Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
xt_policy.c
Go to the documentation of this file.
1 /* IP tables module for matching IPsec policy
2  *
3  * Copyright (c) 2004,2005 Patrick McHardy, <[email protected]>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  */
9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10 #include <linux/kernel.h>
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
13 #include <linux/init.h>
14 #include <net/xfrm.h>
15 
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/xt_policy.h>
18 #include <linux/netfilter/x_tables.h>
19 
20 MODULE_AUTHOR("Patrick McHardy <[email protected]>");
21 MODULE_DESCRIPTION("Xtables: IPsec policy match");
22 MODULE_LICENSE("GPL");
23 
24 static inline bool
25 xt_addr_cmp(const union nf_inet_addr *a1, const union nf_inet_addr *m,
26  const union nf_inet_addr *a2, unsigned short family)
27 {
28  switch (family) {
29  case NFPROTO_IPV4:
30  return ((a1->ip ^ a2->ip) & m->ip) == 0;
31  case NFPROTO_IPV6:
32  return ipv6_masked_addr_cmp(&a1->in6, &m->in6, &a2->in6) == 0;
33  }
34  return false;
35 }
36 
37 static bool
38 match_xfrm_state(const struct xfrm_state *x, const struct xt_policy_elem *e,
39  unsigned short family)
40 {
41 #define MATCH_ADDR(x,y,z) (!e->match.x || \
42  (xt_addr_cmp(&e->x, &e->y, (const union nf_inet_addr *)(z), family) \
43  ^ e->invert.x))
44 #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
45 
46  return MATCH_ADDR(saddr, smask, &x->props.saddr) &&
47  MATCH_ADDR(daddr, dmask, &x->id.daddr) &&
48  MATCH(proto, x->id.proto) &&
49  MATCH(mode, x->props.mode) &&
50  MATCH(spi, x->id.spi) &&
51  MATCH(reqid, x->props.reqid);
52 }
53 
54 static int
55 match_policy_in(const struct sk_buff *skb, const struct xt_policy_info *info,
56  unsigned short family)
57 {
58  const struct xt_policy_elem *e;
59  const struct sec_path *sp = skb->sp;
60  int strict = info->flags & XT_POLICY_MATCH_STRICT;
61  int i, pos;
62 
63  if (sp == NULL)
64  return -1;
65  if (strict && info->len != sp->len)
66  return 0;
67 
68  for (i = sp->len - 1; i >= 0; i--) {
69  pos = strict ? i - sp->len + 1 : 0;
70  if (pos >= info->len)
71  return 0;
72  e = &info->pol[pos];
73 
74  if (match_xfrm_state(sp->xvec[i], e, family)) {
75  if (!strict)
76  return 1;
77  } else if (strict)
78  return 0;
79  }
80 
81  return strict ? 1 : 0;
82 }
83 
84 static int
85 match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
86  unsigned short family)
87 {
88  const struct xt_policy_elem *e;
89  const struct dst_entry *dst = skb_dst(skb);
90  int strict = info->flags & XT_POLICY_MATCH_STRICT;
91  int i, pos;
92 
93  if (dst->xfrm == NULL)
94  return -1;
95 
96  for (i = 0; dst && dst->xfrm; dst = dst->child, i++) {
97  pos = strict ? i : 0;
98  if (pos >= info->len)
99  return 0;
100  e = &info->pol[pos];
101 
102  if (match_xfrm_state(dst->xfrm, e, family)) {
103  if (!strict)
104  return 1;
105  } else if (strict)
106  return 0;
107  }
108 
109  return strict ? i == info->len : 0;
110 }
111 
112 static bool
113 policy_mt(const struct sk_buff *skb, struct xt_action_param *par)
114 {
115  const struct xt_policy_info *info = par->matchinfo;
116  int ret;
117 
118  if (info->flags & XT_POLICY_MATCH_IN)
119  ret = match_policy_in(skb, info, par->family);
120  else
121  ret = match_policy_out(skb, info, par->family);
122 
123  if (ret < 0)
124  ret = info->flags & XT_POLICY_MATCH_NONE ? true : false;
125  else if (info->flags & XT_POLICY_MATCH_NONE)
126  ret = false;
127 
128  return ret;
129 }
130 
131 static int policy_mt_check(const struct xt_mtchk_param *par)
132 {
133  const struct xt_policy_info *info = par->matchinfo;
134 
135  if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
136  pr_info("neither incoming nor outgoing policy selected\n");
137  return -EINVAL;
138  }
139  if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
140  (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
141  pr_info("output policy not valid in PREROUTING and INPUT\n");
142  return -EINVAL;
143  }
144  if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
145  (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
146  pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
147  return -EINVAL;
148  }
149  if (info->len > XT_POLICY_MAX_ELEM) {
150  pr_info("too many policy elements\n");
151  return -EINVAL;
152  }
153  return 0;
154 }
155 
156 static struct xt_match policy_mt_reg[] __read_mostly = {
157  {
158  .name = "policy",
159  .family = NFPROTO_IPV4,
160  .checkentry = policy_mt_check,
161  .match = policy_mt,
162  .matchsize = sizeof(struct xt_policy_info),
163  .me = THIS_MODULE,
164  },
165  {
166  .name = "policy",
167  .family = NFPROTO_IPV6,
168  .checkentry = policy_mt_check,
169  .match = policy_mt,
170  .matchsize = sizeof(struct xt_policy_info),
171  .me = THIS_MODULE,
172  },
173 };
174 
175 static int __init policy_mt_init(void)
176 {
177  return xt_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg));
178 }
179 
180 static void __exit policy_mt_exit(void)
181 {
182  xt_unregister_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg));
183 }
184 
185 module_init(policy_mt_init);
186 module_exit(policy_mt_exit);
187 MODULE_ALIAS("ipt_policy");
188 MODULE_ALIAS("ip6t_policy");
Generated on Thu Jan 10 2013 15:00:57 for Linux Kernel by   doxygen 1.8.2