From b4af04be14560b3fcc6cf23200148d408014a2f5 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 3 Dec 2010 20:15:35 +0100 Subject: include: update files with headers from Linux 2.6.37-rc1 Also includes the type change to __u{8,16,32} kernel types already. --- extensions/libxt_SECMARK.c | 8 ++++---- extensions/libxt_time.c | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'extensions') diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c index 9e231eee..7bf4ff08 100644 --- a/extensions/libxt_SECMARK.c +++ b/extensions/libxt_SECMARK.c @@ -40,13 +40,13 @@ static int SECMARK_parse(int c, char **argv, int invert, unsigned int *flags, "Can't specify --selctx twice"); info->mode = SECMARK_MODE_SEL; - if (strlen(optarg) > SECMARK_SELCTX_MAX-1) + if (strlen(optarg) > SECMARK_SECCTX_MAX-1) xtables_error(PARAMETER_PROBLEM, PFX "Maximum length %u exceeded by --selctx" " parameter (%zu)", - SECMARK_SELCTX_MAX-1, strlen(optarg)); + SECMARK_SECCTX_MAX-1, strlen(optarg)); - strcpy(info->u.sel.selctx, optarg); + strcpy(info->secctx, optarg); *flags |= SECMARK_MODE_SEL; break; default: @@ -66,7 +66,7 @@ static void print_secmark(const struct xt_secmark_target_info *info) { switch (info->mode) { case SECMARK_MODE_SEL: - printf("selctx %s ", info->u.sel.selctx);\ + printf("selctx %s ", info->secctx); break; default: diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c index 9f12266b..5462d930 100644 --- a/extensions/libxt_time.c +++ b/extensions/libxt_time.c @@ -20,6 +20,7 @@ #include #include +#include #include #include -- cgit v1.2.3 From 9e152fa9f1283ce4f4274cf251b2b2e69bbdfee6 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 3 Dec 2010 22:08:32 +0100 Subject: TPROXY: add support for revision 1 Signed-off-by: Jan Engelhardt --- extensions/libxt_TPROXY.c | 193 +++++++++++++++++++++++++++++++++++++++------- 1 file changed, 165 insertions(+), 28 deletions(-) (limited to 'extensions') 
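Review bot: In the --selctx branch of SECMARK_parse, `strlen(optarg)` is evaluated twice on the new side (the bound check and the error message) and a third time implicitly by `strcpy`, so the bound and the copy do not visibly share one length. Compute it once and copy with that length: `size_t len = strlen(optarg);`, `if (len > SECMARK_SECCTX_MAX-1) xtables_error(PARAMETER_PROBLEM, PFX "Maximum length %u exceeded by --selctx parameter (%zu)", SECMARK_SECCTX_MAX-1, len);`, `memcpy(info->secctx, optarg, len + 1);`. The guard keeps the copy inside `secctx` as long as xtables_error does not return, so this is a readability point rather than a bounds problem. SECMARK_parse begins before the hunk and its switch continues after it.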
diff --git a/extensions/libxt_TPROXY.c b/extensions/libxt_TPROXY.c index cd0b50a6..26419f5d 100644 --- a/extensions/libxt_TPROXY.c +++ b/extensions/libxt_TPROXY.c @@ -5,6 +5,7 @@ */ #include #include +#include #include #include #include @@ -36,27 +37,39 @@ static void tproxy_tg_help(void) " --tproxy-mark value[/mask] Mark packets with the given value/mask\n\n"); } -static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info) +static void parse_tproxy_lport(const char *s, uint16_t *portp) { unsigned int lport; if (xtables_strtoui(s, NULL, &lport, 0, UINT16_MAX)) - info->lport = htons(lport); + *portp = htons(lport); else xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-port", s); } -static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info) +static void parse_tproxy_laddr(const char *s, union nf_inet_addr *addrp, + unsigned int nfproto) { - struct in_addr *laddr; + struct in6_addr *laddr6 = NULL; + struct in_addr *laddr4 = NULL; - if ((laddr = xtables_numeric_to_ipaddr(s)) == NULL) - xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s); - - info->laddr = laddr->s_addr; + if (nfproto == NFPROTO_IPV6) { + laddr6 = xtables_numeric_to_ip6addr(s); + if (laddr6 == NULL) + goto out; + addrp->in6 = *laddr6; + } else if (nfproto == NFPROTO_IPV4) { + laddr4 = xtables_numeric_to_ipaddr(s); + if (laddr4 == NULL) + goto out; + addrp->in = *laddr4; + } + return; + out: + xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s); } -static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info) +static void parse_tproxy_mark(char *s, uint32_t *markp, uint32_t *maskp) { unsigned int value, mask = UINT32_MAX; char *end; 
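Review bot: `parse_tproxy_laddr` returns silently without writing `*addrp` when `nfproto` is neither NFPROTO_IPV6 nor NFPROTO_IPV4, whereas the removed version always either stored the address or called xtables_param_act. Both callers in this commit pass a fixed family, so nothing breaks today, but the no-op path would leave --on-ip unset with no diagnostic for any other caller; make the last branch explicit, `} else { goto out; }`, so an unsupported family reports the same bad-value error. With that in place the `= NULL` initialisers on `laddr6`/`laddr4` are no longer needed, since each is assigned before use inside its own branch.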
@@ -69,32 +82,32 @@ static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info) if (*end != '\0') xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s); - info->mark_mask = mask; - info->mark_value = value; + *markp = value; + *maskp = mask; } static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_target **target) { - struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data; + struct xt_tproxy_target_info *info = (void *)(*target)->data; switch (c) { case '1': xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT); xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert); - parse_tproxy_lport(optarg, tproxyinfo); + parse_tproxy_lport(optarg, &info->lport); *flags |= PARAM_ONPORT; return 1; case '2': xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP); xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert); - parse_tproxy_laddr(optarg, tproxyinfo); + parse_tproxy_laddr(optarg, (void *)&info->laddr, NFPROTO_IPV4); *flags |= PARAM_ONIP; return 1; case '3': xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK); xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert); - parse_tproxy_mark(optarg, tproxyinfo); + parse_tproxy_mark(optarg, &info->mark_value, &info->mark_mask); *flags |= PARAM_MARK; return 1; } 
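Review bot: `parse_tproxy_laddr(optarg, (void *)&info->laddr, NFPROTO_IPV4)` hands the revision-0 `laddr` field to a function that expects a `union nf_inet_addr *`, but the removed line `info->laddr = laddr->s_addr` shows that field holds a single IPv4 address, not the full union; the write stays in bounds only because the family is hard-coded to IPv4 at this call site, and the `(void *)` cast keeps the compiler from saying so. Fill a local union and copy the scalar out instead: `union nf_inet_addr laddr = {0};`, `parse_tproxy_laddr(optarg, &laddr, NFPROTO_IPV4);`, `info->laddr = laddr.in.s_addr;`. tproxy_tg_parse's body continues past the end of the hunk.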
@@ -102,6 +115,49 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags, return 0; } +static int +tproxy_tg_parse1(int c, char **argv, int invert, unsigned int *flags, + struct xt_tproxy_target_info_v1 *info, unsigned int nfproto) +{ + switch (c) { + case '1': + xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT); + xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert); + parse_tproxy_lport(optarg, &info->lport); + *flags |= PARAM_ONPORT; + return true; + case '2': + xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP); + xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert); + parse_tproxy_laddr(optarg, (void *)&info->laddr, nfproto); + *flags |= PARAM_ONIP; + return true; + case '3': + xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK); + xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert); + parse_tproxy_mark(optarg, &info->mark_value, &info->mark_mask); + *flags |= PARAM_MARK; + return true; + } + return false; +} + +static int +tproxy_tg_parse4(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_tproxy_target_info_v1 *info = (void *)(*target)->data; + return tproxy_tg_parse1(c, argv, invert, flags, info, NFPROTO_IPV4); +} + +static int +tproxy_tg_parse6(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_tproxy_target_info_v1 *info = (void *)(*target)->data; + return tproxy_tg_parse1(c, argv, invert, flags, info, NFPROTO_IPV6); +} + static void tproxy_tg_check(unsigned int flags) { if (!(flags & PARAM_ONPORT)) 
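Review bot: `tproxy_tg_parse1` returns `true`/`false` from a function declared `int`, while `tproxy_tg_parse` in the preceding hunk returns `1`/`0` for the same contract; the file should settle on one form. `tproxy_tg_parse4`/`tproxy_tg_parse6` ignore `entry` and `argv` exactly as the revision-0 parser does, so that part is consistent. A one-line comment on `tproxy_tg_parse1` would spare the next reader a comparison against the revision-0 switch: `/* Revision-1 parser shared by the IPv4 and IPv6 registrations; nfproto only selects how --on-ip is parsed. */`.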
@@ -119,6 +175,32 @@ static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target (unsigned int)info->mark_mask); } +static void +tproxy_tg_print4(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_tproxy_target_info_v1 *info = + (const void *)target->data; + + printf("TPROXY redirect %s:%u mark 0x%x/0x%x", + xtables_ipaddr_to_numeric(&info->laddr.in), + ntohs(info->lport), (unsigned int)info->mark_value, + (unsigned int)info->mark_mask); +} + +static void +tproxy_tg_print6(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_tproxy_target_info_v1 *info = + (const void *)target->data; + + printf("TPROXY redirect %s:%u mark 0x%x/0x%x", + xtables_ip6addr_to_numeric(&info->laddr.in6), + ntohs(info->lport), (unsigned int)info->mark_value, + (unsigned int)info->mark_mask); +} + static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target) { const struct xt_tproxy_target_info *info = (const void *)target->data; 
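Review bot: `tproxy_tg_print4` and `tproxy_tg_print6` are identical apart from the address formatter, and `tproxy_tg_save4`/`tproxy_tg_save6` in the next hunk repeat the pattern, so the same format string and `ntohs`/cast sequence now exist in several copies that must be kept in step by hand. A helper that receives the already-rendered address string removes the duplication for the print pair without changing output, and the save pair can be reduced the same way. Both new functions accept `ip` and `numeric` without using them, which matches the existing revision-0 `tproxy_tg_print`.
```c
/* Shared body of the revision-1 print callbacks; addr is the --on-ip
 * address already rendered for the registered family. */
static void
tproxy_tg_print1(const struct xt_tproxy_target_info_v1 *info, const char *addr)
{
	printf("TPROXY redirect %s:%u mark 0x%x/0x%x", addr,
	       ntohs(info->lport), (unsigned int)info->mark_value,
	       (unsigned int)info->mark_mask);
}

static void
tproxy_tg_print4(const void *ip, const struct xt_entry_target *target,
		 int numeric)
{
	const struct xt_tproxy_target_info_v1 *info = (const void *)target->data;

	tproxy_tg_print1(info, xtables_ipaddr_to_numeric(&info->laddr.in));
}

/* … tproxy_tg_print6: as tproxy_tg_print4, with xtables_ip6addr_to_numeric(&info->laddr.in6) … */
```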
@@ -130,21 +212,76 @@ static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target) (unsigned int)info->mark_value, (unsigned int)info->mark_mask); } -static struct xtables_target tproxy_tg_reg = { - .name = "TPROXY", - .family = NFPROTO_IPV4, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), - .help = tproxy_tg_help, - .parse = tproxy_tg_parse, - .final_check = tproxy_tg_check, - .print = tproxy_tg_print, - .save = tproxy_tg_save, - .extra_opts = tproxy_tg_opts, +static void +tproxy_tg_save4(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_tproxy_target_info_v1 *info; + + info = (const void *)target->data; + printf("--on-port %u ", ntohs(info->lport)); + printf("--on-ip %s ", xtables_ipaddr_to_numeric(&info->laddr.in)); + printf("--tproxy-mark 0x%x/0x%x ", + (unsigned int)info->mark_value, (unsigned int)info->mark_mask); +} + +static void +tproxy_tg_save6(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_tproxy_target_info_v1 *info; + + info = (const void *)target->data; + printf("--on-port %u ", ntohs(info->lport)); + printf("--on-ip %s ", xtables_ip6addr_to_numeric(&info->laddr.in6)); + printf("--tproxy-mark 0x%x/0x%x ", + (unsigned int)info->mark_value, (unsigned int)info->mark_mask); +} + +static struct xtables_target tproxy_tg_reg[] = { + { + .name = "TPROXY", + .revision = 0, + .family = NFPROTO_IPV4, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), + .help = tproxy_tg_help, + .parse = tproxy_tg_parse, + .final_check = tproxy_tg_check, + .print = tproxy_tg_print, + .save = tproxy_tg_save, + .extra_opts = tproxy_tg_opts, + }, + { + .name = "TPROXY", + .revision = 1, + .family = NFPROTO_IPV4, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), + 
.userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), + .help = tproxy_tg_help, + .parse = tproxy_tg_parse4, + .final_check = tproxy_tg_check, + .print = tproxy_tg_print4, + .save = tproxy_tg_save4, + .extra_opts = tproxy_tg_opts, + }, + { + .name = "TPROXY", + .revision = 1, + .family = NFPROTO_IPV6, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), + .help = tproxy_tg_help, + .parse = tproxy_tg_parse6, + .final_check = tproxy_tg_check, + .print = tproxy_tg_print6, + .save = tproxy_tg_save6, + .extra_opts = tproxy_tg_opts, + }, }; void _init(void) { - xtables_register_target(&tproxy_tg_reg); + xtables_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg)); } -- cgit v1.2.3 From 4d2a77ff8cb4115925477cd5ce0ea972494107ab Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 3 Dec 2010 22:55:34 +0100 Subject: socket: add support for revision 1 Signed-off-by: Jan Engelhardt --- extensions/libxt_socket.c | 76 ++++++++++++++++++++++++++++++++++++++++----- extensions/libxt_socket.man | 3 ++ 2 files changed, 72 insertions(+), 7 deletions(-) (limited to 'extensions') diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c index 1490473b..e4dff78b 100644 --- a/extensions/libxt_socket.c +++ b/extensions/libxt_socket.c 
@@ -3,17 +3,79 @@ * * Copyright (C) 2007 BalaBit IT Ltd. */ +#include +#include +#include #include +#include -static struct xtables_match socket_mt_reg = { - .name = "socket", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), +static const struct option socket_mt_opts[] = { + {.name = "transparent", .has_arg = false, .val = 't'}, + XT_GETOPT_TABLEEND, +}; + +static void socket_mt_help(void) +{ + printf( + "socket match options:\n" + " --transparent Ignore non-transparent sockets\n\n"); +} + +static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_socket_mtinfo1 *info = (void *)(*match)->data; + + switch (c) { + case 't': + info->flags |= XT_SOCKET_TRANSPARENT; + return true; + } + return false; +} + +static void +socket_mt_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_socket_mtinfo1 *info = (const void *)match->data; + + if (info->flags & XT_SOCKET_TRANSPARENT) + printf("--transparent "); +} + +static void +socket_mt_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + printf("socket "); + socket_mt_save(ip, match); +} + +static struct xtables_match socket_mt_reg[] = { + { + .name = "socket", + .revision = 0, + .family = NFPROTO_IPV4, + .version = XTABLES_VERSION, + .size = XT_ALIGN(0), + .userspacesize = XT_ALIGN(0), + }, + { + .name = "socket", + .revision = 1, + .family = NFPROTO_UNSPEC, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), + .help = socket_mt_help, + .parse = socket_mt_parse, + .print = socket_mt_print, + .save = socket_mt_save, + .extra_opts = socket_mt_opts, + }, }; void _init(void) { - xtables_register_match(&socket_mt_reg); + xtables_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg)); } 
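Review bot: `socket_mt_parse` never looks at `invert`, so `! --transparent` is accepted and behaves exactly like `--transparent`; the TPROXY parser in this same series rejects inversion with xtables_param_act, and the same one-liner belongs at the top of `case 't'`: `xtables_param_act(XTF_NO_INVERT, "socket", "--transparent", invert);`. Repeating the option is harmless because the flag is OR-ed into `info->flags`, so an XTF_ONLY_ONCE check is optional. The revision-0 entry keeps no `.help`/`.parse`, which is consistent with its `XT_ALIGN(0)` size, and `socket_mt_print` reusing `socket_mt_save` keeps the two outputs from drifting.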
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man index 50c88542..41e8d674 100644 --- a/extensions/libxt_socket.man +++ b/extensions/libxt_socket.man @@ -1,2 +1,5 @@ This matches if an open socket can be found by doing a socket lookup on the packet. +.TP +\fB\-\-transparent\fP +Ignore non-transparent sockets. -- cgit v1.2.3 From d4105ad56335058af4b0b1be1278e01f5c0bd4ac Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 4 Dec 2010 02:53:20 +0100 Subject: build: fix globbing of extensions in other locales In the fi_FI locale, [a-z] would not include 'w', for example. Rectify this by using [[:alnum:]] (to counter against different ordering) and forcing the POSIX locale (so that the alphabet has at least the 26 base characters). Signed-off-by: Jan Engelhardt --- extensions/GNUmakefile.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'extensions') diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index 709366a1..7c479018 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -155,8 +155,8 @@ initext6.c: .initext6.dd # # Manual pages # -ex_matches = $(sort $(shell echo $(1) | grep -Eo '\b[a-z0-9]+\b')) -ex_targets = $(sort $(shell echo $(1) | grep -Eo '\b[A-Z0-9]+\b')) +ex_matches = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]]+\b')) +ex_targets = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]]+\b')) man_run = \ ${AM_VERBOSE_GEN} \ for ext in $(1); do \ -- cgit v1.2.3 From f3578faae096f191a44742777275a23b566d7566 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 6 Dec 2010 13:32:58 +0100 Subject: libxt_owner: output numeric IDs when save is requested References: http://bugzilla.netfilter.org/show_bug.cgi?id=683 Signed-off-by: Jan Engelhardt --- extensions/libxt_owner.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'extensions') 
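Review bot: After this change `ex_matches` and `ex_targets` use the same pattern, so the two macros return identical results for any input; the removed lines told matches (`[a-z0-9]`) and targets (`[A-Z0-9]`) apart by case, and that distinction is lost unless every caller already passes a pre-separated list, which this hunk does not show. With `LC_ALL=POSIX` forced, the POSIX classes keep the case split while still avoiding the locale-collation problem the commit fixes: `ex_matches = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:lower:][:digit:]]+\b'))` and `ex_targets = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:upper:][:digit:]]+\b'))`.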
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c index 4015f137..867ed499 100644 --- a/extensions/libxt_owner.c +++ b/extensions/libxt_owner.c @@ -558,9 +558,9 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match) { const struct xt_owner_match_info *info = (void *)match->data; - owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, false); - owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, false); - owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, false); + owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, true); + owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, true); + owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, true); } static struct xtables_match owner_mt_reg[] = { -- cgit v1.2.3 From a3f101331deb9314caa0cfa1061c925865e79380 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 11 Dec 2010 03:35:48 +0100 Subject: build: stop on error in subcommand make only evaluates $? of an entire shell invocation. As such, if any command in the chain can fail, $? needs to be thrown, and early so. Signed-off-by: Jan Engelhardt --- extensions/GNUmakefile.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'extensions') diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index 7c479018..74a058c1 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -165,14 +165,14 @@ man_run = \ if [ -f "$$f" ] && grep -Eq "$(3)|NFPROTO_UNSPEC" "$$cf"; then \ echo -e "\t+ $$f" >&2; \ echo ".SS $$ext"; \ - cat "$$f"; \ + cat "$$f" || exit $$?; \ continue; \ fi; \ f="${srcdir}/lib$(2)t_$$ext.man"; \ if [ -f "$$f" ]; then \ echo -e "\t+ $$f" >&2; \ echo ".SS $$ext"; \ - cat "$$f"; \ + cat "$$f" || exit $$?; \ continue; \ fi; \ done >$@; -- cgit v1.2.3
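Review bot: The three `owner_mt_print_item` calls in `owner_mt_save` now pass `true` as the last argument, and nothing in the hunk records what that flag means or why the save path differs from print; a short comment above the calls keeps the intent from being reverted by the next cleanup, e.g. `/* Always emit numeric IDs: saved rules must restore on a host whose passwd/group names differ (netfilter bug 683). */`. The meaning of the flag is inferred from the commit subject rather than visible here, so confirm it is the numeric switch before wording the comment.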
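Review bot: The `|| exit $$?` added after both `cat "$$f"` lines stops the loop, but the loop's output is redirected by `done >$@;`, so the target has already been created and partially written when the shell exits; on the next run make sees a fresh `$@` and will not rebuild it unless `.DELETE_ON_ERROR` is declared elsewhere in the makefile, which this hunk does not show. Either add `.DELETE_ON_ERROR:` once at file scope or write to a temporary and rename it after the loop, `done >$@.tmp && mv $@.tmp $@;`. The `echo` calls stay unchecked, which is acceptable since they only fail when the output itself is gone. man_run's definition starts before the hunk.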