From 12ebd551a2e43637c3f8417c62201753739386e6 Mon Sep 17 00:00:00 2001 From: fnm3 Date: Tue, 25 Jun 2002 16:49:11 +0000 Subject: Code redesign. Lot of debug messages. Checks for passed parameters. --- kernel/linux/net/bridge/netfilter/ebt_vlan.c | 342 ++++++++++++++++++++------- 1 file changed, 254 insertions(+), 88 deletions(-) (limited to 'kernel') diff --git a/kernel/linux/net/bridge/netfilter/ebt_vlan.c b/kernel/linux/net/bridge/netfilter/ebt_vlan.c index b7fcb3f..68e7966 100644 --- a/kernel/linux/net/bridge/netfilter/ebt_vlan.c +++ b/kernel/linux/net/bridge/netfilter/ebt_vlan.c @@ -1,120 +1,284 @@ /* - * ebt_vlan kernelspace - * - * Authors: - * Bart De Schuymer - * Nick Fedchik - * - * June, 2002 + * Description: EBTables 802.1Q match extension kernelspace module. + * Authors: Nick Fedchik + * Bart De Schuymer + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#include -#include -#include #include +#include #include +#include +#include static unsigned char debug; +#define MODULE_VERSION "0.4 (" __DATE__ " " __TIME__ ")" + MODULE_PARM (debug, "0-1b"); MODULE_PARM_DESC (debug, "debug=1 is turn on debug messages"); +MODULE_AUTHOR ("Nick Fedchik "); +MODULE_DESCRIPTION ("802.1Q match module (ebtables extension), v" + MODULE_VERSION); +MODULE_LICENSE ("GPL"); -#define MODULE_VERSION "0.2" -static int ebt_filter_vlan (const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const void *data, - unsigned int datalen, - const struct ebt_counter *c) +#define DEBUG_MSG(...) if (debug) printk (KERN_DEBUG __FILE__ ":" __FUNCTION__ ": " __VA_ARGS__) +#define INV_FLAG(_inv_flag_) (infostuff->invflags & _inv_flag_) ? "!" : "" +#define GET_BITMASK(_BIT_MASK_) infostuff->bitmask & _BIT_MASK_ +#define SET_BITMASK(_BIT_MASK_) infostuff->bitmask |= _BIT_MASK_ +#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) if (!((infostuff->_MATCH_ == _MATCH_)^!!(infostuff->invflags & _MASK_))) return 1; + +/* + * Function description: ebt_filter_vlan() is main engine for + * checking passed 802.1Q frame according to + * the passed extension parameters (in the *data buffer) + * ebt_filter_vlan() is called after successfull check the rule params + * by ebt_check_vlan() function. + * Parameters: + * const struct sk_buff *skb - pointer to passed ethernet frame buffer + * const void *data - pointer to passed extension parameters + * unsigned int datalen - length of passed *data buffer + * const struct net_device *in - + * const struct net_device *out - + * const struct ebt_counter *c - + * Returned values: + * 0 - ok (all rule params matched) + * 1 - miss (rule params not acceptable to the parsed frame) + */ +static int +ebt_filter_vlan (const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const void *data, + unsigned int datalen, const struct ebt_counter *c) { - struct ebt_vlan_info *infostuff = (struct ebt_vlan_info *) data; - struct vlan_ethhdr *vlanethhdr = - (struct vlan_ethhdr *) skb->mac.raw; - unsigned short v_id; - unsigned short v_prio; - unsigned short v_TCI; + struct ebt_vlan_info *infostuff = (struct ebt_vlan_info *) data; /* userspace data */ + struct vlan_ethhdr *frame = (struct vlan_ethhdr *) skb->mac.raw; /* Passed tagged frame */ - /* - * Calculate 802.1Q VLAN ID and user_priority from - * Tag Control Information (TCI) field. - * Reserved one bit (13) for CFI (Canonical Format Indicator) - */ - v_TCI = ntohs (vlanethhdr->h_vlan_TCI); - v_id = v_TCI & 0xFFF; - v_prio = v_TCI >> 13; + unsigned short TCI; /* Whole TCI, given from parsed frame */ + unsigned short id; /* VLAN ID, given from frame TCI */ + unsigned char prio; /* user_priority, given from frame TCI */ + unsigned short encap; /* VLAN encapsulated Type/Length field, given from orig frame */ /* - * Checking VLANs + * Tag Control Information (TCI) consists of the following elements: + * - User_priority. This field allows the tagged frame to carry user_priority + * information across Bridged LANs in which individual LAN segments may be unable to signal + * priority information (e.g., 802.3/Ethernet segments). + * The user_priority field is three bits in length, + * interpreted as a binary number. The user_priority is therefore + * capable of representing eight priority levels, 0 through 7. + * The use and interpretation of this field is defined in ISO/IEC 15802-3. + * - Canonical Format Indicator (CFI). This field is used, + * in 802.3/Ethernet, to signal the presence or absence + * of a RIF field, and, in combination with the Non-canonical Format Indicator (NCFI) carried + * in the RIF, to signal the bit order of address information carried in the encapsulated + * frame. The Canonical Format Indicator (CFI) is a single bit flag value. + * - VLAN Identifier (VID). This field uniquely identifies the VLAN to + * which the frame belongs. The twelve-bit VLAN Identifier (VID) field + * uniquely identify the VLAN to which the frame belongs. + * The VID is encoded as an unsigned binary number. */ - if (infostuff->bitmask & EBT_VLAN_ID) { /* Is VLAN ID parsed? */ - if (!((infostuff->id == v_id) - ^ !!(infostuff->invflags & EBT_VLAN_ID))) - return 1; - if (debug) - printk (KERN_DEBUG - "ebt_vlan: matched ID=%s%d (mask=%X)\n", - (infostuff-> - invflags & EBT_VLAN_ID) ? "!" : "", - infostuff->id, infostuff->bitmask); - } + TCI = ntohs (frame->h_vlan_TCI); + id = TCI & 0xFFF; + prio = TCI >> 13; + encap = frame->h_vlan_encapsulated_proto; + /* - * Checking User Priority + * First step is to check is null VLAN ID present + * in the parsed frame */ - if (infostuff->bitmask & EBT_VLAN_PRIO) { /* Is VLAN Prio parsed? */ - if (!((infostuff->prio == v_prio) - ^ !!(infostuff->invflags & EBT_VLAN_PRIO))) - return 1; /* missed */ - if (debug) - printk (KERN_DEBUG - "ebt_vlan: matched Prio=%s%d (mask=%X)\n", - (infostuff-> - invflags & EBT_VLAN_PRIO) ? "!" : "", - infostuff->prio, infostuff->bitmask); + if (!(id)) { + /* + * Checking VLAN Identifier (VID) + */ + if (GET_BITMASK (EBT_VLAN_ID)) { /* Is VLAN ID parsed? */ + EXIT_ON_MISMATCH (id, EBT_VLAN_ID); + DEBUG_MSG + ("matched rule id=%s%d for frame id=%d\n", + INV_FLAG (EBT_VLAN_ID), infostuff->id, id); + } + } else { + /* + * Checking user_priority + */ + if (GET_BITMASK (EBT_VLAN_PRIO)) { /* Is VLAN user_priority parsed? */ + EXIT_ON_MISMATCH (prio, EBT_VLAN_PRIO); + DEBUG_MSG + ("matched rule prio=%s%d for frame prio=%d\n", + INV_FLAG (EBT_VLAN_PRIO), infostuff->prio, + prio); + } } /* - * Checking for Encapsulated proto + * Checking Encapsulated Proto (Length/Type) field */ - if (infostuff->bitmask & EBT_VLAN_ENCAP) { /* Is VLAN Encap parsed? */ - if (! - ((infostuff->encap == - vlanethhdr->h_vlan_encapsulated_proto) - ^ !!(infostuff->invflags & EBT_VLAN_ENCAP))) - return 1; /* missed */ - if (debug) - printk (KERN_DEBUG - "ebt_vlan: matched encap=%s%2.4X (mask=%X)\n", - (infostuff-> - invflags & EBT_VLAN_ENCAP) ? "!" : "", - ntohs (infostuff->encap), - infostuff->bitmask); + if (GET_BITMASK (EBT_VLAN_ENCAP)) { /* Is VLAN Encap parsed? */ + EXIT_ON_MISMATCH (encap, EBT_VLAN_ENCAP); + DEBUG_MSG ("matched encap=%s%2.4X for frame encap=%2.4X\n", + INV_FLAG (EBT_VLAN_ENCAP), + ntohs (infostuff->encap), ntohs (encap)); } - /* - * rule matched + * All possible extension parameters was parsed. + * If rule never returned by missmatch, then all ok. */ return 0; } /* - * ebt_vlan_check() is called when userspace delivers the table to the kernel, - * * it is called to check that userspace doesn't give a bad table. + * Function description: ebt_vlan_check() is called when userspace + * delivers the table to the kernel, + * and to check that userspace doesn't give a bad table. + * Parameters: + * const char *tablename - table name string + * unsigned int hooknr - hook number + * const struct ebt_entry *e - ebtables entry basic set + * const void *data - pointer to passed extension parameters + * unsigned int datalen - length of passed *data buffer + * Returned values: + * 0 - ok (all delivered rule params are correct) + * 1 - miss (rule params is out of range, invalid, incompatible, etc.) */ -static int ebt_vlan_check (const char *tablename, unsigned int hookmask, - const struct ebt_entry *e, void *data, - unsigned int datalen) +static int +ebt_check_vlan (const char *tablename, + unsigned int hooknr, + const struct ebt_entry *e, void *data, + unsigned int datalen) { struct ebt_vlan_info *infostuff = (struct ebt_vlan_info *) data; - if (datalen != sizeof (struct ebt_vlan_info)) + /* + * Parameters buffer overflow check + */ + if (datalen != sizeof (struct ebt_vlan_info)) { + DEBUG_MSG + ("params size %d is not eq to ebt_vlan_info (%d)\n", + datalen, sizeof (struct ebt_vlan_info)); return -EINVAL; + } - if (e->ethproto != __constant_htons (ETH_P_8021Q)) + /* + * Is it 802.1Q frame checked? + */ + if (e->ethproto != __constant_htons (ETH_P_8021Q)) { + DEBUG_MSG ("passed frame %2.4X is not 802.1Q (8100)\n", + (unsigned short) ntohs (e->ethproto)); return -EINVAL; + } + /* + * Check for bitmask range + * True if even one bit is out of mask + */ if (infostuff->bitmask & ~EBT_VLAN_MASK) { + DEBUG_MSG ("bitmask %2X is out of mask (%2X)\n", + infostuff->bitmask, EBT_VLAN_MASK); + return -EINVAL; + } + + /* + * Check for inversion flags range + */ + if (infostuff->invflags & ~EBT_VLAN_MASK) { + DEBUG_MSG ("inversion flags %2X is out of mask (%2X)\n", + infostuff->invflags, EBT_VLAN_MASK); return -EINVAL; } + /* + * Reserved VLAN ID (VID) values + * ----------------------------- + * 0 - The null VLAN ID. Indicates that the tag header contains only user_priority information; + * no VLAN identifier is present in the frame. This VID value shall not be + * configured as a PVID, configured in any Filtering Database entry, or used in any + * Management operation. + * + * 1 - The default Port VID (PVID) value used for classifying frames on ingress through a Bridge + * Port. The PVID value can be changed by management on a per-Port basis. + * + * 0x0FFF - Reserved for implementation use. This VID value shall not be configured as a + * PVID or transmitted in a tag header. + * + * The remaining values of VID are available for general use as VLAN identifiers. + * A Bridge may implement the ability to support less than the full range of VID values; + * i.e., for a given implementation, + * an upper limit, N, is defined for the VID values supported, where N is less than or equal to 4094. + * All implementations shall support the use of all VID values in the range 0 through their defined maximum + * VID, N. + * + * For Linux, N = 4094. + */ + if (GET_BITMASK (EBT_VLAN_ID)) { /* when vlan-id param was spec-ed */ + if (!!infostuff->id) { /* if id!=0 => check vid range */ + if (infostuff->id > 4094) { /* check if id > than (0x0FFE) */ + DEBUG_MSG + ("vlan id %d is out of range (1-4094)\n", + infostuff->id); + return -EINVAL; + } + /* + * Note: This is valid VLAN-tagged frame point. + * Any value of user_priority are acceptable, but could be ignored + * according to 802.1Q Std. + */ + } else { + /* + * if id=0 (null VLAN ID) => Check for user_priority range + */ + if (GET_BITMASK (EBT_VLAN_PRIO)) { + if ((unsigned char) infostuff->prio > 7) { + DEBUG_MSG + ("prio %d is out of range (0-7)\n", + infostuff->prio); + return -EINVAL; + } + } + /* + * Note2: This is valid priority-tagged frame point + * with null VID field. + */ + } + } else { /* VLAN Id not set */ + if (GET_BITMASK (EBT_VLAN_PRIO)) { /* But user_priority is set - abnormal! */ + infostuff->id = 0; /* Set null VID (case for Priority-tagged frames) */ + SET_BITMASK (EBT_VLAN_ID); /* and set id flag */ + } + } + /* + * Check for encapsulated proto range - it is possible to be any value for u_short range. + * When relaying a tagged frame between 802.3/Ethernet MACs, + * a Bridge may adjust the padding field such that + * the minimum size of a transmitted tagged frame is 68 octets (7.2). + * if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS + */ + if (GET_BITMASK (EBT_VLAN_ENCAP)) { + if ((unsigned short) ntohs (infostuff->encap) < ETH_ZLEN) { + DEBUG_MSG + ("encap packet length %d is less than minimal %d\n", + ntohs (infostuff->encap), ETH_ZLEN); + return -EINVAL; + } + } + + /* + * Otherwise is all correct + */ + DEBUG_MSG ("802.1Q tagged frame checked (%s table, %d hook)\n", + tablename, hooknr); return 0; } @@ -122,22 +286,27 @@ static struct ebt_match filter_vlan = { {NULL, NULL}, EBT_VLAN_MATCH, ebt_filter_vlan, - ebt_vlan_check, + ebt_check_vlan, NULL, THIS_MODULE }; +/* + * Module initialization function. + * Called when module is loaded to kernelspace + */ static int __init init (void) { - printk (KERN_INFO - "ebt_vlan: 802.1Q VLAN matching module for EBTables " - MODULE_VERSION "\n"); - if (debug) - printk (KERN_DEBUG - "ebt_vlan: 802.1Q rule matching debug is on\n"); + DEBUG_MSG ("ebtables 802.1Q extension module v" + MODULE_VERSION "\n"); + DEBUG_MSG ("module debug=%d\n", !!debug); return ebt_register_match (&filter_vlan); } +/* + * Module "finalization" function + * Called when download module from kernelspace + */ static void __exit fini (void) { ebt_unregister_match (&filter_vlan); @@ -145,8 +314,5 @@ static void __exit fini (void) module_init (init); module_exit (fini); + EXPORT_NO_SYMBOLS; -MODULE_AUTHOR ("Nick Fedchik "); -MODULE_DESCRIPTION ("802.1Q VLAN matching module for ebtables, v" - MODULE_VERSION); -MODULE_LICENSE ("GPL"); -- cgit v1.2.3