Commit d446a820 authored by Jan Engelhardt's avatar Jan Engelhardt Committed by Pablo Neira Ayuso

netfilter: xtables: move ipt_ecn to xt_ecn

Prepare the ECN match for augmentation by an IPv6 counterpart. Since
no symbol dependencies to ipv6.ko are added, having a single ecn match
module is the more so welcome.
Signed-off-by: default avatarJan Engelhardt <jengelh@medozas.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent c0d2b837
...@@ -43,6 +43,7 @@ header-y += xt_cpu.h ...@@ -43,6 +43,7 @@ header-y += xt_cpu.h
header-y += xt_dccp.h header-y += xt_dccp.h
header-y += xt_devgroup.h header-y += xt_devgroup.h
header-y += xt_dscp.h header-y += xt_dscp.h
header-y += xt_ecn.h
header-y += xt_esp.h header-y += xt_esp.h
header-y += xt_hashlimit.h header-y += xt_hashlimit.h
header-y += xt_helper.h header-y += xt_helper.h
......
/* iptables module for matching the ECN header in IPv4 and TCP header
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
*
* This software is distributed under GNU GPL v2, 1991
*
* ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
*/
#ifndef _XT_ECN_H
#define _XT_ECN_H
#include <linux/types.h>
#include <linux/netfilter/xt_dscp.h>
#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
#define IPT_ECN_OP_MATCH_IP 0x01
#define IPT_ECN_OP_MATCH_ECE 0x10
#define IPT_ECN_OP_MATCH_CWR 0x20
#define IPT_ECN_OP_MATCH_MASK 0xce
/* match info */
struct ipt_ecn_info {
__u8 operation;
__u8 invert;
__u8 ip_ect;
union {
struct {
__u8 ect;
} tcp;
} proto;
};
#endif /* _XT_ECN_H */
/* iptables module for matching the ECN header in IPv4 and TCP header
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
*
* This software is distributed under GNU GPL v2, 1991
*
* ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
*/
#ifndef _IPT_ECN_H #ifndef _IPT_ECN_H
#define _IPT_ECN_H #define _IPT_ECN_H
#include <linux/types.h> #include <linux/netfilter/xt_ecn.h>
#include <linux/netfilter/xt_dscp.h>
#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
#define IPT_ECN_OP_MATCH_IP 0x01
#define IPT_ECN_OP_MATCH_ECE 0x10
#define IPT_ECN_OP_MATCH_CWR 0x20
#define IPT_ECN_OP_MATCH_MASK 0xce
/* match info */
struct ipt_ecn_info {
__u8 operation;
__u8 invert;
__u8 ip_ect;
union {
struct {
__u8 ect;
} tcp;
} proto;
};
#endif /* _IPT_ECN_H */ #endif /* _IPT_ECN_H */
...@@ -76,11 +76,11 @@ config IP_NF_MATCH_AH ...@@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
config IP_NF_MATCH_ECN config IP_NF_MATCH_ECN
tristate '"ecn" match support' tristate '"ecn" match support'
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
help select NETFILTER_XT_MATCH_ECN
This option adds a `ECN' match, which allows you to match against ---help---
the IPv4 and TCP header ECN fields. This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects
To compile it as a module, choose M here. If unsure, say N. CONFIG_NETFILTER_XT_MATCH_ECN.
config IP_NF_MATCH_RPFILTER config IP_NF_MATCH_RPFILTER
tristate '"rpfilter" reverse path filter match support' tristate '"rpfilter" reverse path filter match support'
......
...@@ -49,7 +49,6 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o ...@@ -49,7 +49,6 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
# matches # matches
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o
# targets # targets
......
...@@ -778,6 +778,15 @@ config NETFILTER_XT_MATCH_DSCP ...@@ -778,6 +778,15 @@ config NETFILTER_XT_MATCH_DSCP
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_ECN
tristate '"ecn" match support'
depends on NETFILTER_ADVANCED
---help---
This option adds an "ECN" match, which allows you to match against
the IPv4 and TCP header ECN fields.
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_ESP config NETFILTER_XT_MATCH_ESP
tristate '"esp" match support' tristate '"esp" match support'
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
......
...@@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o ...@@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) += xt_ecn.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
......
...@@ -21,6 +21,7 @@ ...@@ -21,6 +21,7 @@
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4"); MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ecn");
static inline bool match_ip(const struct sk_buff *skb, static inline bool match_ip(const struct sk_buff *skb,
const struct ipt_ecn_info *einfo) const struct ipt_ecn_info *einfo)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment