Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ip6t_ah.c
Go to the documentation of this file.
1 /* Kernel module to match AH parameters. */
2 
3 /* (C) 2001-2002 Andras Kis-Szabo <[email protected]>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  */
9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10 #include <linux/module.h>
11 #include <linux/skbuff.h>
12 #include <linux/ip.h>
13 #include <linux/ipv6.h>
14 #include <linux/types.h>
15 #include <net/checksum.h>
16 #include <net/ipv6.h>
17 
18 #include <linux/netfilter/x_tables.h>
19 #include <linux/netfilter_ipv6/ip6_tables.h>
21 
22 MODULE_LICENSE("GPL");
23 MODULE_DESCRIPTION("Xtables: IPv6 IPsec-AH match");
24 MODULE_AUTHOR("Andras Kis-Szabo <[email protected]>");
25 
26 /* Returns 1 if the spi is matched by the range, 0 otherwise */
27 static inline bool
28 spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
29 {
30  bool r;
31 
32  pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
33  invert ? '!' : ' ', min, spi, max);
34  r = (spi >= min && spi <= max) ^ invert;
35  pr_debug(" result %s\n", r ? "PASS" : "FAILED");
36  return r;
37 }
38 
39 static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
40 {
41  struct ip_auth_hdr _ah;
42  const struct ip_auth_hdr *ah;
43  const struct ip6t_ah *ahinfo = par->matchinfo;
44  unsigned int ptr = 0;
45  unsigned int hdrlen = 0;
46  int err;
47 
48  err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL, NULL);
49  if (err < 0) {
50  if (err != -ENOENT)
51  par->hotdrop = true;
52  return false;
53  }
54 
55  ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
56  if (ah == NULL) {
57  par->hotdrop = true;
58  return false;
59  }
60 
61  hdrlen = (ah->hdrlen + 2) << 2;
62 
63  pr_debug("IPv6 AH LEN %u %u ", hdrlen, ah->hdrlen);
64  pr_debug("RES %04X ", ah->reserved);
65  pr_debug("SPI %u %08X\n", ntohl(ah->spi), ntohl(ah->spi));
66 
67  pr_debug("IPv6 AH spi %02X ",
68  spi_match(ahinfo->spis[0], ahinfo->spis[1],
69  ntohl(ah->spi),
70  !!(ahinfo->invflags & IP6T_AH_INV_SPI)));
71  pr_debug("len %02X %04X %02X ",
72  ahinfo->hdrlen, hdrlen,
73  (!ahinfo->hdrlen ||
74  (ahinfo->hdrlen == hdrlen) ^
75  !!(ahinfo->invflags & IP6T_AH_INV_LEN)));
76  pr_debug("res %02X %04X %02X\n",
77  ahinfo->hdrres, ah->reserved,
78  !(ahinfo->hdrres && ah->reserved));
79 
80  return (ah != NULL) &&
81  spi_match(ahinfo->spis[0], ahinfo->spis[1],
82  ntohl(ah->spi),
83  !!(ahinfo->invflags & IP6T_AH_INV_SPI)) &&
84  (!ahinfo->hdrlen ||
85  (ahinfo->hdrlen == hdrlen) ^
86  !!(ahinfo->invflags & IP6T_AH_INV_LEN)) &&
87  !(ahinfo->hdrres && ah->reserved);
88 }
89 
90 static int ah_mt6_check(const struct xt_mtchk_param *par)
91 {
92  const struct ip6t_ah *ahinfo = par->matchinfo;
93 
94  if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
95  pr_debug("unknown flags %X\n", ahinfo->invflags);
96  return -EINVAL;
97  }
98  return 0;
99 }
100 
101 static struct xt_match ah_mt6_reg __read_mostly = {
102  .name = "ah",
103  .family = NFPROTO_IPV6,
104  .match = ah_mt6,
105  .matchsize = sizeof(struct ip6t_ah),
106  .checkentry = ah_mt6_check,
107  .me = THIS_MODULE,
108 };
109 
110 static int __init ah_mt6_init(void)
111 {
112  return xt_register_match(&ah_mt6_reg);
113 }
114 
115 static void __exit ah_mt6_exit(void)
116 {
117  xt_unregister_match(&ah_mt6_reg);
118 }
119 
120 module_init(ah_mt6_init);
121 module_exit(ah_mt6_exit);