diff options
author | Florian Westphal <fw@strlen.de> | 2011-07-14 23:56:47 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-02-23 18:07:52 +0100 |
commit | 166b92d3fb2a7fc008df1b59332ef528a9a573ea (patch) | |
tree | 5717198bf8509ee63102e1d79bf33fc3bc9bd743 /extensions/libxt_rpfilter.c | |
parent | 2117f2b4519a027c8e8ccdb2c99f2025c8af898b (diff) |
extensions: add rpfilter module
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libxt_rpfilter.c')
-rw-r--r-- | extensions/libxt_rpfilter.c | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/extensions/libxt_rpfilter.c b/extensions/libxt_rpfilter.c new file mode 100644 index 00000000..168e703f --- /dev/null +++ b/extensions/libxt_rpfilter.c @@ -0,0 +1,96 @@ +#include <stdio.h> +#include <xtables.h> +#include <linux/netfilter/xt_rpfilter.h> + +enum { + O_RPF_LOOSE = 0, + O_RPF_VMARK = 1, + O_RPF_ACCEPT_LOCAL = 2, + O_RPF_INVERT = 3, +}; + +static void rpfilter_help(void) +{ + printf( +"rpfilter match options:\n" +" --loose permit reverse path via any interface\n" +" --validmark use skb nfmark when performing route lookup\n" +" --accept-local do not reject packets with a local source address\n" +" --invert match packets that failed the reverse path test\n" + ); +} + +static const struct xt_option_entry rpfilter_opts[] = { + {.name = "loose", .id = O_RPF_LOOSE, .type = XTTYPE_NONE, }, + {.name = "validmark", .id = O_RPF_VMARK, .type = XTTYPE_NONE, }, + {.name = "accept-local", .id = O_RPF_ACCEPT_LOCAL, .type = XTTYPE_NONE, }, + {.name = "invert", .id = O_RPF_INVERT, .type = XTTYPE_NONE, }, + XTOPT_TABLEEND, +}; + +static void rpfilter_parse(struct xt_option_call *cb) +{ + struct xt_rpfilter_info *rpfinfo = cb->data; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_RPF_LOOSE: + rpfinfo->flags |= XT_RPFILTER_LOOSE; + break; + case O_RPF_VMARK: + rpfinfo->flags |= XT_RPFILTER_VALID_MARK; + break; + case O_RPF_ACCEPT_LOCAL: + rpfinfo->flags |= XT_RPFILTER_ACCEPT_LOCAL; + break; + case O_RPF_INVERT: + rpfinfo->flags |= XT_RPFILTER_INVERT; + break; + } +} + +static void +rpfilter_print_prefix(const void *ip, const void *matchinfo, + const char *prefix) +{ + const struct xt_rpfilter_info *info = matchinfo; + if (info->flags & XT_RPFILTER_LOOSE) + printf(" %s%s", prefix, rpfilter_opts[O_RPF_LOOSE].name); + if (info->flags & XT_RPFILTER_VALID_MARK) + printf(" %s%s", prefix, rpfilter_opts[O_RPF_VMARK].name); + if (info->flags & XT_RPFILTER_ACCEPT_LOCAL) + printf(" %s%s", prefix, rpfilter_opts[O_RPF_ACCEPT_LOCAL].name); + if (info->flags & XT_RPFILTER_INVERT) + printf(" %s%s", prefix, rpfilter_opts[O_RPF_INVERT].name); +} + + +static void +rpfilter_print(const void *ip, const struct xt_entry_match *match, int numeric) +{ + printf(" rpfilter"); + return rpfilter_print_prefix(ip, match->data, ""); +} + +static void rpfilter_save(const void *ip, const struct xt_entry_match *match) +{ + return rpfilter_print_prefix(ip, match->data, "--"); +} + +static struct xtables_match rpfilter_match = { + .family = NFPROTO_UNSPEC, + .name = "rpfilter", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_rpfilter_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_rpfilter_info)), + .help = rpfilter_help, + .print = rpfilter_print, + .save = rpfilter_save, + .x6_parse = rpfilter_parse, + .x6_options = rpfilter_opts, +}; + +void _init(void) +{ + xtables_register_match(&rpfilter_match); +} |