* [xtables-addons 0/4] IPv6 support for xt_ipp2p
@ 2021-09-13  9:20 Jeremy Sowden
From: Jeremy Sowden @ 2021-09-13  9:20 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Devel, kaskada

* The first patch short-circuits searches if the packet is empty.
* The second and third patches refactor the ipv4 code in anticipation of
  adding ipv6 support.
* The fourth patch adds ipv6 support.

Jeremy Sowden (4):
  xt_ipp2p: don't search haystack if it's empty
  xt_ipp2p: move the protocol-specific code out into separate functions
  xt_ipp2p: move result printing code into separate functions
  xt_ipp2p: add ipv6 support

 extensions/libxt_ipp2p.c |   2 +-
 extensions/xt_ipp2p.c    | 293 ++++++++++++++++++++++++++++-----------
 2 files changed, 214 insertions(+), 81 deletions(-)

-- 
2.33.0



* [xtables-addons 1/4] xt_ipp2p: don't search haystack if it's empty
@ 2021-09-13  9:20 ` Jeremy Sowden
From: Jeremy Sowden @ 2021-09-13  9:20 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Devel, kaskada

All the search functions have a positive minimum packet-length.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 extensions/xt_ipp2p.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 8fb1b79bb414..4e0fbb675c76 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -842,14 +842,17 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		if (tcph->syn) return 0;  /* if SYN bit is set bail out */
 		if (tcph->rst) return 0;  /* if RST bit is set bail out */
 
-		haystack += tcph->doff * 4; /* get TCP-Header-Size */
 		if (tcph->doff * 4 > hlen) {
 			if (info->debug)
 				pr_info("TCP header indicated packet larger than it is\n");
-			hlen = 0;
-		} else {
-			hlen -= tcph->doff * 4;
+			return 0;
 		}
+		if (tcph->doff * 4 == hlen)
+			return 0;
+
+		haystack += tcph->doff * 4; /* get TCP-Header-Size */
+		hlen     -= tcph->doff * 4;
+
 		while (matchlist[i].command) {
 			if ((info->cmd & matchlist[i].command) == matchlist[i].command &&
 			    hlen > matchlist[i].packet_len)
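Review bot: The new `if (tcph->doff * 4 == hlen) return 0;` is only correct because every `matchlist` entry has a positive `packet_len`, which the commit message states but the code does not; a comment on that line, `/* header-only segment: every matcher needs at least one payload byte */`, keeps the invariant next to the check that depends on it. `tcph->doff * 4` is now evaluated three times in a row; a local `unsigned int tcph_len = tcph->doff * 4;` above the first test would read better and avoids repeating the int-to-unsigned promotion in each comparison. The UDP hunk below has the same shape with `sizeof(*udph)` and would take the same comment. ipp2p_mt starts before and ends after this hunk.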
@@ -875,14 +878,16 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	{
 		const struct udphdr *udph = (const void *)ip + ip_hdrlen(skb);
 
-		haystack += sizeof(*udph);
 		if (sizeof(*udph) > hlen) {
 			if (info->debug)
 				pr_info("UDP header indicated packet larger than it is\n");
-			hlen = 0;
-		} else {
-			hlen -= sizeof(*udph);
+			return 0;
 		}
+		if (sizeof(*udph) == hlen)
+			return 0;
+
+		haystack += sizeof(*udph);
+		hlen     -= sizeof(*udph);
 
 		while (udp_list[i].command) {
 			if ((info->cmd & udp_list[i].command) == udp_list[i].command &&
-- 
2.33.0



* [xtables-addons 2/4] xt_ipp2p: move the protocol-specific code out into separate functions
@ 2021-09-13  9:20 ` Jeremy Sowden
From: Jeremy Sowden @ 2021-09-13  9:20 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Devel, kaskada

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 extensions/xt_ipp2p.c | 165 ++++++++++++++++++++++++------------------
 1 file changed, 93 insertions(+), 72 deletions(-)

diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 4e0fbb675c76..298950514569 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -807,15 +807,97 @@ static const struct {
 	{0},
 };
 
+static bool
+ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
+	     const unsigned char *haystack, unsigned int hlen,
+	     const struct iphdr *ip)
+{
+	size_t tcph_len = tcph->doff * 4;
+	bool p2p_result = false;
+	int i = 0;
+
+	if (tcph->fin) return 0;  /* if FIN bit is set bail out */
+	if (tcph->syn) return 0;  /* if SYN bit is set bail out */
+	if (tcph->rst) return 0;  /* if RST bit is set bail out */
+
+	if (hlen < tcph_len) {
+		if (info->debug)
+			pr_info("TCP header indicated packet larger than it is\n");
+		return 0;
+	}
+	if (hlen == tcph_len)
+		return 0;
+
+	haystack += tcph_len;
+	hlen     -= tcph_len;
+
+	while (matchlist[i].command) {
+		if ((info->cmd & matchlist[i].command) == matchlist[i].command &&
+		    hlen > matchlist[i].packet_len)
+		{
+			p2p_result = matchlist[i].function_name(haystack, hlen);
+			if (p2p_result)	{
+				if (info->debug)
+					printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
+					       p2p_result, &ip->saddr,
+					       ntohs(tcph->source),
+					       &ip->daddr,
+					       ntohs(tcph->dest), hlen);
+				return p2p_result;
+			}
+		}
+		i++;
+	}
+	return p2p_result;
+}
+
+static bool
+ipp2p_mt_udp(const struct ipt_p2p_info *info, const struct udphdr *udph,
+	     const unsigned char *haystack, unsigned int hlen,
+	     const struct iphdr *ip)
+{
+	size_t udph_len = sizeof(*udph);
+	bool p2p_result = false;
+	int i = 0;
+
+	if (hlen < udph_len) {
+		if (info->debug)
+			pr_info("UDP header indicated packet larger than it is\n");
+		return 0;
+	}
+	if (hlen == udph_len)
+		return 0;
+
+	haystack += udph_len;
+	hlen     -= udph_len;
+
+	while (udp_list[i].command) {
+		if ((info->cmd & udp_list[i].command) == udp_list[i].command &&
+		    hlen > udp_list[i].packet_len)
+		{
+			p2p_result = udp_list[i].function_name(haystack, hlen);
+			if (p2p_result) {
+				if (info->debug)
+					printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
+					       p2p_result, &ip->saddr,
+					       ntohs(udph->source),
+					       &ip->daddr,
+					       ntohs(udph->dest), hlen);
+				return p2p_result;
+			}
+		}
+		i++;
+	}
+	return p2p_result;
+}
+
 static bool
 ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_p2p_info *info = par->matchinfo;
-	const unsigned char  *haystack;
 	const struct iphdr *ip = ip_hdr(skb);
-	bool p2p_result = false;
-	int i = 0;
-	unsigned int hlen = ntohs(ip->tot_len) - ip_hdrlen(skb);	/* hlen = packet-data length */
+	const unsigned char *haystack;  /* packet-data */
+	unsigned int hlen;              /* packet-data length */
 
 	/* must not be a fragment */
 	if (par->fragoff != 0) {
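Review bot: `ipp2p_mt_tcp` derives `tcph_len` from `tcph->doff` and checks it only against `hlen`, so a header whose `doff` is below 5 (fewer than the 20 bytes a TCP header occupies) is accepted and the tail of the TCP header is then handed to the search functions as payload, unless an earlier hook has already dropped such packets. A guard `if (tcph_len < sizeof(*tcph)) return false;` beside the existing length test closes that, and since the FIN/SYN/RST bits are read before any length check, a `hlen < sizeof(*tcph)` test belongs before them. Both new helpers are declared `bool` but write `return 0`, and store the matchers' `unsigned int` result in `bool p2p_result`; `return false` and keeping the result as `unsigned int` would match the types. Neither helper has a header comment; a one-liner such as `/* Search the TCP payload after tcph against matchlist; haystack/hlen cover the segment from the TCP header onward. */` (and the UDP counterpart) would do. The hunk ends at the start of ipp2p_mt, which continues past it.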
@@ -831,84 +913,23 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		return 0;
 	}
 
-	haystack = skb_network_header(skb) + ip_hdrlen(skb);
+	haystack = skb_transport_header(skb);
+	hlen     = ntohs(ip->tot_len) - skb_transport_offset(skb);
 
 	switch (ip->protocol) {
 	case IPPROTO_TCP:	/* what to do with a TCP packet */
 	{
-		const struct tcphdr *tcph = (const void *)ip + ip_hdrlen(skb);
-
-		if (tcph->fin) return 0;  /* if FIN bit is set bail out */
-		if (tcph->syn) return 0;  /* if SYN bit is set bail out */
-		if (tcph->rst) return 0;  /* if RST bit is set bail out */
-
-		if (tcph->doff * 4 > hlen) {
-			if (info->debug)
-				pr_info("TCP header indicated packet larger than it is\n");
-			return 0;
-		}
-		if (tcph->doff * 4 == hlen)
-			return 0;
+		const struct tcphdr *tcph = tcp_hdr(skb);
 
-		haystack += tcph->doff * 4; /* get TCP-Header-Size */
-		hlen     -= tcph->doff * 4;
-
-		while (matchlist[i].command) {
-			if ((info->cmd & matchlist[i].command) == matchlist[i].command &&
-			    hlen > matchlist[i].packet_len)
-			{
-				p2p_result = matchlist[i].function_name(haystack, hlen);
-				if (p2p_result)	{
-					if (info->debug)
-						printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
-						       p2p_result, &ip->saddr,
-						       ntohs(tcph->source),
-						       &ip->daddr,
-						       ntohs(tcph->dest), hlen);
-					return p2p_result;
-				}
-			}
-			i++;
-		}
-		return p2p_result;
+		return ipp2p_mt_tcp(info, tcph, haystack, hlen, ip);
 	}
-
-	case IPPROTO_UDP:	/* what to do with an UDP packet */
+	case IPPROTO_UDP:	/* what to do with a UDP packet */
 	case IPPROTO_UDPLITE:
 	{
-		const struct udphdr *udph = (const void *)ip + ip_hdrlen(skb);
+		const struct udphdr *udph = udp_hdr(skb);
 
-		if (sizeof(*udph) > hlen) {
-			if (info->debug)
-				pr_info("UDP header indicated packet larger than it is\n");
-			return 0;
-		}
-		if (sizeof(*udph) == hlen)
-			return 0;
-
-		haystack += sizeof(*udph);
-		hlen     -= sizeof(*udph);
-
-		while (udp_list[i].command) {
-			if ((info->cmd & udp_list[i].command) == udp_list[i].command &&
-			    hlen > udp_list[i].packet_len)
-			{
-				p2p_result = udp_list[i].function_name(haystack, hlen);
-				if (p2p_result) {
-					if (info->debug)
-						printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
-						       p2p_result, &ip->saddr,
-						       ntohs(udph->source),
-						       &ip->daddr,
-						       ntohs(udph->dest), hlen);
-					return p2p_result;
-				}
-			}
-			i++;
-		}
-		return p2p_result;
+		return ipp2p_mt_udp(info, udph, haystack, hlen, ip);
 	}
-
 	default:
 		return 0;
 	}
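Review bot: `hlen` is computed at the top of this hunk as `ntohs(ip->tot_len) - skb_transport_offset(skb)` in unsigned arithmetic with no ordering check, so if `tot_len` ever names fewer bytes than the transport offset (the IPv4 receive path should have dropped such a packet, but locally generated or mangled skbs are not obviously covered) the result wraps to a huge value that the helpers then treat as a valid payload length. A guard `if (skb_transport_offset(skb) > ntohs(ip->tot_len)) return false;` before the subtraction is cheap. The switch also now relies on `skb->transport_header` having been set for every hook this match can run in, which is worth a one-line comment. ipp2p_mt starts before this hunk.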
-- 
2.33.0



* [xtables-addons 3/4] xt_ipp2p: move result printing code into separate functions
@ 2021-09-13  9:20 ` Jeremy Sowden
From: Jeremy Sowden @ 2021-09-13  9:20 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Devel, kaskada

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 extensions/xt_ipp2p.c | 75 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 61 insertions(+), 14 deletions(-)

diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 298950514569..56fcbe497718 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -19,6 +19,27 @@ MODULE_AUTHOR("Eicke Friedrich/Klaus Degner <ipp2p@ipp2p.org>");
 MODULE_DESCRIPTION("An extension to iptables to identify P2P traffic.");
 MODULE_LICENSE("GPL");
 
+union ipp2p_addr {
+	__be32 ip;
+};
+
+struct ipp2p_result_printer {
+	const union ipp2p_addr *saddr, *daddr;
+	short sport, dport;
+	void (*print) (const union ipp2p_addr *, short,
+		       const union ipp2p_addr *, short,
+		       bool, unsigned int);
+};
+
+static void
+print_result (const struct ipp2p_result_printer *rp, bool result,
+	      unsigned int hlen)
+{
+	rp->print(rp->saddr, rp->sport,
+		  rp->daddr, rp->dport,
+		  result, hlen);
+}
+
 /* Search for UDP eDonkey/eMule/Kad commands */
 static unsigned int
 udp_search_edk(const unsigned char *t, const unsigned int packet_len)
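Review bot: `struct ipp2p_result_printer` declares `sport` and `dport` as `short`, but the callers store `ntohs()` results (0–65535) in them, so ports above 32767 are held as negative values and the `print` callback signature inherits the same type; `u16 sport, dport;` and `u16` in the `print` prototype match what is actually stored (the `%hu` in the printers already reinterprets them as unsigned, which is why the output happens to be right). The union carries no discriminator, so a comment on the struct saying that which `ipp2p_addr` member is valid is decided by the installed `print` callback would help the next reader. `print_result (` has a space before its parameter list, unlike the rest of the file. The same `short` parameters appear in ipp2p_print_result_tcp and ipp2p_print_result_udp in the following hunks and in the assignments in ipp2p_mt at the end of the patch.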
@@ -807,10 +828,19 @@ static const struct {
 	{0},
 };
 
+static void
+ipp2p_print_result_tcp(const union ipp2p_addr *saddr, short sport,
+		       const union ipp2p_addr *daddr, short dport,
+		       bool p2p_result, unsigned int hlen)
+{
+	printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %u\n",
+	       p2p_result, &saddr->ip, sport, &daddr->ip, dport, hlen);
+}
+
 static bool
 ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
 	     const unsigned char *haystack, unsigned int hlen,
-	     const struct iphdr *ip)
+	     const struct ipp2p_result_printer *rp)
 {
 	size_t tcph_len = tcph->doff * 4;
 	bool p2p_result = false;
@@ -838,11 +868,7 @@ ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
 			p2p_result = matchlist[i].function_name(haystack, hlen);
 			if (p2p_result)	{
 				if (info->debug)
-					printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
-					       p2p_result, &ip->saddr,
-					       ntohs(tcph->source),
-					       &ip->daddr,
-					       ntohs(tcph->dest), hlen);
+					print_result(rp, p2p_result, hlen);
 				return p2p_result;
 			}
 		}
@@ -851,10 +877,19 @@ ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
 	return p2p_result;
 }
 
+static void
+ipp2p_print_result_udp(const union ipp2p_addr *saddr, short sport,
+		       const union ipp2p_addr *daddr, short dport,
+		       bool p2p_result, unsigned int hlen)
+{
+	printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %u\n",
+	       p2p_result, &saddr->ip, sport, &daddr->ip, dport, hlen);
+}
+
 static bool
 ipp2p_mt_udp(const struct ipt_p2p_info *info, const struct udphdr *udph,
 	     const unsigned char *haystack, unsigned int hlen,
-	     const struct iphdr *ip)
+	     const struct ipp2p_result_printer *rp)
 {
 	size_t udph_len = sizeof(*udph);
 	bool p2p_result = false;
@@ -878,11 +913,7 @@ ipp2p_mt_udp(const struct ipt_p2p_info *info, const struct udphdr *udph,
 			p2p_result = udp_list[i].function_name(haystack, hlen);
 			if (p2p_result) {
 				if (info->debug)
-					printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
-					       p2p_result, &ip->saddr,
-					       ntohs(udph->source),
-					       &ip->daddr,
-					       ntohs(udph->dest), hlen);
+					print_result(rp, p2p_result, hlen);
 				return p2p_result;
 			}
 		}
@@ -896,6 +927,8 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_p2p_info *info = par->matchinfo;
 	const struct iphdr *ip = ip_hdr(skb);
+	struct ipp2p_result_printer printer;
+	union ipp2p_addr saddr, daddr;
 	const unsigned char *haystack;  /* packet-data */
 	unsigned int hlen;              /* packet-data length */
 
@@ -916,19 +949,33 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	haystack = skb_transport_header(skb);
 	hlen     = ntohs(ip->tot_len) - skb_transport_offset(skb);
 
+	saddr.ip = ip->saddr;
+	daddr.ip = ip->daddr;
+
+	printer.saddr = &saddr;
+	printer.daddr = &daddr;
+
 	switch (ip->protocol) {
 	case IPPROTO_TCP:	/* what to do with a TCP packet */
 	{
 		const struct tcphdr *tcph = tcp_hdr(skb);
 
-		return ipp2p_mt_tcp(info, tcph, haystack, hlen, ip);
+		printer.sport = ntohs(tcph->source);
+		printer.dport = ntohs(tcph->dest);
+		printer.print = ipp2p_print_result_tcp;
+
+		return ipp2p_mt_tcp(info, tcph, haystack, hlen, &printer);
 	}
 	case IPPROTO_UDP:	/* what to do with a UDP packet */
 	case IPPROTO_UDPLITE:
 	{
 		const struct udphdr *udph = udp_hdr(skb);
 
-		return ipp2p_mt_udp(info, udph, haystack, hlen, ip);
+		printer.sport = ntohs(udph->source);
+		printer.dport = ntohs(udph->dest);
+		printer.print = ipp2p_print_result_udp;
+
+		return ipp2p_mt_udp(info, udph, haystack, hlen, &printer);
 	}
 	default:
 		return 0;
-- 
2.33.0



* [xtables-addons 4/4] xt_ipp2p: add ipv6 support
@ 2021-09-13  9:20 ` Jeremy Sowden
From: Jeremy Sowden @ 2021-09-13  9:20 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Devel, kaskada

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 extensions/libxt_ipp2p.c |   2 +-
 extensions/xt_ipp2p.c    | 110 ++++++++++++++++++++++++++++++---------
 2 files changed, 86 insertions(+), 26 deletions(-)

diff --git a/extensions/libxt_ipp2p.c b/extensions/libxt_ipp2p.c
index 74be4bee95ea..38b3be3eed0d 100644
--- a/extensions/libxt_ipp2p.c
+++ b/extensions/libxt_ipp2p.c
@@ -230,7 +230,7 @@ static struct xtables_match ipp2p_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ipp2p",
 	.revision      = 1,
-	.family        = NFPROTO_IPV4,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.help          = ipp2p_mt_help,
diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 56fcbe497718..74f7d18fc04b 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -21,6 +21,7 @@ MODULE_LICENSE("GPL");
 
 union ipp2p_addr {
 	__be32 ip;
+	struct in6_addr in6;
 };
 
 struct ipp2p_result_printer {
@@ -829,14 +830,23 @@ static const struct {
 };
 
 static void
-ipp2p_print_result_tcp(const union ipp2p_addr *saddr, short sport,
-		       const union ipp2p_addr *daddr, short dport,
-		       bool p2p_result, unsigned int hlen)
+ipp2p_print_result_tcp4(const union ipp2p_addr *saddr, short sport,
+			const union ipp2p_addr *daddr, short dport,
+			bool p2p_result, unsigned int hlen)
 {
 	printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %u\n",
 	       p2p_result, &saddr->ip, sport, &daddr->ip, dport, hlen);
 }
 
+static void
+ipp2p_print_result_tcp6(const union ipp2p_addr *saddr, short sport,
+			const union ipp2p_addr *daddr, short dport,
+			bool p2p_result, unsigned int hlen)
+{
+	printk("IPP2P.debug:TCP-match: %d from: %pI6:%hu to: %pI6:%hu Length: %u\n",
+	       p2p_result, &saddr->in6, sport, &daddr->in6, dport, hlen);
+}
+
 static bool
 ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
 	     const unsigned char *haystack, unsigned int hlen,
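Review bot: `ipp2p_print_result_tcp6` prints the addresses with `%pI6`, which emits the full uncompressed form; `%pI6c` gives the usual compressed notation and is the common choice in netfilter logging. The same applies to ipp2p_print_result_udp6 in the next hunk.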
@@ -878,14 +888,23 @@ ipp2p_mt_tcp(const struct ipt_p2p_info *info, const struct tcphdr *tcph,
 }
 
 static void
-ipp2p_print_result_udp(const union ipp2p_addr *saddr, short sport,
-		       const union ipp2p_addr *daddr, short dport,
-		       bool p2p_result, unsigned int hlen)
+ipp2p_print_result_udp4(const union ipp2p_addr *saddr, short sport,
+			const union ipp2p_addr *daddr, short dport,
+			bool p2p_result, unsigned int hlen)
 {
 	printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %u\n",
 	       p2p_result, &saddr->ip, sport, &daddr->ip, dport, hlen);
 }
 
+static void
+ipp2p_print_result_udp6(const union ipp2p_addr *saddr, short sport,
+			const union ipp2p_addr *daddr, short dport,
+			bool p2p_result, unsigned int hlen)
+{
+	printk("IPP2P.debug:UDP-match: %d from: %pI6:%hu to: %pI6:%hu Length: %u\n",
+	       p2p_result, &saddr->in6, sport, &daddr->in6, dport, hlen);
+}
+
 static bool
 ipp2p_mt_udp(const struct ipt_p2p_info *info, const struct udphdr *udph,
 	     const unsigned char *haystack, unsigned int hlen,
@@ -926,13 +945,19 @@ static bool
 ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_p2p_info *info = par->matchinfo;
-	const struct iphdr *ip = ip_hdr(skb);
 	struct ipp2p_result_printer printer;
 	union ipp2p_addr saddr, daddr;
 	const unsigned char *haystack;  /* packet-data */
 	unsigned int hlen;              /* packet-data length */
-
-	/* must not be a fragment */
+	u8 family = xt_family(par);
+	int protocol;
+
+	/* must not be a fragment
+	 *
+	 * NB, `par->fragoff` may be zero for a fragmented IPv6 packet.
+	 * However, in that case the later call to `ipv6_find_hdr` will not find
+	 * a transport protocol, and so we will return 0 there.
+	 */
 	if (par->fragoff != 0) {
 		if (info->debug)
 			printk("IPP2P.match: offset found %d\n", par->fragoff);
@@ -946,23 +971,47 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		return 0;
 	}
 
-	haystack = skb_transport_header(skb);
-	hlen     = ntohs(ip->tot_len) - skb_transport_offset(skb);
+	if (family == NFPROTO_IPV4) {
+
+		const struct iphdr *ip = ip_hdr(skb);
+
+		saddr.ip = ip->saddr;
+		daddr.ip = ip->daddr;
+
+		protocol = ip->protocol;
 
-	saddr.ip = ip->saddr;
-	daddr.ip = ip->daddr;
+		hlen = ip_transport_len(skb);
+
+	} else {
+
+		const struct ipv6hdr *ip = ipv6_hdr(skb);
+		int thoff = 0;
+
+		saddr.in6 = ip->saddr;
+		daddr.in6 = ip->daddr;
+
+		protocol = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);
+		if (protocol < 0)
+			return 0;
+
+		hlen = ipv6_transport_len(skb);
+
+	}
 
 	printer.saddr = &saddr;
 	printer.daddr = &daddr;
 
-	switch (ip->protocol) {
+	haystack = skb_transport_header(skb);
+
+	switch (protocol) {
 	case IPPROTO_TCP:	/* what to do with a TCP packet */
 	{
 		const struct tcphdr *tcph = tcp_hdr(skb);
 
 		printer.sport = ntohs(tcph->source);
 		printer.dport = ntohs(tcph->dest);
-		printer.print = ipp2p_print_result_tcp;
+		printer.print = family == NFPROTO_IPV4 ?
+			ipp2p_print_result_tcp4 : ipp2p_print_result_tcp6;
 
 		return ipp2p_mt_tcp(info, tcph, haystack, hlen, &printer);
 	}
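Review bot: `thoff`, filled in by `ipv6_find_hdr` in the IPv6 branch, is never used: `haystack`, `hlen` and the later `tcp_hdr(skb)`/`udp_hdr(skb)` all go through `skb->transport_header`, which for IPv6 (as far as I recall the receive path) sits directly after the fixed 40-byte header, so a packet carrying any extension header would be searched, and its ports logged, from the extension header rather than the transport header. The call also passes `NULL` for `fragoff`, and with target `-1` ipv6_find_hdr reports the upper-layer protocol of a non-first fragment without flagging it, so the comment at the top of the function saying such packets are rejected there does not hold when `par->fragoff` is zero. Using `thoff` for the transport header and asking for the fragment offset fixes both; the TCP and UDP cases then take their header from `haystack` instead of `tcp_hdr()`/`udp_hdr()`. ipv6_find_hdr's offset parameter is `unsigned int *`, so `thoff` should be declared as such rather than `int`. ipp2p_mt starts before this hunk and continues after it.
```c
	if (family == NFPROTO_IPV4) {
		const struct iphdr *ip = ip_hdr(skb);

		saddr.ip = ip->saddr;
		daddr.ip = ip->daddr;

		protocol = ip->protocol;

		haystack = skb_transport_header(skb);
		hlen     = ip_transport_len(skb);
	} else {
		const struct ipv6hdr *ip = ipv6_hdr(skb);
		unsigned int thoff = 0;
		unsigned short fragoff = 0;

		saddr.in6 = ip->saddr;
		daddr.in6 = ip->daddr;

		/* thoff ends up past any extension headers; a non-first
		 * fragment carries no transport header to search */
		protocol = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);
		if (protocol < 0 || fragoff != 0)
			return false;
		if (thoff > sizeof(*ip) + ntohs(ip->payload_len))
			return false;

		haystack = skb_network_header(skb) + thoff;
		hlen     = sizeof(*ip) + ntohs(ip->payload_len) - thoff;
	}

	/* … unchanged: printer.saddr/daddr setup … */

	switch (protocol) {
	case IPPROTO_TCP:	/* what to do with a TCP packet */
	{
		const struct tcphdr *tcph = (const void *)haystack;
		/* … unchanged: printer.sport/dport/print setup and ipp2p_mt_tcp call … */
```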
@@ -973,7 +1022,8 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 
 		printer.sport = ntohs(udph->source);
 		printer.dport = ntohs(udph->dest);
-		printer.print = ipp2p_print_result_udp;
+		printer.print = family == NFPROTO_IPV4 ?
+			ipp2p_print_result_udp4 : ipp2p_print_result_udp6;
 
 		return ipp2p_mt_udp(info, udph, haystack, hlen, &printer);
 	}
@@ -982,23 +1032,33 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	}
 }
 
-static struct xt_match ipp2p_mt_reg __read_mostly = {
-	.name       = "ipp2p",
-	.revision   = 1,
-	.family     = NFPROTO_IPV4,
-	.match      = ipp2p_mt,
-	.matchsize  = sizeof(struct ipt_p2p_info),
-	.me         = THIS_MODULE,
+static struct xt_match ipp2p_mt_reg[] __read_mostly = {
+	{
+		.name       = "ipp2p",
+		.revision   = 1,
+		.family     = NFPROTO_IPV4,
+		.match      = ipp2p_mt,
+		.matchsize  = sizeof(struct ipt_p2p_info),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "ipp2p",
+		.revision   = 1,
+		.family     = NFPROTO_IPV6,
+		.match      = ipp2p_mt,
+		.matchsize  = sizeof(struct ipt_p2p_info),
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init ipp2p_mt_init(void)
 {
-	return xt_register_match(&ipp2p_mt_reg);
+	return xt_register_matches(ipp2p_mt_reg, ARRAY_SIZE(ipp2p_mt_reg));
 }
 
 static void __exit ipp2p_mt_exit(void)
 {
-	xt_unregister_match(&ipp2p_mt_reg);
+	xt_unregister_matches(ipp2p_mt_reg, ARRAY_SIZE(ipp2p_mt_reg));
 }
 
 module_init(ipp2p_mt_init);
-- 
2.33.0



* Re: [xtables-addons 0/4] IPv6 support for xt_ipp2p
@ 2021-09-13 14:55   ` Jeremy Sowden
From: Jeremy Sowden @ 2021-09-13 14:55 UTC (permalink / raw)
  To: kaskada; +Cc: Jan Engelhardt, Netfilter Devel


On 2021-09-13, at 16:41:38 +0200, kaskada@email.cz wrote:
> big thank you for your patches. I've already tried to compile them as
> those are already on git.
>
> Unfortunately I got these errors after make. You can see it in the
> attachment.
>
> [...]
>
> M=/usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions modules; fi;
> make[3]: Vstupuje se do adres????e ???/usr/src/linux-headers-4.19.0-17-amd64???
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/ACCOUNT/xt_ACCOUNT.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/pknock/xt_pknock.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/compat_xtables.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_CHAOS.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_DELUDE.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_DHCPMAC.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_DNETMAP.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_ECHO.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_IPMARK.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_LOGMARK.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_PROTO.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_SYSRQ.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_TARPIT.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_condition.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_fuzzy.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_geoip.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_iface.o
>   CC [M]  /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_ipp2p.o
> /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_ipp2p.c: In function ???ipp2p_mt???:
> /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_ipp2p.c:978:10: error: implicit declaration of function ???ip_transport_len???; did you mean ???skb_transport_offset???? [-Werror=implicit-function-declaration]
>    hlen = ip_transport_len(skb);
>           ^~~~~~~~~~~~~~~~
>           skb_transport_offset
> /usr/src/xtables-addons-with-ipv6-for-IPP2P/xtables-addons/extensions/xt_ipp2p.c:988:10: error: implicit declaration of function ???ipv6_transport_len???; did you mean ???ipv6_authlen???? [-Werror=implicit-function-declaration]
>    hlen = ipv6_transport_len(skb);
>           ^~~~~~~~~~~~~~~~~~

Ah, ip_transport_len and ipv6_transport_len were introduced in v5.1.
I'll change the code to use something else.

J.



* Re: [xtables-addons 0/4] IPv6 support for xt_ipp2p
@ 2021-09-13 17:19 ` Jan Engelhardt
From: Jan Engelhardt @ 2021-09-13 17:19 UTC (permalink / raw)
  To: Jeremy Sowden; +Cc: Netfilter Devel, kaskada


On Monday 2021-09-13 11:20, Jeremy Sowden wrote:

>* The first patch short-circuits searches if the packet is empty.
>* The second and third patches refactor the ipv4 code in anticipation of
>  adding ipv6 support.
>* The fourth patch adds ipv6 support.

Added it.

