Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dc5ab2fa authored by Yasuyuki Kozakai's avatar Yasuyuki Kozakai Committed by David S. Miller
Browse files

[NETFILTER]: x_tables: unify IPv4/IPv6 esp match 



This unifies ipt_esp and ip6t_esp to xt_esp. Please note that now
a user program needs to specify IPPROTO_ESP as protocol to use esp match
with IPv6. This means that ip6tables requires '-p esp' like iptables.

Signed-off-by: default avatarYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9606a216

include/linux/netfilter/xt_esp.h

0 → 100644
+14 −0
Original line number Diff line number Diff line 
#ifndef _XT_ESP_H

#define _XT_ESP_H



struct xt_esp

{

	u_int32_t spis[2];	/* Security Parameter Index */

	u_int8_t  invflags;	/* Inverse flags */

};



/* Values for "invflags" field in struct xt_esp. */

#define XT_ESP_INV_SPI	0x01	/* Invert the sense of spi. */

#define XT_ESP_INV_MASK	0x01	/* All possible flags. */



#endif /*_XT_ESP_H*/

include/linux/netfilter_ipv4/ipt_esp.h

+4 −10
Original line number Diff line number Diff line 
#ifndef _IPT_ESP_H

#define _IPT_ESP_H



struct ipt_esp

{

	u_int32_t spis[2];			/* Security Parameter Index */

	u_int8_t  invflags;			/* Inverse flags */

};

#include <linux/netfilter/xt_esp.h>







/* Values for "invflags" field in struct ipt_esp. */

#define IPT_ESP_INV_SPI		0x01	/* Invert the sense of spi. */

#define IPT_ESP_INV_MASK	0x01	/* All possible flags. */

#define ipt_esp xt_esp

#define IPT_ESP_INV_SPI		XT_ESP_INV_SPI

#define IPT_ESP_INV_MASK	XT_ESP_INV_MASK



#endif /*_IPT_ESP_H*/

include/linux/netfilter_ipv6/ip6t_esp.h

+4 −8
Original line number Diff line number Diff line 
#ifndef _IP6T_ESP_H

#define _IP6T_ESP_H



struct ip6t_esp

{

	u_int32_t spis[2];			/* Security Parameter Index */

	u_int8_t  invflags;			/* Inverse flags */

};

#include <linux/netfilter/xt_esp.h>



/* Values for "invflags" field in struct ip6t_esp. */

#define IP6T_ESP_INV_SPI		0x01	/* Invert the sense of spi. */

#define IP6T_ESP_INV_MASK	0x01	/* All possible flags. */

#define ip6t_esp xt_esp

#define IP6T_ESP_INV_SPI	XT_ESP_INV_SPI

#define IP6T_ESP_INV_MASK	XT_ESP_INV_MASK



#endif /*_IP6T_ESP_H*/

net/ipv4/netfilter/Kconfig

+4 −4
Original line number Diff line number Diff line
@@ -272,12 +272,12 @@ config IP_NF_MATCH_DSCP 


	  To compile it as a module, choose M here.  If unsure, say N.



config IP_NF_MATCH_AH_ESP

	tristate "AH/ESP match support"

config IP_NF_MATCH_AH

	tristate "AH match support"

	depends on IP_NF_IPTABLES

	help

	  These two match extensions (`ah' and `esp') allow you to match a

	  range of SPIs inside AH or ESP headers of IPSec packets.

	  This match extension allows you to match a range of SPIs

	  inside AH header of IPSec packets.



	  To compile it as a module, choose M here.  If unsure, say N.

net/ipv4/netfilter/Makefile

+1 −1
Original line number Diff line number Diff line
@@ -59,7 +59,7 @@ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o 
obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o

obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o

obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o

obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o

obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o

obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o

obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o