iptables/extensions/libxt_ecn.c

/* Shared library add-on to iptables for ECN matching
 *
 * (C) 2002 by Harald Welte <laforge@netfilter.org>
 * (C) 2011 by Patrick McHardy <kaber@trash.net>
 *
 * This program is distributed under the terms of GNU GPL v2, 1991
 *
 * libipt_ecn.c borrowed heavily from libipt_dscp.c
 *
 */
#include <stdio.h>
#include <xtables.h>
#include <linux/netfilter/xt_ecn.h>

enum {
	O_ECN_TCP_CWR = 0,
	O_ECN_TCP_ECE,
	O_ECN_IP_ECT,
};

static void ecn_help(void)
{
	printf(
"ECN match options\n"
"[!] --ecn-tcp-cwr 		Match CWR bit of TCP header\n"
"[!] --ecn-tcp-ece		Match ECE bit of TCP header\n"
"[!] --ecn-ip-ect [0..3]	Match ECN codepoint in IPv4/IPv6 header\n");
}

static const struct xt_option_entry ecn_opts[] = {
	{.name = "ecn-tcp-cwr", .id = O_ECN_TCP_CWR, .type = XTTYPE_NONE,
	 .flags = XTOPT_INVERT},
	{.name = "ecn-tcp-ece", .id = O_ECN_TCP_ECE, .type = XTTYPE_NONE,
	 .flags = XTOPT_INVERT},
	{.name = "ecn-ip-ect", .id = O_ECN_IP_ECT, .type = XTTYPE_UINT8,
	 .min = 0, .max = 3, .flags = XTOPT_INVERT},
	XTOPT_TABLEEND,
};

static void ecn_parse(struct xt_option_call *cb)
{
	struct xt_ecn_info *einfo = cb->data;

	xtables_option_parse(cb);
	switch (cb->entry->id) {
	case O_ECN_TCP_CWR:
		einfo->operation |= XT_ECN_OP_MATCH_CWR;
		if (cb->invert)
			einfo->invert |= XT_ECN_OP_MATCH_CWR;
		break;
	case O_ECN_TCP_ECE:
		einfo->operation |= XT_ECN_OP_MATCH_ECE;
		if (cb->invert)
			einfo->invert |= XT_ECN_OP_MATCH_ECE;
		break;
	case O_ECN_IP_ECT:
		if (cb->invert)
			einfo->invert |= XT_ECN_OP_MATCH_IP;
		einfo->operation |= XT_ECN_OP_MATCH_IP;
		einfo->ip_ect = cb->val.u8;
		break;
	}
}

static void ecn_check(struct xt_fcheck_call *cb)
{
	if (cb->xflags == 0)
		xtables_error(PARAMETER_PROBLEM,
		           "ECN match: some option required");
}

static void ecn_print(const void *ip, const struct xt_entry_match *match,
                      int numeric)
{
	const struct xt_ecn_info *einfo =
		(const struct xt_ecn_info *)match->data;

	printf(" ECN match");

	if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
		printf(" %sECE",
		       (einfo->invert & XT_ECN_OP_MATCH_ECE) ? "!" : "");
	}

	if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
		printf(" %sCWR",
		       (einfo->invert & XT_ECN_OP_MATCH_CWR) ? "!" : "");
	}

	if (einfo->operation & XT_ECN_OP_MATCH_IP) {
		printf(" %sECT=%d",
		       (einfo->invert & XT_ECN_OP_MATCH_IP) ? "!" : "",
		       einfo->ip_ect);
	}
}

static void ecn_save(const void *ip, const struct xt_entry_match *match)
{
	const struct xt_ecn_info *einfo =
		(const struct xt_ecn_info *)match->data;

	if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
		if (einfo->invert & XT_ECN_OP_MATCH_ECE)
			printf(" !");
		printf(" --ecn-tcp-ece");
	}

	if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
		if (einfo->invert & XT_ECN_OP_MATCH_CWR)
			printf(" !");
		printf(" --ecn-tcp-cwr");
	}

	if (einfo->operation & XT_ECN_OP_MATCH_IP) {
		if (einfo->invert & XT_ECN_OP_MATCH_IP)
			printf(" !");
		printf(" --ecn-ip-ect %d", einfo->ip_ect);
	}
}

static int ecn_xlate(struct xt_xlate *xl,
		     const struct xt_xlate_mt_params *params)
{
	const struct xt_ecn_info *einfo =
		(const struct xt_ecn_info *)params->match->data;

	if (!(einfo->operation & XT_ECN_OP_MATCH_IP))
		return 0;

	xt_xlate_add(xl, "ip ecn ");
	if (einfo->invert)
		xt_xlate_add(xl,"!= ");

	switch (einfo->ip_ect) {
	case 0:
		xt_xlate_add(xl, "not-ect");
		break;
	case 1:
		xt_xlate_add(xl, "ect1");
		break;
	case 2:
		xt_xlate_add(xl, "ect0");
		break;
	case 3:
		xt_xlate_add(xl, "ce");
		break;
	}
	return 1;
}

static struct xtables_match ecn_mt_reg = {
	.name          = "ecn",
	.version       = XTABLES_VERSION,
	.family        = NFPROTO_UNSPEC,
	.size          = XT_ALIGN(sizeof(struct xt_ecn_info)),
	.userspacesize = XT_ALIGN(sizeof(struct xt_ecn_info)),
	.help          = ecn_help,
	.print         = ecn_print,
	.save          = ecn_save,
	.x6_parse      = ecn_parse,
	.x6_fcheck     = ecn_check,
	.x6_options    = ecn_opts,
	.xlate	       = ecn_xlate,
};

void _init(void)
{
	xtables_register_match(&ecn_mt_reg);
}