-rw-r--r-- | extensions/libxt_ecn.c (renamed from extensions/libipt_ecn.c) | 61 | ||||
-rw-r--r-- | extensions/libxt_ecn.man (renamed from extensions/libipt_ecn.man) | 4 | ||||
-rw-r--r-- | include/linux/netfilter/xt_ecn.h | 33 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_ecn.h | 35 |
4 files changed, 66 insertions, 67 deletions
diff --git a/extensions/libipt_ecn.c b/extensions/libxt_ecn.c
index 56a0347e..286782a3 100644
--- a/extensions/libipt_ecn.c
+++ b/extensions/libxt_ecn.c
@@ -1,6 +1,7 @@
 /* Shared library add-on to iptables for ECN matching
 *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2002 by Harald Welte <laforge@netfilter.org>
+ * (C) 2011 by Patrick McHardy <kaber@trash.net>
 *
 * This program is distributed under the terms of GNU GPL v2, 1991
 *
@@ -9,7 +10,7 @@
 */
 #include <stdio.h>
 #include <xtables.h>
-#include <linux/netfilter_ipv4/ipt_ecn.h>
+#include <linux/netfilter/xt_ecn.h>
 enum {
 O_ECN_TCP_CWR = 0,
@@ -23,7 +24,7 @@ static void ecn_help(void)
 "ECN match options\n"
 "[!] --ecn-tcp-cwr Match CWR bit of TCP header\n"
 "[!] --ecn-tcp-ece Match ECE bit of TCP header\n"
-"[!] --ecn-ip-ect [0..3] Match ECN codepoint in IPv4 header\n");
+"[!] --ecn-ip-ect [0..3] Match ECN codepoint in IPv4/IPv6 header\n");
 }
 static const struct xt_option_entry ecn_opts[] = {
@@ -38,24 +39,24 @@ static const struct xt_option_entry ecn_opts[] = {
 static void ecn_parse(struct xt_option_call *cb)
 {
- struct ipt_ecn_info *einfo = cb->data;
+ struct xt_ecn_info *einfo = cb->data;
 xtables_option_parse(cb);
 switch (cb->entry->id) {
 case O_ECN_TCP_CWR:
- einfo->operation |= IPT_ECN_OP_MATCH_CWR;
+ einfo->operation |= XT_ECN_OP_MATCH_CWR;
 if (cb->invert)
- einfo->invert |= IPT_ECN_OP_MATCH_CWR;
+ einfo->invert |= XT_ECN_OP_MATCH_CWR;
 break;
 case O_ECN_TCP_ECE:
- einfo->operation |= IPT_ECN_OP_MATCH_ECE;
+ einfo->operation |= XT_ECN_OP_MATCH_ECE;
 if (cb->invert)
- einfo->invert |= IPT_ECN_OP_MATCH_ECE;
+ einfo->invert |= XT_ECN_OP_MATCH_ECE;
 break;
 case O_ECN_IP_ECT:
 if (cb->invert)
- einfo->invert |= IPT_ECN_OP_MATCH_IP;
- einfo->operation |= IPT_ECN_OP_MATCH_IP;
+ einfo->invert |= XT_ECN_OP_MATCH_IP;
+ einfo->operation |= XT_ECN_OP_MATCH_IP;
 einfo->ip_ect = cb->val.u8;
 break;
 }
@@ -71,47 +72,47 @@ static void ecn_check(struct xt_fcheck_call *cb)
 static void ecn_print(const void *ip, const struct xt_entry_match *match,
 int numeric)
 {
- const struct ipt_ecn_info *einfo =
- (const struct ipt_ecn_info *)match->data;
+ const struct xt_ecn_info *einfo =
+ (const struct xt_ecn_info *)match->data;
 printf(" ECN match");
- if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
+ if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
 printf(" %sECE",
- (einfo->invert & IPT_ECN_OP_MATCH_ECE) ? "!" : "");
+ (einfo->invert & XT_ECN_OP_MATCH_ECE) ? "!" : "");
 }
- if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
+ if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
 printf(" %sCWR",
- (einfo->invert & IPT_ECN_OP_MATCH_CWR) ? "!" : "");
+ (einfo->invert & XT_ECN_OP_MATCH_CWR) ? "!" : "");
 }
- if (einfo->operation & IPT_ECN_OP_MATCH_IP) {
+ if (einfo->operation & XT_ECN_OP_MATCH_IP) {
 printf(" %sECT=%d",
- (einfo->invert & IPT_ECN_OP_MATCH_IP) ? "!" : "",
+ (einfo->invert & XT_ECN_OP_MATCH_IP) ? "!" : "",
 einfo->ip_ect);
 }
 }
 static void ecn_save(const void *ip, const struct xt_entry_match *match)
 {
- const struct ipt_ecn_info *einfo =
- (const struct ipt_ecn_info *)match->data;
-
- if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
- if (einfo->invert & IPT_ECN_OP_MATCH_ECE)
+ const struct xt_ecn_info *einfo =
+ (const struct xt_ecn_info *)match->data;
+
+ if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
+ if (einfo->invert & XT_ECN_OP_MATCH_ECE)
 printf(" !");
 printf(" --ecn-tcp-ece");
 }
- if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
- if (einfo->invert & IPT_ECN_OP_MATCH_CWR)
+ if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
+ if (einfo->invert & XT_ECN_OP_MATCH_CWR)
 printf(" !");
 printf(" --ecn-tcp-cwr");
 }
- if (einfo->operation & IPT_ECN_OP_MATCH_IP) {
- if (einfo->invert & IPT_ECN_OP_MATCH_IP)
+ if (einfo->operation & XT_ECN_OP_MATCH_IP) {
+ if (einfo->invert & XT_ECN_OP_MATCH_IP)
 printf(" !");
 printf(" --ecn-ip-ect %d", einfo->ip_ect);
 }
@@ -120,9 +121,9 @@ static void ecn_save(const void *ip, const struct xt_entry_match *match)
 static struct xtables_match ecn_mt_reg = {
 .name = "ecn",
 .version = XTABLES_VERSION,
- .family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_ecn_info)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_ecn_info)),
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_ecn_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_ecn_info)),
 .help = ecn_help,
 .print = ecn_print,
 .save = ecn_save,
diff --git a/extensions/libipt_ecn.man b/extensions/libxt_ecn.man
index 7f806477..31c0a3e8 100644
--- a/extensions/libipt_ecn.man
+++ b/extensions/libxt_ecn.man
@@ -1,4 +1,4 @@
-This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
+This allows you to match the ECN bits of the IPv4/IPv6 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
 .TP
 [\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP
 This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
@@ -7,5 +7,5 @@ This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
 This matches if the TCP ECN ECE (ECN Echo) bit is set.
 .TP
 [\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP
-This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify
+This matches a particular IPv4/IPv6 ECT (ECN-Capable Transport). You have to specify
 a number between `0' and `3'.
diff --git a/include/linux/netfilter/xt_ecn.h b/include/linux/netfilter/xt_ecn.h
new file mode 100644
index 00000000..c21cc280
--- /dev/null
+++ b/include/linux/netfilter/xt_ecn.h
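Review bot: Once `.family` in `ecn_mt_reg` (extensions/libxt_ecn.c) is `NFPROTO_UNSPEC`, nothing in the visible hunks limits the match to address families that actually carry an ECN field, so the only gate left in userspace would be `ecn_check`, whose body is outside the hunks. That also applies to `--ecn-tcp-cwr` and `--ecn-tcp-ece`: whether a rule that is not restricted to TCP is rejected cannot be seen here and is presumably left to the kernel match, which is worth confirming before such rules are relied on for filtering. I would at least record the intent on the field, `/* UNSPEC: one registration for iptables and ip6tables (IPv4/IPv6 only, see ecn_help) */`. The initializer continues past the end of the hunk.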
@@ -0,0 +1,33 @@
+/* iptables module for matching the ECN header in IPv4 and TCP header
+ *
+ * (C) 2002 Harald Welte <laforge@netfilter.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+*/
+#ifndef _XT_ECN_H
+#define _XT_ECN_H
+
+#include <linux/types.h>
+#include <linux/netfilter/xt_dscp.h>
+
+#define XT_ECN_IP_MASK (~XT_DSCP_MASK)
+
+#define XT_ECN_OP_MATCH_IP 0x01
+#define XT_ECN_OP_MATCH_ECE 0x10
+#define XT_ECN_OP_MATCH_CWR 0x20
+
+#define XT_ECN_OP_MATCH_MASK 0xce
+
+/* match info */
+struct xt_ecn_info {
+ __u8 operation;
+ __u8 invert;
+ __u8 ip_ect;
+ union {
+ struct {
+ __u8 ect;
+ } tcp;
+ } proto;
+};
+
+#endif /* _XT_ECN_H */
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h
deleted file mode 100644
index eabf95fb..00000000
--- a/include/linux/netfilter_ipv4/ipt_ecn.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/* iptables module for matching the ECN header in IPv4 and TCP header
- *
- * (C) 2002 Harald Welte <laforge@gnumonks.org>
- *
- * This software is distributed under GNU GPL v2, 1991
- *
- * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
-*/
-#ifndef _IPT_ECN_H
-#define _IPT_ECN_H
-
-#include <linux/types.h>
-#include <linux/netfilter/xt_dscp.h>
-
-#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
-
-#define IPT_ECN_OP_MATCH_IP 0x01
-#define IPT_ECN_OP_MATCH_ECE 0x10
-#define IPT_ECN_OP_MATCH_CWR 0x20
-
-#define IPT_ECN_OP_MATCH_MASK 0xce
-
-/* match info */
-struct ipt_ecn_info {
- __u8 operation;
- __u8 invert;
- __u8 ip_ect;
- union {
- struct {
- __u8 ect;
- } tcp;
- } proto;
-};
-
-#endif /* _IPT_ECN_H */ |
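Review bot: `XT_ECN_OP_MATCH_MASK` in the new `include/linux/netfilter/xt_ecn.h` is `0xce`, the complement of the three defined operation bits (`0x01 | 0x10 | 0x20` = `0x31`), so the name reads like a mask of valid bits while the value selects the unassigned ones. None of the userspace hunks use it, so how it is applied cannot be seen here, but a comment would keep a later validation of `operation` or `invert` from and-ing it the wrong way round: `/* complement of the XT_ECN_OP_MATCH_* bits above (~0x31): the unassigned bits */`. The file's opening comment also still says `IPv4 and TCP header` although the help text in this commit now covers IPv6; `/* iptables module for matching the ECN field in the IPv4/IPv6 and TCP headers` would keep the two in step.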