[PATCH 1/3] xt_tos match


 



Posted for review and checkup.

===Patch begins===

Convert ipt_tos to xt_tos, with a few extras:

	* IPv6 support (will use the priority field)

	* allow matching on the full TOS value
	  (i.e. with Network Precedence, if desired)

Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>

---
 include/linux/netfilter/Kbuild      |    1 
 include/linux/netfilter/xt_tos.h    |   14 ++++
 include/linux/netfilter_ipv4/Kbuild |    1 
 net/ipv4/netfilter/Kconfig          |    9 ---
 net/ipv4/netfilter/Makefile         |    1 
 net/ipv4/netfilter/ipt_tos.c        |   50 ----------------
 net/netfilter/Kconfig               |   10 +++
 net/netfilter/Makefile              |    1 
 net/netfilter/xt_tos.c              |  106 ++++++++++++++++++++++++++++++++++++
 9 files changed, 132 insertions(+), 61 deletions(-)

Index: net-2.6.25/include/linux/netfilter/Kbuild
===================================================================
--- net-2.6.25.orig/include/linux/netfilter/Kbuild
+++ net-2.6.25/include/linux/netfilter/Kbuild
@@ -35,6 +35,7 @@ header-y += xt_statistic.h
 header-y += xt_string.h
 header-y += xt_tcpmss.h
 header-y += xt_tcpudp.h
+header-y += xt_tos.h
 
 unifdef-y += nf_conntrack_common.h
 unifdef-y += nf_conntrack_ftp.h
Index: net-2.6.25/include/linux/netfilter/xt_tos.h
===================================================================
--- /dev/null
+++ net-2.6.25/include/linux/netfilter/xt_tos.h
@@ -0,0 +1,14 @@
+#ifndef _XT_TOS_MATCH_H
+#define _XT_TOS_MATCH_H
+
+struct xt_tos_match_info {
+	u_int8_t tos_value;
+	u_int8_t tos_mask;
+	u_int8_t invert;
+};
+
+#ifndef IPTOS_NORMALSVC
+#	define IPTOS_NORMALSVC 0
+#endif
+
+#endif /* _XT_TOS_MATCH_H */
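Review bot: `struct xt_tos_match_info` is exported to userspace by this series (it is added to header-y), yet its three fields carry no comment saying how they combine. From tos_mt in the new xt_tos.c the contract is `/* match when (tos & tos_mask) == tos_value; invert is 0 or 1 and negates the result */`, and that line belongs above the struct here rather than only in the .c file. The `IPTOS_NORMALSVC` fallback define is not referenced by the kernel-side code in this patch; a one-line comment naming the consumer it is provided for would keep a later cleanup from dropping it.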
Index: net-2.6.25/include/linux/netfilter_ipv4/Kbuild
===================================================================
--- net-2.6.25.orig/include/linux/netfilter_ipv4/Kbuild
+++ net-2.6.25/include/linux/netfilter_ipv4/Kbuild
@@ -40,7 +40,6 @@ header-y += ipt_sctp.h
 header-y += ipt_state.h
 header-y += ipt_string.h
 header-y += ipt_tcpmss.h
-header-y += ipt_tos.h
 header-y += ipt_ttl.h
 
 unifdef-y += ip_queue.h
Index: net-2.6.25/net/ipv4/netfilter/Kconfig
===================================================================
--- net-2.6.25.orig/net/ipv4/netfilter/Kconfig
+++ net-2.6.25/net/ipv4/netfilter/Kconfig
@@ -63,15 +63,6 @@ config IP_NF_MATCH_IPRANGE
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_MATCH_TOS
-	tristate "TOS match support"
-	depends on IP_NF_IPTABLES
-	help
-	  TOS matching allows you to match packets based on the Type Of
-	  Service fields of the IP packet.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 config IP_NF_MATCH_RECENT
 	tristate "recent match support"
 	depends on IP_NF_IPTABLES
Index: net-2.6.25/net/ipv4/netfilter/Makefile
===================================================================
--- net-2.6.25.orig/net/ipv4/netfilter/Makefile
+++ net-2.6.25/net/ipv4/netfilter/Makefile
@@ -47,7 +47,6 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
-obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 
 # targets
Index: net-2.6.25/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- net-2.6.25.orig/net/ipv4/netfilter/ipt_tos.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/* Kernel module to match TOS values. */
-
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@xxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/ip.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-
-#include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter/x_tables.h>
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("iptables TOS match module");
-
-static bool
-tos_mt(const struct sk_buff *skb, const struct net_device *in,
-       const struct net_device *out, const struct xt_match *match,
-       const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
-{
-	const struct ipt_tos_info *info = matchinfo;
-
-	return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
-}
-
-static struct xt_match tos_mt_reg __read_mostly = {
-	.name		= "tos",
-	.family		= AF_INET,
-	.match		= tos_mt,
-	.matchsize	= sizeof(struct ipt_tos_info),
-	.me		= THIS_MODULE,
-};
-
-static int __init tos_mt_init(void)
-{
-	return xt_register_match(&tos_mt_reg);
-}
-
-static void __exit tos_mt_exit(void)
-{
-	xt_unregister_match(&tos_mt_reg);
-}
-
-module_init(tos_mt_init);
-module_exit(tos_mt_exit);
Index: net-2.6.25/net/netfilter/Kconfig
===================================================================
--- net-2.6.25.orig/net/netfilter/Kconfig
+++ net-2.6.25/net/netfilter/Kconfig
@@ -679,6 +679,16 @@ config NETFILTER_XT_MATCH_TIME
 	  If you want to compile it as a module, say M here.
 	  If unsure, say N.
 
+config NETFILTER_XT_MATCH_TOS
+	tristate '"tos" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	TOS matching allows you to match packets based on the Type Of
+	Service field of the IPv4 packet or Traffic Class field of
+	the IPv6 packet.
+
+	To compile it as a module, choose M here. If unsure, say N.
+
 config NETFILTER_XT_MATCH_U32
 	tristate '"u32" match support'
 	depends on NETFILTER_XTABLES
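Review bot: The five help-text lines under `---help---` are indented with a single tab, while the neighbouring entries in this file indent help text with a tab plus two spaces (see the NETFILTER_XT_MATCH_TIME lines just above the hunk); matching that style keeps the new entry consistent. The wording "Traffic Class field of the IPv6 packet" also says more than the new xt_tos.c does: its IPv6 branch compares only `ipv6_hdr(skb)->priority`, the upper four bits of the Traffic Class, so either the help should read "the priority (upper Traffic Class) nibble of the IPv6 packet" or the code should read the whole octet.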
Index: net-2.6.25/net/netfilter/Makefile
===================================================================
--- net-2.6.25.orig/net/netfilter/Makefile
+++ net-2.6.25/net/netfilter/Makefile
@@ -77,4 +77,5 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTI
 obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_TOS) += xt_tos.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
Index: net-2.6.25/net/netfilter/xt_tos.c
===================================================================
--- /dev/null
+++ net-2.6.25/net/netfilter/xt_tos.c
@@ -0,0 +1,106 @@
+/* Kernel module to match TOS values. */
+
+/* (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@xxxxxxxxxxxxx>
+ * © 2007 CC Computer Consultants GmbH
+ * Contact: <jengelh@xxxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tos.h>
+#include <linux/netfilter_ipv4/ipt_tos.h>
+
+static bool
+tos_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+          const struct net_device *out, const struct xt_match *match,
+          const void *matchinfo, int offset, unsigned int protoff,
+          bool *hotdrop)
+{
+	const struct ipt_tos_info *info = matchinfo;
+
+	return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
+}
+
+static bool
+tos_mt(const struct sk_buff *skb, const struct net_device *in,
+       const struct net_device *out, const struct xt_match *match,
+       const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
+{
+	const struct xt_tos_match_info *info = matchinfo;
+
+	if (match->family == AF_INET)
+		return ((ip_hdr(skb)->tos & info->tos_mask) ==
+		       info->tos_value) ^ info->invert;
+	else
+		return ((ipv6_hdr(skb)->priority & info->tos_mask) ==
+		       info->tos_value) ^ info->invert;
+}
+
+static bool
+tos_mt6_check(const char *tablename, const void *ip,
+              const struct xt_match *match, void *matchinfo,
+              unsigned int hook_mask)
+{
+	const struct xt_tos_match_info *info = matchinfo;
+
+	if (info->tos_mask > 0xF || info->tos_value > 0xF) {
+		printk(KERN_WARNING KBUILD_MODNAME
+		       ": Traffic Class field may only take values 0-15\n");
+		return false;
+	}
+
+	return true;
+}
+
+static struct xt_match tos_mt_reg[] __read_mostly = {
+	{
+		.name       = "tos",
+		.revision   = 0,
+		.family     = AF_INET,
+		.match      = tos_mt_v0,
+		.matchsize  = sizeof(struct ipt_tos_info),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "tos",
+		.revision   = 1,
+		.family     = AF_INET,
+		.match      = tos_mt,
+		.matchsize  = sizeof(struct xt_tos_match_info),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "tos",
+		.revision   = 1,
+		.family     = AF_INET6,
+		.match      = tos_mt,
+		.matchsize  = sizeof(struct xt_tos_match_info),
+		.checkentry = tos_mt6_check,
+		.me         = THIS_MODULE,
+	},
+};
+
+static int __init tos_mt_init(void)
+{
+	return xt_register_matches(tos_mt_reg, ARRAY_SIZE(tos_mt_reg));
+}
+
+static void __exit tos_mt_exit(void)
+{
+	xt_unregister_matches(tos_mt_reg, ARRAY_SIZE(tos_mt_reg));
+}
+
+module_init(tos_mt_init);
+module_exit(tos_mt_exit);
+MODULE_DESCRIPTION("netfilter \"tos\" match module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_tos");
+MODULE_ALIAS("ip6t_tos");
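Review bot: In tos_mt the AF_INET6 branch reads `ipv6_hdr(skb)->priority`, which holds only the upper four bits of the IPv6 Traffic Class (the lower four sit in flow_lbl[0]), so the IPv6 match covers 16 values where the IPv4 one covers the full 8-bit TOS, and tos_mt6_check has to cap tos_value/tos_mask at 0xF. Reading the whole octet with `ipv6_get_dsfield(ipv6_hdr(skb))` from `<net/dsfield.h>` — `return ((ipv6_get_dsfield(ipv6_hdr(skb)) & info->tos_mask) == info->tos_value) ^ info->invert;` — gives both families the same semantics and makes the 0-15 restriction unnecessary. If the nibble-only behaviour is intentional (the cover letter says the priority field is used), the warning in tos_mt6_check should say "priority" rather than "Traffic Class", since the latter spans 0-255. Separately, neither revision-1 entry validates `info->invert`: the result is built as `(cmp) ^ info->invert`, so any value other than 0 or 1 turns the match into an always-true one, and the AF_INET revision-1 entry has no `.checkentry` at all; a checkentry shared by both families that rejects `info->invert > 1` would catch broken userspace before the rule is installed.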
