search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6
[wrt350n-kernel.git] / net / bridge / netfilter / ebt_ip.c
blob65caa00dcf2a348d0c321a42add55acd40177339
1 /*
2 * ebt_ip
3 *
4 * Authors:
5 * Bart De Schuymer <bdschuym@pandora.be>
6 *
7 * April, 2002
8 *
9 * Changes:
10 * added ip-sport and ip-dport
11 * Innominate Security Technologies AG <mhopf@innominate.com>
12 * September, 2002
13 */
14
15 #include <linux/netfilter_bridge/ebtables.h>
16 #include <linux/netfilter_bridge/ebt_ip.h>
17 #include <linux/ip.h>
18 #include <net/ip.h>
19 #include <linux/in.h>
20 #include <linux/module.h>
21
22 struct tcpudphdr {
23 __be16 src;
24 __be16 dst;
25 };
26
27 static int ebt_filter_ip(const struct sk_buff *skb, const struct net_device *in,
28 const struct net_device *out, const void *data,
29 unsigned int datalen)
30 {
31 const struct ebt_ip_info *info = data;
32 const struct iphdr *ih;
33 struct iphdr _iph;
34 const struct tcpudphdr *pptr;
35 struct tcpudphdr _ports;
36
37 ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
38 if (ih == NULL)
39 return EBT_NOMATCH;
40 if (info->bitmask & EBT_IP_TOS &&
41 FWINV(info->tos != ih->tos, EBT_IP_TOS))
42 return EBT_NOMATCH;
43 if (info->bitmask & EBT_IP_SOURCE &&
44 FWINV((ih->saddr & info->smsk) !=
45 info->saddr, EBT_IP_SOURCE))
46 return EBT_NOMATCH;
47 if ((info->bitmask & EBT_IP_DEST) &&
48 FWINV((ih->daddr & info->dmsk) !=
49 info->daddr, EBT_IP_DEST))
50 return EBT_NOMATCH;
51 if (info->bitmask & EBT_IP_PROTO) {
52 if (FWINV(info->protocol != ih->protocol, EBT_IP_PROTO))
53 return EBT_NOMATCH;
54 if (!(info->bitmask & EBT_IP_DPORT) &&
55 !(info->bitmask & EBT_IP_SPORT))
56 return EBT_MATCH;
57 if (ntohs(ih->frag_off) & IP_OFFSET)
58 return EBT_NOMATCH;
59 pptr = skb_header_pointer(skb, ih->ihl*4,
60 sizeof(_ports), &_ports);
61 if (pptr == NULL)
62 return EBT_NOMATCH;
63 if (info->bitmask & EBT_IP_DPORT) {
64 u32 dst = ntohs(pptr->dst);
65 if (FWINV(dst < info->dport[0] ||
66 dst > info->dport[1],
67 EBT_IP_DPORT))
68 return EBT_NOMATCH;
69 }
70 if (info->bitmask & EBT_IP_SPORT) {
71 u32 src = ntohs(pptr->src);
72 if (FWINV(src < info->sport[0] ||
73 src > info->sport[1],
74 EBT_IP_SPORT))
75 return EBT_NOMATCH;
76 }
77 }
78 return EBT_MATCH;
79 }
80
81 static int ebt_ip_check(const char *tablename, unsigned int hookmask,
82 const struct ebt_entry *e, void *data, unsigned int datalen)
83 {
84 const struct ebt_ip_info *info = data;
85
86 if (datalen != EBT_ALIGN(sizeof(struct ebt_ip_info)))
87 return -EINVAL;
88 if (e->ethproto != htons(ETH_P_IP) ||
89 e->invflags & EBT_IPROTO)
90 return -EINVAL;
91 if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
92 return -EINVAL;
93 if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
94 if (info->invflags & EBT_IP_PROTO)
95 return -EINVAL;
96 if (info->protocol != IPPROTO_TCP &&
97 info->protocol != IPPROTO_UDP &&
98 info->protocol != IPPROTO_UDPLITE &&
99 info->protocol != IPPROTO_SCTP &&
100 info->protocol != IPPROTO_DCCP)
101 return -EINVAL;
102 }
103 if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
104 return -EINVAL;
105 if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
106 return -EINVAL;
107 return 0;
108 }
109
110 static struct ebt_match filter_ip __read_mostly = {
111 .name = EBT_IP_MATCH,
112 .match = ebt_filter_ip,
113 .check = ebt_ip_check,
114 .me = THIS_MODULE,
115 };
116
117 static int __init ebt_ip_init(void)
118 {
119 return ebt_register_match(&filter_ip);
120 }
121
122 static void __exit ebt_ip_fini(void)
123 {
124 ebt_unregister_match(&filter_ip);
125 }
126
127 module_init(ebt_ip_init);
128 module_exit(ebt_ip_fini);
129 MODULE_DESCRIPTION("Ebtables: IPv4 protocol packet match");
130 MODULE_LICENSE("GPL");
WRT350N Kernel Patches