-rw-r--r-- | extensions/libip6t_LOG.c | 18 | ||||
-rw-r--r-- | extensions/libipt_LOG.c | 17 | ||||
-rw-r--r-- | extensions/libxt_CHECKSUM.c | 96 | ||||
-rw-r--r-- | extensions/libxt_CHECKSUM.man | 8 | ||||
-rw-r--r-- | extensions/libxt_IDLETIMER.c | 138 | ||||
-rw-r--r-- | extensions/libxt_IDLETIMER.man | 20 | ||||
-rw-r--r-- | include/linux/netfilter/xt_CHECKSUM.h | 18 | ||||
-rw-r--r-- | include/linux/netfilter/xt_IDLETIMER.h | 45 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_LOG.h | 3 | ||||
-rw-r--r-- | include/linux/netfilter_ipv6/ip6t_LOG.h | 3 |
10 files changed, 362 insertions, 4 deletions
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index 423d9884..ff9edc68 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -25,7 +25,8 @@ static void LOG_help(void) " --log-tcp-sequence Log TCP sequence numbers.\n" " --log-tcp-options Log TCP options.\n" " --log-ip-options Log IP options.\n" -" --log-uid Log UID owning the local socket.\n"); +" --log-uid Log UID owning the local socket.\n" +" --log-macdecode Decode MAC addresses and protocol.\n"); } static const struct option LOG_opts[] = {
@@ -35,6 +36,7 @@ static const struct option LOG_opts[] = { { .name = "log-tcp-options", .has_arg = 0, .val = '2' }, { .name = "log-ip-options", .has_arg = 0, .val = '3' }, { .name = "log-uid", .has_arg = 0, .val = '4' }, + { .name = "log-macdecode", .has_arg = 0, .val = '5' }, { .name = NULL } };
@@ -96,6 +98,7 @@ parse_level(const char *level) #define IP6T_LOG_OPT_TCPOPT 0x08 #define IP6T_LOG_OPT_IPOPT 0x10 #define IP6T_LOG_OPT_UID 0x20 +#define IP6T_LOG_OPT_MACDECODE 0x40 static int LOG_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_target **target)
@@ -179,6 +182,15 @@ static int LOG_parse(int c, char **argv, int invert, unsigned int *flags, *flags |= IP6T_LOG_OPT_UID; break; + case '5': + if (*flags & IP6T_LOG_OPT_MACDECODE) + xtables_error(PARAMETER_PROBLEM, + "Can't specify --log-macdecode twice"); + + loginfo->logflags |= IP6T_LOG_MACDECODE; + *flags |= IP6T_LOG_OPT_MACDECODE; + break; + default: return 0; }
@@ -213,6 +225,8 @@ static void LOG_print(const void *ip, const struct xt_entry_target *target, printf("ip-options "); if (loginfo->logflags & IP6T_LOG_UID) printf("uid "); + if (loginfo->logflags & IP6T_LOG_MACDECODE) + printf("macdecode "); if (loginfo->logflags & ~(IP6T_LOG_MASK)) printf("unknown-flags "); }
@@ -240,6 +254,8 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target) printf("--log-ip-options "); if (loginfo->logflags & IP6T_LOG_UID) printf("--log-uid "); + if (loginfo->logflags & IP6T_LOG_MACDECODE) + printf("--log-macdecode "); } static struct xtables_target log_tg6_reg = {
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 9afb91d6..73c8f32d 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -25,7 +25,8 @@ static void LOG_help(void) " --log-tcp-sequence Log TCP sequence numbers.\n\n" " --log-tcp-options Log TCP options.\n\n" " --log-ip-options Log IP options.\n\n" -" --log-uid Log UID owning the local socket.\n\n"); +" --log-uid Log UID owning the local socket.\n\n" +" --log-macdecode Decode MAC addresses and protocol.\n\n"); } static const struct option LOG_opts[] = {
@@ -35,6 +36,7 @@ static const struct option LOG_opts[] = { { .name = "log-tcp-options", .has_arg = 0, .val = '2' }, { .name = "log-ip-options", .has_arg = 0, .val = '3' }, { .name = "log-uid", .has_arg = 0, .val = '4' }, + { .name = "log-macdecode", .has_arg = 0, .val = '5' }, { .name = NULL } };
@@ -96,6 +98,7 @@ parse_level(const char *level) #define IPT_LOG_OPT_TCPOPT 0x08 #define IPT_LOG_OPT_IPOPT 0x10 #define IPT_LOG_OPT_UID 0x20 +#define IPT_LOG_OPT_MACDECODE 0x40 static int LOG_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_target **target)
@@ -179,6 +182,14 @@ static int LOG_parse(int c, char **argv, int invert, unsigned int *flags, *flags |= IPT_LOG_OPT_UID; break; + case '5': + if (*flags & IPT_LOG_OPT_MACDECODE) + xtables_error(PARAMETER_PROBLEM, + "Can't specifiy --log-macdecode twice"); + + loginfo->logflags |= IPT_LOG_MACDECODE; + *flags |= IPT_LOG_OPT_MACDECODE; + break; default: return 0; }
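Review bot: The duplicate-option error string in the new `case '5'` of LOG_parse in libipt_LOG.c misspells "specify"; it should read `"Can't specify --log-macdecode twice"`, matching the wording the libip6t_LOG.c counterpart in this same commit already uses. The IPv4 hunk also drops the blank line between `break;` and `default:` that the neighbouring cases and the IPv6 version keep, so restoring it would leave the two files identical apart from the IPT/IP6T prefixes. LOG_parse begins and ends outside this hunk.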
@@ -213,6 +224,8 @@ static void LOG_print(const void *ip, const struct xt_entry_target *target, printf("ip-options "); if (loginfo->logflags & IPT_LOG_UID) printf("uid "); + if (loginfo->logflags & IPT_LOG_MACDECODE) + printf("macdecode "); if (loginfo->logflags & ~(IPT_LOG_MASK)) printf("unknown-flags "); }
@@ -242,6 +255,8 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target) printf("--log-ip-options "); if (loginfo->logflags & IPT_LOG_UID) printf("--log-uid "); + if (loginfo->logflags & IPT_LOG_MACDECODE) + printf("--log-macdecode "); } static struct xtables_target log_tg_reg = {
diff --git a/extensions/libxt_CHECKSUM.c b/extensions/libxt_CHECKSUM.c
new file mode 100644
index 00000000..9a24443b
--- /dev/null
+++ b/extensions/libxt_CHECKSUM.c
@@ -0,0 +1,96 @@ +/* Shared library add-on to xtables for CHECKSUM + * + * (C) 2002 by Harald Welte <laforge@gnumonks.org> + * (C) 2010 by Red Hat, Inc + * Author: Michael S. Tsirkin <mst@redhat.com> + * + * This program is distributed under the terms of GNU GPL v2, 1991 + * + * libxt_CHECKSUM.c borrowed some bits from libipt_ECN.c + */ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> + +#include <xtables.h> +#include <linux/netfilter/xt_CHECKSUM.h> + +static void CHECKSUM_help(void) +{ + printf( +"CHECKSUM target options\n" +" --checksum-fill Fill in packet checksum.\n"); +} + +static const struct option CHECKSUM_opts[] = { + { "checksum-fill", 0, NULL, 'F' }, + { .name = NULL } +}; + +static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_CHECKSUM_info *einfo + = (struct xt_CHECKSUM_info *)(*target)->data; + + switch (c) { + case 'F': + xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill", + *flags & XT_CHECKSUM_OP_FILL); + einfo->operation = XT_CHECKSUM_OP_FILL; + *flags |= XT_CHECKSUM_OP_FILL; + break; + default: + return 0; + } + + return 1; +} + +static void CHECKSUM_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "CHECKSUM target: Parameter --checksum-fill is required"); +} + +static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_CHECKSUM_info *einfo = + (const struct xt_CHECKSUM_info *)target->data; + + printf("CHECKSUM "); + + if (einfo->operation & XT_CHECKSUM_OP_FILL) + printf("fill "); +} + +static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_CHECKSUM_info *einfo = + (const struct xt_CHECKSUM_info *)target->data; + + if (einfo->operation & XT_CHECKSUM_OP_FILL) + printf("--checksum-fill "); +} + +static struct xtables_target checksum_tg_reg = { + .name = "CHECKSUM", + .version = 
XTABLES_VERSION, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)), + .help = CHECKSUM_help, + .parse = CHECKSUM_parse, + .final_check = CHECKSUM_check, + .print = CHECKSUM_print, + .save = CHECKSUM_save, + .extra_opts = CHECKSUM_opts, +}; + +void _init(void) +{ + xtables_register_target(&checksum_tg_reg); +}
diff --git a/extensions/libxt_CHECKSUM.man b/extensions/libxt_CHECKSUM.man
new file mode 100644
index 00000000..92ae700f
--- /dev/null
+++ b/extensions/libxt_CHECKSUM.man
@@ -0,0 +1,8 @@ +This target allows to selectively work around broken/old applications. +It can only be used in the mangle table. +.TP +\fB\-\-checksum\-fill\fP +Compute and fill in the checksum in a packet that lacks a checksum. +This is particularly useful, if you need to work around old applications +such as dhcp clients, that do not work well with checksum offloads, +but don't want to disable checksum offload in your device.
diff --git a/extensions/libxt_IDLETIMER.c b/extensions/libxt_IDLETIMER.c
new file mode 100644
index 00000000..c931d0ee
--- /dev/null
+++ b/extensions/libxt_IDLETIMER.c
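Review bot: CHECKSUM_parse records its once-only state by writing the kernel operation value `XT_CHECKSUM_OP_FILL` itself into `*flags`, so the parser bookkeeping and the wire struct's bitset share one namespace; a private parser-side constant, as libxt_IDLETIMER.c in this same commit does with its `IDLETIMER_TG_OPT_*` enum, keeps the two from drifting if xt_CHECKSUM.h ever gains more operations. The first entry of `CHECKSUM_opts` is written positionally, `{ "checksum-fill", 0, NULL, 'F' }`, while its terminator and the LOG extensions use designated initializers; `{ .name = "checksum-fill", .has_arg = 0, .val = 'F' }` would be consistent. The file header says only where the code was borrowed from, not what the target does; a line such as `/* CHECKSUM target: compute and fill in the checksum of a packet that lacks one */` (the wording of the accompanying man page) would orient a reader.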
@@ -0,0 +1,138 @@ +/* + * Shared library add-on for iptables to add IDLETIMER support. + * + * Copyright (C) 2010 Nokia Corporation. All rights reserved. + * + * Contact: Luciano Coelho <luciano.coelho@nokia.com> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA + * + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <stddef.h> + +#include <xtables.h> +#include <linux/netfilter/xt_IDLETIMER.h> + +enum { + IDLETIMER_TG_OPT_TIMEOUT = 1 << 0, + IDLETIMER_TG_OPT_LABEL = 1 << 1, +}; + +static const struct option idletimer_tg_opts[] = { + { .name = "timeout", .has_arg = true, .flag = 0, .val = 't' }, + { .name = "label", .has_arg = true, .flag = 0, .val = 'l' }, + { .name = NULL } +}; + +static void idletimer_tg_help(void) +{ + printf( +"IDLETIMER target options:\n" +" --timeout time Timeout until the notification is sent (in seconds)\n" +" --label string Unique rule identifier\n" +"\n"); +} + +static int idletimer_tg_parse(int c, char **argv, int invert, + unsigned int *flags, + const void *entry, + struct xt_entry_target **target) +{ + struct idletimer_tg_info *info = + (struct idletimer_tg_info *)(*target)->data; + + switch (c) { + case 't': + xtables_param_act(XTF_ONLY_ONCE, "IDLETIMER", "--timeout", + *flags & IDLETIMER_TG_OPT_TIMEOUT); + + info->timeout = atoi(optarg); + *flags |= IDLETIMER_TG_OPT_TIMEOUT; + 
break; + + case 'l': + xtables_param_act(XTF_ONLY_ONCE, "IDLETIMER", "--label", + *flags & IDLETIMER_TG_OPT_TIMEOUT); + + if (strlen(optarg) > MAX_IDLETIMER_LABEL_SIZE - 1) + xtables_param_act(XTF_BAD_VALUE, "IDLETIMER", "--label", + optarg); + + strcpy(info->label, optarg); + *flags |= IDLETIMER_TG_OPT_LABEL; + break; + + default: + return false; + } + + return true; +} + +static void idletimer_tg_final_check(unsigned int flags) +{ + if (!(flags & IDLETIMER_TG_OPT_TIMEOUT)) + xtables_error(PARAMETER_PROBLEM, "IDLETIMER target: " + "--timeout parameter required"); + if (!(flags & IDLETIMER_TG_OPT_LABEL)) + xtables_error(PARAMETER_PROBLEM, "IDLETIMER target: " + "--label parameter required"); +} + +static void idletimer_tg_print(const void *ip, + const struct xt_entry_target *target, + int numeric) +{ + struct idletimer_tg_info *info = + (struct idletimer_tg_info *) target->data; + + printf("timeout:%u ", info->timeout); + printf("label:%s ", info->label); +} + +static void idletimer_tg_save(const void *ip, + const struct xt_entry_target *target) +{ + struct idletimer_tg_info *info = + (struct idletimer_tg_info *) target->data; + + printf("--timeout %u ", info->timeout); + printf("--label %s ", info->label); +} + +static struct xtables_target idletimer_tg_reg = { + .family = NFPROTO_UNSPEC, + .name = "IDLETIMER", + .version = XTABLES_VERSION, + .revision = 0, + .size = XT_ALIGN(sizeof(struct idletimer_tg_info)), + .userspacesize = offsetof(struct idletimer_tg_info, timer), + .help = idletimer_tg_help, + .parse = idletimer_tg_parse, + .final_check = idletimer_tg_final_check, + .print = idletimer_tg_print, + .save = idletimer_tg_save, + .extra_opts = idletimer_tg_opts, +}; + +static __attribute__((constructor)) void idletimer_tg_ldr(void) +{ + xtables_register_target(&idletimer_tg_reg); +}
diff --git a/extensions/libxt_IDLETIMER.man b/extensions/libxt_IDLETIMER.man
new file mode 100644
index 00000000..e3c91cea
--- /dev/null
+++ b/extensions/libxt_IDLETIMER.man
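Review bot: The once-only guard in `case 'l'` of idletimer_tg_parse tests the wrong bit: it passes `*flags & IDLETIMER_TG_OPT_TIMEOUT`, so `--timeout 10 --label foo` is rejected as a repeated `--label` while a genuine repeat such as `--label a --label b` is accepted; the argument should be `*flags & IDLETIMER_TG_OPT_LABEL);`. Separately, `info->timeout = atoi(optarg)` fills a `__u32` with no syntax or range check, so `--timeout -1` or `--timeout abc` silently becomes a huge or zero timeout instead of a parse error; parsing with `xtables_strtoui(optarg, NULL, &tmp, 1, UINT32_MAX)` and calling `xtables_param_act(XTF_BAD_VALUE, "IDLETIMER", "--timeout", optarg)` on failure would match how `--label` is validated. The length check before `strcpy` is correctly bounded for `label[MAX_IDLETIMER_LABEL_SIZE]`, but a comment such as `/* label plus its NUL must fit MAX_IDLETIMER_LABEL_SIZE; per the man page it becomes a sysfs entry name */` would explain the `- 1` to the next reader.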
@@ -0,0 +1,20 @@ +This target can be used to identify when interfaces have been idle for a +certain period of time. Timers are identified by labels and are created when +a rule is set with a new label. The rules also take a timeout value (in +seconds) as an option. If more than one rule uses the same timer label, the +timer will be restarted whenever any of the rules get a hit. One entry for +each timer is created in sysfs. This attribute contains the timer remaining +for the timer to expire. The attributes are located under the xt_idletimer +class: +.PP +/sys/class/xt_idletimer/timers/<label> +.PP +When the timer expires, the target module sends a sysfs notification to the +userspace, which can then decide what to do (eg. disconnect to save power). +.TP +\fB\-\-timeout\fP \fIamount\fP +This is the time in seconds that will trigger the notification. +.TP +\fB\-\-label\fP \fIstring\fP +This is a unique identifier for the timer. The maximum length for the +label string is 27 characters.
diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/linux/netfilter/xt_CHECKSUM.h
new file mode 100644
index 00000000..3b4fb77a
--- /dev/null
+++ b/include/linux/netfilter/xt_CHECKSUM.h
@@ -0,0 +1,18 @@ +/* Header file for iptables ipt_CHECKSUM target + * + * (C) 2002 by Harald Welte <laforge@gnumonks.org> + * (C) 2010 Red Hat Inc + * Author: Michael S. Tsirkin <mst@redhat.com> + * + * This software is distributed under GNU GPL v2, 1991 +*/ +#ifndef _IPT_CHECKSUM_TARGET_H +#define _IPT_CHECKSUM_TARGET_H + +#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */ + +struct xt_CHECKSUM_info { + __u8 operation; /* bitset of operations */ +}; + +#endif /* _IPT_CHECKSUM_TARGET_H */
diff --git a/include/linux/netfilter/xt_IDLETIMER.h b/include/linux/netfilter/xt_IDLETIMER.h
new file mode 100644
index 00000000..3e1aa1be
--- /dev/null
+++ b/include/linux/netfilter/xt_IDLETIMER.h
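Review bot: xt_CHECKSUM.h uses `__u8` but includes nothing that declares it, unlike xt_IDLETIMER.h in this same commit, which pulls in `<linux/types.h>`; a consumer that includes this header first will not compile, so `#include <linux/types.h>` belongs right after the guard. The guard and header comment still carry the old `ipt_CHECKSUM` naming (`_IPT_CHECKSUM_TARGET_H`, "iptables ipt_CHECKSUM target") although the file and struct are `xt_`; `_XT_CHECKSUM_TARGET_H` would match the rest of include/linux/netfilter. The comment on `XT_CHECKSUM_OP_FILL` says "fill in checksum in IP header", which does not agree with the man page in this commit, which describes filling in a packet's missing checksum; one of the two should be corrected by someone who knows the kernel side.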
@@ -0,0 +1,45 @@ +/* + * linux/include/linux/netfilter/xt_IDLETIMER.h + * + * Header file for Xtables timer target module. + * + * Copyright (C) 2004, 2010 Nokia Corporation + * Written by Timo Teras <ext-timo.teras@nokia.com> + * + * Converted to x_tables and forward-ported to 2.6.34 + * by Luciano Coelho <luciano.coelho@nokia.com> + * + * Contact: Luciano Coelho <luciano.coelho@nokia.com> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA + */ + +#ifndef _XT_IDLETIMER_H +#define _XT_IDLETIMER_H + +#include <linux/types.h> + +#define MAX_IDLETIMER_LABEL_SIZE 28 + +struct idletimer_tg_info { + __u32 timeout; + + char label[MAX_IDLETIMER_LABEL_SIZE]; + + /* for kernel module internal use only */ + struct idletimer_tg *timer __attribute((aligned(8))); +}; + +#endif
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
index 90fa6525..dcdbadf9 100644
--- a/include/linux/netfilter_ipv4/ipt_LOG.h
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -7,7 +7,8 @@ #define IPT_LOG_IPOPT 0x04 /* Log IP options */ #define IPT_LOG_UID 0x08 /* Log UID owning local socket */ #define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ -#define IPT_LOG_MASK 0x1f +#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */ +#define IPT_LOG_MASK 0x2f struct ipt_log_info { unsigned char level;
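Review bot: The `timer` member in xt_IDLETIMER.h is spelled `__attribute((aligned(8)))`, the undocumented short form that GCC happens to accept; the documented keyword is `__attribute__((aligned(8)))`, which is also what libxt_IDLETIMER.c uses for its constructor. The comment "for kernel module internal use only" should also say why the alignment is there, since it is the only thing that keeps `sizeof(struct idletimer_tg_info)` equal between 32- and 64-bit builds and that size is what `.size` in the userspace registration is computed from; I would extend it to `/* kernel-private pointer; aligned(8) keeps sizeof() identical on 32/64-bit so .size matches the kernel */`, hedged as my reading of the two files. Nothing in this hunk validates `label` contents, so whether characters unsuitable for a sysfs entry name are rejected is left to the kernel side.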
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
index 0d0119b0..9dd5579e 100644
--- a/include/linux/netfilter_ipv6/ip6t_LOG.h
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -7,7 +7,8 @@ #define IP6T_LOG_IPOPT 0x04 /* Log IP options */ #define IP6T_LOG_UID 0x08 /* Log UID owning local socket */ #define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */ -#define IP6T_LOG_MASK 0x1f +#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */ +#define IP6T_LOG_MASK 0x2f struct ip6t_log_info { unsigned char level; |