From patchwork Wed Apr 3 14:27:30 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: holger@eitzenberger.org X-Patchwork-Id: 233497 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 216292C009D for ; Thu, 4 Apr 2013 01:43:07 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1760462Ab3DCOmv (ORCPT ); Wed, 3 Apr 2013 10:42:51 -0400 Received: from moutng.kundenserver.de ([212.227.126.187]:65169 "EHLO moutng.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1760325Ab3DCOmt (ORCPT ); Wed, 3 Apr 2013 10:42:49 -0400 Received: from kruemel.eitzenberger.org (p54AD049C.dip0.t-ipconnect.de [84.173.4.156]) by mrelayeu.kundenserver.de (node=mreu0) with ESMTP (Nemesis) id 0MUjgO-1U6uD4312K-00YDQS; Wed, 03 Apr 2013 16:42:47 +0200 Received: from holger by kruemel.eitzenberger.org with local (Exim 4.76) (envelope-from ) id 1UNOth-000089-K8; Wed, 03 Apr 2013 16:42:45 +0200 Message-Id: <20130403144245.298678947@eitzenberger.org> User-Agent: quilt/0.50-1 Date: Wed, 03 Apr 2013 16:27:30 +0200 
From: holger@eitzenberger.org To: netfilter-devel@vger.kernel.org Cc: kaber@trash.net, pablo@netfilter.org Subject: [PATCH RFC 1/2] icmp6: match on errors and informational types References: <20130403142729.484857089@eitzenberger.org> Content-Disposition: inline; filename=iptables/iptables-icmp6-match-errors-and-info.diff X-Provags-ID: V02:K0:uVU/GlDFIH9OMeQ1CO6v85W1CLFzfrdg2AbSqsHCthA sYr8bJ2kxVYYQVH8U8VJ5CdBZTCtOYYKD/nYRcm4pD49oa+oA2 WphNqXqqtrIMa6FzlTsQ7BOPENqAxdI+1ILAClvarO8T9UPUPi evGgZVATUnBKwAORyPnese0eikvkCAjo4YxQTzx/cgqifLUT3E GduV3Yu+V6B5lej8ivc221WI4YIepxcqRlo7IkOuL5c1Vhp4FV X4VOMwNhRhgUERlBT7+zbG5Q6xYio0Ffu9Ewji4t0A4nlLLnPG pnxCdehSj1Ank3p/Zv8m3qlUspYB9n4P4eSA4ghBah/2mnBbfv 8OlQ7M7LGeGnD7mUxVHow+tWGaQrkg2JsL74QI+w4MEg1AE2Qb UyVG3QB52tMnQ== Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Signed-off-by: Holger Eitzenberger --- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Index: iptables/extensions/libip6t_icmp6.c =================================================================== --- iptables.orig/extensions/libip6t_icmp6.c 2013-04-03 14:35:43.000000000 +0200 +++ iptables/extensions/libip6t_icmp6.c 2013-04-03 14:55:47.000000000 +0200 @@ -7,8 +7,17 @@ enum { O_ICMPV6_TYPE = 0, + O_ICMPV6_ERROR, + O_ICMPV6_INFO, }; +enum { + F_ICMPV6_TYPE = 1 << O_ICMPV6_TYPE, + F_ICMPV6_ERROR = 1 << O_ICMPV6_ERROR, + F_ICMPV6_INFO = 1 << O_ICMPV6_INFO, +}; +#define F_ICMPV6_ALL (F_ICMPV6_TYPE | F_ICMPV6_ERROR | F_ICMPV6_INFO) + struct icmpv6_names { const char *name; uint8_t type; 
@@ -80,13 +89,19 @@ printf( "icmpv6 match options:\n" "[!] --icmpv6-type typename match icmpv6 type\n" -" (or numeric type or type/code)\n"); +" (or numeric type or type/code)\n\n" +" --icmpv6-error match any icmpv6 error type\n" +" --icmpv6-info match any icmpv6 informational type\n"); print_icmpv6types(); } static const struct xt_option_entry icmp6_opts[] = { {.name = "icmpv6-type", .id = O_ICMPV6_TYPE, .type = XTTYPE_STRING, - .flags = XTOPT_MAND | XTOPT_INVERT}, + .flags = XTOPT_INVERT, .excl = F_ICMPV6_ALL}, + {.name = "icmpv6-error", .id = O_ICMPV6_ERROR, .type = XTTYPE_NONE, + .excl = F_ICMPV6_ALL}, + {.name = "icmpv6-info", .id = O_ICMPV6_INFO, .type = XTTYPE_NONE, + .excl = F_ICMPV6_ALL}, XTOPT_TABLEEND, }; @@ -155,9 +170,19 @@ struct ip6t_icmp *icmpv6info = cb->data; xtables_option_parse(cb); - parse_icmpv6(cb->arg, &icmpv6info->type, icmpv6info->code); - if (cb->invert) - icmpv6info->invflags |= IP6T_ICMP_INV; + switch (cb->entry->id) { + case O_ICMPV6_TYPE: + parse_icmpv6(cb->arg, &icmpv6info->type, icmpv6info->code); + if (cb->invert) + icmpv6info->flags |= IP6T_ICMP_INV; + break; + case O_ICMPV6_ERROR: + icmpv6info->flags |= IP6T_ICMP_ERROR; + break; + case O_ICMPV6_INFO: + icmpv6info->flags |= IP6T_ICMP_INFO; + break; + } } static void print_icmpv6type(uint8_t type, 
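Review bot: Dropping `XTOPT_MAND` from `--icmpv6-type` in the icmp6_opts table removes the only check that the match was given any option at all, and nothing in the hunk replaces it, so `-m icmp6` with no option is now accepted and loads a struct ip6t_icmp whose type/code are whatever the init callback left (previously libxtables failed with "--icmpv6-type must be specified"). That silently produces a rule matching a single ICMPv6 type the user never asked for, which is the wrong failure mode for a firewall rule. Add a final check that requires one of the three xflags and register it as `.x6_fcheck = icmp6_check` in icmp6_mt6_reg (the registration struct is outside this hunk). The `.excl = F_ICMPV6_ALL` masks are fine — including an option's own bit is the libxtables idiom for "use once", so each of the three is both single-use and mutually exclusive with the other two.
```c
/* … unchanged: icmp6_help, icmp6_opts … */
static void icmp6_check(struct xt_fcheck_call *cb)
{
	/* XTOPT_MAND was dropped from --icmpv6-type; require exactly one selector. */
	if (!(cb->xflags & F_ICMPV6_ALL))
		xtables_error(PARAMETER_PROBLEM,
			"icmp6: one of --icmpv6-type, --icmpv6-error or "
			"--icmpv6-info must be specified");
}
```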
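Review bot: The new `switch (cb->entry->id)` in the parse callback has no `default:` arm, so an id outside the three enumerators is silently ignored rather than reported; libxtables only dispatches ids from icmp6_opts, but a future table entry without a matching case would then be a no-op match modifier. Add `default: xtables_error(PARAMETER_PROBLEM, "icmp6: unexpected option id %u", cb->entry->id);` or at minimum a `default: break; /* ids come from icmp6_opts only */` so the omission is visibly deliberate. Note also that `cb->invert` is consulted only for `O_ICMPV6_TYPE`, which is consistent with the options table giving `XTOPT_INVERT` to that entry alone. The enclosing parse function starts before this hunk.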
@@ -198,25 +223,35 @@ const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data; printf(" ipv6-icmp"); - print_icmpv6type(icmpv6->type, icmpv6->code[0], icmpv6->code[1], - icmpv6->invflags & IP6T_ICMP_INV, - numeric); - - if (icmpv6->invflags & ~IP6T_ICMP_INV) - printf(" Unknown invflags: 0x%X", - icmpv6->invflags & ~IP6T_ICMP_INV); + if (icmpv6->flags & IP6T_ICMP_ERROR) + printf(" icmp6-error"); + else if (icmpv6->flags & IP6T_ICMP_INFO) + printf(" icmp6-info"); + else + print_icmpv6type(icmpv6->type, icmpv6->code[0], icmpv6->code[1], + icmpv6->flags & IP6T_ICMP_INV, + numeric); + + if (icmpv6->flags & ~IP6T_ICMP_MASK) + printf(" Unknown flags: 0x%X", icmpv6->flags & ~IP6T_ICMP_INV); } static void icmp6_save(const void *ip, const struct xt_entry_match *match) { const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data; - if (icmpv6->invflags & IP6T_ICMP_INV) + if (icmpv6->flags & IP6T_ICMP_INV) printf(" !"); - printf(" --icmpv6-type %u", icmpv6->type); - if (icmpv6->code[0] != 0 || icmpv6->code[1] != 0xFF) - printf("/%u", icmpv6->code[0]); + if (icmpv6->flags & IP6T_ICMP_ERROR) + printf(" --icmpv6-error"); + else if (icmpv6->flags & IP6T_ICMP_INFO) + printf(" --icmpv6-info"); + else { + printf(" --icmpv6-type %u", icmpv6->type); + if (icmpv6->code[0] != 0 || icmpv6->code[1] != 0xFF) + printf("/%u", icmpv6->code[0]); + } } static struct xtables_match icmp6_mt6_reg = { Index: iptables/include/linux/netfilter_ipv6/ip6_tables.h =================================================================== --- iptables.orig/include/linux/netfilter_ipv6/ip6_tables.h 2013-04-03 14:36:02.000000000 +0200 +++ iptables/include/linux/netfilter_ipv6/ip6_tables.h 2013-04-03 14:36:31.000000000 +0200 
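Review bot: The "Unknown flags" line in icmp6_print tests `icmpv6->flags & ~IP6T_ICMP_MASK` but prints `icmpv6->flags & ~IP6T_ICMP_INV`, so whenever an undefined bit is set the output also reports the valid `IP6T_ICMP_ERROR`/`IP6T_ICMP_INFO` bits as unknown; the two masks should agree: `printf(" Unknown flags: 0x%X", icmpv6->flags & ~IP6T_ICMP_MASK);`. Separately, icmp6_print and icmp6_save now disagree on inversion: save emits `!` before `--icmpv6-error`/`--icmpv6-info` when `IP6T_ICMP_INV` is set, but print shows no negation for those branches, and the options table does not accept `!` on them, so a rule carrying INV together with ERROR/INFO (not creatable from this CLI, but representable in the kernel struct) is printed as positive and saved in a form that will not reload. Either print `!` in those branches as well or mask INV out when ERROR/INFO is set, so the two views stay consistent.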
@@ -180,11 +180,14 @@ struct ip6t_icmp { u_int8_t type; /* type to match */ u_int8_t code[2]; /* range of code */ - u_int8_t invflags; /* Inverse flags */ + u_int8_t flags; }; -/* Values for "inv" field for struct ipt_icmp. */ +/* Values for "flags" of struct ipt_icmp. */ #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ +#define IP6T_ICMP_ERROR 0x02 /* Match any error type */ +#define IP6T_ICMP_INFO 0x04 /* Match any informational type */ +#define IP6T_ICMP_MASK 0x07 /* The argument to IP6T_SO_GET_INFO */ struct ip6t_getinfo { Index: iptables/extensions/libip6t_icmp6.man =================================================================== --- iptables.orig/extensions/libip6t_icmp6.man 2012-05-24 13:36:24.000000000 +0200 +++ iptables/extensions/libip6t_icmp6.man 2013-04-03 15:05:26.000000000 +0200 @@ -1,5 +1,5 @@ This extension can be used if `\-\-protocol ipv6\-icmp' or `\-\-protocol icmpv6' is -specified. It provides the following option: +specified. It provides the following options: .TP [\fB!\fP] \fB\-\-icmpv6\-type\fP \fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP This allows specification of the ICMPv6 type, which can be a numeric @@ -12,3 +12,9 @@ .nf ip6tables \-p ipv6\-icmp \-h .fi +.TP +\fB\-\-icmpv6\-error\fP +Match ICMPv6 error types (< 128). +.TP +\fB\-\-icmpv6\-info\fP +Match ICMPv6 informational types (>= 128).
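Review bot: Renaming the `invflags` member of struct ip6t_icmp to `flags` in include/linux/netfilter_ipv6/ip6_tables.h changes the name of a field in a kernel UAPI struct; the layout is unchanged (still one u_int8_t), but any other userspace built against the kernel's copy of this header will stop compiling, and the iptables copy must now match a kernel header change that is not part of this patch. Keeping the name `invflags` and adding the new bits to it (the old comment already described it as the "inv" field) avoids the source break, or provide a transitional `#define invflags flags` style alias if the rename is wanted. The replacement comment also keeps the original's wrong struct name: `/* Values for "flags" of struct ip6t_icmp. */`. Note that on a kernel without the matching change the old "Unknown invflags" handling suggests bits outside IP6T_ICMP_INV are rejected at checkentry, so the new options would fail insertion rather than silently match — worth stating in the man page entries added below.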