2 * This is a module which is used for setting the MSS option in TCP packets.
4 * Copyright (C) 2000 Marc Boucher <marc@mbsi.ca>
5 * Copyright (C) 2007 Patrick McHardy <kaber@trash.net>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 #include <linux/module.h>
13 #include <linux/skbuff.h>
15 #include <linux/gfp.h>
16 #include <linux/ipv6.h>
17 #include <linux/tcp.h>
21 #include <net/route.h>
24 #include <linux/netfilter_ipv4/ip_tables.h>
25 #include <linux/netfilter_ipv6/ip6_tables.h>
26 #include <linux/netfilter/x_tables.h>
27 #include <linux/netfilter/xt_tcpudp.h>
28 #include <linux/netfilter/xt_TCPMSS.h>
30 MODULE_LICENSE("GPL");
31 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
32 MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment");
33 MODULE_ALIAS("ipt_TCPMSS");
34 MODULE_ALIAS("ip6t_TCPMSS");
36 static inline unsigned int
37 optlen(const u_int8_t *opt, unsigned int offset)
39 /* Beware zero-length options: make finite progress */
40 if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
47 tcpmss_mangle_packet(struct sk_buff *skb,
48 const struct xt_tcpmss_info *info,
54 unsigned int tcplen, i;
59 if (!skb_make_writable(skb, skb->len))
62 tcplen = skb->len - tcphoff;
63 tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
65 /* Header cannot be larger than the packet */
66 if (tcplen < tcph->doff*4)
69 if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
70 if (dst_mtu(skb_dst(skb)) <= minlen) {
71 net_err_ratelimited("unknown or invalid path-MTU (%u)\n",
72 dst_mtu(skb_dst(skb)));
75 if (in_mtu <= minlen) {
76 net_err_ratelimited("unknown or invalid path-MTU (%u)\n",
80 newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen;
84 opt = (u_int8_t *)tcph;
85 for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
86 if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
87 opt[i+1] == TCPOLEN_MSS) {
90 oldmss = (opt[i+2] << 8) | opt[i+3];
92 /* Never increase MSS, even when setting it, as
93 * doing so results in problems for hosts that rely
94 * on MSS being set correctly.
99 opt[i+2] = (newmss & 0xff00) >> 8;
100 opt[i+3] = newmss & 0x00ff;
102 inet_proto_csum_replace2(&tcph->check, skb,
103 htons(oldmss), htons(newmss),
109 /* There is data after the header so the option can't be added
110 without moving it, and doing so may make the SYN packet
111 itself too large. Accept the packet unmodified instead. */
112 if (tcplen > tcph->doff*4)
116 * MSS Option not found ?! add it..
118 if (skb_tailroom(skb) < TCPOLEN_MSS) {
119 if (pskb_expand_head(skb, 0,
120 TCPOLEN_MSS - skb_tailroom(skb),
123 tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
126 skb_put(skb, TCPOLEN_MSS);
128 /* RFC 879 states that the default MSS is 536 without specific
129 * knowledge that the destination host is prepared to accept larger.
130 * Since no MSS was provided, we MUST NOT set a value > 536.
132 newmss = min(newmss, (u16)536);
134 opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
135 memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
137 inet_proto_csum_replace2(&tcph->check, skb,
138 htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
140 opt[1] = TCPOLEN_MSS;
141 opt[2] = (newmss & 0xff00) >> 8;
142 opt[3] = newmss & 0x00ff;
144 inet_proto_csum_replace4(&tcph->check, skb, 0, *((__be32 *)opt), 0);
146 oldval = ((__be16 *)tcph)[6];
147 tcph->doff += TCPOLEN_MSS/4;
148 inet_proto_csum_replace2(&tcph->check, skb,
149 oldval, ((__be16 *)tcph)[6], 0);
153 static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
157 const struct nf_afinfo *ai;
158 struct rtable *rt = NULL;
161 if (family == PF_INET) {
162 struct flowi4 *fl4 = &fl.u.ip4;
163 memset(fl4, 0, sizeof(*fl4));
164 fl4->daddr = ip_hdr(skb)->saddr;
166 struct flowi6 *fl6 = &fl.u.ip6;
168 memset(fl6, 0, sizeof(*fl6));
169 fl6->daddr = ipv6_hdr(skb)->saddr;
172 ai = nf_get_afinfo(family);
174 ai->route(&init_net, (struct dst_entry **)&rt, &fl, false);
178 mtu = dst_mtu(&rt->dst);
179 dst_release(&rt->dst);
185 tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
187 struct iphdr *iph = ip_hdr(skb);
191 ret = tcpmss_mangle_packet(skb, par->targinfo,
192 tcpmss_reverse_mtu(skb, PF_INET),
194 sizeof(*iph) + sizeof(struct tcphdr));
199 newlen = htons(ntohs(iph->tot_len) + ret);
200 csum_replace2(&iph->check, iph->tot_len, newlen);
201 iph->tot_len = newlen;
206 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
208 tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
210 struct ipv6hdr *ipv6h = ipv6_hdr(skb);
216 nexthdr = ipv6h->nexthdr;
217 tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off);
220 ret = tcpmss_mangle_packet(skb, par->targinfo,
221 tcpmss_reverse_mtu(skb, PF_INET6),
223 sizeof(*ipv6h) + sizeof(struct tcphdr));
227 ipv6h = ipv6_hdr(skb);
228 ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) + ret);
234 /* Must specify -p tcp --syn */
235 static inline bool find_syn_match(const struct xt_entry_match *m)
237 const struct xt_tcp *tcpinfo = (const struct xt_tcp *)m->data;
239 if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
240 tcpinfo->flg_cmp & TCPHDR_SYN &&
241 !(tcpinfo->invflags & XT_TCP_INV_FLAGS))
247 static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
249 const struct xt_tcpmss_info *info = par->targinfo;
250 const struct ipt_entry *e = par->entryinfo;
251 const struct xt_entry_match *ematch;
253 if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
254 (par->hook_mask & ~((1 << NF_INET_FORWARD) |
255 (1 << NF_INET_LOCAL_OUT) |
256 (1 << NF_INET_POST_ROUTING))) != 0) {
257 pr_info("path-MTU clamping only supported in "
258 "FORWARD, OUTPUT and POSTROUTING hooks\n");
261 xt_ematch_foreach(ematch, e)
262 if (find_syn_match(ematch))
264 pr_info("Only works on TCP SYN packets\n");
268 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
269 static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
271 const struct xt_tcpmss_info *info = par->targinfo;
272 const struct ip6t_entry *e = par->entryinfo;
273 const struct xt_entry_match *ematch;
275 if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
276 (par->hook_mask & ~((1 << NF_INET_FORWARD) |
277 (1 << NF_INET_LOCAL_OUT) |
278 (1 << NF_INET_POST_ROUTING))) != 0) {
279 pr_info("path-MTU clamping only supported in "
280 "FORWARD, OUTPUT and POSTROUTING hooks\n");
283 xt_ematch_foreach(ematch, e)
284 if (find_syn_match(ematch))
286 pr_info("Only works on TCP SYN packets\n");
291 static struct xt_target tcpmss_tg_reg[] __read_mostly = {
293 .family = NFPROTO_IPV4,
295 .checkentry = tcpmss_tg4_check,
296 .target = tcpmss_tg4,
297 .targetsize = sizeof(struct xt_tcpmss_info),
298 .proto = IPPROTO_TCP,
301 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
303 .family = NFPROTO_IPV6,
305 .checkentry = tcpmss_tg6_check,
306 .target = tcpmss_tg6,
307 .targetsize = sizeof(struct xt_tcpmss_info),
308 .proto = IPPROTO_TCP,
314 static int __init tcpmss_tg_init(void)
316 return xt_register_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
319 static void __exit tcpmss_tg_exit(void)
321 xt_unregister_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
324 module_init(tcpmss_tg_init);
325 module_exit(tcpmss_tg_exit);