| 1 | // SPDX-License-Identifier: GPL-2.0-only |
|---|
| 2 | /* |
|---|
| 3 | * A module for stripping a specific TCP option from TCP packets. |
|---|
| 4 | * |
|---|
| 5 | * Copyright (C) 2007 Sven Schnelle <svens@bitebene.org> |
|---|
| 6 | * Copyright © CC Computer Consultants GmbH, 2007 |
|---|
| 7 | */ |
|---|
| 8 | |
|---|
| 9 | #include <linux/module.h> |
|---|
| 10 | #include <linux/skbuff.h> |
|---|
| 11 | #include <linux/ip.h> |
|---|
| 12 | #include <linux/ipv6.h> |
|---|
| 13 | #include <linux/tcp.h> |
|---|
| 14 | #include <net/ipv6.h> |
|---|
| 15 | #include <net/tcp.h> |
|---|
| 16 | #include <linux/netfilter/x_tables.h> |
|---|
| 17 | #include <linux/netfilter/xt_TCPOPTSTRIP.h> |
|---|
| 18 | |
|---|
| 19 | static inline unsigned int optlen(const u_int8_t *opt, unsigned int offset) |
|---|
| 20 | { |
|---|
| 21 | /* Beware zero-length options: make finite progress */ |
|---|
| 22 | if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0) |
|---|
| 23 | return 1; |
|---|
| 24 | else |
|---|
| 25 | return opt[offset+1]; |
|---|
| 26 | } |
|---|
| 27 | |
|---|
| 28 | static unsigned int |
|---|
| 29 | tcpoptstrip_mangle_packet(struct sk_buff *skb, |
|---|
| 30 | const struct xt_action_param *par, |
|---|
| 31 | unsigned int tcphoff) |
|---|
| 32 | { |
|---|
| 33 | const struct xt_tcpoptstrip_target_info *info = par->targinfo; |
|---|
| 34 | struct tcphdr *tcph, _th; |
|---|
| 35 | unsigned int optl, i, j; |
|---|
| 36 | u_int16_t n, o; |
|---|
| 37 | u_int8_t *opt; |
|---|
| 38 | int tcp_hdrlen; |
|---|
| 39 | |
|---|
| 40 | /* This is a fragment, no TCP header is available */ |
|---|
| 41 | if (par->fragoff != 0) |
|---|
| 42 | return XT_CONTINUE; |
|---|
| 43 | |
|---|
| 44 | tcph = skb_header_pointer(skb, offset: tcphoff, len: sizeof(_th), buffer: &_th); |
|---|
| 45 | if (!tcph) |
|---|
| 46 | return NF_DROP; |
|---|
| 47 | |
|---|
| 48 | tcp_hdrlen = tcph->doff * 4; |
|---|
| 49 | if (tcp_hdrlen < sizeof(struct tcphdr)) |
|---|
| 50 | return NF_DROP; |
|---|
| 51 | |
|---|
| 52 | if (skb_ensure_writable(skb, write_len: tcphoff + tcp_hdrlen)) |
|---|
| 53 | return NF_DROP; |
|---|
| 54 | |
|---|
| 55 | /* must reload tcph, might have been moved */ |
|---|
| 56 | tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); |
|---|
| 57 | opt = (u8 *)tcph; |
|---|
| 58 | |
|---|
| 59 | /* |
|---|
| 60 | * Walk through all TCP options - if we find some option to remove, |
|---|
| 61 | * set all octets to %TCPOPT_NOP and adjust checksum. |
|---|
| 62 | */ |
|---|
| 63 | for (i = sizeof(struct tcphdr); i < tcp_hdrlen - 1; i += optl) { |
|---|
| 64 | optl = optlen(opt, offset: i); |
|---|
| 65 | |
|---|
| 66 | if (i + optl > tcp_hdrlen) |
|---|
| 67 | break; |
|---|
| 68 | |
|---|
| 69 | if (!tcpoptstrip_test_bit(info->strip_bmap, opt[i])) |
|---|
| 70 | continue; |
|---|
| 71 | |
|---|
| 72 | for (j = 0; j < optl; ++j) { |
|---|
| 73 | o = opt[i+j]; |
|---|
| 74 | n = TCPOPT_NOP; |
|---|
| 75 | if ((i + j) % 2 == 0) { |
|---|
| 76 | o <<= 8; |
|---|
| 77 | n <<= 8; |
|---|
| 78 | } |
|---|
| 79 | inet_proto_csum_replace2(sum: &tcph->check, skb, htons(o), |
|---|
| 80 | htons(n), pseudohdr: false); |
|---|
| 81 | } |
|---|
| 82 | memset(opt + i, TCPOPT_NOP, optl); |
|---|
| 83 | } |
|---|
| 84 | |
|---|
| 85 | return XT_CONTINUE; |
|---|
| 86 | } |
|---|
| 87 | |
|---|
| 88 | static unsigned int |
|---|
| 89 | tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par) |
|---|
| 90 | { |
|---|
| 91 | return tcpoptstrip_mangle_packet(skb, par, tcphoff: ip_hdrlen(skb)); |
|---|
| 92 | } |
|---|
| 93 | |
|---|
| 94 | #if IS_ENABLED(CONFIG_IP6_NF_MANGLE) |
|---|
| 95 | static unsigned int |
|---|
| 96 | tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par) |
|---|
| 97 | { |
|---|
| 98 | struct ipv6hdr *ipv6h = ipv6_hdr(skb); |
|---|
| 99 | int tcphoff; |
|---|
| 100 | u_int8_t nexthdr; |
|---|
| 101 | __be16 frag_off; |
|---|
| 102 | |
|---|
| 103 | nexthdr = ipv6h->nexthdr; |
|---|
| 104 | tcphoff = ipv6_skip_exthdr(skb, start: sizeof(*ipv6h), nexthdrp: &nexthdr, frag_offp: &frag_off); |
|---|
| 105 | if (tcphoff < 0) |
|---|
| 106 | return NF_DROP; |
|---|
| 107 | |
|---|
| 108 | return tcpoptstrip_mangle_packet(skb, par, tcphoff); |
|---|
| 109 | } |
|---|
| 110 | #endif |
|---|
| 111 | |
|---|
| 112 | static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = { |
|---|
| 113 | { |
|---|
| 114 | .name = "TCPOPTSTRIP" , |
|---|
| 115 | .family = NFPROTO_IPV4, |
|---|
| 116 | .table = "mangle" , |
|---|
| 117 | .proto = IPPROTO_TCP, |
|---|
| 118 | .target = tcpoptstrip_tg4, |
|---|
| 119 | .targetsize = sizeof(struct xt_tcpoptstrip_target_info), |
|---|
| 120 | .me = THIS_MODULE, |
|---|
| 121 | }, |
|---|
| 122 | #if IS_ENABLED(CONFIG_IP6_NF_MANGLE) |
|---|
| 123 | { |
|---|
| 124 | .name = "TCPOPTSTRIP" , |
|---|
| 125 | .family = NFPROTO_IPV6, |
|---|
| 126 | .table = "mangle" , |
|---|
| 127 | .proto = IPPROTO_TCP, |
|---|
| 128 | .target = tcpoptstrip_tg6, |
|---|
| 129 | .targetsize = sizeof(struct xt_tcpoptstrip_target_info), |
|---|
| 130 | .me = THIS_MODULE, |
|---|
| 131 | }, |
|---|
| 132 | #endif |
|---|
| 133 | }; |
|---|
| 134 | |
|---|
| 135 | static int __init tcpoptstrip_tg_init(void) |
|---|
| 136 | { |
|---|
| 137 | return xt_register_targets(target: tcpoptstrip_tg_reg, |
|---|
| 138 | ARRAY_SIZE(tcpoptstrip_tg_reg)); |
|---|
| 139 | } |
|---|
| 140 | |
|---|
| 141 | static void __exit tcpoptstrip_tg_exit(void) |
|---|
| 142 | { |
|---|
| 143 | xt_unregister_targets(target: tcpoptstrip_tg_reg, |
|---|
| 144 | ARRAY_SIZE(tcpoptstrip_tg_reg)); |
|---|
| 145 | } |
|---|
| 146 | |
|---|
| 147 | module_init(tcpoptstrip_tg_init); |
|---|
| 148 | module_exit(tcpoptstrip_tg_exit); |
|---|
| 149 | MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@medozas.de>" ); |
|---|
| 150 | MODULE_DESCRIPTION("Xtables: TCP option stripping" ); |
|---|
| 151 | MODULE_LICENSE("GPL" ); |
|---|
| 152 | MODULE_ALIAS("ipt_TCPOPTSTRIP" ); |
|---|
| 153 | MODULE_ALIAS("ip6t_TCPOPTSTRIP" ); |
|---|
| 154 | |
|---|
