#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

  #include <linux/types.h>
  #include <linux/module.h>
  #include <net/ip.h>

  #include <linux/ipv6.h>

  #include <net/ipv6.h>
  #include <net/tcp.h>
  #include <net/udp.h>
  #include <linux/netfilter/x_tables.h>
  #include <linux/netfilter/xt_tcpudp.h>
  #include <linux/netfilter_ipv4/ip_tables.h>
  #include <linux/netfilter_ipv6/ip6_tables.h>

  MODULE_DESCRIPTION("Xtables: TCP, UDP and UDP-Lite match");

  MODULE_LICENSE("GPL");
  MODULE_ALIAS("xt_tcp");
  MODULE_ALIAS("xt_udp");
  MODULE_ALIAS("ipt_udp");
  MODULE_ALIAS("ipt_tcp");
  MODULE_ALIAS("ip6t_udp");
  MODULE_ALIAS("ip6t_tcp");

  /* Returns 1 if the port is matched by the range, 0 otherwise */

  static inline bool
  port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert)

  {

  	return (port >= min && port <= max) ^ invert;

  }

  static bool

  tcp_find_option(u_int8_t option,
  		const struct sk_buff *skb,
  		unsigned int protoff,
  		unsigned int optlen,

  		bool invert,

  		bool *hotdrop)

  {
  	/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */

  	const u_int8_t *op;
  	u_int8_t _opt[60 - sizeof(struct tcphdr)];

  	unsigned int i;

  	pr_debug("finding option
  ");

  
  	if (!optlen)
  		return invert;
  
  	/* If we don't have the whole header, drop packet. */
  	op = skb_header_pointer(skb, protoff + sizeof(struct tcphdr),
  				optlen, _opt);
  	if (op == NULL) {

  		*hotdrop = true;

  		return false;

  	}
  
  	for (i = 0; i < optlen; ) {
  		if (op[i] == option) return !invert;
  		if (op[i] < 2) i++;
  		else i += op[i+1]?:1;
  	}
  
  	return invert;
  }

  static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)

  {

  	const struct tcphdr *th;
  	struct tcphdr _tcph;

  	const struct xt_tcp *tcpinfo = par->matchinfo;

  	if (par->fragoff != 0) {

  		/* To quote Alan:
  
  		   Don't allow a fragment of TCP 8 bytes in. Nobody normal
  		   causes this. Its a cracker trying to break in by doing a
  		   flag overwrite to pass the direction checks.
  		*/

  		if (par->fragoff == 1) {

  			pr_debug("Dropping evil TCP offset=1 frag.
  ");

  			par->hotdrop = true;

  		}
  		/* Must not be a fragment. */

  		return false;

  	}

  	th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);

  	if (th == NULL) {
  		/* We've been asked to examine this packet, and we
  		   can't.  Hence, no choice but to drop. */

  		pr_debug("Dropping evil TCP offset=0 tinygram.
  ");

  		par->hotdrop = true;

  		return false;

  	}
  
  	if (!port_match(tcpinfo->spts[0], tcpinfo->spts[1],
  			ntohs(th->source),
  			!!(tcpinfo->invflags & XT_TCP_INV_SRCPT)))

  		return false;

  	if (!port_match(tcpinfo->dpts[0], tcpinfo->dpts[1],
  			ntohs(th->dest),
  			!!(tcpinfo->invflags & XT_TCP_INV_DSTPT)))

  		return false;

  	if (!NF_INVF(tcpinfo, XT_TCP_INV_FLAGS,
  		     (((unsigned char *)th)[13] & tcpinfo->flg_mask) == tcpinfo->flg_cmp))

  		return false;

  	if (tcpinfo->option) {
  		if (th->doff * 4 < sizeof(_tcph)) {

  			par->hotdrop = true;

  			return false;

  		}

  		if (!tcp_find_option(tcpinfo->option, skb, par->thoff,

  				     th->doff*4 - sizeof(_tcph),
  				     tcpinfo->invflags & XT_TCP_INV_OPTION,

  				     &par->hotdrop))

  			return false;

  	}

  	return true;

  }

  static int tcp_mt_check(const struct xt_mtchk_param *par)

  {

  	const struct xt_tcp *tcpinfo = par->matchinfo;

  	/* Must specify no unknown invflags */

  	return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;

  }

  static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)

  {

  	const struct udphdr *uh;
  	struct udphdr _udph;

  	const struct xt_udp *udpinfo = par->matchinfo;

  
  	/* Must not be a fragment. */

  	if (par->fragoff != 0)

  		return false;

  	uh = skb_header_pointer(skb, par->thoff, sizeof(_udph), &_udph);

  	if (uh == NULL) {
  		/* We've been asked to examine this packet, and we
  		   can't.  Hence, no choice but to drop. */

  		pr_debug("Dropping evil UDP tinygram.
  ");

  		par->hotdrop = true;

  		return false;

  	}
  
  	return port_match(udpinfo->spts[0], udpinfo->spts[1],
  			  ntohs(uh->source),
  			  !!(udpinfo->invflags & XT_UDP_INV_SRCPT))
  		&& port_match(udpinfo->dpts[0], udpinfo->dpts[1],
  			      ntohs(uh->dest),
  			      !!(udpinfo->invflags & XT_UDP_INV_DSTPT));
  }

  static int udp_mt_check(const struct xt_mtchk_param *par)

  {

  	const struct xt_udp *udpinfo = par->matchinfo;

  	/* Must specify no unknown invflags */

  	return (udpinfo->invflags & ~XT_UDP_INV_MASK) ? -EINVAL : 0;

  }

  static struct xt_match tcpudp_mt_reg[] __read_mostly = {

  	{
  		.name		= "tcp",

  		.family		= NFPROTO_IPV4,

  		.checkentry	= tcp_mt_check,
  		.match		= tcp_mt,

  		.matchsize	= sizeof(struct xt_tcp),
  		.proto		= IPPROTO_TCP,
  		.me		= THIS_MODULE,
  	},
  	{
  		.name		= "tcp",

  		.family		= NFPROTO_IPV6,

  		.checkentry	= tcp_mt_check,
  		.match		= tcp_mt,

  		.matchsize	= sizeof(struct xt_tcp),
  		.proto		= IPPROTO_TCP,
  		.me		= THIS_MODULE,
  	},
  	{
  		.name		= "udp",

  		.family		= NFPROTO_IPV4,

  		.checkentry	= udp_mt_check,
  		.match		= udp_mt,

  		.matchsize	= sizeof(struct xt_udp),
  		.proto		= IPPROTO_UDP,
  		.me		= THIS_MODULE,
  	},
  	{
  		.name		= "udp",

  		.family		= NFPROTO_IPV6,

  		.checkentry	= udp_mt_check,
  		.match		= udp_mt,

  		.matchsize	= sizeof(struct xt_udp),
  		.proto		= IPPROTO_UDP,
  		.me		= THIS_MODULE,
  	},

  	{
  		.name		= "udplite",

  		.family		= NFPROTO_IPV4,

  		.checkentry	= udp_mt_check,
  		.match		= udp_mt,

  		.matchsize	= sizeof(struct xt_udp),
  		.proto		= IPPROTO_UDPLITE,
  		.me		= THIS_MODULE,
  	},
  	{
  		.name		= "udplite",

  		.family		= NFPROTO_IPV6,

  		.checkentry	= udp_mt_check,
  		.match		= udp_mt,

  		.matchsize	= sizeof(struct xt_udp),
  		.proto		= IPPROTO_UDPLITE,
  		.me		= THIS_MODULE,
  	},

  };

  static int __init tcpudp_mt_init(void)

  {

  	return xt_register_matches(tcpudp_mt_reg, ARRAY_SIZE(tcpudp_mt_reg));

  }

  static void __exit tcpudp_mt_exit(void)

  {

  	xt_unregister_matches(tcpudp_mt_reg, ARRAY_SIZE(tcpudp_mt_reg));

  }

  module_init(tcpudp_mt_init);
  module_exit(tcpudp_mt_exit);