ipv6header_match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
- const void *protohdr,
- u_int16_t datalen,
+ unsigned int protoff,
int *hotdrop)
{
const struct ip6t_ipv6header_info *info = matchinfo;
len = skb->len - ptr;
temp = 0;
- while (ip6t_ext_hdr(nexthdr)) {
- struct ipv6_opt_hdr *hdr;
- int hdrlen;
+ while (ip6t_ext_hdr(nexthdr)) {
+ struct ipv6_opt_hdr _hdr, *hp;
+ int hdrlen;
/* Is there enough space for the next ext header? */
- if (len < (int)sizeof(struct ipv6_opt_hdr))
- return 0;
+ if (len < (int)sizeof(struct ipv6_opt_hdr))
+ return 0;
/* No more exthdr -> evaluate */
- if (nexthdr == NEXTHDR_NONE) {
+ if (nexthdr == NEXTHDR_NONE) {
temp |= MASK_NONE;
break;
}
/* ESP -> evaluate */
- if (nexthdr == NEXTHDR_ESP) {
+ if (nexthdr == NEXTHDR_ESP) {
temp |= MASK_ESP;
break;
}
- hdr=(struct ipv6_opt_hdr *)skb->data+ptr;
+ hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
+ BUG_ON(hp == NULL);
/* Calculate the header length */
- if (nexthdr == NEXTHDR_FRAGMENT) {
- hdrlen = 8;
- } else if (nexthdr == NEXTHDR_AUTH)
- hdrlen = (hdr->hdrlen+2)<<2;
- else
- hdrlen = ipv6_optlen(hdr);
+ if (nexthdr == NEXTHDR_FRAGMENT) {
+ hdrlen = 8;
+ } else if (nexthdr == NEXTHDR_AUTH)
+ hdrlen = (hp->hdrlen + 2) << 2;
+ else
+ hdrlen = ipv6_optlen(hp);
/* set the flag */
- switch (nexthdr){
- case NEXTHDR_HOP:
- temp |= MASK_HOPOPTS;
- break;
- case NEXTHDR_ROUTING:
- temp |= MASK_ROUTING;
- break;
- case NEXTHDR_FRAGMENT:
- temp |= MASK_FRAGMENT;
- break;
- case NEXTHDR_AUTH:
- temp |= MASK_AH;
- break;
- case NEXTHDR_DEST:
- temp |= MASK_DSTOPTS;
- break;
- default:
- return 0;
- break;
+ switch (nexthdr) {
+ case NEXTHDR_HOP:
+ temp |= MASK_HOPOPTS;
+ break;
+ case NEXTHDR_ROUTING:
+ temp |= MASK_ROUTING;
+ break;
+ case NEXTHDR_FRAGMENT:
+ temp |= MASK_FRAGMENT;
+ break;
+ case NEXTHDR_AUTH:
+ temp |= MASK_AH;
+ break;
+ case NEXTHDR_DEST:
+ temp |= MASK_DSTOPTS;
+ break;
+ default:
+ return 0;
+ break;
}
- nexthdr = hdr->nexthdr;
- len -= hdrlen;
- ptr += hdrlen;
+ nexthdr = hp->nexthdr;
+ len -= hdrlen;
+ ptr += hdrlen;
if (ptr > skb->len)
break;
- }
+ }
- if ( (nexthdr != NEXTHDR_NONE ) && (nexthdr != NEXTHDR_ESP) )
+ if ((nexthdr != NEXTHDR_NONE) && (nexthdr != NEXTHDR_ESP))
temp |= MASK_PROTO;
if (info->modeflag)
- return (!( (temp & info->matchflags)
- ^ info->matchflags) ^ info->invflags);
- else
- return (!( temp ^ info->matchflags) ^ info->invflags);
+ return !((temp ^ info->matchflags ^ info->invflags)
+ & info->matchflags);
+ else {
+ if (info->invflags)
+ return temp != info->matchflags;
+ else
+ return temp == info->matchflags;
+ }
}
static int
ipv6header_checkentry(const char *tablename,
- const struct ip6t_ip6 *ip,
+ const void *ip,
+ const struct xt_match *match,
void *matchinfo,
- unsigned int matchsize,
unsigned int hook_mask)
{
- /* Check for obvious errors */
- /* This match is valid in all hooks! */
- if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)))
+ const struct ip6t_ipv6header_info *info = matchinfo;
+
+ /* invflags is 0 or 0xff in hard mode */
+ if ((!info->modeflag) && info->invflags != 0x00 &&
+ info->invflags != 0xFF)
return 0;
return 1;
static struct ip6t_match ip6t_ipv6header_match = {
.name = "ipv6header",
.match = &ipv6header_match,
+ .matchsize = sizeof(struct ip6t_ipv6header_info),
.checkentry = &ipv6header_checkentry,
.destroy = NULL,
.me = THIS_MODULE,
};
-static int __init ipv6header_init(void)
+static int __init ipv6header_init(void)
{
return ip6t_register_match(&ip6t_ipv6header_match);
}
module_init(ipv6header_init);
module_exit(ipv6header_exit);
-