[/] [or1k/] [trunk/] [linux/] [linux-2.4/] [net/] [ipv4/] [netfilter/] [ipt_conntrack.c] - Blame information for rev 1765

/* Kernel module to match connection tracking information.
 * Superset of Rusty's minimalistic state match.
 * GPL (C) 2001  Marc Boucher (marc@mbsi.ca).
 */
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_conntrack.h>
 
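/*
 * match - packet callback of the iptables "conntrack" match.
 *
 * Tests every criterion enabled in sinfo->flags against the packet's
 * connection-tracking entry. Each raw result is XORed with the matching bit
 * of sinfo->invflags (see FWINV) so a rule can negate individual criteria.
 *
 * @skb:       packet under inspection; used only to look up its conntrack.
 * @matchinfo: rule data, interpreted as struct ipt_conntrack_info.
 * @in, @out, @offset, @hdr, @datalen, @hotdrop: not used by this match.
 *
 * Returns 1 when all enabled criteria hold, 0 as soon as one fails.
 *
 * Caveat for rule authors: a packet without a conntrack entry can only
 * satisfy the STATE criterion (it is classified as INVALID). Every other
 * criterion returns 0 before the inversion is applied, so a negated
 * proto/address/status/expiry test never matches an untracked packet.
 */
static int
match(const struct sk_buff *skb,
      const struct net_device *in,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
      const void *hdr,
      u_int16_t datalen,
      int *hotdrop)
{
        const struct ipt_conntrack_info *sinfo = matchinfo;
        struct ip_conntrack *ct;
        enum ip_conntrack_info ctinfo;
        unsigned int statebit;

        /*
         * The cast drops const; presumably ip_conntrack_get() takes a
         * non-const skb and does not modify it -- confirm against its
         * declaration.
         */
        ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);

/* Flip a raw "does not match" result when the rule sets the invert flag. */
#define FWINV(cond, invflg) ((cond) ^ !!(sinfo->invflags & (invflg)))

        if (ct)
                statebit = IPT_CONNTRACK_STATE_BIT(ctinfo);
        else
                statebit = IPT_CONNTRACK_STATE_INVALID;

        if (sinfo->flags & IPT_CONNTRACK_STATE) {
                if (ct) {
                        /*
                         * The reply tuple mirrors the original one unless an
                         * address differs: a changed source is reported as
                         * SNAT, a changed destination as DNAT.
                         */
                        if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip !=
                            ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip)
                                statebit |= IPT_CONNTRACK_STATE_SNAT;

                        if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip !=
                            ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip)
                                statebit |= IPT_CONNTRACK_STATE_DNAT;
                }

                if (FWINV((statebit & sinfo->statemask) == 0, IPT_CONNTRACK_STATE))
                        return 0;
        }

        if (sinfo->flags & IPT_CONNTRACK_PROTO) {
                if (!ct ||
                    FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum !=
                          sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
                          IPT_CONNTRACK_PROTO))
                        return 0;
        }

        /* Address criteria: mask the tracked address, then compare it with the rule's. */
        if (sinfo->flags & IPT_CONNTRACK_ORIGSRC) {
                if (!ct ||
                    FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip &
                           sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
                          sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
                          IPT_CONNTRACK_ORIGSRC))
                        return 0;
        }

        if (sinfo->flags & IPT_CONNTRACK_ORIGDST) {
                if (!ct ||
                    FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip &
                           sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
                          sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
                          IPT_CONNTRACK_ORIGDST))
                        return 0;
        }

        if (sinfo->flags & IPT_CONNTRACK_REPLSRC) {
                if (!ct ||
                    FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip &
                           sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
                          sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
                          IPT_CONNTRACK_REPLSRC))
                        return 0;
        }

        if (sinfo->flags & IPT_CONNTRACK_REPLDST) {
                if (!ct ||
                    FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip &
                           sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
                          sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
                          IPT_CONNTRACK_REPLDST))
                        return 0;
        }

        if (sinfo->flags & IPT_CONNTRACK_STATUS) {
                if (!ct || FWINV((ct->status & sinfo->statusmask) == 0, IPT_CONNTRACK_STATUS))
                        return 0;
        }

        if (sinfo->flags & IPT_CONNTRACK_EXPIRES) {
                unsigned long expires = 0;

                if (!ct)
                        return 0;

                if (timer_pending(&ct->timeout)) {
                        /*
                         * Use a signed difference. A timer that is already
                         * due but still pending would otherwise wrap to a
                         * huge unsigned value and be judged against the
                         * expires_min/expires_max window as if the entry had
                         * a very long lifetime left. Treat it as 0 seconds.
                         */
                        long remaining = (long)(ct->timeout.expires - jiffies);

                        if (remaining > 0)
                                expires = (unsigned long)remaining / HZ;
                }

                if (FWINV(!(expires >= sinfo->expires_min && expires <= sinfo->expires_max), IPT_CONNTRACK_EXPIRES))
                        return 0;
        }

        return 1;
}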
 
/*
 * check - size check for the rule data of a "conntrack" match.
 *
 * Returns 1 when matchsize equals the aligned size of
 * struct ipt_conntrack_info, 0 otherwise.
 *
 * Only the size of the blob is compared. The contents of matchinfo (flag
 * bits, masks, the expires_min/expires_max range) are not inspected here,
 * and tablename, ip and hook_mask are unused.
 */
static int check(const char *tablename,
                 const struct ipt_ip *ip,
                 void *matchinfo,
                 unsigned int matchsize,
                 unsigned int hook_mask)
{
        return matchsize == IPT_ALIGN(sizeof(struct ipt_conntrack_info)) ? 1 : 0;
}
 
/*
 * Registration record for the "conntrack" match. The initializer is
 * positional, so the order must follow struct ipt_match as declared in
 * ip_tables.h (member meanings below are presumed -- confirm there).
 */
static struct ipt_match conntrack_match = {
        { NULL, NULL },         /* list linkage, filled in on registration */
        "conntrack",            /* name used to select this match */
        match,                  /* per-packet callback */
        check,                  /* rule-data size check */
        NULL,                   /* no further callback supplied */
        THIS_MODULE
};
 
/* Module load hook: register conntrack_match and hand back the result. */
static int __init init(void)
{
        int ret = ipt_register_match(&conntrack_match);

        return ret;
}
 
/* Module unload hook: withdraw the match registered by init(). */
static void __exit
fini(void)
{
        ipt_unregister_match(&conntrack_match);
}
 
/* Wire the load/unload hooks into the module loader and declare the licence. */
module_init(init);
module_exit(fini);

MODULE_LICENSE("GPL");
