加了空格试试

only check out no any change
2024-12-31 15:11:17 +08:00 · 2024-12-31 10:13:36 +08:00
14 changed files with 492 additions and 815 deletions
--- a/linux-3.0.4/include/linux/netfilter/xt_CONNMARK.h
+++ b/linux-3.0.4/include/linux/netfilter/xt_CONNMARK.h
@ -1,6 +1,31 @@
-#ifndef _XT_CONNMARK_H_target
+#ifndef _XT_CONNMARK_H
-#define _XT_CONNMARK_H_target
+#define _XT_CONNMARK_H
-#include <linux/netfilter/xt_connmark.h>
+#include <linux/types.h>
-#endif /*_XT_CONNMARK_H_target*/
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
 * by Henrik Nordstrom <hno@marasystems.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 */
 enum {
 	XT_CONNMARK_SET = 0,
 	XT_CONNMARK_SAVE,
 	XT_CONNMARK_RESTORE
 };
 struct xt_connmark_tginfo1 {
 	__u32 ctmark, ctmask, nfmask;
 	__u8 mode;
 };
 struct xt_connmark_mtinfo1 {
 	__u32 mark, mask;
 	__u8 invert;
 };
 #endif /*_XT_CONNMARK_H*/
--- a/linux-3.0.4/include/linux/netfilter/xt_DSCP.h
+++ b/linux-3.0.4/include/linux/netfilter/xt_DSCP.h
@ -1,26 +1,31 @@
-/* x_tables module for setting the IPv4/IPv6 DSCP field
+/* x_tables module for matching the IPv4/IPv6 DSCP field
 *
 * (C) 2002 Harald Welte <laforge@gnumonks.org>
 * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
 * This software is distributed under GNU GPL v2, 1991
 *
 * See RFC2474 for a description of the DSCP field within the IP Header.
 *
- * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
+ * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
 */
-#ifndef _XT_DSCP_TARGET_H
+#ifndef _XT_DSCP_H
-#define _XT_DSCP_TARGET_H
+#define _XT_DSCP_H
-#include <linux/netfilter/xt_dscp.h>
+
 #include <linux/types.h>
-/* target info */
+#define XT_DSCP_MASK	0xfc	/* 11111100 */
-struct xt_DSCP_info {
+#define XT_DSCP_SHIFT	2
 #define XT_DSCP_MAX	0x3f	/* 00111111 */
 /* match info */
 struct xt_dscp_info {
 	__u8 dscp;
 	__u8 invert;
 };
-struct xt_tos_target_info {
+struct xt_tos_match_info {
 	__u8 tos_value;
 	__u8 tos_mask;
 	__u8 tos_value;
 	__u8 invert;
 };
-#endif /* _XT_DSCP_TARGET_H */
+#endif /* _XT_DSCP_H */
--- a/linux-3.0.4/include/linux/netfilter/xt_MARK.h
+++ b/linux-3.0.4/include/linux/netfilter/xt_MARK.h
@ -1,6 +1,15 @@
-#ifndef _XT_MARK_H_target
+#ifndef _XT_MARK_H
-#define _XT_MARK_H_target
+#define _XT_MARK_H
-#include <linux/netfilter/xt_mark.h>
+#include <linux/types.h>
-#endif /*_XT_MARK_H_target */
+struct xt_mark_tginfo2 {
 	__u32 mark, mask;
 };
 struct xt_mark_mtinfo1 {
 	__u32 mark, mask;
 	__u8 invert;
 };
 #endif /*_XT_MARK_H*/
--- a/linux-3.0.4/include/linux/netfilter/xt_RATEEST.h
+++ b/linux-3.0.4/include/linux/netfilter/xt_RATEEST.h
@ -1,15 +1,37 @@
-#ifndef _XT_RATEEST_TARGET_H
+#ifndef _XT_RATEEST_MATCH_H
-#define _XT_RATEEST_TARGET_H
+#define _XT_RATEEST_MATCH_H
 #include <linux/types.h>
-struct xt_rateest_target_info {
+enum xt_rateest_match_flags {
-	char			name[IFNAMSIZ];
+	XT_RATEEST_MATCH_INVERT	= 1<<0,
-	__s8			interval;
+	XT_RATEEST_MATCH_ABS	= 1<<1,
-	__u8		ewma_log;
+	XT_RATEEST_MATCH_REL	= 1<<2,
-
+	XT_RATEEST_MATCH_DELTA	= 1<<3,
-	/* Used internally by the kernel */
+	XT_RATEEST_MATCH_BPS	= 1<<4,
-	struct xt_rateest	*est __attribute__((aligned(8)));
+	XT_RATEEST_MATCH_PPS	= 1<<5,
 };
-#endif /* _XT_RATEEST_TARGET_H */
+enum xt_rateest_match_mode {
 	XT_RATEEST_MATCH_NONE,
 	XT_RATEEST_MATCH_EQ,
 	XT_RATEEST_MATCH_LT,
 	XT_RATEEST_MATCH_GT,
 };
 struct xt_rateest_match_info {
 	char			name1[IFNAMSIZ];
 	char			name2[IFNAMSIZ];
 	__u16		flags;
 	__u16		mode;
 	__u32		bps1;
 	__u32		pps1;
 	__u32		bps2;
 	__u32		pps2;
 	/* Used internally by the kernel */
 	struct xt_rateest	*est1 __attribute__((aligned(8)));
 	struct xt_rateest	*est2 __attribute__((aligned(8)));
 };
 #endif /* _XT_RATEEST_MATCH_H */
--- a/linux-3.0.4/include/linux/netfilter/xt_TCPMSS.h
+++ b/linux-3.0.4/include/linux/netfilter/xt_TCPMSS.h
@ -1,12 +1,11 @@
-#ifndef _XT_TCPMSS_H
+#ifndef _XT_TCPMSS_MATCH_H
-#define _XT_TCPMSS_H
+#define _XT_TCPMSS_MATCH_H
 #include <linux/types.h>
-struct xt_tcpmss_info {
+struct xt_tcpmss_match_info {
-	__u16 mss;
+    __u16 mss_min, mss_max;
    __u8 invert;
 };
-#define XT_TCPMSS_CLAMP_PMTU 0xffff
+#endif /*_XT_TCPMSS_MATCH_H*/
 #endif /* _XT_TCPMSS_H */
--- a/linux-3.0.4/include/linux/netfilter_ipv4/ipt_ECN.h
+++ b/linux-3.0.4/include/linux/netfilter_ipv4/ipt_ECN.h
@ -1,33 +1,35 @@
-/* Header file for iptables ipt_ECN target
+/* iptables module for matching the ECN header in IPv4 and TCP header
 *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
 *
 * This software is distributed under GNU GPL v2, 1991
 * 
- * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp
+ * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
 */
-#ifndef _IPT_ECN_TARGET_H
+#ifndef _IPT_ECN_H
-#define _IPT_ECN_TARGET_H
+#define _IPT_ECN_H
 #include <linux/types.h>
-#include <linux/netfilter/xt_DSCP.h>
+#include <linux/netfilter/xt_dscp.h>
 #define IPT_ECN_IP_MASK	(~XT_DSCP_MASK)
-#define IPT_ECN_OP_SET_IP	0x01	/* set ECN bits of IPv4 header */
+#define IPT_ECN_OP_MATCH_IP	0x01
-#define IPT_ECN_OP_SET_ECE	0x10	/* set ECE bit of TCP header */
+#define IPT_ECN_OP_MATCH_ECE	0x10
-#define IPT_ECN_OP_SET_CWR	0x20	/* set CWR bit of TCP header */
+#define IPT_ECN_OP_MATCH_CWR	0x20
-#define IPT_ECN_OP_MASK		0xce
+#define IPT_ECN_OP_MATCH_MASK	0xce
-struct ipt_ECN_info {
+/* match info */
-	__u8 operation;	/* bitset of operations */
+struct ipt_ecn_info {
-	__u8 ip_ect;	/* ECT codepoint of IPv4 header, pre-shifted */
+	__u8 operation;
 	__u8 invert;
 	__u8 ip_ect;
 	union {
 		struct {
-			__u8 ece:1, cwr:1; /* TCP ECT bits */
+			__u8 ect;
 		} tcp;
 	} proto;
 };
-#endif /* _IPT_ECN_TARGET_H */
+#endif /* _IPT_ECN_H */
--- a/linux-3.0.4/include/linux/netfilter_ipv4/ipt_TTL.h
+++ b/linux-3.0.4/include/linux/netfilter_ipv4/ipt_TTL.h
@ -1,5 +1,5 @@
-/* TTL modification module for IP tables
+/* IP tables module for matching the value of the TTL
- * (C) 2000 by Harald Welte <laforge@netfilter.org> */
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
 #ifndef _IPT_TTL_H
 #define _IPT_TTL_H
@ -7,14 +7,14 @@
 #include <linux/types.h>
 enum {
-	IPT_TTL_SET = 0,
+	IPT_TTL_EQ = 0,		/* equals */
-	IPT_TTL_INC,
+	IPT_TTL_NE,		/* not equals */
-	IPT_TTL_DEC
+	IPT_TTL_LT,		/* less than */
 	IPT_TTL_GT,		/* greater than */
 };
 #define IPT_TTL_MAXMODE	IPT_TTL_DEC
-struct ipt_TTL_info {
+struct ipt_ttl_info {
 	__u8	mode;
 	__u8	ttl;
 };
--- a/linux-3.0.4/include/linux/netfilter_ipv6/ip6t_HL.h
+++ b/linux-3.0.4/include/linux/netfilter_ipv6/ip6t_HL.h
@ -1,6 +1,6 @@
-/* Hop Limit modification module for ip6tables
+/* ip6tables module for matching the Hop Limit value
 * Maciej Soltysiak <solt@dns.toxicfilms.tv>
- * Based on HW's TTL module */
+ * Based on HW's ttl module */
 #ifndef _IP6T_HL_H
 #define _IP6T_HL_H
@ -8,14 +8,14 @@
 #include <linux/types.h>
 enum {
-	IP6T_HL_SET = 0,
+	IP6T_HL_EQ = 0,		/* equals */
-	IP6T_HL_INC,
+	IP6T_HL_NE,		/* not equals */
-	IP6T_HL_DEC
+	IP6T_HL_LT,		/* less than */
 	IP6T_HL_GT,		/* greater than */
 };
 #define IP6T_HL_MAXMODE	IP6T_HL_DEC
-struct ip6t_HL_info {
+struct ip6t_hl_info {
 	__u8	mode;
 	__u8	hop_limit;
 };
--- a/linux-3.0.4/kernel/acct.c
+++ b/linux-3.0.4/kernel/acct.c
@ -68,9 +68,9 @@
 */
 int acct_parm[3] = {4, 2, 30};
-#define RESUME		(acct_parm[0])	/* >foo% free space - resume */
+#define  RESUME		(acct_parm[0])	/* >foo% free space - resume */
-#define SUSPEND		(acct_parm[1])	/* <foo% free space - suspend */
+#define  SUSPEND		(acct_parm[1])	/* <foo% free space - suspend */
-#define ACCT_TIMEOUT	(acct_parm[2])	/* foo second timeout between checks */
+#define  ACCT_TIMEOUT	(acct_parm[2])	/* foo second timeout between checks */
 /*
 * External references and all of the globals.
--- a/linux-3.0.4/net/ipv4/netfilter/ipt_ECN.c
+++ b/linux-3.0.4/net/ipv4/netfilter/ipt_ECN.c
@ -1,138 +1,127 @@
-/* iptables module for the IPv4 and TCP ECN bits, Version 1.5
+/* IP tables module for matching the value of the IPv4 and TCP ECN bits
 *
- * (C) 2002 by Harald Welte <laforge@netfilter.org>
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
-*/
+ */
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <net/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 #include <net/checksum.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ECN.h>
+#include <linux/netfilter_ipv4/ipt_ecn.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag modification");
+MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
 MODULE_LICENSE("GPL");
-/* set ECT codepoint from IP header.
+static inline bool match_ip(const struct sk_buff *skb,
- * 	return false if there was an error. */
+			    const struct ipt_ecn_info *einfo)
 static inline bool
 set_ect_ip(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
 {
-	struct iphdr *iph = ip_hdr(skb);
+	return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
 	       !!(einfo->invert & IPT_ECN_OP_MATCH_IP);
 }
-	if ((iph->tos & IPT_ECN_IP_MASK) != (einfo->ip_ect & IPT_ECN_IP_MASK)) {
+static inline bool match_tcp(const struct sk_buff *skb,
-		__u8 oldtos;
+			     const struct ipt_ecn_info *einfo,
-		if (!skb_make_writable(skb, sizeof(struct iphdr)))
+			     bool *hotdrop)
 {
 	struct tcphdr _tcph;
 	const struct tcphdr *th;
 	/* In practice, TCP match does this, so can't fail.  But let's
 	 * be good citizens.
 	 */
 	th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
 	if (th == NULL) {
 		*hotdrop = false;
 		return false;
 	}
 	if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
 		if (einfo->invert & IPT_ECN_OP_MATCH_ECE) {
 			if (th->ece == 1)
 				return false;
 		} else {
 			if (th->ece == 0)
 				return false;
 		}
 	}
 	if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
 		if (einfo->invert & IPT_ECN_OP_MATCH_CWR) {
 			if (th->cwr == 1)
 				return false;
 		} else {
 			if (th->cwr == 0)
 				return false;
 		}
 	}
 	return true;
 }
 static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_ecn_info *info = par->matchinfo;
 	if (info->operation & IPT_ECN_OP_MATCH_IP)
 		if (!match_ip(skb, info))
 			return false;
 	if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
 		if (!match_tcp(skb, info, &par->hotdrop))
 			return false;
 		iph = ip_hdr(skb);
 		oldtos = iph->tos;
 		iph->tos &= ~IPT_ECN_IP_MASK;
 		iph->tos |= (einfo->ip_ect & IPT_ECN_IP_MASK);
 		csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
 	}
 	return true;
 }
-/* Return false if there was an error. */
+static int ecn_mt_check(const struct xt_mtchk_param *par)
 static inline bool
 set_ect_tcp(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
 {
-	struct tcphdr _tcph, *tcph;
+	const struct ipt_ecn_info *info = par->matchinfo;
-	__be16 oldval;
+	const struct ipt_ip *ip = par->entryinfo;
-	/* Not enough header? */
+	if (info->operation & IPT_ECN_OP_MATCH_MASK)
-	tcph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
+		return -EINVAL;
 	if (!tcph)
 		return false;
-	if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) ||
+	if (info->invert & IPT_ECN_OP_MATCH_MASK)
-	     tcph->ece == einfo->proto.tcp.ece) &&
+		return -EINVAL;
 	    (!(einfo->operation & IPT_ECN_OP_SET_CWR) ||
 	     tcph->cwr == einfo->proto.tcp.cwr))
 		return true;
-	if (!skb_make_writable(skb, ip_hdrlen(skb) + sizeof(*tcph)))
+	if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
-		return false;
+	    (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
-	tcph = (void *)ip_hdr(skb) + ip_hdrlen(skb);
+		pr_info("cannot match TCP bits in rule for non-tcp packets\n");
 	oldval = ((__be16 *)tcph)[6];
 	if (einfo->operation & IPT_ECN_OP_SET_ECE)
 		tcph->ece = einfo->proto.tcp.ece;
 	if (einfo->operation & IPT_ECN_OP_SET_CWR)
 		tcph->cwr = einfo->proto.tcp.cwr;
 	inet_proto_csum_replace2(&tcph->check, skb,
 				 oldval, ((__be16 *)tcph)[6], 0);
 	return true;
 }
 static unsigned int
 ecn_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct ipt_ECN_info *einfo = par->targinfo;
 	if (einfo->operation & IPT_ECN_OP_SET_IP)
 		if (!set_ect_ip(skb, einfo))
 			return NF_DROP;
 	if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) &&
 	    ip_hdr(skb)->protocol == IPPROTO_TCP)
 		if (!set_ect_tcp(skb, einfo))
 			return NF_DROP;
 	return XT_CONTINUE;
 }
 static int ecn_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct ipt_ECN_info *einfo = par->targinfo;
 	const struct ipt_entry *e = par->entryinfo;
 	if (einfo->operation & IPT_ECN_OP_MASK) {
 		pr_info("unsupported ECN operation %x\n", einfo->operation);
 		return -EINVAL;
 	}
 	if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
 		pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
 		return -EINVAL;
 	}
 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
 	    (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 		pr_info("cannot use TCP operations on a non-tcp rule\n");
 		return -EINVAL;
 	}
 	return 0;
 }
-static struct xt_target ecn_tg_reg __read_mostly = {
+static struct xt_match ecn_mt_reg __read_mostly = {
-	.name		= "ECN",
+	.name		= "ecn",
 	.family		= NFPROTO_IPV4,
-	.target		= ecn_tg,
+	.match		= ecn_mt,
-	.targetsize	= sizeof(struct ipt_ECN_info),
+	.matchsize	= sizeof(struct ipt_ecn_info),
-	.table		= "mangle",
+	.checkentry	= ecn_mt_check,
 	.checkentry	= ecn_tg_check,
 	.me		= THIS_MODULE,
 };
-static int __init ecn_tg_init(void)
+static int __init ecn_mt_init(void)
 {
-	return xt_register_target(&ecn_tg_reg);
+	return xt_register_match(&ecn_mt_reg);
 }
-static void __exit ecn_tg_exit(void)
+static void __exit ecn_mt_exit(void)
 {
-	xt_unregister_target(&ecn_tg_reg);
+	xt_unregister_match(&ecn_mt_reg);
 }
-module_init(ecn_tg_init);
+module_init(ecn_mt_init);
-module_exit(ecn_tg_exit);
+module_exit(ecn_mt_exit);
--- a/linux-3.0.4/net/netfilter/xt_DSCP.c
+++ b/linux-3.0.4/net/netfilter/xt_DSCP.c
@ -1,14 +1,11 @@
-/* x_tables module for setting the IPv4/IPv6 DSCP field, Version 1.8
+/* IP tables module for matching the value of the IPv4/IPv6 DSCP field
 *
 * (C) 2002 by Harald Welte <laforge@netfilter.org>
 * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
- *
+ */
 * See RFC2474 for a description of the DSCP field within the IP Header.
 */
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
@ -17,148 +14,102 @@
 #include <net/dsfield.h>
 #include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/xt_DSCP.h>
+#include <linux/netfilter/xt_dscp.h>
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification");
+MODULE_DESCRIPTION("Xtables: DSCP/TOS field match");
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_DSCP");
+MODULE_ALIAS("ipt_dscp");
-MODULE_ALIAS("ip6t_DSCP");
+MODULE_ALIAS("ip6t_dscp");
-MODULE_ALIAS("ipt_TOS");
+MODULE_ALIAS("ipt_tos");
-MODULE_ALIAS("ip6t_TOS");
+MODULE_ALIAS("ip6t_tos");
-static unsigned int
+static bool
-dscp_tg(struct sk_buff *skb, const struct xt_action_param *par)
+dscp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
-	const struct xt_DSCP_info *dinfo = par->targinfo;
+	const struct xt_dscp_info *info = par->matchinfo;
 	u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
-	if (dscp != dinfo->dscp) {
+	return (dscp == info->dscp) ^ !!info->invert;
 		if (!skb_make_writable(skb, sizeof(struct iphdr)))
 			return NF_DROP;
 		ipv4_change_dsfield(ip_hdr(skb), (__u8)(~XT_DSCP_MASK),
 				    dinfo->dscp << XT_DSCP_SHIFT);
 	}
 	return XT_CONTINUE;
 }
-static unsigned int
+static bool
-dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par)
+dscp_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
-	const struct xt_DSCP_info *dinfo = par->targinfo;
+	const struct xt_dscp_info *info = par->matchinfo;
 	u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
-	if (dscp != dinfo->dscp) {
+	return (dscp == info->dscp) ^ !!info->invert;
 		if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
 			return NF_DROP;
 		ipv6_change_dsfield(ipv6_hdr(skb), (__u8)(~XT_DSCP_MASK),
 				    dinfo->dscp << XT_DSCP_SHIFT);
 	}
 	return XT_CONTINUE;
 }
-static int dscp_tg_check(const struct xt_tgchk_param *par)
+static int dscp_mt_check(const struct xt_mtchk_param *par)
 {
-	const struct xt_DSCP_info *info = par->targinfo;
+	const struct xt_dscp_info *info = par->matchinfo;
 	if (info->dscp > XT_DSCP_MAX) {
 		pr_info("dscp %x out of range\n", info->dscp);
 		return -EDOM;
 	}
 	return 0;
 }
-static unsigned int
+static bool tos_mt(const struct sk_buff *skb, struct xt_action_param *par)
 tos_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-	const struct xt_tos_target_info *info = par->targinfo;
+	const struct xt_tos_match_info *info = par->matchinfo;
 	struct iphdr *iph = ip_hdr(skb);
 	u_int8_t orig, nv;
-	orig = ipv4_get_dsfield(iph);
+	if (par->family == NFPROTO_IPV4)
-	nv   = (orig & ~info->tos_mask) ^ info->tos_value;
+		return ((ip_hdr(skb)->tos & info->tos_mask) ==
-
+		       info->tos_value) ^ !!info->invert;
-	if (orig != nv) {
+	else
-		if (!skb_make_writable(skb, sizeof(struct iphdr)))
+		return ((ipv6_get_dsfield(ipv6_hdr(skb)) & info->tos_mask) ==
-			return NF_DROP;
+		       info->tos_value) ^ !!info->invert;
 		iph = ip_hdr(skb);
 		ipv4_change_dsfield(iph, 0, nv);
 	}
 	return XT_CONTINUE;
 }
-static unsigned int
+static struct xt_match dscp_mt_reg[] __read_mostly = {
 tos_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct xt_tos_target_info *info = par->targinfo;
 	struct ipv6hdr *iph = ipv6_hdr(skb);
 	u_int8_t orig, nv;
 	orig = ipv6_get_dsfield(iph);
 	nv   = (orig & ~info->tos_mask) ^ info->tos_value;
 	if (orig != nv) {
 		if (!skb_make_writable(skb, sizeof(struct iphdr)))
 			return NF_DROP;
 		iph = ipv6_hdr(skb);
 		ipv6_change_dsfield(iph, 0, nv);
 	}
 	return XT_CONTINUE;
 }
 static struct xt_target dscp_tg_reg[] __read_mostly = {
 	{
-		.name		= "DSCP",
+		.name		= "dscp",
 		.family		= NFPROTO_IPV4,
-		.checkentry	= dscp_tg_check,
+		.checkentry	= dscp_mt_check,
-		.target		= dscp_tg,
+		.match		= dscp_mt,
-		.targetsize	= sizeof(struct xt_DSCP_info),
+		.matchsize	= sizeof(struct xt_dscp_info),
 		.table		= "mangle",
 		.me		= THIS_MODULE,
 	},
 	{
-		.name		= "DSCP",
+		.name		= "dscp",
 		.family		= NFPROTO_IPV6,
-		.checkentry	= dscp_tg_check,
+		.checkentry	= dscp_mt_check,
-		.target		= dscp_tg6,
+		.match		= dscp_mt6,
-		.targetsize	= sizeof(struct xt_DSCP_info),
+		.matchsize	= sizeof(struct xt_dscp_info),
 		.table		= "mangle",
 		.me		= THIS_MODULE,
 	},
 	{
-		.name		= "TOS",
+		.name		= "tos",
 		.revision	= 1,
 		.family		= NFPROTO_IPV4,
-		.table		= "mangle",
+		.match		= tos_mt,
-		.target		= tos_tg,
+		.matchsize	= sizeof(struct xt_tos_match_info),
 		.targetsize	= sizeof(struct xt_tos_target_info),
 		.me		= THIS_MODULE,
 	},
 	{
-		.name		= "TOS",
+		.name		= "tos",
 		.revision	= 1,
 		.family		= NFPROTO_IPV6,
-		.table		= "mangle",
+		.match		= tos_mt,
-		.target		= tos_tg6,
+		.matchsize	= sizeof(struct xt_tos_match_info),
 		.targetsize	= sizeof(struct xt_tos_target_info),
 		.me		= THIS_MODULE,
 	},
 };
-static int __init dscp_tg_init(void)
+static int __init dscp_mt_init(void)
 {
-	return xt_register_targets(dscp_tg_reg, ARRAY_SIZE(dscp_tg_reg));
+	return xt_register_matches(dscp_mt_reg, ARRAY_SIZE(dscp_mt_reg));
 }
-static void __exit dscp_tg_exit(void)
+static void __exit dscp_mt_exit(void)
 {
-	xt_unregister_targets(dscp_tg_reg, ARRAY_SIZE(dscp_tg_reg));
+	xt_unregister_matches(dscp_mt_reg, ARRAY_SIZE(dscp_mt_reg));
 }
-module_init(dscp_tg_init);
+module_init(dscp_mt_init);
-module_exit(dscp_tg_exit);
+module_exit(dscp_mt_exit);
--- a/linux-3.0.4/net/netfilter/xt_HL.c
+++ b/linux-3.0.4/net/netfilter/xt_HL.c
@ -1,169 +1,96 @@
 /*
- * TTL modification target for IP tables
+ * IP tables module for matching the value of the TTL
- * (C) 2000,2005 by Harald Welte <laforge@netfilter.org>
+ * (C) 2000,2001 by Harald Welte <laforge@netfilter.org>
 *
- * Hop Limit modification target for ip6tables
+ * Hop Limit matching module
- * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ * (C) 2001-2002 Maciej Soltysiak <solt@dns.toxicfilms.tv>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/ipv6.h>
-#include <net/checksum.h>
+#include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ipt_TTL.h>
+#include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv6/ip6t_HL.h>
+#include <linux/netfilter_ipv6/ip6t_hl.h>
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("Xtables: Hoplimit/TTL Limit field modification target");
+MODULE_DESCRIPTION("Xtables: Hoplimit/TTL field match");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_ttl");
 MODULE_ALIAS("ip6t_hl");
-static unsigned int
+static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
 ttl_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-	struct iphdr *iph;
+	const struct ipt_ttl_info *info = par->matchinfo;
-	const struct ipt_TTL_info *info = par->targinfo;
+	const u8 ttl = ip_hdr(skb)->ttl;
 	int new_ttl;
 	if (!skb_make_writable(skb, skb->len))
 		return NF_DROP;
 	iph = ip_hdr(skb);
 	switch (info->mode) {
-		case IPT_TTL_SET:
+		case IPT_TTL_EQ:
-			new_ttl = info->ttl;
+			return ttl == info->ttl;
-			break;
+		case IPT_TTL_NE:
-		case IPT_TTL_INC:
+			return ttl != info->ttl;
-			new_ttl = iph->ttl + info->ttl;
+		case IPT_TTL_LT:
-			if (new_ttl > 255)
+			return ttl < info->ttl;
-				new_ttl = 255;
+		case IPT_TTL_GT:
-			break;
+			return ttl > info->ttl;
 		case IPT_TTL_DEC:
 			new_ttl = iph->ttl - info->ttl;
 			if (new_ttl < 0)
 				new_ttl = 0;
 			break;
 		default:
 			new_ttl = iph->ttl;
 			break;
 	}
-	if (new_ttl != iph->ttl) {
+	return false;
 		csum_replace2(&iph->check, htons(iph->ttl << 8),
 					   htons(new_ttl << 8));
 		iph->ttl = new_ttl;
 	}
 	return XT_CONTINUE;
 }
-static unsigned int
+static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 hl_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
-	struct ipv6hdr *ip6h;
+	const struct ip6t_hl_info *info = par->matchinfo;
-	const struct ip6t_HL_info *info = par->targinfo;
+	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
 	int new_hl;
 	if (!skb_make_writable(skb, skb->len))
 		return NF_DROP;
 	ip6h = ipv6_hdr(skb);
 	switch (info->mode) {
-		case IP6T_HL_SET:
+		case IP6T_HL_EQ:
-			new_hl = info->hop_limit;
+			return ip6h->hop_limit == info->hop_limit;
-			break;
+		case IP6T_HL_NE:
-		case IP6T_HL_INC:
+			return ip6h->hop_limit != info->hop_limit;
-			new_hl = ip6h->hop_limit + info->hop_limit;
+		case IP6T_HL_LT:
-			if (new_hl > 255)
+			return ip6h->hop_limit < info->hop_limit;
-				new_hl = 255;
+		case IP6T_HL_GT:
-			break;
+			return ip6h->hop_limit > info->hop_limit;
 		case IP6T_HL_DEC:
 			new_hl = ip6h->hop_limit - info->hop_limit;
 			if (new_hl < 0)
 				new_hl = 0;
 			break;
 		default:
 			new_hl = ip6h->hop_limit;
 			break;
 	}
-	ip6h->hop_limit = new_hl;
+	return false;
 	return XT_CONTINUE;
 }
-static int ttl_tg_check(const struct xt_tgchk_param *par)
+static struct xt_match hl_mt_reg[] __read_mostly = {
 {
 	const struct ipt_TTL_info *info = par->targinfo;
 	if (info->mode > IPT_TTL_MAXMODE) {
 		pr_info("TTL: invalid or unknown mode %u\n", info->mode);
 		return -EINVAL;
 	}
 	if (info->mode != IPT_TTL_SET && info->ttl == 0)
 		return -EINVAL;
 	return 0;
 }
 static int hl_tg6_check(const struct xt_tgchk_param *par)
 {
 	const struct ip6t_HL_info *info = par->targinfo;
 	if (info->mode > IP6T_HL_MAXMODE) {
 		pr_info("invalid or unknown mode %u\n", info->mode);
 		return -EINVAL;
 	}
 	if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
 		pr_info("increment/decrement does not "
 			"make sense with value 0\n");
 		return -EINVAL;
 	}
 	return 0;
 }
 static struct xt_target hl_tg_reg[] __read_mostly = {
 	{
-		.name       = "TTL",
+		.name       = "ttl",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.target     = ttl_tg,
+		.match      = ttl_mt,
-		.targetsize = sizeof(struct ipt_TTL_info),
+		.matchsize  = sizeof(struct ipt_ttl_info),
 		.table      = "mangle",
 		.checkentry = ttl_tg_check,
 		.me         = THIS_MODULE,
 	},
 	{
-		.name       = "HL",
+		.name       = "hl",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.target     = hl_tg6,
+		.match      = hl_mt6,
-		.targetsize = sizeof(struct ip6t_HL_info),
+		.matchsize  = sizeof(struct ip6t_hl_info),
 		.table      = "mangle",
 		.checkentry = hl_tg6_check,
 		.me         = THIS_MODULE,
 	},
 };
-static int __init hl_tg_init(void)
+static int __init hl_mt_init(void)
 {
-	return xt_register_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg));
+	return xt_register_matches(hl_mt_reg, ARRAY_SIZE(hl_mt_reg));
 }
-static void __exit hl_tg_exit(void)
+static void __exit hl_mt_exit(void)
 {
-	xt_unregister_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg));
+	xt_unregister_matches(hl_mt_reg, ARRAY_SIZE(hl_mt_reg));
 }
-module_init(hl_tg_init);
+module_init(hl_mt_init);
-module_exit(hl_tg_exit);
+module_exit(hl_mt_exit);
 MODULE_ALIAS("ipt_TTL");
 MODULE_ALIAS("ip6t_HL");
--- a/linux-3.0.4/net/netfilter/xt_RATEEST.c
+++ b/linux-3.0.4/net/netfilter/xt_RATEEST.c
@ -8,194 +8,151 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/gen_stats.h>
 #include <linux/jhash.h>
 #include <linux/rtnetlink.h>
 #include <linux/random.h>
 #include <linux/slab.h>
 #include <net/gen_stats.h>
 #include <net/netlink.h>
 #include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/xt_RATEEST.h>
+#include <linux/netfilter/xt_rateest.h>
 #include <net/netfilter/xt_rateest.h>
 static DEFINE_MUTEX(xt_rateest_mutex);
-#define RATEEST_HSIZE	16
+static bool
-static struct hlist_head rateest_hash[RATEEST_HSIZE] __read_mostly;
+xt_rateest_mt(const struct sk_buff *skb, struct xt_action_param *par)
 static unsigned int jhash_rnd __read_mostly;
 static bool rnd_inited __read_mostly;
 static unsigned int xt_rateest_hash(const char *name)
 {
-	return jhash(name, FIELD_SIZEOF(struct xt_rateest, name), jhash_rnd) &
+	const struct xt_rateest_match_info *info = par->matchinfo;
-	       (RATEEST_HSIZE - 1);
+	struct gnet_stats_rate_est *r;
-}
+	u_int32_t bps1, bps2, pps1, pps2;
 	bool ret = true;
-static void xt_rateest_hash_insert(struct xt_rateest *est)
+	spin_lock_bh(&info->est1->lock);
-{
+	r = &info->est1->rstats;
-	unsigned int h;
+	if (info->flags & XT_RATEEST_MATCH_DELTA) {
 		bps1 = info->bps1 >= r->bps ? info->bps1 - r->bps : 0;
 		pps1 = info->pps1 >= r->pps ? info->pps1 - r->pps : 0;
 	} else {
 		bps1 = r->bps;
 		pps1 = r->pps;
 	}
 	spin_unlock_bh(&info->est1->lock);
-	h = xt_rateest_hash(est->name);
+	if (info->flags & XT_RATEEST_MATCH_ABS) {
-	hlist_add_head(&est->list, &rateest_hash[h]);
+		bps2 = info->bps2;
-}
+		pps2 = info->pps2;
-
+	} else {
-struct xt_rateest *xt_rateest_lookup(const char *name)
+		spin_lock_bh(&info->est2->lock);
-{
+		r = &info->est2->rstats;
-	struct xt_rateest *est;
+		if (info->flags & XT_RATEEST_MATCH_DELTA) {
-	struct hlist_node *n;
+			bps2 = info->bps2 >= r->bps ? info->bps2 - r->bps : 0;
-	unsigned int h;
+			pps2 = info->pps2 >= r->pps ? info->pps2 - r->pps : 0;
-
+		} else {
-	h = xt_rateest_hash(name);
+			bps2 = r->bps;
-	mutex_lock(&xt_rateest_mutex);
+			pps2 = r->pps;
 	hlist_for_each_entry(est, n, &rateest_hash[h], list) {
 		if (strcmp(est->name, name) == 0) {
 			est->refcnt++;
 			mutex_unlock(&xt_rateest_mutex);
 			return est;
 		}
-	}
+		spin_unlock_bh(&info->est2->lock);
 	mutex_unlock(&xt_rateest_mutex);
 	return NULL;
 }
 EXPORT_SYMBOL_GPL(xt_rateest_lookup);
 static void xt_rateest_free_rcu(struct rcu_head *head)
 {
 	kfree(container_of(head, struct xt_rateest, rcu));
 }
 void xt_rateest_put(struct xt_rateest *est)
 {
 	mutex_lock(&xt_rateest_mutex);
 	if (--est->refcnt == 0) {
 		hlist_del(&est->list);
 		gen_kill_estimator(&est->bstats, &est->rstats);
 		/*
 		 * gen_estimator est_timer() might access est->lock or bstats,
 		 * wait a RCU grace period before freeing 'est'
 		 */
 		call_rcu(&est->rcu, xt_rateest_free_rcu);
 	}
 	mutex_unlock(&xt_rateest_mutex);
 }
 EXPORT_SYMBOL_GPL(xt_rateest_put);
 static unsigned int
 xt_rateest_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct xt_rateest_target_info *info = par->targinfo;
 	struct gnet_stats_basic_packed *stats = &info->est->bstats;
 	spin_lock_bh(&info->est->lock);
 	stats->bytes += skb->len;
 	stats->packets++;
 	spin_unlock_bh(&info->est->lock);
 	return XT_CONTINUE;
 }
 static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
 {
 	struct xt_rateest_target_info *info = par->targinfo;
 	struct xt_rateest *est;
 	struct {
 		struct nlattr		opt;
 		struct gnet_estimator	est;
 	} cfg;
 	int ret;
 	if (unlikely(!rnd_inited)) {
 		get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
 		rnd_inited = true;
 	}
-	est = xt_rateest_lookup(info->name);
+	switch (info->mode) {
-	if (est) {
+	case XT_RATEEST_MATCH_LT:
-		/*
+		if (info->flags & XT_RATEEST_MATCH_BPS)
-		 * If estimator parameters are specified, they must match the
+			ret &= bps1 < bps2;
-		 * existing estimator.
+		if (info->flags & XT_RATEEST_MATCH_PPS)
-		 */
+			ret &= pps1 < pps2;
-		if ((!info->interval && !info->ewma_log) ||
+		break;
-		    (info->interval != est->params.interval ||
+	case XT_RATEEST_MATCH_GT:
-		     info->ewma_log != est->params.ewma_log)) {
+		if (info->flags & XT_RATEEST_MATCH_BPS)
-			xt_rateest_put(est);
+			ret &= bps1 > bps2;
-			return -EINVAL;
+		if (info->flags & XT_RATEEST_MATCH_PPS)
-		}
+			ret &= pps1 > pps2;
-		info->est = est;
+		break;
-		return 0;
+	case XT_RATEEST_MATCH_EQ:
 		if (info->flags & XT_RATEEST_MATCH_BPS)
 			ret &= bps1 == bps2;
 		if (info->flags & XT_RATEEST_MATCH_PPS)
 			ret &= pps1 == pps2;
 		break;
 	}
-	ret = -ENOMEM;
+	ret ^= info->flags & XT_RATEEST_MATCH_INVERT ? true : false;
 	est = kzalloc(sizeof(*est), GFP_KERNEL);
 	if (!est)
 		goto err1;
 	strlcpy(est->name, info->name, sizeof(est->name));
 	spin_lock_init(&est->lock);
 	est->refcnt		= 1;
 	est->params.interval	= info->interval;
 	est->params.ewma_log	= info->ewma_log;
 	cfg.opt.nla_len		= nla_attr_size(sizeof(cfg.est));
 	cfg.opt.nla_type	= TCA_STATS_RATE_EST;
 	cfg.est.interval	= info->interval;
 	cfg.est.ewma_log	= info->ewma_log;
 	ret = gen_new_estimator(&est->bstats, &est->rstats,
 				&est->lock, &cfg.opt);
 	if (ret < 0)
 		goto err2;
 	info->est = est;
 	xt_rateest_hash_insert(est);
 	return 0;
 err2:
 	kfree(est);
 err1:
 	return ret;
 }
-static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par)
+static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
 {
-	struct xt_rateest_target_info *info = par->targinfo;
+	struct xt_rateest_match_info *info = par->matchinfo;
 	struct xt_rateest *est1, *est2;
 	int ret = false;
-	xt_rateest_put(info->est);
+	if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
 				     XT_RATEEST_MATCH_REL)) != 1)
 		goto err1;
 	if (!(info->flags & (XT_RATEEST_MATCH_BPS | XT_RATEEST_MATCH_PPS)))
 		goto err1;
 	switch (info->mode) {
 	case XT_RATEEST_MATCH_EQ:
 	case XT_RATEEST_MATCH_LT:
 	case XT_RATEEST_MATCH_GT:
 		break;
 	default:
 		goto err1;
 	}
 	ret  = -ENOENT;
 	est1 = xt_rateest_lookup(info->name1);
 	if (!est1)
 		goto err1;
 	if (info->flags & XT_RATEEST_MATCH_REL) {
 		est2 = xt_rateest_lookup(info->name2);
 		if (!est2)
 			goto err2;
 	} else
 		est2 = NULL;
 	info->est1 = est1;
 	info->est2 = est2;
 	return 0;
 err2:
 	xt_rateest_put(est1);
 err1:
 	return -EINVAL;
 }
-static struct xt_target xt_rateest_tg_reg __read_mostly = {
+static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)
-	.name       = "RATEEST",
+{
 	struct xt_rateest_match_info *info = par->matchinfo;
 	xt_rateest_put(info->est1);
 	if (info->est2)
 		xt_rateest_put(info->est2);
 }
 static struct xt_match xt_rateest_mt_reg __read_mostly = {
 	.name       = "rateest",
 	.revision   = 0,
 	.family     = NFPROTO_UNSPEC,
-	.target     = xt_rateest_tg,
+	.match      = xt_rateest_mt,
-	.checkentry = xt_rateest_tg_checkentry,
+	.checkentry = xt_rateest_mt_checkentry,
-	.destroy    = xt_rateest_tg_destroy,
+	.destroy    = xt_rateest_mt_destroy,
-	.targetsize = sizeof(struct xt_rateest_target_info),
+	.matchsize  = sizeof(struct xt_rateest_match_info),
 	.me         = THIS_MODULE,
 };
-static int __init xt_rateest_tg_init(void)
+static int __init xt_rateest_mt_init(void)
 {
-	unsigned int i;
+	return xt_register_match(&xt_rateest_mt_reg);
 	for (i = 0; i < ARRAY_SIZE(rateest_hash); i++)
 		INIT_HLIST_HEAD(&rateest_hash[i]);
 	return xt_register_target(&xt_rateest_tg_reg);
 }
-static void __exit xt_rateest_tg_fini(void)
+static void __exit xt_rateest_mt_fini(void)
 {
-	xt_unregister_target(&xt_rateest_tg_reg);
+	xt_unregister_match(&xt_rateest_mt_reg);
 	rcu_barrier(); /* Wait for completion of call_rcu()'s (xt_rateest_free_rcu) */
 }
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("Xtables: packet rate estimator");
+MODULE_DESCRIPTION("xtables rate estimator match");
-MODULE_ALIAS("ipt_RATEEST");
+MODULE_ALIAS("ipt_rateest");
-MODULE_ALIAS("ip6t_RATEEST");
+MODULE_ALIAS("ip6t_rateest");
-module_init(xt_rateest_tg_init);
+module_init(xt_rateest_mt_init);
-module_exit(xt_rateest_tg_fini);
+module_exit(xt_rateest_mt_fini);
--- a/linux-3.0.4/net/netfilter/xt_TCPMSS.c
+++ b/linux-3.0.4/net/netfilter/xt_TCPMSS.c
@ -1,319 +1,110 @@
-/*
+/* Kernel module to match TCP MSS values. */
- * This is a module which is used for setting the MSS option in TCP packets.
+
- *
+/* Copyright (C) 2000 Marc Boucher <marc@mbsi.ca>
- * Copyright (C) 2000 Marc Boucher <marc@mbsi.ca>
+ * Portions (C) 2005 by Harald Welte <laforge@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/gfp.h>
 #include <linux/ipv6.h>
 #include <linux/tcp.h>
 #include <net/dst.h>
 #include <net/flow.h>
 #include <net/ipv6.h>
 #include <net/route.h>
 #include <net/tcp.h>
 #include <linux/netfilter/xt_tcpmss.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_tcpudp.h>
 #include <linux/netfilter/xt_TCPMSS.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment");
+MODULE_DESCRIPTION("Xtables: TCP MSS match");
-MODULE_ALIAS("ipt_TCPMSS");
+MODULE_ALIAS("ipt_tcpmss");
-MODULE_ALIAS("ip6t_TCPMSS");
+MODULE_ALIAS("ip6t_tcpmss");
-static inline unsigned int
+static bool
-optlen(const u_int8_t *opt, unsigned int offset)
+tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
-	/* Beware zero-length options: make finite progress */
+	const struct xt_tcpmss_match_info *info = par->matchinfo;
-	if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
+	const struct tcphdr *th;
-		return 1;
+	struct tcphdr _tcph;
-	else
+	/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
-		return opt[offset+1];
+	const u_int8_t *op;
-}
+	u8 _opt[15 * 4 - sizeof(_tcph)];
 	unsigned int i, optlen;
-static int
+	/* If we don't have the whole header, drop packet. */
-tcpmss_mangle_packet(struct sk_buff *skb,
+	th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
-		     const struct xt_tcpmss_info *info,
+	if (th == NULL)
-		     unsigned int in_mtu,
+		goto dropit;
 		     unsigned int tcphoff,
 		     unsigned int minlen)
 {
 	struct tcphdr *tcph;
 	unsigned int tcplen, i;
 	__be16 oldval;
 	u16 newmss;
 	u8 *opt;
-	if (!skb_make_writable(skb, skb->len))
+	/* Malformed. */
-		return -1;
+	if (th->doff*4 < sizeof(*th))
 		goto dropit;
-	tcplen = skb->len - tcphoff;
+	optlen = th->doff*4 - sizeof(*th);
-	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+	if (!optlen)
 		goto out;
-	/* Header cannot be larger than the packet */
+	/* Truncated options. */
-	if (tcplen < tcph->doff*4)
+	op = skb_header_pointer(skb, par->thoff + sizeof(*th), optlen, _opt);
-		return -1;
+	if (op == NULL)
 		goto dropit;
-	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
+	for (i = 0; i < optlen; ) {
-		if (dst_mtu(skb_dst(skb)) <= minlen) {
+		if (op[i] == TCPOPT_MSS
-			if (net_ratelimit())
+		    && (optlen - i) >= TCPOLEN_MSS
-				pr_err("unknown or invalid path-MTU (%u)\n",
+		    && op[i+1] == TCPOLEN_MSS) {
-				       dst_mtu(skb_dst(skb)));
+			u_int16_t mssval;
-			return -1;
+
-		}
+			mssval = (op[i+2] << 8) | op[i+3];
-		if (in_mtu <= minlen) {
+
-			if (net_ratelimit())
+			return (mssval >= info->mss_min &&
-				pr_err("unknown or invalid path-MTU (%u)\n",
+				mssval <= info->mss_max) ^ info->invert;
 				       in_mtu);
 			return -1;
 		}
 		newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen;
 	} else
 		newmss = info->mss;
 	opt = (u_int8_t *)tcph;
 	for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
 		if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
 		    opt[i+1] == TCPOLEN_MSS) {
 			u_int16_t oldmss;
 			oldmss = (opt[i+2] << 8) | opt[i+3];
 			/* Never increase MSS, even when setting it, as
 			 * doing so results in problems for hosts that rely
 			 * on MSS being set correctly.
 			 */
 			if (oldmss <= newmss)
 				return 0;
 			opt[i+2] = (newmss & 0xff00) >> 8;
 			opt[i+3] = newmss & 0x00ff;
 			inet_proto_csum_replace2(&tcph->check, skb,
 						 htons(oldmss), htons(newmss),
 						 0);
 			return 0;
 		}
 		if (op[i] < 2)
 			i++;
 		else
 			i += op[i+1] ? : 1;
 	}
 out:
 	return info->invert;
-	/* There is data after the header so the option can't be added
+dropit:
-	   without moving it, and doing so may make the SYN packet
+	par->hotdrop = true;
 	   itself too large. Accept the packet unmodified instead. */
 	if (tcplen > tcph->doff*4)
 		return 0;
 	/*
 	 * MSS Option not found ?! add it..
 	 */
 	if (skb_tailroom(skb) < TCPOLEN_MSS) {
 		if (pskb_expand_head(skb, 0,
 				     TCPOLEN_MSS - skb_tailroom(skb),
 				     GFP_ATOMIC))
 			return -1;
 		tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
 	}
 	skb_put(skb, TCPOLEN_MSS);
 	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
 	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
 	inet_proto_csum_replace2(&tcph->check, skb,
 				 htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
 	opt[0] = TCPOPT_MSS;
 	opt[1] = TCPOLEN_MSS;
 	opt[2] = (newmss & 0xff00) >> 8;
 	opt[3] = newmss & 0x00ff;
 	inet_proto_csum_replace4(&tcph->check, skb, 0, *((__be32 *)opt), 0);
 	oldval = ((__be16 *)tcph)[6];
 	tcph->doff += TCPOLEN_MSS/4;
 	inet_proto_csum_replace2(&tcph->check, skb,
 				 oldval, ((__be16 *)tcph)[6], 0);
 	return TCPOLEN_MSS;
 }
 static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
 				    unsigned int family)
 {
 	struct flowi fl;
 	const struct nf_afinfo *ai;
 	struct rtable *rt = NULL;
 	u_int32_t mtu     = ~0U;
 	if (family == PF_INET) {
 		struct flowi4 *fl4 = &fl.u.ip4;
 		memset(fl4, 0, sizeof(*fl4));
 		fl4->daddr = ip_hdr(skb)->saddr;
 	} else {
 		struct flowi6 *fl6 = &fl.u.ip6;
 		memset(fl6, 0, sizeof(*fl6));
 		ipv6_addr_copy(&fl6->daddr, &ipv6_hdr(skb)->saddr);
 	}
 	rcu_read_lock();
 	ai = nf_get_afinfo(family);
 	if (ai != NULL)
 		ai->route(&init_net, (struct dst_entry **)&rt, &fl, false);
 	rcu_read_unlock();
 	if (rt != NULL) {
 		mtu = dst_mtu(&rt->dst);
 		dst_release(&rt->dst);
 	}
 	return mtu;
 }
 static unsigned int
 tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	struct iphdr *iph = ip_hdr(skb);
 	__be16 newlen;
 	int ret;
 	ret = tcpmss_mangle_packet(skb, par->targinfo,
 				   tcpmss_reverse_mtu(skb, PF_INET),
 				   iph->ihl * 4,
 				   sizeof(*iph) + sizeof(struct tcphdr));
 	if (ret < 0)
 		return NF_DROP;
 	if (ret > 0) {
 		iph = ip_hdr(skb);
 		newlen = htons(ntohs(iph->tot_len) + ret);
 		csum_replace2(&iph->check, iph->tot_len, newlen);
 		iph->tot_len = newlen;
 	}
 	return XT_CONTINUE;
 }
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 static unsigned int
 tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	struct ipv6hdr *ipv6h = ipv6_hdr(skb);
 	u8 nexthdr;
 	int tcphoff;
 	int ret;
 	nexthdr = ipv6h->nexthdr;
 	tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr);
 	if (tcphoff < 0)
 		return NF_DROP;
 	ret = tcpmss_mangle_packet(skb, par->targinfo,
 				   tcpmss_reverse_mtu(skb, PF_INET6),
 				   tcphoff,
 				   sizeof(*ipv6h) + sizeof(struct tcphdr));
 	if (ret < 0)
 		return NF_DROP;
 	if (ret > 0) {
 		ipv6h = ipv6_hdr(skb);
 		ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) + ret);
 	}
 	return XT_CONTINUE;
 }
 #endif
 /* Must specify -p tcp --syn */
 static inline bool find_syn_match(const struct xt_entry_match *m)
 {
 	const struct xt_tcp *tcpinfo = (const struct xt_tcp *)m->data;
 	if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
 	    tcpinfo->flg_cmp & TCPHDR_SYN &&
 	    !(tcpinfo->invflags & XT_TCP_INV_FLAGS))
 		return true;
 	return false;
 }
-static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
+static struct xt_match tcpmss_mt_reg[] __read_mostly = {
 {
 	const struct xt_tcpmss_info *info = par->targinfo;
 	const struct ipt_entry *e = par->entryinfo;
 	const struct xt_entry_match *ematch;
 	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
 	    (par->hook_mask & ~((1 << NF_INET_FORWARD) |
 			   (1 << NF_INET_LOCAL_OUT) |
 			   (1 << NF_INET_POST_ROUTING))) != 0) {
 		pr_info("path-MTU clamping only supported in "
 			"FORWARD, OUTPUT and POSTROUTING hooks\n");
 		return -EINVAL;
 	}
 	xt_ematch_foreach(ematch, e)
 		if (find_syn_match(ematch))
 			return 0;
 	pr_info("Only works on TCP SYN packets\n");
 	return -EINVAL;
 }
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_tcpmss_info *info = par->targinfo;
 	const struct ip6t_entry *e = par->entryinfo;
 	const struct xt_entry_match *ematch;
 	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
 	    (par->hook_mask & ~((1 << NF_INET_FORWARD) |
 			   (1 << NF_INET_LOCAL_OUT) |
 			   (1 << NF_INET_POST_ROUTING))) != 0) {
 		pr_info("path-MTU clamping only supported in "
 			"FORWARD, OUTPUT and POSTROUTING hooks\n");
 		return -EINVAL;
 	}
 	xt_ematch_foreach(ematch, e)
 		if (find_syn_match(ematch))
 			return 0;
 	pr_info("Only works on TCP SYN packets\n");
 	return -EINVAL;
 }
 #endif
 static struct xt_target tcpmss_tg_reg[] __read_mostly = {
 	{
 		.name		= "tcpmss",
 		.family		= NFPROTO_IPV4,
-		.name		= "TCPMSS",
+		.match		= tcpmss_mt,
-		.checkentry	= tcpmss_tg4_check,
+		.matchsize	= sizeof(struct xt_tcpmss_match_info),
 		.target		= tcpmss_tg4,
 		.targetsize	= sizeof(struct xt_tcpmss_info),
 		.proto		= IPPROTO_TCP,
 		.me		= THIS_MODULE,
 	},
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 	{
 		.name		= "tcpmss",
 		.family		= NFPROTO_IPV6,
-		.name		= "TCPMSS",
+		.match		= tcpmss_mt,
-		.checkentry	= tcpmss_tg6_check,
+		.matchsize	= sizeof(struct xt_tcpmss_match_info),
 		.target		= tcpmss_tg6,
 		.targetsize	= sizeof(struct xt_tcpmss_info),
 		.proto		= IPPROTO_TCP,
 		.me		= THIS_MODULE,
 	},
 #endif
 };
-static int __init tcpmss_tg_init(void)
+static int __init tcpmss_mt_init(void)
 {
-	return xt_register_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
+	return xt_register_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg));
 }
-static void __exit tcpmss_tg_exit(void)
+static void __exit tcpmss_mt_exit(void)
 {
-	xt_unregister_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
+	xt_unregister_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg));
 }
-module_init(tcpmss_tg_init);
+module_init(tcpmss_mt_init);
-module_exit(tcpmss_tg_exit);
+module_exit(tcpmss_mt_exit);
Author	SHA1	Message	Date
cgy	f39cf4183f	加了空格试试	2024-12-31 15:11:17 +08:00
cgy	f40b6c4f9f	only check out no any change	2024-12-31 10:13:36 +08:00