Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/.gitignore | 9 | ||||
-rw-r--r-- | extensions/GNUmakefile.in | 56 | ||||
-rw-r--r-- | extensions/libipt_CLUSTERIP.c | 4 | ||||
-rw-r--r-- | extensions/libipt_realm.c | 10 | ||||
-rw-r--r-- | extensions/libxt_addrtype.c (renamed from extensions/libipt_addrtype.c) | 56 | ||||
-rw-r--r-- | extensions/libxt_addrtype.man (renamed from extensions/libipt_addrtype.man) | 0 | ||||
-rw-r--r-- | extensions/libxt_recent.c | 17 | ||||
-rw-r--r-- | extensions/libxt_recent.man | 5 |
8 files changed, 85 insertions, 72 deletions
diff --git a/extensions/.gitignore b/extensions/.gitignore
new file mode 100644
index 00000000..2e74faf7
--- /dev/null
+++ b/extensions/.gitignore
@@ -0,0 +1,9 @@
+.*.d
+.*.dd
+*.oo
+
+/GNUmakefile
+/initext.c
+/initext?.c
+/matches?.man
+/targets?.man
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index b088684e..218dc3ad 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -1,28 +1,29 @@
 # -*- Makefile -*-
-top_builddir := @top_builddir@
-builddir := @builddir@
-top_srcdir := @top_srcdir@
-srcdir := @srcdir@
-ksourcedir := @ksourcedir@
-prefix := @prefix@
-exec_prefix := @exec_prefix@
-libdir := @libdir@
-libexecdir := @libexecdir@
-xtlibdir := @xtlibdir@
-
-CC := @CC@
-CCLD := ${CC}
-CFLAGS := @CFLAGS@
-CPPFLAGS := @CPPFLAGS@
-LDFLAGS := @LDFLAGS@
-regular_CFLAGS := @regular_CFLAGS@
-regular_CPPFLAGS := @regular_CPPFLAGS@
-kinclude_CPPFLAGS := @kinclude_CPPFLAGS@
-
-AM_CFLAGS := ${regular_CFLAGS}
+top_builddir = @top_builddir@
+builddir = @builddir@
+top_srcdir = @top_srcdir@
+srcdir = @srcdir@
+ksourcedir = @ksourcedir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+libexecdir = @libexecdir@
+xtlibdir = @xtlibdir@
+
+CC = @CC@
+CCLD = ${CC}
+CFLAGS = @CFLAGS@
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+regular_CFLAGS = @regular_CFLAGS@
+regular_CPPFLAGS = @regular_CPPFLAGS@
+kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
+
+AM_CFLAGS = ${regular_CFLAGS}
 AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS}
 AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
+AM_LDFLAGS = @noundef_LDFLAGS@
 ifeq (${V},)
 AM_LIBTOOL_SILENT = --silent
@@ -68,16 +69,7 @@ targets_install :=
 .PHONY: all install clean distclean FORCE
-all: ${targets} check
-
-check: ${targets}
- @echo " CHECK unknown symbols in .so files"; \ . ../libxtables/libxtables.la; \ for i in lib*.so; do \ [ "$$i" = "lib*.so" ] && continue; \ LD_PRELOAD="$$dlname" LD_LIBRARY_PATH=../libxtables/.libs \ ldd -r $$i 2>&1 >/dev/null; \ done;
+all: ${targets}
 install: ${targets_install}
 @mkdir -p "${DESTDIR}${xtlibdir}";
@@ -99,7 +91,7 @@ init%.o: init%.c
 # Shared libraries
 #
 lib%.so: lib%.oo
- ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${$*_LIBADD};
+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
 lib%.oo: ${srcdir}/lib%.c
 ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index 301e0e1d..f4b638b2 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -144,7 +144,7 @@ static void CLUSTERIP_print(const void *ip,
 const struct ipt_clusterip_tgt_info *cipinfo = (const struct ipt_clusterip_tgt_info *)target->data;
- if (!cipinfo->flags & CLUSTERIP_FLAG_NEW) {
+ if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
 printf(" CLUSTERIP");
 return;
 }
@@ -164,7 +164,7 @@ static void CLUSTERIP_save(const void *ip, const struct xt_entry_target *target)
 /* if this is not a new entry, we don't need to save target
 * parameters */
- if (!cipinfo->flags & CLUSTERIP_FLAG_NEW)
+ if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW))
 return;
 printf(" --new --hashmode %s --clustermac %s --total-nodes %d --local-node %d --hash-init %u",
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index b60c57ee..a8d9dda0 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
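Review bot: The new link line in the `lib%.so` rule hard-codes `-L../libxtables/.libs`, a path relative to the build directory, while every other location in this file goes through the configure-substituted variables (`top_builddir`, `srcdir`). Spelling it `-L${top_builddir}/libxtables/.libs -lxtables` keeps the rule correct for out-of-tree builds where the extensions directory is not a sibling of libxtables. The `check` target removed in the previous hunk was the only place unresolved symbols in the built `.so` files were reported; presumably the `@noundef_LDFLAGS@` added in the first hunk now makes the linker reject them, but that substitution is defined outside this diff and is worth confirming.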
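Review bot: The corrected conditions in `CLUSTERIP_print` and `CLUSTERIP_save` now test the flag bit, but the old `!cipinfo->flags & CLUSTERIP_FLAG_NEW` shape evaluated `(!flags) & CLUSTERIP_FLAG_NEW`, which depends only on whether `flags` is zero and not on the `NEW` bit at all, so the same mistake in either function would again change which rules get their `--new` parameters saved. GCC and Clang diagnose this pattern with `-Wlogical-not-parentheses` (included in `-Wall` on recent GCC); it is worth confirming the extension build enables it so the print and save paths are kept in sync by the compiler rather than by inspection. The bodies of both functions continue outside the hunks.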
@@ -41,7 +41,7 @@ static void realm_init(struct xt_entry_match *m)
 static void realm_parse(struct xt_option_call *cb)
 {
- struct ipt_realm_info *realminfo = cb->data;
+ struct xt_realm_info *realminfo = cb->data;
 int id;
 char *end;
@@ -87,7 +87,7 @@ print_realm(unsigned long id, unsigned long mask, int numeric)
 static void realm_print(const void *ip, const struct xt_entry_match *match,
 int numeric)
 {
- const struct ipt_realm_info *ri = (const void *)match->data;
+ const struct xt_realm_info *ri = (const void *)match->data;
 if (ri->invert)
 printf(" !");
@@ -98,7 +98,7 @@ static void realm_print(const void *ip, const struct xt_entry_match *match,
 static void realm_save(const void *ip, const struct xt_entry_match *match)
 {
- const struct ipt_realm_info *ri = (const void *)match->data;
+ const struct xt_realm_info *ri = (const void *)match->data;
 if (ri->invert)
 printf(" !");
@@ -111,8 +111,8 @@ static struct xtables_match realm_mt_reg = {
 .name = "realm",
 .version = XTABLES_VERSION,
 .family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_realm_info)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_realm_info)),
+ .size = XT_ALIGN(sizeof(struct xt_realm_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_realm_info)),
 .help = realm_help,
 .init = realm_init,
 .print = realm_print,
diff --git a/extensions/libipt_addrtype.c b/extensions/libxt_addrtype.c
index 3dec626b..59072b35 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libxt_addrtype.c
@@ -4,7 +4,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <xtables.h>
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
+#include <linux/netfilter/xt_addrtype.h>
 enum {
 O_SRC_TYPE = 0,
@@ -98,7 +98,7 @@ static void parse_types(const char *arg, uint16_t *mask)
 static void addrtype_parse_v0(struct xt_option_call *cb)
 {
- struct ipt_addrtype_info *info = cb->data;
+ struct xt_addrtype_info *info = cb->data;
 xtables_option_parse(cb);
 switch (cb->entry->id) {
@@ -117,25 +117,25 @@ static void addrtype_parse_v0(struct xt_option_call *cb)
 static void addrtype_parse_v1(struct xt_option_call *cb)
 {
- struct ipt_addrtype_info_v1 *info = cb->data;
+ struct xt_addrtype_info_v1 *info = cb->data;
 xtables_option_parse(cb);
 switch (cb->entry->id) {
 case O_SRC_TYPE:
 parse_types(cb->arg, &info->source);
 if (cb->invert)
- info->flags |= IPT_ADDRTYPE_INVERT_SOURCE;
+ info->flags |= XT_ADDRTYPE_INVERT_SOURCE;
 break;
 case O_DST_TYPE:
 parse_types(cb->arg, &info->dest);
 if (cb->invert)
- info->flags |= IPT_ADDRTYPE_INVERT_DEST;
+ info->flags |= XT_ADDRTYPE_INVERT_DEST;
 break;
 case O_LIMIT_IFACE_IN:
- info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN;
+ info->flags |= XT_ADDRTYPE_LIMIT_IFACE_IN;
 break;
 case O_LIMIT_IFACE_OUT:
- info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT;
+ info->flags |= XT_ADDRTYPE_LIMIT_IFACE_OUT;
 break;
 }
 }
@@ -162,8 +162,7 @@ static void print_types(uint16_t mask)
 static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match, int numeric)
 {
- const struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) match->data;
+ const struct xt_addrtype_info *info = (const void *)match->data;
 printf(" ADDRTYPE match");
 if (info->source) {
@@ -183,34 +182,30 @@ static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match
 static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match, int numeric)
 {
- const struct ipt_addrtype_info_v1 *info =
- (struct ipt_addrtype_info_v1 *) match->data;
+ const struct xt_addrtype_info_v1 *info = (const void *)match->data;
 printf(" ADDRTYPE match");
 if (info->source) {
 printf(" src-type ");
- if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+ if (info->flags & XT_ADDRTYPE_INVERT_SOURCE)
 printf("!");
 print_types(info->source);
 }
 if (info->dest) {
 printf(" dst-type ");
- if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+ if (info->flags & XT_ADDRTYPE_INVERT_DEST)
 printf("!");
 print_types(info->dest);
 }
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
 printf(" limit-in");
- }
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
 printf(" limit-out");
- }
 }
 static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
 {
- const struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) match->data;
+ const struct xt_addrtype_info *info = (const void *)match->data;
 if (info->source) {
 if (info->invert_source)
@@ -228,27 +223,24 @@ static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
 static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match)
 {
- const struct ipt_addrtype_info_v1 *info =
- (struct ipt_addrtype_info_v1 *) match->data;
+ const struct xt_addrtype_info_v1 *info = (const void *)match->data;
 if (info->source) {
- if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+ if (info->flags & XT_ADDRTYPE_INVERT_SOURCE)
 printf(" !");
 printf(" --src-type ");
 print_types(info->source);
 }
 if (info->dest) {
- if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+ if (info->flags & XT_ADDRTYPE_INVERT_DEST)
 printf(" !");
 printf(" --dst-type ");
 print_types(info->dest);
 }
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
 printf(" --limit-iface-in");
- }
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
 printf(" --limit-iface-out");
- }
 }
 static const struct xt_option_entry addrtype_opts_v0[] = {
@@ -276,8 +268,8 @@ static struct xtables_match addrtype_mt_reg[] = {
 .name = "addrtype",
 .version = XTABLES_VERSION,
 .family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
+ .size = XT_ALIGN(sizeof(struct xt_addrtype_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info)),
 .help = addrtype_help_v0,
 .print = addrtype_print_v0,
 .save = addrtype_save_v0,
@@ -289,9 +281,9 @@ static struct xtables_match addrtype_mt_reg[] = {
 .name = "addrtype",
 .revision = 1,
 .version = XTABLES_VERSION,
- .family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)),
 .help = addrtype_help_v1,
 .print = addrtype_print_v1,
 .save = addrtype_save_v1,
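Review bot: In the `@@ -289` hunk revision 1 of the match is re-registered with `.family = NFPROTO_UNSPEC` while revision 0 in the hunk just above stays `NFPROTO_IPV4`, and nothing in the file explains why the two revisions now differ; a comment on the revision-1 entry such as `/* revision 1 uses the family-agnostic xt_addrtype_info_v1 layout; revision 0 keeps the IPv4-only layout */` would spare the next reader a trip to the kernel header. Since the revision-1 entry is now offered to every family, `addrtype_print_v1` and `addrtype_save_v1` (hunks `@@ -183` and `@@ -228`) will be reached for non-IPv4 rules as well; the visible parts of those bodies never read `ip`, but `print_types` and the `addrtype_help_v1` text are outside the diff and should be checked for IPv4-only wording before the family is widened.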
diff --git a/extensions/libipt_addrtype.man b/extensions/libxt_addrtype.man
index 16fd9dfd..16fd9dfd 100644
--- a/extensions/libipt_addrtype.man
+++ b/extensions/libxt_addrtype.man
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 1e1a111f..c7dce4e7 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -10,6 +10,7 @@ enum {
 O_UPDATE,
 O_REMOVE,
 O_SECONDS,
+ O_REAP,
 O_HITCOUNT,
 O_RTTL,
 O_NAME,
@@ -19,6 +20,7 @@ enum {
 F_RCHECK = 1 << O_RCHECK,
 F_UPDATE = 1 << O_UPDATE,
 F_REMOVE = 1 << O_REMOVE,
+ F_SECONDS = 1 << O_SECONDS,
 F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE,
 };
@@ -33,7 +35,9 @@ static const struct xt_option_entry recent_opts[] = {
 {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
 {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
- .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)},
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1},
+ {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
+ .also = F_SECONDS },
 {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
 .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
 {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
@@ -57,6 +61,8 @@ static void recent_help(void)
 " --seconds seconds For check and update commands above.\n"
 " Specifies that the match will only occur if source address last seen within\n"
 " the last 'seconds' seconds.\n"
+" --reap Purge entries older then 'seconds'.\n"
+" Can only be used in conjunction with the seconds option.\n"
 " --hitcount hits For check and update commands above.\n"
 " Specifies that the match will only occur if source address seen hits times.\n"
 " May be used in conjunction with the seconds option.\n"
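Review bot: The new help line in `recent_help` reads `Purge entries older then 'seconds'` where `then` should be `than`; as this is a user-facing string the fix is `" --reap Purge entries older than 'seconds'.\n"`. In the option table (hunk `@@ -33`) the added `reap` entry is written `.also = F_SECONDS }` with a space before the closing brace, unlike every other entry in the array. The `.min = 1` added to the `seconds` entry in the same hunk also turns `--seconds 0` into a parse error, a behavioural change that neither the help text nor the man-page hunk mentions.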
@@ -117,11 +123,16 @@ static void recent_parse(struct xt_option_call *cb)
 case O_RDEST:
 info->side = XT_RECENT_DEST;
 break;
+ case O_REAP:
+ info->check_set |= XT_RECENT_REAP;
+ break;
 }
 }
 static void recent_check(struct xt_fcheck_call *cb)
 {
+ struct xt_recent_mtinfo *info = cb->data;
+
 if (!(cb->xflags & F_ANY_OP))
 xtables_error(PARAMETER_PROBLEM,
 "recent: you must specify one of `--set', `--rcheck' "
@@ -146,6 +157,8 @@ static void recent_print(const void *ip, const struct xt_entry_match *match,
 if (info->check_set & XT_RECENT_REMOVE)
 printf(" REMOVE");
 if(info->seconds) printf(" seconds: %d", info->seconds);
+ if (info->check_set & XT_RECENT_REAP)
+ printf(" reap");
 if(info->hit_count) printf(" hit_count: %d", info->hit_count);
 if (info->check_set & XT_RECENT_TTL)
 printf(" TTL-Match");
@@ -172,6 +185,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match)
 if (info->check_set & XT_RECENT_REMOVE)
 printf(" --remove");
 if(info->seconds) printf(" --seconds %d", info->seconds);
+ if (info->check_set & XT_RECENT_REAP)
+ printf(" --reap");
 if(info->hit_count) printf(" --hitcount %d", info->hit_count);
 if (info->check_set & XT_RECENT_TTL)
 printf(" --rttl");
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 0392c2ca..8043df4a 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
 \fB\-\-update\fP. When used, this will narrow the match to only happen when the
 address is in the list and was seen within the last given number of seconds.
 .TP
+\fB\-\-reap\fP
+This option can only be used in conjunction with \fB\-\-seconds\fP.
+When used, this will cause entries older than the last given number of seconds
+to be purged.
+.TP
 \fB\-\-hitcount\fP \fIhits\fP
 This option must be used in conjunction with one of \fB\-\-rcheck\fP or
 \fB\-\-update\fP. When used, this will narrow the match to only happen when the |
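Review bot: `recent_check` now declares `struct xt_recent_mtinfo *info = cb->data;` but nothing in the hunk reads it; unless the remainder of the function, which lies outside the hunk, uses `info`, the declaration is dead and `-Wunused-variable` will flag it, so either drop the line or add the `XT_RECENT_REAP` validation that presumably motivated it. If `.also = F_SECONDS` on the new `reap` option behaves as it does elsewhere in xtables, the option parser already rejects `--reap` without `--seconds`, so no duplicate check is needed in `recent_check` for that combination. The new `printf(" reap")` / `printf(" --reap")` lines in the print and save hunks match the existing style of their neighbours.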