Addrtype match has a new revision (1), which lets address type checking limit to the interface the current packet belongs to. The limitation cannot be applied in the FORWARD hook. Revision 0 lets older userspace programs use the match as earlier. Signed-off-by: Laszlo Attila Toth <panther@xxxxxxxxxx> --- include/linux/netfilter_ipv4/ipt_addrtype.h | 15 ++++- net/ipv4/netfilter/ipt_addrtype.c | 90 +++++++++++++++++++++----- 2 files changed, 86 insertions(+), 19 deletions(-) diff --git a/include/linux/netfilter_ipv4/ipt_addrtype.h b/include/linux/netfilter_ipv4/ipt_addrtype.h index 166ed01..856c79d 100644 --- a/include/linux/netfilter_ipv4/ipt_addrtype.h +++ b/include/linux/netfilter_ipv4/ipt_addrtype.h @@ -1,7 +1,20 @@ #ifndef _IPT_ADDRTYPE_H #define _IPT_ADDRTYPE_H -struct ipt_addrtype_info { +enum +{ + IPT_ADDRTYPE_INVERT_SOURCE = 0x0001, + IPT_ADDRTYPE_INVERT_DEST = 0x0002, + IPT_ADDRTYPE_LIMIT_IFACE = 0x0004, +}; + +struct ipt_addrtype_info_v1 { + u_int16_t source; /* source-type mask */ + u_int16_t dest; /* dest-type mask */ + u_int32_t flags; +}; + +struct ipt_addrtype_info_v0 { u_int16_t source; /* source-type mask */ u_int16_t dest; /* dest-type mask */ u_int32_t invert_source; diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c index 59f01f7..7abe2f7 100644 --- a/net/ipv4/netfilter/ipt_addrtype.c +++ b/net/ipv4/netfilter/ipt_addrtype.c @@ -22,44 +22,98 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Patrick McHardy <kaber@xxxxxxxxx>"); MODULE_DESCRIPTION("iptables addrtype match"); -static inline bool match_type(__be32 addr, u_int16_t mask) +static inline bool match_type(__be32 addr, const struct net_device *in, u_int16_t mask) { - return !!(mask & (1 << inet_addr_type(addr))); + return !!(mask & (1 << inet_dev_addr_type(addr, in))); } -static bool match(const struct sk_buff *skb, - const struct net_device *in, const struct net_device *out, - const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, bool *hotdrop) +static bool addrtype_match_v0(const struct sk_buff *skb, + const struct net_device *in, const struct net_device *out, + const struct xt_match *match, const void *matchinfo, + int offset, unsigned int protoff, bool *hotdrop) { - const struct ipt_addrtype_info *info = matchinfo; + const struct ipt_addrtype_info_v0 *info = matchinfo; const struct iphdr *iph = ip_hdr(skb); bool ret = true; if (info->source) - ret &= match_type(iph->saddr, info->source)^info->invert_source; - if (info->dest) - ret &= match_type(iph->daddr, info->dest)^info->invert_dest; + ret &= match_type(iph->saddr, NULL, info->source)^info->invert_source; + if (ret && (info->dest)) + ret &= match_type(iph->daddr, NULL, info->dest)^info->invert_dest; return ret; } -static struct xt_match addrtype_match __read_mostly = { - .name = "addrtype", - .family = AF_INET, - .match = match, - .matchsize = sizeof(struct ipt_addrtype_info), - .me = THIS_MODULE +static bool addrtype_match_v1(const struct sk_buff *skb, + const struct net_device *in, const struct net_device *out, + const struct xt_match *match, const void *matchinfo, + int offset, unsigned int protoff, bool *hotdrop) +{ + const struct ipt_addrtype_info_v1 *info = matchinfo; + const struct iphdr *iph = ip_hdr(skb); + const struct net_device *limit_dev = NULL; + bool ret = true; + + /* not valid in the FORWARD hook */ + if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE) + limit_dev = (in ? in : out); + + if (info->source) + ret &= match_type(iph->saddr, limit_dev, info->source) ^ + (info->flags & IPT_ADDRTYPE_INVERT_SOURCE); + if (ret && (info->dest)) + ret &= match_type(iph->daddr, limit_dev, info->dest) ^ + (info->flags & IPT_ADDRTYPE_INVERT_DEST); + + return ret; +} + +static bool addrtype_checkentry_v1(const char *tablename, const void *ip_void, + const struct xt_match *match, + void *matchinfo, unsigned int hook_mask) +{ + struct ipt_addrtype_info_v1 *info = matchinfo; + + if (hook_mask & (1 << NF_IP_FORWARD) + && info->flags & IPT_ADDRTYPE_LIMIT_IFACE) { + printk(KERN_ERR "ipt_addrtype: limit-interface not valid in " + "FORWARD\n"); + return false; + } + return true; +} + + +static struct xt_match addrtype_match[] __read_mostly = { + { + .name = "addrtype", + .family = AF_INET, + .revision = 0, + .match = addrtype_match_v0, + .matchsize = sizeof(struct ipt_addrtype_info_v0), + .me = THIS_MODULE + }, + { + .name = "addrtype", + .family = AF_INET, + .revision = 1, + .match = addrtype_match_v1, + .checkentry = addrtype_checkentry_v1, + .matchsize = sizeof(struct ipt_addrtype_info_v1), + .me = THIS_MODULE + } }; static int __init ipt_addrtype_init(void) { - return xt_register_match(&addrtype_match); + return xt_register_matches(addrtype_match, + ARRAY_SIZE(addrtype_match)); } static void __exit ipt_addrtype_fini(void) { - xt_unregister_match(&addrtype_match); + xt_unregister_matches(addrtype_match, + ARRAY_SIZE(addrtype_match)); } module_init(ipt_addrtype_init); -- 1.5.2.5 - To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html