Attachment #3316 for bug #6894

View | Details | Raw Unified | Return to bug 6894
Collapse All | Expand All




{
	u_int8_t type;				/* type to match */
	u_int8_t code[2];			/* range of code */
	u_int8_t flags;				/* Flags */
};

/* Values for "inv" field for struct ipt_icmp. */
#define IPT_ICMP_INV		0x01	/* Invert the sense of type/code test */
#define IPT_ICMP_TYPE_ANY	0x02	/* Match any type */

/* The argument to IPT_SO_GET_INFO */
struct ipt_getinfo




static inline int
icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
		     u_int8_t type, u_int8_t code,
		     u_int8_t flags)
{
	return (((flags & IPT_ICMP_TYPE_ANY) || (type == test_type))
			&& code >= min_code && code <= max_code)
		^ !!(flags&IPT_ICMP_INV);
}

static int

		return 0;
	}

	if(offset) {
		/* fragments can only match wildcard */
		if((icmpinfo->flags & IPT_ICMP_TYPE_ANY) &&
			(icmpinfo->code[0] == 0x00) && (icmpinfo->code[1] == 0xFF))
			return !(icmpinfo->flags&IPT_ICMP_INV);
		else
			return 0;
	}

	return icmp_type_code_match(icmpinfo->type,
					icmpinfo->code[0],
					icmpinfo->code[1],
					icmp->type, icmp->code,
					icmpinfo->flags);
}

/* Called when user tries to insert an entry of this type. */

{
	const struct ipt_icmp *icmpinfo = matchinfo;

	/* Must specify proto == ICMP, and no unknown flags */
	return ip->proto == IPPROTO_ICMP
		&& !(ip->invflags & IPT_INV_PROTO)
		&& matchsize == IPT_ALIGN(sizeof(struct ipt_icmp))
		&& !(icmpinfo->flags & ~(IPT_ICMP_INV|IPT_ICMP_TYPE_ANY));
}

/* The built-in targets: standard (NULL) and error. */

Lines 106-117 Link Here

(-)netfilter/userspace/extensions/libipt_icmp.c (-16 / +35 lines)
106	};	106	};
107		107
108	static unsigned int	108	static unsigned int
109	parse_icmp(const char icmptype, u_int8_t type, u_int8_t code[])	109	parse_icmp(const char icmptype, u_int8_t type, u_int8_t code[], u_int8_t *flags)
110	{	110	{
111	unsigned int limit = sizeof(icmp_codes)/sizeof(struct icmp_names);	111	unsigned int limit = sizeof(icmp_codes)/sizeof(struct icmp_names);
112	unsigned int match = limit;	112	unsigned int match = limit;
113	unsigned int i;	113	unsigned int i;
114		114
		115	*flags &= ~IPT_ICMP_TYPE_ANY;
		116
115	for (i = 0; i < limit; i++) {	117	for (i = 0; i < limit; i++) {
116	if (strncasecmp(icmp_codes[i].name, icmptype, strlen(icmptype))	118	if (strncasecmp(icmp_codes[i].name, icmptype, strlen(icmptype))
117	== 0) {	119	== 0) {
Lines 141-149 Link Here
141	if (slash)	143	if (slash)
142	*slash = '\0';	144	*slash = '\0';
143		145
144	if (string_to_number(buffer, 0, 255, &number) == -1)	146	if(!strncasecmp(buffer, "any", 3)) {
145	exit_error(PARAMETER_PROBLEM,	147	number = 0;
146	"Invalid ICMP type `%s'\n", buffer);	148	*flags \|= IPT_ICMP_TYPE_ANY;
		149	} else {
		150	if (string_to_number(buffer, 0, 255, &number) == -1)
		151	exit_error(PARAMETER_PROBLEM,
		152	"Invalid ICMP type `%s'\n", buffer);
		153	}
147	*type = number;	154	*type = number;
148	if (slash) {	155	if (slash) {
149	if (string_to_number(slash+1, 0, 255, &number) == -1)	156	if (string_to_number(slash+1, 0, 255, &number) == -1)
Lines 168-173 Link Here
168	{	175	{
169	struct ipt_icmp icmpinfo = (struct ipt_icmp )m->data;	176	struct ipt_icmp icmpinfo = (struct ipt_icmp )m->data;
170		177
		178	icmpinfo->flags = IPT_ICMP_TYPE_ANY;
171	icmpinfo->code[1] = 0xFF;	179	icmpinfo->code[1] = 0xFF;
172	}	180	}
173		181
Lines 186-194 Link Here
186	check_inverse(optarg, &invert, &optind, 0);	194	check_inverse(optarg, &invert, &optind, 0);
187	*nfcache \|= parse_icmp(argv[optind-1],	195	*nfcache \|= parse_icmp(argv[optind-1],
188	&icmpinfo->type,	196	&icmpinfo->type,
189	icmpinfo->code);	197	icmpinfo->code,
		198	&icmpinfo->flags);
190	if (invert)	199	if (invert)
191	icmpinfo->invflags \|= IPT_ICMP_INV;	200	icmpinfo->flags \|= IPT_ICMP_INV;
192	break;	201	break;
193		202
194	default:	203	default:
Lines 200-209 Link Here
200		209
201	static void print_icmptype(u_int8_t type,	210	static void print_icmptype(u_int8_t type,
202	u_int8_t code_min, u_int8_t code_max,	211	u_int8_t code_min, u_int8_t code_max,
203	int invert,	212	u_int8_t flags,
204	int numeric)	213	int numeric)
205	{	214	{
206	if (!numeric) {	215	int invert = flags & IPT_ICMP_INV;
		216
		217	if (!numeric && (!flags & IPT_ICMP_TYPE_ANY)) {
207	unsigned int i;	218	unsigned int i;
208		219
209	for (i = 0;	220	for (i = 0;
Lines 226-232 Link Here
226	if (invert)	237	if (invert)
227	printf("!");	238	printf("!");
228		239
229	printf("type %u", type);	240
		241	if(flags & IPT_ICMP_TYPE_ANY)
		242	printf("type any");
		243	else
		244	printf("type %u", type);
		245
230	if (code_min == 0 && code_max == 0xFF)	246	if (code_min == 0 && code_max == 0xFF)
231	printf(" ");	247	printf(" ");
232	else if (code_min == code_max)	248	else if (code_min == code_max)
Lines 245-256 Link Here
245		261
246	printf("icmp ");	262	printf("icmp ");
247	print_icmptype(icmp->type, icmp->code[0], icmp->code[1],	263	print_icmptype(icmp->type, icmp->code[0], icmp->code[1],
248	icmp->invflags & IPT_ICMP_INV,	264	icmp->flags,
249	numeric);	265	numeric);
250		266
251	if (icmp->invflags & ~IPT_ICMP_INV)	267	if (icmp->flags & ~(IPT_ICMP_INV\|IPT_ICMP_TYPE_ANY))
252	printf("Unknown invflags: 0x%X ",	268	printf("Unknown icmp flags: 0x%X ",
253	icmp->invflags & ~IPT_ICMP_INV);	269	icmp->flags & ~(IPT_ICMP_INV\|IPT_ICMP_TYPE_ANY));
254	}	270	}
255		271
256	/* Saves the match in parsable form to stdout. */	272	/* Saves the match in parsable form to stdout. */
Lines 258-267 Link Here
258	{	274	{
259	const struct ipt_icmp icmp = (struct ipt_icmp )match->data;	275	const struct ipt_icmp icmp = (struct ipt_icmp )match->data;
260		276
261	if (icmp->invflags & IPT_ICMP_INV)	277	if (icmp->flags & IPT_ICMP_INV)
262	printf("! ");	278	printf("! ");
263		279
264	printf("--icmp-type %u", icmp->type);	280	if(icmp->flags & IPT_ICMP_TYPE_ANY)
		281	printf("--icmp-type any");
		282	else
		283	printf("--icmp-type %u", icmp->type);
265	if (icmp->code[0] != 0 \|\| icmp->code[1] != 0xFF)	284	if (icmp->code[0] != 0 \|\| icmp->code[1] != 0xFF)
266	printf("/%u", icmp->code[0]);	285	printf("/%u", icmp->code[0]);
267	printf(" ");	286	printf(" ");

Return to bug 6894

Lines 1627-1636 Link Here

(-)linux-2.4.19-mb/net/ipv4/netfilter/ip_tables.c (-9 / +17 lines)
1627	static inline int	1627	static inline int
1628	icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,	1628	icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
1629	u_int8_t type, u_int8_t code,	1629	u_int8_t type, u_int8_t code,
1630	int invert)	1630	u_int8_t flags)
1631	{	1631	{
1632	return (type == test_type && code >= min_code && code <= max_code)	1632	return (((flags & IPT_ICMP_TYPE_ANY) \|\| (type == test_type))
1633	^ invert;	1633	&& code >= min_code && code <= max_code)
		1634	^ !!(flags&IPT_ICMP_INV);
1634	}	1635	}
1635		1636
1636	static int	1637	static int
Lines 1654-1666 Link Here
1654	return 0;	1655	return 0;
1655	}	1656	}
1656		1657
1657	/* Must not be a fragment. */	1658	if(offset) {
1658	return !offset	1659	/* fragments can only match wildcard */
1659	&& icmp_type_code_match(icmpinfo->type,	1660	if((icmpinfo->flags & IPT_ICMP_TYPE_ANY) &&
		1661	(icmpinfo->code[0] == 0x00) && (icmpinfo->code[1] == 0xFF))
		1662	return !(icmpinfo->flags&IPT_ICMP_INV);
		1663	else
		1664	return 0;
		1665	}
		1666
		1667	return icmp_type_code_match(icmpinfo->type,
1660	icmpinfo->code[0],	1668	icmpinfo->code[0],
1661	icmpinfo->code[1],	1669	icmpinfo->code[1],
1662	icmp->type, icmp->code,	1670	icmp->type, icmp->code,
1663	!!(icmpinfo->invflags&IPT_ICMP_INV));	1671	icmpinfo->flags);
1664	}	1672	}
1665		1673
1666	/* Called when user tries to insert an entry of this type. */	1674	/* Called when user tries to insert an entry of this type. */
Lines 1673-1683 Link Here
1673	{	1681	{
1674	const struct ipt_icmp *icmpinfo = matchinfo;	1682	const struct ipt_icmp *icmpinfo = matchinfo;
1675		1683
1676	/* Must specify proto == ICMP, and no unknown invflags */	1684	/* Must specify proto == ICMP, and no unknown flags */
1677	return ip->proto == IPPROTO_ICMP	1685	return ip->proto == IPPROTO_ICMP
1678	&& !(ip->invflags & IPT_INV_PROTO)	1686	&& !(ip->invflags & IPT_INV_PROTO)
1679	&& matchsize == IPT_ALIGN(sizeof(struct ipt_icmp))	1687	&& matchsize == IPT_ALIGN(sizeof(struct ipt_icmp))
1680	&& !(icmpinfo->invflags & ~IPT_ICMP_INV);	1688	&& !(icmpinfo->flags & ~(IPT_ICMP_INV\|IPT_ICMP_TYPE_ANY));
1681	}	1689	}
1682		1690
1683	/* The built-in targets: standard (NULL) and error. */	1691	/* The built-in targets: standard (NULL) and error. */

Lines 197-207 Link Here

(-)linux-2.4.19-mb/include/linux/netfilter_ipv4/ip_tables.h (-2 / +3 lines)
197	{	197	{
198	u_int8_t type; /* type to match */	198	u_int8_t type; /* type to match */
199	u_int8_t code[2]; /* range of code */	199	u_int8_t code[2]; /* range of code */
200	u_int8_t invflags; /* Inverse flags */	200	u_int8_t flags; /* Flags */
201	};	201	};
202		202
203	/* Values for "inv" field for struct ipt_icmp. */	203	/* Values for "inv" field for struct ipt_icmp. */
204	#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */	204	#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */
		205	#define IPT_ICMP_TYPE_ANY 0x02 /* Match any type */
205		206
206	/* The argument to IPT_SO_GET_INFO */	207	/* The argument to IPT_SO_GET_INFO */
207	struct ipt_getinfo	208	struct ipt_getinfo