net/bridge/netfilter/ebt_ip.c

   1 /*
   2  *  ebt_ip
   3  *
   4  *      Authors:
   5  *      Bart De Schuymer <bdschuym@pandora.be>
   6  *
   7  *  April, 2002
   8  *
   9  *  Changes:
  10  *    added ip-sport and ip-dport
  11  *    Innominate Security Technologies AG <mhopf@innominate.com>
  12  *    September, 2002
  13  */
  14
  15 #include <linux/netfilter_bridge/ebtables.h>
  16 #include <linux/netfilter_bridge/ebt_ip.h>
  17 #include <linux/ip.h>
  18 #include <linux/in.h>
  19 #include <linux/module.h>
  20
  21 struct tcpudphdr {
  22         uint16_t src;
  23         uint16_t dst;
  24 };
  25
  26 static int ebt_filter_ip(const struct sk_buff *skb, const struct net_device *in,
  27    const struct net_device *out, const void *data,
  28    unsigned int datalen)
  29 {
  30         struct ebt_ip_info *info = (struct ebt_ip_info *)data;
  31         struct iphdr _iph, *ih;
  32         struct tcpudphdr _ports, *pptr;
  33
  34         ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
  35         if (ih == NULL)
  36                 return EBT_NOMATCH;
  37         if (info->bitmask & EBT_IP_TOS &&
  38            FWINV(info->tos != ih->tos, EBT_IP_TOS))
  39                 return EBT_NOMATCH;
  40         if (info->bitmask & EBT_IP_SOURCE &&
  41            FWINV((ih->saddr & info->smsk) !=
  42            info->saddr, EBT_IP_SOURCE))
  43                 return EBT_NOMATCH;
  44         if ((info->bitmask & EBT_IP_DEST) &&
  45            FWINV((ih->daddr & info->dmsk) !=
  46            info->daddr, EBT_IP_DEST))
  47                 return EBT_NOMATCH;
  48         if (info->bitmask & EBT_IP_PROTO) {
  49                 if (FWINV(info->protocol != ih->protocol, EBT_IP_PROTO))
  50                         return EBT_NOMATCH;
  51                 if (!(info->bitmask & EBT_IP_DPORT) &&
  52                     !(info->bitmask & EBT_IP_SPORT))
  53                         return EBT_MATCH;
  54                 pptr = skb_header_pointer(skb, ih->ihl*4,
  55                                           sizeof(_ports), &_ports);
  56                 if (pptr == NULL)
  57                         return EBT_NOMATCH;
  58                 if (info->bitmask & EBT_IP_DPORT) {
  59                         u32 dst = ntohs(pptr->dst);
  60                         if (FWINV(dst < info->dport[0] ||
  61                                   dst > info->dport[1],
  62                                   EBT_IP_DPORT))
  63                         return EBT_NOMATCH;
  64                 }
  65                 if (info->bitmask & EBT_IP_SPORT) {
  66                         u32 src = ntohs(pptr->src);
  67                         if (FWINV(src < info->sport[0] ||
  68                                   src > info->sport[1],
  69                                   EBT_IP_SPORT))
  70                         return EBT_NOMATCH;
  71                 }
  72         }
  73         return EBT_MATCH;
  74 }
  75
  76 static int ebt_ip_check(const char *tablename, unsigned int hookmask,
  77    const struct ebt_entry *e, void *data, unsigned int datalen)
  78 {
  79         struct ebt_ip_info *info = (struct ebt_ip_info *)data;
  80
  81         if (datalen != EBT_ALIGN(sizeof(struct ebt_ip_info)))
  82                 return -EINVAL;
  83         if (e->ethproto != htons(ETH_P_IP) ||
  84            e->invflags & EBT_IPROTO)
  85                 return -EINVAL;
  86         if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
  87                 return -EINVAL;
  88         if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
  89                 if (info->invflags & EBT_IP_PROTO)
  90                         return -EINVAL;
  91                 if (info->protocol != IPPROTO_TCP &&
  92                     info->protocol != IPPROTO_UDP)
  93                          return -EINVAL;
  94         }
  95         if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
  96                 return -EINVAL;
  97         if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
  98                 return -EINVAL;
  99         return 0;
 100 }
 101
 102 static struct ebt_match filter_ip =
 103 {
 104         .name           = EBT_IP_MATCH,
 105         .match          = ebt_filter_ip,
 106         .check          = ebt_ip_check,
 107         .me             = THIS_MODULE,
 108 };
 109
 110 static int __init init(void)
 111 {
 112         return ebt_register_match(&filter_ip);
 113 }
 114
 115 static void __exit fini(void)
 116 {
 117         ebt_unregister_match(&filter_ip);
 118 }
 119
 120 module_init(init);
 121 module_exit(fini);
 122 MODULE_LICENSE("GPL");