diff options
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/GNUmakefile.in | 2 | ||||
| -rw-r--r-- | extensions/libip6t_REJECT.man | 7 | ||||
| -rw-r--r-- | extensions/libipt_REJECT.man | 6 | ||||
| -rw-r--r-- | extensions/libxt_LOG.man | 6 | ||||
| -rw-r--r-- | extensions/libxt_NFQUEUE.man | 13 | ||||
| -rw-r--r-- | extensions/libxt_SYNPROXY.c | 127 | ||||
| -rw-r--r-- | extensions/libxt_cluster.man | 5 | ||||
| -rw-r--r-- | extensions/libxt_conntrack.man | 4 | ||||
| -rw-r--r-- | extensions/libxt_hashlimit.man | 2 | ||||
| -rw-r--r-- | extensions/libxt_recent.c | 2 | ||||
| -rw-r--r-- | extensions/libxt_recent.man | 3 | ||||
| -rw-r--r-- | extensions/libxt_set.h | 52 | ||||
| -rw-r--r-- | extensions/libxt_socket.c | 62 | ||||
| -rw-r--r-- | extensions/libxt_socket.man | 21 | ||||
| -rw-r--r-- | extensions/libxt_string.man | 10 |
15 files changed, 291 insertions, 31 deletions
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index 780e7150..52915725 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -21,7 +21,7 @@ regular_CPPFLAGS = @regular_CPPFLAGS@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@ AM_CFLAGS = ${regular_CFLAGS} -AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS} @libnetfilter_conntrack_CFLAGS@ +AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS} ${CPPFLAGS} @libnetfilter_conntrack_CFLAGS@ AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@ AM_LDFLAGS = @noundef_LDFLAGS@ diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man index 2d09e050..0030a51f 100644 --- a/extensions/libip6t_REJECT.man +++ b/extensions/libip6t_REJECT.man @@ -18,10 +18,9 @@ The type given can be \fBicmp6\-adm\-prohibited\fP, \fBadm\-prohibited\fP, \fBicmp6\-addr\-unreachable\fP, -\fBaddr\-unreach\fP, -\fBicmp6\-port\-unreachable\fP or -\fBport\-unreach\fP -which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is +\fBaddr\-unreach\fP, or +\fBicmp6\-port\-unreachable\fP, +which return the appropriate ICMPv6 error message (\fBicmp6\-port\-unreachable\fP is the default). Finally, the option \fBtcp\-reset\fP can be used on rules which only match the TCP protocol: this causes a diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man index c419a85e..926da033 100644 --- a/extensions/libipt_REJECT.man +++ b/extensions/libipt_REJECT.man @@ -18,9 +18,9 @@ The type given can be \fBicmp\-port\-unreachable\fP, \fBicmp\-proto\-unreachable\fP, \fBicmp\-net\-prohibited\fP, -\fBicmp\-host\-prohibited\fP or -\fBicmp\-admin\-prohibited\fP (*) -which return the appropriate ICMP error message (\fBport\-unreachable\fP is +\fBicmp\-host\-prohibited\fP, or +\fBicmp\-admin\-prohibited\fP (*), +which return the appropriate ICMP error message (\fBicmp\-port\-unreachable\fP is the default). The option \fBtcp\-reset\fP can be used on rules which only match the TCP protocol: this causes a diff --git a/extensions/libxt_LOG.man b/extensions/libxt_LOG.man index 6d3a83a4..354edf4c 100644 --- a/extensions/libxt_LOG.man +++ b/extensions/libxt_LOG.man @@ -1,10 +1,8 @@ Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP/IPv6 header fields) via the kernel log -(where it can be read with -.I dmesg -or -.IR syslogd (8)). +(where it can be read with \fIdmesg(1)\fP or read in the syslog). +.PP This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man index 7a991291..1bfb7b84 100644 --- a/extensions/libxt_NFQUEUE.man +++ b/extensions/libxt_NFQUEUE.man @@ -1,11 +1,12 @@ -This target is an extension of the QUEUE target. As opposed to QUEUE, it allows -you to put a packet into any specific queue, identified by its 16-bit queue -number. -It can only be used with Kernel versions 2.6.14 or later, since it requires -the +This target passes the packet to userspace using the +\fBnfnetlink_queue\fP handler. The packet is put into the queue +identified by its 16-bit queue number. Userspace can inspect +and modify the packet if desired. Userspace must then drop or +reinject the packet into the kernel. Please see libnetfilter_queue +for details. .B nfnetlink_queue -kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31, +was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31, \fBqueue-bypass\fP in 2.6.39. .TP \fB\-\-queue\-num\fP \fIvalue\fP diff --git a/extensions/libxt_SYNPROXY.c b/extensions/libxt_SYNPROXY.c new file mode 100644 index 00000000..475590ea --- /dev/null +++ b/extensions/libxt_SYNPROXY.c @@ -0,0 +1,127 @@ + +/* + * Copyright (c) 2013 Patrick McHardy <kaber@trash.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include <stdbool.h> +#include <stdio.h> +#include <xtables.h> +#include <linux/netfilter/xt_SYNPROXY.h> + +enum { + O_SACK_PERM = 0, + O_TIMESTAMP, + O_WSCALE, + O_MSS, + O_ECN, +}; + +static void SYNPROXY_help(void) +{ + printf( +"SYNPROXY target options:\n" +" --sack-perm Set SACK_PERM\n" +" --timestamp Set TIMESTAMP\n" +" --wscale value Set window scaling factor\n" +" --mss value Set MSS value\n" +" --ecn Set ECN\n"); +} + +static const struct xt_option_entry SYNPROXY_opts[] = { + {.name = "sack-perm", .id = O_SACK_PERM, .type = XTTYPE_NONE, }, + {.name = "timestamp", .id = O_TIMESTAMP, .type = XTTYPE_NONE, }, + {.name = "wscale", .id = O_WSCALE, .type = XTTYPE_UINT32, }, + {.name = "mss", .id = O_MSS, .type = XTTYPE_UINT32, }, + {.name = "ecn", .id = O_ECN, .type = XTTYPE_NONE, }, + XTOPT_TABLEEND, +}; + +static void SYNPROXY_parse(struct xt_option_call *cb) +{ + struct xt_synproxy_info *info = cb->data; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_SACK_PERM: + info->options |= XT_SYNPROXY_OPT_SACK_PERM; + break; + case O_TIMESTAMP: + info->options |= XT_SYNPROXY_OPT_TIMESTAMP; + break; + case O_WSCALE: + info->options |= XT_SYNPROXY_OPT_WSCALE; + info->wscale = cb->val.u32; + break; + case O_MSS: + info->options |= XT_SYNPROXY_OPT_MSS; + info->mss = cb->val.u32; + break; + case O_ECN: + info->options |= XT_SYNPROXY_OPT_ECN; + break; + } +} + +static void SYNPROXY_check(struct xt_fcheck_call *cb) +{ +} + +static void SYNPROXY_print(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_synproxy_info *info = + (const struct xt_synproxy_info *)target->data; + + printf(" SYNPROXY "); + if (info->options & XT_SYNPROXY_OPT_SACK_PERM) + printf("sack-perm "); + if (info->options & XT_SYNPROXY_OPT_TIMESTAMP) + printf("timestamp "); + if (info->options & XT_SYNPROXY_OPT_WSCALE) + printf("wscale %u ", info->wscale); + if (info->options & XT_SYNPROXY_OPT_MSS) + printf("mss %u ", info->mss); + if (info->options & XT_SYNPROXY_OPT_ECN) + printf("ecn "); +} + +static void SYNPROXY_save(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_synproxy_info *info = + (const struct xt_synproxy_info *)target->data; + + if (info->options & XT_SYNPROXY_OPT_SACK_PERM) + printf(" --sack-perm"); + if (info->options & XT_SYNPROXY_OPT_TIMESTAMP) + printf(" --timestamp"); + if (info->options & XT_SYNPROXY_OPT_WSCALE) + printf(" --wscale %u", info->wscale); + if (info->options & XT_SYNPROXY_OPT_MSS) + printf(" --mss %u", info->mss); + if (info->options & XT_SYNPROXY_OPT_ECN) + printf(" --ecn"); +} + +static struct xtables_target synproxy_tg_reg = { + .family = NFPROTO_UNSPEC, + .name = "SYNPROXY", + .version = XTABLES_VERSION, + .revision = 0, + .size = XT_ALIGN(sizeof(struct xt_synproxy_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_synproxy_info)), + .help = SYNPROXY_help, + .print = SYNPROXY_print, + .save = SYNPROXY_save, + .x6_parse = SYNPROXY_parse, + .x6_fcheck = SYNPROXY_check, + .x6_options = SYNPROXY_opts, +}; + +void _init(void) +{ + xtables_register_target(&synproxy_tg_reg); +} diff --git a/extensions/libxt_cluster.man b/extensions/libxt_cluster.man index 62ad71cc..94b4b205 100644 --- a/extensions/libxt_cluster.man +++ b/extensions/libxt_cluster.man @@ -55,6 +55,11 @@ arptables \-A INPUT \-i eth2 \-\-h\-length 6 \-\-destination\-mac 01:00:5e:00:01:02 \-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27 .PP +\fBNOTE\fP: the arptables commands above use mainstream syntax. If you +are using arptables-jf included in some RedHat, CentOS and Fedora +versions, you will hit syntax errors. Therefore, you'll have to adapt +these to the arptables-jf syntax to get them working. +.PP In the case of TCP connections, pickup facility has to be disabled to avoid marking TCP ACK packets coming in the reply direction as valid. diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man index 15fd1ddf..4b13f0f6 100644 --- a/extensions/libxt_conntrack.man +++ b/extensions/libxt_conntrack.man @@ -45,7 +45,7 @@ States for \fB\-\-ctstate\fP: The packet is associated with no known connection. .TP \fBNEW\fP -The packet has started a new connection, or otherwise associated +The packet has started a new connection or otherwise associated with a connection which has not seen packets in both directions. .TP \fBESTABLISHED\fP @@ -54,7 +54,7 @@ in both directions. .TP \fBRELATED\fP The packet is starting a new connection, but is associated with an -existing connection, such as an FTP data transfer, or an ICMP error. +existing connection, such as an FTP data transfer or an ICMP error. .TP \fBUNTRACKED\fP The packet is not tracked at all, which happens if you explicitly untrack it diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man index 17cb2b00..6aac3f28 100644 --- a/extensions/libxt_hashlimit.man +++ b/extensions/libxt_hashlimit.man @@ -65,7 +65,7 @@ matching on source port matching on subnet "10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8" => -\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min +\-s 10.0.0.0/8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min .TP matching bytes per second "flows exceeding 512kbyte/s" => diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c index b3510d99..e1801f1c 100644 --- a/extensions/libxt_recent.c +++ b/extensions/libxt_recent.c @@ -104,7 +104,7 @@ static void recent_help(void) " --rsource Match/Save the source address of each packet in the recent list table (default).\n" " --rdest Match/Save the destination address of each packet in the recent list table.\n" " --mask netmask Netmask that will be applied to this recent list.\n" -"xt_recent by: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"); +"xt_recent by: Stephen Frost <sfrost@snowman.net>.\n"); } enum { diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man index d9bd5d2a..419be257 100644 --- a/extensions/libxt_recent.man +++ b/extensions/libxt_recent.man @@ -73,9 +73,6 @@ iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DR .IP iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP .PP -Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has -some examples of usage. -.PP \fB/proc/net/xt_recent/*\fP are the current lists of addresses and information about each entry of each list. .PP diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h index 47c3f5b6..5a1bdcf7 100644 --- a/extensions/libxt_set.h +++ b/extensions/libxt_set.h @@ -6,6 +6,7 @@ #include <sys/types.h> #include <sys/socket.h> #include <errno.h> +#include "../iptables/xshared.h" #ifdef DEBUG #define DEBUGP(x, args...) fprintf(stderr, x , ## args) @@ -71,13 +72,13 @@ get_set_byid(char *setname, ip_set_id_t idx) } static void -get_set_byname(const char *setname, struct xt_set_info *info) +get_set_byname_only(const char *setname, struct xt_set_info *info, + int sockfd, unsigned int version) { - struct ip_set_req_get_set req; + struct ip_set_req_get_set req = { .version = version }; socklen_t size = sizeof(struct ip_set_req_get_set); - int res, sockfd; + int res; - sockfd = get_version(&req.version); req.op = IP_SET_OP_GET_BYNAME; strncpy(req.set.name, setname, IPSET_MAXNAMELEN); req.set.name[IPSET_MAXNAMELEN - 1] = '\0'; @@ -101,6 +102,49 @@ get_set_byname(const char *setname, struct xt_set_info *info) } static void +get_set_byname(const char *setname, struct xt_set_info *info) +{ + struct ip_set_req_get_set_family req; + socklen_t size = sizeof(struct ip_set_req_get_set_family); + int res, sockfd, version; + + sockfd = get_version(&req.version); + version = req.version; + req.op = IP_SET_OP_GET_FNAME; + strncpy(req.set.name, setname, IPSET_MAXNAMELEN); + req.set.name[IPSET_MAXNAMELEN - 1] = '\0'; + res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req, &size); + + if (res != 0 && errno == EBADMSG) + /* Backward compatibility */ + return get_set_byname_only(setname, info, sockfd, version); + + close(sockfd); + if (res != 0) + xtables_error(OTHER_PROBLEM, + "Problem when communicating with ipset, errno=%d.\n", + errno); + if (size != sizeof(struct ip_set_req_get_set_family)) + xtables_error(OTHER_PROBLEM, + "Incorrect return size from kernel during ipset lookup, " + "(want %zu, got %zu)\n", + sizeof(struct ip_set_req_get_set_family), + (size_t)size); + if (req.set.index == IPSET_INVALID_ID) + xtables_error(PARAMETER_PROBLEM, + "Set %s doesn't exist.\n", setname); + if (!(req.family == afinfo->family || + req.family == NFPROTO_UNSPEC)) + xtables_error(PARAMETER_PROBLEM, + "The protocol family of set %s is %s, " + "which is not applicable.\n", + setname, + req.family == NFPROTO_IPV4 ? "IPv4" : "IPv6"); + + info->index = req.set.index; +} + +static void parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info) { char *saved = strdup(opt_arg); diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c index 39016493..f19c2804 100644 --- a/extensions/libxt_socket.c +++ b/extensions/libxt_socket.c @@ -9,6 +9,7 @@ enum { O_TRANSPARENT = 0, + O_NOWILDCARD = 1, }; static const struct xt_option_entry socket_mt_opts[] = { @@ -16,6 +17,12 @@ static const struct xt_option_entry socket_mt_opts[] = { XTOPT_TABLEEND, }; +static const struct xt_option_entry socket_mt_opts_v2[] = { + {.name = "transparent", .id = O_TRANSPARENT, .type = XTTYPE_NONE}, + {.name = "nowildcard", .id = O_NOWILDCARD, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; + static void socket_mt_help(void) { printf( @@ -23,6 +30,14 @@ static void socket_mt_help(void) " --transparent Ignore non-transparent sockets\n\n"); } +static void socket_mt_help_v2(void) +{ + printf( + "socket match options:\n" + " --nowildcard Do not ignore LISTEN sockets bound on INADDR_ANY\n" + " --transparent Ignore non-transparent sockets\n\n"); +} + static void socket_mt_parse(struct xt_option_call *cb) { struct xt_socket_mtinfo1 *info = cb->data; @@ -35,6 +50,21 @@ static void socket_mt_parse(struct xt_option_call *cb) } } +static void socket_mt_parse_v2(struct xt_option_call *cb) +{ + struct xt_socket_mtinfo2 *info = cb->data; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_TRANSPARENT: + info->flags |= XT_SOCKET_TRANSPARENT; + break; + case O_NOWILDCARD: + info->flags |= XT_SOCKET_NOWILDCARD; + break; + } +} + static void socket_mt_save(const void *ip, const struct xt_entry_match *match) { @@ -52,6 +82,25 @@ socket_mt_print(const void *ip, const struct xt_entry_match *match, socket_mt_save(ip, match); } +static void +socket_mt_save_v2(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_socket_mtinfo2 *info = (const void *)match->data; + + if (info->flags & XT_SOCKET_TRANSPARENT) + printf(" --transparent"); + if (info->flags & XT_SOCKET_NOWILDCARD) + printf(" --nowildcard"); +} + +static void +socket_mt_print_v2(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + printf(" socket"); + socket_mt_save_v2(ip, match); +} + static struct xtables_match socket_mt_reg[] = { { .name = "socket", @@ -74,6 +123,19 @@ static struct xtables_match socket_mt_reg[] = { .x6_parse = socket_mt_parse, .x6_options = socket_mt_opts, }, + { + .name = "socket", + .revision = 2, + .family = NFPROTO_UNSPEC, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)), + .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)), + .help = socket_mt_help_v2, + .print = socket_mt_print_v2, + .save = socket_mt_save_v2, + .x6_parse = socket_mt_parse_v2, + .x6_options = socket_mt_opts_v2, + }, }; void _init(void) diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man index 41e8d674..2ef32cec 100644 --- a/extensions/libxt_socket.man +++ b/extensions/libxt_socket.man @@ -1,5 +1,22 @@ -This matches if an open socket can be found by doing a socket lookup on the -packet. +This matches if an open TCP/UDP socket can be found by doing a socket lookup on the +packet. It matches if there is an established or non\-zero bound listening +socket (possibly with a non\-local address). The lookup is performed using +the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header +\fBembedded\fP in an ICMP/ICPMv6 error packet. .TP \fB\-\-transparent\fP Ignore non-transparent sockets. +.TP +\fB\-\-nowildcard\fP +Do not ignore sockets bound to 'any' address. +The socket match won't accept zero\-bound listeners by default, since +then local services could intercept traffic that would otherwise be forwarded. +This option therefore has security implications when used to match traffic being +forwarded to redirect such packets to local machine with policy routing. +When using the socket match to implement fully transparent +proxies bound to non\-local addresses it is recommended to use the \-\-transparent +option instead. +.PP +Example (assuming packets with mark 1 are delivered locally): +.IP +\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1 diff --git a/extensions/libxt_string.man b/extensions/libxt_string.man index b6b271d1..adc9c180 100644 --- a/extensions/libxt_string.man +++ b/extensions/libxt_string.man @@ -16,3 +16,13 @@ Matches the given pattern. .TP [\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP Matches the given pattern in hex notation. +.TP +Examples: +.IP +# The string pattern can be used for simple text characters. +.br +iptables \-A INPUT \-p tcp \-\-dport 80 \-m string \-\-algo bm \-\-string 'GET /index.html' \-j LOG +.IP +# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|. +.br +iptables \-p udp \-\-dport 53 \-m string \-\-algo bm \-\-from 40 \-\-to 57 \-\-hex\-string '|03|www|09|netfilter|03|org|00|' |