Move libipt_range to libxt_range.
Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
---
extensions/Makefile | 2
extensions/libipt_iprange.c | 175 -----------------------------
extensions/libipt_iprange.man | 7 -
extensions/libxt_iprange.c | 168 +++++++++++++++++++++++++++
extensions/libxt_iprange.man | 7 +
include/linux/netfilter/xt_iprange.h | 17 ++
include/linux/netfilter_ipv4/ipt_iprange.h | 8 -
7 files changed, 196 insertions(+), 188 deletions(-)
Index: iptables-modules/extensions/Makefile
===================================================================
--- iptables-modules.orig/extensions/Makefile
+++ iptables-modules/extensions/Makefile
@@ -23,7 +23,6 @@ PF_EXT_SLIB += addrtype
 PF_EXT_SLIB += ah
 PF_EXT_SLIB += ecn
 PF_EXT_SLIB += icmp
-PF_EXT_SLIB += iprange
 PF_EXT_SLIB += policy
 PF_EXT_SLIB += realm
 PF_EXT_SLIB += recent
@@ -67,6 +66,7 @@ PFX_EXT_SLIB += dscp
 PFX_EXT_SLIB += esp
 PFX_EXT_SLIB += hashlimit
 PFX_EXT_SLIB += helper
+PFX_EXT_SLIB += iprange
 PFX_EXT_SLIB += length
 PFX_EXT_SLIB += limit
 PFX_EXT_SLIB += mac
Index: iptables-modules/extensions/libipt_iprange.c
===================================================================
--- iptables-modules.orig/extensions/libipt_iprange.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/* Shared library add-on to iptables to add IP range matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_iprange.h>
-
-/* Function which prints out usage message. */
-static void iprange_help(void)
-{
- printf(
-"iprange match v%s options:\n"
-"[!] --src-range ip-ip Match source IP in the specified range\n"
-"[!] --dst-range ip-ip Match destination IP in the specified range\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static const struct option iprange_opts[] = {
- { "src-range", 1, NULL, '1' },
- { "dst-range", 1, NULL, '2' },
- { }
-};
-
-static void
-parse_iprange(char *arg, struct ipt_iprange *range)
-{
- char *dash;
- const struct in_addr *ip;
-
- dash = strchr(arg, '-');
- if (dash)
- *dash = '\0';
-
- ip = numeric_to_ipaddr(arg);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
- arg);
- range->min_ip = ip->s_addr;
-
- if (dash) {
- ip = numeric_to_ipaddr(dash+1);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
- dash+1);
- range->max_ip = ip->s_addr;
- } else
- range->max_ip = range->min_ip;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int iprange_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_iprange_info *info = (struct ipt_iprange_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IPRANGE_SRC)
- exit_error(PARAMETER_PROBLEM,
- "iprange match: Only use --src-range ONCE!");
- *flags |= IPRANGE_SRC;
-
- info->flags |= IPRANGE_SRC;
- check_inverse(optarg, &invert, &optind, 0);
- if (invert) {
- info->flags |= IPRANGE_SRC_INV;
- }
- parse_iprange(optarg, &info->src);
-
- break;
-
- case '2':
- if (*flags & IPRANGE_DST)
- exit_error(PARAMETER_PROBLEM,
- "iprange match: Only use --dst-range ONCE!");
- *flags |= IPRANGE_DST;
-
- info->flags |= IPRANGE_DST;
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- info->flags |= IPRANGE_DST_INV;
-
- parse_iprange(optarg, &info->dst);
-
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must have specified --src-range or --dst-range. */
-static void iprange_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "iprange match: You must specify `--src-range' or `--dst-range'");
-}
-
-static void
-print_iprange(const struct ipt_iprange *range)
-{
- const unsigned char *byte_min, *byte_max;
-
- byte_min = (const unsigned char *) &(range->min_ip);
- byte_max = (const unsigned char *) &(range->max_ip);
- printf("%d.%d.%d.%d-%d.%d.%d.%d ",
- byte_min[0], byte_min[1], byte_min[2], byte_min[3],
- byte_max[0], byte_max[1], byte_max[2], byte_max[3]);
-}
-
-/* Prints out the info. */
-static void iprange_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- struct ipt_iprange_info *info = (struct ipt_iprange_info *)match->data;
-
- if (info->flags & IPRANGE_SRC) {
- printf("source IP range ");
- if (info->flags & IPRANGE_SRC_INV)
- printf("! ");
- print_iprange(&info->src);
- }
- if (info->flags & IPRANGE_DST) {
- printf("destination IP range ");
- if (info->flags & IPRANGE_DST_INV)
- printf("! ");
- print_iprange(&info->dst);
- }
-}
-
-/* Saves the union ipt_info in parsable form to stdout. */
-static void iprange_save(const void *ip, const struct xt_entry_match *match)
-{
- struct ipt_iprange_info *info = (struct ipt_iprange_info *)match->data;
-
- if (info->flags & IPRANGE_SRC) {
- if (info->flags & IPRANGE_SRC_INV)
- printf("! ");
- printf("--src-range ");
- print_iprange(&info->src);
- if (info->flags & IPRANGE_DST)
- fputc(' ', stdout);
- }
- if (info->flags & IPRANGE_DST) {
- if (info->flags & IPRANGE_DST_INV)
- printf("! ");
- printf("--dst-range ");
- print_iprange(&info->dst);
- }
-}
-
-static struct iptables_match iprange_match = {
- .name = "iprange",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_iprange_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_iprange_info)),
- .help = iprange_help,
- .parse = iprange_parse,
- .final_check = iprange_check,
- .print = iprange_print,
- .save = iprange_save,
- .extra_opts = iprange_opts,
-};
-
-void _init(void)
-{
- register_match(&iprange_match);
-}
Index: iptables-modules/extensions/libipt_iprange.man
===================================================================
--- iptables-modules.orig/extensions/libipt_iprange.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This matches on a given arbitrary range of IPv4 addresses
-.TP
-.BI "[!]" "--src-range " "ip-ip"
-Match source IP in the specified range.
-.TP
-.BI "[!]" "--dst-range " "ip-ip"
-Match destination IP in the specified range.
Index: iptables-modules/extensions/libxt_iprange.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_iprange.c
@@ -0,0 +1,168 @@
+/* Shared library add-on to iptables to add IP range matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_iprange.h>
+
+static void iprange_help(void)
+{
+ printf(
+"iprange match options:\n"
+"[!] --src-range ip-ip Match source IP in the specified range\n"
+"[!] --dst-range ip-ip Match destination IP in the specified range\n"
+"\n");
+}
+
+static const struct option iprange_opts[] = {
+ {.name = "src-range", .has_arg = true, .val = '1'},
+ {.name = "dst-range", .has_arg = true, .val = '2'},
+ {},
+};
+
+static void
+parse_iprange(char *arg, struct ipt_iprange *range)
+{
+ char *dash;
+ const struct in_addr *ip;
+
+ dash = strchr(arg, '-');
+ if (dash != NULL)
+ *dash = '\0';
+
+ ip = numeric_to_ipaddr(arg);
+ if (ip != NULL)
+ exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
+ arg);
+ range->min_ip = ip->s_addr;
+
+ if (dash != NULL) {
+ ip = numeric_to_ipaddr(dash+1);
+ if (ip != NULL)
+ exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
+ dash+1);
+ range->max_ip = ip->s_addr;
+ } else {
+ range->max_ip = range->min_ip;
+ }
+}
+
+static int iprange_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_iprange_info *info = (struct ipt_iprange_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & IPRANGE_SRC)
+ exit_error(PARAMETER_PROBLEM,
+ "iprange match: Only use --src-range ONCE!");
+ *flags |= IPRANGE_SRC;
+
+ info->flags |= IPRANGE_SRC;
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ info->flags |= IPRANGE_SRC_INV;
+ parse_iprange(optarg, &info->src);
+
+ break;
+
+ case '2':
+ if (*flags & IPRANGE_DST)
+ exit_error(PARAMETER_PROBLEM,
+ "iprange match: Only use --dst-range ONCE!");
+ *flags |= IPRANGE_DST;
+
+ info->flags |= IPRANGE_DST;
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ info->flags |= IPRANGE_DST_INV;
+
+ parse_iprange(optarg, &info->dst);
+
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void iprange_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "iprange match: You must specify `--src-range' or `--dst-range'");
+}
+
+static void
+print_iprange(const struct ipt_iprange *range)
+{
+ const unsigned char *byte_min, *byte_max;
+
+ byte_min = (const unsigned char *)&range->min_ip;
+ byte_max = (const unsigned char *)&range->max_ip;
+ printf("%u.%u.%u.%u-%u.%u.%u.%u ",
+ byte_min[0], byte_min[1], byte_min[2], byte_min[3],
+ byte_max[0], byte_max[1], byte_max[2], byte_max[3]);
+}
+
+static void iprange_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_iprange_info *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ printf("source IP range ");
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ print_iprange(&info->src);
+ }
+ if (info->flags & IPRANGE_DST) {
+ printf("destination IP range ");
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ print_iprange(&info->dst);
+ }
+}
+
+static void iprange_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_iprange_info *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ printf("--src-range ");
+ print_iprange(&info->src);
+ if (info->flags & IPRANGE_DST)
+ fputc(' ', stdout);
+ }
+ if (info->flags & IPRANGE_DST) {
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("--dst-range ");
+ print_iprange(&info->dst);
+ }
+}
+
+static struct iptables_match iprange_match = {
+ .name = "iprange",
+ .version = IPTABLES_VERSION,
+ .size = IPT_ALIGN(sizeof(struct ipt_iprange_info)),
+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_iprange_info)),
+ .help = iprange_help,
+ .parse = iprange_parse,
+ .final_check = iprange_check,
+ .print = iprange_print,
+ .save = iprange_save,
+ .extra_opts = iprange_opts,
+};
+
+void _init(void)
+{
+ register_match(&iprange_match);
+}
Index: iptables-modules/extensions/libxt_iprange.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_iprange.man
@@ -0,0 +1,7 @@
+This matches on a given arbitrary range of IP addresses.
+.TP
+[\fB!\fR] \fB--src-range\fR \fIfrom\fR-\fIto\fR
+Match source IP in the specified range.
+.TP
+[\fB!\fR] \fB--dst-range\fR \fIfrom\fR-\fIto\fR
+Match destination IP in the specified range.
Index: iptables-modules/include/linux/netfilter/xt_iprange.h
===================================================================
--- /dev/null
+++ iptables-modules/include/linux/netfilter/xt_iprange.h
@@ -0,0 +1,17 @@
+#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
+#define _LINUX_NETFILTER_XT_IPRANGE_H 1
+
+enum {
+ IPRANGE_SRC = 1 << 0, /* match source IP address */
+ IPRANGE_DST = 1 << 1, /* match destination IP address */
+ IPRANGE_SRC_INV = 1 << 4, /* negate the condition */
+ IPRANGE_DST_INV = 1 << 5, /* -"- */
+};
+
+struct xt_iprange_mtinfo {
+ union nf_inet_addr src_min, src_max;
+ union nf_inet_addr dst_min, dst_max;
+ u_int8_t flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
Index: iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter_ipv4/ipt_iprange.h
+++ iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
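Review bot: Both NULL checks in parse_iprange of libxt_iprange.c are inverted: `if (ip != NULL)` now calls exit_error when numeric_to_ipaddr succeeds, and when it returns NULL the code falls through to `range->min_ip = ip->s_addr` (and later `range->max_ip = ip->s_addr`) and dereferences a null pointer, whereas the removed libipt version tested `if (!ip)`. Both occurrences should read `if (ip == NULL)`. As written every --src-range/--dst-range argument is rejected with "Bad IP address", and a malformed address crashes the rule parser instead of producing that diagnostic. Separately, the file still includes `<linux/netfilter_ipv4/ipt_iprange.h>` and registers `struct ipt_iprange_info` through `struct iptables_match`/IPT_ALIGN even though the Makefile now lists it under PFX_EXT_SLIB and the new xt_iprange.h introduces `struct xt_iprange_mtinfo`; presumably the protocol-independent version is a follow-up, but a one-line comment at the top of the file saying so would keep the libxt_ name from being read as an IPv6-capable match.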
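Review bot: `struct xt_iprange_mtinfo` in the new xt_iprange.h uses `union nf_inet_addr` and `u_int8_t` but the header includes nothing, so it only compiles if the including file has already pulled in the header that declares that union (`<linux/netfilter.h>` in the kernel tree) and `<sys/types.h>`; the ipt_iprange.h hunk now includes xt_iprange.h right after `<linux/types.h>`, which presumably provides neither. I would add `#include <linux/netfilter.h>` before the enum, assuming the userspace copy of that header in this tree already carries `union nf_inet_addr`; otherwise that copy needs to be synced first. Nothing in this patch consumes xt_iprange_mtinfo yet (libxt_iprange.c still parses into struct ipt_iprange_info), which is worth stating in a comment above the struct so the two layouts are not confused.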
@@ -1,14 +1,12 @@
 #ifndef _IPT_IPRANGE_H
 #define _IPT_IPRANGE_H
 
-#define IPRANGE_SRC 0x01 /* Match source IP address */
-#define IPRANGE_DST 0x02 /* Match destination IP address */
-#define IPRANGE_SRC_INV 0x10 /* Negate the condition */
-#define IPRANGE_DST_INV 0x20 /* Negate the condition */
+#include <linux/types.h>
+#include <linux/netfilter/xt_iprange.h>
 
 struct ipt_iprange {
 /* Inclusive: network order. */
- u_int32_t min_ip, max_ip;
+ __be32 min_ip, max_ip;
 };
 
 struct ipt_iprange_info
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html