/* Kernel module to match AH parameters. */

/* (C) 2001-2002 Andras Kis-Szabo <[email protected]>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
/*
 * Prefix for the pr_*() messages emitted by this file (the pr_debug() calls
 * below): the module name followed by ": ". Defined ahead of the includes so
 * the printk helpers see it.
 */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/types.h>
#include <net/checksum.h>
#include <net/ipv6.h>

#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter_ipv6/ip6t_ah.h>

/* Module metadata. */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Xtables: IPv6 IPsec-AH match");
MODULE_AUTHOR("Andras Kis-Szabo <[email protected]>");
25
26
/*
 * Decide whether @spi falls inside the inclusive range [@min, @max].
 *
 * @invert flips the verdict, so an inverted rule matches every SPI outside
 * the range. No ordering of @min and @max is enforced here: with min > max
 * the range is empty, so a plain rule never matches and an inverted rule
 * always matches.
 *
 * Returns true when the (possibly inverted) test succeeds, false otherwise.
 */
static inline bool
spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
{
	bool in_range = spi >= min && spi <= max;
	/* For two booleans, "differs from" is the same as XOR. */
	bool matched = in_range != invert;

	pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
		 invert ? '!' : ' ', min, spi, max);
	pr_debug(" result %s\n", matched ? "PASS" : "FAILED");
	return matched;
}
/*
 * xtables match callback: compare the IPv6 Authentication Header of @skb
 * with the rule parameters in par->matchinfo (struct ip6t_ah).
 *
 * Three criteria must all hold for a match:
 *   - the SPI lies in [spis[0], spis[1]], inverted by IP6T_AH_INV_SPI;
 *   - if the rule's hdrlen is non-zero, the AH length in bytes equals it,
 *     inverted by IP6T_AH_INV_LEN (a zero hdrlen disables the length test,
 *     whatever the inversion flag says);
 *   - if the rule's hdrres is set, the AH reserved field is zero.
 *
 * Every ah-> field is read from the packet and is therefore untrusted.
 * The function only compares header fields and does no cryptographic
 * verification, so a match says nothing about the packet's authenticity.
 *
 * Returns true on match. On a malformed packet it returns false and sets
 * par->hotdrop to ask the caller to drop the packet.
 */
static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
	const struct ip6t_ah *ahinfo = par->matchinfo;
	struct ip_auth_hdr hdr_copy;
	const struct ip_auth_hdr *ah;
	unsigned int ah_off = 0;
	unsigned int hdrlen = 0;
	int rc;

	/*
	 * Find the AH in the extension-header chain. The two trailing
	 * out-parameters are not requested (NULL).
	 * -ENOENT means "no AH present": a plain non-match. Any other
	 * error is treated as a broken packet and hot-dropped.
	 */
	rc = ipv6_find_hdr(skb, &ah_off, NEXTHDR_AUTH, NULL, NULL);
	if (rc < 0) {
		if (rc != -ENOENT)
			par->hotdrop = true;
		return false;
	}

	/*
	 * Only the fixed part of the header (sizeof(struct ip_auth_hdr)) is
	 * fetched and checked for presence. A packet too short to hold it
	 * is dropped instead of being matched on partial data.
	 */
	ah = skb_header_pointer(skb, ah_off, sizeof(hdr_copy), &hdr_copy);
	if (!ah) {
		par->hotdrop = true;
		return false;
	}

	/*
	 * Convert the packet's length field to bytes: (field + 2) 32-bit
	 * words. The result is only compared with the rule value below; it
	 * is not checked against the amount of data actually in the skb.
	 * NOTE(review): presumably ah->hdrlen is a single octet, which would
	 * keep this shift far from overflow - confirm in linux/ip.h.
	 */
	hdrlen = (ah->hdrlen + 2) << 2;

	pr_debug("IPv6 AH LEN %u %u ", hdrlen, ah->hdrlen);
	pr_debug("RES %04X ", ah->reserved);
	pr_debug("SPI %u %08X\n", ntohl(ah->spi), ntohl(ah->spi));

	/*
	 * Debug trace of the three sub-results. This calls spi_match() in
	 * addition to the real evaluation below, so with debugging enabled
	 * its own trace lines are printed twice per packet.
	 */
	pr_debug("IPv6 AH spi %02X ",
		 spi_match(ahinfo->spis[0], ahinfo->spis[1],
			   ntohl(ah->spi),
			   !!(ahinfo->invflags & IP6T_AH_INV_SPI)));
	pr_debug("len %02X %04X %02X ",
		 ahinfo->hdrlen, hdrlen,
		 (!ahinfo->hdrlen ||
		  (ahinfo->hdrlen == hdrlen) ^
		  !!(ahinfo->invflags & IP6T_AH_INV_LEN)));
	pr_debug("res %02X %04X %02X\n",
		 ahinfo->hdrres, ah->reserved,
		 !(ahinfo->hdrres && ah->reserved));

	/* SPI range test; the on-wire SPI is converted to host order first. */
	if (!spi_match(ahinfo->spis[0], ahinfo->spis[1],
		       ntohl(ah->spi),
		       !!(ahinfo->invflags & IP6T_AH_INV_SPI)))
		return false;

	/* Length test, skipped entirely when the rule's hdrlen is zero. */
	if (ahinfo->hdrlen &&
	    !((ahinfo->hdrlen == hdrlen) ^
	      !!(ahinfo->invflags & IP6T_AH_INV_LEN)))
		return false;

	/* With hdrres set, a non-zero reserved field is a non-match. */
	return !(ahinfo->hdrres && ah->reserved);
}
/*
 * checkentry hook: validate the rule parameters (struct ip6t_ah) in
 * par->matchinfo.
 *
 * Only invflags is checked: any bit outside IP6T_AH_INV_MASK is rejected
 * with -EINVAL. The SPI bounds, hdrlen and hdrres are accepted unchanged.
 * NOTE(review): spis[0] > spis[1] yields an empty range in spi_match();
 * confirm whether userspace is expected to reject that.
 *
 * The rejection is reported through pr_debug() only.
 *
 * Returns 0 if the rule is acceptable, -EINVAL otherwise.
 */
static int ah_mt6_check(const struct xt_mtchk_param *par)
{
	const struct ip6t_ah *ahinfo = par->matchinfo;

	if (!(ahinfo->invflags & ~IP6T_AH_INV_MASK))
		return 0;

	pr_debug("unknown flags %X\n", ahinfo->invflags);
	return -EINVAL;
}
/*
 * Registration record for the IPv6 "ah" match.
 *
 * checkentry is the rule-validation hook and match is the per-packet
 * callback. matchsize declares the size of the per-rule data
 * (struct ip6t_ah) that both hooks read through par->matchinfo.
 */
static struct xt_match ah_mt6_reg __read_mostly = {
	.name		= "ah",
	.family		= NFPROTO_IPV6,
	.checkentry	= ah_mt6_check,
	.match		= ah_mt6,
	.matchsize	= sizeof(struct ip6t_ah),
	.me		= THIS_MODULE,
};
/*
 * Module load hook: register the "ah" match with x_tables.
 * Returns whatever xt_register_match() returns.
 */
static int __init ah_mt6_init(void)
{
	int ret = xt_register_match(&ah_mt6_reg);

	return ret;
}
/* Module unload hook: remove the "ah" match registered by ah_mt6_init(). */
static void __exit ah_mt6_exit(void)
{
	struct xt_match *match = &ah_mt6_reg;

	xt_unregister_match(match);
}
/* Wire the load and unload hooks into the module infrastructure. */
module_init(ah_mt6_init);
module_exit(ah_mt6_exit);