1 | /* Kernel module to match TCP MSS values. */ |
2 | ||
3 | /* Copyright (C) 2000 Marc Boucher <marc@mbsi.ca> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | */ | |
9 | ||
10 | #include <linux/module.h> | |
11 | #include <linux/skbuff.h> | |
12 | #include <net/tcp.h> | |
13 | ||
14 | #include <linux/netfilter_ipv4/ipt_tcpmss.h> | |
15 | #include <linux/netfilter_ipv4/ip_tables.h> | |
16 | ||
17 | #define TH_SYN 0x02 | |
18 | ||
/* Module metadata exported through modinfo. */
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("iptables TCP MSS match module");
MODULE_LICENSE("GPL");
22 | ||
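/*
 * Scan the TCP options of @skb for an MSS option and compare its value
 * against the closed range [@min, @max].
 *
 * Returns (in-range) ^ @invert when an MSS option is found, @invert when the
 * options carry no MSS option (including the no-options case), and 0 with
 * *@hotdrop set to 1 when the packet is malformed: the fixed TCP header is
 * not present in full, doff points inside the fixed header, or the option
 * area is truncated.
 */
static inline int
mssoption_match(u_int16_t min, u_int16_t max,
		const struct sk_buff *skb,
		int invert,
		int *hotdrop)
{
	struct tcphdr _tcph, *th;
	/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
	u8 _opt[15 * 4 - sizeof(_tcph)], *op;
	unsigned int i, optlen;

	/* If we don't have the whole header, drop packet. */
	th = skb_header_pointer(skb, skb->nh.iph->ihl * 4,
				sizeof(_tcph), &_tcph);
	if (th == NULL)
		goto dropit;

	/* Malformed: data offset smaller than the fixed header. */
	if (th->doff*4 < sizeof(*th))
		goto dropit;

	optlen = th->doff*4 - sizeof(*th);
	if (!optlen)
		goto out;

	/* Truncated options. */
	op = skb_header_pointer(skb, skb->nh.iph->ihl * 4 + sizeof(*th),
				optlen, _opt);
	if (op == NULL)
		goto dropit;

	for (i = 0; i < optlen; ) {
		/* Kind, length and the 2-byte value must all lie inside optlen. */
		if (op[i] == TCPOPT_MSS
		    && (optlen - i) >= TCPOLEN_MSS
		    && op[i+1] == TCPOLEN_MSS) {
			u_int16_t mssval;

			mssval = (op[i+2] << 8) | op[i+3];

			return (mssval >= min && mssval <= max) ^ invert;
		}
		/* Kinds 0 (EOL) and 1 (NOP) are single-byte options. */
		if (op[i] < 2) {
			i++;
			continue;
		}
		/*
		 * Every other kind carries a length byte at op[i+1].  When the
		 * kind byte is the very last byte of the option area that
		 * length byte lies past optlen -- and, when optlen fills _opt,
		 * past the end of that stack buffer -- so treat it as the end
		 * of the options instead of reading it.
		 */
		if (i + 1 >= optlen)
			break;
		/* A zero length would never advance; step over it. */
		i += op[i+1] ?: 1;
	}
out:
	return invert;

dropit:
	*hotdrop = 1;
	return 0;
}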
75 | ||
/*
 * ipt_match entry point: unpack the rule's tcpmss parameters and defer to
 * mssoption_match().  @in, @out and @offset are not consulted here.
 * NOTE(review): nothing in this file rejects non-first IP fragments
 * (@offset != 0); presumably the tcp protocol match runs before this one
 * and does so -- confirm against the ip_tables core.
 */
static int
match(const struct sk_buff *skb,
      const struct net_device *in,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
      int *hotdrop)
{
	const struct ipt_tcpmss_match_info *info = matchinfo;
	int rc;

	rc = mssoption_match(info->mss_min, info->mss_max, skb,
			     info->invert, hotdrop);
	return rc;
}
89 | ||
/*
 * Rule-load validation.  Rejects a matchinfo of unexpected size and any
 * rule that is not restricted to (non-inverted) TCP, since the match parses
 * a TCP header.  Returns 1 to accept the rule, 0 to reject it.
 */
static int
checkentry(const char *tablename,
	   const struct ipt_ip *ip,
	   void *matchinfo,
	   unsigned int matchsize,
	   unsigned int hook_mask)
{
	int tcp_only;

	if (matchsize != IPT_ALIGN(sizeof(struct ipt_tcpmss_match_info)))
		return 0;

	/* Must specify -p tcp */
	tcp_only = ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO);
	if (tcp_only)
		return 1;

	printk("tcpmss: Only works on TCP packets\n");
	return 0;
}
108 | ||
/* Registration record handed to ip_tables; selected by rules as "tcpmss". */
static struct ipt_match tcpmss_match = {
	.me		= THIS_MODULE,
	.name		= "tcpmss",
	.checkentry	= checkentry,
	.match		= match,
};
115 | ||
/* Module load: register the match; returns ipt_register_match()'s result. */
static int __init init(void)
{
	int rc = ipt_register_match(&tcpmss_match);

	return rc;
}
120 | ||
/* Module unload: withdraw the match from ip_tables. */
static void __exit fini(void)
{
	struct ipt_match *m = &tcpmss_match;

	ipt_unregister_match(m);
}
125 | ||
/* Load/unload hooks. */
module_exit(fini);
module_init(init);