--- extensions/.TPROXY-testx
+++ extensions/.TPROXY-testx
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h ] && echo TPROXY
--- extensions/.socket-testx
+++ extensions/.socket-testx
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/net/netfilter/xt_socket.c ] && echo socket
Index: extensions/libxt_socket.c
===================================================================
--- extensions/libxt_socket.c (revision 0)
+++ extensions/libxt_socket.c (revision 0)
@@ -0,0 +1,39 @@
+/*
+ * Shared library add-on to iptables to add early socket matching support.
+ *
+ * Copyright (C) 2007-2008 BalaBit IT Ltd.
+ */
+#include
+#include
+#include
+
+static void socket_mt_help(void)
+{
+ printf("socket v%s has no options\n\n", XTABLES_VERSION);
+}
+
+static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return 0;
+}
+
+static void socket_mt_check(unsigned int flags)
+{
+}
+
+static struct xtables_match socket_mt_reg = {
+ .name = "socket",
+ .version = XTABLES_VERSION,
+ .family = AF_INET,
+ .size = XT_ALIGN(0),
+ .userspacesize = XT_ALIGN(0),
+ .parse = socket_mt_parse,
+ .final_check = socket_mt_check,
+ .help = socket_mt_help,
+};
+
+void _init(void)
+{
+ xtables_register_match(&socket_mt_reg);
+}
--- extensions/libxt_TPROXY.c (revision 0)
+++ extensions/libxt_TPROXY.c (revision 0)
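Review bot: `$KERNEL_DIR` is expanded unquoted inside the `[ -f ... ]` test in .TPROXY-testx, so a kernel path containing whitespace makes `[` see extra operands and print an error instead of quietly reporting "not found". Quoting the expansion, `[ -f "$KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h" ] && echo TPROXY`, keeps the probe silent on such paths. The .socket-testx hunk has the same unquoted expansion in its `[ -f $KERNEL_DIR/net/netfilter/xt_socket.c ]` line.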
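Review bot: socket_mt_parse returns 0 for every option character and socket_mt_check is an empty body, but nothing in the file says this is deliberate, so a reader may take the stubs for unfinished work. A one-line comment above socket_mt_parse, `/* The socket match takes no options, so no option is ever consumed here. */`, and one above socket_mt_check, `/* Nothing to validate: the match carries no data (size XT_ALIGN(0)). */`, would document the intent. The `#include` lines in this hunk show no header names, so the includes could not be checked from what is visible.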
@@ -0,0 +1,155 @@
+/*
+ * Shared library add-on to iptables to add TPROXY target support.
+ *
+ * Copyright (C) 2002-2007 BalaBit IT Ltd.
+ */
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+static const struct option tproxy_tg_opts[] = {
+ {"on-port", true, NULL, '1'},
+ {"on-ip", true, NULL, '2'},
+ {"tproxy-mark", true, NULL, '3'},
+ { .name = NULL },
+};
+
+#define PARAM_ONPORT 1
+#define PARAM_ONIP 2
+#define PARAM_MARK 4
+
+static void tproxy_tg_help(void)
+{
+ printf(
+"TPROXY target v%s options:\n"
+" --on-port port Redirect connection to port, or the original port if 0\n"
+" --on-ip ip Optionally redirect to the given IP\n"
+" --tproxy-mark value/mask Mark packets with the given value/mask\n\n",
+XTABLES_VERSION);
+}
+
+static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info)
+{
+ unsigned int lport;
+
+ if (string_to_number(s, 0, 65535, &lport) != -1)
+ info->lport = htons(lport);
+ else
+ exit_error(PARAMETER_PROBLEM, "bad --on-port \"%s\"", s);
+}
+
+static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info)
+{
+ struct in_addr *laddr;
+
+ if ((laddr = numeric_to_ipaddr(s)) == NULL)
+ exit_error(PARAMETER_PROBLEM, "bad --on-ip \"%s\"", s);
+ info->laddr = laddr->s_addr;
+}
+
+static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
+{
+ unsigned long tmp;
+ char *slash;
+
+ slash = strchr(s, '/');
+ info->mark_mask = UINT_MAX;
+ if (slash != NULL) {
+ *slash = '\0';
+ if (string_to_number_l(slash + 1, 0, ULONG_MAX, &tmp) < 0)
+ exit_error(PARAMETER_PROBLEM,
+ "bad mask in --tproxy-mark \"%s\"", s);
+ info->mark_mask = tmp;
+ }
+ if (string_to_number_l(s, 0, ULONG_MAX, &tmp) < 0)
+ exit_error(PARAMETER_PROBLEM,
+ "bad value in --tproxy-mark \"%s\"", s);
+ info->mark_value = tmp;
+}
+
+static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct 
xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & PARAM_ONPORT)
+ exit_error(PARAMETER_PROBLEM,
+ "TPROXY target: Can't specify --on-port twice");
+ parse_tproxy_lport(optarg, tproxyinfo);
+ *flags |= PARAM_ONPORT;
+ return 1;
+ case '2':
+ if (*flags & PARAM_ONIP)
+ exit_error(PARAMETER_PROBLEM,
+ "TPROXY target: Can't specify --on-ip twice");
+ parse_tproxy_laddr(optarg, tproxyinfo);
+ *flags |= PARAM_ONIP;
+ return 1;
+ case '3':
+ if (*flags & PARAM_MARK)
+ exit_error(PARAMETER_PROBLEM,
+ "TPROXY target: Can't specify --tproxy-mark twice");
+ parse_tproxy_mark(optarg, tproxyinfo);
+ *flags |= PARAM_MARK;
+ return 1;
+ }
+
+ return 0;
+}
+
+static void tproxy_tg_check(unsigned int flags)
+{
+ if (!(flags & PARAM_ONPORT))
+ exit_error(PARAMETER_PROBLEM,
+ "TPROXY target: Parameter --on-port is required");
+}
+
+static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tproxy_target_info *info = (const void *)target->data;
+ printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
+ ipaddr_to_numeric((const struct in_addr *)&info->laddr),
+ ntohs(info->lport), (unsigned int)info->mark_value,
+ (unsigned int)info->mark_mask);
+}
+
+static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tproxy_target_info *info = (const void *)target->data;
+
+ printf("--on-port %u ", ntohs(info->lport));
+ printf("--on-ip %s ",
+ ipaddr_to_numeric((const struct in_addr *)&info->laddr));
+ printf("--tproxy-mark 0x%x/0x%x ",
+ (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
+}
+
+static struct xtables_target tproxy_tg_reg = {
+ .name = "TPROXY",
+ .family = AF_INET,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
+ .help = tproxy_tg_help,
+ .parse = tproxy_tg_parse,
+ .final_check = tproxy_tg_check,
+ .print = 
tproxy_tg_print,
+ .save = tproxy_tg_save,
+ .extra_opts = tproxy_tg_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&tproxy_tg_reg);
+}
Index: include/linux/netfilter/xt_TPROXY.h
===================================================================
--- include/linux/netfilter/xt_TPROXY.h (revision 0)
+++ include/linux/netfilter/xt_TPROXY.h (revision 0)
@@ -0,0 +1,16 @@
+#ifndef _XT_TPROXY_H_target
+#define _XT_TPROXY_H_target
+
+/*
+ * TPROXY target is capable of marking the packet to perform
+ * redirection. We can get rid of that whenever we get support for
+ * mutliple targets in the same rule.
+ */
+struct xt_tproxy_target_info {
+ u_int32_t mark_mask;
+ u_int32_t mark_value;
+ __be32 laddr;
+ __be16 lport;
+};
+
+#endif /* _XT_TPROXY_H_target */
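Review bot: parse_tproxy_mark bounds both string_to_number_l calls with ULONG_MAX but stores the result into the u_int32_t mark_value and mark_mask fields of struct xt_tproxy_target_info, so on an LP64 build a value above 0xffffffff is silently truncated and the installed rule marks packets with something other than what the administrator typed. Using the same bound the function already uses as the default mask, `if (string_to_number_l(slash + 1, 0, UINT_MAX, &tmp) < 0)` and `if (string_to_number_l(s, 0, UINT_MAX, &tmp) < 0)`, turns such input into the existing "bad mask"/"bad value" errors instead. Also note that `*slash = '\0'` is written before the mask error is reported, so the "bad mask in --tproxy-mark" message prints only the part of the argument before the slash rather than what the user supplied; reporting `slash + 1`, or restoring the slash before calling exit_error, would make that message accurate.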
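Review bot: xt_TPROXY.h uses `__be32`, `__be16` and `u_int32_t` but includes nothing, so it compiles only when the including file has already pulled in the headers that define those types. Adding `#include <linux/types.h>` under the guard makes the header self-contained, and the two mark fields could then be declared as `__u32` so that all four members come from one type family. The comment above the struct also has a typo: "mutliple" should read "multiple".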