1 /* Shared library add-on to iptables to add ESP support. */
9 #include <linux/netfilter/xt_esp.h>
11 /* Function which prints out usage message. */
12 static void esp_help(void)
15 "esp match options:\n"
16 " --espspi [!] spi[:spi]\n"
17 " match spi (range)\n");
20 static const struct option esp_opts[] = {
21 { "espspi", 1, NULL, '1' },
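/* Parse a single SPI given as a decimal, octal or hex string.
 *
 * The SPI is a 32-bit field, so the accepted range is 0..0xFFFFFFFF
 * regardless of how wide the host's unsigned long is. Any malformed,
 * negative, trailing-garbage or out-of-range input terminates the
 * program through exit_error(PARAMETER_PROBLEM, ...); the function
 * only returns on success.
 */
static u_int32_t
parse_esp_spi(const char *spistr)
{
	unsigned long int spi;
	char *ep;

	/* strtoul only writes errno on failure; clear it first so a stale
	 * ERANGE left by an earlier call cannot be mistaken for overflow. */
	errno = 0;
	spi = strtoul(spistr, &ep, 0);

	if (spistr == ep) {
		exit_error(PARAMETER_PROBLEM,
			   "ESP no valid digits in spi `%s'", spistr);
	}
	/* strtoul silently accepts a leading '-' and negates the value; a
	 * negative SPI is meaningless and would otherwise wrap to a large
	 * positive number on 32-bit hosts. */
	if (strchr(spistr, '-') != NULL) {
		exit_error(PARAMETER_PROBLEM,
			   "ESP error parsing spi `%s'", spistr);
	}
	/* On LP64 hosts unsigned long is wider than the SPI field, so a
	 * value may fit 'spi' yet be truncated by the cast below. Reject
	 * both real strtoul overflow and that silent truncation. */
	if ((spi == ULONG_MAX && errno == ERANGE) || spi > 0xFFFFFFFFUL) {
		exit_error(PARAMETER_PROBLEM,
			   "spi `%s' specified too big: would overflow", spistr);
	}
	/* Anything left after the number is a syntax error (an empty string
	 * was already caught by the "no valid digits" check above). */
	if (*ep != '\0') {
		exit_error(PARAMETER_PROBLEM,
			   "ESP error parsing spi `%s'", spistr);
	}
	return (u_int32_t) spi;
}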
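/* Parse "spi" or "spi:spi" from spistring into spis[0] (low, inclusive)
 * and spis[1] (high, inclusive).
 *
 * A lone value selects exactly that SPI. In a range, an empty low bound
 * means 0 and an empty high bound means 0xFFFFFFFF. An inverted range
 * (low > high) and any unparsable bound terminate the program via
 * exit_error(); allocation failure does the same rather than
 * dereferencing NULL.
 */
static void
parse_esp_spis(const char *spistring, u_int32_t *spis)
{
	char *buffer;
	char *cp;

	/* Work on a private copy: the ':' is overwritten with a terminator so
	 * each half can be handed to parse_esp_spi() as its own string. */
	buffer = strdup(spistring);
	if (buffer == NULL) {
		exit_error(OTHER_PROBLEM, "strdup: %s", strerror(errno));
	}

	if ((cp = strchr(buffer, ':')) == NULL) {
		spis[0] = spis[1] = parse_esp_spi(buffer);
	} else {
		*cp = '\0';
		cp++;

		/* An empty bound is "open": 0 below, the full field above. */
		spis[0] = buffer[0] ? parse_esp_spi(buffer) : 0;
		spis[1] = cp[0] ? parse_esp_spi(cp) : 0xFFFFFFFF;
		if (spis[0] > spis[1])
			exit_error(PARAMETER_PROBLEM,
				   "Invalid ESP spi range: %s", spistring);
	}
	/* exit_error() never returns, so the error paths above may leave the
	 * copy allocated; only the success path reaches here. */
	free(buffer);
}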
/* Initialize the match: a freshly created ESP match covers every SPI.
 *
 * Only the upper bound is written here; spis[0] and invflags are assumed
 * to already be zero in m->data (presumably cleared by the caller that
 * allocated the match — verify against the xtables core if relying on it).
 * esp_print()/esp_save() treat [0, 0xFFFFFFFF] as the "no option given"
 * default, so this must stay in step with them.
 */
static void esp_init(struct xt_entry_match *m)
{
	struct xt_esp *info = (struct xt_esp *)m->data;
	const u_int32_t spi_max = 0xFFFFFFFF;

	info->spis[1] = spi_max;
}
80 /* Function which parses command options; returns true if it
83 esp_parse(int c, char **argv, int invert, unsigned int *flags,
84 const void *entry, struct xt_entry_match **match)
86 struct xt_esp *espinfo = (struct xt_esp *)(*match)->data;
91 exit_error(PARAMETER_PROBLEM,
92 "Only one `--espspi' allowed");
93 check_inverse(optarg, &invert, &optind, 0);
94 parse_esp_spis(argv[optind-1], espinfo->spis);
96 espinfo->invflags |= XT_ESP_INV_SPI;
/* Print one SPI selector for rule listing.
 *
 * name   - label printed before the value(s), e.g. "spi"
 * min    - lower bound of the range, inclusive
 * max    - upper bound of the range, inclusive
 * invert - nonzero when the selector is negated; prints a "!" prefix
 *
 * Nothing is printed for the non-inverted default range [0, 0xFFFFFFFF],
 * which is what the match holds when no --espspi option was given.
 * A single value prints as "name:VALUE ", a range as "names:LOW:HIGH ".
 */
static void
print_spis(const char *name, u_int32_t min, u_int32_t max,
	   int invert)
{
	/* Default "any SPI" selector: nothing worth showing. */
	if (min == 0 && max == 0xFFFFFFFF && !invert)
		return;

	const char *bang = invert ? "!" : "";

	if (min == max) {
		printf("%s:%s%u ", name, bang, min);
		return;
	}
	printf("%ss:%s%u:%u ", name, bang, min, max);
}
120 /* Prints out the union ipt_matchinfo. */
122 esp_print(const void *ip, const struct xt_entry_match *match, int numeric)
124 const struct xt_esp *esp = (struct xt_esp *)match->data;
127 print_spis("spi", esp->spis[0], esp->spis[1],
128 esp->invflags & XT_ESP_INV_SPI);
129 if (esp->invflags & ~XT_ESP_INV_MASK)
130 printf("Unknown invflags: 0x%X ",
131 esp->invflags & ~XT_ESP_INV_MASK);
134 /* Saves the union ipt_matchinfo in parsable form to stdout. */
135 static void esp_save(const void *ip, const struct xt_entry_match *match)
137 const struct xt_esp *espinfo = (struct xt_esp *)match->data;
139 if (!(espinfo->spis[0] == 0
140 && espinfo->spis[1] == 0xFFFFFFFF)) {
141 printf("--espspi %s",
142 (espinfo->invflags & XT_ESP_INV_SPI) ? "! " : "");
155 static struct xtables_match esp_match = {
158 .version = XTABLES_VERSION,
159 .size = XT_ALIGN(sizeof(struct xt_esp)),
160 .userspacesize = XT_ALIGN(sizeof(struct xt_esp)),
166 .extra_opts = esp_opts,
169 static struct xtables_match esp_match6 = {
172 .version = XTABLES_VERSION,
173 .size = XT_ALIGN(sizeof(struct xt_esp)),
174 .userspacesize = XT_ALIGN(sizeof(struct xt_esp)),
180 .extra_opts = esp_opts,
186 xtables_register_match(&esp_match);
187 xtables_register_match(&esp_match6);