From a49002efbdc5813ee193aa8fde3da3e35ff0d38f Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 28 Aug 2011 14:10:19 +0200 Subject: libxt_addrtype: rename from libipt_addrtype Signed-off-by: Jan Engelhardt --- extensions/libipt_addrtype.c | 308 ----------------------------------------- extensions/libipt_addrtype.man | 69 --------- extensions/libxt_addrtype.c | 308 +++++++++++++++++++++++++++++++++++++++++ extensions/libxt_addrtype.man | 69 +++++++++ 4 files changed, 377 insertions(+), 377 deletions(-) delete mode 100644 extensions/libipt_addrtype.c delete mode 100644 extensions/libipt_addrtype.man create mode 100644 extensions/libxt_addrtype.c create mode 100644 extensions/libxt_addrtype.man (limited to 'extensions') diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c deleted file mode 100644 index 3dec626b..00000000 --- a/extensions/libipt_addrtype.c +++ /dev/null @@ -1,308 +0,0 @@ -/* Shared library add-on to iptables to add addrtype matching support - * - * This program is released under the terms of GNU GPL */ -#include -#include -#include -#include - -enum { - O_SRC_TYPE = 0, - O_DST_TYPE, - O_LIMIT_IFACE_IN, - O_LIMIT_IFACE_OUT, - F_SRC_TYPE = 1 << O_SRC_TYPE, - F_DST_TYPE = 1 << O_DST_TYPE, - F_LIMIT_IFACE_IN = 1 << O_LIMIT_IFACE_IN, - F_LIMIT_IFACE_OUT = 1 << O_LIMIT_IFACE_OUT, -}; - -/* from linux/rtnetlink.h, must match order of enumeration */ -static const char *const rtn_names[] = { - "UNSPEC", - "UNICAST", - "LOCAL", - "BROADCAST", - "ANYCAST", - "MULTICAST", - "BLACKHOLE", - "UNREACHABLE", - "PROHIBIT", - "THROW", - "NAT", - "XRESOLVE", - NULL -}; - -static void addrtype_help_types(void) -{ - int i; - - for (i = 0; rtn_names[i]; i++) - printf(" %s\n", rtn_names[i]); -} - -static void addrtype_help_v0(void) -{ - printf( -"Address type match options:\n" -" [!] --src-type type[,...] Match source address type\n" -" [!] --dst-type type[,...] Match destination address type\n" -"\n" -"Valid types: \n"); - addrtype_help_types(); -} - -static void addrtype_help_v1(void) -{ - printf( -"Address type match options:\n" -" [!] --src-type type[,...] Match source address type\n" -" [!] --dst-type type[,...] Match destination address type\n" -" --limit-iface-in Match only on the packet's incoming device\n" -" --limit-iface-out Match only on the packet's incoming device\n" -"\n" -"Valid types: \n"); - addrtype_help_types(); -} - -static int -parse_type(const char *name, size_t len, uint16_t *mask) -{ - int i; - - for (i = 0; rtn_names[i]; i++) - if (strncasecmp(name, rtn_names[i], len) == 0) { - /* build up bitmask for kernel module */ - *mask |= (1 << i); - return 1; - } - - return 0; -} - -static void parse_types(const char *arg, uint16_t *mask) -{ - const char *comma; - - while ((comma = strchr(arg, ',')) != NULL) { - if (comma == arg || !parse_type(arg, comma-arg, mask)) - xtables_error(PARAMETER_PROBLEM, - "addrtype: bad type `%s'", arg); - arg = comma + 1; - } - - if (strlen(arg) == 0 || !parse_type(arg, strlen(arg), mask)) - xtables_error(PARAMETER_PROBLEM, "addrtype: bad type \"%s\"", arg); -} - -static void addrtype_parse_v0(struct xt_option_call *cb) -{ - struct ipt_addrtype_info *info = cb->data; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_SRC_TYPE: - parse_types(cb->arg, &info->source); - if (cb->invert) - info->invert_source = 1; - break; - case O_DST_TYPE: - parse_types(cb->arg, &info->dest); - if (cb->invert) - info->invert_dest = 1; - break; - } -} - -static void addrtype_parse_v1(struct xt_option_call *cb) -{ - struct ipt_addrtype_info_v1 *info = cb->data; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_SRC_TYPE: - parse_types(cb->arg, &info->source); - if (cb->invert) - info->flags |= IPT_ADDRTYPE_INVERT_SOURCE; - break; - case O_DST_TYPE: - parse_types(cb->arg, &info->dest); - if (cb->invert) - info->flags |= IPT_ADDRTYPE_INVERT_DEST; - break; - case O_LIMIT_IFACE_IN: - info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN; - break; - case O_LIMIT_IFACE_OUT: - info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT; - break; - } -} - -static void addrtype_check(struct xt_fcheck_call *cb) -{ - if (!(cb->xflags & (F_SRC_TYPE | F_DST_TYPE))) - xtables_error(PARAMETER_PROBLEM, - "addrtype: you must specify --src-type or --dst-type"); -} - -static void print_types(uint16_t mask) -{ - const char *sep = ""; - int i; - - for (i = 0; rtn_names[i]; i++) - if (mask & (1 << i)) { - printf("%s%s", sep, rtn_names[i]); - sep = ","; - } -} - -static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match, - int numeric) -{ - const struct ipt_addrtype_info *info = - (struct ipt_addrtype_info *) match->data; - - printf(" ADDRTYPE match"); - if (info->source) { - printf(" src-type "); - if (info->invert_source) - printf("!"); - print_types(info->source); - } - if (info->dest) { - printf(" dst-type"); - if (info->invert_dest) - printf("!"); - print_types(info->dest); - } -} - -static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match, - int numeric) -{ - const struct ipt_addrtype_info_v1 *info = - (struct ipt_addrtype_info_v1 *) match->data; - - printf(" ADDRTYPE match"); - if (info->source) { - printf(" src-type "); - if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE) - printf("!"); - print_types(info->source); - } - if (info->dest) { - printf(" dst-type "); - if (info->flags & IPT_ADDRTYPE_INVERT_DEST) - printf("!"); - print_types(info->dest); - } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { - printf(" limit-in"); - } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { - printf(" limit-out"); - } -} - -static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match) -{ - const struct ipt_addrtype_info *info = - (struct ipt_addrtype_info *) match->data; - - if (info->source) { - if (info->invert_source) - printf(" !"); - printf(" --src-type "); - print_types(info->source); - } - if (info->dest) { - if (info->invert_dest) - printf(" !"); - printf(" --dst-type "); - print_types(info->dest); - } -} - -static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match) -{ - const struct ipt_addrtype_info_v1 *info = - (struct ipt_addrtype_info_v1 *) match->data; - - if (info->source) { - if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE) - printf(" !"); - printf(" --src-type "); - print_types(info->source); - } - if (info->dest) { - if (info->flags & IPT_ADDRTYPE_INVERT_DEST) - printf(" !"); - printf(" --dst-type "); - print_types(info->dest); - } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { - printf(" --limit-iface-in"); - } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { - printf(" --limit-iface-out"); - } -} - -static const struct xt_option_entry addrtype_opts_v0[] = { - {.name = "src-type", .id = O_SRC_TYPE, .type = XTTYPE_STRING, - .flags = XTOPT_INVERT}, - {.name = "dst-type", .id = O_DST_TYPE, .type = XTTYPE_STRING, - .flags = XTOPT_INVERT}, - XTOPT_TABLEEND, -}; - -static const struct xt_option_entry addrtype_opts_v1[] = { - {.name = "src-type", .id = O_SRC_TYPE, .type = XTTYPE_STRING, - .flags = XTOPT_INVERT}, - {.name = "dst-type", .id = O_DST_TYPE, .type = XTTYPE_STRING, - .flags = XTOPT_INVERT}, - {.name = "limit-iface-in", .id = O_LIMIT_IFACE_IN, - .type = XTTYPE_NONE, .excl = F_LIMIT_IFACE_OUT}, - {.name = "limit-iface-out", .id = O_LIMIT_IFACE_OUT, - .type = XTTYPE_NONE, .excl = F_LIMIT_IFACE_IN}, - XTOPT_TABLEEND, -}; - -static struct xtables_match addrtype_mt_reg[] = { - { - .name = "addrtype", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)), - .help = addrtype_help_v0, - .print = addrtype_print_v0, - .save = addrtype_save_v0, - .x6_parse = addrtype_parse_v0, - .x6_fcheck = addrtype_check, - .x6_options = addrtype_opts_v0, - }, - { - .name = "addrtype", - .revision = 1, - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), - .help = addrtype_help_v1, - .print = addrtype_print_v1, - .save = addrtype_save_v1, - .x6_parse = addrtype_parse_v1, - .x6_fcheck = addrtype_check, - .x6_options = addrtype_opts_v1, - }, -}; - - -void _init(void) -{ - xtables_register_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg)); -} diff --git a/extensions/libipt_addrtype.man b/extensions/libipt_addrtype.man deleted file mode 100644 index 16fd9dfd..00000000 --- a/extensions/libipt_addrtype.man +++ /dev/null @@ -1,69 +0,0 @@ -This module matches packets based on their -.B address type. -Address types are used within the kernel networking stack and categorize -addresses into various groups. The exact definition of that group depends on the specific layer three protocol. -.PP -The following address types are possible: -.TP -.BI "UNSPEC" -an unspecified address (i.e. 0.0.0.0) -.TP -.BI "UNICAST" -an unicast address -.TP -.BI "LOCAL" -a local address -.TP -.BI "BROADCAST" -a broadcast address -.TP -.BI "ANYCAST" -an anycast packet -.TP -.BI "MULTICAST" -a multicast address -.TP -.BI "BLACKHOLE" -a blackhole address -.TP -.BI "UNREACHABLE" -an unreachable address -.TP -.BI "PROHIBIT" -a prohibited address -.TP -.BI "THROW" -FIXME -.TP -.BI "NAT" -FIXME -.TP -.BI "XRESOLVE" -.TP -[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP -Matches if the source address is of given type -.TP -[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP -Matches if the destination address is of given type -.TP -.BI "\-\-limit\-iface\-in" -The address type checking can be limited to the interface the packet is coming -in. This option is only valid in the -.BR PREROUTING , -.B INPUT -and -.B FORWARD -chains. It cannot be specified with the -\fB\-\-limit\-iface\-out\fP -option. -.TP -\fB\-\-limit\-iface\-out\fP -The address type checking can be limited to the interface the packet is going -out. This option is only valid in the -.BR POSTROUTING , -.B OUTPUT -and -.B FORWARD -chains. It cannot be specified with the -\fB\-\-limit\-iface\-in\fP -option. diff --git a/extensions/libxt_addrtype.c b/extensions/libxt_addrtype.c new file mode 100644 index 00000000..3dec626b --- /dev/null +++ b/extensions/libxt_addrtype.c @@ -0,0 +1,308 @@ +/* Shared library add-on to iptables to add addrtype matching support + * + * This program is released under the terms of GNU GPL */ +#include +#include +#include +#include + +enum { + O_SRC_TYPE = 0, + O_DST_TYPE, + O_LIMIT_IFACE_IN, + O_LIMIT_IFACE_OUT, + F_SRC_TYPE = 1 << O_SRC_TYPE, + F_DST_TYPE = 1 << O_DST_TYPE, + F_LIMIT_IFACE_IN = 1 << O_LIMIT_IFACE_IN, + F_LIMIT_IFACE_OUT = 1 << O_LIMIT_IFACE_OUT, +}; + +/* from linux/rtnetlink.h, must match order of enumeration */ +static const char *const rtn_names[] = { + "UNSPEC", + "UNICAST", + "LOCAL", + "BROADCAST", + "ANYCAST", + "MULTICAST", + "BLACKHOLE", + "UNREACHABLE", + "PROHIBIT", + "THROW", + "NAT", + "XRESOLVE", + NULL +}; + +static void addrtype_help_types(void) +{ + int i; + + for (i = 0; rtn_names[i]; i++) + printf(" %s\n", rtn_names[i]); +} + +static void addrtype_help_v0(void) +{ + printf( +"Address type match options:\n" +" [!] --src-type type[,...] Match source address type\n" +" [!] --dst-type type[,...] Match destination address type\n" +"\n" +"Valid types: \n"); + addrtype_help_types(); +} + +static void addrtype_help_v1(void) +{ + printf( +"Address type match options:\n" +" [!] --src-type type[,...] Match source address type\n" +" [!] --dst-type type[,...] Match destination address type\n" +" --limit-iface-in Match only on the packet's incoming device\n" +" --limit-iface-out Match only on the packet's incoming device\n" +"\n" +"Valid types: \n"); + addrtype_help_types(); +} + +static int +parse_type(const char *name, size_t len, uint16_t *mask) +{ + int i; + + for (i = 0; rtn_names[i]; i++) + if (strncasecmp(name, rtn_names[i], len) == 0) { + /* build up bitmask for kernel module */ + *mask |= (1 << i); + return 1; + } + + return 0; +} + +static void parse_types(const char *arg, uint16_t *mask) +{ + const char *comma; + + while ((comma = strchr(arg, ',')) != NULL) { + if (comma == arg || !parse_type(arg, comma-arg, mask)) + xtables_error(PARAMETER_PROBLEM, + "addrtype: bad type `%s'", arg); + arg = comma + 1; + } + + if (strlen(arg) == 0 || !parse_type(arg, strlen(arg), mask)) + xtables_error(PARAMETER_PROBLEM, "addrtype: bad type \"%s\"", arg); +} + +static void addrtype_parse_v0(struct xt_option_call *cb) +{ + struct ipt_addrtype_info *info = cb->data; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_SRC_TYPE: + parse_types(cb->arg, &info->source); + if (cb->invert) + info->invert_source = 1; + break; + case O_DST_TYPE: + parse_types(cb->arg, &info->dest); + if (cb->invert) + info->invert_dest = 1; + break; + } +} + +static void addrtype_parse_v1(struct xt_option_call *cb) +{ + struct ipt_addrtype_info_v1 *info = cb->data; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_SRC_TYPE: + parse_types(cb->arg, &info->source); + if (cb->invert) + info->flags |= IPT_ADDRTYPE_INVERT_SOURCE; + break; + case O_DST_TYPE: + parse_types(cb->arg, &info->dest); + if (cb->invert) + info->flags |= IPT_ADDRTYPE_INVERT_DEST; + break; + case O_LIMIT_IFACE_IN: + info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN; + break; + case O_LIMIT_IFACE_OUT: + info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT; + break; + } +} + +static void addrtype_check(struct xt_fcheck_call *cb) +{ + if (!(cb->xflags & (F_SRC_TYPE | F_DST_TYPE))) + xtables_error(PARAMETER_PROBLEM, + "addrtype: you must specify --src-type or --dst-type"); +} + +static void print_types(uint16_t mask) +{ + const char *sep = ""; + int i; + + for (i = 0; rtn_names[i]; i++) + if (mask & (1 << i)) { + printf("%s%s", sep, rtn_names[i]); + sep = ","; + } +} + +static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct ipt_addrtype_info *info = + (struct ipt_addrtype_info *) match->data; + + printf(" ADDRTYPE match"); + if (info->source) { + printf(" src-type "); + if (info->invert_source) + printf("!"); + print_types(info->source); + } + if (info->dest) { + printf(" dst-type"); + if (info->invert_dest) + printf("!"); + print_types(info->dest); + } +} + +static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct ipt_addrtype_info_v1 *info = + (struct ipt_addrtype_info_v1 *) match->data; + + printf(" ADDRTYPE match"); + if (info->source) { + printf(" src-type "); + if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE) + printf("!"); + print_types(info->source); + } + if (info->dest) { + printf(" dst-type "); + if (info->flags & IPT_ADDRTYPE_INVERT_DEST) + printf("!"); + print_types(info->dest); + } + if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { + printf(" limit-in"); + } + if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { + printf(" limit-out"); + } +} + +static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match) +{ + const struct ipt_addrtype_info *info = + (struct ipt_addrtype_info *) match->data; + + if (info->source) { + if (info->invert_source) + printf(" !"); + printf(" --src-type "); + print_types(info->source); + } + if (info->dest) { + if (info->invert_dest) + printf(" !"); + printf(" --dst-type "); + print_types(info->dest); + } +} + +static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match) +{ + const struct ipt_addrtype_info_v1 *info = + (struct ipt_addrtype_info_v1 *) match->data; + + if (info->source) { + if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE) + printf(" !"); + printf(" --src-type "); + print_types(info->source); + } + if (info->dest) { + if (info->flags & IPT_ADDRTYPE_INVERT_DEST) + printf(" !"); + printf(" --dst-type "); + print_types(info->dest); + } + if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { + printf(" --limit-iface-in"); + } + if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { + printf(" --limit-iface-out"); + } +} + +static const struct xt_option_entry addrtype_opts_v0[] = { + {.name = "src-type", .id = O_SRC_TYPE, .type = XTTYPE_STRING, + .flags = XTOPT_INVERT}, + {.name = "dst-type", .id = O_DST_TYPE, .type = XTTYPE_STRING, + .flags = XTOPT_INVERT}, + XTOPT_TABLEEND, +}; + +static const struct xt_option_entry addrtype_opts_v1[] = { + {.name = "src-type", .id = O_SRC_TYPE, .type = XTTYPE_STRING, + .flags = XTOPT_INVERT}, + {.name = "dst-type", .id = O_DST_TYPE, .type = XTTYPE_STRING, + .flags = XTOPT_INVERT}, + {.name = "limit-iface-in", .id = O_LIMIT_IFACE_IN, + .type = XTTYPE_NONE, .excl = F_LIMIT_IFACE_OUT}, + {.name = "limit-iface-out", .id = O_LIMIT_IFACE_OUT, + .type = XTTYPE_NONE, .excl = F_LIMIT_IFACE_IN}, + XTOPT_TABLEEND, +}; + +static struct xtables_match addrtype_mt_reg[] = { + { + .name = "addrtype", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)), + .help = addrtype_help_v0, + .print = addrtype_print_v0, + .save = addrtype_save_v0, + .x6_parse = addrtype_parse_v0, + .x6_fcheck = addrtype_check, + .x6_options = addrtype_opts_v0, + }, + { + .name = "addrtype", + .revision = 1, + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), + .help = addrtype_help_v1, + .print = addrtype_print_v1, + .save = addrtype_save_v1, + .x6_parse = addrtype_parse_v1, + .x6_fcheck = addrtype_check, + .x6_options = addrtype_opts_v1, + }, +}; + + +void _init(void) +{ + xtables_register_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg)); +} diff --git a/extensions/libxt_addrtype.man b/extensions/libxt_addrtype.man new file mode 100644 index 00000000..16fd9dfd --- /dev/null +++ b/extensions/libxt_addrtype.man @@ -0,0 +1,69 @@ +This module matches packets based on their +.B address type. +Address types are used within the kernel networking stack and categorize +addresses into various groups. The exact definition of that group depends on the specific layer three protocol. +.PP +The following address types are possible: +.TP +.BI "UNSPEC" +an unspecified address (i.e. 0.0.0.0) +.TP +.BI "UNICAST" +an unicast address +.TP +.BI "LOCAL" +a local address +.TP +.BI "BROADCAST" +a broadcast address +.TP +.BI "ANYCAST" +an anycast packet +.TP +.BI "MULTICAST" +a multicast address +.TP +.BI "BLACKHOLE" +a blackhole address +.TP +.BI "UNREACHABLE" +an unreachable address +.TP +.BI "PROHIBIT" +a prohibited address +.TP +.BI "THROW" +FIXME +.TP +.BI "NAT" +FIXME +.TP +.BI "XRESOLVE" +.TP +[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP +Matches if the source address is of given type +.TP +[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP +Matches if the destination address is of given type +.TP +.BI "\-\-limit\-iface\-in" +The address type checking can be limited to the interface the packet is coming +in. This option is only valid in the +.BR PREROUTING , +.B INPUT +and +.B FORWARD +chains. It cannot be specified with the +\fB\-\-limit\-iface\-out\fP +option. +.TP +\fB\-\-limit\-iface\-out\fP +The address type checking can be limited to the interface the packet is going +out. This option is only valid in the +.BR POSTROUTING , +.B OUTPUT +and +.B FORWARD +chains. It cannot be specified with the +\fB\-\-limit\-iface\-in\fP +option. -- cgit v1.2.3 From 3775fb69f63b76191bc3571bfa8538c18173d90f Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 28 Aug 2011 14:16:14 +0200 Subject: libxt_addrtype: add support for revision 1 Rev 1 was added to the kernel in commit v2.6.39-rc1~468^2~10^2~1 but there was no corresponding iptables patch so far. Cc: Florian Westphal Signed-off-by: Jan Engelhardt --- extensions/libxt_addrtype.c | 56 +++++++++++++++++++-------------------------- 1 file changed, 24 insertions(+), 32 deletions(-) (limited to 'extensions') diff --git a/extensions/libxt_addrtype.c b/extensions/libxt_addrtype.c index 3dec626b..59072b35 100644 --- a/extensions/libxt_addrtype.c +++ b/extensions/libxt_addrtype.c @@ -4,7 +4,7 @@ #include #include #include -#include +#include enum { O_SRC_TYPE = 0, @@ -98,7 +98,7 @@ static void parse_types(const char *arg, uint16_t *mask) static void addrtype_parse_v0(struct xt_option_call *cb) { - struct ipt_addrtype_info *info = cb->data; + struct xt_addrtype_info *info = cb->data; xtables_option_parse(cb); switch (cb->entry->id) { @@ -117,25 +117,25 @@ static void addrtype_parse_v0(struct xt_option_call *cb) static void addrtype_parse_v1(struct xt_option_call *cb) { - struct ipt_addrtype_info_v1 *info = cb->data; + struct xt_addrtype_info_v1 *info = cb->data; xtables_option_parse(cb); switch (cb->entry->id) { case O_SRC_TYPE: parse_types(cb->arg, &info->source); if (cb->invert) - info->flags |= IPT_ADDRTYPE_INVERT_SOURCE; + info->flags |= XT_ADDRTYPE_INVERT_SOURCE; break; case O_DST_TYPE: parse_types(cb->arg, &info->dest); if (cb->invert) - info->flags |= IPT_ADDRTYPE_INVERT_DEST; + info->flags |= XT_ADDRTYPE_INVERT_DEST; break; case O_LIMIT_IFACE_IN: - info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN; + info->flags |= XT_ADDRTYPE_LIMIT_IFACE_IN; break; case O_LIMIT_IFACE_OUT: - info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT; + info->flags |= XT_ADDRTYPE_LIMIT_IFACE_OUT; break; } } @@ -162,8 +162,7 @@ static void print_types(uint16_t mask) static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match, int numeric) { - const struct ipt_addrtype_info *info = - (struct ipt_addrtype_info *) match->data; + const struct xt_addrtype_info *info = (const void *)match->data; printf(" ADDRTYPE match"); if (info->source) { @@ -183,34 +182,30 @@ static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match, int numeric) { - const struct ipt_addrtype_info_v1 *info = - (struct ipt_addrtype_info_v1 *) match->data; + const struct xt_addrtype_info_v1 *info = (const void *)match->data; printf(" ADDRTYPE match"); if (info->source) { printf(" src-type "); - if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE) + if (info->flags & XT_ADDRTYPE_INVERT_SOURCE) printf("!"); print_types(info->source); } if (info->dest) { printf(" dst-type "); - if (info->flags & IPT_ADDRTYPE_INVERT_DEST) + if (info->flags & XT_ADDRTYPE_INVERT_DEST) printf("!"); print_types(info->dest); } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { + if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) printf(" limit-in"); - } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { + if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) printf(" limit-out"); - } } static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match) { - const struct ipt_addrtype_info *info = - (struct ipt_addrtype_info *) match->data; + const struct xt_addrtype_info *info = (const void *)match->data; if (info->source) { if (info->invert_source) @@ -228,27 +223,24 @@ static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match) static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match) { - const struct ipt_addrtype_info_v1 *info = - (struct ipt_addrtype_info_v1 *) match->data; + const struct xt_addrtype_info_v1 *info = (const void *)match->data; if (info->source) { - if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE) + if (info->flags & XT_ADDRTYPE_INVERT_SOURCE) printf(" !"); printf(" --src-type "); print_types(info->source); } if (info->dest) { - if (info->flags & IPT_ADDRTYPE_INVERT_DEST) + if (info->flags & XT_ADDRTYPE_INVERT_DEST) printf(" !"); printf(" --dst-type "); print_types(info->dest); } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { + if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) printf(" --limit-iface-in"); - } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { + if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) printf(" --limit-iface-out"); - } } static const struct xt_option_entry addrtype_opts_v0[] = { @@ -276,8 +268,8 @@ static struct xtables_match addrtype_mt_reg[] = { .name = "addrtype", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)), + .size = XT_ALIGN(sizeof(struct xt_addrtype_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info)), .help = addrtype_help_v0, .print = addrtype_print_v0, .save = addrtype_save_v0, @@ -289,9 +281,9 @@ static struct xtables_match addrtype_mt_reg[] = { .name = "addrtype", .revision = 1, .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)), .help = addrtype_help_v1, .print = addrtype_print_v1, .save = addrtype_save_v1, -- cgit v1.2.3 From 14da56743c6cdf25da35b7b5ca7a5d201771990d Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 27 Aug 2011 09:56:16 +0200 Subject: src: resolve old macro names that are indirections Command used: git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/) and then fix all occurrences. Signed-off-by: Jan Engelhardt --- extensions/libipt_realm.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'extensions') diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c index b60c57ee..a8d9dda0 100644 --- a/extensions/libipt_realm.c +++ b/extensions/libipt_realm.c @@ -41,7 +41,7 @@ static void realm_init(struct xt_entry_match *m) static void realm_parse(struct xt_option_call *cb) { - struct ipt_realm_info *realminfo = cb->data; + struct xt_realm_info *realminfo = cb->data; int id; char *end; @@ -87,7 +87,7 @@ print_realm(unsigned long id, unsigned long mask, int numeric) static void realm_print(const void *ip, const struct xt_entry_match *match, int numeric) { - const struct ipt_realm_info *ri = (const void *)match->data; + const struct xt_realm_info *ri = (const void *)match->data; if (ri->invert) printf(" !"); @@ -98,7 +98,7 @@ static void realm_print(const void *ip, const struct xt_entry_match *match, static void realm_save(const void *ip, const struct xt_entry_match *match) { - const struct ipt_realm_info *ri = (const void *)match->data; + const struct xt_realm_info *ri = (const void *)match->data; if (ri->invert) printf(" !"); @@ -111,8 +111,8 @@ static struct xtables_match realm_mt_reg = { .name = "realm", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_realm_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_realm_info)), + .size = XT_ALIGN(sizeof(struct xt_realm_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_realm_info)), .help = realm_help, .init = realm_init, .print = realm_print, -- cgit v1.2.3 From 8fe22aa0a242314349f6cd7219b56a60a9d75276 Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Mon, 5 Sep 2011 22:25:39 +0200 Subject: Improve readability of bitwise operation CLUSTERIP: improve readability of bitwise operation Signed-off-by: Thomas Jarosch Signed-off-by: Pablo Neira Ayuso --- extensions/libipt_CLUSTERIP.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'extensions') diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c index 301e0e1d..f4b638b2 100644 --- a/extensions/libipt_CLUSTERIP.c +++ b/extensions/libipt_CLUSTERIP.c @@ -144,7 +144,7 @@ static void CLUSTERIP_print(const void *ip, const struct ipt_clusterip_tgt_info *cipinfo = (const struct ipt_clusterip_tgt_info *)target->data; - if (!cipinfo->flags & CLUSTERIP_FLAG_NEW) { + if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) { printf(" CLUSTERIP"); return; } @@ -164,7 +164,7 @@ static void CLUSTERIP_save(const void *ip, const struct xt_entry_target *target) /* if this is not a new entry, we don't need to save target * parameters */ - if (!cipinfo->flags & CLUSTERIP_FLAG_NEW) + if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) return; printf(" --new --hashmode %s --clustermac %s --total-nodes %d --local-node %d --hash-init %u", -- cgit v1.2.3 From 79ddbf202a06e6f018e087a328c2ca91e65a8463 Mon Sep 17 00:00:00 2001 From: Tim Gardner Date: Wed, 30 Nov 2011 08:16:53 -0700 Subject: libxt_recent: Add support for --reap option Support for the reap option was merged in the kernel as of 2.6.35. Cc: Pablo Neira Ayuso Cc: Jan Engelhardt Signed-off-by: Tim Gardner --- extensions/libxt_recent.c | 17 ++++++++++++++++- extensions/libxt_recent.man | 5 +++++ 2 files changed, 21 insertions(+), 1 deletion(-) (limited to 'extensions') diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c index 1e1a111f..c7dce4e7 100644 --- a/extensions/libxt_recent.c +++ b/extensions/libxt_recent.c @@ -10,6 +10,7 @@ enum { O_UPDATE, O_REMOVE, O_SECONDS, + O_REAP, O_HITCOUNT, O_RTTL, O_NAME, @@ -19,6 +20,7 @@ enum { F_RCHECK = 1 << O_RCHECK, F_UPDATE = 1 << O_UPDATE, F_REMOVE = 1 << O_REMOVE, + F_SECONDS = 1 << O_SECONDS, F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE, }; @@ -33,7 +35,9 @@ static const struct xt_option_entry recent_opts[] = { {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE, .excl = F_ANY_OP, .flags = XTOPT_INVERT}, {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32, - .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)}, + .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1}, + {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE, + .also = F_SECONDS }, {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32, .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)}, {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE, @@ -57,6 +61,8 @@ static void recent_help(void) " --seconds seconds For check and update commands above.\n" " Specifies that the match will only occur if source address last seen within\n" " the last 'seconds' seconds.\n" +" --reap Purge entries older then 'seconds'.\n" +" Can only be used in conjunction with the seconds option.\n" " --hitcount hits For check and update commands above.\n" " Specifies that the match will only occur if source address seen hits times.\n" " May be used in conjunction with the seconds option.\n" @@ -117,11 +123,16 @@ static void recent_parse(struct xt_option_call *cb) case O_RDEST: info->side = XT_RECENT_DEST; break; + case O_REAP: + info->check_set |= XT_RECENT_REAP; + break; } } static void recent_check(struct xt_fcheck_call *cb) { + struct xt_recent_mtinfo *info = cb->data; + if (!(cb->xflags & F_ANY_OP)) xtables_error(PARAMETER_PROBLEM, "recent: you must specify one of `--set', `--rcheck' " @@ -146,6 +157,8 @@ static void recent_print(const void *ip, const struct xt_entry_match *match, if (info->check_set & XT_RECENT_REMOVE) printf(" REMOVE"); if(info->seconds) printf(" seconds: %d", info->seconds); + if (info->check_set & XT_RECENT_REAP) + printf(" reap"); if(info->hit_count) printf(" hit_count: %d", info->hit_count); if (info->check_set & XT_RECENT_TTL) printf(" TTL-Match"); @@ -172,6 +185,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match) if (info->check_set & XT_RECENT_REMOVE) printf(" --remove"); if(info->seconds) printf(" --seconds %d", info->seconds); + if (info->check_set & XT_RECENT_REAP) + printf(" --reap"); if(info->hit_count) printf(" --hitcount %d", info->hit_count); if (info->check_set & XT_RECENT_TTL) printf(" --rttl"); diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man index 0392c2ca..8043df4a 100644 --- a/extensions/libxt_recent.man +++ b/extensions/libxt_recent.man @@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or \fB\-\-update\fP. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. .TP +\fB\-\-reap\fP +This option can only be used in conjunction with \fB\-\-seconds\fP. +When used, this will cause entries older than the last given number of seconds +to be purged. +.TP \fB\-\-hitcount\fP \fIhits\fP This option must be used in conjunction with one of \fB\-\-rcheck\fP or \fB\-\-update\fP. When used, this will narrow the match to only happen when the -- cgit v1.2.3