[net-next-2.6.git] / net / ipv4 / netfilter / ipt_ECN.c

/* iptables module for the IPv4 and TCP ECN bits, Version 1.5
 *
 * (C) 2002 by Harald Welte <laforge@netfilter.org>
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as 
 * published by the Free Software Foundation.
 *
 * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
*/

#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <net/checksum.h>

#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_ECN.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("iptables ECN modification module");

/* set ECT codepoint from IP header.
 * 	return 0 if there was an error. */
static inline int
set_ect_ip(struct sk_buff **pskb, const struct ipt_ECN_info *einfo)
{
	if (((*pskb)->nh.iph->tos & IPT_ECN_IP_MASK)
	    != (einfo->ip_ect & IPT_ECN_IP_MASK)) {
		u_int16_t diffs[2];

		if (!skb_make_writable(pskb, sizeof(struct iphdr)))
			return 0;

		diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
		(*pskb)->nh.iph->tos &= ~IPT_ECN_IP_MASK;
		(*pskb)->nh.iph->tos |= (einfo->ip_ect & IPT_ECN_IP_MASK);
		diffs[1] = htons((*pskb)->nh.iph->tos);
		(*pskb)->nh.iph->check
			= csum_fold(csum_partial((char *)diffs,
						 sizeof(diffs),
						 (*pskb)->nh.iph->check
						 ^0xFFFF));
	} 
	return 1;
}

/* Return 0 if there was an error. */
static inline int
set_ect_tcp(struct sk_buff **pskb, const struct ipt_ECN_info *einfo)
{
	struct tcphdr _tcph, *tcph;
	u_int16_t diffs[2];

	/* Not enought header? */
	tcph = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
				  sizeof(_tcph), &_tcph);
	if (!tcph)
		return 0;

	if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) ||
	     tcph->ece == einfo->proto.tcp.ece) &&
	    ((!(einfo->operation & IPT_ECN_OP_SET_CWR) ||
	     tcph->cwr == einfo->proto.tcp.cwr)))
		return 1;

	if (!skb_make_writable(pskb, (*pskb)->nh.iph->ihl*4+sizeof(*tcph)))
		return 0;
	tcph = (void *)(*pskb)->nh.iph + (*pskb)->nh.iph->ihl*4;

	if (((*pskb)->ip_summed == CHECKSUM_PARTIAL ||
	     (*pskb)->ip_summed == CHECKSUM_COMPLETE) &&
	    skb_checksum_help(*pskb))
		return 0;

	diffs[0] = ((u_int16_t *)tcph)[6];
	if (einfo->operation & IPT_ECN_OP_SET_ECE)
		tcph->ece = einfo->proto.tcp.ece;
	if (einfo->operation & IPT_ECN_OP_SET_CWR)
		tcph->cwr = einfo->proto.tcp.cwr;
	diffs[1] = ((u_int16_t *)tcph)[6];
	diffs[0] = diffs[0] ^ 0xFFFF;

	if ((*pskb)->ip_summed != CHECKSUM_UNNECESSARY)
		tcph->check = csum_fold(csum_partial((char *)diffs,
						     sizeof(diffs),
						     tcph->check^0xFFFF));
	return 1;
}

static unsigned int
target(struct sk_buff **pskb,
       const struct net_device *in,
       const struct net_device *out,
       unsigned int hooknum,
       const struct xt_target *target,
       const void *targinfo,
       void *userinfo)
{
	const struct ipt_ECN_info *einfo = targinfo;

	if (einfo->operation & IPT_ECN_OP_SET_IP)
		if (!set_ect_ip(pskb, einfo))
			return NF_DROP;

	if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR)
	    && (*pskb)->nh.iph->protocol == IPPROTO_TCP)
		if (!set_ect_tcp(pskb, einfo))
			return NF_DROP;

	return IPT_CONTINUE;
}

static int
checkentry(const char *tablename,
	   const void *e_void,
	   const struct xt_target *target,
           void *targinfo,
           unsigned int targinfosize,
           unsigned int hook_mask)
{
	const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
	const struct ipt_entry *e = e_void;

	if (einfo->operation & IPT_ECN_OP_MASK) {
		printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
			einfo->operation);
		return 0;
	}
	if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
		printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n",
			einfo->ip_ect);
		return 0;
	}
	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
		       "non-tcp rule\n");
		return 0;
	}
	return 1;
}

static struct ipt_target ipt_ecn_reg = {
	.name		= "ECN",
	.target		= target,
	.targetsize	= sizeof(struct ipt_ECN_info),
	.table		= "mangle",
	.checkentry	= checkentry,
	.me		= THIS_MODULE,
};

static int __init ipt_ecn_init(void)
{
	return ipt_register_target(&ipt_ecn_reg);
}

static void __exit ipt_ecn_fini(void)
{
	ipt_unregister_target(&ipt_ecn_reg);
}

module_init(ipt_ecn_init);
module_exit(ipt_ecn_fini);
Commit	Line	Data
1da177e4 LT	1	/* iptables module for the IPv4 and TCP ECN bits, Version 1.5
	2	*
	3	* (C) 2002 by Harald Welte <laforge@netfilter.org>
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License version 2 as
	7	* published by the Free Software Foundation.
	8	*
	9	* ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
	10	*/
	11
	12	#include <linux/module.h>
	13	#include <linux/skbuff.h>
	14	#include <linux/ip.h>
	15	#include <linux/tcp.h>
	16	#include <net/checksum.h>
	17
	18	#include <linux/netfilter_ipv4/ip_tables.h>
	19	#include <linux/netfilter_ipv4/ipt_ECN.h>
	20
	21	MODULE_LICENSE("GPL");
	22	MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
	23	MODULE_DESCRIPTION("iptables ECN modification module");
	24
	25	/* set ECT codepoint from IP header.
	26	* return 0 if there was an error. */
	27	static inline int
	28	set_ect_ip(struct sk_buff *pskb, const struct ipt_ECN_info einfo)
	29	{
	30	if (((*pskb)->nh.iph->tos & IPT_ECN_IP_MASK)
	31	!= (einfo->ip_ect & IPT_ECN_IP_MASK)) {
	32	u_int16_t diffs[2];
	33
089af26c	34	if (!skb_make_writable(pskb, sizeof(struct iphdr)))
1da177e4 LT	35	return 0;
	36
	37	diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
	38	(*pskb)->nh.iph->tos &= ~IPT_ECN_IP_MASK;
	39	(*pskb)->nh.iph->tos \|= (einfo->ip_ect & IPT_ECN_IP_MASK);
	40	diffs[1] = htons((*pskb)->nh.iph->tos);
	41	(*pskb)->nh.iph->check
	42	= csum_fold(csum_partial((char *)diffs,
	43	sizeof(diffs),
	44	(*pskb)->nh.iph->check
	45	^0xFFFF));
1da177e4 LT	46	}
	47	return 1;
	48	}
	49
	50	/* Return 0 if there was an error. */
	51	static inline int
84fa7933	52	set_ect_tcp(struct sk_buff *pskb, const struct ipt_ECN_info einfo)
1da177e4 LT	53	{
	54	struct tcphdr _tcph, *tcph;
	55	u_int16_t diffs[2];
	56
	57	/* Not enought header? */
	58	tcph = skb_header_pointer(pskb, (pskb)->nh.iph->ihl*4,
	59	sizeof(_tcph), &_tcph);
	60	if (!tcph)
	61	return 0;
	62
fd841326 PM	63	if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) \|\|
	64	tcph->ece == einfo->proto.tcp.ece) &&
	65	((!(einfo->operation & IPT_ECN_OP_SET_CWR) \|\|
	66	tcph->cwr == einfo->proto.tcp.cwr)))
1da177e4 LT	67	return 1;
1da177e4 LT	68
089af26c	69	if (!skb_make_writable(pskb, (pskb)->nh.iph->ihl4+sizeof(*tcph)))
1da177e4 LT	70	return 0;
	71	tcph = (void )(pskb)->nh.iph + (pskb)->nh.iph->ihl4;
	72
84fa7933 PM	73	if (((*pskb)->ip_summed == CHECKSUM_PARTIAL \|\|
	74	(*pskb)->ip_summed == CHECKSUM_COMPLETE) &&
	75	skb_checksum_help(*pskb))
f93592ff PM	76	return 0;
f93592ff PM	77
1da177e4 LT	78	diffs[0] = ((u_int16_t *)tcph)[6];
	79	if (einfo->operation & IPT_ECN_OP_SET_ECE)
	80	tcph->ece = einfo->proto.tcp.ece;
	81	if (einfo->operation & IPT_ECN_OP_SET_CWR)
	82	tcph->cwr = einfo->proto.tcp.cwr;
	83	diffs[1] = ((u_int16_t *)tcph)[6];
	84	diffs[0] = diffs[0] ^ 0xFFFF;
	85
f93592ff	86	if ((*pskb)->ip_summed != CHECKSUM_UNNECESSARY)
1da177e4 LT	87	tcph->check = csum_fold(csum_partial((char *)diffs,
	88	sizeof(diffs),
	89	tcph->check^0xFFFF));
1da177e4 LT	90	return 1;
	91	}
	92
	93	static unsigned int
	94	target(struct sk_buff **pskb,
	95	const struct net_device *in,
	96	const struct net_device *out,
	97	unsigned int hooknum,
c4986734	98	const struct xt_target *target,
1da177e4 LT	99	const void *targinfo,
	100	void *userinfo)
	101	{
	102	const struct ipt_ECN_info *einfo = targinfo;
	103
	104	if (einfo->operation & IPT_ECN_OP_SET_IP)
	105	if (!set_ect_ip(pskb, einfo))
	106	return NF_DROP;
	107
	108	if (einfo->operation & (IPT_ECN_OP_SET_ECE \| IPT_ECN_OP_SET_CWR)
	109	&& (*pskb)->nh.iph->protocol == IPPROTO_TCP)
84fa7933	110	if (!set_ect_tcp(pskb, einfo))
1da177e4 LT	111	return NF_DROP;
	112
	113	return IPT_CONTINUE;
	114	}
	115
	116	static int
	117	checkentry(const char *tablename,
2e4e6a17	118	const void *e_void,
c4986734	119	const struct xt_target *target,
1da177e4 LT	120	void *targinfo,
	121	unsigned int targinfosize,
	122	unsigned int hook_mask)
	123	{
	124	const struct ipt_ECN_info einfo = (struct ipt_ECN_info )targinfo;
2e4e6a17	125	const struct ipt_entry *e = e_void;
1da177e4	126
1da177e4 LT	127	if (einfo->operation & IPT_ECN_OP_MASK) {
	128	printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
	129	einfo->operation);
	130	return 0;
	131	}
	132	if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
	133	printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n",
	134	einfo->ip_ect);
	135	return 0;
	136	}
1da177e4 LT	137	if ((einfo->operation & (IPT_ECN_OP_SET_ECE\|IPT_ECN_OP_SET_CWR))
	138	&& (e->ip.proto != IPPROTO_TCP \|\| (e->ip.invflags & IPT_INV_PROTO))) {
	139	printk(KERN_WARNING "ECN: cannot use TCP operations on a "
	140	"non-tcp rule\n");
	141	return 0;
	142	}
1da177e4 LT	143	return 1;
	144	}
	145
	146	static struct ipt_target ipt_ecn_reg = {
	147	.name = "ECN",
	148	.target = target,
1d5cd909 PM	149	.targetsize = sizeof(struct ipt_ECN_info),
1d5cd909 PM	150	.table = "mangle",
1da177e4 LT	151	.checkentry = checkentry,
	152	.me = THIS_MODULE,
	153	};
	154
65b4b4e8	155	static int __init ipt_ecn_init(void)
1da177e4 LT	156	{
	157	return ipt_register_target(&ipt_ecn_reg);
	158	}
	159
65b4b4e8	160	static void __exit ipt_ecn_fini(void)
1da177e4 LT	161	{
	162	ipt_unregister_target(&ipt_ecn_reg);
	163	}
	164
65b4b4e8 AM	165	module_init(ipt_ecn_init);
65b4b4e8 AM	166	module_exit(ipt_ecn_fini);