From 524518261009f3f81febfdd8398becc4a80cc941 Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Sun, 27 Aug 2000 07:47:46 +0000 Subject: Patch-o-matic! now included. --- extensions/.ULOG-test | 2 + extensions/.ah-esp-test | 3 + extensions/.pool-test | 2 + extensions/Makefile | 13 +++- extensions/libipt_POOL.c | 151 +++++++++++++++++++++++++++++++++++++ extensions/libipt_ah.c | 191 +++++++++++++++++++++++++++++++++++++++++++++++ extensions/libipt_esp.c | 191 +++++++++++++++++++++++++++++++++++++++++++++++ extensions/libipt_pool.c | 143 +++++++++++++++++++++++++++++++++++ 8 files changed, 695 insertions(+), 1 deletion(-) create mode 100755 extensions/.ULOG-test create mode 100755 extensions/.ah-esp-test create mode 100755 extensions/.pool-test create mode 100644 extensions/libipt_POOL.c create mode 100644 extensions/libipt_ah.c create mode 100644 extensions/libipt_esp.c create mode 100644 extensions/libipt_pool.c (limited to 'extensions') diff --git a/extensions/.ULOG-test b/extensions/.ULOG-test new file mode 100755 index 00000000..7ca85237 --- /dev/null +++ b/extensions/.ULOG-test @@ -0,0 +1,2 @@ +#! /bin/sh +[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ULOG.h ] && echo ULOG diff --git a/extensions/.ah-esp-test b/extensions/.ah-esp-test new file mode 100755 index 00000000..f8b779c9 --- /dev/null +++ b/extensions/.ah-esp-test @@ -0,0 +1,3 @@ +#! /bin/sh +# True if ah is applied. +[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ah.h ] && echo ah esp diff --git a/extensions/.pool-test b/extensions/.pool-test new file mode 100755 index 00000000..54d04bfb --- /dev/null +++ b/extensions/.pool-test @@ -0,0 +1,2 @@ +#! /bin/sh +[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ip_pool.h ] && echo pool POOL diff --git a/extensions/Makefile b/extensions/Makefile index 2110df54..2817ce24 100644 --- a/extensions/Makefile +++ b/extensions/Makefile @@ -1,7 +1,18 @@ #! /usr/bin/make -PF_EXT_SLIB:=tcp udp icmp mac limit standard REJECT LOG unclean state multiport tos TOS mark MARK owner SNAT DNAT MASQUERADE REDIRECT #ULOG +PF_EXT_SLIB:=tcp udp icmp mac limit standard REJECT LOG unclean state multiport tos TOS mark MARK owner SNAT DNAT MASQUERADE REDIRECT MIRROR PF6_EXT_SLIB:=tcp udp icmp standard + +# Optionals +PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) +PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) + +PF_EXT_SLIB+=$(PF_EXT_SLIB_OPTS) +PF6_EXT_SLIB+=$(PF6_EXT_SLIB_OPTS) + +OPTIONALS+=$(patsubst %,IPv4:%,$(PF_EXT_SLIB_OPTS)) +OPTIONALS+=$(patsubst %,IPv6:%,$(PF6_EXT_SLIB_OPTS)) + SHARED_LIBS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).so) SHARED_LIBS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).so) EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so) diff --git a/extensions/libipt_POOL.c b/extensions/libipt_POOL.c new file mode 100644 index 00000000..12d9572d --- /dev/null +++ b/extensions/libipt_POOL.c @@ -0,0 +1,151 @@ +/* Shared library add-on to iptables to add IP pool mangling target. */ +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include + +/* FIXME --RR */ +#include "../ippool/libippool.c" + +/* Function which prints out usage message. */ +static void +help(void) +{ + printf( +"POOL v%s options:\n" +" --add-srcip \n" +" --del-srcip \n" +" --add-dstip \n" +" --del-dstip \n" +" add/del src/dst IP from pool.\n\n", +NETFILTER_VERSION); +} + +static struct option opts[] = { + { "add-srcip", 1, 0, '1' }, + { "del-srcip", 1, 0, '2' }, + { "add-dstip", 1, 0, '3' }, + { "del-dstip", 1, 0, '4' }, + { 0 } +}; + +/* Initialize the target. */ +static void +init(struct ipt_entry_target *target, unsigned int *nfcache) +{ + struct ipt_pool_info *ipi = (struct ipt_pool_info *) target->data; + + ipi->src = ipi->dst = IP_POOL_NONE; + ipi->flags = 0; + + /* Can't cache this */ + *nfcache |= NFC_UNKNOWN; +} + +/* Function which parses command options; returns true if it + ate an option */ +static int +parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, + struct ipt_entry_target **target) +{ + struct ipt_pool_info *ipi = (struct ipt_pool_info *) (*target)->data; + switch (c) { + case '1': /* --add-srcip */ + ipi->src = ip_pool_get_index(optarg); + ipi->flags &= ~IPT_POOL_DEL_SRC; + break; + case '2': /* --del-srcip */ + ipi->src = ip_pool_get_index(optarg); + ipi->flags |= IPT_POOL_DEL_SRC; + break; + case '3': /* --add-dstip */ + ipi->dst = ip_pool_get_index(optarg); + ipi->flags &= ~IPT_POOL_DEL_DST; + break; + case '4': /* --del-dstip */ + ipi->dst = ip_pool_get_index(optarg); + ipi->flags |= IPT_POOL_DEL_DST; + break; + default: + return 0; + } + return 1; +} + +/* Final check; don't care. */ +static void final_check(unsigned int flags) +{ +} + +/* Prints out the targinfo. */ +static void +print(const struct ipt_ip *ip, + const struct ipt_entry_target *target, + int numeric) +{ + char buf[256]; + struct ipt_pool_info *ipi = (struct ipt_pool_info *) target->data; + + printf("POOL"); + if (ipi->src != IP_POOL_NONE) { + printf(" --%s-srcip %s", + (ipi->flags & IPT_POOL_DEL_SRC) ? "del" : "add", + ip_pool_get_name(buf, sizeof(buf), ipi->src, numeric)); + } + if (ipi->dst != IP_POOL_NONE) { + printf(" --%s-dstip %s", + (ipi->flags & IPT_POOL_DEL_DST) ? "del" : "add", + ip_pool_get_name(buf, sizeof(buf), ipi->dst, numeric)); + } +} + +/* Saves the union ipt_targinfo in parsable form to stdout. */ +static void +save(const struct ipt_ip *ip, const struct ipt_entry_target *target) +{ + char buf[256]; + struct ipt_pool_info *ipi = (struct ipt_pool_info *) target->data; + + printf("-j POOL"); + if (ipi->src != IP_POOL_NONE) { + printf(" --%s-srcip %s", + (ipi->flags & IPT_POOL_DEL_SRC) ? "del" : "add", + ip_pool_get_name(buf, sizeof(buf), ipi->src, 0)); + } + if (ipi->dst != IP_POOL_NONE) { + printf(" --%s-dstip %s", + (ipi->flags & IPT_POOL_DEL_DST) ? "del" : "add", + ip_pool_get_name(buf, sizeof(buf), ipi->dst, 0)); + } +} + +struct iptables_target ipt_pool_target += { NULL, + "POOL", + NETFILTER_VERSION, + IPT_ALIGN(sizeof(struct ipt_pool_info)), + IPT_ALIGN(sizeof(struct ipt_pool_info)), + &help, + &init, + &parse, + &final_check, + &print, + &save, + opts +}; + +void _init(void) +{ + register_target(&ipt_pool_target); +} diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c new file mode 100644 index 00000000..e779fa53 --- /dev/null +++ b/extensions/libipt_ah.c @@ -0,0 +1,191 @@ +/* Shared library add-on to iptables to add AH support. */ +#include +#include +#include +#include +#include +#include +#include +#include + +/* Function which prints out usage message. */ +static void +help(void) +{ + printf( +"AH v%s options:\n" +" --ahspi [!] spi[:spi]\n" +" match spi (range)\n", +NETFILTER_VERSION); +} + +static struct option opts[] = { + { "ahspi", 1, 0, '1' }, + {0} +}; + +static u_int32_t +parse_ah_spi(const char *spistr) +{ + unsigned long int spi; + char* ep; + + spi = strtoul(spistr,&ep,0) ; + + if ( spistr == ep ) { + exit_error(PARAMETER_PROBLEM, + "AH no valid digits in spi `%s'", spistr); + } + if ( spi == ULONG_MAX && errno == ERANGE ) { + exit_error(PARAMETER_PROBLEM, + "spi `%s' specified too big: would overflow", spistr); + } + if ( *spistr != '\0' && *ep != '\0' ) { + exit_error(PARAMETER_PROBLEM, + "AH error parsing spi `%s'", spistr); + } + return (u_int32_t) spi; +} + +static void +parse_ah_spis(const char *spistring, u_int32_t *spis) +{ + char *buffer; + char *cp; + + buffer = strdup(spistring); + if ((cp = strchr(buffer, ':')) == NULL) + spis[0] = spis[1] = parse_ah_spi(buffer); + else { + *cp = '\0'; + cp++; + + spis[0] = buffer[0] ? parse_ah_spi(buffer) : 0; + spis[1] = cp[0] ? parse_ah_spi(cp) : 0xFFFFFFFF; + } + free(buffer); +} + +/* Initialize the match. */ +static void +init(struct ipt_entry_match *m, unsigned int *nfcache) +{ + struct ipt_ah *ahinfo = (struct ipt_ah *)m->data; + + ahinfo->spis[1] = 0xFFFFFFFF; +} + +#define AH_SPI 0x01 + +/* Function which parses command options; returns true if it + ate an option */ +static int +parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, + unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct ipt_ah *ahinfo = (struct ipt_ah *)(*match)->data; + + switch (c) { + case '1': + if (*flags & AH_SPI) + exit_error(PARAMETER_PROBLEM, + "Only one `--spi' allowed"); + if (check_inverse(optarg, &invert)) + optind++; + parse_ah_spis(argv[optind-1], ahinfo->spis); + if (invert) + ahinfo->invflags |= IPT_AH_INV_SPI; + *flags |= AH_SPI; + break; + default: + return 0; + } + + return 1; +} + +/* Final check; we don't care. */ +static void +final_check(unsigned int flags) +{ +} + +static void +print_spis(const char *name, u_int32_t min, u_int32_t max, + int invert) +{ + const char *inv = invert ? "!" : ""; + + if (min != 0 || max != 0xFFFFFFFF || invert) { + printf("%s", name); + if (min == max) { + printf(":%s", inv); + printf("%u", min); + } else { + printf("s:%s", inv); + printf("%u",min); + printf(":"); + printf("%u",max); + } + printf(" "); + } +} + +/* Prints out the union ipt_matchinfo. */ +static void +print(const struct ipt_ip *ip, + const struct ipt_entry_match *match, int numeric) +{ + const struct ipt_ah *ah = (struct ipt_ah *)match->data; + + printf("ah "); + print_spis("spi", ah->spis[0], ah->spis[1], + ah->invflags & IPT_AH_INV_SPI); + if (ah->invflags & ~IPT_AH_INV_MASK) + printf("Unknown invflags: 0x%X ", + ah->invflags & ~IPT_AH_INV_MASK); +} + +/* Saves the union ipt_matchinfo in parsable form to stdout. */ +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +{ + const struct ipt_ah *ahinfo = (struct ipt_ah *)match->data; + + if (ahinfo->spis[0] != 0 + && ahinfo->spis[1] != 0xFFFFFFFF) { + if (ahinfo->invflags & IPT_AH_INV_SPI) + printf("! "); + if (ahinfo->spis[0] + != ahinfo->spis[1]) + printf("--spi %u-%u ", + ahinfo->spis[0], + ahinfo->spis[1]); + else + printf("--spi %u ", + ahinfo->spis[0]); + } + +} + +struct iptables_match ah += { NULL, + "ah", + NETFILTER_VERSION, + IPT_ALIGN(sizeof(struct ipt_ah)), + IPT_ALIGN(sizeof(struct ipt_ah)), + &help, + &init, + &parse, + &final_check, + &print, + &save, + opts +}; + +void +_init(void) +{ + register_match(&ah); +} diff --git a/extensions/libipt_esp.c b/extensions/libipt_esp.c new file mode 100644 index 00000000..d60c2a65 --- /dev/null +++ b/extensions/libipt_esp.c @@ -0,0 +1,191 @@ +/* Shared library add-on to iptables to add ESP support. */ +#include +#include +#include +#include +#include +#include +#include +#include + +/* Function which prints out usage message. */ +static void +help(void) +{ + printf( +"ESP v%s options:\n" +" --espspi [!] spi[:spi]\n" +" match spi (range)\n", +NETFILTER_VERSION); +} + +static struct option opts[] = { + { "espspi", 1, 0, '1' }, + {0} +}; + +static u_int32_t +parse_esp_spi(const char *spistr) +{ + unsigned long int spi; + char* ep; + + spi = strtoul(spistr,&ep,0) ; + + if ( spistr == ep ) { + exit_error(PARAMETER_PROBLEM, + "ESP no valid digits in spi `%s'", spistr); + } + if ( spi == ULONG_MAX && errno == ERANGE ) { + exit_error(PARAMETER_PROBLEM, + "spi `%s' specified too big: would overflow", spistr); + } + if ( *spistr != '\0' && *ep != '\0' ) { + exit_error(PARAMETER_PROBLEM, + "ESP error parsing spi `%s'", spistr); + } + return (u_int32_t) spi; +} + +static void +parse_esp_spis(const char *spistring, u_int32_t *spis) +{ + char *buffer; + char *cp; + + buffer = strdup(spistring); + if ((cp = strchr(buffer, ':')) == NULL) + spis[0] = spis[1] = parse_esp_spi(buffer); + else { + *cp = '\0'; + cp++; + + spis[0] = buffer[0] ? parse_esp_spi(buffer) : 0; + spis[1] = cp[0] ? parse_esp_spi(cp) : 0xFFFFFFFF; + } + free(buffer); +} + +/* Initialize the match. */ +static void +init(struct ipt_entry_match *m, unsigned int *nfcache) +{ + struct ipt_esp *espinfo = (struct ipt_esp *)m->data; + + espinfo->spis[1] = 0xFFFFFFFF; +} + +#define ESP_SPI 0x01 + +/* Function which parses command options; returns true if it + ate an option */ +static int +parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, + unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct ipt_esp *espinfo = (struct ipt_esp *)(*match)->data; + + switch (c) { + case '1': + if (*flags & ESP_SPI) + exit_error(PARAMETER_PROBLEM, + "Only one `--spi' allowed"); + if (check_inverse(optarg, &invert)) + optind++; + parse_esp_spis(argv[optind-1], espinfo->spis); + if (invert) + espinfo->invflags |= IPT_ESP_INV_SPI; + *flags |= ESP_SPI; + break; + default: + return 0; + } + + return 1; +} + +/* Final check; we don't care. */ +static void +final_check(unsigned int flags) +{ +} + +static void +print_spis(const char *name, u_int32_t min, u_int32_t max, + int invert) +{ + const char *inv = invert ? "!" : ""; + + if (min != 0 || max != 0xFFFFFFFF || invert) { + printf("%s", name); + if (min == max) { + printf(":%s", inv); + printf("%u", min); + } else { + printf("s:%s", inv); + printf("%u",min); + printf(":"); + printf("%u",max); + } + printf(" "); + } +} + +/* Prints out the union ipt_matchinfo. */ +static void +print(const struct ipt_ip *ip, + const struct ipt_entry_match *match, int numeric) +{ + const struct ipt_esp *esp = (struct ipt_esp *)match->data; + + printf("esp "); + print_spis("spi", esp->spis[0], esp->spis[1], + esp->invflags & IPT_ESP_INV_SPI); + if (esp->invflags & ~IPT_ESP_INV_MASK) + printf("Unknown invflags: 0x%X ", + esp->invflags & ~IPT_ESP_INV_MASK); +} + +/* Saves the union ipt_matchinfo in parsable form to stdout. */ +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +{ + const struct ipt_esp *espinfo = (struct ipt_esp *)match->data; + + if (espinfo->spis[0] != 0 + && espinfo->spis[1] != 0xFFFFFFFF) { + if (espinfo->invflags & IPT_ESP_INV_SPI) + printf("! "); + if (espinfo->spis[0] + != espinfo->spis[1]) + printf("--spi %u-%u ", + espinfo->spis[0], + espinfo->spis[1]); + else + printf("--spi %u ", + espinfo->spis[0]); + } + +} + +struct iptables_match esp += { NULL, + "esp", + NETFILTER_VERSION, + IPT_ALIGN(sizeof(struct ipt_esp)), + IPT_ALIGN(sizeof(struct ipt_esp)), + &help, + &init, + &parse, + &final_check, + &print, + &save, + opts +}; + +void +_init(void) +{ + register_match(&esp); +} diff --git a/extensions/libipt_pool.c b/extensions/libipt_pool.c new file mode 100644 index 00000000..23e2922d --- /dev/null +++ b/extensions/libipt_pool.c @@ -0,0 +1,143 @@ +/* Shared library add-on to iptables to add IP address pool matching. */ +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +#include + +/* FIXME --RR */ +#include "../ippool/libippool.c" + +/* Function which prints out usage message. */ +static void +help(void) +{ + printf( +"pool v%s options:\n" +" [!] --srcpool NAME|INDEX\n" +" [!] --dstpool NAME|INDEX\n" +" Pool index (or name from %s) to match\n" +"\n", NETFILTER_VERSION, IPPOOL_CONF); +} + +static struct option opts[] = { + { "srcpool", 1, 0, '1' }, + { "dstpool", 1, 0, '2' }, + {0} +}; + +/* Initialize the match. */ +static void +init(struct ipt_entry_match *match, unsigned int *nfcache) +{ + struct ipt_pool_info *info = + (struct ipt_pool_info *)match->data; + + info->src = IP_POOL_NONE; + info->dst = IP_POOL_NONE; + info->flags = 0; + /* Can't cache this - XXX */ + *nfcache |= NFC_UNKNOWN; +} + +/* Function which parses command options; returns true if it ate an option */ +static int +parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, + unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct ipt_pool_info *info = + (struct ipt_pool_info *)(*match)->data; + + switch (c) { + case '1': + if (check_inverse(optarg, &invert)) optind++; + info->src = ip_pool_get_index(argv[optind-1]); + if (invert) info->flags |= IPT_POOL_INV_SRC; + *flags = 1; + break; + case '2': + if (check_inverse(optarg, &invert)) optind++; + info->dst = ip_pool_get_index(argv[optind-1]); + if (invert) info->flags |= IPT_POOL_INV_DST; + *flags = 1; + break; + + default: + return 0; + } + + return 1; +} + +/* Final check; must have specified --srcpool or --dstpool. */ +static void final_check(unsigned int flags) +{ + if (!flags) + exit_error(PARAMETER_PROBLEM, "You must specify either `--srcpool or --dstpool'"); +} + +/* Prints out the matchinfo. */ +static void +print(const struct ipt_ip *ip, + const struct ipt_entry_match *match, + int numeric) +{ + char buf[256]; + struct ipt_pool_info *info = + (struct ipt_pool_info *)match->data; + + if (info->src != IP_POOL_NONE) + printf("%ssrcpool %s ", + (info->flags & IPT_POOL_INV_SRC) ? "!" : "", + ip_pool_get_name(buf, sizeof(buf), info->src, 0)); + if (info->dst != IP_POOL_NONE) + printf("%sdstpool %s ", + (info->flags & IPT_POOL_INV_DST) ? "!" : "", + ip_pool_get_name(buf, sizeof(buf), info->dst, 0)); +} + +/* Saves the matchinfo in parsable form to stdout. */ +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +{ + char buf[256]; + struct ipt_pool_info *info = + (struct ipt_pool_info *)match->data; + + if (info->src != IP_POOL_NONE) + printf("%s--srcpool %s", + (info->flags & IPT_POOL_INV_SRC) ? "! " : "", + ip_pool_get_name(buf, sizeof(buf), info->src, 0)); + if (info->dst != IP_POOL_NONE) + printf("%s--dstpool %s", + (info->flags & IPT_POOL_INV_DST) ? "! " : "", + ip_pool_get_name(buf, sizeof(buf), info->dst, 0)); +} + +struct iptables_match pool += { NULL, + "pool", + NETFILTER_VERSION, + IPT_ALIGN(sizeof(struct ipt_pool_info)), + IPT_ALIGN(sizeof(struct ipt_pool_info)), + &help, + &init, + &parse, + &final_check, + &print, + &save, + opts +}; + +void _init(void) +{ + register_match(&pool); +} -- cgit v1.2.3