diff options
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/netfilter/Kconfig | 10 | ||||
-rw-r--r-- | net/ipv4/netfilter/Makefile | 1 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_policy.c | 170 | ||||
-rw-r--r-- | net/ipv6/netfilter/Kconfig | 10 | ||||
-rw-r--r-- | net/ipv6/netfilter/Makefile | 1 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_policy.c | 175 |
6 files changed, 367 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 88a60650e6b8..a9893ec03e02 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
@@ -487,6 +487,16 @@ config IP_NF_MATCH_STRING | |||
487 | 487 | ||
488 | To compile it as a module, choose M here. If unsure, say N. | 488 | To compile it as a module, choose M here. If unsure, say N. |
489 | 489 | ||
490 | config IP_NF_MATCH_POLICY | ||
491 | tristate "IPsec policy match support" | ||
492 | depends on IP_NF_IPTABLES && XFRM | ||
493 | help | ||
494 | Policy matching allows you to match packets based on the | ||
495 | IPsec policy that was used during decapsulation/will | ||
496 | be used during encapsulation. | ||
497 | |||
498 | To compile it as a module, choose M here. If unsure, say N. | ||
499 | |||
490 | # `filter', generic and specific targets | 500 | # `filter', generic and specific targets |
491 | config IP_NF_FILTER | 501 | config IP_NF_FILTER |
492 | tristate "Packet filtering" | 502 | tristate "Packet filtering" |
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index d0a447e520a2..549b01a648b3 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile | |||
@@ -72,6 +72,7 @@ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o | |||
72 | obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o | 72 | obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o |
73 | obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o | 73 | obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o |
74 | obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o | 74 | obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o |
75 | obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o | ||
75 | obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o | 76 | obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o |
76 | obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o | 77 | obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o |
77 | 78 | ||
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c new file mode 100644 index 000000000000..709debcc69c9 --- /dev/null +++ b/net/ipv4/netfilter/ipt_policy.c | |||
@@ -0,0 +1,170 @@ | |||
1 | /* IP tables module for matching IPsec policy | ||
2 | * | ||
3 | * Copyright (c) 2004,2005 Patrick McHardy, <kaber@trash.net> | ||
4 | * | ||
5 | * This program is free software; you can redistribute it and/or modify | ||
6 | * it under the terms of the GNU General Public License version 2 as | ||
7 | * published by the Free Software Foundation. | ||
8 | */ | ||
9 | |||
10 | #include <linux/kernel.h> | ||
11 | #include <linux/config.h> | ||
12 | #include <linux/module.h> | ||
13 | #include <linux/skbuff.h> | ||
14 | #include <linux/init.h> | ||
15 | #include <net/xfrm.h> | ||
16 | |||
17 | #include <linux/netfilter_ipv4.h> | ||
18 | #include <linux/netfilter_ipv4/ip_tables.h> | ||
19 | #include <linux/netfilter_ipv4/ipt_policy.h> | ||
20 | |||
21 | MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); | ||
22 | MODULE_DESCRIPTION("IPtables IPsec policy matching module"); | ||
23 | MODULE_LICENSE("GPL"); | ||
24 | |||
25 | |||
26 | static inline int | ||
27 | match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e) | ||
28 | { | ||
29 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) | ||
30 | |||
31 | return MATCH(saddr, x->props.saddr.a4 & e->smask) && | ||
32 | MATCH(daddr, x->id.daddr.a4 & e->dmask) && | ||
33 | MATCH(proto, x->id.proto) && | ||
34 | MATCH(mode, x->props.mode) && | ||
35 | MATCH(spi, x->id.spi) && | ||
36 | MATCH(reqid, x->props.reqid); | ||
37 | } | ||
38 | |||
39 | static int | ||
40 | match_policy_in(const struct sk_buff *skb, const struct ipt_policy_info *info) | ||
41 | { | ||
42 | const struct ipt_policy_elem *e; | ||
43 | struct sec_path *sp = skb->sp; | ||
44 | int strict = info->flags & IPT_POLICY_MATCH_STRICT; | ||
45 | int i, pos; | ||
46 | |||
47 | if (sp == NULL) | ||
48 | return -1; | ||
49 | if (strict && info->len != sp->len) | ||
50 | return 0; | ||
51 | |||
52 | for (i = sp->len - 1; i >= 0; i--) { | ||
53 | pos = strict ? i - sp->len + 1 : 0; | ||
54 | if (pos >= info->len) | ||
55 | return 0; | ||
56 | e = &info->pol[pos]; | ||
57 | |||
58 | if (match_xfrm_state(sp->x[i].xvec, e)) { | ||
59 | if (!strict) | ||
60 | return 1; | ||
61 | } else if (strict) | ||
62 | return 0; | ||
63 | } | ||
64 | |||
65 | return strict ? 1 : 0; | ||
66 | } | ||
67 | |||
68 | static int | ||
69 | match_policy_out(const struct sk_buff *skb, const struct ipt_policy_info *info) | ||
70 | { | ||
71 | const struct ipt_policy_elem *e; | ||
72 | struct dst_entry *dst = skb->dst; | ||
73 | int strict = info->flags & IPT_POLICY_MATCH_STRICT; | ||
74 | int i, pos; | ||
75 | |||
76 | if (dst->xfrm == NULL) | ||
77 | return -1; | ||
78 | |||
79 | for (i = 0; dst && dst->xfrm; dst = dst->child, i++) { | ||
80 | pos = strict ? i : 0; | ||
81 | if (pos >= info->len) | ||
82 | return 0; | ||
83 | e = &info->pol[pos]; | ||
84 | |||
85 | if (match_xfrm_state(dst->xfrm, e)) { | ||
86 | if (!strict) | ||
87 | return 1; | ||
88 | } else if (strict) | ||
89 | return 0; | ||
90 | } | ||
91 | |||
92 | return strict ? 1 : 0; | ||
93 | } | ||
94 | |||
95 | static int match(const struct sk_buff *skb, | ||
96 | const struct net_device *in, | ||
97 | const struct net_device *out, | ||
98 | const void *matchinfo, int offset, int *hotdrop) | ||
99 | { | ||
100 | const struct ipt_policy_info *info = matchinfo; | ||
101 | int ret; | ||
102 | |||
103 | if (info->flags & IPT_POLICY_MATCH_IN) | ||
104 | ret = match_policy_in(skb, info); | ||
105 | else | ||
106 | ret = match_policy_out(skb, info); | ||
107 | |||
108 | if (ret < 0) | ||
109 | ret = info->flags & IPT_POLICY_MATCH_NONE ? 1 : 0; | ||
110 | else if (info->flags & IPT_POLICY_MATCH_NONE) | ||
111 | ret = 0; | ||
112 | |||
113 | return ret; | ||
114 | } | ||
115 | |||
116 | static int checkentry(const char *tablename, const struct ipt_ip *ip, | ||
117 | void *matchinfo, unsigned int matchsize, | ||
118 | unsigned int hook_mask) | ||
119 | { | ||
120 | struct ipt_policy_info *info = matchinfo; | ||
121 | |||
122 | if (matchsize != IPT_ALIGN(sizeof(*info))) { | ||
123 | printk(KERN_ERR "ipt_policy: matchsize %u != %zu\n", | ||
124 | matchsize, IPT_ALIGN(sizeof(*info))); | ||
125 | return 0; | ||
126 | } | ||
127 | if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))) { | ||
128 | printk(KERN_ERR "ipt_policy: neither incoming nor " | ||
129 | "outgoing policy selected\n"); | ||
130 | return 0; | ||
131 | } | ||
132 | if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN) | ||
133 | && info->flags & IPT_POLICY_MATCH_OUT) { | ||
134 | printk(KERN_ERR "ipt_policy: output policy not valid in " | ||
135 | "PRE_ROUTING and INPUT\n"); | ||
136 | return 0; | ||
137 | } | ||
138 | if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT) | ||
139 | && info->flags & IPT_POLICY_MATCH_IN) { | ||
140 | printk(KERN_ERR "ipt_policy: input policy not valid in " | ||
141 | "POST_ROUTING and OUTPUT\n"); | ||
142 | return 0; | ||
143 | } | ||
144 | if (info->len > IPT_POLICY_MAX_ELEM) { | ||
145 | printk(KERN_ERR "ipt_policy: too many policy elements\n"); | ||
146 | return 0; | ||
147 | } | ||
148 | |||
149 | return 1; | ||
150 | } | ||
151 | |||
152 | static struct ipt_match policy_match = { | ||
153 | .name = "policy", | ||
154 | .match = match, | ||
155 | .checkentry = checkentry, | ||
156 | .me = THIS_MODULE, | ||
157 | }; | ||
158 | |||
159 | static int __init init(void) | ||
160 | { | ||
161 | return ipt_register_match(&policy_match); | ||
162 | } | ||
163 | |||
164 | static void __exit fini(void) | ||
165 | { | ||
166 | ipt_unregister_match(&policy_match); | ||
167 | } | ||
168 | |||
169 | module_init(init); | ||
170 | module_exit(fini); | ||
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 04912f9b35c3..105dd69ee9fb 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig | |||
@@ -179,6 +179,16 @@ config IP6_NF_MATCH_PHYSDEV | |||
179 | 179 | ||
180 | To compile it as a module, choose M here. If unsure, say N. | 180 | To compile it as a module, choose M here. If unsure, say N. |
181 | 181 | ||
182 | config IP6_NF_MATCH_POLICY | ||
183 | tristate "IPsec policy match support" | ||
184 | depends on IP6_NF_IPTABLES && XFRM | ||
185 | help | ||
186 | Policy matching allows you to match packets based on the | ||
187 | IPsec policy that was used during decapsulation/will | ||
188 | be used during encapsulation. | ||
189 | |||
190 | To compile it as a module, choose M here. If unsure, say N. | ||
191 | |||
182 | # The targets | 192 | # The targets |
183 | config IP6_NF_FILTER | 193 | config IP6_NF_FILTER |
184 | tristate "Packet filtering" | 194 | tristate "Packet filtering" |
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index 9ab5b2ca1f59..c0c809b426e8 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile | |||
@@ -13,6 +13,7 @@ obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o | |||
13 | obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o | 13 | obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o |
14 | obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o | 14 | obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o |
15 | obj-$(CONFIG_IP6_NF_MATCH_AHESP) += ip6t_esp.o ip6t_ah.o | 15 | obj-$(CONFIG_IP6_NF_MATCH_AHESP) += ip6t_esp.o ip6t_ah.o |
16 | obj-$(CONFIG_IP6_NF_MATCH_POLICY) += ip6t_policy.o | ||
16 | obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o | 17 | obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o |
17 | obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o | 18 | obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o |
18 | obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o | 19 | obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o |
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c new file mode 100644 index 000000000000..13fedad48c1d --- /dev/null +++ b/net/ipv6/netfilter/ip6t_policy.c | |||
@@ -0,0 +1,175 @@ | |||
1 | /* IP tables module for matching IPsec policy | ||
2 | * | ||
3 | * Copyright (c) 2004,2005 Patrick McHardy, <kaber@trash.net> | ||
4 | * | ||
5 | * This program is free software; you can redistribute it and/or modify | ||
6 | * it under the terms of the GNU General Public License version 2 as | ||
7 | * published by the Free Software Foundation. | ||
8 | */ | ||
9 | |||
10 | #include <linux/kernel.h> | ||
11 | #include <linux/config.h> | ||
12 | #include <linux/module.h> | ||
13 | #include <linux/skbuff.h> | ||
14 | #include <linux/init.h> | ||
15 | #include <net/xfrm.h> | ||
16 | |||
17 | #include <linux/netfilter_ipv6.h> | ||
18 | #include <linux/netfilter_ipv6/ip6_tables.h> | ||
19 | #include <linux/netfilter_ipv6/ip6t_policy.h> | ||
20 | |||
21 | MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); | ||
22 | MODULE_DESCRIPTION("IPtables IPsec policy matching module"); | ||
23 | MODULE_LICENSE("GPL"); | ||
24 | |||
25 | |||
26 | static inline int | ||
27 | match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e) | ||
28 | { | ||
29 | #define MATCH_ADDR(x,y,z) (!e->match.x || \ | ||
30 | ((ip6_masked_addrcmp((z), &e->x, &e->y)) == 0) ^ e->invert.x) | ||
31 | #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) | ||
32 | |||
33 | return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) && | ||
34 | MATCH_ADDR(daddr, dmask, (struct in6_addr *)&x->id.daddr.a6) && | ||
35 | MATCH(proto, x->id.proto) && | ||
36 | MATCH(mode, x->props.mode) && | ||
37 | MATCH(spi, x->id.spi) && | ||
38 | MATCH(reqid, x->props.reqid); | ||
39 | } | ||
40 | |||
41 | static int | ||
42 | match_policy_in(const struct sk_buff *skb, const struct ip6t_policy_info *info) | ||
43 | { | ||
44 | const struct ip6t_policy_elem *e; | ||
45 | struct sec_path *sp = skb->sp; | ||
46 | int strict = info->flags & IP6T_POLICY_MATCH_STRICT; | ||
47 | int i, pos; | ||
48 | |||
49 | if (sp == NULL) | ||
50 | return -1; | ||
51 | if (strict && info->len != sp->len) | ||
52 | return 0; | ||
53 | |||
54 | for (i = sp->len - 1; i >= 0; i--) { | ||
55 | pos = strict ? i - sp->len + 1 : 0; | ||
56 | if (pos >= info->len) | ||
57 | return 0; | ||
58 | e = &info->pol[pos]; | ||
59 | |||
60 | if (match_xfrm_state(sp->x[i].xvec, e)) { | ||
61 | if (!strict) | ||
62 | return 1; | ||
63 | } else if (strict) | ||
64 | return 0; | ||
65 | } | ||
66 | |||
67 | return strict ? 1 : 0; | ||
68 | } | ||
69 | |||
70 | static int | ||
71 | match_policy_out(const struct sk_buff *skb, const struct ip6t_policy_info *info) | ||
72 | { | ||
73 | const struct ip6t_policy_elem *e; | ||
74 | struct dst_entry *dst = skb->dst; | ||
75 | int strict = info->flags & IP6T_POLICY_MATCH_STRICT; | ||
76 | int i, pos; | ||
77 | |||
78 | if (dst->xfrm == NULL) | ||
79 | return -1; | ||
80 | |||
81 | for (i = 0; dst && dst->xfrm; dst = dst->child, i++) { | ||
82 | pos = strict ? i : 0; | ||
83 | if (pos >= info->len) | ||
84 | return 0; | ||
85 | e = &info->pol[pos]; | ||
86 | |||
87 | if (match_xfrm_state(dst->xfrm, e)) { | ||
88 | if (!strict) | ||
89 | return 1; | ||
90 | } else if (strict) | ||
91 | return 0; | ||
92 | } | ||
93 | |||
94 | return strict ? 1 : 0; | ||
95 | } | ||
96 | |||
97 | static int match(const struct sk_buff *skb, | ||
98 | const struct net_device *in, | ||
99 | const struct net_device *out, | ||
100 | const void *matchinfo, | ||
101 | int offset, | ||
102 | unsigned int protoff, | ||
103 | int *hotdrop) | ||
104 | { | ||
105 | const struct ip6t_policy_info *info = matchinfo; | ||
106 | int ret; | ||
107 | |||
108 | if (info->flags & IP6T_POLICY_MATCH_IN) | ||
109 | ret = match_policy_in(skb, info); | ||
110 | else | ||
111 | ret = match_policy_out(skb, info); | ||
112 | |||
113 | if (ret < 0) | ||
114 | ret = info->flags & IP6T_POLICY_MATCH_NONE ? 1 : 0; | ||
115 | else if (info->flags & IP6T_POLICY_MATCH_NONE) | ||
116 | ret = 0; | ||
117 | |||
118 | return ret; | ||
119 | } | ||
120 | |||
121 | static int checkentry(const char *tablename, const struct ip6t_ip6 *ip, | ||
122 | void *matchinfo, unsigned int matchsize, | ||
123 | unsigned int hook_mask) | ||
124 | { | ||
125 | struct ip6t_policy_info *info = matchinfo; | ||
126 | |||
127 | if (matchsize != IP6T_ALIGN(sizeof(*info))) { | ||
128 | printk(KERN_ERR "ip6t_policy: matchsize %u != %zu\n", | ||
129 | matchsize, IP6T_ALIGN(sizeof(*info))); | ||
130 | return 0; | ||
131 | } | ||
132 | if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))) { | ||
133 | printk(KERN_ERR "ip6t_policy: neither incoming nor " | ||
134 | "outgoing policy selected\n"); | ||
135 | return 0; | ||
136 | } | ||
137 | if (hook_mask & (1 << NF_IP6_PRE_ROUTING | 1 << NF_IP6_LOCAL_IN) | ||
138 | && info->flags & IP6T_POLICY_MATCH_OUT) { | ||
139 | printk(KERN_ERR "ip6t_policy: output policy not valid in " | ||
140 | "PRE_ROUTING and INPUT\n"); | ||
141 | return 0; | ||
142 | } | ||
143 | if (hook_mask & (1 << NF_IP6_POST_ROUTING | 1 << NF_IP6_LOCAL_OUT) | ||
144 | && info->flags & IP6T_POLICY_MATCH_IN) { | ||
145 | printk(KERN_ERR "ip6t_policy: input policy not valid in " | ||
146 | "POST_ROUTING and OUTPUT\n"); | ||
147 | return 0; | ||
148 | } | ||
149 | if (info->len > IP6T_POLICY_MAX_ELEM) { | ||
150 | printk(KERN_ERR "ip6t_policy: too many policy elements\n"); | ||
151 | return 0; | ||
152 | } | ||
153 | |||
154 | return 1; | ||
155 | } | ||
156 | |||
157 | static struct ip6t_match policy_match = { | ||
158 | .name = "policy", | ||
159 | .match = match, | ||
160 | .checkentry = checkentry, | ||
161 | .me = THIS_MODULE, | ||
162 | }; | ||
163 | |||
164 | static int __init init(void) | ||
165 | { | ||
166 | return ip6t_register_match(&policy_match); | ||
167 | } | ||
168 | |||
169 | static void __exit fini(void) | ||
170 | { | ||
171 | ip6t_unregister_match(&policy_match); | ||
172 | } | ||
173 | |||
174 | module_init(init); | ||
175 | module_exit(fini); | ||