[netfilter-cvslog] r6996 - in trunk/iptables: extensions
include/linux/netfilter
yasuyuki at netfilter.org
yasuyuki at netfilter.org
Sat Aug 4 10:25:43 CEST 2007
Author: yasuyuki at netfilter.org
Date: 2007-08-04 10:25:43 +0200 (Sat, 04 Aug 2007)
New Revision: 6996
Added:
trunk/iptables/extensions/.connbytes-testx
trunk/iptables/extensions/libxt_connbytes.c
trunk/iptables/include/linux/netfilter/xt_connbytes.h
Removed:
trunk/iptables/extensions/.connbytes-test
trunk/iptables/extensions/libipt_connbytes.c
Log:
Add IPv6 support to connbytes match
Deleted: trunk/iptables/extensions/.connbytes-test
===================================================================
--- trunk/iptables/extensions/.connbytes-test 2007-08-04 08:24:29 UTC (rev 6995)
+++ trunk/iptables/extensions/.connbytes-test 2007-08-04 08:25:43 UTC (rev 6996)
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connbytes.h ] && echo connbytes
Added: trunk/iptables/extensions/.connbytes-testx
===================================================================
--- trunk/iptables/extensions/.connbytes-testx (rev 0)
+++ trunk/iptables/extensions/.connbytes-testx 2007-08-04 08:25:43 UTC (rev 6996)
@@ -0,0 +1,3 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connbytes.h ] || \
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_connbytes.h ] && echo connbytes
Property changes on: trunk/iptables/extensions/.connbytes-testx
___________________________________________________________________
Name: svn:executable
+ *
Deleted: trunk/iptables/extensions/libipt_connbytes.c
===================================================================
--- trunk/iptables/extensions/libipt_connbytes.c 2007-08-04 08:24:29 UTC (rev 6995)
+++ trunk/iptables/extensions/libipt_connbytes.c 2007-08-04 08:25:43 UTC (rev 6996)
@@ -1,204 +0,0 @@
-/* Shared library add-on to iptables to add byte tracking support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter/nf_conntrack_common.h>
-#include <linux/netfilter_ipv4/ipt_connbytes.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"connbytes v%s options:\n"
-" [!] --connbytes from:[to]\n"
-" --connbytes-dir [original, reply, both]\n"
-" --connbytes-mode [packets, bytes, avgpkt]\n"
-"\n", IPTABLES_VERSION);
-}
-
-static const struct option opts[] = {
- { "connbytes", 1, 0, '1' },
- { "connbytes-dir", 1, 0, '2' },
- { "connbytes-mode", 1, 0, '3' },
- {0}
-};
-
-static void
-parse_range(const char *arg, struct ipt_connbytes_info *si)
-{
- char *colon,*p;
-
- si->count.from = strtoul(arg,&colon,10);
- if (*colon != ':')
- exit_error(PARAMETER_PROBLEM, "Bad range `%s'", arg);
- si->count.to = strtoul(colon+1,&p,10);
- if (p == colon+1) {
- /* second number omited */
- si->count.to = 0xffffffff;
- }
- if (si->count.from > si->count.to)
- exit_error(PARAMETER_PROBLEM, "%llu should be less than %llu",
- si->count.from, si->count.to);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry,
- unsigned int *nfcache,
- struct xt_entry_match **match)
-{
- struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)(*match)->data;
- unsigned long i;
-
- switch (c) {
- case '1':
- if (check_inverse(optarg, &invert, &optind, 0))
- optind++;
-
- parse_range(argv[optind-1], sinfo);
- if (invert) {
- i = sinfo->count.from;
- sinfo->count.from = sinfo->count.to;
- sinfo->count.to = i;
- }
- *flags |= 1;
- break;
- case '2':
- if (!strcmp(optarg, "original"))
- sinfo->direction = IPT_CONNBYTES_DIR_ORIGINAL;
- else if (!strcmp(optarg, "reply"))
- sinfo->direction = IPT_CONNBYTES_DIR_REPLY;
- else if (!strcmp(optarg, "both"))
- sinfo->direction = IPT_CONNBYTES_DIR_BOTH;
- else
- exit_error(PARAMETER_PROBLEM,
- "Unknown --connbytes-dir `%s'", optarg);
-
- *flags |= 2;
- break;
- case '3':
- if (!strcmp(optarg, "packets"))
- sinfo->what = IPT_CONNBYTES_PKTS;
- else if (!strcmp(optarg, "bytes"))
- sinfo->what = IPT_CONNBYTES_BYTES;
- else if (!strcmp(optarg, "avgpkt"))
- sinfo->what = IPT_CONNBYTES_AVGPKT;
- else
- exit_error(PARAMETER_PROBLEM,
- "Unknown --connbytes-mode `%s'", optarg);
- *flags |= 4;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (flags != 7)
- exit_error(PARAMETER_PROBLEM, "You must specify `--connbytes'"
- "`--connbytes-dir' and `--connbytes-mode'");
-}
-
-static void print_mode(struct ipt_connbytes_info *sinfo)
-{
- switch (sinfo->what) {
- case IPT_CONNBYTES_PKTS:
- fputs("packets ", stdout);
- break;
- case IPT_CONNBYTES_BYTES:
- fputs("bytes ", stdout);
- break;
- case IPT_CONNBYTES_AVGPKT:
- fputs("avgpkt ", stdout);
- break;
- default:
- fputs("unknown ", stdout);
- break;
- }
-}
-
-static void print_direction(struct ipt_connbytes_info *sinfo)
-{
- switch (sinfo->direction) {
- case IPT_CONNBYTES_DIR_ORIGINAL:
- fputs("original ", stdout);
- break;
- case IPT_CONNBYTES_DIR_REPLY:
- fputs("reply ", stdout);
- break;
- case IPT_CONNBYTES_DIR_BOTH:
- fputs("both ", stdout);
- break;
- default:
- fputs("unknown ", stdout);
- break;
- }
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const void *ip,
- const struct xt_entry_match *match,
- int numeric)
-{
- struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)match->data;
-
- if (sinfo->count.from > sinfo->count.to)
- printf("connbytes ! %llu:%llu ", sinfo->count.to,
- sinfo->count.from);
- else
- printf("connbytes %llu:%llu ",sinfo->count.from,
- sinfo->count.to);
-
- fputs("connbytes mode ", stdout);
- print_mode(sinfo);
-
- fputs("connbytes direction ", stdout);
- print_direction(sinfo);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const void *ip, const struct xt_entry_match *match)
-{
- struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)match->data;
-
- if (sinfo->count.from > sinfo->count.to)
- printf("! --connbytes %llu:%llu ", sinfo->count.to,
- sinfo->count.from);
- else
- printf("--connbytes %llu:%llu ", sinfo->count.from,
- sinfo->count.to);
-
- fputs("--connbytes-mode ", stdout);
- print_mode(sinfo);
-
- fputs("--connbytes-dir ", stdout);
- print_direction(sinfo);
-}
-
-static struct iptables_match state = {
- .name = "connbytes",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_connbytes_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_connbytes_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&state);
-}
Added: trunk/iptables/extensions/libxt_connbytes.c
===================================================================
--- trunk/iptables/extensions/libxt_connbytes.c (rev 0)
+++ trunk/iptables/extensions/libxt_connbytes.c 2007-08-04 08:25:43 UTC (rev 6996)
@@ -0,0 +1,220 @@
+/* Shared library add-on to iptables to add byte tracking support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/xt_connbytes.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"connbytes v%s options:\n"
+" [!] --connbytes from:[to]\n"
+" --connbytes-dir [original, reply, both]\n"
+" --connbytes-mode [packets, bytes, avgpkt]\n"
+"\n", IPTABLES_VERSION);
+}
+
+static const struct option opts[] = {
+ { "connbytes", 1, 0, '1' },
+ { "connbytes-dir", 1, 0, '2' },
+ { "connbytes-mode", 1, 0, '3' },
+ {0}
+};
+
+static void
+parse_range(const char *arg, struct xt_connbytes_info *si)
+{
+ char *colon,*p;
+
+ si->count.from = strtoul(arg,&colon,10);
+ if (*colon != ':')
+ exit_error(PARAMETER_PROBLEM, "Bad range `%s'", arg);
+ si->count.to = strtoul(colon+1,&p,10);
+ if (p == colon+1) {
+ /* second number omited */
+ si->count.to = 0xffffffff;
+ }
+ if (si->count.from > si->count.to)
+ exit_error(PARAMETER_PROBLEM, "%llu should be less than %llu",
+ si->count.from, si->count.to);
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry,
+ unsigned int *nfcache,
+ struct xt_entry_match **match)
+{
+ struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)(*match)->data;
+ unsigned long i;
+
+ switch (c) {
+ case '1':
+ if (check_inverse(optarg, &invert, &optind, 0))
+ optind++;
+
+ parse_range(argv[optind-1], sinfo);
+ if (invert) {
+ i = sinfo->count.from;
+ sinfo->count.from = sinfo->count.to;
+ sinfo->count.to = i;
+ }
+ *flags |= 1;
+ break;
+ case '2':
+ if (!strcmp(optarg, "original"))
+ sinfo->direction = XT_CONNBYTES_DIR_ORIGINAL;
+ else if (!strcmp(optarg, "reply"))
+ sinfo->direction = XT_CONNBYTES_DIR_REPLY;
+ else if (!strcmp(optarg, "both"))
+ sinfo->direction = XT_CONNBYTES_DIR_BOTH;
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "Unknown --connbytes-dir `%s'", optarg);
+
+ *flags |= 2;
+ break;
+ case '3':
+ if (!strcmp(optarg, "packets"))
+ sinfo->what = XT_CONNBYTES_PKTS;
+ else if (!strcmp(optarg, "bytes"))
+ sinfo->what = XT_CONNBYTES_BYTES;
+ else if (!strcmp(optarg, "avgpkt"))
+ sinfo->what = XT_CONNBYTES_AVGPKT;
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "Unknown --connbytes-mode `%s'", optarg);
+ *flags |= 4;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+ if (flags != 7)
+ exit_error(PARAMETER_PROBLEM, "You must specify `--connbytes'"
+ "`--connbytes-dir' and `--connbytes-mode'");
+}
+
+static void print_mode(struct xt_connbytes_info *sinfo)
+{
+ switch (sinfo->what) {
+ case XT_CONNBYTES_PKTS:
+ fputs("packets ", stdout);
+ break;
+ case XT_CONNBYTES_BYTES:
+ fputs("bytes ", stdout);
+ break;
+ case XT_CONNBYTES_AVGPKT:
+ fputs("avgpkt ", stdout);
+ break;
+ default:
+ fputs("unknown ", stdout);
+ break;
+ }
+}
+
+static void print_direction(struct xt_connbytes_info *sinfo)
+{
+ switch (sinfo->direction) {
+ case XT_CONNBYTES_DIR_ORIGINAL:
+ fputs("original ", stdout);
+ break;
+ case XT_CONNBYTES_DIR_REPLY:
+ fputs("reply ", stdout);
+ break;
+ case XT_CONNBYTES_DIR_BOTH:
+ fputs("both ", stdout);
+ break;
+ default:
+ fputs("unknown ", stdout);
+ break;
+ }
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const void *ip,
+ const struct xt_entry_match *match,
+ int numeric)
+{
+ struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)match->data;
+
+ if (sinfo->count.from > sinfo->count.to)
+ printf("connbytes ! %llu:%llu ", sinfo->count.to,
+ sinfo->count.from);
+ else
+ printf("connbytes %llu:%llu ",sinfo->count.from,
+ sinfo->count.to);
+
+ fputs("connbytes mode ", stdout);
+ print_mode(sinfo);
+
+ fputs("connbytes direction ", stdout);
+ print_direction(sinfo);
+}
+
+/* Saves the matchinfo in parsable form to stdout. */
+static void save(const void *ip, const struct xt_entry_match *match)
+{
+ struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)match->data;
+
+ if (sinfo->count.from > sinfo->count.to)
+ printf("! --connbytes %llu:%llu ", sinfo->count.to,
+ sinfo->count.from);
+ else
+ printf("--connbytes %llu:%llu ", sinfo->count.from,
+ sinfo->count.to);
+
+ fputs("--connbytes-mode ", stdout);
+ print_mode(sinfo);
+
+ fputs("--connbytes-dir ", stdout);
+ print_direction(sinfo);
+}
+
+static struct xtables_match state = {
+ .family = AF_INET,
+ .name = "connbytes",
+ .version = IPTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_connbytes_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)),
+ .help = &help,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+static struct xtables_match state6 = {
+ .family = AF_INET6,
+ .name = "connbytes",
+ .version = IPTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_connbytes_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)),
+ .help = &help,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+void _init(void)
+{
+ xtables_register_match(&state);
+ xtables_register_match(&state6);
+}
Added: trunk/iptables/include/linux/netfilter/xt_connbytes.h
===================================================================
--- trunk/iptables/include/linux/netfilter/xt_connbytes.h (rev 0)
+++ trunk/iptables/include/linux/netfilter/xt_connbytes.h 2007-08-04 08:25:43 UTC (rev 6996)
@@ -0,0 +1,25 @@
+#ifndef _XT_CONNBYTES_H
+#define _XT_CONNBYTES_H
+
+enum xt_connbytes_what {
+ XT_CONNBYTES_PKTS,
+ XT_CONNBYTES_BYTES,
+ XT_CONNBYTES_AVGPKT,
+};
+
+enum xt_connbytes_direction {
+ XT_CONNBYTES_DIR_ORIGINAL,
+ XT_CONNBYTES_DIR_REPLY,
+ XT_CONNBYTES_DIR_BOTH,
+};
+
+struct xt_connbytes_info
+{
+ struct {
+ aligned_u64 from; /* count to be matched */
+ aligned_u64 to; /* count to be matched */
+ } count;
+ u_int8_t what; /* ipt_connbytes_what */
+ u_int8_t direction; /* ipt_connbytes_direction */
+};
+#endif
More information about the netfilter-cvslog
mailing list