From af7f07c46cb21258940e1a3395fec858ff7e0e08 Mon Sep 17 00:00:00 2001 From: oceanfly Date: Thu, 3 Sep 2015 21:24:16 -0400 Subject: [PATCH] latest latest --- include/uapi/linux/netfilter/xt_CONNMARK.h | 6 - include/uapi/linux/netfilter/xt_MARK.h | 6 - include/uapi/linux/netfilter/xt_dscp.h | 31 ---- include/uapi/linux/netfilter/xt_rateest.h | 37 ----- include/uapi/linux/netfilter/xt_tcpmss.h | 11 -- include/uapi/linux/netfilter_ipv4/ipt_ECN.h | 33 ---- include/uapi/linux/netfilter_ipv4/ipt_TTL.h | 23 --- include/uapi/linux/netfilter_ipv6/ip6t_hl.h | 24 --- net/netfilter/xt_HL.c | 169 -------------------- net/netfilter/xt_dscp.c | 115 ------------- net/netfilter/xt_rateest.c | 157 ------------------ net/netfilter/xt_tcpmss.c | 110 ------------- 12 files changed, 722 deletions(-) delete mode 100644 include/uapi/linux/netfilter/xt_CONNMARK.h delete mode 100644 include/uapi/linux/netfilter/xt_MARK.h delete mode 100644 include/uapi/linux/netfilter/xt_dscp.h delete mode 100644 include/uapi/linux/netfilter/xt_rateest.h delete mode 100644 include/uapi/linux/netfilter/xt_tcpmss.h delete mode 100644 include/uapi/linux/netfilter_ipv4/ipt_ECN.h delete mode 100644 include/uapi/linux/netfilter_ipv4/ipt_TTL.h delete mode 100644 include/uapi/linux/netfilter_ipv6/ip6t_hl.h delete mode 100644 net/netfilter/xt_HL.c delete mode 100644 net/netfilter/xt_dscp.c delete mode 100644 net/netfilter/xt_rateest.c delete mode 100644 net/netfilter/xt_tcpmss.c diff --git a/include/uapi/linux/netfilter/xt_CONNMARK.h b/include/uapi/linux/netfilter/xt_CONNMARK.h deleted file mode 100644 index 2f2e48ec80238a..00000000000000 --- a/include/uapi/linux/netfilter/xt_CONNMARK.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifndef _XT_CONNMARK_H_target -#define _XT_CONNMARK_H_target - -#include - -#endif /*_XT_CONNMARK_H_target*/ diff --git a/include/uapi/linux/netfilter/xt_MARK.h b/include/uapi/linux/netfilter/xt_MARK.h deleted file mode 100644 index 41c456deba222e..00000000000000 --- a/include/uapi/linux/netfilter/xt_MARK.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifndef _XT_MARK_H_target -#define _XT_MARK_H_target - -#include - -#endif /*_XT_MARK_H_target */ diff --git a/include/uapi/linux/netfilter/xt_dscp.h b/include/uapi/linux/netfilter/xt_dscp.h deleted file mode 100644 index 15f8932ad5ce64..00000000000000 --- a/include/uapi/linux/netfilter/xt_dscp.h +++ /dev/null @@ -1,31 +0,0 @@ -/* x_tables module for matching the IPv4/IPv6 DSCP field - * - * (C) 2002 Harald Welte - * This software is distributed under GNU GPL v2, 1991 - * - * See RFC2474 for a description of the DSCP field within the IP Header. - * - * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp -*/ -#ifndef _XT_DSCP_H -#define _XT_DSCP_H - -#include - -#define XT_DSCP_MASK 0xfc /* 11111100 */ -#define XT_DSCP_SHIFT 2 -#define XT_DSCP_MAX 0x3f /* 00111111 */ - -/* match info */ -struct xt_dscp_info { - __u8 dscp; - __u8 invert; -}; - -struct xt_tos_match_info { - __u8 tos_mask; - __u8 tos_value; - __u8 invert; -}; - -#endif /* _XT_DSCP_H */ diff --git a/include/uapi/linux/netfilter/xt_rateest.h b/include/uapi/linux/netfilter/xt_rateest.h deleted file mode 100644 index d40a6196842ab3..00000000000000 --- a/include/uapi/linux/netfilter/xt_rateest.h +++ /dev/null @@ -1,37 +0,0 @@ -#ifndef _XT_RATEEST_MATCH_H -#define _XT_RATEEST_MATCH_H - -#include - -enum xt_rateest_match_flags { - XT_RATEEST_MATCH_INVERT = 1<<0, - XT_RATEEST_MATCH_ABS = 1<<1, - XT_RATEEST_MATCH_REL = 1<<2, - XT_RATEEST_MATCH_DELTA = 1<<3, - XT_RATEEST_MATCH_BPS = 1<<4, - XT_RATEEST_MATCH_PPS = 1<<5, -}; - -enum xt_rateest_match_mode { - XT_RATEEST_MATCH_NONE, - XT_RATEEST_MATCH_EQ, - XT_RATEEST_MATCH_LT, - XT_RATEEST_MATCH_GT, -}; - -struct xt_rateest_match_info { - char name1[IFNAMSIZ]; - char name2[IFNAMSIZ]; - __u16 flags; - __u16 mode; - __u32 bps1; - __u32 pps1; - __u32 bps2; - __u32 pps2; - - /* Used internally by the kernel */ - struct xt_rateest *est1 __attribute__((aligned(8))); - struct xt_rateest *est2 __attribute__((aligned(8))); -}; - -#endif /* _XT_RATEEST_MATCH_H */ diff --git a/include/uapi/linux/netfilter/xt_tcpmss.h b/include/uapi/linux/netfilter/xt_tcpmss.h deleted file mode 100644 index fbac56b9e667ec..00000000000000 --- a/include/uapi/linux/netfilter/xt_tcpmss.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef _XT_TCPMSS_MATCH_H -#define _XT_TCPMSS_MATCH_H - -#include - -struct xt_tcpmss_match_info { - __u16 mss_min, mss_max; - __u8 invert; -}; - -#endif /*_XT_TCPMSS_MATCH_H*/ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ECN.h b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h deleted file mode 100644 index bb88d5315a4dd7..00000000000000 --- a/include/uapi/linux/netfilter_ipv4/ipt_ECN.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Header file for iptables ipt_ECN target - * - * (C) 2002 by Harald Welte - * - * This software is distributed under GNU GPL v2, 1991 - * - * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp -*/ -#ifndef _IPT_ECN_TARGET_H -#define _IPT_ECN_TARGET_H - -#include -#include - -#define IPT_ECN_IP_MASK (~XT_DSCP_MASK) - -#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */ -#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */ -#define IPT_ECN_OP_SET_CWR 0x20 /* set CWR bit of TCP header */ - -#define IPT_ECN_OP_MASK 0xce - -struct ipt_ECN_info { - __u8 operation; /* bitset of operations */ - __u8 ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */ - union { - struct { - __u8 ece:1, cwr:1; /* TCP ECT bits */ - } tcp; - } proto; -}; - -#endif /* _IPT_ECN_TARGET_H */ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_TTL.h b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h deleted file mode 100644 index f6ac169d92f9bb..00000000000000 --- a/include/uapi/linux/netfilter_ipv4/ipt_TTL.h +++ /dev/null @@ -1,23 +0,0 @@ -/* TTL modification module for IP tables - * (C) 2000 by Harald Welte */ - -#ifndef _IPT_TTL_H -#define _IPT_TTL_H - -#include - -enum { - IPT_TTL_SET = 0, - IPT_TTL_INC, - IPT_TTL_DEC -}; - -#define IPT_TTL_MAXMODE IPT_TTL_DEC - -struct ipt_TTL_info { - __u8 mode; - __u8 ttl; -}; - - -#endif diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_hl.h b/include/uapi/linux/netfilter_ipv6/ip6t_hl.h deleted file mode 100644 index 6e76dbc6c19aa0..00000000000000 --- a/include/uapi/linux/netfilter_ipv6/ip6t_hl.h +++ /dev/null @@ -1,24 +0,0 @@ -/* ip6tables module for matching the Hop Limit value - * Maciej Soltysiak - * Based on HW's ttl module */ - -#ifndef _IP6T_HL_H -#define _IP6T_HL_H - -#include - -enum { - IP6T_HL_EQ = 0, /* equals */ - IP6T_HL_NE, /* not equals */ - IP6T_HL_LT, /* less than */ - IP6T_HL_GT, /* greater than */ -}; - - -struct ip6t_hl_info { - __u8 mode; - __u8 hop_limit; -}; - - -#endif diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c deleted file mode 100644 index 1535e87ed9bd4f..00000000000000 --- a/net/netfilter/xt_HL.c +++ /dev/null @@ -1,169 +0,0 @@ -/* - * TTL modification target for IP tables - * (C) 2000,2005 by Harald Welte - * - * Hop Limit modification target for ip6tables - * Maciej Soltysiak - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - */ -#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -#include -#include -#include -#include -#include - -#include -#include -#include - -MODULE_AUTHOR("Harald Welte "); -MODULE_AUTHOR("Maciej Soltysiak "); -MODULE_DESCRIPTION("Xtables: Hoplimit/TTL Limit field modification target"); -MODULE_LICENSE("GPL"); - -static unsigned int -ttl_tg(struct sk_buff *skb, const struct xt_action_param *par) -{ - struct iphdr *iph; - const struct ipt_TTL_info *info = par->targinfo; - int new_ttl; - - if (!skb_make_writable(skb, skb->len)) - return NF_DROP; - - iph = ip_hdr(skb); - - switch (info->mode) { - case IPT_TTL_SET: - new_ttl = info->ttl; - break; - case IPT_TTL_INC: - new_ttl = iph->ttl + info->ttl; - if (new_ttl > 255) - new_ttl = 255; - break; - case IPT_TTL_DEC: - new_ttl = iph->ttl - info->ttl; - if (new_ttl < 0) - new_ttl = 0; - break; - default: - new_ttl = iph->ttl; - break; - } - - if (new_ttl != iph->ttl) { - csum_replace2(&iph->check, htons(iph->ttl << 8), - htons(new_ttl << 8)); - iph->ttl = new_ttl; - } - - return XT_CONTINUE; -} - -static unsigned int -hl_tg6(struct sk_buff *skb, const struct xt_action_param *par) -{ - struct ipv6hdr *ip6h; - const struct ip6t_HL_info *info = par->targinfo; - int new_hl; - - if (!skb_make_writable(skb, skb->len)) - return NF_DROP; - - ip6h = ipv6_hdr(skb); - - switch (info->mode) { - case IP6T_HL_SET: - new_hl = info->hop_limit; - break; - case IP6T_HL_INC: - new_hl = ip6h->hop_limit + info->hop_limit; - if (new_hl > 255) - new_hl = 255; - break; - case IP6T_HL_DEC: - new_hl = ip6h->hop_limit - info->hop_limit; - if (new_hl < 0) - new_hl = 0; - break; - default: - new_hl = ip6h->hop_limit; - break; - } - - ip6h->hop_limit = new_hl; - - return XT_CONTINUE; -} - -static int ttl_tg_check(const struct xt_tgchk_param *par) -{ - const struct ipt_TTL_info *info = par->targinfo; - - if (info->mode > IPT_TTL_MAXMODE) { - pr_info("TTL: invalid or unknown mode %u\n", info->mode); - return -EINVAL; - } - if (info->mode != IPT_TTL_SET && info->ttl == 0) - return -EINVAL; - return 0; -} - -static int hl_tg6_check(const struct xt_tgchk_param *par) -{ - const struct ip6t_HL_info *info = par->targinfo; - - if (info->mode > IP6T_HL_MAXMODE) { - pr_info("invalid or unknown mode %u\n", info->mode); - return -EINVAL; - } - if (info->mode != IP6T_HL_SET && info->hop_limit == 0) { - pr_info("increment/decrement does not " - "make sense with value 0\n"); - return -EINVAL; - } - return 0; -} - -static struct xt_target hl_tg_reg[] __read_mostly = { - { - .name = "TTL", - .revision = 0, - .family = NFPROTO_IPV4, - .target = ttl_tg, - .targetsize = sizeof(struct ipt_TTL_info), - .table = "mangle", - .checkentry = ttl_tg_check, - .me = THIS_MODULE, - }, - { - .name = "HL", - .revision = 0, - .family = NFPROTO_IPV6, - .target = hl_tg6, - .targetsize = sizeof(struct ip6t_HL_info), - .table = "mangle", - .checkentry = hl_tg6_check, - .me = THIS_MODULE, - }, -}; - -static int __init hl_tg_init(void) -{ - return xt_register_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); -} - -static void __exit hl_tg_exit(void) -{ - xt_unregister_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); -} - -module_init(hl_tg_init); -module_exit(hl_tg_exit); -MODULE_ALIAS("ipt_TTL"); -MODULE_ALIAS("ip6t_HL"); diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c deleted file mode 100644 index 64670fc5d0e1a5..00000000000000 --- a/net/netfilter/xt_dscp.c +++ /dev/null @@ -1,115 +0,0 @@ -/* IP tables module for matching the value of the IPv4/IPv6 DSCP field - * - * (C) 2002 by Harald Welte - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - */ -#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -#include -#include -#include -#include -#include - -#include -#include - -MODULE_AUTHOR("Harald Welte "); -MODULE_DESCRIPTION("Xtables: DSCP/TOS field match"); -MODULE_LICENSE("GPL"); -MODULE_ALIAS("ipt_dscp"); -MODULE_ALIAS("ip6t_dscp"); -MODULE_ALIAS("ipt_tos"); -MODULE_ALIAS("ip6t_tos"); - -static bool -dscp_mt(const struct sk_buff *skb, struct xt_action_param *par) -{ - const struct xt_dscp_info *info = par->matchinfo; - u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; - - return (dscp == info->dscp) ^ !!info->invert; -} - -static bool -dscp_mt6(const struct sk_buff *skb, struct xt_action_param *par) -{ - const struct xt_dscp_info *info = par->matchinfo; - u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; - - return (dscp == info->dscp) ^ !!info->invert; -} - -static int dscp_mt_check(const struct xt_mtchk_param *par) -{ - const struct xt_dscp_info *info = par->matchinfo; - - if (info->dscp > XT_DSCP_MAX) { - pr_info("dscp %x out of range\n", info->dscp); - return -EDOM; - } - - return 0; -} - -static bool tos_mt(const struct sk_buff *skb, struct xt_action_param *par) -{ - const struct xt_tos_match_info *info = par->matchinfo; - - if (par->family == NFPROTO_IPV4) - return ((ip_hdr(skb)->tos & info->tos_mask) == - info->tos_value) ^ !!info->invert; - else - return ((ipv6_get_dsfield(ipv6_hdr(skb)) & info->tos_mask) == - info->tos_value) ^ !!info->invert; -} - -static struct xt_match dscp_mt_reg[] __read_mostly = { - { - .name = "dscp", - .family = NFPROTO_IPV4, - .checkentry = dscp_mt_check, - .match = dscp_mt, - .matchsize = sizeof(struct xt_dscp_info), - .me = THIS_MODULE, - }, - { - .name = "dscp", - .family = NFPROTO_IPV6, - .checkentry = dscp_mt_check, - .match = dscp_mt6, - .matchsize = sizeof(struct xt_dscp_info), - .me = THIS_MODULE, - }, - { - .name = "tos", - .revision = 1, - .family = NFPROTO_IPV4, - .match = tos_mt, - .matchsize = sizeof(struct xt_tos_match_info), - .me = THIS_MODULE, - }, - { - .name = "tos", - .revision = 1, - .family = NFPROTO_IPV6, - .match = tos_mt, - .matchsize = sizeof(struct xt_tos_match_info), - .me = THIS_MODULE, - }, -}; - -static int __init dscp_mt_init(void) -{ - return xt_register_matches(dscp_mt_reg, ARRAY_SIZE(dscp_mt_reg)); -} - -static void __exit dscp_mt_exit(void) -{ - xt_unregister_matches(dscp_mt_reg, ARRAY_SIZE(dscp_mt_reg)); -} - -module_init(dscp_mt_init); -module_exit(dscp_mt_exit); diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c deleted file mode 100644 index 7720b036d76a84..00000000000000 --- a/net/netfilter/xt_rateest.c +++ /dev/null @@ -1,157 +0,0 @@ -/* - * (C) 2007 Patrick McHardy - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - */ -#include -#include -#include - -#include -#include -#include - - -static bool -xt_rateest_mt(const struct sk_buff *skb, struct xt_action_param *par) -{ - const struct xt_rateest_match_info *info = par->matchinfo; - struct gnet_stats_rate_est64 *r; - u_int32_t bps1, bps2, pps1, pps2; - bool ret = true; - - spin_lock_bh(&info->est1->lock); - r = &info->est1->rstats; - if (info->flags & XT_RATEEST_MATCH_DELTA) { - bps1 = info->bps1 >= r->bps ? info->bps1 - r->bps : 0; - pps1 = info->pps1 >= r->pps ? info->pps1 - r->pps : 0; - } else { - bps1 = r->bps; - pps1 = r->pps; - } - spin_unlock_bh(&info->est1->lock); - - if (info->flags & XT_RATEEST_MATCH_ABS) { - bps2 = info->bps2; - pps2 = info->pps2; - } else { - spin_lock_bh(&info->est2->lock); - r = &info->est2->rstats; - if (info->flags & XT_RATEEST_MATCH_DELTA) { - bps2 = info->bps2 >= r->bps ? info->bps2 - r->bps : 0; - pps2 = info->pps2 >= r->pps ? info->pps2 - r->pps : 0; - } else { - bps2 = r->bps; - pps2 = r->pps; - } - spin_unlock_bh(&info->est2->lock); - } - - switch (info->mode) { - case XT_RATEEST_MATCH_LT: - if (info->flags & XT_RATEEST_MATCH_BPS) - ret &= bps1 < bps2; - if (info->flags & XT_RATEEST_MATCH_PPS) - ret &= pps1 < pps2; - break; - case XT_RATEEST_MATCH_GT: - if (info->flags & XT_RATEEST_MATCH_BPS) - ret &= bps1 > bps2; - if (info->flags & XT_RATEEST_MATCH_PPS) - ret &= pps1 > pps2; - break; - case XT_RATEEST_MATCH_EQ: - if (info->flags & XT_RATEEST_MATCH_BPS) - ret &= bps1 == bps2; - if (info->flags & XT_RATEEST_MATCH_PPS) - ret &= pps1 == pps2; - break; - } - - ret ^= info->flags & XT_RATEEST_MATCH_INVERT ? true : false; - return ret; -} - -static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) -{ - struct xt_rateest_match_info *info = par->matchinfo; - struct xt_rateest *est1, *est2; - int ret = -EINVAL; - - if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS | - XT_RATEEST_MATCH_REL)) != 1) - goto err1; - - if (!(info->flags & (XT_RATEEST_MATCH_BPS | XT_RATEEST_MATCH_PPS))) - goto err1; - - switch (info->mode) { - case XT_RATEEST_MATCH_EQ: - case XT_RATEEST_MATCH_LT: - case XT_RATEEST_MATCH_GT: - break; - default: - goto err1; - } - - ret = -ENOENT; - est1 = xt_rateest_lookup(info->name1); - if (!est1) - goto err1; - - est2 = NULL; - if (info->flags & XT_RATEEST_MATCH_REL) { - est2 = xt_rateest_lookup(info->name2); - if (!est2) - goto err2; - } - - info->est1 = est1; - info->est2 = est2; - return 0; - -err2: - xt_rateest_put(est1); -err1: - return ret; -} - -static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par) -{ - struct xt_rateest_match_info *info = par->matchinfo; - - xt_rateest_put(info->est1); - if (info->est2) - xt_rateest_put(info->est2); -} - -static struct xt_match xt_rateest_mt_reg __read_mostly = { - .name = "rateest", - .revision = 0, - .family = NFPROTO_UNSPEC, - .match = xt_rateest_mt, - .checkentry = xt_rateest_mt_checkentry, - .destroy = xt_rateest_mt_destroy, - .matchsize = sizeof(struct xt_rateest_match_info), - .me = THIS_MODULE, -}; - -static int __init xt_rateest_mt_init(void) -{ - return xt_register_match(&xt_rateest_mt_reg); -} - -static void __exit xt_rateest_mt_fini(void) -{ - xt_unregister_match(&xt_rateest_mt_reg); -} - -MODULE_AUTHOR("Patrick McHardy "); -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("xtables rate estimator match"); -MODULE_ALIAS("ipt_rateest"); -MODULE_ALIAS("ip6t_rateest"); -module_init(xt_rateest_mt_init); -module_exit(xt_rateest_mt_fini); diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c deleted file mode 100644 index c53d4d18eadf71..00000000000000 --- a/net/netfilter/xt_tcpmss.c +++ /dev/null @@ -1,110 +0,0 @@ -/* Kernel module to match TCP MSS values. */ - -/* Copyright (C) 2000 Marc Boucher - * Portions (C) 2005 by Harald Welte - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - */ - -#include -#include -#include - -#include -#include - -#include -#include - -MODULE_LICENSE("GPL"); -MODULE_AUTHOR("Marc Boucher "); -MODULE_DESCRIPTION("Xtables: TCP MSS match"); -MODULE_ALIAS("ipt_tcpmss"); -MODULE_ALIAS("ip6t_tcpmss"); - -static bool -tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par) -{ - const struct xt_tcpmss_match_info *info = par->matchinfo; - const struct tcphdr *th; - struct tcphdr _tcph; - /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ - const u_int8_t *op; - u8 _opt[15 * 4 - sizeof(_tcph)]; - unsigned int i, optlen; - - /* If we don't have the whole header, drop packet. */ - th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph); - if (th == NULL) - goto dropit; - - /* Malformed. */ - if (th->doff*4 < sizeof(*th)) - goto dropit; - - optlen = th->doff*4 - sizeof(*th); - if (!optlen) - goto out; - - /* Truncated options. */ - op = skb_header_pointer(skb, par->thoff + sizeof(*th), optlen, _opt); - if (op == NULL) - goto dropit; - - for (i = 0; i < optlen; ) { - if (op[i] == TCPOPT_MSS - && (optlen - i) >= TCPOLEN_MSS - && op[i+1] == TCPOLEN_MSS) { - u_int16_t mssval; - - mssval = (op[i+2] << 8) | op[i+3]; - - return (mssval >= info->mss_min && - mssval <= info->mss_max) ^ info->invert; - } - if (op[i] < 2) - i++; - else - i += op[i+1] ? : 1; - } -out: - return info->invert; - -dropit: - par->hotdrop = true; - return false; -} - -static struct xt_match tcpmss_mt_reg[] __read_mostly = { - { - .name = "tcpmss", - .family = NFPROTO_IPV4, - .match = tcpmss_mt, - .matchsize = sizeof(struct xt_tcpmss_match_info), - .proto = IPPROTO_TCP, - .me = THIS_MODULE, - }, - { - .name = "tcpmss", - .family = NFPROTO_IPV6, - .match = tcpmss_mt, - .matchsize = sizeof(struct xt_tcpmss_match_info), - .proto = IPPROTO_TCP, - .me = THIS_MODULE, - }, -}; - -static int __init tcpmss_mt_init(void) -{ - return xt_register_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg)); -} - -static void __exit tcpmss_mt_exit(void) -{ - xt_unregister_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg)); -} - -module_init(tcpmss_mt_init); -module_exit(tcpmss_mt_exit);