| 1 | // SPDX-License-Identifier: GPL-2.0-only |
|---|
| 2 | /* Kernel module to match TCP MSS values. */ |
|---|
| 3 | |
|---|
| 4 | /* Copyright (C) 2000 Marc Boucher <marc@mbsi.ca> |
|---|
| 5 | * Portions (C) 2005 by Harald Welte <laforge@netfilter.org> |
|---|
| 6 | */ |
|---|
| 7 | |
|---|
| 8 | #include <linux/module.h> |
|---|
| 9 | #include <linux/skbuff.h> |
|---|
| 10 | #include <net/tcp.h> |
|---|
| 11 | |
|---|
| 12 | #include <linux/netfilter/xt_tcpmss.h> |
|---|
| 13 | #include <linux/netfilter/x_tables.h> |
|---|
| 14 | |
|---|
| 15 | #include <linux/netfilter_ipv4/ip_tables.h> |
|---|
| 16 | #include <linux/netfilter_ipv6/ip6_tables.h> |
|---|
| 17 | |
|---|
| 18 | MODULE_LICENSE("GPL" ); |
|---|
| 19 | MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>" ); |
|---|
| 20 | MODULE_DESCRIPTION("Xtables: TCP MSS match" ); |
|---|
| 21 | MODULE_ALIAS("ipt_tcpmss" ); |
|---|
| 22 | MODULE_ALIAS("ip6t_tcpmss" ); |
|---|
| 23 | |
|---|
| 24 | static bool |
|---|
| 25 | tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par) |
|---|
| 26 | { |
|---|
| 27 | const struct xt_tcpmss_match_info *info = par->matchinfo; |
|---|
| 28 | const struct tcphdr *th; |
|---|
| 29 | struct tcphdr _tcph; |
|---|
| 30 | /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ |
|---|
| 31 | const u_int8_t *op; |
|---|
| 32 | u8 _opt[15 * 4 - sizeof(_tcph)]; |
|---|
| 33 | unsigned int i, optlen; |
|---|
| 34 | |
|---|
| 35 | /* If we don't have the whole header, drop packet. */ |
|---|
| 36 | th = skb_header_pointer(skb, offset: par->thoff, len: sizeof(_tcph), buffer: &_tcph); |
|---|
| 37 | if (th == NULL) |
|---|
| 38 | goto dropit; |
|---|
| 39 | |
|---|
| 40 | /* Malformed. */ |
|---|
| 41 | if (th->doff*4 < sizeof(*th)) |
|---|
| 42 | goto dropit; |
|---|
| 43 | |
|---|
| 44 | optlen = th->doff*4 - sizeof(*th); |
|---|
| 45 | if (!optlen) |
|---|
| 46 | goto out; |
|---|
| 47 | |
|---|
| 48 | /* Truncated options. */ |
|---|
| 49 | op = skb_header_pointer(skb, offset: par->thoff + sizeof(*th), len: optlen, buffer: _opt); |
|---|
| 50 | if (op == NULL) |
|---|
| 51 | goto dropit; |
|---|
| 52 | |
|---|
| 53 | for (i = 0; i < optlen; ) { |
|---|
| 54 | if (op[i] == TCPOPT_MSS |
|---|
| 55 | && (optlen - i) >= TCPOLEN_MSS |
|---|
| 56 | && op[i+1] == TCPOLEN_MSS) { |
|---|
| 57 | u_int16_t mssval; |
|---|
| 58 | |
|---|
| 59 | mssval = (op[i+2] << 8) | op[i+3]; |
|---|
| 60 | |
|---|
| 61 | return (mssval >= info->mss_min && |
|---|
| 62 | mssval <= info->mss_max) ^ info->invert; |
|---|
| 63 | } |
|---|
| 64 | if (op[i] < 2) |
|---|
| 65 | i++; |
|---|
| 66 | else |
|---|
| 67 | i += op[i+1] ? : 1; |
|---|
| 68 | } |
|---|
| 69 | out: |
|---|
| 70 | return info->invert; |
|---|
| 71 | |
|---|
| 72 | dropit: |
|---|
| 73 | par->hotdrop = true; |
|---|
| 74 | return false; |
|---|
| 75 | } |
|---|
| 76 | |
|---|
| 77 | static struct xt_match tcpmss_mt_reg[] __read_mostly = { |
|---|
| 78 | { |
|---|
| 79 | .name = "tcpmss" , |
|---|
| 80 | .family = NFPROTO_IPV4, |
|---|
| 81 | .match = tcpmss_mt, |
|---|
| 82 | .matchsize = sizeof(struct xt_tcpmss_match_info), |
|---|
| 83 | .proto = IPPROTO_TCP, |
|---|
| 84 | .me = THIS_MODULE, |
|---|
| 85 | }, |
|---|
| 86 | { |
|---|
| 87 | .name = "tcpmss" , |
|---|
| 88 | .family = NFPROTO_IPV6, |
|---|
| 89 | .match = tcpmss_mt, |
|---|
| 90 | .matchsize = sizeof(struct xt_tcpmss_match_info), |
|---|
| 91 | .proto = IPPROTO_TCP, |
|---|
| 92 | .me = THIS_MODULE, |
|---|
| 93 | }, |
|---|
| 94 | }; |
|---|
| 95 | |
|---|
| 96 | static int __init tcpmss_mt_init(void) |
|---|
| 97 | { |
|---|
| 98 | return xt_register_matches(match: tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg)); |
|---|
| 99 | } |
|---|
| 100 | |
|---|
| 101 | static void __exit tcpmss_mt_exit(void) |
|---|
| 102 | { |
|---|
| 103 | xt_unregister_matches(match: tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg)); |
|---|
| 104 | } |
|---|
| 105 | |
|---|
| 106 | module_init(tcpmss_mt_init); |
|---|
| 107 | module_exit(tcpmss_mt_exit); |
|---|
| 108 | |
|---|
