Diffstat (limited to 'extensions')
-rwxr-xr-xextensions/.esp-test62
-rw-r--r--extensions/Makefile4
-rw-r--r--extensions/libip6t_esp.c185
-rw-r--r--extensions/libxt_esp.c (renamed from extensions/libipt_esp.c)63
4 files changed, 39 insertions, 215 deletions
diff --git a/extensions/.esp-test6 b/extensions/.esp-test6
deleted file mode 100755
index 7ded9452..00000000
--- a/extensions/.esp-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_esp.h ] && echo esp
diff --git a/extensions/Makefile b/extensions/Makefile
index 7a76ce0b..6b9a3e98 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -5,9 +5,9 @@
# header files are present in the include/linux directory of this iptables
# package (HW)
#
-PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange owner policy realm state tos ttl unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE REDIRECT REJECT SAME SNAT TCPMSS TOS TTL TRACE ULOG
+PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn hashlimit helper icmp iprange owner policy realm state tos ttl unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE REDIRECT REJECT SAME SNAT TCPMSS TOS TTL TRACE ULOG
PF6_EXT_SLIB:=connlimit connmark eui64 hl icmp6 owner policy state CONNMARK HL LOG NFQUEUE MARK TCPMSS TRACE
-PFX_EXT_SLIB:=length limit mac mark multiport physdev pkttype sctp standard tcp tcpmss udp NOTRACK
+PFX_EXT_SLIB:=esp length limit mac mark multiport physdev pkttype sctp standard tcp tcpmss udp NOTRACK
ifeq ($(DO_SELINUX), 1)
PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
diff --git a/extensions/libip6t_esp.c b/extensions/libip6t_esp.c
deleted file mode 100644
index 04cc5468..00000000
--- a/extensions/libip6t_esp.c
+++ /dev/null
@@ -1,185 +0,0 @@
-/* Shared library add-on to ip6tables to add ESP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <errno.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6t_esp.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"ESP v%s options:\n"
-" --espspi [!] spi[:spi] match spi (range)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "espspi", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = 0 }
-};
-
-static u_int32_t
-parse_esp_spi(const char *spistr)
-{
- unsigned long int spi;
- char* ep;
-
- spi = strtoul(spistr, &ep, 0);
-
- if ( spistr == ep ) {
- exit_error(PARAMETER_PROBLEM,
- "ESP no valid digits in spi `%s'", spistr);
- }
- if ( spi == ULONG_MAX && errno == ERANGE ) {
- exit_error(PARAMETER_PROBLEM,
- "spi `%s' specified too big: would overflow", spistr);
- }
- if ( *spistr != '\0' && *ep != '\0' ) {
- exit_error(PARAMETER_PROBLEM,
- "ESP error parsing spi `%s'", spistr);
- }
- return (u_int32_t) spi;
-}
-
-static void
-parse_esp_spis(const char *spistring, u_int32_t *spis)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(spistring);
- if ((cp = strchr(buffer, ':')) == NULL)
- spis[0] = spis[1] = parse_esp_spi(buffer);
- else {
- *cp = '\0';
- cp++;
-
- spis[0] = buffer[0] ? parse_esp_spi(buffer) : 0;
- spis[1] = cp[0] ? parse_esp_spi(cp) : 0xFFFFFFFF;
- if (spis[0] > spis[1])
- exit_error(PARAMETER_PROBLEM,
- "Invalid ESP spi range: %s", spistring);
- }
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_esp *espinfo = (struct ip6t_esp *)m->data;
-
- espinfo->spis[1] = 0xFFFFFFFF;
-}
-
-#define ESP_SPI 0x01
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry,
- unsigned int *nfcache,
- struct xt_entry_match **match)
-{
- struct ip6t_esp *espinfo = (struct ip6t_esp *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & ESP_SPI)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--espspi' allowed");
- check_inverse(optarg, &invert, &optind, 0);
- parse_esp_spis(argv[optind-1], espinfo->spis);
- if (invert)
- espinfo->invflags |= IP6T_ESP_INV_SPI;
- *flags |= ESP_SPI;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static void
-print_spis(const char *name, u_int32_t min, u_int32_t max,
- int invert)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFFFFFF || invert) {
- if (min == max)
- printf("%s:%s%u ", name, inv, min);
- else
- printf("%ss:%s%u:%u ", name, inv, min, max);
- }
-}
-
-/* Prints out the union ip6t_matchinfo. */
-static void
-print(const void *ip,
- const struct xt_entry_match *match, int numeric)
-{
- const struct ip6t_esp *esp = (struct ip6t_esp *)match->data;
-
- printf("esp ");
- print_spis("spi", esp->spis[0], esp->spis[1],
- esp->invflags & IP6T_ESP_INV_SPI);
- if (esp->invflags & ~IP6T_ESP_INV_MASK)
- printf("Unknown invflags: 0x%X ",
- esp->invflags & ~IP6T_ESP_INV_MASK);
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void save(const void *ip, const struct xt_entry_match *match)
-{
- const struct ip6t_esp *espinfo = (struct ip6t_esp *)match->data;
-
- if (!(espinfo->spis[0] == 0
- && espinfo->spis[1] == 0xFFFFFFFF)) {
- printf("--espspi %s",
- (espinfo->invflags & IP6T_ESP_INV_SPI) ? "! " : "");
- if (espinfo->spis[0]
- != espinfo->spis[1])
- printf("%u:%u ",
- espinfo->spis[0],
- espinfo->spis[1]);
- else
- printf("%u ",
- espinfo->spis[0]);
- }
-
-}
-
-static
-struct ip6tables_match esp = {
- .name = "esp",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_esp)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_esp)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-_init(void)
-{
- register_match6(&esp);
-}
diff --git a/extensions/libipt_esp.c b/extensions/libxt_esp.c
index b675f5bf..401c104a 100644
--- a/extensions/libipt_esp.c
+++ b/extensions/libxt_esp.c
@@ -5,8 +5,8 @@
#include <stdlib.h>
#include <getopt.h>
#include <errno.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_esp.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_esp.h>
/* Function which prints out usage message. */
static void
@@ -73,7 +73,7 @@ parse_esp_spis(const char *spistring, u_int32_t *spis)
static void
init(struct xt_entry_match *m, unsigned int *nfcache)
{
- struct ipt_esp *espinfo = (struct ipt_esp *)m->data;
+ struct xt_esp *espinfo = (struct xt_esp *)m->data;
espinfo->spis[1] = 0xFFFFFFFF;
}
@@ -88,7 +88,7 @@ parse(int c, char **argv, int invert, unsigned int *flags,
unsigned int *nfcache,
struct xt_entry_match **match)
{
- struct ipt_esp *espinfo = (struct ipt_esp *)(*match)->data;
+ struct xt_esp *espinfo = (struct xt_esp *)(*match)->data;
switch (c) {
case '1':
@@ -98,7 +98,7 @@ parse(int c, char **argv, int invert, unsigned int *flags,
check_inverse(optarg, &invert, &optind, 0);
parse_esp_spis(argv[optind-1], espinfo->spis);
if (invert)
- espinfo->invflags |= IPT_ESP_INV_SPI;
+ espinfo->invflags |= XT_ESP_INV_SPI;
*flags |= ESP_SPI;
break;
default:
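Review bot: The `--espspi` value passed to parse_esp_spis() on the context line above is still only checked for syntax, not for 32-bit range, if this file's parse_esp_spi() matches the copy deleted from libip6t_esp.c in this same commit: there strtoul() yields an unsigned long, so on LP64 hosts an input such as 0x100000000 passes the ULONG_MAX/ERANGE test and is silently truncated to 0 by the `(u_int32_t)` cast, and errno is never cleared before strtoul(), so a stale ERANGE can trigger a spurious "too big" error. A truncated SPI makes the rule match a different security association than the administrator asked for, so I would add `errno = 0;` before the strtoul() call and `if (spi > 0xFFFFFFFFUL) exit_error(PARAMETER_PROBLEM, "spi `%s' specified too big: would overflow", spistr);` right after it. parse_esp_spi()/parse_esp_spis() and the enclosing parse() both lie outside this hunk, so please confirm against the renamed file.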
@@ -121,17 +121,10 @@ print_spis(const char *name, u_int32_t min, u_int32_t max,
const char *inv = invert ? "!" : "";
if (min != 0 || max != 0xFFFFFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- printf("%u", min);
- } else {
- printf("s:%s", inv);
- printf("%u",min);
- printf(":");
- printf("%u",max);
- }
- printf(" ");
+ if (min == max)
+ printf("%s:%s%u ", name, inv, min);
+ else
+ printf("%ss:%s%u:%u ", name, inv, min, max);
}
}
@@ -140,25 +133,25 @@ static void
print(const void *ip,
const struct xt_entry_match *match, int numeric)
{
- const struct ipt_esp *esp = (struct ipt_esp *)match->data;
+ const struct xt_esp *esp = (struct xt_esp *)match->data;
printf("esp ");
print_spis("spi", esp->spis[0], esp->spis[1],
- esp->invflags & IPT_ESP_INV_SPI);
- if (esp->invflags & ~IPT_ESP_INV_MASK)
+ esp->invflags & XT_ESP_INV_SPI);
+ if (esp->invflags & ~XT_ESP_INV_MASK)
printf("Unknown invflags: 0x%X ",
- esp->invflags & ~IPT_ESP_INV_MASK);
+ esp->invflags & ~XT_ESP_INV_MASK);
}
/* Saves the union ipt_matchinfo in parsable form to stdout. */
static void save(const void *ip, const struct xt_entry_match *match)
{
- const struct ipt_esp *espinfo = (struct ipt_esp *)match->data;
+ const struct xt_esp *espinfo = (struct xt_esp *)match->data;
if (!(espinfo->spis[0] == 0
&& espinfo->spis[1] == 0xFFFFFFFF)) {
printf("--espspi %s",
- (espinfo->invflags & IPT_ESP_INV_SPI) ? "! " : "");
+ (espinfo->invflags & XT_ESP_INV_SPI) ? "! " : "");
if (espinfo->spis[0]
!= espinfo->spis[1])
printf("%u:%u ",
@@ -171,12 +164,29 @@ static void save(const void *ip, const struct xt_entry_match *match)
}
-static struct iptables_match esp = {
+static struct xtables_match esp = {
+ .next = NULL,
+ .family = AF_INET,
+ .name = "esp",
+ .version = IPTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_esp)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_esp)),
+ .help = &help,
+ .init = &init,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+static struct xtables_match esp6 = {
.next = NULL,
+ .family = AF_INET6,
.name = "esp",
.version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_esp)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_esp)),
+ .size = XT_ALIGN(sizeof(struct xt_esp)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_esp)),
.help = &help,
.init = &init,
.parse = &parse,
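Review bot: The new esp and esp6 descriptors are identical field for field except `.family`, so every future change to a callback or size field must be mirrored by hand in both and the two will silently diverge if one is missed. A more compact form keeps a single fully-initialised descriptor and derives the second one before registration, e.g. `static struct xtables_match esp6;` at file scope and `esp6 = esp; esp6.family = AF_INET6;` in _init() ahead of the second xtables_register_match() call, or builds both from one shared macro; the explicit `.next = NULL` in each can also go, since designated initializers zero omitted fields. The _init() body is in the following hunk, so this only concerns how the two objects are defined.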
@@ -189,5 +199,6 @@ static struct iptables_match esp = {
void
_init(void)
{
- register_match(&esp);
+ xtables_register_match(&esp);
+ xtables_register_match(&esp6);
}