[mirror_ubuntu-bionic-kernel.git] / net / netfilter / xt_TCPMSS.c

/*
 * This is a module which is used for setting the MSS option in TCP packets.
 *
 * Copyright (C) 2000 Marc Boucher <marc@mbsi.ca>
 * Copyright (C) 2007 Patrick McHardy <kaber@trash.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/gfp.h>
#include <linux/ipv6.h>
#include <linux/tcp.h>
#include <net/dst.h>
#include <net/flow.h>
#include <net/ipv6.h>
#include <net/route.h>
#include <net/tcp.h>

#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_tcpudp.h>
#include <linux/netfilter/xt_TCPMSS.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment");
MODULE_ALIAS("ipt_TCPMSS");
MODULE_ALIAS("ip6t_TCPMSS");

static inline unsigned int
optlen(const u_int8_t *opt, unsigned int offset)
{
	/* Beware zero-length options: make finite progress */
	if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
		return 1;
	else
		return opt[offset+1];
}

static int
tcpmss_mangle_packet(struct sk_buff *skb,
		     const struct xt_tcpmss_info *info,
		     unsigned int in_mtu,
		     unsigned int tcphoff,
		     unsigned int minlen)
{
	struct tcphdr *tcph;
	unsigned int tcplen, i;
	__be16 oldval;
	u16 newmss;
	u8 *opt;

	if (!skb_make_writable(skb, skb->len))
		return -1;

	tcplen = skb->len - tcphoff;
	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);

	/* Header cannot be larger than the packet */
	if (tcplen < tcph->doff*4)
		return -1;

	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
		if (dst_mtu(skb_dst(skb)) <= minlen) {
			net_err_ratelimited("unknown or invalid path-MTU (%u)\n",
					    dst_mtu(skb_dst(skb)));
			return -1;
		}
		if (in_mtu <= minlen) {
			net_err_ratelimited("unknown or invalid path-MTU (%u)\n",
					    in_mtu);
			return -1;
		}
		newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen;
	} else
		newmss = info->mss;

	opt = (u_int8_t *)tcph;
	for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
		if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
		    opt[i+1] == TCPOLEN_MSS) {
			u_int16_t oldmss;

			oldmss = (opt[i+2] << 8) | opt[i+3];

			/* Never increase MSS, even when setting it, as
			 * doing so results in problems for hosts that rely
			 * on MSS being set correctly.
			 */
			if (oldmss <= newmss)
				return 0;

			opt[i+2] = (newmss & 0xff00) >> 8;
			opt[i+3] = newmss & 0x00ff;

			inet_proto_csum_replace2(&tcph->check, skb,
						 htons(oldmss), htons(newmss),
						 0);
			return 0;
		}
	}

	/* There is data after the header so the option can't be added
	   without moving it, and doing so may make the SYN packet
	   itself too large. Accept the packet unmodified instead. */
	if (tcplen > tcph->doff*4)
		return 0;

	/*
	 * MSS Option not found ?! add it..
	 */
	if (skb_tailroom(skb) < TCPOLEN_MSS) {
		if (pskb_expand_head(skb, 0,
				     TCPOLEN_MSS - skb_tailroom(skb),
				     GFP_ATOMIC))
			return -1;
		tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
	}

	skb_put(skb, TCPOLEN_MSS);

	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));

	inet_proto_csum_replace2(&tcph->check, skb,
				 htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
	opt[0] = TCPOPT_MSS;
	opt[1] = TCPOLEN_MSS;
	opt[2] = (newmss & 0xff00) >> 8;
	opt[3] = newmss & 0x00ff;

	inet_proto_csum_replace4(&tcph->check, skb, 0, *((__be32 *)opt), 0);

	oldval = ((__be16 *)tcph)[6];
	tcph->doff += TCPOLEN_MSS/4;
	inet_proto_csum_replace2(&tcph->check, skb,
				 oldval, ((__be16 *)tcph)[6], 0);
	return TCPOLEN_MSS;
}

static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
				    unsigned int family)
{
	struct flowi fl;
	const struct nf_afinfo *ai;
	struct rtable *rt = NULL;
	u_int32_t mtu     = ~0U;

	if (family == PF_INET) {
		struct flowi4 *fl4 = &fl.u.ip4;
		memset(fl4, 0, sizeof(*fl4));
		fl4->daddr = ip_hdr(skb)->saddr;
	} else {
		struct flowi6 *fl6 = &fl.u.ip6;

		memset(fl6, 0, sizeof(*fl6));
		fl6->daddr = ipv6_hdr(skb)->saddr;
	}
	rcu_read_lock();
	ai = nf_get_afinfo(family);
	if (ai != NULL)
		ai->route(&init_net, (struct dst_entry **)&rt, &fl, false);
	rcu_read_unlock();

	if (rt != NULL) {
		mtu = dst_mtu(&rt->dst);
		dst_release(&rt->dst);
	}
	return mtu;
}

static unsigned int
tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
	struct iphdr *iph = ip_hdr(skb);
	__be16 newlen;
	int ret;

	ret = tcpmss_mangle_packet(skb, par->targinfo,
				   tcpmss_reverse_mtu(skb, PF_INET),
				   iph->ihl * 4,
				   sizeof(*iph) + sizeof(struct tcphdr));
	if (ret < 0)
		return NF_DROP;
	if (ret > 0) {
		iph = ip_hdr(skb);
		newlen = htons(ntohs(iph->tot_len) + ret);
		csum_replace2(&iph->check, iph->tot_len, newlen);
		iph->tot_len = newlen;
	}
	return XT_CONTINUE;
}

#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
static unsigned int
tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
	struct ipv6hdr *ipv6h = ipv6_hdr(skb);
	u8 nexthdr;
	__be16 frag_off;
	int tcphoff;
	int ret;

	nexthdr = ipv6h->nexthdr;
	tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off);
	if (tcphoff < 0)
		return NF_DROP;
	ret = tcpmss_mangle_packet(skb, par->targinfo,
				   tcpmss_reverse_mtu(skb, PF_INET6),
				   tcphoff,
				   sizeof(*ipv6h) + sizeof(struct tcphdr));
	if (ret < 0)
		return NF_DROP;
	if (ret > 0) {
		ipv6h = ipv6_hdr(skb);
		ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) + ret);
	}
	return XT_CONTINUE;
}
#endif

/* Must specify -p tcp --syn */
static inline bool find_syn_match(const struct xt_entry_match *m)
{
	const struct xt_tcp *tcpinfo = (const struct xt_tcp *)m->data;

	if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
	    tcpinfo->flg_cmp & TCPHDR_SYN &&
	    !(tcpinfo->invflags & XT_TCP_INV_FLAGS))
		return true;

	return false;
}

static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
{
	const struct xt_tcpmss_info *info = par->targinfo;
	const struct ipt_entry *e = par->entryinfo;
	const struct xt_entry_match *ematch;

	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
	    (par->hook_mask & ~((1 << NF_INET_FORWARD) |
			   (1 << NF_INET_LOCAL_OUT) |
			   (1 << NF_INET_POST_ROUTING))) != 0) {
		pr_info("path-MTU clamping only supported in "
			"FORWARD, OUTPUT and POSTROUTING hooks\n");
		return -EINVAL;
	}
	xt_ematch_foreach(ematch, e)
		if (find_syn_match(ematch))
			return 0;
	pr_info("Only works on TCP SYN packets\n");
	return -EINVAL;
}

#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
{
	const struct xt_tcpmss_info *info = par->targinfo;
	const struct ip6t_entry *e = par->entryinfo;
	const struct xt_entry_match *ematch;

	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
	    (par->hook_mask & ~((1 << NF_INET_FORWARD) |
			   (1 << NF_INET_LOCAL_OUT) |
			   (1 << NF_INET_POST_ROUTING))) != 0) {
		pr_info("path-MTU clamping only supported in "
			"FORWARD, OUTPUT and POSTROUTING hooks\n");
		return -EINVAL;
	}
	xt_ematch_foreach(ematch, e)
		if (find_syn_match(ematch))
			return 0;
	pr_info("Only works on TCP SYN packets\n");
	return -EINVAL;
}
#endif

static struct xt_target tcpmss_tg_reg[] __read_mostly = {
	{
		.family		= NFPROTO_IPV4,
		.name		= "TCPMSS",
		.checkentry	= tcpmss_tg4_check,
		.target		= tcpmss_tg4,
		.targetsize	= sizeof(struct xt_tcpmss_info),
		.proto		= IPPROTO_TCP,
		.me		= THIS_MODULE,
	},
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
	{
		.family		= NFPROTO_IPV6,
		.name		= "TCPMSS",
		.checkentry	= tcpmss_tg6_check,
		.target		= tcpmss_tg6,
		.targetsize	= sizeof(struct xt_tcpmss_info),
		.proto		= IPPROTO_TCP,
		.me		= THIS_MODULE,
	},
#endif
};

static int __init tcpmss_tg_init(void)
{
	return xt_register_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
}

static void __exit tcpmss_tg_exit(void)
{
	xt_unregister_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
}

module_init(tcpmss_tg_init);
module_exit(tcpmss_tg_exit);
Commit	Line	Data
cdd289a2 PM	1	/*
	2	* This is a module which is used for setting the MSS option in TCP packets.
	3	*
	4	* Copyright (C) 2000 Marc Boucher <marc@mbsi.ca>
f229f6ce	5	* Copyright (C) 2007 Patrick McHardy <kaber@trash.net>
cdd289a2 PM	6	*
	7	* This program is free software; you can redistribute it and/or modify
	8	* it under the terms of the GNU General Public License version 2 as
	9	* published by the Free Software Foundation.
	10	*/
8bee4bad	11	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
cdd289a2 PM	12	#include <linux/module.h>
	13	#include <linux/skbuff.h>
	14	#include <linux/ip.h>
5a0e3ad6	15	#include <linux/gfp.h>
cdd289a2 PM	16	#include <linux/ipv6.h>
cdd289a2 PM	17	#include <linux/tcp.h>
37c08387 JE	18	#include <net/dst.h>
37c08387 JE	19	#include <net/flow.h>
cdd289a2	20	#include <net/ipv6.h>
37c08387	21	#include <net/route.h>
cdd289a2 PM	22	#include <net/tcp.h>
	23
	24	#include <linux/netfilter_ipv4/ip_tables.h>
	25	#include <linux/netfilter_ipv6/ip6_tables.h>
	26	#include <linux/netfilter/x_tables.h>
	27	#include <linux/netfilter/xt_tcpudp.h>
	28	#include <linux/netfilter/xt_TCPMSS.h>
	29
	30	MODULE_LICENSE("GPL");
	31	MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
2ae15b64	32	MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment");
cdd289a2 PM	33	MODULE_ALIAS("ipt_TCPMSS");
	34	MODULE_ALIAS("ip6t_TCPMSS");
	35
	36	static inline unsigned int
	37	optlen(const u_int8_t *opt, unsigned int offset)
	38	{
	39	/* Beware zero-length options: make finite progress */
	40	if (opt[offset] <= TCPOPT_NOP \|\| opt[offset+1] == 0)
	41	return 1;
	42	else
	43	return opt[offset+1];
	44	}
	45
	46	static int
3db05fea	47	tcpmss_mangle_packet(struct sk_buff *skb,
cdd289a2	48	const struct xt_tcpmss_info *info,
37c08387	49	unsigned int in_mtu,
cdd289a2 PM	50	unsigned int tcphoff,
	51	unsigned int minlen)
	52	{
	53	struct tcphdr *tcph;
	54	unsigned int tcplen, i;
	55	__be16 oldval;
	56	u16 newmss;
	57	u8 *opt;
	58
3db05fea	59	if (!skb_make_writable(skb, skb->len))
cdd289a2 PM	60	return -1;
cdd289a2 PM	61
3db05fea HX	62	tcplen = skb->len - tcphoff;
3db05fea HX	63	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
cdd289a2	64
10a19939 SA	65	/* Header cannot be larger than the packet */
10a19939 SA	66	if (tcplen < tcph->doff*4)
cdd289a2	67	return -1;
cdd289a2 PM	68
cdd289a2 PM	69	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
adf30907	70	if (dst_mtu(skb_dst(skb)) <= minlen) {
e87cc472 JP	71	net_err_ratelimited("unknown or invalid path-MTU (%u)\n",
e87cc472 JP	72	dst_mtu(skb_dst(skb)));
cdd289a2 PM	73	return -1;
cdd289a2 PM	74	}
37c08387	75	if (in_mtu <= minlen) {
e87cc472 JP	76	net_err_ratelimited("unknown or invalid path-MTU (%u)\n",
e87cc472 JP	77	in_mtu);
37c08387 JE	78	return -1;
37c08387 JE	79	}
adf30907	80	newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen;
cdd289a2 PM	81	} else
	82	newmss = info->mss;
	83
	84	opt = (u_int8_t *)tcph;
	85	for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
	86	if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
	87	opt[i+1] == TCPOLEN_MSS) {
	88	u_int16_t oldmss;
	89
	90	oldmss = (opt[i+2] << 8) \| opt[i+3];
	91
17008064 BL	92	/* Never increase MSS, even when setting it, as
	93	* doing so results in problems for hosts that rely
	94	* on MSS being set correctly.
	95	*/
	96	if (oldmss <= newmss)
cdd289a2 PM	97	return 0;
	98
	99	opt[i+2] = (newmss & 0xff00) >> 8;
7c4e36bc	100	opt[i+3] = newmss & 0x00ff;
cdd289a2	101
be0ea7d5 PM	102	inet_proto_csum_replace2(&tcph->check, skb,
	103	htons(oldmss), htons(newmss),
	104	0);
cdd289a2 PM	105	return 0;
	106	}
	107	}
	108
10a19939 SA	109	/* There is data after the header so the option can't be added
	110	without moving it, and doing so may make the SYN packet
	111	itself too large. Accept the packet unmodified instead. */
	112	if (tcplen > tcph->doff*4)
	113	return 0;
	114
cdd289a2 PM	115	/*
	116	* MSS Option not found ?! add it..
	117	*/
3db05fea HX	118	if (skb_tailroom(skb) < TCPOLEN_MSS) {
	119	if (pskb_expand_head(skb, 0,
	120	TCPOLEN_MSS - skb_tailroom(skb),
2ca7b0ac	121	GFP_ATOMIC))
cdd289a2	122	return -1;
3db05fea	123	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
cdd289a2 PM	124	}
cdd289a2 PM	125
3db05fea	126	skb_put(skb, TCPOLEN_MSS);
cdd289a2 PM	127
	128	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
	129	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
	130
be0ea7d5 PM	131	inet_proto_csum_replace2(&tcph->check, skb,
be0ea7d5 PM	132	htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
cdd289a2 PM	133	opt[0] = TCPOPT_MSS;
	134	opt[1] = TCPOLEN_MSS;
	135	opt[2] = (newmss & 0xff00) >> 8;
7c4e36bc	136	opt[3] = newmss & 0x00ff;
cdd289a2	137
be0ea7d5	138	inet_proto_csum_replace4(&tcph->check, skb, 0, ((__be32 )opt), 0);
cdd289a2 PM	139
	140	oldval = ((__be16 *)tcph)[6];
	141	tcph->doff += TCPOLEN_MSS/4;
be0ea7d5 PM	142	inet_proto_csum_replace2(&tcph->check, skb,
be0ea7d5 PM	143	oldval, ((__be16 *)tcph)[6], 0);
cdd289a2 PM	144	return TCPOLEN_MSS;
	145	}
	146
db1a75bd JE	147	static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
db1a75bd JE	148	unsigned int family)
37c08387	149	{
a1bbb0e6	150	struct flowi fl;
37c08387 JE	151	const struct nf_afinfo *ai;
	152	struct rtable *rt = NULL;
	153	u_int32_t mtu = ~0U;
	154
a1bbb0e6 DM	155	if (family == PF_INET) {
	156	struct flowi4 *fl4 = &fl.u.ip4;
	157	memset(fl4, 0, sizeof(*fl4));
	158	fl4->daddr = ip_hdr(skb)->saddr;
	159	} else {
	160	struct flowi6 *fl6 = &fl.u.ip6;
db1a75bd	161
a1bbb0e6	162	memset(fl6, 0, sizeof(*fl6));
4e3fd7a0	163	fl6->daddr = ipv6_hdr(skb)->saddr;
a1bbb0e6	164	}
37c08387	165	rcu_read_lock();
db1a75bd	166	ai = nf_get_afinfo(family);
37c08387	167	if (ai != NULL)
0fae2e77	168	ai->route(&init_net, (struct dst_entry **)&rt, &fl, false);
37c08387 JE	169	rcu_read_unlock();
	170
	171	if (rt != NULL) {
d8d1f30b CG	172	mtu = dst_mtu(&rt->dst);
d8d1f30b CG	173	dst_release(&rt->dst);
37c08387 JE	174	}
	175	return mtu;
	176	}
	177
cdd289a2	178	static unsigned int
4b560b44	179	tcpmss_tg4(struct sk_buff skb, const struct xt_action_param par)
cdd289a2	180	{
3db05fea	181	struct iphdr *iph = ip_hdr(skb);
cdd289a2 PM	182	__be16 newlen;
	183	int ret;
	184
7eb35586	185	ret = tcpmss_mangle_packet(skb, par->targinfo,
db1a75bd	186	tcpmss_reverse_mtu(skb, PF_INET),
37c08387	187	iph->ihl * 4,
cdd289a2 PM	188	sizeof(*iph) + sizeof(struct tcphdr));
	189	if (ret < 0)
	190	return NF_DROP;
	191	if (ret > 0) {
3db05fea	192	iph = ip_hdr(skb);
cdd289a2	193	newlen = htons(ntohs(iph->tot_len) + ret);
be0ea7d5	194	csum_replace2(&iph->check, iph->tot_len, newlen);
cdd289a2 PM	195	iph->tot_len = newlen;
	196	}
	197	return XT_CONTINUE;
	198	}
	199
c0cd1156	200	#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
cdd289a2	201	static unsigned int
4b560b44	202	tcpmss_tg6(struct sk_buff skb, const struct xt_action_param par)
cdd289a2	203	{
3db05fea	204	struct ipv6hdr *ipv6h = ipv6_hdr(skb);
cdd289a2	205	u8 nexthdr;
75f2811c	206	__be16 frag_off;
cdd289a2 PM	207	int tcphoff;
	208	int ret;
	209
	210	nexthdr = ipv6h->nexthdr;
75f2811c	211	tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off);
9dc0564e	212	if (tcphoff < 0)
cdd289a2	213	return NF_DROP;
7eb35586	214	ret = tcpmss_mangle_packet(skb, par->targinfo,
db1a75bd	215	tcpmss_reverse_mtu(skb, PF_INET6),
37c08387	216	tcphoff,
cdd289a2 PM	217	sizeof(*ipv6h) + sizeof(struct tcphdr));
	218	if (ret < 0)
	219	return NF_DROP;
	220	if (ret > 0) {
3db05fea	221	ipv6h = ipv6_hdr(skb);
cdd289a2 PM	222	ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) + ret);
	223	}
	224	return XT_CONTINUE;
	225	}
	226	#endif
	227
cdd289a2	228	/* Must specify -p tcp --syn */
e1931b78	229	static inline bool find_syn_match(const struct xt_entry_match *m)
cdd289a2 PM	230	{
	231	const struct xt_tcp tcpinfo = (const struct xt_tcp )m->data;
	232
	233	if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
a3433f35	234	tcpinfo->flg_cmp & TCPHDR_SYN &&
cdd289a2	235	!(tcpinfo->invflags & XT_TCP_INV_FLAGS))
e1931b78	236	return true;
cdd289a2	237
e1931b78	238	return false;
cdd289a2 PM	239	}
cdd289a2 PM	240
135367b8	241	static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
cdd289a2	242	{
af5d6dc2 JE	243	const struct xt_tcpmss_info *info = par->targinfo;
af5d6dc2 JE	244	const struct ipt_entry *e = par->entryinfo;
dcea992a	245	const struct xt_entry_match *ematch;
cdd289a2 PM	246
cdd289a2 PM	247	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
af5d6dc2	248	(par->hook_mask & ~((1 << NF_INET_FORWARD) \|
6e23ae2a PM	249	(1 << NF_INET_LOCAL_OUT) \|
6e23ae2a PM	250	(1 << NF_INET_POST_ROUTING))) != 0) {
8bee4bad JE	251	pr_info("path-MTU clamping only supported in "
8bee4bad JE	252	"FORWARD, OUTPUT and POSTROUTING hooks\n");
d6b00a53	253	return -EINVAL;
cdd289a2	254	}
dcea992a JE	255	xt_ematch_foreach(ematch, e)
dcea992a JE	256	if (find_syn_match(ematch))
d6b00a53	257	return 0;
8bee4bad	258	pr_info("Only works on TCP SYN packets\n");
d6b00a53	259	return -EINVAL;
cdd289a2 PM	260	}
cdd289a2 PM	261
c0cd1156	262	#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
135367b8	263	static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
cdd289a2	264	{
af5d6dc2 JE	265	const struct xt_tcpmss_info *info = par->targinfo;
af5d6dc2 JE	266	const struct ip6t_entry *e = par->entryinfo;
dcea992a	267	const struct xt_entry_match *ematch;
cdd289a2 PM	268
cdd289a2 PM	269	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
af5d6dc2	270	(par->hook_mask & ~((1 << NF_INET_FORWARD) \|
6e23ae2a PM	271	(1 << NF_INET_LOCAL_OUT) \|
6e23ae2a PM	272	(1 << NF_INET_POST_ROUTING))) != 0) {
8bee4bad JE	273	pr_info("path-MTU clamping only supported in "
8bee4bad JE	274	"FORWARD, OUTPUT and POSTROUTING hooks\n");
d6b00a53	275	return -EINVAL;
cdd289a2	276	}
dcea992a JE	277	xt_ematch_foreach(ematch, e)
dcea992a JE	278	if (find_syn_match(ematch))
d6b00a53	279	return 0;
8bee4bad	280	pr_info("Only works on TCP SYN packets\n");
d6b00a53	281	return -EINVAL;
cdd289a2 PM	282	}
	283	#endif
	284
d3c5ee6d	285	static struct xt_target tcpmss_tg_reg[] __read_mostly = {
cdd289a2	286	{
ee999d8b	287	.family = NFPROTO_IPV4,
cdd289a2	288	.name = "TCPMSS",
d3c5ee6d JE	289	.checkentry = tcpmss_tg4_check,
d3c5ee6d JE	290	.target = tcpmss_tg4,
cdd289a2 PM	291	.targetsize = sizeof(struct xt_tcpmss_info),
	292	.proto = IPPROTO_TCP,
	293	.me = THIS_MODULE,
	294	},
c0cd1156	295	#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
cdd289a2	296	{
ee999d8b	297	.family = NFPROTO_IPV6,
cdd289a2	298	.name = "TCPMSS",
d3c5ee6d JE	299	.checkentry = tcpmss_tg6_check,
d3c5ee6d JE	300	.target = tcpmss_tg6,
cdd289a2 PM	301	.targetsize = sizeof(struct xt_tcpmss_info),
	302	.proto = IPPROTO_TCP,
	303	.me = THIS_MODULE,
	304	},
	305	#endif
	306	};
	307
d3c5ee6d	308	static int __init tcpmss_tg_init(void)
cdd289a2	309	{
d3c5ee6d	310	return xt_register_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
cdd289a2 PM	311	}
cdd289a2 PM	312
d3c5ee6d	313	static void __exit tcpmss_tg_exit(void)
cdd289a2	314	{
d3c5ee6d	315	xt_unregister_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
cdd289a2 PM	316	}
cdd289a2 PM	317
d3c5ee6d JE	318	module_init(tcpmss_tg_init);
d3c5ee6d JE	319	module_exit(tcpmss_tg_exit);