5 files changed, 224 insertions, 3 deletions

diff --git a/include/linux/dccp.h b/include/linux/dccp.h
index fd1412ddb3ff..431d58923ba9 100644
--- a/include/linux/dccp.h
+++ b/include/linux/dccp.h
@@ -242,10 +242,15 @@ static inline struct dccp_hdr_ext *dccp_hdrx(const struct sk_buff *skb)
         return (struct dccp_hdr_ext *)(skb->h.raw + sizeof(struct dccp_hdr));
 }
 
+static inline unsigned int __dccp_basic_hdr_len(const struct dccp_hdr *dh)
+{
+        return sizeof(*dh) + (dh->dccph_x ? sizeof(struct dccp_hdr_ext) : 0);
+}
+
 static inline unsigned int dccp_basic_hdr_len(const struct sk_buff *skb)
 {
         const struct dccp_hdr *dh = dccp_hdr(skb);
-        return sizeof(*dh) + (dh->dccph_x ? sizeof(struct dccp_hdr_ext) : 0);
+        return __dccp_basic_hdr_len(dh);
 }
 
 static inline __u64 dccp_hdr_seq(const struct sk_buff *skb)
@@ -297,10 +302,15 @@ static inline struct dccp_hdr_reset *dccp_hdr_reset(struct sk_buff *skb)
         return (struct dccp_hdr_reset *)(skb->h.raw + dccp_basic_hdr_len(skb));
 }
 
+static inline unsigned int __dccp_hdr_len(const struct dccp_hdr *dh)
+{
+        return __dccp_basic_hdr_len(dh) +
+               dccp_packet_hdr_len(dh->dccph_type);
+}
+
 static inline unsigned int dccp_hdr_len(const struct sk_buff *skb)
 {
-        return dccp_basic_hdr_len(skb) +
-               dccp_packet_hdr_len(dccp_hdr(skb)->dccph_type);
+        return __dccp_hdr_len(dccp_hdr(skb));
 }
 
 
diff --git a/include/linux/netfilter_ipv4/ipt_dccp.h b/include/linux/netfilter_ipv4/ipt_dccp.h
new file mode 100644
index 000000000000..3cb3a522e62b
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_dccp.h
@@ -0,0 +1,23 @@
+#ifndef _IPT_DCCP_H_
+#define _IPT_DCCP_H_
+
+#define IPT_DCCP_SRC_PORTS              0x01
+#define IPT_DCCP_DEST_PORTS             0x02
+#define IPT_DCCP_TYPE                   0x04
+#define IPT_DCCP_OPTION                 0x08
+
+#define IPT_DCCP_VALID_FLAGS            0x0f
+
+struct ipt_dccp_info {
+        u_int16_t dpts[2];  /* Min, Max */
+        u_int16_t spts[2];  /* Min, Max */
+
+        u_int16_t flags;
+        u_int16_t invflags;
+
+        u_int16_t typemask;
+        u_int8_t option;
+};
+
+#endif /* _IPT_DCCP_H_ */
+
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 2fa26a41fa47..9f5e1d769b5f 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -354,6 +354,17 @@ config IP_NF_MATCH_SCTP
           If you want to compile it as a module, say M here and read
           <file:Documentation/modules.txt>.  If unsure, say `N'.
 
+config IP_NF_MATCH_DCCP
+        tristate  'DCCP protocol match support'
+        depends on IP_NF_IPTABLES
+        help
+          With this option enabled, you will be able to use the iptables
+          `dccp' match in order to match on DCCP source/destination ports
+          and DCCP flags.
+
+          If you want to compile it as a module, say M here and read
+          <file:Documentation/modules.txt>.  If unsure, say `N'.
+
 config IP_NF_MATCH_COMMENT
         tristate  'comment match support'
         depends on IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index c2ae663b723f..58aa7c616e1f 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -42,6 +42,7 @@ obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
 obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o
 obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
+obj-$(CONFIG_IP_NF_MATCH_DCCP) += ipt_dccp.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
 obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
diff --git a/net/ipv4/netfilter/ipt_dccp.c b/net/ipv4/netfilter/ipt_dccp.c
new file mode 100644
index 000000000000..ad3278bba6c1
--- /dev/null
+++ b/net/ipv4/netfilter/ipt_dccp.c
@@ -0,0 +1,176 @@
+/*
+ * iptables module for DCCP protocol header matching
+ *
+ * (C) 2005 by Harald Welte <laforge@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/spinlock.h>
+#include <net/ip.h>
+#include <linux/dccp.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_dccp.h>
+
+#define DCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
+                                  || (!!((invflag) & (option)) ^ (cond)))
+
+static unsigned char *dccp_optbuf;
+static DEFINE_SPINLOCK(dccp_buflock);
+
+static inline int
+dccp_find_option(u_int8_t option,
+                 const struct sk_buff *skb,
+                 const struct dccp_hdr *dh,
+                 int *hotdrop)
+{
+        /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
+        unsigned char *op;
+        unsigned int optoff = __dccp_hdr_len(dh);
+        unsigned int optlen = dh->dccph_doff*4 - __dccp_hdr_len(dh);
+        unsigned int i;
+
+        if (dh->dccph_doff * 4 < __dccp_hdr_len(dh)) {
+                *hotdrop = 1;
+                return 0;
+        }
+
+        if (!optlen)
+                return 0;
+
+        spin_lock_bh(&dccp_buflock);
+        op = skb_header_pointer(skb,
+                                skb->nh.iph->ihl*4 + optoff,
+                                optlen, dccp_optbuf);
+        if (op == NULL) {
+                /* If we don't have the whole header, drop packet. */
+                spin_unlock_bh(&dccp_buflock);
+                *hotdrop = 1;
+                return 0;
+        }
+
+        for (i = 0; i < optlen; ) {
+                if (op[i] == option) {
+                        spin_unlock_bh(&dccp_buflock);
+                        return 1;
+                }
+
+                if (op[i] < 2) 
+                        i++;
+                else 
+                        i += op[i+1]?:1;
+        }
+
+        spin_unlock_bh(&dccp_buflock);
+        return 0;
+}
+
+
+static inline int
+match_types(const struct dccp_hdr *dh, u_int16_t typemask)
+{
+        return (typemask & (1 << dh->dccph_type));
+}
+
+static inline int
+match_option(u_int8_t option, const struct sk_buff *skb,
+             const struct dccp_hdr *dh, int *hotdrop)
+{
+        return dccp_find_option(option, skb, dh, hotdrop);
+}
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      int *hotdrop)
+{
+        const struct ipt_dccp_info *info = 
+                                (const struct ipt_dccp_info *)matchinfo;
+        struct dccp_hdr _dh, *dh;
+
+        if (offset)
+                return 0;
+        
+        dh = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_dh), &_dh);
+        if (dh == NULL) {
+                *hotdrop = 1;
+                return 0;
+        }
+
+        return  DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0]) 
+                        && (ntohs(dh->dccph_sport) <= info->spts[1])), 
+                        IPT_DCCP_SRC_PORTS, info->flags, info->invflags)
+                && DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0]) 
+                        && (ntohs(dh->dccph_dport) <= info->dpts[1])), 
+                        IPT_DCCP_DEST_PORTS, info->flags, info->invflags)
+                && DCCHECK(match_types(dh, info->typemask),
+                           IPT_DCCP_TYPE, info->flags, info->invflags)
+                && DCCHECK(match_option(info->option, skb, dh, hotdrop),
+                           IPT_DCCP_OPTION, info->flags, info->invflags);
+}
+
+static int
+checkentry(const char *tablename,
+           const struct ipt_ip *ip,
+           void *matchinfo,
+           unsigned int matchsize,
+           unsigned int hook_mask)
+{
+        const struct ipt_dccp_info *info;
+
+        info = (const struct ipt_dccp_info *)matchinfo;
+
+        return ip->proto == IPPROTO_DCCP
+                && !(ip->invflags & IPT_INV_PROTO)
+                && matchsize == IPT_ALIGN(sizeof(struct ipt_dccp_info))
+                && !(info->flags & ~IPT_DCCP_VALID_FLAGS)
+                && !(info->invflags & ~IPT_DCCP_VALID_FLAGS)
+                && !(info->invflags & ~info->flags);
+}
+
+static struct ipt_match dccp_match = 
+{ 
+        .name           = "dccp",
+        .match          = &match,
+        .checkentry     = &checkentry,
+        .me             = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+        int ret;
+
+        /* doff is 8 bits, so the maximum option size is (4*256).  Don't put
+         * this in BSS since DaveM is worried about locked TLB's for kernel
+         * BSS. */
+        dccp_optbuf = kmalloc(256 * 4, GFP_KERNEL);
+        if (!dccp_optbuf)
+                return -ENOMEM;
+        ret = ipt_register_match(&dccp_match);
+        if (ret)
+                kfree(dccp_optbuf);
+
+        return ret;
+}
+
+static void __exit fini(void)
+{
+        ipt_unregister_match(&dccp_match);
+        kfree(dccp_optbuf);
+}
+
+module_init(init);
+module_exit(fini);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
+MODULE_DESCRIPTION("Match for DCCP protocol packets");
+