Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
xt_TCPOPTSTRIP.c
Go to the documentation of this file.
1 /*
2  * A module for stripping a specific TCP option from TCP packets.
3  *
4  * Copyright (C) 2007 Sven Schnelle <[email protected]>
5  * Copyright © CC Computer Consultants GmbH, 2007
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10  */
11 
12 #include <linux/module.h>
13 #include <linux/skbuff.h>
14 #include <linux/ip.h>
15 #include <linux/ipv6.h>
16 #include <linux/tcp.h>
17 #include <net/ipv6.h>
18 #include <net/tcp.h>
19 #include <linux/netfilter/x_tables.h>
20 #include <linux/netfilter/xt_TCPOPTSTRIP.h>
21 
22 static inline unsigned int optlen(const u_int8_t *opt, unsigned int offset)
23 {
24  /* Beware zero-length options: make finite progress */
25  if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
26  return 1;
27  else
28  return opt[offset+1];
29 }
30 
31 static unsigned int
32 tcpoptstrip_mangle_packet(struct sk_buff *skb,
33  const struct xt_tcpoptstrip_target_info *info,
34  unsigned int tcphoff, unsigned int minlen)
35 {
36  unsigned int optl, i, j;
37  struct tcphdr *tcph;
38  u_int16_t n, o;
39  u_int8_t *opt;
40 
41  if (!skb_make_writable(skb, skb->len))
42  return NF_DROP;
43 
44  tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
45  opt = (u_int8_t *)tcph;
46 
47  /*
48  * Walk through all TCP options - if we find some option to remove,
49  * set all octets to %TCPOPT_NOP and adjust checksum.
50  */
51  for (i = sizeof(struct tcphdr); i < tcp_hdrlen(skb); i += optl) {
52  optl = optlen(opt, i);
53 
54  if (i + optl > tcp_hdrlen(skb))
55  break;
56 
57  if (!tcpoptstrip_test_bit(info->strip_bmap, opt[i]))
58  continue;
59 
60  for (j = 0; j < optl; ++j) {
61  o = opt[i+j];
62  n = TCPOPT_NOP;
63  if ((i + j) % 2 == 0) {
64  o <<= 8;
65  n <<= 8;
66  }
67  inet_proto_csum_replace2(&tcph->check, skb, htons(o),
68  htons(n), 0);
69  }
70  memset(opt + i, TCPOPT_NOP, optl);
71  }
72 
73  return XT_CONTINUE;
74 }
75 
76 static unsigned int
77 tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
78 {
79  return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
80  sizeof(struct iphdr) + sizeof(struct tcphdr));
81 }
82 
83 #if IS_ENABLED(CONFIG_IP6_NF_MANGLE)
84 static unsigned int
85 tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
86 {
87  struct ipv6hdr *ipv6h = ipv6_hdr(skb);
88  int tcphoff;
89  u_int8_t nexthdr;
90  __be16 frag_off;
91 
92  nexthdr = ipv6h->nexthdr;
93  tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off);
94  if (tcphoff < 0)
95  return NF_DROP;
96 
97  return tcpoptstrip_mangle_packet(skb, par->targinfo, tcphoff,
98  sizeof(*ipv6h) + sizeof(struct tcphdr));
99 }
100 #endif
101 
102 static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
103  {
104  .name = "TCPOPTSTRIP",
105  .family = NFPROTO_IPV4,
106  .table = "mangle",
107  .proto = IPPROTO_TCP,
108  .target = tcpoptstrip_tg4,
109  .targetsize = sizeof(struct xt_tcpoptstrip_target_info),
110  .me = THIS_MODULE,
111  },
112 #if IS_ENABLED(CONFIG_IP6_NF_MANGLE)
113  {
114  .name = "TCPOPTSTRIP",
115  .family = NFPROTO_IPV6,
116  .table = "mangle",
117  .proto = IPPROTO_TCP,
118  .target = tcpoptstrip_tg6,
119  .targetsize = sizeof(struct xt_tcpoptstrip_target_info),
120  .me = THIS_MODULE,
121  },
122 #endif
123 };
124 
125 static int __init tcpoptstrip_tg_init(void)
126 {
127  return xt_register_targets(tcpoptstrip_tg_reg,
128  ARRAY_SIZE(tcpoptstrip_tg_reg));
129 }
130 
131 static void __exit tcpoptstrip_tg_exit(void)
132 {
133  xt_unregister_targets(tcpoptstrip_tg_reg,
134  ARRAY_SIZE(tcpoptstrip_tg_reg));
135 }
136 
137 module_init(tcpoptstrip_tg_init);
138 module_exit(tcpoptstrip_tg_exit);
139 MODULE_AUTHOR("Sven Schnelle <[email protected]>, Jan Engelhardt <[email protected]>");
140 MODULE_DESCRIPTION("Xtables: TCP option stripping");
141 MODULE_LICENSE("GPL");
142 MODULE_ALIAS("ipt_TCPOPTSTRIP");
143 MODULE_ALIAS("ip6t_TCPOPTSTRIP");
Generated on Thu Jan 10 2013 15:01:00 for Linux Kernel by   doxygen 1.8.2