ip6t_match esp_match = {
-        .name           = "esp",
-        .match          = match,
-        .matchsize      = sizeof(struct ip6t_esp),
-        .checkentry     = checkentry,
-        .me             = THIS_MODULE,
-};
-static int __init ip6t_esp_init(void)
-{
-        return ip6t_register_match(&esp_match);
-}
-static void __exit ip6t_esp_fini(void)
-{
-        ip6t_unregister_match(&esp_match);
-}
-module_init(ip6t_esp_init);
-module_exit(ip6t_esp_fini);
author	Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>	2006-04-01 05:22:30 -0500
committer	David S. Miller <davem@davemloft.net>	2006-04-01 05:22:30 -0500
commit	dc5ab2faece3b7473931357db7f63f596678481d (patch)
tree	d1e5fd3e805e7d2c4136459cca17d5f8ed44bfb6 /net/ipv6
parent	9606a21635cec077e1928273751b44ecc824a49d (diff)

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 98f78759f1ab..bdd569fc66cb 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig
@@ -115,11 +115,11 @@ config IP6_NF_MATCH_IPV6HEADER
115		115
116	To compile it as a module, choose M here. If unsure, say N.	116	To compile it as a module, choose M here. If unsure, say N.
117		117
118	config IP6_NF_MATCH_AHESP	118	config IP6_NF_MATCH_AH
119	tristate "AH/ESP match support"	119	tristate "AH match support"
120	depends on IP6_NF_IPTABLES	120	depends on IP6_NF_IPTABLES
121	help	121	help
122	This module allows one to match AH and ESP packets.	122	This module allows one to match AH packets.
123		123
124	To compile it as a module, choose M here. If unsure, say N.	124	To compile it as a module, choose M here. If unsure, say N.
125		125


diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index 8436a1a1731f..c38717011e64 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile
@@ -8,7 +8,7 @@ obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
8	obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o	8	obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o
9	obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o	9	obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
10	obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o	10	obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
11	obj-$(CONFIG_IP6_NF_MATCH_AHESP) += ip6t_esp.o ip6t_ah.o	11	obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
12	obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o	12	obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
13	obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o	13	obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o
14	obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o	14	obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o


diff --git a/net/ipv6/netfilter/ip6t_esp.c b/net/ipv6/netfilter/ip6t_esp.c deleted file mode 100644 index 36bedad2c6f7..000000000000 --- a/net/ipv6/netfilter/ip6t_esp.c +++ /dev/null
@@ -1,115 +0,0 @@
1	/* Kernel module to match ESP parameters. */
2	/* (C) 2001-2002 Andras Kis-Szabo <kisza@sch.bme.hu>
3	*
4	* This program is free software; you can redistribute it and/or modify
5	* it under the terms of the GNU General Public License version 2 as
6	* published by the Free Software Foundation.
7	*/
8
9
10	#include <linux/module.h>
11	#include <linux/skbuff.h>
12	#include <linux/ip.h>
13	#include <linux/ipv6.h>
14	#include <linux/types.h>
15	#include <net/checksum.h>
16	#include <net/ipv6.h>
17
18	#include <linux/netfilter_ipv6/ip6_tables.h>
19	#include <linux/netfilter_ipv6/ip6t_esp.h>
20
21	MODULE_LICENSE("GPL");
22	MODULE_DESCRIPTION("IPv6 ESP match");
23	MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
24
25	#if 0
26	#define DEBUGP printk
27	#else
28	#define DEBUGP(format, args...)
29	#endif
30
31	/* Returns 1 if the spi is matched by the range, 0 otherwise */
32	static inline int
33	spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert)
34	{
35	int r=0;
36	DEBUGP("esp spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
37	min,spi,max);
38	r=(spi >= min && spi <= max) ^ invert;
39	DEBUGP(" result %s\n",r? "PASS\n" : "FAILED\n");
40	return r;
41	}
42
43	static int
44	match(const struct sk_buff *skb,
45	const struct net_device *in,
46	const struct net_device *out,
47	const struct xt_match *match,
48	const void *matchinfo,
49	int offset,
50	unsigned int protoff,
51	int *hotdrop)
52	{
53	struct ip_esp_hdr _esp, *eh;
54	const struct ip6t_esp *espinfo = matchinfo;
55	unsigned int ptr;
56
57	/* Make sure this isn't an evil packet */
58	/DEBUGP("ipv6_esp entered \n");/
59
60	if (ipv6_find_hdr(skb, &ptr, NEXTHDR_ESP, NULL) < 0)
61	return 0;
62
63	eh = skb_header_pointer(skb, ptr, sizeof(_esp), &_esp);
64	if (eh == NULL) {
65	*hotdrop = 1;
66	return 0;
67	}
68
69	DEBUGP("IPv6 ESP SPI %u %08X\n", ntohl(eh->spi), ntohl(eh->spi));
70
71	return (eh != NULL)
72	&& spi_match(espinfo->spis[0], espinfo->spis[1],
73	ntohl(eh->spi),
74	!!(espinfo->invflags & IP6T_ESP_INV_SPI));
75	}
76
77	/* Called when user tries to insert an entry of this type. */
78	static int
79	checkentry(const char *tablename,
80	const void *ip,
81	const struct xt_match *match,
82	void *matchinfo,
83	unsigned int matchinfosize,
84	unsigned int hook_mask)
85	{
86	const struct ip6t_esp *espinfo = matchinfo;
87
88	if (espinfo->invflags & ~IP6T_ESP_INV_MASK) {
89	DEBUGP("ip6t_esp: unknown flags %X\n",
90	espinfo->invflags);
91	return 0;
92	}
93	return 1;
94	}
95
96	static struct ip6t_match esp_match = {
97	.name = "esp",
98	.match = match,
99	.matchsize = sizeof(struct ip6t_esp),
100	.checkentry = checkentry,
101	.me = THIS_MODULE,
102	};
103
104	static int __init ip6t_esp_init(void)
105	{
106	return ip6t_register_match(&esp_match);
107	}
108
109	static void __exit ip6t_esp_fini(void)
110	{
111	ip6t_unregister_match(&esp_match);
112	}
113
114	module_init(ip6t_esp_init);
115	module_exit(ip6t_esp_fini);