Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* iptables module for the IPv4 and TCP ECN bits, Version 1.5 |
2 | * | |
3 | * (C) 2002 by Harald Welte <laforge@netfilter.org> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp | |
10 | */ | |
11 | ||
12 | #include <linux/module.h> | |
13 | #include <linux/skbuff.h> | |
14 | #include <linux/ip.h> | |
15 | #include <linux/tcp.h> | |
16 | #include <net/checksum.h> | |
17 | ||
18 | #include <linux/netfilter_ipv4/ip_tables.h> | |
19 | #include <linux/netfilter_ipv4/ipt_ECN.h> | |
20 | ||
21 | MODULE_LICENSE("GPL"); | |
22 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); | |
23 | MODULE_DESCRIPTION("iptables ECN modification module"); | |
24 | ||
25 | /* set ECT codepoint from IP header. | |
26 | * return 0 if there was an error. */ | |
27 | static inline int | |
28 | set_ect_ip(struct sk_buff **pskb, const struct ipt_ECN_info *einfo) | |
29 | { | |
da878c8e PM |
30 | struct iphdr *iph = (*pskb)->nh.iph; |
31 | u_int16_t oldtos; | |
1da177e4 | 32 | |
da878c8e | 33 | if ((iph->tos & IPT_ECN_IP_MASK) != (einfo->ip_ect & IPT_ECN_IP_MASK)) { |
089af26c | 34 | if (!skb_make_writable(pskb, sizeof(struct iphdr))) |
1da177e4 | 35 | return 0; |
da878c8e PM |
36 | iph = (*pskb)->nh.iph; |
37 | oldtos = iph->tos; | |
38 | iph->tos &= ~IPT_ECN_IP_MASK; | |
39 | iph->tos |= (einfo->ip_ect & IPT_ECN_IP_MASK); | |
40 | iph->check = nf_csum_update(oldtos ^ 0xFFFF, iph->tos, | |
41 | iph->check); | |
1da177e4 LT |
42 | } |
43 | return 1; | |
44 | } | |
45 | ||
46 | /* Return 0 if there was an error. */ | |
47 | static inline int | |
84fa7933 | 48 | set_ect_tcp(struct sk_buff **pskb, const struct ipt_ECN_info *einfo) |
1da177e4 LT |
49 | { |
50 | struct tcphdr _tcph, *tcph; | |
4cf411de | 51 | u_int16_t oldval; |
1da177e4 LT |
52 | |
53 | /* Not enought header? */ | |
54 | tcph = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4, | |
55 | sizeof(_tcph), &_tcph); | |
56 | if (!tcph) | |
57 | return 0; | |
58 | ||
fd841326 PM |
59 | if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) || |
60 | tcph->ece == einfo->proto.tcp.ece) && | |
61 | ((!(einfo->operation & IPT_ECN_OP_SET_CWR) || | |
62 | tcph->cwr == einfo->proto.tcp.cwr))) | |
1da177e4 LT |
63 | return 1; |
64 | ||
089af26c | 65 | if (!skb_make_writable(pskb, (*pskb)->nh.iph->ihl*4+sizeof(*tcph))) |
1da177e4 LT |
66 | return 0; |
67 | tcph = (void *)(*pskb)->nh.iph + (*pskb)->nh.iph->ihl*4; | |
68 | ||
4cf411de | 69 | oldval = ((u_int16_t *)tcph)[6]; |
1da177e4 LT |
70 | if (einfo->operation & IPT_ECN_OP_SET_ECE) |
71 | tcph->ece = einfo->proto.tcp.ece; | |
72 | if (einfo->operation & IPT_ECN_OP_SET_CWR) | |
73 | tcph->cwr = einfo->proto.tcp.cwr; | |
1da177e4 | 74 | |
4cf411de PM |
75 | tcph->check = nf_proto_csum_update((*pskb), |
76 | oldval ^ 0xFFFF, | |
77 | ((u_int16_t *)tcph)[6], | |
78 | tcph->check, 0); | |
1da177e4 LT |
79 | return 1; |
80 | } | |
81 | ||
82 | static unsigned int | |
83 | target(struct sk_buff **pskb, | |
84 | const struct net_device *in, | |
85 | const struct net_device *out, | |
86 | unsigned int hooknum, | |
c4986734 | 87 | const struct xt_target *target, |
fe1cb108 | 88 | const void *targinfo) |
1da177e4 LT |
89 | { |
90 | const struct ipt_ECN_info *einfo = targinfo; | |
91 | ||
92 | if (einfo->operation & IPT_ECN_OP_SET_IP) | |
93 | if (!set_ect_ip(pskb, einfo)) | |
94 | return NF_DROP; | |
95 | ||
96 | if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) | |
97 | && (*pskb)->nh.iph->protocol == IPPROTO_TCP) | |
84fa7933 | 98 | if (!set_ect_tcp(pskb, einfo)) |
1da177e4 LT |
99 | return NF_DROP; |
100 | ||
101 | return IPT_CONTINUE; | |
102 | } | |
103 | ||
104 | static int | |
105 | checkentry(const char *tablename, | |
2e4e6a17 | 106 | const void *e_void, |
c4986734 | 107 | const struct xt_target *target, |
1da177e4 | 108 | void *targinfo, |
1da177e4 LT |
109 | unsigned int hook_mask) |
110 | { | |
111 | const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo; | |
2e4e6a17 | 112 | const struct ipt_entry *e = e_void; |
1da177e4 | 113 | |
1da177e4 LT |
114 | if (einfo->operation & IPT_ECN_OP_MASK) { |
115 | printk(KERN_WARNING "ECN: unsupported ECN operation %x\n", | |
116 | einfo->operation); | |
117 | return 0; | |
118 | } | |
119 | if (einfo->ip_ect & ~IPT_ECN_IP_MASK) { | |
120 | printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n", | |
121 | einfo->ip_ect); | |
122 | return 0; | |
123 | } | |
1da177e4 LT |
124 | if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) |
125 | && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) { | |
126 | printk(KERN_WARNING "ECN: cannot use TCP operations on a " | |
127 | "non-tcp rule\n"); | |
128 | return 0; | |
129 | } | |
1da177e4 LT |
130 | return 1; |
131 | } | |
132 | ||
133 | static struct ipt_target ipt_ecn_reg = { | |
134 | .name = "ECN", | |
135 | .target = target, | |
1d5cd909 PM |
136 | .targetsize = sizeof(struct ipt_ECN_info), |
137 | .table = "mangle", | |
1da177e4 LT |
138 | .checkentry = checkentry, |
139 | .me = THIS_MODULE, | |
140 | }; | |
141 | ||
65b4b4e8 | 142 | static int __init ipt_ecn_init(void) |
1da177e4 LT |
143 | { |
144 | return ipt_register_target(&ipt_ecn_reg); | |
145 | } | |
146 | ||
65b4b4e8 | 147 | static void __exit ipt_ecn_fini(void) |
1da177e4 LT |
148 | { |
149 | ipt_unregister_target(&ipt_ecn_reg); | |
150 | } | |
151 | ||
65b4b4e8 AM |
152 | module_init(ipt_ecn_init); |
153 | module_exit(ipt_ecn_fini); |