* NF [PATCH 1/6] Use lowercase names for matches
@ 2007-11-26 23:42 Jan Engelhardt
  2007-11-26 23:42 ` NF [PATCH 2/6] Constify include/net/dsfield.h Jan Engelhardt
                   ` (8 more replies)
  0 siblings, 9 replies; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:42 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Unify netfilter match kconfig descriptions

Consistently use lowercase for matches in kconfig one-line
descriptions and name the match module.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 net/ipv4/netfilter/Kconfig |   21 ++++++---------------
 net/ipv6/netfilter/Kconfig |   16 ++++++++--------
 net/netfilter/Kconfig      |    8 ++++----
 3 files changed, 18 insertions(+), 27 deletions(-)

Index: linux-2.6/net/ipv4/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/Kconfig
+++ linux-2.6/net/ipv4/netfilter/Kconfig
@@ -55,7 +55,7 @@ config IP_NF_IPTABLES
 
 # The matches.
 config IP_NF_MATCH_IPRANGE
-	tristate "IP range match support"
+	tristate '"iprange" match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This option makes possible to match IP addresses against IP address
@@ -63,17 +63,8 @@ config IP_NF_MATCH_IPRANGE
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_MATCH_TOS
-	tristate "TOS match support"
-	depends on IP_NF_IPTABLES
-	help
-	  TOS matching allows you to match packets based on the Type Of
-	  Service fields of the IP packet.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 config IP_NF_MATCH_RECENT
-	tristate "recent match support"
+	tristate '"recent" match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This match is used for creating one or many lists of recently
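Review bot: The removal of `config IP_NF_MATCH_TOS` in this hunk is not a description change, and the commit message only mentions lowercasing the one-line descriptions. The Makefile line `obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o` and ipt_tos.c itself are only dropped in patch 3/6, so with this patch applied alone the symbol can no longer be selected and the "tos" match is silently left out of the build. That breaks bisection, and a ruleset relying on `-m tos` would fail to load on such a kernel. Keep the entry here, retitled as `tristate '"tos" match support'`, and delete it in 3/6 together with the module.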
@@ -85,7 +76,7 @@ config IP_NF_MATCH_RECENT
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP_NF_MATCH_ECN
-	tristate "ECN match support"
+	tristate '"ecn" match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This option adds a `ECN' match, which allows you to match against
@@ -94,7 +85,7 @@ config IP_NF_MATCH_ECN
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP_NF_MATCH_AH
-	tristate "AH match support"
+	tristate '"ah" match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This match extension allows you to match a range of SPIs
@@ -103,7 +94,7 @@ config IP_NF_MATCH_AH
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP_NF_MATCH_TTL
-	tristate "TTL match support"
+	tristate '"ttl" match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
@@ -112,7 +103,7 @@ config IP_NF_MATCH_TTL
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP_NF_MATCH_ADDRTYPE
-	tristate  'address type match support'
+	tristate '"addrtype" address type match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This option allows you to match what routing thinks of an address,
Index: linux-2.6/net/ipv6/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/ipv6/netfilter/Kconfig
+++ linux-2.6/net/ipv6/netfilter/Kconfig
@@ -54,7 +54,7 @@ config IP6_NF_IPTABLES
 
 # The simple matches.
 config IP6_NF_MATCH_RT
-	tristate "Routing header match support"
+	tristate '"rt" Routing header match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  rt matching allows you to match packets based on the routing
@@ -63,7 +63,7 @@ config IP6_NF_MATCH_RT
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_OPTS
-	tristate "Hop-by-hop and Dst opts header match support"
+	tristate '"hopbyhop" and "dst" opts header match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  This allows one to match packets based on the hop-by-hop
@@ -72,7 +72,7 @@ config IP6_NF_MATCH_OPTS
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_FRAG
-	tristate "Fragmentation header match support"
+	tristate '"frag" Fragmentation header match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  frag matching allows you to match packets based on the fragmentation
@@ -81,7 +81,7 @@ config IP6_NF_MATCH_FRAG
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_HL
-	tristate "HL match support"
+	tristate '"hl" match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  HL matching allows you to match packets based on the hop
@@ -90,7 +90,7 @@ config IP6_NF_MATCH_HL
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_IPV6HEADER
-	tristate "IPv6 Extension Headers Match"
+	tristate '"ipv6header" IPv6 Extension Headers Match'
 	depends on IP6_NF_IPTABLES
 	help
 	  This module allows one to match packets based upon
@@ -99,7 +99,7 @@ config IP6_NF_MATCH_IPV6HEADER
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_AH
-	tristate "AH match support"
+	tristate '"ah" match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  This module allows one to match AH packets.
@@ -107,7 +107,7 @@ config IP6_NF_MATCH_AH
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_MH
-	tristate "MH match support"
+	tristate '"mh" match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  This module allows one to match MH packets.
@@ -115,7 +115,7 @@ config IP6_NF_MATCH_MH
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_EUI64
-	tristate "EUI64 address check"
+	tristate '"eui64" address check'
 	depends on IP6_NF_IPTABLES
 	help
 	  This module performs checking on the IPv6 source address
Index: linux-2.6/net/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/netfilter/Kconfig
+++ linux-2.6/net/netfilter/Kconfig
@@ -468,7 +468,7 @@ config NETFILTER_XT_MATCH_CONNTRACK
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NETFILTER_XT_MATCH_DCCP
-	tristate  '"DCCP" protocol match support'
+	tristate '"dccp" protocol match support'
 	depends on NETFILTER_XTABLES
 	help
 	  With this option enabled, you will be able to use the iptables
@@ -479,7 +479,7 @@ config NETFILTER_XT_MATCH_DCCP
 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
 config NETFILTER_XT_MATCH_DSCP
-	tristate '"DSCP" match support'
+	tristate '"dscp" match support'
 	depends on NETFILTER_XTABLES
 	help
 	  This option adds a `DSCP' match, which allows you to match against
@@ -490,7 +490,7 @@ config NETFILTER_XT_MATCH_DSCP
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NETFILTER_XT_MATCH_ESP
-	tristate '"ESP" match support'
+	tristate '"esp" match support'
 	depends on NETFILTER_XTABLES
 	help
 	  This match extension allows you to match a range of SPIs
@@ -565,7 +565,7 @@ config NETFILTER_XT_MATCH_POLICY
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NETFILTER_XT_MATCH_MULTIPORT
-	tristate "Multiple port match support"
+	tristate '"multiport" Multiple port match support'
 	depends on NETFILTER_XTABLES
 	help
 	  Multiport matching allows you to match TCP or UDP packets based on



* NF [PATCH 2/6] Constify include/net/dsfield.h
  2007-11-26 23:42 NF [PATCH 1/6] Use lowercase names for matches Jan Engelhardt
@ 2007-11-26 23:42 ` Jan Engelhardt
  2007-11-26 23:59   ` Patrick McHardy
  2007-11-26 23:43 ` NF [PATCH 3/6] Merge ipt_tos into xt_dscp Jan Engelhardt
                   ` (7 subsequent siblings)
  8 siblings, 1 reply; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:42 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Constify include/net/dsfield.h

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/net/dsfield.h |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Index: linux-2.6/include/net/dsfield.h
===================================================================
--- linux-2.6.orig/include/net/dsfield.h
+++ linux-2.6/include/net/dsfield.h
@@ -12,15 +12,15 @@
 #include <asm/byteorder.h>
 
 
-static inline __u8 ipv4_get_dsfield(struct iphdr *iph)
+static inline __u8 ipv4_get_dsfield(const struct iphdr *iph)
 {
 	return iph->tos;
 }
 
 
-static inline __u8 ipv6_get_dsfield(struct ipv6hdr *ipv6h)
+static inline __u8 ipv6_get_dsfield(const struct ipv6hdr *ipv6h)
 {
-	return ntohs(*(__be16 *) ipv6h) >> 4;
+	return ntohs(*(const __be16 *)ipv6h) >> 4;
 }
 
 


* NF [PATCH 3/6] Merge ipt_tos into xt_dscp
  2007-11-26 23:42 NF [PATCH 1/6] Use lowercase names for matches Jan Engelhardt
  2007-11-26 23:42 ` NF [PATCH 2/6] Constify include/net/dsfield.h Jan Engelhardt
@ 2007-11-26 23:43 ` Jan Engelhardt
  2007-11-26 23:54   ` NF [PATCH 3/6] (re) " Jan Engelhardt
  2007-11-27  0:01   ` NF [PATCH 3/6] " Patrick McHardy
  2007-11-26 23:43 ` NF [PATCH 4/6] Merge ipt_TOS into xt_DSCP Jan Engelhardt
                   ` (6 subsequent siblings)
  8 siblings, 2 replies; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:43 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Merge ipt_tos into xt_dscp.

Merge ipt_tos (tos v0 match) into xt_dscp. They both modify the same
field in the IPv4 header, so it seems reasonable to keep them in one
piece. This is part one of the implicit 4-patch series to move tos to
xtables and extend it by IPv6.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 net/ipv4/netfilter/Makefile  |    1 
 net/ipv4/netfilter/ipt_tos.c |   50 -------------------------------------------
 net/netfilter/Kconfig        |    6 ++++-
 net/netfilter/xt_dscp.c      |   24 ++++++++++++++++++--
 4 files changed, 27 insertions(+), 54 deletions(-)

Index: linux-2.6/net/ipv4/netfilter/Makefile
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/Makefile
+++ linux-2.6/net/ipv4/netfilter/Makefile
@@ -46,7 +46,6 @@ obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
-obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 
 # targets
Index: linux-2.6/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/ipt_tos.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/* Kernel module to match TOS values. */
-
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/ip.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-
-#include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter/x_tables.h>
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("iptables TOS match module");
-
-static bool
-tos_mt(const struct sk_buff *skb, const struct net_device *in,
-       const struct net_device *out, const struct xt_match *match,
-       const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
-{
-	const struct ipt_tos_info *info = matchinfo;
-
-	return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
-}
-
-static struct xt_match tos_mt_reg __read_mostly = {
-	.name		= "tos",
-	.family		= AF_INET,
-	.match		= tos_mt,
-	.matchsize	= sizeof(struct ipt_tos_info),
-	.me		= THIS_MODULE,
-};
-
-static int __init tos_mt_init(void)
-{
-	return xt_register_match(&tos_mt_reg);
-}
-
-static void __exit tos_mt_exit(void)
-{
-	xt_unregister_match(&tos_mt_reg);
-}
-
-module_init(tos_mt_init);
-module_exit(tos_mt_exit);
Index: linux-2.6/net/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/netfilter/Kconfig
+++ linux-2.6/net/netfilter/Kconfig
@@ -479,7 +479,7 @@ config NETFILTER_XT_MATCH_DCCP
 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
 config NETFILTER_XT_MATCH_DSCP
-	tristate '"dscp" match support'
+	tristate '"dscp" and "tos" match support'
 	depends on NETFILTER_XTABLES
 	help
 	  This option adds a `DSCP' match, which allows you to match against
@@ -487,6 +487,10 @@ config NETFILTER_XT_MATCH_DSCP
 
 	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
 
+	  It will also add a "tos" match, which allows you to match packets
+	  based on the Type Of Service fields of the IPv4 packet (which share
+	  the same bits as DSCP).
+
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NETFILTER_XT_MATCH_ESP
Index: linux-2.6/net/netfilter/xt_dscp.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_dscp.c
+++ linux-2.6/net/netfilter/xt_dscp.c
@@ -13,14 +13,16 @@
 #include <linux/ipv6.h>
 #include <net/dsfield.h>
 
-#include <linux/netfilter/xt_dscp.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_dscp.h>
+#include <linux/netfilter_ipv4/ipt_tos.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("x_tables DSCP matching module");
+MODULE_DESCRIPTION("x_tables DSCP/tos matching module");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_dscp");
 MODULE_ALIAS("ip6t_dscp");
+MODULE_ALIAS("ipt_tos");
 
 static bool
 dscp_mt(const struct sk_buff *skb, const struct net_device *in,
@@ -60,6 +62,16 @@ dscp_mt_check(const char *tablename, con
 	return true;
 }
 
+static bool tos_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+                      const struct net_device *out,
+                      const struct xt_match *match, const void *matchinfo,
+                      int offset, unsigned int protoff, bool *hotdrop)
+{
+	const struct ipt_tos_info *info = matchinfo;
+
+	return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
+}
+
 static struct xt_match dscp_mt_reg[] __read_mostly = {
 	{
 		.name		= "dscp",
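Review bot: `tos_mt_v0` XORs the comparison with the raw `info->invert` byte, so any value other than 0 or 1 in the rule blob makes the expression non-zero in both cases and the match returns true for every packet. The revision-1 handler added in patch 5/6 normalises the flag, and doing the same here keeps v0 well defined: `return (ip_hdr(skb)->tos == info->tos) ^ !!info->invert;`. The line is carried over unchanged from ipt_tos.c, so this is existing behaviour rather than a regression. It is still worth fixing during the move, because the "tos" revision 0 entry registered in the following hunk has no `.checkentry` that would reject such a value.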
@@ -77,6 +89,14 @@ static struct xt_match dscp_mt_reg[] __r
 		.matchsize	= sizeof(struct xt_dscp_info),
 		.me		= THIS_MODULE,
 	},
+	{
+		.name      = "tos",
+		.revision  = 0,
+		.family    = AF_INET,
+		.match     = tos_mt_v0,
+		.matchsize = sizeof(struct ipt_tos_info),
+		.me        = THIS_MODULE,
+	},
 };
 
 static int __init dscp_mt_init(void)


* NF [PATCH 4/6] Merge ipt_TOS into xt_DSCP
  2007-11-26 23:42 NF [PATCH 1/6] Use lowercase names for matches Jan Engelhardt
  2007-11-26 23:42 ` NF [PATCH 2/6] Constify include/net/dsfield.h Jan Engelhardt
  2007-11-26 23:43 ` NF [PATCH 3/6] Merge ipt_tos into xt_dscp Jan Engelhardt
@ 2007-11-26 23:43 ` Jan Engelhardt
  2007-11-27  0:02   ` Patrick McHardy
  2007-11-26 23:43 ` NF [PATCH 5/6] xt_tos v1 match Jan Engelhardt
                   ` (5 subsequent siblings)
  8 siblings, 1 reply; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:43 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Merge ipt_TOS into xt_DSCP.

Merge ipt_TOS (tos v0 target) into xt_DSCP. They both modify the same
field in the IPv4 header, so it seems reasonable to keep them in one
piece. This is part two of the implicit 4-patch series to move tos to
xtables and extend it by IPv6.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 net/ipv4/netfilter/Kconfig   |   10 -----
 net/ipv4/netfilter/Makefile  |    1 
 net/ipv4/netfilter/ipt_TOS.c |   82 -------------------------------------------
 net/netfilter/Kconfig        |    6 ++-
 net/netfilter/xt_DSCP.c      |   51 ++++++++++++++++++++++++++
 5 files changed, 56 insertions(+), 94 deletions(-)

Index: linux-2.6/net/ipv4/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/Kconfig
+++ linux-2.6/net/ipv4/netfilter/Kconfig
@@ -293,16 +293,6 @@ config IP_NF_MANGLE
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_TARGET_TOS
-	tristate "TOS target support"
-	depends on IP_NF_MANGLE
-	help
-	  This option adds a `TOS' target, which allows you to create rules in
-	  the `mangle' table which alter the Type Of Service field of an IP
-	  packet prior to routing.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 config IP_NF_TARGET_ECN
 	tristate "ECN target support"
 	depends on IP_NF_MANGLE
Index: linux-2.6/net/ipv4/netfilter/Makefile
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/Makefile
+++ linux-2.6/net/ipv4/netfilter/Makefile
@@ -57,7 +57,6 @@ obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
 obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
-obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 
Index: linux-2.6/net/ipv4/netfilter/ipt_TOS.c
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/ipt_TOS.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/* This is a module which is used for setting the TOS field of a packet. */
-
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ipt_TOS.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables TOS mangling module");
-
-static unsigned int
-tos_tg(struct sk_buff *skb, const struct net_device *in,
-       const struct net_device *out, unsigned int hooknum,
-       const struct xt_target *target, const void *targinfo)
-{
-	const struct ipt_tos_target_info *tosinfo = targinfo;
-	struct iphdr *iph = ip_hdr(skb);
-
-	if ((iph->tos & IPTOS_TOS_MASK) != tosinfo->tos) {
-		__u8 oldtos;
-		if (!skb_make_writable(skb, sizeof(struct iphdr)))
-			return NF_DROP;
-		iph = ip_hdr(skb);
-		oldtos = iph->tos;
-		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
-		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
-	}
-	return XT_CONTINUE;
-}
-
-static bool
-tos_tg_check(const char *tablename, const void *e_void,
-             const struct xt_target *target, void *targinfo,
-             unsigned int hook_mask)
-{
-	const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos;
-
-	if (tos != IPTOS_LOWDELAY
-	    && tos != IPTOS_THROUGHPUT
-	    && tos != IPTOS_RELIABILITY
-	    && tos != IPTOS_MINCOST
-	    && tos != IPTOS_NORMALSVC) {
-		printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
-		return false;
-	}
-	return true;
-}
-
-static struct xt_target tos_tg_reg __read_mostly = {
-	.name		= "TOS",
-	.family		= AF_INET,
-	.target		= tos_tg,
-	.targetsize	= sizeof(struct ipt_tos_target_info),
-	.table		= "mangle",
-	.checkentry	= tos_tg_check,
-	.me		= THIS_MODULE,
-};
-
-static int __init tos_tg_init(void)
-{
-	return xt_register_target(&tos_tg_reg);
-}
-
-static void __exit tos_tg_exit(void)
-{
-	xt_unregister_target(&tos_tg_reg);
-}
-
-module_init(tos_tg_init);
-module_exit(tos_tg_exit);
Index: linux-2.6/net/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/netfilter/Kconfig
+++ linux-2.6/net/netfilter/Kconfig
@@ -293,7 +293,7 @@ config NETFILTER_XT_TARGET_CONNMARK
 	  ipt_CONNMARK.ko.  If unsure, say `N'.
 
 config NETFILTER_XT_TARGET_DSCP
-	tristate '"DSCP" target support'
+	tristate '"DSCP" and "TOS" target support'
 	depends on NETFILTER_XTABLES
 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
 	help
@@ -302,6 +302,10 @@ config NETFILTER_XT_TARGET_DSCP
 
 	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
 
+	  It also adds the "TOS" target, which allows you to create rules in
+	  the "mangle" table which alter the Type Of Service field of an IPv4
+	  packet prior to routing.
+
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NETFILTER_XT_TARGET_MARK
Index: linux-2.6/net/netfilter/xt_DSCP.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_DSCP.c
+++ linux-2.6/net/netfilter/xt_DSCP.c
@@ -18,12 +18,14 @@
 
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_DSCP.h>
+#include <linux/netfilter_ipv4/ipt_TOS.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("x_tables DSCP modification module");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_DSCP");
 MODULE_ALIAS("ip6t_DSCP");
+MODULE_ALIAS("ipt_TOS");
 
 static unsigned int
 dscp_tg(struct sk_buff *skb, const struct net_device *in,
@@ -76,6 +78,45 @@ dscp_tg_check(const char *tablename, con
 	return true;
 }
 
+static unsigned int
+tos_tg_v0(struct sk_buff *skb, const struct net_device *in,
+          const struct net_device *out, unsigned int hooknum,
+          const struct xt_target *target, const void *targinfo)
+{
+	const struct ipt_tos_target_info *info = targinfo;
+	struct iphdr *iph = ip_hdr(skb);
+	u_int8_t oldtos;
+
+	if ((iph->tos & IPTOS_TOS_MASK) != info->tos) {
+		if (!skb_make_writable(skb, sizeof(struct iphdr)))
+			return NF_DROP;
+
+		iph      = ip_hdr(skb);
+		oldtos   = iph->tos;
+		iph->tos = (iph->tos & IPTOS_PREC_MASK) | info->tos;
+		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
+	}
+
+	return XT_CONTINUE;
+}
+
+static bool
+tos_tg_check_v0(const char *tablename, const void *e_void,
+                const struct xt_target *target, void *targinfo,
+                unsigned int hook_mask)
+{
+	const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos;
+
+	if (tos != IPTOS_LOWDELAY && tos != IPTOS_THROUGHPUT &&
+	    tos != IPTOS_RELIABILITY && tos != IPTOS_MINCOST &&
+	    tos != IPTOS_NORMALSVC) {
+		printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
+		return false;
+	}
+
+	return true;
+}
+
 static struct xt_target dscp_tg_reg[] __read_mostly = {
 	{
 		.name		= "DSCP",
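Review bot: `tos_tg_v0` open-codes the TOS rewrite and the checksum fix-up with `nf_csum_replace2()`, while the revision-1 handler added to this same file in patch 6/6 goes through `ipv4_change_dsfield()`, so the file ends up with two ways of doing the same header update. Assuming `<net/dsfield.h>` is already included by xt_DSCP.c (the include list is outside this hunk), `ipv4_change_dsfield(iph, IPTOS_PREC_MASK, info->tos);` would replace the three assignment/checksum lines and make `oldtos` unnecessary. In `tos_tg_check_v0` the inline cast `((struct ipt_tos_target_info *)targinfo)->tos` would read better as a `const struct ipt_tos_target_info *info = targinfo;` local, matching `tos_tg_v0`. Both functions are moved from ipt_TOS.c, so these are style points only.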
@@ -95,6 +136,16 @@ static struct xt_target dscp_tg_reg[] __
 		.table		= "mangle",
 		.me		= THIS_MODULE,
 	},
+	{
+		.name       = "TOS",
+		.revision   = 0,
+		.family     = AF_INET,
+		.table      = "mangle",
+		.target     = tos_tg_v0,
+		.targetsize = sizeof(struct ipt_tos_target_info),
+		.checkentry = tos_tg_check_v0,
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init dscp_tg_init(void)


* NF [PATCH 5/6] xt_tos v1 match
  2007-11-26 23:42 NF [PATCH 1/6] Use lowercase names for matches Jan Engelhardt
                   ` (2 preceding siblings ...)
  2007-11-26 23:43 ` NF [PATCH 4/6] Merge ipt_TOS into xt_DSCP Jan Engelhardt
@ 2007-11-26 23:43 ` Jan Engelhardt
  2007-11-27  0:03   ` Patrick McHardy
  2007-11-26 23:43 ` NF [PATCH 6/6] xt_TOS v1 target Jan Engelhardt
                   ` (4 subsequent siblings)
  8 siblings, 1 reply; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:43 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Import xt_tos v1 match

Extends the xt_dscp match by xt_tos v1 to add support for selectively
matching any bit in the IPv4 TOS and IPv6 Priority fields. (ipt_tos
and xt_dscp only accepted a limited range of possible values.)

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_dscp.h |    6 ++++++
 net/netfilter/xt_dscp.c           |   32 ++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

Index: linux-2.6/include/linux/netfilter/xt_dscp.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_dscp.h
+++ linux-2.6/include/linux/netfilter/xt_dscp.h
@@ -20,4 +20,10 @@ struct xt_dscp_info {
 	u_int8_t invert;
 };
 
+struct xt_tos_match_info {
+	u_int8_t tos_mask;
+	u_int8_t tos_value;
+	u_int8_t invert;
+};
+
 #endif /* _XT_DSCP_H */
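Review bot: `struct xt_tos_match_info` puts `tos_mask` before `tos_value`, whereas `struct xt_tos_target_info` added in patch 6/6 puts `tos_value` first. Both layouts are shared with userspace, so the order cannot be changed once released, and the mismatch invites swapped initialisers in the iptables extensions; pick one order for both structs. The fields are also undocumented; a comment above the struct such as `/* matches when (tos & tos_mask) == tos_value; result is flipped if invert is non-zero */` would state the contract that `tos_mt` implements. Note that a rule whose `tos_value` has bits outside `tos_mask` can never match uninverted, and nothing in this patch rejects it.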
Index: linux-2.6/net/netfilter/xt_dscp.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_dscp.c
+++ linux-2.6/net/netfilter/xt_dscp.c
@@ -23,6 +23,7 @@ MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_dscp");
 MODULE_ALIAS("ip6t_dscp");
 MODULE_ALIAS("ipt_tos");
+MODULE_ALIAS("ip6t_tos");
 
 static bool
 dscp_mt(const struct sk_buff *skb, const struct net_device *in,
@@ -72,6 +73,21 @@ static bool tos_mt_v0(const struct sk_bu
 	return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
 }
 
+static bool tos_mt(const struct sk_buff *skb, const struct net_device *in,
+                   const struct net_device *out, const struct xt_match *match,
+                   const void *matchinfo, int offset, unsigned int protoff,
+                   bool *hotdrop)
+{
+	const struct xt_tos_match_info *info = matchinfo;
+
+	if (match->family == AF_INET)
+		return ((ip_hdr(skb)->tos & info->tos_mask) ==
+		       info->tos_value) ^ !!info->invert;
+	else
+		return ((ipv6_get_dsfield(ipv6_hdr(skb)) & info->tos_mask) ==
+		       info->tos_value) ^ !!info->invert;
+}
+
 static struct xt_match dscp_mt_reg[] __read_mostly = {
 	{
 		.name		= "dscp",
@@ -97,6 +113,22 @@ static struct xt_match dscp_mt_reg[] __r
 		.matchsize = sizeof(struct ipt_tos_info),
 		.me        = THIS_MODULE,
 	},
+	{
+		.name      = "tos",
+		.revision  = 1,
+		.family    = AF_INET,
+		.match     = tos_mt,
+		.matchsize = sizeof(struct xt_tos_match_info),
+		.me        = THIS_MODULE,
+	},
+	{
+		.name      = "tos",
+		.revision  = 1,
+		.family    = AF_INET6,
+		.match     = tos_mt,
+		.matchsize = sizeof(struct xt_tos_match_info),
+		.me        = THIS_MODULE,
+	},
 };
 
 static int __init dscp_mt_init(void)


* NF [PATCH 6/6] xt_TOS v1 target
  2007-11-26 23:42 NF [PATCH 1/6] Use lowercase names for matches Jan Engelhardt
                   ` (3 preceding siblings ...)
  2007-11-26 23:43 ` NF [PATCH 5/6] xt_tos v1 match Jan Engelhardt
@ 2007-11-26 23:43 ` Jan Engelhardt
  2007-11-27  0:05   ` Patrick McHardy
  2007-11-26 23:46 ` IPT [PATCH 1/3] Introduce bound_strtou() Jan Engelhardt
                   ` (3 subsequent siblings)
  8 siblings, 1 reply; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:43 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Import xt_tos v1 target

Extends the xt_DSCP target by xt_TOS v1 to add support for selectively
setting and flipping any bit in the IPv4 TOS and IPv6 Priority fields.
(ipt_TOS and xt_DSCP only accepted a limited range of possible
values.)

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_DSCP.h |    5 +++
 net/netfilter/Kconfig             |    2 -
 net/netfilter/xt_DSCP.c           |   63 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 1 deletion(-)

Index: linux-2.6/include/linux/netfilter/xt_DSCP.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_DSCP.h
+++ linux-2.6/include/linux/netfilter/xt_DSCP.h
@@ -17,4 +17,9 @@ struct xt_DSCP_info {
 	u_int8_t dscp;
 };
 
+struct xt_tos_target_info {
+	u_int8_t tos_value;
+	u_int8_t tos_mask;
+};
+
 #endif /* _XT_DSCP_TARGET_H */
Index: linux-2.6/net/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/netfilter/Kconfig
+++ linux-2.6/net/netfilter/Kconfig
@@ -304,7 +304,7 @@ config NETFILTER_XT_TARGET_DSCP
 
 	  It also adds the "TOS" target, which allows you to create rules in
 	  the "mangle" table which alter the Type Of Service field of an IPv4
-	  packet prior to routing.
+	  or the Priority field of an IPv6 packet, prior to routing.
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
Index: linux-2.6/net/netfilter/xt_DSCP.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_DSCP.c
+++ linux-2.6/net/netfilter/xt_DSCP.c
@@ -26,6 +26,7 @@ MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_DSCP");
 MODULE_ALIAS("ip6t_DSCP");
 MODULE_ALIAS("ipt_TOS");
+MODULE_ALIAS("ip6t_TOS");
 
 static unsigned int
 dscp_tg(struct sk_buff *skb, const struct net_device *in,
@@ -117,6 +118,50 @@ tos_tg_check_v0(const char *tablename, c
 	return true;
 }
 
+static unsigned int
+tos_tg(struct sk_buff *skb, const struct net_device *in,
+       const struct net_device *out, unsigned int hooknum,
+       const struct xt_target *target, const void *targinfo)
+{
+	const struct xt_tos_target_info *info = targinfo;
+	struct iphdr *iph = ip_hdr(skb);
+	u_int8_t orig, nv;
+
+	orig = ipv4_get_dsfield(iph);
+	nv   = (orig & info->tos_mask) ^ info->tos_value;
+
+	if (orig != nv) {
+		if (!skb_make_writable(skb, sizeof(struct iphdr)))
+			return NF_DROP;
+		iph = ip_hdr(skb);
+		ipv4_change_dsfield(iph, ~0, nv);
+	}
+
+	return XT_CONTINUE;
+}
+
+static unsigned int
+tos_tg6(struct sk_buff *skb, const struct net_device *in,
+        const struct net_device *out, unsigned int hooknum,
+        const struct xt_target *target, const void *targinfo)
+{
+	const struct xt_tos_target_info *info = targinfo;
+	struct ipv6hdr *iph = ipv6_hdr(skb);
+	u_int8_t orig, nv;
+
+	orig = ipv6_get_dsfield(iph);
+	nv   = (orig & info->tos_mask) ^ info->tos_value;
+
+	if (orig != nv) {
+		if (!skb_make_writable(skb, sizeof(struct iphdr)))
+			return NF_DROP;
+		iph = ipv6_hdr(skb);
+		ipv6_change_dsfield(iph, ~0, nv);
+	}
+
+	return XT_CONTINUE;
+}
+
 static struct xt_target dscp_tg_reg[] __read_mostly = {
 	{
 		.name		= "DSCP",
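Review bot: Both new handlers pass `~0` as the mask to `ipv4_change_dsfield()` / `ipv6_change_dsfield()`; as those helpers are defined in include/net/dsfield.h (their bodies are not shown on this page), the mask selects the bits of the old field to keep and the value is ORed in, so the packet ends up with `orig | nv` and the target can set bits but never clear them. Passing 0 writes `nv` as computed: `ipv4_change_dsfield(iph, 0, nv);` and `ipv6_change_dsfield(iph, 0, nv);`. In `tos_tg6` the writability request uses the IPv4 header size and should be `if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))`. The meaning of `tos_mask` in `nv = (orig & info->tos_mask) ^ info->tos_value` (bits kept, then XORed with the value) deserves a one-line comment, since neither revision-1 entry registers a `.checkentry` that would document or enforce it.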
@@ -146,6 +191,24 @@ static struct xt_target dscp_tg_reg[] __
 		.checkentry = tos_tg_check_v0,
 		.me         = THIS_MODULE,
 	},
+	{
+		.name       = "TOS",
+		.revision   = 1,
+		.family     = AF_INET,
+		.table      = "mangle",
+		.target     = tos_tg,
+		.targetsize = sizeof(struct xt_tos_target_info),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "TOS",
+		.revision   = 1,
+		.family     = AF_INET6,
+		.table      = "mangle",
+		.target     = tos_tg6,
+		.targetsize = sizeof(struct xt_tos_target_info),
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init dscp_tg_init(void)


* IPT [PATCH 1/3] Introduce bound_strtou()
  2007-11-26 23:42 NF [PATCH 1/6] Use lowercase names for matches Jan Engelhardt
                   ` (4 preceding siblings ...)
  2007-11-26 23:43 ` NF [PATCH 6/6] xt_TOS v1 target Jan Engelhardt
@ 2007-11-26 23:46 ` Jan Engelhardt
  2007-11-26 23:46   ` IPT [PATCH 2/3] libxt_tos match module Jan Engelhardt
  2007-11-26 23:46   ` IPT [PATCH 3/3] libxt_TOS target module Jan Engelhardt
  2007-11-26 23:51 ` NF [PATCH 1/6] (borked it!) Use lowercase names for matches Jan Engelhardt
                   ` (2 subsequent siblings)
  8 siblings, 2 replies; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:46 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


(This will be used by libxt_tos, libxt_TOS and more to come.)

===Patch begins here===

Introduce bound_strtou(), which works like string_to_number_ll(),
but updates ("passes back") the 'end' pointer. It is useful where
you want to do boundary checking yet work with strings that are
not entirely numbers recognized by strtoul(), e.g.:

	s = "1/2";
	if (!strtoul_bound(s, &end, &value, 0, 5))
		error("Zero-length string, or value out of bounds");
	if (*end != '/')
		error("Malformed string");
	info->param1 = value;
	if (!strtoul_bound(end + 1, &end, &value, 2, 4))
		error("..");
	if (*end != '\0')
		error("Malformed string");
	info->param2 = value;

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/xtables.h |    5 +++++
 xtables.c         |   33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

Index: iptables-modules/include/xtables.h
===================================================================
--- iptables-modules.orig/include/xtables.h
+++ iptables-modules/include/xtables.h
@@ -2,6 +2,7 @@
 #define _XTABLES_H
 
 #include <sys/types.h>
+#include <stdbool.h>
 #include <linux/netfilter/x_tables.h>
 #include <libiptc/libxtc.h>
 
@@ -205,6 +206,10 @@ extern int string_to_number(const char *
 			    unsigned int min,
 			    unsigned int max,
 			    unsigned int *ret);
+extern bool bound_strtoul(const char *, char **, unsigned long *,
+	unsigned long, unsigned long);
+extern bool bound_strtou(const char *, char **, unsigned int *,
+	unsigned int, unsigned int);
 extern int service_to_port(const char *name, const char *proto);
 extern u_int16_t parse_port(const char *port, const char *proto);
 extern void
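Review bot: The two new declarations carry no comment stating their contract, which callers cannot guess from the prototype: parsing uses strtoul() with base 0, so "010" is read as octal and "0x10" as hex, and a `max` of 0 means "no upper bound" rather than the range [0, 0]. I would add above them `/* Parse s via strtoul(s, end, 0); true only if digits were consumed and min <= value <= max (max == 0: no upper bound). *end is always set. */`. The example in the commit message also calls `strtoul_bound`, which is not the name declared here.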
Index: iptables-modules/xtables.c
===================================================================
--- iptables-modules.orig/xtables.c
+++ iptables-modules/xtables.c
@@ -20,6 +20,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <netdb.h>
+#include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -196,6 +197,38 @@ int string_to_number(const char *s, unsi
 	return result;
 }
 
+bool bound_strtoul(const char *s, char **end, unsigned long *value,
+                   unsigned long min, unsigned long max)
+{
+	unsigned long v;
+
+	errno = 0;
+	v = strtoul(s, end, 0);
+
+	if (*end == s)
+		return false;
+
+	if (errno != ERANGE && min <= v && (max == 0 || v <= max)) {
+		if (value != NULL)
+			*value = v;
+		return true;
+	}
+
+	return false;
+}
+
+bool bound_strtou(const char *s, char **end, unsigned int *value,
+                  unsigned int min, unsigned int max)
+{
+	unsigned long v;
+	bool ret;
+
+	ret = bound_strtoul(s, end, &v, min, max);
+	if (ret && value != NULL)
+		*value = v;
+	return ret;
+}
+
 int service_to_port(const char *name, const char *proto)
 {
 	struct servent *service;
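Review bot: `bound_strtou()` hands `max` to `bound_strtoul()` unchanged, so with `max == 0` (which the check `max == 0 || v <= max` treats as unbounded) a value above UINT_MAX is accepted wherever unsigned long is wider than unsigned int and is then truncated by `*value = v;`. Clamping in the wrapper closes that: `ret = bound_strtoul(s, end, &v, min, max != 0 ? max : UINT_MAX);` (needs `<limits.h>` if xtables.c does not already include it). Separately, strtoul() accepts a leading minus sign and returns the negated value without setting ERANGE, so signed input is only caught when an upper bound is given. If such input should be refused outright, an explicit sign check before the conversion is needed.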


* IPT [PATCH 2/3] libxt_tos match module
  2007-11-26 23:46 ` IPT [PATCH 1/3] Introduce bound_strtou() Jan Engelhardt
@ 2007-11-26 23:46   ` Jan Engelhardt
  2007-11-26 23:46   ` IPT [PATCH 3/3] libxt_TOS target module Jan Engelhardt
  1 sibling, 0 replies; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:46 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Upgrade libipt_tos to libxt_tos and use the new xt_tos v1 match.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 extensions/Makefile               |    4 
 extensions/libipt_tos.c           |  163 ---------------------------
 extensions/libipt_tos.man         |    9 -
 extensions/libxt_tos.c            |  223 ++++++++++++++++++++++++++++++++++++++
 extensions/libxt_tos.man          |   11 +
 extensions/tos_values.c           |   94 ++++++++++++++++
 include/linux/netfilter/xt_dscp.h |    6 +
 7 files changed, 336 insertions(+), 174 deletions(-)

Index: iptables-modules/extensions/Makefile
===================================================================
--- iptables-modules.orig/extensions/Makefile
+++ iptables-modules/extensions/Makefile
@@ -5,9 +5,9 @@
 # header files are present in the include/linux directory of this iptables
 # package (HW)
 #
-PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
+PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange policy realm recent ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
 PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh policy rt HL LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport owner physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
+PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport owner physdev pkttype quota sctp state statistic standard string tcp tcpmss time tos u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
 
 PF_EXT_SELINUX_SLIB:=
 PF6_EXT_SELINUX_SLIB:=
Index: iptables-modules/extensions/libipt_tos.c
===================================================================
--- iptables-modules.orig/extensions/libipt_tos.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/* Shared library add-on to iptables to add TOS matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_tos.h>
-
-/* TOS names and values. */
-static const
-struct TOS_value
-{
-	unsigned char TOS;
-	const char *name;
-} TOS_values[] = {
-	{ IPTOS_LOWDELAY,    "Minimize-Delay" },
-	{ IPTOS_THROUGHPUT,  "Maximize-Throughput" },
-	{ IPTOS_RELIABILITY, "Maximize-Reliability" },
-	{ IPTOS_MINCOST,     "Minimize-Cost" },
-	{ IPTOS_NORMALSVC,   "Normal-Service" },
-};
-
-/* Function which prints out usage message. */
-static void tos_help(void)
-{
-	unsigned int i;
-
-	printf(
-"TOS match v%s options:\n"
-"[!] --tos value                 Match Type of Service field from one of the\n"
-"                                following numeric or descriptive values:\n",
-IPTABLES_VERSION);
-
-	for (i = 0; i < sizeof(TOS_values)/sizeof(struct TOS_value);i++)
-		printf("                                     %s %u (0x%02x)\n",
-		       TOS_values[i].name,
-                       TOS_values[i].TOS,
-                       TOS_values[i].TOS);
-	fputc('\n', stdout);
-}
-
-static const struct option tos_opts[] = {
-	{ "tos", 1, NULL, '1' },
-	{ }
-};
-
-static void
-parse_tos(const char *s, struct ipt_tos_info *info)
-{
-	unsigned int i;
-	unsigned int tos;
-
-	if (string_to_number(s, 0, 255, &tos) != -1) {
-		if (tos == IPTOS_LOWDELAY
-		    || tos == IPTOS_THROUGHPUT
-		    || tos == IPTOS_RELIABILITY
-		    || tos == IPTOS_MINCOST
-		    || tos == IPTOS_NORMALSVC) {
-		    	info->tos = (u_int8_t )tos;
-		    	return;
-		}
-	} else {
-		for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
-			if (strcasecmp(s,TOS_values[i].name) == 0) {
-				info->tos = TOS_values[i].TOS;
-				return;
-			}
-	}
-	exit_error(PARAMETER_PROBLEM, "Bad TOS value `%s'", s);
-}
-
-/* Function which parses command options; returns true if it
-   ate an option */
-static int tos_parse(int c, char **argv, int invert, unsigned int *flags,
-                     const void *entry, struct xt_entry_match **match)
-{
-	struct ipt_tos_info *tosinfo = (struct ipt_tos_info *)(*match)->data;
-
-	switch (c) {
-	case '1':
-		/* Ensure that `--tos' haven't been used yet. */
-		if (*flags == 1)
-			exit_error(PARAMETER_PROBLEM,
-					"tos match: only use --tos once!");
-
-		check_inverse(optarg, &invert, &optind, 0);
-		parse_tos(argv[optind-1], tosinfo);
-		if (invert)
-			tosinfo->invert = 1;
-		*flags = 1;
-		break;
-
-	default:
-		return 0;
-	}
-	return 1;
-}
-
-static void
-print_tos(u_int8_t tos, int numeric)
-{
-	unsigned int i;
-
-	if (!numeric) {
-		for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
-			if (TOS_values[i].TOS == tos) {
-				printf("%s ", TOS_values[i].name);
-				return;
-			}
-	}
-	printf("0x%02x ", tos);
-}
-
-/* Final check; must have specified --tos. */
-static void tos_check(unsigned int flags)
-{
-	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
-			   "TOS match: You must specify `--tos'");
-}
-
-/* Prints out the matchinfo. */
-static void tos_print(const void *ip, const struct xt_entry_match *match,
-                      int numeric)
-{
-	const struct ipt_tos_info *info = (const struct ipt_tos_info *)match->data;
-    
-	printf("TOS match ");
-	if (info->invert)
-		printf("!");
-	print_tos(info->tos, numeric);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void tos_save(const void *ip, const struct xt_entry_match *match)
-{
-	const struct ipt_tos_info *info = (const struct ipt_tos_info *)match->data;
-    
-	if (info->invert)
-		printf("! ");
-	printf("--tos ");
-	print_tos(info->tos, 0);
-}
-
-static struct iptables_match tos_match = {
-	.name		= "tos",
-	.version	= IPTABLES_VERSION,
-	.size		= IPT_ALIGN(sizeof(struct ipt_tos_info)),
-	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_tos_info)),
-	.help		= tos_help,
-	.parse		= tos_parse,
-	.final_check	= tos_check,
-	.print		= tos_print,
-	.save		= tos_save,
-	.extra_opts	= tos_opts,
-};
-
-void _init(void)
-{
-	register_match(&tos_match);
-}
Index: iptables-modules/extensions/libipt_tos.man
===================================================================
--- iptables-modules.orig/extensions/libipt_tos.man
+++ /dev/null
@@ -1,9 +0,0 @@
-This module matches the 8 bits of Type of Service field in the IP
-header (ie. including the precedence bits).
-.TP
-.BI "--tos " "tos"
-The argument is either a standard name, (use
-.br
- iptables -m tos -h
-.br
-to see the list), or a numeric value to match.
Index: iptables-modules/extensions/libxt_tos.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_tos.c
@@ -0,0 +1,223 @@
+/*
+ * Shared library add-on to iptables to add tos match support
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <netdb.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_dscp.h>
+#include <linux/netfilter_ipv4/ipt_tos.h>
+#include "tos_values.c"
+
+enum {
+	FLAG_TOS = 1 << 0,
+};
+
+static const struct option tos_mt_opts[] = {
+	{.name = "tos", .has_arg = true, .val = 't'},
+	{},
+};
+
+static void tos_mt_help(void)
+{
+	const struct tos_symbol_info *symbol;
+
+	printf(
+"tos match v%s options:\n"
+"[!] --tos value[/mask]    Match Type of Service/Priority field value\n"
+"[!] --tos symbol          Match TOS field (IPv4 only) by symbol\n"
+"                          Accepted symbolic names for value are:\n",
+IPTABLES_VERSION);
+
+	for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+		printf("                          (0x%02x) %2u %s\n",
+		       symbol->value, symbol->value, symbol->name);
+
+	printf("\n");
+}
+
+static int tos_mt_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+                           const void *entry, struct xt_entry_match **match)
+{
+	struct ipt_tos_info *info = (void *)(*match)->data;
+	struct tos_value_mask tvm;
+
+	switch (c) {
+	case 't':
+		if (*flags & FLAG_TOS)
+			exit_error(PARAMETER_PROBLEM, "tos match: You cannot "
+			           "specify --tos more than once");
+		check_inverse(optarg, &invert, &optind, 0);
+		if (!tos_parse_symbolic(argv[optind-1], &tvm, 8))
+			exit_error(PARAMETER_PROBLEM, "tos match: Invalid "
+			           "value for --tos parameter");
+		if (tvm.mask != 0xFF)
+			exit_error(PARAMETER_PROBLEM, "tos match: Your kernel "
+			           "is too old to support anything besides "
+				   "/0xFF as a mask.");
+		info->tos = tvm.value;
+		if (invert)
+			info->invert = true;
+		*flags |= FLAG_TOS;
+		return true;
+	}
+	return false;
+}
+
+static int tos_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                        const void *entry, struct xt_entry_match **match)
+{
+	struct xt_tos_match_info *info = (void *)(*match)->data;
+	struct tos_value_mask tvm = {.mask = 0xFF};
+
+	switch (c) {
+	case 't':
+		if (*flags & FLAG_TOS)
+			exit_error(PARAMETER_PROBLEM, "tos match: You cannot "
+			           "specify --tos more than once");
+		check_inverse(optarg, &invert, &optind, 0);
+		if (!tos_parse_symbolic(argv[optind-1], &tvm, 8))
+			exit_error(PARAMETER_PROBLEM, "tos match: Invalid "
+			           "value for --tos parameter");
+		info->tos_value = tvm.value;
+		info->tos_mask  = tvm.mask;
+		if (invert)
+			info->invert = true;
+		*flags |= FLAG_TOS;
+		return true;
+	}
+	return false;
+}
+
+static int tos_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+                         const void *entry, struct xt_entry_match **match)
+{
+	struct xt_tos_match_info *info = (void *)(*match)->data;
+	struct tos_value_mask tvm = {.mask = 0xF};
+
+	switch (c) {
+	case 't':
+		if (*flags & FLAG_TOS)
+			exit_error(PARAMETER_PROBLEM, "tos match: You cannot "
+			           "specify --tos more than once");
+		check_inverse(optarg, &invert, &optind, 0);
+		if (!tos_parse_numeric(argv[optind-1], &tvm, 4))
+			exit_error(PARAMETER_PROBLEM, "tos match: Invalid "
+			           "value for --tos parameter");
+		info->tos_mask  = tvm.mask;
+		info->tos_value = tvm.value;
+		if (invert)
+			info->invert = true;
+		*flags |= FLAG_TOS;
+		return true;
+	}
+	return false;
+}
+
+static void tos_mt_check(unsigned int flags)
+{
+	if (flags == 0)
+		exit_error(PARAMETER_PROBLEM,
+		           "tos match: --tos parameter required");
+}
+
+static void tos_mt_print_v0(const void *ip, const struct xt_entry_match *match,
+                            int numeric)
+{
+	const struct ipt_tos_info *info = (const void *)match->data;
+
+	printf("tos match ");
+	if (info->invert)
+		printf("!");
+	if (numeric || !tos_try_print_symbolic(info->tos, 0xFF))
+		printf("0x%02x ", info->tos);
+}
+
+static void tos_mt_print(const void *ip, const struct xt_entry_match *match,
+                         int numeric)
+{
+	const struct xt_tos_match_info *info = (const void *)match->data;
+
+	printf("tos match ");
+	if (info->invert)
+		printf("!");
+	if (numeric || !tos_try_print_symbolic(info->tos_value, info->tos_mask))
+		printf("0x%02x ", info->tos_value, info->tos_mask);
+}
+
+static void tos_mt_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+	const struct ipt_tos_info *info = (const void *)match->data;
+
+	if (info->invert)
+		printf("! ");
+	printf("--tos 0x%02x ", info->tos);
+}
+
+static void tos_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_tos_match_info *info = (const void *)match->data;
+
+	if (info->invert)
+		printf("! ");
+	printf("--tos 0x%02x/0x%02x ", info->tos_value, info->tos_mask);
+}
+
+static struct xtables_match tos_mt_reg_v0 = {
+	.version       = IPTABLES_VERSION,
+	.name          = "tos",
+	.family        = AF_INET,
+	.revision      = 0,
+	.size          = XT_ALIGN(sizeof(struct ipt_tos_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct ipt_tos_info)),
+	.help          = tos_mt_help,
+	.parse         = tos_mt_parse_v0,
+	.final_check   = tos_mt_check,
+	.print         = tos_mt_print_v0,
+	.save          = tos_mt_save_v0,
+	.extra_opts    = tos_mt_opts,
+};
+
+static struct xtables_match tos_mt_reg = {
+	.version       = IPTABLES_VERSION,
+	.name          = "tos",
+	.family        = AF_INET,
+	.revision      = 1,
+	.size          = XT_ALIGN(sizeof(struct xt_tos_match_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)),
+	.help          = tos_mt_help,
+	.parse         = tos_mt_parse,
+	.final_check   = tos_mt_check,
+	.print         = tos_mt_print,
+	.save          = tos_mt_save,
+	.extra_opts    = tos_mt_opts,
+};
+
+static struct xtables_match tos_mt6_reg = {
+	.version       = IPTABLES_VERSION,
+	.name          = "tos",
+	.family        = AF_INET6,
+	.revision      = 1,
+	.size          = XT_ALIGN(sizeof(struct xt_tos_match_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)),
+	.help          = tos_mt_help,
+	.parse         = tos_mt6_parse,
+	.final_check   = tos_mt_check,
+	.print         = tos_mt_print,
+	.save          = tos_mt_save,
+	.extra_opts    = tos_mt_opts,
+};
+
+void _init(void)
+{
+	xtables_register_match(&tos_mt_reg_v0);
+	xtables_register_match(&tos_mt_reg);
+	xtables_register_match(&tos_mt6_reg);
+}
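Review bot: In `tos_mt_print()` the format string has one conversion but two arguments, `printf("0x%02x ", info->tos_value, info->tos_mask);`, so the mask is never printed. A rule with a partial mask then lists exactly like an exact-value match, which is misleading when a ruleset is read back for review. It should match what `tos_mt_save()` emits: `printf("0x%02x/0x%02x ", info->tos_value, info->tos_mask);`.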
Index: iptables-modules/extensions/libxt_tos.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_tos.man
@@ -0,0 +1,11 @@
+This module matches the 8-bit Type of Service field in the IPv4 header (i.e.
+including the 'precedence' bits) or the 4-bit Priority field in the IPv6
+header.
+.TP
+\fB--tos\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+Matches packets with the given TOS mark value. If a mask is specified, it is
+logically ANDed with the TOS mark before the comparison.
+.TP
+\fB--tos\fR \fIsymbol\fR
+You can specify a symbolic name when using the tos match for IPv4. The list of
+recognized TOS names can be obtained by calling iptables with \fB-m tos -h\fR.
Index: iptables-modules/extensions/tos_values.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/tos_values.c
@@ -0,0 +1,94 @@
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+
+struct tos_value_mask {
+	uint8_t value, mask;
+};
+
+static const struct tos_symbol_info {
+	unsigned char value;
+	const char *name;
+} tos_symbol_names[] = {
+	{IPTOS_LOWDELAY,    "Minimize-Delay"},
+	{IPTOS_THROUGHPUT,  "Maximize-Throughput"},
+	{IPTOS_RELIABILITY, "Maximize-Reliability"},
+	{IPTOS_MINCOST,     "Minimize-Cost"},
+	{IPTOS_NORMALSVC,   "Normal-Service"},
+	{},
+};
+
+/*
+ * tos_parse_numeric - parse sth. like "15/255"
+ *
+ * @s:		input string
+ * @info:	accompanying structure
+ * @bits:	number of bits that are allowed
+ *		(8 for IPv4 TOS field, 4 for IPv6 Priority Field)
+ */
+static bool tos_parse_numeric(const char *str, struct tos_value_mask *tvm,
+                              unsigned int bits)
+{
+	const unsigned int max = (1 << bits) - 1;
+	unsigned int value;
+	char *end;
+
+	bound_strtou(str, &end, &value, 0, max);
+	tvm->value = value;
+	tvm->mask  = max;
+
+	if (*end == '/') {
+		const char *p = end + 1;
+
+		if (!bound_strtou(p, &end, &value, 0, max))
+			exit_error(PARAMETER_PROBLEM, "Illegal value for "
+			           "--tos parameter: \"%s\"", str);
+		tvm->mask = value;
+	}
+
+	if (*end != '\0')
+		exit_error(PARAMETER_PROBLEM, "Illegal value for --tos "
+		           "parameter: \"%s\"", str);
+	return true;
+}
+
+static bool tos_parse_symbolic(const char *str, struct tos_value_mask *tvm,
+                               unsigned int bits)
+{
+	const unsigned int max = (1 << bits) - 1;
+	const struct tos_symbol_info *symbol;
+	char *end;
+
+	if (bound_strtou(str, &end, NULL, 0, max))
+		return tos_parse_numeric(str, tvm, max);
+
+	if (end != str)
+		/* Something like "15foo"... */
+		return false;
+
+	tvm->mask = 0xFF;
+	for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+		if (strcasecmp(str, symbol->name) == 0) {
+			tvm->value = symbol->value;
+			return true;
+		}
+
+	exit_error(PARAMETER_PROBLEM, "Symbolic name \"%s\" is unknown", str);
+	return false;
+}
+
+static bool tos_try_print_symbolic(u_int8_t value, u_int8_t mask)
+{
+	const struct tos_symbol_info *symbol;
+
+	if (mask != 0xFF)
+		return false;
+
+	for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+		if (value == symbol->value) {
+			printf("%s ", symbol->name);
+			return true;
+		}
+
+	return false;
+}
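Review bot: `tos_parse_numeric()` ignores the result of its first `bound_strtou()` call, so an out-of-range or empty value leaves `value` uninitialized and it is still stored in `tvm->value`; for input such as "999", `*end` is '\0' and the function returns true. `tos_mt6_parse()` in libxt_tos.c calls this function directly, so the call should be guarded: `if (!bound_strtou(str, &end, &value, 0, max)) return false;`. In `tos_parse_symbolic()` the call `tos_parse_numeric(str, tvm, max)` passes the maximum value where the bit count is expected, which makes the callee evaluate `1 << 255`; it should read `return tos_parse_numeric(str, tvm, bits);`. The header comment also names `@s` and `@info` while the parameters are `str` and `tvm`.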
Index: iptables-modules/include/linux/netfilter/xt_dscp.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter/xt_dscp.h
+++ iptables-modules/include/linux/netfilter/xt_dscp.h
@@ -20,4 +20,10 @@ struct xt_dscp_info {
 	u_int8_t invert;
 };
 
+struct xt_tos_match_info {
+	u_int8_t tos_mask;
+	u_int8_t tos_value;
+	u_int8_t invert;
+};
+
 #endif /* _XT_DSCP_H */


* IPT [PATCH 3/3] libxt_TOS target module
  2007-11-26 23:46 ` IPT [PATCH 1/3] Introduce bound_strtou() Jan Engelhardt
  2007-11-26 23:46   ` IPT [PATCH 2/3] libxt_tos match module Jan Engelhardt
@ 2007-11-26 23:46   ` Jan Engelhardt
  1 sibling, 0 replies; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:46 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Upgrade libipt_TOS to libxt_TOS and use the new xt_TOS v1 target.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 extensions/Makefile               |    4 
 extensions/libipt_TOS.c           |  159 -----------------------------
 extensions/libipt_TOS.man         |   11 --
 extensions/libxt_TOS.c            |  207 ++++++++++++++++++++++++++++++++++++++
 extensions/libxt_TOS.man          |   12 ++
 include/linux/netfilter/xt_DSCP.h |    5 
 6 files changed, 226 insertions(+), 172 deletions(-)

Index: iptables-modules/extensions/Makefile
===================================================================
--- iptables-modules.orig/extensions/Makefile
+++ iptables-modules/extensions/Makefile
@@ -5,9 +5,9 @@
 # header files are present in the include/linux directory of this iptables
 # package (HW)
 #
-PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange policy realm recent ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
+PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange policy realm recent ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TTL ULOG
 PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh policy rt HL LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport owner physdev pkttype quota sctp state statistic standard string tcp tcpmss time tos u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
+PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport owner physdev pkttype quota sctp state statistic standard string tcp tcpmss time tos u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TOS TRACE
 
 PF_EXT_SELINUX_SLIB:=
 PF6_EXT_SELINUX_SLIB:=
Index: iptables-modules/extensions/libipt_TOS.c
===================================================================
--- iptables-modules.orig/extensions/libipt_TOS.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/* Shared library add-on to iptables to add TOS target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TOS.h>
-
-struct tosinfo {
-	struct xt_entry_target t;
-	struct ipt_tos_target_info tos;
-};
-
-/* TOS names and values. */
-static const
-struct TOS_value
-{
-	unsigned char TOS;
-	const char *name;
-} TOS_values[] = {
-	{ IPTOS_LOWDELAY,    "Minimize-Delay" },
-	{ IPTOS_THROUGHPUT,  "Maximize-Throughput" },
-	{ IPTOS_RELIABILITY, "Maximize-Reliability" },
-	{ IPTOS_MINCOST,     "Minimize-Cost" },
-	{ IPTOS_NORMALSVC,   "Normal-Service" },
-};
-
-/* Function which prints out usage message. */
-static void TOS_help(void)
-{
-	unsigned int i;
-
-	printf(
-"TOS target v%s options:\n"
-"  --set-tos value                   Set Type of Service field to one of the\n"
-"                                following numeric or descriptive values:\n",
-IPTABLES_VERSION);
-
-	for (i = 0; i < sizeof(TOS_values)/sizeof(struct TOS_value);i++)
-		printf("                                     %s %u (0x%02x)\n",
-		       TOS_values[i].name,
-                       TOS_values[i].TOS,
-                       TOS_values[i].TOS);
-	fputc('\n', stdout);
-}
-
-static const struct option TOS_opts[] = {
-	{ "set-tos", 1, NULL, '1' },
-	{ }
-};
-
-static void
-parse_tos(const char *s, struct ipt_tos_target_info *info)
-{
-	unsigned int i, tos;
-
-	if (string_to_number(s, 0, 255, &tos) != -1) {
-		if (tos == IPTOS_LOWDELAY
-		    || tos == IPTOS_THROUGHPUT
-		    || tos == IPTOS_RELIABILITY
-		    || tos == IPTOS_MINCOST
-		    || tos == IPTOS_NORMALSVC) {
-		    	info->tos = (u_int8_t )tos;
-		    	return;
-		}
-	} else {
-		for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
-			if (strcasecmp(s,TOS_values[i].name) == 0) {
-				info->tos = TOS_values[i].TOS;
-				return;
-			}
-	}
-	exit_error(PARAMETER_PROBLEM, "Bad TOS value `%s'", s);
-}
-
-/* Function which parses command options; returns true if it
-   ate an option */
-static int TOS_parse(int c, char **argv, int invert, unsigned int *flags,
-                     const void *entry, struct xt_entry_target **target)
-{
-	struct ipt_tos_target_info *tosinfo
-		= (struct ipt_tos_target_info *)(*target)->data;
-
-	switch (c) {
-	case '1':
-		if (*flags)
-			exit_error(PARAMETER_PROBLEM,
-			           "TOS target: Cant specify --set-tos twice");
-		parse_tos(optarg, tosinfo);
-		*flags = 1;
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-static void TOS_check(unsigned int flags)
-{
-	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
-		           "TOS target: Parameter --set-tos is required");
-}
-
-static void
-print_tos(u_int8_t tos, int numeric)
-{
-	unsigned int i;
-
-	if (!numeric) {
-		for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
-			if (TOS_values[i].TOS == tos) {
-				printf("%s ", TOS_values[i].name);
-				return;
-			}
-	}
-	printf("0x%02x ", tos);
-}
-
-/* Prints out the targinfo. */
-static void TOS_print(const void *ip, const struct xt_entry_target *target,
-                      int numeric)
-{
-	const struct ipt_tos_target_info *tosinfo =
-		(const struct ipt_tos_target_info *)target->data;
-	printf("TOS set ");
-	print_tos(tosinfo->tos, numeric);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void TOS_save(const void *ip, const struct xt_entry_target *target)
-{
-	const struct ipt_tos_target_info *tosinfo =
-		(const struct ipt_tos_target_info *)target->data;
-
-	printf("--set-tos 0x%02x ", tosinfo->tos);
-}
-
-static struct iptables_target tos_target = {
-	.name		= "TOS",
-	.version	= IPTABLES_VERSION,
-	.size		= IPT_ALIGN(sizeof(struct ipt_tos_target_info)),
-	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_tos_target_info)),
-	.help		= TOS_help,
-	.parse		= TOS_parse,
-	.final_check	= TOS_check,
-	.print		= TOS_print,
-	.save		= TOS_save,
-	.extra_opts	= TOS_opts,
-};
-
-void _init(void)
-{
-	register_target(&tos_target);
-}
Index: iptables-modules/extensions/libipt_TOS.man
===================================================================
--- iptables-modules.orig/extensions/libipt_TOS.man
+++ /dev/null
@@ -1,11 +0,0 @@
-This is used to set the 8-bit Type of Service field in the IP header.
-It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--set-tos " "tos"
-You can use a numeric TOS values, or use
-.nf
- iptables -j TOS -h
-.fi
-to see the list of valid TOS names.
Index: iptables-modules/extensions/libxt_TOS.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_TOS.c
@@ -0,0 +1,207 @@
+/*
+ * Shared library add-on to iptables to add TOS target support
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_DSCP.h>
+#include <linux/netfilter_ipv4/ipt_TOS.h>
+#include "tos_values.c"
+
+enum {
+	FLAG_TOS = 1 << 0,
+};
+
+static const struct option tos_tg_opts[] = {
+	{.name = "set-tos", .has_arg = true, .val = 't'},
+	{},
+};
+
+static void tos_tg_help(void)
+{
+	const struct tos_symbol_info *symbol;
+
+	printf(
+"TOS target v%s options:\n"
+"  --set-tos value[/mask]    Set Type of Service/Priority field to value\n"
+"  --set-tos symbol          Set TOS field (IPv4 only) by symbol\n"
+"                            Accepted symbolic names for value are:\n",
+IPTABLES_VERSION);
+
+	for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+		printf("                          (0x%02x) %2u %s\n",
+		       symbol->value, symbol->value, symbol->name);
+
+	printf("\n");
+}
+
+static int tos_tg_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+                           const void *entry, struct xt_entry_target **target)
+{
+	struct ipt_tos_target_info *info = (void *)(*target)->data;
+	struct tos_value_mask tvm;
+
+	switch (c) {
+	case 't':
+		if (*flags & FLAG_TOS)
+			exit_error(PARAMETER_PROBLEM, "TOS target: You cannot "
+			           "specify --set-tos more than once");
+		if (!tos_parse_symbolic(optarg, &tvm, 8))
+			exit_error(PARAMETER_PROBLEM, "TOS target: Invalid "
+			           "value for --set-tos parameter");
+		if (tvm.mask != 0xFF)
+			exit_error(PARAMETER_PROBLEM, "tos match: Your kernel "
+			           "is too old to support anything besides "
+				   "/0xFF as a mask.");
+		info->tos = tvm.value;
+		*flags |= FLAG_TOS;
+		return true;
+	}
+
+	return false;
+}
+
+static int tos_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
+                         const void *entry, struct xt_entry_target **target)
+{
+	struct xt_tos_target_info *info = (void *)(*target)->data;
+	struct tos_value_mask tvm;
+
+	switch (c) {
+	case 't':
+		if (*flags & FLAG_TOS)
+			exit_error(PARAMETER_PROBLEM, "TOS target: You cannot "
+			           "specify --set-tos more than once");
+		if (!tos_parse_symbolic(optarg, &tvm, 8))
+			exit_error(PARAMETER_PROBLEM, "TOS target: Invalid "
+			           "value for --set-tos parameter");
+		info->tos_value = tvm.value;
+		info->tos_mask  = tvm.mask;
+		*flags |= FLAG_TOS;
+		return true;
+	}
+
+	return false;
+}
+
+static int tos_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
+                         const void *entry, struct xt_entry_target **target)
+{
+	struct xt_tos_target_info *info = (void *)(*target)->data;
+	struct tos_value_mask tvm;
+
+	switch (c) {
+	case 't':
+		if (*flags & FLAG_TOS)
+			exit_error(PARAMETER_PROBLEM, "TOS target: You cannot "
+			           "specify --set-tos more than once");
+		if (!tos_parse_numeric(optarg, &tvm, 4))
+			exit_error(PARAMETER_PROBLEM, "TOS target: Invalid "
+			           "value for --tos parameter");
+		info->tos_value = tvm.value;
+		info->tos_mask  = tvm.mask;
+		*flags |= FLAG_TOS;
+		return true;
+	}
+
+	return false;
+}
+
+static void tos_tg_check(unsigned int flags)
+{
+	if (flags == 0)
+		exit_error(PARAMETER_PROBLEM,
+		           "TOS target: --set-tos parameter required");
+}
+
+static void tos_tg_print_v0(const void *ip,
+                            const struct xt_entry_target *target, int numeric)
+{
+	const struct ipt_tos_target_info *info = (const void *)target->data;
+
+	printf("TOS set ");
+	if (numeric || !tos_try_print_symbolic(info->tos, 0xFF))
+		printf("0x%02x ", info->tos);
+}
+
+static void tos_tg_print(const void *ip, const struct xt_entry_target *target,
+                         int numeric)
+{
+	const struct xt_tos_target_info *info = (const void *)target->data;
+
+	printf("TOS set ");
+	if (numeric || !tos_try_print_symbolic(info->tos_value, info->tos_mask))
+		printf("0x%02x/0x%02x ", info->tos_value, info->tos_mask);
+}
+
+static void tos_tg_save_v0(const void *ip, const struct xt_entry_target *target)
+{
+	const struct ipt_tos_target_info *info = (const void *)target->data;
+
+	printf("--set-tos 0x%02x ", info->tos);
+}
+
+static void tos_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_tos_target_info *info = (const void *)target->data;
+
+	printf("--set-tos 0x%02x/0x%02x ", info->tos_value, info->tos_mask);
+}
+
+static struct xtables_target tos_tg_reg_v0 = {
+	.version       = IPTABLES_VERSION,
+	.name          = "TOS",
+	.revision      = 0,
+	.family        = AF_INET,
+	.size          = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+	.help          = tos_tg_help,
+	.parse         = tos_tg_parse_v0,
+	.final_check   = tos_tg_check,
+	.print         = tos_tg_print_v0,
+	.save          = tos_tg_save_v0,
+	.extra_opts    = tos_tg_opts,
+};
+
+static struct xtables_target tos_tg_reg = {
+	.version       = IPTABLES_VERSION,
+	.name          = "TOS",
+	.revision      = 1,
+	.family        = AF_INET,
+	.size          = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+	.help          = tos_tg_help,
+	.parse         = tos_tg4_parse,
+	.final_check   = tos_tg_check,
+	.print         = tos_tg_print,
+	.save          = tos_tg_save,
+	.extra_opts    = tos_tg_opts,
+};
+
+static struct xtables_target tos_tg6_reg = {
+	.version       = IPTABLES_VERSION,
+	.name          = "TOS",
+	.family        = AF_INET6,
+	.revision      = 1,
+	.size          = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+	.help          = tos_tg_help,
+	.parse         = tos_tg6_parse,
+	.final_check   = tos_tg_check,
+	.print         = tos_tg_print,
+	.save          = tos_tg_save,
+	.extra_opts    = tos_tg_opts,
+};
+
+void _init(void)
+{
+	xtables_register_target(&tos_tg_reg_v0);
+	xtables_register_target(&tos_tg_reg);
+	xtables_register_target(&tos_tg6_reg);
+}
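Review bot: `tos_tg_reg_v0` declares `.size` and `.userspacesize` as `XT_ALIGN(sizeof(struct xt_tos_target_info))`, yet its parse, print and save callbacks all cast the data to `struct ipt_tos_target_info`. The revision 0 match registration in libxt_tos.c uses the ipt_ struct for both fields, so this looks like a copy-paste slip; whether XT_ALIGN happens to round the two to the same size is not visible here. Suggested: `.size = XT_ALIGN(sizeof(struct ipt_tos_target_info)),` and the same for `.userspacesize`. Two messages are also carried over from the match module: `tos_tg_parse_v0()` reports "tos match: Your kernel is too old ..." and `tos_tg6_parse()` refers to "--tos" where the option is `--set-tos`.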
Index: iptables-modules/extensions/libxt_TOS.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_TOS.man
@@ -0,0 +1,12 @@
+This module sets the 8-bit Type of Service field in the IPv4 header (including
+the 'precedence' bits) or the 4-bit Priority field in the IPv6 header. It is
+only valid in the \fBmangle\fR table.
+.TP
+\fB--set-tos\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+Zeroes out the TOS bits given by \fImask\fR and XORs \fIvalue\fR into the
+TOS/Priority field.
+.TP
+\fB--set-tos\fR \fIsymbol\fR
+You can specify a symbolic name when using the TOS target for IPv4. It implies
+a mask of 0xFF. The list of recognized TOS names can be obtained by calling
+iptables with \fB-j TOS -h\fR.
Index: iptables-modules/include/linux/netfilter/xt_DSCP.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter/xt_DSCP.h
+++ iptables-modules/include/linux/netfilter/xt_DSCP.h
@@ -17,4 +17,9 @@ struct xt_DSCP_info {
 	u_int8_t dscp;
 };
 
+struct xt_tos_target_info {
+	u_int8_t tos_value;
+	u_int8_t tos_mask;
+};
+
 #endif /* _XT_DSCP_TARGET_H */
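Review bot: The new `struct xt_tos_target_info` has no comment saying how its two fields combine, and the names alone do not make that clear. libxt_TOS.man in this same patch says the bits given by the mask are zeroed and the value is then XORed in, so a one-line comment above the struct would keep header and manual in step: `/* tos_mask: bits cleared in the TOS/Priority field; tos_value: XORed in afterwards */`. The layout is presumably shared with the kernel-side target, so the comment could also say that the struct is ABI and must not be reordered or extended without a new revision.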

* Re: NF [PATCH 1/6] (borked it!) Use lowercase names for matches
  2007-11-26 23:42 NF [PATCH 1/6] Use lowercase names for matches Jan Engelhardt
                   ` (5 preceding siblings ...)
  2007-11-26 23:46 ` IPT [PATCH 1/3] Introduce bound_strtou() Jan Engelhardt
@ 2007-11-26 23:51 ` Jan Engelhardt
  2007-11-26 23:54   ` Patrick McHardy
  2007-11-26 23:53 ` NF [PATCH 1/6] (resend) " Jan Engelhardt
  2007-11-26 23:59 ` NF [PATCH 1/6] " Patrick McHardy
  8 siblings, 1 reply; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:51 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


On Nov 27 2007 00:42, Jan Engelhardt wrote:
>@@ -63,17 +63,8 @@ config IP_NF_MATCH_IPRANGE
> 
> 	  To compile it as a module, choose M here.  If unsure, say N.
> 
>-config IP_NF_MATCH_TOS
>-	tristate "TOS match support"
>-	depends on IP_NF_IPTABLES
>-	help
>-	  TOS matching allows you to match packets based on the Type Of
>-	  Service fields of the IP packet.
>-
>-	  To compile it as a module, choose M here.  If unsure, say N.
>-

(quilt or pebkac, that is the question.)


* Re: NF [PATCH 1/6] (resend) Use lowercase names for matches
  2007-11-26 23:42 NF [PATCH 1/6] Use lowercase names for matches Jan Engelhardt
                   ` (6 preceding siblings ...)
  2007-11-26 23:51 ` NF [PATCH 1/6] (borked it!) Use lowercase names for matches Jan Engelhardt
@ 2007-11-26 23:53 ` Jan Engelhardt
  2007-11-26 23:59 ` NF [PATCH 1/6] " Patrick McHardy
  8 siblings, 0 replies; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:53 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Unify netfilter match kconfig descriptions

Consistently use lowercase for matches in kconfig one-line
descriptions and name the match module.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 net/ipv4/netfilter/Kconfig |   12 ++++++------
 net/ipv6/netfilter/Kconfig |   16 ++++++++--------
 net/netfilter/Kconfig      |    8 ++++----
 3 files changed, 18 insertions(+), 18 deletions(-)

Index: linux-2.6/net/ipv4/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/Kconfig
+++ linux-2.6/net/ipv4/netfilter/Kconfig
@@ -55,7 +55,7 @@ config IP_NF_IPTABLES
 
 # The matches.
 config IP_NF_MATCH_IPRANGE
-	tristate "IP range match support"
+	tristate '"iprange" match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This option makes possible to match IP addresses against IP address
@@ -73,7 +73,7 @@ config IP_NF_MATCH_TOS
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP_NF_MATCH_RECENT
-	tristate "recent match support"
+	tristate '"recent" match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This match is used for creating one or many lists of recently
@@ -85,7 +85,7 @@ config IP_NF_MATCH_RECENT
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP_NF_MATCH_ECN
-	tristate "ECN match support"
+	tristate '"ecn" match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This option adds a `ECN' match, which allows you to match against
@@ -94,7 +94,7 @@ config IP_NF_MATCH_ECN
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP_NF_MATCH_AH
-	tristate "AH match support"
+	tristate '"ah" match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This match extension allows you to match a range of SPIs
@@ -103,7 +103,7 @@ config IP_NF_MATCH_AH
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP_NF_MATCH_TTL
-	tristate "TTL match support"
+	tristate '"ttl" match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
@@ -112,7 +112,7 @@ config IP_NF_MATCH_TTL
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP_NF_MATCH_ADDRTYPE
-	tristate  'address type match support'
+	tristate '"addrtype" address type match support'
 	depends on IP_NF_IPTABLES
 	help
 	  This option allows you to match what routing thinks of an address,
Index: linux-2.6/net/ipv6/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/ipv6/netfilter/Kconfig
+++ linux-2.6/net/ipv6/netfilter/Kconfig
@@ -54,7 +54,7 @@ config IP6_NF_IPTABLES
 
 # The simple matches.
 config IP6_NF_MATCH_RT
-	tristate "Routing header match support"
+	tristate '"rt" Routing header match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  rt matching allows you to match packets based on the routing
@@ -63,7 +63,7 @@ config IP6_NF_MATCH_RT
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_OPTS
-	tristate "Hop-by-hop and Dst opts header match support"
+	tristate '"hopbyhop" and "dst" opts header match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  This allows one to match packets based on the hop-by-hop
@@ -72,7 +72,7 @@ config IP6_NF_MATCH_OPTS
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_FRAG
-	tristate "Fragmentation header match support"
+	tristate '"frag" Fragmentation header match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  frag matching allows you to match packets based on the fragmentation
@@ -81,7 +81,7 @@ config IP6_NF_MATCH_FRAG
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_HL
-	tristate "HL match support"
+	tristate '"hl" match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  HL matching allows you to match packets based on the hop
@@ -90,7 +90,7 @@ config IP6_NF_MATCH_HL
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_IPV6HEADER
-	tristate "IPv6 Extension Headers Match"
+	tristate '"ipv6header" IPv6 Extension Headers Match'
 	depends on IP6_NF_IPTABLES
 	help
 	  This module allows one to match packets based upon
@@ -99,7 +99,7 @@ config IP6_NF_MATCH_IPV6HEADER
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_AH
-	tristate "AH match support"
+	tristate '"ah" match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  This module allows one to match AH packets.
@@ -107,7 +107,7 @@ config IP6_NF_MATCH_AH
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_MH
-	tristate "MH match support"
+	tristate '"mh" match support'
 	depends on IP6_NF_IPTABLES
 	help
 	  This module allows one to match MH packets.
@@ -115,7 +115,7 @@ config IP6_NF_MATCH_MH
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_EUI64
-	tristate "EUI64 address check"
+	tristate '"eui64" address check'
 	depends on IP6_NF_IPTABLES
 	help
 	  This module performs checking on the IPv6 source address
Index: linux-2.6/net/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/netfilter/Kconfig
+++ linux-2.6/net/netfilter/Kconfig
@@ -468,7 +468,7 @@ config NETFILTER_XT_MATCH_CONNTRACK
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NETFILTER_XT_MATCH_DCCP
-	tristate  '"DCCP" protocol match support'
+	tristate '"dccp" protocol match support'
 	depends on NETFILTER_XTABLES
 	help
 	  With this option enabled, you will be able to use the iptables
@@ -479,7 +479,7 @@ config NETFILTER_XT_MATCH_DCCP
 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
 config NETFILTER_XT_MATCH_DSCP
-	tristate '"DSCP" match support'
+	tristate '"dscp" match support'
 	depends on NETFILTER_XTABLES
 	help
 	  This option adds a `DSCP' match, which allows you to match against
@@ -490,7 +490,7 @@ config NETFILTER_XT_MATCH_DSCP
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NETFILTER_XT_MATCH_ESP
-	tristate '"ESP" match support'
+	tristate '"esp" match support'
 	depends on NETFILTER_XTABLES
 	help
 	  This match extension allows you to match a range of SPIs
@@ -565,7 +565,7 @@ config NETFILTER_XT_MATCH_POLICY
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NETFILTER_XT_MATCH_MULTIPORT
-	tristate "Multiple port match support"
+	tristate '"multiport" Multiple port match support'
 	depends on NETFILTER_XTABLES
 	help
 	  Multiport matching allows you to match TCP or UDP packets based on


* Re: NF [PATCH 3/6] (re) Merge ipt_tos into xt_dscp
  2007-11-26 23:43 ` NF [PATCH 3/6] Merge ipt_tos into xt_dscp Jan Engelhardt
@ 2007-11-26 23:54   ` Jan Engelhardt
  2007-11-27  0:01   ` NF [PATCH 3/6] " Patrick McHardy
  1 sibling, 0 replies; 19+ messages in thread
From: Jan Engelhardt @ 2007-11-26 23:54 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Merge ipt_tos into xt_dscp.

Merge ipt_tos (tos v0 match) into xt_dscp. They both modify the same
field in the IPv4 header, so it seems reasonable to keep them in one
piece. This is part one of the implicit 4-patch series to move tos to
xtables and extend it by IPv6.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 net/ipv4/netfilter/Kconfig   |    9 -------
 net/ipv4/netfilter/Makefile  |    1 
 net/ipv4/netfilter/ipt_tos.c |   50 -------------------------------------------
 net/netfilter/Kconfig        |    6 ++++-
 net/netfilter/xt_dscp.c      |   24 ++++++++++++++++++--
 5 files changed, 27 insertions(+), 63 deletions(-)

Index: linux-2.6/net/ipv4/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/Kconfig
+++ linux-2.6/net/ipv4/netfilter/Kconfig
@@ -63,15 +63,6 @@ config IP_NF_MATCH_IPRANGE
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_MATCH_TOS
-	tristate "TOS match support"
-	depends on IP_NF_IPTABLES
-	help
-	  TOS matching allows you to match packets based on the Type Of
-	  Service fields of the IP packet.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 config IP_NF_MATCH_RECENT
 	tristate '"recent" match support'
 	depends on IP_NF_IPTABLES
Index: linux-2.6/net/ipv4/netfilter/Makefile
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/Makefile
+++ linux-2.6/net/ipv4/netfilter/Makefile
@@ -46,7 +46,6 @@ obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
-obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 
 # targets
Index: linux-2.6/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/ipt_tos.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/* Kernel module to match TOS values. */
-
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/ip.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-
-#include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter/x_tables.h>
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("iptables TOS match module");
-
-static bool
-tos_mt(const struct sk_buff *skb, const struct net_device *in,
-       const struct net_device *out, const struct xt_match *match,
-       const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
-{
-	const struct ipt_tos_info *info = matchinfo;
-
-	return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
-}
-
-static struct xt_match tos_mt_reg __read_mostly = {
-	.name		= "tos",
-	.family		= AF_INET,
-	.match		= tos_mt,
-	.matchsize	= sizeof(struct ipt_tos_info),
-	.me		= THIS_MODULE,
-};
-
-static int __init tos_mt_init(void)
-{
-	return xt_register_match(&tos_mt_reg);
-}
-
-static void __exit tos_mt_exit(void)
-{
-	xt_unregister_match(&tos_mt_reg);
-}
-
-module_init(tos_mt_init);
-module_exit(tos_mt_exit);
Index: linux-2.6/net/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/netfilter/Kconfig
+++ linux-2.6/net/netfilter/Kconfig
@@ -479,7 +479,7 @@ config NETFILTER_XT_MATCH_DCCP
 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
 config NETFILTER_XT_MATCH_DSCP
-	tristate '"dscp" match support'
+	tristate '"dscp" and "tos" match support'
 	depends on NETFILTER_XTABLES
 	help
 	  This option adds a `DSCP' match, which allows you to match against
@@ -487,6 +487,10 @@ config NETFILTER_XT_MATCH_DSCP
 
 	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
 
+	  It will also add a "tos" match, which allows you to match packets
+	  based on the Type Of Service fields of the IPv4 packet (which share
+	  the same bits as DSCP).
+
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NETFILTER_XT_MATCH_ESP
Index: linux-2.6/net/netfilter/xt_dscp.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_dscp.c
+++ linux-2.6/net/netfilter/xt_dscp.c
@@ -13,14 +13,16 @@
 #include <linux/ipv6.h>
 #include <net/dsfield.h>
 
-#include <linux/netfilter/xt_dscp.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_dscp.h>
+#include <linux/netfilter_ipv4/ipt_tos.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("x_tables DSCP matching module");
+MODULE_DESCRIPTION("x_tables DSCP/tos matching module");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_dscp");
 MODULE_ALIAS("ip6t_dscp");
+MODULE_ALIAS("ipt_tos");
 
 static bool
 dscp_mt(const struct sk_buff *skb, const struct net_device *in,
@@ -60,6 +62,16 @@ dscp_mt_check(const char *tablename, con
 	return true;
 }
 
+static bool tos_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+                      const struct net_device *out,
+                      const struct xt_match *match, const void *matchinfo,
+                      int offset, unsigned int protoff, bool *hotdrop)
+{
+	const struct ipt_tos_info *info = matchinfo;
+
+	return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
+}
+
 static struct xt_match dscp_mt_reg[] __read_mostly = {
 	{
 		.name		= "dscp",
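Review bot: `tos_mt_v0` XORs the comparison with `info->invert` as-is, and nothing on the new side restricts that field to 0 or 1. If `invert` is wider than one bit (the definition of `struct ipt_tos_info` is not shown here), a rule blob carrying any other non-zero value makes the function return true for every packet instead of inverting the match. The expression is carried over unchanged from the removed ipt_tos.c, so this is not a regression, but the move is a good moment to normalise it: `return (ip_hdr(skb)->tos == info->tos) ^ !!info->invert;`. The "tos" entry added to `dscp_mt_reg[]` in the next hunk has no `.checkentry`, so rejecting such values at rule-insertion time would be the alternative.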
@@ -77,6 +89,14 @@ static struct xt_match dscp_mt_reg[] __r
 		.matchsize	= sizeof(struct xt_dscp_info),
 		.me		= THIS_MODULE,
 	},
+	{
+		.name      = "tos",
+		.revision  = 0,
+		.family    = AF_INET,
+		.match     = tos_mt_v0,
+		.matchsize = sizeof(struct ipt_tos_info),
+		.me        = THIS_MODULE,
+	},
 };
 
 static int __init dscp_mt_init(void)


* Re: NF [PATCH 1/6] (borked it!) Use lowercase names for matches
  2007-11-26 23:51 ` NF [PATCH 1/6] (borked it!) Use lowercase names for matches Jan Engelhardt
@ 2007-11-26 23:54   ` Patrick McHardy
  0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2007-11-26 23:54 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Nov 27 2007 00:42, Jan Engelhardt wrote:
>   
>> @@ -63,17 +63,8 @@ config IP_NF_MATCH_IPRANGE
>>
>> 	  To compile it as a module, choose M here.  If unsure, say N.
>>
>> -config IP_NF_MATCH_TOS
>> -	tristate "TOS match support"
>> -	depends on IP_NF_IPTABLES
>> -	help
>> -	  TOS matching allows you to match packets based on the Type Of
>> -	  Service fields of the IP packet.
>> -
>> -	  To compile it as a module, choose M here.  If unsure, say N.
>> -
>>     
>
> (quilt or pebkac, that is the question.)
>   

I already fixed it, don't worry :)



* Re: NF [PATCH 1/6] Use lowercase names for matches
  2007-11-26 23:42 NF [PATCH 1/6] Use lowercase names for matches Jan Engelhardt
                   ` (7 preceding siblings ...)
  2007-11-26 23:53 ` NF [PATCH 1/6] (resend) " Jan Engelhardt
@ 2007-11-26 23:59 ` Patrick McHardy
  8 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2007-11-26 23:59 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Unify netfilter match kconfig descriptions
>
> Consistently use lowercase for matches in kconfig one-line
> descriptions and name the match module.
>
>   
Applied the fixed patch, thanks.



* Re: NF [PATCH 2/6] Constify include/net/dsfield.h
  2007-11-26 23:42 ` NF [PATCH 2/6] Constify include/net/dsfield.h Jan Engelhardt
@ 2007-11-26 23:59   ` Patrick McHardy
  0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2007-11-26 23:59 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Constify include/net/dsfield.h
>
>   

Applied.



* Re: NF [PATCH 3/6] Merge ipt_tos into xt_dscp
  2007-11-26 23:43 ` NF [PATCH 3/6] Merge ipt_tos into xt_dscp Jan Engelhardt
  2007-11-26 23:54   ` NF [PATCH 3/6] (re) " Jan Engelhardt
@ 2007-11-27  0:01   ` Patrick McHardy
  1 sibling, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2007-11-27  0:01 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Merge ipt_tos into xt_dscp.
>
> Merge ipt_tos (tos v0 match) into xt_dscp. They both modify the same
> field in the IPv4 header, so it seems reasonable to keep them in one
> piece. This is part one of the implicit 4-patch series to move tos to
> xtables and extend it by IPv6.
>
>  static struct xt_match dscp_mt_reg[] __read_mostly = {
>  	{
>  		.name		= "dscp",
> @@ -77,6 +89,14 @@ static struct xt_match dscp_mt_reg[] __r
>  		.matchsize	= sizeof(struct xt_dscp_info),
>  		.me		= THIS_MODULE,
>  	},
> +	{
> +		.name      = "tos",
> +		.revision  = 0,
> +		.family    = AF_INET,
> +		.match     = tos_mt_v0,
> +		.matchsize = sizeof(struct ipt_tos_info),
> +		.me        = THIS_MODULE,
> +	},


Applied, but changed the last part to match the indentation of
the other match structs.




* Re: NF [PATCH 4/6] Merge ipt_TOS into xt_DSCP
  2007-11-26 23:43 ` NF [PATCH 4/6] Merge ipt_TOS into xt_DSCP Jan Engelhardt
@ 2007-11-27  0:02   ` Patrick McHardy
  0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2007-11-27  0:02 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Merge ipt_TOS into xt_DSCP.
>
> Merge ipt_TOS (tos v0 target) into xt_DSCP. They both modify the same
> field in the IPv4 header, so it seems reasonable to keep them in one
> piece. This is part two of the implicit 4-patch series to move tos to
> xtables and extend it by IPv6.
>
> +	{
> +		.name       = "TOS",
> +		.revision   = 0,
> +		.family     = AF_INET,
> +		.table      = "mangle",
> +		.target     = tos_tg_v0,
> +		.targetsize = sizeof(struct ipt_tos_target_info),
> +		.checkentry = tos_tg_check_v0,
> +		.me         = THIS_MODULE,
> +	},
>  };
>  

Also applied but fixed indentation. Thanks.


* Re: NF [PATCH 5/6] xt_tos v1 match
  2007-11-26 23:43 ` NF [PATCH 5/6] xt_tos v1 match Jan Engelhardt
@ 2007-11-27  0:03   ` Patrick McHardy
  0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2007-11-27  0:03 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Import xt_tos v1 match
>
> Extends the xt_dscp match by xt_tos v1 to add support for selectively
> matching any bit in the IPv4 TOS and IPv6 Priority fields. (ipt_tos
> and xt_dscp only accepted a limited range of possible values.)
>   

Applied and fixed indentation.


* Re: NF [PATCH 6/6] xt_TOS v1 target
  2007-11-26 23:43 ` NF [PATCH 6/6] xt_TOS v1 target Jan Engelhardt
@ 2007-11-27  0:05   ` Patrick McHardy
  0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2007-11-27  0:05 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Import xt_tos v1 target
>
> Extends the xt_DSCP target by xt_TOS v1 to add support for selectively
> setting and flipping any bit in the IPv4 TOS and IPv6 Priority fields.
> (ipt_TOS and xt_DSCP only accepted a limited range of possible
> values.)
>   

Fixed indentation and applied it. Thanks a lot Jan, two config options
and two files less :)



