X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=net%2Fipv4%2Fnetfilter%2Fipt_esp.c;fp=net%2Fnetfilter%2Fxt_esp.c;h=9de191a8162da78e3177a5e0b356d128a39363b2;hb=987b0145d94eecf292d8b301228356f44611ab7c;hp=9dad6281e0c1084f606a53b7fd0866cb70bc2cc0;hpb=f7ed79d23a47594e7834d66a8f14449796d4f3e6;p=linux-2.6.git diff --git a/net/netfilter/xt_esp.c b/net/ipv4/netfilter/ipt_esp.c similarity index 50% rename from net/netfilter/xt_esp.c rename to net/ipv4/netfilter/ipt_esp.c index 9dad6281e..9de191a81 100644 --- a/net/netfilter/xt_esp.c +++ b/net/ipv4/netfilter/ipt_esp.c @@ -9,22 +9,16 @@ #include #include -#include #include -#include -#include - +#include #include -#include MODULE_LICENSE("GPL"); MODULE_AUTHOR("Yon Uriarte "); -MODULE_DESCRIPTION("x_tables ESP SPI match module"); -MODULE_ALIAS("ipt_esp"); -MODULE_ALIAS("ip6t_esp"); +MODULE_DESCRIPTION("iptables ESP SPI match module"); -#if 0 +#ifdef DEBUG_CONNTRACK #define duprintf(format, args...) printk(format , ## args) #else #define duprintf(format, args...) @@ -34,11 +28,11 @@ MODULE_ALIAS("ip6t_esp"); static inline int spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert) { - int r = 0; - duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ', - min, spi, max); - r = (spi >= min && spi <= max) ^ invert; - duprintf(" result %s\n", r ? "PASS" : "FAILED"); + int r=0; + duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ', + min,spi,max); + r=(spi >= min && spi <= max) ^ invert; + duprintf(" result %s\n",r? "PASS" : "FAILED"); return r; } 
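Review bot: The new debug guard `#ifdef DEBUG_CONNTRACK` in the first hunk is named after connection tracking, which nothing visible in this file uses, so defining that symbol for conntrack work would also turn on the per-packet `duprintf` calls in spi_match(). A guard local to this module would be clearer, for example `#ifdef DEBUG_IPT_ESP` (the name is only a suggestion). The enabled form `printk(format , ## args)` passes no log level and is not rate-limited, so with debugging on, every ESP packet that reaches the rule writes packet-derived values to the kernel log; `printk(KERN_DEBUG format , ## args)` would at least keep it off the console. The second hunk on this line changes only whitespace in spi_match() and needs no comment.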
@@ -46,20 +40,20 @@ static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, - const struct xt_match *match, const void *matchinfo, int offset, unsigned int protoff, int *hotdrop) { struct ip_esp_hdr _esp, *eh; - const struct xt_esp *espinfo = matchinfo; + const struct ipt_esp *espinfo = matchinfo; /* Must not be a fragment. */ if (offset) return 0; - eh = skb_header_pointer(skb, protoff, sizeof(_esp), &_esp); + eh = skb_header_pointer(skb, protoff, + sizeof(_esp), &_esp); if (eh == NULL) { /* We've been asked to examine this packet, and we * can't. Hence, no choice but to drop. 
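Review bot: The early `if (offset) return 0;` in match() means a non-first fragment never matches this rule, even when the SPI test is inverted, and the existing comment `/* Must not be a fragment. */` does not say what that implies for a ruleset. I would expand it to something like `/* Non-first fragments do not contain the ESP header, so they never match; fragments must be filtered by another rule or reassembled before this match is useful. */`. The body of match() continues past the end of this hunk, so the handling of a truncated header after `eh == NULL` is only partly visible here.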
@@ -69,68 +63,58 @@ match(const struct sk_buff *skb, return 0; } - return spi_match(espinfo->spis[0], espinfo->spis[1], ntohl(eh->spi), - !!(espinfo->invflags & XT_ESP_INV_SPI)); + return spi_match(espinfo->spis[0], espinfo->spis[1], + ntohl(eh->spi), + !!(espinfo->invflags & IPT_ESP_INV_SPI)); } /* Called when user tries to insert an entry of this type. */ static int checkentry(const char *tablename, const void *ip_void, - const struct xt_match *match, void *matchinfo, unsigned int matchinfosize, unsigned int hook_mask) { - const struct xt_esp *espinfo = matchinfo; + const struct ipt_esp *espinfo = matchinfo; + const struct ipt_ip *ip = ip_void; - if (espinfo->invflags & ~XT_ESP_INV_MASK) { - duprintf("xt_esp: unknown flags %X\n", espinfo->invflags); + /* Must specify proto == ESP, and no unknown invflags */ + if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) { + duprintf("ipt_esp: Protocol %u != %u\n", ip->proto, + IPPROTO_ESP); + return 0; + } + if (matchinfosize != IPT_ALIGN(sizeof(struct ipt_esp))) { + duprintf("ipt_esp: matchsize %u != %u\n", + matchinfosize, IPT_ALIGN(sizeof(struct ipt_esp))); + return 0; + } + if (espinfo->invflags & ~IPT_ESP_INV_MASK) { + duprintf("ipt_esp: unknown flags %X\n", + espinfo->invflags); return 0; } return 1; } -static struct xt_match esp_match = { +static struct ipt_match esp_match = { .name = "esp", - .family = AF_INET, - .proto = IPPROTO_ESP, .match = &match, - .matchsize = sizeof(struct xt_esp), .checkentry = &checkentry, .me = THIS_MODULE, }; -static struct xt_match esp6_match = { - .name = "esp", - .family = AF_INET6, - .proto = IPPROTO_ESP, - .match = &match, - .matchsize = sizeof(struct xt_esp), - .checkentry = &checkentry, - .me = THIS_MODULE, -}; - -static int __init xt_esp_init(void) +static int __init init(void) { - int ret; - ret = xt_register_match(&esp_match); - if (ret) - return ret; - - ret = xt_register_match(&esp6_match); - if (ret) - xt_unregister_match(&esp_match); - - return ret; + return 
ipt_register_match(&esp_match); } -static void __exit xt_esp_cleanup(void) +static void __exit cleanup(void) { - xt_unregister_match(&esp_match); - xt_unregister_match(&esp6_match); + ipt_unregister_match(&esp_match); } -module_init(xt_esp_init); -module_exit(xt_esp_cleanup); +module_init(init); +module_exit(cleanup);
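Review bot: checkentry() now validates the protocol, the match size and the inversion flags, but it never checks that the SPI range is ordered, so a rule with `spis[0] > spis[1]` is accepted and can never match (or always matches when inverted). Unless userspace is trusted to enforce this, adding `if (espinfo->spis[0] > espinfo->spis[1]) return 0;` before `return 1;` would reject such a rule at insertion time. Separately, `duprintf("ipt_esp: matchsize %u != %u\n", ...)` prints `IPT_ALIGN(sizeof(struct ipt_esp))` with `%u`; that expression presumably has type size_t, which mismatches the format on 64-bit builds when debugging is enabled, so a cast to `unsigned int` would be safer. The bare names `init` and `cleanup` are also hard to tell apart from other modules in symbol listings and traces; names prefixed with the module name would read better.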