netfilter: Combine ipt_ttl and ip6t_hl source
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
parent
563d36eb3f
commit
cfac5ef7b9
9 changed files with 117 additions and 151 deletions
|
@ -92,15 +92,6 @@ config IP_NF_MATCH_ECN
|
|||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
config IP_NF_MATCH_TTL
|
||||
tristate '"ttl" match support'
|
||||
depends on NETFILTER_ADVANCED
|
||||
help
|
||||
This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
|
||||
to match packets by their TTL value.
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
# `filter', generic and specific targets
|
||||
config IP_NF_FILTER
|
||||
tristate "Packet filtering"
|
||||
|
|
|
@ -51,7 +51,6 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
|
|||
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
|
||||
|
||||
# targets
|
||||
obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
|
||||
|
|
|
@ -1,63 +0,0 @@
|
|||
/* IP tables module for matching the value of the TTL
|
||||
*
|
||||
* (C) 2000,2001 by Harald Welte <laforge@netfilter.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
* published by the Free Software Foundation.
|
||||
*/
|
||||
|
||||
#include <linux/ip.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/skbuff.h>
|
||||
|
||||
#include <linux/netfilter_ipv4/ipt_ttl.h>
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
|
||||
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
|
||||
MODULE_DESCRIPTION("Xtables: IPv4 TTL field match");
|
||||
MODULE_LICENSE("GPL");
|
||||
|
||||
static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct ipt_ttl_info *info = par->matchinfo;
|
||||
const u8 ttl = ip_hdr(skb)->ttl;
|
||||
|
||||
switch (info->mode) {
|
||||
case IPT_TTL_EQ:
|
||||
return ttl == info->ttl;
|
||||
case IPT_TTL_NE:
|
||||
return ttl != info->ttl;
|
||||
case IPT_TTL_LT:
|
||||
return ttl < info->ttl;
|
||||
case IPT_TTL_GT:
|
||||
return ttl > info->ttl;
|
||||
default:
|
||||
printk(KERN_WARNING "ipt_ttl: unknown mode %d\n",
|
||||
info->mode);
|
||||
return false;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static struct xt_match ttl_mt_reg __read_mostly = {
|
||||
.name = "ttl",
|
||||
.family = NFPROTO_IPV4,
|
||||
.match = ttl_mt,
|
||||
.matchsize = sizeof(struct ipt_ttl_info),
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init ttl_mt_init(void)
|
||||
{
|
||||
return xt_register_match(&ttl_mt_reg);
|
||||
}
|
||||
|
||||
static void __exit ttl_mt_exit(void)
|
||||
{
|
||||
xt_unregister_match(&ttl_mt_reg);
|
||||
}
|
||||
|
||||
module_init(ttl_mt_init);
|
||||
module_exit(ttl_mt_exit);
|
|
@ -94,15 +94,6 @@ config IP6_NF_MATCH_OPTS
|
|||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
config IP6_NF_MATCH_HL
|
||||
tristate '"hl" match support'
|
||||
depends on NETFILTER_ADVANCED
|
||||
help
|
||||
HL matching allows you to match packets based on the hop
|
||||
limit of the packet.
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
config IP6_NF_MATCH_IPV6HEADER
|
||||
tristate '"ipv6header" IPv6 Extension Headers Match'
|
||||
default m if NETFILTER_ADVANCED=n
|
||||
|
|
|
@ -20,7 +20,6 @@ obj-$(CONFIG_NF_CONNTRACK_IPV6) += nf_conntrack_ipv6.o
|
|||
obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
|
||||
|
|
|
@ -1,68 +0,0 @@
|
|||
/* Hop Limit matching module */
|
||||
|
||||
/* (C) 2001-2002 Maciej Soltysiak <solt@dns.toxicfilms.tv>
|
||||
* Based on HW's ttl module
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
* published by the Free Software Foundation.
|
||||
*/
|
||||
|
||||
#include <linux/ipv6.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/skbuff.h>
|
||||
|
||||
#include <linux/netfilter_ipv6/ip6t_hl.h>
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
|
||||
MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
|
||||
MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field match");
|
||||
MODULE_LICENSE("GPL");
|
||||
|
||||
static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct ip6t_hl_info *info = par->matchinfo;
|
||||
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
|
||||
|
||||
switch (info->mode) {
|
||||
case IP6T_HL_EQ:
|
||||
return ip6h->hop_limit == info->hop_limit;
|
||||
break;
|
||||
case IP6T_HL_NE:
|
||||
return ip6h->hop_limit != info->hop_limit;
|
||||
break;
|
||||
case IP6T_HL_LT:
|
||||
return ip6h->hop_limit < info->hop_limit;
|
||||
break;
|
||||
case IP6T_HL_GT:
|
||||
return ip6h->hop_limit > info->hop_limit;
|
||||
break;
|
||||
default:
|
||||
printk(KERN_WARNING "ip6t_hl: unknown mode %d\n",
|
||||
info->mode);
|
||||
return false;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static struct xt_match hl_mt6_reg __read_mostly = {
|
||||
.name = "hl",
|
||||
.family = NFPROTO_IPV6,
|
||||
.match = hl_mt6,
|
||||
.matchsize = sizeof(struct ip6t_hl_info),
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init hl_mt6_init(void)
|
||||
{
|
||||
return xt_register_match(&hl_mt6_reg);
|
||||
}
|
||||
|
||||
static void __exit hl_mt6_exit(void)
|
||||
{
|
||||
xt_unregister_match(&hl_mt6_reg);
|
||||
}
|
||||
|
||||
module_init(hl_mt6_init);
|
||||
module_exit(hl_mt6_exit);
|
|
@ -620,6 +620,14 @@ config NETFILTER_XT_MATCH_HELPER
|
|||
|
||||
To compile it as a module, choose M here. If unsure, say Y.
|
||||
|
||||
config NETFILTER_XT_MATCH_HL
|
||||
tristate '"hl" hoplimit/TTL match support'
|
||||
depends on NETFILTER_ADVANCED
|
||||
---help---
|
||||
HL matching allows you to match packets based on the hoplimit
|
||||
in the IPv6 header, or the time-to-live field in the IPv4
|
||||
header of the packet.
|
||||
|
||||
config NETFILTER_XT_MATCH_IPRANGE
|
||||
tristate '"iprange" address range match support'
|
||||
depends on NETFILTER_ADVANCED
|
||||
|
|
|
@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
|
|||
obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
|
||||
|
|
108
net/netfilter/xt_hl.c
Normal file
108
net/netfilter/xt_hl.c
Normal file
|
@ -0,0 +1,108 @@
|
|||
/*
|
||||
* IP tables module for matching the value of the TTL
|
||||
* (C) 2000,2001 by Harald Welte <laforge@netfilter.org>
|
||||
*
|
||||
* Hop Limit matching module
|
||||
* (C) 2001-2002 Maciej Soltysiak <solt@dns.toxicfilms.tv>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
* published by the Free Software Foundation.
|
||||
*/
|
||||
|
||||
#include <linux/ip.h>
|
||||
#include <linux/ipv6.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/skbuff.h>
|
||||
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
#include <linux/netfilter_ipv4/ipt_ttl.h>
|
||||
#include <linux/netfilter_ipv6/ip6t_hl.h>
|
||||
|
||||
MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
|
||||
MODULE_DESCRIPTION("Xtables: Hoplimit/TTL field match");
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_ALIAS("ipt_ttl");
|
||||
MODULE_ALIAS("ip6t_hl");
|
||||
|
||||
static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct ipt_ttl_info *info = par->matchinfo;
|
||||
const u8 ttl = ip_hdr(skb)->ttl;
|
||||
|
||||
switch (info->mode) {
|
||||
case IPT_TTL_EQ:
|
||||
return ttl == info->ttl;
|
||||
case IPT_TTL_NE:
|
||||
return ttl != info->ttl;
|
||||
case IPT_TTL_LT:
|
||||
return ttl < info->ttl;
|
||||
case IPT_TTL_GT:
|
||||
return ttl > info->ttl;
|
||||
default:
|
||||
printk(KERN_WARNING "ipt_ttl: unknown mode %d\n",
|
||||
info->mode);
|
||||
return false;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct ip6t_hl_info *info = par->matchinfo;
|
||||
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
|
||||
|
||||
switch (info->mode) {
|
||||
case IP6T_HL_EQ:
|
||||
return ip6h->hop_limit == info->hop_limit;
|
||||
break;
|
||||
case IP6T_HL_NE:
|
||||
return ip6h->hop_limit != info->hop_limit;
|
||||
break;
|
||||
case IP6T_HL_LT:
|
||||
return ip6h->hop_limit < info->hop_limit;
|
||||
break;
|
||||
case IP6T_HL_GT:
|
||||
return ip6h->hop_limit > info->hop_limit;
|
||||
break;
|
||||
default:
|
||||
printk(KERN_WARNING "ip6t_hl: unknown mode %d\n",
|
||||
info->mode);
|
||||
return false;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static struct xt_match hl_mt_reg[] __read_mostly = {
|
||||
{
|
||||
.name = "ttl",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_IPV4,
|
||||
.match = ttl_mt,
|
||||
.matchsize = sizeof(struct ipt_ttl_info),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "hl",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_IPV6,
|
||||
.match = hl_mt6,
|
||||
.matchsize = sizeof(struct ip6t_hl_info),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
};
|
||||
|
||||
static int __init hl_mt_init(void)
|
||||
{
|
||||
return xt_register_matches(hl_mt_reg, ARRAY_SIZE(hl_mt_reg));
|
||||
}
|
||||
|
||||
static void __exit hl_mt_exit(void)
|
||||
{
|
||||
xt_unregister_matches(hl_mt_reg, ARRAY_SIZE(hl_mt_reg));
|
||||
}
|
||||
|
||||
module_init(hl_mt_init);
|
||||
module_exit(hl_mt_exit);
|
Loading…
Reference in a new issue