[thirdparty/linux.git] / net / netfilter / xt_CHECKSUM.c

/* iptables module for the packet checksum mangling
 *
 * (C) 2002 by Harald Welte <laforge@netfilter.org>
 * (C) 2010 Red Hat, Inc.
 *
 * Author: Michael S. Tsirkin <mst@redhat.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>

#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_CHECKSUM.h>

#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
MODULE_DESCRIPTION("Xtables: checksum modification");
MODULE_ALIAS("ipt_CHECKSUM");
MODULE_ALIAS("ip6t_CHECKSUM");

static unsigned int
checksum_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
	if (skb->ip_summed == CHECKSUM_PARTIAL && !skb_is_gso(skb))
		skb_checksum_help(skb);

	return XT_CONTINUE;
}

static int checksum_tg_check(const struct xt_tgchk_param *par)
{
	const struct xt_CHECKSUM_info *einfo = par->targinfo;
	const struct ip6t_ip6 *i6 = par->entryinfo;
	const struct ipt_ip *i4 = par->entryinfo;

	if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
		pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
				    einfo->operation);
		return -EINVAL;
	}
	if (!einfo->operation)
		return -EINVAL;

	switch (par->family) {
	case NFPROTO_IPV4:
		if (i4->proto == IPPROTO_UDP &&
		    (i4->invflags & XT_INV_PROTO) == 0)
			return 0;
		break;
	case NFPROTO_IPV6:
		if ((i6->flags & IP6T_F_PROTO) &&
		    i6->proto == IPPROTO_UDP &&
		    (i6->invflags & XT_INV_PROTO) == 0)
			return 0;
		break;
	}

	pr_warn_once("CHECKSUM should be avoided.  If really needed, restrict with \"-p udp\" and only use in OUTPUT\n");
	return 0;
}

static struct xt_target checksum_tg_reg __read_mostly = {
	.name		= "CHECKSUM",
	.family		= NFPROTO_UNSPEC,
	.target		= checksum_tg,
	.targetsize	= sizeof(struct xt_CHECKSUM_info),
	.table		= "mangle",
	.checkentry	= checksum_tg_check,
	.me		= THIS_MODULE,
};

static int __init checksum_tg_init(void)
{
	return xt_register_target(&checksum_tg_reg);
}

static void __exit checksum_tg_exit(void)
{
	xt_unregister_target(&checksum_tg_reg);
}

module_init(checksum_tg_init);
module_exit(checksum_tg_exit);
Commit	Line	Data
edf0e1fb MT	1	/* iptables module for the packet checksum mangling
	2	*
	3	* (C) 2002 by Harald Welte <laforge@netfilter.org>
	4	* (C) 2010 Red Hat, Inc.
	5	*
	6	* Author: Michael S. Tsirkin <mst@redhat.com>
	7	*
	8	* This program is free software; you can redistribute it and/or modify
	9	* it under the terms of the GNU General Public License version 2 as
	10	* published by the Free Software Foundation.
	11	*/
	12	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
	13	#include <linux/module.h>
	14	#include <linux/skbuff.h>
	15
	16	#include <linux/netfilter/x_tables.h>
	17	#include <linux/netfilter/xt_CHECKSUM.h>
	18
10568f6c FW	19	#include <linux/netfilter_ipv4/ip_tables.h>
	20	#include <linux/netfilter_ipv6/ip6_tables.h>
	21
edf0e1fb MT	22	MODULE_LICENSE("GPL");
	23	MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
	24	MODULE_DESCRIPTION("Xtables: checksum modification");
	25	MODULE_ALIAS("ipt_CHECKSUM");
	26	MODULE_ALIAS("ip6t_CHECKSUM");
	27
	28	static unsigned int
	29	checksum_tg(struct sk_buff skb, const struct xt_action_param par)
	30	{
10568f6c	31	if (skb->ip_summed == CHECKSUM_PARTIAL && !skb_is_gso(skb))
edf0e1fb MT	32	skb_checksum_help(skb);
	33
	34	return XT_CONTINUE;
	35	}
	36
	37	static int checksum_tg_check(const struct xt_tgchk_param *par)
	38	{
	39	const struct xt_CHECKSUM_info *einfo = par->targinfo;
10568f6c FW	40	const struct ip6t_ip6 *i6 = par->entryinfo;
10568f6c FW	41	const struct ipt_ip *i4 = par->entryinfo;
edf0e1fb MT	42
edf0e1fb MT	43	if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
b2606644 FW	44	pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
b2606644 FW	45	einfo->operation);
edf0e1fb MT	46	return -EINVAL;
edf0e1fb MT	47	}
0cc9501f	48	if (!einfo->operation)
edf0e1fb	49	return -EINVAL;
0cc9501f	50
10568f6c FW	51	switch (par->family) {
	52	case NFPROTO_IPV4:
	53	if (i4->proto == IPPROTO_UDP &&
	54	(i4->invflags & XT_INV_PROTO) == 0)
	55	return 0;
	56	break;
	57	case NFPROTO_IPV6:
	58	if ((i6->flags & IP6T_F_PROTO) &&
	59	i6->proto == IPPROTO_UDP &&
	60	(i6->invflags & XT_INV_PROTO) == 0)
	61	return 0;
	62	break;
	63	}
	64
	65	pr_warn_once("CHECKSUM should be avoided. If really needed, restrict with \"-p udp\" and only use in OUTPUT\n");
edf0e1fb MT	66	return 0;
	67	}
	68
	69	static struct xt_target checksum_tg_reg __read_mostly = {
	70	.name = "CHECKSUM",
	71	.family = NFPROTO_UNSPEC,
	72	.target = checksum_tg,
	73	.targetsize = sizeof(struct xt_CHECKSUM_info),
	74	.table = "mangle",
	75	.checkentry = checksum_tg_check,
	76	.me = THIS_MODULE,
	77	};
	78
	79	static int __init checksum_tg_init(void)
	80	{
	81	return xt_register_target(&checksum_tg_reg);
	82	}
	83
	84	static void __exit checksum_tg_exit(void)
	85	{
	86	xt_unregister_target(&checksum_tg_reg);
	87	}
	88
	89	module_init(checksum_tg_init);
	90	module_exit(checksum_tg_exit);