Commit f72e25a897c7edda03a0e1f767925d98772684da
Committed by
David S. Miller
1 parent
2ae15b64e6
[NETFILTER]: Rename ipt_iprange to xt_iprange
This patch moves ipt_iprange to xt_iprange, in preparation for adding IPv6 support to xt_iprange. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 9 changed files with 107 additions and 93 deletions Side-by-side Diff
include/linux/netfilter/Kbuild
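--- /dev/null
+++ b/include/linux/netfilter/xt_iprange.h
@@ -0,0 +1,17 @@
+#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
+#define _LINUX_NETFILTER_XT_IPRANGE_H 1
+
+enum {
+ IPRANGE_SRC = 1 << 0, /* match source IP address */
+ IPRANGE_DST = 1 << 1, /* match destination IP address */
+ IPRANGE_SRC_INV = 1 << 4, /* negate the condition */
+ IPRANGE_DST_INV = 1 << 5, /* -"- */
+};
+
+struct xt_iprange_mtinfo {
+ union nf_inet_addr src_min, src_max;
+ union nf_inet_addr dst_min, dst_max;
+ u_int8_t flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */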
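Review bot: The new header uses `union nf_inet_addr` and `u_int8_t` without including anything that defines them, so it is not self-contained; right now it only compiles because ipt_iprange.h includes `<linux/types.h>` before pulling it in. The commit also lists it under include/linux/netfilter/Kbuild (that hunk is not shown here), so it is presumably exported to userspace, where a program that includes it on its own will fail to compile. Add `#include <linux/types.h>` and, for the address union, `#include <linux/netfilter.h>` (which I believe is where this tree defines `union nf_inet_addr` — confirm) above the enum. Separately, `struct xt_iprange_mtinfo` is declared here but nothing in this commit consumes it; since the message calls this preparation for IPv6, a one-line comment such as `/* match data for the forthcoming revision 1; not registered yet */` would save the next reader a search for its user.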
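--- a/include/linux/netfilter_ipv4/ipt_iprange.h
+++ b/include/linux/netfilter_ipv4/ipt_iprange.h
@@ -2,11 +2,7 @@
 #define _IPT_IPRANGE_H
 
 #include <linux/types.h>
-
-#define IPRANGE_SRC 0x01 /* Match source IP address */
-#define IPRANGE_DST 0x02 /* Match destination IP address */
-#define IPRANGE_SRC_INV 0x10 /* Negate the condition */
-#define IPRANGE_DST_INV 0x20 /* Negate the condition */
+#include <linux/netfilter/xt_iprange.h>
 
 struct ipt_iprange {
 /* Inclusive: network order. */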
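--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -57,16 +57,6 @@
 To compile it as a module, choose M here. If unsure, say N.
 
 # The matches.
-config IP_NF_MATCH_IPRANGE
- tristate '"iprange" match support'
- depends on IP_NF_IPTABLES
- depends on NETFILTER_ADVANCED
- help
- This option makes possible to match IP addresses against IP address
- ranges.
-
- To compile it as a module, choose M here. If unsure, say N.
-
 config IP_NF_MATCH_RECENT
 tristate '"recent" match support'
 depends on IP_NF_IPTABLES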
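--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -44,7 +44,6 @@
 obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
 obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
-obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 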
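--- a/net/ipv4/netfilter/ipt_iprange.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * iptables module to match IP address ranges
- *
- * (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ipt_iprange.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
-
-static bool
-iprange_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
-{
- const struct ipt_iprange_info *info = matchinfo;
- const struct iphdr *iph = ip_hdr(skb);
-
- if (info->flags & IPRANGE_SRC) {
- if ((ntohl(iph->saddr) < ntohl(info->src.min_ip)
- || ntohl(iph->saddr) > ntohl(info->src.max_ip))
- ^ !!(info->flags & IPRANGE_SRC_INV)) {
- pr_debug("src IP %u.%u.%u.%u NOT in range %s"
- "%u.%u.%u.%u-%u.%u.%u.%u\n",
- NIPQUAD(iph->saddr),
- info->flags & IPRANGE_SRC_INV ? "(INV) " : "",
- NIPQUAD(info->src.min_ip),
- NIPQUAD(info->src.max_ip));
- return false;
- }
- }
- if (info->flags & IPRANGE_DST) {
- if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip)
- || ntohl(iph->daddr) > ntohl(info->dst.max_ip))
- ^ !!(info->flags & IPRANGE_DST_INV)) {
- pr_debug("dst IP %u.%u.%u.%u NOT in range %s"
- "%u.%u.%u.%u-%u.%u.%u.%u\n",
- NIPQUAD(iph->daddr),
- info->flags & IPRANGE_DST_INV ? "(INV) " : "",
- NIPQUAD(info->dst.min_ip),
- NIPQUAD(info->dst.max_ip));
- return false;
- }
- }
- return true;
-}
-
-static struct xt_match iprange_mt_reg __read_mostly = {
- .name = "iprange",
- .family = AF_INET,
- .match = iprange_mt,
- .matchsize = sizeof(struct ipt_iprange_info),
- .me = THIS_MODULE
-};
-
-static int __init iprange_mt_init(void)
-{
- return xt_register_match(&iprange_mt_reg);
-}
-
-static void __exit iprange_mt_exit(void)
-{
- xt_unregister_match(&iprange_mt_reg);
-}
-
-module_init(iprange_mt_init);
-module_exit(iprange_mt_exit);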
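--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -567,6 +567,17 @@
 
 To compile it as a module, choose M here. If unsure, say Y.
 
+config NETFILTER_XT_MATCH_IPRANGE
+ tristate '"iprange" address range match support'
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This option adds a "iprange" match, which allows you to match based on
+ an IP address range. (Normal iptables only matches on single addresses
+ with an optional mask.)
+
+ If unsure, say M.
+
 config NETFILTER_XT_MATCH_LENGTH
 tristate '"length" match support'
 depends on NETFILTER_XTABLES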
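--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -63,6 +63,7 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o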
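--- /dev/null
+++ b/net/netfilter/xt_iprange.c
@@ -0,0 +1,76 @@
+/*
+ * xt_iprange - Netfilter module to match IP address ranges
+ *
+ * (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ipt_iprange.h>
+
+static bool
+iprange_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct ipt_iprange_info *info = matchinfo;
+ const struct iphdr *iph = ip_hdr(skb);
+
+ if (info->flags & IPRANGE_SRC) {
+ if ((ntohl(iph->saddr) < ntohl(info->src.min_ip)
+ || ntohl(iph->saddr) > ntohl(info->src.max_ip))
+ ^ !!(info->flags & IPRANGE_SRC_INV)) {
+ pr_debug("src IP %u.%u.%u.%u NOT in range %s"
+ "%u.%u.%u.%u-%u.%u.%u.%u\n",
+ NIPQUAD(iph->saddr),
+ info->flags & IPRANGE_SRC_INV ? "(INV) " : "",
+ NIPQUAD(info->src.min_ip),
+ NIPQUAD(info->src.max_ip));
+ return false;
+ }
+ }
+ if (info->flags & IPRANGE_DST) {
+ if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip)
+ || ntohl(iph->daddr) > ntohl(info->dst.max_ip))
+ ^ !!(info->flags & IPRANGE_DST_INV)) {
+ pr_debug("dst IP %u.%u.%u.%u NOT in range %s"
+ "%u.%u.%u.%u-%u.%u.%u.%u\n",
+ NIPQUAD(iph->daddr),
+ info->flags & IPRANGE_DST_INV ? "(INV) " : "",
+ NIPQUAD(info->dst.min_ip),
+ NIPQUAD(info->dst.max_ip));
+ return false;
+ }
+ }
+ return true;
+}
+
+static struct xt_match iprange_mt_reg __read_mostly = {
+ .name = "iprange",
+ .family = AF_INET,
+ .match = iprange_mt_v0,
+ .matchsize = sizeof(struct ipt_iprange_info),
+ .me = THIS_MODULE
+};
+
+static int __init iprange_mt_init(void)
+{
+ return xt_register_match(&iprange_mt_reg);
+}
+
+static void __exit iprange_mt_exit(void)
+{
+ xt_unregister_match(&iprange_mt_reg);
+}
+
+module_init(iprange_mt_init);
+module_exit(iprange_mt_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");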
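Review bot: The `iprange_mt_reg` registration near the bottom of the file carries no `.checkentry`, so the kernel never validates the flags byte it is handed from userspace: unknown bits are silently ignored, and a rule with neither IPRANGE_SRC nor IPRANGE_DST set skips both `if` blocks in iprange_mt_v0 and matches every packet. The iptables binary normally refuses such a rule, but the kernel should not rely on that, and the commit is explicitly preparing this match to grow a second revision, so this is the moment to add the check. Below is a minimal checkentry that rejects unknown bits and requires at least one address selector, written against the checkentry prototype I believe x_tables.h exposes in this tree (confirm the parameter list against the header). While touching the registration, `.revision = 0` spelled out would match the `_v0` naming and make the intended revision 1 addition self-evident.

```c
static bool
iprange_mt_check_v0(const char *tablename, const void *ip,
                    const struct xt_match *match, void *matchinfo,
                    unsigned int hook_mask)
{
	const struct ipt_iprange_info *info = matchinfo;
	const u_int8_t known = IPRANGE_SRC | IPRANGE_DST |
	                       IPRANGE_SRC_INV | IPRANGE_DST_INV;

	/* refuse flag bits this revision does not understand */
	if (info->flags & ~known)
		return false;
	/* a rule selecting neither address would match every packet */
	return (info->flags & (IPRANGE_SRC | IPRANGE_DST)) != 0;
}

/* … unchanged: iprange_mt_v0 … */

static struct xt_match iprange_mt_reg __read_mostly = {
	.name       = "iprange",
	.revision   = 0,
	.family     = AF_INET,
	.match      = iprange_mt_v0,
	.checkentry = iprange_mt_check_v0,
	.matchsize  = sizeof(struct ipt_iprange_info),
	.me         = THIS_MODULE
};
```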