[NETFILTER]: Add new iptables TTL target

This new iptables target allows manipulation of the TTL of an IPv4 packet.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 134 insertions, 0 deletions

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index c4213f3de505..e046f5521814 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -664,6 +664,20 @@ config IP_NF_TARGET_CLASSIFY
 
           To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_NF_TARGET_TTL
+        tristate  'TTL target support'
+        depends on IP_NF_MANGLE
+        help
+          This option adds a `TTL' target, which enables the user to modify
+          the TTL value of the IP header.
+
+          While it is safe to decrement/lower the TTL, this target also enables
+          functionality to increment and set the TTL value of the IP header to
+          arbitrary values.  This is EXTREMELY DANGEROUS since you can easily
+          create immortal packets that loop forever on the network.
+
+          To compile it as a module, choose M here.  If unsure, say N.
+
 config IP_NF_TARGET_CONNMARK
         tristate  'CONNMARK target support'
         depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 89cae69ee208..a7bd38f50522 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -85,6 +85,7 @@ obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
 obj-$(CONFIG_IP_NF_TARGET_NOTRACK) += ipt_NOTRACK.o
 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
+obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 
 # generic ARP tables
 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
new file mode 100644
index 000000000000..b9ae6a9382f3
--- /dev/null
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -0,0 +1,119 @@
+/* TTL modification target for IP tables
+ * (C) 2000,2005 by Harald Welte <laforge@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_TTL.h>
+
+MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
+MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_LICENSE("GPL");
+
+static unsigned int 
+ipt_ttl_target(struct sk_buff **pskb, const struct net_device *in, 
+                const struct net_device *out, unsigned int hooknum, 
+                const void *targinfo, void *userinfo)
+{
+        struct iphdr *iph;
+        const struct ipt_TTL_info *info = targinfo;
+        u_int16_t diffs[2];
+        int new_ttl;
+
+        if (!skb_make_writable(pskb, (*pskb)->len))
+                return NF_DROP;
+
+        iph = (*pskb)->nh.iph;
+
+        switch (info->mode) {
+                case IPT_TTL_SET:
+                        new_ttl = info->ttl;
+                        break;
+                case IPT_TTL_INC:
+                        new_ttl = iph->ttl + info->ttl;
+                        if (new_ttl > 255)
+                                new_ttl = 255;
+                        break;
+                case IPT_TTL_DEC:
+                        new_ttl = iph->ttl - info->ttl;
+                        if (new_ttl < 0)
+                                new_ttl = 0;
+                        break;
+                default:
+                        new_ttl = iph->ttl;
+                        break;
+        }
+
+        if (new_ttl != iph->ttl) {
+                diffs[0] = htons(((unsigned)iph->ttl) << 8) ^ 0xFFFF;
+                iph->ttl = new_ttl;
+                diffs[1] = htons(((unsigned)iph->ttl) << 8);
+                iph->check = csum_fold(csum_partial((char *)diffs,
+                                                    sizeof(diffs),
+                                                    iph->check^0xFFFF));
+        }
+
+        return IPT_CONTINUE;
+}
+
+static int ipt_ttl_checkentry(const char *tablename,
+                const struct ipt_entry *e,
+                void *targinfo,
+                unsigned int targinfosize,
+                unsigned int hook_mask)
+{
+        struct ipt_TTL_info *info = targinfo;
+
+        if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) {
+                printk(KERN_WARNING "ipt_TTL: targinfosize %u != %Zu\n",
+                                targinfosize,
+                                IPT_ALIGN(sizeof(struct ipt_TTL_info)));
+                return 0;
+        }
+
+        if (strcmp(tablename, "mangle")) {
+                printk(KERN_WARNING "ipt_TTL: can only be called from "
+                        "\"mangle\" table, not \"%s\"\n", tablename);
+                return 0;
+        }
+
+        if (info->mode > IPT_TTL_MAXMODE) {
+                printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", 
+                        info->mode);
+                return 0;
+        }
+
+        if ((info->mode != IPT_TTL_SET) && (info->ttl == 0))
+                return 0;
+
+        return 1;
+}
+
+static struct ipt_target ipt_TTL = { 
+        .name           = "TTL",
+        .target         = ipt_ttl_target, 
+        .checkentry     = ipt_ttl_checkentry, 
+        .me             = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+        return ipt_register_target(&ipt_TTL);
+}
+
+static void __exit fini(void)
+{
+        ipt_unregister_target(&ipt_TTL);
+}
+
+module_init(init);
+module_exit(fini);