From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Sven Schnelle <svens@bitebene.org>, netfilter-devel@vger.kernel.org
Subject: Re: [RFC] TCPOPTSTRIP target
Date: Fri, 28 Sep 2007 17:02:48 +0200 [thread overview]
Message-ID: <46FD1798.2020302@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.64.0709281643520.25099@fbirervta.pbzchgretzou.qr>
Jan Engelhardt wrote:
> Since I had nothing better to do, I did a cleanup :)
Great :) My main question is what the use case of this is.
> @@ -0,0 +1,155 @@
> +/*
> + * A module for stripping a specific TCP option from TCP packets.
> + *
> + * Copyright (C) 2007 Sven Schnelle <svens@bitebene.org>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + */
> +
> +#include <linux/module.h>
> +#include <linux/skbuff.h>
> +#include <linux/ip.h>
> +#include <linux/ipv6.h>
> +#include <linux/tcp.h>
> +#include <net/ipv6.h>
> +#include <net/tcp.h>
> +#include <linux/netfilter/x_tables.h>
> +#include <linux/netfilter/xt_tcpudp.h>
tcpudp.h? Shouldn't be needed.
> +#include <linux/netfilter/xt_TCPOPTSTRIP.h>
> +
> +static void fast_csum(__sum16 *csum, const u_int8_t *optr,
> + const u_int8_t *nptr, const int offset)
> +{
> + u_int8_t s[4];
> +
> + if (offset & 1) {
> + s[0] = s[2] = 0;
> + s[1] = ~*optr;
> + s[3] = *nptr;
> + } else {
> + s[1] = s[3] = 0;
> + s[0] = ~*optr;
> + s[2] = *nptr;
> + }
> +
> + *csum = csum_fold(csum_partial(s, 4, ~csum_unfold(*csum)));
> +}
Please use the generic checksumming helpers.
> +
> +static unsigned int
> +tcpoptstrip_mangle_packet(struct sk_buff **pskb,
> + const struct xt_tcpoptstrip_info *info,
> + unsigned int tcphoff, unsigned int minlen)
> +{
> + const u_int8_t newopt = TCPOPT_NOP;
> + unsigned int optl, tcplen, i, j;
> + struct tcphdr *tcph;
> + u_int8_t *opt;
> +
> + if (!skb_make_writable(pskb, (*pskb)->len))
> + return NF_DROP;
> +
> + tcplen = (*pskb)->len - tcphoff;
> + tcph = (struct tcphdr *)(skb_network_header(*pskb) + tcphoff);
> +
> + if (tcplen != 4 * tcph->doff)
> + return NF_DROP;
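Review bot: if the `if (tcplen != 4 * tcph->doff) return NF_DROP;` equality test is relaxed so that segments carrying data are also mangled, keep a lower bound in its place, dropping when `tcplen < tcph->doff * 4`: the option walk below takes `tcph->doff` as the end of the header, and `skb_make_writable(pskb, (*pskb)->len)` only makes the bytes that are actually in the packet writable, so a header length larger than the remaining payload would otherwise have the loop read and write beyond the segment.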
Seems to be copied from TCPMSS - but I don't see why you shouldn't allow
stripping options from packets with data.
> +
> + opt = (u_int8_t *)tcph;
> +
> + for (i = sizeof(struct tcphdr); i < 4 * tcph->doff; i += optl) {
> + optl = optlen(opt, i);
> +
> + if (optl + i > tcph->doff*4)
> + break;
> +
> + if (opt[i] == info->tcpoption) {
> + for (j = 0; j < optl; j++)
> + fast_csum(&tcph->check, opt + i + j,
> + &newopt, i + j);
> + if (optl & 1)
> + fast_csum(&tcph->check, &newopt,
> + &newopt, i + j);
> + memset(opt+i, newopt, optl);
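Review bot: the loop `for (i = sizeof(struct tcphdr); i < 4 * tcph->doff; i += optl)` only makes progress if `optlen(opt, i)` never returns 0; optlen() is not in the quoted portion, so make sure it treats a length byte of 0 (and the single-byte EOL and NOP kinds) as length 1, as the helper in TCPMSS does, otherwise a malformed options field stalls the loop. The `if (optl + i > tcph->doff*4) break;` check only bounds the read against the end of the header, it does not guard against a zero-length step.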
For TCPOPTSTRIP I would expect either real stripping or replacement
by TCPOPT_NOP. In which cases does replacement by something else
make sense?