Import libxt_gateway into iptables
Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
Cc: <azez@xxxxxxxxxxxxxxx>
---
 extensions/Makefile | 2
 extensions/libxt_gateway.c | 161 +++++++++++++++++++++++++++++++++++
 extensions/libxt_gateway.man | 9 +
 include/linux/netfilter/xt_gateway.h | 19 ++++
 4 files changed, 190 insertions(+), 1 deletion(-)
Index: iptables-modules/extensions/Makefile
===================================================================
--- iptables-modules.orig/extensions/Makefile
+++ iptables-modules/extensions/Makefile
@@ -7,7 +7,7 @@
 #
 PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
 PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh policy rt HL LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport owner physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TEE TCPOPTSTRIP TRACE
+PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp gateway hashlimit helper length limit mac mark multiport owner physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TEE TCPOPTSTRIP TRACE
 PF_EXT_SELINUX_SLIB:=
 PF6_EXT_SELINUX_SLIB:=
Index: iptables-modules/extensions/libxt_gateway.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_gateway.c
@@ -0,0 +1,161 @@
+/*
+ * Shared library add-on to iptables to add gateway IP address matching support.
+ * Based on iprange.
+ * Copyright (C) UFO Mechanic <azez@xxxxxxxxxxxxxxx>
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
+ */
+#include <sys/types.h>
+#include <getopt.h>
+#include <netdb.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <iptables.h>
+#include <linux/netfilter/xt_gateway.h>
+
+enum {
+ FLAG_GATEWAY = 1 << 0,
+ FLAG_NEXTHOP = 1 << 1,
+};
+
+static const struct option gateway_mt_opts[] = {
+ {.name = "gateway", .has_arg = true, .val = 'g'},
+ {.name = "nexthop", .has_arg = true, .val = 'n'},
+ {},
+};
+
+static void gateway_mt_help(void)
+{
+ printf(
+ "gateway match v%s options:\n"
+ "[!] --gateway ip Match IP address of routed gateway\n"
+ "[!] --nexthop ip Match IP address of next hop\n"
+ "\n",
+ IPTABLES_VERSION);
+}
+
+static int gateway_mt_parse(int c, char **argv, int invert,
+ unsigned int *flags, const void *entry,
+ struct xt_entry_match **match)
+{
+ struct xt_gateway_match_info *info = (void *)(*match)->data;
+ struct in_addr *ip;
+
+ switch (c) {
+ case 'g':
+ if (*flags & FLAG_GATEWAY)
+ exit_error(PARAMETER_PROBLEM, "gateway match: Cannot"
+ "specify --gateway more than once");
+ if (*flags & FLAG_NEXTHOP)
+ exit_error(PARAMETER_PROBLEM, "gateway match: You "
+ "cannot specify both --gateway and "
+ "--nexthop");
+
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ info->flags |= XT_GATEWAY_INVERT;
+
+ ip = dotted_to_addr(optarg);
+ if (ip == NULL)
+ exit_error(PARAMETER_PROBLEM, "gateway match: Bad IP "
+ "address \"%s\"\n", optarg);
+
+ info->gateway_v4 = ip->s_addr;
+ info->flags |= XT_GATEWAY_ROUTE;
+ *flags |= FLAG_GATEWAY;
+ return true;
+
+ case 'n':
+ if (*flags & FLAG_NEXTHOP)
+ exit_error(PARAMETER_PROBLEM, "gateway match: Cannot"
+ "specify --nexthop more than once");
+ if (*flags & FLAG_GATEWAY)
+ exit_error(PARAMETER_PROBLEM, "gateway match: You "
+ "cannot specify both --gateway and "
+ "--nexthop");
+
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ info->flags |= XT_GATEWAY_INVERT;
+
+ ip = dotted_to_addr(optarg);
+ if (ip == NULL)
+ exit_error(PARAMETER_PROBLEM, "gateway match: Bad IP "
+ "address \"%s|'\n", optarg);
+
+ info->gateway_v4 = ip->s_addr;
+ info->flags &= ~XT_GATEWAY_ROUTE;
+ *flags |= FLAG_NEXTHOP;
+ return true;
+ }
+
+ return false;
+}
+
+static void gateway_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM, "gateway match: --gateway or "
+ "--nexthop parameter required");
+}
+
+static void
+gateway_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_gateway_match_info *info = (const void *)match->data;
+ struct in_addr a;
+
+ a.s_addr = info->gateway_v4;
+
+ if (info->flags & XT_GATEWAY_ROUTE)
+ printf("gateway ");
+ else
+ printf("nexthop ");
+
+ if (info->flags & XT_GATEWAY_INVERT)
+ printf("! ");
+
+ printf("%s", addr_to_dotted(&a));
+}
+
+static void gateway_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_gateway_match_info *info = (const void *)match->data;
+ struct in_addr a;
+
+ a.s_addr = info->gateway_v4;
+
+ if (info->flags & XT_GATEWAY_INVERT)
+ printf("! ");
+
+ if (info->flags & XT_GATEWAY_ROUTE)
+ printf("--gateway ");
+ else
+ printf("--nexthop ");
+
+ printf("%s ", addr_to_dotted(&a));
+}
+
+static struct xtables_match gateway_mt_reg = {
+ .name = "gateway",
+ .family = AF_INET,
+ .version = IPTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_gateway_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_gateway_match_info)),
+ .help = gateway_mt_help,
+ .parse = gateway_mt_parse,
+ .final_check = gateway_mt_check,
+ .print = gateway_mt_print,
+ .save = gateway_mt_save,
+ .extra_opts = gateway_mt_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&gateway_mt_reg);
+}
Index: iptables-modules/extensions/libxt_gateway.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_gateway.man
@@ -0,0 +1,9 @@
+This matches the gateway by IP address on routed packets. It does not mach
+packets that are not routed, or which are directly addresses to the gateway.
+.TP
+[\fB!\fR] \fB--gateway\fR \fIaddress\fR
+Matches if the packet is routed to a gateway with the specified IP address.
+.TP
+[\fB!\fR] \fB--nexthop\fR \fIaddress\fR
+Matches if the packet is being directed to the specified IP address
+either directly or as a route.
Index: iptables-modules/include/linux/netfilter/xt_gateway.h
===================================================================
--- /dev/null
+++ iptables-modules/include/linux/netfilter/xt_gateway.h
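Review bot: The duplicate-option errors in gateway_mt_parse are built from adjacent literals with no separating space, `"gateway match: Cannot" "specify --gateway more than once"`, so the user sees "Cannotspecify"; the same defect is in the `--nexthop` branch, whose bad-address message also reads `"address \"%s|'\n"` where the `--gateway` branch has `"address \"%s\"\n"`. Change them to `"gateway match: Cannot "` (trailing space) in both branches and `"address \"%s\"\n"` in the nexthop one. The two cases are otherwise identical apart from which FLAG_* bit they test and whether XT_GATEWAY_ROUTE is set or cleared, so a single path that records the chosen option in a local and branches only for those two lines would keep the messages from drifting apart again. Note that info->flags is only ever OR-ed and AND-ed here and never initialised, so the INVERT bit being correct presumably depends on the match data arriving zeroed from the caller; worth confirming against the allocation path.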
@@ -0,0 +1,19 @@
+#ifndef _XT_GATEWAY_H
+#define _XT_GATEWAY_H
+
+enum {
+ /* Negate the condition */
+ XT_GATEWAY_INVERT = 1 << 0,
+ /* and the gateway is not the final hop */
+ XT_GATEWAY_ROUTE = 1 << 1,
+};
+
+struct xt_gateway_match_info {
+ union {
+ __be32 gateway_v4;
+ __be32 gateway_v6[4];
+ };
+ u_int8_t flags;
+};
+
+#endif /* _XT_GATEWAY_H */
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
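Review bot: The header uses `__be32` and `u_int8_t` but includes nothing, so it only compiles when the includer has already pulled in `<linux/types.h>` and `<sys/types.h>`; as a structure shared between the kernel module and userspace it should `#include <linux/types.h>` itself and use the kernel type `__u8 flags;` rather than the libc name. The `gateway_v6[4]` union member is never written by libxt_gateway.c in this series (the match registers with `.family = AF_INET` and only stores `gateway_v4`), so it should either be dropped or carry a comment saying it reserves space for an IPv6 variant, and because the union makes the struct 20 bytes with 3 bytes of tail padding, the userspace side must zero the whole match area before it is copied to the kernel. The comment on XT_GATEWAY_ROUTE, `/* and the gateway is not the final hop */`, reads as a fragment of the previous comment; `/* Match the routed gateway (--gateway) rather than the next hop (--nexthop) */` states what the parser actually sets.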