[packages/iptables.git] / iptables-TPROXY-IPv6.patch

Date:   Thu, 21 Oct 2010 17:19:22 +0200
From:   KOVACS Krisztian <hidden@balabit.hu>
Subject: [PATCH 1/2] tproxy: add IPv6 support for socket match

This patch also adds userspace support for the --transparent mode
of matching, which the kernel already supports, but the iptables userspace
doesn't.

Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>
Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
---
 extensions/libxt_socket.c           |  103 ++++++++++++++++++++++++++++++++---
 extensions/libxt_socket.man         |    6 ++
 include/linux/netfilter/xt_socket.h |   12 ++++
 3 files changed, 112 insertions(+), 9 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h

diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index 1490473..5705466 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -1,19 +1,106 @@
 /*
  * Shared library add-on to iptables to add early socket matching support.
  *
- * Copyright (C) 2007 BalaBit IT Ltd.
+ * Copyright (C) 2007, 2009 BalaBit IT Ltd.
  */
+#include <stdio.h>
+#include <getopt.h>
 #include <xtables.h>
+#include <linux/netfilter/xt_socket.h>
 
-static struct xtables_match socket_mt_reg = {
-       .name          = "socket",
-       .version       = XTABLES_VERSION,
-       .family        = NFPROTO_IPV4,
-       .size          = XT_ALIGN(0),
-       .userspacesize = XT_ALIGN(0),
+static void socket_mt_help_v0(void)
+{
+       printf("socket match has no options.\n\n");
+}
+
+static void socket_mt_help_v1(void)
+{
+       printf("socket match options:\n"
+"--transparent     Matches only if the socket's transparent option is set\n");
+}
+
+static const struct option socket_opts_v1[] = {
+       { "transparent", 0, NULL, '1' },
+       { }
+};
+
+static int socket_mt_parse_v0(int c, char **argv, int invert,
+                             unsigned int *flags, const void *entry,
+                             struct xt_entry_match **match)
+{
+       return 0;
+}
+
+static int socket_mt_parse_v1(int c, char **argv, int invert,
+                             unsigned int *flags, const void *entry,
+                             struct xt_entry_match **match)
+{
+       struct xt_socket_mtinfo1 *info = (void *) (*match)->data;
+
+       switch (c) {
+       case '1':
+               if (*flags)
+                       xtables_error(PARAMETER_PROBLEM,
+                                     "Can't specify multiple --transparent");
+               info->flags |= XT_SOCKET_TRANSPARENT;
+               *flags = 1;
+               break;
+       default:
+               return 0;
+       }
+       return 1;
+}
+
+static void socket_mt_check(unsigned int flags)
+{
+}
+
+static void socket_mt_print_v1(const void *ip,
+                              const struct xt_entry_match *match,
+                              int numeric)
+{
+       const struct xt_socket_mtinfo1 *info = (const void *)match->data;
+       printf("socket ");
+       if (info->flags & XT_SOCKET_TRANSPARENT)
+               printf("transparent ");
+}
+
+static void socket_mt_save_v1(const void *ip,
+                             const struct xt_entry_match *match)
+{
+       const struct xt_socket_mtinfo1 *info = (const void *)match->data;
+
+       if (info->flags & XT_SOCKET_TRANSPARENT)
+               printf("--transparent ");
+}
+
+static struct xtables_match socket_matches[] = {
+       {
+               .name           = "socket",
+               .revision       = 0,
+               .version        = XTABLES_VERSION,
+               .family         = NFPROTO_IPV4,
+               .parse          = socket_mt_parse_v0,
+               .final_check    = socket_mt_check,
+               .help           = socket_mt_help_v0,
+       },
+       {
+               .name           = "socket",
+               .version        = XTABLES_VERSION,
+               .revision       = 1,
+               .family         = NFPROTO_UNSPEC,
+               .size           = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+               .userspacesize  = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)),
+               .parse          = socket_mt_parse_v1,
+               .print          = socket_mt_print_v1,
+               .save           = socket_mt_save_v1,
+               .final_check    = socket_mt_check,
+               .help           = socket_mt_help_v1,
+               .extra_opts     = socket_opts_v1,
+       }
 };
 
 void _init(void)
 {
-       xtables_register_match(&socket_mt_reg);
+       xtables_register_matches(socket_matches, ARRAY_SIZE(socket_matches));
 }
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 50c8854..edc9d75 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,2 +1,6 @@
 This matches if an open socket can be found by doing a socket lookup on the
-packet.
+packet which doesn\'t listen on the \'any\' IP address (0.0.0.0).
+.TP
+.BI "\-\-transparent"
+Enables additional check, that the actual socket's transparent socket option
+has to be set.
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..6f475b8
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,12 @@
+#ifndef _XT_SOCKET_H
+#define _XT_SOCKET_H
+
+enum {
+       XT_SOCKET_TRANSPARENT = 1 << 0,
+};
+
+struct xt_socket_mtinfo1 {
+       __u8 flags;
+};
+
+#endif /* _XT_SOCKET_H */


Date:   Thu, 21 Oct 2010 17:19:22 +0200
From:   KOVACS Krisztian <hidden@balabit.hu>
Subject: [PATCH 2/2] tproxy: add IPv6 support to the TPROXY target

Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>
Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
---
 extensions/libxt_TPROXY.c           |  213 +++++++++++++++++++++++++++++------
 include/linux/netfilter/xt_TPROXY.h |    7 +
 2 files changed, 183 insertions(+), 37 deletions(-)

diff --git a/extensions/libxt_TPROXY.c b/extensions/libxt_TPROXY.c
index cd0b50a..74d122c 100644
--- a/extensions/libxt_TPROXY.c
+++ b/extensions/libxt_TPROXY.c
@@ -1,7 +1,7 @@
 /*
  * Shared library add-on to iptables to add TPROXY target support.
  *
- * Copyright (C) 2002-2008 BalaBit IT Ltd.
+ * Copyright (C) 2002-2009 BalaBit IT Ltd.
  */
 #include <getopt.h>
 #include <stdbool.h>
@@ -15,8 +15,8 @@
 #include <linux/netfilter/xt_TPROXY.h>
 
 static const struct option tproxy_tg_opts[] = {
-       {.name = "on-port",     .has_arg = true, .val = '1'},
-       {.name = "on-ip",       .has_arg = true, .val = '2'},
+       {.name = "on-port",     .has_arg = true, .val = '1'},
+       {.name = "on-ip",       .has_arg = true, .val = '2'},
        {.name = "tproxy-mark", .has_arg = true, .val = '3'},
        XT_GETOPT_TABLEEND,
 };
@@ -36,44 +36,64 @@ static void tproxy_tg_help(void)
 "  --tproxy-mark value[/mask]      Mark packets with the given value/mask\n\n");
 }
 
-static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_lport(const char *s, unsigned short *lport)
 {
-       unsigned int lport;
+       unsigned int value;
 
-       if (xtables_strtoui(s, NULL, &lport, 0, UINT16_MAX))
-               info->lport = htons(lport);
+       if (xtables_strtoui(s, NULL, &value, 0, UINT16_MAX))
+               *lport = htons(value);
        else
                xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-port", s);
 }
 
-static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_laddr_v0(const char *s, __be32 *laddr)
 {
-       struct in_addr *laddr;
+       struct in_addr *ina;
 
-       if ((laddr = xtables_numeric_to_ipaddr(s)) == NULL)
+       if ((ina = xtables_numeric_to_ipaddr(s)) == NULL)
                xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
 
-       info->laddr = laddr->s_addr;
+       *laddr = ina->s_addr;
 }
 
-static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_laddr(const char *s, int family, union nf_inet_addr *laddr)
+{
+
+       if (family == NFPROTO_IPV6) {
+               struct in6_addr *addr6;
+
+               if ((addr6 = xtables_numeric_to_ip6addr(s))) {
+                       laddr->in6 = *addr6;
+               } else {
+                       xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
+               }
+       } else {
+               struct in_addr *addr;
+
+               if ((addr = xtables_numeric_to_ipaddr(s))) {
+                       laddr->in = *addr;
+               } else {
+                       xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
+               }
+
+       }
+}
+
+static void parse_tproxy_mark(char *s, unsigned int *value, unsigned int *mask)
 {
-       unsigned int value, mask = UINT32_MAX;
        char *end;
 
-       if (!xtables_strtoui(s, &end, &value, 0, UINT32_MAX))
+       *mask = UINT32_MAX;
+       if (!xtables_strtoui(s, &end, value, 0, UINT32_MAX))
                xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
        if (*end == '/')
-               if (!xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX))
+               if (!xtables_strtoui(end + 1, &end, mask, 0, UINT32_MAX))
                        xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
        if (*end != '\0')
                xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
-
-       info->mark_mask = mask;
-       info->mark_value = value;
 }
 
-static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+static int tproxy_tg_parse_v0(int c, char **argv, int invert, unsigned int *flags,
                        const void *entry, struct xt_entry_target **target)
 {
        struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data;
@@ -82,19 +102,19 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
        case '1':
                xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
                xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
-               parse_tproxy_lport(optarg, tproxyinfo);
+               parse_tproxy_lport(optarg, &tproxyinfo->lport);
                *flags |= PARAM_ONPORT;
                return 1;
        case '2':
                xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
                xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
-               parse_tproxy_laddr(optarg, tproxyinfo);
+               parse_tproxy_laddr_v0(optarg, &tproxyinfo->laddr);
                *flags |= PARAM_ONIP;
                return 1;
        case '3':
                xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
                xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
-               parse_tproxy_mark(optarg, tproxyinfo);
+               parse_tproxy_mark(optarg, &tproxyinfo->mark_value, &tproxyinfo->mark_mask);
                *flags |= PARAM_MARK;
                return 1;
        }
@@ -102,6 +122,47 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
        return 0;
 }
 
+static int tproxy_tg_parse_v1(int family, int c, char **argv, int invert, unsigned int *flags,
+                       const void *entry, struct xt_entry_target **target)
+{
+       struct xt_tproxy_target_info_v1 *tproxyinfo = (void *)(*target)->data;
+
+       switch (c) {
+       case '1':
+               xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
+               xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
+               parse_tproxy_lport(optarg, &tproxyinfo->lport);
+               *flags |= PARAM_ONPORT;
+               return 1;
+       case '2':
+               xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
+               xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
+               parse_tproxy_laddr(optarg, family, &tproxyinfo->laddr);
+               *flags |= PARAM_ONIP;
+               return 1;
+       case '3':
+               xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
+               xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
+               parse_tproxy_mark(optarg, &tproxyinfo->mark_value, &tproxyinfo->mark_mask);
+               *flags |= PARAM_MARK;
+               return 1;
+       }
+
+       return 0;
+}
+
+static int tproxy_tg_parse4_v1(int c, char **argv, int invert, unsigned int *flags,
+                       const void *entry, struct xt_entry_target **target)
+{
+       return tproxy_tg_parse_v1(NFPROTO_IPV4, c, argv, invert, flags, entry, target);
+}
+
+static int tproxy_tg_parse6_v1(int c, char **argv, int invert, unsigned int *flags,
+                       const void *entry, struct xt_entry_target **target)
+{
+       return tproxy_tg_parse_v1(NFPROTO_IPV6, c, argv, invert, flags, entry, target);
+}
+
 static void tproxy_tg_check(unsigned int flags)
 {
        if (!(flags & PARAM_ONPORT))
@@ -109,7 +170,7 @@ static void tproxy_tg_check(unsigned int flags)
                           "TPROXY target: Parameter --on-port is required");
 }
 
-static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target,
+static void tproxy_tg_print_v0(const void *ip, const struct xt_entry_target *target,
                         int numeric)
 {
        const struct xt_tproxy_target_info *info = (const void *)target->data;
@@ -119,7 +180,31 @@ static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target
               (unsigned int)info->mark_mask);
 }
 
-static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
+static void tproxy_tg_print_v1(int family, const void *ip, const struct xt_entry_target *target,
+                        int numeric)
+{
+       const struct xt_tproxy_target_info_v1 *info = (const void *)target->data;
+       printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
+              family == AF_INET
+              ? xtables_ipaddr_to_numeric(&info->laddr.in)
+              : xtables_ip6addr_to_numeric(&info->laddr.in6),
+              ntohs(info->lport), (unsigned int)info->mark_value,
+              (unsigned int)info->mark_mask);
+}
+
+static void tproxy_tg_print4_v1(const void *ip, const struct xt_entry_target *target,
+                              int numeric)
+{
+       return tproxy_tg_print_v1(NFPROTO_IPV4, ip, target, numeric);
+}
+
+static void tproxy_tg_print6_v1(const void *ip, const struct xt_entry_target *target,
+                              int numeric)
+{
+       return tproxy_tg_print_v1(NFPROTO_IPV6, ip, target, numeric);
+}
+
+static void tproxy_tg_save_v0(const void *ip, const struct xt_entry_target *target)
 {
        const struct xt_tproxy_target_info *info = (const void *)target->data;
 
@@ -130,21 +215,75 @@ static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
               (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
 }
 
-static struct xtables_target tproxy_tg_reg = {
-       .name          = "TPROXY",
-       .family        = NFPROTO_IPV4,
-       .version       = XTABLES_VERSION,
-       .size          = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
-       .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
-       .help          = tproxy_tg_help,
-       .parse         = tproxy_tg_parse,
-       .final_check   = tproxy_tg_check,
-       .print         = tproxy_tg_print,
-       .save          = tproxy_tg_save,
-       .extra_opts    = tproxy_tg_opts,
+static void tproxy_tg_save_v1(int family, const void *ip, const struct xt_entry_target *target)
+{
+       const struct xt_tproxy_target_info_v1 *info = (const void *)target->data;
+
+       printf("--on-port %u ", ntohs(info->lport));
+       printf("--on-ip %s ",
+              family == AF_INET
+              ? xtables_ipaddr_to_numeric(&info->laddr.in)
+              : xtables_ip6addr_to_numeric(&info->laddr.in6));
+       printf("--tproxy-mark 0x%x/0x%x ",
+              (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
+}
+
+static void tproxy_tg_save4_v1(const void *ip, const struct xt_entry_target *target)
+{
+       return tproxy_tg_save_v1(NFPROTO_IPV4, ip, target);
+}
+
+static void tproxy_tg_save6_v1(const void *ip, const struct xt_entry_target *target)
+{
+       return tproxy_tg_save_v1(NFPROTO_IPV6, ip, target);
+}
+
+
+static struct xtables_target tproxy_tg_reg[] = {
+       {
+               .name          = "TPROXY",
+               .family        = NFPROTO_IPV4,
+               .version       = XTABLES_VERSION,
+               .size          = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
+               .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
+               .help          = tproxy_tg_help,
+               .parse         = tproxy_tg_parse_v0,
+               .final_check   = tproxy_tg_check,
+               .print         = tproxy_tg_print_v0,
+               .save          = tproxy_tg_save_v0,
+               .extra_opts    = tproxy_tg_opts,
+       },
+       {
+               .name          = "TPROXY",
+               .family        = NFPROTO_IPV4,
+               .version       = XTABLES_VERSION,
+               .revision      = 1,
+               .size          = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+               .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+               .help          = tproxy_tg_help,
+               .parse         = tproxy_tg_parse4_v1,
+               .final_check   = tproxy_tg_check,
+               .print         = tproxy_tg_print4_v1,
+               .save          = tproxy_tg_save4_v1,
+               .extra_opts    = tproxy_tg_opts,
+       },
+       {
+               .name          = "TPROXY",
+               .family        = NFPROTO_IPV6,
+               .version       = XTABLES_VERSION,
+               .revision      = 1,
+               .size          = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+               .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+               .help          = tproxy_tg_help,
+               .parse         = tproxy_tg_parse6_v1,
+               .final_check   = tproxy_tg_check,
+               .print         = tproxy_tg_print6_v1,
+               .save          = tproxy_tg_save6_v1,
+               .extra_opts    = tproxy_tg_opts,
+       },
 };
 
 void _init(void)
 {
-       xtables_register_target(&tproxy_tg_reg);
+       xtables_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
 }
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
index 152e8f9..28ff0e8 100644
--- a/include/linux/netfilter/xt_TPROXY.h
+++ b/include/linux/netfilter/xt_TPROXY.h
@@ -11,4 +11,11 @@ struct xt_tproxy_target_info {
        __be16 lport;
 };
 
+struct xt_tproxy_target_info_v1 {
+       u_int32_t mark_mask;
+       u_int32_t mark_value;
+       union nf_inet_addr laddr;
+       __be16 lport;
+};
+
 #endif /* _XT_TPROXY_H_target */