[netfilter-cvslog] r6996 - in trunk/iptables: extensions include/linux/netfilter

yasuyuki at netfilter.org yasuyuki at netfilter.org
Sat Aug 4 10:25:43 CEST 2007


Author: yasuyuki at netfilter.org
Date: 2007-08-04 10:25:43 +0200 (Sat, 04 Aug 2007)
New Revision: 6996

Added:
   trunk/iptables/extensions/.connbytes-testx
   trunk/iptables/extensions/libxt_connbytes.c
   trunk/iptables/include/linux/netfilter/xt_connbytes.h
Removed:
   trunk/iptables/extensions/.connbytes-test
   trunk/iptables/extensions/libipt_connbytes.c
Log:
Add IPv6 support to connbytes match



Deleted: trunk/iptables/extensions/.connbytes-test
===================================================================
--- trunk/iptables/extensions/.connbytes-test	2007-08-04 08:24:29 UTC (rev 6995)
+++ trunk/iptables/extensions/.connbytes-test	2007-08-04 08:25:43 UTC (rev 6996)
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connbytes.h ] && echo connbytes

Added: trunk/iptables/extensions/.connbytes-testx
===================================================================
--- trunk/iptables/extensions/.connbytes-testx	                        (rev 0)
+++ trunk/iptables/extensions/.connbytes-testx	2007-08-04 08:25:43 UTC (rev 6996)
@@ -0,0 +1,3 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connbytes.h ] ||	\
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_connbytes.h ] && echo connbytes
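Review bot: Both `[ -f $KERNEL_DIR/... ]` tests leave `$KERNEL_DIR` unquoted, so a kernel tree path containing whitespace or glob characters splits into several words and the test either fails or misfires; quote it in both lines as `[ -f "$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connbytes.h" ] ||	\` and `[ -f "$KERNEL_DIR/include/linux/netfilter/xt_connbytes.h" ] && echo connbytes`. The `A || B && C` chain gives the intended `(A || B) && C` only because sh evaluates `||` and `&&` left to right at equal precedence; grouping the two tests explicitly with `{ ...; }` would make that intent visible to the next reader.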


Property changes on: trunk/iptables/extensions/.connbytes-testx
___________________________________________________________________
Name: svn:executable
   + *

Deleted: trunk/iptables/extensions/libipt_connbytes.c
===================================================================
--- trunk/iptables/extensions/libipt_connbytes.c	2007-08-04 08:24:29 UTC (rev 6995)
+++ trunk/iptables/extensions/libipt_connbytes.c	2007-08-04 08:25:43 UTC (rev 6996)
@@ -1,204 +0,0 @@
-/* Shared library add-on to iptables to add byte tracking support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter/nf_conntrack_common.h>
-#include <linux/netfilter_ipv4/ipt_connbytes.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
-	printf(
-"connbytes v%s options:\n"
-" [!] --connbytes from:[to]\n"
-"     --connbytes-dir [original, reply, both]\n"
-"     --connbytes-mode [packets, bytes, avgpkt]\n"
-"\n", IPTABLES_VERSION);
-}
-
-static const struct option opts[] = {
-	{ "connbytes", 1, 0, '1' },
-	{ "connbytes-dir", 1, 0, '2' },
-	{ "connbytes-mode", 1, 0, '3' },
-	{0}
-};
-
-static void
-parse_range(const char *arg, struct ipt_connbytes_info *si)
-{
-	char *colon,*p;
-
-	si->count.from = strtoul(arg,&colon,10);
-	if (*colon != ':') 
-		exit_error(PARAMETER_PROBLEM, "Bad range `%s'", arg);
-	si->count.to = strtoul(colon+1,&p,10);
-	if (p == colon+1) {
-		/* second number omited */
-		si->count.to = 0xffffffff;
-	}
-	if (si->count.from > si->count.to)
-		exit_error(PARAMETER_PROBLEM, "%llu should be less than %llu",
-			   si->count.from, si->count.to);
-}
-
-/* Function which parses command options; returns true if it
-   ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
-      const void *entry,
-      unsigned int *nfcache,
-      struct xt_entry_match **match)
-{
-	struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)(*match)->data;
-	unsigned long i;
-
-	switch (c) {
-	case '1':
-		if (check_inverse(optarg, &invert, &optind, 0))
-			optind++;
-
-		parse_range(argv[optind-1], sinfo);
-		if (invert) {
-			i = sinfo->count.from;
-			sinfo->count.from = sinfo->count.to;
-			sinfo->count.to = i;
-		}
-		*flags |= 1;
-		break;
-	case '2':
-		if (!strcmp(optarg, "original"))
-			sinfo->direction = IPT_CONNBYTES_DIR_ORIGINAL;
-		else if (!strcmp(optarg, "reply"))
-			sinfo->direction = IPT_CONNBYTES_DIR_REPLY;
-		else if (!strcmp(optarg, "both"))
-			sinfo->direction = IPT_CONNBYTES_DIR_BOTH;
-		else
-			exit_error(PARAMETER_PROBLEM,
-				   "Unknown --connbytes-dir `%s'", optarg);
-
-		*flags |= 2;
-		break;
-	case '3':
-		if (!strcmp(optarg, "packets"))
-			sinfo->what = IPT_CONNBYTES_PKTS;
-		else if (!strcmp(optarg, "bytes"))
-			sinfo->what = IPT_CONNBYTES_BYTES;
-		else if (!strcmp(optarg, "avgpkt"))
-			sinfo->what = IPT_CONNBYTES_AVGPKT;
-		else
-			exit_error(PARAMETER_PROBLEM,
-				   "Unknown --connbytes-mode `%s'", optarg);
-		*flags |= 4;
-		break;
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-static void final_check(unsigned int flags)
-{
-	if (flags != 7)
-		exit_error(PARAMETER_PROBLEM, "You must specify `--connbytes'"
-			   "`--connbytes-dir' and `--connbytes-mode'");
-}
-
-static void print_mode(struct ipt_connbytes_info *sinfo)
-{
-	switch (sinfo->what) {
-		case IPT_CONNBYTES_PKTS:
-			fputs("packets ", stdout);
-			break;
-		case IPT_CONNBYTES_BYTES:
-			fputs("bytes ", stdout);
-			break;
-		case IPT_CONNBYTES_AVGPKT:
-			fputs("avgpkt ", stdout);
-			break;
-		default:
-			fputs("unknown ", stdout);
-			break;
-	}
-}
-
-static void print_direction(struct ipt_connbytes_info *sinfo)
-{
-	switch (sinfo->direction) {
-		case IPT_CONNBYTES_DIR_ORIGINAL:
-			fputs("original ", stdout);
-			break;
-		case IPT_CONNBYTES_DIR_REPLY:
-			fputs("reply ", stdout);
-			break;
-		case IPT_CONNBYTES_DIR_BOTH:
-			fputs("both ", stdout);
-			break;
-		default:
-			fputs("unknown ", stdout);
-			break;
-	}
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const void *ip,
-      const struct xt_entry_match *match,
-      int numeric)
-{
-	struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)match->data;
-
-	if (sinfo->count.from > sinfo->count.to) 
-		printf("connbytes ! %llu:%llu ", sinfo->count.to,
-			sinfo->count.from);
-	else
-		printf("connbytes %llu:%llu ",sinfo->count.from,
-			sinfo->count.to);
-
-	fputs("connbytes mode ", stdout);
-	print_mode(sinfo);
-
-	fputs("connbytes direction ", stdout);
-	print_direction(sinfo);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const void *ip, const struct xt_entry_match *match)
-{
-	struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)match->data;
-
-	if (sinfo->count.from > sinfo->count.to) 
-		printf("! --connbytes %llu:%llu ", sinfo->count.to,
-			sinfo->count.from);
-	else
-		printf("--connbytes %llu:%llu ", sinfo->count.from,
-			sinfo->count.to);
-
-	fputs("--connbytes-mode ", stdout);
-	print_mode(sinfo);
-
-	fputs("--connbytes-dir ", stdout);
-	print_direction(sinfo);
-}
-
-static struct iptables_match state = {
-	.name 		= "connbytes",
-	.version 	= IPTABLES_VERSION,
-	.size 		= IPT_ALIGN(sizeof(struct ipt_connbytes_info)),
-	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_connbytes_info)),
-	.help		= &help,
-	.parse		= &parse,
-	.final_check	= &final_check,
-	.print		= &print,
-	.save 		= &save,
-	.extra_opts	= opts
-};
-
-void _init(void)
-{
-	register_match(&state);
-}

Added: trunk/iptables/extensions/libxt_connbytes.c
===================================================================
--- trunk/iptables/extensions/libxt_connbytes.c	                        (rev 0)
+++ trunk/iptables/extensions/libxt_connbytes.c	2007-08-04 08:25:43 UTC (rev 6996)
@@ -0,0 +1,220 @@
+/* Shared library add-on to iptables to add byte tracking support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/xt_connbytes.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+	printf(
+"connbytes v%s options:\n"
+" [!] --connbytes from:[to]\n"
+"     --connbytes-dir [original, reply, both]\n"
+"     --connbytes-mode [packets, bytes, avgpkt]\n"
+"\n", IPTABLES_VERSION);
+}
+
+static const struct option opts[] = {
+	{ "connbytes", 1, 0, '1' },
+	{ "connbytes-dir", 1, 0, '2' },
+	{ "connbytes-mode", 1, 0, '3' },
+	{0}
+};
+
+static void
+parse_range(const char *arg, struct xt_connbytes_info *si)
+{
+	char *colon,*p;
+
+	si->count.from = strtoul(arg,&colon,10);
+	if (*colon != ':') 
+		exit_error(PARAMETER_PROBLEM, "Bad range `%s'", arg);
+	si->count.to = strtoul(colon+1,&p,10);
+	if (p == colon+1) {
+		/* second number omited */
+		si->count.to = 0xffffffff;
+	}
+	if (si->count.from > si->count.to)
+		exit_error(PARAMETER_PROBLEM, "%llu should be less than %llu",
+			   si->count.from, si->count.to);
+}
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const void *entry,
+      unsigned int *nfcache,
+      struct xt_entry_match **match)
+{
+	struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)(*match)->data;
+	unsigned long i;
+
+	switch (c) {
+	case '1':
+		if (check_inverse(optarg, &invert, &optind, 0))
+			optind++;
+
+		parse_range(argv[optind-1], sinfo);
+		if (invert) {
+			i = sinfo->count.from;
+			sinfo->count.from = sinfo->count.to;
+			sinfo->count.to = i;
+		}
+		*flags |= 1;
+		break;
+	case '2':
+		if (!strcmp(optarg, "original"))
+			sinfo->direction = XT_CONNBYTES_DIR_ORIGINAL;
+		else if (!strcmp(optarg, "reply"))
+			sinfo->direction = XT_CONNBYTES_DIR_REPLY;
+		else if (!strcmp(optarg, "both"))
+			sinfo->direction = XT_CONNBYTES_DIR_BOTH;
+		else
+			exit_error(PARAMETER_PROBLEM,
+				   "Unknown --connbytes-dir `%s'", optarg);
+
+		*flags |= 2;
+		break;
+	case '3':
+		if (!strcmp(optarg, "packets"))
+			sinfo->what = XT_CONNBYTES_PKTS;
+		else if (!strcmp(optarg, "bytes"))
+			sinfo->what = XT_CONNBYTES_BYTES;
+		else if (!strcmp(optarg, "avgpkt"))
+			sinfo->what = XT_CONNBYTES_AVGPKT;
+		else
+			exit_error(PARAMETER_PROBLEM,
+				   "Unknown --connbytes-mode `%s'", optarg);
+		*flags |= 4;
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+	if (flags != 7)
+		exit_error(PARAMETER_PROBLEM, "You must specify `--connbytes'"
+			   "`--connbytes-dir' and `--connbytes-mode'");
+}
+
+static void print_mode(struct xt_connbytes_info *sinfo)
+{
+	switch (sinfo->what) {
+		case XT_CONNBYTES_PKTS:
+			fputs("packets ", stdout);
+			break;
+		case XT_CONNBYTES_BYTES:
+			fputs("bytes ", stdout);
+			break;
+		case XT_CONNBYTES_AVGPKT:
+			fputs("avgpkt ", stdout);
+			break;
+		default:
+			fputs("unknown ", stdout);
+			break;
+	}
+}
+
+static void print_direction(struct xt_connbytes_info *sinfo)
+{
+	switch (sinfo->direction) {
+		case XT_CONNBYTES_DIR_ORIGINAL:
+			fputs("original ", stdout);
+			break;
+		case XT_CONNBYTES_DIR_REPLY:
+			fputs("reply ", stdout);
+			break;
+		case XT_CONNBYTES_DIR_BOTH:
+			fputs("both ", stdout);
+			break;
+		default:
+			fputs("unknown ", stdout);
+			break;
+	}
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const void *ip,
+      const struct xt_entry_match *match,
+      int numeric)
+{
+	struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)match->data;
+
+	if (sinfo->count.from > sinfo->count.to) 
+		printf("connbytes ! %llu:%llu ", sinfo->count.to,
+			sinfo->count.from);
+	else
+		printf("connbytes %llu:%llu ",sinfo->count.from,
+			sinfo->count.to);
+
+	fputs("connbytes mode ", stdout);
+	print_mode(sinfo);
+
+	fputs("connbytes direction ", stdout);
+	print_direction(sinfo);
+}
+
+/* Saves the matchinfo in parsable form to stdout. */
+static void save(const void *ip, const struct xt_entry_match *match)
+{
+	struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)match->data;
+
+	if (sinfo->count.from > sinfo->count.to) 
+		printf("! --connbytes %llu:%llu ", sinfo->count.to,
+			sinfo->count.from);
+	else
+		printf("--connbytes %llu:%llu ", sinfo->count.from,
+			sinfo->count.to);
+
+	fputs("--connbytes-mode ", stdout);
+	print_mode(sinfo);
+
+	fputs("--connbytes-dir ", stdout);
+	print_direction(sinfo);
+}
+
+static struct xtables_match state = {
+	.family		= AF_INET,
+	.name 		= "connbytes",
+	.version 	= IPTABLES_VERSION,
+	.size 		= XT_ALIGN(sizeof(struct xt_connbytes_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_connbytes_info)),
+	.help		= &help,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save 		= &save,
+	.extra_opts	= opts
+};
+
+static struct xtables_match state6 = {
+	.family		= AF_INET6,
+	.name 		= "connbytes",
+	.version 	= IPTABLES_VERSION,
+	.size 		= XT_ALIGN(sizeof(struct xt_connbytes_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_connbytes_info)),
+	.help		= &help,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save 		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	xtables_register_match(&state);
+	xtables_register_match(&state6);
+}
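Review bot: The "second number omitted" sentinel `si->count.to = 0xffffffff;` in parse_range caps an open-ended range at 32 bits although `count.to` is a 64-bit field, so `--connbytes 5000000000:` is rejected by the following `from > to` check and `--connbytes-mode bytes` cannot express "more than 4 GiB" as an unbounded range; use `si->count.to = ~(u_int64_t)0;` instead. The two `strtoul` calls impose the same 32-bit ceiling on ILP32 builds and should be `strtoull`, and the swap temporary in parse, `unsigned long i`, truncates the 64-bit bounds on those builds — `u_int64_t i;`. parse_range also accepts trailing garbage after the upper bound (`10:20x` parses as 10:20, and `10:abc` silently becomes 10:max because `p == colon+1`), which a `*p != '\0'` check after the second conversion would catch. The inversion encoding swaps from and to, so `! --connbytes N:N` is indistinguishable from `N:N` after the swap; this is carried over from the old libipt file rather than introduced here, but worth a comment at the swap.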

Added: trunk/iptables/include/linux/netfilter/xt_connbytes.h
===================================================================
--- trunk/iptables/include/linux/netfilter/xt_connbytes.h	                        (rev 0)
+++ trunk/iptables/include/linux/netfilter/xt_connbytes.h	2007-08-04 08:25:43 UTC (rev 6996)
@@ -0,0 +1,25 @@
+#ifndef _XT_CONNBYTES_H
+#define _XT_CONNBYTES_H
+
+enum xt_connbytes_what {
+	XT_CONNBYTES_PKTS,
+	XT_CONNBYTES_BYTES,
+	XT_CONNBYTES_AVGPKT,
+};
+
+enum xt_connbytes_direction {
+	XT_CONNBYTES_DIR_ORIGINAL,
+	XT_CONNBYTES_DIR_REPLY,
+	XT_CONNBYTES_DIR_BOTH,
+};
+
+struct xt_connbytes_info
+{
+	struct {
+		aligned_u64 from;	/* count to be matched */
+		aligned_u64 to;		/* count to be matched */
+	} count;
+	u_int8_t what;		/* ipt_connbytes_what */
+	u_int8_t direction;	/* ipt_connbytes_direction */
+};
+#endif
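Review bot: The field comments `u_int8_t what; /* ipt_connbytes_what */` and `u_int8_t direction; /* ipt_connbytes_direction */` name the old ipt_ enums, while the enums declared above are `xt_connbytes_what` and `xt_connbytes_direction`; they should read `/* xt_connbytes_what */` and `/* xt_connbytes_direction */`. The header also uses `aligned_u64` and `u_int8_t` without including anything, so it compiles only when the including file has already pulled in the kernel/libc type headers (libxt_connbytes.c presumably gets them via `<linux/netfilter/nf_conntrack_common.h>`); either an explicit `#include <linux/types.h>` or a comment stating that prerequisite would make it self-contained — confirm against the matching kernel header before adding the include.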



