1 /* Shared library add-on to ip6tables to add ESP support. */
9 #include <linux/netfilter_ipv6/ip6t_esp.h>
11 /* Function which prints out usage message. */
17 " --espspi [!] spi[:spi] match spi (range)\n",
/* Long-option table: --espspi takes a required argument (has_arg = 1)
 * and is identified by val '1'. */
21 static struct option opts[] = {
22 { .name = "espspi", .has_arg = 1, .flag = 0, .val = '1' },
/*
 * Convert one SPI string to a 32-bit value.
 *
 * strtoul() is called with base 0, so decimal, 0x-prefixed hex and
 * 0-prefixed octal input are all accepted.  Each failure path calls
 * exit_error(PARAMETER_PROBLEM, ...).
 *
 * NOTE(review): the only range check visible here is the ULONG_MAX/ERANGE
 * test.  Where unsigned long is wider than 32 bits, a value above
 * 0xFFFFFFFF passes that test and is silently truncated by the
 * (u_int32_t) cast on return, so the rule would match a different SPI
 * than the one typed.  An explicit `spi > 0xFFFFFFFF` rejection would
 * close that gap.
 */
27 parse_esp_spi(const char *spistr)
29 unsigned long int spi;
/* NOTE(review): the ERANGE test below is only reliable if errno is cleared
 * before this call; the listing does not show that - confirm. */
32 spi = strtoul(spistr, &ep, 0);
35 exit_error(PARAMETER_PROBLEM,
36 "ESP no valid digits in spi `%s'", spistr);
/* Catches overflow of unsigned long only, not of the 32-bit SPI field. */
38 if ( spi == ULONG_MAX && errno == ERANGE ) {
39 exit_error(PARAMETER_PROBLEM,
40 "spi `%s' specified too big: would overflow", spistr);
/* Reject input that still has characters left after the number. */
42 if ( *spistr != '\0' && *ep != '\0' ) {
43 exit_error(PARAMETER_PROBLEM,
44 "ESP error parsing spi `%s'", spistr);
/* Narrowing cast from unsigned long; see the truncation note above. */
46 return (u_int32_t) spi;
/*
 * Parse "spi" or "min:max" into spis[0] (lower bound) and spis[1]
 * (upper bound).  Without a ':' both bounds get the same value; with one,
 * an empty left side defaults to 0 and an empty right side to 0xFFFFFFFF.
 *
 * NOTE(review): no check that spis[0] <= spis[1] is visible in this
 * listing - confirm whether a reversed range is rejected elsewhere.
 */
50 parse_esp_spis(const char *spistring, u_int32_t *spis)
/* NOTE(review): strdup() returns NULL on allocation failure, and buffer
 * is handed to strchr() on the next line without a check. */
55 buffer = strdup(spistring);
56 if ((cp = strchr(buffer, ':')) == NULL)
57 spis[0] = spis[1] = parse_esp_spi(buffer);
/* presumably the ':' is overwritten with NUL and cp moved past it on
 * lines not shown here, so buffer and cp are separate strings - verify */
62 spis[0] = buffer[0] ? parse_esp_spi(buffer) : 0;
63 spis[1] = cp[0] ? parse_esp_spi(cp) : 0xFFFFFFFF;
68 /* Initialize the match. */
/* Sets the match defaults: the data area of m is treated as a
 * struct ip6t_esp and its upper SPI bound is set to 0xFFFFFFFF.
 * presumably spis[0] stays 0 so the default range covers every SPI;
 * the line(s) establishing that are not shown - verify. */
70 init(struct ip6t_entry_match *m, unsigned int *nfcache)
72 struct ip6t_esp *espinfo = (struct ip6t_esp *)m->data;
74 espinfo->spis[1] = 0xFFFFFFFF;
79 /* Function which parses command options; returns true if it
// Option callback for --espspi: reports an error on a repeated option,
// calls check_inverse(), then parses the SPI or SPI range from
// argv[optind-1] directly into the match data.
82 parse(int c, char **argv, int invert, unsigned int *flags,
83 const struct ip6t_entry *entry,
84 unsigned int *nfcache,
85 struct ip6t_entry_match **match)
87 struct ip6t_esp *espinfo = (struct ip6t_esp *)(*match)->data;
// Duplicate-option error; the condition guarding it is on a line not shown.
92 exit_error(PARAMETER_PROBLEM,
93 "Only one `--espspi' allowed");
// check_inverse() receives &invert and &optind, so it presumably consumes a
// leading "!" and advances optind - verify against its definition.
94 check_inverse(optarg, &invert, &optind, 0);
// The argument is taken from argv[optind-1] rather than optarg, i.e. after
// any optind adjustment made by check_inverse().
95 parse_esp_spis(argv[optind-1], espinfo->spis);
// Records inversion in the match data; presumably guarded by a test of
// invert on the line not shown - verify.
97 espinfo->invflags |= IP6T_ESP_INV_SPI;
107 /* Final check; we don't care. */
109 final_check(unsigned int flags)
/*
 * Print an SPI range for listing output.  Nothing is printed when the
 * range is the full default (0..0xFFFFFFFF) and not inverted.
 * The two printf forms emit "name:[!]min " and "names:[!]min:max ";
 * the test choosing between them is on a line not shown (presumably
 * min == max - verify).
 */
114 print_spis(const char *name, u_int32_t min, u_int32_t max,
117 const char *inv = invert ? "!" : "";
/* An inverted rule is always printed, even with the default range. */
119 if (min != 0 || max != 0xFFFFFFFF || invert) {
121 printf("%s:%s%u ", name, inv, min);
123 printf("%ss:%s%u:%u ", name, inv, min, max);
127 /* Prints out the union ip6t_matchinfo. */
/* Listing callback: prints the SPI range through print_spis() and reports
 * any invflags bits that fall outside IP6T_ESP_INV_MASK. */
129 print(const struct ip6t_ip6 *ip,
130 const struct ip6t_entry_match *match, int numeric)
/* The cast drops the const qualifier of match->data before the result is
 * assigned to a pointer-to-const; (const struct ip6t_esp *) would keep it. */
132 const struct ip6t_esp *esp = (struct ip6t_esp *)match->data;
135 print_spis("spi", esp->spis[0], esp->spis[1],
136 esp->invflags & IP6T_ESP_INV_SPI);
/* Unknown flag bits are printed in hex instead of being ignored, so an
 * unexpected match structure shows up in the listing. */
137 if (esp->invflags & ~IP6T_ESP_INV_MASK)
138 printf("Unknown invflags: 0x%X ",
139 esp->invflags & ~IP6T_ESP_INV_MASK);
142 /* Saves the union ip6t_matchinfo in parsable form to stdout. */
/*
 * Emit the match in the option syntax accepted on the command line.
 * "--espspi" is written only when the range differs from the default
 * 0..0xFFFFFFFF, followed by "! " when IP6T_ESP_INV_SPI is set.
 *
 * NOTE(review): unlike print_spis(), this condition does not look at the
 * invert flag, so an inverted full-range rule would be saved without its
 * --espspi option and come back on restore with no SPI restriction -
 * confirm against the lines not shown.
 */
143 static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
145 const struct ip6t_esp *espinfo = (struct ip6t_esp *)match->data;
147 if (!(espinfo->spis[0] == 0
148 && espinfo->spis[1] == 0xFFFFFFFF)) {
149 printf("--espspi %s",
150 (espinfo->invflags & IP6T_ESP_INV_SPI) ? "! " : "");
/* Match descriptor for this extension.  .size and .userspacesize are both
 * set to the IP6T_ALIGN'ed size of struct ip6t_esp; the remaining
 * callbacks are assigned on lines not shown. */
164 struct ip6tables_match esp = {
166 .version = IPTABLES_VERSION,
167 .size = IP6T_ALIGN(sizeof(struct ip6t_esp)),
168 .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_esp)),
172 .final_check = &final_check,
181 register_match6(&esp);