NF [PATCH 4/4] xt_gateway


 



Netfilter: Import xt_gateway


Originally from <azez@xxxxxxxxxxxxxxx>,
http://lists.netfilter.org/pipermail/netfilter-devel/2007-June/027954.html

This adds a gateway match to iptables that lets you match against the
routed IPv4 gateway; it is very useful for SNAT if you want to avoid
replicating your routing in your SNAT table.

e.g.

	iptables -t nat -A POSTROUTING -m gateway --nexthop \
		172.16.1.1 -j SNAT --to-address 172.16.1.5
	iptables -t nat -A POSTROUTING -m gateway --nexthop \
		192.168.1.1 -j SNAT --to-address 192.168.1.25

to help you choose the right SNAT address.

It works by comparing the to-be-matched gateway IP address with the
key in the neighbor table of the next-hop (the key is the layer 3
address).

	--gateway 1.2.3.4

only matches if the packet is destined to 1.2.3.4 as a ROUTE, i.e.
1.2.3.4 is not also the target address.

	--nexthop 1.2.3.4

matches if the next hop is specified as 1.2.3.4 either as a gateway or
as a final destination.

It cannot do magic, and match on non-routed aliases of routers, it only
matches the targeted IP address from which the layer 2 address has been
(or will be) actually derived.


Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
Cc: <azez@xxxxxxxxxxxxxxx>

---
 include/linux/netfilter/xt_gateway.h |   19 ++++++++
 net/netfilter/Kconfig                |    9 +++
 net/netfilter/Makefile               |    1 
 net/netfilter/xt_gateway.c           |   83 +++++++++++++++++++++++++++++++++++
 4 files changed, 112 insertions(+)

Index: linux-2.6/include/linux/netfilter/xt_gateway.h
===================================================================
--- /dev/null
+++ linux-2.6/include/linux/netfilter/xt_gateway.h
@@ -0,0 +1,19 @@
+#ifndef _XT_GATEWAY_H
+#define _XT_GATEWAY_H
+
+enum {
+	/* Negate the condition */
+	XT_GATEWAY_INVERT = 1 << 0,
+	/* and the gateway is not the final hop */
+	XT_GATEWAY_ROUTE  = 1 << 1,
+};
+
+struct xt_gateway_match_info {
+	union {
+		__be32 gateway_v4;
+		__be32 gateway_v6[4];
+	};
+	u_int8_t flags;
+};
+
+#endif /* _XT_GATEWAY_H */
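Review bot: The anonymous union inside `struct xt_gateway_match_info` is a GNU/C11 feature, and this header is installed for userspace (the iptables extension has to build the same struct), so older userspace compilers in strict mode will reject it; naming the union, e.g. `union { ... } u;` with `info->u.gateway_v4` in the match, or dropping `gateway_v6` altogether since the match registers with `.family = AF_INET` only, avoids that. Keeping an unused 16-byte `gateway_v6` member also fixes the on-the-wire match size at a layout the IPv4 code never uses, which is hard to change later without an ABI revision. The enum comments could also state the user-visible meaning directly, e.g. `/* XT_GATEWAY_ROUTE: match only when the gateway is a router, not the final destination (--gateway) */`.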
Index: linux-2.6/net/netfilter/Kconfig
===================================================================
--- linux-2.6.orig/net/netfilter/Kconfig
+++ linux-2.6/net/netfilter/Kconfig
@@ -519,6 +519,15 @@ config NETFILTER_XT_MATCH_ESP
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_MATCH_GATEWAY
+	tristate '"gateway" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	This option makes possible to match the IP address of the
+	routed gateway for routed packets.
+
+	To compile it as a module, choose M here. If unsure, say N.
+
 config NETFILTER_XT_MATCH_HELPER
 	tristate '"helper" match support'
 	depends on NETFILTER_XTABLES
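Review bot: The help text reads "This option makes possible to match the IP address of the routed gateway for routed packets", which is ungrammatical; suggest `This option makes it possible to match on the IP address of the next-hop gateway used to route a packet.` so it also mentions the --nexthop form the commit message describes.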
Index: linux-2.6/net/netfilter/Makefile
===================================================================
--- linux-2.6.orig/net/netfilter/Makefile
+++ linux-2.6/net/netfilter/Makefile
@@ -61,6 +61,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC
 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_GATEWAY) += xt_gateway.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
Index: linux-2.6/net/netfilter/xt_gateway.c
===================================================================
--- /dev/null
+++ linux-2.6/net/netfilter/xt_gateway.c
@@ -0,0 +1,83 @@
+/*
+ * netfilter module to match nexthop router by IP address
+ *
+ * (C) 2007 UFO Mechanic <azez@xxxxxxxxxxxxxxx>
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
+ *
+ *   to save time and bugs, based on ip_range by
+ *   (C) 2003 Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/ip.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/types.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_gateway.h>
+#include <net/dst.h>
+#include <net/neighbour.h>
+
+static bool gateway_match_it(const struct sk_buff *skb,
+                             const struct xt_gateway_match_info *info)
+{
+	const struct iphdr *iph;
+	const struct dst_entry *dst;
+	const struct neighbour *neigh;
+	const struct neigh_table *tbl;
+
+	dst = skb->dst;
+	if ((neigh = dst->neighbour) == NULL)
+		return false;
+	tbl = neigh->tbl;
+	if (memcmp(&info->gateway_v4, &neigh->primary_key, tbl->key_len) != 0)
+		return false;
+	if (!(info->flags & XT_GATEWAY_ROUTE))
+		return true;
+	iph = ip_hdr(skb);
+	if (iph->daddr != info->gateway_v4)
+		return true;
+
+	return false;
+}
+
+static bool gateway_mt(const struct sk_buff *skb, const struct net_device *in,
+                       const struct net_device *out,
+                       const struct xt_match *match, const void *matchinfo,
+                       int offset, unsigned int protoff, bool *hotdrop)
+{
+	const struct xt_gateway_match_info *info = matchinfo;
+
+	return !!(info->flags & XT_GATEWAY_INVERT) ^
+	       gateway_match_it(skb, info);
+}
+
+static struct xt_match gateway_mt_reg __read_mostly = {
+	.name      = "gateway",
+	.family    = AF_INET,
+	.hooks     = (1 << NF_INET_FORWARD) | (1 << NF_INET_LOCAL_OUT) |
+	             (1 << NF_INET_POST_ROUTING),
+	.match     = gateway_mt,
+	.matchsize = sizeof(struct xt_gateway_match_info),
+	.me        = THIS_MODULE,
+};
+
+static int __init gateway_mt_init(void)
+{
+	return xt_register_match(&gateway_mt_reg);
+}
+
+static void __exit gateway_mt_exit(void)
+{
+	xt_unregister_match(&gateway_mt_reg);
+}
+
+module_init(gateway_mt_init);
+module_exit(gateway_mt_exit);
+MODULE_AUTHOR("Sam Liddicott <azez@xxxxxxxxxxxxxxx>");
+MODULE_DESCRIPTION("netfilter nexthop/gateway match module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_gateway");
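Review bot: `gateway_match_it` dereferences `dst` without checking it, and the following `memcmp` uses `tbl->key_len` as the length while the left operand is the 4-byte `info->gateway_v4`; a neighbour table whose key is longer than 4 bytes would silently compare trailing bytes of the union (or, if the layout changes, read past it). Since the match is registered for AF_INET only, it is cheaper and clearer to check the length explicitly: `if (dst == NULL || (neigh = dst->neighbour) == NULL)` and `if (tbl->key_len != sizeof(info->gateway_v4) || memcmp(&info->gateway_v4, neigh->primary_key, sizeof(info->gateway_v4)) != 0)`. Whether `skb->dst` can be NULL in the three registered hooks depends on the routing path, so the NULL check is defensive rather than a known crash. There is also no `.checkentry`, so unknown bits in `info->flags` coming from userspace are accepted and ignored; rejecting `flags & ~(XT_GATEWAY_INVERT | XT_GATEWAY_ROUTE)` in a checkentry keeps those bits free for future use and matches what other xt matches do.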