Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ipt_ah.c
Go to the documentation of this file.
1 /* Kernel module to match AH parameters. */
2 /* (C) 1999-2000 Yon Uriarte <[email protected]>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License version 2 as
6  * published by the Free Software Foundation.
7  */
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9 #include <linux/in.h>
10 #include <linux/module.h>
11 #include <linux/skbuff.h>
12 #include <linux/ip.h>
13 
14 #include <linux/netfilter_ipv4/ipt_ah.h>
15 #include <linux/netfilter/x_tables.h>
16 
17 MODULE_LICENSE("GPL");
18 MODULE_AUTHOR("Yon Uriarte <[email protected]>");
19 MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
20 
21 /* Returns 1 if the spi is matched by the range, 0 otherwise */
22 static inline bool
23 spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
24 {
25  bool r;
26  pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
27  invert ? '!' : ' ', min, spi, max);
28  r=(spi >= min && spi <= max) ^ invert;
29  pr_debug(" result %s\n", r ? "PASS" : "FAILED");
30  return r;
31 }
32 
33 static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
34 {
35  struct ip_auth_hdr _ahdr;
36  const struct ip_auth_hdr *ah;
37  const struct ipt_ah *ahinfo = par->matchinfo;
38 
39  /* Must not be a fragment. */
40  if (par->fragoff != 0)
41  return false;
42 
43  ah = skb_header_pointer(skb, par->thoff, sizeof(_ahdr), &_ahdr);
44  if (ah == NULL) {
45  /* We've been asked to examine this packet, and we
46  * can't. Hence, no choice but to drop.
47  */
48  pr_debug("Dropping evil AH tinygram.\n");
49  par->hotdrop = true;
50  return 0;
51  }
52 
53  return spi_match(ahinfo->spis[0], ahinfo->spis[1],
54  ntohl(ah->spi),
55  !!(ahinfo->invflags & IPT_AH_INV_SPI));
56 }
57 
58 static int ah_mt_check(const struct xt_mtchk_param *par)
59 {
60  const struct ipt_ah *ahinfo = par->matchinfo;
61 
62  /* Must specify no unknown invflags */
63  if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
64  pr_debug("unknown flags %X\n", ahinfo->invflags);
65  return -EINVAL;
66  }
67  return 0;
68 }
69 
70 static struct xt_match ah_mt_reg __read_mostly = {
71  .name = "ah",
72  .family = NFPROTO_IPV4,
73  .match = ah_mt,
74  .matchsize = sizeof(struct ipt_ah),
75  .proto = IPPROTO_AH,
76  .checkentry = ah_mt_check,
77  .me = THIS_MODULE,
78 };
79 
80 static int __init ah_mt_init(void)
81 {
82  return xt_register_match(&ah_mt_reg);
83 }
84 
85 static void __exit ah_mt_exit(void)
86 {
87  xt_unregister_match(&ah_mt_reg);
88 }
89 
90 module_init(ah_mt_init);
91 module_exit(ah_mt_exit);
Generated on Thu Jan 10 2013 14:58:38 for Linux Kernel by   doxygen 1.8.2