From 053a4fdf6536ca63ad640d0b75f54c3f4964ca2b Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 31 Aug 2012 04:06:38 +0200 Subject: build: support for automake-1.12 automake-1.12 wants that AM_PROG_AR be used when LT_INIT is. Signed-off-by: Jan Engelhardt --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 179c2d82..861f5b3e 100644 --- a/configure.ac +++ b/configure.ac @@ -13,6 +13,7 @@ AM_INIT_AUTOMAKE([-Wall]) AC_PROG_CC AM_PROG_CC_C_O AC_DISABLE_STATIC +m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) AM_PROG_LIBTOOL AC_ARG_WITH([kernel], -- cgit v1.2.3 From df60a301bf24c3b3e37188d9da155b97fd6dc076 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 31 Aug 2012 03:59:07 +0200 Subject: build: separate AC variable replacements from xtables.h It was/is a bit annoying that modifying xtables.h.in causes configure to rerun. Split the @foo@ things into a separate file to bypass this. Signed-off-by: Jan Engelhardt --- .gitignore | 2 +- Makefile.am | 2 +- configure.ac | 2 +- include/Makefile.am | 2 +- include/xtables-version.h.in | 2 + include/xtables.h | 526 ++++++++++++++++++++++++++++++++++++++++++ include/xtables.h.in | 527 ------------------------------------------- 7 files changed, 532 insertions(+), 531 deletions(-) create mode 100644 include/xtables-version.h.in create mode 100644 include/xtables.h delete mode 100644 include/xtables.h.in diff --git a/.gitignore b/.gitignore index b7c3dfb8..fa86c482 100644 --- a/.gitignore +++ b/.gitignore @@ -9,7 +9,7 @@ Makefile Makefile.in -/include/xtables.h +/include/xtables-version.h /include/iptables/internal.h /aclocal.m4 diff --git a/Makefile.am b/Makefile.am index 4eb63ebe..6400ba41 100644 --- a/Makefile.am +++ b/Makefile.am @@ -27,4 +27,4 @@ tarball: rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; config.status: extensions/GNUmakefile.in \ - include/xtables.h.in include/iptables/internal.h.in + include/xtables-version.h.in include/iptables/internal.h.in diff --git a/configure.ac b/configure.ac index 861f5b3e..4060f901 100644 --- a/configure.ac +++ b/configure.ac @@ -127,5 +127,5 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile libiptc/Makefile libiptc/libiptc.pc libiptc/libip4tc.pc libiptc/libip6tc.pc libxtables/Makefile utils/Makefile - include/xtables.h include/iptables/internal.h]) + include/xtables-version.h include/iptables/internal.h]) AC_OUTPUT diff --git a/include/Makefile.am b/include/Makefile.am index 6f7da598..e6951209 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -1,7 +1,7 @@ # -*- Makefile -*- include_HEADERS = -nobase_include_HEADERS = xtables.h +nobase_include_HEADERS = xtables.h xtables-version.h if ENABLE_LIBIPQ include_HEADERS += libipq/libipq.h diff --git a/include/xtables-version.h.in b/include/xtables-version.h.in new file mode 100644 index 00000000..cb13827c --- /dev/null +++ b/include/xtables-version.h.in @@ -0,0 +1,2 @@ +#define XTABLES_VERSION "libxtables.so.@libxtables_vmajor@" +#define XTABLES_VERSION_CODE @libxtables_vmajor@ diff --git a/include/xtables.h b/include/xtables.h new file mode 100644 index 00000000..3b15e67e --- /dev/null +++ b/include/xtables.h @@ -0,0 +1,526 @@ +#ifndef _XTABLES_H +#define _XTABLES_H + +/* + * Changing any structs/functions may incur a needed change + * in libxtables_vcurrent/vage too. + */ + +#include /* PF_* */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifndef IPPROTO_SCTP +#define IPPROTO_SCTP 132 +#endif +#ifndef IPPROTO_DCCP +#define IPPROTO_DCCP 33 +#endif +#ifndef IPPROTO_MH +# define IPPROTO_MH 135 +#endif +#ifndef IPPROTO_UDPLITE +#define IPPROTO_UDPLITE 136 +#endif + +#include + +struct in_addr; + +/* + * .size is here so that there is a somewhat reasonable check + * against the chosen .type. + */ +#define XTOPT_POINTER(stype, member) \ + .ptroff = offsetof(stype, member), \ + .size = sizeof(((stype *)NULL)->member) +#define XTOPT_TABLEEND {.name = NULL} + +/** + * Select the format the input has to conform to, as well as the target type + * (area pointed to with XTOPT_POINTER). Note that the storing is not always + * uniform. @cb->val will be populated with as much as there is space, i.e. + * exactly 2 items for ranges, but the target area can receive more values + * (e.g. in case of ranges), or less values (e.g. %XTTYPE_HOSTMASK). + * + * %XTTYPE_NONE: option takes no argument + * %XTTYPE_UINT*: standard integer + * %XTTYPE_UINT*RC: colon-separated range of standard integers + * %XTTYPE_DOUBLE: double-precision floating point number + * %XTTYPE_STRING: arbitrary string + * %XTTYPE_TOSMASK: 8-bit TOS value with optional mask + * %XTTYPE_MARKMASK32: 32-bit mark with optional mask + * %XTTYPE_SYSLOGLEVEL: syslog level by name or number + * %XTTYPE_HOST: one host or address (ptr: union nf_inet_addr) + * %XTTYPE_HOSTMASK: one host or address, with an optional prefix length + * (ptr: union nf_inet_addr; only host portion is stored) + * %XTTYPE_PROTOCOL: protocol number/name from /etc/protocols (ptr: uint8_t) + * %XTTYPE_PORT: 16-bit port name or number (supports %XTOPT_NBO) + * %XTTYPE_PORTRC: colon-separated port range (names acceptable), + * (supports %XTOPT_NBO) + * %XTTYPE_PLEN: prefix length + * %XTTYPE_PLENMASK: prefix length (ptr: union nf_inet_addr) + * %XTTYPE_ETHERMAC: Ethernet MAC address in hex form + */ +enum xt_option_type { + XTTYPE_NONE, + XTTYPE_UINT8, + XTTYPE_UINT16, + XTTYPE_UINT32, + XTTYPE_UINT64, + XTTYPE_UINT8RC, + XTTYPE_UINT16RC, + XTTYPE_UINT32RC, + XTTYPE_UINT64RC, + XTTYPE_DOUBLE, + XTTYPE_STRING, + XTTYPE_TOSMASK, + XTTYPE_MARKMASK32, + XTTYPE_SYSLOGLEVEL, + XTTYPE_HOST, + XTTYPE_HOSTMASK, + XTTYPE_PROTOCOL, + XTTYPE_PORT, + XTTYPE_PORTRC, + XTTYPE_PLEN, + XTTYPE_PLENMASK, + XTTYPE_ETHERMAC, +}; + +/** + * %XTOPT_INVERT: option is invertible (usable with !) + * %XTOPT_MAND: option is mandatory + * %XTOPT_MULTI: option may be specified multiple times + * %XTOPT_PUT: store value into memory at @ptroff + * %XTOPT_NBO: store value in network-byte order + * (only certain XTTYPEs recognize this) + */ +enum xt_option_flags { + XTOPT_INVERT = 1 << 0, + XTOPT_MAND = 1 << 1, + XTOPT_MULTI = 1 << 2, + XTOPT_PUT = 1 << 3, + XTOPT_NBO = 1 << 4, +}; + +/** + * @name: name of option + * @type: type of input and validation method, see %XTTYPE_* + * @id: unique number (within extension) for option, 0-31 + * @excl: bitmask of flags that cannot be used with this option + * @also: bitmask of flags that must be used with this option + * @flags: bitmask of option flags, see %XTOPT_* + * @ptroff: offset into private structure for member + * @size: size of the item pointed to by @ptroff; this is a safeguard + * @min: lowest allowed value (for singular integral types) + * @max: highest allowed value (for singular integral types) + */ +struct xt_option_entry { + const char *name; + enum xt_option_type type; + unsigned int id, excl, also, flags; + unsigned int ptroff; + size_t size; + unsigned int min, max; +}; + +/** + * @arg: input from command line + * @ext_name: name of extension currently being processed + * @entry: current option being processed + * @data: per-extension kernel data block + * @xflags: options of the extension that have been used + * @invert: whether option was used with ! + * @nvals: number of results in uXX_multi + * @val: parsed result + * @udata: per-extension private scratch area + * (cf. xtables_{match,target}->udata_size) + */ +struct xt_option_call { + const char *arg, *ext_name; + const struct xt_option_entry *entry; + void *data; + unsigned int xflags; + bool invert; + uint8_t nvals; + union { + uint8_t u8, u8_range[2], syslog_level, protocol; + uint16_t u16, u16_range[2], port, port_range[2]; + uint32_t u32, u32_range[2]; + uint64_t u64, u64_range[2]; + double dbl; + struct { + union nf_inet_addr haddr, hmask; + uint8_t hlen; + }; + struct { + uint8_t tos_value, tos_mask; + }; + struct { + uint32_t mark, mask; + }; + uint8_t ethermac[6]; + } val; + /* Wished for a world where the ones below were gone: */ + union { + struct xt_entry_match **match; + struct xt_entry_target **target; + }; + void *xt_entry; + void *udata; +}; + +/** + * @ext_name: name of extension currently being processed + * @data: per-extension (kernel) data block + * @udata: per-extension private scratch area + * (cf. xtables_{match,target}->udata_size) + * @xflags: options of the extension that have been used + */ +struct xt_fcheck_call { + const char *ext_name; + void *data, *udata; + unsigned int xflags; +}; + +/** + * A "linear"/linked-list based name<->id map, for files similar to + * /etc/iproute2/. + */ +struct xtables_lmap { + char *name; + int id; + struct xtables_lmap *next; +}; + +/* Include file for additions: new matches and targets. */ +struct xtables_match +{ + /* + * ABI/API version this module requires. Must be first member, + * as the rest of this struct may be subject to ABI changes. + */ + const char *version; + + struct xtables_match *next; + + const char *name; + + /* Revision of match (0 by default). */ + u_int8_t revision; + + u_int16_t family; + + /* Size of match data. */ + size_t size; + + /* Size of match data relevent for userspace comparison purposes */ + size_t userspacesize; + + /* Function which prints out usage message. */ + void (*help)(void); + + /* Initialize the match. */ + void (*init)(struct xt_entry_match *m); + + /* Function which parses command options; returns true if it + ate an option */ + /* entry is struct ipt_entry for example */ + int (*parse)(int c, char **argv, int invert, unsigned int *flags, + const void *entry, + struct xt_entry_match **match); + + /* Final check; exit if not ok. */ + void (*final_check)(unsigned int flags); + + /* Prints out the match iff non-NULL: put space at end */ + /* ip is struct ipt_ip * for example */ + void (*print)(const void *ip, + const struct xt_entry_match *match, int numeric); + + /* Saves the match info in parsable form to stdout. */ + /* ip is struct ipt_ip * for example */ + void (*save)(const void *ip, const struct xt_entry_match *match); + + /* Pointer to list of extra command-line options */ + const struct option *extra_opts; + + /* New parser */ + void (*x6_parse)(struct xt_option_call *); + void (*x6_fcheck)(struct xt_fcheck_call *); + const struct xt_option_entry *x6_options; + + /* Size of per-extension instance extra "global" scratch space */ + size_t udata_size; + + /* Ignore these men behind the curtain: */ + void *udata; + unsigned int option_offset; + struct xt_entry_match *m; + unsigned int mflags; + unsigned int loaded; /* simulate loading so options are merged properly */ +}; + +struct xtables_target +{ + /* + * ABI/API version this module requires. Must be first member, + * as the rest of this struct may be subject to ABI changes. + */ + const char *version; + + struct xtables_target *next; + + + const char *name; + + /* Revision of target (0 by default). */ + u_int8_t revision; + + u_int16_t family; + + + /* Size of target data. */ + size_t size; + + /* Size of target data relevent for userspace comparison purposes */ + size_t userspacesize; + + /* Function which prints out usage message. */ + void (*help)(void); + + /* Initialize the target. */ + void (*init)(struct xt_entry_target *t); + + /* Function which parses command options; returns true if it + ate an option */ + /* entry is struct ipt_entry for example */ + int (*parse)(int c, char **argv, int invert, unsigned int *flags, + const void *entry, + struct xt_entry_target **targetinfo); + + /* Final check; exit if not ok. */ + void (*final_check)(unsigned int flags); + + /* Prints out the target iff non-NULL: put space at end */ + void (*print)(const void *ip, + const struct xt_entry_target *target, int numeric); + + /* Saves the targinfo in parsable form to stdout. */ + void (*save)(const void *ip, + const struct xt_entry_target *target); + + /* Pointer to list of extra command-line options */ + const struct option *extra_opts; + + /* New parser */ + void (*x6_parse)(struct xt_option_call *); + void (*x6_fcheck)(struct xt_fcheck_call *); + const struct xt_option_entry *x6_options; + + size_t udata_size; + + /* Ignore these men behind the curtain: */ + void *udata; + unsigned int option_offset; + struct xt_entry_target *t; + unsigned int tflags; + unsigned int used; + unsigned int loaded; /* simulate loading so options are merged properly */ +}; + +struct xtables_rule_match { + struct xtables_rule_match *next; + struct xtables_match *match; + /* Multiple matches of the same type: the ones before + the current one are completed from parsing point of view */ + bool completed; +}; + +/** + * struct xtables_pprot - + * + * A few hardcoded protocols for 'all' and in case the user has no + * /etc/protocols. + */ +struct xtables_pprot { + const char *name; + u_int8_t num; +}; + +enum xtables_tryload { + XTF_DONT_LOAD, + XTF_DURING_LOAD, + XTF_TRY_LOAD, + XTF_LOAD_MUST_SUCCEED, +}; + +enum xtables_exittype { + OTHER_PROBLEM = 1, + PARAMETER_PROBLEM, + VERSION_PROBLEM, + RESOURCE_PROBLEM, + XTF_ONLY_ONCE, + XTF_NO_INVERT, + XTF_BAD_VALUE, + XTF_ONE_ACTION, +}; + +struct xtables_globals +{ + unsigned int option_offset; + const char *program_name, *program_version; + struct option *orig_opts; + struct option *opts; + void (*exit_err)(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); +}; + +#define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false} + +#ifdef __cplusplus +extern "C" { +#endif + +extern const char *xtables_modprobe_program; +extern struct xtables_match *xtables_matches; +extern struct xtables_target *xtables_targets; + +extern void xtables_init(void); +extern void xtables_set_nfproto(uint8_t); +extern void *xtables_calloc(size_t, size_t); +extern void *xtables_malloc(size_t); +extern void *xtables_realloc(void *, size_t); + +extern int xtables_insmod(const char *, const char *, bool); +extern int xtables_load_ko(const char *, bool); +extern int xtables_set_params(struct xtables_globals *xtp); +extern void xtables_free_opts(int reset_offset); +extern struct option *xtables_merge_options(struct option *origopts, + struct option *oldopts, const struct option *newopts, + unsigned int *option_offset); + +extern int xtables_init_all(struct xtables_globals *xtp, uint8_t nfproto); +extern struct xtables_match *xtables_find_match(const char *name, + enum xtables_tryload, struct xtables_rule_match **match); +extern struct xtables_target *xtables_find_target(const char *name, + enum xtables_tryload); + +/* Your shared library should call one of these. */ +extern void xtables_register_match(struct xtables_match *me); +extern void xtables_register_matches(struct xtables_match *, unsigned int); +extern void xtables_register_target(struct xtables_target *me); +extern void xtables_register_targets(struct xtables_target *, unsigned int); + +extern bool xtables_strtoul(const char *, char **, uintmax_t *, + uintmax_t, uintmax_t); +extern bool xtables_strtoui(const char *, char **, unsigned int *, + unsigned int, unsigned int); +extern int xtables_service_to_port(const char *name, const char *proto); +extern u_int16_t xtables_parse_port(const char *port, const char *proto); +extern void +xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask); + +/* this is a special 64bit data type that is 8-byte aligned */ +#define aligned_u64 u_int64_t __attribute__((aligned(8))) + +extern struct xtables_globals *xt_params; +#define xtables_error (xt_params->exit_err) + +extern void xtables_param_act(unsigned int, const char *, ...); + +extern const char *xtables_ipaddr_to_numeric(const struct in_addr *); +extern const char *xtables_ipaddr_to_anyname(const struct in_addr *); +extern const char *xtables_ipmask_to_numeric(const struct in_addr *); +extern struct in_addr *xtables_numeric_to_ipaddr(const char *); +extern struct in_addr *xtables_numeric_to_ipmask(const char *); +extern int xtables_ipmask_to_cidr(const struct in_addr *); +extern void xtables_ipparse_any(const char *, struct in_addr **, + struct in_addr *, unsigned int *); +extern void xtables_ipparse_multiple(const char *, struct in_addr **, + struct in_addr **, unsigned int *); + +extern struct in6_addr *xtables_numeric_to_ip6addr(const char *); +extern const char *xtables_ip6addr_to_numeric(const struct in6_addr *); +extern const char *xtables_ip6addr_to_anyname(const struct in6_addr *); +extern const char *xtables_ip6mask_to_numeric(const struct in6_addr *); +extern int xtables_ip6mask_to_cidr(const struct in6_addr *); +extern void xtables_ip6parse_any(const char *, struct in6_addr **, + struct in6_addr *, unsigned int *); +extern void xtables_ip6parse_multiple(const char *, struct in6_addr **, + struct in6_addr **, unsigned int *); + +/** + * Print the specified value to standard output, quoting dangerous + * characters if required. + */ +extern void xtables_save_string(const char *value); + +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) +# ifdef _INIT +# undef _init +# define _init _INIT +# endif + extern void init_extensions(void); + extern void init_extensions4(void); + extern void init_extensions6(void); +#else +# define _init __attribute__((constructor)) _INIT +#endif + +extern const struct xtables_pprot xtables_chain_protos[]; +extern u_int16_t xtables_parse_protocol(const char *s); + +/* kernel revision handling */ +extern int kernel_version; +extern void get_kernel_version(void); +#define LINUX_VERSION(x,y,z) (0x10000*(x) + 0x100*(y) + z) +#define LINUX_VERSION_MAJOR(x) (((x)>>16) & 0xFF) +#define LINUX_VERSION_MINOR(x) (((x)>> 8) & 0xFF) +#define LINUX_VERSION_PATCH(x) ( (x) & 0xFF) + +/* xtoptions.c */ +extern void xtables_option_metavalidate(const char *, + const struct xt_option_entry *); +extern struct option *xtables_options_xfrm(struct option *, struct option *, + const struct xt_option_entry *, + unsigned int *); +extern void xtables_option_parse(struct xt_option_call *); +extern void xtables_option_tpcall(unsigned int, char **, bool, + struct xtables_target *, void *); +extern void xtables_option_mpcall(unsigned int, char **, bool, + struct xtables_match *, void *); +extern void xtables_option_tfcall(struct xtables_target *); +extern void xtables_option_mfcall(struct xtables_match *); +extern void xtables_options_fcheck(const char *, unsigned int, + const struct xt_option_entry *); + +extern struct xtables_lmap *xtables_lmap_init(const char *); +extern void xtables_lmap_free(struct xtables_lmap *); +extern int xtables_lmap_name2id(const struct xtables_lmap *, const char *); +extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int); + +#ifdef XTABLES_INTERNAL + +/* Shipped modules rely on this... */ + +# ifndef ARRAY_SIZE +# define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x))) +# endif + +extern void _init(void); + +#endif + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#endif /* _XTABLES_H */ diff --git a/include/xtables.h.in b/include/xtables.h.in deleted file mode 100644 index db69c03b..00000000 --- a/include/xtables.h.in +++ /dev/null @@ -1,527 +0,0 @@ -#ifndef _XTABLES_H -#define _XTABLES_H - -/* - * Changing any structs/functions may incur a needed change - * in libxtables_vcurrent/vage too. - */ - -#include /* PF_* */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#ifndef IPPROTO_SCTP -#define IPPROTO_SCTP 132 -#endif -#ifndef IPPROTO_DCCP -#define IPPROTO_DCCP 33 -#endif -#ifndef IPPROTO_MH -# define IPPROTO_MH 135 -#endif -#ifndef IPPROTO_UDPLITE -#define IPPROTO_UDPLITE 136 -#endif - -#define XTABLES_VERSION "libxtables.so.@libxtables_vmajor@" -#define XTABLES_VERSION_CODE @libxtables_vmajor@ - -struct in_addr; - -/* - * .size is here so that there is a somewhat reasonable check - * against the chosen .type. - */ -#define XTOPT_POINTER(stype, member) \ - .ptroff = offsetof(stype, member), \ - .size = sizeof(((stype *)NULL)->member) -#define XTOPT_TABLEEND {.name = NULL} - -/** - * Select the format the input has to conform to, as well as the target type - * (area pointed to with XTOPT_POINTER). Note that the storing is not always - * uniform. @cb->val will be populated with as much as there is space, i.e. - * exactly 2 items for ranges, but the target area can receive more values - * (e.g. in case of ranges), or less values (e.g. %XTTYPE_HOSTMASK). - * - * %XTTYPE_NONE: option takes no argument - * %XTTYPE_UINT*: standard integer - * %XTTYPE_UINT*RC: colon-separated range of standard integers - * %XTTYPE_DOUBLE: double-precision floating point number - * %XTTYPE_STRING: arbitrary string - * %XTTYPE_TOSMASK: 8-bit TOS value with optional mask - * %XTTYPE_MARKMASK32: 32-bit mark with optional mask - * %XTTYPE_SYSLOGLEVEL: syslog level by name or number - * %XTTYPE_HOST: one host or address (ptr: union nf_inet_addr) - * %XTTYPE_HOSTMASK: one host or address, with an optional prefix length - * (ptr: union nf_inet_addr; only host portion is stored) - * %XTTYPE_PROTOCOL: protocol number/name from /etc/protocols (ptr: uint8_t) - * %XTTYPE_PORT: 16-bit port name or number (supports %XTOPT_NBO) - * %XTTYPE_PORTRC: colon-separated port range (names acceptable), - * (supports %XTOPT_NBO) - * %XTTYPE_PLEN: prefix length - * %XTTYPE_PLENMASK: prefix length (ptr: union nf_inet_addr) - * %XTTYPE_ETHERMAC: Ethernet MAC address in hex form - */ -enum xt_option_type { - XTTYPE_NONE, - XTTYPE_UINT8, - XTTYPE_UINT16, - XTTYPE_UINT32, - XTTYPE_UINT64, - XTTYPE_UINT8RC, - XTTYPE_UINT16RC, - XTTYPE_UINT32RC, - XTTYPE_UINT64RC, - XTTYPE_DOUBLE, - XTTYPE_STRING, - XTTYPE_TOSMASK, - XTTYPE_MARKMASK32, - XTTYPE_SYSLOGLEVEL, - XTTYPE_HOST, - XTTYPE_HOSTMASK, - XTTYPE_PROTOCOL, - XTTYPE_PORT, - XTTYPE_PORTRC, - XTTYPE_PLEN, - XTTYPE_PLENMASK, - XTTYPE_ETHERMAC, -}; - -/** - * %XTOPT_INVERT: option is invertible (usable with !) - * %XTOPT_MAND: option is mandatory - * %XTOPT_MULTI: option may be specified multiple times - * %XTOPT_PUT: store value into memory at @ptroff - * %XTOPT_NBO: store value in network-byte order - * (only certain XTTYPEs recognize this) - */ -enum xt_option_flags { - XTOPT_INVERT = 1 << 0, - XTOPT_MAND = 1 << 1, - XTOPT_MULTI = 1 << 2, - XTOPT_PUT = 1 << 3, - XTOPT_NBO = 1 << 4, -}; - -/** - * @name: name of option - * @type: type of input and validation method, see %XTTYPE_* - * @id: unique number (within extension) for option, 0-31 - * @excl: bitmask of flags that cannot be used with this option - * @also: bitmask of flags that must be used with this option - * @flags: bitmask of option flags, see %XTOPT_* - * @ptroff: offset into private structure for member - * @size: size of the item pointed to by @ptroff; this is a safeguard - * @min: lowest allowed value (for singular integral types) - * @max: highest allowed value (for singular integral types) - */ -struct xt_option_entry { - const char *name; - enum xt_option_type type; - unsigned int id, excl, also, flags; - unsigned int ptroff; - size_t size; - unsigned int min, max; -}; - -/** - * @arg: input from command line - * @ext_name: name of extension currently being processed - * @entry: current option being processed - * @data: per-extension kernel data block - * @xflags: options of the extension that have been used - * @invert: whether option was used with ! - * @nvals: number of results in uXX_multi - * @val: parsed result - * @udata: per-extension private scratch area - * (cf. xtables_{match,target}->udata_size) - */ -struct xt_option_call { - const char *arg, *ext_name; - const struct xt_option_entry *entry; - void *data; - unsigned int xflags; - bool invert; - uint8_t nvals; - union { - uint8_t u8, u8_range[2], syslog_level, protocol; - uint16_t u16, u16_range[2], port, port_range[2]; - uint32_t u32, u32_range[2]; - uint64_t u64, u64_range[2]; - double dbl; - struct { - union nf_inet_addr haddr, hmask; - uint8_t hlen; - }; - struct { - uint8_t tos_value, tos_mask; - }; - struct { - uint32_t mark, mask; - }; - uint8_t ethermac[6]; - } val; - /* Wished for a world where the ones below were gone: */ - union { - struct xt_entry_match **match; - struct xt_entry_target **target; - }; - void *xt_entry; - void *udata; -}; - -/** - * @ext_name: name of extension currently being processed - * @data: per-extension (kernel) data block - * @udata: per-extension private scratch area - * (cf. xtables_{match,target}->udata_size) - * @xflags: options of the extension that have been used - */ -struct xt_fcheck_call { - const char *ext_name; - void *data, *udata; - unsigned int xflags; -}; - -/** - * A "linear"/linked-list based name<->id map, for files similar to - * /etc/iproute2/. - */ -struct xtables_lmap { - char *name; - int id; - struct xtables_lmap *next; -}; - -/* Include file for additions: new matches and targets. */ -struct xtables_match -{ - /* - * ABI/API version this module requires. Must be first member, - * as the rest of this struct may be subject to ABI changes. - */ - const char *version; - - struct xtables_match *next; - - const char *name; - - /* Revision of match (0 by default). */ - u_int8_t revision; - - u_int16_t family; - - /* Size of match data. */ - size_t size; - - /* Size of match data relevent for userspace comparison purposes */ - size_t userspacesize; - - /* Function which prints out usage message. */ - void (*help)(void); - - /* Initialize the match. */ - void (*init)(struct xt_entry_match *m); - - /* Function which parses command options; returns true if it - ate an option */ - /* entry is struct ipt_entry for example */ - int (*parse)(int c, char **argv, int invert, unsigned int *flags, - const void *entry, - struct xt_entry_match **match); - - /* Final check; exit if not ok. */ - void (*final_check)(unsigned int flags); - - /* Prints out the match iff non-NULL: put space at end */ - /* ip is struct ipt_ip * for example */ - void (*print)(const void *ip, - const struct xt_entry_match *match, int numeric); - - /* Saves the match info in parsable form to stdout. */ - /* ip is struct ipt_ip * for example */ - void (*save)(const void *ip, const struct xt_entry_match *match); - - /* Pointer to list of extra command-line options */ - const struct option *extra_opts; - - /* New parser */ - void (*x6_parse)(struct xt_option_call *); - void (*x6_fcheck)(struct xt_fcheck_call *); - const struct xt_option_entry *x6_options; - - /* Size of per-extension instance extra "global" scratch space */ - size_t udata_size; - - /* Ignore these men behind the curtain: */ - void *udata; - unsigned int option_offset; - struct xt_entry_match *m; - unsigned int mflags; - unsigned int loaded; /* simulate loading so options are merged properly */ -}; - -struct xtables_target -{ - /* - * ABI/API version this module requires. Must be first member, - * as the rest of this struct may be subject to ABI changes. - */ - const char *version; - - struct xtables_target *next; - - - const char *name; - - /* Revision of target (0 by default). */ - u_int8_t revision; - - u_int16_t family; - - - /* Size of target data. */ - size_t size; - - /* Size of target data relevent for userspace comparison purposes */ - size_t userspacesize; - - /* Function which prints out usage message. */ - void (*help)(void); - - /* Initialize the target. */ - void (*init)(struct xt_entry_target *t); - - /* Function which parses command options; returns true if it - ate an option */ - /* entry is struct ipt_entry for example */ - int (*parse)(int c, char **argv, int invert, unsigned int *flags, - const void *entry, - struct xt_entry_target **targetinfo); - - /* Final check; exit if not ok. */ - void (*final_check)(unsigned int flags); - - /* Prints out the target iff non-NULL: put space at end */ - void (*print)(const void *ip, - const struct xt_entry_target *target, int numeric); - - /* Saves the targinfo in parsable form to stdout. */ - void (*save)(const void *ip, - const struct xt_entry_target *target); - - /* Pointer to list of extra command-line options */ - const struct option *extra_opts; - - /* New parser */ - void (*x6_parse)(struct xt_option_call *); - void (*x6_fcheck)(struct xt_fcheck_call *); - const struct xt_option_entry *x6_options; - - size_t udata_size; - - /* Ignore these men behind the curtain: */ - void *udata; - unsigned int option_offset; - struct xt_entry_target *t; - unsigned int tflags; - unsigned int used; - unsigned int loaded; /* simulate loading so options are merged properly */ -}; - -struct xtables_rule_match { - struct xtables_rule_match *next; - struct xtables_match *match; - /* Multiple matches of the same type: the ones before - the current one are completed from parsing point of view */ - bool completed; -}; - -/** - * struct xtables_pprot - - * - * A few hardcoded protocols for 'all' and in case the user has no - * /etc/protocols. - */ -struct xtables_pprot { - const char *name; - u_int8_t num; -}; - -enum xtables_tryload { - XTF_DONT_LOAD, - XTF_DURING_LOAD, - XTF_TRY_LOAD, - XTF_LOAD_MUST_SUCCEED, -}; - -enum xtables_exittype { - OTHER_PROBLEM = 1, - PARAMETER_PROBLEM, - VERSION_PROBLEM, - RESOURCE_PROBLEM, - XTF_ONLY_ONCE, - XTF_NO_INVERT, - XTF_BAD_VALUE, - XTF_ONE_ACTION, -}; - -struct xtables_globals -{ - unsigned int option_offset; - const char *program_name, *program_version; - struct option *orig_opts; - struct option *opts; - void (*exit_err)(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); -}; - -#define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false} - -#ifdef __cplusplus -extern "C" { -#endif - -extern const char *xtables_modprobe_program; -extern struct xtables_match *xtables_matches; -extern struct xtables_target *xtables_targets; - -extern void xtables_init(void); -extern void xtables_set_nfproto(uint8_t); -extern void *xtables_calloc(size_t, size_t); -extern void *xtables_malloc(size_t); -extern void *xtables_realloc(void *, size_t); - -extern int xtables_insmod(const char *, const char *, bool); -extern int xtables_load_ko(const char *, bool); -extern int xtables_set_params(struct xtables_globals *xtp); -extern void xtables_free_opts(int reset_offset); -extern struct option *xtables_merge_options(struct option *origopts, - struct option *oldopts, const struct option *newopts, - unsigned int *option_offset); - -extern int xtables_init_all(struct xtables_globals *xtp, uint8_t nfproto); -extern struct xtables_match *xtables_find_match(const char *name, - enum xtables_tryload, struct xtables_rule_match **match); -extern struct xtables_target *xtables_find_target(const char *name, - enum xtables_tryload); - -/* Your shared library should call one of these. */ -extern void xtables_register_match(struct xtables_match *me); -extern void xtables_register_matches(struct xtables_match *, unsigned int); -extern void xtables_register_target(struct xtables_target *me); -extern void xtables_register_targets(struct xtables_target *, unsigned int); - -extern bool xtables_strtoul(const char *, char **, uintmax_t *, - uintmax_t, uintmax_t); -extern bool xtables_strtoui(const char *, char **, unsigned int *, - unsigned int, unsigned int); -extern int xtables_service_to_port(const char *name, const char *proto); -extern u_int16_t xtables_parse_port(const char *port, const char *proto); -extern void -xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask); - -/* this is a special 64bit data type that is 8-byte aligned */ -#define aligned_u64 u_int64_t __attribute__((aligned(8))) - -extern struct xtables_globals *xt_params; -#define xtables_error (xt_params->exit_err) - -extern void xtables_param_act(unsigned int, const char *, ...); - -extern const char *xtables_ipaddr_to_numeric(const struct in_addr *); -extern const char *xtables_ipaddr_to_anyname(const struct in_addr *); -extern const char *xtables_ipmask_to_numeric(const struct in_addr *); -extern struct in_addr *xtables_numeric_to_ipaddr(const char *); -extern struct in_addr *xtables_numeric_to_ipmask(const char *); -extern int xtables_ipmask_to_cidr(const struct in_addr *); -extern void xtables_ipparse_any(const char *, struct in_addr **, - struct in_addr *, unsigned int *); -extern void xtables_ipparse_multiple(const char *, struct in_addr **, - struct in_addr **, unsigned int *); - -extern struct in6_addr *xtables_numeric_to_ip6addr(const char *); -extern const char *xtables_ip6addr_to_numeric(const struct in6_addr *); -extern const char *xtables_ip6addr_to_anyname(const struct in6_addr *); -extern const char *xtables_ip6mask_to_numeric(const struct in6_addr *); -extern int xtables_ip6mask_to_cidr(const struct in6_addr *); -extern void xtables_ip6parse_any(const char *, struct in6_addr **, - struct in6_addr *, unsigned int *); -extern void xtables_ip6parse_multiple(const char *, struct in6_addr **, - struct in6_addr **, unsigned int *); - -/** - * Print the specified value to standard output, quoting dangerous - * characters if required. - */ -extern void xtables_save_string(const char *value); - -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) -# ifdef _INIT -# undef _init -# define _init _INIT -# endif - extern void init_extensions(void); - extern void init_extensions4(void); - extern void init_extensions6(void); -#else -# define _init __attribute__((constructor)) _INIT -#endif - -extern const struct xtables_pprot xtables_chain_protos[]; -extern u_int16_t xtables_parse_protocol(const char *s); - -/* kernel revision handling */ -extern int kernel_version; -extern void get_kernel_version(void); -#define LINUX_VERSION(x,y,z) (0x10000*(x) + 0x100*(y) + z) -#define LINUX_VERSION_MAJOR(x) (((x)>>16) & 0xFF) -#define LINUX_VERSION_MINOR(x) (((x)>> 8) & 0xFF) -#define LINUX_VERSION_PATCH(x) ( (x) & 0xFF) - -/* xtoptions.c */ -extern void xtables_option_metavalidate(const char *, - const struct xt_option_entry *); -extern struct option *xtables_options_xfrm(struct option *, struct option *, - const struct xt_option_entry *, - unsigned int *); -extern void xtables_option_parse(struct xt_option_call *); -extern void xtables_option_tpcall(unsigned int, char **, bool, - struct xtables_target *, void *); -extern void xtables_option_mpcall(unsigned int, char **, bool, - struct xtables_match *, void *); -extern void xtables_option_tfcall(struct xtables_target *); -extern void xtables_option_mfcall(struct xtables_match *); -extern void xtables_options_fcheck(const char *, unsigned int, - const struct xt_option_entry *); - -extern struct xtables_lmap *xtables_lmap_init(const char *); -extern void xtables_lmap_free(struct xtables_lmap *); -extern int xtables_lmap_name2id(const struct xtables_lmap *, const char *); -extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int); - -#ifdef XTABLES_INTERNAL - -/* Shipped modules rely on this... */ - -# ifndef ARRAY_SIZE -# define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x))) -# endif - -extern void _init(void); - -#endif - -#ifdef __cplusplus -} /* extern "C" */ -#endif - -#endif /* _XTABLES_H */ -- cgit v1.2.3 From 954b76c317f641b7faf33cc26931d45585cc0dea Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 27 Sep 2012 21:36:35 +0200 Subject: libxtables: consolidate preference logic Alias support will require testing for more conditions, so move the revision comparison code into a separate function where it can be shared between matches and targets. Signed-off-by: Jan Engelhardt --- libxtables/xtables.c | 69 ++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 53 insertions(+), 16 deletions(-) diff --git a/libxtables/xtables.c b/libxtables/xtables.c index d8185796..7f0d3ccb 100644 --- a/libxtables/xtables.c +++ b/libxtables/xtables.c @@ -862,14 +862,58 @@ void xtables_register_match(struct xtables_match *me) xtables_pending_matches = me; } +/** + * Compare two actions for their preference + * @a: one action + * @b: another + * + * Like strcmp, returns a negative number if @a is less preferred than @b, + * positive number if @a is more preferred than @b, or zero if equally + * preferred. + */ +static int +xtables_mt_prefer(unsigned int a_rev, unsigned int a_fam, + unsigned int b_rev, unsigned int b_fam) +{ + /* Higher revision ranks higher. */ + if (a_rev < b_rev) + return -1; + if (a_rev > b_rev) + return 1; + + /* NFPROTO_ ranks higher than NFPROTO_UNSPEC. */ + if (a_fam == NFPROTO_UNSPEC && b_fam != NFPROTO_UNSPEC) + return -1; + if (a_fam != NFPROTO_UNSPEC && b_fam == NFPROTO_UNSPEC) + return 1; + + /* Must be the same thing. */ + return 0; +} + +static int xtables_match_prefer(const struct xtables_match *a, + const struct xtables_match *b) +{ + return xtables_mt_prefer(a->revision, a->family, + b->revision, b->family); +} + +static int xtables_target_prefer(const struct xtables_target *a, + const struct xtables_target *b) +{ + return xtables_mt_prefer(a->revision, a->family, + b->revision, b->family); +} + static void xtables_fully_register_pending_match(struct xtables_match *me) { struct xtables_match **i, *old; + int compare; old = xtables_find_match(me->name, XTF_DURING_LOAD, NULL); if (old) { - if (old->revision == me->revision && - old->family == me->family) { + compare = xtables_match_prefer(old, me); + if (compare == 0) { fprintf(stderr, "%s: match `%s' already registered.\n", xt_params->program_name, me->name); @@ -877,18 +921,14 @@ static void xtables_fully_register_pending_match(struct xtables_match *me) } /* Now we have two (or more) options, check compatibility. */ - if (compatible_match_revision(old->name, old->revision) - && old->revision > me->revision) + if (compare > 0 && + compatible_match_revision(old->name, old->revision)) return; /* See if new match can be used. */ if (!compatible_match_revision(me->name, me->revision)) return; - /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */ - if (old->revision == me->revision && me->family == AF_UNSPEC) - return; - /* Delete old one. */ for (i = &xtables_matches; *i!=old; i = &(*i)->next); *i = old->next; @@ -962,13 +1002,14 @@ void xtables_register_target(struct xtables_target *me) static void xtables_fully_register_pending_target(struct xtables_target *me) { struct xtables_target *old; + int compare; old = xtables_find_target(me->name, XTF_DURING_LOAD); if (old) { struct xtables_target **i; - if (old->revision == me->revision && - old->family == me->family) { + compare = xtables_target_prefer(old, me); + if (compare == 0) { fprintf(stderr, "%s: target `%s' already registered.\n", xt_params->program_name, me->name); @@ -976,18 +1017,14 @@ static void xtables_fully_register_pending_target(struct xtables_target *me) } /* Now we have two (or more) options, check compatibility. */ - if (compatible_target_revision(old->name, old->revision) - && old->revision > me->revision) + if (compare > 0 && + compatible_target_revision(old->name, old->revision)) return; /* See if new target can be used. */ if (!compatible_target_revision(me->name, me->revision)) return; - /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */ - if (old->revision == me->revision && me->family == AF_UNSPEC) - return; - /* Delete old one. */ for (i = &xtables_targets; *i!=old; i = &(*i)->next); *i = old->next; -- cgit v1.2.3 From cd2f9bdbb7f9b737e5d640aafeb78bcd8e3a7adf Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 4 Sep 2012 05:24:47 +0200 Subject: iptables: support for target aliases This patch allows for target names listed on the command line to be rewritten to new names and revisions. As before, we will pick a revision that is supported by the kernel - now including real_name in the search. This gives us the possibility to test for many action names. Signed-off-by: Jan Engelhardt --- configure.ac | 4 ++-- include/xtables.h | 3 +++ iptables/ip6tables.c | 7 ++++++- iptables/iptables.c | 8 +++++++- libxtables/xtables.c | 32 +++++++++++++++++++++++++------- 5 files changed, 43 insertions(+), 11 deletions(-) diff --git a/configure.ac b/configure.ac index 4060f901..adda50e4 100644 --- a/configure.ac +++ b/configure.ac @@ -2,8 +2,8 @@ AC_INIT([iptables], [1.4.15]) # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=8 -libxtables_vage=1 +libxtables_vcurrent=9 +libxtables_vage=0 AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_HEADERS([config.h]) diff --git a/include/xtables.h b/include/xtables.h index 3b15e67e..7bdc331c 100644 --- a/include/xtables.h +++ b/include/xtables.h @@ -282,6 +282,9 @@ struct xtables_target const char *name; + /* Real target behind this, if any. */ + const char *real_name; + /* Revision of target (0 by default). */ u_int8_t revision; diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index b191d5df..752cf033 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -1286,8 +1286,13 @@ static void command_jump(struct iptables_command_state *cs) cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; - strcpy(cs->target->t->u.user.name, cs->jumpto); + strcpy(cs->target->t->u.user.name, cs->target->real_name); cs->target->t->u.user.revision = cs->target->revision; + if (cs->target->real_name != cs->target->name) + fprintf(stderr, "WARNING: The %s target is obsolete. " + "Use %s instead.\n", + cs->jumpto, cs->target->real_name); + xs_init_target(cs->target); if (cs->target->x6_options != NULL) opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts, diff --git a/iptables/iptables.c b/iptables/iptables.c index 03ac63b8..a237e93c 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -1295,8 +1295,14 @@ static void command_jump(struct iptables_command_state *cs) cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; - strcpy(cs->target->t->u.user.name, cs->jumpto); + strcpy(cs->target->t->u.user.name, cs->target->real_name); cs->target->t->u.user.revision = cs->target->revision; + if (cs->target->real_name != cs->target->name) + /* Alias support for userspace side */ + fprintf(stderr, "WARNING: The %s target is obsolete. " + "Use %s instead.\n", + cs->jumpto, cs->target->real_name); + xs_init_target(cs->target); if (cs->target->x6_options != NULL) diff --git a/libxtables/xtables.c b/libxtables/xtables.c index 7f0d3ccb..a2b24c5a 100644 --- a/libxtables/xtables.c +++ b/libxtables/xtables.c @@ -872,9 +872,18 @@ void xtables_register_match(struct xtables_match *me) * preferred. */ static int -xtables_mt_prefer(unsigned int a_rev, unsigned int a_fam, - unsigned int b_rev, unsigned int b_fam) +xtables_mt_prefer(bool a_alias, unsigned int a_rev, unsigned int a_fam, + bool b_alias, unsigned int b_rev, unsigned int b_fam) { + /* + * Alias ranks higher than no alias. + * (We want the new action to be used whenever possible.) + */ + if (!a_alias && b_alias) + return -1; + if (a_alias && !b_alias) + return 1; + /* Higher revision ranks higher. */ if (a_rev < b_rev) return -1; @@ -894,14 +903,21 @@ xtables_mt_prefer(unsigned int a_rev, unsigned int a_fam, static int xtables_match_prefer(const struct xtables_match *a, const struct xtables_match *b) { - return xtables_mt_prefer(a->revision, a->family, - b->revision, b->family); + return xtables_mt_prefer(false, a->revision, a->family, + false, b->revision, b->family); } static int xtables_target_prefer(const struct xtables_target *a, const struct xtables_target *b) { - return xtables_mt_prefer(a->revision, a->family, + /* + * Note that if x->real_name==NULL, it will be set to x->name in + * xtables_register_*; the direct pointer comparison here is therefore + * legitimate to detect an alias. + */ + return xtables_mt_prefer(a->name != a->real_name, + a->revision, a->family, + b->name != b->real_name, b->revision, b->family); } @@ -985,6 +1001,8 @@ void xtables_register_target(struct xtables_target *me) exit(1); } + if (me->real_name == NULL) + me->real_name = me->name; if (me->x6_options != NULL) xtables_option_metavalidate(me->name, me->x6_options); if (me->extra_opts != NULL) @@ -1018,11 +1036,11 @@ static void xtables_fully_register_pending_target(struct xtables_target *me) /* Now we have two (or more) options, check compatibility. */ if (compare > 0 && - compatible_target_revision(old->name, old->revision)) + compatible_target_revision(old->real_name, old->revision)) return; /* See if new target can be used. */ - if (!compatible_target_revision(me->name, me->revision)) + if (!compatible_target_revision(me->real_name, me->revision)) return; /* Delete old one. */ -- cgit v1.2.3 From 50f19190a60ff7d69e88406a71a2f27e09008566 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 4 Sep 2012 05:38:48 +0200 Subject: libxt_NOTRACK: replace as an alias to CT --notrack Note that we do not need any print/save functions for the alias entries, since the real CT entry will handle this. Signed-off-by: Jan Engelhardt --- extensions/GNUmakefile.in | 4 ++++ extensions/libxt_CT.c | 40 ++++++++++++++++++++++++++++++++++++++++ extensions/libxt_NOTRACK.c | 15 --------------- 3 files changed, 44 insertions(+), 15 deletions(-) delete mode 100644 extensions/libxt_NOTRACK.c diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index 218dc3ad..b6a5cb40 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -39,6 +39,7 @@ endif # Wildcard module list # pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c))) +pfx_build_mod += NOTRACK @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c))) @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c))) pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) @@ -96,6 +97,9 @@ lib%.so: lib%.oo lib%.oo: ${srcdir}/lib%.c ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; +libxt_NOTRACK.so: libxt_CT.so + ln -fs $< $@ + # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD xt_RATEEST_LIBADD = -lm xt_statistic_LIBADD = -lm diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c index 27a20e2e..a576a953 100644 --- a/extensions/libxt_CT.c +++ b/extensions/libxt_CT.c @@ -248,6 +248,20 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target) printf(" --zone %u", info->zone); } +static void notrack_ct0_tg_init(struct xt_entry_target *target) +{ + struct xt_ct_target_info *info = (void *)target->data; + + info->flags = XT_CT_NOTRACK; +} + +static void notrack_ct1_tg_init(struct xt_entry_target *target) +{ + struct xt_ct_target_info_v1 *info = (void *)target->data; + + info->flags = XT_CT_NOTRACK; +} + static struct xtables_target ct_target_reg[] = { { .family = NFPROTO_UNSPEC, @@ -274,6 +288,32 @@ static struct xtables_target ct_target_reg[] = { .x6_parse = ct_parse_v1, .x6_options = ct_opts_v1, }, + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", + .real_name = "CT", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_ct_target_info)), + .userspacesize = offsetof(struct xt_ct_target_info, ct), + .init = notrack_ct0_tg_init, + }, + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", + .real_name = "CT", + .revision = 1, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)), + .userspacesize = offsetof(struct xt_ct_target_info_v1, ct), + .init = notrack_ct1_tg_init, + }, + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", + .revision = 0, + .version = XTABLES_VERSION, + }, }; void _init(void) diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c deleted file mode 100644 index ca587002..00000000 --- a/extensions/libxt_NOTRACK.c +++ /dev/null @@ -1,15 +0,0 @@ -/* Shared library add-on to iptables to add NOTRACK target support. */ -#include - -static struct xtables_target notrack_target = { - .family = NFPROTO_UNSPEC, - .name = "NOTRACK", - .version = XTABLES_VERSION, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), -}; - -void _init(void) -{ - xtables_register_target(¬rack_target); -} -- cgit v1.2.3 From c436dad7cfdd80ca4a05ceed556c39babc266f55 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 27 Sep 2012 23:48:25 +0200 Subject: iptables: support for match aliases This patch allows for match names listed on the command line to be rewritten to new names and revisions, like we did for targets before. Signed-off-by: Jan Engelhardt --- include/xtables.h | 1 + iptables/ip6tables.c | 6 +++++- iptables/iptables.c | 6 +++++- libxtables/xtables.c | 12 ++++++++---- 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/include/xtables.h b/include/xtables.h index 7bdc331c..2cc1a028 100644 --- a/include/xtables.h +++ b/include/xtables.h @@ -213,6 +213,7 @@ struct xtables_match struct xtables_match *next; const char *name; + const char *real_name; /* Revision of match (0 by default). */ u_int8_t revision; diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index 752cf033..f93bfb33 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -1319,8 +1319,12 @@ static void command_match(struct iptables_command_state *cs) size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size; m->m = xtables_calloc(1, size); m->m->u.match_size = size; - strcpy(m->m->u.user.name, m->name); + strcpy(m->m->u.user.name, m->real_name); m->m->u.user.revision = m->revision; + if (m->real_name != m->name) + fprintf(stderr, "WARNING: The %s match is obsolete. " + "Use %s instead.\n", m->name, m->real_name); + xs_init_match(m); if (m == m->next) return; diff --git a/iptables/iptables.c b/iptables/iptables.c index a237e93c..5786bfdd 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -1330,8 +1330,12 @@ static void command_match(struct iptables_command_state *cs) size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size; m->m = xtables_calloc(1, size); m->m->u.match_size = size; - strcpy(m->m->u.user.name, m->name); + strcpy(m->m->u.user.name, m->real_name); m->m->u.user.revision = m->revision; + if (m->real_name != m->name) + fprintf(stderr, "WARNING: The %s match is obsolete. " + "Use %s instead.\n", m->name, m->real_name); + xs_init_match(m); if (m == m->next) return; diff --git a/libxtables/xtables.c b/libxtables/xtables.c index a2b24c5a..82c3643b 100644 --- a/libxtables/xtables.c +++ b/libxtables/xtables.c @@ -848,6 +848,8 @@ void xtables_register_match(struct xtables_match *me) exit(1); } + if (me->real_name == NULL) + me->real_name = me->name; if (me->x6_options != NULL) xtables_option_metavalidate(me->name, me->x6_options); if (me->extra_opts != NULL) @@ -903,8 +905,10 @@ xtables_mt_prefer(bool a_alias, unsigned int a_rev, unsigned int a_fam, static int xtables_match_prefer(const struct xtables_match *a, const struct xtables_match *b) { - return xtables_mt_prefer(false, a->revision, a->family, - false, b->revision, b->family); + return xtables_mt_prefer(a->name != a->real_name, + a->revision, a->family, + b->name != b->real_name, + b->revision, b->family); } static int xtables_target_prefer(const struct xtables_target *a, @@ -938,11 +942,11 @@ static void xtables_fully_register_pending_match(struct xtables_match *me) /* Now we have two (or more) options, check compatibility. */ if (compare > 0 && - compatible_match_revision(old->name, old->revision)) + compatible_match_revision(old->real_name, old->revision)) return; /* See if new match can be used. */ - if (!compatible_match_revision(me->name, me->revision)) + if (!compatible_match_revision(me->real_name, me->revision)) return; /* Delete old one. */ -- cgit v1.2.3 From 0d701631625898ac33fb53c67ed2b529668fe0d7 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 28 Sep 2012 00:12:42 +0200 Subject: libxt_state: replace as an alias to xt_conntrack Signed-off-by: Jan Engelhardt --- extensions/GNUmakefile.in | 4 +- extensions/libxt_conntrack.c | 191 +++++++++++++++++++++++++++++++++++++++++++ extensions/libxt_state.c | 137 ------------------------------- 3 files changed, 194 insertions(+), 138 deletions(-) delete mode 100644 extensions/libxt_state.c diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index b6a5cb40..0e7907e9 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -39,7 +39,7 @@ endif # Wildcard module list # pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c))) -pfx_build_mod += NOTRACK +pfx_build_mod += NOTRACK state @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c))) @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c))) pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) @@ -99,6 +99,8 @@ lib%.oo: ${srcdir}/lib%.c libxt_NOTRACK.so: libxt_CT.so ln -fs $< $@ +libxt_state.so: libxt_conntrack.so + ln -fs $< $@ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD xt_RATEEST_LIBADD = -lm diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index fff69f8a..c37f14d2 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -13,7 +13,11 @@ #include #include #include +#include #include +#ifndef XT_STATE_UNTRACKED +#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1)) +#endif struct ip_conntrack_old_tuple { struct { @@ -1003,6 +1007,144 @@ conntrack1_mt6_save(const void *ip, const struct xt_entry_match *match) conntrack_dump(&up, "--", NFPROTO_IPV6, true, false); } +static void +state_help(void) +{ + printf( +"state match options:\n" +" [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]\n" +" State(s) to match\n"); +} + +static const struct xt_option_entry state_opts[] = { + {.name = "state", .id = O_CTSTATE, .type = XTTYPE_STRING, + .flags = XTOPT_MAND | XTOPT_INVERT}, + XTOPT_TABLEEND, +}; + +static unsigned int +state_parse_state(const char *state, size_t len) +{ + if (strncasecmp(state, "INVALID", len) == 0) + return XT_STATE_INVALID; + else if (strncasecmp(state, "NEW", len) == 0) + return XT_STATE_BIT(IP_CT_NEW); + else if (strncasecmp(state, "ESTABLISHED", len) == 0) + return XT_STATE_BIT(IP_CT_ESTABLISHED); + else if (strncasecmp(state, "RELATED", len) == 0) + return XT_STATE_BIT(IP_CT_RELATED); + else if (strncasecmp(state, "UNTRACKED", len) == 0) + return XT_STATE_UNTRACKED; + return 0; +} + +static unsigned int +state_parse_states(const char *arg) +{ + const char *comma; + unsigned int mask = 0, flag; + + while ((comma = strchr(arg, ',')) != NULL) { + if (comma == arg) + goto badstate; + flag = state_parse_state(arg, comma-arg); + if (flag == 0) + goto badstate; + mask |= flag; + arg = comma+1; + } + if (!*arg) + xtables_error(PARAMETER_PROBLEM, "\"--state\" requires a list of " + "states with no spaces, e.g. " + "ESTABLISHED,RELATED"); + if (strlen(arg) == 0) + goto badstate; + flag = state_parse_state(arg, strlen(arg)); + if (flag == 0) + goto badstate; + mask |= flag; + return mask; + badstate: + xtables_error(PARAMETER_PROBLEM, "Bad state \"%s\"", arg); +} + +static void state_parse(struct xt_option_call *cb) +{ + struct xt_state_info *sinfo = cb->data; + + xtables_option_parse(cb); + sinfo->statemask = state_parse_states(cb->arg); + if (cb->invert) + sinfo->statemask = ~sinfo->statemask; +} + +static void state_ct1_parse(struct xt_option_call *cb) +{ + struct xt_conntrack_mtinfo1 *sinfo = cb->data; + + xtables_option_parse(cb); + sinfo->match_flags = XT_CONNTRACK_STATE; + sinfo->state_mask = state_parse_states(cb->arg); + if (cb->invert) + sinfo->invert_flags |= XT_CONNTRACK_STATE; +} + +static void state_ct23_parse(struct xt_option_call *cb) +{ + struct xt_conntrack_mtinfo3 *sinfo = cb->data; + + xtables_option_parse(cb); + sinfo->match_flags = XT_CONNTRACK_STATE; + sinfo->state_mask = state_parse_states(cb->arg); + if (cb->invert) + sinfo->invert_flags |= XT_CONNTRACK_STATE; +} + +static void state_print_state(unsigned int statemask) +{ + const char *sep = ""; + + if (statemask & XT_STATE_INVALID) { + printf("%sINVALID", sep); + sep = ","; + } + if (statemask & XT_STATE_BIT(IP_CT_NEW)) { + printf("%sNEW", sep); + sep = ","; + } + if (statemask & XT_STATE_BIT(IP_CT_RELATED)) { + printf("%sRELATED", sep); + sep = ","; + } + if (statemask & XT_STATE_BIT(IP_CT_ESTABLISHED)) { + printf("%sESTABLISHED", sep); + sep = ","; + } + if (statemask & XT_STATE_UNTRACKED) { + printf("%sUNTRACKED", sep); + sep = ","; + } +} + +static void +state_print(const void *ip, + const struct xt_entry_match *match, + int numeric) +{ + const struct xt_state_info *sinfo = (const void *)match->data; + + printf(" state "); + state_print_state(sinfo->statemask); +} + +static void state_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_state_info *sinfo = (const void *)match->data; + + printf(" --state "); + state_print_state(sinfo->statemask); +} + static struct xtables_match conntrack_mt_reg[] = { { .version = XTABLES_VERSION, @@ -1102,6 +1244,55 @@ static struct xtables_match conntrack_mt_reg[] = { .save = conntrack3_mt6_save, .x6_options = conntrack3_mt_opts, }, + { + .family = NFPROTO_UNSPEC, + .name = "state", + .real_name = "conntrack", + .revision = 1, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .help = state_help, + .x6_parse = state_ct1_parse, + .x6_options = state_opts, + }, + { + .family = NFPROTO_UNSPEC, + .name = "state", + .real_name = "conntrack", + .revision = 2, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .help = state_help, + .x6_parse = state_ct23_parse, + .x6_options = state_opts, + }, + { + .family = NFPROTO_UNSPEC, + .name = "state", + .real_name = "conntrack", + .revision = 3, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)), + .help = state_help, + .x6_parse = state_ct23_parse, + .x6_options = state_opts, + }, + { + .family = NFPROTO_UNSPEC, + .name = "state", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_state_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_state_info)), + .help = state_help, + .print = state_print, + .save = state_save, + .x6_parse = state_parse, + .x6_options = state_opts, + }, }; void _init(void) diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c deleted file mode 100644 index eff444c8..00000000 --- a/extensions/libxt_state.c +++ /dev/null @@ -1,137 +0,0 @@ -#include -#include -#include -#include -#include - -#ifndef XT_STATE_UNTRACKED -#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1)) -#endif - -enum { - O_STATE = 0, -}; - -static void -state_help(void) -{ - printf( -"state match options:\n" -" [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]\n" -" State(s) to match\n"); -} - -static const struct xt_option_entry state_opts[] = { - {.name = "state", .id = O_STATE, .type = XTTYPE_STRING, - .flags = XTOPT_MAND | XTOPT_INVERT}, - XTOPT_TABLEEND, -}; - -static int -state_parse_state(const char *state, size_t len, struct xt_state_info *sinfo) -{ - if (strncasecmp(state, "INVALID", len) == 0) - sinfo->statemask |= XT_STATE_INVALID; - else if (strncasecmp(state, "NEW", len) == 0) - sinfo->statemask |= XT_STATE_BIT(IP_CT_NEW); - else if (strncasecmp(state, "ESTABLISHED", len) == 0) - sinfo->statemask |= XT_STATE_BIT(IP_CT_ESTABLISHED); - else if (strncasecmp(state, "RELATED", len) == 0) - sinfo->statemask |= XT_STATE_BIT(IP_CT_RELATED); - else if (strncasecmp(state, "UNTRACKED", len) == 0) - sinfo->statemask |= XT_STATE_UNTRACKED; - else - return 0; - return 1; -} - -static void -state_parse_states(const char *arg, struct xt_state_info *sinfo) -{ - const char *comma; - - while ((comma = strchr(arg, ',')) != NULL) { - if (comma == arg || !state_parse_state(arg, comma-arg, sinfo)) - xtables_error(PARAMETER_PROBLEM, "Bad state \"%s\"", arg); - arg = comma+1; - } - if (!*arg) - xtables_error(PARAMETER_PROBLEM, "\"--state\" requires a list of " - "states with no spaces, e.g. " - "ESTABLISHED,RELATED"); - if (strlen(arg) == 0 || !state_parse_state(arg, strlen(arg), sinfo)) - xtables_error(PARAMETER_PROBLEM, "Bad state \"%s\"", arg); -} - -static void state_parse(struct xt_option_call *cb) -{ - struct xt_state_info *sinfo = cb->data; - - xtables_option_parse(cb); - state_parse_states(cb->arg, sinfo); - if (cb->invert) - sinfo->statemask = ~sinfo->statemask; -} - -static void state_print_state(unsigned int statemask) -{ - const char *sep = ""; - - if (statemask & XT_STATE_INVALID) { - printf("%sINVALID", sep); - sep = ","; - } - if (statemask & XT_STATE_BIT(IP_CT_NEW)) { - printf("%sNEW", sep); - sep = ","; - } - if (statemask & XT_STATE_BIT(IP_CT_RELATED)) { - printf("%sRELATED", sep); - sep = ","; - } - if (statemask & XT_STATE_BIT(IP_CT_ESTABLISHED)) { - printf("%sESTABLISHED", sep); - sep = ","; - } - if (statemask & XT_STATE_UNTRACKED) { - printf("%sUNTRACKED", sep); - sep = ","; - } -} - -static void -state_print(const void *ip, - const struct xt_entry_match *match, - int numeric) -{ - const struct xt_state_info *sinfo = (const void *)match->data; - - printf(" state "); - state_print_state(sinfo->statemask); -} - -static void state_save(const void *ip, const struct xt_entry_match *match) -{ - const struct xt_state_info *sinfo = (const void *)match->data; - - printf(" --state "); - state_print_state(sinfo->statemask); -} - -static struct xtables_match state_match = { - .family = NFPROTO_UNSPEC, - .name = "state", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_state_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_state_info)), - .help = state_help, - .print = state_print, - .save = state_save, - .x6_parse = state_parse, - .x6_options = state_opts, -}; - -void _init(void) -{ - xtables_register_match(&state_match); -} -- cgit v1.2.3