Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* iptables module for the IPv4 and TCP ECN bits, Version 1.5 |
2 | * | |
3 | * (C) 2002 by Harald Welte <laforge@netfilter.org> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp | |
10 | */ | |
11 | ||
12 | #include <linux/module.h> | |
13 | #include <linux/skbuff.h> | |
14 | #include <linux/ip.h> | |
15 | #include <linux/tcp.h> | |
16 | #include <net/checksum.h> | |
17 | ||
18 | #include <linux/netfilter_ipv4/ip_tables.h> | |
19 | #include <linux/netfilter_ipv4/ipt_ECN.h> | |
20 | ||
21 | MODULE_LICENSE("GPL"); | |
22 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); | |
23 | MODULE_DESCRIPTION("iptables ECN modification module"); | |
24 | ||
25 | /* set ECT codepoint from IP header. | |
26 | * return 0 if there was an error. */ | |
27 | static inline int | |
28 | set_ect_ip(struct sk_buff **pskb, const struct ipt_ECN_info *einfo) | |
29 | { | |
da878c8e | 30 | struct iphdr *iph = (*pskb)->nh.iph; |
1da177e4 | 31 | |
da878c8e | 32 | if ((iph->tos & IPT_ECN_IP_MASK) != (einfo->ip_ect & IPT_ECN_IP_MASK)) { |
43bc0ca7 | 33 | __u8 oldtos; |
089af26c | 34 | if (!skb_make_writable(pskb, sizeof(struct iphdr))) |
1da177e4 | 35 | return 0; |
da878c8e PM |
36 | iph = (*pskb)->nh.iph; |
37 | oldtos = iph->tos; | |
38 | iph->tos &= ~IPT_ECN_IP_MASK; | |
39 | iph->tos |= (einfo->ip_ect & IPT_ECN_IP_MASK); | |
43bc0ca7 | 40 | nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos)); |
1da177e4 LT |
41 | } |
42 | return 1; | |
43 | } | |
44 | ||
45 | /* Return 0 if there was an error. */ | |
46 | static inline int | |
84fa7933 | 47 | set_ect_tcp(struct sk_buff **pskb, const struct ipt_ECN_info *einfo) |
1da177e4 LT |
48 | { |
49 | struct tcphdr _tcph, *tcph; | |
6a19d614 | 50 | __be16 oldval; |
1da177e4 LT |
51 | |
52 | /* Not enought header? */ | |
53 | tcph = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4, | |
54 | sizeof(_tcph), &_tcph); | |
55 | if (!tcph) | |
56 | return 0; | |
57 | ||
fd841326 PM |
58 | if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) || |
59 | tcph->ece == einfo->proto.tcp.ece) && | |
60 | ((!(einfo->operation & IPT_ECN_OP_SET_CWR) || | |
61 | tcph->cwr == einfo->proto.tcp.cwr))) | |
1da177e4 LT |
62 | return 1; |
63 | ||
089af26c | 64 | if (!skb_make_writable(pskb, (*pskb)->nh.iph->ihl*4+sizeof(*tcph))) |
1da177e4 LT |
65 | return 0; |
66 | tcph = (void *)(*pskb)->nh.iph + (*pskb)->nh.iph->ihl*4; | |
67 | ||
6a19d614 | 68 | oldval = ((__be16 *)tcph)[6]; |
1da177e4 LT |
69 | if (einfo->operation & IPT_ECN_OP_SET_ECE) |
70 | tcph->ece = einfo->proto.tcp.ece; | |
71 | if (einfo->operation & IPT_ECN_OP_SET_CWR) | |
72 | tcph->cwr = einfo->proto.tcp.cwr; | |
1da177e4 | 73 | |
43bc0ca7 AV |
74 | nf_proto_csum_replace2(&tcph->check, *pskb, |
75 | oldval, ((__be16 *)tcph)[6], 0); | |
1da177e4 LT |
76 | return 1; |
77 | } | |
78 | ||
79 | static unsigned int | |
80 | target(struct sk_buff **pskb, | |
81 | const struct net_device *in, | |
82 | const struct net_device *out, | |
83 | unsigned int hooknum, | |
c4986734 | 84 | const struct xt_target *target, |
fe1cb108 | 85 | const void *targinfo) |
1da177e4 LT |
86 | { |
87 | const struct ipt_ECN_info *einfo = targinfo; | |
88 | ||
89 | if (einfo->operation & IPT_ECN_OP_SET_IP) | |
90 | if (!set_ect_ip(pskb, einfo)) | |
91 | return NF_DROP; | |
92 | ||
93 | if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) | |
94 | && (*pskb)->nh.iph->protocol == IPPROTO_TCP) | |
84fa7933 | 95 | if (!set_ect_tcp(pskb, einfo)) |
1da177e4 LT |
96 | return NF_DROP; |
97 | ||
98 | return IPT_CONTINUE; | |
99 | } | |
100 | ||
101 | static int | |
102 | checkentry(const char *tablename, | |
2e4e6a17 | 103 | const void *e_void, |
c4986734 | 104 | const struct xt_target *target, |
1da177e4 | 105 | void *targinfo, |
1da177e4 LT |
106 | unsigned int hook_mask) |
107 | { | |
108 | const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo; | |
2e4e6a17 | 109 | const struct ipt_entry *e = e_void; |
1da177e4 | 110 | |
1da177e4 LT |
111 | if (einfo->operation & IPT_ECN_OP_MASK) { |
112 | printk(KERN_WARNING "ECN: unsupported ECN operation %x\n", | |
113 | einfo->operation); | |
114 | return 0; | |
115 | } | |
116 | if (einfo->ip_ect & ~IPT_ECN_IP_MASK) { | |
117 | printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n", | |
118 | einfo->ip_ect); | |
119 | return 0; | |
120 | } | |
1da177e4 LT |
121 | if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) |
122 | && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) { | |
123 | printk(KERN_WARNING "ECN: cannot use TCP operations on a " | |
124 | "non-tcp rule\n"); | |
125 | return 0; | |
126 | } | |
1da177e4 LT |
127 | return 1; |
128 | } | |
129 | ||
130 | static struct ipt_target ipt_ecn_reg = { | |
131 | .name = "ECN", | |
132 | .target = target, | |
1d5cd909 PM |
133 | .targetsize = sizeof(struct ipt_ECN_info), |
134 | .table = "mangle", | |
1da177e4 LT |
135 | .checkentry = checkentry, |
136 | .me = THIS_MODULE, | |
137 | }; | |
138 | ||
65b4b4e8 | 139 | static int __init ipt_ecn_init(void) |
1da177e4 LT |
140 | { |
141 | return ipt_register_target(&ipt_ecn_reg); | |
142 | } | |
143 | ||
65b4b4e8 | 144 | static void __exit ipt_ecn_fini(void) |
1da177e4 LT |
145 | { |
146 | ipt_unregister_target(&ipt_ecn_reg); | |
147 | } | |
148 | ||
65b4b4e8 AM |
149 | module_init(ipt_ecn_init); |
150 | module_exit(ipt_ecn_fini); |