1 /* Shared library add-on to iptables for ECN matching 2 * 3 * (C) 2002 by Harald Welte <laforge (at) netfilter.org> 4 * (C) 2011 by Patrick McHardy <kaber (at) trash.net> 5 * 6 * This program is distributed under the terms of GNU GPL v2, 1991 7 * 8 * libipt_ecn.c borrowed heavily from libipt_dscp.c 9 * 10 */ 11 #include <stdio.h> 12 #include <xtables.h> 13 #include <linux/netfilter/xt_ecn.h> 14 15 enum { 16 O_ECN_TCP_CWR = 0, 17 O_ECN_TCP_ECE, 18 O_ECN_IP_ECT, 19 }; 20 21 static void ecn_help(void) 22 { 23 printf( 24 "ECN match options\n" 25 "[!] --ecn-tcp-cwr Match CWR bit of TCP header\n" 26 "[!] --ecn-tcp-ece Match ECE bit of TCP header\n" 27 "[!] --ecn-ip-ect [0..3] Match ECN codepoint in IPv4/IPv6 header\n"); 28 } 29 30 static const struct xt_option_entry ecn_opts[] = { 31 {.name = "ecn-tcp-cwr", .id = O_ECN_TCP_CWR, .type = XTTYPE_NONE, 32 .flags = XTOPT_INVERT}, 33 {.name = "ecn-tcp-ece", .id = O_ECN_TCP_ECE, .type = XTTYPE_NONE, 34 .flags = XTOPT_INVERT}, 35 {.name = "ecn-ip-ect", .id = O_ECN_IP_ECT, .type = XTTYPE_UINT8, 36 .min = 0, .max = 3, .flags = XTOPT_INVERT}, 37 XTOPT_TABLEEND, 38 }; 39 40 static void ecn_parse(struct xt_option_call *cb) 41 { 42 struct xt_ecn_info *einfo = cb->data; 43 44 xtables_option_parse(cb); 45 switch (cb->entry->id) { 46 case O_ECN_TCP_CWR: 47 einfo->operation |= XT_ECN_OP_MATCH_CWR; 48 if (cb->invert) 49 einfo->invert |= XT_ECN_OP_MATCH_CWR; 50 break; 51 case O_ECN_TCP_ECE: 52 einfo->operation |= XT_ECN_OP_MATCH_ECE; 53 if (cb->invert) 54 einfo->invert |= XT_ECN_OP_MATCH_ECE; 55 break; 56 case O_ECN_IP_ECT: 57 if (cb->invert) 58 einfo->invert |= XT_ECN_OP_MATCH_IP; 59 einfo->operation |= XT_ECN_OP_MATCH_IP; 60 einfo->ip_ect = cb->val.u8; 61 break; 62 } 63 } 64 65 static void ecn_check(struct xt_fcheck_call *cb) 66 { 67 if (cb->xflags == 0) 68 xtables_error(PARAMETER_PROBLEM, 69 "ECN match: some option required"); 70 } 71 72 static void ecn_print(const void *ip, const struct xt_entry_match *match, 73 int numeric) 74 { 75 const struct xt_ecn_info *einfo = 76 (const struct xt_ecn_info *)match->data; 77 78 printf(" ECN match"); 79 80 if (einfo->operation & XT_ECN_OP_MATCH_ECE) { 81 printf(" %sECE", 82 (einfo->invert & XT_ECN_OP_MATCH_ECE) ? "!" : ""); 83 } 84 85 if (einfo->operation & XT_ECN_OP_MATCH_CWR) { 86 printf(" %sCWR", 87 (einfo->invert & XT_ECN_OP_MATCH_CWR) ? "!" : ""); 88 } 89 90 if (einfo->operation & XT_ECN_OP_MATCH_IP) { 91 printf(" %sECT=%d", 92 (einfo->invert & XT_ECN_OP_MATCH_IP) ? "!" : "", 93 einfo->ip_ect); 94 } 95 } 96 97 static void ecn_save(const void *ip, const struct xt_entry_match *match) 98 { 99 const struct xt_ecn_info *einfo = 100 (const struct xt_ecn_info *)match->data; 101 102 if (einfo->operation & XT_ECN_OP_MATCH_ECE) { 103 if (einfo->invert & XT_ECN_OP_MATCH_ECE) 104 printf(" !"); 105 printf(" --ecn-tcp-ece"); 106 } 107 108 if (einfo->operation & XT_ECN_OP_MATCH_CWR) { 109 if (einfo->invert & XT_ECN_OP_MATCH_CWR) 110 printf(" !"); 111 printf(" --ecn-tcp-cwr"); 112 } 113 114 if (einfo->operation & XT_ECN_OP_MATCH_IP) { 115 if (einfo->invert & XT_ECN_OP_MATCH_IP) 116 printf(" !"); 117 printf(" --ecn-ip-ect %d", einfo->ip_ect); 118 } 119 } 120 121 static struct xtables_match ecn_mt_reg = { 122 .name = "ecn", 123 .version = XTABLES_VERSION, 124 .family = NFPROTO_UNSPEC, 125 .size = XT_ALIGN(sizeof(struct xt_ecn_info)), 126 .userspacesize = XT_ALIGN(sizeof(struct xt_ecn_info)), 127 .help = ecn_help, 128 .print = ecn_print, 129 .save = ecn_save, 130 .x6_parse = ecn_parse, 131 .x6_fcheck = ecn_check, 132 .x6_options = ecn_opts, 133 }; 134 135 void _init(void) 136 { 137 xtables_register_match(&ecn_mt_reg); 138 } 139
