Root/target/linux/generic-2.4/patches/620-netfilter_iprange.patch

1--- a/Documentation/Configure.help
2+++ b/Documentation/Configure.help
3@@ -2986,6 +2986,14 @@ CONFIG_IP_NF_MATCH_TOS
4   If you want to compile it as a module, say M here and read
5   <file:Documentation/modules.txt>. If unsure, say `N'.
6 
7+iprange match support
8+CONFIG_IP_NF_MATCH_IPRANGE
9+ This option makes possible to match IP addresses against
10+ IP address ranges.
11+
12+ If you want to compile it as a module, say M here and read
13+ <file:Documentation/modules.txt>. If unsure, say `N'.
14+
15 Condition variable match support
16 CONFIG_IP_NF_MATCH_CONDITION
17   This option allows you to match firewall rules against condition
18--- /dev/null
19+++ b/include/linux/netfilter_ipv4/ipt_iprange.h
20@@ -0,0 +1,23 @@
21+#ifndef _IPT_IPRANGE_H
22+#define _IPT_IPRANGE_H
23+
24+#define IPRANGE_SRC 0x01 /* Match source IP address */
25+#define IPRANGE_DST 0x02 /* Match destination IP address */
26+#define IPRANGE_SRC_INV 0x10 /* Negate the condition */
27+#define IPRANGE_DST_INV 0x20 /* Negate the condition */
28+
29+struct ipt_iprange {
30+ /* Inclusive: network order. */
31+ u_int32_t min_ip, max_ip;
32+};
33+
34+struct ipt_iprange_info
35+{
36+ struct ipt_iprange src;
37+ struct ipt_iprange dst;
38+
39+ /* Flags from above */
40+ u_int8_t flags;
41+};
42+
43+#endif /* _IPT_IPRANGE_H */
44--- a/net/ipv4/netfilter/Config.in
45+++ b/net/ipv4/netfilter/Config.in
46@@ -25,6 +25,7 @@ tristate 'IP tables support (required fo
47 if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
48 # The simple matches.
49   dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES
50+ dep_tristate ' IP range match support' CONFIG_IP_NF_MATCH_IPRANGE $CONFIG_IP_NF_IPTABLES
51   dep_tristate ' quota match support' CONFIG_IP_NF_MATCH_QUOTA $CONFIG_IP_NF_IPTABLES
52   dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
53   dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE $CONFIG_IP_NF_IPTABLES
54--- /dev/null
55+++ b/net/ipv4/netfilter/ipt_iprange.c
56@@ -0,0 +1,101 @@
57+/*
58+ * iptables module to match IP address ranges
59+ * (c) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
60+ *
61+ * Released under the terms of GNU GPLv2.
62+ *
63+ */
64+#include <linux/module.h>
65+#include <linux/skbuff.h>
66+#include <linux/ip.h>
67+#include <linux/netfilter_ipv4/ip_tables.h>
68+#include <linux/netfilter_ipv4/ipt_iprange.h>
69+
70+MODULE_LICENSE("GPL");
71+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
72+MODULE_DESCRIPTION("iptables arbitrary IP range match module");
73+
74+#if 0
75+#define DEBUGP printk
76+#else
77+#define DEBUGP(format, args...)
78+#endif
79+
80+static int
81+match(const struct sk_buff *skb,
82+ const struct net_device *in,
83+ const struct net_device *out,
84+ const void *matchinfo,
85+ int offset,
86+ const void *hdr,
87+ u_int16_t datalen,
88+ int *hotdrop)
89+{
90+ const struct ipt_iprange_info *info = matchinfo;
91+ const struct iphdr *iph = skb->nh.iph;
92+
93+
94+ if (info->flags & IPRANGE_SRC) {
95+ if (((ntohl(iph->saddr) < ntohl(info->src.min_ip))
96+ || (ntohl(iph->saddr) > ntohl(info->src.max_ip)))
97+ ^ !!(info->flags & IPRANGE_SRC_INV)) {
98+ DEBUGP("src IP %u.%u.%u.%u NOT in range %s"
99+ "%u.%u.%u.%u-%u.%u.%u.%u\n",
100+ NIPQUAD(iph->saddr),
101+ info->flags & IPRANGE_SRC_INV ? "(INV) " : "",
102+ NIPQUAD(info->src.min_ip),
103+ NIPQUAD(info->src.max_ip));
104+ return 0;
105+ }
106+ }
107+ if (info->flags & IPRANGE_DST) {
108+ if (((ntohl(iph->daddr) < ntohl(info->dst.min_ip))
109+ || (ntohl(iph->daddr) > ntohl(info->dst.max_ip)))
110+ ^ !!(info->flags & IPRANGE_DST_INV)) {
111+ DEBUGP("dst IP %u.%u.%u.%u NOT in range %s"
112+ "%u.%u.%u.%u-%u.%u.%u.%u\n",
113+ NIPQUAD(iph->daddr),
114+ info->flags & IPRANGE_DST_INV ? "(INV) " : "",
115+ NIPQUAD(info->dst.min_ip),
116+ NIPQUAD(info->dst.max_ip));
117+ return 0;
118+ }
119+ }
120+ return 1;
121+}
122+
123+static int check(const char *tablename,
124+ const struct ipt_ip *ip,
125+ void *matchinfo,
126+ unsigned int matchsize,
127+ unsigned int hook_mask)
128+{
129+ /* verify size */
130+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_iprange_info)))
131+ return 0;
132+
133+ return 1;
134+}
135+
136+static struct ipt_match iprange_match =
137+{
138+ .list = { NULL, NULL },
139+ .name = "iprange",
140+ .match = &match,
141+ .checkentry = &check,
142+ .destroy = NULL,
143+ .me = THIS_MODULE
144+};
145+
146+static int __init init(void)
147+{
148+ return ipt_register_match(&iprange_match);
149+}
150+
151+static void __exit fini(void)
152+{
153+ ipt_unregister_match(&iprange_match);
154+}
155+
156+module_init(init);
157+module_exit(fini);
158--- a/net/ipv4/netfilter/Makefile
159+++ b/net/ipv4/netfilter/Makefile
160@@ -81,6 +81,7 @@ obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
161 # matches
162 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
163 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
164+obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
165 obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
166 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
167 obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
168

Archive Download this file

Branches:
backfire
history
master
release_2010-11-17
release_2010-12-14
release_2011-02-23
release_2011-05-28
release_2011-08-27
release_2011-11-13
release_2012-03-18
release_2012-04-09
release_2012-10-11
uclibc_nptl



interactive