- new from http://www.balabit.com/downloads/files/tproxy/

Changed files:
    iptables-tproxy.patch -> 1.1

diff --git a/iptables-tproxy.patch b/iptables-tproxy.patch
new file mode 100644 (file)
index 0000000..f78ec1f
--- /dev/null
+++ b/iptables-tproxy.patch
@@ -0,0 +1,228 @@
+--- extensions/.TPROXY-test
++++ extensions/.TPROXY-test
+@@ -0,0 +1,2 @@
++#! /bin/sh
++[ -f $KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h ] && echo tproxy
+--- extensions/libxt_TPROXY.c  (revision 0)
++++ extensions/libxt_TPROXY.c  (revision 0)
+@@ -0,0 +1,155 @@
++/*
++ * Shared library add-on to iptables to add TPROXY target support.
++ *
++ * Copyright (C) 2002-2007 BalaBit IT Ltd.
++ */
++#include <getopt.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <limits.h>
++
++#include <iptables.h>
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_TPROXY.h>
++
++static const struct option tproxy_tg_opts[] = {
++      {"on-port",     true, NULL, '1'},
++      {"on-ip",       true, NULL, '2'},
++      {"tproxy-mark", true, NULL, '3'},
++      { .name = NULL },
++};
++
++#define PARAM_ONPORT  1
++#define PARAM_ONIP    2
++#define PARAM_MARK    4
++
++static void tproxy_tg_help(void)
++{
++      printf(
++"TPROXY target v%s options:\n"
++"  --on-port port                   Redirect connection to port, or the original port if 0\n"
++"  --on-ip ip                       Optionally redirect to the given IP\n"
++"  --tproxy-mark value/mask         Mark packets with the given value/mask\n\n",
++IPTABLES_VERSION);
++}
++
++static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info)
++{
++      unsigned int lport;
++
++      if (string_to_number(s, 0, 65535, &lport) != -1)
++              info->lport = htons(lport);
++      else
++              exit_error(PARAMETER_PROBLEM, "bad --on-port \"%s\"", s);
++}
++
++static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info)
++{
++      struct in_addr *laddr;
++
++      if ((laddr = numeric_to_ipaddr(s)) == NULL)
++              exit_error(PARAMETER_PROBLEM, "bad --on-ip \"%s\"", s);
++      info->laddr = laddr->s_addr;
++}
++
++static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
++{
++      unsigned long tmp;
++      char *slash;
++
++      slash = strchr(s, '/');
++      info->mark_mask = ULONG_MAX;
++      if (slash != NULL) {
++              *slash = '\0';
++              if (string_to_number_l(slash + 1, 0, ULONG_MAX, &tmp) < 0)
++                      exit_error(PARAMETER_PROBLEM,
++                                 "bad mask in --tproxy-mark \"%s\"", s);
++              info->mark_mask = tmp;
++      }
++      if (string_to_number_l(s, 0, ULONG_MAX, &tmp) < 0)
++              exit_error(PARAMETER_PROBLEM,
++                         "bad value in --tproxy-mark \"%s\"", s);
++      info->mark_value = tmp;
++}
++
++static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
++                        const void *entry, struct xt_entry_target **target)
++{
++      struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data;
++
++      switch (c) {
++      case '1':
++              if (*flags & PARAM_ONPORT)
++                      exit_error(PARAMETER_PROBLEM,
++                              "TPROXY target: Can't specify --on-port twice");
++              parse_tproxy_lport(optarg, tproxyinfo);
++              *flags |= PARAM_ONPORT;
++              return 1;
++      case '2':
++              if (*flags & PARAM_ONIP)
++                      exit_error(PARAMETER_PROBLEM,
++                              "TPROXY target: Can't specify --on-ip twice");
++              parse_tproxy_laddr(optarg, tproxyinfo);
++              *flags |= PARAM_ONIP;
++              return 1;
++      case '3':
++              if (*flags & PARAM_MARK)
++                      exit_error(PARAMETER_PROBLEM,
++                              "TPROXY target: Can't specify --tproxy-mark twice");
++              parse_tproxy_mark(optarg, tproxyinfo);
++              *flags |= PARAM_MARK;
++              return 1;
++      }
++
++      return 0;
++}
++
++static void tproxy_tg_check(unsigned int flags)
++{
++      if (!(flags & PARAM_ONPORT))
++              exit_error(PARAMETER_PROBLEM,
++                         "TPROXY target: Parameter --on-port is required");
++}
++
++static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target,
++                         int numeric)
++{
++      const struct xt_tproxy_target_info *info = (const void *)target->data;
++      printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
++             ipaddr_to_numeric((const struct in_addr *)&info->laddr),
++             ntohs(info->lport), (unsigned int)info->mark_value,
++             (unsigned int)info->mark_mask);
++}
++
++static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
++{
++      const struct xt_tproxy_target_info *info = (const void *)target->data;
++
++      printf("--on-port %u ", ntohs(info->lport));
++      printf("--on-ip %s ",
++             ipaddr_to_numeric((const struct in_addr *)&info->laddr));
++      printf("--tproxy-mark 0x%x/0x%x ",
++             (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
++}
++
++static struct xtables_target tproxy_tg_reg = {
++      .name          = "TPROXY",
++      .family        = AF_INET,
++      .version       = IPTABLES_VERSION,
++      .size          = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
++      .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
++      .help          = tproxy_tg_help,
++      .parse         = tproxy_tg_parse,
++      .final_check   = tproxy_tg_check,
++      .print         = tproxy_tg_print,
++      .save          = tproxy_tg_save,
++      .extra_opts    = tproxy_tg_opts,
++};
++
++void _init(void)
++{
++      xtables_register_target(&tproxy_tg_reg);
++}
+Index: extensions/libxt_socket.c
+===================================================================
+--- extensions/libxt_socket.c  (revision 0)
++++ extensions/libxt_socket.c  (revision 0)
+@@ -0,0 +1,39 @@
++/*
++ * Shared library add-on to iptables to add early socket matching support.
++ *
++ * Copyright (C) 2007-2008 BalaBit IT Ltd.
++ */
++#include <stdio.h>
++#include <getopt.h>
++#include <iptables.h>
++
++static void socket_mt_help(void)
++{
++      printf("socket v%s has no options\n\n", IPTABLES_VERSION);
++}
++
++static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
++                        const void *entry, struct xt_entry_match **match)
++{
++      return 0;
++}
++
++static void socket_mt_check(unsigned int flags)
++{
++}
++
++static struct xtables_match socket_mt_reg = {
++      .name          = "socket",
++      .version       = IPTABLES_VERSION,
++      .family        = AF_INET,
++      .size          = XT_ALIGN(0),
++      .userspacesize = XT_ALIGN(0),
++      .parse         = socket_mt_parse,
++      .final_check   = socket_mt_check,
++      .help          = socket_mt_help,
++};
++
++void _init(void)
++{
++      xtables_register_match(&socket_mt_reg);
++}
+Index: include/linux/netfilter/xt_TPROXY.h
+===================================================================
+--- include/linux/netfilter/xt_TPROXY.h        (revision 0)
++++ include/linux/netfilter/xt_TPROXY.h        (revision 0)
+@@ -0,0 +1,16 @@
++#ifndef _XT_TPROXY_H_target
++#define _XT_TPROXY_H_target
++
++/*
++ * TPROXY target is capable of marking the packet to perform
++ * redirection. We can get rid of that whenever we get support for
++ * mutliple targets in the same rule.
++ */
++struct xt_tproxy_target_info {
++      u_int32_t mark_mask;
++      u_int32_t mark_value;
++      __be32 laddr;
++      __be16 lport;
++};
++
++#endif /* _XT_TPROXY_H_target */