From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH] Add xt_tos
Date: Sat, 20 Oct 2007 17:49:33 +0200 [thread overview]
Message-ID: <471A238D.2010705@trash.net> (raw)
In-Reply-To: <471A2338.6060501@trash.net>
[-- Attachment #1: Type: text/plain, Size: 742 bytes --]
Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> --- /dev/null
>> +++ gitone/include/linux/netfilter/xt_tos.h
>> @@ -0,0 +1,13 @@
>> +#ifndef _XT_TOS_MATCH_H
>> +#define _XT_TOS_MATCH_H
>> +
>> +struct xt_tos_info {
>> + u_int8_t tos;
>> + u_int8_t invert;
>> +};
>>
>
> I think this will break compatibility on CRIS, which IIRC doesn't
> perform any alignment (XT_ALIGN becomes a NOP) and thus the
> structure size increases.
>
> I've already queued up the patch with some changes (capital
> letters removed from function names, keep ipt_TOS.h, Kbuild),
> could you send me a fix on top of that? I guess the options
> are to remove inversion or to introduce a new revision (or
> to convince me that I'm wrong :))
And the patch ..
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 11285 bytes --]
[NETFILTER]: x_tables: convert ipt_TOS to xt_TOS
Convert ipt_TOS to xt_TOS, adding support for IPv6
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit b179fee4c192be068ae50684f0156a34d4b87462
tree 8bb868b52a236a07c708ebb69e793a3e0fb41abf
parent 4866d72ec7bf0feb2469506364bc27b8a712ecde
author Jan Engelhardt <jengelh@computergmbh.de> Sat, 20 Oct 2007 17:45:04 +0200
committer Patrick McHardy <kaber@trash.net> Sat, 20 Oct 2007 17:45:04 +0200
include/linux/netfilter/Kbuild | 1
include/linux/netfilter/xt_TOS.h | 12 +++
include/linux/netfilter_ipv4/ipt_TOS.h | 8 --
net/ipv4/netfilter/Kconfig | 10 --
net/ipv4/netfilter/Makefile | 1
net/ipv4/netfilter/ipt_TOS.c | 87 ---------------------
net/netfilter/Kconfig | 8 ++
net/netfilter/Makefile | 1
net/netfilter/xt_TOS.c | 130 ++++++++++++++++++++++++++++++++
9 files changed, 154 insertions(+), 104 deletions(-)
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 2b91869..a170740 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -36,6 +36,7 @@ header-y += xt_tos.h
header-y += xt_SECMARK.h
header-y += xt_CONNSECMARK.h
header-y += xt_TCPMSS.h
+header-y += xt_TOS.h
unifdef-y += nf_conntrack_common.h
unifdef-y += nf_conntrack_ftp.h
diff --git a/include/linux/netfilter/xt_TOS.h b/include/linux/netfilter/xt_TOS.h
new file mode 100644
index 0000000..5d7071a
--- /dev/null
+++ b/include/linux/netfilter/xt_TOS.h
@@ -0,0 +1,12 @@
+#ifndef _XT_TOS_TARGET_H
+#define _XT_TOS_TARGET_H
+
+#ifndef IPTOS_NORMALSVC
+# define IPTOS_NORMALSVC 0
+#endif
+
+struct xt_TOS_info {
+ u_int8_t tos_value, tos_mask;
+};
+
+#endif /* _XT_TOS_TARGET_H */
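Review bot: `struct xt_TOS_info` is two bytes where the `struct ipt_tos_target_info` it replaces was one, yet both entries in xt_TOS.c register it under the existing name "TOS" with no `.revision` set. A rule blob from an already-built userspace therefore either fails the target-size check or, where alignment pads both layouts to the same size, has its padding byte read as `tos_mask`. Registering the mask-capable layout as a new revision and keeping the one-byte layout for the old one would let checkentry tell the two apart. The `#define ipt_tos_target_info xt_TOS_info` in the ipt_TOS.h hunk also drops the `tos` member, so existing source that writes `info->tos` stops compiling; a short comment there naming the replacement field would help.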
diff --git a/include/linux/netfilter_ipv4/ipt_TOS.h b/include/linux/netfilter_ipv4/ipt_TOS.h
index 6bf9e1f..d80019c 100644
--- a/include/linux/netfilter_ipv4/ipt_TOS.h
+++ b/include/linux/netfilter_ipv4/ipt_TOS.h
@@ -1,12 +1,8 @@
#ifndef _IPT_TOS_H_target
#define _IPT_TOS_H_target
-#ifndef IPTOS_NORMALSVC
-#define IPTOS_NORMALSVC 0
-#endif
+#include <linux/netfilter/xt_TOS.h>
-struct ipt_tos_target_info {
- u_int8_t tos;
-};
+#define ipt_tos_target_info xt_TOS_info
#endif /*_IPT_TOS_H_target*/
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 27cd7cd..30c61a0 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -302,16 +302,6 @@ config IP_NF_MANGLE
To compile it as a module, choose M here. If unsure, say N.
-config IP_NF_TARGET_TOS
- tristate "TOS target support"
- depends on IP_NF_MANGLE
- help
- This option adds a `TOS' target, which allows you to create rules in
- the `mangle' table which alter the Type Of Service field of an IP
- packet prior to routing.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP_NF_TARGET_ECN
tristate "ECN target support"
depends on IP_NF_MANGLE
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index c5d906b..5704fc9 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -58,7 +58,6 @@ obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
-obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
diff --git a/net/ipv4/netfilter/ipt_TOS.c b/net/ipv4/netfilter/ipt_TOS.c
deleted file mode 100644
index d4573ba..0000000
--- a/net/ipv4/netfilter/ipt_TOS.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* This is a module which is used for setting the TOS field of a packet. */
-
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ipt_TOS.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables TOS mangling module");
-
-static unsigned int
-target(struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- unsigned int hooknum,
- const struct xt_target *target,
- const void *targinfo)
-{
- const struct ipt_tos_target_info *tosinfo = targinfo;
- struct iphdr *iph = ip_hdr(skb);
-
- if ((iph->tos & IPTOS_TOS_MASK) != tosinfo->tos) {
- __u8 oldtos;
- if (!skb_make_writable(skb, sizeof(struct iphdr)))
- return NF_DROP;
- iph = ip_hdr(skb);
- oldtos = iph->tos;
- iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
- nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
- }
- return XT_CONTINUE;
-}
-
-static bool
-checkentry(const char *tablename,
- const void *e_void,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
-{
- const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos;
-
- if (tos != IPTOS_LOWDELAY
- && tos != IPTOS_THROUGHPUT
- && tos != IPTOS_RELIABILITY
- && tos != IPTOS_MINCOST
- && tos != IPTOS_NORMALSVC) {
- printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
- return false;
- }
- return true;
-}
-
-static struct xt_target ipt_tos_reg __read_mostly = {
- .name = "TOS",
- .family = AF_INET,
- .target = target,
- .targetsize = sizeof(struct ipt_tos_target_info),
- .table = "mangle",
- .checkentry = checkentry,
- .me = THIS_MODULE,
-};
-
-static int __init ipt_tos_init(void)
-{
- return xt_register_target(&ipt_tos_reg);
-}
-
-static void __exit ipt_tos_fini(void)
-{
- xt_unregister_target(&ipt_tos_reg);
-}
-
-module_init(ipt_tos_init);
-module_exit(ipt_tos_fini);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 0f7af69..d58e3d5 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -418,6 +418,14 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
This option adds a "TCPOPTSTRIP" target, which allows you to strip
TCP options from TCP packets.
+config NETFILTER_XT_TARGET_TOS
+ tristate '"TOS" target support'
+ depends on NETFILTER_XTABLES
+ ---help---
+ This option adds a "TOS" target, which allows you to create rules in
+ the "mangle" table to alter the Type Of Service field of an IPv4
+ packet or the Traffic Class field of an IPv6 packet prior to routing.
+
config NETFILTER_XT_MATCH_COMMENT
tristate '"comment" match support'
depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 4d40040..e2a0285 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -49,6 +49,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TOS) += xt_TOS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
# matches
diff --git a/net/netfilter/xt_TOS.c b/net/netfilter/xt_TOS.c
new file mode 100644
index 0000000..5d77cb4
--- /dev/null
+++ b/net/netfilter/xt_TOS.c
@@ -0,0 +1,130 @@
+/* This is a module which is used for setting the TOS field of a packet. */
+
+/* (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ * © 2007 CC Computer Consultants GmbH <jengelh@computergmbh.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <net/checksum.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TOS.h>
+
+static unsigned int
+xt_tos_target4(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_TOS_info *info = targinfo;
+ struct iphdr *iph = ip_hdr(skb);
+ u_int8_t old_tos;
+
+ if ((iph->tos & IPTOS_TOS_MASK) == info->tos_value)
+ return XT_CONTINUE;
+
+ if (!skb_make_writable(skb, sizeof(struct iphdr)))
+ return NF_DROP;
+
+ iph = ip_hdr(skb);
+ old_tos = iph->tos;
+ iph->tos = (iph->tos & IPTOS_PREC_MASK) |
+ ((iph->tos & info->tos_mask) ^ info->tos_value);
+ nf_csum_replace2(&iph->check, htons(old_tos), htons(iph->tos));
+ return XT_CONTINUE;
+}
+
+static unsigned int
+xt_tos_target6(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_TOS_info *info = targinfo;
+ struct ipv6hdr *iph = ipv6_hdr(skb);
+
+ if (iph->priority == info->tos_value)
+ return XT_CONTINUE;
+
+ if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
+ return NF_DROP;
+
+ iph = ipv6_hdr(skb);
+ iph->priority &= info->tos_mask;
+ iph->priority ^= info->tos_value;
+ return XT_CONTINUE;
+}
+
+static bool
+xt_tos_check(const char *tablename, const void *e_void,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
+{
+ const struct xt_TOS_info *info = targinfo;
+
+ if (target->family == AF_INET6 && info->tos_value > 0xF) {
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": Traffic Class field may only take values 0-15\n");
+ return false;
+ }
+
+ if (target->family == AF_INET) {
+ if ((info->tos_value & ~IPTOS_TOS_MASK) != 0) {
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": Bad TOS value %#x\n", info->tos_value);
+ return false;
+ }
+ if ((info->tos_mask & ~IPTOS_TOS_MASK) != 0) {
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": Bad mask for TOS operation: %#x\n",
+ info->tos_mask);
+ return false;
+ }
+ }
+
+ return true;
+}
+
+static struct xt_target xt_tos_reg[] __read_mostly = {
+ {
+ .name = "TOS",
+ .family = AF_INET,
+ .target = xt_tos_target4,
+ .targetsize = sizeof(struct xt_TOS_info),
+ .table = "mangle",
+ .checkentry = xt_tos_check,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "TOS",
+ .family = AF_INET6,
+ .target = xt_tos_target6,
+ .targetsize = sizeof(struct xt_TOS_info),
+ .table = "mangle",
+ .checkentry = xt_tos_check,
+ .me = THIS_MODULE,
+ },
+};
+
+static int __init xt_tos_init(void)
+{
+ return xt_register_targets(xt_tos_reg, ARRAY_SIZE(xt_tos_reg));
+}
+
+static void __exit xt_tos_exit(void)
+{
+ xt_unregister_targets(xt_tos_reg, ARRAY_SIZE(xt_tos_reg));
+}
+
+module_init(xt_tos_init);
+module_exit(xt_tos_exit);
+MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+MODULE_DESCRIPTION("netfilter \"TOS\" target module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_TOS");
+MODULE_ALIAS("ip6t_TOS");
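Review bot: The early-return tests in xt_tos_target4 and xt_tos_target6 compare the current field with `info->tos_value`, but the write that follows is mask-then-XOR, so a packet whose field already equals `tos_value` is skipped even when `(tos & tos_mask) ^ tos_value` would give a different value. Computing the result first keeps the test and the write in step, e.g. `new_tos = (iph->tos & info->tos_mask) ^ info->tos_value;` followed by `if (new_tos == (iph->tos & IPTOS_TOS_MASK)) return XT_CONTINUE;`, and likewise for `iph->priority`. Separately, xt_tos_check range-checks `tos_mask` only for AF_INET, so for AF_INET6 the rule-supplied mask is accepted unvalidated; the same `> 0xF` test used for `tos_value` would cover it. A comment on xt_tos_target6 should also say that `priority` appears to hold only the upper four bits of the 8-bit Traffic Class, since the Kconfig help text describes the whole field.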