diff options
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/libip6t_LOG.c | 18 | ||||
| -rw-r--r-- | extensions/libipt_LOG.c | 17 | ||||
| -rw-r--r-- | extensions/libxt_CHECKSUM.c | 96 | ||||
| -rw-r--r-- | extensions/libxt_CHECKSUM.man | 8 | ||||
| -rw-r--r-- | extensions/libxt_IDLETIMER.c | 138 | ||||
| -rw-r--r-- | extensions/libxt_IDLETIMER.man | 20 | ||||
| -rw-r--r-- | extensions/libxt_cpu.c | 98 | ||||
| -rw-r--r-- | extensions/libxt_cpu.man | 16 | ||||
| -rw-r--r-- | extensions/libxt_ipvs.c | 365 | ||||
| -rw-r--r-- | extensions/libxt_ipvs.man | 24 |
10 files changed, 798 insertions, 2 deletions
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c index 423d9884..ff9edc68 100644 --- a/extensions/libip6t_LOG.c +++ b/extensions/libip6t_LOG.c @@ -25,7 +25,8 @@ static void LOG_help(void) " --log-tcp-sequence Log TCP sequence numbers.\n" " --log-tcp-options Log TCP options.\n" " --log-ip-options Log IP options.\n" -" --log-uid Log UID owning the local socket.\n"); +" --log-uid Log UID owning the local socket.\n" +" --log-macdecode Decode MAC addresses and protocol.\n"); } static const struct option LOG_opts[] = { @@ -35,6 +36,7 @@ static const struct option LOG_opts[] = { { .name = "log-tcp-options", .has_arg = 0, .val = '2' }, { .name = "log-ip-options", .has_arg = 0, .val = '3' }, { .name = "log-uid", .has_arg = 0, .val = '4' }, + { .name = "log-macdecode", .has_arg = 0, .val = '5' }, { .name = NULL } }; @@ -96,6 +98,7 @@ parse_level(const char *level) #define IP6T_LOG_OPT_TCPOPT 0x08 #define IP6T_LOG_OPT_IPOPT 0x10 #define IP6T_LOG_OPT_UID 0x20 +#define IP6T_LOG_OPT_MACDECODE 0x40 static int LOG_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_target **target) @@ -179,6 +182,15 @@ static int LOG_parse(int c, char **argv, int invert, unsigned int *flags, *flags |= IP6T_LOG_OPT_UID; break; + case '5': + if (*flags & IP6T_LOG_OPT_MACDECODE) + xtables_error(PARAMETER_PROBLEM, + "Can't specify --log-macdecode twice"); + + loginfo->logflags |= IP6T_LOG_MACDECODE; + *flags |= IP6T_LOG_OPT_MACDECODE; + break; + default: return 0; } @@ -213,6 +225,8 @@ static void LOG_print(const void *ip, const struct xt_entry_target *target, printf("ip-options "); if (loginfo->logflags & IP6T_LOG_UID) printf("uid "); + if (loginfo->logflags & IP6T_LOG_MACDECODE) + printf("macdecode "); if (loginfo->logflags & ~(IP6T_LOG_MASK)) printf("unknown-flags "); } @@ -240,6 +254,8 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target) printf("--log-ip-options "); if (loginfo->logflags & IP6T_LOG_UID) printf("--log-uid "); + if (loginfo->logflags & IP6T_LOG_MACDECODE) + printf("--log-macdecode "); } static struct xtables_target log_tg6_reg = { diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c index 9afb91d6..73c8f32d 100644 --- a/extensions/libipt_LOG.c +++ b/extensions/libipt_LOG.c @@ -25,7 +25,8 @@ static void LOG_help(void) " --log-tcp-sequence Log TCP sequence numbers.\n\n" " --log-tcp-options Log TCP options.\n\n" " --log-ip-options Log IP options.\n\n" -" --log-uid Log UID owning the local socket.\n\n"); +" --log-uid Log UID owning the local socket.\n\n" +" --log-macdecode Decode MAC addresses and protocol.\n\n"); } static const struct option LOG_opts[] = { @@ -35,6 +36,7 @@ static const struct option LOG_opts[] = { { .name = "log-tcp-options", .has_arg = 0, .val = '2' }, { .name = "log-ip-options", .has_arg = 0, .val = '3' }, { .name = "log-uid", .has_arg = 0, .val = '4' }, + { .name = "log-macdecode", .has_arg = 0, .val = '5' }, { .name = NULL } }; @@ -96,6 +98,7 @@ parse_level(const char *level) #define IPT_LOG_OPT_TCPOPT 0x08 #define IPT_LOG_OPT_IPOPT 0x10 #define IPT_LOG_OPT_UID 0x20 +#define IPT_LOG_OPT_MACDECODE 0x40 static int LOG_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_target **target) @@ -179,6 +182,14 @@ static int LOG_parse(int c, char **argv, int invert, unsigned int *flags, *flags |= IPT_LOG_OPT_UID; break; + case '5': + if (*flags & IPT_LOG_OPT_MACDECODE) + xtables_error(PARAMETER_PROBLEM, + "Can't specifiy --log-macdecode twice"); + + loginfo->logflags |= IPT_LOG_MACDECODE; + *flags |= IPT_LOG_OPT_MACDECODE; + break; default: return 0; } @@ -213,6 +224,8 @@ static void LOG_print(const void *ip, const struct xt_entry_target *target, printf("ip-options "); if (loginfo->logflags & IPT_LOG_UID) printf("uid "); + if (loginfo->logflags & IPT_LOG_MACDECODE) + printf("macdecode "); if (loginfo->logflags & ~(IPT_LOG_MASK)) printf("unknown-flags "); } @@ -242,6 +255,8 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target) printf("--log-ip-options "); if (loginfo->logflags & IPT_LOG_UID) printf("--log-uid "); + if (loginfo->logflags & IPT_LOG_MACDECODE) + printf("--log-macdecode "); } static struct xtables_target log_tg_reg = { diff --git a/extensions/libxt_CHECKSUM.c b/extensions/libxt_CHECKSUM.c new file mode 100644 index 00000000..9a24443b --- /dev/null +++ b/extensions/libxt_CHECKSUM.c @@ -0,0 +1,96 @@ +/* Shared library add-on to xtables for CHECKSUM + * + * (C) 2002 by Harald Welte <laforge@gnumonks.org> + * (C) 2010 by Red Hat, Inc + * Author: Michael S. Tsirkin <mst@redhat.com> + * + * This program is distributed under the terms of GNU GPL v2, 1991 + * + * libxt_CHECKSUM.c borrowed some bits from libipt_ECN.c + */ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> + +#include <xtables.h> +#include <linux/netfilter/xt_CHECKSUM.h> + +static void CHECKSUM_help(void) +{ + printf( +"CHECKSUM target options\n" +" --checksum-fill Fill in packet checksum.\n"); +} + +static const struct option CHECKSUM_opts[] = { + { "checksum-fill", 0, NULL, 'F' }, + { .name = NULL } +}; + +static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_CHECKSUM_info *einfo + = (struct xt_CHECKSUM_info *)(*target)->data; + + switch (c) { + case 'F': + xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill", + *flags & XT_CHECKSUM_OP_FILL); + einfo->operation = XT_CHECKSUM_OP_FILL; + *flags |= XT_CHECKSUM_OP_FILL; + break; + default: + return 0; + } + + return 1; +} + +static void CHECKSUM_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "CHECKSUM target: Parameter --checksum-fill is required"); +} + +static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_CHECKSUM_info *einfo = + (const struct xt_CHECKSUM_info *)target->data; + + printf("CHECKSUM "); + + if (einfo->operation & XT_CHECKSUM_OP_FILL) + printf("fill "); +} + +static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_CHECKSUM_info *einfo = + (const struct xt_CHECKSUM_info *)target->data; + + if (einfo->operation & XT_CHECKSUM_OP_FILL) + printf("--checksum-fill "); +} + +static struct xtables_target checksum_tg_reg = { + .name = "CHECKSUM", + .version = XTABLES_VERSION, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)), + .help = CHECKSUM_help, + .parse = CHECKSUM_parse, + .final_check = CHECKSUM_check, + .print = CHECKSUM_print, + .save = CHECKSUM_save, + .extra_opts = CHECKSUM_opts, +}; + +void _init(void) +{ + xtables_register_target(&checksum_tg_reg); +} diff --git a/extensions/libxt_CHECKSUM.man b/extensions/libxt_CHECKSUM.man new file mode 100644 index 00000000..92ae700f --- /dev/null +++ b/extensions/libxt_CHECKSUM.man @@ -0,0 +1,8 @@ +This target allows to selectively work around broken/old applications. +It can only be used in the mangle table. +.TP +\fB\-\-checksum\-fill\fP +Compute and fill in the checksum in a packet that lacks a checksum. +This is particularly useful, if you need to work around old applications +such as dhcp clients, that do not work well with checksum offloads, +but don't want to disable checksum offload in your device. diff --git a/extensions/libxt_IDLETIMER.c b/extensions/libxt_IDLETIMER.c new file mode 100644 index 00000000..c931d0ee --- /dev/null +++ b/extensions/libxt_IDLETIMER.c @@ -0,0 +1,138 @@ +/* + * Shared library add-on for iptables to add IDLETIMER support. + * + * Copyright (C) 2010 Nokia Corporation. All rights reserved. + * + * Contact: Luciano Coelho <luciano.coelho@nokia.com> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA + * + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <stddef.h> + +#include <xtables.h> +#include <linux/netfilter/xt_IDLETIMER.h> + +enum { + IDLETIMER_TG_OPT_TIMEOUT = 1 << 0, + IDLETIMER_TG_OPT_LABEL = 1 << 1, +}; + +static const struct option idletimer_tg_opts[] = { + { .name = "timeout", .has_arg = true, .flag = 0, .val = 't' }, + { .name = "label", .has_arg = true, .flag = 0, .val = 'l' }, + { .name = NULL } +}; + +static void idletimer_tg_help(void) +{ + printf( +"IDLETIMER target options:\n" +" --timeout time Timeout until the notification is sent (in seconds)\n" +" --label string Unique rule identifier\n" +"\n"); +} + +static int idletimer_tg_parse(int c, char **argv, int invert, + unsigned int *flags, + const void *entry, + struct xt_entry_target **target) +{ + struct idletimer_tg_info *info = + (struct idletimer_tg_info *)(*target)->data; + + switch (c) { + case 't': + xtables_param_act(XTF_ONLY_ONCE, "IDLETIMER", "--timeout", + *flags & IDLETIMER_TG_OPT_TIMEOUT); + + info->timeout = atoi(optarg); + *flags |= IDLETIMER_TG_OPT_TIMEOUT; + break; + + case 'l': + xtables_param_act(XTF_ONLY_ONCE, "IDLETIMER", "--label", + *flags & IDLETIMER_TG_OPT_TIMEOUT); + + if (strlen(optarg) > MAX_IDLETIMER_LABEL_SIZE - 1) + xtables_param_act(XTF_BAD_VALUE, "IDLETIMER", "--label", + optarg); + + strcpy(info->label, optarg); + *flags |= IDLETIMER_TG_OPT_LABEL; + break; + + default: + return false; + } + + return true; +} + +static void idletimer_tg_final_check(unsigned int flags) +{ + if (!(flags & IDLETIMER_TG_OPT_TIMEOUT)) + xtables_error(PARAMETER_PROBLEM, "IDLETIMER target: " + "--timeout parameter required"); + if (!(flags & IDLETIMER_TG_OPT_LABEL)) + xtables_error(PARAMETER_PROBLEM, "IDLETIMER target: " + "--label parameter required"); +} + +static void idletimer_tg_print(const void *ip, + const struct xt_entry_target *target, + int numeric) +{ + struct idletimer_tg_info *info = + (struct idletimer_tg_info *) target->data; + + printf("timeout:%u ", info->timeout); + printf("label:%s ", info->label); +} + +static void idletimer_tg_save(const void *ip, + const struct xt_entry_target *target) +{ + struct idletimer_tg_info *info = + (struct idletimer_tg_info *) target->data; + + printf("--timeout %u ", info->timeout); + printf("--label %s ", info->label); +} + +static struct xtables_target idletimer_tg_reg = { + .family = NFPROTO_UNSPEC, + .name = "IDLETIMER", + .version = XTABLES_VERSION, + .revision = 0, + .size = XT_ALIGN(sizeof(struct idletimer_tg_info)), + .userspacesize = offsetof(struct idletimer_tg_info, timer), + .help = idletimer_tg_help, + .parse = idletimer_tg_parse, + .final_check = idletimer_tg_final_check, + .print = idletimer_tg_print, + .save = idletimer_tg_save, + .extra_opts = idletimer_tg_opts, +}; + +static __attribute__((constructor)) void idletimer_tg_ldr(void) +{ + xtables_register_target(&idletimer_tg_reg); +} diff --git a/extensions/libxt_IDLETIMER.man b/extensions/libxt_IDLETIMER.man new file mode 100644 index 00000000..e3c91cea --- /dev/null +++ b/extensions/libxt_IDLETIMER.man @@ -0,0 +1,20 @@ +This target can be used to identify when interfaces have been idle for a +certain period of time. Timers are identified by labels and are created when +a rule is set with a new label. The rules also take a timeout value (in +seconds) as an option. If more than one rule uses the same timer label, the +timer will be restarted whenever any of the rules get a hit. One entry for +each timer is created in sysfs. This attribute contains the timer remaining +for the timer to expire. The attributes are located under the xt_idletimer +class: +.PP +/sys/class/xt_idletimer/timers/<label> +.PP +When the timer expires, the target module sends a sysfs notification to the +userspace, which can then decide what to do (eg. disconnect to save power). +.TP +\fB\-\-timeout\fP \fIamount\fP +This is the time in seconds that will trigger the notification. +.TP +\fB\-\-label\fP \fIstring\fP +This is a unique identifier for the timer. The maximum length for the +label string is 27 characters. diff --git a/extensions/libxt_cpu.c b/extensions/libxt_cpu.c new file mode 100644 index 00000000..66b9d831 --- /dev/null +++ b/extensions/libxt_cpu.c @@ -0,0 +1,98 @@ +/* Shared library add-on to iptables to add CPU match support. */ +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <xtables.h> +#include <linux/netfilter/xt_cpu.h> + +static void cpu_help(void) +{ + printf( +"cpu match options:\n" +"[!] --cpu number Match CPU number\n"); +} + +static const struct option cpu_opts[] = { + { "cpu", 1, NULL, '1' }, + { .name = NULL } +}; + +static void +parse_cpu(const char *s, struct xt_cpu_info *info) +{ + unsigned int cpu; + char *end; + + if (!xtables_strtoui(s, &end, &cpu, 0, UINT32_MAX)) + xtables_param_act(XTF_BAD_VALUE, "cpu", "--cpu", s); + + if (*end != '\0') + xtables_param_act(XTF_BAD_VALUE, "cpu", "--cpu", s); + + info->cpu = cpu; +} + +static int +cpu_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_cpu_info *cpuinfo = (struct xt_cpu_info *)(*match)->data; + + switch (c) { + case '1': + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_cpu(optarg, cpuinfo); + if (invert) + cpuinfo->invert = 1; + *flags = 1; + break; + + default: + return 0; + } + + return 1; +} + +static void cpu_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "You must specify `--cpu'"); +} + +static void +cpu_print(const void *ip, const struct xt_entry_match *match, int numeric) +{ + const struct xt_cpu_info *info = (void *)match->data; + + printf("cpu %s%u ", info->invert ? "! ":"", info->cpu); +} + +static void cpu_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_cpu_info *info = (void *)match->data; + + printf("%s--cpu %u ", info->invert ? "! ":"", info->cpu); +} + +static struct xtables_match cpu_match = { + .family = NFPROTO_UNSPEC, + .name = "cpu", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_cpu_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_cpu_info)), + .help = cpu_help, + .parse = cpu_parse, + .final_check = cpu_check, + .print = cpu_print, + .save = cpu_save, + .extra_opts = cpu_opts, +}; + +void _init(void) +{ + xtables_register_match(&cpu_match); +} diff --git a/extensions/libxt_cpu.man b/extensions/libxt_cpu.man new file mode 100644 index 00000000..f42ac7a5 --- /dev/null +++ b/extensions/libxt_cpu.man @@ -0,0 +1,16 @@ +.TP +[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP + +Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 +Can be used in combination with RPS (Remote Packet Steering) or +multiqueue NICS to spread network traffic on different queues. +.PP +Example: +.PP +iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0 + \-j REDIRECT \-\-to\-port 8080 +.PP +iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1 + \-j REDIRECT \-\-to\-port 8081 +.PP +Available since linux 2.6.36 diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c new file mode 100644 index 00000000..6843551c --- /dev/null +++ b/extensions/libxt_ipvs.c @@ -0,0 +1,365 @@ +/* + * Shared library add-on to iptables to add IPVS matching. + * + * Detailed doc is in the kernel module source net/netfilter/xt_ipvs.c + * + * Author: Hannes Eder <heder@google.com> + */ +#include <sys/types.h> +#include <assert.h> +#include <ctype.h> +#include <errno.h> +#include <getopt.h> +#include <netdb.h> +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <xtables.h> +#include <linux/ip_vs.h> +#include <linux/netfilter/xt_ipvs.h> + +static const struct option ipvs_mt_opts[] = { + { .name = "ipvs", .has_arg = false, .val = '0' }, + { .name = "vproto", .has_arg = true, .val = '1' }, + { .name = "vaddr", .has_arg = true, .val = '2' }, + { .name = "vport", .has_arg = true, .val = '3' }, + { .name = "vdir", .has_arg = true, .val = '4' }, + { .name = "vmethod", .has_arg = true, .val = '5' }, + { .name = "vportctl", .has_arg = true, .val = '6' }, + { .name = NULL } +}; + +static void ipvs_mt_help(void) +{ + printf( +"IPVS match options:\n" +"[!] --ipvs packet belongs to an IPVS connection\n" +"\n" +"Any of the following options implies --ipvs (even negated)\n" +"[!] --vproto protocol VIP protocol to match; by number or name,\n" +" e.g. \"tcp\"\n" +"[!] --vaddr address[/mask] VIP address to match\n" +"[!] --vport port VIP port to match; by number or name,\n" +" e.g. \"http\"\n" +" --vdir {ORIGINAL|REPLY} flow direction of packet\n" +"[!] --vmethod {GATE|IPIP|MASQ} IPVS forwarding method used\n" +"[!] --vportctl port VIP port of the controlling connection to\n" +" match, e.g. 21 for FTP\n" + ); +} + +static void ipvs_mt_parse_addr_and_mask(const char *arg, + union nf_inet_addr *address, + union nf_inet_addr *mask, + unsigned int family) +{ + struct in_addr *addr = NULL; + struct in6_addr *addr6 = NULL; + unsigned int naddrs = 0; + + if (family == NFPROTO_IPV4) { + xtables_ipparse_any(arg, &addr, &mask->in, &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&address->in, addr, sizeof(*addr)); + } else if (family == NFPROTO_IPV6) { + xtables_ip6parse_any(arg, &addr6, &mask->in6, &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&address->in6, addr6, sizeof(*addr6)); + } else { + /* Hu? */ + assert(false); + } +} + +/* Function which parses command options; returns true if it ate an option */ +static int ipvs_mt_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match, + unsigned int family) +{ + struct xt_ipvs_mtinfo *data = (void *)(*match)->data; + char *p = NULL; + u_int8_t op = 0; + + if ('0' <= c && c <= '6') { + static const int ops[] = { + XT_IPVS_IPVS_PROPERTY, + XT_IPVS_PROTO, + XT_IPVS_VADDR, + XT_IPVS_VPORT, + XT_IPVS_DIR, + XT_IPVS_METHOD, + XT_IPVS_VPORTCTL + }; + op = ops[c - '0']; + } else + return 0; + + if (*flags & op & XT_IPVS_ONCE_MASK) + goto multiple_use; + + switch (c) { + case '0': /* --ipvs */ + /* Nothing to do here. */ + break; + + case '1': /* --vproto */ + /* Canonicalize into lower case */ + for (p = optarg; *p != '\0'; ++p) + *p = tolower(*p); + + data->l4proto = xtables_parse_protocol(optarg); + break; + + case '2': /* --vaddr */ + ipvs_mt_parse_addr_and_mask(optarg, &data->vaddr, + &data->vmask, family); + break; + + case '3': /* --vport */ + data->vport = htons(xtables_parse_port(optarg, "tcp")); + break; + + case '4': /* --vdir */ + xtables_param_act(XTF_NO_INVERT, "ipvs", "--vdir", invert); + if (strcasecmp(optarg, "ORIGINAL") == 0) { + data->bitmask |= XT_IPVS_DIR; + data->invert &= ~XT_IPVS_DIR; + } else if (strcasecmp(optarg, "REPLY") == 0) { + data->bitmask |= XT_IPVS_DIR; + data->invert |= XT_IPVS_DIR; + } else { + xtables_param_act(XTF_BAD_VALUE, + "ipvs", "--vdir", optarg); + } + break; + + case '5': /* --vmethod */ + if (strcasecmp(optarg, "GATE") == 0) + data->fwd_method = IP_VS_CONN_F_DROUTE; + else if (strcasecmp(optarg, "IPIP") == 0) + data->fwd_method = IP_VS_CONN_F_TUNNEL; + else if (strcasecmp(optarg, "MASQ") == 0) + data->fwd_method = IP_VS_CONN_F_MASQ; + else + xtables_param_act(XTF_BAD_VALUE, + "ipvs", "--vmethod", optarg); + break; + + case '6': /* --vportctl */ + data->vportctl = htons(xtables_parse_port(optarg, "tcp")); + break; + + default: + /* Hu? How did we come here? */ + assert(false); + return 0; + } + + if (op & XT_IPVS_ONCE_MASK) { + if (data->invert & XT_IPVS_IPVS_PROPERTY) + xtables_error(PARAMETER_PROBLEM, + "! --ipvs cannot be together with" + " other options"); + data->bitmask |= XT_IPVS_IPVS_PROPERTY; + } + + data->bitmask |= op; + if (invert) + data->invert |= op; + *flags |= op; + return 1; + +multiple_use: + xtables_error(PARAMETER_PROBLEM, + "multiple use of the same IPVS option is not allowed"); +} + +static int ipvs_mt4_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + return ipvs_mt_parse(c, argv, invert, flags, entry, match, + NFPROTO_IPV4); +} + +static int ipvs_mt6_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + return ipvs_mt_parse(c, argv, invert, flags, entry, match, + NFPROTO_IPV6); +} + +static void ipvs_mt_check(unsigned int flags) +{ + if (flags == 0) + xtables_error(PARAMETER_PROBLEM, + "IPVS: At least one option is required"); +} + +/* Shamelessly copied from libxt_conntrack.c */ +static void ipvs_mt_dump_addr(const union nf_inet_addr *addr, + const union nf_inet_addr *mask, + unsigned int family, bool numeric) +{ + char buf[BUFSIZ]; + + if (family == NFPROTO_IPV4) { + if (!numeric && addr->ip == 0) { + printf("anywhere "); + return; + } + if (numeric) + strcpy(buf, xtables_ipaddr_to_numeric(&addr->in)); + else + strcpy(buf, xtables_ipaddr_to_anyname(&addr->in)); + strcat(buf, xtables_ipmask_to_numeric(&mask->in)); + printf("%s ", buf); + } else if (family == NFPROTO_IPV6) { + if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 && + addr->ip6[2] == 0 && addr->ip6[3] == 0) { + printf("anywhere "); + return; + } + if (numeric) + strcpy(buf, xtables_ip6addr_to_numeric(&addr->in6)); + else + strcpy(buf, xtables_ip6addr_to_anyname(&addr->in6)); + strcat(buf, xtables_ip6mask_to_numeric(&mask->in6)); + printf("%s ", buf); + } +} + +static void ipvs_mt_dump(const void *ip, const struct xt_ipvs_mtinfo *data, + unsigned int family, bool numeric, const char *prefix) +{ + if (data->bitmask == XT_IPVS_IPVS_PROPERTY) { + if (data->invert & XT_IPVS_IPVS_PROPERTY) + printf("! "); + printf("%sipvs ", prefix); + } + + if (data->bitmask & XT_IPVS_PROTO) { + if (data->invert & XT_IPVS_PROTO) + printf("! "); + printf("%sproto %u ", prefix, data->l4proto); + } + + if (data->bitmask & XT_IPVS_VADDR) { + if (data->invert & XT_IPVS_VADDR) + printf("! "); + + printf("%svaddr ", prefix); + ipvs_mt_dump_addr(&data->vaddr, &data->vmask, family, numeric); + } + + if (data->bitmask & XT_IPVS_VPORT) { + if (data->invert & XT_IPVS_VPORT) + printf("! "); + + printf("%svport %u ", prefix, ntohs(data->vport)); + } + + if (data->bitmask & XT_IPVS_DIR) { + if (data->invert & XT_IPVS_DIR) + printf("%svdir REPLY ", prefix); + else + printf("%svdir ORIGINAL ", prefix); + } + + if (data->bitmask & XT_IPVS_METHOD) { + if (data->invert & XT_IPVS_METHOD) + printf("! "); + + printf("%svmethod ", prefix); + switch (data->fwd_method) { + case IP_VS_CONN_F_DROUTE: + printf("GATE "); + break; + case IP_VS_CONN_F_TUNNEL: + printf("IPIP "); + break; + case IP_VS_CONN_F_MASQ: + printf("MASQ "); + break; + default: + /* Hu? */ + printf("UNKNOWN "); + break; + } + } + + if (data->bitmask & XT_IPVS_VPORTCTL) { + if (data->invert & XT_IPVS_VPORTCTL) + printf("! "); + + printf("%svportctl %u ", prefix, ntohs(data->vportctl)); + } +} + +static void ipvs_mt4_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct xt_ipvs_mtinfo *data = (const void *)match->data; + ipvs_mt_dump(ip, data, NFPROTO_IPV4, numeric, ""); +} + +static void ipvs_mt6_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct xt_ipvs_mtinfo *data = (const void *)match->data; + ipvs_mt_dump(ip, data, NFPROTO_IPV6, numeric, ""); +} + +static void ipvs_mt4_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_ipvs_mtinfo *data = (const void *)match->data; + ipvs_mt_dump(ip, data, NFPROTO_IPV4, true, "--"); +} + +static void ipvs_mt6_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_ipvs_mtinfo *data = (const void *)match->data; + ipvs_mt_dump(ip, data, NFPROTO_IPV6, true, "--"); +} + +static struct xtables_match ipvs_matches_reg[] = { + { + .version = XTABLES_VERSION, + .name = "ipvs", + .revision = 0, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)), + .userspacesize = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)), + .help = ipvs_mt_help, + .parse = ipvs_mt4_parse, + .final_check = ipvs_mt_check, + .print = ipvs_mt4_print, + .save = ipvs_mt4_save, + .extra_opts = ipvs_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "ipvs", + .revision = 0, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)), + .userspacesize = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)), + .help = ipvs_mt_help, + .parse = ipvs_mt6_parse, + .final_check = ipvs_mt_check, + .print = ipvs_mt6_print, + .save = ipvs_mt6_save, + .extra_opts = ipvs_mt_opts, + }, +}; + +void _init(void) +{ + xtables_register_matches(ipvs_matches_reg, + ARRAY_SIZE(ipvs_matches_reg)); +} diff --git a/extensions/libxt_ipvs.man b/extensions/libxt_ipvs.man new file mode 100644 index 00000000..8968e1ad --- /dev/null +++ b/extensions/libxt_ipvs.man @@ -0,0 +1,24 @@ +Match IPVS connection properties. +.TP +[\fB!\fR] \fB\-\-ipvs\fP +packet belongs to an IPVS connection +.TP +Any of the following options implies \-\-ipvs (even negated) +.TP +[\fB!\fR] \fB\-\-vproto\fP \fIprotocol\fP +VIP protocol to match; by number or name, e.g. "tcp" +.TP +[\fB!\fR] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP] +VIP address to match +.TP +[\fB!\fR] \fB\-\-vport\fP \fIport\fP +VIP port to match; by number or name, e.g. "http" +.TP +\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} +flow direction of packet +.TP +[\fB!\fR] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP} +IPVS forwarding method used +.TP +[\fB!\fR] \fB\-\-vportctl\fP \fIport\fP +VIP port of the controlling connection to match, e.g. 21 for FTP |