376 				       struct header_pointers *hdr)  in tcp_dissect()  argument
378 	hdr->eth = data;  in tcp_dissect()
379 	if (hdr->eth + 1 > data_end)  in tcp_dissect()
382 	switch (bpf_ntohs(hdr->eth->h_proto)) {  in tcp_dissect()
384 		hdr->ipv6 = NULL;  in tcp_dissect()
386 		hdr->ipv4 = (void *)hdr->eth + sizeof(*hdr->eth);  in tcp_dissect()
387 		if (hdr->ipv4 + 1 > data_end)  in tcp_dissect()
389 		if (hdr->ipv4->ihl * 4 < sizeof(*hdr->ipv4))  in tcp_dissect()
391 		if (hdr->ipv4->version != 4)  in tcp_dissect()
394 		if (hdr->ipv4->protocol != IPPROTO_TCP)  in tcp_dissect()
397 		hdr->tcp = (void *)hdr->ipv4 + hdr->ipv4->ihl * 4;  in tcp_dissect()
400 		hdr->ipv4 = NULL;  in tcp_dissect()
402 		hdr->ipv6 = (void *)hdr->eth + sizeof(*hdr->eth);  in tcp_dissect()
403 		if (hdr->ipv6 + 1 > data_end)  in tcp_dissect()
405 		if (hdr->ipv6->version != 6)  in tcp_dissect()
411 		if (hdr->ipv6->nexthdr != NEXTHDR_TCP)  in tcp_dissect()
414 		hdr->tcp = (void *)hdr->ipv6 + sizeof(*hdr->ipv6);  in tcp_dissect()
421 	if (hdr->tcp + 1 > data_end)  in tcp_dissect()
423 	hdr->tcp_len = hdr->tcp->doff * 4;  in tcp_dissect()
424 	if (hdr->tcp_len < sizeof(*hdr->tcp))  in tcp_dissect()
430 static __always_inline int tcp_lookup(void *ctx, struct header_pointers *hdr, bool xdp)  in tcp_lookup()  argument
440 	if (hdr->ipv4) {  in tcp_lookup()
444 		if ((hdr->ipv4->frag_off & bpf_htons(IP_MF | IP_OFFSET)) != 0)  in tcp_lookup()
447 		tup.ipv4.saddr = hdr->ipv4->saddr;  in tcp_lookup()
448 		tup.ipv4.daddr = hdr->ipv4->daddr;  in tcp_lookup()
449 		tup.ipv4.sport = hdr->tcp->source;  in tcp_lookup()
450 		tup.ipv4.dport = hdr->tcp->dest;  in tcp_lookup()
452 	} else if (hdr->ipv6) {  in tcp_lookup()
453 		__builtin_memcpy(tup.ipv6.saddr, &hdr->ipv6->saddr, sizeof(tup.ipv6.saddr));  in tcp_lookup()
454 		__builtin_memcpy(tup.ipv6.daddr, &hdr->ipv6->daddr, sizeof(tup.ipv6.daddr));  in tcp_lookup()
455 		tup.ipv6.sport = hdr->tcp->source;  in tcp_lookup()
456 		tup.ipv6.dport = hdr->tcp->dest;  in tcp_lookup()
535 static __always_inline void tcpv4_gen_synack(struct header_pointers *hdr,  in tcpv4_gen_synack()  argument
544 	swap_eth_addr(hdr->eth->h_source, hdr->eth->h_dest);  in tcpv4_gen_synack()
546 	swap(hdr->ipv4->saddr, hdr->ipv4->daddr);  in tcpv4_gen_synack()
547 	hdr->ipv4->check = 0; /* Calculate checksum later. */  in tcpv4_gen_synack()
548 	hdr->ipv4->tos = 0;  in tcpv4_gen_synack()
549 	hdr->ipv4->id = 0;  in tcpv4_gen_synack()
550 	hdr->ipv4->ttl = ttl;  in tcpv4_gen_synack()
552 	tcp_gen_synack(hdr->tcp, cookie, tsopt, mss, wscale);  in tcpv4_gen_synack()
554 	hdr->tcp_len = hdr->tcp->doff * 4;  in tcpv4_gen_synack()
555 	hdr->ipv4->tot_len = bpf_htons(sizeof(*hdr->ipv4) + hdr->tcp_len);  in tcpv4_gen_synack()
558 static __always_inline void tcpv6_gen_synack(struct header_pointers *hdr,  in tcpv6_gen_synack()  argument
567 	swap_eth_addr(hdr->eth->h_source, hdr->eth->h_dest);  in tcpv6_gen_synack()
569 	swap(hdr->ipv6->saddr, hdr->ipv6->daddr);  in tcpv6_gen_synack()
570 	*(__be32 *)hdr->ipv6 = bpf_htonl(0x60000000);  in tcpv6_gen_synack()
571 	hdr->ipv6->hop_limit = ttl;  in tcpv6_gen_synack()
573 	tcp_gen_synack(hdr->tcp, cookie, tsopt, mss, wscale);  in tcpv6_gen_synack()
575 	hdr->tcp_len = hdr->tcp->doff * 4;  in tcpv6_gen_synack()
576 	hdr->ipv6->payload_len = bpf_htons(hdr->tcp_len);  in tcpv6_gen_synack()
579 static __always_inline int syncookie_handle_syn(struct header_pointers *hdr,  in syncookie_handle_syn()  argument
610 	if (hdr->tcp->fin || hdr->tcp->rst)  in syncookie_handle_syn()
616 	if (!check_port_allowed(bpf_ntohs(hdr->tcp->dest)))  in syncookie_handle_syn()
619 	if (hdr->ipv4) {  in syncookie_handle_syn()
621 		value = bpf_csum_diff(0, 0, (void *)hdr->ipv4, hdr->ipv4->ihl * 4, 0);  in syncookie_handle_syn()
627 		value = bpf_csum_diff(0, 0, (void *)hdr->tcp, hdr->tcp_len, 0);  in syncookie_handle_syn()
630 		if (csum_tcpudp_magic(hdr->ipv4->saddr, hdr->ipv4->daddr,  in syncookie_handle_syn()
631 				      hdr->tcp_len, IPPROTO_TCP, value) != 0)  in syncookie_handle_syn()
634 		ip_len = sizeof(*hdr->ipv4);  in syncookie_handle_syn()
636 		value = bpf_tcp_raw_gen_syncookie_ipv4(hdr->ipv4, hdr->tcp,  in syncookie_handle_syn()
637 						       hdr->tcp_len);  in syncookie_handle_syn()
638 	} else if (hdr->ipv6) {  in syncookie_handle_syn()
640 		value = bpf_csum_diff(0, 0, (void *)hdr->tcp, hdr->tcp_len, 0);  in syncookie_handle_syn()
643 		if (csum_ipv6_magic(&hdr->ipv6->saddr, &hdr->ipv6->daddr,  in syncookie_handle_syn()
644 				    hdr->tcp_len, IPPROTO_TCP, value) != 0)  in syncookie_handle_syn()
647 		ip_len = sizeof(*hdr->ipv6);  in syncookie_handle_syn()
649 		value = bpf_tcp_raw_gen_syncookie_ipv6(hdr->ipv6, hdr->tcp,  in syncookie_handle_syn()
650 						       hdr->tcp_len);  in syncookie_handle_syn()
659 	if (tscookie_init((void *)hdr->tcp, hdr->tcp_len,  in syncookie_handle_syn()
667 	if (data + sizeof(*hdr->eth) + ip_len + TCP_MAXLEN > data_end)  in syncookie_handle_syn()
670 	if (hdr->ipv4) {  in syncookie_handle_syn()
671 		if (hdr->ipv4->ihl * 4 > sizeof(*hdr->ipv4)) {  in syncookie_handle_syn()
674 			new_tcp_header = data + sizeof(*hdr->eth) + sizeof(*hdr->ipv4);  in syncookie_handle_syn()
675 			__builtin_memmove(new_tcp_header, hdr->tcp, sizeof(*hdr->tcp));  in syncookie_handle_syn()
676 			hdr->tcp = new_tcp_header;  in syncookie_handle_syn()
678 			hdr->ipv4->ihl = sizeof(*hdr->ipv4) / 4;  in syncookie_handle_syn()
681 		tcpv4_gen_synack(hdr, cookie, tsopt);  in syncookie_handle_syn()
682 	} else if (hdr->ipv6) {  in syncookie_handle_syn()
683 		tcpv6_gen_synack(hdr, cookie, tsopt);  in syncookie_handle_syn()
689 	hdr->tcp->check = 0;  in syncookie_handle_syn()
690 	value = bpf_csum_diff(0, 0, (void *)hdr->tcp, hdr->tcp_len, 0);  in syncookie_handle_syn()
693 	if (hdr->ipv4) {  in syncookie_handle_syn()
694 		hdr->tcp->check = csum_tcpudp_magic(hdr->ipv4->saddr,  in syncookie_handle_syn()
695 						    hdr->ipv4->daddr,  in syncookie_handle_syn()
696 						    hdr->tcp_len,  in syncookie_handle_syn()
700 		hdr->ipv4->check = 0;  in syncookie_handle_syn()
701 		value = bpf_csum_diff(0, 0, (void *)hdr->ipv4, sizeof(*hdr->ipv4), 0);  in syncookie_handle_syn()
704 		hdr->ipv4->check = csum_fold(value);  in syncookie_handle_syn()
705 	} else if (hdr->ipv6) {  in syncookie_handle_syn()
706 		hdr->tcp->check = csum_ipv6_magic(&hdr->ipv6->saddr,  in syncookie_handle_syn()
707 						  &hdr->ipv6->daddr,  in syncookie_handle_syn()
708 						  hdr->tcp_len,  in syncookie_handle_syn()
717 	new_pkt_size = sizeof(*hdr->eth) + ip_len + hdr->tcp->doff * 4;  in syncookie_handle_syn()
731 static __always_inline int syncookie_handle_ack(struct header_pointers *hdr)  in syncookie_handle_ack()  argument
735 	if (hdr->tcp->rst)  in syncookie_handle_ack()
738 	if (hdr->ipv4)  in syncookie_handle_ack()
739 		err = bpf_tcp_raw_check_syncookie_ipv4(hdr->ipv4, hdr->tcp);  in syncookie_handle_ack()
740 	else if (hdr->ipv6)  in syncookie_handle_ack()
741 		err = bpf_tcp_raw_check_syncookie_ipv6(hdr->ipv6, hdr->tcp);  in syncookie_handle_ack()
751 					   struct header_pointers *hdr, bool xdp)  in syncookie_part1()  argument
755 	ret = tcp_dissect(data, data_end, hdr);  in syncookie_part1()
759 	ret = tcp_lookup(ctx, hdr, xdp);  in syncookie_part1()
765 	if ((hdr->tcp->syn ^ hdr->tcp->ack) != 1)  in syncookie_part1()
768 	/* Grow the TCP header to TCP_MAXLEN to be able to pass any hdr->tcp_len  in syncookie_part1()
772 		if (bpf_xdp_adjust_tail(ctx, TCP_MAXLEN - hdr->tcp_len))  in syncookie_part1()
780 		if (bpf_skb_change_tail(ctx, old_len + TCP_MAXLEN - hdr->tcp_len, 0))  in syncookie_part1()
788 					   struct header_pointers *hdr, bool xdp)  in syncookie_part2()  argument
790 	if (hdr->ipv4) {  in syncookie_part2()
791 		hdr->eth = data;  in syncookie_part2()
792 		hdr->ipv4 = (void *)hdr->eth + sizeof(*hdr->eth);  in syncookie_part2()
796 		if ((void *)hdr->ipv4 + IPV4_MAXLEN > data_end)  in syncookie_part2()
798 		hdr->tcp = (void *)hdr->ipv4 + hdr->ipv4->ihl * 4;  in syncookie_part2()
799 	} else if (hdr->ipv6) {  in syncookie_part2()
800 		hdr->eth = data;  in syncookie_part2()
801 		hdr->ipv6 = (void *)hdr->eth + sizeof(*hdr->eth);  in syncookie_part2()
802 		hdr->tcp = (void *)hdr->ipv6 + sizeof(*hdr->ipv6);  in syncookie_part2()
807 	if ((void *)hdr->tcp + TCP_MAXLEN > data_end)  in syncookie_part2()
813 	hdr->tcp_len = hdr->tcp->doff * 4;  in syncookie_part2()
814 	if (hdr->tcp_len < sizeof(*hdr->tcp))  in syncookie_part2()
817 	return hdr->tcp->syn ? syncookie_handle_syn(hdr, ctx, data, data_end, xdp) :  in syncookie_part2()
818 			       syncookie_handle_ack(hdr);  in syncookie_part2()
826 	struct header_pointers hdr;  in syncookie_xdp()  local
829 	ret = syncookie_part1(ctx, data, data_end, &hdr, true);  in syncookie_xdp()
836 	return syncookie_part2(ctx, data, data_end, &hdr, true);  in syncookie_xdp()
844 	struct header_pointers hdr;  in syncookie_tc()  local
847 	ret = syncookie_part1(skb, data, data_end, &hdr, false);  in syncookie_tc()
854 	ret = syncookie_part2(skb, data, data_end, &hdr, false);  in syncookie_tc()