summaryrefslogtreecommitdiffstats
path: root/net/ipv6
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-03-20 18:03:40 -0800
committerDavid S. Miller <davem@davemloft.net>2006-03-20 18:03:40 -0800
commitc4b885139203d37f76662c37ae645fe8e0f4e4e5 (patch)
tree5cedf4d632b273df81bf1712b95dbc8b96cdc0e4 /net/ipv6
parentf2ffd9eeda82b476c034d733be08ecf6a87d2edf (diff)
downloadop-kernel-dev-c4b885139203d37f76662c37ae645fe8e0f4e4e5.zip
op-kernel-dev-c4b885139203d37f76662c37ae645fe8e0f4e4e5.tar.gz
[NETFILTER]: x_tables: replace IPv4/IPv6 policy match by address family independant version
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/netfilter/Kconfig10
-rw-r--r--net/ipv6/netfilter/Makefile1
-rw-r--r--net/ipv6/netfilter/ip6t_policy.c174
3 files changed, 0 insertions, 185 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 2d6f8ec..98f7875 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -133,16 +133,6 @@ config IP6_NF_MATCH_EUI64
To compile it as a module, choose M here. If unsure, say N.
-config IP6_NF_MATCH_POLICY
- tristate "IPsec policy match support"
- depends on IP6_NF_IPTABLES && XFRM
- help
- Policy matching allows you to match packets based on the
- IPsec policy that was used during decapsulation/will
- be used during encapsulation.
-
- To compile it as a module, choose M here. If unsure, say N.
-
# The targets
config IP6_NF_FILTER
tristate "Packet filtering"
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index db6073c..8436a1a 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -9,7 +9,6 @@ obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o
obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
obj-$(CONFIG_IP6_NF_MATCH_AHESP) += ip6t_esp.o ip6t_ah.o
-obj-$(CONFIG_IP6_NF_MATCH_POLICY) += ip6t_policy.o
obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o
obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
deleted file mode 100644
index f2a5997..0000000
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* IP tables module for matching IPsec policy
- *
- * Copyright (c) 2004,2005 Patrick McHardy, <kaber@trash.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/kernel.h>
-#include <linux/config.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/init.h>
-#include <net/xfrm.h>
-
-#include <linux/netfilter_ipv6.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_policy.h>
-
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("IPtables IPsec policy matching module");
-MODULE_LICENSE("GPL");
-
-
-static inline int
-match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)
-{
-#define MATCH_ADDR(x,y,z) (!e->match.x || \
- ((!ipv6_masked_addr_cmp(&e->x.a6, &e->y.a6, \
- z)) \
- ^ e->invert.x))
-#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
-
- return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) &&
- MATCH_ADDR(daddr, dmask, (struct in6_addr *)&x->id.daddr.a6) &&
- MATCH(proto, x->id.proto) &&
- MATCH(mode, x->props.mode) &&
- MATCH(spi, x->id.spi) &&
- MATCH(reqid, x->props.reqid);
-}
-
-static int
-match_policy_in(const struct sk_buff *skb, const struct ip6t_policy_info *info)
-{
- const struct ip6t_policy_elem *e;
- struct sec_path *sp = skb->sp;
- int strict = info->flags & IP6T_POLICY_MATCH_STRICT;
- int i, pos;
-
- if (sp == NULL)
- return -1;
- if (strict && info->len != sp->len)
- return 0;
-
- for (i = sp->len - 1; i >= 0; i--) {
- pos = strict ? i - sp->len + 1 : 0;
- if (pos >= info->len)
- return 0;
- e = &info->pol[pos];
-
- if (match_xfrm_state(sp->x[i].xvec, e)) {
- if (!strict)
- return 1;
- } else if (strict)
- return 0;
- }
-
- return strict ? 1 : 0;
-}
-
-static int
-match_policy_out(const struct sk_buff *skb, const struct ip6t_policy_info *info)
-{
- const struct ip6t_policy_elem *e;
- struct dst_entry *dst = skb->dst;
- int strict = info->flags & IP6T_POLICY_MATCH_STRICT;
- int i, pos;
-
- if (dst->xfrm == NULL)
- return -1;
-
- for (i = 0; dst && dst->xfrm; dst = dst->child, i++) {
- pos = strict ? i : 0;
- if (pos >= info->len)
- return 0;
- e = &info->pol[pos];
-
- if (match_xfrm_state(dst->xfrm, e)) {
- if (!strict)
- return 1;
- } else if (strict)
- return 0;
- }
-
- return strict ? i == info->len : 0;
-}
-
-static int match(const struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- const struct xt_match *match,
- const void *matchinfo,
- int offset,
- unsigned int protoff,
- int *hotdrop)
-{
- const struct ip6t_policy_info *info = matchinfo;
- int ret;
-
- if (info->flags & IP6T_POLICY_MATCH_IN)
- ret = match_policy_in(skb, info);
- else
- ret = match_policy_out(skb, info);
-
- if (ret < 0)
- ret = info->flags & IP6T_POLICY_MATCH_NONE ? 1 : 0;
- else if (info->flags & IP6T_POLICY_MATCH_NONE)
- ret = 0;
-
- return ret;
-}
-
-static int checkentry(const char *tablename, const void *ip_void,
- const struct xt_match *match, void *matchinfo,
- unsigned int matchsize, unsigned int hook_mask)
-{
- struct ip6t_policy_info *info = matchinfo;
-
- if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))) {
- printk(KERN_ERR "ip6t_policy: neither incoming nor "
- "outgoing policy selected\n");
- return 0;
- }
- if (hook_mask & (1 << NF_IP6_PRE_ROUTING | 1 << NF_IP6_LOCAL_IN)
- && info->flags & IP6T_POLICY_MATCH_OUT) {
- printk(KERN_ERR "ip6t_policy: output policy not valid in "
- "PRE_ROUTING and INPUT\n");
- return 0;
- }
- if (hook_mask & (1 << NF_IP6_POST_ROUTING | 1 << NF_IP6_LOCAL_OUT)
- && info->flags & IP6T_POLICY_MATCH_IN) {
- printk(KERN_ERR "ip6t_policy: input policy not valid in "
- "POST_ROUTING and OUTPUT\n");
- return 0;
- }
- if (info->len > IP6T_POLICY_MAX_ELEM) {
- printk(KERN_ERR "ip6t_policy: too many policy elements\n");
- return 0;
- }
-
- return 1;
-}
-
-static struct ip6t_match policy_match = {
- .name = "policy",
- .match = match,
- .matchsize = sizeof(struct ip6t_policy_info),
- .checkentry = checkentry,
- .me = THIS_MODULE,
-};
-
-static int __init init(void)
-{
- return ip6t_register_match(&policy_match);
-}
-
-static void __exit fini(void)
-{
- ip6t_unregister_match(&policy_match);
-}
-
-module_init(init);
-module_exit(fini);
OpenPOWER on IntegriCloud