377 				       struct header_pointers *hdr)  in tcp_dissect()  argument
379 	hdr->eth = data;  in tcp_dissect()
380 	if (hdr->eth + 1 > data_end)  in tcp_dissect()
383 	switch (bpf_ntohs(hdr->eth->h_proto)) {  in tcp_dissect()
385 		hdr->ipv6 = NULL;  in tcp_dissect()
387 		hdr->ipv4 = (void *)hdr->eth + sizeof(*hdr->eth);  in tcp_dissect()
388 		if (hdr->ipv4 + 1 > data_end)  in tcp_dissect()
390 		if (hdr->ipv4->ihl * 4 < sizeof(*hdr->ipv4))  in tcp_dissect()
392 		if (hdr->ipv4->version != 4)  in tcp_dissect()
395 		if (hdr->ipv4->protocol != IPPROTO_TCP)  in tcp_dissect()
398 		hdr->tcp = (void *)hdr->ipv4 + hdr->ipv4->ihl * 4;  in tcp_dissect()
401 		hdr->ipv4 = NULL;  in tcp_dissect()
403 		hdr->ipv6 = (void *)hdr->eth + sizeof(*hdr->eth);  in tcp_dissect()
404 		if (hdr->ipv6 + 1 > data_end)  in tcp_dissect()
406 		if (hdr->ipv6->version != 6)  in tcp_dissect()
412 		if (hdr->ipv6->nexthdr != NEXTHDR_TCP)  in tcp_dissect()
415 		hdr->tcp = (void *)hdr->ipv6 + sizeof(*hdr->ipv6);  in tcp_dissect()
422 	if (hdr->tcp + 1 > data_end)  in tcp_dissect()
424 	hdr->tcp_len = hdr->tcp->doff * 4;  in tcp_dissect()
425 	if (hdr->tcp_len < sizeof(*hdr->tcp))  in tcp_dissect()
431 static __always_inline int tcp_lookup(void *ctx, struct header_pointers *hdr, bool xdp)  in tcp_lookup()  argument
441 	if (hdr->ipv4) {  in tcp_lookup()
445 		if ((hdr->ipv4->frag_off & bpf_htons(IP_DF | IP_MF | IP_OFFSET)) != bpf_htons(IP_DF))  in tcp_lookup()
448 		tup.ipv4.saddr = hdr->ipv4->saddr;  in tcp_lookup()
449 		tup.ipv4.daddr = hdr->ipv4->daddr;  in tcp_lookup()
450 		tup.ipv4.sport = hdr->tcp->source;  in tcp_lookup()
451 		tup.ipv4.dport = hdr->tcp->dest;  in tcp_lookup()
453 	} else if (hdr->ipv6) {  in tcp_lookup()
454 		__builtin_memcpy(tup.ipv6.saddr, &hdr->ipv6->saddr, sizeof(tup.ipv6.saddr));  in tcp_lookup()
455 		__builtin_memcpy(tup.ipv6.daddr, &hdr->ipv6->daddr, sizeof(tup.ipv6.daddr));  in tcp_lookup()
456 		tup.ipv6.sport = hdr->tcp->source;  in tcp_lookup()
457 		tup.ipv6.dport = hdr->tcp->dest;  in tcp_lookup()
536 static __always_inline void tcpv4_gen_synack(struct header_pointers *hdr,  in tcpv4_gen_synack()  argument
545 	swap_eth_addr(hdr->eth->h_source, hdr->eth->h_dest);  in tcpv4_gen_synack()
547 	swap(hdr->ipv4->saddr, hdr->ipv4->daddr);  in tcpv4_gen_synack()
548 	hdr->ipv4->check = 0; /* Calculate checksum later. */  in tcpv4_gen_synack()
549 	hdr->ipv4->tos = 0;  in tcpv4_gen_synack()
550 	hdr->ipv4->id = 0;  in tcpv4_gen_synack()
551 	hdr->ipv4->ttl = ttl;  in tcpv4_gen_synack()
553 	tcp_gen_synack(hdr->tcp, cookie, tsopt, mss, wscale);  in tcpv4_gen_synack()
555 	hdr->tcp_len = hdr->tcp->doff * 4;  in tcpv4_gen_synack()
556 	hdr->ipv4->tot_len = bpf_htons(sizeof(*hdr->ipv4) + hdr->tcp_len);  in tcpv4_gen_synack()
559 static __always_inline void tcpv6_gen_synack(struct header_pointers *hdr,  in tcpv6_gen_synack()  argument
568 	swap_eth_addr(hdr->eth->h_source, hdr->eth->h_dest);  in tcpv6_gen_synack()
570 	swap(hdr->ipv6->saddr, hdr->ipv6->daddr);  in tcpv6_gen_synack()
571 	*(__be32 *)hdr->ipv6 = bpf_htonl(0x60000000);  in tcpv6_gen_synack()
572 	hdr->ipv6->hop_limit = ttl;  in tcpv6_gen_synack()
574 	tcp_gen_synack(hdr->tcp, cookie, tsopt, mss, wscale);  in tcpv6_gen_synack()
576 	hdr->tcp_len = hdr->tcp->doff * 4;  in tcpv6_gen_synack()
577 	hdr->ipv6->payload_len = bpf_htons(hdr->tcp_len);  in tcpv6_gen_synack()
580 static __always_inline int syncookie_handle_syn(struct header_pointers *hdr,  in syncookie_handle_syn()  argument
611 	if (hdr->tcp->fin || hdr->tcp->rst)  in syncookie_handle_syn()
617 	if (!check_port_allowed(bpf_ntohs(hdr->tcp->dest)))  in syncookie_handle_syn()
620 	if (hdr->ipv4) {  in syncookie_handle_syn()
622 		value = bpf_csum_diff(0, 0, (void *)hdr->ipv4, hdr->ipv4->ihl * 4, 0);  in syncookie_handle_syn()
628 		value = bpf_csum_diff(0, 0, (void *)hdr->tcp, hdr->tcp_len, 0);  in syncookie_handle_syn()
631 		if (csum_tcpudp_magic(hdr->ipv4->saddr, hdr->ipv4->daddr,  in syncookie_handle_syn()
632 				      hdr->tcp_len, IPPROTO_TCP, value) != 0)  in syncookie_handle_syn()
635 		ip_len = sizeof(*hdr->ipv4);  in syncookie_handle_syn()
637 		value = bpf_tcp_raw_gen_syncookie_ipv4(hdr->ipv4, hdr->tcp,  in syncookie_handle_syn()
638 						       hdr->tcp_len);  in syncookie_handle_syn()
639 	} else if (hdr->ipv6) {  in syncookie_handle_syn()
641 		value = bpf_csum_diff(0, 0, (void *)hdr->tcp, hdr->tcp_len, 0);  in syncookie_handle_syn()
644 		if (csum_ipv6_magic(&hdr->ipv6->saddr, &hdr->ipv6->daddr,  in syncookie_handle_syn()
645 				    hdr->tcp_len, IPPROTO_TCP, value) != 0)  in syncookie_handle_syn()
648 		ip_len = sizeof(*hdr->ipv6);  in syncookie_handle_syn()
650 		value = bpf_tcp_raw_gen_syncookie_ipv6(hdr->ipv6, hdr->tcp,  in syncookie_handle_syn()
651 						       hdr->tcp_len);  in syncookie_handle_syn()
660 	if (tscookie_init((void *)hdr->tcp, hdr->tcp_len,  in syncookie_handle_syn()
668 	if (data + sizeof(*hdr->eth) + ip_len + TCP_MAXLEN > data_end)  in syncookie_handle_syn()
671 	if (hdr->ipv4) {  in syncookie_handle_syn()
672 		if (hdr->ipv4->ihl * 4 > sizeof(*hdr->ipv4)) {  in syncookie_handle_syn()
675 			new_tcp_header = data + sizeof(*hdr->eth) + sizeof(*hdr->ipv4);  in syncookie_handle_syn()
676 			__builtin_memmove(new_tcp_header, hdr->tcp, sizeof(*hdr->tcp));  in syncookie_handle_syn()
677 			hdr->tcp = new_tcp_header;  in syncookie_handle_syn()
679 			hdr->ipv4->ihl = sizeof(*hdr->ipv4) / 4;  in syncookie_handle_syn()
682 		tcpv4_gen_synack(hdr, cookie, tsopt);  in syncookie_handle_syn()
683 	} else if (hdr->ipv6) {  in syncookie_handle_syn()
684 		tcpv6_gen_synack(hdr, cookie, tsopt);  in syncookie_handle_syn()
690 	hdr->tcp->check = 0;  in syncookie_handle_syn()
691 	value = bpf_csum_diff(0, 0, (void *)hdr->tcp, hdr->tcp_len, 0);  in syncookie_handle_syn()
694 	if (hdr->ipv4) {  in syncookie_handle_syn()
695 		hdr->tcp->check = csum_tcpudp_magic(hdr->ipv4->saddr,  in syncookie_handle_syn()
696 						    hdr->ipv4->daddr,  in syncookie_handle_syn()
697 						    hdr->tcp_len,  in syncookie_handle_syn()
701 		hdr->ipv4->check = 0;  in syncookie_handle_syn()
702 		value = bpf_csum_diff(0, 0, (void *)hdr->ipv4, sizeof(*hdr->ipv4), 0);  in syncookie_handle_syn()
705 		hdr->ipv4->check = csum_fold(value);  in syncookie_handle_syn()
706 	} else if (hdr->ipv6) {  in syncookie_handle_syn()
707 		hdr->tcp->check = csum_ipv6_magic(&hdr->ipv6->saddr,  in syncookie_handle_syn()
708 						  &hdr->ipv6->daddr,  in syncookie_handle_syn()
709 						  hdr->tcp_len,  in syncookie_handle_syn()
718 	new_pkt_size = sizeof(*hdr->eth) + ip_len + hdr->tcp->doff * 4;  in syncookie_handle_syn()
732 static __always_inline int syncookie_handle_ack(struct header_pointers *hdr)  in syncookie_handle_ack()  argument
736 	if (hdr->tcp->rst)  in syncookie_handle_ack()
739 	if (hdr->ipv4)  in syncookie_handle_ack()
740 		err = bpf_tcp_raw_check_syncookie_ipv4(hdr->ipv4, hdr->tcp);  in syncookie_handle_ack()
741 	else if (hdr->ipv6)  in syncookie_handle_ack()
742 		err = bpf_tcp_raw_check_syncookie_ipv6(hdr->ipv6, hdr->tcp);  in syncookie_handle_ack()
752 					   struct header_pointers *hdr, bool xdp)  in syncookie_part1()  argument
756 	ret = tcp_dissect(data, data_end, hdr);  in syncookie_part1()
760 	ret = tcp_lookup(ctx, hdr, xdp);  in syncookie_part1()
766 	if ((hdr->tcp->syn ^ hdr->tcp->ack) != 1)  in syncookie_part1()
769 	/* Grow the TCP header to TCP_MAXLEN to be able to pass any hdr->tcp_len  in syncookie_part1()
773 		if (bpf_xdp_adjust_tail(ctx, TCP_MAXLEN - hdr->tcp_len))  in syncookie_part1()
781 		if (bpf_skb_change_tail(ctx, old_len + TCP_MAXLEN - hdr->tcp_len, 0))  in syncookie_part1()
789 					   struct header_pointers *hdr, bool xdp)  in syncookie_part2()  argument
791 	if (hdr->ipv4) {  in syncookie_part2()
792 		hdr->eth = data;  in syncookie_part2()
793 		hdr->ipv4 = (void *)hdr->eth + sizeof(*hdr->eth);  in syncookie_part2()
797 		if ((void *)hdr->ipv4 + IPV4_MAXLEN > data_end)  in syncookie_part2()
799 		hdr->tcp = (void *)hdr->ipv4 + hdr->ipv4->ihl * 4;  in syncookie_part2()
800 	} else if (hdr->ipv6) {  in syncookie_part2()
801 		hdr->eth = data;  in syncookie_part2()
802 		hdr->ipv6 = (void *)hdr->eth + sizeof(*hdr->eth);  in syncookie_part2()
803 		hdr->tcp = (void *)hdr->ipv6 + sizeof(*hdr->ipv6);  in syncookie_part2()
808 	if ((void *)hdr->tcp + TCP_MAXLEN > data_end)  in syncookie_part2()
814 	hdr->tcp_len = hdr->tcp->doff * 4;  in syncookie_part2()
815 	if (hdr->tcp_len < sizeof(*hdr->tcp))  in syncookie_part2()
818 	return hdr->tcp->syn ? syncookie_handle_syn(hdr, ctx, data, data_end, xdp) :  in syncookie_part2()
819 			       syncookie_handle_ack(hdr);  in syncookie_part2()
827 	struct header_pointers hdr;  in syncookie_xdp()  local
830 	ret = syncookie_part1(ctx, data, data_end, &hdr, true);  in syncookie_xdp()
837 	return syncookie_part2(ctx, data, data_end, &hdr, true);  in syncookie_xdp()
845 	struct header_pointers hdr;  in syncookie_tc()  local
848 	ret = syncookie_part1(skb, data, data_end, &hdr, false);  in syncookie_tc()
855 	ret = syncookie_part2(skb, data, data_end, &hdr, false);  in syncookie_tc()