From nobody Mon Feb 9 15:15:03 2026
From: egyszeregy@freemail.hu
To: fw@strlen.de, pablo@netfilter.org, lorenzo@kernel.org, daniel@iogearbox.net, leitao@debian.org, amiculas@cisco.com, kadlec@netfilter.org, davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: Benjamin Szőke
Subject: [PATCH 1/6] netfilter: x_tables: Format code of xt_*.c files.
Date: Tue, 7 Jan 2025 19:47:19 +0100
Message-ID: <20250107184724.56223-2-egyszeregy@freemail.hu>
X-Mailer: git-send-email 2.43.5
In-Reply-To: <20250107184724.56223-1-egyszeregy@freemail.hu>
References: <20250107184724.56223-1-egyszeregy@freemail.hu>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Benjamin Szőke

Adjust code style to be compatible with checkpatch.pl checks in the following files: xt_DSCP.c, xt_HL.c, xt_RATEEST.c, xt_TCPMSS.c

- Change to use u8, u16 and u32 types.
- Fix coding style of math operations and brackets.

Signed-off-by: Benjamin Sz=C5=91ke --- net/netfilter/xt_DSCP.c | 9 ++++----- net/netfilter/xt_HL.c | 3 +-- net/netfilter/xt_RATEEST.c | 1 + net/netfilter/xt_TCPMSS.c | 26 ++++++++++++++------------ 4 files changed, 20 insertions(+), 19 deletions(-) diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c index 90f24a6a26c5..a76701fd31ab 100644 --- a/net/netfilter/xt_DSCP.c +++ b/net/netfilter/xt_DSCP.c @@ -30,7 +30,7 @@ static unsigned int dscp_tg(struct sk_buff *skb, const struct xt_action_param *par) { const struct xt_DSCP_info *dinfo =3D par->targinfo; - u_int8_t dscp =3D ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; + u8 dscp =3D ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; =20 if (dscp !=3D dinfo->dscp) { if (skb_ensure_writable(skb, sizeof(struct iphdr))) @@ -38,7 +38,6 @@ dscp_tg(struct sk_buff *skb, const struct xt_action_param= *par) =20 ipv4_change_dsfield(ip_hdr(skb), XT_DSCP_ECN_MASK, dinfo->dscp << XT_DSCP_SHIFT); - } return XT_CONTINUE; } @@ -47,7 +46,7 @@ static unsigned int dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par) { const struct xt_DSCP_info *dinfo =3D par->targinfo; - u_int8_t dscp =3D ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; + u8 dscp =3D ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; =20 if (dscp !=3D dinfo->dscp) { if (skb_ensure_writable(skb, sizeof(struct ipv6hdr))) @@ -73,7 +72,7 @@ tos_tg(struct sk_buff *skb, const struct xt_action_param = *par) { const struct xt_tos_target_info *info =3D par->targinfo; struct iphdr *iph =3D ip_hdr(skb); - u_int8_t orig, nv; + u8 orig, nv; =20 orig =3D ipv4_get_dsfield(iph); nv =3D (orig & ~info->tos_mask) ^ info->tos_value; @@ -93,7 +92,7 @@ tos_tg6(struct sk_buff *skb, const struct xt_action_param= *par) { const struct xt_tos_target_info *info =3D par->targinfo; struct ipv6hdr *iph =3D ipv6_hdr(skb); - u_int8_t orig, nv; + u8 orig, nv; =20 orig =3D ipv6_get_dsfield(iph); nv =3D (orig & ~info->tos_mask) ^ info->tos_value; 
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c index a847d7a7eacd..1e1b30b27fef 100644 --- a/net/netfilter/xt_HL.c +++ b/net/netfilter/xt_HL.c @@ -54,8 +54,7 @@ ttl_tg(struct sk_buff *skb, const struct xt_action_param = *par) } =20 if (new_ttl !=3D iph->ttl) { - csum_replace2(&iph->check, htons(iph->ttl << 8), - htons(new_ttl << 8)); + csum_replace2(&iph->check, htons(iph->ttl << 8), htons(new_ttl << 8)); iph->ttl =3D new_ttl; } =20 diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c index a86bb0e4bb42..d56276b965fa 100644 --- a/net/netfilter/xt_RATEEST.c +++ b/net/netfilter/xt_RATEEST.c @@ -20,6 +20,7 @@ #define RATEEST_HSIZE 16 =20 struct xt_rateest_net { + /* To synchronize concurrent synchronous rate estimator operations. */ struct mutex hash_lock; struct hlist_head hash[RATEEST_HSIZE]; }; diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 3dc1320237c2..9944ca1eb950 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -31,13 +31,13 @@ MODULE_ALIAS("ipt_TCPMSS"); MODULE_ALIAS("ip6t_TCPMSS"); =20 static inline unsigned int -optlen(const u_int8_t *opt, unsigned int offset) +optlen(const u8 *opt, unsigned int offset) { /* Beware zero-length options: make finite progress */ - if (opt[offset] <=3D TCPOPT_NOP || opt[offset+1] =3D=3D 0) + if (opt[offset] <=3D TCPOPT_NOP || opt[offset + 1] =3D=3D 0) return 1; else - return opt[offset+1]; + return opt[offset + 1]; } =20 static u_int32_t tcpmss_reverse_mtu(struct net *net, @@ -46,10 +46,11 @@ static u_int32_t tcpmss_reverse_mtu(struct net *net, { struct flowi fl; struct rtable *rt =3D NULL; - u_int32_t mtu =3D ~0U; + u32 mtu =3D ~0U; =20 if (family =3D=3D PF_INET) { struct flowi4 *fl4 =3D &fl.u.ip4; + memset(fl4, 0, sizeof(*fl4)); fl4->daddr =3D ip_hdr(skb)->saddr; } else { 
@@ -60,7 +61,7 @@ static u_int32_t tcpmss_reverse_mtu(struct net *net, } =20 nf_route(net, (struct dst_entry **)&rt, &fl, false, family); - if (rt !=3D NULL) { + if (rt) { mtu =3D dst_mtu(&rt->dst); dst_release(&rt->dst); } @@ -110,15 +111,16 @@ tcpmss_mangle_packet(struct sk_buff *skb, return -1; } newmss =3D min_mtu - minlen; - } else + } else { newmss =3D info->mss; + } =20 opt =3D (u_int8_t *)tcph; for (i =3D sizeof(struct tcphdr); i <=3D tcp_hdrlen - TCPOLEN_MSS; i +=3D= optlen(opt, i)) { - if (opt[i] =3D=3D TCPOPT_MSS && opt[i+1] =3D=3D TCPOLEN_MSS) { - u_int16_t oldmss; + if (opt[i] =3D=3D TCPOPT_MSS && opt[i + 1] =3D=3D TCPOLEN_MSS) { + u16 oldmss; =20 - oldmss =3D (opt[i+2] << 8) | opt[i+3]; + oldmss =3D (opt[i + 2] << 8) | opt[i + 3]; =20 /* Never increase MSS, even when setting it, as * doing so results in problems for hosts that rely @@ -127,8 +129,8 @@ tcpmss_mangle_packet(struct sk_buff *skb, if (oldmss <=3D newmss) return 0; =20 - opt[i+2] =3D (newmss & 0xff00) >> 8; - opt[i+3] =3D newmss & 0x00ff; + opt[i + 2] =3D (newmss & 0xff00) >> 8; + opt[i + 3] =3D newmss & 0x00ff; =20 inet_proto_csum_replace2(&tcph->check, skb, htons(oldmss), htons(newmss), 
@@ -186,7 +188,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, inet_proto_csum_replace4(&tcph->check, skb, 0, *((__be32 *)opt), false); =20 oldval =3D ((__be16 *)tcph)[6]; - tcph->doff +=3D TCPOLEN_MSS/4; + tcph->doff +=3D TCPOLEN_MSS / 4; inet_proto_csum_replace2(&tcph->check, skb, oldval, ((__be16 *)tcph)[6], false); return TCPOLEN_MSS; --=20 2.43.5
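
Review bot: The type conversion in xt_TCPMSS.c of [PATCH 1/6] is incomplete, so the file ends up mixing both spellings. The hunk at "@@ -46,10 +46,11 @@" changes the local to "u32 mtu" while the function is still declared "static u_int32_t tcpmss_reverse_mtu(...)", and the hunk at "@@ -110,15 +111,16 @@" converts "u16 oldmss" but leaves the context line "opt = (u_int8_t *)tcph;" as it was. Either convert the return type and the cast in this patch as well, or say in the commit message that only the touched declarations are converted.
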
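
Review bot: The comment added above "struct mutex hash_lock" in xt_RATEEST.c of [PATCH 1/6] (hunk "@@ -20,6 +20,7 @@") does not say which data the lock protects, and "concurrent synchronous" reads as a contradiction. If the mutex guards the "hash[RATEEST_HSIZE]" table in struct xt_rateest_net, say exactly that, and mention the new comment in the commit message, which currently lists only type and spacing changes.
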
From: egyszeregy@freemail.hu
To: fw@strlen.de, pablo@netfilter.org, lorenzo@kernel.org, daniel@iogearbox.net, leitao@debian.org, amiculas@cisco.com, kadlec@netfilter.org, davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: Benjamin Szőke
Subject: [PATCH 2/6] netfilter: x_tables: Merge xt_DSCP.c to xt_dscp.c
Date: Tue, 7 Jan 2025 19:47:20 +0100
Message-ID: <20250107184724.56223-3-egyszeregy@freemail.hu>
X-Mailer: git-send-email 2.43.5
In-Reply-To: <20250107184724.56223-1-egyszeregy@freemail.hu>
References: <20250107184724.56223-1-egyszeregy@freemail.hu>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Benjamin Szőke

Merge xt_DSCP.c to xt_dscp.c file and remove xt_DSCP.c.

Signed-off-by: Benjamin Sz=C5=91ke --- net/netfilter/Kconfig | 21 ++++++ net/netfilter/Makefile | 3 +- net/netfilter/xt_DSCP.c | 160 ---------------------------------------- net/netfilter/xt_dscp.c | 155 ++++++++++++++++++++++++++++++++++++-- 4 files changed, 170 insertions(+), 169 deletions(-) delete mode 100644 net/netfilter/xt_DSCP.c diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index df2dc21304ef..ae0c30641cec 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -802,6 +802,17 @@ config NETFILTER_XT_SET =20 To compile it as a module, choose M here. If unsure, say N. =20 +config NETFILTER_XT_DSCP + tristate '"DSCP" and "TOS" target and match support' + depends on NETFILTER_ADVANCED + help + This option adds the "DSCP" target and "dscp" match. + + Netfilter dscp matching which allows you to match against the + IPv4/IPv6 header DSCP field (differentiated services codepoint). + The target allows you to manipulate the IPv4/IPv6 + header DSCP field (differentiated services codepoint). + # alphabetically ordered list of targets =20 comment "Xtables targets" @@ -882,6 +893,7 @@ config NETFILTER_XT_TARGET_DSCP tristate '"DSCP" and "TOS" target support' depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT depends on NETFILTER_ADVANCED + select NETFILTER_XT_DSCP help This option adds a `DSCP' target, which allows you to manipulate the IPv4/IPv6 header DSCP field (differentiated services codepoint). @@ -892,6 +904,10 @@ config NETFILTER_XT_TARGET_DSCP the "mangle" table which alter the Type Of Service field of an IPv4 or the Priority field of an IPv6 packet, prior to routing. =20 + This is a backwards-compat option for the user's convenience + (e.g. when running oldconfig). It selects + CONFIG_NETFILTER_XT_DSCP (combined dscp/DSCP module). + To compile it as a module, choose M here. If unsure, say N. =20 config NETFILTER_XT_TARGET_HL 
@@ -1301,6 +1317,7 @@ config NETFILTER_XT_MATCH_DEVGROUP config NETFILTER_XT_MATCH_DSCP tristate '"dscp" and "tos" match support' depends on NETFILTER_ADVANCED + select NETFILTER_XT_DSCP help This option adds a `DSCP' match, which allows you to match against the IPv4/IPv6 header DSCP field (differentiated services codepoint). @@ -1311,6 +1328,10 @@ config NETFILTER_XT_MATCH_DSCP based on the Type Of Service fields of the IPv4 packet (which share the same bits as DSCP). =20 + This is a backwards-compat option for the user's convenience + (e.g. when running oldconfig). It selects + CONFIG_NETFILTER_XT_DSCP (combined dscp/DSCP module). + To compile it as a module, choose M here. If unsure, say N. =20 config NETFILTER_XT_MATCH_ECN diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index f0aa4d7ef499..5f9927563b35 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -160,6 +160,7 @@ obj-$(CONFIG_NETFILTER_XT_MARK) +=3D xt_mark.o obj-$(CONFIG_NETFILTER_XT_CONNMARK) +=3D xt_connmark.o obj-$(CONFIG_NETFILTER_XT_SET) +=3D xt_set.o obj-$(CONFIG_NETFILTER_XT_NAT) +=3D xt_nat.o +obj-$(CONFIG_NETFILTER_XT_DSCP) +=3D xt_dscp.o =20 # targets obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) +=3D xt_AUDIT.o @@ -167,7 +168,6 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CHECKSUM) +=3D xt_CHEC= KSUM.o obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) +=3D xt_CLASSIFY.o obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) +=3D xt_CONNSECMARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_CT) +=3D xt_CT.o -obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) +=3D xt_DSCP.o obj-$(CONFIG_NETFILTER_XT_TARGET_HL) +=3D xt_HL.o obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) +=3D xt_HMARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_LED) +=3D xt_LED.o 
@@ -198,7 +198,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) +=3D xt_conn= track.o obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) +=3D xt_cpu.o obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) +=3D xt_dccp.o obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) +=3D xt_devgroup.o -obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) +=3D xt_dscp.o obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) +=3D xt_ecn.o obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=3D xt_esp.o obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) +=3D xt_hashlimit.o diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c deleted file mode 100644 index a76701fd31ab..000000000000 --- a/net/netfilter/xt_DSCP.c +++ /dev/null 
@@ -1,160 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* x_tables module for setting the IPv4/IPv6 DSCP field, Version 1.8 - * - * (C) 2002 by Harald Welte - * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh - * - * See RFC2474 for a description of the DSCP field within the IP Header. -*/ -#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -#include -#include -#include -#include -#include - -#include -#include - -MODULE_AUTHOR("Harald Welte "); -MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification"); -MODULE_LICENSE("GPL"); -MODULE_ALIAS("ipt_DSCP"); -MODULE_ALIAS("ip6t_DSCP"); -MODULE_ALIAS("ipt_TOS"); -MODULE_ALIAS("ip6t_TOS"); - -#define XT_DSCP_ECN_MASK 3u - -static unsigned int -dscp_tg(struct sk_buff *skb, const struct xt_action_param *par) -{ - const struct xt_DSCP_info *dinfo =3D par->targinfo; - u8 dscp =3D ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; - - if (dscp !=3D dinfo->dscp) { - if (skb_ensure_writable(skb, sizeof(struct iphdr))) - return NF_DROP; - - ipv4_change_dsfield(ip_hdr(skb), XT_DSCP_ECN_MASK, - dinfo->dscp << XT_DSCP_SHIFT); - } - return XT_CONTINUE; -} - -static unsigned int -dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par) -{ - const struct xt_DSCP_info *dinfo =3D par->targinfo; - u8 dscp =3D ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; - - if (dscp !=3D dinfo->dscp) { - if (skb_ensure_writable(skb, sizeof(struct ipv6hdr))) - return NF_DROP; - - ipv6_change_dsfield(ipv6_hdr(skb), XT_DSCP_ECN_MASK, - dinfo->dscp << XT_DSCP_SHIFT); - } - return XT_CONTINUE; -} - -static int dscp_tg_check(const struct xt_tgchk_param *par) -{ - const struct xt_DSCP_info *info =3D par->targinfo; - - if (info->dscp > XT_DSCP_MAX) - return -EDOM; - return 0; -} - -static unsigned int -tos_tg(struct sk_buff *skb, const struct xt_action_param *par) -{ - const struct xt_tos_target_info *info =3D par->targinfo; - struct iphdr *iph =3D ip_hdr(skb); - u8 orig, nv; - - orig =3D ipv4_get_dsfield(iph); - nv =3D (orig & ~info->tos_mask) ^ 
info->tos_value; - - if (orig !=3D nv) { - if (skb_ensure_writable(skb, sizeof(struct iphdr))) - return NF_DROP; - iph =3D ip_hdr(skb); - ipv4_change_dsfield(iph, 0, nv); - } - - return XT_CONTINUE; -} - -static unsigned int -tos_tg6(struct sk_buff *skb, const struct xt_action_param *par) -{ - const struct xt_tos_target_info *info =3D par->targinfo; - struct ipv6hdr *iph =3D ipv6_hdr(skb); - u8 orig, nv; - - orig =3D ipv6_get_dsfield(iph); - nv =3D (orig & ~info->tos_mask) ^ info->tos_value; - - if (orig !=3D nv) { - if (skb_ensure_writable(skb, sizeof(struct iphdr))) - return NF_DROP; - iph =3D ipv6_hdr(skb); - ipv6_change_dsfield(iph, 0, nv); - } - - return XT_CONTINUE; -} - -static struct xt_target dscp_tg_reg[] __read_mostly =3D { - { - .name =3D "DSCP", - .family =3D NFPROTO_IPV4, - .checkentry =3D dscp_tg_check, - .target =3D dscp_tg, - .targetsize =3D sizeof(struct xt_DSCP_info), - .table =3D "mangle", - .me =3D THIS_MODULE, - }, - { - .name =3D "DSCP", - .family =3D NFPROTO_IPV6, - .checkentry =3D dscp_tg_check, - .target =3D dscp_tg6, - .targetsize =3D sizeof(struct xt_DSCP_info), - .table =3D "mangle", - .me =3D THIS_MODULE, - }, - { - .name =3D "TOS", - .revision =3D 1, - .family =3D NFPROTO_IPV4, - .table =3D "mangle", - .target =3D tos_tg, - .targetsize =3D sizeof(struct xt_tos_target_info), - .me =3D THIS_MODULE, - }, - { - .name =3D "TOS", - .revision =3D 1, - .family =3D NFPROTO_IPV6, - .table =3D "mangle", - .target =3D tos_tg6, - .targetsize =3D sizeof(struct xt_tos_target_info), - .me =3D THIS_MODULE, - }, -}; - -static int __init dscp_tg_init(void) -{ - return xt_register_targets(dscp_tg_reg, ARRAY_SIZE(dscp_tg_reg)); -} - -static void __exit dscp_tg_exit(void) -{ - xt_unregister_targets(dscp_tg_reg, ARRAY_SIZE(dscp_tg_reg)); -} - -module_init(dscp_tg_init); -module_exit(dscp_tg_exit); diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c index fb0169a8f9bb..bdd67b0458ab 100644 --- a/net/netfilter/xt_dscp.c +++ b/net/netfilter/xt_dscp.c 
@@ -1,7 +1,10 @@ // SPDX-License-Identifier: GPL-2.0-only -/* IP tables module for matching the value of the IPv4/IPv6 DSCP field +/* x_tables module for matching/modifying the value of the IPv4/IPv6 DSCP = field * * (C) 2002 by Harald Welte + * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh + * + * See RFC2474 for a description of the DSCP field within the IP Header. */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #include @@ -14,12 +17,19 @@ #include =20 MODULE_AUTHOR("Harald Welte "); -MODULE_DESCRIPTION("Xtables: DSCP/TOS field match"); +MODULE_DESCRIPTION("Xtables: DSCP/TOS field match and target modification"= ); MODULE_LICENSE("GPL"); MODULE_ALIAS("ipt_dscp"); MODULE_ALIAS("ip6t_dscp"); MODULE_ALIAS("ipt_tos"); MODULE_ALIAS("ip6t_tos"); +MODULE_ALIAS("ipt_DSCP"); +MODULE_ALIAS("ip6t_DSCP"); +MODULE_ALIAS("ipt_TOS"); +MODULE_ALIAS("ip6t_TOS"); +MODULE_ALIAS("xt_DSCP"); + +#define XT_DSCP_ECN_MASK 3u =20 static bool dscp_mt(const struct sk_buff *skb, struct xt_action_param *par) 
@@ -96,15 +106,146 @@ static struct xt_match dscp_mt_reg[] __read_mostly = =3D { }, }; =20 -static int __init dscp_mt_init(void) +static unsigned int +dscp_tg(struct sk_buff *skb, const struct xt_action_param *par) +{ + const struct xt_DSCP_info *dinfo =3D par->targinfo; + u8 dscp =3D ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; + + if (dscp !=3D dinfo->dscp) { + if (skb_ensure_writable(skb, sizeof(struct iphdr))) + return NF_DROP; + + ipv4_change_dsfield(ip_hdr(skb), XT_DSCP_ECN_MASK, + dinfo->dscp << XT_DSCP_SHIFT); + } + return XT_CONTINUE; +} + +static unsigned int +dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par) { - return xt_register_matches(dscp_mt_reg, ARRAY_SIZE(dscp_mt_reg)); + const struct xt_DSCP_info *dinfo =3D par->targinfo; + u8 dscp =3D ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; + + if (dscp !=3D dinfo->dscp) { + if (skb_ensure_writable(skb, sizeof(struct ipv6hdr))) + return NF_DROP; + + ipv6_change_dsfield(ipv6_hdr(skb), XT_DSCP_ECN_MASK, + dinfo->dscp << XT_DSCP_SHIFT); + } + return XT_CONTINUE; +} + +static int dscp_tg_check(const struct xt_tgchk_param *par) +{ + const struct xt_DSCP_info *info =3D par->targinfo; + + if (info->dscp > XT_DSCP_MAX) + return -EDOM; + return 0; +} + +static unsigned int +tos_tg(struct sk_buff *skb, const struct xt_action_param *par) +{ + const struct xt_tos_target_info *info =3D par->targinfo; + struct iphdr *iph =3D ip_hdr(skb); + u8 orig, nv; + + orig =3D ipv4_get_dsfield(iph); + nv =3D (orig & ~info->tos_mask) ^ info->tos_value; + + if (orig !=3D nv) { + if (skb_ensure_writable(skb, sizeof(struct iphdr))) + return NF_DROP; + iph =3D ip_hdr(skb); + ipv4_change_dsfield(iph, 0, nv); + } + + return XT_CONTINUE; +} + +static unsigned int +tos_tg6(struct sk_buff *skb, const struct xt_action_param *par) +{ + const struct xt_tos_target_info *info =3D par->targinfo; + struct ipv6hdr *iph =3D ipv6_hdr(skb); + u8 orig, nv; + + orig =3D ipv6_get_dsfield(iph); + nv =3D (orig & ~info->tos_mask) ^ 
info->tos_value; + + if (orig !=3D nv) { + if (skb_ensure_writable(skb, sizeof(struct iphdr))) + return NF_DROP; + iph =3D ipv6_hdr(skb); + ipv6_change_dsfield(iph, 0, nv); + } + + return XT_CONTINUE; +} + +static struct xt_target dscp_tg_reg[] __read_mostly =3D { + { + .name =3D "DSCP", + .family =3D NFPROTO_IPV4, + .checkentry =3D dscp_tg_check, + .target =3D dscp_tg, + .targetsize =3D sizeof(struct xt_DSCP_info), + .table =3D "mangle", + .me =3D THIS_MODULE, + }, + { + .name =3D "DSCP", + .family =3D NFPROTO_IPV6, + .checkentry =3D dscp_tg_check, + .target =3D dscp_tg6, + .targetsize =3D sizeof(struct xt_DSCP_info), + .table =3D "mangle", + .me =3D THIS_MODULE, + }, + { + .name =3D "TOS", + .revision =3D 1, + .family =3D NFPROTO_IPV4, + .table =3D "mangle", + .target =3D tos_tg, + .targetsize =3D sizeof(struct xt_tos_target_info), + .me =3D THIS_MODULE, + }, + { + .name =3D "TOS", + .revision =3D 1, + .family =3D NFPROTO_IPV6, + .table =3D "mangle", + .target =3D tos_tg6, + .targetsize =3D sizeof(struct xt_tos_target_info), + .me =3D THIS_MODULE, + }, +}; + +static int __init dscp_init(void) +{ + int ret; + + ret =3D xt_register_targets(dscp_tg_reg, ARRAY_SIZE(dscp_tg_reg)); + if (ret < 0) + return ret; + ret =3D xt_register_matches(dscp_mt_reg, ARRAY_SIZE(dscp_mt_reg)); + if (ret < 0) { + xt_unregister_targets(dscp_tg_reg, ARRAY_SIZE(dscp_tg_reg)); + return ret; + } + return 0; } =20 -static void __exit dscp_mt_exit(void) +static void __exit dscp_exit(void) { xt_unregister_matches(dscp_mt_reg, ARRAY_SIZE(dscp_mt_reg)); + xt_unregister_targets(dscp_tg_reg, ARRAY_SIZE(dscp_tg_reg)); } =20 -module_init(dscp_mt_init); -module_exit(dscp_mt_exit); +module_init(dscp_init); +module_exit(dscp_exit); --=20 2.43.5
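
Review bot: In the Kconfig and Makefile hunks of [PATCH 2/6], both NETFILTER_XT_TARGET_DSCP and NETFILTER_XT_MATCH_DSCP now "select NETFILTER_XT_DSCP" and xt_dscp.o is built only from CONFIG_NETFILTER_XT_DSCP, so a configuration that enabled just the match also gets the DSCP/TOS mangle targets, because dscp_init() registers dscp_tg_reg unconditionally. The new symbol also depends only on NETFILTER_ADVANCED, where the target option required "IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT". Consider wrapping the target code and its registration in "#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_DSCP)", and the match side likewise, so that existing configs keep exposing only the packet-modifying code they selected.
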
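
Review bot: tos_tg6() in the xt_dscp.c hunk "@@ -96,15 +106,146 @@" of [PATCH 2/6] is moved with "skb_ensure_writable(skb, sizeof(struct iphdr))" although it then modifies the IPv6 header through ipv6_change_dsfield(); dscp_tg6() in the same hunk uses "sizeof(struct ipv6hdr)". The same line appears in the deleted xt_DSCP.c, so it is carried over rather than introduced here, but it should not be copied silently: fix the size in a separate patch ahead of the merge so the moved code is consistent and the move itself stays a pure move.
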
From: egyszeregy@freemail.hu
To: fw@strlen.de, pablo@netfilter.org, lorenzo@kernel.org, daniel@iogearbox.net, leitao@debian.org, amiculas@cisco.com, kadlec@netfilter.org, davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: Benjamin Szőke
Subject: [PATCH 3/6] netfilter: x_tables: Merge xt_HL.c to xt_hl.c
Date: Tue, 7 Jan 2025 19:47:21 +0100
Message-ID: <20250107184724.56223-4-egyszeregy@freemail.hu>
X-Mailer: git-send-email 2.43.5
In-Reply-To: <20250107184724.56223-1-egyszeregy@freemail.hu>
References: <20250107184724.56223-1-egyszeregy@freemail.hu>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Benjamin Szőke

Merge xt_HL.c to xt_hl.c file and remove xt_HL.c.

Signed-off-by: Benjamin Szőke
---
 net/netfilter/Kconfig  |  22 ++++++
 net/netfilter/Makefile |   3 +-
 net/netfilter/xt_HL.c  | 158 ---------------------------------------
 net/netfilter/xt_hl.c  | 163 ++++++++++++++++++++++++++++++++++++++---
 4 files changed, 175 insertions(+), 171 deletions(-)
 delete mode 100644 net/netfilter/xt_HL.c

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index ae0c30641cec..ca293f9a1db5 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -813,6 +813,18 @@ config NETFILTER_XT_DSCP The target allows you to manipulate the IPv4/IPv6 header DSCP field (differentiated services codepoint). =20 +config NETFILTER_XT_HL + tristate '"HL" hoplimit target and match support' + depends on NETFILTER_ADVANCED + help + This option adds the "HL" target and "hl" match. + + Netfilter hl matching allows you to match packets based on + the hoplimit in the IPv6 header, or the time-to-live field in + the IPv4 header of the packet. + The target allows you to change the hoplimit/time-to-live + value of the IP header. + # alphabetically ordered list of targets =20 comment "Xtables targets" @@ -914,6 +926,7 @@ config NETFILTER_XT_TARGET_HL tristate '"HL" hoplimit target support' depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT depends on NETFILTER_ADVANCED + select NETFILTER_XT_HL help This option adds the "HL" (for IPv6) and "TTL" (for IPv4) targets, which enable the user to change the @@ -925,6 +938,10 @@ config NETFILTER_XT_TARGET_HL since you can easily create immortal packets that loop forever on the network. =20 + This is a backwards-compat option for the user's convenience + (e.g. when running oldconfig). It selects + CONFIG_NETFILTER_XT_HL (combined hl/HL module). + config NETFILTER_XT_TARGET_HMARK tristate '"HMARK" target support' depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=3Dn 
@@ -1380,11 +1397,16 @@ config NETFILTER_XT_MATCH_HELPER config NETFILTER_XT_MATCH_HL tristate '"hl" hoplimit/TTL match support' depends on NETFILTER_ADVANCED + select NETFILTER_XT_HL help HL matching allows you to match packets based on the hoplimit in the IPv6 header, or the time-to-live field in the IPv4 header of the packet. =20 + This is a backwards-compat option for the user's convenience + (e.g. when running oldconfig). It selects + CONFIG_NETFILTER_XT_HL (combined hl/HL module). + config NETFILTER_XT_MATCH_IPCOMP tristate '"ipcomp" match support' depends on NETFILTER_ADVANCED diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 5f9927563b35..381a18ce84d0 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -161,6 +161,7 @@ obj-$(CONFIG_NETFILTER_XT_CONNMARK) +=3D xt_connmark.o obj-$(CONFIG_NETFILTER_XT_SET) +=3D xt_set.o obj-$(CONFIG_NETFILTER_XT_NAT) +=3D xt_nat.o obj-$(CONFIG_NETFILTER_XT_DSCP) +=3D xt_dscp.o +obj-$(CONFIG_NETFILTER_XT_HL) +=3D xt_hl.o =20 # targets obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) +=3D xt_AUDIT.o @@ -168,7 +169,6 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CHECKSUM) +=3D xt_CHEC= KSUM.o obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) +=3D xt_CLASSIFY.o obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) +=3D xt_CONNSECMARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_CT) +=3D xt_CT.o -obj-$(CONFIG_NETFILTER_XT_TARGET_HL) +=3D xt_HL.o obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) +=3D xt_HMARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_LED) +=3D xt_LED.o obj-$(CONFIG_NETFILTER_XT_TARGET_LOG) +=3D xt_LOG.o 
@@ -202,7 +202,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) +=3D xt_ecn.o obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=3D xt_esp.o obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) +=3D xt_hashlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) +=3D xt_helper.o -obj-$(CONFIG_NETFILTER_XT_MATCH_HL) +=3D xt_hl.o obj-$(CONFIG_NETFILTER_XT_MATCH_IPCOMP) +=3D xt_ipcomp.o obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) +=3D xt_iprange.o obj-$(CONFIG_NETFILTER_XT_MATCH_IPVS) +=3D xt_ipvs.o diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c deleted file mode 100644 index 1e1b30b27fef..000000000000 --- a/net/netfilter/xt_HL.c +++ /dev/null 
@@ -1,158 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* - * TTL modification target for IP tables - * (C) 2000,2005 by Harald Welte - * - * Hop Limit modification target for ip6tables - * Maciej Soltysiak - */ -#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -#include -#include -#include -#include -#include - -#include -#include -#include - -MODULE_AUTHOR("Harald Welte "); -MODULE_AUTHOR("Maciej Soltysiak "); -MODULE_DESCRIPTION("Xtables: Hoplimit/TTL Limit field modification target"= ); -MODULE_LICENSE("GPL"); - -static unsigned int -ttl_tg(struct sk_buff *skb, const struct xt_action_param *par) -{ - struct iphdr *iph; - const struct ipt_TTL_info *info =3D par->targinfo; - int new_ttl; - - if (skb_ensure_writable(skb, sizeof(*iph))) - return NF_DROP; - - iph =3D ip_hdr(skb); - - switch (info->mode) { - case IPT_TTL_SET: - new_ttl =3D info->ttl; - break; - case IPT_TTL_INC: - new_ttl =3D iph->ttl + info->ttl; - if (new_ttl > 255) - new_ttl =3D 255; - break; - case IPT_TTL_DEC: - new_ttl =3D iph->ttl - info->ttl; - if (new_ttl < 0) - new_ttl =3D 0; - break; - default: - new_ttl =3D iph->ttl; - break; - } - - if (new_ttl !=3D iph->ttl) { - csum_replace2(&iph->check, htons(iph->ttl << 8), htons(new_ttl << 8)); - iph->ttl =3D new_ttl; - } - - return XT_CONTINUE; -} - -static unsigned int -hl_tg6(struct sk_buff *skb, const struct xt_action_param *par) -{ - struct ipv6hdr *ip6h; - const struct ip6t_HL_info *info =3D par->targinfo; - int new_hl; - - if (skb_ensure_writable(skb, sizeof(*ip6h))) - return NF_DROP; - - ip6h =3D ipv6_hdr(skb); - - switch (info->mode) { - case IP6T_HL_SET: - new_hl =3D info->hop_limit; - break; - case IP6T_HL_INC: - new_hl =3D ip6h->hop_limit + info->hop_limit; - if (new_hl > 255) - new_hl =3D 255; - break; - case IP6T_HL_DEC: - new_hl =3D ip6h->hop_limit - info->hop_limit; - if (new_hl < 0) - new_hl =3D 0; - break; - default: - new_hl =3D ip6h->hop_limit; - break; - } - - ip6h->hop_limit =3D new_hl; - - return XT_CONTINUE; -} - -static int 
ttl_tg_check(const struct xt_tgchk_param *par) -{ - const struct ipt_TTL_info *info =3D par->targinfo; - - if (info->mode > IPT_TTL_MAXMODE) - return -EINVAL; - if (info->mode !=3D IPT_TTL_SET && info->ttl =3D=3D 0) - return -EINVAL; - return 0; -} - -static int hl_tg6_check(const struct xt_tgchk_param *par) -{ - const struct ip6t_HL_info *info =3D par->targinfo; - - if (info->mode > IP6T_HL_MAXMODE) - return -EINVAL; - if (info->mode !=3D IP6T_HL_SET && info->hop_limit =3D=3D 0) - return -EINVAL; - return 0; -} - -static struct xt_target hl_tg_reg[] __read_mostly =3D { - { - .name =3D "TTL", - .revision =3D 0, - .family =3D NFPROTO_IPV4, - .target =3D ttl_tg, - .targetsize =3D sizeof(struct ipt_TTL_info), - .table =3D "mangle", - .checkentry =3D ttl_tg_check, - .me =3D THIS_MODULE, - }, - { - .name =3D "HL", - .revision =3D 0, - .family =3D NFPROTO_IPV6, - .target =3D hl_tg6, - .targetsize =3D sizeof(struct ip6t_HL_info), - .table =3D "mangle", - .checkentry =3D hl_tg6_check, - .me =3D THIS_MODULE, - }, -}; - -static int __init hl_tg_init(void) -{ - return xt_register_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); -} - -static void __exit hl_tg_exit(void) -{ - xt_unregister_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); -} - -module_init(hl_tg_init); -module_exit(hl_tg_exit); -MODULE_ALIAS("ipt_TTL"); -MODULE_ALIAS("ip6t_HL"); diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c index c1a70f8f0441..330951c0dfe2 100644 --- a/net/netfilter/xt_hl.c +++ b/net/netfilter/xt_hl.c 
@@ -1,26 +1,36 @@ // SPDX-License-Identifier: GPL-2.0-only -/* - * IP tables module for matching the value of the TTL +/* IP tables module for matching/modifying the value of the TTL * (C) 2000,2001 by Harald Welte * * Hop Limit matching module * (C) 2001-2002 Maciej Soltysiak + * + * TTL modification target for IP tables + * (C) 2000,2005 by Harald Welte + * + * Hop Limit modification target for ip6tables + * Maciej Soltysiak */ - -#include -#include +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #include #include +#include +#include +#include =20 #include #include #include =20 +MODULE_AUTHOR("Harald Welte "); MODULE_AUTHOR("Maciej Soltysiak "); -MODULE_DESCRIPTION("Xtables: Hoplimit/TTL field match"); +MODULE_DESCRIPTION("Xtables: Hoplimit/TTL field match and modification tar= get"); MODULE_LICENSE("GPL"); MODULE_ALIAS("ipt_ttl"); MODULE_ALIAS("ip6t_hl"); +MODULE_ALIAS("ipt_TTL"); +MODULE_ALIAS("ip6t_HL"); +MODULE_ALIAS("xt_HL"); =20 static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par) { 
@@ -79,15 +89,146 @@ static struct xt_match hl_mt_reg[] __read_mostly =3D { }, }; =20 -static int __init hl_mt_init(void) +static unsigned int +ttl_tg(struct sk_buff *skb, const struct xt_action_param *par) +{ + struct iphdr *iph; + const struct ipt_TTL_info *info =3D par->targinfo; + int new_ttl; + + if (skb_ensure_writable(skb, sizeof(*iph))) + return NF_DROP; + + iph =3D ip_hdr(skb); + + switch (info->mode) { + case IPT_TTL_SET: + new_ttl =3D info->ttl; + break; + case IPT_TTL_INC: + new_ttl =3D iph->ttl + info->ttl; + if (new_ttl > 255) + new_ttl =3D 255; + break; + case IPT_TTL_DEC: + new_ttl =3D iph->ttl - info->ttl; + if (new_ttl < 0) + new_ttl =3D 0; + break; + default: + new_ttl =3D iph->ttl; + break; + } + + if (new_ttl !=3D iph->ttl) { + csum_replace2(&iph->check, htons(iph->ttl << 8), htons(new_ttl << 8)); + iph->ttl =3D new_ttl; + } + + return XT_CONTINUE; +} + +static unsigned int +hl_tg6(struct sk_buff *skb, const struct xt_action_param *par) +{ + struct ipv6hdr *ip6h; + const struct ip6t_HL_info *info =3D par->targinfo; + int new_hl; + + if (skb_ensure_writable(skb, sizeof(*ip6h))) + return NF_DROP; + + ip6h =3D ipv6_hdr(skb); + + switch (info->mode) { + case IP6T_HL_SET: + new_hl =3D info->hop_limit; + break; + case IP6T_HL_INC: + new_hl =3D ip6h->hop_limit + info->hop_limit; + if (new_hl > 255) + new_hl =3D 255; + break; + case IP6T_HL_DEC: + new_hl =3D ip6h->hop_limit - info->hop_limit; + if (new_hl < 0) + new_hl =3D 0; + break; + default: + new_hl =3D ip6h->hop_limit; + break; + } + + ip6h->hop_limit =3D new_hl; + + return XT_CONTINUE; +} + +static int ttl_tg_check(const struct xt_tgchk_param *par) +{ + const struct ipt_TTL_info *info =3D par->targinfo; + + if (info->mode > IPT_TTL_MAXMODE) + return -EINVAL; + if (info->mode !=3D IPT_TTL_SET && info->ttl =3D=3D 0) + return -EINVAL; + return 0; +} + +static int hl_tg6_check(const struct xt_tgchk_param *par) +{ + const struct ip6t_HL_info *info =3D par->targinfo; + + if (info->mode > 
IP6T_HL_MAXMODE) + return -EINVAL; + if (info->mode !=3D IP6T_HL_SET && info->hop_limit =3D=3D 0) + return -EINVAL; + return 0; +} + +static struct xt_target hl_tg_reg[] __read_mostly =3D { + { + .name =3D "TTL", + .revision =3D 0, + .family =3D NFPROTO_IPV4, + .target =3D ttl_tg, + .targetsize =3D sizeof(struct ipt_TTL_info), + .table =3D "mangle", + .checkentry =3D ttl_tg_check, + .me =3D THIS_MODULE, + }, + { + .name =3D "HL", + .revision =3D 0, + .family =3D NFPROTO_IPV6, + .target =3D hl_tg6, + .targetsize =3D sizeof(struct ip6t_HL_info), + .table =3D "mangle", + .checkentry =3D hl_tg6_check, + .me =3D THIS_MODULE, + }, +}; + +static int __init hl_init(void) { - return xt_register_matches(hl_mt_reg, ARRAY_SIZE(hl_mt_reg)); + int ret; + + ret =3D xt_register_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); + if (ret < 0) + return ret; + ret =3D xt_register_matches(hl_mt_reg, ARRAY_SIZE(hl_mt_reg)); + if (ret < 0) { + xt_unregister_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); + return ret; + } + return 0; } =20 -static void __exit hl_mt_exit(void) +static void __exit hl_exit(void) { xt_unregister_matches(hl_mt_reg, ARRAY_SIZE(hl_mt_reg)); + xt_unregister_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); } =20 -module_init(hl_mt_init); -module_exit(hl_mt_exit); +module_init(hl_init); +module_exit(hl_exit); --=20 2.43.5 From nobody Mon Feb 9 15:15:03 2026 Received: from smtp-out.freemail.hu (fmfe34.freemail.hu [46.107.16.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA6F31F472F; Tue, 7 Jan 2025 18:48:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=46.107.16.239 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736275694; cv=none; b=I4V7LFsR16ywJU4AR6f1KCEdkJC2sGeno6fVPe2ofyk3jERCpYnascL56gSolhDl31uaZOZx5I7lU5Q6j+YolOhGU44GfqaheN46UkGAh1HJEb8ePHlSqEhmSTS0r4eOIUZv3sJ7r7+EKs0EjBG6eZCiQCiWGm83tLCBGuI34T8= 
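Review bot: In the Kconfig hunks `NETFILTER_XT_MATCH_HL` now does `select NETFILTER_XT_HL`, and the new `hl_init()` in xt_hl.c registers `hl_tg_reg` unconditionally, so a configuration that enabled only the hl/ttl match now also gets the packet-modifying TTL/HL targets. The new `NETFILTER_XT_HL` entry depends only on `NETFILTER_ADVANCED`, while `NETFILTER_XT_TARGET_HL` keeps `depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT`, and only its help text carries the warning about immortal packets. Either guard the target registration with `IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_HL)` (and the match registration with the match symbol) so each legacy option still controls what is registered, or state the behaviour change in the commit message and carry the warning into the `NETFILTER_XT_HL` help text.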
From: egyszeregy@freemail.hu
To: fw@strlen.de, pablo@netfilter.org, lorenzo@kernel.org, daniel@iogearbox.net, leitao@debian.org, amiculas@cisco.com, kadlec@netfilter.org, davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: Benjamin Szőke
Subject: [PATCH 4/6] netfilter: x_tables: Merge xt_RATEEST.c to xt_rateest.c
Date: Tue, 7 Jan 2025 19:47:22 +0100
Message-ID: <20250107184724.56223-5-egyszeregy@freemail.hu>
X-Mailer: git-send-email 2.43.5
In-Reply-To: <20250107184724.56223-1-egyszeregy@freemail.hu>
References: <20250107184724.56223-1-egyszeregy@freemail.hu>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Benjamin Szőke

Merge xt_RATEEST.c to xt_rateest.c file and remove xt_RATEEST.c.

Signed-off-by: Benjamin Sz=C5=91ke --- net/netfilter/Kconfig | 19 +++ net/netfilter/Makefile | 3 +- net/netfilter/xt_RATEEST.c | 249 ------------------------------------ net/netfilter/xt_rateest.c | 253 +++++++++++++++++++++++++++++++++++-- 4 files changed, 263 insertions(+), 261 deletions(-) delete mode 100644 net/netfilter/xt_RATEEST.c diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index ca293f9a1db5..1aff3c7c4363 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -825,6 +825,16 @@ config NETFILTER_XT_HL The target allows you to change the hoplimit/time-to-live value of the IP header. =20 +config NETFILTER_XT_RATEEST + tristate '"RATEEST" target and match support' + depends on NETFILTER_ADVANCED + help + This option adds the "RATEEST" target and "rateest" match. + + Netfilter rateest matching allows you to match on the rate + estimated by the RATEEST target. + The target allows you to measure rates similar to TC estimators. + # alphabetically ordered list of targets =20 comment "Xtables targets" @@ -1062,11 +1072,16 @@ config NETFILTER_XT_TARGET_NOTRACK config NETFILTER_XT_TARGET_RATEEST tristate '"RATEEST" target support' depends on NETFILTER_ADVANCED + select NETFILTER_XT_RATEEST help This option adds a `RATEEST' target, which allows to measure rates similar to TC estimators. The `rateest' match can be used to match on the measured rates. =20 + This is a backwards-compat option for the user's convenience + (e.g. when running oldconfig). It selects + CONFIG_NETFILTER_XT_RATEEST (combined rateest/RATEEST module). + To compile it as a module, choose M here. If unsure, say N. =20 config NETFILTER_XT_TARGET_REDIRECT 
@@ -1576,6 +1591,10 @@ config NETFILTER_XT_MATCH_RATEEST This option adds a `rateest' match, which allows to match on the rate estimated by the RATEEST target. =20 + This is a backwards-compat option for the user's convenience + (e.g. when running oldconfig). It selects + CONFIG_NETFILTER_XT_RATEEST (combined rateest/RATEEST module). + To compile it as a module, choose M here. If unsure, say N. =20 config NETFILTER_XT_MATCH_REALM diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 381a18ce84d0..923112b0dc1e 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -162,6 +162,7 @@ obj-$(CONFIG_NETFILTER_XT_SET) +=3D xt_set.o obj-$(CONFIG_NETFILTER_XT_NAT) +=3D xt_nat.o obj-$(CONFIG_NETFILTER_XT_DSCP) +=3D xt_dscp.o obj-$(CONFIG_NETFILTER_XT_HL) +=3D xt_hl.o +obj-$(CONFIG_NETFILTER_XT_RATEEST) +=3D xt_rateest.o =20 # targets obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) +=3D xt_AUDIT.o @@ -175,7 +176,6 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_LOG) +=3D xt_LOG.o obj-$(CONFIG_NETFILTER_XT_TARGET_NETMAP) +=3D xt_NETMAP.o obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) +=3D xt_NFLOG.o obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) +=3D xt_NFQUEUE.o -obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) +=3D xt_RATEEST.o obj-$(CONFIG_NETFILTER_XT_TARGET_REDIRECT) +=3D xt_REDIRECT.o obj-$(CONFIG_NETFILTER_XT_TARGET_MASQUERADE) +=3D xt_MASQUERADE.o obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) +=3D xt_SECMARK.o @@ -218,7 +218,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) +=3D xt_physde= v.o obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) +=3D xt_pkttype.o obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) +=3D xt_policy.o obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) +=3D xt_quota.o -obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST) +=3D xt_rateest.o obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) +=3D xt_realm.o obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) +=3D xt_recent.o obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) +=3D xt_sctp.o 
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c deleted file mode 100644 index d56276b965fa..000000000000 --- a/net/netfilter/xt_RATEEST.c +++ /dev/null 
@@ -1,249 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* - * (C) 2007 Patrick McHardy - */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include - -#define RATEEST_HSIZE 16 - -struct xt_rateest_net { - /* To synchronize concurrent synchronous rate estimator operations. */ - struct mutex hash_lock; - struct hlist_head hash[RATEEST_HSIZE]; -}; - -static unsigned int xt_rateest_id; - -static unsigned int jhash_rnd __read_mostly; - -static unsigned int xt_rateest_hash(const char *name) -{ - return jhash(name, sizeof_field(struct xt_rateest, name), jhash_rnd) & - (RATEEST_HSIZE - 1); -} - -static void xt_rateest_hash_insert(struct xt_rateest_net *xn, - struct xt_rateest *est) -{ - unsigned int h; - - h =3D xt_rateest_hash(est->name); - hlist_add_head(&est->list, &xn->hash[h]); -} - -static struct xt_rateest *__xt_rateest_lookup(struct xt_rateest_net *xn, - const char *name) -{ - struct xt_rateest *est; - unsigned int h; - - h =3D xt_rateest_hash(name); - hlist_for_each_entry(est, &xn->hash[h], list) { - if (strcmp(est->name, name) =3D=3D 0) { - est->refcnt++; - return est; - } - } - - return NULL; -} - -struct xt_rateest *xt_rateest_lookup(struct net *net, const char *name) -{ - struct xt_rateest_net *xn =3D net_generic(net, xt_rateest_id); - struct xt_rateest *est; - - mutex_lock(&xn->hash_lock); - est =3D __xt_rateest_lookup(xn, name); - mutex_unlock(&xn->hash_lock); - return est; -} -EXPORT_SYMBOL_GPL(xt_rateest_lookup); - -void xt_rateest_put(struct net *net, struct xt_rateest *est) -{ - struct xt_rateest_net *xn =3D net_generic(net, xt_rateest_id); - - mutex_lock(&xn->hash_lock); - if (--est->refcnt =3D=3D 0) { - hlist_del(&est->list); - gen_kill_estimator(&est->rate_est); - /* - * gen_estimator est_timer() might access est->lock or bstats, - * wait a RCU grace period before freeing 'est' - */ - kfree_rcu(est, rcu); - } - mutex_unlock(&xn->hash_lock); -} 
-EXPORT_SYMBOL_GPL(xt_rateest_put); - -static unsigned int -xt_rateest_tg(struct sk_buff *skb, const struct xt_action_param *par) -{ - const struct xt_rateest_target_info *info =3D par->targinfo; - struct gnet_stats_basic_sync *stats =3D &info->est->bstats; - - spin_lock_bh(&info->est->lock); - u64_stats_add(&stats->bytes, skb->len); - u64_stats_inc(&stats->packets); - spin_unlock_bh(&info->est->lock); - - return XT_CONTINUE; -} - -static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) -{ - struct xt_rateest_net *xn =3D net_generic(par->net, xt_rateest_id); - struct xt_rateest_target_info *info =3D par->targinfo; - struct xt_rateest *est; - struct { - struct nlattr opt; - struct gnet_estimator est; - } cfg; - int ret; - - if (strnlen(info->name, sizeof(est->name)) >=3D sizeof(est->name)) - return -ENAMETOOLONG; - - net_get_random_once(&jhash_rnd, sizeof(jhash_rnd)); - - mutex_lock(&xn->hash_lock); - est =3D __xt_rateest_lookup(xn, info->name); - if (est) { - mutex_unlock(&xn->hash_lock); - /* - * If estimator parameters are specified, they must match the - * existing estimator. 
- */ - if ((!info->interval && !info->ewma_log) || - (info->interval !=3D est->params.interval || - info->ewma_log !=3D est->params.ewma_log)) { - xt_rateest_put(par->net, est); - return -EINVAL; - } - info->est =3D est; - return 0; - } - - ret =3D -ENOMEM; - est =3D kzalloc(sizeof(*est), GFP_KERNEL); - if (!est) - goto err1; - - gnet_stats_basic_sync_init(&est->bstats); - strscpy(est->name, info->name, sizeof(est->name)); - spin_lock_init(&est->lock); - est->refcnt =3D 1; - est->params.interval =3D info->interval; - est->params.ewma_log =3D info->ewma_log; - - cfg.opt.nla_len =3D nla_attr_size(sizeof(cfg.est)); - cfg.opt.nla_type =3D TCA_STATS_RATE_EST; - cfg.est.interval =3D info->interval; - cfg.est.ewma_log =3D info->ewma_log; - - ret =3D gen_new_estimator(&est->bstats, NULL, &est->rate_est, - &est->lock, NULL, &cfg.opt); - if (ret < 0) - goto err2; - - info->est =3D est; - xt_rateest_hash_insert(xn, est); - mutex_unlock(&xn->hash_lock); - return 0; - -err2: - kfree(est); -err1: - mutex_unlock(&xn->hash_lock); - return ret; -} - -static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par) -{ - struct xt_rateest_target_info *info =3D par->targinfo; - - xt_rateest_put(par->net, info->est); -} - -static struct xt_target xt_rateest_tg_reg[] __read_mostly =3D { - { - .name =3D "RATEEST", - .revision =3D 0, - .family =3D NFPROTO_IPV4, - .target =3D xt_rateest_tg, - .checkentry =3D xt_rateest_tg_checkentry, - .destroy =3D xt_rateest_tg_destroy, - .targetsize =3D sizeof(struct xt_rateest_target_info), - .usersize =3D offsetof(struct xt_rateest_target_info, est), - .me =3D THIS_MODULE, - }, -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) - { - .name =3D "RATEEST", - .revision =3D 0, - .family =3D NFPROTO_IPV6, - .target =3D xt_rateest_tg, - .checkentry =3D xt_rateest_tg_checkentry, - .destroy =3D xt_rateest_tg_destroy, - .targetsize =3D sizeof(struct xt_rateest_target_info), - .usersize =3D offsetof(struct xt_rateest_target_info, est), - .me =3D THIS_MODULE, - }, 
-#endif -}; - -static __net_init int xt_rateest_net_init(struct net *net) -{ - struct xt_rateest_net *xn =3D net_generic(net, xt_rateest_id); - int i; - - mutex_init(&xn->hash_lock); - for (i =3D 0; i < ARRAY_SIZE(xn->hash); i++) - INIT_HLIST_HEAD(&xn->hash[i]); - return 0; -} - -static struct pernet_operations xt_rateest_net_ops =3D { - .init =3D xt_rateest_net_init, - .id =3D &xt_rateest_id, - .size =3D sizeof(struct xt_rateest_net), -}; - -static int __init xt_rateest_tg_init(void) -{ - int err =3D register_pernet_subsys(&xt_rateest_net_ops); - - if (err) - return err; - return xt_register_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_re= g)); -} - -static void __exit xt_rateest_tg_fini(void) -{ - xt_unregister_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_reg)); - unregister_pernet_subsys(&xt_rateest_net_ops); -} - - -MODULE_AUTHOR("Patrick McHardy "); -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("Xtables: packet rate estimator"); -MODULE_ALIAS("ipt_RATEEST"); -MODULE_ALIAS("ip6t_RATEEST"); -module_init(xt_rateest_tg_init); -module_exit(xt_rateest_tg_fini); diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c index 72324bd976af..c0153b5b47a0 100644 --- a/net/netfilter/xt_rateest.c +++ b/net/netfilter/xt_rateest.c @@ -5,11 +5,28 @@ #include #include #include +#include +#include +#include +#include +#include +#include +#include =20 #include #include #include =20 +#define RATEEST_HSIZE 16 + +MODULE_AUTHOR("Patrick McHardy "); +MODULE_LICENSE("GPL"); +MODULE_DESCRIPTION("xtables packet rate estimator"); +MODULE_ALIAS("ipt_rateest"); +MODULE_ALIAS("ip6t_rateest"); +MODULE_ALIAS("ipt_RATEEST"); +MODULE_ALIAS("ip6t_RATEEST"); +MODULE_ALIAS("xt_RATEEST"); =20 static bool xt_rateest_mt(const struct sk_buff *skb, struct xt_action_param *par) 
@@ -134,20 +151,236 @@ static struct xt_match xt_rateest_mt_reg __read_most= ly =3D { .me =3D THIS_MODULE, }; =20 -static int __init xt_rateest_mt_init(void) +struct xt_rateest_net { + /* To synchronize concurrent synchronous rate estimator operations. */ + struct mutex hash_lock; + struct hlist_head hash[RATEEST_HSIZE]; +}; + +static unsigned int xt_rateest_id; + +static unsigned int jhash_rnd __read_mostly; + +static unsigned int xt_rateest_hash(const char *name) +{ + return jhash(name, sizeof_field(struct xt_rateest, name), jhash_rnd) & + (RATEEST_HSIZE - 1); +} + +static void xt_rateest_hash_insert(struct xt_rateest_net *xn, + struct xt_rateest *est) +{ + unsigned int h; + + h =3D xt_rateest_hash(est->name); + hlist_add_head(&est->list, &xn->hash[h]); +} + +static struct xt_rateest *__xt_rateest_lookup(struct xt_rateest_net *xn, + const char *name) { - return xt_register_match(&xt_rateest_mt_reg); + struct xt_rateest *est; + unsigned int h; + + h =3D xt_rateest_hash(name); + hlist_for_each_entry(est, &xn->hash[h], list) { + if (strcmp(est->name, name) =3D=3D 0) { + est->refcnt++; + return est; + } + } + + return NULL; } =20 -static void __exit xt_rateest_mt_fini(void) +struct xt_rateest *xt_rateest_lookup(struct net *net, const char *name) +{ + struct xt_rateest_net *xn =3D net_generic(net, xt_rateest_id); + struct xt_rateest *est; + + mutex_lock(&xn->hash_lock); + est =3D __xt_rateest_lookup(xn, name); + mutex_unlock(&xn->hash_lock); + return est; +} +EXPORT_SYMBOL_GPL(xt_rateest_lookup); + +void xt_rateest_put(struct net *net, struct xt_rateest *est) +{ + struct xt_rateest_net *xn =3D net_generic(net, xt_rateest_id); + + mutex_lock(&xn->hash_lock); + if (--est->refcnt =3D=3D 0) { + hlist_del(&est->list); + gen_kill_estimator(&est->rate_est); + /* + * gen_estimator est_timer() might access est->lock or bstats, + * wait a RCU grace period before freeing 'est' + */ + kfree_rcu(est, rcu); + } + mutex_unlock(&xn->hash_lock); +} +EXPORT_SYMBOL_GPL(xt_rateest_put); 
+ +static unsigned int +xt_rateest_tg(struct sk_buff *skb, const struct xt_action_param *par) +{ + const struct xt_rateest_target_info *info =3D par->targinfo; + struct gnet_stats_basic_sync *stats =3D &info->est->bstats; + + spin_lock_bh(&info->est->lock); + u64_stats_add(&stats->bytes, skb->len); + u64_stats_inc(&stats->packets); + spin_unlock_bh(&info->est->lock); + + return XT_CONTINUE; +} + +static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) +{ + struct xt_rateest_net *xn =3D net_generic(par->net, xt_rateest_id); + struct xt_rateest_target_info *info =3D par->targinfo; + struct xt_rateest *est; + struct { + struct nlattr opt; + struct gnet_estimator est; + } cfg; + int ret; + + if (strnlen(info->name, sizeof(est->name)) >=3D sizeof(est->name)) + return -ENAMETOOLONG; + + net_get_random_once(&jhash_rnd, sizeof(jhash_rnd)); + + mutex_lock(&xn->hash_lock); + est =3D __xt_rateest_lookup(xn, info->name); + if (est) { + mutex_unlock(&xn->hash_lock); + /* + * If estimator parameters are specified, they must match the + * existing estimator. 
+ */ + if ((!info->interval && !info->ewma_log) || + (info->interval !=3D est->params.interval || + info->ewma_log !=3D est->params.ewma_log)) { + xt_rateest_put(par->net, est); + return -EINVAL; + } + info->est =3D est; + return 0; + } + + ret =3D -ENOMEM; + est =3D kzalloc(sizeof(*est), GFP_KERNEL); + if (!est) + goto err1; + + gnet_stats_basic_sync_init(&est->bstats); + strscpy(est->name, info->name, sizeof(est->name)); + spin_lock_init(&est->lock); + est->refcnt =3D 1; + est->params.interval =3D info->interval; + est->params.ewma_log =3D info->ewma_log; + + cfg.opt.nla_len =3D nla_attr_size(sizeof(cfg.est)); + cfg.opt.nla_type =3D TCA_STATS_RATE_EST; + cfg.est.interval =3D info->interval; + cfg.est.ewma_log =3D info->ewma_log; + + ret =3D gen_new_estimator(&est->bstats, NULL, &est->rate_est, + &est->lock, NULL, &cfg.opt); + if (ret < 0) + goto err2; + + info->est =3D est; + xt_rateest_hash_insert(xn, est); + mutex_unlock(&xn->hash_lock); + return 0; + +err2: + kfree(est); +err1: + mutex_unlock(&xn->hash_lock); + return ret; +} + +static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par) +{ + struct xt_rateest_target_info *info =3D par->targinfo; + + xt_rateest_put(par->net, info->est); +} + +static struct xt_target xt_rateest_tg_reg[] __read_mostly =3D { + { + .name =3D "RATEEST", + .revision =3D 0, + .family =3D NFPROTO_IPV4, + .target =3D xt_rateest_tg, + .checkentry =3D xt_rateest_tg_checkentry, + .destroy =3D xt_rateest_tg_destroy, + .targetsize =3D sizeof(struct xt_rateest_target_info), + .usersize =3D offsetof(struct xt_rateest_target_info, est), + .me =3D THIS_MODULE, + }, +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) + { + .name =3D "RATEEST", + .revision =3D 0, + .family =3D NFPROTO_IPV6, + .target =3D xt_rateest_tg, + .checkentry =3D xt_rateest_tg_checkentry, + .destroy =3D xt_rateest_tg_destroy, + .targetsize =3D sizeof(struct xt_rateest_target_info), + .usersize =3D offsetof(struct xt_rateest_target_info, est), + .me =3D THIS_MODULE, + }, 
+#endif +}; + +static __net_init int xt_rateest_net_init(struct net *net) +{ + struct xt_rateest_net *xn =3D net_generic(net, xt_rateest_id); + int i; + + mutex_init(&xn->hash_lock); + for (i =3D 0; i < ARRAY_SIZE(xn->hash); i++) + INIT_HLIST_HEAD(&xn->hash[i]); + return 0; +} + +static struct pernet_operations xt_rateest_net_ops =3D { + .init =3D xt_rateest_net_init, + .id =3D &xt_rateest_id, + .size =3D sizeof(struct xt_rateest_net), +}; + +static int __init xt_rateest_init(void) +{ + int ret =3D register_pernet_subsys(&xt_rateest_net_ops); + + if (ret) + return ret; + + ret =3D xt_register_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_r= eg)); + if (ret < 0) + return ret; + ret =3D xt_register_match(&xt_rateest_mt_reg); + if (ret < 0) { + xt_unregister_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_reg)); + unregister_pernet_subsys(&xt_rateest_net_ops); + return ret; + } + return 0; +} + +static void __exit xt_rateest_exit(void) { xt_unregister_match(&xt_rateest_mt_reg); + xt_unregister_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_reg)); + unregister_pernet_subsys(&xt_rateest_net_ops); } =20 -MODULE_AUTHOR("Patrick McHardy "); -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("xtables rate estimator match"); -MODULE_ALIAS("ipt_rateest"); -MODULE_ALIAS("ip6t_rateest"); -module_init(xt_rateest_mt_init); -module_exit(xt_rateest_mt_fini); +module_init(xt_rateest_init); +module_exit(xt_rateest_exit); --=20 2.43.5 From nobody Mon Feb 9 15:15:03 2026 Received: from smtp-out.freemail.hu (fmfe34.freemail.hu [46.107.16.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6857E1F4282; Tue, 7 Jan 2025 18:48:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=46.107.16.239 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736275723; cv=none; 
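Review bot: The help text added to `NETFILTER_XT_MATCH_RATEEST` (Kconfig hunk at -1576) says the option selects `CONFIG_NETFILTER_XT_RATEEST`, but that hunk adds no `select NETFILTER_XT_RATEEST` line, unlike the `NETFILTER_XT_TARGET_RATEEST` hunk above it. The Makefile hunk at the same time drops `obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST) += xt_rateest.o`, so the match is only built if the new symbol ends up enabled. Add the `select` to the match entry, or, if it is reached indirectly through a select that sits outside the shown context, make the help text say that.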
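Review bot: In the new `xt_rateest_init()`, the `if (ret < 0) return ret;` after `xt_register_targets()` leaves the pernet subsystem registered by `register_pernet_subsys(&xt_rateest_net_ops)` in place when target registration fails; only the `xt_register_match()` failure path calls `unregister_pernet_subsys()`. Since the function is being rewritten anyway, unwind in reverse order on every failure, for example with `goto err_pernet` / `goto err_targets` labels, so a failed module load does not leave `xt_rateest_net_ops` registered with its `.init` callback pointing into module text that is about to go away.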
From: egyszeregy@freemail.hu
To: fw@strlen.de, pablo@netfilter.org, lorenzo@kernel.org, daniel@iogearbox.net, leitao@debian.org, amiculas@cisco.com, kadlec@netfilter.org, davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: Benjamin Szőke
Subject: [PATCH 5/6] netfilter: x_tables: Merge xt_TCPMSS.c to xt_tcpmss.c
Date: Tue, 7 Jan 2025 19:47:23 +0100
Message-ID: <20250107184724.56223-6-egyszeregy@freemail.hu>
X-Mailer: git-send-email 2.43.5
In-Reply-To: <20250107184724.56223-1-egyszeregy@freemail.hu>
References: <20250107184724.56223-1-egyszeregy@freemail.hu>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Benjamin Szőke

Merge xt_TCPMSS.c to xt_tcpmss.c file and remove xt_TCPMSS.c.

Signed-off-by: Benjamin Sz=C5=91ke --- net/netfilter/Kconfig | 22 +++ net/netfilter/Makefile | 3 +- net/netfilter/xt_TCPMSS.c | 347 ------------------------------------- net/netfilter/xt_tcpmss.c | 352 ++++++++++++++++++++++++++++++++++++-- 4 files changed, 362 insertions(+), 362 deletions(-) delete mode 100644 net/netfilter/xt_TCPMSS.c diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 1aff3c7c4363..34fbdfdbdde9 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -835,6 +835,18 @@ config NETFILTER_XT_RATEEST estimated by the RATEEST target. The target allows you to measure rates similar to TC estimators. =20 +config NETFILTER_XT_TCPMSS + tristate '"TCPMSS" target and match support' + depends on IPV6 || IPV6=3Dn + default m if NETFILTER_ADVANCED=3Dn + help + This option adds the "TCPMSS" target and "tcpmss" match. + + Netfilter tcpmss matching allows you to examine the MSS value of + TCP SYN packets, which control the maximum packet size for that connect= ion. + The target allows you to alter the MSS value of TCP SYN packets, + to control the maximum size for that connection. + # alphabetically ordered list of targets =20 comment "Xtables targets" @@ -1170,6 +1182,7 @@ config NETFILTER_XT_TARGET_TCPMSS tristate '"TCPMSS" target support' depends on IPV6 || IPV6=3Dn default m if NETFILTER_ADVANCED=3Dn + select NETFILTER_XT_TCPMSS help This option adds a `TCPMSS' target, which allows you to alter the MSS value of TCP SYN packets, to control the maximum size for that @@ -1191,6 +1204,10 @@ config NETFILTER_XT_TARGET_TCPMSS iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ -j TCPMSS --clamp-mss-to-pmtu =20 + This is a backwards-compat option for the user's convenience + (e.g. when running oldconfig). It selects + CONFIG_NETFILTER_XT_TCPMSS (combined tcpmss/TCPMSS module). + To compile it as a module, choose M here. If unsure, say N. =20 config NETFILTER_XT_TARGET_TCPOPTSTRIP 
@@ -1687,11 +1704,16 @@ config NETFILTER_XT_MATCH_STRING config NETFILTER_XT_MATCH_TCPMSS tristate '"tcpmss" match support' depends on NETFILTER_ADVANCED + select NETFILTER_XT_TCPMSS help This option adds a `tcpmss' match, which allows you to examine the MSS value of TCP SYN packets, which control the maximum packet size for that connection. =20 + This is a backwards-compat option for the user's convenience + (e.g. when running oldconfig). It selects + CONFIG_NETFILTER_XT_TCPMSS (combined tcpmss/TCPMSS module). + To compile it as a module, choose M here. If unsure, say N. =20 config NETFILTER_XT_MATCH_TIME diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 923112b0dc1e..df6bfa46e6ab 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -163,6 +163,7 @@ obj-$(CONFIG_NETFILTER_XT_NAT) +=3D xt_nat.o obj-$(CONFIG_NETFILTER_XT_DSCP) +=3D xt_dscp.o obj-$(CONFIG_NETFILTER_XT_HL) +=3D xt_hl.o obj-$(CONFIG_NETFILTER_XT_RATEEST) +=3D xt_rateest.o +obj-$(CONFIG_NETFILTER_XT_TCPMSS) +=3D xt_tcpmss.o =20 # targets obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) +=3D xt_AUDIT.o @@ -180,7 +181,6 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_REDIRECT) +=3D xt_REDI= RECT.o obj-$(CONFIG_NETFILTER_XT_TARGET_MASQUERADE) +=3D xt_MASQUERADE.o obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) +=3D xt_SECMARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) +=3D xt_TPROXY.o -obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) +=3D xt_TCPMSS.o obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) +=3D xt_TCPOPTSTRIP.o obj-$(CONFIG_NETFILTER_XT_TARGET_TEE) +=3D xt_TEE.o obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) +=3D xt_TRACE.o 
@@ -225,7 +225,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) +=3D xt_socket.o obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) +=3D xt_state.o obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) +=3D xt_statistic.o obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) +=3D xt_string.o -obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) +=3D xt_tcpmss.o obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) +=3D xt_time.o obj-$(CONFIG_NETFILTER_XT_MATCH_U32) +=3D xt_u32.o =20 diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c deleted file mode 100644 index 9944ca1eb950..000000000000 --- a/net/netfilter/xt_TCPMSS.c +++ /dev/null 
@@ -1,347 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* - * This is a module which is used for setting the MSS option in TCP packet= s. - * - * Copyright (C) 2000 Marc Boucher - * Copyright (C) 2007 Patrick McHardy - */ -#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -MODULE_LICENSE("GPL"); -MODULE_AUTHOR("Marc Boucher "); -MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment"); -MODULE_ALIAS("ipt_TCPMSS"); -MODULE_ALIAS("ip6t_TCPMSS"); - -static inline unsigned int -optlen(const u8 *opt, unsigned int offset) -{ - /* Beware zero-length options: make finite progress */ - if (opt[offset] <=3D TCPOPT_NOP || opt[offset + 1] =3D=3D 0) - return 1; - else - return opt[offset + 1]; -} - -static u_int32_t tcpmss_reverse_mtu(struct net *net, - const struct sk_buff *skb, - unsigned int family) -{ - struct flowi fl; - struct rtable *rt =3D NULL; - u32 mtu =3D ~0U; - - if (family =3D=3D PF_INET) { - struct flowi4 *fl4 =3D &fl.u.ip4; - - memset(fl4, 0, sizeof(*fl4)); - fl4->daddr =3D ip_hdr(skb)->saddr; - } else { - struct flowi6 *fl6 =3D &fl.u.ip6; - - memset(fl6, 0, sizeof(*fl6)); - fl6->daddr =3D ipv6_hdr(skb)->saddr; - } - - nf_route(net, (struct dst_entry **)&rt, &fl, false, family); - if (rt) { - mtu =3D dst_mtu(&rt->dst); - dst_release(&rt->dst); - } - return mtu; -} - -static int -tcpmss_mangle_packet(struct sk_buff *skb, - const struct xt_action_param *par, - unsigned int family, - unsigned int tcphoff, - unsigned int minlen) -{ - const struct xt_tcpmss_info *info =3D par->targinfo; - struct tcphdr *tcph; - int len, tcp_hdrlen; - unsigned int i; - __be16 oldval; - u16 newmss; - u8 *opt; - - /* This is a fragment, no TCP header is available */ - if (par->fragoff !=3D 0) - return 0; - - if (skb_ensure_writable(skb, skb->len)) - return -1; - - len =3D skb->len - tcphoff; - if (len < 
(int)sizeof(struct tcphdr)) - return -1; - - tcph =3D (struct tcphdr *)(skb_network_header(skb) + tcphoff); - tcp_hdrlen =3D tcph->doff * 4; - - if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) - return -1; - - if (info->mss =3D=3D XT_TCPMSS_CLAMP_PMTU) { - struct net *net =3D xt_net(par); - unsigned int in_mtu =3D tcpmss_reverse_mtu(net, skb, family); - unsigned int min_mtu =3D min(dst_mtu(skb_dst(skb)), in_mtu); - - if (min_mtu <=3D minlen) { - net_err_ratelimited("unknown or invalid path-MTU (%u)\n", - min_mtu); - return -1; - } - newmss =3D min_mtu - minlen; - } else { - newmss =3D info->mss; - } - - opt =3D (u_int8_t *)tcph; - for (i =3D sizeof(struct tcphdr); i <=3D tcp_hdrlen - TCPOLEN_MSS; i +=3D= optlen(opt, i)) { - if (opt[i] =3D=3D TCPOPT_MSS && opt[i + 1] =3D=3D TCPOLEN_MSS) { - u16 oldmss; - - oldmss =3D (opt[i + 2] << 8) | opt[i + 3]; - - /* Never increase MSS, even when setting it, as - * doing so results in problems for hosts that rely - * on MSS being set correctly. - */ - if (oldmss <=3D newmss) - return 0; - - opt[i + 2] =3D (newmss & 0xff00) >> 8; - opt[i + 3] =3D newmss & 0x00ff; - - inet_proto_csum_replace2(&tcph->check, skb, - htons(oldmss), htons(newmss), - false); - return 0; - } - } - - /* There is data after the header so the option can't be added - * without moving it, and doing so may make the SYN packet - * itself too large. Accept the packet unmodified instead. - */ - if (len > tcp_hdrlen) - return 0; - - /* tcph->doff has 4 bits, do not wrap it to 0 */ - if (tcp_hdrlen >=3D 15 * 4) - return 0; - - /* - * MSS Option not found ?! add it.. - */ - if (skb_tailroom(skb) < TCPOLEN_MSS) { - if (pskb_expand_head(skb, 0, - TCPOLEN_MSS - skb_tailroom(skb), - GFP_ATOMIC)) - return -1; - tcph =3D (struct tcphdr *)(skb_network_header(skb) + tcphoff); - } - - skb_put(skb, TCPOLEN_MSS); - - /* - * IPv4: RFC 1122 states "If an MSS option is not received at - * connection setup, TCP MUST assume a default send MSS of 536". 
- * IPv6: RFC 2460 states IPv6 has a minimum MTU of 1280 and a minimum - * length IPv6 header of 60, ergo the default MSS value is 1220 - * Since no MSS was provided, we must use the default values - */ - if (xt_family(par) =3D=3D NFPROTO_IPV4) - newmss =3D min(newmss, (u16)536); - else - newmss =3D min(newmss, (u16)1220); - - opt =3D (u_int8_t *)tcph + sizeof(struct tcphdr); - memmove(opt + TCPOLEN_MSS, opt, len - sizeof(struct tcphdr)); - - inet_proto_csum_replace2(&tcph->check, skb, - htons(len), htons(len + TCPOLEN_MSS), true); - opt[0] =3D TCPOPT_MSS; - opt[1] =3D TCPOLEN_MSS; - opt[2] =3D (newmss & 0xff00) >> 8; - opt[3] =3D newmss & 0x00ff; - - inet_proto_csum_replace4(&tcph->check, skb, 0, *((__be32 *)opt), false); - - oldval =3D ((__be16 *)tcph)[6]; - tcph->doff +=3D TCPOLEN_MSS / 4; - inet_proto_csum_replace2(&tcph->check, skb, - oldval, ((__be16 *)tcph)[6], false); - return TCPOLEN_MSS; -} - -static unsigned int -tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par) -{ - struct iphdr *iph =3D ip_hdr(skb); - __be16 newlen; - int ret; - - ret =3D tcpmss_mangle_packet(skb, par, - PF_INET, - iph->ihl * 4, - sizeof(*iph) + sizeof(struct tcphdr)); - if (ret < 0) - return NF_DROP; - if (ret > 0) { - iph =3D ip_hdr(skb); - newlen =3D htons(ntohs(iph->tot_len) + ret); - csum_replace2(&iph->check, iph->tot_len, newlen); - iph->tot_len =3D newlen; - } - return XT_CONTINUE; -} - -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) -static unsigned int -tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par) -{ - struct ipv6hdr *ipv6h =3D ipv6_hdr(skb); - u8 nexthdr; - __be16 frag_off, oldlen, newlen; - int tcphoff; - int ret; - - nexthdr =3D ipv6h->nexthdr; - tcphoff =3D ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off); - if (tcphoff < 0) - return NF_DROP; - ret =3D tcpmss_mangle_packet(skb, par, - PF_INET6, - tcphoff, - sizeof(*ipv6h) + sizeof(struct tcphdr)); - if (ret < 0) - return NF_DROP; - if (ret > 0) { - ipv6h =3D ipv6_hdr(skb); - oldlen 
=3D ipv6h->payload_len; - newlen =3D htons(ntohs(oldlen) + ret); - if (skb->ip_summed =3D=3D CHECKSUM_COMPLETE) - skb->csum =3D csum_add(csum_sub(skb->csum, (__force __wsum)oldlen), - (__force __wsum)newlen); - ipv6h->payload_len =3D newlen; - } - return XT_CONTINUE; -} -#endif - -/* Must specify -p tcp --syn */ -static inline bool find_syn_match(const struct xt_entry_match *m) -{ - const struct xt_tcp *tcpinfo =3D (const struct xt_tcp *)m->data; - - if (strcmp(m->u.kernel.match->name, "tcp") =3D=3D 0 && - tcpinfo->flg_cmp & TCPHDR_SYN && - !(tcpinfo->invflags & XT_TCP_INV_FLAGS)) - return true; - - return false; -} - -static int tcpmss_tg4_check(const struct xt_tgchk_param *par) -{ - const struct xt_tcpmss_info *info =3D par->targinfo; - const struct ipt_entry *e =3D par->entryinfo; - const struct xt_entry_match *ematch; - - if (info->mss =3D=3D XT_TCPMSS_CLAMP_PMTU && - (par->hook_mask & ~((1 << NF_INET_FORWARD) | - (1 << NF_INET_LOCAL_OUT) | - (1 << NF_INET_POST_ROUTING))) !=3D 0) { - pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT= and POSTROUTING hooks\n"); - return -EINVAL; - } - if (par->nft_compat) - return 0; - - xt_ematch_foreach(ematch, e) - if (find_syn_match(ematch)) - return 0; - pr_info_ratelimited("Only works on TCP SYN packets\n"); - return -EINVAL; -} - -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) -static int tcpmss_tg6_check(const struct xt_tgchk_param *par) -{ - const struct xt_tcpmss_info *info =3D par->targinfo; - const struct ip6t_entry *e =3D par->entryinfo; - const struct xt_entry_match *ematch; - - if (info->mss =3D=3D XT_TCPMSS_CLAMP_PMTU && - (par->hook_mask & ~((1 << NF_INET_FORWARD) | - (1 << NF_INET_LOCAL_OUT) | - (1 << NF_INET_POST_ROUTING))) !=3D 0) { - pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT= and POSTROUTING hooks\n"); - return -EINVAL; - } - if (par->nft_compat) - return 0; - - xt_ematch_foreach(ematch, e) - if (find_syn_match(ematch)) - return 0; - pr_info_ratelimited("Only 
works on TCP SYN packets\n"); - return -EINVAL; -} -#endif - -static struct xt_target tcpmss_tg_reg[] __read_mostly =3D { - { - .family =3D NFPROTO_IPV4, - .name =3D "TCPMSS", - .checkentry =3D tcpmss_tg4_check, - .target =3D tcpmss_tg4, - .targetsize =3D sizeof(struct xt_tcpmss_info), - .proto =3D IPPROTO_TCP, - .me =3D THIS_MODULE, - }, -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) - { - .family =3D NFPROTO_IPV6, - .name =3D "TCPMSS", - .checkentry =3D tcpmss_tg6_check, - .target =3D tcpmss_tg6, - .targetsize =3D sizeof(struct xt_tcpmss_info), - .proto =3D IPPROTO_TCP, - .me =3D THIS_MODULE, - }, -#endif -}; - -static int __init tcpmss_tg_init(void) -{ - return xt_register_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg)); -} - -static void __exit tcpmss_tg_exit(void) -{ - xt_unregister_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg)); -} - -module_init(tcpmss_tg_init); -module_exit(tcpmss_tg_exit); diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c index 37704ab01799..9cf627e96226 100644 --- a/net/netfilter/xt_tcpmss.c +++ b/net/netfilter/xt_tcpmss.c 
@@ -1,25 +1,37 @@ // SPDX-License-Identifier: GPL-2.0-only -/* Kernel module to match TCP MSS values. */ - -/* Copyright (C) 2000 Marc Boucher +/* Kernel module for matching/modifying TCP MSS values/packets. + * + * Copyright (C) 2000 Marc Boucher * Portions (C) 2005 by Harald Welte + * Copyright (C) 2007 Patrick McHardy */ - +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #include #include +#include +#include +#include +#include +#include +#include +#include +#include #include =20 -#include -#include - #include #include +#include +#include +#include =20 MODULE_LICENSE("GPL"); MODULE_AUTHOR("Marc Boucher "); -MODULE_DESCRIPTION("Xtables: TCP MSS match"); +MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment and= match"); MODULE_ALIAS("ipt_tcpmss"); MODULE_ALIAS("ip6t_tcpmss"); +MODULE_ALIAS("ipt_TCPMSS"); +MODULE_ALIAS("ip6t_TCPMSS"); +MODULE_ALIAS("xt_TCPMSS"); =20 static bool tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par) 
@@ -93,15 +105,329 @@ static struct xt_match tcpmss_mt_reg[] __read_mostly = =3D { }, }; =20 -static int __init tcpmss_mt_init(void) +static inline unsigned int +optlen(const u8 *opt, unsigned int offset) +{ + /* Beware zero-length options: make finite progress */ + if (opt[offset] <=3D TCPOPT_NOP || opt[offset + 1] =3D=3D 0) + return 1; + else + return opt[offset + 1]; +} + +static u_int32_t tcpmss_reverse_mtu(struct net *net, + const struct sk_buff *skb, + unsigned int family) +{ + struct flowi fl; + struct rtable *rt =3D NULL; + u32 mtu =3D ~0U; + + if (family =3D=3D PF_INET) { + struct flowi4 *fl4 =3D &fl.u.ip4; + + memset(fl4, 0, sizeof(*fl4)); + fl4->daddr =3D ip_hdr(skb)->saddr; + } else { + struct flowi6 *fl6 =3D &fl.u.ip6; + + memset(fl6, 0, sizeof(*fl6)); + fl6->daddr =3D ipv6_hdr(skb)->saddr; + } + + nf_route(net, (struct dst_entry **)&rt, &fl, false, family); + if (rt) { + mtu =3D dst_mtu(&rt->dst); + dst_release(&rt->dst); + } + return mtu; +} + +static int +tcpmss_mangle_packet(struct sk_buff *skb, + const struct xt_action_param *par, + unsigned int family, + unsigned int tcphoff, + unsigned int minlen) +{ + const struct xt_tcpmss_info *info =3D par->targinfo; + struct tcphdr *tcph; + int len, tcp_hdrlen; + unsigned int i; + __be16 oldval; + u16 newmss; + u8 *opt; + + /* This is a fragment, no TCP header is available */ + if (par->fragoff !=3D 0) + return 0; + + if (skb_ensure_writable(skb, skb->len)) + return -1; + + len =3D skb->len - tcphoff; + if (len < (int)sizeof(struct tcphdr)) + return -1; + + tcph =3D (struct tcphdr *)(skb_network_header(skb) + tcphoff); + tcp_hdrlen =3D tcph->doff * 4; + + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) + return -1; + + if (info->mss =3D=3D XT_TCPMSS_CLAMP_PMTU) { + struct net *net =3D xt_net(par); + unsigned int in_mtu =3D tcpmss_reverse_mtu(net, skb, family); + unsigned int min_mtu =3D min(dst_mtu(skb_dst(skb)), in_mtu); + + if (min_mtu <=3D minlen) { + net_err_ratelimited("unknown or invalid 
path-MTU (%u)\n", + min_mtu); + return -1; + } + newmss =3D min_mtu - minlen; + } else { + newmss =3D info->mss; + } + + opt =3D (u_int8_t *)tcph; + for (i =3D sizeof(struct tcphdr); i <=3D tcp_hdrlen - TCPOLEN_MSS; i +=3D= optlen(opt, i)) { + if (opt[i] =3D=3D TCPOPT_MSS && opt[i + 1] =3D=3D TCPOLEN_MSS) { + u16 oldmss; + + oldmss =3D (opt[i + 2] << 8) | opt[i + 3]; + + /* Never increase MSS, even when setting it, as + * doing so results in problems for hosts that rely + * on MSS being set correctly. + */ + if (oldmss <=3D newmss) + return 0; + + opt[i + 2] =3D (newmss & 0xff00) >> 8; + opt[i + 3] =3D newmss & 0x00ff; + + inet_proto_csum_replace2(&tcph->check, skb, + htons(oldmss), htons(newmss), + false); + return 0; + } + } + + /* There is data after the header so the option can't be added + * without moving it, and doing so may make the SYN packet + * itself too large. Accept the packet unmodified instead. + */ + if (len > tcp_hdrlen) + return 0; + + /* tcph->doff has 4 bits, do not wrap it to 0 */ + if (tcp_hdrlen >=3D 15 * 4) + return 0; + + /* + * MSS Option not found ?! add it.. + */ + if (skb_tailroom(skb) < TCPOLEN_MSS) { + if (pskb_expand_head(skb, 0, + TCPOLEN_MSS - skb_tailroom(skb), + GFP_ATOMIC)) + return -1; + tcph =3D (struct tcphdr *)(skb_network_header(skb) + tcphoff); + } + + skb_put(skb, TCPOLEN_MSS); + + /* + * IPv4: RFC 1122 states "If an MSS option is not received at + * connection setup, TCP MUST assume a default send MSS of 536". 
+ * IPv6: RFC 2460 states IPv6 has a minimum MTU of 1280 and a minimum + * length IPv6 header of 60, ergo the default MSS value is 1220 + * Since no MSS was provided, we must use the default values + */ + if (xt_family(par) =3D=3D NFPROTO_IPV4) + newmss =3D min(newmss, (u16)536); + else + newmss =3D min(newmss, (u16)1220); + + opt =3D (u_int8_t *)tcph + sizeof(struct tcphdr); + memmove(opt + TCPOLEN_MSS, opt, len - sizeof(struct tcphdr)); + + inet_proto_csum_replace2(&tcph->check, skb, + htons(len), htons(len + TCPOLEN_MSS), true); + opt[0] =3D TCPOPT_MSS; + opt[1] =3D TCPOLEN_MSS; + opt[2] =3D (newmss & 0xff00) >> 8; + opt[3] =3D newmss & 0x00ff; + + inet_proto_csum_replace4(&tcph->check, skb, 0, *((__be32 *)opt), false); + + oldval =3D ((__be16 *)tcph)[6]; + tcph->doff +=3D TCPOLEN_MSS / 4; + inet_proto_csum_replace2(&tcph->check, skb, + oldval, ((__be16 *)tcph)[6], false); + return TCPOLEN_MSS; +} + +static unsigned int +tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par) +{ + struct iphdr *iph =3D ip_hdr(skb); + __be16 newlen; + int ret; + + ret =3D tcpmss_mangle_packet(skb, par, + PF_INET, + iph->ihl * 4, + sizeof(*iph) + sizeof(struct tcphdr)); + if (ret < 0) + return NF_DROP; + if (ret > 0) { + iph =3D ip_hdr(skb); + newlen =3D htons(ntohs(iph->tot_len) + ret); + csum_replace2(&iph->check, iph->tot_len, newlen); + iph->tot_len =3D newlen; + } + return XT_CONTINUE; +} + +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) +static unsigned int +tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par) +{ + struct ipv6hdr *ipv6h =3D ipv6_hdr(skb); + u8 nexthdr; + __be16 frag_off, oldlen, newlen; + int tcphoff; + int ret; + + nexthdr =3D ipv6h->nexthdr; + tcphoff =3D ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off); + if (tcphoff < 0) + return NF_DROP; + ret =3D tcpmss_mangle_packet(skb, par, + PF_INET6, + tcphoff, + sizeof(*ipv6h) + sizeof(struct tcphdr)); + if (ret < 0) + return NF_DROP; + if (ret > 0) { + ipv6h =3D ipv6_hdr(skb); + oldlen 
=3D ipv6h->payload_len; + newlen =3D htons(ntohs(oldlen) + ret); + if (skb->ip_summed =3D=3D CHECKSUM_COMPLETE) + skb->csum =3D csum_add(csum_sub(skb->csum, (__force __wsum)oldlen), + (__force __wsum)newlen); + ipv6h->payload_len =3D newlen; + } + return XT_CONTINUE; +} +#endif + +/* Must specify -p tcp --syn */ +static inline bool find_syn_match(const struct xt_entry_match *m) +{ + const struct xt_tcp *tcpinfo =3D (const struct xt_tcp *)m->data; + + if (strcmp(m->u.kernel.match->name, "tcp") =3D=3D 0 && + tcpinfo->flg_cmp & TCPHDR_SYN && + !(tcpinfo->invflags & XT_TCP_INV_FLAGS)) + return true; + + return false; +} + +static int tcpmss_tg4_check(const struct xt_tgchk_param *par) +{ + const struct xt_tcpmss_info *info =3D par->targinfo; + const struct ipt_entry *e =3D par->entryinfo; + const struct xt_entry_match *ematch; + + if (info->mss =3D=3D XT_TCPMSS_CLAMP_PMTU && + (par->hook_mask & ~((1 << NF_INET_FORWARD) | + (1 << NF_INET_LOCAL_OUT) | + (1 << NF_INET_POST_ROUTING))) !=3D 0) { + pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT= and POSTROUTING hooks\n"); + return -EINVAL; + } + if (par->nft_compat) + return 0; + + xt_ematch_foreach(ematch, e) + if (find_syn_match(ematch)) + return 0; + pr_info_ratelimited("Only works on TCP SYN packets\n"); + return -EINVAL; +} + +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) +static int tcpmss_tg6_check(const struct xt_tgchk_param *par) +{ + const struct xt_tcpmss_info *info =3D par->targinfo; + const struct ip6t_entry *e =3D par->entryinfo; + const struct xt_entry_match *ematch; + + if (info->mss =3D=3D XT_TCPMSS_CLAMP_PMTU && + (par->hook_mask & ~((1 << NF_INET_FORWARD) | + (1 << NF_INET_LOCAL_OUT) | + (1 << NF_INET_POST_ROUTING))) !=3D 0) { + pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT= and POSTROUTING hooks\n"); + return -EINVAL; + } + if (par->nft_compat) + return 0; + + xt_ematch_foreach(ematch, e) + if (find_syn_match(ematch)) + return 0; + pr_info_ratelimited("Only 
works on TCP SYN packets\n"); + return -EINVAL; +} +#endif + +static struct xt_target tcpmss_tg_reg[] __read_mostly =3D { + { + .family =3D NFPROTO_IPV4, + .name =3D "TCPMSS", + .checkentry =3D tcpmss_tg4_check, + .target =3D tcpmss_tg4, + .targetsize =3D sizeof(struct xt_tcpmss_info), + .proto =3D IPPROTO_TCP, + .me =3D THIS_MODULE, + }, +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) + { + .family =3D NFPROTO_IPV6, + .name =3D "TCPMSS", + .checkentry =3D tcpmss_tg6_check, + .target =3D tcpmss_tg6, + .targetsize =3D sizeof(struct xt_tcpmss_info), + .proto =3D IPPROTO_TCP, + .me =3D THIS_MODULE, + }, +#endif +}; + +static int __init tcpmss_init(void) { - return xt_register_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg)); + int ret; + + ret =3D xt_register_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg)); + if (ret < 0) + return ret; + ret =3D xt_register_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg)); + if (ret < 0) { + xt_unregister_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg)); + return ret; + } + return 0; } =20 -static void __exit tcpmss_mt_exit(void) +static void __exit tcpmss_exit(void) { xt_unregister_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg)); + xt_unregister_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg)); } =20 -module_init(tcpmss_mt_init); -module_exit(tcpmss_mt_exit); +module_init(tcpmss_init); +module_exit(tcpmss_exit); --=20 2.43.5 From nobody Mon Feb 9 15:15:03 2026 Received: from smtp-out.freemail.hu (fmfe34.freemail.hu [46.107.16.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B4FB01F471C; Tue, 7 Jan 2025 18:48:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=46.107.16.239 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736275737; cv=none; 
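Review bot: In [PATCH 5/6], the NETFILTER_XT_MATCH_TCPMSS hunk of net/netfilter/Kconfig adds "select NETFILTER_XT_TCPMSS" to an option whose only dependency is NETFILTER_ADVANCED, while the new NETFILTER_XT_TCPMSS symbol carries "depends on IPV6 || IPV6=n". Kconfig's select forces the selected symbol on without evaluating its dependencies, so MATCH_TCPMSS=y together with IPV6=m would give a built-in xt_tcpmss.o and an unmet-dependency warning. Please add the same "depends on IPV6 || IPV6=n" line to NETFILTER_XT_MATCH_TCPMSS, as NETFILTER_XT_TARGET_TCPMSS already has it.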
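Review bot: In [PATCH 5/6], tcpmss_init() in the last net/netfilter/xt_tcpmss.c hunk registers tcpmss_tg_reg and tcpmss_mt_reg unconditionally, and both compat options select NETFILTER_XT_TCPMSS, so a kernel that previously enabled only CONFIG_NETFILTER_XT_MATCH_TCPMSS now also builds and registers the packet-mangling TCPMSS target. Please either state this in the commit message or keep the target code and its registration under IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TCPMSS), so that match-only configurations do not gain code that rewrites TCP options. Separately, the file-scope helper optlen() added here shares its name with the local variable in tcpmss_mt() ("unsigned int i, optlen;"); a prefixed name such as tcpmss_optlen() would avoid the clash.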
From: egyszeregy@freemail.hu
To: fw@strlen.de, pablo@netfilter.org, lorenzo@kernel.org, daniel@iogearbox.net, leitao@debian.org, amiculas@cisco.com, kadlec@netfilter.org, davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: Benjamin Szőke
Subject: [PATCH 6/6] netfilter: x_tables: Adjust code style of xt_*.c files.
Date: Tue, 7 Jan 2025 19:47:24 +0100
Message-ID: <20250107184724.56223-7-egyszeregy@freemail.hu>
X-Mailer: git-send-email 2.43.5
In-Reply-To: <20250107184724.56223-1-egyszeregy@freemail.hu>
References: <20250107184724.56223-1-egyszeregy@freemail.hu>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Benjamin Szőke

- Change to use u8, u16 and u32 types.
- Fix format of #define macros

Signed-off-by: Benjamin Szőke
--- net/netfilter/xt_dscp.c | 6 +++--- net/netfilter/xt_rateest.c | 4 ++-- net/netfilter/xt_tcpmss.c | 10 ++++------ 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c index bdd67b0458ab..2d09a66c131e 100644
--- a/net/netfilter/xt_dscp.c +++ b/net/netfilter/xt_dscp.c @@ -29,13 +29,13 @@ MODULE_ALIAS("ipt_TOS"); MODULE_ALIAS("ip6t_TOS"); MODULE_ALIAS("xt_DSCP"); =20 -#define XT_DSCP_ECN_MASK 3u +#define XT_DSCP_ECN_MASK (3u) =20 static bool dscp_mt(const struct sk_buff *skb, struct xt_action_param *par) { const struct xt_dscp_info *info =3D par->matchinfo; - u_int8_t dscp =3D ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; + u8 dscp =3D ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; =20 return (dscp =3D=3D info->dscp) ^ !!info->invert; } @@ -44,7 +44,7 @@ static bool dscp_mt6(const struct sk_buff *skb, struct xt_action_param *par) { const struct xt_dscp_info *info =3D par->matchinfo; - u_int8_t dscp =3D ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; + u8 dscp =3D ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; =20 return (dscp =3D=3D info->dscp) ^ !!info->invert; } diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c index c0153b5b47a0..b31458079c3e 100644 --- a/net/netfilter/xt_rateest.c +++ b/net/netfilter/xt_rateest.c @@ -17,7 +17,7 @@ #include #include =20 -#define RATEEST_HSIZE 16 +#define RATEEST_HSIZE (16) =20 MODULE_AUTHOR("Patrick McHardy "); MODULE_LICENSE("GPL"); @@ -33,7 +33,7 @@ xt_rateest_mt(const struct sk_buff *skb, struct xt_action= _param *par) { const struct xt_rateest_match_info *info =3D par->matchinfo; struct gnet_stats_rate_est64 sample =3D {0}; - u_int32_t bps1, bps2, pps1, pps2; + u32 bps1, bps2, pps1, pps2; bool ret =3D true; =20 gen_estimator_read(&info->est1->rate_est, &sample); diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c index 9cf627e96226..b0312a085d9e 100644 --- a/net/netfilter/xt_tcpmss.c +++ b/net/netfilter/xt_tcpmss.c 
@@ -40,7 +40,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_par= am *par) const struct tcphdr *th; struct tcphdr _tcph; /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ - const u_int8_t *op; + const u8 *op; u8 _opt[15 * 4 - sizeof(_tcph)]; unsigned int i, optlen; =20 @@ -115,9 +115,7 @@ optlen(const u8 *opt, unsigned int offset) return opt[offset + 1]; } =20 -static u_int32_t tcpmss_reverse_mtu(struct net *net, - const struct sk_buff *skb, - unsigned int family) +static u32 tcpmss_reverse_mtu(struct net *net, const struct sk_buff *skb, = unsigned int family) { struct flowi fl; struct rtable *rt =3D NULL; @@ -190,7 +188,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, newmss =3D info->mss; } =20 - opt =3D (u_int8_t *)tcph; + opt =3D (u8 *)tcph; for (i =3D sizeof(struct tcphdr); i <=3D tcp_hdrlen - TCPOLEN_MSS; i +=3D= optlen(opt, i)) { if (opt[i] =3D=3D TCPOPT_MSS && opt[i + 1] =3D=3D TCPOLEN_MSS) { u16 oldmss; @@ -250,7 +248,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, else newmss =3D min(newmss, (u16)1220); =20 - opt =3D (u_int8_t *)tcph + sizeof(struct tcphdr); + opt =3D (u8 *)tcph + sizeof(struct tcphdr); memmove(opt + TCPOLEN_MSS, opt, len - sizeof(struct tcphdr)); =20 inet_proto_csum_replace2(&tcph->check, skb, --=20 2.43.5
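Review bot: In [PATCH 6/6], the first net/netfilter/xt_dscp.c hunk wraps a bare literal in parentheses ("#define XT_DSCP_ECN_MASK (3u)"), and the xt_rateest.c hunk does the same for RATEEST_HSIZE. Parentheses protect macro bodies that are expressions; a single constant cannot be mis-parsed at its expansion site, so these two changes add noise to git blame without fixing anything. Please drop them and keep only the u_int8_t/u_int32_t to u8/u32 conversions.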
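Review bot: In [PATCH 6/6], the net/netfilter/xt_tcpmss.c hunk at "@@ -115,9 +115,7 @@" joins the tcpmss_reverse_mtu() prototype onto one line that runs well past 80 columns, which is the opposite of a style cleanup for this subsystem. Please change only the return type to u32 and leave the three-line parameter wrapping as it was. The u_int8_t and u_int32_t leftovers touched in this file were moved verbatim from xt_TCPMSS.c by 5/6, and 1/6 already states it converts that file to u8/u16/u32, so these conversions would fit better in 1/6, before the move.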