Diffstat (limited to 'extensions')
-rw-r--r--extensions/libipt_CLUSTERIP.c4
-rw-r--r--extensions/libipt_realm.c10
-rw-r--r--extensions/libxt_addrtype.c (renamed from extensions/libipt_addrtype.c)56
-rw-r--r--extensions/libxt_addrtype.man (renamed from extensions/libipt_addrtype.man)0
-rw-r--r--extensions/libxt_recent.c17
-rw-r--r--extensions/libxt_recent.man5
6 files changed, 52 insertions, 40 deletions
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index 301e0e1d..f4b638b2 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -144,7 +144,7 @@ static void CLUSTERIP_print(const void *ip,
const struct ipt_clusterip_tgt_info *cipinfo =
(const struct ipt_clusterip_tgt_info *)target->data;
- if (!cipinfo->flags & CLUSTERIP_FLAG_NEW) {
+ if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
printf(" CLUSTERIP");
return;
}
@@ -164,7 +164,7 @@ static void CLUSTERIP_save(const void *ip, const struct xt_entry_target *target)
/* if this is not a new entry, we don't need to save target
* parameters */
- if (!cipinfo->flags & CLUSTERIP_FLAG_NEW)
+ if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW))
return;
printf(" --new --hashmode %s --clustermac %s --total-nodes %d --local-node %d --hash-init %u",
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index b60c57ee..a8d9dda0 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -41,7 +41,7 @@ static void realm_init(struct xt_entry_match *m)
static void realm_parse(struct xt_option_call *cb)
{
- struct ipt_realm_info *realminfo = cb->data;
+ struct xt_realm_info *realminfo = cb->data;
int id;
char *end;
@@ -87,7 +87,7 @@ print_realm(unsigned long id, unsigned long mask, int numeric)
static void realm_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
- const struct ipt_realm_info *ri = (const void *)match->data;
+ const struct xt_realm_info *ri = (const void *)match->data;
if (ri->invert)
printf(" !");
@@ -98,7 +98,7 @@ static void realm_print(const void *ip, const struct xt_entry_match *match,
static void realm_save(const void *ip, const struct xt_entry_match *match)
{
- const struct ipt_realm_info *ri = (const void *)match->data;
+ const struct xt_realm_info *ri = (const void *)match->data;
if (ri->invert)
printf(" !");
@@ -111,8 +111,8 @@ static struct xtables_match realm_mt_reg = {
.name = "realm",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_realm_info)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_realm_info)),
+ .size = XT_ALIGN(sizeof(struct xt_realm_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_realm_info)),
.help = realm_help,
.init = realm_init,
.print = realm_print,
diff --git a/extensions/libipt_addrtype.c b/extensions/libxt_addrtype.c
index 3dec626b..59072b35 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libxt_addrtype.c
@@ -4,7 +4,7 @@
#include <stdio.h>
#include <string.h>
#include <xtables.h>
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
+#include <linux/netfilter/xt_addrtype.h>
enum {
O_SRC_TYPE = 0,
@@ -98,7 +98,7 @@ static void parse_types(const char *arg, uint16_t *mask)
static void addrtype_parse_v0(struct xt_option_call *cb)
{
- struct ipt_addrtype_info *info = cb->data;
+ struct xt_addrtype_info *info = cb->data;
xtables_option_parse(cb);
switch (cb->entry->id) {
@@ -117,25 +117,25 @@ static void addrtype_parse_v0(struct xt_option_call *cb)
static void addrtype_parse_v1(struct xt_option_call *cb)
{
- struct ipt_addrtype_info_v1 *info = cb->data;
+ struct xt_addrtype_info_v1 *info = cb->data;
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_SRC_TYPE:
parse_types(cb->arg, &info->source);
if (cb->invert)
- info->flags |= IPT_ADDRTYPE_INVERT_SOURCE;
+ info->flags |= XT_ADDRTYPE_INVERT_SOURCE;
break;
case O_DST_TYPE:
parse_types(cb->arg, &info->dest);
if (cb->invert)
- info->flags |= IPT_ADDRTYPE_INVERT_DEST;
+ info->flags |= XT_ADDRTYPE_INVERT_DEST;
break;
case O_LIMIT_IFACE_IN:
- info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN;
+ info->flags |= XT_ADDRTYPE_LIMIT_IFACE_IN;
break;
case O_LIMIT_IFACE_OUT:
- info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT;
+ info->flags |= XT_ADDRTYPE_LIMIT_IFACE_OUT;
break;
}
}
@@ -162,8 +162,7 @@ static void print_types(uint16_t mask)
static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match,
int numeric)
{
- const struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) match->data;
+ const struct xt_addrtype_info *info = (const void *)match->data;
printf(" ADDRTYPE match");
if (info->source) {
@@ -183,34 +182,30 @@ static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match
static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match,
int numeric)
{
- const struct ipt_addrtype_info_v1 *info =
- (struct ipt_addrtype_info_v1 *) match->data;
+ const struct xt_addrtype_info_v1 *info = (const void *)match->data;
printf(" ADDRTYPE match");
if (info->source) {
printf(" src-type ");
- if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+ if (info->flags & XT_ADDRTYPE_INVERT_SOURCE)
printf("!");
print_types(info->source);
}
if (info->dest) {
printf(" dst-type ");
- if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+ if (info->flags & XT_ADDRTYPE_INVERT_DEST)
printf("!");
print_types(info->dest);
}
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
printf(" limit-in");
- }
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
printf(" limit-out");
- }
}
static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
{
- const struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) match->data;
+ const struct xt_addrtype_info *info = (const void *)match->data;
if (info->source) {
if (info->invert_source)
@@ -228,27 +223,24 @@ static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match)
{
- const struct ipt_addrtype_info_v1 *info =
- (struct ipt_addrtype_info_v1 *) match->data;
+ const struct xt_addrtype_info_v1 *info = (const void *)match->data;
if (info->source) {
- if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+ if (info->flags & XT_ADDRTYPE_INVERT_SOURCE)
printf(" !");
printf(" --src-type ");
print_types(info->source);
}
if (info->dest) {
- if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+ if (info->flags & XT_ADDRTYPE_INVERT_DEST)
printf(" !");
printf(" --dst-type ");
print_types(info->dest);
}
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
printf(" --limit-iface-in");
- }
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
printf(" --limit-iface-out");
- }
}
static const struct xt_option_entry addrtype_opts_v0[] = {
@@ -276,8 +268,8 @@ static struct xtables_match addrtype_mt_reg[] = {
.name = "addrtype",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
+ .size = XT_ALIGN(sizeof(struct xt_addrtype_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info)),
.help = addrtype_help_v0,
.print = addrtype_print_v0,
.save = addrtype_save_v0,
@@ -289,9 +281,9 @@ static struct xtables_match addrtype_mt_reg[] = {
.name = "addrtype",
.revision = 1,
.version = XTABLES_VERSION,
- .family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)),
.help = addrtype_help_v1,
.print = addrtype_print_v1,
.save = addrtype_save_v1,
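Review bot: Switching the revision-1 entry to `.family = NFPROTO_UNSPEC` makes that revision of the match registrable for IPv6 as well as IPv4, but the diffstat shows libxt_addrtype.man renamed with zero content changes, so the manual page presumably still describes the match in IPv4-only terms. A sentence in the man page stating that revision 1 is also usable from ip6tables, while revision 0 remains IPv4-only, would keep the documentation in step with this change. The addrtype_mt_reg array begins before and ends after this hunk, so any other revision entries are not visible here.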
diff --git a/extensions/libipt_addrtype.man b/extensions/libxt_addrtype.man
index 16fd9dfd..16fd9dfd 100644
--- a/extensions/libipt_addrtype.man
+++ b/extensions/libxt_addrtype.man
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 1e1a111f..c7dce4e7 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -10,6 +10,7 @@ enum {
O_UPDATE,
O_REMOVE,
O_SECONDS,
+ O_REAP,
O_HITCOUNT,
O_RTTL,
O_NAME,
@@ -19,6 +20,7 @@ enum {
F_RCHECK = 1 << O_RCHECK,
F_UPDATE = 1 << O_UPDATE,
F_REMOVE = 1 << O_REMOVE,
+ F_SECONDS = 1 << O_SECONDS,
F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE,
};
@@ -33,7 +35,9 @@ static const struct xt_option_entry recent_opts[] = {
{.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
.excl = F_ANY_OP, .flags = XTOPT_INVERT},
{.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
- .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)},
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1},
+ {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
+ .also = F_SECONDS },
{.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
.flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
{.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
@@ -57,6 +61,8 @@ static void recent_help(void)
" --seconds seconds For check and update commands above.\n"
" Specifies that the match will only occur if source address last seen within\n"
" the last 'seconds' seconds.\n"
+" --reap Purge entries older then 'seconds'.\n"
+" Can only be used in conjunction with the seconds option.\n"
" --hitcount hits For check and update commands above.\n"
" Specifies that the match will only occur if source address seen hits times.\n"
" May be used in conjunction with the seconds option.\n"
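Review bot: The new help line `" --reap Purge entries older then 'seconds'.\n"` has a typo, "then" where "than" is meant; it should read `" --reap Purge entries older than 'seconds'.\n"`. The same phrase is spelled correctly ("older than") in the libxt_recent.man hunk, so only the help string needs the fix. recent_help continues outside this hunk.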
@@ -117,11 +123,16 @@ static void recent_parse(struct xt_option_call *cb)
case O_RDEST:
info->side = XT_RECENT_DEST;
break;
+ case O_REAP:
+ info->check_set |= XT_RECENT_REAP;
+ break;
}
}
static void recent_check(struct xt_fcheck_call *cb)
{
+ struct xt_recent_mtinfo *info = cb->data;
+
if (!(cb->xflags & F_ANY_OP))
xtables_error(PARAMETER_PROBLEM,
"recent: you must specify one of `--set', `--rcheck' "
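Review bot: The added `struct xt_recent_mtinfo *info = cb->data;` at the top of recent_check has no use within the visible lines; recent_check continues past the hunk, so if the remainder of the function does not read `info`, the declaration is dead and will produce an unused-variable warning under -Wall. If the intent was to reject --reap given without --seconds from inside recent_check, note that the `.also = F_SECONDS` on the new reap entry in recent_opts already enforces that dependency at option-parse time, so a second check here would be redundant; otherwise the local should simply be dropped.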
@@ -146,6 +157,8 @@ static void recent_print(const void *ip, const struct xt_entry_match *match,
if (info->check_set & XT_RECENT_REMOVE)
printf(" REMOVE");
if(info->seconds) printf(" seconds: %d", info->seconds);
+ if (info->check_set & XT_RECENT_REAP)
+ printf(" reap");
if(info->hit_count) printf(" hit_count: %d", info->hit_count);
if (info->check_set & XT_RECENT_TTL)
printf(" TTL-Match");
@@ -172,6 +185,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match)
if (info->check_set & XT_RECENT_REMOVE)
printf(" --remove");
if(info->seconds) printf(" --seconds %d", info->seconds);
+ if (info->check_set & XT_RECENT_REAP)
+ printf(" --reap");
if(info->hit_count) printf(" --hitcount %d", info->hit_count);
if (info->check_set & XT_RECENT_TTL)
printf(" --rttl");
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 0392c2ca..8043df4a 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
+\fB\-\-reap\fP
+This option can only be used in conjunction with \fB\-\-seconds\fP.
+When used, this will cause entries older than the last given number of seconds
+to be purged.
+.TP
\fB\-\-hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the