-rw-r--r--include/linux/netfilter/xt_esp.h14
-rw-r--r--include/linux/netfilter_ipv4/ipt_esp.h14
-rw-r--r--include/linux/netfilter_ipv6/ip6t_esp.h12
-rw-r--r--net/ipv4/netfilter/Kconfig8
-rw-r--r--net/ipv4/netfilter/Makefile2
-rw-r--r--net/ipv6/netfilter/Kconfig6
-rw-r--r--net/ipv6/netfilter/Makefile2
-rw-r--r--net/ipv6/netfilter/ip6t_esp.c115
-rw-r--r--net/netfilter/Kconfig9
-rw-r--r--net/netfilter/Makefile1
-rw-r--r--net/netfilter/xt_esp.c (renamed from net/ipv4/netfilter/ipt_esp.c)81
11 files changed, 94 insertions, 170 deletions
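diff --git a/include/linux/netfilter/xt_esp.h b/include/linux/netfilter/xt_esp.h
new file mode 100644
index 000000000000..9380fb1c27da
--- /dev/null
+++ b/include/linux/netfilter/xt_esp.h
@@ -0,0 +1,14 @@
+#ifndef _XT_ESP_H
+#define _XT_ESP_H
+
+struct xt_esp
+{
+	u_int32_t spis[2]; /* Security Parameter Index */
+	u_int8_t invflags; /* Inverse flags */
+};
+
+/* Values for "invflags" field in struct xt_esp. */
+#define XT_ESP_INV_SPI 0x01 /* Invert the sense of spi. */
+#define XT_ESP_INV_MASK 0x01 /* All possible flags. */
+
+#endif /*_XT_ESP_H*/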
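Review bot: struct xt_esp is now the single layout behind both the ipt_esp and ip6t_esp compat headers, so it is effectively a userspace ABI, yet nothing on the header says so and it relies on `u_int32_t`/`u_int8_t` being in scope without including anything. A short comment above the struct would protect the next maintainer from "tidying" it, e.g. `/* Shared with userspace iptables/ip6tables via the ipt_esp/ip6t_esp headers: keep the layout and the XT_ESP_INV_* values stable. */`. If the header is meant to be exported to userspace, which the compat headers suggest but this page does not state, the usual form for such headers is `__u32`/`__u8` from `<linux/types.h>` rather than the BSD-style names.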
diff --git a/include/linux/netfilter_ipv4/ipt_esp.h b/include/linux/netfilter_ipv4/ipt_esp.h
index c782a83e53e0..78296e7eeff9 100644
--- a/include/linux/netfilter_ipv4/ipt_esp.h
+++ b/include/linux/netfilter_ipv4/ipt_esp.h
@@ -1,16 +1,10 @@
1#ifndef _IPT_ESP_H 1#ifndef _IPT_ESP_H
2#define _IPT_ESP_H 2#define _IPT_ESP_H
3 3
4struct ipt_esp 4#include <linux/netfilter/xt_esp.h>
5{
6 u_int32_t spis[2]; /* Security Parameter Index */
7 u_int8_t invflags; /* Inverse flags */
8};
9 5
10 6#define ipt_esp xt_esp
11 7#define IPT_ESP_INV_SPI XT_ESP_INV_SPI
12/* Values for "invflags" field in struct ipt_esp. */ 8#define IPT_ESP_INV_MASK XT_ESP_INV_MASK
13#define IPT_ESP_INV_SPI 0x01 /* Invert the sense of spi. */
14#define IPT_ESP_INV_MASK 0x01 /* All possible flags. */
15 9
16#endif /*_IPT_ESP_H*/ 10#endif /*_IPT_ESP_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_esp.h b/include/linux/netfilter_ipv6/ip6t_esp.h
index a91b6abc8079..f62eaf53c16c 100644
--- a/include/linux/netfilter_ipv6/ip6t_esp.h
+++ b/include/linux/netfilter_ipv6/ip6t_esp.h
@@ -1,14 +1,10 @@
1#ifndef _IP6T_ESP_H 1#ifndef _IP6T_ESP_H
2#define _IP6T_ESP_H 2#define _IP6T_ESP_H
3 3
4struct ip6t_esp 4#include <linux/netfilter/xt_esp.h>
5{
6 u_int32_t spis[2]; /* Security Parameter Index */
7 u_int8_t invflags; /* Inverse flags */
8};
9 5
10/* Values for "invflags" field in struct ip6t_esp. */ 6#define ip6t_esp xt_esp
11#define IP6T_ESP_INV_SPI 0x01 /* Invert the sense of spi. */ 7#define IP6T_ESP_INV_SPI XT_ESP_INV_SPI
12#define IP6T_ESP_INV_MASK 0x01 /* All possible flags. */ 8#define IP6T_ESP_INV_MASK XT_ESP_INV_MASK
13 9
14#endif /*_IP6T_ESP_H*/ 10#endif /*_IP6T_ESP_H*/
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 882b842c25d4..ebbd644fa8c4 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -272,12 +272,12 @@ config IP_NF_MATCH_DSCP
272 272
273 To compile it as a module, choose M here. If unsure, say N. 273 To compile it as a module, choose M here. If unsure, say N.
274 274
275config IP_NF_MATCH_AH_ESP 275config IP_NF_MATCH_AH
276 tristate "AH/ESP match support" 276 tristate "AH match support"
277 depends on IP_NF_IPTABLES 277 depends on IP_NF_IPTABLES
278 help 278 help
279 These two match extensions (`ah' and `esp') allow you to match a 279 This match extension allows you to match a range of SPIs
280 range of SPIs inside AH or ESP headers of IPSec packets. 280 inside AH header of IPSec packets.
281 281
282 To compile it as a module, choose M here. If unsure, say N. 282 To compile it as a module, choose M here. If unsure, say N.
283 283
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index f2cd9a6c5b91..09ae167632e7 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -59,7 +59,7 @@ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
59obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o 59obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
60obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o 60obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
61obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o 61obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
62obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o 62obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
63obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o 63obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
64obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o 64obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
65 65
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 98f78759f1ab..bdd569fc66cb 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -115,11 +115,11 @@ config IP6_NF_MATCH_IPV6HEADER
115 115
116 To compile it as a module, choose M here. If unsure, say N. 116 To compile it as a module, choose M here. If unsure, say N.
117 117
118config IP6_NF_MATCH_AHESP 118config IP6_NF_MATCH_AH
119 tristate "AH/ESP match support" 119 tristate "AH match support"
120 depends on IP6_NF_IPTABLES 120 depends on IP6_NF_IPTABLES
121 help 121 help
122 This module allows one to match AH and ESP packets. 122 This module allows one to match AH packets.
123 123
124 To compile it as a module, choose M here. If unsure, say N. 124 To compile it as a module, choose M here. If unsure, say N.
125 125
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 8436a1a1731f..c38717011e64 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -8,7 +8,7 @@ obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
8obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o 8obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o
9obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o 9obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
10obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o 10obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
11obj-$(CONFIG_IP6_NF_MATCH_AHESP) += ip6t_esp.o ip6t_ah.o 11obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
12obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o 12obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
13obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o 13obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o
14obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o 14obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
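diff --git a/net/ipv6/netfilter/ip6t_esp.c b/net/ipv6/netfilter/ip6t_esp.c
deleted file mode 100644
index 36bedad2c6f7..000000000000
--- a/net/ipv6/netfilter/ip6t_esp.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/* Kernel module to match ESP parameters. */
-/* (C) 2001-2002 Andras Kis-Szabo <kisza@sch.bme.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <linux/ipv6.h>
-#include <linux/types.h>
-#include <net/checksum.h>
-#include <net/ipv6.h>
-
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_esp.h>
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 ESP match");
-MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
-
-#if 0
-#define DEBUGP printk
-#else
-#define DEBUGP(format, args...)
-#endif
-
-/* Returns 1 if the spi is matched by the range, 0 otherwise */
-static inline int
-spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert)
-{
-	int r=0;
-	DEBUGP("esp spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
-	       min,spi,max);
-	r=(spi >= min && spi <= max) ^ invert;
-	DEBUGP(" result %s\n",r? "PASS\n" : "FAILED\n");
-	return r;
-}
-
-static int
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const struct xt_match *match,
-      const void *matchinfo,
-      int offset,
-      unsigned int protoff,
-      int *hotdrop)
-{
-	struct ip_esp_hdr _esp, *eh;
-	const struct ip6t_esp *espinfo = matchinfo;
-	unsigned int ptr;
-
-	/* Make sure this isn't an evil packet */
-	/*DEBUGP("ipv6_esp entered \n");*/
-
-	if (ipv6_find_hdr(skb, &ptr, NEXTHDR_ESP, NULL) < 0)
-		return 0;
-
-	eh = skb_header_pointer(skb, ptr, sizeof(_esp), &_esp);
-	if (eh == NULL) {
-		*hotdrop = 1;
-		return 0;
-	}
-
-	DEBUGP("IPv6 ESP SPI %u %08X\n", ntohl(eh->spi), ntohl(eh->spi));
-
-	return (eh != NULL)
-		&& spi_match(espinfo->spis[0], espinfo->spis[1],
-			     ntohl(eh->spi),
-			     !!(espinfo->invflags & IP6T_ESP_INV_SPI));
-}
-
-/* Called when user tries to insert an entry of this type. */
-static int
-checkentry(const char *tablename,
-	   const void *ip,
-	   const struct xt_match *match,
-	   void *matchinfo,
-	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
-{
-	const struct ip6t_esp *espinfo = matchinfo;
-
-	if (espinfo->invflags & ~IP6T_ESP_INV_MASK) {
-		DEBUGP("ip6t_esp: unknown flags %X\n",
-		       espinfo->invflags);
-		return 0;
-	}
-	return 1;
-}
-
-static struct ip6t_match esp_match = {
-	.name		= "esp",
-	.match		= match,
-	.matchsize	= sizeof(struct ip6t_esp),
-	.checkentry	= checkentry,
-	.me		= THIS_MODULE,
-};
-
-static int __init ip6t_esp_init(void)
-{
-	return ip6t_register_match(&esp_match);
-}
-
-static void __exit ip6t_esp_fini(void)
-{
-	ip6t_unregister_match(&esp_match);
-}
-
-module_init(ip6t_esp_init);
-module_exit(ip6t_esp_fini);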
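diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 332acb37b385..5fe51894b120 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -231,6 +231,15 @@ config NETFILTER_XT_MATCH_DCCP
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>. If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_ESP
+	tristate '"ESP" match support'
+	depends on NETFILTER_XTABLES
+	help
+	  This match extension allows you to match a range of SPIs
+	  inside ESP header of IPSec packets.
+
+	  To compile it as a module, choose M here. If unsure, say N.
+
 config NETFILTER_XT_MATCH_HELPER
 	tristate '"helper" match support'
 	depends on NETFILTER_XTABLES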
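diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 9558727f5e79..8f02486101ab 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -35,6 +35,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o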
diff --git a/net/ipv4/netfilter/ipt_esp.c b/net/netfilter/xt_esp.c
index 3840b417a3c5..9dad6281e0c1 100644
--- a/net/ipv4/netfilter/ipt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -9,16 +9,22 @@
9 9
10#include <linux/module.h> 10#include <linux/module.h>
11#include <linux/skbuff.h> 11#include <linux/skbuff.h>
12#include <linux/in.h>
12#include <linux/ip.h> 13#include <linux/ip.h>
13 14
14#include <linux/netfilter_ipv4/ipt_esp.h> 15#include <linux/netfilter/xt_esp.h>
16#include <linux/netfilter/x_tables.h>
17
15#include <linux/netfilter_ipv4/ip_tables.h> 18#include <linux/netfilter_ipv4/ip_tables.h>
19#include <linux/netfilter_ipv6/ip6_tables.h>
16 20
17MODULE_LICENSE("GPL"); 21MODULE_LICENSE("GPL");
18MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>"); 22MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
19MODULE_DESCRIPTION("iptables ESP SPI match module"); 23MODULE_DESCRIPTION("x_tables ESP SPI match module");
24MODULE_ALIAS("ipt_esp");
25MODULE_ALIAS("ip6t_esp");
20 26
21#ifdef DEBUG_CONNTRACK 27#if 0
22#define duprintf(format, args...) printk(format , ## args) 28#define duprintf(format, args...) printk(format , ## args)
23#else 29#else
24#define duprintf(format, args...) 30#define duprintf(format, args...)
@@ -28,11 +34,11 @@ MODULE_DESCRIPTION("iptables ESP SPI match module");
28static inline int 34static inline int
29spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert) 35spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert)
30{ 36{
31 int r=0; 37 int r = 0;
32 duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ', 38 duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',
33 min,spi,max); 39 min, spi, max);
34 r=(spi >= min && spi <= max) ^ invert; 40 r = (spi >= min && spi <= max) ^ invert;
35 duprintf(" result %s\n",r? "PASS" : "FAILED"); 41 duprintf(" result %s\n", r ? "PASS" : "FAILED");
36 return r; 42 return r;
37} 43}
38 44
@@ -47,14 +53,13 @@ match(const struct sk_buff *skb,
47 int *hotdrop) 53 int *hotdrop)
48{ 54{
49 struct ip_esp_hdr _esp, *eh; 55 struct ip_esp_hdr _esp, *eh;
50 const struct ipt_esp *espinfo = matchinfo; 56 const struct xt_esp *espinfo = matchinfo;
51 57
52 /* Must not be a fragment. */ 58 /* Must not be a fragment. */
53 if (offset) 59 if (offset)
54 return 0; 60 return 0;
55 61
56 eh = skb_header_pointer(skb, protoff, 62 eh = skb_header_pointer(skb, protoff, sizeof(_esp), &_esp);
57 sizeof(_esp), &_esp);
58 if (eh == NULL) { 63 if (eh == NULL) {
59 /* We've been asked to examine this packet, and we 64 /* We've been asked to examine this packet, and we
60 * can't. Hence, no choice but to drop. 65 * can't. Hence, no choice but to drop.
@@ -64,9 +69,8 @@ match(const struct sk_buff *skb,
64 return 0; 69 return 0;
65 } 70 }
66 71
67 return spi_match(espinfo->spis[0], espinfo->spis[1], 72 return spi_match(espinfo->spis[0], espinfo->spis[1], ntohl(eh->spi),
68 ntohl(eh->spi), 73 !!(espinfo->invflags & XT_ESP_INV_SPI));
69 !!(espinfo->invflags & IPT_ESP_INV_SPI));
70} 74}
71 75
72/* Called when user tries to insert an entry of this type. */ 76/* Called when user tries to insert an entry of this type. */
@@ -78,34 +82,55 @@ checkentry(const char *tablename,
78 unsigned int matchinfosize, 82 unsigned int matchinfosize,
79 unsigned int hook_mask) 83 unsigned int hook_mask)
80{ 84{
81 const struct ipt_esp *espinfo = matchinfo; 85 const struct xt_esp *espinfo = matchinfo;
82 86
83 /* Must specify no unknown invflags */ 87 if (espinfo->invflags & ~XT_ESP_INV_MASK) {
84 if (espinfo->invflags & ~IPT_ESP_INV_MASK) { 88 duprintf("xt_esp: unknown flags %X\n", espinfo->invflags);
85 duprintf("ipt_esp: unknown flags %X\n", espinfo->invflags);
86 return 0; 89 return 0;
87 } 90 }
91
88 return 1; 92 return 1;
89} 93}
90 94
91static struct ipt_match esp_match = { 95static struct xt_match esp_match = {
92 .name = "esp", 96 .name = "esp",
93 .match = match, 97 .family = AF_INET,
94 .matchsize = sizeof(struct ipt_esp),
95 .proto = IPPROTO_ESP, 98 .proto = IPPROTO_ESP,
96 .checkentry = checkentry, 99 .match = &match,
100 .matchsize = sizeof(struct xt_esp),
101 .checkentry = &checkentry,
97 .me = THIS_MODULE, 102 .me = THIS_MODULE,
98}; 103};
99 104
100static int __init ipt_esp_init(void) 105static struct xt_match esp6_match = {
106 .name = "esp",
107 .family = AF_INET6,
108 .proto = IPPROTO_ESP,
109 .match = &match,
110 .matchsize = sizeof(struct xt_esp),
111 .checkentry = &checkentry,
112 .me = THIS_MODULE,
113};
114
115static int __init xt_esp_init(void)
101{ 116{
102 return ipt_register_match(&esp_match); 117 int ret;
118 ret = xt_register_match(&esp_match);
119 if (ret)
120 return ret;
121
122 ret = xt_register_match(&esp6_match);
123 if (ret)
124 xt_unregister_match(&esp_match);
125
126 return ret;
103} 127}
104 128
105static void __exit ipt_esp_fini(void) 129static void __exit xt_esp_cleanup(void)
106{ 130{
107 ipt_unregister_match(&esp_match); 131 xt_unregister_match(&esp_match);
132 xt_unregister_match(&esp6_match);
108} 133}
109 134
110module_init(ipt_esp_init); 135module_init(xt_esp_init);
111module_exit(ipt_esp_fini); 136module_exit(xt_esp_cleanup);
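Review bot: checkentry (its signature starts above this hunk) still validates only invflags, so a struct xt_esp whose spis[0] exceeds spis[1] is accepted and the resulting rule can never match (or, with XT_ESP_INV_SPI set, always matches); now that a single checkentry serves both the AF_INET and AF_INET6 registrations it is worth rejecting that here rather than relying on userspace to order the pair, e.g. `if (espinfo->spis[0] > espinfo->spis[1]) { duprintf("xt_esp: bad spi range %u-%u\n", espinfo->spis[0], espinfo->spis[1]); return 0; }`. Whether current iptables already refuses such a range cannot be told from this page, so if it does, a one-line comment above the invflags check stating that assumption would serve the same purpose. Separately, the first hunk moves the debug switch from `#ifdef DEBUG_CONNTRACK` to `#if 0`, which leaves the duprintf output unreachable without editing the file; a named macro such as `#ifdef DEBUG` keeps it togglable from the build.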