From 5b91d339b746219d2d0be374411639156b7794d1 Mon Sep 17 00:00:00 2001 From: laforge Date: Tue, 3 Feb 2004 08:19:04 +0000 Subject: latest version of CONNMARK (Henrik Nordstrom) --- extensions/libipt_CONNMARK.c | 102 ++++++++++++++++++++++++++++------------- extensions/libipt_CONNMARK.man | 22 +++++---- extensions/libipt_connmark.c | 56 ++++++++++++++-------- extensions/libipt_connmark.man | 9 ++++ 4 files changed, 129 insertions(+), 60 deletions(-) create mode 100644 extensions/libipt_connmark.man (limited to 'extensions') diff --git a/extensions/libipt_CONNMARK.c b/extensions/libipt_CONNMARK.c index 5222182..11cdc84 100644 --- a/extensions/libipt_CONNMARK.c +++ b/extensions/libipt_CONNMARK.c @@ -1,4 +1,24 @@ -/* Shared library add-on to iptables to add CONNMARK target support. */ +/* Shared library add-on to iptables to add CONNMARK target support. + * + * (C) 2002,2004 MARA Systems AB + * by Henrik Nordstrom + * + * Version 1.1 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ #include #include #include @@ -21,9 +41,9 @@ help(void) { printf( "CONNMARK target v%s options:\n" -" --set-mark value Set conntrack mark value\n" -" --save-mark Save the packet nfmark on the connection\n" -" --restore-mark Restore saved nfmark value\n" +" --set-mark value[/mask] Set conntrack mark value\n" +" --save-mark [--mask mask] Save the packet nfmark in the connection\n" +" --restore-mark [--mask mask] Restore saved nfmark value\n" "\n", IPTABLES_VERSION); } @@ -32,6 +52,7 @@ static struct option opts[] = { { "set-mark", 1, 0, '1' }, { "save-mark", 0, 0, '2' }, { "restore-mark", 0, 0, '3' }, + { "mask", 1, 0, '4' }, { 0 } }; @@ -55,7 +76,10 @@ parse(int c, char **argv, int invert, unsigned int *flags, char *end; case '1': markinfo->mode = IPT_CONNMARK_SET; + markinfo->mask = ~0; markinfo->mark = strtoul(optarg, &end, 0); + if (*end == '/' && end[1] != '\0') + markinfo->mask = strtoul(end+1, &end, 0); if (*end != '\0' || end == optarg) exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg); if (*flags) @@ -65,6 +89,7 @@ parse(int c, char **argv, int invert, unsigned int *flags, break; case '2': markinfo->mode = IPT_CONNMARK_SAVE; + markinfo->mask = ~0; if (*flags) exit_error(PARAMETER_PROBLEM, "CONNMARK target: Can't specify --save-mark twice"); @@ -72,11 +97,20 @@ parse(int c, char **argv, int invert, unsigned int *flags, break; case '3': markinfo->mode = IPT_CONNMARK_RESTORE; + markinfo->mask = ~0; if (*flags) exit_error(PARAMETER_PROBLEM, "CONNMARK target: Can't specify --restore-mark twice"); *flags = 1; break; + case '4': + if (!*flags) + exit_error(PARAMETER_PROBLEM, + "CONNMARK target: Can't specify --mask without a operation"); + markinfo->mark = strtoul(optarg, &end, 0); + if (*end != '\0' || end == optarg) + exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg); + break; default: return 0; } @@ -89,16 +123,10 @@ final_check(unsigned int flags) { if (!flags) exit_error(PARAMETER_PROBLEM, - "CONNMARK target: Parameter --set-mark is required"); -} - -static void -print_mark(unsigned long mark, int numeric) -{ - printf("0x%lx ", mark); + "CONNMARK target: No operation specified"); } -/* Prints out the targinfo. */ +/* Prints out the target info. */ static void print(const struct ipt_ip *ip, const struct ipt_entry_target *target, @@ -108,14 +136,21 @@ print(const struct ipt_ip *ip, (const struct ipt_connmark_target_info *)target->data; switch (markinfo->mode) { case IPT_CONNMARK_SET: - printf("CONNMARK set "); - print_mark(markinfo->mark, numeric); + printf("CONNMARK set 0x%lx", markinfo->mark); + if (markinfo->mask != ~0) + printf("/0x%lx", markinfo->mask); + printf(" "); break; case IPT_CONNMARK_SAVE: printf("CONNMARK save "); + if (markinfo->mask != ~0) + printf("mask 0x%lx", markinfo->mask); + printf(" "); break; case IPT_CONNMARK_RESTORE: printf("CONNMARK restore "); + if (markinfo->mask != ~0) + printf("mask 0x%lx", markinfo->mask); break; default: printf("ERROR: UNKNOWN CONNMARK MODE "); @@ -123,7 +158,7 @@ print(const struct ipt_ip *ip, } } -/* Saves the union ipt_targinfo in parsable form to stdout. */ +/* Saves the target into in parsable form to stdout. */ static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target) { @@ -132,13 +167,20 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) switch (markinfo->mode) { case IPT_CONNMARK_SET: - printf("--set-mark 0x%lx ", markinfo->mark); + printf("--set-mark 0x%lx", markinfo->mark); + if (markinfo->mask != ~0) + printf("/0x%lx", markinfo->mask); + printf(" "); break; case IPT_CONNMARK_SAVE: printf("--save-mark "); + if (markinfo->mask != ~0) + printf("--mask 0x%lx", markinfo->mask); break; case IPT_CONNMARK_RESTORE: printf("--restore-mark "); + if (markinfo->mask != ~0) + printf("--mask 0x%lx", markinfo->mask); break; default: printf("ERROR: UNKNOWN CONNMARK MODE "); @@ -146,23 +188,21 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) } } -static -struct iptables_target mark -= { NULL, - "CONNMARK", - IPTABLES_VERSION, - IPT_ALIGN(sizeof(struct ipt_connmark_target_info)), - IPT_ALIGN(sizeof(struct ipt_connmark_target_info)), - &help, - &init, - &parse, - &final_check, - &print, - &save, - opts +static struct iptables_target connmark_target = { + .name = "CONNMARK", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct ipt_connmark_target_info)), + .userspacesize = IPT_ALIGN(sizeof(struct ipt_connmark_target_info)), + .help = &help, + .init = &init, + .parse = &parse, + .final_check = &final_check, + .print = &print, + .save = &save, + .extra_opts = opts }; void _init(void) { - register_target(&mark); + register_target(&connmark_target); } diff --git a/extensions/libipt_CONNMARK.man b/extensions/libipt_CONNMARK.man index 64a0222..8b4de5a 100644 --- a/extensions/libipt_CONNMARK.man +++ b/extensions/libipt_CONNMARK.man @@ -1,13 +1,15 @@ -This target allows you to mark that connection with an arbitrary walue. This -value can later be matched via the -.B connmark -match. +This module sets the netfilter mark value associated with a connection .TP -.BI "--set-mark " "mark" -Set the conntrack mark, +.B --set-mark mark[/mask] +Set connection mark. If a mask is specified then only those bits set in the +mask is modified. .TP -.BI "--save-mark" -Save the packet nfmark on the connection mark. +.B --save-mark [--mask mask] +Copy the netfilter packet mark value to the connection mark. If a mask +is specified then only those bits are copied. .TP -.BI "--restore-mark" -Restore the saved nfmark value from the connection mark. +.B --restore-mark [--mask mask] +Copy the connection mark value to the packet. If a mask is specified +then only those bits are copied. This is only valid in the +.B mangle +table. diff --git a/extensions/libipt_connmark.c b/extensions/libipt_connmark.c index 8f81f02..6afb78e 100644 --- a/extensions/libipt_connmark.c +++ b/extensions/libipt_connmark.c @@ -1,4 +1,24 @@ -/* Shared library add-on to iptables to add CONNMARK matching support. */ +/* Shared library add-on to iptables to add connmark matching support. + * + * (C) 2002,2004 MARA Systems AB + * by Henrik Nordstrom + * + * Version 1.1 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ #include #include #include @@ -50,7 +70,7 @@ parse(int c, char **argv, int invert, unsigned int *flags, if (*end == '/') { markinfo->mask = strtoul(end+1, &end, 0); } else - markinfo->mask = 0xffffffff; + markinfo->mask = ~0; if (*end != '\0' || end == optarg) exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg); if (invert) @@ -67,7 +87,7 @@ parse(int c, char **argv, int invert, unsigned int *flags, static void print_mark(unsigned long mark, unsigned long mask, int numeric) { - if(mask != 0xffffffff) + if(mask != ~0) printf("0x%lx/0x%lx ", mark, mask); else printf("0x%lx ", mark); @@ -96,7 +116,7 @@ print(const struct ipt_ip *ip, print_mark(info->mark, info->mask, numeric); } -/* Saves the union ipt_matchinfo in parsable form to stdout. */ +/* Saves the matchinfo in parsable form to stdout. */ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) { @@ -109,23 +129,21 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match) print_mark(info->mark, info->mask, 0); } -static -struct iptables_match mark -= { NULL, - "connmark", - IPTABLES_VERSION, - IPT_ALIGN(sizeof(struct ipt_connmark_info)), - IPT_ALIGN(sizeof(struct ipt_connmark_info)), - &help, - &init, - &parse, - &final_check, - &print, - &save, - opts +static struct iptables_match connmark_match = { + .name = "connmark", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct ipt_connmark_info)), + .userspacesize = IPT_ALIGN(sizeof(struct ipt_connmark_info)), + .help = &help, + .init = &init, + .parse = &parse, + .final_check = &final_check, + .print = &print, + .save = &save, + .extra_opts = opts }; void _init(void) { - register_match(&mark); + register_match(&connmark_match); } diff --git a/extensions/libipt_connmark.man b/extensions/libipt_connmark.man new file mode 100644 index 0000000..a8e0600 --- /dev/null +++ b/extensions/libipt_connmark.man @@ -0,0 +1,9 @@ +This module matches the netfilter mark field associated with a connection +(which can be set using the +.B CONNMARK +target below). +.TP +.BI "--mark " "value[/mask]" +Matches packets in connections with the given mark value (if a mask is +specified, this is logically ANDed with the mark before the +comparison). -- cgit v1.2.3