Diffstat (limited to 'extensions')
-rw-r--r--extensions/GNUmakefile.in8
-rw-r--r--extensions/libxt_SECMARK.c8
-rw-r--r--extensions/libxt_TPROXY.c193
-rw-r--r--extensions/libxt_owner.c6
-rw-r--r--extensions/libxt_socket.c76
-rw-r--r--extensions/libxt_socket.man3
-rw-r--r--extensions/libxt_time.c1
7 files changed, 249 insertions, 46 deletions
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 709366a1..74a058c1 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -155,8 +155,8 @@ initext6.c: .initext6.dd
#
# Manual pages
#
-ex_matches = $(sort $(shell echo $(1) | grep -Eo '\b[a-z0-9]+\b'))
-ex_targets = $(sort $(shell echo $(1) | grep -Eo '\b[A-Z0-9]+\b'))
+ex_matches = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]]+\b'))
+ex_targets = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]]+\b'))
man_run = \
${AM_VERBOSE_GEN} \
for ext in $(1); do \
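Review bot: After this hunk `ex_matches` and `ex_targets` (the two `+` lines) expand to exactly the same expression, so the lowercase/uppercase split that previously separated match names from target names is gone and each variable will now list both kinds. If `man_run` still relies on that distinction, the classes should stay disjoint under `LC_ALL=POSIX`, e.g. `[[:lower:][:digit:]]` for `ex_matches` and `[[:upper:][:digit:]]` for `ex_targets`. If merging the two sets is intentional, a one-line comment above them saying so would stop the next reader from "fixing" it.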
@@ -165,14 +165,14 @@ man_run = \
if [ -f "$$f" ] && grep -Eq "$(3)|NFPROTO_UNSPEC" "$$cf"; then \
echo -e "\t+ $$f" >&2; \
echo ".SS $$ext"; \
- cat "$$f"; \
+ cat "$$f" || exit $$?; \
continue; \
fi; \
f="${srcdir}/lib$(2)t_$$ext.man"; \
if [ -f "$$f" ]; then \
echo -e "\t+ $$f" >&2; \
echo ".SS $$ext"; \
- cat "$$f"; \
+ cat "$$f" || exit $$?; \
continue; \
fi; \
done >$@;
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index 9e231eee..7bf4ff08 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -40,13 +40,13 @@ static int SECMARK_parse(int c, char **argv, int invert, unsigned int *flags,
"Can't specify --selctx twice");
info->mode = SECMARK_MODE_SEL;
- if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
+ if (strlen(optarg) > SECMARK_SECCTX_MAX-1)
xtables_error(PARAMETER_PROBLEM, PFX
"Maximum length %u exceeded by --selctx"
" parameter (%zu)",
- SECMARK_SELCTX_MAX-1, strlen(optarg));
+ SECMARK_SECCTX_MAX-1, strlen(optarg));
- strcpy(info->u.sel.selctx, optarg);
+ strcpy(info->secctx, optarg);
*flags |= SECMARK_MODE_SEL;
break;
default:
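Review bot: The `strcpy(info->secctx, optarg)` on the last `+` line is bounded only by the separate `strlen(optarg) > SECMARK_SECCTX_MAX-1` check a few lines above, so the copy stays safe only as long as that constant and the size of `secctx` move together. A copy bounded by the destination itself, `snprintf(info->secctx, sizeof(info->secctx), "%s", optarg);`, keeps the write safe independently of the check, which then serves purely as the diagnostic. This assumes `secctx` is an in-struct array rather than a pointer — confirm against the header. `SECMARK_parse` starts and ends outside the hunk.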
@@ -66,7 +66,7 @@ static void print_secmark(const struct xt_secmark_target_info *info)
{
switch (info->mode) {
case SECMARK_MODE_SEL:
- printf("selctx %s ", info->u.sel.selctx);\
+ printf("selctx %s ", info->secctx);
break;
default:
diff --git a/extensions/libxt_TPROXY.c b/extensions/libxt_TPROXY.c
index cd0b50a6..26419f5d 100644
--- a/extensions/libxt_TPROXY.c
+++ b/extensions/libxt_TPROXY.c
@@ -5,6 +5,7 @@
*/
#include <getopt.h>
#include <stdbool.h>
+#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -36,27 +37,39 @@ static void tproxy_tg_help(void)
" --tproxy-mark value[/mask] Mark packets with the given value/mask\n\n");
}
-static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_lport(const char *s, uint16_t *portp)
{
unsigned int lport;
if (xtables_strtoui(s, NULL, &lport, 0, UINT16_MAX))
- info->lport = htons(lport);
+ *portp = htons(lport);
else
xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-port", s);
}
-static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_laddr(const char *s, union nf_inet_addr *addrp,
+ unsigned int nfproto)
{
- struct in_addr *laddr;
+ struct in6_addr *laddr6 = NULL;
+ struct in_addr *laddr4 = NULL;
- if ((laddr = xtables_numeric_to_ipaddr(s)) == NULL)
- xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
-
- info->laddr = laddr->s_addr;
+ if (nfproto == NFPROTO_IPV6) {
+ laddr6 = xtables_numeric_to_ip6addr(s);
+ if (laddr6 == NULL)
+ goto out;
+ addrp->in6 = *laddr6;
+ } else if (nfproto == NFPROTO_IPV4) {
+ laddr4 = xtables_numeric_to_ipaddr(s);
+ if (laddr4 == NULL)
+ goto out;
+ addrp->in = *laddr4;
+ }
+ return;
+ out:
+ xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
}
-static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_mark(char *s, uint32_t *markp, uint32_t *maskp)
{
unsigned int value, mask = UINT32_MAX;
char *end;
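Review bot: In the new `parse_tproxy_laddr`, an `nfproto` that is neither `NFPROTO_IPV6` nor `NFPROTO_IPV4` falls past both branches and reaches `return;` without writing `*addrp` or reporting an error, so such a caller would continue with an unset address. Since the error label already exists, the chain should end with `} else { goto out; }` (or make IPv4 the unconditional `else` branch so every family is handled). Both call sites in this commit pass a constant family, so the gap is latent today; the guard makes the helper safe for future callers. The hunk ends inside `parse_tproxy_mark`, whose body continues below it.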
@@ -69,32 +82,32 @@ static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
if (*end != '\0')
xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
- info->mark_mask = mask;
- info->mark_value = value;
+ *markp = value;
+ *maskp = mask;
}
static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
- struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data;
+ struct xt_tproxy_target_info *info = (void *)(*target)->data;
switch (c) {
case '1':
xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
- parse_tproxy_lport(optarg, tproxyinfo);
+ parse_tproxy_lport(optarg, &info->lport);
*flags |= PARAM_ONPORT;
return 1;
case '2':
xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
- parse_tproxy_laddr(optarg, tproxyinfo);
+ parse_tproxy_laddr(optarg, (void *)&info->laddr, NFPROTO_IPV4);
*flags |= PARAM_ONIP;
return 1;
case '3':
xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
- parse_tproxy_mark(optarg, tproxyinfo);
+ parse_tproxy_mark(optarg, &info->mark_value, &info->mark_mask);
*flags |= PARAM_MARK;
return 1;
}
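Review bot: `parse_tproxy_laddr(optarg, (void *)&info->laddr, NFPROTO_IPV4)` in `tproxy_tg_parse` passes the revision-0 `laddr` field — a single 32-bit address, as the removed `info->laddr = laddr->s_addr` shows — through a `void *` cast to a parameter typed `union nf_inet_addr *`, which is larger than that field. It is correct only because the helper writes just `addrp->in` when given `NFPROTO_IPV4`; the cast hides that size dependency from both the compiler and readers. A comment at the call, `/* v0 laddr holds one IPv4 address: only ->in may be written, hence NFPROTO_IPV4 */`, would make the constraint explicit. `tproxy_tg_parse` continues past the end of the hunk.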
@@ -102,6 +115,49 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
return 0;
}
+static int
+tproxy_tg_parse1(int c, char **argv, int invert, unsigned int *flags,
+ struct xt_tproxy_target_info_v1 *info, unsigned int nfproto)
+{
+ switch (c) {
+ case '1':
+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
+ parse_tproxy_lport(optarg, &info->lport);
+ *flags |= PARAM_ONPORT;
+ return true;
+ case '2':
+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
+ parse_tproxy_laddr(optarg, (void *)&info->laddr, nfproto);
+ *flags |= PARAM_ONIP;
+ return true;
+ case '3':
+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
+ parse_tproxy_mark(optarg, &info->mark_value, &info->mark_mask);
+ *flags |= PARAM_MARK;
+ return true;
+ }
+ return false;
+}
+
+static int
+tproxy_tg_parse4(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tproxy_target_info_v1 *info = (void *)(*target)->data;
+ return tproxy_tg_parse1(c, argv, invert, flags, info, NFPROTO_IPV4);
+}
+
+static int
+tproxy_tg_parse6(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tproxy_target_info_v1 *info = (void *)(*target)->data;
+ return tproxy_tg_parse1(c, argv, invert, flags, info, NFPROTO_IPV6);
+}
+
static void tproxy_tg_check(unsigned int flags)
{
if (!(flags & PARAM_ONPORT))
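Review bot: `tproxy_tg_parse1` is declared to return `int` yet returns `true`/`false`, while the revision-0 `tproxy_tg_parse` directly above it returns `1`/`0` for the same callback contract, so the file now mixes two conventions side by side. Either declare the helper `static bool` (`<stdbool.h>` is already included) and let the `int` wrappers convert, or return `1`/`0` as the existing parser does. The hunk also cuts `tproxy_tg_check` at its opening; its body continues below.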
@@ -119,6 +175,32 @@ static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target
(unsigned int)info->mark_mask);
}
+static void
+tproxy_tg_print4(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tproxy_target_info_v1 *info =
+ (const void *)target->data;
+
+ printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
+ xtables_ipaddr_to_numeric(&info->laddr.in),
+ ntohs(info->lport), (unsigned int)info->mark_value,
+ (unsigned int)info->mark_mask);
+}
+
+static void
+tproxy_tg_print6(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tproxy_target_info_v1 *info =
+ (const void *)target->data;
+
+ printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
+ xtables_ip6addr_to_numeric(&info->laddr.in6),
+ ntohs(info->lport), (unsigned int)info->mark_value,
+ (unsigned int)info->mark_mask);
+}
+
static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_tproxy_target_info *info = (const void *)target->data;
@@ -130,21 +212,76 @@ static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
(unsigned int)info->mark_value, (unsigned int)info->mark_mask);
}
-static struct xtables_target tproxy_tg_reg = {
- .name = "TPROXY",
- .family = NFPROTO_IPV4,
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
- .help = tproxy_tg_help,
- .parse = tproxy_tg_parse,
- .final_check = tproxy_tg_check,
- .print = tproxy_tg_print,
- .save = tproxy_tg_save,
- .extra_opts = tproxy_tg_opts,
+static void
+tproxy_tg_save4(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tproxy_target_info_v1 *info;
+
+ info = (const void *)target->data;
+ printf("--on-port %u ", ntohs(info->lport));
+ printf("--on-ip %s ", xtables_ipaddr_to_numeric(&info->laddr.in));
+ printf("--tproxy-mark 0x%x/0x%x ",
+ (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
+}
+
+static void
+tproxy_tg_save6(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tproxy_target_info_v1 *info;
+
+ info = (const void *)target->data;
+ printf("--on-port %u ", ntohs(info->lport));
+ printf("--on-ip %s ", xtables_ip6addr_to_numeric(&info->laddr.in6));
+ printf("--tproxy-mark 0x%x/0x%x ",
+ (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
+}
+
+static struct xtables_target tproxy_tg_reg[] = {
+ {
+ .name = "TPROXY",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
+ .help = tproxy_tg_help,
+ .parse = tproxy_tg_parse,
+ .final_check = tproxy_tg_check,
+ .print = tproxy_tg_print,
+ .save = tproxy_tg_save,
+ .extra_opts = tproxy_tg_opts,
+ },
+ {
+ .name = "TPROXY",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+ .help = tproxy_tg_help,
+ .parse = tproxy_tg_parse4,
+ .final_check = tproxy_tg_check,
+ .print = tproxy_tg_print4,
+ .save = tproxy_tg_save4,
+ .extra_opts = tproxy_tg_opts,
+ },
+ {
+ .name = "TPROXY",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+ .help = tproxy_tg_help,
+ .parse = tproxy_tg_parse6,
+ .final_check = tproxy_tg_check,
+ .print = tproxy_tg_print6,
+ .save = tproxy_tg_save6,
+ .extra_opts = tproxy_tg_opts,
+ },
};
void _init(void)
{
- xtables_register_target(&tproxy_tg_reg);
+ xtables_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
}
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index 4015f137..867ed499 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -558,9 +558,9 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_owner_match_info *info = (void *)match->data;
- owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, false);
- owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, false);
- owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, false);
+ owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, true);
+ owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, true);
+ owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, true);
}
static struct xtables_match owner_mt_reg[] = {
diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index 1490473b..e4dff78b 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -3,17 +3,79 @@
*
* Copyright (C) 2007 BalaBit IT Ltd.
*/
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
#include <xtables.h>
+#include <linux/netfilter/xt_socket.h>
-static struct xtables_match socket_mt_reg = {
- .name = "socket",
- .version = XTABLES_VERSION,
- .family = NFPROTO_IPV4,
- .size = XT_ALIGN(0),
- .userspacesize = XT_ALIGN(0),
+static const struct option socket_mt_opts[] = {
+ {.name = "transparent", .has_arg = false, .val = 't'},
+ XT_GETOPT_TABLEEND,
+};
+
+static void socket_mt_help(void)
+{
+ printf(
+ "socket match options:\n"
+ " --transparent Ignore non-transparent sockets\n\n");
+}
+
+static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_socket_mtinfo1 *info = (void *)(*match)->data;
+
+ switch (c) {
+ case 't':
+ info->flags |= XT_SOCKET_TRANSPARENT;
+ return true;
+ }
+ return false;
+}
+
+static void
+socket_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_socket_mtinfo1 *info = (const void *)match->data;
+
+ if (info->flags & XT_SOCKET_TRANSPARENT)
+ printf("--transparent ");
+}
+
+static void
+socket_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ printf("socket ");
+ socket_mt_save(ip, match);
+}
+
+static struct xtables_match socket_mt_reg[] = {
+ {
+ .name = "socket",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(0),
+ .userspacesize = XT_ALIGN(0),
+ },
+ {
+ .name = "socket",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+ .help = socket_mt_help,
+ .parse = socket_mt_parse,
+ .print = socket_mt_print,
+ .save = socket_mt_save,
+ .extra_opts = socket_mt_opts,
+ },
};
void _init(void)
{
- xtables_register_match(&socket_mt_reg);
+ xtables_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
}
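Review bot: `socket_mt_parse` accepts `--transparent` without looking at `invert`, so `! --transparent` on the command line is silently treated as `--transparent` (the flag is set either way and the negation is lost), and a repeated `--transparent` is accepted without complaint; the TPROXY parser in this same series guards each option with `xtables_param_act`. Add `xtables_param_act(XTF_NO_INVERT, "socket", "--transparent", invert);` at the top of `case 't':`, and an `XTF_ONLY_ONCE` check through `*flags` if double use should be rejected. The `switch` also has no `default:`, which would make the fall-through to `return false` explicit.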
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c88542..41e8d674 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,5 @@
This matches if an open socket can be found by doing a socket lookup on the
packet.
+.TP
+\fB\-\-transparent\fP
+Ignore non-transparent sockets.
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 9f12266b..5462d930 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -20,6 +20,7 @@
#include <time.h>
#include <limits.h>
+#include <linux/types.h>
#include <linux/netfilter/xt_time.h>
#include <xtables.h>