Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/netfilter/ip6t_dst.c | 151 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_eui64.c | 68 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_frag.c | 157 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_hbh.c | 151 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_ipv6header.c | 79 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_owner.c | 28 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_rt.c | 215 |
7 files changed, 427 insertions, 422 deletions
diff --git a/net/ipv6/netfilter/ip6t_dst.c b/net/ipv6/netfilter/ip6t_dst.c index 80fe82669ce2..b4c153a53500 100644 --- a/net/ipv6/netfilter/ip6t_dst.c +++ b/net/ipv6/netfilter/ip6t_dst.c | |||
@@ -36,19 +36,19 @@ MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); | |||
36 | #endif | 36 | #endif |
37 | 37 | ||
38 | /* | 38 | /* |
39 | * (Type & 0xC0) >> 6 | 39 | * (Type & 0xC0) >> 6 |
40 | * 0 -> ignorable | 40 | * 0 -> ignorable |
41 | * 1 -> must drop the packet | 41 | * 1 -> must drop the packet |
42 | * 2 -> send ICMP PARM PROB regardless and drop packet | 42 | * 2 -> send ICMP PARM PROB regardless and drop packet |
43 | * 3 -> Send ICMP if not a multicast address and drop packet | 43 | * 3 -> Send ICMP if not a multicast address and drop packet |
44 | * (Type & 0x20) >> 5 | 44 | * (Type & 0x20) >> 5 |
45 | * 0 -> invariant | 45 | * 0 -> invariant |
46 | * 1 -> can change the routing | 46 | * 1 -> can change the routing |
47 | * (Type & 0x1F) Type | 47 | * (Type & 0x1F) Type |
48 | * 0 -> Pad1 (only 1 byte!) | 48 | * 0 -> Pad1 (only 1 byte!) |
49 | * 1 -> PadN LENGTH info (total length = length + 2) | 49 | * 1 -> PadN LENGTH info (total length = length + 2) |
50 | * C0 | 2 -> JUMBO 4 x x x x ( xxxx > 64k ) | 50 | * C0 | 2 -> JUMBO 4 x x x x ( xxxx > 64k ) |
51 | * 5 -> RTALERT 2 x x | 51 | * 5 -> RTALERT 2 x x |
52 | */ | 52 | */ |
53 | 53 | ||
54 | static int | 54 | static int |
@@ -60,16 +60,16 @@ match(const struct sk_buff *skb, | |||
60 | unsigned int protoff, | 60 | unsigned int protoff, |
61 | int *hotdrop) | 61 | int *hotdrop) |
62 | { | 62 | { |
63 | struct ipv6_opt_hdr _optsh, *oh; | 63 | struct ipv6_opt_hdr _optsh, *oh; |
64 | const struct ip6t_opts *optinfo = matchinfo; | 64 | const struct ip6t_opts *optinfo = matchinfo; |
65 | unsigned int temp; | 65 | unsigned int temp; |
66 | unsigned int ptr; | 66 | unsigned int ptr; |
67 | unsigned int hdrlen = 0; | 67 | unsigned int hdrlen = 0; |
68 | unsigned int ret = 0; | 68 | unsigned int ret = 0; |
69 | u8 _opttype, *tp = NULL; | 69 | u8 _opttype, *tp = NULL; |
70 | u8 _optlen, *lp = NULL; | 70 | u8 _optlen, *lp = NULL; |
71 | unsigned int optlen; | 71 | unsigned int optlen; |
72 | 72 | ||
73 | #if HOPBYHOP | 73 | #if HOPBYHOP |
74 | if (ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL) < 0) | 74 | if (ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL) < 0) |
75 | #else | 75 | #else |
@@ -77,42 +77,41 @@ match(const struct sk_buff *skb, | |||
77 | #endif | 77 | #endif |
78 | return 0; | 78 | return 0; |
79 | 79 | ||
80 | oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); | 80 | oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); |
81 | if (oh == NULL){ | 81 | if (oh == NULL) { |
82 | *hotdrop = 1; | 82 | *hotdrop = 1; |
83 | return 0; | 83 | return 0; |
84 | } | 84 | } |
85 | 85 | ||
86 | hdrlen = ipv6_optlen(oh); | 86 | hdrlen = ipv6_optlen(oh); |
87 | if (skb->len - ptr < hdrlen){ | 87 | if (skb->len - ptr < hdrlen) { |
88 | /* Packet smaller than it's length field */ | 88 | /* Packet smaller than it's length field */ |
89 | return 0; | 89 | return 0; |
90 | } | 90 | } |
91 | 91 | ||
92 | DEBUGP("IPv6 OPTS LEN %u %u ", hdrlen, oh->hdrlen); | 92 | DEBUGP("IPv6 OPTS LEN %u %u ", hdrlen, oh->hdrlen); |
93 | 93 | ||
94 | DEBUGP("len %02X %04X %02X ", | 94 | DEBUGP("len %02X %04X %02X ", |
95 | optinfo->hdrlen, hdrlen, | 95 | optinfo->hdrlen, hdrlen, |
96 | (!(optinfo->flags & IP6T_OPTS_LEN) || | 96 | (!(optinfo->flags & IP6T_OPTS_LEN) || |
97 | ((optinfo->hdrlen == hdrlen) ^ | 97 | ((optinfo->hdrlen == hdrlen) ^ |
98 | !!(optinfo->invflags & IP6T_OPTS_INV_LEN)))); | 98 | !!(optinfo->invflags & IP6T_OPTS_INV_LEN)))); |
99 | 99 | ||
100 | ret = (oh != NULL) | 100 | ret = (oh != NULL) && |
101 | && | 101 | (!(optinfo->flags & IP6T_OPTS_LEN) || |
102 | (!(optinfo->flags & IP6T_OPTS_LEN) || | 102 | ((optinfo->hdrlen == hdrlen) ^ |
103 | ((optinfo->hdrlen == hdrlen) ^ | 103 | !!(optinfo->invflags & IP6T_OPTS_INV_LEN))); |
104 | !!(optinfo->invflags & IP6T_OPTS_INV_LEN))); | 104 | |
105 | 105 | ptr += 2; | |
106 | ptr += 2; | 106 | hdrlen -= 2; |
107 | hdrlen -= 2; | 107 | if (!(optinfo->flags & IP6T_OPTS_OPTS)) { |
108 | if ( !(optinfo->flags & IP6T_OPTS_OPTS) ){ | 108 | return ret; |
109 | return ret; | ||
110 | } else if (optinfo->flags & IP6T_OPTS_NSTRICT) { | 109 | } else if (optinfo->flags & IP6T_OPTS_NSTRICT) { |
111 | DEBUGP("Not strict - not implemented"); | 110 | DEBUGP("Not strict - not implemented"); |
112 | } else { | 111 | } else { |
113 | DEBUGP("Strict "); | 112 | DEBUGP("Strict "); |
114 | DEBUGP("#%d ",optinfo->optsnr); | 113 | DEBUGP("#%d ", optinfo->optsnr); |
115 | for(temp=0; temp<optinfo->optsnr; temp++){ | 114 | for (temp = 0; temp < optinfo->optsnr; temp++) { |
116 | /* type field exists ? */ | 115 | /* type field exists ? */ |
117 | if (hdrlen < 1) | 116 | if (hdrlen < 1) |
118 | break; | 117 | break; |
@@ -122,10 +121,10 @@ match(const struct sk_buff *skb, | |||
122 | break; | 121 | break; |
123 | 122 | ||
124 | /* Type check */ | 123 | /* Type check */ |
125 | if (*tp != (optinfo->opts[temp] & 0xFF00)>>8){ | 124 | if (*tp != (optinfo->opts[temp] & 0xFF00) >> 8) { |
126 | DEBUGP("Tbad %02X %02X\n", | 125 | DEBUGP("Tbad %02X %02X\n", |
127 | *tp, | 126 | *tp, |
128 | (optinfo->opts[temp] & 0xFF00)>>8); | 127 | (optinfo->opts[temp] & 0xFF00) >> 8); |
129 | return 0; | 128 | return 0; |
130 | } else { | 129 | } else { |
131 | DEBUGP("Tok "); | 130 | DEBUGP("Tok "); |
@@ -169,7 +168,8 @@ match(const struct sk_buff *skb, | |||
169 | } | 168 | } |
170 | if (temp == optinfo->optsnr) | 169 | if (temp == optinfo->optsnr) |
171 | return ret; | 170 | return ret; |
172 | else return 0; | 171 | else |
172 | return 0; | ||
173 | } | 173 | } |
174 | 174 | ||
175 | return 0; | 175 | return 0; |
@@ -178,25 +178,24 @@ match(const struct sk_buff *skb, | |||
178 | /* Called when user tries to insert an entry of this type. */ | 178 | /* Called when user tries to insert an entry of this type. */ |
179 | static int | 179 | static int |
180 | checkentry(const char *tablename, | 180 | checkentry(const char *tablename, |
181 | const void *info, | 181 | const void *info, |
182 | void *matchinfo, | 182 | void *matchinfo, |
183 | unsigned int matchinfosize, | 183 | unsigned int matchinfosize, |
184 | unsigned int hook_mask) | 184 | unsigned int hook_mask) |
185 | { | 185 | { |
186 | const struct ip6t_opts *optsinfo = matchinfo; | 186 | const struct ip6t_opts *optsinfo = matchinfo; |
187 | 187 | ||
188 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_opts))) { | 188 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_opts))) { |
189 | DEBUGP("ip6t_opts: matchsize %u != %u\n", | 189 | DEBUGP("ip6t_opts: matchsize %u != %u\n", |
190 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_opts))); | 190 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_opts))); |
191 | return 0; | 191 | return 0; |
192 | } | 192 | } |
193 | if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { | 193 | if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { |
194 | DEBUGP("ip6t_opts: unknown flags %X\n", | 194 | DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags); |
195 | optsinfo->invflags); | 195 | return 0; |
196 | return 0; | 196 | } |
197 | } | 197 | |
198 | 198 | return 1; | |
199 | return 1; | ||
200 | } | 199 | } |
201 | 200 | ||
202 | static struct ip6t_match opts_match = { | 201 | static struct ip6t_match opts_match = { |
@@ -212,12 +211,12 @@ static struct ip6t_match opts_match = { | |||
212 | 211 | ||
213 | static int __init init(void) | 212 | static int __init init(void) |
214 | { | 213 | { |
215 | return ip6t_register_match(&opts_match); | 214 | return ip6t_register_match(&opts_match); |
216 | } | 215 | } |
217 | 216 | ||
218 | static void __exit cleanup(void) | 217 | static void __exit cleanup(void) |
219 | { | 218 | { |
220 | ip6t_unregister_match(&opts_match); | 219 | ip6t_unregister_match(&opts_match); |
221 | } | 220 | } |
222 | 221 | ||
223 | module_init(init); | 222 | module_init(init); |
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c index ddf5f571909c..27396ac0b9ed 100644 --- a/net/ipv6/netfilter/ip6t_eui64.c +++ b/net/ipv6/netfilter/ip6t_eui64.c | |||
@@ -27,45 +27,45 @@ match(const struct sk_buff *skb, | |||
27 | unsigned int protoff, | 27 | unsigned int protoff, |
28 | int *hotdrop) | 28 | int *hotdrop) |
29 | { | 29 | { |
30 | unsigned char eui64[8]; | ||
31 | int i = 0; | ||
30 | 32 | ||
31 | unsigned char eui64[8]; | 33 | if (!(skb->mac.raw >= skb->head && |
32 | int i=0; | 34 | (skb->mac.raw + ETH_HLEN) <= skb->data) && |
33 | 35 | offset != 0) { | |
34 | if ( !(skb->mac.raw >= skb->head | 36 | *hotdrop = 1; |
35 | && (skb->mac.raw + ETH_HLEN) <= skb->data) | 37 | return 0; |
36 | && offset != 0) { | 38 | } |
37 | *hotdrop = 1; | 39 | |
38 | return 0; | 40 | memset(eui64, 0, sizeof(eui64)); |
39 | } | 41 | |
40 | 42 | if (eth_hdr(skb)->h_proto == ntohs(ETH_P_IPV6)) { | |
41 | memset(eui64, 0, sizeof(eui64)); | 43 | if (skb->nh.ipv6h->version == 0x6) { |
42 | 44 | memcpy(eui64, eth_hdr(skb)->h_source, 3); | |
43 | if (eth_hdr(skb)->h_proto == ntohs(ETH_P_IPV6)) { | 45 | memcpy(eui64 + 5, eth_hdr(skb)->h_source + 3, 3); |
44 | if (skb->nh.ipv6h->version == 0x6) { | 46 | eui64[3] = 0xff; |
45 | memcpy(eui64, eth_hdr(skb)->h_source, 3); | 47 | eui64[4] = 0xfe; |
46 | memcpy(eui64 + 5, eth_hdr(skb)->h_source + 3, 3); | 48 | eui64[0] |= 0x02; |
47 | eui64[3]=0xff; | 49 | |
48 | eui64[4]=0xfe; | 50 | i = 0; |
49 | eui64[0] |= 0x02; | 51 | while ((skb->nh.ipv6h->saddr.s6_addr[8+i] == eui64[i]) |
50 | 52 | && (i < 8)) | |
51 | i=0; | 53 | i++; |
52 | while ((skb->nh.ipv6h->saddr.s6_addr[8+i] == | 54 | |
53 | eui64[i]) && (i<8)) i++; | 55 | if (i == 8) |
54 | 56 | return 1; | |
55 | if ( i == 8 ) | 57 | } |
56 | return 1; | 58 | } |
57 | } | 59 | |
58 | } | 60 | return 0; |
59 | |||
60 | return 0; | ||
61 | } | 61 | } |
62 | 62 | ||
63 | static int | 63 | static int |
64 | ip6t_eui64_checkentry(const char *tablename, | 64 | ip6t_eui64_checkentry(const char *tablename, |
65 | const void *ip, | 65 | const void *ip, |
66 | void *matchinfo, | 66 | void *matchinfo, |
67 | unsigned int matchsize, | 67 | unsigned int matchsize, |
68 | unsigned int hook_mask) | 68 | unsigned int hook_mask) |
69 | { | 69 | { |
70 | if (hook_mask | 70 | if (hook_mask |
71 | & ~((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) | | 71 | & ~((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) | |
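Review bot: The re-laid-out loop in match() still evaluates `skb->nh.ipv6h->saddr.s6_addr[8+i] == eui64[i]` before `i < 8`, so when all eight bytes match, the last test reads one element past both arrays; putting the bound first, `while (i < 8 && skb->nh.ipv6h->saddr.s6_addr[8 + i] == eui64[i])`, removes the over-read. The guard at the top sets `*hotdrop` only when the MAC header range check fails and `offset != 0`, so with offset 0 an skb that fails the range check still reaches `eth_hdr(skb)->h_proto`; the range check looks like it should reject on its own. `ntohs(ETH_P_IPV6)` yields the same value but would read more accurately as `htons(ETH_P_IPV6)`, since a host-order constant is being compared with a wire-order field. The signature of match() starts above the hunk.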
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c index a9964b946ed5..4c14125a0e26 100644 --- a/net/ipv6/netfilter/ip6t_frag.c +++ b/net/ipv6/netfilter/ip6t_frag.c | |||
@@ -31,12 +31,12 @@ MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); | |||
31 | static inline int | 31 | static inline int |
32 | id_match(u_int32_t min, u_int32_t max, u_int32_t id, int invert) | 32 | id_match(u_int32_t min, u_int32_t max, u_int32_t id, int invert) |
33 | { | 33 | { |
34 | int r=0; | 34 | int r = 0; |
35 | DEBUGP("frag id_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ', | 35 | DEBUGP("frag id_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ', |
36 | min,id,max); | 36 | min, id, max); |
37 | r=(id >= min && id <= max) ^ invert; | 37 | r = (id >= min && id <= max) ^ invert; |
38 | DEBUGP(" result %s\n",r? "PASS" : "FAILED"); | 38 | DEBUGP(" result %s\n", r ? "PASS" : "FAILED"); |
39 | return r; | 39 | return r; |
40 | } | 40 | } |
41 | 41 | ||
42 | static int | 42 | static int |
@@ -48,92 +48,91 @@ match(const struct sk_buff *skb, | |||
48 | unsigned int protoff, | 48 | unsigned int protoff, |
49 | int *hotdrop) | 49 | int *hotdrop) |
50 | { | 50 | { |
51 | struct frag_hdr _frag, *fh; | 51 | struct frag_hdr _frag, *fh; |
52 | const struct ip6t_frag *fraginfo = matchinfo; | 52 | const struct ip6t_frag *fraginfo = matchinfo; |
53 | unsigned int ptr; | 53 | unsigned int ptr; |
54 | 54 | ||
55 | if (ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL) < 0) | 55 | if (ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL) < 0) |
56 | return 0; | 56 | return 0; |
57 | 57 | ||
58 | fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); | 58 | fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); |
59 | if (fh == NULL){ | 59 | if (fh == NULL) { |
60 | *hotdrop = 1; | 60 | *hotdrop = 1; |
61 | return 0; | 61 | return 0; |
62 | } | 62 | } |
63 | 63 | ||
64 | DEBUGP("INFO %04X ", fh->frag_off); | 64 | DEBUGP("INFO %04X ", fh->frag_off); |
65 | DEBUGP("OFFSET %04X ", ntohs(fh->frag_off) & ~0x7); | 65 | DEBUGP("OFFSET %04X ", ntohs(fh->frag_off) & ~0x7); |
66 | DEBUGP("RES %02X %04X", fh->reserved, ntohs(fh->frag_off) & 0x6); | 66 | DEBUGP("RES %02X %04X", fh->reserved, ntohs(fh->frag_off) & 0x6); |
67 | DEBUGP("MF %04X ", fh->frag_off & htons(IP6_MF)); | 67 | DEBUGP("MF %04X ", fh->frag_off & htons(IP6_MF)); |
68 | DEBUGP("ID %u %08X\n", ntohl(fh->identification), | 68 | DEBUGP("ID %u %08X\n", ntohl(fh->identification), |
69 | ntohl(fh->identification)); | 69 | ntohl(fh->identification)); |
70 | 70 | ||
71 | DEBUGP("IPv6 FRAG id %02X ", | 71 | DEBUGP("IPv6 FRAG id %02X ", |
72 | (id_match(fraginfo->ids[0], fraginfo->ids[1], | 72 | (id_match(fraginfo->ids[0], fraginfo->ids[1], |
73 | ntohl(fh->identification), | 73 | ntohl(fh->identification), |
74 | !!(fraginfo->invflags & IP6T_FRAG_INV_IDS)))); | 74 | !!(fraginfo->invflags & IP6T_FRAG_INV_IDS)))); |
75 | DEBUGP("res %02X %02X%04X %02X ", | 75 | DEBUGP("res %02X %02X%04X %02X ", |
76 | (fraginfo->flags & IP6T_FRAG_RES), fh->reserved, | 76 | (fraginfo->flags & IP6T_FRAG_RES), fh->reserved, |
77 | ntohs(fh->frag_off) & 0x6, | 77 | ntohs(fh->frag_off) & 0x6, |
78 | !((fraginfo->flags & IP6T_FRAG_RES) | 78 | !((fraginfo->flags & IP6T_FRAG_RES) |
79 | && (fh->reserved || (ntohs(fh->frag_off) & 0x06)))); | 79 | && (fh->reserved || (ntohs(fh->frag_off) & 0x06)))); |
80 | DEBUGP("first %02X %02X %02X ", | 80 | DEBUGP("first %02X %02X %02X ", |
81 | (fraginfo->flags & IP6T_FRAG_FST), | 81 | (fraginfo->flags & IP6T_FRAG_FST), |
82 | ntohs(fh->frag_off) & ~0x7, | 82 | ntohs(fh->frag_off) & ~0x7, |
83 | !((fraginfo->flags & IP6T_FRAG_FST) | 83 | !((fraginfo->flags & IP6T_FRAG_FST) |
84 | && (ntohs(fh->frag_off) & ~0x7))); | 84 | && (ntohs(fh->frag_off) & ~0x7))); |
85 | DEBUGP("mf %02X %02X %02X ", | 85 | DEBUGP("mf %02X %02X %02X ", |
86 | (fraginfo->flags & IP6T_FRAG_MF), | 86 | (fraginfo->flags & IP6T_FRAG_MF), |
87 | ntohs(fh->frag_off) & IP6_MF, | 87 | ntohs(fh->frag_off) & IP6_MF, |
88 | !((fraginfo->flags & IP6T_FRAG_MF) | 88 | !((fraginfo->flags & IP6T_FRAG_MF) |
89 | && !((ntohs(fh->frag_off) & IP6_MF)))); | 89 | && !((ntohs(fh->frag_off) & IP6_MF)))); |
90 | DEBUGP("last %02X %02X %02X\n", | 90 | DEBUGP("last %02X %02X %02X\n", |
91 | (fraginfo->flags & IP6T_FRAG_NMF), | 91 | (fraginfo->flags & IP6T_FRAG_NMF), |
92 | ntohs(fh->frag_off) & IP6_MF, | 92 | ntohs(fh->frag_off) & IP6_MF, |
93 | !((fraginfo->flags & IP6T_FRAG_NMF) | 93 | !((fraginfo->flags & IP6T_FRAG_NMF) |
94 | && (ntohs(fh->frag_off) & IP6_MF))); | 94 | && (ntohs(fh->frag_off) & IP6_MF))); |
95 | 95 | ||
96 | return (fh != NULL) | 96 | return (fh != NULL) |
97 | && | 97 | && |
98 | (id_match(fraginfo->ids[0], fraginfo->ids[1], | 98 | (id_match(fraginfo->ids[0], fraginfo->ids[1], |
99 | ntohl(fh->identification), | 99 | ntohl(fh->identification), |
100 | !!(fraginfo->invflags & IP6T_FRAG_INV_IDS))) | 100 | !!(fraginfo->invflags & IP6T_FRAG_INV_IDS))) |
101 | && | 101 | && |
102 | !((fraginfo->flags & IP6T_FRAG_RES) | 102 | !((fraginfo->flags & IP6T_FRAG_RES) |
103 | && (fh->reserved || (ntohs(fh->frag_off) & 0x6))) | 103 | && (fh->reserved || (ntohs(fh->frag_off) & 0x6))) |
104 | && | 104 | && |
105 | !((fraginfo->flags & IP6T_FRAG_FST) | 105 | !((fraginfo->flags & IP6T_FRAG_FST) |
106 | && (ntohs(fh->frag_off) & ~0x7)) | 106 | && (ntohs(fh->frag_off) & ~0x7)) |
107 | && | 107 | && |
108 | !((fraginfo->flags & IP6T_FRAG_MF) | 108 | !((fraginfo->flags & IP6T_FRAG_MF) |
109 | && !(ntohs(fh->frag_off) & IP6_MF)) | 109 | && !(ntohs(fh->frag_off) & IP6_MF)) |
110 | && | 110 | && |
111 | !((fraginfo->flags & IP6T_FRAG_NMF) | 111 | !((fraginfo->flags & IP6T_FRAG_NMF) |
112 | && (ntohs(fh->frag_off) & IP6_MF)); | 112 | && (ntohs(fh->frag_off) & IP6_MF)); |
113 | } | 113 | } |
114 | 114 | ||
115 | /* Called when user tries to insert an entry of this type. */ | 115 | /* Called when user tries to insert an entry of this type. */ |
116 | static int | 116 | static int |
117 | checkentry(const char *tablename, | 117 | checkentry(const char *tablename, |
118 | const void *ip, | 118 | const void *ip, |
119 | void *matchinfo, | 119 | void *matchinfo, |
120 | unsigned int matchinfosize, | 120 | unsigned int matchinfosize, |
121 | unsigned int hook_mask) | 121 | unsigned int hook_mask) |
122 | { | 122 | { |
123 | const struct ip6t_frag *fraginfo = matchinfo; | 123 | const struct ip6t_frag *fraginfo = matchinfo; |
124 | 124 | ||
125 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_frag))) { | 125 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_frag))) { |
126 | DEBUGP("ip6t_frag: matchsize %u != %u\n", | 126 | DEBUGP("ip6t_frag: matchsize %u != %u\n", |
127 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_frag))); | 127 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_frag))); |
128 | return 0; | 128 | return 0; |
129 | } | 129 | } |
130 | if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) { | 130 | if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) { |
131 | DEBUGP("ip6t_frag: unknown flags %X\n", | 131 | DEBUGP("ip6t_frag: unknown flags %X\n", fraginfo->invflags); |
132 | fraginfo->invflags); | 132 | return 0; |
133 | return 0; | 133 | } |
134 | } | 134 | |
135 | 135 | return 1; | |
136 | return 1; | ||
137 | } | 136 | } |
138 | 137 | ||
139 | static struct ip6t_match frag_match = { | 138 | static struct ip6t_match frag_match = { |
@@ -145,12 +144,12 @@ static struct ip6t_match frag_match = { | |||
145 | 144 | ||
146 | static int __init init(void) | 145 | static int __init init(void) |
147 | { | 146 | { |
148 | return ip6t_register_match(&frag_match); | 147 | return ip6t_register_match(&frag_match); |
149 | } | 148 | } |
150 | 149 | ||
151 | static void __exit cleanup(void) | 150 | static void __exit cleanup(void) |
152 | { | 151 | { |
153 | ip6t_unregister_match(&frag_match); | 152 | ip6t_unregister_match(&frag_match); |
154 | } | 153 | } |
155 | 154 | ||
156 | module_init(init); | 155 | module_init(init); |
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c index ed8ded18bbd4..37a8474a7e0c 100644 --- a/net/ipv6/netfilter/ip6t_hbh.c +++ b/net/ipv6/netfilter/ip6t_hbh.c | |||
@@ -36,19 +36,19 @@ MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); | |||
36 | #endif | 36 | #endif |
37 | 37 | ||
38 | /* | 38 | /* |
39 | * (Type & 0xC0) >> 6 | 39 | * (Type & 0xC0) >> 6 |
40 | * 0 -> ignorable | 40 | * 0 -> ignorable |
41 | * 1 -> must drop the packet | 41 | * 1 -> must drop the packet |
42 | * 2 -> send ICMP PARM PROB regardless and drop packet | 42 | * 2 -> send ICMP PARM PROB regardless and drop packet |
43 | * 3 -> Send ICMP if not a multicast address and drop packet | 43 | * 3 -> Send ICMP if not a multicast address and drop packet |
44 | * (Type & 0x20) >> 5 | 44 | * (Type & 0x20) >> 5 |
45 | * 0 -> invariant | 45 | * 0 -> invariant |
46 | * 1 -> can change the routing | 46 | * 1 -> can change the routing |
47 | * (Type & 0x1F) Type | 47 | * (Type & 0x1F) Type |
48 | * 0 -> Pad1 (only 1 byte!) | 48 | * 0 -> Pad1 (only 1 byte!) |
49 | * 1 -> PadN LENGTH info (total length = length + 2) | 49 | * 1 -> PadN LENGTH info (total length = length + 2) |
50 | * C0 | 2 -> JUMBO 4 x x x x ( xxxx > 64k ) | 50 | * C0 | 2 -> JUMBO 4 x x x x ( xxxx > 64k ) |
51 | * 5 -> RTALERT 2 x x | 51 | * 5 -> RTALERT 2 x x |
52 | */ | 52 | */ |
53 | 53 | ||
54 | static int | 54 | static int |
@@ -60,16 +60,16 @@ match(const struct sk_buff *skb, | |||
60 | unsigned int protoff, | 60 | unsigned int protoff, |
61 | int *hotdrop) | 61 | int *hotdrop) |
62 | { | 62 | { |
63 | struct ipv6_opt_hdr _optsh, *oh; | 63 | struct ipv6_opt_hdr _optsh, *oh; |
64 | const struct ip6t_opts *optinfo = matchinfo; | 64 | const struct ip6t_opts *optinfo = matchinfo; |
65 | unsigned int temp; | 65 | unsigned int temp; |
66 | unsigned int ptr; | 66 | unsigned int ptr; |
67 | unsigned int hdrlen = 0; | 67 | unsigned int hdrlen = 0; |
68 | unsigned int ret = 0; | 68 | unsigned int ret = 0; |
69 | u8 _opttype, *tp = NULL; | 69 | u8 _opttype, *tp = NULL; |
70 | u8 _optlen, *lp = NULL; | 70 | u8 _optlen, *lp = NULL; |
71 | unsigned int optlen; | 71 | unsigned int optlen; |
72 | 72 | ||
73 | #if HOPBYHOP | 73 | #if HOPBYHOP |
74 | if (ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL) < 0) | 74 | if (ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL) < 0) |
75 | #else | 75 | #else |
@@ -77,42 +77,41 @@ match(const struct sk_buff *skb, | |||
77 | #endif | 77 | #endif |
78 | return 0; | 78 | return 0; |
79 | 79 | ||
80 | oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); | 80 | oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); |
81 | if (oh == NULL){ | 81 | if (oh == NULL) { |
82 | *hotdrop = 1; | 82 | *hotdrop = 1; |
83 | return 0; | 83 | return 0; |
84 | } | 84 | } |
85 | 85 | ||
86 | hdrlen = ipv6_optlen(oh); | 86 | hdrlen = ipv6_optlen(oh); |
87 | if (skb->len - ptr < hdrlen){ | 87 | if (skb->len - ptr < hdrlen) { |
88 | /* Packet smaller than it's length field */ | 88 | /* Packet smaller than it's length field */ |
89 | return 0; | 89 | return 0; |
90 | } | 90 | } |
91 | 91 | ||
92 | DEBUGP("IPv6 OPTS LEN %u %u ", hdrlen, oh->hdrlen); | 92 | DEBUGP("IPv6 OPTS LEN %u %u ", hdrlen, oh->hdrlen); |
93 | 93 | ||
94 | DEBUGP("len %02X %04X %02X ", | 94 | DEBUGP("len %02X %04X %02X ", |
95 | optinfo->hdrlen, hdrlen, | 95 | optinfo->hdrlen, hdrlen, |
96 | (!(optinfo->flags & IP6T_OPTS_LEN) || | 96 | (!(optinfo->flags & IP6T_OPTS_LEN) || |
97 | ((optinfo->hdrlen == hdrlen) ^ | 97 | ((optinfo->hdrlen == hdrlen) ^ |
98 | !!(optinfo->invflags & IP6T_OPTS_INV_LEN)))); | 98 | !!(optinfo->invflags & IP6T_OPTS_INV_LEN)))); |
99 | 99 | ||
100 | ret = (oh != NULL) | 100 | ret = (oh != NULL) && |
101 | && | 101 | (!(optinfo->flags & IP6T_OPTS_LEN) || |
102 | (!(optinfo->flags & IP6T_OPTS_LEN) || | 102 | ((optinfo->hdrlen == hdrlen) ^ |
103 | ((optinfo->hdrlen == hdrlen) ^ | 103 | !!(optinfo->invflags & IP6T_OPTS_INV_LEN))); |
104 | !!(optinfo->invflags & IP6T_OPTS_INV_LEN))); | 104 | |
105 | 105 | ptr += 2; | |
106 | ptr += 2; | 106 | hdrlen -= 2; |
107 | hdrlen -= 2; | 107 | if (!(optinfo->flags & IP6T_OPTS_OPTS)) { |
108 | if ( !(optinfo->flags & IP6T_OPTS_OPTS) ){ | 108 | return ret; |
109 | return ret; | ||
110 | } else if (optinfo->flags & IP6T_OPTS_NSTRICT) { | 109 | } else if (optinfo->flags & IP6T_OPTS_NSTRICT) { |
111 | DEBUGP("Not strict - not implemented"); | 110 | DEBUGP("Not strict - not implemented"); |
112 | } else { | 111 | } else { |
113 | DEBUGP("Strict "); | 112 | DEBUGP("Strict "); |
114 | DEBUGP("#%d ",optinfo->optsnr); | 113 | DEBUGP("#%d ", optinfo->optsnr); |
115 | for(temp=0; temp<optinfo->optsnr; temp++){ | 114 | for (temp = 0; temp < optinfo->optsnr; temp++) { |
116 | /* type field exists ? */ | 115 | /* type field exists ? */ |
117 | if (hdrlen < 1) | 116 | if (hdrlen < 1) |
118 | break; | 117 | break; |
@@ -122,10 +121,10 @@ match(const struct sk_buff *skb, | |||
122 | break; | 121 | break; |
123 | 122 | ||
124 | /* Type check */ | 123 | /* Type check */ |
125 | if (*tp != (optinfo->opts[temp] & 0xFF00)>>8){ | 124 | if (*tp != (optinfo->opts[temp] & 0xFF00) >> 8) { |
126 | DEBUGP("Tbad %02X %02X\n", | 125 | DEBUGP("Tbad %02X %02X\n", |
127 | *tp, | 126 | *tp, |
128 | (optinfo->opts[temp] & 0xFF00)>>8); | 127 | (optinfo->opts[temp] & 0xFF00) >> 8); |
129 | return 0; | 128 | return 0; |
130 | } else { | 129 | } else { |
131 | DEBUGP("Tok "); | 130 | DEBUGP("Tok "); |
@@ -169,7 +168,8 @@ match(const struct sk_buff *skb, | |||
169 | } | 168 | } |
170 | if (temp == optinfo->optsnr) | 169 | if (temp == optinfo->optsnr) |
171 | return ret; | 170 | return ret; |
172 | else return 0; | 171 | else |
172 | return 0; | ||
173 | } | 173 | } |
174 | 174 | ||
175 | return 0; | 175 | return 0; |
@@ -178,25 +178,24 @@ match(const struct sk_buff *skb, | |||
178 | /* Called when user tries to insert an entry of this type. */ | 178 | /* Called when user tries to insert an entry of this type. */ |
179 | static int | 179 | static int |
180 | checkentry(const char *tablename, | 180 | checkentry(const char *tablename, |
181 | const void *entry, | 181 | const void *entry, |
182 | void *matchinfo, | 182 | void *matchinfo, |
183 | unsigned int matchinfosize, | 183 | unsigned int matchinfosize, |
184 | unsigned int hook_mask) | 184 | unsigned int hook_mask) |
185 | { | 185 | { |
186 | const struct ip6t_opts *optsinfo = matchinfo; | 186 | const struct ip6t_opts *optsinfo = matchinfo; |
187 | 187 | ||
188 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_opts))) { | 188 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_opts))) { |
189 | DEBUGP("ip6t_opts: matchsize %u != %u\n", | 189 | DEBUGP("ip6t_opts: matchsize %u != %u\n", |
190 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_opts))); | 190 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_opts))); |
191 | return 0; | 191 | return 0; |
192 | } | 192 | } |
193 | if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { | 193 | if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { |
194 | DEBUGP("ip6t_opts: unknown flags %X\n", | 194 | DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags); |
195 | optsinfo->invflags); | 195 | return 0; |
196 | return 0; | 196 | } |
197 | } | 197 | |
198 | 198 | return 1; | |
199 | return 1; | ||
200 | } | 199 | } |
201 | 200 | ||
202 | static struct ip6t_match opts_match = { | 201 | static struct ip6t_match opts_match = { |
@@ -212,12 +211,12 @@ static struct ip6t_match opts_match = { | |||
212 | 211 | ||
213 | static int __init init(void) | 212 | static int __init init(void) |
214 | { | 213 | { |
215 | return ip6t_register_match(&opts_match); | 214 | return ip6t_register_match(&opts_match); |
216 | } | 215 | } |
217 | 216 | ||
218 | static void __exit cleanup(void) | 217 | static void __exit cleanup(void) |
219 | { | 218 | { |
220 | ip6t_unregister_match(&opts_match); | 219 | ip6t_unregister_match(&opts_match); |
221 | } | 220 | } |
222 | 221 | ||
223 | module_init(init); | 222 | module_init(init); |
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c index fda1ceaf5a29..83ad6b272f7e 100644 --- a/net/ipv6/netfilter/ip6t_ipv6header.c +++ b/net/ipv6/netfilter/ip6t_ipv6header.c | |||
@@ -50,20 +50,20 @@ ipv6header_match(const struct sk_buff *skb, | |||
50 | len = skb->len - ptr; | 50 | len = skb->len - ptr; |
51 | temp = 0; | 51 | temp = 0; |
52 | 52 | ||
53 | while (ip6t_ext_hdr(nexthdr)) { | 53 | while (ip6t_ext_hdr(nexthdr)) { |
54 | struct ipv6_opt_hdr _hdr, *hp; | 54 | struct ipv6_opt_hdr _hdr, *hp; |
55 | int hdrlen; | 55 | int hdrlen; |
56 | 56 | ||
57 | /* Is there enough space for the next ext header? */ | 57 | /* Is there enough space for the next ext header? */ |
58 | if (len < (int)sizeof(struct ipv6_opt_hdr)) | 58 | if (len < (int)sizeof(struct ipv6_opt_hdr)) |
59 | return 0; | 59 | return 0; |
60 | /* No more exthdr -> evaluate */ | 60 | /* No more exthdr -> evaluate */ |
61 | if (nexthdr == NEXTHDR_NONE) { | 61 | if (nexthdr == NEXTHDR_NONE) { |
62 | temp |= MASK_NONE; | 62 | temp |= MASK_NONE; |
63 | break; | 63 | break; |
64 | } | 64 | } |
65 | /* ESP -> evaluate */ | 65 | /* ESP -> evaluate */ |
66 | if (nexthdr == NEXTHDR_ESP) { | 66 | if (nexthdr == NEXTHDR_ESP) { |
67 | temp |= MASK_ESP; | 67 | temp |= MASK_ESP; |
68 | break; | 68 | break; |
69 | } | 69 | } |
@@ -72,43 +72,43 @@ ipv6header_match(const struct sk_buff *skb, | |||
72 | BUG_ON(hp == NULL); | 72 | BUG_ON(hp == NULL); |
73 | 73 | ||
74 | /* Calculate the header length */ | 74 | /* Calculate the header length */ |
75 | if (nexthdr == NEXTHDR_FRAGMENT) { | 75 | if (nexthdr == NEXTHDR_FRAGMENT) { |
76 | hdrlen = 8; | 76 | hdrlen = 8; |
77 | } else if (nexthdr == NEXTHDR_AUTH) | 77 | } else if (nexthdr == NEXTHDR_AUTH) |
78 | hdrlen = (hp->hdrlen+2)<<2; | 78 | hdrlen = (hp->hdrlen + 2) << 2; |
79 | else | 79 | else |
80 | hdrlen = ipv6_optlen(hp); | 80 | hdrlen = ipv6_optlen(hp); |
81 | 81 | ||
82 | /* set the flag */ | 82 | /* set the flag */ |
83 | switch (nexthdr){ | 83 | switch (nexthdr) { |
84 | case NEXTHDR_HOP: | 84 | case NEXTHDR_HOP: |
85 | temp |= MASK_HOPOPTS; | 85 | temp |= MASK_HOPOPTS; |
86 | break; | 86 | break; |
87 | case NEXTHDR_ROUTING: | 87 | case NEXTHDR_ROUTING: |
88 | temp |= MASK_ROUTING; | 88 | temp |= MASK_ROUTING; |
89 | break; | 89 | break; |
90 | case NEXTHDR_FRAGMENT: | 90 | case NEXTHDR_FRAGMENT: |
91 | temp |= MASK_FRAGMENT; | 91 | temp |= MASK_FRAGMENT; |
92 | break; | 92 | break; |
93 | case NEXTHDR_AUTH: | 93 | case NEXTHDR_AUTH: |
94 | temp |= MASK_AH; | 94 | temp |= MASK_AH; |
95 | break; | 95 | break; |
96 | case NEXTHDR_DEST: | 96 | case NEXTHDR_DEST: |
97 | temp |= MASK_DSTOPTS; | 97 | temp |= MASK_DSTOPTS; |
98 | break; | 98 | break; |
99 | default: | 99 | default: |
100 | return 0; | 100 | return 0; |
101 | break; | 101 | break; |
102 | } | 102 | } |
103 | 103 | ||
104 | nexthdr = hp->nexthdr; | 104 | nexthdr = hp->nexthdr; |
105 | len -= hdrlen; | 105 | len -= hdrlen; |
106 | ptr += hdrlen; | 106 | ptr += hdrlen; |
107 | if (ptr > skb->len) | 107 | if (ptr > skb->len) |
108 | break; | 108 | break; |
109 | } | 109 | } |
110 | 110 | ||
111 | if ( (nexthdr != NEXTHDR_NONE ) && (nexthdr != NEXTHDR_ESP) ) | 111 | if ((nexthdr != NEXTHDR_NONE) && (nexthdr != NEXTHDR_ESP)) |
112 | temp |= MASK_PROTO; | 112 | temp |= MASK_PROTO; |
113 | 113 | ||
114 | if (info->modeflag) | 114 | if (info->modeflag) |
@@ -137,8 +137,8 @@ ipv6header_checkentry(const char *tablename, | |||
137 | return 0; | 137 | return 0; |
138 | 138 | ||
139 | /* invflags is 0 or 0xff in hard mode */ | 139 | /* invflags is 0 or 0xff in hard mode */ |
140 | if ((!info->modeflag) && info->invflags != 0x00 | 140 | if ((!info->modeflag) && info->invflags != 0x00 && |
141 | && info->invflags != 0xFF) | 141 | info->invflags != 0xFF) |
142 | return 0; | 142 | return 0; |
143 | 143 | ||
144 | return 1; | 144 | return 1; |
@@ -152,7 +152,7 @@ static struct ip6t_match ip6t_ipv6header_match = { | |||
152 | .me = THIS_MODULE, | 152 | .me = THIS_MODULE, |
153 | }; | 153 | }; |
154 | 154 | ||
155 | static int __init ipv6header_init(void) | 155 | static int __init ipv6header_init(void) |
156 | { | 156 | { |
157 | return ip6t_register_match(&ip6t_ipv6header_match); | 157 | return ip6t_register_match(&ip6t_ipv6header_match); |
158 | } | 158 | } |
@@ -164,4 +164,3 @@ static void __exit ipv6header_exit(void) | |||
164 | 164 | ||
165 | module_init(ipv6header_init); | 165 | module_init(ipv6header_init); |
166 | module_exit(ipv6header_exit); | 166 | module_exit(ipv6header_exit); |
167 | |||
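Review bot: `BUG_ON(hp == NULL)` at the top of the second hunk turns a failed header fetch in the per-packet path into a kernel BUG instead of a non-match. The assignment to `hp` is outside the hunk, but if it is the same skb_header_pointer() pattern that ip6t_dst.c and ip6t_frag.c use in this commit, a plain `if (hp == NULL) return 0;` (plus `*hotdrop = 1;` if this match takes a hotdrop argument like the others) would fail closed without taking the machine down. In the same loop, the `break;` after `return 0;` in the `default:` case is unreachable and can be dropped. ipv6header_match() begins and ends outside these hunks.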
diff --git a/net/ipv6/netfilter/ip6t_owner.c b/net/ipv6/netfilter/ip6t_owner.c index 5409b375b512..8c8a4c7ec934 100644 --- a/net/ipv6/netfilter/ip6t_owner.c +++ b/net/ipv6/netfilter/ip6t_owner.c | |||
@@ -36,14 +36,14 @@ match(const struct sk_buff *skb, | |||
36 | if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file) | 36 | if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file) |
37 | return 0; | 37 | return 0; |
38 | 38 | ||
39 | if(info->match & IP6T_OWNER_UID) { | 39 | if (info->match & IP6T_OWNER_UID) { |
40 | if((skb->sk->sk_socket->file->f_uid != info->uid) ^ | 40 | if ((skb->sk->sk_socket->file->f_uid != info->uid) ^ |
41 | !!(info->invert & IP6T_OWNER_UID)) | 41 | !!(info->invert & IP6T_OWNER_UID)) |
42 | return 0; | 42 | return 0; |
43 | } | 43 | } |
44 | 44 | ||
45 | if(info->match & IP6T_OWNER_GID) { | 45 | if (info->match & IP6T_OWNER_GID) { |
46 | if((skb->sk->sk_socket->file->f_gid != info->gid) ^ | 46 | if ((skb->sk->sk_socket->file->f_gid != info->gid) ^ |
47 | !!(info->invert & IP6T_OWNER_GID)) | 47 | !!(info->invert & IP6T_OWNER_GID)) |
48 | return 0; | 48 | return 0; |
49 | } | 49 | } |
@@ -53,23 +53,23 @@ match(const struct sk_buff *skb, | |||
53 | 53 | ||
54 | static int | 54 | static int |
55 | checkentry(const char *tablename, | 55 | checkentry(const char *tablename, |
56 | const void *ip, | 56 | const void *ip, |
57 | void *matchinfo, | 57 | void *matchinfo, |
58 | unsigned int matchsize, | 58 | unsigned int matchsize, |
59 | unsigned int hook_mask) | 59 | unsigned int hook_mask) |
60 | { | 60 | { |
61 | const struct ip6t_owner_info *info = matchinfo; | 61 | const struct ip6t_owner_info *info = matchinfo; |
62 | 62 | ||
63 | if (hook_mask | 63 | if (hook_mask |
64 | & ~((1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING))) { | 64 | & ~((1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING))) { |
65 | printk("ip6t_owner: only valid for LOCAL_OUT or POST_ROUTING.\n"); | 65 | printk("ip6t_owner: only valid for LOCAL_OUT or POST_ROUTING.\n"); |
66 | return 0; | 66 | return 0; |
67 | } | 67 | } |
68 | 68 | ||
69 | if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_owner_info))) | 69 | if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_owner_info))) |
70 | return 0; | 70 | return 0; |
71 | 71 | ||
72 | if (info->match & (IP6T_OWNER_PID|IP6T_OWNER_SID)) { | 72 | if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) { |
73 | printk("ipt_owner: pid and sid matching " | 73 | printk("ipt_owner: pid and sid matching " |
74 | "not supported anymore\n"); | 74 | "not supported anymore\n"); |
75 | return 0; | 75 | return 0; |
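Review bot: The two printk calls in checkentry name the module differently: the hook-mask message is prefixed `ip6t_owner:` but the pid/sid message is prefixed `ipt_owner:`. A rejected IPv6 rule is therefore logged as if the IPv4 module had refused it, which misleads anyone triaging the kernel log. As this cleanup already reformats the function, the second call could read `printk("ip6t_owner: pid and sid matching "`. Neither call passes an explicit log level; adding one such as `KERN_WARNING` to both would make them filterable by severity. checkentry's body continues past the end of the hunk.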
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c index 8465b4375855..8f82476dc89e 100644 --- a/net/ipv6/netfilter/ip6t_rt.c +++ b/net/ipv6/netfilter/ip6t_rt.c | |||
@@ -33,12 +33,12 @@ MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); | |||
33 | static inline int | 33 | static inline int |
34 | segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, int invert) | 34 | segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, int invert) |
35 | { | 35 | { |
36 | int r=0; | 36 | int r = 0; |
37 | DEBUGP("rt segsleft_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ', | 37 | DEBUGP("rt segsleft_match:%c 0x%x <= 0x%x <= 0x%x", |
38 | min,id,max); | 38 | invert ? '!' : ' ', min, id, max); |
39 | r=(id >= min && id <= max) ^ invert; | 39 | r = (id >= min && id <= max) ^ invert; |
40 | DEBUGP(" result %s\n",r? "PASS" : "FAILED"); | 40 | DEBUGP(" result %s\n", r ? "PASS" : "FAILED"); |
41 | return r; | 41 | return r; |
42 | } | 42 | } |
43 | 43 | ||
44 | static int | 44 | static int |
@@ -50,87 +50,93 @@ match(const struct sk_buff *skb, | |||
50 | unsigned int protoff, | 50 | unsigned int protoff, |
51 | int *hotdrop) | 51 | int *hotdrop) |
52 | { | 52 | { |
53 | struct ipv6_rt_hdr _route, *rh; | 53 | struct ipv6_rt_hdr _route, *rh; |
54 | const struct ip6t_rt *rtinfo = matchinfo; | 54 | const struct ip6t_rt *rtinfo = matchinfo; |
55 | unsigned int temp; | 55 | unsigned int temp; |
56 | unsigned int ptr; | 56 | unsigned int ptr; |
57 | unsigned int hdrlen = 0; | 57 | unsigned int hdrlen = 0; |
58 | unsigned int ret = 0; | 58 | unsigned int ret = 0; |
59 | struct in6_addr *ap, _addr; | 59 | struct in6_addr *ap, _addr; |
60 | 60 | ||
61 | if (ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL) < 0) | 61 | if (ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL) < 0) |
62 | return 0; | 62 | return 0; |
63 | 63 | ||
64 | rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); | 64 | rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); |
65 | if (rh == NULL){ | 65 | if (rh == NULL) { |
66 | *hotdrop = 1; | 66 | *hotdrop = 1; |
67 | return 0; | 67 | return 0; |
68 | } | 68 | } |
69 | 69 | ||
70 | hdrlen = ipv6_optlen(rh); | 70 | hdrlen = ipv6_optlen(rh); |
71 | if (skb->len - ptr < hdrlen){ | 71 | if (skb->len - ptr < hdrlen) { |
72 | /* Pcket smaller than its length field */ | 72 | /* Pcket smaller than its length field */ |
73 | return 0; | 73 | return 0; |
74 | } | 74 | } |
75 | 75 | ||
76 | DEBUGP("IPv6 RT LEN %u %u ", hdrlen, rh->hdrlen); | 76 | DEBUGP("IPv6 RT LEN %u %u ", hdrlen, rh->hdrlen); |
77 | DEBUGP("TYPE %04X ", rh->type); | 77 | DEBUGP("TYPE %04X ", rh->type); |
78 | DEBUGP("SGS_LEFT %u %02X\n", rh->segments_left, rh->segments_left); | 78 | DEBUGP("SGS_LEFT %u %02X\n", rh->segments_left, rh->segments_left); |
79 | 79 | ||
80 | DEBUGP("IPv6 RT segsleft %02X ", | 80 | DEBUGP("IPv6 RT segsleft %02X ", |
81 | (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], | 81 | (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], |
82 | rh->segments_left, | 82 | rh->segments_left, |
83 | !!(rtinfo->invflags & IP6T_RT_INV_SGS)))); | 83 | !!(rtinfo->invflags & IP6T_RT_INV_SGS)))); |
84 | DEBUGP("type %02X %02X %02X ", | 84 | DEBUGP("type %02X %02X %02X ", |
85 | rtinfo->rt_type, rh->type, | 85 | rtinfo->rt_type, rh->type, |
86 | (!(rtinfo->flags & IP6T_RT_TYP) || | 86 | (!(rtinfo->flags & IP6T_RT_TYP) || |
87 | ((rtinfo->rt_type == rh->type) ^ | 87 | ((rtinfo->rt_type == rh->type) ^ |
88 | !!(rtinfo->invflags & IP6T_RT_INV_TYP)))); | 88 | !!(rtinfo->invflags & IP6T_RT_INV_TYP)))); |
89 | DEBUGP("len %02X %04X %02X ", | 89 | DEBUGP("len %02X %04X %02X ", |
90 | rtinfo->hdrlen, hdrlen, | 90 | rtinfo->hdrlen, hdrlen, |
91 | (!(rtinfo->flags & IP6T_RT_LEN) || | 91 | (!(rtinfo->flags & IP6T_RT_LEN) || |
92 | ((rtinfo->hdrlen == hdrlen) ^ | 92 | ((rtinfo->hdrlen == hdrlen) ^ |
93 | !!(rtinfo->invflags & IP6T_RT_INV_LEN)))); | 93 | !!(rtinfo->invflags & IP6T_RT_INV_LEN)))); |
94 | DEBUGP("res %02X %02X %02X ", | 94 | DEBUGP("res %02X %02X %02X ", |
95 | (rtinfo->flags & IP6T_RT_RES), ((struct rt0_hdr *)rh)->reserved, | 95 | (rtinfo->flags & IP6T_RT_RES), |
96 | !((rtinfo->flags & IP6T_RT_RES) && (((struct rt0_hdr *)rh)->reserved))); | 96 | ((struct rt0_hdr *)rh)->reserved, |
97 | 97 | !((rtinfo->flags & IP6T_RT_RES) && | |
98 | ret = (rh != NULL) | 98 | (((struct rt0_hdr *)rh)->reserved))); |
99 | && | 99 | |
100 | (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], | 100 | ret = (rh != NULL) |
101 | rh->segments_left, | 101 | && |
102 | !!(rtinfo->invflags & IP6T_RT_INV_SGS))) | 102 | (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], |
103 | && | 103 | rh->segments_left, |
104 | (!(rtinfo->flags & IP6T_RT_LEN) || | 104 | !!(rtinfo->invflags & IP6T_RT_INV_SGS))) |
105 | ((rtinfo->hdrlen == hdrlen) ^ | 105 | && |
106 | !!(rtinfo->invflags & IP6T_RT_INV_LEN))) | 106 | (!(rtinfo->flags & IP6T_RT_LEN) || |
107 | && | 107 | ((rtinfo->hdrlen == hdrlen) ^ |
108 | (!(rtinfo->flags & IP6T_RT_TYP) || | 108 | !!(rtinfo->invflags & IP6T_RT_INV_LEN))) |
109 | ((rtinfo->rt_type == rh->type) ^ | 109 | && |
110 | !!(rtinfo->invflags & IP6T_RT_INV_TYP))); | 110 | (!(rtinfo->flags & IP6T_RT_TYP) || |
111 | ((rtinfo->rt_type == rh->type) ^ | ||
112 | !!(rtinfo->invflags & IP6T_RT_INV_TYP))); | ||
111 | 113 | ||
112 | if (ret && (rtinfo->flags & IP6T_RT_RES)) { | 114 | if (ret && (rtinfo->flags & IP6T_RT_RES)) { |
113 | u_int32_t *rp, _reserved; | 115 | u_int32_t *rp, _reserved; |
114 | rp = skb_header_pointer(skb, | 116 | rp = skb_header_pointer(skb, |
115 | ptr + offsetof(struct rt0_hdr, reserved), | 117 | ptr + offsetof(struct rt0_hdr, |
116 | sizeof(_reserved), &_reserved); | 118 | reserved), |
119 | sizeof(_reserved), | ||
120 | &_reserved); | ||
117 | 121 | ||
118 | ret = (*rp == 0); | 122 | ret = (*rp == 0); |
119 | } | 123 | } |
120 | 124 | ||
121 | DEBUGP("#%d ",rtinfo->addrnr); | 125 | DEBUGP("#%d ", rtinfo->addrnr); |
122 | if ( !(rtinfo->flags & IP6T_RT_FST) ){ | 126 | if (!(rtinfo->flags & IP6T_RT_FST)) { |
123 | return ret; | 127 | return ret; |
124 | } else if (rtinfo->flags & IP6T_RT_FST_NSTRICT) { | 128 | } else if (rtinfo->flags & IP6T_RT_FST_NSTRICT) { |
125 | DEBUGP("Not strict "); | 129 | DEBUGP("Not strict "); |
126 | if ( rtinfo->addrnr > (unsigned int)((hdrlen-8)/16) ){ | 130 | if (rtinfo->addrnr > (unsigned int)((hdrlen - 8) / 16)) { |
127 | DEBUGP("There isn't enough space\n"); | 131 | DEBUGP("There isn't enough space\n"); |
128 | return 0; | 132 | return 0; |
129 | } else { | 133 | } else { |
130 | unsigned int i = 0; | 134 | unsigned int i = 0; |
131 | 135 | ||
132 | DEBUGP("#%d ",rtinfo->addrnr); | 136 | DEBUGP("#%d ", rtinfo->addrnr); |
133 | for(temp=0; temp<(unsigned int)((hdrlen-8)/16); temp++){ | 137 | for (temp = 0; |
138 | temp < (unsigned int)((hdrlen - 8) / 16); | ||
139 | temp++) { | ||
134 | ap = skb_header_pointer(skb, | 140 | ap = skb_header_pointer(skb, |
135 | ptr | 141 | ptr |
136 | + sizeof(struct rt0_hdr) | 142 | + sizeof(struct rt0_hdr) |
@@ -141,24 +147,26 @@ match(const struct sk_buff *skb, | |||
141 | BUG_ON(ap == NULL); | 147 | BUG_ON(ap == NULL); |
142 | 148 | ||
143 | if (ipv6_addr_equal(ap, &rtinfo->addrs[i])) { | 149 | if (ipv6_addr_equal(ap, &rtinfo->addrs[i])) { |
144 | DEBUGP("i=%d temp=%d;\n",i,temp); | 150 | DEBUGP("i=%d temp=%d;\n", i, temp); |
145 | i++; | 151 | i++; |
146 | } | 152 | } |
147 | if (i==rtinfo->addrnr) break; | 153 | if (i == rtinfo->addrnr) |
154 | break; | ||
148 | } | 155 | } |
149 | DEBUGP("i=%d #%d\n", i, rtinfo->addrnr); | 156 | DEBUGP("i=%d #%d\n", i, rtinfo->addrnr); |
150 | if (i == rtinfo->addrnr) | 157 | if (i == rtinfo->addrnr) |
151 | return ret; | 158 | return ret; |
152 | else return 0; | 159 | else |
160 | return 0; | ||
153 | } | 161 | } |
154 | } else { | 162 | } else { |
155 | DEBUGP("Strict "); | 163 | DEBUGP("Strict "); |
156 | if ( rtinfo->addrnr > (unsigned int)((hdrlen-8)/16) ){ | 164 | if (rtinfo->addrnr > (unsigned int)((hdrlen - 8) / 16)) { |
157 | DEBUGP("There isn't enough space\n"); | 165 | DEBUGP("There isn't enough space\n"); |
158 | return 0; | 166 | return 0; |
159 | } else { | 167 | } else { |
160 | DEBUGP("#%d ",rtinfo->addrnr); | 168 | DEBUGP("#%d ", rtinfo->addrnr); |
161 | for(temp=0; temp<rtinfo->addrnr; temp++){ | 169 | for (temp = 0; temp < rtinfo->addrnr; temp++) { |
162 | ap = skb_header_pointer(skb, | 170 | ap = skb_header_pointer(skb, |
163 | ptr | 171 | ptr |
164 | + sizeof(struct rt0_hdr) | 172 | + sizeof(struct rt0_hdr) |
@@ -171,9 +179,11 @@ match(const struct sk_buff *skb, | |||
171 | break; | 179 | break; |
172 | } | 180 | } |
173 | DEBUGP("temp=%d #%d\n", temp, rtinfo->addrnr); | 181 | DEBUGP("temp=%d #%d\n", temp, rtinfo->addrnr); |
174 | if ((temp == rtinfo->addrnr) && (temp == (unsigned int)((hdrlen-8)/16))) | 182 | if ((temp == rtinfo->addrnr) && |
183 | (temp == (unsigned int)((hdrlen - 8) / 16))) | ||
175 | return ret; | 184 | return ret; |
176 | else return 0; | 185 | else |
186 | return 0; | ||
177 | } | 187 | } |
178 | } | 188 | } |
179 | 189 | ||
@@ -183,32 +193,31 @@ match(const struct sk_buff *skb, | |||
183 | /* Called when user tries to insert an entry of this type. */ | 193 | /* Called when user tries to insert an entry of this type. */ |
184 | static int | 194 | static int |
185 | checkentry(const char *tablename, | 195 | checkentry(const char *tablename, |
186 | const void *entry, | 196 | const void *entry, |
187 | void *matchinfo, | 197 | void *matchinfo, |
188 | unsigned int matchinfosize, | 198 | unsigned int matchinfosize, |
189 | unsigned int hook_mask) | 199 | unsigned int hook_mask) |
190 | { | 200 | { |
191 | const struct ip6t_rt *rtinfo = matchinfo; | 201 | const struct ip6t_rt *rtinfo = matchinfo; |
192 | 202 | ||
193 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_rt))) { | 203 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_rt))) { |
194 | DEBUGP("ip6t_rt: matchsize %u != %u\n", | 204 | DEBUGP("ip6t_rt: matchsize %u != %u\n", |
195 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_rt))); | 205 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_rt))); |
196 | return 0; | 206 | return 0; |
197 | } | 207 | } |
198 | if (rtinfo->invflags & ~IP6T_RT_INV_MASK) { | 208 | if (rtinfo->invflags & ~IP6T_RT_INV_MASK) { |
199 | DEBUGP("ip6t_rt: unknown flags %X\n", | 209 | DEBUGP("ip6t_rt: unknown flags %X\n", rtinfo->invflags); |
200 | rtinfo->invflags); | 210 | return 0; |
201 | return 0; | 211 | } |
202 | } | 212 | if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) && |
203 | if ( (rtinfo->flags & (IP6T_RT_RES|IP6T_RT_FST_MASK)) && | 213 | (!(rtinfo->flags & IP6T_RT_TYP) || |
204 | (!(rtinfo->flags & IP6T_RT_TYP) || | 214 | (rtinfo->rt_type != 0) || |
205 | (rtinfo->rt_type != 0) || | 215 | (rtinfo->invflags & IP6T_RT_INV_TYP))) { |
206 | (rtinfo->invflags & IP6T_RT_INV_TYP)) ) { | 216 | DEBUGP("`--rt-type 0' required before `--rt-0-*'"); |
207 | DEBUGP("`--rt-type 0' required before `--rt-0-*'"); | 217 | return 0; |
208 | return 0; | 218 | } |
209 | } | 219 | |
210 | 220 | return 1; | |
211 | return 1; | ||
212 | } | 221 | } |
213 | 222 | ||
214 | static struct ip6t_match rt_match = { | 223 | static struct ip6t_match rt_match = { |
@@ -220,12 +229,12 @@ static struct ip6t_match rt_match = { | |||
220 | 229 | ||
221 | static int __init init(void) | 230 | static int __init init(void) |
222 | { | 231 | { |
223 | return ip6t_register_match(&rt_match); | 232 | return ip6t_register_match(&rt_match); |
224 | } | 233 | } |
225 | 234 | ||
226 | static void __exit cleanup(void) | 235 | static void __exit cleanup(void) |
227 | { | 236 | { |
228 | ip6t_unregister_match(&rt_match); | 237 | ip6t_unregister_match(&rt_match); |
229 | } | 238 | } |
230 | 239 | ||
231 | module_init(init); | 240 | module_init(init); |
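Review bot: In match(), the `IP6T_RT_RES` branch (new lines 114-123) dereferences `rp` in `ret = (*rp == 0);` without checking the result of skb_header_pointer(). The same function checks `rh` against NULL and guards `ap` with BUG_ON. The earlier `skb->len - ptr < hdrlen` test probably keeps this read in bounds, but that is an implicit dependency on packet-derived lengths. Failing closed the way the `rh` path does is cheap: `if (rp == NULL) { *hotdrop = 1; return 0; }` before the comparison. The two `BUG_ON(ap == NULL)` sites would be safer handled the same way, since a BUG on a packet-parsing path halts the machine if the length reasoning ever turns out wrong. The `(rh != NULL)` term in the `ret` expression is dead after the early return and could be dropped. match() starts before the first hunk and its address loops are split across hunks.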