xtables: move icmp/icmpv6 logic to xt_tcpudp

#include <linux/vmalloc.h>

#include <linux/netdevice.h>

#include <linux/module.h>

#include <linux/icmp.h>

#include <net/ip.h>

#include <net/compat.h>

#include <linux/uaccess.h>

MODULE_LICENSE("GPL");

MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");

MODULE_DESCRIPTION("IPv4 packet filter");

MODULE_ALIAS("ipt_icmp");

void *ipt_alloc_initial_table(const struct xt_table *info)

{

		__ipt_unregister_table(net, table);

}

/* Returns 1 if the type and code is matched by the range, 0 otherwise */

static inline bool

icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,

		     u_int8_t type, u_int8_t code,

		     bool invert)

{

	return ((test_type == 0xFF) ||

		(type == test_type && code >= min_code && code <= max_code))

		^ invert;

}

static bool

icmp_match(const struct sk_buff *skb, struct xt_action_param *par)

{

	const struct icmphdr *ic;

	struct icmphdr _icmph;

	const struct ipt_icmp *icmpinfo = par->matchinfo;

	/* Must not be a fragment. */

	if (par->fragoff != 0)

		return false;

	ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);

	if (ic == NULL) {

		/* We've been asked to examine this packet, and we

		 * can't.  Hence, no choice but to drop.

		 */

		par->hotdrop = true;

		return false;

	}

	return icmp_type_code_match(icmpinfo->type,

				    icmpinfo->code[0],

				    icmpinfo->code[1],

				    ic->type, ic->code,

				    !!(icmpinfo->invflags&IPT_ICMP_INV));

}

static int icmp_checkentry(const struct xt_mtchk_param *par)

{

	const struct ipt_icmp *icmpinfo = par->matchinfo;

	/* Must specify no unknown invflags */

	return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;

}

static struct xt_target ipt_builtin_tg[] __read_mostly = {

	{

		.name             = XT_STANDARD_TARGET,

	.owner		= THIS_MODULE,

};

static struct xt_match ipt_builtin_mt[] __read_mostly = {

	{

		.name       = "icmp",

		.match      = icmp_match,

		.matchsize  = sizeof(struct ipt_icmp),

		.checkentry = icmp_checkentry,

		.proto      = IPPROTO_ICMP,

		.family     = NFPROTO_IPV4,

		.me	    = THIS_MODULE,

	},

};

static int __net_init ip_tables_net_init(struct net *net)

{

	return xt_proto_init(net, NFPROTO_IPV4);

	ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));

	if (ret < 0)

		goto err2;

	ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));

	if (ret < 0)

		goto err4;

	/* Register setsockopt */

	ret = nf_register_sockopt(&ipt_sockopts);

	if (ret < 0)

		goto err5;

		goto err4;

	return 0;

err5:

	xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));

err4:

	xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));

err2:

{

	nf_unregister_sockopt(&ipt_sockopts);

	xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));

	xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));

	unregister_pernet_subsys(&ip_tables_net_ops);

}

#include <linux/netdevice.h>

#include <linux/module.h>

#include <linux/poison.h>

#include <linux/icmpv6.h>

#include <net/ipv6.h>

#include <net/compat.h>

#include <linux/uaccess.h>

MODULE_LICENSE("GPL");

MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");

MODULE_DESCRIPTION("IPv6 packet filter");

MODULE_ALIAS("ip6t_icmp6");

void *ip6t_alloc_initial_table(const struct xt_table *info)

{

		__ip6t_unregister_table(net, table);

}

/* Returns 1 if the type and code is matched by the range, 0 otherwise */

static inline bool

icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,

		     u_int8_t type, u_int8_t code,

		     bool invert)

{

	return (type == test_type && code >= min_code && code <= max_code)

		^ invert;

}

static bool

icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)

{

	const struct icmp6hdr *ic;

	struct icmp6hdr _icmph;

	const struct ip6t_icmp *icmpinfo = par->matchinfo;

	/* Must not be a fragment. */

	if (par->fragoff != 0)

		return false;

	ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);

	if (ic == NULL) {

		/* We've been asked to examine this packet, and we

		 * can't.  Hence, no choice but to drop.

		 */

		par->hotdrop = true;

		return false;

	}

	return icmp6_type_code_match(icmpinfo->type,

				     icmpinfo->code[0],

				     icmpinfo->code[1],

				     ic->icmp6_type, ic->icmp6_code,

				     !!(icmpinfo->invflags&IP6T_ICMP_INV));

}

/* Called when user tries to insert an entry of this type. */

static int icmp6_checkentry(const struct xt_mtchk_param *par)

{

	const struct ip6t_icmp *icmpinfo = par->matchinfo;

	/* Must specify no unknown invflags */

	return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;

}

/* The built-in targets: standard (NULL) and error. */

static struct xt_target ip6t_builtin_tg[] __read_mostly = {

	{

	.owner		= THIS_MODULE,

};

static struct xt_match ip6t_builtin_mt[] __read_mostly = {

	{

		.name       = "icmp6",

		.match      = icmp6_match,

		.matchsize  = sizeof(struct ip6t_icmp),

		.checkentry = icmp6_checkentry,

		.proto      = IPPROTO_ICMPV6,

		.family     = NFPROTO_IPV6,

		.me	    = THIS_MODULE,

	},

};

static int __net_init ip6_tables_net_init(struct net *net)

{

	return xt_proto_init(net, NFPROTO_IPV6);

	ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));

	if (ret < 0)

		goto err2;

	ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));

	if (ret < 0)

		goto err4;

	/* Register setsockopt */

	ret = nf_register_sockopt(&ip6t_sockopts);

	if (ret < 0)

		goto err5;

		goto err4;

	return 0;

err5:

	xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));

err4:

	xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));

err2:

{

	nf_unregister_sockopt(&ip6t_sockopts);

	xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));

	xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));

	unregister_pernet_subsys(&ip6_tables_net_ops);

}

#include <linux/module.h>

#include <net/ip.h>

#include <linux/ipv6.h>

#include <linux/icmp.h>

#include <net/ipv6.h>

#include <net/tcp.h>

#include <net/udp.h>

MODULE_ALIAS("ipt_tcp");

MODULE_ALIAS("ip6t_udp");

MODULE_ALIAS("ip6t_tcp");

MODULE_ALIAS("ipt_icmp");

MODULE_ALIAS("ip6t_icmp6");

/* Returns 1 if the port is matched by the range, 0 otherwise */

static inline bool

	return (udpinfo->invflags & ~XT_UDP_INV_MASK) ? -EINVAL : 0;

}

/* Returns 1 if the type and code is matched by the range, 0 otherwise */

static bool type_code_in_range(u8 test_type, u8 min_code, u8 max_code,

			       u8 type, u8 code)

{

	return type == test_type && code >= min_code && code <= max_code;

}

static bool icmp_type_code_match(u8 test_type, u8 min_code, u8 max_code,

				 u8 type, u8 code, bool invert)

{

	return (test_type == 0xFF ||

		type_code_in_range(test_type, min_code, max_code, type, code))

		^ invert;

}

static bool icmp6_type_code_match(u8 test_type, u8 min_code, u8 max_code,

				  u8 type, u8 code, bool invert)

{

	return type_code_in_range(test_type, min_code, max_code, type, code) ^ invert;

}

static bool

icmp_match(const struct sk_buff *skb, struct xt_action_param *par)

{

	const struct icmphdr *ic;

	struct icmphdr _icmph;

	const struct ipt_icmp *icmpinfo = par->matchinfo;

	/* Must not be a fragment. */

	if (par->fragoff != 0)

		return false;

	ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);

	if (!ic) {

		/* We've been asked to examine this packet, and we

		 * can't.  Hence, no choice but to drop.

		 */

		par->hotdrop = true;

		return false;

	}

	return icmp_type_code_match(icmpinfo->type,

				    icmpinfo->code[0],

				    icmpinfo->code[1],

				    ic->type, ic->code,

				    !!(icmpinfo->invflags & IPT_ICMP_INV));

}

static bool

icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)

{

	const struct icmp6hdr *ic;

	struct icmp6hdr _icmph;

	const struct ip6t_icmp *icmpinfo = par->matchinfo;

	/* Must not be a fragment. */

	if (par->fragoff != 0)

		return false;

	ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);

	if (!ic) {

		/* We've been asked to examine this packet, and we

		 * can't.  Hence, no choice but to drop.

		 */

		par->hotdrop = true;

		return false;

	}

	return icmp6_type_code_match(icmpinfo->type,

				     icmpinfo->code[0],

				     icmpinfo->code[1],

				     ic->icmp6_type, ic->icmp6_code,

				     !!(icmpinfo->invflags & IP6T_ICMP_INV));

}

static int icmp_checkentry(const struct xt_mtchk_param *par)

{

	const struct ipt_icmp *icmpinfo = par->matchinfo;

	return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;

}

static int icmp6_checkentry(const struct xt_mtchk_param *par)

{

	const struct ip6t_icmp *icmpinfo = par->matchinfo;

	return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;

}

static struct xt_match tcpudp_mt_reg[] __read_mostly = {

	{

		.name		= "tcp",

		.proto		= IPPROTO_UDPLITE,

		.me		= THIS_MODULE,

	},

	{

		.name       = "icmp",

		.match      = icmp_match,

		.matchsize  = sizeof(struct ipt_icmp),

		.checkentry = icmp_checkentry,

		.proto      = IPPROTO_ICMP,

		.family     = NFPROTO_IPV4,

		.me         = THIS_MODULE,

	},

	{

		.name       = "icmp6",

		.match      = icmp6_match,

		.matchsize  = sizeof(struct ip6t_icmp),

		.checkentry = icmp6_checkentry,

		.proto      = IPPROTO_ICMPV6,

		.family     = NFPROTO_IPV6,

		.me	    = THIS_MODULE,

	},

};

static int __init tcpudp_mt_init(void)