From 9b198fe6e7c7d834fc224eddce46299d251866f9 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Sun, 5 Apr 2009 10:37:05 +0200
Subject: [PATCH 01/16] iface: import version 20081029
---
 extensions/Kbuild | 1 +
 extensions/Mbuild | 1 +
 extensions/libxt_iface.c | 254 +++++++++++++++++++++++++++++++++++++
 extensions/libxt_iface.man | 52 ++++++++
 extensions/xt_iface.c | 138 ++++++++++++++++++++
 extensions/xt_iface.h | 46 +++++++
 mconfig | 1 +
 7 files changed, 493 insertions(+)
 create mode 100644 extensions/libxt_iface.c
 create mode 100644 extensions/libxt_iface.man
 create mode 100644 extensions/xt_iface.c
 create mode 100644 extensions/xt_iface.h
diff --git a/extensions/Kbuild b/extensions/Kbuild
index b6de614..a323858 100644
--- a/extensions/Kbuild
+++ b/extensions/Kbuild
@@ -18,6 +18,7 @@ obj-${build_TEE} += xt_TEE.o
 obj-${build_condition} += xt_condition.o
 obj-${build_fuzzy} += xt_fuzzy.o
 obj-${build_geoip} += xt_geoip.o
+obj-${build_iface} += xt_iface.o
 obj-${build_ipp2p} += xt_ipp2p.o
 obj-${build_ipset} += ipset/
 obj-${build_ipv4options} += xt_ipv4options.o
diff --git a/extensions/Mbuild b/extensions/Mbuild
index 8c90683..0941640 100644
--- a/extensions/Mbuild
+++ b/extensions/Mbuild
@@ -11,6 +11,7 @@ obj-${build_TEE} += libxt_TEE.so
 obj-${build_condition} += libxt_condition.so
 obj-${build_fuzzy} += libxt_fuzzy.so
 obj-${build_geoip} += libxt_geoip.so
+obj-${build_iface} += libxt_iface.so
 obj-${build_ipp2p} += libxt_ipp2p.so
 obj-${build_ipset} += ipset/
 obj-${build_ipv4options} += libxt_ipv4options.so
diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c
new file mode 100644
index 0000000..5f4e75b
--- /dev/null
+++ b/extensions/libxt_iface.c
@@ -0,0 +1,254 @@
+/*
+ * Shared library add-on to iptables to add interface state matching
+ * support.
+ *
+ * (C) 2008 Gáspár Lajos
+ *
+ * This program is released under the terms of GNU GPL version 2.
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include "xt_iface.h"
+
+static struct option iface_mt_opts[] = {
+ {.name = "iface", .has_arg = true, .flag = 0, .val = 'i'},
+ {.name = "up", .has_arg = false, .flag = 0, .val = 'u'},
+ {.name = "down", .has_arg = false, .flag = 0, .val = 'U'}, /* not up */
+ {.name = "broadcast", .has_arg = false, .flag = 0, .val = 'b'},
+ {.name = "loopback", .has_arg = false, .flag = 0, .val = 'l'},
+ {.name = "pointopoint", .has_arg = false, .flag = 0, .val = 'p'},
+ {.name = "pointtopoint",.has_arg = false, .flag = 0, .val = 'p'}, /* eq pointopoint */
+ {.name = "running", .has_arg = false, .flag = 0, .val = 'r'},
+ {.name = "noarp", .has_arg = false, .flag = 0, .val = 'n'},
+ {.name = "arp", .has_arg = false, .flag = 0, .val = 'N'}, /* not noarp */
+ {.name = "promisc", .has_arg = false, .flag = 0, .val = 'o'},
+ {.name = "promiscous", .has_arg = false, .flag = 0, .val = 'o'}, /* eq promisc */
+ {.name = "multicast", .has_arg = false, .flag = 0, .val = 'm'},
+ {.name = "dynamic", .has_arg = false, .flag = 0, .val = 'd'},
+ {.name = "lower_up", .has_arg = false, .flag = 0, .val = 'w'},
+ {.name = "dormant", .has_arg = false, .flag = 0, .val = 'a'},
+ {.name = NULL},
+};
+
+static void iface_print_opt(const struct xt_iface_mtinfo *info,
+ const unsigned int option, const char *command)
+{
+ DEBUGP("print_option... %s", command);
+ if (info->flags & option)
+ printf(" %s", command);
+ if (info->invflags & option)
+ printf(" ! %s", command);
+}
+
+static void iface_setflag(struct xt_iface_mtinfo *info,
+ unsigned int *flags, int invert, u_int16_t flag, const char *command)
+{
+ DEBUGP("setflag... %s", command);
+ if (*flags & flag)
+ xtables_error(PARAMETER_PROBLEM,
+ "iface: \"--%s\" flag already specified", command);
+ if (invert)
+ info->invflags |= flag;
+ else
+ info->flags |= flag;
+ *flags |= flag;
+}
+
+static bool iface_valid_name(const char *name)
+{
+ char invalid_chars[] = ".+!*";
+
+ DEBUGP("valid_interface_name... %d %d", strcspn(name, invalid_chars), strlen(name));
+ return !((strlen(name) >= IFNAMSIZ) || (strcspn(name, invalid_chars) != strlen(name)));
+}
+
+static void iface_mt_help(void)
+{
+ printf(
+ _MODULE_NAME " match v%s rev:%#2x options:\n"
+ " --iface interface\t\tName of interface\n"
+ "[!] --up\n"
+ "[!] --down\t\t\tmatch if UP flag (not) set\n"
+ "[!] --broadcast\t\tmatch if BROADCAST flag (not) set\n"
+ "[!] --loopback\t\t\tmatch if LOOPBACK flag (not) set\n"
+ "[!] --pointopoint\n"
+ "[!] --pointtopoint\t\tmatch if POINTOPOINT flag (not) set\n"
+ "[!] --running\t\t\tmatch if RUNNING flag (not) set\n"
+ "[!] --noarp\n"
+ "[!] --arp\t\t\tmatch if NOARP flag (not) set\n"
+ "[!] --promisc\n"
+ "[!] --promiscous\t\tmatch if PROMISC flag (not) set\n"
+ "[!] --multicast\t\tmatch if MULTICAST flag (not) set\n"
+ "[!] --dynamic\t\t\tmatch if DYNAMIC flag (not) set\n"
+ "[!] --lower_up\t\t\tmatch if LOWER_UP flag (not) set\n"
+ "[!] --dormant\t\t\tmatch if DORMANT flag (not) set\n",
+ XTABLES_VERSION, _MODULE_REVISION);
+}
+
+static void iface_mt_init(struct xt_entry_match *m)
+{
+ DEBUGP("init...");
+}
+
+static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ DEBUGP("parse... c:%c invert:%x", c, invert);
+ struct xt_iface_mtinfo *info = (void *)(*match)->data;
+
+ switch (c) {
+ case 'U':
+ c = 'u';
+ invert = !invert;
+ break;
+ case 'N':
+ c = 'n';
+ invert = !invert;
+ break;
+ }
+
+ switch (c) {
+ case 'i': /* interface name */
+ if (*flags & XT_IFACE_IFACE)
+ xtables_error(PARAMETER_PROBLEM,
+ "iface: Interface name already specified");
+ if (!iface_valid_name(optarg))
+ xtables_error(PARAMETER_PROBLEM,
+ "iface: Invalid interface name!");
+ strcpy(info->ifname, optarg);
+ *flags |= XT_IFACE_IFACE;
+ return 1;
+ case 'u': /* UP */
+ iface_setflag(info, flags, invert, XT_IFACE_UP, "up");
+ return 1;
+ case 'b': /* BROADCAST */
+ iface_setflag(info, flags, invert, XT_IFACE_BROADCAST, "broadcast");
+ return 1;
+ case 'l': /* LOOPBACK */
+ iface_setflag(info, flags, invert, XT_IFACE_LOOPBACK, "loopback");
+ return 1;
+ case 'p': /* POINTOPOINT */
+ iface_setflag(info, flags, invert, XT_IFACE_POINTOPOINT, "pointopoint");
+ return 1;
+ case 'r': /* RUNNING */
+ iface_setflag(info, flags, invert, XT_IFACE_RUNNING, "running");
+ return 1;
+ case 'n': /* NOARP */
+ iface_setflag(info, flags, invert, XT_IFACE_NOARP, "noarp");
+ return 1;
+ case 'o': /* PROMISC */
+ iface_setflag(info, flags, invert, XT_IFACE_PROMISC, "promisc");
+ return 1;
+ case 'm': /* MULTICAST */
+ iface_setflag(info, flags, invert, XT_IFACE_MULTICAST, "multicast");
+ return 1;
+ case 'd': /* DYNAMIC */
+ iface_setflag(info, flags, invert, XT_IFACE_DYNAMIC, "dynamic");
+ return 1;
+ case 'w': /* LOWER_UP */
+ iface_setflag(info, flags, invert, XT_IFACE_LOWER_UP, "lower_up");
+ return 1;
+ case 'a': /* DORMANT */
+ iface_setflag(info, flags, invert, XT_IFACE_DORMANT, "dormant");
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+static void iface_mt_check(unsigned int flags)
+{
+ DEBUGP("final_check...");
+ if (!(flags & XT_IFACE_IFACE))
+ xtables_error(PARAMETER_PROBLEM,
+ "iface: You must specify an interface");
+ if ((flags == 0) || (flags == XT_IFACE_IFACE))
+ xtables_error(PARAMETER_PROBLEM,
+ "iface: You must specify at least one option");
+}
+
+static void iface_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ DEBUGP("print...");
+ const struct xt_iface_mtinfo *info = (const void *)match->data;
+
+ printf("iface: \"%s\" [state:", info->ifname);
+ iface_print_opt(info, XT_IFACE_UP, "up");
+ iface_print_opt(info, XT_IFACE_BROADCAST, "broadcast");
+ iface_print_opt(info, XT_IFACE_LOOPBACK, "loopback");
+ iface_print_opt(info, XT_IFACE_POINTOPOINT, "pointopoint");
+ iface_print_opt(info, XT_IFACE_RUNNING, "running");
+ iface_print_opt(info, XT_IFACE_NOARP, "noarp");
+ iface_print_opt(info, XT_IFACE_PROMISC, "promisc");
+ iface_print_opt(info, XT_IFACE_MULTICAST, "multicast");
+ iface_print_opt(info, XT_IFACE_DYNAMIC, "dynamic");
+ iface_print_opt(info, XT_IFACE_LOWER_UP, "lower_up");
+ iface_print_opt(info, XT_IFACE_DORMANT, "dormant");
+ printf("] ");
+}
+
+static void iface_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ DEBUGP("save...");
+ const struct xt_iface_mtinfo *info = (const void *)match->data;
+
+ printf(" --iface %s", info->ifname);
+ iface_print_opt(info, XT_IFACE_UP, "--up");
+ iface_print_opt(info, XT_IFACE_BROADCAST, "--broadcast");
+ iface_print_opt(info, XT_IFACE_LOOPBACK, "--loopback");
+ iface_print_opt(info, XT_IFACE_POINTOPOINT, "--pointopoint");
+ iface_print_opt(info, XT_IFACE_RUNNING, "--running");
+ iface_print_opt(info, XT_IFACE_NOARP, "--noarp");
+ iface_print_opt(info, XT_IFACE_PROMISC, "--promisc");
+ iface_print_opt(info, XT_IFACE_MULTICAST, "--multicast");
+ iface_print_opt(info, XT_IFACE_DYNAMIC, "--dynamic");
+ iface_print_opt(info, XT_IFACE_LOWER_UP, "--lower_up");
+ iface_print_opt(info, XT_IFACE_DORMANT, "--dormant");
+ printf(" ");
+}
+
+static struct xtables_match iface_mt_reg = {
+ .version = XTABLES_VERSION,
+ .name = _MODULE_NAME,
+ .revision = _MODULE_REVISION,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+ .help = iface_mt_help,
+ .init = iface_mt_init,
+ .parse = iface_mt_parse,
+ .final_check = iface_mt_check,
+ .print = iface_mt_print,
+ .save = iface_mt_save,
+ .extra_opts = iface_mt_opts,
+};
+
+static struct xtables_match iface_mt6_reg = {
+ .version = XTABLES_VERSION,
+ .name = _MODULE_NAME,
+ .revision = _MODULE_REVISION,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+ .help = iface_mt_help,
+ .init = iface_mt_init,
+ .parse = iface_mt_parse,
+ .final_check = iface_mt_check,
+ .print = iface_mt_print,
+ .save = iface_mt_save,
+ .extra_opts = iface_mt_opts,
+};
+
+static void _init(void)
+{
+ DEBUGP("_init...");
+ xtables_register_match(&iface_mt_reg);
+ xtables_register_match(&iface_mt6_reg);
+}
diff --git a/extensions/libxt_iface.man b/extensions/libxt_iface.man
new file mode 100644
index 0000000..40f70e3
--- /dev/null
+++ b/extensions/libxt_iface.man
@@ -0,0 +1,52 @@
+Allows you to check interface states.
+
+.TP
+.BI "--iface " "interface"
+Check the states on "interface". Required.
+.TP
+.B [!] --up
+Check the UP flag.
+.TP
+.B [!] --down
+Not --up.
+.TP
+.B "[!] --broadcast"
+Check the BROADCAST flag.
+.TP
+.B "[!] --loopback"
+Check the LOOPBACK flag.
+.TP
+.B "[!] --pointopoint"
+Check the POINTOPOINT flag.
+.TP
+.B "[!] --pointtopoint"
+Same as --pointopoint.
+.TP
+.B [!] --running
+Check the RUNNING flag. Do NOT relay on it!
+.TP
+.B [!] --noarp
+Check the NOARP flag.
+.TP
+.B [!] --arp
+Not --noarp.
+.TP
+.B [!] --promisc
+Check the PROMISC flag.
+.TP
+.B [!] --promiscous
+Same as --promisc.
+.TP
+.B [!] --multicast
+Check the MULTICAST flag.
+.TP
+.B [!] --dynamic
+Check the DYNAMIC flag.
+.TP
+.B [!] --lower_up
+Check the LOWER_UP flag.
+.TP
+.B [!] --dormant
+Check the DORMANT flag.
+
+For more information see the \fIif.h\fP header file in the kernel source.
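Review bot: `iface_valid_name` treats `.` as an invalid character, so names such as `eth0.100` (the usual form for VLAN sub-interfaces, which the kernel accepts as device names) are rejected with "Invalid interface name!" although the kernel side looks the name up verbatim; the `strlen(name) >= IFNAMSIZ` bound is what keeps the following `strcpy(info->ifname, optarg)` in range, so only the character set needs revisiting, e.g. `char invalid_chars[] = "+!*";` with a comment that `+` is excluded because this match does no wildcard expansion. Patches 04, 05 and 10 in this series restyle the function but keep the same set, so the point applies there too. An empty `--iface ""` also passes the check and produces a rule that can never match; rejecting `strlen(name) == 0` alongside the length bound would surface that at rule-load time. In `iface_mt_check` the `flags == 0` test is unreachable, since the preceding check already errors whenever XT_IFACE_IFACE is unset; `if (flags == XT_IFACE_IFACE)` says the same thing more plainly.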
diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c
new file mode 100644
index 0000000..8f9f51b
--- /dev/null
+++ b/extensions/xt_iface.c
@@ -0,0 +1,138 @@
+/*
+ * xt_iface - kernel module to match interface state flags
+ *
+ * Original author: Gáspár Lajos
+ */
+
+#define _KERNEL 1
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include "xt_iface.h"
+
+MODULE_AUTHOR("Gáspár Lajos ");
+MODULE_DESCRIPTION("Xtables: iface match module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_iface");
+MODULE_ALIAS("ip6t_iface");
+//MODULE_ALIAS("arpt_iface");
+
+static struct xt_iface_flag_pairs xt_iface_lookup[XT_IFACE_FLAGCOUNT] =
+{
+ {.iface_flag = XT_IFACE_UP, .iff_flag = IFF_UP},
+ {.iface_flag = XT_IFACE_BROADCAST, .iff_flag = IFF_BROADCAST},
+ {.iface_flag = XT_IFACE_LOOPBACK, .iff_flag = IFF_LOOPBACK},
+ {.iface_flag = XT_IFACE_POINTOPOINT, .iff_flag = IFF_POINTOPOINT},
+ {.iface_flag = XT_IFACE_RUNNING, .iff_flag = IFF_RUNNING},
+ {.iface_flag = XT_IFACE_NOARP, .iff_flag = IFF_NOARP},
+ {.iface_flag = XT_IFACE_PROMISC, .iff_flag = IFF_PROMISC},
+ {.iface_flag = XT_IFACE_MULTICAST, .iff_flag = IFF_MULTICAST},
+ {.iface_flag = XT_IFACE_DYNAMIC, .iff_flag = IFF_DYNAMIC},
+ {.iface_flag = XT_IFACE_LOWER_UP, .iff_flag = IFF_LOWER_UP},
+ {.iface_flag = XT_IFACE_DORMANT, .iff_flag = IFF_DORMANT},
+};
+
+static bool xt_iface_mt(const struct sk_buff *skb,
+ const struct xt_match_param *par)
+{
+ const struct xt_iface_mtinfo *info = par->matchinfo;
+ struct net_device *dev;
+ bool retval;
+ int i;
+ DEBUGP("match...");
+ DEBUGP("Interface: %s", info->ifname);
+ retval =
+ ((dev = dev_get_by_name(&init_net, info->ifname)) != NULL);
+ if (retval) {
+#if DEBUG
+ DEBUGP("dev->flags: %#8x", dev->flags);
+ if (dev->flags & IFF_UP)
+ DEBUGP(" %#8x (UP)", IFF_UP);
+ if (dev->flags & IFF_BROADCAST)
+ DEBUGP(" %#8x (BROADCAST)", IFF_BROADCAST);
+ if (dev->flags & IFF_LOOPBACK)
+ DEBUGP(" %#8x (LOOPBACK)", IFF_LOOPBACK);
+ if (dev->flags & IFF_POINTOPOINT)
+ DEBUGP(" %#8x (POINTOPOINT)", IFF_POINTOPOINT);
+ if (dev->flags & IFF_RUNNING)
+ DEBUGP(" %#8x (RUNNING)", IFF_RUNNING);
+ if (dev->flags & IFF_NOARP)
+ DEBUGP(" %#8x (NOARP)", IFF_NOARP);
+ if (dev->flags & IFF_PROMISC)
+ DEBUGP(" %#8x (PROMISC)", IFF_PROMISC);
+ if (dev->flags & IFF_MULTICAST)
+ DEBUGP(" %#8x (MULTICAST)", IFF_MULTICAST);
+ if (dev->flags & IFF_DYNAMIC)
+ DEBUGP(" %#8x (DYNAMIC)", IFF_DYNAMIC);
+ if (dev->flags & IFF_LOWER_UP)
+ DEBUGP(" %#8x (LOWER_UP)", IFF_LOWER_UP);
+ if (dev->flags & IFF_DORMANT)
+ DEBUGP(" %#8x (DORMANT)", IFF_DORMANT);
+#endif
+ for (i=0; (iflags & xt_iface_lookup[i].iface_flag)
+ retval = retval && (dev->flags & xt_iface_lookup[i].iff_flag);
+ if (info->invflags & xt_iface_lookup[i].iface_flag)
+ retval = retval && !(dev->flags & xt_iface_lookup[i].iff_flag);
+ }
+ dev_put(dev);
+ }
+ return retval;
+}
+
+static bool xt_iface_mt_check(const struct xt_mtchk_param *par)
+{
+ DEBUGP("checkentry...");
+ return true;
+}
+
+static void xt_iface_mt_destroy(const struct xt_mtdtor_param *par)
+{
+ DEBUGP("destroy...");
+}
+
+static struct xt_match xt_iface_mt_reg[] __read_mostly = {
+ {
+ .name = _MODULE_NAME,
+ .revision = _MODULE_REVISION,
+ .family = AF_INET,
+ .matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+ .match = xt_iface_mt,
+ .checkentry = xt_iface_mt_check,
+ .destroy = xt_iface_mt_destroy,
+ .data = 0,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = _MODULE_NAME,
+ .revision = _MODULE_REVISION,
+ .family = AF_INET6,
+ .matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+ .match = xt_iface_mt,
+ .checkentry = xt_iface_mt_check,
+ .destroy = xt_iface_mt_destroy,
+ .data = 0,
+ .me = THIS_MODULE,
+ },
+};
+
+static int __init xt_iface_match_init(void)
+{
+ DEBUGP("init...\n");
+ return xt_register_matches(xt_iface_mt_reg,
+ ARRAY_SIZE(xt_iface_mt_reg));
+}
+
+static void __exit xt_iface_match_exit(void)
+{
+ DEBUGP("exit...\n");
+ xt_unregister_matches(xt_iface_mt_reg, ARRAY_SIZE(xt_iface_mt_reg));
+}
+
+module_init(xt_iface_match_init);
+module_exit(xt_iface_match_exit);
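Review bot: `xt_iface_mt_check` returns true unconditionally, so the kernel side never verifies that `info->ifname` holds a terminating NUL within IFNAMSIZ or that `flags`/`invflags` only carry bits present in `xt_iface_lookup`; the data does come from a privileged rule loader, but checkentry is the conventional place to reject a malformed entry with an error instead of letting it silently never match, e.g. `if (memchr(info->ifname, '\0', sizeof(info->ifname)) == NULL) return false;` plus a mask test on the two flag words. The device lookup in `xt_iface_mt` is pinned to `&init_net`, so a rule loaded inside another network namespace inspects the initial namespace's device of that name rather than the one the packet traverses — if that is intended, a comment on the `dev_get_by_name` line should say so. That call and the matching `dev_put` also take and release a device reference on every packet, which is worth a comment about the per-packet cost on the match path. The `for (i=0; ...` loop header is garbled in this rendering of the patch, so its bound and termination condition cannot be checked here.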
diff --git a/extensions/xt_iface.h b/extensions/xt_iface.h
new file mode 100644
index 0000000..1eed85f
--- /dev/null
+++ b/extensions/xt_iface.h
@@ -0,0 +1,46 @@
+#ifndef _LINUX_NETFILTER_XT_IFACE_H
+#define _LINUX_NETFILTER_XT_IFACE_H 1
+
+#define DEBUG 0
+#define _MODULE_NAME "iface"
+#define _MODULE_REVISION 0
+
+#if DEBUG
+#if _KERNEL
+#define DEBUGP(format, args...) printk(KERN_INFO "xt_"_MODULE_NAME": "format"\n", ##args)
+#else
+#define DEBUGP(format, args...) printf("# DEBUG: libxt_"_MODULE_NAME": "format"\n", ##args)
+#endif
+#else
+#define DEBUGP(format, args...)
+#endif
+
+#define XT_IFACE_FLAGCOUNT 11
+
+enum {
+ XT_IFACE_UP = 1 << 0,
+ XT_IFACE_BROADCAST = 1 << 1,
+ XT_IFACE_LOOPBACK = 1 << 2,
+ XT_IFACE_POINTOPOINT = 1 << 3,
+ XT_IFACE_RUNNING = 1 << 4,
+ XT_IFACE_NOARP = 1 << 5,
+ XT_IFACE_PROMISC = 1 << 6,
+ XT_IFACE_MULTICAST = 1 << 7,
+ XT_IFACE_DYNAMIC = 1 << 8,
+ XT_IFACE_LOWER_UP = 1 << 9,
+ XT_IFACE_DORMANT = 1 << 10,
+ XT_IFACE_IFACE = 1 << 15,
+};
+
+struct xt_iface_flag_pairs {
+ u_int16_t iface_flag;
+ u_int32_t iff_flag;
+};
+
+struct xt_iface_mtinfo {
+ char ifname[IFNAMSIZ];
+ u_int16_t flags;
+ u_int16_t invflags;
+};
+
+#endif
diff --git a/mconfig b/mconfig
index ac7e135..1b916ec 100644
--- a/mconfig
+++ b/mconfig
@@ -13,6 +13,7 @@ build_TEE=m
 build_condition=m
 build_fuzzy=m
 build_geoip=m
+build_iface=m
 build_ipp2p=m
 build_ipset=m
 build_ipv4options=m
From af5823b4072ecbfd3a6b05b9d1553d61a471f233 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Sun, 5 Apr 2009 10:50:45 +0200
Subject: [PATCH 02/16] iface: remove redundant functions
---
 extensions/libxt_iface.c | 7 -------
 extensions/xt_iface.c | 15 ---------------
 2 files changed, 22 deletions(-)
diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c
index 5f4e75b..10e093f 100644
--- a/extensions/libxt_iface.c
+++ b/extensions/libxt_iface.c
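Review bot: `struct xt_iface_mtinfo` in xt_iface.h is the kernel/user ABI for this match, yet it is declared with the libc names `u_int16_t`/`u_int32_t` and uses IFNAMSIZ without including a header that provides either, so the header compiles only when the right includes happen to precede it; Xtables ABI headers conventionally use `__u16`/`__u32` from `<linux/types.h>` and include what they need. `#define DEBUG 0` is an unconditional definition in a header both the kernel module and the userspace library include — kernel code that tests `#ifdef DEBUG` (the `pr_debug` convention) would see it as defined despite the zero value — although patch 03 of this series drops the DEBUG/DEBUGP block again. `_MODULE_NAME` and `_MODULE_REVISION` (leading underscore followed by an uppercase letter) sit in the identifier space reserved for the implementation; patch 08 removes them.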
@@ -91,11 +91,6 @@ static void iface_mt_help(void) XTABLES_VERSION, _MODULE_REVISION); } -static void iface_mt_init(struct xt_entry_match *m) -{ - DEBUGP("init..."); -} - static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_match **match) { @@ -222,7 +217,6 @@ static struct xtables_match iface_mt_reg = { .size = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .userspacesize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .help = iface_mt_help, - .init = iface_mt_init, .parse = iface_mt_parse, .final_check = iface_mt_check, .print = iface_mt_print, @@ -238,7 +232,6 @@ static struct xtables_match iface_mt6_reg = { .size = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .userspacesize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .help = iface_mt_help, - .init = iface_mt_init, .parse = iface_mt_parse, .final_check = iface_mt_check, .print = iface_mt_print, diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c index 8f9f51b..c7511d9 100644 --- a/extensions/xt_iface.c +++ b/extensions/xt_iface.c @@ -85,17 +85,6 @@ static bool xt_iface_mt(const struct sk_buff *skb, return retval; } -static bool xt_iface_mt_check(const struct xt_mtchk_param *par) -{ - DEBUGP("checkentry..."); - return true; -} - -static void xt_iface_mt_destroy(const struct xt_mtdtor_param *par) -{ - DEBUGP("destroy..."); -} - static struct xt_match xt_iface_mt_reg[] __read_mostly = { { .name = _MODULE_NAME, @@ -103,8 +92,6 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = { .family = AF_INET, .matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .match = xt_iface_mt, - .checkentry = xt_iface_mt_check, - .destroy = xt_iface_mt_destroy, .data = 0, .me = THIS_MODULE, }, @@ -114,8 +101,6 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = { .family = AF_INET6, .matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .match = xt_iface_mt, - .checkentry = xt_iface_mt_check, - .destroy = xt_iface_mt_destroy, .data = 0, .me = THIS_MODULE, }, 
From 1aae51935625304ce1dcc380b8b8321d41ea70ee Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 5 Apr 2009 10:59:12 +0200 Subject: [PATCH 03/16] iface: remove DEBUGP --- extensions/libxt_iface.c | 8 -------- extensions/xt_iface.c | 32 +------------------------------- extensions/xt_iface.h | 11 ----------- 3 files changed, 1 insertion(+), 50 deletions(-) diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c index 10e093f..2bf4533 100644 --- a/extensions/libxt_iface.c +++ b/extensions/libxt_iface.c @@ -39,7 +39,6 @@ static struct option iface_mt_opts[] = { static void iface_print_opt(const struct xt_iface_mtinfo *info, const unsigned int option, const char *command) { - DEBUGP("print_option... %s", command); if (info->flags & option) printf(" %s", command); if (info->invflags & option) @@ -49,7 +48,6 @@ static void iface_print_opt(const struct xt_iface_mtinfo *info, static void iface_setflag(struct xt_iface_mtinfo *info, unsigned int *flags, int invert, u_int16_t flag, const char *command) { - DEBUGP("setflag... %s", command); if (*flags & flag) xtables_error(PARAMETER_PROBLEM, "iface: \"--%s\" flag already specified", command); @@ -64,7 +62,6 @@ static bool iface_valid_name(const char *name) { char invalid_chars[] = ".+!*"; - DEBUGP("valid_interface_name... %d %d", strcspn(name, invalid_chars), strlen(name)); return !((strlen(name) >= IFNAMSIZ) || (strcspn(name, invalid_chars) != strlen(name))); } @@ -94,7 +91,6 @@ static void iface_mt_help(void) static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_match **match) { - DEBUGP("parse... c:%c invert:%x", c, invert); struct xt_iface_mtinfo *info = (void *)(*match)->data; switch (c) { 
@@ -159,7 +155,6 @@ static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags, static void iface_mt_check(unsigned int flags) { - DEBUGP("final_check..."); if (!(flags & XT_IFACE_IFACE)) xtables_error(PARAMETER_PROBLEM, "iface: You must specify an interface"); @@ -171,7 +166,6 @@ static void iface_mt_check(unsigned int flags) static void iface_mt_print(const void *ip, const struct xt_entry_match *match, int numeric) { - DEBUGP("print..."); const struct xt_iface_mtinfo *info = (const void *)match->data; printf("iface: \"%s\" [state:", info->ifname); @@ -191,7 +185,6 @@ static void iface_mt_print(const void *ip, const struct xt_entry_match *match, static void iface_mt_save(const void *ip, const struct xt_entry_match *match) { - DEBUGP("save..."); const struct xt_iface_mtinfo *info = (const void *)match->data; printf(" --iface %s", info->ifname); @@ -241,7 +234,6 @@ static struct xtables_match iface_mt6_reg = { static void _init(void) { - DEBUGP("_init..."); xtables_register_match(&iface_mt_reg); xtables_register_match(&iface_mt6_reg); } diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c index c7511d9..6d4b2fc 100644 --- a/extensions/xt_iface.c +++ b/extensions/xt_iface.c @@ -4,8 +4,6 @@ * Original author: Gáspár Lajos */ -#define _KERNEL 1 - #include #include #include 
@@ -43,36 +41,10 @@ static bool xt_iface_mt(const struct sk_buff *skb, struct net_device *dev; bool retval; int i; - DEBUGP("match..."); - DEBUGP("Interface: %s", info->ifname); + retval = ((dev = dev_get_by_name(&init_net, info->ifname)) != NULL); if (retval) { -#if DEBUG - DEBUGP("dev->flags: %#8x", dev->flags); - if (dev->flags & IFF_UP) - DEBUGP(" %#8x (UP)", IFF_UP); - if (dev->flags & IFF_BROADCAST) - DEBUGP(" %#8x (BROADCAST)", IFF_BROADCAST); - if (dev->flags & IFF_LOOPBACK) - DEBUGP(" %#8x (LOOPBACK)", IFF_LOOPBACK); - if (dev->flags & IFF_POINTOPOINT) - DEBUGP(" %#8x (POINTOPOINT)", IFF_POINTOPOINT); - if (dev->flags & IFF_RUNNING) - DEBUGP(" %#8x (RUNNING)", IFF_RUNNING); - if (dev->flags & IFF_NOARP) - DEBUGP(" %#8x (NOARP)", IFF_NOARP); - if (dev->flags & IFF_PROMISC) - DEBUGP(" %#8x (PROMISC)", IFF_PROMISC); - if (dev->flags & IFF_MULTICAST) - DEBUGP(" %#8x (MULTICAST)", IFF_MULTICAST); - if (dev->flags & IFF_DYNAMIC) - DEBUGP(" %#8x (DYNAMIC)", IFF_DYNAMIC); - if (dev->flags & IFF_LOWER_UP) - DEBUGP(" %#8x (LOWER_UP)", IFF_LOWER_UP); - if (dev->flags & IFF_DORMANT) - DEBUGP(" %#8x (DORMANT)", IFF_DORMANT); -#endif for (i=0; (iflags & xt_iface_lookup[i].iface_flag) @@ -108,14 +80,12 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = { static int __init xt_iface_match_init(void) { - DEBUGP("init...\n"); return xt_register_matches(xt_iface_mt_reg, ARRAY_SIZE(xt_iface_mt_reg)); } static void __exit xt_iface_match_exit(void) { - DEBUGP("exit...\n"); xt_unregister_matches(xt_iface_mt_reg, ARRAY_SIZE(xt_iface_mt_reg)); } diff --git a/extensions/xt_iface.h b/extensions/xt_iface.h index 1eed85f..97ac4eb 100644 --- a/extensions/xt_iface.h +++ b/extensions/xt_iface.h 
@@ -1,20 +1,9 @@ #ifndef _LINUX_NETFILTER_XT_IFACE_H #define _LINUX_NETFILTER_XT_IFACE_H 1 -#define DEBUG 0 #define _MODULE_NAME "iface" #define _MODULE_REVISION 0 -#if DEBUG -#if _KERNEL -#define DEBUGP(format, args...) printk(KERN_INFO "xt_"_MODULE_NAME": "format"\n", ##args) -#else -#define DEBUGP(format, args...) printf("# DEBUG: libxt_"_MODULE_NAME": "format"\n", ##args) -#endif -#else -#define DEBUGP(format, args...) -#endif - #define XT_IFACE_FLAGCOUNT 11 enum { From e1fc5f208613f4cb8c28949b78bca325e8e6a022 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 26 Apr 2009 21:56:25 +0200 Subject: [PATCH 04/16] iface: remove redundant parentheses --- extensions/libxt_iface.c | 4 ++-- extensions/xt_iface.c | 7 +++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c index 2bf4533..9033279 100644 --- a/extensions/libxt_iface.c +++ b/extensions/libxt_iface.c @@ -62,7 +62,7 @@ static bool iface_valid_name(const char *name) { char invalid_chars[] = ".+!*"; - return !((strlen(name) >= IFNAMSIZ) || (strcspn(name, invalid_chars) != strlen(name))); + return !(strlen(name) >= IFNAMSIZ || strcspn(name, invalid_chars) != strlen(name)); } static void iface_mt_help(void) @@ -158,7 +158,7 @@ static void iface_mt_check(unsigned int flags) if (!(flags & XT_IFACE_IFACE)) xtables_error(PARAMETER_PROBLEM, "iface: You must specify an interface"); - if ((flags == 0) || (flags == XT_IFACE_IFACE)) + if (flags == 0 || flags == XT_IFACE_IFACE) xtables_error(PARAMETER_PROBLEM, "iface: You must specify at least one option"); } diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c index 6d4b2fc..e0da78e 100644 --- a/extensions/xt_iface.c +++ b/extensions/xt_iface.c 
@@ -43,15 +43,14 @@ static bool xt_iface_mt(const struct sk_buff *skb, int i; retval = - ((dev = dev_get_by_name(&init_net, info->ifname)) != NULL); + (dev = dev_get_by_name(&init_net, info->ifname)) != NULL; if (retval) { - for (i=0; (iflags & xt_iface_lookup[i].iface_flag) retval = retval && (dev->flags & xt_iface_lookup[i].iff_flag); if (info->invflags & xt_iface_lookup[i].iface_flag) retval = retval && !(dev->flags & xt_iface_lookup[i].iff_flag); - } + } dev_put(dev); } return retval; From 0d36136f54f69a50345dfcac466d4d8145111ac8 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 26 Apr 2009 21:56:53 +0200 Subject: [PATCH 05/16] iface: some command decoupling --- extensions/libxt_iface.c | 2 +- extensions/xt_iface.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c index 9033279..07f9cb7 100644 --- a/extensions/libxt_iface.c +++ b/extensions/libxt_iface.c @@ -62,7 +62,7 @@ static bool iface_valid_name(const char *name) { char invalid_chars[] = ".+!*"; - return !(strlen(name) >= IFNAMSIZ || strcspn(name, invalid_chars) != strlen(name)); + return strlen(name) < IFNAMSIZ && strpbrk(name, invalid_chars) == NULL; } static void iface_mt_help(void) diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c index e0da78e..a30fabf 100644 --- a/extensions/xt_iface.c +++ b/extensions/xt_iface.c 
@@ -42,14 +42,14 @@ static bool xt_iface_mt(const struct sk_buff *skb, bool retval; int i; - retval = - (dev = dev_get_by_name(&init_net, info->ifname)) != NULL; + dev = dev_get_by_name(&init_net, info->ifname); + retval = dev != NULL; if (retval) { for (i = 0; i < XT_IFACE_FLAGCOUNT && retval; ++i) { if (info->flags & xt_iface_lookup[i].iface_flag) - retval = retval && (dev->flags & xt_iface_lookup[i].iff_flag); + retval &= dev->flags & xt_iface_lookup[i].iff_flag; if (info->invflags & xt_iface_lookup[i].iface_flag) - retval = retval && !(dev->flags & xt_iface_lookup[i].iff_flag); + retval &= !(dev->flags & xt_iface_lookup[i].iff_flag); } dev_put(dev); } From 67998063001d93a740bd9582d6d1697692b940a2 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 26 Apr 2009 21:59:41 +0200 Subject: [PATCH 06/16] iface: use NFPROTO_* --- extensions/xt_iface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c index a30fabf..2d633cd 100644 --- a/extensions/xt_iface.c +++ b/extensions/xt_iface.c @@ -60,7 +60,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = { { .name = _MODULE_NAME, .revision = _MODULE_REVISION, - .family = AF_INET, + .family = NFPROTO_IPV4, .matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .match = xt_iface_mt, .data = 0, @@ -69,7 +69,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = { { .name = _MODULE_NAME, .revision = _MODULE_REVISION, - .family = AF_INET6, + .family = NFPROTO_IPV6, .matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .match = xt_iface_mt, .data = 0, From f6c317710f5aa9c4dab5e5b5f72c71549d256570 Mon Sep 17 00:00:00 2001 
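Review bot: `retval &= dev->flags & xt_iface_lookup[i].iff_flag;` turns the logical AND it replaces into a bitwise one on a `bool`: `retval` promotes to 1, and 1 ANDed with any flag whose bit value is not 1 yields 0, so a rule with a positive flag test on anything but the lowest-valued IFF_ bit silently stops matching even when the device flag is set. The inverted branch is unaffected because `!` already yields 0/1. Normalise the operand the same way, `retval &= !!(dev->flags & xt_iface_lookup[i].iff_flag);`, or keep the `retval = retval && (...)` form this hunk removes. `xt_iface_mt` begins before and ends after this hunk.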
From: Jan Engelhardt Date: Sun, 26 Apr 2009 22:01:30 +0200 Subject: [PATCH 07/16] iface: remove version/revision from helptext XTABLES_VERSION does not contain anything meaningful to display. Printing the revision is not of value either, I think. --- extensions/libxt_iface.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c index 07f9cb7..8b162df 100644 --- a/extensions/libxt_iface.c +++ b/extensions/libxt_iface.c @@ -68,7 +68,7 @@ static bool iface_valid_name(const char *name) static void iface_mt_help(void) { printf( - _MODULE_NAME " match v%s rev:%#2x options:\n" + _MODULE_NAME " match options:\n" " --iface interface\t\tName of interface\n" "[!] --up\n" "[!] --down\t\t\tmatch if UP flag (not) set\n" @@ -84,8 +84,7 @@ static void iface_mt_help(void) "[!] --multicast\t\tmatch if MULTICAST flag (not) set\n" "[!] --dynamic\t\t\tmatch if DYNAMIC flag (not) set\n" "[!] --lower_up\t\t\tmatch if LOWER_UP flag (not) set\n" - "[!] --dormant\t\t\tmatch if DORMANT flag (not) set\n", - XTABLES_VERSION, _MODULE_REVISION); + "[!] --dormant\t\t\tmatch if DORMANT flag (not) set\n"); } static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags, From 6d8ce3acae27f58e0473ee8467536e85150716c5 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 26 Apr 2009 22:07:43 +0200 Subject: [PATCH 08/16] iface: dissolve module name/revision macros The module name is unlikely to change anytime soon. And if the revision increases, we cannot just bump the number (well, in Xtables-addons we can, but it would not be the case for the core kernel). So let's not get into bad habits. --- extensions/libxt_iface.c | 10 +++++----- extensions/xt_iface.c | 8 ++++---- extensions/xt_iface.h | 3 --- 3 files changed, 9 insertions(+), 12 deletions(-) diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c index 8b162df..d5631de 100644 --- a/extensions/libxt_iface.c +++ b/extensions/libxt_iface.c 
@@ -68,7 +68,7 @@ static bool iface_valid_name(const char *name) static void iface_mt_help(void) { printf( - _MODULE_NAME " match options:\n" + "iface match options:\n" " --iface interface\t\tName of interface\n" "[!] --up\n" "[!] --down\t\t\tmatch if UP flag (not) set\n" @@ -203,8 +203,8 @@ static void iface_mt_save(const void *ip, const struct xt_entry_match *match) static struct xtables_match iface_mt_reg = { .version = XTABLES_VERSION, - .name = _MODULE_NAME, - .revision = _MODULE_REVISION, + .name = "iface", + .revision = 0, .family = AF_INET, .size = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .userspacesize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), @@ -218,8 +218,8 @@ static struct xtables_match iface_mt_reg = { static struct xtables_match iface_mt6_reg = { .version = XTABLES_VERSION, - .name = _MODULE_NAME, - .revision = _MODULE_REVISION, + .name = "iface", + .revision = 0, .family = AF_INET6, .size = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .userspacesize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c index 2d633cd..bfcbfc5 100644 --- a/extensions/xt_iface.c +++ b/extensions/xt_iface.c @@ -58,8 +58,8 @@ static bool xt_iface_mt(const struct sk_buff *skb, static struct xt_match xt_iface_mt_reg[] __read_mostly = { { - .name = _MODULE_NAME, - .revision = _MODULE_REVISION, + .name = "iface", + .revision = 0, .family = NFPROTO_IPV4, .matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .match = xt_iface_mt, @@ -67,8 +67,8 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = { .me = THIS_MODULE, }, { - .name = _MODULE_NAME, - .revision = _MODULE_REVISION, + .name = "iface", + .revision = 0, .family = NFPROTO_IPV6, .matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)), .match = xt_iface_mt, diff --git a/extensions/xt_iface.h b/extensions/xt_iface.h index 97ac4eb..0a460d9 100644 --- a/extensions/xt_iface.h +++ b/extensions/xt_iface.h 
@@ -1,9 +1,6 @@
 #ifndef _LINUX_NETFILTER_XT_IFACE_H
 #define _LINUX_NETFILTER_XT_IFACE_H 1
 
-#define _MODULE_NAME "iface"
-#define _MODULE_REVISION 0
-
 #define XT_IFACE_FLAGCOUNT 11
 
 enum {
From 3f96deb0f0da955367fa1c5b110c6ecf17cbb209 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 26 Apr 2009 22:07:43 +0200 Subject: [PATCH 09/16] iface: remove define for internal array size The macro was only used inside kernel code and not relevant to user-space anyway. --- extensions/xt_iface.c | 4 ++-- extensions/xt_iface.h | 2 -- 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c
index bfcbfc5..c52b694 100644
--- a/extensions/xt_iface.c
+++ b/extensions/xt_iface.c
@@ -19,7 +19,7 @@ MODULE_ALIAS("ipt_iface");
 MODULE_ALIAS("ip6t_iface");
 //MODULE_ALIAS("arpt_iface");
 
-static struct xt_iface_flag_pairs xt_iface_lookup[XT_IFACE_FLAGCOUNT] =
+static struct xt_iface_flag_pairs xt_iface_lookup[] =
 {
 {.iface_flag = XT_IFACE_UP, .iff_flag = IFF_UP},
 {.iface_flag = XT_IFACE_BROADCAST, .iff_flag = IFF_BROADCAST},
@@ -45,7 +45,7 @@ static bool xt_iface_mt(const struct sk_buff *skb,
 dev = dev_get_by_name(&init_net, info->ifname);
 retval = dev != NULL;
 if (retval) {
- for (i = 0; i < XT_IFACE_FLAGCOUNT && retval; ++i) {
+ for (i = 0; i < ARRAY_SIZE(xt_iface_lookup) && retval; ++i) {
 if (info->flags & xt_iface_lookup[i].iface_flag)
 retval &= dev->flags & xt_iface_lookup[i].iff_flag;
 if (info->invflags & xt_iface_lookup[i].iface_flag)
diff --git a/extensions/xt_iface.h b/extensions/xt_iface.h
index 0a460d9..6a7ec0d 100644
--- a/extensions/xt_iface.h
+++ b/extensions/xt_iface.h
@@ -1,8 +1,6 @@
 #ifndef _LINUX_NETFILTER_XT_IFACE_H
 #define _LINUX_NETFILTER_XT_IFACE_H 1
 
-#define XT_IFACE_FLAGCOUNT 11
-
 enum {
 XT_IFACE_UP = 1 << 0,
 XT_IFACE_BROADCAST = 1 << 1,
From be2061c52021c514ac4aca6d7c398364428129af Mon Sep 17 00:00:00 2001
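Review bot: `retval &= dev->flags & xt_iface_lookup[i].iff_flag;` in the xt_iface.c hunk only works for a flag whose bit value is 1: retval starts as `dev != NULL`, i.e. 1, so ANDing it with IFF_BROADCAST (2) or any higher IFF_* bit yields 0 and the match fails even though the flag is set. The loop bound is what this commit changes, but the condition inside it is the code under review; normalise the test first, `retval &= !!(dev->flags & xt_iface_lookup[i].iff_flag);`, and presumably the invflags branch (its body lies outside the hunk) needs the same treatment with `!(...)`. Two things are not visible here and worth confirming: that the reference taken by dev_get_by_name() is released with dev_put() on every path, and that a checkentry rejects an `info->ifname` from userspace that is not NUL-terminated within IFNAMSIZ rather than relying on dev_get_by_name()'s internal bounding. The enclosing xt_iface_mt() body starts and ends outside the hunk.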
From: Jan Engelhardt Date: Sun, 26 Apr 2009 22:13:05 +0200 Subject: [PATCH 10/16] iface: constify data arrays --- extensions/libxt_iface.c | 4 ++-- extensions/xt_iface.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c
index d5631de..4f98a31 100644
--- a/extensions/libxt_iface.c
+++ b/extensions/libxt_iface.c
@@ -16,7 +16,7 @@
 #include
 #include "xt_iface.h"
 
-static struct option iface_mt_opts[] = {
+static const struct option iface_mt_opts[] = {
 {.name = "iface", .has_arg = true, .flag = 0, .val = 'i'},
 {.name = "up", .has_arg = false, .flag = 0, .val = 'u'},
 {.name = "down", .has_arg = false, .flag = 0, .val = 'U'}, /* not up */
@@ -60,7 +60,7 @@ static void iface_setflag(struct xt_iface_mtinfo *info,
 
 static bool iface_valid_name(const char *name)
 {
- char invalid_chars[] = ".+!*";
+ static const char invalid_chars[] = ".+!*";
 return strlen(name) < IFNAMSIZ && strpbrk(name, invalid_chars) == NULL;
 }
 
diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c
index c52b694..bc3b7a3 100644
--- a/extensions/xt_iface.c
+++ b/extensions/xt_iface.c
@@ -19,7 +19,7 @@ MODULE_ALIAS("ipt_iface");
 MODULE_ALIAS("ip6t_iface");
 //MODULE_ALIAS("arpt_iface");
 
-static struct xt_iface_flag_pairs xt_iface_lookup[] =
+static const struct xt_iface_flag_pairs xt_iface_lookup[] =
 {
 {.iface_flag = XT_IFACE_UP, .iff_flag = IFF_UP},
 {.iface_flag = XT_IFACE_BROADCAST, .iff_flag = IFF_BROADCAST},
From a6ba463c430e500ac618d0670f1caa309c862735 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 26 Apr 2009 22:13:06 +0200 Subject: [PATCH 11/16] iface: remove redundant fields and use bool --- extensions/libxt_iface.c | 59 ++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 30 deletions(-)
diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c
index 4f98a31..55b62fa 100644
--- a/extensions/libxt_iface.c
+++ b/extensions/libxt_iface.c
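Review bot: iface_valid_name() in the libxt_iface.c hunk accepts the empty string, since `strlen(name) < IFNAMSIZ` holds for "" and strpbrk() finds nothing in it, so `--iface ""` is copied into info->ifname and yields a rule that can never match without any error. Reject it up front: `return *name != '\0' && strlen(name) < IFNAMSIZ && strpbrk(name, invalid_chars) == NULL;`. The `static const` change itself is fine; since the `< IFNAMSIZ` bound is what keeps the caller's later strcpy() into `info->ifname` in range, a one-line comment saying so, `/* the IFNAMSIZ bound is what makes the strcpy() into ifname safe */`, would help the next reader.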
@@ -17,22 +17,22 @@
 #include "xt_iface.h"
 
 static const struct option iface_mt_opts[] = {
- {.name = "iface", .has_arg = true, .flag = 0, .val = 'i'},
- {.name = "up", .has_arg = false, .flag = 0, .val = 'u'},
- {.name = "down", .has_arg = false, .flag = 0, .val = 'U'}, /* not up */
- {.name = "broadcast", .has_arg = false, .flag = 0, .val = 'b'},
- {.name = "loopback", .has_arg = false, .flag = 0, .val = 'l'},
- {.name = "pointopoint", .has_arg = false, .flag = 0, .val = 'p'},
- {.name = "pointtopoint",.has_arg = false, .flag = 0, .val = 'p'}, /* eq pointopoint */
- {.name = "running", .has_arg = false, .flag = 0, .val = 'r'},
- {.name = "noarp", .has_arg = false, .flag = 0, .val = 'n'},
- {.name = "arp", .has_arg = false, .flag = 0, .val = 'N'}, /* not noarp */
- {.name = "promisc", .has_arg = false, .flag = 0, .val = 'o'},
- {.name = "promiscous", .has_arg = false, .flag = 0, .val = 'o'}, /* eq promisc */
- {.name = "multicast", .has_arg = false, .flag = 0, .val = 'm'},
- {.name = "dynamic", .has_arg = false, .flag = 0, .val = 'd'},
- {.name = "lower_up", .has_arg = false, .flag = 0, .val = 'w'},
- {.name = "dormant", .has_arg = false, .flag = 0, .val = 'a'},
+ {.name = "iface", .has_arg = true, .val = 'i'},
+ {.name = "up", .has_arg = false, .val = 'u'},
+ {.name = "down", .has_arg = false, .val = 'U'}, /* not up */
+ {.name = "broadcast", .has_arg = false, .val = 'b'},
+ {.name = "loopback", .has_arg = false, .val = 'l'},
+ {.name = "pointopoint", .has_arg = false, .val = 'p'},
+ {.name = "pointtopoint",.has_arg = false, .val = 'p'}, /* eq pointopoint */
+ {.name = "running", .has_arg = false, .val = 'r'},
+ {.name = "noarp", .has_arg = false, .val = 'n'},
+ {.name = "arp", .has_arg = false, .val = 'N'}, /* not noarp */
+ {.name = "promisc", .has_arg = false, .val = 'o'},
+ {.name = "promiscous", .has_arg = false, .val = 'o'}, /* eq promisc */
+ {.name = "multicast", .has_arg = false, .val = 'm'},
+ {.name = "dynamic", .has_arg = false, .val = 'd'},
+ {.name = "lower_up", .has_arg = false, .val = 'w'},
+ {.name = "dormant", .has_arg = false, .val = 'a'},
 {.name = NULL},
 };
 
@@ -113,43 +113,42 @@ static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 "iface: Invalid interface name!");
 strcpy(info->ifname, optarg);
 *flags |= XT_IFACE_IFACE;
- return 1;
+ return true;
 case 'u': /* UP */
 iface_setflag(info, flags, invert, XT_IFACE_UP, "up");
- return 1;
+ return true;
 case 'b': /* BROADCAST */
 iface_setflag(info, flags, invert, XT_IFACE_BROADCAST, "broadcast");
- return 1;
+ return true;
 case 'l': /* LOOPBACK */
 iface_setflag(info, flags, invert, XT_IFACE_LOOPBACK, "loopback");
- return 1;
+ return true;
 case 'p': /* POINTOPOINT */
 iface_setflag(info, flags, invert, XT_IFACE_POINTOPOINT, "pointopoint");
- return 1;
+ return true;
 case 'r': /* RUNNING */
 iface_setflag(info, flags, invert, XT_IFACE_RUNNING, "running");
- return 1;
+ return true;
 case 'n': /* NOARP */
 iface_setflag(info, flags, invert, XT_IFACE_NOARP, "noarp");
- return 1;
+ return true;
 case 'o': /* PROMISC */
 iface_setflag(info, flags, invert, XT_IFACE_PROMISC, "promisc");
- return 1;
+ return true;
 case 'm': /* MULTICAST */
 iface_setflag(info, flags, invert, XT_IFACE_MULTICAST, "multicast");
- return 1;
+ return true;
 case 'd': /* DYNAMIC */
 iface_setflag(info, flags, invert, XT_IFACE_DYNAMIC, "dynamic");
- return 1;
+ return true;
 case 'w': /* LOWER_UP */
 iface_setflag(info, flags, invert, XT_IFACE_LOWER_UP, "lower_up");
- return 1;
+ return true;
 case 'a': /* DORMANT */
 iface_setflag(info, flags, invert, XT_IFACE_DORMANT, "dormant");
- return 1;
- default:
- return 0;
+ return true;
 }
+ return false;
 }
 
 static void iface_mt_check(unsigned int flags)
From 074a7d6cb7d0a94c4cd0b7016de3193d0f614740 Mon Sep 17 00:00:00 2001
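Review bot: The switch in the iface_mt_parse() hunk has no `case 'U'` and no `case 'N'`, yet the option table in the same commit maps `--down` to 'U' and `--arp` to 'N'; unless those cases sit above line 113 (the start of iface_mt_parse() is outside the hunk), both options now reach the new `return false;` and iptables will report them as unknown. If they are indeed missing, `case 'U': iface_setflag(info, flags, !invert, XT_IFACE_UP, "up"); return true;` and the analogous `case 'N'` for XT_IFACE_NOARP would be the natural additions, assuming iface_setflag() interprets its `invert` argument as a plain inversion (its body is not visible here). The @@ header still shows the function as `static int`, so the `true`/`false` literals travel through an int return; that presumably matches the xtables parse-callback type, but a one-line comment such as `/* callback returns int; true/false used for readability */` would keep a later cleanup from "fixing" it.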
From: Jan Engelhardt Date: Sun, 26 Apr 2009 22:21:27 +0200 Subject: [PATCH 12/16] iface: remove --promiscous flag The spelling is difficult (actually it is "promiscuous"), and one option should be enough. Keeping --promisc. --- extensions/libxt_iface.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c
index 55b62fa..cd192a5 100644
--- a/extensions/libxt_iface.c
+++ b/extensions/libxt_iface.c
@@ -28,7 +28,6 @@ static const struct option iface_mt_opts[] = {
 {.name = "noarp", .has_arg = false, .val = 'n'},
 {.name = "arp", .has_arg = false, .val = 'N'}, /* not noarp */
 {.name = "promisc", .has_arg = false, .val = 'o'},
- {.name = "promiscous", .has_arg = false, .val = 'o'}, /* eq promisc */
 {.name = "multicast", .has_arg = false, .val = 'm'},
 {.name = "dynamic", .has_arg = false, .val = 'd'},
 {.name = "lower_up", .has_arg = false, .val = 'w'},
@@ -79,8 +78,7 @@ static void iface_mt_help(void)
 "[!] --running\t\t\tmatch if RUNNING flag (not) set\n"
 "[!] --noarp\n"
 "[!] --arp\t\t\tmatch if NOARP flag (not) set\n"
- "[!] --promisc\n"
- "[!] --promiscous\t\tmatch if PROMISC flag (not) set\n"
+ "[!] --promisc\t\t\tmatch if PROMISC flag (not) set\n"
 "[!] --multicast\t\tmatch if MULTICAST flag (not) set\n"
 "[!] --dynamic\t\t\tmatch if DYNAMIC flag (not) set\n"
 "[!] --lower_up\t\t\tmatch if LOWER_UP flag (not) set\n"
From 60c4162087419e72c043031eb498f6e92b2a9776 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 26 Apr 2009 22:22:20 +0200 Subject: [PATCH 13/16] iface: replace --lower_up by --lower-up --- extensions/libxt_iface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c
index cd192a5..865fd08 100644
--- a/extensions/libxt_iface.c
+++ b/extensions/libxt_iface.c
@@ -30,7 +30,7 @@ static const struct option iface_mt_opts[] = { {.name = "promisc", .has_arg = false, .val = 'o'}, {.name = "multicast", .has_arg = false, .val = 'm'}, {.name = "dynamic", .has_arg = false, .val = 'd'}, - {.name = "lower_up", .has_arg = false, .val = 'w'}, + {.name = "lower-up", .has_arg = false, .val = 'w'}, {.name = "dormant", .has_arg = false, .val = 'a'}, {.name = NULL}, }; @@ -81,7 +81,7 @@ static void iface_mt_help(void) "[!] --promisc\t\t\tmatch if PROMISC flag (not) set\n" "[!] --multicast\t\tmatch if MULTICAST flag (not) set\n" "[!] --dynamic\t\t\tmatch if DYNAMIC flag (not) set\n" - "[!] --lower_up\t\t\tmatch if LOWER_UP flag (not) set\n" + "[!] --lower-up\t\t\tmatch if LOWER_UP flag (not) set\n" "[!] --dormant\t\t\tmatch if DORMANT flag (not) set\n"); } From f5ed98fbf5f1b35e38be836048a9f1e4045885d5 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 26 Apr 2009 23:19:07 +0200 Subject: [PATCH 14/16] iface: update documentation For one, the tabs must go as they cause alignment problems. Also update the manpage with proper markup. --- doc/changelog.txt | 1 + extensions/libxt_iface.c | 58 ++++++++++++++++++-------------------- extensions/libxt_iface.man | 45 ++++++++++------------------- 3 files changed, 44 insertions(+), 60 deletions(-) diff --git a/doc/changelog.txt b/doc/changelog.txt index 5b958c9..5877f35 100644 --- a/doc/changelog.txt +++ b/doc/changelog.txt @@ -1,5 +1,6 @@ +- add "iface" match - fuzzy: need to account for kernel-level modified variables in .userspacesize - geoip: remove XT_ALIGN from .userspacesize when used with offsetof - SYSRQ: ignore non-UDP packets diff --git a/extensions/libxt_iface.c b/extensions/libxt_iface.c index 865fd08..091951e 100644 --- a/extensions/libxt_iface.c +++ b/extensions/libxt_iface.c 
@@ -17,22 +17,22 @@
 #include "xt_iface.h"
 
 static const struct option iface_mt_opts[] = {
- {.name = "iface", .has_arg = true, .val = 'i'},
- {.name = "up", .has_arg = false, .val = 'u'},
- {.name = "down", .has_arg = false, .val = 'U'}, /* not up */
- {.name = "broadcast", .has_arg = false, .val = 'b'},
- {.name = "loopback", .has_arg = false, .val = 'l'},
- {.name = "pointopoint", .has_arg = false, .val = 'p'},
- {.name = "pointtopoint",.has_arg = false, .val = 'p'}, /* eq pointopoint */
- {.name = "running", .has_arg = false, .val = 'r'},
- {.name = "noarp", .has_arg = false, .val = 'n'},
- {.name = "arp", .has_arg = false, .val = 'N'}, /* not noarp */
- {.name = "promisc", .has_arg = false, .val = 'o'},
- {.name = "multicast", .has_arg = false, .val = 'm'},
- {.name = "dynamic", .has_arg = false, .val = 'd'},
- {.name = "lower-up", .has_arg = false, .val = 'w'},
- {.name = "dormant", .has_arg = false, .val = 'a'},
- {.name = NULL},
+ {.name = "iface", .has_arg = true, .val = 'i'},
+ {.name = "up", .has_arg = false, .val = 'u'},
+ {.name = "down", .has_arg = false, .val = 'U'}, /* not up */
+ {.name = "broadcast", .has_arg = false, .val = 'b'},
+ {.name = "loopback", .has_arg = false, .val = 'l'},
+ {.name = "pointopoint", .has_arg = false, .val = 'p'},
+ {.name = "pointtopoint", .has_arg = false, .val = 'p'}, /* eq pointopoint */
+ {.name = "running", .has_arg = false, .val = 'r'},
+ {.name = "noarp", .has_arg = false, .val = 'n'},
+ {.name = "arp", .has_arg = false, .val = 'N'}, /* not noarp */
+ {.name = "promisc", .has_arg = false, .val = 'o'},
+ {.name = "multicast", .has_arg = false, .val = 'm'},
+ {.name = "dynamic", .has_arg = false, .val = 'd'},
+ {.name = "lower-up", .has_arg = false, .val = 'w'},
+ {.name = "dormant", .has_arg = false, .val = 'a'},
+ {NULL},
 };
 
 static void iface_print_opt(const struct xt_iface_mtinfo *info,
@@ -68,21 +68,19 @@ static void iface_mt_help(void)
 {
 printf(
 "iface match options:\n"
- " --iface interface\t\tName of interface\n"
- "[!] --up\n"
- "[!] --down\t\t\tmatch if UP flag (not) set\n"
- "[!] --broadcast\t\tmatch if BROADCAST flag (not) set\n"
- "[!] --loopback\t\t\tmatch if LOOPBACK flag (not) set\n"
+ " --iface interface Name of interface\n"
+ "[!] --up / --down match if UP flag (not) set\n"
+ "[!] --broadcast match if BROADCAST flag (not) set\n"
+ "[!] --loopback match if LOOPBACK flag (not) set\n"
 "[!] --pointopoint\n"
- "[!] --pointtopoint\t\tmatch if POINTOPOINT flag (not) set\n"
- "[!] --running\t\t\tmatch if RUNNING flag (not) set\n"
- "[!] --noarp\n"
- "[!] --arp\t\t\tmatch if NOARP flag (not) set\n"
- "[!] --promisc\t\t\tmatch if PROMISC flag (not) set\n"
- "[!] --multicast\t\tmatch if MULTICAST flag (not) set\n"
- "[!] --dynamic\t\t\tmatch if DYNAMIC flag (not) set\n"
- "[!] --lower-up\t\t\tmatch if LOWER_UP flag (not) set\n"
- "[!] --dormant\t\t\tmatch if DORMANT flag (not) set\n");
+ "[!] --pointtopoint match if POINTOPOINT flag (not) set\n"
+ "[!] --running match if RUNNING flag (not) set\n"
+ "[!] --noarp / --arp match if NOARP flag (not) set\n"
+ "[!] --promisc match if PROMISC flag (not) set\n"
+ "[!] --multicast match if MULTICAST flag (not) set\n"
+ "[!] --dynamic match if DYNAMIC flag (not) set\n"
+ "[!] --lower-up match if LOWER_UP flag (not) set\n"
+ "[!] --dormant match if DORMANT flag (not) set\n");
 }
 
 static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
diff --git a/extensions/libxt_iface.man b/extensions/libxt_iface.man
index 40f70e3..7dc6820 100644
--- a/extensions/libxt_iface.man
+++ b/extensions/libxt_iface.man
@@ -1,52 +1,37 @@ Allows you to check interface states. - .TP -.BI "--iface " "interface" -Check the states on "interface". Required. +\fB\-\-iface\fP \fIname\fP +Check the states on the given interface. This option is required. .TP -.B [!] --up +[\fB!\fP] \fB\-\-up\fP, [\fB!\fP] \fB\-\-down\fP Check the UP flag. .TP -.B [!] --down -Not --up. -.TP -.B "[!] --broadcast" +[\fB!\fP] \fB\-\-broadcast\fP Check the BROADCAST flag. .TP -.B "[!] --loopback" +[\fB!\fP] \fB\-\-loopback\fP Check the LOOPBACK flag. .TP -.B "[!] --pointopoint" -Check the POINTOPOINT flag. +[\fB!\fP] \fB\-\-pointtopoint\fP +Check the POINTTOPOINT flag. .TP -.B "[!] --pointtopoint" -Same as --pointopoint. +[\fB!\fP] \fB\-\-running\fP +Check the RUNNING flag. Do NOT rely on it! .TP -.B [!] --running -Check the RUNNING flag. Do NOT relay on it! -.TP -.B [!] --noarp +[\fB!\fP] \fB\-\-noarp\fP, [\fB!\fP] \fB\-\-arp\fP Check the NOARP flag. .TP -.B [!] --arp -Not --noarp. -.TP -.B [!] --promisc +[\fB!\fP] \fB\-\-promisc\fP Check the PROMISC flag. .TP -.B [!] --promiscous -Same as --promisc. -.TP -.B [!] --multicast +[\fB!\fP] \fB\-\-multicast\fP Check the MULTICAST flag. .TP -.B [!] --dynamic +[\fB!\fP] \fB\-\-dynamic\fP Check the DYNAMIC flag. .TP -.B [!] --lower_up +[\fB!\fP] \fB\-\-lower-up\fP Check the LOWER_UP flag. .TP -.B [!] --dormant +[\fB!\fP] \fB\-\-dormant\fP Check the DORMANT flag. - -For more information see the \fIif.h\fP header file in the kernel source. From e89c5d976a720c964ed673ac893bc55ef4bbc7bc Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 27 Apr 2009 20:46:09 +0200 Subject: [PATCH 15/16] iface: move private struct xt_iface_flag_pairs to .c file --- extensions/xt_iface.c | 5 +++++ extensions/xt_iface.h | 5 ----- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c index bc3b7a3..df3e4a3 100644 --- a/extensions/xt_iface.c +++ b/extensions/xt_iface.c 
@@ -12,6 +12,11 @@
 #include
 #include "xt_iface.h"
 
+struct xt_iface_flag_pairs {
+ uint16_t iface_flag;
+ uint32_t iff_flag;
+};
+
 MODULE_AUTHOR("Gáspár Lajos ");
 MODULE_DESCRIPTION("Xtables: iface match module");
 MODULE_LICENSE("GPL");
diff --git a/extensions/xt_iface.h b/extensions/xt_iface.h
index 6a7ec0d..46fae34 100644
--- a/extensions/xt_iface.h
+++ b/extensions/xt_iface.h
@@ -16,11 +16,6 @@ enum {
 XT_IFACE_IFACE = 1 << 15,
 };
 
-struct xt_iface_flag_pairs {
- u_int16_t iface_flag;
- u_int32_t iff_flag;
-};
-
 struct xt_iface_mtinfo {
 char ifname[IFNAMSIZ];
 u_int16_t flags;
From 000c2d73fd61178e400cfa9b0056aa98f33a5304 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 27 Apr 2009 20:46:25 +0200 Subject: [PATCH 16/16] iface: must use __u types in header files --- extensions/xt_iface.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/xt_iface.h b/extensions/xt_iface.h
index 46fae34..f1dbba7 100644
--- a/extensions/xt_iface.h
+++ b/extensions/xt_iface.h
@@ -18,8 +18,8 @@ enum {
 
 struct xt_iface_mtinfo {
 char ifname[IFNAMSIZ];
- u_int16_t flags;
- u_int16_t invflags;
+ __u16 flags;
+ __u16 invflags;
 };
 
 #endif
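Review bot: The struct moved into xt_iface.c is declared with `uint16_t`/`uint32_t`, whereas kernel-side code conventionally uses `u16`/`u32` (the `__u16` chosen for the shared header in the following patch is the right choice there, since that struct crosses the userspace/kernel boundary). `iff_flag` is compared against `dev->flags`, so a one-line comment on the struct, `/* pairs an XT_IFACE_* bit with the IFF_* bit it tests on dev->flags */`, would document the contract the lookup table relies on; with it in place the type choice is a style nit only. A matching comment on `xt_iface_mtinfo` noting that `flags`/`invflags` are XT_IFACE_* masks and that `ifname` must be NUL-terminated would make the ABI expectations explicit for the kernel-side validator.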