Commit 563d36eb3fb22dd04da9aa6f12e1b9ba0ac115f3
Committed by
Patrick McHardy
Patrick McHardy
1 parent
ddc214c43a
Exists in
master
and in
39 other branches
netfilter: Combine ipt_TTL and ip6t_HL source
Suggested by: James King <t.james.king@gmail.com> Similarly to commit c9fd49680954714473d6cbd2546d6ff120f96840, merge TTL and HL. Since HL does not depend on any IPv6-specific function, no new module dependencies would arise. With slight adjustments to the Kconfig help text. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Showing 9 changed files with 187 additions and 226 deletions Side-by-side Diff
net/ipv4/netfilter/Kconfig
| ... | ... | @@ -322,21 +322,6 @@ |
| 322 | 322 | |
| 323 | 323 | To compile it as a module, choose M here. If unsure, say N. |
| 324 | 324 | |
| 325 | -config IP_NF_TARGET_TTL | |
| 326 | - tristate 'TTL target support' | |
| 327 | - depends on IP_NF_MANGLE | |
| 328 | - depends on NETFILTER_ADVANCED | |
| 329 | - help | |
| 330 | - This option adds a `TTL' target, which enables the user to modify | |
| 331 | - the TTL value of the IP header. | |
| 332 | - | |
| 333 | - While it is safe to decrement/lower the TTL, this target also enables | |
| 334 | - functionality to increment and set the TTL value of the IP header to | |
| 335 | - arbitrary values. This is EXTREMELY DANGEROUS since you can easily | |
| 336 | - create immortal packets that loop forever on the network. | |
| 337 | - | |
| 338 | - To compile it as a module, choose M here. If unsure, say N. | |
| 339 | - | |
| 340 | 325 | # raw + specific targets |
| 341 | 326 | config IP_NF_RAW |
| 342 | 327 | tristate 'raw table support (required for NOTRACK/TRACE)' |
net/ipv4/netfilter/Makefile
| ... | ... | @@ -61,7 +61,6 @@ |
| 61 | 61 | obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o |
| 62 | 62 | obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o |
| 63 | 63 | obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o |
| 64 | -obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o | |
| 65 | 64 | obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o |
| 66 | 65 | |
| 67 | 66 | # generic ARP tables |
net/ipv4/netfilter/ipt_TTL.c
| 1 | -/* TTL modification target for IP tables | |
| 2 | - * (C) 2000,2005 by Harald Welte <laforge@netfilter.org> | |
| 3 | - * | |
| 4 | - * This program is free software; you can redistribute it and/or modify | |
| 5 | - * it under the terms of the GNU General Public License version 2 as | |
| 6 | - * published by the Free Software Foundation. | |
| 7 | - * | |
| 8 | - */ | |
| 9 | - | |
| 10 | -#include <linux/module.h> | |
| 11 | -#include <linux/skbuff.h> | |
| 12 | -#include <linux/ip.h> | |
| 13 | -#include <net/checksum.h> | |
| 14 | - | |
| 15 | -#include <linux/netfilter/x_tables.h> | |
| 16 | -#include <linux/netfilter_ipv4/ipt_TTL.h> | |
| 17 | - | |
| 18 | -MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); | |
| 19 | -MODULE_DESCRIPTION("Xtables: IPv4 TTL field modification target"); | |
| 20 | -MODULE_LICENSE("GPL"); | |
| 21 | - | |
| 22 | -static unsigned int | |
| 23 | -ttl_tg(struct sk_buff *skb, const struct xt_target_param *par) | |
| 24 | -{ | |
| 25 | - struct iphdr *iph; | |
| 26 | - const struct ipt_TTL_info *info = par->targinfo; | |
| 27 | - int new_ttl; | |
| 28 | - | |
| 29 | - if (!skb_make_writable(skb, skb->len)) | |
| 30 | - return NF_DROP; | |
| 31 | - | |
| 32 | - iph = ip_hdr(skb); | |
| 33 | - | |
| 34 | - switch (info->mode) { | |
| 35 | - case IPT_TTL_SET: | |
| 36 | - new_ttl = info->ttl; | |
| 37 | - break; | |
| 38 | - case IPT_TTL_INC: | |
| 39 | - new_ttl = iph->ttl + info->ttl; | |
| 40 | - if (new_ttl > 255) | |
| 41 | - new_ttl = 255; | |
| 42 | - break; | |
| 43 | - case IPT_TTL_DEC: | |
| 44 | - new_ttl = iph->ttl - info->ttl; | |
| 45 | - if (new_ttl < 0) | |
| 46 | - new_ttl = 0; | |
| 47 | - break; | |
| 48 | - default: | |
| 49 | - new_ttl = iph->ttl; | |
| 50 | - break; | |
| 51 | - } | |
| 52 | - | |
| 53 | - if (new_ttl != iph->ttl) { | |
| 54 | - csum_replace2(&iph->check, htons(iph->ttl << 8), | |
| 55 | - htons(new_ttl << 8)); | |
| 56 | - iph->ttl = new_ttl; | |
| 57 | - } | |
| 58 | - | |
| 59 | - return XT_CONTINUE; | |
| 60 | -} | |
| 61 | - | |
| 62 | -static bool ttl_tg_check(const struct xt_tgchk_param *par) | |
| 63 | -{ | |
| 64 | - const struct ipt_TTL_info *info = par->targinfo; | |
| 65 | - | |
| 66 | - if (info->mode > IPT_TTL_MAXMODE) { | |
| 67 | - printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", | |
| 68 | - info->mode); | |
| 69 | - return false; | |
| 70 | - } | |
| 71 | - if (info->mode != IPT_TTL_SET && info->ttl == 0) | |
| 72 | - return false; | |
| 73 | - return true; | |
| 74 | -} | |
| 75 | - | |
| 76 | -static struct xt_target ttl_tg_reg __read_mostly = { | |
| 77 | - .name = "TTL", | |
| 78 | - .family = NFPROTO_IPV4, | |
| 79 | - .target = ttl_tg, | |
| 80 | - .targetsize = sizeof(struct ipt_TTL_info), | |
| 81 | - .table = "mangle", | |
| 82 | - .checkentry = ttl_tg_check, | |
| 83 | - .me = THIS_MODULE, | |
| 84 | -}; | |
| 85 | - | |
| 86 | -static int __init ttl_tg_init(void) | |
| 87 | -{ | |
| 88 | - return xt_register_target(&ttl_tg_reg); | |
| 89 | -} | |
| 90 | - | |
| 91 | -static void __exit ttl_tg_exit(void) | |
| 92 | -{ | |
| 93 | - xt_unregister_target(&ttl_tg_reg); | |
| 94 | -} | |
| 95 | - | |
| 96 | -module_init(ttl_tg_init); | |
| 97 | -module_exit(ttl_tg_exit); |
net/ipv6/netfilter/Kconfig
| ... | ... | @@ -170,23 +170,6 @@ |
| 170 | 170 | |
| 171 | 171 | To compile it as a module, choose M here. If unsure, say N. |
| 172 | 172 | |
| 173 | -config IP6_NF_TARGET_HL | |
| 174 | - tristate 'HL (hoplimit) target support' | |
| 175 | - depends on IP6_NF_MANGLE | |
| 176 | - depends on NETFILTER_ADVANCED | |
| 177 | - help | |
| 178 | - This option adds a `HL' target, which enables the user to decrement | |
| 179 | - the hoplimit value of the IPv6 header or set it to a given (lower) | |
| 180 | - value. | |
| 181 | - | |
| 182 | - While it is safe to decrement the hoplimit value, this option also | |
| 183 | - enables functionality to increment and set the hoplimit value of the | |
| 184 | - IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since | |
| 185 | - you can easily create immortal packets that loop forever on the | |
| 186 | - network. | |
| 187 | - | |
| 188 | - To compile it as a module, choose M here. If unsure, say N. | |
| 189 | - | |
| 190 | 173 | config IP6_NF_RAW |
| 191 | 174 | tristate 'raw table support (required for TRACE)' |
| 192 | 175 | depends on NETFILTER_ADVANCED |
net/ipv6/netfilter/Makefile
net/ipv6/netfilter/ip6t_HL.c
| 1 | -/* | |
| 2 | - * Hop Limit modification target for ip6tables | |
| 3 | - * Maciej Soltysiak <solt@dns.toxicfilms.tv> | |
| 4 | - * Based on HW's TTL module | |
| 5 | - * | |
| 6 | - * This software is distributed under the terms of GNU GPL | |
| 7 | - */ | |
| 8 | - | |
| 9 | -#include <linux/module.h> | |
| 10 | -#include <linux/skbuff.h> | |
| 11 | -#include <linux/ip.h> | |
| 12 | -#include <linux/ipv6.h> | |
| 13 | - | |
| 14 | -#include <linux/netfilter/x_tables.h> | |
| 15 | -#include <linux/netfilter_ipv6/ip6t_HL.h> | |
| 16 | - | |
| 17 | -MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>"); | |
| 18 | -MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field modification target"); | |
| 19 | -MODULE_LICENSE("GPL"); | |
| 20 | - | |
| 21 | -static unsigned int | |
| 22 | -hl_tg6(struct sk_buff *skb, const struct xt_target_param *par) | |
| 23 | -{ | |
| 24 | - struct ipv6hdr *ip6h; | |
| 25 | - const struct ip6t_HL_info *info = par->targinfo; | |
| 26 | - int new_hl; | |
| 27 | - | |
| 28 | - if (!skb_make_writable(skb, skb->len)) | |
| 29 | - return NF_DROP; | |
| 30 | - | |
| 31 | - ip6h = ipv6_hdr(skb); | |
| 32 | - | |
| 33 | - switch (info->mode) { | |
| 34 | - case IP6T_HL_SET: | |
| 35 | - new_hl = info->hop_limit; | |
| 36 | - break; | |
| 37 | - case IP6T_HL_INC: | |
| 38 | - new_hl = ip6h->hop_limit + info->hop_limit; | |
| 39 | - if (new_hl > 255) | |
| 40 | - new_hl = 255; | |
| 41 | - break; | |
| 42 | - case IP6T_HL_DEC: | |
| 43 | - new_hl = ip6h->hop_limit - info->hop_limit; | |
| 44 | - if (new_hl < 0) | |
| 45 | - new_hl = 0; | |
| 46 | - break; | |
| 47 | - default: | |
| 48 | - new_hl = ip6h->hop_limit; | |
| 49 | - break; | |
| 50 | - } | |
| 51 | - | |
| 52 | - ip6h->hop_limit = new_hl; | |
| 53 | - | |
| 54 | - return XT_CONTINUE; | |
| 55 | -} | |
| 56 | - | |
| 57 | -static bool hl_tg6_check(const struct xt_tgchk_param *par) | |
| 58 | -{ | |
| 59 | - const struct ip6t_HL_info *info = par->targinfo; | |
| 60 | - | |
| 61 | - if (info->mode > IP6T_HL_MAXMODE) { | |
| 62 | - printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", | |
| 63 | - info->mode); | |
| 64 | - return false; | |
| 65 | - } | |
| 66 | - if (info->mode != IP6T_HL_SET && info->hop_limit == 0) { | |
| 67 | - printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't " | |
| 68 | - "make sense with value 0\n"); | |
| 69 | - return false; | |
| 70 | - } | |
| 71 | - return true; | |
| 72 | -} | |
| 73 | - | |
| 74 | -static struct xt_target hl_tg6_reg __read_mostly = { | |
| 75 | - .name = "HL", | |
| 76 | - .family = NFPROTO_IPV6, | |
| 77 | - .target = hl_tg6, | |
| 78 | - .targetsize = sizeof(struct ip6t_HL_info), | |
| 79 | - .table = "mangle", | |
| 80 | - .checkentry = hl_tg6_check, | |
| 81 | - .me = THIS_MODULE | |
| 82 | -}; | |
| 83 | - | |
| 84 | -static int __init hl_tg6_init(void) | |
| 85 | -{ | |
| 86 | - return xt_register_target(&hl_tg6_reg); | |
| 87 | -} | |
| 88 | - | |
| 89 | -static void __exit hl_tg6_exit(void) | |
| 90 | -{ | |
| 91 | - xt_unregister_target(&hl_tg6_reg); | |
| 92 | -} | |
| 93 | - | |
| 94 | -module_init(hl_tg6_init); | |
| 95 | -module_exit(hl_tg6_exit); |
net/netfilter/Kconfig
| ... | ... | @@ -357,6 +357,21 @@ |
| 357 | 357 | |
| 358 | 358 | To compile it as a module, choose M here. If unsure, say N. |
| 359 | 359 | |
| 360 | +config NETFILTER_XT_TARGET_HL | |
| 361 | + tristate '"HL" hoplimit target support' | |
| 362 | + depends on IP_NF_MANGLE || IP6_NF_MANGLE | |
| 363 | + depends on NETFILTER_ADVANCED | |
| 364 | + ---help--- | |
| 365 | + This option adds the "HL" (for IPv6) and "TTL" (for IPv4) | |
| 366 | + targets, which enable the user to change the | |
| 367 | + hoplimit/time-to-live value of the IP header. | |
| 368 | + | |
| 369 | + While it is safe to decrement the hoplimit/TTL value, the | |
| 370 | + modules also allow to increment and set the hoplimit value of | |
| 371 | + the header to arbitrary values. This is EXTREMELY DANGEROUS | |
| 372 | + since you can easily create immortal packets that loop | |
| 373 | + forever on the network. | |
| 374 | + | |
| 360 | 375 | config NETFILTER_XT_TARGET_MARK |
| 361 | 376 | tristate '"MARK" target support' |
| 362 | 377 | default m if NETFILTER_ADVANCED=n |
net/netfilter/Makefile
| ... | ... | @@ -45,6 +45,7 @@ |
| 45 | 45 | obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o |
| 46 | 46 | obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o |
| 47 | 47 | obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o |
| 48 | +obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o | |
| 48 | 49 | obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o |
| 49 | 50 | obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o |
| 50 | 51 | obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o |
net/netfilter/xt_HL.c
| 1 | +/* | |
| 2 | + * TTL modification target for IP tables | |
| 3 | + * (C) 2000,2005 by Harald Welte <laforge@netfilter.org> | |
| 4 | + * | |
| 5 | + * Hop Limit modification target for ip6tables | |
| 6 | + * Maciej Soltysiak <solt@dns.toxicfilms.tv> | |
| 7 | + * | |
| 8 | + * This program is free software; you can redistribute it and/or modify | |
| 9 | + * it under the terms of the GNU General Public License version 2 as | |
| 10 | + * published by the Free Software Foundation. | |
| 11 | + */ | |
| 12 | + | |
| 13 | +#include <linux/module.h> | |
| 14 | +#include <linux/skbuff.h> | |
| 15 | +#include <linux/ip.h> | |
| 16 | +#include <linux/ipv6.h> | |
| 17 | +#include <net/checksum.h> | |
| 18 | + | |
| 19 | +#include <linux/netfilter/x_tables.h> | |
| 20 | +#include <linux/netfilter_ipv4/ipt_TTL.h> | |
| 21 | +#include <linux/netfilter_ipv6/ip6t_HL.h> | |
| 22 | + | |
| 23 | +MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); | |
| 24 | +MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>"); | |
| 25 | +MODULE_DESCRIPTION("Xtables: Hoplimit/TTL Limit field modification target"); | |
| 26 | +MODULE_LICENSE("GPL"); | |
| 27 | + | |
| 28 | +static unsigned int | |
| 29 | +ttl_tg(struct sk_buff *skb, const struct xt_target_param *par) | |
| 30 | +{ | |
| 31 | + struct iphdr *iph; | |
| 32 | + const struct ipt_TTL_info *info = par->targinfo; | |
| 33 | + int new_ttl; | |
| 34 | + | |
| 35 | + if (!skb_make_writable(skb, skb->len)) | |
| 36 | + return NF_DROP; | |
| 37 | + | |
| 38 | + iph = ip_hdr(skb); | |
| 39 | + | |
| 40 | + switch (info->mode) { | |
| 41 | + case IPT_TTL_SET: | |
| 42 | + new_ttl = info->ttl; | |
| 43 | + break; | |
| 44 | + case IPT_TTL_INC: | |
| 45 | + new_ttl = iph->ttl + info->ttl; | |
| 46 | + if (new_ttl > 255) | |
| 47 | + new_ttl = 255; | |
| 48 | + break; | |
| 49 | + case IPT_TTL_DEC: | |
| 50 | + new_ttl = iph->ttl - info->ttl; | |
| 51 | + if (new_ttl < 0) | |
| 52 | + new_ttl = 0; | |
| 53 | + break; | |
| 54 | + default: | |
| 55 | + new_ttl = iph->ttl; | |
| 56 | + break; | |
| 57 | + } | |
| 58 | + | |
| 59 | + if (new_ttl != iph->ttl) { | |
| 60 | + csum_replace2(&iph->check, htons(iph->ttl << 8), | |
| 61 | + htons(new_ttl << 8)); | |
| 62 | + iph->ttl = new_ttl; | |
| 63 | + } | |
| 64 | + | |
| 65 | + return XT_CONTINUE; | |
| 66 | +} | |
| 67 | + | |
| 68 | +static unsigned int | |
| 69 | +hl_tg6(struct sk_buff *skb, const struct xt_target_param *par) | |
| 70 | +{ | |
| 71 | + struct ipv6hdr *ip6h; | |
| 72 | + const struct ip6t_HL_info *info = par->targinfo; | |
| 73 | + int new_hl; | |
| 74 | + | |
| 75 | + if (!skb_make_writable(skb, skb->len)) | |
| 76 | + return NF_DROP; | |
| 77 | + | |
| 78 | + ip6h = ipv6_hdr(skb); | |
| 79 | + | |
| 80 | + switch (info->mode) { | |
| 81 | + case IP6T_HL_SET: | |
| 82 | + new_hl = info->hop_limit; | |
| 83 | + break; | |
| 84 | + case IP6T_HL_INC: | |
| 85 | + new_hl = ip6h->hop_limit + info->hop_limit; | |
| 86 | + if (new_hl > 255) | |
| 87 | + new_hl = 255; | |
| 88 | + break; | |
| 89 | + case IP6T_HL_DEC: | |
| 90 | + new_hl = ip6h->hop_limit - info->hop_limit; | |
| 91 | + if (new_hl < 0) | |
| 92 | + new_hl = 0; | |
| 93 | + break; | |
| 94 | + default: | |
| 95 | + new_hl = ip6h->hop_limit; | |
| 96 | + break; | |
| 97 | + } | |
| 98 | + | |
| 99 | + ip6h->hop_limit = new_hl; | |
| 100 | + | |
| 101 | + return XT_CONTINUE; | |
| 102 | +} | |
| 103 | + | |
| 104 | +static bool ttl_tg_check(const struct xt_tgchk_param *par) | |
| 105 | +{ | |
| 106 | + const struct ipt_TTL_info *info = par->targinfo; | |
| 107 | + | |
| 108 | + if (info->mode > IPT_TTL_MAXMODE) { | |
| 109 | + printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", | |
| 110 | + info->mode); | |
| 111 | + return false; | |
| 112 | + } | |
| 113 | + if (info->mode != IPT_TTL_SET && info->ttl == 0) | |
| 114 | + return false; | |
| 115 | + return true; | |
| 116 | +} | |
| 117 | + | |
| 118 | +static bool hl_tg6_check(const struct xt_tgchk_param *par) | |
| 119 | +{ | |
| 120 | + const struct ip6t_HL_info *info = par->targinfo; | |
| 121 | + | |
| 122 | + if (info->mode > IP6T_HL_MAXMODE) { | |
| 123 | + printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", | |
| 124 | + info->mode); | |
| 125 | + return false; | |
| 126 | + } | |
| 127 | + if (info->mode != IP6T_HL_SET && info->hop_limit == 0) { | |
| 128 | + printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't " | |
| 129 | + "make sense with value 0\n"); | |
| 130 | + return false; | |
| 131 | + } | |
| 132 | + return true; | |
| 133 | +} | |
| 134 | + | |
| 135 | +static struct xt_target hl_tg_reg[] __read_mostly = { | |
| 136 | + { | |
| 137 | + .name = "TTL", | |
| 138 | + .revision = 0, | |
| 139 | + .family = NFPROTO_IPV4, | |
| 140 | + .target = ttl_tg, | |
| 141 | + .targetsize = sizeof(struct ipt_TTL_info), | |
| 142 | + .table = "mangle", | |
| 143 | + .checkentry = ttl_tg_check, | |
| 144 | + .me = THIS_MODULE, | |
| 145 | + }, | |
| 146 | + { | |
| 147 | + .name = "HL", | |
| 148 | + .revision = 0, | |
| 149 | + .family = NFPROTO_IPV6, | |
| 150 | + .target = hl_tg6, | |
| 151 | + .targetsize = sizeof(struct ip6t_HL_info), | |
| 152 | + .table = "mangle", | |
| 153 | + .checkentry = hl_tg6_check, | |
| 154 | + .me = THIS_MODULE, | |
| 155 | + }, | |
| 156 | +}; | |
| 157 | + | |
| 158 | +static int __init hl_tg_init(void) | |
| 159 | +{ | |
| 160 | + return xt_register_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); | |
| 161 | +} | |
| 162 | + | |
| 163 | +static void __exit hl_tg_exit(void) | |
| 164 | +{ | |
| 165 | + xt_unregister_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); | |
| 166 | +} | |
| 167 | + | |
| 168 | +module_init(hl_tg_init); | |
| 169 | +module_exit(hl_tg_exit); | |
| 170 | +MODULE_ALIAS("ipt_TTL"); | |
| 171 | +MODULE_ALIAS("ip6t_HL"); |