[PATCH] Add xt_tos

[PATCH] Add xt_tos

[Jan Engelhardt]

Convert ipt_tos to xt_tos, adding support for IPv6.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_tos.h |   13 +++++++
 net/netfilter/Kconfig            |   10 ++++++
 net/netfilter/Makefile           |    1 
 net/netfilter/xt_tos.c           |   65 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 89 insertions(+)

Index: gitone/include/linux/netfilter/xt_tos.h
===================================================================
--- /dev/null
+++ gitone/include/linux/netfilter/xt_tos.h
@@ -0,0 +1,13 @@
+#ifndef _XT_TOS_MATCH_H
+#define _XT_TOS_MATCH_H
+
+struct xt_tos_info {
+	u_int8_t tos;
+	u_int8_t invert;
+};
+
+#ifndef IPTOS_NORMALSVC
+#	define IPTOS_NORMALSVC 0
+#endif
+
+#endif /* _XT_TOS_MATCH_H */
Index: gitone/net/netfilter/Kconfig
===================================================================
--- gitone.orig/net/netfilter/Kconfig
+++ gitone/net/netfilter/Kconfig
@@ -679,6 +679,16 @@ config NETFILTER_XT_MATCH_TIME
 	  If you want to compile it as a module, say M here.
 	  If unsure, say N.
 
+config NETFILTER_XT_MATCH_TOS
+	tristate '"tos" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	TOS matching allows you to match packets based on the Type Of
+	Service field of the IPv4 packet or Traffic Class field of
+	the IPv6 packet.
+
+	To compile it as a module, choose M here. If unsure, say N.
+
 config NETFILTER_XT_MATCH_U32
 	tristate '"u32" match support'
 	depends on NETFILTER_XTABLES
Index: gitone/net/netfilter/Makefile
===================================================================
--- gitone.orig/net/netfilter/Makefile
+++ gitone/net/netfilter/Makefile
@@ -77,4 +77,5 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTI
 obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_TOS) += xt_tos.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
Index: gitone/net/netfilter/xt_tos.c
===================================================================
--- /dev/null
+++ gitone/net/netfilter/xt_tos.c
@@ -0,0 +1,65 @@
+/* Kernel module to match TOS values. */
+
+/* (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ * © 2007 CC Computer Consultants GmbH <jengelh@computergmbh.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tos.h>
+
+static bool
+xt_tos_match(const struct sk_buff *skb, const struct net_device *in,
+             const struct net_device *out, const struct xt_match *match,
+             const void *matchinfo, int offset, unsigned int protoff,
+             bool *hotdrop)
+{
+	const struct xt_tos_info *info = matchinfo;
+
+	if (match->family == AF_INET)
+		return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
+	else
+		return (ipv6_hdr(skb)->priority == info->tos) ^ info->invert;
+}
+
+static struct xt_match xt_tos_reg[] __read_mostly = {
+	{
+		.name      = "tos",
+		.family    = AF_INET,
+		.match     = xt_tos_match,
+		.matchsize = sizeof(struct xt_tos_info),
+		.me        = THIS_MODULE,
+	},
+	{
+		.name      = "tos",
+		.family    = AF_INET6,
+		.match     = xt_tos_match,
+		.matchsize = sizeof(struct xt_tos_info),
+		.me        = THIS_MODULE,
+	},
+};
+
+static int __init xt_tos_init(void)
+{
+	return xt_register_matches(xt_tos_reg, ARRAY_SIZE(xt_tos_reg));
+}
+
+static void __exit xt_tos_exit(void)
+{
+	xt_unregister_matches(xt_tos_reg, ARRAY_SIZE(xt_tos_reg));
+}
+
+module_init(xt_tos_init);
+module_exit(xt_tos_exit);
+MODULE_DESCRIPTION("netfilter \"tos\" match module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_tos");
+MODULE_ALIAS("ip6t_tos");

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Add xt_tos

[Patrick McHardy]

Jan Engelhardt wrote:
> Convert ipt_tos to xt_tos, adding support for IPv6.
>
> +MODULE_ALIAS("ipt_tos");
> +MODULE_ALIAS("ip6t_tos");

Looks good, but I think this breaks bisection since you remove ipt_tos
in a later patch. I'll fold those together and queue it up for 2.6.25.
Thanks Jan.

Re: [PATCH] Add xt_tos

[Jan Engelhardt]

On Oct 20 2007 17:25, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> Convert ipt_tos to xt_tos, adding support for IPv6.
>>
>> +MODULE_ALIAS("ipt_tos");
>> +MODULE_ALIAS("ip6t_tos");
>
> Looks good, but I think this breaks bisection since you remove ipt_tos
> in a later patch. I'll fold those together and queue it up for 2.6.25.
> Thanks Jan.
>
Someone please test it :)
I do not think it breaks compilation bisection.

The only thing I am worried about is iptables, because that needs
to move from ipt_tos.h to xt_tos.h and I am not sure how that is
going to fly unless the following requirement is put up:

	linux <= 2.6.24 : iptables <= 1.4.0
	linux >= 2.6.25 : iptables >= 1.4.1

i.e. a flag day for both projects.

Re: [PATCH] Add xt_tos

[Patrick McHardy]

Jan Engelhardt wrote:
> On Oct 20 2007 17:25, Patrick McHardy wrote:
>   
>> Jan Engelhardt wrote:
>>     
>>> Convert ipt_tos to xt_tos, adding support for IPv6.
>>>
>>> +MODULE_ALIAS("ipt_tos");
>>> +MODULE_ALIAS("ip6t_tos");
>>>       
>> Looks good, but I think this breaks bisection since you remove ipt_tos
>> in a later patch. I'll fold those together and queue it up for 2.6.25.
>> Thanks Jan.
>>
>>     
> Someone please test it :)
> I do not think it breaks compilation bisection.
>   

Not compilation, but after installation there will be two ipt_TOS modules
(well, one alias and one module). Better to do that in one step IMO.

Re: [PATCH] Add xt_tos

[Patrick McHardy]

Jan Engelhardt wrote:
> --- /dev/null
> +++ gitone/include/linux/netfilter/xt_tos.h
> @@ -0,0 +1,13 @@
> +#ifndef _XT_TOS_MATCH_H
> +#define _XT_TOS_MATCH_H
> +
> +struct xt_tos_info {
> +	u_int8_t tos;
> +	u_int8_t invert;
> +};
>   

I think this will break compatiblity on CRIS, which IIRC doesn't
perform any alignment (XT_ALIGN becomes a NOP) and thus the
structure size increases.

I've already queued up the patch with some changes (capital
letters removed from function names, keep ipt_TOS.h, Kbuild),
could you send me a fix on top of that? I guess the options
are to remove inversion or to introduce a new revision (or
to convice me that I'm wrong :))

Re: [PATCH] Add xt_tos

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 742 bytes --]

Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> --- /dev/null
>> +++ gitone/include/linux/netfilter/xt_tos.h
>> @@ -0,0 +1,13 @@
>> +#ifndef _XT_TOS_MATCH_H
>> +#define _XT_TOS_MATCH_H
>> +
>> +struct xt_tos_info {
>> +    u_int8_t tos;
>> +    u_int8_t invert;
>> +};
>>   
>
> I think this will break compatiblity on CRIS, which IIRC doesn't
> perform any alignment (XT_ALIGN becomes a NOP) and thus the
> structure size increases.
>
> I've already queued up the patch with some changes (capital
> letters removed from function names, keep ipt_TOS.h, Kbuild),
> could you send me a fix on top of that? I guess the options
> are to remove inversion or to introduce a new revision (or
> to convice me that I'm wrong :))

And the patch ..



[-- Attachment #2: x --]
[-- Type: text/plain, Size: 11285 bytes --]

[NETFILTER]: x_tables: convert ipt_TOS to xt_TOS

Convert ipt_TOS to xt_TOS, adding support for IPv6

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit b179fee4c192be068ae50684f0156a34d4b87462
tree 8bb868b52a236a07c708ebb69e793a3e0fb41abf
parent 4866d72ec7bf0feb2469506364bc27b8a712ecde
author Jan Engelhardt <jengelh@computergmbh.de> Sat, 20 Oct 2007 17:45:04 +0200
committer Patrick McHardy <kaber@trash.net> Sat, 20 Oct 2007 17:45:04 +0200

 include/linux/netfilter/Kbuild         |    1 
 include/linux/netfilter/xt_TOS.h       |   12 +++
 include/linux/netfilter_ipv4/ipt_TOS.h |    8 --
 net/ipv4/netfilter/Kconfig             |   10 --
 net/ipv4/netfilter/Makefile            |    1 
 net/ipv4/netfilter/ipt_TOS.c           |   87 ---------------------
 net/netfilter/Kconfig                  |    8 ++
 net/netfilter/Makefile                 |    1 
 net/netfilter/xt_TOS.c                 |  130 ++++++++++++++++++++++++++++++++
 9 files changed, 154 insertions(+), 104 deletions(-)

diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 2b91869..a170740 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -36,6 +36,7 @@ header-y += xt_tos.h
 header-y += xt_SECMARK.h
 header-y += xt_CONNSECMARK.h
 header-y += xt_TCPMSS.h
+header-y += xt_TOS.h
 
 unifdef-y += nf_conntrack_common.h
 unifdef-y += nf_conntrack_ftp.h
diff --git a/include/linux/netfilter/xt_TOS.h b/include/linux/netfilter/xt_TOS.h
new file mode 100644
index 0000000..5d7071a
--- /dev/null
+++ b/include/linux/netfilter/xt_TOS.h
@@ -0,0 +1,12 @@
+#ifndef _XT_TOS_TARGET_H
+#define _XT_TOS_TARGET_H
+
+#ifndef IPTOS_NORMALSVC
+#	define IPTOS_NORMALSVC 0
+#endif
+
+struct xt_TOS_info {
+	u_int8_t tos_value, tos_mask;
+};
+
+#endif /* _XT_TOS_TARGET_H */
diff --git a/include/linux/netfilter_ipv4/ipt_TOS.h b/include/linux/netfilter_ipv4/ipt_TOS.h
index 6bf9e1f..d80019c 100644
--- a/include/linux/netfilter_ipv4/ipt_TOS.h
+++ b/include/linux/netfilter_ipv4/ipt_TOS.h
@@ -1,12 +1,8 @@
 #ifndef _IPT_TOS_H_target
 #define _IPT_TOS_H_target
 
-#ifndef IPTOS_NORMALSVC
-#define IPTOS_NORMALSVC 0
-#endif
+#include <linux/netfilter/xt_TOS.h>
 
-struct ipt_tos_target_info {
-	u_int8_t tos;
-};
+#define ipt_tos_target_info xt_TOS_info
 
 #endif /*_IPT_TOS_H_target*/
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 27cd7cd..30c61a0 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -302,16 +302,6 @@ config IP_NF_MANGLE
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_TARGET_TOS
-	tristate "TOS target support"
-	depends on IP_NF_MANGLE
-	help
-	  This option adds a `TOS' target, which allows you to create rules in
-	  the `mangle' table which alter the Type Of Service field of an IP
-	  packet prior to routing.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 config IP_NF_TARGET_ECN
 	tristate "ECN target support"
 	depends on IP_NF_MANGLE
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index c5d906b..5704fc9 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -58,7 +58,6 @@ obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
 obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
-obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 
diff --git a/net/ipv4/netfilter/ipt_TOS.c b/net/ipv4/netfilter/ipt_TOS.c
deleted file mode 100644
index d4573ba..0000000
--- a/net/ipv4/netfilter/ipt_TOS.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* This is a module which is used for setting the TOS field of a packet. */
-
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ipt_TOS.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables TOS mangling module");
-
-static unsigned int
-target(struct sk_buff *skb,
-       const struct net_device *in,
-       const struct net_device *out,
-       unsigned int hooknum,
-       const struct xt_target *target,
-       const void *targinfo)
-{
-	const struct ipt_tos_target_info *tosinfo = targinfo;
-	struct iphdr *iph = ip_hdr(skb);
-
-	if ((iph->tos & IPTOS_TOS_MASK) != tosinfo->tos) {
-		__u8 oldtos;
-		if (!skb_make_writable(skb, sizeof(struct iphdr)))
-			return NF_DROP;
-		iph = ip_hdr(skb);
-		oldtos = iph->tos;
-		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
-		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
-	}
-	return XT_CONTINUE;
-}
-
-static bool
-checkentry(const char *tablename,
-	   const void *e_void,
-	   const struct xt_target *target,
-	   void *targinfo,
-	   unsigned int hook_mask)
-{
-	const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos;
-
-	if (tos != IPTOS_LOWDELAY
-	    && tos != IPTOS_THROUGHPUT
-	    && tos != IPTOS_RELIABILITY
-	    && tos != IPTOS_MINCOST
-	    && tos != IPTOS_NORMALSVC) {
-		printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
-		return false;
-	}
-	return true;
-}
-
-static struct xt_target ipt_tos_reg __read_mostly = {
-	.name		= "TOS",
-	.family		= AF_INET,
-	.target		= target,
-	.targetsize	= sizeof(struct ipt_tos_target_info),
-	.table		= "mangle",
-	.checkentry	= checkentry,
-	.me		= THIS_MODULE,
-};
-
-static int __init ipt_tos_init(void)
-{
-	return xt_register_target(&ipt_tos_reg);
-}
-
-static void __exit ipt_tos_fini(void)
-{
-	xt_unregister_target(&ipt_tos_reg);
-}
-
-module_init(ipt_tos_init);
-module_exit(ipt_tos_fini);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 0f7af69..d58e3d5 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -418,6 +418,14 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
 	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
 	  TCP options from TCP packets.
 
+config NETFILTER_XT_TARGET_TOS
+	tristate '"TOS" target support'
+	depends on NETFILTER_XTABLES
+	---help---
+	This option adds a "TOS" target, which allows you to create rules in
+	the "mangle" table to alter the Type Of Service field of an IPv4
+	packet or the Traffic Class field of an IPv6 packet prior to routing.
+
 config NETFILTER_XT_MATCH_COMMENT
 	tristate  '"comment" match support'
 	depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 4d40040..e2a0285 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -49,6 +49,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TOS) += xt_TOS.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
 
 # matches
diff --git a/net/netfilter/xt_TOS.c b/net/netfilter/xt_TOS.c
new file mode 100644
index 0000000..5d77cb4
--- /dev/null
+++ b/net/netfilter/xt_TOS.c
@@ -0,0 +1,130 @@
+/* This is a module which is used for setting the TOS field of a packet. */
+
+/* (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ * © 2007 CC Computer Consultants GmbH <jengelh@computergmbh.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <net/checksum.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TOS.h>
+
+static unsigned int
+xt_tos_target4(struct sk_buff *skb, const struct net_device *in,
+               const struct net_device *out, unsigned int hooknum,
+               const struct xt_target *target, const void *targinfo)
+{
+	const struct xt_TOS_info *info = targinfo;
+	struct iphdr *iph = ip_hdr(skb);
+	u_int8_t old_tos;
+
+	if ((iph->tos & IPTOS_TOS_MASK) == info->tos_value)
+		return XT_CONTINUE;
+
+	if (!skb_make_writable(skb, sizeof(struct iphdr)))
+		return NF_DROP;
+
+	iph      = ip_hdr(skb);
+	old_tos  = iph->tos;
+	iph->tos = (iph->tos & IPTOS_PREC_MASK) |
+	           ((iph->tos & info->tos_mask) ^ info->tos_value);
+	nf_csum_replace2(&iph->check, htons(old_tos), htons(iph->tos));
+	return XT_CONTINUE;
+}
+
+static unsigned int
+xt_tos_target6(struct sk_buff *skb, const struct net_device *in,
+               const struct net_device *out, unsigned int hooknum,
+               const struct xt_target *target, const void *targinfo)
+{
+	const struct xt_TOS_info *info = targinfo;
+	struct ipv6hdr *iph = ipv6_hdr(skb);
+
+	if (iph->priority == info->tos_value)
+		return XT_CONTINUE;
+
+	if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
+		return NF_DROP;
+
+	iph            = ipv6_hdr(skb);
+	iph->priority &= info->tos_mask;
+	iph->priority ^= info->tos_value;
+	return XT_CONTINUE;
+}
+
+static bool
+xt_tos_check(const char *tablename, const void *e_void,
+             const struct xt_target *target, void *targinfo,
+             unsigned int hook_mask)
+{
+	const struct xt_TOS_info *info = targinfo;
+
+	if (target->family == AF_INET6 && info->tos_value > 0xF) {
+		printk(KERN_WARNING KBUILD_MODNAME
+		       ": Traffic Class field may only take values 0-15\n");
+		return false;
+	}
+
+	if (target->family == AF_INET) {
+		if ((info->tos_value & ~IPTOS_TOS_MASK) != 0) {
+			printk(KERN_WARNING KBUILD_MODNAME
+			       ": Bad TOS value %#x\n", info->tos_value);
+			return false;
+		}
+		if ((info->tos_mask & ~IPTOS_TOS_MASK) != 0) {
+			printk(KERN_WARNING KBUILD_MODNAME
+			       ": Bad mask for TOS operation: %#x\n",
+			       info->tos_mask);
+			return false;
+		}
+	}
+
+	return true;
+}
+
+static struct xt_target xt_tos_reg[] __read_mostly = {
+	{
+		.name		= "TOS",
+		.family		= AF_INET,
+		.target		= xt_tos_target4,
+		.targetsize	= sizeof(struct xt_TOS_info),
+		.table		= "mangle",
+		.checkentry	= xt_tos_check,
+		.me		= THIS_MODULE,
+	},
+	{
+		.name		= "TOS",
+		.family		= AF_INET6,
+		.target		= xt_tos_target6,
+		.targetsize	= sizeof(struct xt_TOS_info),
+		.table		= "mangle",
+		.checkentry	= xt_tos_check,
+		.me		= THIS_MODULE,
+	},
+};
+
+static int __init xt_tos_init(void)
+{
+	return xt_register_targets(xt_tos_reg, ARRAY_SIZE(xt_tos_reg));
+}
+
+static void __exit xt_tos_exit(void)
+{
+	xt_unregister_targets(xt_tos_reg, ARRAY_SIZE(xt_tos_reg));
+}
+
+module_init(xt_tos_init);
+module_exit(xt_tos_exit);
+MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+MODULE_DESCRIPTION("netfilter \"TOS\" target module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_TOS");
+MODULE_ALIAS("ip6t_TOS");

Re: [PATCH] Add xt_tos

[Jan Engelhardt]

On Oct 20 2007 17:48, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> --- /dev/null
>> +++ gitone/include/linux/netfilter/xt_tos.h
>> @@ -0,0 +1,13 @@
>> +#ifndef _XT_TOS_MATCH_H
>> +#define _XT_TOS_MATCH_H
>> +
>> +struct xt_tos_info {
>> +	u_int8_t tos;
>> +	u_int8_t invert;
>> +};
>>   
>
> I think this will break compatiblity on CRIS, which IIRC doesn't
> perform any alignment (XT_ALIGN becomes a NOP) and thus the
> structure size increases.

Hah, you screwed it up!
You quote xt_tos, but the patch is xt_TOS :)

> I've already queued up the patch with some changes (capital
> letters removed from function names, keep ipt_TOS.h, Kbuild),
> could you send me a fix on top of that? I guess the options
> are to remove inversion or to introduce a new revision (or
> to convice me that I'm wrong :))

I'll fix it up, somehow.

Re: [PATCH] Add xt_tos

[Jan Engelhardt]

On Oct 20 2007 17:48, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> --- /dev/null
>> +++ gitone/include/linux/netfilter/xt_tos.h
>> @@ -0,0 +1,13 @@
>> +#ifndef _XT_TOS_MATCH_H
>> +#define _XT_TOS_MATCH_H
>> +
>> +struct xt_tos_info {
>> +	u_int8_t tos;
>> +	u_int8_t invert;
>> +};
>>   
>
> I think this will break compatiblity on CRIS, which IIRC doesn't
> perform any alignment (XT_ALIGN becomes a NOP) and thus the
> structure size increases.

Alignment, where? There are no holes here.

Note that ipt_tos(_match)_info also had these two fields.

Re: [PATCH] Add xt_tos

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 809 bytes --]

Jan Engelhardt wrote:
> On Oct 20 2007 17:48, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> --- /dev/null
>>> +++ gitone/include/linux/netfilter/xt_tos.h
>>> @@ -0,0 +1,13 @@
>>> +#ifndef _XT_TOS_MATCH_H
>>> +#define _XT_TOS_MATCH_H
>>> +
>>> +struct xt_tos_info {
>>> +	u_int8_t tos;
>>> +	u_int8_t invert;
>>> +};
>>>   
>> I think this will break compatiblity on CRIS, which IIRC doesn't
>> perform any alignment (XT_ALIGN becomes a NOP) and thus the
>> structure size increases.
> 
> Alignment, where? There are no holes here.

XT_ALIGN - it pads to multiples of the highest alignment
requirement of u{8,16,32,64} - which is 1 one CRIS.

> Note that ipt_tos(_match)_info also had these two fields.

Right, I mixed something up. So the patch I queued (attached
again for reference) seems to be fine.

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 8267 bytes --]

[NETFILTER]: x_tables: convert ipt_tos to xt_tos

Convert ipt_tos to xt_tos, adding support for IPv6

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit f8abb93075208dcfe0986dfbbfdb26681fa1325a
tree 0770c5ad87498a6b60970de451ba5acb3380740f
parent 21509062e54afc85b230256e61a91a6f5a66de06
author Jan Engelhardt <jengelh@computergmbh.de> Tue, 23 Oct 2007 16:09:24 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 23 Oct 2007 16:09:24 +0200

 include/linux/netfilter/Kbuild         |    1 
 include/linux/netfilter/xt_tos.h       |   13 ++++++
 include/linux/netfilter_ipv4/ipt_tos.h |    9 +---
 net/ipv4/netfilter/Kconfig             |    9 ----
 net/ipv4/netfilter/Makefile            |    1 
 net/ipv4/netfilter/ipt_tos.c           |   55 ---------------------------
 net/netfilter/Kconfig                  |   10 +++++
 net/netfilter/Makefile                 |    1 
 net/netfilter/xt_tos.c                 |   65 ++++++++++++++++++++++++++++++++
 9 files changed, 92 insertions(+), 72 deletions(-)

diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index f2eaea2..2b91869 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -32,6 +32,7 @@ header-y += xt_statistic.h
 header-y += xt_string.h
 header-y += xt_tcpmss.h
 header-y += xt_tcpudp.h
+header-y += xt_tos.h
 header-y += xt_SECMARK.h
 header-y += xt_CONNSECMARK.h
 header-y += xt_TCPMSS.h
diff --git a/include/linux/netfilter/xt_tos.h b/include/linux/netfilter/xt_tos.h
new file mode 100644
index 0000000..5453032
--- /dev/null
+++ b/include/linux/netfilter/xt_tos.h
@@ -0,0 +1,13 @@
+#ifndef _XT_TOS_MATCH_H
+#define _XT_TOS_MATCH_H
+
+struct xt_tos_info {
+	u_int8_t tos;
+	u_int8_t invert;
+};
+
+#ifndef IPTOS_NORMALSVC
+#	define IPTOS_NORMALSVC 0
+#endif
+
+#endif /* _XT_TOS_MATCH_H */
diff --git a/include/linux/netfilter_ipv4/ipt_tos.h b/include/linux/netfilter_ipv4/ipt_tos.h
index a21f5df..3b610cc 100644
--- a/include/linux/netfilter_ipv4/ipt_tos.h
+++ b/include/linux/netfilter_ipv4/ipt_tos.h
@@ -1,13 +1,8 @@
 #ifndef _IPT_TOS_H
 #define _IPT_TOS_H
 
-struct ipt_tos_info {
-    u_int8_t tos;
-    u_int8_t invert;
-};
+#include <linux/netfilter/xt_tos.h>
 
-#ifndef IPTOS_NORMALSVC
-#define IPTOS_NORMALSVC 0
-#endif
+#define ipt_tos_info	xt_tos_info
 
 #endif /*_IPT_TOS_H*/
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index fa97947..27cd7cd 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -63,15 +63,6 @@ config IP_NF_MATCH_IPRANGE
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_MATCH_TOS
-	tristate "TOS match support"
-	depends on IP_NF_IPTABLES
-	help
-	  TOS matching allows you to match packets based on the Type Of
-	  Service fields of the IP packet.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 config IP_NF_MATCH_RECENT
 	tristate "recent match support"
 	depends on IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 7456833..c5d906b 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -47,7 +47,6 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
-obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 
 # targets
diff --git a/net/ipv4/netfilter/ipt_tos.c b/net/ipv4/netfilter/ipt_tos.c
deleted file mode 100644
index e740441..0000000
--- a/net/ipv4/netfilter/ipt_tos.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/* Kernel module to match TOS values. */
-
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/ip.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-
-#include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter/x_tables.h>
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("iptables TOS match module");
-
-static bool
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const struct xt_match *match,
-      const void *matchinfo,
-      int offset,
-      unsigned int protoff,
-      bool *hotdrop)
-{
-	const struct ipt_tos_info *info = matchinfo;
-
-	return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
-}
-
-static struct xt_match tos_match __read_mostly = {
-	.name		= "tos",
-	.family		= AF_INET,
-	.match		= match,
-	.matchsize	= sizeof(struct ipt_tos_info),
-	.me		= THIS_MODULE,
-};
-
-static int __init ipt_multiport_init(void)
-{
-	return xt_register_match(&tos_match);
-}
-
-static void __exit ipt_multiport_fini(void)
-{
-	xt_unregister_match(&tos_match);
-}
-
-module_init(ipt_multiport_init);
-module_exit(ipt_multiport_fini);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 607cc8a..0f7af69 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -686,6 +686,16 @@ config NETFILTER_XT_MATCH_TIME
 	  If you want to compile it as a module, say M here.
 	  If unsure, say N.
 
+config NETFILTER_XT_MATCH_TOS
+	tristate '"tos" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	TOS matching allows you to match packets based on the Type Of
+	Service field of the IPv4 packet or Traffic Class field of
+	the IPv6 packet.
+
+	To compile it as a module, choose M here. If unsure, say N.
+
 config NETFILTER_XT_MATCH_U32
 	tristate '"u32" match support'
 	depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 7763dea..4d40040 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -78,4 +78,5 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_TOS) += xt_tos.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
diff --git a/net/netfilter/xt_tos.c b/net/netfilter/xt_tos.c
new file mode 100644
index 0000000..f625cc1
--- /dev/null
+++ b/net/netfilter/xt_tos.c
@@ -0,0 +1,65 @@
+/* Kernel module to match TOS values. */
+
+/* (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ * © 2007 CC Computer Consultants GmbH <jengelh@computergmbh.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tos.h>
+
+static bool
+xt_tos_match(const struct sk_buff *skb, const struct net_device *in,
+             const struct net_device *out, const struct xt_match *match,
+             const void *matchinfo, int offset, unsigned int protoff,
+             bool *hotdrop)
+{
+	const struct xt_tos_info *info = matchinfo;
+
+	if (match->family == AF_INET)
+		return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
+	else
+		return (ipv6_hdr(skb)->priority == info->tos) ^ info->invert;
+}
+
+static struct xt_match xt_tos_reg[] __read_mostly = {
+	{
+		.name      = "tos",
+		.family    = AF_INET,
+		.match     = xt_tos_match,
+		.matchsize = sizeof(struct xt_tos_info),
+		.me        = THIS_MODULE,
+	},
+	{
+		.name      = "tos",
+		.family    = AF_INET6,
+		.match     = xt_tos_match,
+		.matchsize = sizeof(struct xt_tos_info),
+		.me        = THIS_MODULE,
+	},
+};
+
+static int __init xt_tos_init(void)
+{
+	return xt_register_matches(xt_tos_reg, ARRAY_SIZE(xt_tos_reg));
+}
+
+static void __exit xt_tos_exit(void)
+{
+	xt_unregister_matches(xt_tos_reg, ARRAY_SIZE(xt_tos_reg));
+}
+
+module_init(xt_tos_init);
+module_exit(xt_tos_exit);
+MODULE_DESCRIPTION("netfilter \"tos\" match module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_tos");
+MODULE_ALIAS("ip6t_tos");

Re: [PATCH] Add xt_tos

[Jan Engelhardt]

On Oct 23 2007 16:12, Patrick McHardy wrote:
>> > > +struct xt_tos_info {
>> > > +	u_int8_t tos;
>> > > +	u_int8_t invert;
>> > > +};
>
> XT_ALIGN - it pads to multiples of the highest alignment
> requirement of u{8,16,32,64} - which is 1 one CRIS.

Even then I do not see where the problem is.
If CRIS kernelspace has 1-alignment, then its userspace
will have the same.

>> Note that ipt_tos(_match)_info also had these two fields.
>
> Right, I mixed something up. So the patch I queued (attached
> again for reference) seems to be fine.
>
Please drop it, I resend it (with new functionality).

Re: [PATCH] Add xt_tos

[Patrick McHardy]

Jan Engelhardt wrote:
> On Oct 23 2007 16:12, Patrick McHardy wrote:
>>>>> +struct xt_tos_info {
>>>>> +	u_int8_t tos;
>>>>> +	u_int8_t invert;
>>>>> +};
>> XT_ALIGN - it pads to multiples of the highest alignment
>> requirement of u{8,16,32,64} - which is 1 one CRIS.
> 
> Even then I do not see where the problem is.
> If CRIS kernelspace has 1-alignment, then its userspace
> will have the same.
> 
>>> Note that ipt_tos(_match)_info also had these two fields.
>> Right, I mixed something up. So the patch I queued (attached
>> again for reference) seems to be fine.
>>
> Please drop it, I resend it (with new functionality).


OK. Since this is getting confusing and I get clashes with
your other patches, I'm going to drop both xt_tos and
xt_TOS. Please resend both once you've finished them.
Thanks.