iface: import version 20081029

extensions/Kbuild

@@ -18,6 +18,7 @@ obj-${build_TEE}         += xt_TEE.o
 obj-${build_condition}   += xt_condition.o
 obj-${build_fuzzy}       += xt_fuzzy.o
 obj-${build_geoip}       += xt_geoip.o
+obj-${build_iface}       += xt_iface.o
 obj-${build_ipp2p}       += xt_ipp2p.o
 obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += xt_ipv4options.o

extensions/Mbuild

@@ -11,6 +11,7 @@ obj-${build_TEE}         += libxt_TEE.so
 obj-${build_condition}   += libxt_condition.so
 obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
+obj-${build_iface}       += libxt_iface.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
 obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += libxt_ipv4options.so

extensions/libxt_iface.c

@@ -0,0 +1,254 @@
+/*
+ * Shared library add-on to iptables to add interface state matching
+ * support.
+ *
+ * (C) 2008 Gáspár Lajos <gaspar.lajos@glsys.eu>
+ *
+ * This program is released under the terms of GNU GPL version 2.
+ */
+
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include "xt_iface.h"
+
+static struct option iface_mt_opts[] = {
+	{.name = "iface",	.has_arg = true,  .flag = 0, .val = 'i'},
+	{.name = "up",		.has_arg = false, .flag = 0, .val = 'u'},
+	{.name = "down",	.has_arg = false, .flag = 0, .val = 'U'}, /* not up */
+	{.name = "broadcast",	.has_arg = false, .flag = 0, .val = 'b'},
+	{.name = "loopback",	.has_arg = false, .flag = 0, .val = 'l'},
+	{.name = "pointopoint",	.has_arg = false, .flag = 0, .val = 'p'},
+	{.name = "pointtopoint",.has_arg = false, .flag = 0, .val = 'p'}, /* eq pointopoint */
+	{.name = "running",	.has_arg = false, .flag = 0, .val = 'r'},
+	{.name = "noarp",	.has_arg = false, .flag = 0, .val = 'n'},
+	{.name = "arp",		.has_arg = false, .flag = 0, .val = 'N'}, /* not noarp */
+	{.name = "promisc",	.has_arg = false, .flag = 0, .val = 'o'},
+	{.name = "promiscous",	.has_arg = false, .flag = 0, .val = 'o'}, /* eq promisc */
+	{.name = "multicast",	.has_arg = false, .flag = 0, .val = 'm'},
+	{.name = "dynamic",	.has_arg = false, .flag = 0, .val = 'd'},
+	{.name = "lower_up",	.has_arg = false, .flag = 0, .val = 'w'},
+	{.name = "dormant",	.has_arg = false, .flag = 0, .val = 'a'},
+	{.name = NULL},
+};
+
+static void iface_print_opt(const struct xt_iface_mtinfo *info,
+    const unsigned int option, const char *command)
+{
+	DEBUGP("print_option... %s", command);
+	if (info->flags & option)
+		printf(" %s", command);
+	if (info->invflags & option)
+		printf(" ! %s", command);
+}
+
+static void iface_setflag(struct xt_iface_mtinfo *info,
+    unsigned int *flags, int invert, u_int16_t flag, const char *command)
+{
+	DEBUGP("setflag... %s", command);
+	if (*flags & flag)
+		xtables_error(PARAMETER_PROBLEM,
+			"iface: \"--%s\" flag already specified", command);
+	if (invert)
+		info->invflags |= flag;
+	else
+		info->flags |= flag;
+	*flags |= flag;
+}
+
+static bool iface_valid_name(const char *name)
+{
+	char invalid_chars[] = ".+!*";
+
+	DEBUGP("valid_interface_name... %d %d", strcspn(name, invalid_chars), strlen(name));
+	return !((strlen(name) >= IFNAMSIZ) || (strcspn(name, invalid_chars) != strlen(name)));
+}
+
+static void iface_mt_help(void)
+{
+	printf(
+	_MODULE_NAME " match v%s rev:%#2x options:\n"
+	"    --iface interface\t\tName of interface\n"
+	"[!] --up\n"
+	"[!] --down\t\t\tmatch if UP flag (not) set\n"
+	"[!] --broadcast\t\tmatch if BROADCAST flag (not) set\n"
+	"[!] --loopback\t\t\tmatch if LOOPBACK flag (not) set\n"
+	"[!] --pointopoint\n"
+	"[!] --pointtopoint\t\tmatch if POINTOPOINT flag (not) set\n"
+	"[!] --running\t\t\tmatch if RUNNING flag (not) set\n"
+	"[!] --noarp\n"
+	"[!] --arp\t\t\tmatch if NOARP flag (not) set\n"
+	"[!] --promisc\n"
+	"[!] --promiscous\t\tmatch if PROMISC flag (not) set\n"
+	"[!] --multicast\t\tmatch if MULTICAST flag (not) set\n"
+	"[!] --dynamic\t\t\tmatch if DYNAMIC flag (not) set\n"
+	"[!] --lower_up\t\t\tmatch if LOWER_UP flag (not) set\n"
+	"[!] --dormant\t\t\tmatch if DORMANT flag (not) set\n",
+	XTABLES_VERSION, _MODULE_REVISION);
+}
+
+static void iface_mt_init(struct xt_entry_match *m)
+{
+	DEBUGP("init...");
+}
+
+static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+    const void *entry, struct xt_entry_match **match)
+{
+	DEBUGP("parse... c:%c invert:%x", c, invert);
+	struct xt_iface_mtinfo *info = (void *)(*match)->data;
+
+	switch (c) {
+	case 'U':
+		c = 'u';
+		invert = !invert;
+		break;
+	case 'N':
+		c = 'n';
+		invert = !invert;
+		break;
+	}
+
+	switch (c) {
+	case 'i': /* interface name */
+		if (*flags & XT_IFACE_IFACE)
+			xtables_error(PARAMETER_PROBLEM,
+				"iface: Interface name already specified");
+		if (!iface_valid_name(optarg))
+			xtables_error(PARAMETER_PROBLEM,
+				"iface: Invalid interface name!");
+		strcpy(info->ifname, optarg);
+		*flags |= XT_IFACE_IFACE;
+		return 1;
+	case 'u': /* UP */
+		iface_setflag(info, flags, invert, XT_IFACE_UP, "up");
+		return 1;
+	case 'b': /* BROADCAST */
+		iface_setflag(info, flags, invert, XT_IFACE_BROADCAST, "broadcast");
+		return 1;
+	case 'l': /* LOOPBACK */
+		iface_setflag(info, flags, invert, XT_IFACE_LOOPBACK, "loopback");
+		return 1;
+	case 'p': /* POINTOPOINT */
+		iface_setflag(info, flags, invert, XT_IFACE_POINTOPOINT, "pointopoint");
+		return 1;
+	case 'r': /* RUNNING */
+		iface_setflag(info, flags, invert, XT_IFACE_RUNNING, "running");
+		return 1;
+	case 'n': /* NOARP */
+		iface_setflag(info, flags, invert, XT_IFACE_NOARP, "noarp");
+		return 1;
+	case 'o': /* PROMISC */
+		iface_setflag(info, flags, invert, XT_IFACE_PROMISC, "promisc");
+		return 1;
+	case 'm': /* MULTICAST */
+		iface_setflag(info, flags, invert, XT_IFACE_MULTICAST, "multicast");
+		return 1;
+	case 'd': /* DYNAMIC */
+		iface_setflag(info, flags, invert, XT_IFACE_DYNAMIC, "dynamic");
+		return 1;
+	case 'w': /* LOWER_UP */
+		iface_setflag(info, flags, invert, XT_IFACE_LOWER_UP, "lower_up");
+		return 1;
+	case 'a': /* DORMANT */
+		iface_setflag(info, flags, invert, XT_IFACE_DORMANT, "dormant");
+		return 1;
+	default:
+		return 0;
+	}
+}
+
+static void iface_mt_check(unsigned int flags)
+{
+	DEBUGP("final_check...");
+	if (!(flags & XT_IFACE_IFACE))
+		xtables_error(PARAMETER_PROBLEM,
+			"iface: You must specify an interface");
+	if ((flags == 0) || (flags == XT_IFACE_IFACE))
+		xtables_error(PARAMETER_PROBLEM,
+			"iface: You must specify at least one option");
+}
+
+static void iface_mt_print(const void *ip, const struct xt_entry_match *match,
+    int numeric)
+{
+	DEBUGP("print...");
+	const struct xt_iface_mtinfo *info = (const void *)match->data;
+
+	printf("iface: \"%s\" [state:", info->ifname);
+	iface_print_opt(info, XT_IFACE_UP,          "up");
+	iface_print_opt(info, XT_IFACE_BROADCAST,   "broadcast");
+	iface_print_opt(info, XT_IFACE_LOOPBACK,    "loopback");
+	iface_print_opt(info, XT_IFACE_POINTOPOINT, "pointopoint");
+	iface_print_opt(info, XT_IFACE_RUNNING,     "running");
+	iface_print_opt(info, XT_IFACE_NOARP,       "noarp");
+	iface_print_opt(info, XT_IFACE_PROMISC,     "promisc");
+	iface_print_opt(info, XT_IFACE_MULTICAST,   "multicast");
+	iface_print_opt(info, XT_IFACE_DYNAMIC,     "dynamic");
+	iface_print_opt(info, XT_IFACE_LOWER_UP,    "lower_up");
+	iface_print_opt(info, XT_IFACE_DORMANT,     "dormant");
+	printf("] ");
+}
+
+static void iface_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	DEBUGP("save...");
+	const struct xt_iface_mtinfo *info = (const void *)match->data;
+
+	printf(" --iface %s", info->ifname);
+	iface_print_opt(info, XT_IFACE_UP,          "--up");
+	iface_print_opt(info, XT_IFACE_BROADCAST,   "--broadcast");
+	iface_print_opt(info, XT_IFACE_LOOPBACK,    "--loopback");
+	iface_print_opt(info, XT_IFACE_POINTOPOINT, "--pointopoint");
+	iface_print_opt(info, XT_IFACE_RUNNING,     "--running");
+	iface_print_opt(info, XT_IFACE_NOARP,       "--noarp");
+	iface_print_opt(info, XT_IFACE_PROMISC,     "--promisc");
+	iface_print_opt(info, XT_IFACE_MULTICAST,   "--multicast");
+	iface_print_opt(info, XT_IFACE_DYNAMIC,     "--dynamic");
+	iface_print_opt(info, XT_IFACE_LOWER_UP,    "--lower_up");
+	iface_print_opt(info, XT_IFACE_DORMANT,     "--dormant");
+	printf(" ");
+}
+
+static struct xtables_match iface_mt_reg = {
+	.version	= XTABLES_VERSION,
+	.name		= _MODULE_NAME,
+	.revision	= _MODULE_REVISION,
+	.family		= AF_INET,
+	.size		= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+	.help		= iface_mt_help,
+	.init		= iface_mt_init,
+	.parse		= iface_mt_parse,
+	.final_check	= iface_mt_check,
+	.print		= iface_mt_print,
+	.save		= iface_mt_save,
+	.extra_opts	= iface_mt_opts,
+};
+
+static struct xtables_match iface_mt6_reg = {
+	.version	= XTABLES_VERSION,
+	.name		= _MODULE_NAME,
+	.revision	= _MODULE_REVISION,
+	.family		= AF_INET6,
+	.size		= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+	.help		= iface_mt_help,
+	.init		= iface_mt_init,
+	.parse		= iface_mt_parse,
+	.final_check	= iface_mt_check,
+	.print		= iface_mt_print,
+	.save		= iface_mt_save,
+	.extra_opts	= iface_mt_opts,
+};
+
+static void _init(void)
+{
+	DEBUGP("_init...");
+	xtables_register_match(&iface_mt_reg);
+	xtables_register_match(&iface_mt6_reg);
+}

extensions/libxt_iface.man

@@ -0,0 +1,52 @@
+Allows you to check interface states.
+
+.TP
+.BI "--iface " "interface"
+Check the states on "interface". Required.
+.TP
+.B [!] --up
+Check the UP flag.
+.TP
+.B [!] --down
+Not --up.
+.TP
+.B "[!] --broadcast"
+Check the BROADCAST flag.
+.TP
+.B "[!] --loopback"
+Check the LOOPBACK flag.
+.TP
+.B "[!] --pointopoint"
+Check the POINTOPOINT flag.
+.TP
+.B "[!] --pointtopoint"
+Same as --pointopoint.
+.TP
+.B [!] --running
+Check the RUNNING flag. Do NOT relay on it!
+.TP
+.B [!] --noarp
+Check the NOARP flag.
+.TP
+.B [!] --arp
+Not --noarp.
+.TP
+.B [!] --promisc
+Check the PROMISC flag.
+.TP
+.B [!] --promiscous
+Same as --promisc.
+.TP
+.B [!] --multicast
+Check the MULTICAST flag.
+.TP
+.B [!] --dynamic
+Check the DYNAMIC flag.
+.TP
+.B [!] --lower_up
+Check the LOWER_UP flag.
+.TP
+.B [!] --dormant
+Check the DORMANT flag.
+
+For more information see the \fIif.h\fP header file in the kernel source.

extensions/xt_iface.c

@@ -0,0 +1,138 @@
+/*
+ *	xt_iface - kernel module to match interface state flags
+ *
+ *	Original author: Gáspár Lajos <gaspar.lajos@glsys.eu>
+ */
+
+#define _KERNEL 1
+
+#include <linux/if.h>
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/netdevice.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include "xt_iface.h"
+
+MODULE_AUTHOR("Gáspár Lajos <gaspar.lajos@glsys.eu>");
+MODULE_DESCRIPTION("Xtables: iface match module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_iface");
+MODULE_ALIAS("ip6t_iface");
+//MODULE_ALIAS("arpt_iface");
+
+static struct xt_iface_flag_pairs xt_iface_lookup[XT_IFACE_FLAGCOUNT] =
+{
+	{.iface_flag = XT_IFACE_UP,		.iff_flag = IFF_UP},
+	{.iface_flag = XT_IFACE_BROADCAST,	.iff_flag = IFF_BROADCAST},
+	{.iface_flag = XT_IFACE_LOOPBACK,	.iff_flag = IFF_LOOPBACK},
+	{.iface_flag = XT_IFACE_POINTOPOINT,	.iff_flag = IFF_POINTOPOINT},
+	{.iface_flag = XT_IFACE_RUNNING,	.iff_flag = IFF_RUNNING},
+	{.iface_flag = XT_IFACE_NOARP,		.iff_flag = IFF_NOARP},
+	{.iface_flag = XT_IFACE_PROMISC,	.iff_flag = IFF_PROMISC},
+	{.iface_flag = XT_IFACE_MULTICAST,	.iff_flag = IFF_MULTICAST},
+	{.iface_flag = XT_IFACE_DYNAMIC,	.iff_flag = IFF_DYNAMIC},
+	{.iface_flag = XT_IFACE_LOWER_UP,	.iff_flag = IFF_LOWER_UP},
+	{.iface_flag = XT_IFACE_DORMANT,	.iff_flag = IFF_DORMANT},
+};
+
+static bool xt_iface_mt(const struct sk_buff *skb,
+    const struct xt_match_param *par)
+{
+	const struct xt_iface_mtinfo *info = par->matchinfo;
+	struct net_device *dev;
+	bool retval;
+	int i;
+	DEBUGP("match...");
+	DEBUGP("Interface: %s", info->ifname);
+	retval =
+	    ((dev = dev_get_by_name(&init_net, info->ifname)) != NULL);
+	if (retval) {
+#if DEBUG
+		DEBUGP("dev->flags: %#8x", dev->flags);
+		if (dev->flags & IFF_UP)
+			DEBUGP("            %#8x (UP)", IFF_UP);
+		if (dev->flags & IFF_BROADCAST)
+			DEBUGP("            %#8x (BROADCAST)", IFF_BROADCAST);
+		if (dev->flags & IFF_LOOPBACK)
+			DEBUGP("            %#8x (LOOPBACK)", IFF_LOOPBACK);
+		if (dev->flags & IFF_POINTOPOINT)
+			DEBUGP("            %#8x (POINTOPOINT)", IFF_POINTOPOINT);
+		if (dev->flags & IFF_RUNNING)
+			DEBUGP("            %#8x (RUNNING)", IFF_RUNNING);
+		if (dev->flags & IFF_NOARP)
+			DEBUGP("            %#8x (NOARP)", IFF_NOARP);
+		if (dev->flags & IFF_PROMISC)
+			DEBUGP("            %#8x (PROMISC)", IFF_PROMISC);
+		if (dev->flags & IFF_MULTICAST)
+			DEBUGP("            %#8x (MULTICAST)", IFF_MULTICAST);
+		if (dev->flags & IFF_DYNAMIC)
+			DEBUGP("            %#8x (DYNAMIC)", IFF_DYNAMIC);
+		if (dev->flags & IFF_LOWER_UP)
+			DEBUGP("            %#8x (LOWER_UP)", IFF_LOWER_UP);
+		if (dev->flags & IFF_DORMANT)
+			DEBUGP("            %#8x (DORMANT)", IFF_DORMANT);
+#endif
+		for (i=0; (i<XT_IFACE_FLAGCOUNT) && (retval); i++)
+			{
+			if (info->flags & xt_iface_lookup[i].iface_flag)
+				retval = retval && (dev->flags & xt_iface_lookup[i].iff_flag);
+			if (info->invflags & xt_iface_lookup[i].iface_flag)
+				retval = retval && !(dev->flags & xt_iface_lookup[i].iff_flag);
+			}
+		dev_put(dev);
+	}
+	return retval;
+}
+
+static bool xt_iface_mt_check(const struct xt_mtchk_param *par)
+{
+	DEBUGP("checkentry...");
+	return true;
+}
+
+static void xt_iface_mt_destroy(const struct xt_mtdtor_param *par)
+{
+	DEBUGP("destroy...");
+}
+
+static struct xt_match xt_iface_mt_reg[] __read_mostly = {
+	{
+		.name       = _MODULE_NAME,
+		.revision   = _MODULE_REVISION,
+		.family     = AF_INET,
+		.matchsize  = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+		.match      = xt_iface_mt,
+		.checkentry = xt_iface_mt_check,
+		.destroy    = xt_iface_mt_destroy,
+		.data       = 0,
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = _MODULE_NAME,
+		.revision   = _MODULE_REVISION,
+		.family     = AF_INET6,
+		.matchsize  = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+		.match      = xt_iface_mt,
+		.checkentry = xt_iface_mt_check,
+		.destroy    = xt_iface_mt_destroy,
+		.data       = 0,
+		.me         = THIS_MODULE,
+	},
+};
+
+static int __init xt_iface_match_init(void)
+{
+	DEBUGP("init...\n");
+	return xt_register_matches(xt_iface_mt_reg,
+		ARRAY_SIZE(xt_iface_mt_reg));
+}
+
+static void __exit xt_iface_match_exit(void)
+{
+	DEBUGP("exit...\n");
+	xt_unregister_matches(xt_iface_mt_reg, ARRAY_SIZE(xt_iface_mt_reg));
+}
+
+module_init(xt_iface_match_init);
+module_exit(xt_iface_match_exit);

extensions/xt_iface.h

@@ -0,0 +1,46 @@
+#ifndef _LINUX_NETFILTER_XT_IFACE_H
+#define _LINUX_NETFILTER_XT_IFACE_H 1
+
+#define DEBUG 0
+#define _MODULE_NAME "iface"
+#define _MODULE_REVISION 0
+
+#if DEBUG
+#if _KERNEL
+#define DEBUGP(format, args...) printk(KERN_INFO "xt_"_MODULE_NAME": "format"\n", ##args)
+#else
+#define DEBUGP(format, args...) printf("# DEBUG: libxt_"_MODULE_NAME": "format"\n", ##args)
+#endif
+#else
+#define DEBUGP(format, args...)
+#endif
+
+#define XT_IFACE_FLAGCOUNT 11
+
+enum {
+	XT_IFACE_UP          = 1 << 0,
+	XT_IFACE_BROADCAST   = 1 << 1,
+	XT_IFACE_LOOPBACK    = 1 << 2,
+	XT_IFACE_POINTOPOINT = 1 << 3,
+	XT_IFACE_RUNNING     = 1 << 4,
+	XT_IFACE_NOARP       = 1 << 5,
+	XT_IFACE_PROMISC     = 1 << 6,
+	XT_IFACE_MULTICAST   = 1 << 7,
+	XT_IFACE_DYNAMIC     = 1 << 8,
+	XT_IFACE_LOWER_UP    = 1 << 9,
+	XT_IFACE_DORMANT     = 1 << 10,
+	XT_IFACE_IFACE       = 1 << 15,
+};
+
+struct xt_iface_flag_pairs {
+	u_int16_t iface_flag;
+	u_int32_t iff_flag;
+};
+
+struct xt_iface_mtinfo {
+	char ifname[IFNAMSIZ];
+	u_int16_t flags;
+	u_int16_t invflags;
+};
+
+#endif

mconfig

@@ -13,6 +13,7 @@ build_TEE=m
 build_condition=m
 build_fuzzy=m
 build_geoip=m
+build_iface=m
 build_ipp2p=m
 build_ipset=m
 build_ipv4options=m