5 * Bart De Schuymer <bdschuym@pandora.be>
10 * added ip-sport and ip-dport
11 * Innominate Security Technologies AG <mhopf@innominate.com>
17 #include <linux/module.h>
18 #include <linux/netfilter/x_tables.h>
19 #include <linux/netfilter_bridge/ebtables.h>
20 #include <linux/netfilter_bridge/ebt_ip.h>
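/*
 * ebt_ip_mt - evaluate one IPv4 frame against an ebt_ip rule
 * @skb: frame under inspection; the IPv4 header is read at offset 0
 * @par: per-rule parameters; par->matchinfo is the struct ebt_ip_info
 *
 * Every comparison is made only when its EBT_IP_* bit is set in
 * info->bitmask, and FWINV() folds in the per-field inversion flag from
 * info->invflags, so a "mismatch" below already accounts for "!".
 * Returns true when every enabled comparison holds, false otherwise.
 *
 * NOTE(review): the listing this was restored from dropped several short
 * lines (the braces, the early returns and the header-pointer NULL checks);
 * they are reinstated here in their conventional form — confirm against
 * upstream.
 */
static bool
ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
	const struct ebt_ip_info *info = par->matchinfo;
	const struct iphdr *ih;
	struct iphdr _iph;
	const struct tcpudphdr *pptr;
	struct tcpudphdr _ports;

	/*
	 * skb_header_pointer() hands back NULL when the requested bytes are
	 * not available; the result must never be dereferenced unchecked.
	 */
	ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
	if (ih == NULL)
		return false;

	if (info->bitmask & EBT_IP_TOS &&
	    FWINV(info->tos != ih->tos, EBT_IP_TOS))
		return false;
	/* Address comparisons are masked with the rule's netmask first. */
	if (info->bitmask & EBT_IP_SOURCE &&
	    FWINV((ih->saddr & info->smsk) != info->saddr, EBT_IP_SOURCE))
		return false;
	if ((info->bitmask & EBT_IP_DEST) &&
	    FWINV((ih->daddr & info->dmsk) != info->daddr, EBT_IP_DEST))
		return false;

	if (info->bitmask & EBT_IP_PROTO) {
		if (FWINV(info->protocol != ih->protocol, EBT_IP_PROTO))
			return false;
		/* No port constraint: the protocol match alone decides. */
		if (!(info->bitmask & EBT_IP_DPORT) &&
		    !(info->bitmask & EBT_IP_SPORT))
			return true;
		/*
		 * Only the first fragment carries the transport header; a
		 * later fragment cannot satisfy a port rule, so it is rejected
		 * rather than matched on stale or absent port data.
		 */
		if (ntohs(ih->frag_off) & IP_OFFSET)
			return false;
		/* ihl counts 32-bit words, so the transport header starts at ihl*4. */
		pptr = skb_header_pointer(skb, ih->ihl * 4,
					  sizeof(_ports), &_ports);
		if (pptr == NULL)
			return false;
		/* Port ranges are inclusive: [lo, hi] as stored in dport/sport. */
		if (info->bitmask & EBT_IP_DPORT) {
			u32 dst = ntohs(pptr->dst);

			if (FWINV(dst < info->dport[0] ||
				  dst > info->dport[1], EBT_IP_DPORT))
				return false;
		}
		if (info->bitmask & EBT_IP_SPORT) {
			u32 src = ntohs(pptr->src);

			if (FWINV(src < info->sport[0] ||
				  src > info->sport[1], EBT_IP_SPORT))
				return false;
		}
	}
	return true;
}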
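/*
 * ebt_ip_mt_check - validate an ebt_ip rule when it is installed
 * @par: par->matchinfo is the struct ebt_ip_info supplied by user space,
 *       par->entryinfo the enclosing ebt_entry
 *
 * Rejects rules whose flag combinations or port ranges the packet path
 * (ebt_ip_mt) cannot honour, so that a rule which loads means what it says.
 * Returns 0 when the rule is acceptable, -EINVAL otherwise.
 *
 * NOTE(review): the listing this was restored from dropped the statement
 * following each condition; the conventional -EINVAL returns are
 * reinstated here — confirm against upstream.
 */
static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
{
	const struct ebt_ip_info *info = par->matchinfo;
	const struct ebt_entry *e = par->entryinfo;

	/* The rule must be anchored to non-inverted IPv4 at the Ethernet layer. */
	if (e->ethproto != htons(ETH_P_IP) ||
	    e->invflags & EBT_IPROTO)
		return -EINVAL;
	/* Only bits defined for this match may appear in either flag word. */
	if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
		return -EINVAL;

	if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
		/*
		 * ebt_ip_mt compares ports only inside its EBT_IP_PROTO
		 * branch, so a port rule must also select a protocol, and
		 * that protocol must not be inverted; otherwise the port
		 * constraint would never be evaluated and the rule would be
		 * broader than its author intended.
		 */
		if (!(info->bitmask & EBT_IP_PROTO) ||
		    info->invflags & EBT_IP_PROTO)
			return -EINVAL;
		/* Ports only exist for transports that carry them. */
		if (info->protocol != IPPROTO_TCP &&
		    info->protocol != IPPROTO_UDP &&
		    info->protocol != IPPROTO_UDPLITE &&
		    info->protocol != IPPROTO_SCTP &&
		    info->protocol != IPPROTO_DCCP)
			return -EINVAL;
	}
	/* Ranges are inclusive [lo, hi]; a reversed range could never match. */
	if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
		return -EINVAL;
	if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
		return -EINVAL;
	return 0;
}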
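/*
 * Registration record for the "ip" match of the bridge (ebtables) family.
 * ebt_ip_mt_check validates a rule when it is loaded, ebt_ip_mt evaluates
 * it per frame; without .match the per-frame function would never be
 * reached, and .me pins the module while rules reference it.
 */
static struct xt_match ebt_ip_mt_reg __read_mostly = {
	.name		= "ip",
	.family		= NFPROTO_BRIDGE,
	.match		= ebt_ip_mt,
	.checkentry	= ebt_ip_mt_check,
	.matchsize	= sizeof(struct ebt_ip_info),
	.me		= THIS_MODULE,
};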
/* Module load: hand the match record to x_tables and report its verdict. */
static int __init ebt_ip_init(void)
{
	return xt_register_match(&ebt_ip_mt_reg);
}
/* Module unload: withdraw the match record from x_tables. */
static void __exit ebt_ip_fini(void)
{
	xt_unregister_match(&ebt_ip_mt_reg);
}
/* Wire the load/unload hooks and describe the module to the kernel. */
module_init(ebt_ip_init);
module_exit(ebt_ip_fini);
MODULE_DESCRIPTION("Ebtables: IPv4 protocol packet match");
MODULE_LICENSE("GPL");