Commit 4ae89ad9 authored by Joe Perches's avatar Joe Perches Committed by Pablo Neira Ayuso

etherdevice.h & bridge: netfilter: Add and use ether_addr_equal_masked

There are code duplications of a masked ethernet address comparison here
so make it a separate function instead.

Miscellanea:

o Neaten alignment of FWINV macro uses to make it clearer for the reader
Signed-off-by: default avatarJoe Perches <joe@perches.com>
Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 468b021b
...@@ -373,6 +373,29 @@ static inline bool ether_addr_equal_unaligned(const u8 *addr1, const u8 *addr2) ...@@ -373,6 +373,29 @@ static inline bool ether_addr_equal_unaligned(const u8 *addr1, const u8 *addr2)
#endif #endif
} }
/**
* ether_addr_equal_masked - Compare two Ethernet addresses with a mask
* @addr1: Pointer to a six-byte array containing the 1st Ethernet address
* @addr2: Pointer to a six-byte array containing the 2nd Ethernet address
* @mask: Pointer to a six-byte array containing the Ethernet address bitmask
*
* Compare two Ethernet addresses with a mask, returns true if for every bit
* set in the bitmask the equivalent bits in the ethernet addresses are equal.
* Using a mask with all bits set is a slower ether_addr_equal.
*/
static inline bool ether_addr_equal_masked(const u8 *addr1, const u8 *addr2,
const u8 *mask)
{
int i;
for (i = 0; i < ETH_ALEN; i++) {
if ((addr1[i] ^ addr2[i]) & mask[i])
return false;
}
return true;
}
/** /**
* is_etherdev_addr - Tell if given Ethernet address belongs to the device. * is_etherdev_addr - Tell if given Ethernet address belongs to the device.
* @dev: Pointer to a device structure * @dev: Pointer to a device structure
......
...@@ -65,7 +65,6 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -65,7 +65,6 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
if (info->bitmask & (EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC)) { if (info->bitmask & (EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC)) {
const unsigned char *mp; const unsigned char *mp;
unsigned char _mac[ETH_ALEN]; unsigned char _mac[ETH_ALEN];
uint8_t verdict, i;
if (ah->ar_hln != ETH_ALEN || ah->ar_hrd != htons(ARPHRD_ETHER)) if (ah->ar_hln != ETH_ALEN || ah->ar_hrd != htons(ARPHRD_ETHER))
return false; return false;
...@@ -74,11 +73,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -74,11 +73,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
sizeof(_mac), &_mac); sizeof(_mac), &_mac);
if (mp == NULL) if (mp == NULL)
return false; return false;
verdict = 0; if (FWINV(!ether_addr_equal_masked(mp, info->smaddr,
for (i = 0; i < 6; i++) info->smmsk),
verdict |= (mp[i] ^ info->smaddr[i]) & EBT_ARP_SRC_MAC))
info->smmsk[i];
if (FWINV(verdict != 0, EBT_ARP_SRC_MAC))
return false; return false;
} }
...@@ -88,11 +85,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -88,11 +85,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
sizeof(_mac), &_mac); sizeof(_mac), &_mac);
if (mp == NULL) if (mp == NULL)
return false; return false;
verdict = 0; if (FWINV(!ether_addr_equal_masked(mp, info->dmaddr,
for (i = 0; i < 6; i++) info->dmmsk),
verdict |= (mp[i] ^ info->dmaddr[i]) & EBT_ARP_DST_MAC))
info->dmmsk[i];
if (FWINV(verdict != 0, EBT_ARP_DST_MAC))
return false; return false;
} }
} }
......
...@@ -46,7 +46,6 @@ static bool ebt_filter_config(const struct ebt_stp_info *info, ...@@ -46,7 +46,6 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
const struct ebt_stp_config_info *c; const struct ebt_stp_config_info *c;
u16 v16; u16 v16;
u32 v32; u32 v32;
int verdict, i;
c = &info->config; c = &info->config;
if ((info->bitmask & EBT_STP_FLAGS) && if ((info->bitmask & EBT_STP_FLAGS) &&
...@@ -54,66 +53,62 @@ static bool ebt_filter_config(const struct ebt_stp_info *info, ...@@ -54,66 +53,62 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
return false; return false;
if (info->bitmask & EBT_STP_ROOTPRIO) { if (info->bitmask & EBT_STP_ROOTPRIO) {
v16 = NR16(stpc->root); v16 = NR16(stpc->root);
if (FWINV(v16 < c->root_priol || if (FWINV(v16 < c->root_priol || v16 > c->root_priou,
v16 > c->root_priou, EBT_STP_ROOTPRIO)) EBT_STP_ROOTPRIO))
return false; return false;
} }
if (info->bitmask & EBT_STP_ROOTADDR) { if (info->bitmask & EBT_STP_ROOTADDR) {
verdict = 0; if (FWINV(!ether_addr_equal_masked(&stpc->root[2], c->root_addr,
for (i = 0; i < 6; i++) c->root_addrmsk),
verdict |= (stpc->root[2+i] ^ c->root_addr[i]) & EBT_STP_ROOTADDR))
c->root_addrmsk[i];
if (FWINV(verdict != 0, EBT_STP_ROOTADDR))
return false; return false;
} }
if (info->bitmask & EBT_STP_ROOTCOST) { if (info->bitmask & EBT_STP_ROOTCOST) {
v32 = NR32(stpc->root_cost); v32 = NR32(stpc->root_cost);
if (FWINV(v32 < c->root_costl || if (FWINV(v32 < c->root_costl || v32 > c->root_costu,
v32 > c->root_costu, EBT_STP_ROOTCOST)) EBT_STP_ROOTCOST))
return false; return false;
} }
if (info->bitmask & EBT_STP_SENDERPRIO) { if (info->bitmask & EBT_STP_SENDERPRIO) {
v16 = NR16(stpc->sender); v16 = NR16(stpc->sender);
if (FWINV(v16 < c->sender_priol || if (FWINV(v16 < c->sender_priol || v16 > c->sender_priou,
v16 > c->sender_priou, EBT_STP_SENDERPRIO)) EBT_STP_SENDERPRIO))
return false; return false;
} }
if (info->bitmask & EBT_STP_SENDERADDR) { if (info->bitmask & EBT_STP_SENDERADDR) {
verdict = 0; if (FWINV(!ether_addr_equal_masked(&stpc->sender[2],
for (i = 0; i < 6; i++) c->sender_addr,
verdict |= (stpc->sender[2+i] ^ c->sender_addr[i]) & c->sender_addrmsk),
c->sender_addrmsk[i]; EBT_STP_SENDERADDR))
if (FWINV(verdict != 0, EBT_STP_SENDERADDR))
return false; return false;
} }
if (info->bitmask & EBT_STP_PORT) { if (info->bitmask & EBT_STP_PORT) {
v16 = NR16(stpc->port); v16 = NR16(stpc->port);
if (FWINV(v16 < c->portl || if (FWINV(v16 < c->portl || v16 > c->portu, EBT_STP_PORT))
v16 > c->portu, EBT_STP_PORT))
return false; return false;
} }
if (info->bitmask & EBT_STP_MSGAGE) { if (info->bitmask & EBT_STP_MSGAGE) {
v16 = NR16(stpc->msg_age); v16 = NR16(stpc->msg_age);
if (FWINV(v16 < c->msg_agel || if (FWINV(v16 < c->msg_agel || v16 > c->msg_ageu,
v16 > c->msg_ageu, EBT_STP_MSGAGE)) EBT_STP_MSGAGE))
return false; return false;
} }
if (info->bitmask & EBT_STP_MAXAGE) { if (info->bitmask & EBT_STP_MAXAGE) {
v16 = NR16(stpc->max_age); v16 = NR16(stpc->max_age);
if (FWINV(v16 < c->max_agel || if (FWINV(v16 < c->max_agel || v16 > c->max_ageu,
v16 > c->max_ageu, EBT_STP_MAXAGE)) EBT_STP_MAXAGE))
return false; return false;
} }
if (info->bitmask & EBT_STP_HELLOTIME) { if (info->bitmask & EBT_STP_HELLOTIME) {
v16 = NR16(stpc->hello_time); v16 = NR16(stpc->hello_time);
if (FWINV(v16 < c->hello_timel || if (FWINV(v16 < c->hello_timel || v16 > c->hello_timeu,
v16 > c->hello_timeu, EBT_STP_HELLOTIME)) EBT_STP_HELLOTIME))
return false; return false;
} }
if (info->bitmask & EBT_STP_FWDD) { if (info->bitmask & EBT_STP_FWDD) {
v16 = NR16(stpc->forward_delay); v16 = NR16(stpc->forward_delay);
if (FWINV(v16 < c->forward_delayl || if (FWINV(v16 < c->forward_delayl || v16 > c->forward_delayu,
v16 > c->forward_delayu, EBT_STP_FWDD)) EBT_STP_FWDD))
return false; return false;
} }
return true; return true;
......
...@@ -130,7 +130,6 @@ ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb, ...@@ -130,7 +130,6 @@ ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
const struct ethhdr *h = eth_hdr(skb); const struct ethhdr *h = eth_hdr(skb);
const struct net_bridge_port *p; const struct net_bridge_port *p;
__be16 ethproto; __be16 ethproto;
int verdict, i;
if (skb_vlan_tag_present(skb)) if (skb_vlan_tag_present(skb))
ethproto = htons(ETH_P_8021Q); ethproto = htons(ETH_P_8021Q);
...@@ -157,19 +156,15 @@ ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb, ...@@ -157,19 +156,15 @@ ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
return 1; return 1;
if (e->bitmask & EBT_SOURCEMAC) { if (e->bitmask & EBT_SOURCEMAC) {
verdict = 0; if (FWINV2(!ether_addr_equal_masked(h->h_source,
for (i = 0; i < 6; i++) e->sourcemac, e->sourcemsk),
verdict |= (h->h_source[i] ^ e->sourcemac[i]) & EBT_ISOURCE))
e->sourcemsk[i];
if (FWINV2(verdict != 0, EBT_ISOURCE))
return 1; return 1;
} }
if (e->bitmask & EBT_DESTMAC) { if (e->bitmask & EBT_DESTMAC) {
verdict = 0; if (FWINV2(!ether_addr_equal_masked(h->h_dest,
for (i = 0; i < 6; i++) e->destmac, e->destmsk),
verdict |= (h->h_dest[i] ^ e->destmac[i]) & EBT_IDEST))
e->destmsk[i];
if (FWINV2(verdict != 0, EBT_IDEST))
return 1; return 1;
} }
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment