* [xtables-addons 0/4] IPv6 support for xt_ipp2p
From: Jeremy Sowden @ 2021-09-13 9:20 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Devel, kaskada
* The first patch short-circuits searches if the packet is empty.
* The second and third patches refactor the ipv4 code in anticipation of
adding ipv6 support.
* The fourth patch adds ipv6 support.
Jeremy Sowden (4):
xt_ipp2p: don't search haystack if it's empty
xt_ipp2p: move the protocol-specific code out into separate functions
xt_ipp2p: move result printing code into separate functions
xt_ipp2p: add ipv6 support
extensions/libxt_ipp2p.c | 2 +-
extensions/xt_ipp2p.c | 293 ++++++++++++++++++++++++++++-----------
2 files changed, 214 insertions(+), 81 deletions(-)
--
2.33.0
* [xtables-addons 1/4] xt_ipp2p: don't search haystack if it's empty
From: Jeremy Sowden @ 2021-09-13 9:20 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Devel, kaskada
All the search functions have a positive minimum packet-length.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
extensions/xt_ipp2p.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 8fb1b79bb414..4e0fbb675c76 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -842,14 +842,17 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
if (tcph->syn) return 0; /* if SYN bit is set bail out */
if (tcph->rst) return 0; /* if RST bit is set bail out */
- haystack += tcph->doff * 4; /* get TCP-Header-Size */
if (tcph->doff * 4 > hlen) {
if (info->debug)
pr_info("TCP header indicated packet larger than it is\n");
- hlen = 0;
- } else {
- hlen -= tcph->doff * 4;
+ return 0;
}
+ if (tcph->doff * 4 == hlen)
+ return 0;
+
+ haystack += tcph->doff * 4; /* get TCP-Header-Size */
+ hlen -= tcph->doff * 4;
+
while (matchlist[i].command) {
if ((info->cmd & matchlist[i].command) == matchlist[i].command &&
hlen > matchlist[i].packet_len)
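Review bot: the check `if (tcph->doff * 4 > hlen)` bounds the data offset only from above, and the `fin`/`syn`/`rst` reads above it happen before the length check in this hunk. A `doff` below 5 passes both new tests, so `haystack += tcph->doff * 4` leaves the search starting inside the TCP header. Consider returning 0 first when `hlen < sizeof(*tcph)` or `tcph->doff * 4 < sizeof(*tcph)`, and only then reading the flags.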
@@ -875,14 +878,16 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct udphdr *udph = (const void *)ip + ip_hdrlen(skb);
- haystack += sizeof(*udph);
if (sizeof(*udph) > hlen) {
if (info->debug)
pr_info("UDP header indicated packet larger than it is\n");
- hlen = 0;
- } else {
- hlen -= sizeof(*udph);
+ return 0;
}
+ if (sizeof(*udph) == hlen)
+ return 0;
+
+ haystack += sizeof(*udph);
+ hlen -= sizeof(*udph);
while (udp_list[i].command) {
if ((info->cmd & udp_list[i].command) == udp_list[i].command &&
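Review bot: the debug text in the `sizeof(*udph) > hlen` branch, "UDP header indicated packet larger than it is", does not describe this case. The UDP header size is a compile-time constant, so the condition means the packet is too short to hold a UDP header; since the branch is being rewritten anyway, reword the message accordingly (for example "packet too short for UDP header").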
--
2.33.0
* [xtables-addons 2/4] xt_ipp2p: move the protocol-specific code out into separate functions
From: Jeremy Sowden @ 2021-09-13 9:20 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Devel, kaskada
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
extensions/xt_ipp2p.c | 165 ++++++++++++++++++++++++------------------
1 file changed, 93 insertions(+), 72 deletions(-)
diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 4e0fbb675c76..298950514569 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -807,15 +807,97 @@ static const struct {
{0},
};
+static bool
+ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
+ const unsigned char *haystack, unsigned int hlen,
+ const struct iphdr *ip)
+{
+ size_t tcph_len = tcph->doff * 4;
+ bool p2p_result = false;
+ int i = 0;
+
+ if (tcph->fin) return 0; /* if FIN bit is set bail out */
+ if (tcph->syn) return 0; /* if SYN bit is set bail out */
+ if (tcph->rst) return 0; /* if RST bit is set bail out */
+
+ if (hlen < tcph_len) {
+ if (info->debug)
+ pr_info("TCP header indicated packet larger than it is\n");
+ return 0;
+ }
+ if (hlen == tcph_len)
+ return 0;
+
+ haystack += tcph_len;
+ hlen -= tcph_len;
+
+ while (matchlist[i].command) {
+ if ((info->cmd & matchlist[i].command) == matchlist[i].command &&
+ hlen > matchlist[i].packet_len)
+ {
+ p2p_result = matchlist[i].function_name(haystack, hlen);
+ if (p2p_result) {
+ if (info->debug)
+ printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
+ p2p_result, &ip->saddr,
+ ntohs(tcph->source),
+ &ip->daddr,
+ ntohs(tcph->dest), hlen);
+ return p2p_result;
+ }
+ }
+ i++;
+ }
+ return p2p_result;
+}
+
+static bool
+ipp2p_mt_udp(const struct ipt_p2p_info *info, const struct udphdr *udph,
+ const unsigned char *haystack, unsigned int hlen,
+ const struct iphdr *ip)
+{
+ size_t udph_len = sizeof(*udph);
+ bool p2p_result = false;
+ int i = 0;
+
+ if (hlen < udph_len) {
+ if (info->debug)
+ pr_info("UDP header indicated packet larger than it is\n");
+ return 0;
+ }
+ if (hlen == udph_len)
+ return 0;
+
+ haystack += udph_len;
+ hlen -= udph_len;
+
+ while (udp_list[i].command) {
+ if ((info->cmd & udp_list[i].command) == udp_list[i].command &&
+ hlen > udp_list[i].packet_len)
+ {
+ p2p_result = udp_list[i].function_name(haystack, hlen);
+ if (p2p_result) {
+ if (info->debug)
+ printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
+ p2p_result, &ip->saddr,
+ ntohs(udph->source),
+ &ip->daddr,
+ ntohs(udph->dest), hlen);
+ return p2p_result;
+ }
+ }
+ i++;
+ }
+ return p2p_result;
+}
+
static bool
ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ipt_p2p_info *info = par->matchinfo;
- const unsigned char *haystack;
const struct iphdr *ip = ip_hdr(skb);
- bool p2p_result = false;
- int i = 0;
- unsigned int hlen = ntohs(ip->tot_len) - ip_hdrlen(skb); /* hlen = packet-data length */
+ const unsigned char *haystack; /* packet-data */
+ unsigned int hlen; /* packet-data length */
/* must not be a fragment */
if (par->fragoff != 0) {
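Review bot: in the two `printk("IPP2P.debug:...")` calls carried over into `ipp2p_mt_tcp()` and `ipp2p_mt_udp()`, `hlen` is an `unsigned int` but is formatted with `%d`, and the calls carry no log level while the neighbouring debug lines use `pr_info()`. Since the code is being moved anyway, switch `Length: %d` to `%u` and use `pr_info()` here too. Both functions are declared `bool` yet use `return 0;` on the early exits; `return false;` would match the `p2p_result = false` initialiser.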
@@ -831,84 +913,23 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
return 0;
}
- haystack = skb_network_header(skb) + ip_hdrlen(skb);
+ haystack = skb_transport_header(skb);
+ hlen = ntohs(ip->tot_len) - skb_transport_offset(skb);
switch (ip->protocol) {
case IPPROTO_TCP: /* what to do with a TCP packet */
{
- const struct tcphdr *tcph = (const void *)ip + ip_hdrlen(skb);
-
- if (tcph->fin) return 0; /* if FIN bit is set bail out */
- if (tcph->syn) return 0; /* if SYN bit is set bail out */
- if (tcph->rst) return 0; /* if RST bit is set bail out */
-
- if (tcph->doff * 4 > hlen) {
- if (info->debug)
- pr_info("TCP header indicated packet larger than it is\n");
- return 0;
- }
- if (tcph->doff * 4 == hlen)
- return 0;
+ const struct tcphdr *tcph = tcp_hdr(skb);
- haystack += tcph->doff * 4; /* get TCP-Header-Size */
- hlen -= tcph->doff * 4;
-
- while (matchlist[i].command) {
- if ((info->cmd & matchlist[i].command) == matchlist[i].command &&
- hlen > matchlist[i].packet_len)
- {
- p2p_result = matchlist[i].function_name(haystack, hlen);
- if (p2p_result) {
- if (info->debug)
- printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
- p2p_result, &ip->saddr,
- ntohs(tcph->source),
- &ip->daddr,
- ntohs(tcph->dest), hlen);
- return p2p_result;
- }
- }
- i++;
- }
- return p2p_result;
+ return ipp2p_mt_tcp(info, tcph, haystack, hlen, ip);
}
-
- case IPPROTO_UDP: /* what to do with an UDP packet */
+ case IPPROTO_UDP: /* what to do with a UDP packet */
case IPPROTO_UDPLITE:
{
- const struct udphdr *udph = (const void *)ip + ip_hdrlen(skb);
+ const struct udphdr *udph = udp_hdr(skb);
- if (sizeof(*udph) > hlen) {
- if (info->debug)
- pr_info("UDP header indicated packet larger than it is\n");
- return 0;
- }
- if (sizeof(*udph) == hlen)
- return 0;
-
- haystack += sizeof(*udph);
- hlen -= sizeof(*udph);
-
- while (udp_list[i].command) {
- if ((info->cmd & udp_list[i].command) == udp_list[i].command &&
- hlen > udp_list[i].packet_len)
- {
- p2p_result = udp_list[i].function_name(haystack, hlen);
- if (p2p_result) {
- if (info->debug)
- printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
- p2p_result, &ip->saddr,
- ntohs(udph->source),
- &ip->daddr,
- ntohs(udph->dest), hlen);
- return p2p_result;
- }
- }
- i++;
- }
- return p2p_result;
+ return ipp2p_mt_udp(info, udph, haystack, hlen, ip);
}
-
default:
return 0;
}
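Review bot: `hlen = ntohs(ip->tot_len) - skb_transport_offset(skb);` is an unsigned subtraction of two independently sourced values: `tot_len` comes from the packet header, while `skb_transport_offset()` is measured from `skb->data`. The removed code used `ip_hdrlen(skb)` for the pointer, so pointer and length stayed tied to the IP header. The commit message has no body; please state there why `skb->data` is known to point at the IP header here and why the transport header is already set, or add a check that returns 0 when `ntohs(ip->tot_len)` is smaller than the offset so `hlen` cannot wrap.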
--
2.33.0
* [xtables-addons 3/4] xt_ipp2p: move result printing code into separate functions
From: Jeremy Sowden @ 2021-09-13 9:20 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Devel, kaskada
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
extensions/xt_ipp2p.c | 75 +++++++++++++++++++++++++++++++++++--------
1 file changed, 61 insertions(+), 14 deletions(-)
diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 298950514569..56fcbe497718 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -19,6 +19,27 @@ MODULE_AUTHOR("Eicke Friedrich/Klaus Degner <ipp2p@ipp2p.org>");
MODULE_DESCRIPTION("An extension to iptables to identify P2P traffic.");
MODULE_LICENSE("GPL");
+union ipp2p_addr {
+ __be32 ip;
+};
+
+struct ipp2p_result_printer {
+ const union ipp2p_addr *saddr, *daddr;
+ short sport, dport;
+ void (*print) (const union ipp2p_addr *, short,
+ const union ipp2p_addr *, short,
+ bool, unsigned int);
+};
+
+static void
+print_result (const struct ipp2p_result_printer *rp, bool result,
+ unsigned int hlen)
+{
+ rp->print(rp->saddr, rp->sport,
+ rp->daddr, rp->dport,
+ result, hlen);
+}
+
/* Search for UDP eDonkey/eMule/Kad commands */
static unsigned int
udp_search_edk(const unsigned char *t, const unsigned int packet_len)
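Review bot: `short sport, dport;` in `struct ipp2p_result_printer`, and the `short` parameters of the `print` callback, hold port numbers in a signed 16-bit type although the format strings use `%hu`. Ports above 32767 become negative in the struct and only print correctly because of the `%hu` conversion; use `u16` or `unsigned short` instead. Style: `print_result (` and `(*print) (` have a space before the parenthesis, unlike the other definitions shown here.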
@@ -807,10 +828,19 @@ static const struct {
{0},
};
+static void
+ipp2p_print_result_tcp(const union ipp2p_addr *saddr, short sport,
+ const union ipp2p_addr *daddr, short dport,
+ bool p2p_result, unsigned int hlen)
+{
+ printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %u\n",
+ p2p_result, &saddr->ip, sport, &daddr->ip, dport, hlen);
+}
+
static bool
ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
const unsigned char *haystack, unsigned int hlen,
- const struct iphdr *ip)
+ const struct ipp2p_result_printer *rp)
{
size_t tcph_len = tcph->doff * 4;
bool p2p_result = false;
@@ -838,11 +868,7 @@ ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
p2p_result = matchlist[i].function_name(haystack, hlen);
if (p2p_result) {
if (info->debug)
- printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
- p2p_result, &ip->saddr,
- ntohs(tcph->source),
- &ip->daddr,
- ntohs(tcph->dest), hlen);
+ print_result(rp, p2p_result, hlen);
return p2p_result;
}
}
@@ -851,10 +877,19 @@ ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
return p2p_result;
}
+static void
+ipp2p_print_result_udp(const union ipp2p_addr *saddr, short sport,
+ const union ipp2p_addr *daddr, short dport,
+ bool p2p_result, unsigned int hlen)
+{
+ printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %u\n",
+ p2p_result, &saddr->ip, sport, &daddr->ip, dport, hlen);
+}
+
static bool
ipp2p_mt_udp(const struct ipt_p2p_info *info, const struct udphdr *udph,
const unsigned char *haystack, unsigned int hlen,
- const struct iphdr *ip)
+ const struct ipp2p_result_printer *rp)
{
size_t udph_len = sizeof(*udph);
bool p2p_result = false;
@@ -878,11 +913,7 @@ ipp2p_mt_udp(const struct ipt_p2p_info *info, const struct udphdr *udph,
p2p_result = udp_list[i].function_name(haystack, hlen);
if (p2p_result) {
if (info->debug)
- printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
- p2p_result, &ip->saddr,
- ntohs(udph->source),
- &ip->daddr,
- ntohs(udph->dest), hlen);
+ print_result(rp, p2p_result, hlen);
return p2p_result;
}
}
@@ -896,6 +927,8 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ipt_p2p_info *info = par->matchinfo;
const struct iphdr *ip = ip_hdr(skb);
+ struct ipp2p_result_printer printer;
+ union ipp2p_addr saddr, daddr;
const unsigned char *haystack; /* packet-data */
unsigned int hlen; /* packet-data length */
@@ -916,19 +949,33 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
haystack = skb_transport_header(skb);
hlen = ntohs(ip->tot_len) - skb_transport_offset(skb);
+ saddr.ip = ip->saddr;
+ daddr.ip = ip->daddr;
+
+ printer.saddr = &saddr;
+ printer.daddr = &daddr;
+
switch (ip->protocol) {
case IPPROTO_TCP: /* what to do with a TCP packet */
{
const struct tcphdr *tcph = tcp_hdr(skb);
- return ipp2p_mt_tcp(info, tcph, haystack, hlen, ip);
+ printer.sport = ntohs(tcph->source);
+ printer.dport = ntohs(tcph->dest);
+ printer.print = ipp2p_print_result_tcp;
+
+ return ipp2p_mt_tcp(info, tcph, haystack, hlen, &printer);
}
case IPPROTO_UDP: /* what to do with a UDP packet */
case IPPROTO_UDPLITE:
{
const struct udphdr *udph = udp_hdr(skb);
- return ipp2p_mt_udp(info, udph, haystack, hlen, ip);
+ printer.sport = ntohs(udph->source);
+ printer.dport = ntohs(udph->dest);
+ printer.print = ipp2p_print_result_udp;
+
+ return ipp2p_mt_udp(info, udph, haystack, hlen, &printer);
}
default:
return 0;
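Review bot: `saddr`, `daddr`, `printer.sport`, `printer.dport` and `printer.print` are now filled in for every packet, but `print_result()` is only reached under `if (info->debug)`. Consider populating `printer` only when `info->debug` is set, or building it at the point of the match, so the non-debug path does no extra work. The commit message has no body; one line explaining that the indirection prepares for IPv6 address formatting would help.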
--
2.33.0
* [xtables-addons 4/4] xt_ipp2p: add ipv6 support
From: Jeremy Sowden @ 2021-09-13 9:20 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Devel, kaskada
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
extensions/libxt_ipp2p.c | 2 +-
extensions/xt_ipp2p.c | 110 ++++++++++++++++++++++++++++++---------
2 files changed, 86 insertions(+), 26 deletions(-)
diff --git a/extensions/libxt_ipp2p.c b/extensions/libxt_ipp2p.c
index 74be4bee95ea..38b3be3eed0d 100644
--- a/extensions/libxt_ipp2p.c
+++ b/extensions/libxt_ipp2p.c
@@ -230,7 +230,7 @@ static struct xtables_match ipp2p_mt_reg = {
.version = XTABLES_VERSION,
.name = "ipp2p",
.revision = 1,
- .family = NFPROTO_IPV4,
+ .family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct ipt_p2p_info)),
.userspacesize = XT_ALIGN(sizeof(struct ipt_p2p_info)),
.help = ipp2p_mt_help,
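Review bot: changing `.family` to `NFPROTO_UNSPEC` exposes the match to IPv6 rules, but the diffstat for this patch touches only `libxt_ipp2p.c` and `xt_ipp2p.c`, and the commit message has no body. Please document the new IPv6 support (help text or manual page, plus a changelog line) and describe how fragmented IPv6 packets and extension headers are treated.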
diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 56fcbe497718..74f7d18fc04b 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -21,6 +21,7 @@ MODULE_LICENSE("GPL");
union ipp2p_addr {
__be32 ip;
+ struct in6_addr in6;
};
struct ipp2p_result_printer {
@@ -829,14 +830,23 @@ static const struct {
};
static void
-ipp2p_print_result_tcp(const union ipp2p_addr *saddr, short sport,
- const union ipp2p_addr *daddr, short dport,
- bool p2p_result, unsigned int hlen)
+ipp2p_print_result_tcp4(const union ipp2p_addr *saddr, short sport,
+ const union ipp2p_addr *daddr, short dport,
+ bool p2p_result, unsigned int hlen)
{
printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %u\n",
p2p_result, &saddr->ip, sport, &daddr->ip, dport, hlen);
}
+static void
+ipp2p_print_result_tcp6(const union ipp2p_addr *saddr, short sport,
+ const union ipp2p_addr *daddr, short dport,
+ bool p2p_result, unsigned int hlen)
+{
+ printk("IPP2P.debug:TCP-match: %d from: %pI6:%hu to: %pI6:%hu Length: %u\n",
+ p2p_result, &saddr->in6, sport, &daddr->in6, dport, hlen);
+}
+
static bool
ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
const unsigned char *haystack, unsigned int hlen,
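Review bot: in `ipp2p_print_result_tcp6()` the format `%pI6:%hu` appends the port straight after an IPv6 address, which is ambiguous to read because the address itself is colon-separated. Bracket the address, e.g. `from: [%pI6c]:%hu to: [%pI6c]:%hu`, and do the same in `ipp2p_print_result_udp6()`. The printers differ only in the "TCP"/"UDP" label and the address specifier, so one function per family taking the label as a `const char *` would remove the duplication.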
@@ -878,14 +888,23 @@ ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
}
static void
-ipp2p_print_result_udp(const union ipp2p_addr *saddr, short sport,
- const union ipp2p_addr *daddr, short dport,
- bool p2p_result, unsigned int hlen)
+ipp2p_print_result_udp4(const union ipp2p_addr *saddr, short sport,
+ const union ipp2p_addr *daddr, short dport,
+ bool p2p_result, unsigned int hlen)
{
printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %u\n",
p2p_result, &saddr->ip, sport, &daddr->ip, dport, hlen);
}
+static void
+ipp2p_print_result_udp6(const union ipp2p_addr *saddr, short sport,
+ const union ipp2p_addr *daddr, short dport,
+ bool p2p_result, unsigned int hlen)
+{
+ printk("IPP2P.debug:UDP-match: %d from: %pI6:%hu to: %pI6:%hu Length: %u\n",
+ p2p_result, &saddr->in6, sport, &daddr->in6, dport, hlen);
+}
+
static bool
ipp2p_mt_udp(const struct ipt_p2p_info *info, const struct udphdr *udph,
const unsigned char *haystack, unsigned int hlen,
@@ -926,13 +945,19 @@ static bool
ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ipt_p2p_info *info = par->matchinfo;
- const struct iphdr *ip = ip_hdr(skb);
struct ipp2p_result_printer printer;
union ipp2p_addr saddr, daddr;
const unsigned char *haystack; /* packet-data */
unsigned int hlen; /* packet-data length */
-
- /* must not be a fragment */
+ u8 family = xt_family(par);
+ int protocol;
+
+ /* must not be a fragment
+ *
+ * NB, `par->fragoff` may be zero for a fragmented IPv6 packet.
+ * However, in that case the later call to `ipv6_find_hdr` will not find
+ * a transport protocol, and so we will return 0 there.
+ */
if (par->fragoff != 0) {
if (info->debug)
printk("IPP2P.match: offset found %d\n", par->fragoff);
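Review bot: the new comment above `if (par->fragoff != 0)` makes IPv6 fragment handling depend on `ipv6_find_hdr()` failing to find a transport protocol, an implicit contract with a helper that this patch calls with `NULL` for its `fragoff` argument. Make the check explicit instead: pass a local `unsigned short` for `fragoff` to `ipv6_find_hdr()` and return 0 when it comes back non-zero, so the "must not be a fragment" rule is enforced in one visible place for both families.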
@@ -946,23 +971,47 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
return 0;
}
- haystack = skb_transport_header(skb);
- hlen = ntohs(ip->tot_len) - skb_transport_offset(skb);
+ if (family == NFPROTO_IPV4) {
+
+ const struct iphdr *ip = ip_hdr(skb);
+
+ saddr.ip = ip->saddr;
+ daddr.ip = ip->daddr;
+
+ protocol = ip->protocol;
- saddr.ip = ip->saddr;
- daddr.ip = ip->daddr;
+ hlen = ip_transport_len(skb);
+
+ } else {
+
+ const struct ipv6hdr *ip = ipv6_hdr(skb);
+ int thoff = 0;
+
+ saddr.in6 = ip->saddr;
+ daddr.in6 = ip->daddr;
+
+ protocol = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);
+ if (protocol < 0)
+ return 0;
+
+ hlen = ipv6_transport_len(skb);
+
+ }
printer.saddr = &saddr;
printer.daddr = &daddr;
- switch (ip->protocol) {
+ haystack = skb_transport_header(skb);
+
+ switch (protocol) {
case IPPROTO_TCP: /* what to do with a TCP packet */
{
const struct tcphdr *tcph = tcp_hdr(skb);
printer.sport = ntohs(tcph->source);
printer.dport = ntohs(tcph->dest);
- printer.print = ipp2p_print_result_tcp;
+ printer.print = family == NFPROTO_IPV4 ?
+ ipp2p_print_result_tcp4 : ipp2p_print_result_tcp6;
return ipp2p_mt_tcp(info, tcph, haystack, hlen, &printer);
}
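Review bot: `thoff` is filled in by `ipv6_find_hdr(skb, &thoff, -1, NULL, NULL)` but never used; `haystack` and `tcp_hdr(skb)` rely on `skb_transport_header(skb)` instead. Unless the skb's transport header is guaranteed to point past any IPv6 extension headers at this hook, derive the transport header pointer and `haystack` from `skb_network_header(skb) + thoff`, and compute `hlen` relative to `thoff` as well. Also, as reported later in this thread, `ip_transport_len()` and `ipv6_transport_len()` are missing from the 4.19 headers, so these two calls need a fallback for older kernels.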
@@ -973,7 +1022,8 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
printer.sport = ntohs(udph->source);
printer.dport = ntohs(udph->dest);
- printer.print = ipp2p_print_result_udp;
+ printer.print = family == NFPROTO_IPV4 ?
+ ipp2p_print_result_udp4 : ipp2p_print_result_udp6;
return ipp2p_mt_udp(info, udph, haystack, hlen, &printer);
}
@@ -982,23 +1032,33 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
}
}
-static struct xt_match ipp2p_mt_reg __read_mostly = {
- .name = "ipp2p",
- .revision = 1,
- .family = NFPROTO_IPV4,
- .match = ipp2p_mt,
- .matchsize = sizeof(struct ipt_p2p_info),
- .me = THIS_MODULE,
+static struct xt_match ipp2p_mt_reg[] __read_mostly = {
+ {
+ .name = "ipp2p",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .match = ipp2p_mt,
+ .matchsize = sizeof(struct ipt_p2p_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "ipp2p",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .match = ipp2p_mt,
+ .matchsize = sizeof(struct ipt_p2p_info),
+ .me = THIS_MODULE,
+ },
};
static int __init ipp2p_mt_init(void)
{
- return xt_register_match(&ipp2p_mt_reg);
+ return xt_register_matches(ipp2p_mt_reg, ARRAY_SIZE(ipp2p_mt_reg));
}
static void __exit ipp2p_mt_exit(void)
{
- xt_unregister_match(&ipp2p_mt_reg);
+ xt_unregister_matches(ipp2p_mt_reg, ARRAY_SIZE(ipp2p_mt_reg));
}
module_init(ipp2p_mt_init);
--
2.33.0
* Re: [xtables-addons 0/4] IPv6 support for xt_ipp2p
From: Jeremy Sowden @ 2021-09-13 14:55 UTC (permalink / raw)
To: kaskada; +Cc: Jan Engelhardt, Netfilter Devel
On 2021-09-13, at 16:41:38 +0200, kaskada@email.cz wrote:
> big thank you for your patches. I've already tried to compile them as
> those are already on git.
>
> Unfortunately I got these errors after make. You can see it in the
> attachment.
>
> [...]
>
> M=/usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions modules; fi;
> make[3]: Vstupuje se do adresáře „/usr/src/linux-headers-4.19.0-17-amd64“
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/ACCOUNT/xt_ACCOUNT.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/pknock/xt_pknock.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/compat_xtables.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_CHAOS.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_DELUDE.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_DHCPMAC.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_DNETMAP.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_ECHO.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_IPMARK.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_LOGMARK.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_PROTO.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_SYSRQ.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_TARPIT.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_condition.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_fuzzy.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_geoip.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_iface.o
> CC [M] /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_ipp2p.o
> /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_ipp2p.c: In function ‘ipp2p_mt’:
> /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_ipp2p.c:978:10: error: implicit declaration of function ‘ip_transport_len’; did you mean ‘skb_transport_offset’? [-Werror=implicit-function-declaration]
> hlen = ip_transport_len(skb);
> ^~~~~~~~~~~~~~~~
> skb_transport_offset
> /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_ipp2p.c:988:10: error: implicit declaration of function ‘ipv6_transport_len’; did you mean ‘ipv6_authlen’? [-Werror=implicit-function-declaration]
> hlen = ipv6_transport_len(skb);
> ^~~~~~~~~~~~~~~~~~
Ah, ip_transport_len and ipv6_transport_len were introduced in v5.1.
I'll change the code to use something else.
J.
* Re: [xtables-addons 0/4] IPv6 support for xt_ipp2p
From: Jan Engelhardt @ 2021-09-13 17:19 UTC (permalink / raw)
To: Jeremy Sowden; +Cc: Netfilter Devel, kaskada
On Monday 2021-09-13 11:20, Jeremy Sowden wrote:
>* The first patch short-circuits searches if the packet is empty.
>* The second and third patches refactor the ipv4 code in anticipation of
> adding ipv6 support.
>* The fourth patch adds ipv6 support.
Added it.