[NETFILTER]: x_tables: replace IPv4 dscp match by address family independent version

This replaces IPv4 dscp match by address family independent version. This also - utilizes dsfield.h to get the DS field in IPv4/IPv6 header, and - checks for the DSCP value from user space. - fixes Kconfig help text. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> 2006-08-22 03:29:37 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-22 17:55:21 -0400
commit: 9ba1627617d396135a4d679542a3623d5819e628 (patch)
tree: 4a0a72bca0e4a6ad91ae89b572ac58a074ba4eab /net/netfilter
parent: 131852176c1f5b4350b4af811d1836db387d0c61 (diff)
3 files changed, 125 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index a9894ddfd72a..f781405f5d65 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -263,6 +263,17 @@ config NETFILTER_XT_MATCH_DCCP
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.
+config NETFILTER_XT_MATCH_DSCP
+        tristate '"DSCP" match support'
+        depends on NETFILTER_XTABLES
+        help
+          This option adds a `DSCP' match, which allows you to match against
+          the IPv4/IPv6 header DSCP field (differentiated services codepoint).
+          The DSCP field can have any value between 0x0 and 0x3f inclusive.
+          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_MATCH_ESP
        tristate '"ESP" match support'
        depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 6fa4b7580458..0b8a70c1df46 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -37,6 +37,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
new file mode 100644
index 000000000000..82e250d1f007
--- /dev/null
+++ b/net/netfilter/xt_dscp.c
@@ -0,0 +1,113 @@
+/* IP tables module for matching the value of the IPv4/IPv6 DSCP field
+ *
+ * xt_dscp.c,v 1.3 2002/08/05 19:00:21 laforge Exp
+ *
+ * (C) 2002 by Harald Welte <laforge@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <net/dsfield.h>
+#include <linux/netfilter/xt_dscp.h>
+#include <linux/netfilter/x_tables.h>
+MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
+MODULE_DESCRIPTION("x_tables DSCP matching module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_dscp");
+MODULE_ALIAS("ip6t_dscp");
+static int match(const struct sk_buff *skb,
+                 const struct net_device *in,
+                 const struct net_device *out,
+                 const struct xt_match *match,
+                 const void *matchinfo,
+                 int offset,
+                 unsigned int protoff,
+                 int *hotdrop)
+{
+        const struct xt_dscp_info *info = matchinfo;
+        u_int8_t dscp = ipv4_get_dsfield(skb->nh.iph) >> XT_DSCP_SHIFT;
+        return (dscp == info->dscp) ^ !!info->invert;
+}
+static int match6(const struct sk_buff *skb,
+                  const struct net_device *in,
+                  const struct net_device *out,
+                  const struct xt_match *match,
+                  const void *matchinfo,
+                  int offset,
+                  unsigned int protoff,
+                  int *hotdrop)
+{
+        const struct xt_dscp_info *info = matchinfo;
+        u_int8_t dscp = ipv6_get_dsfield(skb->nh.ipv6h) >> XT_DSCP_SHIFT;
+        return (dscp == info->dscp) ^ !!info->invert;
+}
+static int checkentry(const char *tablename,
+                      const void *info,
+                      const struct xt_match *match,
+                      void *matchinfo,
+                      unsigned int matchsize,
+                      unsigned int hook_mask)
+{
+        const u_int8_t dscp = ((struct xt_dscp_info *)matchinfo)->dscp;
+        if (dscp > XT_DSCP_MAX) {
+                printk(KERN_ERR "xt_dscp: dscp %x out of range\n", dscp);
+                return 0;
+        }
+        return 1;
+}
+static struct xt_match dscp_match = {
+        .name           = "dscp",
+        .match          = match,
+        .checkentry     = checkentry,
+        .matchsize      = sizeof(struct xt_dscp_info),
+        .family         = AF_INET,
+        .me             = THIS_MODULE,
+};
+static struct xt_match dscp6_match = {
+        .name           = "dscp",
+        .match          = match6,
+        .checkentry     = checkentry,
+        .matchsize      = sizeof(struct xt_dscp_info),
+        .family         = AF_INET6,
+        .me             = THIS_MODULE,
+};
+static int __init xt_dscp_match_init(void)
+{
+        int ret;
+        ret = xt_register_match(&dscp_match);
+        if (ret)
+                return ret;
+        ret = xt_register_match(&dscp6_match);
+        if (ret)
+                xt_unregister_match(&dscp_match);
+        return ret;
+}
+static void __exit xt_dscp_match_fini(void)
+{
+        xt_unregister_match(&dscp_match);
+        xt_unregister_match(&dscp6_match);
+}
+module_init(xt_dscp_match_init);
+module_exit(xt_dscp_match_fini);
author	Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>	2006-08-22 03:29:37 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-09-22 17:55:21 -0400
commit	9ba1627617d396135a4d679542a3623d5819e628 (patch)
tree	4a0a72bca0e4a6ad91ae89b572ac58a074ba4eab /net/netfilter
parent	131852176c1f5b4350b4af811d1836db387d0c61 (diff)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index a9894ddfd72a..f781405f5d65 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -263,6 +263,17 @@ config NETFILTER_XT_MATCH_DCCP
263	If you want to compile it as a module, say M here and read	263	If you want to compile it as a module, say M here and read
264	<file:Documentation/modules.txt>. If unsure, say `N'.	264	<file:Documentation/modules.txt>. If unsure, say `N'.
265		265
		266	config NETFILTER_XT_MATCH_DSCP
		267	tristate '"DSCP" match support'
		268	depends on NETFILTER_XTABLES
		269	help
		270	This option adds a `DSCP' match, which allows you to match against
		271	the IPv4/IPv6 header DSCP field (differentiated services codepoint).
		272
		273	The DSCP field can have any value between 0x0 and 0x3f inclusive.
		274
		275	To compile it as a module, choose M here. If unsure, say N.
		276
266	config NETFILTER_XT_MATCH_ESP	277	config NETFILTER_XT_MATCH_ESP
267	tristate '"ESP" match support'	278	tristate '"ESP" match support'
268	depends on NETFILTER_XTABLES	279	depends on NETFILTER_XTABLES


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 6fa4b7580458..0b8a70c1df46 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -37,6 +37,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
37	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o	37	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o
38	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o	38	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
39	obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o	39	obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
		40	obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
40	obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o	41	obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
41	obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o	42	obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
42	obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o	43	obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o


diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c new file mode 100644 index 000000000000..82e250d1f007 --- /dev/null +++ b/net/netfilter/xt_dscp.c
@@ -0,0 +1,113 @@
		1	/* IP tables module for matching the value of the IPv4/IPv6 DSCP field
		2	*
		3	* xt_dscp.c,v 1.3 2002/08/05 19:00:21 laforge Exp
		4	*
		5	* (C) 2002 by Harald Welte <laforge@netfilter.org>
		6	*
		7	* This program is free software; you can redistribute it and/or modify
		8	* it under the terms of the GNU General Public License version 2 as
		9	* published by the Free Software Foundation.
		10	*/
		11
		12	#include <linux/module.h>
		13	#include <linux/skbuff.h>
		14	#include <linux/ip.h>
		15	#include <linux/ipv6.h>
		16	#include <net/dsfield.h>
		17
		18	#include <linux/netfilter/xt_dscp.h>
		19	#include <linux/netfilter/x_tables.h>
		20
		21	MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
		22	MODULE_DESCRIPTION("x_tables DSCP matching module");
		23	MODULE_LICENSE("GPL");
		24	MODULE_ALIAS("ipt_dscp");
		25	MODULE_ALIAS("ip6t_dscp");
		26
		27	static int match(const struct sk_buff *skb,
		28	const struct net_device *in,
		29	const struct net_device *out,
		30	const struct xt_match *match,
		31	const void *matchinfo,
		32	int offset,
		33	unsigned int protoff,
		34	int *hotdrop)
		35	{
		36	const struct xt_dscp_info *info = matchinfo;
		37	u_int8_t dscp = ipv4_get_dsfield(skb->nh.iph) >> XT_DSCP_SHIFT;
		38
		39	return (dscp == info->dscp) ^ !!info->invert;
		40	}
		41
		42	static int match6(const struct sk_buff *skb,
		43	const struct net_device *in,
		44	const struct net_device *out,
		45	const struct xt_match *match,
		46	const void *matchinfo,
		47	int offset,
		48	unsigned int protoff,
		49	int *hotdrop)
		50	{
		51	const struct xt_dscp_info *info = matchinfo;
		52	u_int8_t dscp = ipv6_get_dsfield(skb->nh.ipv6h) >> XT_DSCP_SHIFT;
		53
		54	return (dscp == info->dscp) ^ !!info->invert;
		55	}
		56
		57	static int checkentry(const char *tablename,
		58	const void *info,
		59	const struct xt_match *match,
		60	void *matchinfo,
		61	unsigned int matchsize,
		62	unsigned int hook_mask)
		63	{
		64	const u_int8_t dscp = ((struct xt_dscp_info *)matchinfo)->dscp;
		65
		66	if (dscp > XT_DSCP_MAX) {
		67	printk(KERN_ERR "xt_dscp: dscp %x out of range\n", dscp);
		68	return 0;
		69	}
		70
		71	return 1;
		72	}
		73
		74	static struct xt_match dscp_match = {
		75	.name = "dscp",
		76	.match = match,
		77	.checkentry = checkentry,
		78	.matchsize = sizeof(struct xt_dscp_info),
		79	.family = AF_INET,
		80	.me = THIS_MODULE,
		81	};
		82
		83	static struct xt_match dscp6_match = {
		84	.name = "dscp",
		85	.match = match6,
		86	.checkentry = checkentry,
		87	.matchsize = sizeof(struct xt_dscp_info),
		88	.family = AF_INET6,
		89	.me = THIS_MODULE,
		90	};
		91
		92	static int __init xt_dscp_match_init(void)
		93	{
		94	int ret;
		95	ret = xt_register_match(&dscp_match);
		96	if (ret)
		97	return ret;
		98
		99	ret = xt_register_match(&dscp6_match);
		100	if (ret)
		101	xt_unregister_match(&dscp_match);
		102
		103	return ret;
		104	}
		105
		106	static void __exit xt_dscp_match_fini(void)
		107	{
		108	xt_unregister_match(&dscp_match);
		109	xt_unregister_match(&dscp6_match);
		110	}
		111
		112	module_init(xt_dscp_match_init);
		113	module_exit(xt_dscp_match_fini);