+++ /dev/null
-Date: Thu, 21 Oct 2010 17:19:22 +0200
-From: KOVACS Krisztian <hidden@balabit.hu>
-Subject: [PATCH 1/2] tproxy: add IPv6 support for socket match
-
-This patch also adds userspace support for the --transparent mode
-of matching, which the kernel already supports, but the iptables userspace
-doesn't.
-
-Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>
-Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
----
- extensions/libxt_socket.c | 103 ++++++++++++++++++++++++++++++++---
- extensions/libxt_socket.man | 6 ++
- include/linux/netfilter/xt_socket.h | 12 ++++
- 3 files changed, 112 insertions(+), 9 deletions(-)
- create mode 100644 include/linux/netfilter/xt_socket.h
-
-diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
-index 1490473..5705466 100644
---- a/extensions/libxt_socket.c
-+++ b/extensions/libxt_socket.c
-@@ -1,19 +1,106 @@
- /*
- * Shared library add-on to iptables to add early socket matching support.
- *
-- * Copyright (C) 2007 BalaBit IT Ltd.
-+ * Copyright (C) 2007, 2009 BalaBit IT Ltd.
- */
-+#include <stdio.h>
-+#include <getopt.h>
- #include <xtables.h>
-+#include <linux/netfilter/xt_socket.h>
-
--static struct xtables_match socket_mt_reg = {
-- .name = "socket",
-- .version = XTABLES_VERSION,
-- .family = NFPROTO_IPV4,
-- .size = XT_ALIGN(0),
-- .userspacesize = XT_ALIGN(0),
-+static void socket_mt_help_v0(void)
-+{
-+ printf("socket match has no options.\n\n");
-+}
-+
-+static void socket_mt_help_v1(void)
-+{
-+ printf("socket match options:\n"
-+"--transparent Matches only if the socket's transparent option is set\n");
-+}
-+
-+static const struct option socket_opts_v1[] = {
-+ { "transparent", 0, NULL, '1' },
-+ { }
-+};
-+
-+static int socket_mt_parse_v0(int c, char **argv, int invert,
-+ unsigned int *flags, const void *entry,
-+ struct xt_entry_match **match)
-+{
-+ return 0;
-+}
-+
-+static int socket_mt_parse_v1(int c, char **argv, int invert,
-+ unsigned int *flags, const void *entry,
-+ struct xt_entry_match **match)
-+{
-+ struct xt_socket_mtinfo1 *info = (void *) (*match)->data;
-+
-+ switch (c) {
-+ case '1':
-+ if (*flags)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify multiple --transparent");
-+ info->flags |= XT_SOCKET_TRANSPARENT;
-+ *flags = 1;
-+ break;
-+ default:
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static void socket_mt_check(unsigned int flags)
-+{
-+}
-+
-+static void socket_mt_print_v1(const void *ip,
-+ const struct xt_entry_match *match,
-+ int numeric)
-+{
-+ const struct xt_socket_mtinfo1 *info = (const void *)match->data;
-+ printf("socket ");
-+ if (info->flags & XT_SOCKET_TRANSPARENT)
-+ printf("transparent ");
-+}
-+
-+static void socket_mt_save_v1(const void *ip,
-+ const struct xt_entry_match *match)
-+{
-+ const struct xt_socket_mtinfo1 *info = (const void *)match->data;
-+
-+ if (info->flags & XT_SOCKET_TRANSPARENT)
-+ printf("--transparent ");
-+}
-+
-+static struct xtables_match socket_matches[] = {
-+ {
-+ .name = "socket",
-+ .revision = 0,
-+ .version = XTABLES_VERSION,
-+ .family = NFPROTO_IPV4,
-+ .parse = socket_mt_parse_v0,
-+ .final_check = socket_mt_check,
-+ .help = socket_mt_help_v0,
-+ },
-+ {
-+ .name = "socket",
-+ .version = XTABLES_VERSION,
-+ .revision = 1,
-+ .family = NFPROTO_UNSPEC,
-+ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
-+ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
-+ .parse = socket_mt_parse_v1,
-+ .print = socket_mt_print_v1,
-+ .save = socket_mt_save_v1,
-+ .final_check = socket_mt_check,
-+ .help = socket_mt_help_v1,
-+ .extra_opts = socket_opts_v1,
-+ }
- };
-
- void _init(void)
- {
-- xtables_register_match(&socket_mt_reg);
-+ xtables_register_matches(socket_matches, ARRAY_SIZE(socket_matches));
- }
-diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
-index 50c8854..edc9d75 100644
---- a/extensions/libxt_socket.man
-+++ b/extensions/libxt_socket.man
-@@ -1,2 +1,6 @@
- This matches if an open socket can be found by doing a socket lookup on the
--packet.
-+packet which doesn\'t listen on the \'any\' IP address (0.0.0.0).
-+.TP
-+.BI "\-\-transparent"
-+Enables additional check, that the actual socket's transparent socket option
-+has to be set.
-diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
-new file mode 100644
-index 0000000..6f475b8
---- /dev/null
-+++ b/include/linux/netfilter/xt_socket.h
-@@ -0,0 +1,12 @@
-+#ifndef _XT_SOCKET_H
-+#define _XT_SOCKET_H
-+
-+enum {
-+ XT_SOCKET_TRANSPARENT = 1 << 0,
-+};
-+
-+struct xt_socket_mtinfo1 {
-+ __u8 flags;
-+};
-+
-+#endif /* _XT_SOCKET_H */
-
-
-Date: Thu, 21 Oct 2010 17:19:22 +0200
-From: KOVACS Krisztian <hidden@balabit.hu>
-Subject: [PATCH 2/2] tproxy: add IPv6 support to the TPROXY target
-
-Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>
-Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
----
- extensions/libxt_TPROXY.c | 213 +++++++++++++++++++++++++++++------
- include/linux/netfilter/xt_TPROXY.h | 7 +
- 2 files changed, 183 insertions(+), 37 deletions(-)
-
-diff --git a/extensions/libxt_TPROXY.c b/extensions/libxt_TPROXY.c
-index cd0b50a..74d122c 100644
---- a/extensions/libxt_TPROXY.c
-+++ b/extensions/libxt_TPROXY.c
-@@ -1,7 +1,7 @@
- /*
- * Shared library add-on to iptables to add TPROXY target support.
- *
-- * Copyright (C) 2002-2008 BalaBit IT Ltd.
-+ * Copyright (C) 2002-2009 BalaBit IT Ltd.
- */
- #include <getopt.h>
- #include <stdbool.h>
-@@ -15,8 +15,8 @@
- #include <linux/netfilter/xt_TPROXY.h>
-
- static const struct option tproxy_tg_opts[] = {
-- {.name = "on-port", .has_arg = true, .val = '1'},
-- {.name = "on-ip", .has_arg = true, .val = '2'},
-+ {.name = "on-port", .has_arg = true, .val = '1'},
-+ {.name = "on-ip", .has_arg = true, .val = '2'},
- {.name = "tproxy-mark", .has_arg = true, .val = '3'},
- XT_GETOPT_TABLEEND,
- };
-@@ -36,44 +36,64 @@ static void tproxy_tg_help(void)
- " --tproxy-mark value[/mask] Mark packets with the given value/mask\n\n");
- }
-
--static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info)
-+static void parse_tproxy_lport(const char *s, unsigned short *lport)
- {
-- unsigned int lport;
-+ unsigned int value;
-
-- if (xtables_strtoui(s, NULL, &lport, 0, UINT16_MAX))
-- info->lport = htons(lport);
-+ if (xtables_strtoui(s, NULL, &value, 0, UINT16_MAX))
-+ *lport = htons(value);
- else
- xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-port", s);
- }
-
--static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info)
-+static void parse_tproxy_laddr_v0(const char *s, __be32 *laddr)
- {
-- struct in_addr *laddr;
-+ struct in_addr *ina;
-
-- if ((laddr = xtables_numeric_to_ipaddr(s)) == NULL)
-+ if ((ina = xtables_numeric_to_ipaddr(s)) == NULL)
- xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
-
-- info->laddr = laddr->s_addr;
-+ *laddr = ina->s_addr;
- }
-
--static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
-+static void parse_tproxy_laddr(const char *s, int family, union nf_inet_addr *laddr)
-+{
-+
-+ if (family == NFPROTO_IPV6) {
-+ struct in6_addr *addr6;
-+
-+ if ((addr6 = xtables_numeric_to_ip6addr(s))) {
-+ laddr->in6 = *addr6;
-+ } else {
-+ xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
-+ }
-+ } else {
-+ struct in_addr *addr;
-+
-+ if ((addr = xtables_numeric_to_ipaddr(s))) {
-+ laddr->in = *addr;
-+ } else {
-+ xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
-+ }
-+
-+ }
-+}
-+
-+static void parse_tproxy_mark(char *s, unsigned int *value, unsigned int *mask)
- {
-- unsigned int value, mask = UINT32_MAX;
- char *end;
-
-- if (!xtables_strtoui(s, &end, &value, 0, UINT32_MAX))
-+ *mask = UINT32_MAX;
-+ if (!xtables_strtoui(s, &end, value, 0, UINT32_MAX))
- xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
- if (*end == '/')
-- if (!xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX))
-+ if (!xtables_strtoui(end + 1, &end, mask, 0, UINT32_MAX))
- xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
- if (*end != '\0')
- xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
--
-- info->mark_mask = mask;
-- info->mark_value = value;
- }
-
--static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
-+static int tproxy_tg_parse_v0(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_target **target)
- {
- struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data;
-@@ -82,19 +102,19 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
- case '1':
- xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
- xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
-- parse_tproxy_lport(optarg, tproxyinfo);
-+ parse_tproxy_lport(optarg, &tproxyinfo->lport);
- *flags |= PARAM_ONPORT;
- return 1;
- case '2':
- xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
- xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
-- parse_tproxy_laddr(optarg, tproxyinfo);
-+ parse_tproxy_laddr_v0(optarg, &tproxyinfo->laddr);
- *flags |= PARAM_ONIP;
- return 1;
- case '3':
- xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
- xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
-- parse_tproxy_mark(optarg, tproxyinfo);
-+ parse_tproxy_mark(optarg, &tproxyinfo->mark_value, &tproxyinfo->mark_mask);
- *flags |= PARAM_MARK;
- return 1;
- }
-@@ -102,6 +122,47 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
- return 0;
- }
-
-+static int tproxy_tg_parse_v1(int family, int c, char **argv, int invert, unsigned int *flags,
-+ const void *entry, struct xt_entry_target **target)
-+{
-+ struct xt_tproxy_target_info_v1 *tproxyinfo = (void *)(*target)->data;
-+
-+ switch (c) {
-+ case '1':
-+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
-+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
-+ parse_tproxy_lport(optarg, &tproxyinfo->lport);
-+ *flags |= PARAM_ONPORT;
-+ return 1;
-+ case '2':
-+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
-+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
-+ parse_tproxy_laddr(optarg, family, &tproxyinfo->laddr);
-+ *flags |= PARAM_ONIP;
-+ return 1;
-+ case '3':
-+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
-+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
-+ parse_tproxy_mark(optarg, &tproxyinfo->mark_value, &tproxyinfo->mark_mask);
-+ *flags |= PARAM_MARK;
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+static int tproxy_tg_parse4_v1(int c, char **argv, int invert, unsigned int *flags,
-+ const void *entry, struct xt_entry_target **target)
-+{
-+ return tproxy_tg_parse_v1(NFPROTO_IPV4, c, argv, invert, flags, entry, target);
-+}
-+
-+static int tproxy_tg_parse6_v1(int c, char **argv, int invert, unsigned int *flags,
-+ const void *entry, struct xt_entry_target **target)
-+{
-+ return tproxy_tg_parse_v1(NFPROTO_IPV6, c, argv, invert, flags, entry, target);
-+}
-+
- static void tproxy_tg_check(unsigned int flags)
- {
- if (!(flags & PARAM_ONPORT))
-@@ -109,7 +170,7 @@ static void tproxy_tg_check(unsigned int flags)
- "TPROXY target: Parameter --on-port is required");
- }
-
--static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target,
-+static void tproxy_tg_print_v0(const void *ip, const struct xt_entry_target *target,
- int numeric)
- {
- const struct xt_tproxy_target_info *info = (const void *)target->data;
-@@ -119,7 +180,31 @@ static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target
- (unsigned int)info->mark_mask);
- }
-
--static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
-+static void tproxy_tg_print_v1(int family, const void *ip, const struct xt_entry_target *target,
-+ int numeric)
-+{
-+ const struct xt_tproxy_target_info_v1 *info = (const void *)target->data;
-+ printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
-+ family == AF_INET
-+ ? xtables_ipaddr_to_numeric(&info->laddr.in)
-+ : xtables_ip6addr_to_numeric(&info->laddr.in6),
-+ ntohs(info->lport), (unsigned int)info->mark_value,
-+ (unsigned int)info->mark_mask);
-+}
-+
-+static void tproxy_tg_print4_v1(const void *ip, const struct xt_entry_target *target,
-+ int numeric)
-+{
-+ return tproxy_tg_print_v1(NFPROTO_IPV4, ip, target, numeric);
-+}
-+
-+static void tproxy_tg_print6_v1(const void *ip, const struct xt_entry_target *target,
-+ int numeric)
-+{
-+ return tproxy_tg_print_v1(NFPROTO_IPV6, ip, target, numeric);
-+}
-+
-+static void tproxy_tg_save_v0(const void *ip, const struct xt_entry_target *target)
- {
- const struct xt_tproxy_target_info *info = (const void *)target->data;
-
-@@ -130,21 +215,75 @@ static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
- (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
- }
-
--static struct xtables_target tproxy_tg_reg = {
-- .name = "TPROXY",
-- .family = NFPROTO_IPV4,
-- .version = XTABLES_VERSION,
-- .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
-- .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
-- .help = tproxy_tg_help,
-- .parse = tproxy_tg_parse,
-- .final_check = tproxy_tg_check,
-- .print = tproxy_tg_print,
-- .save = tproxy_tg_save,
-- .extra_opts = tproxy_tg_opts,
-+static void tproxy_tg_save_v1(int family, const void *ip, const struct xt_entry_target *target)
-+{
-+ const struct xt_tproxy_target_info_v1 *info = (const void *)target->data;
-+
-+ printf("--on-port %u ", ntohs(info->lport));
-+ printf("--on-ip %s ",
-+ family == AF_INET
-+ ? xtables_ipaddr_to_numeric(&info->laddr.in)
-+ : xtables_ip6addr_to_numeric(&info->laddr.in6));
-+ printf("--tproxy-mark 0x%x/0x%x ",
-+ (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
-+}
-+
-+static void tproxy_tg_save4_v1(const void *ip, const struct xt_entry_target *target)
-+{
-+ return tproxy_tg_save_v1(NFPROTO_IPV4, ip, target);
-+}
-+
-+static void tproxy_tg_save6_v1(const void *ip, const struct xt_entry_target *target)
-+{
-+ return tproxy_tg_save_v1(NFPROTO_IPV6, ip, target);
-+}
-+
-+
-+static struct xtables_target tproxy_tg_reg[] = {
-+ {
-+ .name = "TPROXY",
-+ .family = NFPROTO_IPV4,
-+ .version = XTABLES_VERSION,
-+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
-+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
-+ .help = tproxy_tg_help,
-+ .parse = tproxy_tg_parse_v0,
-+ .final_check = tproxy_tg_check,
-+ .print = tproxy_tg_print_v0,
-+ .save = tproxy_tg_save_v0,
-+ .extra_opts = tproxy_tg_opts,
-+ },
-+ {
-+ .name = "TPROXY",
-+ .family = NFPROTO_IPV4,
-+ .version = XTABLES_VERSION,
-+ .revision = 1,
-+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
-+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
-+ .help = tproxy_tg_help,
-+ .parse = tproxy_tg_parse4_v1,
-+ .final_check = tproxy_tg_check,
-+ .print = tproxy_tg_print4_v1,
-+ .save = tproxy_tg_save4_v1,
-+ .extra_opts = tproxy_tg_opts,
-+ },
-+ {
-+ .name = "TPROXY",
-+ .family = NFPROTO_IPV6,
-+ .version = XTABLES_VERSION,
-+ .revision = 1,
-+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
-+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
-+ .help = tproxy_tg_help,
-+ .parse = tproxy_tg_parse6_v1,
-+ .final_check = tproxy_tg_check,
-+ .print = tproxy_tg_print6_v1,
-+ .save = tproxy_tg_save6_v1,
-+ .extra_opts = tproxy_tg_opts,
-+ },
- };
-
- void _init(void)
- {
-- xtables_register_target(&tproxy_tg_reg);
-+ xtables_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
- }
-diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
-index 152e8f9..28ff0e8 100644
---- a/include/linux/netfilter/xt_TPROXY.h
-+++ b/include/linux/netfilter/xt_TPROXY.h
-@@ -11,4 +11,11 @@ struct xt_tproxy_target_info {
- __be16 lport;
- };
-
-+struct xt_tproxy_target_info_v1 {
-+ u_int32_t mark_mask;
-+ u_int32_t mark_value;
-+ union nf_inet_addr laddr;
-+ __be16 lport;
-+};
-+
- #endif /* _XT_TPROXY_H_target */
-
-
-
projects / packages / iptables.git / commitdiff