Commit 60b0fe37 authored by Anders K. Pedersen's avatar Anders K. Pedersen Committed by Jozsef Kadlecsik

netfilter: ipset: Support package fragments for IPv4 protos without ports

Enable ipset port set types to match IPv4 package fragments for
protocols that doesn't have ports (or the port information isn't
supported by ipset).

For example this allows a hash:ip,port ipset containing the entry
192.168.0.1,gre:0 to match all package fragments for PPTP VPN tunnels
to/from the host. Without this patch only the first package fragment
(with fragment offset 0) was matched, while subsequent fragments wasn't.

This is not possible for IPv6, where the protocol is in the fragmented
part of the package unlike IPv4, where the protocol is in the IP header.

IPPROTO_ICMPV6 is deliberately not included, because it isn't relevant
for IPv4.
Signed-off-by: default avatarAnders K. Pedersen <akp@surftown.com>
Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
parent b8cd9786
...@@ -102,9 +102,25 @@ ip_set_get_ip4_port(const struct sk_buff *skb, bool src, ...@@ -102,9 +102,25 @@ ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
int protocol = iph->protocol; int protocol = iph->protocol;
/* See comments at tcp_match in ip_tables.c */ /* See comments at tcp_match in ip_tables.c */
if (protocol <= 0 || (ntohs(iph->frag_off) & IP_OFFSET)) if (protocol <= 0)
return false; return false;
if (ntohs(iph->frag_off) & IP_OFFSET)
switch (protocol) {
case IPPROTO_TCP:
case IPPROTO_SCTP:
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
case IPPROTO_ICMP:
/* Port info not available for fragment offset > 0 */
return false;
default:
/* Other protocols doesn't have ports,
so we can match fragments */
*proto = protocol;
return true;
}
return get_port(skb, protocol, protooff, src, port, proto); return get_port(skb, protocol, protooff, src, port, proto);
} }
EXPORT_SYMBOL_GPL(ip_set_get_ip4_port); EXPORT_SYMBOL_GPL(ip_set_get_ip4_port);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment