Linux/net/netfilter/xt_ecn.c


  1 /*
  2  * Xtables module for matching the value of the IPv4/IPv6 and TCP ECN bits
  3  *
  4  * (C) 2002 by Harald Welte <laforge@gnumonks.org>
  5  * (C) 2011 Patrick McHardy <kaber@trash.net>
  6  *
  7  * This program is free software; you can redistribute it and/or modify
  8  * it under the terms of the GNU General Public License version 2 as
  9  * published by the Free Software Foundation.
 10  */
 11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 12 #include <linux/in.h>
 13 #include <linux/ip.h>
 14 #include <net/ip.h>
 15 #include <linux/module.h>
 16 #include <linux/skbuff.h>
 17 #include <linux/tcp.h>
 18 
 19 #include <linux/netfilter/x_tables.h>
 20 #include <linux/netfilter/xt_ecn.h>
 21 #include <linux/netfilter_ipv4/ip_tables.h>
 22 #include <linux/netfilter_ipv6/ip6_tables.h>
 23 
/* Module metadata. The two aliases let iptables/ip6tables autoload this
 * module under the legacy per-family names.
 */
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ecn");
MODULE_ALIAS("ip6t_ecn");
 29 
/*
 * TCP-level part of the match: check the ECE and/or CWR flags selected in
 * the rule against the packet's TCP header.
 *
 * The transport header is fetched through skb_header_pointer() into a
 * stack copy, so a packet too short to carry a full TCP header fails the
 * match rather than being read past its end.
 *
 * @skb: packet under inspection
 * @par: match parameters; par->matchinfo is the rule's xt_ecn_info and
 *       par->thoff the transport header offset
 *
 * Returns true when every flag selected in einfo->operation has the value
 * the rule asks for (set, or clear when the same bit is in einfo->invert).
 */
static bool match_tcp(const struct sk_buff *skb, struct xt_action_param *par)
{
	const struct xt_ecn_info *einfo = par->matchinfo;
	struct tcphdr _tcph;
	const struct tcphdr *th;
	bool want;

	/* The TCP match normally guarantees a full header is present; keep
	 * the check anyway rather than trust the caller.
	 */
	th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
	if (!th)
		return false;

	/* For a selected flag the rule wants it set, unless the matching
	 * invert bit is present, in which case it wants it clear.
	 */
	if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
		want = !(einfo->invert & XT_ECN_OP_MATCH_ECE);
		if (th->ece != want)
			return false;
	}

	if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
		want = !(einfo->invert & XT_ECN_OP_MATCH_CWR);
		if (th->cwr != want)
			return false;
	}

	return true;
}
 65 
/*
 * IPv4 part of the match: compare the ECN bits of the TOS byte
 * (XT_ECN_IP_MASK) with the rule's ip_ect value. XT_ECN_OP_MATCH_IP in
 * einfo->invert negates the result.
 */
static inline bool match_ip(const struct sk_buff *skb,
			    const struct xt_ecn_info *einfo)
{
	bool ect_equal = (ip_hdr(skb)->tos & XT_ECN_IP_MASK) == einfo->ip_ect;
	bool inverted = einfo->invert & XT_ECN_OP_MATCH_IP;

	return ect_equal != inverted;
}
 72 
/*
 * IPv4 match entry point: evaluate the IP-level ECN comparison and/or the
 * TCP flag comparison, depending on which operations the rule selected.
 * ecn_mt_check4() has already guaranteed that TCP operations only appear in
 * rules restricted to IPPROTO_TCP.
 */
static bool ecn_mt4(const struct sk_buff *skb, struct xt_action_param *par)
{
	const struct xt_ecn_info *info = par->matchinfo;
	bool ok = true;

	if (info->operation & XT_ECN_OP_MATCH_IP)
		ok = match_ip(skb, info);

	if (ok && (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR)))
		ok = match_tcp(skb, par);

	return ok;
}
 86 
/*
 * Rule-insertion validation for the IPv4 match.
 *
 * Rejects unknown operation/invert bits, and rejects rules that ask for the
 * TCP flags without also restricting the rule to TCP (a negated protocol
 * match does not count), since match_tcp() would otherwise interpret
 * non-TCP payload as a TCP header.
 *
 * @par: check parameters; par->matchinfo is the xt_ecn_info, par->entryinfo
 *       the ipt_ip part of the rule
 *
 * Returns 0 on success, -EINVAL for a malformed rule.
 */
static int ecn_mt_check4(const struct xt_mtchk_param *par)
{
	const struct xt_ecn_info *info = par->matchinfo;
	const struct ipt_ip *ip = par->entryinfo;
	bool wants_tcp_bits;
	bool rule_is_tcp;

	/* Any bit outside the known set, in either field, is invalid. */
	if ((info->operation | info->invert) & XT_ECN_OP_MATCH_MASK)
		return -EINVAL;

	wants_tcp_bits = info->operation &
			 (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR);
	rule_is_tcp = ip->proto == IPPROTO_TCP &&
		      !(ip->invflags & IPT_INV_PROTO);

	if (wants_tcp_bits && !rule_is_tcp) {
		pr_info("cannot match TCP bits in rule for non-tcp packets\n");
		return -EINVAL;
	}

	return 0;
}
106 
/*
 * IPv6 part of the match: the low four bits of the traffic class live in
 * the upper nibble of flow_lbl[0], so shift them down before masking out
 * the ECN bits and comparing with the rule's ip_ect. XT_ECN_OP_MATCH_IP in
 * einfo->invert negates the result.
 */
static inline bool match_ipv6(const struct sk_buff *skb,
			      const struct xt_ecn_info *einfo)
{
	u8 ect = (ipv6_hdr(skb)->flow_lbl[0] >> 4) & XT_ECN_IP_MASK;
	bool inverted = einfo->invert & XT_ECN_OP_MATCH_IP;

	return (ect == einfo->ip_ect) != inverted;
}
114 
/*
 * IPv6 match entry point: same structure as ecn_mt4(), using the IPv6
 * traffic-class comparison for the IP-level part. ecn_mt_check6() has
 * already guaranteed that TCP operations only appear in TCP-only rules.
 */
static bool ecn_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
	const struct xt_ecn_info *info = par->matchinfo;
	bool ok = true;

	if (info->operation & XT_ECN_OP_MATCH_IP)
		ok = match_ipv6(skb, info);

	if (ok && (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR)))
		ok = match_tcp(skb, par);

	return ok;
}
128 
/*
 * Rule-insertion validation for the IPv6 match; mirrors ecn_mt_check4()
 * using the ip6t_ip6 rule header and IP6T_INV_PROTO.
 *
 * @par: check parameters; par->matchinfo is the xt_ecn_info, par->entryinfo
 *       the ip6t_ip6 part of the rule
 *
 * Returns 0 on success, -EINVAL for unknown flag bits or for a rule that
 * matches TCP flags without being restricted to TCP.
 */
static int ecn_mt_check6(const struct xt_mtchk_param *par)
{
	const struct xt_ecn_info *info = par->matchinfo;
	const struct ip6t_ip6 *ip = par->entryinfo;
	bool wants_tcp_bits;
	bool rule_is_tcp;

	/* Any bit outside the known set, in either field, is invalid. */
	if ((info->operation | info->invert) & XT_ECN_OP_MATCH_MASK)
		return -EINVAL;

	wants_tcp_bits = info->operation &
			 (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR);
	rule_is_tcp = ip->proto == IPPROTO_TCP &&
		      !(ip->invflags & IP6T_INV_PROTO);

	if (wants_tcp_bits && !rule_is_tcp) {
		pr_info("cannot match TCP bits in rule for non-tcp packets\n");
		return -EINVAL;
	}

	return 0;
}
148 
/* One xt_match registration per address family; both are exposed under the
 * rule name "ecn" and share the same xt_ecn_info layout.
 */
static struct xt_match ecn_mt_reg[] __read_mostly = {
	{
		.name		= "ecn",
		.family		= NFPROTO_IPV4,
		.matchsize	= sizeof(struct xt_ecn_info),
		.checkentry	= ecn_mt_check4,
		.match		= ecn_mt4,
		.me		= THIS_MODULE,
	},
	{
		.name		= "ecn",
		.family		= NFPROTO_IPV6,
		.matchsize	= sizeof(struct xt_ecn_info),
		.checkentry	= ecn_mt_check6,
		.match		= ecn_mt6,
		.me		= THIS_MODULE,
	},
};
167 
/* Register both family entries; returns the xt_register_matches() result. */
static int __init ecn_mt_init(void)
{
	int rc = xt_register_matches(ecn_mt_reg, ARRAY_SIZE(ecn_mt_reg));

	return rc;
}
172 
/* Undo ecn_mt_init(): unregister both family entries. */
static void __exit ecn_mt_exit(void)
{
	xt_unregister_matches(&ecn_mt_reg[0], ARRAY_SIZE(ecn_mt_reg));
}
177 
/* Module entry and exit hooks. */
module_init(ecn_mt_init);
module_exit(ecn_mt_exit);
180 
