[netfilter-cvslog] r6713 - in trunk: iptables/extensions patch-o-matic-ng/patchlets/IPV4OPTSSTRIP patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions patch-o-matic-ng/patchlets/ROUTE patch-o-matic-ng/patchlets/ROUTE/iptables patch-o-matic-ng/patchlets/ROUTE/iptables/extensions patch-o-matic-ng/patchlets/TARPIT patch-o-matic-ng/patchlets/TARPIT/iptables patch-o-matic-ng/patchlets/TARPIT/iptables/extensions patch-o-matic-ng/patchlets/ipv4options patch-o-matic-ng/patchlets/ipv4options/iptables patch-o-matic-ng/patchlets/ipv4options/iptables/extensions patch-o-matic-ng/patchlets/u32 patch-o-matic-ng/patchlets/u32/iptables patch-o-matic-ng/patchlets/u32/iptables/extensions

kaber at netfilter.org kaber at netfilter.org
Tue Dec 12 11:34:45 CET 2006


Author: kaber at netfilter.org
Date: 2006-12-12 11:34:45 +0100 (Tue, 12 Dec 2006)
New Revision: 6713

Added:
   trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/
   trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/
   trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/.IPV4OPTSSTRIP-test
   trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/libipt_IPV4OPTSSTRIP.c
   trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/libipt_IPV4OPTSSTRIP.man
   trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/
   trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/
   trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/.ROUTE-test
   trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/.ROUTE-test6
   trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libip6t_ROUTE.c
   trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libip6t_ROUTE.man
   trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libipt_ROUTE.c
   trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libipt_ROUTE.man
   trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/
   trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/
   trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/.TARPIT-test
   trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/libipt_TARPIT.c
   trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/libipt_TARPIT.man
   trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/
   trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/
   trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/.ipv4options-test
   trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/libipt_ipv4options.c
   trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/libipt_ipv4options.man
   trunk/patch-o-matic-ng/patchlets/u32/iptables/
   trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/
   trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/.u32-test
   trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/libipt_u32.c
   trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/libipt_u32.man
Removed:
   trunk/iptables/extensions/.IPV4OPTSSTRIP-test
   trunk/iptables/extensions/.ROUTE-test
   trunk/iptables/extensions/.ROUTE-test6
   trunk/iptables/extensions/.ipv4options-test
   trunk/iptables/extensions/.u32-test
   trunk/iptables/extensions/libip6t_ROUTE.c
   trunk/iptables/extensions/libip6t_ROUTE.man
   trunk/iptables/extensions/libipt_IPV4OPTSSTRIP.c
   trunk/iptables/extensions/libipt_IPV4OPTSSTRIP.man
   trunk/iptables/extensions/libipt_ROUTE.c
   trunk/iptables/extensions/libipt_ROUTE.man
   trunk/iptables/extensions/libipt_TARPIT.c
   trunk/iptables/extensions/libipt_TARPIT.man
   trunk/iptables/extensions/libipt_ipv4options.c
   trunk/iptables/extensions/libipt_ipv4options.man
   trunk/iptables/extensions/libipt_u32.c
   trunk/iptables/extensions/libipt_u32.man
Modified:
   trunk/iptables/extensions/Makefile
Log:
Move extensions for pom patches to individual patchlets.


Deleted: trunk/iptables/extensions/.IPV4OPTSSTRIP-test
===================================================================
--- trunk/iptables/extensions/.IPV4OPTSSTRIP-test	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/.IPV4OPTSSTRIP-test	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if IPV4OPTSSTRIP patch is applied.
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c ] && echo IPV4OPTSSTRIP

Deleted: trunk/iptables/extensions/.ROUTE-test
===================================================================
--- trunk/iptables/extensions/.ROUTE-test	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/.ROUTE-test	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_ROUTE.c ] && echo ROUTE

Deleted: trunk/iptables/extensions/.ROUTE-test6
===================================================================
--- trunk/iptables/extensions/.ROUTE-test6	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/.ROUTE-test6	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ROUTE.h ] && echo ROUTE

Deleted: trunk/iptables/extensions/.ipv4options-test
===================================================================
--- trunk/iptables/extensions/.ipv4options-test	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/.ipv4options-test	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if ipv4options is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipv4options.h ] && echo ipv4options

Deleted: trunk/iptables/extensions/.u32-test
===================================================================
--- trunk/iptables/extensions/.u32-test	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/.u32-test	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if u32 is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_u32.h ] && echo u32

Modified: trunk/iptables/extensions/Makefile
===================================================================
--- trunk/iptables/extensions/Makefile	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/Makefile	2006-12-12 10:34:45 UTC (rev 6713)
@@ -5,7 +5,7 @@
 # header files are present in the include/linux directory of this iptables
 # package (HW)
 #
-PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
+PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TCPMSS TOS TRACE TTL ULOG
 PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
 
 ifeq ($(DO_SELINUX), 1)
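Review bot: Dropping TARPIT from PF_EXT_SLIB does more than relocate a file: it turns TARPIT from a target that was linked into every static iptables build into one that is only built when the TARPIT patchlet has been applied, and neither the log message nor the Makefile comment above the list records that. The Removed list in this commit contains no .TARPIT-test (only the five tests for the other moved extensions), so TARPIT previously had no kernel-header gate, whereas the patchlet side now adds a .TARPIT-test; builds that relied on the default binary understanding `-j TARPIT` will presumably lose it without an obvious error. Suggest stating this in the commit log, e.g. `TARPIT was previously built unconditionally; it is now only built when the TARPIT patchlet has been applied to the kernel tree.` The surrounding Makefile rules that consume PF_EXT_SLIB lie outside this hunk.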

Deleted: trunk/iptables/extensions/libip6t_ROUTE.c
===================================================================
--- trunk/iptables/extensions/libip6t_ROUTE.c	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libip6t_ROUTE.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,240 +0,0 @@
-/* Shared library add-on to iptables to add ROUTE v6 target support.
- * Author : Cedric de Launois, <delaunois at info.ucl.ac.be>
- * v 1.1 2004/11/23
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_ROUTE.h>
-
-/* compile IP6T_ROUTE_TEE support even if kernel headers are unpatched */
-#ifndef IP6T_ROUTE_TEE
-#define IP6T_ROUTE_TEE		0x02
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
-	printf(
-"ROUTE target v%s options:\n"
-"    --oif   \tifname \t\tRoute the packet through `ifname' network interface\n"
-"    --gw    \tip     \t\tRoute the packet via this gateway\n"
-"    --continue\t     \t\tRoute packet and continue traversing the\n"
-"            \t       \t\trules. Not valid with --iif or --tee.\n"
-"    --tee\t  \t\tDuplicate packet, route the duplicate,\n"
-"            \t       \t\tcontinue traversing with original packet.\n"
-"            \t       \t\tNot valid with --iif or --continue.\n"
-"\n",
-"1.1");
-}
-
-static struct option opts[] = {
-	{ "oif", 1, 0, '1' },
-	{ "iif", 1, 0, '2' },
-	{ "gw", 1, 0, '3' },
-	{ "continue", 0, 0, '4' },
-	{ "tee", 0, 0, '5' },
-	{ 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-	struct ip6t_route_target_info *route_info = 
-		(struct ip6t_route_target_info*)t->data;
-
-	route_info->oif[0] = '\0';
-	route_info->iif[0] = '\0';
-	route_info->gw[0] = 0;
-	route_info->gw[1] = 0;
-	route_info->gw[2] = 0;
-	route_info->gw[3] = 0;
-	route_info->flags = 0;
-}
-
-
-#define IP6T_ROUTE_OPT_OIF      0x01
-#define IP6T_ROUTE_OPT_IIF      0x02
-#define IP6T_ROUTE_OPT_GW       0x04
-#define IP6T_ROUTE_OPT_CONTINUE 0x08
-#define IP6T_ROUTE_OPT_TEE      0x10
-
-/* Function which parses command options; returns true if it
-   ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
-      const struct ip6t_entry *entry,
-      struct ip6t_entry_target **target)
-{
-	struct ip6t_route_target_info *route_info = 
-		(struct ip6t_route_target_info*)(*target)->data;
-
-	switch (c) {
-	case '1':
-		if (*flags & IP6T_ROUTE_OPT_OIF)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --oif twice");
-
-		if (check_inverse(optarg, &invert, NULL, 0))
-			exit_error(PARAMETER_PROBLEM,
-				   "Unexpected `!' after --oif");
-
-		if (strlen(optarg) > sizeof(route_info->oif) - 1)
-			exit_error(PARAMETER_PROBLEM,
-				   "Maximum interface name length %u",
-				   sizeof(route_info->oif) - 1);
-
-		strcpy(route_info->oif, optarg);
-		*flags |= IP6T_ROUTE_OPT_OIF;
-		break;
-
-	case '2':
-		exit_error(PARAMETER_PROBLEM,
-			   "--iif option not implemented");
-		break;
-
-	case '3':
-		if (*flags & IP6T_ROUTE_OPT_GW)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --gw twice");
-
-		if (check_inverse(optarg, &invert, NULL, 0))
-			exit_error(PARAMETER_PROBLEM,
-				   "Unexpected `!' after --gw");
-
-		if (!inet_pton(AF_INET6, optarg, (struct in6_addr*)&route_info->gw)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "Invalid IPv6 address %s",
-				   optarg);
-		}
-
-		*flags |= IP6T_ROUTE_OPT_GW;
-		break;
-
-	case '4':
-		if (*flags & IP6T_ROUTE_OPT_CONTINUE)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --continue twice");
-		if (*flags & IP6T_ROUTE_OPT_TEE)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --continue AND --tee");
-
-		route_info->flags |= IP6T_ROUTE_CONTINUE;
-		*flags |= IP6T_ROUTE_OPT_CONTINUE;
-
-		break;
-
-	case '5':
-		if (*flags & IP6T_ROUTE_OPT_TEE)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --tee twice");
-		if (*flags & IP6T_ROUTE_OPT_CONTINUE)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --tee AND --continue");
-
-		route_info->flags |= IP6T_ROUTE_TEE;
-		*flags |= IP6T_ROUTE_OPT_TEE;
-
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-
-static void
-final_check(unsigned int flags)
-{
-	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
-		           "ROUTE target: oif or gw option required");
-}
-
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
-      const struct ip6t_entry_target *target,
-      int numeric)
-{
-	const struct ip6t_route_target_info *route_info
-		= (const struct ip6t_route_target_info *)target->data;
-
-	printf("ROUTE ");
-
-	if (route_info->oif[0])
-		printf("oif:%s ", route_info->oif);
-
-	if (route_info->gw[0] 
-	    || route_info->gw[1] 
-	    || route_info->gw[2] 
-	    || route_info->gw[3]) {
-		char address[INET6_ADDRSTRLEN];
-		printf("gw:%s ", inet_ntop(AF_INET6, route_info->gw, address, INET6_ADDRSTRLEN));
-	}
-
-	if (route_info->flags & IP6T_ROUTE_CONTINUE)
-		printf("continue");
-
-	if (route_info->flags & IP6T_ROUTE_TEE)
-		printf("tee");
-
-}
-
-
-static void save(const struct ip6t_ip6 *ip, 
-		 const struct ip6t_entry_target *target)
-{
-	const struct ip6t_route_target_info *route_info
-		= (const struct ip6t_route_target_info *)target->data;
-
-	if (route_info->oif[0])
-		printf("--oif %s ", route_info->oif);
-
-	if (route_info->gw[0] 
-	    || route_info->gw[1] 
-	    || route_info->gw[2] 
-	    || route_info->gw[3]) {
-		char address[INET6_ADDRSTRLEN];
-		printf("--gw %s ", inet_ntop(AF_INET6, route_info->gw, address, INET6_ADDRSTRLEN));
-	}
-
-	if (route_info->flags & IP6T_ROUTE_CONTINUE)
-		printf("--continue ");
-
-	if (route_info->flags & IP6T_ROUTE_TEE)
-		printf("--tee ");
-}
-
-
-static struct ip6tables_target route = { 
-	.name 		= "ROUTE",
-	.version	= IPTABLES_VERSION,
-	.size		= IP6T_ALIGN(sizeof(struct ip6t_route_target_info)),
-	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_route_target_info)),
-	.help		= &help,
-	.init		= &init,
-	.parse		= &parse,
-	.final_check	= &final_check,
-	.print		= &print,
-	.save		= &save,
-	.extra_opts	= opts,
-};
-
-void _init(void)
-{
-	register_target6(&route);
-}

Deleted: trunk/iptables/extensions/libip6t_ROUTE.man
===================================================================
--- trunk/iptables/extensions/libip6t_ROUTE.man	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libip6t_ROUTE.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,15 +0,0 @@
-This is used to explicitly override the core network stack's routing decision.
-.B mangle
-table.
-.TP
-.BI "--oif " "ifname"
-Route the packet through `ifname' network interface
-.TP
-.BI "--gw " "IPv6_address"
-Route the packet via this gateway
-.TP
-.BI "--continue "
-Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--tee'
-.TP
-.BI "--tee "
-Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules.  Not valid in combination with `--continue'

Deleted: trunk/iptables/extensions/libipt_IPV4OPTSSTRIP.c
===================================================================
--- trunk/iptables/extensions/libipt_IPV4OPTSSTRIP.c	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libipt_IPV4OPTSSTRIP.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,74 +0,0 @@
-/* Shared library add-on to iptables for IPV4OPTSSTRIP
- * This modules strip all the IP options.
- *
- * (C) 2001 by Fabrice MARIE <fabrice at netfilter.org>
- * This program is distributed under the terms of GNU GPL v2, 1991
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-static void help(void) 
-{
-	printf("IPV4OPTSSTRIP v%s target takes no option !! Make sure you use it in the mangle table.\n",
-	       IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
-	{ 0 }
-};
-
-/* Function which parses command options; returns true if it
-   ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
-      const struct ipt_entry *entry,
-      struct ipt_entry_target **target)
-{
-	return 0;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
-      const struct ipt_entry_target *target,
-      int numeric)
-{
-	/* nothing to print, we don't take option... */
-}
-
-/* Saves the stuff in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
-	/* nothing to print, we don't take option... */
-}
-
-static struct iptables_target IPV4OPTSSTRIP = { 
-	.next		= NULL,
-	.name		= "IPV4OPTSSTRIP",
-	.version	= IPTABLES_VERSION,
-	.size		= IPT_ALIGN(0),
-	.userspacesize	= IPT_ALIGN(0),
-	.help		= &help,
-	.parse		= &parse,
-	.final_check	= &final_check,
-	.print		= &print,
-	.save		= &save,
-	.extra_opts	= opts
-};
-
-void _init(void)
-{
-	register_target(&IPV4OPTSSTRIP);
-}

Deleted: trunk/iptables/extensions/libipt_IPV4OPTSSTRIP.man
===================================================================
--- trunk/iptables/extensions/libipt_IPV4OPTSSTRIP.man	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libipt_IPV4OPTSSTRIP.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,5 +0,0 @@
-Strip all the IP options from a packet.
-
-The target doesn't take any option, and therefore is extremly easy to use :
-
-# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP

Deleted: trunk/iptables/extensions/libipt_ROUTE.c
===================================================================
--- trunk/iptables/extensions/libipt_ROUTE.c	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libipt_ROUTE.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,264 +0,0 @@
-/* Shared library add-on to iptables to add ROUTE target support.
- * Author : Cedric de Launois, <delaunois at info.ucl.ac.be>
- * v 1.11 2004/11/23
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <net/if.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ROUTE.h>
-
-/* compile IPT_ROUTE_TEE support even if kernel headers are unpatched */
-#ifndef IPT_ROUTE_TEE
-#define IPT_ROUTE_TEE		0x02
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
-	printf(
-"ROUTE target v%s options:\n"
-"    --oif   \tifname \t\tRoute packet through `ifname' network interface\n"
-"    --iif   \tifname \t\tChange packet's incoming interface to `ifname'\n"
-"    --gw    \tip     \t\tRoute packet via this gateway `ip'\n"
-"    --continue\t     \t\tRoute packet and continue traversing the\n"
-"            \t       \t\trules. Not valid with --iif or --tee.\n"
-"    --tee\t  \t\tDuplicate packet, route the duplicate,\n"
-"            \t       \t\tcontinue traversing with original packet.\n"
-"            \t       \t\tNot valid with --iif or --continue.\n"
-"\n",
-"1.11");
-}
-
-static struct option opts[] = {
-	{ "oif", 1, 0, '1' },
-	{ "iif", 1, 0, '2' },
-	{ "gw", 1, 0, '3' },
-	{ "continue", 0, 0, '4' },
-	{ "tee", 0, 0, '5' },
-	{ 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-	struct ipt_route_target_info *route_info = 
-		(struct ipt_route_target_info*)t->data;
-
-	route_info->oif[0] = '\0';
-	route_info->iif[0] = '\0';
-	route_info->gw = 0;
-	route_info->flags = 0;
-}
-
-
-#define IPT_ROUTE_OPT_OIF      0x01
-#define IPT_ROUTE_OPT_IIF      0x02
-#define IPT_ROUTE_OPT_GW       0x04
-#define IPT_ROUTE_OPT_CONTINUE 0x08
-#define IPT_ROUTE_OPT_TEE      0x10
-
-/* Function which parses command options; returns true if it
-   ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
-      const struct ipt_entry *entry,
-      struct ipt_entry_target **target)
-{
-	struct ipt_route_target_info *route_info = 
-		(struct ipt_route_target_info*)(*target)->data;
-
-	switch (c) {
-	case '1':
-		if (*flags & IPT_ROUTE_OPT_OIF)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --oif twice");
-
-		if (*flags & IPT_ROUTE_OPT_IIF)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't use --oif and --iif together");
-
-		if (check_inverse(optarg, &invert, NULL, 0))
-			exit_error(PARAMETER_PROBLEM,
-				   "Unexpected `!' after --oif");
-
-		if (strlen(optarg) > sizeof(route_info->oif) - 1)
-			exit_error(PARAMETER_PROBLEM,
-				   "Maximum interface name length %u",
-				   sizeof(route_info->oif) - 1);
-
-		strcpy(route_info->oif, optarg);
-		*flags |= IPT_ROUTE_OPT_OIF;
-		break;
-
-	case '2':
-		if (*flags & IPT_ROUTE_OPT_IIF)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --iif twice");
-
-		if (*flags & IPT_ROUTE_OPT_OIF)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't use --iif and --oif together");
-
-		if (check_inverse(optarg, &invert, NULL, 0))
-			exit_error(PARAMETER_PROBLEM,
-				   "Unexpected `!' after --iif");
-
-		if (strlen(optarg) > sizeof(route_info->iif) - 1)
-			exit_error(PARAMETER_PROBLEM,
-				   "Maximum interface name length %u",
-				   sizeof(route_info->iif) - 1);
-
-		strcpy(route_info->iif, optarg);
-		*flags |= IPT_ROUTE_OPT_IIF;
-		break;
-
-	case '3':
-		if (*flags & IPT_ROUTE_OPT_GW)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --gw twice");
-
-		if (check_inverse(optarg, &invert, NULL, 0))
-			exit_error(PARAMETER_PROBLEM,
-				   "Unexpected `!' after --gw");
-
-		if (!inet_aton(optarg, (struct in_addr*)&route_info->gw)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "Invalid IP address %s",
-				   optarg);
-		}
-
-		*flags |= IPT_ROUTE_OPT_GW;
-		break;
-
-	case '4':
-		if (*flags & IPT_ROUTE_OPT_CONTINUE)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --continue twice");
-		if (*flags & IPT_ROUTE_OPT_TEE)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --continue AND --tee");
-
-		route_info->flags |= IPT_ROUTE_CONTINUE;
-		*flags |= IPT_ROUTE_OPT_CONTINUE;
-
-		break;
-
-	case '5':
-		if (*flags & IPT_ROUTE_OPT_TEE)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --tee twice");
-		if (*flags & IPT_ROUTE_OPT_CONTINUE)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --tee AND --continue");
-
-		route_info->flags |= IPT_ROUTE_TEE;
-		*flags |= IPT_ROUTE_OPT_TEE;
-
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-
-static void
-final_check(unsigned int flags)
-{
-	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
-		           "ROUTE target: oif, iif or gw option required");
-
-	if ((flags & (IPT_ROUTE_OPT_CONTINUE|IPT_ROUTE_OPT_TEE)) && (flags & IPT_ROUTE_OPT_IIF))
-		exit_error(PARAMETER_PROBLEM,
-			   "ROUTE target: can't continue traversing the rules with iif option");
-}
-
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
-      const struct ipt_entry_target *target,
-      int numeric)
-{
-	const struct ipt_route_target_info *route_info
-		= (const struct ipt_route_target_info *)target->data;
-
-	printf("ROUTE ");
-
-	if (route_info->oif[0])
-		printf("oif:%s ", route_info->oif);
-
-	if (route_info->iif[0])
-		printf("iif:%s ", route_info->iif);
-
-	if (route_info->gw) {
-		struct in_addr ip = { route_info->gw };
-		printf("gw:%s ", inet_ntoa(ip));
-	}
-
-	if (route_info->flags & IPT_ROUTE_CONTINUE)
-		printf("continue");
-
-	if (route_info->flags & IPT_ROUTE_TEE)
-		printf("tee");
-
-}
-
-
-static void save(const struct ipt_ip *ip, 
-		 const struct ipt_entry_target *target)
-{
-	const struct ipt_route_target_info *route_info
-		= (const struct ipt_route_target_info *)target->data;
-
-	if (route_info->oif[0])
-		printf("--oif %s ", route_info->oif);
-
-	if (route_info->iif[0])
-		printf("--iif %s ", route_info->iif);
-
-	if (route_info->gw) {
-		struct in_addr ip = { route_info->gw };
-		printf("--gw %s ", inet_ntoa(ip));
-	}
-
-	if (route_info->flags & IPT_ROUTE_CONTINUE)
-		printf("--continue ");
-
-	if (route_info->flags & IPT_ROUTE_TEE)
-		printf("--tee ");
-}
-
-
-static struct iptables_target route = { 
-	.next		= NULL,
-	.name		= "ROUTE",
-	.version	= IPTABLES_VERSION,
-	.size		= IPT_ALIGN(sizeof(struct ipt_route_target_info)),
-	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_route_target_info)),
-	.help		= &help,
-	.init		= &init,
-	.parse		= &parse,
-	.final_check	= &final_check,
-	.print		= &print,
-	.save		= &save,
-	.extra_opts	= opts
-};
-
-void _init(void)
-{
-	register_target(&route);
-}

Deleted: trunk/iptables/extensions/libipt_ROUTE.man
===================================================================
--- trunk/iptables/extensions/libipt_ROUTE.man	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libipt_ROUTE.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,18 +0,0 @@
-This is used to explicitly override the core network stack's routing decision.
-.B mangle
-table.
-.TP
-.BI "--oif " "ifname"
-Route the packet through `ifname' network interface
-.TP
-.BI "--iif " "ifname"
-Change the packet's incoming interface to `ifname'
-.TP
-.BI "--gw " "IP_address"
-Route the packet via this gateway
-.TP
-.BI "--continue "
-Behave like a non-terminating target and continue traversing the rules.  Not valid in combination with `--iif' or `--tee'
-.TP
-.BI "--tee "
-Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules.  Not valid in combination with `--iif' or `--continue'

Deleted: trunk/iptables/extensions/libipt_TARPIT.c
===================================================================
--- trunk/iptables/extensions/libipt_TARPIT.c	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libipt_TARPIT.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,58 +0,0 @@
-/* Shared library add-on to iptables for TARPIT support */
-#include <stdio.h>
-#include <getopt.h>
-#include <iptables.h>
-
-static void
-help(void)
-{
-	fputs(
-"TARPIT takes no options\n"
-"\n", stdout);
-}
-
-static struct option opts[] = {
-	{ 0 }
-};
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
-      const struct ipt_entry *entry,
-      struct ipt_entry_target **target)
-{
-	return 0;
-}
-
-static void final_check(unsigned int flags)
-{
-}
-
-static void
-print(const struct ipt_ip *ip,
-      const struct ipt_entry_target *target,
-      int numeric)
-{
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
-}
-
-static struct iptables_target tarpit = {
-	.next		= NULL,
-	.name		= "TARPIT",
-	.version	= IPTABLES_VERSION,
-	.size		= IPT_ALIGN(0),
-	.userspacesize	= IPT_ALIGN(0),
-	.help		= &help,
-	.parse		= &parse,
-	.final_check	= &final_check,
-	.print		= &print,
-	.save		= &save,
-	.extra_opts	= opts
-};
-
-void _init(void)
-{
-	register_target(&tarpit);
-}

Deleted: trunk/iptables/extensions/libipt_TARPIT.man
===================================================================
--- trunk/iptables/extensions/libipt_TARPIT.man	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libipt_TARPIT.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,34 +0,0 @@
-Captures and holds incoming TCP connections using no local
-per-connection resources. Connections are accepted, but immediately
-switched to the persist state (0 byte window), in which the remote
-side stops sending data and asks to continue every 60-240 seconds.
-Attempts to close the connection are ignored, forcing the remote side
-to time out the connection in 12-24 minutes.
-
-This offers similar functionality to LaBrea
-<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
-hardware or IPs. Any TCP port that you would normally DROP or REJECT
-can instead become a tarpit.
-
-To tarpit connections to TCP port 80 destined for the current machine:
-.IP
-iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
-.P
-To significantly slow down Code Red/Nimda-style scans of unused address
-space, forward unused ip addresses to a Linux box not acting as a router
-(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
-forwarding on the Linux box, and add:
-.IP
-iptables -A FORWARD -p tcp -j TARPIT
-.IP
-iptables -A FORWARD -j DROP
-.TP
-NOTE:
-If you use the conntrack module while you are using TARPIT, you should
-also use the NOTRACK target, or the kernel will unnecessarily allocate
-resources for each TARPITted connection. To TARPIT incoming
-connections to the standard IRC port while using conntrack, you could:
-.IP
-iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
-.IP
-iptables -A INPUT -p tcp --dport 6667 -j TARPIT

Deleted: trunk/iptables/extensions/libipt_ipv4options.c
===================================================================
--- trunk/iptables/extensions/libipt_ipv4options.c	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libipt_ipv4options.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,311 +0,0 @@
-/* Shared library add-on to iptables to add ipv4 options matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_ipv4options.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
-	printf(
-"ipv4options v%s options:\n"
-"      --ssrr    (match strict source routing flag)\n"
-"      --lsrr    (match loose  source routing flag)\n"
-"      --no-srr  (match packets with no source routing)\n\n"
-"  [!] --rr      (match record route flag)\n\n"
-"  [!] --ts      (match timestamp flag)\n\n"
-"  [!] --ra      (match router-alert option)\n\n"
-"  [!] --any-opt (match any option or no option at all if used with '!')\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
-	{ "ssrr", 0, 0, '1' },
-	{ "lsrr", 0, 0, '2' },
-	{ "no-srr", 0, 0, '3'},
-	{ "rr", 0, 0, '4'},
-	{ "ts", 0, 0, '5'},
-	{ "ra", 0, 0, '6'},
-	{ "any-opt", 0, 0, '7'},
-	{0}
-};
-
-/* Function which parses command options; returns true if it
-   ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
-      const struct ipt_entry *entry,
-      unsigned int *nfcache,
-      struct ipt_entry_match **match)
-{
-	struct ipt_ipv4options_info *info = (struct ipt_ipv4options_info *)(*match)->data;
-
-	switch (c)
-	{
-		/* strict-source-routing */
-	case '1':
-		if (invert) 
-			exit_error(PARAMETER_PROBLEM,
-				   "ipv4options: unexpected `!' with --ssrr");
-		if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
-                        exit_error(PARAMETER_PROBLEM,
-                                   "Can't specify --ssrr twice");
-		if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --ssrr with --lsrr");
-		if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --ssrr with --no-srr");
-
-		info->options |= IPT_IPV4OPTION_MATCH_SSRR;
-		*flags |= IPT_IPV4OPTION_MATCH_SSRR;
-		break;
-
-		/* loose-source-routing */
-	case '2':
-		if (invert) 
-			exit_error(PARAMETER_PROBLEM,
-				   "ipv4options: unexpected `!' with --lsrr");
-		if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
-                        exit_error(PARAMETER_PROBLEM,
-                                   "Can't specify --lsrr twice");
-		if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --lsrr with --ssrr");
-		if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --lsrr with --no-srr");
-		info->options |= IPT_IPV4OPTION_MATCH_LSRR;
-		*flags |= IPT_IPV4OPTION_MATCH_LSRR;
-		break;
-
-		/* no-source-routing */
-	case '3':
-		if (invert) 
-			exit_error(PARAMETER_PROBLEM,
-					   "ipv4options: unexpected `!' with --no-srr");
-		if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
-                        exit_error(PARAMETER_PROBLEM,
-                                   "Can't specify --no-srr twice");
-		if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --no-srr with --ssrr");
-		if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --no-srr with --lsrr");
-		info->options |= IPT_IPV4OPTION_DONT_MATCH_SRR;
-		*flags |= IPT_IPV4OPTION_DONT_MATCH_SRR;
-		break;
-
-		/* record-route */
-	case '4':
-		if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_RR))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --rr twice");	
-		if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify ! --rr twice");
-		if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --rr with ! --rr");
-		if (invert && (*flags & IPT_IPV4OPTION_MATCH_RR))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify ! --rr with --rr");
-		if (invert) {
-			info->options |= IPT_IPV4OPTION_DONT_MATCH_RR;
-			*flags |= IPT_IPV4OPTION_DONT_MATCH_RR;
-		}
-		else {
-			info->options |= IPT_IPV4OPTION_MATCH_RR;
-			*flags |= IPT_IPV4OPTION_MATCH_RR;
-		}
-		break;
-
-		/* timestamp */
-	case '5':
-		if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --ts twice");	
-		if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify ! --ts twice");
-		if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --ts with ! --ts");
-		if (invert && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify ! --ts with --ts");
-		if (invert) {
-			info->options |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
-			*flags |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
-		}
-		else {
-			info->options |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
-			*flags |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
-		}
-		break;
-
-		/* router-alert  */
-	case '6':
-		if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --ra twice");	
-		if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify ! --rr twice");
-		if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --ra with ! --ra");
-		if (invert && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify ! --ra with --ra");
-		if (invert) {
-			info->options |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
-			*flags |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
-		}
-		else {
-			info->options |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
-			*flags |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
-		}
-		break;
-
-		/* any option */
-	case '7' :
-		if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --any-opt twice");
-		if (invert && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify ! --any-opt with --any-opt");
-		if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify ! --any-opt twice");
-		if ((!invert) &&
-		    ((*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)       ||
-		     (*flags & IPT_IPV4OPTION_DONT_MATCH_RR)        ||
-		     (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
-		     (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --any-opt with any other negative ipv4options match");
-		if (invert &&
-		    ((*flags & IPT_IPV4OPTION_MATCH_LSRR)      ||
-		     (*flags & IPT_IPV4OPTION_MATCH_SSRR)      ||
-		     (*flags & IPT_IPV4OPTION_MATCH_RR)        ||
-		     (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
-		     (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify ! --any-opt with any other positive ipv4options match");
-		if (invert) {
-			info->options |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
-			*flags |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;	
-		}
-		else {
-			info->options |= IPT_IPV4OPTION_MATCH_ANY_OPT;
-			*flags |= IPT_IPV4OPTION_MATCH_ANY_OPT;
-		}
-		break;
-
-	default:
-		return 0;
-	}
-	return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
-	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM,
-			   "ipv4options match: you must specify some parameters. See iptables -m ipv4options --help for help.'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
-      const struct ipt_entry_match *match,
-      int numeric)
-{
-	struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
-
-	printf(" IPV4OPTS");
-	if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
-		printf(" SSRR");
-	else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
-		printf(" LSRR");
-	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
-		printf(" !SRR");
-	if (info->options & IPT_IPV4OPTION_MATCH_RR)
-		printf(" RR");
-	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
-		printf(" !RR");
-	if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
-		printf(" TS");
-	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
-		printf(" !TS");
-	if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
-		printf(" RA");
-	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
-		printf(" !RA");
-	if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
-		printf(" ANYOPT ");
-	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
-		printf(" NOOPT");
-
-	printf(" ");
-}
-
-/* Saves the data in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
-	struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
-
-	if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
-		printf(" --ssrr");
-	else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
-		printf(" --lsrr");
-	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
-		printf(" --no-srr");
-	if (info->options & IPT_IPV4OPTION_MATCH_RR)
-		printf(" --rr");
-	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
-		printf(" ! --rr");
-	if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
-		printf(" --ts");
-	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
-		printf(" ! --ts");
-	if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
-		printf(" --ra");
-	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
-		printf(" ! --ra");
-	if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
-		printf(" --any-opt");
-	if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
-		printf(" ! --any-opt");
-
-	printf(" ");
-}
-
-static struct iptables_match ipv4options_struct = { 
-	.next		= NULL,
-	.name		= "ipv4options",
-	.version	= IPTABLES_VERSION,
-	.size		= IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
-	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
-	.help		= &help,
-	.parse		= &parse,
-	.final_check	= &final_check,
-	.print		= &print,
-	.save		= &save,
-	.extra_opts	= opts
-};
-
-void _init(void)
-{
-	register_match(&ipv4options_struct);
-}

Deleted: trunk/iptables/extensions/libipt_ipv4options.man
===================================================================
--- trunk/iptables/extensions/libipt_ipv4options.man	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libipt_ipv4options.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,32 +0,0 @@
-Match on IPv4 header options like source routing, record route,
-timestamp and router-alert.
-.TP
-.B "--ssrr"
-To match packets with the flag strict source routing.
-.TP
-.B "--lsrr"
-To match packets with the flag loose source routing.
-.TP
-.B "--no-srr"
-To match packets with no flag for source routing.
-.TP
-.B "\fR[\fB!\fR]\fB --rr"
-To match packets with the RR flag.
-.TP
-.B "\fR[\fB!\fR]\fB --ts"
-To match packets with the TS flag.
-.TP
-.B "\fR[\fB!\fR]\fB --ra"
-To match packets with the router-alert option.
-.TP
-.B "\fR[\fB!\fR]\fB --any-opt"
-To match a packet with at least one IP option, or no IP option
-at all if ! is chosen.
-.TP
-Examples:
-.TP
-$ iptables -A input -m ipv4options --rr -j DROP
-will drop packets with the record-route flag.
-.TP
-$ iptables -A input -m ipv4options --ts -j DROP
-will drop packets with the timestamp flag.

Deleted: trunk/iptables/extensions/libipt_u32.c
===================================================================
--- trunk/iptables/extensions/libipt_u32.c	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libipt_u32.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,264 +0,0 @@
-/* Shared library add-on to iptables to add u32 matching,
- * generalized matching on values found at packet offsets
- *
- * Detailed doc is in the kernel module source
- * net/ipv4/netfilter/ipt_u32.c
- *
- * (C) 2002 by Don Cohen <don-netf at isis.cs3-inc.com>
- * Released under the terms of GNU GPL v2
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_u32.h>
-#include <errno.h>
-#include <ctype.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
-	printf( "u32 v%s options:\n"
-		" --u32 tests\n"
-		" tests := location = value | tests && location = value\n"
-		" value := range | value , range\n"
-		" range := number | number : number\n"
-		" location := number | location operator number\n"
-		" operator := & | << | >> | @\n"
-		,IPTABLES_VERSION);
-}
-
-/* defined in /usr/include/getopt.h maybe in man getopt */
-static struct option opts[] = {
-	{ "u32", 1, 0, '1' },
-	{ 0 }
-};
-
-/* shared printing code */
-static void print_u32(struct ipt_u32 *data)
-{
-	unsigned int testind;
-
-	for (testind=0; testind < data->ntests; testind++) {
-		if (testind) printf("&&");
-		{
-			unsigned int i;
-
-			printf("0x%x", data->tests[testind].location[0].number);
-			for (i = 1; i < data->tests[testind].nnums; i++) {
-				switch (data->tests[testind].location[i].nextop) {
-				case IPT_U32_AND: printf("&"); break;
-				case IPT_U32_LEFTSH: printf("<<"); break;
-				case IPT_U32_RIGHTSH: printf(">>"); break;
-				case IPT_U32_AT: printf("@"); break;
-				}
-				printf("0x%x", data->tests[testind].location[i].number);
-			}
-			printf("=");
-			for (i = 0; i < data->tests[testind].nvalues; i++) {
-				if (i) printf(",");
-				if (data->tests[testind].value[i].min
-				    == data->tests[testind].value[i].max)
-					printf("0x%x", data->tests[testind].value[i].min);
-				else printf("0x%x:0x%x", data->tests[testind].value[i].min,
-					    data->tests[testind].value[i].max);
-			}
-		}
-	}
-	printf(" ");
-}
-
-/* string_to_number is not quite what we need here ... */
-u_int32_t parse_number(char **s, int pos)
-{
-	u_int32_t number;
-	char *end;
-	errno = 0;
-
-	number = strtoul(*s, &end, 0);
-	if (end == *s)
-		exit_error(PARAMETER_PROBLEM, 
-			   "u32: at char %d expected number", pos);
-	if (errno)
-		exit_error(PARAMETER_PROBLEM, 
-			   "u32: at char %d error reading number", pos);
-	*s = end;
-	return number;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
-      const struct ipt_entry *entry,
-      unsigned int *nfcache,
-      struct ipt_entry_match **match)
-{
-	struct ipt_u32 *data = (struct ipt_u32 *)(*match)->data;
-	char *arg = argv[optind-1]; /* the argument string */
-	char *start = arg;
-	int state=0, testind=0, locind=0, valind=0;
-
-	if (c != '1') return 0;
-	/* states: 0 = looking for numbers and operations, 1 = looking for ranges */
-	while (1) { /* read next operand/number or range */
-		while (isspace(*arg)) 
-			arg++;  /* skip white space */
-		if (! *arg) { /* end of argument found */
-			if (state == 0)
-				exit_error(PARAMETER_PROBLEM, 
-					   "u32: input ended in location spec");
-			if (valind == 0)
-				exit_error(PARAMETER_PROBLEM, 
-					   "u32: test ended with no value spec");
-			data->tests[testind].nnums = locind;
-			data->tests[testind].nvalues = valind;
-			testind++;
-			data->ntests=testind;
-			if (testind > U32MAXSIZE)
-				exit_error(PARAMETER_PROBLEM, 
-					   "u32: at char %d too many &&'s",
-					   arg-start);
-			/* debugging 
-			   print_u32(data);printf("\n");
-			   exit_error(PARAMETER_PROBLEM, "debugging output done"); */
-			return 1;
-		}
-		if (state == 0) {
-			/* reading location: read a number if nothing read yet,
-			   otherwise either op number or = to end location spec */	 
-			if (*arg == '=') {
-				if (locind == 0)
-					exit_error(PARAMETER_PROBLEM,
-						   "u32: at char %d location spec missing", arg-start);
-				else {
-					arg++; 
-					state=1;
-				}
-			}
-			else {
-				if (locind) { /* need op before number */
-					if (*arg == '&') {
-						data->tests[testind].location[locind].nextop = IPT_U32_AND;
-					}
-					else if (*arg == '<') {
-						arg++;
-						if (*arg != '<')
-							exit_error(PARAMETER_PROBLEM,
-								   "u32: at char %d a second < expected", arg-start);
-						data->tests[testind].location[locind].nextop = IPT_U32_LEFTSH;
-					}
-					else if (*arg == '>') {
-						arg++;
-						if (*arg != '>')
-							exit_error(PARAMETER_PROBLEM,
-								   "u32: at char %d a second > expected", arg-start);
-						data->tests[testind].location[locind].nextop = IPT_U32_RIGHTSH;
-					}
-					else if (*arg == '@') {
-						data->tests[testind].location[locind].nextop = IPT_U32_AT;
-					}
-					else exit_error(PARAMETER_PROBLEM,
-							"u32: at char %d operator expected", arg-start);
-					arg++;
-				}
-				/* now a number; string_to_number skips white space? */
-				data->tests[testind].location[locind].number =
-					parse_number(&arg, arg-start);
-				locind++;
-				if (locind > U32MAXSIZE)
-					exit_error(PARAMETER_PROBLEM,
-						   "u32: at char %d too many operators", arg-start);
-			}
-		}
-		else {
-			/* state 1 - reading values: read a range if nothing read yet,
-			   otherwise either ,range or && to end test spec */
-			if (*arg == '&') {
-				arg++;
-				if (*arg != '&')
-					exit_error(PARAMETER_PROBLEM,
-						   "u32: at char %d a second & expected", arg-start);
-				if (valind == 0)
-					exit_error(PARAMETER_PROBLEM,
-						   "u32: at char %d value spec missing", arg-start);
-				else {
-					data->tests[testind].nnums = locind;
-					data->tests[testind].nvalues = valind;
-					testind++;
-					if (testind > U32MAXSIZE)
-						exit_error(PARAMETER_PROBLEM,
-							   "u32: at char %d too many &&'s", arg-start);
-					arg++; state=0; locind=0; valind=0;
-				}
-			}
-			else { /* read value range */
-				if (valind) { /* need , before number */
-					if (*arg != ',')
-						exit_error(PARAMETER_PROBLEM,
-							   "u32: at char %d expected , or &&", arg-start);
-					arg++;
-				}
-				data->tests[testind].value[valind].min = parse_number(&arg, arg-start);
-				while (isspace(*arg)) 
-					arg++;  /* another place white space could be */
-				if (*arg==':') {
-					arg++;
-					data->tests[testind].value[valind].max
-						= parse_number(&arg, arg-start);
-				}
-				else data->tests[testind].value[valind].max
-					     = data->tests[testind].value[valind].min;
-				valind++;
-				if (valind > U32MAXSIZE)
-					exit_error(PARAMETER_PROBLEM,
-						   "u32: at char %d too many ,'s", arg-start);
-			}
-		}
-	}
-}
-
-/* Final check; must specify something. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
-      const struct ipt_entry_match *match,
-      int numeric)
-{
-	printf("u32 ");
-	print_u32((struct ipt_u32 *)match->data);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
-	printf("--u32 ");
-	print_u32((struct ipt_u32 *)match->data);
-}
-
-struct iptables_match u32 = {
-	.next		= NULL,
-	.name		= "u32",
-	.version	= IPTABLES_VERSION,
-	.size		= IPT_ALIGN(sizeof(struct ipt_u32)),
-	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_u32)),
-	.help		= &help,
-	.parse		= &parse,
-	.final_check	= &final_check,
-	.print		= &print,
-	.save		= &save,
-	.extra_opts	= opts
-};
-
-void
-_init(void)
-{
-	register_match(&u32);
-}

Deleted: trunk/iptables/extensions/libipt_u32.man
===================================================================
--- trunk/iptables/extensions/libipt_u32.man	2006-12-12 07:03:32 UTC (rev 6712)
+++ trunk/iptables/extensions/libipt_u32.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -1,8 +0,0 @@
-U32 allows you to extract quantities of up to 4 bytes from a packet,
-AND them with specified masks, shift them by specified amounts and
-test whether the results are in any of a set of specified ranges.
-The specification of what to extract is general enough to skip over
-headers with lengths stored in the packet, as in IP or TCP header
-lengths.
-
-Details and examples are in the kernel module source.

Copied: trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/.IPV4OPTSSTRIP-test (from rev 6712, trunk/iptables/extensions/.IPV4OPTSSTRIP-test)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/.IPV4OPTSSTRIP-test	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/.IPV4OPTSSTRIP-test	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,3 @@
+#!/bin/sh
+# True if IPV4OPTSSTRIP patch is applied.
+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c ] && echo IPV4OPTSSTRIP
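Review bot: `$KERNEL_DIR` is expanded unquoted inside the `[ -f ... ]` test, so an unset variable silently probes `/net/ipv4/netfilter/...` and a value containing whitespace makes `[` fail with "too many arguments" rather than returning false; quote the path: `[ -f "$KERNEL_DIR/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c" ] && echo IPV4OPTSSTRIP`. The .ROUTE-test and .ROUTE-test6 scripts later in this commit have the same unquoted expansion.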

Copied: trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/libipt_IPV4OPTSSTRIP.c (from rev 6712, trunk/iptables/extensions/libipt_IPV4OPTSSTRIP.c)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/libipt_IPV4OPTSSTRIP.c	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/libipt_IPV4OPTSSTRIP.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,74 @@
+/* Shared library add-on to iptables for IPV4OPTSSTRIP
+ * This modules strip all the IP options.
+ *
+ * (C) 2001 by Fabrice MARIE <fabrice at netfilter.org>
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+static void help(void) 
+{
+	printf("IPV4OPTSSTRIP v%s target takes no option !! Make sure you use it in the mangle table.\n",
+	       IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{ 0 }
+};
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ipt_entry *entry,
+      struct ipt_entry_target **target)
+{
+	return 0;
+}
+
+static void
+final_check(unsigned int flags)
+{
+}
+
+/* Prints out the targinfo. */
+static void
+print(const struct ipt_ip *ip,
+      const struct ipt_entry_target *target,
+      int numeric)
+{
+	/* nothing to print, we don't take option... */
+}
+
+/* Saves the stuff in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+	/* nothing to print, we don't take option... */
+}
+
+static struct iptables_target IPV4OPTSSTRIP = { 
+	.next		= NULL,
+	.name		= "IPV4OPTSSTRIP",
+	.version	= IPTABLES_VERSION,
+	.size		= IPT_ALIGN(0),
+	.userspacesize	= IPT_ALIGN(0),
+	.help		= &help,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_target(&IPV4OPTSSTRIP);
+}

Copied: trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/libipt_IPV4OPTSSTRIP.man (from rev 6712, trunk/iptables/extensions/libipt_IPV4OPTSSTRIP.man)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/libipt_IPV4OPTSSTRIP.man	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/IPV4OPTSSTRIP/iptables/extensions/libipt_IPV4OPTSSTRIP.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,5 @@
+Strip all the IP options from a packet.
+
+The target doesn't take any option, and therefore is extremly easy to use :
+
+# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP

Copied: trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/.ROUTE-test (from rev 6712, trunk/iptables/extensions/.ROUTE-test)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/.ROUTE-test	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/.ROUTE-test	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_ROUTE.c ] && echo ROUTE

Copied: trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/.ROUTE-test6 (from rev 6712, trunk/iptables/extensions/.ROUTE-test6)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/.ROUTE-test6	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/.ROUTE-test6	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ROUTE.h ] && echo ROUTE

Copied: trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libip6t_ROUTE.c (from rev 6712, trunk/iptables/extensions/libip6t_ROUTE.c)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libip6t_ROUTE.c	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libip6t_ROUTE.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,240 @@
+/* Shared library add-on to iptables to add ROUTE v6 target support.
+ * Author : Cedric de Launois, <delaunois at info.ucl.ac.be>
+ * v 1.1 2004/11/23
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+
+#include <ip6tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_ROUTE.h>
+
+/* compile IP6T_ROUTE_TEE support even if kernel headers are unpatched */
+#ifndef IP6T_ROUTE_TEE
+#define IP6T_ROUTE_TEE		0x02
+#endif
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+	printf(
+"ROUTE target v%s options:\n"
+"    --oif   \tifname \t\tRoute the packet through `ifname' network interface\n"
+"    --gw    \tip     \t\tRoute the packet via this gateway\n"
+"    --continue\t     \t\tRoute packet and continue traversing the\n"
+"            \t       \t\trules. Not valid with --iif or --tee.\n"
+"    --tee\t  \t\tDuplicate packet, route the duplicate,\n"
+"            \t       \t\tcontinue traversing with original packet.\n"
+"            \t       \t\tNot valid with --iif or --continue.\n"
+"\n",
+"1.1");
+}
+
+static struct option opts[] = {
+	{ "oif", 1, 0, '1' },
+	{ "iif", 1, 0, '2' },
+	{ "gw", 1, 0, '3' },
+	{ "continue", 0, 0, '4' },
+	{ "tee", 0, 0, '5' },
+	{ 0 }
+};
+
+/* Initialize the target. */
+static void
+init(struct ip6t_entry_target *t, unsigned int *nfcache)
+{
+	struct ip6t_route_target_info *route_info = 
+		(struct ip6t_route_target_info*)t->data;
+
+	route_info->oif[0] = '\0';
+	route_info->iif[0] = '\0';
+	route_info->gw[0] = 0;
+	route_info->gw[1] = 0;
+	route_info->gw[2] = 0;
+	route_info->gw[3] = 0;
+	route_info->flags = 0;
+}
+
+
+#define IP6T_ROUTE_OPT_OIF      0x01
+#define IP6T_ROUTE_OPT_IIF      0x02
+#define IP6T_ROUTE_OPT_GW       0x04
+#define IP6T_ROUTE_OPT_CONTINUE 0x08
+#define IP6T_ROUTE_OPT_TEE      0x10
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ip6t_entry *entry,
+      struct ip6t_entry_target **target)
+{
+	struct ip6t_route_target_info *route_info = 
+		(struct ip6t_route_target_info*)(*target)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags & IP6T_ROUTE_OPT_OIF)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --oif twice");
+
+		if (check_inverse(optarg, &invert, NULL, 0))
+			exit_error(PARAMETER_PROBLEM,
+				   "Unexpected `!' after --oif");
+
+		if (strlen(optarg) > sizeof(route_info->oif) - 1)
+			exit_error(PARAMETER_PROBLEM,
+				   "Maximum interface name length %u",
+				   sizeof(route_info->oif) - 1);
+
+		strcpy(route_info->oif, optarg);
+		*flags |= IP6T_ROUTE_OPT_OIF;
+		break;
+
+	case '2':
+		exit_error(PARAMETER_PROBLEM,
+			   "--iif option not implemented");
+		break;
+
+	case '3':
+		if (*flags & IP6T_ROUTE_OPT_GW)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --gw twice");
+
+		if (check_inverse(optarg, &invert, NULL, 0))
+			exit_error(PARAMETER_PROBLEM,
+				   "Unexpected `!' after --gw");
+
+		if (!inet_pton(AF_INET6, optarg, (struct in6_addr*)&route_info->gw)) {
+			exit_error(PARAMETER_PROBLEM,
+				   "Invalid IPv6 address %s",
+				   optarg);
+		}
+
+		*flags |= IP6T_ROUTE_OPT_GW;
+		break;
+
+	case '4':
+		if (*flags & IP6T_ROUTE_OPT_CONTINUE)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --continue twice");
+		if (*flags & IP6T_ROUTE_OPT_TEE)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --continue AND --tee");
+
+		route_info->flags |= IP6T_ROUTE_CONTINUE;
+		*flags |= IP6T_ROUTE_OPT_CONTINUE;
+
+		break;
+
+	case '5':
+		if (*flags & IP6T_ROUTE_OPT_TEE)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --tee twice");
+		if (*flags & IP6T_ROUTE_OPT_CONTINUE)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --tee AND --continue");
+
+		route_info->flags |= IP6T_ROUTE_TEE;
+		*flags |= IP6T_ROUTE_OPT_TEE;
+
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+
+static void
+final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM,
+		           "ROUTE target: oif or gw option required");
+}
+
+
+/* Prints out the targinfo. */
+static void
+print(const struct ip6t_ip6 *ip,
+      const struct ip6t_entry_target *target,
+      int numeric)
+{
+	const struct ip6t_route_target_info *route_info
+		= (const struct ip6t_route_target_info *)target->data;
+
+	printf("ROUTE ");
+
+	if (route_info->oif[0])
+		printf("oif:%s ", route_info->oif);
+
+	if (route_info->gw[0] 
+	    || route_info->gw[1] 
+	    || route_info->gw[2] 
+	    || route_info->gw[3]) {
+		char address[INET6_ADDRSTRLEN];
+		printf("gw:%s ", inet_ntop(AF_INET6, route_info->gw, address, INET6_ADDRSTRLEN));
+	}
+
+	if (route_info->flags & IP6T_ROUTE_CONTINUE)
+		printf("continue");
+
+	if (route_info->flags & IP6T_ROUTE_TEE)
+		printf("tee");
+
+}
+
+
+static void save(const struct ip6t_ip6 *ip, 
+		 const struct ip6t_entry_target *target)
+{
+	const struct ip6t_route_target_info *route_info
+		= (const struct ip6t_route_target_info *)target->data;
+
+	if (route_info->oif[0])
+		printf("--oif %s ", route_info->oif);
+
+	if (route_info->gw[0] 
+	    || route_info->gw[1] 
+	    || route_info->gw[2] 
+	    || route_info->gw[3]) {
+		char address[INET6_ADDRSTRLEN];
+		printf("--gw %s ", inet_ntop(AF_INET6, route_info->gw, address, INET6_ADDRSTRLEN));
+	}
+
+	if (route_info->flags & IP6T_ROUTE_CONTINUE)
+		printf("--continue ");
+
+	if (route_info->flags & IP6T_ROUTE_TEE)
+		printf("--tee ");
+}
+
+
+static struct ip6tables_target route = { 
+	.name 		= "ROUTE",
+	.version	= IPTABLES_VERSION,
+	.size		= IP6T_ALIGN(sizeof(struct ip6t_route_target_info)),
+	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_route_target_info)),
+	.help		= &help,
+	.init		= &init,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts,
+};
+
+void _init(void)
+{
+	register_target6(&route);
+}
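Review bot: final_check() near the end of the hunk accepts a rule that carries only `--continue` or `--tee`, because every option sets a bit in flags while the error message promises that oif or gw is required; the test should be `if (!(flags & (IP6T_ROUTE_OPT_OIF | IP6T_ROUTE_OPT_GW)))`. Separately, the `--oif` length error in parse() passes a size_t to `%u` (`"Maximum interface name length %u", sizeof(route_info->oif) - 1`); use `%zu` or cast the argument to unsigned, since the mismatch is undefined behaviour and prints garbage on 64-bit builds. The IPv4 counterpart in libipt_ROUTE.c runs past the end of this chunk, so its final_check and --oif handling could not be checked here and are worth a look for the same two issues.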

Copied: trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libip6t_ROUTE.man (from rev 6712, trunk/iptables/extensions/libip6t_ROUTE.man)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libip6t_ROUTE.man	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libip6t_ROUTE.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,15 @@
+This is used to explicitly override the core network stack's routing decision.
+.B mangle
+table.
+.TP
+.BI "--oif " "ifname"
+Route the packet through `ifname' network interface
+.TP
+.BI "--gw " "IPv6_address"
+Route the packet via this gateway
+.TP
+.BI "--continue "
+Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--tee'
+.TP
+.BI "--tee "
+Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules.  Not valid in combination with `--continue'

Copied: trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libipt_ROUTE.c (from rev 6712, trunk/iptables/extensions/libipt_ROUTE.c)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libipt_ROUTE.c	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libipt_ROUTE.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,264 @@
+/* Shared library add-on to iptables to add ROUTE target support.
+ * Author : Cedric de Launois, <delaunois at info.ucl.ac.be>
+ * v 1.11 2004/11/23
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <iptables.h>
+#include <net/if.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_ROUTE.h>
+
+/* compile IPT_ROUTE_TEE support even if kernel headers are unpatched */
+#ifndef IPT_ROUTE_TEE
+#define IPT_ROUTE_TEE		0x02
+#endif
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+	printf(
+"ROUTE target v%s options:\n"
+"    --oif   \tifname \t\tRoute packet through `ifname' network interface\n"
+"    --iif   \tifname \t\tChange packet's incoming interface to `ifname'\n"
+"    --gw    \tip     \t\tRoute packet via this gateway `ip'\n"
+"    --continue\t     \t\tRoute packet and continue traversing the\n"
+"            \t       \t\trules. Not valid with --iif or --tee.\n"
+"    --tee\t  \t\tDuplicate packet, route the duplicate,\n"
+"            \t       \t\tcontinue traversing with original packet.\n"
+"            \t       \t\tNot valid with --iif or --continue.\n"
+"\n",
+"1.11");
+}
+
+static struct option opts[] = {
+	{ "oif", 1, 0, '1' },
+	{ "iif", 1, 0, '2' },
+	{ "gw", 1, 0, '3' },
+	{ "continue", 0, 0, '4' },
+	{ "tee", 0, 0, '5' },
+	{ 0 }
+};
+
+/* Initialize the target. */
+static void
+init(struct ipt_entry_target *t, unsigned int *nfcache)
+{
+	struct ipt_route_target_info *route_info = 
+		(struct ipt_route_target_info*)t->data;
+
+	route_info->oif[0] = '\0';
+	route_info->iif[0] = '\0';
+	route_info->gw = 0;
+	route_info->flags = 0;
+}
+
+
+#define IPT_ROUTE_OPT_OIF      0x01
+#define IPT_ROUTE_OPT_IIF      0x02
+#define IPT_ROUTE_OPT_GW       0x04
+#define IPT_ROUTE_OPT_CONTINUE 0x08
+#define IPT_ROUTE_OPT_TEE      0x10
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ipt_entry *entry,
+      struct ipt_entry_target **target)
+{
+	struct ipt_route_target_info *route_info = 
+		(struct ipt_route_target_info*)(*target)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags & IPT_ROUTE_OPT_OIF)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --oif twice");
+
+		if (*flags & IPT_ROUTE_OPT_IIF)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't use --oif and --iif together");
+
+		if (check_inverse(optarg, &invert, NULL, 0))
+			exit_error(PARAMETER_PROBLEM,
+				   "Unexpected `!' after --oif");
+
+		if (strlen(optarg) > sizeof(route_info->oif) - 1)
+			exit_error(PARAMETER_PROBLEM,
+				   "Maximum interface name length %u",
+				   sizeof(route_info->oif) - 1);
+
+		strcpy(route_info->oif, optarg);
+		*flags |= IPT_ROUTE_OPT_OIF;
+		break;
+
+	case '2':
+		if (*flags & IPT_ROUTE_OPT_IIF)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --iif twice");
+
+		if (*flags & IPT_ROUTE_OPT_OIF)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't use --iif and --oif together");
+
+		if (check_inverse(optarg, &invert, NULL, 0))
+			exit_error(PARAMETER_PROBLEM,
+				   "Unexpected `!' after --iif");
+
+		if (strlen(optarg) > sizeof(route_info->iif) - 1)
+			exit_error(PARAMETER_PROBLEM,
+				   "Maximum interface name length %u",
+				   sizeof(route_info->iif) - 1);
+
+		strcpy(route_info->iif, optarg);
+		*flags |= IPT_ROUTE_OPT_IIF;
+		break;
+
+	case '3':
+		if (*flags & IPT_ROUTE_OPT_GW)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --gw twice");
+
+		if (check_inverse(optarg, &invert, NULL, 0))
+			exit_error(PARAMETER_PROBLEM,
+				   "Unexpected `!' after --gw");
+
+		if (!inet_aton(optarg, (struct in_addr*)&route_info->gw)) {
+			exit_error(PARAMETER_PROBLEM,
+				   "Invalid IP address %s",
+				   optarg);
+		}
+
+		*flags |= IPT_ROUTE_OPT_GW;
+		break;
+
+	case '4':
+		if (*flags & IPT_ROUTE_OPT_CONTINUE)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --continue twice");
+		if (*flags & IPT_ROUTE_OPT_TEE)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --continue AND --tee");
+
+		route_info->flags |= IPT_ROUTE_CONTINUE;
+		*flags |= IPT_ROUTE_OPT_CONTINUE;
+
+		break;
+
+	case '5':
+		if (*flags & IPT_ROUTE_OPT_TEE)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --tee twice");
+		if (*flags & IPT_ROUTE_OPT_CONTINUE)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --tee AND --continue");
+
+		route_info->flags |= IPT_ROUTE_TEE;
+		*flags |= IPT_ROUTE_OPT_TEE;
+
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+
+static void
+final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM,
+		           "ROUTE target: oif, iif or gw option required");
+
+	if ((flags & (IPT_ROUTE_OPT_CONTINUE|IPT_ROUTE_OPT_TEE)) && (flags & IPT_ROUTE_OPT_IIF))
+		exit_error(PARAMETER_PROBLEM,
+			   "ROUTE target: can't continue traversing the rules with iif option");
+}
+
+
+/* Prints out the targinfo. */
+static void
+print(const struct ipt_ip *ip,
+      const struct ipt_entry_target *target,
+      int numeric)
+{
+	const struct ipt_route_target_info *route_info
+		= (const struct ipt_route_target_info *)target->data;
+
+	printf("ROUTE ");
+
+	if (route_info->oif[0])
+		printf("oif:%s ", route_info->oif);
+
+	if (route_info->iif[0])
+		printf("iif:%s ", route_info->iif);
+
+	if (route_info->gw) {
+		struct in_addr ip = { route_info->gw };
+		printf("gw:%s ", inet_ntoa(ip));
+	}
+
+	if (route_info->flags & IPT_ROUTE_CONTINUE)
+		printf("continue");
+
+	if (route_info->flags & IPT_ROUTE_TEE)
+		printf("tee");
+
+}
+
+
+static void save(const struct ipt_ip *ip, 
+		 const struct ipt_entry_target *target)
+{
+	const struct ipt_route_target_info *route_info
+		= (const struct ipt_route_target_info *)target->data;
+
+	if (route_info->oif[0])
+		printf("--oif %s ", route_info->oif);
+
+	if (route_info->iif[0])
+		printf("--iif %s ", route_info->iif);
+
+	if (route_info->gw) {
+		struct in_addr ip = { route_info->gw };
+		printf("--gw %s ", inet_ntoa(ip));
+	}
+
+	if (route_info->flags & IPT_ROUTE_CONTINUE)
+		printf("--continue ");
+
+	if (route_info->flags & IPT_ROUTE_TEE)
+		printf("--tee ");
+}
+
+
+static struct iptables_target route = { 
+	.next		= NULL,
+	.name		= "ROUTE",
+	.version	= IPTABLES_VERSION,
+	.size		= IPT_ALIGN(sizeof(struct ipt_route_target_info)),
+	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_route_target_info)),
+	.help		= &help,
+	.init		= &init,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_target(&route);
+}
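Review bot: The "Maximum interface name length %u" messages at L1999-L2000 and L2021-L2022 pass a `size_t` (`sizeof(route_info->oif) - 1`) to a `%u` conversion, which is a format/argument mismatch and undefined behaviour on targets where `size_t` is wider than `unsigned int`; `exit_error` is printf-like, so the cleanest fix is `"Maximum interface name length %zu"`, or casting the argument to `(unsigned int)`. The length check itself is correct, so the `strcpy` that follows it is bounded. In `print` and `save`, the local `struct in_addr ip = { route_info->gw };` at L2111 and L2137 shadows the `ip` parameter of the same name; renaming it to `gw_addr` avoids the confusion, and `print` could also emit a trailing space after `"continue"` / `"tee"` for consistency with `save`.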

Copied: trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libipt_ROUTE.man (from rev 6712, trunk/iptables/extensions/libipt_ROUTE.man)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libipt_ROUTE.man	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/ROUTE/iptables/extensions/libipt_ROUTE.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,18 @@
+This is used to explicitly override the core network stack's routing decision.
+.B mangle
+table.
+.TP
+.BI "--oif " "ifname"
+Route the packet through `ifname' network interface
+.TP
+.BI "--iif " "ifname"
+Change the packet's incoming interface to `ifname'
+.TP
+.BI "--gw " "IP_address"
+Route the packet via this gateway
+.TP
+.BI "--continue "
+Behave like a non-terminating target and continue traversing the rules.  Not valid in combination with `--iif' or `--tee'
+.TP
+.BI "--tee "
+Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules.  Not valid in combination with `--iif' or `--continue'

Added: trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/.TARPIT-test
===================================================================
--- trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/.TARPIT-test	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/.TARPIT-test	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_TARPIT.c ] && echo TARPIT
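Review bot: The `[ -f $KERNEL_DIR/... ]` test leaves the variable expansion unquoted, so a `KERNEL_DIR` containing whitespace turns into multiple `[` arguments and the test fails with a syntax error rather than reporting the feature as absent; write it as `[ -f "$KERNEL_DIR/net/ipv4/netfilter/ipt_TARPIT.c" ] && echo TARPIT`. The same pattern appears in the `.ipv4options-test` script at L2318 and the `.u32-test` script at L2682, which would take the same quoting.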


Property changes on: trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/.TARPIT-test
___________________________________________________________________
Name: svn:executable
   + *

Copied: trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/libipt_TARPIT.c (from rev 6712, trunk/iptables/extensions/libipt_TARPIT.c)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/libipt_TARPIT.c	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/libipt_TARPIT.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,58 @@
+/* Shared library add-on to iptables for TARPIT support */
+#include <stdio.h>
+#include <getopt.h>
+#include <iptables.h>
+
+static void
+help(void)
+{
+	fputs(
+"TARPIT takes no options\n"
+"\n", stdout);
+}
+
+static struct option opts[] = {
+	{ 0 }
+};
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ipt_entry *entry,
+      struct ipt_entry_target **target)
+{
+	return 0;
+}
+
+static void final_check(unsigned int flags)
+{
+}
+
+static void
+print(const struct ipt_ip *ip,
+      const struct ipt_entry_target *target,
+      int numeric)
+{
+}
+
+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+}
+
+static struct iptables_target tarpit = {
+	.next		= NULL,
+	.name		= "TARPIT",
+	.version	= IPTABLES_VERSION,
+	.size		= IPT_ALIGN(0),
+	.userspacesize	= IPT_ALIGN(0),
+	.help		= &help,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_target(&tarpit);
+}

Copied: trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/libipt_TARPIT.man (from rev 6712, trunk/iptables/extensions/libipt_TARPIT.man)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/libipt_TARPIT.man	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/TARPIT/iptables/extensions/libipt_TARPIT.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,34 @@
+Captures and holds incoming TCP connections using no local
+per-connection resources. Connections are accepted, but immediately
+switched to the persist state (0 byte window), in which the remote
+side stops sending data and asks to continue every 60-240 seconds.
+Attempts to close the connection are ignored, forcing the remote side
+to time out the connection in 12-24 minutes.
+
+This offers similar functionality to LaBrea
+<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
+hardware or IPs. Any TCP port that you would normally DROP or REJECT
+can instead become a tarpit.
+
+To tarpit connections to TCP port 80 destined for the current machine:
+.IP
+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
+.P
+To significantly slow down Code Red/Nimda-style scans of unused address
+space, forward unused ip addresses to a Linux box not acting as a router
+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
+forwarding on the Linux box, and add:
+.IP
+iptables -A FORWARD -p tcp -j TARPIT
+.IP
+iptables -A FORWARD -j DROP
+.TP
+NOTE:
+If you use the conntrack module while you are using TARPIT, you should
+also use the NOTRACK target, or the kernel will unnecessarily allocate
+resources for each TARPITted connection. To TARPIT incoming
+connections to the standard IRC port while using conntrack, you could:
+.IP
+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+.IP
+iptables -A INPUT -p tcp --dport 6667 -j TARPIT

Copied: trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/.ipv4options-test (from rev 6712, trunk/iptables/extensions/.ipv4options-test)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/.ipv4options-test	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/.ipv4options-test	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,3 @@
+#!/bin/sh
+# True if ipv4options is applied.
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipv4options.h ] && echo ipv4options

Copied: trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/libipt_ipv4options.c (from rev 6712, trunk/iptables/extensions/libipt_ipv4options.c)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/libipt_ipv4options.c	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/libipt_ipv4options.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,311 @@
+/* Shared library add-on to iptables to add ipv4 options matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_ipv4options.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+	printf(
+"ipv4options v%s options:\n"
+"      --ssrr    (match strict source routing flag)\n"
+"      --lsrr    (match loose  source routing flag)\n"
+"      --no-srr  (match packets with no source routing)\n\n"
+"  [!] --rr      (match record route flag)\n\n"
+"  [!] --ts      (match timestamp flag)\n\n"
+"  [!] --ra      (match router-alert option)\n\n"
+"  [!] --any-opt (match any option or no option at all if used with '!')\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{ "ssrr", 0, 0, '1' },
+	{ "lsrr", 0, 0, '2' },
+	{ "no-srr", 0, 0, '3'},
+	{ "rr", 0, 0, '4'},
+	{ "ts", 0, 0, '5'},
+	{ "ra", 0, 0, '6'},
+	{ "any-opt", 0, 0, '7'},
+	{0}
+};
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ipt_entry *entry,
+      unsigned int *nfcache,
+      struct ipt_entry_match **match)
+{
+	struct ipt_ipv4options_info *info = (struct ipt_ipv4options_info *)(*match)->data;
+
+	switch (c)
+	{
+		/* strict-source-routing */
+	case '1':
+		if (invert) 
+			exit_error(PARAMETER_PROBLEM,
+				   "ipv4options: unexpected `!' with --ssrr");
+		if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
+                        exit_error(PARAMETER_PROBLEM,
+                                   "Can't specify --ssrr twice");
+		if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --ssrr with --lsrr");
+		if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --ssrr with --no-srr");
+
+		info->options |= IPT_IPV4OPTION_MATCH_SSRR;
+		*flags |= IPT_IPV4OPTION_MATCH_SSRR;
+		break;
+
+		/* loose-source-routing */
+	case '2':
+		if (invert) 
+			exit_error(PARAMETER_PROBLEM,
+				   "ipv4options: unexpected `!' with --lsrr");
+		if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
+                        exit_error(PARAMETER_PROBLEM,
+                                   "Can't specify --lsrr twice");
+		if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --lsrr with --ssrr");
+		if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --lsrr with --no-srr");
+		info->options |= IPT_IPV4OPTION_MATCH_LSRR;
+		*flags |= IPT_IPV4OPTION_MATCH_LSRR;
+		break;
+
+		/* no-source-routing */
+	case '3':
+		if (invert) 
+			exit_error(PARAMETER_PROBLEM,
+					   "ipv4options: unexpected `!' with --no-srr");
+		if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
+                        exit_error(PARAMETER_PROBLEM,
+                                   "Can't specify --no-srr twice");
+		if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --no-srr with --ssrr");
+		if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --no-srr with --lsrr");
+		info->options |= IPT_IPV4OPTION_DONT_MATCH_SRR;
+		*flags |= IPT_IPV4OPTION_DONT_MATCH_SRR;
+		break;
+
+		/* record-route */
+	case '4':
+		if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_RR))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --rr twice");	
+		if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify ! --rr twice");
+		if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --rr with ! --rr");
+		if (invert && (*flags & IPT_IPV4OPTION_MATCH_RR))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify ! --rr with --rr");
+		if (invert) {
+			info->options |= IPT_IPV4OPTION_DONT_MATCH_RR;
+			*flags |= IPT_IPV4OPTION_DONT_MATCH_RR;
+		}
+		else {
+			info->options |= IPT_IPV4OPTION_MATCH_RR;
+			*flags |= IPT_IPV4OPTION_MATCH_RR;
+		}
+		break;
+
+		/* timestamp */
+	case '5':
+		if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --ts twice");	
+		if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify ! --ts twice");
+		if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --ts with ! --ts");
+		if (invert && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify ! --ts with --ts");
+		if (invert) {
+			info->options |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
+			*flags |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
+		}
+		else {
+			info->options |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
+			*flags |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
+		}
+		break;
+
+		/* router-alert  */
+	case '6':
+		if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --ra twice");	
+		if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify ! --rr twice");
+		if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --ra with ! --ra");
+		if (invert && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify ! --ra with --ra");
+		if (invert) {
+			info->options |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
+			*flags |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
+		}
+		else {
+			info->options |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
+			*flags |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
+		}
+		break;
+
+		/* any option */
+	case '7' :
+		if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --any-opt twice");
+		if (invert && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify ! --any-opt with --any-opt");
+		if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify ! --any-opt twice");
+		if ((!invert) &&
+		    ((*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)       ||
+		     (*flags & IPT_IPV4OPTION_DONT_MATCH_RR)        ||
+		     (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
+		     (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --any-opt with any other negative ipv4options match");
+		if (invert &&
+		    ((*flags & IPT_IPV4OPTION_MATCH_LSRR)      ||
+		     (*flags & IPT_IPV4OPTION_MATCH_SSRR)      ||
+		     (*flags & IPT_IPV4OPTION_MATCH_RR)        ||
+		     (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+		     (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify ! --any-opt with any other positive ipv4options match");
+		if (invert) {
+			info->options |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
+			*flags |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;	
+		}
+		else {
+			info->options |= IPT_IPV4OPTION_MATCH_ANY_OPT;
+			*flags |= IPT_IPV4OPTION_MATCH_ANY_OPT;
+		}
+		break;
+
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void
+final_check(unsigned int flags)
+{
+	if (flags == 0)
+		exit_error(PARAMETER_PROBLEM,
+			   "ipv4options match: you must specify some parameters. See iptables -m ipv4options --help for help.'");
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ipt_ip *ip,
+      const struct ipt_entry_match *match,
+      int numeric)
+{
+	struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
+
+	printf(" IPV4OPTS");
+	if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
+		printf(" SSRR");
+	else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
+		printf(" LSRR");
+	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
+		printf(" !SRR");
+	if (info->options & IPT_IPV4OPTION_MATCH_RR)
+		printf(" RR");
+	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
+		printf(" !RR");
+	if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
+		printf(" TS");
+	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
+		printf(" !TS");
+	if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
+		printf(" RA");
+	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
+		printf(" !RA");
+	if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
+		printf(" ANYOPT ");
+	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
+		printf(" NOOPT");
+
+	printf(" ");
+}
+
+/* Saves the data in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+{
+	struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
+
+	if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
+		printf(" --ssrr");
+	else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
+		printf(" --lsrr");
+	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
+		printf(" --no-srr");
+	if (info->options & IPT_IPV4OPTION_MATCH_RR)
+		printf(" --rr");
+	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
+		printf(" ! --rr");
+	if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
+		printf(" --ts");
+	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
+		printf(" ! --ts");
+	if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
+		printf(" --ra");
+	else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
+		printf(" ! --ra");
+	if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
+		printf(" --any-opt");
+	if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
+		printf(" ! --any-opt");
+
+	printf(" ");
+}
+
+static struct iptables_match ipv4options_struct = { 
+	.next		= NULL,
+	.name		= "ipv4options",
+	.version	= IPTABLES_VERSION,
+	.size		= IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
+	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
+	.help		= &help,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_match(&ipv4options_struct);
+}
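Review bot: The duplicate check for a negated `--any-opt` at L2509-L2511 tests the wrong flag: it looks at `IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT`, so `! --any-opt` given twice is silently accepted while `! --ra` followed by `! --any-opt` is rejected with the misleading message "Can't specify ! --any-opt twice"; the condition should read `if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT))`. Two error strings in the same switch are also copy-paste slips that will confuse users: in the `--lsrr` case the checks at L2398-L2403 have their messages swapped (the `MATCH_SSRR` branch should say "Can't specify --lsrr with --ssrr" and the `MATCH_LSRR` branch "Can't specify --lsrr twice"), and the `--ra` case at L2484 says "Can't specify ! --rr twice" where "! --ra" is meant. None of these change which flags end up in `info->options` except the `--any-opt` one, which is the one worth fixing before the patchlet is copied further.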

Copied: trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/libipt_ipv4options.man (from rev 6712, trunk/iptables/extensions/libipt_ipv4options.man)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/libipt_ipv4options.man	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/ipv4options/iptables/extensions/libipt_ipv4options.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,32 @@
+Match on IPv4 header options like source routing, record route,
+timestamp and router-alert.
+.TP
+.B "--ssrr"
+To match packets with the flag strict source routing.
+.TP
+.B "--lsrr"
+To match packets with the flag loose source routing.
+.TP
+.B "--no-srr"
+To match packets with no flag for source routing.
+.TP
+.B "\fR[\fB!\fR]\fB --rr"
+To match packets with the RR flag.
+.TP
+.B "\fR[\fB!\fR]\fB --ts"
+To match packets with the TS flag.
+.TP
+.B "\fR[\fB!\fR]\fB --ra"
+To match packets with the router-alert option.
+.TP
+.B "\fR[\fB!\fR]\fB --any-opt"
+To match a packet with at least one IP option, or no IP option
+at all if ! is chosen.
+.TP
+Examples:
+.TP
+$ iptables -A input -m ipv4options --rr -j DROP
+will drop packets with the record-route flag.
+.TP
+$ iptables -A input -m ipv4options --ts -j DROP
+will drop packets with the timestamp flag.

Copied: trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/.u32-test (from rev 6712, trunk/iptables/extensions/.u32-test)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/.u32-test	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/.u32-test	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,3 @@
+#!/bin/sh
+# True if u32 is applied.
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_u32.h ] && echo u32

Copied: trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/libipt_u32.c (from rev 6712, trunk/iptables/extensions/libipt_u32.c)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/libipt_u32.c	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/libipt_u32.c	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,264 @@
+/* Shared library add-on to iptables to add u32 matching,
+ * generalized matching on values found at packet offsets
+ *
+ * Detailed doc is in the kernel module source
+ * net/ipv4/netfilter/ipt_u32.c
+ *
+ * (C) 2002 by Don Cohen <don-netf at isis.cs3-inc.com>
+ * Released under the terms of GNU GPL v2
+ */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_u32.h>
+#include <errno.h>
+#include <ctype.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+	printf( "u32 v%s options:\n"
+		" --u32 tests\n"
+		" tests := location = value | tests && location = value\n"
+		" value := range | value , range\n"
+		" range := number | number : number\n"
+		" location := number | location operator number\n"
+		" operator := & | << | >> | @\n"
+		,IPTABLES_VERSION);
+}
+
+/* defined in /usr/include/getopt.h maybe in man getopt */
+static struct option opts[] = {
+	{ "u32", 1, 0, '1' },
+	{ 0 }
+};
+
+/* shared printing code */
+static void print_u32(struct ipt_u32 *data)
+{
+	unsigned int testind;
+
+	for (testind=0; testind < data->ntests; testind++) {
+		if (testind) printf("&&");
+		{
+			unsigned int i;
+
+			printf("0x%x", data->tests[testind].location[0].number);
+			for (i = 1; i < data->tests[testind].nnums; i++) {
+				switch (data->tests[testind].location[i].nextop) {
+				case IPT_U32_AND: printf("&"); break;
+				case IPT_U32_LEFTSH: printf("<<"); break;
+				case IPT_U32_RIGHTSH: printf(">>"); break;
+				case IPT_U32_AT: printf("@"); break;
+				}
+				printf("0x%x", data->tests[testind].location[i].number);
+			}
+			printf("=");
+			for (i = 0; i < data->tests[testind].nvalues; i++) {
+				if (i) printf(",");
+				if (data->tests[testind].value[i].min
+				    == data->tests[testind].value[i].max)
+					printf("0x%x", data->tests[testind].value[i].min);
+				else printf("0x%x:0x%x", data->tests[testind].value[i].min,
+					    data->tests[testind].value[i].max);
+			}
+		}
+	}
+	printf(" ");
+}
+
+/* string_to_number is not quite what we need here ... */
+u_int32_t parse_number(char **s, int pos)
+{
+	u_int32_t number;
+	char *end;
+	errno = 0;
+
+	number = strtoul(*s, &end, 0);
+	if (end == *s)
+		exit_error(PARAMETER_PROBLEM, 
+			   "u32: at char %d expected number", pos);
+	if (errno)
+		exit_error(PARAMETER_PROBLEM, 
+			   "u32: at char %d error reading number", pos);
+	*s = end;
+	return number;
+}
+
+/* Function which parses command options; returns true if it ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ipt_entry *entry,
+      unsigned int *nfcache,
+      struct ipt_entry_match **match)
+{
+	struct ipt_u32 *data = (struct ipt_u32 *)(*match)->data;
+	char *arg = argv[optind-1]; /* the argument string */
+	char *start = arg;
+	int state=0, testind=0, locind=0, valind=0;
+
+	if (c != '1') return 0;
+	/* states: 0 = looking for numbers and operations, 1 = looking for ranges */
+	while (1) { /* read next operand/number or range */
+		while (isspace(*arg)) 
+			arg++;  /* skip white space */
+		if (! *arg) { /* end of argument found */
+			if (state == 0)
+				exit_error(PARAMETER_PROBLEM, 
+					   "u32: input ended in location spec");
+			if (valind == 0)
+				exit_error(PARAMETER_PROBLEM, 
+					   "u32: test ended with no value spec");
+			data->tests[testind].nnums = locind;
+			data->tests[testind].nvalues = valind;
+			testind++;
+			data->ntests=testind;
+			if (testind > U32MAXSIZE)
+				exit_error(PARAMETER_PROBLEM, 
+					   "u32: at char %d too many &&'s",
+					   arg-start);
+			/* debugging 
+			   print_u32(data);printf("\n");
+			   exit_error(PARAMETER_PROBLEM, "debugging output done"); */
+			return 1;
+		}
+		if (state == 0) {
+			/* reading location: read a number if nothing read yet,
+			   otherwise either op number or = to end location spec */	 
+			if (*arg == '=') {
+				if (locind == 0)
+					exit_error(PARAMETER_PROBLEM,
+						   "u32: at char %d location spec missing", arg-start);
+				else {
+					arg++; 
+					state=1;
+				}
+			}
+			else {
+				if (locind) { /* need op before number */
+					if (*arg == '&') {
+						data->tests[testind].location[locind].nextop = IPT_U32_AND;
+					}
+					else if (*arg == '<') {
+						arg++;
+						if (*arg != '<')
+							exit_error(PARAMETER_PROBLEM,
+								   "u32: at char %d a second < expected", arg-start);
+						data->tests[testind].location[locind].nextop = IPT_U32_LEFTSH;
+					}
+					else if (*arg == '>') {
+						arg++;
+						if (*arg != '>')
+							exit_error(PARAMETER_PROBLEM,
+								   "u32: at char %d a second > expected", arg-start);
+						data->tests[testind].location[locind].nextop = IPT_U32_RIGHTSH;
+					}
+					else if (*arg == '@') {
+						data->tests[testind].location[locind].nextop = IPT_U32_AT;
+					}
+					else exit_error(PARAMETER_PROBLEM,
+							"u32: at char %d operator expected", arg-start);
+					arg++;
+				}
+				/* now a number; string_to_number skips white space? */
+				data->tests[testind].location[locind].number =
+					parse_number(&arg, arg-start);
+				locind++;
+				if (locind > U32MAXSIZE)
+					exit_error(PARAMETER_PROBLEM,
+						   "u32: at char %d too many operators", arg-start);
+			}
+		}
+		else {
+			/* state 1 - reading values: read a range if nothing read yet,
+			   otherwise either ,range or && to end test spec */
+			if (*arg == '&') {
+				arg++;
+				if (*arg != '&')
+					exit_error(PARAMETER_PROBLEM,
+						   "u32: at char %d a second & expected", arg-start);
+				if (valind == 0)
+					exit_error(PARAMETER_PROBLEM,
+						   "u32: at char %d value spec missing", arg-start);
+				else {
+					data->tests[testind].nnums = locind;
+					data->tests[testind].nvalues = valind;
+					testind++;
+					if (testind > U32MAXSIZE)
+						exit_error(PARAMETER_PROBLEM,
+							   "u32: at char %d too many &&'s", arg-start);
+					arg++; state=0; locind=0; valind=0;
+				}
+			}
+			else { /* read value range */
+				if (valind) { /* need , before number */
+					if (*arg != ',')
+						exit_error(PARAMETER_PROBLEM,
+							   "u32: at char %d expected , or &&", arg-start);
+					arg++;
+				}
+				data->tests[testind].value[valind].min = parse_number(&arg, arg-start);
+				while (isspace(*arg)) 
+					arg++;  /* another place white space could be */
+				if (*arg==':') {
+					arg++;
+					data->tests[testind].value[valind].max
+						= parse_number(&arg, arg-start);
+				}
+				else data->tests[testind].value[valind].max
+					     = data->tests[testind].value[valind].min;
+				valind++;
+				if (valind > U32MAXSIZE)
+					exit_error(PARAMETER_PROBLEM,
+						   "u32: at char %d too many ,'s", arg-start);
+			}
+		}
+	}
+}
+
+/* Final check; must specify something. */
+static void
+final_check(unsigned int flags)
+{
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ipt_ip *ip,
+      const struct ipt_entry_match *match,
+      int numeric)
+{
+	printf("u32 ");
+	print_u32((struct ipt_u32 *)match->data);
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+{
+	printf("--u32 ");
+	print_u32((struct ipt_u32 *)match->data);
+}
+
+struct iptables_match u32 = {
+	.next		= NULL,
+	.name		= "u32",
+	.version	= IPTABLES_VERSION,
+	.size		= IPT_ALIGN(sizeof(struct ipt_u32)),
+	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_u32)),
+	.help		= &help,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void
+_init(void)
+{
+	register_match(&u32);
+}
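Review bot: `parse_number` at L2763 and the `u32` match descriptor at L2934 are defined without `static`, unlike every other symbol in this file and in the sibling extensions in this commit; iptables loads all `libipt_*.so` plugins into one process, so these exported names can collide with a same-named symbol from another extension, and `static u_int32_t parse_number(char **s, int pos)` / `static struct iptables_match u32 = {` is the expected fix. The position diagnostics throughout `parse` (L2811, L2823, L2838 and the rest) pass `arg-start`, a `ptrdiff_t`, to a `%d` conversion, which is a format mismatch; either cast to `(int)(arg - start)` as the `int pos` parameter of `parse_number` already implies, or switch the conversions to `%td`. The `isspace(*arg)` calls at L2795 and L2893 should cast through `(unsigned char)`, since `*arg` is a plain `char` and negative values are undefined input for `<ctype.h>`. The `testind > U32MAXSIZE` and `locind > U32MAXSIZE` guards assume the `tests`, `location` and `value` arrays in `struct ipt_u32` have `U32MAXSIZE + 1` elements; that is defined in the kernel header, not visible here, and is worth confirming against `ipt_u32.h`.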

Copied: trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/libipt_u32.man (from rev 6712, trunk/iptables/extensions/libipt_u32.man)
===================================================================
--- trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/libipt_u32.man	                        (rev 0)
+++ trunk/patch-o-matic-ng/patchlets/u32/iptables/extensions/libipt_u32.man	2006-12-12 10:34:45 UTC (rev 6713)
@@ -0,0 +1,8 @@
+U32 allows you to extract quantities of up to 4 bytes from a packet,
+AND them with specified masks, shift them by specified amounts and
+test whether the results are in any of a set of specified ranges.
+The specification of what to extract is general enough to skip over
+headers with lengths stored in the packet, as in IP or TCP header
+lengths.
+
+Details and examples are in the kernel module source.



