anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-20 19:44:56 +02:00
Code Issues Releases Wiki Activity

Compare commits

base: anonfunc:v1.44
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0
..
compare: anonfunc:v2.7
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0

117 Commits
v1.44 ... v2.7

Author SHA1 Message Date
Jan Engelhardt
e277360bcd Xtables-addons 2.7 2015-07-06 05:59:21 +02:00
Jan Engelhardt
672f12b2a6 doc: remove old changelog entries 2015-07-06 05:59:21 +02:00
Jan Engelhardt
8788b6c096 doc: combine kernel version numbers 2015-07-06 05:59:21 +02:00
Alexander Petrenas
96ce5ec488 xt_TARPIT: support for Linux 4.1 2015-07-06 05:59:21 +02:00
Jan Engelhardt
5e22c9c592 xt_ACCOUNT: avoid implicit padding in struct ipt_acc_handle_ip 
Make the structure size so that an ILP32 environment has no problem
taking the raw bytes from an LP64 one.
 2015-06-05 13:52:45 +02:00
Jan Engelhardt
01f97bfdd1 iptaccount: cast from uint64_t to please printf 
%llu wants an "unsigned long long", which is not necessarily
the same as uint64_t.
 2015-06-05 13:51:56 +02:00
Neal P. Murphy
1324442bce xt_ACCOUNT: make counters 64-bit wide 
The Smoothwall Express traffic stats collector (traffiClogger) does
not handle counter rollovers well and does not perform read&flush.
(Yes, the code is somewhat aged.) To change it to perform read&flush
is non-trivial. Then, it occurred to me that it might be easier to
change ipt_ACCOUNT in xtables-addons to use 64-bit counters,
considering it was designed around single kernel pages.

The following submission counts to at least 100 GB, produces no
obvious kernel gripes, and adjacent counters do not seem to interfere
with each other. Yes, it uses more memory, but RAM costs much less
than bugs that grown out of complex software.

The theory:

  - Use two kernel pages for the counters for each group of 256
    addresses.
  - Change counters to 64-bit.
  - Change to __get_free_pages/free_pages, using order=2
    (two consecutive pages), and zero both pages.
  - Change "%u" to "%llu" as needed.
  - Everything else pretty much stays the same.

I also changed tmpbuf to two pages (Justin Case's idea), but I
do not know if that's really necessary.
 2015-06-05 13:51:55 +02:00
Jan Engelhardt
a576f4d43e Xtables-addons 2.6 2014-09-29 10:33:13 +02:00
Jan Engelhardt
cc17e1d0fe build: explicitly support Linux 3.16, 3.17 2014-09-04 18:50:35 +02:00
Adam Butcher
c08835d65c xt_pknock: fix pknock in UDP SPA mode 
When the PK_CRYPTO pre-processor flag got removed in
v1.47.1-2-g66f213e, one of the removal cases was misapplied; the body
of an "#ifndef PK_CRYPTO" was left in rather than the whole section
being removed.
 2014-09-04 18:45:42 +02:00
Adam Butcher
4c21811919 src: work with typeof 
Although not officially supported, we have found that the
xtables-addons modules we are interested in work fine on 3.0.4 with a
slight non-invasive mod to compat_xtables.h.
 2014-09-04 18:44:52 +02:00
Jan Engelhardt
431062c6ec Xtables-addons 2.5 2014-04-18 19:14:59 +02:00
Jan Engelhardt
87adf3461f build: resolve compile error with Linux 3.15 
Commit v3.15-rc1~141^2~97 changed the signature for cn_netlink_send.
 2014-04-18 19:12:51 +02:00
Jan Engelhardt
f2e21e67a5 build: resolve compile error with Linux 3.13 
net_random has been removed in commit v3.14-rc1~94^2~191 and replaced
by its definition, prandom_u32.

prandom_u32 was only introduced in v3.8-rc1~74^2~22, so we will have
an extra ifdef for 3.7 support.
 2014-04-18 19:12:40 +02:00
Daniel Golle
ae307c0bf3 xt_quota2: introduce support for network namespaces 
Initialize a separate xt_quota2 instance for each network
namespace so data limit can be set and enforced per container.
 2014-04-18 15:10:05 +02:00
Jan Engelhardt
ec8c6b8732 doc: add xt_quota2 changelog items 2014-01-18 12:29:09 +01:00
Jan Engelhardt
7916b74a42 Xtables-addons 2.4 2014-01-09 10:37:52 +01:00
Jan Engelhardt
7fbbd0401e build: support for Linux 3.13 2014-01-09 10:25:40 +01:00
Jan Engelhardt
991c0cf4cf compat_xtables: remove no longer needed target API redirection 
Function signature for targets stayed the same since 3.7.
 2014-01-09 10:24:32 +01:00
Jan Engelhardt
b58e78968e compat_xtables: remove unused compat_nfinetaddr.h header 2014-01-09 10:19:48 +01:00
Jan Engelhardt
02eb0e5df9 compat_xtables: remove unused function declarations 2014-01-09 10:19:00 +01:00
Jan Engelhardt
98ea6c538b compat_xtables: remove unused ipt_unregister_table macro 2014-01-09 10:16:42 +01:00
Jan Engelhardt
7cf7250e07 compat_xtables: remove unused xtnu_ip_route_me_harder 2014-01-09 10:16:02 +01:00
Jan Engelhardt
f9b0ee7533 compat_xtables: remove unused xtnu_skb_make_writable 2014-01-09 10:14:36 +01:00
Jan Engelhardt
a82d0ba517 compat_xtables: remove unused xtnu_request_find_match 
The xt_find_match function is also getting unexported in 3.14.
 2014-01-09 10:09:04 +01:00
Sam Liddicott
bc2bcc383c xt_quota2: remove trailing junk which might have a digit in it 
Signed-off-by: Sam Liddicott <sam@liddicott.com>
 2014-01-09 10:00:43 +01:00
Sam Liddicott
c6c70ab30b xt_quota2: fix 2 bugs when not in grow mode 
1. XT_QUOTA_NO_CHANGE should not alter quota to zero ever
2. XT_QUOTA_PACKET should not be set to zero based on skb->len

Signed-off-by: Sam Liddicott <sam@liddicott.com>
 2014-01-09 09:59:04 +01:00
Jan Engelhardt
a0a8fbc091 Update .gitignore 
Looks like GCOV is enabled somewhere.
 2014-01-09 09:58:08 +01:00
Jan Engelhardt
9414a5df34 extensions: remove RAWSNAT/RAWDNAT 2013-08-07 15:42:56 +02:00
Jan Engelhardt
f28cfff138 extensions: remove STEAL target 
There is enough demo code in the "demos" branch.
 2013-08-07 15:40:24 +02:00
Jan Engelhardt
a8d7ec5ad6 build: skip calling depmod 
Calling depmod is no longer needed. (Since sometime in the 2.6
series.)
 2013-06-19 06:09:34 +02:00
Jan Engelhardt
29f293743a Xtables-addons 2.3 2013-06-18 08:09:18 +02:00
Jan Engelhardt
3bf7ebc48c xt_pknock: support for Linux 3.10 2013-06-18 08:09:18 +02:00
Jan Engelhardt
172bc7e306 xt_quota2: support for Linux 3.10 2013-06-18 08:09:18 +02:00
Jan Engelhardt
db45bbcb9e xt_condition: support for Linux 3.10 2013-06-18 08:09:18 +02:00
Jan Engelhardt
b2cd0ab65b xt_DNETMAP: support for Linux 3.10 2013-06-18 08:09:16 +02:00
Jan Engelhardt
b5a2f9aa14 compat_xtables: dissolve unusued rt_dst 2013-06-08 15:27:34 +02:00
Jan Engelhardt
6fbb35d686 extensions: resolve compile error when CONFIG_UIDGID_STRICT_TYPE_CHECKS=y 
xt_DNETMAP.c: In function "dnetmap_tg_check":
xt_DNETMAP.c:331:16: error: incompatible types when assigning to
type "kuid_t" from type "unsigned int"
xt_DNETMAP.c:332:16: error: incompatible types when assigning to
type "kgid_t" from type "unsigned int"
xt_DNETMAP.c:344:16: error: incompatible types when assigning to
type "kuid_t" from type "unsigned int"
xt_DNETMAP.c:345:16: error: incompatible types when assigning to
type "kgid_t" from type "unsigned int"
xt_condition.c: In function "condition_mt_check":
xt_condition.c:158:24: error: incompatible types when assigning to
type "kuid_t" from type "unsigned int"
xt_condition.c:159:24: error: incompatible types when assigning to
type "kgid_t" from type "unsigned int"
xt_quota2.c: In function "q2_get_counter":
xt_quota2.c:134:18: error: incompatible types when assigning to type
"kuid_t" from type "unsigned int"
xt_quota2.c:135:18: error: incompatible types when assigning to type
"kgid_t" from type "unsigned int"
 2013-06-08 15:10:20 +02:00
Dmitry Smirnov
e1d9825475 scripts: avoid bashism in xt_geoip_dl 
xt_geoip_dl is marked to use /bin/sh. As such, avoid bashisms.
 2013-06-02 17:29:12 +02:00
Dmitry Smirnov
efa8b9670a build: only scan manpages in extensions/ 
When using quilt to apply some patch to manpages, files named
libxt_*.man can appear within $srcdir/.pc which will be found by our
find(1) call. Limit the search to $srcdir/extensions to avoid this.
 2013-06-02 17:18:58 +02:00
Jan Engelhardt
2b38d081a5 doc: spelling and grammar corrections to DNETMAP 2013-06-02 17:13:25 +02:00
Jan Engelhardt
fda591dba4 doc: replace apostrophes by proper situation-dependent puncutation 2013-06-02 16:59:44 +02:00
Jan Engelhardt
9de3027c02 doc: dissolve contractions 2013-06-02 16:59:14 +02:00
Jan Engelhardt
2dc8f21476 doc: more escapes for minuses 2013-06-02 16:57:50 +02:00
Jan Engelhardt
e027089782 doc: markup paragraphs 2013-06-02 16:53:56 +02:00
Dmitry Smirnov
fe7a30c746 doc: lint man pages (hyphens and spelling) 
* hyphen-used-as-minus-sign
* spelling-error-in-manpage
 2013-06-02 16:49:12 +02:00
Jan Engelhardt
d582cc04df build: remove manpage files during make clean 2013-06-02 16:48:56 +02:00
Jan Engelhardt
13db8d78c9 extensions: make print (iptables -L) output the same as save (-S) 2013-05-30 17:16:56 +02:00
Денис Устименко
6a60b5ab75 xt_quota2: print "!" at the correct position during iptables-save 2013-05-30 17:04:47 +02:00
Jan Engelhardt
d48a5fe0f4 xt_geoip: do not throw a warnings when country database is size 0 2013-05-30 17:00:25 +02:00
Dmitry Popov
b70905e7cb xt_RAWNAT: skb writable part might not include whole L4 header (IPv4 case) 
Consider TCP/IPv4 packet with IP options: sizeof(*iph) + sizeof(struct
tcphdr) is not enough to include tcp checksum. It may hurt if this
packet is fragmented.

Therefore, we should use iph->ihl * 4 instead of sizeof(*iph).

Signed-off-by: Dmitry Popov <dp@highloadlab.com>
 2013-05-08 13:21:54 +02:00
Jan Engelhardt
3f04148501 Xtables-addons 2.2 2013-03-31 21:14:37 +02:00
Jan Engelhardt
d96fff8893 DELUDE: update comment about reentrancy 2013-03-31 21:11:25 +02:00
Jan Engelhardt
aceca54912 iptaccount: fix being a no-op program 
A PPC system has been observed where "char" is unsigned; with that,
the getopt loop will never terminate because optchar != -1 could not
happen.
 2013-03-31 21:11:24 +02:00
Jan Engelhardt
cb1cdb190f build: support for Linux 3.9 2013-03-07 22:56:27 +01:00
Jan Engelhardt
48ebf55444 Xtables-addons 2.1 2012-12-27 08:01:00 +01:00
Jan Engelhardt
57c3cc1722 build: support for Linux 3.8 2012-12-27 07:59:34 +01:00
Jan Engelhardt
29141b6e95 xt_DNETMAP: fix compile error with Linux 3.7 2012-12-21 05:45:15 +01:00
Jan Engelhardt
cdac8506c3 Xtables-addons 2.0 
I have been thinking quite a while when to drop support for old
versions. The changes in Linux kernel 3.7 in nf_nat prompted me to
make the cut here, to throw out most of the backwards-compatibility
code and start mostly blank. As future kernels will be released and
supported, no doubt will new code to work with those releases be
added.

If you run with an older kernel, continue to use the Xtables-addons
1.x series.
 2012-11-12 21:47:14 +01:00
Jan Engelhardt
5494bc40f4 Merge branch 'maint' into newage 2012-11-12 19:01:31 +01:00
Jan Engelhardt
bcdb7ed4e9 Update my email address 
To ... none! Whatever is recent is in the git log.
 2012-11-12 19:01:14 +01:00
Jan Engelhardt
1ed86c6bbd build: remove support for Linux 3.6 / switch xt_DNETMAP to nf_nat 2012-11-12 18:42:11 +01:00
Jan Engelhardt
2a5f1099c8 build: remove support for Linux 3.5 2012-11-12 18:31:33 +01:00
Jan Engelhardt
c243c78af4 build: remove support for Linux 3.4 2012-11-12 18:31:28 +01:00
Jan Engelhardt
91da2a0dbd build: remove support for Linux 3.3 2012-11-12 18:31:22 +01:00
Jan Engelhardt
a160a2aa36 build: remove support for Linux 3.2 2012-11-12 18:31:16 +01:00
Jan Engelhardt
b25e96fd49 build: remove support for Linux 3.1 2012-11-12 18:31:08 +01:00
Jan Engelhardt
6d74f76a29 build: remove support for Linux 3.0 2012-11-12 18:31:03 +01:00
Jan Engelhardt
78e47758c6 build: remove support for Linux 2.6.39 2012-11-12 18:30:49 +01:00
Jan Engelhardt
bcdd42f556 build: remove support for Linux 2.6.38 2012-11-12 18:30:42 +01:00
Jan Engelhardt
acf92ff914 build: remove support for Linux 2.6.37 2012-11-12 18:30:36 +01:00
Jan Engelhardt
0e845bf23f build: remove support for Linux 2.6.36 2012-11-12 18:30:30 +01:00
Jan Engelhardt
158e6a26eb xt_CHECKSUM: remove the module 
This is available in upstream Linux 2.6.36+.
 2012-11-12 18:30:20 +01:00
Jan Engelhardt
693c32f414 build: remove support for Linux 2.6.35 2012-11-12 18:30:19 +01:00
Jan Engelhardt
3e337562d7 xt_TEE: remove the module 
This is available in upstream Linux 2.6.35+.
 2012-11-12 18:30:09 +01:00
Jan Engelhardt
bb25bc08c4 build: remove support for Linux 2.6.34 2012-11-12 18:30:08 +01:00
Jan Engelhardt
ea3e4b2ed5 build: remove support for Linux 2.6.33 2012-11-12 18:30:01 +01:00
Jan Engelhardt
557af2177f build: remove support for Linux 2.6.32 2012-11-12 18:29:53 +01:00
Jan Engelhardt
60f5239630 build: remove support for Linux 2.6.31 2012-10-16 04:16:57 +02:00
Jan Engelhardt
3ba7d8c3a9 build: remove support for Linux 2.6.30 2012-10-16 04:16:57 +02:00
Jan Engelhardt
28d12faba8 build: remove support for Linux 2.6.29 2012-10-16 04:16:57 +02:00
Jan Engelhardt
cf7a3d4342 build: remove support for Linux 2.6.28 2012-10-16 04:16:57 +02:00
Jan Engelhardt
fabad77f8f build: remove support for Linux 2.6.27 2012-10-16 04:16:57 +02:00
Jan Engelhardt
5e020d380c build: remove support for Linux 2.6.26 2012-10-16 04:16:57 +02:00
Jan Engelhardt
a7fbf4f4de build: remove support for Linux 2.6.25 2012-10-16 04:16:57 +02:00
Jan Engelhardt
4137f6c111 build: remove support for Linux 2.6.24 2012-10-16 04:16:57 +02:00
Jan Engelhardt
04d8ebe31c build: remove support for Linux 2.6.23 2012-10-16 04:16:56 +02:00
Jan Engelhardt
6ab4c02a54 build: remove support for Linux 2.6.22 2012-10-16 04:16:56 +02:00
Jan Engelhardt
a66e4510b8 build: remove support for Linux 2.6.21 2012-10-16 02:36:14 +02:00
Jan Engelhardt
31aebc134e build: remove support for Linux 2.6.20 2012-10-16 02:36:10 +02:00
Jan Engelhardt
e640a15ec9 build: remove support for Linux 2.6.19 2012-10-16 02:36:06 +02:00
Jan Engelhardt
66f213e324 build: remove support for Linux 2.6.18 2012-10-16 02:36:02 +02:00
Jan Engelhardt
0dcc56bc62 build: remove support for Linux 2.6.17 2012-10-16 02:35:57 +02:00
Jan Engelhardt
8db01220fd Xtables-addons 1.47.1 2012-10-15 21:29:22 +02:00
Jan Engelhardt
95ff9a2de3 build: resolve compiler error 
extensions/xt_psd.c:141:2: error: implicit declaration of function
'vmalloc' [-Werror=implicit-function-declaration]
 2012-10-15 21:15:25 +02:00
Jan Engelhardt
2f1e094125 Xtables-addons 1.47 2012-10-15 20:03:02 +02:00
Jan Engelhardt
37b000182f xt_psd: replace vzalloc by vmalloc+memset 
The lower support boundary is currently 2.6.32, but vzalloc is only
available since 2.6.37.
 2012-10-15 20:02:43 +02:00
Jan Engelhardt
255a310536 Merge branch 'psd' 2012-09-18 07:33:00 +02:00
Florian Westphal
3a6e73e986 xt_psd: add IPv6 support 
Because most users will probably only use IPv4 psd, allocate most of the
state6 storage when the first IPv6 psd rule is added, and not at module
load time via .bss.
 2012-09-18 03:33:37 +02:00
Florian Westphal
0a97126f5b xt_psd: move IPv4 state locking responsibility to caller 
The former psd_match function is now < 72 lines.
 2012-09-18 02:53:02 +02:00
Florian Westphal
2ba833fe47 xt_psd: move L4 header fetching into helper 
Also start splitting psd_match into two functions, one to do initial
sanity checking and header retrieval, one to do the actual work.
 2012-09-18 02:47:30 +02:00
Florian Westphal
77240e0918 xt_psd: use tcph->dest directly 
This allows us to move more code away from the main match function.
 2012-09-18 02:45:17 +02:00
Florian Westphal
651e60f8d7 xt_psd: move table cleanup into helper 2012-09-18 02:43:04 +02:00
Florian Westphal
54ac2a899a xt_psd: split struct host into generic and AF-dependent structure 2012-09-18 02:42:22 +02:00
Florian Westphal
61d2be172d xt_psd: remove unneeded variables, make hash unsigned 
- dest port and dest address were only written, never read
- struct inaddr isn't needed either, just look at iph->saddr
 2012-09-18 02:41:15 +02:00
Florian Westphal
093f3b0a97 xt_psd: move match functionality to helpers 
Reduce line count and to allow code reuse when IPv6 support will be
introduced.
 2012-09-17 04:44:29 +02:00
Florian Westphal
57d25f22f1 xt_psd: avoid if (c=h) do {..} while (c = c->next) 
It is aquivalent to c=h; while (c) { ..; c = c->next; }
which is a bit easier to read.
 2012-09-17 04:42:56 +02:00
Florian Westphal
2f18ab31ec xt_psd: move parts of main match function to helpers 
The match function is way too large, start to split this into smaller
chunks.
 2012-09-17 00:02:49 +02:00
Florian Westphal
12d0a8702c xt_psd: consider protocol when searching port list 
If we saw a TCP packet on port X, and we receive a UDP packet from the
same host to port X, we counted this as "port X", and did not see this
as a new packet.

Change compare to also consider protocol number and move it to a helper
to de-bloat the overlay large match function.

This change makes psd more aggressive with mixed TCP/UDP traffic.
 2012-09-17 00:02:45 +02:00
Jan Engelhardt
35ce1adf5e Xtables-addons 1.46 2012-08-23 15:54:21 +02:00
Jan Engelhardt
e5fe0b9c14 doc: update xt_SYSRQ.man to reflect that the full IPv6 address is needed 
xt_SYSRQ uses NIP6_FMT, so requires the expanded form for the digest.

Reported-by: Jan Krcmar <honza801@gmail.com>
 2012-08-23 15:27:23 +02:00
Arif Hossain
cd7fc84b29 build: remove extraneous closing bracket in configure.ac 
Now autogen.sh will work without complaints.
 2012-08-02 17:49:40 +02:00
Josh Hunt
4ff5a8fbf6 TARPIT: fix memory leak when tarpit_generic() fails 
Currently tarpit_generic() just returns on failure, but this does not
free nskb.

Signed-off-by: Josh Hunt <johunt@akamai.com>
 2012-08-02 17:48:05 +02:00
Florian Westphal
37e3a543a9 extensions: fix ipv6_find_hdr upstream change fallout 
Upstream commit v3.5-rc1~109^2~138^2~4 ("netfilter: ip6_tables: add
flags parameter to ipv6_find_hdr()") changed the offset parameter of
ipv6_find_hdr() to be an input-output value. Moreover, if it is
non-zero, it MUST point to a valid IPv6 header embedded in the
packet.
 2012-07-21 15:42:02 +02:00
Jan Engelhardt
5f6cbbc663 Xtables-addons 1.45 2012-07-16 05:39:32 +02:00
Jan Engelhardt
a2676585da build: avoid use of unexported functions 
Fixes: "WARNING 'ipv6_find_hdr' [xt_TARPIT.ko] not found" in
<= linux-2.6.37.
 2012-07-16 05:36:41 +02:00
Jan Engelhardt
4a8aab6aed fix: "WARNING 'xtnu_ipv6_find_hdr' [.ko] not found" 2012-07-16 05:34:24 +02:00
109 changed files with 1195 additions and 4636 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1,3 +1,4 @@
*.gcno
*.la
*.lo
*.loT

9
INSTALL
View File

@@ -14,14 +14,15 @@ Supported configurations for this release
* iptables >= 1.4.5
* kernel-devel >= 2.6.32
* kernel-devel >= 3.7
with prepared build/output directory
- CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
- CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
enabled =y or as module (=m)
- CONFIG_NF_CONNTRACK
- CONFIG_NF_CONNTRACK_MARK enabled =y or as module (=m)
- CONFIG_CONNECTOR y/m if you wish to receive userspace
notifications from pknock through netlink/connector
(Use xtables-addons-1.x if you need support for Linux < 3.7.)
Selecting extensions
====================

6
Makefile.am
View File

@@ -11,8 +11,10 @@ FORCE:
xtables-addons.8: FORCE
${MAKE} -f Makefile.mans all;
install-exec-hook:
depmod -a || :;
clean-local-mans:
${MAKE} -f Makefile.mans clean;
clean-local: clean-local-mans
config.status: Makefile.iptrules.in

7
Makefile.mans.in
View File

@@ -3,8 +3,8 @@
srcdir := @srcdir@
wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man' | sort)
wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man' | sort)
wcman_matches := $(shell find "${srcdir}/extensions" -name 'libxt_[a-z]*.man' -print | sort)
wcman_targets := $(shell find "${srcdir}/extensions" -name 'libxt_[A-Z]*.man' -print | sort)
wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
@@ -38,3 +38,6 @@ matches.man: .manpages.lst ${wcman_matches}
targets.man: .manpages.lst ${wcman_targets}
$(call man_run,${wlist_targets})
clean:
rm -f xtables-addons.8 matches.man targets.man

12
configure.ac
View File

@@ -1,4 +1,4 @@
AC_INIT([xtables-addons], [1.44])
AC_INIT([xtables-addons], [2.7])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
@@ -31,7 +31,7 @@ xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
AC_ARG_WITH([xtlibdir],
AS_HELP_STRING([--with-xtlibdir=PATH],
[Path where to install Xtables extensions [[autodetect]]]]),
[Path where to install Xtables extensions [[autodetect]]]),
[xtlibdir="$withval"])
AC_MSG_CHECKING([Xtables module directory])
AC_MSG_RESULT([$xtlibdir])
@@ -63,11 +63,11 @@ if test -n "$kbuilddir"; then
echo "WARNING: Version detection did not succeed. Continue at own luck.";
else
echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 4; then
echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
elif test "$kmajor" -eq 3; then
if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 1; then
echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
elif test "$kmajor" -eq 4 -a "$kminor" -le 1; then
:;
elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 32; then
elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
:;
else
echo "WARNING: That kernel version is not officially supported.";

64
doc/api/2.6.17.c
View File

@@ -1,64 +0,0 @@
match:
/* true/false */
int
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop,
);
/* true/false */
int
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
void *userdata,
);
/* true/false */
int
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
);

59
doc/api/2.6.19.c
View File

@@ -1,59 +0,0 @@
match:
/* true/false */
int
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop,
);
/* true/false */
int
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* true/false */
int
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

59
doc/api/2.6.23.c
View File

@@ -1,59 +0,0 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
bool *hotdrop,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

59
doc/api/2.6.24.c
View File

@@ -1,59 +0,0 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
bool *hotdrop,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

39
doc/api/2.6.28.c
View File

@@ -1,39 +0,0 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

38
doc/api/2.6.31.c
View File

@@ -1,38 +0,0 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

39
doc/api/2.6.32.c
View File

@@ -1,39 +0,0 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

513
doc/changelog.txt
View File

@@ -3,480 +3,77 @@ HEAD
====
v1.44 (2012-07-15)
==================
Fixes:
- SYSRQ: fix double target initialization at module load
- build: do not attempt to build IPv6 parts if CONFIG_IP6_NF_IPTABLES=n
Enhancements:
- TARPIT gained IPv6 support
v1.43 (2012-06-30)
==================
Fixes:
- xt_psd: avoid crash due to curr->next corruption
Changes:
- xt_psd: reject invalid match options
Enhancements:
- Support for Linux 3.5
- DNETMAP: new type: static binding
- DNETMAP: new persistent flag option for prefix
- DNETMAP: add write support to procfs interface
v1.42 (2012-04-05)
==================
Fixes:
- compat_xtables: fixed mistranslation of checkentry return values
(affected kernels < 2.6.23)
- xt_SYSRQ: fix compile error when crypto is turned off
Changes:
- ipset6-genl has been dropped from the tree;
the libmnl build-time dependency is thus no longer needed
Enhancements:
- Support for Linux 3.3, 3.4
v1.41 (2012-01-04)
==================
Changes:
- Deactivate build of ipset-genl by default.
I think the original ipset package can now take over, given there are
a handful of kernels (2.6.39 onwards) that do not need patching.
Enhancements:
- Support for Linux 3.2
v1.40 (2011-11-30)
==================
Fixes:
- build: the code actually requires at least iptables 1.4.5 (would yield a
compile error otherwise), make sure configure checks for it; update INSTALL
- xt_ECHO: fix kernel warning about RTAX_HOPLIMIT being used
- xt_ipv4options: fix an infinite loop
Changes:
- xt_ECHO: now calculates UDP checksum
- Linux kernel versions below 2.6.32 are no longer officially
supported, and will not be part of compilation testing.
- update to ipset 6.10
Enhancements:
- xt_ECHO: IPv6 support
v1.39 (2011-09-21)
==================
Fixes:
- libxt_ACCOUNT: fix compilation after missing libxtables_CFLAGS
- build: fix compilation after missing libxtables_CFLAGS in submodules
- build: add missing linux/version.h includes where needed
Changes:
- Remove unsupported ipset 4.x from the Xtables-addons distribution
- ipset: move ipset_errcode from src to library to avoid undefined reference
- update to ipset 6.9.1
v1.38 (2011-08-20)
==================
- xt_CHECKSUM: abort build when the feature is already provided by mainline
- xt_SYSRQ: fix UDPLITE header lookup in IPv6
- xt_TARPIT: fix kernel warning about RTAX_HOPLIMIT being used
- xt_TEE: abort build when the feature is already provided by mainline
- xt_ipp2p: support UDPLITE
- xt_pknock: support UDPLITE
- xt_psd: restore functionality with UDP
- xt_psd: support UDPLITE
- update to ipset 6.8
- support for Linux 3.1
v1.37 (2011-06-25)
==================
Fixes:
- xt_SYSRQ: make IPv6 trigger work again
- xt_SYSRQ: improve security: include host address in digest
- xt_TARPIT: fix a kernel oops in --reset mode
v1.36 (2011-06-03)
==================
Changes:
- xt_geoip: avoid recursive function calls
- xt_TARPIT: unlock for use in all tables
- xt_TARPIT: honeypot and reset modes
- update to ipset 6.7
- support for Linux 3.0
v1.35 (2011-04-11)
==================
Enhancements:
- update to ipset 6.3
* allow "new" as a commad alias to "create"
* resolving IP addresses did not work at listing/saving sets, fixed
* check ICMP and ICMPv6 with the set match and target in the testsuite
* avoid possible syntax clashing at saving hostnames
* fix linking with CONFIG_IPV6=n
* sctp, udplite support for the hash:*port* types
- ipset-genl: handle EAGAIN return value emitted from autoloader
- ipset-genl: resolve nfgenmsg remains and fix spurious protocol abort
v1.34 (2011-04-07)
==================
Fixes:
- xt_pknock: avoid crash when hash TFM could not be allocated
- xt_pknock: avoid inversion of rule lookup that led to warnings
- xt_DNETMAP: add missing module alias
- xt_DNETMAP: support for kernels below 2.6.34
Changes:
- Linux kernel versions below 2.6.29 are no longer officially
supported, and will not be part of compilation testing.
v1.33 (2011-02-02)
==================
Fixes:
- build: restore functionality of `configure --without-kbuild`
- build: fix objdir builds for ipset-5 (xt-a specific)
- build: fix missing inclusion of dependency rules
- xt_LOGMARK: fix detection of untracked connection for Linux >= 2.6.36
Enhancements:
- IPv6 support for xt_geoip
- Update to ipset 5.3
* make IPv4 and IPv6 address handling similar
* show correct line numbers in restore output for parser errors
- Update to ipset 5.4
* fixed ICMP and ICMPv6 handling
* fixed trailing whitespaces and pr_* messages
* fixed module loading at create/header commands
- build: support for Linux up to 2.6.38
- build: preliminary support for iptables 1.4.11
v1.32 (2011-01-04)
==================
Fixes:
- Update to ipset 4.5
* the iptreemap type used wrong gfp flags when deleting entries
- Include ipset 5.2 with genetlink patch (beta)
* no kernel patch needed, but requires Linux >= 2.6.35
and thus needs to be manually enabled in mconfig
v1.31 (2010-11-05)
==================
Fixes:
- build: improve detection of kernel version and error handling
Changes:
- build: automatically derive Xtables module directory, thus
--with-xtlibdir is no longer needed for ./configure in most cases
(If I still see a distro using it, I will scold you for not
reading this changelog.)
Enhancements:
- LOGMARK: print remaining lifetime of cts
- xt_iface: allow matching against incoming/outgoing interface
- libxt_gradm: match packets based on status of grsecurity RBAC
(userspace part only - xt_gradm is in the grsec patch)
v1.30 (2010-010-02)
===================
Fixes:
- update to ipset 4.4
* ipport{,ip,net}hash did not work with mixed "src" and "dst"
destination parameters
Changes:
- deactivate building xt_TEE and xt_CHECKSUM by default, as these have been
merged upstream in Linux 2.6.35 and 2.6.36, respectively.
Distros still wishing to build this need to enable it in their build
script, e.g. perl -i -pe 's{^build_TEE=.*}{build_TEE=m}' mconfig;
v1.29 (2010-09-29)
==================
- compat_xtables: return bool for match_check and target_check in 2.6.23..34
- ipset: enable building of ip_set_ipport{ip,net}hash.ko
- support for Linux 2.6.36
- SYSRQ: resolve compile error with Linux 2.6.36
- TEE: resolve compile error with Linux 2.6.36
- add workaround for broken linux-glibc-devel 2.6.34 userspace headers
("implicit declaration of function 'ALIGN'")
v1.28 (2010-07-24)
==================
- RAWNAT: IPv6 variants erroneously rejected masks /33-/128
- new target xt_CHECKSUM
- xt_length2: add support for IPv6 jumbograms
- xt_geoip: fix possible out-of-bounds access
- import xt_geoip database scripts
v1.27 (2010-05-16)
==================
- further updates for the upcoming 2.6.35 changes
v1.26 (2010-04-30)
==================
- compat_xtables: fix 2.6.34 compile error due to a typo
v1.25 (2010-04-26)
==================
- TEE: do rechecksumming in PREROUTING too
- TEE: decrease TTL on cloned packet
- TEE: set dont-fragment on cloned packets
- TEE: free skb when route lookup failed
- TEE: do not limit use to mangle table
- TEE: do not retain iif and mark on cloned packet
- TEE: new loop detection logic
- TEE: use less expensive pskb_copy
- condition: remove unnecessary RCU protection
v1.24 (2010-03-17)
==================
- build: fix build of userspace modules against old (pre-2.6.25)
headers from linux-glibc-devel (/usr/include/linux)
- ipp2p: updated bittorent command recognition
- SYSRQ: let module load when crypto is unavailable
- SYSRQ: allow processing of UDP-Lite
v1.23 (2010-02-24)
==================
- build: support for Linux 2.6.34
- build: remove unused --with-ksource option
- build: remove unneeded --with-xtables option
- build: fix compilations in RAWNAT, SYSRQ and length2 when CONFIG_IPV6=n
- ipset: update to 4.2
- ECHO: fix compilation w.r.t. skb_dst
v1.22 (2010-01-22)
==================
- compat_xtables: support for 2.6.33 skb_iif changes
- geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip
- ipset: enable build of ip_set_setlist.ko
- quota2: add the --no-change mode
v1.21 (2009-12-09)
==================
- ACCOUNT: avoid collision with arp_tables setsockopt numbers
- doc: fix option mismatch --gw/--gateway in libxt_TEE.man
v1.20 (2009-11-19)
==================
- ipp2p: add more boundary checks
- ipp2p: fix Gnutelle line ending detection
- LOGMARK: remove unknown options from manpage
- ACCOUNT: endianess-correctness
- ipset: install manpage
- ipset: fast forward to v4.1
v1.19 (2009-10-12)
==================
- build: compile fixes for 2.6.31-rt
- build: support for Linux 2.6.32
- ipp2p: try to address underflows
- psd: avoid potential crash when dealing with non-linear skbs
- merge xt_ACCOUNT userspace utilities
- added reworked xt_pknock module
Changes from pknock v0.5:
- pknock: "strict" and "checkip" flags were not displayed in `iptables -L`
- pknock: the GC expire time's lower bound is now the default gc time
(65000 msec) to avoid rendering anti-spoof protection in SPA mode useless
- pknock: avoid crash on memory allocation failure and fix memleak
- pknock: avoid fillup of peer table during DDoS
- pknock: automatic closing of ports
- pknock: make non-zero time mandatory for TCP mode
- pknock: display only pknock mode and state relevant information in procfs
- pknock: check interknock time only for !ST_ALLOWED peers
- pknock: preserve time/autoclose values for rules added in
reverse/arbitrary order
- pknock: add a manpage
v1.18 (2009-09-09)
==================
- build: support for Linux 2.6.31
- ipset: fast forward to v3.2
- quota2: support anonymous counters
- quota2: reduce memory footprint for anonymous counters
- quota2: extend locked period during cleanup (locking bugfix)
- quota2: use strtoull instead of strtoul
- merged xt_ACCOUNT module
- merged xt_psd module
v1.17 (2009-06-16)
==================
- IPMARK: print missing --shift parameter
- build: use readlink -f in extensions/ipset/
- build: support for Linux 2.6.30
v1.16 (2009-05-27)
==================
- RAWNAT: make iptable_rawpost compile with 2.6.30-rc5
- ipset: fast forward to 3.0
v1.15 (2009-04-30)
==================
- build: add kernel version check to configure
- condition: compile fix for 2.6.30-rc
- condition: fix intrapositional negation sign
- fuzzy: fix bogus comparison logic leftover from move to new 1.4.3 API
- ipp2p: fix bogus varargs call
- ipp2p: fix typo in error message
- added "iface" match
- added rawpost table (for use with RAWNAT)
- added RAWSNAT/RAWDNAT targets
v1.14 (2009-03-31)
==================
- fuzzy: need to account for kernel-level modified variables in .userspacesize
- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
- SYSRQ: ignore non-UDP packets
- SYSRQ: do proper L4 header access in IPv6 code
(must not use tcp/udp_hdr in input path)
- add "STEAL" target
- dhcpmac: rename from dhcpaddr
v1.13 (2009-03-23)
==================
- added a reworked ipv4options match
- upgrade to iptables 1.4.3 API
v1.12 (2009-03-07)
==================
- ipset: fix for compilation with 2.6.29-rt
- ipset: fast forward to 2.5.0
- rename xt_portscan to xt_lscan ("low-level scan") because
"portscan" as a word caused confusion
- xt_LOGMARK: print incoming interface index
- revert "TEE: do not use TOS for routing"
- xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n
- xt_TEE: enable routing by iif, nfmark and flowlabel
v1.10 (2009-02-18)
==================
- compat: compile fixes for 2.6.29
- ipset: upgrade to ipset 2.4.9
v1.9 (2009-01-30)
v2.7 (2015-07-06)
=================
- add the xt_length2 extension
- xt_TEE: remove intrapositional '!' support
- ipset: upgrade to ipset 2.4.7
Enhancements:
- Support for Linux up to 4.1
v1.8 (2009-01-10)
v2.6 (2014-09-29)
=================
- xt_TEE: IPv6 support
- xt_TEE: do not include TOS value in routing decision
- xt_TEE: fix switch-case inversion for name/IP display
- xt_ipp2p: update manpages and help text
- xt_ipp2p: remove log flooding
- xt_portscan: update manpage about --grscan option caveats
Enhancements:
- Support for Linux up to 3.17
Fixes:
- xt_pknock: UDP SPA mode erroneously returned an error saying
crypto was unavailable
v1.7 (2008-12-25)
v2.5 (2014-04-18)
=================
- xt_ECHO: compile fix
- avoid the use of "_init" which led to compile errors on some installations
- build: do not unconditionally install ipset
- doc: add manpages for xt_ECHO and xt_TEE
- xt_ipp2p: kazaa detection code cleanup
- xt_ipp2p: fix newline inspection in kazaa detection
- xt_ipp2p: ensure better array bounds checking
- xt_SYSRQ: improve security by hashing password
Enhancements:
- Support for Linux up to 3.15
- xt_quota2: introduce support for network namespaces
v1.6 (2008-11-18)
v2.4 (2014-01-09)
=================
- build: support for Linux 2.6.17
- build: compile fixes for 2.6.18 and 2.6.19
- xt_ECHO: resolve compile errors in xt_ECHO
- xt_ipp2p: parenthesize unaligned-access macros
Enhancements:
- Support for Linux up to 3.13
Changes:
- remove unmaintained RAWSNAT/RAWDNAT code
- remove unused parts of compat_xtables that served Linux <3.7
Fixes:
- xt_quota2: --no-change should not alter quota to zero ever
- xt_quota2: --packet should not be set to zero based on skb->len
v1.5.7 (2008-09-01)
===================
- API layer: fix use of uninitialized 'hotdrop' variable
- API layer: move to pskb-based signatures
- xt_SYSRQ: compile fixes for Linux <= 2.6.19
- ipset: adjust semaphore.h include for Linux >= 2.6.27
- build: automatically run `depmod -a` on installation
- add reworked xt_fuzzy module
- add DHCP address match and mangle module
- xt_portscan: IPv6 support
- xt_SYSRQ: add missing module aliases
v2.3 (2013-06-18)
=================
Enhancements:
- Support for Linux 3.10
Fixes:
- xt_DNETMAP, xt_condition, xt_quota2: resolve compile error when
CONFIG_UIDGID_STRICT_TYPE_CHECKS=y
- xt_RAWNAT: ensure correct operation in the presence of IPv4 options
- xt_geoip: do not throw a warnings when country database is size 0
- xt_quota2: print "!" at the correct position during iptables-save
Changes:
- Make print (iptables -L) output the same as save (-S)
v1.5.5 (2008-08-03)
===================
- manpage updates for xt_CHAOS, xt_IPMARK; README updates
- build: properly recognize external Kbuild/Mbuild files
- build: remove dependency on CONFIG_NETWORK_SECMARK
- add the xt_SYSRQ target
- add the xt_quota2 extension
- import ipset extension group
v2.2 (2013-03-31)
=================
Enhancements:
- Support for Linux 3.9
- iptaccount: fix entire program being erroneously optimized away on PPC
v1.5.4.1 (2008-04-26)
=====================
- build: fix compile error for 2.6.18-stable
v2.1 (2012-11-27)
=================
Fixes:
- DNETMAP: fix compile error with Linux 3.7
Enhancements:
- Support for Linux 3.8
v1.5.4 (2008-04-09)
===================
- build: support building multiple files with one config option
- API layer: add check for pskb relocation
- doc: generate manpages
- xt_ECHO: catch skb_linearize out-of-memory condition
- xt_LOGMARK: add hook= and ctdir= fields in dump
- xt_LOGMARK: fix comma output in ctstatus= list
- xt_TEE: fix address copying bug
- xt_TEE: make skb writable before attempting checksum update
- add reworked xt_condition match
- add reworked xt_ipp2p match
- add reworked xt_IPMARK target
v2.0 (2012-11-12)
=================
Changes:
- remove support for Linux 2.6.173.6
- remove xt_TEE (this is available upstream since 2.6.35)
- remove xt_CHECKSUM (this is available upstream since 2.6.36)
Enhancements:
- Support for Linux 3.7
v1.5.3 (2008-03-22)
===================
- support for Linux 2.6.18
- add xt_ECHO sample target
- add reworked xt_geoip match
v1.5.2 (2008-03-04)
===================
- build: support for GNU make < 3.81 which does not have $(realpath)
v1.5.1 (2008-02-21)
===================
- build: allow user to select what extensions to compile and install
- build: allow external proejcts to be downloaded into the tree
- xt_LOGMARK: dump classify mark, ctstate and ctstatus
- add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
v1.5.0 (2008-02-11)
===================
Initial release with:
- extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
- support for Linux >= 2.6.19
If you want to use Xtables-addons with kernels older than 3.7,
use the addons 1.x series (maintained but without new features).

20
extensions/ACCOUNT/iptaccount.c
View File

@@ -64,7 +64,7 @@ int main(int argc, char *argv[])
struct ipt_ACCOUNT_context ctx;
struct ipt_acc_handle_ip *entry;
int i;
char optchar;
int optchar;
bool doHandleUsage = false, doHandleFree = false, doTableNames = false;
bool doFlush = false, doContinue = false, doCSV = false;
@@ -200,13 +200,19 @@ int main(int argc, char *argv[])
while ((entry = ipt_ACCOUNT_get_next_entry(&ctx)) != NULL)
{
if (doCSV)
printf("%s;%u;%u;%u;%u\n",
addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
entry->dst_packets, entry->dst_bytes);
printf("%s;%llu;%llu;%llu;%llu\n",
addr_to_dotted(entry->ip),
(unsigned long long)entry->src_packets,
(unsigned long long)entry->src_bytes,
(unsigned long long)entry->dst_packets,
(unsigned long long)entry->dst_bytes);
else
printf("IP: %s SRC packets: %u bytes: %u DST packets: %u bytes: %u\n",
addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
entry->dst_packets, entry->dst_bytes);
printf("IP: %s SRC packets: %llu bytes: %llu DST packets: %llu bytes: %llu\n",
addr_to_dotted(entry->ip),
(unsigned long long)entry->src_packets,
(unsigned long long)entry->src_bytes,
(unsigned long long)entry->dst_packets,
(unsigned long long)entry->dst_bytes);
}
if (doContinue)

47
extensions/ACCOUNT/xt_ACCOUNT.c
View File

@@ -22,11 +22,7 @@
#include <net/tcp.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,27)
#include <linux/semaphore.h>
#else
#include <asm/semaphore.h>
#endif
#include <linux/semaphore.h>
#include <linux/kernel.h>
#include <linux/mm.h>
@@ -77,13 +73,13 @@ struct ipt_acc_handle {
};
/* Used for every IP entry
Size is 16 bytes so that 256 (class C network) * 16
fits in one kernel (zero) page */
Size is 32 bytes so that 256 (class C network) * 16
fits in a double kernel (zero) page (two consecutive kernel pages)*/
struct ipt_acc_ip {
uint32_t src_packets;
uint32_t src_bytes;
uint32_t dst_packets;
uint32_t dst_bytes;
uint64_t src_packets;
uint64_t src_bytes;
uint64_t dst_packets;
uint64_t dst_bytes;
};
/*
@@ -113,14 +109,14 @@ static DEFINE_SPINLOCK(ipt_acc_lock);
/* Mutex (semaphore) used for manipulating userspace handles/snapshot data */
static struct semaphore ipt_acc_userspace_mutex;
/* Allocates a page and clears it */
/* Allocates a page pair and clears it */
static void *ipt_acc_zalloc_page(void)
{
// Don't use get_zeroed_page until it's fixed in the kernel.
// get_zeroed_page(GFP_ATOMIC)
void *mem = (void *)__get_free_page(GFP_ATOMIC);
void *mem = (void *)__get_free_pages(GFP_ATOMIC, 2);
if (mem) {
memset (mem, 0, PAGE_SIZE);
memset(mem, 0, 2 *PAGE_SIZE);
}
return mem;
@@ -135,7 +131,7 @@ static void ipt_acc_data_free(void *data, uint8_t depth)
/* Free for 8 bit network */
if (depth == 0) {
free_page((unsigned long)data);
free_pages((unsigned long)data, 2);
return;
}
@@ -148,7 +144,7 @@ static void ipt_acc_data_free(void *data, uint8_t depth)
free_page((unsigned long)mask_16->mask_24[b]);
}
}
free_page((unsigned long)data);
free_pages((unsigned long)data, 2);
return;
}
@@ -168,7 +164,7 @@ static void ipt_acc_data_free(void *data, uint8_t depth)
free_page((unsigned long)mask_16);
}
}
free_page((unsigned long)data);
free_pages((unsigned long)data, 2);
return;
}
@@ -478,14 +474,15 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
}
}
static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action_param *par)
static unsigned int
ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ipt_acc_info *info =
par->targinfo;
__be32 src_ip = ip_hdr(*pskb)->saddr;
__be32 dst_ip = ip_hdr(*pskb)->daddr;
uint32_t size = ntohs(ip_hdr(*pskb)->tot_len);
__be32 src_ip = ip_hdr(skb)->saddr;
__be32 dst_ip = ip_hdr(skb)->daddr;
uint32_t size = ntohs(ip_hdr(skb)->tot_len);
spin_lock_bh(&ipt_acc_lock);
@@ -541,7 +538,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
/*
Functions dealing with "handles":
Handles are snapshots of a accounting state.
Handles are snapshots of an accounting state.
read snapshots are only for debugging the code
and are very expensive concerning speed/memory
@@ -1123,7 +1120,7 @@ static int __init account_tg_init(void)
ACCOUNT_MAX_HANDLES * sizeof(struct ipt_acc_handle));
/* Allocate one page as temporary storage */
if ((ipt_acc_tmpbuf = (void*)__get_free_page(GFP_KERNEL)) == NULL) {
if ((ipt_acc_tmpbuf = (void *)__get_free_pages(GFP_KERNEL, 2)) == NULL) {
printk("ACCOUNT: Out of memory for temporary buffer page\n");
goto error_cleanup;
}
@@ -1145,7 +1142,7 @@ error_cleanup:
if (ipt_acc_handles)
kfree(ipt_acc_handles);
if (ipt_acc_tmpbuf)
free_page((unsigned long)ipt_acc_tmpbuf);
free_pages((unsigned long)ipt_acc_tmpbuf, 2);
return -EINVAL;
}
@@ -1158,7 +1155,7 @@ static void __exit account_tg_exit(void)
kfree(ipt_acc_tables);
kfree(ipt_acc_handles);
free_page((unsigned long)ipt_acc_tmpbuf);
free_pages((unsigned long)ipt_acc_tmpbuf, 2);
}
module_init(account_tg_init);

10
extensions/ACCOUNT/xt_ACCOUNT.h
View File

@@ -59,11 +59,11 @@ struct ipt_acc_handle_sockopt {
Used for every IP when returning data
*/
struct ipt_acc_handle_ip {
__be32 ip;
uint32_t src_packets;
uint32_t src_bytes;
uint32_t dst_packets;
uint32_t dst_bytes;
__be32 ip, __dummy;
uint64_t src_packets;
uint64_t src_bytes;
uint64_t dst_packets;
uint64_t dst_bytes;
};
#endif /* _IPT_ACCOUNT_H */

7
extensions/Kbuild
View File

@@ -7,7 +7,6 @@ obj-m += compat_xtables.o
obj-${build_ACCOUNT} += ACCOUNT/
obj-${build_CHAOS} += xt_CHAOS.o
obj-${build_CHECKSUM} += xt_CHECKSUM.o
obj-${build_DELUDE} += xt_DELUDE.o
obj-${build_DHCPMAC} += xt_DHCPMAC.o
obj-${build_DNETMAP} += xt_DNETMAP.o
@@ -16,14 +15,8 @@ obj-${build_ECHO} += xt_ECHO.o
endif
obj-${build_IPMARK} += xt_IPMARK.o
obj-${build_LOGMARK} += xt_LOGMARK.o
obj-${build_RAWNAT} += xt_RAWNAT.o iptable_rawpost.o
ifneq (${CONFIG_IP6_NF_IPTABLES},)
obj-${build_RAWNAT} += ip6table_rawpost.o
endif
obj-${build_SYSRQ} += xt_SYSRQ.o
obj-${build_STEAL} += xt_STEAL.o
obj-${build_TARPIT} += xt_TARPIT.o
obj-${build_TEE} += xt_TEE.o
obj-${build_condition} += xt_condition.o
obj-${build_fuzzy} += xt_fuzzy.o
obj-${build_geoip} += xt_geoip.o

4
extensions/Mbuild
View File

@@ -2,18 +2,14 @@
obj-${build_ACCOUNT} += ACCOUNT/
obj-${build_CHAOS} += libxt_CHAOS.so
obj-${build_CHECKSUM} += libxt_CHECKSUM.so
obj-${build_DELUDE} += libxt_DELUDE.so
obj-${build_DHCPMAC} += libxt_DHCPMAC.so libxt_dhcpmac.so
obj-${build_DNETMAP} += libxt_DNETMAP.so
obj-${build_ECHO} += libxt_ECHO.so
obj-${build_IPMARK} += libxt_IPMARK.so
obj-${build_LOGMARK} += libxt_LOGMARK.so
obj-${build_RAWNAT} += libxt_RAWDNAT.so libxt_RAWSNAT.so
obj-${build_STEAL} += libxt_STEAL.so
obj-${build_SYSRQ} += libxt_SYSRQ.so
obj-${build_TARPIT} += libxt_TARPIT.so
obj-${build_TEE} += libxt_TEE.so
obj-${build_condition} += libxt_condition.so
obj-${build_fuzzy} += libxt_fuzzy.so
obj-${build_geoip} += libxt_geoip.so

14
extensions/compat_nfinetaddr.h
View File

@@ -1,14 +0,0 @@
#ifndef _COMPAT_NFINETADDR_H
#define _COMPAT_NFINETADDR_H 1
#include <linux/in.h>
#include <linux/in6.h>
union nf_inet_addr {
__be32 ip;
__be32 ip6[4];
struct in_addr in;
struct in6_addr in6;
};
#endif /* _COMPAT_NFINETADDR_H */

87
extensions/compat_rawpost.h
View File

@@ -1,87 +0,0 @@
#ifndef XTA_COMPAT_RAWPOST_H
#define XTA_COMPAT_RAWPOST_H 1
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
typedef struct sk_buff sk_buff_t;
#else
typedef struct sk_buff *sk_buff_t;
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
#define XT_TARGET_INIT(__name, __size) \
{ \
.target.u.user = { \
.target_size = XT_ALIGN(__size), \
.name = __name, \
}, \
}
#define IPT_ENTRY_INIT(__size) \
{ \
.target_offset = sizeof(struct ipt_entry), \
.next_offset = (__size), \
}
#define IPT_STANDARD_INIT(__verdict) \
{ \
.entry = IPT_ENTRY_INIT(sizeof(struct ipt_standard)), \
.target = XT_TARGET_INIT(IPT_STANDARD_TARGET, \
sizeof(struct xt_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
#define IPT_ERROR_INIT \
{ \
.entry = IPT_ENTRY_INIT(sizeof(struct ipt_error)), \
.target = XT_TARGET_INIT(IPT_ERROR_TARGET, \
sizeof(struct ipt_error_target)), \
.target.errorname = "ERROR", \
}
#define IP6T_ENTRY_INIT(__size) \
{ \
.target_offset = sizeof(struct ip6t_entry), \
.next_offset = (__size), \
}
#define IP6T_STANDARD_INIT(__verdict) \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
.target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \
sizeof(struct ip6t_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
#define IP6T_ERROR_INIT \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
.target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \
sizeof(struct ip6t_error_target)), \
.target.errorname = "ERROR", \
}
#endif /* 2.6.21 */
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
# include <linux/netfilter_ipv6/ip6_tables.h>
/* Standard entry */
struct ip6t_standard
{
struct ip6t_entry entry;
struct ip6t_standard_target target;
};
struct ip6t_error_target
{
struct ip6t_entry_target target;
char errorname[IP6T_FUNCTION_MAXNAMELEN];
};
struct ip6t_error
{
struct ip6t_entry entry;
struct ip6t_error_target target;
};
#endif /* 2.6.20 */
#endif /* XTA_COMPAT_RAWPOST_H */

50
extensions/compat_skbuff.h
View File

@@ -4,34 +4,8 @@
struct tcphdr;
struct udphdr;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 30)
static inline void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
{
skb->dst = dst;
}
static inline struct dst_entry *skb_dst(const struct sk_buff *skb)
{
return skb->dst;
}
static inline struct rtable *skb_rtable(const struct sk_buff *skb)
{
return (void *)skb->dst;
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define skb_ifindex(skb) \
(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
# define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
# define skb_ifindex(skb) (skb)->iif
# define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
#else
# define skb_ifindex(skb) (skb)->skb_iif
# define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
#endif
#define skb_ifindex(skb) (skb)->skb_iif
#define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
#ifdef CONFIG_NETWORK_SECMARK
# define skb_secmark(skb) ((skb)->secmark)
@@ -39,24 +13,4 @@ static inline struct rtable *skb_rtable(const struct sk_buff *skb)
# define skb_secmark(skb) 0
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
# define ip_hdr(skb) ((skb)->nh.iph)
# define ip_hdrlen(skb) (ip_hdr(skb)->ihl * 4)
# define ipv6_hdr(skb) ((skb)->nh.ipv6h)
# define skb_network_header(skb) ((skb)->nh.raw)
# define skb_transport_header(skb) ((skb)->h.raw)
static inline void skb_reset_network_header(struct sk_buff *skb)
{
skb->nh.raw = skb->data;
}
static inline struct tcphdr *tcp_hdr(const struct sk_buff *skb)
{
return (void *)skb_transport_header(skb);
}
static inline struct udphdr *udp_hdr(const struct sk_buff *skb)
{
return (void *)skb_transport_header(skb);
}
#endif
#endif /* COMPAT_SKBUFF_H */

595
extensions/compat_xtables.c
View File

@@ -1,6 +1,6 @@
/*
* API compat layer
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
* written by Jan Engelhardt, 2008 - 2010
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License, either
@@ -21,588 +21,13 @@
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/route.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 2, 0)
# include <linux/export.h>
#endif
#include <linux/export.h>
#include "compat_skbuff.h"
#include "compat_xtnu.h"
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
# define WITH_IPV6 1
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static int xtnu_match_run(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *cm, const void *matchinfo, int offset,
unsigned int protoff, int *hotdrop)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static bool xtnu_match_run(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *cm, const void *matchinfo, int offset,
unsigned int protoff, bool *hotdrop)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_match *nm = xtcompat_numatch(cm);
bool lo_ret;
struct xt_action_param local_par;
local_par.in = in;
local_par.out = out;
local_par.match = cm;
local_par.matchinfo = matchinfo;
local_par.fragoff = offset;
local_par.thoff = protoff;
local_par.hotdrop = false;
local_par.family = NFPROTO_UNSPEC; /* don't have that info */
if (nm == NULL || nm->match == NULL)
return false;
lo_ret = nm->match(skb, &local_par);
*hotdrop = local_par.hotdrop;
return lo_ret;
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static bool xtnu_match_run(const struct sk_buff *skb,
const struct xt_match_param *par)
{
struct xtnu_match *nm = xtcompat_numatch(par->match);
struct xt_action_param local_par;
bool ret;
local_par.in = par->in;
local_par.out = par->out;
local_par.match = par->match;
local_par.matchinfo = par->matchinfo;
local_par.fragoff = par->fragoff;
local_par.thoff = par->thoff;
local_par.hotdrop = false;
local_par.family = par->family;
if (nm == NULL || nm->match == NULL)
return false;
ret = nm->match(skb, &local_par);
*par->hotdrop = local_par.hotdrop;
return ret;
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static int xtnu_match_check(const char *table, const void *entry,
const struct xt_match *cm, void *matchinfo, unsigned int matchinfosize,
unsigned int hook_mask)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static int xtnu_match_check(const char *table, const void *entry,
const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static bool xtnu_match_check(const char *table, const void *entry,
const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_match *nm = xtcompat_numatch(cm);
struct xt_mtchk_param local_par = {
.table = table,
.entryinfo = entry,
.match = cm,
.matchinfo = matchinfo,
.hook_mask = hook_mask,
.family = NFPROTO_UNSPEC,
};
if (nm == NULL)
return false;
if (nm->checkentry == NULL)
return true;
return nm->checkentry(&local_par) == 0;
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static bool xtnu_match_check(const struct xt_mtchk_param *par)
{
struct xtnu_match *nm = xtcompat_numatch(par->match);
if (nm == NULL)
return false;
if (nm->checkentry == NULL)
return true;
return nm->checkentry(par) == 0;
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo,
unsigned int matchinfosize)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_match *nm = xtcompat_numatch(cm);
struct xt_mtdtor_param local_par = {
.match = cm,
.matchinfo = matchinfo,
.family = NFPROTO_UNSPEC,
};
if (nm != NULL && nm->destroy != NULL)
nm->destroy(&local_par);
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
int xtnu_register_match(struct xtnu_match *nt)
{
struct xt_match *ct;
char *tmp;
int ret;
ct = kzalloc(sizeof(struct xt_match), GFP_KERNEL);
if (ct == NULL)
return -ENOMEM;
tmp = (char *)ct->name;
memcpy(tmp, nt->name, sizeof(nt->name));
tmp = (char *)(ct->name + sizeof(ct->name) - sizeof(void *));
*(tmp-1) = '\0';
memcpy(tmp, &nt, sizeof(void *));
ct->revision = nt->revision;
ct->family = nt->family;
ct->table = (char *)nt->table;
ct->hooks = nt->hooks;
ct->proto = nt->proto;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
ct->match = xtnu_match_run;
ct->checkentry = xtnu_match_check;
ct->destroy = xtnu_match_destroy;
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
ct->match = xtnu_match_run;
ct->checkentry = xtnu_match_check;
ct->destroy = nt->destroy;
#else
ct->match = nt->match;
ct->checkentry = xtnu_match_check;
ct->destroy = nt->destroy;
#endif
ct->matchsize = nt->matchsize;
ct->me = nt->me;
nt->__compat_match = ct;
ret = xt_register_match(ct);
if (ret != 0)
kfree(ct);
return ret;
}
EXPORT_SYMBOL_GPL(xtnu_register_match);
int xtnu_register_matches(struct xtnu_match *nt, unsigned int num)
{
unsigned int i;
int ret;
for (i = 0; i < num; ++i) {
ret = xtnu_register_match(&nt[i]);
if (ret < 0) {
if (i > 0)
xtnu_unregister_matches(nt, i);
return ret;
}
}
return 0;
}
EXPORT_SYMBOL_GPL(xtnu_register_matches);
void xtnu_unregister_match(struct xtnu_match *nt)
{
xt_unregister_match(nt->__compat_match);
kfree(nt->__compat_match);
}
EXPORT_SYMBOL_GPL(xtnu_unregister_match);
void xtnu_unregister_matches(struct xtnu_match *nt, unsigned int num)
{
unsigned int i;
for (i = 0; i < num; ++i)
xtnu_unregister_match(&nt[i]);
}
EXPORT_SYMBOL_GPL(xtnu_unregister_matches);
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static unsigned int xtnu_target_run(struct sk_buff **pskb,
const struct net_device *in, const struct net_device *out,
unsigned int hooknum, const struct xt_target *ct, const void *targinfo,
void *userdata)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
static unsigned int xtnu_target_run(struct sk_buff **pskb,
const struct net_device *in, const struct net_device *out,
unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static unsigned int xtnu_target_run(struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_target *nt = xtcompat_nutarget(ct);
struct xt_action_param local_par;
local_par.in = in;
local_par.out = out;
local_par.hooknum = hooknum;
local_par.target = ct;
local_par.targinfo = targinfo;
local_par.family = NFPROTO_UNSPEC;
if (nt != NULL && nt->target != NULL)
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return nt->target(pskb, &local_par);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
return nt->target(&skb, &local_par);
#endif
return XT_CONTINUE;
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static unsigned int
xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
{
struct xtnu_target *nt = xtcompat_nutarget(par->target);
struct xt_action_param local_par;
local_par.in = par->in;
local_par.out = par->out;
local_par.hooknum = par->hooknum;
local_par.target = par->target;
local_par.targinfo = par->targinfo;
local_par.family = par->family;
return nt->target(&skb, &local_par);
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
static unsigned int
xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
{
struct xtnu_target *nt = xtcompat_nutarget(par->target);
return nt->target(&skb, par);
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static int xtnu_target_check(const char *table, const void *entry,
const struct xt_target *ct, void *targinfo,
unsigned int targinfosize, unsigned int hook_mask)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static int xtnu_target_check(const char *table, const void *entry,
const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static bool xtnu_target_check(const char *table, const void *entry,
const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_target *nt = xtcompat_nutarget(ct);
struct xt_tgchk_param local_par = {
.table = table,
.entryinfo = entry,
.target = ct,
.targinfo = targinfo,
.hook_mask = hook_mask,
.family = NFPROTO_UNSPEC,
};
if (nt == NULL)
return false;
if (nt->checkentry == NULL)
/* this is valid, just like if there was no function */
return true;
return nt->checkentry(&local_par) == 0;
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static bool xtnu_target_check(const struct xt_tgchk_param *par)
{
struct xtnu_target *nt = xtcompat_nutarget(par->target);
if (nt == NULL)
return false;
if (nt->checkentry == NULL)
return true;
return nt->checkentry(par) == 0;
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo,
unsigned int targinfosize)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_target *nt = xtcompat_nutarget(ct);
struct xt_tgdtor_param local_par = {
.target = ct,
.targinfo = targinfo,
.family = NFPROTO_UNSPEC,
};
if (nt != NULL && nt->destroy != NULL)
nt->destroy(&local_par);
}
#endif
int xtnu_register_target(struct xtnu_target *nt)
{
struct xt_target *ct;
char *tmp;
int ret;
ct = kzalloc(sizeof(struct xt_target), GFP_KERNEL);
if (ct == NULL)
return -ENOMEM;
tmp = (char *)ct->name;
memcpy(tmp, nt->name, sizeof(nt->name));
tmp = (char *)(ct->name + sizeof(ct->name) - sizeof(void *));
*(tmp-1) = '\0';
memcpy(tmp, &nt, sizeof(void *));
ct->revision = nt->revision;
ct->family = nt->family;
ct->table = (char *)nt->table;
ct->hooks = nt->hooks;
ct->proto = nt->proto;
ct->target = xtnu_target_run;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
ct->checkentry = xtnu_target_check;
ct->destroy = xtnu_target_destroy;
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
ct->checkentry = xtnu_target_check;
ct->destroy = nt->destroy;
#else
ct->checkentry = nt->checkentry;
ct->destroy = nt->destroy;
#endif
ct->targetsize = nt->targetsize;
ct->me = nt->me;
nt->__compat_target = ct;
ret = xt_register_target(ct);
if (ret != 0)
kfree(ct);
return ret;
}
EXPORT_SYMBOL_GPL(xtnu_register_target);
int xtnu_register_targets(struct xtnu_target *nt, unsigned int num)
{
unsigned int i;
int ret;
for (i = 0; i < num; ++i) {
ret = xtnu_register_target(&nt[i]);
if (ret < 0) {
if (i > 0)
xtnu_unregister_targets(nt, i);
return ret;
}
}
return 0;
}
EXPORT_SYMBOL_GPL(xtnu_register_targets);
void xtnu_unregister_target(struct xtnu_target *nt)
{
xt_unregister_target(nt->__compat_target);
kfree(nt->__compat_target);
}
EXPORT_SYMBOL_GPL(xtnu_unregister_target);
void xtnu_unregister_targets(struct xtnu_target *nt, unsigned int num)
{
unsigned int i;
for (i = 0; i < num; ++i)
xtnu_unregister_target(&nt[i]);
}
EXPORT_SYMBOL_GPL(xtnu_unregister_targets);
struct xt_match *xtnu_request_find_match(unsigned int af, const char *name,
uint8_t revision)
{
static const char *const xt_prefix[] = {
[AF_UNSPEC] = "x",
[AF_INET] = "ip",
[AF_INET6] = "ip6",
#ifdef AF_ARP
[AF_ARP] = "arp",
#elif defined(NF_ARP) && NF_ARP != AF_UNSPEC
[NF_ARP] = "arp",
#endif
};
struct xt_match *match;
match = try_then_request_module(xt_find_match(af, name, revision),
"%st_%s", xt_prefix[af], name);
if (IS_ERR(match) || match == NULL)
return NULL;
return match;
}
EXPORT_SYMBOL_GPL(xtnu_request_find_match);
int xtnu_ip_route_me_harder(struct sk_buff **pskb, unsigned int addr_type)
{
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
/* Actually this one is valid up to 2.6.18.4, but changed in 2.6.18.5 */
return ip_route_me_harder(pskb);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return ip_route_me_harder(pskb, addr_type);
#else
return ip_route_me_harder(*pskb, addr_type);
#endif
}
EXPORT_SYMBOL_GPL(xtnu_ip_route_me_harder);
int xtnu_skb_make_writable(struct sk_buff **pskb, unsigned int len)
{
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return skb_make_writable(pskb, len);
#else
return skb_make_writable(*pskb, len);
#endif
}
EXPORT_SYMBOL_GPL(xtnu_skb_make_writable);
#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 24)
static int __xtnu_ip_local_out(struct sk_buff *skb)
{
struct iphdr *iph = ip_hdr(skb);
iph->tot_len = htons(skb->len);
ip_send_check(iph);
return nf_hook(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
skb->dst->dev, dst_output);
}
int xtnu_ip_local_out(struct sk_buff *skb)
{
int err;
err = __xtnu_ip_local_out(skb);
if (likely(err == 1))
err = dst_output(skb);
return err;
}
EXPORT_SYMBOL_GPL(xtnu_ip_local_out);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
static int __xtnu_ip_local_out(struct sk_buff **pskb)
{
struct iphdr *iph = ip_hdr(*pskb);
iph->tot_len = htons((*pskb)->len);
ip_send_check(iph);
return nf_hook(PF_INET, NF_IP_LOCAL_OUT, pskb, NULL,
(*pskb)->dst->dev, dst_output);
}
int xtnu_ip_local_out(struct sk_buff *skb)
{
int err;
err = __xtnu_ip_local_out(&skb);
if (likely(err == 1))
err = dst_output(skb);
return err;
}
EXPORT_SYMBOL_GPL(xtnu_ip_local_out);
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
int xtnu_ip_route_output_key(void *net, struct rtable **rp, struct flowi *flp)
{
return ip_route_output_flow(rp, flp, NULL, 0);
}
EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key);
void xtnu_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
__be32 from, __be32 to, bool pseudohdr)
{
__be32 diff[] = {~from, to};
const void *dv = diff; /* kludge for < v2.6.19-555-g72685fc */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
if (skb->ip_summed != CHECKSUM_PARTIAL) {
*sum = csum_fold(csum_partial(dv, sizeof(diff),
~csum_unfold(*sum)));
if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
skb->csum = ~csum_partial(dv, sizeof(diff),
~skb->csum);
} else if (pseudohdr) {
*sum = ~csum_fold(csum_partial(dv, sizeof(diff),
csum_unfold(*sum)));
}
#else
*sum = csum_fold(csum_partial(dv, sizeof(diff),
~csum_unfold(*sum)));
#endif
}
EXPORT_SYMBOL_GPL(xtnu_proto_csum_replace4);
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
int xtnu_neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb)
{
unsigned int hh_alen;
read_lock_bh(&hh->hh_lock);
hh_alen = HH_DATA_ALIGN(hh->hh_len);
memcpy(skb->data - hh_alen, hh->hh_data, hh_alen);
read_unlock_bh(&hh->hh_lock);
skb_push(skb, hh->hh_len);
return hh->hh_output(skb);
}
EXPORT_SYMBOL_GPL(xtnu_neigh_hh_output);
static inline __wsum xtnu_csum_unfold(__sum16 n)
{
return (__force __wsum)n;
}
void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
{
__be32 diff[] = {~from, to};
*sum = csum_fold(csum_partial((char *)diff, sizeof(diff),
~xtnu_csum_unfold(*sum)));
}
void xtnu_csum_replace2(__sum16 *sum, __be16 from, __be16 to)
{
xtnu_csum_replace4(sum, (__force __be32)from, (__force __be32)to);
}
EXPORT_SYMBOL_GPL(xtnu_csum_replace2);
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
int xtnu_skb_linearize(struct sk_buff *skb)
{
return skb_linearize(skb, GFP_ATOMIC);
}
EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
#endif
void *HX_memmem(const void *space, size_t spacesize,
const void *point, size_t pointsize)
{
@@ -617,20 +42,4 @@ void *HX_memmem(const void *space, size_t spacesize,
}
EXPORT_SYMBOL_GPL(HX_memmem);
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0) && defined(WITH_IPV6)
int xtnu_ipv6_skip_exthdr(const struct sk_buff *skb, int start,
uint8_t *nexthdrp, __be16 *fragoffp)
{
return ipv6_skip_exthdr(skb, start, nexthdrp);
}
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0) && defined(WITH_IPV6)
int xtnu_ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
int target, unsigned short *fragoff, int *fragflg)
{
return ipv6_find_hdr(skb, offset, target, fragoff);
}
#endif
MODULE_LICENSE("GPL");

121
extensions/compat_xtables.h
View File

@@ -8,8 +8,12 @@
#define DEBUGP Use__pr_debug__instead
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
# warning Kernels below 2.6.17 not supported.
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0)
# warning Kernels below 3.7 not supported.
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)
# define prandom_u32() random32()
#endif
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
@@ -17,86 +21,8 @@
# warning You have CONFIG_NF_CONNTRACK enabled, but CONFIG_NF_CONNTRACK_MARK is not (please enable).
# endif
# include <net/netfilter/nf_conntrack.h>
#elif defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
# if !defined(CONFIG_IP_NF_CONNTRACK_MARK)
# warning You have CONFIG_IP_NF_CONNTRACK enabled, but CONFIG_IP_NF_CONNTRACK_MARK is not (please enable).
# endif
# include <linux/netfilter_ipv4/ip_conntrack.h>
# define nf_conn ip_conntrack
# define nf_ct_get ip_conntrack_get
# define nf_conntrack_untracked ip_conntrack_untracked
#else
# warning You need either CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK.
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
# define skb_init_secmark(skb)
# define skb_linearize xtnu_skb_linearize
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define neigh_hh_output xtnu_neigh_hh_output
# define IPPROTO_UDPLITE 136
# define CSUM_MANGLED_0 ((__force __sum16)0xffff)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
# define NF_INET_PRE_ROUTING NF_IP_PRE_ROUTING
# define NF_INET_LOCAL_IN NF_IP_LOCAL_IN
# define NF_INET_FORWARD NF_IP_FORWARD
# define NF_INET_LOCAL_OUT NF_IP_LOCAL_OUT
# define NF_INET_POST_ROUTING NF_IP_POST_ROUTING
# define ip_local_out xtnu_ip_local_out
# define ip_route_output_key xtnu_ip_route_output_key
# include "compat_nfinetaddr.h"
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
# define init_net xtnu_ip_route_output_key /* yes */
# define init_net__loopback_dev (&loopback_dev)
# define init_net__proc_net proc_net
#else
# define init_net__loopback_dev init_net.loopback_dev
# define init_net__proc_net init_net.proc_net
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
# define xt_match xtnu_match
# define xt_register_match xtnu_register_match
# define xt_unregister_match xtnu_unregister_match
# define xt_register_matches xtnu_register_matches
# define xt_unregister_matches xtnu_unregister_matches
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define csum_replace2 xtnu_csum_replace2
# define csum_replace4 xtnu_csum_replace4
# define inet_proto_csum_replace4 xtnu_proto_csum_replace4
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
# define csum_replace2 nf_csum_replace2
# define csum_replace4 nf_csum_replace4
# define inet_proto_csum_replace4 xtnu_proto_csum_replace4
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
# define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
# define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
#else
# define ipt_unregister_table(tbl) ipt_unregister_table(tbl)
# define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
# define rt_dst(rt) (&(rt)->dst)
#else
# define rt_dst(rt) (&(rt)->u.dst)
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0)
# define nf_nat_ipv4_multi_range_compat nf_nat_multi_range_compat
# define nf_nat_ipv4_range nf_nat_range
# define NF_NAT_RANGE_MAP_IPS IP_NAT_RANGE_MAP_IPS
# define ipv6_skip_exthdr xtnu_ipv6_skip_exthdr
# warning You need CONFIG_NF_CONNTRACK.
#endif
#if !defined(NIP6) && !defined(NIP6_FMT)
@@ -120,18 +46,31 @@
# define NIPQUAD_FMT "%u.%u.%u.%u"
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
# define ipv6_find_hdr xtnu_ipv6_find_hdr
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0)
static inline struct inode *file_inode(struct file *f)
{
return f->f_path.dentry->d_inode;
}
#endif
#define ip_route_me_harder xtnu_ip_route_me_harder
#define skb_make_writable xtnu_skb_make_writable
#define xt_target xtnu_target
#define xt_register_target xtnu_register_target
#define xt_unregister_target xtnu_unregister_target
#define xt_register_targets xtnu_register_targets
#define xt_unregister_targets xtnu_unregister_targets
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0)
static inline void proc_set_user(struct proc_dir_entry *de,
typeof(de->uid) uid, typeof(de->gid) gid)
{
de->uid = uid;
de->gid = gid;
}
#define xt_request_find_match xtnu_request_find_match
static inline void *PDE_DATA(struct inode *inode)
{
return PDE(inode)->data;
}
static inline void proc_remove(struct proc_dir_entry *de)
{
if (de != NULL)
remove_proc_entry(de->name, de->parent);
}
#endif
#endif /* _XTABLES_COMPAT_H */

105
extensions/compat_xtnu.h
View File

@@ -1,93 +1,11 @@
#ifndef _COMPAT_XTNU_H
#define _COMPAT_XTNU_H 1
#include <linux/list.h>
#include <linux/netfilter/x_tables.h>
#include <linux/spinlock.h>
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
typedef _Bool bool;
enum { false = 0, true = 1, };
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
typedef __u16 __bitwise __sum16;
typedef __u32 __bitwise __wsum;
#endif
struct flowi;
struct hh_cache;
struct module;
struct net_device;
struct rtable;
struct sk_buff;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
enum {
NFPROTO_UNSPEC = 0,
NFPROTO_IPV4 = 2,
NFPROTO_ARP = 3,
NFPROTO_BRIDGE = 7,
NFPROTO_IPV6 = 10,
NFPROTO_DECNET = 12,
NFPROTO_NUMPROTO,
};
struct xt_mtchk_param {
const char *table;
const void *entryinfo;
const struct xt_match *match;
void *matchinfo;
unsigned int hook_mask;
u_int8_t family;
};
struct xt_mtdtor_param {
const struct xt_match *match;
void *matchinfo;
u_int8_t family;
};
struct xt_target_param {
const struct net_device *in, *out;
unsigned int hooknum;
const struct xt_target *target;
const void *targinfo;
u_int8_t family;
};
struct xt_tgchk_param {
const char *table;
const void *entryinfo;
const struct xt_target *target;
void *targinfo;
unsigned int hook_mask;
u_int8_t family;
};
struct xt_tgdtor_param {
const struct xt_target *target;
void *targinfo;
u_int8_t family;
};
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
struct xt_action_param {
union {
const struct xt_match *match;
const struct xt_target *target;
};
union {
const void *matchinfo, *targinfo;
};
const struct net_device *in, *out;
int fragoff;
unsigned int thoff, hooknum;
u_int8_t family;
bool hotdrop;
};
#endif
struct xtnu_match {
/*
* Making it smaller by sizeof(void *) on purpose to catch
@@ -135,18 +53,7 @@ static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
return q;
}
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
static inline __wsum csum_unfold(__sum16 n)
{
return (__force __wsum)n;
}
#endif
extern int xtnu_ip_local_out(struct sk_buff *);
extern int xtnu_ip_route_me_harder(struct sk_buff **, unsigned int);
extern int xtnu_skb_make_writable(struct sk_buff **, unsigned int);
extern int xtnu_register_match(struct xtnu_match *);
extern int xtnu_ip_route_output_key(void *, struct rtable **, struct flowi *);
extern void xtnu_unregister_match(struct xtnu_match *);
extern int xtnu_register_matches(struct xtnu_match *, unsigned int);
extern void xtnu_unregister_matches(struct xtnu_match *, unsigned int);
@@ -154,18 +61,6 @@ extern int xtnu_register_target(struct xtnu_target *);
extern void xtnu_unregister_target(struct xtnu_target *);
extern int xtnu_register_targets(struct xtnu_target *, unsigned int);
extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
extern struct xt_match *xtnu_request_find_match(unsigned int,
const char *, uint8_t);
extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *);
extern void xtnu_csum_replace2(__u16 __bitwise *, __be16, __be16);
extern void xtnu_csum_replace4(__u16 __bitwise *, __be32, __be32);
extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
__be32, __be32, bool);
extern int xtnu_skb_linearize(struct sk_buff *);
extern int xtnu_ipv6_skip_exthdr(const struct sk_buff *, int,
uint8_t *, __be16 *);
extern int xtnu_ipv6_find_hdr(const struct sk_buff *, unsigned int *,
int, unsigned short *, int *);
extern void *HX_memmem(const void *, size_t, const void *, size_t);

107
extensions/ip6table_rawpost.c
View File

@@ -1,107 +0,0 @@
/*
* rawpost table for ip6_tables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include "compat_xtables.h"
#include "compat_rawpost.h"
enum {
RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
};
static struct {
struct ip6t_replace repl;
struct ip6t_standard entries[1];
struct ip6t_error term;
} rawpost6_initial __initdata = {
.repl = {
.name = "rawpost",
.valid_hooks = RAWPOST_VALID_HOOKS,
.num_entries = 2,
.size = sizeof(struct ip6t_standard) +
sizeof(struct ip6t_error),
.hook_entry = {
[NF_INET_POST_ROUTING] = 0,
},
.underflow = {
[NF_INET_POST_ROUTING] = 0,
},
},
.entries = {
IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
},
.term = IP6T_ERROR_INIT, /* ERROR */
};
static struct xt_table *rawpost6_ptable;
static struct xt_table rawpost6_itable = {
.name = "rawpost",
.af = NFPROTO_IPV6,
.valid_hooks = RAWPOST_VALID_HOOKS,
.me = THIS_MODULE,
};
static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
#else
return ip6t_do_table(skb, hook, in, out, rawpost6_ptable, NULL);
#endif
}
static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
.hook = rawpost6_hook_fn,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_LAST,
.owner = THIS_MODULE,
};
static int __init rawpost6_table_init(void)
{
int ret;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
rwlock_init(&rawpost6_itable.lock);
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
&rawpost6_initial.repl);
if (IS_ERR(rawpost6_ptable))
return PTR_ERR(rawpost6_ptable);
#else
ret = ip6t_register_table(&rawpost6_itable, &rawpost6_initial.repl);
if (ret < 0)
return ret;
rawpost6_ptable = &rawpost6_itable;
#endif
ret = nf_register_hook(&rawpost6_hook_ops);
if (ret < 0)
goto out;
return ret;
out:
ip6t_unregister_table(rawpost6_ptable);
return ret;
}
static void __exit rawpost6_table_exit(void)
{
nf_unregister_hook(&rawpost6_hook_ops);
ip6t_unregister_table(rawpost6_ptable);
}
module_init(rawpost6_table_init);
module_exit(rawpost6_table_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");

109
extensions/iptable_rawpost.c
View File

@@ -1,109 +0,0 @@
/*
* rawpost table for ip_tables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/version.h>
#include <net/ip.h>
#include "compat_xtables.h"
#include "compat_rawpost.h"
enum {
RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
};
static struct {
struct ipt_replace repl;
struct ipt_standard entries[1];
struct ipt_error term;
} rawpost4_initial __initdata = {
.repl = {
.name = "rawpost",
.valid_hooks = RAWPOST_VALID_HOOKS,
.num_entries = 2,
.size = sizeof(struct ipt_standard) +
sizeof(struct ipt_error),
.hook_entry = {
[NF_INET_POST_ROUTING] = 0,
},
.underflow = {
[NF_INET_POST_ROUTING] = 0,
},
},
.entries = {
IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
},
.term = IPT_ERROR_INIT, /* ERROR */
};
static struct xt_table *rawpost4_ptable;
static struct xt_table rawpost4_itable = {
.name = "rawpost",
.af = NFPROTO_IPV4,
.valid_hooks = RAWPOST_VALID_HOOKS,
.me = THIS_MODULE,
};
static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
#else
return ipt_do_table(skb, hook, in, out, rawpost4_ptable, NULL);
#endif
}
static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
.hook = rawpost4_hook_fn,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_LAST,
.owner = THIS_MODULE,
};
static int __init rawpost4_table_init(void)
{
int ret;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
rwlock_init(&rawpost4_itable.lock);
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
&rawpost4_initial.repl);
if (IS_ERR(rawpost4_ptable))
return PTR_ERR(rawpost4_ptable);
#else
ret = ipt_register_table(&rawpost4_itable, &rawpost4_initial.repl);
if (ret < 0)
return ret;
rawpost4_ptable = &rawpost4_itable;
#endif
ret = nf_register_hook(&rawpost4_hook_ops);
if (ret < 0)
goto out;
return ret;
out:
ipt_unregister_table(rawpost4_ptable);
return ret;
}
static void __exit rawpost4_table_exit(void)
{
nf_unregister_hook(&rawpost4_hook_ops);
ipt_unregister_table(rawpost4_ptable);
}
module_init(rawpost4_table_init);
module_exit(rawpost4_table_exit);
MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");

24
extensions/libxt_CHAOS.c
View File

@@ -1,6 +1,6 @@
/*
* "CHAOS" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
* Copyright © Jan Engelhardt, 2006 - 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -64,21 +64,6 @@ static void chaos_tg_check(unsigned int flags)
"may be specified");
}
static void chaos_tg_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
const struct xt_chaos_tginfo *info = (const void *)target->data;
switch (info->variant) {
case XTCHAOS_DELUDE:
printf(" DELUDE ");
break;
case XTCHAOS_TARPIT:
printf(" TARPIT ");
break;
}
}
static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_chaos_tginfo *info = (const void *)target->data;
@@ -93,6 +78,13 @@ static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
}
}
static void chaos_tg_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
printf(" -j CHAOS");
chaos_tg_save(ip, target);
}
static struct xtables_target chaos_tg_reg = {
.version = XTABLES_VERSION,
.name = "CHAOS",

3
extensions/libxt_CHAOS.man
View File

@@ -1,3 +1,4 @@
.PP
Causes confusion on the other end by doing odd things with incoming packets.
CHAOS will randomly reply (or not) with one of its configurable subtargets:
.TP
@@ -17,5 +18,5 @@ connections than they can.
The randomness factor of not replying vs. replying can be set during load-time
of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
.PP
See http://jengelh.medozas.de/projects/chaostables/ for more information
See http://inai.de/projects/chaostables/ for more information
about CHAOS, DELUDE and lscan.

94
extensions/libxt_CHECKSUM.c
View File

@@ -1,94 +0,0 @@
/*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
* (C) 2010 by Red Hat, Inc
* Author: Michael S. Tsirkin <mst@redhat.com>
*
* This program is distributed under the terms of GNU GPL v2, 1991
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
#include <xtables.h>
#include "xt_CHECKSUM.h"
#include "compat_user.h"
static void CHECKSUM_help(void)
{
printf(
"CHECKSUM target options\n"
" --checksum-fill Fill in packet checksum.\n");
}
static const struct option CHECKSUM_opts[] = {
{ "checksum-fill", 0, NULL, 'F' },
{ .name = NULL }
};
static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_CHECKSUM_info *einfo
= (struct xt_CHECKSUM_info *)(*target)->data;
switch (c) {
case 'F':
xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill",
*flags & XT_CHECKSUM_OP_FILL);
einfo->operation = XT_CHECKSUM_OP_FILL;
*flags |= XT_CHECKSUM_OP_FILL;
break;
default:
return 0;
}
return 1;
}
static void CHECKSUM_check(unsigned int flags)
{
if (!flags)
xtables_error(PARAMETER_PROBLEM,
"CHECKSUM target: Parameter --checksum-fill is required");
}
static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct xt_CHECKSUM_info *einfo =
(const struct xt_CHECKSUM_info *)target->data;
printf("CHECKSUM ");
if (einfo->operation & XT_CHECKSUM_OP_FILL)
printf(" fill ");
}
static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_CHECKSUM_info *einfo =
(const struct xt_CHECKSUM_info *)target->data;
if (einfo->operation & XT_CHECKSUM_OP_FILL)
printf(" --checksum-fill ");
}
static struct xtables_target checksum_tg_reg = {
.name = "CHECKSUM",
.version = XTABLES_VERSION,
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
.help = CHECKSUM_help,
.parse = CHECKSUM_parse,
.final_check = CHECKSUM_check,
.print = CHECKSUM_print,
.save = CHECKSUM_save,
.extra_opts = CHECKSUM_opts,
};
static __attribute__((constructor)) void _init(void)
{
xtables_register_target(&checksum_tg_reg);
}

8
extensions/libxt_CHECKSUM.man
View File

@@ -1,8 +0,0 @@
This target allows to selectively work around broken/old applications.
It can only be used in the mangle table.
.TP
\fB\-\-checksum\-fill\fP
Compute and fill in the checksum in a packet that lacks a checksum.
This is particularly useful, if you need to work around old applications
such as dhcp clients, that do not work well with checksum offloads,
but don't want to disable checksum offload in your device.

2
extensions/libxt_DELUDE.c
View File

@@ -1,6 +1,6 @@
/*
* "DELUDE" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
* Copyright © Jan Engelhardt, 2006 - 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

1
extensions/libxt_DELUDE.man
View File

@@ -1,3 +1,4 @@
.PP
The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other
packets with an RST. This will terminate the connection much like REJECT, but
network scanners doing TCP half-open discovery can be spoofed to make them

18
extensions/libxt_DHCPMAC.c
View File

@@ -1,6 +1,6 @@
/*
* "DHCPMAC" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -61,15 +61,6 @@ static void dhcpmac_tg_check(unsigned int flags)
"--set-mac parameter required");
}
static void dhcpmac_tg_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
const struct dhcpmac_info *info = (void *)target->data;
printf(" DHCPMAC %s" DH_MAC_FMT "/%u ",
info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpmac_tg_save(const void *ip,
const struct xt_entry_target *target)
{
@@ -81,6 +72,13 @@ static void dhcpmac_tg_save(const void *ip,
DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpmac_tg_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
printf(" -j DHCPMAC");
dhcpmac_tg_save(ip, target);
}
static struct xtables_target dhcpmac_tg_reg = {
.version = XTABLES_VERSION,
.name = "DHCPMAC",

1
extensions/libxt_DHCPMAC.man
View File

@@ -1,3 +1,4 @@
.PP
In conjunction with ebtables, DHCPMAC can be used to completely change all MAC
addresses from and to a VMware-based virtual machine. This is needed because
VMware does not allow to set a non-VMware MAC address before an operating

65
extensions/libxt_DNETMAP.c
View File

@@ -69,19 +69,8 @@ static int netmask2bits(u_int32_t netmask)
return bits;
}
static void DNETMAP_init(struct xt_entry_target *t)
{
struct xt_DNETMAP_tginfo *tginfo = (void *)&t->data;
struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
/* Actually, it's 0, but it's ignored at the moment. */
mr->rangesize = 1;
tginfo->ttl = 0;
tginfo->flags = 0;
}
/* Parses network address */
static void parse_prefix(char *arg, struct nf_nat_ipv4_range *range)
static void parse_prefix(char *arg, struct nf_nat_range *range)
{
char *slash;
const struct in_addr *ip;
@@ -97,7 +86,7 @@ static void parse_prefix(char *arg, struct nf_nat_ipv4_range *range)
if (ip == NULL)
xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
arg);
range->min_ip = ip->s_addr;
range->min_addr.in = *ip;
if (slash) {
if (strchr(slash + 1, '.')) {
ip = xtables_numeric_to_ipmask(slash + 1);
@@ -123,20 +112,20 @@ static void parse_prefix(char *arg, struct nf_nat_ipv4_range *range)
} else
netmask = ~0;
if (range->min_ip & ~netmask) {
if (range->min_addr.ip & ~netmask) {
if (slash)
*slash = '/';
xtables_error(PARAMETER_PROBLEM, "Bad network address \"%s\"\n",
arg);
}
range->max_ip = range->min_ip | ~netmask;
range->max_addr.ip = range->min_addr.ip | ~netmask;
}
static int DNETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_DNETMAP_tginfo *tginfo = (void *)(*target)->data;
struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
struct nf_nat_range *mr = &tginfo->prefix;
char *end;
switch (c) {
@@ -147,7 +136,7 @@ static int DNETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
invert);
/* TO-DO use xtables_ipparse_any instead? */
parse_prefix(optarg, &mr->range[0]);
parse_prefix(optarg, mr);
*flags |= XT_DNETMAP_PREFIX;
tginfo->flags |= XT_DNETMAP_PREFIX;
return 1;
@@ -192,14 +181,13 @@ static void DNETMAP_print_addr(const void *ip,
int numeric)
{
struct xt_DNETMAP_tginfo *tginfo = (void *)&target->data;
const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
const struct nf_nat_ipv4_range *r = &mr->range[0];
const struct nf_nat_range *r = &tginfo->prefix;
struct in_addr a;
int bits;
a.s_addr = r->min_ip;
a = r->min_addr.in;
printf("%s", xtables_ipaddr_to_numeric(&a));
a.s_addr = ~(r->min_ip ^ r->max_ip);
a.s_addr = ~(r->min_addr.ip ^ r->max_addr.ip);
bits = netmask2bits(a.s_addr);
if (bits < 0)
printf("/%s", xtables_ipaddr_to_numeric(&a));
@@ -207,33 +195,6 @@ static void DNETMAP_print_addr(const void *ip,
printf("/%d", bits);
}
static void DNETMAP_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
struct xt_DNETMAP_tginfo *tginfo = (void *)&target->data;
const __u8 *flags = &tginfo->flags;
printf(" prefix ");
if (*flags & XT_DNETMAP_PREFIX)
DNETMAP_print_addr(ip, target, numeric);
else
printf("any");
if (*flags & XT_DNETMAP_REUSE)
printf(" reuse");
if (*flags & XT_DNETMAP_STATIC)
printf(" static");
if (*flags & XT_DNETMAP_PERSISTENT)
printf(" persistent");
if (*flags & XT_DNETMAP_TTL)
printf(" ttl %i", tginfo->ttl);
else
printf(" ttl default");
}
static void DNETMAP_save(const void *ip, const struct xt_entry_target *target)
{
struct xt_DNETMAP_tginfo *tginfo = (void *)&target->data;
@@ -258,6 +219,13 @@ static void DNETMAP_save(const void *ip, const struct xt_entry_target *target)
printf(" --ttl %i ", tginfo->ttl);
}
static void DNETMAP_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
printf(" -j DNETMAP");
DNETMAP_save(ip, target);
}
static struct xtables_target dnetmap_tg_reg = {
.name = MODULENAME,
.version = XTABLES_VERSION,
@@ -265,7 +233,6 @@ static struct xtables_target dnetmap_tg_reg = {
.size = XT_ALIGN(sizeof(struct xt_DNETMAP_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_DNETMAP_tginfo)),
.help = DNETMAP_help,
.init = DNETMAP_init,
.parse = DNETMAP_parse,
.print = DNETMAP_print,
.save = DNETMAP_save,

257
extensions/libxt_DNETMAP.man
View File

@@ -1,172 +1,179 @@
The \fBDNETMAP\fR target allows dynamic two-way 1:1 mapping of IPv4 subnets.
Single rule can map private subnet to shorter public subnet creating and
maintaining unambigeous private-public ip bindings. Second rule can be used to
map new flows to private subnet according to maintained bindings. Target allows
efficient public IPv4 space usage and unambigeous NAT at the same time.
Target can be used only in \fBnat\fR table in \fBPOSTROUTING\fR or \fBOUTPUT\fR
chains for SNAT and in \fBPREROUTING\fR for DNAT. Only flows directed to bound
IPs will be DNATed. Packet continues chain traversal if there is no free
postnat-ip to be assigned to prenat-ip. Default binding \fBttl\fR is \fI10
minutes\fR and can be changed using \fBdefault_ttl\fR module option. Default ip
hash size is 256 and can be changed using \fBhash_size\fR module option.
.PP
The \fBDNETMAP\fR target allows dynamic two-way 1:1 mapping of IPv4 subnets. A
single rule can map a private subnet to a shorter public subnet, creating and
maintaining unambiguous private-public IP address bindings. The second rule can
be used to map new flows to a private subnet according to maintained bindings.
The target allows efficient public IPv4 space usage and unambiguous NAT at the
same time.
.PP
The target can be used only in the \fBnat\fR table in \fBPOSTROUTING\fR or
\fBOUTPUT\fR chains for SNAT, and in \fBPREROUTING\fR for DNAT. Only flows
directed to bound addresses will be DNATed. The packet continues chain
traversal if there is no free postnat address to be assigned to the prenat
address. The default binding \fBTTL\fR is \fI10 minutes\fR and can be changed
using the \fBdefault_ttl\fR module option. The default address hash size is 256
and can be changed using the \fBhash_size\fR module option.
.TP
\fB\-\-prefix\fR \fIaddr\fR\fB/\fR\fImask\fR
Network subnet to map to. If not specified, all existing prefixes are used.
The network subnet to map to. If not specified, all existing prefixes are used.
.TP
\fB\-\-reuse\fR
Reuse entry for given prenat-ip from any prefix despite bindings ttl < 0.
Reuse the entry for a given prenat address from any prefix even if the
binding's TTL is < 0.
.TP
\fB\-\-persistent\fR
Set prefix persistent. It won't be removed after deleting last iptables rule.
Option is effective only in the first rule for a given prefix. If you
need to change persistency for existing prefix, please use proc interface
described below.
Set the prefix to be persistent. It will not be removed after deleting the last
iptables rule. The option is effective only in the first rule for a given
prefix. If you need to change persistency for an existing prefix, please use
the procfs interface described below.
.TP
\fB\-\-static\fR
Don't create dynamic mappings using this rule. Use static mappings only. Note
that you need to create static mappings via proc interface for this rule with
this option to have any effect.
Do not create dynamic mappings using this rule. Use static mappings only. Note
that you need to create static mappings via the procfs interface for this rule
for this option to have any effect.
.TP
\fB\-\-ttl\fR \fIseconds\fR
Regenerate bindings ttl value to \fIseconds\fR. If negative value is specified,
bindings ttl is kept unchanged. If not specified then default ttl value (600s)
is used.
Reset the binding's TTL value to \fIseconds\fR. If a negative value is
specified, the binding's TTL is kept unchanged. If this option is not
specified, then the default TTL value (600s) is used.
.PP
\fB* /proc interface\fR
Module creates following entries for each new specified subnet:
.PP
The module creates the following entries for each new specified subnet:
.TP
\fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR
Contains binding table for subnet/mask. Each line contains \fBprenat-ip\fR,
\fBpostnat-ip\fR,\fBttl\fR (seconds till entry times out), \fBlasthit\fR (last
entry hit in seconds relative to system boot time). Please note that \fBttl\fR
and \fBlasthit\fR entries contain \fBS\fR in case of static binding.
Contains the binding table for the given \fIsubnet/mask\fP. Each line contains
\fBprenat address\fR, \fBpostnat address\fR, \fBttl\fR (seconds until the entry
times out), \fBlasthit\fR (last hit to the entry in seconds relative to system
boot time). Please note that the \fBttl\fR and \fBlasthit\fR entries contain an
'\fBS\fR' in case of a static binding.
.TP
\fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR
Contains statistics for given subnet/mask. Line contains contains four
numerical values separated by spaces. First one is number of currently used
dynamic addresses (bindings with negative ttl excluded), second one is number
static assignments, third one is number of all usable addresses in subnet and
the fourth one is mean \fBttl\fR value for all active entries. If prefix has
persistent flag set it'll be noted as fifth entry.
Contains statistics for a given \fIsubnet/mask\fP. The line contains four
numerical values separated by spaces. The first one is the number of currently
used dynamic addresses (bindings with negative TTL excluded), the second one is
the number of static assignments, the third one is the number of all usable
addresses in the subnet, and the fourth one is the mean \fBTTL\fR value for all
active entries. If the prefix has the persistent flag set, it will be noted as
fifth entry.
.PP
Following write operations are supported via proc interface:
The following write operations are supported via the procfs interface:
.TP
echo "+\fIprenatIP\fR:\fIpostnatIP\fR" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
Adds static binding between prenatIP nad postnatIP. If postnatIP is already
bound, previous binding will be timedout immediatelly. Static binding is never
timedout.
echo "+\fIprenat-address\fR:\fIpostnat-address\fR" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR
Adds a static binding between the prenat and postnap address. If
postnat_address is already bound, any previous binding will be timed out
immediately. A static binding is never timed out.
.TP
echo "-\fIIP\fR" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
Removes binding with \fIIP\fR as prenat or postnat address. If removed binding
is currently static, it'll make entry available for dynamic allocation.
echo "\-\fIaddress\fR" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR
Removes the binding with \fIaddress\fR as prenat or postnat address. If the
removed binding is currently static, it will make the entry available for
dynamic allocation.
.TP
echo "+persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
Sets persistent flag for prefix. It's usefull if you don't want bindings to get
flushed when firewall is restarted. You can check if prefix is persistent by
printing \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR
contents.
echo "+persistent" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR
Sets the persistent flag for the prefix. It is useful if you do not want
bindings to get flushed when the firewall is restarted. You can check if the
prefix is persistent by printing the contents of
\fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR.
.TP
echo "-persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
Unsets persistent flag for prefix. In this mode prefix will be deleted if the
last iptables rule for that prefix is removed.
echo "\-persistent" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR
Unsets the persistent flag for the prefix. In this mode, the prefix will be
deleted if the last iptables rule for that prefix is removed.
.TP
echo "flush" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
Flushes all bindings for specific prefix. All static entries are also flushed
and are available for dynamic bindings.
echo "flush" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR
Flushes all bindings for the specific prefix. All static entries are also
flushed and become available for dynamic bindings.
.PP
Note! Entries are removed if the last iptables rule for a specific prefix is
deleted unless there's persistent flag set.
deleted unless the persistent flag is set.
.PP
\fB* Logging\fR
Module logs binding add/timeout events to klog. This behaviour can be disabled
using \fBdisable_log\fR module parameter.
.PP
The module logs binding add/timeout events to klog. This behaviour can be
disabled using the \fBdisable_log\fR module parameter.
.PP
\fB* Examples\fR
.PP
\fB1.\fR Map subnet 192.168.0.0/24 to subnets 20.0.0.0/26. SNAT only:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26. If packet
from not yet bound prenat-ip hits the rule and there are no free or timed-out
(ttl<0) entries in prefix 20.0.0.0/28, then notice is logged to klog and chain
traversal continues. If packet from already bound prenat-ip hits the rule,
bindings ttl value is regenerated to default_ttl and SNAT is performed.
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
.PP
Active hosts from the 192.168.0.0/24 subnet are mapped to 20.0.0.0/26. If the
packet from a not yet bound prenat address hits the rule and there are no free
or timed-out (TTL<0) entries in prefix 20.0.0.0/28, then a notice is logged to
klog and chain traversal continues. If packet from an already-bound prenat
address hits the rule, the binding's TTL value is reset to default_ttl and SNAT
is performed.
.PP
\fB2.\fR Use of \fB\-\-reuse\fR and \fB\-\-ttl\fR switches, multiple rule
interaction:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix
20.0.0.0/26 --reuse --ttl 200
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 30.0.0.0/26
Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26 with ttl =
200 seconds. If there are no free addresses in first prefix the next one
(30.0.0.0/26) is used with default ttl. It's important to note that the first
rule SNATs all flows whose source IP is already actively (ttl>0) bound to ANY
prefix. Parameter \fB\-\-reuse\fR makes this functionality work even for
inactive (ttl<0) entries.
If both subnets are exhaused, then chain traversal continues.
\fB3.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 bidirectional way:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
iptables -t nat -A PREROUTING -j DNETMAP
If host 192.168.0.10 generates some traffic, it gets bound to first free IP in
subnet - 20.0.0.0. Now any traffic directed to 20.0.0.0 gets DNATed to
192.168.0.10 as long as there's an active (ttl>0) binding. There's no need to
specify \fB\-\-prefix\fR parameter in PREROUTING rule, because this way it DNATs
traffic to all active prefixes. You could specify prefix it you'd like to make
DNAT work for specific prefix only.
\fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments only:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
--static
echo "+192.168.0.10:20.0.0.1" > /proc/net/xt_DNETMAP/20.0.0.0_26
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix
20.0.0.0/26 \-\-reuse \-\-ttl 200
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 30.0.0.0/26
.PP
Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26 with TTL =
200 seconds. If there are no free addresses in first prefix, the next one
(30.0.0.0/26) is used with the default TTL. It is important to note that the
first rule SNATs all flows whose source address is already actively bound
(TTL>0) to ANY prefix. The \fB\-\-reuse\fR parameter makes this functionality
work even for inactive (TTL<0) entries.
.PP
If both subnets are exhausted, then chain traversal continues.
.PP
\fB3.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 in a bidirectional way:
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
.PP
iptables \-t nat \-A PREROUTING \-j DNETMAP
.PP
If the host 192.168.0.10 generates some traffic, it gets bound to first free
address in the subnet \(em 20.0.0.0. Now, any traffic directed to 20.0.0.0 gets
DNATed to 192.168.0.10 as long as there is an active (TTL>0) binding. There is
no need to specify \fB\-\-prefix\fR parameter in a PREROUTING rule, because
this way, it DNATs traffic to all active prefixes. You could specify the prefix
you would like to make DNAT work for a specific prefix only.
.PP
\fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments
only:
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
\-\-static
.PP
echo "+192.168.0.10:20.0.0.1" >/proc/net/xt_DNETMAP/20.0.0.0_26
.br
echo "+192.168.0.11:20.0.0.2" > /proc/net/xt_DNETMAP/20.0.0.0_26
echo "+192.168.0.11:20.0.0.2" >/proc/net/xt_DNETMAP/20.0.0.0_26
.br
echo "+192.168.0.51:20.0.0.3" > /proc/net/xt_DNETMAP/20.0.0.0_26
echo "+192.168.0.51:20.0.0.3" >/proc/net/xt_DNETMAP/20.0.0.0_26
.PP
This configuration will allow only preconfigured static bindings to work due to
\fBstatic\fR rule option. Without this flag dynamic bindings would be created
using non-static entries.
the \fBstatic\fR rule option. Without this flag, dynamic bindings would be
created using non-static entries.
.PP
\fB5.\fR Persistent prefix:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
--persistent
.PP
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
\-\-persistent
.br
\fBor\fR
.br
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
.br
echo "+persistent" > /proc/net/xt_DNETMAP/20.0.0.0_26
Now we can check persistent flag of the prefix:
echo "+persistent" >/proc/net/xt_DNETMAP/20.0.0.0_26
.PP
Now, we can check the persistent flag of the prefix:
.br
cat /proc/net/xt_DNETMAP/20.0.0.0_26
.br
0 0 64 0 \fBpersistent\fR
Flush iptables nat table and see that prefix is still in existence:
.PP
Flush the iptables nat table and see that prefix is still in existence:
.br
iptables -F -t nat
iptables \-F \-t nat
.br
ls -l /proc/net/xt_DNETMAP
ls \-l /proc/net/xt_DNETMAP
.br
-rw-r--r-- 1 root root 0 06-10 09:01 20.0.0.0_26
\-rw\-r\-\-r\-\- 1 root root 0 06\-10 09:01 20.0.0.0_26
.br
-rw-r--r-- 1 root root 0 06-10 09:01 20.0.0.0_26_stat
\-rw\-r\-\-r\-\- 1 root root 0 06\-10 09:01 20.0.0.0_26_stat
.

2
extensions/libxt_ECHO.c
View File

@@ -1,6 +1,6 @@
/*
* "ECHO" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

1
extensions/libxt_ECHO.man
View File

@@ -1,3 +1,4 @@
.PP
The \fBECHO\fP target will send back all packets it received. It serves as an
examples for an Xtables target.
.PP

29
extensions/libxt_IPMARK.c
View File

@@ -1,7 +1,7 @@
/*
* "IPMARK" target extension for iptables
* Copyright © Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>, 2003
* Jan Engelhardt <jengelh [at] medozas de>, 2008
* Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -112,25 +112,6 @@ static void ipmark_tg_check(unsigned int flags)
"IPMARK target: Parameter --addr is required");
}
static void
ipmark_tg_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_ipmark_tginfo *info = (const void *)target->data;
if (info->selector == XT_IPMARK_SRC)
printf(" IPMARK src ip ");
else
printf(" IPMARK dst ip ");
if (info->shift != 0)
printf(" shift %u ", (unsigned int)info->shift);
if (info->andmask != ~0U)
printf(" and 0x%x ", (unsigned int)info->andmask);
if (info->ormask != 0)
printf(" or 0x%x ", (unsigned int)info->ormask);
}
static void
ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
{
@@ -149,6 +130,14 @@ ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
printf(" --or-mask 0x%x ", (unsigned int)info->ormask);
}
static void
ipmark_tg_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
printf(" -j IPMARK");
ipmark_tg_save(entry, target);
}
static struct xtables_target ipmark_tg_reg = {
.version = XTABLES_VERSION,
.name = "IPMARK",

3
extensions/libxt_IPMARK.man
View File

@@ -1,7 +1,8 @@
.PP
Allows you to mark a received packet basing on its IP address. This
can replace many mangle/mark entries with only one, if you use
firewall based classifier.
.PP
This target is to be used inside the \fBmangle\fP table.
.TP
\fB\-\-addr\fP {\fBsrc\fP|\fBdst\fP}

19
extensions/libxt_LOGMARK.c
View File

@@ -1,6 +1,6 @@
/*
* "LOGMARK" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -77,15 +77,6 @@ logmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
return false;
}
static void
logmark_tg_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct xt_logmark_tginfo *info = (void *)target->data;
printf(" LOGMARK level %u prefix \"%s\" ", info->level, info->prefix);
}
static void
logmark_tg_save(const void *ip, const struct xt_entry_target *target)
{
@@ -97,6 +88,14 @@ logmark_tg_save(const void *ip, const struct xt_entry_target *target)
printf(" --log-prefix \"%s\" ", info->prefix);
}
static void
logmark_tg_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
printf(" -j LOGMARK");
logmark_tg_save(ip, target);
}
static struct xtables_target logmark_tg_reg = {
.version = XTABLES_VERSION,
.name = "LOGMARK",

1
extensions/libxt_LOGMARK.man
View File

@@ -1,3 +1,4 @@
.PP
The LOGMARK target will log packet and connection marks to syslog.
.TP
\fB\-\-log\-level\fR \fIlevel\fR

189
extensions/libxt_RAWDNAT.c
View File

@@ -1,189 +0,0 @@
/*
* "RAWNAT" target extension for iptables
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <netinet/in.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_RAWNAT.h"
#include "compat_user.h"
enum {
FLAGS_TO = 1 << 0,
};
static const struct option rawdnat_tg_opts[] = {
{.name = "to-destination", .has_arg = true, .val = 't'},
{},
};
static void rawdnat_tg_help(void)
{
printf(
"RAWDNAT target options:\n"
" --to-destination addr[/mask] Address or network to map to\n"
);
}
static int
rawdnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 32;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ipaddr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
memcpy(&info->addr.in, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static int
rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in6_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 128;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 128))
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ip6addr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
memcpy(&info->addr.in6, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static void rawdnat_tg_check(unsigned int flags)
{
if (!(flags & FLAGS_TO))
xtables_error(PARAMETER_PROBLEM, "RAWDNAT: "
"\"--to-destination\" is required.");
}
static void
rawdnat_tg4_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 32)
printf(" to-destination %s ",
xtables_ipaddr_to_anyname(&info->addr.in));
else
printf(" to-destination %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
}
static void
rawdnat_tg6_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 128)
printf(" to-destination %s ",
xtables_ip6addr_to_anyname(&info->addr.in6));
else
printf(" to-destination %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
}
static void
rawdnat_tg4_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf(" --to-destination %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in),
info->mask);
}
static void
rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf(" --to-destination %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6),
info->mask);
}
static struct xtables_target rawdnat_tg_reg[] = {
{
.version = XTABLES_VERSION,
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawdnat_tg_help,
.parse = rawdnat_tg4_parse,
.final_check = rawdnat_tg_check,
.print = rawdnat_tg4_print,
.save = rawdnat_tg4_save,
.extra_opts = rawdnat_tg_opts,
},
{
.version = XTABLES_VERSION,
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawdnat_tg_help,
.parse = rawdnat_tg6_parse,
.final_check = rawdnat_tg_check,
.print = rawdnat_tg6_print,
.save = rawdnat_tg6_save,
.extra_opts = rawdnat_tg_opts,
},
};
static void _init(void)
{
xtables_register_targets(rawdnat_tg_reg,
sizeof(rawdnat_tg_reg) / sizeof(*rawdnat_tg_reg));
}

10
extensions/libxt_RAWDNAT.man
View File

@@ -1,10 +0,0 @@
The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
much like the \fBNETMAP\fR target.
.TP
\fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
Network address to map to. The resulting address will be constructed the
following way: All 'one' bits in the \fImask\fR are filled in from the new
\fIaddress\fR. All bits that are zero in the mask are filled in from the
original address.
.PP
See the \fBRAWSNAT\fR help entry for examples and constraints.

189
extensions/libxt_RAWSNAT.c
View File

@@ -1,189 +0,0 @@
/*
* "RAWNAT" target extension for iptables
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <netinet/in.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_RAWNAT.h"
#include "compat_user.h"
enum {
FLAGS_TO = 1 << 0,
};
static const struct option rawsnat_tg_opts[] = {
{.name = "to-source", .has_arg = true, .val = 't'},
{},
};
static void rawsnat_tg_help(void)
{
printf(
"RAWSNAT target options:\n"
" --to-source addr[/mask] Address or network to map to\n"
);
}
static int
rawsnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 32;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ipaddr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
memcpy(&info->addr.in, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static int
rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in6_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 128;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 128))
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ip6addr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
memcpy(&info->addr.in6, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static void rawsnat_tg_check(unsigned int flags)
{
if (!(flags & FLAGS_TO))
xtables_error(PARAMETER_PROBLEM, "RAWSNAT: "
"\"--to-source\" is required.");
}
static void
rawsnat_tg4_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 32)
printf(" to-source %s ",
xtables_ipaddr_to_anyname(&info->addr.in));
else
printf(" to-source %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
}
static void
rawsnat_tg6_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 128)
printf(" to-source %s ",
xtables_ip6addr_to_anyname(&info->addr.in6));
else
printf(" to-source %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
}
static void
rawsnat_tg4_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf(" --to-source %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in),
info->mask);
}
static void
rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf(" --to-source %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6),
info->mask);
}
static struct xtables_target rawsnat_tg_reg[] = {
{
.version = XTABLES_VERSION,
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawsnat_tg_help,
.parse = rawsnat_tg4_parse,
.final_check = rawsnat_tg_check,
.print = rawsnat_tg4_print,
.save = rawsnat_tg4_save,
.extra_opts = rawsnat_tg_opts,
},
{
.version = XTABLES_VERSION,
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawsnat_tg_help,
.parse = rawsnat_tg6_parse,
.final_check = rawsnat_tg_check,
.print = rawsnat_tg6_print,
.save = rawsnat_tg6_save,
.extra_opts = rawsnat_tg_opts,
},
};
static void _init(void)
{
xtables_register_targets(rawsnat_tg_reg,
sizeof(rawsnat_tg_reg) / sizeof(*rawsnat_tg_reg));
}

38
extensions/libxt_RAWSNAT.man
View File

@@ -1,38 +0,0 @@
The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address
translation.
.PP
The \fBRAWSNAT\fR target will rewrite the source address in the IP header, much
like the \fBNETMAP\fP target. \fBRAWSNAT\fP (and \fBRAWDNAT\fP) may only be
used in the \fBraw\fP or \fBrawpost\fP tables, but can be used in all chains,
which makes it possible to change the source address either when the packet
enters the machine or when it leaves it. The reason for this table constraint
is that RAWNAT must happen outside of connection tracking.
.TP
\fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
Network address to map to. The resulting address will be constructed the
following way: All 'one' bits in the \fImask\fR are filled in from the new
\fIaddress\fR. All bits that are zero in the mask are filled in from the
original address.
.PP
As an example, changing the destination for packets forwarded from an internal
LAN to the internet:
.IP
\-t raw \-A PREROUTING \-i lan0 \-d 212.201.100.135 \-j RAWDNAT \-\-to\-destination 199.181.132.250;
\-t rawpost \-A POSTROUTING \-o lan0 \-s 199.181.132.250 \-j RAWSNAT \-\-to\-source 212.201.100.135;
.PP
Note that changing addresses may influence the route selection! Specifically,
it statically NATs packets, not connections, like the normal DNAT/SNAT targets
would do. Also note that it can transform already-NATed connections \(em as
said, it is completely external to Netfilter's connection tracking/NAT.
.PP
If the machine itself generates packets that are to be rawnat'ed, you need a
rule in the OUTPUT chain instead, just like you would with the stateful NAT
targets.
.PP
It may be necessary that in doing so, you also need an extra RAWSNAT rule, to
override the automatic source address selection that the routing code does
before passing packets to iptables. If the connecting socket has not been
explicitly bound to an address, as is the common mode of operation, the address
that will be chosen is the primary address of the device through which the
packet would be routed with its initial destination address - the address as
seen before any RAWNAT takes place.

32
extensions/libxt_STEAL.c
View File

@@ -1,32 +0,0 @@
#include <stdio.h>
#include <xtables.h>
#include "compat_user.h"
static void steal_tg_help(void)
{
printf("STEAL takes no options\n\n");
}
static int steal_tg_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
return 0;
}
static void steal_tg_check(unsigned int flags)
{
}
static struct xtables_target steal_tg_reg = {
.version = XTABLES_VERSION,
.name = "STEAL",
.family = NFPROTO_UNSPEC,
.help = steal_tg_help,
.parse = steal_tg_parse,
.final_check = steal_tg_check,
};
static void _init(void)
{
xtables_register_target(&steal_tg_reg);
}

2
extensions/libxt_STEAL.man
View File

@@ -1,2 +0,0 @@
Like the DROP target, but does not throw an error like DROP when used in the
\fBOUTPUT\fP chain.

7
extensions/libxt_SYSRQ.man
View File

@@ -1,3 +1,4 @@
.PP
The SYSRQ target allows to remotely trigger sysrq on the local machine over the
network. This can be useful when vital parts of the machine hang, for example
an oops in a filesystem causing locks to be not released and processes to get
@@ -62,7 +63,7 @@ password="password"
seqno="$(date +%s)"
salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
openssl enc \-base64)"
ipaddr=10.10.25.7
ipaddr="2001:0db8:0000:0000:0000:ff00:0042:8329"
req="$sysrq_key,$seqno,$salt"
req="$req,$(echo \-n "$req,$ipaddr,$password" | sha1sum | cut \-c1\-40)"
@@ -75,8 +76,8 @@ sysrq key can be used at once, but bear in mind that, for example, a sync may
not complete before a subsequent reboot or poweroff.
.PP
An IPv4 address should have no leading zeros, an IPv6 address should
be in the form recommended by RFC 5952. The debug option will log the
correct form of the address.
be in the full expanded form (as shown above). The debug option will cause
output to be emitted in the same form.
.PP
The hashing scheme should be enough to prevent mis-use of SYSRQ in many
environments, but it is not perfect: take reasonable precautions to

25
extensions/libxt_TARPIT.c
View File

@@ -67,24 +67,6 @@ static void tarpit_tg_check(unsigned int flags)
"TARPIT: only one action can be used at a time");
}
static void tarpit_tg_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
const struct xt_tarpit_tginfo *info = (void *)target->data;
switch (info->variant) {
case XTTARPIT_HONEYPOT:
printf(" honeypot mode ");
break;
case XTTARPIT_RESET:
printf(" reset mode ");
break;
default:
printf(" tarpit mode ");
break;
}
}
static void tarpit_tg_save(const void *ip,
const struct xt_entry_target *target)
{
@@ -103,6 +85,13 @@ static void tarpit_tg_save(const void *ip,
}
}
static void tarpit_tg_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
printf(" -j TARPIT");
tarpit_tg_save(ip, target);
}
static struct xtables_target tarpit_tg_reg = {
.version = XTABLES_VERSION,
.name = "TARPIT",

1
extensions/libxt_TARPIT.man
View File

@@ -1,3 +1,4 @@
.PP
Captures and holds incoming TCP connections using no local per-connection
resources.
.PP

173
extensions/libxt_TEE.c
View File

@@ -1,173 +0,0 @@
/*
* "TEE" target extension for iptables
* Copyright © Sebastian Claßen <sebastian.classen [at] freenet.ag>, 2007
* Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <sys/socket.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include "xt_TEE.h"
#include "compat_user.h"
enum {
FLAG_GATEWAY = 1 << 0,
};
static const struct option tee_tg_opts[] = {
{.name = "gateway", .has_arg = true, .val = 'g'},
{NULL},
};
static void tee_tg_help(void)
{
printf(
"TEE target options:\n"
" --gateway IPADDR Route packet via the gateway given by address\n"
"\n");
}
static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_tee_tginfo *info = (void *)(*target)->data;
const struct in_addr *ia;
switch (c) {
case 'g':
if (*flags & FLAG_GATEWAY)
xtables_error(PARAMETER_PROBLEM,
"Cannot specify --gateway more than once");
ia = xtables_numeric_to_ipaddr(optarg);
if (ia == NULL)
xtables_error(PARAMETER_PROBLEM,
"Invalid IP address %s", optarg);
memcpy(&info->gw, ia, sizeof(*ia));
*flags |= FLAG_GATEWAY;
return true;
}
return false;
}
static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_tee_tginfo *info = (void *)(*target)->data;
const struct in6_addr *ia;
switch (c) {
case 'g':
if (*flags & FLAG_GATEWAY)
xtables_error(PARAMETER_PROBLEM,
"Cannot specify --gateway more than once");
ia = xtables_numeric_to_ip6addr(optarg);
if (ia == NULL)
xtables_error(PARAMETER_PROBLEM,
"Invalid IP address %s", optarg);
memcpy(&info->gw, ia, sizeof(*ia));
*flags |= FLAG_GATEWAY;
return true;
}
return false;
}
static void tee_tg_check(unsigned int flags)
{
if (flags == 0)
xtables_error(PARAMETER_PROBLEM, "TEE target: "
"--gateway parameter required");
}
static void tee_tg_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
if (numeric)
printf(" TEE gw:%s ", xtables_ipaddr_to_numeric(&info->gw.in));
else
printf(" TEE gw:%s ", xtables_ipaddr_to_anyname(&info->gw.in));
}
static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
if (numeric)
printf(" TEE gw:%s ", xtables_ip6addr_to_numeric(&info->gw.in6));
else
printf(" TEE gw:%s ", xtables_ip6addr_to_anyname(&info->gw.in6));
}
static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
printf(" --gateway %s ", xtables_ipaddr_to_numeric(&info->gw.in));
}
static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
printf(" --gateway %s ", xtables_ip6addr_to_numeric(&info->gw.in6));
}
static struct xtables_target tee_tg_reg[] = {
{
.name = "TEE",
.version = XTABLES_VERSION,
.revision = 0,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.help = tee_tg_help,
.parse = tee_tg_parse,
.final_check = tee_tg_check,
.print = tee_tg_print,
.save = tee_tg_save,
.extra_opts = tee_tg_opts,
},
{
.name = "TEE",
.version = XTABLES_VERSION,
.revision = 0,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.help = tee_tg_help,
.parse = tee_tg6_parse,
.final_check = tee_tg_check,
.print = tee_tg6_print,
.save = tee_tg6_save,
.extra_opts = tee_tg_opts,
},
};
static __attribute__((constructor)) void tee_tg_ldr(void)
{
xtables_register_targets(tee_tg_reg,
sizeof(tee_tg_reg) / sizeof(*tee_tg_reg));
}

12
extensions/libxt_TEE.man
View File

@@ -1,12 +0,0 @@
The \fBTEE\fP target will clone a packet and redirect this clone to another
machine on the \fBlocal\fP network segment. In other words, the nexthop
must be the target, or you will have to configure the nexthop to forward it
further if so desired.
.TP
\fB\-\-gateway\fP \fIipaddr\fP
Send the cloned packet to the host reachable at the given IP address.
Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
.PP
To forward all incoming traffic on eth0 to an Network Layer logging box:
.PP
\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1

18
extensions/libxt_condition.c
View File

@@ -2,7 +2,7 @@
* "condition" match extension for iptables
* Stephane Ouellette <ouellettes [at] videotron ca>, 2002-10-22
* Massimiliano Hofer <max [at] nucleus it>, 2006-05-15
* Jan Engelhardt <jengelh [at] medozas de>, 2008
* Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License; either version 2
@@ -62,15 +62,6 @@ static void condition_check(unsigned int flags)
"Condition match: must specify --condition");
}
static void condition_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_condition_mtinfo *info = (const void *)match->data;
printf(" condition %s%s ", (info->invert) ? "!" : "", info->name);
}
static void condition_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_condition_mtinfo *info = (const void *)match->data;
@@ -78,6 +69,13 @@ static void condition_save(const void *ip, const struct xt_entry_match *match)
printf("%s --condition \"%s\" ", info->invert ? " !" : "", info->name);
}
static void condition_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
printf(" -m condition");
condition_save(ip, match);
}
static struct xtables_match condition_mt_reg = {
.name = "condition",
.revision = 1,

1
extensions/libxt_condition.man
View File

@@ -1,3 +1,4 @@
.PP
This matches if a specific condition variable is (un)set.
.TP
[\fB!\fP] \fB\-\-condition\fP \fIname\fP

18
extensions/libxt_dhcpmac.c
View File

@@ -1,6 +1,6 @@
/*
* "dhcpmac" match extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -62,15 +62,6 @@ static void dhcpmac_mt_check(unsigned int flags)
"--mac parameter required");
}
static void dhcpmac_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
const struct dhcpmac_info *info = (void *)match->data;
printf(" dhcpmac %s" DH_MAC_FMT "/%u ",
info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpmac_mt_save(const void *ip,
const struct xt_entry_match *match)
{
@@ -82,6 +73,13 @@ static void dhcpmac_mt_save(const void *ip,
DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpmac_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
printf(" -m dhcpmac");
dhcpmac_mt_save(ip, match);
}
static struct xtables_match dhcpmac_mt_reg = {
.version = XTABLES_VERSION,
.name = "dhcpmac",

16
extensions/libxt_fuzzy.c
View File

@@ -83,15 +83,6 @@ static void fuzzy_mt_check(unsigned int flags)
{
}
static void fuzzy_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_fuzzy_mtinfo *info = (const void *)match->data;
printf(" fuzzy: lower limit = %u pps - upper limit = %u pps ",
info->minimum_rate, info->maximum_rate);
}
static void fuzzy_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_fuzzy_mtinfo *info = (const void *)match->data;
@@ -100,6 +91,13 @@ static void fuzzy_mt_save(const void *ip, const struct xt_entry_match *match)
printf(" --upper-limit %u ", info->maximum_rate);
}
static void fuzzy_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
printf(" -m fuzzy");
fuzzy_mt_save(ip, match);
}
static struct xtables_match fuzzy_mt_reg = {
.name = "fuzzy",
.revision = 1,

1
extensions/libxt_fuzzy.man
View File

@@ -1,3 +1,4 @@
.PP
This module matches a rate limit based on a fuzzy logic controller (FLC).
.TP
\fB\-\-lower\-limit\fP \fInumber\fP

34
extensions/libxt_geoip.c
View File

@@ -2,7 +2,7 @@
* "geoip" match extension for iptables
* Copyright © Samuel Jean <peejix [at] people netfilter org>, 2004 - 2008
* Copyright © Nicolas Bouliane <acidfu [at] people netfilter org>, 2004 - 2008
* Jan Engelhardt <jengelh [at] medozas de>, 2008-2011
* Jan Engelhardt, 2008-2011
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -251,31 +251,6 @@ geoip_final_check(unsigned int flags)
"geoip: missing arguments");
}
static void
geoip_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
const struct xt_geoip_match_info *info = (void*)match->data;
u_int8_t i;
if (info->flags & XT_GEOIP_SRC)
printf(" Source ");
else
printf(" Destination ");
if (info->count > 1)
printf("countries: ");
else
printf("country: ");
if (info->flags & XT_GEOIP_INV)
printf("! ");
for (i = 0; i < info->count; i++)
printf("%s%c%c", i ? "," : "", COUNTRY(info->cc[i]));
printf(" ");
}
static void
geoip_save(const void *ip, const struct xt_entry_match *match)
{
@@ -295,6 +270,13 @@ geoip_save(const void *ip, const struct xt_entry_match *match)
printf(" ");
}
static void
geoip_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
printf(" -m geoip");
geoip_save(ip, match);
}
static struct xtables_match geoip_match[] = {
{
.family = NFPROTO_IPV6,

5
extensions/libxt_geoip.man
View File

@@ -1,3 +1,4 @@
.PP
Match a packet by its source or destination country.
.TP
[\fB!\fP] \fB\-\-src\-cc\fP, \fB\-\-source\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
@@ -15,8 +16,8 @@ with the source package, and which should be available in compiled packages in
/usr/lib(exec)/xtables-addons/. The first command retrieves CSV files from
MaxMind, while the other two build packed bisectable range files:
.PP
mkdir -p /usr/share/xt_geoip; cd /tmp; $path/to/xt_geoip_dl;
mkdir \-p /usr/share/xt_geoip; cd /tmp; $path/to/xt_geoip_dl;
.PP
$path/to/xt_geoip_build -D /usr/share/xt_geoip GeoIP*.csv;
$path/to/xt_geoip_build \-D /usr/share/xt_geoip GeoIP*.csv;
.PP
The shared library is hardcoded to look in these paths, so use them.

18
extensions/libxt_gradm.c
View File

@@ -57,17 +57,6 @@ static void gradm_mt_check(unsigned int flags)
{
}
static void gradm_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_gradm_mtinfo *info = (const void *)match->data;
if (info->invflags)
printf("gradm: disabled");
else
printf("gradm: enabled");
}
static void gradm_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_gradm_mtinfo *info = (const void *)match->data;
@@ -78,6 +67,13 @@ static void gradm_mt_save(const void *ip, const struct xt_entry_match *match)
printf(" --enabled ");
}
static void gradm_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
printf(" -m gradm");
gradm_mt_save(ip, match);
}
static struct xtables_match gradm_mt_reg = {
.family = NFPROTO_UNSPEC,
.name = "gradm",

1
extensions/libxt_gradm.man
View File

@@ -1,3 +1,4 @@
.PP
This module matches packets based on grsecurity RBAC status.
.TP
[\fB!\fP] \fB\-\-enabled\fP

34
extensions/libxt_iface.c
View File

@@ -175,33 +175,6 @@ static void iface_mt_check(unsigned int flags)
"iface: You must specify at least one option");
}
static void iface_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_iface_mtinfo *info = (const void *)match->data;
printf(" iface: ");
if (info->flags & XT_IFACE_DEV_IN)
printf("(in)");
else if (info->flags & XT_IFACE_DEV_OUT)
printf("(out)");
else
printf("%s", info->ifname);
printf(" [state:");
iface_print_opt(info, XT_IFACE_UP, "up");
iface_print_opt(info, XT_IFACE_BROADCAST, "broadcast");
iface_print_opt(info, XT_IFACE_LOOPBACK, "loopback");
iface_print_opt(info, XT_IFACE_POINTOPOINT, "pointopoint");
iface_print_opt(info, XT_IFACE_RUNNING, "running");
iface_print_opt(info, XT_IFACE_NOARP, "noarp");
iface_print_opt(info, XT_IFACE_PROMISC, "promisc");
iface_print_opt(info, XT_IFACE_MULTICAST, "multicast");
iface_print_opt(info, XT_IFACE_DYNAMIC, "dynamic");
iface_print_opt(info, XT_IFACE_LOWER_UP, "lower_up");
iface_print_opt(info, XT_IFACE_DORMANT, "dormant");
printf("] ");
}
static void iface_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_iface_mtinfo *info = (const void *)match->data;
@@ -226,6 +199,13 @@ static void iface_mt_save(const void *ip, const struct xt_entry_match *match)
printf(" ");
}
static void iface_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
printf(" -m iface");
iface_mt_save(ip, match);
}
static struct xtables_match iface_mt_reg = {
.version = XTABLES_VERSION,
.name = "iface",

1
extensions/libxt_iface.man
View File

@@ -1,3 +1,4 @@
.PP
Allows you to check interface states. First, an interface needs to be selected
for comparison. Exactly one option of the following three must be specified:
.TP

4
extensions/libxt_ipp2p.c
View File

@@ -1,7 +1,7 @@
/*
* "ipp2p" match extension for iptables
* Eicke Friedrich/Klaus Degner <ipp2p@ipp2p.org>, 2005 - 2006
* Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -217,7 +217,7 @@ ipp2p_mt_print1(const void *entry, const struct xt_entry_match *match,
static void ipp2p_mt_print(const void *entry,
const struct xt_entry_match *match, int numeric)
{
printf(" ipp2p ");
printf(" -m ipp2p ");
ipp2p_mt_print1(entry, match, true);
}

1
extensions/libxt_ipp2p.man
View File

@@ -1,3 +1,4 @@
.PP
This module matches certain packets in P2P flows. It is not
designed to match all packets belonging to a P2P connection \(em
use IPP2P together with CONNMARK for this purpose.

18
extensions/libxt_ipv4options.c
View File

@@ -133,17 +133,6 @@ static void ipv4options_print_flags(const struct xt_ipv4options_mtinfo1 *info,
}
}
static void ipv4options_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
const struct xt_ipv4options_mtinfo1 *info = (void *)match->data;
printf(" ipv4options %s ",
(info->flags & XT_V4OPTS_ANY) ? "any-of" : "all-of");
ipv4options_print_flags(info, numeric);
printf(" ");
}
static void ipv4options_mt_save(const void *ip,
const struct xt_entry_match *match)
{
@@ -158,6 +147,13 @@ static void ipv4options_mt_save(const void *ip,
printf(" ");
}
static void ipv4options_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
printf(" -m ipv4options");
ipv4options_mt_save(ip, match);
}
static struct xtables_match ipv4options_mt_reg = {
.version = XTABLES_VERSION,
.name = "ipv4options",

1
extensions/libxt_ipv4options.man
View File

@@ -1,3 +1,4 @@
.PP
The "ipv4options" module allows to match against a set of IPv4 header options.
.TP
\fB\-\-flags\fP [\fB!\fP]\fIsymbol\fP[\fB,\fP[\fB!\fP]\fIsymbol...\fP]

30
extensions/libxt_length2.c
View File

@@ -107,29 +107,6 @@ static void length_mt_check(unsigned int flags)
"--layer3. Consider specifying it explicitly.\n");
}
static void length_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_length_mtinfo2 *info = (const void *)match->data;
if (info->flags & XT_LENGTH_LAYER3)
printf(" layer3 ");
else if (info->flags & XT_LENGTH_LAYER4)
printf(" layer4 ");
else if (info->flags & XT_LENGTH_LAYER5)
printf(" layer5 ");
else if (info->flags & XT_LENGTH_LAYER7)
printf(" layer7 ");
printf(" length ");
if (info->flags & XT_LENGTH_INVERT)
printf("! ");
if (info->min == info->max)
printf("%u ", (unsigned int)info->min);
else
printf("%u-%u ", (unsigned int)info->min,
(unsigned int)info->max);
}
static void length_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_length_mtinfo2 *info = (const void *)match->data;
@@ -152,6 +129,13 @@ static void length_mt_save(const void *ip, const struct xt_entry_match *match)
(unsigned int)info->max);
}
static void length_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
printf(" -m length2");
length_mt_save(ip, match);
}
static struct xtables_match length2_mt_reg = {
.version = XTABLES_VERSION,
.name = "length2",

1
extensions/libxt_length2.man
View File

@@ -1,3 +1,4 @@
.PP
This module matches the length of a packet against a specific value or range of
values.
.TP

33
extensions/libxt_lscan.c
View File

@@ -1,6 +1,6 @@
/*
* LSCAN match extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
* Copyright © Jan Engelhardt, 2006 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -64,30 +64,6 @@ static void lscan_mt_check(unsigned int flags)
{
}
static void lscan_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
const struct xt_lscan_mtinfo *info = (const void *)(match->data);
const char *s = "";
printf(" lscan ");
if (info->match_stealth) {
printf("STEALTH");
s = ",";
}
if (info->match_syn) {
printf("%sSYNSCAN", s);
s = ",";
}
if (info->match_cn) {
printf("%sCNSCAN", s);
s = ",";
}
if (info->match_gr)
printf("%sGRSCAN", s);
printf(" ");
}
static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_lscan_mtinfo *info = (const void *)(match->data);
@@ -102,6 +78,13 @@ static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
printf(" --grscan ");
}
static void lscan_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
printf(" -m lscan");
lscan_mt_save(ip, match);
}
static struct xtables_match lscan_mt_reg = {
.version = XTABLES_VERSION,
.name = "lscan",

3
extensions/libxt_lscan.man
View File

@@ -1,4 +1,5 @@
Detects simple low-level scan attemps based upon the packet's contents.
.PP
Detects simple low-level scan attempts based upon the packet's contents.
(This is
different from other implementations, which also try to match the rate of new
connections.) Note that an attempt is only discovered after it has been carried

20
extensions/libxt_psd.c
View File

@@ -117,18 +117,6 @@ static int psd_mt_parse(int c, char **argv, int invert, unsigned int *flags,
/* Final check; nothing. */
static void psd_mt_final_check(unsigned int flags) {}
/* Prints out the targinfo. */
static void psd_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
const struct xt_psd_info *psdinfo = (const struct xt_psd_info *)match->data;
printf(" psd ");
printf("weight-threshold: %u ", psdinfo->weight_threshold);
printf("delay-threshold: %u ", psdinfo->delay_threshold);
printf("lo-ports-weight: %u ", psdinfo->lo_ports_weight);
printf("hi-ports-weight: %u ", psdinfo->hi_ports_weight);
}
/* Saves the union ipt_targinfo in parsable form to stdout. */
static void psd_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_psd_info *psdinfo = (const struct xt_psd_info *)match->data;
@@ -138,11 +126,17 @@ static void psd_mt_save(const void *ip, const struct xt_entry_match *match)
printf("--psd-hi-ports-weight %u ", psdinfo->hi_ports_weight);
}
static void psd_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
printf(" -m psd");
psd_mt_save(ip, match);
}
static struct xtables_match psd_mt_reg = {
.name = "psd",
.version = XTABLES_VERSION,
.revision = 1,
.family = NFPROTO_IPV4,
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_psd_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_psd_info)),
.help = psd_mt_help,

1
extensions/libxt_psd.man
View File

@@ -1,3 +1,4 @@
.PP
Attempt to detect TCP and UDP port scans. This match was derived from
Solar Designer's scanlogd.
.TP

25
extensions/libxt_quota2.c
View File

@@ -1,7 +1,7 @@
/*
* "quota2" match extension for iptables
* Sam Johnston <samj [at] samj net>
* Jan Engelhardt <jengelh [at] medozas de>, 2008
* Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -98,8 +98,6 @@ quota_mt2_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_quota_mtinfo2 *q = (void *)match->data;
if (q->flags & XT_QUOTA_INVERT)
printf(" !");
if (q->flags & XT_QUOTA_GROW)
printf(" --grow ");
if (q->flags & XT_QUOTA_NO_CHANGE)
@@ -108,29 +106,16 @@ quota_mt2_save(const void *ip, const struct xt_entry_match *match)
printf(" --packets ");
if (*q->name != '\0')
printf(" --name %s ", q->name);
if (q->flags & XT_QUOTA_INVERT)
printf(" !");
printf(" --quota %llu ", (unsigned long long)q->quota);
}
static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_quota_mtinfo2 *q = (const void *)match->data;
if (q->flags & XT_QUOTA_INVERT)
printf(" !");
if (q->flags & XT_QUOTA_GROW)
printf(" counter");
else
printf(" quota");
if (*q->name != '\0')
printf(" %s:", q->name);
printf(" %llu ", (unsigned long long)q->quota);
if (q->flags & XT_QUOTA_PACKET)
printf("packets ");
else
printf("bytes ");
if (q->flags & XT_QUOTA_NO_CHANGE)
printf("(no-change mode) ");
printf(" -m quota");
quota_mt2_save(ip, match);
}
static struct xtables_match quota_mt2_reg = {

1
extensions/libxt_quota2.man
View File

@@ -1,3 +1,4 @@
.PP
The "quota2" implements a named counter which can be increased or decreased
on a per-match basis. Available modes are packet counting or byte counting.
The value of the counter can be read and reset through procfs, thereby making

12
extensions/pknock/libxt_pknock.man
View File

@@ -15,10 +15,10 @@ modprobe xt_pknock
.PP
Example 1 (TCP mode, manual closing of opened port not possible):
.IP
iptables -P INPUT DROP
iptables \-P INPUT DROP
.IP
iptables -A INPUT -p tcp -m pknock --knockports 4002,4001,4004 --strict
--name SSH --time 10 --autoclose 60 --dport 22 -j ACCEPT
iptables \-A INPUT \-p tcp \-m pknock \-\-knockports 4002,4001,4004 \-\-strict
\-\-name SSH \-\-time 10 \-\-autoclose 60 \-\-dport 22 \-j ACCEPT
.PP
The rule will allow tcp port 22 for the attempting IP address after the successful reception of TCP SYN packets
to ports 4002, 4001 and 4004, in this order (a.k.a. port-knocking).
@@ -33,10 +33,10 @@ Example 2 (UDP mode \(em non-replayable and non-spoofable, manual closing
of opened port possible, secure, also called "SPA" = Secure Port
Authorization):
.IP
iptables -A INPUT -p udp -m pknock --knockports 4000 --name FTP
--opensecret foo --closesecret bar --autoclose 240 -j DROP
iptables \-A INPUT \-p udp \-m pknock \-\-knockports 4000 \-\-name FTP
\-\-opensecret foo \-\-closesecret bar \-\-autoclose 240 \-j DROP
.IP
iptables -A INPUT -p tcp -m pknock --checkip --name FTP --dport 21 -j ACCEPT
iptables \-A INPUT \-p tcp \-m pknock \-\-checkip \-\-name FTP \-\-dport 21 \-j ACCEPT
.PP
The first rule will create an "ALLOWED" record in /proc/net/xt_pknock/FTP after
the successful reception of an UDP packet to port 4000. The packet payload must be

58
extensions/pknock/xt_pknock.c
View File

@@ -32,10 +32,6 @@
#include "xt_pknock.h"
#include "compat_xtables.h"
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
# define PK_CRYPTO 1
#endif
enum status {
ST_INIT = 1,
ST_MATCHING,
@@ -113,7 +109,6 @@ static struct proc_dir_entry *pde;
static DEFINE_SPINLOCK(list_lock);
#ifdef PK_CRYPTO
static struct {
const char *algo;
struct crypto_hash *tfm;
@@ -124,7 +119,6 @@ static struct {
.tfm = NULL,
.size = 0
};
#endif
module_param(rule_hashsize, int, S_IRUGO);
MODULE_PARM_DESC(rule_hashsize, "Buckets in rule hash table (default: 8)");
@@ -196,8 +190,7 @@ status_itoa(enum status status)
static void *
pknock_seq_start(struct seq_file *s, loff_t *pos)
{
const struct proc_dir_entry *pde = s->private;
const struct xt_pknock_rule *rule = pde->data;
const struct xt_pknock_rule *rule = s->private;
spin_lock_bh(&list_lock);
@@ -216,8 +209,7 @@ pknock_seq_start(struct seq_file *s, loff_t *pos)
static void *
pknock_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
const struct proc_dir_entry *pde = s->private;
const struct xt_pknock_rule *rule = pde->data;
const struct xt_pknock_rule *rule = s->private;
++*pos;
if (*pos >= peer_hashsize)
@@ -249,8 +241,7 @@ pknock_seq_show(struct seq_file *s, void *v)
unsigned long time;
const struct list_head *peer_head = v;
const struct proc_dir_entry *pde = s->private;
const struct xt_pknock_rule *rule = pde->data;
const struct xt_pknock_rule *rule = s->private;
list_for_each_safe(pos, n, peer_head) {
peer = list_entry(pos, struct peer, head);
@@ -301,7 +292,7 @@ pknock_proc_open(struct inode *inode, struct file *file)
int ret = seq_open(file, &pknock_seq_ops);
if (ret == 0) {
struct seq_file *sf = file->private_data;
sf->private = PDE(inode);
sf->private = PDE_DATA(inode);
}
return ret;
}
@@ -484,13 +475,11 @@ add_rule(struct xt_pknock_mtinfo *info)
rule->timer.function = peer_gc;
rule->timer.data = (unsigned long)rule;
rule->status_proc = create_proc_entry(info->rule_name, 0, pde);
rule->status_proc = proc_create_data(info->rule_name, 0, pde,
&pknock_proc_ops, rule);
if (rule->status_proc == NULL)
goto out;
rule->status_proc->proc_fops = &pknock_proc_ops;
rule->status_proc->data = rule;
list_add(&rule->head, &rule_hashtable[hash]);
pr_debug("(A) rule_name: %s - created.\n", rule->rule_name);
return true;
@@ -712,14 +701,17 @@ msg_to_userspace_nl(const struct xt_pknock_mtinfo *info,
memcpy(m + 1, &msg, m->len);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 15, 0)
cn_netlink_send(m, 0, multicast_group, GFP_ATOMIC);
#else
cn_netlink_send(m, multicast_group, GFP_ATOMIC);
#endif
kfree(m);
#endif
return true;
}
#ifdef PK_CRYPTO
/**
* Transforms a sequence of characters to hexadecimal.
*
@@ -783,9 +775,7 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
epoch_min = get_seconds() / 60;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
sg_init_table(sg, ARRAY_SIZE(sg));
#endif
sg_set_buf(&sg[0], &ipsrc, sizeof(ipsrc));
sg_set_buf(&sg[1], &epoch_min, sizeof(epoch_min));
@@ -818,7 +808,6 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
kfree(hexresult);
return fret;
}
#endif /* PK_CRYPTO */
/**
* If the peer pass the security policy.
@@ -841,13 +830,11 @@ pass_security(struct peer *peer, const struct xt_pknock_mtinfo *info,
pk_debug("DENIED (anti-spoof protection)", peer);
return false;
}
#ifdef PK_CRYPTO
/* Check for OPEN secret */
if (has_secret(info->open_secret,
info->open_secret_len, peer->ip,
payload, payload_len))
return true;
#endif
return false;
}
@@ -939,7 +926,6 @@ static bool
is_close_knock(const struct peer *peer, const struct xt_pknock_mtinfo *info,
const unsigned char *payload, unsigned int payload_len)
{
#ifdef PK_CRYPTO
/* Check for CLOSE secret. */
if (has_secret(info->close_secret,
info->close_secret_len, peer->ip,
@@ -948,7 +934,6 @@ is_close_knock(const struct peer *peer, const struct xt_pknock_mtinfo *info,
pk_debug("BLOCKED", peer);
return true;
}
#endif
return false;
}
@@ -983,14 +968,8 @@ static bool pknock_mt(const struct sk_buff *skb,
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
#ifdef PK_CRYPTO
hdr_len = (iph->ihl * 4) + sizeof(struct udphdr);
break;
#else
pr_debug("UDP protocol not supported\n");
return false;
#endif
default:
pr_debug("IP payload protocol is neither tcp nor udp.\n");
return false;
@@ -1079,12 +1058,6 @@ static int pknock_mt_check(const struct xt_mtchk_param *par)
if (!(info->option & XT_PKNOCK_NAME))
RETURN_ERR("You must specify --name option.\n");
#ifndef PK_CRYPTO
if (info->option & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_CLOSESECRET))
RETURN_ERR("No crypto support available; "
"cannot use opensecret/closescret\n");
#endif
if (info->option & XT_PKNOCK_OPENSECRET && info->ports_count != 1)
RETURN_ERR("--opensecret must have just one knock port\n");
if (info->option & XT_PKNOCK_KNOCKPORT) {
@@ -1154,7 +1127,6 @@ static int __init xt_pknock_mt_init(void)
if (gc_expir_time < DEFAULT_GC_EXPIRATION_TIME)
gc_expir_time = DEFAULT_GC_EXPIRATION_TIME;
#ifdef PK_CRYPTO
if (request_module(crypto.algo) < 0) {
printk(KERN_ERR PKNOCK "request_module('%s') error.\n",
crypto.algo);
@@ -1171,11 +1143,8 @@ static int __init xt_pknock_mt_init(void)
crypto.size = crypto_hash_digestsize(crypto.tfm);
crypto.desc.tfm = crypto.tfm;
crypto.desc.flags = 0;
#else
pr_info("No crypto support for < 2.6.19\n");
#endif
pde = proc_mkdir("xt_pknock", init_net__proc_net);
pde = proc_mkdir("xt_pknock", init_net.proc_net);
if (pde == NULL) {
printk(KERN_ERR PKNOCK "proc_mkdir() error in _init().\n");
return -ENXIO;
@@ -1185,14 +1154,11 @@ static int __init xt_pknock_mt_init(void)
static void __exit xt_pknock_mt_exit(void)
{
remove_proc_entry("xt_pknock", init_net__proc_net);
remove_proc_entry("xt_pknock", init_net.proc_net);
xt_unregister_match(&xt_pknock_mt_reg);
kfree(rule_hashtable);
#ifdef PK_CRYPTO
if (crypto.tfm != NULL)
crypto_free_hash(crypto.tfm);
#endif
}
module_init(xt_pknock_mt_init);

73
extensions/xt_CHAOS.c
View File

@@ -1,6 +1,6 @@
/*
* "CHAOS" target extension for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
* Copyright © Jan Engelhardt, 2006 - 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -54,29 +54,8 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
const int fragoff = ntohs(iph->frag_off) & IP_OFFSET;
typeof(xt_tarpit) destiny;
bool ret;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
int hotdrop = false;
#else
bool hotdrop = false;
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
ret = xm_tcp->match(skb, par->in, par->out, xm_tcp, &tcp_params,
fragoff, thoff, &hotdrop);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
{
struct xt_match_param local_par = {
.in = par->in,
.out = par->out,
.match = xm_tcp,
.matchinfo = &tcp_params,
.fragoff = fragoff,
.thoff = thoff,
.hotdrop = &hotdrop,
};
ret = xm_tcp->match(skb, &local_par);
}
#else
{
struct xt_action_param local_par;
local_par.in = par->in,
@@ -89,30 +68,10 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
ret = xm_tcp->match(skb, &local_par);
hotdrop = local_par.hotdrop;
}
#endif
if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
if (!ret || hotdrop || (unsigned int)prandom_u32() > delude_percentage)
return;
destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL, NULL);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
destiny->target(skb, par->in, par->out, par->hooknum, destiny, NULL);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
{
struct xt_target_param local_par = {
.in = par->in,
.out = par->out,
.hooknum = par->hooknum,
.target = destiny,
.targinfo = par->targinfo,
.family = par->family,
};
destiny->target(skb, &local_par);
}
#else
{
struct xt_action_param local_par;
local_par.in = par->in;
@@ -123,11 +82,10 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
local_par.family = par->family;
destiny->target(skb, &local_par);
}
#endif
}
static unsigned int
chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
/*
* Equivalent to:
@@ -138,29 +96,9 @@ chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
* -A chaos -j DROP;
*/
const struct xt_chaos_tginfo *info = par->targinfo;
struct sk_buff *skb = *pskb;
const struct iphdr *iph = ip_hdr(skb);
if ((unsigned int)net_random() <= reject_percentage) {
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
return xt_reject->target(pskb, par->in, par->out, par->hooknum,
xt_reject, &reject_params, NULL);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return xt_reject->target(pskb, par->in, par->out, par->hooknum,
xt_reject, &reject_params);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
return xt_reject->target(skb, par->in, par->out, par->hooknum,
xt_reject, &reject_params);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
struct xt_target_param local_par = {
.in = par->in,
.out = par->out,
.hooknum = par->hooknum,
.target = xt_reject,
.targinfo = &reject_params,
};
return xt_reject->target(skb, &local_par);
#else
if ((unsigned int)prandom_u32() <= reject_percentage) {
struct xt_action_param local_par;
local_par.in = par->in;
local_par.out = par->out;
@@ -168,7 +106,6 @@ chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
local_par.target = xt_reject;
local_par.targinfo = &reject_params;
return xt_reject->target(skb, &local_par);
#endif
}
/* TARPIT/DELUDE may not be called from the OUTPUT chain */
@@ -274,6 +211,6 @@ static void __exit chaos_tg_exit(void)
module_init(chaos_tg_init);
module_exit(chaos_tg_exit);
MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CHAOS");

80
extensions/xt_CHECKSUM.c
View File

@@ -1,80 +0,0 @@
/*
* (C) 2002 by Harald Welte <laforge@netfilter.org>
* (C) 2010 Red Hat, Inc.
*
* Author: Michael S. Tsirkin <mst@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/version.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
# error ----------------------------------------------------------
# error This module has been merged into, and is available in the
# error mainline since Linux kernel v2.6.36. Please use that.
# error ----------------------------------------------------------
#endif
#include <linux/netfilter/x_tables.h>
#include "xt_CHECKSUM.h"
#include "compat_xtables.h"
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
MODULE_DESCRIPTION("Xtables: checksum modification");
MODULE_ALIAS("ipt_CHECKSUM");
MODULE_ALIAS("ip6t_CHECKSUM");
static unsigned int
checksum_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
if (skb->ip_summed == CHECKSUM_PARTIAL)
skb_checksum_help(skb);
return XT_CONTINUE;
}
static int checksum_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_CHECKSUM_info *einfo = par->targinfo;
if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
return -EINVAL;
}
if (!einfo->operation) {
pr_info("no CHECKSUM operation enabled\n");
return -EINVAL;
}
return 0;
}
static struct xt_target checksum_tg_reg __read_mostly = {
.name = "CHECKSUM",
.family = NFPROTO_UNSPEC,
.target = checksum_tg,
.targetsize = sizeof(struct xt_CHECKSUM_info),
.table = "mangle",
.checkentry = checksum_tg_check,
.me = THIS_MODULE,
};
static int __init checksum_tg_init(void)
{
return xt_register_target(&checksum_tg_reg);
}
static void __exit checksum_tg_exit(void)
{
xt_unregister_target(&checksum_tg_reg);
}
module_init(checksum_tg_init);
module_exit(checksum_tg_exit);

18
extensions/xt_CHECKSUM.h
View File

@@ -1,18 +0,0 @@
/* Header file for iptables ipt_CHECKSUM target
*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
* (C) 2010 Red Hat Inc
* Author: Michael S. Tsirkin <mst@redhat.com>
*
* This software is distributed under GNU GPL v2, 1991
*/
#ifndef _IPT_CHECKSUM_TARGET_H
#define _IPT_CHECKSUM_TARGET_H
#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */
struct xt_CHECKSUM_info {
__u8 operation; /* bitset of operations */
};
#endif /* _IPT_CHECKSUM_TARGET_H */

29
extensions/xt_DELUDE.c
View File

@@ -1,6 +1,6 @@
/*
* "DELUDE" target extension for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
* Copyright © Jan Engelhardt, 2007 - 2008
*
* Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
* (C) 1999-2001 Paul `Rusty' Russell
@@ -100,20 +100,19 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
}
}
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr,
niph->daddr, csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
#else
tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
niph->daddr, csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
#endif
addr_type = RTN_UNSPEC;
#ifdef CONFIG_BRIDGE_NETFILTER
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
nskb->nf_bridge->physoutdev))
#else
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
nskb->nf_bridge->mask & BRNF_BRIDGED))
#endif
#else
if (hook != NF_INET_FORWARD)
#endif
@@ -122,7 +121,7 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
/* ip_route_me_harder expects skb->dst to be set */
skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
if (ip_route_me_harder(&nskb, addr_type))
if (ip_route_me_harder(nskb, addr_type))
goto free_nskb;
else
niph = ip_hdr(nskb);
@@ -144,12 +143,14 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
}
static unsigned int
delude_tg(struct sk_buff **pskb, const struct xt_action_param *par)
delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
/* WARNING: This code causes reentry within iptables.
This means that the iptables jump stack is now crap. We
must return an absolute verdict. --RR */
delude_send_reset(*pskb, par->hooknum);
/*
* Sending the reset causes reentrancy within iptables - and should not pose
* a problem, as that is supported since Linux 2.6.35. But since we do not
* actually want to have a connection open, we are still going to drop it.
*/
delude_send_reset(skb, par->hooknum);
return NF_DROP;
}
@@ -177,6 +178,6 @@ static void __exit delude_tg_exit(void)
module_init(delude_tg_init);
module_exit(delude_tg_exit);
MODULE_DESCRIPTION("Xtables: Close TCP connections after handshake");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DELUDE");

9
extensions/xt_DHCPMAC.c
View File

@@ -1,6 +1,6 @@
/*
* "DHCPMAC" extensions for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -89,15 +89,14 @@ dhcpmac_mt(const struct sk_buff *skb, struct xt_action_param *par)
}
static unsigned int
dhcpmac_tg(struct sk_buff **pskb, const struct xt_action_param *par)
dhcpmac_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct dhcpmac_info *info = par->targinfo;
struct dhcp_message dhcpbuf, *dh;
struct udphdr udpbuf, *udph;
struct sk_buff *skb = *pskb;
unsigned int i;
if (!skb_make_writable(pskb, 0))
if (!skb_make_writable(skb, 0))
return NF_DROP;
udph = skb_header_pointer(skb, ip_hdrlen(skb),
@@ -167,7 +166,7 @@ static void __exit dhcpmac_exit(void)
module_init(dhcpmac_init);
module_exit(dhcpmac_exit);
MODULE_DESCRIPTION("Xtables: Clamp DHCP MAC to packet MAC addresses");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DHCPMAC");
MODULE_ALIAS("ipt_dhcpmac");

139
extensions/xt_DNETMAP.c
View File

@@ -26,17 +26,12 @@
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter/x_tables.h>
#include <linux/seq_file.h>
#include <linux/uidgid.h>
#include <linux/version.h>
#include <net/netfilter/nf_nat_rule.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
#include <net/net_namespace.h>
#include <net/netns/generic.h>
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0)
# include <net/netfilter/nf_nat.h>
#else
# include <linux/netfilter/nf_nat.h>
#endif
#include <net/netfilter/nf_nat.h>
#include "compat_xtables.h"
#include "xt_DNETMAP.h"
@@ -84,7 +79,7 @@ struct dnetmap_entry {
};
struct dnetmap_prefix {
struct nf_nat_ipv4_multi_range_compat prefix;
struct nf_nat_range prefix;
char prefix_str[16];
#ifdef CONFIG_PROC_FS
char proc_str_data[20];
@@ -109,28 +104,19 @@ struct dnetmap_net {
struct list_head *dnetmap_iphash;
};
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
static int dnetmap_net_id;
static inline struct dnetmap_net *dnetmap_pernet(struct net *net)
{
return net_generic(net, dnetmap_net_id);
}
#else
struct dnetmap_net *dnetmap;
#define dnetmap_pernet(x) dnetmap
#endif
static DEFINE_SPINLOCK(dnetmap_lock);
static DEFINE_MUTEX(dnetmap_mutex);
#ifdef CONFIG_PROC_FS
static const struct file_operations dnetmap_tg_fops;
static const struct file_operations dnetmap_tg_fops, dnetmap_stat_proc_fops;
#endif
static int dnetmap_stat_proc_read(char __user *buffer, char **start,
off_t offset, int length, int *eof,
void *data);
static inline unsigned int dnetmap_entry_hash(const __be32 addr)
{
return ntohl(addr) & (hash_size - 1);
@@ -179,7 +165,7 @@ dnetmap_addr_in_prefix(struct dnetmap_net *dnetmap_net, const __be32 addr,
static struct dnetmap_prefix *
dnetmap_prefix_lookup(struct dnetmap_net *dnetmap_net,
const struct nf_nat_ipv4_multi_range_compat *mr)
const struct nf_nat_range *mr)
{
struct dnetmap_prefix *p;
@@ -258,7 +244,7 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
{
struct dnetmap_net *dnetmap_net = dnetmap_pernet(par->net);
const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
const struct nf_nat_range *mr = &tginfo->prefix;
struct dnetmap_prefix *p;
struct dnetmap_entry *e;
#ifdef CONFIG_PROC_FS
@@ -274,14 +260,10 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
return ret;
}
if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
if (!(mr->flags & NF_NAT_RANGE_MAP_IPS)) {
pr_debug("DNETMAP:check: bad MAP_IPS.\n");
return -EINVAL;
}
if (mr->rangesize != 1) {
pr_debug("DNETMAP:check: bad rangesize %u.\n", mr->rangesize);
return -EINVAL;
}
mutex_lock(&dnetmap_mutex);
p = dnetmap_prefix_lookup(dnetmap_net, mr);
@@ -307,15 +289,15 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
INIT_LIST_HEAD(&p->lru_list);
INIT_LIST_HEAD(&p->elist);
ip_min = ntohl(mr->range[0].min_ip) + (whole_prefix == 0);
ip_max = ntohl(mr->range[0].max_ip) - (whole_prefix == 0);
ip_min = ntohl(mr->min_addr.ip) + (whole_prefix == 0);
ip_max = ntohl(mr->max_addr.ip) - (whole_prefix == 0);
sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->range[0].min_ip),
sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->min_addr.ip),
33 - ffs(~(ip_min ^ ip_max)));
#ifdef CONFIG_PROC_FS
sprintf(p->proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->range[0].min_ip),
sprintf(p->proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->min_addr.ip),
33 - ffs(~(ip_min ^ ip_max)));
sprintf(p->proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->range[0].min_ip),
sprintf(p->proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->min_addr.ip),
33 - ffs(~(ip_min ^ ip_max)));
#endif
printk(KERN_INFO KBUILD_MODNAME ": new prefix %s\n", p->prefix_str);
@@ -344,21 +326,20 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
ret = -ENOMEM;
goto out;
}
pde_data->uid = proc_uid;
pde_data->gid = proc_gid;
proc_set_user(pde_data, make_kuid(&init_user_ns, proc_uid),
make_kgid(&init_user_ns, proc_gid));
/* statistics */
pde_stat = create_proc_entry(p->proc_str_stat, proc_perms,
dnetmap_net->xt_dnetmap);
pde_stat = proc_create_data(p->proc_str_stat, proc_perms,
dnetmap_net->xt_dnetmap,
&dnetmap_stat_proc_fops, p);
if (pde_stat == NULL) {
kfree(p);
ret = -ENOMEM;
goto out;
}
pde_stat->data = p;
pde_stat->read_proc = dnetmap_stat_proc_read;
pde_stat->uid = proc_uid;
pde_stat->gid = proc_gid;
proc_set_user(pde_stat, make_kuid(&init_user_ns, proc_uid),
make_kgid(&init_user_ns, proc_gid));
#endif
spin_lock_bh(&dnetmap_lock);
@@ -372,17 +353,16 @@ out:
}
static unsigned int
dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
struct net *net = dev_net(par->in ? par->in : par->out);
struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
__be32 prenat_ip, postnat_ip, prenat_ip_prev;
const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
struct nf_nat_ipv4_range newrange;
const struct nf_nat_range *mr = &tginfo->prefix;
struct nf_nat_range newrange;
struct dnetmap_entry *e;
struct dnetmap_prefix *p;
__s32 jttl;
@@ -419,15 +399,14 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
spin_unlock_bh(&dnetmap_lock);
newrange = ((struct nf_nat_ipv4_range) {
mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
e->prenat_addr, e->prenat_addr,
mr->range[0].min, mr->range[0].max});
/* Hand modified range to generic setup. */
memset(&newrange, 0, sizeof(newrange));
newrange.flags = mr->flags | NF_NAT_RANGE_MAP_IPS;
newrange.min_addr.ip = e->prenat_addr;
newrange.max_addr.ip = e->prenat_addr;
newrange.min_proto = mr->min_proto;
newrange.max_proto = mr->max_proto;
return nf_nat_setup_info(ct, &newrange,
HOOK2MANIP(par->hooknum));
}
prenat_ip = ip_hdr(skb)->saddr;
@@ -509,12 +488,12 @@ bind_new_prefix:
spin_unlock_bh(&dnetmap_lock);
newrange = ((struct nf_nat_ipv4_range) {
mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
postnat_ip, postnat_ip,
mr->range[0].min, mr->range[0].max});
/* Hand modified range to generic setup. */
memset(&newrange, 0, sizeof(newrange));
newrange.flags = mr->flags | NF_NAT_RANGE_MAP_IPS;
newrange.min_addr.ip = postnat_ip;
newrange.max_addr.ip = postnat_ip;
newrange.min_proto = mr->min_proto;
newrange.max_proto = mr->max_proto;
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
no_rev_map:
@@ -528,7 +507,7 @@ static void dnetmap_tg_destroy(const struct xt_tgdtor_param *par)
{
struct dnetmap_net *dnetmap_net = dnetmap_pernet(par->net);
const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
const struct nf_nat_range *mr = &tginfo->prefix;
struct dnetmap_prefix *p;
if (!(tginfo->flags & XT_DNETMAP_PREFIX))
@@ -610,27 +589,24 @@ static const struct seq_operations dnetmap_seq_ops = {
static int dnetmap_seq_open(struct inode *inode, struct file *file)
{
struct proc_dir_entry *pde = PDE(inode);
struct dnetmap_iter_state *st;
st = __seq_open_private(file, &dnetmap_seq_ops, sizeof(*st));
if (st == NULL)
return -ENOMEM;
st->p = pde->data;
st->p = PDE_DATA(inode);
return 0;
}
static ssize_t
dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, loff_t *loff)
{
const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct dnetmap_prefix *p = pde->data;
struct dnetmap_prefix *p = PDE_DATA(file_inode(file));
struct dnetmap_entry *e;
char buf[sizeof("+192.168.100.100:200.200.200.200")];
const char *c = buf;
const char *c2;
//union nf_inet_addr addr = {};
__be32 addr1,addr2;
bool add;
char str[25];
@@ -800,11 +776,9 @@ static const struct file_operations dnetmap_tg_fops = {
};
/* for statistics */
static int dnetmap_stat_proc_read(char __user *buffer, char **start,
off_t offset, int length, int *eof,
void *data)
static int dnetmap_stat_proc_show(struct seq_file *m, void *data)
{
const struct dnetmap_prefix *p = data;
const struct dnetmap_prefix *p = m->private;
struct dnetmap_entry *e;
unsigned int used, used_static, all;
long int ttl, sum_ttl;
@@ -830,16 +804,25 @@ static int dnetmap_stat_proc_read(char __user *buffer, char **start,
}
sum_ttl = used > 0 ? sum_ttl / (used * HZ) : 0;
sprintf(buffer, "%u %u %u %ld %s\n", used, used_static, all, sum_ttl,(p->flags & XT_DNETMAP_PERSISTENT ? "persistent" : ""));
if (length >= strlen(buffer))
*eof = true;
seq_printf(m, "%u %u %u %ld %s\n", used, used_static, all, sum_ttl,(p->flags & XT_DNETMAP_PERSISTENT ? "persistent" : ""));
spin_unlock_bh(&dnetmap_lock);
return strlen(buffer);
return 0;
}
static int dnetmap_stat_proc_open(struct inode *inode, struct file *file)
{
return single_open(file, dnetmap_stat_proc_show, PDE_DATA(inode));
}
static const struct file_operations dnetmap_stat_proc_fops = {
.open = dnetmap_stat_proc_open,
.read = seq_read,
.llseek = seq_lseek,
.release = single_release,
};
static int __net_init dnetmap_proc_net_init(struct net *net)
{
struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
@@ -852,7 +835,7 @@ static int __net_init dnetmap_proc_net_init(struct net *net)
static void __net_exit dnetmap_proc_net_exit(struct net *net)
{
proc_net_remove(net, "xt_DNETMAP");
remove_proc_entry("xt_DNETMAP", net->proc_net);
}
#else
@@ -871,13 +854,6 @@ static int __net_init dnetmap_net_init(struct net *net)
struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
int i;
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
dnetmap = kmalloc(sizeof(struct dnetmap_net),GFP_ATOMIC);
if (dnetmap == NULL)
return -ENOMEM;
dnetmap_net = dnetmap;
#endif
dnetmap_net->dnetmap_iphash = kmalloc(sizeof(struct list_head) *
hash_size * 2, GFP_ATOMIC);
if (dnetmap_net->dnetmap_iphash == NULL)
@@ -906,20 +882,15 @@ static void __net_exit dnetmap_net_exit(struct net *net)
mutex_unlock(&dnetmap_mutex);
kfree(dnetmap_net->dnetmap_iphash);
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
kfree(dnetmap_net);
#endif
dnetmap_proc_net_exit(net);
}
static struct pernet_operations dnetmap_net_ops = {
.init = dnetmap_net_init,
.exit = dnetmap_net_exit,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
.id = &dnetmap_net_id,
.size = sizeof(struct dnetmap_net),
#endif
};
static struct xt_target dnetmap_tg_reg __read_mostly = {

2
extensions/xt_DNETMAP.h
View File

@@ -13,7 +13,7 @@ enum {
};
struct xt_DNETMAP_tginfo {
struct nf_nat_ipv4_multi_range_compat prefix;
struct nf_nat_range prefix;
__u8 flags;
__s32 ttl;
};

28
extensions/xt_ECHO.c
View File

@@ -1,7 +1,7 @@
/*
* "ECHO" (RFC 862) target extension for Xtables
* Sample module for "Writing your own Netfilter Modules"
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2011
* Copyright © Jan Engelhardt, 2008-2011
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -24,9 +24,8 @@
#include "compat_xtables.h"
static unsigned int
echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
{
const struct sk_buff *oldskb = *poldskb;
const struct udphdr *oldudp;
const struct ipv6hdr *oldip;
struct udphdr *newudp, oldudp_buf;
@@ -39,7 +38,7 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
/* This allows us to do the copy operation in fewer lines of code. */
if (skb_linearize(*poldskb) < 0)
if (skb_linearize(oldskb) < 0)
return NF_DROP;
oldip = ipv6_hdr(oldskb);
@@ -105,18 +104,14 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
}
skb_dst_set(newskb, dst);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
newip->hop_limit = ip6_dst_hoplimit(skb_dst(newskb));
#else
newip->hop_limit = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
#endif
newskb->ip_summed = CHECKSUM_NONE;
/* "Never happens" (?) */
if (newskb->len > dst_mtu(skb_dst(newskb)))
goto free_nskb;
nf_ct_attach(newskb, *poldskb);
nf_ct_attach(newskb, oldskb);
ip6_local_out(newskb);
return NF_DROP;
@@ -126,9 +121,8 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
}
static unsigned int
echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
{
const struct sk_buff *oldskb = *poldskb;
const struct udphdr *oldudp;
const struct iphdr *oldip;
struct udphdr *newudp, oldudp_buf;
@@ -138,7 +132,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
void *payload;
/* This allows us to do the copy operation in fewer lines of code. */
if (skb_linearize(*poldskb) < 0)
if (skb_linearize(oldskb) < 0)
return NF_DROP;
oldip = ip_hdr(oldskb);
@@ -196,21 +190,17 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
/* ip_route_me_harder expects the skb's dst to be set */
skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
if (ip_route_me_harder(&newskb, RTN_UNSPEC) != 0)
if (ip_route_me_harder(newskb, RTN_UNSPEC) != 0)
goto free_nskb;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
#else
newip->ttl = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
#endif
newskb->ip_summed = CHECKSUM_NONE;
/* "Never happens" (?) */
if (newskb->len > dst_mtu(skb_dst(newskb)))
goto free_nskb;
nf_ct_attach(newskb, *poldskb);
nf_ct_attach(newskb, oldskb);
ip_local_out(newskb);
return NF_DROP;
@@ -252,7 +242,7 @@ static void __exit echo_tg_exit(void)
module_init(echo_tg_init);
module_exit(echo_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Xtables: ECHO diagnosis target");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ip6t_ECHO");

8
extensions/xt_IPMARK.c
View File

@@ -1,7 +1,7 @@
/*
* "IPMARK" target extension for Xtables
* Copyright © Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>, 2003
* Jan Engelhardt <jengelh [at] medozas de>, 2008
* Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -25,10 +25,9 @@ MODULE_ALIAS("ipt_IPMARK");
MODULE_ALIAS("ip6t_IPMARK");
static unsigned int
ipmark_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
ipmark_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_ipmark_tginfo *ipmarkinfo = par->targinfo;
const struct sk_buff *skb = *pskb;
const struct iphdr *iph = ip_hdr(skb);
__u32 mark;
@@ -61,10 +60,9 @@ static __u32 ipmark_from_ip6(const struct in6_addr *a, unsigned int s)
}
static unsigned int
ipmark_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
ipmark_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_ipmark_tginfo *info = par->targinfo;
const struct sk_buff *skb = *pskb;
const struct ipv6hdr *iph = ipv6_hdr(skb);
__u32 mark;

12
extensions/xt_LOGMARK.c
View File

@@ -2,7 +2,7 @@
* "LOGMARK" target extension to Xtables
* useful for debugging
*
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2010
* Copyright © Jan Engelhardt, 2008-2010
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -63,9 +63,8 @@ static void logmark_ct(const struct nf_conn *ct, enum ip_conntrack_info ctinfo)
}
static unsigned int
logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
logmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct sk_buff *skb = *pskb;
const struct xt_logmark_tginfo *info = par->targinfo;
const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
@@ -80,13 +79,8 @@ logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
printk(" ctdir=%s", dir_names[ctinfo >= IP_CT_IS_REPLY]);
if (ct == NULL)
printk(" ct=NULL ctmark=NULL ctstate=INVALID ctstatus=NONE");
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
else if (nf_ct_is_untracked(ct))
printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
#else
else if (ct == &nf_conntrack_untracked)
printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
#endif
else
logmark_ct(ct, ctinfo);
@@ -141,7 +135,7 @@ static void __exit logmark_tg_exit(void)
module_init(logmark_tg_init);
module_exit(logmark_tg_exit);
MODULE_DESCRIPTION("Xtables: netfilter mark logging to syslog");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_LOGMARK");
MODULE_ALIAS("ip6t_LOGMARK");

358
extensions/xt_RAWNAT.c
View File

@@ -1,358 +0,0 @@
/*
* "RAWNAT" target extension for Xtables - untracked NAT
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/version.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include "compat_xtables.h"
#include "xt_RAWNAT.h"
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
# define WITH_IPV6 1
#endif
static inline __be32
remask(__be32 addr, __be32 repl, unsigned int shift)
{
uint32_t mask = (shift == 32) ? 0 : (~(uint32_t)0 >> shift);
return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
}
#ifdef WITH_IPV6
static void
rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
{
switch (mask) {
case 0:
break;
case 1 ... 31:
addr[0] = remask(addr[0], repl[0], mask);
break;
case 32:
addr[0] = repl[0];
break;
case 33 ... 63:
addr[0] = repl[0];
addr[1] = remask(addr[1], repl[1], mask - 32);
break;
case 64:
addr[0] = repl[0];
addr[1] = repl[1];
break;
case 65 ... 95:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = remask(addr[2], repl[2], mask - 64);
case 96:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
break;
case 97 ... 127:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
addr[3] = remask(addr[3], repl[3], mask - 96);
break;
case 128:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
addr[3] = repl[3];
break;
}
}
#endif
static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
{
struct iphdr *iph = ip_hdr(skb);
void *transport_hdr = (void *)iph + ip_hdrlen(skb);
struct tcphdr *tcph;
struct udphdr *udph;
bool cond;
switch (iph->protocol) {
case IPPROTO_TCP:
tcph = transport_hdr;
inet_proto_csum_replace4(&tcph->check, skb, oldip, newip, true);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
udph = transport_hdr;
cond = udph->check != 0;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
cond |= skb->ip_summed == CHECKSUM_PARTIAL;
#endif
if (cond) {
inet_proto_csum_replace4(&udph->check, skb,
oldip, newip, true);
if (udph->check == 0)
udph->check = CSUM_MANGLED_0;
}
break;
}
}
static unsigned int rawnat4_writable_part(const struct iphdr *iph)
{
unsigned int wlen = sizeof(*iph);
switch (iph->protocol) {
case IPPROTO_TCP:
wlen += sizeof(struct tcphdr);
break;
case IPPROTO_UDP:
wlen += sizeof(struct udphdr);
break;
}
return wlen;
}
static unsigned int
rawsnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
struct iphdr *iph;
__be32 new_addr;
iph = ip_hdr(*pskb);
new_addr = remask(iph->saddr, info->addr.ip, info->mask);
if (iph->saddr == new_addr)
return XT_CONTINUE;
if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
return NF_DROP;
iph = ip_hdr(*pskb);
csum_replace4(&iph->check, iph->saddr, new_addr);
rawnat4_update_l4(*pskb, iph->saddr, new_addr);
iph->saddr = new_addr;
return XT_CONTINUE;
}
static unsigned int
rawdnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
struct iphdr *iph;
__be32 new_addr;
iph = ip_hdr(*pskb);
new_addr = remask(iph->daddr, info->addr.ip, info->mask);
if (iph->daddr == new_addr)
return XT_CONTINUE;
if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
return NF_DROP;
iph = ip_hdr(*pskb);
csum_replace4(&iph->check, iph->daddr, new_addr);
rawnat4_update_l4(*pskb, iph->daddr, new_addr);
iph->daddr = new_addr;
return XT_CONTINUE;
}
#ifdef WITH_IPV6
static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
unsigned int *l4proto)
{
static const unsigned int types[] =
{IPPROTO_TCP, IPPROTO_UDP, IPPROTO_UDPLITE};
unsigned int i;
int err;
*l4proto = NEXTHDR_MAX;
for (i = 0; i < ARRAY_SIZE(types); ++i) {
err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL, NULL);
if (err >= 0) {
*l4proto = types[i];
break;
}
if (err != -ENOENT)
return false;
}
switch (*l4proto) {
case IPPROTO_TCP:
if (!skb_make_writable(pskb, *l4offset + sizeof(struct tcphdr)))
return false;
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
if (!skb_make_writable(pskb, *l4offset + sizeof(struct udphdr)))
return false;
break;
}
return true;
}
static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
unsigned int l4offset, const struct in6_addr *oldip,
const struct in6_addr *newip)
{
const struct ipv6hdr *iph = ipv6_hdr(skb);
struct tcphdr *tcph;
struct udphdr *udph;
unsigned int i;
bool cond;
switch (l4proto) {
case IPPROTO_TCP:
tcph = (void *)iph + l4offset;
for (i = 0; i < 4; ++i)
inet_proto_csum_replace4(&tcph->check, skb,
oldip->s6_addr32[i], newip->s6_addr32[i], true);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
udph = (void *)iph + l4offset;
cond = udph->check;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
cond |= skb->ip_summed == CHECKSUM_PARTIAL;
#endif
if (cond) {
for (i = 0; i < 4; ++i)
inet_proto_csum_replace4(&udph->check, skb,
oldip->s6_addr32[i],
newip->s6_addr32[i], true);
if (udph->check == 0)
udph->check = CSUM_MANGLED_0;
}
break;
}
}
static unsigned int
rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset, l4proto;
struct ipv6hdr *iph;
struct in6_addr new_addr;
iph = ipv6_hdr(*pskb);
memcpy(&new_addr, &iph->saddr, sizeof(new_addr));
rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
if (ipv6_addr_cmp(&iph->saddr, &new_addr) == 0)
return XT_CONTINUE;
if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
return NF_DROP;
iph = ipv6_hdr(*pskb);
rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->saddr, &new_addr);
memcpy(&iph->saddr, &new_addr, sizeof(new_addr));
return XT_CONTINUE;
}
static unsigned int
rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset, l4proto;
struct ipv6hdr *iph;
struct in6_addr new_addr;
iph = ipv6_hdr(*pskb);
memcpy(&new_addr, &iph->daddr, sizeof(new_addr));
rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
if (ipv6_addr_cmp(&iph->daddr, &new_addr) == 0)
return XT_CONTINUE;
if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
return NF_DROP;
iph = ipv6_hdr(*pskb);
rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->daddr, &new_addr);
memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
return XT_CONTINUE;
}
#endif
static int rawnat_tg_check(const struct xt_tgchk_param *par)
{
if (strcmp(par->table, "raw") == 0 ||
strcmp(par->table, "rawpost") == 0)
return 0;
printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or "
"\"rawpost\" table.\n");
return -EINVAL;
}
static struct xt_target rawnat_tg_reg[] __read_mostly = {
{
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.target = rawsnat_tg4,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.target = rawsnat_tg6,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#endif
{
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.target = rawdnat_tg4,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.target = rawdnat_tg6,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#endif
};
static int __init rawnat_tg_init(void)
{
return xt_register_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
}
static void __exit rawnat_tg_exit(void)
{
xt_unregister_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
}
module_init(rawnat_tg_init);
module_exit(rawnat_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: conntrack-less raw NAT");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_RAWSNAT");
MODULE_ALIAS("ipt_RAWDNAT");
MODULE_ALIAS("ip6t_RAWSNAT");
MODULE_ALIAS("ip6t_RAWDNAT");

9
extensions/xt_RAWNAT.h
View File

@@ -1,9 +0,0 @@
#ifndef _LINUX_NETFILTER_XT_TARGET_RAWNAT
#define _LINUX_NETFILTER_XT_TARGET_RAWNAT 1
struct xt_rawnat_tginfo {
union nf_inet_addr addr;
__u8 mask;
};
#endif /* _LINUX_NETFILTER_XT_TARGET_RAWNAT */

67
extensions/xt_STEAL.c
View File

@@ -1,67 +0,0 @@
/*
* "STEAL" demo target extension for Xtables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include "compat_xtables.h"
static unsigned int
steal_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
kfree_skb(*pskb);
return NF_STOLEN;
}
static struct xt_target steal_tg_reg[] __read_mostly = {
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_UNSPEC,
.target = steal_tg,
.me = THIS_MODULE,
},
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_IPV6,
.target = steal_tg,
.me = THIS_MODULE,
},
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_ARP,
.target = steal_tg,
.me = THIS_MODULE,
},
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_BRIDGE,
.target = steal_tg,
.me = THIS_MODULE,
},
};
static int __init steal_tg_init(void)
{
return xt_register_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
}
static void __exit steal_tg_exit(void)
{
xt_unregister_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
}
module_init(steal_tg_init);
module_exit(steal_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: Silently DROP packets on output chain");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_STEAL");
MODULE_ALIAS("ip6t_STEAL");
MODULE_ALIAS("arpt_STEAL");
MODULE_ALIAS("ebt_STEAL");

35
extensions/xt_SYSRQ.c
View File

@@ -1,6 +1,6 @@
/*
* "SYSRQ" target extension for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
* Copyright © Jan Engelhardt, 2008 - 2012
*
* Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
*
@@ -24,10 +24,10 @@
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include "compat_xtables.h"
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19) && \
(defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE))
#if defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE)
# define WITH_CRYPTO 1
#endif
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
@@ -120,9 +120,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
ret = crypto_hash_init(&desc);
if (ret != 0)
goto hash_fail;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
sg_init_table(sg, 2);
#endif
sg_set_buf(&sg[0], data, n);
i = strlen(sysrq_digest_password);
sg_set_buf(&sg[1], sysrq_digest_password, i);
@@ -154,13 +152,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
sysrq_seqno = new_seqno;
for (i = 0; i < len && data[i] != ','; ++i) {
printk(KERN_INFO KBUILD_MODNAME ": SysRq %c\n", data[i]);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
handle_sysrq(data[i]);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
handle_sysrq(data[i], NULL);
#else
handle_sysrq(data[i], NULL, NULL);
#endif
}
return NF_ACCEPT;
@@ -191,21 +183,14 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
return NF_DROP;
}
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
handle_sysrq(c);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
handle_sysrq(c, NULL);
#else
handle_sysrq(c, NULL, NULL);
#endif
return NF_ACCEPT;
}
#endif
static unsigned int
sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
sysrq_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
const struct iphdr *iph;
const struct udphdr *udph;
uint16_t len;
@@ -234,13 +219,12 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
#ifdef WITH_IPV6
static unsigned int
sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
sysrq_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
const struct ipv6hdr *iph;
const struct udphdr *udph;
unsigned short frag_off;
unsigned int th_off;
unsigned int th_off = 0;
uint16_t len;
if (skb_linearize(skb) < 0)
@@ -364,8 +348,9 @@ static int __init sysrq_crypto_init(void)
fail:
sysrq_crypto_exit();
return ret;
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 19)
printk(KERN_WARNING "xt_SYSRQ does not provide crypto for < 2.6.19\n");
#else
printk(KERN_WARNING "Kernel was compiled without crypto, "
"so xt_SYSRQ won't use crypto.\n");
#endif
return -EINVAL;
}
@@ -386,7 +371,7 @@ static void __exit sysrq_tg_exit(void)
module_init(sysrq_tg_init);
module_exit(sysrq_tg_exit);
MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_AUTHOR("John Haxby <john.haxby@oracle.com");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_SYSRQ");

70
extensions/xt_TARPIT.c
View File

@@ -79,7 +79,7 @@ static bool xttarpit_tarpit(struct tcphdr *tcph, const struct tcphdr *oth)
#if 0
/* Rate-limit replies to !SYN,ACKs */
if (!oth->syn && oth->ack)
if (!xrlim_allow(rt_dst(ort), HZ))
if (!xrlim_allow(&ort->dst, HZ))
return false;
#endif
@@ -107,8 +107,8 @@ static bool xttarpit_honeypot(struct tcphdr *tcph, const struct tcphdr *oth,
tcph->syn = true;
tcph->ack = true;
tcph->window = oth->window &
((net_random() & 0x1f) - 0xf);
tcph->seq = htonl(net_random() & ~oth->seq);
((prandom_u32() & 0x1f) - 0xf);
tcph->seq = htonl(prandom_u32() & ~oth->seq);
tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
}
@@ -117,7 +117,7 @@ static bool xttarpit_honeypot(struct tcphdr *tcph, const struct tcphdr *oth,
tcph->syn = false;
tcph->ack = true;
tcph->window = oth->window &
((net_random() & 0x1f) - 0xf);
((prandom_u32() & 0x1f) - 0xf);
tcph->ack_seq = payload > 100 ?
htonl(ntohl(oth->seq) + payload) :
oth->seq;
@@ -208,13 +208,9 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
nf_reset(nskb);
skb_nfmark(nskb) = 0;
skb_init_secmark(nskb);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
skb_shinfo(nskb)->gso_size = 0;
skb_shinfo(nskb)->gso_segs = 0;
skb_shinfo(nskb)->gso_type = 0;
#endif
oldhdr = ip_hdr(oldskb);
tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
@@ -237,19 +233,13 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
((u_int8_t *)tcph)[13] = 0;
if (!tarpit_generic(tcph, oth, payload, mode))
return;
goto free_nskb;
/* Adjust TCP checksum */
tcph->check = 0;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr,
niph->daddr, csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
#else
tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
niph->daddr, csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
#endif
/* Set DF, id = 0 */
niph->frag_off = htons(IP_DF);
@@ -259,14 +249,19 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
niph->id = ~oldhdr->id + 1;
#ifdef CONFIG_BRIDGE_NETFILTER
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
nskb->nf_bridge->physoutdev != NULL))
#else
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
nskb->nf_bridge->mask & BRNF_BRIDGED))
#endif
#else
if (hook != NF_INET_FORWARD)
#endif
addr_type = RTN_LOCAL;
if (ip_route_me_harder(&nskb, addr_type))
if (ip_route_me_harder(nskb, addr_type))
goto free_nskb;
else
niph = ip_hdr(nskb);
@@ -277,11 +272,7 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
if (mode == XTTARPIT_HONEYPOT)
niph->ttl = 128;
else
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
niph->ttl = ip4_dst_hoplimit(skb_dst(nskb));
#else
niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
#endif
/* Adjust IP checksum */
niph->check = 0;
@@ -293,8 +284,13 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
nf_ct_attach(nskb, oldskb);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
skb_dst(nskb)->dev, dst_output_sk);
#else
NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
skb_dst(nskb)->dev, dst_output);
#endif
return;
free_nskb:
@@ -359,13 +355,9 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
nf_reset(nskb);
skb_nfmark(nskb) = 0;
skb_init_secmark(nskb);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
skb_shinfo(nskb)->gso_size = 0;
skb_shinfo(nskb)->gso_segs = 0;
skb_shinfo(nskb)->gso_type = 0;
#endif
skb_put(nskb, sizeof(struct ipv6hdr));
ip6h = ipv6_hdr(nskb);
*(__be32 *)ip6h = htonl(0x60000000 | (tclass << 20));
@@ -374,16 +366,11 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
ip6h->daddr = oip6h->saddr;
/* Adjust IP TTL */
if (mode == XTTARPIT_HONEYPOT)
if (mode == XTTARPIT_HONEYPOT) {
ip6h->hop_limit = 128;
else
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 26)
} else {
ip6h->hop_limit = ip6_dst_hoplimit(skb_dst(nskb));
#else
ip6h->hop_limit = dst_metric(dst, RTAX_HOPLIMIT);
if (ip6h->hop_limit < 0)
ip6h->hop_limit = ipv6_get_hoplimit((skb_dst(nskb))->dev).
#endif
}
tcph = (struct tcphdr *)(skb_network_header(nskb) +
sizeof(struct ipv6hdr));
@@ -399,7 +386,7 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
payload = nskb->len - sizeof(struct ipv6hdr) - sizeof(struct tcphdr);
if (!tarpit_generic(&oth, tcph, payload, mode))
return;
goto free_nskb;
ip6h->payload_len = htons(sizeof(struct tcphdr));
tcph->check = 0;
@@ -417,8 +404,13 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
nf_ct_attach(nskb, oldskb);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
skb_dst(nskb)->dev, dst_output_sk);
#else
NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
skb_dst(nskb)->dev, dst_output);
#endif
return;
free_nskb:
@@ -427,9 +419,8 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
#endif
static unsigned int
tarpit_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct sk_buff *skb = *pskb;
const struct iphdr *iph = ip_hdr(skb);
const struct rtable *rt = skb_rtable(skb);
const struct xt_tarpit_tginfo *info = par->targinfo;
@@ -458,15 +449,14 @@ tarpit_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
if (iph->frag_off & htons(IP_OFFSET))
return NF_DROP;
tarpit_tcp4(*pskb, par->hooknum, info->variant);
tarpit_tcp4(skb, par->hooknum, info->variant);
return NF_DROP;
}
#ifdef WITH_IPV6
static unsigned int
tarpit_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct sk_buff *skb = *pskb;
const struct ipv6hdr *iph = ipv6_hdr(skb);
const struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
const struct xt_tarpit_tginfo *info = par->targinfo;
@@ -501,7 +491,7 @@ tarpit_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
return NF_DROP;
}
tarpit_tcp6(*pskb, par->hooknum, info->variant);
tarpit_tcp6(skb, par->hooknum, info->variant);
return NF_DROP;
}
#endif
@@ -544,7 +534,7 @@ static void __exit tarpit_tg_exit(void)
module_init(tarpit_tg_init);
module_exit(tarpit_tg_exit);
MODULE_DESCRIPTION("Xtables: \"TARPIT\", capture and hold TCP connections");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TARPIT");
MODULE_ALIAS("ip6t_TARPIT");

299
extensions/xt_TEE.c
View File

@@ -1,299 +0,0 @@
/*
* "TEE" target extension for Xtables
* Copyright © Sebastian Claßen <sebastian.classen [at] freenet de>, 2007
* Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
*
* based on ipt_ROUTE.c from Cédric de Launois
* <delaunois [at] info ucl ac be>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* version 2, as published by the Free Software Foundation.
*/
#include <linux/ip.h>
#include <linux/module.h>
#include <linux/route.h>
#include <linux/skbuff.h>
#include <linux/version.h>
#include <net/checksum.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/ip6_route.h>
#include <net/route.h>
#include <linux/netfilter/x_tables.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
# error ----------------------------------------------------------
# error This module has been merged into, and is available in the
# error mainline since Linux kernel v2.6.35. Please use that.
# error ----------------------------------------------------------
#endif
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
# define WITH_CONNTRACK 1
# include <net/netfilter/nf_conntrack.h>
#endif
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
# define WITH_IPV6 1
#endif
#include "compat_xtables.h"
#include "xt_TEE.h"
static bool tee_active[NR_CPUS];
static const union nf_inet_addr tee_zero_address;
static bool
tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
{
const struct iphdr *iph = ip_hdr(skb);
struct rtable *rt;
struct flowi fl;
memset(&fl, 0, sizeof(fl));
fl.nl_u.ip4_u.daddr = info->gw.ip;
fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
if (ip_route_output_key(&init_net, &rt, &fl) != 0)
return false;
dst_release(skb_dst(skb));
skb_dst_set(skb, rt_dst(rt));
skb->dev = rt_dst(rt)->dev;
skb->protocol = htons(ETH_P_IP);
return true;
}
static inline bool dev_hh_avail(const struct net_device *dev)
{
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return dev->hard_header != NULL;
#else
return dev->header_ops != NULL;
#endif
}
/*
* Stolen from ip_finish_output2
* PRE : skb->dev is set to the device we are leaving by
* skb->dst is not NULL
* POST: the packet is sent with the link layer header pushed
* the packet is destroyed
*/
static void tee_tg_send(struct sk_buff *skb)
{
const struct dst_entry *dst = skb_dst(skb);
const struct net_device *dev = dst->dev;
unsigned int hh_len = LL_RESERVED_SPACE(dev);
/* Be paranoid, rather than too clever. */
if (unlikely(skb_headroom(skb) < hh_len && dev_hh_avail(dev))) {
struct sk_buff *skb2;
skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
if (skb2 == NULL) {
kfree_skb(skb);
return;
}
if (skb->sk != NULL)
skb_set_owner_w(skb2, skb->sk);
kfree_skb(skb);
skb = skb2;
}
if (dst->hh != NULL)
neigh_hh_output(dst->hh, skb);
else if (dst->neighbour != NULL)
dst->neighbour->output(skb);
else
kfree_skb(skb);
}
static unsigned int
tee_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
struct sk_buff *skb = *pskb;
struct iphdr *iph;
unsigned int cpu = smp_processor_id();
if (tee_active[cpu])
return XT_CONTINUE;
/*
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
* the original skb, which should continue on its way as if nothing has
* happened. The copy should be independently delivered to the TEE
* --gateway.
*/
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return XT_CONTINUE;
/*
* If we are in PREROUTING/INPUT, the checksum must be recalculated
* since the length could have changed as a result of defragmentation.
*
* We also decrease the TTL to mitigate potential TEE loops
* between two hosts.
*
* Set %IP_DF so that the original source is notified of a potentially
* decreased MTU on the clone route. IPv6 does this too.
*/
iph = ip_hdr(skb);
iph->frag_off |= htons(IP_DF);
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN)
--iph->ttl;
ip_send_check(iph);
#ifdef WITH_CONNTRACK
/*
* Tell conntrack to forget this packet. It may have side effects to
* see the same packet twice, as for example, accounting the original
* connection for the cloned packet.
*/
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_conntrack_untracked.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
/*
* Normally, we would just use ip_local_out. Because iph->check is
* already correct, we could take a shortcut and call dst_output
* [forwards to ip_output] directly. ip_output however will invoke
* Netfilter hooks and cause reentrancy. So we skip that too and go
* directly to ip_finish_output. Since we should not do XFRM, control
* passes to ip_finish_output2. That function is not exported, so it is
* copied here as tee_ip_direct_send.
*
* We do no XFRM on the cloned packet on purpose! The choice of
* iptables match options will control whether the raw packet or the
* transformed version is cloned.
*
* Also on purpose, no fragmentation is done, to preserve the
* packet as best as possible.
*/
if (tee_tg_route4(skb, info)) {
tee_active[cpu] = true;
tee_tg_send(skb);
tee_active[cpu] = false;
} else {
kfree_skb(skb);
}
return XT_CONTINUE;
}
#ifdef WITH_IPV6
static bool
tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
{
const struct ipv6hdr *iph = ipv6_hdr(skb);
struct dst_entry *dst;
struct flowi fl;
memset(&fl, 0, sizeof(fl));
fl.nl_u.ip6_u.daddr = info->gw.in6;
fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 25)
dst = ip6_route_output(NULL, &fl);
#else
dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
#endif
if (dst == NULL)
return false;
dst_release(skb_dst(skb));
skb_dst_set(skb, dst);
skb->dev = dst->dev;
skb->protocol = htons(ETH_P_IPV6);
return true;
}
static unsigned int
tee_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
struct sk_buff *skb = *pskb;
unsigned int cpu = smp_processor_id();
if (tee_active[cpu])
return XT_CONTINUE;
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return XT_CONTINUE;
#ifdef WITH_CONNTRACK
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_conntrack_untracked.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN) {
struct ipv6hdr *iph = ipv6_hdr(skb);
--iph->hop_limit;
}
if (tee_tg_route6(skb, info)) {
tee_active[cpu] = true;
tee_tg_send(skb);
tee_active[cpu] = false;
} else {
kfree_skb(skb);
}
return XT_CONTINUE;
}
#endif /* WITH_IPV6 */
static int tee_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
/* 0.0.0.0 and :: not allowed */
return (memcmp(&info->gw, &tee_zero_address,
sizeof(tee_zero_address)) == 0) ? -EINVAL : 0;
}
static struct xt_target tee_tg_reg[] __read_mostly = {
{
.name = "TEE",
.revision = 0,
.family = NFPROTO_IPV4,
.target = tee_tg4,
.targetsize = sizeof(struct xt_tee_tginfo),
.checkentry = tee_tg_check,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "TEE",
.revision = 0,
.family = NFPROTO_IPV6,
.target = tee_tg6,
.targetsize = sizeof(struct xt_tee_tginfo),
.checkentry = tee_tg_check,
.me = THIS_MODULE,
},
#endif
};
static int __init tee_tg_init(void)
{
return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
}
static void __exit tee_tg_exit(void)
{
xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
}
module_init(tee_tg_init);
module_exit(tee_tg_exit);
MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: Reroute packet copy");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TEE");
MODULE_ALIAS("ip6t_TEE");

8
extensions/xt_TEE.h
View File

@@ -1,8 +0,0 @@
#ifndef _XT_TEE_TARGET_H
#define _XT_TEE_TARGET_H
struct xt_tee_tginfo {
union nf_inet_addr gw;
};
#endif /* _XT_TEE_TARGET_H */

60
extensions/xt_condition.c
View File

@@ -35,7 +35,7 @@ static unsigned int condition_gid_perms = 0;
MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Allows rules to match against condition variables");
MODULE_LICENSE("GPL");
module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);
@@ -52,6 +52,7 @@ struct condition_variable {
struct proc_dir_entry *status_proc;
unsigned int refcount;
bool enabled;
char name[sizeof(((struct xt_condition_mtinfo *)NULL)->name)];
};
/* proc_lock is a user context only semaphore used for write access */
@@ -61,22 +62,23 @@ static DEFINE_MUTEX(proc_lock);
static LIST_HEAD(conditions_list);
static struct proc_dir_entry *proc_net_condition;
static int condition_proc_read(char __user *buffer, char **start, off_t offset,
int length, int *eof, void *data)
static int condition_proc_show(struct seq_file *m, void *data)
{
const struct condition_variable *var = data;
const struct condition_variable *var = m->private;
buffer[0] = var->enabled ? '1' : '0';
buffer[1] = '\n';
if (length >= 2)
*eof = true;
return 2;
return seq_printf(m, var->enabled ? "1\n" : "0\n");
}
static int condition_proc_write(struct file *file, const char __user *buffer,
unsigned long length, void *data)
static int condition_proc_open(struct inode *inode, struct file *file)
{
struct condition_variable *var = data;
return single_open(file, condition_proc_show, PDE_DATA(inode));
}
static ssize_t
condition_proc_write(struct file *file, const char __user *buffer,
size_t length, loff_t *loff)
{
struct condition_variable *var = PDE_DATA(file_inode(file));
char newval;
if (length > 0) {
@@ -95,6 +97,14 @@ static int condition_proc_write(struct file *file, const char __user *buffer,
return length;
}
static const struct file_operations condition_proc_fops = {
.open = condition_proc_open,
.read = seq_read,
.llseek = seq_lseek,
.write = condition_proc_write,
.release = single_release,
};
static bool
condition_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
@@ -124,7 +134,7 @@ static int condition_mt_check(const struct xt_mtchk_param *par)
*/
mutex_lock(&proc_lock);
list_for_each_entry(var, &conditions_list, list) {
if (strcmp(info->name, var->status_proc->name) == 0) {
if (strcmp(info->name, var->name) == 0) {
var->refcount++;
mutex_unlock(&proc_lock);
info->condvar = var;
@@ -139,27 +149,23 @@ static int condition_mt_check(const struct xt_mtchk_param *par)
return -ENOMEM;
}
memcpy(var->name, info->name, sizeof(info->name));
/* Create the condition variable's proc file entry. */
var->status_proc = create_proc_entry(info->name, condition_list_perms,
proc_net_condition);
var->status_proc = proc_create_data(info->name, condition_list_perms,
proc_net_condition, &condition_proc_fops, var);
if (var->status_proc == NULL) {
kfree(var);
mutex_unlock(&proc_lock);
return -ENOMEM;
}
proc_set_user(var->status_proc,
make_kuid(&init_user_ns, condition_uid_perms),
make_kgid(&init_user_ns, condition_gid_perms));
var->refcount = 1;
var->enabled = false;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
var->status_proc->owner = THIS_MODULE;
#endif
var->status_proc->data = var;
wmb();
var->status_proc->read_proc = condition_proc_read;
var->status_proc->write_proc = condition_proc_write;
list_add(&var->list, &conditions_list);
var->status_proc->uid = condition_uid_perms;
var->status_proc->gid = condition_gid_perms;
mutex_unlock(&proc_lock);
info->condvar = var;
return 0;
@@ -173,7 +179,7 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
mutex_lock(&proc_lock);
if (--var->refcount == 0) {
list_del(&var->list);
remove_proc_entry(var->status_proc->name, proc_net_condition);
proc_remove(var->status_proc);
mutex_unlock(&proc_lock);
kfree(var);
return;
@@ -211,13 +217,13 @@ static int __init condition_mt_init(void)
int ret;
mutex_init(&proc_lock);
proc_net_condition = proc_mkdir(dir_name, init_net__proc_net);
proc_net_condition = proc_mkdir(dir_name, init_net.proc_net);
if (proc_net_condition == NULL)
return -EACCES;
ret = xt_register_matches(condition_mt_reg, ARRAY_SIZE(condition_mt_reg));
if (ret < 0) {
remove_proc_entry(dir_name, init_net__proc_net);
remove_proc_entry(dir_name, init_net.proc_net);
return ret;
}
@@ -227,7 +233,7 @@ static int __init condition_mt_init(void)
static void __exit condition_mt_exit(void)
{
xt_unregister_matches(condition_mt_reg, ARRAY_SIZE(condition_mt_reg));
remove_proc_entry(dir_name, init_net__proc_net);
remove_proc_entry(dir_name, init_net.proc_net);
}
module_init(condition_mt_init);

16
extensions/xt_geoip.c
View File

@@ -83,10 +83,18 @@ geoip_add_node(const struct geoip_country_user __user *umem_ptr,
p->count = umem.count;
p->cc = umem.cc;
size = p->count * geoproto_size[proto];
subnet = vmalloc(size);
if (subnet == NULL) {
ret = -ENOMEM;
goto free_p;
if (size == 0) {
/*
* Believe it or not, vmalloc prints a warning to dmesg for
* zero-sized allocations :-/
*/
subnet = NULL;
} else {
subnet = vmalloc(size);
if (subnet == NULL) {
ret = -ENOMEM;
goto free_p;
}
}
if (copy_from_user(subnet,
(const void __user *)(unsigned long)umem.subnets, size) != 0) {

4
extensions/xt_iface.c
View File

@@ -48,11 +48,7 @@ static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
return par->in;
else if (info->flags & XT_IFACE_DEV_OUT)
return par->out;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
return *put = dev_get_by_name(&init_net, info->ifname);
#else
return *put = dev_get_by_name(info->ifname);
#endif
}
static bool iface_flagtest(unsigned int devflags, unsigned int flags,

2
extensions/xt_ipv4options.c
View File

@@ -76,7 +76,7 @@ static void __exit ipv4options_mt_exit(void)
}
MODULE_DESCRIPTION("Xatblse: IPv4 option match");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ipv4options");
module_init(ipv4options_mt_init);

7
extensions/xt_length2.c
View File

@@ -1,6 +1,6 @@
/*
* xt_length - Xtables module to match packet length
* Copyright © Jan Engelhardt <jengelh@medozas.de>, 2007 - 2009
* Copyright © Jan Engelhardt , 2007 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -29,7 +29,7 @@
# define NEXTHDR_IPV4 4
#endif
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_length2");
@@ -203,7 +203,8 @@ length2_mt6(const struct sk_buff *skb, struct xt_action_param *par)
const struct xt_length_mtinfo2 *info = par->matchinfo;
const struct ipv6hdr *iph = ipv6_hdr(skb);
unsigned int len = 0, l4proto;
unsigned int thoff = par->thoff;
/* par->thoff would only set if ip6tables -p was used; so just use 0 */
unsigned int thoff = 0;
bool hit = true;
if (info->flags & XT_LENGTH_LAYER3) {

Some files were not shown because too many files have changed in this diff Show More