--- /dev/null
+diff -uprN iptables./extensions/.IPMARK-test iptables/extensions/.IPMARK-test
+--- iptables./extensions/.IPMARK-test 1970-01-01 01:00:00.000000000 +0100
++++ iptables/extensions/.IPMARK-test 2006-12-04 12:15:19.000000000 +0100
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IPMARK patch is applied.
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IPMARK.h ] && echo IPMARK
+diff -uprN iptables./extensions/libipt_IPMARK.c iptables/extensions/libipt_IPMARK.c
+--- iptables./extensions/libipt_IPMARK.c 1970-01-01 01:00:00.000000000 +0100
++++ iptables/extensions/libipt_IPMARK.c 2008-05-15 12:22:18.000000000 +0200
+@@ -0,0 +1,183 @@
++/* Shared library add-on to iptables to add IPMARK target support.
++ * (C) 2003 by Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>
++ *
++ * based on original MARK target
++ *
++ * This program is distributed under the terms of GNU GPL
++ */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_IPMARK.h>
++
++#define IPT_ADDR_USED 1
++#define IPT_AND_MASK_USED 2
++#define IPT_OR_MASK_USED 4
++
++/* Function which prints out usage message. */
++static void
++help(void)
++{
++ printf(
++"IPMARK target v%s options:\n"
++" --addr src/dst use source or destination ip address\n"
++" --and-mask value logical AND ip address with this value becomes MARK\n"
++" --or-mask value logical OR ip address with this value becomes MARK\n"
++"\n",
++IPTABLES_VERSION);
++}
++
++static struct option opts[] = {
++ { "addr", 1, 0, '1' },
++ { "and-mask", 1, 0, '2' },
++ { "or-mask", 1, 0, '3' },
++ { 0 }
++};
++
++/* Initialize the target. */
++static void
++#ifdef _XTABLES_H
++init(struct xt_entry_target *t)
++#else
++init(struct ipt_entry_target *t, unsigned int *nfcache)
++#endif
++{
++ struct ipt_ipmark_target_info *ipmarkinfo =
++ (struct ipt_ipmark_target_info *)t->data;
++
++ ipmarkinfo->andmask=0xffffffff;
++ ipmarkinfo->ormask=0;
++
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++#ifdef _XTABLES_H
++ const void *entry, struct xt_entry_target **target)
++#else
++ const struct ipt_entry *entry, struct ipt_entry_target **target)
++#endif
++{
++ struct ipt_ipmark_target_info *ipmarkinfo
++ = (struct ipt_ipmark_target_info *)(*target)->data;
++
++ switch (c) {
++ char *end;
++ case '1':
++ if(!strcmp(optarg, "src")) ipmarkinfo->addr=IPT_IPMARK_SRC;
++ else if(!strcmp(optarg, "dst")) ipmarkinfo->addr=IPT_IPMARK_DST;
++ else exit_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
++ if (*flags & IPT_ADDR_USED)
++ exit_error(PARAMETER_PROBLEM,
++ "IPMARK target: Can't specify --addr twice");
++ *flags |= IPT_ADDR_USED;
++ break;
++
++ case '2':
++ ipmarkinfo->andmask = strtoul(optarg, &end, 0);
++ if (*end != '\0' || end == optarg)
++ exit_error(PARAMETER_PROBLEM, "Bad and-mask value `%s'", optarg);
++ if (*flags & IPT_AND_MASK_USED)
++ exit_error(PARAMETER_PROBLEM,
++ "IPMARK target: Can't specify --and-mask twice");
++ *flags |= IPT_AND_MASK_USED;
++ break;
++ case '3':
++ ipmarkinfo->ormask = strtoul(optarg, &end, 0);
++ if (*end != '\0' || end == optarg)
++ exit_error(PARAMETER_PROBLEM, "Bad or-mask value `%s'", optarg);
++ if (*flags & IPT_OR_MASK_USED)
++ exit_error(PARAMETER_PROBLEM,
++ "IPMARK target: Can't specify --or-mask twice");
++ *flags |= IPT_OR_MASK_USED;
++ break;
++
++ default:
++ return 0;
++ }
++
++ return 1;
++}
++
++static void
++final_check(unsigned int flags)
++{
++ if (!(flags & IPT_ADDR_USED))
++ exit_error(PARAMETER_PROBLEM,
++ "IPMARK target: Parameter --addr is required");
++ if (!(flags & (IPT_AND_MASK_USED | IPT_OR_MASK_USED)))
++ exit_error(PARAMETER_PROBLEM,
++ "IPMARK target: Parameter --and-mask or --or-mask is required");
++}
++
++/* Prints out the targinfo. */
++static void
++#ifdef _XTABLES_H
++print(const void *ip,
++ const struct xt_entry_target *target,
++#else
++print(const struct ipt_ip *ip,
++ const struct ipt_entry_target *target,
++#endif
++ int numeric)
++{
++ const struct ipt_ipmark_target_info *ipmarkinfo =
++ (const struct ipt_ipmark_target_info *)target->data;
++
++ if(ipmarkinfo->addr == IPT_IPMARK_SRC)
++ printf("IPMARK src");
++ else
++ printf("IPMARK dst");
++ printf(" ip and 0x%lx or 0x%lx", ipmarkinfo->andmask, ipmarkinfo->ormask);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void
++#ifdef _XTABLES_H
++save(const void *ip,
++ const struct xt_entry_target *target)
++#else
++save(const struct ipt_ip *ip,
++ const struct ipt_entry_target *target)
++#endif
++{
++ const struct ipt_ipmark_target_info *ipmarkinfo =
++ (const struct ipt_ipmark_target_info *)target->data;
++
++ if (ipmarkinfo->addr == IPT_IPMARK_SRC)
++ printf("--addr=src ");
++ else
++ printf("--addr=dst ");
++
++ if (ipmarkinfo->andmask != 0xffffffff)
++ printf("--and-mask 0x%lx ", ipmarkinfo->andmask);
++
++ if (ipmarkinfo->ormask != 0)
++ printf("--or-mask 0x%lx ", ipmarkinfo->ormask);
++}
++
++static struct iptables_target ipmark = {
++ .next = NULL,
++ .name = "IPMARK",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
++ .help = &help,
++ .init = &init,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++void _init(void)
++{
++ register_target(&ipmark);
++}
+diff -uprN iptables./extensions/libipt_IPMARK.man iptables/extensions/libipt_IPMARK.man
+--- iptables./extensions/libipt_IPMARK.man 1970-01-01 01:00:00.000000000 +0100
++++ iptables/extensions/libipt_IPMARK.man 2006-12-04 12:15:19.000000000 +0100
+@@ -0,0 +1,45 @@
++Allows you to mark a received packet basing on its IP address. This
++can replace many mangle/mark entries with only one, if you use
++firewall based classifier.
++
++This target is to be used inside the mangle table, in the PREROUTING,
++POSTROUTING or FORWARD hooks.
++.TP
++.BI "--addr " "src/dst"
++Use source or destination IP address.
++.TP
++.BI "--and-mask " "mask"
++Perform bitwise `and' on the IP address and this mask.
++.TP
++.BI "--or-mask " "mask"
++Perform bitwise `or' on the IP address and this mask.
++.P
++The order of IP address bytes is reversed to meet "human order of bytes":
++192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
++`or'.
++
++Examples:
++
++We create a queue for each user, the queue number is adequate
++to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
++are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
++
++We have one classifier rule:
++.IP
++tc filter add dev eth3 parent 1:0 protocol ip fw
++.P
++Earlier we had many rules just like below:
++.IP
++iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
++--set-mark 0x10502
++.IP
++iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
++--set-mark 0x10503
++.P
++Using IPMARK target we can replace all the mangle/mark rules with only one:
++.IP
++iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
++--and-mask=0xffff --or-mask=0x10000
++.P
++On the routers with hundreds of users there should be significant load
++decrease (e.g. twice).
projects / packages / iptables.git / commitdiff