From 8d89535b38e719f644d858e83f73bee9adf5b1a0 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Fri, 29 Oct 2010 16:37:22 +0200 Subject: Bump version to 1.4.10 Signed-off-by: Patrick McHardy
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 6010afd6..eb447e09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
-AC_INIT([iptables], [1.4.9])
+AC_INIT([iptables], [1.4.10])
 # See libtool.info "Libtool's versioning system"
 libxtables_vcurrent=5
-- cgit v1.2.3
From d3b2e391e3b944581e20e216af76339cc87d0590 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 28 Nov 2010 15:35:06 +0100 Subject: iptables: reset options at the start of each command For each new command, iptables is supposed to start afresh with a blank option set (opts) that only contains the program-specific options (orig_opts), without any extension options. We failed to restore this pointer (in function do_command) after the previous free call in xtables_free_opts. Reported-by: Florian Westphal Signed-off-by: Jan Engelhardt
---
 ip6tables.c | 2 +-
 iptables.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ip6tables.c b/ip6tables.c
index 8318f910..9b1629ee 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -147,7 +147,6 @@ void ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...) __
 struct xtables_globals ip6tables_globals = {
 .option_offset = 0,
 .program_version = IPTABLES_VERSION,
- .opts = original_opts,
 .orig_opts = original_opts,
 .exit_err = ip6tables_exit_error,
 };
@@ -1335,6 +1334,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 demand-load a protocol. */
 opterr = 0;
+ opts = xt_params->orig_opts;
 while ((c = getopt_long(argc, argv, "-A:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:", opts, NULL)) != -1) {
diff --git a/iptables.c b/iptables.c
index c800fffd..1127bddc 100644
--- a/iptables.c
+++ b/iptables.c
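Review bot: The new `opts = xt_params->orig_opts;` before the getopt_long loop in do_command6 needs a why-comment, because its correctness rests on xtables_free_opts having released the merged table of the previous command (per the commit message) rather than on anything visible at this line; suggested: `/* start each command from the program's own options; the previous merged table was freed by xtables_free_opts() */`. Dropping `.opts = original_opts` from ip6tables_globals in the first hunk also means xt_params->opts is NULL until this assignment runs, so anything that dereferences it earlier (not visible here) would now crash, which is worth confirming. The iptables.c hunks on the next line make the same change to do_command and iptables_globals. do_command6's body continues outside the hunk.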
@@ -147,7 +147,6 @@ void iptables_exit_error(enum xtables_exittype status, const char *msg, ...) __a
 struct xtables_globals iptables_globals = {
 .option_offset = 0,
 .program_version = IPTABLES_VERSION,
- .opts = original_opts,
 .orig_opts = original_opts,
 .exit_err = iptables_exit_error,
 };
@@ -1358,6 +1357,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 demand-load a protocol. */
 opterr = 0;
+ opts = xt_params->orig_opts;
 while ((c = getopt_long(argc, argv, "-A:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:", opts, NULL)) != -1) {
-- cgit v1.2.3
From 2d68ae7ce6e40e3977ee11a57296cf76801ae320 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 28 Nov 2010 15:42:00 +0100 Subject: iptables: do not emit orig_opts twice This just happened to cross my eye; there was no error, but fixing this up saves a pitfall, and some memory. Signed-off-by: Jan Engelhardt
---
 xtables.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/xtables.c b/xtables.c
index d0aa8688..2137c98b 100644
--- a/xtables.c
+++ b/xtables.c
@@ -103,6 +103,10 @@ struct option *xtables_merge_options(struct option *orig_opts,
 memcpy(merge, orig_opts, sizeof(*mp) * num_oold);
 mp = merge + num_oold;
+ /* Since @opts also has @orig_opts already, skip the entries */
+ oldopts += num_oold;
+ num_old -= num_oold;
+
 /* Second, the new options */
 xt_params->option_offset += 256;
 *option_offset = xt_params->option_offset;
-- cgit v1.2.3
From b4af04be14560b3fcc6cf23200148d408014a2f5 Mon Sep 17 00:00:00 2001
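Review bot: `num_old -= num_oold;` relies on @oldopts starting with every @orig_opts entry and on num_old >= num_oold, which nothing checks; if num_old is unsigned (its declaration is outside the hunk) a shorter table wraps the count and the copy that follows reads past the end of oldopts. An explicit guard states the precondition: `if (num_old < num_oold) xtables_error(OTHER_PROBLEM, "xtables_merge_options: oldopts shorter than orig_opts");`. The new comment also names `@opts` where the parameter is `@oldopts`; `/* @oldopts starts with the @orig_opts entries already copied above, so skip them */` reads more accurately. If the allocation size above the hunk still counts num_old in full, the merged table remains over-allocated by num_oold entries, so the memory saving mentioned in the commit message would need that size adjusted too; the function continues on both sides of the hunk.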
From: Jan Engelhardt Date: Fri, 3 Dec 2010 20:15:35 +0100 Subject: include: update files with headers from Linux 2.6.37-rc1 Also includes the type change to __u{8,16,32} kernel types already. --- extensions/libxt_SECMARK.c | 8 ++++---- extensions/libxt_time.c | 1 + include/linux/netfilter/xt_CHECKSUM.h | 8 +++++--- include/linux/netfilter/xt_CT.h | 10 +++++----- include/linux/netfilter/xt_IDLETIMER.h | 2 +- include/linux/netfilter/xt_SECMARK.h | 12 +++--------- include/linux/netfilter/xt_TCPOPTSTRIP.h | 2 +- include/linux/netfilter/xt_TPROXY.h | 17 ++++++++++++----- include/linux/netfilter/xt_cluster.h | 8 ++++---- include/linux/netfilter/xt_connlimit.h | 2 ++ include/linux/netfilter/xt_ipvs.h | 2 ++ include/linux/netfilter/xt_physdev.h | 3 +++ include/linux/netfilter/xt_policy.h | 11 +++++++++++ include/linux/netfilter/xt_quota.h | 6 +++--- include/linux/netfilter/xt_sctp.h | 4 ++-- include/linux/netfilter/xt_socket.h | 12 ++++++++++++ include/linux/netfilter/xt_time.h | 14 +++++++------- include/linux/netfilter/xt_u32.h | 16 ++++++++-------- 18 files changed, 86 insertions(+), 52 deletions(-) create mode 100644 include/linux/netfilter/xt_socket.h diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c index 9e231eee..7bf4ff08 100644 --- a/extensions/libxt_SECMARK.c +++ b/extensions/libxt_SECMARK.c @@ -40,13 +40,13 @@ static int SECMARK_parse(int c, char **argv, int invert, unsigned int *flags, "Can't specify --selctx twice"); info->mode = SECMARK_MODE_SEL; - if (strlen(optarg) > SECMARK_SELCTX_MAX-1) + if (strlen(optarg) > SECMARK_SECCTX_MAX-1) xtables_error(PARAMETER_PROBLEM, PFX "Maximum length %u exceeded by --selctx" " parameter (%zu)", - SECMARK_SELCTX_MAX-1, strlen(optarg)); + SECMARK_SECCTX_MAX-1, strlen(optarg)); - strcpy(info->u.sel.selctx, optarg); + strcpy(info->secctx, optarg); *flags |= SECMARK_MODE_SEL; break; default: 
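Review bot: `strcpy(info->secctx, optarg);` is only bounded by the `strlen(optarg) > SECMARK_SECCTX_MAX-1` check several lines above it, so the copy and its guard can drift apart on a later edit; a size-aware copy keeps the bound at the write itself: `snprintf(info->secctx, sizeof(info->secctx), "%s", optarg);`. The check also evaluates strlen(optarg) twice, which a single local would avoid. SECMARK_parse starts and ends outside the hunk.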
@@ -66,7 +66,7 @@ static void print_secmark(const struct xt_secmark_target_info *info) { switch (info->mode) { case SECMARK_MODE_SEL: - printf("selctx %s ", info->u.sel.selctx);\ + printf("selctx %s ", info->secctx); break; default: diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c index 9f12266b..5462d930 100644 --- a/extensions/libxt_time.c +++ b/extensions/libxt_time.c @@ -20,6 +20,7 @@ #include #include +#include #include #include diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/linux/netfilter/xt_CHECKSUM.h index 3b4fb77a..9a2e4661 100644 --- a/include/linux/netfilter/xt_CHECKSUM.h +++ b/include/linux/netfilter/xt_CHECKSUM.h @@ -6,8 +6,10 @@ * * This software is distributed under GNU GPL v2, 1991 */ -#ifndef _IPT_CHECKSUM_TARGET_H -#define _IPT_CHECKSUM_TARGET_H +#ifndef _XT_CHECKSUM_TARGET_H +#define _XT_CHECKSUM_TARGET_H + +#include #define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */ @@ -15,4 +17,4 @@ struct xt_CHECKSUM_info { __u8 operation; /* bitset of operations */ }; -#endif /* _IPT_CHECKSUM_TARGET_H */ +#endif /* _XT_CHECKSUM_TARGET_H */ diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h index 1b564106..fbf4c565 100644 --- a/include/linux/netfilter/xt_CT.h +++ b/include/linux/netfilter/xt_CT.h @@ -4,11 +4,11 @@ #define XT_CT_NOTRACK 0x1 struct xt_ct_target_info { - u_int16_t flags; - u_int16_t zone; - u_int32_t ct_events; - u_int32_t exp_events; - char helper[16]; + __u16 flags; + __u16 zone; + __u32 ct_events; + __u32 exp_events; + char helper[16]; /* Used internally by the kernel */ struct nf_conn *ct __attribute__((aligned(8))); diff --git a/include/linux/netfilter/xt_IDLETIMER.h b/include/linux/netfilter/xt_IDLETIMER.h index 3e1aa1be..208ae938 100644 --- a/include/linux/netfilter/xt_IDLETIMER.h +++ b/include/linux/netfilter/xt_IDLETIMER.h 
@@ -39,7 +39,7 @@ struct idletimer_tg_info { char label[MAX_IDLETIMER_LABEL_SIZE]; /* for kernel module internal use only */ - struct idletimer_tg *timer __attribute((aligned(8))); + struct idletimer_tg *timer __attribute__((aligned(8))); }; #endif diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h index 6fcd3448..989092bd 100644 --- a/include/linux/netfilter/xt_SECMARK.h +++ b/include/linux/netfilter/xt_SECMARK.h @@ -11,18 +11,12 @@ * packets are being marked for. */ #define SECMARK_MODE_SEL 0x01 /* SELinux */ -#define SECMARK_SELCTX_MAX 256 - -struct xt_secmark_target_selinux_info { - __u32 selsid; - char selctx[SECMARK_SELCTX_MAX]; -}; +#define SECMARK_SECCTX_MAX 256 struct xt_secmark_target_info { __u8 mode; - union { - struct xt_secmark_target_selinux_info sel; - } u; + __u32 secid; + char secctx[SECMARK_SECCTX_MAX]; }; #endif /*_XT_SECMARK_H_target */ diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/linux/netfilter/xt_TCPOPTSTRIP.h index 2db54321..342ef14b 100644 --- a/include/linux/netfilter/xt_TCPOPTSTRIP.h +++ b/include/linux/netfilter/xt_TCPOPTSTRIP.h @@ -7,7 +7,7 @@ (((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0) struct xt_tcpoptstrip_target_info { - u_int32_t strip_bmap[8]; + __u32 strip_bmap[8]; }; #endif /* _XT_TCPOPTSTRIP_H */ diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h index 152e8f97..8097e0b4 100644 --- a/include/linux/netfilter/xt_TPROXY.h +++ b/include/linux/netfilter/xt_TPROXY.h 
@@ -1,14 +1,21 @@ -#ifndef _XT_TPROXY_H_target -#define _XT_TPROXY_H_target +#ifndef _XT_TPROXY_H +#define _XT_TPROXY_H /* TPROXY target is capable of marking the packet to perform * redirection. We can get rid of that whenever we get support for * mutliple targets in the same rule. */ struct xt_tproxy_target_info { - u_int32_t mark_mask; - u_int32_t mark_value; + __u32 mark_mask; + __u32 mark_value; __be32 laddr; __be16 lport; }; -#endif /* _XT_TPROXY_H_target */ +struct xt_tproxy_target_info_v1 { + __u32 mark_mask; + __u32 mark_value; + union nf_inet_addr laddr; + __be16 lport; +}; + +#endif /* _XT_TPROXY_H */ diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h index 88668265..66cfa3c7 100644 --- a/include/linux/netfilter/xt_cluster.h +++ b/include/linux/netfilter/xt_cluster.h @@ -6,10 +6,10 @@ enum xt_cluster_flags { }; struct xt_cluster_match_info { - u_int32_t total_nodes; - u_int32_t node_mask; - u_int32_t hash_seed; - u_int32_t flags; + __u32 total_nodes; + __u32 node_mask; + __u32 hash_seed; + __u32 flags; }; #define XT_CLUSTER_NODES_MAX 32 diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h index 9ba54e48..7e3284bc 100644 --- a/include/linux/netfilter/xt_connlimit.h +++ b/include/linux/netfilter/xt_connlimit.h @@ -6,10 +6,12 @@ struct xt_connlimit_data; struct xt_connlimit_info { union { union nf_inet_addr mask; +#ifndef __KERNEL__ union { __be32 v4_mask; __be32 v6_mask[4]; }; +#endif }; unsigned int limit, inverse; diff --git a/include/linux/netfilter/xt_ipvs.h b/include/linux/netfilter/xt_ipvs.h index 1167aeb7..eff34ac1 100644 --- a/include/linux/netfilter/xt_ipvs.h +++ b/include/linux/netfilter/xt_ipvs.h @@ -1,6 +1,8 @@ #ifndef _XT_IPVS_H #define _XT_IPVS_H +#include + enum { XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */ XT_IPVS_PROTO = 1 << 1, 
diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h index 7d53660a..8555e399 100644 --- a/include/linux/netfilter/xt_physdev.h +++ b/include/linux/netfilter/xt_physdev.h @@ -3,6 +3,9 @@ #include +#ifdef __KERNEL__ +#include +#endif #define XT_PHYSDEV_OP_IN 0x01 #define XT_PHYSDEV_OP_OUT 0x02 diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h index d246eac8..be8ead05 100644 --- a/include/linux/netfilter/xt_policy.h +++ b/include/linux/netfilter/xt_policy.h @@ -26,19 +26,30 @@ struct xt_policy_spec { reqid:1; }; +#ifndef __KERNEL__ union xt_policy_addr { struct in_addr a4; struct in6_addr a6; }; +#endif struct xt_policy_elem { union { +#ifdef __KERNEL__ + struct { + union nf_inet_addr saddr; + union nf_inet_addr smask; + union nf_inet_addr daddr; + union nf_inet_addr dmask; + }; +#else struct { union xt_policy_addr saddr; union xt_policy_addr smask; union xt_policy_addr daddr; union xt_policy_addr dmask; }; +#endif }; __be32 spi; __u32 reqid; diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h index b0d28c65..8bda65f0 100644 --- a/include/linux/netfilter/xt_quota.h +++ b/include/linux/netfilter/xt_quota.h @@ -9,9 +9,9 @@ enum xt_quota_flags { struct xt_quota_priv; struct xt_quota_info { - u_int32_t flags; - u_int32_t pad; - aligned_u64 quota; + __u32 flags; + __u32 pad; + aligned_u64 quota; /* Used internally by the kernel */ struct xt_quota_priv *master; diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h index a501e619..29287be6 100644 --- a/include/linux/netfilter/xt_sctp.h +++ b/include/linux/netfilter/xt_sctp.h @@ -66,7 +66,7 @@ struct xt_sctp_info { #define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \ __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap)) -static __inline__ bool +static inline bool __sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n) { unsigned int i; 
@@ -78,7 +78,7 @@ __sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n) #define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \ __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap)) -static __inline__ bool +static inline bool __sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n) { unsigned int i; diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h new file mode 100644 index 00000000..6f475b8f --- /dev/null +++ b/include/linux/netfilter/xt_socket.h @@ -0,0 +1,12 @@ +#ifndef _XT_SOCKET_H +#define _XT_SOCKET_H + +enum { + XT_SOCKET_TRANSPARENT = 1 << 0, +}; + +struct xt_socket_mtinfo1 { + __u8 flags; +}; + +#endif /* _XT_SOCKET_H */ diff --git a/include/linux/netfilter/xt_time.h b/include/linux/netfilter/xt_time.h index 14b6df41..b8bd4568 100644 --- a/include/linux/netfilter/xt_time.h +++ b/include/linux/netfilter/xt_time.h @@ -2,13 +2,13 @@ #define _XT_TIME_H 1 struct xt_time_info { - u_int32_t date_start; - u_int32_t date_stop; - u_int32_t daytime_start; - u_int32_t daytime_stop; - u_int32_t monthdays_match; - u_int8_t weekdays_match; - u_int8_t flags; + __u32 date_start; + __u32 date_stop; + __u32 daytime_start; + __u32 daytime_stop; + __u32 monthdays_match; + __u8 weekdays_match; + __u8 flags; }; enum { diff --git a/include/linux/netfilter/xt_u32.h b/include/linux/netfilter/xt_u32.h index 9947f56c..e8c3d872 100644 --- a/include/linux/netfilter/xt_u32.h +++ b/include/linux/netfilter/xt_u32.h @@ -9,13 +9,13 @@ enum xt_u32_ops { }; struct xt_u32_location_element { - u_int32_t number; - u_int8_t nextop; + __u32 number; + __u8 nextop; }; struct xt_u32_value_element { - u_int32_t min; - u_int32_t max; + __u32 min; + __u32 max; }; /* 
@@ -27,14 +27,14 @@ struct xt_u32_value_element { struct xt_u32_test { struct xt_u32_location_element location[XT_U32_MAXSIZE+1]; struct xt_u32_value_element value[XT_U32_MAXSIZE+1]; - u_int8_t nnums; - u_int8_t nvalues; + __u8 nnums; + __u8 nvalues; }; struct xt_u32 { struct xt_u32_test tests[XT_U32_MAXSIZE+1]; - u_int8_t ntests; - u_int8_t invert; + __u8 ntests; + __u8 invert; }; #endif /* _XT_U32_H */ -- cgit v1.2.3 From 9e152fa9f1283ce4f4274cf251b2b2e69bbdfee6 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 3 Dec 2010 22:08:32 +0100 Subject: TPROXY: add support for revision 1 Signed-off-by: Jan Engelhardt --- extensions/libxt_TPROXY.c | 193 +++++++++++++++++++++++++++++++++++++++------- 1 file changed, 165 insertions(+), 28 deletions(-) diff --git a/extensions/libxt_TPROXY.c b/extensions/libxt_TPROXY.c index cd0b50a6..26419f5d 100644 --- a/extensions/libxt_TPROXY.c +++ b/extensions/libxt_TPROXY.c @@ -5,6 +5,7 @@ */ #include #include +#include #include #include #include 
@@ -36,27 +37,39 @@ static void tproxy_tg_help(void) " --tproxy-mark value[/mask] Mark packets with the given value/mask\n\n"); } -static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info) +static void parse_tproxy_lport(const char *s, uint16_t *portp) { unsigned int lport; if (xtables_strtoui(s, NULL, &lport, 0, UINT16_MAX)) - info->lport = htons(lport); + *portp = htons(lport); else xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-port", s); } -static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info) +static void parse_tproxy_laddr(const char *s, union nf_inet_addr *addrp, + unsigned int nfproto) { - struct in_addr *laddr; + struct in6_addr *laddr6 = NULL; + struct in_addr *laddr4 = NULL; - if ((laddr = xtables_numeric_to_ipaddr(s)) == NULL) - xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s); - - info->laddr = laddr->s_addr; + if (nfproto == NFPROTO_IPV6) { + laddr6 = xtables_numeric_to_ip6addr(s); + if (laddr6 == NULL) + goto out; + addrp->in6 = *laddr6; + } else if (nfproto == NFPROTO_IPV4) { + laddr4 = xtables_numeric_to_ipaddr(s); + if (laddr4 == NULL) + goto out; + addrp->in = *laddr4; + } + return; + out: + xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s); } -static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info) +static void parse_tproxy_mark(char *s, uint32_t *markp, uint32_t *maskp) { unsigned int value, mask = UINT32_MAX; char *end; 
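Review bot: parse_tproxy_laddr returns normally when nfproto is neither NFPROTO_IPV6 nor NFPROTO_IPV4, leaving *addrp unwritten and the caller unaware that no address was parsed; only the two recognised families should reach `return;`. A final branch that fails loudly closes the gap, e.g. `} else {` / `xtables_error(OTHER_PROBLEM, "TPROXY: unsupported family %u", nfproto);` / `}` in place of the bare `}` before `return;`. The `= NULL` initialisers on laddr6 and laddr4 are dead, since each pointer is assigned before its only use. parse_tproxy_mark's body continues outside the hunk.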
@@ -69,32 +82,32 @@ static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info) if (*end != '\0') xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s); - info->mark_mask = mask; - info->mark_value = value; + *markp = value; + *maskp = mask; } static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_target **target) { - struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data; + struct xt_tproxy_target_info *info = (void *)(*target)->data; switch (c) { case '1': xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT); xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert); - parse_tproxy_lport(optarg, tproxyinfo); + parse_tproxy_lport(optarg, &info->lport); *flags |= PARAM_ONPORT; return 1; case '2': xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP); xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert); - parse_tproxy_laddr(optarg, tproxyinfo); + parse_tproxy_laddr(optarg, (void *)&info->laddr, NFPROTO_IPV4); *flags |= PARAM_ONIP; return 1; case '3': xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK); xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert); - parse_tproxy_mark(optarg, tproxyinfo); + parse_tproxy_mark(optarg, &info->mark_value, &info->mark_mask); *flags |= PARAM_MARK; return 1; } 
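Review bot: `parse_tproxy_laddr(optarg, (void *)&info->laddr, NFPROTO_IPV4);` hands the revision-0 `__be32 laddr` (see the xt_TPROXY.h hunk earlier on this page) to a function that takes a `union nf_inet_addr *`; the `(void *)` cast is what hides the type mismatch, and the write stays within the 4-byte field only because the family is hard-coded here, so any future IPv6 path through this call would overrun it. A correctly typed temporary removes both the cast and the size dependency: `union nf_inet_addr laddr;` / `parse_tproxy_laddr(optarg, &laddr, NFPROTO_IPV4);` / `info->laddr = laddr.ip;`. The same cast appears in tproxy_tg_parse1 on the next line, where the v1 struct's laddr is itself a `union nf_inet_addr` and the cast is simply unnecessary.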
@@ -102,6 +115,49 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags, return 0; } +static int +tproxy_tg_parse1(int c, char **argv, int invert, unsigned int *flags, + struct xt_tproxy_target_info_v1 *info, unsigned int nfproto) +{ + switch (c) { + case '1': + xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT); + xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert); + parse_tproxy_lport(optarg, &info->lport); + *flags |= PARAM_ONPORT; + return true; + case '2': + xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP); + xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert); + parse_tproxy_laddr(optarg, (void *)&info->laddr, nfproto); + *flags |= PARAM_ONIP; + return true; + case '3': + xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK); + xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert); + parse_tproxy_mark(optarg, &info->mark_value, &info->mark_mask); + *flags |= PARAM_MARK; + return true; + } + return false; +} + +static int +tproxy_tg_parse4(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_tproxy_target_info_v1 *info = (void *)(*target)->data; + return tproxy_tg_parse1(c, argv, invert, flags, info, NFPROTO_IPV4); +} + +static int +tproxy_tg_parse6(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_tproxy_target_info_v1 *info = (void *)(*target)->data; + return tproxy_tg_parse1(c, argv, invert, flags, info, NFPROTO_IPV6); +} + static void tproxy_tg_check(unsigned int flags) { if (!(flags & PARAM_ONPORT)) 
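Review bot: tproxy_tg_parse1, tproxy_tg_parse4 and tproxy_tg_parse6 are declared `int` but return `true`/`false`, while tproxy_tg_parse in the previous hunk returns `1`/`0` for the same xtables parse contract; one convention should be used across the file. tproxy_tg_parse1 would also benefit from a short header comment saying that it returns non-zero when it consumed option `c` and that nfproto selects the address family handed to parse_tproxy_laddr, since the `entry` parameter of the two wrappers is unused and the reader otherwise has to reconstruct the split. tproxy_tg_check starts at the end of the hunk and continues outside it.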
@@ -119,6 +175,32 @@ static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target (unsigned int)info->mark_mask); } +static void +tproxy_tg_print4(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_tproxy_target_info_v1 *info = + (const void *)target->data; + + printf("TPROXY redirect %s:%u mark 0x%x/0x%x", + xtables_ipaddr_to_numeric(&info->laddr.in), + ntohs(info->lport), (unsigned int)info->mark_value, + (unsigned int)info->mark_mask); +} + +static void +tproxy_tg_print6(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_tproxy_target_info_v1 *info = + (const void *)target->data; + + printf("TPROXY redirect %s:%u mark 0x%x/0x%x", + xtables_ip6addr_to_numeric(&info->laddr.in6), + ntohs(info->lport), (unsigned int)info->mark_value, + (unsigned int)info->mark_mask); +} + static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target) { const struct xt_tproxy_target_info *info = (const void *)target->data; 
@@ -130,21 +212,76 @@ static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target) (unsigned int)info->mark_value, (unsigned int)info->mark_mask); } -static struct xtables_target tproxy_tg_reg = { - .name = "TPROXY", - .family = NFPROTO_IPV4, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), - .help = tproxy_tg_help, - .parse = tproxy_tg_parse, - .final_check = tproxy_tg_check, - .print = tproxy_tg_print, - .save = tproxy_tg_save, - .extra_opts = tproxy_tg_opts, +static void +tproxy_tg_save4(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_tproxy_target_info_v1 *info; + + info = (const void *)target->data; + printf("--on-port %u ", ntohs(info->lport)); + printf("--on-ip %s ", xtables_ipaddr_to_numeric(&info->laddr.in)); + printf("--tproxy-mark 0x%x/0x%x ", + (unsigned int)info->mark_value, (unsigned int)info->mark_mask); +} + +static void +tproxy_tg_save6(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_tproxy_target_info_v1 *info; + + info = (const void *)target->data; + printf("--on-port %u ", ntohs(info->lport)); + printf("--on-ip %s ", xtables_ip6addr_to_numeric(&info->laddr.in6)); + printf("--tproxy-mark 0x%x/0x%x ", + (unsigned int)info->mark_value, (unsigned int)info->mark_mask); +} + +static struct xtables_target tproxy_tg_reg[] = { + { + .name = "TPROXY", + .revision = 0, + .family = NFPROTO_IPV4, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), + .help = tproxy_tg_help, + .parse = tproxy_tg_parse, + .final_check = tproxy_tg_check, + .print = tproxy_tg_print, + .save = tproxy_tg_save, + .extra_opts = tproxy_tg_opts, + }, + { + .name = "TPROXY", + .revision = 1, + .family = NFPROTO_IPV4, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), + 
.userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), + .help = tproxy_tg_help, + .parse = tproxy_tg_parse4, + .final_check = tproxy_tg_check, + .print = tproxy_tg_print4, + .save = tproxy_tg_save4, + .extra_opts = tproxy_tg_opts, + }, + { + .name = "TPROXY", + .revision = 1, + .family = NFPROTO_IPV6, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), + .help = tproxy_tg_help, + .parse = tproxy_tg_parse6, + .final_check = tproxy_tg_check, + .print = tproxy_tg_print6, + .save = tproxy_tg_save6, + .extra_opts = tproxy_tg_opts, + }, }; void _init(void) { - xtables_register_target(&tproxy_tg_reg); + xtables_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg)); } -- cgit v1.2.3 From 4d2a77ff8cb4115925477cd5ce0ea972494107ab Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 3 Dec 2010 22:55:34 +0100 Subject: socket: add support for revision 1 Signed-off-by: Jan Engelhardt --- extensions/libxt_socket.c | 76 ++++++++++++++++++++++++++++++++++++++++----- extensions/libxt_socket.man | 3 ++ 2 files changed, 72 insertions(+), 7 deletions(-) diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c index 1490473b..e4dff78b 100644 --- a/extensions/libxt_socket.c +++ b/extensions/libxt_socket.c 
@@ -3,17 +3,79 @@ * * Copyright (C) 2007 BalaBit IT Ltd. */ +#include +#include +#include #include +#include -static struct xtables_match socket_mt_reg = { - .name = "socket", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), +static const struct option socket_mt_opts[] = { + {.name = "transparent", .has_arg = false, .val = 't'}, + XT_GETOPT_TABLEEND, +}; + +static void socket_mt_help(void) +{ + printf( + "socket match options:\n" + " --transparent Ignore non-transparent sockets\n\n"); +} + +static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_socket_mtinfo1 *info = (void *)(*match)->data; + + switch (c) { + case 't': + info->flags |= XT_SOCKET_TRANSPARENT; + return true; + } + return false; +} + +static void +socket_mt_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_socket_mtinfo1 *info = (const void *)match->data; + + if (info->flags & XT_SOCKET_TRANSPARENT) + printf("--transparent "); +} + +static void +socket_mt_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + printf("socket "); + socket_mt_save(ip, match); +} + +static struct xtables_match socket_mt_reg[] = { + { + .name = "socket", + .revision = 0, + .family = NFPROTO_IPV4, + .version = XTABLES_VERSION, + .size = XT_ALIGN(0), + .userspacesize = XT_ALIGN(0), + }, + { + .name = "socket", + .revision = 1, + .family = NFPROTO_UNSPEC, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), + .help = socket_mt_help, + .parse = socket_mt_parse, + .print = socket_mt_print, + .save = socket_mt_save, + .extra_opts = socket_mt_opts, + }, }; void _init(void) { - xtables_register_match(&socket_mt_reg); + xtables_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg)); } 
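Review bot: socket_mt_parse ignores `invert`, so `! --transparent` is accepted without error and behaves exactly like `--transparent`; the other parsers in this series reject inversion explicitly, and the same check belongs here before the flag is set: `xtables_param_act(XTF_NO_INVERT, "socket", "--transparent", invert);`. The function is also declared `int` but returns `true`/`false`. A one-line comment on socket_mt_print noting that it deliberately reuses socket_mt_save for the option text would save the next reader a double take.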
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c88542..41e8d674 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,5 @@
 This matches if an open socket can be found by doing a socket lookup on the packet.
+.TP
+\fB\-\-transparent\fP
+Ignore non-transparent sockets.
-- cgit v1.2.3
From d4105ad56335058af4b0b1be1278e01f5c0bd4ac Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 4 Dec 2010 02:53:20 +0100 Subject: build: fix globbing of extensions in other locales In the fi_FI locale, [a-z] would not include 'w', for example. Rectify this by using [[:alnum:]] (to counter against different ordering) and forcing the POSIX locale (so that the alphabet has at least the 26 base characters). Signed-off-by: Jan Engelhardt
---
 extensions/GNUmakefile.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 709366a1..7c479018 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -155,8 +155,8 @@ initext6.c: .initext6.dd
 #
 # Manual pages
 #
-ex_matches = $(sort $(shell echo $(1) | grep -Eo '\b[a-z0-9]+\b'))
-ex_targets = $(sort $(shell echo $(1) | grep -Eo '\b[A-Z0-9]+\b'))
+ex_matches = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]]+\b'))
+ex_targets = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]]+\b'))
 man_run = \
 ${AM_VERBOSE_GEN} \
 for ext in $(1); do \
-- cgit v1.2.3
From f3578faae096f191a44742777275a23b566d7566 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 6 Dec 2010 13:32:58 +0100 Subject: libxt_owner: output numeric IDs when save is requested References: http://bugzilla.netfilter.org/show_bug.cgi?id=683 Signed-off-by: Jan Engelhardt
---
 extensions/libxt_owner.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index 4015f137..867ed499 100644
--- a/extensions/libxt_owner.c
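Review bot: After this change `ex_matches` and `ex_targets` are the same expression, so both expand to the same list; the `[a-z0-9]`/`[A-Z0-9]` split that told match names apart from target names is lost, and if the two variables feed separate man_run invocations (outside the hunk) each extension's page would be picked up by both. Locale-independent classes keep the distinction while still fixing the fi_FI problem: `ex_matches = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:lower:][:digit:]]+\b'))` and `ex_targets = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:upper:][:digit:]]+\b'))`. man_run's definition continues outside the hunk.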
+++ b/extensions/libxt_owner.c
@@ -558,9 +558,9 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
 {
 const struct xt_owner_match_info *info = (void *)match->data;
- owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, false);
- owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, false);
- owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, false);
+ owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, true);
+ owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, true);
+ owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, true);
 }
 static struct xtables_match owner_mt_reg[] = {
-- cgit v1.2.3
From a3f101331deb9314caa0cfa1061c925865e79380 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 11 Dec 2010 03:35:48 +0100 Subject: build: stop on error in subcommand make only evaluates $? of an entire shell invocation. As such, if any command in the chain can fail, $? needs to be thrown, and early so. Signed-off-by: Jan Engelhardt
---
 extensions/GNUmakefile.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 7c479018..74a058c1 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -165,14 +165,14 @@ man_run = \
 if [ -f "$$f" ] && grep -Eq "$(3)|NFPROTO_UNSPEC" "$$cf"; then \
 echo -e "\t+ $$f" >&2; \
 echo ".SS $$ext"; \
- cat "$$f"; \
+ cat "$$f" || exit $$?; \
 continue; \
 fi; \
 f="${srcdir}/lib$(2)t_$$ext.man"; \
 if [ -f "$$f" ]; then \
 echo -e "\t+ $$f" >&2; \
 echo ".SS $$ext"; \
- cat "$$f"; \
+ cat "$$f" || exit $$?; \
 continue; \
 fi; \
 done >$@;
-- cgit v1.2.3