anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-20 19:44:56 +02:00
Code Issues Releases Wiki Activity

Compare commits

base: anonfunc:v1.13
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0
..
compare: anonfunc:v1.15
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0

48 Commits
v1.13 ... v1.15

Author SHA1 Message Date
Jan Engelhardt
fe7a66f3cb Xtables-addons 1.15 2009-04-30 20:58:23 +02:00
Jan Engelhardt
a13650f94d Merge branch 'RAWNAT' 2009-04-30 20:35:59 +02:00
Jan Engelhardt
73e7b5ead1 compat_xtables: fix compilation with <= 2.6.19 
Once upon a time there was no such checksumming...
 2009-04-30 20:35:48 +02:00
Jan Engelhardt
e5920cc577 Merge branch 'iface' 2009-04-30 19:41:56 +02:00
Jan Engelhardt
39655fe83b iface: fix compilation with <= 2.6.27 
Need to include compat_xtables.h to get all the definitions for older
kernels.
Also, net namespaces are not available before 2.6.24.
 2009-04-30 19:41:31 +02:00
Jan Engelhardt
9df309a14a iface: remove unused .data field 
Neither is it anywhere used, but compat_xtables does not provide it
either.
 2009-04-28 10:04:36 +02:00
Jan Engelhardt
5e2085a45f build: reword RH5-unsupported warning 2009-04-28 01:41:57 +02:00
Jan Engelhardt
4bcb7077c0 Merge branch 'iface' 2009-04-27 20:50:05 +02:00
Jan Engelhardt
000c2d73fd iface: must use __u types in header files 2009-04-27 20:46:25 +02:00
Jan Engelhardt
e89c5d976a iface: move private struct xt_iface_flag_pairs to .c file 2009-04-27 20:46:09 +02:00
Jan Engelhardt
f5ed98fbf5 iface: update documentation 
For one, the tabs must go as they cause alignment problems. Also
update the manpage with proper markup.
 2009-04-26 23:20:38 +02:00
Jan Engelhardt
60c4162087 iface: replace --lower_up by --lower-up 2009-04-26 22:22:20 +02:00
Jan Engelhardt
074a7d6cb7 iface: remove --promiscous flag 
The spelling is difficult (actually it is "promiscuous"), and one
option should be enough. Keeping --promisc.
 2009-04-26 22:21:27 +02:00
Jan Engelhardt
a6ba463c43 iface: remove redundant fields and use bool 2009-04-26 22:13:06 +02:00
Jan Engelhardt
be2061c520 iface: constify data arrays 2009-04-26 22:13:05 +02:00
Jan Engelhardt
3f96deb0f0 iface: remove define for internal array size 
The macro was only used inside kernel code and not relevant to
user-space anyway.
 2009-04-26 22:07:53 +02:00
Jan Engelhardt
6d8ce3acae iface: dissolve module name/revision macros 
The module name will unlikely be changing anytime soon. And if the
revision increases, we cannot just bump the number (well, in
Xtables-addons we can, but it would not be the case for the core
kernel). So let's not get into bad habits.
 2009-04-26 22:07:43 +02:00
Jan Engelhardt
f6c317710f iface: remove version/revision from helptext 
XTABLES_VERSION does not contain anything meaningful to display.
Printing the revision is not of value too, I think.
 2009-04-26 22:01:30 +02:00
Jan Engelhardt
6799806300 iface: use NFPROTO_* 2009-04-26 21:59:41 +02:00
Jan Engelhardt
0d36136f54 iface: some command decoupling 2009-04-26 21:56:53 +02:00
Jan Engelhardt
e1fc5f2086 iface: remove redundant parentheses 2009-04-26 21:56:25 +02:00
Jan Engelhardt
9d5f4bf468 Merge branch 'RAWNAT' 2009-04-26 21:47:43 +02:00
Jan Engelhardt
637516f2d4 RAWNAT: add extension's kernel and userspace modules 
RAWNAT provides stateless 1:1 network address translation.
 2009-04-26 21:44:54 +02:00
Jan Engelhardt
b427c930f2 build: add kernel version check to configure 2009-04-26 20:22:40 +02:00
Roman Hoog Antink
34f39756ec condition: fix intrapositional negation sign 2009-04-17 16:12:30 +02:00
Bryan Duff
e36c7575fc condition: compile fix for 2.6.30-rc 2009-04-17 16:01:45 +02:00
Jan Engelhardt
0a23bd2580 doc: update changelog 2009-04-14 21:43:13 +02:00
Jan Engelhardt
03aeed615d RAWNAT: add the rawpost tables for IPv4/IPv6 2009-04-11 00:35:58 +02:00
Jan Engelhardt
49018e2ff7 Merge branch 'sf/master' 2009-04-11 00:33:28 +02:00
Jan Engelhardt
50d14a33c0 ipp2p: fix typo in error message 
Reference: http://bugs.gentoo.org/show_bug.cgi?id=250407
Reported-by: Mike <empx@gmx.de>
 2009-04-10 19:42:59 +02:00
Jan Engelhardt
c64a78ffcc ipp2p: fix bogus varargs call 
Reference: http://bugs.gentoo.org/show_bug.cgi?id=250407
Reported-by: Mike <empx@gmx.de>
 2009-04-10 19:34:56 +02:00
Jan Engelhardt
1aae519356 iface: remove DEBUGP 2009-04-05 10:59:12 +02:00
Jan Engelhardt
af5823b407 iface: remove redundant functions 2009-04-05 10:50:45 +02:00
Jan Engelhardt
9b198fe6e7 iface: import version 20081029 2009-04-05 10:37:05 +02:00
Jan Engelhardt
4997b326f6 fuzzy: fix bogus comparison logic leftover from move to new 1.4.3 API 2009-04-05 10:36:16 +02:00
Jriri Moravec
c288ecdb9c dhcpmac: fix rename leftover from typo 2009-04-04 01:14:32 +02:00
Jan Engelhardt
f21e372402 ipp2p: print ipp2p module name when run from iptables -L 2009-04-04 00:45:20 +02:00
Eray Aslan
927dd88dc4 SYSRQ: fix manpage typo 2009-04-02 10:37:55 +02:00
Jan Engelhardt
7dd96ec357 Xtables-addons 1.14 2009-03-31 22:55:29 +02:00
Jan Engelhardt
ba6aa51f91 SYSRQ: do proper L4 header access in IPv6 code 2009-03-27 21:06:26 +01:00
Jan Engelhardt
beb7546e20 SYSRQ: ignore non-UDP packets 2009-03-27 20:27:03 +01:00
Jan Engelhardt
67579079e0 layer: block use of DEBUGP 
As per "Writing Netfilter Modules" e-book 20090326 section 4.8, one
should use pr_debug instead.
 2009-03-27 00:00:44 +01:00
Jan Engelhardt
3a632a9bc5 dhcpmac: rename from dhcpaddr 2009-03-26 21:55:10 +01:00
Jan Engelhardt
45b2e64d82 desc: add informational Kconfig descriptions 2009-03-26 21:32:44 +01:00
Jan Engelhardt
538d74b5d8 Update my email address 2009-03-25 22:10:42 +01:00
Jan Engelhardt
e3988b50b5 Add the "STEAL" target from the "demos" branch 2009-03-25 19:54:25 +01:00
Jan Engelhardt
f4b8440fba libxt_geoip: geoip: remove XT_ALIGN from .userspacesize when used with offsetof 
XT_ALIGN rounds up to the nearest multiple of 64 bits, but that is wrong
for .userspacesize if it is less than .matchsize/.targetsize.
 2009-03-24 08:27:41 +01:00
Changli Gao
d3ee3a0c3c libxt_fuzzy: need to account for kernel-level modified variables in .userspacesize 
When reviewing the code, I found there maybe a bug in libxt_fuzzy.c.
If a user wants to delete this match, he will get an error reported,
and the command fails. As the fields after maximum_rate in
xt_fuzzy_mtinfo will be altered in kernel space, we should assign the
userspacesize with the value offsetof(struct xt_fuzzy_mtinfo,
packets_total) instead.
 2009-03-24 08:26:24 +01:00
50 changed files with 2027 additions and 295 deletions
Expand all files Collapse all files

33
configure.ac
View File

@@ -1,5 +1,5 @@
AC_INIT([xtables-addons], [1.13])
AC_INIT([xtables-addons], [1.15])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
AC_PROG_INSTALL
@@ -63,6 +63,37 @@ if [[ -n "$ksourcedir" ]]; then
kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
fi;
#
# check kernel version
#
if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
grep -q "Red Hat Enterprise Linux Server release 5" /etc/redhat-release 2>/dev/null; then
# しまった!
# Well, just a warning. Maybe the admin updated the kernel.
echo "WARNING: This distribution's shipped kernel is not supported.";
fi;
krel="$(make -sC ${kbuilddir} kernelrelease)";
krel="${krel%%-*}";
kmajor="${krel%%.*}";
krel="${krel#*.}";
kminor="${krel%%.*}";
krel="${krel#*.}";
kmicro="${krel%%.*}";
krel="${krel#*.}";
kstable="${krel%%.*}";
if test -z "$kstable"; then
kstable=0;
fi;
echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 30; then
echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
\( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
"$kstable" -lt 5 \); then
echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
exit 1;
fi;
AC_SUBST([regular_CFLAGS])
AC_SUBST([xtables_CFLAGS])
AC_SUBST([kinclude_CFLAGS])

26
doc/changelog.txt
View File

@@ -1,5 +1,29 @@
Xtables-addons 1.15 (April 30 2009)
===================================
- build: add kernel version check to configure
- condition: compile fix for 2.6.30-rc
- condition: fix intrapositional negation sign
- fuzzy: fix bogus comparison logic leftover from move to new 1.4.3 API
- ipp2p: fix bogus varargs call
- ipp2p: fix typo in error message
- added "iface" match
- added rawpost table (for use with RAWNAT)
- added RAWSNAT/RAWDNAT targets
Xtables-addons 1.14 (March 31 2009)
===================================
- fuzzy: need to account for kernel-level modified variables in .userspacesize
- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
- SYSRQ: ignore non-UDP packets
- SYSRQ: do proper L4 header access in IPv6 code
(must not use tcp/udp_hdr in input path)
- add "STEAL" target
- dhcpmac: rename from dhcpaddr
Xtables-addons 1.13 (March 23 2009)
===================================
- added a reworked ipv4options match
@@ -11,7 +35,7 @@ Xtables-addons 1.12 (March 07 2009)
- ipset: fix for compilation with 2.6.29-rt
- ipset: fast forward to 2.5.0
- rename xt_portscan to xt_lscan ("low-level scan") because
"portscan" as a wor caused confusion
"portscan" as a word caused confusion
- xt_LOGMARK: print incoming interface index
- revert "TEE: do not use TOS for routing"
- xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n

5
extensions/Kbuild
View File

@@ -7,16 +7,19 @@ obj-m += compat_xtables.o
obj-${build_CHAOS} += xt_CHAOS.o
obj-${build_DELUDE} += xt_DELUDE.o
obj-${build_DHCPADDR} += xt_DHCPADDR.o
obj-${build_DHCPMAC} += xt_DHCPMAC.o
obj-${build_ECHO} += xt_ECHO.o
obj-${build_IPMARK} += xt_IPMARK.o
obj-${build_LOGMARK} += xt_LOGMARK.o
obj-${build_RAWNAT} += xt_RAWNAT.o iptable_rawpost.o ip6table_rawpost.o
obj-${build_SYSRQ} += xt_SYSRQ.o
obj-${build_STEAL} += xt_STEAL.o
obj-${build_TARPIT} += xt_TARPIT.o
obj-${build_TEE} += xt_TEE.o
obj-${build_condition} += xt_condition.o
obj-${build_fuzzy} += xt_fuzzy.o
obj-${build_geoip} += xt_geoip.o
obj-${build_iface} += xt_iface.o
obj-${build_ipp2p} += xt_ipp2p.o
obj-${build_ipset} += ipset/
obj-${build_ipv4options} += xt_ipv4options.o

5
extensions/Mbuild
View File

@@ -1,15 +1,18 @@
obj-${build_CHAOS} += libxt_CHAOS.so
obj-${build_DELUDE} += libxt_DELUDE.so
obj-${build_DHCPADDR} += libxt_DHCPADDR.so libxt_dhcpaddr.so
obj-${build_DHCPMAC} += libxt_DHCPMAC.so libxt_dhcpmac.so
obj-${build_ECHO} += libxt_ECHO.so
obj-${build_IPMARK} += libxt_IPMARK.so
obj-${build_LOGMARK} += libxt_LOGMARK.so
obj-${build_RAWNAT} += libxt_RAWDNAT.so libxt_RAWSNAT.so
obj-${build_STEAL} += libxt_STEAL.so
obj-${build_SYSRQ} += libxt_SYSRQ.so
obj-${build_TARPIT} += libxt_TARPIT.so
obj-${build_TEE} += libxt_TEE.so
obj-${build_condition} += libxt_condition.so
obj-${build_fuzzy} += libxt_fuzzy.so
obj-${build_geoip} += libxt_geoip.so
obj-${build_iface} += libxt_iface.so
obj-${build_ipp2p} += libxt_ipp2p.so
obj-${build_ipset} += ipset/
obj-${build_ipv4options} += libxt_ipv4options.so

87
extensions/compat_rawpost.h Normal file
View File

@@ -0,0 +1,87 @@
#ifndef XTA_COMPAT_RAWPOST_H
#define XTA_COMPAT_RAWPOST_H 1
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
typedef struct sk_buff sk_buff_t;
#else
typedef struct sk_buff *sk_buff_t;
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
#define XT_TARGET_INIT(__name, __size) \
{ \
.target.u.user = { \
.target_size = XT_ALIGN(__size), \
.name = __name, \
}, \
}
#define IPT_ENTRY_INIT(__size) \
{ \
.target_offset = sizeof(struct ipt_entry), \
.next_offset = (__size), \
}
#define IPT_STANDARD_INIT(__verdict) \
{ \
.entry = IPT_ENTRY_INIT(sizeof(struct ipt_standard)), \
.target = XT_TARGET_INIT(IPT_STANDARD_TARGET, \
sizeof(struct xt_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
#define IPT_ERROR_INIT \
{ \
.entry = IPT_ENTRY_INIT(sizeof(struct ipt_error)), \
.target = XT_TARGET_INIT(IPT_ERROR_TARGET, \
sizeof(struct ipt_error_target)), \
.target.errorname = "ERROR", \
}
#define IP6T_ENTRY_INIT(__size) \
{ \
.target_offset = sizeof(struct ip6t_entry), \
.next_offset = (__size), \
}
#define IP6T_STANDARD_INIT(__verdict) \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
.target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \
sizeof(struct ip6t_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
#define IP6T_ERROR_INIT \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
.target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \
sizeof(struct ip6t_error_target)), \
.target.errorname = "ERROR", \
}
#endif /* 2.6.21 */
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
# include <linux/netfilter_ipv6/ip6_tables.h>
/* Standard entry */
struct ip6t_standard
{
struct ip6t_entry entry;
struct ip6t_standard_target target;
};
struct ip6t_error_target
{
struct ip6t_entry_target target;
char errorname[IP6T_FUNCTION_MAXNAMELEN];
};
struct ip6t_error
{
struct ip6t_entry entry;
struct ip6t_error_target target;
};
#endif /* 2.6.20 */
#endif /* XTA_COMPAT_RAWPOST_H */

31
extensions/compat_xtables.c
View File

@@ -20,11 +20,6 @@
#include "compat_skbuff.h"
#include "compat_xtnu.h"
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
typedef __u16 __bitwise __sum16;
typedef __u32 __bitwise __wsum;
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static int xtnu_match_run(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
@@ -447,6 +442,30 @@ int xtnu_ip_route_output_key(void *net, struct rtable **rp, struct flowi *flp)
return ip_route_output_flow(rp, flp, NULL, 0);
}
EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key);
void xtnu_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
__be32 from, __be32 to, bool pseudohdr)
{
__be32 diff[] = {~from, to};
const void *dv = diff; /* kludge for < v2.6.19-555-g72685fc */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
if (skb->ip_summed != CHECKSUM_PARTIAL) {
*sum = csum_fold(csum_partial(dv, sizeof(diff),
~csum_unfold(*sum)));
if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
skb->csum = ~csum_partial(dv, sizeof(diff),
~skb->csum);
} else if (pseudohdr) {
*sum = ~csum_fold(csum_partial(dv, sizeof(diff),
csum_unfold(*sum)));
}
#else
*sum = csum_fold(csum_partial(dv, sizeof(diff),
~csum_unfold(*sum)));
#endif
}
EXPORT_SYMBOL_GPL(xtnu_proto_csum_replace4);
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
@@ -468,7 +487,7 @@ static inline __wsum xtnu_csum_unfold(__sum16 n)
return (__force __wsum)n;
}
static inline void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
{
__be32 diff[] = {~from, to};
*sum = csum_fold(csum_partial((char *)diff, sizeof(diff),

7
extensions/compat_xtables.h
View File

@@ -6,6 +6,8 @@
#include "compat_skbuff.h"
#include "compat_xtnu.h"
#define DEBUGP Use__pr_debug__instead
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
# warning Kernels below 2.6.17 not supported.
#endif
@@ -35,6 +37,7 @@
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define neigh_hh_output xtnu_neigh_hh_output
# define IPPROTO_UDPLITE 136
# define CSUM_MANGLED_0 ((__force __sum16)0xffff)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
@@ -67,8 +70,12 @@
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define csum_replace2 xtnu_csum_replace2
# define csum_replace4 xtnu_csum_replace4
# define inet_proto_csum_replace4 xtnu_proto_csum_replace4
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
# define csum_replace2 nf_csum_replace2
# define csum_replace4 nf_csum_replace4
# define inet_proto_csum_replace4 xtnu_proto_csum_replace4
#endif
#if !defined(NIP6) && !defined(NIP6_FMT)

14
extensions/compat_xtnu.h
View File

@@ -9,6 +9,10 @@
typedef _Bool bool;
enum { false = 0, true = 1, };
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
typedef __u16 __bitwise __sum16;
typedef __u32 __bitwise __wsum;
#endif
struct flowi;
struct hh_cache;
@@ -122,6 +126,13 @@ static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
return q;
}
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
static inline __wsum csum_unfold(__sum16 n)
{
return (__force __wsum)n;
}
#endif
extern int xtnu_ip_local_out(struct sk_buff *);
extern int xtnu_ip_route_me_harder(struct sk_buff **, unsigned int);
extern int xtnu_skb_make_writable(struct sk_buff **, unsigned int);
@@ -138,6 +149,9 @@ extern struct xt_match *xtnu_request_find_match(unsigned int,
const char *, uint8_t);
extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *);
extern void xtnu_csum_replace2(__u16 __bitwise *, __be16, __be16);
extern void xtnu_csum_replace4(__u16 __bitwise *, __be32, __be32);
extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
__be32, __be32, bool);
extern int xtnu_skb_linearize(struct sk_buff *);
#endif /* _COMPAT_XTNU_H */

105
extensions/ip6table_rawpost.c Normal file
View File

@@ -0,0 +1,105 @@
/*
* rawpost table for ip6_tables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include "compat_xtables.h"
#include "compat_rawpost.h"
enum {
RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
};
static struct {
struct ip6t_replace repl;
struct ip6t_standard entries[1];
struct ip6t_error term;
} rawpost6_initial __initdata = {
.repl = {
.name = "rawpost",
.valid_hooks = RAWPOST_VALID_HOOKS,
.num_entries = 2,
.size = sizeof(struct ip6t_standard) +
sizeof(struct ip6t_error),
.hook_entry = {
[NF_INET_POST_ROUTING] = 0,
},
.underflow = {
[NF_INET_POST_ROUTING] = 0,
},
},
.entries = {
IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
},
.term = IP6T_ERROR_INIT, /* ERROR */
};
static struct xt_table *rawpost6_ptable;
static struct xt_table rawpost6_itable = {
.name = "rawpost",
.af = NFPROTO_IPV6,
.valid_hooks = RAWPOST_VALID_HOOKS,
.me = THIS_MODULE,
};
static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
#else
return ip6t_do_table(skb, hook, in, out, rawpost6_ptable, NULL);
#endif
}
static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
.hook = rawpost6_hook_fn,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_LAST,
.owner = THIS_MODULE,
};
static int __init rawpost6_table_init(void)
{
int ret;
rwlock_init(&rawpost6_itable.lock);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
&rawpost6_initial.repl);
if (IS_ERR(rawpost6_ptable))
return PTR_ERR(rawpost6_ptable);
#else
ret = ip6t_register_table(&rawpost6_itable, &rawpost6_initial.repl);
if (ret < 0)
return ret;
rawpost6_ptable = &rawpost6_itable;
#endif
ret = nf_register_hook(&rawpost6_hook_ops);
if (ret < 0)
goto out;
return ret;
out:
ip6t_unregister_table(rawpost6_ptable);
return ret;
}
static void __exit rawpost6_table_exit(void)
{
nf_unregister_hook(&rawpost6_hook_ops);
ip6t_unregister_table(rawpost6_ptable);
}
module_init(rawpost6_table_init);
module_exit(rawpost6_table_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");

107
extensions/iptable_rawpost.c Normal file
View File

@@ -0,0 +1,107 @@
/*
* rawpost table for ip_tables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/version.h>
#include <net/ip.h>
#include "compat_xtables.h"
#include "compat_rawpost.h"
enum {
RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
};
static struct {
struct ipt_replace repl;
struct ipt_standard entries[1];
struct ipt_error term;
} rawpost4_initial __initdata = {
.repl = {
.name = "rawpost",
.valid_hooks = RAWPOST_VALID_HOOKS,
.num_entries = 2,
.size = sizeof(struct ipt_standard) +
sizeof(struct ipt_error),
.hook_entry = {
[NF_INET_POST_ROUTING] = 0,
},
.underflow = {
[NF_INET_POST_ROUTING] = 0,
},
},
.entries = {
IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
},
.term = IPT_ERROR_INIT, /* ERROR */
};
static struct xt_table *rawpost4_ptable;
static struct xt_table rawpost4_itable = {
.name = "rawpost",
.af = NFPROTO_IPV4,
.valid_hooks = RAWPOST_VALID_HOOKS,
.me = THIS_MODULE,
};
static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
#else
return ipt_do_table(skb, hook, in, out, rawpost4_ptable, NULL);
#endif
}
static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
.hook = rawpost4_hook_fn,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_LAST,
.owner = THIS_MODULE,
};
static int __init rawpost4_table_init(void)
{
int ret;
rwlock_init(&rawpost4_itable.lock);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
&rawpost4_initial.repl);
if (IS_ERR(rawpost4_ptable))
return PTR_ERR(rawpost4_ptable);
#else
ret = ipt_register_table(&rawpost4_itable, &rawpost4_initial.repl);
if (ret < 0)
return ret;
rawpost4_ptable = &rawpost4_itable;
#endif
ret = nf_register_hook(&rawpost4_hook_ops);
if (ret < 0)
goto out;
return ret;
out:
ipt_unregister_table(rawpost4_ptable);
return ret;
}
static void __exit rawpost4_table_exit(void)
{
nf_unregister_hook(&rawpost4_hook_ops);
ipt_unregister_table(rawpost4_ptable);
}
module_init(rawpost4_table_init);
module_exit(rawpost4_table_exit);
MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");

101
extensions/libxt_DHCPADDR.c
View File

@@ -1,101 +0,0 @@
/*
* "DHCPADDR" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <getopt.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/ether.h>
#include <xtables.h>
#include "xt_DHCPADDR.h"
#include "mac.c"
enum {
F_MAC = 1 << 0,
};
static const struct option dhcpaddr_tg_opts[] = {
{.name = "set-mac", .has_arg = true, .val = 'M'},
{NULL},
};
static void dhcpaddr_tg_help(void)
{
printf(
"DHCPADDDR target options:\n"
" --set-mac lladdr[/mask] Set MAC address in DHCP Client Host field\n"
);
}
static int dhcpaddr_tg_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_target **target)
{
struct dhcpaddr_info *info = (void *)(*target)->data;
switch (c) {
case 'M':
xtables_param_act(XTF_ONLY_ONCE, "DHCPADDR", "--set-mac", *flags & F_MAC);
xtables_param_act(XTF_NO_INVERT, "DHCPADDR", "--set-mac", invert);
if (!mac_parse(optarg, info->addr, &info->mask))
xtables_param_act(XTF_BAD_VALUE, "DHCPADDR", "--set-mac", optarg);
*flags |= F_MAC;
return true;
}
return false;
}
static void dhcpaddr_tg_check(unsigned int flags)
{
if (flags == 0)
xtables_error(PARAMETER_PROBLEM, "DHCPADDR target: "
"--set-mac parameter required");
}
static void dhcpaddr_tg_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
const struct dhcpaddr_info *info = (void *)target->data;
printf("DHCPADDR %s" DH_MAC_FMT "/%u ",
info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpaddr_tg_save(const void *ip,
const struct xt_entry_target *target)
{
const struct dhcpaddr_info *info = (const void *)target->data;
if (info->invert)
printf("! ");
printf("--set-mac " DH_MAC_FMT "/%u ",
DH_MAC_HEX(info->addr), info->mask);
}
static struct xtables_target dhcpaddr_tg_reg = {
.version = XTABLES_VERSION,
.name = "DHCPADDR",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.help = dhcpaddr_tg_help,
.parse = dhcpaddr_tg_parse,
.final_check = dhcpaddr_tg_check,
.print = dhcpaddr_tg_print,
.save = dhcpaddr_tg_save,
.extra_opts = dhcpaddr_tg_opts,
};
static __attribute__((constructor)) void dhcpaddr_tg_ldr(void)
{
xtables_register_target(&dhcpaddr_tg_reg);
}

101
extensions/libxt_DHCPMAC.c Normal file
View File

@@ -0,0 +1,101 @@
/*
* "DHCPMAC" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <getopt.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/ether.h>
#include <xtables.h>
#include "xt_DHCPMAC.h"
#include "mac.c"
enum {
F_MAC = 1 << 0,
};
static const struct option dhcpmac_tg_opts[] = {
{.name = "set-mac", .has_arg = true, .val = 'M'},
{NULL},
};
static void dhcpmac_tg_help(void)
{
printf(
"DHCPMAC target options:\n"
" --set-mac lladdr[/mask] Set MAC address in DHCP Client Host field\n"
);
}
static int dhcpmac_tg_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_target **target)
{
struct dhcpmac_info *info = (void *)(*target)->data;
switch (c) {
case 'M':
xtables_param_act(XTF_ONLY_ONCE, "DHCPMAC", "--set-mac", *flags & F_MAC);
xtables_param_act(XTF_NO_INVERT, "DHCPMAC", "--set-mac", invert);
if (!mac_parse(optarg, info->addr, &info->mask))
xtables_param_act(XTF_BAD_VALUE, "DHCPMAC", "--set-mac", optarg);
*flags |= F_MAC;
return true;
}
return false;
}
static void dhcpmac_tg_check(unsigned int flags)
{
if (flags == 0)
xtables_error(PARAMETER_PROBLEM, "DHCPMAC target: "
"--set-mac parameter required");
}
static void dhcpmac_tg_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
const struct dhcpmac_info *info = (void *)target->data;
printf("DHCPMAC %s" DH_MAC_FMT "/%u ",
info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpmac_tg_save(const void *ip,
const struct xt_entry_target *target)
{
const struct dhcpmac_info *info = (const void *)target->data;
if (info->invert)
printf("! ");
printf("--set-mac " DH_MAC_FMT "/%u ",
DH_MAC_HEX(info->addr), info->mask);
}
static struct xtables_target dhcpmac_tg_reg = {
.version = XTABLES_VERSION,
.name = "DHCPMAC",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct dhcpmac_info)),
.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.help = dhcpmac_tg_help,
.parse = dhcpmac_tg_parse,
.final_check = dhcpmac_tg_check,
.print = dhcpmac_tg_print,
.save = dhcpmac_tg_save,
.extra_opts = dhcpmac_tg_opts,
};
static __attribute__((constructor)) void dhcpmac_tg_ldr(void)
{
xtables_register_target(&dhcpmac_tg_reg);
}

6
extensions/libxt_DHCPADDR.man → extensions/libxt_DHCPMAC.man
View File

@@ -1,4 +1,4 @@
In conjunction with ebtables, DHCPADDR can be used to completely change all MAC
In conjunction with ebtables, DHCPMAC can be used to completely change all MAC
addresses from and to a VMware-based virtual machine. This is needed because
VMware does not allow to set a non-VMware MAC address before an operating
system is booted (and the MAC be changed with `ip link set eth0 address
@@ -13,11 +13,11 @@ EXAMPLE, replacing all addresses from one of VMware's assigned vendor IDs
(00:50:56) addresses with something else:
.PP
iptables -t mangle -A FORWARD -p udp --dport 67 -m physdev --physdev-in vmnet1
-m dhcpaddr --mac 00:50:56:00:00:00/24 -j DHCPADDR --set-mac
-m dhcpmac --mac 00:50:56:00:00:00/24 -j DHCPMAC --set-mac
ab:cd:ef:00:00:00/24
.PP
iptables -t mangle -A FORWARD -p udp --dport 68 -m physdev --physdev-out vmnet1
-m dhcpaddr --mac ab:cd:ef:00:00:00/24 -j DHCPADDR --set-mac
-m dhcpmac --mac ab:cd:ef:00:00:00/24 -j DHCPMAC --set-mac
00:50:56:00:00:00/24
.PP
(This assumes there is a bridge interface that has vmnet1 as a port. You will

187
extensions/libxt_RAWDNAT.c Normal file
View File

@@ -0,0 +1,187 @@
/*
* "RAWNAT" target extension for iptables
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <netinet/in.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_RAWNAT.h"
enum {
FLAGS_TO = 1 << 0,
};
static const struct option rawdnat_tg_opts[] = {
{.name = "to-destination", .has_arg = true, .val = 't'},
{},
};
static void rawdnat_tg_help(void)
{
printf(
"RAWDNAT target options:\n"
" --to-destination addr[/mask] Address or network to map to\n"
);
}
static int
rawdnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 32;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ipaddr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
memcpy(&info->addr.in, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static int
rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in6_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 128;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ip6addr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
memcpy(&info->addr.in6, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static void rawdnat_tg_check(unsigned int flags)
{
if (!(flags & FLAGS_TO))
xtables_error(PARAMETER_PROBLEM, "RAWDNAT: "
"\"--to-destination\" is required.");
}
static void
rawdnat_tg4_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 32)
printf("to-destination %s ",
xtables_ipaddr_to_anyname(&info->addr.in));
else
printf("to-destination %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
}
static void
rawdnat_tg6_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 128)
printf("to-destination %s ",
xtables_ip6addr_to_anyname(&info->addr.in6));
else
printf("to-destination %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
}
static void
rawdnat_tg4_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf("--to-destination %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in),
info->mask);
}
static void
rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf("--to-destination %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6),
info->mask);
}
static struct xtables_target rawdnat_tg4_reg = {
.version = XTABLES_VERSION,
.name = "RAWDNAT",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawdnat_tg_help,
.parse = rawdnat_tg4_parse,
.final_check = rawdnat_tg_check,
.print = rawdnat_tg4_print,
.save = rawdnat_tg4_save,
.extra_opts = rawdnat_tg_opts,
};
static struct xtables_target rawdnat_tg6_reg = {
.version = XTABLES_VERSION,
.name = "RAWDNAT",
.revision = 0,
.family = PF_INET6,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawdnat_tg_help,
.parse = rawdnat_tg6_parse,
.final_check = rawdnat_tg_check,
.print = rawdnat_tg6_print,
.save = rawdnat_tg6_save,
.extra_opts = rawdnat_tg_opts,
};
static void _init(void)
{
xtables_register_target(&rawdnat_tg4_reg);
xtables_register_target(&rawdnat_tg6_reg);
}

10
extensions/libxt_RAWDNAT.man Normal file
View File

@@ -0,0 +1,10 @@
The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
much like the \fBNETMAP\fR target.
.TP
\fB--to-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
Network address to map to. The resulting address will be constructed the
following way: All 'one' bits in the \fImask\fR are filled in from the new
\fIaddress\fR. All bits that are zero in the mask are filled in from the
original address.
.PP
See the \fBRAWSNAT\fR help entry for examples and constraints.

187
extensions/libxt_RAWSNAT.c Normal file
View File

@@ -0,0 +1,187 @@
/*
* "RAWNAT" target extension for iptables
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <netinet/in.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_RAWNAT.h"
enum {
FLAGS_TO = 1 << 0,
};
static const struct option rawsnat_tg_opts[] = {
{.name = "to-source", .has_arg = true, .val = 't'},
{},
};
static void rawsnat_tg_help(void)
{
printf(
"RAWSNAT target options:\n"
" --to-source addr[/mask] Address or network to map to\n"
);
}
static int
rawsnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 32;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ipaddr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
memcpy(&info->addr.in, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static int
rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in6_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 128;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ip6addr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
memcpy(&info->addr.in6, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static void rawsnat_tg_check(unsigned int flags)
{
if (!(flags & FLAGS_TO))
xtables_error(PARAMETER_PROBLEM, "RAWSNAT: "
"\"--to-source\" is required.");
}
static void
rawsnat_tg4_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 32)
printf("to-source %s ",
xtables_ipaddr_to_anyname(&info->addr.in));
else
printf("to-source %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
}
static void
rawsnat_tg6_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 128)
printf("to-source %s ",
xtables_ip6addr_to_anyname(&info->addr.in6));
else
printf("to-source %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
}
static void
rawsnat_tg4_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf("--to-source %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in),
info->mask);
}
static void
rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf("--to-source %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6),
info->mask);
}
static struct xtables_target rawsnat_tg4_reg = {
.version = XTABLES_VERSION,
.name = "RAWSNAT",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawsnat_tg_help,
.parse = rawsnat_tg4_parse,
.final_check = rawsnat_tg_check,
.print = rawsnat_tg4_print,
.save = rawsnat_tg4_save,
.extra_opts = rawsnat_tg_opts,
};
static struct xtables_target rawsnat_tg6_reg = {
.version = XTABLES_VERSION,
.name = "RAWSNAT",
.revision = 0,
.family = PF_INET6,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawsnat_tg_help,
.parse = rawsnat_tg6_parse,
.final_check = rawsnat_tg_check,
.print = rawsnat_tg6_print,
.save = rawsnat_tg6_save,
.extra_opts = rawsnat_tg_opts,
};
static void _init(void)
{
xtables_register_target(&rawsnat_tg4_reg);
xtables_register_target(&rawsnat_tg6_reg);
}

38
extensions/libxt_RAWSNAT.man Normal file
View File

@@ -0,0 +1,38 @@
The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address
translation.
.PP
The \fBRAWSNAT\fR target will rewrite the source address in the IP header, much
like the \fBNETMAP\fP target. \fBRAWSNAT\fP (and \fBRAWDNAT\fP) may only be
used in the \fBraw\fP or \fBrawpost\fP tables, but can be used in all chains,
which makes it possible to change the source address either when the packet
enters the machine or when it leaves it. The reason for this table constraint
is that RAWNAT must happen outside of connection tracking.
.TP
\fB--to-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
Network address to map to. The resulting address will be constructed the
following way: All 'one' bits in the \fImask\fR are filled in from the new
\fIaddress\fR. All bits that are zero in the mask are filled in from the
original address.
.PP
As an example, changing the destination for packets forwarded from an internal
LAN to the internet:
.IP
-t raw -A PREROUTING -i lan0 -d 212.201.100.135 -j RAWDNAT --to-destination 199.181.132.250
-t rawpost -A POSTROUTING -o lan0 -s 199.181.132.250 -j RAWSNAT --to-source 212.201.100.135
.PP
Note that changing addresses may influence the route selection! Specifically,
it statically NATs packets, not connections, like the normal DNAT/SNAT targets
would do. Also note that it can transform already-NATed connections -- as said,
it is completely external to Netfilter's connection tracking/NAT.
.PP
If the machine itself generates packets that are to be rawnat'ed, you need a
rule in the OUTPUT chain instead, just like you would with the stateful NAT
targets.
.PP
It may be necessary that in doing so, you also need an extra RAWSNAT rule, to
override the automatic source address selection that the routing code does
before passing packets to iptables. If the connecting socket has not been
explicitly bound to an address, as is the common mode of operation, the address
that will be chosen is the primary address of the device through which the
packet would be routed with its initial destination address - the address as
seen before any RAWNAT takes place.

33
extensions/libxt_STEAL.c Normal file
View File

@@ -0,0 +1,33 @@
#include <stdio.h>
#include <xtables.h>
static void steal_tg_help(void)
{
printf("STEAL takes no options\n\n");
}
static int steal_tg_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
return 0;
}
static void steal_tg_check(unsigned int flags)
{
}
static struct xtables_target steal_tg_reg = {
.version = XTABLES_VERSION,
.name = "STEAL",
.family = AF_INET,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.help = steal_tg_help,
.parse = steal_tg_parse,
.final_check = steal_tg_check,
};
static void _init(void)
{
xtables_register_target(&steal_tg_reg);
}

2
extensions/libxt_STEAL.man Normal file
View File

@@ -0,0 +1,2 @@
Like the DROP target, but does not throw an error like DROP when used in the
\fBOUTPUT\fP chain.

2
extensions/libxt_SYSRQ.man
View File

@@ -25,7 +25,7 @@ ipsec --proto esp --tunnel-src 10.10.25.1 --tunnel-dst 10.10.25.7
You should also limit the rate at which connections can be received to limit
the CPU time taken by illegal requests, for example:
.IP
-A INPUT 0s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
-A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
-p udp --dport 9 -m limit --limit 5/minute -j SYSRQ
.PP
This extension does not take any options. The \fB-p udp\fP options are

2
extensions/libxt_condition.c
View File

@@ -74,7 +74,7 @@ static void condition_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_condition_mtinfo *info = (const void *)match->data;
printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
printf("%s--condition \"%s\" ", info->invert ? "! " : "", info->name);
}
static struct xtables_match condition_mt_reg = {

102
extensions/libxt_dhcpaddr.c
View File

@@ -1,102 +0,0 @@
/*
* "dhcpaddr" match extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <net/ethernet.h>
#include <xtables.h>
#include "xt_DHCPADDR.h"
#include "mac.c"
enum {
F_MAC = 1 << 0,
};
static const struct option dhcpaddr_mt_opts[] = {
{.name = "mac", .has_arg = true, .val = 'M'},
{NULL},
};
static void dhcpaddr_mt_help(void)
{
printf(
"dhcpaddr match options:\n"
"[!] --mac lladdr[/mask] Match on MAC address in DHCP Client Host field\n"
);
}
static int dhcpaddr_mt_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_match **match)
{
struct dhcpaddr_info *info = (void *)(*match)->data;
switch (c) {
case 'M':
xtables_param_act(XTF_ONLY_ONCE, "dhcpaddr", "--mac", *flags & F_MAC);
xtables_param_act(XTF_NO_INVERT, "dhcpaddr", "--mac", invert);
if (!mac_parse(optarg, info->addr, &info->mask))
xtables_param_act(XTF_BAD_VALUE, "dhcpaddr", "--mac", optarg);
if (invert)
info->invert = true;
*flags |= F_MAC;
return true;
}
return false;
}
static void dhcpaddr_mt_check(unsigned int flags)
{
if (flags == 0)
xtables_error(PARAMETER_PROBLEM, "dhcpaddr match: "
"--mac parameter required");
}
static void dhcpaddr_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
const struct dhcpaddr_info *info = (void *)match->data;
printf("dhcpaddr %s" DH_MAC_FMT "/%u ",
info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpaddr_mt_save(const void *ip,
const struct xt_entry_match *match)
{
const struct dhcpaddr_info *info = (void *)match->data;
if (info->invert)
printf("! ");
printf("--mac " DH_MAC_FMT "/%u ",
DH_MAC_HEX(info->addr), info->mask);
}
static struct xtables_match dhcpaddr_mt_reg = {
.version = XTABLES_VERSION,
.name = "dhcpaddr",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.help = dhcpaddr_mt_help,
.parse = dhcpaddr_mt_parse,
.final_check = dhcpaddr_mt_check,
.print = dhcpaddr_mt_print,
.save = dhcpaddr_mt_save,
.extra_opts = dhcpaddr_mt_opts,
};
static __attribute__((constructor)) void dhcpaddr_mt_ldr(void)
{
xtables_register_match(&dhcpaddr_mt_reg);
}

4
extensions/libxt_dhcpaddr.man
View File

@@ -1,4 +0,0 @@
.TP
\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
Matches the DHCP Client Host address in a DHCP message. \fImask\fP specifies
the prefix length of the initial portion to match.

102
extensions/libxt_dhcpmac.c Normal file
View File

@@ -0,0 +1,102 @@
/*
* "dhcpmac" match extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <net/ethernet.h>
#include <xtables.h>
#include "xt_DHCPMAC.h"
#include "mac.c"
enum {
F_MAC = 1 << 0,
};
static const struct option dhcpmac_mt_opts[] = {
{.name = "mac", .has_arg = true, .val = 'M'},
{NULL},
};
static void dhcpmac_mt_help(void)
{
printf(
"dhcpmac match options:\n"
"[!] --mac lladdr[/mask] Match on MAC address in DHCP Client Host field\n"
);
}
static int dhcpmac_mt_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_match **match)
{
struct dhcpmac_info *info = (void *)(*match)->data;
switch (c) {
case 'M':
xtables_param_act(XTF_ONLY_ONCE, "dhcpmac", "--mac", *flags & F_MAC);
xtables_param_act(XTF_NO_INVERT, "dhcpmac", "--mac", invert);
if (!mac_parse(optarg, info->addr, &info->mask))
xtables_param_act(XTF_BAD_VALUE, "dhcpmac", "--mac", optarg);
if (invert)
info->invert = true;
*flags |= F_MAC;
return true;
}
return false;
}
static void dhcpmac_mt_check(unsigned int flags)
{
if (flags == 0)
xtables_error(PARAMETER_PROBLEM, "dhcpmac match: "
"--mac parameter required");
}
static void dhcpmac_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
const struct dhcpmac_info *info = (void *)match->data;
printf("dhcpmac %s" DH_MAC_FMT "/%u ",
info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpmac_mt_save(const void *ip,
const struct xt_entry_match *match)
{
const struct dhcpmac_info *info = (void *)match->data;
if (info->invert)
printf("! ");
printf("--mac " DH_MAC_FMT "/%u ",
DH_MAC_HEX(info->addr), info->mask);
}
static struct xtables_match dhcpmac_mt_reg = {
.version = XTABLES_VERSION,
.name = "dhcpmac",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct dhcpmac_info)),
.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.help = dhcpmac_mt_help,
.parse = dhcpmac_mt_parse,
.final_check = dhcpmac_mt_check,
.print = dhcpmac_mt_print,
.save = dhcpmac_mt_save,
.extra_opts = dhcpmac_mt_opts,
};
static __attribute__((constructor)) void dhcpmac_mt_ldr(void)
{
xtables_register_match(&dhcpmac_mt_reg);
}

4
extensions/libxt_dhcpmac.man Normal file
View File

@@ -0,0 +1,4 @@
.TP
\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
Matches the DHCP "Client Host" address (a MAC address) in a DHCP message.
\fImask\fP specifies the prefix length of the initial portion to match.

7
extensions/libxt_fuzzy.c
View File

@@ -9,6 +9,7 @@
*/
#include <getopt.h>
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -57,7 +58,7 @@ static int fuzzy_mt_parse(int c, char **argv, int invert, unsigned int *flags,
xtables_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
if (*flags & IPT_FUZZY_OPT_MINIMUM)
xtables_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
if (!xtables_strtoui(optarg, NULL, &num, 1, FUZZY_MAX_RATE) == -1 || num < 1)
if (!xtables_strtoui(optarg, NULL, &num, 1, FUZZY_MAX_RATE) || num < 1)
xtables_error(PARAMETER_PROBLEM,"BAD --lower-limit");
info->minimum_rate = num;
*flags |= IPT_FUZZY_OPT_MINIMUM;
@@ -68,7 +69,7 @@ static int fuzzy_mt_parse(int c, char **argv, int invert, unsigned int *flags,
xtables_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
if (*flags & IPT_FUZZY_OPT_MAXIMUM)
xtables_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
if (!xtables_strtoui(optarg, NULL, &num, 1, FUZZY_MAX_RATE) == -1 || num < 1)
if (!xtables_strtoui(optarg, NULL, &num, 1, FUZZY_MAX_RATE) || num < 1)
xtables_error(PARAMETER_PROBLEM,"BAD --upper-limit");
info->maximum_rate = num;
*flags |= IPT_FUZZY_OPT_MAXIMUM;
@@ -102,7 +103,7 @@ static struct xtables_match fuzzy_mt_reg = {
.name = "fuzzy",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),
.help = fuzzy_mt_help,
.init = fuzzy_mt_init,
.parse = fuzzy_mt_parse,

2
extensions/libxt_geoip.c
View File

@@ -263,7 +263,7 @@ static struct xtables_match geoip_match = {
.name = "geoip",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_geoip_match_info)),
.userspacesize = XT_ALIGN(offsetof(struct xt_geoip_match_info, mem)),
.userspacesize = offsetof(struct xt_geoip_match_info, mem),
.help = geoip_help,
.parse = geoip_parse,
.final_check = geoip_final_check,

233
extensions/libxt_iface.c Normal file
View File

@@ -0,0 +1,233 @@
/*
* Shared library add-on to iptables to add interface state matching
* support.
*
* (C) 2008 Gáspár Lajos <gaspar.lajos@glsys.eu>
*
* This program is released under the terms of GNU GPL version 2.
*/
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <xtables.h>
#include "xt_iface.h"
static const struct option iface_mt_opts[] = {
{.name = "iface", .has_arg = true, .val = 'i'},
{.name = "up", .has_arg = false, .val = 'u'},
{.name = "down", .has_arg = false, .val = 'U'}, /* not up */
{.name = "broadcast", .has_arg = false, .val = 'b'},
{.name = "loopback", .has_arg = false, .val = 'l'},
{.name = "pointopoint", .has_arg = false, .val = 'p'},
{.name = "pointtopoint", .has_arg = false, .val = 'p'}, /* eq pointopoint */
{.name = "running", .has_arg = false, .val = 'r'},
{.name = "noarp", .has_arg = false, .val = 'n'},
{.name = "arp", .has_arg = false, .val = 'N'}, /* not noarp */
{.name = "promisc", .has_arg = false, .val = 'o'},
{.name = "multicast", .has_arg = false, .val = 'm'},
{.name = "dynamic", .has_arg = false, .val = 'd'},
{.name = "lower-up", .has_arg = false, .val = 'w'},
{.name = "dormant", .has_arg = false, .val = 'a'},
{NULL},
};
static void iface_print_opt(const struct xt_iface_mtinfo *info,
const unsigned int option, const char *command)
{
if (info->flags & option)
printf(" %s", command);
if (info->invflags & option)
printf(" ! %s", command);
}
static void iface_setflag(struct xt_iface_mtinfo *info,
unsigned int *flags, int invert, u_int16_t flag, const char *command)
{
if (*flags & flag)
xtables_error(PARAMETER_PROBLEM,
"iface: \"--%s\" flag already specified", command);
if (invert)
info->invflags |= flag;
else
info->flags |= flag;
*flags |= flag;
}
static bool iface_valid_name(const char *name)
{
static const char invalid_chars[] = ".+!*";
return strlen(name) < IFNAMSIZ && strpbrk(name, invalid_chars) == NULL;
}
static void iface_mt_help(void)
{
printf(
"iface match options:\n"
" --iface interface Name of interface\n"
"[!] --up / --down match if UP flag (not) set\n"
"[!] --broadcast match if BROADCAST flag (not) set\n"
"[!] --loopback match if LOOPBACK flag (not) set\n"
"[!] --pointopoint\n"
"[!] --pointtopoint match if POINTOPOINT flag (not) set\n"
"[!] --running match if RUNNING flag (not) set\n"
"[!] --noarp / --arp match if NOARP flag (not) set\n"
"[!] --promisc match if PROMISC flag (not) set\n"
"[!] --multicast match if MULTICAST flag (not) set\n"
"[!] --dynamic match if DYNAMIC flag (not) set\n"
"[!] --lower-up match if LOWER_UP flag (not) set\n"
"[!] --dormant match if DORMANT flag (not) set\n");
}
static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct xt_iface_mtinfo *info = (void *)(*match)->data;
switch (c) {
case 'U':
c = 'u';
invert = !invert;
break;
case 'N':
c = 'n';
invert = !invert;
break;
}
switch (c) {
case 'i': /* interface name */
if (*flags & XT_IFACE_IFACE)
xtables_error(PARAMETER_PROBLEM,
"iface: Interface name already specified");
if (!iface_valid_name(optarg))
xtables_error(PARAMETER_PROBLEM,
"iface: Invalid interface name!");
strcpy(info->ifname, optarg);
*flags |= XT_IFACE_IFACE;
return true;
case 'u': /* UP */
iface_setflag(info, flags, invert, XT_IFACE_UP, "up");
return true;
case 'b': /* BROADCAST */
iface_setflag(info, flags, invert, XT_IFACE_BROADCAST, "broadcast");
return true;
case 'l': /* LOOPBACK */
iface_setflag(info, flags, invert, XT_IFACE_LOOPBACK, "loopback");
return true;
case 'p': /* POINTOPOINT */
iface_setflag(info, flags, invert, XT_IFACE_POINTOPOINT, "pointopoint");
return true;
case 'r': /* RUNNING */
iface_setflag(info, flags, invert, XT_IFACE_RUNNING, "running");
return true;
case 'n': /* NOARP */
iface_setflag(info, flags, invert, XT_IFACE_NOARP, "noarp");
return true;
case 'o': /* PROMISC */
iface_setflag(info, flags, invert, XT_IFACE_PROMISC, "promisc");
return true;
case 'm': /* MULTICAST */
iface_setflag(info, flags, invert, XT_IFACE_MULTICAST, "multicast");
return true;
case 'd': /* DYNAMIC */
iface_setflag(info, flags, invert, XT_IFACE_DYNAMIC, "dynamic");
return true;
case 'w': /* LOWER_UP */
iface_setflag(info, flags, invert, XT_IFACE_LOWER_UP, "lower_up");
return true;
case 'a': /* DORMANT */
iface_setflag(info, flags, invert, XT_IFACE_DORMANT, "dormant");
return true;
}
return false;
}
static void iface_mt_check(unsigned int flags)
{
if (!(flags & XT_IFACE_IFACE))
xtables_error(PARAMETER_PROBLEM,
"iface: You must specify an interface");
if (flags == 0 || flags == XT_IFACE_IFACE)
xtables_error(PARAMETER_PROBLEM,
"iface: You must specify at least one option");
}
static void iface_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_iface_mtinfo *info = (const void *)match->data;
printf("iface: \"%s\" [state:", info->ifname);
iface_print_opt(info, XT_IFACE_UP, "up");
iface_print_opt(info, XT_IFACE_BROADCAST, "broadcast");
iface_print_opt(info, XT_IFACE_LOOPBACK, "loopback");
iface_print_opt(info, XT_IFACE_POINTOPOINT, "pointopoint");
iface_print_opt(info, XT_IFACE_RUNNING, "running");
iface_print_opt(info, XT_IFACE_NOARP, "noarp");
iface_print_opt(info, XT_IFACE_PROMISC, "promisc");
iface_print_opt(info, XT_IFACE_MULTICAST, "multicast");
iface_print_opt(info, XT_IFACE_DYNAMIC, "dynamic");
iface_print_opt(info, XT_IFACE_LOWER_UP, "lower_up");
iface_print_opt(info, XT_IFACE_DORMANT, "dormant");
printf("] ");
}
static void iface_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_iface_mtinfo *info = (const void *)match->data;
printf(" --iface %s", info->ifname);
iface_print_opt(info, XT_IFACE_UP, "--up");
iface_print_opt(info, XT_IFACE_BROADCAST, "--broadcast");
iface_print_opt(info, XT_IFACE_LOOPBACK, "--loopback");
iface_print_opt(info, XT_IFACE_POINTOPOINT, "--pointopoint");
iface_print_opt(info, XT_IFACE_RUNNING, "--running");
iface_print_opt(info, XT_IFACE_NOARP, "--noarp");
iface_print_opt(info, XT_IFACE_PROMISC, "--promisc");
iface_print_opt(info, XT_IFACE_MULTICAST, "--multicast");
iface_print_opt(info, XT_IFACE_DYNAMIC, "--dynamic");
iface_print_opt(info, XT_IFACE_LOWER_UP, "--lower_up");
iface_print_opt(info, XT_IFACE_DORMANT, "--dormant");
printf(" ");
}
static struct xtables_match iface_mt_reg = {
.version = XTABLES_VERSION,
.name = "iface",
.revision = 0,
.family = AF_INET,
.size = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.help = iface_mt_help,
.parse = iface_mt_parse,
.final_check = iface_mt_check,
.print = iface_mt_print,
.save = iface_mt_save,
.extra_opts = iface_mt_opts,
};
static struct xtables_match iface_mt6_reg = {
.version = XTABLES_VERSION,
.name = "iface",
.revision = 0,
.family = AF_INET6,
.size = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.help = iface_mt_help,
.parse = iface_mt_parse,
.final_check = iface_mt_check,
.print = iface_mt_print,
.save = iface_mt_save,
.extra_opts = iface_mt_opts,
};
static void _init(void)
{
xtables_register_match(&iface_mt_reg);
xtables_register_match(&iface_mt6_reg);
}

37
extensions/libxt_iface.man Normal file
View File

@@ -0,0 +1,37 @@
Allows you to check interface states.
.TP
\fB\-\-iface\fP \fIname\fP
Check the states on the given interface. This option is required.
.TP
[\fB!\fP] \fB\-\-up\fP, [\fB!\fP] \fB\-\-down\fP
Check the UP flag.
.TP
[\fB!\fP] \fB\-\-broadcast\fP
Check the BROADCAST flag.
.TP
[\fB!\fP] \fB\-\-loopback\fP
Check the LOOPBACK flag.
.TP
[\fB!\fP] \fB\-\-pointtopoint\fP
Check the POINTTOPOINT flag.
.TP
[\fB!\fP] \fB\-\-running\fP
Check the RUNNING flag. Do NOT rely on it!
.TP
[\fB!\fP] \fB\-\-noarp\fP, [\fB!\fP] \fB\-\-arp\fP
Check the NOARP flag.
.TP
[\fB!\fP] \fB\-\-promisc\fP
Check the PROMISC flag.
.TP
[\fB!\fP] \fB\-\-multicast\fP
Check the MULTICAST flag.
.TP
[\fB!\fP] \fB\-\-dynamic\fP
Check the DYNAMIC flag.
.TP
[\fB!\fP] \fB\-\-lower-up\fP
Check the LOWER_UP flag.
.TP
[\fB!\fP] \fB\-\-dormant\fP
Check the DORMANT flag.

67
extensions/libxt_ipp2p.c
View File

@@ -1,7 +1,7 @@
/*
* "ipp2p" match extension for iptables
* Eicke Friedrich/Klaus Degner <ipp2p@ipp2p.org>, 2005 - 2006
* Jan Engelhardt <jengelh [at] medozas de>, 2008
* Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -17,7 +17,7 @@
#include <ctype.h>
#include <xtables.h>
#include "xt_ipp2p.h"
#define param_act(t, s, f) param_act((t), "ipp2p", (s), (f))
#define param_act(t, s, f) xtables_param_act((t), "ipp2p", (s), (f))
static void ipp2p_mt_help(void)
{
@@ -63,8 +63,8 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
switch (c) {
case '2': /*cmd: edk*/
xtables_param_act(XTF_ONLY_ONCE, "--edk", *flags & IPP2P_EDK);
xtables_param_act(XTF_NO_INVERT, "--edk", invert);
param_act(XTF_ONLY_ONCE, "--edk", *flags & IPP2P_EDK);
param_act(XTF_NO_INVERT, "--edk", invert);
if (*flags & IPP2P_DATA_EDK)
xtables_error(PARAMETER_PROBLEM,
"ipp2p: use `--edk' OR `--edk-data' but not both of them!");
@@ -73,8 +73,8 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case '7': /*cmd: dc*/
xtables_param_act(XTF_ONLY_ONCE, "--dc", *flags & IPP2P_DC);
xtables_param_act(XTF_NO_INVERT, "--dc", invert);
param_act(XTF_ONLY_ONCE, "--dc", *flags & IPP2P_DC);
param_act(XTF_NO_INVERT, "--dc", invert);
if (*flags & IPP2P_DATA_DC)
xtables_error(PARAMETER_PROBLEM,
"ipp2p: use `--dc' OR `--dc-data' but not both of them!");
@@ -83,8 +83,8 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case '9': /*cmd: gnu*/
xtables_param_act(XTF_ONLY_ONCE, "--gnu", *flags & IPP2P_GNU);
xtables_param_act(XTF_NO_INVERT, "--gnu", invert);
param_act(XTF_ONLY_ONCE, "--gnu", *flags & IPP2P_GNU);
param_act(XTF_NO_INVERT, "--gnu", invert);
if (*flags & IPP2P_DATA_GNU)
xtables_error(PARAMETER_PROBLEM,
"ipp2p: use `--gnu' OR `--gnu-data' but not both of them!");
@@ -93,8 +93,8 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case 'a': /*cmd: kazaa*/
xtables_param_act(XTF_ONLY_ONCE, "--kazaa", *flags & IPP2P_KAZAA);
xtables_param_act(XTF_NO_INVERT, "--kazaa", invert);
param_act(XTF_ONLY_ONCE, "--kazaa", *flags & IPP2P_KAZAA);
param_act(XTF_NO_INVERT, "--kazaa", invert);
if (*flags & IPP2P_DATA_KAZAA)
xtables_error(PARAMETER_PROBLEM,
"ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!");
@@ -103,64 +103,64 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case 'b': /*cmd: bit*/
xtables_param_act(XTF_ONLY_ONCE, "--kazaa", *flags & IPP2P_BIT);
xtables_param_act(XTF_NO_INVERT, "--kazaa", invert);
param_act(XTF_ONLY_ONCE, "--bit", *flags & IPP2P_BIT);
param_act(XTF_NO_INVERT, "--bit", invert);
*flags |= IPP2P_BIT;
info->cmd |= IPP2P_BIT;
break;
case 'c': /*cmd: apple*/
xtables_param_act(XTF_ONLY_ONCE, "--apple", *flags & IPP2P_APPLE);
xtables_param_act(XTF_NO_INVERT, "--apple", invert);
param_act(XTF_ONLY_ONCE, "--apple", *flags & IPP2P_APPLE);
param_act(XTF_NO_INVERT, "--apple", invert);
*flags |= IPP2P_APPLE;
info->cmd |= IPP2P_APPLE;
break;
case 'd': /*cmd: soul*/
xtables_param_act(XTF_ONLY_ONCE, "--soul", *flags & IPP2P_SOUL);
xtables_param_act(XTF_NO_INVERT, "--soul", invert);
param_act(XTF_ONLY_ONCE, "--soul", *flags & IPP2P_SOUL);
param_act(XTF_NO_INVERT, "--soul", invert);
*flags |= IPP2P_SOUL;
info->cmd |= IPP2P_SOUL;
break;
case 'e': /*cmd: winmx*/
xtables_param_act(XTF_ONLY_ONCE, "--winmx", *flags & IPP2P_WINMX);
xtables_param_act(XTF_NO_INVERT, "--winmx", invert);
param_act(XTF_ONLY_ONCE, "--winmx", *flags & IPP2P_WINMX);
param_act(XTF_NO_INVERT, "--winmx", invert);
*flags |= IPP2P_WINMX;
info->cmd |= IPP2P_WINMX;
break;
case 'f': /*cmd: ares*/
xtables_param_act(XTF_ONLY_ONCE, "--ares", *flags & IPP2P_ARES);
xtables_param_act(XTF_NO_INVERT, "--ares", invert);
param_act(XTF_ONLY_ONCE, "--ares", *flags & IPP2P_ARES);
param_act(XTF_NO_INVERT, "--ares", invert);
*flags |= IPP2P_ARES;
info->cmd |= IPP2P_ARES;
break;
case 'g': /*cmd: mute*/
xtables_param_act(XTF_ONLY_ONCE, "--mute", *flags & IPP2P_MUTE);
xtables_param_act(XTF_NO_INVERT, "--mute", invert);
param_act(XTF_ONLY_ONCE, "--mute", *flags & IPP2P_MUTE);
param_act(XTF_NO_INVERT, "--mute", invert);
*flags |= IPP2P_MUTE;
info->cmd |= IPP2P_MUTE;
break;
case 'h': /*cmd: waste*/
xtables_param_act(XTF_ONLY_ONCE, "--waste", *flags & IPP2P_WASTE);
xtables_param_act(XTF_NO_INVERT, "--waste", invert);
param_act(XTF_ONLY_ONCE, "--waste", *flags & IPP2P_WASTE);
param_act(XTF_NO_INVERT, "--waste", invert);
*flags |= IPP2P_WASTE;
info->cmd |= IPP2P_WASTE;
break;
case 'i': /*cmd: xdcc*/
xtables_param_act(XTF_ONLY_ONCE, "--xdcc", *flags & IPP2P_XDCC);
xtables_param_act(XTF_NO_INVERT, "--xdcc", invert);
param_act(XTF_ONLY_ONCE, "--xdcc", *flags & IPP2P_XDCC);
param_act(XTF_NO_INVERT, "--xdcc", invert);
*flags |= IPP2P_XDCC;
info->cmd |= IPP2P_XDCC;
break;
case 'j': /*cmd: debug*/
xtables_param_act(XTF_ONLY_ONCE, "--debug", info->debug);
xtables_param_act(XTF_NO_INVERT, "--debug", invert);
param_act(XTF_ONLY_ONCE, "--debug", info->debug);
param_act(XTF_NO_INVERT, "--debug", invert);
info->debug = 1;
break;
@@ -199,7 +199,7 @@ static const char *const ipp2p_cmds[] = {
};
static void
ipp2p_mt_print(const void *entry, const struct xt_entry_match *match,
ipp2p_mt_print1(const void *entry, const struct xt_entry_match *match,
int numeric)
{
const struct ipt_p2p_info *info = (const void *)match->data;
@@ -213,9 +213,16 @@ ipp2p_mt_print(const void *entry, const struct xt_entry_match *match,
printf("--debug ");
}
static void ipp2p_mt_print(const void *entry,
const struct xt_entry_match *match, int numeric)
{
printf("ipp2p ");
ipp2p_mt_print1(entry, match, true);
}
static void ipp2p_mt_save(const void *entry, const struct xt_entry_match *match)
{
ipp2p_mt_print(entry, match, true);
ipp2p_mt_print1(entry, match, true);
}
static struct xtables_match ipp2p_mt_reg = {

2
extensions/xt_CHAOS.c
View File

@@ -234,7 +234,7 @@ static void __exit chaos_tg_exit(void)
module_init(chaos_tg_init);
module_exit(chaos_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CHAOS");

2
extensions/xt_DELUDE.c
View File

@@ -176,7 +176,7 @@ static void __exit delude_tg_exit(void)
module_init(delude_tg_init);
module_exit(delude_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_DESCRIPTION("Xtables: Close TCP connections after handshake");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DELUDE");

8
extensions/xt_DHCPMAC.Kconfig Normal file
View File

@@ -0,0 +1,8 @@
config NETFILTER_XT_DHCPMAC
tristate '"DHCPMAC" DHCP address matching and manipulation support'
depends on NETFILTER_XTABLES
depends on IP_NF_MANGLE || IP6_NF_MANGLE
---help---
The DHCPMAC extensions allows to match and change the MAC address in
a DHCP packet, so as to work around VMware's "inability" to use MAC
addresses from a vendor different than VMware at boot time.

50
extensions/xt_DHCPADDR.c → extensions/xt_DHCPMAC.c
View File

@@ -1,5 +1,5 @@
/*
* "DHCPADDR" extensions for Xtables
* "DHCPMAC" extensions for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
*
* This program is free software; you can redistribute it and/or
@@ -14,7 +14,7 @@
#include <linux/udp.h>
#include <net/ip.h>
#include <linux/netfilter/x_tables.h>
#include "xt_DHCPADDR.h"
#include "xt_DHCPMAC.h"
#include "compat_xtables.h"
struct dhcp_message {
@@ -69,9 +69,9 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh,
}
static bool
dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par)
dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct dhcpaddr_info *info = par->matchinfo;
const struct dhcpmac_info *info = par->matchinfo;
const struct dhcp_message *dh;
struct dhcp_message dhcpbuf;
@@ -89,9 +89,9 @@ dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par)
}
static unsigned int
dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par)
dhcpmac_tg(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct dhcpaddr_info *info = par->targinfo;
const struct dhcpmac_info *info = par->targinfo;
struct dhcp_message dhcpbuf, *dh;
struct udphdr udpbuf, *udph;
struct sk_buff *skb = *pskb;
@@ -122,52 +122,52 @@ dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par)
return XT_CONTINUE;
}
static struct xt_target dhcpaddr_tg_reg __read_mostly = {
.name = "DHCPADDR",
static struct xt_target dhcpmac_tg_reg __read_mostly = {
.name = "DHCPMAC",
.revision = 0,
.family = NFPROTO_IPV4,
.proto = IPPROTO_UDP,
.table = "mangle",
.target = dhcpaddr_tg,
.targetsize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.target = dhcpmac_tg,
.targetsize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.me = THIS_MODULE,
};
static struct xt_match dhcpaddr_mt_reg __read_mostly = {
.name = "dhcpaddr",
static struct xt_match dhcpmac_mt_reg __read_mostly = {
.name = "dhcpmac",
.revision = 0,
.family = NFPROTO_IPV4,
.proto = IPPROTO_UDP,
.match = dhcpaddr_mt,
.matchsize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.match = dhcpmac_mt,
.matchsize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.me = THIS_MODULE,
};
static int __init dhcpaddr_init(void)
static int __init dhcpmac_init(void)
{
int ret;
ret = xt_register_target(&dhcpaddr_tg_reg);
ret = xt_register_target(&dhcpmac_tg_reg);
if (ret != 0)
return ret;
ret = xt_register_match(&dhcpaddr_mt_reg);
ret = xt_register_match(&dhcpmac_mt_reg);
if (ret != 0) {
xt_unregister_target(&dhcpaddr_tg_reg);
xt_unregister_target(&dhcpmac_tg_reg);
return ret;
}
return 0;
}
static void __exit dhcpaddr_exit(void)
static void __exit dhcpmac_exit(void)
{
xt_unregister_target(&dhcpaddr_tg_reg);
xt_unregister_match(&dhcpaddr_mt_reg);
xt_unregister_target(&dhcpmac_tg_reg);
xt_unregister_match(&dhcpmac_mt_reg);
}
module_init(dhcpaddr_init);
module_exit(dhcpaddr_exit);
module_init(dhcpmac_init);
module_exit(dhcpmac_exit);
MODULE_DESCRIPTION("Xtables: Clamp DHCP MAC to packet MAC addresses");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DHCPADDR");
MODULE_ALIAS("ipt_dhcpaddr");
MODULE_ALIAS("ipt_DHCPMAC");
MODULE_ALIAS("ipt_dhcpmac");

8
extensions/xt_DHCPADDR.h → extensions/xt_DHCPMAC.h
View File

@@ -1,12 +1,12 @@
#ifndef _LINUX_NETFILTER_XT_DHCPADDR_H
#define _LINUX_NETFILTER_XT_DHCPADDR_H 1
#ifndef _LINUX_NETFILTER_XT_DHCPMAC_H
#define _LINUX_NETFILTER_XT_DHCPMAC_H 1
#define DH_MAC_FMT "%02X:%02X:%02X:%02X:%02X:%02X"
#define DH_MAC_HEX(z) z[0], z[1], z[2], z[3], z[4], z[5]
struct dhcpaddr_info {
struct dhcpmac_info {
unsigned char addr[ETH_ALEN];
uint8_t mask, invert;
};
#endif /* _LINUX_NETFILTER_XT_DHCPADDR_H */
#endif /* _LINUX_NETFILTER_XT_DHCPMAC_H */

2
extensions/xt_LOGMARK.c
View File

@@ -128,7 +128,7 @@ static void __exit logmark_tg_exit(void)
module_init(logmark_tg_init);
module_exit(logmark_tg_exit);
MODULE_DESCRIPTION("Xtables: netfilter mark logging to syslog");
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_LOGMARK");
MODULE_ALIAS("ip6t_LOGMARK");

8
extensions/xt_RAWNAT.Kconfig Normal file
View File

@@ -0,0 +1,8 @@
config NETFILTER_XT_TARGET_RAWNAT
tristate '"RAWNAT" raw address translation w/o conntrack'
depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
depends on IP_NF_RAW || IP_NF6_RAW
---help---
This option adds the RAWSNAT and RAWDNAT targets which can do Network
Address Translation (no port translation) without requiring Netfilter
connection tracking.

346
extensions/xt_RAWNAT.c Normal file
View File

@@ -0,0 +1,346 @@
/*
* "RAWNAT" target extension for Xtables - untracked NAT
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include "compat_xtables.h"
#include "xt_RAWNAT.h"
static inline __be32
remask(__be32 addr, __be32 repl, unsigned int shift)
{
uint32_t mask = (shift == 32) ? 0 : (~(uint32_t)0 >> shift);
return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
}
static void
rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
{
switch (mask) {
case 0:
break;
case 1 ... 31:
addr[0] = remask(addr[0], repl[0], mask);
break;
case 32:
addr[0] = repl[0];
break;
case 33 ... 63:
addr[0] = repl[0];
addr[1] = remask(addr[1], repl[1], mask - 64);
break;
case 64:
addr[0] = repl[0];
addr[1] = repl[1];
break;
case 65 ... 95:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = remask(addr[2], repl[2], mask - 96);
case 96:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
break;
case 97 ... 127:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
addr[3] = remask(addr[3], repl[3], mask - 128);
break;
case 128:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
addr[3] = repl[3];
break;
}
}
static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
{
struct iphdr *iph = ip_hdr(skb);
void *transport_hdr = (void *)iph + ip_hdrlen(skb);
struct tcphdr *tcph;
struct udphdr *udph;
bool cond;
switch (iph->protocol) {
case IPPROTO_TCP:
tcph = transport_hdr;
inet_proto_csum_replace4(&tcph->check, skb, oldip, newip, true);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
udph = transport_hdr;
cond = udph->check != 0;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
cond |= skb->ip_summed == CHECKSUM_PARTIAL;
#endif
if (cond) {
inet_proto_csum_replace4(&udph->check, skb,
oldip, newip, true);
if (udph->check == 0)
udph->check = CSUM_MANGLED_0;
}
break;
}
}
static unsigned int rawnat4_writable_part(const struct iphdr *iph)
{
unsigned int wlen = sizeof(*iph);
switch (iph->protocol) {
case IPPROTO_TCP:
wlen += sizeof(struct tcphdr);
break;
case IPPROTO_UDP:
wlen += sizeof(struct udphdr);
break;
}
return wlen;
}
static unsigned int
rawsnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
struct iphdr *iph;
__be32 new_addr;
iph = ip_hdr(*pskb);
new_addr = remask(iph->saddr, info->addr.ip, info->mask);
if (iph->saddr == new_addr)
return XT_CONTINUE;
if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
return NF_DROP;
iph = ip_hdr(*pskb);
csum_replace4(&iph->check, iph->saddr, new_addr);
rawnat4_update_l4(*pskb, iph->saddr, new_addr);
iph->saddr = new_addr;
return XT_CONTINUE;
}
static unsigned int
rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
struct iphdr *iph;
__be32 new_addr;
iph = ip_hdr(*pskb);
new_addr = remask(iph->daddr, info->addr.ip, info->mask);
if (iph->daddr == new_addr)
return XT_CONTINUE;
if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
return NF_DROP;
iph = ip_hdr(*pskb);
csum_replace4(&iph->check, iph->daddr, new_addr);
rawnat4_update_l4(*pskb, iph->daddr, new_addr);
iph->daddr = new_addr;
return XT_CONTINUE;
}
static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
unsigned int *l4proto)
{
static const unsigned int types[] =
{IPPROTO_TCP, IPPROTO_UDP, IPPROTO_UDPLITE};
unsigned int i;
int err;
*l4proto = NEXTHDR_MAX;
for (i = 0; i < ARRAY_SIZE(types); ++i) {
err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL);
if (err >= 0) {
*l4proto = types[i];
break;
}
if (err != -ENOENT)
return false;
}
switch (*l4proto) {
case IPPROTO_TCP:
if (!skb_make_writable(pskb, *l4offset + sizeof(struct tcphdr)))
return false;
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
if (!skb_make_writable(pskb, *l4offset + sizeof(struct udphdr)))
return false;
break;
}
return true;
}
static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
unsigned int l4offset, const struct in6_addr *oldip,
const struct in6_addr *newip)
{
const struct ipv6hdr *iph = ipv6_hdr(skb);
struct tcphdr *tcph;
struct udphdr *udph;
unsigned int i;
bool cond;
switch (l4proto) {
case IPPROTO_TCP:
tcph = (void *)iph + l4offset;
for (i = 0; i < 4; ++i)
inet_proto_csum_replace4(&tcph->check, skb,
oldip->s6_addr32[i], newip->s6_addr32[i], true);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
udph = (void *)iph + l4offset;
cond = udph->check;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
cond |= skb->ip_summed == CHECKSUM_PARTIAL;
#endif
if (cond) {
for (i = 0; i < 4; ++i)
inet_proto_csum_replace4(&udph->check, skb,
oldip->s6_addr32[i],
newip->s6_addr32[i], true);
if (udph->check == 0)
udph->check = CSUM_MANGLED_0;
}
break;
}
}
static unsigned int
rawsnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset, l4proto;
struct ipv6hdr *iph;
struct in6_addr new_addr;
iph = ipv6_hdr(*pskb);
memcpy(&new_addr, &iph->saddr, sizeof(new_addr));
rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
if (ipv6_addr_cmp(&iph->saddr, &new_addr) == 0)
return XT_CONTINUE;
if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
return NF_DROP;
iph = ipv6_hdr(*pskb);
rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->saddr, &new_addr);
memcpy(&iph->saddr, &new_addr, sizeof(new_addr));
return XT_CONTINUE;
}
static unsigned int
rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset, l4proto;
struct ipv6hdr *iph;
struct in6_addr new_addr;
iph = ipv6_hdr(*pskb);
memcpy(&new_addr, &iph->daddr, sizeof(new_addr));
rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
if (ipv6_addr_cmp(&iph->daddr, &new_addr) == 0)
return XT_CONTINUE;
if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
return NF_DROP;
iph = ipv6_hdr(*pskb);
rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->daddr, &new_addr);
memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
return XT_CONTINUE;
}
static bool rawnat_tg_check(const struct xt_tgchk_param *par)
{
if (strcmp(par->table, "raw") == 0 ||
strcmp(par->table, "rawpost") == 0)
return true;
printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or "
"\"rawpost\" table.\n");
return false;
}
static struct xt_target rawnat_tg_reg[] __read_mostly = {
{
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.target = rawsnat_tg4,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
{
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.target = rawsnat_tg6,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
{
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.target = rawdnat_tg4,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
{
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.target = rawdnat_tg6,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
};
static int __init rawnat_tg_init(void)
{
return xt_register_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
}
static void __exit rawnat_tg_exit(void)
{
xt_unregister_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
}
module_init(rawnat_tg_init);
module_exit(rawnat_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: conntrack-less raw NAT");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_RAWSNAT");
MODULE_ALIAS("ipt_RAWDNAT");
MODULE_ALIAS("ip6t_RAWSNAT");
MODULE_ALIAS("ip6t_RAWDNAT");

9
extensions/xt_RAWNAT.h Normal file
View File

@@ -0,0 +1,9 @@
#ifndef _LINUX_NETFILTER_XT_TARGET_RAWNAT
#define _LINUX_NETFILTER_XT_TARGET_RAWNAT 1
struct xt_rawnat_tginfo {
union nf_inet_addr addr;
__u8 mask;
};
#endif /* _LINUX_NETFILTER_XT_TARGET_RAWNAT */

66
extensions/xt_STEAL.c Normal file
View File

@@ -0,0 +1,66 @@
/*
* "STEAL" demo target extension for Xtables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include "compat_xtables.h"
static unsigned int
steal_tg(struct sk_buff **pskb, const struct xt_target_param *par)
{
kfree_skb(*pskb);
return NF_STOLEN;
}
static struct xt_target steal_tg_reg[] __read_mostly = {
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_UNSPEC,
.target = steal_tg,
.me = THIS_MODULE,
},
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_IPV6,
.target = steal_tg,
.me = THIS_MODULE,
},
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_ARP,
.target = steal_tg,
.me = THIS_MODULE,
},
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_BRIDGE,
.target = steal_tg,
.me = THIS_MODULE,
},
};
static int __init steal_tg_init(void)
{
return xt_register_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
}
static void __exit steal_tg_exit(void)
{
xt_unregister_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
}
module_init(steal_tg_init);
module_exit(steal_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: Silently DROP packets on output chain");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_STEAL");
MODULE_ALIAS("ip6t_STEAL");
MODULE_ALIAS("arpt_STEAL");
MODULE_ALIAS("ebt_STEAL");

17
extensions/xt_SYSRQ.c
View File

@@ -199,8 +199,11 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
if (skb_linearize(skb) < 0)
return NF_DROP;
iph = ip_hdr(skb);
udph = (void *)iph + ip_hdrlen(skb);
iph = ip_hdr(skb);
if (iph->protocol != IPPROTO_UDP)
return NF_ACCEPT; /* sink it */
udph = (const void *)iph + ip_hdrlen(skb);
len = ntohs(udph->len) - sizeof(struct udphdr);
if (sysrq_debug)
@@ -217,13 +220,19 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
struct sk_buff *skb = *pskb;
const struct ipv6hdr *iph;
const struct udphdr *udph;
unsigned short frag_off;
unsigned int th_off;
uint16_t len;
if (skb_linearize(skb) < 0)
return NF_DROP;
iph = ipv6_hdr(skb);
udph = udp_hdr(skb);
iph = ipv6_hdr(skb);
if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
frag_off > 0)
return NF_ACCEPT; /* sink it */
udph = (const void *)iph + th_off;
len = ntohs(udph->len) - sizeof(struct udphdr);
if (sysrq_debug)

2
extensions/xt_TARPIT.c
View File

@@ -245,7 +245,7 @@ static void __exit tarpit_tg_exit(void)
module_init(tarpit_tg_init);
module_exit(tarpit_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_DESCRIPTION("Xtables: \"TARPIT\", capture and hold TCP connections");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TARPIT");

2
extensions/xt_condition.c
View File

@@ -161,7 +161,9 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
var->refcount = 1;
var->enabled = false;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
var->status_proc->owner = THIS_MODULE;
#endif
var->status_proc->data = var;
wmb();
var->status_proc->read_proc = condition_proc_read;

100
extensions/xt_iface.c Normal file
View File

@@ -0,0 +1,100 @@
/*
* xt_iface - kernel module to match interface state flags
*
* Original author: Gáspár Lajos <gaspar.lajos@glsys.eu>
*/
#include <linux/if.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/netfilter/x_tables.h>
#include "xt_iface.h"
#include "compat_xtables.h"
struct xt_iface_flag_pairs {
uint16_t iface_flag;
uint32_t iff_flag;
};
MODULE_AUTHOR("Gáspár Lajos <gaspar.lajos@glsys.eu>");
MODULE_DESCRIPTION("Xtables: iface match module");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_iface");
MODULE_ALIAS("ip6t_iface");
//MODULE_ALIAS("arpt_iface");
static const struct xt_iface_flag_pairs xt_iface_lookup[] =
{
{.iface_flag = XT_IFACE_UP, .iff_flag = IFF_UP},
{.iface_flag = XT_IFACE_BROADCAST, .iff_flag = IFF_BROADCAST},
{.iface_flag = XT_IFACE_LOOPBACK, .iff_flag = IFF_LOOPBACK},
{.iface_flag = XT_IFACE_POINTOPOINT, .iff_flag = IFF_POINTOPOINT},
{.iface_flag = XT_IFACE_RUNNING, .iff_flag = IFF_RUNNING},
{.iface_flag = XT_IFACE_NOARP, .iff_flag = IFF_NOARP},
{.iface_flag = XT_IFACE_PROMISC, .iff_flag = IFF_PROMISC},
{.iface_flag = XT_IFACE_MULTICAST, .iff_flag = IFF_MULTICAST},
{.iface_flag = XT_IFACE_DYNAMIC, .iff_flag = IFF_DYNAMIC},
{.iface_flag = XT_IFACE_LOWER_UP, .iff_flag = IFF_LOWER_UP},
{.iface_flag = XT_IFACE_DORMANT, .iff_flag = IFF_DORMANT},
};
static bool xt_iface_mt(const struct sk_buff *skb,
const struct xt_match_param *par)
{
const struct xt_iface_mtinfo *info = par->matchinfo;
struct net_device *dev;
bool retval;
int i;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
dev = dev_get_by_name(&init_net, info->ifname);
#else
dev = dev_get_by_name(info->ifname);
#endif
retval = dev != NULL;
if (retval) {
for (i = 0; i < ARRAY_SIZE(xt_iface_lookup) && retval; ++i) {
if (info->flags & xt_iface_lookup[i].iface_flag)
retval &= dev->flags & xt_iface_lookup[i].iff_flag;
if (info->invflags & xt_iface_lookup[i].iface_flag)
retval &= !(dev->flags & xt_iface_lookup[i].iff_flag);
}
dev_put(dev);
}
return retval;
}
static struct xt_match xt_iface_mt_reg[] __read_mostly = {
{
.name = "iface",
.revision = 0,
.family = NFPROTO_IPV4,
.matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.match = xt_iface_mt,
.me = THIS_MODULE,
},
{
.name = "iface",
.revision = 0,
.family = NFPROTO_IPV6,
.matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.match = xt_iface_mt,
.me = THIS_MODULE,
},
};
static int __init xt_iface_match_init(void)
{
return xt_register_matches(xt_iface_mt_reg,
ARRAY_SIZE(xt_iface_mt_reg));
}
static void __exit xt_iface_match_exit(void)
{
xt_unregister_matches(xt_iface_mt_reg, ARRAY_SIZE(xt_iface_mt_reg));
}
module_init(xt_iface_match_init);
module_exit(xt_iface_match_exit);

25
extensions/xt_iface.h Normal file
View File

@@ -0,0 +1,25 @@
#ifndef _LINUX_NETFILTER_XT_IFACE_H
#define _LINUX_NETFILTER_XT_IFACE_H 1
enum {
XT_IFACE_UP = 1 << 0,
XT_IFACE_BROADCAST = 1 << 1,
XT_IFACE_LOOPBACK = 1 << 2,
XT_IFACE_POINTOPOINT = 1 << 3,
XT_IFACE_RUNNING = 1 << 4,
XT_IFACE_NOARP = 1 << 5,
XT_IFACE_PROMISC = 1 << 6,
XT_IFACE_MULTICAST = 1 << 7,
XT_IFACE_DYNAMIC = 1 << 8,
XT_IFACE_LOWER_UP = 1 << 9,
XT_IFACE_DORMANT = 1 << 10,
XT_IFACE_IFACE = 1 << 15,
};
struct xt_iface_mtinfo {
char ifname[IFNAMSIZ];
__u16 flags;
__u16 invflags;
};
#endif

6
extensions/xt_ipv4options.Kconfig Normal file
View File

@@ -0,0 +1,6 @@
config NETFILTER_XT_MATCH_IPV4OPTIONS
tristate '"ipv4options" IPv4 option match support'
depends on NETFILTER_XTABLES
---help---
The ipv4options match can be used to check on the presence or absence
of one or move IPv4 options.

7
extensions/xt_length2.Kconfig Normal file
View File

@@ -0,0 +1,7 @@
config NETFILTER_XT_MATCH_LENGTH2
tristate '"length2" match support'
depends on NETFILTER_XTABLES
---help---
This option adds the "length2" match which is an advanced form of
xt_length that allows unambiguous layer-4/-5/-7 length matching. It is
useful to detect empty packets or for aiding in packet scheduling.

8
extensions/xt_quota2.Kconfig Normal file
View File

@@ -0,0 +1,8 @@
config NETFILTER_XT_MATCH_QUOTA2
tristate '"quota2" match support'
depends on NETFILTER_XTABLES
---help---
This option adds the "quota2" match which is an advanced form of
xt_quota that also allows counting upwards, and where the counter can
be set through procfs. This allows for simple interfacing of
accounting information.

5
mconfig
View File

@@ -2,16 +2,19 @@
#
build_CHAOS=m
build_DELUDE=m
build_DHCPADDR=m
build_DHCPMAC=m
build_ECHO=
build_IPMARK=m
build_LOGMARK=m
build_RAWNAT=m
build_STEAL=m
build_SYSRQ=m
build_TARPIT=m
build_TEE=m
build_condition=m
build_fuzzy=m
build_geoip=m
build_iface=m
build_ipp2p=m
build_ipset=m
build_ipv4options=m

2
xtables-addons.8.in
View File

@@ -1,4 +1,4 @@
.TH xtables\-addons 8 "v1.12 (2009\-03\-23)" "" "v1.13 (2009\-03\-23)"
.TH xtables\-addons 8 "v1.15 (2009\-04\-30)" "" "v1.15 (2009\-04\-30)"
.SH Name
Xtables\-addons - additional extensions for iptables, ip6tables, etc.
.SH Targets