diff options
author | Kuo-lang Tseng <kuo-lang.tseng@intel.com> | 2008-06-09 18:55:45 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-06-09 18:55:45 -0400 |
commit | 93f65158723ceb7078ee9a0fd4830c0de00f4b9e (patch) | |
tree | 0c40629695055a983d969490b9291e5b38ae6b4d /net | |
parent | 469689a4dd476c1be6750deea5f59528a17b8b4a (diff) |
netfilter: ebtables: add IPv6 support
It implements matching functions for IPv6 address & traffic class
(merged from the patch sent by Jan Engelhardt [jengelh@computergmbh.de]
http://marc.info/?l=netfilter-devel&m=120182168424052&w=2), protocol,
and layer-4 port id. Corresponding watcher logging function is also
added for IPv6.
Signed-off-by: Kuo-lang Tseng <kuo-lang.tseng@intel.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/bridge/netfilter/Kconfig | 9 | ||||
-rw-r--r-- | net/bridge/netfilter/Makefile | 1 | ||||
-rw-r--r-- | net/bridge/netfilter/ebt_ip6.c | 144 | ||||
-rw-r--r-- | net/bridge/netfilter/ebt_log.c | 64 |
4 files changed, 202 insertions, 16 deletions
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig index 7beeefa0f9c0..fb684c2ff8b6 100644 --- a/net/bridge/netfilter/Kconfig +++ b/net/bridge/netfilter/Kconfig | |||
@@ -83,6 +83,15 @@ config BRIDGE_EBT_IP | |||
83 | 83 | ||
84 | To compile it as a module, choose M here. If unsure, say N. | 84 | To compile it as a module, choose M here. If unsure, say N. |
85 | 85 | ||
86 | config BRIDGE_EBT_IP6 | ||
87 | tristate "ebt: IP6 filter support" | ||
88 | depends on BRIDGE_NF_EBTABLES | ||
89 | help | ||
90 | This option adds the IP6 match, which allows basic IPV6 header field | ||
91 | filtering. | ||
92 | |||
93 | To compile it as a module, choose M here. If unsure, say N. | ||
94 | |||
86 | config BRIDGE_EBT_LIMIT | 95 | config BRIDGE_EBT_LIMIT |
87 | tristate "ebt: limit match support" | 96 | tristate "ebt: limit match support" |
88 | depends on BRIDGE_NF_EBTABLES | 97 | depends on BRIDGE_NF_EBTABLES |
diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile index 83715d73a503..dd960645b413 100644 --- a/net/bridge/netfilter/Makefile +++ b/net/bridge/netfilter/Makefile | |||
@@ -14,6 +14,7 @@ obj-$(CONFIG_BRIDGE_EBT_802_3) += ebt_802_3.o | |||
14 | obj-$(CONFIG_BRIDGE_EBT_AMONG) += ebt_among.o | 14 | obj-$(CONFIG_BRIDGE_EBT_AMONG) += ebt_among.o |
15 | obj-$(CONFIG_BRIDGE_EBT_ARP) += ebt_arp.o | 15 | obj-$(CONFIG_BRIDGE_EBT_ARP) += ebt_arp.o |
16 | obj-$(CONFIG_BRIDGE_EBT_IP) += ebt_ip.o | 16 | obj-$(CONFIG_BRIDGE_EBT_IP) += ebt_ip.o |
17 | obj-$(CONFIG_BRIDGE_EBT_IP) += ebt_ip6.o | ||
17 | obj-$(CONFIG_BRIDGE_EBT_LIMIT) += ebt_limit.o | 18 | obj-$(CONFIG_BRIDGE_EBT_LIMIT) += ebt_limit.o |
18 | obj-$(CONFIG_BRIDGE_EBT_MARK) += ebt_mark_m.o | 19 | obj-$(CONFIG_BRIDGE_EBT_MARK) += ebt_mark_m.o |
19 | obj-$(CONFIG_BRIDGE_EBT_PKTTYPE) += ebt_pkttype.o | 20 | obj-$(CONFIG_BRIDGE_EBT_PKTTYPE) += ebt_pkttype.o |
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c new file mode 100644 index 000000000000..36efb3a75249 --- /dev/null +++ b/net/bridge/netfilter/ebt_ip6.c | |||
@@ -0,0 +1,144 @@ | |||
1 | /* | ||
2 | * ebt_ip6 | ||
3 | * | ||
4 | * Authors: | ||
5 | * Manohar Castelino <manohar.r.castelino@intel.com> | ||
6 | * Kuo-Lang Tseng <kuo-lang.tseng@intel.com> | ||
7 | * Jan Engelhardt <jengelh@computergmbh.de> | ||
8 | * | ||
9 | * Summary: | ||
10 | * This is just a modification of the IPv4 code written by | ||
11 | * Bart De Schuymer <bdschuym@pandora.be> | ||
12 | * with the changes required to support IPv6 | ||
13 | * | ||
14 | * Jan, 2008 | ||
15 | */ | ||
16 | |||
17 | #include <linux/netfilter_bridge/ebtables.h> | ||
18 | #include <linux/netfilter_bridge/ebt_ip6.h> | ||
19 | #include <linux/ipv6.h> | ||
20 | #include <net/ipv6.h> | ||
21 | #include <linux/in.h> | ||
22 | #include <linux/module.h> | ||
23 | #include <net/dsfield.h> | ||
24 | |||
25 | struct tcpudphdr { | ||
26 | __be16 src; | ||
27 | __be16 dst; | ||
28 | }; | ||
29 | |||
30 | static int ebt_filter_ip6(const struct sk_buff *skb, | ||
31 | const struct net_device *in, | ||
32 | const struct net_device *out, const void *data, | ||
33 | unsigned int datalen) | ||
34 | { | ||
35 | const struct ebt_ip6_info *info = (struct ebt_ip6_info *)data; | ||
36 | const struct ipv6hdr *ih6; | ||
37 | struct ipv6hdr _ip6h; | ||
38 | const struct tcpudphdr *pptr; | ||
39 | struct tcpudphdr _ports; | ||
40 | struct in6_addr tmp_addr; | ||
41 | int i; | ||
42 | |||
43 | ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h); | ||
44 | if (ih6 == NULL) | ||
45 | return EBT_NOMATCH; | ||
46 | if (info->bitmask & EBT_IP6_TCLASS && | ||
47 | FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS)) | ||
48 | return EBT_NOMATCH; | ||
49 | for (i = 0; i < 4; i++) | ||
50 | tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] & | ||
51 | info->smsk.in6_u.u6_addr32[i]; | ||
52 | if (info->bitmask & EBT_IP6_SOURCE && | ||
53 | FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0), | ||
54 | EBT_IP6_SOURCE)) | ||
55 | return EBT_NOMATCH; | ||
56 | for (i = 0; i < 4; i++) | ||
57 | tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] & | ||
58 | info->dmsk.in6_u.u6_addr32[i]; | ||
59 | if (info->bitmask & EBT_IP6_DEST && | ||
60 | FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST)) | ||
61 | return EBT_NOMATCH; | ||
62 | if (info->bitmask & EBT_IP6_PROTO) { | ||
63 | uint8_t nexthdr = ih6->nexthdr; | ||
64 | int offset_ph; | ||
65 | |||
66 | offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), &nexthdr); | ||
67 | if (offset_ph == -1) | ||
68 | return EBT_NOMATCH; | ||
69 | if (FWINV(info->protocol != nexthdr, EBT_IP6_PROTO)) | ||
70 | return EBT_NOMATCH; | ||
71 | if (!(info->bitmask & EBT_IP6_DPORT) && | ||
72 | !(info->bitmask & EBT_IP6_SPORT)) | ||
73 | return EBT_MATCH; | ||
74 | pptr = skb_header_pointer(skb, offset_ph, sizeof(_ports), | ||
75 | &_ports); | ||
76 | if (pptr == NULL) | ||
77 | return EBT_NOMATCH; | ||
78 | if (info->bitmask & EBT_IP6_DPORT) { | ||
79 | u32 dst = ntohs(pptr->dst); | ||
80 | if (FWINV(dst < info->dport[0] || | ||
81 | dst > info->dport[1], EBT_IP6_DPORT)) | ||
82 | return EBT_NOMATCH; | ||
83 | } | ||
84 | if (info->bitmask & EBT_IP6_SPORT) { | ||
85 | u32 src = ntohs(pptr->src); | ||
86 | if (FWINV(src < info->sport[0] || | ||
87 | src > info->sport[1], EBT_IP6_SPORT)) | ||
88 | return EBT_NOMATCH; | ||
89 | } | ||
90 | return EBT_MATCH; | ||
91 | } | ||
92 | return EBT_MATCH; | ||
93 | } | ||
94 | |||
95 | static int ebt_ip6_check(const char *tablename, unsigned int hookmask, | ||
96 | const struct ebt_entry *e, void *data, unsigned int datalen) | ||
97 | { | ||
98 | struct ebt_ip6_info *info = (struct ebt_ip6_info *)data; | ||
99 | |||
100 | if (datalen != EBT_ALIGN(sizeof(struct ebt_ip6_info))) | ||
101 | return -EINVAL; | ||
102 | if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO) | ||
103 | return -EINVAL; | ||
104 | if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK) | ||
105 | return -EINVAL; | ||
106 | if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) { | ||
107 | if (info->invflags & EBT_IP6_PROTO) | ||
108 | return -EINVAL; | ||
109 | if (info->protocol != IPPROTO_TCP && | ||
110 | info->protocol != IPPROTO_UDP && | ||
111 | info->protocol != IPPROTO_UDPLITE && | ||
112 | info->protocol != IPPROTO_SCTP && | ||
113 | info->protocol != IPPROTO_DCCP) | ||
114 | return -EINVAL; | ||
115 | } | ||
116 | if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1]) | ||
117 | return -EINVAL; | ||
118 | if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1]) | ||
119 | return -EINVAL; | ||
120 | return 0; | ||
121 | } | ||
122 | |||
123 | static struct ebt_match filter_ip6 = | ||
124 | { | ||
125 | .name = EBT_IP6_MATCH, | ||
126 | .match = ebt_filter_ip6, | ||
127 | .check = ebt_ip6_check, | ||
128 | .me = THIS_MODULE, | ||
129 | }; | ||
130 | |||
131 | static int __init ebt_ip6_init(void) | ||
132 | { | ||
133 | return ebt_register_match(&filter_ip6); | ||
134 | } | ||
135 | |||
136 | static void __exit ebt_ip6_fini(void) | ||
137 | { | ||
138 | ebt_unregister_match(&filter_ip6); | ||
139 | } | ||
140 | |||
141 | module_init(ebt_ip6_init); | ||
142 | module_exit(ebt_ip6_fini); | ||
143 | MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match"); | ||
144 | MODULE_LICENSE("GPL"); | ||
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c index 0b209e4aad0a..c883ec8a28b4 100644 --- a/net/bridge/netfilter/ebt_log.c +++ b/net/bridge/netfilter/ebt_log.c | |||
@@ -18,6 +18,9 @@ | |||
18 | #include <linux/if_arp.h> | 18 | #include <linux/if_arp.h> |
19 | #include <linux/spinlock.h> | 19 | #include <linux/spinlock.h> |
20 | #include <net/netfilter/nf_log.h> | 20 | #include <net/netfilter/nf_log.h> |
21 | #include <linux/ipv6.h> | ||
22 | #include <net/ipv6.h> | ||
23 | #include <linux/in6.h> | ||
21 | 24 | ||
22 | static DEFINE_SPINLOCK(ebt_log_lock); | 25 | static DEFINE_SPINLOCK(ebt_log_lock); |
23 | 26 | ||
@@ -58,6 +61,27 @@ static void print_MAC(const unsigned char *p) | |||
58 | printk("%02x%c", *p, i == ETH_ALEN - 1 ? ' ':':'); | 61 | printk("%02x%c", *p, i == ETH_ALEN - 1 ? ' ':':'); |
59 | } | 62 | } |
60 | 63 | ||
64 | static void | ||
65 | print_ports(const struct sk_buff *skb, uint8_t protocol, int offset) | ||
66 | { | ||
67 | if (protocol == IPPROTO_TCP || | ||
68 | protocol == IPPROTO_UDP || | ||
69 | protocol == IPPROTO_UDPLITE || | ||
70 | protocol == IPPROTO_SCTP || | ||
71 | protocol == IPPROTO_DCCP) { | ||
72 | const struct tcpudphdr *pptr; | ||
73 | struct tcpudphdr _ports; | ||
74 | |||
75 | pptr = skb_header_pointer(skb, offset, | ||
76 | sizeof(_ports), &_ports); | ||
77 | if (pptr == NULL) { | ||
78 | printk(" INCOMPLETE TCP/UDP header"); | ||
79 | return; | ||
80 | } | ||
81 | printk(" SPT=%u DPT=%u", ntohs(pptr->src), ntohs(pptr->dst)); | ||
82 | } | ||
83 | } | ||
84 | |||
61 | #define myNIPQUAD(a) a[0], a[1], a[2], a[3] | 85 | #define myNIPQUAD(a) a[0], a[1], a[2], a[3] |
62 | static void | 86 | static void |
63 | ebt_log_packet(unsigned int pf, unsigned int hooknum, | 87 | ebt_log_packet(unsigned int pf, unsigned int hooknum, |
@@ -95,23 +119,31 @@ ebt_log_packet(unsigned int pf, unsigned int hooknum, | |||
95 | printk(" IP SRC=%u.%u.%u.%u IP DST=%u.%u.%u.%u, IP " | 119 | printk(" IP SRC=%u.%u.%u.%u IP DST=%u.%u.%u.%u, IP " |
96 | "tos=0x%02X, IP proto=%d", NIPQUAD(ih->saddr), | 120 | "tos=0x%02X, IP proto=%d", NIPQUAD(ih->saddr), |
97 | NIPQUAD(ih->daddr), ih->tos, ih->protocol); | 121 | NIPQUAD(ih->daddr), ih->tos, ih->protocol); |
98 | if (ih->protocol == IPPROTO_TCP || | 122 | print_ports(skb, ih->protocol, ih->ihl*4); |
99 | ih->protocol == IPPROTO_UDP || | 123 | goto out; |
100 | ih->protocol == IPPROTO_UDPLITE || | 124 | } |
101 | ih->protocol == IPPROTO_SCTP || | 125 | |
102 | ih->protocol == IPPROTO_DCCP) { | 126 | if ((bitmask & EBT_LOG_IP6) && eth_hdr(skb)->h_proto == |
103 | const struct tcpudphdr *pptr; | 127 | htons(ETH_P_IPV6)) { |
104 | struct tcpudphdr _ports; | 128 | const struct ipv6hdr *ih; |
105 | 129 | struct ipv6hdr _iph; | |
106 | pptr = skb_header_pointer(skb, ih->ihl*4, | 130 | uint8_t nexthdr; |
107 | sizeof(_ports), &_ports); | 131 | int offset_ph; |
108 | if (pptr == NULL) { | 132 | |
109 | printk(" INCOMPLETE TCP/UDP header"); | 133 | ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); |
110 | goto out; | 134 | if (ih == NULL) { |
111 | } | 135 | printk(" INCOMPLETE IPv6 header"); |
112 | printk(" SPT=%u DPT=%u", ntohs(pptr->src), | 136 | goto out; |
113 | ntohs(pptr->dst)); | ||
114 | } | 137 | } |
138 | printk(" IPv6 SRC=%x:%x:%x:%x:%x:%x:%x:%x " | ||
139 | "IPv6 DST=%x:%x:%x:%x:%x:%x:%x:%x, IPv6 " | ||
140 | "priority=0x%01X, Next Header=%d", NIP6(ih->saddr), | ||
141 | NIP6(ih->daddr), ih->priority, ih->nexthdr); | ||
142 | nexthdr = ih->nexthdr; | ||
143 | offset_ph = ipv6_skip_exthdr(skb, sizeof(_iph), &nexthdr); | ||
144 | if (offset_ph == -1) | ||
145 | goto out; | ||
146 | print_ports(skb, nexthdr, offset_ph); | ||
115 | goto out; | 147 | goto out; |
116 | } | 148 | } |
117 | 149 | ||