diff options
| -rwxr-xr-x | extensions/.policy-test | 3 | ||||
| -rwxr-xr-x | extensions/.policy-test6 | 3 | ||||
| -rw-r--r-- | extensions/Makefile | 4 | ||||
| -rw-r--r-- | extensions/libip6t_policy.c | 8 | ||||
| -rw-r--r-- | extensions/libipt_policy.c | 8 | ||||
| -rw-r--r-- | include/linux/netfilter_ipv4/ipt_policy.h | 58 | ||||
| -rw-r--r-- | include/linux/netfilter_ipv6/ip6t_policy.h | 58 |
7 files changed, 126 insertions, 16 deletions
diff --git a/extensions/.policy-test b/extensions/.policy-test deleted file mode 100755 index c2bb7bd5..00000000 --- a/extensions/.policy-test +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -# -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_policy.h ] && echo policy diff --git a/extensions/.policy-test6 b/extensions/.policy-test6 deleted file mode 100755 index 5e6f4843..00000000 --- a/extensions/.policy-test6 +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -# -[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_policy.h ] && echo policy diff --git a/extensions/Makefile b/extensions/Makefile index a751b298..7164e1d2 100644 --- a/extensions/Makefile +++ b/extensions/Makefile @@ -5,8 +5,8 @@ # header files are present in the include/linux directory of this iptables # package (HW) # -PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG -PF6_EXT_SLIB:=connmark eui64 hl icmpv6 length limit mac mark multiport owner physdev standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE +PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG +PF6_EXT_SLIB:=connmark eui64 hl icmpv6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE # Optionals PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c index 54cd5f2b..74912b47 100644 --- a/extensions/libip6t_policy.c +++ b/extensions/libip6t_policy.c @@ -237,8 +237,8 @@ static int parse(int c, char **argv, int invert, unsigned int *flags, e->match.saddr = 1; e->invert.saddr = invert; - in6addrcpy(&e->saddr, addr); - in6addrcpy(&e->smask, &mask); + in6addrcpy(&e->saddr.a6, addr); + in6addrcpy(&e->smask.a6, &mask); break; case '7': if (e->match.daddr) @@ -252,8 +252,8 @@ static int parse(int c, char **argv, int invert, unsigned int *flags, e->match.daddr = 1; e->invert.daddr = invert; - in6addrcpy(&e->daddr, addr); - in6addrcpy(&e->dmask, &mask); + in6addrcpy(&e->daddr.a6, addr); + in6addrcpy(&e->dmask.a6, &mask); break; case '8': if (e->match.proto) diff --git a/extensions/libipt_policy.c b/extensions/libipt_policy.c index 55b969d1..6c8828e1 100644 --- a/extensions/libipt_policy.c +++ b/extensions/libipt_policy.c @@ -197,8 +197,8 @@ static int parse(int c, char **argv, int invert, unsigned int *flags, e->match.saddr = 1; e->invert.saddr = invert; - e->saddr = addr[0].s_addr; - e->smask = mask.s_addr; + e->saddr.a4 = addr[0]; + e->smask.a4 = mask; break; case '7': if (e->match.daddr) @@ -212,8 +212,8 @@ static int parse(int c, char **argv, int invert, unsigned int *flags, e->match.daddr = 1; e->invert.daddr = invert; - e->daddr = addr[0].s_addr; - e->dmask = mask.s_addr; + e->daddr.a4 = addr[0]; + e->dmask.a4 = mask; break; case '8': if (e->match.proto) diff --git a/include/linux/netfilter_ipv4/ipt_policy.h b/include/linux/netfilter_ipv4/ipt_policy.h new file mode 100644 index 00000000..a3f6eff3 --- /dev/null +++ b/include/linux/netfilter_ipv4/ipt_policy.h @@ -0,0 +1,58 @@ +#ifndef _IPT_POLICY_H +#define _IPT_POLICY_H + +#define IPT_POLICY_MAX_ELEM 4 + +enum ipt_policy_flags +{ + IPT_POLICY_MATCH_IN = 0x1, + IPT_POLICY_MATCH_OUT = 0x2, + IPT_POLICY_MATCH_NONE = 0x4, + IPT_POLICY_MATCH_STRICT = 0x8, +}; + +enum ipt_policy_modes +{ + IPT_POLICY_MODE_TRANSPORT, + IPT_POLICY_MODE_TUNNEL +}; + +struct ipt_policy_spec +{ + u_int8_t saddr:1, + daddr:1, + proto:1, + mode:1, + spi:1, + reqid:1; +}; + +union ipt_policy_addr +{ + struct in_addr a4; + struct in6_addr a6; +}; + +struct ipt_policy_elem +{ + union ipt_policy_addr saddr; + union ipt_policy_addr smask; + union ipt_policy_addr daddr; + union ipt_policy_addr dmask; + u_int32_t spi; + u_int32_t reqid; + u_int8_t proto; + u_int8_t mode; + + struct ipt_policy_spec match; + struct ipt_policy_spec invert; +}; + +struct ipt_policy_info +{ + struct ipt_policy_elem pol[IPT_POLICY_MAX_ELEM]; + u_int16_t flags; + u_int16_t len; +}; + +#endif /* _IPT_POLICY_H */ diff --git a/include/linux/netfilter_ipv6/ip6t_policy.h b/include/linux/netfilter_ipv6/ip6t_policy.h new file mode 100644 index 00000000..671bd818 --- /dev/null +++ b/include/linux/netfilter_ipv6/ip6t_policy.h @@ -0,0 +1,58 @@ +#ifndef _IP6T_POLICY_H +#define _IP6T_POLICY_H + +#define IP6T_POLICY_MAX_ELEM 4 + +enum ip6t_policy_flags +{ + IP6T_POLICY_MATCH_IN = 0x1, + IP6T_POLICY_MATCH_OUT = 0x2, + IP6T_POLICY_MATCH_NONE = 0x4, + IP6T_POLICY_MATCH_STRICT = 0x8, +}; + +enum ip6t_policy_modes +{ + IP6T_POLICY_MODE_TRANSPORT, + IP6T_POLICY_MODE_TUNNEL +}; + +struct ip6t_policy_spec +{ + u_int8_t saddr:1, + daddr:1, + proto:1, + mode:1, + spi:1, + reqid:1; +}; + +union ip6t_policy_addr +{ + struct in_addr a4; + struct in6_addr a6; +}; + +struct ip6t_policy_elem +{ + union ip6t_policy_addr saddr; + union ip6t_policy_addr smask; + union ip6t_policy_addr daddr; + union ip6t_policy_addr dmask; + u_int32_t spi; + u_int32_t reqid; + u_int8_t proto; + u_int8_t mode; + + struct ip6t_policy_spec match; + struct ip6t_policy_spec invert; +}; + +struct ip6t_policy_info +{ + struct ip6t_policy_elem pol[IP6T_POLICY_MAX_ELEM]; + u_int16_t flags; + u_int16_t len; +}; + +#endif /* _IP6T_POLICY_H */ |