
Untitled

a guest
Aug 29th, 2016
  1. From 8a40d85519a0ef5d101f969b8464567b92b167bc Mon Sep 17 00:00:00 2001
  2. From: Oleksandr Natalenko <oleksandr@natalenko.name>
  3. Date: Sun, 28 Aug 2016 18:27:47 +0300
  4. Subject: [PATCH] ipt_df-4.7: initial port
  5.  
  6. ---
  7. include/uapi/linux/netfilter_ipv4/ipt_DF.h | 13 +++++
  8. net/ipv4/netfilter/Kconfig | 9 ++++
  9. net/ipv4/netfilter/Makefile | 1 +
  10. net/ipv4/netfilter/ipt_DF.c | 76 ++++++++++++++++++++++++++++++
  11. 4 files changed, 99 insertions(+)
  12. create mode 100644 include/uapi/linux/netfilter_ipv4/ipt_DF.h
  13. create mode 100644 net/ipv4/netfilter/ipt_DF.c
  14.  
  15. diff --git a/include/uapi/linux/netfilter_ipv4/ipt_DF.h b/include/uapi/linux/netfilter_ipv4/ipt_DF.h
  16. new file mode 100644
  17. index 0000000..36d4af5
  18. --- /dev/null
  19. +++ b/include/uapi/linux/netfilter_ipv4/ipt_DF.h
  20. @@ -0,0 +1,13 @@
  21. +#ifndef _IPT_DF_TARGET_H
  22. +#define _IPT_DF_TARGET_H
  23. +
  24. +enum {
  25. + IPT_DF_CLEAR = 1
  26. +};
  27. +
  28. +struct ipt_DF_info {
  29. + u_int8_t mode;
  30. +};
  31. +
  32. +#endif /* _IPT_DF_TARGET_H */
  33. +
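Review bot: `struct ipt_DF_info` declares `u_int8_t mode;` but this header includes nothing that defines that type, so it only compiles when the includer happens to have pulled in a suitable header first. As this is a UAPI header shared with the userspace iptables extension, it should be self-contained and use the exported kernel type: add `#include <linux/types.h>` and declare the field as `__u8 mode;`. The anonymous enum defines only `IPT_DF_CLEAR`, so a short comment on `mode` stating that this is the only accepted value would document the ABI for whoever writes the matching userspace side.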
  34. diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
  35. index c187c60..83091fb 100644
  36. --- a/net/ipv4/netfilter/Kconfig
  37. +++ b/net/ipv4/netfilter/Kconfig
  38. @@ -263,6 +263,15 @@ config IP_NF_TARGET_SYNPROXY
  39.  
  40. To compile it as a module, choose M here. If unsure, say N.
  41.  
  42. +config IP_NF_TARGET_DF
  43. + tristate "DF target support"
  44. + default m if NETFILTER_ADVANCED=n
  45. + help
  46. + This option adds a `DF' target, allowing you to set or remove
  47. + "Do not fragment" flag on any traffic in mangle table.
  48. +
  49. + To compile it as a module, choose M here. If unsure, say N.
  50. +
  51. # NAT + specific targets: nf_conntrack
  52. config IP_NF_NAT
  53. tristate "iptables NAT support"
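Review bot: The help text says the target can "set or remove" the flag, but the header added in this patch defines only `IPT_DF_CLEAR` and the target function in ipt_DF.c leaves the packet untouched for any other mode, so the text should promise removal only, e.g. `This option adds a 'DF' target, which clears the "Don't Fragment" flag on IPv4 packets in the mangle table.` It would also be worth one sentence noting that clearing DF takes the affected flows out of path MTU discovery and lets them be fragmented downstream, since that is the trade-off an administrator has to weigh before enabling it. `default m if NETFILTER_ADVANCED=n` builds this packet-rewriting module for configurations that did not opt into advanced netfilter options; for a niche target, dropping the `default` line so it is opt-in looks more appropriate.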
  54. diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
  55. index 87b073d..7874301 100644
  56. --- a/net/ipv4/netfilter/Makefile
  57. +++ b/net/ipv4/netfilter/Makefile
  58. @@ -64,6 +64,7 @@ obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
  59. obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
  60. obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
  61. obj-$(CONFIG_IP_NF_TARGET_SYNPROXY) += ipt_SYNPROXY.o
  62. +obj-$(CONFIG_IP_NF_TARGET_DF) += ipt_DF.o
  63.  
  64. # generic ARP tables
  65. obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
  66. diff --git a/net/ipv4/netfilter/ipt_DF.c b/net/ipv4/netfilter/ipt_DF.c
  67. new file mode 100644
  68. index 0000000..dabe2d8
  69. --- /dev/null
  70. +++ b/net/ipv4/netfilter/ipt_DF.c
  71. @@ -0,0 +1,76 @@
  72. +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  73. +
  74. +#include <linux/in.h>
  75. +#include <linux/module.h>
  76. +#include <linux/skbuff.h>
  77. +#include <linux/ip.h>
  78. +#include <net/ip.h>
  79. +#include <linux/tcp.h>
  80. +#include <net/checksum.h>
  81. +
  82. +#include <linux/netfilter/x_tables.h>
  83. +#include <linux/netfilter_ipv4/ip_tables.h>
  84. +#include <linux/netfilter_ipv4/ipt_DF.h>
  85. +
  86. +MODULE_AUTHOR("Dmitry Labutcky <avl@strace.net>");
  87. +MODULE_DESCRIPTION("IP tables remove DF flag module");
  88. +MODULE_LICENSE("GPL");
  89. +
  90. +static unsigned int df_tg(struct sk_buff *skb,
  91. + const struct xt_action_param *par)
  92. +{
  93. +
  94. + struct iphdr *iph;
  95. + const struct ipt_DF_info *info = par->targinfo;
  96. + u_int16_t diffs[2];
  97. +
  98. + if (!skb_make_writable(skb, skb->len))
  99. + return NF_DROP;
  100. +
  101. + iph = ip_hdr(skb);
  102. +
  103. + if (info->mode != IPT_DF_CLEAR)
  104. + return XT_CONTINUE;
  105. +
  106. + if (!(iph->frag_off & 0x0040))
  107. + return XT_CONTINUE;
  108. +
  109. + diffs[0] = htons(((unsigned)iph->frag_off) << 8) ^ 0xFFFF;
  110. + iph->frag_off = iph->frag_off & 0xFFBF;
  111. + diffs[1] = htons(((unsigned)iph->frag_off) << 8);
  112. + iph->check = csum_fold(csum_partial((char *)diffs,
  113. + sizeof(diffs),
  114. + iph->check ^ 0xFFFF));
  115. +
  116. + return XT_CONTINUE;
  117. +
  118. +}
  119. +
  120. +static int df_tg_check(const struct xt_tgchk_param *par)
  121. +{
  122. + return 0;
  123. +}
  124. +
  125. +static struct xt_target df_tg_reg __read_mostly = {
  126. + .name = "DF",
  127. + .family = NFPROTO_IPV4,
  128. + .target = df_tg,
  129. + .targetsize = sizeof(struct ipt_DF_info),
  130. + .table = "mangle",
  131. + .checkentry = df_tg_check,
  132. + .me = THIS_MODULE,
  133. +};
  134. +
  135. +static int __init df_tg_init(void)
  136. +{
  137. + return xt_register_target(&df_tg_reg);
  138. +}
  139. +
  140. +static void __exit df_tg_exit(void)
  141. +{
  142. + xt_unregister_target(&df_tg_reg);
  143. +}
  144. +
  145. +module_init(df_tg_init);
  146. +module_exit(df_tg_exit);
  147. +
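Review bot: The DF test and clear in df_tg() use the raw constants `0x0040` and `0xFFBF` on the big-endian field `iph->frag_off`, which are the byte-swapped forms of `IP_DF` and therefore correct only on little-endian hosts; on a big-endian build they would test and clear a bit of the fragment offset instead. The hand-rolled `diffs[]` checksum update carries the same byte-order assumption and can be replaced with `csum_replace2()` from the already included net/checksum.h, as in the fence below. Separately, df_tg_check() returns 0 unconditionally, so a rule with an unknown `mode` is accepted and silently does nothing; rejecting it at rule load with `if (info->mode != IPT_DF_CLEAR) return -EINVAL;` (with `info` taken from `par->targinfo`) would also let the per-packet mode test be dropped. Finally, `skb_make_writable(skb, skb->len)` forces the whole packet to be writable although only the IP header is modified; `sizeof(struct iphdr)` looks sufficient here.

```c
	__be16 old_frag_off;
	/* … unchanged: skb_make_writable() call, ip_hdr() lookup, info->mode check … */

	if (!(iph->frag_off & htons(IP_DF)))
		return XT_CONTINUE;

	old_frag_off = iph->frag_off;
	iph->frag_off &= ~htons(IP_DF);
	/* Incremental header checksum update for the one changed 16-bit word. */
	csum_replace2(&iph->check, old_frag_off, iph->frag_off);

	return XT_CONTINUE;
```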
  148. --
  149. 2.9.3