* xt_ecn in smaller pieces
@ 2011-06-09 20:23 Jan Engelhardt
From: Jan Engelhardt @ 2011-06-09 20:23 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Alternate xt_ecn history crafting, whereby the move of the code is explicit,
i.e. will show up in git log --stat -M as such.
===
The following changes since commit b08220bec4daa318a049182dc1cbd395873109cb:
>>>>>>
netfilter: ipt_ecn: fix inversion for IP header ECN match (2011-06-09 15:20:26 +0200)
<<<<<<
(tacks onto your 2/3)
are available in the git repository at:
git://dev.medozas.de/linux xtecn
Jan Engelhardt (3):
netfilter: xtables: move ipt_ecn to xt_ecn
netfilter: xtables: give xt_ecn its own name
netfilter: xtables: collapse conditions in xt_ecn
Patrick McHardy (1):
netfilter: xtables: add an IPv6 capable version of the ECN match
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_ecn.h | 35 ++++++
include/linux/netfilter_ipv4/ipt_ecn.h | 38 ++-----
net/ipv4/netfilter/Kconfig | 10 +-
net/ipv4/netfilter/Makefile | 1 -
net/ipv4/netfilter/ipt_ecn.c | 127 ----------------------
net/netfilter/Kconfig | 9 ++
net/netfilter/Makefile | 1 +
net/netfilter/xt_ecn.c | 179 ++++++++++++++++++++++++++++++++
9 files changed, 239 insertions(+), 162 deletions(-)
create mode 100644 include/linux/netfilter/xt_ecn.h
delete mode 100644 net/ipv4/netfilter/ipt_ecn.c
create mode 100644 net/netfilter/xt_ecn.c
* [PATCH 1/4] netfilter: xtables: move ipt_ecn to xt_ecn
From: Jan Engelhardt @ 2011-06-09 20:23 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_ecn.h | 35 +++++++++
include/linux/netfilter_ipv4/ipt_ecn.h | 31 +--------
net/ipv4/netfilter/Kconfig | 10 +-
net/ipv4/netfilter/Makefile | 1 -
net/ipv4/netfilter/ipt_ecn.c | 127 -------------------------------
net/netfilter/Kconfig | 9 ++
net/netfilter/Makefile | 1 +
net/netfilter/xt_ecn.c | 128 ++++++++++++++++++++++++++++++++
9 files changed, 180 insertions(+), 163 deletions(-)
create mode 100644 include/linux/netfilter/xt_ecn.h
delete mode 100644 net/ipv4/netfilter/ipt_ecn.c
create mode 100644 net/netfilter/xt_ecn.c
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index a1b410c..e55dba1 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -40,6 +40,7 @@ header-y += xt_cpu.h
header-y += xt_dccp.h
header-y += xt_devgroup.h
header-y += xt_dscp.h
+header-y += xt_ecn.h
header-y += xt_esp.h
header-y += xt_hashlimit.h
header-y += xt_helper.h
diff --git a/include/linux/netfilter/xt_ecn.h b/include/linux/netfilter/xt_ecn.h
new file mode 100644
index 0000000..065c1a5
--- /dev/null
+++ b/include/linux/netfilter/xt_ecn.h
@@ -0,0 +1,35 @@
+/* iptables module for matching the ECN header in IPv4 and TCP header
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
+*/
+#ifndef _XT_ECN_H
+#define _XT_ECN_H
+
+#include <linux/types.h>
+#include <linux/netfilter/xt_dscp.h>
+
+#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
+
+#define IPT_ECN_OP_MATCH_IP 0x01
+#define IPT_ECN_OP_MATCH_ECE 0x10
+#define IPT_ECN_OP_MATCH_CWR 0x20
+
+#define IPT_ECN_OP_MATCH_MASK 0xce
+
+/* match info */
+struct ipt_ecn_info {
+ __u8 operation;
+ __u8 invert;
+ __u8 ip_ect;
+ union {
+ struct {
+ __u8 ect;
+ } tcp;
+ } proto;
+};
+
+#endif /* _XT_ECN_H */
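Review bot: `IPT_ECN_OP_MATCH_MASK 0xce` is an undocumented magic value; it is the byte complement of the three operation bits (`~(0x01|0x10|0x20) & 0xff`), and ecn_mt_check uses it to reject rules whose `operation` or `invert` carry any other bit. Since this header is now the user-space API copy, a comment such as `/* bits not covered by IPT_ECN_OP_MATCH_*: any set bit makes the rule invalid */` beside the define, or spelling it as that expression, would make the contract visible to extension authors without changing the value.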
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h
index eabf95f..b1124ec 100644
--- a/include/linux/netfilter_ipv4/ipt_ecn.h
+++ b/include/linux/netfilter_ipv4/ipt_ecn.h
@@ -1,35 +1,6 @@
-/* iptables module for matching the ECN header in IPv4 and TCP header
- *
- * (C) 2002 Harald Welte <laforge@gnumonks.org>
- *
- * This software is distributed under GNU GPL v2, 1991
- *
- * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
-*/
#ifndef _IPT_ECN_H
#define _IPT_ECN_H
-#include <linux/types.h>
-#include <linux/netfilter/xt_dscp.h>
-
-#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
-
-#define IPT_ECN_OP_MATCH_IP 0x01
-#define IPT_ECN_OP_MATCH_ECE 0x10
-#define IPT_ECN_OP_MATCH_CWR 0x20
-
-#define IPT_ECN_OP_MATCH_MASK 0xce
-
-/* match info */
-struct ipt_ecn_info {
- __u8 operation;
- __u8 invert;
- __u8 ip_ect;
- union {
- struct {
- __u8 ect;
- } tcp;
- } proto;
-};
+#include <linux/netfilter/xt_ecn.h>
#endif /* _IPT_ECN_H */
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1dfc18a..d91b2e6 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
config IP_NF_MATCH_ECN
tristate '"ecn" match support'
depends on NETFILTER_ADVANCED
- help
- This option adds a `ECN' match, which allows you to match against
- the IPv4 and TCP header ECN fields.
-
- To compile it as a module, choose M here. If unsure, say N.
+ select NETFILTER_XT_MATCH_ECN
+ ---help---
+ This is a backwards-compat option for the user's convenience
+ (e.g. when running oldconfig). It selects
+ CONFIG_NETFILTER_XT_MATCH_ECN.
config IP_NF_MATCH_TTL
tristate '"ttl" match support'
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index dca2082..d16c7ec 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -49,7 +49,6 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
# matches
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
-obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
# targets
obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
deleted file mode 100644
index 2b57e52..0000000
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/* IP tables module for matching the value of the IPv4 and TCP ECN bits
- *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/in.h>
-#include <linux/ip.h>
-#include <net/ip.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/tcp.h>
-
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ecn.h>
-
-MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
-MODULE_LICENSE("GPL");
-
-static inline bool match_ip(const struct sk_buff *skb,
- const struct ipt_ecn_info *einfo)
-{
- return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
- !!(einfo->invert & IPT_ECN_OP_MATCH_IP);
-}
-
-static inline bool match_tcp(const struct sk_buff *skb,
- const struct ipt_ecn_info *einfo,
- bool *hotdrop)
-{
- struct tcphdr _tcph;
- const struct tcphdr *th;
-
- /* In practice, TCP match does this, so can't fail. But let's
- * be good citizens.
- */
- th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
- if (th == NULL) {
- *hotdrop = false;
- return false;
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
- if (einfo->invert & IPT_ECN_OP_MATCH_ECE) {
- if (th->ece == 1)
- return false;
- } else {
- if (th->ece == 0)
- return false;
- }
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
- if (einfo->invert & IPT_ECN_OP_MATCH_CWR) {
- if (th->cwr == 1)
- return false;
- } else {
- if (th->cwr == 0)
- return false;
- }
- }
-
- return true;
-}
-
-static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
-{
- const struct ipt_ecn_info *info = par->matchinfo;
-
- if (info->operation & IPT_ECN_OP_MATCH_IP)
- if (!match_ip(skb, info))
- return false;
-
- if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
- if (!match_tcp(skb, info, &par->hotdrop))
- return false;
- }
-
- return true;
-}
-
-static int ecn_mt_check(const struct xt_mtchk_param *par)
-{
- const struct ipt_ecn_info *info = par->matchinfo;
- const struct ipt_ip *ip = par->entryinfo;
-
- if (info->operation & IPT_ECN_OP_MATCH_MASK)
- return -EINVAL;
-
- if (info->invert & IPT_ECN_OP_MATCH_MASK)
- return -EINVAL;
-
- if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
- (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
- pr_info("cannot match TCP bits in rule for non-tcp packets\n");
- return -EINVAL;
- }
-
- return 0;
-}
-
-static struct xt_match ecn_mt_reg __read_mostly = {
- .name = "ecn",
- .family = NFPROTO_IPV4,
- .match = ecn_mt,
- .matchsize = sizeof(struct ipt_ecn_info),
- .checkentry = ecn_mt_check,
- .me = THIS_MODULE,
-};
-
-static int __init ecn_mt_init(void)
-{
- return xt_register_match(&ecn_mt_reg);
-}
-
-static void __exit ecn_mt_exit(void)
-{
- xt_unregister_match(&ecn_mt_reg);
-}
-
-module_init(ecn_mt_init);
-module_exit(ecn_mt_exit);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 32bff6d..a1dbdc2 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -772,6 +772,15 @@ config NETFILTER_XT_MATCH_DSCP
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_ECN
+ tristate '"ecn" match support'
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This option adds an "ECN" match, which allows you to match against
+ the IPv4 and TCP header ECN fields.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config NETFILTER_XT_MATCH_ESP
tristate '"esp" match support'
depends on NETFILTER_ADVANCED
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 1a02853..c748722 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -80,6 +80,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) += xt_ecn.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c
new file mode 100644
index 0000000..2c198f5
--- /dev/null
+++ b/net/netfilter/xt_ecn.c
@@ -0,0 +1,128 @@
+/* IP tables module for matching the value of the IPv4 and TCP ECN bits
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <net/ip.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/tcp.h>
+
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_ecn.h>
+
+MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
+MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_ecn");
+
+static inline bool match_ip(const struct sk_buff *skb,
+ const struct ipt_ecn_info *einfo)
+{
+ return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
+ !!(einfo->invert & IPT_ECN_OP_MATCH_IP);
+}
+
+static inline bool match_tcp(const struct sk_buff *skb,
+ const struct ipt_ecn_info *einfo,
+ bool *hotdrop)
+{
+ struct tcphdr _tcph;
+ const struct tcphdr *th;
+
+ /* In practice, TCP match does this, so can't fail. But let's
+ * be good citizens.
+ */
+ th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
+ if (th == NULL) {
+ *hotdrop = false;
+ return false;
+ }
+
+ if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
+ if (einfo->invert & IPT_ECN_OP_MATCH_ECE) {
+ if (th->ece == 1)
+ return false;
+ } else {
+ if (th->ece == 0)
+ return false;
+ }
+ }
+
+ if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
+ if (einfo->invert & IPT_ECN_OP_MATCH_CWR) {
+ if (th->cwr == 1)
+ return false;
+ } else {
+ if (th->cwr == 0)
+ return false;
+ }
+ }
+
+ return true;
+}
+
+static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+ const struct ipt_ecn_info *info = par->matchinfo;
+
+ if (info->operation & IPT_ECN_OP_MATCH_IP)
+ if (!match_ip(skb, info))
+ return false;
+
+ if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
+ if (!match_tcp(skb, info, &par->hotdrop))
+ return false;
+ }
+
+ return true;
+}
+
+static int ecn_mt_check(const struct xt_mtchk_param *par)
+{
+ const struct ipt_ecn_info *info = par->matchinfo;
+ const struct ipt_ip *ip = par->entryinfo;
+
+ if (info->operation & IPT_ECN_OP_MATCH_MASK)
+ return -EINVAL;
+
+ if (info->invert & IPT_ECN_OP_MATCH_MASK)
+ return -EINVAL;
+
+ if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
+ (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
+ pr_info("cannot match TCP bits in rule for non-tcp packets\n");
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static struct xt_match ecn_mt_reg __read_mostly = {
+ .name = "ecn",
+ .family = NFPROTO_IPV4,
+ .match = ecn_mt,
+ .matchsize = sizeof(struct ipt_ecn_info),
+ .checkentry = ecn_mt_check,
+ .me = THIS_MODULE,
+};
+
+static int __init ecn_mt_init(void)
+{
+ return xt_register_match(&ecn_mt_reg);
+}
+
+static void __exit ecn_mt_exit(void)
+{
+ xt_unregister_match(&ecn_mt_reg);
+}
+
+module_init(ecn_mt_init);
+module_exit(ecn_mt_exit);
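Review bot: match_tcp turns a TCP header it cannot read into a plain non-match — `*hotdrop = false;` in the NULL branch is a no-op — and neither it nor ecn_mt looks at `par->fragoff`, so on a non-first fragment the bytes at the transport offset are payload yet are still tested as ece/cwr. The comment above the skb_header_pointer call relies on the tcp match having validated the header first, but ecn_mt_check only requires the rule's protocol to be TCP, which as far as I can tell does not by itself add the tcp match to the rule. Transport-header matches such as xt_tcpudp return false when `par->fragoff != 0` and set `par->hotdrop = true` when the header is truncated; the equivalent here is to skip match_tcp from ecn_mt when `par->fragoff != 0` and to set hotdrop to true rather than false in the NULL branch. The 3/4 hunk that rewrites match_tcp around `par->thoff` keeps the same behaviour, so the same point applies there.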
--
1.7.3.4
* [PATCH 2/4] netfilter: xtables: give xt_ecn its own name
From: Jan Engelhardt @ 2011-06-09 20:23 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/xt_ecn.h | 12 +++++-----
include/linux/netfilter_ipv4/ipt_ecn.h | 11 +++++++++-
net/netfilter/xt_ecn.c | 34 ++++++++++++++++----------------
3 files changed, 33 insertions(+), 24 deletions(-)
diff --git a/include/linux/netfilter/xt_ecn.h b/include/linux/netfilter/xt_ecn.h
index 065c1a5..7158fca 100644
--- a/include/linux/netfilter/xt_ecn.h
+++ b/include/linux/netfilter/xt_ecn.h
@@ -12,16 +12,16 @@
#include <linux/types.h>
#include <linux/netfilter/xt_dscp.h>
-#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
+#define XT_ECN_IP_MASK (~XT_DSCP_MASK)
-#define IPT_ECN_OP_MATCH_IP 0x01
-#define IPT_ECN_OP_MATCH_ECE 0x10
-#define IPT_ECN_OP_MATCH_CWR 0x20
+#define XT_ECN_OP_MATCH_IP 0x01
+#define XT_ECN_OP_MATCH_ECE 0x10
+#define XT_ECN_OP_MATCH_CWR 0x20
-#define IPT_ECN_OP_MATCH_MASK 0xce
+#define XT_ECN_OP_MATCH_MASK 0xce
/* match info */
-struct ipt_ecn_info {
+struct xt_ecn_info {
__u8 operation;
__u8 invert;
__u8 ip_ect;
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h
index b1124ec..0e0c063 100644
--- a/include/linux/netfilter_ipv4/ipt_ecn.h
+++ b/include/linux/netfilter_ipv4/ipt_ecn.h
@@ -2,5 +2,14 @@
#define _IPT_ECN_H
#include <linux/netfilter/xt_ecn.h>
+#define ipt_ecn_info xt_ecn_info
-#endif /* _IPT_ECN_H */
+enum {
+ IPT_ECN_IP_MASK = XT_ECN_IP_MASK,
+ IPT_ECN_OP_MATCH_IP = XT_ECN_OP_MATCH_IP,
+ IPT_ECN_OP_MATCH_ECE = XT_ECN_OP_MATCH_ECE,
+ IPT_ECN_OP_MATCH_CWR = XT_ECN_OP_MATCH_CWR,
+ IPT_ECN_OP_MATCH_MASK = XT_ECN_OP_MATCH_MASK,
+};
+
+#endif /* IPT_ECN_H */
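Review bot: The new `#endif` comment no longer matches the guard macro: the header opens with `#define _IPT_ECN_H` while the closing line now reads `#endif /* IPT_ECN_H */`, whereas the removed line carried the underscore. Restore `#endif /* _IPT_ECN_H */` so the comment stays greppable against the guard.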
diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c
index 2c198f5..3ebb3dc 100644
--- a/net/netfilter/xt_ecn.c
+++ b/net/netfilter/xt_ecn.c
@@ -15,8 +15,8 @@
#include <linux/tcp.h>
#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_ecn.h>
#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ecn.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
@@ -24,14 +24,14 @@ MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ecn");
static inline bool match_ip(const struct sk_buff *skb,
- const struct ipt_ecn_info *einfo)
+ const struct xt_ecn_info *einfo)
{
- return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
- !!(einfo->invert & IPT_ECN_OP_MATCH_IP);
+ return ((ip_hdr(skb)->tos & XT_ECN_IP_MASK) == einfo->ip_ect) ^
+ !!(einfo->invert & XT_ECN_OP_MATCH_IP);
}
static inline bool match_tcp(const struct sk_buff *skb,
- const struct ipt_ecn_info *einfo,
+ const struct xt_ecn_info *einfo,
bool *hotdrop)
{
struct tcphdr _tcph;
@@ -46,8 +46,8 @@ static inline bool match_tcp(const struct sk_buff *skb,
return false;
}
- if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
- if (einfo->invert & IPT_ECN_OP_MATCH_ECE) {
+ if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
+ if (einfo->invert & XT_ECN_OP_MATCH_ECE) {
if (th->ece == 1)
return false;
} else {
@@ -56,8 +56,8 @@ static inline bool match_tcp(const struct sk_buff *skb,
}
}
- if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
- if (einfo->invert & IPT_ECN_OP_MATCH_CWR) {
+ if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
+ if (einfo->invert & XT_ECN_OP_MATCH_CWR) {
if (th->cwr == 1)
return false;
} else {
@@ -71,13 +71,13 @@ static inline bool match_tcp(const struct sk_buff *skb,
static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
- const struct ipt_ecn_info *info = par->matchinfo;
+ const struct xt_ecn_info *info = par->matchinfo;
- if (info->operation & IPT_ECN_OP_MATCH_IP)
+ if (info->operation & XT_ECN_OP_MATCH_IP)
if (!match_ip(skb, info))
return false;
- if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
+ if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR)) {
if (!match_tcp(skb, info, &par->hotdrop))
return false;
}
@@ -87,16 +87,16 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
static int ecn_mt_check(const struct xt_mtchk_param *par)
{
- const struct ipt_ecn_info *info = par->matchinfo;
+ const struct xt_ecn_info *info = par->matchinfo;
const struct ipt_ip *ip = par->entryinfo;
- if (info->operation & IPT_ECN_OP_MATCH_MASK)
+ if (info->operation & XT_ECN_OP_MATCH_MASK)
return -EINVAL;
- if (info->invert & IPT_ECN_OP_MATCH_MASK)
+ if (info->invert & XT_ECN_OP_MATCH_MASK)
return -EINVAL;
- if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
+ if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
(ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
pr_info("cannot match TCP bits in rule for non-tcp packets\n");
return -EINVAL;
@@ -109,7 +109,7 @@ static struct xt_match ecn_mt_reg __read_mostly = {
.name = "ecn",
.family = NFPROTO_IPV4,
.match = ecn_mt,
- .matchsize = sizeof(struct ipt_ecn_info),
+ .matchsize = sizeof(struct xt_ecn_info),
.checkentry = ecn_mt_check,
.me = THIS_MODULE,
};
--
1.7.3.4
* [PATCH 3/4] netfilter: xtables: add an IPv6 capable version of the ECN match
From: Jan Engelhardt @ 2011-06-09 20:23 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/xt_ecn.c | 106 ++++++++++++++++++++++++++++++++++++------------
1 files changed, 80 insertions(+), 26 deletions(-)
diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c
index 3ebb3dc..6ccc35d 100644
--- a/net/netfilter/xt_ecn.c
+++ b/net/netfilter/xt_ecn.c
@@ -1,6 +1,8 @@
-/* IP tables module for matching the value of the IPv4 and TCP ECN bits
+/*
+ * Xtables module for matching the value of the IPv4/IPv6 and TCP ECN bits
*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2011 Patrick McHardy <kaber@trash.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -17,32 +19,25 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_ecn.h>
#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
+MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ecn");
+MODULE_ALIAS("ip6t_ecn");
-static inline bool match_ip(const struct sk_buff *skb,
- const struct xt_ecn_info *einfo)
-{
- return ((ip_hdr(skb)->tos & XT_ECN_IP_MASK) == einfo->ip_ect) ^
- !!(einfo->invert & XT_ECN_OP_MATCH_IP);
-}
-
-static inline bool match_tcp(const struct sk_buff *skb,
- const struct xt_ecn_info *einfo,
- bool *hotdrop)
+static bool match_tcp(const struct sk_buff *skb, struct xt_action_param *par)
{
+ const struct xt_ecn_info *einfo = par->matchinfo;
struct tcphdr _tcph;
const struct tcphdr *th;
/* In practice, TCP match does this, so can't fail. But let's
* be good citizens.
*/
- th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
+ th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
if (th == NULL) {
- *hotdrop = false;
return false;
}
@@ -69,7 +64,14 @@ static inline bool match_tcp(const struct sk_buff *skb,
return true;
}
-static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
+static inline bool match_ip(const struct sk_buff *skb,
+ const struct xt_ecn_info *einfo)
+{
+ return ((ip_hdr(skb)->tos & XT_ECN_IP_MASK) == einfo->ip_ect) ^
+ !!(einfo->invert & XT_ECN_OP_MATCH_IP);
+}
+
+static bool ecn_mt4(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_ecn_info *info = par->matchinfo;
@@ -78,14 +80,14 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
return false;
if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR)) {
- if (!match_tcp(skb, info, &par->hotdrop))
+ if (!match_tcp(skb, par))
return false;
}
return true;
}
-static int ecn_mt_check(const struct xt_mtchk_param *par)
+static int ecn_mt_check4(const struct xt_mtchk_param *par)
{
const struct xt_ecn_info *info = par->matchinfo;
const struct ipt_ip *ip = par->entryinfo;
@@ -105,23 +107,75 @@ static int ecn_mt_check(const struct xt_mtchk_param *par)
return 0;
}
-static struct xt_match ecn_mt_reg __read_mostly = {
- .name = "ecn",
- .family = NFPROTO_IPV4,
- .match = ecn_mt,
- .matchsize = sizeof(struct xt_ecn_info),
- .checkentry = ecn_mt_check,
- .me = THIS_MODULE,
+static inline bool match_ipv6(const struct sk_buff *skb,
+ const struct xt_ecn_info *einfo)
+{
+ return (((ipv6_hdr(skb)->flow_lbl[0] >> 4) & XT_ECN_IP_MASK) ==
+ einfo->ip_ect) ^
+ !!(einfo->invert & XT_ECN_OP_MATCH_IP);
+}
+
+static bool ecn_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+{
+ const struct xt_ecn_info *info = par->matchinfo;
+
+ if (info->operation & XT_ECN_OP_MATCH_IP && !match_ipv6(skb, info))
+ return false;
+
+ if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
+ !match_tcp(skb, par))
+ return false;
+
+ return true;
+}
+
+static int ecn_mt_check6(const struct xt_mtchk_param *par)
+{
+ const struct xt_ecn_info *info = par->matchinfo;
+ const struct ip6t_ip6 *ip = par->entryinfo;
+
+ if (info->operation & XT_ECN_OP_MATCH_MASK)
+ return -EINVAL;
+
+ if (info->invert & XT_ECN_OP_MATCH_MASK)
+ return -EINVAL;
+
+ if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
+ (ip->proto != IPPROTO_TCP || ip->invflags & IP6T_INV_PROTO)) {
+ pr_info("cannot match TCP bits in rule for non-tcp packets\n");
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static struct xt_match ecn_mt_reg[] __read_mostly = {
+ {
+ .name = "ecn",
+ .family = NFPROTO_IPV4,
+ .match = ecn_mt4,
+ .matchsize = sizeof(struct xt_ecn_info),
+ .checkentry = ecn_mt_check4,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "ecn",
+ .family = NFPROTO_IPV6,
+ .match = ecn_mt6,
+ .matchsize = sizeof(struct xt_ecn_info),
+ .checkentry = ecn_mt_check6,
+ .me = THIS_MODULE,
+ },
};
static int __init ecn_mt_init(void)
{
- return xt_register_match(&ecn_mt_reg);
+ return xt_register_matches(ecn_mt_reg, ARRAY_SIZE(ecn_mt_reg));
}
static void __exit ecn_mt_exit(void)
{
- xt_unregister_match(&ecn_mt_reg);
+ xt_unregister_matches(ecn_mt_reg, ARRAY_SIZE(ecn_mt_reg));
}
module_init(ecn_mt_init);
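Review bot: ecn_mt_check6 repeats ecn_mt_check4 line for line — the two mask checks, the protocol test and the pr_info message — with only the entryinfo type and the invflag constant differing, so any future change to the validation has to be made twice. A small static helper taking the info pointer, the rule's protocol and the inverted-protocol flag lets both wrappers become one-liners; ecn_mt_check4 is outside this hunk but would call it the same way. match_ipv6 would also benefit from a one-line comment on why it shifts `flow_lbl[0]` by four: the IPv6 traffic class straddles the first two header bytes, and its low nibble, which holds the ECN bits, sits in the high nibble of flow_lbl[0].
```c
/* Validation shared by the IPv4 and IPv6 entries: reject unknown flag bits,
 * and reject TCP-bit matching unless the rule pins the protocol to TCP.
 */
static int ecn_mt_check_common(const struct xt_ecn_info *info,
			       unsigned int proto, bool inv_proto)
{
	if (info->operation & XT_ECN_OP_MATCH_MASK)
		return -EINVAL;

	if (info->invert & XT_ECN_OP_MATCH_MASK)
		return -EINVAL;

	if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
	    (proto != IPPROTO_TCP || inv_proto)) {
		pr_info("cannot match TCP bits in rule for non-tcp packets\n");
		return -EINVAL;
	}

	return 0;
}

static int ecn_mt_check6(const struct xt_mtchk_param *par)
{
	const struct ip6t_ip6 *ip = par->entryinfo;

	return ecn_mt_check_common(par->matchinfo, ip->proto,
				   ip->invflags & IP6T_INV_PROTO);
}
/* … unchanged: match_ipv6, ecn_mt6, ecn_mt_reg[], ecn_mt_init/ecn_mt_exit … */
```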
--
1.7.3.4
* [PATCH 4/4] netfilter: xtables: collapse conditions in xt_ecn
From: Jan Engelhardt @ 2011-06-09 20:23 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/xt_ecn.c | 15 ++++++---------
1 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c
index 6ccc35d..3c831a8 100644
--- a/net/netfilter/xt_ecn.c
+++ b/net/netfilter/xt_ecn.c
@@ -37,9 +37,8 @@ static bool match_tcp(const struct sk_buff *skb, struct xt_action_param *par)
* be good citizens.
*/
th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
- if (th == NULL) {
+ if (th == NULL)
return false;
- }
if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
if (einfo->invert & XT_ECN_OP_MATCH_ECE) {
@@ -75,14 +74,12 @@ static bool ecn_mt4(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_ecn_info *info = par->matchinfo;
- if (info->operation & XT_ECN_OP_MATCH_IP)
- if (!match_ip(skb, info))
- return false;
+ if (info->operation & XT_ECN_OP_MATCH_IP && !match_ip(skb, info))
+ return false;
- if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR)) {
- if (!match_tcp(skb, par))
- return false;
- }
+ if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
+ !match_tcp(skb, par))
+ return false;
return true;
}
--
1.7.3.4
* Re: [PATCH 1/4] netfilter: xtables: move ipt_ecn to xt_ecn
From: Patrick McHardy @ 2011-06-16 15:21 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
On 09.06.2011 22:23, Jan Engelhardt wrote:
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
> config IP_NF_MATCH_ECN
> tristate '"ecn" match support'
> depends on NETFILTER_ADVANCED
> - help
> - This option adds a `ECN' match, which allows you to match against
> - the IPv4 and TCP header ECN fields.
> -
> - To compile it as a module, choose M here. If unsure, say N.
> + select NETFILTER_XT_MATCH_ECN
> + ---help---
> + This is a backwards-compat option for the user's convenience
> + (e.g. when running oldconfig). It selects
> + CONFIG_NETFILTER_XT_MATCH_ECN.
>
Did this work? I've tried myself, but it would still show the new
option.
* Re: [PATCH 1/4] netfilter: xtables: move ipt_ecn to xt_ecn
From: Jan Engelhardt @ 2011-06-16 15:31 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Thursday 2011-06-16 17:21, Patrick McHardy wrote:
>On 09.06.2011 22:23, Jan Engelhardt wrote:
>> --- a/net/ipv4/netfilter/Kconfig
>> +++ b/net/ipv4/netfilter/Kconfig
>> @@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
>> config IP_NF_MATCH_ECN
>> tristate '"ecn" match support'
>> depends on NETFILTER_ADVANCED
>> - help
>> - This option adds a `ECN' match, which allows you to match against
>> - the IPv4 and TCP header ECN fields.
>> -
>> - To compile it as a module, choose M here. If unsure, say N.
>> + select NETFILTER_XT_MATCH_ECN
>> + ---help---
>> + This is a backwards-compat option for the user's convenience
>> + (e.g. when running oldconfig). It selects
>> + CONFIG_NETFILTER_XT_MATCH_ECN.
>>
>
>Did this work? I've tried myself, but it would still show the new
>option.
What do you mean? Of course it is supposed to show NETFILTER_XT_MATCH_ECN.
And IP_NF_MATCH_ECN we cannot hide without removing, but that is not
a problem either.
* Re: [PATCH 1/4] netfilter: xtables: move ipt_ecn to xt_ecn
From: Patrick McHardy @ 2011-06-16 15:34 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
On 16.06.2011 17:31, Jan Engelhardt wrote:
>
> On Thursday 2011-06-16 17:21, Patrick McHardy wrote:
>> On 09.06.2011 22:23, Jan Engelhardt wrote:
>>> --- a/net/ipv4/netfilter/Kconfig
>>> +++ b/net/ipv4/netfilter/Kconfig
>>> @@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
>>> config IP_NF_MATCH_ECN
>>> tristate '"ecn" match support'
>>> depends on NETFILTER_ADVANCED
>>> - help
>>> - This option adds a `ECN' match, which allows you to match against
>>> - the IPv4 and TCP header ECN fields.
>>> -
>>> - To compile it as a module, choose M here. If unsure, say N.
>>> + select NETFILTER_XT_MATCH_ECN
>>> + ---help---
>>> + This is a backwards-compat option for the user's convenience
>>> + (e.g. when running oldconfig). It selects
>>> + CONFIG_NETFILTER_XT_MATCH_ECN.
>>>
>>
>> Did this work? I've tried myself, but it would still show the new
>> option.
>
> What do you mean? Of course it is supposed to show NETFILTER_XT_MATCH_ECN.
Well, ideally not, but fine as long as it's still automatically
selected.
I'll pull your patches once the first two fixes are upstream.
* Re: [PATCH 1/4] netfilter: xtables: move ipt_ecn to xt_ecn
From: Jan Engelhardt @ 2011-06-16 15:43 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Thursday 2011-06-16 17:34, Patrick McHardy wrote:
>On 16.06.2011 17:31, Jan Engelhardt wrote:
>>
>> On Thursday 2011-06-16 17:21, Patrick McHardy wrote:
>>> On 09.06.2011 22:23, Jan Engelhardt wrote:
>>>> --- a/net/ipv4/netfilter/Kconfig
>>>> +++ b/net/ipv4/netfilter/Kconfig
>>>> @@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
>>>> config IP_NF_MATCH_ECN
>>>> tristate '"ecn" match support'
>>>> depends on NETFILTER_ADVANCED
>>>> - help
>>>> - This option adds a `ECN' match, which allows you to match against
>>>> - the IPv4 and TCP header ECN fields.
>>>> -
>>>> - To compile it as a module, choose M here. If unsure, say N.
>>>> + select NETFILTER_XT_MATCH_ECN
>>>> + ---help---
>>>> + This is a backwards-compat option for the user's convenience
>>>> + (e.g. when running oldconfig). It selects
>>>> + CONFIG_NETFILTER_XT_MATCH_ECN.
>>>>
>>>
>>> Did this work? I've tried myself, but it would still show the new
>>> option.
>>
>> What do you mean? Of course it is supposed to show NETFILTER_XT_MATCH_ECN.
>
>Well, ideally not, but fine as long as its still automatically
>selected.
>
>I'll pull your patches once the first two fixes are upstream.
We are doing the same thing with the old options for nfmark/ctmark
(cf. Documentation/feature-removal-schedule.txt) so I guess that was ok.
The old options are supposed to be gone in a few releases anyway.
* Re: [PATCH 1/4] netfilter: xtables: move ipt_ecn to xt_ecn
From: Jan Engelhardt @ 2011-06-30 15:38 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Thursday 2011-06-16 17:43, Jan Engelhardt wrote:
>On Thursday 2011-06-16 17:34, Patrick McHardy wrote:
>
>>On 16.06.2011 17:31, Jan Engelhardt wrote:
>>>
>>> On Thursday 2011-06-16 17:21, Patrick McHardy wrote:
>>>> On 09.06.2011 22:23, Jan Engelhardt wrote:
>>>>> --- a/net/ipv4/netfilter/Kconfig
>>>>> +++ b/net/ipv4/netfilter/Kconfig
>>>>> @@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
>>>>> config IP_NF_MATCH_ECN
>>>>> tristate '"ecn" match support'
>>>>> depends on NETFILTER_ADVANCED
>>>>> - help
>>>>> - This option adds a `ECN' match, which allows you to match against
>>>>> - the IPv4 and TCP header ECN fields.
>>>>> -
>>>>> - To compile it as a module, choose M here. If unsure, say N.
>>>>> + select NETFILTER_XT_MATCH_ECN
>>>>> + ---help---
>>>>> + This is a backwards-compat option for the user's convenience
>>>>> + (e.g. when running oldconfig). It selects
>>>>> + CONFIG_NETFILTER_XT_MATCH_ECN.
>>>>>
>>>>
>>>> Did this work? I've tried myself, but it would still show the new
>>>> option.
>>>
>>> What do you mean? Of course it is supposed to show NETFILTER_XT_MATCH_ECN.
>>
>>Well, ideally not, but fine as long as its still automatically
>>selected.
>>
>>I'll pull your patches once the first two fixes are upstream.
>
>We are doing the same thing with the old options for nfmark/ctmark
>(cf. Documentation/feature-removal-schedule.txt) so I guess that was ok.
>The old options are supposed to be gone in a few releases anyway.
ping?
* Re: [PATCH 1/4] netfilter: xtables: move ipt_ecn to xt_ecn
From: Patrick McHardy @ 2011-06-30 16:35 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Am 30.06.2011 17:38, schrieb Jan Engelhardt:
> On Thursday 2011-06-16 17:43, Jan Engelhardt wrote:
>
>> On Thursday 2011-06-16 17:34, Patrick McHardy wrote:
>>
>>> On 16.06.2011 17:31, Jan Engelhardt wrote:
>>>>
>>>> On Thursday 2011-06-16 17:21, Patrick McHardy wrote:
>>>>> On 09.06.2011 22:23, Jan Engelhardt wrote:
>>>>>> --- a/net/ipv4/netfilter/Kconfig
>>>>>> +++ b/net/ipv4/netfilter/Kconfig
>>>>>> @@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
>>>>>> config IP_NF_MATCH_ECN
>>>>>> tristate '"ecn" match support'
>>>>>> depends on NETFILTER_ADVANCED
>>>>>> - help
>>>>>> - This option adds a `ECN' match, which allows you to match against
>>>>>> - the IPv4 and TCP header ECN fields.
>>>>>> -
>>>>>> - To compile it as a module, choose M here. If unsure, say N.
>>>>>> + select NETFILTER_XT_MATCH_ECN
>>>>>> + ---help---
>>>>>> + This is a backwards-compat option for the user's convenience
>>>>>> + (e.g. when running oldconfig). It selects
>>>>>> + CONFIG_NETFILTER_XT_MATCH_ECN.
>>>>>>
>>>>>
>>>>> Did this work? I've tried myself, but it would still show the new
>>>>> option.
>>>>
>>>> What do you mean? Of course it is supposed to show NETFILTER_XT_MATCH_ECN.
>>>
>>> Well, ideally not, but fine as long as its still automatically
>>> selected.
>>>
>>> I'll pull your patches once the first two fixes are upstream.
>>
>> We are doing the same thing with the old options for nfmark/ctmark
>> (cf. Documentation/feature-removal-schedule.txt) so I guess that was ok.
>> The old options are supposed to be gone in a few releases anyway.
>
> ping?
>
It hasn't been merged with net-next yet. Don't worry, I'll take
care of that once Dave has merged it.
* [PATCH 1/4] netfilter: xtables: move ipt_ecn to xt_ecn
From: Jan Engelhardt @ 2011-12-27 18:57 UTC (permalink / raw)
To: netfilter-devel
Prepare the ECN match for augmentation by an IPv6 counterpart. Since
no symbol dependencies on ipv6.ko are added, having a single ecn match
module is all the more welcome.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_ecn.h | 35 ++++++++++++++++++++
include/linux/netfilter_ipv4/ipt_ecn.h | 31 +-----------------
net/ipv4/netfilter/Kconfig | 10 +++---
net/ipv4/netfilter/Makefile | 1 -
net/netfilter/Kconfig | 9 +++++
net/netfilter/Makefile | 1 +
.../netfilter/ipt_ecn.c => netfilter/xt_ecn.c} | 1 +
8 files changed, 53 insertions(+), 36 deletions(-)
create mode 100644 include/linux/netfilter/xt_ecn.h
rename net/{ipv4/netfilter/ipt_ecn.c => netfilter/xt_ecn.c} (99%)
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index e630a2e..e144f54 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -43,6 +43,7 @@ header-y += xt_cpu.h
header-y += xt_dccp.h
header-y += xt_devgroup.h
header-y += xt_dscp.h
+header-y += xt_ecn.h
header-y += xt_esp.h
header-y += xt_hashlimit.h
header-y += xt_helper.h
diff --git a/include/linux/netfilter/xt_ecn.h b/include/linux/netfilter/xt_ecn.h
new file mode 100644
index 0000000..065c1a5
--- /dev/null
+++ b/include/linux/netfilter/xt_ecn.h
@@ -0,0 +1,35 @@
+/* iptables module for matching the ECN header in IPv4 and TCP header
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
+*/
+#ifndef _XT_ECN_H
+#define _XT_ECN_H
+
+#include <linux/types.h>
+#include <linux/netfilter/xt_dscp.h>
+
+#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
+
+#define IPT_ECN_OP_MATCH_IP 0x01
+#define IPT_ECN_OP_MATCH_ECE 0x10
+#define IPT_ECN_OP_MATCH_CWR 0x20
+
+#define IPT_ECN_OP_MATCH_MASK 0xce
+
+/* match info */
+struct ipt_ecn_info {
+ __u8 operation;
+ __u8 invert;
+ __u8 ip_ect;
+ union {
+ struct {
+ __u8 ect;
+ } tcp;
+ } proto;
+};
+
+#endif /* _XT_ECN_H */
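Review bot: IPT_ECN_OP_MATCH_MASK is defined as the bare value 0xce, and nothing in the new header records that it is the complement of the three IPT_ECN_OP_MATCH_* bits (0x01|0x10|0x20) that ecn_mt_check uses to reject unknown operation and invert bits. A one-line comment would keep the mask and the flag list in step if a flag is ever added, e.g. `/* bits outside IPT_ECN_OP_MATCH_{IP,ECE,CWR}; any set bit is rejected by checkentry */`. Since the Kbuild hunk exports this header with header-y, the layout of `struct ipt_ecn_info` is userspace ABI, which is worth stating on the struct so nobody reorders or widens its fields later. The identical xt_ecn.h hunk in the second posting of this patch on this page has the same gap.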
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h
index eabf95f..b1124ec 100644
--- a/include/linux/netfilter_ipv4/ipt_ecn.h
+++ b/include/linux/netfilter_ipv4/ipt_ecn.h
@@ -1,35 +1,6 @@
-/* iptables module for matching the ECN header in IPv4 and TCP header
- *
- * (C) 2002 Harald Welte <laforge@gnumonks.org>
- *
- * This software is distributed under GNU GPL v2, 1991
- *
- * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
-*/
#ifndef _IPT_ECN_H
#define _IPT_ECN_H
-#include <linux/types.h>
-#include <linux/netfilter/xt_dscp.h>
-
-#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
-
-#define IPT_ECN_OP_MATCH_IP 0x01
-#define IPT_ECN_OP_MATCH_ECE 0x10
-#define IPT_ECN_OP_MATCH_CWR 0x20
-
-#define IPT_ECN_OP_MATCH_MASK 0xce
-
-/* match info */
-struct ipt_ecn_info {
- __u8 operation;
- __u8 invert;
- __u8 ip_ect;
- union {
- struct {
- __u8 ect;
- } tcp;
- } proto;
-};
+#include <linux/netfilter/xt_ecn.h>
#endif /* _IPT_ECN_H */
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 7e1f5cd..53b9c79 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
config IP_NF_MATCH_ECN
tristate '"ecn" match support'
depends on NETFILTER_ADVANCED
- help
- This option adds a `ECN' match, which allows you to match against
- the IPv4 and TCP header ECN fields.
-
- To compile it as a module, choose M here. If unsure, say N.
+ select NETFILTER_XT_MATCH_ECN
+ ---help---
+ This is a backwards-compat option for the user's convenience
+ (e.g. when running oldconfig). It selects
+ CONFIG_NETFILTER_XT_MATCH_ECN.
config IP_NF_MATCH_RPFILTER
tristate '"rpfilter" reverse path filter match support'
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 123dd88..213a462 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -49,7 +49,6 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
# matches
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
-obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o
# targets
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index bac93ba..20388a9 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -778,6 +778,15 @@ config NETFILTER_XT_MATCH_DSCP
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_ECN
+ tristate '"ecn" match support'
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This option adds an "ECN" match, which allows you to match against
+ the IPv4 and TCP header ECN fields.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config NETFILTER_XT_MATCH_ESP
tristate '"esp" match support'
depends on NETFILTER_ADVANCED
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index b2eee4d..40f4c3d 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) += xt_ecn.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/netfilter/xt_ecn.c
similarity index 99%
rename from net/ipv4/netfilter/ipt_ecn.c
rename to net/netfilter/xt_ecn.c
index 2b57e52..2c198f5 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/netfilter/xt_ecn.c
@@ -21,6 +21,7 @@
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_ecn");
static inline bool match_ip(const struct sk_buff *skb,
const struct ipt_ecn_info *einfo)
--
1.7.3.4
* [PATCH 1/4] netfilter: xtables: move ipt_ecn to xt_ecn
From: Jan Engelhardt @ 2011-12-27 15:27 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_ecn.h | 35 +++++++++
include/linux/netfilter_ipv4/ipt_ecn.h | 31 +--------
net/ipv4/netfilter/Kconfig | 10 +-
net/ipv4/netfilter/Makefile | 1 -
net/ipv4/netfilter/ipt_ecn.c | 127 -------------------------------
net/netfilter/Kconfig | 9 ++
net/netfilter/Makefile | 1 +
net/netfilter/xt_ecn.c | 128 ++++++++++++++++++++++++++++++++
9 files changed, 180 insertions(+), 163 deletions(-)
create mode 100644 include/linux/netfilter/xt_ecn.h
delete mode 100644 net/ipv4/netfilter/ipt_ecn.c
create mode 100644 net/netfilter/xt_ecn.c
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index e630a2e..e144f54 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -43,6 +43,7 @@ header-y += xt_cpu.h
header-y += xt_dccp.h
header-y += xt_devgroup.h
header-y += xt_dscp.h
+header-y += xt_ecn.h
header-y += xt_esp.h
header-y += xt_hashlimit.h
header-y += xt_helper.h
diff --git a/include/linux/netfilter/xt_ecn.h b/include/linux/netfilter/xt_ecn.h
new file mode 100644
index 0000000..065c1a5
--- /dev/null
+++ b/include/linux/netfilter/xt_ecn.h
@@ -0,0 +1,35 @@
+/* iptables module for matching the ECN header in IPv4 and TCP header
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
+*/
+#ifndef _XT_ECN_H
+#define _XT_ECN_H
+
+#include <linux/types.h>
+#include <linux/netfilter/xt_dscp.h>
+
+#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
+
+#define IPT_ECN_OP_MATCH_IP 0x01
+#define IPT_ECN_OP_MATCH_ECE 0x10
+#define IPT_ECN_OP_MATCH_CWR 0x20
+
+#define IPT_ECN_OP_MATCH_MASK 0xce
+
+/* match info */
+struct ipt_ecn_info {
+ __u8 operation;
+ __u8 invert;
+ __u8 ip_ect;
+ union {
+ struct {
+ __u8 ect;
+ } tcp;
+ } proto;
+};
+
+#endif /* _XT_ECN_H */
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h
index eabf95f..b1124ec 100644
--- a/include/linux/netfilter_ipv4/ipt_ecn.h
+++ b/include/linux/netfilter_ipv4/ipt_ecn.h
@@ -1,35 +1,6 @@
-/* iptables module for matching the ECN header in IPv4 and TCP header
- *
- * (C) 2002 Harald Welte <laforge@gnumonks.org>
- *
- * This software is distributed under GNU GPL v2, 1991
- *
- * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
-*/
#ifndef _IPT_ECN_H
#define _IPT_ECN_H
-#include <linux/types.h>
-#include <linux/netfilter/xt_dscp.h>
-
-#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
-
-#define IPT_ECN_OP_MATCH_IP 0x01
-#define IPT_ECN_OP_MATCH_ECE 0x10
-#define IPT_ECN_OP_MATCH_CWR 0x20
-
-#define IPT_ECN_OP_MATCH_MASK 0xce
-
-/* match info */
-struct ipt_ecn_info {
- __u8 operation;
- __u8 invert;
- __u8 ip_ect;
- union {
- struct {
- __u8 ect;
- } tcp;
- } proto;
-};
+#include <linux/netfilter/xt_ecn.h>
#endif /* _IPT_ECN_H */
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 7e1f5cd..53b9c79 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
config IP_NF_MATCH_ECN
tristate '"ecn" match support'
depends on NETFILTER_ADVANCED
- help
- This option adds a `ECN' match, which allows you to match against
- the IPv4 and TCP header ECN fields.
-
- To compile it as a module, choose M here. If unsure, say N.
+ select NETFILTER_XT_MATCH_ECN
+ ---help---
+ This is a backwards-compat option for the user's convenience
+ (e.g. when running oldconfig). It selects
+ CONFIG_NETFILTER_XT_MATCH_ECN.
config IP_NF_MATCH_RPFILTER
tristate '"rpfilter" reverse path filter match support'
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 123dd88..213a462 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -49,7 +49,6 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
# matches
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
-obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o
# targets
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
deleted file mode 100644
index 2b57e52..0000000
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/* IP tables module for matching the value of the IPv4 and TCP ECN bits
- *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/in.h>
-#include <linux/ip.h>
-#include <net/ip.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/tcp.h>
-
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ecn.h>
-
-MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
-MODULE_LICENSE("GPL");
-
-static inline bool match_ip(const struct sk_buff *skb,
- const struct ipt_ecn_info *einfo)
-{
- return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
- !!(einfo->invert & IPT_ECN_OP_MATCH_IP);
-}
-
-static inline bool match_tcp(const struct sk_buff *skb,
- const struct ipt_ecn_info *einfo,
- bool *hotdrop)
-{
- struct tcphdr _tcph;
- const struct tcphdr *th;
-
- /* In practice, TCP match does this, so can't fail. But let's
- * be good citizens.
- */
- th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
- if (th == NULL) {
- *hotdrop = false;
- return false;
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
- if (einfo->invert & IPT_ECN_OP_MATCH_ECE) {
- if (th->ece == 1)
- return false;
- } else {
- if (th->ece == 0)
- return false;
- }
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
- if (einfo->invert & IPT_ECN_OP_MATCH_CWR) {
- if (th->cwr == 1)
- return false;
- } else {
- if (th->cwr == 0)
- return false;
- }
- }
-
- return true;
-}
-
-static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
-{
- const struct ipt_ecn_info *info = par->matchinfo;
-
- if (info->operation & IPT_ECN_OP_MATCH_IP)
- if (!match_ip(skb, info))
- return false;
-
- if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
- if (!match_tcp(skb, info, &par->hotdrop))
- return false;
- }
-
- return true;
-}
-
-static int ecn_mt_check(const struct xt_mtchk_param *par)
-{
- const struct ipt_ecn_info *info = par->matchinfo;
- const struct ipt_ip *ip = par->entryinfo;
-
- if (info->operation & IPT_ECN_OP_MATCH_MASK)
- return -EINVAL;
-
- if (info->invert & IPT_ECN_OP_MATCH_MASK)
- return -EINVAL;
-
- if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
- (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
- pr_info("cannot match TCP bits in rule for non-tcp packets\n");
- return -EINVAL;
- }
-
- return 0;
-}
-
-static struct xt_match ecn_mt_reg __read_mostly = {
- .name = "ecn",
- .family = NFPROTO_IPV4,
- .match = ecn_mt,
- .matchsize = sizeof(struct ipt_ecn_info),
- .checkentry = ecn_mt_check,
- .me = THIS_MODULE,
-};
-
-static int __init ecn_mt_init(void)
-{
- return xt_register_match(&ecn_mt_reg);
-}
-
-static void __exit ecn_mt_exit(void)
-{
- xt_unregister_match(&ecn_mt_reg);
-}
-
-module_init(ecn_mt_init);
-module_exit(ecn_mt_exit);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index bac93ba..20388a9 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -778,6 +778,15 @@ config NETFILTER_XT_MATCH_DSCP
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_ECN
+ tristate '"ecn" match support'
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This option adds an "ECN" match, which allows you to match against
+ the IPv4 and TCP header ECN fields.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config NETFILTER_XT_MATCH_ESP
tristate '"esp" match support'
depends on NETFILTER_ADVANCED
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index b2eee4d..40f4c3d 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) += xt_ecn.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c
new file mode 100644
index 0000000..2c198f5
--- /dev/null
+++ b/net/netfilter/xt_ecn.c
@@ -0,0 +1,128 @@
+/* IP tables module for matching the value of the IPv4 and TCP ECN bits
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <net/ip.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/tcp.h>
+
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_ecn.h>
+
+MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
+MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_ecn");
+
+static inline bool match_ip(const struct sk_buff *skb,
+ const struct ipt_ecn_info *einfo)
+{
+ return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
+ !!(einfo->invert & IPT_ECN_OP_MATCH_IP);
+}
+
+static inline bool match_tcp(const struct sk_buff *skb,
+ const struct ipt_ecn_info *einfo,
+ bool *hotdrop)
+{
+ struct tcphdr _tcph;
+ const struct tcphdr *th;
+
+ /* In practice, TCP match does this, so can't fail. But let's
+ * be good citizens.
+ */
+ th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
+ if (th == NULL) {
+ *hotdrop = false;
+ return false;
+ }
+
+ if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
+ if (einfo->invert & IPT_ECN_OP_MATCH_ECE) {
+ if (th->ece == 1)
+ return false;
+ } else {
+ if (th->ece == 0)
+ return false;
+ }
+ }
+
+ if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
+ if (einfo->invert & IPT_ECN_OP_MATCH_CWR) {
+ if (th->cwr == 1)
+ return false;
+ } else {
+ if (th->cwr == 0)
+ return false;
+ }
+ }
+
+ return true;
+}
+
+static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+ const struct ipt_ecn_info *info = par->matchinfo;
+
+ if (info->operation & IPT_ECN_OP_MATCH_IP)
+ if (!match_ip(skb, info))
+ return false;
+
+ if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
+ if (!match_tcp(skb, info, &par->hotdrop))
+ return false;
+ }
+
+ return true;
+}
+
+static int ecn_mt_check(const struct xt_mtchk_param *par)
+{
+ const struct ipt_ecn_info *info = par->matchinfo;
+ const struct ipt_ip *ip = par->entryinfo;
+
+ if (info->operation & IPT_ECN_OP_MATCH_MASK)
+ return -EINVAL;
+
+ if (info->invert & IPT_ECN_OP_MATCH_MASK)
+ return -EINVAL;
+
+ if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
+ (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
+ pr_info("cannot match TCP bits in rule for non-tcp packets\n");
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static struct xt_match ecn_mt_reg __read_mostly = {
+ .name = "ecn",
+ .family = NFPROTO_IPV4,
+ .match = ecn_mt,
+ .matchsize = sizeof(struct ipt_ecn_info),
+ .checkentry = ecn_mt_check,
+ .me = THIS_MODULE,
+};
+
+static int __init ecn_mt_init(void)
+{
+ return xt_register_match(&ecn_mt_reg);
+}
+
+static void __exit ecn_mt_exit(void)
+{
+ xt_unregister_match(&ecn_mt_reg);
+}
+
+module_init(ecn_mt_init);
+module_exit(ecn_mt_exit);
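Review bot: The new net/netfilter/xt_ecn.c still includes `<linux/netfilter_ipv4/ipt_ecn.h>`, which this same patch reduces to a compatibility wrapper around the new `<linux/netfilter/xt_ecn.h>`; the moved module should include the new header directly, `#include <linux/netfilter/xt_ecn.h>`, so it does not depend on the wrapper kept only for old userspace. In match_tcp, the comment claims a short TCP header "can't fail" because the TCP match handles it, but ecn_mt_check only requires `ip->proto == IPPROTO_TCP`, not that `-m tcp` is in the rule, and the explicit `*hotdrop = false` means a packet whose TCP header cannot be read is treated as a non-match and continues down the chain rather than being dropped (the tcp match, as far as I recall, hotdrops in that case). That is a defensible choice, but it should be stated rather than implied, e.g. `/* Unreadable/short TCP header: count as non-match, do not hotdrop. */`. MODULE_DESCRIPTION still says "for IPv4", which is accurate for this patch but will need updating when the IPv6 counterpart announced in the cover letter lands.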
--
1.7.3.4