* iptables: options, tproxy
From: Jan Engelhardt @ 2010-12-03 21:58 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
The following changes since commit 2f09f1b39ced2ae7109382dcf066785bab4a966a:
libxt_conntrack: fix --ctdir save/dump output format (2010-11-17 15:54:18 +0100)
are available in the git repository at:
git://dev.medozas.de/iptables master
Jan Engelhardt (5):
iptables: reset options at the start of each command
iptables: do not emit orig_opts twice
include: update files with headers from Linux 2.6.37-rc1
TPROXY: add support for revision 1
socket: add support for revision 1
extensions/libxt_SECMARK.c | 8 +-
extensions/libxt_TPROXY.c | 193 +++++++++++++++++++++++++-----
extensions/libxt_socket.c | 76 +++++++++++-
extensions/libxt_socket.man | 3 +
extensions/libxt_time.c | 1 +
include/linux/netfilter/xt_CHECKSUM.h | 8 +-
include/linux/netfilter/xt_CT.h | 10 +-
include/linux/netfilter/xt_IDLETIMER.h | 2 +-
include/linux/netfilter/xt_SECMARK.h | 12 +--
include/linux/netfilter/xt_TCPOPTSTRIP.h | 2 +-
include/linux/netfilter/xt_TPROXY.h | 17 ++-
include/linux/netfilter/xt_cluster.h | 8 +-
include/linux/netfilter/xt_connlimit.h | 2 +
include/linux/netfilter/xt_ipvs.h | 2 +
include/linux/netfilter/xt_physdev.h | 3 +
include/linux/netfilter/xt_policy.h | 11 ++
include/linux/netfilter/xt_quota.h | 6 +-
include/linux/netfilter/xt_sctp.h | 4 +-
include/linux/netfilter/xt_socket.h | 12 ++
include/linux/netfilter/xt_time.h | 14 +-
include/linux/netfilter/xt_u32.h | 16 ++--
ip6tables.c | 2 +-
iptables.c | 2 +-
xtables.c | 4 +
24 files changed, 329 insertions(+), 89 deletions(-)
create mode 100644 include/linux/netfilter/xt_socket.h
* [PATCH 1/5] iptables: reset options at the start of each command
From: Jan Engelhardt @ 2010-12-03 21:58 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
For each new command, iptables is supposed to start afresh with a
blank option set (opts) that only contains the program-specific
options (orig_opts), without any extension options. We failed to
restore this pointer (in function do_command) after the previous free
call in xtables_free_opts.
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
ip6tables.c | 2 +-
iptables.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ip6tables.c b/ip6tables.c
index 8318f91..9b1629e 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -147,7 +147,6 @@ void ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...) __
struct xtables_globals ip6tables_globals = {
.option_offset = 0,
.program_version = IPTABLES_VERSION,
- .opts = original_opts,
.orig_opts = original_opts,
.exit_err = ip6tables_exit_error,
};
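Review bot: With `.opts = original_opts` removed from `ip6tables_globals`, `opts` is NULL from program start until `do_command6` assigns it, so any code path that walks `opts` or calls `xtables_merge_options` before `do_command6` runs would now dereference NULL where it previously saw the static table. If no such path exists, a short comment next to `.orig_opts` saying that `.opts` is assigned per command in `do_command6` would keep the next reader from re-adding the initializer.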
@@ -1335,6 +1334,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
demand-load a protocol. */
opterr = 0;
+ opts = xt_params->orig_opts;
while ((c = getopt_long(argc, argv,
"-A:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:",
opts, NULL)) != -1) {
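Review bot: The added `opts = xt_params->orig_opts;` is the actual fix but carries no comment; a one-liner such as `/* start each command with only the program's own options */` would tie it to the `xtables_free_opts` call named in the changelog. It also only resets the pointer and frees nothing, so it relies on `xtables_free_opts` having run at the end of the previous command; if that call can be skipped on an error path, the merged array from the previous command leaks rather than being reused.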
diff --git a/iptables.c b/iptables.c
index c800fff..1127bdd 100644
--- a/iptables.c
+++ b/iptables.c
@@ -147,7 +147,6 @@ void iptables_exit_error(enum xtables_exittype status, const char *msg, ...) __a
struct xtables_globals iptables_globals = {
.option_offset = 0,
.program_version = IPTABLES_VERSION,
- .opts = original_opts,
.orig_opts = original_opts,
.exit_err = iptables_exit_error,
};
@@ -1358,6 +1357,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
demand-load a protocol. */
opterr = 0;
+ opts = xt_params->orig_opts;
while ((c = getopt_long(argc, argv,
"-A:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:",
opts, NULL)) != -1) {
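Review bot: The reset duplicates the ip6tables.c hunk line for line; since both programs assign `opts` from `xt_params->orig_opts` at the same point, a small helper in xtables.c (next to `xtables_free_opts`, which already owns the other half of this lifecycle) would keep the two copies from drifting apart and would be the natural home for a NULL check on `opts` if one is ever needed.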
--
1.7.1
* [PATCH 2/5] iptables: do not emit orig_opts twice
From: Jan Engelhardt @ 2010-12-03 21:58 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
This just happened to cross my eye; there was no error, but fixing
this up saves a pitfall, and some memory.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
xtables.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/xtables.c b/xtables.c
index d0aa868..2137c98 100644
--- a/xtables.c
+++ b/xtables.c
@@ -103,6 +103,10 @@ struct option *xtables_merge_options(struct option *orig_opts,
memcpy(merge, orig_opts, sizeof(*mp) * num_oold);
mp = merge + num_oold;
+ /* Since @opts also has @orig_opts already, skip the entries */
+ oldopts += num_oold;
+ num_old -= num_oold;
+
/* Second, the new options */
xt_params->option_offset += 256;
*option_offset = xt_params->option_offset;
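Review bot: `num_old -= num_oold;` assumes `oldopts` always begins with a complete copy of `orig_opts`, which holds after `xtables_merge_options` has run once and also when `oldopts == orig_opts` (the remainder is then 0), but if a caller ever passes an `oldopts` shorter than `orig_opts` the subtraction goes negative (or wraps if the count is unsigned) and the following copy reads past the array. A guard such as `if (num_old < num_oold) xtables_error(OTHER_PROBLEM, ...)`, or at least a comment stating the precondition, would make the assumption explicit. The new comment also says `@opts` while the parameter being skipped over is `oldopts`; the names should match.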
--
1.7.1
* [PATCH 3/5] include: update files with headers from Linux 2.6.37-rc1
From: Jan Engelhardt @ 2010-12-03 21:58 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Also includes the type change to __u{8,16,32} kernel types already.
---
extensions/libxt_SECMARK.c | 8 ++++----
extensions/libxt_time.c | 1 +
include/linux/netfilter/xt_CHECKSUM.h | 8 +++++---
include/linux/netfilter/xt_CT.h | 10 +++++-----
include/linux/netfilter/xt_IDLETIMER.h | 2 +-
include/linux/netfilter/xt_SECMARK.h | 12 +++---------
include/linux/netfilter/xt_TCPOPTSTRIP.h | 2 +-
include/linux/netfilter/xt_TPROXY.h | 17 ++++++++++++-----
include/linux/netfilter/xt_cluster.h | 8 ++++----
include/linux/netfilter/xt_connlimit.h | 2 ++
include/linux/netfilter/xt_ipvs.h | 2 ++
include/linux/netfilter/xt_physdev.h | 3 +++
include/linux/netfilter/xt_policy.h | 11 +++++++++++
include/linux/netfilter/xt_quota.h | 6 +++---
include/linux/netfilter/xt_sctp.h | 4 ++--
include/linux/netfilter/xt_socket.h | 12 ++++++++++++
include/linux/netfilter/xt_time.h | 14 +++++++-------
include/linux/netfilter/xt_u32.h | 16 ++++++++--------
18 files changed, 86 insertions(+), 52 deletions(-)
create mode 100644 include/linux/netfilter/xt_socket.h
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index 9e231ee..7bf4ff0 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -40,13 +40,13 @@ static int SECMARK_parse(int c, char **argv, int invert, unsigned int *flags,
"Can't specify --selctx twice");
info->mode = SECMARK_MODE_SEL;
- if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
+ if (strlen(optarg) > SECMARK_SECCTX_MAX-1)
xtables_error(PARAMETER_PROBLEM, PFX
"Maximum length %u exceeded by --selctx"
" parameter (%zu)",
- SECMARK_SELCTX_MAX-1, strlen(optarg));
+ SECMARK_SECCTX_MAX-1, strlen(optarg));
- strcpy(info->u.sel.selctx, optarg);
+ strcpy(info->secctx, optarg);
*flags |= SECMARK_MODE_SEL;
break;
default:
@@ -66,7 +66,7 @@ static void print_secmark(const struct xt_secmark_target_info *info)
{
switch (info->mode) {
case SECMARK_MODE_SEL:
- printf("selctx %s ", info->u.sel.selctx);\
+ printf("selctx %s ", info->secctx);
break;
default:
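Review bot: The removed line `printf("selctx %s ", info->u.sel.selctx);\` ended in a stray backslash that spliced the following `break;` onto the printf line; the replacement drops it. That is harmless to behaviour but it is a fix in its own right, not part of the `__u{8,16,32}` type change the changelog describes, so a sentence in the commit message would save the next reader from wondering whether the backslash was significant.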
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 9f12266..5462d93 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -20,6 +20,7 @@
#include <time.h>
#include <limits.h>
+#include <linux/types.h>
#include <linux/netfilter/xt_time.h>
#include <xtables.h>
diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/linux/netfilter/xt_CHECKSUM.h
index 3b4fb77..9a2e466 100644
--- a/include/linux/netfilter/xt_CHECKSUM.h
+++ b/include/linux/netfilter/xt_CHECKSUM.h
@@ -6,8 +6,10 @@
*
* This software is distributed under GNU GPL v2, 1991
*/
-#ifndef _IPT_CHECKSUM_TARGET_H
-#define _IPT_CHECKSUM_TARGET_H
+#ifndef _XT_CHECKSUM_TARGET_H
+#define _XT_CHECKSUM_TARGET_H
+
+#include <linux/types.h>
#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */
@@ -15,4 +17,4 @@ struct xt_CHECKSUM_info {
__u8 operation; /* bitset of operations */
};
-#endif /* _IPT_CHECKSUM_TARGET_H */
+#endif /* _XT_CHECKSUM_TARGET_H */
diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h
index 1b56410..fbf4c56 100644
--- a/include/linux/netfilter/xt_CT.h
+++ b/include/linux/netfilter/xt_CT.h
@@ -4,11 +4,11 @@
#define XT_CT_NOTRACK 0x1
struct xt_ct_target_info {
- u_int16_t flags;
- u_int16_t zone;
- u_int32_t ct_events;
- u_int32_t exp_events;
- char helper[16];
+ __u16 flags;
+ __u16 zone;
+ __u32 ct_events;
+ __u32 exp_events;
+ char helper[16];
/* Used internally by the kernel */
struct nf_conn *ct __attribute__((aligned(8)));
diff --git a/include/linux/netfilter/xt_IDLETIMER.h b/include/linux/netfilter/xt_IDLETIMER.h
index 3e1aa1b..208ae93 100644
--- a/include/linux/netfilter/xt_IDLETIMER.h
+++ b/include/linux/netfilter/xt_IDLETIMER.h
@@ -39,7 +39,7 @@ struct idletimer_tg_info {
char label[MAX_IDLETIMER_LABEL_SIZE];
/* for kernel module internal use only */
- struct idletimer_tg *timer __attribute((aligned(8)));
+ struct idletimer_tg *timer __attribute__((aligned(8)));
};
#endif
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
index 6fcd344..989092b 100644
--- a/include/linux/netfilter/xt_SECMARK.h
+++ b/include/linux/netfilter/xt_SECMARK.h
@@ -11,18 +11,12 @@
* packets are being marked for.
*/
#define SECMARK_MODE_SEL 0x01 /* SELinux */
-#define SECMARK_SELCTX_MAX 256
-
-struct xt_secmark_target_selinux_info {
- __u32 selsid;
- char selctx[SECMARK_SELCTX_MAX];
-};
+#define SECMARK_SECCTX_MAX 256
struct xt_secmark_target_info {
__u8 mode;
- union {
- struct xt_secmark_target_selinux_info sel;
- } u;
+ __u32 secid;
+ char secctx[SECMARK_SECCTX_MAX];
};
#endif /*_XT_SECMARK_H_target */
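Review bot: The memory layout of `struct xt_secmark_target_info` is preserved by this hunk (a `__u8 mode`, alignment padding, a 32-bit id at offset 4 and a 256-byte context string at offset 8, in both the old `union { struct { selsid; selctx[] } sel; } u` form and the new flat `secid`/`secctx` form), which is why the kernel's revision 0 target still matches and no revision bump is needed. That equivalence is what makes the change safe and deserves a sentence in the changelog, since header updates normally do not touch userspace-visible struct members.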
diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/linux/netfilter/xt_TCPOPTSTRIP.h
index 2db5432..342ef14 100644
--- a/include/linux/netfilter/xt_TCPOPTSTRIP.h
+++ b/include/linux/netfilter/xt_TCPOPTSTRIP.h
@@ -7,7 +7,7 @@
(((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0)
struct xt_tcpoptstrip_target_info {
- u_int32_t strip_bmap[8];
+ __u32 strip_bmap[8];
};
#endif /* _XT_TCPOPTSTRIP_H */
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
index 152e8f9..8097e0b 100644
--- a/include/linux/netfilter/xt_TPROXY.h
+++ b/include/linux/netfilter/xt_TPROXY.h
@@ -1,14 +1,21 @@
-#ifndef _XT_TPROXY_H_target
-#define _XT_TPROXY_H_target
+#ifndef _XT_TPROXY_H
+#define _XT_TPROXY_H
/* TPROXY target is capable of marking the packet to perform
* redirection. We can get rid of that whenever we get support for
* mutliple targets in the same rule. */
struct xt_tproxy_target_info {
- u_int32_t mark_mask;
- u_int32_t mark_value;
+ __u32 mark_mask;
+ __u32 mark_value;
__be32 laddr;
__be16 lport;
};
-#endif /* _XT_TPROXY_H_target */
+struct xt_tproxy_target_info_v1 {
+ __u32 mark_mask;
+ __u32 mark_value;
+ union nf_inet_addr laddr;
+ __be16 lport;
+};
+
+#endif /* _XT_TPROXY_H */
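Review bot: `struct xt_tproxy_target_info_v1` uses `union nf_inet_addr`, and both structs use `__u32`/`__be32`/`__be16`, yet unlike xt_CHECKSUM.h and xt_ipvs.h in this same patch the hunk adds no `#include <linux/types.h>` or `#include <linux/netfilter.h>`, so the header only compiles when the includer has pulled those in first (libxt_TPROXY.c does, via xtables.h). Adding the two includes keeps the header self-contained.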
diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h
index 8866826..66cfa3c 100644
--- a/include/linux/netfilter/xt_cluster.h
+++ b/include/linux/netfilter/xt_cluster.h
@@ -6,10 +6,10 @@ enum xt_cluster_flags {
};
struct xt_cluster_match_info {
- u_int32_t total_nodes;
- u_int32_t node_mask;
- u_int32_t hash_seed;
- u_int32_t flags;
+ __u32 total_nodes;
+ __u32 node_mask;
+ __u32 hash_seed;
+ __u32 flags;
};
#define XT_CLUSTER_NODES_MAX 32
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h
index 9ba54e4..7e3284b 100644
--- a/include/linux/netfilter/xt_connlimit.h
+++ b/include/linux/netfilter/xt_connlimit.h
@@ -6,10 +6,12 @@ struct xt_connlimit_data;
struct xt_connlimit_info {
union {
union nf_inet_addr mask;
+#ifndef __KERNEL__
union {
__be32 v4_mask;
__be32 v6_mask[4];
};
+#endif
};
unsigned int limit, inverse;
diff --git a/include/linux/netfilter/xt_ipvs.h b/include/linux/netfilter/xt_ipvs.h
index 1167aeb..eff34ac 100644
--- a/include/linux/netfilter/xt_ipvs.h
+++ b/include/linux/netfilter/xt_ipvs.h
@@ -1,6 +1,8 @@
#ifndef _XT_IPVS_H
#define _XT_IPVS_H
+#include <linux/types.h>
+
enum {
XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */
XT_IPVS_PROTO = 1 << 1,
diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h
index 7d53660..8555e39 100644
--- a/include/linux/netfilter/xt_physdev.h
+++ b/include/linux/netfilter/xt_physdev.h
@@ -3,6 +3,9 @@
#include <linux/types.h>
+#ifdef __KERNEL__
+#include <linux/if.h>
+#endif
#define XT_PHYSDEV_OP_IN 0x01
#define XT_PHYSDEV_OP_OUT 0x02
diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h
index d246eac..be8ead0 100644
--- a/include/linux/netfilter/xt_policy.h
+++ b/include/linux/netfilter/xt_policy.h
@@ -26,19 +26,30 @@ struct xt_policy_spec {
reqid:1;
};
+#ifndef __KERNEL__
union xt_policy_addr {
struct in_addr a4;
struct in6_addr a6;
};
+#endif
struct xt_policy_elem {
union {
+#ifdef __KERNEL__
+ struct {
+ union nf_inet_addr saddr;
+ union nf_inet_addr smask;
+ union nf_inet_addr daddr;
+ union nf_inet_addr dmask;
+ };
+#else
struct {
union xt_policy_addr saddr;
union xt_policy_addr smask;
union xt_policy_addr daddr;
union xt_policy_addr dmask;
};
+#endif
};
__be32 spi;
__u32 reqid;
diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h
index b0d28c6..8bda65f 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/linux/netfilter/xt_quota.h
@@ -9,9 +9,9 @@ enum xt_quota_flags {
struct xt_quota_priv;
struct xt_quota_info {
- u_int32_t flags;
- u_int32_t pad;
- aligned_u64 quota;
+ __u32 flags;
+ __u32 pad;
+ aligned_u64 quota;
/* Used internally by the kernel */
struct xt_quota_priv *master;
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
index a501e61..29287be 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/linux/netfilter/xt_sctp.h
@@ -66,7 +66,7 @@ struct xt_sctp_info {
#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
__sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
-static __inline__ bool
+static inline bool
__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
{
unsigned int i;
@@ -78,7 +78,7 @@ __sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
__sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
-static __inline__ bool
+static inline bool
__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n)
{
unsigned int i;
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..6f475b8
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,12 @@
+#ifndef _XT_SOCKET_H
+#define _XT_SOCKET_H
+
+enum {
+ XT_SOCKET_TRANSPARENT = 1 << 0,
+};
+
+struct xt_socket_mtinfo1 {
+ __u8 flags;
+};
+
+#endif /* _XT_SOCKET_H */
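Review bot: The new xt_socket.h uses `__u8` but includes nothing, so it depends on the includer having brought in `<linux/types.h>` beforehand; the other headers touched by this patch (xt_CHECKSUM.h, xt_ipvs.h) add that include explicitly, and this one should too.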
diff --git a/include/linux/netfilter/xt_time.h b/include/linux/netfilter/xt_time.h
index 14b6df4..b8bd456 100644
--- a/include/linux/netfilter/xt_time.h
+++ b/include/linux/netfilter/xt_time.h
@@ -2,13 +2,13 @@
#define _XT_TIME_H 1
struct xt_time_info {
- u_int32_t date_start;
- u_int32_t date_stop;
- u_int32_t daytime_start;
- u_int32_t daytime_stop;
- u_int32_t monthdays_match;
- u_int8_t weekdays_match;
- u_int8_t flags;
+ __u32 date_start;
+ __u32 date_stop;
+ __u32 daytime_start;
+ __u32 daytime_stop;
+ __u32 monthdays_match;
+ __u8 weekdays_match;
+ __u8 flags;
};
enum {
diff --git a/include/linux/netfilter/xt_u32.h b/include/linux/netfilter/xt_u32.h
index 9947f56..e8c3d87 100644
--- a/include/linux/netfilter/xt_u32.h
+++ b/include/linux/netfilter/xt_u32.h
@@ -9,13 +9,13 @@ enum xt_u32_ops {
};
struct xt_u32_location_element {
- u_int32_t number;
- u_int8_t nextop;
+ __u32 number;
+ __u8 nextop;
};
struct xt_u32_value_element {
- u_int32_t min;
- u_int32_t max;
+ __u32 min;
+ __u32 max;
};
/*
@@ -27,14 +27,14 @@ struct xt_u32_value_element {
struct xt_u32_test {
struct xt_u32_location_element location[XT_U32_MAXSIZE+1];
struct xt_u32_value_element value[XT_U32_MAXSIZE+1];
- u_int8_t nnums;
- u_int8_t nvalues;
+ __u8 nnums;
+ __u8 nvalues;
};
struct xt_u32 {
struct xt_u32_test tests[XT_U32_MAXSIZE+1];
- u_int8_t ntests;
- u_int8_t invert;
+ __u8 ntests;
+ __u8 invert;
};
#endif /* _XT_U32_H */
--
1.7.1
* [PATCH 4/5] TPROXY: add support for revision 1
From: Jan Engelhardt @ 2010-12-03 21:58 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_TPROXY.c | 193 ++++++++++++++++++++++++++++++++++++++-------
1 files changed, 165 insertions(+), 28 deletions(-)
diff --git a/extensions/libxt_TPROXY.c b/extensions/libxt_TPROXY.c
index cd0b50a..26419f5 100644
--- a/extensions/libxt_TPROXY.c
+++ b/extensions/libxt_TPROXY.c
@@ -5,6 +5,7 @@
*/
#include <getopt.h>
#include <stdbool.h>
+#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -36,27 +37,39 @@ static void tproxy_tg_help(void)
" --tproxy-mark value[/mask] Mark packets with the given value/mask\n\n");
}
-static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_lport(const char *s, uint16_t *portp)
{
unsigned int lport;
if (xtables_strtoui(s, NULL, &lport, 0, UINT16_MAX))
- info->lport = htons(lport);
+ *portp = htons(lport);
else
xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-port", s);
}
-static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_laddr(const char *s, union nf_inet_addr *addrp,
+ unsigned int nfproto)
{
- struct in_addr *laddr;
+ struct in6_addr *laddr6 = NULL;
+ struct in_addr *laddr4 = NULL;
- if ((laddr = xtables_numeric_to_ipaddr(s)) == NULL)
- xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
-
- info->laddr = laddr->s_addr;
+ if (nfproto == NFPROTO_IPV6) {
+ laddr6 = xtables_numeric_to_ip6addr(s);
+ if (laddr6 == NULL)
+ goto out;
+ addrp->in6 = *laddr6;
+ } else if (nfproto == NFPROTO_IPV4) {
+ laddr4 = xtables_numeric_to_ipaddr(s);
+ if (laddr4 == NULL)
+ goto out;
+ addrp->in = *laddr4;
+ }
+ return;
+ out:
+ xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
}
-static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_mark(char *s, uint32_t *markp, uint32_t *maskp)
{
unsigned int value, mask = UINT32_MAX;
char *end;
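Review bot: In `parse_tproxy_laddr`, an `nfproto` that is neither `NFPROTO_IPV4` nor `NFPROTO_IPV6` falls through to `return;` without writing `*addrp` or reporting anything, so the rule would keep whatever the zeroed target data held as its address. The callers in this patch always pass one of the two values, but turning the second `else if` into an `else` that jumps to `out` (or calls `xtables_error(PARAMETER_PROBLEM, ...)`) would make a future mistake a visible error instead of a silent all-zero address.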
@@ -69,32 +82,32 @@ static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
if (*end != '\0')
xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
- info->mark_mask = mask;
- info->mark_value = value;
+ *markp = value;
+ *maskp = mask;
}
static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
- struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data;
+ struct xt_tproxy_target_info *info = (void *)(*target)->data;
switch (c) {
case '1':
xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
- parse_tproxy_lport(optarg, tproxyinfo);
+ parse_tproxy_lport(optarg, &info->lport);
*flags |= PARAM_ONPORT;
return 1;
case '2':
xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
- parse_tproxy_laddr(optarg, tproxyinfo);
+ parse_tproxy_laddr(optarg, (void *)&info->laddr, NFPROTO_IPV4);
*flags |= PARAM_ONIP;
return 1;
case '3':
xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
- parse_tproxy_mark(optarg, tproxyinfo);
+ parse_tproxy_mark(optarg, &info->mark_value, &info->mark_mask);
*flags |= PARAM_MARK;
return 1;
}
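Review bot: `parse_tproxy_laddr(optarg, (void *)&info->laddr, NFPROTO_IPV4)` hands the revision 0 `__be32 laddr` to a function that takes `union nf_inet_addr *`; this is only safe because the IPv4 branch writes just `addrp->in` (4 bytes) and `in` sits at offset 0 of the union, whereas the union itself is 16 bytes, so any future change that writes the whole union from the IPv4 path would overrun the revision 0 struct. A comment at this call site, or a `struct in_addr *` out-parameter for the IPv4 case with `&addrp->in` passed from the v1 path, would make the contract explicit.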
@@ -102,6 +115,49 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
return 0;
}
+static int
+tproxy_tg_parse1(int c, char **argv, int invert, unsigned int *flags,
+ struct xt_tproxy_target_info_v1 *info, unsigned int nfproto)
+{
+ switch (c) {
+ case '1':
+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
+ parse_tproxy_lport(optarg, &info->lport);
+ *flags |= PARAM_ONPORT;
+ return true;
+ case '2':
+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
+ parse_tproxy_laddr(optarg, (void *)&info->laddr, nfproto);
+ *flags |= PARAM_ONIP;
+ return true;
+ case '3':
+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
+ parse_tproxy_mark(optarg, &info->mark_value, &info->mark_mask);
+ *flags |= PARAM_MARK;
+ return true;
+ }
+ return false;
+}
+
+static int
+tproxy_tg_parse4(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tproxy_target_info_v1 *info = (void *)(*target)->data;
+ return tproxy_tg_parse1(c, argv, invert, flags, info, NFPROTO_IPV4);
+}
+
+static int
+tproxy_tg_parse6(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tproxy_target_info_v1 *info = (void *)(*target)->data;
+ return tproxy_tg_parse1(c, argv, invert, flags, info, NFPROTO_IPV6);
+}
+
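Review bot: `tproxy_tg_parse1` is declared `static int` but returns `true`/`false`; since it is not itself registered as an xtables callback (unlike `tproxy_tg_parse4`/`tproxy_tg_parse6`, whose `int` return type is dictated by `.parse`), it can be `static bool` now that `<stdbool.h>` is included. Its three cases also repeat `tproxy_tg_parse` line for line; if the helper took pointers to the `lport`, `laddr` and `mark_*` fields instead of the v1 struct, the revision 0 parser could use it as well.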
static void tproxy_tg_check(unsigned int flags)
{
if (!(flags & PARAM_ONPORT))
@@ -119,6 +175,32 @@ static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target
(unsigned int)info->mark_mask);
}
+static void
+tproxy_tg_print4(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tproxy_target_info_v1 *info =
+ (const void *)target->data;
+
+ printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
+ xtables_ipaddr_to_numeric(&info->laddr.in),
+ ntohs(info->lport), (unsigned int)info->mark_value,
+ (unsigned int)info->mark_mask);
+}
+
+static void
+tproxy_tg_print6(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tproxy_target_info_v1 *info =
+ (const void *)target->data;
+
+ printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
+ xtables_ip6addr_to_numeric(&info->laddr.in6),
+ ntohs(info->lport), (unsigned int)info->mark_value,
+ (unsigned int)info->mark_mask);
+}
+
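Review bot: `tproxy_tg_print4` and `tproxy_tg_print6` ignore the `numeric` argument and differ from `tproxy_tg_save4`/`tproxy_tg_save6` only in the surrounding text; patch 5/5 of this series has `socket_mt_print` print its prefix and then call `socket_mt_save`, and the same pattern here would remove the duplicated address/port/mark formatting.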
static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_tproxy_target_info *info = (const void *)target->data;
@@ -130,21 +212,76 @@ static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
(unsigned int)info->mark_value, (unsigned int)info->mark_mask);
}
-static struct xtables_target tproxy_tg_reg = {
- .name = "TPROXY",
- .family = NFPROTO_IPV4,
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
- .help = tproxy_tg_help,
- .parse = tproxy_tg_parse,
- .final_check = tproxy_tg_check,
- .print = tproxy_tg_print,
- .save = tproxy_tg_save,
- .extra_opts = tproxy_tg_opts,
+static void
+tproxy_tg_save4(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tproxy_target_info_v1 *info;
+
+ info = (const void *)target->data;
+ printf("--on-port %u ", ntohs(info->lport));
+ printf("--on-ip %s ", xtables_ipaddr_to_numeric(&info->laddr.in));
+ printf("--tproxy-mark 0x%x/0x%x ",
+ (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
+}
+
+static void
+tproxy_tg_save6(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tproxy_target_info_v1 *info;
+
+ info = (const void *)target->data;
+ printf("--on-port %u ", ntohs(info->lport));
+ printf("--on-ip %s ", xtables_ip6addr_to_numeric(&info->laddr.in6));
+ printf("--tproxy-mark 0x%x/0x%x ",
+ (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
+}
+
+static struct xtables_target tproxy_tg_reg[] = {
+ {
+ .name = "TPROXY",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
+ .help = tproxy_tg_help,
+ .parse = tproxy_tg_parse,
+ .final_check = tproxy_tg_check,
+ .print = tproxy_tg_print,
+ .save = tproxy_tg_save,
+ .extra_opts = tproxy_tg_opts,
+ },
+ {
+ .name = "TPROXY",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+ .help = tproxy_tg_help,
+ .parse = tproxy_tg_parse4,
+ .final_check = tproxy_tg_check,
+ .print = tproxy_tg_print4,
+ .save = tproxy_tg_save4,
+ .extra_opts = tproxy_tg_opts,
+ },
+ {
+ .name = "TPROXY",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+ .help = tproxy_tg_help,
+ .parse = tproxy_tg_parse6,
+ .final_check = tproxy_tg_check,
+ .print = tproxy_tg_print6,
+ .save = tproxy_tg_save6,
+ .extra_opts = tproxy_tg_opts,
+ },
};
void _init(void)
{
- xtables_register_target(&tproxy_tg_reg);
+ xtables_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
}
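Review bot: The changelog is empty apart from the Signed-off-by, yet this hunk registers a second `NFPROTO_IPV4` entry with `.revision = 1` next to the existing revision 0 and a new `NFPROTO_IPV6` entry, all sharing `tproxy_tg_help` and `tproxy_tg_check`; the commit message should say that revision 1 (`struct xt_tproxy_target_info_v1` with `union nf_inet_addr laddr`) is what enables the ip6tables variant and that revision 0 stays as the fallback for kernels without it. The diffstat touches only extensions/libxt_TPROXY.c, so the TPROXY manual page is not updated and still gives no hint that `--on-ip` accepts an IPv6 address under ip6tables.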
--
1.7.1
* [PATCH 5/5] socket: add support for revision 1
From: Jan Engelhardt @ 2010-12-03 21:58 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_socket.c | 76 +++++++++++++++++++++++++++++++++++++++----
extensions/libxt_socket.man | 3 ++
2 files changed, 72 insertions(+), 7 deletions(-)
diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index 1490473..e4dff78 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -3,17 +3,79 @@
*
* Copyright (C) 2007 BalaBit IT Ltd.
*/
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
#include <xtables.h>
+#include <linux/netfilter/xt_socket.h>
-static struct xtables_match socket_mt_reg = {
- .name = "socket",
- .version = XTABLES_VERSION,
- .family = NFPROTO_IPV4,
- .size = XT_ALIGN(0),
- .userspacesize = XT_ALIGN(0),
+static const struct option socket_mt_opts[] = {
+ {.name = "transparent", .has_arg = false, .val = 't'},
+ XT_GETOPT_TABLEEND,
+};
+
+static void socket_mt_help(void)
+{
+ printf(
+ "socket match options:\n"
+ " --transparent Ignore non-transparent sockets\n\n");
+}
+
+static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_socket_mtinfo1 *info = (void *)(*match)->data;
+
+ switch (c) {
+ case 't':
+ info->flags |= XT_SOCKET_TRANSPARENT;
+ return true;
+ }
+ return false;
+}
+
+static void
+socket_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_socket_mtinfo1 *info = (const void *)match->data;
+
+ if (info->flags & XT_SOCKET_TRANSPARENT)
+ printf("--transparent ");
+}
+
+static void
+socket_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ printf("socket ");
+ socket_mt_save(ip, match);
+}
+
+static struct xtables_match socket_mt_reg[] = {
+ {
+ .name = "socket",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(0),
+ .userspacesize = XT_ALIGN(0),
+ },
+ {
+ .name = "socket",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+ .help = socket_mt_help,
+ .parse = socket_mt_parse,
+ .print = socket_mt_print,
+ .save = socket_mt_save,
+ .extra_opts = socket_mt_opts,
+ },
};
void _init(void)
{
- xtables_register_match(&socket_mt_reg);
+ xtables_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
}
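Review bot: `socket_mt_parse` ignores `invert`, so `! --transparent` is accepted silently and behaves exactly like `--transparent`; the TPROXY parser in patch 4/5 rejects inversion with `xtables_param_act(XTF_NO_INVERT, ...)`, and the same call belongs in the `'t'` case here (an `XTF_ONLY_ONCE` check is optional since the flag is OR-ed in). The revision 1 entry is `NFPROTO_UNSPEC` while revision 0 stays `NFPROTO_IPV4`; the changelog, empty here, should state that revision 1 is what makes the match usable from ip6tables.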
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c8854..41e8d67 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,5 @@
This matches if an open socket can be found by doing a socket lookup on the
packet.
+.TP
+\fB\-\-transparent\fP
+Ignore non-transparent sockets.
--
1.7.1
* Re: iptables: options, tproxy
From: Patrick McHardy @ 2010-12-15 22:37 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
On 03.12.2010 22:58, Jan Engelhardt wrote:
> git://dev.medozas.de/iptables master
Pulled, thanks a lot Jan.