diff options
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/netfilter/Kconfig | 10 | ||||
-rw-r--r-- | net/ipv4/netfilter/Makefile | 1 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_policy.c | 170 |
3 files changed, 181 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 88a60650e6b8..a9893ec03e02 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
@@ -487,6 +487,16 @@ config IP_NF_MATCH_STRING | |||
487 | 487 | ||
488 | To compile it as a module, choose M here. If unsure, say N. | 488 | To compile it as a module, choose M here. If unsure, say N. |
489 | 489 | ||
490 | config IP_NF_MATCH_POLICY | ||
491 | tristate "IPsec policy match support" | ||
492 | depends on IP_NF_IPTABLES && XFRM | ||
493 | help | ||
494 | Policy matching allows you to match packets based on the | ||
495 | IPsec policy that was used during decapsulation/will | ||
496 | be used during encapsulation. | ||
497 | |||
498 | To compile it as a module, choose M here. If unsure, say N. | ||
499 | |||
490 | # `filter', generic and specific targets | 500 | # `filter', generic and specific targets |
491 | config IP_NF_FILTER | 501 | config IP_NF_FILTER |
492 | tristate "Packet filtering" | 502 | tristate "Packet filtering" |
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index d0a447e520a2..549b01a648b3 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile | |||
@@ -72,6 +72,7 @@ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o | |||
72 | obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o | 72 | obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o |
73 | obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o | 73 | obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o |
74 | obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o | 74 | obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o |
75 | obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o | ||
75 | obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o | 76 | obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o |
76 | obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o | 77 | obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o |
77 | 78 | ||
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c new file mode 100644 index 000000000000..709debcc69c9 --- /dev/null +++ b/net/ipv4/netfilter/ipt_policy.c | |||
@@ -0,0 +1,170 @@ | |||
1 | /* IP tables module for matching IPsec policy | ||
2 | * | ||
3 | * Copyright (c) 2004,2005 Patrick McHardy, <kaber@trash.net> | ||
4 | * | ||
5 | * This program is free software; you can redistribute it and/or modify | ||
6 | * it under the terms of the GNU General Public License version 2 as | ||
7 | * published by the Free Software Foundation. | ||
8 | */ | ||
9 | |||
10 | #include <linux/kernel.h> | ||
11 | #include <linux/config.h> | ||
12 | #include <linux/module.h> | ||
13 | #include <linux/skbuff.h> | ||
14 | #include <linux/init.h> | ||
15 | #include <net/xfrm.h> | ||
16 | |||
17 | #include <linux/netfilter_ipv4.h> | ||
18 | #include <linux/netfilter_ipv4/ip_tables.h> | ||
19 | #include <linux/netfilter_ipv4/ipt_policy.h> | ||
20 | |||
21 | MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); | ||
22 | MODULE_DESCRIPTION("IPtables IPsec policy matching module"); | ||
23 | MODULE_LICENSE("GPL"); | ||
24 | |||
25 | |||
26 | static inline int | ||
27 | match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e) | ||
28 | { | ||
29 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) | ||
30 | |||
31 | return MATCH(saddr, x->props.saddr.a4 & e->smask) && | ||
32 | MATCH(daddr, x->id.daddr.a4 & e->dmask) && | ||
33 | MATCH(proto, x->id.proto) && | ||
34 | MATCH(mode, x->props.mode) && | ||
35 | MATCH(spi, x->id.spi) && | ||
36 | MATCH(reqid, x->props.reqid); | ||
37 | } | ||
38 | |||
39 | static int | ||
40 | match_policy_in(const struct sk_buff *skb, const struct ipt_policy_info *info) | ||
41 | { | ||
42 | const struct ipt_policy_elem *e; | ||
43 | struct sec_path *sp = skb->sp; | ||
44 | int strict = info->flags & IPT_POLICY_MATCH_STRICT; | ||
45 | int i, pos; | ||
46 | |||
47 | if (sp == NULL) | ||
48 | return -1; | ||
49 | if (strict && info->len != sp->len) | ||
50 | return 0; | ||
51 | |||
52 | for (i = sp->len - 1; i >= 0; i--) { | ||
53 | pos = strict ? i - sp->len + 1 : 0; | ||
54 | if (pos >= info->len) | ||
55 | return 0; | ||
56 | e = &info->pol[pos]; | ||
57 | |||
58 | if (match_xfrm_state(sp->x[i].xvec, e)) { | ||
59 | if (!strict) | ||
60 | return 1; | ||
61 | } else if (strict) | ||
62 | return 0; | ||
63 | } | ||
64 | |||
65 | return strict ? 1 : 0; | ||
66 | } | ||
67 | |||
68 | static int | ||
69 | match_policy_out(const struct sk_buff *skb, const struct ipt_policy_info *info) | ||
70 | { | ||
71 | const struct ipt_policy_elem *e; | ||
72 | struct dst_entry *dst = skb->dst; | ||
73 | int strict = info->flags & IPT_POLICY_MATCH_STRICT; | ||
74 | int i, pos; | ||
75 | |||
76 | if (dst->xfrm == NULL) | ||
77 | return -1; | ||
78 | |||
79 | for (i = 0; dst && dst->xfrm; dst = dst->child, i++) { | ||
80 | pos = strict ? i : 0; | ||
81 | if (pos >= info->len) | ||
82 | return 0; | ||
83 | e = &info->pol[pos]; | ||
84 | |||
85 | if (match_xfrm_state(dst->xfrm, e)) { | ||
86 | if (!strict) | ||
87 | return 1; | ||
88 | } else if (strict) | ||
89 | return 0; | ||
90 | } | ||
91 | |||
92 | return strict ? 1 : 0; | ||
93 | } | ||
94 | |||
95 | static int match(const struct sk_buff *skb, | ||
96 | const struct net_device *in, | ||
97 | const struct net_device *out, | ||
98 | const void *matchinfo, int offset, int *hotdrop) | ||
99 | { | ||
100 | const struct ipt_policy_info *info = matchinfo; | ||
101 | int ret; | ||
102 | |||
103 | if (info->flags & IPT_POLICY_MATCH_IN) | ||
104 | ret = match_policy_in(skb, info); | ||
105 | else | ||
106 | ret = match_policy_out(skb, info); | ||
107 | |||
108 | if (ret < 0) | ||
109 | ret = info->flags & IPT_POLICY_MATCH_NONE ? 1 : 0; | ||
110 | else if (info->flags & IPT_POLICY_MATCH_NONE) | ||
111 | ret = 0; | ||
112 | |||
113 | return ret; | ||
114 | } | ||
115 | |||
116 | static int checkentry(const char *tablename, const struct ipt_ip *ip, | ||
117 | void *matchinfo, unsigned int matchsize, | ||
118 | unsigned int hook_mask) | ||
119 | { | ||
120 | struct ipt_policy_info *info = matchinfo; | ||
121 | |||
122 | if (matchsize != IPT_ALIGN(sizeof(*info))) { | ||
123 | printk(KERN_ERR "ipt_policy: matchsize %u != %zu\n", | ||
124 | matchsize, IPT_ALIGN(sizeof(*info))); | ||
125 | return 0; | ||
126 | } | ||
127 | if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))) { | ||
128 | printk(KERN_ERR "ipt_policy: neither incoming nor " | ||
129 | "outgoing policy selected\n"); | ||
130 | return 0; | ||
131 | } | ||
132 | if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN) | ||
133 | && info->flags & IPT_POLICY_MATCH_OUT) { | ||
134 | printk(KERN_ERR "ipt_policy: output policy not valid in " | ||
135 | "PRE_ROUTING and INPUT\n"); | ||
136 | return 0; | ||
137 | } | ||
138 | if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT) | ||
139 | && info->flags & IPT_POLICY_MATCH_IN) { | ||
140 | printk(KERN_ERR "ipt_policy: input policy not valid in " | ||
141 | "POST_ROUTING and OUTPUT\n"); | ||
142 | return 0; | ||
143 | } | ||
144 | if (info->len > IPT_POLICY_MAX_ELEM) { | ||
145 | printk(KERN_ERR "ipt_policy: too many policy elements\n"); | ||
146 | return 0; | ||
147 | } | ||
148 | |||
149 | return 1; | ||
150 | } | ||
151 | |||
152 | static struct ipt_match policy_match = { | ||
153 | .name = "policy", | ||
154 | .match = match, | ||
155 | .checkentry = checkentry, | ||
156 | .me = THIS_MODULE, | ||
157 | }; | ||
158 | |||
159 | static int __init init(void) | ||
160 | { | ||
161 | return ipt_register_match(&policy_match); | ||
162 | } | ||
163 | |||
164 | static void __exit fini(void) | ||
165 | { | ||
166 | ipt_unregister_match(&policy_match); | ||
167 | } | ||
168 | |||
169 | module_init(init); | ||
170 | module_exit(fini); | ||