首页 发现 帮助
登录
GfA
/
linux_kernel
5
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

netfilter: ebtables: add support for matching IGMP type

We already have ICMPv6 type/code matches (which can be used to distinguish
different types of MLD packets). Add support for IPv4 IGMP matches in the
same way.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Matthias Schiffer 7 年之前
父节点
5adc1668dd
当前提交
78d9f4d49b
共有 2 个文件被更改,包括 20 次插入3 次删除
合并视图 显示文件统计
  1. 3 1
      include/uapi/linux/netfilter_bridge/ebt_ip.h
  2. 17 2
      net/bridge/netfilter/ebt_ip.c

+ 3 - 1
include/uapi/linux/netfilter_bridge/ebt_ip.h
查看文件 

@@ -25,8 +25,9 @@
 
 #define EBT_IP_SPORT 0x10
 
 #define EBT_IP_SPORT 0x10
 
 #define EBT_IP_DPORT 0x20
 
 #define EBT_IP_DPORT 0x20
 
 #define EBT_IP_ICMP 0x40
 
 #define EBT_IP_ICMP 0x40
 
+#define EBT_IP_IGMP 0x80
 
 #define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\
 
 #define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\
 
-		     EBT_IP_SPORT | EBT_IP_DPORT | EBT_IP_ICMP)
 
+		     EBT_IP_SPORT | EBT_IP_DPORT | EBT_IP_ICMP | EBT_IP_IGMP)
 
 #define EBT_IP_MATCH "ip"
 
 #define EBT_IP_MATCH "ip"
 
 
 
 /* the same values are used for the invflags */
 
 /* the same values are used for the invflags */
 
@@ -42,6 +43,7 @@ struct ebt_ip_info {
 
 	union {
 
 	union {
 
 		__u16 sport[2];
 
 		__u16 sport[2];
 
 		__u8 icmp_type[2];
 
 		__u8 icmp_type[2];
 
+		__u8 igmp_type[2];
 
 	};
 
 	};
 
 	union {
 
 	union {
 
 		__u16 dport[2];
 
 		__u16 dport[2];

+ 17 - 2
net/bridge/netfilter/ebt_ip.c
查看文件 

@@ -28,6 +28,9 @@ union pkthdr {
 
 		u8 type;
 
 		u8 type;
 
 		u8 code;
 
 		u8 code;
 
 	} icmphdr;
 
 	} icmphdr;
 
+	struct {
 
+		u8 type;
 
+	} igmphdr;
 
 };
 
 };
 
 
 
 static bool
 
 static bool
 
@@ -57,12 +60,12 @@ ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
 
 		if (NF_INVF(info, EBT_IP_PROTO, info->protocol != ih->protocol))
 
 		if (NF_INVF(info, EBT_IP_PROTO, info->protocol != ih->protocol))
 
 			return false;
 
 			return false;
 
 		if (!(info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT |
 
 		if (!(info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT |
 
-				       EBT_IP_ICMP)))
 
+				       EBT_IP_ICMP | EBT_IP_IGMP)))
 
 			return true;
 
 			return true;
 
 		if (ntohs(ih->frag_off) & IP_OFFSET)
 
 		if (ntohs(ih->frag_off) & IP_OFFSET)
 
 			return false;
 
 			return false;
 
 
 
-		/* min icmp headersize is 4, so sizeof(_pkthdr) is ok. */
 
+		/* min icmp/igmp headersize is 4, so sizeof(_pkthdr) is ok. */
 
 		pptr = skb_header_pointer(skb, ih->ihl*4,
 
 		pptr = skb_header_pointer(skb, ih->ihl*4,
 
 					  sizeof(_pkthdr), &_pkthdr);
 
 					  sizeof(_pkthdr), &_pkthdr);
 
 		if (pptr == NULL)
 
 		if (pptr == NULL)
 
@@ -88,6 +91,11 @@ ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
 
 			    pptr->icmphdr.code < info->icmp_code[0] ||
 
 			    pptr->icmphdr.code < info->icmp_code[0] ||
 
 			    pptr->icmphdr.code > info->icmp_code[1]))
 
 			    pptr->icmphdr.code > info->icmp_code[1]))
 
 			return false;
 
 			return false;
 
+		if ((info->bitmask & EBT_IP_IGMP) &&
 
+		    NF_INVF(info, EBT_IP_IGMP,
 
+			    pptr->igmphdr.type < info->igmp_type[0] ||
 
+			    pptr->igmphdr.type > info->igmp_type[1]))
 
+			return false;
 
 	}
 
 	}
 
 	return true;
 
 	return true;
 
 }
 
 }
 
@@ -124,6 +132,13 @@ static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
 
 		    info->icmp_code[0] > info->icmp_code[1])
 
 		    info->icmp_code[0] > info->icmp_code[1])
 
 			return -EINVAL;
 
 			return -EINVAL;
 
 	}
 
 	}
 
+	if (info->bitmask & EBT_IP_IGMP) {
 
+		if ((info->invflags & EBT_IP_PROTO) ||
 
+		    info->protocol != IPPROTO_IGMP)
 
+			return -EINVAL;
 
+		if (info->igmp_type[0] > info->igmp_type[1])
 
+			return -EINVAL;
 
+	}
 
 	return 0;
 
 	return 0;
 
 }
 
 }