Diffstat (limited to 'extensions')
-rw-r--r--extensions/libip6t_HL.c6
-rw-r--r--extensions/libip6t_LOG.c10
-rw-r--r--extensions/libipt_LOG.c10
-rw-r--r--extensions/libxt_NFLOG.man2
-rw-r--r--extensions/libxt_RATEEST.c109
-rw-r--r--extensions/libxt_hashlimit.c57
-rw-r--r--extensions/libxt_rateest.c12
-rw-r--r--extensions/libxt_state.c2
8 files changed, 99 insertions, 109 deletions
diff --git a/extensions/libip6t_HL.c b/extensions/libip6t_HL.c
index 254b1914..52ca5d3e 100644
--- a/extensions/libip6t_HL.c
+++ b/extensions/libip6t_HL.c
@@ -20,12 +20,12 @@ enum {
#define s struct ip6t_HL_info
static const struct xt_option_entry HL_opts[] = {
- {.name = "ttl-set", .type = XTTYPE_UINT8, .id = O_HL_SET,
+ {.name = "hl-set", .type = XTTYPE_UINT8, .id = O_HL_SET,
.excl = F_ANY, .flags = XTOPT_PUT, XTOPT_POINTER(s, hop_limit)},
- {.name = "ttl-dec", .type = XTTYPE_UINT8, .id = O_HL_DEC,
+ {.name = "hl-dec", .type = XTTYPE_UINT8, .id = O_HL_DEC,
.excl = F_ANY, .flags = XTOPT_PUT, XTOPT_POINTER(s, hop_limit),
.min = 1},
- {.name = "ttl-inc", .type = XTTYPE_UINT8, .id = O_HL_INC,
+ {.name = "hl-inc", .type = XTTYPE_UINT8, .id = O_HL_INC,
.excl = F_ANY, .flags = XTOPT_PUT, XTOPT_POINTER(s, hop_limit),
.min = 1},
XTOPT_TABLEEND,
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index a419ec91..2b1ae289 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -87,19 +87,19 @@ static void LOG_parse(struct xt_option_call *cb)
"Newlines not allowed in --log-prefix");
break;
case O_LOG_TCPSEQ:
- info->logflags = IP6T_LOG_TCPSEQ;
+ info->logflags |= IP6T_LOG_TCPSEQ;
break;
case O_LOG_TCPOPTS:
- info->logflags = IP6T_LOG_TCPOPT;
+ info->logflags |= IP6T_LOG_TCPOPT;
break;
case O_LOG_IPOPTS:
- info->logflags = IP6T_LOG_IPOPT;
+ info->logflags |= IP6T_LOG_IPOPT;
break;
case O_LOG_UID:
- info->logflags = IP6T_LOG_UID;
+ info->logflags |= IP6T_LOG_UID;
break;
case O_LOG_MAC:
- info->logflags = IP6T_LOG_MACDECODE;
+ info->logflags |= IP6T_LOG_MACDECODE;
break;
}
}
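Review bot: The switch now accumulates bits with `|=`, which is only correct if `info->logflags` is zero when parsing starts; that holds if the target data is zero-filled and LOG's init (outside this hunk) does not pre-set any bit, but nothing in the function records that dependency. A comment above the first flag case would pin it: `/* flag options accumulate into logflags; relies on zero-filled target data */`. The previous `=` meant only the last of several --log-* flags survived, which is the bug fixed here; a regression test combining two flags (e.g. --log-tcp-options --log-ip-options) and checking the saved rule would keep it fixed. LOG_parse begins before this hunk.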
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index b270bcf6..77f16d19 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -87,19 +87,19 @@ static void LOG_parse(struct xt_option_call *cb)
"Newlines not allowed in --log-prefix");
break;
case O_LOG_TCPSEQ:
- info->logflags = IPT_LOG_TCPSEQ;
+ info->logflags |= IPT_LOG_TCPSEQ;
break;
case O_LOG_TCPOPTS:
- info->logflags = IPT_LOG_TCPOPT;
+ info->logflags |= IPT_LOG_TCPOPT;
break;
case O_LOG_IPOPTS:
- info->logflags = IPT_LOG_IPOPT;
+ info->logflags |= IPT_LOG_IPOPT;
break;
case O_LOG_UID:
- info->logflags = IPT_LOG_UID;
+ info->logflags |= IPT_LOG_UID;
break;
case O_LOG_MAC:
- info->logflags = IPT_LOG_MACDECODE;
+ info->logflags |= IPT_LOG_MACDECODE;
break;
}
}
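Review bot: This LOG_parse is the same code as the IPv6 one in libip6t_LOG.c with IPT_ substituted for IP6T_, and the flag-overwrite bug had to be fixed twice for exactly that reason. Since the two extensions use differently named kernel constants and cannot trivially share a body, at least cross-reference them so the next fix lands in both: `/* Keep in sync with LOG_parse in libip6t_LOG.c */` at the top of the switch. LOG_parse begins before this hunk.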
diff --git a/extensions/libxt_NFLOG.man b/extensions/libxt_NFLOG.man
index 66f0b973..1b6dbf16 100644
--- a/extensions/libxt_NFLOG.man
+++ b/extensions/libxt_NFLOG.man
@@ -9,7 +9,7 @@ may subscribe to the group to receive the packets. Like LOG, this is a
non-terminating target, i.e. rule traversal continues at the next rule.
.TP
\fB\-\-nflog\-group\fP \fInlgroup\fP
-The netlink group (1 \- 2^32\-1) to which packets are (only applicable for
+The netlink group (0 - 2^16\-1) to which packets are (only applicable for
nfnetlink_log). The default value is 0.
.TP
\fB\-\-nflog\-prefix\fP \fIprefix\fP
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index 6369e9e4..acdefb90 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -1,19 +1,16 @@
-#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
-#include <stddef.h>
-#include <getopt.h>
#include <math.h>
#include <xtables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_RATEEST.h>
-/* hack to pass raw values to final_check */
-static struct xt_rateest_target_info *RATEEST_info;
-static unsigned int interval;
-static unsigned int ewma_log;
+struct rateest_tg_udata {
+ unsigned int interval;
+ unsigned int ewma_log;
+};
static void
RATEEST_help(void)
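Review bot: The hunk drops `#include <stddef.h>` while the same patch changes `.userspacesize` to `offsetof(struct xt_rateest_target_info, est)`, and offsetof is defined by <stddef.h>; the file then compiles only if xtables.h or another header pulls it in transitively. Keep that include (only <getopt.h> is clearly made dead by the move to x6 options), and check whether `bool` is still used anywhere before dropping <stdbool.h>. The new struct also deserves a comment, since its fields are raw values in a unit the reader cannot see from here: `/* Per-rule parse state: raw --rateest-interval / --rateest-ewmalog values as returned by RATEEST_get_time, quantized into info->interval / info->ewma_log in RATEEST_final_check. */`.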
@@ -25,18 +22,23 @@ RATEEST_help(void)
" --rateest-ewmalog value Rate measurement averaging time constant\n");
}
-enum RATEEST_options {
- RATEEST_OPT_NAME,
- RATEEST_OPT_INTERVAL,
- RATEEST_OPT_EWMALOG,
+enum {
+ O_NAME = 0,
+ O_INTERVAL,
+ O_EWMALOG,
};
-static const struct option RATEEST_opts[] = {
- {.name = "rateest-name", .has_arg = true, .val = RATEEST_OPT_NAME},
- {.name = "rateest-interval", .has_arg = true, .val = RATEEST_OPT_INTERVAL},
- {.name = "rateest-ewmalog", .has_arg = true, .val = RATEEST_OPT_EWMALOG},
- XT_GETOPT_TABLEEND,
+#define s struct xt_rateest_target_info
+static const struct xt_option_entry RATEEST_opts[] = {
+ {.name = "rateest-name", .id = O_NAME, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name)},
+ {.name = "rateest-interval", .id = O_INTERVAL, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND},
+ {.name = "rateest-ewmalog", .id = O_EWMALOG, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND},
+ XTOPT_TABLEEND,
};
+#undef s
/* Copied from iproute */
#define TIME_UNITS_PER_SEC 1000000
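Review bot: `--rateest-name` now goes through XTOPT_PUT into `name`, which changes behaviour for over-long names: the removed code did `strncpy(info->name, optarg, sizeof(info->name) - 1)` and silently truncated, whereas libxtables' XTTYPE_STRING put, as far as I know, rejects an argument longer than the `.size` that XTOPT_POINTER records. Rejecting is the safer behaviour (a truncated estimator name would silently bind the rule to a different estimator), but it should be confirmed against xtables_option_parse and mentioned in the commit message. A one-line comment on the entry would document the contract: `/* bounded by XTOPT_POINTER's size: too-long names are rejected, not truncated */`.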
@@ -82,66 +84,34 @@ RATEEST_print_time(unsigned int time)
printf(" %uus", time);
}
-static int
-RATEEST_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_target **target)
+static void RATEEST_parse(struct xt_option_call *cb)
{
- struct xt_rateest_target_info *info = (void *)(*target)->data;
-
- RATEEST_info = info;
+ struct rateest_tg_udata *udata = cb->udata;
- switch (c) {
- case RATEEST_OPT_NAME:
- if (*flags & (1 << c))
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_INTERVAL:
+ if (RATEEST_get_time(&udata->interval, cb->arg) < 0)
xtables_error(PARAMETER_PROBLEM,
- "RATEEST: can't specify --rateest-name twice");
- *flags |= 1 << c;
-
- strncpy(info->name, optarg, sizeof(info->name) - 1);
+ "RATEEST: bad interval value \"%s\"",
+ cb->arg);
break;
-
- case RATEEST_OPT_INTERVAL:
- if (*flags & (1 << c))
+ case O_EWMALOG:
+ if (RATEEST_get_time(&udata->ewma_log, cb->arg) < 0)
xtables_error(PARAMETER_PROBLEM,
- "RATEEST: can't specify --rateest-interval twice");
- *flags |= 1 << c;
-
- if (RATEEST_get_time(&interval, optarg) < 0)
- xtables_error(PARAMETER_PROBLEM,
- "RATEEST: bad interval value `%s'", optarg);
-
- break;
-
- case RATEEST_OPT_EWMALOG:
- if (*flags & (1 << c))
- xtables_error(PARAMETER_PROBLEM,
- "RATEEST: can't specify --rateest-ewmalog twice");
- *flags |= 1 << c;
-
- if (RATEEST_get_time(&ewma_log, optarg) < 0)
- xtables_error(PARAMETER_PROBLEM,
- "RATEEST: bad ewmalog value `%s'", optarg);
-
+ "RATEEST: bad ewmalog value \"%s\"",
+ cb->arg);
break;
}
-
- return 1;
}
-static void
-RATEEST_final_check(unsigned int flags)
+static void RATEEST_final_check(struct xt_fcheck_call *cb)
{
- struct xt_rateest_target_info *info = RATEEST_info;
-
- if (!(flags & (1 << RATEEST_OPT_NAME)))
- xtables_error(PARAMETER_PROBLEM, "RATEEST: no name specified");
- if (!(flags & (1 << RATEEST_OPT_INTERVAL)))
- xtables_error(PARAMETER_PROBLEM, "RATEEST: no interval specified");
- if (!(flags & (1 << RATEEST_OPT_EWMALOG)))
- xtables_error(PARAMETER_PROBLEM, "RATEEST: no ewmalog specified");
+ struct xt_rateest_target_info *info = cb->data;
+ struct rateest_tg_udata *udata = cb->udata;
for (info->interval = 0; info->interval <= 5; info->interval++) {
- if (interval <= (1 << info->interval) * (TIME_UNITS_PER_SEC / 4))
+ if (udata->interval <= (1 << info->interval) * (TIME_UNITS_PER_SEC / 4))
break;
}
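Review bot: RATEEST_parse calls `xtables_option_parse(cb)` before its switch without saying why, and RATEEST_final_check no longer checks for missing options at all; both depend on the option table (XTOPT_PUT stores --rateest-name, XTOPT_MAND rejects a missing interval/ewmalog before fcheck runs), which a reader of these two functions cannot see. Suggest `/* XTOPT_PUT already stored --rateest-name; XTOPT_MAND guarantees interval and ewmalog are set before final_check */` above the switch, and a comment on the loop in final_check that it maps the raw interval onto the index 0..5 stored in info->interval. RATEEST_final_check continues past the end of this hunk.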
@@ -152,7 +122,7 @@ RATEEST_final_check(unsigned int flags)
for (info->ewma_log = 1; info->ewma_log < 32; info->ewma_log++) {
double w = 1.0 - 1.0 / (1 << info->ewma_log);
- if (interval / (-log(w)) > ewma_log)
+ if (udata->interval / (-log(w)) > udata->ewma_log)
break;
}
info->ewma_log--;
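Review bot: `double w = 1.0 - 1.0 / (1 << info->ewma_log);` shifts a signed int by up to 31 (the loop runs while info->ewma_log < 32), and `1 << 31` is undefined behaviour for a 32-bit int; on implementations that wrap it yields w > 1 and a negative -log(w), so the comparison this hunk rewrites is evaluated on a nonsensical w in the last iteration. Use an unsigned or floating computation: `double w = 1.0 - 1.0 / (1u << info->ewma_log);` or `double w = 1.0 - ldexp(1.0, -(int)info->ewma_log);` (math.h is already included). RATEEST_final_check starts and ends outside this hunk.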
@@ -197,13 +167,14 @@ static struct xtables_target rateest_tg_reg = {
.name = "RATEEST",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
+ .userspacesize = offsetof(struct xt_rateest_target_info, est),
.help = RATEEST_help,
- .parse = RATEEST_parse,
- .final_check = RATEEST_final_check,
+ .x6_parse = RATEEST_parse,
+ .x6_fcheck = RATEEST_final_check,
.print = RATEEST_print,
.save = RATEEST_save,
- .extra_opts = RATEEST_opts,
+ .x6_options = RATEEST_opts,
+ .udata_size = sizeof(struct rateest_tg_udata),
};
void _init(void)
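Review bot: `.userspacesize = offsetof(struct xt_rateest_target_info, est)` is written without XT_ALIGN, whereas the rateest match in this same series uses `XT_ALIGN(offsetof(struct xt_rateest_match_info, est1))`; userspacesize is the prefix of the target data that is compared between rules, so the two registrations should agree in form: `.userspacesize = XT_ALIGN(offsetof(struct xt_rateest_target_info, est)),`. In practice the pointer field is presumably already aligned, so this is consistency rather than a bug. The change itself looks right: excluding the kernel-private `est` field from the compared region is what lets a rule be found again by content.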
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index e683f9ad..a838680c 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -25,6 +25,10 @@
#define XT_HASHLIMIT_GCINTERVAL 1000
#define XT_HASHLIMIT_EXPIRE 10000
+struct hashlimit_mt_udata {
+ uint32_t mult;
+};
+
static void hashlimit_help(void)
{
printf(
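Review bot: `struct hashlimit_mt_udata` has no comment, and its single field carries a unit that matters: `mult` is the number of seconds in the rate's time unit (1, 60, 3600 or 86400 as parse_rate sets it) and is later used to derive the default cfg.expire. Suggest `/* Per-rule parse state: seconds per unit of the --hashlimit-upto/above rate (1, 60, 60*60 or 24*60*60); used for the default htable-expire in the fcheck. */` above the struct.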
@@ -56,8 +60,9 @@ enum {
O_HTABLE_MAX,
O_HTABLE_GCINT,
O_HTABLE_EXPIRE,
- F_UPTO = 1 << O_UPTO,
- F_ABOVE = 1 << O_ABOVE,
+ F_UPTO = 1 << O_UPTO,
+ F_ABOVE = 1 << O_ABOVE,
+ F_HTABLE_EXPIRE = 1 << O_HTABLE_EXPIRE,
};
static void hashlimit_mt_help(void)
@@ -141,25 +146,25 @@ static const struct xt_option_entry hashlimit_mt_opts[] = {
#undef s
static
-int parse_rate(const char *rate, uint32_t *val)
+int parse_rate(const char *rate, uint32_t *val, struct hashlimit_mt_udata *ud)
{
const char *delim;
uint32_t r;
- uint32_t mult = 1; /* Seconds by default. */
+ ud->mult = 1; /* Seconds by default. */
delim = strchr(rate, '/');
if (delim) {
if (strlen(delim+1) == 0)
return 0;
if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
- mult = 1;
+ ud->mult = 1;
else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
- mult = 60;
+ ud->mult = 60;
else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
- mult = 60*60;
+ ud->mult = 60*60;
else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
- mult = 24*60*60;
+ ud->mult = 24*60*60;
else
return 0;
}
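Review bot: parse_rate gained a third out-parameter `ud` without any documentation: a caller cannot tell that `ud->mult` is written unconditionally at the top (so it is reset to 1 even on the `return 0` error paths) and is left holding the unit multiplier on success. Suggest a header comment: `/* Parse "<n>[/second|/minute|/hour|/day]" into *val; ud->mult receives the seconds per time unit. Returns 0 on bad syntax. */`. parse_rate's body continues into the next hunk.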
@@ -169,10 +174,10 @@ int parse_rate(const char *rate, uint32_t *val)
/* This would get mapped to infinite (1/day is minimum they
can specify, so we're ok at that end). */
- if (r / mult > XT_HASHLIMIT_SCALE)
+ if (r / ud->mult > XT_HASHLIMIT_SCALE)
xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
- *val = XT_HASHLIMIT_SCALE * mult / r;
+ *val = XT_HASHLIMIT_SCALE * ud->mult / r;
return 1;
}
@@ -248,14 +253,14 @@ static void hashlimit_parse(struct xt_option_call *cb)
case O_UPTO:
if (cb->invert)
info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg))
+ if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-upto", cb->arg);
break;
case O_ABOVE:
if (!cb->invert)
info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg))
+ if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-above", cb->arg);
break;
@@ -276,14 +281,14 @@ static void hashlimit_mt_parse(struct xt_option_call *cb)
case O_UPTO:
if (cb->invert)
info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg))
+ if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-upto", cb->arg);
break;
case O_ABOVE:
if (!cb->invert)
info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg))
+ if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-above", cb->arg);
break;
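Review bot: The O_UPTO/O_ABOVE bodies in hashlimit_mt_parse are now textually identical to those in hashlimit_parse, down to the invert handling and the xtables_param_act error texts, and this patch had to touch both in lockstep. A small static helper taking the option call, a pointer to cfg.avg, a pointer to cfg.mode and the option name string would remove the duplication and make the next change to rate parsing a one-place edit. hashlimit_mt_parse starts and ends outside this hunk.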
@@ -303,9 +308,26 @@ static void hashlimit_mt_parse(struct xt_option_call *cb)
static void hashlimit_check(struct xt_fcheck_call *cb)
{
+ const struct hashlimit_mt_udata *udata = cb->udata;
+ struct xt_hashlimit_info *info = cb->data;
+
if (!(cb->xflags & (F_UPTO | F_ABOVE)))
xtables_error(PARAMETER_PROBLEM,
"You have to specify --hashlimit");
+ if (!(cb->xflags & F_HTABLE_EXPIRE))
+ info->cfg.expire = udata->mult;
+}
+
+static void hashlimit_mt_check(struct xt_fcheck_call *cb)
+{
+ const struct hashlimit_mt_udata *udata = cb->udata;
+ struct xt_hashlimit_mtinfo1 *info = cb->data;
+
+ if (!(cb->xflags & (F_UPTO | F_ABOVE)))
+ xtables_error(PARAMETER_PROBLEM,
+ "You have to specify --hashlimit");
+ if (!(cb->xflags & F_HTABLE_EXPIRE))
+ info->cfg.expire = udata->mult;
}
static const struct rates
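Review bot: `info->cfg.expire = udata->mult;` in both hashlimit_check and hashlimit_mt_check mixes units: `mult` is seconds per rate unit (1, 60, 3600, 86400 as parse_rate sets it), while cfg.expire appears to be in milliseconds — this file's XT_HASHLIMIT_EXPIRE default is 10000, i.e. 10 s — so a `/second` rate without --hashlimit-htable-expire gets a 1 ms bucket expiry and `/day` gets 86 ms, far shorter than the default it replaces. The derived default should be scaled, in both functions: `info->cfg.expire = udata->mult * 1000; /* seconds -> msec */`. If cfg.expire is not milliseconds the kernel header decides, but the 10000 default is hard to read any other way.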
@@ -508,6 +530,7 @@ static struct xtables_match hashlimit_mt_reg[] = {
.print = hashlimit_print,
.save = hashlimit_save,
.x6_options = hashlimit_mt_opts,
+ .udata_size = sizeof(struct hashlimit_mt_udata),
},
{
.version = XTABLES_VERSION,
@@ -519,10 +542,11 @@ static struct xtables_match hashlimit_mt_reg[] = {
.help = hashlimit_mt_help,
.init = hashlimit_mt4_init,
.x6_parse = hashlimit_mt_parse,
- .x6_fcheck = hashlimit_check,
+ .x6_fcheck = hashlimit_mt_check,
.print = hashlimit_mt4_print,
.save = hashlimit_mt4_save,
.x6_options = hashlimit_mt_opts,
+ .udata_size = sizeof(struct hashlimit_mt_udata),
},
{
.version = XTABLES_VERSION,
@@ -534,10 +558,11 @@ static struct xtables_match hashlimit_mt_reg[] = {
.help = hashlimit_mt_help,
.init = hashlimit_mt6_init,
.x6_parse = hashlimit_mt_parse,
- .x6_fcheck = hashlimit_check,
+ .x6_fcheck = hashlimit_mt_check,
.print = hashlimit_mt6_print,
.save = hashlimit_mt6_save,
.x6_options = hashlimit_mt_opts,
+ .udata_size = sizeof(struct hashlimit_mt_udata),
},
};
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 509b3e31..5f42a137 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -8,9 +8,6 @@
#include <xtables.h>
#include <linux/netfilter/xt_rateest.h>
-/* Ugly hack to pass info to final_check function. We should fix the API */
-static struct xt_rateest_match_info *rateest_info;
-
static void rateest_help(void)
{
printf(
@@ -115,8 +112,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
struct xt_rateest_match_info *info = (void *)(*match)->data;
unsigned int val;
- rateest_info = info;
-
switch (c) {
case OPT_RATEEST1:
xtables_check_inverse(optarg, &invert, &optind, 0, argv);
@@ -302,10 +297,9 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
return 1;
}
-static void
-rateest_final_check(unsigned int flags)
+static void rateest_final_check(struct xt_fcheck_call *cb)
{
- struct xt_rateest_match_info *info = rateest_info;
+ struct xt_rateest_match_info *info = cb->data;
if (info == NULL)
xtables_error(PARAMETER_PROBLEM, "rateest match: "
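Review bot: `if (info == NULL)` no longer detects anything: it used to test the `rateest_info` global, which stayed NULL when rateest_parse never ran, but `cb->data` is the match's data buffer and is always set, so the error this message introduces (its text continues beyond the hunk) can no longer fire. If libxtables copies the legacy parse flags into the fcheck call — this match still uses `.parse`/`.extra_opts` alongside `.x6_fcheck` — the check should become `if (cb->xflags == 0)`; otherwise the missing-options detection has to move into rateest_parse. rateest_final_check continues past this hunk.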
@@ -439,7 +433,7 @@ static struct xtables_match rateest_mt_reg = {
.userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
.help = rateest_help,
.parse = rateest_parse,
- .final_check = rateest_final_check,
+ .x6_fcheck = rateest_final_check,
.print = rateest_print,
.save = rateest_save,
.extra_opts = rateest_opts,
diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c
index 3fc747d8..eff444c8 100644
--- a/extensions/libxt_state.c
+++ b/extensions/libxt_state.c
@@ -23,7 +23,7 @@ state_help(void)
static const struct xt_option_entry state_opts[] = {
{.name = "state", .id = O_STATE, .type = XTTYPE_STRING,
- .flags = XTOPT_MAND},
+ .flags = XTOPT_MAND | XTOPT_INVERT},
XTOPT_TABLEEND,
};