]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* Kernel module to match AH parameters. */ |
2 | ||
3 | /* (C) 2001-2002 Andras Kis-Szabo <kisza@sch.bme.hu> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | */ | |
9 | ||
10 | #include <linux/module.h> | |
11 | #include <linux/skbuff.h> | |
12 | #include <linux/ipv6.h> | |
13 | #include <linux/types.h> | |
14 | #include <net/checksum.h> | |
15 | #include <net/ipv6.h> | |
16 | ||
17 | #include <linux/netfilter_ipv6/ip6_tables.h> | |
18 | #include <linux/netfilter_ipv6/ip6t_ah.h> | |
19 | ||
20 | MODULE_LICENSE("GPL"); | |
21 | MODULE_DESCRIPTION("IPv6 AH match"); | |
22 | MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); | |
23 | ||
24 | #if 0 | |
25 | #define DEBUGP printk | |
26 | #else | |
27 | #define DEBUGP(format, args...) | |
28 | #endif | |
29 | ||
30 | /* Returns 1 if the spi is matched by the range, 0 otherwise */ | |
31 | static inline int | |
32 | spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert) | |
33 | { | |
34 | int r=0; | |
35 | DEBUGP("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ', | |
36 | min,spi,max); | |
37 | r = (spi >= min && spi <= max) ^ invert; | |
38 | DEBUGP(" result %s\n",r? "PASS\n" : "FAILED\n"); | |
39 | return r; | |
40 | } | |
41 | ||
42 | static int | |
43 | match(const struct sk_buff *skb, | |
44 | const struct net_device *in, | |
45 | const struct net_device *out, | |
46 | const void *matchinfo, | |
47 | int offset, | |
48 | unsigned int protoff, | |
49 | int *hotdrop) | |
50 | { | |
51 | struct ip_auth_hdr *ah = NULL, _ah; | |
52 | const struct ip6t_ah *ahinfo = matchinfo; | |
53 | unsigned int temp; | |
54 | int len; | |
55 | u8 nexthdr; | |
56 | unsigned int ptr; | |
57 | unsigned int hdrlen = 0; | |
58 | ||
59 | /*DEBUGP("IPv6 AH entered\n");*/ | |
60 | /* if (opt->auth == 0) return 0; | |
61 | * It does not filled on output */ | |
62 | ||
63 | /* type of the 1st exthdr */ | |
64 | nexthdr = skb->nh.ipv6h->nexthdr; | |
65 | /* pointer to the 1st exthdr */ | |
66 | ptr = sizeof(struct ipv6hdr); | |
67 | /* available length */ | |
68 | len = skb->len - ptr; | |
69 | temp = 0; | |
70 | ||
71 | while (ip6t_ext_hdr(nexthdr)) { | |
72 | struct ipv6_opt_hdr _hdr, *hp; | |
73 | ||
74 | DEBUGP("ipv6_ah header iteration \n"); | |
75 | ||
76 | /* Is there enough space for the next ext header? */ | |
77 | if (len < sizeof(struct ipv6_opt_hdr)) | |
78 | return 0; | |
79 | /* No more exthdr -> evaluate */ | |
80 | if (nexthdr == NEXTHDR_NONE) | |
81 | break; | |
82 | /* ESP -> evaluate */ | |
83 | if (nexthdr == NEXTHDR_ESP) | |
84 | break; | |
85 | ||
86 | hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); | |
87 | BUG_ON(hp == NULL); | |
88 | ||
89 | /* Calculate the header length */ | |
90 | if (nexthdr == NEXTHDR_FRAGMENT) | |
91 | hdrlen = 8; | |
92 | else if (nexthdr == NEXTHDR_AUTH) | |
93 | hdrlen = (hp->hdrlen+2)<<2; | |
94 | else | |
95 | hdrlen = ipv6_optlen(hp); | |
96 | ||
97 | /* AH -> evaluate */ | |
98 | if (nexthdr == NEXTHDR_AUTH) { | |
99 | temp |= MASK_AH; | |
100 | break; | |
101 | } | |
102 | ||
103 | ||
104 | /* set the flag */ | |
105 | switch (nexthdr) { | |
106 | case NEXTHDR_HOP: | |
107 | case NEXTHDR_ROUTING: | |
108 | case NEXTHDR_FRAGMENT: | |
109 | case NEXTHDR_AUTH: | |
110 | case NEXTHDR_DEST: | |
111 | break; | |
112 | default: | |
113 | DEBUGP("ipv6_ah match: unknown nextheader %u\n",nexthdr); | |
114 | return 0; | |
115 | } | |
116 | ||
117 | nexthdr = hp->nexthdr; | |
118 | len -= hdrlen; | |
119 | ptr += hdrlen; | |
120 | if (ptr > skb->len) { | |
121 | DEBUGP("ipv6_ah: new pointer too large! \n"); | |
122 | break; | |
123 | } | |
124 | } | |
125 | ||
126 | /* AH header not found */ | |
127 | if (temp != MASK_AH) | |
128 | return 0; | |
129 | ||
130 | if (len < sizeof(struct ip_auth_hdr)){ | |
131 | *hotdrop = 1; | |
132 | return 0; | |
133 | } | |
134 | ||
135 | ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah); | |
136 | BUG_ON(ah == NULL); | |
137 | ||
138 | DEBUGP("IPv6 AH LEN %u %u ", hdrlen, ah->hdrlen); | |
139 | DEBUGP("RES %04X ", ah->reserved); | |
140 | DEBUGP("SPI %u %08X\n", ntohl(ah->spi), ntohl(ah->spi)); | |
141 | ||
142 | DEBUGP("IPv6 AH spi %02X ", | |
143 | (spi_match(ahinfo->spis[0], ahinfo->spis[1], | |
144 | ntohl(ah->spi), | |
145 | !!(ahinfo->invflags & IP6T_AH_INV_SPI)))); | |
146 | DEBUGP("len %02X %04X %02X ", | |
147 | ahinfo->hdrlen, hdrlen, | |
148 | (!ahinfo->hdrlen || | |
149 | (ahinfo->hdrlen == hdrlen) ^ | |
150 | !!(ahinfo->invflags & IP6T_AH_INV_LEN))); | |
151 | DEBUGP("res %02X %04X %02X\n", | |
152 | ahinfo->hdrres, ah->reserved, | |
153 | !(ahinfo->hdrres && ah->reserved)); | |
154 | ||
155 | return (ah != NULL) | |
156 | && | |
157 | (spi_match(ahinfo->spis[0], ahinfo->spis[1], | |
158 | ntohl(ah->spi), | |
159 | !!(ahinfo->invflags & IP6T_AH_INV_SPI))) | |
160 | && | |
161 | (!ahinfo->hdrlen || | |
162 | (ahinfo->hdrlen == hdrlen) ^ | |
163 | !!(ahinfo->invflags & IP6T_AH_INV_LEN)) | |
164 | && | |
165 | !(ahinfo->hdrres && ah->reserved); | |
166 | } | |
167 | ||
168 | /* Called when user tries to insert an entry of this type. */ | |
169 | static int | |
170 | checkentry(const char *tablename, | |
171 | const struct ip6t_ip6 *ip, | |
172 | void *matchinfo, | |
173 | unsigned int matchinfosize, | |
174 | unsigned int hook_mask) | |
175 | { | |
176 | const struct ip6t_ah *ahinfo = matchinfo; | |
177 | ||
178 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_ah))) { | |
179 | DEBUGP("ip6t_ah: matchsize %u != %u\n", | |
180 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_ah))); | |
181 | return 0; | |
182 | } | |
183 | if (ahinfo->invflags & ~IP6T_AH_INV_MASK) { | |
184 | DEBUGP("ip6t_ah: unknown flags %X\n", ahinfo->invflags); | |
185 | return 0; | |
186 | } | |
187 | return 1; | |
188 | } | |
189 | ||
190 | static struct ip6t_match ah_match = { | |
191 | .name = "ah", | |
192 | .match = &match, | |
193 | .checkentry = &checkentry, | |
194 | .me = THIS_MODULE, | |
195 | }; | |
196 | ||
197 | static int __init init(void) | |
198 | { | |
199 | return ip6t_register_match(&ah_match); | |
200 | } | |
201 | ||
202 | static void __exit cleanup(void) | |
203 | { | |
204 | ip6t_unregister_match(&ah_match); | |
205 | } | |
206 | ||
207 | module_init(init); | |
208 | module_exit(cleanup); |