anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-20 19:44:56 +02:00
Code Issues Releases Wiki Activity

Compare commits

base: anonfunc:v1.7
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0
..
compare: anonfunc:v1.18
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0

157 Commits
v1.7 ... v1.18

Author SHA1 Message Date
Jan Engelhardt
26f25a43a9 Xtables-addons 1.18 2009-09-09 17:37:07 +02:00
Jan Engelhardt
bcda21a2b0 Merge branch 'psd' 2009-09-09 17:27:28 +02:00
Jan Engelhardt
4e6bc8af95 Merge branch 'ACCOUNT' 2009-09-09 17:26:00 +02:00
Jan Engelhardt
bd4be0d991 ACCOUNT: remove pointless casts 2009-09-05 04:39:00 +02:00
Jan Engelhardt
1f736c8203 ACCOUNT: remove static initializers to zero 
These are not needed, .bss is zeroed.
 2009-09-05 04:39:00 +02:00
Jan Rafaj
90fa3ab9e2 ACCOUNT: tweak base ctl number for setsockopts 
IPT_BASE_CTL+3 is already used IPT_SO_GET_REVISION_TARGET and
therefore must not be used by extensions.
 2009-09-05 04:38:57 +02:00
Jan Engelhardt
fd82a312d6 Merge branch 'ipset' 2009-09-05 03:49:47 +02:00
Jan Engelhardt
27c1676821 ipset: fix compile error with 2.6.20 
$e/ipset/ip_set_iptree.c: In function "iptree_test":
$e/ipset/ip_set_iptree.c:84:6: warning: implicit declaration of
function "time_after"
$e/ipset/ip_set_iptree.c:84:39: error: "jiffies" undeclared (first
use in this function)
$e/ipset/ip_set_iptree.c:84:39: error: (Each undeclared identifier is
reported only once
$e/ipset/ip_set_iptree.c:84:39: error: for each function it appears
in.)
$e/ipset/ip_set_iptree.c: In function "iptree_add":
$e/ipset/ip_set_iptree.c:130:57: error: "jiffies" undeclared (first
use in this function)
$e/ipset/ip_set_iptree.c:134:48: error: "HZ" undeclared (first use in
this function)
$e/ipset/ip_set_iptree.c: In function "ip_tree_gc":
$e/ipset/ip_set_iptree.c:214:8: warning: implicit declaration of
function "time_before"
$e/ipset/ip_set_iptree.c:214:42: error: "jiffies" undeclared (first
use in this function)
$e/ipset/ip_set_iptree.c:258:49: error: "HZ" undeclared (first use in
this function)
$e/ipset/ip_set_iptree.c: In function "init_gc_timer":
$e/ipset/ip_set_iptree.c:274:20: error: "jiffies" undeclared (first
use in this function)
$e/ipset/ip_set_iptree.c:274:49: error: "HZ" undeclared (first use in
this function)
$e/ipset/ip_set_iptree.c: In function "iptree_list_members_size":
$e/ipset/ip_set_iptree.c:380:58: error: "jiffies" undeclared (first
use in this function)
$e/ipset/ip_set_iptree.c: In function "iptree_list_members":
$e/ipset/ip_set_iptree.c:407:58: error: "jiffies" undeclared (first
use in this function)
$e/ipset/ip_set_iptree.c:411:37: error: "HZ" undeclared (first use in
this function)

$e/ipset/ip_set_iptreemap.c: In function "gc":
$e/ipset/ip_set_iptreemap.c:456:20: error: "jiffies" undeclared
(first use in this function)
$e/ipset/ip_set_iptreemap.c:456:20: error: (Each undeclared
identifier is reported only once
$e/ipset/ip_set_iptreemap.c:456:20: error: for each function it
appears in.)
$e/ipset/ip_set_iptreemap.c:456:49: error: "HZ" undeclared (first use
in this function)
$e/ipset/ip_set_iptreemap.c: In function "init_gc_timer":
$e/ipset/ip_set_iptreemap.c:468:20: error: "jiffies" undeclared
(first use in this function)
$e/ipset/ip_set_iptreemap.c:468:49: error: "HZ" undeclared (first use
in this function)
 2009-09-05 03:49:37 +02:00
Jan Engelhardt
3e26335cbd ipset: fast forward to v3.2 2009-09-05 03:49:37 +02:00
Jan Rafaj
f4b96672ef ACCOUNT: add kernel module metadata and alias 2009-09-05 03:40:47 +02:00
Jan Engelhardt
c3d080f21a ACCOUNT: manpage updates 
- expand "f.e."
- escape dashes where appropriate
- fB/fI formatting
 2009-09-05 03:40:47 +02:00
Jan Rafaj
cb268031b7 ACCOUNT: supply manpage 2009-09-05 03:40:47 +02:00
Jan Engelhardt
ac44a5a1fe ACCOUNT: direct-inline two short functions 2009-09-05 03:40:47 +02:00
Jan Rafaj
a3baa78ae2 ACCOUNT: remove compat glue from libxt_ACCOUNT 2009-09-05 03:40:47 +02:00
Jan Rafaj
47e002127c ACCOUNT: use non-clashing function names 
[jengelh: It is just impossible to set a breakpoint right on functions
if all modules call or/use the same symbol name.]
 2009-09-05 03:40:47 +02:00
Jan Rafaj
03363a528a ACCOUNT: utilize compat_xtables.h for backwards compatibility 2009-09-05 03:40:47 +02:00
Jan Rafaj
58b016f0af ACCOUNT: replace own DEBUGP by kernel's pr_debug 2009-09-05 03:40:47 +02:00
Jan Rafaj
8d64e7bd50 ACCOUNT: remove manual compat support 2009-09-05 03:40:47 +02:00
Jan Engelhardt
dd6cb27da4 ACCOUNT: simple reformat, use tabs instead of spaces 
The result is not perfect, but at more manageable.
 2009-09-05 03:40:46 +02:00
Jan Engelhardt
06c01131e8 ACCOUNT: remove trailing whitespace 2009-09-05 03:38:58 +02:00
Jan Engelhardt
a44c4e4b1d Import ACCOUNT kernel and iptables modules 
Reference: git://developer.intra2net.com/ipt_ACCOUNT # v1.15-1-gfb4dd1a
 2009-09-05 03:38:31 +02:00
Jan Engelhardt
1fb6f187d3 build: enable fully parallel builds 
Make make happy by using ${MAKE} instead of make.
 2009-08-28 12:32:52 +02:00
Jan Engelhardt
83e474f9ab psd: move pr_ prefix into pr_fmt 2009-08-28 12:32:23 +02:00
Jan Engelhardt
efd4c91557 psd: style: remove braces for single statements in ifs 2009-08-16 12:40:44 +02:00
Jan Engelhardt
65a257a67d psd: style: add explicit comparisons where not used in bool context 2009-08-14 20:26:37 +02:00
Jan Engelhardt
5b07e04600 psd: style: break double statements 2009-08-14 20:24:36 +02:00
Jan Engelhardt
6b175b40cb psd: jiffies is an unsigned long, fix compiler warning 
"jiffies" has always been unsigned long, not clock_t.

xt_psd.c:176:7: warning: comparison of distinct pointer types lacks a cast
 2009-08-14 20:19:13 +02:00
Jan Engelhardt
0887365f8b psd: remove whitespace at EOL 2009-08-14 20:15:00 +02:00
Jan Engelhardt
cebadbfcd7 psd: merge into main configuration files 
When psd is included in the main tree, it can use the main
configuration files.
 2009-08-14 20:12:43 +02:00
Mohd Nawawi Mohamad Jamili
380b1b6997 psd: fix revision mismatch 2009-08-13 13:11:18 +02:00
Jan Engelhardt
8e5219636a psd: tag match reg struct as __read_mostly 2009-08-13 01:04:26 +02:00
Jan Engelhardt
760edd3db6 psd: use fixated types in info struct 2009-08-13 00:52:46 +02:00
Jan Engelhardt
502c1c05aa psd: return correct status from init 2009-08-13 00:46:33 +02:00
Jan Engelhardt
a7ceccc0f4 psd: bss is always zero-initialized 2009-08-13 00:45:52 +02:00
Jan Engelhardt
10bd08d0f3 psd: remove empty checkentry function 2009-08-13 00:44:39 +02:00
Jan Engelhardt
1e5315d338 psd: replace open-coded access by skb handling functions 
pskb->network_header would not even compile under older kernels.

This also fixes the compile warning:
xt_psd.c:116:18: warning: cast to pointer from integer of different size
 2009-08-13 00:42:01 +02:00
Jan Engelhardt
579484ed70 psd: avoid shadowing of function 
ip_hdr and tcp_hdr are actually functions. Because we need them means
they must not be shadowed by variables.
 2009-08-13 00:38:39 +02:00
Mohd Nawawi Mohamad Jamili
2aa32d4bce psd: import 20090807 code base 2009-08-12 21:59:33 +02:00
Jan Engelhardt
5aee8738ed quota2: fix invalid page access in cleanup function 2009-08-07 10:35:52 +02:00
Jan Engelhardt
1111edfd85 quota2: change max name length from 31 to 15 2009-07-10 17:21:27 +02:00
Jan Engelhardt
0d47cb8b37 quota2: direct-code XT_QUOTA_COUNTER_NAME_LENGTH 2009-07-10 17:21:12 +02:00
Jan Engelhardt
1c55aec64a quota2: use strtoull instead of strtoul 2009-07-10 17:18:48 +02:00
Jan Engelhardt
dd26ab476c quota2: extend locked period during cleanup 2009-07-04 02:11:25 +02:00
Jan Engelhardt
4bf667d8eb quota2: reduce memory footprint for anonymous counters 
48/64 bytes (32/64-bit arch, resp.) per counter.
 2009-07-04 01:53:35 +02:00
Jan Engelhardt
0a88bd3435 quota2: consolidate spinlocking calls 2009-07-04 01:31:13 +02:00
Jan Engelhardt
62fb261265 quota2: prefix internal struct name with xt_ 2009-07-04 01:29:32 +02:00
Jan Engelhardt
d97f77a8f5 TEE: spello fix 2009-07-02 04:16:14 +02:00
Jan Engelhardt
822c6bebe2 quota2: support nameless counters 2009-07-02 02:21:11 +02:00
Jan Engelhardt
fdf42a3a50 build: support for Linux 2.6.31-rc1 2009-07-02 01:51:40 +02:00
Jan Engelhardt
6b2ca78af7 build: fix kernel version info 2009-07-02 01:04:48 +02:00
Jan Engelhardt
ee24cd1ac1 Xtables-addons 1.17 2009-06-16 16:25:53 +02:00
kd6lvw
71812a2053 build: support for Linux 2.6.30 
Fix a compile error with xt_quota2. Linux kernel commit
v2.6.29-7544-g3ba113d removed the "owner" member.
 2009-06-12 03:41:00 +02:00
kd6lvw
31e4e18998 build: use readlink -f in extensions/ipset/ 
Supplement to v1.5.7-5-gf373750.
 2009-06-12 03:37:18 +02:00
Marek Michalkiewicz
9fb2ffe1d3 IPMARK: print missing --shift parameter 2009-06-12 03:33:54 +02:00
Jan Engelhardt
23e83aa04c Xtables-addons 1.16 2009-05-27 14:55:51 +02:00
Jan Engelhardt
77ee63ba8b ipset: fast forward to 3.0 2009-05-27 14:51:15 +02:00
Jan Engelhardt
49e59a6dce RAWNAT: make iptable_rawpost compile with 2.6.30-rc5 2009-05-15 18:35:53 +02:00
Jan Engelhardt
137ecb9814 extensions: bump revision number to avoid possible POM clash 
Users still using a kernel with POM modules may have problems due to
differing binary structures. Bump the revision numbers of the
Xtables-addons modules, to make them distinct from POM.
 2009-05-14 21:42:05 +02:00
Jan Engelhardt
7e25254e93 SYSRQ: enable userspace module for multiprotocol 2009-05-14 21:39:48 +02:00
Jan Engelhardt
0c9ae3cb1b iface: enable for multiprotocol 2009-05-14 21:38:09 +02:00
Jan Engelhardt
471e747fc0 STEAL: enable for multiprotocol 2009-05-14 21:38:08 +02:00
Jan Engelhardt
fe7a66f3cb Xtables-addons 1.15 2009-04-30 20:58:23 +02:00
Jan Engelhardt
a13650f94d Merge branch 'RAWNAT' 2009-04-30 20:35:59 +02:00
Jan Engelhardt
73e7b5ead1 compat_xtables: fix compilation with <= 2.6.19 
Once upon a time there was no such checksumming...
 2009-04-30 20:35:48 +02:00
Jan Engelhardt
e5920cc577 Merge branch 'iface' 2009-04-30 19:41:56 +02:00
Jan Engelhardt
39655fe83b iface: fix compilation with <= 2.6.27 
Need to include compat_xtables.h to get all the definitions for older
kernels.
Also, net namespaces are not available before 2.6.24.
 2009-04-30 19:41:31 +02:00
Jan Engelhardt
9df309a14a iface: remove unused .data field 
Neither is it anywhere used, but compat_xtables does not provide it
either.
 2009-04-28 10:04:36 +02:00
Jan Engelhardt
5e2085a45f build: reword RH5-unsupported warning 2009-04-28 01:41:57 +02:00
Jan Engelhardt
4bcb7077c0 Merge branch 'iface' 2009-04-27 20:50:05 +02:00
Jan Engelhardt
000c2d73fd iface: must use __u types in header files 2009-04-27 20:46:25 +02:00
Jan Engelhardt
e89c5d976a iface: move private struct xt_iface_flag_pairs to .c file 2009-04-27 20:46:09 +02:00
Jan Engelhardt
f5ed98fbf5 iface: update documentation 
For one, the tabs must go as they cause alignment problems. Also
update the manpage with proper markup.
 2009-04-26 23:20:38 +02:00
Jan Engelhardt
60c4162087 iface: replace --lower_up by --lower-up 2009-04-26 22:22:20 +02:00
Jan Engelhardt
074a7d6cb7 iface: remove --promiscous flag 
The spelling is difficult (actually it is "promiscuous"), and one
option should be enough. Keeping --promisc.
 2009-04-26 22:21:27 +02:00
Jan Engelhardt
a6ba463c43 iface: remove redundant fields and use bool 2009-04-26 22:13:06 +02:00
Jan Engelhardt
be2061c520 iface: constify data arrays 2009-04-26 22:13:05 +02:00
Jan Engelhardt
3f96deb0f0 iface: remove define for internal array size 
The macro was only used inside kernel code and not relevant to
user-space anyway.
 2009-04-26 22:07:53 +02:00
Jan Engelhardt
6d8ce3acae iface: dissolve module name/revision macros 
The module name will unlikely be changing anytime soon. And if the
revision increases, we cannot just bump the number (well, in
Xtables-addons we can, but it would not be the case for the core
kernel). So let's not get into bad habits.
 2009-04-26 22:07:43 +02:00
Jan Engelhardt
f6c317710f iface: remove version/revision from helptext 
XTABLES_VERSION does not contain anything meaningful to display.
Printing the revision is not of value too, I think.
 2009-04-26 22:01:30 +02:00
Jan Engelhardt
6799806300 iface: use NFPROTO_* 2009-04-26 21:59:41 +02:00
Jan Engelhardt
0d36136f54 iface: some command decoupling 2009-04-26 21:56:53 +02:00
Jan Engelhardt
e1fc5f2086 iface: remove redundant parentheses 2009-04-26 21:56:25 +02:00
Jan Engelhardt
9d5f4bf468 Merge branch 'RAWNAT' 2009-04-26 21:47:43 +02:00
Jan Engelhardt
637516f2d4 RAWNAT: add extension's kernel and userspace modules 
RAWNAT provides stateless 1:1 network address translation.
 2009-04-26 21:44:54 +02:00
Jan Engelhardt
b427c930f2 build: add kernel version check to configure 2009-04-26 20:22:40 +02:00
Roman Hoog Antink
34f39756ec condition: fix intrapositional negation sign 2009-04-17 16:12:30 +02:00
Bryan Duff
e36c7575fc condition: compile fix for 2.6.30-rc 2009-04-17 16:01:45 +02:00
Jan Engelhardt
0a23bd2580 doc: update changelog 2009-04-14 21:43:13 +02:00
Jan Engelhardt
03aeed615d RAWNAT: add the rawpost tables for IPv4/IPv6 2009-04-11 00:35:58 +02:00
Jan Engelhardt
49018e2ff7 Merge branch 'sf/master' 2009-04-11 00:33:28 +02:00
Jan Engelhardt
50d14a33c0 ipp2p: fix typo in error message 
Reference: http://bugs.gentoo.org/show_bug.cgi?id=250407
Reported-by: Mike <empx@gmx.de>
 2009-04-10 19:42:59 +02:00
Jan Engelhardt
c64a78ffcc ipp2p: fix bogus varargs call 
Reference: http://bugs.gentoo.org/show_bug.cgi?id=250407
Reported-by: Mike <empx@gmx.de>
 2009-04-10 19:34:56 +02:00
Jan Engelhardt
1aae519356 iface: remove DEBUGP 2009-04-05 10:59:12 +02:00
Jan Engelhardt
af5823b407 iface: remove redundant functions 2009-04-05 10:50:45 +02:00
Jan Engelhardt
9b198fe6e7 iface: import version 20081029 2009-04-05 10:37:05 +02:00
Jan Engelhardt
4997b326f6 fuzzy: fix bogus comparison logic leftover from move to new 1.4.3 API 2009-04-05 10:36:16 +02:00
Jriri Moravec
c288ecdb9c dhcpmac: fix rename leftover from typo 2009-04-04 01:14:32 +02:00
Jan Engelhardt
f21e372402 ipp2p: print ipp2p module name when run from iptables -L 2009-04-04 00:45:20 +02:00
Eray Aslan
927dd88dc4 SYSRQ: fix manpage typo 2009-04-02 10:37:55 +02:00
Jan Engelhardt
7dd96ec357 Xtables-addons 1.14 2009-03-31 22:55:29 +02:00
Jan Engelhardt
ba6aa51f91 SYSRQ: do proper L4 header access in IPv6 code 2009-03-27 21:06:26 +01:00
Jan Engelhardt
beb7546e20 SYSRQ: ignore non-UDP packets 2009-03-27 20:27:03 +01:00
Jan Engelhardt
67579079e0 layer: block use of DEBUGP 
As per "Writing Netfilter Modules" e-book 20090326 section 4.8, one
should use pr_debug instead.
 2009-03-27 00:00:44 +01:00
Jan Engelhardt
3a632a9bc5 dhcpmac: rename from dhcpaddr 2009-03-26 21:55:10 +01:00
Jan Engelhardt
45b2e64d82 desc: add informational Kconfig descriptions 2009-03-26 21:32:44 +01:00
Jan Engelhardt
538d74b5d8 Update my email address 2009-03-25 22:10:42 +01:00
Jan Engelhardt
e3988b50b5 Add the "STEAL" target from the "demos" branch 2009-03-25 19:54:25 +01:00
Jan Engelhardt
f4b8440fba libxt_geoip: geoip: remove XT_ALIGN from .userspacesize when used with offsetof 
XT_ALIGN rounds up to the nearest multiple of 64 bits, but that is wrong
for .userspacesize if it is less than .matchsize/.targetsize.
 2009-03-24 08:27:41 +01:00
Changli Gao
d3ee3a0c3c libxt_fuzzy: need to account for kernel-level modified variables in .userspacesize 
When reviewing the code, I found there maybe a bug in libxt_fuzzy.c.
If a user wants to delete this match, he will get an error reported,
and the command fails. As the fields after maximum_rate in
xt_fuzzy_mtinfo will be altered in kernel space, we should assign the
userspacesize with the value offsetof(struct xt_fuzzy_mtinfo,
packets_total) instead.
 2009-03-24 08:26:24 +01:00
Jan Engelhardt
f96bc08f35 Xtables-addons 1.13 2009-03-23 15:50:42 +01:00
Jan Engelhardt
a0c791dc88 Upgrade to iptables 1.4.3 API 2009-03-19 11:05:26 +01:00
Jan Engelhardt
f717a91bc5 Merge branch 'ipv4options' 2009-03-19 11:03:26 +01:00
Jan Engelhardt
8bd5fc14ba libxt_ipv4options: add manpage 2009-03-19 10:34:27 +01:00
Jan Engelhardt
a51b16097b Add a reworked IPv4 options match - xt_ipv4options 
This revision 1 of ipv4options makes it possible to match the
presence or absence of any of the 32 possible IP options, either all
or any of the options the user specified.
 2009-03-08 23:38:12 +01:00
Jan Engelhardt
0bb538ba69 Xtables-addons 1.12 2009-03-07 03:24:21 +01:00
Jan Engelhardt
e11a07b230 build: fix compile issues with <= 2.6.19 
Resolve compile breakage from commits
36f80be2f7 and
7b9ca945d4.
 2009-03-07 02:58:36 +01:00
Jan Engelhardt
d263cfbd50 ipset: fast forward to 2.5.0 2009-03-07 01:33:31 +01:00
Jan Engelhardt
36f80be2f7 xt_TEE: enable routing by iif, nfmark and flowlabel 
Patrick McHardy suggests in
http://marc.info/?l=netfilter-devel&m=123564267330117&w=2 that
routing should handle the clone more like its original.
 2009-03-07 01:27:08 +01:00
Jan Engelhardt
7b9ca945d4 xt_LOGMARK: print incoming interface index 2009-03-07 01:15:48 +01:00
Jan Engelhardt
ffeb1da7d7 build: silence warning about ignored variable 
The warning was:

	config.status: WARNING: 'extensions/ipset/GNUmakefile.in'
	seems to ignore the --datarootdir setting
 2009-03-07 00:59:05 +01:00
Florian Westphal
d2d8712980 xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n 
WARNING: xt_TEE.ko needs unknown symbol ip6_route_output

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
 2009-03-07 00:48:16 +01:00
Jan Engelhardt
621cef39f5 revert "TEE: do not use TOS for routing" 
Revert commit f77a8e2eda.

Patrick McHardy suggests in
http://marc.info/?l=netfilter-devel&m=123564267330117&w=2 that
routing should handle the clone more like its original.
 2009-03-05 02:03:06 +01:00
Jan Engelhardt
08e6f23655 xt_lscan: rename from xt_portscan 2009-03-05 01:43:29 +01:00
Jan Engelhardt
4a25321191 doc: ipset: replace RW_LOCK_UNLOCKED 
ipset uses RW_LOCK_UNLOCKED directly, but this is not quite right,
and causes compilation errors with 2.6.29-rt.
 2009-03-05 01:30:02 +01:00
Jan Engelhardt
8c322a0119 ipset: replace RW_LOCK_UNLOCKED 
ipset uses RW_LOCK_UNLOCKED directly, but this is not quite right,
and causes compilation errors with 2.6.29-rt.
 2009-03-05 01:25:17 +01:00
Jan Engelhardt
bd39e4671e doc: remove old path examples 2009-02-24 19:14:10 +01:00
Jan Engelhardt
3d6bb5f86f doc: add changelog 2009-02-21 17:21:39 +01:00
Jan Engelhardt
ce03d0ee8e build: make kbuild call obey V 2009-02-21 16:54:49 +01:00
Jan Engelhardt
bca90ca2a7 build: trigger configure when GNUmakefile.in changed 2009-02-21 16:54:30 +01:00
Jan Engelhardt
08cb9e5584 Xtables-addons 1.10 2009-02-18 00:31:26 +01:00
Jan Engelhardt
1a8cc305af doc: add precise version information to INSTALL document 2009-02-11 16:56:35 +01:00
Jan Engelhardt
47a34e0ccf ipset: upgrade to ipset 2.4.9 2009-02-11 16:51:40 +01:00
Jan Engelhardt
36dab67658 Update .gitignore 2009-02-11 15:57:10 +01:00
Jan Engelhardt
7bb2957e47 compat: compile fixes for 2.6.29 
2.6.29 removes at least NIP6, and NIPQUAD is scheduled to follow.
 2009-02-11 15:56:33 +01:00
Jan Engelhardt
c168a2f142 Xtables-addons 1.9 2009-01-30 06:34:07 +01:00
Jan Engelhardt
68af6989b1 ipset: bump version to 2.4.7 
Moving from ipset 2.4.5 to 2.4.7. Upstream changed, but
the Xtables-addons copy did not (issues were not present):

>2.4.7
>  - Typo which broke compilation with kernels < 2.6.28
>    fixed (reported by Richard Lucassen, Danny Rawlins)
>
>2.4.6
>   - Compatibility fix for kernels >= 2.6.28
 2009-01-30 06:33:21 +01:00
Jan Engelhardt
446c67018a TEE: remove calls to check_inverse 2009-01-30 06:19:22 +01:00
Jan Engelhardt
0fe8e180c4 ipp2p: version bump 
For cosmetics, or so. The recent bugfix warrants this I'd say.
 2009-01-30 06:02:10 +01:00
Jan Engelhardt
7cdfc0ac3d Add xt_length2 
xt_length2 provides exact layer-4,-5 and -7 length matching
besides the preexisting layer-3 length match.
 2009-01-30 06:01:12 +01:00
Jan Engelhardt
85cab10371 Xtables-addons 1.8 2009-01-10 14:05:46 +01:00
Jan Engelhardt
61d8425cb6 Merge branch 'TEE6' 2009-01-10 14:03:04 +01:00
Jan Engelhardt
d49b6244c1 Merge branch 'TEE' 2009-01-10 14:03:03 +01:00
Jan Engelhardt
10c2b97786 Merge branch 'ipp2p' 2009-01-10 13:59:43 +01:00
Jan Engelhardt
9ed364ed36 TEE: collapse tee_tg_send{4,6} 2009-01-10 13:58:19 +01:00
Jan Engelhardt
b95e5f6417 TEE: IPv6 support for iptables module 2009-01-10 10:19:21 +01:00
Jan Engelhardt
4afebf88eb Merge branch 'TEE' into TEE6 2009-01-10 10:01:31 +01:00
Jan Engelhardt
d523158e92 TEE: iptables -nL and -L produced conversely output 2009-01-10 10:01:27 +01:00
Jan Engelhardt
1fd1787a1c TEE: limit iptables module to NFPROTO_IPV4 
The code here is only usable with IPv4.
 2009-01-10 09:57:44 +01:00
Jan Engelhardt
fbbca68790 ipp2p: partial revert of 3c8131b9 
Revert part of 3c8131b976.

The transport header offset is not (yet) set by the time Netfilter
is invoked so using tcp_hdr/udp_hdr has undefined behavior.
 2009-01-10 08:25:42 +01:00
Jan Engelhardt
4cdfd49637 ipp2p: add boundary check in search_all_kazaa 
To avoid underflow on "end - 18", we must check for plen >= 18.
 2009-01-10 06:11:13 +01:00
Jan Engelhardt
31c01cf107 portscan: update manpage about --grscan caveats 2009-01-10 05:23:43 +01:00
Jan Engelhardt
879e964f60 ipp2p: remove log flooding 
Syslog was flooded by lots of messages due to if (plen >= 5) firing
on any packet, when it should have been plen < 5. Incidentally, this
turned up that plen also takes on huge nonsense values, assuming
underflow - yet to be investigated.
 2009-01-10 04:47:14 +01:00
Jan Engelhardt
019c9de291 ipp2p: update help text 
More suggestions from Stanley Pinchak.
 2009-01-10 04:42:27 +01:00
Jan Engelhardt
af370f81f0 ipp2p: update manpage 
(With suggestions from Stanley Pinchak.)
 2009-01-09 20:24:41 +01:00
Jan Engelhardt
4aad07bdc4 TEE: IPv6 support 2008-11-21 01:15:21 +01:00
Jan Engelhardt
7a3f874753 TEE: various cleanups, add comments 
Normalize function names in light of upcoming IPv6 support.
Reformat other lines.
Add comment note about tee_send4.
 2008-11-21 01:15:03 +01:00
Jan Engelhardt
f77a8e2eda TEE: do not use TOS for routing 
Otherwise the cloned packet may be subject to more policy routing
rules than expected.
 2008-11-21 01:15:02 +01:00
129 changed files with 5825 additions and 858 deletions
Expand all files Collapse all files

22
INSTALL
View File

@@ -9,16 +9,23 @@ in combination with the kernel's Kbuild system.
# make install
Prerequirements
===============
Supported configurations for this release
=========================================
* iptables 1.4.1
* iptables >= 1.4.3
* kernel-source >= 2.6.17 with prepared build/output directory
* kernel-source >= 2.6.17, no upper bound known
with prepared build/output directory
- CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
- CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
enabled =y or as module (=m)
Extra notes:
* in the kernel 2.6.18.x series, >= 2.6.18.5 is required
* requires that no vendor backports interfere
Selecting extensions
====================
@@ -45,11 +52,8 @@ Configuring and compiling
xtables.h, should it not be within the standard C compiler
include path (/usr/include), or if you want to override it.
The directory will be checked for xtables.h and
include/xtables.h. (This is to support the following specs:)
--with-xtables=/usr/src/xtables
--with-xtables=/usr/src/xtables/include
--with-xtables=/opt/xtables/include
include/xtables.h. (The latter to support both standard
/usr/include and the iptables source root.)
--with-libxtdir=

3
Makefile.am
View File

@@ -1,7 +1,6 @@
# -*- Makefile -*-
ACLOCAL_AMFLAGS = -I m4
AUTOMAKE_OPTIONS = foreign subdir-objects
SUBDIRS = extensions
man_MANS := xtables-addons.8
@@ -15,6 +14,8 @@ extensions/%:
install-exec-local:
depmod -a || :;
config.status: extensions/GNUmakefile.in
.PHONY: tarball
tarball:
rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};

58
configure.ac
View File

@@ -1,9 +1,9 @@
AC_INIT([xtables-addons], [1.7])
AC_INIT([xtables-addons], [1.18])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
AC_PROG_INSTALL
AM_INIT_AUTOMAKE([-Wall])
AM_INIT_AUTOMAKE([-Wall foreign subdir-objects])
AC_PROG_CC
AM_PROG_CC_C_O
AC_DISABLE_STATIC
@@ -28,8 +28,11 @@ AC_ARG_WITH([xtlibdir],
[xtlibdir="$withval"],
[xtlibdir='${libexecdir}/xtables'])
AC_MSG_CHECKING([xtables.h presence])
#
# --with-xtables= overrides a possibly installed pkgconfig file.
#
if [[ -n "$xtables_location" ]]; then
AC_MSG_CHECKING([xtables.h presence])
if [[ -f "$xtables_location/xtables.h" ]]; then
AC_MSG_RESULT([$xtables_location/xtables.h])
xtables_CFLAGS="-I $xtables_location";
@@ -37,13 +40,15 @@ if [[ -n "$xtables_location" ]]; then
AC_MSG_RESULT([$xtables_location/include/xtables.h])
xtables_CFLAGS="-I $xtables_location/include";
fi;
fi;
if [[ -z "$xtables_CFLAGS" ]]; then
if [[ -f "$includedir/xtables.h" ]]; then
AC_MSG_RESULT([$includedir/xtables.h])
else
AC_MSG_RESULT([no])
if [[ -z "$xtables_CFLAGS" ]]; then
if [[ -f "$includedir/xtables.h" ]]; then
AC_MSG_RESULT([$includedir/xtables.h])
else
AC_MSG_RESULT([no])
fi;
fi;
else
PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
fi;
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
@@ -58,6 +63,41 @@ if [[ -n "$ksourcedir" ]]; then
kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
fi;
#
# check kernel version
#
if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
grep -q "Red Hat Enterprise Linux Server release 5" /etc/redhat-release 2>/dev/null; then
# しまった!
# Well, just a warning. Maybe the admin updated the kernel.
echo "WARNING: This distribution's shipped kernel is not supported.";
fi;
krel="$(make -sC ${kbuilddir} kernelrelease)";
krel="${krel%%-*}";
kmajor="${krel%%.*}";
krel="${krel#*.}";
kminor="${krel%%.*}";
krel="${krel#*.}";
kmicro="${krel%%.*}";
krel2="${krel#*.}";
if test "$krel" = "$krel2"; then
kstable=0;
else
kstable="${krel%%.*}";
if test -z "$kstable"; then
kstable=0;
fi;
fi;
echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 31; then
echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
\( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
"$kstable" -lt 5 \); then
echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
exit 1;
fi;
AC_SUBST([regular_CFLAGS])
AC_SUBST([xtables_CFLAGS])
AC_SUBST([kinclude_CFLAGS])

4
doc/README.psd Normal file
View File

@@ -0,0 +1,4 @@
PSD (Portscan Detection) External extensions for Xtables-addons
Example:
iptables -A INPUT -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 1 --psd-hi-ports-weight 10 -j LOG --log-prefix "PSD: "

180
doc/changelog.txt Normal file
View File

@@ -0,0 +1,180 @@
Xtables-addons 1.18 (September 09 2009)
=======================================
- build: support for Linux 2.6.31
- ipset: fast forward to v3.2
- quota2: support anonymous counters
- quota2: reduce memory footprint for anonymous counters
- quota2: extend locked period during cleanup (locking bugfix)
- quota2: use strtoull instead of strtoul
- merged xt_ACCOUNT module
- merged xt_psd module
Xtables-addons 1.17 (June 16 2009)
==================================
- IPMARK: print missing --shift parameter
- build: use readlink -f in extensions/ipset/
- build: support for Linux 2.6.30
Xtables-addons 1.16 (May 27 2009)
=================================
- RAWNAT: make iptable_rawpost compile with 2.6.30-rc5
- ipset: fast forward to 3.0
Xtables-addons 1.15 (April 30 2009)
===================================
- build: add kernel version check to configure
- condition: compile fix for 2.6.30-rc
- condition: fix intrapositional negation sign
- fuzzy: fix bogus comparison logic leftover from move to new 1.4.3 API
- ipp2p: fix bogus varargs call
- ipp2p: fix typo in error message
- added "iface" match
- added rawpost table (for use with RAWNAT)
- added RAWSNAT/RAWDNAT targets
Xtables-addons 1.14 (March 31 2009)
===================================
- fuzzy: need to account for kernel-level modified variables in .userspacesize
- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
- SYSRQ: ignore non-UDP packets
- SYSRQ: do proper L4 header access in IPv6 code
(must not use tcp/udp_hdr in input path)
- add "STEAL" target
- dhcpmac: rename from dhcpaddr
Xtables-addons 1.13 (March 23 2009)
===================================
- added a reworked ipv4options match
- upgrade to iptables 1.4.3 API
Xtables-addons 1.12 (March 07 2009)
===================================
- ipset: fix for compilation with 2.6.29-rt
- ipset: fast forward to 2.5.0
- rename xt_portscan to xt_lscan ("low-level scan") because
"portscan" as a word caused confusion
- xt_LOGMARK: print incoming interface index
- revert "TEE: do not use TOS for routing"
- xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n
- xt_TEE: enable routing by iif, nfmark and flowlabel
Xtables-addons 1.10 (February 18 2009)
======================================
- compat: compile fixes for 2.6.29
- ipset: upgrade to ipset 2.4.9
Xtables-addons 1.9 (January 30 2009)
====================================
- add the xt_length2 extension
- xt_TEE: remove intrapositional '!' support
- ipset: upgrade to ipset 2.4.7
Xtables-addons 1.8 (January 10 2009)
====================================
- xt_TEE: IPv6 support
- xt_TEE: do not include TOS value in routing decision
- xt_TEE: fix switch-case inversion for name/IP display
- xt_ipp2p: update manpages and help text
- xt_ipp2p: remove log flooding
- xt_portscan: update manpage about --grscan option caveats
Xtables-addons 1.7 (December 25 2008)
=====================================
- xt_ECHO: compile fix
- avoid the use of "_init" which led to compile errors on some installations
- build: do not unconditionally install ipset
- doc: add manpages for xt_ECHO and xt_TEE
- xt_ipp2p: kazaa detection code cleanup
- xt_ipp2p: fix newline inspection in kazaa detection
- xt_ipp2p: ensure better array bounds checking
- xt_SYSRQ: improve security by hashing password
Xtables-addons 1.6 (November 18 2008)
=====================================
- build: support for Linux 2.6.17
- build: compile fixes for 2.6.18 and 2.6.19
- xt_ECHO: resolve compile errors in xt_ECHO
- xt_ipp2p: parenthesize unaligned-access macros
Xtables-addons 1.5.7 (September 01 2008)
========================================
- API layer: fix use of uninitialized 'hotdrop' variable
- API layer: move to pskb-based signatures
- xt_SYSRQ: compile fixes for Linux <= 2.6.19
- ipset: adjust semaphore.h include for Linux >= 2.6.27
- build: automatically run `depmod -a` on installation
- add reworked xt_fuzzy module
- add DHCP address match and mangle module
- xt_portscan: IPv6 support
- xt_SYSRQ: add missing module aliases
Xtables-addons 1.5.5 (August 03 2008)
=====================================
- manpage updates for xt_CHAOS, xt_IPMARK; README updates
- build: properly recognize external Kbuild/Mbuild files
- build: remove dependency on CONFIG_NETWORK_SECMARK
- add the xt_SYSRQ target
- add the xt_quota2 extension
- import ipset extension group
Xtables-addons 1.5.4.1 (April 26 2008)
======================================
- build: fix compile error for 2.6.18-stable
Xtables-addons 1.5.4 (April 09 2008)
====================================
- build: support building multiple files with one config option
- API layer: add check for pskb relocation
- doc: generate manpages
- xt_ECHO: catch skb_linearize out-of-memory condition
- xt_LOGMARK: add hook= and ctdir= fields in dump
- xt_LOGMARK: fix comma output in ctstatus= list
- xt_TEE: fix address copying bug
- xt_TEE: make skb writable before attempting checksum update
- add reworked xt_condition match
- add reworked xt_ipp2p match
- add reworked xt_IPMARK target
Xtables-addons 1.5.3 (March 22 2008)
====================================
- support for Linux 2.6.18
- add xt_ECHO sample target
- add reworked xt_geoip match
Xtables-addons 1.5.2 (March 04 2008)
====================================
- build: support for GNU make < 3.81 which does not have $(realpath)
Xtables-addons 1.5.1 (February 21 2008)
=======================================
- build: allow user to select what extensions to compile and install
- build: allow external proejcts to be downloaded into the tree
- xt_LOGMARK: dump classify mark, ctstate and ctstatus
- add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
Xtables-addons 1.5.0 (February 11 2008)
=======================================
Initial release with:
- extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
- support for Linux >= 2.6.19

1
extensions/.gitignore vendored
View File

@@ -3,6 +3,7 @@
.tmp_versions
*.ko
*.mod.c
Module.markers
Module.symvers
Modules.symvers
modules.order

31
extensions/GNUmakefile.in
View File

@@ -31,15 +31,14 @@ AM_CFLAGS := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${
AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
VU := 0
am__1verbose_CC_0 = @echo " CC " $@;
am__1verbose_CCLD_0 = @echo " CCLD " $@;
am__1verbose_GEN_0 = @echo " GEN " $@;
am__1verbose_CC_1 = @echo " CC " $@ "<-" $<;
am__1verbose_CCLD_1 = @echo " CCLD " $@ "<-" $^;
am__1verbose_GEN_1 = @echo " GEN " $@ "<-" $<;
am__verbose_CC = ${am__1verbose_CC_${VU}}
am__verbose_CCLD = ${am__1verbose_CCLD_${VU}}
am__verbose_GEN = ${am__1verbose_GEN_${VU}}
am__v_CC_0 = @echo " CC " $@;
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_GEN_0 = @echo " GEN " $@;
am__v_SILENT_0 = @
AM_V_CC = ${am__v_CC_${VU}}
AM_V_CCLD = ${am__v_CCLD_${VU}}
AM_V_GEN = ${am__v_GEN_${VU}}
AM_V_silent = ${am__v_GEN_${VU}}
#
@@ -78,7 +77,7 @@ install: modules_install subdirs-install ${targets_install}
install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/";
clean: clean_modules
@for i in ${subdirs_list}; do make -C $$i clean; done;
@for i in ${subdirs_list}; do ${MAKE} -C $$i clean; done;
rm -f *.oo *.so;
distclean: clean
@@ -93,23 +92,23 @@ distclean: clean
.PHONY: modules modules_install clean_modules
modules:
make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules;
${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
modules_install:
make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install;
${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
clean_modules:
make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean;
${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
#
# Shared libraries
#
lib%.so: lib%.oo
${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
lib%.oo: ${srcdir}/lib%.c
${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
#
@@ -126,7 +125,7 @@ wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
rm -f $@.tmp;
man_run = \
${am__verbose_GEN}for ext in $(1); do \
${AM_V_GEN}for ext in $(1); do \
f="${srcdir}/libxt_$$ext.man"; \
if [ -f "$$f" ]; then \
echo ".SS $$ext"; \

11
extensions/Kbuild
View File

@@ -5,21 +5,28 @@ include ${XA_TOPSRCDIR}/mconfig
obj-m += compat_xtables.o
obj-${build_ACCOUNT} += xt_ACCOUNT.o
obj-${build_CHAOS} += xt_CHAOS.o
obj-${build_DELUDE} += xt_DELUDE.o
obj-${build_DHCPADDR} += xt_DHCPADDR.o
obj-${build_DHCPMAC} += xt_DHCPMAC.o
obj-${build_ECHO} += xt_ECHO.o
obj-${build_IPMARK} += xt_IPMARK.o
obj-${build_LOGMARK} += xt_LOGMARK.o
obj-${build_RAWNAT} += xt_RAWNAT.o iptable_rawpost.o ip6table_rawpost.o
obj-${build_SYSRQ} += xt_SYSRQ.o
obj-${build_STEAL} += xt_STEAL.o
obj-${build_TARPIT} += xt_TARPIT.o
obj-${build_TEE} += xt_TEE.o
obj-${build_condition} += xt_condition.o
obj-${build_fuzzy} += xt_fuzzy.o
obj-${build_geoip} += xt_geoip.o
obj-${build_iface} += xt_iface.o
obj-${build_ipp2p} += xt_ipp2p.o
obj-${build_ipset} += ipset/
obj-${build_portscan} += xt_portscan.o
obj-${build_ipv4options} += xt_ipv4options.o
obj-${build_length2} += xt_length2.o
obj-${build_lscan} += xt_lscan.o
obj-${build_psd} += xt_psd.o
obj-${build_quota2} += xt_quota2.o
-include ${M}/*.Kbuild

11
extensions/Mbuild
View File

@@ -1,16 +1,23 @@
obj-${build_ACCOUNT} += libxt_ACCOUNT.so
obj-${build_CHAOS} += libxt_CHAOS.so
obj-${build_DELUDE} += libxt_DELUDE.so
obj-${build_DHCPADDR} += libxt_DHCPADDR.so libxt_dhcpaddr.so
obj-${build_DHCPMAC} += libxt_DHCPMAC.so libxt_dhcpmac.so
obj-${build_ECHO} += libxt_ECHO.so
obj-${build_IPMARK} += libxt_IPMARK.so
obj-${build_LOGMARK} += libxt_LOGMARK.so
obj-${build_RAWNAT} += libxt_RAWDNAT.so libxt_RAWSNAT.so
obj-${build_STEAL} += libxt_STEAL.so
obj-${build_SYSRQ} += libxt_SYSRQ.so
obj-${build_TARPIT} += libxt_TARPIT.so
obj-${build_TEE} += libxt_TEE.so
obj-${build_condition} += libxt_condition.so
obj-${build_fuzzy} += libxt_fuzzy.so
obj-${build_geoip} += libxt_geoip.so
obj-${build_iface} += libxt_iface.so
obj-${build_ipp2p} += libxt_ipp2p.so
obj-${build_ipset} += ipset/
obj-${build_portscan} += libxt_portscan.so
obj-${build_ipv4options} += libxt_ipv4options.so
obj-${build_length2} += libxt_length2.so
obj-${build_lscan} += libxt_lscan.so
obj-${build_psd} += libxt_psd.so
obj-${build_quota2} += libxt_quota2.so

87
extensions/compat_rawpost.h Normal file
View File

@@ -0,0 +1,87 @@
#ifndef XTA_COMPAT_RAWPOST_H
#define XTA_COMPAT_RAWPOST_H 1
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
typedef struct sk_buff sk_buff_t;
#else
typedef struct sk_buff *sk_buff_t;
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
#define XT_TARGET_INIT(__name, __size) \
{ \
.target.u.user = { \
.target_size = XT_ALIGN(__size), \
.name = __name, \
}, \
}
#define IPT_ENTRY_INIT(__size) \
{ \
.target_offset = sizeof(struct ipt_entry), \
.next_offset = (__size), \
}
#define IPT_STANDARD_INIT(__verdict) \
{ \
.entry = IPT_ENTRY_INIT(sizeof(struct ipt_standard)), \
.target = XT_TARGET_INIT(IPT_STANDARD_TARGET, \
sizeof(struct xt_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
#define IPT_ERROR_INIT \
{ \
.entry = IPT_ENTRY_INIT(sizeof(struct ipt_error)), \
.target = XT_TARGET_INIT(IPT_ERROR_TARGET, \
sizeof(struct ipt_error_target)), \
.target.errorname = "ERROR", \
}
#define IP6T_ENTRY_INIT(__size) \
{ \
.target_offset = sizeof(struct ip6t_entry), \
.next_offset = (__size), \
}
#define IP6T_STANDARD_INIT(__verdict) \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
.target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \
sizeof(struct ip6t_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
#define IP6T_ERROR_INIT \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
.target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \
sizeof(struct ip6t_error_target)), \
.target.errorname = "ERROR", \
}
#endif /* 2.6.21 */
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
# include <linux/netfilter_ipv6/ip6_tables.h>
/* Standard entry */
struct ip6t_standard
{
struct ip6t_entry entry;
struct ip6t_standard_target target;
};
struct ip6t_error_target
{
struct ip6t_entry_target target;
char errorname[IP6T_FUNCTION_MAXNAMELEN];
};
struct ip6t_error
{
struct ip6t_entry entry;
struct ip6t_error_target target;
};
#endif /* 2.6.20 */
#endif /* XTA_COMPAT_RAWPOST_H */

20
extensions/compat_skbuff.h
View File

@@ -4,9 +4,29 @@
struct tcphdr;
struct udphdr;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 30)
static inline void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
{
skb->dst = dst;
}
static inline struct dst_entry *skb_dst(const struct sk_buff *skb)
{
return skb->dst;
}
static inline struct rtable *skb_rtable(const struct sk_buff *skb)
{
return (void *)skb->dst;
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define skb_ifindex(skb) \
(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
# define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
#else
# define skb_ifindex(skb) (skb)->iif
# define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
#endif

31
extensions/compat_xtables.c
View File

@@ -20,11 +20,6 @@
#include "compat_skbuff.h"
#include "compat_xtnu.h"
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
typedef __u16 __bitwise __sum16;
typedef __u32 __bitwise __wsum;
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static int xtnu_match_run(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
@@ -447,6 +442,30 @@ int xtnu_ip_route_output_key(void *net, struct rtable **rp, struct flowi *flp)
return ip_route_output_flow(rp, flp, NULL, 0);
}
EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key);
void xtnu_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
__be32 from, __be32 to, bool pseudohdr)
{
__be32 diff[] = {~from, to};
const void *dv = diff; /* kludge for < v2.6.19-555-g72685fc */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
if (skb->ip_summed != CHECKSUM_PARTIAL) {
*sum = csum_fold(csum_partial(dv, sizeof(diff),
~csum_unfold(*sum)));
if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
skb->csum = ~csum_partial(dv, sizeof(diff),
~skb->csum);
} else if (pseudohdr) {
*sum = ~csum_fold(csum_partial(dv, sizeof(diff),
csum_unfold(*sum)));
}
#else
*sum = csum_fold(csum_partial(dv, sizeof(diff),
~csum_unfold(*sum)));
#endif
}
EXPORT_SYMBOL_GPL(xtnu_proto_csum_replace4);
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
@@ -468,7 +487,7 @@ static inline __wsum xtnu_csum_unfold(__sum16 n)
return (__force __wsum)n;
}
static inline void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
{
__be32 diff[] = {~from, to};
*sum = csum_fold(csum_partial((char *)diff, sizeof(diff),

29
extensions/compat_xtables.h
View File

@@ -1,10 +1,13 @@
#ifndef _XTABLES_COMPAT_H
#define _XTABLES_COMPAT_H 1
#include <linux/kernel.h>
#include <linux/version.h>
#include "compat_skbuff.h"
#include "compat_xtnu.h"
#define DEBUGP Use__pr_debug__instead
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
# warning Kernels below 2.6.17 not supported.
#endif
@@ -34,6 +37,7 @@
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define neigh_hh_output xtnu_neigh_hh_output
# define IPPROTO_UDPLITE 136
# define CSUM_MANGLED_0 ((__force __sum16)0xffff)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
@@ -66,8 +70,33 @@
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define csum_replace2 xtnu_csum_replace2
# define csum_replace4 xtnu_csum_replace4
# define inet_proto_csum_replace4 xtnu_proto_csum_replace4
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
# define csum_replace2 nf_csum_replace2
# define csum_replace4 nf_csum_replace4
# define inet_proto_csum_replace4 xtnu_proto_csum_replace4
#endif
#if !defined(NIP6) && !defined(NIP6_FMT)
# define NIP6(addr) \
ntohs((addr).s6_addr16[0]), \
ntohs((addr).s6_addr16[1]), \
ntohs((addr).s6_addr16[2]), \
ntohs((addr).s6_addr16[3]), \
ntohs((addr).s6_addr16[4]), \
ntohs((addr).s6_addr16[5]), \
ntohs((addr).s6_addr16[6]), \
ntohs((addr).s6_addr16[7])
# define NIP6_FMT "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
#endif
#if !defined(NIPQUAD) && !defined(NIPQUAD_FMT)
# define NIPQUAD(addr) \
((const unsigned char *)&addr)[0], \
((const unsigned char *)&addr)[1], \
((const unsigned char *)&addr)[2], \
((const unsigned char *)&addr)[3]
# define NIPQUAD_FMT "%u.%u.%u.%u"
#endif
#define ip_route_me_harder xtnu_ip_route_me_harder

14
extensions/compat_xtnu.h
View File

@@ -9,6 +9,10 @@
typedef _Bool bool;
enum { false = 0, true = 1, };
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
typedef __u16 __bitwise __sum16;
typedef __u32 __bitwise __wsum;
#endif
struct flowi;
struct hh_cache;
@@ -122,6 +126,13 @@ static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
return q;
}
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
static inline __wsum csum_unfold(__sum16 n)
{
return (__force __wsum)n;
}
#endif
extern int xtnu_ip_local_out(struct sk_buff *);
extern int xtnu_ip_route_me_harder(struct sk_buff **, unsigned int);
extern int xtnu_skb_make_writable(struct sk_buff **, unsigned int);
@@ -138,6 +149,9 @@ extern struct xt_match *xtnu_request_find_match(unsigned int,
const char *, uint8_t);
extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *);
extern void xtnu_csum_replace2(__u16 __bitwise *, __be16, __be16);
extern void xtnu_csum_replace4(__u16 __bitwise *, __be32, __be32);
extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
__be32, __be32, bool);
extern int xtnu_skb_linearize(struct sk_buff *);
#endif /* _COMPAT_XTNU_H */

107
extensions/ip6table_rawpost.c Normal file
View File

@@ -0,0 +1,107 @@
/*
* rawpost table for ip6_tables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include "compat_xtables.h"
#include "compat_rawpost.h"
enum {
RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
};
static struct {
struct ip6t_replace repl;
struct ip6t_standard entries[1];
struct ip6t_error term;
} rawpost6_initial __initdata = {
.repl = {
.name = "rawpost",
.valid_hooks = RAWPOST_VALID_HOOKS,
.num_entries = 2,
.size = sizeof(struct ip6t_standard) +
sizeof(struct ip6t_error),
.hook_entry = {
[NF_INET_POST_ROUTING] = 0,
},
.underflow = {
[NF_INET_POST_ROUTING] = 0,
},
},
.entries = {
IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
},
.term = IP6T_ERROR_INIT, /* ERROR */
};
static struct xt_table *rawpost6_ptable;
static struct xt_table rawpost6_itable = {
.name = "rawpost",
.af = NFPROTO_IPV6,
.valid_hooks = RAWPOST_VALID_HOOKS,
.me = THIS_MODULE,
};
static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
#else
return ip6t_do_table(skb, hook, in, out, rawpost6_ptable, NULL);
#endif
}
static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
.hook = rawpost6_hook_fn,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_LAST,
.owner = THIS_MODULE,
};
static int __init rawpost6_table_init(void)
{
int ret;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
rwlock_init(&rawpost6_itable.lock);
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
&rawpost6_initial.repl);
if (IS_ERR(rawpost6_ptable))
return PTR_ERR(rawpost6_ptable);
#else
ret = ip6t_register_table(&rawpost6_itable, &rawpost6_initial.repl);
if (ret < 0)
return ret;
rawpost6_ptable = &rawpost6_itable;
#endif
ret = nf_register_hook(&rawpost6_hook_ops);
if (ret < 0)
goto out;
return ret;
out:
ip6t_unregister_table(rawpost6_ptable);
return ret;
}
static void __exit rawpost6_table_exit(void)
{
nf_unregister_hook(&rawpost6_hook_ops);
ip6t_unregister_table(rawpost6_ptable);
}
module_init(rawpost6_table_init);
module_exit(rawpost6_table_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");

5
extensions/ipset/GNUmakefile.in
View File

@@ -2,8 +2,9 @@
top_srcdir := @top_srcdir@
srcdir := @srcdir@
abstop_srcdir := $(shell readlink -e ${top_srcdir})
abssrcdir := $(shell readlink -e ${srcdir})
datarootdir := @datarootdir@
abstop_srcdir := $(shell readlink -f ${top_srcdir})
abssrcdir := $(shell readlink -f ${srcdir})
ifeq (${abstop_srcdir},)
$(error Path resolution of ${top_srcdir} failed)

93
extensions/ipset/ip_set.c
View File

@@ -19,7 +19,7 @@
#include <linux/ip.h>
#include <linux/skbuff.h>
#include <linux/random.h>
#include <linux/jhash.h>
#include "ip_set_jhash.h"
#include <linux/errno.h>
#include <linux/capability.h>
#include <asm/uaccess.h>
@@ -493,7 +493,7 @@ ip_set_find_byindex(ip_set_id_t index)
static inline int
__ip_set_testip(struct ip_set *set,
const void *data,
size_t size,
u_int32_t size,
ip_set_ip_t *ip)
{
int res;
@@ -508,7 +508,7 @@ __ip_set_testip(struct ip_set *set,
static int
__ip_set_addip(ip_set_id_t index,
const void *data,
size_t size)
u_int32_t size)
{
struct ip_set *set = ip_set_list[index];
ip_set_ip_t ip;
@@ -529,15 +529,15 @@ __ip_set_addip(ip_set_id_t index,
static int
ip_set_addip(ip_set_id_t index,
const void *data,
size_t size)
u_int32_t size)
{
struct ip_set *set = ip_set_list[index];
IP_SET_ASSERT(set);
if (size - sizeof(struct ip_set_req_adt) != set->type->reqsize) {
ip_set_printk("data length wrong (want %zu, have %zu)",
set->type->reqsize,
ip_set_printk("data length wrong (want %lu, have %zu)",
(long unsigned)set->type->reqsize,
size - sizeof(struct ip_set_req_adt));
return -EINVAL;
}
@@ -549,7 +549,7 @@ ip_set_addip(ip_set_id_t index,
static int
ip_set_delip(ip_set_id_t index,
const void *data,
size_t size)
u_int32_t size)
{
struct ip_set *set = ip_set_list[index];
ip_set_ip_t ip;
@@ -558,8 +558,8 @@ ip_set_delip(ip_set_id_t index,
IP_SET_ASSERT(set);
if (size - sizeof(struct ip_set_req_adt) != set->type->reqsize) {
ip_set_printk("data length wrong (want %zu, have %zu)",
set->type->reqsize,
ip_set_printk("data length wrong (want %lu, have %zu)",
(long unsigned)set->type->reqsize,
size - sizeof(struct ip_set_req_adt));
return -EINVAL;
}
@@ -576,7 +576,7 @@ ip_set_delip(ip_set_id_t index,
static int
ip_set_testip(ip_set_id_t index,
const void *data,
size_t size)
u_int32_t size)
{
struct ip_set *set = ip_set_list[index];
ip_set_ip_t ip;
@@ -585,8 +585,8 @@ ip_set_testip(ip_set_id_t index,
IP_SET_ASSERT(set);
if (size - sizeof(struct ip_set_req_adt) != set->type->reqsize) {
ip_set_printk("data length wrong (want %zu, have %zu)",
set->type->reqsize,
ip_set_printk("data length wrong (want %lu, have %zu)",
(long unsigned)set->type->reqsize,
size - sizeof(struct ip_set_req_adt));
return -EINVAL;
}
@@ -601,7 +601,7 @@ ip_set_testip(ip_set_id_t index,
static int
ip_set_bindip(ip_set_id_t index,
const void *data,
size_t size)
u_int32_t size)
{
struct ip_set *set = ip_set_list[index];
const struct ip_set_req_bind *req_bind;
@@ -687,7 +687,7 @@ __unbind_default(struct ip_set *set)
static int
ip_set_unbindip(ip_set_id_t index,
const void *data,
size_t size)
u_int32_t size)
{
struct ip_set *set;
const struct ip_set_req_bind *req_bind;
@@ -760,7 +760,7 @@ ip_set_unbindip(ip_set_id_t index,
static int
ip_set_testbind(ip_set_id_t index,
const void *data,
size_t size)
u_int32_t size)
{
struct ip_set *set = ip_set_list[index];
const struct ip_set_req_bind *req_bind;
@@ -862,7 +862,7 @@ ip_set_create(const char *name,
const char *typename,
ip_set_id_t restore,
const void *data,
size_t size)
u_int32_t size)
{
struct ip_set *set;
ip_set_id_t index = 0, id;
@@ -877,7 +877,7 @@ ip_set_create(const char *name,
set = kmalloc(sizeof(struct ip_set), GFP_KERNEL);
if (!set)
return -ENOMEM;
set->lock = RW_LOCK_UNLOCKED;
rwlock_init(&set->lock);
strncpy(set->name, name, IP_SET_MAXNAMELEN);
set->binding = IP_SET_INVALID_ID;
atomic_set(&set->ref, 0);
@@ -915,9 +915,9 @@ ip_set_create(const char *name,
/* Check request size */
if (size != set->type->header_size) {
ip_set_printk("data length wrong (want %zu, have %zu)",
set->type->header_size,
size);
ip_set_printk("data length wrong (want %lu, have %lu)",
(long unsigned)set->type->header_size,
(long unsigned)size);
goto put_out;
}
@@ -1109,7 +1109,7 @@ ip_set_swap(ip_set_id_t from_index, ip_set_id_t to_index)
static inline void
__set_hash_bindings_size_list(struct ip_set_hash *set_hash,
ip_set_id_t id, size_t *size)
ip_set_id_t id, u_int32_t *size)
{
if (set_hash->id == id)
*size += sizeof(struct ip_set_hash_list);
@@ -1117,7 +1117,7 @@ __set_hash_bindings_size_list(struct ip_set_hash *set_hash,
static inline void
__set_hash_bindings_size_save(struct ip_set_hash *set_hash,
ip_set_id_t id, size_t *size)
ip_set_id_t id, u_int32_t *size)
{
if (set_hash->id == id)
*size += sizeof(struct ip_set_hash_save);
@@ -1220,7 +1220,7 @@ static int ip_set_save_set(ip_set_id_t index,
*used += sizeof(struct ip_set_save);
set = ip_set_list[index];
DP("set: %s, used: %u(%u) %p %p", set->name, *used, len,
DP("set: %s, used: %d(%d) %p %p", set->name, *used, len,
data, data + *used);
read_lock_bh(&set->lock);
@@ -1237,8 +1237,8 @@ static int ip_set_save_set(ip_set_id_t index,
set->type->list_header(set, data + *used);
*used += set_save->header_size;
DP("set header filled: %s, used: %u(%u) %p %p", set->name, *used,
set_save->header_size, data, data + *used);
DP("set header filled: %s, used: %d(%lu) %p %p", set->name, *used,
(unsigned long)set_save->header_size, data, data + *used);
/* Get and ensure set specific members size */
set_save->members_size = set->type->list_members_size(set);
if (*used + set_save->members_size > len)
@@ -1248,8 +1248,8 @@ static int ip_set_save_set(ip_set_id_t index,
set->type->list_members(set, data + *used);
*used += set_save->members_size;
read_unlock_bh(&set->lock);
DP("set members filled: %s, used: %u(%u) %p %p", set->name, *used,
set_save->members_size, data, data + *used);
DP("set members filled: %s, used: %d(%lu) %p %p", set->name, *used,
(unsigned long)set_save->members_size, data, data + *used);
return 0;
unlock_set:
@@ -1329,7 +1329,7 @@ static int ip_set_restore(void *data,
while (1) {
line++;
DP("%u %u %u", used, sizeof(struct ip_set_restore), len);
DP("%d %zu %d", used, sizeof(struct ip_set_restore), len);
/* Get and ensure header size */
if (used + sizeof(struct ip_set_restore) > len)
return line;
@@ -1367,12 +1367,13 @@ static int ip_set_restore(void *data,
/* Try to restore members data */
set = ip_set_list[index];
members_size = 0;
DP("members_size %u reqsize %u",
set_restore->members_size, set->type->reqsize);
DP("members_size %lu reqsize %lu",
(unsigned long)set_restore->members_size,
(unsigned long)set->type->reqsize);
while (members_size + set->type->reqsize <=
set_restore->members_size) {
line++;
DP("members: %u, line %u", members_size, line);
DP("members: %d, line %d", members_size, line);
res = __ip_set_addip(index,
data + used + members_size,
set->type->reqsize);
@@ -1381,8 +1382,8 @@ static int ip_set_restore(void *data,
members_size += set->type->reqsize;
}
DP("members_size %u %u",
set_restore->members_size, members_size);
DP("members_size %lu %d",
(unsigned long)set_restore->members_size, members_size);
if (members_size != set_restore->members_size)
return line++;
used += set_restore->members_size;
@@ -1442,10 +1443,10 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
struct ip_set_req_adt *req_adt;
ip_set_id_t index = IP_SET_INVALID_ID;
int (*adtfn)(ip_set_id_t index,
const void *data, size_t size);
const void *data, u_int32_t size);
struct fn_table {
int (*fn)(ip_set_id_t index,
const void *data, size_t size);
const void *data, u_int32_t size);
} adtfn_table[] =
{ { ip_set_addip }, { ip_set_delip }, { ip_set_testip},
{ ip_set_bindip}, { ip_set_unbindip }, { ip_set_testbind },
@@ -1910,13 +1911,23 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
res = -ENOENT;
goto done;
}
#define SETLIST(set) (strcmp(set->type->typename, "setlist") == 0)
used = 0;
if (index == IP_SET_INVALID_ID) {
/* Save all sets */
/* Save all sets: ugly setlist type dependency */
int setlist = 0;
setlists:
for (i = 0; i < ip_set_max && res == 0; i++) {
if (ip_set_list[i] != NULL)
if (ip_set_list[i] != NULL
&& !(setlist ^ SETLIST(ip_set_list[i])))
res = ip_set_save_set(i, data, &used, *len);
}
if (!setlist) {
setlist = 1;
goto setlists;
}
} else {
/* Save an individual set */
res = ip_set_save_set(index, data, &used, *len);
@@ -1938,14 +1949,14 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
if (*len < sizeof(struct ip_set_req_setnames)
|| *len != req_restore->size) {
ip_set_printk("invalid RESTORE (want =%zu, got %d)",
req_restore->size, *len);
ip_set_printk("invalid RESTORE (want =%lu, got %d)",
(long unsigned)req_restore->size, *len);
res = -EINVAL;
goto done;
}
line = ip_set_restore(data + sizeof(struct ip_set_req_setnames),
req_restore->size - sizeof(struct ip_set_req_setnames));
DP("ip_set_restore: %u", line);
DP("ip_set_restore: %d", line);
if (line != 0) {
res = -EAGAIN;
req_restore->size = line;
@@ -1960,7 +1971,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
} /* end of switch(op) */
copy:
DP("set %s, copylen %u", index != IP_SET_INVALID_ID
DP("set %s, copylen %d", index != IP_SET_INVALID_ID
&& ip_set_list[index]
? ip_set_list[index]->name
: ":all:", copylen);

32
extensions/ipset/ip_set.h
View File

@@ -48,7 +48,7 @@
/*
* Used so that the kernel module and ipset-binary can match their versions
*/
#define IP_SET_PROTOCOL_VERSION 2
#define IP_SET_PROTOCOL_VERSION 3
#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */
@@ -236,7 +236,7 @@ struct ip_set_req_max_sets {
struct ip_set_req_setnames {
unsigned op;
ip_set_id_t index; /* set to list/save */
size_t size; /* size to get setdata/bindings */
u_int32_t size; /* size to get setdata/bindings */
/* followed by sets number of struct ip_set_name_list */
};
@@ -258,9 +258,9 @@ struct ip_set_list {
ip_set_id_t index;
ip_set_id_t binding;
u_int32_t ref;
size_t header_size; /* Set header data of header_size */
size_t members_size; /* Set members data of members_size */
size_t bindings_size; /* Set bindings data of bindings_size */
u_int32_t header_size; /* Set header data of header_size */
u_int32_t members_size; /* Set members data of members_size */
u_int32_t bindings_size;/* Set bindings data of bindings_size */
};
struct ip_set_hash_list {
@@ -277,8 +277,8 @@ struct ip_set_hash_list {
struct ip_set_save {
ip_set_id_t index;
ip_set_id_t binding;
size_t header_size; /* Set header data of header_size */
size_t members_size; /* Set members data of members_size */
u_int32_t header_size; /* Set header data of header_size */
u_int32_t members_size; /* Set members data of members_size */
};
/* At restoring, ip == 0 means default binding for the given set: */
@@ -298,8 +298,8 @@ struct ip_set_restore {
char name[IP_SET_MAXNAMELEN];
char typename[IP_SET_MAXNAMELEN];
ip_set_id_t index;
size_t header_size; /* Create data of header_size */
size_t members_size; /* Set members data of members_size */
u_int32_t header_size; /* Create data of header_size */
u_int32_t members_size; /* Set members data of members_size */
};
static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
@@ -366,14 +366,14 @@ struct ip_set_type {
* return 0 if not in set, 1 if in set.
*/
int (*testip) (struct ip_set *set,
const void *data, size_t size,
const void *data, u_int32_t size,
ip_set_ip_t *ip);
/*
* Size of the data structure passed by when
* adding/deletin/testing an entry.
*/
size_t reqsize;
u_int32_t reqsize;
/* Add IP into set (userspace: ipset -A set IP)
* Return -EEXIST if the address is already in the set,
@@ -381,7 +381,7 @@ struct ip_set_type {
* If the address was not already in the set, 0 is returned.
*/
int (*addip) (struct ip_set *set,
const void *data, size_t size,
const void *data, u_int32_t size,
ip_set_ip_t *ip);
/* Add IP into set (kernel: iptables ... -j SET set src|dst)
@@ -401,7 +401,7 @@ struct ip_set_type {
* If the address really was in the set, 0 is returned.
*/
int (*delip) (struct ip_set *set,
const void *data, size_t size,
const void *data, u_int32_t size,
ip_set_ip_t *ip);
/* remove IP from set (kernel: iptables ... -j SET --entry x)
@@ -418,7 +418,7 @@ struct ip_set_type {
/* new set creation - allocated type specific items
*/
int (*create) (struct ip_set *set,
const void *data, size_t size);
const void *data, u_int32_t size);
/* retry the operation after successfully tweaking the set
*/
@@ -437,7 +437,7 @@ struct ip_set_type {
/* Listing: size needed for header
*/
size_t header_size;
u_int32_t header_size;
/* Listing: Get the header
*
@@ -523,7 +523,7 @@ extern int ip_set_testip_kernel(ip_set_id_t id,
#define UADT0(type, adt, args...) \
static int \
FNAME(type,_u,adt)(struct ip_set *set, const void *data, size_t size, \
FNAME(type,_u,adt)(struct ip_set *set, const void *data, u_int32_t size,\
ip_set_ip_t *hash_ip) \
{ \
const STRUCT(ip_set_req_,type) *req = data; \

8
extensions/ipset/ip_set_bitmaps.h
View File

@@ -6,7 +6,7 @@
#ifdef __KERNEL__
#define BITMAP_CREATE(type) \
static int \
type##_create(struct ip_set *set, const void *data, size_t size) \
type##_create(struct ip_set *set, const void *data, u_int32_t size) \
{ \
int newbytes; \
const struct ip_set_req_##type##_create *req = data; \
@@ -19,8 +19,8 @@ type##_create(struct ip_set *set, const void *data, size_t size) \
\
map = kmalloc(sizeof(struct ip_set_##type), GFP_KERNEL); \
if (!map) { \
DP("out of memory for %d bytes", \
sizeof(struct ip_set_#type)); \
DP("out of memory for %zu bytes", \
sizeof(struct ip_set_##type)); \
return -ENOMEM; \
} \
map->first_ip = req->from; \
@@ -35,7 +35,7 @@ type##_create(struct ip_set *set, const void *data, size_t size) \
map->size = newbytes; \
map->members = ip_set_malloc(newbytes); \
if (!map->members) { \
DP("out of memory for %d bytes", newbytes); \
DP("out of memory for %i bytes", newbytes); \
kfree(map); \
return -ENOMEM; \
} \

1
extensions/ipset/ip_set_compat.h
View File

@@ -58,6 +58,7 @@ static inline void *kzalloc(size_t size, gfp_t flags)
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
#include <linux/netfilter.h>
#define KMEM_CACHE_CREATE(name, size) \
kmem_cache_create(name, size, 0, 0, NULL, NULL)
#else

16
extensions/ipset/ip_set_hashes.h
View File

@@ -28,20 +28,22 @@ type##_retry(struct ip_set *set) \
hashsize++; \
\
ip_set_printk("rehashing of set %s triggered: " \
"hashsize grows from %u to %u", \
set->name, map->hashsize, hashsize); \
"hashsize grows from %lu to %lu", \
set->name, \
(long unsigned)map->hashsize, \
(long unsigned)hashsize); \
\
tmp = kmalloc(sizeof(struct ip_set_##type) \
+ map->probes * sizeof(initval_t), GFP_ATOMIC); \
if (!tmp) { \
DP("out of memory for %d bytes", \
DP("out of memory for %zu bytes", \
sizeof(struct ip_set_##type) \
+ map->probes * sizeof(initval_t)); \
return -ENOMEM; \
} \
tmp->members = harray_malloc(hashsize, sizeof(dtype), GFP_ATOMIC);\
if (!tmp->members) { \
DP("out of memory for %d bytes", hashsize * sizeof(dtype));\
DP("out of memory for %zu bytes", hashsize * sizeof(dtype));\
kfree(tmp); \
return -ENOMEM; \
} \
@@ -88,7 +90,7 @@ type##_retry(struct ip_set *set) \
#define HASH_CREATE(type, dtype) \
static int \
type##_create(struct ip_set *set, const void *data, size_t size) \
type##_create(struct ip_set *set, const void *data, u_int32_t size) \
{ \
const struct ip_set_req_##type##_create *req = data; \
struct ip_set_##type *map; \
@@ -107,7 +109,7 @@ type##_create(struct ip_set *set, const void *data, size_t size) \
map = kmalloc(sizeof(struct ip_set_##type) \
+ req->probes * sizeof(initval_t), GFP_KERNEL); \
if (!map) { \
DP("out of memory for %d bytes", \
DP("out of memory for %zu bytes", \
sizeof(struct ip_set_##type) \
+ req->probes * sizeof(initval_t)); \
return -ENOMEM; \
@@ -124,7 +126,7 @@ type##_create(struct ip_set *set, const void *data, size_t size) \
} \
map->members = harray_malloc(map->hashsize, sizeof(dtype), GFP_KERNEL);\
if (!map->members) { \
DP("out of memory for %d bytes", map->hashsize * sizeof(dtype));\
DP("out of memory for %zu bytes", map->hashsize * sizeof(dtype));\
kfree(map); \
return -ENOMEM; \
} \

20
extensions/ipset/ip_set_iphash.c
View File

@@ -11,7 +11,7 @@
#include <linux/moduleparam.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#include <linux/jhash.h>
#include "ip_set_jhash.h"
#include <linux/errno.h>
#include <asm/uaccess.h>
#include <asm/bitops.h>
@@ -42,8 +42,7 @@ iphash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
if (*elem == *hash_ip)
return id;
/* No shortcut at testing - there can be deleted
* entries. */
/* No shortcut - there can be deleted entries. */
}
return UINT_MAX;
}
@@ -64,18 +63,21 @@ __iphash_add(struct ip_set_iphash *map, ip_set_ip_t *ip)
{
__u32 probe;
u_int16_t i;
ip_set_ip_t *elem;
ip_set_ip_t *elem, *slot = NULL;
for (i = 0; i < map->probes; i++) {
probe = jhash_ip(map, i, *ip) % map->hashsize;
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
if (*elem == *ip)
return -EEXIST;
if (!*elem) {
*elem = *ip;
map->elements++;
return 0;
}
if (!(slot || *elem))
slot = elem;
/* There can be deleted entries, must check all slots */
}
if (slot) {
*slot = *ip;
map->elements++;
return 0;
}
/* Trigger rehashing */
return -EAGAIN;

2
extensions/ipset/ip_set_ipmap.h
View File

@@ -13,7 +13,7 @@ struct ip_set_ipmap {
ip_set_ip_t netmask; /* subnet netmask */
ip_set_ip_t sizeid; /* size of set in IPs */
ip_set_ip_t hosts; /* number of hosts in a subnet */
size_t size; /* size of the ipmap proper */
u_int32_t size; /* size of the ipmap proper */
};
struct ip_set_req_ipmap_create {

20
extensions/ipset/ip_set_ipporthash.c
View File

@@ -13,7 +13,7 @@
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/skbuff.h>
#include <linux/jhash.h>
#include "ip_set_jhash.h"
#include <linux/errno.h>
#include <asm/uaccess.h>
#include <asm/bitops.h>
@@ -49,8 +49,7 @@ ipporthash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
if (*elem == *hash_ip)
return id;
/* No shortcut at testing - there can be deleted
* entries. */
/* No shortcut - there can be deleted entries. */
}
return UINT_MAX;
}
@@ -86,18 +85,21 @@ __ipporthash_add(struct ip_set_ipporthash *map, ip_set_ip_t *ip)
{
__u32 probe;
u_int16_t i;
ip_set_ip_t *elem;
ip_set_ip_t *elem, *slot = NULL;
for (i = 0; i < map->probes; i++) {
probe = jhash_ip(map, i, *ip) % map->hashsize;
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
if (*elem == *ip)
return -EEXIST;
if (!*elem) {
*elem = *ip;
map->elements++;
return 0;
}
if (!(slot || *elem))
slot = elem;
/* There can be deleted entries, must check all slots */
}
if (slot) {
*slot = *ip;
map->elements++;
return 0;
}
/* Trigger rehashing */
return -EAGAIN;

22
extensions/ipset/ip_set_ipportiphash.c
View File

@@ -13,7 +13,7 @@
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/skbuff.h>
#include <linux/jhash.h>
#include "ip_set_jhash.h"
#include <linux/errno.h>
#include <asm/uaccess.h>
#include <asm/bitops.h>
@@ -51,8 +51,7 @@ ipportiphash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
elem = HARRAY_ELEM(map->members, struct ipportip *, id);
if (elem->ip == *hash_ip && elem->ip1 == ip1)
return id;
/* No shortcut at testing - there can be deleted
* entries. */
/* No shortcut - there can be deleted entries. */
}
return UINT_MAX;
}
@@ -90,19 +89,22 @@ __ipportip_add(struct ip_set_ipportiphash *map,
{
__u32 probe;
u_int16_t i;
struct ipportip *elem;
struct ipportip *elem, *slot = NULL;
for (i = 0; i < map->probes; i++) {
probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
if (elem->ip == hash_ip && elem->ip1 == ip1)
return -EEXIST;
if (!(elem->ip || elem->ip1)) {
elem->ip = hash_ip;
elem->ip1 = ip1;
map->elements++;
return 0;
}
if (!(slot || elem->ip || elem->ip1))
slot = elem;
/* There can be deleted entries, must check all slots */
}
if (slot) {
slot->ip = hash_ip;
slot->ip1 = ip1;
map->elements++;
return 0;
}
/* Trigger rehashing */
return -EAGAIN;

24
extensions/ipset/ip_set_ipportnethash.c
View File

@@ -13,7 +13,7 @@
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/skbuff.h>
#include <linux/jhash.h>
#include "ip_set_jhash.h"
#include <linux/errno.h>
#include <asm/uaccess.h>
#include <asm/bitops.h>
@@ -53,8 +53,7 @@ ipportnethash_id_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
elem = HARRAY_ELEM(map->members, struct ipportip *, id);
if (elem->ip == *hash_ip && elem->ip1 == ip1)
return id;
/* No shortcut at testing - there can be deleted
* entries. */
/* No shortcut - there can be deleted entries. */
}
return UINT_MAX;
}
@@ -103,7 +102,7 @@ ipportnethash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
}
static int
ipportnethash_utest(struct ip_set *set, const void *data, size_t size,
ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size,
ip_set_ip_t *hash_ip)
{
const struct ip_set_req_ipportnethash *req = data;
@@ -137,19 +136,22 @@ __ipportnet_add(struct ip_set_ipportnethash *map,
{
__u32 probe;
u_int16_t i;
struct ipportip *elem;
struct ipportip *elem, *slot = NULL;
for (i = 0; i < map->probes; i++) {
probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
if (elem->ip == hash_ip && elem->ip1 == ip1)
return -EEXIST;
if (!(elem->ip || elem->ip1)) {
elem->ip = hash_ip;
elem->ip1 = ip1;
map->elements++;
return 0;
}
if (!(slot || elem->ip || elem->ip1))
slot = elem;
/* There can be deleted entries, must check all slots */
}
if (slot) {
slot->ip = hash_ip;
slot->ip1 = ip1;
map->elements++;
return 0;
}
/* Trigger rehashing */
return -EAGAIN;

9
extensions/ipset/ip_set_iptree.c
View File

@@ -10,6 +10,7 @@
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/ip.h>
#include <linux/jiffies.h>
#include <linux/skbuff.h>
#include <linux/slab.h>
#include <linux/delay.h>
@@ -276,21 +277,21 @@ init_gc_timer(struct ip_set *set)
}
static int
iptree_create(struct ip_set *set, const void *data, size_t size)
iptree_create(struct ip_set *set, const void *data, u_int32_t size)
{
const struct ip_set_req_iptree_create *req = data;
struct ip_set_iptree *map;
if (size != sizeof(struct ip_set_req_iptree_create)) {
ip_set_printk("data length wrong (want %zu, have %zu)",
ip_set_printk("data length wrong (want %zu, have %lu)",
sizeof(struct ip_set_req_iptree_create),
size);
(unsigned long)size);
return -EINVAL;
}
map = kmalloc(sizeof(struct ip_set_iptree), GFP_KERNEL);
if (!map) {
DP("out of memory for %d bytes",
DP("out of memory for %zu bytes",
sizeof(struct ip_set_iptree));
return -ENOMEM;
}

9
extensions/ipset/ip_set_iptreemap.c
View File

@@ -14,6 +14,7 @@
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/ip.h>
#include <linux/jiffies.h>
#include <linux/skbuff.h>
#include <linux/slab.h>
#include <linux/delay.h>
@@ -338,7 +339,7 @@ KADT(iptreemap, add, ipaddr, ip)
static inline int
__delip_single(struct ip_set *set, ip_set_ip_t *hash_ip,
ip_set_ip_t ip, unsigned int __nocast flags)
ip_set_ip_t ip, gfp_t flags)
{
struct ip_set_iptreemap *map = set->data;
struct ip_set_iptreemap_b *btree;
@@ -364,7 +365,7 @@ __delip_single(struct ip_set *set, ip_set_ip_t *hash_ip,
static inline int
iptreemap_del(struct ip_set *set, ip_set_ip_t *hash_ip,
ip_set_ip_t start, ip_set_ip_t end, unsigned int __nocast flags)
ip_set_ip_t start, ip_set_ip_t end, gfp_t flags)
{
struct ip_set_iptreemap *map = set->data;
struct ip_set_iptreemap_b *btree;
@@ -470,7 +471,7 @@ init_gc_timer(struct ip_set *set)
}
static int
iptreemap_create(struct ip_set *set, const void *data, size_t size)
iptreemap_create(struct ip_set *set, const void *data, u_int32_t size)
{
const struct ip_set_req_iptreemap_create *req = data;
struct ip_set_iptreemap *map;
@@ -567,7 +568,7 @@ iptreemap_list_members_size(const struct ip_set *set)
return (count * sizeof(struct ip_set_req_iptreemap));
}
static inline size_t
static inline u_int32_t
add_member(void *data, size_t offset, ip_set_ip_t start, ip_set_ip_t end)
{
struct ip_set_req_iptreemap *entry = data + offset;

181
extensions/ipset/ip_set_jhash.h
View File

@@ -1,148 +1,157 @@
#ifndef _LINUX_IPSET_JHASH_H
#define _LINUX_IPSET_JHASH_H
/* This is a copy of linux/jhash.h but the types u32/u8 are changed
* to __u32/__u8 so that the header file can be included into
* userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*/
#ifndef _LINUX_JHASH_H
#define _LINUX_JHASH_H
/* jhash.h: Jenkins hash support.
*
* Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
* Copyright (C) 2006. Bob Jenkins (bob_jenkins@burtleburtle.net)
*
* http://burtleburtle.net/bob/hash/
*
* These are the credits from Bob's sources:
*
* lookup2.c, by Bob Jenkins, December 1996, Public Domain.
* hash(), hash2(), hash3, and mix() are externally useful functions.
* Routines to test the hash are included if SELF_TEST is defined.
* You can use this free for any purpose. It has no warranty.
* lookup3.c, by Bob Jenkins, May 2006, Public Domain.
*
* Copyright (C) 2003 David S. Miller (davem@redhat.com)
* These are functions for producing 32-bit hashes for hash table lookup.
* hashword(), hashlittle(), hashlittle2(), hashbig(), mix(), and final()
* are externally useful functions. Routines to test the hash are included
* if SELF_TEST is defined. You can use this free for any purpose. It's in
* the public domain. It has no warranty.
*
* Copyright (C) 2009 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* I've modified Bob's hash to be useful in the Linux kernel, and
* any bugs present are surely my fault. -DaveM
* any bugs present are my fault. Jozsef
*/
/* NOTE: Arguments are modified. */
#define __jhash_mix(a, b, c) \
#define __rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
/* __jhash_mix - mix 3 32-bit values reversibly. */
#define __jhash_mix(a,b,c) \
{ \
a -= b; a -= c; a ^= (c>>13); \
b -= c; b -= a; b ^= (a<<8); \
c -= a; c -= b; c ^= (b>>13); \
a -= b; a -= c; a ^= (c>>12); \
b -= c; b -= a; b ^= (a<<16); \
c -= a; c -= b; c ^= (b>>5); \
a -= b; a -= c; a ^= (c>>3); \
b -= c; b -= a; b ^= (a<<10); \
c -= a; c -= b; c ^= (b>>15); \
a -= c; a ^= __rot(c, 4); c += b; \
b -= a; b ^= __rot(a, 6); a += c; \
c -= b; c ^= __rot(b, 8); b += a; \
a -= c; a ^= __rot(c,16); c += b; \
b -= a; b ^= __rot(a,19); a += c; \
c -= b; c ^= __rot(b, 4); b += a; \
}
/* __jhash_final - final mixing of 3 32-bit values (a,b,c) into c */
#define __jhash_final(a,b,c) \
{ \
c ^= b; c -= __rot(b,14); \
a ^= c; a -= __rot(c,11); \
b ^= a; b -= __rot(a,25); \
c ^= b; c -= __rot(b,16); \
a ^= c; a -= __rot(c,4); \
b ^= a; b -= __rot(a,14); \
c ^= b; c -= __rot(b,24); \
}
/* The golden ration: an arbitrary value */
#define JHASH_GOLDEN_RATIO 0x9e3779b9
#define JHASH_GOLDEN_RATIO 0xdeadbeef
/* The most generic version, hashes an arbitrary sequence
* of bytes. No alignment or length assumptions are made about
* the input key.
* the input key. The result depends on endianness.
*/
static inline __u32 jhash(void *key, __u32 length, __u32 initval)
static inline u32 jhash(const void *key, u32 length, u32 initval)
{
__u32 a, b, c, len;
__u8 *k = key;
u32 a,b,c;
const u8 *k = key;
len = length;
a = b = JHASH_GOLDEN_RATIO;
c = initval;
while (len >= 12) {
a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24));
b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24));
c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24));
__jhash_mix(a,b,c);
/* Set up the internal state */
a = b = c = JHASH_GOLDEN_RATIO + length + initval;
/* all but the last block: affect some 32 bits of (a,b,c) */
while (length > 12) {
a += (k[0] + ((u32)k[1]<<8) + ((u32)k[2]<<16) + ((u32)k[3]<<24));
b += (k[4] + ((u32)k[5]<<8) + ((u32)k[6]<<16) + ((u32)k[7]<<24));
c += (k[8] + ((u32)k[9]<<8) + ((u32)k[10]<<16) + ((u32)k[11]<<24));
__jhash_mix(a, b, c);
length -= 12;
k += 12;
len -= 12;
}
c += length;
switch (len) {
case 11: c += ((__u32)k[10]<<24);
case 10: c += ((__u32)k[9]<<16);
case 9 : c += ((__u32)k[8]<<8);
case 8 : b += ((__u32)k[7]<<24);
case 7 : b += ((__u32)k[6]<<16);
case 6 : b += ((__u32)k[5]<<8);
/* last block: affect all 32 bits of (c) */
/* all the case statements fall through */
switch (length) {
case 12: c += (u32)k[11]<<24;
case 11: c += (u32)k[10]<<16;
case 10: c += (u32)k[9]<<8;
case 9 : c += k[8];
case 8 : b += (u32)k[7]<<24;
case 7 : b += (u32)k[6]<<16;
case 6 : b += (u32)k[5]<<8;
case 5 : b += k[4];
case 4 : a += ((__u32)k[3]<<24);
case 3 : a += ((__u32)k[2]<<16);
case 2 : a += ((__u32)k[1]<<8);
case 4 : a += (u32)k[3]<<24;
case 3 : a += (u32)k[2]<<16;
case 2 : a += (u32)k[1]<<8;
case 1 : a += k[0];
};
__jhash_mix(a,b,c);
__jhash_final(a, b, c);
case 0 :
break;
}
return c;
}
/* A special optimized version that handles 1 or more of __u32s.
* The length parameter here is the number of __u32s in the key.
/* A special optimized version that handles 1 or more of u32s.
* The length parameter here is the number of u32s in the key.
*/
static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval)
static inline u32 jhash2(const u32 *k, u32 length, u32 initval)
{
__u32 a, b, c, len;
u32 a, b, c;
a = b = JHASH_GOLDEN_RATIO;
c = initval;
len = length;
/* Set up the internal state */
a = b = c = JHASH_GOLDEN_RATIO + (length<<2) + initval;
while (len >= 3) {
/* handle most of the key */
while (length > 3) {
a += k[0];
b += k[1];
c += k[2];
__jhash_mix(a, b, c);
k += 3; len -= 3;
length -= 3;
k += 3;
}
c += length * 4;
switch (len) {
case 2 : b += k[1];
case 1 : a += k[0];
};
__jhash_mix(a,b,c);
/* handle the last 3 u32's */
/* all the case statements fall through */
switch (length) {
case 3: c += k[2];
case 2: b += k[1];
case 1: a += k[0];
__jhash_final(a, b, c);
case 0: /* case 0: nothing left to add */
break;
}
return c;
}
/* A special ultra-optimized versions that knows they are hashing exactly
* 3, 2 or 1 word(s).
*
* NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
* done at the end is not done here.
*/
static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval)
static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval)
{
a += JHASH_GOLDEN_RATIO;
b += JHASH_GOLDEN_RATIO;
c += initval;
a += JHASH_GOLDEN_RATIO + initval;
b += JHASH_GOLDEN_RATIO + initval;
c += JHASH_GOLDEN_RATIO + initval;
__jhash_mix(a, b, c);
__jhash_final(a, b, c);
return c;
}
static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval)
static inline u32 jhash_2words(u32 a, u32 b, u32 initval)
{
return jhash_3words(a, b, 0, initval);
return jhash_3words(0, a, b, initval);
}
static inline __u32 jhash_1word(__u32 a, __u32 initval)
static inline u32 jhash_1word(u32 a, u32 initval)
{
return jhash_3words(a, 0, 0, initval);
return jhash_3words(0, 0, a, initval);
}
#endif /* _LINUX_IPSET_JHASH_H */
#endif /* _LINUX_JHASH_H */

16
extensions/ipset/ip_set_macipmap.c
View File

@@ -22,7 +22,7 @@
#include "ip_set_macipmap.h"
static int
macipmap_utest(struct ip_set *set, const void *data, size_t size,
macipmap_utest(struct ip_set *set, const void *data, u_int32_t size,
ip_set_ip_t *hash_ip)
{
const struct ip_set_macipmap *map = set->data;
@@ -35,8 +35,7 @@ macipmap_utest(struct ip_set *set, const void *data, size_t size,
*hash_ip = req->ip;
DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
set->name, HIPQUAD(req->ip), HIPQUAD(*hash_ip));
if (test_bit(IPSET_MACIP_ISSET,
(void *) &table[req->ip - map->first_ip].flags)) {
if (table[req->ip - map->first_ip].match) {
return (memcmp(req->ethernet,
&table[req->ip - map->first_ip].ethernet,
ETH_ALEN) == 0);
@@ -64,8 +63,7 @@ macipmap_ktest(struct ip_set *set,
*hash_ip = ip;
DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
set->name, HIPQUAD(ip), HIPQUAD(*hash_ip));
if (test_bit(IPSET_MACIP_ISSET,
(void *) &table[ip - map->first_ip].flags)) {
if (table[ip - map->first_ip].match) {
/* Is mac pointer valid?
* If so, compare... */
return (skb_mac_header(skb) >= skb->head
@@ -88,13 +86,13 @@ macipmap_add(struct ip_set *set, ip_set_ip_t *hash_ip,
if (ip < map->first_ip || ip > map->last_ip)
return -ERANGE;
if (test_and_set_bit(IPSET_MACIP_ISSET,
(void *) &table[ip - map->first_ip].flags))
if (table[ip - map->first_ip].match)
return -EEXIST;
*hash_ip = ip;
DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
memcpy(&table[ip - map->first_ip].ethernet, ethernet, ETH_ALEN);
table[ip - map->first_ip].match = IPSET_MACIP_ISSET;
return 0;
}
@@ -114,11 +112,11 @@ macipmap_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
if (ip < map->first_ip || ip > map->last_ip)
return -ERANGE;
if (!test_and_clear_bit(IPSET_MACIP_ISSET,
(void *)&table[ip - map->first_ip].flags))
if (!table[ip - map->first_ip].match)
return -EEXIST;
*hash_ip = ip;
table[ip - map->first_ip].match = 0;
DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
return 0;
}

4
extensions/ipset/ip_set_macipmap.h
View File

@@ -17,7 +17,7 @@ struct ip_set_macipmap {
ip_set_ip_t first_ip; /* host byte order, included in range */
ip_set_ip_t last_ip; /* host byte order, included in range */
u_int32_t flags;
size_t size; /* size of the ipmap proper */
u_int32_t size; /* size of the ipmap proper */
};
struct ip_set_req_macipmap_create {
@@ -32,7 +32,7 @@ struct ip_set_req_macipmap {
};
struct ip_set_macip {
unsigned short flags;
unsigned short match;
unsigned char ethernet[ETH_ALEN];
};

4
extensions/ipset/ip_set_malloc.h
View File

@@ -40,7 +40,7 @@ struct harray {
};
static inline void *
__harray_malloc(size_t hashsize, size_t typesize, int flags)
__harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
{
struct harray *harray;
size_t max_elements, size, i, j;
@@ -88,7 +88,7 @@ __harray_malloc(size_t hashsize, size_t typesize, int flags)
}
static inline void *
harray_malloc(size_t hashsize, size_t typesize, int flags)
harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
{
void *harray;

19
extensions/ipset/ip_set_nethash.c
View File

@@ -11,7 +11,7 @@
#include <linux/moduleparam.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#include <linux/jhash.h>
#include "ip_set_jhash.h"
#include <linux/errno.h>
#include <asm/uaccess.h>
#include <asm/bitops.h>
@@ -44,6 +44,7 @@ nethash_id_cidr(const struct ip_set_nethash *map,
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
if (*elem == *hash_ip)
return id;
/* No shortcut - there can be deleted entries. */
}
return UINT_MAX;
}
@@ -79,7 +80,7 @@ nethash_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
}
static int
nethash_utest(struct ip_set *set, const void *data, size_t size,
nethash_utest(struct ip_set *set, const void *data, u_int32_t size,
ip_set_ip_t *hash_ip)
{
const struct ip_set_req_nethash *req = data;
@@ -99,17 +100,21 @@ __nethash_add(struct ip_set_nethash *map, ip_set_ip_t *ip)
{
__u32 probe;
u_int16_t i;
ip_set_ip_t *elem;
ip_set_ip_t *elem, *slot = NULL;
for (i = 0; i < map->probes; i++) {
probe = jhash_ip(map, i, *ip) % map->hashsize;
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
if (*elem == *ip)
return -EEXIST;
if (!*elem) {
*elem = *ip;
return 0;
}
if (!(slot || *elem))
slot = elem;
/* There can be deleted entries, must check all slots */
}
if (slot) {
*slot = *ip;
map->elements++;
return 0;
}
/* Trigger rehashing */
return -EAGAIN;

2
extensions/ipset/ip_set_portmap.h
View File

@@ -10,7 +10,7 @@ struct ip_set_portmap {
void *members; /* the portmap proper */
ip_set_ip_t first_ip; /* host byte order, included in range */
ip_set_ip_t last_ip; /* host byte order, included in range */
size_t size; /* size of the ipmap proper */
u_int32_t size; /* size of the ipmap proper */
};
struct ip_set_req_portmap_create {

20
extensions/ipset/ip_set_setlist.c
View File

@@ -21,14 +21,14 @@
* after ==> ref, index
*/
static inline bool
static inline int
next_index_eq(const struct ip_set_setlist *map, int i, ip_set_id_t index)
{
return i < map->size && map->index[i] == index;
}
static int
setlist_utest(struct ip_set *set, const void *data, size_t size,
setlist_utest(struct ip_set *set, const void *data, u_int32_t size,
ip_set_ip_t *hash_ip)
{
const struct ip_set_setlist *map = set->data;
@@ -38,17 +38,15 @@ setlist_utest(struct ip_set *set, const void *data, size_t size,
struct ip_set *s;
if (req->before && req->ref[0] == '\0')
return -EINVAL;
return 0;
index = __ip_set_get_byname(req->name, &s);
if (index == IP_SET_INVALID_ID)
return -EEXIST;
return 0;
if (req->ref[0] != '\0') {
ref = __ip_set_get_byname(req->ref, &s);
if (ref == IP_SET_INVALID_ID) {
res = -EEXIST;
if (ref == IP_SET_INVALID_ID)
goto finish;
}
}
for (i = 0; i < map->size
&& map->index[i] != IP_SET_INVALID_ID; i++) {
@@ -109,7 +107,7 @@ insert_setlist(struct ip_set_setlist *map, int i, ip_set_id_t index)
}
static int
setlist_uadd(struct ip_set *set, const void *data, size_t size,
setlist_uadd(struct ip_set *set, const void *data, u_int32_t size,
ip_set_ip_t *hash_ip)
{
struct ip_set_setlist *map = set->data;
@@ -172,7 +170,7 @@ setlist_kadd(struct ip_set *set,
return res;
}
static inline bool
static inline int
unshift_setlist(struct ip_set_setlist *map, int i)
{
int j;
@@ -184,7 +182,7 @@ unshift_setlist(struct ip_set_setlist *map, int i)
}
static int
setlist_udel(struct ip_set *set, const void *data, size_t size,
setlist_udel(struct ip_set *set, const void *data, u_int32_t size,
ip_set_ip_t *hash_ip)
{
struct ip_set_setlist *map = set->data;
@@ -251,7 +249,7 @@ setlist_kdel(struct ip_set *set,
}
static int
setlist_create(struct ip_set *set, const void *data, size_t size)
setlist_create(struct ip_set *set, const void *data, u_int32_t size)
{
struct ip_set_setlist *map;
const struct ip_set_req_setlist_create *req = data;

9
extensions/ipset/ipset.8
View File

@@ -50,6 +50,9 @@ IP set bindings pointing to sets and iptables matches and targets
referring to sets creates references, which protects the given sets in
the kernel. A set cannot be removed (destroyed) while there is a single
reference pointing to it.
.P
.B
Please note, binding sets is a deprecated feature and will be removed in a later release. Switch to the multidata type of sets from using bindings.
.SH OPTIONS
The options that are recognized by
.B ipset
@@ -602,8 +605,4 @@ Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
.P
Sven Wegener wrote the iptreemap type.
.SH LAST REMARK
.BR "I stand on the shoulder of giants."
.\" .. and did I mention that we are incredibly cool people?
.\" .. sexy, too ..
.\" .. witty, charming, powerful ..
.\" .. and most of all, modest ..
.BR "I stand on the shoulders of giants."

9
extensions/ipset/ipset.c
View File

@@ -30,7 +30,7 @@
#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
#endif
#define IPSET_VERSION "2.4.5"
#define IPSET_VERSION "3.2"
char program_name[] = "ipset";
char program_version[] = IPSET_VERSION;
@@ -629,7 +629,8 @@ void parse_ip(const char *str, ip_set_ip_t * ip)
"host/network `%s' resolves to serveral ip-addresses. "
"Please specify one.", str);
*ip = ntohl(((struct in_addr *) host->h_addr_list[0])->s_addr);
memcpy(&addr, host->h_addr_list[0], sizeof(struct in_addr));
*ip = ntohl(addr.s_addr);
return;
}
@@ -1579,7 +1580,7 @@ static int set_adtip(struct set *set, const char *adt,
/* Alloc memory for the data to send */
size = sizeof(struct ip_set_req_adt) + set->settype->adt_size ;
DP("alloc size %i", size);
DP("alloc size %d", size);
data = ipset_malloc(size);
/* Fill out the request */
@@ -1665,7 +1666,7 @@ static int set_bind(struct set *set, const char *adt,
size += IP_SET_MAXNAMELEN;
else if (!(op == IP_SET_OP_UNBIND_SET && set == NULL))
size += set->settype->adt_size;
DP("alloc size %i", size);
DP("alloc size %d", size);
data = ipset_malloc(size);
/* Fill out the request */

23
extensions/ipset/ipset.h
View File

@@ -95,7 +95,7 @@ struct settype {
*/
/* Size of create data. Will be sent to kernel */
size_t create_size;
u_int32_t create_size;
/* Initialize the create. */
void (*create_init) (void *data);
@@ -115,7 +115,7 @@ struct settype {
*/
/* Size of data. Will be sent to kernel */
size_t adt_size;
u_int32_t adt_size;
/* Function which parses command options */
ip_set_ip_t (*adt_parser) (int cmd, const char *optarg, void *data);
@@ -125,7 +125,7 @@ struct settype {
*/
/* Size of header. */
size_t header_size;
u_int32_t header_size;
/* Initialize the type-header */
void (*initheader) (struct set *set, const void *data);
@@ -134,16 +134,16 @@ struct settype {
void (*printheader) (struct set *set, unsigned options);
/* Pretty print all IPs */
void (*printips) (struct set *set, void *data, size_t len, unsigned options);
void (*printips) (struct set *set, void *data, u_int32_t len, unsigned options);
/* Pretty print all IPs sorted */
void (*printips_sorted) (struct set *set, void *data, size_t len, unsigned options);
void (*printips_sorted) (struct set *set, void *data, u_int32_t len, unsigned options);
/* Print save arguments for creating the set */
void (*saveheader) (struct set *set, unsigned options);
/* Print save for all IPs */
void (*saveips) (struct set *set, void *data, size_t len, unsigned options);
void (*saveips) (struct set *set, void *data, u_int32_t len, unsigned options);
/* Conver a single IP (binding) to string */
char * (*bindip_tostring)(struct set *set, ip_set_ip_t ip, unsigned options);
@@ -189,10 +189,13 @@ extern struct set *set_find_byid(ip_set_id_t id);
extern unsigned warn_once;
#define BITSPERBYTE (8*sizeof(char))
#define ID2BYTE(id) ((id)/BITSPERBYTE)
#define ID2MASK(id) (1 << ((id)%BITSPERBYTE))
#define test_bit(id, heap) ((((char *)(heap))[ID2BYTE(id)] & ID2MASK(id)) != 0)
#define BITS_PER_LONG (8*sizeof(unsigned long))
#define BIT_WORD(nr) ((nr) / BITS_PER_LONG)
static inline int test_bit(int nr, const unsigned long *addr)
{
return 1UL & (addr[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG-1)));
}
#define UNUSED __attribute__ ((unused))
#define CONSTRUCTOR(module) \

4
extensions/ipset/ipset_iphash.c
View File

@@ -192,7 +192,7 @@ printheader(struct set *set, unsigned options UNUSED)
}
static void
printips(struct set *set UNUSED, void *data, size_t len, unsigned options)
printips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
{
size_t offset = 0;
ip_set_ip_t *ip;
@@ -221,7 +221,7 @@ saveheader(struct set *set, unsigned options UNUSED)
/* Print save for an IP */
static void
saveips(struct set *set UNUSED, void *data, size_t len, unsigned options)
saveips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
{
size_t offset = 0;
ip_set_ip_t *ip;

8
extensions/ipset/ipset_ipmap.c
View File

@@ -225,12 +225,12 @@ initheader(struct set *set, const void *data)
mask = range_to_mask(header->from, header->to, &mask_bits);
netmask_bits = mask_to_bits(header->netmask);
DP("bits: %i %i", mask_bits, netmask_bits);
DP("bits: %d %d", mask_bits, netmask_bits);
map->hosts = 2 << (32 - netmask_bits - 1);
map->sizeid = 2 << (netmask_bits - mask_bits - 1);
}
DP("%i %i", map->hosts, map->sizeid );
DP("%d %d", map->hosts, map->sizeid );
}
static void
@@ -248,7 +248,7 @@ printheader(struct set *set, unsigned options)
static void
printips_sorted(struct set *set, void *data,
size_t len UNUSED, unsigned options)
u_int32_t len UNUSED, unsigned options)
{
struct ip_set_ipmap *mysetdata = set->settype->header;
ip_set_ip_t id;
@@ -279,7 +279,7 @@ saveheader(struct set *set, unsigned options)
}
static void
saveips(struct set *set, void *data, size_t len UNUSED, unsigned options)
saveips(struct set *set, void *data, u_int32_t len UNUSED, unsigned options)
{
struct ip_set_ipmap *mysetdata = set->settype->header;
ip_set_ip_t id;

4
extensions/ipset/ipset_ipporthash.c
View File

@@ -248,7 +248,7 @@ printheader(struct set *set, unsigned options)
}
static void
printips(struct set *set, void *data, size_t len, unsigned options)
printips(struct set *set, void *data, u_int32_t len, unsigned options)
{
struct ip_set_ipporthash *mysetdata = set->settype->header;
size_t offset = 0;
@@ -284,7 +284,7 @@ saveheader(struct set *set, unsigned options)
/* Print save for an IP */
static void
saveips(struct set *set, void *data, size_t len, unsigned options)
saveips(struct set *set, void *data, u_int32_t len, unsigned options)
{
struct ip_set_ipporthash *mysetdata = set->settype->header;
size_t offset = 0;

4
extensions/ipset/ipset_ipportiphash.c
View File

@@ -253,7 +253,7 @@ printheader(struct set *set, unsigned options)
}
static void
printips(struct set *set, void *data, size_t len, unsigned options)
printips(struct set *set, void *data, u_int32_t len, unsigned options)
{
struct ip_set_ipportiphash *mysetdata = set->settype->header;
size_t offset = 0;
@@ -292,7 +292,7 @@ saveheader(struct set *set, unsigned options)
/* Print save for an IP */
static void
saveips(struct set *set, void *data, size_t len, unsigned options)
saveips(struct set *set, void *data, u_int32_t len, unsigned options)
{
struct ip_set_ipportiphash *mysetdata = set->settype->header;
size_t offset = 0;

4
extensions/ipset/ipset_ipportnethash.c
View File

@@ -318,7 +318,7 @@ unpack_ip_tostring(ip_set_ip_t ip, unsigned options UNUSED)
}
static void
printips(struct set *set, void *data, size_t len, unsigned options)
printips(struct set *set, void *data, u_int32_t len, unsigned options)
{
struct ip_set_ipportnethash *mysetdata = set->settype->header;
size_t offset = 0;
@@ -357,7 +357,7 @@ saveheader(struct set *set, unsigned options)
/* Print save for an IP */
static void
saveips(struct set *set, void *data, size_t len, unsigned options)
saveips(struct set *set, void *data, u_int32_t len, unsigned options)
{
struct ip_set_ipportnethash *mysetdata = set->settype->header;
size_t offset = 0;

4
extensions/ipset/ipset_iptree.c
View File

@@ -123,7 +123,7 @@ printheader(struct set *set, unsigned options UNUSED)
}
static void
printips_sorted(struct set *set, void *data, size_t len, unsigned options)
printips_sorted(struct set *set, void *data, u_int32_t len, unsigned options)
{
struct ip_set_iptree *mysetdata = set->settype->header;
struct ip_set_req_iptree *req;
@@ -155,7 +155,7 @@ saveheader(struct set *set, unsigned options UNUSED)
}
static void
saveips(struct set *set, void *data, size_t len, unsigned options)
saveips(struct set *set, void *data, u_int32_t len, unsigned options)
{
struct ip_set_iptree *mysetdata = set->settype->header;
struct ip_set_req_iptree *req;

4
extensions/ipset/ipset_iptreemap.c
View File

@@ -115,7 +115,7 @@ printheader(struct set *set, unsigned int options UNUSED)
static void
printips_sorted(struct set *set UNUSED, void *data,
size_t len, unsigned int options)
u_int32_t len, unsigned int options)
{
struct ip_set_req_iptreemap *req;
size_t offset = 0;
@@ -147,7 +147,7 @@ saveheader(struct set *set, unsigned int options UNUSED)
static void
saveips(struct set *set UNUSED, void *data,
size_t len, unsigned int options)
u_int32_t len, unsigned int options)
{
struct ip_set_req_iptreemap *req;
size_t offset = 0;

10
extensions/ipset/ipset_macipmap.c
View File

@@ -245,15 +245,14 @@ print_mac(unsigned char macaddress[ETH_ALEN])
static void
printips_sorted(struct set *set, void *data,
size_t len UNUSED, unsigned options)
u_int32_t len UNUSED, unsigned options)
{
struct ip_set_macipmap *mysetdata = set->settype->header;
struct ip_set_macip *table = data;
u_int32_t addr = mysetdata->first_ip;
while (addr <= mysetdata->last_ip) {
if (test_bit(IPSET_MACIP_ISSET,
(void *)&table[addr - mysetdata->first_ip].flags)) {
if (table[addr - mysetdata->first_ip].match) {
printf("%s,", ip_tostring(addr, options));
print_mac(table[addr - mysetdata->first_ip].
ethernet);
@@ -280,15 +279,14 @@ saveheader(struct set *set, unsigned options)
static void
saveips(struct set *set, void *data,
size_t len UNUSED, unsigned options)
u_int32_t len UNUSED, unsigned options)
{
struct ip_set_macipmap *mysetdata = set->settype->header;
struct ip_set_macip *table = data;
u_int32_t addr = mysetdata->first_ip;
while (addr <= mysetdata->last_ip) {
if (test_bit(IPSET_MACIP_ISSET,
(void *)&table[addr - mysetdata->first_ip].flags)) {
if (table[addr - mysetdata->first_ip].match) {
printf("-A %s %s,",
set->name, ip_tostring(addr, options));
print_mac(table[addr - mysetdata->first_ip].

4
extensions/ipset/ipset_nethash.c
View File

@@ -224,7 +224,7 @@ unpack_ip_tostring(ip_set_ip_t ip, unsigned options UNUSED)
}
static void
printips(struct set *set UNUSED, void *data, size_t len, unsigned options)
printips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
{
size_t offset = 0;
ip_set_ip_t *ip;
@@ -249,7 +249,7 @@ saveheader(struct set *set, unsigned options UNUSED)
/* Print save for an IP */
static void
saveips(struct set *set UNUSED, void *data, size_t len, unsigned options)
saveips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
{
size_t offset = 0;
ip_set_ip_t *ip;

4
extensions/ipset/ipset_portmap.c
View File

@@ -149,7 +149,7 @@ printheader(struct set *set, unsigned options)
static void
printports_sorted(struct set *set, void *data,
size_t len UNUSED, unsigned options)
u_int32_t len UNUSED, unsigned options)
{
struct ip_set_portmap *mysetdata = set->settype->header;
u_int32_t addr = mysetdata->first_ip;
@@ -184,7 +184,7 @@ saveheader(struct set *set, unsigned options)
static void
saveports(struct set *set, void *data,
size_t len UNUSED, unsigned options)
u_int32_t len UNUSED, unsigned options)
{
struct ip_set_portmap *mysetdata = set->settype->header;
u_int32_t addr = mysetdata->first_ip;

4
extensions/ipset/ipset_setlist.c
View File

@@ -134,7 +134,7 @@ printheader(struct set *set, unsigned options UNUSED)
static void
printips_sorted(struct set *set, void *data,
size_t len UNUSED, unsigned options UNUSED)
u_int32_t len UNUSED, unsigned options UNUSED)
{
struct ip_set_setlist *mysetdata = set->settype->header;
int i;
@@ -162,7 +162,7 @@ saveheader(struct set *set, unsigned options UNUSED)
static void
saveips(struct set *set, void *data,
size_t len UNUSED, unsigned options UNUSED)
u_int32_t len UNUSED, unsigned options UNUSED)
{
struct ip_set_setlist *mysetdata = set->settype->header;
int i;

109
extensions/iptable_rawpost.c Normal file
View File

@@ -0,0 +1,109 @@
/*
* rawpost table for ip_tables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/version.h>
#include <net/ip.h>
#include "compat_xtables.h"
#include "compat_rawpost.h"
enum {
RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
};
static struct {
struct ipt_replace repl;
struct ipt_standard entries[1];
struct ipt_error term;
} rawpost4_initial __initdata = {
.repl = {
.name = "rawpost",
.valid_hooks = RAWPOST_VALID_HOOKS,
.num_entries = 2,
.size = sizeof(struct ipt_standard) +
sizeof(struct ipt_error),
.hook_entry = {
[NF_INET_POST_ROUTING] = 0,
},
.underflow = {
[NF_INET_POST_ROUTING] = 0,
},
},
.entries = {
IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
},
.term = IPT_ERROR_INIT, /* ERROR */
};
static struct xt_table *rawpost4_ptable;
static struct xt_table rawpost4_itable = {
.name = "rawpost",
.af = NFPROTO_IPV4,
.valid_hooks = RAWPOST_VALID_HOOKS,
.me = THIS_MODULE,
};
static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
#else
return ipt_do_table(skb, hook, in, out, rawpost4_ptable, NULL);
#endif
}
static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
.hook = rawpost4_hook_fn,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_LAST,
.owner = THIS_MODULE,
};
static int __init rawpost4_table_init(void)
{
int ret;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
rwlock_init(&rawpost4_itable.lock);
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
&rawpost4_initial.repl);
if (IS_ERR(rawpost4_ptable))
return PTR_ERR(rawpost4_ptable);
#else
ret = ipt_register_table(&rawpost4_itable, &rawpost4_initial.repl);
if (ret < 0)
return ret;
rawpost4_ptable = &rawpost4_itable;
#endif
ret = nf_register_hook(&rawpost4_hook_ops);
if (ret < 0)
goto out;
return ret;
out:
ipt_unregister_table(rawpost4_ptable);
return ret;
}
static void __exit rawpost4_table_exit(void)
{
nf_unregister_hook(&rawpost4_hook_ops);
ipt_unregister_table(rawpost4_ptable);
}
module_init(rawpost4_table_init);
module_exit(rawpost4_table_exit);
MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");

168
extensions/libxt_ACCOUNT.c Normal file
View File

@@ -0,0 +1,168 @@
/* Shared library add-on to iptables to add ACCOUNT(ing) support.
Author: Intra2net AG <opensource@intra2net.com>
*/
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <syslog.h>
#include <getopt.h>
#include <stddef.h>
#include <xtables.h>
#include "xt_ACCOUNT.h"
static struct option account_tg_opts[] = {
{ .name = "addr", .has_arg = 1, .flag = 0, .val = 'a' },
{ .name = "tname", .has_arg = 1, .flag = 0, .val = 't' },
{ .name = 0 }
};
/* Function which prints out usage message. */
static void account_tg_help(void)
{
printf(
"ACCOUNT target options:\n"
" --%s ip/netmask\t\tBase network IP and netmask used for this table\n"
" --%s name\t\t\tTable name for the userspace library\n",
account_tg_opts[0].name, account_tg_opts[1].name);
}
/* Initialize the target. */
static void
account_tg_init(struct xt_entry_target *t)
{
struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)t->data;
accountinfo->table_nr = -1;
}
#define IPT_ACCOUNT_OPT_ADDR 0x01
#define IPT_ACCOUNT_OPT_TABLE 0x02
/* Function which parses command options; returns true if it
ate an option */
static int account_tg_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)(*target)->data;
struct in_addr *addrs = NULL, mask;
unsigned int naddrs = 0;
switch (c) {
case 'a':
if (*flags & IPT_ACCOUNT_OPT_ADDR)
xtables_error(PARAMETER_PROBLEM, "Can't specify --%s twice",
account_tg_opts[0].name);
if (xtables_check_inverse(optarg, &invert, NULL, 0))
xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --%s",
account_tg_opts[0].name);
xtables_ipparse_any(optarg, &addrs, &mask, &naddrs);
if (naddrs > 1)
xtables_error(PARAMETER_PROBLEM, "multiple IP addresses not allowed");
accountinfo->net_ip = addrs[0].s_addr;
accountinfo->net_mask = mask.s_addr;
*flags |= IPT_ACCOUNT_OPT_ADDR;
break;
case 't':
if (*flags & IPT_ACCOUNT_OPT_TABLE)
xtables_error(PARAMETER_PROBLEM,
"Can't specify --%s twice",
account_tg_opts[1].name);
if (xtables_check_inverse(optarg, &invert, NULL, 0))
xtables_error(PARAMETER_PROBLEM,
"Unexpected `!' after --%s",
account_tg_opts[1].name);
if (strlen(optarg) > ACCOUNT_TABLE_NAME_LEN - 1)
xtables_error(PARAMETER_PROBLEM,
"Maximum table name length %u for --%s",
ACCOUNT_TABLE_NAME_LEN - 1,
account_tg_opts[1].name);
strcpy(accountinfo->table_name, optarg);
*flags |= IPT_ACCOUNT_OPT_TABLE;
break;
default:
return 0;
}
return 1;
}
static void account_tg_check(unsigned int flags)
{
if (!(flags & IPT_ACCOUNT_OPT_ADDR) || !(flags & IPT_ACCOUNT_OPT_TABLE))
xtables_error(PARAMETER_PROBLEM, "ACCOUNT: needs --%s and --%s",
account_tg_opts[0].name, account_tg_opts[1].name);
}
static void account_tg_print_it(const void *ip,
const struct xt_entry_target *target, char do_prefix)
{
const struct ipt_acc_info *accountinfo
= (const struct ipt_acc_info *)target->data;
struct in_addr a;
if (!do_prefix)
printf("ACCOUNT ");
// Network information
if (do_prefix)
printf("--");
printf("%s ", account_tg_opts[0].name);
a.s_addr = accountinfo->net_ip;
printf("%s", xtables_ipaddr_to_numeric(&a));
a.s_addr = accountinfo->net_mask;
printf("%s", xtables_ipmask_to_numeric(&a));
printf(" ");
if (do_prefix)
printf("--");
printf("%s %s", account_tg_opts[1].name, accountinfo->table_name);
}
static void
account_tg_print(const void *ip,
const struct xt_entry_target *target,
int numeric)
{
account_tg_print_it(ip, target, 0);
}
/* Saves the union ipt_targinfo in parsable form to stdout. */
static void
account_tg_save(const void *ip, const struct xt_entry_target *target)
{
account_tg_print_it(ip, target, 1);
}
static struct xtables_target account_tg_reg = {
.name = "ACCOUNT",
.family = AF_INET,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct ipt_acc_info)),
.userspacesize = offsetof(struct ipt_acc_info, table_nr),
.help = account_tg_help,
.init = account_tg_init,
.parse = account_tg_parse,
.final_check = account_tg_check,
.print = account_tg_print,
.save = account_tg_save,
.extra_opts = account_tg_opts,
};
static __attribute__((constructor)) void account_tg_ldr(void)
{
xtables_register_target(&account_tg_reg);
}

72
extensions/libxt_ACCOUNT.man Normal file
View File

@@ -0,0 +1,72 @@
The ACCOUNT target is a high performance accounting system for large
local networks. It allows per-IP accounting in whole prefixes of IPv4
addresses with size of up to /8 without the need to add individual
accouting rule for each IP address.
.PP
The ACCOUNT is designed to be queried for data every second or at
least every ten seconds. It is written as kernel module to handle high
bandwidths without packet loss.
.PP
The largest possible subnet size is 24 bit, meaning for example 10.0.0.0/8
network. ACCOUNT uses fixed internal data structures
which speeds up the processing of each packet. Furthermore,
accounting data for one complete 192.168.1.X/24 network takes 4 KB of
memory. Memory for 16 or 24 bit networks is only allocated when
needed.
.PP
To optimize the kernel<->userspace data transfer a bit more, the
kernel module only transfers information about IPs, where the src/dst
packet counter is not 0. This saves precious kernel time.
.PP
There is no /proc interface as it would be too slow for continuous access.
The read-and-flush query operation is the fastest, as no internal data
snapshot needs to be created&copied for all data. Use the "read"
operation without flush only for debugging purposes!
.PP
Usage:
.PP
ACCOUNT takes two mandatory parameters:
.TP
\fB\-\-addr\fR \fInetwork\fP\fB/\fP\fInetmask\fR
where \fInetwork\fP\fB/\fP\fInetmask\fP is the subnet to account for, in CIDR syntax
.TP
\fB\-\-tname\fP \fINAME\fP
where \fINAME\fP is the name of the table where the accounting information
should be stored
.PP
The subnet 0.0.0.0/0 is a special case: all data are then stored in the src_bytes
and src_packets structure of slot "0". This is useful if you want
to account the overall traffic to/from your internet provider.
.PP
The data can be queried using the userspace libxt_ACCOUNT_cl library,
and by the reference implementation to show usage of this library,
the \fBiptaccount\fP(8) tool, which features following options:
.PP
[\fB\-u\fP] show kernel handle usage
.PP
[\fB\-h\fP] free all kernel handles (experts only!)
.PP
[\fB\-a\fP] list all table names
.PP
[\fB\-l\fP \fIname\fP] show data in table \fIname\fP
.PP
[\fB\-f\fP] flush data after showing
.PP
[\fB\-c\fP] loop every second (abort with CTRL+C)
.PP
Here is an example of use:
.PP
iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing
iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales
.PP
This creates two tables called "all_outgoing" and "sales" which can be
queried using the userspace library/iptaccount tool.
.PP
Note that this target is non-terminating \(em the packet destined to it
will continue traversing the chain in which it has been used.
.PP
Also note that once a table has been defined for specific CIDR address/netmask
block, it can be referenced multiple times using \-j ACCOUNT, provided
that both the original table name and address/netmask block are specified.
.PP
For more information go to http://www.intra2net.com/en/developer/ipt_ACCOUNT/

2
extensions/libxt_CHAOS.c
View File

@@ -58,7 +58,7 @@ static void chaos_tg_check(unsigned int flags)
{
if (flags == (F_DELUDE | F_TARPIT))
/* If flags == 0x03, both were specified, which should not be. */
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"CHAOS: only one of --tarpit or --delude "
"may be specified");
}

2
extensions/libxt_CHAOS.man
View File

@@ -18,4 +18,4 @@ The randomness factor of not replying vs. replying can be set during load-time
of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
.PP
See http://jengelh.medozas.de/projects/chaostables/ for more information
about CHAOS, DELUDE and portscan.
about CHAOS, DELUDE and lscan.

101
extensions/libxt_DHCPADDR.c
View File

@@ -1,101 +0,0 @@
/*
* "DHCPADDR" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <getopt.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/ether.h>
#include <xtables.h>
#include "xt_DHCPADDR.h"
#include "mac.c"
enum {
F_MAC = 1 << 0,
};
static const struct option dhcpaddr_tg_opts[] = {
{.name = "set-mac", .has_arg = true, .val = 'M'},
{NULL},
};
static void dhcpaddr_tg_help(void)
{
printf(
"DHCPADDDR target options:\n"
" --set-mac lladdr[/mask] Set MAC address in DHCP Client Host field\n"
);
}
static int dhcpaddr_tg_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_target **target)
{
struct dhcpaddr_info *info = (void *)(*target)->data;
switch (c) {
case 'M':
param_act(P_ONLY_ONCE, "DHCPADDR", "--set-mac", *flags & F_MAC);
param_act(P_NO_INVERT, "DHCPADDR", "--set-mac", invert);
if (!mac_parse(optarg, info->addr, &info->mask))
param_act(P_BAD_VALUE, "DHCPADDR", "--set-mac", optarg);
*flags |= F_MAC;
return true;
}
return false;
}
static void dhcpaddr_tg_check(unsigned int flags)
{
if (flags == 0)
exit_error(PARAMETER_PROBLEM, "DHCPADDR target: "
"--set-mac parameter required");
}
static void dhcpaddr_tg_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
const struct dhcpaddr_info *info = (void *)target->data;
printf("DHCPADDR %s" DH_MAC_FMT "/%u ",
info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpaddr_tg_save(const void *ip,
const struct xt_entry_target *target)
{
const struct dhcpaddr_info *info = (const void *)target->data;
if (info->invert)
printf("! ");
printf("--set-mac " DH_MAC_FMT "/%u ",
DH_MAC_HEX(info->addr), info->mask);
}
static struct xtables_target dhcpaddr_tg_reg = {
.version = XTABLES_VERSION,
.name = "DHCPADDR",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.help = dhcpaddr_tg_help,
.parse = dhcpaddr_tg_parse,
.final_check = dhcpaddr_tg_check,
.print = dhcpaddr_tg_print,
.save = dhcpaddr_tg_save,
.extra_opts = dhcpaddr_tg_opts,
};
static __attribute__((constructor)) void dhcpaddr_tg_ldr(void)
{
xtables_register_target(&dhcpaddr_tg_reg);
}

101
extensions/libxt_DHCPMAC.c Normal file
View File

@@ -0,0 +1,101 @@
/*
* "DHCPMAC" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <getopt.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/ether.h>
#include <xtables.h>
#include "xt_DHCPMAC.h"
#include "mac.c"
enum {
F_MAC = 1 << 0,
};
static const struct option dhcpmac_tg_opts[] = {
{.name = "set-mac", .has_arg = true, .val = 'M'},
{NULL},
};
static void dhcpmac_tg_help(void)
{
printf(
"DHCPMAC target options:\n"
" --set-mac lladdr[/mask] Set MAC address in DHCP Client Host field\n"
);
}
static int dhcpmac_tg_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_target **target)
{
struct dhcpmac_info *info = (void *)(*target)->data;
switch (c) {
case 'M':
xtables_param_act(XTF_ONLY_ONCE, "DHCPMAC", "--set-mac", *flags & F_MAC);
xtables_param_act(XTF_NO_INVERT, "DHCPMAC", "--set-mac", invert);
if (!mac_parse(optarg, info->addr, &info->mask))
xtables_param_act(XTF_BAD_VALUE, "DHCPMAC", "--set-mac", optarg);
*flags |= F_MAC;
return true;
}
return false;
}
static void dhcpmac_tg_check(unsigned int flags)
{
if (flags == 0)
xtables_error(PARAMETER_PROBLEM, "DHCPMAC target: "
"--set-mac parameter required");
}
static void dhcpmac_tg_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
const struct dhcpmac_info *info = (void *)target->data;
printf("DHCPMAC %s" DH_MAC_FMT "/%u ",
info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpmac_tg_save(const void *ip,
const struct xt_entry_target *target)
{
const struct dhcpmac_info *info = (const void *)target->data;
if (info->invert)
printf("! ");
printf("--set-mac " DH_MAC_FMT "/%u ",
DH_MAC_HEX(info->addr), info->mask);
}
static struct xtables_target dhcpmac_tg_reg = {
.version = XTABLES_VERSION,
.name = "DHCPMAC",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct dhcpmac_info)),
.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.help = dhcpmac_tg_help,
.parse = dhcpmac_tg_parse,
.final_check = dhcpmac_tg_check,
.print = dhcpmac_tg_print,
.save = dhcpmac_tg_save,
.extra_opts = dhcpmac_tg_opts,
};
static __attribute__((constructor)) void dhcpmac_tg_ldr(void)
{
xtables_register_target(&dhcpmac_tg_reg);
}

6
extensions/libxt_DHCPADDR.man → extensions/libxt_DHCPMAC.man
View File

@@ -1,4 +1,4 @@
In conjunction with ebtables, DHCPADDR can be used to completely change all MAC
In conjunction with ebtables, DHCPMAC can be used to completely change all MAC
addresses from and to a VMware-based virtual machine. This is needed because
VMware does not allow to set a non-VMware MAC address before an operating
system is booted (and the MAC be changed with `ip link set eth0 address
@@ -13,11 +13,11 @@ EXAMPLE, replacing all addresses from one of VMware's assigned vendor IDs
(00:50:56) addresses with something else:
.PP
iptables -t mangle -A FORWARD -p udp --dport 67 -m physdev --physdev-in vmnet1
-m dhcpaddr --mac 00:50:56:00:00:00/24 -j DHCPADDR --set-mac
-m dhcpmac --mac 00:50:56:00:00:00/24 -j DHCPMAC --set-mac
ab:cd:ef:00:00:00/24
.PP
iptables -t mangle -A FORWARD -p udp --dport 68 -m physdev --physdev-out vmnet1
-m dhcpaddr --mac ab:cd:ef:00:00:00/24 -j DHCPADDR --set-mac
-m dhcpmac --mac ab:cd:ef:00:00:00/24 -j DHCPMAC --set-mac
00:50:56:00:00:00/24
.PP
(This assumes there is a bridge interface that has vmnet1 as a port. You will

70
extensions/libxt_IPMARK.c
View File

@@ -58,45 +58,46 @@ static int ipmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
switch (c) {
case '1':
param_act(P_ONLY_ONCE, "IPMARK", "addr", *flags & FL_ADDR_USED);
param_act(P_NO_INVERT, "IPMARK", "addr", invert);
xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "addr", *flags & FL_ADDR_USED);
xtables_param_act(XTF_NO_INVERT, "IPMARK", "addr", invert);
if (strcmp(optarg, "src") == 0)
info->selector = XT_IPMARK_SRC;
else if (strcmp(optarg, "dst") == 0)
info->selector = XT_IPMARK_DST;
else
exit_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
xtables_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
*flags |= FL_ADDR_USED;
return true;
case '2':
param_act(P_ONLY_ONCE, "IPMARK", "and-mask", *flags & FL_AND_MASK_USED);
param_act(P_NO_INVERT, "IPMARK", "and-mask", invert);
if (!strtonum(optarg, NULL, &n, 0, ~0U))
param_act(P_BAD_VALUE, "IPMARK", "and-mask", optarg);
xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "and-mask", *flags & FL_AND_MASK_USED);
xtables_param_act(XTF_NO_INVERT, "IPMARK", "and-mask", invert);
if (!xtables_strtoui(optarg, NULL, &n, 0, ~0U))
xtables_param_act(XTF_BAD_VALUE, "IPMARK", "and-mask", optarg);
info->andmask = n;
*flags |= FL_AND_MASK_USED;
return true;
case '3':
param_act(P_ONLY_ONCE, "IPMARK", "or-mask", *flags & FL_OR_MASK_USED);
param_act(P_NO_INVERT, "IPMARK", "or-mask", invert);
if (!strtonum(optarg, NULL, &n, 0, ~0U))
param_act(P_BAD_VALUE, "IPMARK", "or-mask", optarg);
xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "or-mask", *flags & FL_OR_MASK_USED);
xtables_param_act(XTF_NO_INVERT, "IPMARK", "or-mask", invert);
if (!xtables_strtoui(optarg, NULL, &n, 0, ~0U))
xtables_param_act(XTF_BAD_VALUE, "IPMARK", "or-mask", optarg);
info->ormask = n;
*flags |= FL_OR_MASK_USED;
return true;
case '4':
param_act(P_ONLY_ONCE, "IPMARK", "--shift", *flags & FL_SHIFT);
param_act(P_NO_INVERT, "IPMARK", "--shift", invert);
xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "--shift", *flags & FL_SHIFT);
xtables_param_act(XTF_NO_INVERT, "IPMARK", "--shift", invert);
/*
* Anything >31 does not make sense for IPv4, but it still
* does the right thing.
*/
if (!strtonum(optarg, NULL, &n, 0, 128))
param_act(P_BAD_VALUE, "IPMARK", "--shift", optarg);
if (!xtables_strtoui(optarg, NULL, &n, 0, 128))
xtables_param_act(XTF_BAD_VALUE, "IPMARK", "--shift", optarg);
info->shift = n;
*flags |= FL_SHIFT;
return true;
}
@@ -106,7 +107,7 @@ static int ipmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
static void ipmark_tg_check(unsigned int flags)
{
if (!(flags & FL_ADDR_USED))
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"IPMARK target: Parameter --addr is required");
}
@@ -117,14 +118,16 @@ ipmark_tg_print(const void *entry, const struct xt_entry_target *target,
const struct xt_ipmark_tginfo *info = (const void *)target->data;
if (info->selector == XT_IPMARK_SRC)
printf("IPMARK src ip");
printf("IPMARK src ip ");
else
printf("IPMARK dst ip");
printf("IPMARK dst ip ");
if (info->shift != 0)
printf("shift %u ", (unsigned int)info->shift);
if (info->andmask != ~0U)
printf(" and 0x%x ", (unsigned int)info->andmask);
printf("and 0x%x ", (unsigned int)info->andmask);
if (info->ormask != 0)
printf(" or 0x%x ", (unsigned int)info->ormask);
printf("or 0x%x ", (unsigned int)info->ormask);
}
static void
@@ -137,33 +140,19 @@ ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
else
printf("--addr dst ");
if (info->shift != 0)
printf("--shift %u ", (unsigned int)info->shift);
if (info->andmask != ~0U)
printf("--and-mask 0x%x ", (unsigned int)info->andmask);
if (info->ormask != 0)
printf("--or-mask 0x%x ", (unsigned int)info->ormask);
}
static struct xtables_target ipmark_tg4_reg = {
static struct xtables_target ipmark_tg_reg = {
.version = XTABLES_VERSION,
.name = "IPMARK",
.family = PF_INET,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
.help = ipmark_tg_help,
.init = ipmark_tg_init,
.parse = ipmark_tg_parse,
.final_check = ipmark_tg_check,
.print = ipmark_tg_print,
.save = ipmark_tg_save,
.extra_opts = ipmark_tg_opts,
};
static struct xtables_target ipmark_tg6_reg = {
.version = XTABLES_VERSION,
.name = "IPMARK",
.family = PF_INET6,
.revision = 0,
.family = PF_UNSPEC,
.revision = 1,
.size = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
.help = ipmark_tg_help,
@@ -177,6 +166,5 @@ static struct xtables_target ipmark_tg6_reg = {
static __attribute__((constructor)) void ipmark_tg_ldr(void)
{
xtables_register_target(&ipmark_tg4_reg);
xtables_register_target(&ipmark_tg6_reg);
xtables_register_target(&ipmark_tg_reg);
}

16
extensions/libxt_LOGMARK.c
View File

@@ -51,23 +51,23 @@ logmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
switch (c) {
case 'l': /* --log-level */
param_act(P_ONLY_ONCE, "LOGMARK", "--log-level", *flags & F_LEVEL);
param_act(P_NO_INVERT, "LOGMARK", "--log-level", invert);
if (!strtonum(optarg, NULL, &x, 0, 8))
param_act(P_BAD_VALUE, "LOGMARK", "--log-level", optarg);
xtables_param_act(XTF_ONLY_ONCE, "LOGMARK", "--log-level", *flags & F_LEVEL);
xtables_param_act(XTF_NO_INVERT, "LOGMARK", "--log-level", invert);
if (!xtables_strtoui(optarg, NULL, &x, 0, 8))
xtables_param_act(XTF_BAD_VALUE, "LOGMARK", "--log-level", optarg);
info->level = x;
*flags |= F_LEVEL;
return true;
case 'p': /* --log-prefix */
param_act(P_ONLY_ONCE, "LOGMARK", "--log-prefix", *flags & F_PREFIX);
param_act(P_NO_INVERT, "LOGMARK", "--log-prefix", invert);
xtables_param_act(XTF_ONLY_ONCE, "LOGMARK", "--log-prefix", *flags & F_PREFIX);
xtables_param_act(XTF_NO_INVERT, "LOGMARK", "--log-prefix", invert);
if (strlen(optarg) > sizeof(info->prefix))
exit_error(PARAMETER_PROBLEM, "LOGMARK: Maximum "
xtables_error(PARAMETER_PROBLEM, "LOGMARK: Maximum "
"prefix length is %zu",
sizeof(info->prefix));
if (strchr(optarg, '\n'))
exit_error(PARAMETER_PROBLEM, "LOGMARK: Newlines not "
xtables_error(PARAMETER_PROBLEM, "LOGMARK: Newlines not "
"allowed in log prefix");
strncpy(info->prefix, optarg, sizeof(info->prefix));
*flags |= F_PREFIX;

187
extensions/libxt_RAWDNAT.c Normal file
View File

@@ -0,0 +1,187 @@
/*
* "RAWNAT" target extension for iptables
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <netinet/in.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_RAWNAT.h"
enum {
FLAGS_TO = 1 << 0,
};
static const struct option rawdnat_tg_opts[] = {
{.name = "to-destination", .has_arg = true, .val = 't'},
{},
};
static void rawdnat_tg_help(void)
{
printf(
"RAWDNAT target options:\n"
" --to-destination addr[/mask] Address or network to map to\n"
);
}
static int
rawdnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 32;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ipaddr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
memcpy(&info->addr.in, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static int
rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in6_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 128;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ip6addr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
memcpy(&info->addr.in6, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static void rawdnat_tg_check(unsigned int flags)
{
if (!(flags & FLAGS_TO))
xtables_error(PARAMETER_PROBLEM, "RAWDNAT: "
"\"--to-destination\" is required.");
}
static void
rawdnat_tg4_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 32)
printf("to-destination %s ",
xtables_ipaddr_to_anyname(&info->addr.in));
else
printf("to-destination %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
}
static void
rawdnat_tg6_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 128)
printf("to-destination %s ",
xtables_ip6addr_to_anyname(&info->addr.in6));
else
printf("to-destination %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
}
static void
rawdnat_tg4_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf("--to-destination %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in),
info->mask);
}
static void
rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf("--to-destination %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6),
info->mask);
}
static struct xtables_target rawdnat_tg4_reg = {
.version = XTABLES_VERSION,
.name = "RAWDNAT",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawdnat_tg_help,
.parse = rawdnat_tg4_parse,
.final_check = rawdnat_tg_check,
.print = rawdnat_tg4_print,
.save = rawdnat_tg4_save,
.extra_opts = rawdnat_tg_opts,
};
static struct xtables_target rawdnat_tg6_reg = {
.version = XTABLES_VERSION,
.name = "RAWDNAT",
.revision = 0,
.family = PF_INET6,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawdnat_tg_help,
.parse = rawdnat_tg6_parse,
.final_check = rawdnat_tg_check,
.print = rawdnat_tg6_print,
.save = rawdnat_tg6_save,
.extra_opts = rawdnat_tg_opts,
};
static void _init(void)
{
xtables_register_target(&rawdnat_tg4_reg);
xtables_register_target(&rawdnat_tg6_reg);
}

10
extensions/libxt_RAWDNAT.man Normal file
View File

@@ -0,0 +1,10 @@
The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
much like the \fBNETMAP\fR target.
.TP
\fB--to-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
Network address to map to. The resulting address will be constructed the
following way: All 'one' bits in the \fImask\fR are filled in from the new
\fIaddress\fR. All bits that are zero in the mask are filled in from the
original address.
.PP
See the \fBRAWSNAT\fR help entry for examples and constraints.

187
extensions/libxt_RAWSNAT.c Normal file
View File

@@ -0,0 +1,187 @@
/*
* "RAWNAT" target extension for iptables
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <netinet/in.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_RAWNAT.h"
enum {
FLAGS_TO = 1 << 0,
};
static const struct option rawsnat_tg_opts[] = {
{.name = "to-source", .has_arg = true, .val = 't'},
{},
};
static void rawsnat_tg_help(void)
{
printf(
"RAWSNAT target options:\n"
" --to-source addr[/mask] Address or network to map to\n"
);
}
static int
rawsnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 32;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ipaddr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
memcpy(&info->addr.in, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static int
rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in6_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 128;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ip6addr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
memcpy(&info->addr.in6, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static void rawsnat_tg_check(unsigned int flags)
{
if (!(flags & FLAGS_TO))
xtables_error(PARAMETER_PROBLEM, "RAWSNAT: "
"\"--to-source\" is required.");
}
static void
rawsnat_tg4_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 32)
printf("to-source %s ",
xtables_ipaddr_to_anyname(&info->addr.in));
else
printf("to-source %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
}
static void
rawsnat_tg6_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
if (!numeric && info->mask == 128)
printf("to-source %s ",
xtables_ip6addr_to_anyname(&info->addr.in6));
else
printf("to-source %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
}
static void
rawsnat_tg4_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf("--to-source %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in),
info->mask);
}
static void
rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf("--to-source %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6),
info->mask);
}
static struct xtables_target rawsnat_tg4_reg = {
.version = XTABLES_VERSION,
.name = "RAWSNAT",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawsnat_tg_help,
.parse = rawsnat_tg4_parse,
.final_check = rawsnat_tg_check,
.print = rawsnat_tg4_print,
.save = rawsnat_tg4_save,
.extra_opts = rawsnat_tg_opts,
};
static struct xtables_target rawsnat_tg6_reg = {
.version = XTABLES_VERSION,
.name = "RAWSNAT",
.revision = 0,
.family = PF_INET6,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawsnat_tg_help,
.parse = rawsnat_tg6_parse,
.final_check = rawsnat_tg_check,
.print = rawsnat_tg6_print,
.save = rawsnat_tg6_save,
.extra_opts = rawsnat_tg_opts,
};
static void _init(void)
{
xtables_register_target(&rawsnat_tg4_reg);
xtables_register_target(&rawsnat_tg6_reg);
}

38
extensions/libxt_RAWSNAT.man Normal file
View File

@@ -0,0 +1,38 @@
The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address
translation.
.PP
The \fBRAWSNAT\fR target will rewrite the source address in the IP header, much
like the \fBNETMAP\fP target. \fBRAWSNAT\fP (and \fBRAWDNAT\fP) may only be
used in the \fBraw\fP or \fBrawpost\fP tables, but can be used in all chains,
which makes it possible to change the source address either when the packet
enters the machine or when it leaves it. The reason for this table constraint
is that RAWNAT must happen outside of connection tracking.
.TP
\fB--to-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
Network address to map to. The resulting address will be constructed the
following way: All 'one' bits in the \fImask\fR are filled in from the new
\fIaddress\fR. All bits that are zero in the mask are filled in from the
original address.
.PP
As an example, changing the destination for packets forwarded from an internal
LAN to the internet:
.IP
-t raw -A PREROUTING -i lan0 -d 212.201.100.135 -j RAWDNAT --to-destination 199.181.132.250
-t rawpost -A POSTROUTING -o lan0 -s 199.181.132.250 -j RAWSNAT --to-source 212.201.100.135
.PP
Note that changing addresses may influence the route selection! Specifically,
it statically NATs packets, not connections, like the normal DNAT/SNAT targets
would do. Also note that it can transform already-NATed connections -- as said,
it is completely external to Netfilter's connection tracking/NAT.
.PP
If the machine itself generates packets that are to be rawnat'ed, you need a
rule in the OUTPUT chain instead, just like you would with the stateful NAT
targets.
.PP
It may be necessary that in doing so, you also need an extra RAWSNAT rule, to
override the automatic source address selection that the routing code does
before passing packets to iptables. If the connecting socket has not been
explicitly bound to an address, as is the common mode of operation, the address
that will be chosen is the primary address of the device through which the
packet would be routed with its initial destination address - the address as
seen before any RAWNAT takes place.

33
extensions/libxt_STEAL.c Normal file
View File

@@ -0,0 +1,33 @@
#include <stdio.h>
#include <xtables.h>
static void steal_tg_help(void)
{
printf("STEAL takes no options\n\n");
}
static int steal_tg_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
return 0;
}
static void steal_tg_check(unsigned int flags)
{
}
static struct xtables_target steal_tg_reg = {
.version = XTABLES_VERSION,
.name = "STEAL",
.family = AF_UNSPEC,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.help = steal_tg_help,
.parse = steal_tg_parse,
.final_check = steal_tg_check,
};
static void _init(void)
{
xtables_register_target(&steal_tg_reg);
}

2
extensions/libxt_STEAL.man Normal file
View File

@@ -0,0 +1,2 @@
Like the DROP target, but does not throw an error like DROP when used in the
\fBOUTPUT\fP chain.

19
extensions/libxt_SYSRQ.c
View File

@@ -21,21 +21,11 @@ static void sysrq_tg_check(unsigned int flags)
{
}
static struct xtables_target sysrq_tg4_reg = {
static struct xtables_target sysrq_tg_reg = {
.version = XTABLES_VERSION,
.name = "SYSRQ",
.family = PF_INET,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.help = sysrq_tg_help,
.parse = sysrq_tg_parse,
.final_check = sysrq_tg_check,
};
static struct xtables_target sysrq_tg6_reg = {
.version = XTABLES_VERSION,
.name = "SYSRQ",
.family = PF_INET6,
.revision = 1,
.family = PF_UNSPEC,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.help = sysrq_tg_help,
@@ -45,6 +35,5 @@ static struct xtables_target sysrq_tg6_reg = {
static __attribute__((constructor)) void sysrq_tg_ldr(void)
{
xtables_register_target(&sysrq_tg4_reg);
xtables_register_target(&sysrq_tg6_reg);
xtables_register_target(&sysrq_tg_reg);
}

2
extensions/libxt_SYSRQ.man
View File

@@ -25,7 +25,7 @@ ipsec --proto esp --tunnel-src 10.10.25.1 --tunnel-dst 10.10.25.7
You should also limit the rate at which connections can be received to limit
the CPU time taken by illegal requests, for example:
.IP
-A INPUT 0s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
-A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
-p udp --dport 9 -m limit --limit 5/minute -j SYSRQ
.PP
This extension does not take any options. The \fB-p udp\fP options are

81
extensions/libxt_TEE.c
View File

@@ -1,7 +1,7 @@
/*
* "TEE" target extension for iptables
* Copyright © Sebastian Claßen <sebastian.classen [at] freenet.ag>, 2007
* Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
* Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -50,16 +50,37 @@ static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
switch (c) {
case 'g':
if (*flags & FLAG_GATEWAY)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"Cannot specify --gw more than once");
if (check_inverse(optarg, &invert, NULL, 0))
exit_error(PARAMETER_PROBLEM,
"Unexpected \"!\" after --gateway");
ia = numeric_to_ipaddr(optarg);
ia = xtables_numeric_to_ipaddr(optarg);
if (ia == NULL)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"Invalid IP address %s", optarg);
memcpy(&info->gw, ia, sizeof(*ia));
*flags |= FLAG_GATEWAY;
return true;
}
return false;
}
static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_tee_tginfo *info = (void *)(*target)->data;
const struct in6_addr *ia;
switch (c) {
case 'g':
if (*flags & FLAG_GATEWAY)
xtables_error(PARAMETER_PROBLEM,
"Cannot specify --gw more than once");
ia = xtables_numeric_to_ip6addr(optarg);
if (ia == NULL)
xtables_error(PARAMETER_PROBLEM,
"Invalid IP address %s", optarg);
memcpy(&info->gw, ia, sizeof(*ia));
@@ -73,7 +94,7 @@ static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
static void tee_tg_check(unsigned int flags)
{
if (flags == 0)
exit_error(PARAMETER_PROBLEM, "TEE target: "
xtables_error(PARAMETER_PROBLEM, "TEE target: "
"--gateway parameter required");
}
@@ -83,21 +104,41 @@ static void tee_tg_print(const void *ip, const struct xt_entry_target *target,
const struct xt_tee_tginfo *info = (const void *)target->data;
if (numeric)
printf("TEE gw:%s ", ipaddr_to_anyname(&info->gw.in));
printf("TEE gw:%s ", xtables_ipaddr_to_numeric(&info->gw.in));
else
printf("TEE gw:%s ", ipaddr_to_numeric(&info->gw.in));
printf("TEE gw:%s ", xtables_ipaddr_to_anyname(&info->gw.in));
}
static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
if (numeric)
printf("TEE gw:%s ", xtables_ip6addr_to_numeric(&info->gw.in6));
else
printf("TEE gw:%s ", xtables_ip6addr_to_anyname(&info->gw.in6));
}
static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
printf("--gateway %s ", ipaddr_to_numeric(&info->gw.in));
printf("--gateway %s ", xtables_ipaddr_to_numeric(&info->gw.in));
}
static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
printf("--gateway %s ", xtables_ip6addr_to_numeric(&info->gw.in6));
}
static struct xtables_target tee_tg_reg = {
.name = "TEE",
.version = XTABLES_VERSION,
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.help = tee_tg_help,
@@ -108,7 +149,23 @@ static struct xtables_target tee_tg_reg = {
.extra_opts = tee_tg_opts,
};
static struct xtables_target tee_tg6_reg = {
.name = "TEE",
.version = XTABLES_VERSION,
.revision = 0,
.family = PF_INET6,
.size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.help = tee_tg_help,
.parse = tee_tg6_parse,
.final_check = tee_tg_check,
.print = tee_tg6_print,
.save = tee_tg6_save,
.extra_opts = tee_tg_opts,
};
static __attribute__((constructor)) void tee_tg_ldr(void)
{
xtables_register_target(&tee_tg_reg);
xtables_register_target(&tee_tg6_reg);
}

10
extensions/libxt_condition.c
View File

@@ -37,13 +37,13 @@ static int condition_parse(int c, char **argv, int invert, unsigned int *flags,
if (c == 'X') {
if (*flags)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"Can't specify multiple conditions");
if (strlen(optarg) < sizeof(info->name))
strcpy(info->name, optarg);
else
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"File name too long");
info->invert = invert;
@@ -57,7 +57,7 @@ static int condition_parse(int c, char **argv, int invert, unsigned int *flags,
static void condition_check(unsigned int flags)
{
if (flags == 0)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"Condition match: must specify --condition");
}
@@ -74,12 +74,12 @@ static void condition_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_condition_mtinfo *info = (const void *)match->data;
printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
printf("%s--condition \"%s\" ", info->invert ? "! " : "", info->name);
}
static struct xtables_match condition_mt_reg = {
.name = "condition",
.revision = 0,
.revision = 1,
.family = PF_UNSPEC,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),

4
extensions/libxt_dhcpaddr.man
View File

@@ -1,4 +0,0 @@
.TP
\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
Matches the DHCP Client Host address in a DHCP message. \fImask\fP specifies
the prefix length of the initial portion to match.

58
extensions/libxt_dhcpaddr.c → extensions/libxt_dhcpmac.c
View File

@@ -1,5 +1,5 @@
/*
* "dhcpaddr" match extension for iptables
* "dhcpmac" match extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
*
* This program is free software; you can redistribute it and/or
@@ -14,37 +14,37 @@
#include <netdb.h>
#include <net/ethernet.h>
#include <xtables.h>
#include "xt_DHCPADDR.h"
#include "xt_DHCPMAC.h"
#include "mac.c"
enum {
F_MAC = 1 << 0,
};
static const struct option dhcpaddr_mt_opts[] = {
static const struct option dhcpmac_mt_opts[] = {
{.name = "mac", .has_arg = true, .val = 'M'},
{NULL},
};
static void dhcpaddr_mt_help(void)
static void dhcpmac_mt_help(void)
{
printf(
"dhcpaddr match options:\n"
"dhcpmac match options:\n"
"[!] --mac lladdr[/mask] Match on MAC address in DHCP Client Host field\n"
);
}
static int dhcpaddr_mt_parse(int c, char **argv, int invert,
static int dhcpmac_mt_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_match **match)
{
struct dhcpaddr_info *info = (void *)(*match)->data;
struct dhcpmac_info *info = (void *)(*match)->data;
switch (c) {
case 'M':
param_act(P_ONLY_ONCE, "dhcpaddr", "--mac", *flags & F_MAC);
param_act(P_NO_INVERT, "dhcpaddr", "--mac", invert);
xtables_param_act(XTF_ONLY_ONCE, "dhcpmac", "--mac", *flags & F_MAC);
xtables_param_act(XTF_NO_INVERT, "dhcpmac", "--mac", invert);
if (!mac_parse(optarg, info->addr, &info->mask))
param_act(P_BAD_VALUE, "dhcpaddr", "--mac", optarg);
xtables_param_act(XTF_BAD_VALUE, "dhcpmac", "--mac", optarg);
if (invert)
info->invert = true;
*flags |= F_MAC;
@@ -54,26 +54,26 @@ static int dhcpaddr_mt_parse(int c, char **argv, int invert,
return false;
}
static void dhcpaddr_mt_check(unsigned int flags)
static void dhcpmac_mt_check(unsigned int flags)
{
if (flags == 0)
exit_error(PARAMETER_PROBLEM, "dhcpaddr match: "
xtables_error(PARAMETER_PROBLEM, "dhcpmac match: "
"--mac parameter required");
}
static void dhcpaddr_mt_print(const void *ip,
static void dhcpmac_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
const struct dhcpaddr_info *info = (void *)match->data;
const struct dhcpmac_info *info = (void *)match->data;
printf("dhcpaddr %s" DH_MAC_FMT "/%u ",
printf("dhcpmac %s" DH_MAC_FMT "/%u ",
info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
}
static void dhcpaddr_mt_save(const void *ip,
static void dhcpmac_mt_save(const void *ip,
const struct xt_entry_match *match)
{
const struct dhcpaddr_info *info = (void *)match->data;
const struct dhcpmac_info *info = (void *)match->data;
if (info->invert)
printf("! ");
@@ -81,22 +81,22 @@ static void dhcpaddr_mt_save(const void *ip,
DH_MAC_HEX(info->addr), info->mask);
}
static struct xtables_match dhcpaddr_mt_reg = {
static struct xtables_match dhcpmac_mt_reg = {
.version = XTABLES_VERSION,
.name = "dhcpaddr",
.name = "dhcpmac",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.help = dhcpaddr_mt_help,
.parse = dhcpaddr_mt_parse,
.final_check = dhcpaddr_mt_check,
.print = dhcpaddr_mt_print,
.save = dhcpaddr_mt_save,
.extra_opts = dhcpaddr_mt_opts,
.size = XT_ALIGN(sizeof(struct dhcpmac_info)),
.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.help = dhcpmac_mt_help,
.parse = dhcpmac_mt_parse,
.final_check = dhcpmac_mt_check,
.print = dhcpmac_mt_print,
.save = dhcpmac_mt_save,
.extra_opts = dhcpmac_mt_opts,
};
static __attribute__((constructor)) void dhcpaddr_mt_ldr(void)
static __attribute__((constructor)) void dhcpmac_mt_ldr(void)
{
xtables_register_match(&dhcpaddr_mt_reg);
xtables_register_match(&dhcpmac_mt_reg);
}

4
extensions/libxt_dhcpmac.man Normal file
View File

@@ -0,0 +1,4 @@
.TP
\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
Matches the DHCP "Client Host" address (a MAC address) in a DHCP message.
\fImask\fP specifies the prefix length of the initial portion to match.

20
extensions/libxt_fuzzy.c
View File

@@ -9,6 +9,7 @@
*/
#include <getopt.h>
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -54,22 +55,22 @@ static int fuzzy_mt_parse(int c, char **argv, int invert, unsigned int *flags,
switch (c) {
case '1':
if (invert)
exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
xtables_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
if (*flags & IPT_FUZZY_OPT_MINIMUM)
exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
if (string_to_number(optarg,1,FUZZY_MAX_RATE,&num) == -1 || num < 1)
exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
xtables_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
if (!xtables_strtoui(optarg, NULL, &num, 1, FUZZY_MAX_RATE) || num < 1)
xtables_error(PARAMETER_PROBLEM,"BAD --lower-limit");
info->minimum_rate = num;
*flags |= IPT_FUZZY_OPT_MINIMUM;
return true;
case '2':
if (invert)
exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
xtables_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
if (*flags & IPT_FUZZY_OPT_MAXIMUM)
exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
if (string_to_number(optarg,1,FUZZY_MAX_RATE,&num) == -1 || num < 1)
exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
xtables_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
if (!xtables_strtoui(optarg, NULL, &num, 1, FUZZY_MAX_RATE) || num < 1)
xtables_error(PARAMETER_PROBLEM,"BAD --upper-limit");
info->maximum_rate = num;
*flags |= IPT_FUZZY_OPT_MAXIMUM;
return true;
@@ -100,9 +101,10 @@ static void fuzzy_mt_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match fuzzy_mt_reg = {
.name = "fuzzy",
.revision = 1,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),
.help = fuzzy_mt_help,
.init = fuzzy_mt_init,
.parse = fuzzy_mt_parse,

27
extensions/libxt_geoip.c
View File

@@ -64,16 +64,16 @@ static struct geoip_subnet *geoip_get_subnets(const char *code, uint32_t *count)
if ((fd = open(buf, O_RDONLY)) < 0) {
fprintf(stderr, "Could not open %s: %s\n", buf, strerror(errno));
exit_error(OTHER_PROBLEM, "Could not read geoip database");
xtables_error(OTHER_PROBLEM, "Could not read geoip database");
}
fstat(fd, &sb);
if (sb.st_size % sizeof(struct geoip_subnet) != 0)
exit_error(OTHER_PROBLEM, "Database file %s seems to be "
xtables_error(OTHER_PROBLEM, "Database file %s seems to be "
"corrupted", buf);
subnets = malloc(sb.st_size);
if (subnets == NULL)
exit_error(OTHER_PROBLEM, "geoip: insufficient memory");
xtables_error(OTHER_PROBLEM, "geoip: insufficient memory");
read(fd, subnets, sb.st_size);
close(fd);
*count = sb.st_size / sizeof(struct geoip_subnet);
@@ -103,7 +103,7 @@ check_geoip_cc(char *cc, u_int16_t cc_used[], u_int8_t count)
if (strlen(cc) != 2) /* Country must be 2 chars long according
to the ISO3166 standard */
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"geoip: invalid country code '%s'", cc);
// Verification will fail if chars aren't uppercased.
@@ -112,7 +112,7 @@ check_geoip_cc(char *cc, u_int16_t cc_used[], u_int8_t count)
if (isalnum(cc[i]) != 0)
cc[i] = toupper(cc[i]);
else
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"geoip: invalid country code '%s'", cc);
/* Convert chars into a single 16 bit integer.
@@ -140,7 +140,7 @@ static unsigned int parse_geoip_cc(const char *ccstr, uint16_t *cc,
buffer = strdup(ccstr);
if (!buffer)
exit_error(OTHER_PROBLEM,
xtables_error(OTHER_PROBLEM,
"geoip: insufficient memory available");
for (cp = buffer, i = 0; cp && i < XT_GEOIP_MAX; cp = next, i++)
@@ -150,19 +150,19 @@ static unsigned int parse_geoip_cc(const char *ccstr, uint16_t *cc,
if ((cctmp = check_geoip_cc(cp, cc, count)) != 0) {
if ((mem[count++].user = (unsigned long)geoip_load_cc(cp, cctmp)) == 0)
exit_error(OTHER_PROBLEM,
xtables_error(OTHER_PROBLEM,
"geoip: insufficient memory available");
cc[count-1] = cctmp;
}
}
if (cp)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"geoip: too many countries specified");
free(buffer);
if (count == 0)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"geoip: don't know what happened");
return count;
@@ -176,7 +176,7 @@ static int geoip_parse(int c, char **argv, int invert, unsigned int *flags,
switch (c) {
case '1':
if (*flags & (XT_GEOIP_SRC | XT_GEOIP_DST))
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"geoip: Only exactly one of --source-country "
"or --destination-country must be specified!");
@@ -190,7 +190,7 @@ static int geoip_parse(int c, char **argv, int invert, unsigned int *flags,
case '2':
if (*flags & (XT_GEOIP_SRC | XT_GEOIP_DST))
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"geoip: Only exactly one of --source-country "
"or --destination-country must be specified!");
@@ -210,7 +210,7 @@ static void
geoip_final_check(unsigned int flags)
{
if (!flags)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"geoip: missing arguments");
}
@@ -261,9 +261,10 @@ geoip_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match geoip_match = {
.family = AF_INET,
.name = "geoip",
.revision = 1,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_geoip_match_info)),
.userspacesize = XT_ALIGN(offsetof(struct xt_geoip_match_info, mem)),
.userspacesize = offsetof(struct xt_geoip_match_info, mem),
.help = geoip_help,
.parse = geoip_parse,
.final_check = geoip_final_check,

217
extensions/libxt_iface.c Normal file
View File

@@ -0,0 +1,217 @@
/*
* Shared library add-on to iptables to add interface state matching
* support.
*
* (C) 2008 Gáspár Lajos <gaspar.lajos@glsys.eu>
*
* This program is released under the terms of GNU GPL version 2.
*/
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <xtables.h>
#include "xt_iface.h"
static const struct option iface_mt_opts[] = {
{.name = "iface", .has_arg = true, .val = 'i'},
{.name = "up", .has_arg = false, .val = 'u'},
{.name = "down", .has_arg = false, .val = 'U'}, /* not up */
{.name = "broadcast", .has_arg = false, .val = 'b'},
{.name = "loopback", .has_arg = false, .val = 'l'},
{.name = "pointopoint", .has_arg = false, .val = 'p'},
{.name = "pointtopoint", .has_arg = false, .val = 'p'}, /* eq pointopoint */
{.name = "running", .has_arg = false, .val = 'r'},
{.name = "noarp", .has_arg = false, .val = 'n'},
{.name = "arp", .has_arg = false, .val = 'N'}, /* not noarp */
{.name = "promisc", .has_arg = false, .val = 'o'},
{.name = "multicast", .has_arg = false, .val = 'm'},
{.name = "dynamic", .has_arg = false, .val = 'd'},
{.name = "lower-up", .has_arg = false, .val = 'w'},
{.name = "dormant", .has_arg = false, .val = 'a'},
{NULL},
};
static void iface_print_opt(const struct xt_iface_mtinfo *info,
const unsigned int option, const char *command)
{
if (info->flags & option)
printf(" %s", command);
if (info->invflags & option)
printf(" ! %s", command);
}
static void iface_setflag(struct xt_iface_mtinfo *info,
unsigned int *flags, int invert, u_int16_t flag, const char *command)
{
if (*flags & flag)
xtables_error(PARAMETER_PROBLEM,
"iface: \"--%s\" flag already specified", command);
if (invert)
info->invflags |= flag;
else
info->flags |= flag;
*flags |= flag;
}
static bool iface_valid_name(const char *name)
{
static const char invalid_chars[] = ".+!*";
return strlen(name) < IFNAMSIZ && strpbrk(name, invalid_chars) == NULL;
}
static void iface_mt_help(void)
{
printf(
"iface match options:\n"
" --iface interface Name of interface\n"
"[!] --up / --down match if UP flag (not) set\n"
"[!] --broadcast match if BROADCAST flag (not) set\n"
"[!] --loopback match if LOOPBACK flag (not) set\n"
"[!] --pointopoint\n"
"[!] --pointtopoint match if POINTOPOINT flag (not) set\n"
"[!] --running match if RUNNING flag (not) set\n"
"[!] --noarp / --arp match if NOARP flag (not) set\n"
"[!] --promisc match if PROMISC flag (not) set\n"
"[!] --multicast match if MULTICAST flag (not) set\n"
"[!] --dynamic match if DYNAMIC flag (not) set\n"
"[!] --lower-up match if LOWER_UP flag (not) set\n"
"[!] --dormant match if DORMANT flag (not) set\n");
}
static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct xt_iface_mtinfo *info = (void *)(*match)->data;
switch (c) {
case 'U':
c = 'u';
invert = !invert;
break;
case 'N':
c = 'n';
invert = !invert;
break;
}
switch (c) {
case 'i': /* interface name */
if (*flags & XT_IFACE_IFACE)
xtables_error(PARAMETER_PROBLEM,
"iface: Interface name already specified");
if (!iface_valid_name(optarg))
xtables_error(PARAMETER_PROBLEM,
"iface: Invalid interface name!");
strcpy(info->ifname, optarg);
*flags |= XT_IFACE_IFACE;
return true;
case 'u': /* UP */
iface_setflag(info, flags, invert, XT_IFACE_UP, "up");
return true;
case 'b': /* BROADCAST */
iface_setflag(info, flags, invert, XT_IFACE_BROADCAST, "broadcast");
return true;
case 'l': /* LOOPBACK */
iface_setflag(info, flags, invert, XT_IFACE_LOOPBACK, "loopback");
return true;
case 'p': /* POINTOPOINT */
iface_setflag(info, flags, invert, XT_IFACE_POINTOPOINT, "pointopoint");
return true;
case 'r': /* RUNNING */
iface_setflag(info, flags, invert, XT_IFACE_RUNNING, "running");
return true;
case 'n': /* NOARP */
iface_setflag(info, flags, invert, XT_IFACE_NOARP, "noarp");
return true;
case 'o': /* PROMISC */
iface_setflag(info, flags, invert, XT_IFACE_PROMISC, "promisc");
return true;
case 'm': /* MULTICAST */
iface_setflag(info, flags, invert, XT_IFACE_MULTICAST, "multicast");
return true;
case 'd': /* DYNAMIC */
iface_setflag(info, flags, invert, XT_IFACE_DYNAMIC, "dynamic");
return true;
case 'w': /* LOWER_UP */
iface_setflag(info, flags, invert, XT_IFACE_LOWER_UP, "lower_up");
return true;
case 'a': /* DORMANT */
iface_setflag(info, flags, invert, XT_IFACE_DORMANT, "dormant");
return true;
}
return false;
}
static void iface_mt_check(unsigned int flags)
{
if (!(flags & XT_IFACE_IFACE))
xtables_error(PARAMETER_PROBLEM,
"iface: You must specify an interface");
if (flags == 0 || flags == XT_IFACE_IFACE)
xtables_error(PARAMETER_PROBLEM,
"iface: You must specify at least one option");
}
static void iface_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_iface_mtinfo *info = (const void *)match->data;
printf("iface: \"%s\" [state:", info->ifname);
iface_print_opt(info, XT_IFACE_UP, "up");
iface_print_opt(info, XT_IFACE_BROADCAST, "broadcast");
iface_print_opt(info, XT_IFACE_LOOPBACK, "loopback");
iface_print_opt(info, XT_IFACE_POINTOPOINT, "pointopoint");
iface_print_opt(info, XT_IFACE_RUNNING, "running");
iface_print_opt(info, XT_IFACE_NOARP, "noarp");
iface_print_opt(info, XT_IFACE_PROMISC, "promisc");
iface_print_opt(info, XT_IFACE_MULTICAST, "multicast");
iface_print_opt(info, XT_IFACE_DYNAMIC, "dynamic");
iface_print_opt(info, XT_IFACE_LOWER_UP, "lower_up");
iface_print_opt(info, XT_IFACE_DORMANT, "dormant");
printf("] ");
}
static void iface_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_iface_mtinfo *info = (const void *)match->data;
printf(" --iface %s", info->ifname);
iface_print_opt(info, XT_IFACE_UP, "--up");
iface_print_opt(info, XT_IFACE_BROADCAST, "--broadcast");
iface_print_opt(info, XT_IFACE_LOOPBACK, "--loopback");
iface_print_opt(info, XT_IFACE_POINTOPOINT, "--pointopoint");
iface_print_opt(info, XT_IFACE_RUNNING, "--running");
iface_print_opt(info, XT_IFACE_NOARP, "--noarp");
iface_print_opt(info, XT_IFACE_PROMISC, "--promisc");
iface_print_opt(info, XT_IFACE_MULTICAST, "--multicast");
iface_print_opt(info, XT_IFACE_DYNAMIC, "--dynamic");
iface_print_opt(info, XT_IFACE_LOWER_UP, "--lower_up");
iface_print_opt(info, XT_IFACE_DORMANT, "--dormant");
printf(" ");
}
static struct xtables_match iface_mt_reg = {
.version = XTABLES_VERSION,
.name = "iface",
.revision = 0,
.family = AF_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.help = iface_mt_help,
.parse = iface_mt_parse,
.final_check = iface_mt_check,
.print = iface_mt_print,
.save = iface_mt_save,
.extra_opts = iface_mt_opts,
};
static void _init(void)
{
xtables_register_match(&iface_mt_reg);
}

37
extensions/libxt_iface.man Normal file
View File

@@ -0,0 +1,37 @@
Allows you to check interface states.
.TP
\fB\-\-iface\fP \fIname\fP
Check the states on the given interface. This option is required.
.TP
[\fB!\fP] \fB\-\-up\fP, [\fB!\fP] \fB\-\-down\fP
Check the UP flag.
.TP
[\fB!\fP] \fB\-\-broadcast\fP
Check the BROADCAST flag.
.TP
[\fB!\fP] \fB\-\-loopback\fP
Check the LOOPBACK flag.
.TP
[\fB!\fP] \fB\-\-pointtopoint\fP
Check the POINTTOPOINT flag.
.TP
[\fB!\fP] \fB\-\-running\fP
Check the RUNNING flag. Do NOT rely on it!
.TP
[\fB!\fP] \fB\-\-noarp\fP, [\fB!\fP] \fB\-\-arp\fP
Check the NOARP flag.
.TP
[\fB!\fP] \fB\-\-promisc\fP
Check the PROMISC flag.
.TP
[\fB!\fP] \fB\-\-multicast\fP
Check the MULTICAST flag.
.TP
[\fB!\fP] \fB\-\-dynamic\fP
Check the DYNAMIC flag.
.TP
[\fB!\fP] \fB\-\-lower-up\fP
Check the LOWER_UP flag.
.TP
[\fB!\fP] \fB\-\-dormant\fP
Check the DORMANT flag.

94
extensions/libxt_ipp2p.c
View File

@@ -1,7 +1,7 @@
/*
* "ipp2p" match extension for iptables
* Eicke Friedrich/Klaus Degner <ipp2p@ipp2p.org>, 2005 - 2006
* Jan Engelhardt <jengelh [at] medozas de>, 2008
* Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -17,12 +17,12 @@
#include <ctype.h>
#include <xtables.h>
#include "xt_ipp2p.h"
#define param_act(t, s, f) param_act((t), "ipp2p", (s), (f))
#define param_act(t, s, f) xtables_param_act((t), "ipp2p", (s), (f))
static void ipp2p_mt_help(void)
{
printf(
"IPP2P v%s options:\n"
"ipp2p v%s match options:\n"
" --edk [tcp,udp] All known eDonkey/eMule/Overnet packets\n"
" --dc [tcp] All known Direct Connect packets\n"
" --kazaa [tcp,udp] All known KaZaA packets\n"
@@ -32,19 +32,10 @@ static void ipp2p_mt_help(void)
" --winmx [tcp] All known WinMX\n"
" --soul [tcp] All known SoulSeek\n"
" --ares [tcp] All known Ares\n\n"
"EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n"
"EXPERIMENTAL protocols:\n"
" --mute [tcp] All known Mute packets\n"
" --waste [tcp] All known Waste packets\n"
" --xdcc [tcp] All known XDCC packets (only xdcc login)\n\n"
"DEBUG SUPPPORT, use only if you know why\n"
" --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n"
"\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n"
"You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n"
"\nSee README included with this package for more details or visit http://www.ipp2p.org\n"
"\nExamples:\n"
" iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n"
" iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n"
" iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n"
, IPP2P_VERSION);
}
@@ -72,109 +63,109 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
switch (c) {
case '2': /*cmd: edk*/
param_act(P_ONLY_ONCE, "--edk", *flags & IPP2P_EDK);
param_act(P_NO_INVERT, "--edk", invert);
param_act(XTF_ONLY_ONCE, "--edk", *flags & IPP2P_EDK);
param_act(XTF_NO_INVERT, "--edk", invert);
if (*flags & IPP2P_DATA_EDK)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"ipp2p: use `--edk' OR `--edk-data' but not both of them!");
*flags |= IPP2P_EDK;
info->cmd |= IPP2P_EDK;
break;
case '7': /*cmd: dc*/
param_act(P_ONLY_ONCE, "--dc", *flags & IPP2P_DC);
param_act(P_NO_INVERT, "--dc", invert);
param_act(XTF_ONLY_ONCE, "--dc", *flags & IPP2P_DC);
param_act(XTF_NO_INVERT, "--dc", invert);
if (*flags & IPP2P_DATA_DC)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"ipp2p: use `--dc' OR `--dc-data' but not both of them!");
*flags |= IPP2P_DC;
info->cmd |= IPP2P_DC;
break;
case '9': /*cmd: gnu*/
param_act(P_ONLY_ONCE, "--gnu", *flags & IPP2P_GNU);
param_act(P_NO_INVERT, "--gnu", invert);
param_act(XTF_ONLY_ONCE, "--gnu", *flags & IPP2P_GNU);
param_act(XTF_NO_INVERT, "--gnu", invert);
if (*flags & IPP2P_DATA_GNU)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"ipp2p: use `--gnu' OR `--gnu-data' but not both of them!");
*flags |= IPP2P_GNU;
info->cmd |= IPP2P_GNU;
break;
case 'a': /*cmd: kazaa*/
param_act(P_ONLY_ONCE, "--kazaa", *flags & IPP2P_KAZAA);
param_act(P_NO_INVERT, "--kazaa", invert);
param_act(XTF_ONLY_ONCE, "--kazaa", *flags & IPP2P_KAZAA);
param_act(XTF_NO_INVERT, "--kazaa", invert);
if (*flags & IPP2P_DATA_KAZAA)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!");
*flags |= IPP2P_KAZAA;
info->cmd |= IPP2P_KAZAA;
break;
case 'b': /*cmd: bit*/
param_act(P_ONLY_ONCE, "--kazaa", *flags & IPP2P_BIT);
param_act(P_NO_INVERT, "--kazaa", invert);
param_act(XTF_ONLY_ONCE, "--bit", *flags & IPP2P_BIT);
param_act(XTF_NO_INVERT, "--bit", invert);
*flags |= IPP2P_BIT;
info->cmd |= IPP2P_BIT;
break;
case 'c': /*cmd: apple*/
param_act(P_ONLY_ONCE, "--apple", *flags & IPP2P_APPLE);
param_act(P_NO_INVERT, "--apple", invert);
param_act(XTF_ONLY_ONCE, "--apple", *flags & IPP2P_APPLE);
param_act(XTF_NO_INVERT, "--apple", invert);
*flags |= IPP2P_APPLE;
info->cmd |= IPP2P_APPLE;
break;
case 'd': /*cmd: soul*/
param_act(P_ONLY_ONCE, "--soul", *flags & IPP2P_SOUL);
param_act(P_NO_INVERT, "--soul", invert);
param_act(XTF_ONLY_ONCE, "--soul", *flags & IPP2P_SOUL);
param_act(XTF_NO_INVERT, "--soul", invert);
*flags |= IPP2P_SOUL;
info->cmd |= IPP2P_SOUL;
break;
case 'e': /*cmd: winmx*/
param_act(P_ONLY_ONCE, "--winmx", *flags & IPP2P_WINMX);
param_act(P_NO_INVERT, "--winmx", invert);
param_act(XTF_ONLY_ONCE, "--winmx", *flags & IPP2P_WINMX);
param_act(XTF_NO_INVERT, "--winmx", invert);
*flags |= IPP2P_WINMX;
info->cmd |= IPP2P_WINMX;
break;
case 'f': /*cmd: ares*/
param_act(P_ONLY_ONCE, "--ares", *flags & IPP2P_ARES);
param_act(P_NO_INVERT, "--ares", invert);
param_act(XTF_ONLY_ONCE, "--ares", *flags & IPP2P_ARES);
param_act(XTF_NO_INVERT, "--ares", invert);
*flags |= IPP2P_ARES;
info->cmd |= IPP2P_ARES;
break;
case 'g': /*cmd: mute*/
param_act(P_ONLY_ONCE, "--mute", *flags & IPP2P_MUTE);
param_act(P_NO_INVERT, "--mute", invert);
param_act(XTF_ONLY_ONCE, "--mute", *flags & IPP2P_MUTE);
param_act(XTF_NO_INVERT, "--mute", invert);
*flags |= IPP2P_MUTE;
info->cmd |= IPP2P_MUTE;
break;
case 'h': /*cmd: waste*/
param_act(P_ONLY_ONCE, "--waste", *flags & IPP2P_WASTE);
param_act(P_NO_INVERT, "--waste", invert);
param_act(XTF_ONLY_ONCE, "--waste", *flags & IPP2P_WASTE);
param_act(XTF_NO_INVERT, "--waste", invert);
*flags |= IPP2P_WASTE;
info->cmd |= IPP2P_WASTE;
break;
case 'i': /*cmd: xdcc*/
param_act(P_ONLY_ONCE, "--xdcc", *flags & IPP2P_XDCC);
param_act(P_NO_INVERT, "--xdcc", invert);
param_act(XTF_ONLY_ONCE, "--xdcc", *flags & IPP2P_XDCC);
param_act(XTF_NO_INVERT, "--xdcc", invert);
*flags |= IPP2P_XDCC;
info->cmd |= IPP2P_XDCC;
break;
case 'j': /*cmd: debug*/
param_act(P_ONLY_ONCE, "--debug", info->debug);
param_act(P_NO_INVERT, "--debug", invert);
param_act(XTF_ONLY_ONCE, "--debug", info->debug);
param_act(XTF_NO_INVERT, "--debug", invert);
info->debug = 1;
break;
default:
// exit_error(PARAMETER_PROBLEM,
// xtables_error(PARAMETER_PROBLEM,
// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
return 0;
}
@@ -184,7 +175,7 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
static void ipp2p_mt_check(unsigned int flags)
{
if (!flags)
exit_error(PARAMETER_PROBLEM,
xtables_error(PARAMETER_PROBLEM,
"\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
}
@@ -208,7 +199,7 @@ static const char *const ipp2p_cmds[] = {
};
static void
ipp2p_mt_print(const void *entry, const struct xt_entry_match *match,
ipp2p_mt_print1(const void *entry, const struct xt_entry_match *match,
int numeric)
{
const struct ipt_p2p_info *info = (const void *)match->data;
@@ -222,15 +213,22 @@ ipp2p_mt_print(const void *entry, const struct xt_entry_match *match,
printf("--debug ");
}
static void ipp2p_mt_print(const void *entry,
const struct xt_entry_match *match, int numeric)
{
printf("ipp2p ");
ipp2p_mt_print1(entry, match, true);
}
static void ipp2p_mt_save(const void *entry, const struct xt_entry_match *match)
{
ipp2p_mt_print(entry, match, true);
ipp2p_mt_print1(entry, match, true);
}
static struct xtables_match ipp2p_mt_reg = {
.version = XTABLES_VERSION,
.name = "ipp2p",
.revision = 0,
.revision = 1,
.family = AF_INET,
.size = XT_ALIGN(sizeof(struct ipt_p2p_info)),
.userspacesize = XT_ALIGN(sizeof(struct ipt_p2p_info)),

18
extensions/libxt_ipp2p.man
View File

@@ -1,12 +1,12 @@
This module matches certain packets in P2P flows. It is not
designed to match all packets belonging to a P2P connection -
use IPP2P together with CONNMARK for this purpose. Also visit
http://www.ipp2p.org for detailed information.
use IPP2P together with CONNMARK for this purpose.
.PP
Use it together with -p tcp or -p udp to search these protocols
only or without -p switch to search packets of both protocols.
IPP2P provides the following options:
.PP
IPP2P provides the following options, of which one or more may be specified
on the command line:
.TP
.B "--edk "
Matches as many eDonkey/eMule packets as possible.
@@ -38,3 +38,11 @@ Matches Ares and AresLite packets. Use together with -j DROP only.
.B "--debug "
Prints some information about each hit into kernel logfile. May
produce huge logfiles so beware!
.PP
Note that ipp2p may not (and often, does not) identify all packets that are
exchanged as a result of running filesharing programs.
.PP
There is more information on http://ipp2p.org/ , but it has not been updated
since September 2006, and the syntax there is different from the ipp2p.c
provided in Xtables-addons; most importantly, the --ipp2p flag was removed due
to its ambiguity to match "all known" protocols.

177
extensions/libxt_ipv4options.c Normal file
View File

@@ -0,0 +1,177 @@
/*
* "ipv4options" match extension for iptables
* Coprygith © Jan Engelhardt, 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <getopt.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <xtables.h>
#include "xt_ipv4options.h"
/*
* Overview from http://www.networksorcery.com/enp/protocol/ip.htm
* Not providing strings for options that seem to be most distant in the past.
*/
static const char *const v4opt_names[32] = {
[ 1] = "nop",
[ 2] = "security", /* RFC 1108 */
[ 3] = "lsrr", /* RFC 791 */
[ 4] = "timestamp", /* RFC 781, 791 */
[ 7] = "record-route", /* RFC 791 */
[ 9] = "ssrr", /* RFC 791 */
[11] = "mtu-probe", /* RFC 1063 */
[12] = "mtu-reply", /* RFC 1063 */
[18] = "traceroute", /* RFC 1393 */
[20] = "router-alert", /* RFC 2113 */
};
static void ipv4options_mt_help(void)
{
printf(
"ipv4options match options:\n"
"--flags [!]symbol[,...] Match presence/absence (!) of option\n"
" (either by name or number)\n"
"--any Interpret --flags as OR-combined\n\n");
}
static const struct option ipv4options_mt_opts[] = {
{.name = "flags", .has_arg = true, .val = 'f'},
{.name = "any", .has_arg = false, .val = 'a'},
{NULL},
};
static void ipv4options_parse_flagspec(struct xt_ipv4options_mtinfo1 *info,
char *arg)
{
unsigned int i, opt;
bool inv;
char *p;
while (true) {
p = strchr(arg, ',');
if (p != NULL)
*p = '\0';
inv = false;
opt = 0;
if (*arg == '!') {
inv = true;
++arg;
}
for (i = 1; i < 32;++i)
if (v4opt_names[i] != NULL &&
strcmp(v4opt_names[i], arg) == 0) {
opt = i;
break;
}
if (opt == 0 &&
!xtables_strtoui(arg, NULL, &opt, 0, UINT8_MAX))
xtables_error(PARAMETER_PROBLEM,
"ipv4options: Bad option value \"%s\"", arg);
if (opt == 0)
xtables_error(PARAMETER_PROBLEM,
"ipv4options: Option value may not be zero");
info->map |= (1 << opt);
if (inv)
info->invert |= (1 << opt);
if (p == NULL)
break;
arg = p + 1;
}
}
static int ipv4options_mt_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_match **match)
{
struct xt_ipv4options_mtinfo1 *info = (void *)(*match)->data;
switch (c) {
case 'a': /* --any */
xtables_param_act(XTF_NO_INVERT, "ipv4options", "--any", invert);
info->flags |= XT_V4OPTS_ANY;
return true;
case 'f': /* --flags */
xtables_param_act(XTF_NO_INVERT, "ipv4options", "--flags", invert);
ipv4options_parse_flagspec(info, optarg);
return true;
}
return false;
}
/* no checking of *flags - no IPv4 options is also valid */
static void ipv4options_print_flags(const struct xt_ipv4options_mtinfo1 *info,
bool numeric)
{
uint32_t tmp = info->map;
unsigned int i;
for (i = 1; i < 32; ++i)
if (tmp & (1 << i)) {
if (info->invert & (1 << i))
printf("!");
if (!numeric && v4opt_names[i] != NULL)
printf("%s", v4opt_names[i]);
else
printf("%u", i);
tmp &= ~(1 << i);
if (tmp)
printf(",");
}
}
static void ipv4options_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
const struct xt_ipv4options_mtinfo1 *info = (void *)match->data;
printf("ipv4options %s ",
(info->flags & XT_V4OPTS_ANY) ? "any-of" : "all-of");
ipv4options_print_flags(info, numeric);
printf(" ");
}
static void ipv4options_mt_save(const void *ip,
const struct xt_entry_match *match)
{
const struct xt_ipv4options_mtinfo1 *info = (void *)match->data;
if (info->map != 0) {
printf("--flags ");
ipv4options_print_flags(info, true);
}
if (info->flags & XT_V4OPTS_ANY)
printf(" --any");
printf(" ");
}
static struct xtables_match ipv4options_mt_reg = {
.version = XTABLES_VERSION,
.name = "ipv4options",
.revision = 1,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
.help = ipv4options_mt_help,
.parse = ipv4options_mt_parse,
.print = ipv4options_mt_print,
.save = ipv4options_mt_save,
.extra_opts = ipv4options_mt_opts,
};
static __attribute__((constructor)) void ipv4options_mt_ldr(void)
{
xtables_register_match(&ipv4options_mt_reg);
}

47
extensions/libxt_ipv4options.man Normal file
View File

@@ -0,0 +1,47 @@
The "ipv4options" module allows to match against a set of IPv4 header options.
.TP
\fB\-\-flags\fP [\fB!\fP]\fIsymbol\fP[\fB,\fP[\fB!\fP]\fIsymbol...\fP]
Specify the options that shall appear or not appear in the header. Each
symbol specification is delimited by a comma, and a '!' can be prefixed to
a symbol to negate its presence. Symbols are either the name of an IPv4 option
or its number. See examples below.
.TP
\fB\-\-any\fP
By default, all of the flags specified must be present/absent, that is, they
form an AND condition. Use the \-\-any flag instead to use an OR condition
where only at least one symbol spec must be true.
.PP
Known symbol names (and their number):
.PP
1 - \fBnop\fP
.PP
2 - \fBsecurity\fP - RFC 1108
.PP
3 - \fBlsrr\fP - Loose Source Routing, RFC 791
.PP
4 - \fBtimestamp\fP - RFC 781, 791
.PP
7 - \fBrecord\-route\fP - RFC 791
.PP
9 - \fBssrr\fP - Strict Source Routing, RFC 791
.PP
11 - \fBmtu\-probe\fP - RFC 1063
.PP
12 - \fBmtu\-reply\fP - RFC 1063
.PP
18 - \fBtraceroute\fP - RFC 1393
.PP
20 - \fBrouter-alert\fP - RFC 2113
.PP
Examples:
.PP
Match packets that have both Timestamp and NOP:
\-m ipv4options \-\-flags nop,timestamp
.PP
~ that have either of Timestamp or NOP, or both:
\-\-flags nop,timestamp \-\-any
.PP
~ that have Timestamp and no NOP: \-\-flags '!nop,timestamp'
.PP
~ that have either no NOP or a timestamp (or both conditions):
\-\-flags '!nop,timestamp' \-\-any

18
extensions/libxt_length.man Normal file
View File

@@ -0,0 +1,18 @@
This module matches the length of a packet against a specific value or range of
values.
.TP
[\fB!\fR] \fB--length\fR \fIlength\fR[\fB:\fR\fIlength\fR]
Match exact length or length range.
.TP
\fB--layer3\fR
Match the layer3 frame size (e.g. IPv4/v6 header plus payload).
.TP
\fB--layer4\fR
Match the layer4 frame size (e.g. TCP/UDP header plus payload).
.TP
\fB--layer5\fR
Match the layer5 frame size (e.g. TCP/UDP payload, often called layer7).
.PP
If no --layer* option is given, --layer3 is assumed by default. Note that using
--layer5 may not match a packet if it is not one of the recognized types
(currently TCP, UDP, UDPLite, ICMP, AH and ESP) or which has no 5th layer.

173
extensions/libxt_length2.c Normal file
View File

@@ -0,0 +1,173 @@
#include <getopt.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <xtables.h>
#include "xt_length2.h"
enum {
F_LAYER = 1 << 0,
F_LENGTH = 1 << 1,
XT_LENGTH_LAYER_MASK = XT_LENGTH_LAYER3 | XT_LENGTH_LAYER4 |
XT_LENGTH_LAYER5 | XT_LENGTH_LAYER7,
};
static void length_mt_help(void)
{
printf(
"length match options:\n"
" --layer3 Match against layer3 size (e.g. L4 + IPv6 header)\n"
" --layer4 Match against layer4 size (e.g. L5 + SCTP header)\n"
" --layer5 Match against layer5 size (e.g. L7 + chunk headers)\n"
" --layer7 Match against layer7 payload (e.g. SCTP payload)\n"
"[!] --length n[:n] Match packet length against value or range\n"
" of values (inclusive)\n"
);
}
static const struct option length_mt_opts[] = {
{.name = "layer3", .has_arg = false, .val = '3'},
{.name = "layer4", .has_arg = false, .val = '4'},
{.name = "layer5", .has_arg = false, .val = '5'},
{.name = "layer7", .has_arg = false, .val = '7'},
{.name = "length", .has_arg = true, .val = '='},
{NULL},
};
static void length_mt_init(struct xt_entry_match *match)
{
struct xt_length_mtinfo2 *info = (void *)match->data;
info->flags = XT_LENGTH_LAYER3;
}
static int length_mt_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct xt_length_mtinfo2 *info = (void *)(*match)->data;
unsigned int from, to;
char *end;
switch (c) {
case '3': /* --layer3 */
xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
info->flags &= ~XT_LENGTH_LAYER_MASK;
info->flags |= XT_LENGTH_LAYER3;
*flags |= F_LAYER;
return true;
case '4': /* --layer4 */
xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
info->flags &= ~XT_LENGTH_LAYER_MASK;
info->flags |= XT_LENGTH_LAYER4;
*flags |= F_LAYER;
return true;
case '5': /* --layer5 */
xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
info->flags &= ~XT_LENGTH_LAYER_MASK;
info->flags |= XT_LENGTH_LAYER5;
*flags |= F_LAYER;
return true;
case '7': /* --layer7 */
xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
info->flags &= ~XT_LENGTH_LAYER_MASK;
info->flags |= XT_LENGTH_LAYER7;
*flags |= F_LAYER;
return true;
case '=': /* --length */
xtables_param_act(XTF_ONLY_ONCE, "length", "--length", *flags & F_LENGTH);
if (invert)
info->flags |= XT_LENGTH_INVERT;
if (!xtables_strtoui(optarg, &end, &from, 0, ~0U))
xtables_param_act(XTF_BAD_VALUE, "length", "--length", optarg);
to = from;
if (*end == ':')
if (!xtables_strtoui(end + 1, &end, &to, 0, ~0U))
xtables_param_act(XTF_BAD_VALUE, "length",
"--length", optarg);
if (*end != '\0')
xtables_param_act(XTF_BAD_VALUE, "length", "--length", optarg);
info->min = from;
info->max = to;
*flags |= F_LENGTH;
return true;
}
return false;
}
static void length_mt_check(unsigned int flags)
{
if (!(flags & F_LENGTH))
xtables_error(PARAMETER_PROBLEM,
"length: You must specify \"--length\"");
if (!(flags & F_LAYER))
fprintf(stderr, "iptables: length match: Defaulting to "
"--layer3. Consider specifying it explicitly.\n");
}
static void length_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_length_mtinfo2 *info = (const void *)match->data;
if (info->flags & XT_LENGTH_LAYER3)
printf("layer3 ");
else if (info->flags & XT_LENGTH_LAYER4)
printf("layer4 ");
else if (info->flags & XT_LENGTH_LAYER5)
printf("layer5 ");
else if (info->flags & XT_LENGTH_LAYER7)
printf("layer7 ");
printf("length ");
if (info->flags & XT_LENGTH_INVERT)
printf("! ");
if (info->min == info->max)
printf("%u ", (unsigned int)info->min);
else
printf("%u-%u ", (unsigned int)info->min,
(unsigned int)info->max);
}
static void length_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_length_mtinfo2 *info = (const void *)match->data;
if (info->flags & XT_LENGTH_LAYER3)
printf("--layer3 ");
else if (info->flags & XT_LENGTH_LAYER4)
printf("--layer4 ");
else if (info->flags & XT_LENGTH_LAYER5)
printf("--layer5 ");
else if (info->flags & XT_LENGTH_LAYER7)
printf("--layer7 ");
if (info->flags & XT_LENGTH_INVERT)
printf("! ");
printf("--length ");
if (info->min == info->max)
printf("%u ", (unsigned int)info->min);
else
printf("%u:%u ", (unsigned int)info->min,
(unsigned int)info->max);
}
static struct xtables_match length2_mt_reg = {
.version = XTABLES_VERSION,
.name = "length2",
.revision = 2,
.family = PF_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
.userspacesize = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
.init = length_mt_init,
.help = length_mt_help,
.parse = length_mt_parse,
.final_check = length_mt_check,
.print = length_mt_print,
.save = length_mt_save,
.extra_opts = length_mt_opts,
};
static void _init(void)
{
xtables_register_match(&length2_mt_reg);
}

52
extensions/libxt_portscan.c → extensions/libxt_lscan.c
View File

@@ -1,6 +1,6 @@
/*
* "portscan" match extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
* LSCAN match extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -16,9 +16,9 @@
#include <xtables.h>
#include <linux/netfilter/x_tables.h>
#include "xt_portscan.h"
#include "xt_lscan.h"
static const struct option portscan_mt_opts[] = {
static const struct option lscan_mt_opts[] = {
{.name = "stealth", .has_arg = false, .val = 'x'},
{.name = "synscan", .has_arg = false, .val = 's'},
{.name = "cnscan", .has_arg = false, .val = 'c'},
@@ -26,10 +26,10 @@ static const struct option portscan_mt_opts[] = {
{NULL},
};
static void portscan_mt_help(void)
static void lscan_mt_help(void)
{
printf(
"portscan match options:\n"
"lscan match options:\n"
"(Combining them will make them match by OR-logic)\n"
" --stealth Match TCP Stealth packets\n"
" --synscan Match TCP SYN scans\n"
@@ -37,10 +37,10 @@ static void portscan_mt_help(void)
" --grscan Match Banner Grabbing scans\n");
}
static int portscan_mt_parse(int c, char **argv, int invert,
static int lscan_mt_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_match **match)
{
struct xt_portscan_mtinfo *info = (void *)((*match)->data);
struct xt_lscan_mtinfo *info = (void *)((*match)->data);
switch (c) {
case 'c':
@@ -59,17 +59,17 @@ static int portscan_mt_parse(int c, char **argv, int invert,
return false;
}
static void portscan_mt_check(unsigned int flags)
static void lscan_mt_check(unsigned int flags)
{
}
static void portscan_mt_print(const void *ip,
static void lscan_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
const struct xt_portscan_mtinfo *info = (const void *)(match->data);
const struct xt_lscan_mtinfo *info = (const void *)(match->data);
const char *s = "";
printf("portscan ");
printf("lscan ");
if (info->match_stealth) {
printf("STEALTH");
s = ",";
@@ -87,9 +87,9 @@ static void portscan_mt_print(const void *ip,
printf(" ");
}
static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_portscan_mtinfo *info = (const void *)(match->data);
const struct xt_lscan_mtinfo *info = (const void *)(match->data);
if (info->match_stealth)
printf("--stealth ");
@@ -101,22 +101,22 @@ static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
printf("--grscan ");
}
static struct xtables_match portscan_mt_reg = {
static struct xtables_match lscan_mt_reg = {
.version = XTABLES_VERSION,
.name = "portscan",
.name = "lscan",
.revision = 0,
.family = AF_INET,
.size = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
.help = portscan_mt_help,
.parse = portscan_mt_parse,
.final_check = portscan_mt_check,
.print = portscan_mt_print,
.save = portscan_mt_save,
.extra_opts = portscan_mt_opts,
.size = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
.help = lscan_mt_help,
.parse = lscan_mt_parse,
.final_check = lscan_mt_check,
.print = lscan_mt_print,
.save = lscan_mt_save,
.extra_opts = lscan_mt_opts,
};
static __attribute__((constructor)) void portscan_mt_ldr(void)
static __attribute__((constructor)) void lscan_mt_ldr(void)
{
xtables_register_match(&portscan_mt_reg);
xtables_register_match(&lscan_mt_reg);
}

11
extensions/libxt_portscan.man → extensions/libxt_lscan.man
View File

@@ -1,4 +1,5 @@
Detects simple port scan attemps based upon the packet's contents. (This is
Detects simple low-level scan attemps based upon the packet's contents.
(This is
different from other implementations, which also try to match the rate of new
connections.) Note that an attempt is only discovered after it has been carried
out, but this information can be used in conjunction with other rules to block
@@ -20,8 +21,12 @@ connection was torn down after completion of the 3-way handshake.
\fB--grscan\fR
Match if data in the connection only flew in the direction of the remote side,
e.g. if the connection was terminated after a locally running daemon sent its
identification. (e.g. openssh)
identification. (E.g. openssh, smtp, ftpd.) This may falsely trigger on
warranted single-direction data flows, usually bulk data transfers such as
FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
ports where a protocol runs that is guaranteed to do a bidirectional exchange
of bytes.
.PP
NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
so be advised to carefully use xt_portscan in conjunction with blocking rules,
so be advised to carefully use xt_lscan in conjunction with blocking rules,
as it may lock out your very own internal network.

158
extensions/libxt_psd.c Normal file
View File

@@ -0,0 +1,158 @@
/*
Shared library add-on to iptables to add PSD support
Copyright (C) 2000,2001 astaro AG
This file is distributed under the terms of the GNU General Public
License (GPL). Copies of the GPL can be obtained from:
ftp://prep.ai.mit.edu/pub/gnu/GPL
2000-05-04 Markus Hennig <hennig@astaro.de> : initial
2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
2003-03-02 Harald Welte <laforge@netfilter.org>: fix 'storage' bug
2008-04-03 Mohd Nawawi <nawawi@tracenetworkcorporation.com>: update to 2.6.24 / 1.4 code
2008-06-24 Mohd Nawawi <nawawi@tracenetworkcorporation.com>: update to 2.6.24 / 1.4.1 code
2009-08-07 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to xtables-addons
*/
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <syslog.h>
#include <getopt.h>
#include <xtables.h>
#include <linux/netfilter/x_tables.h>
#include "xt_psd.h"
/* Function which prints out usage message. */
static void psd_mt_help(void) {
printf(
"psd match options:\n"
" --psd-weight-threshold threshhold Portscan detection weight threshold\n"
" --psd-delay-threshold delay Portscan detection delay threshold\n"
" --psd-lo-ports-weight lo Privileged ports weight\n"
" --psd-hi-ports-weight hi High ports weight\n\n");
}
static const struct option psd_mt_opts[] = {
{.name = "psd-weight-threshold", .has_arg = true, .val = '1'},
{.name = "psd-delay-threshold", .has_arg = true, .val = '2'},
{.name = "psd-lo-ports-weight", .has_arg = true, .val = '3'},
{.name = "psd-hi-ports-weight", .has_arg = true, .val = '4'},
{NULL}
};
/* Initialize the target. */
static void psd_mt_init(struct xt_entry_match *match) {
struct xt_psd_info *psdinfo = (struct xt_psd_info *)match->data;
psdinfo->weight_threshold = SCAN_WEIGHT_THRESHOLD;
psdinfo->delay_threshold = SCAN_DELAY_THRESHOLD;
psdinfo->lo_ports_weight = PORT_WEIGHT_PRIV;
psdinfo->hi_ports_weight = PORT_WEIGHT_HIGH;
}
#define XT_PSD_OPT_CTRESH 0x01
#define XT_PSD_OPT_DTRESH 0x02
#define XT_PSD_OPT_LPWEIGHT 0x04
#define XT_PSD_OPT_HPWEIGHT 0x08
static int psd_mt_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct xt_psd_info *psdinfo = (struct xt_psd_info *)(*match)->data;
unsigned int num;
switch (c) {
/* PSD-weight-threshold */
case '1':
if (*flags & XT_PSD_OPT_CTRESH)
xtables_error(PARAMETER_PROBLEM,"Can't specify --psd-weight-threshold twice");
if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
xtables_error(PARAMETER_PROBLEM, "bad --psd-weight-threshold '%s'", optarg);
psdinfo->weight_threshold = num;
*flags |= XT_PSD_OPT_CTRESH;
return true;
/* PSD-delay-threshold */
case '2':
if (*flags & XT_PSD_OPT_DTRESH)
xtables_error(PARAMETER_PROBLEM, "Can't specify --psd-delay-threshold twice");
if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
xtables_error(PARAMETER_PROBLEM, "bad --psd-delay-threshold '%s'", optarg);
psdinfo->delay_threshold = num;
*flags |= XT_PSD_OPT_DTRESH;
return true;
/* PSD-lo-ports-weight */
case '3':
if (*flags & XT_PSD_OPT_LPWEIGHT)
xtables_error(PARAMETER_PROBLEM, "Can't specify --psd-lo-ports-weight twice");
if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
xtables_error(PARAMETER_PROBLEM, "bad --psd-lo-ports-weight '%s'", optarg);
psdinfo->lo_ports_weight = num;
*flags |= XT_PSD_OPT_LPWEIGHT;
return true;
/* PSD-hi-ports-weight */
case '4':
if (*flags & XT_PSD_OPT_HPWEIGHT)
xtables_error(PARAMETER_PROBLEM, "Can't specify --psd-hi-ports-weight twice");
if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
xtables_error(PARAMETER_PROBLEM, "bad --psd-hi-ports-weight '%s'", optarg);
psdinfo->hi_ports_weight = num;
*flags |= XT_PSD_OPT_HPWEIGHT;
return true;
}
return false;
}
/* Final check; nothing. */
static void psd_mt_final_check(unsigned int flags) {}
/* Prints out the targinfo. */
static void psd_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
const struct xt_psd_info *psdinfo = (const struct xt_psd_info *)match->data;
printf("psd ");
printf("weight-threshold: %u ", psdinfo->weight_threshold);
printf("delay-threshold: %u ", psdinfo->delay_threshold);
printf("lo-ports-weight: %u ", psdinfo->lo_ports_weight);
printf("hi-ports-weight: %u ", psdinfo->hi_ports_weight);
}
/* Saves the union ipt_targinfo in parsable form to stdout. */
static void psd_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_psd_info *psdinfo = (const struct xt_psd_info *)match->data;
printf("--psd-weight-threshold %u ", psdinfo->weight_threshold);
printf("--psd-delay-threshold %u ", psdinfo->delay_threshold);
printf("--psd-lo-ports-weight %u ", psdinfo->lo_ports_weight);
printf("--psd-hi-ports-weight %u ", psdinfo->hi_ports_weight);
}
static struct xtables_match psd_mt_reg = {
.name = "psd",
.version = XTABLES_VERSION,
.revision = 1,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct xt_psd_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_psd_info)),
.help = psd_mt_help,
.init = psd_mt_init,
.parse = psd_mt_parse,
.final_check = psd_mt_final_check,
.print = psd_mt_print,
.save = psd_mt_save,
.extra_opts = psd_mt_opts,
};
static __attribute__((constructor)) void psd_mt_ldr(void)
{
xtables_register_match(&psd_mt_reg);
}

18
extensions/libxt_psd.man Normal file
View File

@@ -0,0 +1,18 @@
Attempt to detect TCP and UDP port scans. This match was derived from
Solar Designer's scanlogd.
.TP
.BI "--psd-weight-threshold " "threshold"
Total weight of the latest TCP/UDP packets with different
destination ports coming from the same host to be treated as port
scan sequence.
.TP
.BI "--psd-delay-threshold " "delay"
Delay (in hundredths of second) for the packets with different
destination ports coming from the same host to be treated as
possible port scan subsequence.
.TP
.BI "--psd-lo-ports-weight " "weight"
Weight of the packet with privileged (<=1024) destination port.
.TP
.BI "--psd-hi-ports-weight " "weight"
Weight of the packet with non-priviliged destination port.

18
extensions/libxt_quota2.c
View File

@@ -51,31 +51,31 @@ quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags,
switch (c) {
case 'g':
param_act(P_ONLY_ONCE, "quota", "--grow", *flags & FL_GROW);
param_act(P_NO_INVERT, "quota", "--grow", invert);
xtables_param_act(XTF_ONLY_ONCE, "quota", "--grow", *flags & FL_GROW);
xtables_param_act(XTF_NO_INVERT, "quota", "--grow", invert);
info->flags |= XT_QUOTA_GROW;
*flags |= FL_GROW;
return true;
case 'n':
/* zero termination done on behalf of the kernel module */
param_act(P_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
param_act(P_NO_INVERT, "quota", "--name", invert);
xtables_param_act(XTF_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
xtables_param_act(XTF_NO_INVERT, "quota", "--name", invert);
strncpy(info->name, optarg, sizeof(info->name));
*flags |= FL_NAME;
return true;
case 'p':
param_act(P_ONLY_ONCE, "quota", "--packets", *flags & FL_PACKET);
param_act(P_NO_INVERT, "quota", "--packets", invert);
xtables_param_act(XTF_ONLY_ONCE, "quota", "--packets", *flags & FL_PACKET);
xtables_param_act(XTF_NO_INVERT, "quota", "--packets", invert);
info->flags |= XT_QUOTA_PACKET;
*flags |= FL_PACKET;
return true;
case 'q':
param_act(P_ONLY_ONCE, "quota", "--quota", *flags & FL_QUOTA);
xtables_param_act(XTF_ONLY_ONCE, "quota", "--quota", *flags & FL_QUOTA);
if (invert)
info->flags |= XT_QUOTA_INVERT;
info->quota = strtoull(optarg, &end, 0);
if (*end != '\0')
exit_error(PARAMETER_PROBLEM, "quota match: "
xtables_error(PARAMETER_PROBLEM, "quota match: "
"invalid value for --quota");
*flags |= FL_QUOTA;
return true;
@@ -121,7 +121,7 @@ static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
static struct xtables_match quota_mt2_reg = {
.family = AF_UNSPEC,
.revision = 2,
.revision = 3,
.name = "quota2",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof (struct xt_quota_mtinfo2)),

2
extensions/mac.c
View File

@@ -19,7 +19,7 @@ static bool mac_parse(const char *addr, unsigned char *dest, uint8_t *mask)
*mask = 48;
if (*end == '/') {
if (!strtonum(end + 1, &end, &value, 0, 48))
if (!xtables_strtoui(end + 1, &end, &value, 0, 48))
return false;
if (*end != '\0')
return false;

1104
extensions/xt_ACCOUNT.c Normal file
View File

File diff suppressed because it is too large Load Diff

118
extensions/xt_ACCOUNT.h Normal file
View File

@@ -0,0 +1,118 @@
/***************************************************************************
* Copyright (C) 2004-2006 by Intra2net AG *
* opensource@intra2net.com *
* *
* This program is free software; you can redistribute it and/or modify *
* it under the terms of the GNU General Public License *
* version 2 as published by the Free Software Foundation; *
* *
***************************************************************************/
#ifndef _IPT_ACCOUNT_H
#define _IPT_ACCOUNT_H
/*
* Socket option interface shared between kernel (xt_ACCOUNT) and userspace
* library (libxt_ACCOUNT_cl). Hopefully we are unique at least within our
* kernel & xtables-addons space.
*/
#define SO_ACCOUNT_BASE_CTL 90
#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (SO_ACCOUNT_BASE_CTL + 1)
#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (SO_ACCOUNT_BASE_CTL + 2)
#define IPT_SO_SET_ACCOUNT_MAX IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
#define IPT_SO_GET_ACCOUNT_PREPARE_READ (SO_ACCOUNT_BASE_CTL + 4)
#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (SO_ACCOUNT_BASE_CTL + 5)
#define IPT_SO_GET_ACCOUNT_GET_DATA (SO_ACCOUNT_BASE_CTL + 6)
#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (SO_ACCOUNT_BASE_CTL + 7)
#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (SO_ACCOUNT_BASE_CTL + 8)
#define IPT_SO_GET_ACCOUNT_MAX IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
#define ACCOUNT_MAX_TABLES 128
#define ACCOUNT_TABLE_NAME_LEN 32
#define ACCOUNT_MAX_HANDLES 10
/* Structure for the userspace part of ipt_ACCOUNT */
struct ipt_acc_info {
uint32_t net_ip;
uint32_t net_mask;
char table_name[ACCOUNT_TABLE_NAME_LEN];
int32_t table_nr;
};
/* Internal table structure, generated by check_entry() */
struct ipt_acc_table {
char name[ACCOUNT_TABLE_NAME_LEN]; /* name of the table */
uint32_t ip; /* base IP of network */
uint32_t netmask; /* netmask of the network */
unsigned char depth; /* size of network:
0: 8 bit, 1: 16bit, 2: 24 bit */
uint32_t refcount; /* refcount of this table.
if zero, destroy it */
uint32_t itemcount; /* number of IPs in this table */
void *data; /* pointer to the actual data,
depending on netmask */
};
/* Internal handle structure */
struct ipt_acc_handle {
uint32_t ip; /* base IP of network. Used for
caculating the final IP during
get_data() */
unsigned char depth; /* size of network. See above for
details */
uint32_t itemcount; /* number of IPs in this table */
void *data; /* pointer to the actual data,
depending on size */
};
/* Handle structure for communication with the userspace library */
struct ipt_acc_handle_sockopt {
uint32_t handle_nr; /* Used for HANDLE_FREE */
char name[ACCOUNT_TABLE_NAME_LEN]; /* Used for HANDLE_PREPARE_READ/
HANDLE_READ_FLUSH */
uint32_t itemcount; /* Used for HANDLE_PREPARE_READ/
HANDLE_READ_FLUSH */
};
/* Used for every IP entry
Size is 16 bytes so that 256 (class C network) * 16
fits in one kernel (zero) page */
struct ipt_acc_ip {
uint32_t src_packets;
uint32_t src_bytes;
uint32_t dst_packets;
uint32_t dst_bytes;
};
/*
Used for every IP when returning data
*/
struct ipt_acc_handle_ip {
uint32_t ip;
uint32_t src_packets;
uint32_t src_bytes;
uint32_t dst_packets;
uint32_t dst_bytes;
};
/*
The IPs are organized as an array so that direct slot
calculations are possible.
Only 8 bit networks are preallocated, 16/24 bit networks
allocate their slots when needed -> very efficent.
*/
struct ipt_acc_mask_24 {
struct ipt_acc_ip ip[256];
};
struct ipt_acc_mask_16 {
struct ipt_acc_mask_24 *mask_24[256];
};
struct ipt_acc_mask_8 {
struct ipt_acc_mask_16 *mask_16[256];
};
#endif /* _IPT_ACCOUNT_H */

2
extensions/xt_CHAOS.c
View File

@@ -234,7 +234,7 @@ static void __exit chaos_tg_exit(void)
module_init(chaos_tg_init);
module_exit(chaos_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CHAOS");

9
extensions/xt_DELUDE.c
View File

@@ -119,19 +119,18 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
addr_type = RTN_LOCAL;
/* ip_route_me_harder expects skb->dst to be set */
dst_hold(oldskb->dst);
nskb->dst = oldskb->dst;
skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
if (ip_route_me_harder(&nskb, addr_type))
goto free_nskb;
else
niph = ip_hdr(nskb);
niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
nskb->ip_summed = CHECKSUM_NONE;
/* "Never happens" */
if (nskb->len > dst_mtu(nskb->dst))
if (nskb->len > dst_mtu(skb_dst(nskb)))
goto free_nskb;
nf_ct_attach(nskb, oldskb);
@@ -176,7 +175,7 @@ static void __exit delude_tg_exit(void)
module_init(delude_tg_init);
module_exit(delude_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_DESCRIPTION("Xtables: Close TCP connections after handshake");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DELUDE");

8
extensions/xt_DHCPMAC.Kconfig Normal file
View File

@@ -0,0 +1,8 @@
config NETFILTER_XT_DHCPMAC
tristate '"DHCPMAC" DHCP address matching and manipulation support'
depends on NETFILTER_XTABLES
depends on IP_NF_MANGLE || IP6_NF_MANGLE
---help---
The DHCPMAC extensions allows to match and change the MAC address in
a DHCP packet, so as to work around VMware's "inability" to use MAC
addresses from a vendor different than VMware at boot time.

50
extensions/xt_DHCPADDR.c → extensions/xt_DHCPMAC.c
View File

@@ -1,5 +1,5 @@
/*
* "DHCPADDR" extensions for Xtables
* "DHCPMAC" extensions for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
*
* This program is free software; you can redistribute it and/or
@@ -14,7 +14,7 @@
#include <linux/udp.h>
#include <net/ip.h>
#include <linux/netfilter/x_tables.h>
#include "xt_DHCPADDR.h"
#include "xt_DHCPMAC.h"
#include "compat_xtables.h"
struct dhcp_message {
@@ -69,9 +69,9 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh,
}
static bool
dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par)
dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct dhcpaddr_info *info = par->matchinfo;
const struct dhcpmac_info *info = par->matchinfo;
const struct dhcp_message *dh;
struct dhcp_message dhcpbuf;
@@ -89,9 +89,9 @@ dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par)
}
static unsigned int
dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par)
dhcpmac_tg(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct dhcpaddr_info *info = par->targinfo;
const struct dhcpmac_info *info = par->targinfo;
struct dhcp_message dhcpbuf, *dh;
struct udphdr udpbuf, *udph;
struct sk_buff *skb = *pskb;
@@ -122,52 +122,52 @@ dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par)
return XT_CONTINUE;
}
static struct xt_target dhcpaddr_tg_reg __read_mostly = {
.name = "DHCPADDR",
static struct xt_target dhcpmac_tg_reg __read_mostly = {
.name = "DHCPMAC",
.revision = 0,
.family = NFPROTO_IPV4,
.proto = IPPROTO_UDP,
.table = "mangle",
.target = dhcpaddr_tg,
.targetsize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.target = dhcpmac_tg,
.targetsize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.me = THIS_MODULE,
};
static struct xt_match dhcpaddr_mt_reg __read_mostly = {
.name = "dhcpaddr",
static struct xt_match dhcpmac_mt_reg __read_mostly = {
.name = "dhcpmac",
.revision = 0,
.family = NFPROTO_IPV4,
.proto = IPPROTO_UDP,
.match = dhcpaddr_mt,
.matchsize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
.match = dhcpmac_mt,
.matchsize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.me = THIS_MODULE,
};
static int __init dhcpaddr_init(void)
static int __init dhcpmac_init(void)
{
int ret;
ret = xt_register_target(&dhcpaddr_tg_reg);
ret = xt_register_target(&dhcpmac_tg_reg);
if (ret != 0)
return ret;
ret = xt_register_match(&dhcpaddr_mt_reg);
ret = xt_register_match(&dhcpmac_mt_reg);
if (ret != 0) {
xt_unregister_target(&dhcpaddr_tg_reg);
xt_unregister_target(&dhcpmac_tg_reg);
return ret;
}
return 0;
}
static void __exit dhcpaddr_exit(void)
static void __exit dhcpmac_exit(void)
{
xt_unregister_target(&dhcpaddr_tg_reg);
xt_unregister_match(&dhcpaddr_mt_reg);
xt_unregister_target(&dhcpmac_tg_reg);
xt_unregister_match(&dhcpmac_mt_reg);
}
module_init(dhcpaddr_init);
module_exit(dhcpaddr_exit);
module_init(dhcpmac_init);
module_exit(dhcpmac_exit);
MODULE_DESCRIPTION("Xtables: Clamp DHCP MAC to packet MAC addresses");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DHCPADDR");
MODULE_ALIAS("ipt_dhcpaddr");
MODULE_ALIAS("ipt_DHCPMAC");
MODULE_ALIAS("ipt_dhcpmac");

8
extensions/xt_DHCPADDR.h → extensions/xt_DHCPMAC.h
View File

@@ -1,12 +1,12 @@
#ifndef _LINUX_NETFILTER_XT_DHCPADDR_H
#define _LINUX_NETFILTER_XT_DHCPADDR_H 1
#ifndef _LINUX_NETFILTER_XT_DHCPMAC_H
#define _LINUX_NETFILTER_XT_DHCPMAC_H 1
#define DH_MAC_FMT "%02X:%02X:%02X:%02X:%02X:%02X"
#define DH_MAC_HEX(z) z[0], z[1], z[2], z[3], z[4], z[5]
struct dhcpaddr_info {
struct dhcpmac_info {
unsigned char addr[ETH_ALEN];
uint8_t mask, invert;
};
#endif /* _LINUX_NETFILTER_XT_DHCPADDR_H */
#endif /* _LINUX_NETFILTER_XT_DHCPMAC_H */

4
extensions/xt_IPMARK.c
View File

@@ -82,7 +82,7 @@ ipmark_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
static struct xt_target ipmark_tg_reg[] __read_mostly = {
{
.name = "IPMARK",
.revision = 0,
.revision = 1,
.family = NFPROTO_IPV4,
.table = "mangle",
.target = ipmark_tg4,
@@ -91,7 +91,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
},
{
.name = "IPMARK",
.revision = 0,
.revision = 1,
.family = NFPROTO_IPV6,
.table = "mangle",
.target = ipmark_tg6,

7
extensions/xt_LOGMARK.c
View File

@@ -38,9 +38,10 @@ logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
enum ip_conntrack_info ctinfo;
bool prev = false;
printk("<%u>%.*s""hook=%s nfmark=0x%x secmark=0x%x classify=0x%x",
printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
"secmark=0x%x classify=0x%x",
info->level, (unsigned int)sizeof(info->prefix), info->prefix,
hook_names[par->hooknum],
skb_ifindex(skb), hook_names[par->hooknum],
skb_nfmark(skb), skb_secmark(skb), skb->priority);
ct = nf_ct_get(skb, &ctinfo);
@@ -127,7 +128,7 @@ static void __exit logmark_tg_exit(void)
module_init(logmark_tg_init);
module_exit(logmark_tg_exit);
MODULE_DESCRIPTION("Xtables: netfilter mark logging to syslog");
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_LOGMARK");
MODULE_ALIAS("ip6t_LOGMARK");

8
extensions/xt_RAWNAT.Kconfig Normal file
View File

@@ -0,0 +1,8 @@
config NETFILTER_XT_TARGET_RAWNAT
tristate '"RAWNAT" raw address translation w/o conntrack'
depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
depends on IP_NF_RAW || IP_NF6_RAW
---help---
This option adds the RAWSNAT and RAWDNAT targets which can do Network
Address Translation (no port translation) without requiring Netfilter
connection tracking.

346
extensions/xt_RAWNAT.c Normal file
View File

@@ -0,0 +1,346 @@
/*
* "RAWNAT" target extension for Xtables - untracked NAT
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include "compat_xtables.h"
#include "xt_RAWNAT.h"
static inline __be32
remask(__be32 addr, __be32 repl, unsigned int shift)
{
uint32_t mask = (shift == 32) ? 0 : (~(uint32_t)0 >> shift);
return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
}
static void
rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
{
switch (mask) {
case 0:
break;
case 1 ... 31:
addr[0] = remask(addr[0], repl[0], mask);
break;
case 32:
addr[0] = repl[0];
break;
case 33 ... 63:
addr[0] = repl[0];
addr[1] = remask(addr[1], repl[1], mask - 64);
break;
case 64:
addr[0] = repl[0];
addr[1] = repl[1];
break;
case 65 ... 95:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = remask(addr[2], repl[2], mask - 96);
case 96:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
break;
case 97 ... 127:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
addr[3] = remask(addr[3], repl[3], mask - 128);
break;
case 128:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
addr[3] = repl[3];
break;
}
}
static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
{
struct iphdr *iph = ip_hdr(skb);
void *transport_hdr = (void *)iph + ip_hdrlen(skb);
struct tcphdr *tcph;
struct udphdr *udph;
bool cond;
switch (iph->protocol) {
case IPPROTO_TCP:
tcph = transport_hdr;
inet_proto_csum_replace4(&tcph->check, skb, oldip, newip, true);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
udph = transport_hdr;
cond = udph->check != 0;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
cond |= skb->ip_summed == CHECKSUM_PARTIAL;
#endif
if (cond) {
inet_proto_csum_replace4(&udph->check, skb,
oldip, newip, true);
if (udph->check == 0)
udph->check = CSUM_MANGLED_0;
}
break;
}
}
static unsigned int rawnat4_writable_part(const struct iphdr *iph)
{
unsigned int wlen = sizeof(*iph);
switch (iph->protocol) {
case IPPROTO_TCP:
wlen += sizeof(struct tcphdr);
break;
case IPPROTO_UDP:
wlen += sizeof(struct udphdr);
break;
}
return wlen;
}
static unsigned int
rawsnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
struct iphdr *iph;
__be32 new_addr;
iph = ip_hdr(*pskb);
new_addr = remask(iph->saddr, info->addr.ip, info->mask);
if (iph->saddr == new_addr)
return XT_CONTINUE;
if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
return NF_DROP;
iph = ip_hdr(*pskb);
csum_replace4(&iph->check, iph->saddr, new_addr);
rawnat4_update_l4(*pskb, iph->saddr, new_addr);
iph->saddr = new_addr;
return XT_CONTINUE;
}
static unsigned int
rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
struct iphdr *iph;
__be32 new_addr;
iph = ip_hdr(*pskb);
new_addr = remask(iph->daddr, info->addr.ip, info->mask);
if (iph->daddr == new_addr)
return XT_CONTINUE;
if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
return NF_DROP;
iph = ip_hdr(*pskb);
csum_replace4(&iph->check, iph->daddr, new_addr);
rawnat4_update_l4(*pskb, iph->daddr, new_addr);
iph->daddr = new_addr;
return XT_CONTINUE;
}
static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
unsigned int *l4proto)
{
static const unsigned int types[] =
{IPPROTO_TCP, IPPROTO_UDP, IPPROTO_UDPLITE};
unsigned int i;
int err;
*l4proto = NEXTHDR_MAX;
for (i = 0; i < ARRAY_SIZE(types); ++i) {
err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL);
if (err >= 0) {
*l4proto = types[i];
break;
}
if (err != -ENOENT)
return false;
}
switch (*l4proto) {
case IPPROTO_TCP:
if (!skb_make_writable(pskb, *l4offset + sizeof(struct tcphdr)))
return false;
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
if (!skb_make_writable(pskb, *l4offset + sizeof(struct udphdr)))
return false;
break;
}
return true;
}
static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
unsigned int l4offset, const struct in6_addr *oldip,
const struct in6_addr *newip)
{
const struct ipv6hdr *iph = ipv6_hdr(skb);
struct tcphdr *tcph;
struct udphdr *udph;
unsigned int i;
bool cond;
switch (l4proto) {
case IPPROTO_TCP:
tcph = (void *)iph + l4offset;
for (i = 0; i < 4; ++i)
inet_proto_csum_replace4(&tcph->check, skb,
oldip->s6_addr32[i], newip->s6_addr32[i], true);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
udph = (void *)iph + l4offset;
cond = udph->check;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
cond |= skb->ip_summed == CHECKSUM_PARTIAL;
#endif
if (cond) {
for (i = 0; i < 4; ++i)
inet_proto_csum_replace4(&udph->check, skb,
oldip->s6_addr32[i],
newip->s6_addr32[i], true);
if (udph->check == 0)
udph->check = CSUM_MANGLED_0;
}
break;
}
}
static unsigned int
rawsnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset, l4proto;
struct ipv6hdr *iph;
struct in6_addr new_addr;
iph = ipv6_hdr(*pskb);
memcpy(&new_addr, &iph->saddr, sizeof(new_addr));
rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
if (ipv6_addr_cmp(&iph->saddr, &new_addr) == 0)
return XT_CONTINUE;
if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
return NF_DROP;
iph = ipv6_hdr(*pskb);
rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->saddr, &new_addr);
memcpy(&iph->saddr, &new_addr, sizeof(new_addr));
return XT_CONTINUE;
}
static unsigned int
rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset, l4proto;
struct ipv6hdr *iph;
struct in6_addr new_addr;
iph = ipv6_hdr(*pskb);
memcpy(&new_addr, &iph->daddr, sizeof(new_addr));
rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
if (ipv6_addr_cmp(&iph->daddr, &new_addr) == 0)
return XT_CONTINUE;
if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
return NF_DROP;
iph = ipv6_hdr(*pskb);
rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->daddr, &new_addr);
memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
return XT_CONTINUE;
}
static bool rawnat_tg_check(const struct xt_tgchk_param *par)
{
if (strcmp(par->table, "raw") == 0 ||
strcmp(par->table, "rawpost") == 0)
return true;
printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or "
"\"rawpost\" table.\n");
return false;
}
static struct xt_target rawnat_tg_reg[] __read_mostly = {
{
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.target = rawsnat_tg4,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
{
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.target = rawsnat_tg6,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
{
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.target = rawdnat_tg4,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
{
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.target = rawdnat_tg6,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
};
static int __init rawnat_tg_init(void)
{
return xt_register_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
}
static void __exit rawnat_tg_exit(void)
{
xt_unregister_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
}
module_init(rawnat_tg_init);
module_exit(rawnat_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: conntrack-less raw NAT");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_RAWSNAT");
MODULE_ALIAS("ipt_RAWDNAT");
MODULE_ALIAS("ip6t_RAWSNAT");
MODULE_ALIAS("ip6t_RAWDNAT");

9
extensions/xt_RAWNAT.h Normal file
View File

@@ -0,0 +1,9 @@
#ifndef _LINUX_NETFILTER_XT_TARGET_RAWNAT
#define _LINUX_NETFILTER_XT_TARGET_RAWNAT 1
struct xt_rawnat_tginfo {
union nf_inet_addr addr;
__u8 mask;
};
#endif /* _LINUX_NETFILTER_XT_TARGET_RAWNAT */

Some files were not shown because too many files have changed in this diff Show More