d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* Kernel module to match TCP MSS values. */ |
3 | ||
4 | /* Copyright (C) 2000 Marc Boucher <marc@mbsi.ca> | |
2e4e6a17 | 5 | * Portions (C) 2005 by Harald Welte <laforge@netfilter.org> |
6 | */ |
7 | ||
8 | #include <linux/module.h> | |
9 | #include <linux/skbuff.h> | |
10 | #include <net/tcp.h> | |
11 | ||
12 | #include <linux/netfilter/xt_tcpmss.h> |
13 | #include <linux/netfilter/x_tables.h> | |
14 | ||
1da177e4 | 15 | #include <linux/netfilter_ipv4/ip_tables.h> |
2e4e6a17 | 16 | #include <linux/netfilter_ipv6/ip6_tables.h> |
1da177e4 | 17 | |
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("Xtables: TCP MSS match");
/* Per-family legacy names; presumably kept so that requests for the old
 * ipt_/ip6t_ module names still resolve to this xtables module — confirm. */
MODULE_ALIAS("ipt_tcpmss");
MODULE_ALIAS("ip6t_tcpmss");
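/*
 * tcpmss_mt - match the MSS value carried in the TCP option block
 * @skb: packet under inspection
 * @par: xtables match parameters; par->thoff is the transport header
 *       offset and par->matchinfo the rule's struct xt_tcpmss_match_info
 *
 * Walks the TCP options looking for an MSS option (kind TCPOPT_MSS with
 * length TCPOLEN_MSS) and reports whether its value lies within
 * [mss_min, mss_max], XORed with the rule's invert flag.  A packet whose
 * TCP header cannot be read in full, whose data offset is smaller than
 * the fixed header, or whose option block is truncated is hot-dropped
 * (par->hotdrop = true) rather than passed on unmatched.  Packets without
 * an MSS option yield info->invert, i.e. they match only for "! --mss".
 *
 * Return: true if the rule matches, false otherwise (always false when
 * the packet has been hot-dropped).
 */
static bool
tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
	const struct xt_tcpmss_match_info *info = par->matchinfo;
	const struct tcphdr *th;
	struct tcphdr _tcph;
	/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
	const u_int8_t *op;
	u8 _opt[15 * 4 - sizeof(_tcph)];
	unsigned int i, optlen;

	/* If we don't have the whole header, drop packet. */
	th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
	if (th == NULL)
		goto dropit;

	/* Malformed. */
	if (th->doff*4 < sizeof(*th))
		goto dropit;

	optlen = th->doff*4 - sizeof(*th);
	if (!optlen)
		goto out;

	/* Truncated options. */
	op = skb_header_pointer(skb, par->thoff + sizeof(*th), optlen, _opt);
	if (op == NULL)
		goto dropit;

	for (i = 0; i < optlen; ) {
		/* Only accept a well-formed MSS option that fits entirely
		 * inside the option block; the length check precedes the
		 * reads of op[i+1..i+3]. */
		if (op[i] == TCPOPT_MSS
		    && (optlen - i) >= TCPOLEN_MSS
		    && op[i+1] == TCPOLEN_MSS) {
			u_int16_t mssval;

			mssval = (op[i+2] << 8) | op[i+3];

			return (mssval >= info->mss_min &&
				mssval <= info->mss_max) ^ info->invert;
		}
		/*
		 * Kinds 0 (EOL) and 1 (NOP) are single bytes; every other
		 * kind carries a length byte.  Only read that length byte
		 * when it lies inside the option block: a multi-byte kind in
		 * the last position would otherwise read op[optlen], one
		 * byte past the data copied into _opt.  A zero length byte
		 * is stepped over as 1 so the loop always makes progress.
		 */
		if (op[i] < 2 || i + 1 >= optlen)
			i++;
		else
			i += op[i+1] ? : 1;
	}
out:
	return info->invert;

dropit:
	par->hotdrop = true;
	return false;
}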
76 | ||
/*
 * One xt_match entry per address family.  Both share the same match
 * callback and rule layout; .proto = IPPROTO_TCP restricts the match to
 * TCP so tcpmss_mt() is not invoked on another transport header
 * (enforced by the xtables core, presumably at rule check time — confirm).
 */
static struct xt_match tcpmss_mt_reg[] __read_mostly = {
	{
		.name		= "tcpmss",
		.family		= NFPROTO_IPV4,
		.match		= tcpmss_mt,
		.matchsize	= sizeof(struct xt_tcpmss_match_info),
		.proto		= IPPROTO_TCP,
		.me		= THIS_MODULE,
	},
	{
		.name		= "tcpmss",
		.family		= NFPROTO_IPV6,
		.match		= tcpmss_mt,
		.matchsize	= sizeof(struct xt_tcpmss_match_info),
		.proto		= IPPROTO_TCP,
		.me		= THIS_MODULE,
	},
};
95 | ||
/*
 * tcpmss_mt_init - register the IPv4 and IPv6 "tcpmss" match entries
 *
 * Return: the result of xt_register_matches() (0 on success).
 */
static int __init tcpmss_mt_init(void)
{
	int ret;

	ret = xt_register_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg));
	return ret;
}
100 | ||
/* tcpmss_mt_exit - unregister both entries registered by tcpmss_mt_init(). */
static void __exit tcpmss_mt_exit(void)
{
	xt_unregister_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg));
}
105 | ||
/* Module entry and exit points. */
module_init(tcpmss_mt_init);
module_exit(tcpmss_mt_exit);