From 8a40d85519a0ef5d101f969b8464567b92b167bc Mon Sep 17 00:00:00 2001 | |
From: Oleksandr Natalenko <oleksandr@natalenko.name> | |
Date: Sun, 28 Aug 2016 18:27:47 +0300 | |
Subject: [PATCH] ipt_df-4.7: initial port | |
--- | |
include/uapi/linux/netfilter_ipv4/ipt_DF.h | 13 +++++ | |
net/ipv4/netfilter/Kconfig | 9 ++++ | |
net/ipv4/netfilter/Makefile | 1 + | |
net/ipv4/netfilter/ipt_DF.c | 76 ++++++++++++++++++++++++++++++ | |
4 files changed, 99 insertions(+) | |
create mode 100644 include/uapi/linux/netfilter_ipv4/ipt_DF.h | |
create mode 100644 net/ipv4/netfilter/ipt_DF.c | |
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_DF.h b/include/uapi/linux/netfilter_ipv4/ipt_DF.h | |
new file mode 100644 | |
index 0000000..36d4af5 | |
--- /dev/null | |
+++ b/include/uapi/linux/netfilter_ipv4/ipt_DF.h | |
@@ -0,0 +1,13 @@ | |
+#ifndef _IPT_DF_TARGET_H | |
+#define _IPT_DF_TARGET_H | |
+ | |
+enum { | |
+ IPT_DF_CLEAR = 1 | |
+}; | |
+ | |
+struct ipt_DF_info { | |
+ u_int8_t mode; | |
+}; | |
+ | |
+#endif /* _IPT_DF_TARGET_H */ | |
+ | |
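Review bot: `struct ipt_DF_info` is installed as a uapi header yet declares its field as `u_int8_t`, a sys/types.h name rather than a linux/types.h one; the usual form for uapi netfilter target structs is `__u8 mode;`, which keeps the header self-contained for the userspace iptables extension that will include it. The layout is unchanged either way, so `targetsize` in ipt_DF.c stays correct.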
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig | |
index c187c60..83091fb 100644 | |
--- a/net/ipv4/netfilter/Kconfig | |
+++ b/net/ipv4/netfilter/Kconfig | |
@@ -263,6 +263,15 @@ config IP_NF_TARGET_SYNPROXY | |
To compile it as a module, choose M here. If unsure, say N. | |
+config IP_NF_TARGET_DF | |
+ tristate "DF target support" | |
+ default m if NETFILTER_ADVANCED=n | |
+ help | |
+ This option adds a `DF' target, allowing you to set or remove | |
+ "Do not fragment" flag on any traffic in mangle table. | |
+ | |
+ To compile it as a module, choose M here. If unsure, say N. | |
+ | |
# NAT + specific targets: nf_conntrack | |
config IP_NF_NAT | |
tristate "iptables NAT support" | |
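Review bot: The help text promises the target can "set or remove" the DF flag, but the only mode defined in ipt_DF.h and handled in ipt_DF.c is `IPT_DF_CLEAR`, so a user reading this will expect a set mode that does not exist. Describe what ships, e.g. `This option adds a `DF' target, allowing you to clear the "Do not fragment" flag on traffic in the mangle table.`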
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile | |
index 87b073d..7874301 100644 | |
--- a/net/ipv4/netfilter/Makefile | |
+++ b/net/ipv4/netfilter/Makefile | |
@@ -64,6 +64,7 @@ obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o | |
obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o | |
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o | |
obj-$(CONFIG_IP_NF_TARGET_SYNPROXY) += ipt_SYNPROXY.o | |
+obj-$(CONFIG_IP_NF_TARGET_DF) += ipt_DF.o | |
# generic ARP tables | |
obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o | |
diff --git a/net/ipv4/netfilter/ipt_DF.c b/net/ipv4/netfilter/ipt_DF.c | |
new file mode 100644 | |
index 0000000..dabe2d8 | |
--- /dev/null | |
+++ b/net/ipv4/netfilter/ipt_DF.c | |
@@ -0,0 +1,76 @@ | |
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
+ | |
+#include <linux/in.h> | |
+#include <linux/module.h> | |
+#include <linux/skbuff.h> | |
+#include <linux/ip.h> | |
+#include <net/ip.h> | |
+#include <linux/tcp.h> | |
+#include <net/checksum.h> | |
+ | |
+#include <linux/netfilter/x_tables.h> | |
+#include <linux/netfilter_ipv4/ip_tables.h> | |
+#include <linux/netfilter_ipv4/ipt_DF.h> | |
+ | |
+MODULE_AUTHOR("Dmitry Labutcky <avl@strace.net>"); | |
+MODULE_DESCRIPTION("IP tables remove DF flag module"); | |
+MODULE_LICENSE("GPL"); | |
+ | |
+static unsigned int df_tg(struct sk_buff *skb, | |
+ const struct xt_action_param *par) | |
+{ | |
+ | |
+ struct iphdr *iph; | |
+ const struct ipt_DF_info *info = par->targinfo; | |
+ u_int16_t diffs[2]; | |
+ | |
+ if (!skb_make_writable(skb, skb->len)) | |
+ return NF_DROP; | |
+ | |
+ iph = ip_hdr(skb); | |
+ | |
+ if (info->mode != IPT_DF_CLEAR) | |
+ return XT_CONTINUE; | |
+ | |
+ if (!(iph->frag_off & 0x0040)) | |
+ return XT_CONTINUE; | |
+ | |
+ diffs[0] = htons(((unsigned)iph->frag_off) << 8) ^ 0xFFFF; | |
+ iph->frag_off = iph->frag_off & 0xFFBF; | |
+ diffs[1] = htons(((unsigned)iph->frag_off) << 8); | |
+ iph->check = csum_fold(csum_partial((char *)diffs, | |
+ sizeof(diffs), | |
+ iph->check ^ 0xFFFF)); | |
+ | |
+ return XT_CONTINUE; | |
+ | |
+} | |
+ | |
+static int df_tg_check(const struct xt_tgchk_param *par) | |
+{ | |
+ return 0; | |
+} | |
+ | |
+static struct xt_target df_tg_reg __read_mostly = { | |
+ .name = "DF", | |
+ .family = NFPROTO_IPV4, | |
+ .target = df_tg, | |
+ .targetsize = sizeof(struct ipt_DF_info), | |
+ .table = "mangle", | |
+ .checkentry = df_tg_check, | |
+ .me = THIS_MODULE, | |
+}; | |
+ | |
+static int __init df_tg_init(void) | |
+{ | |
+ return xt_register_target(&df_tg_reg); | |
+} | |
+ | |
+static void __exit df_tg_exit(void) | |
+{ | |
+ xt_unregister_target(&df_tg_reg); | |
+} | |
+ | |
+module_init(df_tg_init); | |
+module_exit(df_tg_exit); | |
+ | |
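Review bot: The DF test and clear on `iph->frag_off` use the raw constants `0x0040` and `0xFFBF`, which are the little-endian in-memory layout of that `__be16` field, so on a big-endian host the test never matches and the target silently does nothing (sparse will also flag the mixed endianness); `htons(IP_DF)` from linux/ip.h, already included, is the portable spelling. With that, the hand-built `diffs[]` / `csum_partial` sequence can be replaced by the `csum_replace2(&iph->check, old, new)` helper from net/checksum.h, which also removes the `<< 8` shuffle that drops the high byte of the field before it is summed. `skb_make_writable(skb, skb->len)` asks for the whole packet to be writable although only two header fields are modified; `sizeof(struct iphdr)` is sufficient and avoids a full copy of a cloned skb. Separately, `df_tg_check` accepts any `mode` value, so a malformed rule is inserted and then matches nothing; `return par->targinfo mode == IPT_DF_CLEAR ? 0 : -EINVAL;` spelled out with a local `const struct ipt_DF_info *info = par->targinfo;` reports the error at rule insertion instead.
```c
static unsigned int df_tg(struct sk_buff *skb,
			  const struct xt_action_param *par)
{
	const struct ipt_DF_info *info = par->targinfo;
	struct iphdr *iph;
	__be16 old;

	/* Only the IP header is touched, so that is all that must be writable. */
	if (!skb_make_writable(skb, sizeof(struct iphdr)))
		return NF_DROP;

	/* … unchanged: ip_hdr() and the mode check … */

	if (!(iph->frag_off & htons(IP_DF)))
		return XT_CONTINUE;

	old = iph->frag_off;
	iph->frag_off = old & ~htons(IP_DF);
	/* Incremental checksum update for a single changed 16-bit word. */
	csum_replace2(&iph->check, old, iph->frag_off);

	return XT_CONTINUE;
}
```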
-- | |
2.9.3 | |