[deliverable/linux.git] / net / netfilter / xt_TCPMSS.c

/*
 * This is a module which is used for setting the MSS option in TCP packets.
 *
 * Copyright (C) 2000 Marc Boucher <marc@mbsi.ca>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/tcp.h>
#include <net/dst.h>
#include <net/flow.h>
#include <net/ipv6.h>
#include <net/route.h>
#include <net/tcp.h>

#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_tcpudp.h>
#include <linux/netfilter/xt_TCPMSS.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment");
MODULE_ALIAS("ipt_TCPMSS");
MODULE_ALIAS("ip6t_TCPMSS");

static inline unsigned int
optlen(const u_int8_t *opt, unsigned int offset)
{
	/* Beware zero-length options: make finite progress */
	if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
		return 1;
	else
		return opt[offset+1];
}

static int
tcpmss_mangle_packet(struct sk_buff *skb,
		     const struct xt_tcpmss_info *info,
		     unsigned int in_mtu,
		     unsigned int tcphoff,
		     unsigned int minlen)
{
	struct tcphdr *tcph;
	unsigned int tcplen, i;
	__be16 oldval;
	u16 newmss;
	u8 *opt;

	if (!skb_make_writable(skb, skb->len))
		return -1;

	tcplen = skb->len - tcphoff;
	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);

	/* Header cannot be larger than the packet */
	if (tcplen < tcph->doff*4)
		return -1;

	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
		if (dst_mtu(skb_dst(skb)) <= minlen) {
			if (net_ratelimit())
				pr_err("unknown or invalid path-MTU (%u)\n",
				       dst_mtu(skb_dst(skb)));
			return -1;
		}
		if (in_mtu <= minlen) {
			if (net_ratelimit())
				pr_err("unknown or invalid path-MTU (%u)\n",
				       in_mtu);
			return -1;
		}
		newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen;
	} else
		newmss = info->mss;

	opt = (u_int8_t *)tcph;
	for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
		if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
		    opt[i+1] == TCPOLEN_MSS) {
			u_int16_t oldmss;

			oldmss = (opt[i+2] << 8) | opt[i+3];

			/* Never increase MSS, even when setting it, as
			 * doing so results in problems for hosts that rely
			 * on MSS being set correctly.
			 */
			if (oldmss <= newmss)
				return 0;

			opt[i+2] = (newmss & 0xff00) >> 8;
			opt[i+3] = newmss & 0x00ff;

			inet_proto_csum_replace2(&tcph->check, skb,
						 htons(oldmss), htons(newmss),
						 0);
			return 0;
		}
	}

	/* There is data after the header so the option can't be added
	   without moving it, and doing so may make the SYN packet
	   itself too large. Accept the packet unmodified instead. */
	if (tcplen > tcph->doff*4)
		return 0;

	/*
	 * MSS Option not found ?! add it..
	 */
	if (skb_tailroom(skb) < TCPOLEN_MSS) {
		if (pskb_expand_head(skb, 0,
				     TCPOLEN_MSS - skb_tailroom(skb),
				     GFP_ATOMIC))
			return -1;
		tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
	}

	skb_put(skb, TCPOLEN_MSS);

	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));

	inet_proto_csum_replace2(&tcph->check, skb,
				 htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
	opt[0] = TCPOPT_MSS;
	opt[1] = TCPOLEN_MSS;
	opt[2] = (newmss & 0xff00) >> 8;
	opt[3] = newmss & 0x00ff;

	inet_proto_csum_replace4(&tcph->check, skb, 0, *((__be32 *)opt), 0);

	oldval = ((__be16 *)tcph)[6];
	tcph->doff += TCPOLEN_MSS/4;
	inet_proto_csum_replace2(&tcph->check, skb,
				 oldval, ((__be16 *)tcph)[6], 0);
	return TCPOLEN_MSS;
}

static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
				    unsigned int family)
{
	struct flowi fl = {};
	const struct nf_afinfo *ai;
	struct rtable *rt = NULL;
	u_int32_t mtu     = ~0U;

	if (family == PF_INET)
		fl.fl4_dst = ip_hdr(skb)->saddr;
	else
		fl.fl6_dst = ipv6_hdr(skb)->saddr;

	rcu_read_lock();
	ai = nf_get_afinfo(family);
	if (ai != NULL)
		ai->route((struct dst_entry **)&rt, &fl);
	rcu_read_unlock();

	if (rt != NULL) {
		mtu = dst_mtu(&rt->u.dst);
		dst_release(&rt->u.dst);
	}
	return mtu;
}

static unsigned int
tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
{
	struct iphdr *iph = ip_hdr(skb);
	__be16 newlen;
	int ret;

	ret = tcpmss_mangle_packet(skb, par->targinfo,
				   tcpmss_reverse_mtu(skb, PF_INET),
				   iph->ihl * 4,
				   sizeof(*iph) + sizeof(struct tcphdr));
	if (ret < 0)
		return NF_DROP;
	if (ret > 0) {
		iph = ip_hdr(skb);
		newlen = htons(ntohs(iph->tot_len) + ret);
		csum_replace2(&iph->check, iph->tot_len, newlen);
		iph->tot_len = newlen;
	}
	return XT_CONTINUE;
}

#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
static unsigned int
tcpmss_tg6(struct sk_buff *skb, const struct xt_target_param *par)
{
	struct ipv6hdr *ipv6h = ipv6_hdr(skb);
	u8 nexthdr;
	int tcphoff;
	int ret;

	nexthdr = ipv6h->nexthdr;
	tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr);
	if (tcphoff < 0)
		return NF_DROP;
	ret = tcpmss_mangle_packet(skb, par->targinfo,
				   tcpmss_reverse_mtu(skb, PF_INET6),
				   tcphoff,
				   sizeof(*ipv6h) + sizeof(struct tcphdr));
	if (ret < 0)
		return NF_DROP;
	if (ret > 0) {
		ipv6h = ipv6_hdr(skb);
		ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) + ret);
	}
	return XT_CONTINUE;
}
#endif

#define TH_SYN 0x02

/* Must specify -p tcp --syn */
static inline bool find_syn_match(const struct xt_entry_match *m)
{
	const struct xt_tcp *tcpinfo = (const struct xt_tcp *)m->data;

	if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
	    tcpinfo->flg_cmp & TH_SYN &&
	    !(tcpinfo->invflags & XT_TCP_INV_FLAGS))
		return true;

	return false;
}

static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
{
	const struct xt_tcpmss_info *info = par->targinfo;
	const struct ipt_entry *e = par->entryinfo;
	const struct xt_entry_match *ematch;

	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
	    (par->hook_mask & ~((1 << NF_INET_FORWARD) |
			   (1 << NF_INET_LOCAL_OUT) |
			   (1 << NF_INET_POST_ROUTING))) != 0) {
		pr_info("path-MTU clamping only supported in "
			"FORWARD, OUTPUT and POSTROUTING hooks\n");
		return -EINVAL;
	}
	xt_ematch_foreach(ematch, e)
		if (find_syn_match(ematch))
			return 0;
	pr_info("Only works on TCP SYN packets\n");
	return -EINVAL;
}

#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
{
	const struct xt_tcpmss_info *info = par->targinfo;
	const struct ip6t_entry *e = par->entryinfo;
	const struct xt_entry_match *ematch;

	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
	    (par->hook_mask & ~((1 << NF_INET_FORWARD) |
			   (1 << NF_INET_LOCAL_OUT) |
			   (1 << NF_INET_POST_ROUTING))) != 0) {
		pr_info("path-MTU clamping only supported in "
			"FORWARD, OUTPUT and POSTROUTING hooks\n");
		return -EINVAL;
	}
	xt_ematch_foreach(ematch, e)
		if (find_syn_match(ematch))
			return 0;
	pr_info("Only works on TCP SYN packets\n");
	return -EINVAL;
}
#endif

static struct xt_target tcpmss_tg_reg[] __read_mostly = {
	{
		.family		= NFPROTO_IPV4,
		.name		= "TCPMSS",
		.checkentry	= tcpmss_tg4_check,
		.target		= tcpmss_tg4,
		.targetsize	= sizeof(struct xt_tcpmss_info),
		.proto		= IPPROTO_TCP,
		.me		= THIS_MODULE,
	},
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
	{
		.family		= NFPROTO_IPV6,
		.name		= "TCPMSS",
		.checkentry	= tcpmss_tg6_check,
		.target		= tcpmss_tg6,
		.targetsize	= sizeof(struct xt_tcpmss_info),
		.proto		= IPPROTO_TCP,
		.me		= THIS_MODULE,
	},
#endif
};

static int __init tcpmss_tg_init(void)
{
	return xt_register_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
}

static void __exit tcpmss_tg_exit(void)
{
	xt_unregister_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
}

module_init(tcpmss_tg_init);
module_exit(tcpmss_tg_exit);
Commit	Line	Data
cdd289a2 PM	1	/*
	2	* This is a module which is used for setting the MSS option in TCP packets.
	3	*
	4	* Copyright (C) 2000 Marc Boucher <marc@mbsi.ca>
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License version 2 as
	8	* published by the Free Software Foundation.
	9	*/
8bee4bad	10	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
cdd289a2 PM	11	#include <linux/module.h>
	12	#include <linux/skbuff.h>
	13	#include <linux/ip.h>
	14	#include <linux/ipv6.h>
	15	#include <linux/tcp.h>
37c08387 JE	16	#include <net/dst.h>
37c08387 JE	17	#include <net/flow.h>
cdd289a2	18	#include <net/ipv6.h>
37c08387	19	#include <net/route.h>
cdd289a2 PM	20	#include <net/tcp.h>
	21
	22	#include <linux/netfilter_ipv4/ip_tables.h>
	23	#include <linux/netfilter_ipv6/ip6_tables.h>
	24	#include <linux/netfilter/x_tables.h>
	25	#include <linux/netfilter/xt_tcpudp.h>
	26	#include <linux/netfilter/xt_TCPMSS.h>
	27
	28	MODULE_LICENSE("GPL");
	29	MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
2ae15b64	30	MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment");
cdd289a2 PM	31	MODULE_ALIAS("ipt_TCPMSS");
	32	MODULE_ALIAS("ip6t_TCPMSS");
	33
	34	static inline unsigned int
	35	optlen(const u_int8_t *opt, unsigned int offset)
	36	{
	37	/* Beware zero-length options: make finite progress */
	38	if (opt[offset] <= TCPOPT_NOP \|\| opt[offset+1] == 0)
	39	return 1;
	40	else
	41	return opt[offset+1];
	42	}
	43
	44	static int
3db05fea	45	tcpmss_mangle_packet(struct sk_buff *skb,
cdd289a2	46	const struct xt_tcpmss_info *info,
37c08387	47	unsigned int in_mtu,
cdd289a2 PM	48	unsigned int tcphoff,
	49	unsigned int minlen)
	50	{
	51	struct tcphdr *tcph;
	52	unsigned int tcplen, i;
	53	__be16 oldval;
	54	u16 newmss;
	55	u8 *opt;
	56
3db05fea	57	if (!skb_make_writable(skb, skb->len))
cdd289a2 PM	58	return -1;
cdd289a2 PM	59
3db05fea HX	60	tcplen = skb->len - tcphoff;
3db05fea HX	61	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
cdd289a2	62
10a19939 SA	63	/* Header cannot be larger than the packet */
10a19939 SA	64	if (tcplen < tcph->doff*4)
cdd289a2	65	return -1;
cdd289a2 PM	66
cdd289a2 PM	67	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
adf30907	68	if (dst_mtu(skb_dst(skb)) <= minlen) {
cdd289a2	69	if (net_ratelimit())
ff67e4e4	70	pr_err("unknown or invalid path-MTU (%u)\n",
adf30907	71	dst_mtu(skb_dst(skb)));
cdd289a2 PM	72	return -1;
cdd289a2 PM	73	}
37c08387 JE	74	if (in_mtu <= minlen) {
37c08387 JE	75	if (net_ratelimit())
ff67e4e4 JE	76	pr_err("unknown or invalid path-MTU (%u)\n",
ff67e4e4 JE	77	in_mtu);
37c08387 JE	78	return -1;
37c08387 JE	79	}
adf30907	80	newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen;
cdd289a2 PM	81	} else
	82	newmss = info->mss;
	83
	84	opt = (u_int8_t *)tcph;
	85	for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
	86	if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
	87	opt[i+1] == TCPOLEN_MSS) {
	88	u_int16_t oldmss;
	89
	90	oldmss = (opt[i+2] << 8) \| opt[i+3];
	91
17008064 BL	92	/* Never increase MSS, even when setting it, as
	93	* doing so results in problems for hosts that rely
	94	* on MSS being set correctly.
	95	*/
	96	if (oldmss <= newmss)
cdd289a2 PM	97	return 0;
	98
	99	opt[i+2] = (newmss & 0xff00) >> 8;
7c4e36bc	100	opt[i+3] = newmss & 0x00ff;
cdd289a2	101
be0ea7d5 PM	102	inet_proto_csum_replace2(&tcph->check, skb,
	103	htons(oldmss), htons(newmss),
	104	0);
cdd289a2 PM	105	return 0;
	106	}
	107	}
	108
10a19939 SA	109	/* There is data after the header so the option can't be added
	110	without moving it, and doing so may make the SYN packet
	111	itself too large. Accept the packet unmodified instead. */
	112	if (tcplen > tcph->doff*4)
	113	return 0;
	114
cdd289a2 PM	115	/*
	116	* MSS Option not found ?! add it..
	117	*/
3db05fea HX	118	if (skb_tailroom(skb) < TCPOLEN_MSS) {
	119	if (pskb_expand_head(skb, 0,
	120	TCPOLEN_MSS - skb_tailroom(skb),
2ca7b0ac	121	GFP_ATOMIC))
cdd289a2	122	return -1;
3db05fea	123	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
cdd289a2 PM	124	}
cdd289a2 PM	125
3db05fea	126	skb_put(skb, TCPOLEN_MSS);
cdd289a2 PM	127
	128	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
	129	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
	130
be0ea7d5 PM	131	inet_proto_csum_replace2(&tcph->check, skb,
be0ea7d5 PM	132	htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
cdd289a2 PM	133	opt[0] = TCPOPT_MSS;
	134	opt[1] = TCPOLEN_MSS;
	135	opt[2] = (newmss & 0xff00) >> 8;
7c4e36bc	136	opt[3] = newmss & 0x00ff;
cdd289a2	137
be0ea7d5	138	inet_proto_csum_replace4(&tcph->check, skb, 0, ((__be32 )opt), 0);
cdd289a2 PM	139
	140	oldval = ((__be16 *)tcph)[6];
	141	tcph->doff += TCPOLEN_MSS/4;
be0ea7d5 PM	142	inet_proto_csum_replace2(&tcph->check, skb,
be0ea7d5 PM	143	oldval, ((__be16 *)tcph)[6], 0);
cdd289a2 PM	144	return TCPOLEN_MSS;
	145	}
	146
db1a75bd JE	147	static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
db1a75bd JE	148	unsigned int family)
37c08387	149	{
db1a75bd	150	struct flowi fl = {};
37c08387 JE	151	const struct nf_afinfo *ai;
	152	struct rtable *rt = NULL;
	153	u_int32_t mtu = ~0U;
	154
db1a75bd JE	155	if (family == PF_INET)
	156	fl.fl4_dst = ip_hdr(skb)->saddr;
	157	else
	158	fl.fl6_dst = ipv6_hdr(skb)->saddr;
	159
37c08387	160	rcu_read_lock();
db1a75bd	161	ai = nf_get_afinfo(family);
37c08387 JE	162	if (ai != NULL)
	163	ai->route((struct dst_entry **)&rt, &fl);
	164	rcu_read_unlock();
	165
	166	if (rt != NULL) {
	167	mtu = dst_mtu(&rt->u.dst);
	168	dst_release(&rt->u.dst);
	169	}
	170	return mtu;
	171	}
	172
cdd289a2	173	static unsigned int
7eb35586	174	tcpmss_tg4(struct sk_buff skb, const struct xt_target_param par)
cdd289a2	175	{
3db05fea	176	struct iphdr *iph = ip_hdr(skb);
cdd289a2 PM	177	__be16 newlen;
	178	int ret;
	179
7eb35586	180	ret = tcpmss_mangle_packet(skb, par->targinfo,
db1a75bd	181	tcpmss_reverse_mtu(skb, PF_INET),
37c08387	182	iph->ihl * 4,
cdd289a2 PM	183	sizeof(*iph) + sizeof(struct tcphdr));
	184	if (ret < 0)
	185	return NF_DROP;
	186	if (ret > 0) {
3db05fea	187	iph = ip_hdr(skb);
cdd289a2	188	newlen = htons(ntohs(iph->tot_len) + ret);
be0ea7d5	189	csum_replace2(&iph->check, iph->tot_len, newlen);
cdd289a2 PM	190	iph->tot_len = newlen;
	191	}
	192	return XT_CONTINUE;
	193	}
	194
	195	#if defined(CONFIG_IP6_NF_IPTABLES) \|\| defined(CONFIG_IP6_NF_IPTABLES_MODULE)
	196	static unsigned int
7eb35586	197	tcpmss_tg6(struct sk_buff skb, const struct xt_target_param par)
cdd289a2	198	{
3db05fea	199	struct ipv6hdr *ipv6h = ipv6_hdr(skb);
cdd289a2 PM	200	u8 nexthdr;
	201	int tcphoff;
	202	int ret;
	203
	204	nexthdr = ipv6h->nexthdr;
3db05fea	205	tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr);
9dc0564e	206	if (tcphoff < 0)
cdd289a2	207	return NF_DROP;
7eb35586	208	ret = tcpmss_mangle_packet(skb, par->targinfo,
db1a75bd	209	tcpmss_reverse_mtu(skb, PF_INET6),
37c08387	210	tcphoff,
cdd289a2 PM	211	sizeof(*ipv6h) + sizeof(struct tcphdr));
	212	if (ret < 0)
	213	return NF_DROP;
	214	if (ret > 0) {
3db05fea	215	ipv6h = ipv6_hdr(skb);
cdd289a2 PM	216	ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) + ret);
	217	}
	218	return XT_CONTINUE;
	219	}
	220	#endif
	221
	222	#define TH_SYN 0x02
	223
	224	/* Must specify -p tcp --syn */
e1931b78	225	static inline bool find_syn_match(const struct xt_entry_match *m)
cdd289a2 PM	226	{
	227	const struct xt_tcp tcpinfo = (const struct xt_tcp )m->data;
	228
	229	if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
	230	tcpinfo->flg_cmp & TH_SYN &&
	231	!(tcpinfo->invflags & XT_TCP_INV_FLAGS))
e1931b78	232	return true;
cdd289a2	233
e1931b78	234	return false;
cdd289a2 PM	235	}
cdd289a2 PM	236
135367b8	237	static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
cdd289a2	238	{
af5d6dc2 JE	239	const struct xt_tcpmss_info *info = par->targinfo;
af5d6dc2 JE	240	const struct ipt_entry *e = par->entryinfo;
dcea992a	241	const struct xt_entry_match *ematch;
cdd289a2 PM	242
cdd289a2 PM	243	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
af5d6dc2	244	(par->hook_mask & ~((1 << NF_INET_FORWARD) \|
6e23ae2a PM	245	(1 << NF_INET_LOCAL_OUT) \|
6e23ae2a PM	246	(1 << NF_INET_POST_ROUTING))) != 0) {
8bee4bad JE	247	pr_info("path-MTU clamping only supported in "
8bee4bad JE	248	"FORWARD, OUTPUT and POSTROUTING hooks\n");
d6b00a53	249	return -EINVAL;
cdd289a2	250	}
dcea992a JE	251	xt_ematch_foreach(ematch, e)
dcea992a JE	252	if (find_syn_match(ematch))
d6b00a53	253	return 0;
8bee4bad	254	pr_info("Only works on TCP SYN packets\n");
d6b00a53	255	return -EINVAL;
cdd289a2 PM	256	}
	257
	258	#if defined(CONFIG_IP6_NF_IPTABLES) \|\| defined(CONFIG_IP6_NF_IPTABLES_MODULE)
135367b8	259	static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
cdd289a2	260	{
af5d6dc2 JE	261	const struct xt_tcpmss_info *info = par->targinfo;
af5d6dc2 JE	262	const struct ip6t_entry *e = par->entryinfo;
dcea992a	263	const struct xt_entry_match *ematch;
cdd289a2 PM	264
cdd289a2 PM	265	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
af5d6dc2	266	(par->hook_mask & ~((1 << NF_INET_FORWARD) \|
6e23ae2a PM	267	(1 << NF_INET_LOCAL_OUT) \|
6e23ae2a PM	268	(1 << NF_INET_POST_ROUTING))) != 0) {
8bee4bad JE	269	pr_info("path-MTU clamping only supported in "
8bee4bad JE	270	"FORWARD, OUTPUT and POSTROUTING hooks\n");
d6b00a53	271	return -EINVAL;
cdd289a2	272	}
dcea992a JE	273	xt_ematch_foreach(ematch, e)
dcea992a JE	274	if (find_syn_match(ematch))
d6b00a53	275	return 0;
8bee4bad	276	pr_info("Only works on TCP SYN packets\n");
d6b00a53	277	return -EINVAL;
cdd289a2 PM	278	}
	279	#endif
	280
d3c5ee6d	281	static struct xt_target tcpmss_tg_reg[] __read_mostly = {
cdd289a2	282	{
ee999d8b	283	.family = NFPROTO_IPV4,
cdd289a2	284	.name = "TCPMSS",
d3c5ee6d JE	285	.checkentry = tcpmss_tg4_check,
d3c5ee6d JE	286	.target = tcpmss_tg4,
cdd289a2 PM	287	.targetsize = sizeof(struct xt_tcpmss_info),
	288	.proto = IPPROTO_TCP,
	289	.me = THIS_MODULE,
	290	},
	291	#if defined(CONFIG_IP6_NF_IPTABLES) \|\| defined(CONFIG_IP6_NF_IPTABLES_MODULE)
	292	{
ee999d8b	293	.family = NFPROTO_IPV6,
cdd289a2	294	.name = "TCPMSS",
d3c5ee6d JE	295	.checkentry = tcpmss_tg6_check,
d3c5ee6d JE	296	.target = tcpmss_tg6,
cdd289a2 PM	297	.targetsize = sizeof(struct xt_tcpmss_info),
	298	.proto = IPPROTO_TCP,
	299	.me = THIS_MODULE,
	300	},
	301	#endif
	302	};
	303
d3c5ee6d	304	static int __init tcpmss_tg_init(void)
cdd289a2	305	{
d3c5ee6d	306	return xt_register_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
cdd289a2 PM	307	}
cdd289a2 PM	308
d3c5ee6d	309	static void __exit tcpmss_tg_exit(void)
cdd289a2	310	{
d3c5ee6d	311	xt_unregister_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
cdd289a2 PM	312	}
cdd289a2 PM	313
d3c5ee6d JE	314	module_init(tcpmss_tg_init);
d3c5ee6d JE	315	module_exit(tcpmss_tg_exit);