authorThe Android Open Source Project <initial-contribution@android.com>2009-03-03 18:28:29 -0800
committerThe Android Open Source Project <initial-contribution@android.com>2009-03-03 18:28:29 -0800
commit11c93ca183254ad93f561b6b32419f7ee46266fd (patch)
tree4b825dc642cb6eb9a060e54bf8d69288fbee4904 /extensions
parent345d26d4f856734cb88897a97d014879fc04e006 (diff)
auto import from //depot/cupcake/@135843
Diffstat (limited to 'extensions')
-rw-r--r--extensions/.CLUSTERIP-test2
-rw-r--r--extensions/.NFLOG-test2
-rw-r--r--extensions/.NFLOG-test62
-rw-r--r--extensions/.REJECT-test64
-rw-r--r--extensions/.ah-test62
-rw-r--r--extensions/.condition-test3
-rw-r--r--extensions/.condition-test63
-rw-r--r--extensions/.connbytes-test2
-rw-r--r--extensions/.dccp-test3
-rw-r--r--extensions/.esp-test62
-rw-r--r--extensions/.frag-test62
-rw-r--r--extensions/.hashlimit-test63
-rw-r--r--extensions/.ipv6header-test62
-rw-r--r--extensions/.opts-test62
-rw-r--r--extensions/.quota-test3
-rw-r--r--extensions/.recent-test3
-rw-r--r--extensions/.rt-test62
-rw-r--r--extensions/.sctp-test63
-rw-r--r--extensions/.set-test2
-rw-r--r--extensions/.statistic-test2
-rw-r--r--extensions/.string-test2
-rw-r--r--extensions/Makefile.orig180
-rwxr-xr-xextensions/create_initext11
-rw-r--r--extensions/initext.c1
-rw-r--r--extensions/libip6t_2connmark.c151
-rw-r--r--extensions/libip6t_2hl.c149
-rw-r--r--extensions/libip6t_2mark.c142
-rw-r--r--extensions/libip6t_CONNMARK.c220
-rw-r--r--extensions/libip6t_CONNSECMARK.c124
-rw-r--r--extensions/libip6t_CONNSECMARK.man15
-rw-r--r--extensions/libip6t_HL.c166
-rw-r--r--extensions/libip6t_HL.man17
-rw-r--r--extensions/libip6t_LOG.c290
-rw-r--r--extensions/libip6t_LOG.man31
-rw-r--r--extensions/libip6t_MARK.c131
-rw-r--r--extensions/libip6t_MARK.man6
-rw-r--r--extensions/libip6t_NFLOG.c161
-rw-r--r--extensions/libip6t_NFQUEUE.c114
-rw-r--r--extensions/libip6t_NFQUEUE.man12
-rw-r--r--extensions/libip6t_REJECT.c170
-rw-r--r--extensions/libip6t_REJECT.man36
-rw-r--r--extensions/libip6t_SECMARK.c125
-rw-r--r--extensions/libip6t_SECMARK.man7
-rw-r--r--extensions/libip6t_TCPMSS.c134
-rw-r--r--extensions/libip6t_TCPMSS.man42
-rw-r--r--extensions/libip6t_ah.c227
-rw-r--r--extensions/libip6t_ah.man10
-rw-r--r--extensions/libip6t_condition.c106
-rw-r--r--extensions/libip6t_condition.man4
-rw-r--r--extensions/libip6t_dst.c269
-rw-r--r--extensions/libip6t_dst.man7
-rw-r--r--extensions/libip6t_esp.c185
-rw-r--r--extensions/libip6t_esp.man3
-rw-r--r--extensions/libip6t_eui64.c76
-rw-r--r--extensions/libip6t_eui64.man10
-rw-r--r--extensions/libip6t_frag.c272
-rw-r--r--extensions/libip6t_frag.man20
-rw-r--r--extensions/libip6t_hashlimit.c369
-rw-r--r--extensions/libip6t_hbh.c262
-rw-r--r--extensions/libip6t_hbh.man7
-rw-r--r--extensions/libip6t_hl.man10
-rw-r--r--extensions/libip6t_icmp6.c278
-rw-r--r--extensions/libip6t_icmp6.man14
-rw-r--r--extensions/libip6t_ipv6header.c316
-rw-r--r--extensions/libip6t_ipv6header.man29
-rw-r--r--extensions/libip6t_length.c152
-rw-r--r--extensions/libip6t_length.man4
-rw-r--r--extensions/libip6t_limit.c195
-rw-r--r--extensions/libip6t_limit.man15
-rw-r--r--extensions/libip6t_mac.c139
-rw-r--r--extensions/libip6t_mac.man10
-rw-r--r--extensions/libip6t_mark.man9
-rw-r--r--extensions/libip6t_multiport.c458
-rw-r--r--extensions/libip6t_multiport.man20
-rw-r--r--extensions/libip6t_owner.c248
-rw-r--r--extensions/libip6t_owner.man23
-rw-r--r--extensions/libip6t_physdev.c192
-rw-r--r--extensions/libip6t_physdev.man42
-rw-r--r--extensions/libip6t_policy.c478
-rw-r--r--extensions/libip6t_policy.man48
-rw-r--r--extensions/libip6t_rt.c362
-rw-r--r--extensions/libip6t_rt.man19
-rw-r--r--extensions/libip6t_sctp.c550
-rw-r--r--extensions/libip6t_standard.c66
-rw-r--r--extensions/libip6t_state.c163
-rw-r--r--extensions/libip6t_tcp.c416
-rw-r--r--extensions/libip6t_tcp.man45
-rw-r--r--extensions/libip6t_udp.c228
-rw-r--r--extensions/libip6t_udp.man14
-rw-r--r--extensions/libipt_2connmark.c151
-rw-r--r--extensions/libipt_2dscp.c172
-rw-r--r--extensions/libipt_2ecn.c171
-rw-r--r--extensions/libipt_2mark.c143
-rw-r--r--extensions/libipt_2set.c167
-rw-r--r--extensions/libipt_2tcpmss.c152
-rw-r--r--extensions/libipt_2tos.c172
-rw-r--r--extensions/libipt_2ttl.c172
-rw-r--r--extensions/libipt_CLASSIFY.c129
-rw-r--r--extensions/libipt_CLASSIFY.man4
-rw-r--r--extensions/libipt_CLUSTERIP.c268
-rw-r--r--extensions/libipt_CLUSTERIP.man24
-rw-r--r--extensions/libipt_CONNMARK.c220
-rw-r--r--extensions/libipt_CONNMARK.man15
-rw-r--r--extensions/libipt_CONNSECMARK.c126
-rw-r--r--extensions/libipt_CONNSECMARK.man15
-rw-r--r--extensions/libipt_DNAT.c250
-rw-r--r--extensions/libipt_DNAT.man31
-rw-r--r--extensions/libipt_DSCP.c164
-rw-r--r--extensions/libipt_DSCP.man9
-rw-r--r--extensions/libipt_ECN.c185
-rw-r--r--extensions/libipt_ECN.man7
-rw-r--r--extensions/libipt_LOG.c290
-rw-r--r--extensions/libipt_LOG.man31
-rw-r--r--extensions/libipt_MARK.c243
-rw-r--r--extensions/libipt_MARK.man13
-rw-r--r--extensions/libipt_MASQUERADE.c166
-rw-r--r--extensions/libipt_MASQUERADE.man22
-rw-r--r--extensions/libipt_MIRROR.c62
-rw-r--r--extensions/libipt_MIRROR.man12
-rw-r--r--extensions/libipt_NETMAP.c200
-rw-r--r--extensions/libipt_NETMAP.man9
-rw-r--r--extensions/libipt_NFLOG.c161
-rw-r--r--extensions/libipt_NFQUEUE.c114
-rw-r--r--extensions/libipt_NFQUEUE.man12
-rw-r--r--extensions/libipt_NOTRACK.c63
-rw-r--r--extensions/libipt_NOTRACK.man5
-rw-r--r--extensions/libipt_REDIRECT.c171
-rw-r--r--extensions/libipt_REDIRECT.man19
-rw-r--r--extensions/libipt_REJECT.c189
-rw-r--r--extensions/libipt_REJECT.man34
-rw-r--r--extensions/libipt_SAME.c208
-rw-r--r--extensions/libipt_SAME.man11
-rw-r--r--extensions/libipt_SECMARK.c125
-rw-r--r--extensions/libipt_SECMARK.man7
-rw-r--r--extensions/libipt_SET.c180
-rw-r--r--extensions/libipt_SET.man16
-rw-r--r--extensions/libipt_SNAT.c250
-rw-r--r--extensions/libipt_SNAT.man28
-rw-r--r--extensions/libipt_TCPMSS.c134
-rw-r--r--extensions/libipt_TCPMSS.man41
-rw-r--r--extensions/libipt_TOS.c174
-rw-r--r--extensions/libipt_TOS.man11
-rw-r--r--extensions/libipt_TTL.c166
-rw-r--r--extensions/libipt_TTL.man19
-rw-r--r--extensions/libipt_ULOG.c237
-rw-r--r--extensions/libipt_ULOG.man27
-rw-r--r--extensions/libipt_addrtype.c207
-rw-r--r--extensions/libipt_addrtype.man37
-rw-r--r--extensions/libipt_ah.c190
-rw-r--r--extensions/libipt_ah.man3
-rw-r--r--extensions/libipt_comment.c119
-rw-r--r--extensions/libipt_comment.man6
-rw-r--r--extensions/libipt_condition.c106
-rw-r--r--extensions/libipt_condition.man4
-rw-r--r--extensions/libipt_connbytes.c205
-rw-r--r--extensions/libipt_connbytes.man30
-rw-r--r--extensions/libipt_connmark.man9
-rw-r--r--extensions/libipt_connrate.c179
-rw-r--r--extensions/libipt_connrate.man6
-rw-r--r--extensions/libipt_conntrack.c550
-rw-r--r--extensions/libipt_conntrack.man49
-rw-r--r--extensions/libipt_dccp.c374
-rw-r--r--extensions/libipt_dccp.man12
-rw-r--r--extensions/libipt_dscp.man10
-rw-r--r--extensions/libipt_dscp_helper.c82
-rw-r--r--extensions/libipt_ecn.man11
-rw-r--r--extensions/libipt_esp.c193
-rw-r--r--extensions/libipt_esp.man3
-rw-r--r--extensions/libipt_hashlimit.c369
-rw-r--r--extensions/libipt_hashlimit.man35
-rw-r--r--extensions/libipt_helper.c101
-rw-r--r--extensions/libipt_helper.man11
-rw-r--r--extensions/libipt_icmp.c307
-rw-r--r--extensions/libipt_icmp.man9
-rw-r--r--extensions/libipt_iprange.c184
-rw-r--r--extensions/libipt_iprange.man7
-rw-r--r--extensions/libipt_length.c151
-rw-r--r--extensions/libipt_length.man4
-rw-r--r--extensions/libipt_limit.c196
-rw-r--r--extensions/libipt_limit.man15
-rw-r--r--extensions/libipt_mac.c140
-rw-r--r--extensions/libipt_mac.man10
-rw-r--r--extensions/libipt_mark.man9
-rw-r--r--extensions/libipt_multiport.c468
-rw-r--r--extensions/libipt_multiport.man20
-rw-r--r--extensions/libipt_owner.c250
-rw-r--r--extensions/libipt_owner.man28
-rw-r--r--extensions/libipt_physdev.c193
-rw-r--r--extensions/libipt_physdev.man42
-rw-r--r--extensions/libipt_pkttype.c167
-rw-r--r--extensions/libipt_pkttype.man3
-rw-r--r--extensions/libipt_policy.c436
-rw-r--r--extensions/libipt_policy.man48
-rw-r--r--extensions/libipt_quota.c107
-rw-r--r--extensions/libipt_quota.man7
-rw-r--r--extensions/libipt_realm.c272
-rw-r--r--extensions/libipt_realm.man7
-rw-r--r--extensions/libipt_recent.c240
-rw-r--r--extensions/libipt_recent.man93
-rw-r--r--extensions/libipt_sctp.c551
-rw-r--r--extensions/libipt_sctp.man28
-rw-r--r--extensions/libipt_set.h104
-rw-r--r--extensions/libipt_set.man17
-rw-r--r--extensions/libipt_standard.c69
-rw-r--r--extensions/libipt_state.c163
-rw-r--r--extensions/libipt_state.man21
-rw-r--r--extensions/libipt_statistic.c175
-rw-r--r--extensions/libipt_string.c354
-rw-r--r--extensions/libipt_string.man15
-rw-r--r--extensions/libipt_tcp.c417
-rw-r--r--extensions/libipt_tcp.man45
-rw-r--r--extensions/libipt_tcpmss.man4
-rw-r--r--extensions/libipt_tos.man9
-rw-r--r--extensions/libipt_ttl.man10
-rw-r--r--extensions/libipt_udp.c231
-rw-r--r--extensions/libipt_udp.man14
-rw-r--r--extensions/libipt_unclean.c54
-rw-r--r--extensions/libipt_unclean.man2
-rwxr-xr-xextensions/rename-dups.sh17
219 files changed, 0 insertions, 23667 deletions
diff --git a/extensions/.CLUSTERIP-test b/extensions/.CLUSTERIP-test
deleted file mode 100644
index 6d0017a..0000000
--- a/extensions/.CLUSTERIP-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_CLUSTERIP.c ] && echo CLUSTERIP
diff --git a/extensions/.NFLOG-test b/extensions/.NFLOG-test
deleted file mode 100644
index 25f0dee..0000000
--- a/extensions/.NFLOG-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter/xt_NFLOG.h ] && echo NFLOG
diff --git a/extensions/.NFLOG-test6 b/extensions/.NFLOG-test6
deleted file mode 100644
index 25f0dee..0000000
--- a/extensions/.NFLOG-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter/xt_NFLOG.h ] && echo NFLOG
diff --git a/extensions/.REJECT-test6 b/extensions/.REJECT-test6
deleted file mode 100644
index 1f09694..0000000
--- a/extensions/.REJECT-test6
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-FILE=$KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_REJECT.h
-# True if REJECT is applied.
-[ -f $FILE ] && grep IP6T_ICMP6_NO_ROUTE 2>&1 >/dev/null $FILE && echo REJECT
diff --git a/extensions/.ah-test6 b/extensions/.ah-test6
deleted file mode 100644
index 1812c56..0000000
--- a/extensions/.ah-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_ah.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ah.h ] && echo ah
diff --git a/extensions/.condition-test b/extensions/.condition-test
deleted file mode 100644
index 20f3bc7..0000000
--- a/extensions/.condition-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if condition is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition
diff --git a/extensions/.condition-test6 b/extensions/.condition-test6
deleted file mode 100644
index f4af61f..0000000
--- a/extensions/.condition-test6
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if condition6 is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] && echo condition
diff --git a/extensions/.connbytes-test b/extensions/.connbytes-test
deleted file mode 100644
index 61355d0..0000000
--- a/extensions/.connbytes-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connbytes.h ] && echo connbytes
diff --git a/extensions/.dccp-test b/extensions/.dccp-test
deleted file mode 100644
index 5b67527..0000000
--- a/extensions/.dccp-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if dccp is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_dccp.h ] && echo dccp
diff --git a/extensions/.esp-test6 b/extensions/.esp-test6
deleted file mode 100644
index 7ded945..0000000
--- a/extensions/.esp-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_esp.h ] && echo esp
diff --git a/extensions/.frag-test6 b/extensions/.frag-test6
deleted file mode 100644
index ff3650d..0000000
--- a/extensions/.frag-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_frag.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_frag.h ] && echo frag
diff --git a/extensions/.hashlimit-test6 b/extensions/.hashlimit-test6
deleted file mode 100644
index 9a2a465..0000000
--- a/extensions/.hashlimit-test6
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter/xt_hashlimit.h ] && echo hashlimit
-
diff --git a/extensions/.ipv6header-test6 b/extensions/.ipv6header-test6
deleted file mode 100644
index 47f6f06..0000000
--- a/extensions/.ipv6header-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_ipv6header.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ipv6header.h ] && echo ipv6header
diff --git a/extensions/.opts-test6 b/extensions/.opts-test6
deleted file mode 100644
index 1ed2013..0000000
--- a/extensions/.opts-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_hbh.c -a -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_dst.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_opts.h ] && echo hbh dst
diff --git a/extensions/.quota-test b/extensions/.quota-test
deleted file mode 100644
index b21058c..0000000
--- a/extensions/.quota-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter/xt_quota.h ] && echo quota
-
diff --git a/extensions/.recent-test b/extensions/.recent-test
deleted file mode 100644
index 2a47fc9..0000000
--- a/extensions/.recent-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if recent match patch is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_recent.h ] && echo recent
diff --git a/extensions/.rt-test6 b/extensions/.rt-test6
deleted file mode 100644
index e8d5855..0000000
--- a/extensions/.rt-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_rt.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_rt.h ] && echo rt
diff --git a/extensions/.sctp-test6 b/extensions/.sctp-test6
deleted file mode 100644
index 3cfc7b8..0000000
--- a/extensions/.sctp-test6
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter/xt_sctp.h ] && echo sctp
-
diff --git a/extensions/.set-test b/extensions/.set-test
deleted file mode 100644
index 700a73c..0000000
--- a/extensions/.set-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ip_set.h ] && echo set SET
diff --git a/extensions/.statistic-test b/extensions/.statistic-test
deleted file mode 100644
index 843cb41..0000000
--- a/extensions/.statistic-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/net/netfilter/xt_statistic.c -a -f $KERNEL_DIR/include/linux/netfilter/xt_statistic.h ] && echo statistic
diff --git a/extensions/.string-test b/extensions/.string-test
deleted file mode 100644
index 609f1c2..0000000
--- a/extensions/.string-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_string.h ] && echo string
diff --git a/extensions/Makefile.orig b/extensions/Makefile.orig
deleted file mode 100644
index 8baafee..0000000
--- a/extensions/Makefile.orig
+++ /dev/null
@@ -1,180 +0,0 @@
-#! /usr/bin/make
-
-# WARNING:
-# only add extensions here that are either present in the kernel, or whose
-# header files are present in the include/linux directory of this iptables
-# package (HW)
-#
-PF_EXT_SLIB:=ah addrtype comment connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TCPMSS TOS TTL ULOG
-PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK
-
-ifeq ($(DO_SELINUX), 1)
-PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
-PF6_EXT_SE_SLIB:=SECMARK CONNSECMARK
-endif
-
-# Optionals
-PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
-PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
-
-PF_EXT_ALL_SLIB:=$(patsubst extensions/libipt_%.c, %, $(wildcard extensions/libipt_*.c))
-PF6_EXT_ALL_SLIB:=$(patsubst extensions/libip6t_%.c, %, $(wildcard extensions/libip6t_*.c))
-
-PF_EXT_MAN_ALL_MATCHES:=$(foreach T,$(PF_EXT_ALL_SLIB),$(shell test -f extensions/libipt_$(T).man && grep -q register_match extensions/libipt_$(T).c && echo $(T)))
-PF_EXT_MAN_ALL_TARGETS:=$(foreach T,$(PF_EXT_ALL_SLIB),$(shell test -f extensions/libipt_$(T).man && grep -q register_target extensions/libipt_$(T).c && echo $(T)))
-PF6_EXT_MAN_ALL_MATCHES:=$(foreach T,$(PF6_EXT_ALL_SLIB),$(shell test -f extensions/libip6t_$(T).man && grep -q register_match6 extensions/libip6t_$(T).c && echo $(T)))
-PF6_EXT_MAN_ALL_TARGETS:=$(foreach T,$(PF6_EXT_ALL_SLIB),$(shell test -f extensions/libip6t_$(T).man && grep -q register_target6 extensions/libip6t_$(T).c && echo $(T)))
-
-PF_EXT_MAN_MATCHES:=$(filter $(PF_EXT_ALL_SLIB), $(PF_EXT_MAN_ALL_MATCHES))
-PF_EXT_MAN_TARGETS:=$(filter $(PF_EXT_ALL_SLIB), $(PF_EXT_MAN_ALL_TARGETS))
-PF_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PF_EXT_MAN_MATCHES), $(PF_EXT_MAN_ALL_MATCHES))
-PF_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PF_EXT_MAN_TARGETS), $(PF_EXT_MAN_ALL_TARGETS))
-PF6_EXT_MAN_MATCHES:=$(filter $(PF6_EXT_ALL_SLIB), $(PF6_EXT_MAN_ALL_MATCHES))
-PF6_EXT_MAN_TARGETS:=$(filter $(PF6_EXT_ALL_SLIB), $(PF6_EXT_MAN_ALL_TARGETS))
-PF6_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PF6_EXT_MAN_MATCHES), $(PF6_EXT_MAN_ALL_MATCHES))
-PF6_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PF6_EXT_MAN_TARGETS), $(PF6_EXT_MAN_ALL_TARGETS))
-
-
-allman:
- @echo ALL_SLIB: $(PF_EXT_ALL_SLIB)
- @echo ALL_MATCH: $(PF_EXT_MAN_ALL_MATCHES)
- @echo ALL_TARGET: $(PF_EXT_MAN_ALL_TARGETS)
-
-PF_EXT_SLIB+=$(PF_EXT_SLIB_OPTS)
-PF6_EXT_SLIB+=$(PF6_EXT_SLIB_OPTS)
-
-OPTIONALS+=$(patsubst %,IPv4:%,$(PF_EXT_SLIB_OPTS))
-OPTIONALS+=$(patsubst %,IPv6:%,$(PF6_EXT_SLIB_OPTS))
-
-ifndef NO_SHARED_LIBS
-SHARED_LIBS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).so)
-SHARED_SE_LIBS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SE_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so)
-
-ifeq ($(DO_IPV6), 1)
-SHARED_LIBS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).so)
-SHARED_SE_LIBS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libip6t_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SE_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libip6t_$(T).so)
-endif
-else # NO_SHARED_LIBS
-EXT_OBJS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).o)
-EXT_OBJS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).o)
-EXT_FUNC+=$(foreach T,$(PF_EXT_SLIB),ipt_$(T))
-EXT_FUNC+=$(foreach T,$(PF_EXT_SE_SLIB),ipt_$(T))
-EXT_OBJS+= extensions/initext.o
-ifeq ($(DO_IPV6), 1)
-EXT6_OBJS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).o)
-EXT6_OBJS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).o)
-EXT6_FUNC+=$(foreach T,$(PF6_EXT_SLIB),ip6t_$(T))
-EXT6_FUNC+=$(foreach T,$(PF6_EXT_SE_SLIB),ip6t_$(T))
-EXT6_OBJS+= extensions/initext6.o
-endif # DO_IPV6
-endif # NO_SHARED_LIBS
-
-ifndef TOPLEVEL_INCLUDED
-local:
- cd .. && $(MAKE) $(SHARED_LIBS) $(SHARED_SE_LIBS)
-endif
-
-ifdef NO_SHARED_LIBS
-extensions/libext.a: $(EXT_OBJS)
- rm -f $@; ar crv $@ $(EXT_OBJS)
-
-extensions/libext6.a: $(EXT6_OBJS)
- rm -f $@; ar crv $@ $(EXT6_OBJS)
-
-extensions/initext.o: extensions/initext.c
-extensions/initext6.o: extensions/initext6.c
-
-extensions/initext.c: extensions/Makefile
- echo "" > $@
- for i in $(EXT_FUNC); do \
- echo "extern void $${i}_init(void);" >> $@; \
- done
- echo "void init_extensions(void) {" >> $@
- for i in $(EXT_FUNC); do \
- echo " $${i}_init();" >> $@; \
- done
- echo "}" >> $@
-
-extensions/initext6.c: extensions/Makefile
- echo "" > $@
- for i in $(EXT6_FUNC); do \
- echo "extern void $${i}_init(void);" >> $@; \
- done
- echo "void init_extensions(void) {" >> $@
- for i in $(EXT6_FUNC); do \
- echo " $${i}_init();" >> $@; \
- done
- echo "}" >> $@
-
-extensions/lib%.o: extensions/lib%.c
- $(CC) $(CFLAGS) -D_INIT=$*_init -c -o $@ $<
-
-endif
-
-EXTRAS += extensions/libipt_targets.man
-extensions/libipt_targets.man: $(patsubst %,extensions/libipt_%.man,$(PF_EXT_MAN_ALL_TARGETS))
- @for ext in $(PF_EXT_MAN_TARGETS); do \
- echo ".SS $$ext" ;\
- cat extensions/libipt_$$ext.man ;\
- done >extensions/libipt_targets.man
- @if [ -n "$(PF_EXT_MAN_EXTRA_TARGETS)" ]; then \
- extra=$(PF_EXT_MAN_EXTRA_TARGETS) ;\
- for ext in $${extra:-""}; do \
- echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
- cat extensions/libipt_$$ext.man ;\
- done ;\
- fi >>extensions/libipt_targets.man
-
-EXTRAS += extensions/libipt_matches.man
-extensions/libipt_matches.man: $(patsubst %,extensions/libipt_%.man,$(PF_EXT_MAN_ALL_MATCHES))
- @for ext in $(PF_EXT_MAN_MATCHES); do \
- echo ".SS $$ext" ;\
- cat extensions/libipt_$$ext.man ;\
- done >extensions/libipt_matches.man
- @if [ -n "$(PF_EXT_MAN_EXTRA_MATCHES)" ]; then \
- extra=$(PF_EXT_MAN_EXTRA_MATCHES) ;\
- for ext in $${extra:-""}; do \
- echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
- cat extensions/libipt_$$ext.man ;\
- done ;\
- fi >>extensions/libipt_matches.man
-
-EXTRAS += extensions/libip6t_targets.man
-extensions/libip6t_targets.man: $(patsubst %, extensions/libip6t_%.man, $(PF6_EXT_MAN_ALL_TARGETS))
- @for ext in $(PF6_EXT_MAN_TARGETS); do \
- echo ".SS $$ext" ;\
- cat extensions/libip6t_$$ext.man ;\
- done >extensions/libip6t_targets.man
- @if [ -n "$(PF6_EXT_MAN_EXTRA_TARGETS)" ]; then \
- extra=$(PF6_EXT_MAN_EXTRA_TARGETS) ;\
- for ext in $${extra:-""}; do \
- echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
- cat extensions/libip6t_$$ext.man ;\
- done ;\
- fi >>extensions/libip6t_targets.man
-
-EXTRAS += extensions/libip6t_matches.man
-extensions/libip6t_matches.man: $(patsubst %, extensions/libip6t_%.man, $(PF6_EXT_MAN_ALL_MATCHES))
- @for ext in $(PF6_EXT_MAN_MATCHES); do \
- echo ".SS $$ext" ;\
- cat extensions/libip6t_$$ext.man ;\
- done >extensions/libip6t_matches.man
- @if [ -n "$(PF6_EXT_MAN_EXTRA_MATCHES)" ]; then \
- extra=$(PF6_EXT_MAN_EXTRA_MATCHES) ;\
- for ext in $${extra:-""}; do \
- echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
- cat extensions/libip6t_$$ext.man ;\
- done ;\
- fi >>extensions/libip6t_matches.man
-
-$(DESTDIR)$(LIBDIR)/iptables/libipt_%.so: extensions/libipt_%.so
- @[ -d $(DESTDIR)$(LIBDIR)/iptables ] || mkdir -p $(DESTDIR)$(LIBDIR)/iptables
- cp $< $@
-
-$(DESTDIR)$(LIBDIR)/iptables/libip6t_%.so: extensions/libip6t_%.so
- @[ -d $(DESTDIR)$(LIBDIR)/iptables ] || mkdir -p $(DESTDIR)$(LIBDIR)/iptables
- cp $< $@
diff --git a/extensions/create_initext b/extensions/create_initext
deleted file mode 100755
index 33cab75..0000000
--- a/extensions/create_initext
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-echo ""
-for i in $1; do
- echo "extern void ${i}_init(void);";
-done;
-echo "void init_extensions(void) {"
-for i in $1; do
- echo " ${i}_init();";
-done
-echo "}"
-
diff --git a/extensions/initext.c b/extensions/initext.c
deleted file mode 100644
index 52304a7..0000000
--- a/extensions/initext.c
+++ /dev/null
@@ -1 +0,0 @@
-#include "gen_initext.c"
diff --git a/extensions/libip6t_2connmark.c b/extensions/libip6t_2connmark.c
deleted file mode 100644
index 609c8e9..0000000
--- a/extensions/libip6t_2connmark.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/* Shared library add-on to iptables to add connmark matching support.
- *
- * (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * Version 1.1
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include "../include/linux/netfilter_ipv4/ipt_2connmark.h"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"CONNMARK match v%s options:\n"
-"[!] --mark value[/mask] Match nfmark value with optional mask\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "mark", 1, 0, '1' },
- {0}
-};
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- /* Can't cache this. */
- *nfcache |= NFC_UNKNOWN;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ipt_connmark_info *markinfo = (struct ipt_connmark_info *)(*match)->data;
-
- switch (c) {
- char *end;
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- markinfo->mark = strtoul(optarg, &end, 0);
- markinfo->mask = 0xffffffffUL;
-
- if (*end == '/')
- markinfo->mask = strtoul(end+1, &end, 0);
-
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
- if (invert)
- markinfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_mark(unsigned long mark, unsigned long mask, int numeric)
-{
- if(mask != 0xffffffffUL)
- printf("0x%lx/0x%lx ", mark, mask);
- else
- printf("0x%lx ", mark);
-}
-
-/* Final check; must have specified --mark. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "MARK match: You must specify `--mark'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- struct ipt_connmark_info *info = (struct ipt_connmark_info *)match->data;
-
- printf("CONNMARK match ");
- if (info->invert)
- printf("!");
- print_mark(info->mark, info->mask, numeric);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- struct ipt_connmark_info *info = (struct ipt_connmark_info *)match->data;
-
- if (info->invert)
- printf("! ");
-
- printf("--mark ");
- print_mark(info->mark, info->mask, 0);
-}
-
-static struct ip6tables_match connmark_match = {
- .name = "connmark",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ipt_connmark_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ipt_connmark_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match6(&connmark_match);
-}
diff --git a/extensions/libip6t_2hl.c b/extensions/libip6t_2hl.c
deleted file mode 100644
index 208da33..0000000
--- a/extensions/libip6t_2hl.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * IPv6 Hop Limit matching module
- * Maciej Soltysiak <solt@dns.toxicfilms.tv>
- * Based on HW's ttl match
- * This program is released under the terms of GNU GPL
- * Cleanups by Stephane Ouellette <ouellettes@videotron.ca>
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <ip6tables.h>
-
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_hl.h>
-
-static void help(void)
-{
- printf(
-"HL match v%s options:\n"
-" --hl-eq [!] value Match hop limit value\n"
-" --hl-lt value Match HL < value\n"
-" --hl-gt value Match HL > value\n"
-, IPTABLES_VERSION);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry, unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_hl_info *info = (struct ip6t_hl_info *) (*match)->data;
- u_int8_t value;
-
- check_inverse(optarg, &invert, &optind, 0);
- value = atoi(argv[optind-1]);
-
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify HL option twice");
-
- if (!optarg)
- exit_error(PARAMETER_PROBLEM,
- "hl: You must specify a value");
- switch (c) {
- case '2':
- if (invert)
- info->mode = IP6T_HL_NE;
- else
- info->mode = IP6T_HL_EQ;
-
- /* is 0 allowed? */
- info->hop_limit = value;
- *flags = 1;
-
- break;
- case '3':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "hl: unexpected `!'");
-
- info->mode = IP6T_HL_LT;
- info->hop_limit = value;
- *flags = 1;
-
- break;
- case '4':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "hl: unexpected `!'");
-
- info->mode = IP6T_HL_GT;
- info->hop_limit = value;
- *flags = 1;
-
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "HL match: You must specify one of "
- "`--hl-eq', `--hl-lt', `--hl-gt'");
-}
-
-static void print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- static const char *op[] = {
- [IP6T_HL_EQ] = "==",
- [IP6T_HL_NE] = "!=",
- [IP6T_HL_LT] = "<",
- [IP6T_HL_GT] = ">" };
-
- const struct ip6t_hl_info *info =
- (struct ip6t_hl_info *) match->data;
-
- printf("HL match HL %s %u ", op[info->mode], info->hop_limit);
-}
-
-static void save(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match)
-{
- static const char *op[] = {
- [IP6T_HL_EQ] = "eq",
- [IP6T_HL_NE] = "eq !",
- [IP6T_HL_LT] = "lt",
- [IP6T_HL_GT] = "gt" };
-
- const struct ip6t_hl_info *info =
- (struct ip6t_hl_info *) match->data;
-
- printf("--hl-%s %u ", op[info->mode], info->hop_limit);
-}
-
-static struct option opts[] = {
- { .name = "hl", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "hl-eq", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "hl-lt", .has_arg = 1, .flag = 0, .val = '3' },
- { .name = "hl-gt", .has_arg = 1, .flag = 0, .val = '4' },
- { 0 }
-};
-
-static
-struct ip6tables_match hl = {
- .name = "hl",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-
-void _init(void)
-{
- register_match6(&hl);
-}
diff --git a/extensions/libip6t_2mark.c b/extensions/libip6t_2mark.c
deleted file mode 100644
index b831cfe..0000000
--- a/extensions/libip6t_2mark.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/* Shared library add-on to ip6tables to add NFMARK matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv6/ip6t_mark.h"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"MARK match v%s options:\n"
-"[!] --mark value[/mask] Match nfmark value with optional mask\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "mark", 1, 0, '1' },
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_mark_info *markinfo = (struct ip6t_mark_info *)(*match)->data;
-
- switch (c) {
- char *end;
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-#ifdef KERNEL_64_USERSPACE_32
- markinfo->mark = strtoull(optarg, &end, 0);
- if (*end == '/') {
- markinfo->mask = strtoull(end+1, &end, 0);
- } else
- markinfo->mask = 0xffffffffffffffffULL;
-#else
- markinfo->mark = strtoul(optarg, &end, 0);
- if (*end == '/') {
- markinfo->mask = strtoul(end+1, &end, 0);
- } else
- markinfo->mask = 0xffffffff;
-#endif
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
- if (invert)
- markinfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-#ifdef KERNEL_64_USERSPACE_32
-static void
-print_mark(unsigned long long mark, unsigned long long mask, int numeric)
-{
- if(mask != 0xffffffffffffffffULL)
- printf("0x%llx/0x%llx ", mark, mask);
- else
- printf("0x%llx ", mark);
-}
-#else
-static void
-print_mark(unsigned long mark, unsigned long mask, int numeric)
-{
- if(mask != 0xffffffff)
- printf("0x%lx/0x%lx ", mark, mask);
- else
- printf("0x%lx ", mark);
-}
-#endif
-
-/* Final check; must have specified --mark. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "MARK match: You must specify `--mark'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- struct ip6t_mark_info *info = (struct ip6t_mark_info *)match->data;
-
- printf("MARK match ");
-
- if (info->invert)
- printf("!");
-
- print_mark(info->mark, info->mask, numeric);
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- struct ip6t_mark_info *info = (struct ip6t_mark_info *)match->data;
-
- if (info->invert)
- printf("! ");
-
- printf("--mark ");
- print_mark(info->mark, info->mask, 0);
-}
-
-static struct ip6tables_match mark = {
- .name = "mark",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_mark_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_mark_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&mark);
-}
diff --git a/extensions/libip6t_CONNMARK.c b/extensions/libip6t_CONNMARK.c
deleted file mode 100644
index 9506f26..0000000
--- a/extensions/libip6t_CONNMARK.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/* Shared library add-on to iptables to add CONNMARK target support.
- *
- * (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * Version 1.1
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include "../include/linux/netfilter_ipv4/ipt_CONNMARK.h"
-
-#if 0
-struct markinfo {
- struct ipt_entry_target t;
- struct ipt_connmark_target_info mark;
-};
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"CONNMARK target v%s options:\n"
-" --set-mark value[/mask] Set conntrack mark value\n"
-" --save-mark [--mask mask] Save the packet nfmark in the connection\n"
-" --restore-mark [--mask mask] Restore saved nfmark value\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "set-mark", 1, 0, '1' },
- { "save-mark", 0, 0, '2' },
- { "restore-mark", 0, 0, '3' },
- { "mask", 1, 0, '4' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- struct ipt_connmark_target_info *markinfo
- = (struct ipt_connmark_target_info *)(*target)->data;
-
- markinfo->mask = 0xffffffffUL;
-
- switch (c) {
- char *end;
- case '1':
- markinfo->mode = IPT_CONNMARK_SET;
-
- markinfo->mark = strtoul(optarg, &end, 0);
- if (*end == '/' && end[1] != '\0')
- markinfo->mask = strtoul(end+1, &end, 0);
-
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --set-mark twice");
- *flags = 1;
- break;
- case '2':
- markinfo->mode = IPT_CONNMARK_SAVE;
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --save-mark twice");
- *flags = 1;
- break;
- case '3':
- markinfo->mode = IPT_CONNMARK_RESTORE;
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --restore-mark twice");
- *flags = 1;
- break;
- case '4':
- if (!*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --mask without a operation");
- markinfo->mask = strtoul(optarg, &end, 0);
-
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MASK value `%s'", optarg);
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: No operation specified");
-}
-
-static void
-print_mark(unsigned long mark)
-{
- printf("0x%lx", mark);
-}
-
-static void
-print_mask(const char *text, unsigned long mask)
-{
- if (mask != 0xffffffffUL)
- printf("%s0x%lx", text, mask);
-}
-
-
-/* Prints out the target info. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target,
- int numeric)
-{
- const struct ipt_connmark_target_info *markinfo =
- (const struct ipt_connmark_target_info *)target->data;
- switch (markinfo->mode) {
- case IPT_CONNMARK_SET:
- printf("CONNMARK set ");
- print_mark(markinfo->mark);
- print_mask("/", markinfo->mask);
- printf(" ");
- break;
- case IPT_CONNMARK_SAVE:
- printf("CONNMARK save ");
- print_mask("mask ", markinfo->mask);
- printf(" ");
- break;
- case IPT_CONNMARK_RESTORE:
- printf("CONNMARK restore ");
- print_mask("mask ", markinfo->mask);
- break;
- default:
- printf("ERROR: UNKNOWN CONNMARK MODE ");
- break;
- }
-}
-
-/* Saves the target into in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
-{
- const struct ipt_connmark_target_info *markinfo =
- (const struct ipt_connmark_target_info *)target->data;
-
- switch (markinfo->mode) {
- case IPT_CONNMARK_SET:
- printf("--set-mark ");
- print_mark(markinfo->mark);
- print_mask("/", markinfo->mask);
- printf(" ");
- break;
- case IPT_CONNMARK_SAVE:
- printf("--save-mark ");
- print_mask("--mask ", markinfo->mask);
- break;
- case IPT_CONNMARK_RESTORE:
- printf("--restore-mark ");
- print_mask("--mask ", markinfo->mask);
- break;
- default:
- printf("ERROR: UNKNOWN CONNMARK MODE ");
- break;
- }
-}
-
-static struct ip6tables_target connmark_target = {
- .name = "CONNMARK",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ipt_connmark_target_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ipt_connmark_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&connmark_target);
-}
diff --git a/extensions/libip6t_CONNSECMARK.c b/extensions/libip6t_CONNSECMARK.c
deleted file mode 100644
index b11ed07..0000000
--- a/extensions/libip6t_CONNSECMARK.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Shared library add-on to ip6tables to add CONNSECMARK target support.
- *
- * Based on the MARK and CONNMARK targets.
- *
- * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter/xt_CONNSECMARK.h>
-
-#define PFX "CONNSECMARK target: "
-
-static void help(void)
-{
- printf(
-"CONNSECMARK target v%s options:\n"
-" --save Copy security mark from packet to conntrack\n"
-" --restore Copy security mark from connection to packet\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "save", 0, 0, '1' },
- { "restore", 0, 0, '2' },
- { 0 }
-};
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry, struct ip6t_entry_target **target)
-{
- struct xt_connsecmark_target_info *info =
- (struct xt_connsecmark_target_info*)(*target)->data;
-
- switch (c) {
- case '1':
- if (*flags & CONNSECMARK_SAVE)
- exit_error(PARAMETER_PROBLEM, PFX
- "Can't specify --save twice");
- info->mode = CONNSECMARK_SAVE;
- *flags |= CONNSECMARK_SAVE;
- break;
-
- case '2':
- if (*flags & CONNSECMARK_RESTORE)
- exit_error(PARAMETER_PROBLEM, PFX
- "Can't specify --restore twice");
- info->mode = CONNSECMARK_RESTORE;
- *flags |= CONNSECMARK_RESTORE;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, PFX "parameter required");
-
- if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE))
- exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save "
- "or --restore is allowed");
-}
-
-static void print_connsecmark(struct xt_connsecmark_target_info *info)
-{
- switch (info->mode) {
- case CONNSECMARK_SAVE:
- printf("save ");
- break;
-
- case CONNSECMARK_RESTORE:
- printf("restore ");
- break;
-
- default:
- exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
- }
-}
-
-static void print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target, int numeric)
-{
- struct xt_connsecmark_target_info *info =
- (struct xt_connsecmark_target_info*)(target)->data;
-
- printf("CONNSECMARK ");
- print_connsecmark(info);
-}
-
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
-{
- struct xt_connsecmark_target_info *info =
- (struct xt_connsecmark_target_info*)target->data;
-
- printf("--");
- print_connsecmark(info);
-}
-
-static struct ip6tables_target connsecmark = {
- .name = "CONNSECMARK",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct xt_connsecmark_target_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct xt_connsecmark_target_info)),
- .parse = &parse,
- .help = &help,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&connsecmark);
-}
diff --git a/extensions/libip6t_CONNSECMARK.man b/extensions/libip6t_CONNSECMARK.man
deleted file mode 100644
index b94353a..0000000
--- a/extensions/libip6t_CONNSECMARK.man
+++ /dev/null
@@ -1,15 +0,0 @@
-This module copies security markings from packets to connections
-(if unlabeled), and from connections back to packets (also only
-if unlabeled). Typically used in conjunction with SECMARK, it is
-only valid in the
-.B mangle
-table.
-.TP
-.B --save
-If the packet has a security marking, copy it to the connection
-if the connection is not marked.
-.TP
-.B --restore
-If the packet does not have a security marking, and the connection
-does, copy the security marking from the connection to the packet.
-
diff --git a/extensions/libip6t_HL.c b/extensions/libip6t_HL.c
deleted file mode 100644
index 2062828..0000000
--- a/extensions/libip6t_HL.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * IPv6 Hop Limit Target module
- * Maciej Soltysiak <solt@dns.toxicfilms.tv>
- * Based on HW's ttl target
- * This program is distributed under the terms of GNU GPL
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_HL.h>
-
-#define IP6T_HL_USED 1
-
-static void init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
-"HL target v%s options\n"
-" --hl-set value Set HL to <value 0-255>\n"
-" --hl-dec value Decrement HL by <value 1-255>\n"
-" --hl-inc value Increment HL by <value 1-255>\n"
-, IPTABLES_VERSION);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- struct ip6t_HL_info *info = (struct ip6t_HL_info *) (*target)->data;
- unsigned int value;
-
- if (*flags & IP6T_HL_USED) {
- exit_error(PARAMETER_PROBLEM,
- "Can't specify HL option twice");
- }
-
- if (!optarg)
- exit_error(PARAMETER_PROBLEM,
- "HL: You must specify a value");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "HL: unexpected `!'");
-
- if (string_to_number(optarg, 0, 255, &value) == -1)
- exit_error(PARAMETER_PROBLEM,
- "HL: Expected value between 0 and 255");
-
- switch (c) {
-
- case '1':
- info->mode = IP6T_HL_SET;
- break;
-
- case '2':
- if (value == 0) {
- exit_error(PARAMETER_PROBLEM,
- "HL: decreasing by 0?");
- }
-
- info->mode = IP6T_HL_DEC;
- break;
-
- case '3':
- if (value == 0) {
- exit_error(PARAMETER_PROBLEM,
- "HL: increasing by 0?");
- }
-
- info->mode = IP6T_HL_INC;
- break;
-
- default:
- return 0;
-
- }
-
- info->hop_limit = value;
- *flags |= IP6T_HL_USED;
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!(flags & IP6T_HL_USED))
- exit_error(PARAMETER_PROBLEM,
- "HL: You must specify an action");
-}
-
-static void save(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target)
-{
- const struct ip6t_HL_info *info =
- (struct ip6t_HL_info *) target->data;
-
- switch (info->mode) {
- case IP6T_HL_SET:
- printf("--hl-set ");
- break;
- case IP6T_HL_DEC:
- printf("--hl-dec ");
- break;
-
- case IP6T_HL_INC:
- printf("--hl-inc ");
- break;
- }
- printf("%u ", info->hop_limit);
-}
-
-static void print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target, int numeric)
-{
- const struct ip6t_HL_info *info =
- (struct ip6t_HL_info *) target->data;
-
- printf("HL ");
- switch (info->mode) {
- case IP6T_HL_SET:
- printf("set to ");
- break;
- case IP6T_HL_DEC:
- printf("decrement by ");
- break;
- case IP6T_HL_INC:
- printf("increment by ");
- break;
- }
- printf("%u ", info->hop_limit);
-}
-
-static struct option opts[] = {
- { "hl-set", 1, 0, '1' },
- { "hl-dec", 1, 0, '2' },
- { "hl-inc", 1, 0, '3' },
- { 0 }
-};
-
-static
-struct ip6tables_target HL = { NULL,
- .name = "HL",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_HL_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_HL_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&HL);
-}
diff --git a/extensions/libip6t_HL.man b/extensions/libip6t_HL.man
deleted file mode 100644
index bf46881..0000000
--- a/extensions/libip6t_HL.man
+++ /dev/null
@@ -1,17 +0,0 @@
-This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field
-is similar to what is known as TTL value in IPv4. Setting or incrementing the
-Hop Limit field can potentially be very dangerous, so it should be avoided at
-any cost. This target is only valid in
-.B mangle
-table.
-.TP
-.B Don't ever set or increment the value on packets that leave your local network!
-.TP
-.BI "--hl-set " "value"
-Set the Hop Limit to `value'.
-.TP
-.BI "--hl-dec " "value"
-Decrement the Hop Limit `value' times.
-.TP
-.BI "--hl-inc " "value"
-Increment the Hop Limit `value' times.
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
deleted file mode 100644
index 5043b44..0000000
--- a/extensions/libip6t_LOG.c
+++ /dev/null
@@ -1,290 +0,0 @@
-/* Shared library add-on to iptables to add LOG support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_LOG.h>
-
-#ifndef IP6T_LOG_UID /* Old kernel */
-#define IP6T_LOG_UID 0x08
-#undef IP6T_LOG_MASK
-#define IP6T_LOG_MASK 0x0f
-#endif
-
-#define LOG_DEFAULT_LEVEL LOG_WARNING
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"LOG v%s options:\n"
-" --log-level level Level of logging (numeric or see syslog.conf)\n"
-" --log-prefix prefix Prefix log messages with this prefix.\n\n"
-" --log-tcp-sequence Log TCP sequence numbers.\n\n"
-" --log-tcp-options Log TCP options.\n\n"
-" --log-ip-options Log IP options.\n\n"
-" --log-uid Log UID owning the local socket.\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "log-level", .has_arg = 1, .flag = 0, .val = '!' },
- { .name = "log-prefix", .has_arg = 1, .flag = 0, .val = '#' },
- { .name = "log-tcp-sequence", .has_arg = 0, .flag = 0, .val = '1' },
- { .name = "log-tcp-options", .has_arg = 0, .flag = 0, .val = '2' },
- { .name = "log-ip-options", .has_arg = 0, .flag = 0, .val = '3' },
- { .name = "log-uid", .has_arg = 0, .flag = 0, .val = '4' },
- { .name = 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
- struct ip6t_log_info *loginfo = (struct ip6t_log_info *)t->data;
-
- loginfo->level = LOG_DEFAULT_LEVEL;
-
-}
-
-struct ip6t_log_names {
- const char *name;
- unsigned int level;
-};
-
-static struct ip6t_log_names ip6t_log_names[]
-= { { .name = "alert", .level = LOG_ALERT },
- { .name = "crit", .level = LOG_CRIT },
- { .name = "debug", .level = LOG_DEBUG },
- { .name = "emerg", .level = LOG_EMERG },
- { .name = "error", .level = LOG_ERR }, /* DEPRECATED */
- { .name = "info", .level = LOG_INFO },
- { .name = "notice", .level = LOG_NOTICE },
- { .name = "panic", .level = LOG_EMERG }, /* DEPRECATED */
- { .name = "warning", .level = LOG_WARNING }
-};
-
-static u_int8_t
-parse_level(const char *level)
-{
- unsigned int lev = -1;
- unsigned int set = 0;
-
- if (string_to_number(level, 0, 7, &lev) == -1) {
- unsigned int i = 0;
-
- for (i = 0;
- i < sizeof(ip6t_log_names) / sizeof(struct ip6t_log_names);
- i++) {
- if (strncasecmp(level, ip6t_log_names[i].name,
- strlen(level)) == 0) {
- if (set++)
- exit_error(PARAMETER_PROBLEM,
- "log-level `%s' ambiguous",
- level);
- lev = ip6t_log_names[i].level;
- }
- }
-
- if (!set)
- exit_error(PARAMETER_PROBLEM,
- "log-level `%s' unknown", level);
- }
-
- return (u_int8_t)lev;
-}
-
-#define IP6T_LOG_OPT_LEVEL 0x01
-#define IP6T_LOG_OPT_PREFIX 0x02
-#define IP6T_LOG_OPT_TCPSEQ 0x04
-#define IP6T_LOG_OPT_TCPOPT 0x08
-#define IP6T_LOG_OPT_IPOPT 0x10
-#define IP6T_LOG_OPT_UID 0x20
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- struct ip6t_log_info *loginfo = (struct ip6t_log_info *)(*target)->data;
-
- switch (c) {
- case '!':
- if (*flags & IP6T_LOG_OPT_LEVEL)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-level twice");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --log-level");
-
- loginfo->level = parse_level(optarg);
- *flags |= IP6T_LOG_OPT_LEVEL;
- break;
-
- case '#':
- if (*flags & IP6T_LOG_OPT_PREFIX)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-prefix twice");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --log-prefix");
-
- if (strlen(optarg) > sizeof(loginfo->prefix) - 1)
- exit_error(PARAMETER_PROBLEM,
- "Maximum prefix length %u for --log-prefix",
- (unsigned int)sizeof(loginfo->prefix) - 1);
-
- if (strlen(optarg) == 0)
- exit_error(PARAMETER_PROBLEM,
- "No prefix specified for --log-prefix");
-
- if (strlen(optarg) != strlen(strtok(optarg, "\n")))
- exit_error(PARAMETER_PROBLEM,
- "Newlines not allowed in --log-prefix");
-
- strcpy(loginfo->prefix, optarg);
- *flags |= IP6T_LOG_OPT_PREFIX;
- break;
-
- case '1':
- if (*flags & IP6T_LOG_OPT_TCPSEQ)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-tcp-sequence "
- "twice");
-
- loginfo->logflags |= IP6T_LOG_TCPSEQ;
- *flags |= IP6T_LOG_OPT_TCPSEQ;
- break;
-
- case '2':
- if (*flags & IP6T_LOG_OPT_TCPOPT)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-tcp-options twice");
-
- loginfo->logflags |= IP6T_LOG_TCPOPT;
- *flags |= IP6T_LOG_OPT_TCPOPT;
- break;
-
- case '3':
- if (*flags & IP6T_LOG_OPT_IPOPT)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-ip-options twice");
-
- loginfo->logflags |= IP6T_LOG_IPOPT;
- *flags |= IP6T_LOG_OPT_IPOPT;
- break;
-
- case '4':
- if (*flags & IP6T_LOG_OPT_UID)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-uid twice");
-
- loginfo->logflags |= IP6T_LOG_UID;
- *flags |= IP6T_LOG_OPT_UID;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target,
- int numeric)
-{
- const struct ip6t_log_info *loginfo
- = (const struct ip6t_log_info *)target->data;
- unsigned int i = 0;
-
- printf("LOG ");
- if (numeric)
- printf("flags %u level %u ",
- loginfo->logflags, loginfo->level);
- else {
- for (i = 0;
- i < sizeof(ip6t_log_names) / sizeof(struct ip6t_log_names);
- i++) {
- if (loginfo->level == ip6t_log_names[i].level) {
- printf("level %s ", ip6t_log_names[i].name);
- break;
- }
- }
- if (i == sizeof(ip6t_log_names) / sizeof(struct ip6t_log_names))
- printf("UNKNOWN level %u ", loginfo->level);
- if (loginfo->logflags & IP6T_LOG_TCPSEQ)
- printf("tcp-sequence ");
- if (loginfo->logflags & IP6T_LOG_TCPOPT)
- printf("tcp-options ");
- if (loginfo->logflags & IP6T_LOG_IPOPT)
- printf("ip-options ");
- if (loginfo->logflags & IP6T_LOG_UID)
- printf("uid ");
- if (loginfo->logflags & ~(IP6T_LOG_MASK))
- printf("unknown-flags ");
- }
-
- if (strcmp(loginfo->prefix, "") != 0)
- printf("prefix `%s' ", loginfo->prefix);
-}
-
-/* Saves the union ip6t_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
-{
- const struct ip6t_log_info *loginfo
- = (const struct ip6t_log_info *)target->data;
-
- if (strcmp(loginfo->prefix, "") != 0)
- printf("--log-prefix \"%s\" ", loginfo->prefix);
-
- if (loginfo->level != LOG_DEFAULT_LEVEL)
- printf("--log-level %d ", loginfo->level);
-
- if (loginfo->logflags & IP6T_LOG_TCPSEQ)
- printf("--log-tcp-sequence ");
- if (loginfo->logflags & IP6T_LOG_TCPOPT)
- printf("--log-tcp-options ");
- if (loginfo->logflags & IP6T_LOG_IPOPT)
- printf("--log-ip-options ");
- if (loginfo->logflags & IP6T_LOG_UID)
- printf("--log-uid ");
-}
-
-static
-struct ip6tables_target log
-= {
- .name = "LOG",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_log_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_log_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&log);
-}
diff --git a/extensions/libip6t_LOG.man b/extensions/libip6t_LOG.man
deleted file mode 100644
index 9d51fd4..0000000
--- a/extensions/libip6t_LOG.man
+++ /dev/null
@@ -1,31 +0,0 @@
-Turn on kernel logging of matching packets. When this option is set
-for a rule, the Linux kernel will print some information on all
-matching packets (like most IPv6 IPv6-header fields) via the kernel log
-(where it can be read with
-.I dmesg
-or
-.IR syslogd (8)).
-This is a "non-terminating target", i.e. rule traversal continues at
-the next rule. So if you want to LOG the packets you refuse, use two
-separate rules with the same matching criteria, first using target LOG
-then DROP (or REJECT).
-.TP
-.BI "--log-level " "level"
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
-.TP
-.BI "--log-prefix " "prefix"
-Prefix log messages with the specified prefix; up to 29 letters long,
-and useful for distinguishing messages in the logs.
-.TP
-.B --log-tcp-sequence
-Log TCP sequence numbers. This is a security risk if the log is
-readable by users.
-.TP
-.B --log-tcp-options
-Log options from the TCP packet header.
-.TP
-.B --log-ip-options
-Log options from the IPv6 packet header.
-.TP
-.B --log-uid
-Log the userid of the process which generated the packet.
diff --git a/extensions/libip6t_MARK.c b/extensions/libip6t_MARK.c
deleted file mode 100644
index a7f1a9d..0000000
--- a/extensions/libip6t_MARK.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/* Shared library add-on to iptables to add MARK target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv6/ip6t_MARK.h"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"MARK target v%s options:\n"
-" --set-mark value Set nfmark value\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "set-mark", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- struct ip6t_mark_target_info *markinfo
- = (struct ip6t_mark_target_info *)(*target)->data;
-
- switch (c) {
- case '1':
-#ifdef KERNEL_64_USERSPACE_32
- if (string_to_number_ll(optarg, 0, 0,
- &markinfo->mark))
-#else
- if (string_to_number_l(optarg, 0, 0,
- &markinfo->mark))
-#endif
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "MARK target: Can't specify --set-mark twice");
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "MARK target: Parameter --set-mark is required");
-}
-
-#ifdef KERNEL_64_USERSPACE_32
-static void
-print_mark(unsigned long long mark)
-{
- printf("0x%llx ", mark);
-}
-#else
-static void
-print_mark(unsigned long mark)
-{
- printf("0x%lx ", mark);
-}
-#endif
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target,
- int numeric)
-{
- const struct ip6t_mark_target_info *markinfo =
- (const struct ip6t_mark_target_info *)target->data;
-
- printf("MARK set ");
- print_mark(markinfo->mark);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
-{
- const struct ip6t_mark_target_info *markinfo =
- (const struct ip6t_mark_target_info *)target->data;
-
- printf("--set-mark ");
- print_mark(markinfo->mark);
-}
-
-static
-struct ip6tables_target mark = {
- .name = "MARK",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_mark_target_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_mark_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&mark);
-}
diff --git a/extensions/libip6t_MARK.man b/extensions/libip6t_MARK.man
deleted file mode 100644
index 1f3260c..0000000
--- a/extensions/libip6t_MARK.man
+++ /dev/null
@@ -1,6 +0,0 @@
-This is used to set the netfilter mark value associated with the
-packet. It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--set-mark " "mark"
diff --git a/extensions/libip6t_NFLOG.c b/extensions/libip6t_NFLOG.c
deleted file mode 100644
index c2a3dbd..0000000
--- a/extensions/libip6t_NFLOG.c
+++ /dev/null
@@ -1,161 +0,0 @@
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <getopt.h>
-#include <ip6tables.h>
-
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter/xt_NFLOG.h>
-
-enum {
- NFLOG_GROUP = 0x1,
- NFLOG_PREFIX = 0x2,
- NFLOG_RANGE = 0x4,
- NFLOG_THRESHOLD = 0x8,
-};
-
-static struct option opts[] = {
- { "nflog-group", 1, 0, NFLOG_GROUP },
- { "nflog-prefix", 1, 0, NFLOG_PREFIX },
- { "nflog-range", 1, 0, NFLOG_RANGE },
- { "nflog-threshold", 1, 0, NFLOG_THRESHOLD },
-};
-
-static void help(void)
-{
- printf("NFLOG v%s options:\n"
- " --nflog-group NUM NETLINK group used for logging\n"
- " --nflog-range NUM Number of byte to copy\n"
- " --nflog-threshold NUM Message threshold of in-kernel queue\n"
- " --nflog-prefix STRING Prefix string for log messages\n\n",
- IPTABLES_VERSION);
-}
-
-static void init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
- struct xt_nflog_info *info = (struct xt_nflog_info *)t->data;
-
- info->group = XT_NFLOG_DEFAULT_GROUP;
- info->threshold = XT_NFLOG_DEFAULT_THRESHOLD;
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct xt_entry_target **target)
-{
- struct xt_nflog_info *info = (struct xt_nflog_info *)(*target)->data;
- int n;
-
- switch (c) {
- case NFLOG_GROUP:
- if (*flags & NFLOG_GROUP)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nflog-group twice");
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --nflog-group");
-
- n = atoi(optarg);
- if (n < 1 || n > 32)
- exit_error(PARAMETER_PROBLEM,
- "--nflog-group has to be between 1 and 32");
- info->group = 1 << (n - 1);
- break;
- case NFLOG_PREFIX:
- if (*flags & NFLOG_PREFIX)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nflog-prefix twice");
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --nflog-prefix");
-
- n = strlen(optarg);
- if (n == 0)
- exit_error(PARAMETER_PROBLEM,
- "No prefix specified for --nflog-prefix");
- if (n >= sizeof(info->prefix))
- exit_error(PARAMETER_PROBLEM,
- "--nflog-prefix too long, max %Zu characters",
- sizeof(info->prefix) - 1);
- if (n != strlen(strtok(optarg, "\n")))
- exit_error(PARAMETER_PROBLEM,
- "Newlines are not allowed in --nflog-prefix");
- strcpy(info->prefix, optarg);
- break;
- case NFLOG_RANGE:
- if (*flags & NFLOG_RANGE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nflog-range twice");
- n = atoi(optarg);
- if (n < 0)
- exit_error(PARAMETER_PROBLEM,
- "Invalid --nflog-range, must be >= 0");
- info->len = n;
- break;
- case NFLOG_THRESHOLD:
- if (*flags & NFLOG_THRESHOLD)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nflog-threshold twice");
- n = atoi(optarg);
- if (n < 1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid --nflog-threshold, must be >= 1");
- info->threshold = n;
- break;
- default:
- return 0;
- }
- *flags |= c;
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- return;
-}
-
-static void nflog_print(const struct xt_nflog_info *info, char *prefix)
-{
- if (info->prefix[0] != '\0')
- printf("%snflog-prefix \"%s\" ", prefix, info->prefix);
- if (info->group != XT_NFLOG_DEFAULT_GROUP)
- printf("%snflog-group %u ", prefix, ffs(info->group));
- if (info->len)
- printf("%snflog-range %u ", prefix, info->len);
- if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
- printf("%snflog-threshold %u ", prefix, info->threshold);
-}
-
-static void print(const struct ip6t_ip6 *ip, const struct xt_entry_target *target,
- int numeric)
-{
- const struct xt_nflog_info *info = (struct xt_nflog_info *)target->data;
-
- nflog_print(info, "");
-}
-
-static void save(const struct ip6t_ip6 *ip, const struct xt_entry_target *target)
-{
- const struct xt_nflog_info *info = (struct xt_nflog_info *)target->data;
-
- nflog_print(info, "--");
-}
-
-static struct ip6tables_target nflog = {
- .name = "NFLOG",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_nflog_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_nflog_info)),
- .help = help,
- .init = init,
- .parse = parse,
- .final_check = final_check,
- .print = print,
- .save = save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_target6(&nflog);
-}
diff --git a/extensions/libip6t_NFQUEUE.c b/extensions/libip6t_NFQUEUE.c
deleted file mode 100644
index e1964af..0000000
--- a/extensions/libip6t_NFQUEUE.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* Shared library add-on to ip666666tables for NFQ
- *
- * (C) 2005 by Harald Welte <laforge@netfilter.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv4/ipt_NFQUEUE.h>
-
-static void init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
-"NFQUEUE target options\n"
-" --queue-num value Send packet to QUEUE number <value>.\n"
-" Valid queue numbers are 0-65535\n"
-);
-}
-
-static struct option opts[] = {
- { "queue-num", 1, 0, 'F' },
- { 0 }
-};
-
-static void
-parse_num(const char *s, struct ipt_NFQ_info *tinfo)
-{
- unsigned int num;
-
- if (string_to_number(s, 0, 65535, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid queue number `%s'\n", s);
-
- tinfo->queuenum = num & 0xffff;
- return;
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- struct ipt_NFQ_info *tinfo
- = (struct ipt_NFQ_info *)(*target)->data;
-
- switch (c) {
- case 'F':
- if (*flags)
- exit_error(PARAMETER_PROBLEM, "NFQUEUE target: "
- "Only use --queue-num ONCE!");
- parse_num(optarg, tinfo);
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target,
- int numeric)
-{
- const struct ipt_NFQ_info *tinfo =
- (const struct ipt_NFQ_info *)target->data;
- printf("NFQUEUE num %u", tinfo->queuenum);
-}
-
-/* Saves the union ip6t_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
-{
- const struct ipt_NFQ_info *tinfo =
- (const struct ipt_NFQ_info *)target->data;
-
- printf("--queue-num %u ", tinfo->queuenum);
-}
-
-static struct ip6tables_target nfqueue = {
- .next = NULL,
- .name = "NFQUEUE",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ipt_NFQ_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ipt_NFQ_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&nfqueue);
-}
diff --git a/extensions/libip6t_NFQUEUE.man b/extensions/libip6t_NFQUEUE.man
deleted file mode 100644
index c4e9d11..0000000
--- a/extensions/libip6t_NFQUEUE.man
+++ /dev/null
@@ -1,12 +0,0 @@
-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
-you to put a packet into any specific queue, identified by its 16-bit queue
-number.
-.TP
-.BR "--queue-num " "\fIvalue"
-This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
-.TP
-It can only be used with Kernel versions 2.6.14 or later, since it requires
-the
-.B
-nfnetlink_queue
-kernel support.
diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c
deleted file mode 100644
index 879716b..0000000
--- a/extensions/libip6t_REJECT.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/* Shared library add-on to iptables to add customized REJECT support.
- *
- * (C) 2000 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * ported to IPv6 by Harald Welte <laforge@gnumonks.org>
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_REJECT.h>
-
-struct reject_names {
- const char *name;
- const char *alias;
- enum ip6t_reject_with with;
- const char *desc;
-};
-
-static const struct reject_names reject_table[] = {
- {"icmp6-no-route", "no-route",
- IP6T_ICMP6_NO_ROUTE, "ICMPv6 no route"},
- {"icmp6-adm-prohibited", "adm-prohibited",
- IP6T_ICMP6_ADM_PROHIBITED, "ICMPv6 administratively prohibited"},
-#if 0
- {"icmp6-not-neighbor", "not-neighbor"},
- IP6T_ICMP6_NOT_NEIGHBOR, "ICMPv6 not a neighbor"},
-#endif
- {"icmp6-addr-unreachable", "addr-unreach",
- IP6T_ICMP6_ADDR_UNREACH, "ICMPv6 address unreachable"},
- {"icmp6-port-unreachable", "port-unreach",
- IP6T_ICMP6_PORT_UNREACH, "ICMPv6 port unreachable"},
- {"tcp-reset", "tcp-reset",
- IP6T_TCP_RESET, "TCP RST packet"}
-};
-
-static void
-print_reject_types()
-{
- unsigned int i;
-
- printf("Valid reject types:\n");
-
- for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
- printf(" %-25s\t%s\n", reject_table[i].name, reject_table[i].desc);
- printf(" %-25s\talias\n", reject_table[i].alias);
- }
- printf("\n");
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"REJECT options:\n"
-"--reject-with type drop input packet and send back\n"
-" a reply packet according to type:\n");
-
- print_reject_types();
-}
-
-static struct option opts[] = {
- { "reject-with", 1, 0, '1' },
- { 0 }
-};
-
-/* Allocate and initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
- struct ip6t_reject_info *reject = (struct ip6t_reject_info *)t->data;
-
- /* default */
- reject->with = IP6T_ICMP6_PORT_UNREACH;
-
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- struct ip6t_reject_info *reject =
- (struct ip6t_reject_info *)(*target)->data;
- unsigned int limit = sizeof(reject_table)/sizeof(struct reject_names);
- unsigned int i;
-
- switch(c) {
- case '1':
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --reject-with");
- for (i = 0; i < limit; i++) {
- if ((strncasecmp(reject_table[i].name, optarg, strlen(optarg)) == 0)
- || (strncasecmp(reject_table[i].alias, optarg, strlen(optarg)) == 0)) {
- reject->with = reject_table[i].with;
- return 1;
- }
- }
- exit_error(PARAMETER_PROBLEM, "unknown reject type `%s'",optarg);
- default:
- /* Fall through */
- break;
- }
- return 0;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out ipt_reject_info. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target,
- int numeric)
-{
- const struct ip6t_reject_info *reject
- = (const struct ip6t_reject_info *)target->data;
- unsigned int i;
-
- for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
- if (reject_table[i].with == reject->with)
- break;
- }
- printf("reject-with %s ", reject_table[i].name);
-}
-
-/* Saves ipt_reject in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target)
-{
- const struct ip6t_reject_info *reject
- = (const struct ip6t_reject_info *)target->data;
- unsigned int i;
-
- for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++)
- if (reject_table[i].with == reject->with)
- break;
-
- printf("--reject-with %s ", reject_table[i].name);
-}
-
-struct ip6tables_target reject = {
- .name = "REJECT",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_reject_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_reject_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_target6(&reject);
-}
diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man
deleted file mode 100644
index 909d826..0000000
--- a/extensions/libip6t_REJECT.man
+++ /dev/null
@@ -1,36 +0,0 @@
-This is used to send back an error packet in response to the matched
-packet: otherwise it is equivalent to
-.B DROP
-so it is a terminating TARGET, ending rule traversal.
-This target is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. The following option controls the nature of the error packet
-returned:
-.TP
-.BI "--reject-with " "type"
-The type given can be
-.nf
-.B " icmp6-no-route"
-.B " no-route"
-.B " icmp6-adm-prohibited"
-.B " adm-prohibited"
-.B " icmp6-addr-unreachable"
-.B " addr-unreach"
-.B " icmp6-port-unreachable"
-.B " port-unreach"
-.fi
-which return the appropriate ICMPv6 error message (\fBport-unreach\fP is
-the default). Finally, the option
-.B tcp-reset
-can be used on rules which only match the TCP protocol: this causes a
-TCP RST packet to be sent back. This is mainly useful for blocking
-.I ident
-(113/tcp) probes which frequently occur when sending mail to broken mail
-hosts (which won't accept your mail otherwise).
-.B tcp-reset
-can only be used with kernel versions 2.6.14 or latter.
-
diff --git a/extensions/libip6t_SECMARK.c b/extensions/libip6t_SECMARK.c
deleted file mode 100644
index 8fbae05..0000000
--- a/extensions/libip6t_SECMARK.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Shared library add-on to iptables to add SECMARK target support.
- *
- * Based on the MARK target.
- *
- * IPv6 version.
- *
- * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter/xt_SECMARK.h>
-
-#define PFX "SECMARK target: "
-
-static void help(void)
-{
- printf(
-"SECMARK target v%s options:\n"
-" --selctx value Set the SELinux security context\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "selctx", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{ }
-
-/*
- * Function which parses command options; returns true if it
- * ate an option.
- */
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry, struct ip6t_entry_target **target)
-{
- struct xt_secmark_target_info *info =
- (struct xt_secmark_target_info*)(*target)->data;
-
- switch (c) {
- case '1':
- if (*flags & SECMARK_MODE_SEL)
- exit_error(PARAMETER_PROBLEM, PFX
- "Can't specify --selctx twice");
- info->mode = SECMARK_MODE_SEL;
-
- if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
- exit_error(PARAMETER_PROBLEM, PFX
- "Maximum length %u exceeded by --selctx"
- " parameter (%zu)",
- SECMARK_SELCTX_MAX-1, strlen(optarg));
-
- strcpy(info->u.sel.selctx, optarg);
- *flags |= SECMARK_MODE_SEL;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, PFX "parameter required");
-}
-
-static void print_secmark(struct xt_secmark_target_info *info)
-{
- switch (info->mode) {
- case SECMARK_MODE_SEL:
- printf("selctx %s ", info->u.sel.selctx);\
- break;
-
- default:
- exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
- }
-}
-
-static void print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target, int numeric)
-{
- struct xt_secmark_target_info *info =
- (struct xt_secmark_target_info*)(target)->data;
-
- printf("SECMARK ");
- print_secmark(info);
-}
-
-/* Saves the target info in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
-{
- struct xt_secmark_target_info *info =
- (struct xt_secmark_target_info*)target->data;
-
- printf("--");
- print_secmark(info);
-}
-
-static struct ip6tables_target secmark = {
- .name = "SECMARK",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct xt_secmark_target_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct xt_secmark_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&secmark);
-}
diff --git a/extensions/libip6t_SECMARK.man b/extensions/libip6t_SECMARK.man
deleted file mode 100644
index f892de9..0000000
--- a/extensions/libip6t_SECMARK.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This is used to set the security mark value associated with the
-packet for use by security subsystems such as SELinux. It is only
-valid in the
-.B mangle
-table.
-.TP
-.BI "--selctx " "security_context"
diff --git a/extensions/libip6t_TCPMSS.c b/extensions/libip6t_TCPMSS.c
deleted file mode 100644
index 7fcccd5..0000000
--- a/extensions/libip6t_TCPMSS.c
+++ /dev/null
@@ -1,134 +0,0 @@
-/* Shared library add-on to iptables to add TCPMSS target support.
- *
- * Copyright (c) 2000 Marc Boucher
-*/
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_TCPMSS.h>
-
-struct mssinfo {
- struct ip6t_entry_target t;
- struct ip6t_tcpmss_info mss;
-};
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"TCPMSS target v%s mutually-exclusive options:\n"
-" --set-mss value explicitly set MSS option to specified value\n"
-" --clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - 60)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "set-mss", 1, 0, '1' },
- { "clamp-mss-to-pmtu", 0, 0, '2' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- struct ip6t_tcpmss_info *mssinfo
- = (struct ip6t_tcpmss_info *)(*target)->data;
-
- switch (c) {
- unsigned int mssval;
-
- case '1':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "TCPMSS target: Only one option may be specified");
- if (string_to_number(optarg, 0, 65535 - 60, &mssval) == -1)
- exit_error(PARAMETER_PROBLEM, "Bad TCPMSS value `%s'", optarg);
-
- mssinfo->mss = mssval;
- *flags = 1;
- break;
-
- case '2':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "TCPMSS target: Only one option may be specified");
- mssinfo->mss = IP6T_TCPMSS_CLAMP_PMTU;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "TCPMSS target: At least one parameter is required");
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip6,
- const struct ip6t_entry_target *target,
- int numeric)
-{
- const struct ip6t_tcpmss_info *mssinfo =
- (const struct ip6t_tcpmss_info *)target->data;
- if(mssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU)
- printf("TCPMSS clamp to PMTU ");
- else
- printf("TCPMSS set %u ", mssinfo->mss);
-}
-
-/* Saves the union ip6t_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
-{
- const struct ip6t_tcpmss_info *mssinfo =
- (const struct ip6t_tcpmss_info *)target->data;
-
- if(mssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU)
- printf("--clamp-mss-to-pmtu ");
- else
- printf("--set-mss %u ", mssinfo->mss);
-}
-
-static struct ip6tables_target mss = {
- .next = NULL,
- .name = "TCPMSS",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_tcpmss_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_tcpmss_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&mss);
-}
diff --git a/extensions/libip6t_TCPMSS.man b/extensions/libip6t_TCPMSS.man
deleted file mode 100644
index b4c357e..0000000
--- a/extensions/libip6t_TCPMSS.man
+++ /dev/null
@@ -1,42 +0,0 @@
-This target allows to alter the MSS value of TCP SYN packets, to control
-the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 60). Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-It is only valid in the
-.BR mangle
-table.
-.br
-This target is used to overcome criminally braindead ISPs or servers
-which block ICMPv6 Packet Too Big packets or are unable to send them.
-The symptoms of this problem are that everything works fine from your
-Linux firewall/router, but machines behind it can never exchange large
-packets:
-.PD 0
-.RS 0.1i
-.TP 0.3i
-1)
-Web browsers connect, then hang with no data received.
-.TP
-2)
-Small mail works fine, but large emails hang.
-.TP
-3)
-ssh works fine, but scp hangs after initial handshaking.
-.RE
-.PD
-Workaround: activate this option and add a rule to your firewall
-configuration like:
-.nf
- ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
- -j TCPMSS --clamp-mss-to-pmtu
-.fi
-.TP
-.BI "--set-mss " "value"
-Explicitly set MSS option to specified value.
-.TP
-.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 60).
-.TP
-These options are mutually exclusive.
-
diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
deleted file mode 100644
index 794e02e..0000000
--- a/extensions/libip6t_ah.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/* Shared library add-on to ip6tables to add AH support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <errno.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6t_ah.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"AH v%s options:\n"
-" --ahspi [!] spi[:spi] match spi (range)\n"
-" --ahlen [!] length total length of this header\n"
-" --ahres check the reserved filed, too\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "ahspi", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "ahlen", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "ahres", .has_arg = 0, .flag = 0, .val = '3' },
- { .name = 0 }
-};
-
-static u_int32_t
-parse_ah_spi(const char *spistr, const char *typestr)
-{
- unsigned long int spi;
- char* ep;
-
- spi = strtoul(spistr, &ep, 0);
-
- if ( spistr == ep )
- exit_error(PARAMETER_PROBLEM,
- "AH no valid digits in %s `%s'", typestr, spistr);
-
- if ( spi == ULONG_MAX && errno == ERANGE )
- exit_error(PARAMETER_PROBLEM,
- "%s `%s' specified too big: would overflow",
- typestr, spistr);
-
- if ( *spistr != '\0' && *ep != '\0' )
- exit_error(PARAMETER_PROBLEM,
- "AH error parsing %s `%s'", typestr, spistr);
-
- return (u_int32_t) spi;
-}
-
-static void
-parse_ah_spis(const char *spistring, u_int32_t *spis)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(spistring);
- if ((cp = strchr(buffer, ':')) == NULL)
- spis[0] = spis[1] = parse_ah_spi(buffer, "spi");
- else {
- *cp = '\0';
- cp++;
-
- spis[0] = buffer[0] ? parse_ah_spi(buffer, "spi") : 0;
- spis[1] = cp[0] ? parse_ah_spi(cp, "spi") : 0xFFFFFFFF;
- }
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_ah *ahinfo = (struct ip6t_ah *)m->data;
-
- ahinfo->spis[1] = 0xFFFFFFFF;
- ahinfo->hdrlen = 0;
- ahinfo->hdrres = 0;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_ah *ahinfo = (struct ip6t_ah *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IP6T_AH_SPI)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--ahspi' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_ah_spis(argv[optind-1], ahinfo->spis);
- if (invert)
- ahinfo->invflags |= IP6T_AH_INV_SPI;
- *flags |= IP6T_AH_SPI;
- break;
- case '2':
- if (*flags & IP6T_AH_LEN)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--ahlen' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- ahinfo->hdrlen = parse_ah_spi(argv[optind-1], "length");
- if (invert)
- ahinfo->invflags |= IP6T_AH_INV_LEN;
- *flags |= IP6T_AH_LEN;
- break;
- case '3':
- if (*flags & IP6T_AH_RES)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--ahres' allowed");
- ahinfo->hdrres = 1;
- *flags |= IP6T_AH_RES;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static void
-print_spis(const char *name, u_int32_t min, u_int32_t max,
- int invert)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFFFFFF || invert) {
- if (min == max)
- printf("%s:%s%u ", name, inv, min);
- else
- printf("%ss:%s%u:%u ", name, inv, min, max);
- }
-}
-
-static void
-print_len(const char *name, u_int32_t len, int invert)
-{
- const char *inv = invert ? "!" : "";
-
- if (len != 0 || invert)
- printf("%s:%s%u ", name, inv, len);
-}
-
-/* Prints out the union ip6t_matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match, int numeric)
-{
- const struct ip6t_ah *ah = (struct ip6t_ah *)match->data;
-
- printf("ah ");
- print_spis("spi", ah->spis[0], ah->spis[1],
- ah->invflags & IP6T_AH_INV_SPI);
- print_len("length", ah->hdrlen,
- ah->invflags & IP6T_AH_INV_LEN);
-
- if (ah->hdrres)
- printf("reserved ");
-
- if (ah->invflags & ~IP6T_AH_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- ah->invflags & ~IP6T_AH_INV_MASK);
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_ah *ahinfo = (struct ip6t_ah *)match->data;
-
- if (!(ahinfo->spis[0] == 0
- && ahinfo->spis[1] == 0xFFFFFFFF)) {
- printf("--ahspi %s",
- (ahinfo->invflags & IP6T_AH_INV_SPI) ? "! " : "");
- if (ahinfo->spis[0]
- != ahinfo->spis[1])
- printf("%u:%u ",
- ahinfo->spis[0],
- ahinfo->spis[1]);
- else
- printf("%u ",
- ahinfo->spis[0]);
- }
-
- if (ahinfo->hdrlen != 0 || (ahinfo->invflags & IP6T_AH_INV_LEN) ) {
- printf("--ahlen %s%u ",
- (ahinfo->invflags & IP6T_AH_INV_LEN) ? "! " : "",
- ahinfo->hdrlen);
- }
-
- if (ahinfo->hdrres != 0 )
- printf("--ahres ");
-}
-
-static
-struct ip6tables_match ah = {
- .name = "ah",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_ah)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_ah)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-_init(void)
-{
- register_match6(&ah);
-}
diff --git a/extensions/libip6t_ah.man b/extensions/libip6t_ah.man
deleted file mode 100644
index 09d00fd..0000000
--- a/extensions/libip6t_ah.man
+++ /dev/null
@@ -1,10 +0,0 @@
-This module matches the parameters in Authentication header of IPsec packets.
-.TP
-.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
-Matches SPI.
-.TP
-.BR "--ahlen " "[!] \fIlength"
-Total length of this header in octets.
-.TP
-.BI "--ahres"
-Matches if the reserved field is filled with zero.
diff --git a/extensions/libip6t_condition.c b/extensions/libip6t_condition.c
deleted file mode 100644
index 0e94c39..0000000
--- a/extensions/libip6t_condition.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/* Shared library add-on to ip6tables for condition match */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <ip6tables.h>
-
-#include<linux/netfilter_ipv6/ip6_tables.h>
-#include<linux/netfilter_ipv6/ip6t_condition.h>
-
-
-static void
-help(void)
-{
- printf("condition match v%s options:\n"
- "--condition [!] filename "
- "Match on boolean value stored in /proc file\n",
- IPTABLES_VERSION);
-}
-
-
-static struct option opts[] = {
- { .name = "condition", .has_arg = 1, .flag = 0, .val = 'X' },
- { .name = 0 }
-};
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry, unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct condition6_info *info =
- (struct condition6_info *) (*match)->data;
-
- if (c == 'X') {
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple conditions");
-
- check_inverse(optarg, &invert, &optind, 0);
-
- if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
- exit_error(PARAMETER_PROBLEM,
- "File name too long");
-
- info->invert = invert;
- *flags = 1;
- return 1;
- }
-
- return 0;
-}
-
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "Condition match: must specify --condition");
-}
-
-
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match, int numeric)
-{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
-
- printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
-}
-
-
-static void
-save(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match)
-{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
-
- printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
-}
-
-
-static struct ip6tables_match condition = {
- .name = "condition",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct condition6_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-
-void
-_init(void)
-{
- register_match6(&condition);
-}
diff --git a/extensions/libip6t_condition.man b/extensions/libip6t_condition.man
deleted file mode 100644
index e0bba75..0000000
--- a/extensions/libip6t_condition.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BR "--condition " "[!] \fIfilename"
-Match on boolean value stored in /proc/net/ip6t_condition/filename file
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
deleted file mode 100644
index 19ca23c..0000000
--- a/extensions/libip6t_dst.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/* Shared library add-on to ip6tables to add Hop-by-Hop and Dst headers support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <errno.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6t_opts.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-#ifdef HOPBYHOP
-#define UNAME "HBH"
-#define LNAME "hbh"
-#else
-#define UNAME "DST"
-#define LNAME "dst"
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-UNAME " v%s options:\n"
-" --" LNAME "-len [!] length total length of this header\n"
-" --" LNAME "-opts TYPE[:LEN][,TYPE[:LEN]...] \n"
-" Options and its length (list, max: %d)\n",
-IPTABLES_VERSION, IP6T_OPTS_OPTSNR);
-}
-
-static struct option opts[] = {
- { .name = LNAME "-len", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = LNAME "-opts", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = LNAME "-not-strict", .has_arg = 1, .flag = 0, .val = '3' },
- { .name = 0 }
-};
-
-static u_int32_t
-parse_opts_num(const char *idstr, const char *typestr)
-{
- unsigned long int id;
- char* ep;
-
- id = strtoul(idstr, &ep, 0);
-
- if ( idstr == ep ) {
- exit_error(PARAMETER_PROBLEM,
- UNAME " no valid digits in %s `%s'", typestr, idstr);
- }
- if ( id == ULONG_MAX && errno == ERANGE ) {
- exit_error(PARAMETER_PROBLEM,
- "%s `%s' specified too big: would overflow",
- typestr, idstr);
- }
- if ( *idstr != '\0' && *ep != '\0' ) {
- exit_error(PARAMETER_PROBLEM,
- UNAME " error parsing %s `%s'", typestr, idstr);
- }
- return (u_int32_t) id;
-}
-
-static int
-parse_options(const char *optsstr, u_int16_t *opts)
-{
- char *buffer, *cp, *next, *range;
- unsigned int i;
-
- buffer = strdup(optsstr);
- if (!buffer)
- exit_error(OTHER_PROBLEM, "strdup failed");
-
- for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++)
- {
- next = strchr(cp, ',');
-
- if (next)
- *next++='\0';
-
- range = strchr(cp, ':');
-
- if (range) {
- if (i == IP6T_OPTS_OPTSNR-1)
- exit_error(PARAMETER_PROBLEM,
- "too many ports specified");
- *range++ = '\0';
- }
-
- opts[i] = (u_int16_t)((parse_opts_num(cp,"opt") & 0x000000FF)<<8);
- if (range) {
- if (opts[i] == 0)
- exit_error(PARAMETER_PROBLEM,
- "PAD0 hasn't got length");
- opts[i] |= (u_int16_t)(parse_opts_num(range,"length") &
- 0x000000FF);
- } else
- opts[i] |= (0x00FF);
-
-#ifdef DEBUG
- printf("opts str: %s %s\n", cp, range);
- printf("opts opt: %04X\n", opts[i]);
-#endif
- }
-
- if (cp)
- exit_error(PARAMETER_PROBLEM, "too many addresses specified");
-
- free(buffer);
-
-#ifdef DEBUG
- printf("addr nr: %d\n", i);
-#endif
-
- return i;
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_opts *optinfo = (struct ip6t_opts *)m->data;
-
- optinfo->hdrlen = 0;
- optinfo->flags = 0;
- optinfo->invflags = 0;
- optinfo->optsnr = 0;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_opts *optinfo = (struct ip6t_opts *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IP6T_OPTS_LEN)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--" LNAME "-len' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- optinfo->hdrlen = parse_opts_num(argv[optind-1], "length");
- if (invert)
- optinfo->invflags |= IP6T_OPTS_INV_LEN;
- optinfo->flags |= IP6T_OPTS_LEN;
- *flags |= IP6T_OPTS_LEN;
- break;
- case '2':
- if (*flags & IP6T_OPTS_OPTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--" LNAME "-opts' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- " '!' not allowed with `--" LNAME "-opts'");
- optinfo->optsnr = parse_options(argv[optind-1], optinfo->opts);
- optinfo->flags |= IP6T_OPTS_OPTS;
- *flags |= IP6T_OPTS_OPTS;
- break;
- case '3':
- if (*flags & IP6T_OPTS_NSTRICT)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--" LNAME "-not-strict' allowed");
- if ( !(*flags & IP6T_OPTS_OPTS) )
- exit_error(PARAMETER_PROBLEM,
- "`--" LNAME "-opts ...' required before `--"
- LNAME "-not-strict'");
- optinfo->flags |= IP6T_OPTS_NSTRICT;
- *flags |= IP6T_OPTS_NSTRICT;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static void
-print_options(int optsnr, u_int16_t *optsp)
-{
- unsigned int i;
-
- for(i = 0; i < optsnr; i++) {
- printf("%d", (optsp[i] & 0xFF00) >> 8);
-
- if ((optsp[i] & 0x00FF) != 0x00FF)
- printf(":%d", (optsp[i] & 0x00FF));
-
- printf("%c", (i != optsnr - 1) ? ',' : ' ');
- }
-}
-
-/* Prints out the union ip6t_matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match, int numeric)
-{
- const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
-
- printf(LNAME " ");
- if (optinfo->flags & IP6T_OPTS_LEN)
- printf("length:%s%u ",
- optinfo->invflags & IP6T_OPTS_INV_LEN ? "!" : "",
- optinfo->hdrlen);
-
- if (optinfo->flags & IP6T_OPTS_OPTS)
- printf("opts ");
-
- print_options(optinfo->optsnr, (u_int16_t *)optinfo->opts);
-
- if (optinfo->flags & IP6T_OPTS_NSTRICT)
- printf("not-strict ");
-
- if (optinfo->invflags & ~IP6T_OPTS_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- optinfo->invflags & ~IP6T_OPTS_INV_MASK);
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
-
- if (optinfo->flags & IP6T_OPTS_LEN) {
- printf("--" LNAME "-len %s%u ",
- (optinfo->invflags & IP6T_OPTS_INV_LEN) ? "! " : "",
- optinfo->hdrlen);
- }
-
- if (optinfo->flags & IP6T_OPTS_OPTS)
- printf("--" LNAME "-opts ");
-
- print_options(optinfo->optsnr, (u_int16_t *)optinfo->opts);
-
- if (optinfo->flags & IP6T_OPTS_NSTRICT)
- printf("--" LNAME "-not-strict ");
-}
-
-static
-struct ip6tables_match optstruct = {
- .name = LNAME,
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_opts)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_opts)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-_init(void)
-{
- register_match6(&optstruct);
-}
diff --git a/extensions/libip6t_dst.man b/extensions/libip6t_dst.man
deleted file mode 100644
index f42d822..0000000
--- a/extensions/libip6t_dst.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This module matches the parameters in Destination Options header
-.TP
-.BR "--dst-len " "[!] \fIlength"
-Total length of this header in octets.
-.TP
-.BR "--dst-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
-numeric type of option and the length of the option data in octets.
diff --git a/extensions/libip6t_esp.c b/extensions/libip6t_esp.c
deleted file mode 100644
index 886e09b..0000000
--- a/extensions/libip6t_esp.c
+++ /dev/null
@@ -1,185 +0,0 @@
-/* Shared library add-on to ip6tables to add ESP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <errno.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6t_esp.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"ESP v%s options:\n"
-" --espspi [!] spi[:spi] match spi (range)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "espspi", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = 0 }
-};
-
-static u_int32_t
-parse_esp_spi(const char *spistr)
-{
- unsigned long int spi;
- char* ep;
-
- spi = strtoul(spistr, &ep, 0);
-
- if ( spistr == ep ) {
- exit_error(PARAMETER_PROBLEM,
- "ESP no valid digits in spi `%s'", spistr);
- }
- if ( spi == ULONG_MAX && errno == ERANGE ) {
- exit_error(PARAMETER_PROBLEM,
- "spi `%s' specified too big: would overflow", spistr);
- }
- if ( *spistr != '\0' && *ep != '\0' ) {
- exit_error(PARAMETER_PROBLEM,
- "ESP error parsing spi `%s'", spistr);
- }
- return (u_int32_t) spi;
-}
-
-static void
-parse_esp_spis(const char *spistring, u_int32_t *spis)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(spistring);
- if ((cp = strchr(buffer, ':')) == NULL)
- spis[0] = spis[1] = parse_esp_spi(buffer);
- else {
- *cp = '\0';
- cp++;
-
- spis[0] = buffer[0] ? parse_esp_spi(buffer) : 0;
- spis[1] = cp[0] ? parse_esp_spi(cp) : 0xFFFFFFFF;
- if (spis[0] > spis[1])
- exit_error(PARAMETER_PROBLEM,
- "Invalid ESP spi range: %s", spistring);
- }
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_esp *espinfo = (struct ip6t_esp *)m->data;
-
- espinfo->spis[1] = 0xFFFFFFFF;
-}
-
-#define ESP_SPI 0x01
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_esp *espinfo = (struct ip6t_esp *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & ESP_SPI)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--espspi' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_esp_spis(argv[optind-1], espinfo->spis);
- if (invert)
- espinfo->invflags |= IP6T_ESP_INV_SPI;
- *flags |= ESP_SPI;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static void
-print_spis(const char *name, u_int32_t min, u_int32_t max,
- int invert)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFFFFFF || invert) {
- if (min == max)
- printf("%s:%s%u ", name, inv, min);
- else
- printf("%ss:%s%u:%u ", name, inv, min, max);
- }
-}
-
-/* Prints out the union ip6t_matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match, int numeric)
-{
- const struct ip6t_esp *esp = (struct ip6t_esp *)match->data;
-
- printf("esp ");
- print_spis("spi", esp->spis[0], esp->spis[1],
- esp->invflags & IP6T_ESP_INV_SPI);
- if (esp->invflags & ~IP6T_ESP_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- esp->invflags & ~IP6T_ESP_INV_MASK);
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_esp *espinfo = (struct ip6t_esp *)match->data;
-
- if (!(espinfo->spis[0] == 0
- && espinfo->spis[1] == 0xFFFFFFFF)) {
- printf("--espspi %s",
- (espinfo->invflags & IP6T_ESP_INV_SPI) ? "! " : "");
- if (espinfo->spis[0]
- != espinfo->spis[1])
- printf("%u:%u ",
- espinfo->spis[0],
- espinfo->spis[1]);
- else
- printf("%u ",
- espinfo->spis[0]);
- }
-
-}
-
-static
-struct ip6tables_match esp = {
- .name = "esp",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_esp)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_esp)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-_init(void)
-{
- register_match6(&esp);
-}
diff --git a/extensions/libip6t_esp.man b/extensions/libip6t_esp.man
deleted file mode 100644
index 7898e02..0000000
--- a/extensions/libip6t_esp.man
+++ /dev/null
@@ -1,3 +0,0 @@
-This module matches the SPIs in ESP header of IPsec packets.
-.TP
-.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
diff --git a/extensions/libip6t_eui64.c b/extensions/libip6t_eui64.c
deleted file mode 100644
index c74b04d..0000000
--- a/extensions/libip6t_eui64.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/* Shared library add-on to ip6tables to add EUI64 address checking support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#if defined(__GLIBC__) && __GLIBC__ == 2
-#include <net/ethernet.h>
-#else
-#include <linux/if_ether.h>
-#endif
-#include <ip6tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"eui64 v%s options:\n"
-" This module hasn't got any option\n"
-" This module checks for EUI64 IPv6 addresses\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- return 0;
-}
-
-/* Final check */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- printf("eui64 ");
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
-
-}
-
-static struct ip6tables_match eui64 = {
- .name = "eui64",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(int)),
- .userspacesize = IP6T_ALIGN(sizeof(int)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&eui64);
-}
diff --git a/extensions/libip6t_eui64.man b/extensions/libip6t_eui64.man
deleted file mode 100644
index cd80b98..0000000
--- a/extensions/libip6t_eui64.man
+++ /dev/null
@@ -1,10 +0,0 @@
-This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
-It compares the EUI-64 derived from the source MAC address in Ethernet frame
-with the lower 64 bits of the IPv6 source address. But "Universal/Local"
-bit is not compared. This module doesn't match other link layer frame, and
-is only valid in the
-.BR PREROUTING ,
-.BR INPUT
-and
-.BR FORWARD
-chains.
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
deleted file mode 100644
index 51a14fa..0000000
--- a/extensions/libip6t_frag.c
+++ /dev/null
@@ -1,272 +0,0 @@
-/* Shared library add-on to ip6tables to add Fragmentation header support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <errno.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6t_frag.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"FRAG v%s options:\n"
-" --fragid [!] id[:id] match the id (range)\n"
-" --fraglen [!] length total length of this header\n"
-" --fragres check the reserved filed, too\n"
-" --fragfirst matches on the first fragment\n"
-" [--fragmore|--fraglast] there are more fragments or this\n"
-" is the last one\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "fragid", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "fraglen", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "fragres", .has_arg = 0, .flag = 0, .val = '3' },
- { .name = "fragfirst", .has_arg = 0, .flag = 0, .val = '4' },
- { .name = "fragmore", .has_arg = 0, .flag = 0, .val = '5' },
- { .name = "fraglast", .has_arg = 0, .flag = 0, .val = '6' },
- { .name = 0 }
-};
-
-static u_int32_t
-parse_frag_id(const char *idstr, const char *typestr)
-{
- unsigned long int id;
- char* ep;
-
- id = strtoul(idstr, &ep, 0);
-
- if ( idstr == ep ) {
- exit_error(PARAMETER_PROBLEM,
- "FRAG no valid digits in %s `%s'", typestr, idstr);
- }
- if ( id == ULONG_MAX && errno == ERANGE ) {
- exit_error(PARAMETER_PROBLEM,
- "%s `%s' specified too big: would overflow",
- typestr, idstr);
- }
- if ( *idstr != '\0' && *ep != '\0' ) {
- exit_error(PARAMETER_PROBLEM,
- "FRAG error parsing %s `%s'", typestr, idstr);
- }
- return (u_int32_t) id;
-}
-
-static void
-parse_frag_ids(const char *idstring, u_int32_t *ids)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(idstring);
- if ((cp = strchr(buffer, ':')) == NULL)
- ids[0] = ids[1] = parse_frag_id(buffer,"id");
- else {
- *cp = '\0';
- cp++;
-
- ids[0] = buffer[0] ? parse_frag_id(buffer,"id") : 0;
- ids[1] = cp[0] ? parse_frag_id(cp,"id") : 0xFFFFFFFF;
- }
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_frag *fraginfo = (struct ip6t_frag *)m->data;
-
- fraginfo->ids[0] = 0x0L;
- fraginfo->ids[1] = 0xFFFFFFFF;
- fraginfo->hdrlen = 0;
- fraginfo->flags = 0;
- fraginfo->invflags = 0;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_frag *fraginfo = (struct ip6t_frag *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IP6T_FRAG_IDS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--fragid' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_frag_ids(argv[optind-1], fraginfo->ids);
- if (invert)
- fraginfo->invflags |= IP6T_FRAG_INV_IDS;
- fraginfo->flags |= IP6T_FRAG_IDS;
- *flags |= IP6T_FRAG_IDS;
- break;
- case '2':
- if (*flags & IP6T_FRAG_LEN)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--fraglen' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- fraginfo->hdrlen = parse_frag_id(argv[optind-1], "length");
- if (invert)
- fraginfo->invflags |= IP6T_FRAG_INV_LEN;
- fraginfo->flags |= IP6T_FRAG_LEN;
- *flags |= IP6T_FRAG_LEN;
- break;
- case '3':
- if (*flags & IP6T_FRAG_RES)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--fragres' allowed");
- fraginfo->flags |= IP6T_FRAG_RES;
- *flags |= IP6T_FRAG_RES;
- break;
- case '4':
- if (*flags & IP6T_FRAG_FST)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--fragfirst' allowed");
- fraginfo->flags |= IP6T_FRAG_FST;
- *flags |= IP6T_FRAG_FST;
- break;
- case '5':
- if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
- exit_error(PARAMETER_PROBLEM,
- "Only one `--fragmore' or `--fraglast' allowed");
- fraginfo->flags |= IP6T_FRAG_MF;
- *flags |= IP6T_FRAG_MF;
- break;
- case '6':
- if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
- exit_error(PARAMETER_PROBLEM,
- "Only one `--fragmore' or `--fraglast' allowed");
- fraginfo->flags |= IP6T_FRAG_NMF;
- *flags |= IP6T_FRAG_NMF;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static void
-print_ids(const char *name, u_int32_t min, u_int32_t max,
- int invert)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFFFFFF || invert) {
- printf("%s", name);
- if (min == max)
- printf(":%s%u ", inv, min);
- else
- printf("s:%s%u:%u ", inv, min, max);
- }
-}
-
-/* Prints out the union ip6t_matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match, int numeric)
-{
- const struct ip6t_frag *frag = (struct ip6t_frag *)match->data;
-
- printf("frag ");
- print_ids("id", frag->ids[0], frag->ids[1],
- frag->invflags & IP6T_FRAG_INV_IDS);
-
- if (frag->flags & IP6T_FRAG_LEN) {
- printf("length:%s%u ",
- frag->invflags & IP6T_FRAG_INV_LEN ? "!" : "",
- frag->hdrlen);
- }
-
- if (frag->flags & IP6T_FRAG_RES)
- printf("reserved ");
-
- if (frag->flags & IP6T_FRAG_FST)
- printf("first ");
-
- if (frag->flags & IP6T_FRAG_MF)
- printf("more ");
-
- if (frag->flags & IP6T_FRAG_NMF)
- printf("last ");
-
- if (frag->invflags & ~IP6T_FRAG_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- frag->invflags & ~IP6T_FRAG_INV_MASK);
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data;
-
- if (!(fraginfo->ids[0] == 0
- && fraginfo->ids[1] == 0xFFFFFFFF)) {
- printf("--fragid %s",
- (fraginfo->invflags & IP6T_FRAG_INV_IDS) ? "! " : "");
- if (fraginfo->ids[0]
- != fraginfo->ids[1])
- printf("%u:%u ",
- fraginfo->ids[0],
- fraginfo->ids[1]);
- else
- printf("%u ",
- fraginfo->ids[0]);
- }
-
- if (fraginfo->flags & IP6T_FRAG_LEN) {
- printf("--fraglen %s%u ",
- (fraginfo->invflags & IP6T_FRAG_INV_LEN) ? "! " : "",
- fraginfo->hdrlen);
- }
-
- if (fraginfo->flags & IP6T_FRAG_RES)
- printf("--fragres ");
-
- if (fraginfo->flags & IP6T_FRAG_FST)
- printf("--fragfirst ");
-
- if (fraginfo->flags & IP6T_FRAG_MF)
- printf("--fragmore ");
-
- if (fraginfo->flags & IP6T_FRAG_NMF)
- printf("--fraglast ");
-}
-
-static
-struct ip6tables_match frag = {
- .name = "frag",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_frag)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_frag)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-_init(void)
-{
- register_match6(&frag);
-}
diff --git a/extensions/libip6t_frag.man b/extensions/libip6t_frag.man
deleted file mode 100644
index 5ac13a4..0000000
--- a/extensions/libip6t_frag.man
+++ /dev/null
@@ -1,20 +0,0 @@
-This module matches the parameters in Fragment header.
-.TP
-.BR "--fragid " "[!] \fIid\fP[:\fIid\fP]"
-Matches the given Identification or range of it.
-.TP
-.BR "--fraglen " "[!] \fIlength\fP"
-This option cannot be used with kernel version 2.6.10 or later. The length of
-Fragment header is static and this option doesn't make sense.
-.TP
-.BR "--fragres "
-Matches if the reserved fields are filled with zero.
-.TP
-.BR "--fragfirst "
-Matches on the first fragment.
-.TP
-.BR "[--fragmore]"
-Matches if there are more fragments.
-.TP
-.BR "[--fraglast]"
-Matches if this is the last fragement.
diff --git a/extensions/libip6t_hashlimit.c b/extensions/libip6t_hashlimit.c
deleted file mode 100644
index 70d2ff3..0000000
--- a/extensions/libip6t_hashlimit.c
+++ /dev/null
@@ -1,369 +0,0 @@
-/* ip6tables match extension for limiting packets per destination
- *
- * (C) 2003-2004 by Harald Welte <laforge@netfilter.org>
- *
- * Development of this code was funded by Astaro AG, http://www.astaro.com/
- *
- * Based on ipt_limit.c by
- * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
- * Hervé Eychenne <rv@wallfire.org>
- *
- * Error corections by nmalykh@bilim.com (22.01.2005)
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <stddef.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter/xt_hashlimit.h>
-
-#define XT_HASHLIMIT_BURST 5
-
-/* miliseconds */
-#define XT_HASHLIMIT_GCINTERVAL 1000
-#define XT_HASHLIMIT_EXPIRE 10000
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"hashlimit v%s options:\n"
-"--hashlimit <avg> max average match rate\n"
-" [Packets per second unless followed by \n"
-" /sec /minute /hour /day postfixes]\n"
-"--hashlimit-mode <mode> mode is a comma-separated list of\n"
-" dstip,srcip,dstport,srcport\n"
-"--hashlimit-name <name> name for /proc/net/ipt_hashlimit/\n"
-"[--hashlimit-burst <num>] number to match in a burst, default %u\n"
-"[--hashlimit-htable-size <num>] number of hashtable buckets\n"
-"[--hashlimit-htable-max <num>] number of hashtable entries\n"
-"[--hashlimit-htable-gcinterval] interval between garbage collection runs\n"
-"[--hashlimit-htable-expire] after which time are idle entries expired?\n"
-"\n", IPTABLES_VERSION, XT_HASHLIMIT_BURST);
-}
-
-static struct option opts[] = {
- { "hashlimit", 1, 0, '%' },
- { "hashlimit-burst", 1, 0, '$' },
- { "hashlimit-htable-size", 1, 0, '&' },
- { "hashlimit-htable-max", 1, 0, '*' },
- { "hashlimit-htable-gcinterval", 1, 0, '(' },
- { "hashlimit-htable-expire", 1, 0, ')' },
- { "hashlimit-mode", 1, 0, '_' },
- { "hashlimit-name", 1, 0, '"' },
- { 0 }
-};
-
-static
-int parse_rate(const char *rate, u_int32_t *val)
-{
- const char *delim;
- u_int32_t r;
- u_int32_t mult = 1; /* Seconds by default. */
-
- delim = strchr(rate, '/');
- if (delim) {
- if (strlen(delim+1) == 0)
- return 0;
-
- if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
- mult = 1;
- else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
- mult = 60;
- else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
- mult = 60*60;
- else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
- mult = 24*60*60;
- else
- return 0;
- }
- r = atoi(rate);
- if (!r)
- return 0;
-
- /* This would get mapped to infinite (1/day is minimum they
- can specify, so we're ok at that end). */
- if (r / mult > XT_HASHLIMIT_SCALE)
- exit_error(PARAMETER_PROBLEM, "Rate too fast `%s'\n", rate);
-
- *val = XT_HASHLIMIT_SCALE * mult / r;
- return 1;
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct xt_hashlimit_info *r = (struct xt_hashlimit_info *)m->data;
-
- r->cfg.burst = XT_HASHLIMIT_BURST;
- r->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
- r->cfg.expire = XT_HASHLIMIT_EXPIRE;
-
-}
-
-
-/* Parse a 'mode' parameter into the required bitmask */
-static int parse_mode(struct xt_hashlimit_info *r, char *optarg)
-{
- char *tok;
- char *arg = strdup(optarg);
-
- if (!arg)
- return -1;
-
- r->cfg.mode = 0;
-
- for (tok = strtok(arg, ",|");
- tok;
- tok = strtok(NULL, ",|")) {
- if (!strcmp(tok, "dstip"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_DIP;
- else if (!strcmp(tok, "srcip"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_SIP;
- else if (!strcmp(tok, "srcport"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_SPT;
- else if (!strcmp(tok, "dstport"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_DPT;
- else {
- free(arg);
- return -1;
- }
- }
- free(arg);
- return 0;
-}
-
-#define PARAM_LIMIT 0x00000001
-#define PARAM_BURST 0x00000002
-#define PARAM_MODE 0x00000004
-#define PARAM_NAME 0x00000008
-#define PARAM_SIZE 0x00000010
-#define PARAM_MAX 0x00000020
-#define PARAM_GCINTERVAL 0x00000040
-#define PARAM_EXPIRE 0x00000080
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct xt_hashlimit_info *r =
- (struct xt_hashlimit_info *)(*match)->data;
- unsigned int num;
-
- switch(c) {
- case '%':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (!parse_rate(optarg, &r->cfg.avg))
- exit_error(PARAMETER_PROBLEM,
- "bad rate `%s'", optarg);
- *flags |= PARAM_LIMIT;
- break;
-
- case '$':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-burst `%s'", optarg);
- r->cfg.burst = num;
- *flags |= PARAM_BURST;
- break;
- case '&':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-htable-size: `%s'", optarg);
- r->cfg.size = num;
- *flags |= PARAM_SIZE;
- break;
- case '*':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-htable-max: `%s'", optarg);
- r->cfg.max = num;
- *flags |= PARAM_MAX;
- break;
- case '(':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-htable-gcinterval: `%s'",
- optarg);
- /* FIXME: not HZ dependent!! */
- r->cfg.gc_interval = num;
- *flags |= PARAM_GCINTERVAL;
- break;
- case ')':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-htable-expire: `%s'", optarg);
- /* FIXME: not HZ dependent */
- r->cfg.expire = num;
- *flags |= PARAM_EXPIRE;
- break;
- case '_':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (parse_mode(r, optarg) < 0)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-mode: `%s'\n", optarg);
- *flags |= PARAM_MODE;
- break;
- case '"':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (strlen(optarg) == 0)
- exit_error(PARAMETER_PROBLEM, "Zero-length name?");
- strncpy(r->name, optarg, sizeof(r->name));
- *flags |= PARAM_NAME;
- break;
- default:
- return 0;
- }
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "hashlimit does not support invert");
-
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
- if (!(flags & PARAM_LIMIT))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --hashlimit");
- if (!(flags & PARAM_MODE))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --hashlimit-mode");
- if (!(flags & PARAM_NAME))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --hashlimit-name");
-}
-
-static struct rates
-{
- const char *name;
- u_int32_t mult;
-} rates[] = { { "day", XT_HASHLIMIT_SCALE*24*60*60 },
- { "hour", XT_HASHLIMIT_SCALE*60*60 },
- { "min", XT_HASHLIMIT_SCALE*60 },
- { "sec", XT_HASHLIMIT_SCALE } };
-
-static void print_rate(u_int32_t period)
-{
- unsigned int i;
-
- for (i = 1; i < sizeof(rates)/sizeof(struct rates); i++) {
- if (period > rates[i].mult
- || rates[i].mult/period < rates[i].mult%period)
- break;
- }
-
- printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
-}
-
-static void print_mode(const struct xt_hashlimit_info *r, char separator)
-{
- int prevmode = 0;
-
- if (r->cfg.mode & XT_HASHLIMIT_HASH_SIP) {
- if (prevmode)
- putchar(separator);
- fputs("srcip", stdout);
- prevmode = 1;
- }
- if (r->cfg.mode & XT_HASHLIMIT_HASH_SPT) {
- if (prevmode)
- putchar(separator);
- fputs("srcport", stdout);
- prevmode = 1;
- }
- if (r->cfg.mode & XT_HASHLIMIT_HASH_DIP) {
- if (prevmode)
- putchar(separator);
- fputs("dstip", stdout);
- prevmode = 1;
- }
- if (r->cfg.mode & XT_HASHLIMIT_HASH_DPT) {
- if (prevmode)
- putchar(separator);
- fputs("dstport", stdout);
- }
- putchar(' ');
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- struct xt_hashlimit_info *r =
- (struct xt_hashlimit_info *)match->data;
- fputs("limit: avg ", stdout); print_rate(r->cfg.avg);
- printf("burst %u ", r->cfg.burst);
- fputs("mode ", stdout);
- print_mode(r, '-');
- if (r->cfg.size)
- printf("htable-size %u ", r->cfg.size);
- if (r->cfg.max)
- printf("htable-max %u ", r->cfg.max);
- if (r->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
- printf("htable-gcinterval %u ", r->cfg.gc_interval);
- if (r->cfg.expire != XT_HASHLIMIT_EXPIRE)
- printf("htable-expire %u ", r->cfg.expire);
-}
-
-/* FIXME: Make minimalist: only print rate if not default --RR */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- struct xt_hashlimit_info *r =
- (struct xt_hashlimit_info *)match->data;
-
- fputs("--hashlimit ", stdout); print_rate(r->cfg.avg);
- if (r->cfg.burst != XT_HASHLIMIT_BURST)
- printf("--hashlimit-burst %u ", r->cfg.burst);
-
- fputs("--hashlimit-mode ", stdout);
- print_mode(r, ',');
-
- printf("--hashlimit-name %s ", r->name);
-
- if (r->cfg.size)
- printf("--hashlimit-htable-size %u ", r->cfg.size);
- if (r->cfg.max)
- printf("--hashlimit-htable-max %u ", r->cfg.max);
- if (r->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
- printf("--hashlimit-htable-gcinterval %u", r->cfg.gc_interval);
- if (r->cfg.expire != XT_HASHLIMIT_EXPIRE)
- printf("--hashlimit-htable-expire %u ", r->cfg.expire);
-}
-
-static struct ip6tables_match hashlimit = { NULL,
- .name = "hashlimit",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct xt_hashlimit_info)),
- .userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match6(&hashlimit);
-}
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
deleted file mode 100644
index bdcbf9b..0000000
--- a/extensions/libip6t_hbh.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/* Shared library add-on to ip6tables to add Hop-by-Hop and Dst headers support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <errno.h>
-#include <ip6tables.h>
-/*#include <linux/in6.h>*/
-#include <linux/netfilter_ipv6/ip6t_opts.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-#define DEBUG 0
-#define HOPBYHOP 1
-#define UNAME (HOPBYHOP ? "HBH" : "DST")
-#define LNAME (HOPBYHOP ? "hbh" : "dst")
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"%s v%s options:\n"
-" --%s-len [!] length total length of this header\n"
-" --%s-opts TYPE[:LEN][,TYPE[:LEN]...] \n"
-" Options and its length (list, max: %d)\n",
-UNAME , IPTABLES_VERSION, LNAME, LNAME, IP6T_OPTS_OPTSNR);
-}
-
-#if HOPBYHOP
-static struct option opts[] = {
- { "hbh-len", 1, 0, '1' },
- { "hbh-opts", 1, 0, '2' },
- { "hbh-not-strict", 1, 0, '3' },
- {0}
-};
-#else
-static struct option opts[] = {
- { "dst-len", 1, 0, '1' },
- { "dst-opts", 1, 0, '2' },
- { "dst-not-strict", 1, 0, '3' },
- {0}
-};
-#endif
-
-static u_int32_t
-parse_opts_num(const char *idstr, const char *typestr)
-{
- unsigned long int id;
- char* ep;
-
- id = strtoul(idstr,&ep,0) ;
-
- if ( idstr == ep ) {
- exit_error(PARAMETER_PROBLEM,
- "%s no valid digits in %s `%s'", UNAME, typestr, idstr);
- }
- if ( id == ULONG_MAX && errno == ERANGE ) {
- exit_error(PARAMETER_PROBLEM,
- "%s `%s' specified too big: would overflow",
- typestr, idstr);
- }
- if ( *idstr != '\0' && *ep != '\0' ) {
- exit_error(PARAMETER_PROBLEM,
- "%s error parsing %s `%s'", UNAME, typestr, idstr);
- }
- return (u_int32_t) id;
-}
-
-static int
-parse_options(const char *optsstr, u_int16_t *opts)
-{
- char *buffer, *cp, *next, *range;
- unsigned int i;
-
- buffer = strdup(optsstr);
- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
-
- for (cp=buffer, i=0; cp && i<IP6T_OPTS_OPTSNR; cp=next,i++)
- {
- next=strchr(cp, ',');
- if (next) *next++='\0';
- range = strchr(cp, ':');
- if (range) {
- if (i == IP6T_OPTS_OPTSNR-1)
- exit_error(PARAMETER_PROBLEM,
- "too many ports specified");
- *range++ = '\0';
- }
- opts[i] = (u_int16_t)((parse_opts_num(cp,"opt") & 0x000000FF)<<8);
- if (range) {
- if (opts[i] == 0)
- exit_error(PARAMETER_PROBLEM, "PAD0 hasn't got length");
- opts[i] |= (u_int16_t)(parse_opts_num(range,"length") &
- 0x000000FF);
- } else {
- opts[i] |= (0x00FF);
- }
-
-#if DEBUG
- printf("opts str: %s %s\n", cp, range);
- printf("opts opt: %04X\n", opts[i]);
-#endif
- }
- if (cp) exit_error(PARAMETER_PROBLEM, "too many addresses specified");
-
- free(buffer);
-
-#if DEBUG
- printf("addr nr: %d\n", i);
-#endif
-
- return i;
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_opts *optinfo = (struct ip6t_opts *)m->data;
-
- optinfo->hdrlen = 0;
- optinfo->flags = 0;
- optinfo->invflags = 0;
- optinfo->optsnr = 0;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_opts *optinfo = (struct ip6t_opts *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IP6T_OPTS_LEN)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--%s-len' allowed", LNAME);
- check_inverse(optarg, &invert, &optind, 0);
- optinfo->hdrlen = parse_opts_num(argv[optind-1], "length");
- if (invert)
- optinfo->invflags |= IP6T_OPTS_INV_LEN;
- optinfo->flags |= IP6T_OPTS_LEN;
- *flags |= IP6T_OPTS_LEN;
- break;
- case '2':
- if (*flags & IP6T_OPTS_OPTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--%s-opts' allowed", LNAME);
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- " '!' not allowed with `--%s-opts'", LNAME);
- optinfo->optsnr = parse_options(argv[optind-1], optinfo->opts);
- optinfo->flags |= IP6T_OPTS_OPTS;
- *flags |= IP6T_OPTS_OPTS;
- break;
- case '3':
- if (*flags & IP6T_OPTS_NSTRICT)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--%s-not-strict' allowed", LNAME);
- if ( !(*flags & IP6T_OPTS_OPTS) )
- exit_error(PARAMETER_PROBLEM,
- "`--%s-opts ...' required before `--%s-not-strict'", LNAME, LNAME);
- optinfo->flags |= IP6T_OPTS_NSTRICT;
- *flags |= IP6T_OPTS_NSTRICT;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static void
-print_options(int optsnr, u_int16_t *optsp)
-{
- unsigned int i;
-
- for(i=0; i<optsnr; i++){
- printf("%d", (optsp[i] & 0xFF00)>>8);
- if ((optsp[i] & 0x00FF) != 0x00FF){
- printf(":%d", (optsp[i] & 0x00FF));
- }
- printf("%c", (i!=optsnr-1)?',':' ');
- }
-}
-
-/* Prints out the union ip6t_matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match, int numeric)
-{
- const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
-
- printf("%s ", LNAME);
- if (optinfo->flags & IP6T_OPTS_LEN) {
- printf("length");
- printf(":%s", optinfo->invflags & IP6T_OPTS_INV_LEN ? "!" : "");
- printf("%u", optinfo->hdrlen);
- printf(" ");
- }
- if (optinfo->flags & IP6T_OPTS_OPTS) printf("opts ");
- print_options(optinfo->optsnr, (u_int16_t *)optinfo->opts);
- if (optinfo->flags & IP6T_OPTS_NSTRICT) printf("not-strict ");
- if (optinfo->invflags & ~IP6T_OPTS_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- optinfo->invflags & ~IP6T_OPTS_INV_MASK);
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
-
- if (optinfo->flags & IP6T_OPTS_LEN) {
- printf("--%s-len %s%u ", LNAME,
- (optinfo->invflags & IP6T_OPTS_INV_LEN) ? "! " : "",
- optinfo->hdrlen);
- }
-
- if (optinfo->flags & IP6T_OPTS_OPTS) printf("--%s-opts ", LNAME);
- print_options(optinfo->optsnr, (u_int16_t *)optinfo->opts);
- if (optinfo->flags & IP6T_OPTS_NSTRICT) printf("--%s-not-strict ", LNAME);
-
-}
-
-static struct ip6tables_match optstruct = {
-#if HOPBYHOP
- .name = "hbh",
-#else
- .name = "dst",
-#endif
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_opts)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_opts)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void
-_init(void)
-{
- register_match6(&optstruct);
-}
diff --git a/extensions/libip6t_hbh.man b/extensions/libip6t_hbh.man
deleted file mode 100644
index 938e1f3..0000000
--- a/extensions/libip6t_hbh.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This module matches the parameters in Hop-by-Hop Options header
-.TP
-.BR "--hbh-len " "[!] \fIlength\fP"
-Total length of this header in octets.
-.TP
-.BR "--hbh-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
-numeric type of option and the length of the option data in octets.
diff --git a/extensions/libip6t_hl.man b/extensions/libip6t_hl.man
deleted file mode 100644
index d33e431..0000000
--- a/extensions/libip6t_hl.man
+++ /dev/null
@@ -1,10 +0,0 @@
-This module matches the Hop Limit field in the IPv6 header.
-.TP
-.BR "--hl-eq " "[!] \fIvalue\fP"
-Matches if Hop Limit equals \fIvalue\fP.
-.TP
-.BI "--hl-lt " "value"
-Matches if Hop Limit is less than \fIvalue\fP.
-.TP
-.BI "--hl-gt " "value"
-Matches if Hop Limit is greater than \fIvalue\fP.
diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
deleted file mode 100644
index 6940d0e..0000000
--- a/extensions/libip6t_icmp6.c
+++ /dev/null
@@ -1,278 +0,0 @@
-/* Shared library add-on to iptables to add ICMP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-
-struct icmpv6_names {
- const char *name;
- u_int8_t type;
- u_int8_t code_min, code_max;
-};
-
-static const struct icmpv6_names icmpv6_codes[] = {
- { "destination-unreachable", 1, 0, 0xFF },
- { "no-route", 1, 0, 0 },
- { "communication-prohibited", 1, 1, 1 },
- { "address-unreachable", 1, 3, 3 },
- { "port-unreachable", 1, 4, 4 },
-
- { "packet-too-big", 2, 0, 0xFF },
-
- { "time-exceeded", 3, 0, 0xFF },
- /* Alias */ { "ttl-exceeded", 3, 0, 0xFF },
- { "ttl-zero-during-transit", 3, 0, 0 },
- { "ttl-zero-during-reassembly", 3, 1, 1 },
-
- { "parameter-problem", 4, 0, 0xFF },
- { "bad-header", 4, 0, 0 },
- { "unknown-header-type", 4, 1, 1 },
- { "unknown-option", 4, 2, 2 },
-
- { "echo-request", 128, 0, 0xFF },
- /* Alias */ { "ping", 128, 0, 0xFF },
-
- { "echo-reply", 129, 0, 0xFF },
- /* Alias */ { "pong", 129, 0, 0xFF },
-
- { "router-solicitation", 133, 0, 0xFF },
-
- { "router-advertisement", 134, 0, 0xFF },
-
- { "neighbour-solicitation", 135, 0, 0xFF },
- /* Alias */ { "neighbor-solicitation", 135, 0, 0xFF },
-
- { "neighbour-advertisement", 136, 0, 0xFF },
- /* Alias */ { "neighbor-advertisement", 136, 0, 0xFF },
-
- { "redirect", 137, 0, 0xFF },
-
-};
-
-static void
-print_icmpv6types()
-{
- unsigned int i;
- printf("Valid ICMPv6 Types:");
-
- for (i = 0; i < sizeof(icmpv6_codes)/sizeof(struct icmpv6_names); i++) {
- if (i && icmpv6_codes[i].type == icmpv6_codes[i-1].type) {
- if (icmpv6_codes[i].code_min == icmpv6_codes[i-1].code_min
- && (icmpv6_codes[i].code_max
- == icmpv6_codes[i-1].code_max))
- printf(" (%s)", icmpv6_codes[i].name);
- else
- printf("\n %s", icmpv6_codes[i].name);
- }
- else
- printf("\n%s", icmpv6_codes[i].name);
- }
- printf("\n");
-}
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"ICMPv6 v%s options:\n"
-" --icmpv6-type [!] typename match icmpv6 type\n"
-" (or numeric type or type/code)\n"
-"\n", IPTABLES_VERSION);
- print_icmpv6types();
-}
-
-static struct option opts[] = {
- { "icmpv6-type", 1, 0, '1' },
- {0}
-};
-
-static void
-parse_icmpv6(const char *icmpv6type, u_int8_t *type, u_int8_t code[])
-{
- unsigned int limit = sizeof(icmpv6_codes)/sizeof(struct icmpv6_names);
- unsigned int match = limit;
- unsigned int i;
-
- for (i = 0; i < limit; i++) {
- if (strncasecmp(icmpv6_codes[i].name, icmpv6type, strlen(icmpv6type))
- == 0) {
- if (match != limit)
- exit_error(PARAMETER_PROBLEM,
- "Ambiguous ICMPv6 type `%s':"
- " `%s' or `%s'?",
- icmpv6type,
- icmpv6_codes[match].name,
- icmpv6_codes[i].name);
- match = i;
- }
- }
-
- if (match != limit) {
- *type = icmpv6_codes[match].type;
- code[0] = icmpv6_codes[match].code_min;
- code[1] = icmpv6_codes[match].code_max;
- } else {
- char *slash;
- char buffer[strlen(icmpv6type) + 1];
- unsigned int number;
-
- strcpy(buffer, icmpv6type);
- slash = strchr(buffer, '/');
-
- if (slash)
- *slash = '\0';
-
- if (string_to_number(buffer, 0, 255, &number) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid ICMPv6 type `%s'\n", buffer);
- *type = number;
- if (slash) {
- if (string_to_number(slash+1, 0, 255, &number) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid ICMPv6 code `%s'\n",
- slash+1);
- code[0] = code[1] = number;
- } else {
- code[0] = 0;
- code[1] = 0xFF;
- }
- }
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)m->data;
-
- icmpv6info->code[1] = 0xFF;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags == 1)
- exit_error(PARAMETER_PROBLEM,
- "icmpv6 match: only use --icmpv6-type once!");
- check_inverse(optarg, &invert, &optind, 0);
- parse_icmpv6(argv[optind-1], &icmpv6info->type,
- icmpv6info->code);
- if (invert)
- icmpv6info->invflags |= IP6T_ICMP_INV;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void print_icmpv6type(u_int8_t type,
- u_int8_t code_min, u_int8_t code_max,
- int invert,
- int numeric)
-{
- if (!numeric) {
- unsigned int i;
-
- for (i = 0;
- i < sizeof(icmpv6_codes)/sizeof(struct icmpv6_names);
- i++) {
- if (icmpv6_codes[i].type == type
- && icmpv6_codes[i].code_min == code_min
- && icmpv6_codes[i].code_max == code_max)
- break;
- }
-
- if (i != sizeof(icmpv6_codes)/sizeof(struct icmpv6_names)) {
- printf("%s%s ",
- invert ? "!" : "",
- icmpv6_codes[i].name);
- return;
- }
- }
-
- if (invert)
- printf("!");
-
- printf("type %u", type);
- if (code_min == 0 && code_max == 0xFF)
- printf(" ");
- else if (code_min == code_max)
- printf(" code %u ", code_min);
- else
- printf(" codes %u-%u ", code_min, code_max);
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data;
-
- printf("ipv6-icmp ");
- print_icmpv6type(icmpv6->type, icmpv6->code[0], icmpv6->code[1],
- icmpv6->invflags & IP6T_ICMP_INV,
- numeric);
-
- if (icmpv6->invflags & ~IP6T_ICMP_INV)
- printf("Unknown invflags: 0x%X ",
- icmpv6->invflags & ~IP6T_ICMP_INV);
-}
-
-/* Saves the match in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data;
-
- if (icmpv6->invflags & IP6T_ICMP_INV)
- printf("! ");
-
- printf("--icmpv6-type %u", icmpv6->type);
- if (icmpv6->code[0] != 0 || icmpv6->code[1] != 0xFF)
- printf("/%u", icmpv6->code[0]);
- printf(" ");
-}
-
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "icmpv6 match: You must specify `--icmpv6-type'");
-}
-
-static struct ip6tables_match icmpv6 = {
- .name = "icmp6",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_icmp)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_icmp)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&icmpv6);
-}
diff --git a/extensions/libip6t_icmp6.man b/extensions/libip6t_icmp6.man
deleted file mode 100644
index 2047180..0000000
--- a/extensions/libip6t_icmp6.man
+++ /dev/null
@@ -1,14 +0,0 @@
-This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
-specified. It provides the following option:
-.TP
-.BR "--icmpv6-type " "[!] \fItype\fP[/\fIcode\fP]|\fItypename\fP"
-This allows specification of the ICMPv6 type, which can be a numeric
-ICMPv6
-.IR type ,
-.IR type
-and
-.IR code ,
-or one of the ICMPv6 type names shown by the command
-.nf
- ip6tables -p ipv6-icmp -h
-.fi
diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
deleted file mode 100644
index a260e6e..0000000
--- a/extensions/libip6t_ipv6header.c
+++ /dev/null
@@ -1,316 +0,0 @@
-/* ipv6header match - matches IPv6 packets based
-on whether they contain certain headers */
-
-/* Original idea: Brad Chapman
- * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */
-
-#include <getopt.h>
-#include <ip6tables.h>
-#include <stddef.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
-#include <sys/types.h>
-
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_ipv6header.h>
-
-/* This maybe required
-#include <linux/in.h>
-#include <linux/in6.h>
-*/
-
-
-/* A few hardcoded protocols for 'all' and in case the user has no
- * /etc/protocols */
-struct pprot {
- char *name;
- u_int8_t num;
-};
-
-struct numflag {
- u_int8_t proto;
- u_int8_t flag;
-};
-
-static const struct pprot chain_protos[] = {
- { "hop-by-hop", IPPROTO_HOPOPTS },
- { "protocol", IPPROTO_RAW },
- { "hop", IPPROTO_HOPOPTS },
- { "dst", IPPROTO_DSTOPTS },
- { "route", IPPROTO_ROUTING },
- { "frag", IPPROTO_FRAGMENT },
- { "auth", IPPROTO_AH },
- { "esp", IPPROTO_ESP },
- { "none", IPPROTO_NONE },
- { "prot", IPPROTO_RAW },
- { "0", IPPROTO_HOPOPTS },
- { "60", IPPROTO_DSTOPTS },
- { "43", IPPROTO_ROUTING },
- { "44", IPPROTO_FRAGMENT },
- { "51", IPPROTO_AH },
- { "50", IPPROTO_ESP },
- { "59", IPPROTO_NONE },
- { "255", IPPROTO_RAW },
- /* { "all", 0 }, */
-};
-
-static const struct numflag chain_flags[] = {
- { IPPROTO_HOPOPTS, MASK_HOPOPTS },
- { IPPROTO_DSTOPTS, MASK_DSTOPTS },
- { IPPROTO_ROUTING, MASK_ROUTING },
- { IPPROTO_FRAGMENT, MASK_FRAGMENT },
- { IPPROTO_AH, MASK_AH },
- { IPPROTO_ESP, MASK_ESP },
- { IPPROTO_NONE, MASK_NONE },
- { IPPROTO_RAW, MASK_PROTO },
-};
-
-static char *
-proto_to_name(u_int8_t proto, int nolookup)
-{
- unsigned int i;
-
- if (proto && !nolookup) {
- struct protoent *pent = getprotobynumber(proto);
- if (pent)
- return pent->p_name;
- }
-
- for (i = 0; i < sizeof(chain_protos)/sizeof(struct pprot); i++)
- if (chain_protos[i].num == proto)
- return chain_protos[i].name;
-
- return NULL;
-}
-
-static u_int16_t
-name_to_proto(const char *s)
-{
- unsigned int proto=0;
- struct protoent *pent;
-
- if ((pent = getprotobyname(s)))
- proto = pent->p_proto;
- else {
- unsigned int i;
- for (i = 0;
- i < sizeof(chain_protos)/sizeof(struct pprot);
- i++) {
- if (strcmp(s, chain_protos[i].name) == 0) {
- proto = chain_protos[i].num;
- break;
- }
- }
-
- if (i == sizeof(chain_protos)/sizeof(struct pprot))
- exit_error(PARAMETER_PROBLEM,
- "unknown header `%s' specified",
- s);
- }
-
- return (u_int16_t)proto;
-}
-
-static unsigned int
-add_proto_to_mask(int proto){
- unsigned int i=0, flag=0;
-
- for (i = 0;
- i < sizeof(chain_flags)/sizeof(struct numflag);
- i++) {
- if (proto == chain_flags[i].proto){
- flag = chain_flags[i].flag;
- break;
- }
- }
-
- if (i == sizeof(chain_flags)/sizeof(struct numflag))
- exit_error(PARAMETER_PROBLEM,
- "unknown header `%d' specified",
- proto);
-
- return flag;
-}
-
-static void
-help(void)
-{
- printf(
-"ipv6header v%s match options:\n"
-"--header [!] headers Type of header to match, by name\n"
-" names: hop,dst,route,frag,auth,esp,none,proto\n"
-" long names: hop-by-hop,ipv6-opts,ipv6-route,\n"
-" ipv6-frag,ah,esp,ipv6-nonxt,protocol\n"
-" numbers: 0,60,43,44,51,50,59\n"
-"--soft The header CONTAINS the specified extensions\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "header", 1, 0, '1' },
- { "soft", 0, 0, '2' },
- { 0 }
-};
-
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)m->data;
-
- info->matchflags = 0x00;
- info->invflags = 0x00;
- info->modeflag = 0x00;
-}
-
-static unsigned int
-parse_header(const char *flags) {
- unsigned int ret = 0;
- char *ptr;
- char *buffer;
-
- buffer = strdup(flags);
-
- for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
- ret |= add_proto_to_mask(name_to_proto(ptr));
-
- free(buffer);
- return ret;
-}
-
-#define IPV6_HDR_HEADER 0x01
-#define IPV6_HDR_SOFT 0x02
-
-/* Parses command options; returns 0 if it ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)(*match)->data;
-
- switch (c) {
- case '1' :
- /* Parse the provided header names */
- if (*flags & IPV6_HDR_HEADER)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--header' allowed");
-
- check_inverse(optarg, &invert, &optind, 0);
-
- if (! (info->matchflags = parse_header(argv[optind-1])) )
- exit_error(PARAMETER_PROBLEM, "ip6t_ipv6header: cannot parse header names");
-
- if (invert)
- info->invflags |= 0xFF;
- *flags |= IPV6_HDR_HEADER;
- break;
- case '2' :
- /* Soft-mode requested? */
- if (*flags & IPV6_HDR_SOFT)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--soft' allowed");
-
- info->modeflag |= 0xFF;
- *flags |= IPV6_HDR_SOFT;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Checks the flags variable */
-static void
-final_check(unsigned int flags)
-{
- if (!flags) exit_error(PARAMETER_PROBLEM, "ip6t_ipv6header: no options specified");
-}
-
-static void
-print_header(u_int8_t flags){
- int have_flag = 0;
-
- while (flags) {
- unsigned int i;
-
- for (i = 0; (flags & chain_flags[i].flag) == 0; i++);
-
- if (have_flag)
- printf(",");
-
- printf("%s", proto_to_name(chain_flags[i].proto,0));
- have_flag = 1;
-
- flags &= ~chain_flags[i].flag;
- }
-
- if (!have_flag)
- printf("NONE");
-}
-
-/* Prints out the match */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
- printf("ipv6header ");
-
- if (info->matchflags || info->invflags) {
- printf("flags:%s", info->invflags ? "!" : "");
- if (numeric)
- printf("0x%02X ", info->matchflags);
- else {
- print_header(info->matchflags);
- printf(" ");
- }
- }
-
- if (info->modeflag)
- printf("soft ");
-
- return;
-}
-
-/* Saves the match */
-static void
-save(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match)
-{
-
- const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
-
- printf("--header ");
- printf("%s", info->invflags ? "!" : "");
- print_header(info->matchflags);
- printf(" ");
- if (info->modeflag)
- printf("--soft ");
-
- return;
-}
-
-static
-struct ip6tables_match ipv6header = {
- .name = "ipv6header",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&ipv6header);
-}
diff --git a/extensions/libip6t_ipv6header.man b/extensions/libip6t_ipv6header.man
deleted file mode 100644
index fe3fe98..0000000
--- a/extensions/libip6t_ipv6header.man
+++ /dev/null
@@ -1,29 +0,0 @@
-This module matches IPv6 extension headers and/or upper layer header.
-.TP
-.BR "--header " "[!] \fIheader\fP[,\fIheader\fP...]"
-Matches the packet which EXACTLY includes all specified headers. The headers
-encapsulated with ESP header are out of scope.
-.IR header
-can be
-.IR hop | hop-by-hop
-(Hop-by-Hop Options header),
-.IR dst
-(Destination Options header),
-.IR route
-(Routing header),
-.IR frag
-(Fragment header),
-.IR auth
-(Authentication header),
-.IR esp
-(Encapsulating Security Payload header),
-.IR none
-(No Next header) which matches 59 in the 'Next Header field' of IPv6 header or any IPv6 extension headers, or
-.IR proto
-which matches any upper layer protocol header. A protocol name from /etc/protocols and numeric value also allowed. The number 255 is equivalent to
-.IR proto .
-.TP
-.BR "[--soft]"
-Matches if the packet includes all specified headers with
-.BR --header ,
-AT LEAST.
diff --git a/extensions/libip6t_length.c b/extensions/libip6t_length.c
deleted file mode 100644
index 9f7ba16..0000000
--- a/extensions/libip6t_length.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/* Shared library add-on to ip6tables to add packet length matching support. */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6t_length.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"length v%s options:\n"
-"[!] --length length[:length] Match packet length against value or range\n"
-" of values (inclusive)\n",
-IPTABLES_VERSION);
-
-}
-
-static struct option opts[] = {
- { "length", 1, 0, '1' },
- {0}
-};
-
-static u_int16_t
-parse_length(const char *s)
-{
-
- unsigned int len;
-
- if (string_to_number(s, 0, 0xFFFF, &len) == -1)
- exit_error(PARAMETER_PROBLEM, "length invalid: `%s'\n", s);
- else
- return (u_int16_t )len;
-}
-
-/* If a single value is provided, min and max are both set to the value */
-static void
-parse_lengths(const char *s, struct ip6t_length_info *info)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(s);
- if ((cp = strchr(buffer, ':')) == NULL)
- info->min = info->max = parse_length(buffer);
- else {
- *cp = '\0';
- cp++;
-
- info->min = buffer[0] ? parse_length(buffer) : 0;
- info->max = cp[0] ? parse_length(cp) : 0xFFFF;
- }
- free(buffer);
-
- if (info->min > info->max)
- exit_error(PARAMETER_PROBLEM,
- "length min. range value `%u' greater than max. "
- "range value `%u'", info->min, info->max);
-
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_length_info *info = (struct ip6t_length_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "length: `--length' may only be "
- "specified once");
- check_inverse(optarg, &invert, &optind, 0);
- parse_lengths(argv[optind-1], info);
- if (invert)
- info->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must have specified --length. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "length: You must specify `--length'");
-}
-
-/* Common match printing code. */
-static void
-print_length(struct ip6t_length_info *info)
-{
- if (info->invert)
- printf("! ");
-
- if (info->max == info->min)
- printf("%u ", info->min);
- else
- printf("%u:%u ", info->min, info->max);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- printf("length ");
- print_length((struct ip6t_length_info *)match->data);
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- printf("--length ");
- print_length((struct ip6t_length_info *)match->data);
-}
-
-struct ip6tables_match length = {
- .name = "length",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_length_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_length_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&length);
-}
diff --git a/extensions/libip6t_length.man b/extensions/libip6t_length.man
deleted file mode 100644
index d781a04..0000000
--- a/extensions/libip6t_length.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module matches the length of the IPv6 payload in octets, or range of it.
-IPv6 header itself isn't counted.
-.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libip6t_limit.c b/extensions/libip6t_limit.c
deleted file mode 100644
index 6c88ee1..0000000
--- a/extensions/libip6t_limit.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/* Shared library add-on to iptables to add limit support.
- *
- * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
- * Hervé Eychenne <rv@wallfire.org>
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <stddef.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv6/ip6t_limit.h"
-
-#define IP6T_LIMIT_AVG "3/hour"
-#define IP6T_LIMIT_BURST 5
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"limit v%s options:\n"
-"--limit avg max average match rate: default "IP6T_LIMIT_AVG"\n"
-" [Packets per second unless followed by \n"
-" /sec /minute /hour /day postfixes]\n"
-"--limit-burst number number to match in a burst, default %u\n"
-"\n", IPTABLES_VERSION, IP6T_LIMIT_BURST);
-}
-
-static struct option opts[] = {
- { "limit", 1, 0, '%' },
- { "limit-burst", 1, 0, '$' },
- { 0 }
-};
-
-static
-int parse_rate(const char *rate, u_int32_t *val)
-{
- const char *delim;
- u_int32_t r;
- u_int32_t mult = 1; /* Seconds by default. */
-
- delim = strchr(rate, '/');
- if (delim) {
- if (strlen(delim+1) == 0)
- return 0;
-
- if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
- mult = 1;
- else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
- mult = 60;
- else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
- mult = 60*60;
- else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
- mult = 24*60*60;
- else
- return 0;
- }
- r = atoi(rate);
- if (!r)
- return 0;
-
- /* This would get mapped to infinite (1/day is minimum they
- can specify, so we're ok at that end). */
- if (r / mult > IP6T_LIMIT_SCALE)
- exit_error(PARAMETER_PROBLEM, "Rate too fast `%s'\n", rate);
-
- *val = IP6T_LIMIT_SCALE * mult / r;
- return 1;
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_rateinfo *r = (struct ip6t_rateinfo *)m->data;
-
- parse_rate(IP6T_LIMIT_AVG, &r->avg);
- r->burst = IP6T_LIMIT_BURST;
-
-}
-
-/* FIXME: handle overflow:
- if (r->avg*r->burst/r->burst != r->avg)
- exit_error(PARAMETER_PROBLEM,
- "Sorry: burst too large for that avg rate.\n");
-*/
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_rateinfo *r = (struct ip6t_rateinfo *)(*match)->data;
- unsigned int num;
-
- switch(c) {
- case '%':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (!parse_rate(optarg, &r->avg))
- exit_error(PARAMETER_PROBLEM,
- "bad rate `%s'", optarg);
- break;
-
- case '$':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --limit-burst `%s'", optarg);
- r->burst = num;
- break;
-
- default:
- return 0;
- }
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "limit does not support invert");
-
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-static struct rates
-{
- const char *name;
- u_int32_t mult;
-} rates[] = { { "day", IP6T_LIMIT_SCALE*24*60*60 },
- { "hour", IP6T_LIMIT_SCALE*60*60 },
- { "min", IP6T_LIMIT_SCALE*60 },
- { "sec", IP6T_LIMIT_SCALE } };
-
-static void print_rate(u_int32_t period)
-{
- unsigned int i;
-
- for (i = 1; i < sizeof(rates)/sizeof(struct rates); i++) {
- if (period > rates[i].mult
- || rates[i].mult % period != 0)
- break;
- }
-
- printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- struct ip6t_rateinfo *r = (struct ip6t_rateinfo *)match->data;
- printf("limit: avg "); print_rate(r->avg);
- printf("burst %u ", r->burst);
-}
-
-/* FIXME: Make minimalist: only print rate if not default --RR */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- struct ip6t_rateinfo *r = (struct ip6t_rateinfo *)match->data;
-
- printf("--limit "); print_rate(r->avg);
- if (r->burst != IP6T_LIMIT_BURST)
- printf("--limit-burst %u ", r->burst);
-}
-
-static struct ip6tables_match limit = {
- .name = "limit",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_rateinfo)),
- .userspacesize = offsetof(struct ip6t_rateinfo, prev),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&limit);
-}
diff --git a/extensions/libip6t_limit.man b/extensions/libip6t_limit.man
deleted file mode 100644
index 84b63d4..0000000
--- a/extensions/libip6t_limit.man
+++ /dev/null
@@ -1,15 +0,0 @@
-This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
-.B LOG
-target to give limited logging, for example.
-.TP
-.BI "--limit " "rate"
-Maximum average matching rate: specified as a number, with an optional
-`/second', `/minute', `/hour', or `/day' suffix; the default is
-3/hour.
-.TP
-.BI "--limit-burst " "number"
-Maximum initial number of packets to match: this number gets
-recharged by one every time the limit specified above is not reached,
-up to this number; the default is 5.
diff --git a/extensions/libip6t_mac.c b/extensions/libip6t_mac.c
deleted file mode 100644
index e47f21f..0000000
--- a/extensions/libip6t_mac.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/* Shared library add-on to iptables to add MAC address support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#if defined(__GLIBC__) && __GLIBC__ == 2
-#include <net/ethernet.h>
-#else
-#include <linux/if_ether.h>
-#endif
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6t_mac.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"MAC v%s options:\n"
-" --mac-source [!] XX:XX:XX:XX:XX:XX\n"
-" Match source MAC address\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "mac-source", 1, 0, '1' },
- {0}
-};
-
-static void
-parse_mac(const char *mac, struct ip6t_mac_info *info)
-{
- unsigned int i = 0;
-
- if (strlen(mac) != ETH_ALEN*3-1)
- exit_error(PARAMETER_PROBLEM, "Bad mac address `%s'", mac);
-
- for (i = 0; i < ETH_ALEN; i++) {
- long number;
- char *end;
-
- number = strtol(mac + i*3, &end, 16);
-
- if (end == mac + i*3 + 2
- && number >= 0
- && number <= 255)
- info->srcaddr[i] = number;
- else
- exit_error(PARAMETER_PROBLEM,
- "Bad mac address `%s'", mac);
- }
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_mac_info *macinfo = (struct ip6t_mac_info *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
- parse_mac(argv[optind-1], macinfo);
- if (invert)
- macinfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void print_mac(unsigned char macaddress[ETH_ALEN])
-{
- unsigned int i;
-
- printf("%02X", macaddress[0]);
- for (i = 1; i < ETH_ALEN; i++)
- printf(":%02X", macaddress[i]);
- printf(" ");
-}
-
-/* Final check; must have specified --mac. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify `--mac-source'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- printf("MAC ");
-
- if (((struct ip6t_mac_info *)match->data)->invert)
- printf("! ");
-
- print_mac(((struct ip6t_mac_info *)match->data)->srcaddr);
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- if (((struct ip6t_mac_info *)match->data)->invert)
- printf("! ");
-
- printf("--mac-source ");
- print_mac(((struct ip6t_mac_info *)match->data)->srcaddr);
-}
-
-static struct ip6tables_match mac = {
- .name = "mac",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_mac_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_mac_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&mac);
-}
diff --git a/extensions/libip6t_mac.man b/extensions/libip6t_mac.man
deleted file mode 100644
index 5321ca1..0000000
--- a/extensions/libip6t_mac.man
+++ /dev/null
@@ -1,10 +0,0 @@
-.TP
-.BR "--mac-source " "[!] \fIaddress\fP"
-Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
-Note that this only makes sense for packets coming from an Ethernet device
-and entering the
-.BR PREROUTING ,
-.B FORWARD
-or
-.B INPUT
-chains.
diff --git a/extensions/libip6t_mark.man b/extensions/libip6t_mark.man
deleted file mode 100644
index a2a1395..0000000
--- a/extensions/libip6t_mark.man
+++ /dev/null
@@ -1,9 +0,0 @@
-This module matches the netfilter mark field associated with a packet
-(which can be set using the
-.B MARK
-target below).
-.TP
-.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
-Matches packets with the given unsigned mark value (if a \fImask\fP is
-specified, this is logically ANDed with the \fImask\fP before the
-comparison).
diff --git a/extensions/libip6t_multiport.c b/extensions/libip6t_multiport.c
deleted file mode 100644
index 166abce..0000000
--- a/extensions/libip6t_multiport.c
+++ /dev/null
@@ -1,458 +0,0 @@
-/* Shared library add-on to iptables to add multiple TCP port support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-/* To ensure that iptables compiles with an old kernel */
-#include "../include/linux/netfilter_ipv6/ip6t_multiport.h"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"multiport v%s options:\n"
-" --source-ports port[,port,port...]\n"
-" --sports ...\n"
-" match source port(s)\n"
-" --destination-ports port[,port,port...]\n"
-" --dports ...\n"
-" match destination port(s)\n"
-" --ports port[,port,port]\n"
-" match both source and destination port(s)\n"
-" NOTE: this kernel does not support port ranges in multiport.\n",
-IPTABLES_VERSION);
-}
-
-static void
-help_v1(void)
-{
- printf(
-"multiport v%s options:\n"
-" --source-ports [!] port[,port:port,port...]\n"
-" --sports ...\n"
-" match source port(s)\n"
-" --destination-ports [!] port[,port:port,port...]\n"
-" --dports ...\n"
-" match destination port(s)\n"
-" --ports [!] port[,port:port,port]\n"
-" match both source and destination port(s)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "source-ports", 1, 0, '1' },
- { "sports", 1, 0, '1' }, /* synonym */
- { "destination-ports", 1, 0, '2' },
- { "dports", 1, 0, '2' }, /* synonym */
- { "ports", 1, 0, '3' },
- {0}
-};
-
-static char *
-proto_to_name(u_int8_t proto)
-{
- switch (proto) {
- case IPPROTO_TCP:
- return "tcp";
- case IPPROTO_UDP:
- return "udp";
- case IPPROTO_SCTP:
- return "sctp";
- case IPPROTO_DCCP:
- return "dccp";
- default:
- return NULL;
- }
-}
-
-static unsigned int
-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
-{
- char *buffer, *cp, *next;
- unsigned int i;
-
- buffer = strdup(portstring);
- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
-
- for (cp=buffer, i=0; cp && i<IP6T_MULTI_PORTS; cp=next,i++)
- {
- next=strchr(cp, ',');
- if (next) *next++='\0';
- ports[i] = parse_port(cp, proto);
- }
- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
- free(buffer);
- return i;
-}
-
-static void
-parse_multi_ports_v1(const char *portstring,
- struct ip6t_multiport_v1 *multiinfo,
- const char *proto)
-{
- char *buffer, *cp, *next, *range;
- unsigned int i;
- u_int16_t m;
-
- buffer = strdup(portstring);
- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
-
- for (i=0; i<IP6T_MULTI_PORTS; i++)
- multiinfo->pflags[i] = 0;
-
- for (cp=buffer, i=0; cp && i<IP6T_MULTI_PORTS; cp=next, i++) {
- next=strchr(cp, ',');
- if (next) *next++='\0';
- range = strchr(cp, ':');
- if (range) {
- if (i == IP6T_MULTI_PORTS-1)
- exit_error(PARAMETER_PROBLEM,
- "too many ports specified");
- *range++ = '\0';
- }
- multiinfo->ports[i] = parse_port(cp, proto);
- if (range) {
- multiinfo->pflags[i] = 1;
- multiinfo->ports[++i] = parse_port(range, proto);
- if (multiinfo->ports[i-1] >= multiinfo->ports[i])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange specified");
- m <<= 1;
- }
- }
- multiinfo->count = i;
- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
-}
-
-static const char *
-check_proto(const struct ip6t_entry *entry)
-{
- char *proto;
-
- if ((proto = proto_to_name(entry->ipv6.proto)) != NULL)
- return proto;
- else if (!entry->ipv6.proto)
- exit_error(PARAMETER_PROBLEM,
- "multiport needs `-p tcp', `-p udp', `-p sctp' or `-p dccp'");
- else
- exit_error(PARAMETER_PROBLEM,
- "multiport only works with TCP, UDP, SCTP and DCCP");
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- const char *proto;
- struct ip6t_multiport *multiinfo
- = (struct ip6t_multiport *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- multiinfo->count = parse_multi_ports(argv[optind-1],
- multiinfo->ports, proto);
- multiinfo->flags = IP6T_MULTIPORT_SOURCE;
- break;
-
- case '2':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- multiinfo->count = parse_multi_ports(argv[optind-1],
- multiinfo->ports, proto);
- multiinfo->flags = IP6T_MULTIPORT_DESTINATION;
- break;
-
- case '3':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- multiinfo->count = parse_multi_ports(argv[optind-1],
- multiinfo->ports, proto);
- multiinfo->flags = IP6T_MULTIPORT_EITHER;
- break;
-
- default:
- return 0;
- }
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "multiport does not support invert");
-
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "multiport can only have one option");
- *flags = 1;
- return 1;
-}
-
-static int
-parse_v1(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- const char *proto;
- struct ip6t_multiport_v1 *multiinfo
- = (struct ip6t_multiport_v1 *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
- multiinfo->flags = IP6T_MULTIPORT_SOURCE;
- break;
-
- case '2':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
- multiinfo->flags = IP6T_MULTIPORT_DESTINATION;
- break;
-
- case '3':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
- multiinfo->flags = IP6T_MULTIPORT_EITHER;
- break;
-
- default:
- return 0;
- }
-
- if (invert)
- multiinfo->invert = 1;
-
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "multiport can only have one option");
- *flags = 1;
- return 1;
-}
-
-/* Final check; must specify something. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "multiport expection an option");
-}
-
-static char *
-port_to_service(int port, u_int8_t proto)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port), proto_to_name(proto))))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, u_int8_t protocol, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port, protocol)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_multiport *multiinfo
- = (const struct ip6t_multiport *)match->data;
- unsigned int i;
-
- printf("multiport ");
-
- switch (multiinfo->flags) {
- case IP6T_MULTIPORT_SOURCE:
- printf("sports ");
- break;
-
- case IP6T_MULTIPORT_DESTINATION:
- printf("dports ");
- break;
-
- case IP6T_MULTIPORT_EITHER:
- printf("ports ");
- break;
-
- default:
- printf("ERROR ");
- break;
- }
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], ip->proto, numeric);
- }
- printf(" ");
-}
-
-static void
-print_v1(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_multiport_v1 *multiinfo
- = (const struct ip6t_multiport_v1 *)match->data;
- unsigned int i;
-
- printf("multiport ");
-
- switch (multiinfo->flags) {
- case IP6T_MULTIPORT_SOURCE:
- printf("sports ");
- break;
-
- case IP6T_MULTIPORT_DESTINATION:
- printf("dports ");
- break;
-
- case IP6T_MULTIPORT_EITHER:
- printf("ports ");
- break;
-
- default:
- printf("ERROR ");
- break;
- }
-
- if (multiinfo->invert)
- printf("! ");
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], ip->proto, numeric);
- if (multiinfo->pflags[i]) {
- printf(":");
- print_port(multiinfo->ports[++i], ip->proto, numeric);
- }
- }
- printf(" ");
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_multiport *multiinfo
- = (const struct ip6t_multiport *)match->data;
- unsigned int i;
-
- switch (multiinfo->flags) {
- case IP6T_MULTIPORT_SOURCE:
- printf("--sports ");
- break;
-
- case IP6T_MULTIPORT_DESTINATION:
- printf("--dports ");
- break;
-
- case IP6T_MULTIPORT_EITHER:
- printf("--ports ");
- break;
- }
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], ip->proto, 1);
- }
- printf(" ");
-}
-
-static void save_v1(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match)
-{
- const struct ip6t_multiport_v1 *multiinfo
- = (const struct ip6t_multiport_v1 *)match->data;
- unsigned int i;
-
- switch (multiinfo->flags) {
- case IP6T_MULTIPORT_SOURCE:
- printf("--sports ");
- break;
-
- case IP6T_MULTIPORT_DESTINATION:
- printf("--dports ");
- break;
-
- case IP6T_MULTIPORT_EITHER:
- printf("--ports ");
- break;
- }
-
- if (multiinfo->invert)
- printf("! ");
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], ip->proto, 1);
- if (multiinfo->pflags[i]) {
- printf(":");
- print_port(multiinfo->ports[++i], ip->proto, 1);
- }
- }
- printf(" ");
-}
-
-static struct ip6tables_match multiport = {
- .name = "multiport",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_multiport)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_multiport)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-static struct ip6tables_match multiport_v1 = {
- .next = NULL,
- .name = "multiport",
- .revision = 1,
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_multiport_v1)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_multiport_v1)),
- .help = &help_v1,
- .init = &init,
- .parse = &parse_v1,
- .final_check = &final_check,
- .print = &print_v1,
- .save = &save_v1,
- .extra_opts = opts
-};
-
-void
-_init(void)
-{
- register_match6(&multiport);
- register_match6(&multiport_v1);
-}
diff --git a/extensions/libip6t_multiport.man b/extensions/libip6t_multiport.man
deleted file mode 100644
index 6f75a6e..0000000
--- a/extensions/libip6t_multiport.man
+++ /dev/null
@@ -1,20 +0,0 @@
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. It can only be used in conjunction
-with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
diff --git a/extensions/libip6t_owner.c b/extensions/libip6t_owner.c
deleted file mode 100644
index 99b5c13..0000000
--- a/extensions/libip6t_owner.c
+++ /dev/null
@@ -1,248 +0,0 @@
-/* Shared library add-on to iptables to add OWNER matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <pwd.h>
-#include <grp.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6t_owner.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
-#ifdef IP6T_OWNER_COMM
- printf(
-"OWNER match v%s options:\n"
-"[!] --uid-owner userid Match local uid\n"
-"[!] --gid-owner groupid Match local gid\n"
-"[!] --pid-owner processid Match local pid\n"
-"[!] --sid-owner sessionid Match local sid\n"
-"[!] --cmd-owner name Match local command name\n"
-"\n",
-IPTABLES_VERSION);
-#else
- printf(
-"OWNER match v%s options:\n"
-"[!] --uid-owner userid Match local uid\n"
-"[!] --gid-owner groupid Match local gid\n"
-"[!] --pid-owner processid Match local pid\n"
-"[!] --sid-owner sessionid Match local sid\n"
-"\n",
-IPTABLES_VERSION);
-#endif /* IP6T_OWNER_COMM */
-}
-
-static struct option opts[] = {
- { "uid-owner", 1, 0, '1' },
- { "gid-owner", 1, 0, '2' },
- { "pid-owner", 1, 0, '3' },
- { "sid-owner", 1, 0, '4' },
-#ifdef IP6T_OWNER_COMM
- { "cmd-owner", 1, 0, '5' },
-#endif
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_owner_info *ownerinfo = (struct ip6t_owner_info *)(*match)->data;
-
- switch (c) {
- char *end;
- struct passwd *pwd;
- struct group *grp;
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- if ((pwd = getpwnam(optarg)))
- ownerinfo->uid = pwd->pw_uid;
- else {
- ownerinfo->uid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", optarg);
- }
- if (invert)
- ownerinfo->invert |= IP6T_OWNER_UID;
- ownerinfo->match |= IP6T_OWNER_UID;
- *flags = 1;
- break;
-
- case '2':
- check_inverse(optarg, &invert, &optind, 0);
- if ((grp = getgrnam(optarg)))
- ownerinfo->gid = grp->gr_gid;
- else {
- ownerinfo->gid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", optarg);
- }
- if (invert)
- ownerinfo->invert |= IP6T_OWNER_GID;
- ownerinfo->match |= IP6T_OWNER_GID;
- *flags = 1;
- break;
-
- case '3':
- check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->pid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", optarg);
- if (invert)
- ownerinfo->invert |= IP6T_OWNER_PID;
- ownerinfo->match |= IP6T_OWNER_PID;
- *flags = 1;
- break;
-
- case '4':
- check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->sid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", optarg);
- if (invert)
- ownerinfo->invert |= IP6T_OWNER_SID;
- ownerinfo->match |= IP6T_OWNER_SID;
- *flags = 1;
- break;
-
-#ifdef IP6T_OWNER_COMM
- case '5':
- check_inverse(optarg, &invert, &optind, 0);
- if(strlen(optarg) > sizeof(ownerinfo->comm))
- exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %d characters", optarg, sizeof(ownerinfo->comm));
-
- strncpy(ownerinfo->comm, optarg, sizeof(ownerinfo->comm));
- ownerinfo->comm[sizeof(ownerinfo->comm)-1] = '\0';
-
- if (invert)
- ownerinfo->invert |= IP6T_OWNER_COMM;
- ownerinfo->match |= IP6T_OWNER_COMM;
- *flags = 1;
- break;
-#endif
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_item(struct ip6t_owner_info *info, u_int8_t flag, int numeric, char *label)
-{
- if(info->match & flag) {
-
- if (info->invert & flag)
- printf("! ");
-
- printf(label);
-
- switch(info->match & flag) {
- case IP6T_OWNER_UID:
- if(!numeric) {
- struct passwd *pwd = getpwuid(info->uid);
-
- if(pwd && pwd->pw_name) {
- printf("%s ", pwd->pw_name);
- break;
- }
- /* FALLTHROUGH */
- }
- printf("%u ", info->uid);
- break;
- case IP6T_OWNER_GID:
- if(!numeric) {
- struct group *grp = getgrgid(info->gid);
-
- if(grp && grp->gr_name) {
- printf("%s ", grp->gr_name);
- break;
- }
- /* FALLTHROUGH */
- }
- printf("%u ", info->gid);
- break;
- case IP6T_OWNER_PID:
- printf("%u ", info->pid);
- break;
- case IP6T_OWNER_SID:
- printf("%u ", info->sid);
- break;
-#ifdef IP6T_OWNER_COMM
- case IP6T_OWNER_COMM:
- printf("%.*s ", (int)sizeof(info->comm), info->comm);
- break;
-#endif
- default:
- break;
- }
- }
-}
-
-/* Final check; must have specified --own. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "OWNER match: You must specify one or more options");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- struct ip6t_owner_info *info = (struct ip6t_owner_info *)match->data;
-
- print_item(info, IP6T_OWNER_UID, numeric, "OWNER UID match ");
- print_item(info, IP6T_OWNER_GID, numeric, "OWNER GID match ");
- print_item(info, IP6T_OWNER_PID, numeric, "OWNER PID match ");
- print_item(info, IP6T_OWNER_SID, numeric, "OWNER SID match ");
-#ifdef IP6T_OWNER_COMM
- print_item(info, IP6T_OWNER_COMM, numeric, "OWNER CMD match ");
-#endif
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- struct ip6t_owner_info *info = (struct ip6t_owner_info *)match->data;
-
- print_item(info, IP6T_OWNER_UID, 0, "--uid-owner ");
- print_item(info, IP6T_OWNER_GID, 0, "--gid-owner ");
- print_item(info, IP6T_OWNER_PID, 0, "--pid-owner ");
- print_item(info, IP6T_OWNER_SID, 0, "--sid-owner ");
-#ifdef IP6T_OWNER_COMM
- print_item(info, IP6T_OWNER_COMM, 0, "--cmd-owner ");
-#endif
-}
-
-static struct ip6tables_match owner = {
- .name = "owner",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_owner_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_owner_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&owner);
-}
diff --git a/extensions/libip6t_owner.man b/extensions/libip6t_owner.man
deleted file mode 100644
index edd72b1..0000000
--- a/extensions/libip6t_owner.man
+++ /dev/null
@@ -1,23 +0,0 @@
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMPv6 ping responses) may
-have no owner, and hence never match. This is regarded as experimental.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
-.TP
-.B NOTE: pid, sid and command matching are broken on SMP
diff --git a/extensions/libip6t_physdev.c b/extensions/libip6t_physdev.c
deleted file mode 100644
index e7fa22e..0000000
--- a/extensions/libip6t_physdev.c
+++ /dev/null
@@ -1,192 +0,0 @@
-/* Shared library add-on to iptables to add bridge port matching support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6t_physdev.h>
-#if defined(__GLIBC__) && __GLIBC__ == 2
-#include <net/ethernet.h>
-#else
-#include <linux/if_ether.h>
-#endif
-
-static void
-help(void)
-{
- printf(
-"physdev v%s options:\n"
-" --physdev-in [!] input name[+] bridge port name ([+] for wildcard)\n"
-" --physdev-out [!] output name[+] bridge port name ([+] for wildcard)\n"
-" [!] --physdev-is-in arrived on a bridge device\n"
-" [!] --physdev-is-out will leave on a bridge device\n"
-" [!] --physdev-is-bridged it's a bridged packet\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "physdev-in", 1, 0, '1' },
- { "physdev-out", 1, 0, '2' },
- { "physdev-is-in", 0, 0, '3' },
- { "physdev-is-out", 0, 0, '4' },
- { "physdev-is-bridged", 0, 0, '5' },
- {0}
-};
-
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_physdev_info *info =
- (struct ip6t_physdev_info*)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IP6T_PHYSDEV_OP_IN)
- goto multiple_use;
- check_inverse(optarg, &invert, &optind, 0);
- parse_interface(argv[optind-1], info->physindev,
- (unsigned char *)info->in_mask);
- if (invert)
- info->invert |= IP6T_PHYSDEV_OP_IN;
- info->bitmask |= IP6T_PHYSDEV_OP_IN;
- *flags |= IP6T_PHYSDEV_OP_IN;
- break;
-
- case '2':
- if (*flags & IP6T_PHYSDEV_OP_OUT)
- goto multiple_use;
- check_inverse(optarg, &invert, &optind, 0);
- parse_interface(argv[optind-1], info->physoutdev,
- (unsigned char *)info->out_mask);
- if (invert)
- info->invert |= IP6T_PHYSDEV_OP_OUT;
- info->bitmask |= IP6T_PHYSDEV_OP_OUT;
- *flags |= IP6T_PHYSDEV_OP_OUT;
- break;
-
- case '3':
- if (*flags & IP6T_PHYSDEV_OP_ISIN)
- goto multiple_use;
- check_inverse(optarg, &invert, &optind, 0);
- info->bitmask |= IP6T_PHYSDEV_OP_ISIN;
- if (invert)
- info->invert |= IP6T_PHYSDEV_OP_ISIN;
- *flags |= IP6T_PHYSDEV_OP_ISIN;
- break;
-
- case '4':
- if (*flags & IP6T_PHYSDEV_OP_ISOUT)
- goto multiple_use;
- check_inverse(optarg, &invert, &optind, 0);
- info->bitmask |= IP6T_PHYSDEV_OP_ISOUT;
- if (invert)
- info->invert |= IP6T_PHYSDEV_OP_ISOUT;
- *flags |= IP6T_PHYSDEV_OP_ISOUT;
- break;
-
- case '5':
- if (*flags & IP6T_PHYSDEV_OP_BRIDGED)
- goto multiple_use;
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- info->invert |= IP6T_PHYSDEV_OP_BRIDGED;
- *flags |= IP6T_PHYSDEV_OP_BRIDGED;
- info->bitmask |= IP6T_PHYSDEV_OP_BRIDGED;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-multiple_use:
- exit_error(PARAMETER_PROBLEM,
- "multiple use of the same physdev option is not allowed");
-
-}
-
-static void final_check(unsigned int flags)
-{
- if (flags == 0)
- exit_error(PARAMETER_PROBLEM, "PHYSDEV: no physdev option specified");
-}
-
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- struct ip6t_physdev_info *info =
- (struct ip6t_physdev_info*)match->data;
-
- printf("PHYSDEV match");
- if (info->bitmask & IP6T_PHYSDEV_OP_ISIN)
- printf("%s --physdev-is-in",
- info->invert & IP6T_PHYSDEV_OP_ISIN ? " !":"");
- if (info->bitmask & IP6T_PHYSDEV_OP_IN)
- printf("%s --physdev-in %s",
- (info->invert & IP6T_PHYSDEV_OP_IN) ? " !":"", info->physindev);
-
- if (info->bitmask & IP6T_PHYSDEV_OP_ISOUT)
- printf("%s --physdev-is-out",
- info->invert & IP6T_PHYSDEV_OP_ISOUT ? " !":"");
- if (info->bitmask & IP6T_PHYSDEV_OP_OUT)
- printf("%s --physdev-out %s",
- (info->invert & IP6T_PHYSDEV_OP_OUT) ? " !":"", info->physoutdev);
- if (info->bitmask & IP6T_PHYSDEV_OP_BRIDGED)
- printf("%s --physdev-is-bridged",
- info->invert & IP6T_PHYSDEV_OP_BRIDGED ? " !":"");
- printf(" ");
-}
-
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- struct ip6t_physdev_info *info =
- (struct ip6t_physdev_info*)match->data;
-
- if (info->bitmask & IP6T_PHYSDEV_OP_ISIN)
- printf("%s --physdev-is-in",
- info->invert & IP6T_PHYSDEV_OP_ISIN ? " !":"");
- if (info->bitmask & IP6T_PHYSDEV_OP_IN)
- printf("%s --physdev-in %s",
- (info->invert & IP6T_PHYSDEV_OP_IN) ? " !":"", info->physindev);
-
- if (info->bitmask & IP6T_PHYSDEV_OP_ISOUT)
- printf("%s --physdev-is-out",
- info->invert & IP6T_PHYSDEV_OP_ISOUT ? " !":"");
- if (info->bitmask & IP6T_PHYSDEV_OP_OUT)
- printf("%s --physdev-out %s",
- (info->invert & IP6T_PHYSDEV_OP_OUT) ? " !":"", info->physoutdev);
- if (info->bitmask & IP6T_PHYSDEV_OP_BRIDGED)
- printf("%s --physdev-is-bridged",
- info->invert & IP6T_PHYSDEV_OP_BRIDGED ? " !":"");
- printf(" ");
-}
-
-static struct ip6tables_match physdev = {
- .name = "physdev",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_physdev_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_physdev_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&physdev);
-}
diff --git a/extensions/libip6t_physdev.man b/extensions/libip6t_physdev.man
deleted file mode 100644
index 1e635fc..0000000
--- a/extensions/libip6t_physdev.man
+++ /dev/null
@@ -1,42 +0,0 @@
-This module matches on the bridge port input and output devices enslaved
-to a bridge device. This module is a part of the infrastructure that enables
-a transparent bridging IP firewall and is only useful for kernel versions
-above version 2.5.44.
-.TP
-.BR --physdev-in " [!] \fIname\fP"
-Name of a bridge port via which a packet is received (only for
-packets entering the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. If the packet didn't arrive
-through a bridge device, this packet won't match this option, unless '!' is used.
-.TP
-.BR --physdev-out " [!] \fIname\fP"
-Name of a bridge port via which a packet is going to be sent (for packets
-entering the
-.BR FORWARD ,
-.B OUTPUT
-and
-.B POSTROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. Note that in the
-.BR nat " and " mangle
-.B OUTPUT
-chains one cannot match on the bridge output port, however one can in the
-.B "filter OUTPUT"
-chain. If the packet won't leave by a bridge device or it is yet unknown what
-the output device will be, then the packet won't match this option, unless
-'!' is used.
-.TP
-.RB "[!] " --physdev-is-in
-Matches if the packet has entered through a bridge interface.
-.TP
-.RB "[!] " --physdev-is-out
-Matches if the packet will leave through a bridge interface.
-.TP
-.RB "[!] " --physdev-is-bridged
-Matches if the packet is being bridged and therefore is not being routed.
-This is only useful in the FORWARD and POSTROUTING chains.
diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c
deleted file mode 100644
index 2f4453e..0000000
--- a/extensions/libip6t_policy.c
+++ /dev/null
@@ -1,478 +0,0 @@
-/* Shared library add-on to iptables to add policy support. */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <netdb.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <ip6tables.h>
-
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include "../include/linux/netfilter_ipv6/ip6t_policy.h"
-
-/*
- * HACK: global pointer to current matchinfo for making
- * final checks and adjustments in final_check.
- */
-static struct ip6t_policy_info *policy_info;
-
-static void help(void)
-{
- printf(
-"policy v%s options:\n"
-" --dir in|out match policy applied during decapsulation/\n"
-" policy to be applied during encapsulation\n"
-" --pol none|ipsec match policy\n"
-" --strict match entire policy instead of single element\n"
-" at any position\n"
-"[!] --reqid reqid match reqid\n"
-"[!] --spi spi match SPI\n"
-"[!] --proto proto match protocol (ah/esp/ipcomp)\n"
-"[!] --mode mode match mode (transport/tunnel)\n"
-"[!] --tunnel-src addr/masklen match tunnel source\n"
-"[!] --tunnel-dst addr/masklen match tunnel destination\n"
-" --next begin next element in policy\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] =
-{
- {
- .name = "dir",
- .has_arg = 1,
- .val = '1',
- },
- {
- .name = "pol",
- .has_arg = 1,
- .val = '2',
- },
- {
- .name = "strict",
- .val = '3'
- },
- {
- .name = "reqid",
- .has_arg = 1,
- .val = '4',
- },
- {
- .name = "spi",
- .has_arg = 1,
- .val = '5'
- },
- {
- .name = "tunnel-src",
- .has_arg = 1,
- .val = '6'
- },
- {
- .name = "tunnel-dst",
- .has_arg = 1,
- .val = '7'
- },
- {
- .name = "proto",
- .has_arg = 1,
- .val = '8'
- },
- {
- .name = "mode",
- .has_arg = 1,
- .val = '9'
- },
- {
- .name = "next",
- .val = 'a'
- },
- { }
-};
-
-/* FIXME - Duplicated code from ip6tables.c */
-/* Duplicated to stop too many changes in other files .... */
-static void
-in6addrcpy(struct in6_addr *dst, struct in6_addr *src)
-{
- memcpy(dst, src, sizeof(struct in6_addr));
- /* dst->s6_addr = src->s6_addr; */
-}
-
-static char *
-addr_to_numeric(const struct in6_addr *addrp)
-{
- /* 0000:0000:0000:0000:0000:000.000.000.000
- * 0000:0000:0000:0000:0000:0000:0000:0000 */
- static char buf[50+1];
- return (char *)inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
-}
-
-static char *
-mask_to_numeric(const struct in6_addr *addrp)
-{
- static char buf[50+2];
- int l = ipv6_prefix_length(addrp);
- if (l == -1) {
- strcpy(buf, "/");
- strcat(buf, addr_to_numeric(addrp));
- return buf;
- }
- sprintf(buf, "/%d", l);
- return buf;
-}
-
-/* These should be in include/ip6tables.h... */
-extern u_int16_t parse_protocol(const char *s);
-extern void parse_hostnetworkmask(const char *name, struct in6_addr **addrpp,
- struct in6_addr *maskp, unsigned int *naddrs);
-
-/* End duplicated code from ip6tables.c */
-
-static void init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- *nfcache |= NFC_UNKNOWN;
-}
-
-static int parse_direction(char *s)
-{
- if (strcmp(s, "in") == 0)
- return IP6T_POLICY_MATCH_IN;
- if (strcmp(s, "out") == 0)
- return IP6T_POLICY_MATCH_OUT;
- exit_error(PARAMETER_PROBLEM, "policy_match: invalid dir `%s'", s);
-}
-
-static int parse_policy(char *s)
-{
- if (strcmp(s, "none") == 0)
- return IP6T_POLICY_MATCH_NONE;
- if (strcmp(s, "ipsec") == 0)
- return 0;
- exit_error(PARAMETER_PROBLEM, "policy match: invalid policy `%s'", s);
-}
-
-static int parse_mode(char *s)
-{
- if (strcmp(s, "transport") == 0)
- return IP6T_POLICY_MODE_TRANSPORT;
- if (strcmp(s, "tunnel") == 0)
- return IP6T_POLICY_MODE_TUNNEL;
- exit_error(PARAMETER_PROBLEM, "policy match: invalid mode `%s'", s);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_policy_info *info = (void *)(*match)->data;
- struct ip6t_policy_elem *e = &info->pol[info->len];
- struct in6_addr *addr = NULL, mask;
- unsigned int naddr = 0;
- int mode;
-
- check_inverse(optarg, &invert, &optind, 0);
-
- switch (c) {
- case '1':
- if (info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --dir option");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --dir option");
-
- info->flags |= parse_direction(argv[optind-1]);
- break;
- case '2':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --policy option");
-
- info->flags |= parse_policy(argv[optind-1]);
- break;
- case '3':
- if (info->flags & IP6T_POLICY_MATCH_STRICT)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --strict option");
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --strict option");
-
- info->flags |= IP6T_POLICY_MATCH_STRICT;
- break;
- case '4':
- if (e->match.reqid)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --reqid option");
-
- e->match.reqid = 1;
- e->invert.reqid = invert;
- e->reqid = strtol(argv[optind-1], NULL, 10);
- break;
- case '5':
- if (e->match.spi)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --spi option");
-
- e->match.spi = 1;
- e->invert.spi = invert;
- e->spi = strtol(argv[optind-1], NULL, 0x10);
- break;
- case '6':
- if (e->match.saddr)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --tunnel-src option");
-
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
- if (naddr > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: name resolves to multiple IPs");
-
- e->match.saddr = 1;
- e->invert.saddr = invert;
- in6addrcpy(&e->saddr.a6, addr);
- in6addrcpy(&e->smask.a6, &mask);
- break;
- case '7':
- if (e->match.daddr)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --tunnel-dst option");
-
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
- if (naddr > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: name resolves to multiple IPs");
-
- e->match.daddr = 1;
- e->invert.daddr = invert;
- in6addrcpy(&e->daddr.a6, addr);
- in6addrcpy(&e->dmask.a6, &mask);
- break;
- case '8':
- if (e->match.proto)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --proto option");
-
- e->proto = parse_protocol(argv[optind-1]);
- if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
- e->proto != IPPROTO_COMP)
- exit_error(PARAMETER_PROBLEM,
- "policy match: protocol must ah/esp/ipcomp");
- e->match.proto = 1;
- e->invert.proto = invert;
- break;
- case '9':
- if (e->match.mode)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --mode option");
-
- mode = parse_mode(argv[optind-1]);
- e->match.mode = 1;
- e->invert.mode = invert;
- e->mode = mode;
- break;
- case 'a':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --next option");
-
- if (++info->len == IP6T_POLICY_MAX_ELEM)
- exit_error(PARAMETER_PROBLEM,
- "policy match: maximum policy depth reached");
- break;
- default:
- return 0;
- }
-
- policy_info = info;
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- struct ip6t_policy_info *info = policy_info;
- struct ip6t_policy_elem *e;
- int i;
-
- if (info == NULL)
- exit_error(PARAMETER_PROBLEM,
- "policy match: no parameters given");
-
- if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT)))
- exit_error(PARAMETER_PROBLEM,
- "policy match: neither --in nor --out specified");
-
- if (info->flags & IP6T_POLICY_MATCH_NONE) {
- if (info->flags & IP6T_POLICY_MATCH_STRICT)
- exit_error(PARAMETER_PROBLEM,
- "policy match: policy none but --strict given");
-
- if (info->len != 0)
- exit_error(PARAMETER_PROBLEM,
- "policy match: policy none but policy given");
- } else
- info->len++; /* increase len by 1, no --next after last element */
-
- if (!(info->flags & IP6T_POLICY_MATCH_STRICT) && info->len > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: multiple elements but no --strict");
-
- for (i = 0; i < info->len; i++) {
- e = &info->pol[i];
-
- if (info->flags & IP6T_POLICY_MATCH_STRICT &&
- !(e->match.reqid || e->match.spi || e->match.saddr ||
- e->match.daddr || e->match.proto || e->match.mode))
- exit_error(PARAMETER_PROBLEM,
- "policy match: empty policy element");
-
- if ((e->match.saddr || e->match.daddr)
- && ((e->mode == IP6T_POLICY_MODE_TUNNEL && e->invert.mode) ||
- (e->mode == IP6T_POLICY_MODE_TRANSPORT && !e->invert.mode)))
- exit_error(PARAMETER_PROBLEM,
- "policy match: --tunnel-src/--tunnel-dst "
- "is only valid in tunnel mode");
- }
-}
-
-static void print_mode(char *prefix, u_int8_t mode, int numeric)
-{
- printf("%smode ", prefix);
-
- switch (mode) {
- case IP6T_POLICY_MODE_TRANSPORT:
- printf("transport ");
- break;
- case IP6T_POLICY_MODE_TUNNEL:
- printf("tunnel ");
- break;
- default:
- printf("??? ");
- break;
- }
-}
-
-static void print_proto(char *prefix, u_int8_t proto, int numeric)
-{
- struct protoent *p = NULL;
-
- printf("%sproto ", prefix);
- if (!numeric)
- p = getprotobynumber(proto);
- if (p != NULL)
- printf("%s ", p->p_name);
- else
- printf("%u ", proto);
-}
-
-#define PRINT_INVERT(x) \
-do { \
- if (x) \
- printf("! "); \
-} while(0)
-
-static void print_entry(char *prefix, const struct ip6t_policy_elem *e,
- int numeric)
-{
- if (e->match.reqid) {
- PRINT_INVERT(e->invert.reqid);
- printf("%sreqid %u ", prefix, e->reqid);
- }
- if (e->match.spi) {
- PRINT_INVERT(e->invert.spi);
- printf("%sspi 0x%x ", prefix, e->spi);
- }
- if (e->match.proto) {
- PRINT_INVERT(e->invert.proto);
- print_proto(prefix, e->proto, numeric);
- }
- if (e->match.mode) {
- PRINT_INVERT(e->invert.mode);
- print_mode(prefix, e->mode, numeric);
- }
- if (e->match.daddr) {
- PRINT_INVERT(e->invert.daddr);
- printf("%stunnel-dst %s%s ", prefix,
- addr_to_numeric((struct in6_addr *)&e->daddr),
- mask_to_numeric((struct in6_addr *)&e->dmask));
- }
- if (e->match.saddr) {
- PRINT_INVERT(e->invert.saddr);
- printf("%stunnel-src %s%s ", prefix,
- addr_to_numeric((struct in6_addr *)&e->saddr),
- mask_to_numeric((struct in6_addr *)&e->smask));
- }
-}
-
-static void print_flags(char *prefix, const struct ip6t_policy_info *info)
-{
- if (info->flags & IP6T_POLICY_MATCH_IN)
- printf("%sdir in ", prefix);
- else
- printf("%sdir out ", prefix);
-
- if (info->flags & IP6T_POLICY_MATCH_NONE)
- printf("%spol none ", prefix);
- else
- printf("%spol ipsec ", prefix);
-
- if (info->flags & IP6T_POLICY_MATCH_STRICT)
- printf("%sstrict ", prefix);
-}
-
-static void print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_policy_info *info = (void *)match->data;
- unsigned int i;
-
- printf("policy match ");
- print_flags("", info);
- for (i = 0; i < info->len; i++) {
- if (info->len > 1)
- printf("[%u] ", i);
- print_entry("", &info->pol[i], numeric);
- }
-
- printf("\n");
-}
-
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_policy_info *info = (void *)match->data;
- unsigned int i;
-
- print_flags("--", info);
- for (i = 0; i < info->len; i++) {
- print_entry("--", &info->pol[i], 0);
- if (i + 1 < info->len)
- printf("--next ");
- }
-}
-
-struct ip6tables_match policy = {
- .name = "policy",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_policy_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_policy_info)),
- .help = help,
- .init = init,
- .parse = parse,
- .final_check = final_check,
- .print = print,
- .save = save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match6(&policy);
-}
diff --git a/extensions/libip6t_policy.man b/extensions/libip6t_policy.man
deleted file mode 100644
index eed163e..0000000
--- a/extensions/libip6t_policy.man
+++ /dev/null
@@ -1,48 +0,0 @@
-This modules matches the policy used by IPsec for handling a packet.
-.TP
-.BI "--dir " "in|out"
-Used to select whether to match the policy used for decapsulation or the
-policy that will be used for encapsulation.
-.B in
-is valid in the
-.B PREROUTING, INPUT and FORWARD
-chains,
-.B out
-is valid in the
-.B POSTROUTING, OUTPUT and FORWARD
-chains.
-.TP
-.BI "--pol " "none|ipsec"
-Matches if the packet is subject to IPsec processing.
-.TP
-.BI "--strict"
-Selects whether to match the exact policy or match if any rule of
-the policy matches the given policy.
-.TP
-.BI "--reqid " "id"
-Matches the reqid of the policy rule. The reqid can be specified with
-.B setkey(8)
-using
-.B unique:id
-as level.
-.TP
-.BI "--spi " "spi"
-Matches the SPI of the SA.
-.TP
-.BI "--proto " "ah|esp|ipcomp"
-Matches the encapsulation protocol.
-.TP
-.BI "--mode " "tunnel|transport"
-Matches the encapsulation mode.
-.TP
-.BI "--tunnel-src " "addr[/mask]"
-Matches the source end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--tunnel-dst " "addr[/mask]"
-Matches the destination end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--next"
-Start the next element in the policy specification. Can only be used with
---strict
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
deleted file mode 100644
index 251604b..0000000
--- a/extensions/libip6t_rt.c
+++ /dev/null
@@ -1,362 +0,0 @@
-/* Shared library add-on to ip6tables to add Routing header support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <errno.h>
-#include <ip6tables.h>
-/*#include <linux/in6.h>*/
-#include <linux/netfilter_ipv6/ip6t_rt.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-/*#define DEBUG 1*/
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"RT v%s options:\n"
-" --rt-type [!] type match the type\n"
-" --rt-segsleft [!] num[:num] match the Segments Left field (range)\n"
-" --rt-len [!] length total length of this header\n"
-" --rt-0-res check the reserved filed, too (type 0)\n"
-" --rt-0-addrs ADDR[,ADDR...] Type=0 addresses (list, max: %d)\n"
-" --rt-0-not-strict List of Type=0 addresses not a strict list\n",
-IPTABLES_VERSION, IP6T_RT_HOPS);
-}
-
-static struct option opts[] = {
- { "rt-type", 1, 0, '1' },
- { "rt-segsleft", 1, 0, '2' },
- { "rt-len", 1, 0, '3' },
- { "rt-0-res", 0, 0, '4' },
- { "rt-0-addrs", 1, 0, '5' },
- { "rt-0-not-strict", 0, 0, '6' },
- {0}
-};
-
-static u_int32_t
-parse_rt_num(const char *idstr, const char *typestr)
-{
- unsigned long int id;
- char* ep;
-
- id = strtoul(idstr,&ep,0) ;
-
- if ( idstr == ep ) {
- exit_error(PARAMETER_PROBLEM,
- "RT no valid digits in %s `%s'", typestr, idstr);
- }
- if ( id == ULONG_MAX && errno == ERANGE ) {
- exit_error(PARAMETER_PROBLEM,
- "%s `%s' specified too big: would overflow",
- typestr, idstr);
- }
- if ( *idstr != '\0' && *ep != '\0' ) {
- exit_error(PARAMETER_PROBLEM,
- "RT error parsing %s `%s'", typestr, idstr);
- }
- return (u_int32_t) id;
-}
-
-static void
-parse_rt_segsleft(const char *idstring, u_int32_t *ids)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(idstring);
- if ((cp = strchr(buffer, ':')) == NULL)
- ids[0] = ids[1] = parse_rt_num(buffer,"segsleft");
- else {
- *cp = '\0';
- cp++;
-
- ids[0] = buffer[0] ? parse_rt_num(buffer,"segsleft") : 0;
- ids[1] = cp[0] ? parse_rt_num(cp,"segsleft") : 0xFFFFFFFF;
- }
- free(buffer);
-}
-
-static char *
-addr_to_numeric(const struct in6_addr *addrp)
-{
- static char buf[50+1];
- return (char *)inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
-}
-
-static struct in6_addr *
-numeric_to_addr(const char *num)
-{
- static struct in6_addr ap;
- int err;
-
- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
- return &ap;
-#ifdef DEBUG
- fprintf(stderr, "\nnumeric2addr: %d\n", err);
-#endif
- exit_error(PARAMETER_PROBLEM, "bad address: %s", num);
-
- return (struct in6_addr *)NULL;
-}
-
-
-static int
-parse_addresses(const char *addrstr, struct in6_addr *addrp)
-{
- char *buffer, *cp, *next;
- unsigned int i;
-
- buffer = strdup(addrstr);
- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
-
- for (cp=buffer, i=0; cp && i<IP6T_RT_HOPS; cp=next,i++)
- {
- next=strchr(cp, ',');
- if (next) *next++='\0';
- memcpy(&(addrp[i]), numeric_to_addr(cp), sizeof(struct in6_addr));
-#if DEBUG
- printf("addr str: %s\n", cp);
- printf("addr ip6: %s\n", addr_to_numeric((numeric_to_addr(cp))));
- printf("addr [%d]: %s\n", i, addr_to_numeric(&(addrp[i])));
-#endif
- }
- if (cp) exit_error(PARAMETER_PROBLEM, "too many addresses specified");
-
- free(buffer);
-
-#if DEBUG
- printf("addr nr: %d\n", i);
-#endif
-
- return i;
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_rt *rtinfo = (struct ip6t_rt *)m->data;
-
- rtinfo->rt_type = 0x0L;
- rtinfo->segsleft[0] = 0x0L;
- rtinfo->segsleft[1] = 0xFFFFFFFF;
- rtinfo->hdrlen = 0;
- rtinfo->flags = 0;
- rtinfo->invflags = 0;
- rtinfo->addrnr = 0;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_rt *rtinfo = (struct ip6t_rt *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IP6T_RT_TYP)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--rt-type' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- rtinfo->rt_type = parse_rt_num(argv[optind-1], "type");
- if (invert)
- rtinfo->invflags |= IP6T_RT_INV_TYP;
- rtinfo->flags |= IP6T_RT_TYP;
- *flags |= IP6T_RT_TYP;
- break;
- case '2':
- if (*flags & IP6T_RT_SGS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--rt-segsleft' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_rt_segsleft(argv[optind-1], rtinfo->segsleft);
- if (invert)
- rtinfo->invflags |= IP6T_RT_INV_SGS;
- rtinfo->flags |= IP6T_RT_SGS;
- *flags |= IP6T_RT_SGS;
- break;
- case '3':
- if (*flags & IP6T_RT_LEN)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--rt-len' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- rtinfo->hdrlen = parse_rt_num(argv[optind-1], "length");
- if (invert)
- rtinfo->invflags |= IP6T_RT_INV_LEN;
- rtinfo->flags |= IP6T_RT_LEN;
- *flags |= IP6T_RT_LEN;
- break;
- case '4':
- if (*flags & IP6T_RT_RES)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--rt-0-res' allowed");
- if ( !(*flags & IP6T_RT_TYP) || (rtinfo->rt_type != 0) || (rtinfo->invflags & IP6T_RT_INV_TYP) )
- exit_error(PARAMETER_PROBLEM,
- "`--rt-type 0' required before `--rt-0-res'");
- rtinfo->flags |= IP6T_RT_RES;
- *flags |= IP6T_RT_RES;
- break;
- case '5':
- if (*flags & IP6T_RT_FST)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--rt-0-addrs' allowed");
- if ( !(*flags & IP6T_RT_TYP) || (rtinfo->rt_type != 0) || (rtinfo->invflags & IP6T_RT_INV_TYP) )
- exit_error(PARAMETER_PROBLEM,
- "`--rt-type 0' required before `--rt-0-addrs'");
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- " '!' not allowed with `--rt-0-addrs'");
- rtinfo->addrnr = parse_addresses(argv[optind-1], rtinfo->addrs);
- rtinfo->flags |= IP6T_RT_FST;
- *flags |= IP6T_RT_FST;
- break;
- case '6':
- if (*flags & IP6T_RT_FST_NSTRICT)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--rt-0-not-strict' allowed");
- if ( !(*flags & IP6T_RT_FST) )
- exit_error(PARAMETER_PROBLEM,
- "`--rt-0-addr ...' required before `--rt-0-not-strict'");
- rtinfo->flags |= IP6T_RT_FST_NSTRICT;
- *flags |= IP6T_RT_FST_NSTRICT;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static void
-print_nums(const char *name, u_int32_t min, u_int32_t max,
- int invert)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFFFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- printf("%u", min);
- } else {
- printf("s:%s", inv);
- printf("%u",min);
- printf(":");
- printf("%u",max);
- }
- printf(" ");
- }
-}
-
-static void
-print_addresses(int addrnr, struct in6_addr *addrp)
-{
- unsigned int i;
-
- for(i=0; i<addrnr; i++){
- printf("%s%c", addr_to_numeric(&(addrp[i])), (i!=addrnr-1)?',':' ');
- }
-}
-
-/* Prints out the union ip6t_matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match, int numeric)
-{
- const struct ip6t_rt *rtinfo = (struct ip6t_rt *)match->data;
-
- printf("rt ");
- if (rtinfo->flags & IP6T_RT_TYP)
- printf("type:%s%d ", rtinfo->invflags & IP6T_RT_INV_TYP ? "!" : "",
- rtinfo->rt_type);
- print_nums("segsleft", rtinfo->segsleft[0], rtinfo->segsleft[1],
- rtinfo->invflags & IP6T_RT_INV_SGS);
- if (rtinfo->flags & IP6T_RT_LEN) {
- printf("length");
- printf(":%s", rtinfo->invflags & IP6T_RT_INV_LEN ? "!" : "");
- printf("%u", rtinfo->hdrlen);
- printf(" ");
- }
- if (rtinfo->flags & IP6T_RT_RES) printf("reserved ");
- if (rtinfo->flags & IP6T_RT_FST) printf("0-addrs ");
- print_addresses(rtinfo->addrnr, (struct in6_addr *)rtinfo->addrs);
- if (rtinfo->flags & IP6T_RT_FST_NSTRICT) printf("0-not-strict ");
- if (rtinfo->invflags & ~IP6T_RT_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- rtinfo->invflags & ~IP6T_RT_INV_MASK);
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_rt *rtinfo = (struct ip6t_rt *)match->data;
-
- if (rtinfo->flags & IP6T_RT_TYP) {
- printf("--rt-type %s%u ",
- (rtinfo->invflags & IP6T_RT_INV_TYP) ? "! " : "",
- rtinfo->rt_type);
- }
-
- if (!(rtinfo->segsleft[0] == 0
- && rtinfo->segsleft[1] == 0xFFFFFFFF)) {
- printf("--rt-segsleft %s",
- (rtinfo->invflags & IP6T_RT_INV_SGS) ? "! " : "");
- if (rtinfo->segsleft[0]
- != rtinfo->segsleft[1])
- printf("%u:%u ",
- rtinfo->segsleft[0],
- rtinfo->segsleft[1]);
- else
- printf("%u ",
- rtinfo->segsleft[0]);
- }
-
- if (rtinfo->flags & IP6T_RT_LEN) {
- printf("--rt-len %s%u ",
- (rtinfo->invflags & IP6T_RT_INV_LEN) ? "! " : "",
- rtinfo->hdrlen);
- }
-
- if (rtinfo->flags & IP6T_RT_RES) printf("--rt-0-res ");
- if (rtinfo->flags & IP6T_RT_FST) printf("--rt-0-addrs ");
- print_addresses(rtinfo->addrnr, (struct in6_addr *)rtinfo->addrs);
- if (rtinfo->flags & IP6T_RT_FST_NSTRICT) printf("--rt-0-not-strict ");
-
-}
-
-static struct ip6tables_match rt = {
- .name = "rt",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_rt)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_rt)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void
-_init(void)
-{
- register_match6(&rt);
-}
diff --git a/extensions/libip6t_rt.man b/extensions/libip6t_rt.man
deleted file mode 100644
index e56d5f4..0000000
--- a/extensions/libip6t_rt.man
+++ /dev/null
@@ -1,19 +0,0 @@
-Match on IPv6 routing header
-.TP
-.BR "--rt-type" " [!] \fItype\fP"
-Match the type (numeric).
-.TP
-.BR "--rt-segsleft" " [!] \fInum\fP[:\fInum\fP]"
-Match the `segments left' field (range).
-.TP
-.BR "--rt-len" " [!] \fIlength\fP"
-Match the length of this header.
-.TP
-.BR "--rt-0-res"
-Match the reserved field, too (type=0)
-.TP
-.BR "--rt-0-addrs" " \fIADDR\fP[,\fIADDR\fP...]"
-Match type=0 addresses (list).
-.TP
-.BR "--rt-0-not-strict"
-List of type=0 addresses is not a strict list.
diff --git a/extensions/libip6t_sctp.c b/extensions/libip6t_sctp.c
deleted file mode 100644
index aee7072..0000000
--- a/extensions/libip6t_sctp.c
+++ /dev/null
@@ -1,550 +0,0 @@
-/* Shared library add-on to iptables for SCTP matching
- *
- * (C) 2003 by Harald Welte <laforge@gnumonks.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- * libipt_ecn.c borrowed heavily from libipt_dscp.c
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <netdb.h>
-#include <ctype.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-
-#ifndef ARRAY_SIZE
-#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
-#endif
-
-#include <linux/netfilter/xt_sctp.h>
-
-/* Some ZS!#@:$%*#$! has replaced the ELEMCOUNT macro in ipt_sctp.h with
- * ARRAY_SIZE without noticing that this file is used from userserspace,
- * and userspace doesn't have ARRAY_SIZE */
-
-#ifndef ELEMCOUNT
-#define ELEMCOUNT ARRAY_SIZE
-#endif
-
-#if 0
-#define DEBUGP(format, first...) printf(format, ##first)
-#define static
-#else
-#define DEBUGP(format, fist...)
-#endif
-
-static void
-print_chunk(u_int32_t chunknum, int numeric);
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m,
- unsigned int *nfcache)
-{
- int i;
- struct xt_sctp_info *einfo = (struct xt_sctp_info *)m->data;
-
- memset(einfo, 0, sizeof(struct xt_sctp_info));
-
- for (i = 0; i < XT_NUM_SCTP_FLAGS; i++) {
- einfo->flag_info[i].chunktype = -1;
- }
-}
-
-static void help(void)
-{
- printf(
-"SCTP match v%s options\n"
-" --source-port [!] port[:port] match source port(s)\n"
-" --sport ...\n"
-" --destination-port [!] port[:port] match destination port(s)\n"
-" --dport ...\n"
-" --chunk-types [!] (all|any|none) (chunktype[:flags])+ match if all, any or none of\n"
-" chunktypes are present\n"
-"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK ALL NONE\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "source-port", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "sport", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "destination-port", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "dport", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "chunk-types", .has_arg = 1, .flag = 0, .val = '3' },
- { .name = 0 }
-};
-
-static void
-parse_sctp_ports(const char *portstring,
- u_int16_t *ports)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(portstring);
- DEBUGP("%s\n", portstring);
- if ((cp = strchr(buffer, ':')) == NULL) {
- ports[0] = ports[1] = parse_port(buffer, "sctp");
- }
- else {
- *cp = '\0';
- cp++;
-
- ports[0] = buffer[0] ? parse_port(buffer, "sctp") : 0;
- ports[1] = cp[0] ? parse_port(cp, "sctp") : 0xFFFF;
-
- if (ports[0] > ports[1])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange (min > max)");
- }
- free(buffer);
-}
-
-struct sctp_chunk_names {
- const char *name;
- unsigned int chunk_type;
- const char *valid_flags;
-};
-
-/*'ALL' and 'NONE' will be treated specially. */
-static struct sctp_chunk_names sctp_chunk_names[]
-= { { .name = "DATA", .chunk_type = 0, .valid_flags = "-----UBE"},
- { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"},
- { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"},
- { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"},
- { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"},
- { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"},
- { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"},
- { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"},
- { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"},
- { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"},
- { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"},
- { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"},
- { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"},
- { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"},
- { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"},
- { .name = "ASCONF", .chunk_type = 31, .valid_flags = "--------"},
- { .name = "ASCONF_ACK", .chunk_type = 30, .valid_flags = "--------"},
-};
-
-static void
-save_chunk_flag_info(struct xt_sctp_flag_info *flag_info,
- int *flag_count,
- int chunktype,
- int bit,
- int set)
-{
- int i;
-
- for (i = 0; i < *flag_count; i++) {
- if (flag_info[i].chunktype == chunktype) {
- DEBUGP("Previous match found\n");
- flag_info[i].chunktype = chunktype;
- flag_info[i].flag_mask |= (1 << bit);
- if (set) {
- flag_info[i].flag |= (1 << bit);
- }
-
- return;
- }
- }
-
- if (*flag_count == XT_NUM_SCTP_FLAGS) {
- exit_error (PARAMETER_PROBLEM,
- "Number of chunk types with flags exceeds currently allowed limit."
- "Increasing this limit involves changing XT_NUM_SCTP_FLAGS and"
- "recompiling both the kernel space and user space modules\n");
- }
-
- flag_info[*flag_count].chunktype = chunktype;
- flag_info[*flag_count].flag_mask |= (1 << bit);
- if (set) {
- flag_info[*flag_count].flag |= (1 << bit);
- }
- (*flag_count)++;
-}
-
-static void
-parse_sctp_chunk(struct xt_sctp_info *einfo,
- const char *chunks)
-{
- char *ptr;
- char *buffer;
- unsigned int i, j;
- int found = 0;
- char *chunk_flags;
-
- buffer = strdup(chunks);
- DEBUGP("Buffer: %s\n", buffer);
-
- SCTP_CHUNKMAP_RESET(einfo->chunkmap);
-
- if (!strcasecmp(buffer, "ALL")) {
- SCTP_CHUNKMAP_SET_ALL(einfo->chunkmap);
- goto out;
- }
-
- if (!strcasecmp(buffer, "NONE")) {
- SCTP_CHUNKMAP_RESET(einfo->chunkmap);
- goto out;
- }
-
- for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
- found = 0;
- DEBUGP("Next Chunk type %s\n", ptr);
-
- if ((chunk_flags = strchr(ptr, ':')) != NULL) {
- *chunk_flags++ = 0;
- }
-
- for (i = 0; i < ELEMCOUNT(sctp_chunk_names); i++) {
- if (strcasecmp(sctp_chunk_names[i].name, ptr) == 0) {
- DEBUGP("Chunk num %d\n", sctp_chunk_names[i].chunk_type);
- SCTP_CHUNKMAP_SET(einfo->chunkmap,
- sctp_chunk_names[i].chunk_type);
- found = 1;
- break;
- }
- }
- if (!found)
- exit_error(PARAMETER_PROBLEM,
- "Unknown sctp chunk `%s'", ptr);
-
- if (chunk_flags) {
- DEBUGP("Chunk flags %s\n", chunk_flags);
- for (j = 0; j < strlen(chunk_flags); j++) {
- char *p;
- int bit;
-
- if ((p = strchr(sctp_chunk_names[i].valid_flags,
- toupper(chunk_flags[j]))) != NULL) {
- bit = p - sctp_chunk_names[i].valid_flags;
- bit = 7 - bit;
-
- save_chunk_flag_info(einfo->flag_info,
- &(einfo->flag_count), i, bit,
- isupper(chunk_flags[j]));
- } else {
- exit_error(PARAMETER_PROBLEM,
- "Invalid flags for chunk type %d\n", i);
- }
- }
- }
- }
-out:
- free(buffer);
-}
-
-static void
-parse_sctp_chunks(struct xt_sctp_info *einfo,
- const char *match_type,
- const char *chunks)
-{
- DEBUGP("Match type: %s Chunks: %s\n", match_type, chunks);
- if (!strcasecmp(match_type, "ANY")) {
- einfo->chunk_match_type = SCTP_CHUNK_MATCH_ANY;
- } else if (!strcasecmp(match_type, "ALL")) {
- einfo->chunk_match_type = SCTP_CHUNK_MATCH_ALL;
- } else if (!strcasecmp(match_type, "ONLY")) {
- einfo->chunk_match_type = SCTP_CHUNK_MATCH_ONLY;
- } else {
- exit_error (PARAMETER_PROBLEM,
- "Match type has to be one of \"ALL\", \"ANY\" or \"ONLY\"");
- }
-
- SCTP_CHUNKMAP_RESET(einfo->chunkmap);
- parse_sctp_chunk(einfo, chunks);
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct xt_sctp_info *einfo
- = (struct xt_sctp_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & XT_SCTP_SRC_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--source-port' allowed");
- einfo->flags |= XT_SCTP_SRC_PORTS;
- check_inverse(optarg, &invert, &optind, 0);
- parse_sctp_ports(argv[optind-1], einfo->spts);
- if (invert)
- einfo->invflags |= XT_SCTP_SRC_PORTS;
- *flags |= XT_SCTP_SRC_PORTS;
- break;
-
- case '2':
- if (*flags & XT_SCTP_DEST_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--destination-port' allowed");
- einfo->flags |= XT_SCTP_DEST_PORTS;
- check_inverse(optarg, &invert, &optind, 0);
- parse_sctp_ports(argv[optind-1], einfo->dpts);
- if (invert)
- einfo->invflags |= XT_SCTP_DEST_PORTS;
- *flags |= XT_SCTP_DEST_PORTS;
- break;
-
- case '3':
- if (*flags & XT_SCTP_CHUNK_TYPES)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--chunk-types' allowed");
- check_inverse(optarg, &invert, &optind, 0);
-
- if (!argv[optind]
- || argv[optind][0] == '-' || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--chunk-types requires two args");
-
- einfo->flags |= XT_SCTP_CHUNK_TYPES;
- parse_sctp_chunks(einfo, argv[optind-1], argv[optind]);
- if (invert)
- einfo->invflags |= XT_SCTP_CHUNK_TYPES;
- optind++;
- *flags |= XT_SCTP_CHUNK_TYPES;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-static char *
-port_to_service(int port)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port), "sctp")))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-static void
-print_ports(const char *name, u_int16_t min, u_int16_t max,
- int invert, int numeric)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- print_port(min, numeric);
- } else {
- printf("s:%s", inv);
- print_port(min, numeric);
- printf(":");
- print_port(max, numeric);
- }
- printf(" ");
- }
-}
-
-static void
-print_chunk_flags(u_int32_t chunknum, u_int8_t chunk_flags, u_int8_t chunk_flags_mask)
-{
- int i;
-
- DEBUGP("type: %d\tflags: %x\tflag mask: %x\n", chunknum, chunk_flags,
- chunk_flags_mask);
-
- if (chunk_flags_mask) {
- printf(":");
- }
-
- for (i = 7; i >= 0; i--) {
- if (chunk_flags_mask & (1 << i)) {
- if (chunk_flags & (1 << i)) {
- printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
- } else {
- printf("%c", tolower(sctp_chunk_names[chunknum].valid_flags[7-i]));
- }
- }
- }
-}
-
-static void
-print_chunk(u_int32_t chunknum, int numeric)
-{
- if (numeric) {
- printf("0x%04X", chunknum);
- }
- else {
- int i;
-
- for (i = 0; i < ELEMCOUNT(sctp_chunk_names); i++) {
- if (sctp_chunk_names[i].chunk_type == chunknum)
- printf("%s", sctp_chunk_names[chunknum].name);
- }
- }
-}
-
-static void
-print_chunks(u_int32_t chunk_match_type,
- const u_int32_t *chunkmap,
- const struct xt_sctp_flag_info *flag_info,
- int flag_count,
- int numeric)
-{
- int i, j;
- int flag;
-
- switch (chunk_match_type) {
- case SCTP_CHUNK_MATCH_ANY: printf("any "); break;
- case SCTP_CHUNK_MATCH_ALL: printf("all "); break;
- case SCTP_CHUNK_MATCH_ONLY: printf("only "); break;
- default: printf("Never reach herer\n"); break;
- }
-
- if (SCTP_CHUNKMAP_IS_CLEAR(chunkmap)) {
- printf("NONE ");
- goto out;
- }
-
- if (SCTP_CHUNKMAP_IS_ALL_SET(chunkmap)) {
- printf("ALL ");
- goto out;
- }
-
- flag = 0;
- for (i = 0; i < 256; i++) {
- if (SCTP_CHUNKMAP_IS_SET(chunkmap, i)) {
- if (flag)
- printf(",");
- flag = 1;
- print_chunk(i, numeric);
- for (j = 0; j < flag_count; j++) {
- if (flag_info[j].chunktype == i) {
- print_chunk_flags(i, flag_info[j].flag,
- flag_info[j].flag_mask);
- }
- }
- }
- }
-
- if (flag)
- printf(" ");
-out:
- return;
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct xt_sctp_info *einfo =
- (const struct xt_sctp_info *)match->data;
-
- printf("sctp ");
-
- if (einfo->flags & XT_SCTP_SRC_PORTS) {
- print_ports("spt", einfo->spts[0], einfo->spts[1],
- einfo->invflags & XT_SCTP_SRC_PORTS,
- numeric);
- }
-
- if (einfo->flags & XT_SCTP_DEST_PORTS) {
- print_ports("dpt", einfo->dpts[0], einfo->dpts[1],
- einfo->invflags & XT_SCTP_DEST_PORTS,
- numeric);
- }
-
- if (einfo->flags & XT_SCTP_CHUNK_TYPES) {
- /* FIXME: print_chunks() is used in save() where the printing of '!'
- s taken care of, so we need to do that here as well */
- if (einfo->invflags & XT_SCTP_CHUNK_TYPES) {
- printf("! ");
- }
- print_chunks(einfo->chunk_match_type, einfo->chunkmap,
- einfo->flag_info, einfo->flag_count, numeric);
- }
-}
-
-/* Saves the union xt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match)
-{
- const struct xt_sctp_info *einfo =
- (const struct xt_sctp_info *)match->data;
-
- if (einfo->flags & XT_SCTP_SRC_PORTS) {
- if (einfo->invflags & XT_SCTP_SRC_PORTS)
- printf("! ");
- if (einfo->spts[0] != einfo->spts[1])
- printf("--sport %u:%u ",
- einfo->spts[0], einfo->spts[1]);
- else
- printf("--sport %u ", einfo->spts[0]);
- }
-
- if (einfo->flags & XT_SCTP_DEST_PORTS) {
- if (einfo->invflags & XT_SCTP_DEST_PORTS)
- printf("! ");
- if (einfo->dpts[0] != einfo->dpts[1])
- printf("--dport %u:%u ",
- einfo->dpts[0], einfo->dpts[1]);
- else
- printf("--dport %u ", einfo->dpts[0]);
- }
-
- if (einfo->flags & XT_SCTP_CHUNK_TYPES) {
- if (einfo->invflags & XT_SCTP_CHUNK_TYPES)
- printf("! ");
- printf("--chunk-types ");
-
- print_chunks(einfo->chunk_match_type, einfo->chunkmap,
- einfo->flag_info, einfo->flag_count, 0);
- }
-}
-
-static
-struct ip6tables_match sctp
-= { .name = "sctp",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct xt_sctp_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct xt_sctp_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match6(&sctp);
-}
-
diff --git a/extensions/libip6t_standard.c b/extensions/libip6t_standard.c
deleted file mode 100644
index c48882f..0000000
--- a/extensions/libip6t_standard.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/* Shared library add-on to iptables for standard target support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <getopt.h>
-#include <ip6tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"Standard v%s options:\n"
-"(If target is DROP, ACCEPT, RETURN or nothing)\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {0}
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- return 0;
-}
-
-/* Final check; don't care. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Saves the targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip6, const struct ip6t_entry_target *target)
-{
-}
-
-static struct ip6tables_target standard = {
- .name = "standard",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(int)),
- .userspacesize = IP6T_ALIGN(sizeof(int)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_target6(&standard);
-}
diff --git a/extensions/libip6t_state.c b/extensions/libip6t_state.c
deleted file mode 100644
index 84fd1a4..0000000
--- a/extensions/libip6t_state.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/* Ugly hack to make state matching for ipv6 work before iptables-1.4.x is finished */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ipt_state.h>
-
-#ifndef IPT_STATE_UNTRACKED
-#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"state v%s options:\n"
-" [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]\n"
-" State(s) to match\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "state", 1, 0, '1' },
- {0}
-};
-
-static int
-parse_state(const char *state, size_t strlen, struct ipt_state_info *sinfo)
-{
- if (strncasecmp(state, "INVALID", strlen) == 0)
- sinfo->statemask |= IPT_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
- sinfo->statemask |= IPT_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
- sinfo->statemask |= IPT_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
- sinfo->statemask |= IPT_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
- sinfo->statemask |= IPT_STATE_UNTRACKED;
- else
- return 0;
- return 1;
-}
-
-static void
-parse_states(const char *arg, struct ipt_state_info *sinfo)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_state(arg, comma-arg, sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad state `%s'", arg);
- arg = comma+1;
- }
-
- if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad state `%s'", arg);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ipt_state_info *sinfo = (struct ipt_state_info *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_states(argv[optind-1], sinfo);
- if (invert)
- sinfo->statemask = ~sinfo->statemask;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified --state. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "You must specify `--state'");
-}
-
-static void print_state(unsigned int statemask)
-{
- const char *sep = "";
-
- if (statemask & IPT_STATE_INVALID) {
- printf("%sINVALID", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_BIT(IP_CT_NEW)) {
- printf("%sNEW", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_BIT(IP_CT_RELATED)) {
- printf("%sRELATED", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_BIT(IP_CT_ESTABLISHED)) {
- printf("%sESTABLISHED", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_UNTRACKED) {
- printf("%sUNTRACKED", sep);
- sep = ",";
- }
- printf(" ");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- struct ipt_state_info *sinfo = (struct ipt_state_info *)match->data;
-
- printf("state ");
- print_state(sinfo->statemask);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- struct ipt_state_info *sinfo = (struct ipt_state_info *)match->data;
-
- printf("--state ");
- print_state(sinfo->statemask);
-}
-
-static struct ip6tables_match state = {
- .next = NULL,
- .name = "state",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ipt_state_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ipt_state_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match6(&state);
-}
diff --git a/extensions/libip6t_tcp.c b/extensions/libip6t_tcp.c
deleted file mode 100644
index 734387c..0000000
--- a/extensions/libip6t_tcp.c
+++ /dev/null
@@ -1,416 +0,0 @@
-/* Shared library add-on to iptables to add TCP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"TCP v%s options:\n"
-" --tcp-flags [!] mask comp match when TCP flags & mask == comp\n"
-" (Flags: SYN ACK FIN RST URG PSH ALL NONE)\n"
-"[!] --syn match when only SYN flag set\n"
-" (equivalent to --tcp-flags SYN,RST,ACK SYN)\n"
-" --source-port [!] port[:port]\n"
-" --sport ...\n"
-" match source port(s)\n"
-" --destination-port [!] port[:port]\n"
-" --dport ...\n"
-" match destination port(s)\n"
-" --tcp-option [!] number match if TCP option set\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "source-port", 1, 0, '1' },
- { "sport", 1, 0, '1' }, /* synonym */
- { "destination-port", 1, 0, '2' },
- { "dport", 1, 0, '2' }, /* synonym */
- { "syn", 0, 0, '3' },
- { "tcp-flags", 1, 0, '4' },
- { "tcp-option", 1, 0, '5' },
- {0}
-};
-
-static void
-parse_tcp_ports(const char *portstring, u_int16_t *ports)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(portstring);
- if ((cp = strchr(buffer, ':')) == NULL)
- ports[0] = ports[1] = parse_port(buffer, "tcp");
- else {
- *cp = '\0';
- cp++;
-
- ports[0] = buffer[0] ? parse_port(buffer, "tcp") : 0;
- ports[1] = cp[0] ? parse_port(cp, "tcp") : 0xFFFF;
-
- if (ports[0] > ports[1])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange (min > max)");
- }
- free(buffer);
-}
-
-struct tcp_flag_names {
- const char *name;
- unsigned int flag;
-};
-
-static struct tcp_flag_names tcp_flag_names[]
-= { { "FIN", 0x01 },
- { "SYN", 0x02 },
- { "RST", 0x04 },
- { "PSH", 0x08 },
- { "ACK", 0x10 },
- { "URG", 0x20 },
- { "ALL", 0x3F },
- { "NONE", 0 },
-};
-
-static unsigned int
-parse_tcp_flag(const char *flags)
-{
- unsigned int ret = 0;
- char *ptr;
- char *buffer;
-
- buffer = strdup(flags);
-
- for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
- unsigned int i;
- for (i = 0;
- i < sizeof(tcp_flag_names)/sizeof(struct tcp_flag_names);
- i++) {
- if (strcasecmp(tcp_flag_names[i].name, ptr) == 0) {
- ret |= tcp_flag_names[i].flag;
- break;
- }
- }
- if (i == sizeof(tcp_flag_names)/sizeof(struct tcp_flag_names))
- exit_error(PARAMETER_PROBLEM,
- "Unknown TCP flag `%s'", ptr);
- }
-
- free(buffer);
- return ret;
-}
-
-static void
-parse_tcp_flags(struct ip6t_tcp *tcpinfo,
- const char *mask,
- const char *cmp,
- int invert)
-{
- tcpinfo->flg_mask = parse_tcp_flag(mask);
- tcpinfo->flg_cmp = parse_tcp_flag(cmp);
-
- if (invert)
- tcpinfo->invflags |= IP6T_TCP_INV_FLAGS;
-}
-
-static void
-parse_tcp_option(const char *option, u_int8_t *result)
-{
- unsigned int ret;
-
- if (string_to_number(option, 1, 255, &ret) == -1)
- exit_error(PARAMETER_PROBLEM, "Bad TCP option `%s'", option);
-
- *result = (u_int8_t)ret;
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_tcp *tcpinfo = (struct ip6t_tcp *)m->data;
-
- tcpinfo->spts[1] = tcpinfo->dpts[1] = 0xFFFF;
-}
-
-#define TCP_SRC_PORTS 0x01
-#define TCP_DST_PORTS 0x02
-#define TCP_FLAGS 0x04
-#define TCP_OPTION 0x08
-
-/* Function which parses command options; returns true if it
- ate an option. */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_tcp *tcpinfo = (struct ip6t_tcp *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & TCP_SRC_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--source-port' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_tcp_ports(argv[optind-1], tcpinfo->spts);
- if (invert)
- tcpinfo->invflags |= IP6T_TCP_INV_SRCPT;
- *flags |= TCP_SRC_PORTS;
- break;
-
- case '2':
- if (*flags & TCP_DST_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--destination-port' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_tcp_ports(argv[optind-1], tcpinfo->dpts);
- if (invert)
- tcpinfo->invflags |= IP6T_TCP_INV_DSTPT;
- *flags |= TCP_DST_PORTS;
- break;
-
- case '3':
- if (*flags & TCP_FLAGS)
- exit_error(PARAMETER_PROBLEM,
- "Only one of `--syn' or `--tcp-flags' "
- " allowed");
- parse_tcp_flags(tcpinfo, "SYN,RST,ACK", "SYN", invert);
- *flags |= TCP_FLAGS;
- break;
-
- case '4':
- if (*flags & TCP_FLAGS)
- exit_error(PARAMETER_PROBLEM,
- "Only one of `--syn' or `--tcp-flags' "
- " allowed");
- check_inverse(optarg, &invert, &optind, 0);
-
- if (!argv[optind]
- || argv[optind][0] == '-' || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--tcp-flags requires two args.");
-
- parse_tcp_flags(tcpinfo, argv[optind-1], argv[optind],
- invert);
- optind++;
- *flags |= TCP_FLAGS;
- break;
-
- case '5':
- if (*flags & TCP_OPTION)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--tcp-option' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_tcp_option(argv[optind-1], &tcpinfo->option);
- if (invert)
- tcpinfo->invflags |= IP6T_TCP_INV_OPTION;
- *flags |= TCP_OPTION;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static char *
-port_to_service(int port)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port), "tcp")))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-static void
-print_ports(const char *name, u_int16_t min, u_int16_t max,
- int invert, int numeric)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- print_port(min, numeric);
- } else {
- printf("s:%s", inv);
- print_port(min, numeric);
- printf(":");
- print_port(max, numeric);
- }
- printf(" ");
- }
-}
-
-static void
-print_option(u_int8_t option, int invert, int numeric)
-{
- if (option || invert)
- printf("option=%s%u ", invert ? "!" : "", option);
-}
-
-static void
-print_tcpf(u_int8_t flags)
-{
- int have_flag = 0;
-
- while (flags) {
- unsigned int i;
-
- for (i = 0; (flags & tcp_flag_names[i].flag) == 0; i++);
-
- if (have_flag)
- printf(",");
- printf("%s", tcp_flag_names[i].name);
- have_flag = 1;
-
- flags &= ~tcp_flag_names[i].flag;
- }
-
- if (!have_flag)
- printf("NONE");
-}
-
-static void
-print_flags(u_int8_t mask, u_int8_t cmp, int invert, int numeric)
-{
- if (mask || invert) {
- printf("flags:%s", invert ? "!" : "");
- if (numeric)
- printf("0x%02X/0x%02X ", mask, cmp);
- else {
- print_tcpf(mask);
- printf("/");
- print_tcpf(cmp);
- printf(" ");
- }
- }
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match, int numeric)
-{
- const struct ip6t_tcp *tcp = (struct ip6t_tcp *)match->data;
-
- printf("tcp ");
- print_ports("spt", tcp->spts[0], tcp->spts[1],
- tcp->invflags & IP6T_TCP_INV_SRCPT,
- numeric);
- print_ports("dpt", tcp->dpts[0], tcp->dpts[1],
- tcp->invflags & IP6T_TCP_INV_DSTPT,
- numeric);
- print_option(tcp->option,
- tcp->invflags & IP6T_TCP_INV_OPTION,
- numeric);
- print_flags(tcp->flg_mask, tcp->flg_cmp,
- tcp->invflags & IP6T_TCP_INV_FLAGS,
- numeric);
- if (tcp->invflags & ~IP6T_TCP_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- tcp->invflags & ~IP6T_TCP_INV_MASK);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_tcp *tcpinfo = (struct ip6t_tcp *)match->data;
-
- if (tcpinfo->spts[0] != 0
- || tcpinfo->spts[1] != 0xFFFF) {
- if (tcpinfo->invflags & IP6T_TCP_INV_SRCPT)
- printf("! ");
- if (tcpinfo->spts[0]
- != tcpinfo->spts[1])
- printf("--sport %u:%u ",
- tcpinfo->spts[0],
- tcpinfo->spts[1]);
- else
- printf("--sport %u ",
- tcpinfo->spts[0]);
- }
-
- if (tcpinfo->dpts[0] != 0
- || tcpinfo->dpts[1] != 0xFFFF) {
- if (tcpinfo->invflags & IP6T_TCP_INV_DSTPT)
- printf("! ");
- if (tcpinfo->dpts[0]
- != tcpinfo->dpts[1])
- printf("--dport %u:%u ",
- tcpinfo->dpts[0],
- tcpinfo->dpts[1]);
- else
- printf("--dport %u ",
- tcpinfo->dpts[0]);
- }
-
- if (tcpinfo->option
- || (tcpinfo->invflags & IP6T_TCP_INV_OPTION)) {
- if (tcpinfo->invflags & IP6T_TCP_INV_OPTION)
- printf("! ");
- printf("--tcp-option %u ", tcpinfo->option);
- }
-
- if (tcpinfo->flg_mask
- || (tcpinfo->invflags & IP6T_TCP_INV_FLAGS)) {
- if (tcpinfo->invflags & IP6T_TCP_INV_FLAGS)
- printf("! ");
-
- printf("--tcp-flags ");
- if (tcpinfo->flg_mask != 0xFF) {
- print_tcpf(tcpinfo->flg_mask);
- }
- printf(" ");
- print_tcpf(tcpinfo->flg_cmp);
- printf(" ");
- }
-}
-
-static struct ip6tables_match tcp = {
- .name = "tcp",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_tcp)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_tcp)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void
-_init(void)
-{
- register_match6(&tcp);
-}
diff --git a/extensions/libip6t_tcp.man b/extensions/libip6t_tcp.man
deleted file mode 100644
index 75d172e..0000000
--- a/extensions/libip6t_tcp.man
+++ /dev/null
@@ -1,45 +0,0 @@
-These extensions are loaded if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK and RST bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
diff --git a/extensions/libip6t_udp.c b/extensions/libip6t_udp.c
deleted file mode 100644
index cd3c3d4..0000000
--- a/extensions/libip6t_udp.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/* Shared library add-on to iptables to add UDP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"UDP v%s options:\n"
-" --source-port [!] port[:port]\n"
-" --sport ...\n"
-" match source port(s)\n"
-" --destination-port [!] port[:port]\n"
-" --dport ...\n"
-" match destination port(s)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "source-port", 1, 0, '1' },
- { "sport", 1, 0, '1' }, /* synonym */
- { "destination-port", 1, 0, '2' },
- { "dport", 1, 0, '2' }, /* synonym */
- {0}
-};
-
-static void
-parse_udp_ports(const char *portstring, u_int16_t *ports)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(portstring);
- if ((cp = strchr(buffer, ':')) == NULL)
- ports[0] = ports[1] = parse_port(buffer, "udp");
- else {
- *cp = '\0';
- cp++;
-
- ports[0] = buffer[0] ? parse_port(buffer, "udp") : 0;
- ports[1] = cp[0] ? parse_port(cp, "udp") : 0xFFFF;
-
- if (ports[0] > ports[1])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange (min > max)");
- }
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_udp *udpinfo = (struct ip6t_udp *)m->data;
-
- udpinfo->spts[1] = udpinfo->dpts[1] = 0xFFFF;
-}
-
-#define UDP_SRC_PORTS 0x01
-#define UDP_DST_PORTS 0x02
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_udp *udpinfo = (struct ip6t_udp *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & UDP_SRC_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--source-port' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_udp_ports(argv[optind-1], udpinfo->spts);
- if (invert)
- udpinfo->invflags |= IP6T_UDP_INV_SRCPT;
- *flags |= UDP_SRC_PORTS;
- break;
-
- case '2':
- if (*flags & UDP_DST_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--destination-port' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_udp_ports(argv[optind-1], udpinfo->dpts);
- if (invert)
- udpinfo->invflags |= IP6T_UDP_INV_DSTPT;
- *flags |= UDP_DST_PORTS;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static char *
-port_to_service(int port)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port), "udp")))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-static void
-print_ports(const char *name, u_int16_t min, u_int16_t max,
- int invert, int numeric)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- print_port(min, numeric);
- } else {
- printf("s:%s", inv);
- print_port(min, numeric);
- printf(":");
- print_port(max, numeric);
- }
- printf(" ");
- }
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match, int numeric)
-{
- const struct ip6t_udp *udp = (struct ip6t_udp *)match->data;
-
- printf("udp ");
- print_ports("spt", udp->spts[0], udp->spts[1],
- udp->invflags & IP6T_UDP_INV_SRCPT,
- numeric);
- print_ports("dpt", udp->dpts[0], udp->dpts[1],
- udp->invflags & IP6T_UDP_INV_DSTPT,
- numeric);
- if (udp->invflags & ~IP6T_UDP_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- udp->invflags & ~IP6T_UDP_INV_MASK);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_udp *udpinfo = (struct ip6t_udp *)match->data;
-
- if (udpinfo->spts[0] != 0
- || udpinfo->spts[1] != 0xFFFF) {
- if (udpinfo->invflags & IP6T_UDP_INV_SRCPT)
- printf("! ");
- if (udpinfo->spts[0]
- != udpinfo->spts[1])
- printf("--sport %u:%u ",
- udpinfo->spts[0],
- udpinfo->spts[1]);
- else
- printf("--sport %u ",
- udpinfo->spts[0]);
- }
-
- if (udpinfo->dpts[0] != 0
- || udpinfo->dpts[1] != 0xFFFF) {
- if (udpinfo->invflags & IP6T_UDP_INV_DSTPT)
- printf("! ");
- if (udpinfo->dpts[0]
- != udpinfo->dpts[1])
- printf("--dport %u:%u ",
- udpinfo->dpts[0],
- udpinfo->dpts[1]);
- else
- printf("--dport %u ",
- udpinfo->dpts[0]);
- }
-}
-
-static struct ip6tables_match udp = {
- .name = "udp",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_udp)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_udp)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void
-_init(void)
-{
- register_match6(&udp);
-}
diff --git a/extensions/libip6t_udp.man b/extensions/libip6t_udp.man
deleted file mode 100644
index 0408479..0000000
--- a/extensions/libip6t_udp.man
+++ /dev/null
@@ -1,14 +0,0 @@
-These extensions are loaded if `--protocol udp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification.
-See the description of the
-.B --source-port
-option of the TCP extension for details.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification.
-See the description of the
-.B --destination-port
-option of the TCP extension for details.
diff --git a/extensions/libipt_2connmark.c b/extensions/libipt_2connmark.c
deleted file mode 100644
index 18c7586..0000000
--- a/extensions/libipt_2connmark.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/* Shared library add-on to iptables to add connmark matching support.
- *
- * (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * Version 1.1
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include "../include/linux/netfilter_ipv4/ipt_2connmark.h"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"CONNMARK match v%s options:\n"
-"[!] --mark value[/mask] Match nfmark value with optional mask\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "mark", 1, 0, '1' },
- {0}
-};
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- /* Can't cache this. */
- *nfcache |= NFC_UNKNOWN;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_connmark_info *markinfo = (struct ipt_connmark_info *)(*match)->data;
-
- switch (c) {
- char *end;
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- markinfo->mark = strtoul(optarg, &end, 0);
- markinfo->mask = 0xffffffffUL;
-
- if (*end == '/')
- markinfo->mask = strtoul(end+1, &end, 0);
-
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
- if (invert)
- markinfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_mark(unsigned long mark, unsigned long mask, int numeric)
-{
- if(mask != 0xffffffffUL)
- printf("0x%lx/0x%lx ", mark, mask);
- else
- printf("0x%lx ", mark);
-}
-
-/* Final check; must have specified --mark. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "MARK match: You must specify `--mark'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_connmark_info *info = (struct ipt_connmark_info *)match->data;
-
- printf("CONNMARK match ");
- if (info->invert)
- printf("!");
- print_mark(info->mark, info->mask, numeric);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_connmark_info *info = (struct ipt_connmark_info *)match->data;
-
- if (info->invert)
- printf("! ");
-
- printf("--mark ");
- print_mark(info->mark, info->mask, 0);
-}
-
-static struct iptables_match connmark_match = {
- .name = "connmark",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_connmark_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_connmark_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_2connmark_init(void)
-{
- register_match(&connmark_match);
-}
diff --git a/extensions/libipt_2dscp.c b/extensions/libipt_2dscp.c
deleted file mode 100644
index 1cf8c2e..0000000
--- a/extensions/libipt_2dscp.c
+++ /dev/null
@@ -1,172 +0,0 @@
-/* Shared library add-on to iptables for DSCP
- *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- * libipt_dscp.c borrowed heavily from libipt_tos.c
- *
- * --class support added by Iain Barnes
- *
- * For a list of DSCP codepoints see
- * http://www.iana.org/assignments/dscp-registry
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_2dscp.h>
-
-/* This is evil, but it's my code - HW*/
-#include "libipt_dscp_helper.c"
-
-static void help(void)
-{
- printf(
-"DSCP match v%s options\n"
-"[!] --dscp value Match DSCP codepoint with numerical value\n"
-" This value can be in decimal (ex: 32)\n"
-" or in hex (ex: 0x20)\n"
-"[!] --dscp-class name Match the DiffServ class. This value may\n"
-" be any of the BE,EF, AFxx or CSx classes\n"
-"\n"
-" These two options are mutually exclusive !\n"
- , IPTABLES_VERSION
-);
-}
-
-static struct option opts[] = {
- { "dscp", 1, 0, 'F' },
- { "dscp-class", 1, 0, 'G' },
- { 0 }
-};
-
-static void
-parse_dscp(const char *s, struct ipt_dscp_info *dinfo)
-{
- unsigned int dscp;
-
- if (string_to_number(s, 0, 255, &dscp) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid dscp `%s'\n", s);
-
- if (dscp > IPT_DSCP_MAX)
- exit_error(PARAMETER_PROBLEM,
- "DSCP `%d` out of range\n", dscp);
-
- dinfo->dscp = (u_int8_t )dscp;
- return;
-}
-
-
-static void
-parse_class(const char *s, struct ipt_dscp_info *dinfo)
-{
- unsigned int dscp = class_to_dscp(s);
-
- /* Assign the value */
- dinfo->dscp = (u_int8_t)dscp;
-}
-
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_dscp_info *dinfo
- = (struct ipt_dscp_info *)(*match)->data;
-
- switch (c) {
- case 'F':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "DSCP match: Only use --dscp ONCE!");
- check_inverse(optarg, &invert, &optind, 0);
- parse_dscp(argv[optind-1], dinfo);
- if (invert)
- dinfo->invert = 1;
- *flags = 1;
- break;
-
- case 'G':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "DSCP match: Only use --dscp-class ONCE!");
- check_inverse(optarg, &invert, &optind, 0);
- parse_class(argv[optind - 1], dinfo);
- if (invert)
- dinfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "DSCP match: Parameter --dscp is required");
-}
-
-static void
-print_dscp(u_int8_t dscp, int invert, int numeric)
-{
- if (invert)
- fputc('!', stdout);
-
- printf("0x%02x ", dscp);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_dscp_info *dinfo =
- (const struct ipt_dscp_info *)match->data;
- printf("DSCP match ");
- print_dscp(dinfo->dscp, dinfo->invert, numeric);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_dscp_info *dinfo =
- (const struct ipt_dscp_info *)match->data;
-
- printf("--dscp ");
- print_dscp(dinfo->dscp, dinfo->invert, 1);
-}
-
-static struct iptables_match dscp = {
- .next = NULL,
- .name = "dscp",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_dscp_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_dscp_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_2dscp_init(void)
-{
- register_match(&dscp);
-}
diff --git a/extensions/libipt_2ecn.c b/extensions/libipt_2ecn.c
deleted file mode 100644
index 2d5a38e..0000000
--- a/extensions/libipt_2ecn.c
+++ /dev/null
@@ -1,171 +0,0 @@
-/* Shared library add-on to iptables for ECN matching
- *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- * libipt_ecn.c borrowed heavily from libipt_dscp.c
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_2ecn.h>
-
-static void help(void)
-{
- printf(
-"ECN match v%s options\n"
-"[!] --ecn-tcp-cwr Match CWR bit of TCP header\n"
-"[!] --ecn-tcp-ece Match ECE bit of TCP header\n"
-"[!] --ecn-ip-ect [0..3] Match ECN codepoint in IPv4 header\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "ecn-tcp-cwr", .has_arg = 0, .flag = 0, .val = 'F' },
- { .name = "ecn-tcp-ece", .has_arg = 0, .flag = 0, .val = 'G' },
- { .name = "ecn-ip-ect", .has_arg = 1, .flag = 0, .val = 'H' },
- { .name = 0 }
-};
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- unsigned int result;
- struct ipt_ecn_info *einfo
- = (struct ipt_ecn_info *)(*match)->data;
-
- switch (c) {
- case 'F':
- if (*flags & IPT_ECN_OP_MATCH_CWR)
- exit_error(PARAMETER_PROBLEM,
- "ECN match: can only use parameter ONCE!");
- check_inverse(optarg, &invert, &optind, 0);
- einfo->operation |= IPT_ECN_OP_MATCH_CWR;
- if (invert)
- einfo->invert |= IPT_ECN_OP_MATCH_CWR;
- *flags |= IPT_ECN_OP_MATCH_CWR;
- break;
-
- case 'G':
- if (*flags & IPT_ECN_OP_MATCH_ECE)
- exit_error(PARAMETER_PROBLEM,
- "ECN match: can only use parameter ONCE!");
- check_inverse(optarg, &invert, &optind, 0);
- einfo->operation |= IPT_ECN_OP_MATCH_ECE;
- if (invert)
- einfo->invert |= IPT_ECN_OP_MATCH_ECE;
- *flags |= IPT_ECN_OP_MATCH_ECE;
- break;
-
- case 'H':
- if (*flags & IPT_ECN_OP_MATCH_IP)
- exit_error(PARAMETER_PROBLEM,
- "ECN match: can only use parameter ONCE!");
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- einfo->invert |= IPT_ECN_OP_MATCH_IP;
- *flags |= IPT_ECN_OP_MATCH_IP;
- einfo->operation |= IPT_ECN_OP_MATCH_IP;
- if (string_to_number(optarg, 0, 3, &result))
- exit_error(PARAMETER_PROBLEM,
- "ECN match: Value out of range");
- einfo->ip_ect = result;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "ECN match: some option required");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_ecn_info *einfo =
- (const struct ipt_ecn_info *)match->data;
-
- printf("ECN match ");
-
- if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
- if (einfo->invert & IPT_ECN_OP_MATCH_ECE)
- fputc('!', stdout);
- printf("ECE ");
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
- if (einfo->invert & IPT_ECN_OP_MATCH_CWR)
- fputc('!', stdout);
- printf("CWR ");
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_IP) {
- if (einfo->invert & IPT_ECN_OP_MATCH_IP)
- fputc('!', stdout);
- printf("ECT=%d ", einfo->ip_ect);
- }
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_ecn_info *einfo =
- (const struct ipt_ecn_info *)match->data;
-
- if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
- if (einfo->invert & IPT_ECN_OP_MATCH_ECE)
- printf("! ");
- printf("--ecn-tcp-ece ");
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
- if (einfo->invert & IPT_ECN_OP_MATCH_CWR)
- printf("! ");
- printf("--ecn-tcp-cwr ");
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_IP) {
- if (einfo->invert & IPT_ECN_OP_MATCH_IP)
- printf("! ");
- printf("--ecn-ip-ect %d", einfo->ip_ect);
- }
-}
-
-static
-struct iptables_match ecn
-= { .name = "ecn",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_ecn_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_ecn_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_2ecn_init(void)
-{
- register_match(&ecn);
-}
diff --git a/extensions/libipt_2mark.c b/extensions/libipt_2mark.c
deleted file mode 100644
index 5dbd2c8..0000000
--- a/extensions/libipt_2mark.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/* Shared library add-on to iptables to add NFMARK matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv4/ipt_2mark.h"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"MARK match v%s options:\n"
-"[!] --mark value[/mask] Match nfmark value with optional mask\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "mark", 1, 0, '1' },
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_mark_info *markinfo = (struct ipt_mark_info *)(*match)->data;
-
- switch (c) {
- char *end;
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-#ifdef KERNEL_64_USERSPACE_32
- markinfo->mark = strtoull(optarg, &end, 0);
- if (*end == '/') {
- markinfo->mask = strtoull(end+1, &end, 0);
- } else
- markinfo->mask = 0xffffffffffffffffULL;
-#else
- markinfo->mark = strtoul(optarg, &end, 0);
- if (*end == '/') {
- markinfo->mask = strtoul(end+1, &end, 0);
- } else
- markinfo->mask = 0xffffffff;
-#endif
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
- if (invert)
- markinfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-#ifdef KERNEL_64_USERSPACE_32
-static void
-print_mark(unsigned long long mark, unsigned long long mask, int numeric)
-{
- if(mask != 0xffffffffffffffffULL)
- printf("0x%llx/0x%llx ", mark, mask);
- else
- printf("0x%llx ", mark);
-}
-#else
-static void
-print_mark(unsigned long mark, unsigned long mask, int numeric)
-{
- if(mask != 0xffffffff)
- printf("0x%lx/0x%lx ", mark, mask);
- else
- printf("0x%lx ", mark);
-}
-#endif
-
-/* Final check; must have specified --mark. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "MARK match: You must specify `--mark'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_mark_info *info = (struct ipt_mark_info *)match->data;
-
- printf("MARK match ");
-
- if (info->invert)
- printf("!");
-
- print_mark(info->mark, info->mask, numeric);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_mark_info *info = (struct ipt_mark_info *)match->data;
-
- if (info->invert)
- printf("! ");
-
- printf("--mark ");
- print_mark(info->mark, info->mask, 0);
-}
-
-static struct iptables_match mark = {
- .next = NULL,
- .name = "mark",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_mark_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_mark_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_2mark_init(void)
-{
- register_match(&mark);
-}
diff --git a/extensions/libipt_2set.c b/extensions/libipt_2set.c
deleted file mode 100644
index 697ed55..0000000
--- a/extensions/libipt_2set.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- * Patrick Schaaf <bof@bof.de>
- * Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Shared library add-on to iptables to add IP set matching. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ipt_set.h>
-#include "libipt_2set.h"
-
-/* Function which prints out usage message. */
-static void help(void)
-{
- printf("set v%s options:\n"
- " [!] --set name flags\n"
- " 'name' is the set name from to match,\n"
- " 'flags' are the comma separated list of\n"
- " 'src' and 'dst'.\n"
- "\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {"set", 1, 0, '1'},
- {0}
-};
-
-/* Initialize the match. */
-static void init(struct ipt_entry_match *match, unsigned int *nfcache)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
-
- memset(info, 0, sizeof(struct ipt_set_info_match));
-
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache, struct ipt_entry_match **match)
-{
- struct ipt_set_info_match *myinfo =
- (struct ipt_set_info_match *) (*match)->data;
- struct ipt_set_info *info = &myinfo->match_set;
-
- switch (c) {
- case '1': /* --set <set> <flag>[,<flag> */
- if (info->flags[0])
- exit_error(PARAMETER_PROBLEM,
- "--set can be specified only once");
-
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- info->flags[0] |= IPSET_MATCH_INV;
-
- if (!argv[optind]
- || argv[optind][0] == '-'
- || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--set requires two args.");
-
- if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1)
- exit_error(PARAMETER_PROBLEM,
- "setname `%s' too long, max %d characters.",
- argv[optind-1], IP_SET_MAXNAMELEN - 1);
-
- get_set_byname(argv[optind - 1], info);
- parse_bindings(argv[optind], info);
- DEBUGP("parse: set index %u\n", info->index);
- optind++;
-
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified --set. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify `--set' with proper arguments");
- DEBUGP("final check OK\n");
-}
-
-static void
-print_match(const char *prefix, const struct ipt_set_info *info)
-{
- int i;
- char setname[IP_SET_MAXNAMELEN];
-
- get_set_byid(setname, info->index);
- printf("%s%s %s",
- (info->flags[0] & IPSET_MATCH_INV) ? "! " : "",
- prefix,
- setname);
- for (i = 0; i < IP_SET_MAX_BINDINGS; i++) {
- if (!info->flags[i])
- break;
- printf("%s%s",
- i == 0 ? " " : ",",
- info->flags[i] & IPSET_SRC ? "src" : "dst");
- }
- printf(" ");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match, int numeric)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
- print_match("set", &info->match_set);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip,
- const struct ipt_entry_match *match)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
- print_match("--set", &info->match_set);
-}
-
-static
-struct iptables_match set = {
- .name = "set",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_set_info_match)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_set_info_match)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_2set_init(void)
-{
- register_match(&set);
-}
diff --git a/extensions/libipt_2tcpmss.c b/extensions/libipt_2tcpmss.c
deleted file mode 100644
index 28eea83..0000000
--- a/extensions/libipt_2tcpmss.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/* Shared library add-on to iptables to add tcp MSS matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_2tcpmss.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"tcpmss match v%s options:\n"
-"[!] --mss value[:value] Match TCP MSS range.\n"
-" (only valid for TCP SYN or SYN/ACK packets)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "mss", 1, 0, '1' },
- {0}
-};
-
-static u_int16_t
-parse_tcp_mssvalue(const char *mssvalue)
-{
- unsigned int mssvaluenum;
-
- if (string_to_number(mssvalue, 0, 65535, &mssvaluenum) != -1)
- return (u_int16_t)mssvaluenum;
-
- exit_error(PARAMETER_PROBLEM,
- "Invalid mss `%s' specified", mssvalue);
-}
-
-static void
-parse_tcp_mssvalues(const char *mssvaluestring,
- u_int16_t *mss_min, u_int16_t *mss_max)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(mssvaluestring);
- if ((cp = strchr(buffer, ':')) == NULL)
- *mss_min = *mss_max = parse_tcp_mssvalue(buffer);
- else {
- *cp = '\0';
- cp++;
-
- *mss_min = buffer[0] ? parse_tcp_mssvalue(buffer) : 0;
- *mss_max = cp[0] ? parse_tcp_mssvalue(cp) : 0xFFFF;
- }
- free(buffer);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_tcpmss_match_info *mssinfo =
- (struct ipt_tcpmss_match_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--mss' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_tcp_mssvalues(argv[optind-1],
- &mssinfo->mss_min, &mssinfo->mss_max);
- if (invert)
- mssinfo->invert = 1;
- *flags = 1;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_tcpmss(u_int16_t mss_min, u_int16_t mss_max, int invert, int numeric)
-{
- if (invert)
- printf("! ");
-
- if (mss_min == mss_max)
- printf("%u ", mss_min);
- else
- printf("%u:%u ", mss_min, mss_max);
-}
-
-/* Final check; must have specified --mss. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "tcpmss match: You must specify `--mss'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_tcpmss_match_info *mssinfo =
- (const struct ipt_tcpmss_match_info *)match->data;
-
- printf("tcpmss match ");
- print_tcpmss(mssinfo->mss_min, mssinfo->mss_max,
- mssinfo->invert, numeric);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_tcpmss_match_info *mssinfo =
- (const struct ipt_tcpmss_match_info *)match->data;
-
- printf("--mss ");
- print_tcpmss(mssinfo->mss_min, mssinfo->mss_max,
- mssinfo->invert, 0);
-}
-
-static struct iptables_match tcpmss = {
- .next = NULL,
- .name = "tcpmss",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_tcpmss_match_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_tcpmss_match_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_2tcpmss_init(void)
-{
- register_match(&tcpmss);
-}
diff --git a/extensions/libipt_2tos.c b/extensions/libipt_2tos.c
deleted file mode 100644
index 49dbac5..0000000
--- a/extensions/libipt_2tos.c
+++ /dev/null
@@ -1,172 +0,0 @@
-/* Shared library add-on to iptables to add TOS matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_tos_.h>
-
-/* TOS names and values. */
-static
-struct TOS_value
-{
- unsigned char TOS;
- const char *name;
-} TOS_values[] = {
- { IPTOS_LOWDELAY, "Minimize-Delay" },
- { IPTOS_THROUGHPUT, "Maximize-Throughput" },
- { IPTOS_RELIABILITY, "Maximize-Reliability" },
- { IPTOS_MINCOST, "Minimize-Cost" },
- { IPTOS_NORMALSVC, "Normal-Service" },
-};
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- unsigned int i;
-
- printf(
-"TOS match v%s options:\n"
-"[!] --tos value Match Type of Service field from one of the\n"
-" following numeric or descriptive values:\n",
-IPTABLES_VERSION);
-
- for (i = 0; i < sizeof(TOS_values)/sizeof(struct TOS_value);i++)
- printf(" %s %u (0x%02x)\n",
- TOS_values[i].name,
- TOS_values[i].TOS,
- TOS_values[i].TOS);
- fputc('\n', stdout);
-}
-
-static struct option opts[] = {
- { "tos", 1, 0, '1' },
- {0}
-};
-
-static void
-parse_tos(const char *s, struct ipt_tos_info *info)
-{
- unsigned int i;
- unsigned int tos;
-
- if (string_to_number(s, 0, 255, &tos) != -1) {
- if (tos == IPTOS_LOWDELAY
- || tos == IPTOS_THROUGHPUT
- || tos == IPTOS_RELIABILITY
- || tos == IPTOS_MINCOST
- || tos == IPTOS_NORMALSVC) {
- info->tos = (u_int8_t )tos;
- return;
- }
- } else {
- for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
- if (strcasecmp(s,TOS_values[i].name) == 0) {
- info->tos = TOS_values[i].TOS;
- return;
- }
- }
- exit_error(PARAMETER_PROBLEM, "Bad TOS value `%s'", s);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_tos_info *tosinfo = (struct ipt_tos_info *)(*match)->data;
-
- switch (c) {
- case '1':
- /* Ensure that `--tos' haven't been used yet. */
- if (*flags == 1)
- exit_error(PARAMETER_PROBLEM,
- "tos match: only use --tos once!");
-
- check_inverse(optarg, &invert, &optind, 0);
- parse_tos(argv[optind-1], tosinfo);
- if (invert)
- tosinfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_tos(u_int8_t tos, int numeric)
-{
- unsigned int i;
-
- if (!numeric) {
- for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
- if (TOS_values[i].TOS == tos) {
- printf("%s ", TOS_values[i].name);
- return;
- }
- }
- printf("0x%02x ", tos);
-}
-
-/* Final check; must have specified --tos. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "TOS match: You must specify `--tos'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_tos_info *info = (const struct ipt_tos_info *)match->data;
-
- printf("TOS match ");
- if (info->invert)
- printf("!");
- print_tos(info->tos, numeric);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_tos_info *info = (const struct ipt_tos_info *)match->data;
-
- if (info->invert)
- printf("! ");
- printf("--tos ");
- print_tos(info->tos, 0);
-}
-
-static struct iptables_match tos = {
- .next = NULL,
- .name = "tos",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_tos_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_tos_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_2tos_init(void)
-{
- register_match(&tos);
-}
diff --git a/extensions/libipt_2ttl.c b/extensions/libipt_2ttl.c
deleted file mode 100644
index 5e16713..0000000
--- a/extensions/libipt_2ttl.c
+++ /dev/null
@@ -1,172 +0,0 @@
-/* Shared library add-on to iptables to add TTL matching support
- * (C) 2000 by Harald Welte <laforge@gnumonks.org>
- *
- * $Id: libipt_ttl.c 4544 2005-11-18 17:59:56Z /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org $
- *
- * This program is released under the terms of GNU GPL */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_2ttl.h>
-
-static void help(void)
-{
- printf(
-"TTL match v%s options:\n"
-" --ttl-eq value Match time to live value\n"
-" --ttl-lt value Match TTL < value\n"
-" --ttl-gt value Match TTL > value\n"
-, IPTABLES_VERSION);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry, unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_ttl_info *info = (struct ipt_ttl_info *) (*match)->data;
- unsigned int value;
-
- check_inverse(optarg, &invert, &optind, 0);
-
- switch (c) {
- case '2':
- if (string_to_number(optarg, 0, 255, &value) == -1)
- exit_error(PARAMETER_PROBLEM,
- "ttl: Expected value between 0 and 255");
-
- if (invert)
- info->mode = IPT_TTL_NE;
- else
- info->mode = IPT_TTL_EQ;
-
- /* is 0 allowed? */
- info->ttl = value;
- break;
- case '3':
- if (string_to_number(optarg, 0, 255, &value) == -1)
- exit_error(PARAMETER_PROBLEM,
- "ttl: Expected value between 0 and 255");
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "ttl: unexpected `!'");
-
- info->mode = IPT_TTL_LT;
- info->ttl = value;
- break;
- case '4':
- if (string_to_number(optarg, 0, 255, &value) == -1)
- exit_error(PARAMETER_PROBLEM,
- "ttl: Expected value between 0 and 255");
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "ttl: unexpected `!'");
-
- info->mode = IPT_TTL_GT;
- info->ttl = value;
- break;
- default:
- return 0;
-
- }
-
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify TTL option twice");
- *flags = 1;
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "TTL match: You must specify one of "
- "`--ttl-eq', `--ttl-lt', `--ttl-gt");
-}
-
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_ttl_info *info =
- (struct ipt_ttl_info *) match->data;
-
- printf("TTL match ");
- switch (info->mode) {
- case IPT_TTL_EQ:
- printf("TTL == ");
- break;
- case IPT_TTL_NE:
- printf("TTL != ");
- break;
- case IPT_TTL_LT:
- printf("TTL < ");
- break;
- case IPT_TTL_GT:
- printf("TTL > ");
- break;
- }
- printf("%u ", info->ttl);
-}
-
-static void save(const struct ipt_ip *ip,
- const struct ipt_entry_match *match)
-{
- const struct ipt_ttl_info *info =
- (struct ipt_ttl_info *) match->data;
-
- switch (info->mode) {
- case IPT_TTL_EQ:
- printf("--ttl-eq ");
- break;
- case IPT_TTL_NE:
- printf("! --ttl-eq ");
- break;
- case IPT_TTL_LT:
- printf("--ttl-lt ");
- break;
- case IPT_TTL_GT:
- printf("--ttl-gt ");
- break;
- default:
- /* error */
- break;
- }
- printf("%u ", info->ttl);
-}
-
-static struct option opts[] = {
- { "ttl", 1, 0, '2' },
- { "ttl-eq", 1, 0, '2'},
- { "ttl-lt", 1, 0, '3'},
- { "ttl-gt", 1, 0, '4'},
- { 0 }
-};
-
-static struct iptables_match ttl = {
- .next = NULL,
- .name = "ttl",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_ttl_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_ttl_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-
-void ipt_2ttl_init(void)
-{
- register_match(&ttl);
-}
diff --git a/extensions/libipt_CLASSIFY.c b/extensions/libipt_CLASSIFY.c
deleted file mode 100644
index 8fad60b..0000000
--- a/extensions/libipt_CLASSIFY.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/* Shared library add-on to iptables to add CLASSIFY target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_CLASSIFY.h>
-#include <linux/types.h>
-#include <linux/pkt_sched.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"CLASSIFY target v%s options:\n"
-" --set-class [MAJOR:MINOR] Set skb->priority value\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "set-class", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-int string_to_priority(const char *s, unsigned int *p)
-{
- unsigned int i, j;
-
- if (sscanf(s, "%x:%x", &i, &j) != 2)
- return 1;
-
- *p = TC_H_MAKE(i<<16, j);
- return 0;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_classify_target_info *clinfo
- = (struct ipt_classify_target_info *)(*target)->data;
-
- switch (c) {
- case '1':
- if (string_to_priority(optarg, &clinfo->priority))
- exit_error(PARAMETER_PROBLEM,
- "Bad class value `%s'", optarg);
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "CLASSIFY: Can't specify --set-class twice");
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "CLASSIFY: Parameter --set-class is required");
-}
-
-static void
-print_class(unsigned int priority, int numeric)
-{
- printf("%x:%x ", TC_H_MAJ(priority)>>16, TC_H_MIN(priority));
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_classify_target_info *clinfo =
- (const struct ipt_classify_target_info *)target->data;
- printf("CLASSIFY set ");
- print_class(clinfo->priority, numeric);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_classify_target_info *clinfo =
- (const struct ipt_classify_target_info *)target->data;
-
- printf("--set-class %.4x:%.4x ",
- TC_H_MAJ(clinfo->priority)>>16, TC_H_MIN(clinfo->priority));
-}
-
-static struct iptables_target classify = {
- .next = NULL,
- .name = "CLASSIFY",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_classify_target_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_classify_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_CLASSIFY_init(void)
-{
- register_target(&classify);
-}
diff --git a/extensions/libipt_CLASSIFY.man b/extensions/libipt_CLASSIFY.man
deleted file mode 100644
index 393c329..0000000
--- a/extensions/libipt_CLASSIFY.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module allows you to set the skb->priority value (and thus classify the packet into a specific CBQ class).
-.TP
-.BI "--set-class " "MAJOR:MINOR"
-Set the major and minor class value.
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
deleted file mode 100644
index 1ab77cc..0000000
--- a/extensions/libipt_CLUSTERIP.c
+++ /dev/null
@@ -1,268 +0,0 @@
-/* Shared library add-on to iptables to add CLUSTERIP target support.
- * (C) 2003 by Harald Welte <laforge@gnumonks.org>
- *
- * Development of this code was funded by SuSE AG, http://www.suse.com/
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <stddef.h>
-
-#if defined(__GLIBC__) && __GLIBC__ == 2
-#include <net/ethernet.h>
-#else
-#include <linux/if_ether.h>
-#endif
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "../include/linux/netfilter_ipv4/ipt_CLUSTERIP.h"
-
-static void
-help(void)
-{
- printf(
-"CLUSTERIP target v%s options:\n"
-" --new Create a new ClusterIP\n"
-" --hashmode <mode> Specify hashing mode\n"
-" sourceip\n"
-" sourceip-sourceport\n"
-" sourceip-sourceport-destport\n"
-" --clustermac <mac> Set clusterIP MAC address\n"
-" --total-nodes <num> Set number of total nodes in cluster\n"
-" --local-node <num> Set the local node number\n"
-" --hash-init <num> Set init value of the Jenkins hash\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-#define PARAM_NEW 0x0001
-#define PARAM_HMODE 0x0002
-#define PARAM_MAC 0x0004
-#define PARAM_TOTALNODE 0x0008
-#define PARAM_LOCALNODE 0x0010
-#define PARAM_HASHINIT 0x0020
-
-static struct option opts[] = {
- { "new", 0, 0, '1' },
- { "hashmode", 1, 0, '2' },
- { "clustermac", 1, 0, '3' },
- { "total-nodes", 1, 0, '4' },
- { "local-node", 1, 0, '5' },
- { "hash-init", 1, 0, '6' },
- { 0 }
-};
-
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void
-parse_mac(const char *mac, char *macbuf)
-{
- unsigned int i = 0;
-
- if (strlen(mac) != ETH_ALEN*3-1)
- exit_error(PARAMETER_PROBLEM, "Bad mac address `%s'", mac);
-
- for (i = 0; i < ETH_ALEN; i++) {
- long number;
- char *end;
-
- number = strtol(mac + i*3, &end, 16);
-
- if (end == mac + i*3 + 2
- && number >= 0
- && number <= 255)
- macbuf[i] = number;
- else
- exit_error(PARAMETER_PROBLEM,
- "Bad mac address `%s'", mac);
- }
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_clusterip_tgt_info *cipinfo
- = (struct ipt_clusterip_tgt_info *)(*target)->data;
-
- switch (c) {
- unsigned int num;
- case '1':
- cipinfo->flags |= CLUSTERIP_FLAG_NEW;
- if (*flags & PARAM_NEW)
- exit_error(PARAMETER_PROBLEM, "Can only specify `--new' once\n");
- *flags |= PARAM_NEW;
- break;
- case '2':
- if (!(*flags & PARAM_NEW))
- exit_error(PARAMETER_PROBLEM, "Can only specify hashmode combined with `--new'\n");
- if (*flags & PARAM_HMODE)
- exit_error(PARAMETER_PROBLEM, "Can only specify hashmode once\n");
- if (!strcmp(optarg, "sourceip"))
- cipinfo->hash_mode = CLUSTERIP_HASHMODE_SIP;
- else if (!strcmp(optarg, "sourceip-sourceport"))
- cipinfo->hash_mode = CLUSTERIP_HASHMODE_SIP_SPT;
- else if (!strcmp(optarg, "sourceip-sourceport-destport"))
- cipinfo->hash_mode = CLUSTERIP_HASHMODE_SIP_SPT_DPT;
- else
- exit_error(PARAMETER_PROBLEM, "Unknown hashmode `%s'\n",
- optarg);
- *flags |= PARAM_HMODE;
- break;
- case '3':
- if (!(*flags & PARAM_NEW))
- exit_error(PARAMETER_PROBLEM, "Can only specify MAC combined with `--new'\n");
- if (*flags & PARAM_MAC)
- exit_error(PARAMETER_PROBLEM, "Can only specify MAC once\n");
- parse_mac(optarg, (char *)cipinfo->clustermac);
- if (!(cipinfo->clustermac[0] & 0x01))
- exit_error(PARAMETER_PROBLEM, "MAC has to be a multicast ethernet address\n");
- *flags |= PARAM_MAC;
- break;
- case '4':
- if (!(*flags & PARAM_NEW))
- exit_error(PARAMETER_PROBLEM, "Can only specify node number combined with `--new'\n");
- if (*flags & PARAM_TOTALNODE)
- exit_error(PARAMETER_PROBLEM, "Can only specify total node number once\n");
- if (string_to_number(optarg, 1, CLUSTERIP_MAX_NODES, &num) < 0)
- exit_error(PARAMETER_PROBLEM, "Unable to parse `%s'\n", optarg);
- cipinfo->num_total_nodes = (u_int16_t)num;
- *flags |= PARAM_TOTALNODE;
- break;
- case '5':
- if (!(*flags & PARAM_NEW))
- exit_error(PARAMETER_PROBLEM, "Can only specify node number combined with `--new'\n");
- if (*flags & PARAM_LOCALNODE)
- exit_error(PARAMETER_PROBLEM, "Can only specify local node number once\n");
- if (string_to_number(optarg, 1, CLUSTERIP_MAX_NODES, &num) < 0)
- exit_error(PARAMETER_PROBLEM, "Unable to parse `%s'\n", optarg);
- cipinfo->num_local_nodes = 1;
- cipinfo->local_nodes[0] = (u_int16_t)num;
- *flags |= PARAM_LOCALNODE;
- break;
- case '6':
- if (!(*flags & PARAM_NEW))
- exit_error(PARAMETER_PROBLEM, "Can only specify hash init value combined with `--new'\n");
- if (*flags & PARAM_HASHINIT)
- exit_error(PARAMETER_PROBLEM, "Can specify hash init value only once\n");
- if (string_to_number(optarg, 0, UINT_MAX, &num) < 0)
- exit_error(PARAMETER_PROBLEM, "Unable to parse `%s'\n", optarg);
- cipinfo->hash_initval = num;
- *flags |= PARAM_HASHINIT;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (flags == 0)
- return;
-
- if ((flags & (PARAM_NEW|PARAM_HMODE|PARAM_MAC|PARAM_TOTALNODE|PARAM_LOCALNODE))
- == (PARAM_NEW|PARAM_HMODE|PARAM_MAC|PARAM_TOTALNODE|PARAM_LOCALNODE))
- return;
-
- exit_error(PARAMETER_PROBLEM, "CLUSTERIP target: Invalid parameter combination\n");
-}
-
-static char *hashmode2str(enum clusterip_hashmode mode)
-{
- char *retstr;
- switch (mode) {
- case CLUSTERIP_HASHMODE_SIP:
- retstr = "sourceip";
- break;
- case CLUSTERIP_HASHMODE_SIP_SPT:
- retstr = "sourceip-sourceport";
- break;
- case CLUSTERIP_HASHMODE_SIP_SPT_DPT:
- retstr = "sourceip-sourceport-destport";
- break;
- default:
- retstr = "unknown-error";
- break;
- }
- return retstr;
-}
-
-static char *mac2str(const u_int8_t mac[ETH_ALEN])
-{
- static char buf[ETH_ALEN*3];
- sprintf(buf, "%02X:%02X:%02X:%02X:%02X:%02X",
- mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
- return buf;
-}
-
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_clusterip_tgt_info *cipinfo =
- (const struct ipt_clusterip_tgt_info *)target->data;
-
- if (!cipinfo->flags & CLUSTERIP_FLAG_NEW) {
- printf("CLUSTERIP");
- return;
- }
-
- printf("CLUSTERIP hashmode=%s clustermac=%s total_nodes=%u local_node=%u hash_init=%u",
- hashmode2str(cipinfo->hash_mode),
- mac2str(cipinfo->clustermac),
- cipinfo->num_total_nodes,
- cipinfo->local_nodes[0],
- cipinfo->hash_initval);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_clusterip_tgt_info *cipinfo =
- (const struct ipt_clusterip_tgt_info *)target->data;
-
- /* if this is not a new entry, we don't need to save target
- * parameters */
- if (!cipinfo->flags & CLUSTERIP_FLAG_NEW)
- return;
-
- printf("--new --hashmode %s --clustermac %s --total-nodes %d --local-node %d --hash-init %u",
- hashmode2str(cipinfo->hash_mode),
- mac2str(cipinfo->clustermac),
- cipinfo->num_total_nodes,
- cipinfo->local_nodes[0],
- cipinfo->hash_initval);
-}
-
-static struct iptables_target clusterip = {
- .next = NULL,
- .name = "CLUSTERIP",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info)),
- .userspacesize = offsetof(struct ipt_clusterip_tgt_info, config),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_CLUSTERIP_init(void)
-{
- register_target(&clusterip);
-}
diff --git a/extensions/libipt_CLUSTERIP.man b/extensions/libipt_CLUSTERIP.man
deleted file mode 100644
index 8e766f3..0000000
--- a/extensions/libipt_CLUSTERIP.man
+++ /dev/null
@@ -1,24 +0,0 @@
-This module allows you to configure a simple cluster of nodes that share
-a certain IP and MAC address without an explicit load balancer in front of
-them. Connections are statically distributed between the nodes in this
-cluster.
-.TP
-.BI "--new "
-Create a new ClusterIP. You always have to set this on the first rule
-for a given ClusterIP.
-.TP
-.BI "--hashmode " "mode"
-Specify the hashing mode. Has to be one of
-.B sourceip, sourceip-sourceport, sourceip-sourceport-destport
-.TP
-.BI "--clustermac " "mac"
-Specify the ClusterIP MAC address. Has to be a link-layer multicast address
-.TP
-.BI "--total-nodes " "num"
-Number of total nodes within this cluster.
-.TP
-.BI "--local-node " "num"
-Local node number within this cluster.
-.TP
-.BI "--hash-init " "rnd"
-Specify the random seed used for hash initialization.
diff --git a/extensions/libipt_CONNMARK.c b/extensions/libipt_CONNMARK.c
deleted file mode 100644
index 30dc4b0..0000000
--- a/extensions/libipt_CONNMARK.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/* Shared library add-on to iptables to add CONNMARK target support.
- *
- * (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * Version 1.1
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "../include/linux/netfilter_ipv4/ipt_CONNMARK.h"
-
-#if 0
-struct markinfo {
- struct ipt_entry_target t;
- struct ipt_connmark_target_info mark;
-};
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"CONNMARK target v%s options:\n"
-" --set-mark value[/mask] Set conntrack mark value\n"
-" --save-mark [--mask mask] Save the packet nfmark in the connection\n"
-" --restore-mark [--mask mask] Restore saved nfmark value\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "set-mark", 1, 0, '1' },
- { "save-mark", 0, 0, '2' },
- { "restore-mark", 0, 0, '3' },
- { "mask", 1, 0, '4' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_connmark_target_info *markinfo
- = (struct ipt_connmark_target_info *)(*target)->data;
-
- markinfo->mask = 0xffffffffUL;
-
- switch (c) {
- char *end;
- case '1':
- markinfo->mode = IPT_CONNMARK_SET;
-
- markinfo->mark = strtoul(optarg, &end, 0);
- if (*end == '/' && end[1] != '\0')
- markinfo->mask = strtoul(end+1, &end, 0);
-
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --set-mark twice");
- *flags = 1;
- break;
- case '2':
- markinfo->mode = IPT_CONNMARK_SAVE;
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --save-mark twice");
- *flags = 1;
- break;
- case '3':
- markinfo->mode = IPT_CONNMARK_RESTORE;
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --restore-mark twice");
- *flags = 1;
- break;
- case '4':
- if (!*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --mask without a operation");
- markinfo->mask = strtoul(optarg, &end, 0);
-
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MASK value `%s'", optarg);
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: No operation specified");
-}
-
-static void
-print_mark(unsigned long mark)
-{
- printf("0x%lx", mark);
-}
-
-static void
-print_mask(const char *text, unsigned long mask)
-{
- if (mask != 0xffffffffUL)
- printf("%s0x%lx", text, mask);
-}
-
-
-/* Prints out the target info. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_connmark_target_info *markinfo =
- (const struct ipt_connmark_target_info *)target->data;
- switch (markinfo->mode) {
- case IPT_CONNMARK_SET:
- printf("CONNMARK set ");
- print_mark(markinfo->mark);
- print_mask("/", markinfo->mask);
- printf(" ");
- break;
- case IPT_CONNMARK_SAVE:
- printf("CONNMARK save ");
- print_mask("mask ", markinfo->mask);
- printf(" ");
- break;
- case IPT_CONNMARK_RESTORE:
- printf("CONNMARK restore ");
- print_mask("mask ", markinfo->mask);
- break;
- default:
- printf("ERROR: UNKNOWN CONNMARK MODE ");
- break;
- }
-}
-
-/* Saves the target into in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_connmark_target_info *markinfo =
- (const struct ipt_connmark_target_info *)target->data;
-
- switch (markinfo->mode) {
- case IPT_CONNMARK_SET:
- printf("--set-mark ");
- print_mark(markinfo->mark);
- print_mask("/", markinfo->mask);
- printf(" ");
- break;
- case IPT_CONNMARK_SAVE:
- printf("--save-mark ");
- print_mask("--mask ", markinfo->mask);
- break;
- case IPT_CONNMARK_RESTORE:
- printf("--restore-mark ");
- print_mask("--mask ", markinfo->mask);
- break;
- default:
- printf("ERROR: UNKNOWN CONNMARK MODE ");
- break;
- }
-}
-
-static struct iptables_target connmark_target = {
- .name = "CONNMARK",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_connmark_target_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_connmark_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_CONNMARK_init(void)
-{
- register_target(&connmark_target);
-}
diff --git a/extensions/libipt_CONNMARK.man b/extensions/libipt_CONNMARK.man
deleted file mode 100644
index 8b4de5a..0000000
--- a/extensions/libipt_CONNMARK.man
+++ /dev/null
@@ -1,15 +0,0 @@
-This module sets the netfilter mark value associated with a connection
-.TP
-.B --set-mark mark[/mask]
-Set connection mark. If a mask is specified then only those bits set in the
-mask is modified.
-.TP
-.B --save-mark [--mask mask]
-Copy the netfilter packet mark value to the connection mark. If a mask
-is specified then only those bits are copied.
-.TP
-.B --restore-mark [--mask mask]
-Copy the connection mark value to the packet. If a mask is specified
-then only those bits are copied. This is only valid in the
-.B mangle
-table.
diff --git a/extensions/libipt_CONNSECMARK.c b/extensions/libipt_CONNSECMARK.c
deleted file mode 100644
index bcd89ea..0000000
--- a/extensions/libipt_CONNSECMARK.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Shared library add-on to iptables to add CONNSECMARK target support.
- *
- * Based on the MARK and CONNMARK targets.
- *
- * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter/xt_CONNSECMARK.h>
-
-#define PFX "CONNSECMARK target: "
-
-static void help(void)
-{
- printf(
-"CONNSECMARK target v%s options:\n"
-" --save Copy security mark from packet to conntrack\n"
-" --restore Copy security mark from connection to packet\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "save", 0, 0, '1' },
- { "restore", 0, 0, '2' },
- { 0 }
-};
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry, struct ipt_entry_target **target)
-{
- struct xt_connsecmark_target_info *info =
- (struct xt_connsecmark_target_info*)(*target)->data;
-
- switch (c) {
- case '1':
- if (*flags & CONNSECMARK_SAVE)
- exit_error(PARAMETER_PROBLEM, PFX
- "Can't specify --save twice");
- info->mode = CONNSECMARK_SAVE;
- *flags |= CONNSECMARK_SAVE;
- break;
-
- case '2':
- if (*flags & CONNSECMARK_RESTORE)
- exit_error(PARAMETER_PROBLEM, PFX
- "Can't specify --restore twice");
- info->mode = CONNSECMARK_RESTORE;
- *flags |= CONNSECMARK_RESTORE;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, PFX "parameter required");
-
- if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE))
- exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save "
- "or --restore is allowed");
-}
-
-static void print_connsecmark(struct xt_connsecmark_target_info *info)
-{
- switch (info->mode) {
- case CONNSECMARK_SAVE:
- printf("save ");
- break;
-
- case CONNSECMARK_RESTORE:
- printf("restore ");
- break;
-
- default:
- exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
- }
-}
-
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target, int numeric)
-{
- struct xt_connsecmark_target_info *info =
- (struct xt_connsecmark_target_info*)(target)->data;
-
- printf("CONNSECMARK ");
- print_connsecmark(info);
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- struct xt_connsecmark_target_info *info =
- (struct xt_connsecmark_target_info*)target->data;
-
- printf("--");
- print_connsecmark(info);
-}
-
-static struct iptables_target connsecmark = {
- .next = NULL,
- .name = "CONNSECMARK",
- .version = IPTABLES_VERSION,
- .revision = 0,
- .size = IPT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
- .parse = &parse,
- .help = &help,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_CONNSECMARK_init(void)
-{
- register_target(&connsecmark);
-}
diff --git a/extensions/libipt_CONNSECMARK.man b/extensions/libipt_CONNSECMARK.man
deleted file mode 100644
index b94353a..0000000
--- a/extensions/libipt_CONNSECMARK.man
+++ /dev/null
@@ -1,15 +0,0 @@
-This module copies security markings from packets to connections
-(if unlabeled), and from connections back to packets (also only
-if unlabeled). Typically used in conjunction with SECMARK, it is
-only valid in the
-.B mangle
-table.
-.TP
-.B --save
-If the packet has a security marking, copy it to the connection
-if the connection is not marked.
-.TP
-.B --restore
-If the packet does not have a security marking, and the connection
-does, copy the security marking from the connection to the packet.
-
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
deleted file mode 100644
index fdc2115..0000000
--- a/extensions/libipt_DNAT.c
+++ /dev/null
@@ -1,250 +0,0 @@
-/* Shared library add-on to iptables to add destination-NAT support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-#include <netinet/in.h>
-
-/* Dest NAT data consists of a multi-range, indicating where to map
- to. */
-struct ipt_natinfo
-{
- struct ipt_entry_target t;
- struct ip_nat_multi_range mr;
-};
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"DNAT v%s options:\n"
-" --to-destination <ipaddr>[-<ipaddr>][:port-port]\n"
-" Address to map destination to.\n"
-" (You can use this more than once)\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "to-destination", 1, 0, '1' },
- { 0 }
-};
-
-static struct ipt_natinfo *
-append_range(struct ipt_natinfo *info, const struct ip_nat_range *range)
-{
- unsigned int size;
-
- /* One rangesize already in struct ipt_natinfo */
- size = IPT_ALIGN(sizeof(*info) + info->mr.rangesize * sizeof(*range));
-
- info = realloc(info, size);
- if (!info)
- exit_error(OTHER_PROBLEM, "Out of memory\n");
-
- info->t.u.target_size = size;
- info->mr.range[info->mr.rangesize] = *range;
- info->mr.rangesize++;
-
- return info;
-}
-
-/* Ranges expected in network order. */
-static struct ipt_entry_target *
-parse_to(char *arg, int portok, struct ipt_natinfo *info)
-{
- struct ip_nat_range range;
- char *colon, *dash, *error;
- struct in_addr *ip;
-
- memset(&range, 0, sizeof(range));
- colon = strchr(arg, ':');
-
- if (colon) {
- int port;
-
- if (!portok)
- exit_error(PARAMETER_PROBLEM,
- "Need TCP or UDP with port specification");
-
- range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
-
- port = atoi(colon+1);
- if (port <= 0 || port > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", colon+1);
-
- error = strchr(colon+1, ':');
- if (error)
- exit_error(PARAMETER_PROBLEM,
- "Invalid port:port syntax - use dash\n");
-
- dash = strchr(colon, '-');
- if (!dash) {
- range.min.tcp.port
- = range.max.tcp.port
- = htons(port);
- } else {
- int maxport;
-
- maxport = atoi(dash + 1);
- if (maxport <= 0 || maxport > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", dash+1);
- if (maxport < port)
- /* People are stupid. */
- exit_error(PARAMETER_PROBLEM,
- "Port range `%s' funky\n", colon+1);
- range.min.tcp.port = htons(port);
- range.max.tcp.port = htons(maxport);
- }
- /* Starts with a colon? No IP info...*/
- if (colon == arg)
- return &(append_range(info, &range)->t);
- *colon = '\0';
- }
-
- range.flags |= IP_NAT_RANGE_MAP_IPS;
- dash = strchr(arg, '-');
- if (colon && dash && dash > colon)
- dash = NULL;
-
- if (dash)
- *dash = '\0';
-
- ip = dotted_to_addr(arg);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- arg);
- range.min_ip = ip->s_addr;
- if (dash) {
- ip = dotted_to_addr(dash+1);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- dash+1);
- range.max_ip = ip->s_addr;
- } else
- range.max_ip = range.min_ip;
-
- return &(append_range(info, &range)->t);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_natinfo *info = (void *)*target;
- int portok;
-
- if (entry->ip.proto == IPPROTO_TCP
- || entry->ip.proto == IPPROTO_UDP
- || entry->ip.proto == IPPROTO_ICMP)
- portok = 1;
- else
- portok = 0;
-
- switch (c) {
- case '1':
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --to-destination");
-
- if (*flags) {
- if (!kernel_version)
- get_kernel_version();
- if (kernel_version > LINUX_VERSION(2, 6, 10))
- exit_error(PARAMETER_PROBLEM,
- "Multiple --to-destination not supported");
- }
- *target = parse_to(optarg, portok, info);
- *flags = 1;
- return 1;
-
- default:
- return 0;
- }
-}
-
-/* Final check; must have specfied --to-source. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify --to-destination");
-}
-
-static void print_range(const struct ip_nat_range *r)
-{
- if (r->flags & IP_NAT_RANGE_MAP_IPS) {
- struct in_addr a;
-
- a.s_addr = r->min_ip;
- printf("%s", addr_to_dotted(&a));
- if (r->max_ip != r->min_ip) {
- a.s_addr = r->max_ip;
- printf("-%s", addr_to_dotted(&a));
- }
- }
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
- printf(":");
- printf("%hu", ntohs(r->min.tcp.port));
- if (r->max.tcp.port != r->min.tcp.port)
- printf("-%hu", ntohs(r->max.tcp.port));
- }
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- struct ipt_natinfo *info = (void *)target;
- unsigned int i = 0;
-
- printf("to:");
- for (i = 0; i < info->mr.rangesize; i++) {
- print_range(&info->mr.range[i]);
- printf(" ");
- }
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- struct ipt_natinfo *info = (void *)target;
- unsigned int i = 0;
-
- for (i = 0; i < info->mr.rangesize; i++) {
- printf("--to-destination ");
- print_range(&info->mr.range[i]);
- printf(" ");
- }
-}
-
-static struct iptables_target dnat = {
- .next = NULL,
- .name = "DNAT",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_DNAT_init(void)
-{
- register_target(&dnat);
-}
diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man
deleted file mode 100644
index 366dcb7..0000000
--- a/extensions/libipt_DNAT.man
+++ /dev/null
@@ -1,31 +0,0 @@
-This target is only valid in the
-.B nat
-table, in the
-.B PREROUTING
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. It specifies that the destination address of the packet
-should be modified (and all future packets in this connection will
-also be mangled), and rules should cease being examined. It takes one
-type of option:
-.TP
-.BR "--to-destination " "[\fIipaddr\fP][-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
-which can specify a single new destination IP address, an inclusive
-range of IP addresses, and optionally, a port range (which is only
-valid if the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" ).
-If no port range is specified, then the destination port will never be
-modified. If no IP address is specified then only the destination port
-will be modified.
-.RS
-.PP
-In Kernels up to 2.6.10 you can add several --to-destination options. For
-those kernels, if you specify more than one destination address, either via an
-address range or multiple --to-destination options, a simple round-robin (one
-after another in cycle) load balancing takes place between these addresses.
-Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
-anymore.
-
diff --git a/extensions/libipt_DSCP.c b/extensions/libipt_DSCP.c
deleted file mode 100644
index ca06835..0000000
--- a/extensions/libipt_DSCP.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/* Shared library add-on to iptables for DSCP
- *
- * (C) 2000- 2002 by Matthew G. Marsh <mgm@paktronix.com>,
- * Harald Welte <laforge@gnumonks.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- * libipt_DSCP.c borrowed heavily from libipt_TOS.c
- *
- * --set-class added by Iain Barnes
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_DSCP.h>
-
-/* This is evil, but it's my code - HW*/
-#include "libipt_dscp_helper.c"
-
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
-"DSCP target options\n"
-" --set-dscp value Set DSCP field in packet header to value\n"
-" This value can be in decimal (ex: 32)\n"
-" or in hex (ex: 0x20)\n"
-" --set-dscp-class class Set the DSCP field in packet header to the\n"
-" value represented by the DiffServ class value.\n"
-" This class may be EF,BE or any of the CSxx\n"
-" or AFxx classes.\n"
-"\n"
-" These two options are mutually exclusive !\n"
-);
-}
-
-static struct option opts[] = {
- { "set-dscp", 1, 0, 'F' },
- { "set-dscp-class", 1, 0, 'G' },
- { 0 }
-};
-
-static void
-parse_dscp(const char *s, struct ipt_DSCP_info *dinfo)
-{
- unsigned int dscp;
-
- if (string_to_number(s, 0, 255, &dscp) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid dscp `%s'\n", s);
-
- if (dscp > IPT_DSCP_MAX)
- exit_error(PARAMETER_PROBLEM,
- "DSCP `%d` out of range\n", dscp);
-
- dinfo->dscp = (u_int8_t )dscp;
- return;
-}
-
-
-static void
-parse_class(const char *s, struct ipt_DSCP_info *dinfo)
-{
- unsigned int dscp = class_to_dscp(s);
-
- /* Assign the value */
- dinfo->dscp = (u_int8_t)dscp;
-}
-
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_DSCP_info *dinfo
- = (struct ipt_DSCP_info *)(*target)->data;
-
- switch (c) {
- case 'F':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "DSCP target: Only use --set-dscp ONCE!");
- parse_dscp(optarg, dinfo);
- *flags = 1;
- break;
- case 'G':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "DSCP target: Only use --set-dscp-class ONCE!");
- parse_class(optarg, dinfo);
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "DSCP target: Parameter --set-dscp is required");
-}
-
-static void
-print_dscp(u_int8_t dscp, int numeric)
-{
- printf("0x%02x ", dscp);
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_DSCP_info *dinfo =
- (const struct ipt_DSCP_info *)target->data;
- printf("DSCP set ");
- print_dscp(dinfo->dscp, numeric);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_DSCP_info *dinfo =
- (const struct ipt_DSCP_info *)target->data;
-
- printf("--set-dscp 0x%02x ", dinfo->dscp);
-}
-
-static struct iptables_target dscp = {
- .next = NULL,
- .name = "DSCP",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_DSCP_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_DSCP_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_DSCP_init(void)
-{
- register_target(&dscp);
-}
diff --git a/extensions/libipt_DSCP.man b/extensions/libipt_DSCP.man
deleted file mode 100644
index e8e5cf5..0000000
--- a/extensions/libipt_DSCP.man
+++ /dev/null
@@ -1,9 +0,0 @@
-This target allows to alter the value of the DSCP bits within the TOS
-header of the IPv4 packet. As this manipulates a packet, it can only
-be used in the mangle table.
-.TP
-.BI "--set-dscp " "value"
-Set the DSCP field to a numerical value (can be decimal or hex)
-.TP
-.BI "--set-dscp-class " "class"
-Set the DSCP field to a DiffServ class.
diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
deleted file mode 100644
index 2dfa891..0000000
--- a/extensions/libipt_ECN.c
+++ /dev/null
@@ -1,185 +0,0 @@
-/* Shared library add-on to iptables for ECN, $Version$
- *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- * libipt_ECN.c borrowed heavily from libipt_DSCP.c
- *
- * $Id: libipt_ECN.c 3507 2004-12-28 13:11:59Z /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=rusty/emailAddress=rusty@netfilter.org $
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ECN.h>
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
-"ECN target v%s options\n"
-" --ecn-tcp-remove Remove all ECN bits from TCP header\n",
- IPTABLES_VERSION);
-}
-
-#if 0
-"ECN target v%s EXPERIMENTAL options (use with extreme care!)\n"
-" --ecn-ip-ect Set the IPv4 ECT codepoint (0 to 3)\n"
-" --ecn-tcp-cwr Set the IPv4 CWR bit (0 or 1)\n"
-" --ecn-tcp-ece Set the IPv4 ECE bit (0 or 1)\n",
-#endif
-
-
-static struct option opts[] = {
- { "ecn-tcp-remove", 0, 0, 'F' },
- { "ecn-tcp-cwr", 1, 0, 'G' },
- { "ecn-tcp-ece", 1, 0, 'H' },
- { "ecn-ip-ect", 1, 0, '9' },
- { 0 }
-};
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- unsigned int result;
- struct ipt_ECN_info *einfo
- = (struct ipt_ECN_info *)(*target)->data;
-
- switch (c) {
- case 'F':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "ECN target: Only use --ecn-tcp-remove ONCE!");
- einfo->operation = IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR;
- einfo->proto.tcp.ece = 0;
- einfo->proto.tcp.cwr = 0;
- *flags = 1;
- break;
- case 'G':
- if (*flags & IPT_ECN_OP_SET_CWR)
- exit_error(PARAMETER_PROBLEM,
- "ECN target: Only use --ecn-tcp-cwr ONCE!");
- if (string_to_number(optarg, 0, 1, &result))
- exit_error(PARAMETER_PROBLEM,
- "ECN target: Value out of range");
- einfo->operation |= IPT_ECN_OP_SET_CWR;
- einfo->proto.tcp.cwr = result;
- *flags |= IPT_ECN_OP_SET_CWR;
- break;
- case 'H':
- if (*flags & IPT_ECN_OP_SET_ECE)
- exit_error(PARAMETER_PROBLEM,
- "ECN target: Only use --ecn-tcp-ece ONCE!");
- if (string_to_number(optarg, 0, 1, &result))
- exit_error(PARAMETER_PROBLEM,
- "ECN target: Value out of range");
- einfo->operation |= IPT_ECN_OP_SET_ECE;
- einfo->proto.tcp.ece = result;
- *flags |= IPT_ECN_OP_SET_ECE;
- break;
- case '9':
- if (*flags & IPT_ECN_OP_SET_IP)
- exit_error(PARAMETER_PROBLEM,
- "ECN target: Only use --ecn-ip-ect ONCE!");
- if (string_to_number(optarg, 0, 3, &result))
- exit_error(PARAMETER_PROBLEM,
- "ECN target: Value out of range");
- einfo->operation |= IPT_ECN_OP_SET_IP;
- einfo->ip_ect = result;
- *flags |= IPT_ECN_OP_SET_IP;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "ECN target: Parameter --ecn-tcp-remove is required");
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_ECN_info *einfo =
- (const struct ipt_ECN_info *)target->data;
-
- printf("ECN ");
-
- if (einfo->operation == (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)
- && einfo->proto.tcp.ece == 0
- && einfo->proto.tcp.cwr == 0)
- printf("TCP remove ");
- else {
- if (einfo->operation & IPT_ECN_OP_SET_ECE)
- printf("ECE=%u ", einfo->proto.tcp.ece);
-
- if (einfo->operation & IPT_ECN_OP_SET_CWR)
- printf("CWR=%u ", einfo->proto.tcp.cwr);
-
- if (einfo->operation & IPT_ECN_OP_SET_IP)
- printf("ECT codepoint=%u ", einfo->ip_ect);
- }
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_ECN_info *einfo =
- (const struct ipt_ECN_info *)target->data;
-
- if (einfo->operation == (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)
- && einfo->proto.tcp.ece == 0
- && einfo->proto.tcp.cwr == 0)
- printf("--ecn-tcp-remove ");
- else {
-
- if (einfo->operation & IPT_ECN_OP_SET_ECE)
- printf("--ecn-tcp-ece %d ", einfo->proto.tcp.ece);
-
- if (einfo->operation & IPT_ECN_OP_SET_CWR)
- printf("--ecn-tcp-cwr %d ", einfo->proto.tcp.cwr);
-
- if (einfo->operation & IPT_ECN_OP_SET_IP)
- printf("--ecn-ip-ect %d ", einfo->ip_ect);
- }
-}
-
-static
-struct iptables_target ecn = {
- .next = NULL,
- .name = "ECN",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_ECN_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_ECN_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_ECN_init(void)
-{
- register_target(&ecn);
-}
diff --git a/extensions/libipt_ECN.man b/extensions/libipt_ECN.man
deleted file mode 100644
index 3668490..0000000
--- a/extensions/libipt_ECN.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This target allows to selectively work around known ECN blackholes.
-It can only be used in the mangle table.
-.TP
-.BI "--ecn-tcp-remove"
-Remove all ECN bits from the TCP header. Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
deleted file mode 100644
index 7d3fd82..0000000
--- a/extensions/libipt_LOG.c
+++ /dev/null
@@ -1,290 +0,0 @@
-/* Shared library add-on to iptables to add LOG support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_LOG.h>
-
-#define LOG_DEFAULT_LEVEL LOG_WARNING
-
-#ifndef IPT_LOG_UID /* Old kernel */
-#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
-#undef IPT_LOG_MASK
-#define IPT_LOG_MASK 0x0f
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"LOG v%s options:\n"
-" --log-level level Level of logging (numeric or see syslog.conf)\n"
-" --log-prefix prefix Prefix log messages with this prefix.\n\n"
-" --log-tcp-sequence Log TCP sequence numbers.\n\n"
-" --log-tcp-options Log TCP options.\n\n"
-" --log-ip-options Log IP options.\n\n"
-" --log-uid Log UID owning the local socket.\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "log-level", .has_arg = 1, .flag = 0, .val = '!' },
- { .name = "log-prefix", .has_arg = 1, .flag = 0, .val = '#' },
- { .name = "log-tcp-sequence", .has_arg = 0, .flag = 0, .val = '1' },
- { .name = "log-tcp-options", .has_arg = 0, .flag = 0, .val = '2' },
- { .name = "log-ip-options", .has_arg = 0, .flag = 0, .val = '3' },
- { .name = "log-uid", .has_arg = 0, .flag = 0, .val = '4' },
- { .name = 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ipt_log_info *loginfo = (struct ipt_log_info *)t->data;
-
- loginfo->level = LOG_DEFAULT_LEVEL;
-
-}
-
-struct ipt_log_names {
- const char *name;
- unsigned int level;
-};
-
-static struct ipt_log_names ipt_log_names[]
-= { { .name = "alert", .level = LOG_ALERT },
- { .name = "crit", .level = LOG_CRIT },
- { .name = "debug", .level = LOG_DEBUG },
- { .name = "emerg", .level = LOG_EMERG },
- { .name = "error", .level = LOG_ERR }, /* DEPRECATED */
- { .name = "info", .level = LOG_INFO },
- { .name = "notice", .level = LOG_NOTICE },
- { .name = "panic", .level = LOG_EMERG }, /* DEPRECATED */
- { .name = "warning", .level = LOG_WARNING }
-};
-
-static u_int8_t
-parse_level(const char *level)
-{
- unsigned int lev = -1;
- unsigned int set = 0;
-
- if (string_to_number(level, 0, 7, &lev) == -1) {
- unsigned int i = 0;
-
- for (i = 0;
- i < sizeof(ipt_log_names) / sizeof(struct ipt_log_names);
- i++) {
- if (strncasecmp(level, ipt_log_names[i].name,
- strlen(level)) == 0) {
- if (set++)
- exit_error(PARAMETER_PROBLEM,
- "log-level `%s' ambiguous",
- level);
- lev = ipt_log_names[i].level;
- }
- }
-
- if (!set)
- exit_error(PARAMETER_PROBLEM,
- "log-level `%s' unknown", level);
- }
-
- return (u_int8_t)lev;
-}
-
-#define IPT_LOG_OPT_LEVEL 0x01
-#define IPT_LOG_OPT_PREFIX 0x02
-#define IPT_LOG_OPT_TCPSEQ 0x04
-#define IPT_LOG_OPT_TCPOPT 0x08
-#define IPT_LOG_OPT_IPOPT 0x10
-#define IPT_LOG_OPT_UID 0x20
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_log_info *loginfo = (struct ipt_log_info *)(*target)->data;
-
- switch (c) {
- case '!':
- if (*flags & IPT_LOG_OPT_LEVEL)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-level twice");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --log-level");
-
- loginfo->level = parse_level(optarg);
- *flags |= IPT_LOG_OPT_LEVEL;
- break;
-
- case '#':
- if (*flags & IPT_LOG_OPT_PREFIX)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-prefix twice");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --log-prefix");
-
- if (strlen(optarg) > sizeof(loginfo->prefix) - 1)
- exit_error(PARAMETER_PROBLEM,
- "Maximum prefix length %u for --log-prefix",
- (unsigned int)sizeof(loginfo->prefix) - 1);
-
- if (strlen(optarg) == 0)
- exit_error(PARAMETER_PROBLEM,
- "No prefix specified for --log-prefix");
-
- if (strlen(optarg) != strlen(strtok(optarg, "\n")))
- exit_error(PARAMETER_PROBLEM,
- "Newlines not allowed in --log-prefix");
-
- strcpy(loginfo->prefix, optarg);
- *flags |= IPT_LOG_OPT_PREFIX;
- break;
-
- case '1':
- if (*flags & IPT_LOG_OPT_TCPSEQ)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-tcp-sequence "
- "twice");
-
- loginfo->logflags |= IPT_LOG_TCPSEQ;
- *flags |= IPT_LOG_OPT_TCPSEQ;
- break;
-
- case '2':
- if (*flags & IPT_LOG_OPT_TCPOPT)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-tcp-options twice");
-
- loginfo->logflags |= IPT_LOG_TCPOPT;
- *flags |= IPT_LOG_OPT_TCPOPT;
- break;
-
- case '3':
- if (*flags & IPT_LOG_OPT_IPOPT)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-ip-options twice");
-
- loginfo->logflags |= IPT_LOG_IPOPT;
- *flags |= IPT_LOG_OPT_IPOPT;
- break;
-
- case '4':
- if (*flags & IPT_LOG_OPT_UID)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --log-uid twice");
-
- loginfo->logflags |= IPT_LOG_UID;
- *flags |= IPT_LOG_OPT_UID;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_log_info *loginfo
- = (const struct ipt_log_info *)target->data;
- unsigned int i = 0;
-
- printf("LOG ");
- if (numeric)
- printf("flags %u level %u ",
- loginfo->logflags, loginfo->level);
- else {
- for (i = 0;
- i < sizeof(ipt_log_names) / sizeof(struct ipt_log_names);
- i++) {
- if (loginfo->level == ipt_log_names[i].level) {
- printf("level %s ", ipt_log_names[i].name);
- break;
- }
- }
- if (i == sizeof(ipt_log_names) / sizeof(struct ipt_log_names))
- printf("UNKNOWN level %u ", loginfo->level);
- if (loginfo->logflags & IPT_LOG_TCPSEQ)
- printf("tcp-sequence ");
- if (loginfo->logflags & IPT_LOG_TCPOPT)
- printf("tcp-options ");
- if (loginfo->logflags & IPT_LOG_IPOPT)
- printf("ip-options ");
- if (loginfo->logflags & IPT_LOG_UID)
- printf("uid ");
- if (loginfo->logflags & ~(IPT_LOG_MASK))
- printf("unknown-flags ");
- }
-
- if (strcmp(loginfo->prefix, "") != 0)
- printf("prefix `%s' ", loginfo->prefix);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_log_info *loginfo
- = (const struct ipt_log_info *)target->data;
-
- if (strcmp(loginfo->prefix, "") != 0)
- printf("--log-prefix \"%s\" ", loginfo->prefix);
-
- if (loginfo->level != LOG_DEFAULT_LEVEL)
- printf("--log-level %d ", loginfo->level);
-
- if (loginfo->logflags & IPT_LOG_TCPSEQ)
- printf("--log-tcp-sequence ");
- if (loginfo->logflags & IPT_LOG_TCPOPT)
- printf("--log-tcp-options ");
- if (loginfo->logflags & IPT_LOG_IPOPT)
- printf("--log-ip-options ");
- if (loginfo->logflags & IPT_LOG_UID)
- printf("--log-uid ");
-}
-
-static
-struct iptables_target log
-= {
- .name = "LOG",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_log_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_log_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_LOG_init(void)
-{
- register_target(&log);
-}
diff --git a/extensions/libipt_LOG.man b/extensions/libipt_LOG.man
deleted file mode 100644
index 597ba3f..0000000
--- a/extensions/libipt_LOG.man
+++ /dev/null
@@ -1,31 +0,0 @@
-Turn on kernel logging of matching packets. When this option is set
-for a rule, the Linux kernel will print some information on all
-matching packets (like most IP header fields) via the kernel log
-(where it can be read with
-.I dmesg
-or
-.IR syslogd (8)).
-This is a "non-terminating target", i.e. rule traversal continues at
-the next rule. So if you want to LOG the packets you refuse, use two
-separate rules with the same matching criteria, first using target LOG
-then DROP (or REJECT).
-.TP
-.BI "--log-level " "level"
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
-.TP
-.BI "--log-prefix " "prefix"
-Prefix log messages with the specified prefix; up to 29 letters long,
-and useful for distinguishing messages in the logs.
-.TP
-.B --log-tcp-sequence
-Log TCP sequence numbers. This is a security risk if the log is
-readable by users.
-.TP
-.B --log-tcp-options
-Log options from the TCP packet header.
-.TP
-.B --log-ip-options
-Log options from the IP packet header.
-.TP
-.B --log-uid
-Log the userid of the process which generated the packet.
diff --git a/extensions/libipt_MARK.c b/extensions/libipt_MARK.c
deleted file mode 100644
index ca2fe58..0000000
--- a/extensions/libipt_MARK.c
+++ /dev/null
@@ -1,243 +0,0 @@
-/* Shared library add-on to iptables to add MARK target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv4/ipt_MARK.h"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"MARK target v%s options:\n"
-" --set-mark value Set nfmark value\n"
-" --and-mark value Binary AND the nfmark with value\n"
-" --or-mark value Binary OR the nfmark with value\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "set-mark", 1, 0, '1' },
- { "and-mark", 1, 0, '2' },
- { "or-mark", 1, 0, '3' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse_v0(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_mark_target_info *markinfo
- = (struct ipt_mark_target_info *)(*target)->data;
-
- switch (c) {
- case '1':
-#ifdef KERNEL_64_USERSPACE_32
- if (string_to_number_ll(optarg, 0, 0,
- &markinfo->mark))
-#else
- if (string_to_number_l(optarg, 0, 0,
- &markinfo->mark))
-#endif
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "MARK target: Can't specify --set-mark twice");
- *flags = 1;
- break;
- case '2':
- exit_error(PARAMETER_PROBLEM,
- "MARK target: kernel too old for --and-mark");
- case '3':
- exit_error(PARAMETER_PROBLEM,
- "MARK target: kernel too old for --or-mark");
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "MARK target: Parameter --set/and/or-mark"
- " is required");
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse_v1(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_mark_target_info_v1 *markinfo
- = (struct ipt_mark_target_info_v1 *)(*target)->data;
-
- switch (c) {
- case '1':
- markinfo->mode = IPT_MARK_SET;
- break;
- case '2':
- markinfo->mode = IPT_MARK_AND;
- break;
- case '3':
- markinfo->mode = IPT_MARK_OR;
- break;
- default:
- return 0;
- }
-
-#ifdef KERNEL_64_USERSPACE_32
- if (string_to_number_ll(optarg, 0, 0, &markinfo->mark))
-#else
- if (string_to_number_l(optarg, 0, 0, &markinfo->mark))
-#endif
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
-
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "MARK target: Can't specify --set-mark twice");
-
- *flags = 1;
- return 1;
-}
-
-#ifdef KERNEL_64_USERSPACE_32
-static void
-print_mark(unsigned long long mark)
-{
- printf("0x%llx ", mark);
-}
-#else
-static void
-print_mark(unsigned long mark)
-{
- printf("0x%lx ", mark);
-}
-#endif
-
-/* Prints out the targinfo. */
-static void
-print_v0(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_mark_target_info *markinfo =
- (const struct ipt_mark_target_info *)target->data;
- printf("MARK set ");
- print_mark(markinfo->mark);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save_v0(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_mark_target_info *markinfo =
- (const struct ipt_mark_target_info *)target->data;
-
- printf("--set-mark ");
- print_mark(markinfo->mark);
-}
-
-/* Prints out the targinfo. */
-static void
-print_v1(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_mark_target_info_v1 *markinfo =
- (const struct ipt_mark_target_info_v1 *)target->data;
-
- switch (markinfo->mode) {
- case IPT_MARK_SET:
- printf("MARK set ");
- break;
- case IPT_MARK_AND:
- printf("MARK and ");
- break;
- case IPT_MARK_OR:
- printf("MARK or ");
- break;
- }
- print_mark(markinfo->mark);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save_v1(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_mark_target_info_v1 *markinfo =
- (const struct ipt_mark_target_info_v1 *)target->data;
-
- switch (markinfo->mode) {
- case IPT_MARK_SET:
- printf("--set-mark ");
- break;
- case IPT_MARK_AND:
- printf("--and-mark ");
- break;
- case IPT_MARK_OR:
- printf("--or-mark ");
- break;
- }
- print_mark(markinfo->mark);
-}
-
-static
-struct iptables_target mark_v0 = {
- .next = NULL,
- .name = "MARK",
- .version = IPTABLES_VERSION,
- .revision = 0,
- .size = IPT_ALIGN(sizeof(struct ipt_mark_target_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_mark_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse_v0,
- .final_check = &final_check,
- .print = &print_v0,
- .save = &save_v0,
- .extra_opts = opts
-};
-
-static
-struct iptables_target mark_v1 = {
- .next = NULL,
- .name = "MARK",
- .version = IPTABLES_VERSION,
- .revision = 1,
- .size = IPT_ALIGN(sizeof(struct ipt_mark_target_info_v1)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_mark_target_info_v1)),
- .help = &help,
- .init = &init,
- .parse = &parse_v1,
- .final_check = &final_check,
- .print = &print_v1,
- .save = &save_v1,
- .extra_opts = opts
-};
-
-void ipt_MARK_init(void)
-{
- register_target(&mark_v0);
- register_target(&mark_v1);
-}
diff --git a/extensions/libipt_MARK.man b/extensions/libipt_MARK.man
deleted file mode 100644
index 7ddf23e..0000000
--- a/extensions/libipt_MARK.man
+++ /dev/null
@@ -1,13 +0,0 @@
-This is used to set the netfilter mark value associated with the
-packet. It is only valid in the
-.B mangle
-table. It can for example be used in conjunction with iproute2.
-.TP
-.BI "--set-mark " "value"
-Set nfmark value
-.TP
-.BI "--and-mark " "value"
-Binary AND the nfmark with value
-.TP
-.BI "--or-mark " "value"
-Binary OR the nfmark with value
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
deleted file mode 100644
index f809e78..0000000
--- a/extensions/libipt_MASQUERADE.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/* Shared library add-on to iptables to add masquerade support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-#include <netinet/in.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"MASQUERADE v%s options:\n"
-" --to-ports <port>[-<port>]\n"
-" Port (range) to map to.\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "to-ports", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ip_nat_multi_range *mr = (struct ip_nat_multi_range *)t->data;
-
- /* Actually, it's 0, but it's ignored at the moment. */
- mr->rangesize = 1;
-
-}
-
-/* Parses ports */
-static void
-parse_ports(const char *arg, struct ip_nat_multi_range *mr)
-{
- const char *dash;
- int port;
-
- mr->range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
-
- port = atoi(arg);
- if (port <= 0 || port > 65535)
- exit_error(PARAMETER_PROBLEM, "Port `%s' not valid\n", arg);
-
- dash = strchr(arg, '-');
- if (!dash) {
- mr->range[0].min.tcp.port
- = mr->range[0].max.tcp.port
- = htons(port);
- } else {
- int maxport;
-
- maxport = atoi(dash + 1);
- if (maxport == 0 || maxport > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", dash+1);
- if (maxport < port)
- /* People are stupid. Present reader excepted. */
- exit_error(PARAMETER_PROBLEM,
- "Port range `%s' funky\n", arg);
- mr->range[0].min.tcp.port = htons(port);
- mr->range[0].max.tcp.port = htons(maxport);
- }
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- int portok;
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)(*target)->data;
-
- if (entry->ip.proto == IPPROTO_TCP
- || entry->ip.proto == IPPROTO_UDP
- || entry->ip.proto == IPPROTO_ICMP)
- portok = 1;
- else
- portok = 0;
-
- switch (c) {
- case '1':
- if (!portok)
- exit_error(PARAMETER_PROBLEM,
- "Need TCP or UDP with port specification");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --to-ports");
-
- parse_ports(optarg, mr);
- return 1;
-
- default:
- return 0;
- }
-}
-
-/* Final check; don't care. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)target->data;
- struct ip_nat_range *r = &mr->range[0];
-
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
- printf("masq ports: ");
- printf("%hu", ntohs(r->min.tcp.port));
- if (r->max.tcp.port != r->min.tcp.port)
- printf("-%hu", ntohs(r->max.tcp.port));
- printf(" ");
- }
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)target->data;
- struct ip_nat_range *r = &mr->range[0];
-
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
- printf("--to-ports %hu", ntohs(r->min.tcp.port));
- if (r->max.tcp.port != r->min.tcp.port)
- printf("-%hu", ntohs(r->max.tcp.port));
- printf(" ");
- }
-}
-
-static struct iptables_target masq = { NULL,
- .name = "MASQUERADE",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_MASQUERADE_init(void)
-{
- register_target(&masq);
-}
diff --git a/extensions/libipt_MASQUERADE.man b/extensions/libipt_MASQUERADE.man
deleted file mode 100644
index e82063c..0000000
--- a/extensions/libipt_MASQUERADE.man
+++ /dev/null
@@ -1,22 +0,0 @@
-This target is only valid in the
-.B nat
-table, in the
-.B POSTROUTING
-chain. It should only be used with dynamically assigned IP (dialup)
-connections: if you have a static IP address, you should use the SNAT
-target. Masquerading is equivalent to specifying a mapping to the IP
-address of the interface the packet is going out, but also has the
-effect that connections are
-.I forgotten
-when the interface goes down. This is the correct behavior when the
-next dialup is unlikely to have the same interface address (and hence
-any established connections are lost anyway). It takes one option:
-.TP
-.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
-This specifies a range of source ports to use, overriding the default
-.B SNAT
-source port-selection heuristics (see above). This is only valid
-if the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" .
diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c
deleted file mode 100644
index 6988c90..0000000
--- a/extensions/libipt_MIRROR.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/* Shared library add-on to iptables to add MIRROR target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"MIRROR target v%s takes no options\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- return 0;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-static struct iptables_target mirror = {
- .next = NULL,
- .name = "MIRROR",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(0),
- .userspacesize = IPT_ALIGN(0),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = NULL,
- .save = NULL,
- .extra_opts = opts
-};
-
-void ipt_MIRROR_init(void)
-{
- register_target(&mirror);
-}
diff --git a/extensions/libipt_MIRROR.man b/extensions/libipt_MIRROR.man
deleted file mode 100644
index 7b720bc..0000000
--- a/extensions/libipt_MIRROR.man
+++ /dev/null
@@ -1,12 +0,0 @@
-This is an experimental demonstration target which inverts the source
-and destination fields in the IP header and retransmits the packet.
-It is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains, and user-defined chains which are only called from those
-chains. Note that the outgoing packets are
-.B NOT
-seen by any packet filtering chains, connection tracking or NAT, to
-avoid loops and other problems.
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
deleted file mode 100644
index 8e9eaca..0000000
--- a/extensions/libipt_NETMAP.c
+++ /dev/null
@@ -1,200 +0,0 @@
-/* Shared library add-on to iptables to add static NAT support.
- Author: Svenning Soerensen <svenning@post5.tele.dk>
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-#include <netinet/in.h>
-
-#define MODULENAME "NETMAP"
-
-static struct option opts[] = {
- { "to", 1, 0, '1' },
- { 0 }
-};
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(MODULENAME" v%s options:\n"
- " --%s address[/mask]\n"
- " Network address to map to.\n\n",
- IPTABLES_VERSION, opts[0].name);
-}
-
-static u_int32_t
-bits2netmask(int bits)
-{
- u_int32_t netmask, bm;
-
- if (bits >= 32 || bits < 0)
- return(~0);
- for (netmask = 0, bm = 0x80000000; bits; bits--, bm >>= 1)
- netmask |= bm;
- return htonl(netmask);
-}
-
-static int
-netmask2bits(u_int32_t netmask)
-{
- u_int32_t bm;
- int bits;
-
- netmask = ntohl(netmask);
- for (bits = 0, bm = 0x80000000; netmask & bm; netmask <<= 1)
- bits++;
- if (netmask)
- return -1; /* holes in netmask */
- return bits;
-}
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ip_nat_multi_range *mr = (struct ip_nat_multi_range *)t->data;
-
- /* Actually, it's 0, but it's ignored at the moment. */
- mr->rangesize = 1;
-
-}
-
-/* Parses network address */
-static void
-parse_to(char *arg, struct ip_nat_range *range)
-{
- char *slash;
- struct in_addr *ip;
- u_int32_t netmask;
- unsigned int bits;
-
- range->flags |= IP_NAT_RANGE_MAP_IPS;
- slash = strchr(arg, '/');
- if (slash)
- *slash = '\0';
-
- ip = dotted_to_addr(arg);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- arg);
- range->min_ip = ip->s_addr;
- if (slash) {
- if (strchr(slash+1, '.')) {
- ip = dotted_to_mask(slash+1);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad netmask `%s'\n",
- slash+1);
- netmask = ip->s_addr;
- }
- else {
- if (string_to_number(slash+1, 0, 32, &bits) == -1)
- exit_error(PARAMETER_PROBLEM, "Bad netmask `%s'\n",
- slash+1);
- netmask = bits2netmask(bits);
- }
- /* Don't allow /0 (/1 is probably insane, too) */
- if (netmask == 0)
- exit_error(PARAMETER_PROBLEM, "Netmask needed\n");
- }
- else
- netmask = ~0;
-
- if (range->min_ip & ~netmask) {
- if (slash)
- *slash = '/';
- exit_error(PARAMETER_PROBLEM, "Bad network address `%s'\n",
- arg);
- }
- range->max_ip = range->min_ip | ~netmask;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)(*target)->data;
-
- switch (c) {
- case '1':
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --%s", opts[0].name);
-
- parse_to(optarg, &mr->range[0]);
- *flags = 1;
- return 1;
-
- default:
- return 0;
- }
-}
-
-/* Final check; need --to */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- MODULENAME" needs --%s", opts[0].name);
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)target->data;
- struct ip_nat_range *r = &mr->range[0];
- struct in_addr a;
- int bits;
-
- a.s_addr = r->min_ip;
- printf("%s", addr_to_dotted(&a));
- a.s_addr = ~(r->min_ip ^ r->max_ip);
- bits = netmask2bits(a.s_addr);
- if (bits < 0)
- printf("/%s", addr_to_dotted(&a));
- else
- printf("/%d", bits);
-}
-
-/* Saves the targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- printf("--%s ", opts[0].name);
- print(ip, target, 0);
-}
-
-static struct iptables_target target_module = {
- .next = NULL,
- .name = MODULENAME,
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_NETMAP_init(void)
-{
- register_target(&target_module);
-}
-
diff --git a/extensions/libipt_NETMAP.man b/extensions/libipt_NETMAP.man
deleted file mode 100644
index d49a025..0000000
--- a/extensions/libipt_NETMAP.man
+++ /dev/null
@@ -1,9 +0,0 @@
-This target allows you to statically map a whole network of addresses onto
-another network of addresses. It can only be used from rules in the
-.B nat
-table.
-.TP
-.BI "--to " "address[/mask]"
-Network address to map to. The resulting address will be constructed in the
-following way: All 'one' bits in the mask are filled in from the new `address'.
-All bits that are zero in the mask are filled in from the original address.
diff --git a/extensions/libipt_NFLOG.c b/extensions/libipt_NFLOG.c
deleted file mode 100644
index d054383..0000000
--- a/extensions/libipt_NFLOG.c
+++ /dev/null
@@ -1,161 +0,0 @@
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter/xt_NFLOG.h>
-
-enum {
- NFLOG_GROUP = 0x1,
- NFLOG_PREFIX = 0x2,
- NFLOG_RANGE = 0x4,
- NFLOG_THRESHOLD = 0x8,
-};
-
-static struct option opts[] = {
- { "nflog-group", 1, 0, NFLOG_GROUP },
- { "nflog-prefix", 1, 0, NFLOG_PREFIX },
- { "nflog-range", 1, 0, NFLOG_RANGE },
- { "nflog-threshold", 1, 0, NFLOG_THRESHOLD },
-};
-
-static void help(void)
-{
- printf("NFLOG v%s options:\n"
- " --nflog-group NUM NETLINK group used for logging\n"
- " --nflog-range NUM Number of byte to copy\n"
- " --nflog-threshold NUM Message threshold of in-kernel queue\n"
- " --nflog-prefix STRING Prefix string for log messages\n\n",
- IPTABLES_VERSION);
-}
-
-static void init(struct xt_entry_target *t, unsigned int *nfcache)
-{
- struct xt_nflog_info *info = (struct xt_nflog_info *)t->data;
-
- info->group = XT_NFLOG_DEFAULT_GROUP;
- info->threshold = XT_NFLOG_DEFAULT_THRESHOLD;
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct xt_entry_target **target)
-{
- struct xt_nflog_info *info = (struct xt_nflog_info *)(*target)->data;
- int n;
-
- switch (c) {
- case NFLOG_GROUP:
- if (*flags & NFLOG_GROUP)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nflog-group twice");
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --nflog-group");
-
- n = atoi(optarg);
- if (n < 1 || n > 32)
- exit_error(PARAMETER_PROBLEM,
- "--nflog-group has to be between 1 and 32");
- info->group = 1 << (n - 1);
- break;
- case NFLOG_PREFIX:
- if (*flags & NFLOG_PREFIX)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nflog-prefix twice");
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --nflog-prefix");
-
- n = strlen(optarg);
- if (n == 0)
- exit_error(PARAMETER_PROBLEM,
- "No prefix specified for --nflog-prefix");
- if (n >= sizeof(info->prefix))
- exit_error(PARAMETER_PROBLEM,
- "--nflog-prefix too long, max %Zu characters",
- sizeof(info->prefix) - 1);
- if (n != strlen(strtok(optarg, "\n")))
- exit_error(PARAMETER_PROBLEM,
- "Newlines are not allowed in --nflog-prefix");
- strcpy(info->prefix, optarg);
- break;
- case NFLOG_RANGE:
- if (*flags & NFLOG_RANGE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nflog-range twice");
- n = atoi(optarg);
- if (n < 0)
- exit_error(PARAMETER_PROBLEM,
- "Invalid --nflog-range, must be >= 0");
- info->len = n;
- break;
- case NFLOG_THRESHOLD:
- if (*flags & NFLOG_THRESHOLD)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nflog-threshold twice");
- n = atoi(optarg);
- if (n < 1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid --nflog-threshold, must be >= 1");
- info->threshold = n;
- break;
- default:
- return 0;
- }
- *flags |= c;
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- return;
-}
-
-static void nflog_print(const struct xt_nflog_info *info, char *prefix)
-{
- if (info->prefix[0] != '\0')
- printf("%snflog-prefix \"%s\" ", prefix, info->prefix);
- if (info->group != XT_NFLOG_DEFAULT_GROUP)
- printf("%snflog-group %u ", prefix, ffs(info->group));
- if (info->len)
- printf("%snflog-range %u ", prefix, info->len);
- if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
- printf("%snflog-threshold %u ", prefix, info->threshold);
-}
-
-static void print(const struct ipt_ip *ip, const struct xt_entry_target *target,
- int numeric)
-{
- const struct xt_nflog_info *info = (struct xt_nflog_info *)target->data;
-
- nflog_print(info, "");
-}
-
-static void save(const struct ipt_ip *ip, const struct xt_entry_target *target)
-{
- const struct xt_nflog_info *info = (struct xt_nflog_info *)target->data;
-
- nflog_print(info, "--");
-}
-
-static struct iptables_target nflog = {
- .name = "NFLOG",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_nflog_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_nflog_info)),
- .help = help,
- .init = init,
- .parse = parse,
- .final_check = final_check,
- .print = print,
- .save = save,
- .extra_opts = opts,
-};
-
-void ipt_NFLOG_init(void)
-{
- register_target(&nflog);
-}
diff --git a/extensions/libipt_NFQUEUE.c b/extensions/libipt_NFQUEUE.c
deleted file mode 100644
index c4573ff..0000000
--- a/extensions/libipt_NFQUEUE.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* Shared library add-on to iptables for NFQ
- *
- * (C) 2005 by Harald Welte <laforge@netfilter.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_NFQUEUE.h>
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
-"NFQUEUE target options\n"
-" --queue-num value Send packet to QUEUE number <value>.\n"
-" Valid queue numbers are 0-65535\n"
-);
-}
-
-static struct option opts[] = {
- { "queue-num", 1, 0, 'F' },
- { 0 }
-};
-
-static void
-parse_num(const char *s, struct ipt_NFQ_info *tinfo)
-{
- unsigned int num;
-
- if (string_to_number(s, 0, 65535, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid queue number `%s'\n", s);
-
- tinfo->queuenum = num & 0xffff;
- return;
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_NFQ_info *tinfo
- = (struct ipt_NFQ_info *)(*target)->data;
-
- switch (c) {
- case 'F':
- if (*flags)
- exit_error(PARAMETER_PROBLEM, "NFQUEUE target: "
- "Only use --queue-num ONCE!");
- parse_num(optarg, tinfo);
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_NFQ_info *tinfo =
- (const struct ipt_NFQ_info *)target->data;
- printf("NFQUEUE num %u", tinfo->queuenum);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_NFQ_info *tinfo =
- (const struct ipt_NFQ_info *)target->data;
-
- printf("--queue-num %u ", tinfo->queuenum);
-}
-
-static struct iptables_target nfqueue = {
- .next = NULL,
- .name = "NFQUEUE",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_NFQ_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_NFQ_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_NFQUEUE_init(void)
-{
- register_target(&nfqueue);
-}
diff --git a/extensions/libipt_NFQUEUE.man b/extensions/libipt_NFQUEUE.man
deleted file mode 100644
index c4e9d11..0000000
--- a/extensions/libipt_NFQUEUE.man
+++ /dev/null
@@ -1,12 +0,0 @@
-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
-you to put a packet into any specific queue, identified by its 16-bit queue
-number.
-.TP
-.BR "--queue-num " "\fIvalue"
-This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
-.TP
-It can only be used with Kernel versions 2.6.14 or later, since it requires
-the
-.B
-nfnetlink_queue
-kernel support.
diff --git a/extensions/libipt_NOTRACK.c b/extensions/libipt_NOTRACK.c
deleted file mode 100644
index f9dfefe..0000000
--- a/extensions/libipt_NOTRACK.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/* Shared library add-on to iptables to add NOTRACK target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"NOTRACK target v%s takes no options\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- return 0;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-static
-struct iptables_target notrack
-= { .next = NULL,
- .name = "NOTRACK",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(0),
- .userspacesize = IPT_ALIGN(0),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = NULL, /* print */
- .save = NULL, /* save */
- .extra_opts = opts
-};
-
-void ipt_NOTRACK_init(void)
-{
- register_target(&notrack);
-}
diff --git a/extensions/libipt_NOTRACK.man b/extensions/libipt_NOTRACK.man
deleted file mode 100644
index 30e830a..0000000
--- a/extensions/libipt_NOTRACK.man
+++ /dev/null
@@ -1,5 +0,0 @@
-This target disables connection tracking for all packets matching that rule.
-.TP
-It can only be used in the
-.B raw
-table.
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
deleted file mode 100644
index 7fb46f6..0000000
--- a/extensions/libipt_REDIRECT.c
+++ /dev/null
@@ -1,171 +0,0 @@
-/* Shared library add-on to iptables to add redirect support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-#include <netinet/in.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"REDIRECT v%s options:\n"
-" --to-ports <port>[-<port>]\n"
-" Port (range) to map to.\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "to-ports", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ip_nat_multi_range *mr = (struct ip_nat_multi_range *)t->data;
-
- /* Actually, it's 0, but it's ignored at the moment. */
- mr->rangesize = 1;
-
-}
-
-/* Parses ports */
-static void
-parse_ports(const char *arg, struct ip_nat_multi_range *mr)
-{
- const char *dash;
- int port;
-
- mr->range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
-
- if (strchr(arg, '.'))
- exit_error(PARAMETER_PROBLEM, "IP address not permitted\n");
-
- port = atoi(arg);
- if (port == 0 || port > 65535)
- exit_error(PARAMETER_PROBLEM, "Port `%s' not valid\n", arg);
-
- dash = strchr(arg, '-');
- if (!dash) {
- mr->range[0].min.tcp.port
- = mr->range[0].max.tcp.port
- = htons(port);
- } else {
- int maxport;
-
- maxport = atoi(dash + 1);
- if (maxport == 0 || maxport > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", dash+1);
- if (maxport < port)
- /* People are stupid. */
- exit_error(PARAMETER_PROBLEM,
- "Port range `%s' funky\n", arg);
- mr->range[0].min.tcp.port = htons(port);
- mr->range[0].max.tcp.port = htons(maxport);
- }
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)(*target)->data;
- int portok;
-
- if (entry->ip.proto == IPPROTO_TCP
- || entry->ip.proto == IPPROTO_UDP
- || entry->ip.proto == IPPROTO_ICMP)
- portok = 1;
- else
- portok = 0;
-
- switch (c) {
- case '1':
- if (!portok)
- exit_error(PARAMETER_PROBLEM,
- "Need TCP or UDP with port specification");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --to-ports");
-
- parse_ports(optarg, mr);
- return 1;
-
- default:
- return 0;
- }
-}
-
-/* Final check; don't care. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)target->data;
- struct ip_nat_range *r = &mr->range[0];
-
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
- printf("redir ports ");
- printf("%hu", ntohs(r->min.tcp.port));
- if (r->max.tcp.port != r->min.tcp.port)
- printf("-%hu", ntohs(r->max.tcp.port));
- printf(" ");
- }
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)target->data;
- struct ip_nat_range *r = &mr->range[0];
-
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
- printf("--to-ports ");
- printf("%hu", ntohs(r->min.tcp.port));
- if (r->max.tcp.port != r->min.tcp.port)
- printf("-%hu", ntohs(r->max.tcp.port));
- printf(" ");
- }
-}
-
-static struct iptables_target redir = {
- .next = NULL,
- .name = "REDIRECT",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_REDIRECT_init(void)
-{
- register_target(&redir);
-}
diff --git a/extensions/libipt_REDIRECT.man b/extensions/libipt_REDIRECT.man
deleted file mode 100644
index aeca3cb..0000000
--- a/extensions/libipt_REDIRECT.man
+++ /dev/null
@@ -1,19 +0,0 @@
-This target is only valid in the
-.B nat
-table, in the
-.B PREROUTING
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. It redirects the packet to the machine itself by changing the
-destination IP to the primary address of the incoming interface
-(locally-generated packets are mapped to the 127.0.0.1 address). It
-takes one option:
-.TP
-.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
-This specifies a destination port or range of ports to use: without
-this, the destination port is never altered. This is only valid
-if the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" .
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
deleted file mode 100644
index 6564476..0000000
--- a/extensions/libipt_REJECT.c
+++ /dev/null
@@ -1,189 +0,0 @@
-/* Shared library add-on to iptables to add customized REJECT support.
- *
- * (C) 2000 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_REJECT.h>
-#include <linux/version.h>
-
-/* If we are compiling against a kernel that does not support
- * IPT_ICMP_ADMIN_PROHIBITED, we are emulating it.
- * The result will be a plain DROP of the packet instead of
- * reject. -- Maciej Soltysiak <solt@dns.toxicfilms.tv>
- */
-#ifndef IPT_ICMP_ADMIN_PROHIBITED
-#define IPT_ICMP_ADMIN_PROHIBITED IPT_TCP_RESET + 1
-#endif
-
-struct reject_names {
- const char *name;
- const char *alias;
- enum ipt_reject_with with;
- const char *desc;
-};
-
-static const struct reject_names reject_table[] = {
- {"icmp-net-unreachable", "net-unreach",
- IPT_ICMP_NET_UNREACHABLE, "ICMP network unreachable"},
- {"icmp-host-unreachable", "host-unreach",
- IPT_ICMP_HOST_UNREACHABLE, "ICMP host unreachable"},
- {"icmp-proto-unreachable", "proto-unreach",
- IPT_ICMP_PROT_UNREACHABLE, "ICMP protocol unreachable"},
- {"icmp-port-unreachable", "port-unreach",
- IPT_ICMP_PORT_UNREACHABLE, "ICMP port unreachable (default)"},
-#if 0
- {"echo-reply", "echoreply",
- IPT_ICMP_ECHOREPLY, "for ICMP echo only: faked ICMP echo reply"},
-#endif
- {"icmp-net-prohibited", "net-prohib",
- IPT_ICMP_NET_PROHIBITED, "ICMP network prohibited"},
- {"icmp-host-prohibited", "host-prohib",
- IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
- {"tcp-reset", "tcp-rst",
- IPT_TCP_RESET, "TCP RST packet"},
- {"icmp-admin-prohibited", "admin-prohib",
- IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
-};
-
-static void
-print_reject_types()
-{
- unsigned int i;
-
- printf("Valid reject types:\n");
-
- for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
- printf(" %-25s\t%s\n", reject_table[i].name, reject_table[i].desc);
- printf(" %-25s\talias\n", reject_table[i].alias);
- }
- printf("\n");
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"REJECT options:\n"
-"--reject-with type drop input packet and send back\n"
-" a reply packet according to type:\n");
-
- print_reject_types();
-
- printf("(*) See man page or read the INCOMPATIBILITES file for compatibility issues.\n");
-}
-
-static struct option opts[] = {
- { "reject-with", 1, 0, '1' },
- { 0 }
-};
-
-/* Allocate and initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ipt_reject_info *reject = (struct ipt_reject_info *)t->data;
-
- /* default */
- reject->with = IPT_ICMP_PORT_UNREACHABLE;
-
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_reject_info *reject = (struct ipt_reject_info *)(*target)->data;
- unsigned int limit = sizeof(reject_table)/sizeof(struct reject_names);
- unsigned int i;
-
- switch(c) {
- case '1':
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --reject-with");
- for (i = 0; i < limit; i++) {
- if ((strncasecmp(reject_table[i].name, optarg, strlen(optarg)) == 0)
- || (strncasecmp(reject_table[i].alias, optarg, strlen(optarg)) == 0)) {
- reject->with = reject_table[i].with;
- return 1;
- }
- }
- /* This due to be dropped late in 2.4 pre-release cycle --RR */
- if (strncasecmp("echo-reply", optarg, strlen(optarg)) == 0
- || strncasecmp("echoreply", optarg, strlen(optarg)) == 0)
- fprintf(stderr, "--reject-with echo-reply no longer"
- " supported\n");
- exit_error(PARAMETER_PROBLEM, "unknown reject type `%s'",optarg);
- default:
- /* Fall through */
- break;
- }
- return 0;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out ipt_reject_info. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_reject_info *reject
- = (const struct ipt_reject_info *)target->data;
- unsigned int i;
-
- for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
- if (reject_table[i].with == reject->with)
- break;
- }
- printf("reject-with %s ", reject_table[i].name);
-}
-
-/* Saves ipt_reject in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_reject_info *reject
- = (const struct ipt_reject_info *)target->data;
- unsigned int i;
-
- for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++)
- if (reject_table[i].with == reject->with)
- break;
-
- printf("--reject-with %s ", reject_table[i].name);
-}
-
-static struct iptables_target reject = {
- .next = NULL,
- .name = "REJECT",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_reject_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_reject_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_REJECT_init(void)
-{
- register_target(&reject);
-}
diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man
deleted file mode 100644
index 174bf7b..0000000
--- a/extensions/libipt_REJECT.man
+++ /dev/null
@@ -1,34 +0,0 @@
-This is used to send back an error packet in response to the matched
-packet: otherwise it is equivalent to
-.B DROP
-so it is a terminating TARGET, ending rule traversal.
-This target is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. The following option controls the nature of the error packet
-returned:
-.TP
-.BI "--reject-with " "type"
-The type given can be
-.nf
-.B " icmp-net-unreachable"
-.B " icmp-host-unreachable"
-.B " icmp-port-unreachable"
-.B " icmp-proto-unreachable"
-.B " icmp-net-prohibited"
-.B " icmp-host-prohibited or"
-.B " icmp-admin-prohibited (*)"
-.fi
-which return the appropriate ICMP error message (\fBport-unreachable\fP is
-the default). The option
-.B tcp-reset
-can be used on rules which only match the TCP protocol: this causes a
-TCP RST packet to be sent back. This is mainly useful for blocking
-.I ident
-(113/tcp) probes which frequently occur when sending mail to broken mail
-hosts (which won't accept your mail otherwise).
-.TP
-(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
deleted file mode 100644
index d8912f3..0000000
--- a/extensions/libipt_SAME.c
+++ /dev/null
@@ -1,208 +0,0 @@
-/* Shared library add-on to iptables to add simple non load-balancing SNAT support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv4/ipt_SAME.h"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"SAME v%s options:\n"
-" --to <ipaddr>-<ipaddr>\n"
-" Addresses to map source to.\n"
-" May be specified more than\n"
-" once for multiple ranges.\n"
-" --nodst\n"
-" Don't use destination-ip in\n"
-" source selection\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "to", 1, 0, '1' },
- { "nodst", 0, 0, '2'},
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ipt_same_info *mr = (struct ipt_same_info *)t->data;
-
- /* Set default to 0 */
- mr->rangesize = 0;
- mr->info = 0;
- mr->ipnum = 0;
-
-}
-
-/* Parses range of IPs */
-static void
-parse_to(char *arg, struct ip_nat_range *range)
-{
- char *dash;
- struct in_addr *ip;
-
- range->flags |= IP_NAT_RANGE_MAP_IPS;
- dash = strchr(arg, '-');
-
- if (dash)
- *dash = '\0';
-
- ip = dotted_to_addr(arg);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- arg);
- range->min_ip = ip->s_addr;
-
- if (dash) {
- ip = dotted_to_addr(dash+1);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- dash+1);
- }
- range->max_ip = ip->s_addr;
- if (dash)
- if (range->min_ip > range->max_ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP range `%s-%s'\n",
- arg, dash+1);
-}
-
-#define IPT_SAME_OPT_TO 0x01
-#define IPT_SAME_OPT_NODST 0x02
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_same_info *mr
- = (struct ipt_same_info *)(*target)->data;
-
- switch (c) {
- case '1':
- if (mr->rangesize == IPT_SAME_MAX_RANGE)
- exit_error(PARAMETER_PROBLEM,
- "Too many ranges specified, maximum "
- "is %i ranges.\n",
- IPT_SAME_MAX_RANGE);
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --to");
-
- parse_to(optarg, &mr->range[mr->rangesize]);
- mr->rangesize++;
- *flags |= IPT_SAME_OPT_TO;
- break;
-
- case '2':
- if (*flags & IPT_SAME_OPT_NODST)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nodst twice");
-
- mr->info |= IPT_SAME_NODST;
- *flags |= IPT_SAME_OPT_NODST;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; need --to. */
-static void final_check(unsigned int flags)
-{
- if (!(flags & IPT_SAME_OPT_TO))
- exit_error(PARAMETER_PROBLEM,
- "SAME needs --to");
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- int count;
- struct ipt_same_info *mr
- = (struct ipt_same_info *)target->data;
-
- printf("same:");
-
- for (count = 0; count < mr->rangesize; count++) {
- struct ip_nat_range *r = &mr->range[count];
- struct in_addr a;
-
- a.s_addr = r->min_ip;
-
- printf("%s", addr_to_dotted(&a));
- a.s_addr = r->max_ip;
-
- if (r->min_ip == r->max_ip)
- printf(" ");
- else
- printf("-%s ", addr_to_dotted(&a));
- }
-
- if (mr->info & IPT_SAME_NODST)
- printf("nodst ");
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- int count;
- struct ipt_same_info *mr
- = (struct ipt_same_info *)target->data;
-
- for (count = 0; count < mr->rangesize; count++) {
- struct ip_nat_range *r = &mr->range[count];
- struct in_addr a;
-
- a.s_addr = r->min_ip;
- printf("--to %s", addr_to_dotted(&a));
- a.s_addr = r->max_ip;
-
- if (r->min_ip == r->max_ip)
- printf(" ");
- else
- printf("-%s ", addr_to_dotted(&a));
- }
-
- if (mr->info & IPT_SAME_NODST)
- printf("--nodst ");
-}
-
-static struct iptables_target same = {
- .next = NULL,
- .name = "SAME",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_same_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_same_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_SAME_init(void)
-{
- register_target(&same);
-}
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
deleted file mode 100644
index 817c200..0000000
--- a/extensions/libipt_SAME.man
+++ /dev/null
@@ -1,11 +0,0 @@
-Similar to SNAT/DNAT depending on chain: it takes a range of addresses
-(`--to 1.2.3.4-1.2.3.7') and gives a client the same
-source-/destination-address for each connection.
-.TP
-.BI "--to " "<ipaddr>-<ipaddr>"
-Addresses to map source to. May be specified more than once for
-multiple ranges.
-.TP
-.B "--nodst"
-Don't use the destination-ip in the calculations when selecting the
-new source-ip
diff --git a/extensions/libipt_SECMARK.c b/extensions/libipt_SECMARK.c
deleted file mode 100644
index c7f0fb2..0000000
--- a/extensions/libipt_SECMARK.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Shared library add-on to iptables to add SECMARK target support.
- *
- * Based on the MARK target.
- *
- * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter/xt_SECMARK.h>
-
-#define PFX "SECMARK target: "
-
-static void help(void)
-{
- printf(
-"SECMARK target v%s options:\n"
-" --selctx value Set the SELinux security context\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "selctx", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{ }
-
-/*
- * Function which parses command options; returns true if it
- * ate an option.
- */
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry, struct ipt_entry_target **target)
-{
- struct xt_secmark_target_info *info =
- (struct xt_secmark_target_info*)(*target)->data;
-
- switch (c) {
- case '1':
- if (*flags & SECMARK_MODE_SEL)
- exit_error(PARAMETER_PROBLEM, PFX
- "Can't specify --selctx twice");
- info->mode = SECMARK_MODE_SEL;
-
- if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
- exit_error(PARAMETER_PROBLEM, PFX
- "Maximum length %u exceeded by --selctx"
- " parameter (%zu)",
- SECMARK_SELCTX_MAX-1, strlen(optarg));
-
- strcpy(info->u.sel.selctx, optarg);
- *flags |= SECMARK_MODE_SEL;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, PFX "parameter required");
-}
-
-static void print_secmark(struct xt_secmark_target_info *info)
-{
- switch (info->mode) {
- case SECMARK_MODE_SEL:
- printf("selctx %s ", info->u.sel.selctx);\
- break;
-
- default:
- exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
- }
-}
-
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target, int numeric)
-{
- struct xt_secmark_target_info *info =
- (struct xt_secmark_target_info*)(target)->data;
-
- printf("SECMARK ");
- print_secmark(info);
-}
-
-/* Saves the target info in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- struct xt_secmark_target_info *info =
- (struct xt_secmark_target_info*)target->data;
-
- printf("--");
- print_secmark(info);
-}
-
-static struct iptables_target secmark = {
- .next = NULL,
- .name = "SECMARK",
- .version = IPTABLES_VERSION,
- .revision = 0,
- .size = IPT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_SECMARK_init(void)
-{
- register_target(&secmark);
-}
diff --git a/extensions/libipt_SECMARK.man b/extensions/libipt_SECMARK.man
deleted file mode 100644
index f892de9..0000000
--- a/extensions/libipt_SECMARK.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This is used to set the security mark value associated with the
-packet for use by security subsystems such as SELinux. It is only
-valid in the
-.B mangle
-table.
-.TP
-.BI "--selctx " "security_context"
diff --git a/extensions/libipt_SET.c b/extensions/libipt_SET.c
deleted file mode 100644
index f483418..0000000
--- a/extensions/libipt_SET.c
+++ /dev/null
@@ -1,180 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- * Patrick Schaaf <bof@bof.de>
- * Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Shared library add-on to iptables to add IP set mangling target. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ipt_set.h>
-#include "libipt_set.h"
-
-/* Function which prints out usage message. */
-static void help(void)
-{
- printf("SET v%s options:\n"
- " --add-set name flags\n"
- " --del-set name flags\n"
- " add/del src/dst IP/port from/to named sets,\n"
- " where flags are the comma separated list of\n"
- " 'src' and 'dst'.\n"
- "\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {"add-set", 1, 0, '1'},
- {"del-set", 1, 0, '2'},
- {0}
-};
-
-/* Initialize the target. */
-static void init(struct ipt_entry_target *target, unsigned int *nfcache)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- memset(info, 0, sizeof(struct ipt_set_info_target));
- info->add_set.index =
- info->del_set.index = IP_SET_INVALID_ID;
-
-}
-
-static void
-parse_target(char **argv, int invert, unsigned int *flags,
- struct ipt_set_info *info, const char *what)
-{
- if (info->flags[0])
- exit_error(PARAMETER_PROBLEM,
- "--%s can be specified only once", what);
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --%s", what);
-
- if (!argv[optind]
- || argv[optind][0] == '-' || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--%s requires two args.", what);
-
- if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1)
- exit_error(PARAMETER_PROBLEM,
- "setname `%s' too long, max %d characters.",
- argv[optind-1], IP_SET_MAXNAMELEN - 1);
-
- get_set_byname(argv[optind - 1], info);
- parse_bindings(argv[optind], info);
- optind++;
-
- *flags = 1;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry, struct ipt_entry_target **target)
-{
- struct ipt_set_info_target *myinfo =
- (struct ipt_set_info_target *) (*target)->data;
-
- switch (c) {
- case '1': /* --add-set <set> <flags> */
- parse_target(argv, invert, flags,
- &myinfo->add_set, "add-set");
- break;
- case '2': /* --del-set <set>[:<flags>] <flags> */
- parse_target(argv, invert, flags,
- &myinfo->del_set, "del-set");
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must specify at least one. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify either `--add-set' or `--del-set'");
-}
-
-static void
-print_target(const char *prefix, const struct ipt_set_info *info)
-{
- int i;
- char setname[IP_SET_MAXNAMELEN];
-
- if (info->index == IP_SET_INVALID_ID)
- return;
- get_set_byid(setname, info->index);
- printf("%s %s", prefix, setname);
- for (i = 0; i < IP_SET_MAX_BINDINGS; i++) {
- if (!info->flags[i])
- break;
- printf("%s%s",
- i == 0 ? " " : ",",
- info->flags[i] & IPSET_SRC ? "src" : "dst");
- }
- printf(" ");
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target, int numeric)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- print_target("add-set", &info->add_set);
- print_target("del-set", &info->del_set);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- print_target("--add-set", &info->add_set);
- print_target("--del-set", &info->del_set);
-}
-
-static
-struct iptables_target ipt_set_target
-= {
- .name = "SET",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_set_info_target)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_set_info_target)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_SET_init(void)
-{
- register_target(&ipt_set_target);
-}
diff --git a/extensions/libipt_SET.man b/extensions/libipt_SET.man
deleted file mode 100644
index 8f25bea..0000000
--- a/extensions/libipt_SET.man
+++ /dev/null
@@ -1,16 +0,0 @@
-This modules adds and/or deletes entries from IP sets which can be defined
-by ipset(8).
-.TP
-.BR "--add-set " "setname flag[,flag...]"
-add the address(es)/port(s) of the packet to the sets
-.TP
-.BR "--del-set " "setname flag[,flag...]"
-delete the address(es)/port(s) of the packet from the sets,
-where flags are
-.BR "src"
-and/or
-.BR "dst"
-and there can be no more than six of them.
-.TP
-The bindings to follow must previously be defined in order to use
-multilevel adding/deleting by the SET target.
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
deleted file mode 100644
index 94b85c7..0000000
--- a/extensions/libipt_SNAT.c
+++ /dev/null
@@ -1,250 +0,0 @@
-/* Shared library add-on to iptables to add source-NAT support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-#include <netinet/in.h>
-
-/* Source NAT data consists of a multi-range, indicating where to map
- to. */
-struct ipt_natinfo
-{
- struct ipt_entry_target t;
- struct ip_nat_multi_range mr;
-};
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"SNAT v%s options:\n"
-" --to-source <ipaddr>[-<ipaddr>][:port-port]\n"
-" Address to map source to.\n"
-" (You can use this more than once)\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "to-source", 1, 0, '1' },
- { 0 }
-};
-
-static struct ipt_natinfo *
-append_range(struct ipt_natinfo *info, const struct ip_nat_range *range)
-{
- unsigned int size;
-
- /* One rangesize already in struct ipt_natinfo */
- size = IPT_ALIGN(sizeof(*info) + info->mr.rangesize * sizeof(*range));
-
- info = realloc(info, size);
- if (!info)
- exit_error(OTHER_PROBLEM, "Out of memory\n");
-
- info->t.u.target_size = size;
- info->mr.range[info->mr.rangesize] = *range;
- info->mr.rangesize++;
-
- return info;
-}
-
-/* Ranges expected in network order. */
-static struct ipt_entry_target *
-parse_to(char *arg, int portok, struct ipt_natinfo *info)
-{
- struct ip_nat_range range;
- char *colon, *dash, *error;
- struct in_addr *ip;
-
- memset(&range, 0, sizeof(range));
- colon = strchr(arg, ':');
-
- if (colon) {
- int port;
-
- if (!portok)
- exit_error(PARAMETER_PROBLEM,
- "Need TCP or UDP with port specification");
-
- range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
-
- port = atoi(colon+1);
- if (port <= 0 || port > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", colon+1);
-
- error = strchr(colon+1, ':');
- if (error)
- exit_error(PARAMETER_PROBLEM,
- "Invalid port:port syntax - use dash\n");
-
- dash = strchr(colon, '-');
- if (!dash) {
- range.min.tcp.port
- = range.max.tcp.port
- = htons(port);
- } else {
- int maxport;
-
- maxport = atoi(dash + 1);
- if (maxport <= 0 || maxport > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", dash+1);
- if (maxport < port)
- /* People are stupid. */
- exit_error(PARAMETER_PROBLEM,
- "Port range `%s' funky\n", colon+1);
- range.min.tcp.port = htons(port);
- range.max.tcp.port = htons(maxport);
- }
- /* Starts with a colon? No IP info...*/
- if (colon == arg)
- return &(append_range(info, &range)->t);
- *colon = '\0';
- }
-
- range.flags |= IP_NAT_RANGE_MAP_IPS;
- dash = strchr(arg, '-');
- if (colon && dash && dash > colon)
- dash = NULL;
-
- if (dash)
- *dash = '\0';
-
- ip = dotted_to_addr(arg);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- arg);
- range.min_ip = ip->s_addr;
- if (dash) {
- ip = dotted_to_addr(dash+1);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- dash+1);
- range.max_ip = ip->s_addr;
- } else
- range.max_ip = range.min_ip;
-
- return &(append_range(info, &range)->t);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_natinfo *info = (void *)*target;
- int portok;
-
- if (entry->ip.proto == IPPROTO_TCP
- || entry->ip.proto == IPPROTO_UDP
- || entry->ip.proto == IPPROTO_ICMP)
- portok = 1;
- else
- portok = 0;
-
- switch (c) {
- case '1':
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --to-source");
-
- if (*flags) {
- if (!kernel_version)
- get_kernel_version();
- if (kernel_version > LINUX_VERSION(2, 6, 10))
- exit_error(PARAMETER_PROBLEM,
- "Multiple --to-source not supported");
- }
- *target = parse_to(optarg, portok, info);
- *flags = 1;
- return 1;
-
- default:
- return 0;
- }
-}
-
-/* Final check; must have specfied --to-source. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify --to-source");
-}
-
-static void print_range(const struct ip_nat_range *r)
-{
- if (r->flags & IP_NAT_RANGE_MAP_IPS) {
- struct in_addr a;
-
- a.s_addr = r->min_ip;
- printf("%s", addr_to_dotted(&a));
- if (r->max_ip != r->min_ip) {
- a.s_addr = r->max_ip;
- printf("-%s", addr_to_dotted(&a));
- }
- }
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
- printf(":");
- printf("%hu", ntohs(r->min.tcp.port));
- if (r->max.tcp.port != r->min.tcp.port)
- printf("-%hu", ntohs(r->max.tcp.port));
- }
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- struct ipt_natinfo *info = (void *)target;
- unsigned int i = 0;
-
- printf("to:");
- for (i = 0; i < info->mr.rangesize; i++) {
- print_range(&info->mr.range[i]);
- printf(" ");
- }
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- struct ipt_natinfo *info = (void *)target;
- unsigned int i = 0;
-
- for (i = 0; i < info->mr.rangesize; i++) {
- printf("--to-source ");
- print_range(&info->mr.range[i]);
- printf(" ");
- }
-}
-
-static struct iptables_target snat = {
- .next = NULL,
- .name = "SNAT",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_SNAT_init(void)
-{
- register_target(&snat);
-}
diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man
deleted file mode 100644
index 2d9427f..0000000
--- a/extensions/libipt_SNAT.man
+++ /dev/null
@@ -1,28 +0,0 @@
-This target is only valid in the
-.B nat
-table, in the
-.B POSTROUTING
-chain. It specifies that the source address of the packet should be
-modified (and all future packets in this connection will also be
-mangled), and rules should cease being examined. It takes one type
-of option:
-.TP
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
-which can specify a single new source IP address, an inclusive range
-of IP addresses, and optionally, a port range (which is only valid if
-the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" ).
-If no port range is specified, then source ports below 512 will be
-mapped to other ports below 512: those between 512 and 1023 inclusive
-will be mapped to ports below 1024, and other ports will be mapped to
-1024 or above. Where possible, no port alteration will occur.
-.RS
-.PP
-In Kernels up to 2.6.10, you can add several --to-source options. For those
-kernels, if you specify more than one source address, either via an address
-range or multiple --to-source options, a simple round-robin (one after another
-in cycle) takes place between these addresses.
-Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
-anymore.
diff --git a/extensions/libipt_TCPMSS.c b/extensions/libipt_TCPMSS.c
deleted file mode 100644
index bf9af58..0000000
--- a/extensions/libipt_TCPMSS.c
+++ /dev/null
@@ -1,134 +0,0 @@
-/* Shared library add-on to iptables to add TCPMSS target support.
- *
- * Copyright (c) 2000 Marc Boucher
-*/
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TCPMSS.h>
-
-struct mssinfo {
- struct ipt_entry_target t;
- struct ipt_tcpmss_info mss;
-};
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"TCPMSS target v%s mutually-exclusive options:\n"
-" --set-mss value explicitly set MSS option to specified value\n"
-" --clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - 40)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "set-mss", 1, 0, '1' },
- { "clamp-mss-to-pmtu", 0, 0, '2' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_tcpmss_info *mssinfo
- = (struct ipt_tcpmss_info *)(*target)->data;
-
- switch (c) {
- unsigned int mssval;
-
- case '1':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "TCPMSS target: Only one option may be specified");
- if (string_to_number(optarg, 0, 65535 - 40, &mssval) == -1)
- exit_error(PARAMETER_PROBLEM, "Bad TCPMSS value `%s'", optarg);
-
- mssinfo->mss = mssval;
- *flags = 1;
- break;
-
- case '2':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "TCPMSS target: Only one option may be specified");
- mssinfo->mss = IPT_TCPMSS_CLAMP_PMTU;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "TCPMSS target: At least one parameter is required");
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_tcpmss_info *mssinfo =
- (const struct ipt_tcpmss_info *)target->data;
- if(mssinfo->mss == IPT_TCPMSS_CLAMP_PMTU)
- printf("TCPMSS clamp to PMTU ");
- else
- printf("TCPMSS set %u ", mssinfo->mss);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_tcpmss_info *mssinfo =
- (const struct ipt_tcpmss_info *)target->data;
-
- if(mssinfo->mss == IPT_TCPMSS_CLAMP_PMTU)
- printf("--clamp-mss-to-pmtu ");
- else
- printf("--set-mss %u ", mssinfo->mss);
-}
-
-static struct iptables_target mss = {
- .next = NULL,
- .name = "TCPMSS",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_tcpmss_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_tcpmss_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_TCPMSS_init(void)
-{
- register_target(&mss);
-}
diff --git a/extensions/libipt_TCPMSS.man b/extensions/libipt_TCPMSS.man
deleted file mode 100644
index 30668b0..0000000
--- a/extensions/libipt_TCPMSS.man
+++ /dev/null
@@ -1,41 +0,0 @@
-This target allows to alter the MSS value of TCP SYN packets, to control
-the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 40). Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-It is only valid in the
-.BR mangle
-table.
-.br
-This target is used to overcome criminally braindead ISPs or servers
-which block ICMP Fragmentation Needed packets. The symptoms of this
-problem are that everything works fine from your Linux
-firewall/router, but machines behind it can never exchange large
-packets:
-.PD 0
-.RS 0.1i
-.TP 0.3i
-1)
-Web browsers connect, then hang with no data received.
-.TP
-2)
-Small mail works fine, but large emails hang.
-.TP
-3)
-ssh works fine, but scp hangs after initial handshaking.
-.RE
-.PD
-Workaround: activate this option and add a rule to your firewall
-configuration like:
-.nf
- iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
- -j TCPMSS --clamp-mss-to-pmtu
-.fi
-.TP
-.BI "--set-mss " "value"
-Explicitly set MSS option to specified value.
-.TP
-.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 40).
-.TP
-These options are mutually exclusive.
diff --git a/extensions/libipt_TOS.c b/extensions/libipt_TOS.c
deleted file mode 100644
index 1acd995..0000000
--- a/extensions/libipt_TOS.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* Shared library add-on to iptables to add TOS target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TOS.h>
-
-struct tosinfo {
- struct ipt_entry_target t;
- struct ipt_tos_target_info tos;
-};
-
-/* TOS names and values. */
-static
-struct TOS_value
-{
- unsigned char TOS;
- const char *name;
-} TOS_values[] = {
- { IPTOS_LOWDELAY, "Minimize-Delay" },
- { IPTOS_THROUGHPUT, "Maximize-Throughput" },
- { IPTOS_RELIABILITY, "Maximize-Reliability" },
- { IPTOS_MINCOST, "Minimize-Cost" },
- { IPTOS_NORMALSVC, "Normal-Service" },
-};
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- unsigned int i;
-
- printf(
-"TOS target v%s options:\n"
-" --set-tos value Set Type of Service field to one of the\n"
-" following numeric or descriptive values:\n",
-IPTABLES_VERSION);
-
- for (i = 0; i < sizeof(TOS_values)/sizeof(struct TOS_value);i++)
- printf(" %s %u (0x%02x)\n",
- TOS_values[i].name,
- TOS_values[i].TOS,
- TOS_values[i].TOS);
- fputc('\n', stdout);
-}
-
-static struct option opts[] = {
- { "set-tos", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void
-parse_tos(const char *s, struct ipt_tos_target_info *info)
-{
- unsigned int i, tos;
-
- if (string_to_number(s, 0, 255, &tos) != -1) {
- if (tos == IPTOS_LOWDELAY
- || tos == IPTOS_THROUGHPUT
- || tos == IPTOS_RELIABILITY
- || tos == IPTOS_MINCOST
- || tos == IPTOS_NORMALSVC) {
- info->tos = (u_int8_t )tos;
- return;
- }
- } else {
- for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
- if (strcasecmp(s,TOS_values[i].name) == 0) {
- info->tos = TOS_values[i].TOS;
- return;
- }
- }
- exit_error(PARAMETER_PROBLEM, "Bad TOS value `%s'", s);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_tos_target_info *tosinfo
- = (struct ipt_tos_target_info *)(*target)->data;
-
- switch (c) {
- case '1':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "TOS target: Cant specify --set-tos twice");
- parse_tos(optarg, tosinfo);
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "TOS target: Parameter --set-tos is required");
-}
-
-static void
-print_tos(u_int8_t tos, int numeric)
-{
- unsigned int i;
-
- if (!numeric) {
- for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
- if (TOS_values[i].TOS == tos) {
- printf("%s ", TOS_values[i].name);
- return;
- }
- }
- printf("0x%02x ", tos);
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_tos_target_info *tosinfo =
- (const struct ipt_tos_target_info *)target->data;
- printf("TOS set ");
- print_tos(tosinfo->tos, numeric);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_tos_target_info *tosinfo =
- (const struct ipt_tos_target_info *)target->data;
-
- printf("--set-tos 0x%02x ", tosinfo->tos);
-}
-
-static struct iptables_target tos = {
- .next = NULL,
- .name = "TOS",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_tos_target_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_tos_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_TOS_init(void)
-{
- register_target(&tos);
-}
diff --git a/extensions/libipt_TOS.man b/extensions/libipt_TOS.man
deleted file mode 100644
index c31b068..0000000
--- a/extensions/libipt_TOS.man
+++ /dev/null
@@ -1,11 +0,0 @@
-This is used to set the 8-bit Type of Service field in the IP header.
-It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--set-tos " "tos"
-You can use a numeric TOS values, or use
-.nf
- iptables -j TOS -h
-.fi
-to see the list of valid TOS names.
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c
deleted file mode 100644
index beafbe2..0000000
--- a/extensions/libipt_TTL.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/* Shared library add-on to iptables for the TTL target
- * (C) 2000 by Harald Welte <laforge@gnumonks.org>
- *
- * $Id: libipt_TTL.c 3507 2004-12-28 13:11:59Z /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=rusty/emailAddress=rusty@netfilter.org $
- *
- * This program is distributed under the terms of GNU GPL
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TTL.h>
-
-#define IPT_TTL_USED 1
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
-"TTL target v%s options\n"
-" --ttl-set value Set TTL to <value 0-255>\n"
-" --ttl-dec value Decrement TTL by <value 1-255>\n"
-" --ttl-inc value Increment TTL by <value 1-255>\n"
-, IPTABLES_VERSION);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_TTL_info *info = (struct ipt_TTL_info *) (*target)->data;
- unsigned int value;
-
- if (*flags & IPT_TTL_USED) {
- exit_error(PARAMETER_PROBLEM,
- "Can't specify TTL option twice");
- }
-
- if (!optarg)
- exit_error(PARAMETER_PROBLEM,
- "TTL: You must specify a value");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "TTL: unexpected `!'");
-
- if (string_to_number(optarg, 0, 255, &value) == -1)
- exit_error(PARAMETER_PROBLEM,
- "TTL: Expected value between 0 and 255");
-
- switch (c) {
-
- case '1':
- info->mode = IPT_TTL_SET;
- break;
-
- case '2':
- if (value == 0) {
- exit_error(PARAMETER_PROBLEM,
- "TTL: decreasing by 0?");
- }
-
- info->mode = IPT_TTL_DEC;
- break;
-
- case '3':
- if (value == 0) {
- exit_error(PARAMETER_PROBLEM,
- "TTL: increasing by 0?");
- }
-
- info->mode = IPT_TTL_INC;
- break;
-
- default:
- return 0;
-
- }
-
- info->ttl = value;
- *flags |= IPT_TTL_USED;
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!(flags & IPT_TTL_USED))
- exit_error(PARAMETER_PROBLEM,
- "TTL: You must specify an action");
-}
-
-static void save(const struct ipt_ip *ip,
- const struct ipt_entry_target *target)
-{
- const struct ipt_TTL_info *info =
- (struct ipt_TTL_info *) target->data;
-
- switch (info->mode) {
- case IPT_TTL_SET:
- printf("--ttl-set ");
- break;
- case IPT_TTL_DEC:
- printf("--ttl-dec ");
- break;
-
- case IPT_TTL_INC:
- printf("--ttl-inc ");
- break;
- }
- printf("%u ", info->ttl);
-}
-
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target, int numeric)
-{
- const struct ipt_TTL_info *info =
- (struct ipt_TTL_info *) target->data;
-
- printf("TTL ");
- switch (info->mode) {
- case IPT_TTL_SET:
- printf("set to ");
- break;
- case IPT_TTL_DEC:
- printf("decrement by ");
- break;
- case IPT_TTL_INC:
- printf("increment by ");
- break;
- }
- printf("%u ", info->ttl);
-}
-
-static struct option opts[] = {
- { "ttl-set", 1, 0, '1' },
- { "ttl-dec", 1, 0, '2' },
- { "ttl-inc", 1, 0, '3' },
- { 0 }
-};
-
-static struct iptables_target TTL = {
- .next = NULL,
- .name = "TTL",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_TTL_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_TTL_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_TTL_init(void)
-{
- register_target(&TTL);
-}
diff --git a/extensions/libipt_TTL.man b/extensions/libipt_TTL.man
deleted file mode 100644
index 97c46c4..0000000
--- a/extensions/libipt_TTL.man
+++ /dev/null
@@ -1,19 +0,0 @@
-This is used to modify the IPv4 TTL header field. The TTL field determines
-how many hops (routers) a packet can traverse until it's time to live is
-exceeded.
-.TP
-Setting or incrementing the TTL field can potentially be very dangerous,
-so it should be avoided at any cost.
-.TP
-.B Don't ever set or increment the value on packets that leave your local network!
-.B mangle
-table.
-.TP
-.BI "--ttl-set " "value"
-Set the TTL value to `value'.
-.TP
-.BI "--ttl-dec " "value"
-Decrement the TTL value `value' times.
-.TP
-.BI "--ttl-inc " "value"
-Increment the TTL value `value' times.
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
deleted file mode 100644
index a8546e0..0000000
--- a/extensions/libipt_ULOG.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/* Shared library add-on to iptables to add ULOG support.
- *
- * (C) 2000 by Harald Welte <laforge@gnumonks.org>
- *
- * multipart netlink support based on ideas by Sebastian Zander
- * <zander@fokus.gmd.de>
- *
- * This software is released under the terms of GNU GPL
- *
- * libipt_ULOG.c,v 1.7 2001/01/30 11:55:02 laforge Exp
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv4/ipt_ULOG.h"
-
-
-void print_groups(unsigned int gmask)
-{
- int b;
- unsigned int test;
-
- for (b = 31; b >= 0; b--) {
- test = (1 << b);
- if (gmask & test)
- printf("%d ", b + 1);
- }
-}
-
-/* Function which prints out usage message. */
-static void help(void)
-{
- printf("ULOG v%s options:\n"
- " --ulog-nlgroup nlgroup NETLINK group used for logging\n"
- " --ulog-cprange size Bytes of each packet to be passed\n"
- " --ulog-qthreshold Threshold of in-kernel queue\n"
- " --ulog-prefix prefix Prefix log messages with this prefix.\n\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {"ulog-nlgroup", 1, 0, '!'},
- {"ulog-prefix", 1, 0, '#'},
- {"ulog-cprange", 1, 0, 'A'},
- {"ulog-qthreshold", 1, 0, 'B'},
- {0}
-};
-
-/* Initialize the target. */
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) t->data;
-
- loginfo->nl_group = ULOG_DEFAULT_NLGROUP;
- loginfo->qthreshold = ULOG_DEFAULT_QTHRESHOLD;
-
-}
-
-#define IPT_LOG_OPT_NLGROUP 0x01
-#define IPT_LOG_OPT_PREFIX 0x02
-#define IPT_LOG_OPT_CPRANGE 0x04
-#define IPT_LOG_OPT_QTHRESHOLD 0x08
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_ulog_info *loginfo =
- (struct ipt_ulog_info *) (*target)->data;
- int group_d;
-
- switch (c) {
- case '!':
- if (*flags & IPT_LOG_OPT_NLGROUP)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ulog-nlgroup twice");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --ulog-nlgroup");
- group_d = atoi(optarg);
- if (group_d > 32 || group_d < 1)
- exit_error(PARAMETER_PROBLEM,
- "--ulog-nlgroup has to be between 1 and 32");
-
- loginfo->nl_group = (1 << (group_d - 1));
-
- *flags |= IPT_LOG_OPT_NLGROUP;
- break;
-
- case '#':
- if (*flags & IPT_LOG_OPT_PREFIX)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ulog-prefix twice");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --ulog-prefix");
-
- if (strlen(optarg) > sizeof(loginfo->prefix) - 1)
- exit_error(PARAMETER_PROBLEM,
- "Maximum prefix length %u for --ulog-prefix",
- (unsigned int)sizeof(loginfo->prefix) - 1);
-
- if (strlen(optarg) == 0)
- exit_error(PARAMETER_PROBLEM,
- "No prefix specified for --ulog-prefix");
-
- if (strlen(optarg) != strlen(strtok(optarg, "\n")))
- exit_error(PARAMETER_PROBLEM,
- "Newlines not allowed in --ulog-prefix");
-
- strcpy(loginfo->prefix, optarg);
- *flags |= IPT_LOG_OPT_PREFIX;
- break;
- case 'A':
- if (*flags & IPT_LOG_OPT_CPRANGE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ulog-cprange twice");
- if (atoi(optarg) < 0)
- exit_error(PARAMETER_PROBLEM,
- "Negative copy range?");
-#ifdef KERNEL_64_USERSPACE_32
- loginfo->copy_range = (unsigned long long)atoll(optarg);
-#else
- loginfo->copy_range = atoi(optarg);
-#endif
- *flags |= IPT_LOG_OPT_CPRANGE;
- break;
- case 'B':
- if (*flags & IPT_LOG_OPT_QTHRESHOLD)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ulog-qthreshold twice");
- if (atoi(optarg) < 1)
- exit_error(PARAMETER_PROBLEM,
- "Negative or zero queue threshold ?");
- if (atoi(optarg) > ULOG_MAX_QLEN)
- exit_error(PARAMETER_PROBLEM,
- "Maximum queue length exceeded");
-#ifdef KERNEL_64_USERSPACE_32
- loginfo->qthreshold = (unsigned long long)atoll(optarg);
-#else
- loginfo->qthreshold = atoi(optarg);
-#endif
- *flags |= IPT_LOG_OPT_QTHRESHOLD;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip,
- const struct ipt_entry_target *target)
-{
- const struct ipt_ulog_info *loginfo
- = (const struct ipt_ulog_info *) target->data;
-
- if (strcmp(loginfo->prefix, "") != 0)
- printf("--ulog-prefix \"%s\" ", loginfo->prefix);
-
- if (loginfo->nl_group != ULOG_DEFAULT_NLGROUP) {
- printf("--ulog-nlgroup ");
- print_groups(loginfo->nl_group);
- }
-#ifdef KERNEL_64_USERSPACE_32
- if (loginfo->copy_range)
- printf("--ulog-cprange %llu ", loginfo->copy_range);
-
- if (loginfo->qthreshold != ULOG_DEFAULT_QTHRESHOLD)
- printf("--ulog-qthreshold %llu ", loginfo->qthreshold);
-#else
- if (loginfo->copy_range)
- printf("--ulog-cprange %u ", (unsigned int)loginfo->copy_range);
-
- if (loginfo->qthreshold != ULOG_DEFAULT_QTHRESHOLD)
- printf("--ulog-qthreshold %u ", (unsigned int)loginfo->qthreshold);
-#endif
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target, int numeric)
-{
- const struct ipt_ulog_info *loginfo
- = (const struct ipt_ulog_info *) target->data;
-
- printf("ULOG ");
-#ifdef KERNEL_64_USERSPACE_32
- printf("copy_range %llu nlgroup ", loginfo->copy_range);
-#else
- printf("copy_range %u nlgroup ", (unsigned int)loginfo->copy_range);
-#endif
- print_groups(loginfo->nl_group);
- if (strcmp(loginfo->prefix, "") != 0)
- printf("prefix `%s' ", loginfo->prefix);
-#ifdef KERNEL_64_USERSPACE_32
- printf("queue_threshold %llu ", loginfo->qthreshold);
-#else
- printf("queue_threshold %u ", (unsigned int)loginfo->qthreshold);
-#endif
-}
-
-static struct iptables_target ulog = {
- .next = NULL,
- .name = "ULOG",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_ulog_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_ulog_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_ULOG_init(void)
-{
- register_target(&ulog);
-}
diff --git a/extensions/libipt_ULOG.man b/extensions/libipt_ULOG.man
deleted file mode 100644
index 51aa619..0000000
--- a/extensions/libipt_ULOG.man
+++ /dev/null
@@ -1,27 +0,0 @@
-This target provides userspace logging of matching packets. When this
-target is set for a rule, the Linux kernel will multicast this packet
-through a
-.IR netlink
-socket. One or more userspace processes may then subscribe to various
-multicast groups and receive the packets.
-Like LOG, this is a "non-terminating target", i.e. rule traversal
-continues at the next rule.
-.TP
-.BI "--ulog-nlgroup " "nlgroup"
-This specifies the netlink group (1-32) to which the packet is sent.
-Default value is 1.
-.TP
-.BI "--ulog-prefix " "prefix"
-Prefix log messages with the specified prefix; up to 32 characters
-long, and useful for distinguishing messages in the logs.
-.TP
-.BI "--ulog-cprange " "size"
-Number of bytes to be copied to userspace. A value of 0 always copies
-the entire packet, regardless of its size. Default is 0.
-.TP
-.BI "--ulog-qthreshold " "size"
-Number of packet to queue inside kernel. Setting this value to, e.g. 10
-accumulates ten packets inside the kernel and transmits them as one
-netlink multipart message to userspace. Default is 1 (for backwards
-compatibility).
-.br
diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
deleted file mode 100644
index 644e515..0000000
--- a/extensions/libipt_addrtype.c
+++ /dev/null
@@ -1,207 +0,0 @@
-/* Shared library add-on to iptables to add addrtype matching support
- *
- * This program is released under the terms of GNU GPL */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
-
-/* from linux/rtnetlink.h, must match order of enumeration */
-static char *rtn_names[] = {
- "UNSPEC",
- "UNICAST",
- "LOCAL",
- "BROADCAST",
- "ANYCAST",
- "MULTICAST",
- "BLACKHOLE",
- "UNREACHABLE",
- "PROHIBIT",
- "THROW",
- "NAT",
- "XRESOLVE",
- NULL
-};
-
-static void help_types(void)
-{
- int i;
-
- for (i = 0; rtn_names[i]; i++)
- printf(" %s\n", rtn_names[i]);
-}
-
-static void help(void)
-{
- printf(
-"Address type match v%s options:\n"
-" [!] --src-type type[,...] Match source address type\n"
-" [!] --dst-type type[,...] Match destination address type\n"
-"\n"
-"Valid types: \n"
-, IPTABLES_VERSION);
- help_types();
-}
-
-static int
-parse_type(const char *name, size_t strlen, u_int16_t *mask)
-{
- int i;
-
- for (i = 0; rtn_names[i]; i++)
- if (strncasecmp(name, rtn_names[i], strlen) == 0) {
- /* build up bitmask for kernel module */
- *mask |= (1 << i);
- return 1;
- }
-
- return 0;
-}
-
-static void parse_types(const char *arg, u_int16_t *mask)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_type(arg, comma-arg, mask))
- exit_error(PARAMETER_PROBLEM,
- "addrtype: bad type `%s'", arg);
- arg = comma + 1;
- }
-
- if (strlen(arg) == 0 || !parse_type(arg, strlen(arg), mask))
- exit_error(PARAMETER_PROBLEM, "addrtype: bad type `%s'", arg);
-}
-
-#define IPT_ADDRTYPE_OPT_SRCTYPE 0x1
-#define IPT_ADDRTYPE_OPT_DSTTYPE 0x2
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry, unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) (*match)->data;
-
- switch (c) {
- case '1':
- if (*flags&IPT_ADDRTYPE_OPT_SRCTYPE)
- exit_error(PARAMETER_PROBLEM,
- "addrtype: can't specify src-type twice");
- check_inverse(optarg, &invert, &optind, 0);
- parse_types(argv[optind-1], &info->source);
- if (invert)
- info->invert_source = 1;
- *flags |= IPT_ADDRTYPE_OPT_SRCTYPE;
- break;
- case '2':
- if (*flags&IPT_ADDRTYPE_OPT_DSTTYPE)
- exit_error(PARAMETER_PROBLEM,
- "addrtype: can't specify dst-type twice");
- check_inverse(optarg, &invert, &optind, 0);
- parse_types(argv[optind-1], &info->dest);
- if (invert)
- info->invert_dest = 1;
- *flags |= IPT_ADDRTYPE_OPT_DSTTYPE;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!(flags & (IPT_ADDRTYPE_OPT_SRCTYPE|IPT_ADDRTYPE_OPT_DSTTYPE)))
- exit_error(PARAMETER_PROBLEM,
- "addrtype: you must specify --src-type or --dst-type");
-}
-
-static void print_types(u_int16_t mask)
-{
- const char *sep = "";
- int i;
-
- for (i = 0; rtn_names[i]; i++)
- if (mask & (1 << i)) {
- printf("%s%s", sep, rtn_names[i]);
- sep = ",";
- }
-
- printf(" ");
-}
-
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) match->data;
-
- printf("ADDRTYPE match ");
- if (info->source) {
- printf("src-type ");
- if (info->invert_source)
- printf("!");
- print_types(info->source);
- }
- if (info->dest) {
- printf("dst-type ");
- if (info->invert_dest)
- printf("!");
- print_types(info->dest);
- }
-}
-
-static void save(const struct ipt_ip *ip,
- const struct ipt_entry_match *match)
-{
- const struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) match->data;
-
- if (info->source) {
- printf("--src-type ");
- if (info->invert_source)
- printf("! ");
- print_types(info->source);
- }
- if (info->dest) {
- printf("--dst-type ");
- if (info->invert_dest)
- printf("! ");
- print_types(info->dest);
- }
-}
-
-static struct option opts[] = {
- { "src-type", 1, 0, '1' },
- { "dst-type", 1, 0, '2' },
- { 0 }
-};
-
-static
-struct iptables_match addrtype = {
- .next = NULL,
- .name = "addrtype",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-
-void ipt_addrtype_init(void)
-{
- register_match(&addrtype);
-}
diff --git a/extensions/libipt_addrtype.man b/extensions/libipt_addrtype.man
deleted file mode 100644
index 2c3bbab..0000000
--- a/extensions/libipt_addrtype.man
+++ /dev/null
@@ -1,37 +0,0 @@
-This module matches packets based on their
-.B address type.
-Address types are used within the kernel networking stack and categorize
-addresses into various groups. The exact definition of that group depends on the specific layer three protocol.
-.TP
-The following address types are possible:
-.TP
-.BI "UNSPEC"
-an unspecified address (i.e. 0.0.0.0)
-.BI "UNICAST"
-an unicast address
-.BI "LOCAL"
-a local address
-.BI "BROADCAST"
-a broadcast address
-.BI "ANYCAST"
-an anycast packet
-.BI "MULTICAST"
-a multicast address
-.BI "BLACKHOLE"
-a blackhole address
-.BI "UNREACHABLE"
-an unreachable address
-.BI "PROHIBIT"
-a prohibited address
-.BI "THROW"
-FIXME
-.BI "NAT"
-FIXME
-.BI "XRESOLVE"
-FIXME
-.TP
-.BI "--src-type " "type"
-Matches if the source address is of given type
-.TP
-.BI "--dst-type " "type"
-Matches if the destination address is of given type
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c
deleted file mode 100644
index e04bbe5..0000000
--- a/extensions/libipt_ah.c
+++ /dev/null
@@ -1,190 +0,0 @@
-/* Shared library add-on to iptables to add AH support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <errno.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_ah.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"AH v%s options:\n"
-" --ahspi [!] spi[:spi]\n"
-" match spi (range)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "ahspi", 1, 0, '1' },
- {0}
-};
-
-static u_int32_t
-parse_ah_spi(const char *spistr)
-{
- unsigned long int spi;
- char* ep;
-
- spi = strtoul(spistr,&ep,0) ;
-
- if ( spistr == ep ) {
- exit_error(PARAMETER_PROBLEM,
- "AH no valid digits in spi `%s'", spistr);
- }
- if ( spi == ULONG_MAX && errno == ERANGE ) {
- exit_error(PARAMETER_PROBLEM,
- "spi `%s' specified too big: would overflow", spistr);
- }
- if ( *spistr != '\0' && *ep != '\0' ) {
- exit_error(PARAMETER_PROBLEM,
- "AH error parsing spi `%s'", spistr);
- }
- return (u_int32_t) spi;
-}
-
-static void
-parse_ah_spis(const char *spistring, u_int32_t *spis)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(spistring);
- if ((cp = strchr(buffer, ':')) == NULL)
- spis[0] = spis[1] = parse_ah_spi(buffer);
- else {
- *cp = '\0';
- cp++;
-
- spis[0] = buffer[0] ? parse_ah_spi(buffer) : 0;
- spis[1] = cp[0] ? parse_ah_spi(cp) : 0xFFFFFFFF;
- }
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_ah *ahinfo = (struct ipt_ah *)m->data;
-
- ahinfo->spis[1] = 0xFFFFFFFF;
-}
-
-#define AH_SPI 0x01
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_ah *ahinfo = (struct ipt_ah *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & AH_SPI)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--ahspi' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_ah_spis(argv[optind-1], ahinfo->spis);
- if (invert)
- ahinfo->invflags |= IPT_AH_INV_SPI;
- *flags |= AH_SPI;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static void
-print_spis(const char *name, u_int32_t min, u_int32_t max,
- int invert)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFFFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- printf("%u", min);
- } else {
- printf("s:%s", inv);
- printf("%u",min);
- printf(":");
- printf("%u",max);
- }
- printf(" ");
- }
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match, int numeric)
-{
- const struct ipt_ah *ah = (struct ipt_ah *)match->data;
-
- printf("ah ");
- print_spis("spi", ah->spis[0], ah->spis[1],
- ah->invflags & IPT_AH_INV_SPI);
- if (ah->invflags & ~IPT_AH_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- ah->invflags & ~IPT_AH_INV_MASK);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_ah *ahinfo = (struct ipt_ah *)match->data;
-
- if (!(ahinfo->spis[0] == 0
- && ahinfo->spis[1] == 0xFFFFFFFF)) {
- printf("--ahspi %s",
- (ahinfo->invflags & IPT_AH_INV_SPI) ? "! " : "");
- if (ahinfo->spis[0]
- != ahinfo->spis[1])
- printf("%u:%u ",
- ahinfo->spis[0],
- ahinfo->spis[1]);
- else
- printf("%u ",
- ahinfo->spis[0]);
- }
-
-}
-
-static struct iptables_match ah = {
- .next = NULL,
- .name = "ah",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_ah)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_ah)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-ipt_ah_init(void)
-{
- register_match(&ah);
-}
diff --git a/extensions/libipt_ah.man b/extensions/libipt_ah.man
deleted file mode 100644
index 7300c18..0000000
--- a/extensions/libipt_ah.man
+++ /dev/null
@@ -1,3 +0,0 @@
-This module matches the SPIs in Authentication header of IPsec packets.
-.TP
-.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
diff --git a/extensions/libipt_comment.c b/extensions/libipt_comment.c
deleted file mode 100644
index 405b7e2..0000000
--- a/extensions/libipt_comment.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/* Shared library add-on to iptables to add comment match support.
- *
- * ChangeLog
- * 2003-05-13: Brad Fisher <brad@info-link.net>
- * Initial comment match
- * 2004-05-12: Brad Fisher <brad@info-link.net>
- * Port to patch-o-matic-ng
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_comment.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
- "COMMENT match options:\n"
- "--comment COMMENT Attach a comment to a rule\n\n"
- );
-}
-
-static struct option opts[] = {
- { "comment", 1, 0, '1' },
- {0}
-};
-
-static void
-parse_comment(const char *s, struct ipt_comment_info *info)
-{
- int slen = strlen(s);
-
- if (slen >= IPT_MAX_COMMENT_LEN) {
- exit_error(PARAMETER_PROBLEM,
- "COMMENT must be shorter than %i characters", IPT_MAX_COMMENT_LEN);
- }
- strcpy((char *)info->comment, s);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_comment_info *commentinfo = (struct ipt_comment_info *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- if (invert) {
- exit_error(PARAMETER_PROBLEM,
- "Sorry, you can't have an inverted comment");
- }
- parse_comment(argv[optind-1], commentinfo);
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must have specified --comment. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "COMMENT match: You must specify `--comment'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_comment_info *commentinfo = (struct ipt_comment_info *)match->data;
-
- commentinfo->comment[IPT_MAX_COMMENT_LEN-1] = '\0';
- printf("/* %s */ ", commentinfo->comment);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_comment_info *commentinfo = (struct ipt_comment_info *)match->data;
-
- commentinfo->comment[IPT_MAX_COMMENT_LEN-1] = '\0';
- printf("--comment \"%s\" ", commentinfo->comment);
-}
-
-static struct iptables_match comment = {
- .next = NULL,
- .name = "comment",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_comment_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_comment_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_comment_init(void)
-{
- register_match(&comment);
-}
diff --git a/extensions/libipt_comment.man b/extensions/libipt_comment.man
deleted file mode 100644
index 2f4ce55..0000000
--- a/extensions/libipt_comment.man
+++ /dev/null
@@ -1,6 +0,0 @@
-Allows you to add comments (up to 256 characters) to any rule.
-.TP
-.BI "--comment " "comment"
-.TP
-Example:
-iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"
diff --git a/extensions/libipt_condition.c b/extensions/libipt_condition.c
deleted file mode 100644
index e91cb8e..0000000
--- a/extensions/libipt_condition.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/* Shared library add-on to iptables for condition match */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include<linux/netfilter_ipv4/ip_tables.h>
-#include<linux/netfilter_ipv4/ipt_condition.h>
-
-
-static void
-help(void)
-{
- printf("condition match v%s options:\n"
- "--condition [!] filename "
- "Match on boolean value stored in /proc file\n",
- IPTABLES_VERSION);
-}
-
-
-static struct option opts[] = {
- { .name = "condition", .has_arg = 1, .flag = 0, .val = 'X' },
- { .name = 0 }
-};
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry, unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct condition_info *info =
- (struct condition_info *) (*match)->data;
-
- if (c == 'X') {
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple conditions");
-
- check_inverse(optarg, &invert, &optind, 0);
-
- if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
- exit_error(PARAMETER_PROBLEM,
- "File name too long");
-
- info->invert = invert;
- *flags = 1;
- return 1;
- }
-
- return 0;
-}
-
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "Condition match: must specify --condition");
-}
-
-
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match, int numeric)
-{
- const struct condition_info *info =
- (const struct condition_info *) match->data;
-
- printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
-}
-
-
-static void
-save(const struct ipt_ip *ip,
- const struct ipt_entry_match *match)
-{
- const struct condition_info *info =
- (const struct condition_info *) match->data;
-
- printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
-}
-
-
-static struct iptables_match condition = {
- .name = "condition",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct condition_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct condition_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-
-void
-ipt_condition_init(void)
-{
- register_match(&condition);
-}
diff --git a/extensions/libipt_condition.man b/extensions/libipt_condition.man
deleted file mode 100644
index ce2aa95..0000000
--- a/extensions/libipt_condition.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BI "--condition " "[!] \fIfilename\fP"
-Match on boolean value stored in /proc/net/ipt_condition/filename file
diff --git a/extensions/libipt_connbytes.c b/extensions/libipt_connbytes.c
deleted file mode 100644
index fec4ce0..0000000
--- a/extensions/libipt_connbytes.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/* Shared library add-on to iptables to add byte tracking support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ipt_connbytes.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"connbytes v%s options:\n"
-" [!] --connbytes from:[to]\n"
-" --connbytes-dir [original, reply, both]\n"
-" --connbytes-mode [packets, bytes, avgpkt]\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "connbytes", 1, 0, '1' },
- { "connbytes-dir", 1, 0, '2' },
- { "connbytes-mode", 1, 0, '3' },
- {0}
-};
-
-static void
-parse_range(const char *arg, struct ipt_connbytes_info *si)
-{
- char *colon,*p;
-
- si->count.from = strtoul(arg,&colon,10);
- if (*colon != ':')
- exit_error(PARAMETER_PROBLEM, "Bad range `%s'", arg);
- si->count.to = strtoul(colon+1,&p,10);
- if (p == colon+1) {
- /* second number omited */
- si->count.to = 0xffffffff;
- }
- if (si->count.from > si->count.to)
- exit_error(PARAMETER_PROBLEM, "%llu should be less than %llu",
- si->count.from, si->count.to);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)(*match)->data;
- unsigned long i;
-
- switch (c) {
- case '1':
- if (check_inverse(optarg, &invert, &optind, 0))
- optind++;
-
- parse_range(argv[optind-1], sinfo);
- if (invert) {
- i = sinfo->count.from;
- sinfo->count.from = sinfo->count.to;
- sinfo->count.to = i;
- }
- *flags |= 1;
- break;
- case '2':
- if (!strcmp(optarg, "original"))
- sinfo->direction = IPT_CONNBYTES_DIR_ORIGINAL;
- else if (!strcmp(optarg, "reply"))
- sinfo->direction = IPT_CONNBYTES_DIR_REPLY;
- else if (!strcmp(optarg, "both"))
- sinfo->direction = IPT_CONNBYTES_DIR_BOTH;
- else
- exit_error(PARAMETER_PROBLEM,
- "Unknown --connbytes-dir `%s'", optarg);
-
- *flags |= 2;
- break;
- case '3':
- if (!strcmp(optarg, "packets"))
- sinfo->what = IPT_CONNBYTES_PKTS;
- else if (!strcmp(optarg, "bytes"))
- sinfo->what = IPT_CONNBYTES_BYTES;
- else if (!strcmp(optarg, "avgpkt"))
- sinfo->what = IPT_CONNBYTES_AVGPKT;
- else
- exit_error(PARAMETER_PROBLEM,
- "Unknown --connbytes-mode `%s'", optarg);
- *flags |= 4;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (flags != 7)
- exit_error(PARAMETER_PROBLEM, "You must specify `--connbytes'"
- "`--connbytes-dir' and `--connbytes-mode'");
-}
-
-static void print_mode(struct ipt_connbytes_info *sinfo)
-{
- switch (sinfo->what) {
- case IPT_CONNBYTES_PKTS:
- fputs("packets ", stdout);
- break;
- case IPT_CONNBYTES_BYTES:
- fputs("bytes ", stdout);
- break;
- case IPT_CONNBYTES_AVGPKT:
- fputs("avgpkt ", stdout);
- break;
- default:
- fputs("unknown ", stdout);
- break;
- }
-}
-
-static void print_direction(struct ipt_connbytes_info *sinfo)
-{
- switch (sinfo->direction) {
- case IPT_CONNBYTES_DIR_ORIGINAL:
- fputs("original ", stdout);
- break;
- case IPT_CONNBYTES_DIR_REPLY:
- fputs("reply ", stdout);
- break;
- case IPT_CONNBYTES_DIR_BOTH:
- fputs("both ", stdout);
- break;
- default:
- fputs("unknown ", stdout);
- break;
- }
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)match->data;
-
- if (sinfo->count.from > sinfo->count.to)
- printf("connbytes ! %llu:%llu ", sinfo->count.to,
- sinfo->count.from);
- else
- printf("connbytes %llu:%llu ",sinfo->count.from,
- sinfo->count.to);
-
- fputs("connbytes mode ", stdout);
- print_mode(sinfo);
-
- fputs("connbytes direction ", stdout);
- print_direction(sinfo);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)match->data;
-
- if (sinfo->count.from > sinfo->count.to)
- printf("! --connbytes %llu:%llu ", sinfo->count.to,
- sinfo->count.from);
- else
- printf("--connbytes %llu:%llu ", sinfo->count.from,
- sinfo->count.to);
-
- fputs("--connbytes-mode ", stdout);
- print_mode(sinfo);
-
- fputs("--connbytes-dir ", stdout);
- print_direction(sinfo);
-}
-
-static struct iptables_match state = {
- .next = NULL,
- .name = "connbytes",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_connbytes_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_connbytes_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_connbytes_init(void)
-{
- register_match(&state);
-}
diff --git a/extensions/libipt_connbytes.man b/extensions/libipt_connbytes.man
deleted file mode 100644
index ce7b665..0000000
--- a/extensions/libipt_connbytes.man
+++ /dev/null
@@ -1,30 +0,0 @@
-Match by how many bytes or packets a connection (or one of the two
-flows constituting the connection) have tranferred so far, or by
-average bytes per packet.
-
-The counters are 64bit and are thus not expected to overflow ;)
-
-The primary use is to detect long-lived downloads and mark them to be
-scheduled using a lower priority band in traffic control.
-
-The transfered bytes per connection can also be viewed through
-/proc/net/ip_conntrack and accessed via ctnetlink
-.TP
-[\fB!\fR]\fB --connbytes \fIfrom\fB:\fR[\fIto\fR]
-match packets from a connection whose packets/bytes/average packet
-size is more than FROM and less than TO bytes/packets. if TO is
-omitted only FROM check is done. "!" is used to match packets not
-falling in the range.
-.TP
-\fB--connbytes-dir\fR [\fBoriginal\fR|\fBreply\fR|\fBboth\fR]
-which packets to consider
-.TP
-\fB--connbytes-mode\fR [\fBpackets\fR|\fBbytes\fR|\fBavgpkt\fR]
-whether to check the amount of packets, number of bytes transferred or
-the average size (in bytes) of all packets received so far. Note that
-when "both" is used together with "avgpkt", and data is going (mainly)
-only in one direction (for example HTTP), the average packet size will
-be about half of the actual data packets.
-.TP
-Example:
-iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
diff --git a/extensions/libipt_connmark.man b/extensions/libipt_connmark.man
deleted file mode 100644
index a8e0600..0000000
--- a/extensions/libipt_connmark.man
+++ /dev/null
@@ -1,9 +0,0 @@
-This module matches the netfilter mark field associated with a connection
-(which can be set using the
-.B CONNMARK
-target below).
-.TP
-.BI "--mark " "value[/mask]"
-Matches packets in connections with the given mark value (if a mask is
-specified, this is logically ANDed with the mark before the
-comparison).
diff --git a/extensions/libipt_connrate.c b/extensions/libipt_connrate.c
deleted file mode 100644
index fbb18ec..0000000
--- a/extensions/libipt_connrate.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/* Shared library add-on to iptables to add connection rate tracking
- * support.
- *
- * Copyright (c) 2004 Nuutti Kotivuori <naked@iki.fi>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- **/
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ipt_connrate.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"connrate v%s options:\n"
-" --connrate [!] [from]:[to]\n"
-" Match connection transfer rate in bytes\n"
-" per second. `inf' can be used for maximum\n"
-" expressible value.\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "connrate", 1, 0, '1' },
- {0}
-};
-
-static u_int32_t
-parse_value(const char *arg, u_int32_t def)
-{
- char *end;
- size_t len;
- u_int32_t value;
-
- len = strlen(arg);
- if(len == 0)
- return def;
- if(strcmp(arg, "inf") == 0)
- return 0xFFFFFFFF;
- value = strtoul(arg, &end, 0);
- if(*end != '\0')
- exit_error(PARAMETER_PROBLEM,
- "Bad value in range `%s'", arg);
- return value;
-}
-
-static void
-parse_range(const char *arg, struct ipt_connrate_info *si)
-{
- char *buffer;
- char *colon;
-
- buffer = strdup(arg);
- if ((colon = strchr(buffer, ':')) == NULL)
- exit_error(PARAMETER_PROBLEM, "Bad range `%s'", arg);
- *colon = '\0';
- si->from = parse_value(buffer, 0);
- si->to = parse_value(colon+1, 0xFFFFFFFF);
- if (si->from > si->to)
- exit_error(PARAMETER_PROBLEM, "%u should be less than %u", si->from,si->to);
- free(buffer);
-}
-
-#define CONNRATE_OPT 0x01
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_connrate_info *sinfo = (struct ipt_connrate_info *)(*match)->data;
- u_int32_t tmp;
-
- switch (c) {
- case '1':
- if (*flags & CONNRATE_OPT)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--connrate' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_range(argv[optind-1], sinfo);
- if (invert) {
- tmp = sinfo->from;
- sinfo->from = sinfo->to;
- sinfo->to = tmp;
- }
- *flags |= CONNRATE_OPT;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!(flags & CONNRATE_OPT))
- exit_error(PARAMETER_PROBLEM,
- "connrate match: You must specify `--connrate'");
-}
-
-static void
-print_value(u_int32_t value)
-{
- if(value == 0xFFFFFFFF)
- printf("inf");
- else
- printf("%u", value);
-}
-
-static void
-print_range(struct ipt_connrate_info *sinfo)
-{
- if (sinfo->from > sinfo->to) {
- printf("! ");
- print_value(sinfo->to);
- printf(":");
- print_value(sinfo->from);
- } else {
- print_value(sinfo->from);
- printf(":");
- print_value(sinfo->to);
- }
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_connrate_info *sinfo = (struct ipt_connrate_info *)match->data;
-
- printf("connrate ");
- print_range(sinfo);
- printf(" ");
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_connrate_info *sinfo = (struct ipt_connrate_info *)match->data;
-
- printf("--connrate ");
- print_range(sinfo);
- printf(" ");
-}
-
-static struct iptables_match state = {
- .next = NULL,
- .name = "connrate",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_connrate_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_connrate_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_connrate_init(void)
-{
- register_match(&state);
-}
diff --git a/extensions/libipt_connrate.man b/extensions/libipt_connrate.man
deleted file mode 100644
index 45cba9d..0000000
--- a/extensions/libipt_connrate.man
+++ /dev/null
@@ -1,6 +0,0 @@
-This module matches the current transfer rate in a connection.
-.TP
-.BI "--connrate " "[!] [\fIfrom\fP]:[\fIto\fP]"
-Match against the current connection transfer rate being within 'from'
-and 'to' bytes per second. When the "!" argument is used before the
-range, the sense of the match is inverted.
diff --git a/extensions/libipt_conntrack.c b/extensions/libipt_conntrack.c
deleted file mode 100644
index e26b523..0000000
--- a/extensions/libipt_conntrack.c
+++ /dev/null
@@ -1,550 +0,0 @@
-/* Shared library add-on to iptables for conntrack matching support.
- * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv4/ipt_conntrack.h"
-
-#ifndef IPT_CONNTRACK_STATE_UNTRACKED
-#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"conntrack match v%s options:\n"
-" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]\n"
-" State(s) to match\n"
-" [!] --ctproto proto Protocol to match; by number or name, eg. `tcp'\n"
-" --ctorigsrc [!] address[/mask]\n"
-" Original source specification\n"
-" --ctorigdst [!] address[/mask]\n"
-" Original destination specification\n"
-" --ctreplsrc [!] address[/mask]\n"
-" Reply source specification\n"
-" --ctrepldst [!] address[/mask]\n"
-" Reply destination specification\n"
-" [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]\n"
-" Status(es) to match\n"
-" [!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
-" value or range of values (inclusive)\n"
-"\n", IPTABLES_VERSION);
-}
-
-
-
-static struct option opts[] = {
- { "ctstate", 1, 0, '1' },
- { "ctproto", 1, 0, '2' },
- { "ctorigsrc", 1, 0, '3' },
- { "ctorigdst", 1, 0, '4' },
- { "ctreplsrc", 1, 0, '5' },
- { "ctrepldst", 1, 0, '6' },
- { "ctstatus", 1, 0, '7' },
- { "ctexpire", 1, 0, '8' },
- {0}
-};
-
-static int
-parse_state(const char *state, size_t strlen, struct ipt_conntrack_info *sinfo)
-{
- if (strncasecmp(state, "INVALID", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_UNTRACKED;
- else if (strncasecmp(state, "SNAT", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_SNAT;
- else if (strncasecmp(state, "DNAT", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_DNAT;
- else
- return 0;
- return 1;
-}
-
-static void
-parse_states(const char *arg, struct ipt_conntrack_info *sinfo)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_state(arg, comma-arg, sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
- arg = comma+1;
- }
-
- if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
-}
-
-static int
-parse_status(const char *status, size_t strlen, struct ipt_conntrack_info *sinfo)
-{
- if (strncasecmp(status, "NONE", strlen) == 0)
- sinfo->statusmask |= 0;
- else if (strncasecmp(status, "EXPECTED", strlen) == 0)
- sinfo->statusmask |= IPS_EXPECTED;
- else if (strncasecmp(status, "SEEN_REPLY", strlen) == 0)
- sinfo->statusmask |= IPS_SEEN_REPLY;
- else if (strncasecmp(status, "ASSURED", strlen) == 0)
- sinfo->statusmask |= IPS_ASSURED;
-#ifdef IPS_CONFIRMED
- else if (strncasecmp(status, "CONFIRMED", strlen) == 0)
- sinfo->stausmask |= IPS_CONFIRMED;
-#endif
- else
- return 0;
- return 1;
-}
-
-static void
-parse_statuses(const char *arg, struct ipt_conntrack_info *sinfo)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_status(arg, comma-arg, sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
- arg = comma+1;
- }
-
- if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
-}
-
-#ifdef KERNEL_64_USERSPACE_32
-static unsigned long long
-parse_expire(const char *s)
-{
- unsigned long long len;
-
- if (string_to_number_ll(s, 0, 0, &len) == -1)
- exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
- else
- return len;
-}
-#else
-static unsigned long
-parse_expire(const char *s)
-{
- unsigned int len;
-
- if (string_to_number(s, 0, 0, &len) == -1)
- exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
- else
- return len;
-}
-#endif
-
-/* If a single value is provided, min and max are both set to the value */
-static void
-parse_expires(const char *s, struct ipt_conntrack_info *sinfo)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(s);
- if ((cp = strchr(buffer, ':')) == NULL)
- sinfo->expires_min = sinfo->expires_max = parse_expire(buffer);
- else {
- *cp = '\0';
- cp++;
-
- sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
- sinfo->expires_max = cp[0] ? parse_expire(cp) : -1;
- }
- free(buffer);
-
- if (sinfo->expires_min > sinfo->expires_max)
- exit_error(PARAMETER_PROBLEM,
-#ifdef KERNEL_64_USERSPACE_32
- "expire min. range value `%llu' greater than max. "
- "range value `%llu'", sinfo->expires_min, sinfo->expires_max);
-#else
- "expire min. range value `%lu' greater than max. "
- "range value `%lu'", sinfo->expires_min, sinfo->expires_max);
-#endif
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_conntrack_info *sinfo = (struct ipt_conntrack_info *)(*match)->data;
- char *protocol = NULL;
- unsigned int naddrs = 0;
- struct in_addr *addrs = NULL;
-
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_states(argv[optind-1], sinfo);
- if (invert) {
- sinfo->invflags |= IPT_CONNTRACK_STATE;
- }
- sinfo->flags |= IPT_CONNTRACK_STATE;
- break;
-
- case '2':
- check_inverse(optarg, &invert, &optind, 0);
-
- if(invert)
- sinfo->invflags |= IPT_CONNTRACK_PROTO;
-
- /* Canonicalize into lower case */
- for (protocol = argv[optind-1]; *protocol; protocol++)
- *protocol = tolower(*protocol);
-
- protocol = argv[optind-1];
- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = parse_protocol(protocol);
-
- if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
- && (sinfo->invflags & IPT_INV_PROTO))
- exit_error(PARAMETER_PROBLEM,
- "rule would never match protocol");
-
- sinfo->flags |= IPT_CONNTRACK_PROTO;
- break;
-
- case '3':
- check_inverse(optarg, &invert, &optind, 9);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_ORIGSRC;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_ORIGSRC;
- break;
-
- case '4':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_ORIGDST;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_ORIGDST;
- break;
-
- case '5':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_REPLSRC;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->sipmsk[IP_CT_DIR_REPLY],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_REPLSRC;
- break;
-
- case '6':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_REPLDST;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->dipmsk[IP_CT_DIR_REPLY],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_REPLDST;
- break;
-
- case '7':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_statuses(argv[optind-1], sinfo);
- if (invert) {
- sinfo->invflags |= IPT_CONNTRACK_STATUS;
- }
- sinfo->flags |= IPT_CONNTRACK_STATUS;
- break;
-
- case '8':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_expires(argv[optind-1], sinfo);
- if (invert) {
- sinfo->invflags |= IPT_CONNTRACK_EXPIRES;
- }
- sinfo->flags |= IPT_CONNTRACK_EXPIRES;
- break;
-
- default:
- return 0;
- }
-
- *flags = sinfo->flags;
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "You must specify one or more options");
-}
-
-static void
-print_state(unsigned int statemask)
-{
- const char *sep = "";
-
- if (statemask & IPT_CONNTRACK_STATE_INVALID) {
- printf("%sINVALID", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
- printf("%sNEW", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
- printf("%sRELATED", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
- printf("%sESTABLISHED", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_UNTRACKED) {
- printf("%sUNTRACKED", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_SNAT) {
- printf("%sSNAT", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_DNAT) {
- printf("%sDNAT", sep);
- sep = ",";
- }
- printf(" ");
-}
-
-static void
-print_status(unsigned int statusmask)
-{
- const char *sep = "";
-
- if (statusmask & IPS_EXPECTED) {
- printf("%sEXPECTED", sep);
- sep = ",";
- }
- if (statusmask & IPS_SEEN_REPLY) {
- printf("%sSEEN_REPLY", sep);
- sep = ",";
- }
- if (statusmask & IPS_ASSURED) {
- printf("%sASSURED", sep);
- sep = ",";
- }
-#ifdef IPS_CONFIRMED
- if (statusmask & IPS_CONFIRMED) {
- printf("%sCONFIRMED", sep);
- sep =",";
- }
-#endif
- if (statusmask == 0) {
- printf("%sNONE", sep);
- sep = ",";
- }
- printf(" ");
-}
-
-static void
-print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric)
-{
- char buf[BUFSIZ];
-
- if (inv)
- printf("! ");
-
- if (mask->s_addr == 0L && !numeric)
- printf("%s ", "anywhere");
- else {
- if (numeric)
- sprintf(buf, "%s", addr_to_dotted(addr));
- else
- sprintf(buf, "%s", addr_to_anyname(addr));
- strcat(buf, mask_to_dotted(mask));
- printf("%s ", buf);
- }
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void
-matchinfo_print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric, const char *optpfx)
-{
- struct ipt_conntrack_info *sinfo = (struct ipt_conntrack_info *)match->data;
-
- if(sinfo->flags & IPT_CONNTRACK_STATE) {
- printf("%sctstate ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_STATE)
- printf("! ");
- print_state(sinfo->statemask);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_PROTO) {
- printf("%sctproto ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_PROTO)
- printf("! ");
- printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_ORIGSRC) {
- printf("%sctorigsrc ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
- &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
- sinfo->invflags & IPT_CONNTRACK_ORIGSRC,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_ORIGDST) {
- printf("%sctorigdst ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
- &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
- sinfo->invflags & IPT_CONNTRACK_ORIGDST,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_REPLSRC) {
- printf("%sctreplsrc ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
- &sinfo->sipmsk[IP_CT_DIR_REPLY],
- sinfo->invflags & IPT_CONNTRACK_REPLSRC,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_REPLDST) {
- printf("%sctrepldst ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
- &sinfo->dipmsk[IP_CT_DIR_REPLY],
- sinfo->invflags & IPT_CONNTRACK_REPLDST,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_STATUS) {
- printf("%sctstatus ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_STATUS)
- printf("! ");
- print_status(sinfo->statusmask);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_EXPIRES) {
- printf("%sctexpire ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_EXPIRES)
- printf("! ");
-
-#ifdef KERNEL_64_USERSPACE_32
- if (sinfo->expires_max == sinfo->expires_min)
- printf("%llu ", sinfo->expires_min);
- else
- printf("%llu:%llu ", sinfo->expires_min, sinfo->expires_max);
-#else
- if (sinfo->expires_max == sinfo->expires_min)
- printf("%lu ", sinfo->expires_min);
- else
- printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max);
-#endif
- }
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- matchinfo_print(ip, match, numeric, "");
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- matchinfo_print(ip, match, 1, "--");
-}
-
-static struct iptables_match conntrack = {
- .next = NULL,
- .name = "conntrack",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_conntrack_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_conntrack_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_conntrack_init(void)
-{
- register_match(&conntrack);
-}
diff --git a/extensions/libipt_conntrack.man b/extensions/libipt_conntrack.man
deleted file mode 100644
index b732b28..0000000
--- a/extensions/libipt_conntrack.man
+++ /dev/null
@@ -1,49 +0,0 @@
-This module, when combined with connection tracking, allows access to
-more connection tracking information than the "state" match.
-(this module is present only if iptables was compiled under a kernel
-supporting this feature)
-.TP
-.BI "--ctstate " "state"
-Where state is a comma separated list of the connection states to
-match. Possible states are
-.B INVALID
-meaning that the packet is associated with no known connection,
-.B ESTABLISHED
-meaning that the packet is associated with a connection which has seen
-packets in both directions,
-.B NEW
-meaning that the packet has started a new connection, or otherwise
-associated with a connection which has not seen packets in both
-directions, and
-.B RELATED
-meaning that the packet is starting a new connection, but is
-associated with an existing connection, such as an FTP data transfer,
-or an ICMP error.
-.B SNAT
-A virtual state, matching if the original source address differs from
-the reply destination.
-.B DNAT
-A virtual state, matching if the original destination differs from the
-reply source.
-.TP
-.BI "--ctproto " "proto"
-Protocol to match (by number or name)
-.TP
-.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against original source address
-.TP
-.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against original destination address
-.TP
-.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against reply source address
-.TP
-.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
-Match against reply destination address
-.TP
-.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
-Match against internal conntrack states
-.TP
-.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
-Match remaining lifetime in seconds against given value
-or range of values (inclusive)
diff --git a/extensions/libipt_dccp.c b/extensions/libipt_dccp.c
deleted file mode 100644
index 9770639..0000000
--- a/extensions/libipt_dccp.c
+++ /dev/null
@@ -1,374 +0,0 @@
-/* Shared library add-on to iptables for DCCP matching
- *
- * (C) 2005 by Harald Welte <laforge@netfilter.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <netdb.h>
-#include <ctype.h>
-
-#include <iptables.h>
-#include <linux/dccp.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_dccp.h>
-
-#if 0
-#define DEBUGP(format, first...) printf(format, ##first)
-#define static
-#else
-#define DEBUGP(format, fist...)
-#endif
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m,
- unsigned int *nfcache)
-{
- struct ipt_dccp_info *einfo = (struct ipt_dccp_info *)m->data;
-
- memset(einfo, 0, sizeof(struct ipt_dccp_info));
-}
-
-static void help(void)
-{
- printf(
-"DCCP match v%s options\n"
-" --source-port [!] port[:port] match source port(s)\n"
-" --sport ...\n"
-" --destination-port [!] port[:port] match destination port(s)\n"
-" --dport ...\n"
-,
- IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "source-port", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "sport", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "destination-port", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "dport", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "dccp-types", .has_arg = 1, .flag = 0, .val = '3' },
- { .name = "dccp-option", .has_arg = 1, .flag = 0, .val = '4' },
- { .name = 0 }
-};
-
-static void
-parse_dccp_ports(const char *portstring,
- u_int16_t *ports)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(portstring);
- DEBUGP("%s\n", portstring);
- if ((cp = strchr(buffer, ':')) == NULL) {
- ports[0] = ports[1] = parse_port(buffer, "dccp");
- }
- else {
- *cp = '\0';
- cp++;
-
- ports[0] = buffer[0] ? parse_port(buffer, "dccp") : 0;
- ports[1] = cp[0] ? parse_port(cp, "dccp") : 0xFFFF;
-
- if (ports[0] > ports[1])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange (min > max)");
- }
- free(buffer);
-}
-
-static char *dccp_pkt_types[] = {
- [DCCP_PKT_REQUEST] = "REQUEST",
- [DCCP_PKT_RESPONSE] = "RESPONSE",
- [DCCP_PKT_DATA] = "DATA",
- [DCCP_PKT_ACK] = "ACK",
- [DCCP_PKT_DATAACK] = "DATAACK",
- [DCCP_PKT_CLOSEREQ] = "CLOSEREQ",
- [DCCP_PKT_CLOSE] = "CLOSE",
- [DCCP_PKT_RESET] = "RESET",
- [DCCP_PKT_SYNC] = "SYNC",
- [DCCP_PKT_SYNCACK] = "SYNCACK",
- [DCCP_PKT_INVALID] = "INVALID",
-};
-
-static u_int16_t
-parse_dccp_types(const char *typestring)
-{
- u_int16_t typemask = 0;
- char *ptr, *buffer;
-
- buffer = strdup(typestring);
-
- for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
- unsigned int i;
- for (i = 0; i < sizeof(dccp_pkt_types)/sizeof(char *); i++) {
- if (!strcasecmp(dccp_pkt_types[i], ptr)) {
- typemask |= (1 << i);
- break;
- }
- }
- if (i == sizeof(dccp_pkt_types)/sizeof(char *))
- exit_error(PARAMETER_PROBLEM,
- "Unknown DCCP type `%s'", ptr);
- }
-
- free(buffer);
- return typemask;
-}
-
-static u_int8_t parse_dccp_option(char *optstring)
-{
- unsigned int ret;
-
- if (string_to_number(optstring, 1, 255, &ret) == -1)
- exit_error(PARAMETER_PROBLEM, "Bad DCCP option `%s'",
- optstring);
-
- return (u_int8_t)ret;
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_dccp_info *einfo
- = (struct ipt_dccp_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IPT_DCCP_SRC_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--source-port' allowed");
- einfo->flags |= IPT_DCCP_SRC_PORTS;
- check_inverse(optarg, &invert, &optind, 0);
- parse_dccp_ports(argv[optind-1], einfo->spts);
- if (invert)
- einfo->invflags |= IPT_DCCP_SRC_PORTS;
- *flags |= IPT_DCCP_SRC_PORTS;
- break;
-
- case '2':
- if (*flags & IPT_DCCP_DEST_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--destination-port' allowed");
- einfo->flags |= IPT_DCCP_DEST_PORTS;
- check_inverse(optarg, &invert, &optind, 0);
- parse_dccp_ports(argv[optind-1], einfo->dpts);
- if (invert)
- einfo->invflags |= IPT_DCCP_DEST_PORTS;
- *flags |= IPT_DCCP_DEST_PORTS;
- break;
-
- case '3':
- if (*flags & IPT_DCCP_TYPE)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--dccp-types' allowed");
- einfo->flags |= IPT_DCCP_TYPE;
- check_inverse(optarg, &invert, &optind, 0);
- einfo->typemask = parse_dccp_types(argv[optind-1]);
- if (invert)
- einfo->invflags |= IPT_DCCP_TYPE;
- *flags |= IPT_DCCP_TYPE;
- break;
-
- case '4':
- if (*flags & IPT_DCCP_OPTION)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--dccp-option' allowed");
- einfo->flags |= IPT_DCCP_OPTION;
- check_inverse(optarg, &invert, &optind, 0);
- einfo->option = parse_dccp_option(argv[optind-1]);
- if (invert)
- einfo->invflags |= IPT_DCCP_OPTION;
- *flags |= IPT_DCCP_OPTION;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-static char *
-port_to_service(int port)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port), "dccp")))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-static void
-print_ports(const char *name, u_int16_t min, u_int16_t max,
- int invert, int numeric)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- print_port(min, numeric);
- } else {
- printf("s:%s", inv);
- print_port(min, numeric);
- printf(":");
- print_port(max, numeric);
- }
- printf(" ");
- }
-}
-
-static void
-print_types(u_int16_t types, int inverted, int numeric)
-{
- int have_type = 0;
-
- if (inverted)
- printf("! ");
-
- while (types) {
- unsigned int i;
-
- for (i = 0; !(types & (1 << i)); i++);
-
- if (have_type)
- printf(",");
- else
- have_type = 1;
-
- if (numeric)
- printf("%u", i);
- else
- printf("%s", dccp_pkt_types[i]);
-
- types &= ~(1 << i);
- }
-}
-
-static void
-print_option(u_int8_t option, int invert, int numeric)
-{
- if (option || invert)
- printf("option=%s%u ", invert ? "!" : "", option);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_dccp_info *einfo =
- (const struct ipt_dccp_info *)match->data;
-
- printf("dccp ");
-
- if (einfo->flags & IPT_DCCP_SRC_PORTS) {
- print_ports("spt", einfo->spts[0], einfo->spts[1],
- einfo->invflags & IPT_DCCP_SRC_PORTS,
- numeric);
- }
-
- if (einfo->flags & IPT_DCCP_DEST_PORTS) {
- print_ports("dpt", einfo->dpts[0], einfo->dpts[1],
- einfo->invflags & IPT_DCCP_DEST_PORTS,
- numeric);
- }
-
- if (einfo->flags & IPT_DCCP_TYPE) {
- print_types(einfo->typemask,
- einfo->invflags & IPT_DCCP_TYPE,
- numeric);
- }
-
- if (einfo->flags & IPT_DCCP_OPTION) {
- print_option(einfo->option,
- einfo->invflags & IPT_DCCP_OPTION, numeric);
- }
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip,
- const struct ipt_entry_match *match)
-{
- const struct ipt_dccp_info *einfo =
- (const struct ipt_dccp_info *)match->data;
-
- if (einfo->flags & IPT_DCCP_SRC_PORTS) {
- if (einfo->invflags & IPT_DCCP_SRC_PORTS)
- printf("! ");
- if (einfo->spts[0] != einfo->spts[1])
- printf("--sport %u:%u ",
- einfo->spts[0], einfo->spts[1]);
- else
- printf("--sport %u ", einfo->spts[0]);
- }
-
- if (einfo->flags & IPT_DCCP_DEST_PORTS) {
- if (einfo->invflags & IPT_DCCP_DEST_PORTS)
- printf("! ");
- if (einfo->dpts[0] != einfo->dpts[1])
- printf("--dport %u:%u ",
- einfo->dpts[0], einfo->dpts[1]);
- else
- printf("--dport %u ", einfo->dpts[0]);
- }
-
- if (einfo->flags & IPT_DCCP_TYPE) {
- printf("--dccp-type ");
- print_types(einfo->typemask, einfo->invflags & IPT_DCCP_TYPE,0);
- }
-
- if (einfo->flags & IPT_DCCP_OPTION) {
- printf("--dccp-option %s%u ",
- einfo->typemask & IPT_DCCP_OPTION ? "! " : "",
- einfo->option);
- }
-}
-
-static
-struct iptables_match dccp
-= { .name = "dccp",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_dccp_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_dccp_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_dccp_init(void)
-{
- register_match(&dccp);
-}
-
diff --git a/extensions/libipt_dccp.man b/extensions/libipt_dccp.man
deleted file mode 100644
index 6443ec3..0000000
--- a/extensions/libipt_dccp.man
+++ /dev/null
@@ -1,12 +0,0 @@
-.TP
-\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
-.TP
-\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
-.TP
-\fB--dccp-types\fR [\fB!\fR] \fImask\fP
-Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
-list of packet types. Packet types are:
-.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
-.TP
-\fB--dccp-option\fR [\fB!\fR\] \fInumber\fP
-Match if DCP option set.
diff --git a/extensions/libipt_dscp.man b/extensions/libipt_dscp.man
deleted file mode 100644
index 4a84210..0000000
--- a/extensions/libipt_dscp.man
+++ /dev/null
@@ -1,10 +0,0 @@
-This module matches the 6 bit DSCP field within the TOS field in the
-IP header. DSCP has superseded TOS within the IETF.
-.TP
-.BI "--dscp " "value"
-Match against a numeric (decimal or hex) value [0-32].
-.TP
-.BI "--dscp-class " "\fIDiffServ Class\fP"
-Match the DiffServ class. This value may be any of the
-BE, EF, AFxx or CSx classes. It will then be converted
-into it's according numeric value.
diff --git a/extensions/libipt_dscp_helper.c b/extensions/libipt_dscp_helper.c
deleted file mode 100644
index 31adb6c..0000000
--- a/extensions/libipt_dscp_helper.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * DiffServ classname <-> DiffServ codepoint mapping functions.
- *
- * The latest list of the mappings can be found at:
- * <http://www.iana.org/assignments/dscp-registry>
- *
- * This code is released under the GNU GPL v2, 1991
- *
- * Author: Iain Barnes
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <iptables_common.h>
-
-
-
-static struct ds_class
-{
- const char *name;
- unsigned int dscp;
-} ds_classes[] =
-{
- { "CS0", 0x00 },
- { "CS1", 0x08 },
- { "CS2", 0x10 },
- { "CS3", 0x18 },
- { "CS4", 0x20 },
- { "CS5", 0x28 },
- { "CS6", 0x30 },
- { "CS7", 0x38 },
- { "BE", 0x00 },
- { "AF11", 0x0a },
- { "AF12", 0x0c },
- { "AF13", 0x0e },
- { "AF21", 0x12 },
- { "AF22", 0x14 },
- { "AF23", 0x16 },
- { "AF31", 0x1a },
- { "AF32", 0x1c },
- { "AF33", 0x1e },
- { "AF41", 0x22 },
- { "AF42", 0x24 },
- { "AF43", 0x26 },
- { "EF", 0x2e }
-};
-
-
-
-static unsigned int
-class_to_dscp(const char *name)
-{
- int i;
-
- for (i = 0; i < sizeof(ds_classes) / sizeof(struct ds_class); i++) {
- if (!strncasecmp(name, ds_classes[i].name,
- strlen(ds_classes[i].name)))
- return ds_classes[i].dscp;
- }
-
- exit_error(PARAMETER_PROBLEM,
- "Invalid DSCP value `%s'\n", name);
-}
-
-
-#if 0
-static const char *
-dscp_to_name(unsigned int dscp)
-{
- int i;
-
- for (i = 0; i < sizeof(ds_classes) / sizeof(struct ds_class); i++) {
- if (dscp == ds_classes[i].dscp)
- return ds_classes[i].name;
- }
-
-
- exit_error(PARAMETER_PROBLEM,
- "Invalid DSCP value `%d'\n", dscp);
-}
-#endif
-
diff --git a/extensions/libipt_ecn.man b/extensions/libipt_ecn.man
deleted file mode 100644
index 8ecfef5..0000000
--- a/extensions/libipt_ecn.man
+++ /dev/null
@@ -1,11 +0,0 @@
-This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
-.TP
-.BI "--ecn-tcp-cwr"
-This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
-.TP
-.BI "--ecn-tcp-ece"
-This matches if the TCP ECN ECE (ECN Echo) bit is set.
-.TP
-.BI "--ecn-ip-ect " "num"
-This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify
-a number between `0' and `3'.
diff --git a/extensions/libipt_esp.c b/extensions/libipt_esp.c
deleted file mode 100644
index d75a407..0000000
--- a/extensions/libipt_esp.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/* Shared library add-on to iptables to add ESP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <errno.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_esp.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"ESP v%s options:\n"
-" --espspi [!] spi[:spi]\n"
-" match spi (range)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "espspi", 1, 0, '1' },
- {0}
-};
-
-static u_int32_t
-parse_esp_spi(const char *spistr)
-{
- unsigned long int spi;
- char* ep;
-
- spi = strtoul(spistr,&ep,0) ;
-
- if ( spistr == ep ) {
- exit_error(PARAMETER_PROBLEM,
- "ESP no valid digits in spi `%s'", spistr);
- }
- if ( spi == ULONG_MAX && errno == ERANGE ) {
- exit_error(PARAMETER_PROBLEM,
- "spi `%s' specified too big: would overflow", spistr);
- }
- if ( *spistr != '\0' && *ep != '\0' ) {
- exit_error(PARAMETER_PROBLEM,
- "ESP error parsing spi `%s'", spistr);
- }
- return (u_int32_t) spi;
-}
-
-static void
-parse_esp_spis(const char *spistring, u_int32_t *spis)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(spistring);
- if ((cp = strchr(buffer, ':')) == NULL)
- spis[0] = spis[1] = parse_esp_spi(buffer);
- else {
- *cp = '\0';
- cp++;
-
- spis[0] = buffer[0] ? parse_esp_spi(buffer) : 0;
- spis[1] = cp[0] ? parse_esp_spi(cp) : 0xFFFFFFFF;
- if (spis[0] > spis[1])
- exit_error(PARAMETER_PROBLEM,
- "Invalid ESP spi range: %s", spistring);
- }
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_esp *espinfo = (struct ipt_esp *)m->data;
-
- espinfo->spis[1] = 0xFFFFFFFF;
-}
-
-#define ESP_SPI 0x01
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_esp *espinfo = (struct ipt_esp *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & ESP_SPI)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--espspi' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_esp_spis(argv[optind-1], espinfo->spis);
- if (invert)
- espinfo->invflags |= IPT_ESP_INV_SPI;
- *flags |= ESP_SPI;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static void
-print_spis(const char *name, u_int32_t min, u_int32_t max,
- int invert)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFFFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- printf("%u", min);
- } else {
- printf("s:%s", inv);
- printf("%u",min);
- printf(":");
- printf("%u",max);
- }
- printf(" ");
- }
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match, int numeric)
-{
- const struct ipt_esp *esp = (struct ipt_esp *)match->data;
-
- printf("esp ");
- print_spis("spi", esp->spis[0], esp->spis[1],
- esp->invflags & IPT_ESP_INV_SPI);
- if (esp->invflags & ~IPT_ESP_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- esp->invflags & ~IPT_ESP_INV_MASK);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_esp *espinfo = (struct ipt_esp *)match->data;
-
- if (!(espinfo->spis[0] == 0
- && espinfo->spis[1] == 0xFFFFFFFF)) {
- printf("--espspi %s",
- (espinfo->invflags & IPT_ESP_INV_SPI) ? "! " : "");
- if (espinfo->spis[0]
- != espinfo->spis[1])
- printf("%u:%u ",
- espinfo->spis[0],
- espinfo->spis[1]);
- else
- printf("%u ",
- espinfo->spis[0]);
- }
-
-}
-
-static struct iptables_match esp = {
- .next = NULL,
- .name = "esp",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_esp)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_esp)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-ipt_esp_init(void)
-{
- register_match(&esp);
-}
diff --git a/extensions/libipt_esp.man b/extensions/libipt_esp.man
deleted file mode 100644
index 7898e02..0000000
--- a/extensions/libipt_esp.man
+++ /dev/null
@@ -1,3 +0,0 @@
-This module matches the SPIs in ESP header of IPsec packets.
-.TP
-.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
diff --git a/extensions/libipt_hashlimit.c b/extensions/libipt_hashlimit.c
deleted file mode 100644
index ce77628..0000000
--- a/extensions/libipt_hashlimit.c
+++ /dev/null
@@ -1,369 +0,0 @@
-/* iptables match extension for limiting packets per destination
- *
- * (C) 2003-2004 by Harald Welte <laforge@netfilter.org>
- *
- * Development of this code was funded by Astaro AG, http://www.astaro.com/
- *
- * Based on ipt_limit.c by
- * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
- * Hervé Eychenne <rv@wallfire.org>
- *
- * Error corections by nmalykh@bilim.com (22.01.2005)
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <stddef.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_hashlimit.h>
-
-#define IPT_HASHLIMIT_BURST 5
-
-/* miliseconds */
-#define IPT_HASHLIMIT_GCINTERVAL 1000
-#define IPT_HASHLIMIT_EXPIRE 10000
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"hashlimit v%s options:\n"
-"--hashlimit <avg> max average match rate\n"
-" [Packets per second unless followed by \n"
-" /sec /minute /hour /day postfixes]\n"
-"--hashlimit-mode <mode> mode is a comma-separated list of\n"
-" dstip,srcip,dstport,srcport\n"
-"--hashlimit-name <name> name for /proc/net/ipt_hashlimit/\n"
-"[--hashlimit-burst <num>] number to match in a burst, default %u\n"
-"[--hashlimit-htable-size <num>] number of hashtable buckets\n"
-"[--hashlimit-htable-max <num>] number of hashtable entries\n"
-"[--hashlimit-htable-gcinterval] interval between garbage collection runs\n"
-"[--hashlimit-htable-expire] after which time are idle entries expired?\n"
-"\n", IPTABLES_VERSION, IPT_HASHLIMIT_BURST);
-}
-
-static struct option opts[] = {
- { "hashlimit", 1, 0, '%' },
- { "hashlimit-burst", 1, 0, '$' },
- { "hashlimit-htable-size", 1, 0, '&' },
- { "hashlimit-htable-max", 1, 0, '*' },
- { "hashlimit-htable-gcinterval", 1, 0, '(' },
- { "hashlimit-htable-expire", 1, 0, ')' },
- { "hashlimit-mode", 1, 0, '_' },
- { "hashlimit-name", 1, 0, '"' },
- { 0 }
-};
-
-static
-int parse_rate(const char *rate, u_int32_t *val)
-{
- const char *delim;
- u_int32_t r;
- u_int32_t mult = 1; /* Seconds by default. */
-
- delim = strchr(rate, '/');
- if (delim) {
- if (strlen(delim+1) == 0)
- return 0;
-
- if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
- mult = 1;
- else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
- mult = 60;
- else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
- mult = 60*60;
- else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
- mult = 24*60*60;
- else
- return 0;
- }
- r = atoi(rate);
- if (!r)
- return 0;
-
- /* This would get mapped to infinite (1/day is minimum they
- can specify, so we're ok at that end). */
- if (r / mult > IPT_HASHLIMIT_SCALE)
- exit_error(PARAMETER_PROBLEM, "Rate too fast `%s'\n", rate);
-
- *val = IPT_HASHLIMIT_SCALE * mult / r;
- return 1;
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_hashlimit_info *r = (struct ipt_hashlimit_info *)m->data;
-
- r->cfg.burst = IPT_HASHLIMIT_BURST;
- r->cfg.gc_interval = IPT_HASHLIMIT_GCINTERVAL;
- r->cfg.expire = IPT_HASHLIMIT_EXPIRE;
-
-}
-
-
-/* Parse a 'mode' parameter into the required bitmask */
-static int parse_mode(struct ipt_hashlimit_info *r, char *optarg)
-{
- char *tok;
- char *arg = strdup(optarg);
-
- if (!arg)
- return -1;
-
- r->cfg.mode = 0;
-
- for (tok = strtok(arg, ",|");
- tok;
- tok = strtok(NULL, ",|")) {
- if (!strcmp(tok, "dstip"))
- r->cfg.mode |= IPT_HASHLIMIT_HASH_DIP;
- else if (!strcmp(tok, "srcip"))
- r->cfg.mode |= IPT_HASHLIMIT_HASH_SIP;
- else if (!strcmp(tok, "srcport"))
- r->cfg.mode |= IPT_HASHLIMIT_HASH_SPT;
- else if (!strcmp(tok, "dstport"))
- r->cfg.mode |= IPT_HASHLIMIT_HASH_DPT;
- else {
- free(arg);
- return -1;
- }
- }
- free(arg);
- return 0;
-}
-
-#define PARAM_LIMIT 0x00000001
-#define PARAM_BURST 0x00000002
-#define PARAM_MODE 0x00000004
-#define PARAM_NAME 0x00000008
-#define PARAM_SIZE 0x00000010
-#define PARAM_MAX 0x00000020
-#define PARAM_GCINTERVAL 0x00000040
-#define PARAM_EXPIRE 0x00000080
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_hashlimit_info *r =
- (struct ipt_hashlimit_info *)(*match)->data;
- unsigned int num;
-
- switch(c) {
- case '%':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (!parse_rate(optarg, &r->cfg.avg))
- exit_error(PARAMETER_PROBLEM,
- "bad rate `%s'", optarg);
- *flags |= PARAM_LIMIT;
- break;
-
- case '$':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-burst `%s'", optarg);
- r->cfg.burst = num;
- *flags |= PARAM_BURST;
- break;
- case '&':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-htable-size: `%s'", optarg);
- r->cfg.size = num;
- *flags |= PARAM_SIZE;
- break;
- case '*':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-htable-max: `%s'", optarg);
- r->cfg.max = num;
- *flags |= PARAM_MAX;
- break;
- case '(':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-htable-gcinterval: `%s'",
- optarg);
- /* FIXME: not HZ dependent!! */
- r->cfg.gc_interval = num;
- *flags |= PARAM_GCINTERVAL;
- break;
- case ')':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-htable-expire: `%s'", optarg);
- /* FIXME: not HZ dependent */
- r->cfg.expire = num;
- *flags |= PARAM_EXPIRE;
- break;
- case '_':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (parse_mode(r, optarg) < 0)
- exit_error(PARAMETER_PROBLEM,
- "bad --hashlimit-mode: `%s'\n", optarg);
- *flags |= PARAM_MODE;
- break;
- case '"':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (strlen(optarg) == 0)
- exit_error(PARAMETER_PROBLEM, "Zero-length name?");
- strncpy(r->name, optarg, sizeof(r->name));
- *flags |= PARAM_NAME;
- break;
- default:
- return 0;
- }
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "hashlimit does not support invert");
-
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
- if (!(flags & PARAM_LIMIT))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --hashlimit");
- if (!(flags & PARAM_MODE))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --hashlimit-mode");
- if (!(flags & PARAM_NAME))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --hashlimit-name");
-}
-
-static struct rates
-{
- const char *name;
- u_int32_t mult;
-} rates[] = { { "day", IPT_HASHLIMIT_SCALE*24*60*60 },
- { "hour", IPT_HASHLIMIT_SCALE*60*60 },
- { "min", IPT_HASHLIMIT_SCALE*60 },
- { "sec", IPT_HASHLIMIT_SCALE } };
-
-static void print_rate(u_int32_t period)
-{
- unsigned int i;
-
- for (i = 1; i < sizeof(rates)/sizeof(struct rates); i++) {
- if (period > rates[i].mult
- || rates[i].mult/period < rates[i].mult%period)
- break;
- }
-
- printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
-}
-
-static void print_mode(const struct ipt_hashlimit_info *r, char separator)
-{
- int prevmode = 0;
-
- if (r->cfg.mode & IPT_HASHLIMIT_HASH_SIP) {
- if (prevmode)
- putchar(separator);
- fputs("srcip", stdout);
- prevmode = 1;
- }
- if (r->cfg.mode & IPT_HASHLIMIT_HASH_SPT) {
- if (prevmode)
- putchar(separator);
- fputs("srcport", stdout);
- prevmode = 1;
- }
- if (r->cfg.mode & IPT_HASHLIMIT_HASH_DIP) {
- if (prevmode)
- putchar(separator);
- fputs("dstip", stdout);
- prevmode = 1;
- }
- if (r->cfg.mode & IPT_HASHLIMIT_HASH_DPT) {
- if (prevmode)
- putchar(separator);
- fputs("dstport", stdout);
- }
- putchar(' ');
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_hashlimit_info *r =
- (struct ipt_hashlimit_info *)match->data;
- fputs("limit: avg ", stdout); print_rate(r->cfg.avg);
- printf("burst %u ", r->cfg.burst);
- fputs("mode ", stdout);
- print_mode(r, '-');
- if (r->cfg.size)
- printf("htable-size %u ", r->cfg.size);
- if (r->cfg.max)
- printf("htable-max %u ", r->cfg.max);
- if (r->cfg.gc_interval != IPT_HASHLIMIT_GCINTERVAL)
- printf("htable-gcinterval %u ", r->cfg.gc_interval);
- if (r->cfg.expire != IPT_HASHLIMIT_EXPIRE)
- printf("htable-expire %u ", r->cfg.expire);
-}
-
-/* FIXME: Make minimalist: only print rate if not default --RR */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_hashlimit_info *r =
- (struct ipt_hashlimit_info *)match->data;
-
- fputs("--hashlimit ", stdout); print_rate(r->cfg.avg);
- if (r->cfg.burst != IPT_HASHLIMIT_BURST)
- printf("--hashlimit-burst %u ", r->cfg.burst);
-
- fputs("--hashlimit-mode ", stdout);
- print_mode(r, ',');
-
- printf("--hashlimit-name %s ", r->name);
-
- if (r->cfg.size)
- printf("--hashlimit-htable-size %u ", r->cfg.size);
- if (r->cfg.max)
- printf("--hashlimit-htable-max %u ", r->cfg.max);
- if (r->cfg.gc_interval != IPT_HASHLIMIT_GCINTERVAL)
- printf("--hashlimit-htable-gcinterval %u", r->cfg.gc_interval);
- if (r->cfg.expire != IPT_HASHLIMIT_EXPIRE)
- printf("--hashlimit-htable-expire %u ", r->cfg.expire);
-}
-
-static struct iptables_match hashlimit = { NULL,
- .name = "hashlimit",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_hashlimit_info)),
- .userspacesize = offsetof(struct ipt_hashlimit_info, hinfo),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_hashlimit_init(void)
-{
- register_match(&hashlimit);
-}
diff --git a/extensions/libipt_hashlimit.man b/extensions/libipt_hashlimit.man
deleted file mode 100644
index 1b0a5d4..0000000
--- a/extensions/libipt_hashlimit.man
+++ /dev/null
@@ -1,35 +0,0 @@
-This patch adds a new match called 'hashlimit'.
-The idea is to have something like 'limit', but either per
-destination-ip or per (destip,destport) tuple.
-
-It gives you the ability to express
-.IP
- '1000 packets per second for every host in 192.168.0.0/16'
-.IP
- '100 packets per second for every service of 192.168.1.1'
-.P
-with a single iptables rule.
-.TP
-.BI "--hashlimit " "rate"
-A rate just like the limit match
-.TP
-.BI "--hashlimit-burst " "num"
-Burst value, just like limit match
-.TP
-.BI "--hashlimit-mode " "destip | destip-destport"
-Limit per IP or per port
-.TP
-.BI "--hashlimit-name " "foo"
-The name for the /proc/net/ipt_hashlimit/foo entry
-.TP
-.BI "--hashlimit-htable-size " "num"
-The number of buckets of the hash table
-.TP
-.BI "--hashlimit-htable-max " "num"
-Maximum entries in the hash
-.TP
-.BI "--hashlimit-htable-expire " "num"
-After how many miliseconds do hash entries expire
-.TP
-.BI "--hashlimit-htable-gcinterval " "num"
-How many miliseconds between garbage collection intervals
diff --git a/extensions/libipt_helper.c b/extensions/libipt_helper.c
deleted file mode 100644
index f7e0ce0..0000000
--- a/extensions/libipt_helper.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/* Shared library add-on to iptables to add related packet matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_helper.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"helper match v%s options:\n"
-"[!] --helper string Match helper identified by string\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "helper", 1, 0, '1' },
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_helper_info *info = (struct ipt_helper_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "helper match: Only use --helper ONCE!");
- check_inverse(optarg, &invert, &invert, 0);
- strncpy(info->name, optarg, 29);
- info->name[29] = '\0';
- if (invert)
- info->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must have specified --helper. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "helper match: You must specify `--helper'");
-}
-
-/* Prints out the info. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_helper_info *info = (struct ipt_helper_info *)match->data;
-
- printf("helper match %s\"%s\" ", info->invert ? "! " : "", info->name);
-}
-
-/* Saves the union ipt_info in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_helper_info *info = (struct ipt_helper_info *)match->data;
-
- printf("%s--helper \"%s\" ",info->invert ? "! " : "", info->name);
-}
-
-static struct iptables_match helper = {
- .next = NULL,
- .name = "helper",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_helper_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_helper_init(void)
-{
- register_match(&helper);
-}
diff --git a/extensions/libipt_helper.man b/extensions/libipt_helper.man
deleted file mode 100644
index c3221ad..0000000
--- a/extensions/libipt_helper.man
+++ /dev/null
@@ -1,11 +0,0 @@
-This module matches packets related to a specific conntrack-helper.
-.TP
-.BI "--helper " "string"
-Matches packets related to the specified conntrack-helper.
-.RS
-.PP
-string can be "ftp" for packets related to a ftp-session on default port.
-For other ports append -portnr to the value, ie. "ftp-2121".
-.PP
-Same rules apply for other conntrack-helpers.
-.RE
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
deleted file mode 100644
index 3a7b1c0..0000000
--- a/extensions/libipt_icmp.c
+++ /dev/null
@@ -1,307 +0,0 @@
-/* Shared library add-on to iptables to add ICMP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-/* special hack for icmp-type 'any':
- * Up to kernel <=2.4.20 the problem was:
- * '-p icmp ' matches all icmp packets
- * '-p icmp -m icmp' matches _only_ ICMP type 0 :(
- * This is now fixed by initializing the field * to icmp type 0xFF
- * See: https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=37
- */
-
-struct icmp_names {
- const char *name;
- u_int8_t type;
- u_int8_t code_min, code_max;
-};
-
-static const struct icmp_names icmp_codes[] = {
- { "any", 0xFF, 0, 0xFF },
- { "echo-reply", 0, 0, 0xFF },
- /* Alias */ { "pong", 0, 0, 0xFF },
-
- { "destination-unreachable", 3, 0, 0xFF },
- { "network-unreachable", 3, 0, 0 },
- { "host-unreachable", 3, 1, 1 },
- { "protocol-unreachable", 3, 2, 2 },
- { "port-unreachable", 3, 3, 3 },
- { "fragmentation-needed", 3, 4, 4 },
- { "source-route-failed", 3, 5, 5 },
- { "network-unknown", 3, 6, 6 },
- { "host-unknown", 3, 7, 7 },
- { "network-prohibited", 3, 9, 9 },
- { "host-prohibited", 3, 10, 10 },
- { "TOS-network-unreachable", 3, 11, 11 },
- { "TOS-host-unreachable", 3, 12, 12 },
- { "communication-prohibited", 3, 13, 13 },
- { "host-precedence-violation", 3, 14, 14 },
- { "precedence-cutoff", 3, 15, 15 },
-
- { "source-quench", 4, 0, 0xFF },
-
- { "redirect", 5, 0, 0xFF },
- { "network-redirect", 5, 0, 0 },
- { "host-redirect", 5, 1, 1 },
- { "TOS-network-redirect", 5, 2, 2 },
- { "TOS-host-redirect", 5, 3, 3 },
-
- { "echo-request", 8, 0, 0xFF },
- /* Alias */ { "ping", 8, 0, 0xFF },
-
- { "router-advertisement", 9, 0, 0xFF },
-
- { "router-solicitation", 10, 0, 0xFF },
-
- { "time-exceeded", 11, 0, 0xFF },
- /* Alias */ { "ttl-exceeded", 11, 0, 0xFF },
- { "ttl-zero-during-transit", 11, 0, 0 },
- { "ttl-zero-during-reassembly", 11, 1, 1 },
-
- { "parameter-problem", 12, 0, 0xFF },
- { "ip-header-bad", 12, 0, 0 },
- { "required-option-missing", 12, 1, 1 },
-
- { "timestamp-request", 13, 0, 0xFF },
-
- { "timestamp-reply", 14, 0, 0xFF },
-
- { "address-mask-request", 17, 0, 0xFF },
-
- { "address-mask-reply", 18, 0, 0xFF }
-};
-
-static void
-print_icmptypes()
-{
- unsigned int i;
- printf("Valid ICMP Types:");
-
- for (i = 0; i < sizeof(icmp_codes)/sizeof(struct icmp_names); i++) {
- if (i && icmp_codes[i].type == icmp_codes[i-1].type) {
- if (icmp_codes[i].code_min == icmp_codes[i-1].code_min
- && (icmp_codes[i].code_max
- == icmp_codes[i-1].code_max))
- printf(" (%s)", icmp_codes[i].name);
- else
- printf("\n %s", icmp_codes[i].name);
- }
- else
- printf("\n%s", icmp_codes[i].name);
- }
- printf("\n");
-}
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"ICMP v%s options:\n"
-" --icmp-type [!] typename match icmp type\n"
-" (or numeric type or type/code)\n"
-"\n", IPTABLES_VERSION);
- print_icmptypes();
-}
-
-static struct option opts[] = {
- { "icmp-type", 1, 0, '1' },
- {0}
-};
-
-static void
-parse_icmp(const char *icmptype, u_int8_t *type, u_int8_t code[])
-{
- unsigned int limit = sizeof(icmp_codes)/sizeof(struct icmp_names);
- unsigned int match = limit;
- unsigned int i;
-
- for (i = 0; i < limit; i++) {
- if (strncasecmp(icmp_codes[i].name, icmptype, strlen(icmptype))
- == 0) {
- if (match != limit)
- exit_error(PARAMETER_PROBLEM,
- "Ambiguous ICMP type `%s':"
- " `%s' or `%s'?",
- icmptype,
- icmp_codes[match].name,
- icmp_codes[i].name);
- match = i;
- }
- }
-
- if (match != limit) {
- *type = icmp_codes[match].type;
- code[0] = icmp_codes[match].code_min;
- code[1] = icmp_codes[match].code_max;
- } else {
- char *slash;
- char buffer[strlen(icmptype) + 1];
- unsigned int number;
-
- strcpy(buffer, icmptype);
- slash = strchr(buffer, '/');
-
- if (slash)
- *slash = '\0';
-
- if (string_to_number(buffer, 0, 255, &number) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid ICMP type `%s'\n", buffer);
- *type = number;
- if (slash) {
- if (string_to_number(slash+1, 0, 255, &number) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid ICMP code `%s'\n",
- slash+1);
- code[0] = code[1] = number;
- } else {
- code[0] = 0;
- code[1] = 0xFF;
- }
- }
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_icmp *icmpinfo = (struct ipt_icmp *)m->data;
-
- icmpinfo->type = 0xFF;
- icmpinfo->code[1] = 0xFF;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_icmp *icmpinfo = (struct ipt_icmp *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags == 1)
- exit_error(PARAMETER_PROBLEM,
- "icmp match: only use --icmp-type once!");
- check_inverse(optarg, &invert, &optind, 0);
- parse_icmp(argv[optind-1], &icmpinfo->type,
- icmpinfo->code);
- if (invert)
- icmpinfo->invflags |= IPT_ICMP_INV;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void print_icmptype(u_int8_t type,
- u_int8_t code_min, u_int8_t code_max,
- int invert,
- int numeric)
-{
- if (!numeric) {
- unsigned int i;
-
- for (i = 0;
- i < sizeof(icmp_codes)/sizeof(struct icmp_names);
- i++) {
- if (icmp_codes[i].type == type
- && icmp_codes[i].code_min == code_min
- && icmp_codes[i].code_max == code_max)
- break;
- }
-
- if (i != sizeof(icmp_codes)/sizeof(struct icmp_names)) {
- printf("%s%s ",
- invert ? "!" : "",
- icmp_codes[i].name);
- return;
- }
- }
-
- if (invert)
- printf("!");
-
- printf("type %u", type);
- if (code_min == 0 && code_max == 0xFF)
- printf(" ");
- else if (code_min == code_max)
- printf(" code %u ", code_min);
- else
- printf(" codes %u-%u ", code_min, code_max);
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
-
- printf("icmp ");
- print_icmptype(icmp->type, icmp->code[0], icmp->code[1],
- icmp->invflags & IPT_ICMP_INV,
- numeric);
-
- if (icmp->invflags & ~IPT_ICMP_INV)
- printf("Unknown invflags: 0x%X ",
- icmp->invflags & ~IPT_ICMP_INV);
-}
-
-/* Saves the match in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
-
- if (icmp->invflags & IPT_ICMP_INV)
- printf("! ");
-
- /* special hack for 'any' case */
- if (icmp->type == 0xFF) {
- printf("--icmp-type any ");
- } else {
- printf("--icmp-type %u", icmp->type);
- if (icmp->code[0] != 0 || icmp->code[1] != 0xFF)
- printf("/%u", icmp->code[0]);
- printf(" ");
- }
-}
-
-/* Final check; we don't care. */
-static void final_check(unsigned int flags)
-{
-}
-
-static struct iptables_match icmp = {
- .next = NULL,
- .name = "icmp",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_icmp)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_icmp)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_icmp_init(void)
-{
- register_match(&icmp);
-}
diff --git a/extensions/libipt_icmp.man b/extensions/libipt_icmp.man
deleted file mode 100644
index 5b91514..0000000
--- a/extensions/libipt_icmp.man
+++ /dev/null
@@ -1,9 +0,0 @@
-This extension is loaded if `--protocol icmp' is specified. It
-provides the following option:
-.TP
-.BR "--icmp-type " "[!] \fItypename\fP"
-This allows specification of the ICMP type, which can be a numeric
-ICMP type, or one of the ICMP type names shown by the command
-.nf
- iptables -p icmp -h
-.fi
diff --git a/extensions/libipt_iprange.c b/extensions/libipt_iprange.c
deleted file mode 100644
index 847802b..0000000
--- a/extensions/libipt_iprange.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/* Shared library add-on to iptables to add IP range matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_iprange.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"iprange match v%s options:\n"
-"[!] --src-range ip-ip Match source IP in the specified range\n"
-"[!] --dst-range ip-ip Match destination IP in the specified range\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "src-range", 1, 0, '1' },
- { "dst-range", 1, 0, '2' },
- {0}
-};
-
-static void
-parse_iprange(char *arg, struct ipt_iprange *range)
-{
- char *dash;
- struct in_addr *ip;
-
- dash = strchr(arg, '-');
- if (dash)
- *dash = '\0';
-
- ip = dotted_to_addr(arg);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
- arg);
- range->min_ip = ip->s_addr;
-
- if (dash) {
- ip = dotted_to_addr(dash+1);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
- dash+1);
- range->max_ip = ip->s_addr;
- } else
- range->max_ip = range->min_ip;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_iprange_info *info = (struct ipt_iprange_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IPRANGE_SRC)
- exit_error(PARAMETER_PROBLEM,
- "iprange match: Only use --src-range ONCE!");
- *flags |= IPRANGE_SRC;
-
- info->flags |= IPRANGE_SRC;
- check_inverse(optarg, &invert, &optind, 0);
- if (invert) {
- info->flags |= IPRANGE_SRC_INV;
- }
- parse_iprange(optarg, &info->src);
-
- break;
-
- case '2':
- if (*flags & IPRANGE_DST)
- exit_error(PARAMETER_PROBLEM,
- "iprange match: Only use --dst-range ONCE!");
- *flags |= IPRANGE_DST;
-
- info->flags |= IPRANGE_DST;
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- info->flags |= IPRANGE_DST_INV;
-
- parse_iprange(optarg, &info->dst);
-
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must have specified --src-range or --dst-range. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "iprange match: You must specify `--src-range' or `--dst-range'");
-}
-
-static void
-print_iprange(const struct ipt_iprange *range)
-{
- const unsigned char *byte_min, *byte_max;
-
- byte_min = (const unsigned char *) &(range->min_ip);
- byte_max = (const unsigned char *) &(range->max_ip);
- printf("%d.%d.%d.%d-%d.%d.%d.%d ",
- byte_min[0], byte_min[1], byte_min[2], byte_min[3],
- byte_max[0], byte_max[1], byte_max[2], byte_max[3]);
-}
-
-/* Prints out the info. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_iprange_info *info = (struct ipt_iprange_info *)match->data;
-
- if (info->flags & IPRANGE_SRC) {
- printf("source IP range ");
- if (info->flags & IPRANGE_SRC_INV)
- printf("! ");
- print_iprange(&info->src);
- }
- if (info->flags & IPRANGE_DST) {
- printf("destination IP range ");
- if (info->flags & IPRANGE_DST_INV)
- printf("! ");
- print_iprange(&info->dst);
- }
-}
-
-/* Saves the union ipt_info in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_iprange_info *info = (struct ipt_iprange_info *)match->data;
-
- if (info->flags & IPRANGE_SRC) {
- if (info->flags & IPRANGE_SRC_INV)
- printf("! ");
- printf("--src-range ");
- print_iprange(&info->src);
- if (info->flags & IPRANGE_DST)
- fputc(' ', stdout);
- }
- if (info->flags & IPRANGE_DST) {
- if (info->flags & IPRANGE_DST_INV)
- printf("! ");
- printf("--dst-range ");
- print_iprange(&info->dst);
- }
-}
-
-static struct iptables_match iprange = {
- .next = NULL,
- .name = "iprange",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_iprange_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_iprange_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_iprange_init(void)
-{
- register_match(&iprange);
-}
diff --git a/extensions/libipt_iprange.man b/extensions/libipt_iprange.man
deleted file mode 100644
index 57e1cff..0000000
--- a/extensions/libipt_iprange.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This matches on a given arbitrary range of IPv4 addresses
-.TP
-.BI "[!]" "--src-range " "ip-ip"
-Match source IP in the specified range.
-.TP
-.BI "[!]" "--dst-range " "ip-ip"
-Match destination IP in the specified range.
diff --git a/extensions/libipt_length.c b/extensions/libipt_length.c
deleted file mode 100644
index 38c70b5..0000000
--- a/extensions/libipt_length.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/* Shared library add-on to iptables to add packet length matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_length.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"length v%s options:\n"
-"[!] --length length[:length] Match packet length against value or range\n"
-" of values (inclusive)\n",
-IPTABLES_VERSION);
-
-}
-
-static struct option opts[] = {
- { "length", 1, 0, '1' },
- {0}
-};
-
-static u_int16_t
-parse_length(const char *s)
-{
- unsigned int len;
-
- if (string_to_number(s, 0, 0xFFFF, &len) == -1)
- exit_error(PARAMETER_PROBLEM, "length invalid: `%s'\n", s);
- else
- return (u_int16_t )len;
-}
-
-/* If a single value is provided, min and max are both set to the value */
-static void
-parse_lengths(const char *s, struct ipt_length_info *info)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(s);
- if ((cp = strchr(buffer, ':')) == NULL)
- info->min = info->max = parse_length(buffer);
- else {
- *cp = '\0';
- cp++;
-
- info->min = buffer[0] ? parse_length(buffer) : 0;
- info->max = cp[0] ? parse_length(cp) : 0xFFFF;
- }
- free(buffer);
-
- if (info->min > info->max)
- exit_error(PARAMETER_PROBLEM,
- "length min. range value `%u' greater than max. "
- "range value `%u'", info->min, info->max);
-
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_length_info *info = (struct ipt_length_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "length: `--length' may only be "
- "specified once");
- check_inverse(optarg, &invert, &optind, 0);
- parse_lengths(argv[optind-1], info);
- if (invert)
- info->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must have specified --length. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "length: You must specify `--length'");
-}
-
-/* Common match printing code. */
-static void
-print_length(struct ipt_length_info *info)
-{
- if (info->invert)
- printf("! ");
-
- if (info->max == info->min)
- printf("%u ", info->min);
- else
- printf("%u:%u ", info->min, info->max);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- printf("length ");
- print_length((struct ipt_length_info *)match->data);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- printf("--length ");
- print_length((struct ipt_length_info *)match->data);
-}
-
-static struct iptables_match length = {
- .next = NULL,
- .name = "length",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_length_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_length_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_length_init(void)
-{
- register_match(&length);
-}
diff --git a/extensions/libipt_length.man b/extensions/libipt_length.man
deleted file mode 100644
index 43bbdcf..0000000
--- a/extensions/libipt_length.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module matches the length of a packet against a specific value
-or range of values.
-.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libipt_limit.c b/extensions/libipt_limit.c
deleted file mode 100644
index 5e75d93..0000000
--- a/extensions/libipt_limit.c
+++ /dev/null
@@ -1,196 +0,0 @@
-/* Shared library add-on to iptables to add limit support.
- *
- * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
- * Hervé Eychenne <rv@wallfire.org>
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <stddef.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv4/ipt_limit.h"
-
-#define IPT_LIMIT_AVG "3/hour"
-#define IPT_LIMIT_BURST 5
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"limit v%s options:\n"
-"--limit avg max average match rate: default "IPT_LIMIT_AVG"\n"
-" [Packets per second unless followed by \n"
-" /sec /minute /hour /day postfixes]\n"
-"--limit-burst number number to match in a burst, default %u\n"
-"\n", IPTABLES_VERSION, IPT_LIMIT_BURST);
-}
-
-static struct option opts[] = {
- { "limit", 1, 0, '%' },
- { "limit-burst", 1, 0, '$' },
- { 0 }
-};
-
-static
-int parse_rate(const char *rate, u_int32_t *val)
-{
- const char *delim;
- u_int32_t r;
- u_int32_t mult = 1; /* Seconds by default. */
-
- delim = strchr(rate, '/');
- if (delim) {
- if (strlen(delim+1) == 0)
- return 0;
-
- if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
- mult = 1;
- else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
- mult = 60;
- else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
- mult = 60*60;
- else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
- mult = 24*60*60;
- else
- return 0;
- }
- r = atoi(rate);
- if (!r)
- return 0;
-
- /* This would get mapped to infinite (1/day is minimum they
- can specify, so we're ok at that end). */
- if (r / mult > IPT_LIMIT_SCALE)
- exit_error(PARAMETER_PROBLEM, "Rate too fast `%s'\n", rate);
-
- *val = IPT_LIMIT_SCALE * mult / r;
- return 1;
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_rateinfo *r = (struct ipt_rateinfo *)m->data;
-
- parse_rate(IPT_LIMIT_AVG, &r->avg);
- r->burst = IPT_LIMIT_BURST;
-
-}
-
-/* FIXME: handle overflow:
- if (r->avg*r->burst/r->burst != r->avg)
- exit_error(PARAMETER_PROBLEM,
- "Sorry: burst too large for that avg rate.\n");
-*/
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_rateinfo *r = (struct ipt_rateinfo *)(*match)->data;
- unsigned int num;
-
- switch(c) {
- case '%':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (!parse_rate(optarg, &r->avg))
- exit_error(PARAMETER_PROBLEM,
- "bad rate `%s'", optarg);
- break;
-
- case '$':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --limit-burst `%s'", optarg);
- r->burst = num;
- break;
-
- default:
- return 0;
- }
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "limit does not support invert");
-
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-static struct rates
-{
- const char *name;
- u_int32_t mult;
-} rates[] = { { "day", IPT_LIMIT_SCALE*24*60*60 },
- { "hour", IPT_LIMIT_SCALE*60*60 },
- { "min", IPT_LIMIT_SCALE*60 },
- { "sec", IPT_LIMIT_SCALE } };
-
-static void print_rate(u_int32_t period)
-{
- unsigned int i;
-
- for (i = 1; i < sizeof(rates)/sizeof(struct rates); i++) {
- if (period > rates[i].mult
- || rates[i].mult/period < rates[i].mult%period)
- break;
- }
-
- printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_rateinfo *r = (struct ipt_rateinfo *)match->data;
- printf("limit: avg "); print_rate(r->avg);
- printf("burst %u ", r->burst);
-}
-
-/* FIXME: Make minimalist: only print rate if not default --RR */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_rateinfo *r = (struct ipt_rateinfo *)match->data;
-
- printf("--limit "); print_rate(r->avg);
- if (r->burst != IPT_LIMIT_BURST)
- printf("--limit-burst %u ", r->burst);
-}
-
-static struct iptables_match limit = {
- .next = NULL,
- .name = "limit",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_rateinfo)),
- .userspacesize = offsetof(struct ipt_rateinfo, prev),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_limit_init(void)
-{
- register_match(&limit);
-}
diff --git a/extensions/libipt_limit.man b/extensions/libipt_limit.man
deleted file mode 100644
index 84b63d4..0000000
--- a/extensions/libipt_limit.man
+++ /dev/null
@@ -1,15 +0,0 @@
-This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
-.B LOG
-target to give limited logging, for example.
-.TP
-.BI "--limit " "rate"
-Maximum average matching rate: specified as a number, with an optional
-`/second', `/minute', `/hour', or `/day' suffix; the default is
-3/hour.
-.TP
-.BI "--limit-burst " "number"
-Maximum initial number of packets to match: this number gets
-recharged by one every time the limit specified above is not reached,
-up to this number; the default is 5.
diff --git a/extensions/libipt_mac.c b/extensions/libipt_mac.c
deleted file mode 100644
index 59f9fc0..0000000
--- a/extensions/libipt_mac.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/* Shared library add-on to iptables to add MAC address support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#if defined(__GLIBC__) && __GLIBC__ == 2
-#include <net/ethernet.h>
-#else
-#include <linux/if_ether.h>
-#endif
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_mac.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"MAC v%s options:\n"
-" --mac-source [!] XX:XX:XX:XX:XX:XX\n"
-" Match source MAC address\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "mac-source", 1, 0, '1' },
- {0}
-};
-
-static void
-parse_mac(const char *mac, struct ipt_mac_info *info)
-{
- unsigned int i = 0;
-
- if (strlen(mac) != ETH_ALEN*3-1)
- exit_error(PARAMETER_PROBLEM, "Bad mac address `%s'", mac);
-
- for (i = 0; i < ETH_ALEN; i++) {
- long number;
- char *end;
-
- number = strtol(mac + i*3, &end, 16);
-
- if (end == mac + i*3 + 2
- && number >= 0
- && number <= 255)
- info->srcaddr[i] = number;
- else
- exit_error(PARAMETER_PROBLEM,
- "Bad mac address `%s'", mac);
- }
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_mac_info *macinfo = (struct ipt_mac_info *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
- parse_mac(argv[optind-1], macinfo);
- if (invert)
- macinfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void print_mac(unsigned char macaddress[ETH_ALEN])
-{
- unsigned int i;
-
- printf("%02X", macaddress[0]);
- for (i = 1; i < ETH_ALEN; i++)
- printf(":%02X", macaddress[i]);
- printf(" ");
-}
-
-/* Final check; must have specified --mac. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify `--mac-source'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- printf("MAC ");
-
- if (((struct ipt_mac_info *)match->data)->invert)
- printf("! ");
-
- print_mac(((struct ipt_mac_info *)match->data)->srcaddr);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- if (((struct ipt_mac_info *)match->data)->invert)
- printf("! ");
-
- printf("--mac-source ");
- print_mac(((struct ipt_mac_info *)match->data)->srcaddr);
-}
-
-static struct iptables_match mac = {
- .next = NULL,
- .name = "mac",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_mac_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_mac_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_mac_init(void)
-{
- register_match(&mac);
-}
diff --git a/extensions/libipt_mac.man b/extensions/libipt_mac.man
deleted file mode 100644
index 5321ca1..0000000
--- a/extensions/libipt_mac.man
+++ /dev/null
@@ -1,10 +0,0 @@
-.TP
-.BR "--mac-source " "[!] \fIaddress\fP"
-Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
-Note that this only makes sense for packets coming from an Ethernet device
-and entering the
-.BR PREROUTING ,
-.B FORWARD
-or
-.B INPUT
-chains.
diff --git a/extensions/libipt_mark.man b/extensions/libipt_mark.man
deleted file mode 100644
index a2a1395..0000000
--- a/extensions/libipt_mark.man
+++ /dev/null
@@ -1,9 +0,0 @@
-This module matches the netfilter mark field associated with a packet
-(which can be set using the
-.B MARK
-target below).
-.TP
-.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
-Matches packets with the given unsigned mark value (if a \fImask\fP is
-specified, this is logically ANDed with the \fImask\fP before the
-comparison).
diff --git a/extensions/libipt_multiport.c b/extensions/libipt_multiport.c
deleted file mode 100644
index 694d69d..0000000
--- a/extensions/libipt_multiport.c
+++ /dev/null
@@ -1,468 +0,0 @@
-/* Shared library add-on to iptables to add multiple TCP port support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <netinet/in.h>
-/* To ensure that iptables compiles with an old kernel */
-#include "../include/linux/netfilter_ipv4/ipt_multiport.h"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"multiport v%s options:\n"
-" --source-ports port[,port,port...]\n"
-" --sports ...\n"
-" match source port(s)\n"
-" --destination-ports port[,port,port...]\n"
-" --dports ...\n"
-" match destination port(s)\n"
-" --ports port[,port,port]\n"
-" match both source and destination port(s)\n"
-" NOTE: this kernel does not support port ranges in multiport.\n",
-IPTABLES_VERSION);
-}
-
-static void
-help_v1(void)
-{
- printf(
-"multiport v%s options:\n"
-" --source-ports [!] port[,port:port,port...]\n"
-" --sports ...\n"
-" match source port(s)\n"
-" --destination-ports [!] port[,port:port,port...]\n"
-" --dports ...\n"
-" match destination port(s)\n"
-" --ports [!] port[,port:port,port]\n"
-" match both source and destination port(s)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "source-ports", 1, 0, '1' },
- { "sports", 1, 0, '1' }, /* synonym */
- { "destination-ports", 1, 0, '2' },
- { "dports", 1, 0, '2' }, /* synonym */
- { "ports", 1, 0, '3' },
- {0}
-};
-
-static char *
-proto_to_name(u_int8_t proto)
-{
- switch (proto) {
- case IPPROTO_TCP:
- return "tcp";
- case IPPROTO_UDP:
- return "udp";
- case IPPROTO_UDPLITE:
- return "udplite";
- case IPPROTO_SCTP:
- return "sctp";
- case IPPROTO_DCCP:
- return "dccp";
- default:
- return NULL;
- }
-}
-
-static unsigned int
-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
-{
- char *buffer, *cp, *next;
- unsigned int i;
-
- buffer = strdup(portstring);
- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
-
- for (cp=buffer, i=0; cp && i<IPT_MULTI_PORTS; cp=next,i++)
- {
- next=strchr(cp, ',');
- if (next) *next++='\0';
- ports[i] = parse_port(cp, proto);
- }
- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
- free(buffer);
- return i;
-}
-
-static void
-parse_multi_ports_v1(const char *portstring,
- struct ipt_multiport_v1 *multiinfo,
- const char *proto)
-{
- char *buffer, *cp, *next, *range;
- unsigned int i;
- u_int16_t m;
-
- buffer = strdup(portstring);
- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
-
- for (i=0; i<IPT_MULTI_PORTS; i++)
- multiinfo->pflags[i] = 0;
-
- for (cp=buffer, i=0; cp && i<IPT_MULTI_PORTS; cp=next, i++) {
- next=strchr(cp, ',');
- if (next) *next++='\0';
- range = strchr(cp, ':');
- if (range) {
- if (i == IPT_MULTI_PORTS-1)
- exit_error(PARAMETER_PROBLEM,
- "too many ports specified");
- *range++ = '\0';
- }
- multiinfo->ports[i] = parse_port(cp, proto);
- if (range) {
- multiinfo->pflags[i] = 1;
- multiinfo->ports[++i] = parse_port(range, proto);
- if (multiinfo->ports[i-1] >= multiinfo->ports[i])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange specified");
- m <<= 1;
- }
- }
- multiinfo->count = i;
- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-}
-
-static const char *
-check_proto(const struct ipt_entry *entry)
-{
- char *proto;
-
- if (entry->ip.invflags & IPT_INV_PROTO)
- exit_error(PARAMETER_PROBLEM,
- "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
-
- if ((proto = proto_to_name(entry->ip.proto)) != NULL)
- return proto;
- else if (!entry->ip.proto)
- exit_error(PARAMETER_PROBLEM,
- "multiport needs `-p tcp', `-p udp', `-p udplite', "
- "`-p sctp' or `-p dccp'");
- else
- exit_error(PARAMETER_PROBLEM,
- "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- const char *proto;
- struct ipt_multiport *multiinfo
- = (struct ipt_multiport *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- multiinfo->count = parse_multi_ports(argv[optind-1],
- multiinfo->ports, proto);
- multiinfo->flags = IPT_MULTIPORT_SOURCE;
- break;
-
- case '2':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- multiinfo->count = parse_multi_ports(argv[optind-1],
- multiinfo->ports, proto);
- multiinfo->flags = IPT_MULTIPORT_DESTINATION;
- break;
-
- case '3':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- multiinfo->count = parse_multi_ports(argv[optind-1],
- multiinfo->ports, proto);
- multiinfo->flags = IPT_MULTIPORT_EITHER;
- break;
-
- default:
- return 0;
- }
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "multiport does not support invert");
-
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "multiport can only have one option");
- *flags = 1;
- return 1;
-}
-
-static int
-parse_v1(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- const char *proto;
- struct ipt_multiport_v1 *multiinfo
- = (struct ipt_multiport_v1 *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
- multiinfo->flags = IPT_MULTIPORT_SOURCE;
- break;
-
- case '2':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
- multiinfo->flags = IPT_MULTIPORT_DESTINATION;
- break;
-
- case '3':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
- multiinfo->flags = IPT_MULTIPORT_EITHER;
- break;
-
- default:
- return 0;
- }
-
- if (invert)
- multiinfo->invert = 1;
-
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "multiport can only have one option");
- *flags = 1;
- return 1;
-}
-
-/* Final check; must specify something. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "multiport expection an option");
-}
-
-static char *
-port_to_service(int port, u_int8_t proto)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port), proto_to_name(proto))))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, u_int8_t protocol, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port, protocol)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_multiport *multiinfo
- = (const struct ipt_multiport *)match->data;
- unsigned int i;
-
- printf("multiport ");
-
- switch (multiinfo->flags) {
- case IPT_MULTIPORT_SOURCE:
- printf("sports ");
- break;
-
- case IPT_MULTIPORT_DESTINATION:
- printf("dports ");
- break;
-
- case IPT_MULTIPORT_EITHER:
- printf("ports ");
- break;
-
- default:
- printf("ERROR ");
- break;
- }
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], ip->proto, numeric);
- }
- printf(" ");
-}
-
-static void
-print_v1(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_multiport_v1 *multiinfo
- = (const struct ipt_multiport_v1 *)match->data;
- unsigned int i;
-
- printf("multiport ");
-
- switch (multiinfo->flags) {
- case IPT_MULTIPORT_SOURCE:
- printf("sports ");
- break;
-
- case IPT_MULTIPORT_DESTINATION:
- printf("dports ");
- break;
-
- case IPT_MULTIPORT_EITHER:
- printf("ports ");
- break;
-
- default:
- printf("ERROR ");
- break;
- }
-
- if (multiinfo->invert)
- printf("! ");
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], ip->proto, numeric);
- if (multiinfo->pflags[i]) {
- printf(":");
- print_port(multiinfo->ports[++i], ip->proto, numeric);
- }
- }
- printf(" ");
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_multiport *multiinfo
- = (const struct ipt_multiport *)match->data;
- unsigned int i;
-
- switch (multiinfo->flags) {
- case IPT_MULTIPORT_SOURCE:
- printf("--sports ");
- break;
-
- case IPT_MULTIPORT_DESTINATION:
- printf("--dports ");
- break;
-
- case IPT_MULTIPORT_EITHER:
- printf("--ports ");
- break;
- }
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], ip->proto, 1);
- }
- printf(" ");
-}
-
-static void save_v1(const struct ipt_ip *ip,
- const struct ipt_entry_match *match)
-{
- const struct ipt_multiport_v1 *multiinfo
- = (const struct ipt_multiport_v1 *)match->data;
- unsigned int i;
-
- switch (multiinfo->flags) {
- case IPT_MULTIPORT_SOURCE:
- printf("--sports ");
- break;
-
- case IPT_MULTIPORT_DESTINATION:
- printf("--dports ");
- break;
-
- case IPT_MULTIPORT_EITHER:
- printf("--ports ");
- break;
- }
-
- if (multiinfo->invert)
- printf("! ");
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], ip->proto, 1);
- if (multiinfo->pflags[i]) {
- printf(":");
- print_port(multiinfo->ports[++i], ip->proto, 1);
- }
- }
- printf(" ");
-}
-
-static struct iptables_match multiport = {
- .next = NULL,
- .name = "multiport",
- .revision = 0,
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_multiport)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-static struct iptables_match multiport_v1 = {
- .next = NULL,
- .name = "multiport",
- .version = IPTABLES_VERSION,
- .revision = 1,
- .size = IPT_ALIGN(sizeof(struct ipt_multiport_v1)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport_v1)),
- .help = &help_v1,
- .init = &init,
- .parse = &parse_v1,
- .final_check = &final_check,
- .print = &print_v1,
- .save = &save_v1,
- .extra_opts = opts
-};
-
-void
-ipt_multiport_init(void)
-{
- register_match(&multiport);
- register_match(&multiport_v1);
-}
diff --git a/extensions/libipt_multiport.man b/extensions/libipt_multiport.man
deleted file mode 100644
index ba760e9..0000000
--- a/extensions/libipt_multiport.man
+++ /dev/null
@@ -1,20 +0,0 @@
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. A port range (port:port) counts as two
-ports. It can only be used in conjunction with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if either the source or destination ports are equal to one of
-the given ports.
diff --git a/extensions/libipt_owner.c b/extensions/libipt_owner.c
deleted file mode 100644
index 89e1a7c..0000000
--- a/extensions/libipt_owner.c
+++ /dev/null
@@ -1,250 +0,0 @@
-/* Shared library add-on to iptables to add OWNER matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <pwd.h>
-#include <grp.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_owner.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
-#ifdef IPT_OWNER_COMM
- printf(
-"OWNER match v%s options:\n"
-"[!] --uid-owner userid Match local uid\n"
-"[!] --gid-owner groupid Match local gid\n"
-"[!] --pid-owner processid Match local pid\n"
-"[!] --sid-owner sessionid Match local sid\n"
-"[!] --cmd-owner name Match local command name\n"
-"NOTE: pid, sid and command matching are broken on SMP\n"
-"\n",
-IPTABLES_VERSION);
-#else
- printf(
-"OWNER match v%s options:\n"
-"[!] --uid-owner userid Match local uid\n"
-"[!] --gid-owner groupid Match local gid\n"
-"[!] --pid-owner processid Match local pid\n"
-"[!] --sid-owner sessionid Match local sid\n"
-"NOTE: pid and sid matching are broken on SMP\n"
-"\n",
-IPTABLES_VERSION);
-#endif /* IPT_OWNER_COMM */
-}
-
-static struct option opts[] = {
- { "uid-owner", 1, 0, '1' },
- { "gid-owner", 1, 0, '2' },
- { "pid-owner", 1, 0, '3' },
- { "sid-owner", 1, 0, '4' },
-#ifdef IPT_OWNER_COMM
- { "cmd-owner", 1, 0, '5' },
-#endif
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_owner_info *ownerinfo = (struct ipt_owner_info *)(*match)->data;
-
- switch (c) {
- char *end;
- struct passwd *pwd;
- struct group *grp;
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
- if ((pwd = getpwnam(optarg)))
- ownerinfo->uid = pwd->pw_uid;
- else {
- ownerinfo->uid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", optarg);
- }
- if (invert)
- ownerinfo->invert |= IPT_OWNER_UID;
- ownerinfo->match |= IPT_OWNER_UID;
- *flags = 1;
- break;
-
- case '2':
- check_inverse(optarg, &invert, &optind, 0);
- if ((grp = getgrnam(optarg)))
- ownerinfo->gid = grp->gr_gid;
- else {
- ownerinfo->gid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", optarg);
- }
- if (invert)
- ownerinfo->invert |= IPT_OWNER_GID;
- ownerinfo->match |= IPT_OWNER_GID;
- *flags = 1;
- break;
-
- case '3':
- check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->pid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", optarg);
- if (invert)
- ownerinfo->invert |= IPT_OWNER_PID;
- ownerinfo->match |= IPT_OWNER_PID;
- *flags = 1;
- break;
-
- case '4':
- check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->sid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", optarg);
- if (invert)
- ownerinfo->invert |= IPT_OWNER_SID;
- ownerinfo->match |= IPT_OWNER_SID;
- *flags = 1;
- break;
-
-#ifdef IPT_OWNER_COMM
- case '5':
- check_inverse(optarg, &invert, &optind, 0);
- if(strlen(optarg) > sizeof(ownerinfo->comm))
- exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %u characters", optarg, (unsigned int)sizeof(ownerinfo->comm));
-
- strncpy(ownerinfo->comm, optarg, sizeof(ownerinfo->comm));
- ownerinfo->comm[sizeof(ownerinfo->comm)-1] = '\0';
-
- if (invert)
- ownerinfo->invert |= IPT_OWNER_COMM;
- ownerinfo->match |= IPT_OWNER_COMM;
- *flags = 1;
- break;
-#endif
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_item(struct ipt_owner_info *info, u_int8_t flag, int numeric, char *label)
-{
- if(info->match & flag) {
-
- if (info->invert & flag)
- printf("! ");
-
- printf(label);
-
- switch(info->match & flag) {
- case IPT_OWNER_UID:
- if(!numeric) {
- struct passwd *pwd = getpwuid(info->uid);
-
- if(pwd && pwd->pw_name) {
- printf("%s ", pwd->pw_name);
- break;
- }
- /* FALLTHROUGH */
- }
- printf("%u ", info->uid);
- break;
- case IPT_OWNER_GID:
- if(!numeric) {
- struct group *grp = getgrgid(info->gid);
-
- if(grp && grp->gr_name) {
- printf("%s ", grp->gr_name);
- break;
- }
- /* FALLTHROUGH */
- }
- printf("%u ", info->gid);
- break;
- case IPT_OWNER_PID:
- printf("%u ", info->pid);
- break;
- case IPT_OWNER_SID:
- printf("%u ", info->sid);
- break;
-#ifdef IPT_OWNER_COMM
- case IPT_OWNER_COMM:
- printf("%.*s ", (int)sizeof(info->comm), info->comm);
- break;
-#endif
- default:
- break;
- }
- }
-}
-
-/* Final check; must have specified --own. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "OWNER match: You must specify one or more options");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_owner_info *info = (struct ipt_owner_info *)match->data;
-
- print_item(info, IPT_OWNER_UID, numeric, "OWNER UID match ");
- print_item(info, IPT_OWNER_GID, numeric, "OWNER GID match ");
- print_item(info, IPT_OWNER_PID, numeric, "OWNER PID match ");
- print_item(info, IPT_OWNER_SID, numeric, "OWNER SID match ");
-#ifdef IPT_OWNER_COMM
- print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
-#endif
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_owner_info *info = (struct ipt_owner_info *)match->data;
-
- print_item(info, IPT_OWNER_UID, 0, "--uid-owner ");
- print_item(info, IPT_OWNER_GID, 0, "--gid-owner ");
- print_item(info, IPT_OWNER_PID, 0, "--pid-owner ");
- print_item(info, IPT_OWNER_SID, 0, "--sid-owner ");
-#ifdef IPT_OWNER_COMM
- print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
-#endif
-}
-
-static struct iptables_match owner = {
- .next = NULL,
- .name = "owner",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_owner_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_owner_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_owner_init(void)
-{
- register_match(&owner);
-}
diff --git a/extensions/libipt_owner.man b/extensions/libipt_owner.man
deleted file mode 100644
index b635e7d..0000000
--- a/extensions/libipt_owner.man
+++ /dev/null
@@ -1,28 +0,0 @@
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMP ping responses) may
-have no owner, and hence never match.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
-.TP
-.BI "--cmd-owner " "name"
-Matches if the packet was created by a process with the given command name.
-(this option is present only if iptables was compiled under a kernel
-supporting this feature)
-.TP
-.B NOTE: pid, sid and command matching are broken on SMP
diff --git a/extensions/libipt_physdev.c b/extensions/libipt_physdev.c
deleted file mode 100644
index ab87cf8..0000000
--- a/extensions/libipt_physdev.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/* Shared library add-on to iptables to add bridge port matching support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_physdev.h>
-#if defined(__GLIBC__) && __GLIBC__ == 2
-#include <net/ethernet.h>
-#else
-#include <linux/if_ether.h>
-#endif
-
-static void
-help(void)
-{
- printf(
-"physdev v%s options:\n"
-" --physdev-in [!] input name[+] bridge port name ([+] for wildcard)\n"
-" --physdev-out [!] output name[+] bridge port name ([+] for wildcard)\n"
-" [!] --physdev-is-in arrived on a bridge device\n"
-" [!] --physdev-is-out will leave on a bridge device\n"
-" [!] --physdev-is-bridged it's a bridged packet\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "physdev-in", 1, 0, '1' },
- { "physdev-out", 1, 0, '2' },
- { "physdev-is-in", 0, 0, '3' },
- { "physdev-is-out", 0, 0, '4' },
- { "physdev-is-bridged", 0, 0, '5' },
- {0}
-};
-
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_physdev_info *info =
- (struct ipt_physdev_info*)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IPT_PHYSDEV_OP_IN)
- goto multiple_use;
- check_inverse(optarg, &invert, &optind, 0);
- parse_interface(argv[optind-1], info->physindev,
- (unsigned char *)info->in_mask);
- if (invert)
- info->invert |= IPT_PHYSDEV_OP_IN;
- info->bitmask |= IPT_PHYSDEV_OP_IN;
- *flags |= IPT_PHYSDEV_OP_IN;
- break;
-
- case '2':
- if (*flags & IPT_PHYSDEV_OP_OUT)
- goto multiple_use;
- check_inverse(optarg, &invert, &optind, 0);
- parse_interface(argv[optind-1], info->physoutdev,
- (unsigned char *)info->out_mask);
- if (invert)
- info->invert |= IPT_PHYSDEV_OP_OUT;
- info->bitmask |= IPT_PHYSDEV_OP_OUT;
- *flags |= IPT_PHYSDEV_OP_OUT;
- break;
-
- case '3':
- if (*flags & IPT_PHYSDEV_OP_ISIN)
- goto multiple_use;
- check_inverse(optarg, &invert, &optind, 0);
- info->bitmask |= IPT_PHYSDEV_OP_ISIN;
- if (invert)
- info->invert |= IPT_PHYSDEV_OP_ISIN;
- *flags |= IPT_PHYSDEV_OP_ISIN;
- break;
-
- case '4':
- if (*flags & IPT_PHYSDEV_OP_ISOUT)
- goto multiple_use;
- check_inverse(optarg, &invert, &optind, 0);
- info->bitmask |= IPT_PHYSDEV_OP_ISOUT;
- if (invert)
- info->invert |= IPT_PHYSDEV_OP_ISOUT;
- *flags |= IPT_PHYSDEV_OP_ISOUT;
- break;
-
- case '5':
- if (*flags & IPT_PHYSDEV_OP_BRIDGED)
- goto multiple_use;
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- info->invert |= IPT_PHYSDEV_OP_BRIDGED;
- *flags |= IPT_PHYSDEV_OP_BRIDGED;
- info->bitmask |= IPT_PHYSDEV_OP_BRIDGED;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-multiple_use:
- exit_error(PARAMETER_PROBLEM,
- "multiple use of the same physdev option is not allowed");
-
-}
-
-static void final_check(unsigned int flags)
-{
- if (flags == 0)
- exit_error(PARAMETER_PROBLEM, "PHYSDEV: no physdev option specified");
-}
-
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_physdev_info *info =
- (struct ipt_physdev_info*)match->data;
-
- printf("PHYSDEV match");
- if (info->bitmask & IPT_PHYSDEV_OP_ISIN)
- printf("%s --physdev-is-in",
- info->invert & IPT_PHYSDEV_OP_ISIN ? " !":"");
- if (info->bitmask & IPT_PHYSDEV_OP_IN)
- printf("%s --physdev-in %s",
- (info->invert & IPT_PHYSDEV_OP_IN) ? " !":"", info->physindev);
-
- if (info->bitmask & IPT_PHYSDEV_OP_ISOUT)
- printf("%s --physdev-is-out",
- info->invert & IPT_PHYSDEV_OP_ISOUT ? " !":"");
- if (info->bitmask & IPT_PHYSDEV_OP_OUT)
- printf("%s --physdev-out %s",
- (info->invert & IPT_PHYSDEV_OP_OUT) ? " !":"", info->physoutdev);
- if (info->bitmask & IPT_PHYSDEV_OP_BRIDGED)
- printf("%s --physdev-is-bridged",
- info->invert & IPT_PHYSDEV_OP_BRIDGED ? " !":"");
- printf(" ");
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_physdev_info *info =
- (struct ipt_physdev_info*)match->data;
-
- if (info->bitmask & IPT_PHYSDEV_OP_ISIN)
- printf("%s --physdev-is-in",
- info->invert & IPT_PHYSDEV_OP_ISIN ? " !":"");
- if (info->bitmask & IPT_PHYSDEV_OP_IN)
- printf("%s --physdev-in %s",
- (info->invert & IPT_PHYSDEV_OP_IN) ? " !":"", info->physindev);
-
- if (info->bitmask & IPT_PHYSDEV_OP_ISOUT)
- printf("%s --physdev-is-out",
- info->invert & IPT_PHYSDEV_OP_ISOUT ? " !":"");
- if (info->bitmask & IPT_PHYSDEV_OP_OUT)
- printf("%s --physdev-out %s",
- (info->invert & IPT_PHYSDEV_OP_OUT) ? " !":"", info->physoutdev);
- if (info->bitmask & IPT_PHYSDEV_OP_BRIDGED)
- printf("%s --physdev-is-bridged",
- info->invert & IPT_PHYSDEV_OP_BRIDGED ? " !":"");
- printf(" ");
-}
-
-static struct iptables_match physdev = {
- .next = NULL,
- .name = "physdev",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_physdev_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_physdev_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_physdev_init(void)
-{
- register_match(&physdev);
-}
diff --git a/extensions/libipt_physdev.man b/extensions/libipt_physdev.man
deleted file mode 100644
index 1e635fc..0000000
--- a/extensions/libipt_physdev.man
+++ /dev/null
@@ -1,42 +0,0 @@
-This module matches on the bridge port input and output devices enslaved
-to a bridge device. This module is a part of the infrastructure that enables
-a transparent bridging IP firewall and is only useful for kernel versions
-above version 2.5.44.
-.TP
-.BR --physdev-in " [!] \fIname\fP"
-Name of a bridge port via which a packet is received (only for
-packets entering the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. If the packet didn't arrive
-through a bridge device, this packet won't match this option, unless '!' is used.
-.TP
-.BR --physdev-out " [!] \fIname\fP"
-Name of a bridge port via which a packet is going to be sent (for packets
-entering the
-.BR FORWARD ,
-.B OUTPUT
-and
-.B POSTROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. Note that in the
-.BR nat " and " mangle
-.B OUTPUT
-chains one cannot match on the bridge output port, however one can in the
-.B "filter OUTPUT"
-chain. If the packet won't leave by a bridge device or it is yet unknown what
-the output device will be, then the packet won't match this option, unless
-'!' is used.
-.TP
-.RB "[!] " --physdev-is-in
-Matches if the packet has entered through a bridge interface.
-.TP
-.RB "[!] " --physdev-is-out
-Matches if the packet will leave through a bridge interface.
-.TP
-.RB "[!] " --physdev-is-bridged
-Matches if the packet is being bridged and therefore is not being routed.
-This is only useful in the FORWARD and POSTROUTING chains.
diff --git a/extensions/libipt_pkttype.c b/extensions/libipt_pkttype.c
deleted file mode 100644
index 7fa1c99..0000000
--- a/extensions/libipt_pkttype.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * Shared library add-on to iptables to match
- * packets by their type (BROADCAST, UNICAST, MULTICAST).
- *
- * Michal Ludvig <michal@logix.cz>
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#if defined(__GLIBC__) && __GLIBC__ == 2
-#include <net/ethernet.h>
-#else
-#include <linux/if_ether.h>
-#endif
-#include <iptables.h>
-#include <linux/if_packet.h>
-#include <linux/netfilter_ipv4/ipt_pkttype.h>
-
-#define PKTTYPE_VERSION "0.1"
-
-struct pkttypes {
- const char *name;
- unsigned char pkttype;
- unsigned char printhelp;
- const char *help;
-};
-
-static const struct pkttypes supported_types[] = {
- {"unicast", PACKET_HOST, 1, "to us"},
- {"broadcast", PACKET_BROADCAST, 1, "to all"},
- {"multicast", PACKET_MULTICAST, 1, "to group"},
-/*
- {"otherhost", PACKET_OTHERHOST, 1, "to someone else"},
- {"outgoing", PACKET_OUTGOING, 1, "outgoing of any type"},
-*/
- /* aliases */
- {"bcast", PACKET_BROADCAST, 0, NULL},
- {"mcast", PACKET_MULTICAST, 0, NULL},
- {"host", PACKET_HOST, 0, NULL}
-};
-
-static void print_types()
-{
- unsigned int i;
-
- printf("Valid packet types:\n");
- for (i = 0; i < sizeof(supported_types)/sizeof(struct pkttypes); i++)
- {
- if(supported_types[i].printhelp == 1)
- printf("\t%-14s\t\t%s\n", supported_types[i].name, supported_types[i].help);
- }
- printf("\n");
-}
-
-/* Function which prints out usage message. */
-static void help(void)
-{
- printf(
-"pkt_type v%s options:\n"
-" --pkt-type [!] packettype\tmatch packet type\n"
-"\n", PKTTYPE_VERSION);
- print_types();
-}
-
-static struct option opts[] = {
- {"pkt-type", 1, 0, '1'},
- {0}
-};
-
-static void parse_pkttype(const char *pkttype, struct ipt_pkttype_info *info)
-{
- unsigned int i;
-
- for (i = 0; i < sizeof(supported_types)/sizeof(struct pkttypes); i++)
- {
- if(strcasecmp(pkttype, supported_types[i].name)==0)
- {
- info->pkttype=supported_types[i].pkttype;
- return;
- }
- }
-
- exit_error(PARAMETER_PROBLEM, "Bad packet type '%s'", pkttype);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_pkttype_info *info = (struct ipt_pkttype_info *)(*match)->data;
-
- switch(c)
- {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
- parse_pkttype(argv[optind-1], info);
- if(invert)
- info->invert=1;
- *flags=1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "You must specify `--pkt-type'");
-}
-
-static void print_pkttype(struct ipt_pkttype_info *info)
-{
- unsigned int i;
-
- for (i = 0; i < sizeof(supported_types)/sizeof(struct pkttypes); i++)
- {
- if(supported_types[i].pkttype==info->pkttype)
- {
- printf("%s ", supported_types[i].name);
- return;
- }
- }
-
- printf("%d ", info->pkttype); /* in case we didn't find an entry in named-packtes */
-}
-
-static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric)
-{
- struct ipt_pkttype_info *info = (struct ipt_pkttype_info *)match->data;
-
- printf("PKTTYPE %s= ", info->invert?"!":"");
- print_pkttype(info);
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_pkttype_info *info = (struct ipt_pkttype_info *)match->data;
-
- printf("--pkt-type %s", info->invert?"! ":"");
- print_pkttype(info);
-}
-
-static struct iptables_match pkttype = {
- .next = NULL,
- .name = "pkttype",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_pkttype_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_pkttype_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_pkttype_init(void)
-{
- register_match(&pkttype);
-}
diff --git a/extensions/libipt_pkttype.man b/extensions/libipt_pkttype.man
deleted file mode 100644
index b52810b..0000000
--- a/extensions/libipt_pkttype.man
+++ /dev/null
@@ -1,3 +0,0 @@
-This module matches the link-layer packet type.
-.TP
-.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
diff --git a/extensions/libipt_policy.c b/extensions/libipt_policy.c
deleted file mode 100644
index cd8b43d..0000000
--- a/extensions/libipt_policy.c
+++ /dev/null
@@ -1,436 +0,0 @@
-/* Shared library add-on to iptables to add policy support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <netdb.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <iptables.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "../include/linux/netfilter_ipv4/ipt_policy.h"
-
-/*
- * HACK: global pointer to current matchinfo for making
- * final checks and adjustments in final_check.
- */
-static struct ipt_policy_info *policy_info;
-
-static void help(void)
-{
- printf(
-"policy v%s options:\n"
-" --dir in|out match policy applied during decapsulation/\n"
-" policy to be applied during encapsulation\n"
-" --pol none|ipsec match policy\n"
-" --strict match entire policy instead of single element\n"
-" at any position\n"
-"[!] --reqid reqid match reqid\n"
-"[!] --spi spi match SPI\n"
-"[!] --proto proto match protocol (ah/esp/ipcomp)\n"
-"[!] --mode mode match mode (transport/tunnel)\n"
-"[!] --tunnel-src addr/mask match tunnel source\n"
-"[!] --tunnel-dst addr/mask match tunnel destination\n"
-" --next begin next element in policy\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] =
-{
- {
- .name = "dir",
- .has_arg = 1,
- .val = '1',
- },
- {
- .name = "pol",
- .has_arg = 1,
- .val = '2',
- },
- {
- .name = "strict",
- .val = '3'
- },
- {
- .name = "reqid",
- .has_arg = 1,
- .val = '4',
- },
- {
- .name = "spi",
- .has_arg = 1,
- .val = '5'
- },
- {
- .name = "tunnel-src",
- .has_arg = 1,
- .val = '6'
- },
- {
- .name = "tunnel-dst",
- .has_arg = 1,
- .val = '7'
- },
- {
- .name = "proto",
- .has_arg = 1,
- .val = '8'
- },
- {
- .name = "mode",
- .has_arg = 1,
- .val = '9'
- },
- {
- .name = "next",
- .val = 'a'
- },
- { }
-};
-
-static void init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- *nfcache |= NFC_UNKNOWN;
-}
-
-static int parse_direction(char *s)
-{
- if (strcmp(s, "in") == 0)
- return IPT_POLICY_MATCH_IN;
- if (strcmp(s, "out") == 0)
- return IPT_POLICY_MATCH_OUT;
- exit_error(PARAMETER_PROBLEM, "policy_match: invalid dir `%s'", s);
-}
-
-static int parse_policy(char *s)
-{
- if (strcmp(s, "none") == 0)
- return IPT_POLICY_MATCH_NONE;
- if (strcmp(s, "ipsec") == 0)
- return 0;
- exit_error(PARAMETER_PROBLEM, "policy match: invalid policy `%s'", s);
-}
-
-static int parse_mode(char *s)
-{
- if (strcmp(s, "transport") == 0)
- return IPT_POLICY_MODE_TRANSPORT;
- if (strcmp(s, "tunnel") == 0)
- return IPT_POLICY_MODE_TUNNEL;
- exit_error(PARAMETER_PROBLEM, "policy match: invalid mode `%s'", s);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_policy_info *info = (void *)(*match)->data;
- struct ipt_policy_elem *e = &info->pol[info->len];
- struct in_addr *addr = NULL, mask;
- unsigned int naddr = 0;
- int mode;
-
- check_inverse(optarg, &invert, &optind, 0);
-
- switch (c) {
- case '1':
- if (info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --dir option");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --dir option");
-
- info->flags |= parse_direction(argv[optind-1]);
- break;
- case '2':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --policy option");
-
- info->flags |= parse_policy(argv[optind-1]);
- break;
- case '3':
- if (info->flags & IPT_POLICY_MATCH_STRICT)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --strict option");
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --strict option");
-
- info->flags |= IPT_POLICY_MATCH_STRICT;
- break;
- case '4':
- if (e->match.reqid)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --reqid option");
-
- e->match.reqid = 1;
- e->invert.reqid = invert;
- e->reqid = strtol(argv[optind-1], NULL, 10);
- break;
- case '5':
- if (e->match.spi)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --spi option");
-
- e->match.spi = 1;
- e->invert.spi = invert;
- e->spi = strtol(argv[optind-1], NULL, 0x10);
- break;
- case '6':
- if (e->match.saddr)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --tunnel-src option");
-
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
- if (naddr > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: name resolves to multiple IPs");
-
- e->match.saddr = 1;
- e->invert.saddr = invert;
- e->saddr.a4 = addr[0];
- e->smask.a4 = mask;
- break;
- case '7':
- if (e->match.daddr)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --tunnel-dst option");
-
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
- if (naddr > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: name resolves to multiple IPs");
-
- e->match.daddr = 1;
- e->invert.daddr = invert;
- e->daddr.a4 = addr[0];
- e->dmask.a4 = mask;
- break;
- case '8':
- if (e->match.proto)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --proto option");
-
- e->proto = parse_protocol(argv[optind-1]);
- if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
- e->proto != IPPROTO_COMP)
- exit_error(PARAMETER_PROBLEM,
- "policy match: protocol must ah/esp/ipcomp");
- e->match.proto = 1;
- e->invert.proto = invert;
- break;
- case '9':
- if (e->match.mode)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --mode option");
-
- mode = parse_mode(argv[optind-1]);
- e->match.mode = 1;
- e->invert.mode = invert;
- e->mode = mode;
- break;
- case 'a':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --next option");
-
- if (++info->len == IPT_POLICY_MAX_ELEM)
- exit_error(PARAMETER_PROBLEM,
- "policy match: maximum policy depth reached");
- break;
- default:
- return 0;
- }
-
- policy_info = info;
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- struct ipt_policy_info *info = policy_info;
- struct ipt_policy_elem *e;
- int i;
-
- if (info == NULL)
- exit_error(PARAMETER_PROBLEM,
- "policy match: no parameters given");
-
- if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT)))
- exit_error(PARAMETER_PROBLEM,
- "policy match: neither --in nor --out specified");
-
- if (info->flags & IPT_POLICY_MATCH_NONE) {
- if (info->flags & IPT_POLICY_MATCH_STRICT)
- exit_error(PARAMETER_PROBLEM,
- "policy match: policy none but --strict given");
-
- if (info->len != 0)
- exit_error(PARAMETER_PROBLEM,
- "policy match: policy none but policy given");
- } else
- info->len++; /* increase len by 1, no --next after last element */
-
- if (!(info->flags & IPT_POLICY_MATCH_STRICT) && info->len > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: multiple elements but no --strict");
-
- for (i = 0; i < info->len; i++) {
- e = &info->pol[i];
-
- if (info->flags & IPT_POLICY_MATCH_STRICT &&
- !(e->match.reqid || e->match.spi || e->match.saddr ||
- e->match.daddr || e->match.proto || e->match.mode))
- exit_error(PARAMETER_PROBLEM,
- "policy match: empty policy element");
-
- if ((e->match.saddr || e->match.daddr)
- && ((e->mode == IPT_POLICY_MODE_TUNNEL && e->invert.mode) ||
- (e->mode == IPT_POLICY_MODE_TRANSPORT && !e->invert.mode)))
- exit_error(PARAMETER_PROBLEM,
- "policy match: --tunnel-src/--tunnel-dst "
- "is only valid in tunnel mode");
- }
-}
-
-static void print_mode(char *prefix, u_int8_t mode, int numeric)
-{
- printf("%smode ", prefix);
-
- switch (mode) {
- case IPT_POLICY_MODE_TRANSPORT:
- printf("transport ");
- break;
- case IPT_POLICY_MODE_TUNNEL:
- printf("tunnel ");
- break;
- default:
- printf("??? ");
- break;
- }
-}
-
-static void print_proto(char *prefix, u_int8_t proto, int numeric)
-{
- struct protoent *p = NULL;
-
- printf("%sproto ", prefix);
- if (!numeric)
- p = getprotobynumber(proto);
- if (p != NULL)
- printf("%s ", p->p_name);
- else
- printf("%u ", proto);
-}
-
-#define PRINT_INVERT(x) \
-do { \
- if (x) \
- printf("! "); \
-} while(0)
-
-static void print_entry(char *prefix, const struct ipt_policy_elem *e,
- int numeric)
-{
- if (e->match.reqid) {
- PRINT_INVERT(e->invert.reqid);
- printf("%sreqid %u ", prefix, e->reqid);
- }
- if (e->match.spi) {
- PRINT_INVERT(e->invert.spi);
- printf("%sspi 0x%x ", prefix, e->spi);
- }
- if (e->match.proto) {
- PRINT_INVERT(e->invert.proto);
- print_proto(prefix, e->proto, numeric);
- }
- if (e->match.mode) {
- PRINT_INVERT(e->invert.mode);
- print_mode(prefix, e->mode, numeric);
- }
- if (e->match.daddr) {
- PRINT_INVERT(e->invert.daddr);
- printf("%stunnel-dst %s%s ", prefix,
- addr_to_dotted((struct in_addr *)&e->daddr),
- mask_to_dotted((struct in_addr *)&e->dmask));
- }
- if (e->match.saddr) {
- PRINT_INVERT(e->invert.saddr);
- printf("%stunnel-src %s%s ", prefix,
- addr_to_dotted((struct in_addr *)&e->saddr),
- mask_to_dotted((struct in_addr *)&e->smask));
- }
-}
-
-static void print_flags(char *prefix, const struct ipt_policy_info *info)
-{
- if (info->flags & IPT_POLICY_MATCH_IN)
- printf("%sdir in ", prefix);
- else
- printf("%sdir out ", prefix);
-
- if (info->flags & IPT_POLICY_MATCH_NONE)
- printf("%spol none ", prefix);
- else
- printf("%spol ipsec ", prefix);
-
- if (info->flags & IPT_POLICY_MATCH_STRICT)
- printf("%sstrict ", prefix);
-}
-
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_policy_info *info = (void *)match->data;
- unsigned int i;
-
- printf("policy match ");
- print_flags("", info);
- for (i = 0; i < info->len; i++) {
- if (info->len > 1)
- printf("[%u] ", i);
- print_entry("", &info->pol[i], numeric);
- }
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_policy_info *info = (void *)match->data;
- unsigned int i;
-
- print_flags("--", info);
- for (i = 0; i < info->len; i++) {
- print_entry("--", &info->pol[i], 0);
- if (i + 1 < info->len)
- printf("--next ");
- }
-}
-
-struct iptables_match policy = {
- .name = "policy",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_policy_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_policy_info)),
- .help = help,
- .init = init,
- .parse = parse,
- .final_check = final_check,
- .print = print,
- .save = save,
- .extra_opts = opts
-};
-
-void ipt_policy_init(void)
-{
- register_match(&policy);
-}
diff --git a/extensions/libipt_policy.man b/extensions/libipt_policy.man
deleted file mode 100644
index eed163e..0000000
--- a/extensions/libipt_policy.man
+++ /dev/null
@@ -1,48 +0,0 @@
-This modules matches the policy used by IPsec for handling a packet.
-.TP
-.BI "--dir " "in|out"
-Used to select whether to match the policy used for decapsulation or the
-policy that will be used for encapsulation.
-.B in
-is valid in the
-.B PREROUTING, INPUT and FORWARD
-chains,
-.B out
-is valid in the
-.B POSTROUTING, OUTPUT and FORWARD
-chains.
-.TP
-.BI "--pol " "none|ipsec"
-Matches if the packet is subject to IPsec processing.
-.TP
-.BI "--strict"
-Selects whether to match the exact policy or match if any rule of
-the policy matches the given policy.
-.TP
-.BI "--reqid " "id"
-Matches the reqid of the policy rule. The reqid can be specified with
-.B setkey(8)
-using
-.B unique:id
-as level.
-.TP
-.BI "--spi " "spi"
-Matches the SPI of the SA.
-.TP
-.BI "--proto " "ah|esp|ipcomp"
-Matches the encapsulation protocol.
-.TP
-.BI "--mode " "tunnel|transport"
-Matches the encapsulation mode.
-.TP
-.BI "--tunnel-src " "addr[/mask]"
-Matches the source end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--tunnel-dst " "addr[/mask]"
-Matches the destination end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--next"
-Start the next element in the policy specification. Can only be used with
---strict
diff --git a/extensions/libipt_quota.c b/extensions/libipt_quota.c
deleted file mode 100644
index 68e3672..0000000
--- a/extensions/libipt_quota.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Shared library add-on to iptables to add quota support
- *
- * Sam Johnston <samj@samj.net>
- */
-#include <stddef.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include <linux/netfilter/xt_quota.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-static struct option opts[] = {
- {"quota", 1, 0, '1'},
- {0}
-};
-
-/* print usage */
-static void
-help(void)
-{
- printf("quota options:\n"
- " --quota quota quota (bytes)\n" "\n");
-}
-
-/* print matchinfo */
-static void
-print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric)
-{
- struct xt_quota_info *q = (struct xt_quota_info *) match->data;
- printf("quota: %llu bytes", (unsigned long long) q->quota);
-}
-
-/* save matchinfo */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct xt_quota_info *q = (struct xt_quota_info *) match->data;
- printf("--quota %llu ", (unsigned long long) q->quota);
-}
-
-/* parse quota option */
-static int
-parse_quota(const char *s, u_int64_t * quota)
-{
- *quota = strtoull(s, (char **) NULL, 10);
-
-#ifdef DEBUG_IPT_QUOTA
- printf("Quota: %llu\n", *quota);
-#endif
-
- if (*quota == -1)
- exit_error(PARAMETER_PROBLEM, "quota invalid: '%s'\n", s);
- else
- return 1;
-}
-
-/* parse all options, returning true if we found any for us */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache, struct ipt_entry_match **match)
-{
- struct xt_quota_info *info = (struct xt_quota_info *) (*match)->data;
-
- switch (c) {
- case '1':
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM, "quota: unexpected '!'");
- if (!parse_quota(optarg, &info->quota))
- exit_error(PARAMETER_PROBLEM,
- "bad quota: '%s'", optarg);
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* no final check */
-static void
-final_check(unsigned int flags)
-{
-}
-
-struct iptables_match quota = {
- .next = NULL,
- .name = "quota",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof (struct xt_quota_info)),
- .userspacesize = offsetof(struct xt_quota_info, quota),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-ipt_quota_init(void)
-{
- register_match(&quota);
-}
diff --git a/extensions/libipt_quota.man b/extensions/libipt_quota.man
deleted file mode 100644
index 8a07ec0..0000000
--- a/extensions/libipt_quota.man
+++ /dev/null
@@ -1,7 +0,0 @@
-Implements network quotas by decrementing a byte counter with each
-packet.
-.TP
-.BI "--quota " "bytes"
-The quota in bytes.
-.P
-KNOWN BUGS: this does not work on SMP systems.
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
deleted file mode 100644
index 966d76e..0000000
--- a/extensions/libipt_realm.c
+++ /dev/null
@@ -1,272 +0,0 @@
-/* Shared library add-on to iptables to add realm matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <ctype.h>
-#include <getopt.h>
-#if defined(__GLIBC__) && __GLIBC__ == 2
-#include <net/ethernet.h>
-#else
-#include <linux/if_ether.h>
-#endif
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_realm.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"realm v%s options:\n"
-" --realm [!] value[/mask]\n"
-" Match realm\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "realm", 1, 0, '1' },
- {0}
-};
-
-struct realmname {
- int id;
- char* name;
- int len;
- struct realmname* next;
-};
-
-/* array of realms from /etc/iproute2/rt_realms */
-static struct realmname *realms = NULL;
-/* 1 if loading failed */
-static int rdberr = 0;
-
-
-void load_realms()
-{
- const char* rfnm = "/etc/iproute2/rt_realms";
- char buf[512];
- FILE *fil;
- char *cur, *nxt;
- int id;
- struct realmname *oldnm = NULL, *newnm = NULL;
-
- fil = fopen(rfnm, "r");
- if (!fil) {
- rdberr = 1;
- return;
- }
-
- while (fgets(buf, sizeof(buf), fil)) {
- cur = buf;
- while ((*cur == ' ') || (*cur == '\t'))
- cur++;
- if ((*cur == '#') || (*cur == '\n') || (*cur == 0))
- continue;
-
- /* iproute2 allows hex and dec format */
- errno = 0;
- id = strtoul(cur, &nxt, strncmp(cur, "0x", 2) ? 10 : 16);
- if ((nxt == cur) || errno)
- continue;
-
- /* same boundaries as in iproute2 */
- if (id < 0 || id > 255)
- continue;
- cur = nxt;
-
- if (!isspace(*cur))
- continue;
- while ((*cur == ' ') || (*cur == '\t'))
- cur++;
- if ((*cur == '#') || (*cur == '\n') || (*cur == 0))
- continue;
- nxt = cur;
- while ((*nxt != 0) && !isspace(*nxt))
- nxt++;
- if (nxt == cur)
- continue;
-
- /* found valid data */
- newnm = (struct realmname*)malloc(sizeof(struct realmname));
- if (newnm == NULL) {
- perror("libipt_realm: malloc failed");
- exit(1);
- }
- newnm->id = id;
- newnm->len = nxt - cur;
- newnm->name = (char*)malloc(newnm->len + 1);
- if (newnm->name == NULL) {
- perror("libipt_realm: malloc failed");
- exit(1);
- }
- strncpy(newnm->name, cur, newnm->len);
- newnm->name[newnm->len] = 0;
- newnm->next = NULL;
-
- if (oldnm)
- oldnm->next = newnm;
- else
- realms = newnm;
- oldnm = newnm;
- }
-
- fclose(fil);
-}
-
-/* get realm id for name, -1 if error/not found */
-int realm_name2id(const char* name)
-{
- struct realmname* cur;
-
- if ((realms == NULL) && (rdberr == 0))
- load_realms();
- cur = realms;
- if (cur == NULL)
- return -1;
- while (cur) {
- if (!strncmp(name, cur->name, cur->len + 1))
- return cur->id;
- cur = cur->next;
- }
- return -1;
-}
-
-/* get realm name for id, NULL if error/not found */
-const char* realm_id2name(int id)
-{
- struct realmname* cur;
-
- if ((realms == NULL) && (rdberr == 0))
- load_realms();
- cur = realms;
- if (cur == NULL)
- return NULL;
- while (cur) {
- if (id == cur->id)
- return cur->name;
- cur = cur->next;
- }
- return NULL;
-}
-
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_realm_info *realminfo = (struct ipt_realm_info *)(*match)->data;
- int id;
-
- switch (c) {
- char *end;
- case '1':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- end = optarg = argv[optind-1];
- realminfo->id = strtoul(optarg, &end, 0);
- if (end != optarg && (*end == '/' || *end == '\0')) {
- if (*end == '/')
- realminfo->mask = strtoul(end+1, &end, 0);
- else
- realminfo->mask = 0xffffffff;
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM,
- "Bad realm value `%s'", optarg);
- } else {
- id = realm_name2id(optarg);
- if (id == -1)
- exit_error(PARAMETER_PROBLEM,
- "Realm `%s' not found", optarg);
- realminfo->id = (u_int32_t)id;
- realminfo->mask = 0xffffffff;
- }
- if (invert)
- realminfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_realm(unsigned long id, unsigned long mask, int numeric)
-{
- const char* name = NULL;
-
- if (mask != 0xffffffff)
- printf("0x%lx/0x%lx ", id, mask);
- else {
- if (numeric == 0)
- name = realm_id2name(id);
- if (name)
- printf("%s ", name);
- else
- printf("0x%lx ", id);
- }
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_realm_info *ri = (struct ipt_realm_info *) match->data;
-
- if (ri->invert)
- printf("! ");
-
- printf("realm ");
- print_realm(ri->id, ri->mask, numeric);
-}
-
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_realm_info *ri = (struct ipt_realm_info *) match->data;
-
- if (ri->invert)
- printf("! ");
-
- printf("--realm ");
- print_realm(ri->id, ri->mask, 0);
-}
-
-/* Final check; must have specified --mark. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "realm match: You must specify `--realm'");
-}
-
-static struct iptables_match realm = { NULL,
- .name = "realm",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_realm_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_realm_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_realm_init(void)
-{
- register_match(&realm);
-}
-
-
diff --git a/extensions/libipt_realm.man b/extensions/libipt_realm.man
deleted file mode 100644
index b33da0e..0000000
--- a/extensions/libipt_realm.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This matches the routing realm. Routing realms are used in complex routing
-setups involving dynamic routing protocols like BGP.
-.TP
-.BI "--realm " "[!] " "value[/mask]"
-Matches a given realm number (and optionally mask). If not a number, value
-can be a named realm from /etc/iproute2/rt_realms (mask can not be used in
-that case).
diff --git a/extensions/libipt_recent.c b/extensions/libipt_recent.c
deleted file mode 100644
index beb180c..0000000
--- a/extensions/libipt_recent.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/* Shared library add-on to iptables to add recent matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_recent.h>
-
-/* Need these in order to not fail when compiling against an older kernel. */
-#ifndef RECENT_NAME
-#define RECENT_NAME "ipt_recent"
-#endif /* RECENT_NAME */
-
-#ifndef RECENT_VER
-#define RECENT_VER "unknown"
-#endif /* RECENT_VER */
-
-#ifndef IPT_RECENT_NAME_LEN
-#define IPT_RECENT_NAME_LEN 200
-#endif /* IPT_RECENT_NAME_LEN */
-
-/* Options for this module */
-static struct option opts[] = {
- { .name = "set", .has_arg = 0, .flag = 0, .val = 201 },
- { .name = "rcheck", .has_arg = 0, .flag = 0, .val = 202 },
- { .name = "update", .has_arg = 0, .flag = 0, .val = 203 },
- { .name = "seconds", .has_arg = 1, .flag = 0, .val = 204 },
- { .name = "hitcount", .has_arg = 1, .flag = 0, .val = 205 },
- { .name = "remove", .has_arg = 0, .flag = 0, .val = 206 },
- { .name = "rttl", .has_arg = 0, .flag = 0, .val = 207 },
- { .name = "name", .has_arg = 1, .flag = 0, .val = 208 },
- { .name = "rsource", .has_arg = 0, .flag = 0, .val = 209 },
- { .name = "rdest", .has_arg = 0, .flag = 0, .val = 210 },
- { .name = 0, .has_arg = 0, .flag = 0, .val = 0 }
-};
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"recent v%s options:\n"
-"[!] --set Add source address to list, always matches.\n"
-"[!] --rcheck Match if source address in list.\n"
-"[!] --update Match if source address in list, also update last-seen time.\n"
-"[!] --remove Match if source address in list, also removes that address from list.\n"
-" --seconds seconds For check and update commands above.\n"
-" Specifies that the match will only occur if source address last seen within\n"
-" the last 'seconds' seconds.\n"
-" --hitcount hits For check and update commands above.\n"
-" Specifies that the match will only occur if source address seen hits times.\n"
-" May be used in conjunction with the seconds option.\n"
-" --rttl For check and update commands above.\n"
-" Specifies that the match will only occur if the source address and the TTL\n"
-" match between this packet and the one which was set.\n"
-" Useful if you have problems with people spoofing their source address in order\n"
-" to DoS you via this module.\n"
-" --name name Name of the recent list to be used. DEFAULT used if none given.\n"
-" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
-" --rdest Match/Save the destination address of each packet in the recent list table.\n"
-RECENT_NAME " " RECENT_VER ": Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"
-,
-IPTABLES_VERSION);
-
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *match, unsigned int *nfcache)
-{
- struct ipt_recent_info *info = (struct ipt_recent_info *)(match)->data;
-
-
- strncpy(info->name,"DEFAULT",IPT_RECENT_NAME_LEN);
- /* eventhough IPT_RECENT_NAME_LEN is currently defined as 200,
- * better be safe, than sorry */
- info->name[IPT_RECENT_NAME_LEN-1] = '\0';
- info->side = IPT_RECENT_SOURCE;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data;
- switch (c) {
- case 201:
- if (*flags) exit_error(PARAMETER_PROBLEM,
- "recent: only one of `--set', `--rcheck' "
- "`--update' or `--remove' may be set");
- check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_SET;
- if (invert) info->invert = 1;
- *flags = 1;
- break;
-
- case 202:
- if (*flags) exit_error(PARAMETER_PROBLEM,
- "recent: only one of `--set', `--rcheck' "
- "`--update' or `--remove' may be set");
- check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_CHECK;
- if(invert) info->invert = 1;
- *flags = 1;
- break;
-
- case 203:
- if (*flags) exit_error(PARAMETER_PROBLEM,
- "recent: only one of `--set', `--rcheck' "
- "`--update' or `--remove' may be set");
- check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_UPDATE;
- if (invert) info->invert = 1;
- *flags = 1;
- break;
-
- case 206:
- if (*flags) exit_error(PARAMETER_PROBLEM,
- "recent: only one of `--set', `--rcheck' "
- "`--update' or `--remove' may be set");
- check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_REMOVE;
- if (invert) info->invert = 1;
- *flags = 1;
- break;
-
- case 204:
- info->seconds = atoi(optarg);
- break;
-
- case 205:
- info->hit_count = atoi(optarg);
- break;
-
- case 207:
- info->check_set |= IPT_RECENT_TTL;
- break;
-
- case 208:
- strncpy(info->name,optarg,IPT_RECENT_NAME_LEN);
- info->name[IPT_RECENT_NAME_LEN-1] = '\0';
- break;
-
- case 209:
- info->side = IPT_RECENT_SOURCE;
- break;
-
- case 210:
- info->side = IPT_RECENT_DEST;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified a specific option. */
-static void
-final_check(unsigned int flags)
-{
-
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "recent: you must specify one of `--set', `--rcheck' "
- "`--update' or `--remove'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
-
- if (info->invert)
- fputc('!', stdout);
-
- printf("recent: ");
- if(info->check_set & IPT_RECENT_SET) printf("SET ");
- if(info->check_set & IPT_RECENT_CHECK) printf("CHECK ");
- if(info->check_set & IPT_RECENT_UPDATE) printf("UPDATE ");
- if(info->check_set & IPT_RECENT_REMOVE) printf("REMOVE ");
- if(info->seconds) printf("seconds: %d ",info->seconds);
- if(info->hit_count) printf("hit_count: %d ",info->hit_count);
- if(info->check_set & IPT_RECENT_TTL) printf("TTL-Match ");
- if(info->name) printf("name: %s ",info->name);
- if(info->side == IPT_RECENT_SOURCE) printf("side: source ");
- if(info->side == IPT_RECENT_DEST) printf("side: dest");
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
-
- if (info->invert)
- printf("! ");
-
- if(info->check_set & IPT_RECENT_SET) printf("--set ");
- if(info->check_set & IPT_RECENT_CHECK) printf("--rcheck ");
- if(info->check_set & IPT_RECENT_UPDATE) printf("--update ");
- if(info->check_set & IPT_RECENT_REMOVE) printf("--remove ");
- if(info->seconds) printf("--seconds %d ",info->seconds);
- if(info->hit_count) printf("--hitcount %d ",info->hit_count);
- if(info->check_set & IPT_RECENT_TTL) printf("--rttl ");
- if(info->name) printf("--name %s ",info->name);
- if(info->side == IPT_RECENT_SOURCE) printf("--rsource ");
- if(info->side == IPT_RECENT_DEST) printf("--rdest ");
-}
-
-/* Structure for iptables to use to communicate with module */
-static struct iptables_match recent = {
- .next = NULL,
- .name = "recent",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_recent_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_recent_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_recent_init(void)
-{
- register_match(&recent);
-}
diff --git a/extensions/libipt_recent.man b/extensions/libipt_recent.man
deleted file mode 100644
index bf5d710..0000000
--- a/extensions/libipt_recent.man
+++ /dev/null
@@ -1,93 +0,0 @@
-Allows you to dynamically create a list of IP addresses and then match
-against that list in a few different ways.
-
-For example, you can create a `badguy' list out of people attempting
-to connect to port 139 on your firewall and then DROP all future
-packets from them without considering them.
-.TP
-.BI "--name " "name"
-Specify the list to use for the commands. If no name is given then 'DEFAULT'
-will be used.
-.TP
-[\fB!\fR] \fB--set\fR
-This will add the source address of the packet to the list. If the
-source address is already in the list, this will update the existing
-entry. This will always return success (or failure if `!' is passed
-in).
-.TP
-[\fB!\fR] \fB--rcheck\fR
-Check if the source address of the packet is currently in
-the list.
-.TP
-[\fB!\fR] \fB--update\fR
-Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
-matches.
-.TP
-[\fB!\fR] \fB--remove\fR
-Check if the source address of the packet is currently in the list and
-if so that address will be removed from the list and the rule will
-return true. If the address is not found, false is returned.
-.TP
-[\fB!\fR] \fB--seconds \fIseconds\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and was seen within the last given
-number of seconds.
-.TP
-[\fB!\fR] \fB--hitcount \fIhits\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and packets had been received greater
-than or equal to the given value. This option may be used along with
-\fB--seconds\fR to create an even narrower match requiring a certain
-number of hits within a specific time frame.
-.TP
-\fB--rttl\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and the TTL of the current packet
-matches that of the packet which hit the \fB--set\fR rule. This may be
-useful if you have problems with people faking their source address in
-order to DoS you via this module by disallowing others access to your
-site by sending bogus packets to you.
-.P
-Examples:
-.IP
-# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
-
-# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
-.P
-Official website (http://snowman.net/projects/ipt_recent/) also has
-some examples of usage.
-
-/proc/net/ipt_recent/* are the current lists of addresses and information
-about each entry of each list.
-
-Each file in /proc/net/ipt_recent/ can be read from to see the current list
-or written two using the following commands to modify the list:
-.TP
-echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Add to the DEFAULT list
-.TP
-echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Remove from the DEFAULT list
-.TP
-echo clear > /proc/net/ipt_recent/DEFAULT
-to empty the DEFAULT list.
-.P
-The module itself accepts parameters, defaults shown:
-.TP
-.BI "ip_list_tot=" "100"
-Number of addresses remembered per table
-.TP
-.BI "ip_pkt_list_tot=" "20"
-Number of packets per address remembered
-.TP
-.BI "ip_list_hash_size=" "0"
-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
-.TP
-.BI "ip_list_perms=" "0644"
-Permissions for /proc/net/ipt_recent/* files
-.TP
-.BI "debug=" "0"
-Set to 1 to get lots of debugging info
diff --git a/extensions/libipt_sctp.c b/extensions/libipt_sctp.c
deleted file mode 100644
index 6301953..0000000
--- a/extensions/libipt_sctp.c
+++ /dev/null
@@ -1,551 +0,0 @@
-/* Shared library add-on to iptables for SCTP matching
- *
- * (C) 2003 by Harald Welte <laforge@gnumonks.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- * libipt_ecn.c borrowed heavily from libipt_dscp.c
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <netinet/in.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-#ifndef ARRAY_SIZE
-#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
-#endif
-
-#include <linux/netfilter_ipv4/ipt_sctp.h>
-
-/* Some ZS!#@:$%*#$! has replaced the ELEMCOUNT macro in ipt_sctp.h with
- * ARRAY_SIZE without noticing that this file is used from userserspace,
- * and userspace doesn't have ARRAY_SIZE */
-
-#ifndef ELEMCOUNT
-#define ELEMCOUNT ARRAY_SIZE
-#endif
-
-#if 0
-#define DEBUGP(format, first...) printf(format, ##first)
-#define static
-#else
-#define DEBUGP(format, fist...)
-#endif
-
-static void
-print_chunk(u_int32_t chunknum, int numeric);
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m,
- unsigned int *nfcache)
-{
- int i;
- struct ipt_sctp_info *einfo = (struct ipt_sctp_info *)m->data;
-
- memset(einfo, 0, sizeof(struct ipt_sctp_info));
-
- for (i = 0; i < IPT_NUM_SCTP_FLAGS; i++) {
- einfo->flag_info[i].chunktype = -1;
- }
-}
-
-static void help(void)
-{
- printf(
-"SCTP match v%s options\n"
-" --source-port [!] port[:port] match source port(s)\n"
-" --sport ...\n"
-" --destination-port [!] port[:port] match destination port(s)\n"
-" --dport ...\n"
-" --chunk-types [!] (all|any|none) (chunktype[:flags])+ match if all, any or none of\n"
-" chunktypes are present\n"
-"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK ALL NONE\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "source-port", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "sport", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "destination-port", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "dport", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "chunk-types", .has_arg = 1, .flag = 0, .val = '3' },
- { .name = 0 }
-};
-
-static void
-parse_sctp_ports(const char *portstring,
- u_int16_t *ports)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(portstring);
- DEBUGP("%s\n", portstring);
- if ((cp = strchr(buffer, ':')) == NULL) {
- ports[0] = ports[1] = parse_port(buffer, "sctp");
- }
- else {
- *cp = '\0';
- cp++;
-
- ports[0] = buffer[0] ? parse_port(buffer, "sctp") : 0;
- ports[1] = cp[0] ? parse_port(cp, "sctp") : 0xFFFF;
-
- if (ports[0] > ports[1])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange (min > max)");
- }
- free(buffer);
-}
-
-struct sctp_chunk_names {
- const char *name;
- unsigned int chunk_type;
- const char *valid_flags;
-};
-
-/*'ALL' and 'NONE' will be treated specially. */
-static struct sctp_chunk_names sctp_chunk_names[]
-= { { .name = "DATA", .chunk_type = 0, .valid_flags = "-----UBE"},
- { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"},
- { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"},
- { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"},
- { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"},
- { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"},
- { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"},
- { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"},
- { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"},
- { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"},
- { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"},
- { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"},
- { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"},
- { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"},
- { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"},
- { .name = "ASCONF", .chunk_type = 31, .valid_flags = "--------"},
- { .name = "ASCONF_ACK", .chunk_type = 30, .valid_flags = "--------"},
-};
-
-static void
-save_chunk_flag_info(struct ipt_sctp_flag_info *flag_info,
- int *flag_count,
- int chunktype,
- int bit,
- int set)
-{
- int i;
-
- for (i = 0; i < *flag_count; i++) {
- if (flag_info[i].chunktype == chunktype) {
- DEBUGP("Previous match found\n");
- flag_info[i].chunktype = chunktype;
- flag_info[i].flag_mask |= (1 << bit);
- if (set) {
- flag_info[i].flag |= (1 << bit);
- }
-
- return;
- }
- }
-
- if (*flag_count == IPT_NUM_SCTP_FLAGS) {
- exit_error (PARAMETER_PROBLEM,
- "Number of chunk types with flags exceeds currently allowed limit."
- "Increasing this limit involves changing IPT_NUM_SCTP_FLAGS and"
- "recompiling both the kernel space and user space modules\n");
- }
-
- flag_info[*flag_count].chunktype = chunktype;
- flag_info[*flag_count].flag_mask |= (1 << bit);
- if (set) {
- flag_info[*flag_count].flag |= (1 << bit);
- }
- (*flag_count)++;
-}
-
-static void
-parse_sctp_chunk(struct ipt_sctp_info *einfo,
- const char *chunks)
-{
- char *ptr;
- char *buffer;
- unsigned int i, j;
- int found = 0;
- char *chunk_flags;
-
- buffer = strdup(chunks);
- DEBUGP("Buffer: %s\n", buffer);
-
- SCTP_CHUNKMAP_RESET(einfo->chunkmap);
-
- if (!strcasecmp(buffer, "ALL")) {
- SCTP_CHUNKMAP_SET_ALL(einfo->chunkmap);
- goto out;
- }
-
- if (!strcasecmp(buffer, "NONE")) {
- SCTP_CHUNKMAP_RESET(einfo->chunkmap);
- goto out;
- }
-
- for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
- found = 0;
- DEBUGP("Next Chunk type %s\n", ptr);
-
- if ((chunk_flags = strchr(ptr, ':')) != NULL) {
- *chunk_flags++ = 0;
- }
-
- for (i = 0; i < ELEMCOUNT(sctp_chunk_names); i++) {
- if (strcasecmp(sctp_chunk_names[i].name, ptr) == 0) {
- DEBUGP("Chunk num %d\n", sctp_chunk_names[i].chunk_type);
- SCTP_CHUNKMAP_SET(einfo->chunkmap,
- sctp_chunk_names[i].chunk_type);
- found = 1;
- break;
- }
- }
- if (!found)
- exit_error(PARAMETER_PROBLEM,
- "Unknown sctp chunk `%s'", ptr);
-
- if (chunk_flags) {
- DEBUGP("Chunk flags %s\n", chunk_flags);
- for (j = 0; j < strlen(chunk_flags); j++) {
- char *p;
- int bit;
-
- if ((p = strchr(sctp_chunk_names[i].valid_flags,
- toupper(chunk_flags[j]))) != NULL) {
- bit = p - sctp_chunk_names[i].valid_flags;
- bit = 7 - bit;
-
- save_chunk_flag_info(einfo->flag_info,
- &(einfo->flag_count), i, bit,
- isupper(chunk_flags[j]));
- } else {
- exit_error(PARAMETER_PROBLEM,
- "Invalid flags for chunk type %d\n", i);
- }
- }
- }
- }
-out:
- free(buffer);
-}
-
-static void
-parse_sctp_chunks(struct ipt_sctp_info *einfo,
- const char *match_type,
- const char *chunks)
-{
- DEBUGP("Match type: %s Chunks: %s\n", match_type, chunks);
- if (!strcasecmp(match_type, "ANY")) {
- einfo->chunk_match_type = SCTP_CHUNK_MATCH_ANY;
- } else if (!strcasecmp(match_type, "ALL")) {
- einfo->chunk_match_type = SCTP_CHUNK_MATCH_ALL;
- } else if (!strcasecmp(match_type, "ONLY")) {
- einfo->chunk_match_type = SCTP_CHUNK_MATCH_ONLY;
- } else {
- exit_error (PARAMETER_PROBLEM,
- "Match type has to be one of \"ALL\", \"ANY\" or \"ONLY\"");
- }
-
- SCTP_CHUNKMAP_RESET(einfo->chunkmap);
- parse_sctp_chunk(einfo, chunks);
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_sctp_info *einfo
- = (struct ipt_sctp_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IPT_SCTP_SRC_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--source-port' allowed");
- einfo->flags |= IPT_SCTP_SRC_PORTS;
- check_inverse(optarg, &invert, &optind, 0);
- parse_sctp_ports(argv[optind-1], einfo->spts);
- if (invert)
- einfo->invflags |= IPT_SCTP_SRC_PORTS;
- *flags |= IPT_SCTP_SRC_PORTS;
- break;
-
- case '2':
- if (*flags & IPT_SCTP_DEST_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--destination-port' allowed");
- einfo->flags |= IPT_SCTP_DEST_PORTS;
- check_inverse(optarg, &invert, &optind, 0);
- parse_sctp_ports(argv[optind-1], einfo->dpts);
- if (invert)
- einfo->invflags |= IPT_SCTP_DEST_PORTS;
- *flags |= IPT_SCTP_DEST_PORTS;
- break;
-
- case '3':
- if (*flags & IPT_SCTP_CHUNK_TYPES)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--chunk-types' allowed");
- check_inverse(optarg, &invert, &optind, 0);
-
- if (!argv[optind]
- || argv[optind][0] == '-' || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--chunk-types requires two args");
-
- einfo->flags |= IPT_SCTP_CHUNK_TYPES;
- parse_sctp_chunks(einfo, argv[optind-1], argv[optind]);
- if (invert)
- einfo->invflags |= IPT_SCTP_CHUNK_TYPES;
- optind++;
- *flags |= IPT_SCTP_CHUNK_TYPES;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-static char *
-port_to_service(int port)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port), "sctp")))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-static void
-print_ports(const char *name, u_int16_t min, u_int16_t max,
- int invert, int numeric)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- print_port(min, numeric);
- } else {
- printf("s:%s", inv);
- print_port(min, numeric);
- printf(":");
- print_port(max, numeric);
- }
- printf(" ");
- }
-}
-
-static void
-print_chunk_flags(u_int32_t chunknum, u_int8_t chunk_flags, u_int8_t chunk_flags_mask)
-{
- int i;
-
- DEBUGP("type: %d\tflags: %x\tflag mask: %x\n", chunknum, chunk_flags,
- chunk_flags_mask);
-
- if (chunk_flags_mask) {
- printf(":");
- }
-
- for (i = 7; i >= 0; i--) {
- if (chunk_flags_mask & (1 << i)) {
- if (chunk_flags & (1 << i)) {
- printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
- } else {
- printf("%c", tolower(sctp_chunk_names[chunknum].valid_flags[7-i]));
- }
- }
- }
-}
-
-static void
-print_chunk(u_int32_t chunknum, int numeric)
-{
- if (numeric) {
- printf("0x%04X", chunknum);
- }
- else {
- int i;
-
- for (i = 0; i < ELEMCOUNT(sctp_chunk_names); i++) {
- if (sctp_chunk_names[i].chunk_type == chunknum)
- printf("%s", sctp_chunk_names[chunknum].name);
- }
- }
-}
-
-static void
-print_chunks(u_int32_t chunk_match_type,
- const u_int32_t *chunkmap,
- const struct ipt_sctp_flag_info *flag_info,
- int flag_count,
- int numeric)
-{
- int i, j;
- int flag;
-
- switch (chunk_match_type) {
- case SCTP_CHUNK_MATCH_ANY: printf("any "); break;
- case SCTP_CHUNK_MATCH_ALL: printf("all "); break;
- case SCTP_CHUNK_MATCH_ONLY: printf("only "); break;
- default: printf("Never reach herer\n"); break;
- }
-
- if (SCTP_CHUNKMAP_IS_CLEAR(chunkmap)) {
- printf("NONE ");
- goto out;
- }
-
- if (SCTP_CHUNKMAP_IS_ALL_SET(chunkmap)) {
- printf("ALL ");
- goto out;
- }
-
- flag = 0;
- for (i = 0; i < 256; i++) {
- if (SCTP_CHUNKMAP_IS_SET(chunkmap, i)) {
- if (flag)
- printf(",");
- flag = 1;
- print_chunk(i, numeric);
- for (j = 0; j < flag_count; j++) {
- if (flag_info[j].chunktype == i) {
- print_chunk_flags(i, flag_info[j].flag,
- flag_info[j].flag_mask);
- }
- }
- }
- }
-
- if (flag)
- printf(" ");
-out:
- return;
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_sctp_info *einfo =
- (const struct ipt_sctp_info *)match->data;
-
- printf("sctp ");
-
- if (einfo->flags & IPT_SCTP_SRC_PORTS) {
- print_ports("spt", einfo->spts[0], einfo->spts[1],
- einfo->invflags & IPT_SCTP_SRC_PORTS,
- numeric);
- }
-
- if (einfo->flags & IPT_SCTP_DEST_PORTS) {
- print_ports("dpt", einfo->dpts[0], einfo->dpts[1],
- einfo->invflags & IPT_SCTP_DEST_PORTS,
- numeric);
- }
-
- if (einfo->flags & IPT_SCTP_CHUNK_TYPES) {
- /* FIXME: print_chunks() is used in save() where the printing of '!'
- s taken care of, so we need to do that here as well */
- if (einfo->invflags & IPT_SCTP_CHUNK_TYPES) {
- printf("! ");
- }
- print_chunks(einfo->chunk_match_type, einfo->chunkmap,
- einfo->flag_info, einfo->flag_count, numeric);
- }
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip,
- const struct ipt_entry_match *match)
-{
- const struct ipt_sctp_info *einfo =
- (const struct ipt_sctp_info *)match->data;
-
- if (einfo->flags & IPT_SCTP_SRC_PORTS) {
- if (einfo->invflags & IPT_SCTP_SRC_PORTS)
- printf("! ");
- if (einfo->spts[0] != einfo->spts[1])
- printf("--sport %u:%u ",
- einfo->spts[0], einfo->spts[1]);
- else
- printf("--sport %u ", einfo->spts[0]);
- }
-
- if (einfo->flags & IPT_SCTP_DEST_PORTS) {
- if (einfo->invflags & IPT_SCTP_DEST_PORTS)
- printf("! ");
- if (einfo->dpts[0] != einfo->dpts[1])
- printf("--dport %u:%u ",
- einfo->dpts[0], einfo->dpts[1]);
- else
- printf("--dport %u ", einfo->dpts[0]);
- }
-
- if (einfo->flags & IPT_SCTP_CHUNK_TYPES) {
- if (einfo->invflags & IPT_SCTP_CHUNK_TYPES)
- printf("! ");
- printf("--chunk-types ");
-
- print_chunks(einfo->chunk_match_type, einfo->chunkmap,
- einfo->flag_info, einfo->flag_count, 0);
- }
-}
-
-static
-struct iptables_match sctp
-= { .name = "sctp",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_sctp_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_sctp_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_sctp_init(void)
-{
- register_match(&sctp);
-}
-
diff --git a/extensions/libipt_sctp.man b/extensions/libipt_sctp.man
deleted file mode 100644
index 97b467d..0000000
--- a/extensions/libipt_sctp.man
+++ /dev/null
@@ -1,28 +0,0 @@
-.TP
-\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
-.TP
-\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
-.TP
-\fB--chunk-types\fR [\fB!\fR] \fBall\fR|\fBany\fR|\fBonly \fIchunktype\fR[\fB:\fIflags\fR] [...]
-The flag letter in upper case indicates that the flag is to match if set,
-in the lower case indicates to match if unset.
-
-Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK
-
-chunk type available flags
-.br
-DATA U B E u b e
-.br
-ABORT T t
-.br
-SHUTDOWN_COMPLETE T t
-
-(lowercase means flag should be "off", uppercase means "on")
-.P
-Examples:
-
-iptables -A INPUT -p sctp --dport 80 -j DROP
-
-iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
-
-iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
diff --git a/extensions/libipt_set.h b/extensions/libipt_set.h
deleted file mode 100644
index 02de0fa..0000000
--- a/extensions/libipt_set.h
+++ /dev/null
@@ -1,104 +0,0 @@
-#ifndef _LIBIPT_SET_H
-#define _LIBIPT_SET_H
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <errno.h>
-
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
-static void
-parse_bindings(const char *optarg, struct ipt_set_info *info)
-{
- char *saved = strdup(optarg);
- char *ptr, *tmp = saved;
- int i = 0;
-
- while (i < (IP_SET_MAX_BINDINGS - 1) && tmp != NULL) {
- ptr = strsep(&tmp, ",");
- if (strncmp(ptr, "src", 3) == 0)
- info->flags[i++] |= IPSET_SRC;
- else if (strncmp(ptr, "dst", 3) == 0)
- info->flags[i++] |= IPSET_DST;
- else
- exit_error(PARAMETER_PROBLEM,
- "You must spefify (the comma separated list of) 'src' or 'dst'.");
- }
-
- if (tmp)
- exit_error(PARAMETER_PROBLEM,
- "Can't follow bindings deeper than %i.",
- IP_SET_MAX_BINDINGS - 1);
-
- free(saved);
-}
-
-static int get_set_getsockopt(void *data, socklen_t * size)
-{
- int sockfd = -1;
- sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
- if (sockfd < 0)
- exit_error(OTHER_PROBLEM,
- "Can't open socket to ipset.\n");
- /* Send! */
- return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
-}
-
-static void get_set_byname(const char *setname, struct ipt_set_info *info)
-{
- struct ip_set_req_get_set req;
- socklen_t size = sizeof(struct ip_set_req_get_set);
- int res;
-
- req.op = IP_SET_OP_GET_BYNAME;
- req.version = IP_SET_PROTOCOL_VERSION;
- strncpy(req.set.name, setname, IP_SET_MAXNAMELEN);
- req.set.name[IP_SET_MAXNAMELEN - 1] = '\0';
- res = get_set_getsockopt(&req, &size);
- if (res != 0)
- exit_error(OTHER_PROBLEM,
- "Problem when communicating with ipset, errno=%d.\n",
- errno);
- if (size != sizeof(struct ip_set_req_get_set))
- exit_error(OTHER_PROBLEM,
- "Incorrect return size from kernel during ipset lookup, "
- "(want %ld, got %ld)\n",
- sizeof(struct ip_set_req_get_set), size);
- if (req.set.index == IP_SET_INVALID_ID)
- exit_error(PARAMETER_PROBLEM,
- "Set %s doesn't exist.\n", setname);
-
- info->index = req.set.index;
-}
-
-static void get_set_byid(char * setname, ip_set_id_t index)
-{
- struct ip_set_req_get_set req;
- socklen_t size = sizeof(struct ip_set_req_get_set);
- int res;
-
- req.op = IP_SET_OP_GET_BYINDEX;
- req.version = IP_SET_PROTOCOL_VERSION;
- req.set.index = index;
- res = get_set_getsockopt(&req, &size);
- if (res != 0)
- exit_error(OTHER_PROBLEM,
- "Problem when communicating with ipset, errno=%d.\n",
- errno);
- if (size != sizeof(struct ip_set_req_get_set))
- exit_error(OTHER_PROBLEM,
- "Incorrect return size from kernel during ipset lookup, "
- "(want %ld, got %ld)\n",
- sizeof(struct ip_set_req_get_set), size);
- if (req.set.name[0] == '\0')
- exit_error(PARAMETER_PROBLEM,
- "Set id %i in kernel doesn't exist.\n", index);
-
- strncpy(setname, req.set.name, IP_SET_MAXNAMELEN);
-}
-
-#endif /*_LIBIPT_SET_H*/
diff --git a/extensions/libipt_set.man b/extensions/libipt_set.man
deleted file mode 100644
index d280577..0000000
--- a/extensions/libipt_set.man
+++ /dev/null
@@ -1,17 +0,0 @@
-This modules macthes IP sets which can be defined by ipset(8).
-.TP
-.BR "--set " "setname flag[,flag...]"
-where flags are
-.BR "src"
-and/or
-.BR "dst"
-and there can be no more than six of them. Hence the command
-.nf
- iptables -A FORWARD -m set --set test src,dst
-.fi
-will match packets, for which (depending on the type of the set) the source
-address or port number of the packet can be found in the specified set. If
-there is a binding belonging to the mached set element or there is a default
-binding for the given set, then the rule will match the packet only if
-additionally (depending on the type of the set) the destination address or
-port number of the packet can be found in the set according to the binding.
diff --git a/extensions/libipt_standard.c b/extensions/libipt_standard.c
deleted file mode 100644
index 9c3cdc2..0000000
--- a/extensions/libipt_standard.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/* Shared library add-on to iptables for standard target support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <getopt.h>
-#include <iptables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"Standard v%s options:\n"
-"(If target is DROP, ACCEPT, RETURN or nothing)\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {0}
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- return 0;
-}
-
-/* Final check; don't care. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Saves the targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
-}
-
-static
-struct iptables_target standard = {
- .next = NULL,
- .name = "standard",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(int)),
- .userspacesize = IPT_ALIGN(sizeof(int)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = NULL,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_standard_init(void)
-{
- register_target(&standard);
-}
diff --git a/extensions/libipt_state.c b/extensions/libipt_state.c
deleted file mode 100644
index 48d834d..0000000
--- a/extensions/libipt_state.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/* Shared library add-on to iptables to add state tracking support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ipt_state.h>
-
-#ifndef IPT_STATE_UNTRACKED
-#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"state v%s options:\n"
-" [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]\n"
-" State(s) to match\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "state", 1, 0, '1' },
- {0}
-};
-
-static int
-parse_state(const char *state, size_t strlen, struct ipt_state_info *sinfo)
-{
- if (strncasecmp(state, "INVALID", strlen) == 0)
- sinfo->statemask |= IPT_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
- sinfo->statemask |= IPT_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
- sinfo->statemask |= IPT_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
- sinfo->statemask |= IPT_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
- sinfo->statemask |= IPT_STATE_UNTRACKED;
- else
- return 0;
- return 1;
-}
-
-static void
-parse_states(const char *arg, struct ipt_state_info *sinfo)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_state(arg, comma-arg, sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad state `%s'", arg);
- arg = comma+1;
- }
-
- if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad state `%s'", arg);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_state_info *sinfo = (struct ipt_state_info *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_states(argv[optind-1], sinfo);
- if (invert)
- sinfo->statemask = ~sinfo->statemask;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified --state. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "You must specify `--state'");
-}
-
-static void print_state(unsigned int statemask)
-{
- const char *sep = "";
-
- if (statemask & IPT_STATE_INVALID) {
- printf("%sINVALID", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_BIT(IP_CT_NEW)) {
- printf("%sNEW", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_BIT(IP_CT_RELATED)) {
- printf("%sRELATED", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_BIT(IP_CT_ESTABLISHED)) {
- printf("%sESTABLISHED", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_UNTRACKED) {
- printf("%sUNTRACKED", sep);
- sep = ",";
- }
- printf(" ");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_state_info *sinfo = (struct ipt_state_info *)match->data;
-
- printf("state ");
- print_state(sinfo->statemask);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_state_info *sinfo = (struct ipt_state_info *)match->data;
-
- printf("--state ");
- print_state(sinfo->statemask);
-}
-
-static struct iptables_match state = {
- .next = NULL,
- .name = "state",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_state_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_state_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void ipt_state_init(void)
-{
- register_match(&state);
-}
diff --git a/extensions/libipt_state.man b/extensions/libipt_state.man
deleted file mode 100644
index 7107868..0000000
--- a/extensions/libipt_state.man
+++ /dev/null
@@ -1,21 +0,0 @@
-This module, when combined with connection tracking, allows access to
-the connection tracking state for this packet.
-.TP
-.BI "--state " "state"
-Where state is a comma separated list of the connection states to
-match. Possible states are
-.B INVALID
-meaning that the packet could not be identified for some reason which
-includes running out of memory and ICMP errors which don't correspond to any
-known connection,
-.B ESTABLISHED
-meaning that the packet is associated with a connection which has seen
-packets in both directions,
-.B NEW
-meaning that the packet has started a new connection, or otherwise
-associated with a connection which has not seen packets in both
-directions, and
-.B RELATED
-meaning that the packet is starting a new connection, but is
-associated with an existing connection, such as an FTP data transfer,
-or an ICMP error.
diff --git a/extensions/libipt_statistic.c b/extensions/libipt_statistic.c
deleted file mode 100644
index 58ac983..0000000
--- a/extensions/libipt_statistic.c
+++ /dev/null
@@ -1,175 +0,0 @@
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter/xt_statistic.h>
-
-static void
-help(void)
-{
- printf(
-"statistic match v%s options:\n"
-" --mode mode Match mode (random, nth)\n"
-" random mode:\n"
-" --probability p Probability\n"
-" nth mode:\n"
-" --every n Match every nth packet\n"
-" --packet p Initial counter value (0 <= p <= n-1, default 0)\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "mode", 1, 0, '1' },
- { "probability", 1, 0, '2' },
- { "every", 1, 0, '3' },
- { "packet", 1, 0, '4' },
- { 0 }
-};
-
-static struct xt_statistic_info *info;
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- double prob;
-
- info = (void *)(*match)->data;
-
- if (invert)
- info->flags |= XT_STATISTIC_INVERT;
-
- switch (c) {
- case '1':
- if (*flags & 0x1)
- exit_error(PARAMETER_PROBLEM, "double --mode");
- if (!strcmp(optarg, "random"))
- info->mode = XT_STATISTIC_MODE_RANDOM;
- else if (!strcmp(optarg, "nth"))
- info->mode = XT_STATISTIC_MODE_NTH;
- else
- exit_error(PARAMETER_PROBLEM, "Bad mode `%s'", optarg);
- *flags |= 0x1;
- break;
- case '2':
- if (*flags & 0x2)
- exit_error(PARAMETER_PROBLEM, "double --probability");
- prob = atof(optarg);
- if (prob < 0 || prob > 1)
- exit_error(PARAMETER_PROBLEM,
- "--probability must be between 0 and 1");
- info->u.random.probability = 0x80000000 * prob;
- *flags |= 0x2;
- break;
- case '3':
- if (*flags & 0x4)
- exit_error(PARAMETER_PROBLEM, "double --every");
- if (string_to_number(optarg, 0, 0xFFFFFFFF,
- &info->u.nth.every) == -1)
- exit_error(PARAMETER_PROBLEM,
- "cannot parse --every `%s'", optarg);
- if (info->u.nth.every == 0)
- exit_error(PARAMETER_PROBLEM, "--every cannot be 0");
- info->u.nth.every--;
- *flags |= 0x4;
- break;
- case '4':
- if (*flags & 0x8)
- exit_error(PARAMETER_PROBLEM, "double --packet");
- if (string_to_number(optarg, 0, 0xFFFFFFFF,
- &info->u.nth.packet) == -1)
- exit_error(PARAMETER_PROBLEM,
- "cannot parse --packet `%s'", optarg);
- *flags |= 0x8;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must have specified --mark. */
-static void
-final_check(unsigned int flags)
-{
- if (!(flags & 0x1))
- exit_error(PARAMETER_PROBLEM, "no mode specified");
- if ((flags & 0x2) && (flags & (0x4 | 0x8)))
- exit_error(PARAMETER_PROBLEM,
- "both nth and random parameters given");
- if (flags & 0x2 && info->mode != XT_STATISTIC_MODE_RANDOM)
- exit_error(PARAMETER_PROBLEM,
- "--probability can only be used in random mode");
- if (flags & 0x4 && info->mode != XT_STATISTIC_MODE_NTH)
- exit_error(PARAMETER_PROBLEM,
- "--every can only be used in nth mode");
- if (flags & 0x8 && info->mode != XT_STATISTIC_MODE_NTH)
- exit_error(PARAMETER_PROBLEM,
- "--packet can only be used in nth mode");
- info->u.nth.count = info->u.nth.every - info->u.nth.packet;
-}
-
-/* Prints out the matchinfo. */
-static void print_match(const struct xt_statistic_info *info, char *prefix)
-{
- if (info->flags & XT_STATISTIC_INVERT)
- printf("! ");
-
- switch (info->mode) {
- case XT_STATISTIC_MODE_RANDOM:
- printf("%smode random %sprobability %f ", prefix, prefix,
- 1.0 * info->u.random.probability / 0x80000000);
- break;
- case XT_STATISTIC_MODE_NTH:
- printf("%smode nth %severy %u ", prefix, prefix,
- info->u.nth.every + 1);
- if (info->u.nth.packet)
- printf("%spacket %u ", prefix, info->u.nth.packet);
- break;
- }
-}
-
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct xt_statistic_info *info = (struct xt_statistic_info *)match->data;
-
- printf("statistic ");
- print_match(info, "");
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct xt_statistic_info *info = (struct xt_statistic_info *)match->data;
-
- print_match(info, "--");
-}
-
-static struct iptables_match statistic = {
- .name = "statistic",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct xt_statistic_info)),
- .userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
- .help = help,
- .parse = parse,
- .final_check = final_check,
- .print = print,
- .save = save,
- .extra_opts = opts
-};
-
-void ipt_statistic_init(void)
-{
- register_match(&statistic);
-}
diff --git a/extensions/libipt_string.c b/extensions/libipt_string.c
deleted file mode 100644
index 82bf748..0000000
--- a/extensions/libipt_string.c
+++ /dev/null
@@ -1,354 +0,0 @@
-/* Shared library add-on to iptables to add string matching support.
- *
- * Copyright (C) 2000 Emmanuel Roger <winfield@freegates.be>
- *
- * 2005-08-05 Pablo Neira Ayuso <pablo@eurodev.net>
- * - reimplemented to use new string matching iptables match
- * - add functionality to match packets by using window offsets
- * - add functionality to select the string matching algorithm
- *
- * ChangeLog
- * 29.12.2003: Michael Rash <mbr@cipherdyne.org>
- * Fixed iptables save/restore for ascii strings
- * that contain space chars, and hex strings that
- * contain embedded NULL chars. Updated to print
- * strings in hex mode if any non-printable char
- * is contained within the string.
- *
- * 27.01.2001: Gianni Tedesco <gianni@ecsc.co.uk>
- * Changed --tos to --string in save(). Also
- * updated to work with slightly modified
- * ipt_string_info.
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <iptables.h>
-#include <stddef.h>
-#include <linux/netfilter_ipv4/ipt_string.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"STRING match v%s options:\n"
-"--from Offset to start searching from\n"
-"--to Offset to stop searching\n"
-"--algo Algorithm\n"
-"--string [!] string Match a string in a packet\n"
-"--hex-string [!] string Match a hex string in a packet\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "from", 1, 0, '1' },
- { "to", 1, 0, '2' },
- { "algo", 1, 0, '3' },
- { "string", 1, 0, '4' },
- { "hex-string", 1, 0, '5' },
- {0}
-};
-
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_string_info *i = (struct ipt_string_info *) m->data;
-
- if (i->to_offset == 0)
- i->to_offset = (u_int16_t) ~0UL;
-}
-
-static void
-parse_string(const char *s, struct ipt_string_info *info)
-{
- if (strlen(s) <= IPT_STRING_MAX_PATTERN_SIZE) {
- strncpy(info->pattern, s, IPT_STRING_MAX_PATTERN_SIZE);
- info->patlen = strlen(s);
- return;
- }
- exit_error(PARAMETER_PROBLEM, "STRING too long `%s'", s);
-}
-
-static void
-parse_algo(const char *s, struct ipt_string_info *info)
-{
- if (strlen(s) <= IPT_STRING_MAX_ALGO_NAME_SIZE) {
- strncpy(info->algo, s, IPT_STRING_MAX_ALGO_NAME_SIZE);
- return;
- }
- exit_error(PARAMETER_PROBLEM, "ALGO too long `%s'", s);
-}
-
-static void
-parse_hex_string(const char *s, struct ipt_string_info *info)
-{
- int i=0, slen, sindex=0, schar;
- short hex_f = 0, literal_f = 0;
- char hextmp[3];
-
- slen = strlen(s);
-
- if (slen == 0) {
- exit_error(PARAMETER_PROBLEM,
- "STRING must contain at least one char");
- }
-
- while (i < slen) {
- if (s[i] == '\\' && !hex_f) {
- literal_f = 1;
- } else if (s[i] == '\\') {
- exit_error(PARAMETER_PROBLEM,
- "Cannot include literals in hex data");
- } else if (s[i] == '|') {
- if (hex_f)
- hex_f = 0;
- else {
- hex_f = 1;
- /* get past any initial whitespace just after the '|' */
- while (s[i+1] == ' ')
- i++;
- }
- if (i+1 >= slen)
- break;
- else
- i++; /* advance to the next character */
- }
-
- if (literal_f) {
- if (i+1 >= slen) {
- exit_error(PARAMETER_PROBLEM,
- "Bad literal placement at end of string");
- }
- info->pattern[sindex] = s[i+1];
- i += 2; /* skip over literal char */
- literal_f = 0;
- } else if (hex_f) {
- if (i+1 >= slen) {
- exit_error(PARAMETER_PROBLEM,
- "Odd number of hex digits");
- }
- if (i+2 >= slen) {
- /* must end with a "|" */
- exit_error(PARAMETER_PROBLEM, "Invalid hex block");
- }
- if (! isxdigit(s[i])) /* check for valid hex char */
- exit_error(PARAMETER_PROBLEM, "Invalid hex char `%c'", s[i]);
- if (! isxdigit(s[i+1])) /* check for valid hex char */
- exit_error(PARAMETER_PROBLEM, "Invalid hex char `%c'", s[i+1]);
- hextmp[0] = s[i];
- hextmp[1] = s[i+1];
- hextmp[2] = '\0';
- if (! sscanf(hextmp, "%x", &schar))
- exit_error(PARAMETER_PROBLEM,
- "Invalid hex char `%c'", s[i]);
- info->pattern[sindex] = (char) schar;
- if (s[i+2] == ' ')
- i += 3; /* spaces included in the hex block */
- else
- i += 2;
- } else { /* the char is not part of hex data, so just copy */
- info->pattern[sindex] = s[i];
- i++;
- }
- if (sindex > IPT_STRING_MAX_PATTERN_SIZE)
- exit_error(PARAMETER_PROBLEM, "STRING too long `%s'", s);
- sindex++;
- }
- info->patlen = sindex;
-}
-
-#define STRING 0x1
-#define ALGO 0x2
-#define FROM 0x4
-#define TO 0x8
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_string_info *stringinfo = (struct ipt_string_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & FROM)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple --from");
- stringinfo->from_offset = atoi(optarg);
- *flags |= FROM;
- break;
- case '2':
- if (*flags & TO)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple --to");
- stringinfo->to_offset = atoi(optarg);
- *flags |= TO;
- break;
- case '3':
- if (*flags & ALGO)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple --algo");
- parse_algo(optarg, stringinfo);
- *flags |= ALGO;
- break;
- case '4':
- if (*flags & STRING)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple --string");
- check_inverse(optarg, &invert, &optind, 0);
- parse_string(argv[optind-1], stringinfo);
- if (invert)
- stringinfo->invert = 1;
- stringinfo->patlen=strlen((char *)&stringinfo->pattern);
- *flags |= STRING;
- break;
-
- case '5':
- if (*flags & STRING)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple --hex-string");
-
- check_inverse(optarg, &invert, &optind, 0);
- parse_hex_string(argv[optind-1], stringinfo); /* sets length */
- if (invert)
- stringinfo->invert = 1;
- *flags |= STRING;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-
-/* Final check; must have specified --string. */
-static void
-final_check(unsigned int flags)
-{
- if (!(flags & STRING))
- exit_error(PARAMETER_PROBLEM,
- "STRING match: You must specify `--string' or "
- "`--hex-string'");
- if (!(flags & ALGO))
- exit_error(PARAMETER_PROBLEM,
- "STRING match: You must specify `--algo'");
-}
-
-/* Test to see if the string contains non-printable chars or quotes */
-static unsigned short int
-is_hex_string(const char *str, const unsigned short int len)
-{
- unsigned int i;
- for (i=0; i < len; i++)
- if (! isprint(str[i]))
- return 1; /* string contains at least one non-printable char */
- /* use hex output if the last char is a "\" */
- if ((unsigned char) str[len-1] == 0x5c)
- return 1;
- return 0;
-}
-
-/* Print string with "|" chars included as one would pass to --hex-string */
-static void
-print_hex_string(const char *str, const unsigned short int len)
-{
- unsigned int i;
- /* start hex block */
- printf("\"|");
- for (i=0; i < len; i++) {
- /* see if we need to prepend a zero */
- if ((unsigned char) str[i] <= 0x0F)
- printf("0%x", (unsigned char) str[i]);
- else
- printf("%x", (unsigned char) str[i]);
- }
- /* close hex block */
- printf("|\" ");
-}
-
-static void
-print_string(const char *str, const unsigned short int len)
-{
- unsigned int i;
- printf("\"");
- for (i=0; i < len; i++) {
- if ((unsigned char) str[i] == 0x22) /* escape any embedded quotes */
- printf("%c", 0x5c);
- printf("%c", (unsigned char) str[i]);
- }
- printf("\" "); /* closing space and quote */
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_string_info *info =
- (const struct ipt_string_info*) match->data;
-
- if (is_hex_string(info->pattern, info->patlen)) {
- printf("STRING match %s", (info->invert) ? "!" : "");
- print_hex_string(info->pattern, info->patlen);
- } else {
- printf("STRING match %s", (info->invert) ? "!" : "");
- print_string(info->pattern, info->patlen);
- }
- printf("ALGO name %s ", info->algo);
- if (info->from_offset != 0)
- printf("FROM %u ", info->from_offset);
- if (info->to_offset != 0)
- printf("TO %u ", info->to_offset);
-}
-
-
-/* Saves the union ipt_matchinfo in parseable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_string_info *info =
- (const struct ipt_string_info*) match->data;
-
- if (is_hex_string(info->pattern, info->patlen)) {
- printf("--hex-string %s", (info->invert) ? "! ": "");
- print_hex_string(info->pattern, info->patlen);
- } else {
- printf("--string %s", (info->invert) ? "! ": "");
- print_string(info->pattern, info->patlen);
- }
- printf("--algo %s ", info->algo);
- if (info->from_offset != 0)
- printf("--from %u ", info->from_offset);
- if (info->to_offset != 0)
- printf("--to %u ", info->to_offset);
-}
-
-
-static struct iptables_match string = {
- .name = "string",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_string_info)),
- .userspacesize = offsetof(struct ipt_string_info, config),
- .help = help,
- .init = init,
- .parse = parse,
- .final_check = final_check,
- .print = print,
- .save = save,
- .extra_opts = opts
-};
-
-
-void ipt_string_init(void)
-{
- register_match(&string);
-}
diff --git a/extensions/libipt_string.man b/extensions/libipt_string.man
deleted file mode 100644
index 3f3e5b7..0000000
--- a/extensions/libipt_string.man
+++ /dev/null
@@ -1,15 +0,0 @@
-This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
-.TP
-.BI "--algo " "bm|kmp"
-Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
-.TP
-.BI "--from " "offset"
-Set the offset from which it starts looking for any matching. If not passed, default is 0.
-.TP
-.BI "--to " "offset"
-Set the offset from which it starts looking for any matching. If not passed, default is the packet size.
-.TP
-.BI "--string " "pattern"
-Matches the given pattern.
-.BI "--hex-string " "pattern"
-Matches the given pattern in hex notation.
diff --git a/extensions/libipt_tcp.c b/extensions/libipt_tcp.c
deleted file mode 100644
index 935212c..0000000
--- a/extensions/libipt_tcp.c
+++ /dev/null
@@ -1,417 +0,0 @@
-/* Shared library add-on to iptables to add TCP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <netinet/in.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"TCP v%s options:\n"
-" --tcp-flags [!] mask comp match when TCP flags & mask == comp\n"
-" (Flags: SYN ACK FIN RST URG PSH ALL NONE)\n"
-"[!] --syn match when only SYN flag set\n"
-" (equivalent to --tcp-flags SYN,RST,ACK SYN)\n"
-" --source-port [!] port[:port]\n"
-" --sport ...\n"
-" match source port(s)\n"
-" --destination-port [!] port[:port]\n"
-" --dport ...\n"
-" match destination port(s)\n"
-" --tcp-option [!] number match if TCP option set\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "source-port", 1, 0, '1' },
- { "sport", 1, 0, '1' }, /* synonym */
- { "destination-port", 1, 0, '2' },
- { "dport", 1, 0, '2' }, /* synonym */
- { "syn", 0, 0, '3' },
- { "tcp-flags", 1, 0, '4' },
- { "tcp-option", 1, 0, '5' },
- {0}
-};
-
-static void
-parse_tcp_ports(const char *portstring, u_int16_t *ports)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(portstring);
- if ((cp = strchr(buffer, ':')) == NULL)
- ports[0] = ports[1] = parse_port(buffer, "tcp");
- else {
- *cp = '\0';
- cp++;
-
- ports[0] = buffer[0] ? parse_port(buffer, "tcp") : 0;
- ports[1] = cp[0] ? parse_port(cp, "tcp") : 0xFFFF;
-
- if (ports[0] > ports[1])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange (min > max)");
- }
- free(buffer);
-}
-
-struct tcp_flag_names {
- const char *name;
- unsigned int flag;
-};
-
-static struct tcp_flag_names tcp_flag_names[]
-= { { "FIN", 0x01 },
- { "SYN", 0x02 },
- { "RST", 0x04 },
- { "PSH", 0x08 },
- { "ACK", 0x10 },
- { "URG", 0x20 },
- { "ALL", 0x3F },
- { "NONE", 0 },
-};
-
-static unsigned int
-parse_tcp_flag(const char *flags)
-{
- unsigned int ret = 0;
- char *ptr;
- char *buffer;
-
- buffer = strdup(flags);
-
- for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
- unsigned int i;
- for (i = 0;
- i < sizeof(tcp_flag_names)/sizeof(struct tcp_flag_names);
- i++) {
- if (strcasecmp(tcp_flag_names[i].name, ptr) == 0) {
- ret |= tcp_flag_names[i].flag;
- break;
- }
- }
- if (i == sizeof(tcp_flag_names)/sizeof(struct tcp_flag_names))
- exit_error(PARAMETER_PROBLEM,
- "Unknown TCP flag `%s'", ptr);
- }
-
- free(buffer);
- return ret;
-}
-
-static void
-parse_tcp_flags(struct ipt_tcp *tcpinfo,
- const char *mask,
- const char *cmp,
- int invert)
-{
- tcpinfo->flg_mask = parse_tcp_flag(mask);
- tcpinfo->flg_cmp = parse_tcp_flag(cmp);
-
- if (invert)
- tcpinfo->invflags |= IPT_TCP_INV_FLAGS;
-}
-
-static void
-parse_tcp_option(const char *option, u_int8_t *result)
-{
- unsigned int ret;
-
- if (string_to_number(option, 1, 255, &ret) == -1)
- exit_error(PARAMETER_PROBLEM, "Bad TCP option `%s'", option);
-
- *result = (u_int8_t)ret;
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_tcp *tcpinfo = (struct ipt_tcp *)m->data;
-
- tcpinfo->spts[1] = tcpinfo->dpts[1] = 0xFFFF;
-}
-
-#define TCP_SRC_PORTS 0x01
-#define TCP_DST_PORTS 0x02
-#define TCP_FLAGS 0x04
-#define TCP_OPTION 0x08
-
-/* Function which parses command options; returns true if it
- ate an option. */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_tcp *tcpinfo = (struct ipt_tcp *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & TCP_SRC_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--source-port' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_tcp_ports(argv[optind-1], tcpinfo->spts);
- if (invert)
- tcpinfo->invflags |= IPT_TCP_INV_SRCPT;
- *flags |= TCP_SRC_PORTS;
- break;
-
- case '2':
- if (*flags & TCP_DST_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--destination-port' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_tcp_ports(argv[optind-1], tcpinfo->dpts);
- if (invert)
- tcpinfo->invflags |= IPT_TCP_INV_DSTPT;
- *flags |= TCP_DST_PORTS;
- break;
-
- case '3':
- if (*flags & TCP_FLAGS)
- exit_error(PARAMETER_PROBLEM,
- "Only one of `--syn' or `--tcp-flags' "
- " allowed");
- parse_tcp_flags(tcpinfo, "SYN,RST,ACK,FIN", "SYN", invert);
- *flags |= TCP_FLAGS;
- break;
-
- case '4':
- if (*flags & TCP_FLAGS)
- exit_error(PARAMETER_PROBLEM,
- "Only one of `--syn' or `--tcp-flags' "
- " allowed");
- check_inverse(optarg, &invert, &optind, 0);
-
- if (!argv[optind]
- || argv[optind][0] == '-' || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--tcp-flags requires two args.");
-
- parse_tcp_flags(tcpinfo, argv[optind-1], argv[optind],
- invert);
- optind++;
- *flags |= TCP_FLAGS;
- break;
-
- case '5':
- if (*flags & TCP_OPTION)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--tcp-option' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_tcp_option(argv[optind-1], &tcpinfo->option);
- if (invert)
- tcpinfo->invflags |= IPT_TCP_INV_OPTION;
- *flags |= TCP_OPTION;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static char *
-port_to_service(int port)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port), "tcp")))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-static void
-print_ports(const char *name, u_int16_t min, u_int16_t max,
- int invert, int numeric)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- print_port(min, numeric);
- } else {
- printf("s:%s", inv);
- print_port(min, numeric);
- printf(":");
- print_port(max, numeric);
- }
- printf(" ");
- }
-}
-
-static void
-print_option(u_int8_t option, int invert, int numeric)
-{
- if (option || invert)
- printf("option=%s%u ", invert ? "!" : "", option);
-}
-
-static void
-print_tcpf(u_int8_t flags)
-{
- int have_flag = 0;
-
- while (flags) {
- unsigned int i;
-
- for (i = 0; (flags & tcp_flag_names[i].flag) == 0; i++);
-
- if (have_flag)
- printf(",");
- printf("%s", tcp_flag_names[i].name);
- have_flag = 1;
-
- flags &= ~tcp_flag_names[i].flag;
- }
-
- if (!have_flag)
- printf("NONE");
-}
-
-static void
-print_flags(u_int8_t mask, u_int8_t cmp, int invert, int numeric)
-{
- if (mask || invert) {
- printf("flags:%s", invert ? "!" : "");
- if (numeric)
- printf("0x%02X/0x%02X ", mask, cmp);
- else {
- print_tcpf(mask);
- printf("/");
- print_tcpf(cmp);
- printf(" ");
- }
- }
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match, int numeric)
-{
- const struct ipt_tcp *tcp = (struct ipt_tcp *)match->data;
-
- printf("tcp ");
- print_ports("spt", tcp->spts[0], tcp->spts[1],
- tcp->invflags & IPT_TCP_INV_SRCPT,
- numeric);
- print_ports("dpt", tcp->dpts[0], tcp->dpts[1],
- tcp->invflags & IPT_TCP_INV_DSTPT,
- numeric);
- print_option(tcp->option,
- tcp->invflags & IPT_TCP_INV_OPTION,
- numeric);
- print_flags(tcp->flg_mask, tcp->flg_cmp,
- tcp->invflags & IPT_TCP_INV_FLAGS,
- numeric);
- if (tcp->invflags & ~IPT_TCP_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- tcp->invflags & ~IPT_TCP_INV_MASK);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_tcp *tcpinfo = (struct ipt_tcp *)match->data;
-
- if (tcpinfo->spts[0] != 0
- || tcpinfo->spts[1] != 0xFFFF) {
- if (tcpinfo->invflags & IPT_TCP_INV_SRCPT)
- printf("! ");
- if (tcpinfo->spts[0]
- != tcpinfo->spts[1])
- printf("--sport %u:%u ",
- tcpinfo->spts[0],
- tcpinfo->spts[1]);
- else
- printf("--sport %u ",
- tcpinfo->spts[0]);
- }
-
- if (tcpinfo->dpts[0] != 0
- || tcpinfo->dpts[1] != 0xFFFF) {
- if (tcpinfo->invflags & IPT_TCP_INV_DSTPT)
- printf("! ");
- if (tcpinfo->dpts[0]
- != tcpinfo->dpts[1])
- printf("--dport %u:%u ",
- tcpinfo->dpts[0],
- tcpinfo->dpts[1]);
- else
- printf("--dport %u ",
- tcpinfo->dpts[0]);
- }
-
- if (tcpinfo->option
- || (tcpinfo->invflags & IPT_TCP_INV_OPTION)) {
- if (tcpinfo->invflags & IPT_TCP_INV_OPTION)
- printf("! ");
- printf("--tcp-option %u ", tcpinfo->option);
- }
-
- if (tcpinfo->flg_mask
- || (tcpinfo->invflags & IPT_TCP_INV_FLAGS)) {
- if (tcpinfo->invflags & IPT_TCP_INV_FLAGS)
- printf("! ");
- printf("--tcp-flags ");
- if (tcpinfo->flg_mask != 0xFF) {
- print_tcpf(tcpinfo->flg_mask);
- }
- printf(" ");
- print_tcpf(tcpinfo->flg_cmp);
- printf(" ");
- }
-}
-
-static struct iptables_match tcp = {
- .next = NULL,
- .name = "tcp",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_tcp)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_tcp)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-ipt_tcp_init(void)
-{
- register_match(&tcp);
-}
diff --git a/extensions/libipt_tcp.man b/extensions/libipt_tcp.man
deleted file mode 100644
index 648c81e..0000000
--- a/extensions/libipt_tcp.man
+++ /dev/null
@@ -1,45 +0,0 @@
-These extensions are loaded if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
diff --git a/extensions/libipt_tcpmss.man b/extensions/libipt_tcpmss.man
deleted file mode 100644
index 91fe322..0000000
--- a/extensions/libipt_tcpmss.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
-.TP
-.BI "[!] "--mss " value[:value]"
-Match a given TCP MSS value or range.
diff --git a/extensions/libipt_tos.man b/extensions/libipt_tos.man
deleted file mode 100644
index c612b29..0000000
--- a/extensions/libipt_tos.man
+++ /dev/null
@@ -1,9 +0,0 @@
-This module matches the 8 bits of Type of Service field in the IP
-header (ie. including the precedence bits).
-.TP
-.BI "--tos " "tos"
-The argument is either a standard name, (use
-.br
- iptables -m tos -h
-.br
-to see the list), or a numeric value to match.
diff --git a/extensions/libipt_ttl.man b/extensions/libipt_ttl.man
deleted file mode 100644
index f043c79..0000000
--- a/extensions/libipt_ttl.man
+++ /dev/null
@@ -1,10 +0,0 @@
-This module matches the time to live field in the IP header.
-.TP
-.BI "--ttl-eq " "ttl"
-Matches the given TTL value.
-.TP
-.BI "--ttl-gt " "ttl"
-Matches if TTL is greater than the given TTL value.
-.TP
-.BI "--ttl-lt " "ttl"
-Matches if TTL is less than the given TTL value.
diff --git a/extensions/libipt_udp.c b/extensions/libipt_udp.c
deleted file mode 100644
index 1b36430..0000000
--- a/extensions/libipt_udp.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/* Shared library add-on to iptables to add UDP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <netinet/in.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"UDP v%s options:\n"
-" --source-port [!] port[:port]\n"
-" --sport ...\n"
-" match source port(s)\n"
-" --destination-port [!] port[:port]\n"
-" --dport ...\n"
-" match destination port(s)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "source-port", 1, 0, '1' },
- { "sport", 1, 0, '1' }, /* synonym */
- { "destination-port", 1, 0, '2' },
- { "dport", 1, 0, '2' }, /* synonym */
- {0}
-};
-
-static void
-parse_udp_ports(const char *portstring, u_int16_t *ports)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(portstring);
- if ((cp = strchr(buffer, ':')) == NULL)
- ports[0] = ports[1] = parse_port(buffer, "udp");
- else {
- *cp = '\0';
- cp++;
-
- ports[0] = buffer[0] ? parse_port(buffer, "udp") : 0;
- ports[1] = cp[0] ? parse_port(cp, "udp") : 0xFFFF;
-
- if (ports[0] > ports[1])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange (min > max)");
- }
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_udp *udpinfo = (struct ipt_udp *)m->data;
-
- udpinfo->spts[1] = udpinfo->dpts[1] = 0xFFFF;
-}
-
-#define UDP_SRC_PORTS 0x01
-#define UDP_DST_PORTS 0x02
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_udp *udpinfo = (struct ipt_udp *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & UDP_SRC_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--source-port' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_udp_ports(argv[optind-1], udpinfo->spts);
- if (invert)
- udpinfo->invflags |= IPT_UDP_INV_SRCPT;
- *flags |= UDP_SRC_PORTS;
- break;
-
- case '2':
- if (*flags & UDP_DST_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--destination-port' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_udp_ports(argv[optind-1], udpinfo->dpts);
- if (invert)
- udpinfo->invflags |= IPT_UDP_INV_DSTPT;
- *flags |= UDP_DST_PORTS;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static char *
-port_to_service(int port)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port), "udp")))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-static void
-print_ports(const char *name, u_int16_t min, u_int16_t max,
- int invert, int numeric)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- print_port(min, numeric);
- } else {
- printf("s:%s", inv);
- print_port(min, numeric);
- printf(":");
- print_port(max, numeric);
- }
- printf(" ");
- }
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match, int numeric)
-{
- const struct ipt_udp *udp = (struct ipt_udp *)match->data;
-
- printf("udp ");
- print_ports("spt", udp->spts[0], udp->spts[1],
- udp->invflags & IPT_UDP_INV_SRCPT,
- numeric);
- print_ports("dpt", udp->dpts[0], udp->dpts[1],
- udp->invflags & IPT_UDP_INV_DSTPT,
- numeric);
- if (udp->invflags & ~IPT_UDP_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- udp->invflags & ~IPT_UDP_INV_MASK);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_udp *udpinfo = (struct ipt_udp *)match->data;
-
- if (udpinfo->spts[0] != 0
- || udpinfo->spts[1] != 0xFFFF) {
- if (udpinfo->invflags & IPT_UDP_INV_SRCPT)
- printf("! ");
- if (udpinfo->spts[0]
- != udpinfo->spts[1])
- printf("--sport %u:%u ",
- udpinfo->spts[0],
- udpinfo->spts[1]);
- else
- printf("--sport %u ",
- udpinfo->spts[0]);
- }
-
- if (udpinfo->dpts[0] != 0
- || udpinfo->dpts[1] != 0xFFFF) {
- if (udpinfo->invflags & IPT_UDP_INV_DSTPT)
- printf("! ");
- if (udpinfo->dpts[0]
- != udpinfo->dpts[1])
- printf("--dport %u:%u ",
- udpinfo->dpts[0],
- udpinfo->dpts[1]);
- else
- printf("--dport %u ",
- udpinfo->dpts[0]);
- }
-}
-
-static
-struct iptables_match udp = {
- .next = NULL,
- .name = "udp",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_udp)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_udp)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-ipt_udp_init(void)
-{
- register_match(&udp);
-}
diff --git a/extensions/libipt_udp.man b/extensions/libipt_udp.man
deleted file mode 100644
index 0408479..0000000
--- a/extensions/libipt_udp.man
+++ /dev/null
@@ -1,14 +0,0 @@
-These extensions are loaded if `--protocol udp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification.
-See the description of the
-.B --source-port
-option of the TCP extension for details.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification.
-See the description of the
-.B --destination-port
-option of the TCP extension for details.
diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c
deleted file mode 100644
index 6f4333a..0000000
--- a/extensions/libipt_unclean.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/* Shared library add-on to iptables for unclean. */
-#include <stdio.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"unclean v%s takes no options\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- return 0;
-}
-
-/* Final check; must have specified --mac. */
-static void final_check(unsigned int flags)
-{
-}
-
-static
-struct iptables_match unclean = {
- .next = NULL,
- .name = "unclean",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(0),
- .userspacesize = IPT_ALIGN(0),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = NULL,
- .save = NULL,
- .extra_opts = opts
-};
-
-void ipt_unclean_init(void)
-{
- register_match(&unclean);
-}
diff --git a/extensions/libipt_unclean.man b/extensions/libipt_unclean.man
deleted file mode 100644
index 3fecd55..0000000
--- a/extensions/libipt_unclean.man
+++ /dev/null
@@ -1,2 +0,0 @@
-This module takes no options, but attempts to match packets which seem
-malformed or unusual. This is regarded as experimental.
diff --git a/extensions/rename-dups.sh b/extensions/rename-dups.sh
deleted file mode 100755
index bd940bc..0000000
--- a/extensions/rename-dups.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/sh
-
-t1=`mktemp`
-t2=`mktemp`
-
-ls *.c | tr [A-Z] [a-z] | sort > $t1
-cat $t1 | sort -u > $t2
-for f in `diff $t1 $t2 | grep "< " | awk -F"< " '{print $2}'`; do
- n=`echo $f | sed -e 's/t_/t_2/g'`;
- "Renaming $f --> $n.";
- p4 integrate $f $n;
- p4 delete $f;
-done;
-
-rm -f $t1 $t2
-
-