diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-02-11 16:16:50 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-02-11 16:19:24 +0100 |
| commit | 87f82cbd4f94cca74eb58506e117f226a2270759 (patch) | |
| tree | c49b2f0ba1b80c0953c41f6c865cab92e30038eb /extensions | |
| parent | aa562a660d1555b13cffbac1e744033e91f82707 (diff) | |
| parent | 24775a7a3178c163302560d2bd74ecc6ed0f7af4 (diff) | |
Merge branch 'ebtables-compat'
The ebtables-compat branch provides the compatibility layer to run
ebtables extensions. Currently, only the following matches / targets /
watchers are supported:
* 802_3
* ip
* mark_m and mark
* log
The remaining ones should be easy to port them to on top of libxtables,
they will follow up later.
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/GNUmakefile.in | 44 | ||||
| -rw-r--r-- | extensions/libebt_802_3.c | 133 | ||||
| -rw-r--r-- | extensions/libebt_ip.c | 312 | ||||
| -rw-r--r-- | extensions/libebt_log.c | 197 | ||||
| -rw-r--r-- | extensions/libebt_mark.c | 191 | ||||
| -rw-r--r-- | extensions/libebt_mark_m.c | 118 |
6 files changed, 988 insertions, 7 deletions
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index 52915725..9eb4bf98 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -39,16 +39,20 @@ endif # Wildcard module list # pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c))) +pfb_build_mod := $(patsubst ${srcdir}/libebt_%.c,%,$(sort $(wildcard ${srcdir}/libebt_*.c))) pfx_symlinks := NOTRACK state @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c))) @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c))) pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) +pfb_build_mod := $(filter-out @blacklist_modules@,${pfb_build_mod}) pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod}) pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod}) pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod}) +pfb_objs := $(patsubst %,libebt_%.o,${pfb_build_mod}) pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod}) pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod}) pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks}) +pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod}) pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod}) pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod}) @@ -56,13 +60,14 @@ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod}) # # Building blocks # -targets := libext.a libext4.a libext6.a matches.man targets.man +targets := libext.a libext4.a libext6.a libext_ebt.a matches.man targets.man targets_install := @ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs} +@ENABLE_STATIC_TRUE@ libext_ebt_objs := ${pfb_objs} @ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs} @ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs} -@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} -@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} +@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} +@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} .SECONDARY: @@ -75,7 +80,7 @@ install: ${targets_install} if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi; clean: - rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c; + rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c initextb.c; rm -f .*.d .*.dd; distclean: clean @@ -118,6 +123,9 @@ lib%.o: ${srcdir}/lib%.c libext.a: initext.o ${libext_objs} ${AM_VERBOSE_AR} ${AR} crs $@ $^; +libext_ebt.a: initextb.o ${libext_ebt_objs} + ${AM_VERBOSE_AR} ${AR} crs $@ $^; + libext4.a: initext4.o ${libext4_objs} ${AM_VERBOSE_AR} ${AR} crs $@ $^; @@ -125,6 +133,7 @@ libext6.a: initext6.o ${libext6_objs} ${AM_VERBOSE_AR} ${AR} crs $@ $^; initext_func := $(addprefix xt_,${pfx_build_mod}) +initextb_func := $(addprefix ebt_,${pfb_build_mod}) initext4_func := $(addprefix ipt_,${pf4_build_mod}) initext6_func := $(addprefix ip6t_,${pf6_build_mod}) @@ -133,6 +142,11 @@ initext6_func := $(addprefix ip6t_,${pf6_build_mod}) cmp -s $@ $@.tmp || mv $@.tmp $@; \ rm -f $@.tmp; +.initextb.dd: FORCE + @echo "${initextb_func}" >$@.tmp; \ + cmp -s $@ $@.tmp || mv $@.tmp $@; \ + rm -f $@.tmp; + .initext4.dd: FORCE @echo "${initext4_func}" >$@.tmp; \ cmp -s $@ $@.tmp || mv $@.tmp $@; \ @@ -159,6 +173,22 @@ initext.c: .initext.dd echo "}" >>$@; \ ); +initextb.c: .initextb.dd + ${AM_VERBOSE_GEN} + @( \ + echo "" >$@; \ + for i in ${initextb_func}; do \ + echo "extern void lib$${i}_init(void);" >>$@; \ + done; \ + echo "void init_extensionsb(void);" >>$@; \ + echo "void init_extensionsb(void)" >>$@; \ + echo "{" >>$@; \ + for i in ${initextb_func}; do \ + echo " ""lib$${i}_init();" >>$@; \ + done; \ + echo "}" >>$@; \ + ); + initext4.c: .initext4.dd ${AM_VERBOSE_GEN} @( \ @@ -219,8 +249,8 @@ man_run = \ fi; \ done >$@; -matches.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) - $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks})) +matches.man: .initext.dd .initextb.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) + $(call man_run,$(call ex_matches,${pfx_build_mod} ${pfb_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks})) targets.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) - $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks})) + $(call man_run,$(call ex_targets,${pfx_build_mod} ${pfb_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks})) diff --git a/extensions/libebt_802_3.c b/extensions/libebt_802_3.c new file mode 100644 index 00000000..3c4a1c3c --- /dev/null +++ b/extensions/libebt_802_3.c @@ -0,0 +1,133 @@ +/* 802_3 + * + * Author: + * Chris Vitale <csv@bluetail.com> + * + * May 2003 + * + * Adapted by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> + * to use libxtables for ebtables-compat + */ + +#include <stdbool.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <xtables.h> +#include <linux/netfilter_bridge/ebt_802_3.h> + +#define _802_3_SAP '1' +#define _802_3_TYPE '2' + +static const struct option br802_3_opts[] = { + { .name = "802_3-sap", .has_arg = true, .val = _802_3_SAP }, + { .name = "802_3-type", .has_arg = true, .val = _802_3_TYPE }, + XT_GETOPT_TABLEEND, +}; + +static void br802_3_print_help(void) +{ + printf( +"802_3 options:\n" +"--802_3-sap [!] protocol : 802.3 DSAP/SSAP- 1 byte value (hex)\n" +" DSAP and SSAP are always the same. One SAP applies to both fields\n" +"--802_3-type [!] protocol : 802.3 SNAP Type- 2 byte value (hex)\n" +" Type implies SAP value 0xaa\n"); +} + +static void br802_3_init(struct xt_entry_match *match) +{ + struct ebt_802_3_info *info = (struct ebt_802_3_info *)match->data; + + info->invflags = 0; + info->bitmask = 0; +} + +static int +br802_3_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct ebt_802_3_info *info = (struct ebt_802_3_info *) (*match)->data; + unsigned int i; + char *end; + + switch (c) { + case _802_3_SAP: + if (invert) + info->invflags |= EBT_802_3_SAP; + i = strtoul(optarg, &end, 16); + if (i > 255 || *end != '\0') + xtables_error(PARAMETER_PROBLEM, + "Problem with specified " + "sap hex value, %x",i); + info->sap = i; /* one byte, so no byte order worries */ + info->bitmask |= EBT_802_3_SAP; + break; + case _802_3_TYPE: + if (invert) + info->invflags |= EBT_802_3_TYPE; + i = strtoul(optarg, &end, 16); + if (i > 65535 || *end != '\0') { + xtables_error(PARAMETER_PROBLEM, + "Problem with the specified " + "type hex value, %x",i); + } + info->type = htons(i); + info->bitmask |= EBT_802_3_TYPE; + break; + default: + return 0; + } + + *flags |= info->bitmask; + return 1; +} + +static void +br802_3_final_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "You must specify proper arguments"); +} + +static void br802_3_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + struct ebt_802_3_info *info = (struct ebt_802_3_info *)match->data; + + if (info->bitmask & EBT_802_3_SAP) { + printf("--802_3-sap "); + if (info->invflags & EBT_802_3_SAP) + printf("! "); + printf("0x%.2x ", info->sap); + } + if (info->bitmask & EBT_802_3_TYPE) { + printf("--802_3-type "); + if (info->invflags & EBT_802_3_TYPE) + printf("! "); + printf("0x%.4x ", ntohs(info->type)); + } +} + +static struct xtables_match br802_3_match = +{ + .name = "802_3", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_802_3_info)), + .userspacesize = XT_ALIGN(sizeof(struct ebt_802_3_info)), + .init = br802_3_init, + .help = br802_3_print_help, + .parse = br802_3_parse, + .final_check = br802_3_final_check, + .print = br802_3_print, + .extra_opts = br802_3_opts, +}; + +void _init(void) +{ + xtables_register_match(&br802_3_match); +} diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c new file mode 100644 index 00000000..8b628760 --- /dev/null +++ b/extensions/libebt_ip.c @@ -0,0 +1,312 @@ +/* ebt_ip + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * Changes: + * added ip-sport and ip-dport; parsing of port arguments is + * based on code from iptables-1.2.7a + * Innominate Security Technologies AG <mhopf@innominate.com> + * September, 2002 + * + * Adapted by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> + * to use libxtables for ebtables-compat in 2015. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <getopt.h> +#include <netdb.h> +#include <xtables.h> +#include <linux/netfilter_bridge/ebt_ip.h> + +#define IP_SOURCE '1' +#define IP_DEST '2' +#define IP_EBT_TOS '3' /* include/bits/in.h seems to already define IP_TOS */ +#define IP_PROTO '4' +#define IP_SPORT '5' +#define IP_DPORT '6' + +static const struct option brip_opts[] = { + { .name = "ip-source", .has_arg = true, .val = IP_SOURCE }, + { .name = "ip-src", .has_arg = true, .val = IP_SOURCE }, + { .name = "ip-destination", .has_arg = true, .val = IP_DEST }, + { .name = "ip-dst", .has_arg = true, .val = IP_DEST }, + { .name = "ip-tos", .has_arg = true, .val = IP_EBT_TOS }, + { .name = "ip-protocol", .has_arg = true, .val = IP_PROTO }, + { .name = "ip-proto", .has_arg = true, .val = IP_PROTO }, + { .name = "ip-source-port", .has_arg = true, .val = IP_SPORT }, + { .name = "ip-sport", .has_arg = true, .val = IP_SPORT }, + { .name = "ip-destination-port",.has_arg = true, .val = IP_DPORT }, + { .name = "ip-dport", .has_arg = true, .val = IP_DPORT }, + XT_GETOPT_TABLEEND, +}; + +static void brip_print_help(void) +{ + printf( +"ip options:\n" +"--ip-src [!] address[/mask]: ip source specification\n" +"--ip-dst [!] address[/mask]: ip destination specification\n" +"--ip-tos [!] tos : ip tos specification\n" +"--ip-proto [!] protocol : ip protocol specification\n" +"--ip-sport [!] port[:port] : tcp/udp source port or port range\n" +"--ip-dport [!] port[:port] : tcp/udp destination port or port range\n"); +} + +static void brip_init(struct xt_entry_match *match) +{ + struct ebt_ip_info *info = (struct ebt_ip_info *)match->data; + + info->invflags = 0; + info->bitmask = 0; +} + +static void +parse_port_range(const char *protocol, const char *portstring, uint16_t *ports) +{ + char *buffer; + char *cp; + + buffer = strdup(portstring); + if ((cp = strchr(buffer, ':')) == NULL) + ports[0] = ports[1] = xtables_parse_port(buffer, NULL); + else { + *cp = '\0'; + cp++; + + ports[0] = buffer[0] ? xtables_parse_port(buffer, NULL) : 0; + ports[1] = cp[0] ? xtables_parse_port(cp, NULL) : 0xFFFF; + + if (ports[0] > ports[1]) + xtables_error(PARAMETER_PROBLEM, + "invalid portrange (min > max)"); + } + free(buffer); +} + +/* original code from ebtables: useful_functions.c */ +static int undot_ip(char *ip, unsigned char *ip2) +{ + char *p, *q, *end; + long int onebyte; + int i; + char buf[20]; + + strncpy(buf, ip, sizeof(buf) - 1); + + p = buf; + for (i = 0; i < 3; i++) { + if ((q = strchr(p, '.')) == NULL) + return -1; + *q = '\0'; + onebyte = strtol(p, &end, 10); + if (*end != '\0' || onebyte > 255 || onebyte < 0) + return -1; + ip2[i] = (unsigned char)onebyte; + p = q + 1; + } + + onebyte = strtol(p, &end, 10); + if (*end != '\0' || onebyte > 255 || onebyte < 0) + return -1; + ip2[3] = (unsigned char)onebyte; + + return 0; +} + +static int ip_mask(char *mask, unsigned char *mask2) +{ + char *end; + long int bits; + uint32_t mask22; + + if (undot_ip(mask, mask2)) { + /* not the /a.b.c.e format, maybe the /x format */ + bits = strtol(mask, &end, 10); + if (*end != '\0' || bits > 32 || bits < 0) + return -1; + if (bits != 0) { + mask22 = htonl(0xFFFFFFFF << (32 - bits)); + memcpy(mask2, &mask22, 4); + } else { + mask22 = 0xFFFFFFFF; + memcpy(mask2, &mask22, 4); + } + } + return 0; +} + +static void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk) +{ + char *p; + + /* first the mask */ + if ((p = strrchr(address, '/')) != NULL) { + *p = '\0'; + if (ip_mask(p + 1, (unsigned char *)msk)) { + xtables_error(PARAMETER_PROBLEM, + "Problem with the IP mask '%s'", p + 1); + return; + } + } else + *msk = 0xFFFFFFFF; + + if (undot_ip(address, (unsigned char *)addr)) { + xtables_error(PARAMETER_PROBLEM, + "Problem with the IP address '%s'", address); + return; + } + *addr = *addr & *msk; +} + +static int +brip_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct ebt_ip_info *info = (struct ebt_ip_info *)(*match)->data; + + switch (c) { + case IP_SOURCE: + if (invert) + info->invflags |= EBT_IP_SOURCE; + ebt_parse_ip_address(optarg, &info->saddr, &info->smsk); + info->bitmask |= EBT_IP_SOURCE; + break; + case IP_DEST: + if (invert) + info->invflags |= EBT_IP_DEST; + ebt_parse_ip_address(optarg, &info->daddr, &info->dmsk); + info->bitmask |= EBT_IP_DEST; + break; + case IP_SPORT: + if (invert) + info->invflags |= EBT_IP_SPORT; + parse_port_range(NULL, optarg, info->sport); + info->bitmask |= EBT_IP_SPORT; + break; + case IP_DPORT: + if (invert) + info->invflags |= EBT_IP_DPORT; + parse_port_range(NULL, optarg, info->dport); + info->bitmask |= EBT_IP_DPORT; + break; + case IP_EBT_TOS: + if (invert) + info->invflags |= EBT_IP_TOS; + if (!xtables_strtoul(optarg, NULL, (uintmax_t *)&info->tos, + 0, 255)) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified IP tos"); + info->bitmask |= EBT_IP_TOS; + break; + case IP_PROTO: + if (invert) + info->invflags |= EBT_IP_PROTO; + info->protocol = xtables_parse_protocol(optarg); + if (info->protocol == -1) + xtables_error(PARAMETER_PROBLEM, + "Unknown specified IP protocol - %s", + optarg); + info->bitmask |= EBT_IP_PROTO; + break; + default: + return 0; + } + + *flags |= info->bitmask; + return 1; +} + +static void brip_final_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "You must specify proper arguments"); +} + +static void print_port_range(uint16_t *ports) +{ + if (ports[0] == ports[1]) + printf("%d ", ports[0]); + else + printf("%d:%d ", ports[0], ports[1]); +} + +static void brip_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + struct ebt_ip_info *info = (struct ebt_ip_info *)match->data; + struct in_addr *addrp, *maskp; + + if (info->bitmask & EBT_IP_SOURCE) { + printf("--ip-src "); + if (info->invflags & EBT_IP_SOURCE) + printf("! "); + addrp = (struct in_addr *)&info->saddr; + maskp = (struct in_addr *)&info->smsk; + printf("%s%s ", xtables_ipaddr_to_numeric(addrp), + xtables_ipmask_to_numeric(maskp)); + } + if (info->bitmask & EBT_IP_DEST) { + printf("--ip-dst "); + if (info->invflags & EBT_IP_DEST) + printf("! "); + addrp = (struct in_addr *)&info->daddr; + maskp = (struct in_addr *)&info->dmsk; + printf("%s%s ", xtables_ipaddr_to_numeric(addrp), + xtables_ipmask_to_numeric(maskp)); + } + if (info->bitmask & EBT_IP_TOS) { + printf("--ip-tos "); + if (info->invflags & EBT_IP_TOS) + printf("! "); + printf("0x%02X ", info->tos); + } + if (info->bitmask & EBT_IP_PROTO) { + struct protoent *pe; + + printf("--ip-proto "); + if (info->invflags & EBT_IP_PROTO) + printf("! "); + pe = getprotobynumber(info->protocol); + if (pe == NULL) { + printf("%d ", info->protocol); + } else { + printf("%s ", pe->p_name); + } + } + if (info->bitmask & EBT_IP_SPORT) { + printf("--ip-sport "); + if (info->invflags & EBT_IP_SPORT) + printf("! "); + print_port_range(info->sport); + } + if (info->bitmask & EBT_IP_DPORT) { + printf("--ip-dport "); + if (info->invflags & EBT_IP_DPORT) + printf("! "); + print_port_range(info->dport); + } +} + +static struct xtables_match brip_match = { + .name = "ip", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_ip_info)), + .userspacesize = XT_ALIGN(sizeof(struct ebt_ip_info)), + .init = brip_init, + .help = brip_print_help, + .parse = brip_parse, + .final_check = brip_final_check, + .print = brip_print, + .extra_opts = brip_opts, +}; + +void _init(void) +{ + xtables_register_match(&brip_match); +} diff --git a/extensions/libebt_log.c b/extensions/libebt_log.c new file mode 100644 index 00000000..0799185d --- /dev/null +++ b/extensions/libebt_log.c @@ -0,0 +1,197 @@ +/* + * Bart De Schuymer <bdschuym@pandora.be> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * Giuseppe Longo <giuseppelng@gmail.com> adapted the original code to the + * xtables-compat environment in 2015. + * + */ + +#include <stdio.h> +#include <stdlib.h> +#include <syslog.h> +#include <string.h> +#include <getopt.h> +#include <xtables.h> +#include <linux/netfilter_bridge/ebt_log.h> + +#define LOG_DEFAULT_LEVEL LOG_INFO + +#define LOG_PREFIX '1' +#define LOG_LEVEL '2' +#define LOG_ARP '3' +#define LOG_IP '4' +#define LOG_LOG '5' +#define LOG_IP6 '6' + +typedef struct _code { + char *c_name; + int c_val; +} CODE; + +static CODE eight_priority[] = { + { "emerg", LOG_EMERG }, + { "alert", LOG_ALERT }, + { "crit", LOG_CRIT }, + { "error", LOG_ERR }, + { "warning", LOG_WARNING }, + { "notice", LOG_NOTICE }, + { "info", LOG_INFO }, + { "debug", LOG_DEBUG } +}; + +static int name_to_loglevel(const char *arg) +{ + int i; + + for (i = 0; i < 8; i++) + if (!strcmp(arg, eight_priority[i].c_name)) + return eight_priority[i].c_val; + + /* return bad loglevel */ + return 9; +} + +static const struct option brlog_opts[] = { + { .name = "log-prefix", .has_arg = true, .val = LOG_PREFIX }, + { .name = "log-level", .has_arg = true, .val = LOG_LEVEL }, + { .name = "log-arp", .has_arg = false, .val = LOG_ARP }, + { .name = "log-ip", .has_arg = false, .val = LOG_IP }, + { .name = "log", .has_arg = false, .val = LOG_LOG }, + { .name = "log-ip6", .has_arg = false, .val = LOG_IP6 }, + XT_GETOPT_TABLEEND, +}; + +static void brlog_help(void) +{ + int i; + + printf( +"log options:\n" +"--log : use this if you're not specifying anything\n" +"--log-level level : level = [1-8] or a string\n" +"--log-prefix prefix : max. %d chars.\n" +"--log-ip : put ip info. in the log for ip packets\n" +"--log-arp : put (r)arp info. in the log for (r)arp packets\n" +"--log-ip6 : put ip6 info. in the log for ip6 packets\n" + , EBT_LOG_PREFIX_SIZE - 1); + for (i = 0; i < 8; i++) + printf("%d = %s\n", eight_priority[i].c_val, + eight_priority[i].c_name); +} + +static void brlog_init(struct xt_entry_target *t) +{ + struct ebt_log_info *loginfo = (struct ebt_log_info *)t->data; + + loginfo->bitmask = 0; + loginfo->prefix[0] = '\0'; + loginfo->loglevel = LOG_NOTICE; +} + +static int brlog_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct ebt_log_info *loginfo = (struct ebt_log_info *)(*target)->data; + long int i; + char *end; + + switch (c) { + case LOG_PREFIX: + if (invert) + xtables_error(PARAMETER_PROBLEM, + "Unexpected `!` after --log-prefix"); + if (strlen(optarg) > sizeof(loginfo->prefix) - 1) + xtables_error(PARAMETER_PROBLEM, + "Prefix too long"); + if (strchr(optarg, '\"')) + xtables_error(PARAMETER_PROBLEM, + "Use of \\\" is not allowed" + " in the prefix"); + strcpy((char *)loginfo->prefix, (char *)optarg); + break; + case LOG_LEVEL: + i = strtol(optarg, &end, 16); + if (*end != '\0' || i < 0 || i > 7) + loginfo->loglevel = name_to_loglevel(optarg); + else + loginfo->loglevel = i; + + if (loginfo->loglevel == 9) + xtables_error(PARAMETER_PROBLEM, + "Problem with the log-level"); + break; + case LOG_IP: + if (invert) + xtables_error(PARAMETER_PROBLEM, + "Unexpected `!' after --log-ip"); + loginfo->bitmask |= EBT_LOG_IP; + break; + case LOG_ARP: + if (invert) + xtables_error(PARAMETER_PROBLEM, + "Unexpected `!' after --log-arp"); + loginfo->bitmask |= EBT_LOG_ARP; + case LOG_LOG: + if (invert) + xtables_error(PARAMETER_PROBLEM, + "Unexpected `!' after --log"); + break; + case LOG_IP6: + if (invert) + xtables_error(PARAMETER_PROBLEM, + "Unexpected `!' after --log-ip6"); + loginfo->bitmask |= EBT_LOG_IP6; + break; + default: + return 0; + } + + *flags |= loginfo->bitmask; + return 1; +} + +static void brlog_final_check(unsigned int flags) +{ +} + +static void brlog_print(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + struct ebt_log_info *loginfo = (struct ebt_log_info *)target->data; + + printf("--log-level %s --log-prefix \"%s\"", + eight_priority[loginfo->loglevel].c_name, + loginfo->prefix); + + if (loginfo->bitmask & EBT_LOG_IP) + printf(" --log-ip"); + if (loginfo->bitmask & EBT_LOG_ARP) + printf(" --log-arp"); + if (loginfo->bitmask & EBT_LOG_IP6) + printf(" --log-ip6"); + printf(" "); +} + +static struct xtables_target brlog_target = { + .name = "log", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_log_info)), + .userspacesize = XT_ALIGN(sizeof(struct ebt_log_info)), + .init = brlog_init, + .help = brlog_help, + .parse = brlog_parse, + .final_check = brlog_final_check, + .print = brlog_print, + .extra_opts = brlog_opts, +}; + +void _init(void) +{ + xtables_register_target(&brlog_target); +} diff --git a/extensions/libebt_mark.c b/extensions/libebt_mark.c new file mode 100644 index 00000000..587b4a63 --- /dev/null +++ b/extensions/libebt_mark.c @@ -0,0 +1,191 @@ +/* ebt_mark + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * July, 2002, September 2006 + * + * Adapted by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> + * to use libxtables for ebtables-compat in 2015. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <getopt.h> +#include <xtables.h> +#include <linux/netfilter_bridge/ebt_mark_t.h> +#include "iptables/nft.h" +#include "iptables/nft-bridge.h" + +static int mark_supplied; + +#define MARK_TARGET '1' +#define MARK_SETMARK '2' +#define MARK_ORMARK '3' +#define MARK_ANDMARK '4' +#define MARK_XORMARK '5' +static struct option brmark_opts[] = { + { .name = "mark-target",.has_arg = true, .val = MARK_TARGET }, + /* an oldtime messup, we should have always used the scheme + * <extension-name>-<option> */ + { .name = "set-mark", .has_arg = true, .val = MARK_SETMARK }, + { .name = "mark-set", .has_arg = true, .val = MARK_SETMARK }, + { .name = "mark-or", .has_arg = true, .val = MARK_ORMARK }, + { .name = "mark-and", .has_arg = true, .val = MARK_ANDMARK }, + { .name = "mark-xor", .has_arg = true, .val = MARK_XORMARK }, + XT_GETOPT_TABLEEND, +}; + +static void brmark_print_help(void) +{ + printf( + "mark target options:\n" + " --mark-set value : Set nfmark value\n" + " --mark-or value : Or nfmark with value (nfmark |= value)\n" + " --mark-and value : And nfmark with value (nfmark &= value)\n" + " --mark-xor value : Xor nfmark with value (nfmark ^= value)\n" + " --mark-target target : ACCEPT, DROP, RETURN or CONTINUE\n"); +} + +static void brmark_init(struct xt_entry_target *target) +{ + struct ebt_mark_t_info *info = (struct ebt_mark_t_info *)target->data; + + info->target = EBT_ACCEPT; + info->mark = 0; + mark_supplied = 0; +} + +#define OPT_MARK_TARGET 0x01 +#define OPT_MARK_SETMARK 0x02 +#define OPT_MARK_ORMARK 0x04 +#define OPT_MARK_ANDMARK 0x08 +#define OPT_MARK_XORMARK 0x10 + +static int +brmark_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct ebt_mark_t_info *info = (struct ebt_mark_t_info *) + (*target)->data; + char *end; + uint32_t mask; + + switch (c) { + case MARK_TARGET: + { unsigned int tmp; + EBT_CHECK_OPTION(flags, OPT_MARK_TARGET); + if (ebt_fill_target(optarg, &tmp)) + xtables_error(PARAMETER_PROBLEM, + "Illegal --mark-target target"); + /* the 4 lsb are left to designate the target */ + info->target = (info->target & ~EBT_VERDICT_BITS) | + (tmp & EBT_VERDICT_BITS); + } + return 1; + case MARK_SETMARK: + EBT_CHECK_OPTION(flags, OPT_MARK_SETMARK); + mask = (OPT_MARK_ORMARK|OPT_MARK_ANDMARK|OPT_MARK_XORMARK); + if (*flags & mask) + xtables_error(PARAMETER_PROBLEM, + "--mark-set cannot be used together with" + " specific --mark option"); + info->target = (info->target & EBT_VERDICT_BITS) | + MARK_SET_VALUE; + break; + case MARK_ORMARK: + EBT_CHECK_OPTION(flags, OPT_MARK_ORMARK); + mask = (OPT_MARK_SETMARK|OPT_MARK_ANDMARK|OPT_MARK_XORMARK); + if (*flags & mask) + xtables_error(PARAMETER_PROBLEM, + "--mark-or cannot be used together with" + " specific --mark option"); + info->target = (info->target & EBT_VERDICT_BITS) | + MARK_OR_VALUE; + break; + case MARK_ANDMARK: + EBT_CHECK_OPTION(flags, OPT_MARK_ANDMARK); + mask = (OPT_MARK_SETMARK|OPT_MARK_ORMARK|OPT_MARK_XORMARK); + if (*flags & mask) + xtables_error(PARAMETER_PROBLEM, + "--mark-and cannot be used together with" + " specific --mark option"); + info->target = (info->target & EBT_VERDICT_BITS) | + MARK_AND_VALUE; + break; + case MARK_XORMARK: + EBT_CHECK_OPTION(flags, OPT_MARK_XORMARK); + mask = (OPT_MARK_SETMARK|OPT_MARK_ANDMARK|OPT_MARK_ORMARK); + if (*flags & mask) + xtables_error(PARAMETER_PROBLEM, + "--mark-xor cannot be used together with" + " specific --mark option"); + info->target = (info->target & EBT_VERDICT_BITS) | + MARK_XOR_VALUE; + break; + default: + return 0; + } + /* mutual code */ + info->mark = strtoul(optarg, &end, 0); + if (*end != '\0' || end == optarg) + xtables_error(PARAMETER_PROBLEM, "Bad MARK value '%s'", + optarg); + + mark_supplied = 1; + return 1; +} + +static void brmark_print(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + struct ebt_mark_t_info *info = (struct ebt_mark_t_info *)target->data; + int tmp; + + tmp = info->target & ~EBT_VERDICT_BITS; + if (tmp == MARK_SET_VALUE) + printf("--mark-set"); + else if (tmp == MARK_OR_VALUE) + printf("--mark-or"); + else if (tmp == MARK_XOR_VALUE) + printf("--mark-xor"); + else if (tmp == MARK_AND_VALUE) + printf("--mark-and"); + else + xtables_error(PARAMETER_PROBLEM, "Unknown mark action"); + + printf(" 0x%lx", info->mark); + tmp = info->target | ~EBT_VERDICT_BITS; + printf(" --mark-target %s", ebt_target_name(tmp)); +} + +static void brmark_final_check(unsigned int flags) +{ + if (mark_supplied == 0) + xtables_error(PARAMETER_PROBLEM, "No mark value supplied"); + + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "You must specify some option"); +} + +static struct xtables_target brmark_target = { + .name = "mark", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_mark_t_info)), + .userspacesize = XT_ALIGN(sizeof(struct ebt_mark_t_info)), + .help = brmark_print_help, + .init = brmark_init, + .parse = brmark_parse, + .final_check = brmark_final_check, + .print = brmark_print, + .extra_opts = brmark_opts, +}; + +void _init(void) +{ + xtables_register_target(&brmark_target); +} diff --git a/extensions/libebt_mark_m.c b/extensions/libebt_mark_m.c new file mode 100644 index 00000000..ef9eb6a6 --- /dev/null +++ b/extensions/libebt_mark_m.c @@ -0,0 +1,118 @@ +/* ebt_mark_m + * + * Authors: + * Bart De Schuymer <bdschuym@pandora.be> + * + * July, 2002 + * + * Adapted by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> + * to use libxtables for ebtables-compat in 2015. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <getopt.h> +#include <xtables.h> +#include <linux/netfilter_bridge/ebt_mark_m.h> + +#define MARK '1' + +static struct option brmark_m_opts[] = { + { .name = "mark", .has_arg = true, .val = MARK }, + XT_GETOPT_TABLEEND, +}; + +static void brmark_m_print_help(void) +{ + printf( +"mark option:\n" +"--mark [!] [value][/mask]: Match nfmask value (see man page)\n"); +} + +static void brmark_m_init(struct xt_entry_match *match) +{ + struct ebt_mark_m_info *info = (struct ebt_mark_m_info *)match->data; + + info->mark = 0; + info->mask = 0; + info->invert = 0; + info->bitmask = 0; +} + +#define OPT_MARK 0x01 +static int +brmark_m_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct ebt_mark_m_info *info = (struct ebt_mark_m_info *) + (*match)->data; + char *end; + + switch (c) { + case MARK: + if (invert) + info->invert = 1; + info->mark = strtoul(optarg, &end, 0); + info->bitmask = EBT_MARK_AND; + if (*end == '/') { + if (end == optarg) + info->bitmask = EBT_MARK_OR; + info->mask = strtoul(end+1, &end, 0); + } else { + info->mask = 0xffffffff; + } + if (*end != '\0' || end == optarg) + xtables_error(PARAMETER_PROBLEM, "Bad mark value '%s'", + optarg); + break; + default: + return 0; + } + + *flags |= info->bitmask; + return 1; +} + +static void brmark_m_final_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "You must specify proper arguments"); +} + +static void brmark_m_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + struct ebt_mark_m_info *info = (struct ebt_mark_m_info *)match->data; + + printf("--mark "); + if (info->invert) + printf("! "); + if (info->bitmask == EBT_MARK_OR) + printf("/0x%lx ", info->mask); + else if (info->mask != 0xffffffff) + printf("0x%lx/0x%lx ", info->mark, info->mask); + else + printf("0x%lx ", info->mark); +} + +static struct xtables_match brmark_m_match = { + .name = "mark_m", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_mark_m_info)), + .userspacesize = XT_ALIGN(sizeof(struct ebt_mark_m_info)), + .init = brmark_m_init, + .help = brmark_m_print_help, + .parse = brmark_m_parse, + .final_check = brmark_m_final_check, + .print = brmark_m_print, + .extra_opts = brmark_m_opts, +}; + +void _init(void) +{ + xtables_register_match(&brmark_m_match); +} |