[mirror_ubuntu-zesty-kernel.git] / net / ipv4 / netfilter / ipt_ECN.c

/* iptables module for the IPv4 and TCP ECN bits, Version 1.5
 *
 * (C) 2002 by Harald Welte <laforge@netfilter.org>
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as 
 * published by the Free Software Foundation.
 *
 * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
*/

#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <net/checksum.h>

#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_ECN.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("iptables ECN modification module");

/* set ECT codepoint from IP header.
 * 	return 0 if there was an error. */
static inline int
set_ect_ip(struct sk_buff **pskb, const struct ipt_ECN_info *einfo)
{
	if (((*pskb)->nh.iph->tos & IPT_ECN_IP_MASK)
	    != (einfo->ip_ect & IPT_ECN_IP_MASK)) {
		u_int16_t diffs[2];

		if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
			return 0;

		diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
		(*pskb)->nh.iph->tos &= ~IPT_ECN_IP_MASK;
		(*pskb)->nh.iph->tos |= (einfo->ip_ect & IPT_ECN_IP_MASK);
		diffs[1] = htons((*pskb)->nh.iph->tos);
		(*pskb)->nh.iph->check
			= csum_fold(csum_partial((char *)diffs,
						 sizeof(diffs),
						 (*pskb)->nh.iph->check
						 ^0xFFFF));
	} 
	return 1;
}

/* Return 0 if there was an error. */
static inline int
set_ect_tcp(struct sk_buff **pskb, const struct ipt_ECN_info *einfo, int inward)
{
	struct tcphdr _tcph, *tcph;
	u_int16_t diffs[2];

	/* Not enought header? */
	tcph = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
				  sizeof(_tcph), &_tcph);
	if (!tcph)
		return 0;

	if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) ||
	     tcph->ece == einfo->proto.tcp.ece) &&
	    ((!(einfo->operation & IPT_ECN_OP_SET_CWR) ||
	     tcph->cwr == einfo->proto.tcp.cwr)))
		return 1;

	if (!skb_ip_make_writable(pskb, (*pskb)->nh.iph->ihl*4+sizeof(*tcph)))
		return 0;
	tcph = (void *)(*pskb)->nh.iph + (*pskb)->nh.iph->ihl*4;

	if ((*pskb)->ip_summed == CHECKSUM_HW &&
	    skb_checksum_help(*pskb, inward))
		return 0;

	diffs[0] = ((u_int16_t *)tcph)[6];
	if (einfo->operation & IPT_ECN_OP_SET_ECE)
		tcph->ece = einfo->proto.tcp.ece;
	if (einfo->operation & IPT_ECN_OP_SET_CWR)
		tcph->cwr = einfo->proto.tcp.cwr;
	diffs[1] = ((u_int16_t *)tcph)[6];
	diffs[0] = diffs[0] ^ 0xFFFF;

	if ((*pskb)->ip_summed != CHECKSUM_UNNECESSARY)
		tcph->check = csum_fold(csum_partial((char *)diffs,
						     sizeof(diffs),
						     tcph->check^0xFFFF));
	return 1;
}

static unsigned int
target(struct sk_buff **pskb,
       const struct net_device *in,
       const struct net_device *out,
       unsigned int hooknum,
       const void *targinfo,
       void *userinfo)
{
	const struct ipt_ECN_info *einfo = targinfo;

	if (einfo->operation & IPT_ECN_OP_SET_IP)
		if (!set_ect_ip(pskb, einfo))
			return NF_DROP;

	if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR)
	    && (*pskb)->nh.iph->protocol == IPPROTO_TCP)
		if (!set_ect_tcp(pskb, einfo, (out == NULL)))
			return NF_DROP;

	return IPT_CONTINUE;
}

static int
checkentry(const char *tablename,
	   const struct ipt_entry *e,
           void *targinfo,
           unsigned int targinfosize,
           unsigned int hook_mask)
{
	const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;

	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) {
		printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n",
		       targinfosize,
		       IPT_ALIGN(sizeof(struct ipt_ECN_info)));
		return 0;
	}

	if (strcmp(tablename, "mangle") != 0) {
		printk(KERN_WARNING "ECN: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
		return 0;
	}

	if (einfo->operation & IPT_ECN_OP_MASK) {
		printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
			einfo->operation);
		return 0;
	}
	if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
		printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n",
			einfo->ip_ect);
		return 0;
	}

	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
		       "non-tcp rule\n");
		return 0;
	}

	return 1;
}

static struct ipt_target ipt_ecn_reg = {
	.name		= "ECN",
	.target		= target,
	.checkentry	= checkentry,
	.me		= THIS_MODULE,
};

static int __init init(void)
{
	return ipt_register_target(&ipt_ecn_reg);
}

static void __exit fini(void)
{
	ipt_unregister_target(&ipt_ecn_reg);
}

module_init(init);
module_exit(fini);
Commit	Line	Data
1da177e4 LT	1	/* iptables module for the IPv4 and TCP ECN bits, Version 1.5
	2	*
	3	* (C) 2002 by Harald Welte <laforge@netfilter.org>
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License version 2 as
	7	* published by the Free Software Foundation.
	8	*
	9	* ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
	10	*/
	11
	12	#include <linux/module.h>
	13	#include <linux/skbuff.h>
	14	#include <linux/ip.h>
	15	#include <linux/tcp.h>
	16	#include <net/checksum.h>
	17
	18	#include <linux/netfilter_ipv4/ip_tables.h>
	19	#include <linux/netfilter_ipv4/ipt_ECN.h>
	20
	21	MODULE_LICENSE("GPL");
	22	MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
	23	MODULE_DESCRIPTION("iptables ECN modification module");
	24
	25	/* set ECT codepoint from IP header.
	26	* return 0 if there was an error. */
	27	static inline int
	28	set_ect_ip(struct sk_buff *pskb, const struct ipt_ECN_info einfo)
	29	{
	30	if (((*pskb)->nh.iph->tos & IPT_ECN_IP_MASK)
	31	!= (einfo->ip_ect & IPT_ECN_IP_MASK)) {
	32	u_int16_t diffs[2];
	33
	34	if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
	35	return 0;
	36
	37	diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
	38	(*pskb)->nh.iph->tos &= ~IPT_ECN_IP_MASK;
	39	(*pskb)->nh.iph->tos \|= (einfo->ip_ect & IPT_ECN_IP_MASK);
	40	diffs[1] = htons((*pskb)->nh.iph->tos);
	41	(*pskb)->nh.iph->check
	42	= csum_fold(csum_partial((char *)diffs,
	43	sizeof(diffs),
	44	(*pskb)->nh.iph->check
	45	^0xFFFF));
1da177e4 LT	46	}
	47	return 1;
	48	}
	49
	50	/* Return 0 if there was an error. */
	51	static inline int
	52	set_ect_tcp(struct sk_buff *pskb, const struct ipt_ECN_info einfo, int inward)
	53	{
	54	struct tcphdr _tcph, *tcph;
	55	u_int16_t diffs[2];
	56
	57	/* Not enought header? */
	58	tcph = skb_header_pointer(pskb, (pskb)->nh.iph->ihl*4,
	59	sizeof(_tcph), &_tcph);
	60	if (!tcph)
	61	return 0;
	62
fd841326 PM	63	if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) \|\|
	64	tcph->ece == einfo->proto.tcp.ece) &&
	65	((!(einfo->operation & IPT_ECN_OP_SET_CWR) \|\|
	66	tcph->cwr == einfo->proto.tcp.cwr)))
1da177e4 LT	67	return 1;
	68
	69	if (!skb_ip_make_writable(pskb, (pskb)->nh.iph->ihl4+sizeof(*tcph)))
	70	return 0;
	71	tcph = (void )(pskb)->nh.iph + (pskb)->nh.iph->ihl4;
	72
f93592ff PM	73	if ((*pskb)->ip_summed == CHECKSUM_HW &&
	74	skb_checksum_help(*pskb, inward))
	75	return 0;
	76
1da177e4 LT	77	diffs[0] = ((u_int16_t *)tcph)[6];
	78	if (einfo->operation & IPT_ECN_OP_SET_ECE)
	79	tcph->ece = einfo->proto.tcp.ece;
	80	if (einfo->operation & IPT_ECN_OP_SET_CWR)
	81	tcph->cwr = einfo->proto.tcp.cwr;
	82	diffs[1] = ((u_int16_t *)tcph)[6];
	83	diffs[0] = diffs[0] ^ 0xFFFF;
	84
f93592ff	85	if ((*pskb)->ip_summed != CHECKSUM_UNNECESSARY)
1da177e4 LT	86	tcph->check = csum_fold(csum_partial((char *)diffs,
	87	sizeof(diffs),
	88	tcph->check^0xFFFF));
1da177e4 LT	89	return 1;
	90	}
	91
	92	static unsigned int
	93	target(struct sk_buff **pskb,
	94	const struct net_device *in,
	95	const struct net_device *out,
	96	unsigned int hooknum,
	97	const void *targinfo,
	98	void *userinfo)
	99	{
	100	const struct ipt_ECN_info *einfo = targinfo;
	101
	102	if (einfo->operation & IPT_ECN_OP_SET_IP)
	103	if (!set_ect_ip(pskb, einfo))
	104	return NF_DROP;
	105
	106	if (einfo->operation & (IPT_ECN_OP_SET_ECE \| IPT_ECN_OP_SET_CWR)
	107	&& (*pskb)->nh.iph->protocol == IPPROTO_TCP)
	108	if (!set_ect_tcp(pskb, einfo, (out == NULL)))
	109	return NF_DROP;
	110
	111	return IPT_CONTINUE;
	112	}
	113
	114	static int
	115	checkentry(const char *tablename,
	116	const struct ipt_entry *e,
	117	void *targinfo,
	118	unsigned int targinfosize,
	119	unsigned int hook_mask)
	120	{
	121	const struct ipt_ECN_info einfo = (struct ipt_ECN_info )targinfo;
	122
	123	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) {
	124	printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n",
	125	targinfosize,
	126	IPT_ALIGN(sizeof(struct ipt_ECN_info)));
	127	return 0;
	128	}
	129
	130	if (strcmp(tablename, "mangle") != 0) {
	131	printk(KERN_WARNING "ECN: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
	132	return 0;
	133	}
	134
	135	if (einfo->operation & IPT_ECN_OP_MASK) {
	136	printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
	137	einfo->operation);
	138	return 0;
	139	}
	140	if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
	141	printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n",
	142	einfo->ip_ect);
	143	return 0;
	144	}
	145
	146	if ((einfo->operation & (IPT_ECN_OP_SET_ECE\|IPT_ECN_OP_SET_CWR))
	147	&& (e->ip.proto != IPPROTO_TCP \|\| (e->ip.invflags & IPT_INV_PROTO))) {
	148	printk(KERN_WARNING "ECN: cannot use TCP operations on a "
	149	"non-tcp rule\n");
	150	return 0;
	151	}
	152
153	return 1;
154	}
155
156	static struct ipt_target ipt_ecn_reg = {
157	.name = "ECN",
158	.target = target,
159	.checkentry = checkentry,
160	.me = THIS_MODULE,
161	};
162
163	static int __init init(void)
164	{
165	return ipt_register_target(&ipt_ecn_reg);
166	}
167
168	static void __exit fini(void)
169	{
170	ipt_unregister_target(&ipt_ecn_reg);
171	}
172
173	module_init(init);
174	module_exit(fini);