authorPatrick McHardy <kaber@trash.net>2007-01-10 14:53:55 +0000
committerPatrick McHardy <kaber@trash.net>2007-01-10 14:53:55 +0000
commitb1f568309a09e61f892dee3c23279cecff0b0ff4 (patch)
tree06295bca2568729fb219dc9c0e57251e89f4399c
parent83321c034d75278d070192a3125bf176718f60da (diff)
Remove extensions for unmaintained/obsolete patchlets
-rwxr-xr-xextensions/.BALANCE-test2
-rwxr-xr-xextensions/.FTOS-test2
-rwxr-xr-xextensions/.IPMARK-test3
-rwxr-xr-xextensions/.NETLINK-test2
-rwxr-xr-xextensions/.TCPLAG-test2
-rwxr-xr-xextensions/.XOR-test2
-rwxr-xr-xextensions/.account-test3
-rwxr-xr-xextensions/.childlevel-test2
-rwxr-xr-xextensions/.connrate-test2
-rwxr-xr-xextensions/.dstlimit-test2
-rwxr-xr-xextensions/.fuzzy-test2
-rwxr-xr-xextensions/.fuzzy-test62
-rwxr-xr-xextensions/.mport-test2
-rwxr-xr-xextensions/.nth-test3
-rwxr-xr-xextensions/.nth-test63
-rwxr-xr-xextensions/.osf-test3
-rwxr-xr-xextensions/.psd-test3
-rwxr-xr-xextensions/.random-test3
-rwxr-xr-xextensions/.random-test63
-rwxr-xr-xextensions/.record-rpc-test3
-rwxr-xr-xextensions/.time-test3
-rw-r--r--extensions/Makefile4
-rw-r--r--extensions/libip6t_TRACE.c63
-rw-r--r--extensions/libip6t_TRACE.man3
-rw-r--r--extensions/libip6t_fuzzy.c156
-rw-r--r--extensions/libip6t_fuzzy.man7
-rw-r--r--extensions/libip6t_nth.c229
-rw-r--r--extensions/libip6t_nth.man14
-rw-r--r--extensions/libip6t_random.c150
-rw-r--r--extensions/libip6t_random.man4
-rw-r--r--extensions/libipt_BALANCE.c150
-rw-r--r--extensions/libipt_BALANCE.man4
-rw-r--r--extensions/libipt_FTOS.c133
-rw-r--r--extensions/libipt_IPMARK.c168
-rw-r--r--extensions/libipt_IPMARK.man45
-rw-r--r--extensions/libipt_NETLINK.c157
-rw-r--r--extensions/libipt_TCPLAG.c215
-rw-r--r--extensions/libipt_TRACE.c63
-rw-r--r--extensions/libipt_TRACE.man3
-rw-r--r--extensions/libipt_XOR.c114
-rw-r--r--extensions/libipt_XOR.man7
-rw-r--r--extensions/libipt_account.c277
-rw-r--r--extensions/libipt_account.man47
-rw-r--r--extensions/libipt_childlevel.c115
-rw-r--r--extensions/libipt_childlevel.man5
-rw-r--r--extensions/libipt_connlimit.c132
-rw-r--r--extensions/libipt_connlimit.man21
-rw-r--r--extensions/libipt_dstlimit.c340
-rw-r--r--extensions/libipt_dstlimit.man37
-rw-r--r--extensions/libipt_fuzzy.c158
-rw-r--r--extensions/libipt_fuzzy.man7
-rw-r--r--extensions/libipt_mport.c287
-rw-r--r--extensions/libipt_mport.man19
-rw-r--r--extensions/libipt_nth.c230
-rw-r--r--extensions/libipt_nth.man14
-rw-r--r--extensions/libipt_osf.c165
-rw-r--r--extensions/libipt_osf.man47
-rw-r--r--extensions/libipt_psd.c194
-rw-r--r--extensions/libipt_psd.man18
-rw-r--r--extensions/libipt_random.c150
-rw-r--r--extensions/libipt_random.man4
-rw-r--r--extensions/libipt_record_rpc.c65
-rw-r--r--extensions/libipt_rpc.c373
-rw-r--r--extensions/libipt_time.c549
-rw-r--r--extensions/libipt_time.man16
65 files changed, 2 insertions, 5009 deletions
diff --git a/extensions/.BALANCE-test b/extensions/.BALANCE-test
deleted file mode 100755
index 3a46d745..00000000
--- a/extensions/.BALANCE-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_BALANCE.c ] && echo BALANCE
diff --git a/extensions/.FTOS-test b/extensions/.FTOS-test
deleted file mode 100755
index d07fce7a..00000000
--- a/extensions/.FTOS-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_FTOS.h ] && echo FTOS
diff --git a/extensions/.IPMARK-test b/extensions/.IPMARK-test
deleted file mode 100755
index 7996c889..00000000
--- a/extensions/.IPMARK-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if IPMARK patch is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IPMARK.h ] && echo IPMARK
diff --git a/extensions/.NETLINK-test b/extensions/.NETLINK-test
deleted file mode 100755
index fe94c0c3..00000000
--- a/extensions/.NETLINK-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_NETLINK.c ] && echo NETLINK
diff --git a/extensions/.TCPLAG-test b/extensions/.TCPLAG-test
deleted file mode 100755
index 248f1281..00000000
--- a/extensions/.TCPLAG-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_TCPLAG.c ] && echo TCPLAG
diff --git a/extensions/.XOR-test b/extensions/.XOR-test
deleted file mode 100755
index 92707da2..00000000
--- a/extensions/.XOR-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_XOR.c ] && echo XOR
diff --git a/extensions/.account-test b/extensions/.account-test
deleted file mode 100755
index 68aeb166..00000000
--- a/extensions/.account-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if account match patch is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_account.h ] && echo account
diff --git a/extensions/.childlevel-test b/extensions/.childlevel-test
deleted file mode 100755
index 9f3b9658..00000000
--- a/extensions/.childlevel-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_childlevel.h ] && echo childlevel
diff --git a/extensions/.connrate-test b/extensions/.connrate-test
deleted file mode 100755
index d110c158..00000000
--- a/extensions/.connrate-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connrate.h ] && echo connrate
diff --git a/extensions/.dstlimit-test b/extensions/.dstlimit-test
deleted file mode 100755
index b7c8ef9b..00000000
--- a/extensions/.dstlimit-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_dstlimit.c ] && echo dstlimit
diff --git a/extensions/.fuzzy-test b/extensions/.fuzzy-test
deleted file mode 100755
index f6575a99..00000000
--- a/extensions/.fuzzy-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_fuzzy.h ] && echo fuzzy
diff --git a/extensions/.fuzzy-test6 b/extensions/.fuzzy-test6
deleted file mode 100755
index 034263e1..00000000
--- a/extensions/.fuzzy-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_fuzzy.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_fuzzy.h ] && echo fuzzy
diff --git a/extensions/.mport-test b/extensions/.mport-test
deleted file mode 100755
index 411a0839..00000000
--- a/extensions/.mport-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_mport.c ] && echo mport
diff --git a/extensions/.nth-test b/extensions/.nth-test
deleted file mode 100755
index 536da95d..00000000
--- a/extensions/.nth-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if nth is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_nth.h ] && echo nth
diff --git a/extensions/.nth-test6 b/extensions/.nth-test6
deleted file mode 100755
index 7dbe091a..00000000
--- a/extensions/.nth-test6
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if nth is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_nth.h ] && echo nth
diff --git a/extensions/.osf-test b/extensions/.osf-test
deleted file mode 100755
index bc3ad8f9..00000000
--- a/extensions/.osf-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if osf is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_osf.h ] && echo osf
diff --git a/extensions/.psd-test b/extensions/.psd-test
deleted file mode 100755
index 9d05088e..00000000
--- a/extensions/.psd-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if psd is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_psd.h ] && echo psd
diff --git a/extensions/.random-test b/extensions/.random-test
deleted file mode 100755
index 7626722f..00000000
--- a/extensions/.random-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if random is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_random.h ] && echo random
diff --git a/extensions/.random-test6 b/extensions/.random-test6
deleted file mode 100755
index 25a431fd..00000000
--- a/extensions/.random-test6
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if random is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_random.h ] && echo random
diff --git a/extensions/.record-rpc-test b/extensions/.record-rpc-test
deleted file mode 100755
index 4ff9fe24..00000000
--- a/extensions/.record-rpc-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#! /bin/sh
-# True if record rpc is applied.
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_record_rpc.c ] && echo record_rpc
diff --git a/extensions/.time-test b/extensions/.time-test
deleted file mode 100755
index 7f0390e2..00000000
--- a/extensions/.time-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if time is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_time.h ] && echo time
diff --git a/extensions/Makefile b/extensions/Makefile
index 036f302f..8baafee0 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -5,8 +5,8 @@
# header files are present in the include/linux directory of this iptables
# package (HW)
#
-PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TCPMSS TOS TRACE TTL ULOG
-PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
+PF_EXT_SLIB:=ah addrtype comment connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TCPMSS TOS TTL ULOG
+PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK
ifeq ($(DO_SELINUX), 1)
PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
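Review bot: The rewritten PF_EXT_SLIB and PF6_EXT_SLIB lines drop TRACE (from both lists) together with connlimit and rpc, but nothing in the hunk or the commit title says why TRACE, which this Makefile's own header comment classes as an extension whose headers ship in-tree, belongs with the "unmaintained/obsolete patchlets"; a later reader reconciling the static list against the deleted libipt_TRACE.c/libip6t_TRACE.c will have to guess. A short comment above the list would settle it, e.g. `# connlimit, rpc and TRACE dropped together with their extension sources; re-add here when a maintained kernel-side counterpart exists`. It would also be worth confirming that no remaining Makefile rule still references the removed `.*-test` detection scripts for these names, since that part of the file is outside the hunk.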
diff --git a/extensions/libip6t_TRACE.c b/extensions/libip6t_TRACE.c
deleted file mode 100644
index 00d85910..00000000
--- a/extensions/libip6t_TRACE.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/* Shared library add-on to iptables to add TRACE target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"TRACE target v%s takes no options\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- return 0;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-static
-struct ip6tables_target trace
-= { .next = NULL,
- .name = "TRACE",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(0),
- .userspacesize = IP6T_ALIGN(0),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = NULL, /* print */
- .save = NULL, /* save */
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&trace);
-}
diff --git a/extensions/libip6t_TRACE.man b/extensions/libip6t_TRACE.man
deleted file mode 100644
index 549ab33b..00000000
--- a/extensions/libip6t_TRACE.man
+++ /dev/null
@@ -1,3 +0,0 @@
-This target has no options. It just turns on
-.B packet tracing
-for all packets that match this rule.
diff --git a/extensions/libip6t_fuzzy.c b/extensions/libip6t_fuzzy.c
deleted file mode 100644
index 749ddc8f..00000000
--- a/extensions/libip6t_fuzzy.c
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for the fuzzy match.
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
-2002-08-07 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Initial version.
-2003-04-08 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 Port
-2003-06-09 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Bug corrections in
-the save function , thanks to information given by Jean-Francois Patenaude.
-
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_fuzzy.h>
-
-
-static void
-help(void)
-{
- printf(
-"fuzzy v%s options:\n"
-" --lower-limit number (in packets per second)\n"
-" --upper-limit number\n"
-,IPTABLES_VERSION);
-};
-
-static struct option opts[] = {
- { .name = "lower-limit", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "upper-limit", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = 0 }
-};
-
-/* Initialize data structures */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_fuzzy_info *presentinfo = (struct ip6t_fuzzy_info *)(m)->data;
- /*
- * Default rates ( I'll improve this very soon with something based
- * on real statistics of the running machine ) .
- */
-
- presentinfo->minimum_rate = 1000;
- presentinfo->maximum_rate = 2000;
-}
-
-#define IP6T_FUZZY_OPT_MINIMUM 0x01
-#define IP6T_FUZZY_OPT_MAXIMUM 0x02
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_fuzzy_info *fuzzyinfo =
- (struct ip6t_fuzzy_info *)(*match)->data;
-
- u_int32_t num;
-
- switch (c) {
-
- case '1':
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
-
- if (*flags & IP6T_FUZZY_OPT_MINIMUM)
- exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
-
- if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
-
- fuzzyinfo->minimum_rate = num ;
-
- *flags |= IP6T_FUZZY_OPT_MINIMUM;
-
- break;
-
- case '2':
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
-
- if (*flags & IP6T_FUZZY_OPT_MAXIMUM)
- exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
-
- if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
-
- fuzzyinfo->maximum_rate = num;
-
- *flags |= IP6T_FUZZY_OPT_MAXIMUM;
-
- break ;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
-}
-
-static void
-print(const struct ip6t_ip6 *ipv6,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_fuzzy_info *fuzzyinfo
- = (const struct ip6t_fuzzy_info *)match->data;
-
- printf(" fuzzy: lower limit = %u pps - upper limit = %u pps ",
- fuzzyinfo->minimum_rate, fuzzyinfo->maximum_rate);
-}
-
-/* Saves the union ip6t_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ipv6, const struct ip6t_entry_match *match)
-{
- const struct ip6t_fuzzy_info *fuzzyinfo
- = (const struct ip6t_fuzzy_info *)match->data;
-
- printf("--lower-limit %u --upper-limit %u ",
- fuzzyinfo->minimum_rate, fuzzyinfo->maximum_rate);
-}
-
-struct ip6tables_match fuzzy_match = {
- .name = "fuzzy",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_fuzzy_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_fuzzy_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match6(&fuzzy_match);
-}
diff --git a/extensions/libip6t_fuzzy.man b/extensions/libip6t_fuzzy.man
deleted file mode 100644
index 397727aa..00000000
--- a/extensions/libip6t_fuzzy.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This module matches a rate limit based on a fuzzy logic controller [FLC]
-.TP
-.BI "--lower-limit " "number"
-Specifies the lower limit (in packets per second).
-.TP
-.BI "--upper-limit " "number"
-Specifies the upper limit (in packets per second).
diff --git a/extensions/libip6t_nth.c b/extensions/libip6t_nth.c
deleted file mode 100644
index 19b13f79..00000000
--- a/extensions/libip6t_nth.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for every Nth packet
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
- 2001-07-17 Fabrice MARIE <fabrice@netfilter.org> : initial development.
- 2001-09-20 Richard Wagner (rwagner@cloudnet.com)
- * added support for multiple counters
- * added support for matching on individual packets
- in the counter cycle
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_nth.h>
-
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"nth v%s options:\n"
-" --every Nth Match every Nth packet\n"
-" [--counter] num Use counter 0-%u (default:0)\n"
-" [--start] num Initialize the counter at the number 'num'\n"
-" instead of 0. Must be between 0 and Nth-1\n"
-" [--packet] num Match on 'num' packet. Must be between 0\n"
-" and Nth-1.\n\n"
-" If --packet is used for a counter than\n"
-" there must be Nth number of --packet\n"
-" rules, covering all values between 0 and\n"
-" Nth-1 inclusively.\n",
-IPTABLES_VERSION, IP6T_NTH_NUM_COUNTERS-1);
-}
-
-static struct option opts[] = {
- { "every", 1, 0, '1' },
- { "start", 1, 0, '2' },
- { "counter", 1, 0, '3' },
- { "packet", 1, 0, '4' },
- { 0 }
-};
-
-#define IP6T_NTH_OPT_EVERY 0x01
-#define IP6T_NTH_OPT_NOT_EVERY 0x02
-#define IP6T_NTH_OPT_START 0x04
-#define IP6T_NTH_OPT_COUNTER 0x08
-#define IP6T_NTH_OPT_PACKET 0x10
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_nth_info *nthinfo = (struct ip6t_nth_info *)(*match)->data;
- unsigned int num;
-
- switch (c) {
- case '1':
- /* check for common mistakes... */
- if ((!invert) && (*flags & IP6T_NTH_OPT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --every twice");
- if (invert && (*flags & IP6T_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --every twice");
- if ((!invert) && (*flags & IP6T_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --every with ! --every");
- if (invert && (*flags & IP6T_NTH_OPT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --every with --every");
-
- /* Remember, this function will interpret a leading 0 to be
- Octal, a leading 0x to be hexdecimal... */
- if (string_to_number(optarg, 2, 100, &num) == -1 || num < 2)
- exit_error(PARAMETER_PROBLEM,
- "bad --every `%s', must be between 2 and 100", optarg);
-
- /* assign the values */
- nthinfo->every = num-1;
- nthinfo->startat = 0;
- nthinfo->packet = 0xFF;
- if(!(*flags & IP6T_NTH_OPT_EVERY))
- {
- nthinfo->counter = 0;
- }
- if (invert)
- {
- *flags |= IP6T_NTH_OPT_NOT_EVERY;
- nthinfo->not = 1;
- }
- else
- {
- *flags |= IP6T_NTH_OPT_EVERY;
- nthinfo->not = 0;
- }
- break;
- case '2':
- /* check for common mistakes... */
- if (!((*flags & IP6T_NTH_OPT_EVERY) ||
- (*flags & IP6T_NTH_OPT_NOT_EVERY)))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --start before --every");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --start");
- if (*flags & IP6T_NTH_OPT_START)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --start twice");
- if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --start `%s', must between 0 and %u", optarg, nthinfo->every);
- *flags |= IP6T_NTH_OPT_START;
- nthinfo->startat = num;
- break;
- case '3':
- /* check for common mistakes... */
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --counter");
- if (*flags & IP6T_NTH_OPT_COUNTER)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --counter twice");
- if (string_to_number(optarg, 0, IP6T_NTH_NUM_COUNTERS-1, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --counter `%s', must between 0 and %u", optarg, IP6T_NTH_NUM_COUNTERS-1);
- /* assign the values */
- *flags |= IP6T_NTH_OPT_COUNTER;
- nthinfo->counter = num;
- break;
- case '4':
- /* check for common mistakes... */
- if (!((*flags & IP6T_NTH_OPT_EVERY) ||
- (*flags & IP6T_NTH_OPT_NOT_EVERY)))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet before --every");
- if ((*flags & IP6T_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet with ! --every");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --packet");
- if (*flags & IP6T_NTH_OPT_PACKET)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet twice");
- if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --packet `%s', must between 0 and %u", optarg, nthinfo->every);
- *flags |= IP6T_NTH_OPT_PACKET;
- nthinfo->packet = num;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_nth_info *nthinfo
- = (const struct ip6t_nth_info *)match->data;
-
- if (nthinfo->not == 1)
- printf(" !");
- printf("every %uth ", (nthinfo->every +1));
- if (nthinfo->counter != 0)
- printf("counter #%u ", (nthinfo->counter));
- if (nthinfo->packet != 0xFF)
- printf("packet #%u ", nthinfo->packet);
- if (nthinfo->startat != 0)
- printf("start at %u ", nthinfo->startat);
-}
-
-/* Saves the union ip6t_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_nth_info *nthinfo
- = (const struct ip6t_nth_info *)match->data;
-
- if (nthinfo->not == 1)
- printf("! ");
- printf("--every %u ", (nthinfo->every +1));
- printf("--counter %u ", (nthinfo->counter));
- if (nthinfo->startat != 0)
- printf("--start %u ", nthinfo->startat );
- if (nthinfo->packet != 0xFF)
- printf("--packet %u ", nthinfo->packet );
-}
-
-struct ip6tables_match nth = {
- .name = "nth",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&nth);
-}
diff --git a/extensions/libip6t_nth.man b/extensions/libip6t_nth.man
deleted file mode 100644
index d215fd55..00000000
--- a/extensions/libip6t_nth.man
+++ /dev/null
@@ -1,14 +0,0 @@
-This module matches every `n'th packet
-.TP
-.BI "--every " "value"
-Match every `value' packet
-.TP
-.BI "[" "--counter " "num" "]"
-Use internal counter number `num'. Default is `0'.
-.TP
-.BI "[" "--start " "num" "]"
-Initialize the counter at the number `num' insetad of `0'. Most between `0'
-and `value'-1.
-.TP
-.BI "[" "--packet " "num" "]"
-Match on `num' packet. Most be between `0' and `value'-1.
diff --git a/extensions/libip6t_random.c b/extensions/libip6t_random.c
deleted file mode 100644
index d34a2308..00000000
--- a/extensions/libip6t_random.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for random match.
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
- 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial development.
- 2003-04-30 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 port.
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_random.h>
-
-/**
- * The kernel random routing returns numbers between 0 and 255.
- * To ease the task of the user in choosing the probability
- * of matching, we want him to be able to use percentages.
- * Therefore we have to accept numbers in percentage here,
- * turn them into number between 0 and 255 for the kernel module,
- * and turn them back to percentages when we print/save
- * the rule.
- */
-
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"random v%s options:\n"
-" [--average] percent The probability in percentage of the match\n"
-" If ommited, a probability of 50%% percent is set.\n"
-" Percentage must be within : 1 <= percent <= 99.\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "average", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(m)->data;
-
- /* We assign the average to be 50 which is our default value */
- /* 50 * 2.55 = 128 */
- randinfo->average = 128;
-}
-
-#define IP6T_RAND_OPT_AVERAGE 0x01
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(*match)->data;
- unsigned int num;
-
- switch (c) {
- case '1':
- /* check for common mistakes... */
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --average");
- if (*flags & IP6T_RAND_OPT_AVERAGE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --average twice");
-
- /* Remember, this function will interpret a leading 0 to be
- Octal, a leading 0x to be hexdecimal... */
- if (string_to_number(optarg, 1, 99, &num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,
- "bad --average `%s', must be between 1 and 99", optarg);
-
- /* assign the values */
- randinfo->average = (int)(num * 2.55);
- *flags |= IP6T_RAND_OPT_AVERAGE;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_rand_info *randinfo
- = (const struct ip6t_rand_info *)match->data;
- div_t result = div((randinfo->average*100), 255);
- if (result.rem > 127) /* round up... */
- ++result.quot;
-
- printf(" random %u%% ", result.quot);
-}
-
-/* Saves the union ip6t_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_rand_info *randinfo
- = (const struct ip6t_rand_info *)match->data;
- div_t result = div((randinfo->average *100), 255);
- if (result.rem > 127) /* round up... */
- ++result.quot;
-
- printf("--average %u ", result.quot);
-}
-
-struct ip6tables_match rand_match = {
- .name = "random",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_rand_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_rand_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&rand_match);
-}
diff --git a/extensions/libip6t_random.man b/extensions/libip6t_random.man
deleted file mode 100644
index f808a779..00000000
--- a/extensions/libip6t_random.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module randomly matches a certain percentage of all packets.
-.TP
-.BI "--average " "percent"
-Matches the given percentage. If omitted, a probability of 50% is set.
diff --git a/extensions/libipt_BALANCE.c b/extensions/libipt_BALANCE.c
deleted file mode 100644
index 6d6392f8..00000000
--- a/extensions/libipt_BALANCE.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/* Shared library add-on to iptables to add simple load-balance support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-
-#define BREAKUP_IP(x) (x)>>24, ((x)>>16) & 0xFF, ((x)>>8) & 0xFF, (x) & 0xFF
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"BALANCE v%s options:\n"
-" --to-destination <ipaddr>-<ipaddr>\n"
-" Addresses to map destination to.\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "to-destination", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ip_nat_multi_range *mr = (struct ip_nat_multi_range *)t->data;
-
- /* Actually, it's 0, but it's ignored at the moment. */
- mr->rangesize = 1;
-
-}
-
-/* Parses range of IPs */
-static void
-parse_to(char *arg, struct ip_nat_range *range)
-{
- char *dash;
- struct in_addr *ip;
-
- range->flags |= IP_NAT_RANGE_MAP_IPS;
- dash = strchr(arg, '-');
- if (dash)
- *dash = '\0';
- else
- exit_error(PARAMETER_PROBLEM, "Bad IP range `%s'\n", arg);
-
- ip = dotted_to_addr(arg);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- arg);
- range->min_ip = ip->s_addr;
- ip = dotted_to_addr(dash+1);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- dash+1);
- range->max_ip = ip->s_addr;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)(*target)->data;
-
- switch (c) {
- case '1':
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --to-destination");
-
- parse_to(optarg, &mr->range[0]);
- *flags = 1;
- return 1;
-
- default:
- return 0;
- }
-}
-
-/* Final check; need --to-dest. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "BALANCE needs --to-destination");
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)target->data;
- struct ip_nat_range *r = &mr->range[0];
- struct in_addr a;
-
- a.s_addr = r->min_ip;
-
- printf("balance %s", addr_to_dotted(&a));
- a.s_addr = r->max_ip;
- printf("-%s ", addr_to_dotted(&a));
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)target->data;
- struct ip_nat_range *r = &mr->range[0];
- struct in_addr a;
-
- a.s_addr = r->min_ip;
- printf("--to-destination %s", addr_to_dotted(&a));
- a.s_addr = r->max_ip;
- printf("-%s ", addr_to_dotted(&a));
-}
-
-static struct iptables_target balance = {
- .next = NULL,
- .name = "BALANCE",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&balance);
-}
diff --git a/extensions/libipt_BALANCE.man b/extensions/libipt_BALANCE.man
deleted file mode 100644
index 0eb09d07..00000000
--- a/extensions/libipt_BALANCE.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This allows you to DNAT connections in a round-robin way over a given range of destination addresses.
-.TP
-.BI "--to-destination " "ipaddr-ipaddr"
-Address range to round-robin over.
diff --git a/extensions/libipt_FTOS.c b/extensions/libipt_FTOS.c
deleted file mode 100644
index 62df4cde..00000000
--- a/extensions/libipt_FTOS.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/* Shared library add-on to iptables for FTOS
- *
- * (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- * libipt_FTOS.c borrowed heavily from libipt_TOS.c 11/09/2000
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_FTOS.h>
-
-struct finfo {
- struct ipt_entry_target t;
- u_int8_t ftos;
-};
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
-"FTOS target options\n"
-" --set-ftos value Set TOS field in packet header to value\n"
-" This value can be in decimal (ex: 32)\n"
-" or in hex (ex: 0x20)\n"
-);
-}
-
-static struct option opts[] = {
- { "set-ftos", 1, 0, 'F' },
- { 0 }
-};
-
-static void
-parse_ftos(const unsigned char *s, struct ipt_FTOS_info *finfo)
-{
- unsigned int ftos;
-
- if (string_to_number(s, 0, 255, &ftos) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid ftos `%s'\n", s);
- finfo->ftos = (u_int8_t )ftos;
- return;
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_FTOS_info *finfo
- = (struct ipt_FTOS_info *)(*target)->data;
-
- switch (c) {
- case 'F':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "FTOS target: Only use --set-ftos ONCE!");
- parse_ftos(optarg, finfo);
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "FTOS target: Parameter --set-ftos is required");
-}
-
-static void
-print_ftos(u_int8_t ftos, int numeric)
-{
- printf("0x%02x ", ftos);
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_FTOS_info *finfo =
- (const struct ipt_FTOS_info *)target->data;
- printf("TOS set ");
- print_ftos(finfo->ftos, numeric);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_FTOS_info *finfo =
- (const struct ipt_FTOS_info *)target->data;
-
- printf("--set-ftos 0x%02x ", finfo->ftos);
-}
-
-static struct iptables_target ftos = {
- .next = NULL,
- .name = "FTOS",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_FTOS_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_FTOS_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&ftos);
-}
diff --git a/extensions/libipt_IPMARK.c b/extensions/libipt_IPMARK.c
deleted file mode 100644
index 3e0942de..00000000
--- a/extensions/libipt_IPMARK.c
+++ /dev/null
@@ -1,168 +0,0 @@
-/* Shared library add-on to iptables to add IPMARK target support.
- * (C) 2003 by Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>
- *
- * based on original MARK target
- *
- * This program is distributed under the terms of GNU GPL
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_IPMARK.h>
-
-#define IPT_ADDR_USED 1
-#define IPT_AND_MASK_USED 2
-#define IPT_OR_MASK_USED 4
-
-struct ipmarkinfo {
- struct ipt_entry_target t;
- struct ipt_ipmark_target_info ipmark;
-};
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"IPMARK target v%s options:\n"
-" --addr src/dst use source or destination ip address\n"
-" --and-mask value logical AND ip address with this value becomes MARK\n"
-" --or-mask value logical OR ip address with this value becomes MARK\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "addr", 1, 0, '1' },
- { "and-mask", 1, 0, '2' },
- { "or-mask", 1, 0, '3' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ipt_ipmark_target_info *ipmarkinfo =
- (struct ipt_ipmark_target_info *)t->data;
-
- ipmarkinfo->andmask=0xffffffff;
- ipmarkinfo->ormask=0;
-
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_ipmark_target_info *ipmarkinfo
- = (struct ipt_ipmark_target_info *)(*target)->data;
-
- switch (c) {
- char *end;
- case '1':
- if(!strcmp(optarg, "src")) ipmarkinfo->addr=IPT_IPMARK_SRC;
- else if(!strcmp(optarg, "dst")) ipmarkinfo->addr=IPT_IPMARK_DST;
- else exit_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
- if (*flags & IPT_ADDR_USED)
- exit_error(PARAMETER_PROBLEM,
- "IPMARK target: Can't specify --addr twice");
- *flags |= IPT_ADDR_USED;
- break;
-
- case '2':
- ipmarkinfo->andmask = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad and-mask value `%s'", optarg);
- if (*flags & IPT_AND_MASK_USED)
- exit_error(PARAMETER_PROBLEM,
- "IPMARK target: Can't specify --and-mask twice");
- *flags |= IPT_AND_MASK_USED;
- break;
- case '3':
- ipmarkinfo->ormask = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad or-mask value `%s'", optarg);
- if (*flags & IPT_OR_MASK_USED)
- exit_error(PARAMETER_PROBLEM,
- "IPMARK target: Can't specify --or-mask twice");
- *flags |= IPT_OR_MASK_USED;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!(flags & IPT_ADDR_USED))
- exit_error(PARAMETER_PROBLEM,
- "IPMARK target: Parameter --addr is required");
- if (!(flags & (IPT_AND_MASK_USED | IPT_OR_MASK_USED)))
- exit_error(PARAMETER_PROBLEM,
- "IPMARK target: Parameter --and-mask or --or-mask is required");
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_ipmark_target_info *ipmarkinfo =
- (const struct ipt_ipmark_target_info *)target->data;
-
- if(ipmarkinfo->addr == IPT_IPMARK_SRC)
- printf("IPMARK src");
- else
- printf("IPMARK dst");
- printf(" ip and 0x%lx or 0x%lx", ipmarkinfo->andmask, ipmarkinfo->ormask);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_ipmark_target_info *ipmarkinfo =
- (const struct ipt_ipmark_target_info *)target->data;
-
- if(ipmarkinfo->addr == IPT_IPMARK_SRC)
- printf("--addr=src ");
- else
- printf("--addr=dst ");
- if(ipmarkinfo->andmask != 0xffffffff)
- printf("--and-mask 0x%lx ", ipmarkinfo->andmask);
- if(ipmarkinfo->ormask != 0)
- printf("--or-mask 0x%lx ", ipmarkinfo->ormask);
-}
-
-static struct iptables_target ipmark = {
- .next = NULL,
- .name = "IPMARK",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&ipmark);
-}
diff --git a/extensions/libipt_IPMARK.man b/extensions/libipt_IPMARK.man
deleted file mode 100644
index e4659b01..00000000
--- a/extensions/libipt_IPMARK.man
+++ /dev/null
@@ -1,45 +0,0 @@
-Allows you to mark a received packet basing on its IP address. This
-can replace many mangle/mark entries with only one, if you use
-firewall based classifier.
-
-This target is to be used inside the mangle table, in the PREROUTING,
-POSTROUTING or FORWARD hooks.
-.TP
-.BI "--addr " "src/dst"
-Use source or destination IP address.
-.TP
-.BI "--and-mask " "mask"
-Perform bitwise `and' on the IP address and this mask.
-.TP
-.BI "--or-mask " "mask"
-Perform bitwise `or' on the IP address and this mask.
-.P
-The order of IP address bytes is reversed to meet "human order of bytes":
-192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
-`or'.
-
-Examples:
-
-We create a queue for each user, the queue number is adequate
-to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
-are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
-
-We have one classifier rule:
-.IP
-tc filter add dev eth3 parent 1:0 protocol ip fw
-.P
-Earlier we had many rules just like below:
-.IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
---set-mark 0x10502
-.IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
---set-mark 0x10503
-.P
-Using IPMARK target we can replace all the mangle/mark rules with only one:
-.IP
-iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
---and-mask=0xffff --or-mask=0x10000
-.P
-On the routers with hundreds of users there should be significant load
-decrease (e.g. twice).
diff --git a/extensions/libipt_NETLINK.c b/extensions/libipt_NETLINK.c
deleted file mode 100644
index 403c4139..00000000
--- a/extensions/libipt_NETLINK.c
+++ /dev/null
@@ -1,157 +0,0 @@
-/* Provides a NETLINK target, identical to that of the ipchains -o flag */
-/* AUTHOR: Gianni Tedesco <gianni@ecsc.co.uk> */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_NETLINK.h>
-
-static void help(void)
-{
- printf("NETLINK v%s options:\n"
- " --nldrop Drop the packet too\n"
- " --nlmark <number> Mark the packet\n"
- " --nlsize <bytes> Limit packet size\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {"nldrop", 0, 0, 'd'},
- {"nlmark", 1, 0, 'm'},
- {"nlsize", 1, 0, 's'},
- {0}
-};
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ipt_nldata *nld = (struct ipt_nldata *) t->data;
-
- nld->flags=0;
-
-}
-
-/* Parse command options */
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_nldata *nld=(struct ipt_nldata *)(*target)->data;
-
- switch (c) {
- case 'd':
- if (MASK(*flags, USE_DROP))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nldrop twice");
-
- if ( check_inverse(optarg, &invert, NULL, 0) ) {
- MASK_UNSET(nld->flags, USE_DROP);
- } else {
- MASK_SET(nld->flags, USE_DROP);
- }
-
- MASK_SET(*flags, USE_DROP);
-
- break;
- case 'm':
- if (MASK(*flags, USE_MARK))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nlmark twice");
-
- if (check_inverse(optarg, &invert, NULL, 0)) {
- MASK_UNSET(nld->flags, USE_MARK);
- }else{
- MASK_SET(nld->flags, USE_MARK);
- nld->mark=atoi(optarg);
- }
-
- MASK_SET(*flags, USE_MARK);
- break;
- case 's':
- if (MASK(*flags, USE_SIZE))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nlsize twice");
-
- if ( atoi(optarg) <= 0 )
- exit_error(PARAMETER_PROBLEM,
- "--nlsize must be larger than zero");
-
-
- if (check_inverse(optarg, &invert, NULL, 0)) {
- MASK_UNSET(nld->flags, USE_SIZE);
- }else{
- MASK_SET(nld->flags, USE_SIZE);
- nld->size=atoi(optarg);
- }
- MASK_SET(*flags, USE_SIZE);
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- /* ?? */
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip,
- const struct ipt_entry_target *target)
-{
- const struct ipt_nldata *nld
- = (const struct ipt_nldata *) target->data;
-
- if ( MASK(nld->flags, USE_DROP) )
- printf("--nldrop ");
-
- if ( MASK(nld->flags, USE_MARK) )
- printf("--nlmark %i ", nld->mark);
-
- if ( MASK(nld->flags, USE_SIZE) )
- printf("--nlsize %i ", nld->size);
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target, int numeric)
-{
- const struct ipt_nldata *nld
- = (const struct ipt_nldata *) target->data;
-
- if ( MASK(nld->flags, USE_DROP) )
- printf("nldrop ");
-
- if ( MASK(nld->flags, USE_MARK) )
- printf("nlmark %i ", nld->mark);
-
- if ( MASK(nld->flags, USE_SIZE) )
- printf("nlsize %i ", nld->size);
-}
-
-static struct iptables_target netlink = {
- .next = NULL,
- .name = "NETLINK",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_nldata)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_nldata)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&netlink);
-}
-
diff --git a/extensions/libipt_TCPLAG.c b/extensions/libipt_TCPLAG.c
deleted file mode 100644
index 3042d738..00000000
--- a/extensions/libipt_TCPLAG.c
+++ /dev/null
@@ -1,215 +0,0 @@
-/* libipt_TCPLAG.c -- module for iptables to interface with TCPLAG target
- * Copyright (C) 2002 Telford Tendys <telford@triode.net.au>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-/*
- * Shared library add-on to iptables for TCPLAG target control
- *
- * This allows installation and removal of the TCPLAG target
- * Note that there is a lot more commentary in this file than
- * the average libipt target (i.e. more than none) but these
- * are just my deductions based on examination of the source
- * and
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TCPLAG.h>
-
-/*
- * This merely dumps out text for the user
- * (saves keeping the manpage up to date)
- */
-static void help( void )
-{
- printf( "TCPLAG options:\n"
- " --log-level=n Set the syslog level to n (integer 0 to 7)\n\n"
- " --log-prefix=xx Prefix log messages with xx\n" );
-}
-
-/*
- * See "man getopt_long" for an explanation of this structure
- *
- * If one of our options DOES happen to come up then we get
- * a callback into parse(), our vals must not overlap with any
- * normal iptables short options (I think) because there is only
- * one actual options handler and it can't tell whose options it
- * is really looking at unless they are all distinct.
- *
- * These are exactly the same as the LOG target options
- * and have the same purpose.
- */
-static const struct option opts[] =
-{
- { "log-level", 1, 0, '!' },
- { "log-prefix", 1, 0, '#' },
- { 0 }
-};
-
-/*
- * This gives us a chance to install some initial values in
- * our own private data structure (which is at t->data).
- * Probably we could fiddle with t->tflags too but there is
- * no great advantage in doing so.
- */
-static void init( struct ipt_entry_target *t, unsigned int *nfcache )
-{
- struct ipt_tcplag *el = (struct ipt_tcplag *)t->data;
- memset( el, 0, sizeof( struct ipt_tcplag ));
- el->level = 4; /* Default to warning level */
- strcpy( el->prefix, "TCPLAG:" ); /* Give a reasonable default prefix */
-}
-
-/*
- * It doesn't take much thought to see how little thought has gone into
- * this particular API. However, to add to that I'd just like to say that
- * it can be made to work and small miracles are still miracles.
- *
- * The input parameters are as follows:
- *
- * c -- the 'val' from opts[] above, could possibly be something
- * we cannot recognise in which case return(0).
- * If we do recognise it then return(1).
- *
- * argv -- in case we want to take parameters from the command line,
- * not sure how to safely ensure that the parameter that
- * we want to take will really exist, presumably getopt_long()
- * will have already checked such things (what about optional
- * parameters huh?).
- *
- * invert -- if the option parameter had '!' in front of it, usually this
- * would inversion of the matching sense but I don't think it
- * is useful in the case of targets.
- *
- * flags -- always (*target)->tflags for those who feel it is better
- * to access this field indirectly <shrug> starts of
- * zero for a fresh target, gets fed into final_check().
- *
- * entry -- apparently useless
- *
- * target -- the record that holds data about this target,
- * most importantly, our private data is (*target)->data
- * (this has already been malloced for us).
- */
-static int parse( int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry, struct ipt_entry_target **target )
-{
- struct ipt_tcplag *el = (struct ipt_tcplag *)( *target )->data;
-/*
- * Yeah, we could complain about options being issued twice but
- * is it really worth the trouble? Will it make the world a better place?
- */
- switch( c )
- {
-/*
- * I really can't be bothered with the syslog naming convention,
- * it isn't terribly useful anyhow.
- */
- case '!':
- el->level = strtol( optarg, 0, 10 );
- return( 1 );
-/*
- * 15 chars should be plenty
- */
- case '#':
- strncpy( el->prefix, optarg, 15 );
- el->prefix[ 14 ] = 0; /* Force termination */
- return( 1 );
- }
- return( 0 );
-}
-
-/*
- * This gets given the (*target)->tflags value from
- * the parse() above and it gets called after all the
- * parsing of options is completed. Thus if one option
- * requires another option you can test the flags and
- * decide whether everything is in order.
- *
- * If there is a problem then do something like:
- * exit_error( PARAMETER_PROBLEM, "foobar parameters detected in TCPLAG target");
- *
- * In this case, no errors are possible
- */
-static void final_check( unsigned int flags ) { }
-/*
- * This print is for the purpose of user-readable display
- * such as what "iptables -L" would give. The notes in
- * iptables.h say that target could possibly be a null pointer
- * but coding of the various libipt_XX.c modules suggests
- * that it is safe to presume target is correctly initialised.
- */
-static void print(const struct ipt_ip *ip, const struct ipt_entry_target *target, int numeric)
-{
- const struct ipt_tcplag *el = (const struct ipt_tcplag *)target->data;
- printf("TCPLAG <%d>", el->level );
- if( el->prefix[ 0 ])
- {
- printf( "%s", el->prefix );
- }
-}
-
-/*
- * As above but command-line style printout
- * (machine-readable for restoring table)
- */
-static void save( const struct ipt_ip *ip, const struct ipt_entry_target *target )
-{
- const struct ipt_tcplag *el = (const struct ipt_tcplag *)target->data;
- printf("TCPLAG --log-level=%d", el->level );
- if( el->prefix[ 0 ])
- {
-/*
- * FIXME: Should have smarter quoting
- */
- printf( " --log-prefix='%s'", el->prefix );
- }
-}
-
-/*
- * The version must match the iptables version exactly
- * which is a big pain, could use `iptables -V` in makefile
- * but we can't guarantee compatibility with all iptables
- * so we are stuck with only supporting one particular version.
- */
-static struct iptables_target targ =
-{
-next: 0,
-name: "TCPLAG",
-version: IPTABLES_VERSION,
-size: IPT_ALIGN( sizeof( struct ipt_tcplag )),
-userspacesize: IPT_ALIGN( sizeof( struct ipt_tcplag )),
-help: &help,
-init: &init,
-parse: &parse,
-final_check: &final_check,
-print: &print,
-save: &save,
-extra_opts: opts
-};
-
-/*
- * Always nervous trusting _init() but oh well that is the standard
- * so have to go ahead and use it. This registers your target into
- * the list of available targets so that your options become available.
- */
-void _init( void ) { register_target( &targ ); }
diff --git a/extensions/libipt_TRACE.c b/extensions/libipt_TRACE.c
deleted file mode 100644
index 72179991..00000000
--- a/extensions/libipt_TRACE.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/* Shared library add-on to iptables to add TRACE target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"TRACE target v%s takes no options\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- return 0;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-static
-struct iptables_target trace
-= { .next = NULL,
- .name = "TRACE",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(0),
- .userspacesize = IPT_ALIGN(0),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = NULL, /* print */
- .save = NULL, /* save */
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&trace);
-}
diff --git a/extensions/libipt_TRACE.man b/extensions/libipt_TRACE.man
deleted file mode 100644
index 549ab33b..00000000
--- a/extensions/libipt_TRACE.man
+++ /dev/null
@@ -1,3 +0,0 @@
-This target has no options. It just turns on
-.B packet tracing
-for all packets that match this rule.
diff --git a/extensions/libipt_XOR.c b/extensions/libipt_XOR.c
deleted file mode 100644
index 23979164..00000000
--- a/extensions/libipt_XOR.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* Shared library add-on to iptables for the XOR target
- * (C) 2000 by Tim Vandermeersch <Tim.Vandermeersch@pandora.be>
- * Based on libipt_TTL.c
- *
- * Version 1.0
- *
- * This program is distributed under the terms of GNU GPL
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_XOR.h>
-
-#define IPT_KEY_SET 1
-#define IPT_BLOCKSIZE_SET 2
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
- "XOR target v%s options\n"
- " --key string Set key to \"string\"\n"
- " --block-size Set block size\n",
- IPTABLES_VERSION);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_XOR_info *info = (struct ipt_XOR_info *) (*target)->data;
-
- if (!optarg)
- exit_error(PARAMETER_PROBLEM, "XOR: too few arguments");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM, "XOR: unexpected '!'");
-
- switch (c) {
- case '1':
- strncpy(info->key, optarg, 30);
- info->key[29] = '\0';
- *flags |= IPT_KEY_SET;
- break;
- case '2':
- info->block_size = atoi(optarg);
- *flags |= IPT_BLOCKSIZE_SET;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!(flags & IPT_KEY_SET))
- exit_error(PARAMETER_PROBLEM, "XOR: You must specify a key");
- if (!(flags & IPT_BLOCKSIZE_SET))
- exit_error(PARAMETER_PROBLEM, "XOR: You must specify a block-size");
-}
-
-static void save (const struct ipt_ip *ip,
- const struct ipt_entry_target *target)
-{
- const struct ipt_XOR_info *info = (struct ipt_XOR_info *) target->data;
-
- printf("--key %s ", info->key);
- printf("--block-size %u ", info->block_size);
-}
-
-static void print (const struct ipt_ip *ip,
- const struct ipt_entry_target *target, int numeric)
-{
- const struct ipt_XOR_info *info = (struct ipt_XOR_info *) target->data;
-
- printf("key: %s ", info->key);
- printf("block-size: %u ", info->block_size);
-}
-
-static struct option opts[] = {
- { "key", 1, 0, '1' },
- { "block-size", 1, 0, '2' },
- { 0 }
-};
-
-static struct iptables_target XOR = {
- .next = NULL,
- .name = "XOR",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_XOR_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_XOR_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&XOR);
-}
diff --git a/extensions/libipt_XOR.man b/extensions/libipt_XOR.man
deleted file mode 100644
index 712b4723..00000000
--- a/extensions/libipt_XOR.man
+++ /dev/null
@@ -1,7 +0,0 @@
-Encrypt TCP and UDP traffic using a simple XOR encryption
-.TP
-.BI "--key " "string"
-Set key to "string"
-.TP
-.BI "--block-size"
-Set block size
diff --git a/extensions/libipt_account.c b/extensions/libipt_account.c
deleted file mode 100644
index d049a03d..00000000
--- a/extensions/libipt_account.c
+++ /dev/null
@@ -1,277 +0,0 @@
-/*
- * accounting match helper (libipt_account.c)
- * (C) 2003,2004 by Piotr Gasid³o (quaker@barbara.eu.org)
- *
- * Version: 0.1.6
- *
- * This software is distributed under the terms of GNU GPL
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <iptables.h>
-#include <string.h>
-#include <getopt.h>
-
-#include <linux/netfilter_ipv4/ipt_account.h>
-
-#ifndef HIPQUAD
-#define HIPQUAD(addr) \
- ((unsigned char *)&addr)[3], \
- ((unsigned char *)&addr)[2], \
- ((unsigned char *)&addr)[1], \
- ((unsigned char *)&addr)[0]
-#endif
-
-static void help(void) {
- printf(
- "account v%s options:\n"
- "--aaddr network/netmask\n"
- " defines network/netmask for which make statistics.\n"
- "--aname name\n"
- " defines name of list where statistics will be kept. If no is\n"
- " specified DEFAULT will be used.\n"
- "--ashort\n"
- " table will colect only short statistics (only total counters\n"
- " without splitting it into protocols.\n"
- ,
- IPTABLES_VERSION);
-};
-
-static struct option opts[] = {
- { .name = "aaddr", .has_arg = 1, .flag = NULL, .val = 201 },
- { .name = "aname", .has_arg = 1, .flag = NULL, .val = 202 },
- { .name = "ashort", .has_arg = 0, .flag = NULL, .val = 203 },
- { .name = 0, .has_arg = 0, .flag = 0, .val = 0 }
-};
-
-/* Helper functions for parse_network */
-int parseip(const char *parameter, u_int32_t *ip) {
-
- char buffer[16], *bufferptr, *dot;
- unsigned int i, shift, part;
-
- if (strlen(parameter) > 15)
- return 0;
-
- strncpy(buffer, parameter, 15);
- buffer[15] = 0;
-
- bufferptr = buffer;
-
- for (i = 0, shift = 24, *ip = 0; i < 3; i++, shift -= 8) {
- /* no dot */
- if ((dot = strchr(bufferptr, '.')) == NULL)
- return 0;
- /* not a number */
- if ((part = strtol(bufferptr, (char**)NULL, 10)) < 0)
- return 0;
- /* to big number */
- if (part > 255)
- return 0;
- *ip |= part << shift;
- bufferptr = dot + 1;
- }
- /* not a number */
- if ((part = strtol(bufferptr, (char**)NULL, 10)) < 0)
- return 0;
- /* to big number */
- if (part > 255)
- return 0;
- *ip |= part;
- return 1;
-}
-
-static void parsenetwork(const char *parameter, u_int32_t *network) {
- if (!parseip(parameter, network))
- exit_error(PARAMETER_PROBLEM, "account: wrong ip in network");
-}
-
-static void parsenetmaskasbits(const char *parameter, u_int32_t *netmask) {
-
- u_int32_t bits;
-
- if ((bits = strtol(parameter, (char **)NULL, 10)) < 0 || bits > 32)
- exit_error(PARAMETER_PROBLEM, "account: wrong netmask");
-
- *netmask = 0xffffffff << (32 - bits);
-}
-
-static void parsenetmaskasip(const char *parameter, u_int32_t *netmask) {
- if (!parseip(parameter, netmask))
- exit_error(PARAMETER_PROBLEM, "account: wrong ip in netmask");
-}
-
-static void parsenetmask(const char *parameter, u_int32_t *netmask)
-{
- if (strchr(parameter, '.') != NULL)
- parsenetmaskasip(parameter, netmask);
- else
- parsenetmaskasbits(parameter, netmask);
-}
-
-static void parsenetworkandnetmask(const char *parameter, u_int32_t *network, u_int32_t *netmask)
-{
-
- char buffer[32], *slash;
-
- if (strlen(parameter) > 31)
- /* text is to long, even for 255.255.255.255/255.255.255.255 */
- exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
-
- strncpy(buffer, parameter, 31);
- buffer[31] = 0;
-
- /* check whether netmask is given */
- if ((slash = strchr(buffer, '/')) != NULL) {
- parsenetmask(slash + 1, netmask);
- *slash = 0;
- } else
- *netmask = 0xffffffff;
- parsenetwork(buffer, network);
-
- if ((*network & *netmask) != *network)
- exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
-}
-
-
-/* Function gets network & netmask from argument after --aaddr */
-static void parse_network(const char *parameter, struct t_ipt_account_info *info) {
-
- parsenetworkandnetmask(parameter, &info->network, &info->netmask);
-
-}
-
-/* validate netmask */
-inline int valid_netmask(u_int32_t netmask) {
- while (netmask & 0x80000000)
- netmask <<= 1;
- if (netmask != 0)
- return 0;
- return 1;
-}
-
-/* validate network/netmask pair */
-inline int valid_network_and_netmask(struct t_ipt_account_info *info) {
- if (!valid_netmask(info->netmask))
- return 0;
- if ((info->network & info->netmask) != info->network)
- return 0;
- return 1;
-}
-
-
-
-/* Function initializes match */
-static void init(struct ipt_entry_match *match,
- unsigned int *nfcache) {
-
- struct t_ipt_account_info *info = (struct t_ipt_account_info *)(match)->data;
-
-
- /* set default table name to DEFAULT */
- strncpy(info->name, "DEFAULT", IPT_ACCOUNT_NAME_LEN);
- info->shortlisting = 0;
-
-}
-
-/* Function parses match's arguments */
-static int parse(int c, char **argv,
- int invert,
- unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match) {
-
- struct t_ipt_account_info *info = (struct t_ipt_account_info *)(*match)->data;
-
- switch (c) {
-
- /* --aaddr */
- case 201:
- parse_network(optarg, info);
- if (!valid_network_and_netmask(info))
- exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
- *flags = 1;
- break;
-
- /* --aname */
- case 202:
- if (strlen(optarg) < IPT_ACCOUNT_NAME_LEN)
- strncpy(info->name, optarg, IPT_ACCOUNT_NAME_LEN);
- else
- exit_error(PARAMETER_PROBLEM, "account: Too long table name");
- break;
- /* --ashort */
- case 203:
- info->shortlisting = 1;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check whether network/netmask was specified */
-static void final_check(unsigned int flags) {
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "account: You need specify '--aaddr' parameter");
-}
-
-/* Function used for printing rule with account match for iptables -L */
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric) {
-
- struct t_ipt_account_info *info = (struct t_ipt_account_info *)match->data;
-
- printf("account: ");
- printf("network/netmask: ");
- printf("%u.%u.%u.%u/%u.%u.%u.%u ",
- HIPQUAD(info->network),
- HIPQUAD(info->netmask)
- );
-
- printf("name: %s ", info->name);
- if (info->shortlisting)
- printf("short-listing ");
-}
-
-/* Function used for saving rule containing account match */
-static void save(const struct ipt_ip *ip,
- const struct ipt_entry_match *match) {
-
- struct t_ipt_account_info *info = (struct t_ipt_account_info *)match->data;
-
- printf("--aaddr ");
- printf("%u.%u.%u.%u/%u.%u.%u.%u ",
- HIPQUAD(info->network),
- HIPQUAD(info->netmask)
- );
-
- printf("--aname %s ", info->name);
- if (info->shortlisting)
- printf("--ashort ");
-}
-
-static struct iptables_match account = {
- .next = NULL,
- .name = "account",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct t_ipt_account_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct t_ipt_account_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-/* Function which registers match */
-void _init(void)
-{
- register_match(&account);
-}
-
diff --git a/extensions/libipt_account.man b/extensions/libipt_account.man
deleted file mode 100644
index fcbb179a..00000000
--- a/extensions/libipt_account.man
+++ /dev/null
@@ -1,47 +0,0 @@
-Account traffic for all hosts in defined network/netmask.
-
-Features:
-
-- long (one counter per protocol TCP/UDP/IMCP/Other) and short statistics
-
-- one iptables rule for all hosts in network/netmask
-
-- loading/saving counters (by reading/writting to procfs entries)
-
-.TP
-.BI "--aaddr " "network/netmask"
-defines network/netmask for which make statistics.
-.TP
-.BI "--aname " "name"
-defines name of list where statistics will be kept. If no is
-specified DEFAULT will be used.
-.TP
-.B "--ashort"
-table will colect only short statistics (only total counters
-without splitting it into protocols.
-.P
-Example usage:
-
-account traffic for/to 192.168.0.0/24 network into table mynetwork:
-
-# iptables -A FORWARD -m account --aname mynetwork --aaddr 192.168.0.0/24
-
-account traffic for/to WWW serwer for 192.168.0.0/24 network into table mywwwserver:
-
-# iptables -A INPUT -p tcp --dport 80
- -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
-
-# iptables -A OUTPUT -p tcp --sport 80
- -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
-
-read counters:
-
-# cat /proc/net/ipt_account/mynetwork
-# cat /proc/net/ipt_account/mywwwserver
-
-set counters:
-
-# echo "ip = 192.168.0.1 packets_src = 0" > /proc/net/ipt_account/mywwserver
-
-Webpage:
- http://www.barbara.eu.org/~quaker/ipt_account/
diff --git a/extensions/libipt_childlevel.c b/extensions/libipt_childlevel.c
deleted file mode 100644
index 1018c9e0..00000000
--- a/extensions/libipt_childlevel.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- Shared library add-on to iptables to add layer 7 matching support.
-
- http://l7-filter.sf.net
-
- By Matthew Strait <quadong@users.sf.net>, Dec 2003.
-
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License
- as published by the Free Software Foundation; either version
- 2 of the License, or (at your option) any later version.
- http://www.gnu.org/licenses/gpl.txt
-*/
-
-#define _GNU_SOURCE
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <dirent.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_childlevel.h>
-
-/* Function which prints out usage message. */
-static void help(void)
-{
- printf(
- "CHILDLEVEL match v%s options:\n"
- "--level <n> : Match childlevel n (0 == master)\n",
- IPTABLES_VERSION);
- fputc('\n', stdout);
-}
-
-static struct option opts[] = {
- { .name = "level", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = 0 }
-};
-
-/* Function which parses command options; returns true if it ate an option */
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry, unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_childlevel_info *childlevelinfo =
- (struct ipt_childlevel_info *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
- childlevelinfo->childlevel = atoi(argv[optind-1]);
- if (invert)
- childlevelinfo->invert = 1;
- *flags = 1;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified --level. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "CHILDLEVEL match: You must specify `--level'");
-}
-
-static void print_protocol(int n, int invert, int numeric)
-{
- fputs("childlevel ", stdout);
- if (invert) fputc('!', stdout);
- printf("%d ", n);
-}
-
-/* Prints out the matchinfo. */
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- printf("CHILDLEVEL ");
-
- print_protocol(((struct ipt_childlevel_info *)match->data)->childlevel,
- ((struct ipt_childlevel_info *)match->data)->invert, numeric);
-}
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_childlevel_info *info =
- (const struct ipt_childlevel_info*) match->data;
-
- printf("--childlevel %s%d ", (info->invert) ? "! ": "", info->childlevel);
-}
-
-static struct iptables_match childlevel = {
- .name = "childlevel",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_childlevel_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_childlevel_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&childlevel);
-}
diff --git a/extensions/libipt_childlevel.man b/extensions/libipt_childlevel.man
deleted file mode 100644
index 3d9b3553..00000000
--- a/extensions/libipt_childlevel.man
+++ /dev/null
@@ -1,5 +0,0 @@
-This is an experimental module. It matches on whether the
-packet is part of a master connection or one of its children (or grandchildren,
-etc). For instance, most packets are level 0. FTP data transfer is level 1.
-.TP
-.BR "--childlevel " "[!] \fIlevel\fP"
diff --git a/extensions/libipt_connlimit.c b/extensions/libipt_connlimit.c
deleted file mode 100644
index 17b4d13b..00000000
--- a/extensions/libipt_connlimit.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/* Shared library add-on to iptables to add connection limit support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ipt_connlimit.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"connlimit v%s options:\n"
-"[!] --connlimit-above n match if the number of existing tcp connections is (not) above n\n"
-" --connlimit-mask n group hosts using mask\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "connlimit-above", 1, 0, '1' },
- { "connlimit-mask", 1, 0, '2' },
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)(*match)->data;
- int i;
-
- if (0 == (*flags & 2)) {
- /* set default mask unless we've already seen a mask option */
- info->mask = htonl(0xFFFFFFFF);
- }
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
- info->limit = atoi(argv[optind-1]);
- info->inverse = invert;
- *flags |= 1;
- break;
-
- case '2':
- i = atoi(argv[optind-1]);
- if ((i < 0) || (i > 32))
- exit_error(PARAMETER_PROBLEM,
- "--connlimit-mask must be between 0 and 32");
-
- if (i == 0)
- info->mask = 0;
- else
- info->mask = htonl(0xFFFFFFFF << (32 - i));
- *flags |= 2;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check */
-static void final_check(unsigned int flags)
-{
- if (!flags & 1)
- exit_error(PARAMETER_PROBLEM, "You must specify `--connlimit-above'");
-}
-
-static int
-count_bits(u_int32_t mask)
-{
- int i, bits;
-
- for (bits = 0, i = 31; i >= 0; i--) {
- if (mask & htonl((u_int32_t)1 << i)) {
- bits++;
- continue;
- }
- break;
- }
- return bits;
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
-
- printf("#conn/%d %s %d ", count_bits(info->mask),
- info->inverse ? "<" : ">", info->limit);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
-
- printf("%s--connlimit-above %d ",info->inverse ? "! " : "",info->limit);
- printf("--connlimit-mask %d ",count_bits(info->mask));
-}
-
-static struct iptables_match connlimit = {
- .name = "connlimit",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_connlimit_info)),
- .userspacesize = offsetof(struct ipt_connlimit_info,data),
- .help = help,
- .parse = parse,
- .final_check = final_check,
- .print = print,
- .save = save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&connlimit);
-}
diff --git a/extensions/libipt_connlimit.man b/extensions/libipt_connlimit.man
deleted file mode 100644
index 55e53d14..00000000
--- a/extensions/libipt_connlimit.man
+++ /dev/null
@@ -1,21 +0,0 @@
-Allows you to restrict the number of parallel TCP connections to a
-server per client IP address (or address block).
-.TP
-[\fB!\fR] \fB--connlimit-above \fIn\fR
-match if the number of existing tcp connections is (not) above n
-.TP
-.BI "--connlimit-mask " "bits"
-group hosts using mask
-.P
-Examples:
-.TP
-# allow 2 telnet connections per client host
-iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
-.TP
-# you can also match the other way around:
-iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
-.TP
-# limit the nr of parallel http requests to 16 per class C sized \
-network (24 bit netmask)
-iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
---connlimit-mask 24 -j REJECT
diff --git a/extensions/libipt_dstlimit.c b/extensions/libipt_dstlimit.c
deleted file mode 100644
index 3f3b6330..00000000
--- a/extensions/libipt_dstlimit.c
+++ /dev/null
@@ -1,340 +0,0 @@
-/* iptables match extension for limiting packets per destination
- *
- * (C) 2003 by Harald Welte <laforge@netfilter.org>
- *
- * Development of this code was funded by Astaro AG, http://www.astaro.com/
- *
- * Based on ipt_limit.c by
- * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
- * Hervé Eychenne <rv@wallfire.org>
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <stddef.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_dstlimit.h>
-
-#define IPT_DSTLIMIT_BURST 5
-
-/* miliseconds */
-#define IPT_DSTLIMIT_GCINTERVAL 1000
-#define IPT_DSTLIMIT_EXPIRE 10000
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"dstlimit v%s options:\n"
-"--dstlimit <avg> max average match rate\n"
-" [Packets per second unless followed by \n"
-" /sec /minute /hour /day postfixes]\n"
-"--dstlimit-mode <mode> mode\n"
-" dstip\n"
-" dstip-dstport\n"
-" srcip-dstip\n"
-" srcip-dstip-dstport\n"
-"--dstlimit-name <name> name for /proc/net/ipt_dstlimit/\n"
-"[--dstlimit-burst <num>] number to match in a burst, default %u\n"
-"[--dstlimit-htable-size <num>] number of hashtable buckets\n"
-"[--dstlimit-htable-max <num>] number of hashtable entries\n"
-"[--dstlimit-htable-gcinterval] interval between garbage collection runs\n"
-"[--dstlimit-htable-expire] after which time are idle entries expired?\n"
-"\n", IPTABLES_VERSION, IPT_DSTLIMIT_BURST);
-}
-
-static struct option opts[] = {
- { "dstlimit", 1, 0, '%' },
- { "dstlimit-burst", 1, 0, '$' },
- { "dstlimit-htable-size", 1, 0, '&' },
- { "dstlimit-htable-max", 1, 0, '*' },
- { "dstlimit-htable-gcinterval", 1, 0, '(' },
- { "dstlimit-htable-expire", 1, 0, ')' },
- { "dstlimit-mode", 1, 0, '_' },
- { "dstlimit-name", 1, 0, '"' },
- { 0 }
-};
-
-static
-int parse_rate(const char *rate, u_int32_t *val)
-{
- const char *delim;
- u_int32_t r;
- u_int32_t mult = 1; /* Seconds by default. */
-
- delim = strchr(rate, '/');
- if (delim) {
- if (strlen(delim+1) == 0)
- return 0;
-
- if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
- mult = 1;
- else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
- mult = 60;
- else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
- mult = 60*60;
- else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
- mult = 24*60*60;
- else
- return 0;
- }
- r = atoi(rate);
- if (!r)
- return 0;
-
- /* This would get mapped to infinite (1/day is minimum they
- can specify, so we're ok at that end). */
- if (r / mult > IPT_DSTLIMIT_SCALE)
- exit_error(PARAMETER_PROBLEM, "Rate too fast `%s'\n", rate);
-
- *val = IPT_DSTLIMIT_SCALE * mult / r;
- return 1;
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_dstlimit_info *r = (struct ipt_dstlimit_info *)m->data;
-
- r->cfg.burst = IPT_DSTLIMIT_BURST;
- r->cfg.gc_interval = IPT_DSTLIMIT_GCINTERVAL;
- r->cfg.expire = IPT_DSTLIMIT_EXPIRE;
-
-}
-
-#define PARAM_LIMIT 0x00000001
-#define PARAM_BURST 0x00000002
-#define PARAM_MODE 0x00000004
-#define PARAM_NAME 0x00000008
-#define PARAM_SIZE 0x00000010
-#define PARAM_MAX 0x00000020
-#define PARAM_GCINTERVAL 0x00000040
-#define PARAM_EXPIRE 0x00000080
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_dstlimit_info *r =
- (struct ipt_dstlimit_info *)(*match)->data;
- unsigned int num;
-
- switch(c) {
- case '%':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (!parse_rate(optarg, &r->cfg.avg))
- exit_error(PARAMETER_PROBLEM,
- "bad rate `%s'", optarg);
- *flags |= PARAM_LIMIT;
- break;
-
- case '$':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-burst `%s'", optarg);
- r->cfg.burst = num;
- *flags |= PARAM_BURST;
- break;
- case '&':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-htable-size: `%s'", optarg);
- r->cfg.size = num;
- *flags |= PARAM_SIZE;
- break;
- case '*':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-htable-max: `%s'", optarg);
- r->cfg.max = num;
- *flags |= PARAM_MAX;
- break;
- case '(':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-htable-gcinterval: `%s'",
- optarg);
- /* FIXME: not HZ dependent!! */
- r->cfg.gc_interval = num;
- *flags |= PARAM_GCINTERVAL;
- break;
- case ')':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-htable-expire: `%s'", optarg);
- /* FIXME: not HZ dependent */
- r->cfg.expire = num;
- *flags |= PARAM_EXPIRE;
- break;
- case '_':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (!strcmp(optarg, "dstip"))
- r->cfg.mode = IPT_DSTLIMIT_HASH_DIP;
- else if (!strcmp(optarg, "dstip-destport") ||
- !strcmp(optarg, "dstip-dstport"))
- r->cfg.mode = IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT;
- else if (!strcmp(optarg, "srcip-dstip"))
- r->cfg.mode = IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP;
- else if (!strcmp(optarg, "srcip-dstip-destport") ||
- !strcmp(optarg, "srcip-dstip-dstport"))
- r->cfg.mode = IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT;
- else
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-mode: `%s'\n", optarg);
- *flags |= PARAM_MODE;
- break;
- case '"':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (strlen(optarg) == 0)
- exit_error(PARAMETER_PROBLEM, "Zero-length name?");
- strncpy(r->name, optarg, sizeof(r->name));
- *flags |= PARAM_NAME;
- break;
- default:
- return 0;
- }
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "dstlimit does not support invert");
-
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
- if (!(flags & PARAM_LIMIT))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --dstlimit");
- if (!(flags & PARAM_MODE))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --dstlimit-mode");
- if (!(flags & PARAM_NAME))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --dstlimit-name");
-}
-
-static struct rates
-{
- const char *name;
- u_int32_t mult;
-} rates[] = { { "day", IPT_DSTLIMIT_SCALE*24*60*60 },
- { "hour", IPT_DSTLIMIT_SCALE*60*60 },
- { "min", IPT_DSTLIMIT_SCALE*60 },
- { "sec", IPT_DSTLIMIT_SCALE } };
-
-static void print_rate(u_int32_t period)
-{
- unsigned int i;
-
- for (i = 1; i < sizeof(rates)/sizeof(struct rates); i++) {
- if (period > rates[i].mult
- || rates[i].mult/period < rates[i].mult%period)
- break;
- }
-
- printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_dstlimit_info *r =
- (struct ipt_dstlimit_info *)match->data;
- printf("limit: avg "); print_rate(r->cfg.avg);
- printf("burst %u ", r->cfg.burst);
- switch (r->cfg.mode) {
- case (IPT_DSTLIMIT_HASH_DIP):
- printf("mode dstip ");
- break;
- case (IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
- printf("mode dstip-dstport ");
- break;
- case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP):
- printf("mode srcip-dstip ");
- break;
- case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
- printf("mode srcip-dstip-dstport ");
- break;
- }
- if (r->cfg.size)
- printf("htable-size %u ", r->cfg.size);
- if (r->cfg.max)
- printf("htable-max %u ", r->cfg.max);
- if (r->cfg.gc_interval != IPT_DSTLIMIT_GCINTERVAL)
- printf("htable-gcinterval %u ", r->cfg.gc_interval);
- if (r->cfg.expire != IPT_DSTLIMIT_EXPIRE)
- printf("htable-expire %u ", r->cfg.expire);
-}
-
-/* FIXME: Make minimalist: only print rate if not default --RR */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_dstlimit_info *r =
- (struct ipt_dstlimit_info *)match->data;
-
- printf("--dstlimit "); print_rate(r->cfg.avg);
- if (r->cfg.burst != IPT_DSTLIMIT_BURST)
- printf("--dstlimit-burst %u ", r->cfg.burst);
- switch (r->cfg.mode) {
- case (IPT_DSTLIMIT_HASH_DIP):
- printf("--mode dstip ");
- break;
- case (IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
- printf("--mode dstip-dstport ");
- break;
- case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP):
- printf("--mode srcip-dstip ");
- break;
- case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
- printf("--mode srcip-dstip-dstport ");
- break;
- }
- if (r->cfg.size)
- printf("--dstlimit-htable-size %u ", r->cfg.size);
- if (r->cfg.max)
- printf("--dstlimit-htable-max %u ", r->cfg.max);
- if (r->cfg.gc_interval != IPT_DSTLIMIT_GCINTERVAL)
- printf("--dstlimit-htable-gcinterval %u", r->cfg.gc_interval);
- if (r->cfg.expire != IPT_DSTLIMIT_EXPIRE)
- printf("--dstlimit-htable-expire %u ", r->cfg.expire);
-}
-
-static struct iptables_match dstlimit = {
- .next = NULL,
- .name = "dstlimit",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_dstlimit_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_dstlimit_info)),
- //offsetof(struct ipt_dstlimit_info, prev),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&dstlimit);
-}
diff --git a/extensions/libipt_dstlimit.man b/extensions/libipt_dstlimit.man
deleted file mode 100644
index 9df00f1c..00000000
--- a/extensions/libipt_dstlimit.man
+++ /dev/null
@@ -1,37 +0,0 @@
-This module allows you to limit the packet per second (pps) rate on a per
-destination IP or per destination port base. As opposed to the `limit' match,
-every destination ip / destination port has it's own limit.
-.TP
-THIS MODULE IS DEPRECATED AND HAS BEEN REPLACED BY ``hashlimit''
-.TP
-.BI "--dstlimit " "avg"
-Maximum average match rate (packets per second unless followed by /sec /minute /hour /day postfixes).
-.TP
-.BI "--dstlimit-mode " "mode"
-The limiting hashmode. Is the specified limit per
-.B dstip, dstip-dstport
-tuple,
-.B srcip-dstip
-tuple, or per
-.B srcipdstip-dstport
-tuple.
-.TP
-.BI "--dstlimit-name " "name"
-Name for /proc/net/ipt_dstlimit/* file entry
-.TP
-.BI "[" "--dstlimit-burst " "burst" "]"
-Number of packets to match in a burst. Default: 5
-.TP
-.BI "[" "--dstlimit-htable-size " "size" "]"
-Number of buckets in the hashtable
-.TP
-.BI "[" "--dstlimit-htable-max " "max" "]"
-Maximum number of entries in the hashtable
-.TP
-.BI "[" "--dstlimit-htable-gcinterval " "interval" "]"
-Interval between garbage collection runs of the hashtable (in miliseconds).
-Default is 1000 (1 second).
-.TP
-.BI "[" "--dstlimit-htable-expire " "time"
-After which time are idle entries expired from hashtable (in miliseconds)?
-Default is 10000 (10 seconds).
diff --git a/extensions/libipt_fuzzy.c b/extensions/libipt_fuzzy.c
deleted file mode 100644
index d574db8a..00000000
--- a/extensions/libipt_fuzzy.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for the fuzzy match.
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
-2002-08-07 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Initial version.
-2003-06-09 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Bug corrections in
-the save function , thanks to information given by Jean-Francois Patenaude .
-
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_fuzzy.h>
-
-
-static void
-help(void)
-{
- printf(
-"fuzzy v%s options:\n"
-" --lower-limit number (in packets per second)\n"
-" --upper-limit number\n"
-,IPTABLES_VERSION);
-};
-
-static struct option opts[] = {
- { "lower-limit", 1 , 0 , '1' } ,
- { "upper-limit", 1 , 0 , '2' } ,
- { 0 }
-};
-
-/* Initialize data structures */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_fuzzy_info *presentinfo = (struct ipt_fuzzy_info *)(m)->data;
-
- /*
- * Default rates ( I'll improve this very soon with something based
- * on real statistics of the running machine ) .
- */
-
- presentinfo->minimum_rate = 1000;
- presentinfo->maximum_rate = 2000;
-}
-
-#define IPT_FUZZY_OPT_MINIMUM 0x01
-#define IPT_FUZZY_OPT_MAXIMUM 0x02
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
-
-struct ipt_fuzzy_info *fuzzyinfo = (struct ipt_fuzzy_info *)(*match)->data;
-
- u_int32_t num;
-
- switch (c) {
-
- case '1':
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
-
- if (*flags & IPT_FUZZY_OPT_MINIMUM)
- exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
-
- if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
-
- fuzzyinfo->minimum_rate = num ;
-
- *flags |= IPT_FUZZY_OPT_MINIMUM;
-
- break;
-
- case '2':
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
-
- if (*flags & IPT_FUZZY_OPT_MAXIMUM)
- exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
-
- if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
-
- fuzzyinfo->maximum_rate = num ;
-
- *flags |= IPT_FUZZY_OPT_MAXIMUM;
-
- break ;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
-}
-
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_fuzzy_info *fuzzyinfo
- = (const struct ipt_fuzzy_info *)match->data;
-
- printf(" fuzzy: lower limit = %u pps - upper limit = %u pps ",fuzzyinfo->minimum_rate,fuzzyinfo->maximum_rate);
-
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_fuzzy_info *fuzzyinfo
- = (const struct ipt_fuzzy_info *)match->data;
-
- printf("--lower-limit %u ",fuzzyinfo->minimum_rate);
- printf("--upper-limit %u ",fuzzyinfo->maximum_rate);
-
-}
-
-static struct iptables_match fuzzy_match = {
- .next = NULL,
- .name = "fuzzy",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_fuzzy_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_fuzzy_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&fuzzy_match);
-}
diff --git a/extensions/libipt_fuzzy.man b/extensions/libipt_fuzzy.man
deleted file mode 100644
index 397727aa..00000000
--- a/extensions/libipt_fuzzy.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This module matches a rate limit based on a fuzzy logic controller [FLC]
-.TP
-.BI "--lower-limit " "number"
-Specifies the lower limit (in packets per second).
-.TP
-.BI "--upper-limit " "number"
-Specifies the upper limit (in packets per second).
diff --git a/extensions/libipt_mport.c b/extensions/libipt_mport.c
deleted file mode 100644
index 624de134..00000000
--- a/extensions/libipt_mport.c
+++ /dev/null
@@ -1,287 +0,0 @@
-/* Shared library add-on to iptables to add multiple TCP port support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_mport.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"mport v%s options:\n"
-" --source-ports port[,port:port,port...]\n"
-" --sports ...\n"
-" match source port(s)\n"
-" --destination-ports port[,port:port,port...]\n"
-" --dports ...\n"
-" match destination port(s)\n"
-" --ports port[,port:port,port]\n"
-" match both source and destination port(s)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "source-ports", 1, 0, '1' },
- { "sports", 1, 0, '1' }, /* synonym */
- { "destination-ports", 1, 0, '2' },
- { "dports", 1, 0, '2' }, /* synonym */
- { "ports", 1, 0, '3' },
- {0}
-};
-
-static void
-parse_multi_ports(const char *portstring, struct ipt_mport *minfo,
- const char *proto)
-{
- char *buffer, *cp, *next, *range;
- unsigned int i;
- u_int16_t m;
-
- buffer = strdup(portstring);
- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
-
- minfo->pflags = 0;
-
- for (cp=buffer, i=0, m=1; cp && i<IPT_MULTI_PORTS; cp=next,i++,m<<=1)
- {
- next=strchr(cp, ',');
- if (next) *next++='\0';
- range = strchr(cp, ':');
- if (range) {
- if (i == IPT_MULTI_PORTS-1)
- exit_error(PARAMETER_PROBLEM,
- "too many ports specified");
- *range++ = '\0';
- }
- minfo->ports[i] = parse_port(cp, proto);
- if (range) {
- minfo->pflags |= m;
- minfo->ports[++i] = parse_port(range, proto);
- if (minfo->ports[i-1] >= minfo->ports[i])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange specified");
- m <<= 1;
- }
- }
- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
- if (i == IPT_MULTI_PORTS-1)
- minfo->ports[i] = minfo->ports[i-1];
- else if (i < IPT_MULTI_PORTS-1) {
- minfo->ports[i] = ~0;
- minfo->pflags |= 1<<i;
- }
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-}
-
-static const char *
-check_proto(const struct ipt_entry *entry)
-{
- if (entry->ip.proto == IPPROTO_TCP)
- return "tcp";
- else if (entry->ip.proto == IPPROTO_UDP)
- return "udp";
- else if (!entry->ip.proto)
- exit_error(PARAMETER_PROBLEM,
- "multiport needs `-p tcp' or `-p udp'");
- else
- exit_error(PARAMETER_PROBLEM,
- "multiport only works with TCP or UDP");
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- const char *proto;
- struct ipt_mport *minfo
- = (struct ipt_mport *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports(argv[optind-1], minfo, proto);
- minfo->flags = IPT_MPORT_SOURCE;
- break;
-
- case '2':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports(argv[optind-1], minfo, proto);
- minfo->flags = IPT_MPORT_DESTINATION;
- break;
-
- case '3':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports(argv[optind-1], minfo, proto);
- minfo->flags = IPT_MPORT_EITHER;
- break;
-
- default:
- return 0;
- }
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "multiport does not support invert");
-
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "multiport can only have one option");
- *flags = 1;
- return 1;
-}
-
-/* Final check; must specify something. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "mport expects an option");
-}
-
-static char *
-port_to_service(int port, u_int8_t proto)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port),
- proto == IPPROTO_TCP ? "tcp" : "udp")))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, u_int8_t protocol, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port, protocol)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_mport *minfo
- = (const struct ipt_mport *)match->data;
- unsigned int i;
- u_int16_t pflags = minfo->pflags;
-
- printf("mport ");
-
- switch (minfo->flags) {
- case IPT_MPORT_SOURCE:
- printf("sports ");
- break;
-
- case IPT_MPORT_DESTINATION:
- printf("dports ");
- break;
-
- case IPT_MPORT_EITHER:
- printf("ports ");
- break;
-
- default:
- printf("ERROR ");
- break;
- }
-
- for (i=0; i < IPT_MULTI_PORTS; i++) {
- if (pflags & (1<<i)
- && minfo->ports[i] == 65535)
- break;
- if (i == IPT_MULTI_PORTS-1
- && minfo->ports[i-1] == minfo->ports[i])
- break;
- printf("%s", i ? "," : "");
- print_port(minfo->ports[i], ip->proto, numeric);
- if (pflags & (1<<i)) {
- printf(":");
- print_port(minfo->ports[++i], ip->proto, numeric);
- }
- }
- printf(" ");
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_mport *minfo
- = (const struct ipt_mport *)match->data;
- unsigned int i;
- u_int16_t pflags = minfo->pflags;
-
- switch (minfo->flags) {
- case IPT_MPORT_SOURCE:
- printf("--sports ");
- break;
-
- case IPT_MPORT_DESTINATION:
- printf("--dports ");
- break;
-
- case IPT_MPORT_EITHER:
- printf("--ports ");
- break;
- }
-
- for (i=0; i < IPT_MULTI_PORTS; i++) {
- if (pflags & (1<<i)
- && minfo->ports[i] == 65535)
- break;
- if (i == IPT_MULTI_PORTS-1
- && minfo->ports[i-1] == minfo->ports[i])
- break;
- printf("%s", i ? "," : "");
- print_port(minfo->ports[i], ip->proto, 1);
- if (pflags & (1<<i)) {
- printf(":");
- print_port(minfo->ports[++i], ip->proto, 1);
- }
- }
- printf(" ");
-}
-
-static struct iptables_match mport = {
- .next = NULL,
- .name = "mport",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_mport)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_mport)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-_init(void)
-{
- register_match(&mport);
-}
diff --git a/extensions/libipt_mport.man b/extensions/libipt_mport.man
deleted file mode 100644
index cead84e7..00000000
--- a/extensions/libipt_mport.man
+++ /dev/null
@@ -1,19 +0,0 @@
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. It can only be used in conjunction with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
diff --git a/extensions/libipt_nth.c b/extensions/libipt_nth.c
deleted file mode 100644
index 6f483b9f..00000000
--- a/extensions/libipt_nth.c
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for every Nth packet
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
- 2001-07-17 Fabrice MARIE <fabrice@netfilter.org> : initial development.
- 2001-09-20 Richard Wagner (rwagner@cloudnet.com)
- * added support for multiple counters
- * added support for matching on individual packets
- in the counter cycle
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_nth.h>
-
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"nth v%s options:\n"
-" --every Nth Match every Nth packet\n"
-" [--counter num ] Use counter 0-%u (default:0)\n"
-" [--start num ] Initialize the counter at the number 'num'\n"
-" instead of 0. Must be between 0 and Nth-1\n"
-" [--packet num ] Match on 'num' packet. Must be between 0\n"
-" and Nth-1.\n\n"
-" If --packet is used for a counter than\n"
-" there must be Nth number of --packet\n"
-" rules, covering all values between 0 and\n"
-" Nth-1 inclusively.\n",
-IPTABLES_VERSION, IPT_NTH_NUM_COUNTERS-1);
-}
-
-static struct option opts[] = {
- { "every", 1, 0, '1' },
- { "start", 1, 0, '2' },
- { "counter", 1, 0, '3' },
- { "packet", 1, 0, '4' },
- { 0 }
-};
-
-#define IPT_NTH_OPT_EVERY 0x01
-#define IPT_NTH_OPT_NOT_EVERY 0x02
-#define IPT_NTH_OPT_START 0x04
-#define IPT_NTH_OPT_COUNTER 0x08
-#define IPT_NTH_OPT_PACKET 0x10
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_nth_info *nthinfo = (struct ipt_nth_info *)(*match)->data;
- unsigned int num;
-
- switch (c) {
- case '1':
- /* check for common mistakes... */
- if ((!invert) && (*flags & IPT_NTH_OPT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --every twice");
- if (invert && (*flags & IPT_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --every twice");
- if ((!invert) && (*flags & IPT_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --every with ! --every");
- if (invert && (*flags & IPT_NTH_OPT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --every with --every");
-
- /* Remember, this function will interpret a leading 0 to be
- Octal, a leading 0x to be hexdecimal... */
- if (string_to_number(optarg, 2, 100, &num) == -1 || num < 2)
- exit_error(PARAMETER_PROBLEM,
- "bad --every `%s', must be between 2 and 100", optarg);
-
- /* assign the values */
- nthinfo->every = num-1;
- nthinfo->startat = 0;
- nthinfo->packet = 0xFF;
- if(!(*flags & IPT_NTH_OPT_EVERY))
- {
- nthinfo->counter = 0;
- }
- if (invert)
- {
- *flags |= IPT_NTH_OPT_NOT_EVERY;
- nthinfo->not = 1;
- }
- else
- {
- *flags |= IPT_NTH_OPT_EVERY;
- nthinfo->not = 0;
- }
- break;
- case '2':
- /* check for common mistakes... */
- if (!((*flags & IPT_NTH_OPT_EVERY) ||
- (*flags & IPT_NTH_OPT_NOT_EVERY)))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --start before --every");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --start");
- if (*flags & IPT_NTH_OPT_START)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --start twice");
- if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --start `%s', must between 0 and %u", optarg, nthinfo->every);
- *flags |= IPT_NTH_OPT_START;
- nthinfo->startat = num;
- break;
- case '3':
- /* check for common mistakes... */
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --counter");
- if (*flags & IPT_NTH_OPT_COUNTER)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --counter twice");
- if (string_to_number(optarg, 0, IPT_NTH_NUM_COUNTERS-1, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --counter `%s', must between 0 and %u", optarg, IPT_NTH_NUM_COUNTERS-1);
- /* assign the values */
- *flags |= IPT_NTH_OPT_COUNTER;
- nthinfo->counter = num;
- break;
- case '4':
- /* check for common mistakes... */
- if (!((*flags & IPT_NTH_OPT_EVERY) ||
- (*flags & IPT_NTH_OPT_NOT_EVERY)))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet before --every");
- if ((*flags & IPT_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet with ! --every");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --packet");
- if (*flags & IPT_NTH_OPT_PACKET)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet twice");
- if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --packet `%s', must between 0 and %u", optarg, nthinfo->every);
- *flags |= IPT_NTH_OPT_PACKET;
- nthinfo->packet = num;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_nth_info *nthinfo
- = (const struct ipt_nth_info *)match->data;
-
- if (nthinfo->not == 1)
- printf(" !");
- printf("every %uth ", (nthinfo->every +1));
- if (nthinfo->counter != 0)
- printf("counter #%u ", (nthinfo->counter));
- if (nthinfo->packet != 0xFF)
- printf("packet #%u ", nthinfo->packet);
- if (nthinfo->startat != 0)
- printf("start at %u ", nthinfo->startat);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_nth_info *nthinfo
- = (const struct ipt_nth_info *)match->data;
-
- if (nthinfo->not == 1)
- printf("! ");
- printf("--every %u ", (nthinfo->every +1));
- printf("--counter %u ", (nthinfo->counter));
- if (nthinfo->startat != 0)
- printf("--start %u ", nthinfo->startat );
- if (nthinfo->packet != 0xFF)
- printf("--packet %u ", nthinfo->packet );
-}
-
-static struct iptables_match nth = {
- .next = NULL,
- .name = "nth",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_nth_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_nth_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&nth);
-}
diff --git a/extensions/libipt_nth.man b/extensions/libipt_nth.man
deleted file mode 100644
index d215fd55..00000000
--- a/extensions/libipt_nth.man
+++ /dev/null
@@ -1,14 +0,0 @@
-This module matches every `n'th packet
-.TP
-.BI "--every " "value"
-Match every `value' packet
-.TP
-.BI "[" "--counter " "num" "]"
-Use internal counter number `num'. Default is `0'.
-.TP
-.BI "[" "--start " "num" "]"
-Initialize the counter at the number `num' insetad of `0'. Most between `0'
-and `value'-1.
-.TP
-.BI "[" "--packet " "num" "]"
-Match on `num' packet. Most be between `0' and `value'-1.
diff --git a/extensions/libipt_osf.c b/extensions/libipt_osf.c
deleted file mode 100644
index a2edb85a..00000000
--- a/extensions/libipt_osf.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * libipt_osf.c
- *
- * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru>
- *
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-/*
- * iptables interface for OS fingerprint matching module.
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_osf.h>
-
-static void help(void)
-{
- printf("OS fingerprint match options:\n"
- "--genre [!] string Match a OS genre by passive fingerprinting.\n"
- "--smart Use some smart extensions to determine OS (do not use TTL).\n"
- "--log level Log all(or only first) determined genres even if "
- "they do not match desired one. "
- "Level may be 0(all) or 1(only first entry).\n"
- "--netlink Log through netlink(NETLINK_NFLOG).\n",
- "--connector Log through kernel connector [in 2.6.12-mm+].\n"
- );
-}
-
-
-static struct option opts[] = {
- { .name = "genre", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "smart", .has_arg = 0, .flag = 0, .val = '2' },
- { .name = "log", .has_arg = 1, .flag = 0, .val = '3' },
- { .name = "netlink", .has_arg = 0, .flag = 0, .val = '4' },
- { .name = "connector", .has_arg = 0, .flag = 0, .val = '5' },
- { .name = 0 }
-};
-
-static void parse_string(const unsigned char *s, struct ipt_osf_info *info)
-{
- if (strlen(s) < MAXGENRELEN)
- strcpy(info->genre, s);
- else
- exit_error(PARAMETER_PROBLEM, "Genre string too long `%s' [%d], max=%d",
- s, strlen(s), MAXGENRELEN);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_osf_info *info = (struct ipt_osf_info *)(*match)->data;
-
- switch(c)
- {
- case '1': /* --genre */
- if (*flags & IPT_OSF_GENRE)
- exit_error(PARAMETER_PROBLEM, "Can't specify multiple genre parameter");
- check_inverse(optarg, &invert, &optind, 0);
- parse_string(argv[optind-1], info);
- if (invert)
- info->invert = 1;
- info->len=strlen((char *)info->genre);
- *flags |= IPT_OSF_GENRE;
- break;
- case '2': /* --smart */
- if (*flags & IPT_OSF_SMART)
- exit_error(PARAMETER_PROBLEM, "Can't specify multiple smart parameter");
- *flags |= IPT_OSF_SMART;
- info->flags |= IPT_OSF_SMART;
- break;
- case '3': /* --log */
- if (*flags & IPT_OSF_LOG)
- exit_error(PARAMETER_PROBLEM, "Can't specify multiple log parameter");
- *flags |= IPT_OSF_LOG;
- info->loglevel = atoi(argv[optind-1]);
- info->flags |= IPT_OSF_LOG;
- break;
- case '4': /* --netlink */
- if (*flags & IPT_OSF_NETLINK)
- exit_error(PARAMETER_PROBLEM, "Can't specify multiple netlink parameter");
- *flags |= IPT_OSF_NETLINK;
- info->flags |= IPT_OSF_NETLINK;
- break;
- case '5': /* --connector */
- if (*flags & IPT_OSF_CONNECTOR)
- exit_error(PARAMETER_PROBLEM, "Can't specify multiple connector parameter");
- *flags |= IPT_OSF_CONNECTOR;
- info->flags |= IPT_OSF_CONNECTOR;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "OS fingerprint match: You must specify `--genre'");
-}
-
-static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric)
-{
- const struct ipt_osf_info *info = (const struct ipt_osf_info*) match->data;
-
- printf("OS fingerprint match %s%s ", (info->invert) ? "!" : "", info->genre);
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_osf_info *info = (const struct ipt_osf_info*) match->data;
-
- printf("--genre %s%s ", (info->invert) ? "! ": "", info->genre);
- if (info->flags & IPT_OSF_SMART)
- printf("--smart ");
- if (info->flags & IPT_OSF_LOG)
- printf("--log %d ", info->loglevel);
- if (info->flags & IPT_OSF_NETLINK)
- printf("--netlink ");
- if (info->flags & IPT_OSF_CONNECTOR)
- printf("--connector ");
-}
-
-
-static struct iptables_match osf_match = {
- .name = "osf",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_osf_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_osf_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-
-void _init(void)
-{
- register_match(&osf_match);
-}
diff --git a/extensions/libipt_osf.man b/extensions/libipt_osf.man
deleted file mode 100644
index 38d25a03..00000000
--- a/extensions/libipt_osf.man
+++ /dev/null
@@ -1,47 +0,0 @@
-The idea of passive OS fingerprint matching exists for quite a long time,
-but was created as extension fo OpenBSD pf only some weeks ago.
-Original idea was lurked in some OpenBSD mailing list (thanks
-grange@open...) and than adopted for Linux netfilter in form of this code.
-
-Original fingerprint table was created by Michal Zalewski <lcamtuf@coredump.cx>.
-
-This module compares some data(WS, MSS, options and it's order, ttl,
-df and others) from first SYN packet (actually from packets with SYN
-bit set) with dynamically loaded OS fingerprints.
-.TP
-.B "--log 1/0"
-If present, OSF will log determined genres even if they don't match
-desired one.
-0 - log all determined entries,
-1 - only first one.
-
-In syslog you find something like this:
-.IP
-ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
-.IP
-ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80
-.TP
-.B "--smart"
-if present, OSF will use some smartness to determine remote OS.
-OSF will use initial TTL only if source of connection is in our local network.
-.TP
-.B "--netlink"
-If present, OSF will log all events also through netlink NETLINK_NFLOG groupt 1.
-.TP
-.BI "--genre " "[!] string"
-Match a OS genre by passive fingerprinting
-.P
-Example:
-
-#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart
-
-NOTE: -p tcp is obviously required as it is a TCP match.
-
-Fingerprints can be loaded and read through /proc/sys/net/ipv4/osf file.
-One can flush all fingerprints with following command:
-.IP
-echo -en FLUSH > /proc/sys/net/ipv4/osf
-.P
-Only one fingerprint per open/write/close.
-
-Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
diff --git a/extensions/libipt_psd.c b/extensions/libipt_psd.c
deleted file mode 100644
index 3d0034ab..00000000
--- a/extensions/libipt_psd.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- Shared library add-on to iptables to add PSD support
-
- Copyright (C) 2000,2001 astaro AG
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
- 2000-05-04 Markus Hennig <hennig@astaro.de> : initial
- 2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
- 2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
- 2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
- 2003-03-02 Harald Welte <laforge@netfilter.org>: fix 'storage' bug
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_psd.h>
-
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"psd v%s options:\n"
-" --psd-weight-threshold threshhold Portscan detection weight threshold\n\n"
-" --psd-delay-threshold delay Portscan detection delay threshold\n\n"
-" --psd-lo-ports-weight lo Privileged ports weight\n\n"
-" --psd-hi-ports-weight hi High ports weight\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "psd-weight-threshold", 1, 0, '1' },
- { "psd-delay-threshold", 1, 0, '2' },
- { "psd-lo-ports-weight", 1, 0, '3' },
- { "psd-hi-ports-weight", 1, 0, '4' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_psd_info *psdinfo = (struct ipt_psd_info *)m->data;
-
- psdinfo->weight_threshold = SCAN_WEIGHT_THRESHOLD;
- psdinfo->delay_threshold = SCAN_DELAY_THRESHOLD;
- psdinfo->lo_ports_weight = PORT_WEIGHT_PRIV;
- psdinfo->hi_ports_weight = PORT_WEIGHT_HIGH;
-}
-
-
-typedef struct _code {
- char *c_name;
- int c_val;
-} CODE;
-
-
-
-#define IPT_PSD_OPT_CTRESH 0x01
-#define IPT_PSD_OPT_DTRESH 0x02
-#define IPT_PSD_OPT_LPWEIGHT 0x04
-#define IPT_PSD_OPT_HPWEIGHT 0x08
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_psd_info *psdinfo = (struct ipt_psd_info *)(*match)->data;
- unsigned int num;
-
- switch (c) {
- /* PSD-weight-threshold */
- case '1':
- if (*flags & IPT_PSD_OPT_CTRESH)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --psd-weight-threshold "
- "twice");
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --psd-weight-threshold `%s'", optarg);
- psdinfo->weight_threshold = num;
- *flags |= IPT_PSD_OPT_CTRESH;
- break;
-
- /* PSD-delay-threshold */
- case '2':
- if (*flags & IPT_PSD_OPT_DTRESH)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --psd-delay-threshold twice");
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --psd-delay-threshold `%s'", optarg);
- psdinfo->delay_threshold = num;
- *flags |= IPT_PSD_OPT_DTRESH;
- break;
-
- /* PSD-lo-ports-weight */
- case '3':
- if (*flags & IPT_PSD_OPT_LPWEIGHT)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --psd-lo-ports-weight twice");
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --psd-lo-ports-weight `%s'", optarg);
- psdinfo->lo_ports_weight = num;
- *flags |= IPT_PSD_OPT_LPWEIGHT;
- break;
-
- /* PSD-hi-ports-weight */
- case '4':
- if (*flags & IPT_PSD_OPT_HPWEIGHT)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --psd-hi-ports-weight twice");
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --psd-hi-ports-weight `%s'", optarg);
- psdinfo->hi_ports_weight = num;
- *flags |= IPT_PSD_OPT_HPWEIGHT;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_psd_info *psdinfo
- = (const struct ipt_psd_info *)match->data;
-
- printf("psd ");
- printf("weight-threshold: %u ", psdinfo->weight_threshold);
- printf("delay-threshold: %u ", psdinfo->delay_threshold);
- printf("lo-ports-weight: %u ", psdinfo->lo_ports_weight);
- printf("hi-ports-weight: %u ", psdinfo->hi_ports_weight);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_psd_info *psdinfo
- = (const struct ipt_psd_info *)match->data;
-
- printf("--psd-weight-threshold %u ", psdinfo->weight_threshold);
- printf("--psd-delay-threshold %u ", psdinfo->delay_threshold);
- printf("--psd-lo-ports-weight %u ", psdinfo->lo_ports_weight);
- printf("--psd-hi-ports-weight %u ", psdinfo->hi_ports_weight);
-}
-
-static struct iptables_match psd = {
- .next = NULL,
- .name = "psd",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_psd_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_psd_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&psd);
-}
diff --git a/extensions/libipt_psd.man b/extensions/libipt_psd.man
deleted file mode 100644
index b73fffc0..00000000
--- a/extensions/libipt_psd.man
+++ /dev/null
@@ -1,18 +0,0 @@
-Attempt to detect TCP and UDP port scans. This match was derived from
-Solar Designer's scanlogd.
-.TP
-.BI "--psd-weight-threshold " "threshold"
-Total weight of the latest TCP/UDP packets with different
-destination ports coming from the same host to be treated as port
-scan sequence.
-.TP
-.BI "--psd-delay-threshold " "delay"
-Delay (in hundredths of second) for the packets with different
-destination ports coming from the same host to be treated as
-possible port scan subsequence.
-.TP
-.BI "--psd-lo-ports-weight " "weight"
-Weight of the packet with privileged (<=1024) destination port.
-.TP
-.BI "--psd-hi-ports-weight " "weight"
-Weight of the packet with non-priviliged destination port.
diff --git a/extensions/libipt_random.c b/extensions/libipt_random.c
deleted file mode 100644
index d28ab8ce..00000000
--- a/extensions/libipt_random.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for random match.
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
- 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial development.
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_random.h>
-
-/**
- * The kernel random routing returns numbers between 0 and 255.
- * To ease the task of the user in choosing the probability
- * of matching, we want him to be able to use percentages.
- * Therefore we have to accept numbers in percentage here,
- * turn them into number between 0 and 255 for the kernel module,
- * and turn them back to percentages when we print/save
- * the rule.
- */
-
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"random v%s options:\n"
-" [--average percent ] The probability in percentage of the match\n"
-" If ommited, a probability of 50%% percent is set.\n"
-" Percentage must be within : 1 <= percent <= 99.\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "average", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_rand_info *randinfo = (struct ipt_rand_info *)(m)->data;
-
- /* We assign the average to be 50 which is our default value */
- /* 50 * 2.55 = 128 */
- randinfo->average = 128;
-}
-
-#define IPT_RAND_OPT_AVERAGE 0x01
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_rand_info *randinfo = (struct ipt_rand_info *)(*match)->data;
- unsigned int num;
-
- switch (c) {
- case '1':
- /* check for common mistakes... */
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --average");
- if (*flags & IPT_RAND_OPT_AVERAGE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --average twice");
-
- /* Remember, this function will interpret a leading 0 to be
- Octal, a leading 0x to be hexdecimal... */
- if (string_to_number(optarg, 1, 99, &num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,
- "bad --average `%s', must be between 1 and 99", optarg);
-
- /* assign the values */
- randinfo->average = (int)(num * 2.55);
- *flags |= IPT_RAND_OPT_AVERAGE;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_rand_info *randinfo
- = (const struct ipt_rand_info *)match->data;
- div_t result = div((randinfo->average*100), 255);
- if (result.rem > 127) /* round up... */
- ++result.quot;
-
- printf(" random %u%% ", result.quot);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_rand_info *randinfo
- = (const struct ipt_rand_info *)match->data;
- div_t result = div((randinfo->average *100), 255);
- if (result.rem > 127) /* round up... */
- ++result.quot;
-
- printf("--average %u ", result.quot);
-}
-
-struct iptables_match rand_match = {
- .next = NULL,
- .name = "random",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_rand_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_rand_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&rand_match);
-}
diff --git a/extensions/libipt_random.man b/extensions/libipt_random.man
deleted file mode 100644
index f808a779..00000000
--- a/extensions/libipt_random.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module randomly matches a certain percentage of all packets.
-.TP
-.BI "--average " "percent"
-Matches the given percentage. If omitted, a probability of 50% is set.
diff --git a/extensions/libipt_record_rpc.c b/extensions/libipt_record_rpc.c
deleted file mode 100644
index 571d286b..00000000
--- a/extensions/libipt_record_rpc.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/* Shared library add-on to iptables for rpc match */
-#include <stdio.h>
-#include <getopt.h>
-#include <iptables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"record_rpc v%s takes no options\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- return 0;
-}
-
-/* Final check; must have specified --mac. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
-}
-
-static
-struct iptables_match record_rpc = {
- .next = NULL,
- .name = "record_rpc",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(0),
- .userspacesize = IPT_ALIGN(0),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&record_rpc);
-}
diff --git a/extensions/libipt_rpc.c b/extensions/libipt_rpc.c
deleted file mode 100644
index dbfb3962..00000000
--- a/extensions/libipt_rpc.c
+++ /dev/null
@@ -1,373 +0,0 @@
-/* RPC extension for IP connection matching, Version 2.2
- * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
- * - original rpc tracking module
- * - "recent" connection handling for kernel 2.3+ netfilter
- *
- * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
- * - upgraded conntrack modules to oldnat api - kernel 2.4.0+
- *
- * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
- * - upgraded conntrack modules to newnat api - kernel 2.4.20+
- * - extended matching to support filtering on procedures
- *
- * libipt_rpc.c,v 2.2 2003/01/12 18:30:00
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version
- * 2 of the License, or (at your option) any later version.
- **
- * Userspace library syntax:
- * --rpc [--rpcs procedure1,procedure2,...procedure128] [--static]
- *
- * Procedures can be supplied in either numeric or named formats.
- * Without --rpcs, this module will behave as the old record-rpc.
- **
- * Note to all:
- *
- * RPCs should not be exposed to the internet - ask the Pentagon;
- *
- * "The unidentified crackers pleaded guilty in July to charges
- * of juvenile delinquency stemming from a string of Pentagon
- * network intrusions in February.
- *
- * The youths, going by the names TooShort and Makaveli, used
- * a common server security hole to break in, according to
- * Dane Jasper, owner of the California Internet service
- * provider, Sonic. They used the hole, known as the 'statd'
- * exploit, to attempt more than 800 break-ins, Jasper said."
- *
- * From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998
- * URL: http://www.wired.com/news/politics/0,1283,16098,00.html
- **
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <rpc/rpc.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_rpc.h>
-#include <time.h>
-
-
-const int IPT_RPC_RPCS = 1;
-const int IPT_RPC_STRC = 2;
-
-const int IPT_RPC_INT_LBL = 1;
-const int IPT_RPC_INT_NUM = 2;
-const int IPT_RPC_INT_BTH = 3;
-
-const int IPT_RPC_CHAR_LEN = 11;
-const int IPT_RPC_MAX_ENTS = 128;
-
-const char preerr[11] = "RPC match:";
-
-
-static int k_itoa(char *string, int number)
-{
- int maxoctet = IPT_RPC_CHAR_LEN - 1;
- int store[IPT_RPC_CHAR_LEN];
- int counter;
-
-
- for (counter=0 ; maxoctet != 0 && number != 0; counter++, maxoctet--) {
- store[counter] = number / 10;
- store[counter] = number - ( store[counter] * 10 );
- number = number / 10;
- }
-
- for ( ; counter != 0; counter--, string++)
- *string = store[counter - 1] + 48;
-
- *string = 0;
-
- return(0);
-}
-
-
-static int k_atoi(char *string)
-{
- unsigned int result = 0;
- int maxoctet = IPT_RPC_CHAR_LEN;
-
-
- for ( ; *string != 0 && maxoctet != 0; maxoctet--, string++) {
- if (*string < 0)
- return(0);
- if (*string == 0)
- break;
- if (*string < 48 || *string > 57) {
- return(0);
- }
- result = result * 10 + ( *string - 48 );
- }
-
- return(result);
-}
-
-
-static void print_rpcs(char *c_procs, int i_procs, int labels)
-{
- int proc_ctr;
- char *proc_ptr;
- unsigned int proc_num;
- struct rpcent *rpcent;
-
-
- for (proc_ctr=0; proc_ctr <= i_procs; proc_ctr++) {
-
- if ( proc_ctr != 0 )
- printf(",");
-
- proc_ptr = c_procs;
- proc_ptr += proc_ctr * IPT_RPC_CHAR_LEN;
- proc_num = k_atoi(proc_ptr);
-
- /* labels(1) == no labels, only numbers
- * labels(2) == no numbers, only labels
- * labels(3) == both labels and numbers
- */
-
- if (labels == IPT_RPC_INT_LBL || labels == IPT_RPC_INT_BTH ) {
- if ( (rpcent = getrpcbynumber(proc_num)) == NULL )
- printf("unknown");
- else
- printf("%s", rpcent->r_name);
- }
-
- if (labels == IPT_RPC_INT_BTH )
- printf("(");
-
- if (labels == IPT_RPC_INT_NUM || labels == IPT_RPC_INT_BTH )
- printf("%i", proc_num);
-
- if (labels == IPT_RPC_INT_BTH )
- printf(")");
-
- }
-
-}
-
-
-static void help(void)
-{
- printf(
- "RPC v%s options:\n"
- " --rpcs list,of,procedures"
- "\ta list of rpc program numbers to apply\n"
- "\t\t\t\tie. 100003,mountd,rquotad (numeric or\n"
- "\t\t\t\tname form; see /etc/rpc).\n"
- " --strict"
- "\t\t\ta flag to force the drop of packets\n"
- "\t\t\t\tnot containing \"get\" portmapper requests.\n",
- IPTABLES_VERSION);
-}
-
-
-static struct option opts[] = {
- { "rpcs", 1, 0, '1'},
- { "strict", 0, 0, '2'},
- {0}
-};
-
-
-static void init(struct ipt_entry_match *match, unsigned int *nfcache)
-{
- struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
-
-
-
- /* initialise those funky user vars */
- rpcinfo->i_procs = -1;
- rpcinfo->strict = 0;
- memset((char *)rpcinfo->c_procs, 0, sizeof(rpcinfo->c_procs));
-}
-
-
-static void parse_rpcs_string(char *string, struct ipt_entry_match **match)
-{
- char err1[64] = "%s invalid --rpcs option-set: `%s' (at character %i)";
- char err2[64] = "%s unable to resolve rpc name entry: `%s'";
- char err3[64] = "%s maximum number of --rpc options (%i) exceeded";
- char buf[256];
- char *dup = buf;
- int idup = 0;
- int term = 0;
- char *src, *dst;
- char *c_procs;
- struct rpcent *rpcent_ptr;
- struct ipt_rpc_info *rpcinfo = (struct ipt_rpc_info *)(*match)->data;
-
-
- memset(buf, 0, sizeof(buf));
-
- for (src=string, dst=buf; term != 1 ; src++, dst++) {
-
- if ( *src != ',' && *src != '\0' ) {
- if ( ( *src >= 65 && *src <= 90 ) || ( *src >= 97 && *src <= 122) ) {
- *dst = *src;
- idup = 1;
-
- } else if ( *src >= 48 && *src <= 57 ) {
- *dst = *src;
-
- } else {
- exit_error(PARAMETER_PROBLEM, err1, preerr,
- string, src - string + 1);
-
- }
-
- } else {
- *dst = '\0';
- if ( idup == 1 ) {
- if ( (rpcent_ptr = getrpcbyname(dup)) == NULL )
- exit_error(PARAMETER_PROBLEM, err2,
- preerr, dup);
- idup = rpcent_ptr->r_number;
- } else {
- idup = k_atoi(dup);
- }
-
- rpcinfo->i_procs++;
- if ( rpcinfo->i_procs > IPT_RPC_MAX_ENTS )
- exit_error(PARAMETER_PROBLEM, err3, preerr,
- IPT_RPC_MAX_ENTS);
-
- c_procs = (char *)rpcinfo->c_procs;
- c_procs += rpcinfo->i_procs * IPT_RPC_CHAR_LEN;
-
- memset(buf, 0, sizeof(buf));
- k_itoa((char *)dup, idup);
-
- strcpy(c_procs, dup);
-
- if ( *src == '\0')
- term = 1;
-
- idup = 0;
- memset(buf, 0, sizeof(buf));
- dst = (char *)buf - 1;
- }
- }
-
- return;
-}
-
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_rpc_info *rpcinfo = (struct ipt_rpc_info *)(*match)->data;
-
-
- switch (c)
- {
- case '1':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "%s unexpected '!' with --rpcs\n", preerr);
- if (*flags & IPT_RPC_RPCS)
- exit_error(PARAMETER_PROBLEM,
- "%s repeated use of --rpcs\n", preerr);
- parse_rpcs_string(optarg, match);
-
- *flags |= IPT_RPC_RPCS;
- break;
-
- case '2':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "%s unexpected '!' with --strict\n", preerr);
- if (*flags & IPT_RPC_STRC)
- exit_error(PARAMETER_PROBLEM,
- "%s repeated use of --strict\n", preerr);
- rpcinfo->strict = 1;
- *flags |= IPT_RPC_STRC;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-
-}
-
-
-static void final_check(unsigned int flags)
-{
- if (flags != (flags | IPT_RPC_RPCS)) {
- printf("%s option \"--rpcs\" was not used ... reverting ", preerr);
- printf("to old \"record-rpc\" functionality ..\n");
- }
-}
-
-
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
-
-
- printf("RPCs");
- if(rpcinfo->strict == 1)
- printf("[strict]");
-
- printf(": ");
-
- if(rpcinfo->i_procs == -1) {
- printf("any(*)");
-
- } else {
- print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_BTH);
- }
- printf(" ");
-
-}
-
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
-
-
- if(rpcinfo->i_procs > -1) {
- printf("--rpcs ");
- print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_NUM);
- printf(" ");
- }
-
- if(rpcinfo->strict == 1)
- printf("--strict ");
-
-}
-
-
-static struct iptables_match rpcstruct = {
- .next = NULL,
- .name = "rpc",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_rpc_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_rpc_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-
-void _init(void)
-{
- register_match(&rpcstruct);
-}
-
diff --git a/extensions/libipt_time.c b/extensions/libipt_time.c
deleted file mode 100644
index dcf2dc67..00000000
--- a/extensions/libipt_time.c
+++ /dev/null
@@ -1,549 +0,0 @@
-/* Shared library add-on to iptables to add TIME matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stddef.h> /* for 'offsetof' */
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_time.h>
-#include <time.h>
-
-static int globaldays;
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"TIME v%s options:\n"
-" [ --timestart value ] [ --timestop value] [ --days listofdays ] [ --datestart value ] [ --datestop value ]\n"
-" timestart value : HH:MM (default 00:00)\n"
-" timestop value : HH:MM (default 23:59)\n"
-" Note: daylight savings time changes are not tracked\n"
-" listofdays value: a list of days to apply\n"
-" from Mon,Tue,Wed,Thu,Fri,Sat,Sun\n"
-" Coma speparated, no space, case sensitive.\n"
-" Defaults to all days.\n"
-" datestart value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]\n"
-" If any of month, day, hour, minute or second is\n"
-" not specified, then defaults to their smallest\n"
-" 1900 <= YYYY < 2037\n"
-" 1 <= MM <= 12\n"
-" 1 <= DD <= 31\n"
-" 0 <= hh <= 23\n"
-" 0 <= mm <= 59\n"
-" 0 <= ss <= 59\n"
-" datestop value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]\n"
-" If the whole option is ommited, default to never stop\n"
-" If any of month, day, hour, minute or second is\n"
-" not specified, then default to their smallest\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "timestart", 1, 0, '1' },
- { "timestop", 1, 0, '2' },
- { "days", 1, 0, '3'},
- { "datestart", 1, 0, '4' },
- { "datestop", 1, 0, '5' },
- {0}
-};
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_time_info *info = (struct ipt_time_info *)m->data;
- globaldays = 0;
- /* By default, we match on everyday */
- info->days_match = 127;
- /* By default, we match on every hour:min of the day */
- info->time_start = 0;
- info->time_stop = 1439; /* (23*60+59 = 1439 */
- /* By default, we don't have any date-begin or date-end boundaries */
- info->date_start = 0;
- info->date_stop = LONG_MAX;
-}
-
-/**
- * param: part1, a pointer on a string 2 chars maximum long string, that will contain the hours.
- * param: part2, a pointer on a string 2 chars maximum long string, that will contain the minutes.
- * param: str_2_parse, the string to parse.
- * return: 1 if ok, 0 if error.
- */
-static int
-split_time(char **part1, char **part2, const char *str_2_parse)
-{
- unsigned short int i,j=0;
- char *rpart1 = *part1;
- char *rpart2 = *part2;
- unsigned char found_column = 0;
-
- /* Check the length of the string */
- if (strlen(str_2_parse) > 5)
- return 0;
- /* parse the first part until the ':' */
- for (i=0; i<2; i++)
- {
- if (str_2_parse[i] == ':')
- found_column = 1;
- else
- rpart1[i] = str_2_parse[i];
- }
- if (!found_column)
- i++;
- j=i;
- /* parse the second part */
- for (; i<strlen(str_2_parse); i++)
- {
- rpart2[i-j] = str_2_parse[i];
- }
- /* if we are here, format should be ok. */
- return 1;
-}
-
-static int
-parse_number(char *str, int num_min, int num_max, int *number)
-{
- /* if the number starts with 0, replace it with a space else
- string_to_number() will interpret it as octal !! */
- if (strlen(str) == 0)
- return 0;
-
- if ((str[0] == '0') && (str[1] != '\0'))
- str[0] = ' ';
-
- return string_to_number(str, num_min, num_max, number);
-}
-
-static void
-parse_time_string(int *hour, int *minute, const char *time)
-{
- char *hours;
- char *minutes;
- hours = (char *)malloc(3);
- minutes = (char *)malloc(3);
- memset(hours, 0, 3);
- memset(minutes, 0, 3);
-
- if (split_time((char **)&hours, (char **)&minutes, time) == 1)
- {
- *hour = 0;
- *minute = 0;
- if ((parse_number((char *)hours, 0, 23, hour) != -1) &&
- (parse_number((char *)minutes, 0, 59, minute) != -1))
- {
- free(hours);
- free(minutes);
- return;
- }
- }
-
- free(hours);
- free(minutes);
-
- /* If we are here, there was a problem ..*/
- exit_error(PARAMETER_PROBLEM,
- "invalid time `%s' specified, should be HH:MM format", time);
-}
-
-/* return 1->ok, return 0->error */
-static int
-parse_day(int *days, int from, int to, const char *string)
-{
- char *dayread;
- char *days_str[7] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
- unsigned short int days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
- unsigned int i;
-
- dayread = (char *)malloc(4);
- bzero(dayread, 4);
- if ((to-from) != 3) {
- free(dayread);
- return 0;
- }
- for (i=from; i<to; i++)
- dayread[i-from] = string[i];
- for (i=0; i<7; i++)
- if (strcmp(dayread, days_str[i]) == 0)
- {
- *days |= days_of_week[i];
- free(dayread);
- return 1;
- }
- /* if we are here, we didn't read a valid day */
- free(dayread);
- return 0;
-}
-
-static void
-parse_days_string(int *days, const char *daystring)
-{
- int len;
- int i=0;
- char *err = "invalid days `%s' specified, should be Sun,Mon,Tue... format";
-
- len = strlen(daystring);
- if (len < 3)
- exit_error(PARAMETER_PROBLEM, err, daystring);
- while(i<len)
- {
- if (parse_day(days, i, i+3, daystring) == 0)
- exit_error(PARAMETER_PROBLEM, err, daystring);
- i += 4;
- }
-}
-
-static int
-parse_date_field(const char *str_to_parse, int str_to_parse_s, int start_pos,
- char *dest, int *next_pos)
-{
- unsigned char found_value = 0;
- unsigned char found_column = 0;
- int i;
-
- for (i=0; i<2; i++)
- {
- if ((i+start_pos) >= str_to_parse_s) /* don't exit boundaries of the string.. */
- break;
- if (str_to_parse[i+start_pos] == ':')
- found_column = 1;
- else
- {
- found_value = 1;
- dest[i] = str_to_parse[i+start_pos];
- }
- }
- if (found_value == 0)
- return 0;
- *next_pos = i + start_pos;
- if (found_column == 0)
- ++(*next_pos);
- return 1;
-}
-
-static int
-split_date(char *year, char *month, char *day,
- char *hour, char *minute, char *second,
- const char *str_to_parse)
-{
- int i;
- unsigned char found_column = 0;
- int str_to_parse_s = strlen(str_to_parse);
-
- /* Check the length of the string */
- if ((str_to_parse_s > 19) || /* YYYY:MM:DD:HH:MM:SS */
- (str_to_parse_s < 4)) /* YYYY*/
- return 0;
-
- /* Clear the buffers */
- memset(year, 0, 4);
- memset(month, 0, 2);
- memset(day, 0, 2);
- memset(hour, 0, 2);
- memset(minute, 0, 2);
- memset(second, 0, 2);
-
- /* parse the year YYYY */
- found_column = 0;
- for (i=0; i<5; i++)
- {
- if (i >= str_to_parse_s)
- break;
- if (str_to_parse[i] == ':')
- {
- found_column = 1;
- break;
- }
- else
- year[i] = str_to_parse[i];
- }
- if (found_column == 1)
- ++i;
-
- /* parse the month if it exists */
- if (! parse_date_field(str_to_parse, str_to_parse_s, i, month, &i))
- return 1;
-
- if (! parse_date_field(str_to_parse, str_to_parse_s, i, day, &i))
- return 1;
-
- if (! parse_date_field(str_to_parse, str_to_parse_s, i, hour, &i))
- return 1;
-
- if (! parse_date_field(str_to_parse, str_to_parse_s, i, minute, &i))
- return 1;
-
- parse_date_field(str_to_parse, str_to_parse_s, i, second, &i);
-
- /* if we are here, format should be ok. */
- return 1;
-}
-
-static time_t
-parse_date_string(const char *str_to_parse)
-{
- char year[5];
- char month[3];
- char day[3];
- char hour[3];
- char minute[3];
- char second[3];
- struct tm t;
- time_t temp_time;
-
- memset(year, 0, 5);
- memset(month, 0, 3);
- memset(day, 0, 3);
- memset(hour, 0, 3);
- memset(minute, 0, 3);
- memset(second, 0, 3);
-
- if (split_date(year, month, day, hour, minute, second, str_to_parse) == 1)
- {
- memset((void *)&t, 0, sizeof(struct tm));
- t.tm_isdst = -1;
- t.tm_mday = 1;
- if (!((parse_number(year, 1900, 2037, &(t.tm_year)) == -1) ||
- (parse_number(month, 1, 12, &(t.tm_mon)) == -1) ||
- (parse_number(day, 1, 31, &(t.tm_mday)) == -1) ||
- (parse_number(hour, 0, 9999, &(t.tm_hour)) == -1) ||
- (parse_number(minute, 0, 59, &(t.tm_min)) == -1) ||
- (parse_number(second, 0, 59, &(t.tm_sec)) == -1)))
- {
- t.tm_year -= 1900;
- --(t.tm_mon);
- temp_time = mktime(&t);
- if (temp_time != -1)
- return temp_time;
- }
- }
- exit_error(PARAMETER_PROBLEM,
- "invalid date `%s' specified, should be YYYY[:MM[:DD[:hh[:mm[:ss]]]]] format", str_to_parse);
-}
-
-#define IPT_TIME_START 0x01
-#define IPT_TIME_STOP 0x02
-#define IPT_TIME_DAYS 0x04
-#define IPT_DATE_START 0x08
-#define IPT_DATE_STOP 0x10
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_time_info *timeinfo = (struct ipt_time_info *)(*match)->data;
- int hours, minutes;
- time_t temp_date;
-
- switch (c)
- {
- /* timestart */
- case '1':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "unexpected '!' with --timestart");
- if (*flags & IPT_TIME_START)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --timestart twice");
- parse_time_string(&hours, &minutes, optarg);
- timeinfo->time_start = (hours * 60) + minutes;
- *flags |= IPT_TIME_START;
- break;
- /* timestop */
- case '2':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "unexpected '!' with --timestop");
- if (*flags & IPT_TIME_STOP)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --timestop twice");
- parse_time_string(&hours, &minutes, optarg);
- timeinfo->time_stop = (hours * 60) + minutes;
- *flags |= IPT_TIME_STOP;
- break;
-
- /* days */
- case '3':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "unexpected '!' with --days");
- if (*flags & IPT_TIME_DAYS)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --days twice");
- parse_days_string(&globaldays, optarg);
- timeinfo->days_match = globaldays;
- *flags |= IPT_TIME_DAYS;
- break;
-
- /* datestart */
- case '4':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "unexpected '!' with --datestart");
- if (*flags & IPT_DATE_START)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --datestart twice");
- temp_date = parse_date_string(optarg);
- timeinfo->date_start = temp_date;
- *flags |= IPT_DATE_START;
- break;
-
- /* datestop*/
- case '5':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "unexpected '!' with --datestop");
- if (*flags & IPT_DATE_STOP)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --datestop twice");
- temp_date = parse_date_string(optarg);
- timeinfo->date_stop = temp_date;
- *flags |= IPT_DATE_STOP;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check */
-static void
-final_check(unsigned int flags)
-{
- /* Nothing to do */
-}
-
-
-static void
-print_days(int daynum)
-{
- char *days[7] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
- unsigned short int days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
- unsigned short int i, nbdays=0;
-
- for (i=0; i<7; i++) {
- if ((days_of_week[i] & daynum) == days_of_week[i])
- {
- if (nbdays>0)
- printf(",%s", days[i]);
- else
- printf("%s", days[i]);
- ++nbdays;
- }
- }
- printf(" ");
-}
-
-static void
-divide_time(int fulltime, int *hours, int *minutes)
-{
- *hours = fulltime / 60;
- *minutes = fulltime % 60;
-}
-
-static void
-print_date(time_t date, char *command)
-{
- struct tm *t;
-
- /* If it's default value, don't print..*/
- if (((date == 0) || (date == LONG_MAX)) && (command != NULL))
- return;
- t = localtime(&date);
- if (command != NULL)
- printf("%s %d:%d:%d:%d:%d:%d ", command, (t->tm_year + 1900), (t->tm_mon + 1),
- t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
- else
- printf("%d-%d-%d %d:%d:%d ", (t->tm_year + 1900), (t->tm_mon + 1),
- t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_time_info *time = ((struct ipt_time_info *)match->data);
- int hour_start, hour_stop, minute_start, minute_stop;
-
- divide_time(time->time_start, &hour_start, &minute_start);
- divide_time(time->time_stop, &hour_stop, &minute_stop);
- printf("TIME ");
- if (time->time_start != 0)
- printf("from %d:%d ", hour_start, minute_start);
- if (time->time_stop != 1439) /* 23*60+59 = 1439 */
- printf("to %d:%d ", hour_stop, minute_stop);
- printf("on ");
- if (time->days_match == 127)
- printf("all days ");
- else
- print_days(time->days_match);
- if (time->date_start != 0)
- {
- printf("starting from ");
- print_date(time->date_start, NULL);
- }
- if (time->date_stop != LONG_MAX)
- {
- printf("until date ");
- print_date(time->date_stop, NULL);
- }
-}
-
-/* Saves the data in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_time_info *time = ((struct ipt_time_info *)match->data);
- int hour_start, hour_stop, minute_start, minute_stop;
-
- divide_time(time->time_start, &hour_start, &minute_start);
- divide_time(time->time_stop, &hour_stop, &minute_stop);
- if (time->time_start != 0)
- printf("--timestart %.2d:%.2d ",
- hour_start, minute_start);
-
- if (time->time_stop != 1439) /* 23*60+59 = 1439 */
- printf("--timestop %.2d:%.2d ",
- hour_stop, minute_stop);
-
- if (time->days_match != 127)
- {
- printf("--days ");
- print_days(time->days_match);
- printf(" ");
- }
- print_date(time->date_start, "--datestart");
- print_date(time->date_stop, "--datestop");
-}
-
-/* have to use offsetof() instead of IPT_ALIGN(), since kerneltime must not
- * be compared when user deletes rule with '-D' */
-static
-struct iptables_match timestruct = {
- .next = NULL,
- .name = "time",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_time_info)),
- .userspacesize = offsetof(struct ipt_time_info, kerneltime),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&timestruct);
-}
diff --git a/extensions/libipt_time.man b/extensions/libipt_time.man
deleted file mode 100644
index 94b40531..00000000
--- a/extensions/libipt_time.man
+++ /dev/null
@@ -1,16 +0,0 @@
-This matches if the packet arrival time/date is within a given range. All options are facultative.
-.TP
-.BI " --timestart " "value"
-Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
-.TP
-.BI "--timestop " "value"
-Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
-.TP
-.BI "--days " "listofdays"
-Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
-.TP
-.BI "--datestart " "date"
-Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 1970)
-.TP
-.BI "--datestop " "date"
-Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 2037)