X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=net%2Fipv4%2Fnetfilter%2Fipt_ah.c;h=1798f86bc534ff68c5b80691262c9535c6d7b206;hb=refs%2Fremotes%2Fvserver;hp=1f0d7652f6dc16f1adf14b5e2954c6676b35c61f;hpb=5273a3df6485dc2ad6aa7ddd441b9a21970f003b;p=linux-2.6.git diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c index 1f0d7652f..1798f86bc 100644 --- a/net/ipv4/netfilter/ipt_ah.c +++ b/net/ipv4/netfilter/ipt_ah.c @@ -39,76 +39,71 @@ static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, + const struct xt_match *match, const void *matchinfo, int offset, + unsigned int protoff, int *hotdrop) { - struct ip_auth_hdr ah; + struct ip_auth_hdr _ahdr, *ah; const struct ipt_ah *ahinfo = matchinfo; /* Must not be a fragment. */ if (offset) return 0; - if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &ah, sizeof(ah)) < 0) { + ah = skb_header_pointer(skb, protoff, + sizeof(_ahdr), &_ahdr); + if (ah == NULL) { /* We've been asked to examine this packet, and we - can't. Hence, no choice but to drop. */ + * can't. Hence, no choice but to drop. + */ duprintf("Dropping evil AH tinygram.\n"); *hotdrop = 1; return 0; } return spi_match(ahinfo->spis[0], ahinfo->spis[1], - ntohl(ah.spi), + ntohl(ah->spi), !!(ahinfo->invflags & IPT_AH_INV_SPI)); } /* Called when user tries to insert an entry of this type. */ static int checkentry(const char *tablename, - const struct ipt_ip *ip, + const void *ip_void, + const struct xt_match *match, void *matchinfo, - unsigned int matchinfosize, unsigned int hook_mask) { const struct ipt_ah *ahinfo = matchinfo; - /* Must specify proto == AH, and no unknown invflags */ - if (ip->proto != IPPROTO_AH || (ip->invflags & IPT_INV_PROTO)) { - duprintf("ipt_ah: Protocol %u != %u\n", ip->proto, - IPPROTO_AH); - return 0; - } - if (matchinfosize != IPT_ALIGN(sizeof(struct ipt_ah))) { - duprintf("ipt_ah: matchsize %u != %u\n", - matchinfosize, IPT_ALIGN(sizeof(struct ipt_ah))); - return 0; - } + /* Must specify no unknown invflags */ if (ahinfo->invflags & ~IPT_AH_INV_MASK) { - duprintf("ipt_ah: unknown flags %X\n", - ahinfo->invflags); + duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags); return 0; } - return 1; } static struct ipt_match ah_match = { .name = "ah", - .match = &match, - .checkentry = &checkentry, + .match = match, + .matchsize = sizeof(struct ipt_ah), + .proto = IPPROTO_AH, + .checkentry = checkentry, .me = THIS_MODULE, }; -static int __init init(void) +static int __init ipt_ah_init(void) { return ipt_register_match(&ah_match); } -static void __exit cleanup(void) +static void __exit ipt_ah_fini(void) { ipt_unregister_match(&ah_match); } -module_init(init); -module_exit(cleanup); +module_init(ipt_ah_init); +module_exit(ipt_ah_fini);