Add comment match extension (Brad Fisher)

2 files changed, 128 insertions, 1 deletions

diff --git a/extensions/Makefile b/extensions/Makefile
index 81631c4..ac7eefa 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -5,7 +5,7 @@
 # header files are present in the include/linux directory of this iptables
 # package (HW)
 #
-PF_EXT_SLIB:=ah addrtype connlimit connmark conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
+PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
 PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner physdev standard tcp udp HL LOG MARK TRACE
 
 # Optionals
diff --git a/extensions/libipt_comment.c b/extensions/libipt_comment.c
new file mode 100644
index 0000000..778051e
--- /dev/null
+++ b/extensions/libipt_comment.c
@@ -0,0 +1,127 @@
+/* Shared library add-on to iptables to add comment match support.
+ *
+ * ChangeLog
+ *     2003-05-13: Brad Fisher <brad@info-link.net>
+ *         Initial comment match
+ *     2004-05-12: Brad Fisher <brad@info-link.net>
+ *         Port to patch-o-matic-ng
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_comment.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+	printf(
+		"COMMENT match options:\n"
+		"--comment COMMENT             Attach a comment to a rule\n\n"
+		);
+}
+
+static struct option opts[] = {
+	{ "comment", 1, 0, '1' },
+	{0}
+};
+
+/* Initialize the match. */
+static void
+init(struct ipt_entry_match *m, unsigned int *nfcache)
+{
+	*nfcache |= NFC_UNKNOWN;
+}
+
+static void
+parse_comment(const unsigned char *s, struct ipt_comment_info *info)
+{	
+	int slen = strlen(s);
+
+	if (slen >= IPT_MAX_COMMENT_LEN) {
+		exit_error(PARAMETER_PROBLEM,
+			"COMMENT must be shorter than %i characters", IPT_MAX_COMMENT_LEN);
+	}
+	strcpy(info->comment, s);
+}
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ipt_entry *entry,
+      unsigned int *nfcache,
+      struct ipt_entry_match **match)
+{
+	struct ipt_comment_info *commentinfo = (struct ipt_comment_info *)(*match)->data;
+
+	switch (c) {
+	case '1':
+		check_inverse(argv[optind-1], &invert, &optind, 0);
+		if (invert) {
+			exit_error(PARAMETER_PROBLEM,
+					"Sorry, you can't have an inverted comment");
+		}
+		parse_comment(argv[optind-1], commentinfo);
+		*flags = 1;
+		break;
+
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+/* Final check; must have specified --comment. */
+static void
+final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM,
+			   "COMMENT match: You must specify `--comment'");
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ipt_ip *ip,
+      const struct ipt_entry_match *match,
+      int numeric)
+{
+	struct ipt_comment_info *commentinfo = (struct ipt_comment_info *)match->data;
+
+	commentinfo->comment[IPT_MAX_COMMENT_LEN-1] = '\0';
+	printf("/* %s */ ", commentinfo->comment);
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+{
+	struct ipt_comment_info *commentinfo = (struct ipt_comment_info *)match->data;
+
+	commentinfo->comment[IPT_MAX_COMMENT_LEN-1] = '\0';
+	printf("--comment \"%s\" ", commentinfo->comment);
+}
+
+static struct iptables_match comment = {
+    NULL,
+    "comment",
+    IPTABLES_VERSION,
+    IPT_ALIGN(sizeof(struct ipt_comment_info)),
+    IPT_ALIGN(sizeof(struct ipt_comment_info)),
+    &help,
+    &init,
+    &parse,
+    &final_check,
+    &print,
+    &save,
+    opts
+};
+
+void _init(void)
+{
+	register_match(&comment);
+}