Blame - net/netfilter/xt_ecn.c - linux

blob: b96e8203ac54982e562ea083f390eff5d213477e [file] [log] [blame]

Thomas Gleixner	d2912cb	2019-06-04 10:11:33 +0200	[diff] [blame]	1	// SPDX-License-Identifier: GPL-2.0-only
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	2	/*
				3	* Xtables module for matching the value of the IPv4/IPv6 and TCP ECN bits
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	4	*
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	5	* (C) 2002 by Harald Welte <laforge@gnumonks.org>
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	6	* (C) 2011 Patrick McHardy <kaber@trash.net>
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	7	*/
Jan Engelhardt	ff67e4e	2010-03-19 21:08:16 +0100	[diff] [blame]	8	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
Jan Engelhardt	6709dbb	2007-02-07 15:11:19 -0800	[diff] [blame]	9	#include <linux/in.h>
				10	#include <linux/ip.h>
Arnaldo Carvalho de Melo	c9bdd4b	2007-03-12 20:09:15 -0300	[diff] [blame]	11	#include <net/ip.h>
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	12	#include <linux/module.h>
				13	#include <linux/skbuff.h>
				14	#include <linux/tcp.h>
				15
Jan Engelhardt	6709dbb	2007-02-07 15:11:19 -0800	[diff] [blame]	16	#include <linux/netfilter/x_tables.h>
Jan Engelhardt	a4c6f9d	2011-06-09 21:15:37 +0200	[diff] [blame]	17	#include <linux/netfilter/xt_ecn.h>
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	18	#include <linux/netfilter_ipv4/ip_tables.h>
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	19	#include <linux/netfilter_ipv6/ip6_tables.h>
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	20
				21	MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	22	MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match");
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	23	MODULE_LICENSE("GPL");
Jan Engelhardt	d446a820	2011-06-09 21:03:07 +0200	[diff] [blame]	24	MODULE_ALIAS("ipt_ecn");
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	25	MODULE_ALIAS("ip6t_ecn");
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	26
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	27	static bool match_tcp(const struct sk_buff skb, struct xt_action_param par)
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	28	{
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	29	const struct xt_ecn_info *einfo = par->matchinfo;
Jan Engelhardt	a47362a	2007-07-07 22:16:55 -0700	[diff] [blame]	30	struct tcphdr _tcph;
				31	const struct tcphdr *th;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	32
				33	/* In practice, TCP match does this, so can't fail. But let's
				34	* be good citizens.
				35	*/
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	36	th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
Jan Engelhardt	42c344a	2011-06-09 22:16:50 +0200	[diff] [blame]	37	if (th == NULL)
Jan Engelhardt	1d93a9c	2007-07-07 22:15:35 -0700	[diff] [blame]	38	return false;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	39
Jan Engelhardt	a4c6f9d	2011-06-09 21:15:37 +0200	[diff] [blame]	40	if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
				41	if (einfo->invert & XT_ECN_OP_MATCH_ECE) {
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	42	if (th->ece == 1)
Jan Engelhardt	1d93a9c	2007-07-07 22:15:35 -0700	[diff] [blame]	43	return false;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	44	} else {
				45	if (th->ece == 0)
Jan Engelhardt	1d93a9c	2007-07-07 22:15:35 -0700	[diff] [blame]	46	return false;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	47	}
				48	}
				49
Jan Engelhardt	a4c6f9d	2011-06-09 21:15:37 +0200	[diff] [blame]	50	if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
				51	if (einfo->invert & XT_ECN_OP_MATCH_CWR) {
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	52	if (th->cwr == 1)
Jan Engelhardt	1d93a9c	2007-07-07 22:15:35 -0700	[diff] [blame]	53	return false;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	54	} else {
				55	if (th->cwr == 0)
Jan Engelhardt	1d93a9c	2007-07-07 22:15:35 -0700	[diff] [blame]	56	return false;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	57	}
				58	}
				59
Jan Engelhardt	1d93a9c	2007-07-07 22:15:35 -0700	[diff] [blame]	60	return true;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	61	}
				62
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	63	static inline bool match_ip(const struct sk_buff *skb,
				64	const struct xt_ecn_info *einfo)
				65	{
				66	return ((ip_hdr(skb)->tos & XT_ECN_IP_MASK) == einfo->ip_ect) ^
				67	!!(einfo->invert & XT_ECN_OP_MATCH_IP);
				68	}
				69
				70	static bool ecn_mt4(const struct sk_buff skb, struct xt_action_param par)
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	71	{
Jan Engelhardt	a4c6f9d	2011-06-09 21:15:37 +0200	[diff] [blame]	72	const struct xt_ecn_info *info = par->matchinfo;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	73
Jan Engelhardt	42c344a	2011-06-09 22:16:50 +0200	[diff] [blame]	74	if (info->operation & XT_ECN_OP_MATCH_IP && !match_ip(skb, info))
				75	return false;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	76
Jan Engelhardt	42c344a	2011-06-09 22:16:50 +0200	[diff] [blame]	77	if (info->operation & (XT_ECN_OP_MATCH_ECE \| XT_ECN_OP_MATCH_CWR) &&
				78	!match_tcp(skb, par))
				79	return false;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	80
Jan Engelhardt	1d93a9c	2007-07-07 22:15:35 -0700	[diff] [blame]	81	return true;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	82	}
				83
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	84	static int ecn_mt_check4(const struct xt_mtchk_param *par)
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	85	{
Jan Engelhardt	a4c6f9d	2011-06-09 21:15:37 +0200	[diff] [blame]	86	const struct xt_ecn_info *info = par->matchinfo;
Jan Engelhardt	9b4fce7	2008-10-08 11:35:18 +0200	[diff] [blame]	87	const struct ipt_ip *ip = par->entryinfo;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	88
Jan Engelhardt	a4c6f9d	2011-06-09 21:15:37 +0200	[diff] [blame]	89	if (info->operation & XT_ECN_OP_MATCH_MASK)
Jan Engelhardt	bd414ee	2010-03-23 16:35:56 +0100	[diff] [blame]	90	return -EINVAL;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	91
Jan Engelhardt	a4c6f9d	2011-06-09 21:15:37 +0200	[diff] [blame]	92	if (info->invert & XT_ECN_OP_MATCH_MASK)
Jan Engelhardt	bd414ee	2010-03-23 16:35:56 +0100	[diff] [blame]	93	return -EINVAL;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	94
Jan Engelhardt	a4c6f9d	2011-06-09 21:15:37 +0200	[diff] [blame]	95	if (info->operation & (XT_ECN_OP_MATCH_ECE \| XT_ECN_OP_MATCH_CWR) &&
Patrick McHardy	58d5a02	2011-06-16 17:24:17 +0200	[diff] [blame]	96	(ip->proto != IPPROTO_TCP \|\| ip->invflags & IPT_INV_PROTO)) {
Florian Westphal	b260664	2018-02-09 15:52:07 +0100	[diff] [blame]	97	pr_info_ratelimited("cannot match TCP bits for non-tcp packets\n");
Jan Engelhardt	bd414ee	2010-03-23 16:35:56 +0100	[diff] [blame]	98	return -EINVAL;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	99	}
				100
Jan Engelhardt	bd414ee	2010-03-23 16:35:56 +0100	[diff] [blame]	101	return 0;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	102	}
				103
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	104	static inline bool match_ipv6(const struct sk_buff *skb,
				105	const struct xt_ecn_info *einfo)
				106	{
				107	return (((ipv6_hdr(skb)->flow_lbl[0] >> 4) & XT_ECN_IP_MASK) ==
				108	einfo->ip_ect) ^
				109	!!(einfo->invert & XT_ECN_OP_MATCH_IP);
				110	}
				111
				112	static bool ecn_mt6(const struct sk_buff skb, struct xt_action_param par)
				113	{
				114	const struct xt_ecn_info *info = par->matchinfo;
				115
				116	if (info->operation & XT_ECN_OP_MATCH_IP && !match_ipv6(skb, info))
				117	return false;
				118
				119	if (info->operation & (XT_ECN_OP_MATCH_ECE \| XT_ECN_OP_MATCH_CWR) &&
				120	!match_tcp(skb, par))
				121	return false;
				122
				123	return true;
				124	}
				125
				126	static int ecn_mt_check6(const struct xt_mtchk_param *par)
				127	{
				128	const struct xt_ecn_info *info = par->matchinfo;
				129	const struct ip6t_ip6 *ip = par->entryinfo;
				130
				131	if (info->operation & XT_ECN_OP_MATCH_MASK)
				132	return -EINVAL;
				133
				134	if (info->invert & XT_ECN_OP_MATCH_MASK)
				135	return -EINVAL;
				136
				137	if (info->operation & (XT_ECN_OP_MATCH_ECE \| XT_ECN_OP_MATCH_CWR) &&
				138	(ip->proto != IPPROTO_TCP \|\| ip->invflags & IP6T_INV_PROTO)) {
Florian Westphal	b260664	2018-02-09 15:52:07 +0100	[diff] [blame]	139	pr_info_ratelimited("cannot match TCP bits for non-tcp packets\n");
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	140	return -EINVAL;
				141	}
				142
				143	return 0;
				144	}
				145
				146	static struct xt_match ecn_mt_reg[] __read_mostly = {
				147	{
				148	.name = "ecn",
				149	.family = NFPROTO_IPV4,
				150	.match = ecn_mt4,
				151	.matchsize = sizeof(struct xt_ecn_info),
				152	.checkentry = ecn_mt_check4,
				153	.me = THIS_MODULE,
				154	},
				155	{
				156	.name = "ecn",
				157	.family = NFPROTO_IPV6,
				158	.match = ecn_mt6,
				159	.matchsize = sizeof(struct xt_ecn_info),
				160	.checkentry = ecn_mt_check6,
				161	.me = THIS_MODULE,
				162	},
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	163	};
				164
Jan Engelhardt	d3c5ee6	2007-12-04 23:24:03 -0800	[diff] [blame]	165	static int __init ecn_mt_init(void)
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	166	{
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	167	return xt_register_matches(ecn_mt_reg, ARRAY_SIZE(ecn_mt_reg));
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	168	}
				169
Jan Engelhardt	d3c5ee6	2007-12-04 23:24:03 -0800	[diff] [blame]	170	static void __exit ecn_mt_exit(void)
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	171	{
Patrick McHardy	af0d29c	2011-06-09 15:20:27 +0200	[diff] [blame]	172	xt_unregister_matches(ecn_mt_reg, ARRAY_SIZE(ecn_mt_reg));
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	173	}
				174
Jan Engelhardt	d3c5ee6	2007-12-04 23:24:03 -0800	[diff] [blame]	175	module_init(ecn_mt_init);
				176	module_exit(ecn_mt_exit);