mirror of
git://git.code.sf.net/p/xtables-addons/xtables-addons
synced 2025-09-05 20:26:38 +02:00
xt_PROTO: style fixes
@@ -60,36 +60,28 @@ static void PROTO_check(struct xt_fcheck_call *cb)
|
||||
|
||||
static void PROTO_save(const void *ip, const struct xt_entry_target *target)
|
||||
{
|
||||
const struct xt_PROTO_info *info =
|
||||
(struct xt_PROTO_info *) target->data;
|
||||
const struct xt_PROTO_info *info = (void *)target->data;
|
||||
|
||||
if(info->mode & (1 << XT_PROTO_SET)){
|
||||
if (info->mode & (1 << XT_PROTO_SET))
|
||||
printf(" --proto-set %u", info->proto);
|
||||
}
|
||||
if(info->mode & (1 << XT_PROTO_STOP_AT_FRAG)){
|
||||
if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
|
||||
printf(" --stop-at-frag");
|
||||
}
|
||||
if(info->mode & (1 << XT_PROTO_STOP_AT_AUTH)){
|
||||
if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
|
||||
printf(" --stop-at-auth");
|
||||
}
|
||||
}
|
||||
|
||||
static void PROTO_print(const void *ip, const struct xt_entry_target *target,
|
||||
int numeric)
|
||||
{
|
||||
const struct xt_PROTO_info *info =
|
||||
(struct xt_PROTO_info *) target->data;
|
||||
const struct xt_PROTO_info *info = (void *)target->data;
|
||||
|
||||
printf(" PROTO ");
|
||||
if(info->mode & (1 << XT_PROTO_SET)){
|
||||
if (info->mode & (1 << XT_PROTO_SET))
|
||||
printf("set to %u", info->proto);
|
||||
}
|
||||
if(info->mode & (1 << XT_PROTO_STOP_AT_FRAG)){
|
||||
if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
|
||||
printf(" stop-at-frag");
|
||||
}
|
||||
if(info->mode & (1 << XT_PROTO_STOP_AT_AUTH)){
|
||||
if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
|
||||
printf(" stop-at-auth");
|
||||
}
|
||||
}
|
||||
|
||||
static struct xtables_target proto_tg_reg = {
|
||||
|
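Review bot: The new `(void *)target->data` cast in PROTO_save and PROTO_print drops the const qualifier that `target` carries, only for the result to be assigned to a const pointer again. A const-preserving cast is just as short and stays quiet under -Wcast-qual: `const struct xt_PROTO_info *info = (const void *)target->data;`. The same line appears in both functions, so the change applies to each.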
@@ -20,11 +20,11 @@ For IPv6 packets, the scenario can be more complex due to the introduction of
|
||||
the extension headers mechanism. By default, the PROTO target will scan the IPv6
|
||||
packet, finding the last extension header and modify its \fBNext-header\fP field.
|
||||
Normally, the following headers will be seen as an extension header:
|
||||
\fINEXTHDR_HOP\fP,
|
||||
\fINEXTHDR_HOP\fP,
|
||||
\fINEXTHDR_ROUTING\fP,
|
||||
\fINEXTHDR_FRAGMENT\fP,
|
||||
\fINEXTHDR_AUTH\fP,
|
||||
\fINEXTHDR_DEST\fP.
|
||||
.PP
|
||||
For fragmented packets, only the first fragment is processed and other fragments
|
||||
are not touched.
|
||||
are not touched.
|
||||
|
@@ -12,8 +12,6 @@
|
||||
#include <linux/ipv6.h>
|
||||
#include <net/ipv6.h>
|
||||
#include <net/checksum.h>
|
||||
|
||||
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
#include "xt_PROTO.h"
|
||||
|
||||
@@ -32,14 +30,12 @@ proto_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
return NF_DROP;
|
||||
|
||||
iph = ip_hdr(skb);
|
||||
|
||||
new_proto = iph->protocol;
|
||||
if(info->mode & (1 << XT_PROTO_SET)){
|
||||
if (info->mode & (1 << XT_PROTO_SET))
|
||||
new_proto = info->proto;
|
||||
}
|
||||
if (new_proto != iph->protocol) {
|
||||
csum_replace2(&iph->check, htons(iph->protocol & 0xff),
|
||||
htons(new_proto & 0xff));
|
||||
htons(new_proto & 0xff));
|
||||
iph->protocol = new_proto;
|
||||
}
|
||||
|
||||
@@ -51,7 +47,7 @@ proto_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
{
|
||||
struct ipv6hdr *ip6h;
|
||||
const struct xt_PROTO_info *info = par->targinfo;
|
||||
u8 *nexthdr;
|
||||
u8 *nexthdr;
|
||||
unsigned int hdr_offset;
|
||||
__be16 *fp;
|
||||
|
||||
@@ -60,60 +56,49 @@ proto_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
|
||||
ip6h = ipv6_hdr(skb);
|
||||
nexthdr = &ip6h->nexthdr;
|
||||
|
||||
hdr_offset = sizeof(struct ipv6hdr);
|
||||
|
||||
for(;;){
|
||||
for (;;) {
|
||||
struct ipv6_opt_hdr _opthdr, *opthp;
|
||||
unsigned int hdrlen;
|
||||
unsigned short _frag_off;
|
||||
if ((!ipv6_ext_hdr(*nexthdr)) || *nexthdr == NEXTHDR_NONE) {
|
||||
if (!ipv6_ext_hdr(*nexthdr) || *nexthdr == NEXTHDR_NONE)
|
||||
break;
|
||||
}
|
||||
opthp = skb_header_pointer(skb, skb_network_offset(skb) + hdr_offset, sizeof(_opthdr), &_opthdr);
|
||||
if(!opthp){
|
||||
if (!opthp)
|
||||
return NF_DROP;
|
||||
}
|
||||
if(*nexthdr == NEXTHDR_FRAGMENT){
|
||||
if(info->mode & (1 << XT_PROTO_STOP_AT_FRAG)){
|
||||
if (*nexthdr == NEXTHDR_FRAGMENT) {
|
||||
if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
|
||||
break;
|
||||
}
|
||||
fp = skb_header_pointer(skb,
|
||||
skb_network_offset(skb) + hdr_offset +
|
||||
offsetof(struct frag_hdr,
|
||||
frag_off),
|
||||
sizeof(_frag_off),
|
||||
&_frag_off);
|
||||
fp = skb_header_pointer(skb, skb_network_offset(skb) +
|
||||
hdr_offset + offsetof(struct frag_hdr, frag_off),
|
||||
sizeof(_frag_off), &_frag_off);
|
||||
if (!fp)
|
||||
return NF_DROP;
|
||||
_frag_off = ntohs(*fp) & ~0x7;
|
||||
if(_frag_off){ // if the packet is not the first fragment
|
||||
if ((!ipv6_ext_hdr(opthp->nexthdr)) || opthp->nexthdr == NEXTHDR_NONE ||
|
||||
((info->mode & (1 << XT_PROTO_STOP_AT_AUTH)) && opthp->nexthdr == NEXTHDR_AUTH)
|
||||
) {
|
||||
nexthdr = &((struct ipv6_opt_hdr*)(skb_network_header(skb) + hdr_offset))->nexthdr;
|
||||
if (_frag_off) { // if the packet is not the first fragment
|
||||
if (!ipv6_ext_hdr(opthp->nexthdr) || opthp->nexthdr == NEXTHDR_NONE ||
|
||||
(info->mode & (1 << XT_PROTO_STOP_AT_AUTH) && opthp->nexthdr == NEXTHDR_AUTH)) {
|
||||
nexthdr = &((struct ipv6_opt_hdr *)(skb_network_header(skb) + hdr_offset))->nexthdr;
|
||||
break;
|
||||
}else{
|
||||
} else {
|
||||
return XT_CONTINUE;
|
||||
}
|
||||
}
|
||||
hdrlen = 8;
|
||||
}else if(*nexthdr == NEXTHDR_AUTH){
|
||||
if(info->mode & (1 << XT_PROTO_STOP_AT_AUTH)){
|
||||
} else if(*nexthdr == NEXTHDR_AUTH) {
|
||||
if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
|
||||
break;
|
||||
}
|
||||
hdrlen = (opthp->hdrlen + 2) << 2;
|
||||
}else{
|
||||
} else {
|
||||
hdrlen = ipv6_optlen(opthp);
|
||||
}
|
||||
nexthdr = &((struct ipv6_opt_hdr*)(skb_network_header(skb) + hdr_offset))->nexthdr;
|
||||
nexthdr = &((struct ipv6_opt_hdr *)(skb_network_header(skb) + hdr_offset))->nexthdr;
|
||||
hdr_offset += hdrlen;
|
||||
}
|
||||
|
||||
if(info->mode & (1 << XT_PROTO_SET)){
|
||||
if (info->mode & (1 << XT_PROTO_SET))
|
||||
*nexthdr = info->proto;
|
||||
}
|
||||
|
||||
return XT_CONTINUE;
|
||||
}
|
||||
|
||||
@@ -121,12 +106,12 @@ static int proto_tg_check(const struct xt_tgchk_param *par)
|
||||
{
|
||||
const struct xt_PROTO_info *info = par->targinfo;
|
||||
|
||||
if ((info->mode & (1 << XT_PROTO_SET)) == 0){
|
||||
if ((info->mode & (1 << XT_PROTO_SET)) == 0) {
|
||||
pr_info_ratelimited("Did not specify any proto to set\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
if ((par->family != NFPROTO_IPV6) && ((info->mode & ((1 << XT_PROTO_STOP_AT_FRAG) | (1 << XT_PROTO_STOP_AT_AUTH))) != 0)){
|
||||
pr_info_ratelimited("Must not specify stop-at-frag and stop-at-auth on non-ipv6 targets\n");
|
||||
if (par->family != NFPROTO_IPV6 && (info->mode & ((1 << XT_PROTO_STOP_AT_FRAG) | (1 << XT_PROTO_STOP_AT_AUTH))) != 0) {
|
||||
pr_info_ratelimited("Must not specify stop-at-frag and stop-at-auth on non-ipv6 targets\n");
|
||||
return -EPROTOTYPE;
|
||||
}
|
||||
return 0;
|
||||
@@ -169,4 +154,3 @@ module_init(proto_tg_init);
|
||||
module_exit(proto_tg_exit);
|
||||
MODULE_ALIAS("ipt_PROTO");
|
||||
MODULE_ALIAS("ip6t_PROTO");
|
||||
|
||||
|
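Review bot: In the proto_tg6 header walk, `nexthdr` is taken directly from `skb_network_header(skb) + hdr_offset`, while every read in the same loop goes through `skb_header_pointer()`, which bounds-checks and may hand back the local copy `_opthdr` instead of packet memory. The final `*nexthdr = info->proto` is therefore only safe if the packet is linear and writable up to `hdr_offset`, an offset advanced by lengths read from the packet itself. The lines of proto_tg6 between the declarations hunk and the loop hunk are not shown, so whether such a check runs first cannot be confirmed from this page. If it does, a comment at the assignment would record the dependency, e.g. `/* direct pointer into skb data: relies on the writability check at function entry covering hdr_offset */`. As a style point, the same hunk leaves `} else if(*nexthdr == NEXTHDR_AUTH) {` without the space after `if` that the rest of the commit adds.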