summaryrefslogtreecommitdiff
path: root/extensions
diff options
context:
space:
mode:
Diffstat (limited to 'extensions')
-rw-r--r--extensions/GNUmakefile.in190
-rw-r--r--extensions/dscp_helper.c79
-rw-r--r--extensions/libip6t_HL.c157
-rw-r--r--extensions/libip6t_HL.man17
-rw-r--r--extensions/libip6t_LOG.c262
-rw-r--r--extensions/libip6t_LOG.man31
-rw-r--r--extensions/libip6t_REJECT.c146
-rw-r--r--extensions/libip6t_REJECT.man33
-rw-r--r--extensions/libip6t_ah.c207
-rw-r--r--extensions/libip6t_ah.man10
-rw-r--r--extensions/libip6t_dst.c241
-rw-r--r--extensions/libip6t_dst.man7
-rw-r--r--extensions/libip6t_eui64.c15
-rw-r--r--extensions/libip6t_eui64.man10
-rw-r--r--extensions/libip6t_frag.c252
-rw-r--r--extensions/libip6t_frag.man20
-rw-r--r--extensions/libip6t_hbh.c228
-rw-r--r--extensions/libip6t_hbh.man7
-rw-r--r--extensions/libip6t_hl.c144
-rw-r--r--extensions/libip6t_hl.man10
-rw-r--r--extensions/libip6t_icmp6.c263
-rw-r--r--extensions/libip6t_icmp6.man14
-rw-r--r--extensions/libip6t_ipv6header.c290
-rw-r--r--extensions/libip6t_ipv6header.man37
-rw-r--r--extensions/libip6t_mh.c240
-rw-r--r--extensions/libip6t_mh.man12
-rw-r--r--extensions/libip6t_rt.c344
-rw-r--r--extensions/libip6t_rt.man19
-rw-r--r--extensions/libipt_CLUSTERIP.c249
-rw-r--r--extensions/libipt_CLUSTERIP.man24
-rw-r--r--extensions/libipt_DNAT.c269
-rw-r--r--extensions/libipt_DNAT.man39
-rw-r--r--extensions/libipt_ECN.c169
-rw-r--r--extensions/libipt_ECN.man7
-rw-r--r--extensions/libipt_LOG.c264
-rw-r--r--extensions/libipt_LOG.man31
-rw-r--r--extensions/libipt_MASQUERADE.c163
-rw-r--r--extensions/libipt_MASQUERADE.man30
-rw-r--r--extensions/libipt_MIRROR.c15
-rw-r--r--extensions/libipt_MIRROR.man12
-rw-r--r--extensions/libipt_NETMAP.c182
-rw-r--r--extensions/libipt_NETMAP.man9
-rw-r--r--extensions/libipt_REDIRECT.c171
-rw-r--r--extensions/libipt_REDIRECT.man25
-rw-r--r--extensions/libipt_REJECT.c167
-rw-r--r--extensions/libipt_REJECT.man32
-rw-r--r--extensions/libipt_SAME.c217
-rw-r--r--extensions/libipt_SAME.man17
-rw-r--r--extensions/libipt_SNAT.c269
-rw-r--r--extensions/libipt_SNAT.man37
-rw-r--r--extensions/libipt_TTL.c157
-rw-r--r--extensions/libipt_TTL.man19
-rw-r--r--extensions/libipt_ULOG.c198
-rw-r--r--extensions/libipt_ULOG.man27
-rw-r--r--extensions/libipt_addrtype.c360
-rw-r--r--extensions/libipt_addrtype.man69
-rw-r--r--extensions/libipt_ah.c170
-rw-r--r--extensions/libipt_ah.man3
-rw-r--r--extensions/libipt_ecn.c160
-rw-r--r--extensions/libipt_ecn.man11
-rw-r--r--extensions/libipt_icmp.c285
-rw-r--r--extensions/libipt_icmp.man9
-rw-r--r--extensions/libipt_realm.c253
-rw-r--r--extensions/libipt_realm.man7
-rw-r--r--extensions/libipt_ttl.c167
-rw-r--r--extensions/libipt_ttl.man10
-rw-r--r--extensions/libipt_unclean.c15
-rw-r--r--extensions/libipt_unclean.man2
-rw-r--r--extensions/libxt_CLASSIFY.c115
-rw-r--r--extensions/libxt_CLASSIFY.man5
-rw-r--r--extensions/libxt_CONNMARK.c445
-rw-r--r--extensions/libxt_CONNMARK.man53
-rw-r--r--extensions/libxt_CONNSECMARK.c127
-rw-r--r--extensions/libxt_CONNSECMARK.man15
-rw-r--r--extensions/libxt_CT.c192
-rw-r--r--extensions/libxt_CT.man25
-rw-r--r--extensions/libxt_DSCP.c149
-rw-r--r--extensions/libxt_DSCP.man9
-rw-r--r--extensions/libxt_LED.c155
-rw-r--r--extensions/libxt_LED.man30
-rw-r--r--extensions/libxt_MARK.c347
-rw-r--r--extensions/libxt_MARK.man27
-rw-r--r--extensions/libxt_NFLOG.c158
-rw-r--r--extensions/libxt_NFLOG.man29
-rw-r--r--extensions/libxt_NFQUEUE.c204
-rw-r--r--extensions/libxt_NFQUEUE.man18
-rw-r--r--extensions/libxt_NOTRACK.c15
-rw-r--r--extensions/libxt_NOTRACK.man5
-rw-r--r--extensions/libxt_RATEEST.c222
-rw-r--r--extensions/libxt_RATEEST.man12
-rw-r--r--extensions/libxt_SECMARK.c113
-rw-r--r--extensions/libxt_SECMARK.man7
-rw-r--r--extensions/libxt_SET.c286
-rw-r--r--extensions/libxt_SET.man18
-rw-r--r--extensions/libxt_TCPMSS.c154
-rw-r--r--extensions/libxt_TCPMSS.man47
-rw-r--r--extensions/libxt_TCPOPTSTRIP.c198
-rw-r--r--extensions/libxt_TCPOPTSTRIP.man7
-rw-r--r--extensions/libxt_TEE.c202
-rw-r--r--extensions/libxt_TEE.man12
-rw-r--r--extensions/libxt_TOS.c245
-rw-r--r--extensions/libxt_TOS.man27
-rw-r--r--extensions/libxt_TPROXY.c150
-rw-r--r--extensions/libxt_TPROXY.man21
-rw-r--r--extensions/libxt_TRACE.c21
-rw-r--r--extensions/libxt_TRACE.man11
-rw-r--r--extensions/libxt_cluster.c238
-rw-r--r--extensions/libxt_cluster.man62
-rw-r--r--extensions/libxt_comment.c108
-rw-r--r--extensions/libxt_comment.man6
-rw-r--r--extensions/libxt_connbytes.c199
-rw-r--r--extensions/libxt_connbytes.man36
-rw-r--r--extensions/libxt_connlimit.c216
-rw-r--r--extensions/libxt_connlimit.man27
-rw-r--r--extensions/libxt_connmark.c205
-rw-r--r--extensions/libxt_connmark.man6
-rw-r--r--extensions/libxt_conntrack.c1243
-rw-r--r--extensions/libxt_conntrack.man85
-rw-r--r--extensions/libxt_dccp.c354
-rw-r--r--extensions/libxt_dccp.man12
-rw-r--r--extensions/libxt_dscp.c150
-rw-r--r--extensions/libxt_dscp.man10
-rw-r--r--extensions/libxt_esp.c169
-rw-r--r--extensions/libxt_esp.man3
-rw-r--r--extensions/libxt_hashlimit.c711
-rw-r--r--extensions/libxt_hashlimit.man59
-rw-r--r--extensions/libxt_helper.c87
-rw-r--r--extensions/libxt_helper.man11
-rw-r--r--extensions/libxt_iprange.c387
-rw-r--r--extensions/libxt_iprange.man7
-rw-r--r--extensions/libxt_length.c133
-rw-r--r--extensions/libxt_length.man5
-rw-r--r--extensions/libxt_limit.c177
-rw-r--r--extensions/libxt_limit.man15
-rw-r--r--extensions/libxt_mac.c131
-rw-r--r--extensions/libxt_mac.man10
-rw-r--r--extensions/libxt_mark.c185
-rw-r--r--extensions/libxt_mark.man9
-rw-r--r--extensions/libxt_multiport.c575
-rw-r--r--extensions/libxt_multiport.man23
-rw-r--r--extensions/libxt_osf.c155
-rw-r--r--extensions/libxt_osf.man45
-rw-r--r--extensions/libxt_owner.c614
-rw-r--r--extensions/libxt_owner.man19
-rw-r--r--extensions/libxt_physdev.c180
-rw-r--r--extensions/libxt_physdev.man42
-rw-r--r--extensions/libxt_pkttype.c158
-rw-r--r--extensions/libxt_pkttype.man3
-rw-r--r--extensions/libxt_policy.c513
-rw-r--r--extensions/libxt_policy.man48
-rw-r--r--extensions/libxt_quota.c97
-rw-r--r--extensions/libxt_quota.man5
-rw-r--r--extensions/libxt_rateest.c453
-rw-r--r--extensions/libxt_rateest.man55
-rw-r--r--extensions/libxt_recent.c233
-rw-r--r--extensions/libxt_recent.man104
-rw-r--r--extensions/libxt_sctp.c515
-rw-r--r--extensions/libxt_sctp.man28
-rw-r--r--extensions/libxt_set.c250
-rw-r--r--extensions/libxt_set.h147
-rw-r--r--extensions/libxt_set.man23
-rw-r--r--extensions/libxt_socket.c19
-rw-r--r--extensions/libxt_socket.man2
-rw-r--r--extensions/libxt_standard.c24
-rw-r--r--extensions/libxt_state.c158
-rw-r--r--extensions/libxt_state.man24
-rw-r--r--extensions/libxt_statistic.c180
-rw-r--r--extensions/libxt_statistic.man30
-rw-r--r--extensions/libxt_string.c389
-rw-r--r--extensions/libxt_string.man18
-rw-r--r--extensions/libxt_tcp.c395
-rw-r--r--extensions/libxt_tcp.man44
-rw-r--r--extensions/libxt_tcpmss.c128
-rw-r--r--extensions/libxt_tcpmss.man4
-rw-r--r--extensions/libxt_time.c485
-rw-r--r--extensions/libxt_time.man69
-rw-r--r--extensions/libxt_tos.c178
-rw-r--r--extensions/libxt_tos.man12
-rw-r--r--extensions/libxt_u32.c284
-rw-r--r--extensions/libxt_u32.man129
-rw-r--r--extensions/libxt_udp.c211
-rw-r--r--extensions/libxt_udp.man14
-rw-r--r--extensions/tos_values.c96
183 files changed, 23715 insertions, 0 deletions
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
new file mode 100644
index 0000000..709366a
--- /dev/null
+++ b/extensions/GNUmakefile.in
@@ -0,0 +1,190 @@
+# -*- Makefile -*-
+
+top_builddir := @top_builddir@
+builddir := @builddir@
+top_srcdir := @top_srcdir@
+srcdir := @srcdir@
+ksourcedir := @ksourcedir@
+prefix := @prefix@
+exec_prefix := @exec_prefix@
+libdir := @libdir@
+libexecdir := @libexecdir@
+xtlibdir := @xtlibdir@
+
+CC := @CC@
+CCLD := ${CC}
+CFLAGS := @CFLAGS@
+LDFLAGS := @LDFLAGS@
+regular_CFLAGS := @regular_CFLAGS@
+kinclude_CFLAGS := @kinclude_CFLAGS@
+
+AM_CFLAGS := ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
+AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
+
+ifeq (${V},)
+AM_LIBTOOL_SILENT = --silent
+AM_VERBOSE_CC = @echo " CC " $@;
+AM_VERBOSE_CCLD = @echo " CCLD " $@;
+AM_VERBOSE_CXX = @echo " CXX " $@;
+AM_VERBOSE_CXXLD = @echo " CXXLD " $@;
+AM_VERBOSE_AR = @echo " AR " $@;
+AM_VERBOSE_GEN = @echo " GEN " $@;
+endif
+
+#
+# Wildcard module list
+#
+pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c))
+@ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c))
+@ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c))
+pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
+pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
+pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
+pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
+pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
+pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+
+
+#
+# Building blocks
+#
+targets := libext4.a libext6.a matches4.man matches6.man \
+ targets4.man targets6.man
+targets_install :=
+@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
+@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
+@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+
+.SECONDARY:
+
+.PHONY: all install clean distclean FORCE
+
+all: ${targets}
+
+install: ${targets_install}
+ @mkdir -p "${DESTDIR}${xtlibdir}";
+ if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
+
+clean:
+ rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext4.c initext6.c;
+
+distclean: clean
+ rm -f .*.d .*.dd;
+
+init%.o: init%.c
+ ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
+
+-include .*.d
+
+
+#
+# Shared libraries
+#
+lib%.so: lib%.oo
+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
+
+lib%.oo: ${srcdir}/lib%.c
+ ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+
+#
+# Static bits
+#
+# If static building is disabled, libext*.a will still be generated,
+# but will be empty. This is good since we can do with less case
+# handling code in the Makefiles.
+#
+lib%.o: ${srcdir}/lib%.c
+ ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
+
+libext4.a: initext4.o ${libext4_objs}
+ ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+
+libext6.a: initext6.o ${libext6_objs}
+ ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+
+initext_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod})
+initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod})
+
+.initext4.dd: FORCE
+ @echo "${initext_func}" >$@.tmp; \
+ cmp -s $@ $@.tmp || mv $@.tmp $@; \
+ rm -f $@.tmp;
+
+.initext6.dd: FORCE
+ @echo "${initext6_func}" >$@.tmp; \
+ cmp -s $@ $@.tmp || mv $@.tmp $@; \
+ rm -f $@.tmp;
+
+initext4.c: .initext4.dd
+ ${AM_VERBOSE_GEN}
+ @( \
+ echo "" >$@; \
+ for i in ${initext_func}; do \
+ echo "extern void lib$${i}_init(void);" >>$@; \
+ done; \
+ echo "void init_extensions(void);" >>$@; \
+ echo "void init_extensions(void)" >>$@; \
+ echo "{" >>$@; \
+ for i in ${initext_func}; do \
+ echo " ""lib$${i}_init();" >>$@; \
+ done; \
+ echo "}" >>$@; \
+ );
+
+initext6.c: .initext6.dd
+ ${AM_VERBOSE_GEN}
+ @( \
+ echo "" >$@; \
+ for i in ${initext6_func}; do \
+ echo "extern void lib$${i}_init(void);" >>$@; \
+ done; \
+ echo "void init_extensions(void);" >>$@; \
+ echo "void init_extensions(void)" >>$@; \
+ echo "{" >>$@; \
+ for i in ${initext6_func}; do \
+ echo " ""lib$${i}_init();" >>$@; \
+ done; \
+ echo "}" >>$@; \
+ );
+
+#
+# Manual pages
+#
+ex_matches = $(sort $(shell echo $(1) | grep -Eo '\b[a-z0-9]+\b'))
+ex_targets = $(sort $(shell echo $(1) | grep -Eo '\b[A-Z0-9]+\b'))
+man_run = \
+ ${AM_VERBOSE_GEN} \
+ for ext in $(1); do \
+ f="${srcdir}/libxt_$$ext.man"; \
+ cf="${srcdir}/libxt_$$ext.c"; \
+ if [ -f "$$f" ] && grep -Eq "$(3)|NFPROTO_UNSPEC" "$$cf"; then \
+ echo -e "\t+ $$f" >&2; \
+ echo ".SS $$ext"; \
+ cat "$$f"; \
+ continue; \
+ fi; \
+ f="${srcdir}/lib$(2)t_$$ext.man"; \
+ if [ -f "$$f" ]; then \
+ echo -e "\t+ $$f" >&2; \
+ echo ".SS $$ext"; \
+ cat "$$f"; \
+ continue; \
+ fi; \
+ done >$@;
+
+matches4.man: .initext4.dd $(wildcard ${srcdir}/lib*.man)
+ $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4)
+
+matches6.man: .initext6.dd $(wildcard ${srcdir}/lib*.man)
+ $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6)
+
+targets4.man: .initext4.dd $(wildcard ${srcdir}/lib*.man)
+ $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4)
+
+targets6.man: .initext6.dd $(wildcard ${srcdir}/lib*.man)
+ $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6)
diff --git a/extensions/dscp_helper.c b/extensions/dscp_helper.c
new file mode 100644
index 0000000..75b1fec
--- /dev/null
+++ b/extensions/dscp_helper.c
@@ -0,0 +1,79 @@
+/*
+ * DiffServ classname <-> DiffServ codepoint mapping functions.
+ *
+ * The latest list of the mappings can be found at:
+ * <http://www.iana.org/assignments/dscp-registry>
+ *
+ * This code is released under the GNU GPL v2, 1991
+ *
+ * Author: Iain Barnes
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+
+
+static const struct ds_class
+{
+ const char *name;
+ unsigned int dscp;
+} ds_classes[] =
+{
+ { "CS0", 0x00 },
+ { "CS1", 0x08 },
+ { "CS2", 0x10 },
+ { "CS3", 0x18 },
+ { "CS4", 0x20 },
+ { "CS5", 0x28 },
+ { "CS6", 0x30 },
+ { "CS7", 0x38 },
+ { "BE", 0x00 },
+ { "AF11", 0x0a },
+ { "AF12", 0x0c },
+ { "AF13", 0x0e },
+ { "AF21", 0x12 },
+ { "AF22", 0x14 },
+ { "AF23", 0x16 },
+ { "AF31", 0x1a },
+ { "AF32", 0x1c },
+ { "AF33", 0x1e },
+ { "AF41", 0x22 },
+ { "AF42", 0x24 },
+ { "AF43", 0x26 },
+ { "EF", 0x2e }
+};
+
+
+
+static unsigned int
+class_to_dscp(const char *name)
+{
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(ds_classes); i++) {
+ if (!strncasecmp(name, ds_classes[i].name,
+ strlen(ds_classes[i].name)))
+ return ds_classes[i].dscp;
+ }
+
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid DSCP value `%s'\n", name);
+}
+
+
+#if 0
+static const char *
+dscp_to_name(unsigned int dscp)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(ds_classes); ++i)
+ if (dscp == ds_classes[i].dscp)
+ return ds_classes[i].name;
+
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid DSCP value `%d'\n", dscp);
+}
+#endif
+
diff --git a/extensions/libip6t_HL.c b/extensions/libip6t_HL.c
new file mode 100644
index 0000000..bff0611
--- /dev/null
+++ b/extensions/libip6t_HL.c
@@ -0,0 +1,157 @@
+/*
+ * IPv6 Hop Limit Target module
+ * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ * Based on HW's ttl target
+ * This program is distributed under the terms of GNU GPL
+ */
+
+#include <getopt.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <xtables.h>
+
+#include <linux/netfilter_ipv6/ip6t_HL.h>
+
+#define IP6T_HL_USED 1
+
+static void HL_help(void)
+{
+ printf(
+"HL target options\n"
+" --hl-set value Set HL to <value 0-255>\n"
+" --hl-dec value Decrement HL by <value 1-255>\n"
+" --hl-inc value Increment HL by <value 1-255>\n");
+}
+
+static int HL_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ip6t_HL_info *info = (struct ip6t_HL_info *) (*target)->data;
+ unsigned int value;
+
+ if (*flags & IP6T_HL_USED) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify HL option twice");
+ }
+
+ if (!optarg)
+ xtables_error(PARAMETER_PROBLEM,
+ "HL: You must specify a value");
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "HL: unexpected `!'");
+
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "HL: Expected value between 0 and 255");
+
+ switch (c) {
+
+ case '1':
+ info->mode = IP6T_HL_SET;
+ break;
+
+ case '2':
+ if (value == 0) {
+ xtables_error(PARAMETER_PROBLEM,
+ "HL: decreasing by 0?");
+ }
+
+ info->mode = IP6T_HL_DEC;
+ break;
+
+ case '3':
+ if (value == 0) {
+ xtables_error(PARAMETER_PROBLEM,
+ "HL: increasing by 0?");
+ }
+
+ info->mode = IP6T_HL_INC;
+ break;
+
+ default:
+ return 0;
+
+ }
+
+ info->hop_limit = value;
+ *flags |= IP6T_HL_USED;
+
+ return 1;
+}
+
+static void HL_check(unsigned int flags)
+{
+ if (!(flags & IP6T_HL_USED))
+ xtables_error(PARAMETER_PROBLEM,
+ "HL: You must specify an action");
+}
+
+static void HL_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ip6t_HL_info *info =
+ (struct ip6t_HL_info *) target->data;
+
+ switch (info->mode) {
+ case IP6T_HL_SET:
+ printf("--hl-set ");
+ break;
+ case IP6T_HL_DEC:
+ printf("--hl-dec ");
+ break;
+
+ case IP6T_HL_INC:
+ printf("--hl-inc ");
+ break;
+ }
+ printf("%u ", info->hop_limit);
+}
+
+static void HL_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ip6t_HL_info *info =
+ (struct ip6t_HL_info *) target->data;
+
+ printf("HL ");
+ switch (info->mode) {
+ case IP6T_HL_SET:
+ printf("set to ");
+ break;
+ case IP6T_HL_DEC:
+ printf("decrement by ");
+ break;
+ case IP6T_HL_INC:
+ printf("increment by ");
+ break;
+ }
+ printf("%u ", info->hop_limit);
+}
+
+static const struct option HL_opts[] = {
+ { "hl-set", 1, NULL, '1' },
+ { "hl-dec", 1, NULL, '2' },
+ { "hl-inc", 1, NULL, '3' },
+ { .name = NULL }
+};
+
+static struct xtables_target hl_tg6_reg = {
+ .name = "HL",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_HL_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_HL_info)),
+ .help = HL_help,
+ .parse = HL_parse,
+ .final_check = HL_check,
+ .print = HL_print,
+ .save = HL_save,
+ .extra_opts = HL_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&hl_tg6_reg);
+}
diff --git a/extensions/libip6t_HL.man b/extensions/libip6t_HL.man
new file mode 100644
index 0000000..0f3afb1
--- /dev/null
+++ b/extensions/libip6t_HL.man
@@ -0,0 +1,17 @@
+This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field
+is similar to what is known as TTL value in IPv4. Setting or incrementing the
+Hop Limit field can potentially be very dangerous, so it should be avoided at
+any cost. This target is only valid in
+.B mangle
+table.
+.PP
+.B Don't ever set or increment the value on packets that leave your local network!
+.TP
+\fB\-\-hl\-set\fP \fIvalue\fP
+Set the Hop Limit to `value'.
+.TP
+\fB\-\-hl\-dec\fP \fIvalue\fP
+Decrement the Hop Limit `value' times.
+.TP
+\fB\-\-hl\-inc\fP \fIvalue\fP
+Increment the Hop Limit `value' times.
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
new file mode 100644
index 0000000..423d988
--- /dev/null
+++ b/extensions/libip6t_LOG.c
@@ -0,0 +1,262 @@
+/* Shared library add-on to ip6tables to add LOG support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv6/ip6t_LOG.h>
+
+#ifndef IP6T_LOG_UID /* Old kernel */
+#define IP6T_LOG_UID 0x08
+#undef IP6T_LOG_MASK
+#define IP6T_LOG_MASK 0x0f
+#endif
+
+#define LOG_DEFAULT_LEVEL LOG_WARNING
+
+static void LOG_help(void)
+{
+ printf(
+"LOG target options:\n"
+" --log-level level Level of logging (numeric or see syslog.conf)\n"
+" --log-prefix prefix Prefix log messages with this prefix.\n"
+" --log-tcp-sequence Log TCP sequence numbers.\n"
+" --log-tcp-options Log TCP options.\n"
+" --log-ip-options Log IP options.\n"
+" --log-uid Log UID owning the local socket.\n");
+}
+
+static const struct option LOG_opts[] = {
+ { .name = "log-level", .has_arg = 1, .val = '!' },
+ { .name = "log-prefix", .has_arg = 1, .val = '#' },
+ { .name = "log-tcp-sequence", .has_arg = 0, .val = '1' },
+ { .name = "log-tcp-options", .has_arg = 0, .val = '2' },
+ { .name = "log-ip-options", .has_arg = 0, .val = '3' },
+ { .name = "log-uid", .has_arg = 0, .val = '4' },
+ { .name = NULL }
+};
+
+static void LOG_init(struct xt_entry_target *t)
+{
+ struct ip6t_log_info *loginfo = (struct ip6t_log_info *)t->data;
+
+ loginfo->level = LOG_DEFAULT_LEVEL;
+
+}
+
+struct ip6t_log_names {
+ const char *name;
+ unsigned int level;
+};
+
+static const struct ip6t_log_names ip6t_log_names[]
+= { { .name = "alert", .level = LOG_ALERT },
+ { .name = "crit", .level = LOG_CRIT },
+ { .name = "debug", .level = LOG_DEBUG },
+ { .name = "emerg", .level = LOG_EMERG },
+ { .name = "error", .level = LOG_ERR }, /* DEPRECATED */
+ { .name = "info", .level = LOG_INFO },
+ { .name = "notice", .level = LOG_NOTICE },
+ { .name = "panic", .level = LOG_EMERG }, /* DEPRECATED */
+ { .name = "warning", .level = LOG_WARNING }
+};
+
+static u_int8_t
+parse_level(const char *level)
+{
+ unsigned int lev = -1;
+ unsigned int set = 0;
+
+ if (!xtables_strtoui(level, NULL, &lev, 0, 7)) {
+ unsigned int i = 0;
+
+ for (i = 0; i < ARRAY_SIZE(ip6t_log_names); ++i)
+ if (strncasecmp(level, ip6t_log_names[i].name,
+ strlen(level)) == 0) {
+ if (set++)
+ xtables_error(PARAMETER_PROBLEM,
+ "log-level `%s' ambiguous",
+ level);
+ lev = ip6t_log_names[i].level;
+ }
+
+ if (!set)
+ xtables_error(PARAMETER_PROBLEM,
+ "log-level `%s' unknown", level);
+ }
+
+ return lev;
+}
+
+#define IP6T_LOG_OPT_LEVEL 0x01
+#define IP6T_LOG_OPT_PREFIX 0x02
+#define IP6T_LOG_OPT_TCPSEQ 0x04
+#define IP6T_LOG_OPT_TCPOPT 0x08
+#define IP6T_LOG_OPT_IPOPT 0x10
+#define IP6T_LOG_OPT_UID 0x20
+
+static int LOG_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ip6t_log_info *loginfo = (struct ip6t_log_info *)(*target)->data;
+
+ switch (c) {
+ case '!':
+ if (*flags & IP6T_LOG_OPT_LEVEL)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-level twice");
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --log-level");
+
+ loginfo->level = parse_level(optarg);
+ *flags |= IP6T_LOG_OPT_LEVEL;
+ break;
+
+ case '#':
+ if (*flags & IP6T_LOG_OPT_PREFIX)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-prefix twice");
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --log-prefix");
+
+ if (strlen(optarg) > sizeof(loginfo->prefix) - 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Maximum prefix length %u for --log-prefix",
+ (unsigned int)sizeof(loginfo->prefix) - 1);
+
+ if (strlen(optarg) == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "No prefix specified for --log-prefix");
+
+ if (strlen(optarg) != strlen(strtok(optarg, "\n")))
+ xtables_error(PARAMETER_PROBLEM,
+ "Newlines not allowed in --log-prefix");
+
+ strcpy(loginfo->prefix, optarg);
+ *flags |= IP6T_LOG_OPT_PREFIX;
+ break;
+
+ case '1':
+ if (*flags & IP6T_LOG_OPT_TCPSEQ)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-tcp-sequence "
+ "twice");
+
+ loginfo->logflags |= IP6T_LOG_TCPSEQ;
+ *flags |= IP6T_LOG_OPT_TCPSEQ;
+ break;
+
+ case '2':
+ if (*flags & IP6T_LOG_OPT_TCPOPT)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-tcp-options twice");
+
+ loginfo->logflags |= IP6T_LOG_TCPOPT;
+ *flags |= IP6T_LOG_OPT_TCPOPT;
+ break;
+
+ case '3':
+ if (*flags & IP6T_LOG_OPT_IPOPT)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-ip-options twice");
+
+ loginfo->logflags |= IP6T_LOG_IPOPT;
+ *flags |= IP6T_LOG_OPT_IPOPT;
+ break;
+
+ case '4':
+ if (*flags & IP6T_LOG_OPT_UID)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-uid twice");
+
+ loginfo->logflags |= IP6T_LOG_UID;
+ *flags |= IP6T_LOG_OPT_UID;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void LOG_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ip6t_log_info *loginfo
+ = (const struct ip6t_log_info *)target->data;
+ unsigned int i = 0;
+
+ printf("LOG ");
+ if (numeric)
+ printf("flags %u level %u ",
+ loginfo->logflags, loginfo->level);
+ else {
+ for (i = 0; i < ARRAY_SIZE(ip6t_log_names); ++i)
+ if (loginfo->level == ip6t_log_names[i].level) {
+ printf("level %s ", ip6t_log_names[i].name);
+ break;
+ }
+ if (i == ARRAY_SIZE(ip6t_log_names))
+ printf("UNKNOWN level %u ", loginfo->level);
+ if (loginfo->logflags & IP6T_LOG_TCPSEQ)
+ printf("tcp-sequence ");
+ if (loginfo->logflags & IP6T_LOG_TCPOPT)
+ printf("tcp-options ");
+ if (loginfo->logflags & IP6T_LOG_IPOPT)
+ printf("ip-options ");
+ if (loginfo->logflags & IP6T_LOG_UID)
+ printf("uid ");
+ if (loginfo->logflags & ~(IP6T_LOG_MASK))
+ printf("unknown-flags ");
+ }
+
+ if (strcmp(loginfo->prefix, "") != 0)
+ printf("prefix `%s' ", loginfo->prefix);
+}
+
+static void LOG_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ip6t_log_info *loginfo
+ = (const struct ip6t_log_info *)target->data;
+
+ if (strcmp(loginfo->prefix, "") != 0)
+ printf("--log-prefix \"%s\" ", loginfo->prefix);
+
+ if (loginfo->level != LOG_DEFAULT_LEVEL)
+ printf("--log-level %d ", loginfo->level);
+
+ if (loginfo->logflags & IP6T_LOG_TCPSEQ)
+ printf("--log-tcp-sequence ");
+ if (loginfo->logflags & IP6T_LOG_TCPOPT)
+ printf("--log-tcp-options ");
+ if (loginfo->logflags & IP6T_LOG_IPOPT)
+ printf("--log-ip-options ");
+ if (loginfo->logflags & IP6T_LOG_UID)
+ printf("--log-uid ");
+}
+
+static struct xtables_target log_tg6_reg = {
+ .name = "LOG",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_log_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_log_info)),
+ .help = LOG_help,
+ .init = LOG_init,
+ .parse = LOG_parse,
+ .print = LOG_print,
+ .save = LOG_save,
+ .extra_opts = LOG_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&log_tg6_reg);
+}
diff --git a/extensions/libip6t_LOG.man b/extensions/libip6t_LOG.man
new file mode 100644
index 0000000..b7803fe
--- /dev/null
+++ b/extensions/libip6t_LOG.man
@@ -0,0 +1,31 @@
+Turn on kernel logging of matching packets. When this option is set
+for a rule, the Linux kernel will print some information on all
+matching packets (like most IPv6 IPv6-header fields) via the kernel log
+(where it can be read with
+.I dmesg
+or
+.IR syslogd (8)).
+This is a "non-terminating target", i.e. rule traversal continues at
+the next rule. So if you want to LOG the packets you refuse, use two
+separate rules with the same matching criteria, first using target LOG
+then DROP (or REJECT).
+.TP
+\fB\-\-log\-level\fP \fIlevel\fP
+Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+.TP
+\fB\-\-log\-prefix\fP \fIprefix\fP
+Prefix log messages with the specified prefix; up to 29 letters long,
+and useful for distinguishing messages in the logs.
+.TP
+\fB\-\-log\-tcp\-sequence\fP
+Log TCP sequence numbers. This is a security risk if the log is
+readable by users.
+.TP
+\fB\-\-log\-tcp\-options\fP
+Log options from the TCP packet header.
+.TP
+\fB\-\-log\-ip\-options\fP
+Log options from the IPv6 packet header.
+.TP
+\fB\-\-log\-uid\fP
+Log the userid of the process which generated the packet.
diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c
new file mode 100644
index 0000000..b8195d7
--- /dev/null
+++ b/extensions/libip6t_REJECT.c
@@ -0,0 +1,146 @@
+/* Shared library add-on to ip6tables to add customized REJECT support.
+ *
+ * (C) 2000 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * ported to IPv6 by Harald Welte <laforge@gnumonks.org>
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv6/ip6t_REJECT.h>
+
+struct reject_names {
+ const char *name;
+ const char *alias;
+ enum ip6t_reject_with with;
+ const char *desc;
+};
+
+static const struct reject_names reject_table[] = {
+ {"icmp6-no-route", "no-route",
+ IP6T_ICMP6_NO_ROUTE, "ICMPv6 no route"},
+ {"icmp6-adm-prohibited", "adm-prohibited",
+ IP6T_ICMP6_ADM_PROHIBITED, "ICMPv6 administratively prohibited"},
+#if 0
+ {"icmp6-not-neighbor", "not-neighbor"},
+ IP6T_ICMP6_NOT_NEIGHBOR, "ICMPv6 not a neighbor"},
+#endif
+ {"icmp6-addr-unreachable", "addr-unreach",
+ IP6T_ICMP6_ADDR_UNREACH, "ICMPv6 address unreachable"},
+ {"icmp6-port-unreachable", "port-unreach",
+ IP6T_ICMP6_PORT_UNREACH, "ICMPv6 port unreachable"},
+ {"tcp-reset", "tcp-reset",
+ IP6T_TCP_RESET, "TCP RST packet"}
+};
+
+static void
+print_reject_types(void)
+{
+ unsigned int i;
+
+ printf("Valid reject types:\n");
+
+ for (i = 0; i < ARRAY_SIZE(reject_table); ++i) {
+ printf(" %-25s\t%s\n", reject_table[i].name, reject_table[i].desc);
+ printf(" %-25s\talias\n", reject_table[i].alias);
+ }
+ printf("\n");
+}
+
+static void REJECT_help(void)
+{
+ printf(
+"REJECT target options:\n"
+"--reject-with type drop input packet and send back\n"
+" a reply packet according to type:\n");
+
+ print_reject_types();
+}
+
+static const struct option REJECT_opts[] = {
+ { "reject-with", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static void REJECT_init(struct xt_entry_target *t)
+{
+ struct ip6t_reject_info *reject = (struct ip6t_reject_info *)t->data;
+
+ /* default */
+ reject->with = IP6T_ICMP6_PORT_UNREACH;
+
+}
+
+static int REJECT_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ip6t_reject_info *reject =
+ (struct ip6t_reject_info *)(*target)->data;
+ unsigned int i;
+
+ switch(c) {
+ case '1':
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --reject-with");
+ for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
+ if ((strncasecmp(reject_table[i].name, optarg, strlen(optarg)) == 0)
+ || (strncasecmp(reject_table[i].alias, optarg, strlen(optarg)) == 0)) {
+ reject->with = reject_table[i].with;
+ return 1;
+ }
+ xtables_error(PARAMETER_PROBLEM, "unknown reject type \"%s\"", optarg);
+ default:
+ /* Fall through */
+ break;
+ }
+ return 0;
+}
+
+static void REJECT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ip6t_reject_info *reject
+ = (const struct ip6t_reject_info *)target->data;
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
+ if (reject_table[i].with == reject->with)
+ break;
+ printf("reject-with %s ", reject_table[i].name);
+}
+
+static void REJECT_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ip6t_reject_info *reject
+ = (const struct ip6t_reject_info *)target->data;
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
+ if (reject_table[i].with == reject->with)
+ break;
+
+ printf("--reject-with %s ", reject_table[i].name);
+}
+
+static struct xtables_target reject_tg6_reg = {
+ .name = "REJECT",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_reject_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_reject_info)),
+ .help = REJECT_help,
+ .init = REJECT_init,
+ .parse = REJECT_parse,
+ .print = REJECT_print,
+ .save = REJECT_save,
+ .extra_opts = REJECT_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&reject_tg6_reg);
+}
diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man
new file mode 100644
index 0000000..2d09e05
--- /dev/null
+++ b/extensions/libip6t_REJECT.man
@@ -0,0 +1,33 @@
+This is used to send back an error packet in response to the matched
+packet: otherwise it is equivalent to
+.B DROP
+so it is a terminating TARGET, ending rule traversal.
+This target is only valid in the
+.BR INPUT ,
+.B FORWARD
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. The following option controls the nature of the error packet
+returned:
+.TP
+\fB\-\-reject\-with\fP \fItype\fP
+The type given can be
+\fBicmp6\-no\-route\fP,
+\fBno\-route\fP,
+\fBicmp6\-adm\-prohibited\fP,
+\fBadm\-prohibited\fP,
+\fBicmp6\-addr\-unreachable\fP,
+\fBaddr\-unreach\fP,
+\fBicmp6\-port\-unreachable\fP or
+\fBport\-unreach\fP
+which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is
+the default). Finally, the option
+\fBtcp\-reset\fP
+can be used on rules which only match the TCP protocol: this causes a
+TCP RST packet to be sent back. This is mainly useful for blocking
+.I ident
+(113/tcp) probes which frequently occur when sending mail to broken mail
+hosts (which won't accept your mail otherwise).
+\fBtcp\-reset\fP
+can only be used with kernel versions 2.6.14 or later.
diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
new file mode 100644
index 0000000..285704c
--- /dev/null
+++ b/extensions/libip6t_ah.c
@@ -0,0 +1,207 @@
+/* Shared library add-on to ip6tables to add AH support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv6/ip6t_ah.h>
+
+static void ah_help(void)
+{
+ printf(
+"ah match options:\n"
+"[!] --ahspi spi[:spi] match spi (range)\n"
+"[!] --ahlen length total length of this header\n"
+" --ahres check the reserved filed, too\n");
+}
+
+static const struct option ah_opts[] = {
+ { .name = "ahspi", .has_arg = 1, .val = '1' },
+ { .name = "ahlen", .has_arg = 1, .val = '2' },
+ { .name = "ahres", .has_arg = 0, .val = '3' },
+ { .name = NULL }
+};
+
+static u_int32_t
+parse_ah_spi(const char *spistr, const char *typestr)
+{
+ unsigned long int spi;
+ char* ep;
+
+ spi = strtoul(spistr, &ep, 0);
+
+ if ( spistr == ep )
+ xtables_error(PARAMETER_PROBLEM,
+ "AH no valid digits in %s `%s'", typestr, spistr);
+
+ if ( spi == ULONG_MAX && errno == ERANGE )
+ xtables_error(PARAMETER_PROBLEM,
+ "%s `%s' specified too big: would overflow",
+ typestr, spistr);
+
+ if ( *spistr != '\0' && *ep != '\0' )
+ xtables_error(PARAMETER_PROBLEM,
+ "AH error parsing %s `%s'", typestr, spistr);
+
+ return spi;
+}
+
+static void
+parse_ah_spis(const char *spistring, u_int32_t *spis)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(spistring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ spis[0] = spis[1] = parse_ah_spi(buffer, "spi");
+ else {
+ *cp = '\0';
+ cp++;
+
+ spis[0] = buffer[0] ? parse_ah_spi(buffer, "spi") : 0;
+ spis[1] = cp[0] ? parse_ah_spi(cp, "spi") : 0xFFFFFFFF;
+ }
+ free(buffer);
+}
+
+static void ah_init(struct xt_entry_match *m)
+{
+ struct ip6t_ah *ahinfo = (struct ip6t_ah *)m->data;
+
+ ahinfo->spis[1] = 0xFFFFFFFF;
+ ahinfo->hdrlen = 0;
+ ahinfo->hdrres = 0;
+}
+
+static int ah_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_ah *ahinfo = (struct ip6t_ah *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & IP6T_AH_SPI)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--ahspi' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_ah_spis(optarg, ahinfo->spis);
+ if (invert)
+ ahinfo->invflags |= IP6T_AH_INV_SPI;
+ *flags |= IP6T_AH_SPI;
+ break;
+ case '2':
+ if (*flags & IP6T_AH_LEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--ahlen' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ ahinfo->hdrlen = parse_ah_spi(optarg, "length");
+ if (invert)
+ ahinfo->invflags |= IP6T_AH_INV_LEN;
+ *flags |= IP6T_AH_LEN;
+ break;
+ case '3':
+ if (*flags & IP6T_AH_RES)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--ahres' allowed");
+ ahinfo->hdrres = 1;
+ *flags |= IP6T_AH_RES;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+print_spis(const char *name, u_int32_t min, u_int32_t max,
+ int invert)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFFFFFF || invert) {
+ if (min == max)
+ printf("%s:%s%u ", name, inv, min);
+ else
+ printf("%ss:%s%u:%u ", name, inv, min, max);
+ }
+}
+
+static void
+print_len(const char *name, u_int32_t len, int invert)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (len != 0 || invert)
+ printf("%s:%s%u ", name, inv, len);
+}
+
+static void ah_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_ah *ah = (struct ip6t_ah *)match->data;
+
+ printf("ah ");
+ print_spis("spi", ah->spis[0], ah->spis[1],
+ ah->invflags & IP6T_AH_INV_SPI);
+ print_len("length", ah->hdrlen,
+ ah->invflags & IP6T_AH_INV_LEN);
+
+ if (ah->hdrres)
+ printf("reserved ");
+
+ if (ah->invflags & ~IP6T_AH_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ ah->invflags & ~IP6T_AH_INV_MASK);
+}
+
+static void ah_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ip6t_ah *ahinfo = (struct ip6t_ah *)match->data;
+
+ if (!(ahinfo->spis[0] == 0
+ && ahinfo->spis[1] == 0xFFFFFFFF)) {
+ printf("%s--ahspi ",
+ (ahinfo->invflags & IP6T_AH_INV_SPI) ? "! " : "");
+ if (ahinfo->spis[0]
+ != ahinfo->spis[1])
+ printf("%u:%u ",
+ ahinfo->spis[0],
+ ahinfo->spis[1]);
+ else
+ printf("%u ",
+ ahinfo->spis[0]);
+ }
+
+ if (ahinfo->hdrlen != 0 || (ahinfo->invflags & IP6T_AH_INV_LEN) ) {
+ printf("%s--ahlen %u ",
+ (ahinfo->invflags & IP6T_AH_INV_LEN) ? "! " : "",
+ ahinfo->hdrlen);
+ }
+
+ if (ahinfo->hdrres != 0 )
+ printf("--ahres ");
+}
+
+static struct xtables_match ah_mt6_reg = {
+ .name = "ah",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_ah)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_ah)),
+ .help = ah_help,
+ .init = ah_init,
+ .parse = ah_parse,
+ .print = ah_print,
+ .save = ah_save,
+ .extra_opts = ah_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&ah_mt6_reg);
+}
diff --git a/extensions/libip6t_ah.man b/extensions/libip6t_ah.man
new file mode 100644
index 0000000..9c24dcf
--- /dev/null
+++ b/extensions/libip6t_ah.man
@@ -0,0 +1,10 @@
+This module matches the parameters in Authentication header of IPsec packets.
+.TP
+[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
+Matches SPI.
+.TP
+[\fB!\fP] \fB\-\-ahlen\fP \fIlength\fP
+Total length of this header in octets.
+.TP
+\fB\-\-ahres\fP
+Matches if the reserved field is filled with zero.
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
new file mode 100644
index 0000000..72df6ad
--- /dev/null
+++ b/extensions/libip6t_dst.c
@@ -0,0 +1,241 @@
+/* Shared library add-on to ip6tables to add Dst header support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv6/ip6t_opts.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+
+static void dst_help(void)
+{
+ printf(
+"dst match options:\n"
+"[!] --dst-len length total length of this header\n"
+" --dst-opts TYPE[:LEN][,TYPE[:LEN]...]\n"
+" Options and its length (list, max: %d)\n",
+IP6T_OPTS_OPTSNR);
+}
+
+static const struct option dst_opts[] = {
+ { .name = "dst-len", .has_arg = 1, .val = '1' },
+ { .name = "dst-opts", .has_arg = 1, .val = '2' },
+ { .name = "dst-not-strict", .has_arg = 1, .val = '3' },
+ { .name = NULL }
+};
+
+static u_int32_t
+parse_opts_num(const char *idstr, const char *typestr)
+{
+ unsigned long int id;
+ char* ep;
+
+ id = strtoul(idstr, &ep, 0);
+
+ if ( idstr == ep ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "dst: no valid digits in %s `%s'", typestr, idstr);
+ }
+ if ( id == ULONG_MAX && errno == ERANGE ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "%s `%s' specified too big: would overflow",
+ typestr, idstr);
+ }
+ if ( *idstr != '\0' && *ep != '\0' ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "dst: error parsing %s `%s'", typestr, idstr);
+ }
+ return id;
+}
+
+static int
+parse_options(const char *optsstr, u_int16_t *opts)
+{
+ char *buffer, *cp, *next, *range;
+ unsigned int i;
+
+ buffer = strdup(optsstr);
+ if (!buffer)
+ xtables_error(OTHER_PROBLEM, "strdup failed");
+
+ for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++)
+ {
+ next = strchr(cp, ',');
+
+ if (next)
+ *next++='\0';
+
+ range = strchr(cp, ':');
+
+ if (range) {
+ if (i == IP6T_OPTS_OPTSNR-1)
+ xtables_error(PARAMETER_PROBLEM,
+ "too many ports specified");
+ *range++ = '\0';
+ }
+
+ opts[i] = (parse_opts_num(cp, "opt") & 0xFF) << 8;
+ if (range) {
+ if (opts[i] == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "PAD0 hasn't got length");
+ opts[i] |= parse_opts_num(range, "length") & 0xFF;
+ } else
+ opts[i] |= (0x00FF);
+
+#ifdef DEBUG
+ printf("opts str: %s %s\n", cp, range);
+ printf("opts opt: %04X\n", opts[i]);
+#endif
+ }
+
+ if (cp)
+ xtables_error(PARAMETER_PROBLEM, "too many addresses specified");
+
+ free(buffer);
+
+#ifdef DEBUG
+ printf("addr nr: %d\n", i);
+#endif
+
+ return i;
+}
+
+static void dst_init(struct xt_entry_match *m)
+{
+ struct ip6t_opts *optinfo = (struct ip6t_opts *)m->data;
+
+ optinfo->hdrlen = 0;
+ optinfo->flags = 0;
+ optinfo->invflags = 0;
+ optinfo->optsnr = 0;
+}
+
+static int dst_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_opts *optinfo = (struct ip6t_opts *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & IP6T_OPTS_LEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--dst-len' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ optinfo->hdrlen = parse_opts_num(optarg, "length");
+ if (invert)
+ optinfo->invflags |= IP6T_OPTS_INV_LEN;
+ optinfo->flags |= IP6T_OPTS_LEN;
+ *flags |= IP6T_OPTS_LEN;
+ break;
+ case '2':
+ if (*flags & IP6T_OPTS_OPTS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--dst-opts' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ " '!' not allowed with `--dst-opts'");
+ optinfo->optsnr = parse_options(optarg, optinfo->opts);
+ optinfo->flags |= IP6T_OPTS_OPTS;
+ *flags |= IP6T_OPTS_OPTS;
+ break;
+ case '3':
+ if (*flags & IP6T_OPTS_NSTRICT)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--dst-not-strict' allowed");
+ if ( !(*flags & IP6T_OPTS_OPTS) )
+ xtables_error(PARAMETER_PROBLEM,
+ "`--dst-opts ...' required before "
+ "`--dst-not-strict'");
+ optinfo->flags |= IP6T_OPTS_NSTRICT;
+ *flags |= IP6T_OPTS_NSTRICT;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+print_options(unsigned int optsnr, u_int16_t *optsp)
+{
+ unsigned int i;
+
+ for(i = 0; i < optsnr; i++) {
+ printf("%d", (optsp[i] & 0xFF00) >> 8);
+
+ if ((optsp[i] & 0x00FF) != 0x00FF)
+ printf(":%d", (optsp[i] & 0x00FF));
+
+ printf("%c", (i != optsnr - 1) ? ',' : ' ');
+ }
+}
+
+static void dst_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
+
+ printf("dst ");
+ if (optinfo->flags & IP6T_OPTS_LEN)
+ printf("length:%s%u ",
+ optinfo->invflags & IP6T_OPTS_INV_LEN ? "!" : "",
+ optinfo->hdrlen);
+
+ if (optinfo->flags & IP6T_OPTS_OPTS)
+ printf("opts ");
+
+ print_options(optinfo->optsnr, (u_int16_t *)optinfo->opts);
+
+ if (optinfo->flags & IP6T_OPTS_NSTRICT)
+ printf("not-strict ");
+
+ if (optinfo->invflags & ~IP6T_OPTS_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ optinfo->invflags & ~IP6T_OPTS_INV_MASK);
+}
+
+static void dst_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
+
+ if (optinfo->flags & IP6T_OPTS_LEN) {
+ printf("%s--dst-len %u ",
+ (optinfo->invflags & IP6T_OPTS_INV_LEN) ? "! " : "",
+ optinfo->hdrlen);
+ }
+
+ if (optinfo->flags & IP6T_OPTS_OPTS)
+ printf("--dst-opts ");
+
+ print_options(optinfo->optsnr, (u_int16_t *)optinfo->opts);
+
+ if (optinfo->flags & IP6T_OPTS_NSTRICT)
+ printf("--dst-not-strict ");
+}
+
+static struct xtables_match dst_mt6_reg = {
+ .name = "dst",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_opts)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_opts)),
+ .help = dst_help,
+ .init = dst_init,
+ .parse = dst_parse,
+ .print = dst_print,
+ .save = dst_save,
+ .extra_opts = dst_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&dst_mt6_reg);
+}
diff --git a/extensions/libip6t_dst.man b/extensions/libip6t_dst.man
new file mode 100644
index 0000000..bfbb501
--- /dev/null
+++ b/extensions/libip6t_dst.man
@@ -0,0 +1,7 @@
+This module matches the parameters in Destination Options header
+.TP
+[\fB!\fP] \fB\-\-dst\-len\fP \fIlength\fP
+Total length of this header in octets.
+.TP
+\fB\-\-dst\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...]
+numeric type of option and the length of the option data in octets.
diff --git a/extensions/libip6t_eui64.c b/extensions/libip6t_eui64.c
new file mode 100644
index 0000000..607bf86
--- /dev/null
+++ b/extensions/libip6t_eui64.c
@@ -0,0 +1,15 @@
+/* Shared library add-on to ip6tables to add EUI64 address checking support. */
+#include <xtables.h>
+
+static struct xtables_match eui64_mt6_reg = {
+ .name = "eui64",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(int)),
+ .userspacesize = XT_ALIGN(sizeof(int)),
+};
+
+void _init(void)
+{
+ xtables_register_match(&eui64_mt6_reg);
+}
diff --git a/extensions/libip6t_eui64.man b/extensions/libip6t_eui64.man
new file mode 100644
index 0000000..cd80b98
--- /dev/null
+++ b/extensions/libip6t_eui64.man
@@ -0,0 +1,10 @@
+This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
+It compares the EUI-64 derived from the source MAC address in Ethernet frame
+with the lower 64 bits of the IPv6 source address. But "Universal/Local"
+bit is not compared. This module doesn't match other link layer frame, and
+is only valid in the
+.BR PREROUTING ,
+.BR INPUT
+and
+.BR FORWARD
+chains.
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
new file mode 100644
index 0000000..5a280cc
--- /dev/null
+++ b/extensions/libip6t_frag.c
@@ -0,0 +1,252 @@
+/* Shared library add-on to ip6tables to add Fragmentation header support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv6/ip6t_frag.h>
+
+static void frag_help(void)
+{
+ printf(
+"frag match options:\n"
+"[!] --fragid id[:id] match the id (range)\n"
+"[!] --fraglen length total length of this header\n"
+" --fragres check the reserved filed, too\n"
+" --fragfirst matches on the first fragment\n"
+" [--fragmore|--fraglast] there are more fragments or this\n"
+" is the last one\n");
+}
+
+static const struct option frag_opts[] = {
+ { .name = "fragid", .has_arg = 1, .val = '1' },
+ { .name = "fraglen", .has_arg = 1, .val = '2' },
+ { .name = "fragres", .has_arg = 0, .val = '3' },
+ { .name = "fragfirst", .has_arg = 0, .val = '4' },
+ { .name = "fragmore", .has_arg = 0, .val = '5' },
+ { .name = "fraglast", .has_arg = 0, .val = '6' },
+ { .name = NULL }
+};
+
+static u_int32_t
+parse_frag_id(const char *idstr, const char *typestr)
+{
+ unsigned long int id;
+ char* ep;
+
+ id = strtoul(idstr, &ep, 0);
+
+ if ( idstr == ep ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "FRAG no valid digits in %s `%s'", typestr, idstr);
+ }
+ if ( id == ULONG_MAX && errno == ERANGE ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "%s `%s' specified too big: would overflow",
+ typestr, idstr);
+ }
+ if ( *idstr != '\0' && *ep != '\0' ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "FRAG error parsing %s `%s'", typestr, idstr);
+ }
+ return id;
+}
+
+static void
+parse_frag_ids(const char *idstring, u_int32_t *ids)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(idstring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ids[0] = ids[1] = parse_frag_id(buffer,"id");
+ else {
+ *cp = '\0';
+ cp++;
+
+ ids[0] = buffer[0] ? parse_frag_id(buffer,"id") : 0;
+ ids[1] = cp[0] ? parse_frag_id(cp,"id") : 0xFFFFFFFF;
+ }
+ free(buffer);
+}
+
+static void frag_init(struct xt_entry_match *m)
+{
+ struct ip6t_frag *fraginfo = (struct ip6t_frag *)m->data;
+
+ fraginfo->ids[0] = 0x0L;
+ fraginfo->ids[1] = 0xFFFFFFFF;
+ fraginfo->hdrlen = 0;
+ fraginfo->flags = 0;
+ fraginfo->invflags = 0;
+}
+
+static int frag_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_frag *fraginfo = (struct ip6t_frag *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & IP6T_FRAG_IDS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--fragid' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_frag_ids(optarg, fraginfo->ids);
+ if (invert)
+ fraginfo->invflags |= IP6T_FRAG_INV_IDS;
+ fraginfo->flags |= IP6T_FRAG_IDS;
+ *flags |= IP6T_FRAG_IDS;
+ break;
+ case '2':
+ if (*flags & IP6T_FRAG_LEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--fraglen' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ fraginfo->hdrlen = parse_frag_id(optarg, "length");
+ if (invert)
+ fraginfo->invflags |= IP6T_FRAG_INV_LEN;
+ fraginfo->flags |= IP6T_FRAG_LEN;
+ *flags |= IP6T_FRAG_LEN;
+ break;
+ case '3':
+ if (*flags & IP6T_FRAG_RES)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--fragres' allowed");
+ fraginfo->flags |= IP6T_FRAG_RES;
+ *flags |= IP6T_FRAG_RES;
+ break;
+ case '4':
+ if (*flags & IP6T_FRAG_FST)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--fragfirst' allowed");
+ fraginfo->flags |= IP6T_FRAG_FST;
+ *flags |= IP6T_FRAG_FST;
+ break;
+ case '5':
+ if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--fragmore' or `--fraglast' allowed");
+ fraginfo->flags |= IP6T_FRAG_MF;
+ *flags |= IP6T_FRAG_MF;
+ break;
+ case '6':
+ if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--fragmore' or `--fraglast' allowed");
+ fraginfo->flags |= IP6T_FRAG_NMF;
+ *flags |= IP6T_FRAG_NMF;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+print_ids(const char *name, u_int32_t min, u_int32_t max,
+ int invert)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFFFFFF || invert) {
+ printf("%s", name);
+ if (min == max)
+ printf(":%s%u ", inv, min);
+ else
+ printf("s:%s%u:%u ", inv, min, max);
+ }
+}
+
+static void frag_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_frag *frag = (struct ip6t_frag *)match->data;
+
+ printf("frag ");
+ print_ids("id", frag->ids[0], frag->ids[1],
+ frag->invflags & IP6T_FRAG_INV_IDS);
+
+ if (frag->flags & IP6T_FRAG_LEN) {
+ printf("length:%s%u ",
+ frag->invflags & IP6T_FRAG_INV_LEN ? "!" : "",
+ frag->hdrlen);
+ }
+
+ if (frag->flags & IP6T_FRAG_RES)
+ printf("reserved ");
+
+ if (frag->flags & IP6T_FRAG_FST)
+ printf("first ");
+
+ if (frag->flags & IP6T_FRAG_MF)
+ printf("more ");
+
+ if (frag->flags & IP6T_FRAG_NMF)
+ printf("last ");
+
+ if (frag->invflags & ~IP6T_FRAG_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ frag->invflags & ~IP6T_FRAG_INV_MASK);
+}
+
+static void frag_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data;
+
+ if (!(fraginfo->ids[0] == 0
+ && fraginfo->ids[1] == 0xFFFFFFFF)) {
+ printf("%s--fragid ",
+ (fraginfo->invflags & IP6T_FRAG_INV_IDS) ? "! " : "");
+ if (fraginfo->ids[0]
+ != fraginfo->ids[1])
+ printf("%u:%u ",
+ fraginfo->ids[0],
+ fraginfo->ids[1]);
+ else
+ printf("%u ",
+ fraginfo->ids[0]);
+ }
+
+ if (fraginfo->flags & IP6T_FRAG_LEN) {
+ printf("%s--fraglen %u ",
+ (fraginfo->invflags & IP6T_FRAG_INV_LEN) ? "! " : "",
+ fraginfo->hdrlen);
+ }
+
+ if (fraginfo->flags & IP6T_FRAG_RES)
+ printf("--fragres ");
+
+ if (fraginfo->flags & IP6T_FRAG_FST)
+ printf("--fragfirst ");
+
+ if (fraginfo->flags & IP6T_FRAG_MF)
+ printf("--fragmore ");
+
+ if (fraginfo->flags & IP6T_FRAG_NMF)
+ printf("--fraglast ");
+}
+
+static struct xtables_match frag_mt6_reg = {
+ .name = "frag",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_frag)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_frag)),
+ .help = frag_help,
+ .init = frag_init,
+ .parse = frag_parse,
+ .print = frag_print,
+ .save = frag_save,
+ .extra_opts = frag_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&frag_mt6_reg);
+}
diff --git a/extensions/libip6t_frag.man b/extensions/libip6t_frag.man
new file mode 100644
index 0000000..7bfa227
--- /dev/null
+++ b/extensions/libip6t_frag.man
@@ -0,0 +1,20 @@
+This module matches the parameters in Fragment header.
+.TP
+[\fB!\fP] \fB\-\-fragid\fP \fIid\fP[\fB:\fP\fIid\fP]
+Matches the given Identification or range of it.
+.TP
+[\fB!\fP] \fB\-\-fraglen\fP \fIlength\fP
+This option cannot be used with kernel version 2.6.10 or later. The length of
+Fragment header is static and this option doesn't make sense.
+.TP
+\fB\-\-fragres\fP
+Matches if the reserved fields are filled with zero.
+.TP
+\fB\-\-fragfirst\fP
+Matches on the first fragment.
+.TP
+\fB\-\-fragmore\fP
+Matches if there are more fragments.
+.TP
+\fB\-\-fraglast\fP
+Matches if this is the last fragment.
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
new file mode 100644
index 0000000..520ec9e
--- /dev/null
+++ b/extensions/libip6t_hbh.c
@@ -0,0 +1,228 @@
+/* Shared library add-on to ip6tables to add Hop-by-Hop header support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <xtables.h>
+/*#include <linux/in6.h>*/
+#include <linux/netfilter_ipv6/ip6t_opts.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+
+#define DEBUG 0
+
+static void hbh_help(void)
+{
+ printf(
+"hbh match options:\n"
+"[!] --hbh-len length total length of this header\n"
+" --hbh-opts TYPE[:LEN][,TYPE[:LEN]...] \n"
+" Options and its length (list, max: %d)\n",
+IP6T_OPTS_OPTSNR);
+}
+
+static const struct option hbh_opts[] = {
+ { "hbh-len", 1, NULL, '1' },
+ { "hbh-opts", 1, NULL, '2' },
+ { "hbh-not-strict", 1, NULL, '3' },
+ { .name = NULL }
+};
+
+static u_int32_t
+parse_opts_num(const char *idstr, const char *typestr)
+{
+ unsigned long int id;
+ char* ep;
+
+ id = strtoul(idstr,&ep,0) ;
+
+ if ( idstr == ep ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "hbh: no valid digits in %s `%s'", typestr, idstr);
+ }
+ if ( id == ULONG_MAX && errno == ERANGE ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "%s `%s' specified too big: would overflow",
+ typestr, idstr);
+ }
+ if ( *idstr != '\0' && *ep != '\0' ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "hbh: error parsing %s `%s'", typestr, idstr);
+ }
+ return id;
+}
+
+static int
+parse_options(const char *optsstr, u_int16_t *opts)
+{
+ char *buffer, *cp, *next, *range;
+ unsigned int i;
+
+ buffer = strdup(optsstr);
+ if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+
+ for (cp=buffer, i=0; cp && i<IP6T_OPTS_OPTSNR; cp=next,i++)
+ {
+ next=strchr(cp, ',');
+ if (next) *next++='\0';
+ range = strchr(cp, ':');
+ if (range) {
+ if (i == IP6T_OPTS_OPTSNR-1)
+ xtables_error(PARAMETER_PROBLEM,
+ "too many ports specified");
+ *range++ = '\0';
+ }
+ opts[i] = (parse_opts_num(cp, "opt") & 0xFF) << 8;
+ if (range) {
+ if (opts[i] == 0)
+ xtables_error(PARAMETER_PROBLEM, "PAD0 has not got length");
+ opts[i] |= parse_opts_num(range, "length") & 0xFF;
+ } else {
+ opts[i] |= (0x00FF);
+ }
+
+#if DEBUG
+ printf("opts str: %s %s\n", cp, range);
+ printf("opts opt: %04X\n", opts[i]);
+#endif
+ }
+ if (cp) xtables_error(PARAMETER_PROBLEM, "too many addresses specified");
+
+ free(buffer);
+
+#if DEBUG
+ printf("addr nr: %d\n", i);
+#endif
+
+ return i;
+}
+
+static void hbh_init(struct xt_entry_match *m)
+{
+ struct ip6t_opts *optinfo = (struct ip6t_opts *)m->data;
+
+ optinfo->hdrlen = 0;
+ optinfo->flags = 0;
+ optinfo->invflags = 0;
+ optinfo->optsnr = 0;
+}
+
+static int hbh_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_opts *optinfo = (struct ip6t_opts *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & IP6T_OPTS_LEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--hbh-len' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ optinfo->hdrlen = parse_opts_num(optarg, "length");
+ if (invert)
+ optinfo->invflags |= IP6T_OPTS_INV_LEN;
+ optinfo->flags |= IP6T_OPTS_LEN;
+ *flags |= IP6T_OPTS_LEN;
+ break;
+ case '2':
+ if (*flags & IP6T_OPTS_OPTS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--hbh-opts' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ " '!' not allowed with `--hbh-opts'");
+ optinfo->optsnr = parse_options(optarg, optinfo->opts);
+ optinfo->flags |= IP6T_OPTS_OPTS;
+ *flags |= IP6T_OPTS_OPTS;
+ break;
+ case '3':
+ if (*flags & IP6T_OPTS_NSTRICT)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--hbh-not-strict' allowed");
+ if ( !(*flags & IP6T_OPTS_OPTS) )
+ xtables_error(PARAMETER_PROBLEM,
+ "`--hbh-opts ...' required before `--hbh-not-strict'");
+ optinfo->flags |= IP6T_OPTS_NSTRICT;
+ *flags |= IP6T_OPTS_NSTRICT;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+print_options(unsigned int optsnr, u_int16_t *optsp)
+{
+ unsigned int i;
+
+ for(i=0; i<optsnr; i++){
+ printf("%d", (optsp[i] & 0xFF00)>>8);
+ if ((optsp[i] & 0x00FF) != 0x00FF){
+ printf(":%d", (optsp[i] & 0x00FF));
+ }
+ printf("%c", (i!=optsnr-1)?',':' ');
+ }
+}
+
+static void hbh_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
+
+ printf("hbh ");
+ if (optinfo->flags & IP6T_OPTS_LEN) {
+ printf("length");
+ printf(":%s", optinfo->invflags & IP6T_OPTS_INV_LEN ? "!" : "");
+ printf("%u", optinfo->hdrlen);
+ printf(" ");
+ }
+ if (optinfo->flags & IP6T_OPTS_OPTS) printf("opts ");
+ print_options(optinfo->optsnr, (u_int16_t *)optinfo->opts);
+ if (optinfo->flags & IP6T_OPTS_NSTRICT) printf("not-strict ");
+ if (optinfo->invflags & ~IP6T_OPTS_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ optinfo->invflags & ~IP6T_OPTS_INV_MASK);
+}
+
+static void hbh_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
+
+ if (optinfo->flags & IP6T_OPTS_LEN) {
+ printf("%s--hbh-len %u ",
+ (optinfo->invflags & IP6T_OPTS_INV_LEN) ? "! " : "",
+ optinfo->hdrlen);
+ }
+
+ if (optinfo->flags & IP6T_OPTS_OPTS)
+ printf("--hbh-opts ");
+ print_options(optinfo->optsnr, (u_int16_t *)optinfo->opts);
+ if (optinfo->flags & IP6T_OPTS_NSTRICT)
+ printf("--hbh-not-strict ");
+}
+
+static struct xtables_match hbh_mt6_reg = {
+ .name = "hbh",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_opts)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_opts)),
+ .help = hbh_help,
+ .init = hbh_init,
+ .parse = hbh_parse,
+ .print = hbh_print,
+ .save = hbh_save,
+ .extra_opts = hbh_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&hbh_mt6_reg);
+}
diff --git a/extensions/libip6t_hbh.man b/extensions/libip6t_hbh.man
new file mode 100644
index 0000000..2d92e04
--- /dev/null
+++ b/extensions/libip6t_hbh.man
@@ -0,0 +1,7 @@
+This module matches the parameters in Hop-by-Hop Options header
+.TP
+[\fB!\fP] \fB\-\-hbh\-len\fP \fIlength\fP
+Total length of this header in octets.
+.TP
+\fB\-\-hbh\-opts\fP \fItype\fP[\fB:\fP\fIlength\fP][\fB,\fP\fItype\fP[\fB:\fP\fIlength\fP]...]
+numeric type of option and the length of the option data in octets.
diff --git a/extensions/libip6t_hl.c b/extensions/libip6t_hl.c
new file mode 100644
index 0000000..09589b1
--- /dev/null
+++ b/extensions/libip6t_hl.c
@@ -0,0 +1,144 @@
+/*
+ * IPv6 Hop Limit matching module
+ * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ * Based on HW's ttl match
+ * This program is released under the terms of GNU GPL
+ * Cleanups by Stephane Ouellette <ouellettes@videotron.ca>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <xtables.h>
+
+#include <linux/netfilter_ipv6/ip6t_hl.h>
+
+static void hl_help(void)
+{
+ printf(
+"hl match options:\n"
+"[!] --hl-eq value Match hop limit value\n"
+" --hl-lt value Match HL < value\n"
+" --hl-gt value Match HL > value\n");
+}
+
+static int hl_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_hl_info *info = (struct ip6t_hl_info *) (*match)->data;
+ u_int8_t value;
+
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ value = atoi(optarg);
+
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify HL option twice");
+
+ if (!optarg)
+ xtables_error(PARAMETER_PROBLEM,
+ "hl: You must specify a value");
+ switch (c) {
+ case '2':
+ if (invert)
+ info->mode = IP6T_HL_NE;
+ else
+ info->mode = IP6T_HL_EQ;
+
+ /* is 0 allowed? */
+ info->hop_limit = value;
+ *flags = 1;
+
+ break;
+ case '3':
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "hl: unexpected `!'");
+
+ info->mode = IP6T_HL_LT;
+ info->hop_limit = value;
+ *flags = 1;
+
+ break;
+ case '4':
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "hl: unexpected `!'");
+
+ info->mode = IP6T_HL_GT;
+ info->hop_limit = value;
+ *flags = 1;
+
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void hl_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "HL match: You must specify one of "
+ "`--hl-eq', `--hl-lt', `--hl-gt'");
+}
+
+static void hl_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ static const char *const op[] = {
+ [IP6T_HL_EQ] = "==",
+ [IP6T_HL_NE] = "!=",
+ [IP6T_HL_LT] = "<",
+ [IP6T_HL_GT] = ">" };
+
+ const struct ip6t_hl_info *info =
+ (struct ip6t_hl_info *) match->data;
+
+ printf("HL match HL %s %u ", op[info->mode], info->hop_limit);
+}
+
+static void hl_save(const void *ip, const struct xt_entry_match *match)
+{
+ static const char *const op[] = {
+ [IP6T_HL_EQ] = "--hl-eq",
+ [IP6T_HL_NE] = "! --hl-eq",
+ [IP6T_HL_LT] = "--hl-lt",
+ [IP6T_HL_GT] = "--hl-gt" };
+
+ const struct ip6t_hl_info *info =
+ (struct ip6t_hl_info *) match->data;
+
+ printf("%s %u ", op[info->mode], info->hop_limit);
+}
+
+static const struct option hl_opts[] = {
+ { .name = "hl", .has_arg = 1, .val = '2' },
+ { .name = "hl-eq", .has_arg = 1, .val = '2' },
+ { .name = "hl-lt", .has_arg = 1, .val = '3' },
+ { .name = "hl-gt", .has_arg = 1, .val = '4' },
+ { .name = NULL }
+};
+
+static struct xtables_match hl_mt6_reg = {
+ .name = "hl",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_hl_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_hl_info)),
+ .help = hl_help,
+ .parse = hl_parse,
+ .final_check = hl_check,
+ .print = hl_print,
+ .save = hl_save,
+ .extra_opts = hl_opts,
+};
+
+
+void _init(void)
+{
+ xtables_register_match(&hl_mt6_reg);
+}
diff --git a/extensions/libip6t_hl.man b/extensions/libip6t_hl.man
new file mode 100644
index 0000000..dfbfaf8
--- /dev/null
+++ b/extensions/libip6t_hl.man
@@ -0,0 +1,10 @@
+This module matches the Hop Limit field in the IPv6 header.
+.TP
+[\fB!\fP] \fB\-\-hl\-eq\fP \fIvalue\fP
+Matches if Hop Limit equals \fIvalue\fP.
+.TP
+\fB\-\-hl\-lt\fP \fIvalue\fP
+Matches if Hop Limit is less than \fIvalue\fP.
+.TP
+\fB\-\-hl\-gt\fP \fIvalue\fP
+Matches if Hop Limit is greater than \fIvalue\fP.
diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
new file mode 100644
index 0000000..fb321b3
--- /dev/null
+++ b/extensions/libip6t_icmp6.c
@@ -0,0 +1,263 @@
+/* Shared library add-on to ip6tables to add ICMP support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <limits.h> /* INT_MAX in ip6_tables.h */
+#include <linux/netfilter_ipv6/ip6_tables.h>
+
+struct icmpv6_names {
+ const char *name;
+ u_int8_t type;
+ u_int8_t code_min, code_max;
+};
+
+static const struct icmpv6_names icmpv6_codes[] = {
+ { "destination-unreachable", 1, 0, 0xFF },
+ { "no-route", 1, 0, 0 },
+ { "communication-prohibited", 1, 1, 1 },
+ { "address-unreachable", 1, 3, 3 },
+ { "port-unreachable", 1, 4, 4 },
+
+ { "packet-too-big", 2, 0, 0xFF },
+
+ { "time-exceeded", 3, 0, 0xFF },
+ /* Alias */ { "ttl-exceeded", 3, 0, 0xFF },
+ { "ttl-zero-during-transit", 3, 0, 0 },
+ { "ttl-zero-during-reassembly", 3, 1, 1 },
+
+ { "parameter-problem", 4, 0, 0xFF },
+ { "bad-header", 4, 0, 0 },
+ { "unknown-header-type", 4, 1, 1 },
+ { "unknown-option", 4, 2, 2 },
+
+ { "echo-request", 128, 0, 0xFF },
+ /* Alias */ { "ping", 128, 0, 0xFF },
+
+ { "echo-reply", 129, 0, 0xFF },
+ /* Alias */ { "pong", 129, 0, 0xFF },
+
+ { "router-solicitation", 133, 0, 0xFF },
+
+ { "router-advertisement", 134, 0, 0xFF },
+
+ { "neighbour-solicitation", 135, 0, 0xFF },
+ /* Alias */ { "neighbor-solicitation", 135, 0, 0xFF },
+
+ { "neighbour-advertisement", 136, 0, 0xFF },
+ /* Alias */ { "neighbor-advertisement", 136, 0, 0xFF },
+
+ { "redirect", 137, 0, 0xFF },
+
+};
+
+static void
+print_icmpv6types(void)
+{
+ unsigned int i;
+ printf("Valid ICMPv6 Types:");
+
+ for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i) {
+ if (i && icmpv6_codes[i].type == icmpv6_codes[i-1].type) {
+ if (icmpv6_codes[i].code_min == icmpv6_codes[i-1].code_min
+ && (icmpv6_codes[i].code_max
+ == icmpv6_codes[i-1].code_max))
+ printf(" (%s)", icmpv6_codes[i].name);
+ else
+ printf("\n %s", icmpv6_codes[i].name);
+ }
+ else
+ printf("\n%s", icmpv6_codes[i].name);
+ }
+ printf("\n");
+}
+
+static void icmp6_help(void)
+{
+ printf(
+"icmpv6 match options:\n"
+"[!] --icmpv6-type typename match icmpv6 type\n"
+" (or numeric type or type/code)\n");
+ print_icmpv6types();
+}
+
+static const struct option icmp6_opts[] = {
+ { "icmpv6-type", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static void
+parse_icmpv6(const char *icmpv6type, u_int8_t *type, u_int8_t code[])
+{
+ static const unsigned int limit = ARRAY_SIZE(icmpv6_codes);
+ unsigned int match = limit;
+ unsigned int i;
+
+ for (i = 0; i < limit; i++) {
+ if (strncasecmp(icmpv6_codes[i].name, icmpv6type, strlen(icmpv6type))
+ == 0) {
+ if (match != limit)
+ xtables_error(PARAMETER_PROBLEM,
+ "Ambiguous ICMPv6 type `%s':"
+ " `%s' or `%s'?",
+ icmpv6type,
+ icmpv6_codes[match].name,
+ icmpv6_codes[i].name);
+ match = i;
+ }
+ }
+
+ if (match != limit) {
+ *type = icmpv6_codes[match].type;
+ code[0] = icmpv6_codes[match].code_min;
+ code[1] = icmpv6_codes[match].code_max;
+ } else {
+ char *slash;
+ char buffer[strlen(icmpv6type) + 1];
+ unsigned int number;
+
+ strcpy(buffer, icmpv6type);
+ slash = strchr(buffer, '/');
+
+ if (slash)
+ *slash = '\0';
+
+ if (!xtables_strtoui(buffer, NULL, &number, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid ICMPv6 type `%s'\n", buffer);
+ *type = number;
+ if (slash) {
+ if (!xtables_strtoui(slash+1, NULL, &number, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid ICMPv6 code `%s'\n",
+ slash+1);
+ code[0] = code[1] = number;
+ } else {
+ code[0] = 0;
+ code[1] = 0xFF;
+ }
+ }
+}
+
+static void icmp6_init(struct xt_entry_match *m)
+{
+ struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)m->data;
+
+ icmpv6info->code[1] = 0xFF;
+}
+
+static int icmp6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags == 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "icmpv6 match: only use --icmpv6-type once!");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_icmpv6(optarg, &icmpv6info->type,
+ icmpv6info->code);
+ if (invert)
+ icmpv6info->invflags |= IP6T_ICMP_INV;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void print_icmpv6type(u_int8_t type,
+ u_int8_t code_min, u_int8_t code_max,
+ int invert,
+ int numeric)
+{
+ if (!numeric) {
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
+ if (icmpv6_codes[i].type == type
+ && icmpv6_codes[i].code_min == code_min
+ && icmpv6_codes[i].code_max == code_max)
+ break;
+
+ if (i != ARRAY_SIZE(icmpv6_codes)) {
+ printf("%s%s ",
+ invert ? "!" : "",
+ icmpv6_codes[i].name);
+ return;
+ }
+ }
+
+ if (invert)
+ printf("!");
+
+ printf("type %u", type);
+ if (code_min == 0 && code_max == 0xFF)
+ printf(" ");
+ else if (code_min == code_max)
+ printf(" code %u ", code_min);
+ else
+ printf(" codes %u-%u ", code_min, code_max);
+}
+
+static void icmp6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data;
+
+ printf("ipv6-icmp ");
+ print_icmpv6type(icmpv6->type, icmpv6->code[0], icmpv6->code[1],
+ icmpv6->invflags & IP6T_ICMP_INV,
+ numeric);
+
+ if (icmpv6->invflags & ~IP6T_ICMP_INV)
+ printf("Unknown invflags: 0x%X ",
+ icmpv6->invflags & ~IP6T_ICMP_INV);
+}
+
+static void icmp6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data;
+
+ if (icmpv6->invflags & IP6T_ICMP_INV)
+ printf("! ");
+
+ printf("--icmpv6-type %u", icmpv6->type);
+ if (icmpv6->code[0] != 0 || icmpv6->code[1] != 0xFF)
+ printf("/%u", icmpv6->code[0]);
+ printf(" ");
+}
+
+static void icmp6_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "icmpv6 match: You must specify `--icmpv6-type'");
+}
+
+static struct xtables_match icmp6_mt6_reg = {
+ .name = "icmp6",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_icmp)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_icmp)),
+ .help = icmp6_help,
+ .init = icmp6_init,
+ .parse = icmp6_parse,
+ .final_check = icmp6_check,
+ .print = icmp6_print,
+ .save = icmp6_save,
+ .extra_opts = icmp6_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&icmp6_mt6_reg);
+}
diff --git a/extensions/libip6t_icmp6.man b/extensions/libip6t_icmp6.man
new file mode 100644
index 0000000..817e21c
--- /dev/null
+++ b/extensions/libip6t_icmp6.man
@@ -0,0 +1,14 @@
+This extension can be used if `\-\-protocol ipv6\-icmp' or `\-\-protocol icmpv6' is
+specified. It provides the following option:
+.TP
+[\fB!\fP] \fB\-\-icmpv6\-type\fP \fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP
+This allows specification of the ICMPv6 type, which can be a numeric
+ICMPv6
+.IR type ,
+.IR type
+and
+.IR code ,
+or one of the ICMPv6 type names shown by the command
+.nf
+ ip6tables \-p ipv6\-icmp \-h
+.fi
diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
new file mode 100644
index 0000000..af1f5ef
--- /dev/null
+++ b/extensions/libip6t_ipv6header.c
@@ -0,0 +1,290 @@
+/* ipv6header match - matches IPv6 packets based
+on whether they contain certain headers */
+
+/* Original idea: Brad Chapman
+ * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */
+
+#include <getopt.h>
+#include <xtables.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+#include <sys/types.h>
+
+#include <linux/netfilter_ipv6/ip6t_ipv6header.h>
+
+/* This maybe required
+#include <linux/in.h>
+#include <linux/in6.h>
+*/
+
+
+/* A few hardcoded protocols for 'all' and in case the user has no
+ * /etc/protocols */
+struct pprot {
+ char *name;
+ u_int8_t num;
+};
+
+struct numflag {
+ u_int8_t proto;
+ u_int8_t flag;
+};
+
+static const struct pprot chain_protos[] = {
+ { "hop-by-hop", IPPROTO_HOPOPTS },
+ { "protocol", IPPROTO_RAW },
+ { "hop", IPPROTO_HOPOPTS },
+ { "dst", IPPROTO_DSTOPTS },
+ { "route", IPPROTO_ROUTING },
+ { "frag", IPPROTO_FRAGMENT },
+ { "auth", IPPROTO_AH },
+ { "esp", IPPROTO_ESP },
+ { "none", IPPROTO_NONE },
+ { "prot", IPPROTO_RAW },
+ { "0", IPPROTO_HOPOPTS },
+ { "60", IPPROTO_DSTOPTS },
+ { "43", IPPROTO_ROUTING },
+ { "44", IPPROTO_FRAGMENT },
+ { "51", IPPROTO_AH },
+ { "50", IPPROTO_ESP },
+ { "59", IPPROTO_NONE },
+ { "255", IPPROTO_RAW },
+ /* { "all", 0 }, */
+};
+
+static const struct numflag chain_flags[] = {
+ { IPPROTO_HOPOPTS, MASK_HOPOPTS },
+ { IPPROTO_DSTOPTS, MASK_DSTOPTS },
+ { IPPROTO_ROUTING, MASK_ROUTING },
+ { IPPROTO_FRAGMENT, MASK_FRAGMENT },
+ { IPPROTO_AH, MASK_AH },
+ { IPPROTO_ESP, MASK_ESP },
+ { IPPROTO_NONE, MASK_NONE },
+ { IPPROTO_RAW, MASK_PROTO },
+};
+
+static char *
+proto_to_name(u_int8_t proto, int nolookup)
+{
+ unsigned int i;
+
+ if (proto && !nolookup) {
+ struct protoent *pent = getprotobynumber(proto);
+ if (pent)
+ return pent->p_name;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(chain_protos); ++i)
+ if (chain_protos[i].num == proto)
+ return chain_protos[i].name;
+
+ return NULL;
+}
+
+static u_int16_t
+name_to_proto(const char *s)
+{
+ unsigned int proto=0;
+ struct protoent *pent;
+
+ if ((pent = getprotobyname(s)))
+ proto = pent->p_proto;
+ else {
+ unsigned int i;
+ for (i = 0; i < ARRAY_SIZE(chain_protos); ++i)
+ if (strcmp(s, chain_protos[i].name) == 0) {
+ proto = chain_protos[i].num;
+ break;
+ }
+
+ if (i == ARRAY_SIZE(chain_protos))
+ xtables_error(PARAMETER_PROBLEM,
+ "unknown header `%s' specified",
+ s);
+ }
+
+ return proto;
+}
+
+static unsigned int
+add_proto_to_mask(int proto){
+ unsigned int i=0, flag=0;
+
+ for (i = 0; i < ARRAY_SIZE(chain_flags); ++i)
+ if (proto == chain_flags[i].proto){
+ flag = chain_flags[i].flag;
+ break;
+ }
+
+ if (i == ARRAY_SIZE(chain_flags))
+ xtables_error(PARAMETER_PROBLEM,
+ "unknown header `%d' specified",
+ proto);
+
+ return flag;
+}
+
+static void ipv6header_help(void)
+{
+ printf(
+"ipv6header match options:\n"
+"[!] --header headers Type of header to match, by name\n"
+" names: hop,dst,route,frag,auth,esp,none,proto\n"
+" long names: hop-by-hop,ipv6-opts,ipv6-route,\n"
+" ipv6-frag,ah,esp,ipv6-nonxt,protocol\n"
+" numbers: 0,60,43,44,51,50,59\n"
+"--soft The header CONTAINS the specified extensions\n");
+}
+
+static const struct option ipv6header_opts[] = {
+ { "header", 1, NULL, '1' },
+ { "soft", 0, NULL, '2' },
+ { .name = NULL }
+};
+
+static void ipv6header_init(struct xt_entry_match *m)
+{
+ struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)m->data;
+
+ info->matchflags = 0x00;
+ info->invflags = 0x00;
+ info->modeflag = 0x00;
+}
+
+static unsigned int
+parse_header(const char *flags) {
+ unsigned int ret = 0;
+ char *ptr;
+ char *buffer;
+
+ buffer = strdup(flags);
+
+ for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
+ ret |= add_proto_to_mask(name_to_proto(ptr));
+
+ free(buffer);
+ return ret;
+}
+
+#define IPV6_HDR_HEADER 0x01
+#define IPV6_HDR_SOFT 0x02
+
+static int
+ipv6header_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)(*match)->data;
+
+ switch (c) {
+ case '1' :
+ /* Parse the provided header names */
+ if (*flags & IPV6_HDR_HEADER)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--header' allowed");
+
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (! (info->matchflags = parse_header(optarg)) )
+ xtables_error(PARAMETER_PROBLEM, "ip6t_ipv6header: cannot parse header names");
+
+ if (invert)
+ info->invflags |= 0xFF;
+ *flags |= IPV6_HDR_HEADER;
+ break;
+ case '2' :
+ /* Soft-mode requested? */
+ if (*flags & IPV6_HDR_SOFT)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--soft' allowed");
+
+ info->modeflag |= 0xFF;
+ *flags |= IPV6_HDR_SOFT;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void ipv6header_check(unsigned int flags)
+{
+ if (!flags) xtables_error(PARAMETER_PROBLEM, "ip6t_ipv6header: no options specified");
+}
+
+static void
+print_header(u_int8_t flags){
+ int have_flag = 0;
+
+ while (flags) {
+ unsigned int i;
+
+ for (i = 0; (flags & chain_flags[i].flag) == 0; i++);
+
+ if (have_flag)
+ printf(",");
+
+ printf("%s", proto_to_name(chain_flags[i].proto,0));
+ have_flag = 1;
+
+ flags &= ~chain_flags[i].flag;
+ }
+
+ if (!have_flag)
+ printf("NONE");
+}
+
+static void ipv6header_print(const void *ip,
+ const struct xt_entry_match *match, int numeric)
+{
+ const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
+ printf("ipv6header ");
+
+ if (info->matchflags || info->invflags) {
+ printf("flags:%s", info->invflags ? "!" : "");
+ if (numeric)
+ printf("0x%02X ", info->matchflags);
+ else {
+ print_header(info->matchflags);
+ printf(" ");
+ }
+ }
+
+ if (info->modeflag)
+ printf("soft ");
+}
+
+static void ipv6header_save(const void *ip, const struct xt_entry_match *match)
+{
+
+ const struct ip6t_ipv6header_info *info = (const struct ip6t_ipv6header_info *)match->data;
+
+ printf("%s--header ", info->invflags ? "! " : "");
+ print_header(info->matchflags);
+ printf(" ");
+ if (info->modeflag)
+ printf("--soft ");
+}
+
+static struct xtables_match ipv6header_mt6_reg = {
+ .name = "ipv6header",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_ipv6header_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_ipv6header_info)),
+ .help = ipv6header_help,
+ .init = ipv6header_init,
+ .parse = ipv6header_parse,
+ .final_check = ipv6header_check,
+ .print = ipv6header_print,
+ .save = ipv6header_save,
+ .extra_opts = ipv6header_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&ipv6header_mt6_reg);
+}
diff --git a/extensions/libip6t_ipv6header.man b/extensions/libip6t_ipv6header.man
new file mode 100644
index 0000000..a998861
--- /dev/null
+++ b/extensions/libip6t_ipv6header.man
@@ -0,0 +1,37 @@
+This module matches IPv6 extension headers and/or upper layer header.
+.TP
+\fB\-\-soft\fP
+Matches if the packet includes \fBany\fP of the headers specified with
+\fB\-\-header\fP.
+.TP
+[\fB!\fP] \fB\-\-header\fP \fIheader\fP[\fB,\fP\fIheader\fP...]
+Matches the packet which EXACTLY includes all specified headers. The headers
+encapsulated with ESP header are out of scope.
+Possible \fIheader\fP types can be:
+.TP
+\fBhop\fP|\fBhop\-by\-hop\fP
+Hop-by-Hop Options header
+.TP
+\fBdst\fP
+Destination Options header
+.TP
+\fBroute\fP
+Routing header
+.TP
+\fBfrag\fP
+Fragment header
+.TP
+\fBauth\fP
+Authentication header
+.TP
+\fBesp\fP
+Encapsulating Security Payload header
+.TP
+\fBnone\fP
+No Next header which matches 59 in the 'Next Header field' of IPv6 header or
+any IPv6 extension headers
+.TP
+\fBproto\fP
+which matches any upper layer protocol header. A protocol name from
+/etc/protocols and numeric value also allowed. The number 255 is equivalent to
+\fBproto\fP.
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
new file mode 100644
index 0000000..95cd65d
--- /dev/null
+++ b/extensions/libip6t_mh.c
@@ -0,0 +1,240 @@
+/* Shared library add-on to ip6tables to add mobility header support. */
+/*
+ * Copyright (C)2006 USAGI/WIDE Project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Author:
+ * Masahide NAKAMURA @USAGI <masahide.nakamura.cz@hitachi.com>
+ *
+ * Based on libip6t_{icmpv6,udp}.c
+ */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv6/ip6t_mh.h>
+
+struct mh_name {
+ const char *name;
+ u_int8_t type;
+};
+
+static const struct mh_name mh_names[] = {
+ { "binding-refresh-request", 0, },
+ /* Alias */ { "brr", 0, },
+ { "home-test-init", 1, },
+ /* Alias */ { "hoti", 1, },
+ { "careof-test-init", 2, },
+ /* Alias */ { "coti", 2, },
+ { "home-test", 3, },
+ /* Alias */ { "hot", 3, },
+ { "careof-test", 4, },
+ /* Alias */ { "cot", 4, },
+ { "binding-update", 5, },
+ /* Alias */ { "bu", 5, },
+ { "binding-acknowledgement", 6, },
+ /* Alias */ { "ba", 6, },
+ { "binding-error", 7, },
+ /* Alias */ { "be", 7, },
+};
+
+static void print_types_all(void)
+{
+ unsigned int i;
+ printf("Valid MH types:");
+
+ for (i = 0; i < ARRAY_SIZE(mh_names); ++i) {
+ if (i && mh_names[i].type == mh_names[i-1].type)
+ printf(" (%s)", mh_names[i].name);
+ else
+ printf("\n%s", mh_names[i].name);
+ }
+ printf("\n");
+}
+
+static void mh_help(void)
+{
+ printf(
+"mh match options:\n"
+"[!] --mh-type type[:type] match mh type\n");
+ print_types_all();
+}
+
+static void mh_init(struct xt_entry_match *m)
+{
+ struct ip6t_mh *mhinfo = (struct ip6t_mh *)m->data;
+
+ mhinfo->types[1] = 0xFF;
+}
+
+static unsigned int name_to_type(const char *name)
+{
+ int namelen = strlen(name);
+ static const unsigned int limit = ARRAY_SIZE(mh_names);
+ unsigned int match = limit;
+ unsigned int i;
+
+ for (i = 0; i < limit; i++) {
+ if (strncasecmp(mh_names[i].name, name, namelen) == 0) {
+ int len = strlen(mh_names[i].name);
+ if (match == limit || len == namelen)
+ match = i;
+ }
+ }
+
+ if (match != limit) {
+ return mh_names[match].type;
+ } else {
+ unsigned int number;
+
+ if (!xtables_strtoui(name, NULL, &number, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid MH type `%s'\n", name);
+ return number;
+ }
+}
+
+static void parse_mh_types(const char *mhtype, u_int8_t *types)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(mhtype);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ types[0] = types[1] = name_to_type(buffer);
+ else {
+ *cp = '\0';
+ cp++;
+
+ types[0] = buffer[0] ? name_to_type(buffer) : 0;
+ types[1] = cp[0] ? name_to_type(cp) : 0xFF;
+
+ if (types[0] > types[1])
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid MH type range (min > max)");
+ }
+ free(buffer);
+}
+
+#define MH_TYPES 0x01
+
+static int mh_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_mh *mhinfo = (struct ip6t_mh *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & MH_TYPES)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--mh-type' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_mh_types(optarg, mhinfo->types);
+ if (invert)
+ mhinfo->invflags |= IP6T_MH_INV_TYPE;
+ *flags |= MH_TYPES;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static const char *type_to_name(u_int8_t type)
+{
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(mh_names); ++i)
+ if (mh_names[i].type == type)
+ return mh_names[i].name;
+
+ return NULL;
+}
+
+static void print_type(u_int8_t type, int numeric)
+{
+ const char *name;
+ if (numeric || !(name = type_to_name(type)))
+ printf("%u", type);
+ else
+ printf("%s", name);
+}
+
+static void print_types(u_int8_t min, u_int8_t max, int invert, int numeric)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFF || invert) {
+ if (min == max) {
+ printf("%s", inv);
+ print_type(min, numeric);
+ } else {
+ printf("%s", inv);
+ print_type(min, numeric);
+ printf(":");
+ print_type(max, numeric);
+ }
+ printf(" ");
+ }
+}
+
+static void mh_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data;
+
+ printf("mh ");
+ print_types(mhinfo->types[0], mhinfo->types[1],
+ mhinfo->invflags & IP6T_MH_INV_TYPE,
+ numeric);
+ if (mhinfo->invflags & ~IP6T_MH_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ mhinfo->invflags & ~IP6T_MH_INV_MASK);
+}
+
+static void mh_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data;
+
+ if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xFF)
+ return;
+
+ if (mhinfo->invflags & IP6T_MH_INV_TYPE)
+ printf("! ");
+
+ if (mhinfo->types[0] != mhinfo->types[1])
+ printf("--mh-type %u:%u ", mhinfo->types[0], mhinfo->types[1]);
+ else
+ printf("--mh-type %u ", mhinfo->types[0]);
+}
+
+static const struct option mh_opts[] = {
+ { "mh-type", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static struct xtables_match mh_mt6_reg = {
+ .name = "mh",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_mh)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_mh)),
+ .help = mh_help,
+ .init = mh_init,
+ .parse = mh_parse,
+ .print = mh_print,
+ .save = mh_save,
+ .extra_opts = mh_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&mh_mt6_reg);
+}
diff --git a/extensions/libip6t_mh.man b/extensions/libip6t_mh.man
new file mode 100644
index 0000000..4559e78
--- /dev/null
+++ b/extensions/libip6t_mh.man
@@ -0,0 +1,12 @@
+This extension is loaded if `\-\-protocol ipv6\-mh' or `\-\-protocol mh' is
+specified. It provides the following option:
+.TP
+[\fB!\fP] \fB\-\-mh\-type\fP \fItype\fP[\fB:\fP\fItype\fP]
+This allows specification of the Mobility Header(MH) type, which can be
+a numeric MH
+.IR type ,
+.IR type
+or one of the MH type names shown by the command
+.nf
+ ip6tables \-p ipv6\-mh \-h
+.fi
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
new file mode 100644
index 0000000..a04023d
--- /dev/null
+++ b/extensions/libip6t_rt.c
@@ -0,0 +1,344 @@
+/* Shared library add-on to ip6tables to add Routing header support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <xtables.h>
+/*#include <linux/in6.h>*/
+#include <linux/netfilter_ipv6/ip6t_rt.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+
+/*#define DEBUG 1*/
+
+static void rt_help(void)
+{
+ printf(
+"rt match options:\n"
+"[!] --rt-type type match the type\n"
+"[!] --rt-segsleft num[:num] match the Segments Left field (range)\n"
+"[!] --rt-len length total length of this header\n"
+" --rt-0-res check the reserved filed, too (type 0)\n"
+" --rt-0-addrs ADDR[,ADDR...] Type=0 addresses (list, max: %d)\n"
+" --rt-0-not-strict List of Type=0 addresses not a strict list\n",
+IP6T_RT_HOPS);
+}
+
+static const struct option rt_opts[] = {
+ { "rt-type", 1, NULL, '1' },
+ { "rt-segsleft", 1, NULL, '2' },
+ { "rt-len", 1, NULL, '3' },
+ { "rt-0-res", 0, NULL, '4' },
+ { "rt-0-addrs", 1, NULL, '5' },
+ { "rt-0-not-strict", 0, NULL, '6' },
+ { .name = NULL }
+};
+
+static u_int32_t
+parse_rt_num(const char *idstr, const char *typestr)
+{
+ unsigned long int id;
+ char* ep;
+
+ id = strtoul(idstr,&ep,0) ;
+
+ if ( idstr == ep ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "RT no valid digits in %s `%s'", typestr, idstr);
+ }
+ if ( id == ULONG_MAX && errno == ERANGE ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "%s `%s' specified too big: would overflow",
+ typestr, idstr);
+ }
+ if ( *idstr != '\0' && *ep != '\0' ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "RT error parsing %s `%s'", typestr, idstr);
+ }
+ return id;
+}
+
+static void
+parse_rt_segsleft(const char *idstring, u_int32_t *ids)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(idstring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ids[0] = ids[1] = parse_rt_num(buffer,"segsleft");
+ else {
+ *cp = '\0';
+ cp++;
+
+ ids[0] = buffer[0] ? parse_rt_num(buffer,"segsleft") : 0;
+ ids[1] = cp[0] ? parse_rt_num(cp,"segsleft") : 0xFFFFFFFF;
+ }
+ free(buffer);
+}
+
+static char *
+addr_to_numeric(const struct in6_addr *addrp)
+{
+ static char buf[50+1];
+ return (char *)inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
+}
+
+static struct in6_addr *
+numeric_to_addr(const char *num)
+{
+ static struct in6_addr ap;
+ int err;
+
+ if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
+ return &ap;
+#ifdef DEBUG
+ fprintf(stderr, "\nnumeric2addr: %d\n", err);
+#endif
+ xtables_error(PARAMETER_PROBLEM, "bad address: %s", num);
+
+ return (struct in6_addr *)NULL;
+}
+
+
+static int
+parse_addresses(const char *addrstr, struct in6_addr *addrp)
+{
+ char *buffer, *cp, *next;
+ unsigned int i;
+
+ buffer = strdup(addrstr);
+ if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+
+ for (cp=buffer, i=0; cp && i<IP6T_RT_HOPS; cp=next,i++)
+ {
+ next=strchr(cp, ',');
+ if (next) *next++='\0';
+ memcpy(&(addrp[i]), numeric_to_addr(cp), sizeof(struct in6_addr));
+#if DEBUG
+ printf("addr str: %s\n", cp);
+ printf("addr ip6: %s\n", addr_to_numeric((numeric_to_addr(cp))));
+ printf("addr [%d]: %s\n", i, addr_to_numeric(&(addrp[i])));
+#endif
+ }
+ if (cp) xtables_error(PARAMETER_PROBLEM, "too many addresses specified");
+
+ free(buffer);
+
+#if DEBUG
+ printf("addr nr: %d\n", i);
+#endif
+
+ return i;
+}
+
+static void rt_init(struct xt_entry_match *m)
+{
+ struct ip6t_rt *rtinfo = (struct ip6t_rt *)m->data;
+
+ rtinfo->rt_type = 0x0L;
+ rtinfo->segsleft[0] = 0x0L;
+ rtinfo->segsleft[1] = 0xFFFFFFFF;
+ rtinfo->hdrlen = 0;
+ rtinfo->flags = 0;
+ rtinfo->invflags = 0;
+ rtinfo->addrnr = 0;
+}
+
+static int rt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_rt *rtinfo = (struct ip6t_rt *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & IP6T_RT_TYP)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--rt-type' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ rtinfo->rt_type = parse_rt_num(optarg, "type");
+ if (invert)
+ rtinfo->invflags |= IP6T_RT_INV_TYP;
+ rtinfo->flags |= IP6T_RT_TYP;
+ *flags |= IP6T_RT_TYP;
+ break;
+ case '2':
+ if (*flags & IP6T_RT_SGS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--rt-segsleft' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_rt_segsleft(optarg, rtinfo->segsleft);
+ if (invert)
+ rtinfo->invflags |= IP6T_RT_INV_SGS;
+ rtinfo->flags |= IP6T_RT_SGS;
+ *flags |= IP6T_RT_SGS;
+ break;
+ case '3':
+ if (*flags & IP6T_RT_LEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--rt-len' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ rtinfo->hdrlen = parse_rt_num(optarg, "length");
+ if (invert)
+ rtinfo->invflags |= IP6T_RT_INV_LEN;
+ rtinfo->flags |= IP6T_RT_LEN;
+ *flags |= IP6T_RT_LEN;
+ break;
+ case '4':
+ if (*flags & IP6T_RT_RES)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--rt-0-res' allowed");
+ if ( !(*flags & IP6T_RT_TYP) || (rtinfo->rt_type != 0) || (rtinfo->invflags & IP6T_RT_INV_TYP) )
+ xtables_error(PARAMETER_PROBLEM,
+ "`--rt-type 0' required before `--rt-0-res'");
+ rtinfo->flags |= IP6T_RT_RES;
+ *flags |= IP6T_RT_RES;
+ break;
+ case '5':
+ if (*flags & IP6T_RT_FST)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--rt-0-addrs' allowed");
+ if ( !(*flags & IP6T_RT_TYP) || (rtinfo->rt_type != 0) || (rtinfo->invflags & IP6T_RT_INV_TYP) )
+ xtables_error(PARAMETER_PROBLEM,
+ "`--rt-type 0' required before `--rt-0-addrs'");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ " '!' not allowed with `--rt-0-addrs'");
+ rtinfo->addrnr = parse_addresses(optarg, rtinfo->addrs);
+ rtinfo->flags |= IP6T_RT_FST;
+ *flags |= IP6T_RT_FST;
+ break;
+ case '6':
+ if (*flags & IP6T_RT_FST_NSTRICT)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--rt-0-not-strict' allowed");
+ if ( !(*flags & IP6T_RT_FST) )
+ xtables_error(PARAMETER_PROBLEM,
+ "`--rt-0-addr ...' required before `--rt-0-not-strict'");
+ rtinfo->flags |= IP6T_RT_FST_NSTRICT;
+ *flags |= IP6T_RT_FST_NSTRICT;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+print_nums(const char *name, u_int32_t min, u_int32_t max,
+ int invert)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFFFFFF || invert) {
+ printf("%s", name);
+ if (min == max) {
+ printf(":%s", inv);
+ printf("%u", min);
+ } else {
+ printf("s:%s", inv);
+ printf("%u",min);
+ printf(":");
+ printf("%u",max);
+ }
+ printf(" ");
+ }
+}
+
+static void
+print_addresses(unsigned int addrnr, struct in6_addr *addrp)
+{
+ unsigned int i;
+
+ for(i=0; i<addrnr; i++){
+ printf("%s%c", addr_to_numeric(&(addrp[i])), (i!=addrnr-1)?',':' ');
+ }
+}
+
+static void rt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_rt *rtinfo = (struct ip6t_rt *)match->data;
+
+ printf("rt ");
+ if (rtinfo->flags & IP6T_RT_TYP)
+ printf("type:%s%d ", rtinfo->invflags & IP6T_RT_INV_TYP ? "!" : "",
+ rtinfo->rt_type);
+ print_nums("segsleft", rtinfo->segsleft[0], rtinfo->segsleft[1],
+ rtinfo->invflags & IP6T_RT_INV_SGS);
+ if (rtinfo->flags & IP6T_RT_LEN) {
+ printf("length");
+ printf(":%s", rtinfo->invflags & IP6T_RT_INV_LEN ? "!" : "");
+ printf("%u", rtinfo->hdrlen);
+ printf(" ");
+ }
+ if (rtinfo->flags & IP6T_RT_RES) printf("reserved ");
+ if (rtinfo->flags & IP6T_RT_FST) printf("0-addrs ");
+ print_addresses(rtinfo->addrnr, (struct in6_addr *)rtinfo->addrs);
+ if (rtinfo->flags & IP6T_RT_FST_NSTRICT) printf("0-not-strict ");
+ if (rtinfo->invflags & ~IP6T_RT_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ rtinfo->invflags & ~IP6T_RT_INV_MASK);
+}
+
+static void rt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ip6t_rt *rtinfo = (struct ip6t_rt *)match->data;
+
+ if (rtinfo->flags & IP6T_RT_TYP) {
+ printf("%s--rt-type %u ",
+ (rtinfo->invflags & IP6T_RT_INV_TYP) ? "! " : "",
+ rtinfo->rt_type);
+ }
+
+ if (!(rtinfo->segsleft[0] == 0
+ && rtinfo->segsleft[1] == 0xFFFFFFFF)) {
+ printf("%s--rt-segsleft ",
+ (rtinfo->invflags & IP6T_RT_INV_SGS) ? "! " : "");
+ if (rtinfo->segsleft[0]
+ != rtinfo->segsleft[1])
+ printf("%u:%u ",
+ rtinfo->segsleft[0],
+ rtinfo->segsleft[1]);
+ else
+ printf("%u ",
+ rtinfo->segsleft[0]);
+ }
+
+ if (rtinfo->flags & IP6T_RT_LEN) {
+ printf("%s--rt-len %u ",
+ (rtinfo->invflags & IP6T_RT_INV_LEN) ? "! " : "",
+ rtinfo->hdrlen);
+ }
+
+ if (rtinfo->flags & IP6T_RT_RES) printf("--rt-0-res ");
+ if (rtinfo->flags & IP6T_RT_FST) printf("--rt-0-addrs ");
+ print_addresses(rtinfo->addrnr, (struct in6_addr *)rtinfo->addrs);
+ if (rtinfo->flags & IP6T_RT_FST_NSTRICT) printf("--rt-0-not-strict ");
+
+}
+
+static struct xtables_match rt_mt6_reg = {
+ .name = "rt",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_rt)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_rt)),
+ .help = rt_help,
+ .init = rt_init,
+ .parse = rt_parse,
+ .print = rt_print,
+ .save = rt_save,
+ .extra_opts = rt_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&rt_mt6_reg);
+}
diff --git a/extensions/libip6t_rt.man b/extensions/libip6t_rt.man
new file mode 100644
index 0000000..0443e0a
--- /dev/null
+++ b/extensions/libip6t_rt.man
@@ -0,0 +1,19 @@
+Match on IPv6 routing header
+.TP
+[\fB!\fP] \fB\-\-rt\-type\fP \fItype\fP
+Match the type (numeric).
+.TP
+[\fB!\fP] \fB\-\-rt\-segsleft\fP \fInum\fP[\fB:\fP\fInum\fP]
+Match the `segments left' field (range).
+.TP
+[\fB!\fP] \fB\-\-rt\-len\fP \fIlength\fP
+Match the length of this header.
+.TP
+\fB\-\-rt\-0\-res\fP
+Match the reserved field, too (type=0)
+.TP
+\fB\-\-rt\-0\-addrs\fP \fIaddr\fP[\fB,\fP\fIaddr\fP...]
+Match type=0 addresses (list).
+.TP
+\fB\-\-rt\-0\-not\-strict\fP
+List of type=0 addresses is not a strict list.
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
new file mode 100644
index 0000000..279aacf
--- /dev/null
+++ b/extensions/libipt_CLUSTERIP.c
@@ -0,0 +1,249 @@
+/* Shared library add-on to iptables to add CLUSTERIP target support.
+ * (C) 2003 by Harald Welte <laforge@gnumonks.org>
+ *
+ * Development of this code was funded by SuSE AG, http://www.suse.com/
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <stddef.h>
+
+#if defined(__GLIBC__) && __GLIBC__ == 2
+#include <net/ethernet.h>
+#else
+#include <linux/if_ether.h>
+#endif
+
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
+
+static void CLUSTERIP_help(void)
+{
+ printf(
+"CLUSTERIP target options:\n"
+" --new Create a new ClusterIP\n"
+" --hashmode <mode> Specify hashing mode\n"
+" sourceip\n"
+" sourceip-sourceport\n"
+" sourceip-sourceport-destport\n"
+" --clustermac <mac> Set clusterIP MAC address\n"
+" --total-nodes <num> Set number of total nodes in cluster\n"
+" --local-node <num> Set the local node number\n"
+" --hash-init <num> Set init value of the Jenkins hash\n");
+}
+
+#define PARAM_NEW 0x0001
+#define PARAM_HMODE 0x0002
+#define PARAM_MAC 0x0004
+#define PARAM_TOTALNODE 0x0008
+#define PARAM_LOCALNODE 0x0010
+#define PARAM_HASHINIT 0x0020
+
+static const struct option CLUSTERIP_opts[] = {
+ { "new", 0, NULL, '1' },
+ { "hashmode", 1, NULL, '2' },
+ { "clustermac", 1, NULL, '3' },
+ { "total-nodes", 1, NULL, '4' },
+ { "local-node", 1, NULL, '5' },
+ { "hash-init", 1, NULL, '6' },
+ { .name = NULL }
+};
+
+static void
+parse_mac(const char *mac, char *macbuf)
+{
+ unsigned int i = 0;
+
+ if (strlen(mac) != ETH_ALEN*3-1)
+ xtables_error(PARAMETER_PROBLEM, "Bad mac address \"%s\"", mac);
+
+ for (i = 0; i < ETH_ALEN; i++) {
+ long number;
+ char *end;
+
+ number = strtol(mac + i*3, &end, 16);
+
+ if (end == mac + i*3 + 2
+ && number >= 0
+ && number <= 255)
+ macbuf[i] = number;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "Bad mac address `%s'", mac);
+ }
+}
+
+static int CLUSTERIP_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ipt_clusterip_tgt_info *cipinfo
+ = (struct ipt_clusterip_tgt_info *)(*target)->data;
+
+ switch (c) {
+ unsigned int num;
+ case '1':
+ cipinfo->flags |= CLUSTERIP_FLAG_NEW;
+ if (*flags & PARAM_NEW)
+ xtables_error(PARAMETER_PROBLEM, "Can only specify \"--new\" once\n");
+ *flags |= PARAM_NEW;
+ break;
+ case '2':
+ if (!(*flags & PARAM_NEW))
+ xtables_error(PARAMETER_PROBLEM, "Can only specify hashmode combined with \"--new\"\n");
+ if (*flags & PARAM_HMODE)
+ xtables_error(PARAMETER_PROBLEM, "Can only specify hashmode once\n");
+ if (!strcmp(optarg, "sourceip"))
+ cipinfo->hash_mode = CLUSTERIP_HASHMODE_SIP;
+ else if (!strcmp(optarg, "sourceip-sourceport"))
+ cipinfo->hash_mode = CLUSTERIP_HASHMODE_SIP_SPT;
+ else if (!strcmp(optarg, "sourceip-sourceport-destport"))
+ cipinfo->hash_mode = CLUSTERIP_HASHMODE_SIP_SPT_DPT;
+ else
+ xtables_error(PARAMETER_PROBLEM, "Unknown hashmode \"%s\"\n",
+ optarg);
+ *flags |= PARAM_HMODE;
+ break;
+ case '3':
+ if (!(*flags & PARAM_NEW))
+ xtables_error(PARAMETER_PROBLEM, "Can only specify MAC combined with \"--new\"\n");
+ if (*flags & PARAM_MAC)
+ xtables_error(PARAMETER_PROBLEM, "Can only specify MAC once\n");
+ parse_mac(optarg, (char *)cipinfo->clustermac);
+ if (!(cipinfo->clustermac[0] & 0x01))
+ xtables_error(PARAMETER_PROBLEM, "MAC has to be a multicast ethernet address\n");
+ *flags |= PARAM_MAC;
+ break;
+ case '4':
+ if (!(*flags & PARAM_NEW))
+ xtables_error(PARAMETER_PROBLEM, "Can only specify node number combined with \"--new\"\n");
+ if (*flags & PARAM_TOTALNODE)
+ xtables_error(PARAMETER_PROBLEM, "Can only specify total node number once\n");
+ if (!xtables_strtoui(optarg, NULL, &num, 1, CLUSTERIP_MAX_NODES))
+ xtables_error(PARAMETER_PROBLEM, "Unable to parse \"%s\"\n", optarg);
+ cipinfo->num_total_nodes = num;
+ *flags |= PARAM_TOTALNODE;
+ break;
+ case '5':
+ if (!(*flags & PARAM_NEW))
+ xtables_error(PARAMETER_PROBLEM, "Can only specify node number combined with \"--new\"\n");
+ if (*flags & PARAM_LOCALNODE)
+ xtables_error(PARAMETER_PROBLEM, "Can only specify local node number once\n");
+ if (!xtables_strtoui(optarg, NULL, &num, 1, CLUSTERIP_MAX_NODES))
+ xtables_error(PARAMETER_PROBLEM, "Unable to parse \"%s\"\n", optarg);
+ cipinfo->num_local_nodes = 1;
+ cipinfo->local_nodes[0] = num;
+ *flags |= PARAM_LOCALNODE;
+ break;
+ case '6':
+ if (!(*flags & PARAM_NEW))
+ xtables_error(PARAMETER_PROBLEM, "Can only specify hash init value combined with \"--new\"\n");
+ if (*flags & PARAM_HASHINIT)
+ xtables_error(PARAMETER_PROBLEM, "Can specify hash init value only once\n");
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT_MAX))
+ xtables_error(PARAMETER_PROBLEM, "Unable to parse \"%s\"\n", optarg);
+ cipinfo->hash_initval = num;
+ *flags |= PARAM_HASHINIT;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void CLUSTERIP_check(unsigned int flags)
+{
+ if (flags == 0)
+ return;
+
+ if ((flags & (PARAM_NEW|PARAM_HMODE|PARAM_MAC|PARAM_TOTALNODE|PARAM_LOCALNODE))
+ == (PARAM_NEW|PARAM_HMODE|PARAM_MAC|PARAM_TOTALNODE|PARAM_LOCALNODE))
+ return;
+
+ xtables_error(PARAMETER_PROBLEM, "CLUSTERIP target: Invalid parameter combination\n");
+}
+
+static char *hashmode2str(enum clusterip_hashmode mode)
+{
+ char *retstr;
+ switch (mode) {
+ case CLUSTERIP_HASHMODE_SIP:
+ retstr = "sourceip";
+ break;
+ case CLUSTERIP_HASHMODE_SIP_SPT:
+ retstr = "sourceip-sourceport";
+ break;
+ case CLUSTERIP_HASHMODE_SIP_SPT_DPT:
+ retstr = "sourceip-sourceport-destport";
+ break;
+ default:
+ retstr = "unknown-error";
+ break;
+ }
+ return retstr;
+}
+
+static char *mac2str(const u_int8_t mac[ETH_ALEN])
+{
+ static char buf[ETH_ALEN*3];
+ sprintf(buf, "%02X:%02X:%02X:%02X:%02X:%02X",
+ mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
+ return buf;
+}
+
+static void CLUSTERIP_print(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct ipt_clusterip_tgt_info *cipinfo =
+ (const struct ipt_clusterip_tgt_info *)target->data;
+
+ if (!cipinfo->flags & CLUSTERIP_FLAG_NEW) {
+ printf("CLUSTERIP");
+ return;
+ }
+
+ printf("CLUSTERIP hashmode=%s clustermac=%s total_nodes=%u local_node=%u hash_init=%u",
+ hashmode2str(cipinfo->hash_mode),
+ mac2str(cipinfo->clustermac),
+ cipinfo->num_total_nodes,
+ cipinfo->local_nodes[0],
+ cipinfo->hash_initval);
+}
+
+static void CLUSTERIP_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ipt_clusterip_tgt_info *cipinfo =
+ (const struct ipt_clusterip_tgt_info *)target->data;
+
+ /* if this is not a new entry, we don't need to save target
+ * parameters */
+ if (!cipinfo->flags & CLUSTERIP_FLAG_NEW)
+ return;
+
+ printf("--new --hashmode %s --clustermac %s --total-nodes %d --local-node %d --hash-init %u",
+ hashmode2str(cipinfo->hash_mode),
+ mac2str(cipinfo->clustermac),
+ cipinfo->num_total_nodes,
+ cipinfo->local_nodes[0],
+ cipinfo->hash_initval);
+}
+
+static struct xtables_target clusterip_tg_reg = {
+ .name = "CLUSTERIP",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_clusterip_tgt_info)),
+ .userspacesize = offsetof(struct ipt_clusterip_tgt_info, config),
+ .help = CLUSTERIP_help,
+ .parse = CLUSTERIP_parse,
+ .final_check = CLUSTERIP_check,
+ .print = CLUSTERIP_print,
+ .save = CLUSTERIP_save,
+ .extra_opts = CLUSTERIP_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&clusterip_tg_reg);
+}
diff --git a/extensions/libipt_CLUSTERIP.man b/extensions/libipt_CLUSTERIP.man
new file mode 100644
index 0000000..8ec6d6b
--- /dev/null
+++ b/extensions/libipt_CLUSTERIP.man
@@ -0,0 +1,24 @@
+This module allows you to configure a simple cluster of nodes that share
+a certain IP and MAC address without an explicit load balancer in front of
+them. Connections are statically distributed between the nodes in this
+cluster.
+.TP
+\fB\-\-new\fP
+Create a new ClusterIP. You always have to set this on the first rule
+for a given ClusterIP.
+.TP
+\fB\-\-hashmode\fP \fImode\fP
+Specify the hashing mode. Has to be one of
+\fBsourceip\fP, \fBsourceip\-sourceport\fP, \fBsourceip\-sourceport\-destport\fP.
+.TP
+\fB\-\-clustermac\fP \fImac\fP
+Specify the ClusterIP MAC address. Has to be a link\-layer multicast address
+.TP
+\fB\-\-total\-nodes\fP \fInum\fP
+Number of total nodes within this cluster.
+.TP
+\fB\-\-local\-node\fP \fInum\fP
+Local node number within this cluster.
+.TP
+\fB\-\-hash\-init\fP \fIrnd\fP
+Specify the random seed used for hash initialization.
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
new file mode 100644
index 0000000..57c5888
--- /dev/null
+++ b/extensions/libipt_DNAT.c
@@ -0,0 +1,269 @@
+/* Shared library add-on to iptables to add destination-NAT support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <iptables.h> /* get_kernel_version */
+#include <limits.h> /* INT_MAX in ip_tables.h */
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <net/netfilter/nf_nat.h>
+
+#define IPT_DNAT_OPT_DEST 0x1
+#define IPT_DNAT_OPT_RANDOM 0x2
+
+/* Dest NAT data consists of a multi-range, indicating where to map
+ to. */
+struct ipt_natinfo
+{
+ struct xt_entry_target t;
+ struct nf_nat_multi_range mr;
+};
+
+static void DNAT_help(void)
+{
+ printf(
+"DNAT target options:\n"
+" --to-destination <ipaddr>[-<ipaddr>][:port-port]\n"
+" Address to map destination to.\n"
+"[--random] [--persistent]\n");
+}
+
+static const struct option DNAT_opts[] = {
+ { "to-destination", 1, NULL, '1' },
+ { "random", 0, NULL, '2' },
+ { "persistent", 0, NULL, '3' },
+ { .name = NULL }
+};
+
+static struct ipt_natinfo *
+append_range(struct ipt_natinfo *info, const struct nf_nat_range *range)
+{
+ unsigned int size;
+
+ /* One rangesize already in struct ipt_natinfo */
+ size = XT_ALIGN(sizeof(*info) + info->mr.rangesize * sizeof(*range));
+
+ info = realloc(info, size);
+ if (!info)
+ xtables_error(OTHER_PROBLEM, "Out of memory\n");
+
+ info->t.u.target_size = size;
+ info->mr.range[info->mr.rangesize] = *range;
+ info->mr.rangesize++;
+
+ return info;
+}
+
+/* Ranges expected in network order. */
+static struct xt_entry_target *
+parse_to(char *arg, int portok, struct ipt_natinfo *info)
+{
+ struct nf_nat_range range;
+ char *colon, *dash, *error;
+ const struct in_addr *ip;
+
+ memset(&range, 0, sizeof(range));
+ colon = strchr(arg, ':');
+
+ if (colon) {
+ int port;
+
+ if (!portok)
+ xtables_error(PARAMETER_PROBLEM,
+ "Need TCP, UDP, SCTP or DCCP with port specification");
+
+ range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+
+ port = atoi(colon+1);
+ if (port <= 0 || port > 65535)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", colon+1);
+
+ error = strchr(colon+1, ':');
+ if (error)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid port:port syntax - use dash\n");
+
+ dash = strchr(colon, '-');
+ if (!dash) {
+ range.min.tcp.port
+ = range.max.tcp.port
+ = htons(port);
+ } else {
+ int maxport;
+
+ maxport = atoi(dash + 1);
+ if (maxport <= 0 || maxport > 65535)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", dash+1);
+ if (maxport < port)
+ /* People are stupid. */
+ xtables_error(PARAMETER_PROBLEM,
+ "Port range `%s' funky\n", colon+1);
+ range.min.tcp.port = htons(port);
+ range.max.tcp.port = htons(maxport);
+ }
+ /* Starts with a colon? No IP info...*/
+ if (colon == arg)
+ return &(append_range(info, &range)->t);
+ *colon = '\0';
+ }
+
+ range.flags |= IP_NAT_RANGE_MAP_IPS;
+ dash = strchr(arg, '-');
+ if (colon && dash && dash > colon)
+ dash = NULL;
+
+ if (dash)
+ *dash = '\0';
+
+ ip = xtables_numeric_to_ipaddr(arg);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ arg);
+ range.min_ip = ip->s_addr;
+ if (dash) {
+ ip = xtables_numeric_to_ipaddr(dash+1);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ dash+1);
+ range.max_ip = ip->s_addr;
+ } else
+ range.max_ip = range.min_ip;
+
+ return &(append_range(info, &range)->t);
+}
+
+static int DNAT_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *e, struct xt_entry_target **target)
+{
+ const struct ipt_entry *entry = e;
+ struct ipt_natinfo *info = (void *)*target;
+ int portok;
+
+ if (entry->ip.proto == IPPROTO_TCP
+ || entry->ip.proto == IPPROTO_UDP
+ || entry->ip.proto == IPPROTO_SCTP
+ || entry->ip.proto == IPPROTO_DCCP
+ || entry->ip.proto == IPPROTO_ICMP)
+ portok = 1;
+ else
+ portok = 0;
+
+ switch (c) {
+ case '1':
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --to-destination");
+
+ if (*flags & IPT_DNAT_OPT_DEST) {
+ if (!kernel_version)
+ get_kernel_version();
+ if (kernel_version > LINUX_VERSION(2, 6, 10))
+ xtables_error(PARAMETER_PROBLEM,
+ "Multiple --to-destination not supported");
+ }
+ *target = parse_to(optarg, portok, info);
+ /* WTF do we need this for?? */
+ if (*flags & IPT_DNAT_OPT_RANDOM)
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_DNAT_OPT_DEST;
+ return 1;
+
+ case '2':
+ if (*flags & IPT_DNAT_OPT_DEST) {
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_DNAT_OPT_RANDOM;
+ } else
+ *flags |= IPT_DNAT_OPT_RANDOM;
+ return 1;
+
+ case '3':
+ info->mr.range[0].flags |= IP_NAT_RANGE_PERSISTENT;
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+static void DNAT_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "You must specify --to-destination");
+}
+
+static void print_range(const struct nf_nat_range *r)
+{
+ if (r->flags & IP_NAT_RANGE_MAP_IPS) {
+ struct in_addr a;
+
+ a.s_addr = r->min_ip;
+ printf("%s", xtables_ipaddr_to_numeric(&a));
+ if (r->max_ip != r->min_ip) {
+ a.s_addr = r->max_ip;
+ printf("-%s", xtables_ipaddr_to_numeric(&a));
+ }
+ }
+ if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ printf(":");
+ printf("%hu", ntohs(r->min.tcp.port));
+ if (r->max.tcp.port != r->min.tcp.port)
+ printf("-%hu", ntohs(r->max.tcp.port));
+ }
+}
+
+static void DNAT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ipt_natinfo *info = (const void *)target;
+ unsigned int i = 0;
+
+ printf("to:");
+ for (i = 0; i < info->mr.rangesize; i++) {
+ print_range(&info->mr.range[i]);
+ printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT)
+ printf("persistent ");
+ }
+}
+
+static void DNAT_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ipt_natinfo *info = (const void *)target;
+ unsigned int i = 0;
+
+ for (i = 0; i < info->mr.rangesize; i++) {
+ printf("--to-destination ");
+ print_range(&info->mr.range[i]);
+ printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT)
+ printf("--persistent ");
+ }
+}
+
+static struct xtables_target dnat_tg_reg = {
+ .name = "DNAT",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .help = DNAT_help,
+ .parse = DNAT_parse,
+ .final_check = DNAT_check,
+ .print = DNAT_print,
+ .save = DNAT_save,
+ .extra_opts = DNAT_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&dnat_tg_reg);
+}
diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man
new file mode 100644
index 0000000..d1e0a3a
--- /dev/null
+++ b/extensions/libipt_DNAT.man
@@ -0,0 +1,39 @@
+This target is only valid in the
+.B nat
+table, in the
+.B PREROUTING
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. It specifies that the destination address of the packet
+should be modified (and all future packets in this connection will
+also be mangled), and rules should cease being examined. It takes one
+type of option:
+.TP
+\fB\-\-to\-destination\fP [\fIipaddr\fP][\fB\-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
+which can specify a single new destination IP address, an inclusive
+range of IP addresses, and optionally, a port range (which is only
+valid if the rule also specifies
+\fB\-p tcp\fP
+or
+\fB\-p udp\fP).
+If no port range is specified, then the destination port will never be
+modified. If no IP address is specified then only the destination port
+will be modified.
+
+In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For
+those kernels, if you specify more than one destination address, either via an
+address range or multiple \-\-to\-destination options, a simple round-robin (one
+after another in cycle) load balancing takes place between these addresses.
+Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
+anymore.
+.TP
+\fB\-\-random\fP
+If option
+\fB\-\-random\fP
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.TP
+\fB\-\-persistent\fP
+Gives a client the same source-/destination-address for each connection.
+This supersedes the SAME target. Support for persistent mappings is available
+from 2.6.29-rc2.
diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
new file mode 100644
index 0000000..bf1f8a5
--- /dev/null
+++ b/extensions/libipt_ECN.c
@@ -0,0 +1,169 @@
+/* Shared library add-on to iptables for ECN, $Version$
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ *
+ * libipt_ECN.c borrowed heavily from libipt_DSCP.c
+ *
+ * $Id$
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ipt_ECN.h>
+
+static void ECN_help(void)
+{
+ printf(
+"ECN target options\n"
+" --ecn-tcp-remove Remove all ECN bits from TCP header\n");
+}
+
+#if 0
+"ECN target v%s EXPERIMENTAL options (use with extreme care!)\n"
+" --ecn-ip-ect Set the IPv4 ECT codepoint (0 to 3)\n"
+" --ecn-tcp-cwr Set the IPv4 CWR bit (0 or 1)\n"
+" --ecn-tcp-ece Set the IPv4 ECE bit (0 or 1)\n",
+#endif
+
+
+static const struct option ECN_opts[] = {
+ { "ecn-tcp-remove", 0, NULL, 'F' },
+ { "ecn-tcp-cwr", 1, NULL, 'G' },
+ { "ecn-tcp-ece", 1, NULL, 'H' },
+ { "ecn-ip-ect", 1, NULL, '9' },
+ { .name = NULL }
+};
+
+static int ECN_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ unsigned int result;
+ struct ipt_ECN_info *einfo
+ = (struct ipt_ECN_info *)(*target)->data;
+
+ switch (c) {
+ case 'F':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN target: Only use --ecn-tcp-remove ONCE!");
+ einfo->operation = IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR;
+ einfo->proto.tcp.ece = 0;
+ einfo->proto.tcp.cwr = 0;
+ *flags = 1;
+ break;
+ case 'G':
+ if (*flags & IPT_ECN_OP_SET_CWR)
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN target: Only use --ecn-tcp-cwr ONCE!");
+ if (!xtables_strtoui(optarg, NULL, &result, 0, 1))
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN target: Value out of range");
+ einfo->operation |= IPT_ECN_OP_SET_CWR;
+ einfo->proto.tcp.cwr = result;
+ *flags |= IPT_ECN_OP_SET_CWR;
+ break;
+ case 'H':
+ if (*flags & IPT_ECN_OP_SET_ECE)
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN target: Only use --ecn-tcp-ece ONCE!");
+ if (!xtables_strtoui(optarg, NULL, &result, 0, 1))
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN target: Value out of range");
+ einfo->operation |= IPT_ECN_OP_SET_ECE;
+ einfo->proto.tcp.ece = result;
+ *flags |= IPT_ECN_OP_SET_ECE;
+ break;
+ case '9':
+ if (*flags & IPT_ECN_OP_SET_IP)
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN target: Only use --ecn-ip-ect ONCE!");
+ if (!xtables_strtoui(optarg, NULL, &result, 0, 3))
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN target: Value out of range");
+ einfo->operation |= IPT_ECN_OP_SET_IP;
+ einfo->ip_ect = result;
+ *flags |= IPT_ECN_OP_SET_IP;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void ECN_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN target: Parameter --ecn-tcp-remove is required");
+}
+
+static void ECN_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ipt_ECN_info *einfo =
+ (const struct ipt_ECN_info *)target->data;
+
+ printf("ECN ");
+
+ if (einfo->operation == (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)
+ && einfo->proto.tcp.ece == 0
+ && einfo->proto.tcp.cwr == 0)
+ printf("TCP remove ");
+ else {
+ if (einfo->operation & IPT_ECN_OP_SET_ECE)
+ printf("ECE=%u ", einfo->proto.tcp.ece);
+
+ if (einfo->operation & IPT_ECN_OP_SET_CWR)
+ printf("CWR=%u ", einfo->proto.tcp.cwr);
+
+ if (einfo->operation & IPT_ECN_OP_SET_IP)
+ printf("ECT codepoint=%u ", einfo->ip_ect);
+ }
+}
+
+static void ECN_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ipt_ECN_info *einfo =
+ (const struct ipt_ECN_info *)target->data;
+
+ if (einfo->operation == (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)
+ && einfo->proto.tcp.ece == 0
+ && einfo->proto.tcp.cwr == 0)
+ printf("--ecn-tcp-remove ");
+ else {
+
+ if (einfo->operation & IPT_ECN_OP_SET_ECE)
+ printf("--ecn-tcp-ece %d ", einfo->proto.tcp.ece);
+
+ if (einfo->operation & IPT_ECN_OP_SET_CWR)
+ printf("--ecn-tcp-cwr %d ", einfo->proto.tcp.cwr);
+
+ if (einfo->operation & IPT_ECN_OP_SET_IP)
+ printf("--ecn-ip-ect %d ", einfo->ip_ect);
+ }
+}
+
+static struct xtables_target ecn_tg_reg = {
+ .name = "ECN",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_ECN_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_ECN_info)),
+ .help = ECN_help,
+ .parse = ECN_parse,
+ .final_check = ECN_check,
+ .print = ECN_print,
+ .save = ECN_save,
+ .extra_opts = ECN_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&ecn_tg_reg);
+}
diff --git a/extensions/libipt_ECN.man b/extensions/libipt_ECN.man
new file mode 100644
index 0000000..a9cbe10
--- /dev/null
+++ b/extensions/libipt_ECN.man
@@ -0,0 +1,7 @@
+This target allows to selectively work around known ECN blackholes.
+It can only be used in the mangle table.
+.TP
+\fB\-\-ecn\-tcp\-remove\fP
+Remove all ECN bits from the TCP header. Of course, it can only be used
+in conjunction with
+\fB\-p tcp\fP.
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
new file mode 100644
index 0000000..9afb91d
--- /dev/null
+++ b/extensions/libipt_LOG.c
@@ -0,0 +1,264 @@
+/* Shared library add-on to iptables to add LOG support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ipt_LOG.h>
+
+#define LOG_DEFAULT_LEVEL LOG_WARNING
+
+#ifndef IPT_LOG_UID /* Old kernel */
+#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
+#undef IPT_LOG_MASK
+#define IPT_LOG_MASK 0x0f
+#endif
+
+static void LOG_help(void)
+{
+ printf(
+"LOG target options:\n"
+" --log-level level Level of logging (numeric or see syslog.conf)\n"
+" --log-prefix prefix Prefix log messages with this prefix.\n\n"
+" --log-tcp-sequence Log TCP sequence numbers.\n\n"
+" --log-tcp-options Log TCP options.\n\n"
+" --log-ip-options Log IP options.\n\n"
+" --log-uid Log UID owning the local socket.\n\n");
+}
+
+static const struct option LOG_opts[] = {
+ { .name = "log-level", .has_arg = 1, .val = '!' },
+ { .name = "log-prefix", .has_arg = 1, .val = '#' },
+ { .name = "log-tcp-sequence", .has_arg = 0, .val = '1' },
+ { .name = "log-tcp-options", .has_arg = 0, .val = '2' },
+ { .name = "log-ip-options", .has_arg = 0, .val = '3' },
+ { .name = "log-uid", .has_arg = 0, .val = '4' },
+ { .name = NULL }
+};
+
+static void LOG_init(struct xt_entry_target *t)
+{
+ struct ipt_log_info *loginfo = (struct ipt_log_info *)t->data;
+
+ loginfo->level = LOG_DEFAULT_LEVEL;
+
+}
+
+struct ipt_log_names {
+ const char *name;
+ unsigned int level;
+};
+
+static const struct ipt_log_names ipt_log_names[]
+= { { .name = "alert", .level = LOG_ALERT },
+ { .name = "crit", .level = LOG_CRIT },
+ { .name = "debug", .level = LOG_DEBUG },
+ { .name = "emerg", .level = LOG_EMERG },
+ { .name = "error", .level = LOG_ERR }, /* DEPRECATED */
+ { .name = "info", .level = LOG_INFO },
+ { .name = "notice", .level = LOG_NOTICE },
+ { .name = "panic", .level = LOG_EMERG }, /* DEPRECATED */
+ { .name = "warning", .level = LOG_WARNING }
+};
+
+static u_int8_t
+parse_level(const char *level)
+{
+ unsigned int lev = -1;
+ unsigned int set = 0;
+
+ if (!xtables_strtoui(level, NULL, &lev, 0, 7)) {
+ unsigned int i = 0;
+
+ for (i = 0; i < ARRAY_SIZE(ipt_log_names); ++i)
+ if (strncasecmp(level, ipt_log_names[i].name,
+ strlen(level)) == 0) {
+ if (set++)
+ xtables_error(PARAMETER_PROBLEM,
+ "log-level `%s' ambiguous",
+ level);
+ lev = ipt_log_names[i].level;
+ }
+
+ if (!set)
+ xtables_error(PARAMETER_PROBLEM,
+ "log-level `%s' unknown", level);
+ }
+
+ return lev;
+}
+
+#define IPT_LOG_OPT_LEVEL 0x01
+#define IPT_LOG_OPT_PREFIX 0x02
+#define IPT_LOG_OPT_TCPSEQ 0x04
+#define IPT_LOG_OPT_TCPOPT 0x08
+#define IPT_LOG_OPT_IPOPT 0x10
+#define IPT_LOG_OPT_UID 0x20
+
+static int LOG_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ipt_log_info *loginfo = (struct ipt_log_info *)(*target)->data;
+
+ switch (c) {
+ case '!':
+ if (*flags & IPT_LOG_OPT_LEVEL)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-level twice");
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --log-level");
+
+ loginfo->level = parse_level(optarg);
+ *flags |= IPT_LOG_OPT_LEVEL;
+ break;
+
+ case '#':
+ if (*flags & IPT_LOG_OPT_PREFIX)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-prefix twice");
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --log-prefix");
+
+ if (strlen(optarg) > sizeof(loginfo->prefix) - 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Maximum prefix length %u for --log-prefix",
+ (unsigned int)sizeof(loginfo->prefix) - 1);
+
+ if (strlen(optarg) == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "No prefix specified for --log-prefix");
+
+ if (strlen(optarg) != strlen(strtok(optarg, "\n")))
+ xtables_error(PARAMETER_PROBLEM,
+ "Newlines not allowed in --log-prefix");
+
+ strcpy(loginfo->prefix, optarg);
+ *flags |= IPT_LOG_OPT_PREFIX;
+ break;
+
+ case '1':
+ if (*flags & IPT_LOG_OPT_TCPSEQ)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-tcp-sequence "
+ "twice");
+
+ loginfo->logflags |= IPT_LOG_TCPSEQ;
+ *flags |= IPT_LOG_OPT_TCPSEQ;
+ break;
+
+ case '2':
+ if (*flags & IPT_LOG_OPT_TCPOPT)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-tcp-options twice");
+
+ loginfo->logflags |= IPT_LOG_TCPOPT;
+ *flags |= IPT_LOG_OPT_TCPOPT;
+ break;
+
+ case '3':
+ if (*flags & IPT_LOG_OPT_IPOPT)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-ip-options twice");
+
+ loginfo->logflags |= IPT_LOG_IPOPT;
+ *flags |= IPT_LOG_OPT_IPOPT;
+ break;
+
+ case '4':
+ if (*flags & IPT_LOG_OPT_UID)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --log-uid twice");
+
+ loginfo->logflags |= IPT_LOG_UID;
+ *flags |= IPT_LOG_OPT_UID;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void LOG_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ipt_log_info *loginfo
+ = (const struct ipt_log_info *)target->data;
+ unsigned int i = 0;
+
+ printf("LOG ");
+ if (numeric)
+ printf("flags %u level %u ",
+ loginfo->logflags, loginfo->level);
+ else {
+ for (i = 0; i < ARRAY_SIZE(ipt_log_names); ++i)
+ if (loginfo->level == ipt_log_names[i].level) {
+ printf("level %s ", ipt_log_names[i].name);
+ break;
+ }
+ if (i == ARRAY_SIZE(ipt_log_names))
+ printf("UNKNOWN level %u ", loginfo->level);
+ if (loginfo->logflags & IPT_LOG_TCPSEQ)
+ printf("tcp-sequence ");
+ if (loginfo->logflags & IPT_LOG_TCPOPT)
+ printf("tcp-options ");
+ if (loginfo->logflags & IPT_LOG_IPOPT)
+ printf("ip-options ");
+ if (loginfo->logflags & IPT_LOG_UID)
+ printf("uid ");
+ if (loginfo->logflags & ~(IPT_LOG_MASK))
+ printf("unknown-flags ");
+ }
+
+ if (strcmp(loginfo->prefix, "") != 0)
+ printf("prefix `%s' ", loginfo->prefix);
+}
+
+static void LOG_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ipt_log_info *loginfo
+ = (const struct ipt_log_info *)target->data;
+
+ if (strcmp(loginfo->prefix, "") != 0) {
+ printf("--log-prefix ");
+ xtables_save_string(loginfo->prefix);
+ }
+
+ if (loginfo->level != LOG_DEFAULT_LEVEL)
+ printf("--log-level %d ", loginfo->level);
+
+ if (loginfo->logflags & IPT_LOG_TCPSEQ)
+ printf("--log-tcp-sequence ");
+ if (loginfo->logflags & IPT_LOG_TCPOPT)
+ printf("--log-tcp-options ");
+ if (loginfo->logflags & IPT_LOG_IPOPT)
+ printf("--log-ip-options ");
+ if (loginfo->logflags & IPT_LOG_UID)
+ printf("--log-uid ");
+}
+
+static struct xtables_target log_tg_reg = {
+ .name = "LOG",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_log_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_log_info)),
+ .help = LOG_help,
+ .init = LOG_init,
+ .parse = LOG_parse,
+ .print = LOG_print,
+ .save = LOG_save,
+ .extra_opts = LOG_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&log_tg_reg);
+}
diff --git a/extensions/libipt_LOG.man b/extensions/libipt_LOG.man
new file mode 100644
index 0000000..47c35e0
--- /dev/null
+++ b/extensions/libipt_LOG.man
@@ -0,0 +1,31 @@
+Turn on kernel logging of matching packets. When this option is set
+for a rule, the Linux kernel will print some information on all
+matching packets (like most IP header fields) via the kernel log
+(where it can be read with
+.I dmesg
+or
+.IR syslogd (8)).
+This is a "non-terminating target", i.e. rule traversal continues at
+the next rule. So if you want to LOG the packets you refuse, use two
+separate rules with the same matching criteria, first using target LOG
+then DROP (or REJECT).
+.TP
+\fB\-\-log\-level\fP \fIlevel\fP
+Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+.TP
+\fB\-\-log\-prefix\fP \fIprefix\fP
+Prefix log messages with the specified prefix; up to 29 letters long,
+and useful for distinguishing messages in the logs.
+.TP
+\fB\-\-log\-tcp\-sequence\fP
+Log TCP sequence numbers. This is a security risk if the log is
+readable by users.
+.TP
+\fB\-\-log\-tcp\-options\fP
+Log options from the TCP packet header.
+.TP
+\fB\-\-log\-ip\-options\fP
+Log options from the IP packet header.
+.TP
+\fB\-\-log\-uid\fP
+Log the userid of the process which generated the packet.
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
new file mode 100644
index 0000000..3386ff3
--- /dev/null
+++ b/extensions/libipt_MASQUERADE.c
@@ -0,0 +1,163 @@
+/* Shared library add-on to iptables to add masquerade support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <limits.h> /* INT_MAX in ip_tables.h */
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <net/netfilter/nf_nat.h>
+
+static void MASQUERADE_help(void)
+{
+ printf(
+"MASQUERADE target options:\n"
+" --to-ports <port>[-<port>]\n"
+" Port (range) to map to.\n"
+" --random\n"
+" Randomize source port.\n");
+}
+
+static const struct option MASQUERADE_opts[] = {
+ { "to-ports", 1, NULL, '1' },
+ { "random", 0, NULL, '2' },
+ { .name = NULL }
+};
+
+static void MASQUERADE_init(struct xt_entry_target *t)
+{
+ struct nf_nat_multi_range *mr = (struct nf_nat_multi_range *)t->data;
+
+ /* Actually, it's 0, but it's ignored at the moment. */
+ mr->rangesize = 1;
+
+}
+
+/* Parses ports */
+static void
+parse_ports(const char *arg, struct nf_nat_multi_range *mr)
+{
+ char *end;
+ unsigned int port, maxport;
+
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+
+ if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg);
+
+ switch (*end) {
+ case '\0':
+ mr->range[0].min.tcp.port
+ = mr->range[0].max.tcp.port
+ = htons(port);
+ return;
+ case '-':
+ if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX))
+ break;
+
+ if (maxport < port)
+ break;
+
+ mr->range[0].min.tcp.port = htons(port);
+ mr->range[0].max.tcp.port = htons(maxport);
+ return;
+ default:
+ break;
+ }
+ xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg);
+}
+
+static int MASQUERADE_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *e, struct xt_entry_target **target)
+{
+ const struct ipt_entry *entry = e;
+ int portok;
+ struct nf_nat_multi_range *mr
+ = (struct nf_nat_multi_range *)(*target)->data;
+
+ if (entry->ip.proto == IPPROTO_TCP
+ || entry->ip.proto == IPPROTO_UDP
+ || entry->ip.proto == IPPROTO_SCTP
+ || entry->ip.proto == IPPROTO_DCCP
+ || entry->ip.proto == IPPROTO_ICMP)
+ portok = 1;
+ else
+ portok = 0;
+
+ switch (c) {
+ case '1':
+ if (!portok)
+ xtables_error(PARAMETER_PROBLEM,
+ "Need TCP, UDP, SCTP or DCCP with port specification");
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --to-ports");
+
+ parse_ports(optarg, mr);
+ return 1;
+
+ case '2':
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+static void
+MASQUERADE_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct nf_nat_multi_range *mr = (const void *)target->data;
+ const struct nf_nat_range *r = &mr->range[0];
+
+ if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ printf("masq ports: ");
+ printf("%hu", ntohs(r->min.tcp.port));
+ if (r->max.tcp.port != r->min.tcp.port)
+ printf("-%hu", ntohs(r->max.tcp.port));
+ printf(" ");
+ }
+
+ if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
+}
+
+static void
+MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct nf_nat_multi_range *mr = (const void *)target->data;
+ const struct nf_nat_range *r = &mr->range[0];
+
+ if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ printf("--to-ports %hu", ntohs(r->min.tcp.port));
+ if (r->max.tcp.port != r->min.tcp.port)
+ printf("-%hu", ntohs(r->max.tcp.port));
+ printf(" ");
+ }
+
+ if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
+}
+
+static struct xtables_target masquerade_tg_reg = {
+ .name = "MASQUERADE",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .help = MASQUERADE_help,
+ .init = MASQUERADE_init,
+ .parse = MASQUERADE_parse,
+ .print = MASQUERADE_print,
+ .save = MASQUERADE_save,
+ .extra_opts = MASQUERADE_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&masquerade_tg_reg);
+}
diff --git a/extensions/libipt_MASQUERADE.man b/extensions/libipt_MASQUERADE.man
new file mode 100644
index 0000000..8f42993
--- /dev/null
+++ b/extensions/libipt_MASQUERADE.man
@@ -0,0 +1,30 @@
+This target is only valid in the
+.B nat
+table, in the
+.B POSTROUTING
+chain. It should only be used with dynamically assigned IP (dialup)
+connections: if you have a static IP address, you should use the SNAT
+target. Masquerading is equivalent to specifying a mapping to the IP
+address of the interface the packet is going out, but also has the
+effect that connections are
+.I forgotten
+when the interface goes down. This is the correct behavior when the
+next dialup is unlikely to have the same interface address (and hence
+any established connections are lost anyway). It takes one option:
+.TP
+\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
+This specifies a range of source ports to use, overriding the default
+.B SNAT
+source port-selection heuristics (see above). This is only valid
+if the rule also specifies
+\fB\-p tcp\fP
+or
+\fB\-p udp\fP.
+.TP
+\fB\-\-random\fP
+Randomize source port mapping
+If option
+\fB\-\-random\fP
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP
diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c
new file mode 100644
index 0000000..fb78751
--- /dev/null
+++ b/extensions/libipt_MIRROR.c
@@ -0,0 +1,15 @@
+/* Shared library add-on to iptables to add MIRROR target support. */
+#include <xtables.h>
+
+static struct xtables_target mirror_tg_reg = {
+ .name = "MIRROR",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(0),
+ .userspacesize = XT_ALIGN(0),
+};
+
+void _init(void)
+{
+ xtables_register_target(&mirror_tg_reg);
+}
diff --git a/extensions/libipt_MIRROR.man b/extensions/libipt_MIRROR.man
new file mode 100644
index 0000000..7b720bc
--- /dev/null
+++ b/extensions/libipt_MIRROR.man
@@ -0,0 +1,12 @@
+This is an experimental demonstration target which inverts the source
+and destination fields in the IP header and retransmits the packet.
+It is only valid in the
+.BR INPUT ,
+.B FORWARD
+and
+.B PREROUTING
+chains, and user-defined chains which are only called from those
+chains. Note that the outgoing packets are
+.B NOT
+seen by any packet filtering chains, connection tracking or NAT, to
+avoid loops and other problems.
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
new file mode 100644
index 0000000..b05022b
--- /dev/null
+++ b/extensions/libipt_NETMAP.c
@@ -0,0 +1,182 @@
+/* Shared library add-on to iptables to add static NAT support.
+ Author: Svenning Soerensen <svenning@post5.tele.dk>
+*/
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <net/netfilter/nf_nat.h>
+
+#define MODULENAME "NETMAP"
+
+static const struct option NETMAP_opts[] = {
+ { "to", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static void NETMAP_help(void)
+{
+ printf(MODULENAME" target options:\n"
+ " --%s address[/mask]\n"
+ " Network address to map to.\n\n",
+ NETMAP_opts[0].name);
+}
+
+static u_int32_t
+bits2netmask(int bits)
+{
+ u_int32_t netmask, bm;
+
+ if (bits >= 32 || bits < 0)
+ return(~0);
+ for (netmask = 0, bm = 0x80000000; bits; bits--, bm >>= 1)
+ netmask |= bm;
+ return htonl(netmask);
+}
+
+static int
+netmask2bits(u_int32_t netmask)
+{
+ u_int32_t bm;
+ int bits;
+
+ netmask = ntohl(netmask);
+ for (bits = 0, bm = 0x80000000; netmask & bm; netmask <<= 1)
+ bits++;
+ if (netmask)
+ return -1; /* holes in netmask */
+ return bits;
+}
+
+static void NETMAP_init(struct xt_entry_target *t)
+{
+ struct nf_nat_multi_range *mr = (struct nf_nat_multi_range *)t->data;
+
+ /* Actually, it's 0, but it's ignored at the moment. */
+ mr->rangesize = 1;
+
+}
+
+/* Parses network address */
+static void
+parse_to(char *arg, struct nf_nat_range *range)
+{
+ char *slash;
+ const struct in_addr *ip;
+ u_int32_t netmask;
+ unsigned int bits;
+
+ range->flags |= IP_NAT_RANGE_MAP_IPS;
+ slash = strchr(arg, '/');
+ if (slash)
+ *slash = '\0';
+
+ ip = xtables_numeric_to_ipaddr(arg);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ arg);
+ range->min_ip = ip->s_addr;
+ if (slash) {
+ if (strchr(slash+1, '.')) {
+ ip = xtables_numeric_to_ipmask(slash+1);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad netmask \"%s\"\n",
+ slash+1);
+ netmask = ip->s_addr;
+ }
+ else {
+ if (!xtables_strtoui(slash+1, NULL, &bits, 0, 32))
+ xtables_error(PARAMETER_PROBLEM, "Bad netmask \"%s\"\n",
+ slash+1);
+ netmask = bits2netmask(bits);
+ }
+ /* Don't allow /0 (/1 is probably insane, too) */
+ if (netmask == 0)
+ xtables_error(PARAMETER_PROBLEM, "Netmask needed\n");
+ }
+ else
+ netmask = ~0;
+
+ if (range->min_ip & ~netmask) {
+ if (slash)
+ *slash = '/';
+ xtables_error(PARAMETER_PROBLEM, "Bad network address \"%s\"\n",
+ arg);
+ }
+ range->max_ip = range->min_ip | ~netmask;
+}
+
+static int NETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct nf_nat_multi_range *mr
+ = (struct nf_nat_multi_range *)(*target)->data;
+
+ switch (c) {
+ case '1':
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --%s", NETMAP_opts[0].name);
+
+ parse_to(optarg, &mr->range[0]);
+ *flags = 1;
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+static void NETMAP_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ MODULENAME" needs --%s", NETMAP_opts[0].name);
+}
+
+static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct nf_nat_multi_range *mr = (const void *)target->data;
+ const struct nf_nat_range *r = &mr->range[0];
+ struct in_addr a;
+ int bits;
+
+ a.s_addr = r->min_ip;
+ printf("%s", xtables_ipaddr_to_numeric(&a));
+ a.s_addr = ~(r->min_ip ^ r->max_ip);
+ bits = netmask2bits(a.s_addr);
+ if (bits < 0)
+ printf("/%s", xtables_ipaddr_to_numeric(&a));
+ else
+ printf("/%d", bits);
+}
+
+static void NETMAP_save(const void *ip, const struct xt_entry_target *target)
+{
+ printf("--%s ", NETMAP_opts[0].name);
+ NETMAP_print(ip, target, 0);
+}
+
+static struct xtables_target netmap_tg_reg = {
+ .name = MODULENAME,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .help = NETMAP_help,
+ .init = NETMAP_init,
+ .parse = NETMAP_parse,
+ .final_check = NETMAP_check,
+ .print = NETMAP_print,
+ .save = NETMAP_save,
+ .extra_opts = NETMAP_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&netmap_tg_reg);
+}
diff --git a/extensions/libipt_NETMAP.man b/extensions/libipt_NETMAP.man
new file mode 100644
index 0000000..a7e90b8
--- /dev/null
+++ b/extensions/libipt_NETMAP.man
@@ -0,0 +1,9 @@
+This target allows you to statically map a whole network of addresses onto
+another network of addresses. It can only be used from rules in the
+.B nat
+table.
+.TP
+\fB\-\-to\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+Network address to map to. The resulting address will be constructed in the
+following way: All 'one' bits in the mask are filled in from the new `address'.
+All bits that are zero in the mask are filled in from the original address.
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
new file mode 100644
index 0000000..324d0eb
--- /dev/null
+++ b/extensions/libipt_REDIRECT.c
@@ -0,0 +1,171 @@
+/* Shared library add-on to iptables to add redirect support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <limits.h> /* INT_MAX in ip_tables.h */
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <net/netfilter/nf_nat.h>
+
+#define IPT_REDIRECT_OPT_DEST 0x01
+#define IPT_REDIRECT_OPT_RANDOM 0x02
+
+static void REDIRECT_help(void)
+{
+ printf(
+"REDIRECT target options:\n"
+" --to-ports <port>[-<port>]\n"
+" Port (range) to map to.\n"
+" [--random]\n");
+}
+
+static const struct option REDIRECT_opts[] = {
+ { "to-ports", 1, NULL, '1' },
+ { "random", 0, NULL, '2' },
+ { .name = NULL }
+};
+
+static void REDIRECT_init(struct xt_entry_target *t)
+{
+ struct nf_nat_multi_range *mr = (struct nf_nat_multi_range *)t->data;
+
+ /* Actually, it's 0, but it's ignored at the moment. */
+ mr->rangesize = 1;
+
+}
+
+/* Parses ports */
+static void
+parse_ports(const char *arg, struct nf_nat_multi_range *mr)
+{
+ char *end;
+ unsigned int port, maxport;
+
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+
+ if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX) &&
+ (port = xtables_service_to_port(arg, NULL)) == (unsigned)-1)
+ xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg);
+
+ switch (*end) {
+ case '\0':
+ mr->range[0].min.tcp.port
+ = mr->range[0].max.tcp.port
+ = htons(port);
+ return;
+ case '-':
+ if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX) &&
+ (maxport = xtables_service_to_port(end + 1, NULL)) == (unsigned)-1)
+ break;
+
+ if (maxport < port)
+ break;
+
+ mr->range[0].min.tcp.port = htons(port);
+ mr->range[0].max.tcp.port = htons(maxport);
+ return;
+ default:
+ break;
+ }
+ xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg);
+}
+
+static int REDIRECT_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *e, struct xt_entry_target **target)
+{
+ const struct ipt_entry *entry = e;
+ struct nf_nat_multi_range *mr
+ = (struct nf_nat_multi_range *)(*target)->data;
+ int portok;
+
+ if (entry->ip.proto == IPPROTO_TCP
+ || entry->ip.proto == IPPROTO_UDP
+ || entry->ip.proto == IPPROTO_SCTP
+ || entry->ip.proto == IPPROTO_DCCP
+ || entry->ip.proto == IPPROTO_ICMP)
+ portok = 1;
+ else
+ portok = 0;
+
+ switch (c) {
+ case '1':
+ if (!portok)
+ xtables_error(PARAMETER_PROBLEM,
+ "Need TCP, UDP, SCTP or DCCP with port specification");
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --to-ports");
+
+ parse_ports(optarg, mr);
+ if (*flags & IPT_REDIRECT_OPT_RANDOM)
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_REDIRECT_OPT_DEST;
+ return 1;
+
+ case '2':
+ if (*flags & IPT_REDIRECT_OPT_DEST) {
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_REDIRECT_OPT_RANDOM;
+ } else
+ *flags |= IPT_REDIRECT_OPT_RANDOM;
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+static void REDIRECT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct nf_nat_multi_range *mr = (const void *)target->data;
+ const struct nf_nat_range *r = &mr->range[0];
+
+ if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ printf("redir ports ");
+ printf("%hu", ntohs(r->min.tcp.port));
+ if (r->max.tcp.port != r->min.tcp.port)
+ printf("-%hu", ntohs(r->max.tcp.port));
+ printf(" ");
+ if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
+ }
+}
+
+static void REDIRECT_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct nf_nat_multi_range *mr = (const void *)target->data;
+ const struct nf_nat_range *r = &mr->range[0];
+
+ if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ printf("--to-ports ");
+ printf("%hu", ntohs(r->min.tcp.port));
+ if (r->max.tcp.port != r->min.tcp.port)
+ printf("-%hu", ntohs(r->max.tcp.port));
+ printf(" ");
+ if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
+ }
+}
+
+static struct xtables_target redirect_tg_reg = {
+ .name = "REDIRECT",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .help = REDIRECT_help,
+ .init = REDIRECT_init,
+ .parse = REDIRECT_parse,
+ .print = REDIRECT_print,
+ .save = REDIRECT_save,
+ .extra_opts = REDIRECT_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&redirect_tg_reg);
+}
diff --git a/extensions/libipt_REDIRECT.man b/extensions/libipt_REDIRECT.man
new file mode 100644
index 0000000..90ab19d
--- /dev/null
+++ b/extensions/libipt_REDIRECT.man
@@ -0,0 +1,25 @@
+This target is only valid in the
+.B nat
+table, in the
+.B PREROUTING
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. It redirects the packet to the machine itself by changing the
+destination IP to the primary address of the incoming interface
+(locally-generated packets are mapped to the 127.0.0.1 address).
+.TP
+\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
+This specifies a destination port or range of ports to use: without
+this, the destination port is never altered. This is only valid
+if the rule also specifies
+\fB\-p tcp\fP
+or
+\fB\-p udp\fP.
+.TP
+\fB\-\-random\fP
+If option
+\fB\-\-random\fP
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
new file mode 100644
index 0000000..85d9e53
--- /dev/null
+++ b/extensions/libipt_REJECT.c
@@ -0,0 +1,167 @@
+/* Shared library add-on to iptables to add customized REJECT support.
+ *
+ * (C) 2000 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <linux/version.h>
+
+/* If we are compiling against a kernel that does not support
+ * IPT_ICMP_ADMIN_PROHIBITED, we are emulating it.
+ * The result will be a plain DROP of the packet instead of
+ * reject. -- Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ */
+#ifndef IPT_ICMP_ADMIN_PROHIBITED
+#define IPT_ICMP_ADMIN_PROHIBITED IPT_TCP_RESET + 1
+#endif
+
+struct reject_names {
+ const char *name;
+ const char *alias;
+ enum ipt_reject_with with;
+ const char *desc;
+};
+
+static const struct reject_names reject_table[] = {
+ {"icmp-net-unreachable", "net-unreach",
+ IPT_ICMP_NET_UNREACHABLE, "ICMP network unreachable"},
+ {"icmp-host-unreachable", "host-unreach",
+ IPT_ICMP_HOST_UNREACHABLE, "ICMP host unreachable"},
+ {"icmp-proto-unreachable", "proto-unreach",
+ IPT_ICMP_PROT_UNREACHABLE, "ICMP protocol unreachable"},
+ {"icmp-port-unreachable", "port-unreach",
+ IPT_ICMP_PORT_UNREACHABLE, "ICMP port unreachable (default)"},
+#if 0
+ {"echo-reply", "echoreply",
+ IPT_ICMP_ECHOREPLY, "for ICMP echo only: faked ICMP echo reply"},
+#endif
+ {"icmp-net-prohibited", "net-prohib",
+ IPT_ICMP_NET_PROHIBITED, "ICMP network prohibited"},
+ {"icmp-host-prohibited", "host-prohib",
+ IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
+ {"tcp-reset", "tcp-rst",
+ IPT_TCP_RESET, "TCP RST packet"},
+ {"icmp-admin-prohibited", "admin-prohib",
+ IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
+};
+
+static void
+print_reject_types(void)
+{
+ unsigned int i;
+
+ printf("Valid reject types:\n");
+
+ for (i = 0; i < ARRAY_SIZE(reject_table); ++i) {
+ printf(" %-25s\t%s\n", reject_table[i].name, reject_table[i].desc);
+ printf(" %-25s\talias\n", reject_table[i].alias);
+ }
+ printf("\n");
+}
+
+static void REJECT_help(void)
+{
+ printf(
+"REJECT target options:\n"
+"--reject-with type drop input packet and send back\n"
+" a reply packet according to type:\n");
+
+ print_reject_types();
+
+ printf("(*) See man page or read the INCOMPATIBILITES file for compatibility issues.\n");
+}
+
+static const struct option REJECT_opts[] = {
+ { "reject-with", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static void REJECT_init(struct xt_entry_target *t)
+{
+ struct ipt_reject_info *reject = (struct ipt_reject_info *)t->data;
+
+ /* default */
+ reject->with = IPT_ICMP_PORT_UNREACHABLE;
+
+}
+
+static int REJECT_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ipt_reject_info *reject = (struct ipt_reject_info *)(*target)->data;
+ static const unsigned int limit = ARRAY_SIZE(reject_table);
+ unsigned int i;
+
+ switch(c) {
+ case '1':
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --reject-with");
+ for (i = 0; i < limit; i++) {
+ if ((strncasecmp(reject_table[i].name, optarg, strlen(optarg)) == 0)
+ || (strncasecmp(reject_table[i].alias, optarg, strlen(optarg)) == 0)) {
+ reject->with = reject_table[i].with;
+ return 1;
+ }
+ }
+ /* This due to be dropped late in 2.4 pre-release cycle --RR */
+ if (strncasecmp("echo-reply", optarg, strlen(optarg)) == 0
+ || strncasecmp("echoreply", optarg, strlen(optarg)) == 0)
+ fprintf(stderr, "--reject-with echo-reply no longer"
+ " supported\n");
+ xtables_error(PARAMETER_PROBLEM, "unknown reject type \"%s\"", optarg);
+ default:
+ /* Fall through */
+ break;
+ }
+ return 0;
+}
+
+static void REJECT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ipt_reject_info *reject
+ = (const struct ipt_reject_info *)target->data;
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
+ if (reject_table[i].with == reject->with)
+ break;
+ printf("reject-with %s ", reject_table[i].name);
+}
+
+static void REJECT_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ipt_reject_info *reject
+ = (const struct ipt_reject_info *)target->data;
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
+ if (reject_table[i].with == reject->with)
+ break;
+
+ printf("--reject-with %s ", reject_table[i].name);
+}
+
+static struct xtables_target reject_tg_reg = {
+ .name = "REJECT",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_reject_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_reject_info)),
+ .help = REJECT_help,
+ .init = REJECT_init,
+ .parse = REJECT_parse,
+ .print = REJECT_print,
+ .save = REJECT_save,
+ .extra_opts = REJECT_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&reject_tg_reg);
+}
diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man
new file mode 100644
index 0000000..c419a85
--- /dev/null
+++ b/extensions/libipt_REJECT.man
@@ -0,0 +1,32 @@
+This is used to send back an error packet in response to the matched
+packet: otherwise it is equivalent to
+.B DROP
+so it is a terminating TARGET, ending rule traversal.
+This target is only valid in the
+.BR INPUT ,
+.B FORWARD
+and
+.B OUTPUT
+chains, and user-defined chains which are only called from those
+chains. The following option controls the nature of the error packet
+returned:
+.TP
+\fB\-\-reject\-with\fP \fItype\fP
+The type given can be
+\fBicmp\-net\-unreachable\fP,
+\fBicmp\-host\-unreachable\fP,
+\fBicmp\-port\-unreachable\fP,
+\fBicmp\-proto\-unreachable\fP,
+\fBicmp\-net\-prohibited\fP,
+\fBicmp\-host\-prohibited\fP or
+\fBicmp\-admin\-prohibited\fP (*)
+which return the appropriate ICMP error message (\fBport\-unreachable\fP is
+the default). The option
+\fBtcp\-reset\fP
+can be used on rules which only match the TCP protocol: this causes a
+TCP RST packet to be sent back. This is mainly useful for blocking
+.I ident
+(113/tcp) probes which frequently occur when sending mail to broken mail
+hosts (which won't accept your mail otherwise).
+.PP
+(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
new file mode 100644
index 0000000..ed02ef9
--- /dev/null
+++ b/extensions/libipt_SAME.c
@@ -0,0 +1,217 @@
+/* Shared library add-on to iptables to add simple non load-balancing SNAT support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <net/netfilter/nf_nat.h>
+/* For 64bit kernel / 32bit userspace */
+#include <linux/netfilter_ipv4/ipt_SAME.h>
+
+static void SAME_help(void)
+{
+ printf(
+"SAME target options:\n"
+" --to <ipaddr>-<ipaddr>\n"
+" Addresses to map source to.\n"
+" May be specified more than\n"
+" once for multiple ranges.\n"
+" --nodst\n"
+" Don't use destination-ip in\n"
+" source selection\n"
+" --random\n"
+" Randomize source port\n");
+}
+
+static const struct option SAME_opts[] = {
+ { "to", 1, NULL, '1' },
+ { "nodst", 0, NULL, '2'},
+ { "random", 0, NULL, '3' },
+ { .name = NULL }
+};
+
+static void SAME_init(struct xt_entry_target *t)
+{
+ struct ipt_same_info *mr = (struct ipt_same_info *)t->data;
+
+ /* Set default to 0 */
+ mr->rangesize = 0;
+ mr->info = 0;
+ mr->ipnum = 0;
+
+}
+
+/* Parses range of IPs */
+static void
+parse_to(char *arg, struct nf_nat_range *range)
+{
+ char *dash;
+ const struct in_addr *ip;
+
+ range->flags |= IP_NAT_RANGE_MAP_IPS;
+ dash = strchr(arg, '-');
+
+ if (dash)
+ *dash = '\0';
+
+ ip = xtables_numeric_to_ipaddr(arg);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ arg);
+ range->min_ip = ip->s_addr;
+
+ if (dash) {
+ ip = xtables_numeric_to_ipaddr(dash+1);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ dash+1);
+ }
+ range->max_ip = ip->s_addr;
+ if (dash)
+ if (range->min_ip > range->max_ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP range \"%s-%s\"\n",
+ arg, dash+1);
+}
+
+#define IPT_SAME_OPT_TO 0x01
+#define IPT_SAME_OPT_NODST 0x02
+#define IPT_SAME_OPT_RANDOM 0x04
+
+static int SAME_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ipt_same_info *mr
+ = (struct ipt_same_info *)(*target)->data;
+ unsigned int count;
+
+ switch (c) {
+ case '1':
+ if (mr->rangesize == IPT_SAME_MAX_RANGE)
+ xtables_error(PARAMETER_PROBLEM,
+ "Too many ranges specified, maximum "
+ "is %i ranges.\n",
+ IPT_SAME_MAX_RANGE);
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --to");
+
+ parse_to(optarg, &mr->range[mr->rangesize]);
+ /* WTF do we need this for? */
+ if (*flags & IPT_SAME_OPT_RANDOM)
+ mr->range[mr->rangesize].flags
+ |= IP_NAT_RANGE_PROTO_RANDOM;
+ mr->rangesize++;
+ *flags |= IPT_SAME_OPT_TO;
+ break;
+
+ case '2':
+ if (*flags & IPT_SAME_OPT_NODST)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --nodst twice");
+
+ mr->info |= IPT_SAME_NODST;
+ *flags |= IPT_SAME_OPT_NODST;
+ break;
+
+ case '3':
+ *flags |= IPT_SAME_OPT_RANDOM;
+ for (count=0; count < mr->rangesize; count++)
+ mr->range[count].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void SAME_check(unsigned int flags)
+{
+ if (!(flags & IPT_SAME_OPT_TO))
+ xtables_error(PARAMETER_PROBLEM,
+ "SAME needs --to");
+}
+
+static void SAME_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ unsigned int count;
+ const struct ipt_same_info *mr = (const void *)target->data;
+ int random_selection = 0;
+
+ printf("same:");
+
+ for (count = 0; count < mr->rangesize; count++) {
+ const struct nf_nat_range *r = &mr->range[count];
+ struct in_addr a;
+
+ a.s_addr = r->min_ip;
+
+ printf("%s", xtables_ipaddr_to_numeric(&a));
+ a.s_addr = r->max_ip;
+
+ if (r->min_ip == r->max_ip)
+ printf(" ");
+ else
+ printf("-%s ", xtables_ipaddr_to_numeric(&a));
+ if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
+ random_selection = 1;
+ }
+
+ if (mr->info & IPT_SAME_NODST)
+ printf("nodst ");
+
+ if (random_selection)
+ printf("random ");
+}
+
+static void SAME_save(const void *ip, const struct xt_entry_target *target)
+{
+ unsigned int count;
+ const struct ipt_same_info *mr = (const void *)target->data;
+ int random_selection = 0;
+
+ for (count = 0; count < mr->rangesize; count++) {
+ const struct nf_nat_range *r = &mr->range[count];
+ struct in_addr a;
+
+ a.s_addr = r->min_ip;
+ printf("--to %s", xtables_ipaddr_to_numeric(&a));
+ a.s_addr = r->max_ip;
+
+ if (r->min_ip == r->max_ip)
+ printf(" ");
+ else
+ printf("-%s ", xtables_ipaddr_to_numeric(&a));
+ if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
+ random_selection = 1;
+ }
+
+ if (mr->info & IPT_SAME_NODST)
+ printf("--nodst ");
+
+ if (random_selection)
+ printf("--random ");
+}
+
+static struct xtables_target same_tg_reg = {
+ .name = "SAME",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_same_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_same_info)),
+ .help = SAME_help,
+ .init = SAME_init,
+ .parse = SAME_parse,
+ .final_check = SAME_check,
+ .print = SAME_print,
+ .save = SAME_save,
+ .extra_opts = SAME_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&same_tg_reg);
+}
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
new file mode 100644
index 0000000..a99dc73
--- /dev/null
+++ b/extensions/libipt_SAME.man
@@ -0,0 +1,17 @@
+Similar to SNAT/DNAT depending on chain: it takes a range of addresses
+(`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same
+source-/destination-address for each connection.
+.PP
+N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target.
+.TP
+\fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP]
+Addresses to map source to. May be specified more than once for
+multiple ranges.
+.TP
+\fB\-\-nodst\fP
+Don't use the destination-ip in the calculations when selecting the
+new source-ip
+.TP
+\fB\-\-random\fP
+Port mapping will be forcibly randomized to avoid attacks based on
+port prediction (kernel >= 2.6.21).
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
new file mode 100644
index 0000000..f7c93d8
--- /dev/null
+++ b/extensions/libipt_SNAT.c
@@ -0,0 +1,269 @@
+/* Shared library add-on to iptables to add source-NAT support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <iptables.h>
+#include <limits.h> /* INT_MAX in ip_tables.h */
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <net/netfilter/nf_nat.h>
+
+#define IPT_SNAT_OPT_SOURCE 0x01
+#define IPT_SNAT_OPT_RANDOM 0x02
+
+/* Source NAT data consists of a multi-range, indicating where to map
+ to. */
+struct ipt_natinfo
+{
+ struct xt_entry_target t;
+ struct nf_nat_multi_range mr;
+};
+
+static void SNAT_help(void)
+{
+ printf(
+"SNAT target options:\n"
+" --to-source <ipaddr>[-<ipaddr>][:port-port]\n"
+" Address to map source to.\n"
+"[--random] [--persistent]\n");
+}
+
+static const struct option SNAT_opts[] = {
+ { "to-source", 1, NULL, '1' },
+ { "random", 0, NULL, '2' },
+ { "persistent", 0, NULL, '3' },
+ { .name = NULL }
+};
+
+static struct ipt_natinfo *
+append_range(struct ipt_natinfo *info, const struct nf_nat_range *range)
+{
+ unsigned int size;
+
+ /* One rangesize already in struct ipt_natinfo */
+ size = XT_ALIGN(sizeof(*info) + info->mr.rangesize * sizeof(*range));
+
+ info = realloc(info, size);
+ if (!info)
+ xtables_error(OTHER_PROBLEM, "Out of memory\n");
+
+ info->t.u.target_size = size;
+ info->mr.range[info->mr.rangesize] = *range;
+ info->mr.rangesize++;
+
+ return info;
+}
+
+/* Ranges expected in network order. */
+static struct xt_entry_target *
+parse_to(char *arg, int portok, struct ipt_natinfo *info)
+{
+ struct nf_nat_range range;
+ char *colon, *dash, *error;
+ const struct in_addr *ip;
+
+ memset(&range, 0, sizeof(range));
+ colon = strchr(arg, ':');
+
+ if (colon) {
+ int port;
+
+ if (!portok)
+ xtables_error(PARAMETER_PROBLEM,
+ "Need TCP, UDP, SCTP or DCCP with port specification");
+
+ range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+
+ port = atoi(colon+1);
+ if (port <= 0 || port > 65535)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", colon+1);
+
+ error = strchr(colon+1, ':');
+ if (error)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid port:port syntax - use dash\n");
+
+ dash = strchr(colon, '-');
+ if (!dash) {
+ range.min.tcp.port
+ = range.max.tcp.port
+ = htons(port);
+ } else {
+ int maxport;
+
+ maxport = atoi(dash + 1);
+ if (maxport <= 0 || maxport > 65535)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", dash+1);
+ if (maxport < port)
+ /* People are stupid. */
+ xtables_error(PARAMETER_PROBLEM,
+ "Port range `%s' funky\n", colon+1);
+ range.min.tcp.port = htons(port);
+ range.max.tcp.port = htons(maxport);
+ }
+ /* Starts with a colon? No IP info...*/
+ if (colon == arg)
+ return &(append_range(info, &range)->t);
+ *colon = '\0';
+ }
+
+ range.flags |= IP_NAT_RANGE_MAP_IPS;
+ dash = strchr(arg, '-');
+ if (colon && dash && dash > colon)
+ dash = NULL;
+
+ if (dash)
+ *dash = '\0';
+
+ ip = xtables_numeric_to_ipaddr(arg);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ arg);
+ range.min_ip = ip->s_addr;
+ if (dash) {
+ ip = xtables_numeric_to_ipaddr(dash+1);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ dash+1);
+ range.max_ip = ip->s_addr;
+ } else
+ range.max_ip = range.min_ip;
+
+ return &(append_range(info, &range)->t);
+}
+
+static int SNAT_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *e, struct xt_entry_target **target)
+{
+ const struct ipt_entry *entry = e;
+ struct ipt_natinfo *info = (void *)*target;
+ int portok;
+
+ if (entry->ip.proto == IPPROTO_TCP
+ || entry->ip.proto == IPPROTO_UDP
+ || entry->ip.proto == IPPROTO_SCTP
+ || entry->ip.proto == IPPROTO_DCCP
+ || entry->ip.proto == IPPROTO_ICMP)
+ portok = 1;
+ else
+ portok = 0;
+
+ switch (c) {
+ case '1':
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --to-source");
+
+ if (*flags & IPT_SNAT_OPT_SOURCE) {
+ if (!kernel_version)
+ get_kernel_version();
+ if (kernel_version > LINUX_VERSION(2, 6, 10))
+ xtables_error(PARAMETER_PROBLEM,
+ "Multiple --to-source not supported");
+ }
+ *target = parse_to(optarg, portok, info);
+ /* WTF do we need this for?? */
+ if (*flags & IPT_SNAT_OPT_RANDOM)
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_SNAT_OPT_SOURCE;
+ return 1;
+
+ case '2':
+ if (*flags & IPT_SNAT_OPT_SOURCE) {
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_SNAT_OPT_RANDOM;
+ } else
+ *flags |= IPT_SNAT_OPT_RANDOM;
+ return 1;
+
+ case '3':
+ info->mr.range[0].flags |= IP_NAT_RANGE_PERSISTENT;
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+static void SNAT_check(unsigned int flags)
+{
+ if (!(flags & IPT_SNAT_OPT_SOURCE))
+ xtables_error(PARAMETER_PROBLEM,
+ "You must specify --to-source");
+}
+
+static void print_range(const struct nf_nat_range *r)
+{
+ if (r->flags & IP_NAT_RANGE_MAP_IPS) {
+ struct in_addr a;
+
+ a.s_addr = r->min_ip;
+ printf("%s", xtables_ipaddr_to_numeric(&a));
+ if (r->max_ip != r->min_ip) {
+ a.s_addr = r->max_ip;
+ printf("-%s", xtables_ipaddr_to_numeric(&a));
+ }
+ }
+ if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ printf(":");
+ printf("%hu", ntohs(r->min.tcp.port));
+ if (r->max.tcp.port != r->min.tcp.port)
+ printf("-%hu", ntohs(r->max.tcp.port));
+ }
+}
+
+static void SNAT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ipt_natinfo *info = (const void *)target;
+ unsigned int i = 0;
+
+ printf("to:");
+ for (i = 0; i < info->mr.rangesize; i++) {
+ print_range(&info->mr.range[i]);
+ printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT)
+ printf("persistent ");
+ }
+}
+
+static void SNAT_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ipt_natinfo *info = (const void *)target;
+ unsigned int i = 0;
+
+ for (i = 0; i < info->mr.rangesize; i++) {
+ printf("--to-source ");
+ print_range(&info->mr.range[i]);
+ printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT)
+ printf("--persistent ");
+ }
+}
+
+static struct xtables_target snat_tg_reg = {
+ .name = "SNAT",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .help = SNAT_help,
+ .parse = SNAT_parse,
+ .final_check = SNAT_check,
+ .print = SNAT_print,
+ .save = SNAT_save,
+ .extra_opts = SNAT_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&snat_tg_reg);
+}
diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man
new file mode 100644
index 0000000..6b828fd
--- /dev/null
+++ b/extensions/libipt_SNAT.man
@@ -0,0 +1,37 @@
+This target is only valid in the
+.B nat
+table, in the
+.B POSTROUTING
+chain. It specifies that the source address of the packet should be
+modified (and all future packets in this connection will also be
+mangled), and rules should cease being examined. It takes one type
+of option:
+.TP
+\fB\-\-to\-source\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
+which can specify a single new source IP address, an inclusive range
+of IP addresses, and optionally, a port range (which is only valid if
+the rule also specifies
+\fB\-p tcp\fP
+or
+\fB\-p udp\fP).
+If no port range is specified, then source ports below 512 will be
+mapped to other ports below 512: those between 512 and 1023 inclusive
+will be mapped to ports below 1024, and other ports will be mapped to
+1024 or above. Where possible, no port alteration will
+
+In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those
+kernels, if you specify more than one source address, either via an address
+range or multiple \-\-to\-source options, a simple round-robin (one after another
+in cycle) takes place between these addresses.
+Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
+anymore.
+.TP
+\fB\-\-random\fP
+If option
+\fB\-\-random\fP
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.TP
+\fB\-\-persistent\fP
+Gives a client the same source-/destination-address for each connection.
+This supersedes the SAME target. Support for persistent mappings is available
+from 2.6.29-rc2.
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c
new file mode 100644
index 0000000..4db9bbe
--- /dev/null
+++ b/extensions/libipt_TTL.c
@@ -0,0 +1,157 @@
+/* Shared library add-on to iptables for the TTL target
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org>
+ *
+ * $Id$
+ *
+ * This program is distributed under the terms of GNU GPL
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+
+#include <linux/netfilter_ipv4/ipt_TTL.h>
+
+#define IPT_TTL_USED 1
+
+static void TTL_help(void)
+{
+ printf(
+"TTL target options\n"
+" --ttl-set value Set TTL to <value 0-255>\n"
+" --ttl-dec value Decrement TTL by <value 1-255>\n"
+" --ttl-inc value Increment TTL by <value 1-255>\n");
+}
+
+static int TTL_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ipt_TTL_info *info = (struct ipt_TTL_info *) (*target)->data;
+ unsigned int value;
+
+ if (*flags & IPT_TTL_USED) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify TTL option twice");
+ }
+
+ if (!optarg)
+ xtables_error(PARAMETER_PROBLEM,
+ "TTL: You must specify a value");
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "TTL: unexpected `!'");
+
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "TTL: Expected value between 0 and 255");
+
+ switch (c) {
+
+ case '1':
+ info->mode = IPT_TTL_SET;
+ break;
+
+ case '2':
+ if (value == 0) {
+ xtables_error(PARAMETER_PROBLEM,
+ "TTL: decreasing by 0?");
+ }
+
+ info->mode = IPT_TTL_DEC;
+ break;
+
+ case '3':
+ if (value == 0) {
+ xtables_error(PARAMETER_PROBLEM,
+ "TTL: increasing by 0?");
+ }
+
+ info->mode = IPT_TTL_INC;
+ break;
+
+ default:
+ return 0;
+
+ }
+
+ info->ttl = value;
+ *flags |= IPT_TTL_USED;
+
+ return 1;
+}
+
+static void TTL_check(unsigned int flags)
+{
+ if (!(flags & IPT_TTL_USED))
+ xtables_error(PARAMETER_PROBLEM,
+ "TTL: You must specify an action");
+}
+
+static void TTL_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ipt_TTL_info *info =
+ (struct ipt_TTL_info *) target->data;
+
+ switch (info->mode) {
+ case IPT_TTL_SET:
+ printf("--ttl-set ");
+ break;
+ case IPT_TTL_DEC:
+ printf("--ttl-dec ");
+ break;
+
+ case IPT_TTL_INC:
+ printf("--ttl-inc ");
+ break;
+ }
+ printf("%u ", info->ttl);
+}
+
+static void TTL_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ipt_TTL_info *info =
+ (struct ipt_TTL_info *) target->data;
+
+ printf("TTL ");
+ switch (info->mode) {
+ case IPT_TTL_SET:
+ printf("set to ");
+ break;
+ case IPT_TTL_DEC:
+ printf("decrement by ");
+ break;
+ case IPT_TTL_INC:
+ printf("increment by ");
+ break;
+ }
+ printf("%u ", info->ttl);
+}
+
+static const struct option TTL_opts[] = {
+ { "ttl-set", 1, NULL, '1' },
+ { "ttl-dec", 1, NULL, '2' },
+ { "ttl-inc", 1, NULL, '3' },
+ { .name = NULL }
+};
+
+static struct xtables_target ttl_tg_reg = {
+ .name = "TTL",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_TTL_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_TTL_info)),
+ .help = TTL_help,
+ .parse = TTL_parse,
+ .final_check = TTL_check,
+ .print = TTL_print,
+ .save = TTL_save,
+ .extra_opts = TTL_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&ttl_tg_reg);
+}
diff --git a/extensions/libipt_TTL.man b/extensions/libipt_TTL.man
new file mode 100644
index 0000000..89fc18f
--- /dev/null
+++ b/extensions/libipt_TTL.man
@@ -0,0 +1,19 @@
+This is used to modify the IPv4 TTL header field. The TTL field determines
+how many hops (routers) a packet can traverse until it's time to live is
+exceeded.
+.PP
+Setting or incrementing the TTL field can potentially be very dangerous,
+so it should be avoided at any cost.
+.PP
+.B Don't ever set or increment the value on packets that leave your local network!
+.B mangle
+table.
+.TP
+\fB\-\-ttl\-set\fP \fIvalue\fP
+Set the TTL value to `value'.
+.TP
+\fB\-\-ttl\-dec\fP \fIvalue\fP
+Decrement the TTL value `value' times.
+.TP
+\fB\-\-ttl\-inc\fP \fIvalue\fP
+Increment the TTL value `value' times.
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
new file mode 100644
index 0000000..4d009b7
--- /dev/null
+++ b/extensions/libipt_ULOG.c
@@ -0,0 +1,198 @@
+/* Shared library add-on to iptables to add ULOG support.
+ *
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org>
+ *
+ * multipart netlink support based on ideas by Sebastian Zander
+ * <zander@fokus.gmd.de>
+ *
+ * This software is released under the terms of GNU GPL
+ *
+ * libipt_ULOG.c,v 1.7 2001/01/30 11:55:02 laforge Exp
+ */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <xtables.h>
+/* For 64bit kernel / 32bit userspace */
+#include <linux/netfilter_ipv4/ipt_ULOG.h>
+
+
+static void print_groups(unsigned int gmask)
+{
+ int b;
+ unsigned int test;
+
+ for (b = 31; b >= 0; b--) {
+ test = (1 << b);
+ if (gmask & test)
+ printf("%d ", b + 1);
+ }
+}
+
+static void ULOG_help(void)
+{
+ printf("ULOG target options:\n"
+ " --ulog-nlgroup nlgroup NETLINK group used for logging\n"
+ " --ulog-cprange size Bytes of each packet to be passed\n"
+ " --ulog-qthreshold Threshold of in-kernel queue\n"
+ " --ulog-prefix prefix Prefix log messages with this prefix.\n");
+}
+
+static const struct option ULOG_opts[] = {
+ {"ulog-nlgroup", 1, NULL, '!'},
+ {"ulog-prefix", 1, NULL, '#'},
+ {"ulog-cprange", 1, NULL, 'A'},
+ {"ulog-qthreshold", 1, NULL, 'B'},
+ { .name = NULL }
+};
+
+static void ULOG_init(struct xt_entry_target *t)
+{
+ struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) t->data;
+
+ loginfo->nl_group = ULOG_DEFAULT_NLGROUP;
+ loginfo->qthreshold = ULOG_DEFAULT_QTHRESHOLD;
+
+}
+
+#define IPT_LOG_OPT_NLGROUP 0x01
+#define IPT_LOG_OPT_PREFIX 0x02
+#define IPT_LOG_OPT_CPRANGE 0x04
+#define IPT_LOG_OPT_QTHRESHOLD 0x08
+
+static int ULOG_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ipt_ulog_info *loginfo =
+ (struct ipt_ulog_info *) (*target)->data;
+ int group_d;
+
+ switch (c) {
+ case '!':
+ if (*flags & IPT_LOG_OPT_NLGROUP)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --ulog-nlgroup twice");
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --ulog-nlgroup");
+ group_d = atoi(optarg);
+ if (group_d > 32 || group_d < 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "--ulog-nlgroup has to be between 1 and 32");
+
+ loginfo->nl_group = (1 << (group_d - 1));
+
+ *flags |= IPT_LOG_OPT_NLGROUP;
+ break;
+
+ case '#':
+ if (*flags & IPT_LOG_OPT_PREFIX)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --ulog-prefix twice");
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --ulog-prefix");
+
+ if (strlen(optarg) > sizeof(loginfo->prefix) - 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Maximum prefix length %u for --ulog-prefix",
+ (unsigned int)sizeof(loginfo->prefix) - 1);
+
+ if (strlen(optarg) == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "No prefix specified for --ulog-prefix");
+
+ if (strlen(optarg) != strlen(strtok(optarg, "\n")))
+ xtables_error(PARAMETER_PROBLEM,
+ "Newlines not allowed in --ulog-prefix");
+
+ strcpy(loginfo->prefix, optarg);
+ *flags |= IPT_LOG_OPT_PREFIX;
+ break;
+ case 'A':
+ if (*flags & IPT_LOG_OPT_CPRANGE)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --ulog-cprange twice");
+ if (atoi(optarg) < 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "Negative copy range?");
+ loginfo->copy_range = atoi(optarg);
+ *flags |= IPT_LOG_OPT_CPRANGE;
+ break;
+ case 'B':
+ if (*flags & IPT_LOG_OPT_QTHRESHOLD)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --ulog-qthreshold twice");
+ if (atoi(optarg) < 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Negative or zero queue threshold ?");
+ if (atoi(optarg) > ULOG_MAX_QLEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "Maximum queue length exceeded");
+ loginfo->qthreshold = atoi(optarg);
+ *flags |= IPT_LOG_OPT_QTHRESHOLD;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void ULOG_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ipt_ulog_info *loginfo
+ = (const struct ipt_ulog_info *) target->data;
+
+ if (strcmp(loginfo->prefix, "") != 0) {
+ fputs("--ulog-prefix ", stdout);
+ xtables_save_string(loginfo->prefix);
+ }
+
+ if (loginfo->nl_group != ULOG_DEFAULT_NLGROUP) {
+ printf("--ulog-nlgroup ");
+ print_groups(loginfo->nl_group);
+ }
+ if (loginfo->copy_range)
+ printf("--ulog-cprange %u ", (unsigned int)loginfo->copy_range);
+
+ if (loginfo->qthreshold != ULOG_DEFAULT_QTHRESHOLD)
+ printf("--ulog-qthreshold %u ", (unsigned int)loginfo->qthreshold);
+}
+
+static void ULOG_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ipt_ulog_info *loginfo
+ = (const struct ipt_ulog_info *) target->data;
+
+ printf("ULOG ");
+ printf("copy_range %u nlgroup ", (unsigned int)loginfo->copy_range);
+ print_groups(loginfo->nl_group);
+ if (strcmp(loginfo->prefix, "") != 0)
+ printf("prefix `%s' ", loginfo->prefix);
+ printf("queue_threshold %u ", (unsigned int)loginfo->qthreshold);
+}
+
+static struct xtables_target ulog_tg_reg = {
+ .name = "ULOG",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_ulog_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_ulog_info)),
+ .help = ULOG_help,
+ .init = ULOG_init,
+ .parse = ULOG_parse,
+ .print = ULOG_print,
+ .save = ULOG_save,
+ .extra_opts = ULOG_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&ulog_tg_reg);
+}
diff --git a/extensions/libipt_ULOG.man b/extensions/libipt_ULOG.man
new file mode 100644
index 0000000..649b6e3
--- /dev/null
+++ b/extensions/libipt_ULOG.man
@@ -0,0 +1,27 @@
+This target provides userspace logging of matching packets. When this
+target is set for a rule, the Linux kernel will multicast this packet
+through a
+.IR netlink
+socket. One or more userspace processes may then subscribe to various
+multicast groups and receive the packets.
+Like LOG, this is a "non-terminating target", i.e. rule traversal
+continues at the next rule.
+.TP
+\fB\-\-ulog\-nlgroup\fP \fInlgroup\fP
+This specifies the netlink group (1-32) to which the packet is sent.
+Default value is 1.
+.TP
+\fB\-\-ulog\-prefix\fP \fIprefix\fP
+Prefix log messages with the specified prefix; up to 32 characters
+long, and useful for distinguishing messages in the logs.
+.TP
+\fB\-\-ulog\-cprange\fP \fIsize\fP
+Number of bytes to be copied to userspace. A value of 0 always copies
+the entire packet, regardless of its size. Default is 0.
+.TP
+\fB\-\-ulog\-qthreshold\fP \fIsize\fP
+Number of packet to queue inside kernel. Setting this value to, e.g. 10
+accumulates ten packets inside the kernel and transmits them as one
+netlink multipart message to userspace. Default is 1 (for backwards
+compatibility).
+.br
diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
new file mode 100644
index 0000000..ad63dcf
--- /dev/null
+++ b/extensions/libipt_addrtype.c
@@ -0,0 +1,360 @@
+/* Shared library add-on to iptables to add addrtype matching support
+ *
+ * This program is released under the terms of GNU GPL */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <xtables.h>
+
+#include <linux/netfilter_ipv4/ipt_addrtype.h>
+
+/* from linux/rtnetlink.h, must match order of enumeration */
+static const char *const rtn_names[] = {
+ "UNSPEC",
+ "UNICAST",
+ "LOCAL",
+ "BROADCAST",
+ "ANYCAST",
+ "MULTICAST",
+ "BLACKHOLE",
+ "UNREACHABLE",
+ "PROHIBIT",
+ "THROW",
+ "NAT",
+ "XRESOLVE",
+ NULL
+};
+
+static void addrtype_help_types(void)
+{
+ int i;
+
+ for (i = 0; rtn_names[i]; i++)
+ printf(" %s\n", rtn_names[i]);
+}
+
+static void addrtype_help_v0(void)
+{
+ printf(
+"Address type match options:\n"
+" [!] --src-type type[,...] Match source address type\n"
+" [!] --dst-type type[,...] Match destination address type\n"
+"\n"
+"Valid types: \n");
+ addrtype_help_types();
+}
+
+static void addrtype_help_v1(void)
+{
+ printf(
+"Address type match options:\n"
+" [!] --src-type type[,...] Match source address type\n"
+" [!] --dst-type type[,...] Match destination address type\n"
+" --limit-iface-in Match only on the packet's incoming device\n"
+" --limit-iface-out Match only on the packet's incoming device\n"
+"\n"
+"Valid types: \n");
+ addrtype_help_types();
+}
+
+static int
+parse_type(const char *name, size_t len, u_int16_t *mask)
+{
+ int i;
+
+ for (i = 0; rtn_names[i]; i++)
+ if (strncasecmp(name, rtn_names[i], len) == 0) {
+ /* build up bitmask for kernel module */
+ *mask |= (1 << i);
+ return 1;
+ }
+
+ return 0;
+}
+
+static void parse_types(const char *arg, u_int16_t *mask)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !parse_type(arg, comma-arg, mask))
+ xtables_error(PARAMETER_PROBLEM,
+ "addrtype: bad type `%s'", arg);
+ arg = comma + 1;
+ }
+
+ if (strlen(arg) == 0 || !parse_type(arg, strlen(arg), mask))
+ xtables_error(PARAMETER_PROBLEM, "addrtype: bad type \"%s\"", arg);
+}
+
+#define IPT_ADDRTYPE_OPT_SRCTYPE 0x1
+#define IPT_ADDRTYPE_OPT_DSTTYPE 0x2
+#define IPT_ADDRTYPE_OPT_LIMIT_IFACE_IN 0x4
+#define IPT_ADDRTYPE_OPT_LIMIT_IFACE_OUT 0x8
+
+static int
+addrtype_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_addrtype_info *info =
+ (struct ipt_addrtype_info *) (*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags&IPT_ADDRTYPE_OPT_SRCTYPE)
+ xtables_error(PARAMETER_PROBLEM,
+ "addrtype: can't specify src-type twice");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_types(optarg, &info->source);
+ if (invert)
+ info->invert_source = 1;
+ *flags |= IPT_ADDRTYPE_OPT_SRCTYPE;
+ break;
+ case '2':
+ if (*flags&IPT_ADDRTYPE_OPT_DSTTYPE)
+ xtables_error(PARAMETER_PROBLEM,
+ "addrtype: can't specify dst-type twice");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_types(optarg, &info->dest);
+ if (invert)
+ info->invert_dest = 1;
+ *flags |= IPT_ADDRTYPE_OPT_DSTTYPE;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static int
+addrtype_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_addrtype_info_v1 *info =
+ (struct ipt_addrtype_info_v1 *) (*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & IPT_ADDRTYPE_OPT_SRCTYPE)
+ xtables_error(PARAMETER_PROBLEM,
+ "addrtype: can't specify src-type twice");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_types(optarg, &info->source);
+ if (invert)
+ info->flags |= IPT_ADDRTYPE_INVERT_SOURCE;
+ *flags |= IPT_ADDRTYPE_OPT_SRCTYPE;
+ break;
+ case '2':
+ if (*flags & IPT_ADDRTYPE_OPT_DSTTYPE)
+ xtables_error(PARAMETER_PROBLEM,
+ "addrtype: can't specify dst-type twice");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_types(optarg, &info->dest);
+ if (invert)
+ info->flags |= IPT_ADDRTYPE_INVERT_DEST;
+ *flags |= IPT_ADDRTYPE_OPT_DSTTYPE;
+ break;
+ case '3':
+ if (*flags & IPT_ADDRTYPE_OPT_LIMIT_IFACE_IN)
+ xtables_error(PARAMETER_PROBLEM,
+ "addrtype: can't specify limit-iface-in twice");
+ info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN;
+ *flags |= IPT_ADDRTYPE_OPT_LIMIT_IFACE_IN;
+ break;
+ case '4':
+ if (*flags & IPT_ADDRTYPE_OPT_LIMIT_IFACE_OUT)
+ xtables_error(PARAMETER_PROBLEM,
+ "addrtype: can't specify limit-iface-out twice");
+ info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT;
+ *flags |= IPT_ADDRTYPE_OPT_LIMIT_IFACE_OUT;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void addrtype_check_v0(unsigned int flags)
+{
+ if (!(flags & (IPT_ADDRTYPE_OPT_SRCTYPE|IPT_ADDRTYPE_OPT_DSTTYPE)))
+ xtables_error(PARAMETER_PROBLEM,
+ "addrtype: you must specify --src-type or --dst-type");
+}
+
+static void addrtype_check_v1(unsigned int flags)
+{
+ if (!(flags & (IPT_ADDRTYPE_OPT_SRCTYPE|IPT_ADDRTYPE_OPT_DSTTYPE)))
+ xtables_error(PARAMETER_PROBLEM,
+ "addrtype: you must specify --src-type or --dst-type");
+ if (flags & IPT_ADDRTYPE_OPT_LIMIT_IFACE_IN &&
+ flags & IPT_ADDRTYPE_OPT_LIMIT_IFACE_OUT)
+ xtables_error(PARAMETER_PROBLEM,
+ "addrtype: you can't specify both --limit-iface-in "
+ "and --limit-iface-out");
+}
+
+static void print_types(u_int16_t mask)
+{
+ const char *sep = "";
+ int i;
+
+ for (i = 0; rtn_names[i]; i++)
+ if (mask & (1 << i)) {
+ printf("%s%s", sep, rtn_names[i]);
+ sep = ",";
+ }
+
+ printf(" ");
+}
+
+static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_addrtype_info *info =
+ (struct ipt_addrtype_info *) match->data;
+
+ printf("ADDRTYPE match ");
+ if (info->source) {
+ printf("src-type ");
+ if (info->invert_source)
+ printf("!");
+ print_types(info->source);
+ }
+ if (info->dest) {
+ printf("dst-type ");
+ if (info->invert_dest)
+ printf("!");
+ print_types(info->dest);
+ }
+}
+
+static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_addrtype_info_v1 *info =
+ (struct ipt_addrtype_info_v1 *) match->data;
+
+ printf("ADDRTYPE match ");
+ if (info->source) {
+ printf("src-type ");
+ if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+ printf("!");
+ print_types(info->source);
+ }
+ if (info->dest) {
+ printf("dst-type ");
+ if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+ printf("!");
+ print_types(info->dest);
+ }
+ if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+ printf("limit-in ");
+ }
+ if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ printf("limit-out ");
+ }
+}
+
+static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_addrtype_info *info =
+ (struct ipt_addrtype_info *) match->data;
+
+ if (info->source) {
+ if (info->invert_source)
+ printf("! ");
+ printf("--src-type ");
+ print_types(info->source);
+ }
+ if (info->dest) {
+ if (info->invert_dest)
+ printf("! ");
+ printf("--dst-type ");
+ print_types(info->dest);
+ }
+}
+
+static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_addrtype_info_v1 *info =
+ (struct ipt_addrtype_info_v1 *) match->data;
+
+ if (info->source) {
+ if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+ printf("! ");
+ printf("--src-type ");
+ print_types(info->source);
+ }
+ if (info->dest) {
+ if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+ printf("! ");
+ printf("--dst-type ");
+ print_types(info->dest);
+ }
+ if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+ printf("--limit-iface-in ");
+ }
+ if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ printf("--limit-iface-out ");
+ }
+}
+
+static const struct option addrtype_opts[] = {
+ { "src-type", 1, NULL, '1' },
+ { "dst-type", 1, NULL, '2' },
+ { .name = NULL }
+};
+
+static const struct option addrtype_opts_v0[] = {
+ { "src-type", 1, NULL, '1' },
+ { "dst-type", 1, NULL, '2' },
+ { .name = NULL }
+};
+
+static const struct option addrtype_opts_v1[] = {
+ { "src-type", 1, NULL, '1' },
+ { "dst-type", 1, NULL, '2' },
+ { "limit-iface-in", 0, NULL, '3' },
+ { "limit-iface-out", 0, NULL, '4' },
+ { .name = NULL }
+};
+
+static struct xtables_match addrtype_mt_reg[] = {
+ {
+ .name = "addrtype",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
+ .help = addrtype_help_v0,
+ .parse = addrtype_parse_v0,
+ .final_check = addrtype_check_v0,
+ .print = addrtype_print_v0,
+ .save = addrtype_save_v0,
+ .extra_opts = addrtype_opts_v0,
+ },
+ {
+ .name = "addrtype",
+ .revision = 1,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
+ .help = addrtype_help_v1,
+ .parse = addrtype_parse_v1,
+ .final_check = addrtype_check_v1,
+ .print = addrtype_print_v1,
+ .save = addrtype_save_v1,
+ .extra_opts = addrtype_opts_v1,
+ },
+};
+
+
+void _init(void)
+{
+ xtables_register_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg));
+}
diff --git a/extensions/libipt_addrtype.man b/extensions/libipt_addrtype.man
new file mode 100644
index 0000000..16fd9df
--- /dev/null
+++ b/extensions/libipt_addrtype.man
@@ -0,0 +1,69 @@
+This module matches packets based on their
+.B address type.
+Address types are used within the kernel networking stack and categorize
+addresses into various groups. The exact definition of that group depends on the specific layer three protocol.
+.PP
+The following address types are possible:
+.TP
+.BI "UNSPEC"
+an unspecified address (i.e. 0.0.0.0)
+.TP
+.BI "UNICAST"
+an unicast address
+.TP
+.BI "LOCAL"
+a local address
+.TP
+.BI "BROADCAST"
+a broadcast address
+.TP
+.BI "ANYCAST"
+an anycast packet
+.TP
+.BI "MULTICAST"
+a multicast address
+.TP
+.BI "BLACKHOLE"
+a blackhole address
+.TP
+.BI "UNREACHABLE"
+an unreachable address
+.TP
+.BI "PROHIBIT"
+a prohibited address
+.TP
+.BI "THROW"
+FIXME
+.TP
+.BI "NAT"
+FIXME
+.TP
+.BI "XRESOLVE"
+.TP
+[\fB!\fP] \fB\-\-src\-type\fP \fItype\fP
+Matches if the source address is of given type
+.TP
+[\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP
+Matches if the destination address is of given type
+.TP
+.BI "\-\-limit\-iface\-in"
+The address type checking can be limited to the interface the packet is coming
+in. This option is only valid in the
+.BR PREROUTING ,
+.B INPUT
+and
+.B FORWARD
+chains. It cannot be specified with the
+\fB\-\-limit\-iface\-out\fP
+option.
+.TP
+\fB\-\-limit\-iface\-out\fP
+The address type checking can be limited to the interface the packet is going
+out. This option is only valid in the
+.BR POSTROUTING ,
+.B OUTPUT
+and
+.B FORWARD
+chains. It cannot be specified with the
+\fB\-\-limit\-iface\-in\fP
+option.
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c
new file mode 100644
index 0000000..170cd8b
--- /dev/null
+++ b/extensions/libipt_ah.c
@@ -0,0 +1,170 @@
+/* Shared library add-on to iptables to add AH support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ipt_ah.h>
+
+static void ah_help(void)
+{
+ printf(
+"ah match options:\n"
+"[!] --ahspi spi[:spi]\n"
+" match spi (range)\n");
+}
+
+static const struct option ah_opts[] = {
+ { "ahspi", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static u_int32_t
+parse_ah_spi(const char *spistr)
+{
+ unsigned long int spi;
+ char* ep;
+
+ spi = strtoul(spistr,&ep,0) ;
+
+ if ( spistr == ep ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "AH no valid digits in spi `%s'", spistr);
+ }
+ if ( spi == ULONG_MAX && errno == ERANGE ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "spi `%s' specified too big: would overflow", spistr);
+ }
+ if ( *spistr != '\0' && *ep != '\0' ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "AH error parsing spi `%s'", spistr);
+ }
+ return spi;
+}
+
+static void
+parse_ah_spis(const char *spistring, u_int32_t *spis)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(spistring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ spis[0] = spis[1] = parse_ah_spi(buffer);
+ else {
+ *cp = '\0';
+ cp++;
+
+ spis[0] = buffer[0] ? parse_ah_spi(buffer) : 0;
+ spis[1] = cp[0] ? parse_ah_spi(cp) : 0xFFFFFFFF;
+ }
+ free(buffer);
+}
+
+static void ah_init(struct xt_entry_match *m)
+{
+ struct ipt_ah *ahinfo = (struct ipt_ah *)m->data;
+
+ ahinfo->spis[1] = 0xFFFFFFFF;
+}
+
+#define AH_SPI 0x01
+
+static int ah_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_ah *ahinfo = (struct ipt_ah *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & AH_SPI)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--ahspi' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_ah_spis(optarg, ahinfo->spis);
+ if (invert)
+ ahinfo->invflags |= IPT_AH_INV_SPI;
+ *flags |= AH_SPI;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+print_spis(const char *name, u_int32_t min, u_int32_t max,
+ int invert)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFFFFFF || invert) {
+ printf("%s", name);
+ if (min == max) {
+ printf(":%s", inv);
+ printf("%u", min);
+ } else {
+ printf("s:%s", inv);
+ printf("%u",min);
+ printf(":");
+ printf("%u",max);
+ }
+ printf(" ");
+ }
+}
+
+static void ah_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_ah *ah = (struct ipt_ah *)match->data;
+
+ printf("ah ");
+ print_spis("spi", ah->spis[0], ah->spis[1],
+ ah->invflags & IPT_AH_INV_SPI);
+ if (ah->invflags & ~IPT_AH_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ ah->invflags & ~IPT_AH_INV_MASK);
+}
+
+static void ah_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_ah *ahinfo = (struct ipt_ah *)match->data;
+
+ if (!(ahinfo->spis[0] == 0
+ && ahinfo->spis[1] == 0xFFFFFFFF)) {
+ printf("%s--ahspi ",
+ (ahinfo->invflags & IPT_AH_INV_SPI) ? "! " : "");
+ if (ahinfo->spis[0]
+ != ahinfo->spis[1])
+ printf("%u:%u ",
+ ahinfo->spis[0],
+ ahinfo->spis[1]);
+ else
+ printf("%u ",
+ ahinfo->spis[0]);
+ }
+
+}
+
+static struct xtables_match ah_mt_reg = {
+ .name = "ah",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_ah)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_ah)),
+ .help = ah_help,
+ .init = ah_init,
+ .parse = ah_parse,
+ .print = ah_print,
+ .save = ah_save,
+ .extra_opts = ah_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&ah_mt_reg);
+}
diff --git a/extensions/libipt_ah.man b/extensions/libipt_ah.man
new file mode 100644
index 0000000..d26455e
--- /dev/null
+++ b/extensions/libipt_ah.man
@@ -0,0 +1,3 @@
+This module matches the SPIs in Authentication header of IPsec packets.
+.TP
+[\fB!\fP] \fB\-\-ahspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
diff --git a/extensions/libipt_ecn.c b/extensions/libipt_ecn.c
new file mode 100644
index 0000000..ec3ff2d
--- /dev/null
+++ b/extensions/libipt_ecn.c
@@ -0,0 +1,160 @@
+/* Shared library add-on to iptables for ECN matching
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ *
+ * libipt_ecn.c borrowed heavily from libipt_dscp.c
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ipt_ecn.h>
+
+static void ecn_help(void)
+{
+ printf(
+"ECN match options\n"
+"[!] --ecn-tcp-cwr Match CWR bit of TCP header\n"
+"[!] --ecn-tcp-ece Match ECE bit of TCP header\n"
+"[!] --ecn-ip-ect [0..3] Match ECN codepoint in IPv4 header\n");
+}
+
+static const struct option ecn_opts[] = {
+ { .name = "ecn-tcp-cwr", .has_arg = 0, .val = 'F' },
+ { .name = "ecn-tcp-ece", .has_arg = 0, .val = 'G' },
+ { .name = "ecn-ip-ect", .has_arg = 1, .val = 'H' },
+ { .name = NULL }
+};
+
+static int ecn_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ unsigned int result;
+ struct ipt_ecn_info *einfo
+ = (struct ipt_ecn_info *)(*match)->data;
+
+ switch (c) {
+ case 'F':
+ if (*flags & IPT_ECN_OP_MATCH_CWR)
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN match: can only use parameter ONCE!");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ einfo->operation |= IPT_ECN_OP_MATCH_CWR;
+ if (invert)
+ einfo->invert |= IPT_ECN_OP_MATCH_CWR;
+ *flags |= IPT_ECN_OP_MATCH_CWR;
+ break;
+
+ case 'G':
+ if (*flags & IPT_ECN_OP_MATCH_ECE)
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN match: can only use parameter ONCE!");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ einfo->operation |= IPT_ECN_OP_MATCH_ECE;
+ if (invert)
+ einfo->invert |= IPT_ECN_OP_MATCH_ECE;
+ *flags |= IPT_ECN_OP_MATCH_ECE;
+ break;
+
+ case 'H':
+ if (*flags & IPT_ECN_OP_MATCH_IP)
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN match: can only use parameter ONCE!");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ einfo->invert |= IPT_ECN_OP_MATCH_IP;
+ *flags |= IPT_ECN_OP_MATCH_IP;
+ einfo->operation |= IPT_ECN_OP_MATCH_IP;
+ if (!xtables_strtoui(optarg, NULL, &result, 0, 3))
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN match: Value out of range");
+ einfo->ip_ect = result;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void ecn_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "ECN match: some option required");
+}
+
+static void ecn_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_ecn_info *einfo =
+ (const struct ipt_ecn_info *)match->data;
+
+ printf("ECN match ");
+
+ if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
+ if (einfo->invert & IPT_ECN_OP_MATCH_ECE)
+ fputc('!', stdout);
+ printf("ECE ");
+ }
+
+ if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
+ if (einfo->invert & IPT_ECN_OP_MATCH_CWR)
+ fputc('!', stdout);
+ printf("CWR ");
+ }
+
+ if (einfo->operation & IPT_ECN_OP_MATCH_IP) {
+ if (einfo->invert & IPT_ECN_OP_MATCH_IP)
+ fputc('!', stdout);
+ printf("ECT=%d ", einfo->ip_ect);
+ }
+}
+
+static void ecn_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_ecn_info *einfo =
+ (const struct ipt_ecn_info *)match->data;
+
+ if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
+ if (einfo->invert & IPT_ECN_OP_MATCH_ECE)
+ printf("! ");
+ printf("--ecn-tcp-ece ");
+ }
+
+ if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
+ if (einfo->invert & IPT_ECN_OP_MATCH_CWR)
+ printf("! ");
+ printf("--ecn-tcp-cwr ");
+ }
+
+ if (einfo->operation & IPT_ECN_OP_MATCH_IP) {
+ if (einfo->invert & IPT_ECN_OP_MATCH_IP)
+ printf("! ");
+ printf("--ecn-ip-ect %d", einfo->ip_ect);
+ }
+}
+
+static struct xtables_match ecn_mt_reg = {
+ .name = "ecn",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_ecn_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_ecn_info)),
+ .help = ecn_help,
+ .parse = ecn_parse,
+ .final_check = ecn_check,
+ .print = ecn_print,
+ .save = ecn_save,
+ .extra_opts = ecn_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&ecn_mt_reg);
+}
diff --git a/extensions/libipt_ecn.man b/extensions/libipt_ecn.man
new file mode 100644
index 0000000..7f80647
--- /dev/null
+++ b/extensions/libipt_ecn.man
@@ -0,0 +1,11 @@
+This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
+.TP
+[\fB!\fP] \fB\-\-ecn\-tcp\-cwr\fP
+This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
+.TP
+[\fB!\fP] \fB\-\-ecn\-tcp\-ece\fP
+This matches if the TCP ECN ECE (ECN Echo) bit is set.
+.TP
+[\fB!\fP] \fB\-\-ecn\-ip\-ect\fP \fInum\fP
+This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify
+a number between `0' and `3'.
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
new file mode 100644
index 0000000..37b2fdc
--- /dev/null
+++ b/extensions/libipt_icmp.c
@@ -0,0 +1,285 @@
+/* Shared library add-on to iptables to add ICMP support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <limits.h> /* INT_MAX in ip_tables.h */
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+/* special hack for icmp-type 'any':
+ * Up to kernel <=2.4.20 the problem was:
+ * '-p icmp ' matches all icmp packets
+ * '-p icmp -m icmp' matches _only_ ICMP type 0 :(
+ * This is now fixed by initializing the field * to icmp type 0xFF
+ * See: https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=37
+ */
+
+struct icmp_names {
+ const char *name;
+ u_int8_t type;
+ u_int8_t code_min, code_max;
+};
+
+static const struct icmp_names icmp_codes[] = {
+ { "any", 0xFF, 0, 0xFF },
+ { "echo-reply", 0, 0, 0xFF },
+ /* Alias */ { "pong", 0, 0, 0xFF },
+
+ { "destination-unreachable", 3, 0, 0xFF },
+ { "network-unreachable", 3, 0, 0 },
+ { "host-unreachable", 3, 1, 1 },
+ { "protocol-unreachable", 3, 2, 2 },
+ { "port-unreachable", 3, 3, 3 },
+ { "fragmentation-needed", 3, 4, 4 },
+ { "source-route-failed", 3, 5, 5 },
+ { "network-unknown", 3, 6, 6 },
+ { "host-unknown", 3, 7, 7 },
+ { "network-prohibited", 3, 9, 9 },
+ { "host-prohibited", 3, 10, 10 },
+ { "TOS-network-unreachable", 3, 11, 11 },
+ { "TOS-host-unreachable", 3, 12, 12 },
+ { "communication-prohibited", 3, 13, 13 },
+ { "host-precedence-violation", 3, 14, 14 },
+ { "precedence-cutoff", 3, 15, 15 },
+
+ { "source-quench", 4, 0, 0xFF },
+
+ { "redirect", 5, 0, 0xFF },
+ { "network-redirect", 5, 0, 0 },
+ { "host-redirect", 5, 1, 1 },
+ { "TOS-network-redirect", 5, 2, 2 },
+ { "TOS-host-redirect", 5, 3, 3 },
+
+ { "echo-request", 8, 0, 0xFF },
+ /* Alias */ { "ping", 8, 0, 0xFF },
+
+ { "router-advertisement", 9, 0, 0xFF },
+
+ { "router-solicitation", 10, 0, 0xFF },
+
+ { "time-exceeded", 11, 0, 0xFF },
+ /* Alias */ { "ttl-exceeded", 11, 0, 0xFF },
+ { "ttl-zero-during-transit", 11, 0, 0 },
+ { "ttl-zero-during-reassembly", 11, 1, 1 },
+
+ { "parameter-problem", 12, 0, 0xFF },
+ { "ip-header-bad", 12, 0, 0 },
+ { "required-option-missing", 12, 1, 1 },
+
+ { "timestamp-request", 13, 0, 0xFF },
+
+ { "timestamp-reply", 14, 0, 0xFF },
+
+ { "address-mask-request", 17, 0, 0xFF },
+
+ { "address-mask-reply", 18, 0, 0xFF }
+};
+
+static void
+print_icmptypes(void)
+{
+ unsigned int i;
+ printf("Valid ICMP Types:");
+
+ for (i = 0; i < ARRAY_SIZE(icmp_codes); ++i) {
+ if (i && icmp_codes[i].type == icmp_codes[i-1].type) {
+ if (icmp_codes[i].code_min == icmp_codes[i-1].code_min
+ && (icmp_codes[i].code_max
+ == icmp_codes[i-1].code_max))
+ printf(" (%s)", icmp_codes[i].name);
+ else
+ printf("\n %s", icmp_codes[i].name);
+ }
+ else
+ printf("\n%s", icmp_codes[i].name);
+ }
+ printf("\n");
+}
+
+static void icmp_help(void)
+{
+ printf(
+"icmp match options:\n"
+"[!] --icmp-type typename match icmp type\n"
+"[!] --icmp-type type[/code] (or numeric type or type/code)\n");
+ print_icmptypes();
+}
+
+static const struct option icmp_opts[] = {
+ { "icmp-type", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static void
+parse_icmp(const char *icmptype, u_int8_t *type, u_int8_t code[])
+{
+ static const unsigned int limit = ARRAY_SIZE(icmp_codes);
+ unsigned int match = limit;
+ unsigned int i;
+
+ for (i = 0; i < limit; i++) {
+ if (strncasecmp(icmp_codes[i].name, icmptype, strlen(icmptype))
+ == 0) {
+ if (match != limit)
+ xtables_error(PARAMETER_PROBLEM,
+ "Ambiguous ICMP type `%s':"
+ " `%s' or `%s'?",
+ icmptype,
+ icmp_codes[match].name,
+ icmp_codes[i].name);
+ match = i;
+ }
+ }
+
+ if (match != limit) {
+ *type = icmp_codes[match].type;
+ code[0] = icmp_codes[match].code_min;
+ code[1] = icmp_codes[match].code_max;
+ } else {
+ char *slash;
+ char buffer[strlen(icmptype) + 1];
+ unsigned int number;
+
+ strcpy(buffer, icmptype);
+ slash = strchr(buffer, '/');
+
+ if (slash)
+ *slash = '\0';
+
+ if (!xtables_strtoui(buffer, NULL, &number, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid ICMP type `%s'\n", buffer);
+ *type = number;
+ if (slash) {
+ if (!xtables_strtoui(slash+1, NULL, &number, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid ICMP code `%s'\n",
+ slash+1);
+ code[0] = code[1] = number;
+ } else {
+ code[0] = 0;
+ code[1] = 0xFF;
+ }
+ }
+}
+
+static void icmp_init(struct xt_entry_match *m)
+{
+ struct ipt_icmp *icmpinfo = (struct ipt_icmp *)m->data;
+
+ icmpinfo->type = 0xFF;
+ icmpinfo->code[1] = 0xFF;
+}
+
+static int icmp_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_icmp *icmpinfo = (struct ipt_icmp *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags == 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "icmp match: only use --icmp-type once!");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_icmp(optarg, &icmpinfo->type,
+ icmpinfo->code);
+ if (invert)
+ icmpinfo->invflags |= IPT_ICMP_INV;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void print_icmptype(u_int8_t type,
+ u_int8_t code_min, u_int8_t code_max,
+ int invert,
+ int numeric)
+{
+ if (!numeric) {
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(icmp_codes); ++i)
+ if (icmp_codes[i].type == type
+ && icmp_codes[i].code_min == code_min
+ && icmp_codes[i].code_max == code_max)
+ break;
+
+ if (i != ARRAY_SIZE(icmp_codes)) {
+ printf("%s%s ",
+ invert ? "!" : "",
+ icmp_codes[i].name);
+ return;
+ }
+ }
+
+ if (invert)
+ printf("!");
+
+ printf("type %u", type);
+ if (code_min == 0 && code_max == 0xFF)
+ printf(" ");
+ else if (code_min == code_max)
+ printf(" code %u ", code_min);
+ else
+ printf(" codes %u-%u ", code_min, code_max);
+}
+
+static void icmp_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
+
+ printf("icmp ");
+ print_icmptype(icmp->type, icmp->code[0], icmp->code[1],
+ icmp->invflags & IPT_ICMP_INV,
+ numeric);
+
+ if (icmp->invflags & ~IPT_ICMP_INV)
+ printf("Unknown invflags: 0x%X ",
+ icmp->invflags & ~IPT_ICMP_INV);
+}
+
+static void icmp_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
+
+ if (icmp->invflags & IPT_ICMP_INV)
+ printf("! ");
+
+ /* special hack for 'any' case */
+ if (icmp->type == 0xFF) {
+ printf("--icmp-type any ");
+ } else {
+ printf("--icmp-type %u", icmp->type);
+ if (icmp->code[0] != 0 || icmp->code[1] != 0xFF)
+ printf("/%u", icmp->code[0]);
+ printf(" ");
+ }
+}
+
+static struct xtables_match icmp_mt_reg = {
+ .name = "icmp",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_icmp)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_icmp)),
+ .help = icmp_help,
+ .init = icmp_init,
+ .parse = icmp_parse,
+ .print = icmp_print,
+ .save = icmp_save,
+ .extra_opts = icmp_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&icmp_mt_reg);
+}
diff --git a/extensions/libipt_icmp.man b/extensions/libipt_icmp.man
new file mode 100644
index 0000000..1039704
--- /dev/null
+++ b/extensions/libipt_icmp.man
@@ -0,0 +1,9 @@
+This extension can be used if `\-\-protocol icmp' is specified. It
+provides the following option:
+.TP
+[\fB!\fP] \fB\-\-icmp\-type\fP {\fItype\fP[\fB/\fP\fIcode\fP]|\fItypename\fP}
+This allows specification of the ICMP type, which can be a numeric
+ICMP type, type/code pair, or one of the ICMP type names shown by the command
+.nf
+ iptables \-p icmp \-h
+.fi
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
new file mode 100644
index 0000000..cd4b324
--- /dev/null
+++ b/extensions/libipt_realm.c
@@ -0,0 +1,253 @@
+/* Shared library add-on to iptables to add realm matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <ctype.h>
+#include <getopt.h>
+#if defined(__GLIBC__) && __GLIBC__ == 2
+#include <net/ethernet.h>
+#else
+#include <linux/if_ether.h>
+#endif
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ipt_realm.h>
+
+static void realm_help(void)
+{
+ printf(
+"realm match options:\n"
+"[!] --realm value[/mask]\n"
+" Match realm\n");
+}
+
+static const struct option realm_opts[] = {
+ { "realm", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+struct realmname {
+ int id;
+ char* name;
+ int len;
+ struct realmname* next;
+};
+
+/* array of realms from /etc/iproute2/rt_realms */
+static struct realmname *realms;
+/* 1 if loading failed */
+static int rdberr;
+
+static void load_realms(void)
+{
+ const char* rfnm = "/etc/iproute2/rt_realms";
+ char buf[512];
+ FILE *fil;
+ char *cur, *nxt;
+ int id;
+ struct realmname *oldnm = NULL, *newnm = NULL;
+
+ fil = fopen(rfnm, "r");
+ if (!fil) {
+ rdberr = 1;
+ return;
+ }
+
+ while (fgets(buf, sizeof(buf), fil)) {
+ cur = buf;
+ while ((*cur == ' ') || (*cur == '\t'))
+ cur++;
+ if ((*cur == '#') || (*cur == '\n') || (*cur == 0))
+ continue;
+
+ /* iproute2 allows hex and dec format */
+ errno = 0;
+ id = strtoul(cur, &nxt, strncmp(cur, "0x", 2) ? 10 : 16);
+ if ((nxt == cur) || errno)
+ continue;
+
+ /* same boundaries as in iproute2 */
+ if (id < 0 || id > 255)
+ continue;
+ cur = nxt;
+
+ if (!isspace(*cur))
+ continue;
+ while ((*cur == ' ') || (*cur == '\t'))
+ cur++;
+ if ((*cur == '#') || (*cur == '\n') || (*cur == 0))
+ continue;
+ nxt = cur;
+ while ((*nxt != 0) && !isspace(*nxt))
+ nxt++;
+ if (nxt == cur)
+ continue;
+
+ /* found valid data */
+ newnm = malloc(sizeof(struct realmname));
+ if (newnm == NULL) {
+ perror("libipt_realm: malloc failed");
+ exit(1);
+ }
+ newnm->id = id;
+ newnm->len = nxt - cur;
+ newnm->name = malloc(newnm->len + 1);
+ if (newnm->name == NULL) {
+ perror("libipt_realm: malloc failed");
+ exit(1);
+ }
+ strncpy(newnm->name, cur, newnm->len);
+ newnm->name[newnm->len] = 0;
+ newnm->next = NULL;
+
+ if (oldnm)
+ oldnm->next = newnm;
+ else
+ realms = newnm;
+ oldnm = newnm;
+ }
+
+ fclose(fil);
+}
+
+/* get realm id for name, -1 if error/not found */
+static int realm_name2id(const char* name)
+{
+ struct realmname* cur;
+
+ if ((realms == NULL) && (rdberr == 0))
+ load_realms();
+ cur = realms;
+ if (cur == NULL)
+ return -1;
+ while (cur) {
+ if (!strncmp(name, cur->name, cur->len + 1))
+ return cur->id;
+ cur = cur->next;
+ }
+ return -1;
+}
+
+/* get realm name for id, NULL if error/not found */
+static const char *realm_id2name(int id)
+{
+ struct realmname* cur;
+
+ if ((realms == NULL) && (rdberr == 0))
+ load_realms();
+ cur = realms;
+ if (cur == NULL)
+ return NULL;
+ while (cur) {
+ if (id == cur->id)
+ return cur->name;
+ cur = cur->next;
+ }
+ return NULL;
+}
+
+static int realm_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_realm_info *realminfo = (struct ipt_realm_info *)(*match)->data;
+ int id;
+
+ switch (c) {
+ char *end;
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ end = optarg = optarg;
+ realminfo->id = strtoul(optarg, &end, 0);
+ if (end != optarg && (*end == '/' || *end == '\0')) {
+ if (*end == '/')
+ realminfo->mask = strtoul(end+1, &end, 0);
+ else
+ realminfo->mask = 0xffffffff;
+ if (*end != '\0' || end == optarg)
+ xtables_error(PARAMETER_PROBLEM,
+ "Bad realm value `%s'", optarg);
+ } else {
+ id = realm_name2id(optarg);
+ if (id == -1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Realm `%s' not found", optarg);
+ realminfo->id = id;
+ realminfo->mask = 0xffffffff;
+ }
+ if (invert)
+ realminfo->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void
+print_realm(unsigned long id, unsigned long mask, int numeric)
+{
+ const char* name = NULL;
+
+ if (mask != 0xffffffff)
+ printf("0x%lx/0x%lx ", id, mask);
+ else {
+ if (numeric == 0)
+ name = realm_id2name(id);
+ if (name)
+ printf("%s ", name);
+ else
+ printf("0x%lx ", id);
+ }
+}
+
+static void realm_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_realm_info *ri = (const void *)match->data;
+
+ if (ri->invert)
+ printf("! ");
+
+ printf("realm ");
+ print_realm(ri->id, ri->mask, numeric);
+}
+
+static void realm_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_realm_info *ri = (const void *)match->data;
+
+ if (ri->invert)
+ printf("! ");
+
+ printf("--realm ");
+ print_realm(ri->id, ri->mask, 0);
+}
+
+static void realm_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "realm match: You must specify `--realm'");
+}
+
+static struct xtables_match realm_mt_reg = {
+ .name = "realm",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_realm_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_realm_info)),
+ .help = realm_help,
+ .parse = realm_parse,
+ .final_check = realm_check,
+ .print = realm_print,
+ .save = realm_save,
+ .extra_opts = realm_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&realm_mt_reg);
+}
diff --git a/extensions/libipt_realm.man b/extensions/libipt_realm.man
new file mode 100644
index 0000000..a40b1ad
--- /dev/null
+++ b/extensions/libipt_realm.man
@@ -0,0 +1,7 @@
+This matches the routing realm. Routing realms are used in complex routing
+setups involving dynamic routing protocols like BGP.
+.TP
+[\fB!\fP] \fB\-\-realm\fP \fIvalue\fP[\fB/\fP\fImask\fP]
+Matches a given realm number (and optionally mask). If not a number, value
+can be a named realm from /etc/iproute2/rt_realms (mask can not be used in
+that case).
diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
new file mode 100644
index 0000000..e2fbcd5
--- /dev/null
+++ b/extensions/libipt_ttl.c
@@ -0,0 +1,167 @@
+/* Shared library add-on to iptables to add TTL matching support
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org>
+ *
+ * $Id$
+ *
+ * This program is released under the terms of GNU GPL */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <xtables.h>
+
+#include <linux/netfilter_ipv4/ipt_ttl.h>
+
+static void ttl_help(void)
+{
+ printf(
+"ttl match options:\n"
+" --ttl-eq value Match time to live value\n"
+" --ttl-lt value Match TTL < value\n"
+" --ttl-gt value Match TTL > value\n");
+}
+
+static int ttl_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_ttl_info *info = (struct ipt_ttl_info *) (*match)->data;
+ unsigned int value;
+
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ switch (c) {
+ case '2':
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "ttl: Expected value between 0 and 255");
+
+ if (invert)
+ info->mode = IPT_TTL_NE;
+ else
+ info->mode = IPT_TTL_EQ;
+
+ /* is 0 allowed? */
+ info->ttl = value;
+ break;
+ case '3':
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "ttl: Expected value between 0 and 255");
+
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "ttl: unexpected `!'");
+
+ info->mode = IPT_TTL_LT;
+ info->ttl = value;
+ break;
+ case '4':
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "ttl: Expected value between 0 and 255");
+
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "ttl: unexpected `!'");
+
+ info->mode = IPT_TTL_GT;
+ info->ttl = value;
+ break;
+ default:
+ return 0;
+
+ }
+
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify TTL option twice");
+ *flags = 1;
+
+ return 1;
+}
+
+static void ttl_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "TTL match: You must specify one of "
+ "`--ttl-eq', `--ttl-lt', `--ttl-gt");
+}
+
+static void ttl_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_ttl_info *info =
+ (struct ipt_ttl_info *) match->data;
+
+ printf("TTL match ");
+ switch (info->mode) {
+ case IPT_TTL_EQ:
+ printf("TTL == ");
+ break;
+ case IPT_TTL_NE:
+ printf("TTL != ");
+ break;
+ case IPT_TTL_LT:
+ printf("TTL < ");
+ break;
+ case IPT_TTL_GT:
+ printf("TTL > ");
+ break;
+ }
+ printf("%u ", info->ttl);
+}
+
+static void ttl_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_ttl_info *info =
+ (struct ipt_ttl_info *) match->data;
+
+ switch (info->mode) {
+ case IPT_TTL_EQ:
+ printf("--ttl-eq ");
+ break;
+ case IPT_TTL_NE:
+ printf("! --ttl-eq ");
+ break;
+ case IPT_TTL_LT:
+ printf("--ttl-lt ");
+ break;
+ case IPT_TTL_GT:
+ printf("--ttl-gt ");
+ break;
+ default:
+ /* error */
+ break;
+ }
+ printf("%u ", info->ttl);
+}
+
+static const struct option ttl_opts[] = {
+ { "ttl", 1, NULL, '2' },
+ { "ttl-eq", 1, NULL, '2'},
+ { "ttl-lt", 1, NULL, '3'},
+ { "ttl-gt", 1, NULL, '4'},
+ { .name = NULL }
+};
+
+static struct xtables_match ttl_mt_reg = {
+ .name = "ttl",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_ttl_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_ttl_info)),
+ .help = ttl_help,
+ .parse = ttl_parse,
+ .final_check = ttl_check,
+ .print = ttl_print,
+ .save = ttl_save,
+ .extra_opts = ttl_opts,
+};
+
+
+void _init(void)
+{
+ xtables_register_match(&ttl_mt_reg);
+}
diff --git a/extensions/libipt_ttl.man b/extensions/libipt_ttl.man
new file mode 100644
index 0000000..849f704
--- /dev/null
+++ b/extensions/libipt_ttl.man
@@ -0,0 +1,10 @@
+This module matches the time to live field in the IP header.
+.TP
+\fB\-\-ttl\-eq\fP \fIttl\fP
+Matches the given TTL value.
+.TP
+\fB\-\-ttl\-gt\fP \fIttl\fP
+Matches if TTL is greater than the given TTL value.
+.TP
+\fB\-\-ttl\-lt\fP \fIttl\fP
+Matches if TTL is less than the given TTL value.
diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c
new file mode 100644
index 0000000..bc4a4a0
--- /dev/null
+++ b/extensions/libipt_unclean.c
@@ -0,0 +1,15 @@
+/* Shared library add-on to iptables for unclean. */
+#include <xtables.h>
+
+static struct xtables_match unclean_mt_reg = {
+ .name = "unclean",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(0),
+ .userspacesize = XT_ALIGN(0),
+};
+
+void _init(void)
+{
+ xtables_register_match(&unclean_mt_reg);
+}
diff --git a/extensions/libipt_unclean.man b/extensions/libipt_unclean.man
new file mode 100644
index 0000000..3fecd55
--- /dev/null
+++ b/extensions/libipt_unclean.man
@@ -0,0 +1,2 @@
+This module takes no options, but attempts to match packets which seem
+malformed or unusual. This is regarded as experimental.
diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c
new file mode 100644
index 0000000..82b8f4e
--- /dev/null
+++ b/extensions/libxt_CLASSIFY.c
@@ -0,0 +1,115 @@
+/* Shared library add-on to iptables to add CLASSIFY target support. */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_CLASSIFY.h>
+#include <linux/types.h>
+#include <linux/pkt_sched.h>
+
+static void
+CLASSIFY_help(void)
+{
+ printf(
+"CLASSIFY target options:\n"
+"--set-class MAJOR:MINOR Set skb->priority value (always hexadecimal!)\n");
+}
+
+static const struct option CLASSIFY_opts[] = {
+ { "set-class", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static int CLASSIFY_string_to_priority(const char *s, unsigned int *p)
+{
+ unsigned int i, j;
+
+ if (sscanf(s, "%x:%x", &i, &j) != 2)
+ return 1;
+
+ *p = TC_H_MAKE(i<<16, j);
+ return 0;
+}
+
+static int
+CLASSIFY_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry,
+ struct xt_entry_target **target)
+{
+ struct xt_classify_target_info *clinfo
+ = (struct xt_classify_target_info *)(*target)->data;
+
+ switch (c) {
+ case '1':
+ if (CLASSIFY_string_to_priority(optarg, &clinfo->priority))
+ xtables_error(PARAMETER_PROBLEM,
+ "Bad class value `%s'", optarg);
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "CLASSIFY: Can't specify --set-class twice");
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+CLASSIFY_final_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "CLASSIFY: Parameter --set-class is required");
+}
+
+static void
+CLASSIFY_print_class(unsigned int priority, int numeric)
+{
+ printf("%x:%x ", TC_H_MAJ(priority)>>16, TC_H_MIN(priority));
+}
+
+static void
+CLASSIFY_print(const void *ip,
+ const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_classify_target_info *clinfo =
+ (const struct xt_classify_target_info *)target->data;
+ printf("CLASSIFY set ");
+ CLASSIFY_print_class(clinfo->priority, numeric);
+}
+
+static void
+CLASSIFY_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_classify_target_info *clinfo =
+ (const struct xt_classify_target_info *)target->data;
+
+ printf("--set-class %.4x:%.4x ",
+ TC_H_MAJ(clinfo->priority)>>16, TC_H_MIN(clinfo->priority));
+}
+
+static struct xtables_target classify_target = {
+ .family = NFPROTO_UNSPEC,
+ .name = "CLASSIFY",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_classify_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_classify_target_info)),
+ .help = CLASSIFY_help,
+ .parse = CLASSIFY_parse,
+ .final_check = CLASSIFY_final_check,
+ .print = CLASSIFY_print,
+ .save = CLASSIFY_save,
+ .extra_opts = CLASSIFY_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&classify_target);
+}
diff --git a/extensions/libxt_CLASSIFY.man b/extensions/libxt_CLASSIFY.man
new file mode 100644
index 0000000..0270fd1
--- /dev/null
+++ b/extensions/libxt_CLASSIFY.man
@@ -0,0 +1,5 @@
+This module allows you to set the skb\->priority value (and thus classify the packet into a specific CBQ class).
+.TP
+\fB\-\-set\-class\fP \fImajor\fP\fB:\fP\fIminor\fP
+Set the major and minor class value. The values are always interpreted as
+hexadecimal even if no 0x prefix is given.
diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
new file mode 100644
index 0000000..6aba5f3
--- /dev/null
+++ b/extensions/libxt_CONNMARK.c
@@ -0,0 +1,445 @@
+/* Shared library add-on to iptables to add CONNMARK target support.
+ *
+ * (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * Version 1.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_CONNMARK.h>
+
+struct xt_connmark_target_info {
+ unsigned long mark;
+ unsigned long mask;
+ u_int8_t mode;
+};
+
+enum {
+ F_MARK = 1 << 0,
+ F_SR_MARK = 1 << 1,
+};
+
+static void CONNMARK_help(void)
+{
+ printf(
+"CONNMARK target options:\n"
+" --set-mark value[/mask] Set conntrack mark value\n"
+" --save-mark [--mask mask] Save the packet nfmark in the connection\n"
+" --restore-mark [--mask mask] Restore saved nfmark value\n");
+}
+
+static const struct option CONNMARK_opts[] = {
+ { "set-mark", 1, NULL, '1' },
+ { "save-mark", 0, NULL, '2' },
+ { "restore-mark", 0, NULL, '3' },
+ { "mask", 1, NULL, '4' },
+ { .name = NULL }
+};
+
+static const struct option connmark_tg_opts[] = {
+ {.name = "set-xmark", .has_arg = true, .val = '='},
+ {.name = "set-mark", .has_arg = true, .val = '-'},
+ {.name = "and-mark", .has_arg = true, .val = '&'},
+ {.name = "or-mark", .has_arg = true, .val = '|'},
+ {.name = "xor-mark", .has_arg = true, .val = '^'},
+ {.name = "save-mark", .has_arg = false, .val = 'S'},
+ {.name = "restore-mark", .has_arg = false, .val = 'R'},
+ {.name = "ctmask", .has_arg = true, .val = 'c'},
+ {.name = "nfmask", .has_arg = true, .val = 'n'},
+ {.name = "mask", .has_arg = true, .val = 'm'},
+ {.name = NULL},
+};
+
+static void connmark_tg_help(void)
+{
+ printf(
+"CONNMARK target options:\n"
+" --set-xmark value[/ctmask] Zero mask bits and XOR ctmark with value\n"
+" --save-mark [--ctmask mask] [--nfmask mask]\n"
+" Copy ctmark to nfmark using masks\n"
+" --restore-mark [--ctmask mask] [--nfmask mask]\n"
+" Copy nfmark to ctmark using masks\n"
+" --set-mark value[/mask] Set conntrack mark value\n"
+" --save-mark [--mask mask] Save the packet nfmark in the connection\n"
+" --restore-mark [--mask mask] Restore saved nfmark value\n"
+" --and-mark value Binary AND the ctmark with bits\n"
+" --or-mark value Binary OR the ctmark with bits\n"
+" --xor-mark value Binary XOR the ctmark with bits\n"
+);
+}
+
+static void connmark_tg_init(struct xt_entry_target *target)
+{
+ struct xt_connmark_tginfo1 *info = (void *)target->data;
+
+ /*
+ * Need these defaults for --save-mark/--restore-mark if no
+ * --ctmark or --nfmask is given.
+ */
+ info->ctmask = UINT32_MAX;
+ info->nfmask = UINT32_MAX;
+}
+
+static int
+CONNMARK_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_connmark_target_info *markinfo
+ = (struct xt_connmark_target_info *)(*target)->data;
+
+ switch (c) {
+ char *end;
+ case '1':
+ markinfo->mode = XT_CONNMARK_SET;
+
+ markinfo->mark = strtoul(optarg, &end, 0);
+ if (*end == '/' && end[1] != '\0')
+ markinfo->mask = strtoul(end+1, &end, 0);
+
+ if (*end != '\0' || end == optarg)
+ xtables_error(PARAMETER_PROBLEM, "Bad MARK value \"%s\"", optarg);
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "CONNMARK target: Can't specify --set-mark twice");
+ *flags = 1;
+ break;
+ case '2':
+ markinfo->mode = XT_CONNMARK_SAVE;
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "CONNMARK target: Can't specify --save-mark twice");
+ *flags = 1;
+ break;
+ case '3':
+ markinfo->mode = XT_CONNMARK_RESTORE;
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "CONNMARK target: Can't specify --restore-mark twice");
+ *flags = 1;
+ break;
+ case '4':
+ if (!*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "CONNMARK target: Can't specify --mask without a operation");
+ markinfo->mask = strtoul(optarg, &end, 0);
+
+ if (*end != '\0' || end == optarg)
+ xtables_error(PARAMETER_PROBLEM, "Bad MASK value \"%s\"", optarg);
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static int connmark_tg_parse(int c, char **argv, int invert,
+ unsigned int *flags, const void *entry,
+ struct xt_entry_target **target)
+{
+ struct xt_connmark_tginfo1 *info = (void *)(*target)->data;
+ unsigned int value, mask = UINT32_MAX;
+ char *end;
+
+ switch (c) {
+ case '=': /* --set-xmark */
+ case '-': /* --set-mark */
+ xtables_param_act(XTF_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ if (!xtables_strtoui(optarg, &end, &value, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "CONNMARK", "--set-xmark/--set-mark", optarg);
+ if (*end == '/')
+ if (!xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "CONNMARK", "--set-xmark/--set-mark", optarg);
+ if (*end != '\0')
+ xtables_param_act(XTF_BAD_VALUE, "CONNMARK", "--set-xmark/--set-mark", optarg);
+ info->mode = XT_CONNMARK_SET;
+ info->ctmark = value;
+ info->ctmask = mask;
+ if (c == '-')
+ info->ctmask |= value;
+ *flags |= F_MARK;
+ return true;
+
+ case '&': /* --and-mark */
+ xtables_param_act(XTF_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ if (!xtables_strtoui(optarg, NULL, &mask, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "CONNMARK", "--and-mark", optarg);
+ info->mode = XT_CONNMARK_SET;
+ info->ctmark = 0;
+ info->ctmask = ~mask;
+ *flags |= F_MARK;
+ return true;
+
+ case '|': /* --or-mark */
+ xtables_param_act(XTF_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "CONNMARK", "--or-mark", optarg);
+ info->mode = XT_CONNMARK_SET;
+ info->ctmark = value;
+ info->ctmask = value;
+ *flags |= F_MARK;
+ return true;
+
+ case '^': /* --xor-mark */
+ xtables_param_act(XTF_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "CONNMARK", "--xor-mark", optarg);
+ info->mode = XT_CONNMARK_SET;
+ info->ctmark = value;
+ info->ctmask = 0;
+ *flags |= F_MARK;
+ return true;
+
+ case 'S': /* --save-mark */
+ xtables_param_act(XTF_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ info->mode = XT_CONNMARK_SAVE;
+ *flags |= F_MARK | F_SR_MARK;
+ return true;
+
+ case 'R': /* --restore-mark */
+ xtables_param_act(XTF_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ info->mode = XT_CONNMARK_RESTORE;
+ *flags |= F_MARK | F_SR_MARK;
+ return true;
+
+ case 'n': /* --nfmask */
+ if (!(*flags & F_SR_MARK))
+ xtables_error(PARAMETER_PROBLEM, "CONNMARK: --save-mark "
+ "or --restore-mark is required for "
+ "--nfmask");
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "CONNMARK", "--nfmask", optarg);
+ info->nfmask = value;
+ return true;
+
+ case 'c': /* --ctmask */
+ if (!(*flags & F_SR_MARK))
+ xtables_error(PARAMETER_PROBLEM, "CONNMARK: --save-mark "
+ "or --restore-mark is required for "
+ "--ctmask");
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "CONNMARK", "--ctmask", optarg);
+ info->ctmask = value;
+ return true;
+
+ case 'm': /* --mask */
+ if (!(*flags & F_SR_MARK))
+ xtables_error(PARAMETER_PROBLEM, "CONNMARK: --save-mark "
+ "or --restore-mark is required for "
+ "--mask");
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "CONNMARK", "--mask", optarg);
+ info->nfmask = info->ctmask = value;
+ return true;
+ }
+
+ return false;
+}
+
+static void connmark_tg_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "CONNMARK target: No operation specified");
+}
+
+static void
+print_mark(unsigned long mark)
+{
+ printf("0x%lx", mark);
+}
+
+static void
+print_mask(const char *text, unsigned long mask)
+{
+ if (mask != 0xffffffffUL)
+ printf("%s0x%lx", text, mask);
+}
+
+static void CONNMARK_print(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_connmark_target_info *markinfo =
+ (const struct xt_connmark_target_info *)target->data;
+ switch (markinfo->mode) {
+ case XT_CONNMARK_SET:
+ printf("CONNMARK set ");
+ print_mark(markinfo->mark);
+ print_mask("/", markinfo->mask);
+ printf(" ");
+ break;
+ case XT_CONNMARK_SAVE:
+ printf("CONNMARK save ");
+ print_mask("mask ", markinfo->mask);
+ printf(" ");
+ break;
+ case XT_CONNMARK_RESTORE:
+ printf("CONNMARK restore ");
+ print_mask("mask ", markinfo->mask);
+ break;
+ default:
+ printf("ERROR: UNKNOWN CONNMARK MODE ");
+ break;
+ }
+}
+
+static void
+connmark_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_connmark_tginfo1 *info = (const void *)target->data;
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ if (info->ctmark == 0)
+ printf("CONNMARK and 0x%x ",
+ (unsigned int)(u_int32_t)~info->ctmask);
+ else if (info->ctmark == info->ctmask)
+ printf("CONNMARK or 0x%x ", info->ctmark);
+ else if (info->ctmask == 0)
+ printf("CONNMARK xor 0x%x ", info->ctmark);
+ else if (info->ctmask == 0xFFFFFFFFU)
+ printf("CONNMARK set 0x%x ", info->ctmark);
+ else
+ printf("CONNMARK xset 0x%x/0x%x ",
+ info->ctmark, info->ctmask);
+ break;
+ case XT_CONNMARK_SAVE:
+ if (info->nfmask == UINT32_MAX && info->ctmask == UINT32_MAX)
+ printf("CONNMARK save ");
+ else if (info->nfmask == info->ctmask)
+ printf("CONNMARK save mask 0x%x ", info->nfmask);
+ else
+ printf("CONNMARK save nfmask 0x%x ctmask ~0x%x ",
+ info->nfmask, info->ctmask);
+ break;
+ case XT_CONNMARK_RESTORE:
+ if (info->ctmask == UINT32_MAX && info->nfmask == UINT32_MAX)
+ printf("CONNMARK restore ");
+ else if (info->ctmask == info->nfmask)
+ printf("CONNMARK restore mask 0x%x ", info->ctmask);
+ else
+ printf("CONNMARK restore ctmask 0x%x nfmask ~0x%x ",
+ info->ctmask, info->nfmask);
+ break;
+
+ default:
+ printf("ERROR: UNKNOWN CONNMARK MODE");
+ break;
+ }
+}
+
+static void CONNMARK_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_connmark_target_info *markinfo =
+ (const struct xt_connmark_target_info *)target->data;
+
+ switch (markinfo->mode) {
+ case XT_CONNMARK_SET:
+ printf("--set-mark ");
+ print_mark(markinfo->mark);
+ print_mask("/", markinfo->mask);
+ printf(" ");
+ break;
+ case XT_CONNMARK_SAVE:
+ printf("--save-mark ");
+ print_mask("--mask ", markinfo->mask);
+ break;
+ case XT_CONNMARK_RESTORE:
+ printf("--restore-mark ");
+ print_mask("--mask ", markinfo->mask);
+ break;
+ default:
+ printf("ERROR: UNKNOWN CONNMARK MODE ");
+ break;
+ }
+}
+
+static void CONNMARK_init(struct xt_entry_target *t)
+{
+ struct xt_connmark_target_info *markinfo
+ = (struct xt_connmark_target_info *)t->data;
+
+ markinfo->mask = 0xffffffffUL;
+}
+
+static void
+connmark_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_connmark_tginfo1 *info = (const void *)target->data;
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ printf("--set-xmark 0x%x/0x%x ", info->ctmark, info->ctmask);
+ break;
+ case XT_CONNMARK_SAVE:
+ printf("--save-mark --nfmask 0x%x --ctmask 0x%x ",
+ info->nfmask, info->ctmask);
+ break;
+ case XT_CONNMARK_RESTORE:
+ printf("--restore-mark --nfmask 0x%x --ctmask 0x%x ",
+ info->nfmask, info->ctmask);
+ break;
+ default:
+ printf("ERROR: UNKNOWN CONNMARK MODE");
+ break;
+ }
+}
+
+static struct xtables_target connmark_tg_reg[] = {
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "CONNMARK",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
+ .help = CONNMARK_help,
+ .init = CONNMARK_init,
+ .parse = CONNMARK_parse,
+ .final_check = connmark_tg_check,
+ .print = CONNMARK_print,
+ .save = CONNMARK_save,
+ .extra_opts = CONNMARK_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)),
+ .help = connmark_tg_help,
+ .init = connmark_tg_init,
+ .parse = connmark_tg_parse,
+ .final_check = connmark_tg_check,
+ .print = connmark_tg_print,
+ .save = connmark_tg_save,
+ .extra_opts = connmark_tg_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_targets(connmark_tg_reg, ARRAY_SIZE(connmark_tg_reg));
+}
diff --git a/extensions/libxt_CONNMARK.man b/extensions/libxt_CONNMARK.man
new file mode 100644
index 0000000..13c6b4b
--- /dev/null
+++ b/extensions/libxt_CONNMARK.man
@@ -0,0 +1,53 @@
+This module sets the netfilter mark value associated with a connection. The
+mark is 32 bits wide.
+.TP
+\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
+Zero out the bits given by \fImask\fR and XOR \fIvalue\fR into the ctmark.
+.TP
+\fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
+Copy the packet mark (nfmark) to the connection mark (ctmark) using the given
+masks. The new nfmark value is determined as follows:
+.IP
+ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
+.IP
+i.e. \fIctmask\fR defines what bits to clear and \fInfmask\fR what bits of the
+nfmark to XOR into the ctmark. \fIctmask\fR and \fInfmask\fR default to
+0xFFFFFFFF.
+.TP
+\fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP]
+Copy the connection mark (ctmark) to the packet mark (nfmark) using the given
+masks. The new ctmark value is determined as follows:
+.IP
+nfmark = (nfmark & ~\fInfmask\fR) ^ (ctmark & \fIctmask\fR);
+.IP
+i.e. \fInfmask\fR defines what bits to clear and \fIctmask\fR what bits of the
+ctmark to XOR into the nfmark. \fIctmask\fR and \fInfmask\fR default to
+0xFFFFFFFF.
+.IP
+\fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table.
+.PP
+The following mnemonics are available for \fB\-\-set\-xmark\fP:
+.TP
+\fB\-\-and\-mark\fP \fIbits\fP
+Binary AND the ctmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark
+0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.)
+.TP
+\fB\-\-or\-mark\fP \fIbits\fP
+Binary OR the ctmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP
+\fIbits\fR\fB/\fR\fIbits\fR.)
+.TP
+\fB\-\-xor\-mark\fP \fIbits\fP
+Binary XOR the ctmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP
+\fIbits\fR\fB/0\fR.)
+.TP
+\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
+Set the connection mark. If a mask is specified then only those bits set in the
+mask are modified.
+.TP
+\fB\-\-save\-mark\fP [\fB\-\-mask\fP \fImask\fP]
+Copy the nfmark to the ctmark. If a mask is specified, only those bits are
+copied.
+.TP
+\fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP]
+Copy the ctmark to the nfmark. If a mask is specified, only those bits are
+copied. This is only valid in the \fBmangle\fR table.
diff --git a/extensions/libxt_CONNSECMARK.c b/extensions/libxt_CONNSECMARK.c
new file mode 100644
index 0000000..d95339f
--- /dev/null
+++ b/extensions/libxt_CONNSECMARK.c
@@ -0,0 +1,127 @@
+/*
+ * Shared library add-on to iptables to add CONNSECMARK target support.
+ *
+ * Based on the MARK and CONNMARK targets.
+ *
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_CONNSECMARK.h>
+
+#define PFX "CONNSECMARK target: "
+
+static void CONNSECMARK_help(void)
+{
+ printf(
+"CONNSECMARK target options:\n"
+" --save Copy security mark from packet to conntrack\n"
+" --restore Copy security mark from connection to packet\n");
+}
+
+static const struct option CONNSECMARK_opts[] = {
+ { "save", 0, NULL, '1' },
+ { "restore", 0, NULL, '2' },
+ { .name = NULL }
+};
+
+static int
+CONNSECMARK_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_connsecmark_target_info *info =
+ (struct xt_connsecmark_target_info*)(*target)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & CONNSECMARK_SAVE)
+ xtables_error(PARAMETER_PROBLEM, PFX
+ "Can't specify --save twice");
+ info->mode = CONNSECMARK_SAVE;
+ *flags |= CONNSECMARK_SAVE;
+ break;
+
+ case '2':
+ if (*flags & CONNSECMARK_RESTORE)
+ xtables_error(PARAMETER_PROBLEM, PFX
+ "Can't specify --restore twice");
+ info->mode = CONNSECMARK_RESTORE;
+ *flags |= CONNSECMARK_RESTORE;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void CONNSECMARK_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM, PFX "parameter required");
+
+ if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE))
+ xtables_error(PARAMETER_PROBLEM, PFX "only one flag of --save "
+ "or --restore is allowed");
+}
+
+static void print_connsecmark(const struct xt_connsecmark_target_info *info)
+{
+ switch (info->mode) {
+ case CONNSECMARK_SAVE:
+ printf("save ");
+ break;
+
+ case CONNSECMARK_RESTORE:
+ printf("restore ");
+ break;
+
+ default:
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+ }
+}
+
+static void
+CONNSECMARK_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_connsecmark_target_info *info =
+ (struct xt_connsecmark_target_info*)(target)->data;
+
+ printf("CONNSECMARK ");
+ print_connsecmark(info);
+}
+
+static void
+CONNSECMARK_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_connsecmark_target_info *info =
+ (struct xt_connsecmark_target_info*)target->data;
+
+ printf("--");
+ print_connsecmark(info);
+}
+
+static struct xtables_target connsecmark_target = {
+ .family = NFPROTO_UNSPEC,
+ .name = "CONNSECMARK",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
+ .parse = CONNSECMARK_parse,
+ .help = CONNSECMARK_help,
+ .final_check = CONNSECMARK_check,
+ .print = CONNSECMARK_print,
+ .save = CONNSECMARK_save,
+ .extra_opts = CONNSECMARK_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&connsecmark_target);
+}
diff --git a/extensions/libxt_CONNSECMARK.man b/extensions/libxt_CONNSECMARK.man
new file mode 100644
index 0000000..a72e710
--- /dev/null
+++ b/extensions/libxt_CONNSECMARK.man
@@ -0,0 +1,15 @@
+This module copies security markings from packets to connections
+(if unlabeled), and from connections back to packets (also only
+if unlabeled). Typically used in conjunction with SECMARK, it is
+only valid in the
+.B mangle
+table.
+.TP
+\fB\-\-save\fP
+If the packet has a security marking, copy it to the connection
+if the connection is not marked.
+.TP
+\fB\-\-restore\fP
+If the packet does not have a security marking, and the connection
+does, copy the security marking from the connection to the packet.
+
diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
new file mode 100644
index 0000000..6be6ea0
--- /dev/null
+++ b/extensions/libxt_CT.c
@@ -0,0 +1,192 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/xt_CT.h>
+
+static void ct_help(void)
+{
+ printf(
+"CT target options:\n"
+" --notrack Don't track connection\n"
+" --helper name Use conntrack helper 'name' for connection\n"
+" --ctevents event[,event...] Generate specified conntrack events for connection\n"
+" --expevents event[,event...] Generate specified expectation events for connection\n"
+" --zone ID Assign/Lookup connection in zone ID\n"
+ );
+}
+
+enum ct_options {
+ CT_OPT_NOTRACK = 0x1,
+ CT_OPT_HELPER = 0x2,
+ CT_OPT_CTEVENTS = 0x4,
+ CT_OPT_EXPEVENTS = 0x8,
+ CT_OPT_ZONE = 0x10,
+};
+
+static const struct option ct_opts[] = {
+ { "notrack", 0, NULL, CT_OPT_NOTRACK },
+ { "helper", 1, NULL, CT_OPT_HELPER },
+ { "ctevents", 1, NULL, CT_OPT_CTEVENTS },
+ { "expevents", 1, NULL, CT_OPT_EXPEVENTS },
+ { "zone", 1, NULL, CT_OPT_ZONE },
+ { .name = NULL },
+};
+
+struct event_tbl {
+ const char *name;
+ unsigned int event;
+};
+
+static const struct event_tbl ct_event_tbl[] = {
+ { "new", IPCT_NEW },
+ { "related", IPCT_RELATED },
+ { "destroy", IPCT_DESTROY },
+ { "reply", IPCT_REPLY },
+ { "assured", IPCT_ASSURED },
+ { "protoinfo", IPCT_PROTOINFO },
+ { "helper", IPCT_HELPER },
+ { "mark", IPCT_MARK },
+ { "natseqinfo", IPCT_NATSEQADJ },
+ { "secmark", IPCT_SECMARK },
+};
+
+static const struct event_tbl exp_event_tbl[] = {
+ { "new", IPEXP_NEW },
+};
+
+static uint32_t ct_parse_events(const struct event_tbl *tbl, unsigned int size,
+ const char *events)
+{
+ char str[strlen(events) + 1], *e = str, *t;
+ unsigned int mask = 0, i;
+
+ strcpy(str, events);
+ while ((t = strsep(&e, ","))) {
+ for (i = 0; i < size; i++) {
+ if (strcmp(t, tbl[i].name))
+ continue;
+ mask |= 1 << tbl[i].event;
+ break;
+ }
+
+ if (i == size)
+ xtables_error(PARAMETER_PROBLEM, "Unknown event type \"%s\"", t);
+ }
+
+ return mask;
+}
+
+static void ct_print_events(const char *pfx, const struct event_tbl *tbl,
+ unsigned int size, uint32_t mask)
+{
+ const char *sep = "";
+ unsigned int i;
+
+ printf("%s ", pfx);
+ for (i = 0; i < size; i++) {
+ if (mask & (1 << tbl[i].event)) {
+ printf("%s%s", sep, tbl[i].name);
+ sep = ",";
+ }
+ }
+ printf(" ");
+}
+
+static int ct_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_ct_target_info *info = (struct xt_ct_target_info *)(*target)->data;
+ unsigned int zone;
+
+ switch (c) {
+ case CT_OPT_NOTRACK:
+ xtables_param_act(XTF_ONLY_ONCE, "CT", "--notrack", *flags & CT_OPT_NOTRACK);
+ info->flags |= XT_CT_NOTRACK;
+ break;
+ case CT_OPT_HELPER:
+ xtables_param_act(XTF_ONLY_ONCE, "CT", "--helper", *flags & CT_OPT_HELPER);
+ strncpy(info->helper, optarg, sizeof(info->helper));
+ info->helper[sizeof(info->helper) - 1] = '\0';
+ break;
+ case CT_OPT_CTEVENTS:
+ xtables_param_act(XTF_ONLY_ONCE, "CT", "--ctevents", *flags & CT_OPT_CTEVENTS);
+ info->ct_events = ct_parse_events(ct_event_tbl, ARRAY_SIZE(ct_event_tbl), optarg);
+ break;
+ case CT_OPT_EXPEVENTS:
+ xtables_param_act(XTF_ONLY_ONCE, "CT", "--expevents", *flags & CT_OPT_EXPEVENTS);
+ info->exp_events = ct_parse_events(exp_event_tbl, ARRAY_SIZE(exp_event_tbl), optarg);
+ break;
+ case CT_OPT_ZONE:
+ xtables_param_act(XTF_ONLY_ONCE, "CT", "--zone", *flags & CT_OPT_ZONE);
+ if (!xtables_strtoui(optarg, NULL, &zone, 0, UINT16_MAX))
+ xtables_error(PARAMETER_PROBLEM, "Bad zone value \"%s\"", optarg);
+ info->zone = zone;
+ break;
+ default:
+ return 0;
+ }
+
+ *flags |= c;
+ return 1;
+}
+
+static void ct_print(const void *ip, const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_ct_target_info *info =
+ (const struct xt_ct_target_info *)target->data;
+
+ printf("CT ");
+ if (info->flags & XT_CT_NOTRACK)
+ printf("notrack ");
+ if (info->helper[0])
+ printf("helper %s ", info->helper);
+ if (info->ct_events)
+ ct_print_events("ctevents", ct_event_tbl,
+ ARRAY_SIZE(ct_event_tbl), info->ct_events);
+ if (info->exp_events)
+ ct_print_events("expevents", exp_event_tbl,
+ ARRAY_SIZE(exp_event_tbl), info->exp_events);
+ if (info->zone)
+ printf("zone %u ", info->zone);
+}
+
+static void ct_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_ct_target_info *info =
+ (const struct xt_ct_target_info *)target->data;
+
+ if (info->flags & XT_CT_NOTRACK)
+ printf("--notrack ");
+ if (info->helper[0])
+ printf("--helper %s ", info->helper);
+ if (info->ct_events)
+ ct_print_events("--ctevents", ct_event_tbl,
+ ARRAY_SIZE(ct_event_tbl), info->ct_events);
+ if (info->exp_events)
+ ct_print_events("--expevents", exp_event_tbl,
+ ARRAY_SIZE(exp_event_tbl), info->exp_events);
+ if (info->zone)
+ printf("--zone %u ", info->zone);
+}
+
+static struct xtables_target ct_target = {
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ct_target_info)),
+ .userspacesize = offsetof(struct xt_ct_target_info, ct),
+ .help = ct_help,
+ .parse = ct_parse,
+ .print = ct_print,
+ .save = ct_save,
+ .extra_opts = ct_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&ct_target);
+}
diff --git a/extensions/libxt_CT.man b/extensions/libxt_CT.man
new file mode 100644
index 0000000..ff258b7
--- /dev/null
+++ b/extensions/libxt_CT.man
@@ -0,0 +1,25 @@
+The CT target allows to set parameters for a packet or its associated
+connection. The target attaches a "template" connection tracking entry to
+the packet, which is then used by the conntrack core when initializing
+a new ct entry. This target is thus only valid in the "raw" table.
+.TP
+\fB\-\-notrack\fP
+Disables connection tracking for this packet.
+.TP
+\fB\-\-helper\fP \fIname\fP
+Use the helper identified by \fIname\fP for the connection. This is more
+flexible than loading the conntrack helper modules with preset ports.
+.TP
+\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...]
+Only generate the specified conntrack events for this connection. Possible
+event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP,
+\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to
+the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark).
+.TP
+\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...]
+Only generate the specified expectation events for this connection.
+Possible event types are: \fBnew\fP.
+.TP
+\fB\-\-zone\fP \fIid\fP
+Assign this packet to zone \fIid\fP and only have lookups done in that zone.
+By default, packets have zone 0.
diff --git a/extensions/libxt_DSCP.c b/extensions/libxt_DSCP.c
new file mode 100644
index 0000000..82ac10c
--- /dev/null
+++ b/extensions/libxt_DSCP.c
@@ -0,0 +1,149 @@
+/* Shared library add-on to iptables for DSCP
+ *
+ * (C) 2000- 2002 by Matthew G. Marsh <mgm@paktronix.com>,
+ * Harald Welte <laforge@gnumonks.org>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ *
+ * libipt_DSCP.c borrowed heavily from libipt_TOS.c
+ *
+ * --set-class added by Iain Barnes
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_DSCP.h>
+
+/* This is evil, but it's my code - HW*/
+#include "dscp_helper.c"
+
+static void DSCP_help(void)
+{
+ printf(
+"DSCP target options\n"
+" --set-dscp value Set DSCP field in packet header to value\n"
+" This value can be in decimal (ex: 32)\n"
+" or in hex (ex: 0x20)\n"
+" --set-dscp-class class Set the DSCP field in packet header to the\n"
+" value represented by the DiffServ class value.\n"
+" This class may be EF,BE or any of the CSxx\n"
+" or AFxx classes.\n"
+"\n"
+" These two options are mutually exclusive !\n"
+);
+}
+
+static const struct option DSCP_opts[] = {
+ { "set-dscp", 1, NULL, 'F' },
+ { "set-dscp-class", 1, NULL, 'G' },
+ { .name = NULL }
+};
+
+static void
+parse_dscp(const char *s, struct xt_DSCP_info *dinfo)
+{
+ unsigned int dscp;
+
+ if (!xtables_strtoui(s, NULL, &dscp, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid dscp `%s'\n", s);
+
+ if (dscp > XT_DSCP_MAX)
+ xtables_error(PARAMETER_PROBLEM,
+ "DSCP `%d` out of range\n", dscp);
+
+ dinfo->dscp = dscp;
+}
+
+
+static void
+parse_class(const char *s, struct xt_DSCP_info *dinfo)
+{
+ unsigned int dscp = class_to_dscp(s);
+
+ /* Assign the value */
+ dinfo->dscp = dscp;
+}
+
+
+static int DSCP_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_DSCP_info *dinfo
+ = (struct xt_DSCP_info *)(*target)->data;
+
+ switch (c) {
+ case 'F':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "DSCP target: Only use --set-dscp ONCE!");
+ parse_dscp(optarg, dinfo);
+ *flags = 1;
+ break;
+ case 'G':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "DSCP target: Only use --set-dscp-class ONCE!");
+ parse_class(optarg, dinfo);
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void DSCP_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "DSCP target: Parameter --set-dscp is required");
+}
+
+static void
+print_dscp(u_int8_t dscp, int numeric)
+{
+ printf("0x%02x ", dscp);
+}
+
+static void DSCP_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_DSCP_info *dinfo =
+ (const struct xt_DSCP_info *)target->data;
+ printf("DSCP set ");
+ print_dscp(dinfo->dscp, numeric);
+}
+
+static void DSCP_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_DSCP_info *dinfo =
+ (const struct xt_DSCP_info *)target->data;
+
+ printf("--set-dscp 0x%02x ", dinfo->dscp);
+}
+
+static struct xtables_target dscp_target = {
+ .family = NFPROTO_UNSPEC,
+ .name = "DSCP",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_DSCP_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_DSCP_info)),
+ .help = DSCP_help,
+ .parse = DSCP_parse,
+ .final_check = DSCP_check,
+ .print = DSCP_print,
+ .save = DSCP_save,
+ .extra_opts = DSCP_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&dscp_target);
+}
diff --git a/extensions/libxt_DSCP.man b/extensions/libxt_DSCP.man
new file mode 100644
index 0000000..551ba2e
--- /dev/null
+++ b/extensions/libxt_DSCP.man
@@ -0,0 +1,9 @@
+This target allows to alter the value of the DSCP bits within the TOS
+header of the IPv4 packet. As this manipulates a packet, it can only
+be used in the mangle table.
+.TP
+\fB\-\-set\-dscp\fP \fIvalue\fP
+Set the DSCP field to a numerical value (can be decimal or hex)
+.TP
+\fB\-\-set\-dscp\-class\fP \fIclass\fP
+Set the DSCP field to a DiffServ class.
diff --git a/extensions/libxt_LED.c b/extensions/libxt_LED.c
new file mode 100644
index 0000000..af0e091
--- /dev/null
+++ b/extensions/libxt_LED.c
@@ -0,0 +1,155 @@
+/*
+ * libxt_LED.c - shared library add-on to iptables to add customized LED
+ * trigger support.
+ *
+ * (C) 2008 Adam Nielsen <a.nielsen@shikadi.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <stddef.h>
+
+#include <xtables.h>
+
+#include <linux/netfilter/xt_LED.h>
+
+static const struct option LED_opts[] = {
+ {.name = "led-trigger-id", .has_arg = true, .val = 'i'},
+ {.name = "led-delay", .has_arg = true, .val = 'd'},
+ {.name = "led-always-blink", .has_arg = false, .val = 'a'},
+ {.name = NULL},
+};
+
+static void LED_help(void)
+{
+ printf(
+"LED target options:\n"
+"--led-trigger-id name suffix for led trigger name\n"
+"--led-delay ms leave the LED on for this number of\n"
+" milliseconds after triggering.\n"
+"--led-always-blink blink on arriving packets, even if\n"
+" the LED is already on.\n"
+ );
+}
+
+static int LED_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_led_info *led = (void *)(*target)->data;
+
+ switch (c) {
+ case 'i':
+ xtables_param_act(XTF_NO_INVERT, "LED",
+ "--led-trigger-id", invert);
+ if (strlen("netfilter-") + strlen(optarg) > sizeof(led->id))
+ xtables_error(PARAMETER_PROBLEM,
+ "--led-trigger-id must be 16 chars or less");
+ if (optarg[0] == '\0')
+ xtables_error(PARAMETER_PROBLEM,
+ "--led-trigger-id cannot be blank");
+
+ /* "netfilter-" + 16 char id == 26 == sizeof(led->id) */
+ strcpy(led->id, "netfilter-");
+ strcat(led->id, optarg);
+ *flags = 1;
+ return true;
+
+ case 'd':
+ xtables_param_act(XTF_NO_INVERT, "LED", "--led-delay", invert);
+ if (strncasecmp(optarg, "inf", 3) == 0)
+ led->delay = -1;
+ else
+ led->delay = strtoul(optarg, NULL, 0);
+
+ return true;
+
+ case 'a':
+ if (!invert)
+ led->always_blink = 1;
+ return true;
+ }
+ return false;
+}
+
+static void LED_final_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "--led-trigger-id must be specified");
+}
+
+static void LED_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_led_info *led = (void *)target->data;
+ const char *id = led->id + strlen("netfilter-"); /* trim off prefix */
+
+ printf("led-trigger-id:\"");
+ /* Escape double quotes and backslashes in the ID */
+ while (*id != '\0') {
+ if (*id == '"' || *id == '\\')
+ printf("\\");
+ printf("%c", *id++);
+ }
+ printf("\" ");
+
+ if (led->delay == -1)
+ printf("led-delay:inf ");
+ else
+ printf("led-delay:%dms ", led->delay);
+
+ if (led->always_blink)
+ printf("led-always-blink ");
+}
+
+static void LED_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_led_info *led = (void *)target->data;
+ const char *id = led->id + strlen("netfilter-"); /* trim off prefix */
+
+ printf("--led-trigger-id \"");
+ /* Escape double quotes and backslashes in the ID */
+ while (*id != '\0') {
+ if (*id == '"' || *id == '\\')
+ printf("\\");
+ printf("%c", *id++);
+ }
+ printf("\" ");
+
+ /* Only print the delay if it's not zero (the default) */
+ if (led->delay > 0)
+ printf("--led-delay %d ", led->delay);
+ else if (led->delay == -1)
+ printf("--led-delay inf ");
+
+ /* Only print always_blink if it's not set to the default */
+ if (led->always_blink)
+ printf("--led-always-blink ");
+}
+
+static struct xtables_target led_tg_reg = {
+ .version = XTABLES_VERSION,
+ .name = "LED",
+ .family = PF_UNSPEC,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct xt_led_info)),
+ .userspacesize = offsetof(struct xt_led_info, internal_data),
+ .help = LED_help,
+ .parse = LED_parse,
+ .final_check = LED_final_check,
+ .extra_opts = LED_opts,
+ .print = LED_print,
+ .save = LED_save,
+};
+
+void _init(void)
+{
+ xtables_register_target(&led_tg_reg);
+}
diff --git a/extensions/libxt_LED.man b/extensions/libxt_LED.man
new file mode 100644
index 0000000..81c2f29
--- /dev/null
+++ b/extensions/libxt_LED.man
@@ -0,0 +1,30 @@
+This creates an LED-trigger that can then be attached to system indicator
+lights, to blink or illuminate them when certain packets pass through the
+system. One example might be to light up an LED for a few minutes every time
+an SSH connection is made to the local machine. The following options control
+the trigger behavior:
+.TP
+\fB\-\-led\-trigger\-id\fP \fIname\fP
+This is the name given to the LED trigger. The actual name of the trigger
+will be prefixed with "netfilter-".
+.TP
+\fB\-\-led-delay\fP \fIms\fP
+This indicates how long (in milliseconds) the LED should be left illuminated
+when a packet arrives before being switched off again. The default is 0
+(blink as fast as possible.) The special value \fIinf\fP can be given to
+leave the LED on permanently once activated. (In this case the trigger will
+need to be manually detached and reattached to the LED device to switch it
+off again.)
+.TP
+\fB\-\-led\-always\-blink\fP
+Always make the LED blink on packet arrival, even if the LED is already on.
+This allows notification of new packets even with long delay values (which
+otherwise would result in a silent prolonging of the delay time.)
+.TP
+Example:
+.TP
+Create an LED trigger for incoming SSH traffic:
+iptables \-A INPUT \-p tcp \-\-dport 22 \-j LED \-\-led\-trigger\-id ssh
+.TP
+Then attach the new trigger to an LED:
+echo netfilter\-ssh >/sys/class/leds/\fIledname\fP/trigger
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
new file mode 100644
index 0000000..dbfc7c0
--- /dev/null
+++ b/extensions/libxt_MARK.c
@@ -0,0 +1,347 @@
+/* Shared library add-on to iptables to add MARK target support. */
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_MARK.h>
+
+/* Version 0 */
+struct xt_mark_target_info {
+ unsigned long mark;
+};
+
+/* Version 1 */
+enum {
+ XT_MARK_SET=0,
+ XT_MARK_AND,
+ XT_MARK_OR,
+};
+
+struct xt_mark_target_info_v1 {
+ unsigned long mark;
+ u_int8_t mode;
+};
+
+enum {
+ F_MARK = 1 << 0,
+};
+
+static void MARK_help(void)
+{
+ printf(
+"MARK target options:\n"
+" --set-mark value Set nfmark value\n"
+" --and-mark value Binary AND the nfmark with value\n"
+" --or-mark value Binary OR the nfmark with value\n");
+}
+
+static const struct option MARK_opts[] = {
+ { "set-mark", 1, NULL, '1' },
+ { "and-mark", 1, NULL, '2' },
+ { "or-mark", 1, NULL, '3' },
+ { .name = NULL }
+};
+
+static const struct option mark_tg_opts[] = {
+ {.name = "set-xmark", .has_arg = true, .val = 'X'},
+ {.name = "set-mark", .has_arg = true, .val = '='},
+ {.name = "and-mark", .has_arg = true, .val = '&'},
+ {.name = "or-mark", .has_arg = true, .val = '|'},
+ {.name = "xor-mark", .has_arg = true, .val = '^'},
+ { .name = NULL }
+};
+
+static void mark_tg_help(void)
+{
+ printf(
+"MARK target options:\n"
+" --set-xmark value[/mask] Clear bits in mask and XOR value into nfmark\n"
+" --set-mark value[/mask] Clear bits in mask and OR value into nfmark\n"
+" --and-mark bits Binary AND the nfmark with bits\n"
+" --or-mark bits Binary OR the nfmark with bits\n"
+" --xor-mask bits Binary XOR the nfmark with bits\n"
+"\n");
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+MARK_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_mark_target_info *markinfo
+ = (struct xt_mark_target_info *)(*target)->data;
+ unsigned int mark = 0;
+
+ switch (c) {
+ case '1':
+ if (!xtables_strtoui(optarg, NULL, &mark, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM, "Bad MARK value \"%s\"", optarg);
+ markinfo->mark = mark;
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "MARK target: Can't specify --set-mark twice");
+ *flags = 1;
+ break;
+ case '2':
+ xtables_error(PARAMETER_PROBLEM,
+ "MARK target: kernel too old for --and-mark");
+ case '3':
+ xtables_error(PARAMETER_PROBLEM,
+ "MARK target: kernel too old for --or-mark");
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void MARK_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "MARK target: Parameter --set/and/or-mark"
+ " is required");
+}
+
+static int
+MARK_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_mark_target_info_v1 *markinfo
+ = (struct xt_mark_target_info_v1 *)(*target)->data;
+ unsigned int mark = 0;
+
+ switch (c) {
+ case '1':
+ markinfo->mode = XT_MARK_SET;
+ break;
+ case '2':
+ markinfo->mode = XT_MARK_AND;
+ break;
+ case '3':
+ markinfo->mode = XT_MARK_OR;
+ break;
+ default:
+ return 0;
+ }
+
+ if (!xtables_strtoui(optarg, NULL, &mark, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM, "Bad MARK value \"%s\"", optarg);
+ markinfo->mark = mark;
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "MARK target: Can't specify --set-mark twice");
+
+ *flags = 1;
+ return 1;
+}
+
+static int mark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_mark_tginfo2 *info = (void *)(*target)->data;
+ unsigned int value, mask = UINT32_MAX;
+ char *end;
+
+ switch (c) {
+ case 'X': /* --set-xmark */
+ case '=': /* --set-mark */
+ xtables_param_act(XTF_ONE_ACTION, "MARK", *flags & F_MARK);
+ xtables_param_act(XTF_NO_INVERT, "MARK", "--set-xmark/--set-mark", invert);
+ if (!xtables_strtoui(optarg, &end, &value, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "MARK", "--set-xmark/--set-mark", optarg);
+ if (*end == '/')
+ if (!xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "MARK", "--set-xmark/--set-mark", optarg);
+ if (*end != '\0')
+ xtables_param_act(XTF_BAD_VALUE, "MARK", "--set-xmark/--set-mark", optarg);
+ info->mark = value;
+ info->mask = mask;
+
+ if (c == '=')
+ info->mask = value | mask;
+ break;
+
+ case '&': /* --and-mark */
+ xtables_param_act(XTF_ONE_ACTION, "MARK", *flags & F_MARK);
+ xtables_param_act(XTF_NO_INVERT, "MARK", "--and-mark", invert);
+ if (!xtables_strtoui(optarg, NULL, &mask, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "MARK", "--and-mark", optarg);
+ info->mark = 0;
+ info->mask = ~mask;
+ break;
+
+ case '|': /* --or-mark */
+ xtables_param_act(XTF_ONE_ACTION, "MARK", *flags & F_MARK);
+ xtables_param_act(XTF_NO_INVERT, "MARK", "--or-mark", invert);
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "MARK", "--or-mark", optarg);
+ info->mark = value;
+ info->mask = value;
+ break;
+
+ case '^': /* --xor-mark */
+ xtables_param_act(XTF_ONE_ACTION, "MARK", *flags & F_MARK);
+ xtables_param_act(XTF_NO_INVERT, "MARK", "--xor-mark", invert);
+ if (!xtables_strtoui(optarg, NULL, &value, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "MARK", "--xor-mark", optarg);
+ info->mark = value;
+ info->mask = 0;
+ break;
+
+ default:
+ return false;
+ }
+
+ *flags |= F_MARK;
+ return true;
+}
+
+static void mark_tg_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM, "MARK: One of the --set-xmark, "
+ "--{and,or,xor,set}-mark options is required");
+}
+
+static void
+print_mark(unsigned long mark)
+{
+ printf("0x%lx ", mark);
+}
+
+static void MARK_print_v0(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_mark_target_info *markinfo =
+ (const struct xt_mark_target_info *)target->data;
+ printf("MARK set ");
+ print_mark(markinfo->mark);
+}
+
+static void MARK_save_v0(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_mark_target_info *markinfo =
+ (const struct xt_mark_target_info *)target->data;
+
+ printf("--set-mark ");
+ print_mark(markinfo->mark);
+}
+
+static void MARK_print_v1(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_mark_target_info_v1 *markinfo =
+ (const struct xt_mark_target_info_v1 *)target->data;
+
+ switch (markinfo->mode) {
+ case XT_MARK_SET:
+ printf("MARK set ");
+ break;
+ case XT_MARK_AND:
+ printf("MARK and ");
+ break;
+ case XT_MARK_OR:
+ printf("MARK or ");
+ break;
+ }
+ print_mark(markinfo->mark);
+}
+
+static void mark_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_mark_tginfo2 *info = (const void *)target->data;
+
+ if (info->mark == 0)
+ printf("MARK and 0x%x ", (unsigned int)(u_int32_t)~info->mask);
+ else if (info->mark == info->mask)
+ printf("MARK or 0x%x ", info->mark);
+ else if (info->mask == 0)
+ printf("MARK xor 0x%x ", info->mark);
+ else if (info->mask == 0xffffffffU)
+ printf("MARK set 0x%x ", info->mark);
+ else
+ printf("MARK xset 0x%x/0x%x ", info->mark, info->mask);
+}
+
+static void MARK_save_v1(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_mark_target_info_v1 *markinfo =
+ (const struct xt_mark_target_info_v1 *)target->data;
+
+ switch (markinfo->mode) {
+ case XT_MARK_SET:
+ printf("--set-mark ");
+ break;
+ case XT_MARK_AND:
+ printf("--and-mark ");
+ break;
+ case XT_MARK_OR:
+ printf("--or-mark ");
+ break;
+ }
+ print_mark(markinfo->mark);
+}
+
+static void mark_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_mark_tginfo2 *info = (const void *)target->data;
+
+ printf("--set-xmark 0x%x/0x%x ", info->mark, info->mask);
+}
+
+static struct xtables_target mark_tg_reg[] = {
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "MARK",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct xt_mark_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info)),
+ .help = MARK_help,
+ .parse = MARK_parse_v0,
+ .final_check = MARK_check,
+ .print = MARK_print_v0,
+ .save = MARK_save_v0,
+ .extra_opts = MARK_opts,
+ },
+ {
+ .family = NFPROTO_IPV4,
+ .name = "MARK",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)),
+ .help = MARK_help,
+ .parse = MARK_parse_v1,
+ .final_check = MARK_check,
+ .print = MARK_print_v1,
+ .save = MARK_save_v1,
+ .extra_opts = MARK_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "MARK",
+ .revision = 2,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
+ .help = mark_tg_help,
+ .parse = mark_tg_parse,
+ .final_check = mark_tg_check,
+ .print = mark_tg_print,
+ .save = mark_tg_save,
+ .extra_opts = mark_tg_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
+}
diff --git a/extensions/libxt_MARK.man b/extensions/libxt_MARK.man
new file mode 100644
index 0000000..aaeceb4
--- /dev/null
+++ b/extensions/libxt_MARK.man
@@ -0,0 +1,27 @@
+This target is used to set the Netfilter mark value associated with the packet.
+It can, for example, be used in conjunction with routing based on fwmark (needs
+iproute2). If you plan on doing so, note that the mark needs to be set in the
+PREROUTING chain of the mangle table to affect routing.
+The mark field is 32 bits wide.
+.TP
+\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
+Zeroes out the bits given by \fImask\fR and XORs \fIvalue\fR into the packet
+mark ("nfmark"). If \fImask\fR is omitted, 0xFFFFFFFF is assumed.
+.TP
+\fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
+Zeroes out the bits given by \fImask\fR and ORs \fIvalue\fR into the packet
+mark. If \fImask\fR is omitted, 0xFFFFFFFF is assumed.
+.PP
+The following mnemonics are available:
+.TP
+\fB\-\-and\-mark\fP \fIbits\fP
+Binary AND the nfmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark
+0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.)
+.TP
+\fB\-\-or\-mark\fP \fIbits\fP
+Binary OR the nfmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP
+\fIbits\fR\fB/\fR\fIbits\fR.)
+.TP
+\fB\-\-xor\-mark\fP \fIbits\fP
+Binary XOR the nfmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP
+\fIbits\fR\fB/0\fR.)
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
new file mode 100644
index 0000000..e2185d5
--- /dev/null
+++ b/extensions/libxt_NFLOG.c
@@ -0,0 +1,158 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <getopt.h>
+#include <xtables.h>
+
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_NFLOG.h>
+
+enum {
+ NFLOG_GROUP = 0x1,
+ NFLOG_PREFIX = 0x2,
+ NFLOG_RANGE = 0x4,
+ NFLOG_THRESHOLD = 0x8,
+};
+
+static const struct option NFLOG_opts[] = {
+ { "nflog-group", 1, NULL, NFLOG_GROUP },
+ { "nflog-prefix", 1, NULL, NFLOG_PREFIX },
+ { "nflog-range", 1, NULL, NFLOG_RANGE },
+ { "nflog-threshold", 1, NULL, NFLOG_THRESHOLD },
+ { .name = NULL }
+};
+
+static void NFLOG_help(void)
+{
+ printf("NFLOG target options:\n"
+ " --nflog-group NUM NETLINK group used for logging\n"
+ " --nflog-range NUM Number of byte to copy\n"
+ " --nflog-threshold NUM Message threshold of in-kernel queue\n"
+ " --nflog-prefix STRING Prefix string for log messages\n");
+}
+
+static void NFLOG_init(struct xt_entry_target *t)
+{
+ struct xt_nflog_info *info = (struct xt_nflog_info *)t->data;
+
+ info->group = 0;
+ info->threshold = XT_NFLOG_DEFAULT_THRESHOLD;
+}
+
+static int NFLOG_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_nflog_info *info = (struct xt_nflog_info *)(*target)->data;
+ int n;
+ size_t length;
+
+ switch (c) {
+ case NFLOG_GROUP:
+ if (*flags & NFLOG_GROUP)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --nflog-group twice");
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --nflog-group");
+
+ n = atoi(optarg);
+ if (n < 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "--nflog-group can not be negative");
+ info->group = n;
+ break;
+ case NFLOG_PREFIX:
+ if (*flags & NFLOG_PREFIX)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --nflog-prefix twice");
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --nflog-prefix");
+
+ length = strlen(optarg);
+ if (length == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "No prefix specified for --nflog-prefix");
+ if (length >= sizeof(info->prefix))
+ xtables_error(PARAMETER_PROBLEM,
+ "--nflog-prefix too long, max %Zu characters",
+ sizeof(info->prefix) - 1);
+ if (length != strlen(strtok(optarg, "\n")))
+ xtables_error(PARAMETER_PROBLEM,
+ "Newlines are not allowed in --nflog-prefix");
+ strcpy(info->prefix, optarg);
+ break;
+ case NFLOG_RANGE:
+ if (*flags & NFLOG_RANGE)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --nflog-range twice");
+ n = atoi(optarg);
+ if (n < 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid --nflog-range, must be >= 0");
+ info->len = n;
+ break;
+ case NFLOG_THRESHOLD:
+ if (*flags & NFLOG_THRESHOLD)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify --nflog-threshold twice");
+ n = atoi(optarg);
+ if (n < 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid --nflog-threshold, must be >= 1");
+ info->threshold = n;
+ break;
+ default:
+ return 0;
+ }
+ *flags |= c;
+ return 1;
+}
+
+static void nflog_print(const struct xt_nflog_info *info, char *prefix)
+{
+ if (info->prefix[0] != '\0') {
+ printf("%snflog-prefix ", prefix);
+ xtables_save_string(info->prefix);
+ }
+ if (info->group)
+ printf("%snflog-group %u ", prefix, info->group);
+ if (info->len)
+ printf("%snflog-range %u ", prefix, info->len);
+ if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
+ printf("%snflog-threshold %u ", prefix, info->threshold);
+}
+
+static void NFLOG_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_nflog_info *info = (struct xt_nflog_info *)target->data;
+
+ nflog_print(info, "");
+}
+
+static void NFLOG_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_nflog_info *info = (struct xt_nflog_info *)target->data;
+
+ nflog_print(info, "--");
+}
+
+static struct xtables_target nflog_target = {
+ .family = NFPROTO_UNSPEC,
+ .name = "NFLOG",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_nflog_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_nflog_info)),
+ .help = NFLOG_help,
+ .init = NFLOG_init,
+ .parse = NFLOG_parse,
+ .print = NFLOG_print,
+ .save = NFLOG_save,
+ .extra_opts = NFLOG_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&nflog_target);
+}
diff --git a/extensions/libxt_NFLOG.man b/extensions/libxt_NFLOG.man
new file mode 100644
index 0000000..66f0b97
--- /dev/null
+++ b/extensions/libxt_NFLOG.man
@@ -0,0 +1,29 @@
+This target provides logging of matching packets. When this target is
+set for a rule, the Linux kernel will pass the packet to the loaded
+logging backend to log the packet. This is usually used in combination
+with nfnetlink_log as logging backend, which will multicast the packet
+through a
+.IR netlink
+socket to the specified multicast group. One or more userspace processes
+may subscribe to the group to receive the packets. Like LOG, this is a
+non-terminating target, i.e. rule traversal continues at the next rule.
+.TP
+\fB\-\-nflog\-group\fP \fInlgroup\fP
+The netlink group (1 \- 2^32\-1) to which packets are (only applicable for
+nfnetlink_log). The default value is 0.
+.TP
+\fB\-\-nflog\-prefix\fP \fIprefix\fP
+A prefix string to include in the log message, up to 64 characters
+long, useful for distinguishing messages in the logs.
+.TP
+\fB\-\-nflog\-range\fP \fIsize\fP
+The number of bytes to be copied to userspace (only applicable for
+nfnetlink_log). nfnetlink_log instances may specify their own
+range, this option overrides it.
+.TP
+\fB\-\-nflog\-threshold\fP \fIsize\fP
+Number of packets to queue inside the kernel before sending them
+to userspace (only applicable for nfnetlink_log). Higher values
+result in less overhead per packet, but increase delay until the
+packets reach userspace. The default value is 1.
+.BR
diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
new file mode 100644
index 0000000..2d9d98a
--- /dev/null
+++ b/extensions/libxt_NFQUEUE.c
@@ -0,0 +1,204 @@
+/* Shared library add-on to iptables for NFQ
+ *
+ * (C) 2005 by Harald Welte <laforge@netfilter.org>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_NFQUEUE.h>
+
+static void NFQUEUE_help(void)
+{
+ printf(
+"NFQUEUE target options\n"
+" --queue-num value Send packet to QUEUE number <value>.\n"
+" Valid queue numbers are 0-65535\n"
+);
+}
+
+static void NFQUEUE_help_v1(void)
+{
+ NFQUEUE_help();
+ printf(
+" --queue-balance first:last Balance flows between queues <value> to <value>.\n");
+}
+
+static const struct option NFQUEUE_opts[] = {
+ { "queue-num", 1, NULL, 'F' },
+ { "queue-balance", 1, NULL, 'B' },
+ { .name = NULL }
+};
+
+static void exit_badqueue(const char *s)
+{
+ xtables_error(PARAMETER_PROBLEM, "Invalid queue number `%s'\n", s);
+}
+
+static void
+parse_num(const char *s, struct xt_NFQ_info *tinfo)
+{
+ unsigned int num;
+
+ if (!xtables_strtoui(s, NULL, &num, 0, UINT16_MAX))
+ exit_badqueue(s);
+
+ tinfo->queuenum = num;
+}
+
+static int
+NFQUEUE_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_NFQ_info *tinfo
+ = (struct xt_NFQ_info *)(*target)->data;
+
+ switch (c) {
+ case 'F':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM, "NFQUEUE target: "
+ "Only use --queue-num ONCE!");
+ parse_num(optarg, tinfo);
+ break;
+ case 'B':
+ xtables_error(PARAMETER_PROBLEM, "NFQUEUE target: "
+ "--queue-balance not supported (kernel too old?)");
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static int
+NFQUEUE_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_NFQ_info_v1 *info = (void *)(*target)->data;
+ char *colon;
+ unsigned int firstqueue, lastqueue;
+
+ switch (c) {
+ case 'F': /* fallthrough */
+ case 'B':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM, "NFQUEUE target: "
+ "Only use --queue-num ONCE!");
+
+ if (!xtables_strtoui(optarg, &colon, &firstqueue, 0, UINT16_MAX))
+ exit_badqueue(optarg);
+
+ info->queuenum = firstqueue;
+
+ if (c == 'F') {
+ if (*colon)
+ exit_badqueue(optarg);
+ break;
+ }
+
+ if (*colon != ':')
+ xtables_error(PARAMETER_PROBLEM, "Bad range \"%s\"", optarg);
+
+ if (!xtables_strtoui(colon + 1, NULL, &lastqueue, 1, UINT16_MAX))
+ exit_badqueue(optarg);
+
+ if (firstqueue >= lastqueue)
+ xtables_error(PARAMETER_PROBLEM, "%u should be less than %u",
+ firstqueue, lastqueue);
+ info->queues_total = lastqueue - firstqueue + 1;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void NFQUEUE_print(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_NFQ_info *tinfo =
+ (const struct xt_NFQ_info *)target->data;
+ printf("NFQUEUE num %u", tinfo->queuenum);
+}
+
+static void NFQUEUE_print_v1(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_NFQ_info_v1 *tinfo = (const void *)target->data;
+ unsigned int last = tinfo->queues_total;
+
+ if (last > 1) {
+ last += tinfo->queuenum - 1;
+ printf("NFQUEUE balance %u:%u", tinfo->queuenum, last);
+ } else {
+ printf("NFQUEUE num %u", tinfo->queuenum);
+ }
+}
+
+static void NFQUEUE_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_NFQ_info *tinfo =
+ (const struct xt_NFQ_info *)target->data;
+
+ printf("--queue-num %u ", tinfo->queuenum);
+}
+
+static void NFQUEUE_save_v1(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_NFQ_info_v1 *tinfo = (const void *)target->data;
+ unsigned int last = tinfo->queues_total;
+
+ if (last > 1) {
+ last += tinfo->queuenum - 1;
+ printf("--queue-balance %u:%u ", tinfo->queuenum, last);
+ } else {
+ printf("--queue-num %u ", tinfo->queuenum);
+ }
+}
+
+static void NFQUEUE_init_v1(struct xt_entry_target *t)
+{
+ struct xt_NFQ_info_v1 *tinfo = (void *)t->data;
+ tinfo->queues_total = 1;
+}
+
+static struct xtables_target nfqueue_target = {
+ .family = NFPROTO_UNSPEC,
+ .name = "NFQUEUE",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_NFQ_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info)),
+ .help = NFQUEUE_help,
+ .parse = NFQUEUE_parse,
+ .print = NFQUEUE_print,
+ .save = NFQUEUE_save,
+ .extra_opts = NFQUEUE_opts
+};
+
+static struct xtables_target nfqueue_target_v1 = {
+ .family = NFPROTO_UNSPEC,
+ .revision = 1,
+ .name = "NFQUEUE",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_NFQ_info_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info_v1)),
+ .help = NFQUEUE_help_v1,
+ .init = NFQUEUE_init_v1,
+ .parse = NFQUEUE_parse_v1,
+ .print = NFQUEUE_print_v1,
+ .save = NFQUEUE_save_v1,
+ .extra_opts = NFQUEUE_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&nfqueue_target);
+ xtables_register_target(&nfqueue_target_v1);
+}
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
new file mode 100644
index 0000000..59eddfc
--- /dev/null
+++ b/extensions/libxt_NFQUEUE.man
@@ -0,0 +1,18 @@
+This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
+you to put a packet into any specific queue, identified by its 16-bit queue
+number.
+It can only be used with Kernel versions 2.6.14 or later, since it requires
+the
+.B
+nfnetlink_queue
+kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31.
+.TP
+\fB\-\-queue\-num\fP \fIvalue\fP
+This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
+.PP
+.TP
+\fB\-\-queue\-balance\fP \fIvalue\fP\fB:\fP\fIvalue\fP
+This specifies a range of queues to use. Packets are then balanced across the given queues.
+This is useful for multicore systems: start multiple instances of the userspace program on
+queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP".
+Packets belonging to the same connection are put into the same nfqueue.
diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c
new file mode 100644
index 0000000..ca58700
--- /dev/null
+++ b/extensions/libxt_NOTRACK.c
@@ -0,0 +1,15 @@
+/* Shared library add-on to iptables to add NOTRACK target support. */
+#include <xtables.h>
+
+static struct xtables_target notrack_target = {
+ .family = NFPROTO_UNSPEC,
+ .name = "NOTRACK",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(0),
+ .userspacesize = XT_ALIGN(0),
+};
+
+void _init(void)
+{
+ xtables_register_target(&notrack_target);
+}
diff --git a/extensions/libxt_NOTRACK.man b/extensions/libxt_NOTRACK.man
new file mode 100644
index 0000000..c2cdf5a
--- /dev/null
+++ b/extensions/libxt_NOTRACK.man
@@ -0,0 +1,5 @@
+This target disables connection tracking for all packets matching that rule.
+.PP
+It can only be used in the
+.B raw
+table.
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
new file mode 100644
index 0000000..4b7831f
--- /dev/null
+++ b/extensions/libxt_RATEEST.c
@@ -0,0 +1,222 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <getopt.h>
+#include <math.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_RATEEST.h>
+
+/* hack to pass raw values to final_check */
+static struct xt_rateest_target_info *RATEEST_info;
+static unsigned int interval;
+static unsigned int ewma_log;
+
+static void
+RATEEST_help(void)
+{
+ printf(
+"RATEEST target options:\n"
+" --rateest-name name Rate estimator name\n"
+" --rateest-interval sec Rate measurement interval in seconds\n"
+" --rateest-ewmalog value Rate measurement averaging time constant\n");
+}
+
+enum RATEEST_options {
+ RATEEST_OPT_NAME,
+ RATEEST_OPT_INTERVAL,
+ RATEEST_OPT_EWMALOG,
+};
+
+static const struct option RATEEST_opts[] = {
+ { "rateest-name", 1, NULL, RATEEST_OPT_NAME },
+ { "rateest-interval", 1, NULL, RATEEST_OPT_INTERVAL },
+ { "rateest-ewmalog", 1, NULL, RATEEST_OPT_EWMALOG },
+ { .name = NULL },
+};
+
+/* Copied from iproute */
+#define TIME_UNITS_PER_SEC 1000000
+
+static int
+RATEEST_get_time(unsigned int *time, const char *str)
+{
+ double t;
+ char *p;
+
+ t = strtod(str, &p);
+ if (p == str)
+ return -1;
+
+ if (*p) {
+ if (strcasecmp(p, "s") == 0 || strcasecmp(p, "sec")==0 ||
+ strcasecmp(p, "secs")==0)
+ t *= TIME_UNITS_PER_SEC;
+ else if (strcasecmp(p, "ms") == 0 || strcasecmp(p, "msec")==0 ||
+ strcasecmp(p, "msecs") == 0)
+ t *= TIME_UNITS_PER_SEC/1000;
+ else if (strcasecmp(p, "us") == 0 || strcasecmp(p, "usec")==0 ||
+ strcasecmp(p, "usecs") == 0)
+ t *= TIME_UNITS_PER_SEC/1000000;
+ else
+ return -1;
+ }
+
+ *time = t;
+ return 0;
+}
+
+static void
+RATEEST_print_time(unsigned int time)
+{
+ double tmp = time;
+
+ if (tmp >= TIME_UNITS_PER_SEC)
+ printf("%.1fs ", tmp/TIME_UNITS_PER_SEC);
+ else if (tmp >= TIME_UNITS_PER_SEC/1000)
+ printf("%.1fms ", tmp/(TIME_UNITS_PER_SEC/1000));
+ else
+ printf("%uus ", time);
+}
+
+static void
+RATEEST_init(struct xt_entry_target *target)
+{
+ interval = 0;
+ ewma_log = 0;
+}
+
+static int
+RATEEST_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_rateest_target_info *info = (void *)(*target)->data;
+
+ RATEEST_info = info;
+
+ switch (c) {
+ case RATEEST_OPT_NAME:
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "RATEEST: can't specify --rateest-name twice");
+ *flags |= 1 << c;
+
+ strncpy(info->name, optarg, sizeof(info->name) - 1);
+ break;
+
+ case RATEEST_OPT_INTERVAL:
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "RATEEST: can't specify --rateest-interval twice");
+ *flags |= 1 << c;
+
+ if (RATEEST_get_time(&interval, optarg) < 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "RATEEST: bad interval value `%s'", optarg);
+
+ break;
+
+ case RATEEST_OPT_EWMALOG:
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "RATEEST: can't specify --rateest-ewmalog twice");
+ *flags |= 1 << c;
+
+ if (RATEEST_get_time(&ewma_log, optarg) < 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "RATEEST: bad ewmalog value `%s'", optarg);
+
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+RATEEST_final_check(unsigned int flags)
+{
+ struct xt_rateest_target_info *info = RATEEST_info;
+
+ if (!(flags & (1 << RATEEST_OPT_NAME)))
+ xtables_error(PARAMETER_PROBLEM, "RATEEST: no name specified");
+ if (!(flags & (1 << RATEEST_OPT_INTERVAL)))
+ xtables_error(PARAMETER_PROBLEM, "RATEEST: no interval specified");
+ if (!(flags & (1 << RATEEST_OPT_EWMALOG)))
+ xtables_error(PARAMETER_PROBLEM, "RATEEST: no ewmalog specified");
+
+ for (info->interval = 0; info->interval <= 5; info->interval++) {
+ if (interval <= (1 << info->interval) * (TIME_UNITS_PER_SEC / 4))
+ break;
+ }
+
+ if (info->interval > 5)
+ xtables_error(PARAMETER_PROBLEM,
+ "RATEEST: interval value is too large");
+ info->interval -= 2;
+
+ for (info->ewma_log = 1; info->ewma_log < 32; info->ewma_log++) {
+ double w = 1.0 - 1.0 / (1 << info->ewma_log);
+ if (interval / (-log(w)) > ewma_log)
+ break;
+ }
+ info->ewma_log--;
+
+ if (info->ewma_log == 0 || info->ewma_log >= 31)
+ xtables_error(PARAMETER_PROBLEM,
+ "RATEEST: ewmalog value is out of range");
+}
+
+static void
+__RATEEST_print(const struct xt_entry_target *target, const char *prefix)
+{
+ const struct xt_rateest_target_info *info = (const void *)target->data;
+ unsigned int local_interval;
+ unsigned int local_ewma_log;
+
+ local_interval = (TIME_UNITS_PER_SEC << (info->interval + 2)) / 4;
+ local_ewma_log = local_interval * (1 << (info->ewma_log));
+
+ printf("%sname %s ", prefix, info->name);
+ printf("%sinterval ", prefix);
+ RATEEST_print_time(local_interval);
+ printf("%sewmalog ", prefix);
+ RATEEST_print_time(local_ewma_log);
+}
+
+static void
+RATEEST_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ __RATEEST_print(target, "");
+}
+
+static void
+RATEEST_save(const void *ip, const struct xt_entry_target *target)
+{
+ __RATEEST_print(target, "--rateest-");
+}
+
+static struct xtables_target rateest_tg_reg = {
+ .family = NFPROTO_UNSPEC,
+ .name = "RATEEST",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
+ .help = RATEEST_help,
+ .init = RATEEST_init,
+ .parse = RATEEST_parse,
+ .final_check = RATEEST_final_check,
+ .print = RATEEST_print,
+ .save = RATEEST_save,
+ .extra_opts = RATEEST_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&rateest_tg_reg);
+}
diff --git a/extensions/libxt_RATEEST.man b/extensions/libxt_RATEEST.man
new file mode 100644
index 0000000..37de759
--- /dev/null
+++ b/extensions/libxt_RATEEST.man
@@ -0,0 +1,12 @@
+The RATEEST target collects statistics, performs rate estimation calculation
+and saves the results for later evaluation using the \fBrateest\fP match.
+.TP
+\fB\-\-rateest\-name\fP \fIname\fP
+Count matched packets into the pool referred to by \fIname\fP, which is freely
+choosable.
+.TP
+\fB\-\-rateest\-interval\fP \fIamount\fP{\fBs\fP|\fBms\fP|\fBus\fP}
+Rate measurement interval, in seconds, milliseconds or microseconds.
+.TP
+\fB\-\-rateest\-ewmalog\fP \fIvalue\fP
+Rate measurement averaging time constant.
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
new file mode 100644
index 0000000..2152b6f
--- /dev/null
+++ b/extensions/libxt_SECMARK.c
@@ -0,0 +1,113 @@
+/*
+ * Shared library add-on to iptables to add SECMARK target support.
+ *
+ * Based on the MARK target.
+ *
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_SECMARK.h>
+
+#define PFX "SECMARK target: "
+
+static void SECMARK_help(void)
+{
+ printf(
+"SECMARK target options:\n"
+" --selctx value Set the SELinux security context\n");
+}
+
+static const struct option SECMARK_opts[] = {
+ { "selctx", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static int SECMARK_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_secmark_target_info *info =
+ (struct xt_secmark_target_info*)(*target)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & SECMARK_MODE_SEL)
+ xtables_error(PARAMETER_PROBLEM, PFX
+ "Can't specify --selctx twice");
+ info->mode = SECMARK_MODE_SEL;
+
+ if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
+ xtables_error(PARAMETER_PROBLEM, PFX
+ "Maximum length %u exceeded by --selctx"
+ " parameter (%zu)",
+ SECMARK_SELCTX_MAX-1, strlen(optarg));
+
+ strcpy(info->u.sel.selctx, optarg);
+ *flags |= SECMARK_MODE_SEL;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void SECMARK_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM, PFX "parameter required");
+}
+
+static void print_secmark(const struct xt_secmark_target_info *info)
+{
+ switch (info->mode) {
+ case SECMARK_MODE_SEL:
+ printf("selctx %s ", info->u.sel.selctx);\
+ break;
+
+ default:
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+ }
+}
+
+static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_secmark_target_info *info =
+ (struct xt_secmark_target_info*)(target)->data;
+
+ printf("SECMARK ");
+ print_secmark(info);
+}
+
+static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_secmark_target_info *info =
+ (struct xt_secmark_target_info*)target->data;
+
+ printf("--");
+ print_secmark(info);
+}
+
+static struct xtables_target secmark_target = {
+ .family = NFPROTO_UNSPEC,
+ .name = "SECMARK",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+ .help = SECMARK_help,
+ .parse = SECMARK_parse,
+ .final_check = SECMARK_check,
+ .print = SECMARK_print,
+ .save = SECMARK_save,
+ .extra_opts = SECMARK_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&secmark_target);
+}
diff --git a/extensions/libxt_SECMARK.man b/extensions/libxt_SECMARK.man
new file mode 100644
index 0000000..e44efce
--- /dev/null
+++ b/extensions/libxt_SECMARK.man
@@ -0,0 +1,7 @@
+This is used to set the security mark value associated with the
+packet for use by security subsystems such as SELinux. It is only
+valid in the
+.B mangle
+table. The mark is 32 bits wide.
+.TP
+\fB\-\-selctx\fP \fIsecurity_context\fP
diff --git a/extensions/libxt_SET.c b/extensions/libxt_SET.c
new file mode 100644
index 0000000..f6386a9
--- /dev/null
+++ b/extensions/libxt_SET.c
@@ -0,0 +1,286 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ * Patrick Schaaf <bof@bof.de>
+ * Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+/* Shared library add-on to iptables to add IP set mangling target. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ctype.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_set.h>
+#include "libxt_set.h"
+
+static void
+set_target_help(void)
+{
+ printf("SET target options:\n"
+ " --add-set name flags\n"
+ " --del-set name flags\n"
+ " add/del src/dst IP/port from/to named sets,\n"
+ " where flags are the comma separated list of\n"
+ " 'src' and 'dst' specifications.\n");
+}
+
+static const struct option set_target_opts[] = {
+ { .name = "add-set", .has_arg = true, .val = '1'},
+ { .name = "del-set", .has_arg = true, .val = '2'},
+ { .name = NULL }
+};
+
+static void
+set_target_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "You must specify either `--add-set' or `--del-set'");
+}
+
+static void
+set_target_init_v0(struct xt_entry_target *target)
+{
+ struct xt_set_info_target_v0 *info =
+ (struct xt_set_info_target_v0 *) target->data;
+
+ info->add_set.index =
+ info->del_set.index = IPSET_INVALID_ID;
+
+}
+
+static void
+parse_target_v0(char **argv, int invert, unsigned int *flags,
+ struct xt_set_info_v0 *info, const char *what)
+{
+ if (info->u.flags[0])
+ xtables_error(PARAMETER_PROBLEM,
+ "--%s can be specified only once", what);
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --%s", what);
+
+ if (!argv[optind]
+ || argv[optind][0] == '-' || argv[optind][0] == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "--%s requires two args.", what);
+
+ if (strlen(optarg) > IPSET_MAXNAMELEN - 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "setname `%s' too long, max %d characters.",
+ optarg, IPSET_MAXNAMELEN - 1);
+
+ get_set_byname(optarg, (struct xt_set_info *)info);
+ parse_dirs_v0(argv[optind], info);
+ optind++;
+
+ *flags = 1;
+}
+
+static int
+set_target_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_set_info_target_v0 *myinfo =
+ (struct xt_set_info_target_v0 *) (*target)->data;
+
+ switch (c) {
+ case '1': /* --add-set <set> <flags> */
+ parse_target_v0(argv, invert, flags,
+ &myinfo->add_set, "add-set");
+ break;
+ case '2': /* --del-set <set>[:<flags>] <flags> */
+ parse_target_v0(argv, invert, flags,
+ &myinfo->del_set, "del-set");
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void
+print_target_v0(const char *prefix, const struct xt_set_info_v0 *info)
+{
+ int i;
+ char setname[IPSET_MAXNAMELEN];
+
+ if (info->index == IPSET_INVALID_ID)
+ return;
+ get_set_byid(setname, info->index);
+ printf("%s %s", prefix, setname);
+ for (i = 0; i < IPSET_DIM_MAX; i++) {
+ if (!info->u.flags[i])
+ break;
+ printf("%s%s",
+ i == 0 ? " " : ",",
+ info->u.flags[i] & IPSET_SRC ? "src" : "dst");
+ }
+ printf(" ");
+}
+
+static void
+set_target_print_v0(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_set_info_target_v0 *info = (const void *)target->data;
+
+ print_target_v0("add-set", &info->add_set);
+ print_target_v0("del-set", &info->del_set);
+}
+
+static void
+set_target_save_v0(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_set_info_target_v0 *info = (const void *)target->data;
+
+ print_target_v0("--add-set", &info->add_set);
+ print_target_v0("--del-set", &info->del_set);
+}
+
+static void
+set_target_init(struct xt_entry_target *target)
+{
+ struct xt_set_info_target *info =
+ (struct xt_set_info_target *) target->data;
+
+ info->add_set.index =
+ info->del_set.index = IPSET_INVALID_ID;
+
+}
+
+static void
+parse_target(char **argv, int invert, unsigned int *flags,
+ struct xt_set_info *info, const char *what)
+{
+ if (info->dim)
+ xtables_error(PARAMETER_PROBLEM,
+ "--%s can be specified only once", what);
+
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' after --%s", what);
+
+ if (!argv[optind]
+ || argv[optind][0] == '-' || argv[optind][0] == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "--%s requires two args.", what);
+
+ if (strlen(optarg) > IPSET_MAXNAMELEN - 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "setname `%s' too long, max %d characters.",
+ optarg, IPSET_MAXNAMELEN - 1);
+
+ get_set_byname(optarg, info);
+ parse_dirs(argv[optind], info);
+ optind++;
+
+ *flags = 1;
+}
+
+static int
+set_target_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_set_info_target *myinfo =
+ (struct xt_set_info_target *) (*target)->data;
+
+ switch (c) {
+ case '1': /* --add-set <set> <flags> */
+ parse_target(argv, invert, flags,
+ &myinfo->add_set, "add-set");
+ break;
+ case '2': /* --del-set <set>[:<flags>] <flags> */
+ parse_target(argv, invert, flags,
+ &myinfo->del_set, "del-set");
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void
+print_target(const char *prefix, const struct xt_set_info *info)
+{
+ int i;
+ char setname[IPSET_MAXNAMELEN];
+
+ if (info->index == IPSET_INVALID_ID)
+ return;
+ get_set_byid(setname, info->index);
+ printf("%s %s", prefix, setname);
+ for (i = 1; i <= IPSET_DIM_MAX; i++) {
+ printf("%s%s",
+ i == 1 ? " " : ",",
+ info->flags & (1 << i) ? "src" : "dst");
+ }
+ printf(" ");
+}
+
+static void
+set_target_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_set_info_target *info = (const void *)target->data;
+
+ print_target("add-set", &info->add_set);
+ print_target("del-set", &info->del_set);
+}
+
+static void
+set_target_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_set_info_target *info = (const void *)target->data;
+
+ print_target("--add-set", &info->add_set);
+ print_target("--del-set", &info->del_set);
+}
+
+static struct xtables_target set_tg_reg[] = {
+ {
+ .name = "SET",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_set_info_target_v0)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target_v0)),
+ .help = set_target_help,
+ .init = set_target_init_v0,
+ .parse = set_target_parse_v0,
+ .final_check = set_target_check,
+ .print = set_target_print_v0,
+ .save = set_target_save_v0,
+ .extra_opts = set_target_opts,
+ },
+ {
+ .name = "SET",
+ .revision = 1,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_set_info_target)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target)),
+ .help = set_target_help,
+ .init = set_target_init,
+ .parse = set_target_parse,
+ .final_check = set_target_check,
+ .print = set_target_print,
+ .save = set_target_save,
+ .extra_opts = set_target_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_targets(set_tg_reg, ARRAY_SIZE(set_tg_reg));
+}
diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man
new file mode 100644
index 0000000..ea80c2a
--- /dev/null
+++ b/extensions/libxt_SET.man
@@ -0,0 +1,18 @@
+This modules adds and/or deletes entries from IP sets which can be defined
+by ipset(8).
+.TP
+\fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
+add the address(es)/port(s) of the packet to the sets
+.TP
+\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
+delete the address(es)/port(s) of the packet from the sets
+.IP
+where flags are
+.BR "src"
+and/or
+.BR "dst"
+specifications and there can be no more than six of them.
+.PP
+Use of -j SET requires that ipset kernel support is provided. As standard
+kernels do not ship this currently, the ipset or Xtables-addons package needs
+to be installed.
diff --git a/extensions/libxt_TCPMSS.c b/extensions/libxt_TCPMSS.c
new file mode 100644
index 0000000..ac9e2d0
--- /dev/null
+++ b/extensions/libxt_TCPMSS.c
@@ -0,0 +1,154 @@
+/* Shared library add-on to iptables to add TCPMSS target support.
+ *
+ * Copyright (c) 2000 Marc Boucher
+*/
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TCPMSS.h>
+
+struct mssinfo {
+ struct xt_entry_target t;
+ struct xt_tcpmss_info mss;
+};
+
+static void __TCPMSS_help(int hdrsize)
+{
+ printf(
+"TCPMSS target mutually-exclusive options:\n"
+" --set-mss value explicitly set MSS option to specified value\n"
+" --clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - %d)\n",
+hdrsize);
+}
+
+static void TCPMSS_help(void)
+{
+ __TCPMSS_help(40);
+}
+
+static void TCPMSS_help6(void)
+{
+ __TCPMSS_help(60);
+}
+
+static const struct option TCPMSS_opts[] = {
+ { "set-mss", 1, NULL, '1' },
+ { "clamp-mss-to-pmtu", 0, NULL, '2' },
+ { .name = NULL }
+};
+
+static int __TCPMSS_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target,
+ int hdrsize)
+{
+ struct xt_tcpmss_info *mssinfo
+ = (struct xt_tcpmss_info *)(*target)->data;
+
+ switch (c) {
+ unsigned int mssval;
+
+ case '1':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "TCPMSS target: Only one option may be specified");
+ if (!xtables_strtoui(optarg, NULL, &mssval,
+ 0, UINT16_MAX - hdrsize))
+ xtables_error(PARAMETER_PROBLEM, "Bad TCPMSS value \"%s\"", optarg);
+
+ mssinfo->mss = mssval;
+ *flags = 1;
+ break;
+
+ case '2':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "TCPMSS target: Only one option may be specified");
+ mssinfo->mss = XT_TCPMSS_CLAMP_PMTU;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static int TCPMSS_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ return __TCPMSS_parse(c, argv, invert, flags, entry, target, 40);
+}
+
+static int TCPMSS_parse6(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ return __TCPMSS_parse(c, argv, invert, flags, entry, target, 60);
+}
+
+static void TCPMSS_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "TCPMSS target: At least one parameter is required");
+}
+
+static void TCPMSS_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tcpmss_info *mssinfo =
+ (const struct xt_tcpmss_info *)target->data;
+ if(mssinfo->mss == XT_TCPMSS_CLAMP_PMTU)
+ printf("TCPMSS clamp to PMTU ");
+ else
+ printf("TCPMSS set %u ", mssinfo->mss);
+}
+
+static void TCPMSS_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tcpmss_info *mssinfo =
+ (const struct xt_tcpmss_info *)target->data;
+
+ if(mssinfo->mss == XT_TCPMSS_CLAMP_PMTU)
+ printf("--clamp-mss-to-pmtu ");
+ else
+ printf("--set-mss %u ", mssinfo->mss);
+}
+
+static struct xtables_target tcpmss_target = {
+ .family = NFPROTO_IPV4,
+ .name = "TCPMSS",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
+ .help = TCPMSS_help,
+ .parse = TCPMSS_parse,
+ .final_check = TCPMSS_check,
+ .print = TCPMSS_print,
+ .save = TCPMSS_save,
+ .extra_opts = TCPMSS_opts,
+};
+
+static struct xtables_target tcpmss_target6 = {
+ .family = NFPROTO_IPV6,
+ .name = "TCPMSS",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
+ .help = TCPMSS_help6,
+ .parse = TCPMSS_parse6,
+ .final_check = TCPMSS_check,
+ .print = TCPMSS_print,
+ .save = TCPMSS_save,
+ .extra_opts = TCPMSS_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&tcpmss_target);
+ xtables_register_target(&tcpmss_target6);
+}
diff --git a/extensions/libxt_TCPMSS.man b/extensions/libxt_TCPMSS.man
new file mode 100644
index 0000000..ac8fb4e
--- /dev/null
+++ b/extensions/libxt_TCPMSS.man
@@ -0,0 +1,47 @@
+This target allows to alter the MSS value of TCP SYN packets, to control
+the maximum size for that connection (usually limiting it to your
+outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
+Of course, it can only be used
+in conjunction with
+\fB\-p tcp\fP.
+.PP
+This target is used to overcome criminally braindead ISPs or servers
+which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
+packets. The symptoms of this
+problem are that everything works fine from your Linux
+firewall/router, but machines behind it can never exchange large
+packets:
+.PD 0
+.RS 0.1i
+.TP 0.3i
+1)
+Web browsers connect, then hang with no data received.
+.TP
+2)
+Small mail works fine, but large emails hang.
+.TP
+3)
+ssh works fine, but scp hangs after initial handshaking.
+.RE
+.PD
+Workaround: activate this option and add a rule to your firewall
+configuration like:
+.IP
+ iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN
+ \-j TCPMSS \-\-clamp\-mss\-to\-pmtu
+.TP
+\fB\-\-set\-mss\fP \fIvalue\fP
+Explicitly sets MSS option to specified value. If the MSS of the packet is
+already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux
+2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS.
+.TP
+\fB\-\-clamp\-mss\-to\-pmtu\fP
+Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6).
+This may not function as desired where asymmetric routes with differing
+path MTU exist \(em the kernel uses the path MTU which it would use to send
+packets from itself to the source and destination IP addresses. Prior to
+Linux 2.6.25, only the path MTU to the destination IP address was
+considered by this option; subsequent kernels also consider the path MTU
+to the source IP address.
+.PP
+These options are mutually exclusive.
diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
new file mode 100644
index 0000000..a063d0d
--- /dev/null
+++ b/extensions/libxt_TCPOPTSTRIP.c
@@ -0,0 +1,198 @@
+/*
+ * Shared library add-on to iptables to add TCPOPTSTRIP target support.
+ * Copyright (c) 2007 Sven Schnelle <svens@bitebene.org>
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <xtables.h>
+#include <netinet/tcp.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TCPOPTSTRIP.h>
+#ifndef TCPOPT_MD5SIG
+# define TCPOPT_MD5SIG 19
+#endif
+
+enum {
+ FLAG_STRIP = 1 << 0,
+};
+
+struct tcp_optionmap {
+ const char *name, *desc;
+ const unsigned int option;
+};
+
+static const struct option tcpoptstrip_tg_opts[] = {
+ {.name = "strip-options", .has_arg = true, .val = 's'},
+ { .name = NULL }
+};
+
+static const struct tcp_optionmap tcp_optionmap[] = {
+ {"wscale", "Window scale", TCPOPT_WINDOW},
+ {"mss", "Maximum Segment Size", TCPOPT_MAXSEG},
+ {"sack-permitted", "SACK permitted", TCPOPT_SACK_PERMITTED},
+ {"sack", "Selective ACK", TCPOPT_SACK},
+ {"timestamp", "Timestamp", TCPOPT_TIMESTAMP},
+ {"md5", "MD5 signature", TCPOPT_MD5SIG},
+ { .name = NULL }
+};
+
+static void tcpoptstrip_tg_help(void)
+{
+ const struct tcp_optionmap *w;
+
+ printf(
+"TCPOPTSTRIP target options:\n"
+" --strip-options value strip specified TCP options denoted by value\n"
+" (separated by comma) from TCP header\n"
+" Instead of the numeric value, you can also use the following names:\n"
+ );
+
+ for (w = tcp_optionmap; w->name != NULL; ++w)
+ printf(" %-14s strip \"%s\" option\n", w->name, w->desc);
+}
+
+static void tcpoptstrip_tg_init(struct xt_entry_target *t)
+{
+ struct xt_tcpoptstrip_target_info *info = (void *)t->data;
+
+ /* strictly necessary? play safe for now. */
+ memset(info->strip_bmap, 0, sizeof(info->strip_bmap));
+}
+
+static void parse_list(struct xt_tcpoptstrip_target_info *info, char *arg)
+{
+ unsigned int option;
+ char *p;
+ int i;
+
+ while (true) {
+ p = strchr(arg, ',');
+ if (p != NULL)
+ *p = '\0';
+
+ option = 0;
+ for (i = 0; tcp_optionmap[i].name != NULL; ++i)
+ if (strcmp(tcp_optionmap[i].name, arg) == 0) {
+ option = tcp_optionmap[i].option;
+ break;
+ }
+
+ if (option == 0 &&
+ !xtables_strtoui(arg, NULL, &option, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "Bad TCP option value \"%s\"", arg);
+
+ if (option < 2)
+ xtables_error(PARAMETER_PROBLEM,
+ "Option value may not be 0 or 1");
+
+ if (tcpoptstrip_test_bit(info->strip_bmap, option))
+ xtables_error(PARAMETER_PROBLEM,
+ "Option \"%s\" already specified", arg);
+
+ tcpoptstrip_set_bit(info->strip_bmap, option);
+ if (p == NULL)
+ break;
+ arg = p + 1;
+ }
+}
+
+static int tcpoptstrip_tg_parse(int c, char **argv, int invert,
+ unsigned int *flags, const void *entry,
+ struct xt_entry_target **target)
+{
+ struct xt_tcpoptstrip_target_info *info = (void *)(*target)->data;
+
+ switch (c) {
+ case 's':
+ if (*flags & FLAG_STRIP)
+ xtables_error(PARAMETER_PROBLEM,
+ "You can specify --strip-options only once");
+ parse_list(info, optarg);
+ *flags |= FLAG_STRIP;
+ return true;
+ }
+
+ return false;
+}
+
+static void tcpoptstrip_tg_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "TCPOPTSTRIP: --strip-options parameter required");
+}
+
+static void
+tcpoptstrip_print_list(const struct xt_tcpoptstrip_target_info *info,
+ bool numeric)
+{
+ unsigned int i, j;
+ const char *name;
+ bool first = true;
+
+ for (i = 0; i < 256; ++i) {
+ if (!tcpoptstrip_test_bit(info->strip_bmap, i))
+ continue;
+ if (!first)
+ printf(",");
+
+ first = false;
+ name = NULL;
+ if (!numeric)
+ for (j = 0; tcp_optionmap[j].name != NULL; ++j)
+ if (tcp_optionmap[j].option == i)
+ name = tcp_optionmap[j].name;
+
+ if (name != NULL)
+ printf("%s", name);
+ else
+ printf("%u", i);
+ }
+}
+
+static void
+tcpoptstrip_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tcpoptstrip_target_info *info =
+ (const void *)target->data;
+
+ printf("TCPOPTSTRIP options ");
+ tcpoptstrip_print_list(info, numeric);
+}
+
+static void
+tcpoptstrip_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tcpoptstrip_target_info *info =
+ (const void *)target->data;
+
+ printf("--strip-options ");
+ tcpoptstrip_print_list(info, true);
+}
+
+static struct xtables_target tcpoptstrip_tg_reg = {
+ .version = XTABLES_VERSION,
+ .name = "TCPOPTSTRIP",
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
+ .help = tcpoptstrip_tg_help,
+ .init = tcpoptstrip_tg_init,
+ .parse = tcpoptstrip_tg_parse,
+ .final_check = tcpoptstrip_tg_check,
+ .print = tcpoptstrip_tg_print,
+ .save = tcpoptstrip_tg_save,
+ .extra_opts = tcpoptstrip_tg_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&tcpoptstrip_tg_reg);
+}
diff --git a/extensions/libxt_TCPOPTSTRIP.man b/extensions/libxt_TCPOPTSTRIP.man
new file mode 100644
index 0000000..2a07709
--- /dev/null
+++ b/extensions/libxt_TCPOPTSTRIP.man
@@ -0,0 +1,7 @@
+This target will strip TCP options off a TCP packet. (It will actually replace
+them by NO-OPs.) As such, you will need to add the \fB\-p tcp\fP parameters.
+.TP
+\fB\-\-strip\-options\fP \fIoption\fP[\fB,\fP\fIoption\fP...]
+Strip the given option(s). The options may be specified by TCP option number or
+by symbolic name. The list of recognized options can be obtained by calling
+iptables with \fB\-j TCPOPTSTRIP \-h\fP.
diff --git a/extensions/libxt_TEE.c b/extensions/libxt_TEE.c
new file mode 100644
index 0000000..e4c0607
--- /dev/null
+++ b/extensions/libxt_TEE.c
@@ -0,0 +1,202 @@
+/*
+ * "TEE" target extension for iptables
+ * Copyright © Sebastian Claßen <sebastian.classen [at] freenet.ag>, 2007
+ * Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2010
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License; either
+ * version 2 of the License, or any later version, as published by the
+ * Free Software Foundation.
+ */
+#include <sys/socket.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <arpa/inet.h>
+#include <net/if.h>
+#include <netinet/in.h>
+
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TEE.h>
+
+enum {
+ FLAG_GATEWAY = 1 << 0,
+ FLAG_OIF = 1 << 1,
+};
+
+static const struct option tee_tg_opts[] = {
+ {.name = "gateway", .has_arg = true, .val = 'g'},
+ {.name = "oif", .has_arg = true, .val = 'o'},
+ {NULL},
+};
+
+static void tee_tg_help(void)
+{
+ printf(
+"TEE target options:\n"
+" --gateway IPADDR Route packet via the gateway given by address\n"
+" --oif NAME Include oif in route calculation\n"
+"\n");
+}
+
+static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tee_tginfo *info = (void *)(*target)->data;
+ const struct in_addr *ia;
+
+ switch (c) {
+ case 'g':
+ if (*flags & FLAG_GATEWAY)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --gateway more than once");
+
+ ia = xtables_numeric_to_ipaddr(optarg);
+ if (ia == NULL)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid IP address %s", optarg);
+
+ memcpy(&info->gw, ia, sizeof(*ia));
+ *flags |= FLAG_GATEWAY;
+ return true;
+ case 'o':
+ if (*flags & FLAG_OIF)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --oif more than once");
+ if (strlen(optarg) >= sizeof(info->oif))
+ xtables_error(PARAMETER_PROBLEM,
+ "oif name too long");
+ strcpy(info->oif, optarg);
+ *flags |= FLAG_OIF;
+ return true;
+ }
+
+ return false;
+}
+
+static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tee_tginfo *info = (void *)(*target)->data;
+ const struct in6_addr *ia;
+
+ switch (c) {
+ case 'g':
+ if (*flags & FLAG_GATEWAY)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --gateway more than once");
+
+ ia = xtables_numeric_to_ip6addr(optarg);
+ if (ia == NULL)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid IP address %s", optarg);
+
+ memcpy(&info->gw, ia, sizeof(*ia));
+ *flags |= FLAG_GATEWAY;
+ return true;
+ case 'o':
+ if (*flags & FLAG_OIF)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --oif more than once");
+ if (strlen(optarg) >= sizeof(info->oif))
+ xtables_error(PARAMETER_PROBLEM,
+ "oif name too long");
+ strcpy(info->oif, optarg);
+ *flags |= FLAG_OIF;
+ return true;
+ }
+
+ return false;
+}
+
+static void tee_tg_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM, "TEE target: "
+ "--gateway parameter required");
+}
+
+static void tee_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tee_tginfo *info = (const void *)target->data;
+
+ if (numeric)
+ printf("TEE gw:%s ", xtables_ipaddr_to_numeric(&info->gw.in));
+ else
+ printf("TEE gw:%s ", xtables_ipaddr_to_anyname(&info->gw.in));
+ if (*info->oif != '\0')
+ printf("oif=%s ", info->oif);
+}
+
+static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tee_tginfo *info = (const void *)target->data;
+
+ if (numeric)
+ printf("TEE gw:%s ", xtables_ip6addr_to_numeric(&info->gw.in6));
+ else
+ printf("TEE gw:%s ", xtables_ip6addr_to_anyname(&info->gw.in6));
+ if (*info->oif != '\0')
+ printf("oif=%s ", info->oif);
+}
+
+static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tee_tginfo *info = (const void *)target->data;
+
+ printf("--gateway %s ", xtables_ipaddr_to_numeric(&info->gw.in));
+ if (*info->oif != '\0')
+ printf("--oif %s ", info->oif);
+}
+
+static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tee_tginfo *info = (const void *)target->data;
+
+ printf("--gateway %s ", xtables_ip6addr_to_numeric(&info->gw.in6));
+ if (*info->oif != '\0')
+ printf("--oif %s ", info->oif);
+}
+
+static struct xtables_target tee_tg_reg = {
+ .name = "TEE",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .help = tee_tg_help,
+ .parse = tee_tg_parse,
+ .final_check = tee_tg_check,
+ .print = tee_tg_print,
+ .save = tee_tg_save,
+ .extra_opts = tee_tg_opts,
+};
+
+static struct xtables_target tee_tg6_reg = {
+ .name = "TEE",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .help = tee_tg_help,
+ .parse = tee_tg6_parse,
+ .final_check = tee_tg_check,
+ .print = tee_tg6_print,
+ .save = tee_tg6_save,
+ .extra_opts = tee_tg_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&tee_tg_reg);
+ xtables_register_target(&tee_tg6_reg);
+}
diff --git a/extensions/libxt_TEE.man b/extensions/libxt_TEE.man
new file mode 100644
index 0000000..456d150
--- /dev/null
+++ b/extensions/libxt_TEE.man
@@ -0,0 +1,12 @@
+The \fBTEE\fP target will clone a packet and redirect this clone to another
+machine on the \fBlocal\fP network segment. In other words, the nexthop
+must be the target, or you will have to configure the nexthop to forward it
+further if so desired.
+.TP
+\fB\-\-gateway\fP \fIipaddr\fP
+Send the cloned packet to the host reachable at the given IP address.
+Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
+.PP
+To forward all incoming traffic on eth0 to an Network Layer logging box:
+.PP
+\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1
diff --git a/extensions/libxt_TOS.c b/extensions/libxt_TOS.c
new file mode 100644
index 0000000..dc60cc0
--- /dev/null
+++ b/extensions/libxt_TOS.c
@@ -0,0 +1,245 @@
+/*
+ * Shared library add-on to iptables to add TOS target support
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netinet/in.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_DSCP.h>
+#include "tos_values.c"
+
+struct ipt_tos_target_info {
+ u_int8_t tos;
+};
+
+enum {
+ FLAG_TOS = 1 << 0,
+};
+
+static const struct option tos_tg_opts_v0[] = {
+ {.name = "set-tos", .has_arg = true, .val = '='},
+ { .name = NULL }
+};
+
+static const struct option tos_tg_opts[] = {
+ {.name = "set-tos", .has_arg = true, .val = '='},
+ {.name = "and-tos", .has_arg = true, .val = '&'},
+ {.name = "or-tos", .has_arg = true, .val = '|'},
+ {.name = "xor-tos", .has_arg = true, .val = '^'},
+ { .name = NULL }
+};
+
+static void tos_tg_help_v0(void)
+{
+ const struct tos_symbol_info *symbol;
+
+ printf(
+"TOS target options:\n"
+" --set-tos value Set Type of Service/Priority field to value\n"
+" --set-tos symbol Set TOS field (IPv4 only) by symbol\n"
+" Accepted symbolic names for value are:\n");
+
+ for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+ printf(" (0x%02x) %2u %s\n",
+ symbol->value, symbol->value, symbol->name);
+
+ printf("\n");
+}
+
+static void tos_tg_help(void)
+{
+ const struct tos_symbol_info *symbol;
+
+ printf(
+"TOS target v%s options:\n"
+" --set-tos value[/mask] Set Type of Service/Priority field to value\n"
+" (Zero out bits in mask and XOR value into TOS)\n"
+" --set-tos symbol Set TOS field (IPv4 only) by symbol\n"
+" (this zeroes the 4-bit Precedence part!)\n"
+" Accepted symbolic names for value are:\n",
+XTABLES_VERSION);
+
+ for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+ printf(" (0x%02x) %2u %s\n",
+ symbol->value, symbol->value, symbol->name);
+
+ printf(
+"\n"
+" --and-tos bits Binary AND the TOS value with bits\n"
+" --or-tos bits Binary OR the TOS value with bits\n"
+" --xor-tos bits Binary XOR the TOS value with bits\n"
+);
+}
+
+static int tos_tg_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ipt_tos_target_info *info = (void *)(*target)->data;
+ struct tos_value_mask tvm;
+
+ switch (c) {
+ case '=':
+ xtables_param_act(XTF_ONLY_ONCE, "TOS", "--set-tos", *flags & FLAG_TOS);
+ xtables_param_act(XTF_NO_INVERT, "TOS", "--set-tos", invert);
+ if (!tos_parse_symbolic(optarg, &tvm, 0xFF))
+ xtables_param_act(XTF_BAD_VALUE, "TOS", "--set-tos", optarg);
+ if (tvm.mask != 0xFF)
+ xtables_error(PARAMETER_PROBLEM, "tos match: Your kernel "
+ "is too old to support anything besides "
+ "/0xFF as a mask.");
+ info->tos = tvm.value;
+ *flags |= FLAG_TOS;
+ return true;
+ }
+
+ return false;
+}
+
+static int tos_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tos_target_info *info = (void *)(*target)->data;
+ struct tos_value_mask tvm;
+ unsigned int bits;
+
+ switch (c) {
+ case '=': /* --set-tos */
+ xtables_param_act(XTF_ONLY_ONCE, "TOS", "--set-tos", *flags & FLAG_TOS);
+ xtables_param_act(XTF_NO_INVERT, "TOS", "--set-tos", invert);
+ if (!tos_parse_symbolic(optarg, &tvm, 0x3F))
+ xtables_param_act(XTF_BAD_VALUE, "TOS", "--set-tos", optarg);
+ info->tos_value = tvm.value;
+ info->tos_mask = tvm.mask;
+ break;
+
+ case '&': /* --and-tos */
+ xtables_param_act(XTF_ONLY_ONCE, "TOS", "--and-tos", *flags & FLAG_TOS);
+ xtables_param_act(XTF_NO_INVERT, "TOS", "--and-tos", invert);
+ if (!xtables_strtoui(optarg, NULL, &bits, 0, UINT8_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "TOS", "--and-tos", optarg);
+ info->tos_value = 0;
+ info->tos_mask = ~bits;
+ break;
+
+ case '|': /* --or-tos */
+ xtables_param_act(XTF_ONLY_ONCE, "TOS", "--or-tos", *flags & FLAG_TOS);
+ xtables_param_act(XTF_NO_INVERT, "TOS", "--or-tos", invert);
+ if (!xtables_strtoui(optarg, NULL, &bits, 0, UINT8_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "TOS", "--or-tos", optarg);
+ info->tos_value = bits;
+ info->tos_mask = bits;
+ break;
+
+ case '^': /* --xor-tos */
+ xtables_param_act(XTF_ONLY_ONCE, "TOS", "--xor-tos", *flags & FLAG_TOS);
+ xtables_param_act(XTF_NO_INVERT, "TOS", "--xor-tos", invert);
+ if (!xtables_strtoui(optarg, NULL, &bits, 0, UINT8_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "TOS", "--xor-tos", optarg);
+ info->tos_value = bits;
+ info->tos_mask = 0;
+ break;
+
+ default:
+ return false;
+ }
+
+ *flags |= FLAG_TOS;
+ return true;
+}
+
+static void tos_tg_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "TOS: The --set-tos parameter is required");
+}
+
+static void tos_tg_print_v0(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct ipt_tos_target_info *info = (const void *)target->data;
+
+ printf("TOS set ");
+ if (numeric || !tos_try_print_symbolic("", info->tos, 0xFF))
+ printf("0x%02x ", info->tos);
+}
+
+static void tos_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tos_target_info *info = (const void *)target->data;
+
+ if (numeric)
+ printf("TOS set 0x%02x/0x%02x ",
+ info->tos_value, info->tos_mask);
+ else if (tos_try_print_symbolic("TOS set ",
+ info->tos_value, info->tos_mask))
+ /* already printed by call */
+ return;
+ else if (info->tos_value == 0)
+ printf("TOS and 0x%02x ",
+ (unsigned int)(u_int8_t)~info->tos_mask);
+ else if (info->tos_value == info->tos_mask)
+ printf("TOS or 0x%02x ", info->tos_value);
+ else if (info->tos_mask == 0)
+ printf("TOS xor 0x%02x ", info->tos_value);
+ else
+ printf("TOS set 0x%02x/0x%02x ",
+ info->tos_value, info->tos_mask);
+}
+
+static void tos_tg_save_v0(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ipt_tos_target_info *info = (const void *)target->data;
+
+ printf("--set-tos 0x%02x ", info->tos);
+}
+
+static void tos_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tos_target_info *info = (const void *)target->data;
+
+ printf("--set-tos 0x%02x/0x%02x ", info->tos_value, info->tos_mask);
+}
+
+static struct xtables_target tos_tg_reg[] = {
+ {
+ .version = XTABLES_VERSION,
+ .name = "TOS",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+ .help = tos_tg_help_v0,
+ .parse = tos_tg_parse_v0,
+ .final_check = tos_tg_check,
+ .print = tos_tg_print_v0,
+ .save = tos_tg_save_v0,
+ .extra_opts = tos_tg_opts_v0,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "TOS",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+ .help = tos_tg_help,
+ .parse = tos_tg_parse,
+ .final_check = tos_tg_check,
+ .print = tos_tg_print,
+ .save = tos_tg_save,
+ .extra_opts = tos_tg_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_targets(tos_tg_reg, ARRAY_SIZE(tos_tg_reg));
+}
diff --git a/extensions/libxt_TOS.man b/extensions/libxt_TOS.man
new file mode 100644
index 0000000..d5cbfcb
--- /dev/null
+++ b/extensions/libxt_TOS.man
@@ -0,0 +1,27 @@
+This module sets the Type of Service field in the IPv4 header (including the
+"precedence" bits) or the Priority field in the IPv6 header. Note that TOS
+shares the same bits as DSCP and ECN. The TOS target is only valid in the
+\fBmangle\fR table.
+.TP
+\fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
+Zeroes out the bits given by \fImask\fR and XORs \fIvalue\fR into the
+TOS/Priority field. If \fImask\fR is omitted, 0xFF is assumed.
+.TP
+\fB\-\-set\-tos\fP \fIsymbol\fP
+You can specify a symbolic name when using the TOS target for IPv4. It implies
+a mask of 0xFF. The list of recognized TOS names can be obtained by calling
+iptables with \fB\-j TOS \-h\fP.
+.PP
+The following mnemonics are available:
+.TP
+\fB\-\-and\-tos\fP \fIbits\fP
+Binary AND the TOS value with \fIbits\fR. (Mnemonic for \fB\-\-set\-tos
+0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.)
+.TP
+\fB\-\-or\-tos\fP \fIbits\fP
+Binary OR the TOS value with \fIbits\fR. (Mnemonic for \fB\-\-set\-tos\fP
+\fIbits\fR\fB/\fR\fIbits\fR.)
+.TP
+\fB\-\-xor\-tos\fP \fIbits\fP
+Binary XOR the TOS value with \fIbits\fR. (Mnemonic for \fB\-\-set\-tos\fP
+\fIbits\fR\fB/0\fR.)
diff --git a/extensions/libxt_TPROXY.c b/extensions/libxt_TPROXY.c
new file mode 100644
index 0000000..d410c52
--- /dev/null
+++ b/extensions/libxt_TPROXY.c
@@ -0,0 +1,150 @@
+/*
+ * Shared library add-on to iptables to add TPROXY target support.
+ *
+ * Copyright (C) 2002-2008 BalaBit IT Ltd.
+ */
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <limits.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TPROXY.h>
+
+static const struct option tproxy_tg_opts[] = {
+ { .name = "on-port", .has_arg = 1, .val = '1'},
+ { .name = "on-ip", .has_arg = 1, .val = '2'},
+ { .name = "tproxy-mark", .has_arg = 1, .val = '3'},
+ {NULL},
+};
+
+enum {
+ PARAM_ONPORT = 1 << 0,
+ PARAM_ONIP = 1 << 1,
+ PARAM_MARK = 1 << 2,
+};
+
+static void tproxy_tg_help(void)
+{
+ printf(
+"TPROXY target options:\n"
+" --on-port port Redirect connection to port, or the original port if 0\n"
+" --on-ip ip Optionally redirect to the given IP\n"
+" --tproxy-mark value[/mask] Mark packets with the given value/mask\n\n");
+}
+
+static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info)
+{
+ unsigned int lport;
+
+ if (xtables_strtoui(s, NULL, &lport, 0, UINT16_MAX))
+ info->lport = htons(lport);
+ else
+ xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-port", s);
+}
+
+static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info)
+{
+ struct in_addr *laddr;
+
+ if ((laddr = xtables_numeric_to_ipaddr(s)) == NULL)
+ xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
+
+ info->laddr = laddr->s_addr;
+}
+
+static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
+{
+ unsigned int value, mask = UINT32_MAX;
+ char *end;
+
+ if (!xtables_strtoui(s, &end, &value, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
+ if (*end == '/')
+ if (!xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
+ if (*end != '\0')
+ xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
+
+ info->mark_mask = mask;
+ info->mark_value = value;
+}
+
+static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data;
+
+ switch (c) {
+ case '1':
+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
+ parse_tproxy_lport(optarg, tproxyinfo);
+ *flags |= PARAM_ONPORT;
+ return 1;
+ case '2':
+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
+ parse_tproxy_laddr(optarg, tproxyinfo);
+ *flags |= PARAM_ONIP;
+ return 1;
+ case '3':
+ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
+ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
+ parse_tproxy_mark(optarg, tproxyinfo);
+ *flags |= PARAM_MARK;
+ return 1;
+ }
+
+ return 0;
+}
+
+static void tproxy_tg_check(unsigned int flags)
+{
+ if (!(flags & PARAM_ONPORT))
+ xtables_error(PARAMETER_PROBLEM,
+ "TPROXY target: Parameter --on-port is required");
+}
+
+static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tproxy_target_info *info = (const void *)target->data;
+ printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
+ xtables_ipaddr_to_numeric((const struct in_addr *)&info->laddr),
+ ntohs(info->lport), (unsigned int)info->mark_value,
+ (unsigned int)info->mark_mask);
+}
+
+static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tproxy_target_info *info = (const void *)target->data;
+
+ printf("--on-port %u ", ntohs(info->lport));
+ printf("--on-ip %s ",
+ xtables_ipaddr_to_numeric((const struct in_addr *)&info->laddr));
+ printf("--tproxy-mark 0x%x/0x%x ",
+ (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
+}
+
+static struct xtables_target tproxy_tg_reg = {
+ .name = "TPROXY",
+ .family = NFPROTO_IPV4,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
+ .help = tproxy_tg_help,
+ .parse = tproxy_tg_parse,
+ .final_check = tproxy_tg_check,
+ .print = tproxy_tg_print,
+ .save = tproxy_tg_save,
+ .extra_opts = tproxy_tg_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&tproxy_tg_reg);
+}
diff --git a/extensions/libxt_TPROXY.man b/extensions/libxt_TPROXY.man
new file mode 100644
index 0000000..0129f84
--- /dev/null
+++ b/extensions/libxt_TPROXY.man
@@ -0,0 +1,21 @@
+This target is only valid in the \fBmangle\fR table, in the \fBPREROUTING\fR
+chain and user-defined chains which are only called from this chain. It
+redirects the packet to a local socket without changing the packet header in
+any way. It can also change the mark value which can then be used in advanced
+routing rules.
+It takes three options:
+.TP
+\fB\-\-on\-port\fP \fIport\fP
+This specifies a destination port to use. It is a required option, 0 means the
+new destination port is the same as the original. This is only valid if the
+rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP.
+.TP
+\fB\-\-on\-ip\fP \fIaddress\fP
+This specifies a destination address to use. By default the address is the IP
+address of the incoming interface. This is only valid if the rule also
+specifies \fB\-p tcp\fP or \fB\-p udp\fP.
+.TP
+\fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
+Marks packets with the given value/mask. The fwmark value set here can be used
+by advanced routing. (Required for transparent proxying to work: otherwise
+these packets will get forwarded, which is probably not what you want.)
diff --git a/extensions/libxt_TRACE.c b/extensions/libxt_TRACE.c
new file mode 100644
index 0000000..0282e6f
--- /dev/null
+++ b/extensions/libxt_TRACE.c
@@ -0,0 +1,21 @@
+/* Shared library add-on to iptables to add TRACE target support. */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+
+static struct xtables_target trace_target = {
+ .family = NFPROTO_UNSPEC,
+ .name = "TRACE",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(0),
+ .userspacesize = XT_ALIGN(0),
+};
+
+void _init(void)
+{
+ xtables_register_target(&trace_target);
+}
diff --git a/extensions/libxt_TRACE.man b/extensions/libxt_TRACE.man
new file mode 100644
index 0000000..d28c3a0
--- /dev/null
+++ b/extensions/libxt_TRACE.man
@@ -0,0 +1,11 @@
+This target marks packes so that the kernel will log every rule which match
+the packets as those traverse the tables, chains, rules. (The ipt_LOG or
+ip6t_LOG module
+is required for the logging.) The packets are logged with the string prefix:
+"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
+plain rule, "return" for implicit rule at the end of a user defined chain
+and "policy" for the policy of the built in chains.
+.br
+It can only be used in the
+.BR raw
+table.
diff --git a/extensions/libxt_cluster.c b/extensions/libxt_cluster.c
new file mode 100644
index 0000000..ea5d9fb
--- /dev/null
+++ b/extensions/libxt_cluster.c
@@ -0,0 +1,238 @@
+/*
+ * (C) 2009 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <stddef.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_cluster.h>
+
+/* hack to keep for check */
+static unsigned int total_nodes;
+static unsigned int node_mask;
+
+static void
+cluster_help(void)
+{
+ printf(
+"cluster match options:\n"
+" --cluster-total-nodes <num> Set number of total nodes in cluster\n"
+" [!] --cluster-local-node <num> Set the local node number\n"
+" [!] --cluster-local-nodemask <num> Set the local node mask\n"
+" --cluster-hash-seed <num> Set seed value of the Jenkins hash\n");
+}
+
+enum {
+ CLUSTER_OPT_TOTAL_NODES,
+ CLUSTER_OPT_LOCAL_NODE,
+ CLUSTER_OPT_NODE_MASK,
+ CLUSTER_OPT_HASH_SEED,
+};
+
+static const struct option cluster_opts[] = {
+ { "cluster-total-nodes", 1, NULL, CLUSTER_OPT_TOTAL_NODES },
+ { "cluster-local-node", 1, NULL, CLUSTER_OPT_LOCAL_NODE },
+ { "cluster-local-nodemask", 1, NULL, CLUSTER_OPT_NODE_MASK },
+ { "cluster-hash-seed", 1, NULL, CLUSTER_OPT_HASH_SEED },
+ { .name = NULL }
+};
+
+static int
+cluster_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_cluster_match_info *info = (void *)(*match)->data;
+ unsigned int num;
+
+ switch (c) {
+ case CLUSTER_OPT_TOTAL_NODES:
+ if (*flags & (1 << c)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Can only specify "
+ "`--cluster-total-nodes' once");
+ }
+ if (!xtables_strtoui(optarg, NULL, &num, 1,
+ XT_CLUSTER_NODES_MAX)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Unable to parse `%s' in "
+ "`--cluster-total-nodes'", optarg);
+ }
+ total_nodes = num;
+ info->total_nodes = total_nodes = num;
+ *flags |= 1 << c;
+ break;
+ case CLUSTER_OPT_LOCAL_NODE:
+ if (*flags & (1 << c)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Can only specify "
+ "`--cluster-local-node' once");
+ }
+ if (*flags & (1 << CLUSTER_OPT_NODE_MASK)) {
+ xtables_error(PARAMETER_PROBLEM, "You cannot use "
+ "`--cluster-local-nodemask' and "
+ "`--cluster-local-node'");
+ }
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (!xtables_strtoui(optarg, NULL, &num, 1,
+ XT_CLUSTER_NODES_MAX)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Unable to parse `%s' in "
+ "`--cluster-local-node'", optarg);
+ }
+ if (invert)
+ info->flags |= (1 << XT_CLUSTER_F_INV);
+
+ info->node_mask = node_mask = (1 << (num - 1));
+ *flags |= 1 << c;
+ break;
+ case CLUSTER_OPT_NODE_MASK:
+ if (*flags & (1 << c)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Can only specify "
+ "`--cluster-local-node' once");
+ }
+ if (*flags & (1 << CLUSTER_OPT_LOCAL_NODE)) {
+ xtables_error(PARAMETER_PROBLEM, "You cannot use "
+ "`--cluster-local-nodemask' and "
+ "`--cluster-local-node'");
+ }
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (!xtables_strtoui(optarg, NULL, &num, 1,
+ XT_CLUSTER_NODES_MAX)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Unable to parse `%s' in "
+ "`--cluster-local-node'", optarg);
+ }
+ if (invert)
+ info->flags |= (1 << XT_CLUSTER_F_INV);
+
+ info->node_mask = node_mask = num;
+ *flags |= 1 << c;
+ break;
+
+ case CLUSTER_OPT_HASH_SEED:
+ if (*flags & (1 << c)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Can only specify "
+ "`--cluster-hash-seed' once");
+ }
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Unable to parse `%s'", optarg);
+ }
+ info->hash_seed = num;
+ *flags |= 1 << c;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+cluster_check(unsigned int flags)
+{
+ if ((flags & ((1 << CLUSTER_OPT_TOTAL_NODES) |
+ (1 << CLUSTER_OPT_LOCAL_NODE) |
+ (1 << CLUSTER_OPT_HASH_SEED)))
+ == ((1 << CLUSTER_OPT_TOTAL_NODES) |
+ (1 << CLUSTER_OPT_LOCAL_NODE) |
+ (1 << CLUSTER_OPT_HASH_SEED))) {
+ if (node_mask >= (1ULL << total_nodes)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "cluster match: "
+ "`--cluster-local-node' "
+ "must be <= `--cluster-total-nodes'");
+ }
+ return;
+ }
+ if ((flags & ((1 << CLUSTER_OPT_TOTAL_NODES) |
+ (1 << CLUSTER_OPT_NODE_MASK) |
+ (1 << CLUSTER_OPT_HASH_SEED)))
+ == ((1 << CLUSTER_OPT_TOTAL_NODES) |
+ (1 << CLUSTER_OPT_NODE_MASK) |
+ (1 << CLUSTER_OPT_HASH_SEED))) {
+ if (node_mask >= (1ULL << total_nodes)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "cluster match: "
+ "`--cluster-local-nodemask' too big "
+ "for `--cluster-total-nodes'");
+ }
+ return;
+ }
+ if (!(flags & (1 << CLUSTER_OPT_TOTAL_NODES))) {
+ xtables_error(PARAMETER_PROBLEM,
+ "cluster match: `--cluster-total-nodes' "
+ "is missing");
+ }
+ if (!(flags & (1 << CLUSTER_OPT_HASH_SEED))) {
+ xtables_error(PARAMETER_PROBLEM,
+ "cluster match: `--cluster-hash-seed' "
+ "is missing");
+ }
+ if (!(flags & ((1 << (CLUSTER_OPT_LOCAL_NODE) |
+ (1 << (CLUSTER_OPT_NODE_MASK)))))) {
+ xtables_error(PARAMETER_PROBLEM,
+ "cluster match: `--cluster-local-node' or"
+ "`--cluster-local-nodemask' is missing");
+ }
+}
+
+static void
+cluster_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_cluster_match_info *info = (void *)match->data;
+
+ printf("cluster ");
+ if (info->flags & XT_CLUSTER_F_INV)
+ printf("!node_mask=0x%08x ", info->node_mask);
+ else
+ printf("node_mask=0x%08x ", info->node_mask);
+
+ printf("total_nodes=%u hash_seed=0x%08x ",
+ info->total_nodes, info->hash_seed);
+}
+
+static void
+cluster_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_cluster_match_info *info = (void *)match->data;
+
+ if (info->flags & XT_CLUSTER_F_INV)
+ printf("! --cluster-local-nodemask 0x%08x ", info->node_mask);
+ else
+ printf("--cluster-local-nodemask 0x%08x ", info->node_mask);
+
+ printf("--cluster-total-nodes %u --cluster-hash-seed 0x%08x ",
+ info->total_nodes, info->hash_seed);
+}
+
+static struct xtables_match cluster_mt_reg = {
+ .family = NFPROTO_UNSPEC,
+ .name = "cluster",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_cluster_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_cluster_match_info)),
+ .help = cluster_help,
+ .parse = cluster_parse,
+ .final_check = cluster_check,
+ .print = cluster_print,
+ .save = cluster_save,
+ .extra_opts = cluster_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&cluster_mt_reg);
+}
diff --git a/extensions/libxt_cluster.man b/extensions/libxt_cluster.man
new file mode 100644
index 0000000..62ad71c
--- /dev/null
+++ b/extensions/libxt_cluster.man
@@ -0,0 +1,62 @@
+Allows you to deploy gateway and back-end load-sharing clusters without the
+need of load-balancers.
+.PP
+This match requires that all the nodes see the same packets. Thus, the cluster
+match decides if this node has to handle a packet given the following options:
+.TP
+\fB\-\-cluster\-total\-nodes\fP \fInum\fP
+Set number of total nodes in cluster.
+.TP
+[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP
+Set the local node number ID.
+.TP
+[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP
+Set the local node number ID mask. You can use this option instead
+of \fB\-\-cluster\-local\-node\fP.
+.TP
+\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP
+Set seed value of the Jenkins hash.
+.PP
+Example:
+.IP
+iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
+\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
+\-\-cluster\-hash\-seed 0xdeadbeef
+\-j MARK \-\-set-mark 0xffff
+.IP
+iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
+\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
+\-\-cluster\-hash\-seed 0xdeadbeef
+\-j MARK -\-set\-mark 0xffff
+.IP
+iptables \-A PREROUTING \-t mangle \-i eth1
+\-m mark ! \-\-mark 0xffff \-j DROP
+.IP
+iptables \-A PREROUTING \-t mangle \-i eth2
+\-m mark ! \-\-mark 0xffff \-j DROP
+.PP
+And the following commands to make all nodes see the same packets:
+.IP
+ip maddr add 01:00:5e:00:01:01 dev eth1
+.IP
+ip maddr add 01:00:5e:00:01:02 dev eth2
+.IP
+arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
+\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01
+.IP
+arptables \-A INPUT \-i eth1 \-\-h-length 6
+\-\-destination-mac 01:00:5e:00:01:01
+\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
+.IP
+arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
+\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02
+.IP
+arptables \-A INPUT \-i eth2 \-\-h\-length 6
+\-\-destination\-mac 01:00:5e:00:01:02
+\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
+.PP
+In the case of TCP connections, pickup facility has to be disabled
+to avoid marking TCP ACK packets coming in the reply direction as
+valid.
+.IP
+echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
diff --git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
new file mode 100644
index 0000000..0068a6e
--- /dev/null
+++ b/extensions/libxt_comment.c
@@ -0,0 +1,108 @@
+/* Shared library add-on to iptables to add comment match support.
+ *
+ * ChangeLog
+ * 2003-05-13: Brad Fisher <brad@info-link.net>
+ * Initial comment match
+ * 2004-05-12: Brad Fisher <brad@info-link.net>
+ * Port to patch-o-matic-ng
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_comment.h>
+
+static void comment_help(void)
+{
+ printf(
+ "comment match options:\n"
+ "--comment COMMENT Attach a comment to a rule\n");
+}
+
+static const struct option comment_opts[] = {
+ { "comment", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static void
+parse_comment(const char *s, struct xt_comment_info *info)
+{
+ int slen = strlen(s);
+
+ if (slen >= XT_MAX_COMMENT_LEN) {
+ xtables_error(PARAMETER_PROBLEM,
+ "COMMENT must be shorter than %i characters", XT_MAX_COMMENT_LEN);
+ }
+ strcpy((char *)info->comment, s);
+}
+
+static int
+comment_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_comment_info *commentinfo = (struct xt_comment_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Sorry, you can't have an inverted comment");
+ }
+ parse_comment(optarg, commentinfo);
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void comment_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "COMMENT match: You must specify `--comment'");
+}
+
+static void
+comment_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ struct xt_comment_info *commentinfo = (void *)match->data;
+
+ commentinfo->comment[XT_MAX_COMMENT_LEN-1] = '\0';
+ printf("/* %s */ ", commentinfo->comment);
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void
+comment_save(const void *ip, const struct xt_entry_match *match)
+{
+ struct xt_comment_info *commentinfo = (void *)match->data;
+
+ commentinfo->comment[XT_MAX_COMMENT_LEN-1] = '\0';
+ printf("--comment ");
+ xtables_save_string((const char *)commentinfo->comment);
+}
+
+static struct xtables_match comment_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "comment",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_comment_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_comment_info)),
+ .help = comment_help,
+ .parse = comment_parse,
+ .final_check = comment_check,
+ .print = comment_print,
+ .save = comment_save,
+ .extra_opts = comment_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&comment_match);
+}
diff --git a/extensions/libxt_comment.man b/extensions/libxt_comment.man
new file mode 100644
index 0000000..faaee2a
--- /dev/null
+++ b/extensions/libxt_comment.man
@@ -0,0 +1,6 @@
+Allows you to add comments (up to 256 characters) to any rule.
+.TP
+\fB\-\-comment\fP \fIcomment\fP
+.TP
+Example:
+iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN"
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c
new file mode 100644
index 0000000..5ebdd34
--- /dev/null
+++ b/extensions/libxt_connbytes.c
@@ -0,0 +1,199 @@
+/* Shared library add-on to iptables to add byte tracking support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/xt_connbytes.h>
+
+static void connbytes_help(void)
+{
+ printf(
+"connbytes match options:\n"
+" [!] --connbytes from:[to]\n"
+" --connbytes-dir [original, reply, both]\n"
+" --connbytes-mode [packets, bytes, avgpkt]\n");
+}
+
+static const struct option connbytes_opts[] = {
+ { "connbytes", 1, NULL, '1' },
+ { "connbytes-dir", 1, NULL, '2' },
+ { "connbytes-mode", 1, NULL, '3' },
+ { .name = NULL }
+};
+
+static void
+parse_range(const char *arg, struct xt_connbytes_info *si)
+{
+ char *colon,*p;
+
+ si->count.from = strtoul(arg,&colon,10);
+ if (*colon != ':')
+ xtables_error(PARAMETER_PROBLEM, "Bad range \"%s\"", arg);
+ si->count.to = strtoul(colon+1,&p,10);
+ if (p == colon+1) {
+ /* second number omited */
+ si->count.to = 0xffffffff;
+ }
+ if (si->count.from > si->count.to)
+ xtables_error(PARAMETER_PROBLEM, "%llu should be less than %llu",
+ (unsigned long long)si->count.from,
+ (unsigned long long)si->count.to);
+}
+
+static int
+connbytes_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)(*match)->data;
+ unsigned long i;
+
+ switch (c) {
+ case '1':
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv))
+ optind++;
+
+ parse_range(optarg, sinfo);
+ if (invert) {
+ i = sinfo->count.from;
+ sinfo->count.from = sinfo->count.to;
+ sinfo->count.to = i;
+ }
+ *flags |= 1;
+ break;
+ case '2':
+ if (!strcmp(optarg, "original"))
+ sinfo->direction = XT_CONNBYTES_DIR_ORIGINAL;
+ else if (!strcmp(optarg, "reply"))
+ sinfo->direction = XT_CONNBYTES_DIR_REPLY;
+ else if (!strcmp(optarg, "both"))
+ sinfo->direction = XT_CONNBYTES_DIR_BOTH;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "Unknown --connbytes-dir `%s'", optarg);
+
+ *flags |= 2;
+ break;
+ case '3':
+ if (!strcmp(optarg, "packets"))
+ sinfo->what = XT_CONNBYTES_PKTS;
+ else if (!strcmp(optarg, "bytes"))
+ sinfo->what = XT_CONNBYTES_BYTES;
+ else if (!strcmp(optarg, "avgpkt"))
+ sinfo->what = XT_CONNBYTES_AVGPKT;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "Unknown --connbytes-mode `%s'", optarg);
+ *flags |= 4;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void connbytes_check(unsigned int flags)
+{
+ if (flags != 7)
+ xtables_error(PARAMETER_PROBLEM, "You must specify `--connbytes'"
+ "`--connbytes-dir' and `--connbytes-mode'");
+}
+
+static void print_mode(const struct xt_connbytes_info *sinfo)
+{
+ switch (sinfo->what) {
+ case XT_CONNBYTES_PKTS:
+ fputs("packets ", stdout);
+ break;
+ case XT_CONNBYTES_BYTES:
+ fputs("bytes ", stdout);
+ break;
+ case XT_CONNBYTES_AVGPKT:
+ fputs("avgpkt ", stdout);
+ break;
+ default:
+ fputs("unknown ", stdout);
+ break;
+ }
+}
+
+static void print_direction(const struct xt_connbytes_info *sinfo)
+{
+ switch (sinfo->direction) {
+ case XT_CONNBYTES_DIR_ORIGINAL:
+ fputs("original ", stdout);
+ break;
+ case XT_CONNBYTES_DIR_REPLY:
+ fputs("reply ", stdout);
+ break;
+ case XT_CONNBYTES_DIR_BOTH:
+ fputs("both ", stdout);
+ break;
+ default:
+ fputs("unknown ", stdout);
+ break;
+ }
+}
+
+static void
+connbytes_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_connbytes_info *sinfo = (const void *)match->data;
+
+ if (sinfo->count.from > sinfo->count.to)
+ printf("connbytes ! %llu:%llu ",
+ (unsigned long long)sinfo->count.to,
+ (unsigned long long)sinfo->count.from);
+ else
+ printf("connbytes %llu:%llu ",
+ (unsigned long long)sinfo->count.from,
+ (unsigned long long)sinfo->count.to);
+
+ fputs("connbytes mode ", stdout);
+ print_mode(sinfo);
+
+ fputs("connbytes direction ", stdout);
+ print_direction(sinfo);
+}
+
+static void connbytes_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_connbytes_info *sinfo = (const void *)match->data;
+
+ if (sinfo->count.from > sinfo->count.to)
+ printf("! --connbytes %llu:%llu ",
+ (unsigned long long)sinfo->count.to,
+ (unsigned long long)sinfo->count.from);
+ else
+ printf("--connbytes %llu:%llu ",
+ (unsigned long long)sinfo->count.from,
+ (unsigned long long)sinfo->count.to);
+
+ fputs("--connbytes-mode ", stdout);
+ print_mode(sinfo);
+
+ fputs("--connbytes-dir ", stdout);
+ print_direction(sinfo);
+}
+
+static struct xtables_match connbytes_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "connbytes",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_connbytes_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)),
+ .help = connbytes_help,
+ .parse = connbytes_parse,
+ .final_check = connbytes_check,
+ .print = connbytes_print,
+ .save = connbytes_save,
+ .extra_opts = connbytes_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&connbytes_match);
+}
diff --git a/extensions/libxt_connbytes.man b/extensions/libxt_connbytes.man
new file mode 100644
index 0000000..0504a55
--- /dev/null
+++ b/extensions/libxt_connbytes.man
@@ -0,0 +1,36 @@
+Match by how many bytes or packets a connection (or one of the two
+flows constituting the connection) has transferred so far, or by
+average bytes per packet.
+.PP
+The counters are 64-bit and are thus not expected to overflow ;)
+.PP
+The primary use is to detect long-lived downloads and mark them to be
+scheduled using a lower priority band in traffic control.
+.PP
+The transferred bytes per connection can also be viewed through
+`conntrack \-L` and accessed via ctnetlink.
+.PP
+NOTE that for connections which have no accounting information, the match will
+always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls
+whether \fBnew\fP connections will be byte/packet counted. Existing connection
+flows will not be gaining/losing a/the accounting structure when be sysctl flag
+is flipped.
+.TP
+[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP]
+match packets from a connection whose packets/bytes/average packet
+size is more than FROM and less than TO bytes/packets. if TO is
+omitted only FROM check is done. "!" is used to match packets not
+falling in the range.
+.TP
+\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP}
+which packets to consider
+.TP
+\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP}
+whether to check the amount of packets, number of bytes transferred or
+the average size (in bytes) of all packets received so far. Note that
+when "both" is used together with "avgpkt", and data is going (mainly)
+only in one direction (for example HTTP), the average packet size will
+be about half of the actual data packets.
+.TP
+Example:
+iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ...
diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
new file mode 100644
index 0000000..a215915
--- /dev/null
+++ b/extensions/libxt_connlimit.c
@@ -0,0 +1,216 @@
+/* Shared library add-on to iptables to add connection limit support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_connlimit.h>
+
+static void connlimit_help(void)
+{
+ printf(
+"connlimit match options:\n"
+"[!] --connlimit-above n match if the number of existing "
+" connections is (not) above n\n"
+" --connlimit-mask n group hosts using mask\n");
+}
+
+static const struct option connlimit_opts[] = {
+ {"connlimit-above", 1, NULL, 'A'},
+ {"connlimit-mask", 1, NULL, 'M'},
+ { .name = NULL }
+};
+
+static void connlimit_init(struct xt_entry_match *match)
+{
+ struct xt_connlimit_info *info = (void *)match->data;
+
+ /* This will also initialize the v4 mask correctly */
+ memset(info->v6_mask, 0xFF, sizeof(info->v6_mask));
+}
+
+static void prefix_to_netmask(u_int32_t *mask, unsigned int prefix_len)
+{
+ if (prefix_len == 0) {
+ mask[0] = mask[1] = mask[2] = mask[3] = 0;
+ } else if (prefix_len <= 32) {
+ mask[0] <<= 32 - prefix_len;
+ mask[1] = mask[2] = mask[3] = 0;
+ } else if (prefix_len <= 64) {
+ mask[1] <<= 32 - (prefix_len - 32);
+ mask[2] = mask[3] = 0;
+ } else if (prefix_len <= 96) {
+ mask[2] <<= 32 - (prefix_len - 64);
+ mask[3] = 0;
+ } else if (prefix_len <= 128) {
+ mask[3] <<= 32 - (prefix_len - 96);
+ }
+ mask[0] = htonl(mask[0]);
+ mask[1] = htonl(mask[1]);
+ mask[2] = htonl(mask[2]);
+ mask[3] = htonl(mask[3]);
+}
+
+static int connlimit_parse(int c, char **argv, int invert, unsigned int *flags,
+ struct xt_connlimit_info *info, unsigned int family)
+{
+ char *err;
+ int i;
+
+ switch (c) {
+ case 'A':
+ if (*flags & 0x1)
+ xtables_error(PARAMETER_PROBLEM,
+ "--connlimit-above may be given only once");
+ *flags |= 0x1;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ info->limit = strtoul(optarg, NULL, 0);
+ info->inverse = invert;
+ break;
+ case 'M':
+ if (*flags & 0x2)
+ xtables_error(PARAMETER_PROBLEM,
+ "--connlimit-mask may be given only once");
+
+ *flags |= 0x2;
+ i = strtoul(optarg, &err, 0);
+ if (family == NFPROTO_IPV6) {
+ if (i > 128 || *err != '\0')
+ xtables_error(PARAMETER_PROBLEM,
+ "--connlimit-mask must be between "
+ "0 and 128");
+ prefix_to_netmask(info->v6_mask, i);
+ } else {
+ if (i > 32 || *err != '\0')
+ xtables_error(PARAMETER_PROBLEM,
+ "--connlimit-mask must be between "
+ "0 and 32");
+ if (i == 0)
+ info->v4_mask = 0;
+ else
+ info->v4_mask = htonl(0xFFFFFFFF << (32 - i));
+ }
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static int connlimit_parse4(int c, char **argv, int invert,
+ unsigned int *flags, const void *entry,
+ struct xt_entry_match **match)
+{
+ return connlimit_parse(c, argv, invert, flags,
+ (void *)(*match)->data, NFPROTO_IPV4);
+}
+
+static int connlimit_parse6(int c, char **argv, int invert,
+ unsigned int *flags, const void *entry,
+ struct xt_entry_match **match)
+{
+ return connlimit_parse(c, argv, invert, flags,
+ (void *)(*match)->data, NFPROTO_IPV6);
+}
+
+static void connlimit_check(unsigned int flags)
+{
+ if (!(flags & 0x1))
+ xtables_error(PARAMETER_PROBLEM,
+ "You must specify \"--connlimit-above\"");
+}
+
+static unsigned int count_bits4(u_int32_t mask)
+{
+ unsigned int bits = 0;
+
+ for (mask = ~ntohl(mask); mask != 0; mask >>= 1)
+ ++bits;
+
+ return 32 - bits;
+}
+
+static unsigned int count_bits6(const u_int32_t *mask)
+{
+ unsigned int bits = 0, i;
+ u_int32_t tmp[4];
+
+ for (i = 0; i < 4; ++i)
+ for (tmp[i] = ~ntohl(mask[i]); tmp[i] != 0; tmp[i] >>= 1)
+ ++bits;
+ return 128 - bits;
+}
+
+static void connlimit_print4(const void *ip,
+ const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_connlimit_info *info = (const void *)match->data;
+
+ printf("#conn/%u %s %u ", count_bits4(info->v4_mask),
+ info->inverse ? "<=" : ">", info->limit);
+}
+
+static void connlimit_print6(const void *ip,
+ const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_connlimit_info *info = (const void *)match->data;
+ printf("#conn/%u %s %u ", count_bits6(info->v6_mask),
+ info->inverse ? "<=" : ">", info->limit);
+}
+
+static void connlimit_save4(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_connlimit_info *info = (const void *)match->data;
+
+ printf("%s--connlimit-above %u --connlimit-mask %u ",
+ info->inverse ? "! " : "", info->limit,
+ count_bits4(info->v4_mask));
+}
+
+static void connlimit_save6(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_connlimit_info *info = (const void *)match->data;
+
+ printf("%s--connlimit-above %u --connlimit-mask %u ",
+ info->inverse ? "! " : "", info->limit,
+ count_bits6(info->v6_mask));
+}
+
+static struct xtables_match connlimit_mt_reg[] = {
+ {
+ .name = "connlimit",
+ .family = NFPROTO_IPV4,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_connlimit_info)),
+ .userspacesize = offsetof(struct xt_connlimit_info, data),
+ .help = connlimit_help,
+ .init = connlimit_init,
+ .parse = connlimit_parse4,
+ .final_check = connlimit_check,
+ .print = connlimit_print4,
+ .save = connlimit_save4,
+ .extra_opts = connlimit_opts,
+ },
+ {
+ .name = "connlimit",
+ .family = NFPROTO_IPV6,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_connlimit_info)),
+ .userspacesize = offsetof(struct xt_connlimit_info, data),
+ .help = connlimit_help,
+ .init = connlimit_init,
+ .parse = connlimit_parse6,
+ .final_check = connlimit_check,
+ .print = connlimit_print6,
+ .save = connlimit_save6,
+ .extra_opts = connlimit_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
+}
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
new file mode 100644
index 0000000..c85d768
--- /dev/null
+++ b/extensions/libxt_connlimit.man
@@ -0,0 +1,27 @@
+Allows you to restrict the number of parallel connections to a server per
+client IP address (or client address block).
+.TP
+[\fB!\fP] \fB\-\-connlimit\-above\fP \fIn\fP
+Match if the number of existing connections is (not) above \fIn\fR.
+.TP
+\fB\-\-connlimit\-mask\fP \fIprefix_length\fP
+Group hosts using the prefix length. For IPv4, this must be a number between
+(including) 0 and 32. For IPv6, between 0 and 128.
+.P
+Examples:
+.TP
+# allow 2 telnet connections per client host
+iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT
+.TP
+# you can also match the other way around:
+iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit ! \-\-connlimit\-above 2 \-j ACCEPT
+.TP
+# limit the number of parallel HTTP requests to 16 per class C sized \
+network (24 bit netmask)
+iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
+\-\-connlimit\-mask 24 \-j REJECT
+.TP
+# limit the number of parallel HTTP requests to 16 for the link local network
+(ipv6)
+ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above
+16 \-\-connlimit\-mask 64 \-j REJECT
diff --git a/extensions/libxt_connmark.c b/extensions/libxt_connmark.c
new file mode 100644
index 0000000..38aa563
--- /dev/null
+++ b/extensions/libxt_connmark.c
@@ -0,0 +1,205 @@
+/* Shared library add-on to iptables to add connmark matching support.
+ *
+ * (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * Version 1.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_connmark.h>
+
+struct xt_connmark_info {
+ unsigned long mark, mask;
+ u_int8_t invert;
+};
+
+enum {
+ F_MARK = 1 << 0,
+};
+
+static void connmark_mt_help(void)
+{
+ printf(
+"connmark match options:\n"
+"[!] --mark value[/mask] Match ctmark value with optional mask\n");
+}
+
+static const struct option connmark_mt_opts[] = {
+ {.name = "mark", .has_arg = true, .val = '1'},
+ { .name = NULL }
+};
+
+static int
+connmark_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_connmark_mtinfo1 *info = (void *)(*match)->data;
+ unsigned int mark, mask = UINT32_MAX;
+ char *end;
+
+ switch (c) {
+ case '1': /* --mark */
+ xtables_param_act(XTF_ONLY_ONCE, "connmark", "--mark", *flags & F_MARK);
+ if (!xtables_strtoui(optarg, &end, &mark, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "connmark", "--mark", optarg);
+ if (*end == '/')
+ if (!xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "connmark", "--mark", optarg);
+ if (*end != '\0')
+ xtables_param_act(XTF_BAD_VALUE, "connmark", "--mark", optarg);
+
+ if (invert)
+ info->invert = true;
+ info->mark = mark;
+ info->mask = mask;
+ *flags |= F_MARK;
+ return true;
+ }
+ return false;
+}
+
+static int
+connmark_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_connmark_info *markinfo = (struct xt_connmark_info *)(*match)->data;
+
+ switch (c) {
+ char *end;
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ markinfo->mark = strtoul(optarg, &end, 0);
+ markinfo->mask = 0xffffffffUL;
+
+ if (*end == '/')
+ markinfo->mask = strtoul(end+1, &end, 0);
+
+ if (*end != '\0' || end == optarg)
+ xtables_error(PARAMETER_PROBLEM, "Bad MARK value \"%s\"", optarg);
+ if (invert)
+ markinfo->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void print_mark(unsigned int mark, unsigned int mask)
+{
+ if (mask != 0xffffffffU)
+ printf("0x%x/0x%x ", mark, mask);
+ else
+ printf("0x%x ", mark);
+}
+
+static void connmark_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "connmark: The --mark option is required");
+}
+
+static void
+connmark_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_connmark_info *info = (const void *)match->data;
+
+ printf("CONNMARK match ");
+ if (info->invert)
+ printf("!");
+ print_mark(info->mark, info->mask);
+}
+
+static void
+connmark_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_connmark_mtinfo1 *info = (const void *)match->data;
+
+ printf("connmark match ");
+ if (info->invert)
+ printf("!");
+ print_mark(info->mark, info->mask);
+}
+
+static void connmark_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_connmark_info *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ printf("--mark ");
+ print_mark(info->mark, info->mask);
+}
+
+static void
+connmark_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_connmark_mtinfo1 *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ printf("--mark ");
+ print_mark(info->mark, info->mask);
+}
+
+static struct xtables_match connmark_mt_reg[] = {
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "connmark",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_connmark_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)),
+ .help = connmark_mt_help,
+ .parse = connmark_parse,
+ .final_check = connmark_mt_check,
+ .print = connmark_print,
+ .save = connmark_save,
+ .extra_opts = connmark_mt_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "connmark",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)),
+ .help = connmark_mt_help,
+ .parse = connmark_mt_parse,
+ .final_check = connmark_mt_check,
+ .print = connmark_mt_print,
+ .save = connmark_mt_save,
+ .extra_opts = connmark_mt_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(connmark_mt_reg, ARRAY_SIZE(connmark_mt_reg));
+}
diff --git a/extensions/libxt_connmark.man b/extensions/libxt_connmark.man
new file mode 100644
index 0000000..ee87d9e
--- /dev/null
+++ b/extensions/libxt_connmark.man
@@ -0,0 +1,6 @@
+This module matches the netfilter mark field associated with a connection
+(which can be set using the \fBCONNMARK\fR target below).
+.TP
+[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
+Matches packets in connections with the given mark value (if a mask is
+specified, this is logically ANDed with the mark before the comparison).
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
new file mode 100644
index 0000000..5557d3e
--- /dev/null
+++ b/extensions/libxt_conntrack.c
@@ -0,0 +1,1243 @@
+/*
+ * libxt_conntrack
+ * Shared library add-on to iptables for conntrack matching support.
+ *
+ * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <ctype.h>
+#include <getopt.h>
+#include <netdb.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/xt_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <arpa/inet.h>
+
+struct ip_conntrack_old_tuple {
+ struct {
+ __be32 ip;
+ union {
+ __u16 all;
+ } u;
+ } src;
+
+ struct {
+ __be32 ip;
+ union {
+ __u16 all;
+ } u;
+
+ /* The protocol. */
+ __u16 protonum;
+ } dst;
+};
+
+struct xt_conntrack_info {
+ unsigned int statemask, statusmask;
+
+ struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
+ struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
+
+ unsigned long expires_min, expires_max;
+
+ /* Flags word */
+ u_int8_t flags;
+ /* Inverse flags */
+ u_int8_t invflags;
+};
+
+static void conntrack_mt_help(void)
+{
+ printf(
+"conntrack match options:\n"
+"[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]\n"
+" State(s) to match\n"
+"[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n"
+"[!] --ctorigsrc address[/mask]\n"
+"[!] --ctorigdst address[/mask]\n"
+"[!] --ctreplsrc address[/mask]\n"
+"[!] --ctrepldst address[/mask]\n"
+" Original/Reply source/destination address\n"
+"[!] --ctorigsrcport port\n"
+"[!] --ctorigdstport port\n"
+"[!] --ctreplsrcport port\n"
+"[!] --ctrepldstport port\n"
+" TCP/UDP/SCTP orig./reply source/destination port\n"
+"[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n"
+" Status(es) to match\n"
+"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
+" value or range of values (inclusive)\n"
+" --ctdir {ORIGINAL|REPLY} Flow direction of packet\n");
+}
+
+static const struct option conntrack_mt_opts_v0[] = {
+ {.name = "ctstate", .has_arg = true, .val = '1'},
+ {.name = "ctproto", .has_arg = true, .val = '2'},
+ {.name = "ctorigsrc", .has_arg = true, .val = '3'},
+ {.name = "ctorigdst", .has_arg = true, .val = '4'},
+ {.name = "ctreplsrc", .has_arg = true, .val = '5'},
+ {.name = "ctrepldst", .has_arg = true, .val = '6'},
+ {.name = "ctstatus", .has_arg = true, .val = '7'},
+ {.name = "ctexpire", .has_arg = true, .val = '8'},
+ { .name = NULL }
+};
+
+static const struct option conntrack_mt_opts[] = {
+ {.name = "ctstate", .has_arg = true, .val = '1'},
+ {.name = "ctproto", .has_arg = true, .val = '2'},
+ {.name = "ctorigsrc", .has_arg = true, .val = '3'},
+ {.name = "ctorigdst", .has_arg = true, .val = '4'},
+ {.name = "ctreplsrc", .has_arg = true, .val = '5'},
+ {.name = "ctrepldst", .has_arg = true, .val = '6'},
+ {.name = "ctstatus", .has_arg = true, .val = '7'},
+ {.name = "ctexpire", .has_arg = true, .val = '8'},
+ {.name = "ctorigsrcport", .has_arg = true, .val = 'a'},
+ {.name = "ctorigdstport", .has_arg = true, .val = 'b'},
+ {.name = "ctreplsrcport", .has_arg = true, .val = 'c'},
+ {.name = "ctrepldstport", .has_arg = true, .val = 'd'},
+ {.name = "ctdir", .has_arg = true, .val = 'e'},
+ {.name = NULL},
+};
+
+static int
+parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo)
+{
+ if (strncasecmp(state, "INVALID", len) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_INVALID;
+ else if (strncasecmp(state, "NEW", len) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
+ else if (strncasecmp(state, "ESTABLISHED", len) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
+ else if (strncasecmp(state, "RELATED", len) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
+ else if (strncasecmp(state, "UNTRACKED", len) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED;
+ else if (strncasecmp(state, "SNAT", len) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_SNAT;
+ else if (strncasecmp(state, "DNAT", len) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_DNAT;
+ else
+ return 0;
+ return 1;
+}
+
+static void
+parse_states(const char *arg, struct xt_conntrack_info *sinfo)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !parse_state(arg, comma-arg, sinfo))
+ xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
+ arg = comma+1;
+ }
+ if (!*arg)
+ xtables_error(PARAMETER_PROBLEM, "\"--ctstate\" requires a list of "
+ "states with no spaces, e.g. "
+ "ESTABLISHED,RELATED");
+ if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
+ xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
+}
+
+static bool
+conntrack_ps_state(struct xt_conntrack_mtinfo2 *info, const char *state,
+ size_t z)
+{
+ if (strncasecmp(state, "INVALID", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_INVALID;
+ else if (strncasecmp(state, "NEW", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
+ else if (strncasecmp(state, "ESTABLISHED", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
+ else if (strncasecmp(state, "RELATED", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
+ else if (strncasecmp(state, "UNTRACKED", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_UNTRACKED;
+ else if (strncasecmp(state, "SNAT", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_SNAT;
+ else if (strncasecmp(state, "DNAT", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_DNAT;
+ else
+ return false;
+ return true;
+}
+
+static void
+conntrack_ps_states(struct xt_conntrack_mtinfo2 *info, const char *arg)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !conntrack_ps_state(info, arg, comma - arg))
+ xtables_error(PARAMETER_PROBLEM,
+ "Bad ctstate \"%s\"", arg);
+ arg = comma + 1;
+ }
+
+ if (strlen(arg) == 0 || !conntrack_ps_state(info, arg, strlen(arg)))
+ xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
+}
+
+static int
+parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo)
+{
+ if (strncasecmp(status, "NONE", len) == 0)
+ sinfo->statusmask |= 0;
+ else if (strncasecmp(status, "EXPECTED", len) == 0)
+ sinfo->statusmask |= IPS_EXPECTED;
+ else if (strncasecmp(status, "SEEN_REPLY", len) == 0)
+ sinfo->statusmask |= IPS_SEEN_REPLY;
+ else if (strncasecmp(status, "ASSURED", len) == 0)
+ sinfo->statusmask |= IPS_ASSURED;
+#ifdef IPS_CONFIRMED
+ else if (strncasecmp(status, "CONFIRMED", len) == 0)
+ sinfo->statusmask |= IPS_CONFIRMED;
+#endif
+ else
+ return 0;
+ return 1;
+}
+
+static void
+parse_statuses(const char *arg, struct xt_conntrack_info *sinfo)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !parse_status(arg, comma-arg, sinfo))
+ xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
+ arg = comma+1;
+ }
+
+ if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo))
+ xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
+}
+
+static bool
+conntrack_ps_status(struct xt_conntrack_mtinfo2 *info, const char *status,
+ size_t z)
+{
+ if (strncasecmp(status, "NONE", z) == 0)
+ info->status_mask |= 0;
+ else if (strncasecmp(status, "EXPECTED", z) == 0)
+ info->status_mask |= IPS_EXPECTED;
+ else if (strncasecmp(status, "SEEN_REPLY", z) == 0)
+ info->status_mask |= IPS_SEEN_REPLY;
+ else if (strncasecmp(status, "ASSURED", z) == 0)
+ info->status_mask |= IPS_ASSURED;
+ else if (strncasecmp(status, "CONFIRMED", z) == 0)
+ info->status_mask |= IPS_CONFIRMED;
+ else
+ return false;
+ return true;
+}
+
+static void
+conntrack_ps_statuses(struct xt_conntrack_mtinfo2 *info, const char *arg)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !conntrack_ps_status(info, arg, comma - arg))
+ xtables_error(PARAMETER_PROBLEM,
+ "Bad ctstatus \"%s\"", arg);
+ arg = comma + 1;
+ }
+
+ if (strlen(arg) == 0 || !conntrack_ps_status(info, arg, strlen(arg)))
+ xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
+}
+
+static unsigned long
+parse_expire(const char *s)
+{
+ unsigned int len;
+
+ if (!xtables_strtoui(s, NULL, &len, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM, "expire value invalid: \"%s\"\n", s);
+ else
+ return len;
+}
+
+/* If a single value is provided, min and max are both set to the value */
+static void
+parse_expires(const char *s, struct xt_conntrack_info *sinfo)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(s);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ sinfo->expires_min = sinfo->expires_max =
+ parse_expire(buffer);
+ else {
+ *cp = '\0';
+ cp++;
+
+ sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
+ sinfo->expires_max = cp[0]
+ ? parse_expire(cp)
+ : (unsigned long)-1;
+ }
+ free(buffer);
+
+ if (sinfo->expires_min > sinfo->expires_max)
+ xtables_error(PARAMETER_PROBLEM,
+ "expire min. range value `%lu' greater than max. "
+ "range value `%lu'", sinfo->expires_min, sinfo->expires_max);
+}
+
+static void
+conntrack_ps_expires(struct xt_conntrack_mtinfo2 *info, const char *s)
+{
+ unsigned int min, max;
+ char *end;
+
+ if (!xtables_strtoui(s, &end, &min, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s);
+ max = min;
+ if (*end == ':')
+ if (!xtables_strtoui(end + 1, &end, &max, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s);
+ if (*end != '\0')
+ xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s);
+
+ if (min > max)
+ xtables_error(PARAMETER_PROBLEM,
+ "expire min. range value \"%u\" greater than max. "
+ "range value \"%u\"", min, max);
+
+ info->expires_min = min;
+ info->expires_max = max;
+}
+
+static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_conntrack_info *sinfo = (void *)(*match)->data;
+ char *protocol = NULL;
+ unsigned int naddrs = 0;
+ struct in_addr *addrs = NULL;
+
+
+ switch (c) {
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ parse_states(optarg, sinfo);
+ if (invert) {
+ sinfo->invflags |= XT_CONNTRACK_STATE;
+ }
+ sinfo->flags |= XT_CONNTRACK_STATE;
+ break;
+
+ case '2':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if(invert)
+ sinfo->invflags |= XT_CONNTRACK_PROTO;
+
+ /* Canonicalize into lower case */
+ for (protocol = optarg; *protocol; protocol++)
+ *protocol = tolower(*protocol);
+
+ protocol = optarg;
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum =
+ xtables_parse_protocol(protocol);
+
+ if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
+ && (sinfo->invflags & XT_INV_PROTO))
+ xtables_error(PARAMETER_PROBLEM,
+ "rule would never match protocol");
+
+ sinfo->flags |= XT_CONNTRACK_PROTO;
+ break;
+
+ case '3':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_ORIGSRC;
+
+ xtables_ipparse_any(optarg, &addrs,
+ &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
+ &naddrs);
+ if(naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_ORIGSRC;
+ break;
+
+ case '4':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_ORIGDST;
+
+ xtables_ipparse_any(optarg, &addrs,
+ &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
+ &naddrs);
+ if(naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_ORIGDST;
+ break;
+
+ case '5':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_REPLSRC;
+
+ xtables_ipparse_any(optarg, &addrs,
+ &sinfo->sipmsk[IP_CT_DIR_REPLY],
+ &naddrs);
+ if(naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_REPLSRC;
+ break;
+
+ case '6':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_REPLDST;
+
+ xtables_ipparse_any(optarg, &addrs,
+ &sinfo->dipmsk[IP_CT_DIR_REPLY],
+ &naddrs);
+ if(naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_REPLDST;
+ break;
+
+ case '7':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ parse_statuses(optarg, sinfo);
+ if (invert) {
+ sinfo->invflags |= XT_CONNTRACK_STATUS;
+ }
+ sinfo->flags |= XT_CONNTRACK_STATUS;
+ break;
+
+ case '8':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ parse_expires(optarg, sinfo);
+ if (invert) {
+ sinfo->invflags |= XT_CONNTRACK_EXPIRES;
+ }
+ sinfo->flags |= XT_CONNTRACK_EXPIRES;
+ break;
+
+ default:
+ return 0;
+ }
+
+ *flags = sinfo->flags;
+ return 1;
+}
+
+static int
+conntrack_mt_parse(int c, bool invert, unsigned int *flags,
+ struct xt_conntrack_mtinfo2 *info)
+{
+ unsigned int port;
+ char *p;
+
+ switch (c) {
+ case '1': /* --ctstate */
+ conntrack_ps_states(info, optarg);
+ info->match_flags |= XT_CONNTRACK_STATE;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_STATE;
+ break;
+
+ case '2': /* --ctproto */
+ /* Canonicalize into lower case */
+ for (p = optarg; *p != '\0'; ++p)
+ *p = tolower(*p);
+ info->l4proto = xtables_parse_protocol(optarg);
+
+ if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
+ xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
+ "never match protocol");
+
+ info->match_flags |= XT_CONNTRACK_PROTO;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_PROTO;
+ break;
+
+ case '7': /* --ctstatus */
+ conntrack_ps_statuses(info, optarg);
+ info->match_flags |= XT_CONNTRACK_STATUS;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_STATUS;
+ break;
+
+ case '8': /* --ctexpire */
+ conntrack_ps_expires(info, optarg);
+ info->match_flags |= XT_CONNTRACK_EXPIRES;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_EXPIRES;
+ break;
+
+ case 'a': /* --ctorigsrcport */
+ if (!xtables_strtoui(optarg, NULL, &port, 0, UINT16_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "conntrack",
+ "--ctorigsrcport", optarg);
+ info->match_flags |= XT_CONNTRACK_ORIGSRC_PORT;
+ info->origsrc_port = htons(port);
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGSRC_PORT;
+ break;
+
+ case 'b': /* --ctorigdstport */
+ if (!xtables_strtoui(optarg, NULL, &port, 0, UINT16_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "conntrack",
+ "--ctorigdstport", optarg);
+ info->match_flags |= XT_CONNTRACK_ORIGDST_PORT;
+ info->origdst_port = htons(port);
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGDST_PORT;
+ break;
+
+ case 'c': /* --ctreplsrcport */
+ if (!xtables_strtoui(optarg, NULL, &port, 0, UINT16_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "conntrack",
+ "--ctreplsrcport", optarg);
+ info->match_flags |= XT_CONNTRACK_REPLSRC_PORT;
+ info->replsrc_port = htons(port);
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLSRC_PORT;
+ break;
+
+ case 'd': /* --ctrepldstport */
+ if (!xtables_strtoui(optarg, NULL, &port, 0, UINT16_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "conntrack",
+ "--ctrepldstport", optarg);
+ info->match_flags |= XT_CONNTRACK_REPLDST_PORT;
+ info->repldst_port = htons(port);
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLDST_PORT;
+ break;
+
+ case 'e': /* --ctdir */
+ xtables_param_act(XTF_NO_INVERT, "conntrack", "--ctdir", invert);
+ if (strcasecmp(optarg, "ORIGINAL") == 0) {
+ info->match_flags |= XT_CONNTRACK_DIRECTION;
+ info->invert_flags &= ~XT_CONNTRACK_DIRECTION;
+ } else if (strcasecmp(optarg, "REPLY") == 0) {
+ info->match_flags |= XT_CONNTRACK_DIRECTION;
+ info->invert_flags |= XT_CONNTRACK_DIRECTION;
+ } else {
+ xtables_param_act(XTF_BAD_VALUE, "conntrack", "--ctdir", optarg);
+ }
+ break;
+
+ default:
+ return false;
+ }
+
+ *flags = info->match_flags;
+ return true;
+}
+
+static int
+conntrack_mt4_parse(int c, bool invert, unsigned int *flags,
+ struct xt_conntrack_mtinfo2 *info)
+{
+ struct in_addr *addr = NULL;
+ unsigned int naddrs = 0;
+
+ switch (c) {
+ case '3': /* --ctorigsrc */
+ xtables_ipparse_any(optarg, &addr, &info->origsrc_mask.in,
+ &naddrs);
+ if (naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->origsrc_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_ORIGSRC;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGSRC;
+ break;
+
+ case '4': /* --ctorigdst */
+ xtables_ipparse_any(optarg, &addr, &info->origdst_mask.in,
+ &naddrs);
+ if (naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_ORIGDST;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGDST;
+ break;
+
+ case '5': /* --ctreplsrc */
+ xtables_ipparse_any(optarg, &addr, &info->replsrc_mask.in,
+ &naddrs);
+ if (naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_REPLSRC;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLSRC;
+ break;
+
+ case '6': /* --ctrepldst */
+ xtables_ipparse_any(optarg, &addr, &info->repldst_mask.in,
+ &naddrs);
+ if (naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_REPLDST;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLDST;
+ break;
+
+
+ default:
+ return conntrack_mt_parse(c, invert, flags, info);
+ }
+
+ *flags = info->match_flags;
+ return true;
+}
+
+static int
+conntrack_mt6_parse(int c, bool invert, unsigned int *flags,
+ struct xt_conntrack_mtinfo2 *info)
+{
+ struct in6_addr *addr = NULL;
+ unsigned int naddrs = 0;
+
+ switch (c) {
+ case '3': /* --ctorigsrc */
+ xtables_ip6parse_any(optarg, &addr,
+ &info->origsrc_mask.in6, &naddrs);
+ if (naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->origsrc_addr.in6, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_ORIGSRC;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGSRC;
+ break;
+
+ case '4': /* --ctorigdst */
+ xtables_ip6parse_any(optarg, &addr,
+ &info->origdst_mask.in6, &naddrs);
+ if (naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_ORIGDST;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGDST;
+ break;
+
+ case '5': /* --ctreplsrc */
+ xtables_ip6parse_any(optarg, &addr,
+ &info->replsrc_mask.in6, &naddrs);
+ if (naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_REPLSRC;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLSRC;
+ break;
+
+ case '6': /* --ctrepldst */
+ xtables_ip6parse_any(optarg, &addr,
+ &info->repldst_mask.in6, &naddrs);
+ if (naddrs > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_REPLDST;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLDST;
+ break;
+
+
+ default:
+ return conntrack_mt_parse(c, invert, flags, info);
+ }
+
+ *flags = info->match_flags;
+ return true;
+}
+
+#define cinfo_transform(r, l) \
+ do { \
+ memcpy((r), (l), offsetof(typeof(*(l)), state_mask)); \
+ (r)->state_mask = (l)->state_mask; \
+ (r)->status_mask = (l)->status_mask; \
+ } while (false);
+
+static int
+conntrack1_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ if (!conntrack_mt4_parse(c, invert, flags, &up))
+ return false;
+ cinfo_transform(info, &up);
+ return true;
+}
+
+static int
+conntrack1_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ if (!conntrack_mt6_parse(c, invert, flags, &up))
+ return false;
+ cinfo_transform(info, &up);
+ return true;
+}
+
+static int
+conntrack2_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return conntrack_mt4_parse(c, invert, flags, (void *)(*match)->data);
+}
+
+static int
+conntrack2_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return conntrack_mt6_parse(c, invert, flags, (void *)(*match)->data);
+}
+
+static void conntrack_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM, "conntrack: At least one option "
+ "is required");
+}
+
+static void
+print_state(unsigned int statemask)
+{
+ const char *sep = "";
+
+ if (statemask & XT_CONNTRACK_STATE_INVALID) {
+ printf("%sINVALID", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
+ printf("%sNEW", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
+ printf("%sRELATED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
+ printf("%sESTABLISHED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
+ printf("%sUNTRACKED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_SNAT) {
+ printf("%sSNAT", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_DNAT) {
+ printf("%sDNAT", sep);
+ sep = ",";
+ }
+ printf(" ");
+}
+
+static void
+print_status(unsigned int statusmask)
+{
+ const char *sep = "";
+
+ if (statusmask & IPS_EXPECTED) {
+ printf("%sEXPECTED", sep);
+ sep = ",";
+ }
+ if (statusmask & IPS_SEEN_REPLY) {
+ printf("%sSEEN_REPLY", sep);
+ sep = ",";
+ }
+ if (statusmask & IPS_ASSURED) {
+ printf("%sASSURED", sep);
+ sep = ",";
+ }
+ if (statusmask & IPS_CONFIRMED) {
+ printf("%sCONFIRMED", sep);
+ sep = ",";
+ }
+ if (statusmask == 0)
+ printf("%sNONE", sep);
+ printf(" ");
+}
+
+static void
+conntrack_dump_addr(const union nf_inet_addr *addr,
+ const union nf_inet_addr *mask,
+ unsigned int family, bool numeric)
+{
+ if (family == NFPROTO_IPV4) {
+ if (!numeric && addr->ip == 0) {
+ printf("anywhere ");
+ return;
+ }
+ if (numeric)
+ printf("%s%s ",
+ xtables_ipaddr_to_numeric(&addr->in),
+ xtables_ipmask_to_numeric(&mask->in));
+ else
+ printf("%s%s ",
+ xtables_ipaddr_to_anyname(&addr->in),
+ xtables_ipmask_to_numeric(&mask->in));
+ } else if (family == NFPROTO_IPV6) {
+ if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
+ addr->ip6[2] == 0 && addr->ip6[3] == 0) {
+ printf("anywhere ");
+ return;
+ }
+ if (numeric)
+ printf("%s%s ",
+ xtables_ip6addr_to_numeric(&addr->in6),
+ xtables_ip6mask_to_numeric(&mask->in6));
+ else
+ printf("%s%s ",
+ xtables_ip6addr_to_anyname(&addr->in6),
+ xtables_ip6mask_to_numeric(&mask->in6));
+ }
+}
+
+static void
+print_addr(const struct in_addr *addr, const struct in_addr *mask,
+ int inv, int numeric)
+{
+ char buf[BUFSIZ];
+
+ if (inv)
+ printf("! ");
+
+ if (mask->s_addr == 0L && !numeric)
+ printf("%s ", "anywhere");
+ else {
+ if (numeric)
+ strcpy(buf, xtables_ipaddr_to_numeric(addr));
+ else
+ strcpy(buf, xtables_ipaddr_to_anyname(addr));
+ strcat(buf, xtables_ipmask_to_numeric(mask));
+ printf("%s ", buf);
+ }
+}
+
+static void
+matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx)
+{
+ const struct xt_conntrack_info *sinfo = (const void *)match->data;
+
+ if(sinfo->flags & XT_CONNTRACK_STATE) {
+ if (sinfo->invflags & XT_CONNTRACK_STATE)
+ printf("! ");
+ printf("%sctstate ", optpfx);
+ print_state(sinfo->statemask);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_PROTO) {
+ if (sinfo->invflags & XT_CONNTRACK_PROTO)
+ printf("! ");
+ printf("%sctproto ", optpfx);
+ printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
+ if (sinfo->invflags & XT_CONNTRACK_ORIGSRC)
+ printf("! ");
+ printf("%sctorigsrc ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
+ &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
+ false,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
+ if (sinfo->invflags & XT_CONNTRACK_ORIGDST)
+ printf("! ");
+ printf("%sctorigdst ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
+ &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
+ false,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
+ if (sinfo->invflags & XT_CONNTRACK_REPLSRC)
+ printf("! ");
+ printf("%sctreplsrc ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
+ &sinfo->sipmsk[IP_CT_DIR_REPLY],
+ false,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_REPLDST) {
+ if (sinfo->invflags & XT_CONNTRACK_REPLDST)
+ printf("! ");
+ printf("%sctrepldst ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
+ &sinfo->dipmsk[IP_CT_DIR_REPLY],
+ false,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_STATUS) {
+ if (sinfo->invflags & XT_CONNTRACK_STATUS)
+ printf("! ");
+ printf("%sctstatus ", optpfx);
+ print_status(sinfo->statusmask);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
+ if (sinfo->invflags & XT_CONNTRACK_EXPIRES)
+ printf("! ");
+ printf("%sctexpire ", optpfx);
+
+ if (sinfo->expires_max == sinfo->expires_min)
+ printf("%lu ", sinfo->expires_min);
+ else
+ printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max);
+ }
+
+ if (sinfo->flags & XT_CONNTRACK_DIRECTION) {
+ if (sinfo->invflags & XT_CONNTRACK_DIRECTION)
+ printf("%sctdir REPLY", optpfx);
+ else
+ printf("%sctdir ORIGINAL", optpfx);
+ }
+
+}
+
+static void
+conntrack_dump(const struct xt_conntrack_mtinfo2 *info, const char *prefix,
+ unsigned int family, bool numeric)
+{
+ if (info->match_flags & XT_CONNTRACK_STATE) {
+ if (info->invert_flags & XT_CONNTRACK_STATE)
+ printf("! ");
+ printf("%sctstate ", prefix);
+ print_state(info->state_mask);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_PROTO) {
+ if (info->invert_flags & XT_CONNTRACK_PROTO)
+ printf("! ");
+ printf("%sctproto %u ", prefix, info->l4proto);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_ORIGSRC) {
+ if (info->invert_flags & XT_CONNTRACK_ORIGSRC)
+ printf("! ");
+ printf("%sctorigsrc ", prefix);
+ conntrack_dump_addr(&info->origsrc_addr, &info->origsrc_mask,
+ family, numeric);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_ORIGDST) {
+ if (info->invert_flags & XT_CONNTRACK_ORIGDST)
+ printf("! ");
+ printf("%sctorigdst ", prefix);
+ conntrack_dump_addr(&info->origdst_addr, &info->origdst_mask,
+ family, numeric);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_REPLSRC) {
+ if (info->invert_flags & XT_CONNTRACK_REPLSRC)
+ printf("! ");
+ printf("%sctreplsrc ", prefix);
+ conntrack_dump_addr(&info->replsrc_addr, &info->replsrc_mask,
+ family, numeric);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_REPLDST) {
+ if (info->invert_flags & XT_CONNTRACK_REPLDST)
+ printf("! ");
+ printf("%sctrepldst ", prefix);
+ conntrack_dump_addr(&info->repldst_addr, &info->repldst_mask,
+ family, numeric);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) {
+ if (info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT)
+ printf("! ");
+ printf("%sctorigsrcport %u ", prefix,
+ ntohs(info->origsrc_port));
+ }
+
+ if (info->match_flags & XT_CONNTRACK_ORIGDST_PORT) {
+ if (info->invert_flags & XT_CONNTRACK_ORIGDST_PORT)
+ printf("! ");
+ printf("%sctorigdstport %u ", prefix,
+ ntohs(info->origdst_port));
+ }
+
+ if (info->match_flags & XT_CONNTRACK_REPLSRC_PORT) {
+ if (info->invert_flags & XT_CONNTRACK_REPLSRC_PORT)
+ printf("! ");
+ printf("%sctreplsrcport %u ", prefix,
+ ntohs(info->replsrc_port));
+ }
+
+ if (info->match_flags & XT_CONNTRACK_REPLDST_PORT) {
+ if (info->invert_flags & XT_CONNTRACK_REPLDST_PORT)
+ printf("! ");
+ printf("%sctrepldstport %u ", prefix,
+ ntohs(info->repldst_port));
+ }
+
+ if (info->match_flags & XT_CONNTRACK_STATUS) {
+ if (info->invert_flags & XT_CONNTRACK_STATUS)
+ printf("! ");
+ printf("%sctstatus ", prefix);
+ print_status(info->status_mask);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_EXPIRES) {
+ if (info->invert_flags & XT_CONNTRACK_EXPIRES)
+ printf("! ");
+ printf("%sctexpire ", prefix);
+
+ if (info->expires_max == info->expires_min)
+ printf("%u ", (unsigned int)info->expires_min);
+ else
+ printf("%u:%u ", (unsigned int)info->expires_min,
+ (unsigned int)info->expires_max);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_DIRECTION) {
+ if (info->invert_flags & XT_CONNTRACK_DIRECTION)
+ printf("%sctdir REPLY", prefix);
+ else
+ printf("%sctdir ORIGINAL", prefix);
+ }
+}
+
+static void conntrack_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ matchinfo_print(ip, match, numeric, "");
+}
+
+static void
+conntrack1_mt4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ conntrack_dump(&up, "", NFPROTO_IPV4, numeric);
+}
+
+static void
+conntrack1_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ conntrack_dump(&up, "", NFPROTO_IPV6, numeric);
+}
+
+static void
+conntrack_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ conntrack_dump((const void *)match->data, "", NFPROTO_IPV4, numeric);
+}
+
+static void
+conntrack_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ conntrack_dump((const void *)match->data, "", NFPROTO_IPV6, numeric);
+}
+
+static void conntrack_save(const void *ip, const struct xt_entry_match *match)
+{
+ matchinfo_print(ip, match, 1, "--");
+}
+
+static void conntrack_mt_save(const void *ip,
+ const struct xt_entry_match *match)
+{
+ conntrack_dump((const void *)match->data, "--", NFPROTO_IPV4, true);
+}
+
+static void conntrack_mt6_save(const void *ip,
+ const struct xt_entry_match *match)
+{
+ conntrack_dump((const void *)match->data, "--", NFPROTO_IPV6, true);
+}
+
+static void
+conntrack1_mt4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ conntrack_dump(&up, "--", NFPROTO_IPV4, true);
+}
+
+static void
+conntrack1_mt6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ conntrack_dump(&up, "--", NFPROTO_IPV6, true);
+}
+
+static struct xtables_match conntrack_mt_reg[] = {
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)),
+ .help = conntrack_mt_help,
+ .parse = conntrack_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack_print,
+ .save = conntrack_save,
+ .extra_opts = conntrack_mt_opts_v0,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
+ .help = conntrack_mt_help,
+ .parse = conntrack1_mt4_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack1_mt4_print,
+ .save = conntrack1_mt4_save,
+ .extra_opts = conntrack_mt_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
+ .help = conntrack_mt_help,
+ .parse = conntrack1_mt6_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack1_mt6_print,
+ .save = conntrack1_mt6_save,
+ .extra_opts = conntrack_mt_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 2,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
+ .help = conntrack_mt_help,
+ .parse = conntrack2_mt4_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack_mt_print,
+ .save = conntrack_mt_save,
+ .extra_opts = conntrack_mt_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 2,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
+ .help = conntrack_mt_help,
+ .parse = conntrack2_mt6_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack_mt6_print,
+ .save = conntrack_mt6_save,
+ .extra_opts = conntrack_mt_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg));
+}
diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man
new file mode 100644
index 0000000..ec51ef5
--- /dev/null
+++ b/extensions/libxt_conntrack.man
@@ -0,0 +1,85 @@
+This module, when combined with connection tracking, allows access to the
+connection tracking state for this packet/connection.
+.TP
+[\fB!\fR] \fB\-\-ctstate\fP \fIstatelist\fP
+\fIstatelist\fR is a comma separated list of the connection states to match.
+Possible states are listed below.
+.TP
+[\fB!\fR] \fB\-\-ctproto\fP \fIl4proto\fP
+Layer-4 protocol to match (by number or name)
+.TP
+[\fB!\fR] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+.TP
+[\fB!\fR] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+.TP
+[\fB!\fR] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+.TP
+[\fB!\fR] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+Match against original/reply source/destination address
+.TP
+[\fB!\fR] \fB\-\-ctorigsrcport\fP \fIport\fP
+.TP
+[\fB!\fR] \fB\-\-ctorigdstport\fP \fIport\fP
+.TP
+[\fB!\fR] \fB\-\-ctreplsrcport\fP \fIport\fP
+.TP
+[\fB!\fR] \fB\-\-ctrepldstport\fP \fIport\fP
+Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
+.TP
+[\fB!\fR] \fB\-\-ctstatus\fP \fIstatelist\fP
+\fIstatuslist\fR is a comma separated list of the connection statuses to match.
+Possible statuses are listed below.
+.TP
+[\fB!\fR] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
+Match remaining lifetime in seconds against given value or range of values
+(inclusive)
+.TP
+\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
+Match packets that are flowing in the specified direction. If this flag is not
+specified at all, matches packets in both directions.
+.PP
+States for \fB\-\-ctstate\fP:
+.TP
+\fBINVALID\fR
+meaning that the packet is associated with no known connection
+.TP
+\fBNEW\fR
+meaning that the packet has started a new connection, or otherwise associated
+with a connection which has not seen packets in both directions, and
+.TP
+\fBESTABLISHED\fR
+meaning that the packet is associated with a connection which has seen packets
+in both directions,
+.TP
+\fBRELATED\fR
+meaning that the packet is starting a new connection, but is associated with an
+existing connection, such as an FTP data transfer, or an ICMP error.
+.TP
+\fBUNTRACKED\fR
+meaning that the packet is not tracked at all, which happens if you use
+the NOTRACK target in raw table.
+.TP
+\fBSNAT\fR
+A virtual state, matching if the original source address differs from the reply
+destination.
+.TP
+\fBDNAT\fR
+A virtual state, matching if the original destination differs from the reply
+source.
+.PP
+Statuses for \fB\-\-ctstatus\fP:
+.TP
+\fBNONE\fR
+None of the below.
+.TP
+\fBEXPECTED\fR
+This is an expected connection (i.e. a conntrack helper set it up)
+.TP
+\fBSEEN_REPLY\fR
+Conntrack has seen packets in both directions.
+.TP
+\fBASSURED\fR
+Conntrack entry should never be early-expired.
+.TP
+\fBCONFIRMED\fR
+Connection is confirmed: originating packet has left box.
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
new file mode 100644
index 0000000..8d0b13a
--- /dev/null
+++ b/extensions/libxt_dccp.c
@@ -0,0 +1,354 @@
+/* Shared library add-on to iptables for DCCP matching
+ *
+ * (C) 2005 by Harald Welte <laforge@netfilter.org>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <netdb.h>
+#include <ctype.h>
+
+#include <netinet/in.h>
+#include <xtables.h>
+#include <linux/dccp.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_dccp.h>
+
+#if 0
+#define DEBUGP(format, first...) printf(format, ##first)
+#define static
+#else
+#define DEBUGP(format, fist...)
+#endif
+
+static void dccp_init(struct xt_entry_match *m)
+{
+ struct xt_dccp_info *einfo = (struct xt_dccp_info *)m->data;
+
+ memset(einfo, 0, sizeof(struct xt_dccp_info));
+}
+
+static void dccp_help(void)
+{
+ printf(
+"dccp match options\n"
+"[!] --source-port port[:port] match source port(s)\n"
+" --sport ...\n"
+"[!] --destination-port port[:port] match destination port(s)\n"
+" --dport ...\n");
+}
+
+static const struct option dccp_opts[] = {
+ { .name = "source-port", .has_arg = 1, .val = '1' },
+ { .name = "sport", .has_arg = 1, .val = '1' },
+ { .name = "destination-port", .has_arg = 1, .val = '2' },
+ { .name = "dport", .has_arg = 1, .val = '2' },
+ { .name = "dccp-types", .has_arg = 1, .val = '3' },
+ { .name = "dccp-option", .has_arg = 1, .val = '4' },
+ { .name = NULL }
+};
+
+static void
+parse_dccp_ports(const char *portstring,
+ u_int16_t *ports)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(portstring);
+ DEBUGP("%s\n", portstring);
+ if ((cp = strchr(buffer, ':')) == NULL) {
+ ports[0] = ports[1] = xtables_parse_port(buffer, "dccp");
+ }
+ else {
+ *cp = '\0';
+ cp++;
+
+ ports[0] = buffer[0] ? xtables_parse_port(buffer, "dccp") : 0;
+ ports[1] = cp[0] ? xtables_parse_port(cp, "dccp") : 0xFFFF;
+
+ if (ports[0] > ports[1])
+ xtables_error(PARAMETER_PROBLEM,
+ "invalid portrange (min > max)");
+ }
+ free(buffer);
+}
+
+static const char *const dccp_pkt_types[] = {
+ [DCCP_PKT_REQUEST] = "REQUEST",
+ [DCCP_PKT_RESPONSE] = "RESPONSE",
+ [DCCP_PKT_DATA] = "DATA",
+ [DCCP_PKT_ACK] = "ACK",
+ [DCCP_PKT_DATAACK] = "DATAACK",
+ [DCCP_PKT_CLOSEREQ] = "CLOSEREQ",
+ [DCCP_PKT_CLOSE] = "CLOSE",
+ [DCCP_PKT_RESET] = "RESET",
+ [DCCP_PKT_SYNC] = "SYNC",
+ [DCCP_PKT_SYNCACK] = "SYNCACK",
+ [DCCP_PKT_INVALID] = "INVALID",
+};
+
+static u_int16_t
+parse_dccp_types(const char *typestring)
+{
+ u_int16_t typemask = 0;
+ char *ptr, *buffer;
+
+ buffer = strdup(typestring);
+
+ for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
+ unsigned int i;
+ for (i = 0; i < ARRAY_SIZE(dccp_pkt_types); ++i)
+ if (!strcasecmp(dccp_pkt_types[i], ptr)) {
+ typemask |= (1 << i);
+ break;
+ }
+ if (i == ARRAY_SIZE(dccp_pkt_types))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unknown DCCP type `%s'", ptr);
+ }
+
+ free(buffer);
+ return typemask;
+}
+
+static u_int8_t parse_dccp_option(char *optstring)
+{
+ unsigned int ret;
+
+ if (!xtables_strtoui(optstring, NULL, &ret, 1, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM, "Bad DCCP option \"%s\"",
+ optstring);
+
+ return ret;
+}
+
+static int
+dccp_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_dccp_info *einfo
+ = (struct xt_dccp_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & XT_DCCP_SRC_PORTS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--source-port' allowed");
+ einfo->flags |= XT_DCCP_SRC_PORTS;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_dccp_ports(optarg, einfo->spts);
+ if (invert)
+ einfo->invflags |= XT_DCCP_SRC_PORTS;
+ *flags |= XT_DCCP_SRC_PORTS;
+ break;
+
+ case '2':
+ if (*flags & XT_DCCP_DEST_PORTS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--destination-port' allowed");
+ einfo->flags |= XT_DCCP_DEST_PORTS;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_dccp_ports(optarg, einfo->dpts);
+ if (invert)
+ einfo->invflags |= XT_DCCP_DEST_PORTS;
+ *flags |= XT_DCCP_DEST_PORTS;
+ break;
+
+ case '3':
+ if (*flags & XT_DCCP_TYPE)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--dccp-types' allowed");
+ einfo->flags |= XT_DCCP_TYPE;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ einfo->typemask = parse_dccp_types(optarg);
+ if (invert)
+ einfo->invflags |= XT_DCCP_TYPE;
+ *flags |= XT_DCCP_TYPE;
+ break;
+
+ case '4':
+ if (*flags & XT_DCCP_OPTION)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--dccp-option' allowed");
+ einfo->flags |= XT_DCCP_OPTION;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ einfo->option = parse_dccp_option(optarg);
+ if (invert)
+ einfo->invflags |= XT_DCCP_OPTION;
+ *flags |= XT_DCCP_OPTION;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static char *
+port_to_service(int port)
+{
+ struct servent *service;
+
+ if ((service = getservbyport(htons(port), "dccp")))
+ return service->s_name;
+
+ return NULL;
+}
+
+static void
+print_port(u_int16_t port, int numeric)
+{
+ char *service;
+
+ if (numeric || (service = port_to_service(port)) == NULL)
+ printf("%u", port);
+ else
+ printf("%s", service);
+}
+
+static void
+print_ports(const char *name, u_int16_t min, u_int16_t max,
+ int invert, int numeric)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFF || invert) {
+ printf("%s", name);
+ if (min == max) {
+ printf(":%s", inv);
+ print_port(min, numeric);
+ } else {
+ printf("s:%s", inv);
+ print_port(min, numeric);
+ printf(":");
+ print_port(max, numeric);
+ }
+ printf(" ");
+ }
+}
+
+static void
+print_types(u_int16_t types, int inverted, int numeric)
+{
+ int have_type = 0;
+
+ if (inverted)
+ printf("! ");
+
+ while (types) {
+ unsigned int i;
+
+ for (i = 0; !(types & (1 << i)); i++);
+
+ if (have_type)
+ printf(",");
+ else
+ have_type = 1;
+
+ if (numeric)
+ printf("%u", i);
+ else
+ printf("%s", dccp_pkt_types[i]);
+
+ types &= ~(1 << i);
+ }
+}
+
+static void
+print_option(u_int8_t option, int invert, int numeric)
+{
+ if (option || invert)
+ printf("option=%s%u ", invert ? "!" : "", option);
+}
+
+static void
+dccp_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_dccp_info *einfo =
+ (const struct xt_dccp_info *)match->data;
+
+ printf("dccp ");
+
+ if (einfo->flags & XT_DCCP_SRC_PORTS) {
+ print_ports("spt", einfo->spts[0], einfo->spts[1],
+ einfo->invflags & XT_DCCP_SRC_PORTS,
+ numeric);
+ }
+
+ if (einfo->flags & XT_DCCP_DEST_PORTS) {
+ print_ports("dpt", einfo->dpts[0], einfo->dpts[1],
+ einfo->invflags & XT_DCCP_DEST_PORTS,
+ numeric);
+ }
+
+ if (einfo->flags & XT_DCCP_TYPE) {
+ print_types(einfo->typemask,
+ einfo->invflags & XT_DCCP_TYPE,
+ numeric);
+ }
+
+ if (einfo->flags & XT_DCCP_OPTION) {
+ print_option(einfo->option,
+ einfo->invflags & XT_DCCP_OPTION, numeric);
+ }
+}
+
+static void dccp_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_dccp_info *einfo =
+ (const struct xt_dccp_info *)match->data;
+
+ if (einfo->flags & XT_DCCP_SRC_PORTS) {
+ if (einfo->invflags & XT_DCCP_SRC_PORTS)
+ printf("! ");
+ if (einfo->spts[0] != einfo->spts[1])
+ printf("--sport %u:%u ",
+ einfo->spts[0], einfo->spts[1]);
+ else
+ printf("--sport %u ", einfo->spts[0]);
+ }
+
+ if (einfo->flags & XT_DCCP_DEST_PORTS) {
+ if (einfo->invflags & XT_DCCP_DEST_PORTS)
+ printf("! ");
+ if (einfo->dpts[0] != einfo->dpts[1])
+ printf("--dport %u:%u ",
+ einfo->dpts[0], einfo->dpts[1]);
+ else
+ printf("--dport %u ", einfo->dpts[0]);
+ }
+
+ if (einfo->flags & XT_DCCP_TYPE) {
+ printf("--dccp-type ");
+ print_types(einfo->typemask, einfo->invflags & XT_DCCP_TYPE,0);
+ }
+
+ if (einfo->flags & XT_DCCP_OPTION) {
+ printf("--dccp-option %s%u ",
+ einfo->typemask & XT_DCCP_OPTION ? "! " : "",
+ einfo->option);
+ }
+}
+
+static struct xtables_match dccp_match = {
+ .name = "dccp",
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_dccp_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_dccp_info)),
+ .help = dccp_help,
+ .init = dccp_init,
+ .parse = dccp_parse,
+ .print = dccp_print,
+ .save = dccp_save,
+ .extra_opts = dccp_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&dccp_match);
+}
diff --git a/extensions/libxt_dccp.man b/extensions/libxt_dccp.man
new file mode 100644
index 0000000..82c3f70
--- /dev/null
+++ b/extensions/libxt_dccp.man
@@ -0,0 +1,12 @@
+.TP
+[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
+.TP
+[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
+.TP
+[\fB!\fP] \fB\-\-dccp\-types\fP \fImask\fP
+Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
+list of packet types. Packet types are:
+.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
+.TP
+[\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP
+Match if DCP option set.
diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
new file mode 100644
index 0000000..1569f7d
--- /dev/null
+++ b/extensions/libxt_dscp.c
@@ -0,0 +1,150 @@
+/* Shared library add-on to iptables for DSCP
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ *
+ * libipt_dscp.c borrowed heavily from libipt_tos.c
+ *
+ * --class support added by Iain Barnes
+ *
+ * For a list of DSCP codepoints see
+ * http://www.iana.org/assignments/dscp-registry
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_dscp.h>
+
+/* This is evil, but it's my code - HW*/
+#include "dscp_helper.c"
+
+static void dscp_help(void)
+{
+ printf(
+"dscp match options\n"
+"[!] --dscp value Match DSCP codepoint with numerical value\n"
+" This value can be in decimal (ex: 32)\n"
+" or in hex (ex: 0x20)\n"
+"[!] --dscp-class name Match the DiffServ class. This value may\n"
+" be any of the BE,EF, AFxx or CSx classes\n"
+"\n"
+" These two options are mutually exclusive !\n");
+}
+
+static const struct option dscp_opts[] = {
+ { "dscp", 1, NULL, 'F' },
+ { "dscp-class", 1, NULL, 'G' },
+ { .name = NULL }
+};
+
+static void
+parse_dscp(const char *s, struct xt_dscp_info *dinfo)
+{
+ unsigned int dscp;
+
+ if (!xtables_strtoui(s, NULL, &dscp, 0, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid dscp `%s'\n", s);
+
+ if (dscp > XT_DSCP_MAX)
+ xtables_error(PARAMETER_PROBLEM,
+ "DSCP `%d` out of range\n", dscp);
+
+ dinfo->dscp = dscp;
+}
+
+
+static void
+parse_class(const char *s, struct xt_dscp_info *dinfo)
+{
+ unsigned int dscp = class_to_dscp(s);
+
+ /* Assign the value */
+ dinfo->dscp = dscp;
+}
+
+
+static int
+dscp_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_dscp_info *dinfo
+ = (struct xt_dscp_info *)(*match)->data;
+
+ switch (c) {
+ case 'F':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "DSCP match: Only use --dscp ONCE!");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_dscp(optarg, dinfo);
+ if (invert)
+ dinfo->invert = 1;
+ *flags = 1;
+ break;
+
+ case 'G':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "DSCP match: Only use --dscp-class ONCE!");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_class(optarg, dinfo);
+ if (invert)
+ dinfo->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void dscp_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "DSCP match: Parameter --dscp is required");
+}
+
+static void
+dscp_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_dscp_info *dinfo =
+ (const struct xt_dscp_info *)match->data;
+ printf("DSCP match %s0x%02x", dinfo->invert ? "!" : "", dinfo->dscp);
+}
+
+static void dscp_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_dscp_info *dinfo =
+ (const struct xt_dscp_info *)match->data;
+
+ printf("%s--dscp 0x%02x ", dinfo->invert ? "! " : "", dinfo->dscp);
+}
+
+static struct xtables_match dscp_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "dscp",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_dscp_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
+ .help = dscp_help,
+ .parse = dscp_parse,
+ .final_check = dscp_check,
+ .print = dscp_print,
+ .save = dscp_save,
+ .extra_opts = dscp_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&dscp_match);
+}
diff --git a/extensions/libxt_dscp.man b/extensions/libxt_dscp.man
new file mode 100644
index 0000000..63a17da
--- /dev/null
+++ b/extensions/libxt_dscp.man
@@ -0,0 +1,10 @@
+This module matches the 6 bit DSCP field within the TOS field in the
+IP header. DSCP has superseded TOS within the IETF.
+.TP
+[\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP
+Match against a numeric (decimal or hex) value [0-63].
+.TP
+[\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP
+Match the DiffServ class. This value may be any of the
+BE, EF, AFxx or CSx classes. It will then be converted
+into its according numeric value.
diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c
new file mode 100644
index 0000000..18218f4
--- /dev/null
+++ b/extensions/libxt_esp.c
@@ -0,0 +1,169 @@
+/* Shared library add-on to iptables to add ESP support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <limits.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_esp.h>
+
+static void esp_help(void)
+{
+ printf(
+"esp match options:\n"
+"[!] --espspi spi[:spi]\n"
+" match spi (range)\n");
+}
+
+static const struct option esp_opts[] = {
+ { "espspi", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static u_int32_t
+parse_esp_spi(const char *spistr)
+{
+ unsigned long int spi;
+ char* ep;
+
+ spi = strtoul(spistr,&ep,0) ;
+
+ if ( spistr == ep ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "ESP no valid digits in spi `%s'", spistr);
+ }
+ if ( spi == ULONG_MAX && errno == ERANGE ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "spi `%s' specified too big: would overflow", spistr);
+ }
+ if ( *spistr != '\0' && *ep != '\0' ) {
+ xtables_error(PARAMETER_PROBLEM,
+ "ESP error parsing spi `%s'", spistr);
+ }
+ return spi;
+}
+
+static void
+parse_esp_spis(const char *spistring, u_int32_t *spis)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(spistring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ spis[0] = spis[1] = parse_esp_spi(buffer);
+ else {
+ *cp = '\0';
+ cp++;
+
+ spis[0] = buffer[0] ? parse_esp_spi(buffer) : 0;
+ spis[1] = cp[0] ? parse_esp_spi(cp) : 0xFFFFFFFF;
+ if (spis[0] > spis[1])
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid ESP spi range: %s", spistring);
+ }
+ free(buffer);
+}
+
+static void esp_init(struct xt_entry_match *m)
+{
+ struct xt_esp *espinfo = (struct xt_esp *)m->data;
+
+ espinfo->spis[1] = 0xFFFFFFFF;
+}
+
+#define ESP_SPI 0x01
+
+static int
+esp_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_esp *espinfo = (struct xt_esp *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & ESP_SPI)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--espspi' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_esp_spis(optarg, espinfo->spis);
+ if (invert)
+ espinfo->invflags |= XT_ESP_INV_SPI;
+ *flags |= ESP_SPI;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+print_spis(const char *name, u_int32_t min, u_int32_t max,
+ int invert)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFFFFFF || invert) {
+ if (min == max)
+ printf("%s:%s%u ", name, inv, min);
+ else
+ printf("%ss:%s%u:%u ", name, inv, min, max);
+ }
+}
+
+static void
+esp_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_esp *esp = (struct xt_esp *)match->data;
+
+ printf("esp ");
+ print_spis("spi", esp->spis[0], esp->spis[1],
+ esp->invflags & XT_ESP_INV_SPI);
+ if (esp->invflags & ~XT_ESP_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ esp->invflags & ~XT_ESP_INV_MASK);
+}
+
+static void esp_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_esp *espinfo = (struct xt_esp *)match->data;
+
+ if (!(espinfo->spis[0] == 0
+ && espinfo->spis[1] == 0xFFFFFFFF)) {
+ printf("%s--espspi ",
+ (espinfo->invflags & XT_ESP_INV_SPI) ? "! " : "");
+ if (espinfo->spis[0]
+ != espinfo->spis[1])
+ printf("%u:%u ",
+ espinfo->spis[0],
+ espinfo->spis[1]);
+ else
+ printf("%u ",
+ espinfo->spis[0]);
+ }
+
+}
+
+static struct xtables_match esp_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "esp",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_esp)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_esp)),
+ .help = esp_help,
+ .init = esp_init,
+ .parse = esp_parse,
+ .print = esp_print,
+ .save = esp_save,
+ .extra_opts = esp_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&esp_match);
+}
diff --git a/extensions/libxt_esp.man b/extensions/libxt_esp.man
new file mode 100644
index 0000000..699a41c
--- /dev/null
+++ b/extensions/libxt_esp.man
@@ -0,0 +1,3 @@
+This module matches the SPIs in ESP header of IPsec packets.
+.TP
+[\fB!\fP] \fB\-\-espspi\fP \fIspi\fP[\fB:\fP\fIspi\fP]
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
new file mode 100644
index 0000000..7442dfc
--- /dev/null
+++ b/extensions/libxt_hashlimit.c
@@ -0,0 +1,711 @@
+/* ip6tables match extension for limiting packets per destination
+ *
+ * (C) 2003-2004 by Harald Welte <laforge@netfilter.org>
+ *
+ * Development of this code was funded by Astaro AG, http://www.astaro.com/
+ *
+ * Based on ipt_limit.c by
+ * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
+ * Hervé Eychenne <rv@wallfire.org>
+ *
+ * Error corections by nmalykh@bilim.com (22.01.2005)
+ */
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <stddef.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_hashlimit.h>
+
+#define XT_HASHLIMIT_BURST 5
+
+/* miliseconds */
+#define XT_HASHLIMIT_GCINTERVAL 1000
+#define XT_HASHLIMIT_EXPIRE 10000
+
+static void hashlimit_help(void)
+{
+ printf(
+"hashlimit match options:\n"
+"--hashlimit <avg> max average match rate\n"
+" [Packets per second unless followed by \n"
+" /sec /minute /hour /day postfixes]\n"
+"--hashlimit-mode <mode> mode is a comma-separated list of\n"
+" dstip,srcip,dstport,srcport\n"
+"--hashlimit-name <name> name for /proc/net/ipt_hashlimit/\n"
+"[--hashlimit-burst <num>] number to match in a burst, default %u\n"
+"[--hashlimit-htable-size <num>] number of hashtable buckets\n"
+"[--hashlimit-htable-max <num>] number of hashtable entries\n"
+"[--hashlimit-htable-gcinterval] interval between garbage collection runs\n"
+"[--hashlimit-htable-expire] after which time are idle entries expired?\n",
+XT_HASHLIMIT_BURST);
+}
+
+static void hashlimit_mt_help(void)
+{
+ printf(
+"hashlimit match options:\n"
+" --hashlimit-upto <avg> max average match rate\n"
+" [Packets per second unless followed by \n"
+" /sec /minute /hour /day postfixes]\n"
+" --hashlimit-above <avg> min average match rate\n"
+" --hashlimit-mode <mode> mode is a comma-separated list of\n"
+" dstip,srcip,dstport,srcport (or none)\n"
+" --hashlimit-srcmask <length> source address grouping prefix length\n"
+" --hashlimit-dstmask <length> destination address grouping prefix length\n"
+" --hashlimit-name <name> name for /proc/net/ipt_hashlimit\n"
+" --hashlimit-burst <num> number to match in a burst, default %u\n"
+" --hashlimit-htable-size <num> number of hashtable buckets\n"
+" --hashlimit-htable-max <num> number of hashtable entries\n"
+" --hashlimit-htable-gcinterval interval between garbage collection runs\n"
+" --hashlimit-htable-expire after which time are idle entries expired?\n"
+"\n", XT_HASHLIMIT_BURST);
+}
+
+static const struct option hashlimit_opts[] = {
+ { "hashlimit", 1, NULL, '%' },
+ { "hashlimit-burst", 1, NULL, '$' },
+ { "hashlimit-htable-size", 1, NULL, '&' },
+ { "hashlimit-htable-max", 1, NULL, '*' },
+ { "hashlimit-htable-gcinterval", 1, NULL, '(' },
+ { "hashlimit-htable-expire", 1, NULL, ')' },
+ { "hashlimit-mode", 1, NULL, '_' },
+ { "hashlimit-name", 1, NULL, '"' },
+ { .name = NULL }
+};
+
+static const struct option hashlimit_mt_opts[] = {
+ {.name = "hashlimit-upto", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-above", .has_arg = true, .val = '^'},
+ {.name = "hashlimit", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-srcmask", .has_arg = true, .val = '<'},
+ {.name = "hashlimit-dstmask", .has_arg = true, .val = '>'},
+ {.name = "hashlimit-burst", .has_arg = true, .val = '$'},
+ {.name = "hashlimit-htable-size", .has_arg = true, .val = '&'},
+ {.name = "hashlimit-htable-max", .has_arg = true, .val = '*'},
+ {.name = "hashlimit-htable-gcinterval", .has_arg = true, .val = '('},
+ {.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'},
+ {.name = "hashlimit-mode", .has_arg = true, .val = '_'},
+ {.name = "hashlimit-name", .has_arg = true, .val = '"'},
+ {},
+};
+
+static
+int parse_rate(const char *rate, u_int32_t *val)
+{
+ const char *delim;
+ u_int32_t r;
+ u_int32_t mult = 1; /* Seconds by default. */
+
+ delim = strchr(rate, '/');
+ if (delim) {
+ if (strlen(delim+1) == 0)
+ return 0;
+
+ if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
+ mult = 1;
+ else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
+ mult = 60;
+ else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
+ mult = 60*60;
+ else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
+ mult = 24*60*60;
+ else
+ return 0;
+ }
+ r = atoi(rate);
+ if (!r)
+ return 0;
+
+ /* This would get mapped to infinite (1/day is minimum they
+ can specify, so we're ok at that end). */
+ if (r / mult > XT_HASHLIMIT_SCALE)
+ xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
+
+ *val = XT_HASHLIMIT_SCALE * mult / r;
+ return 1;
+}
+
+static void hashlimit_init(struct xt_entry_match *m)
+{
+ struct xt_hashlimit_info *r = (struct xt_hashlimit_info *)m->data;
+
+ r->cfg.mode = 0;
+ r->cfg.burst = XT_HASHLIMIT_BURST;
+ r->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ r->cfg.expire = XT_HASHLIMIT_EXPIRE;
+
+}
+
+static void hashlimit_mt4_init(struct xt_entry_match *match)
+{
+ struct xt_hashlimit_mtinfo1 *info = (void *)match->data;
+
+ info->cfg.mode = 0;
+ info->cfg.burst = XT_HASHLIMIT_BURST;
+ info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ info->cfg.expire = XT_HASHLIMIT_EXPIRE;
+ info->cfg.srcmask = 32;
+ info->cfg.dstmask = 32;
+}
+
+static void hashlimit_mt6_init(struct xt_entry_match *match)
+{
+ struct xt_hashlimit_mtinfo1 *info = (void *)match->data;
+
+ info->cfg.mode = 0;
+ info->cfg.burst = XT_HASHLIMIT_BURST;
+ info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ info->cfg.expire = XT_HASHLIMIT_EXPIRE;
+ info->cfg.srcmask = 128;
+ info->cfg.dstmask = 128;
+}
+
+/* Parse a 'mode' parameter into the required bitmask */
+static int parse_mode(uint32_t *mode, char *option_arg)
+{
+ char *tok;
+ char *arg = strdup(option_arg);
+
+ if (!arg)
+ return -1;
+
+ for (tok = strtok(arg, ",|");
+ tok;
+ tok = strtok(NULL, ",|")) {
+ if (!strcmp(tok, "dstip"))
+ *mode |= XT_HASHLIMIT_HASH_DIP;
+ else if (!strcmp(tok, "srcip"))
+ *mode |= XT_HASHLIMIT_HASH_SIP;
+ else if (!strcmp(tok, "srcport"))
+ *mode |= XT_HASHLIMIT_HASH_SPT;
+ else if (!strcmp(tok, "dstport"))
+ *mode |= XT_HASHLIMIT_HASH_DPT;
+ else {
+ free(arg);
+ return -1;
+ }
+ }
+ free(arg);
+ return 0;
+}
+
+enum {
+ PARAM_LIMIT = 1 << 0,
+ PARAM_BURST = 1 << 1,
+ PARAM_MODE = 1 << 2,
+ PARAM_NAME = 1 << 3,
+ PARAM_SIZE = 1 << 4,
+ PARAM_MAX = 1 << 5,
+ PARAM_GCINTERVAL = 1 << 6,
+ PARAM_EXPIRE = 1 << 7,
+ PARAM_SRCMASK = 1 << 8,
+ PARAM_DSTMASK = 1 << 9,
+};
+
+static int
+hashlimit_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_hashlimit_info *r =
+ (struct xt_hashlimit_info *)(*match)->data;
+ unsigned int num;
+
+ switch(c) {
+ case '%':
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit",
+ *flags & PARAM_LIMIT);
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;
+ if (!parse_rate(optarg, &r->cfg.avg))
+ xtables_error(PARAMETER_PROBLEM,
+ "bad rate `%s'", optarg);
+ *flags |= PARAM_LIMIT;
+ break;
+
+ case '$':
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-burst",
+ *flags & PARAM_BURST);
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;
+ if (!xtables_strtoui(optarg, NULL, &num, 0, 10000))
+ xtables_error(PARAMETER_PROBLEM,
+ "bad --hashlimit-burst `%s'", optarg);
+ r->cfg.burst = num;
+ *flags |= PARAM_BURST;
+ break;
+ case '&':
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-size",
+ *flags & PARAM_SIZE);
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "bad --hashlimit-htable-size: `%s'", optarg);
+ r->cfg.size = num;
+ *flags |= PARAM_SIZE;
+ break;
+ case '*':
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-max",
+ *flags & PARAM_MAX);
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "bad --hashlimit-htable-max: `%s'", optarg);
+ r->cfg.max = num;
+ *flags |= PARAM_MAX;
+ break;
+ case '(':
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-gcinterval",
+ *flags & PARAM_GCINTERVAL);
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "bad --hashlimit-htable-gcinterval: `%s'",
+ optarg);
+ /* FIXME: not HZ dependent!! */
+ r->cfg.gc_interval = num;
+ *flags |= PARAM_GCINTERVAL;
+ break;
+ case ')':
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-expire", *flags & PARAM_EXPIRE);
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "bad --hashlimit-htable-expire: `%s'", optarg);
+ /* FIXME: not HZ dependent */
+ r->cfg.expire = num;
+ *flags |= PARAM_EXPIRE;
+ break;
+ case '_':
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
+ *flags & PARAM_MODE);
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;
+ if (parse_mode(&r->cfg.mode, optarg) < 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "bad --hashlimit-mode: `%s'\n", optarg);
+ *flags |= PARAM_MODE;
+ break;
+ case '"':
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-name",
+ *flags & PARAM_NAME);
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;
+ if (strlen(optarg) == 0)
+ xtables_error(PARAMETER_PROBLEM, "Zero-length name?");
+ strncpy(r->name, optarg, sizeof(r->name));
+ *flags |= PARAM_NAME;
+ break;
+ default:
+ return 0;
+ }
+
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "hashlimit does not support invert");
+
+ return 1;
+}
+
+static int
+hashlimit_mt_parse(struct xt_hashlimit_mtinfo1 *info, unsigned int *flags,
+ int c, int invert, unsigned int maxmask)
+{
+ unsigned int num;
+
+ switch(c) {
+ case '%': /* --hashlimit / --hashlimit-below */
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-upto",
+ *flags & PARAM_LIMIT);
+ if (invert)
+ info->cfg.mode |= XT_HASHLIMIT_INVERT;
+ if (!parse_rate(optarg, &info->cfg.avg))
+ xtables_param_act(XTF_BAD_VALUE, "hashlimit",
+ "--hashlimit-upto", optarg);
+ *flags |= PARAM_LIMIT;
+ return true;
+
+ case '^': /* --hashlimit-above == !--hashlimit-below */
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-above",
+ *flags & PARAM_LIMIT);
+ if (!invert)
+ info->cfg.mode |= XT_HASHLIMIT_INVERT;
+ if (!parse_rate(optarg, &info->cfg.avg))
+ xtables_param_act(XTF_BAD_VALUE, "hashlimit",
+ "--hashlimit-above", optarg);
+ *flags |= PARAM_LIMIT;
+ return true;
+
+ case '$': /* --hashlimit-burst */
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-burst",
+ *flags & PARAM_BURST);
+ if (!xtables_strtoui(optarg, NULL, &num, 0, 10000))
+ xtables_param_act(XTF_BAD_VALUE, "hashlimit",
+ "--hashlimit-burst", optarg);
+ info->cfg.burst = num;
+ *flags |= PARAM_BURST;
+ return true;
+
+ case '&': /* --hashlimit-htable-size */
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-size",
+ *flags & PARAM_SIZE);
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-size", optarg);
+ info->cfg.size = num;
+ *flags |= PARAM_SIZE;
+ return true;
+
+ case '*': /* --hashlimit-htable-max */
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-max",
+ *flags & PARAM_MAX);
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-max", optarg);
+ info->cfg.max = num;
+ *flags |= PARAM_MAX;
+ return true;
+
+ case '(': /* --hashlimit-htable-gcinterval */
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-gcinterval",
+ *flags & PARAM_GCINTERVAL);
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-gcinterval", optarg);
+ /* FIXME: not HZ dependent!! */
+ info->cfg.gc_interval = num;
+ *flags |= PARAM_GCINTERVAL;
+ return true;
+
+ case ')': /* --hashlimit-htable-expire */
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-expire", *flags & PARAM_EXPIRE);
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-expire", optarg);
+ /* FIXME: not HZ dependent */
+ info->cfg.expire = num;
+ *flags |= PARAM_EXPIRE;
+ return true;
+
+ case '_':
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
+ *flags & PARAM_MODE);
+ if (parse_mode(&info->cfg.mode, optarg) < 0)
+ xtables_param_act(XTF_BAD_VALUE, "hashlimit",
+ "--hashlimit-mode", optarg);
+ *flags |= PARAM_MODE;
+ return true;
+
+ case '"': /* --hashlimit-name */
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-name",
+ *flags & PARAM_NAME);
+ if (strlen(optarg) == 0)
+ xtables_error(PARAMETER_PROBLEM, "Zero-length name?");
+ strncpy(info->name, optarg, sizeof(info->name));
+ info->name[sizeof(info->name)-1] = '\0';
+ *flags |= PARAM_NAME;
+ return true;
+
+ case '<': /* --hashlimit-srcmask */
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-srcmask",
+ *flags & PARAM_SRCMASK);
+ if (!xtables_strtoui(optarg, NULL, &num, 0, maxmask))
+ xtables_param_act(XTF_BAD_VALUE, "hashlimit",
+ "--hashlimit-srcmask", optarg);
+ info->cfg.srcmask = num;
+ *flags |= PARAM_SRCMASK;
+ return true;
+
+ case '>': /* --hashlimit-dstmask */
+ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-dstmask",
+ *flags & PARAM_DSTMASK);
+ if (!xtables_strtoui(optarg, NULL, &num, 0, maxmask))
+ xtables_param_act(XTF_BAD_VALUE, "hashlimit",
+ "--hashlimit-dstmask", optarg);
+ info->cfg.dstmask = num;
+ *flags |= PARAM_DSTMASK;
+ return true;
+ }
+ return false;
+}
+
+static int
+hashlimit_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return hashlimit_mt_parse((void *)(*match)->data,
+ flags, c, invert, 32);
+}
+
+static int
+hashlimit_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return hashlimit_mt_parse((void *)(*match)->data,
+ flags, c, invert, 128);
+}
+
+static void hashlimit_check(unsigned int flags)
+{
+ if (!(flags & PARAM_LIMIT))
+ xtables_error(PARAMETER_PROBLEM,
+ "You have to specify --hashlimit");
+ if (!(flags & PARAM_MODE))
+ xtables_error(PARAMETER_PROBLEM,
+ "You have to specify --hashlimit-mode");
+ if (!(flags & PARAM_NAME))
+ xtables_error(PARAMETER_PROBLEM,
+ "You have to specify --hashlimit-name");
+}
+
+static void hashlimit_mt_check(unsigned int flags)
+{
+ if (!(flags & PARAM_LIMIT))
+ xtables_error(PARAMETER_PROBLEM, "You have to specify "
+ "--hashlimit-upto or --hashlimit-above");
+ if (!(flags & PARAM_NAME))
+ xtables_error(PARAMETER_PROBLEM,
+ "You have to specify --hashlimit-name");
+}
+
+static const struct rates
+{
+ const char *name;
+ u_int32_t mult;
+} rates[] = { { "day", XT_HASHLIMIT_SCALE*24*60*60 },
+ { "hour", XT_HASHLIMIT_SCALE*60*60 },
+ { "min", XT_HASHLIMIT_SCALE*60 },
+ { "sec", XT_HASHLIMIT_SCALE } };
+
+static void print_rate(u_int32_t period)
+{
+ unsigned int i;
+
+ for (i = 1; i < ARRAY_SIZE(rates); ++i)
+ if (period > rates[i].mult
+ || rates[i].mult/period < rates[i].mult%period)
+ break;
+
+ printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
+}
+
+static void print_mode(unsigned int mode, char separator)
+{
+ bool prevmode = false;
+
+ if (mode & XT_HASHLIMIT_HASH_SIP) {
+ fputs("srcip", stdout);
+ prevmode = 1;
+ }
+ if (mode & XT_HASHLIMIT_HASH_SPT) {
+ if (prevmode)
+ putchar(separator);
+ fputs("srcport", stdout);
+ prevmode = 1;
+ }
+ if (mode & XT_HASHLIMIT_HASH_DIP) {
+ if (prevmode)
+ putchar(separator);
+ fputs("dstip", stdout);
+ prevmode = 1;
+ }
+ if (mode & XT_HASHLIMIT_HASH_DPT) {
+ if (prevmode)
+ putchar(separator);
+ fputs("dstport", stdout);
+ }
+ putchar(' ');
+}
+
+static void hashlimit_print(const void *ip,
+ const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_hashlimit_info *r = (const void *)match->data;
+ fputs("limit: avg ", stdout); print_rate(r->cfg.avg);
+ printf("burst %u ", r->cfg.burst);
+ fputs("mode ", stdout);
+ print_mode(r->cfg.mode, '-');
+ if (r->cfg.size)
+ printf("htable-size %u ", r->cfg.size);
+ if (r->cfg.max)
+ printf("htable-max %u ", r->cfg.max);
+ if (r->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("htable-gcinterval %u ", r->cfg.gc_interval);
+ if (r->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("htable-expire %u ", r->cfg.expire);
+}
+
+static void
+hashlimit_mt_print(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
+{
+ if (info->cfg.mode & XT_HASHLIMIT_INVERT)
+ fputs("limit: above ", stdout);
+ else
+ fputs("limit: up to ", stdout);
+ print_rate(info->cfg.avg);
+ printf("burst %u ", info->cfg.burst);
+ if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
+ XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
+ fputs("mode ", stdout);
+ print_mode(info->cfg.mode, '-');
+ }
+ if (info->cfg.size != 0)
+ printf("htable-size %u ", info->cfg.size);
+ if (info->cfg.max != 0)
+ printf("htable-max %u ", info->cfg.max);
+ if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("htable-gcinterval %u ", info->cfg.gc_interval);
+ if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("htable-expire %u ", info->cfg.expire);
+
+ if (info->cfg.srcmask != dmask)
+ printf("srcmask %u ", info->cfg.srcmask);
+ if (info->cfg.dstmask != dmask)
+ printf("dstmask %u ", info->cfg.dstmask);
+}
+
+static void
+hashlimit_mt4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_print(info, 32);
+}
+
+static void
+hashlimit_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_print(info, 128);
+}
+
+static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_info *r = (const void *)match->data;
+
+ fputs("--hashlimit ", stdout); print_rate(r->cfg.avg);
+ printf("--hashlimit-burst %u ", r->cfg.burst);
+
+ fputs("--hashlimit-mode ", stdout);
+ print_mode(r->cfg.mode, ',');
+
+ printf("--hashlimit-name %s ", r->name);
+
+ if (r->cfg.size)
+ printf("--hashlimit-htable-size %u ", r->cfg.size);
+ if (r->cfg.max)
+ printf("--hashlimit-htable-max %u ", r->cfg.max);
+ if (r->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("--hashlimit-htable-gcinterval %u ", r->cfg.gc_interval);
+ if (r->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("--hashlimit-htable-expire %u ", r->cfg.expire);
+}
+
+static void
+hashlimit_mt_save(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
+{
+ if (info->cfg.mode & XT_HASHLIMIT_INVERT)
+ fputs("--hashlimit-above ", stdout);
+ else
+ fputs("--hashlimit-upto ", stdout);
+ print_rate(info->cfg.avg);
+ printf("--hashlimit-burst %u ", info->cfg.burst);
+
+ if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
+ XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
+ fputs("--hashlimit-mode ", stdout);
+ print_mode(info->cfg.mode, ',');
+ }
+
+ printf("--hashlimit-name %s ", info->name);
+
+ if (info->cfg.size != 0)
+ printf("--hashlimit-htable-size %u ", info->cfg.size);
+ if (info->cfg.max != 0)
+ printf("--hashlimit-htable-max %u ", info->cfg.max);
+ if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("--hashlimit-htable-gcinterval %u ", info->cfg.gc_interval);
+ if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("--hashlimit-htable-expire %u ", info->cfg.expire);
+
+ if (info->cfg.srcmask != dmask)
+ printf("--hashlimit-srcmask %u ", info->cfg.srcmask);
+ if (info->cfg.dstmask != dmask)
+ printf("--hashlimit-dstmask %u ", info->cfg.dstmask);
+}
+
+static void
+hashlimit_mt4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_save(info, 32);
+}
+
+static void
+hashlimit_mt6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_save(info, 128);
+}
+
+static struct xtables_match hashlimit_mt_reg[] = {
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "hashlimit",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
+ .userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
+ .help = hashlimit_help,
+ .init = hashlimit_init,
+ .parse = hashlimit_parse,
+ .final_check = hashlimit_check,
+ .print = hashlimit_print,
+ .save = hashlimit_save,
+ .extra_opts = hashlimit_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "hashlimit",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)),
+ .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
+ .help = hashlimit_mt_help,
+ .init = hashlimit_mt4_init,
+ .parse = hashlimit_mt4_parse,
+ .final_check = hashlimit_mt_check,
+ .print = hashlimit_mt4_print,
+ .save = hashlimit_mt4_save,
+ .extra_opts = hashlimit_mt_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "hashlimit",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)),
+ .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
+ .help = hashlimit_mt_help,
+ .init = hashlimit_mt6_init,
+ .parse = hashlimit_mt6_parse,
+ .final_check = hashlimit_mt_check,
+ .print = hashlimit_mt6_print,
+ .save = hashlimit_mt6_save,
+ .extra_opts = hashlimit_mt_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg));
+}
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
new file mode 100644
index 0000000..b870f55
--- /dev/null
+++ b/extensions/libxt_hashlimit.man
@@ -0,0 +1,59 @@
+\fBhashlimit\fR uses hash buckets to express a rate limiting match (like the
+\fBlimit\fR match) for a group of connections using a \fBsingle\fR iptables
+rule. Grouping can be done per-hostgroup (source and/or destination address)
+and/or per-port. It gives you the ability to express "\fIN\fR packets per time
+quantum per group":
+.TP
+matching on source host
+"1000 packets per second for every host in 192.168.0.0/16"
+.TP
+matching on source port
+"100 packets per second for every service of 192.168.1.1"
+.TP
+matching on subnet
+"10000 packets per minute for every /28 subnet in 10.0.0.0/8"
+.PP
+A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
+\fB\-\-hashlimit\-name\fP are required.
+.TP
+\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
+Match if the rate is below or equal to \fIamount\fR/quantum. It is specified as
+a number, with an optional time quantum suffix; the default is 3/hour.
+.TP
+\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
+Match if the rate is above \fIamount\fR/quantum.
+.TP
+\fB\-\-hashlimit\-burst\fP \fIamount\fP
+Maximum initial number of packets to match: this number gets recharged by one
+every time the limit specified above is not reached, up to this number; the
+default is 5.
+.TP
+\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
+A comma-separated list of objects to take into consideration. If no
+\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
+expensive of doing the hash housekeeping.
+.TP
+\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
+When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
+grouped according to the given prefix length and the so-created subnet will be
+subject to hashlimit. \fIprefix\fR must be between (inclusive) 0 and 32. Note
+that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
+srcip for \-\-hashlimit\-mode, but is technically more expensive.
+.TP
+\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
+Like \-\-hashlimit\-srcmask, but for destination addresses.
+.TP
+\fB\-\-hashlimit\-name\fP \fIfoo\fP
+The name for the /proc/net/ipt_hashlimit/foo entry.
+.TP
+\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
+The number of buckets of the hash table
+.TP
+\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
+Maximum entries in the hash.
+.TP
+\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
+After how many milliseconds do hash entries expire.
+.TP
+\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
+How many milliseconds between garbage collection intervals.
diff --git a/extensions/libxt_helper.c b/extensions/libxt_helper.c
new file mode 100644
index 0000000..35b5f15
--- /dev/null
+++ b/extensions/libxt_helper.c
@@ -0,0 +1,87 @@
+/* Shared library add-on to iptables to add related packet matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_helper.h>
+
+static void helper_help(void)
+{
+ printf(
+"helper match options:\n"
+"[!] --helper string Match helper identified by string\n");
+}
+
+static const struct option helper_opts[] = {
+ { "helper", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static int
+helper_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_helper_info *info = (struct xt_helper_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "helper match: Only use --helper ONCE!");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ strncpy(info->name, optarg, 29);
+ info->name[29] = '\0';
+ if (invert)
+ info->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void helper_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "helper match: You must specify `--helper'");
+}
+
+static void
+helper_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_helper_info *info = (const void *)match->data;
+
+ printf("helper match %s\"%s\" ", info->invert ? "! " : "", info->name);
+}
+
+static void helper_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_helper_info *info = (const void *)match->data;
+
+ printf("%s--helper ",info->invert ? "! " : "");
+ xtables_save_string(info->name);
+}
+
+static struct xtables_match helper_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "helper",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_helper_info)),
+ .help = helper_help,
+ .parse = helper_parse,
+ .final_check = helper_check,
+ .print = helper_print,
+ .save = helper_save,
+ .extra_opts = helper_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&helper_match);
+}
diff --git a/extensions/libxt_helper.man b/extensions/libxt_helper.man
new file mode 100644
index 0000000..772b135
--- /dev/null
+++ b/extensions/libxt_helper.man
@@ -0,0 +1,11 @@
+This module matches packets related to a specific conntrack-helper.
+.TP
+[\fB!\fP] \fB\-\-helper\fP \fIstring\fP
+Matches packets related to the specified conntrack-helper.
+.RS
+.PP
+string can be "ftp" for packets related to a ftp-session on default port.
+For other ports append \-portnr to the value, ie. "ftp\-2121".
+.PP
+Same rules apply for other conntrack-helpers.
+.RE
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
new file mode 100644
index 0000000..55a2f84
--- /dev/null
+++ b/extensions/libxt_iprange.c
@@ -0,0 +1,387 @@
+/* Shared library add-on to iptables to add IP range matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <netinet/in.h>
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/xt_iprange.h>
+
+struct ipt_iprange {
+ /* Inclusive: network order. */
+ __be32 min_ip, max_ip;
+};
+
+struct ipt_iprange_info {
+ struct ipt_iprange src;
+ struct ipt_iprange dst;
+
+ /* Flags from above */
+ u_int8_t flags;
+};
+
+enum {
+ F_SRCIP = 1 << 0,
+ F_DSTIP = 1 << 1,
+};
+
+static void iprange_mt_help(void)
+{
+ printf(
+"iprange match options:\n"
+"[!] --src-range ip[-ip] Match source IP in the specified range\n"
+"[!] --dst-range ip[-ip] Match destination IP in the specified range\n");
+}
+
+static const struct option iprange_mt_opts[] = {
+ {.name = "src-range", .has_arg = true, .val = '1'},
+ {.name = "dst-range", .has_arg = true, .val = '2'},
+ { .name = NULL }
+};
+
+static void
+iprange_parse_spec(const char *from, const char *to, union nf_inet_addr *range,
+ uint8_t family, const char *optname)
+{
+ const char *spec[2] = {from, to};
+ struct in6_addr *ia6;
+ struct in_addr *ia4;
+ unsigned int i;
+
+ memset(range, 0, sizeof(union nf_inet_addr) * 2);
+
+ if (family == NFPROTO_IPV6) {
+ for (i = 0; i < ARRAY_SIZE(spec); ++i) {
+ ia6 = xtables_numeric_to_ip6addr(spec[i]);
+ if (ia6 == NULL)
+ xtables_param_act(XTF_BAD_VALUE, "iprange",
+ optname, spec[i]);
+ range[i].in6 = *ia6;
+ }
+ } else {
+ for (i = 0; i < ARRAY_SIZE(spec); ++i) {
+ ia4 = xtables_numeric_to_ipaddr(spec[i]);
+ if (ia4 == NULL)
+ xtables_param_act(XTF_BAD_VALUE, "iprange",
+ optname, spec[i]);
+ range[i].in = *ia4;
+ }
+ }
+}
+
+static void iprange_parse_range(char *arg, union nf_inet_addr *range,
+ u_int8_t family, const char *optname)
+{
+ char *dash;
+
+ dash = strchr(arg, '-');
+ if (dash == NULL) {
+ iprange_parse_spec(arg, arg, range, family, optname);
+ return;
+ }
+
+ *dash = '\0';
+ iprange_parse_spec(arg, dash + 1, range, family, optname);
+ if (memcmp(&range[0], &range[1], sizeof(*range)) > 0)
+ fprintf(stderr, "xt_iprange: range %s-%s is reversed and "
+ "will never match\n", arg, dash + 1);
+}
+
+static int iprange_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_iprange_info *info = (struct ipt_iprange_info *)(*match)->data;
+ union nf_inet_addr range[2];
+
+ switch (c) {
+ case '1':
+ if (*flags & IPRANGE_SRC)
+ xtables_error(PARAMETER_PROBLEM,
+ "iprange match: Only use --src-range ONCE!");
+ *flags |= IPRANGE_SRC;
+
+ info->flags |= IPRANGE_SRC;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ info->flags |= IPRANGE_SRC_INV;
+ iprange_parse_range(optarg, range, NFPROTO_IPV4, "--src-range");
+ info->src.min_ip = range[0].ip;
+ info->src.max_ip = range[1].ip;
+ break;
+
+ case '2':
+ if (*flags & IPRANGE_DST)
+ xtables_error(PARAMETER_PROBLEM,
+ "iprange match: Only use --dst-range ONCE!");
+ *flags |= IPRANGE_DST;
+
+ info->flags |= IPRANGE_DST;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ info->flags |= IPRANGE_DST_INV;
+
+ iprange_parse_range(optarg, range, NFPROTO_IPV4, "--dst-range");
+ info->dst.min_ip = range[0].ip;
+ info->dst.max_ip = range[1].ip;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static int
+iprange_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_iprange_mtinfo *info = (void *)(*match)->data;
+
+ switch (c) {
+ case '1': /* --src-range */
+ iprange_parse_range(optarg, &info->src_min, NFPROTO_IPV4,
+ "--src-range");
+ info->flags |= IPRANGE_SRC;
+ if (invert)
+ info->flags |= IPRANGE_SRC_INV;
+ *flags |= F_SRCIP;
+ return true;
+
+ case '2': /* --dst-range */
+ iprange_parse_range(optarg, &info->dst_min, NFPROTO_IPV4,
+ "--dst-range");
+ info->flags |= IPRANGE_DST;
+ if (invert)
+ info->flags |= IPRANGE_DST_INV;
+ *flags |= F_DSTIP;
+ return true;
+ }
+ return false;
+}
+
+static int
+iprange_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_iprange_mtinfo *info = (void *)(*match)->data;
+
+ switch (c) {
+ case '1': /* --src-range */
+ iprange_parse_range(optarg, &info->src_min, NFPROTO_IPV6,
+ "--src-range");
+ info->flags |= IPRANGE_SRC;
+ if (invert)
+ info->flags |= IPRANGE_SRC_INV;
+ *flags |= F_SRCIP;
+ return true;
+
+ case '2': /* --dst-range */
+ iprange_parse_range(optarg, &info->dst_min, NFPROTO_IPV6,
+ "--dst-range");
+ info->flags |= IPRANGE_DST;
+ if (invert)
+ info->flags |= IPRANGE_DST_INV;
+ *flags |= F_DSTIP;
+ return true;
+ }
+ return false;
+}
+
+static void iprange_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "iprange match: You must specify `--src-range' or `--dst-range'");
+}
+
+static void
+print_iprange(const struct ipt_iprange *range)
+{
+ const unsigned char *byte_min, *byte_max;
+
+ byte_min = (const unsigned char *)&range->min_ip;
+ byte_max = (const unsigned char *)&range->max_ip;
+ printf("%u.%u.%u.%u-%u.%u.%u.%u ",
+ byte_min[0], byte_min[1], byte_min[2], byte_min[3],
+ byte_max[0], byte_max[1], byte_max[2], byte_max[3]);
+}
+
+static void iprange_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_iprange_info *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ printf("source IP range ");
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ print_iprange(&info->src);
+ }
+ if (info->flags & IPRANGE_DST) {
+ printf("destination IP range ");
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ print_iprange(&info->dst);
+ }
+}
+
+static void
+iprange_mt4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_iprange_mtinfo *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ printf("source IP range ");
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ /*
+ * ipaddr_to_numeric() uses a static buffer, so cannot
+ * combine the printf() calls.
+ */
+ printf("%s", xtables_ipaddr_to_numeric(&info->src_min.in));
+ printf("-%s ", xtables_ipaddr_to_numeric(&info->src_max.in));
+ }
+ if (info->flags & IPRANGE_DST) {
+ printf("destination IP range ");
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("%s", xtables_ipaddr_to_numeric(&info->dst_min.in));
+ printf("-%s ", xtables_ipaddr_to_numeric(&info->dst_max.in));
+ }
+}
+
+static void
+iprange_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_iprange_mtinfo *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ printf("source IP range ");
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ /*
+ * ipaddr_to_numeric() uses a static buffer, so cannot
+ * combine the printf() calls.
+ */
+ printf("%s", xtables_ip6addr_to_numeric(&info->src_min.in6));
+ printf("-%s ", xtables_ip6addr_to_numeric(&info->src_max.in6));
+ }
+ if (info->flags & IPRANGE_DST) {
+ printf("destination IP range ");
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("%s", xtables_ip6addr_to_numeric(&info->dst_min.in6));
+ printf("-%s ", xtables_ip6addr_to_numeric(&info->dst_max.in6));
+ }
+}
+
+static void iprange_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_iprange_info *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ printf("--src-range ");
+ print_iprange(&info->src);
+ if (info->flags & IPRANGE_DST)
+ fputc(' ', stdout);
+ }
+ if (info->flags & IPRANGE_DST) {
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("--dst-range ");
+ print_iprange(&info->dst);
+ }
+}
+
+static void iprange_mt4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_iprange_mtinfo *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ printf("--src-range %s", xtables_ipaddr_to_numeric(&info->src_min.in));
+ printf("-%s ", xtables_ipaddr_to_numeric(&info->src_max.in));
+ }
+ if (info->flags & IPRANGE_DST) {
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("--dst-range %s", xtables_ipaddr_to_numeric(&info->dst_min.in));
+ printf("-%s ", xtables_ipaddr_to_numeric(&info->dst_max.in));
+ }
+}
+
+static void iprange_mt6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_iprange_mtinfo *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ printf("--src-range %s", xtables_ip6addr_to_numeric(&info->src_min.in6));
+ printf("-%s ", xtables_ip6addr_to_numeric(&info->src_max.in6));
+ }
+ if (info->flags & IPRANGE_DST) {
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("--dst-range %s", xtables_ip6addr_to_numeric(&info->dst_min.in6));
+ printf("-%s ", xtables_ip6addr_to_numeric(&info->dst_max.in6));
+ }
+}
+
+static struct xtables_match iprange_mt_reg[] = {
+ {
+ .version = XTABLES_VERSION,
+ .name = "iprange",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_iprange_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_iprange_info)),
+ .help = iprange_mt_help,
+ .parse = iprange_parse,
+ .final_check = iprange_mt_check,
+ .print = iprange_print,
+ .save = iprange_save,
+ .extra_opts = iprange_mt_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "iprange",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
+ .help = iprange_mt_help,
+ .parse = iprange_mt4_parse,
+ .final_check = iprange_mt_check,
+ .print = iprange_mt4_print,
+ .save = iprange_mt4_save,
+ .extra_opts = iprange_mt_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "iprange",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
+ .help = iprange_mt_help,
+ .parse = iprange_mt6_parse,
+ .final_check = iprange_mt_check,
+ .print = iprange_mt6_print,
+ .save = iprange_mt6_save,
+ .extra_opts = iprange_mt_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(iprange_mt_reg, ARRAY_SIZE(iprange_mt_reg));
+}
diff --git a/extensions/libxt_iprange.man b/extensions/libxt_iprange.man
new file mode 100644
index 0000000..9f65de4
--- /dev/null
+++ b/extensions/libxt_iprange.man
@@ -0,0 +1,7 @@
+This matches on a given arbitrary range of IP addresses.
+.TP
+[\fB!\fR] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
+Match source IP in the specified range.
+.TP
+[\fB!\fR] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP]
+Match destination IP in the specified range.
diff --git a/extensions/libxt_length.c b/extensions/libxt_length.c
new file mode 100644
index 0000000..96e8b6c
--- /dev/null
+++ b/extensions/libxt_length.c
@@ -0,0 +1,133 @@
+/* Shared library add-on to iptables to add packet length matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_length.h>
+
+static void length_help(void)
+{
+ printf(
+"length match options:\n"
+"[!] --length length[:length] Match packet length against value or range\n"
+" of values (inclusive)\n");
+}
+
+static const struct option length_opts[] = {
+ { "length", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static u_int16_t
+parse_length(const char *s)
+{
+ unsigned int len;
+
+ if (!xtables_strtoui(s, NULL, &len, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM, "length invalid: \"%s\"\n", s);
+ else
+ return len;
+}
+
+/* If a single value is provided, min and max are both set to the value */
+static void
+parse_lengths(const char *s, struct xt_length_info *info)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(s);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ info->min = info->max = parse_length(buffer);
+ else {
+ *cp = '\0';
+ cp++;
+
+ info->min = buffer[0] ? parse_length(buffer) : 0;
+ info->max = cp[0] ? parse_length(cp) : 0xFFFF;
+ }
+ free(buffer);
+
+ if (info->min > info->max)
+ xtables_error(PARAMETER_PROBLEM,
+ "length min. range value `%u' greater than max. "
+ "range value `%u'", info->min, info->max);
+
+}
+
+static int
+length_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_length_info *info = (struct xt_length_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "length: `--length' may only be "
+ "specified once");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_lengths(optarg, info);
+ if (invert)
+ info->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void length_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "length: You must specify `--length'");
+}
+
+static void
+length_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_length_info *info = (void *)match->data;
+
+ printf("length %s", info->invert ? "!" : "");
+ if (info->min == info->max)
+ printf("%u ", info->min);
+ else
+ printf("%u:%u ", info->min, info->max);
+}
+
+static void length_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_length_info *info = (void *)match->data;
+
+ printf("%s--length ", info->invert ? "! " : "");
+ if (info->min == info->max)
+ printf("%u ", info->min);
+ else
+ printf("%u:%u ", info->min, info->max);
+}
+
+static struct xtables_match length_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "length",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_length_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_length_info)),
+ .help = length_help,
+ .parse = length_parse,
+ .final_check = length_check,
+ .print = length_print,
+ .save = length_save,
+ .extra_opts = length_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&length_match);
+}
diff --git a/extensions/libxt_length.man b/extensions/libxt_length.man
new file mode 100644
index 0000000..07b6ea6
--- /dev/null
+++ b/extensions/libxt_length.man
@@ -0,0 +1,5 @@
+This module matches the length of the layer-3 payload (e.g. layer-4 packet)
+of a packet against a specific value
+or range of values.
+.TP
+[\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP]
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
new file mode 100644
index 0000000..c836303
--- /dev/null
+++ b/extensions/libxt_limit.c
@@ -0,0 +1,177 @@
+/* Shared library add-on to iptables to add limit support.
+ *
+ * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
+ * Hervé Eychenne <rv@wallfire.org>
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <stddef.h>
+#include <linux/netfilter/x_tables.h>
+/* For 64bit kernel / 32bit userspace */
+#include <linux/netfilter/xt_limit.h>
+
+#define XT_LIMIT_AVG "3/hour"
+#define XT_LIMIT_BURST 5
+
+static void limit_help(void)
+{
+ printf(
+"limit match options:\n"
+"--limit avg max average match rate: default "XT_LIMIT_AVG"\n"
+" [Packets per second unless followed by \n"
+" /sec /minute /hour /day postfixes]\n"
+"--limit-burst number number to match in a burst, default %u\n",
+XT_LIMIT_BURST);
+}
+
+static const struct option limit_opts[] = {
+ { "limit", 1, NULL, '%' },
+ { "limit-burst", 1, NULL, '$' },
+ { .name = NULL }
+};
+
+static
+int parse_rate(const char *rate, u_int32_t *val)
+{
+ const char *delim;
+ u_int32_t r;
+ u_int32_t mult = 1; /* Seconds by default. */
+
+ delim = strchr(rate, '/');
+ if (delim) {
+ if (strlen(delim+1) == 0)
+ return 0;
+
+ if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
+ mult = 1;
+ else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
+ mult = 60;
+ else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
+ mult = 60*60;
+ else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
+ mult = 24*60*60;
+ else
+ return 0;
+ }
+ r = atoi(rate);
+ if (!r)
+ return 0;
+
+ /* This would get mapped to infinite (1/day is minimum they
+ can specify, so we're ok at that end). */
+ if (r / mult > XT_LIMIT_SCALE)
+ xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
+
+ *val = XT_LIMIT_SCALE * mult / r;
+ return 1;
+}
+
+static void limit_init(struct xt_entry_match *m)
+{
+ struct xt_rateinfo *r = (struct xt_rateinfo *)m->data;
+
+ parse_rate(XT_LIMIT_AVG, &r->avg);
+ r->burst = XT_LIMIT_BURST;
+
+}
+
+/* FIXME: handle overflow:
+ if (r->avg*r->burst/r->burst != r->avg)
+ xtables_error(PARAMETER_PROBLEM,
+ "Sorry: burst too large for that avg rate.\n");
+*/
+
+static int
+limit_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_rateinfo *r = (struct xt_rateinfo *)(*match)->data;
+ unsigned int num;
+
+ switch(c) {
+ case '%':
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;
+ if (!parse_rate(optarg, &r->avg))
+ xtables_error(PARAMETER_PROBLEM,
+ "bad rate `%s'", optarg);
+ break;
+
+ case '$':
+ if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;
+ if (!xtables_strtoui(optarg, NULL, &num, 0, 10000))
+ xtables_error(PARAMETER_PROBLEM,
+ "bad --limit-burst `%s'", optarg);
+ r->burst = num;
+ break;
+
+ default:
+ return 0;
+ }
+
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "limit does not support invert");
+
+ return 1;
+}
+
+static const struct rates
+{
+ const char *name;
+ u_int32_t mult;
+} rates[] = { { "day", XT_LIMIT_SCALE*24*60*60 },
+ { "hour", XT_LIMIT_SCALE*60*60 },
+ { "min", XT_LIMIT_SCALE*60 },
+ { "sec", XT_LIMIT_SCALE } };
+
+static void print_rate(u_int32_t period)
+{
+ unsigned int i;
+
+ for (i = 1; i < ARRAY_SIZE(rates); ++i)
+ if (period > rates[i].mult
+ || rates[i].mult/period < rates[i].mult%period)
+ break;
+
+ printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
+}
+
+static void
+limit_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_rateinfo *r = (const void *)match->data;
+ printf("limit: avg "); print_rate(r->avg);
+ printf("burst %u ", r->burst);
+}
+
+static void limit_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_rateinfo *r = (const void *)match->data;
+
+ printf("--limit "); print_rate(r->avg);
+ if (r->burst != XT_LIMIT_BURST)
+ printf("--limit-burst %u ", r->burst);
+}
+
+static struct xtables_match limit_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "limit",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_rateinfo)),
+ .userspacesize = offsetof(struct xt_rateinfo, prev),
+ .help = limit_help,
+ .init = limit_init,
+ .parse = limit_parse,
+ .print = limit_print,
+ .save = limit_save,
+ .extra_opts = limit_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&limit_match);
+}
diff --git a/extensions/libxt_limit.man b/extensions/libxt_limit.man
new file mode 100644
index 0000000..9f51ce3
--- /dev/null
+++ b/extensions/libxt_limit.man
@@ -0,0 +1,15 @@
+This module matches at a limited rate using a token bucket filter.
+A rule using this extension will match until this limit is reached
+(unless the `!' flag is used). It can be used in combination with the
+.B LOG
+target to give limited logging, for example.
+.TP
+\fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
+Maximum average matching rate: specified as a number, with an optional
+`/second', `/minute', `/hour', or `/day' suffix; the default is
+3/hour.
+.TP
+\fB\-\-limit\-burst\fP \fInumber\fP
+Maximum initial number of packets to match: this number gets
+recharged by one every time the limit specified above is not reached,
+up to this number; the default is 5.
diff --git a/extensions/libxt_mac.c b/extensions/libxt_mac.c
new file mode 100644
index 0000000..00996a0
--- /dev/null
+++ b/extensions/libxt_mac.c
@@ -0,0 +1,131 @@
+/* Shared library add-on to iptables to add MAC address support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#if defined(__GLIBC__) && __GLIBC__ == 2
+#include <net/ethernet.h>
+#else
+#include <linux/if_ether.h>
+#endif
+#include <xtables.h>
+#include <linux/netfilter/xt_mac.h>
+
+static void mac_help(void)
+{
+ printf(
+"mac match options:\n"
+"[!] --mac-source XX:XX:XX:XX:XX:XX\n"
+" Match source MAC address\n");
+}
+
+static const struct option mac_opts[] = {
+ { "mac-source", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static void
+parse_mac(const char *mac, struct xt_mac_info *info)
+{
+ unsigned int i = 0;
+
+ if (strlen(mac) != ETH_ALEN*3-1)
+ xtables_error(PARAMETER_PROBLEM, "Bad mac address \"%s\"", mac);
+
+ for (i = 0; i < ETH_ALEN; i++) {
+ long number;
+ char *end;
+
+ number = strtol(mac + i*3, &end, 16);
+
+ if (end == mac + i*3 + 2
+ && number >= 0
+ && number <= 255)
+ info->srcaddr[i] = number;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "Bad mac address `%s'", mac);
+ }
+}
+
+static int
+mac_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_mac_info *macinfo = (struct xt_mac_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_mac(optarg, macinfo);
+ if (invert)
+ macinfo->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void print_mac(const unsigned char macaddress[ETH_ALEN])
+{
+ unsigned int i;
+
+ printf("%02X", macaddress[0]);
+ for (i = 1; i < ETH_ALEN; i++)
+ printf(":%02X", macaddress[i]);
+ printf(" ");
+}
+
+static void mac_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "You must specify `--mac-source'");
+}
+
+static void
+mac_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_mac_info *info = (void *)match->data;
+ printf("MAC ");
+
+ if (info->invert)
+ printf("! ");
+
+ print_mac(info->srcaddr);
+}
+
+static void mac_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_mac_info *info = (void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ printf("--mac-source ");
+ print_mac(info->srcaddr);
+}
+
+static struct xtables_match mac_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "mac",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_mac_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_mac_info)),
+ .help = mac_help,
+ .parse = mac_parse,
+ .final_check = mac_check,
+ .print = mac_print,
+ .save = mac_save,
+ .extra_opts = mac_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&mac_match);
+}
diff --git a/extensions/libxt_mac.man b/extensions/libxt_mac.man
new file mode 100644
index 0000000..66072a2
--- /dev/null
+++ b/extensions/libxt_mac.man
@@ -0,0 +1,10 @@
+.TP
+[\fB!\fP] \fB\-\-mac\-source\fP \fIaddress\fP
+Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
+Note that this only makes sense for packets coming from an Ethernet device
+and entering the
+.BR PREROUTING ,
+.B FORWARD
+or
+.B INPUT
+chains.
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
new file mode 100644
index 0000000..8013c9a
--- /dev/null
+++ b/extensions/libxt_mark.c
@@ -0,0 +1,185 @@
+/* Shared library add-on to iptables to add NFMARK matching support. */
+#include <stdbool.h>
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_mark.h>
+
+struct xt_mark_info {
+ unsigned long mark, mask;
+ u_int8_t invert;
+};
+
+enum {
+ F_MARK = 1 << 0,
+};
+
+static void mark_mt_help(void)
+{
+ printf(
+"mark match options:\n"
+"[!] --mark value[/mask] Match nfmark value with optional mask\n");
+}
+
+static const struct option mark_mt_opts[] = {
+ {.name = "mark", .has_arg = true, .val = '1'},
+ { .name = NULL }
+};
+
+static int mark_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_mark_mtinfo1 *info = (void *)(*match)->data;
+ unsigned int mark, mask = UINT32_MAX;
+ char *end;
+
+ switch (c) {
+ case '1': /* --mark */
+ xtables_param_act(XTF_ONLY_ONCE, "mark", "--mark", *flags & F_MARK);
+ if (!xtables_strtoui(optarg, &end, &mark, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "mark", "--mark", optarg);
+ if (*end == '/')
+ if (!xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "mark", "--mark", optarg);
+ if (*end != '\0')
+ xtables_param_act(XTF_BAD_VALUE, "mark", "--mark", optarg);
+
+ if (invert)
+ info->invert = true;
+ info->mark = mark;
+ info->mask = mask;
+ *flags |= F_MARK;
+ return true;
+ }
+ return false;
+}
+
+static int
+mark_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_mark_info *markinfo = (struct xt_mark_info *)(*match)->data;
+
+ switch (c) {
+ char *end;
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ markinfo->mark = strtoul(optarg, &end, 0);
+ if (*end == '/') {
+ markinfo->mask = strtoul(end+1, &end, 0);
+ } else
+ markinfo->mask = 0xffffffff;
+ if (*end != '\0' || end == optarg)
+ xtables_error(PARAMETER_PROBLEM, "Bad MARK value \"%s\"", optarg);
+ if (invert)
+ markinfo->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void print_mark(unsigned int mark, unsigned int mask)
+{
+ if (mask != 0xffffffffU)
+ printf("0x%x/0x%x ", mark, mask);
+ else
+ printf("0x%x ", mark);
+}
+
+static void mark_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "mark match: The --mark option is required");
+}
+
+static void
+mark_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_mark_mtinfo1 *info = (const void *)match->data;
+
+ printf("mark match ");
+ if (info->invert)
+ printf("!");
+ print_mark(info->mark, info->mask);
+}
+
+static void
+mark_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_mark_info *info = (const void *)match->data;
+
+ printf("MARK match ");
+
+ if (info->invert)
+ printf("!");
+
+ print_mark(info->mark, info->mask);
+}
+
+static void mark_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_mark_mtinfo1 *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ printf("--mark ");
+ print_mark(info->mark, info->mask);
+}
+
+static void
+mark_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_mark_info *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ printf("--mark ");
+ print_mark(info->mark, info->mask);
+}
+
+static struct xtables_match mark_mt_reg[] = {
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "mark",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_mark_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)),
+ .help = mark_mt_help,
+ .parse = mark_parse,
+ .final_check = mark_mt_check,
+ .print = mark_print,
+ .save = mark_save,
+ .extra_opts = mark_mt_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "mark",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
+ .help = mark_mt_help,
+ .parse = mark_mt_parse,
+ .final_check = mark_mt_check,
+ .print = mark_mt_print,
+ .save = mark_mt_save,
+ .extra_opts = mark_mt_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg));
+}
diff --git a/extensions/libxt_mark.man b/extensions/libxt_mark.man
new file mode 100644
index 0000000..264b17d
--- /dev/null
+++ b/extensions/libxt_mark.man
@@ -0,0 +1,9 @@
+This module matches the netfilter mark field associated with a packet
+(which can be set using the
+.B MARK
+target below).
+.TP
+[\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
+Matches packets with the given unsigned mark value (if a \fImask\fP is
+specified, this is logically ANDed with the \fImask\fP before the
+comparison).
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
new file mode 100644
index 0000000..e8a0dab
--- /dev/null
+++ b/extensions/libxt_multiport.c
@@ -0,0 +1,575 @@
+/* Shared library add-on to iptables to add multiple TCP port support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <libiptc/libiptc.h>
+#include <libiptc/libip6tc.h>
+#include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/xt_multiport.h>
+
+/* Function which prints out usage message. */
+static void multiport_help(void)
+{
+ printf(
+"multiport match options:\n"
+" --source-ports port[,port,port...]\n"
+" --sports ...\n"
+" match source port(s)\n"
+" --destination-ports port[,port,port...]\n"
+" --dports ...\n"
+" match destination port(s)\n"
+" --ports port[,port,port]\n"
+" match both source and destination port(s)\n"
+" NOTE: this kernel does not support port ranges in multiport.\n");
+}
+
+static void multiport_help_v1(void)
+{
+ printf(
+"multiport match options:\n"
+"[!] --source-ports port[,port:port,port...]\n"
+" --sports ...\n"
+" match source port(s)\n"
+"[!] --destination-ports port[,port:port,port...]\n"
+" --dports ...\n"
+" match destination port(s)\n"
+"[!] --ports port[,port:port,port]\n"
+" match both source and destination port(s)\n");
+}
+
+static const struct option multiport_opts[] = {
+ { "source-ports", 1, NULL, '1' },
+ { "sports", 1, NULL, '1' }, /* synonym */
+ { "destination-ports", 1, NULL, '2' },
+ { "dports", 1, NULL, '2' }, /* synonym */
+ { "ports", 1, NULL, '3' },
+ { .name = NULL }
+};
+
+static char *
+proto_to_name(u_int8_t proto)
+{
+ switch (proto) {
+ case IPPROTO_TCP:
+ return "tcp";
+ case IPPROTO_UDP:
+ return "udp";
+ case IPPROTO_UDPLITE:
+ return "udplite";
+ case IPPROTO_SCTP:
+ return "sctp";
+ case IPPROTO_DCCP:
+ return "dccp";
+ default:
+ return NULL;
+ }
+}
+
+static unsigned int
+parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
+{
+ char *buffer, *cp, *next;
+ unsigned int i;
+
+ buffer = strdup(portstring);
+ if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+
+ for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
+ {
+ next=strchr(cp, ',');
+ if (next) *next++='\0';
+ ports[i] = xtables_parse_port(cp, proto);
+ }
+ if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified");
+ free(buffer);
+ return i;
+}
+
+static void
+parse_multi_ports_v1(const char *portstring,
+ struct xt_multiport_v1 *multiinfo,
+ const char *proto)
+{
+ char *buffer, *cp, *next, *range;
+ unsigned int i;
+ u_int16_t m;
+
+ buffer = strdup(portstring);
+ if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+
+ for (i=0; i<XT_MULTI_PORTS; i++)
+ multiinfo->pflags[i] = 0;
+
+ for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next, i++) {
+ next=strchr(cp, ',');
+ if (next) *next++='\0';
+ range = strchr(cp, ':');
+ if (range) {
+ if (i == XT_MULTI_PORTS-1)
+ xtables_error(PARAMETER_PROBLEM,
+ "too many ports specified");
+ *range++ = '\0';
+ }
+ multiinfo->ports[i] = xtables_parse_port(cp, proto);
+ if (range) {
+ multiinfo->pflags[i] = 1;
+ multiinfo->ports[++i] = xtables_parse_port(range, proto);
+ if (multiinfo->ports[i-1] >= multiinfo->ports[i])
+ xtables_error(PARAMETER_PROBLEM,
+ "invalid portrange specified");
+ m <<= 1;
+ }
+ }
+ multiinfo->count = i;
+ if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified");
+ free(buffer);
+}
+
+static const char *
+check_proto(u_int16_t pnum, u_int8_t invflags)
+{
+ char *proto;
+
+ if (invflags & XT_INV_PROTO)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
+
+ if ((proto = proto_to_name(pnum)) != NULL)
+ return proto;
+ else if (!pnum)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiport needs `-p tcp', `-p udp', `-p udplite', "
+ "`-p sctp' or `-p dccp'");
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+ struct xt_entry_match **match, u_int16_t pnum,
+ u_int8_t invflags)
+{
+ const char *proto;
+ struct xt_multiport *multiinfo
+ = (struct xt_multiport *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ proto = check_proto(pnum, invflags);
+ multiinfo->count = parse_multi_ports(optarg,
+ multiinfo->ports, proto);
+ multiinfo->flags = XT_MULTIPORT_SOURCE;
+ break;
+
+ case '2':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ proto = check_proto(pnum, invflags);
+ multiinfo->count = parse_multi_ports(optarg,
+ multiinfo->ports, proto);
+ multiinfo->flags = XT_MULTIPORT_DESTINATION;
+ break;
+
+ case '3':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ proto = check_proto(pnum, invflags);
+ multiinfo->count = parse_multi_ports(optarg,
+ multiinfo->ports, proto);
+ multiinfo->flags = XT_MULTIPORT_EITHER;
+ break;
+
+ default:
+ return 0;
+ }
+
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiport does not support invert");
+
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiport can only have one option");
+ *flags = 1;
+ return 1;
+}
+
+static int
+multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *e, struct xt_entry_match **match)
+{
+ const struct ipt_entry *entry = e;
+ return __multiport_parse(c, argv, invert, flags, match,
+ entry->ip.proto, entry->ip.invflags);
+}
+
+static int
+multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
+ const void *e, struct xt_entry_match **match)
+{
+ const struct ip6t_entry *entry = e;
+ return __multiport_parse(c, argv, invert, flags, match,
+ entry->ipv6.proto, entry->ipv6.invflags);
+}
+
+static int
+__multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ struct xt_entry_match **match, u_int16_t pnum,
+ u_int8_t invflags)
+{
+ const char *proto;
+ struct xt_multiport_v1 *multiinfo
+ = (struct xt_multiport_v1 *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ proto = check_proto(pnum, invflags);
+ parse_multi_ports_v1(optarg, multiinfo, proto);
+ multiinfo->flags = XT_MULTIPORT_SOURCE;
+ break;
+
+ case '2':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ proto = check_proto(pnum, invflags);
+ parse_multi_ports_v1(optarg, multiinfo, proto);
+ multiinfo->flags = XT_MULTIPORT_DESTINATION;
+ break;
+
+ case '3':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ proto = check_proto(pnum, invflags);
+ parse_multi_ports_v1(optarg, multiinfo, proto);
+ multiinfo->flags = XT_MULTIPORT_EITHER;
+ break;
+
+ default:
+ return 0;
+ }
+
+ if (invert)
+ multiinfo->invert = 1;
+
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "multiport can only have one option");
+ *flags = 1;
+ return 1;
+}
+
+static int
+multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ const void *e, struct xt_entry_match **match)
+{
+ const struct ipt_entry *entry = e;
+ return __multiport_parse_v1(c, argv, invert, flags, match,
+ entry->ip.proto, entry->ip.invflags);
+}
+
+static int
+multiport_parse6_v1(int c, char **argv, int invert, unsigned int *flags,
+ const void *e, struct xt_entry_match **match)
+{
+ const struct ip6t_entry *entry = e;
+ return __multiport_parse_v1(c, argv, invert, flags, match,
+ entry->ipv6.proto, entry->ipv6.invflags);
+}
+
+/* Final check; must specify something. */
+static void multiport_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM, "multiport expection an option");
+}
+
+static char *
+port_to_service(int port, u_int8_t proto)
+{
+ struct servent *service;
+
+ if ((service = getservbyport(htons(port), proto_to_name(proto))))
+ return service->s_name;
+
+ return NULL;
+}
+
+static void
+print_port(u_int16_t port, u_int8_t protocol, int numeric)
+{
+ char *service;
+
+ if (numeric || (service = port_to_service(port, protocol)) == NULL)
+ printf("%u", port);
+ else
+ printf("%s", service);
+}
+
+/* Prints out the matchinfo. */
+static void
+__multiport_print(const struct xt_entry_match *match, int numeric,
+ u_int16_t proto)
+{
+ const struct xt_multiport *multiinfo
+ = (const struct xt_multiport *)match->data;
+ unsigned int i;
+
+ printf("multiport ");
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ printf("sports ");
+ break;
+
+ case XT_MULTIPORT_DESTINATION:
+ printf("dports ");
+ break;
+
+ case XT_MULTIPORT_EITHER:
+ printf("ports ");
+ break;
+
+ default:
+ printf("ERROR ");
+ break;
+ }
+
+ for (i=0; i < multiinfo->count; i++) {
+ printf("%s", i ? "," : "");
+ print_port(multiinfo->ports[i], proto, numeric);
+ }
+ printf(" ");
+}
+
+static void multiport_print(const void *ip_void,
+ const struct xt_entry_match *match, int numeric)
+{
+ const struct ipt_ip *ip = ip_void;
+ __multiport_print(match, numeric, ip->proto);
+}
+
+static void multiport_print6(const void *ip_void,
+ const struct xt_entry_match *match, int numeric)
+{
+ const struct ip6t_ip6 *ip = ip_void;
+ __multiport_print(match, numeric, ip->proto);
+}
+
+static void __multiport_print_v1(const struct xt_entry_match *match,
+ int numeric, u_int16_t proto)
+{
+ const struct xt_multiport_v1 *multiinfo
+ = (const struct xt_multiport_v1 *)match->data;
+ unsigned int i;
+
+ printf("multiport ");
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ printf("sports ");
+ break;
+
+ case XT_MULTIPORT_DESTINATION:
+ printf("dports ");
+ break;
+
+ case XT_MULTIPORT_EITHER:
+ printf("ports ");
+ break;
+
+ default:
+ printf("ERROR ");
+ break;
+ }
+
+ if (multiinfo->invert)
+ printf("! ");
+
+ for (i=0; i < multiinfo->count; i++) {
+ printf("%s", i ? "," : "");
+ print_port(multiinfo->ports[i], proto, numeric);
+ if (multiinfo->pflags[i]) {
+ printf(":");
+ print_port(multiinfo->ports[++i], proto, numeric);
+ }
+ }
+ printf(" ");
+}
+
+static void multiport_print_v1(const void *ip_void,
+ const struct xt_entry_match *match, int numeric)
+{
+ const struct ipt_ip *ip = ip_void;
+ __multiport_print_v1(match, numeric, ip->proto);
+}
+
+static void multiport_print6_v1(const void *ip_void,
+ const struct xt_entry_match *match, int numeric)
+{
+ const struct ip6t_ip6 *ip = ip_void;
+ __multiport_print_v1(match, numeric, ip->proto);
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void __multiport_save(const struct xt_entry_match *match,
+ u_int16_t proto)
+{
+ const struct xt_multiport *multiinfo
+ = (const struct xt_multiport *)match->data;
+ unsigned int i;
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ printf("--sports ");
+ break;
+
+ case XT_MULTIPORT_DESTINATION:
+ printf("--dports ");
+ break;
+
+ case XT_MULTIPORT_EITHER:
+ printf("--ports ");
+ break;
+ }
+
+ for (i=0; i < multiinfo->count; i++) {
+ printf("%s", i ? "," : "");
+ print_port(multiinfo->ports[i], proto, 1);
+ }
+ printf(" ");
+}
+
+static void multiport_save(const void *ip_void,
+ const struct xt_entry_match *match)
+{
+ const struct ipt_ip *ip = ip_void;
+ __multiport_save(match, ip->proto);
+}
+
+static void multiport_save6(const void *ip_void,
+ const struct xt_entry_match *match)
+{
+ const struct ip6t_ip6 *ip = ip_void;
+ __multiport_save(match, ip->proto);
+}
+
+static void __multiport_save_v1(const struct xt_entry_match *match,
+ u_int16_t proto)
+{
+ const struct xt_multiport_v1 *multiinfo
+ = (const struct xt_multiport_v1 *)match->data;
+ unsigned int i;
+
+ if (multiinfo->invert)
+ printf("! ");
+
+ switch (multiinfo->flags) {
+ case XT_MULTIPORT_SOURCE:
+ printf("--sports ");
+ break;
+
+ case XT_MULTIPORT_DESTINATION:
+ printf("--dports ");
+ break;
+
+ case XT_MULTIPORT_EITHER:
+ printf("--ports ");
+ break;
+ }
+
+ for (i=0; i < multiinfo->count; i++) {
+ printf("%s", i ? "," : "");
+ print_port(multiinfo->ports[i], proto, 1);
+ if (multiinfo->pflags[i]) {
+ printf(":");
+ print_port(multiinfo->ports[++i], proto, 1);
+ }
+ }
+ printf(" ");
+}
+
+static void multiport_save_v1(const void *ip_void,
+ const struct xt_entry_match *match)
+{
+ const struct ipt_ip *ip = ip_void;
+ __multiport_save_v1(match, ip->proto);
+}
+
+static void multiport_save6_v1(const void *ip_void,
+ const struct xt_entry_match *match)
+{
+ const struct ip6t_ip6 *ip = ip_void;
+ __multiport_save_v1(match, ip->proto);
+}
+
+static struct xtables_match multiport_mt_reg[] = {
+ {
+ .family = NFPROTO_IPV4,
+ .name = "multiport",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_multiport)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+ .help = multiport_help,
+ .parse = multiport_parse,
+ .final_check = multiport_check,
+ .print = multiport_print,
+ .save = multiport_save,
+ .extra_opts = multiport_opts,
+ },
+ {
+ .family = NFPROTO_IPV6,
+ .name = "multiport",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_multiport)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+ .help = multiport_help,
+ .parse = multiport_parse6,
+ .final_check = multiport_check,
+ .print = multiport_print6,
+ .save = multiport_save6,
+ .extra_opts = multiport_opts,
+ },
+ {
+ .family = NFPROTO_IPV4,
+ .name = "multiport",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_multiport_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)),
+ .help = multiport_help_v1,
+ .parse = multiport_parse_v1,
+ .final_check = multiport_check,
+ .print = multiport_print_v1,
+ .save = multiport_save_v1,
+ .extra_opts = multiport_opts,
+ },
+ {
+ .family = NFPROTO_IPV6,
+ .name = "multiport",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_multiport_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)),
+ .help = multiport_help_v1,
+ .parse = multiport_parse6_v1,
+ .final_check = multiport_check,
+ .print = multiport_print6_v1,
+ .save = multiport_save6_v1,
+ .extra_opts = multiport_opts,
+ },
+};
+
+void
+_init(void)
+{
+ xtables_register_matches(multiport_mt_reg, ARRAY_SIZE(multiport_mt_reg));
+}
diff --git a/extensions/libxt_multiport.man b/extensions/libxt_multiport.man
new file mode 100644
index 0000000..caf5c56
--- /dev/null
+++ b/extensions/libxt_multiport.man
@@ -0,0 +1,23 @@
+This module matches a set of source or destination ports. Up to 15
+ports can be specified. A port range (port:port) counts as two
+ports. It can only be used in conjunction with
+\fB\-p tcp\fP
+or
+\fB\-p udp\fP.
+.TP
+[\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
+Match if the source port is one of the given ports. The flag
+\fB\-\-sports\fP
+is a convenient alias for this option. Multiple ports or port ranges are
+separated using a comma, and a port range is specified using a colon.
+\fB53,1024:65535\fP would therefore match ports 53 and all from 1024 through
+65535.
+.TP
+[\fB!\fP] \fB\-\-destination\-ports\fP,\fB\-\-dports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
+Match if the destination port is one of the given ports. The flag
+\fB\-\-dports\fP
+is a convenient alias for this option.
+.TP
+[\fB!\fP] \fB\-\-ports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]...
+Match if either the source or destination ports are equal to one of
+the given ports.
diff --git a/extensions/libxt_osf.c b/extensions/libxt_osf.c
new file mode 100644
index 0000000..07b86e4
--- /dev/null
+++ b/extensions/libxt_osf.c
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2003+ Evgeniy Polyakov <zbr@ioremap.net>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * xtables interface for OS fingerprint matching module.
+ */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ctype.h>
+
+#include <linux/types.h>
+
+#include <xtables.h>
+
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+#include <linux/netfilter/xt_osf.h>
+
+static void osf_help(void)
+{
+ printf("OS fingerprint match options:\n"
+ "[!] --genre string Match a OS genre by passive fingerprinting.\n"
+ "--ttl level Use some TTL check extensions to determine OS:\n"
+ " 0 true ip and fingerprint TTL comparison. Works for LAN.\n"
+ " 1 check if ip TTL is less than fingerprint one. Works for global addresses.\n"
+ " 2 do not compare TTL at all. Allows to detect NMAP, but can produce false results.\n"
+ "--log level Log determined genres into dmesg even if they do not match desired one:\n"
+ " 0 log all matched or unknown signatures.\n"
+ " 1 log only first one.\n"
+ " 2 log all known matched signatures.\n"
+ );
+}
+
+
+static const struct option osf_opts[] = {
+ { .name = "genre", .has_arg = true, .val = '1' },
+ { .name = "ttl", .has_arg = true, .val = '2' },
+ { .name = "log", .has_arg = true, .val = '3' },
+ { .name = NULL }
+};
+
+
+static void osf_parse_string(const char *s, struct xt_osf_info *info)
+{
+ if (strlen(s) < MAXGENRELEN)
+ strcpy(info->genre, s);
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "Genre string too long `%s' [%zd], max=%d",
+ s, strlen(s), MAXGENRELEN);
+}
+
+static int osf_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry,
+ struct xt_entry_match **match)
+{
+ struct xt_osf_info *info = (struct xt_osf_info *)(*match)->data;
+
+ switch(c) {
+ case '1': /* --genre */
+ if (*flags & XT_OSF_GENRE)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify multiple genre parameter");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ osf_parse_string(argv[optind-1], info);
+ if (invert)
+ info->flags |= XT_OSF_INVERT;
+ info->len=strlen(info->genre);
+ *flags |= XT_OSF_GENRE;
+ break;
+ case '2': /* --ttl */
+ if (*flags & XT_OSF_TTL)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify multiple ttl parameter");
+ *flags |= XT_OSF_TTL;
+ info->flags |= XT_OSF_TTL;
+ if (!xtables_strtoui(argv[optind-1], NULL, &info->ttl, 0, 2))
+ xtables_error(PARAMETER_PROBLEM, "TTL parameter is too big");
+ break;
+ case '3': /* --log */
+ if (*flags & XT_OSF_LOG)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify multiple log parameter");
+ *flags |= XT_OSF_LOG;
+ if (!xtables_strtoui(argv[optind-1], NULL, &info->loglevel, 0, 2))
+ xtables_error(PARAMETER_PROBLEM, "Log level parameter is too big");
+ info->flags |= XT_OSF_LOG;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void osf_final_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "OS fingerprint match: You must specify `--genre'");
+}
+
+static void osf_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_osf_info *info = (const struct xt_osf_info*) match->data;
+
+ printf("OS fingerprint match %s%s ", (info->flags & XT_OSF_INVERT) ? "! " : "", info->genre);
+}
+
+static void osf_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_osf_info *info = (const struct xt_osf_info*) match->data;
+
+ printf("--genre %s%s ", (info->flags & XT_OSF_INVERT) ? "! ": "", info->genre);
+}
+
+static struct xtables_match osf_match = {
+ .name = "osf",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_osf_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_osf_info)),
+ .help = osf_help,
+ .parse = osf_parse,
+ .print = osf_print,
+ .final_check = osf_final_check,
+ .save = osf_save,
+ .extra_opts = osf_opts,
+ .family = NFPROTO_IPV4
+};
+
+void _init(void)
+{
+ xtables_register_match(&osf_match);
+}
diff --git a/extensions/libxt_osf.man b/extensions/libxt_osf.man
new file mode 100644
index 0000000..f3a85fb
--- /dev/null
+++ b/extensions/libxt_osf.man
@@ -0,0 +1,45 @@
+The osf module does passive operating system fingerprinting. This modules
+compares some data (Window Size, MSS, options and their order, TTL, DF,
+and others) from packets with the SYN bit set.
+.TP
+[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
+Match an operating system genre by using a passive fingerprinting.
+.TP
+\fB\-\-ttl\fP \fIlevel\fP
+Do additional TTL checks on the packet to determine the operating system.
+\fIlevel\fP can be one of the following values:
+.IP \(bu 4
+0 - True IP address and fingerprint TTL comparison. This generally works for
+LANs.
+.IP \(bu 4
+1 - Check if the IP header's TTL is less than the fingerprint one. Works for
+globally-routable addresses.
+.IP \(bu 4
+2 - Do not compare the TTL at all.
+.TP
+\fB\-\-log\fP \fIlevel\fP
+Log determined genres into dmesg even if they do not match the desired one.
+\fIlevel\fP can be one of the following values:
+.IP \(bu 4
+0 - Log all matched or unknown signatures
+.IP \(bu 4
+1 - Log only the first one
+.IP \(bu 4
+2 - Log all known matched signatures
+.PP
+You may find something like this in syslog:
+.PP
+Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
+11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
+.PP
+OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
+fingerprints from a file, use:
+.PP
+\fBnfnl_osf -f /usr/share/xtables/pf.os\fP
+.PP
+To remove them again,
+.PP
+\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
+.PP
+The fingerprint database can be downlaoded from
+http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
new file mode 100644
index 0000000..b595d97
--- /dev/null
+++ b/extensions/libxt_owner.c
@@ -0,0 +1,614 @@
+/*
+ * libxt_owner - iptables addon for xt_owner
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <grp.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_owner.h>
+
+/* match and invert flags */
+enum {
+ IPT_OWNER_UID = 0x01,
+ IPT_OWNER_GID = 0x02,
+ IPT_OWNER_PID = 0x04,
+ IPT_OWNER_SID = 0x08,
+ IPT_OWNER_COMM = 0x10,
+ IP6T_OWNER_UID = IPT_OWNER_UID,
+ IP6T_OWNER_GID = IPT_OWNER_GID,
+ IP6T_OWNER_PID = IPT_OWNER_PID,
+ IP6T_OWNER_SID = IPT_OWNER_SID,
+ IP6T_OWNER_COMM = IPT_OWNER_COMM,
+};
+
+struct ipt_owner_info {
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ pid_t sid;
+ char comm[16];
+ u_int8_t match, invert; /* flags */
+};
+
+struct ip6t_owner_info {
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ pid_t sid;
+ char comm[16];
+ u_int8_t match, invert; /* flags */
+};
+
+/*
+ * Note: "UINT32_MAX - 1" is used in the code because -1 is a reserved
+ * UID/GID value anyway.
+ */
+
+enum {
+ FLAG_UID_OWNER = 1 << 0,
+ FLAG_GID_OWNER = 1 << 1,
+ FLAG_SOCKET_EXISTS = 1 << 2,
+ FLAG_PID_OWNER = 1 << 3,
+ FLAG_SID_OWNER = 1 << 4,
+ FLAG_COMM = 1 << 5,
+};
+
+static void owner_mt_help_v0(void)
+{
+#ifdef IPT_OWNER_COMM
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --pid-owner processid Match local PID\n"
+"[!] --sid-owner sessionid Match local SID\n"
+"[!] --cmd-owner name Match local command name\n"
+"NOTE: PID, SID and command matching are broken on SMP\n");
+#else
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --pid-owner processid Match local PID\n"
+"[!] --sid-owner sessionid Match local SID\n"
+"NOTE: PID and SID matching are broken on SMP\n");
+#endif /* IPT_OWNER_COMM */
+}
+
+static void owner_mt6_help_v0(void)
+{
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --pid-owner processid Match local PID\n"
+"[!] --sid-owner sessionid Match local SID\n"
+"NOTE: PID and SID matching are broken on SMP\n");
+}
+
+static void owner_mt_help(void)
+{
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid[-userid] Match local UID\n"
+"[!] --gid-owner groupid[-groupid] Match local GID\n"
+"[!] --socket-exists Match if socket exists\n");
+}
+
+static const struct option owner_mt_opts_v0[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "pid-owner", .has_arg = true, .val = 'p'},
+ {.name = "sid-owner", .has_arg = true, .val = 's'},
+#ifdef IPT_OWNER_COMM
+ {.name = "cmd-owner", .has_arg = true, .val = 'c'},
+#endif
+ { .name = NULL }
+};
+
+static const struct option owner_mt6_opts_v0[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "pid-owner", .has_arg = true, .val = 'p'},
+ {.name = "sid-owner", .has_arg = true, .val = 's'},
+ { .name = NULL }
+};
+
+static const struct option owner_mt_opts[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "socket-exists", .has_arg = false, .val = 'k'},
+ { .name = NULL }
+};
+
+static int
+owner_mt_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_owner_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int id;
+
+ switch (c) {
+ case 'u':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--uid-owner", *flags & FLAG_UID_OWNER);
+ if ((pwd = getpwnam(optarg)) != NULL)
+ id = pwd->pw_uid;
+ else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--uid-owner", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_UID;
+ info->match |= IPT_OWNER_UID;
+ info->uid = id;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--gid-owner", *flags & FLAG_GID_OWNER);
+ if ((grp = getgrnam(optarg)) != NULL)
+ id = grp->gr_gid;
+ else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--gid-owner", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_GID;
+ info->match |= IPT_OWNER_GID;
+ info->gid = id;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+
+ case 'p':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--pid-owner", *flags & FLAG_PID_OWNER);
+ if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--pid-owner", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_PID;
+ info->match |= IPT_OWNER_PID;
+ info->pid = id;
+ *flags |= FLAG_PID_OWNER;
+ return true;
+
+ case 's':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--sid-owner", *flags & FLAG_SID_OWNER);
+ if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--sid-value", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_SID;
+ info->match |= IPT_OWNER_SID;
+ info->sid = id;
+ *flags |= FLAG_SID_OWNER;
+ return true;
+
+#ifdef IPT_OWNER_COMM
+ case 'c':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--cmd-owner", *flags & FLAG_COMM);
+ if (strlen(optarg) > sizeof(info->comm))
+ xtables_error(PARAMETER_PROBLEM, "owner match: command "
+ "\"%s\" too long, max. %zu characters",
+ optarg, sizeof(info->comm));
+
+ info->comm[sizeof(info->comm)-1] = '\0';
+ strncpy(info->comm, optarg, sizeof(info->comm));
+
+ if (invert)
+ info->invert |= IPT_OWNER_COMM;
+ info->match |= IPT_OWNER_COMM;
+ *flags |= FLAG_COMM;
+ return true;
+#endif
+ }
+ return false;
+}
+
+static int
+owner_mt6_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_owner_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int id;
+
+ switch (c) {
+ case 'u':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--uid-owner",
+ *flags & FLAG_UID_OWNER);
+ if ((pwd = getpwnam(optarg)) != NULL)
+ id = pwd->pw_uid;
+ else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--uid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_UID;
+ info->match |= IP6T_OWNER_UID;
+ info->uid = id;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--gid-owner",
+ *flags & FLAG_GID_OWNER);
+ if ((grp = getgrnam(optarg)) != NULL)
+ id = grp->gr_gid;
+ else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--gid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_GID;
+ info->match |= IP6T_OWNER_GID;
+ info->gid = id;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+
+ case 'p':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--pid-owner",
+ *flags & FLAG_PID_OWNER);
+ if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--pid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_PID;
+ info->match |= IP6T_OWNER_PID;
+ info->pid = id;
+ *flags |= FLAG_PID_OWNER;
+ return true;
+
+ case 's':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--sid-owner",
+ *flags & FLAG_SID_OWNER);
+ if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--sid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_SID;
+ info->match |= IP6T_OWNER_SID;
+ info->sid = id;
+ *flags |= FLAG_SID_OWNER;
+ return true;
+ }
+ return false;
+}
+
+static void owner_parse_range(const char *s, unsigned int *from,
+ unsigned int *to, const char *opt)
+{
+ char *end;
+
+ /* -1 is reversed, so the max is one less than that. */
+ if (!xtables_strtoui(s, &end, from, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", opt, s);
+ *to = *from;
+ if (*end == '-' || *end == ':')
+ if (!xtables_strtoui(end + 1, &end, to, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", opt, s);
+ if (*end != '\0')
+ xtables_param_act(XTF_BAD_VALUE, "owner", opt, s);
+}
+
+static int owner_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_owner_match_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int from, to;
+
+ switch (c) {
+ case 'u':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--uid-owner",
+ *flags & FLAG_UID_OWNER);
+ if ((pwd = getpwnam(optarg)) != NULL)
+ from = to = pwd->pw_uid;
+ else
+ owner_parse_range(optarg, &from, &to, "--uid-owner");
+ if (invert)
+ info->invert |= XT_OWNER_UID;
+ info->match |= XT_OWNER_UID;
+ info->uid_min = from;
+ info->uid_max = to;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--gid-owner",
+ *flags & FLAG_GID_OWNER);
+ if ((grp = getgrnam(optarg)) != NULL)
+ from = to = grp->gr_gid;
+ else
+ owner_parse_range(optarg, &from, &to, "--gid-owner");
+ if (invert)
+ info->invert |= XT_OWNER_GID;
+ info->match |= XT_OWNER_GID;
+ info->gid_min = from;
+ info->gid_max = to;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+
+ case 'k':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--socket-exists",
+ *flags & FLAG_SOCKET_EXISTS);
+ if (invert)
+ info->invert |= XT_OWNER_SOCKET;
+ info->match |= XT_OWNER_SOCKET;
+ *flags |= FLAG_SOCKET_EXISTS;
+ return true;
+
+ }
+ return false;
+}
+
+static void owner_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM, "owner: At least one of "
+ "--uid-owner, --gid-owner or --socket-exists "
+ "is required");
+}
+
+static void
+owner_mt_print_item_v0(const struct ipt_owner_info *info, const char *label,
+ u_int8_t flag, bool numeric)
+{
+ if (!(info->match & flag))
+ return;
+ if (info->invert & flag)
+ printf("! ");
+ printf("%s ", label);
+
+ switch (info->match & flag) {
+ case IPT_OWNER_UID:
+ if (!numeric) {
+ struct passwd *pwd = getpwuid(info->uid);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid);
+ break;
+
+ case IPT_OWNER_GID:
+ if (!numeric) {
+ struct group *grp = getgrgid(info->gid);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid);
+ break;
+
+ case IPT_OWNER_PID:
+ printf("%u ", (unsigned int)info->pid);
+ break;
+
+ case IPT_OWNER_SID:
+ printf("%u ", (unsigned int)info->sid);
+ break;
+
+#ifdef IPT_OWNER_COMM
+ case IPT_OWNER_COMM:
+ printf("%.*s ", (int)sizeof(info->comm), info->comm);
+ break;
+#endif
+ }
+}
+
+static void
+owner_mt6_print_item_v0(const struct ip6t_owner_info *info, const char *label,
+ u_int8_t flag, bool numeric)
+{
+ if (!(info->match & flag))
+ return;
+ if (info->invert & flag)
+ printf("! ");
+ printf("%s ", label);
+
+ switch (info->match & flag) {
+ case IP6T_OWNER_UID:
+ if (!numeric) {
+ struct passwd *pwd = getpwuid(info->uid);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid);
+ break;
+
+ case IP6T_OWNER_GID:
+ if (!numeric) {
+ struct group *grp = getgrgid(info->gid);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid);
+ break;
+
+ case IP6T_OWNER_PID:
+ printf("%u ", (unsigned int)info->pid);
+ break;
+
+ case IP6T_OWNER_SID:
+ printf("%u ", (unsigned int)info->sid);
+ break;
+ }
+}
+
+static void
+owner_mt_print_item(const struct xt_owner_match_info *info, const char *label,
+ u_int8_t flag, bool numeric)
+{
+ if (!(info->match & flag))
+ return;
+ if (info->invert & flag)
+ printf("! ");
+ printf("%s ", label);
+
+ switch (info->match & flag) {
+ case XT_OWNER_UID:
+ if (info->uid_min != info->uid_max) {
+ printf("%u-%u ", (unsigned int)info->uid_min,
+ (unsigned int)info->uid_max);
+ break;
+ } else if (!numeric) {
+ const struct passwd *pwd = getpwuid(info->uid_min);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid_min);
+ break;
+
+ case XT_OWNER_GID:
+ if (info->gid_min != info->gid_max) {
+ printf("%u-%u ", (unsigned int)info->gid_min,
+ (unsigned int)info->gid_max);
+ break;
+ } else if (!numeric) {
+ const struct group *grp = getgrgid(info->gid_min);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid_min);
+ break;
+ }
+}
+
+static void
+owner_mt_print_v0(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_owner_info *info = (void *)match->data;
+
+ owner_mt_print_item_v0(info, "owner UID match", IPT_OWNER_UID, numeric);
+ owner_mt_print_item_v0(info, "owner GID match", IPT_OWNER_GID, numeric);
+ owner_mt_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
+ owner_mt_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
+#ifdef IPT_OWNER_COMM
+ owner_mt_print_item_v0(info, "owner CMD match", IPT_OWNER_COMM, numeric);
+#endif
+}
+
+static void
+owner_mt6_print_v0(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_owner_info *info = (void *)match->data;
+
+ owner_mt6_print_item_v0(info, "owner UID match", IPT_OWNER_UID, numeric);
+ owner_mt6_print_item_v0(info, "owner GID match", IPT_OWNER_GID, numeric);
+ owner_mt6_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
+ owner_mt6_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
+}
+
+static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_owner_match_info *info = (void *)match->data;
+
+ owner_mt_print_item(info, "owner socket exists", XT_OWNER_SOCKET, numeric);
+ owner_mt_print_item(info, "owner UID match", XT_OWNER_UID, numeric);
+ owner_mt_print_item(info, "owner GID match", XT_OWNER_GID, numeric);
+}
+
+static void
+owner_mt_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_owner_info *info = (void *)match->data;
+
+ owner_mt_print_item_v0(info, "--uid-owner", IPT_OWNER_UID, true);
+ owner_mt_print_item_v0(info, "--gid-owner", IPT_OWNER_GID, true);
+ owner_mt_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
+ owner_mt_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
+#ifdef IPT_OWNER_COMM
+ owner_mt_print_item_v0(info, "--cmd-owner", IPT_OWNER_COMM, true);
+#endif
+}
+
+static void
+owner_mt6_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ip6t_owner_info *info = (void *)match->data;
+
+ owner_mt6_print_item_v0(info, "--uid-owner", IPT_OWNER_UID, true);
+ owner_mt6_print_item_v0(info, "--gid-owner", IPT_OWNER_GID, true);
+ owner_mt6_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
+ owner_mt6_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
+}
+
+static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_owner_match_info *info = (void *)match->data;
+
+ owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, false);
+ owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, false);
+ owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, false);
+}
+
+static struct xtables_match owner_mt_reg[] = {
+ {
+ .version = XTABLES_VERSION,
+ .name = "owner",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_owner_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_owner_info)),
+ .help = owner_mt_help_v0,
+ .parse = owner_mt_parse_v0,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print_v0,
+ .save = owner_mt_save_v0,
+ .extra_opts = owner_mt_opts_v0,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "owner",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_owner_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_owner_info)),
+ .help = owner_mt6_help_v0,
+ .parse = owner_mt6_parse_v0,
+ .final_check = owner_mt_check,
+ .print = owner_mt6_print_v0,
+ .save = owner_mt6_save_v0,
+ .extra_opts = owner_mt6_opts_v0,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "owner",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .help = owner_mt_help,
+ .parse = owner_mt_parse,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print,
+ .save = owner_mt_save,
+ .extra_opts = owner_mt_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+}
diff --git a/extensions/libxt_owner.man b/extensions/libxt_owner.man
new file mode 100644
index 0000000..49b58ce
--- /dev/null
+++ b/extensions/libxt_owner.man
@@ -0,0 +1,19 @@
+This module attempts to match various characteristics of the packet creator,
+for locally generated packets. This match is only valid in the OUTPUT and
+POSTROUTING chains. Forwarded packets do not have any socket associated with
+them. Packets from kernel threads do have a socket, but usually no owner.
+.TP
+[\fB!\fP] \fB\-\-uid\-owner\fP \fIusername\fP
+.TP
+[\fB!\fP] \fB\-\-uid\-owner\fP \fIuserid\fP[\fB\-\fP\fIuserid\fP]
+Matches if the packet socket's file structure (if it has one) is owned by the
+given user. You may also specify a numerical UID, or an UID range.
+.TP
+[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupname\fP
+.TP
+[\fB!\fP] \fB\-\-gid\-owner\fP \fIgroupid\fP[\fB\-\fP\fIgroupid\fP]
+Matches if the packet socket's file structure is owned by the given group.
+You may also specify a numerical GID, or a GID range.
+.TP
+[\fB!\fP] \fB\-\-socket\-exists\fP
+Matches if the packet is associated with a socket.
diff --git a/extensions/libxt_physdev.c b/extensions/libxt_physdev.c
new file mode 100644
index 0000000..5382ab6
--- /dev/null
+++ b/extensions/libxt_physdev.c
@@ -0,0 +1,180 @@
+/* Shared library add-on to iptables to add bridge port matching support. */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ctype.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_physdev.h>
+#if defined(__GLIBC__) && __GLIBC__ == 2
+#include <net/ethernet.h>
+#else
+#include <linux/if_ether.h>
+#endif
+
+static void physdev_help(void)
+{
+ printf(
+"physdev match options:\n"
+" [!] --physdev-in inputname[+] bridge port name ([+] for wildcard)\n"
+" [!] --physdev-out outputname[+] bridge port name ([+] for wildcard)\n"
+" [!] --physdev-is-in arrived on a bridge device\n"
+" [!] --physdev-is-out will leave on a bridge device\n"
+" [!] --physdev-is-bridged it's a bridged packet\n");
+}
+
+static const struct option physdev_opts[] = {
+ { "physdev-in", 1, NULL, '1' },
+ { "physdev-out", 1, NULL, '2' },
+ { "physdev-is-in", 0, NULL, '3' },
+ { "physdev-is-out", 0, NULL, '4' },
+ { "physdev-is-bridged", 0, NULL, '5' },
+ { .name = NULL }
+};
+
+static int
+physdev_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_physdev_info *info =
+ (struct xt_physdev_info*)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & XT_PHYSDEV_OP_IN)
+ goto multiple_use;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ xtables_parse_interface(optarg, info->physindev,
+ (unsigned char *)info->in_mask);
+ if (invert)
+ info->invert |= XT_PHYSDEV_OP_IN;
+ info->bitmask |= XT_PHYSDEV_OP_IN;
+ *flags |= XT_PHYSDEV_OP_IN;
+ break;
+
+ case '2':
+ if (*flags & XT_PHYSDEV_OP_OUT)
+ goto multiple_use;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ xtables_parse_interface(optarg, info->physoutdev,
+ (unsigned char *)info->out_mask);
+ if (invert)
+ info->invert |= XT_PHYSDEV_OP_OUT;
+ info->bitmask |= XT_PHYSDEV_OP_OUT;
+ *flags |= XT_PHYSDEV_OP_OUT;
+ break;
+
+ case '3':
+ if (*flags & XT_PHYSDEV_OP_ISIN)
+ goto multiple_use;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ info->bitmask |= XT_PHYSDEV_OP_ISIN;
+ if (invert)
+ info->invert |= XT_PHYSDEV_OP_ISIN;
+ *flags |= XT_PHYSDEV_OP_ISIN;
+ break;
+
+ case '4':
+ if (*flags & XT_PHYSDEV_OP_ISOUT)
+ goto multiple_use;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ info->bitmask |= XT_PHYSDEV_OP_ISOUT;
+ if (invert)
+ info->invert |= XT_PHYSDEV_OP_ISOUT;
+ *flags |= XT_PHYSDEV_OP_ISOUT;
+ break;
+
+ case '5':
+ if (*flags & XT_PHYSDEV_OP_BRIDGED)
+ goto multiple_use;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ info->invert |= XT_PHYSDEV_OP_BRIDGED;
+ *flags |= XT_PHYSDEV_OP_BRIDGED;
+ info->bitmask |= XT_PHYSDEV_OP_BRIDGED;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+multiple_use:
+ xtables_error(PARAMETER_PROBLEM,
+ "multiple use of the same physdev option is not allowed");
+
+}
+
+static void physdev_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM, "PHYSDEV: no physdev option specified");
+}
+
+static void
+physdev_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_physdev_info *info = (const void *)match->data;
+
+ printf("PHYSDEV match");
+ if (info->bitmask & XT_PHYSDEV_OP_ISIN)
+ printf("%s --physdev-is-in",
+ info->invert & XT_PHYSDEV_OP_ISIN ? " !":"");
+ if (info->bitmask & XT_PHYSDEV_OP_IN)
+ printf("%s --physdev-in %s",
+ (info->invert & XT_PHYSDEV_OP_IN) ? " !":"", info->physindev);
+
+ if (info->bitmask & XT_PHYSDEV_OP_ISOUT)
+ printf("%s --physdev-is-out",
+ info->invert & XT_PHYSDEV_OP_ISOUT ? " !":"");
+ if (info->bitmask & XT_PHYSDEV_OP_OUT)
+ printf("%s --physdev-out %s",
+ (info->invert & XT_PHYSDEV_OP_OUT) ? " !":"", info->physoutdev);
+ if (info->bitmask & XT_PHYSDEV_OP_BRIDGED)
+ printf("%s --physdev-is-bridged",
+ info->invert & XT_PHYSDEV_OP_BRIDGED ? " !":"");
+ printf(" ");
+}
+
+static void physdev_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_physdev_info *info = (const void *)match->data;
+
+ if (info->bitmask & XT_PHYSDEV_OP_ISIN)
+ printf("%s--physdev-is-in ",
+ (info->invert & XT_PHYSDEV_OP_ISIN) ? "! " : "");
+ if (info->bitmask & XT_PHYSDEV_OP_IN)
+ printf("%s--physdev-in %s ",
+ (info->invert & XT_PHYSDEV_OP_IN) ? "! " : "",
+ info->physindev);
+
+ if (info->bitmask & XT_PHYSDEV_OP_ISOUT)
+ printf("%s--physdev-is-out ",
+ (info->invert & XT_PHYSDEV_OP_ISOUT) ? "! " : "");
+ if (info->bitmask & XT_PHYSDEV_OP_OUT)
+ printf("%s--physdev-out %s ",
+ (info->invert & XT_PHYSDEV_OP_OUT) ? "! " : "",
+ info->physoutdev);
+ if (info->bitmask & XT_PHYSDEV_OP_BRIDGED)
+ printf("%s--physdev-is-bridged ",
+ (info->invert & XT_PHYSDEV_OP_BRIDGED) ? "! " : "");
+}
+
+static struct xtables_match physdev_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "physdev",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_physdev_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_physdev_info)),
+ .help = physdev_help,
+ .parse = physdev_parse,
+ .final_check = physdev_check,
+ .print = physdev_print,
+ .save = physdev_save,
+ .extra_opts = physdev_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&physdev_match);
+}
diff --git a/extensions/libxt_physdev.man b/extensions/libxt_physdev.man
new file mode 100644
index 0000000..53beb2e
--- /dev/null
+++ b/extensions/libxt_physdev.man
@@ -0,0 +1,42 @@
+This module matches on the bridge port input and output devices enslaved
+to a bridge device. This module is a part of the infrastructure that enables
+a transparent bridging IP firewall and is only useful for kernel versions
+above version 2.5.44.
+.TP
+[\fB!\fP] \fB\-\-physdev\-in\fP \fIname\fP
+Name of a bridge port via which a packet is received (only for
+packets entering the
+.BR INPUT ,
+.B FORWARD
+and
+.B PREROUTING
+chains). If the interface name ends in a "+", then any
+interface which begins with this name will match. If the packet didn't arrive
+through a bridge device, this packet won't match this option, unless '!' is used.
+.TP
+[\fB!\fP] \fB\-\-physdev\-out\fP \fIname\fP
+Name of a bridge port via which a packet is going to be sent (for packets
+entering the
+.BR FORWARD ,
+.B OUTPUT
+and
+.B POSTROUTING
+chains). If the interface name ends in a "+", then any
+interface which begins with this name will match. Note that in the
+.BR nat " and " mangle
+.B OUTPUT
+chains one cannot match on the bridge output port, however one can in the
+.B "filter OUTPUT"
+chain. If the packet won't leave by a bridge device or if it is yet unknown what
+the output device will be, then the packet won't match this option,
+unless '!' is used.
+.TP
+[\fB!\fP] \fB\-\-physdev\-is\-in\fP
+Matches if the packet has entered through a bridge interface.
+.TP
+[\fB!\fP] \fB\-\-physdev\-is\-out\fP
+Matches if the packet will leave through a bridge interface.
+.TP
+[\fB!\fP] \fB\-\-physdev\-is\-bridged\fP
+Matches if the packet is being bridged and therefore is not being routed.
+This is only useful in the FORWARD and POSTROUTING chains.
diff --git a/extensions/libxt_pkttype.c b/extensions/libxt_pkttype.c
new file mode 100644
index 0000000..cd83e73
--- /dev/null
+++ b/extensions/libxt_pkttype.c
@@ -0,0 +1,158 @@
+/*
+ * Shared library add-on to iptables to match
+ * packets by their type (BROADCAST, UNICAST, MULTICAST).
+ *
+ * Michal Ludvig <michal@logix.cz>
+ */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#if defined(__GLIBC__) && __GLIBC__ == 2
+#include <net/ethernet.h>
+#else
+#include <linux/if_ether.h>
+#endif
+#include <xtables.h>
+#include <linux/if_packet.h>
+#include <linux/netfilter/xt_pkttype.h>
+
+#define PKTTYPE_VERSION "0.1"
+
+struct pkttypes {
+ const char *name;
+ unsigned char pkttype;
+ unsigned char printhelp;
+ const char *help;
+};
+
+static const struct pkttypes supported_types[] = {
+ {"unicast", PACKET_HOST, 1, "to us"},
+ {"broadcast", PACKET_BROADCAST, 1, "to all"},
+ {"multicast", PACKET_MULTICAST, 1, "to group"},
+/*
+ {"otherhost", PACKET_OTHERHOST, 1, "to someone else"},
+ {"outgoing", PACKET_OUTGOING, 1, "outgoing of any type"},
+*/
+ /* aliases */
+ {"bcast", PACKET_BROADCAST, 0, NULL},
+ {"mcast", PACKET_MULTICAST, 0, NULL},
+ {"host", PACKET_HOST, 0, NULL}
+};
+
+static void print_types(void)
+{
+ unsigned int i;
+
+ printf("Valid packet types:\n");
+ for (i = 0; i < ARRAY_SIZE(supported_types); ++i)
+ if(supported_types[i].printhelp == 1)
+ printf("\t%-14s\t\t%s\n", supported_types[i].name, supported_types[i].help);
+ printf("\n");
+}
+
+static void pkttype_help(void)
+{
+ printf(
+"pkttype match options:\n"
+"[!] --pkt-type packettype match packet type\n");
+ print_types();
+}
+
+static const struct option pkttype_opts[] = {
+ {"pkt-type", 1, NULL, '1'},
+ { .name = NULL }
+};
+
+static void parse_pkttype(const char *pkttype, struct xt_pkttype_info *info)
+{
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(supported_types); ++i)
+ if(strcasecmp(pkttype, supported_types[i].name)==0)
+ {
+ info->pkttype=supported_types[i].pkttype;
+ return;
+ }
+
+ xtables_error(PARAMETER_PROBLEM, "Bad packet type '%s'", pkttype);
+}
+
+static int pkttype_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_pkttype_info *info = (struct xt_pkttype_info *)(*match)->data;
+
+ switch(c)
+ {
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_pkttype(optarg, info);
+ if(invert)
+ info->invert=1;
+ *flags=1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void pkttype_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM, "You must specify \"--pkt-type\"");
+}
+
+static void print_pkttype(const struct xt_pkttype_info *info)
+{
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(supported_types); ++i)
+ if(supported_types[i].pkttype==info->pkttype)
+ {
+ printf("%s ", supported_types[i].name);
+ return;
+ }
+
+ printf("%d ", info->pkttype); /* in case we didn't find an entry in named-packtes */
+}
+
+static void pkttype_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_pkttype_info *info = (const void *)match->data;
+
+ printf("PKTTYPE %s= ", info->invert?"!":"");
+ print_pkttype(info);
+}
+
+static void pkttype_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_pkttype_info *info = (const void *)match->data;
+
+ printf("%s--pkt-type ", info->invert ? "! " : "");
+ print_pkttype(info);
+}
+
+static struct xtables_match pkttype_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "pkttype",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_pkttype_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_pkttype_info)),
+ .help = pkttype_help,
+ .parse = pkttype_parse,
+ .final_check = pkttype_check,
+ .print = pkttype_print,
+ .save = pkttype_save,
+ .extra_opts = pkttype_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&pkttype_match);
+}
diff --git a/extensions/libxt_pkttype.man b/extensions/libxt_pkttype.man
new file mode 100644
index 0000000..4560c76
--- /dev/null
+++ b/extensions/libxt_pkttype.man
@@ -0,0 +1,3 @@
+This module matches the link-layer packet type.
+.TP
+[\fB!\fP] \fB\-\-pkt\-type\fP {\fBunicast\fP|\fBbroadcast\fP|\fBmulticast\fP}
diff --git a/extensions/libxt_policy.c b/extensions/libxt_policy.c
new file mode 100644
index 0000000..a87ddd8
--- /dev/null
+++ b/extensions/libxt_policy.c
@@ -0,0 +1,513 @@
+/* Shared library add-on to iptables to add policy support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <netdb.h>
+#include <errno.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <xtables.h>
+
+#include <linux/netfilter/xt_policy.h>
+
+/*
+ * HACK: global pointer to current matchinfo for making
+ * final checks and adjustments in final_check.
+ */
+static struct xt_policy_info *policy_info;
+
+static void policy_help(void)
+{
+ printf(
+"policy match options:\n"
+" --dir in|out match policy applied during decapsulation/\n"
+" policy to be applied during encapsulation\n"
+" --pol none|ipsec match policy\n"
+" --strict match entire policy instead of single element\n"
+" at any position\n"
+"[!] --reqid reqid match reqid\n"
+"[!] --spi spi match SPI\n"
+"[!] --proto proto match protocol (ah/esp/ipcomp)\n"
+"[!] --mode mode match mode (transport/tunnel)\n"
+"[!] --tunnel-src addr/mask match tunnel source\n"
+"[!] --tunnel-dst addr/mask match tunnel destination\n"
+" --next begin next element in policy\n");
+}
+
+static const struct option policy_opts[] =
+{
+ {
+ .name = "dir",
+ .has_arg = 1,
+ .val = '1',
+ },
+ {
+ .name = "pol",
+ .has_arg = 1,
+ .val = '2',
+ },
+ {
+ .name = "strict",
+ .val = '3'
+ },
+ {
+ .name = "reqid",
+ .has_arg = 1,
+ .val = '4',
+ },
+ {
+ .name = "spi",
+ .has_arg = 1,
+ .val = '5'
+ },
+ {
+ .name = "tunnel-src",
+ .has_arg = 1,
+ .val = '6'
+ },
+ {
+ .name = "tunnel-dst",
+ .has_arg = 1,
+ .val = '7'
+ },
+ {
+ .name = "proto",
+ .has_arg = 1,
+ .val = '8'
+ },
+ {
+ .name = "mode",
+ .has_arg = 1,
+ .val = '9'
+ },
+ {
+ .name = "next",
+ .val = 'a'
+ },
+ { .name = NULL }
+};
+
+static int parse_direction(char *s)
+{
+ if (strcmp(s, "in") == 0)
+ return XT_POLICY_MATCH_IN;
+ if (strcmp(s, "out") == 0)
+ return XT_POLICY_MATCH_OUT;
+ xtables_error(PARAMETER_PROBLEM, "policy_match: invalid dir \"%s\"", s);
+}
+
+static int parse_policy(char *s)
+{
+ if (strcmp(s, "none") == 0)
+ return XT_POLICY_MATCH_NONE;
+ if (strcmp(s, "ipsec") == 0)
+ return 0;
+ xtables_error(PARAMETER_PROBLEM, "policy match: invalid policy \"%s\"", s);
+}
+
+static int parse_mode(char *s)
+{
+ if (strcmp(s, "transport") == 0)
+ return XT_POLICY_MODE_TRANSPORT;
+ if (strcmp(s, "tunnel") == 0)
+ return XT_POLICY_MODE_TUNNEL;
+ xtables_error(PARAMETER_PROBLEM, "policy match: invalid mode \"%s\"", s);
+}
+
+static int policy_parse(int c, char **argv, int invert, unsigned int *flags,
+ struct xt_policy_info *info, uint8_t family)
+{
+ struct xt_policy_elem *e = &info->pol[info->len];
+ struct in_addr *addr = NULL, mask;
+ struct in6_addr *addr6 = NULL, mask6;
+ unsigned int naddr = 0, num;
+ int mode;
+
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ switch (c) {
+ case '1':
+ if (info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT))
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: double --dir option");
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: can't invert --dir option");
+
+ info->flags |= parse_direction(optarg);
+ break;
+ case '2':
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: can't invert --policy option");
+
+ info->flags |= parse_policy(optarg);
+ break;
+ case '3':
+ if (info->flags & XT_POLICY_MATCH_STRICT)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: double --strict option");
+
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: can't invert --strict option");
+
+ info->flags |= XT_POLICY_MATCH_STRICT;
+ break;
+ case '4':
+ if (e->match.reqid)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: double --reqid option");
+
+ e->match.reqid = 1;
+ e->invert.reqid = invert;
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "policy", "--spi", optarg);
+ e->reqid = num;
+ break;
+ case '5':
+ if (e->match.spi)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: double --spi option");
+
+ e->match.spi = 1;
+ e->invert.spi = invert;
+ if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "policy", "--spi", optarg);
+ e->spi = num;
+ break;
+ case '6':
+ if (e->match.saddr)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: double --tunnel-src option");
+
+ if (family == NFPROTO_IPV6)
+ xtables_ip6parse_any(optarg, &addr6, &mask6, &naddr);
+ else
+ xtables_ipparse_any(optarg, &addr, &mask, &naddr);
+ if (naddr > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: name resolves to multiple IPs");
+
+ e->match.saddr = 1;
+ e->invert.saddr = invert;
+ if (family == NFPROTO_IPV6) {
+ memcpy(&e->saddr.a6, addr6, sizeof(*addr6));
+ memcpy(&e->smask.a6, &mask6, sizeof(mask6));
+ } else {
+ e->saddr.a4 = addr[0];
+ e->smask.a4 = mask;
+ }
+ break;
+ case '7':
+ if (e->match.daddr)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: double --tunnel-dst option");
+
+ if (family == NFPROTO_IPV6)
+ xtables_ip6parse_any(optarg, &addr6, &mask6, &naddr);
+ else
+ xtables_ipparse_any(optarg, &addr, &mask, &naddr);
+ if (naddr > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: name resolves to multiple IPs");
+
+ e->match.daddr = 1;
+ e->invert.daddr = invert;
+ if (family == NFPROTO_IPV6) {
+ memcpy(&e->daddr.a6, addr6, sizeof(*addr6));
+ memcpy(&e->dmask.a6, &mask6, sizeof(mask6));
+ } else {
+ e->daddr.a4 = addr[0];
+ e->dmask.a4 = mask;
+ }
+ break;
+ case '8':
+ if (e->match.proto)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: double --proto option");
+
+ e->proto = xtables_parse_protocol(optarg);
+ if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
+ e->proto != IPPROTO_COMP)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: protocol must ah/esp/ipcomp");
+ e->match.proto = 1;
+ e->invert.proto = invert;
+ break;
+ case '9':
+ if (e->match.mode)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: double --mode option");
+
+ mode = parse_mode(optarg);
+ e->match.mode = 1;
+ e->invert.mode = invert;
+ e->mode = mode;
+ break;
+ case 'a':
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: can't invert --next option");
+
+ if (++info->len == XT_POLICY_MAX_ELEM)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: maximum policy depth reached");
+ break;
+ default:
+ return 0;
+ }
+
+ policy_info = info;
+ return 1;
+}
+
+static int policy4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return policy_parse(c, argv, invert, flags, (void *)(*match)->data,
+ NFPROTO_IPV4);
+}
+
+static int policy6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return policy_parse(c, argv, invert, flags, (void *)(*match)->data,
+ NFPROTO_IPV6);
+}
+
+static void policy_check(unsigned int flags)
+{
+ struct xt_policy_info *info = policy_info;
+ struct xt_policy_elem *e;
+ int i;
+
+ if (info == NULL)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: no parameters given");
+
+ if (!(info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT)))
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: neither --dir in nor --dir out specified");
+
+ if (info->flags & XT_POLICY_MATCH_NONE) {
+ if (info->flags & XT_POLICY_MATCH_STRICT)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: policy none but --strict given");
+
+ if (info->len != 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: policy none but policy given");
+ } else
+ info->len++; /* increase len by 1, no --next after last element */
+
+ if (!(info->flags & XT_POLICY_MATCH_STRICT) && info->len > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: multiple elements but no --strict");
+
+ for (i = 0; i < info->len; i++) {
+ e = &info->pol[i];
+
+ if (info->flags & XT_POLICY_MATCH_STRICT &&
+ !(e->match.reqid || e->match.spi || e->match.saddr ||
+ e->match.daddr || e->match.proto || e->match.mode))
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: empty policy element");
+
+ if ((e->match.saddr || e->match.daddr)
+ && ((e->mode == XT_POLICY_MODE_TUNNEL && e->invert.mode) ||
+ (e->mode == XT_POLICY_MODE_TRANSPORT && !e->invert.mode)))
+ xtables_error(PARAMETER_PROBLEM,
+ "policy match: --tunnel-src/--tunnel-dst "
+ "is only valid in tunnel mode");
+ }
+}
+
+static void print_mode(const char *prefix, u_int8_t mode, int numeric)
+{
+ printf("%smode ", prefix);
+
+ switch (mode) {
+ case XT_POLICY_MODE_TRANSPORT:
+ printf("transport ");
+ break;
+ case XT_POLICY_MODE_TUNNEL:
+ printf("tunnel ");
+ break;
+ default:
+ printf("??? ");
+ break;
+ }
+}
+
+static void print_proto(const char *prefix, u_int8_t proto, int numeric)
+{
+ struct protoent *p = NULL;
+
+ printf("%sproto ", prefix);
+ if (!numeric)
+ p = getprotobynumber(proto);
+ if (p != NULL)
+ printf("%s ", p->p_name);
+ else
+ printf("%u ", proto);
+}
+
+#define PRINT_INVERT(x) \
+do { \
+ if (x) \
+ printf("! "); \
+} while(0)
+
+static void print_entry(const char *prefix, const struct xt_policy_elem *e,
+ bool numeric, uint8_t family)
+{
+ if (e->match.reqid) {
+ PRINT_INVERT(e->invert.reqid);
+ printf("%sreqid %u ", prefix, e->reqid);
+ }
+ if (e->match.spi) {
+ PRINT_INVERT(e->invert.spi);
+ printf("%sspi 0x%x ", prefix, e->spi);
+ }
+ if (e->match.proto) {
+ PRINT_INVERT(e->invert.proto);
+ print_proto(prefix, e->proto, numeric);
+ }
+ if (e->match.mode) {
+ PRINT_INVERT(e->invert.mode);
+ print_mode(prefix, e->mode, numeric);
+ }
+ if (e->match.daddr) {
+ PRINT_INVERT(e->invert.daddr);
+ if (family == NFPROTO_IPV6)
+ printf("%stunnel-dst %s%s ", prefix,
+ xtables_ip6addr_to_numeric(&e->daddr.a6),
+ xtables_ip6mask_to_numeric(&e->dmask.a6));
+ else
+ printf("%stunnel-dst %s%s ", prefix,
+ xtables_ipaddr_to_numeric(&e->daddr.a4),
+ xtables_ipmask_to_numeric(&e->dmask.a4));
+ }
+ if (e->match.saddr) {
+ PRINT_INVERT(e->invert.saddr);
+ if (family == NFPROTO_IPV6)
+ printf("%stunnel-src %s%s ", prefix,
+ xtables_ip6addr_to_numeric(&e->saddr.a6),
+ xtables_ip6mask_to_numeric(&e->smask.a6));
+ else
+ printf("%stunnel-src %s%s ", prefix,
+ xtables_ipaddr_to_numeric(&e->saddr.a4),
+ xtables_ipmask_to_numeric(&e->smask.a4));
+ }
+}
+
+static void print_flags(char *prefix, const struct xt_policy_info *info)
+{
+ if (info->flags & XT_POLICY_MATCH_IN)
+ printf("%sdir in ", prefix);
+ else
+ printf("%sdir out ", prefix);
+
+ if (info->flags & XT_POLICY_MATCH_NONE)
+ printf("%spol none ", prefix);
+ else
+ printf("%spol ipsec ", prefix);
+
+ if (info->flags & XT_POLICY_MATCH_STRICT)
+ printf("%sstrict ", prefix);
+}
+
+static void policy4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_policy_info *info = (void *)match->data;
+ unsigned int i;
+
+ printf("policy match ");
+ print_flags("", info);
+ for (i = 0; i < info->len; i++) {
+ if (info->len > 1)
+ printf("[%u] ", i);
+ print_entry("", &info->pol[i], numeric, NFPROTO_IPV4);
+ }
+}
+
+static void policy6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_policy_info *info = (void *)match->data;
+ unsigned int i;
+
+ printf("policy match ");
+ print_flags("", info);
+ for (i = 0; i < info->len; i++) {
+ if (info->len > 1)
+ printf("[%u] ", i);
+ print_entry("", &info->pol[i], numeric, NFPROTO_IPV6);
+ }
+}
+
+static void policy4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_policy_info *info = (void *)match->data;
+ unsigned int i;
+
+ print_flags("--", info);
+ for (i = 0; i < info->len; i++) {
+ print_entry("--", &info->pol[i], false, NFPROTO_IPV4);
+ if (i + 1 < info->len)
+ printf("--next ");
+ }
+}
+
+static void policy6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_policy_info *info = (void *)match->data;
+ unsigned int i;
+
+ print_flags("--", info);
+ for (i = 0; i < info->len; i++) {
+ print_entry("--", &info->pol[i], false, NFPROTO_IPV6);
+ if (i + 1 < info->len)
+ printf("--next ");
+ }
+}
+
+static struct xtables_match policy_mt_reg[] = {
+ {
+ .name = "policy",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_policy_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
+ .help = policy_help,
+ .parse = policy4_parse,
+ .final_check = policy_check,
+ .print = policy4_print,
+ .save = policy4_save,
+ .extra_opts = policy_opts,
+ },
+ {
+ .name = "policy",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_policy_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
+ .help = policy_help,
+ .parse = policy6_parse,
+ .final_check = policy_check,
+ .print = policy6_print,
+ .save = policy6_save,
+ .extra_opts = policy_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg));
+}
diff --git a/extensions/libxt_policy.man b/extensions/libxt_policy.man
new file mode 100644
index 0000000..3500025
--- /dev/null
+++ b/extensions/libxt_policy.man
@@ -0,0 +1,48 @@
+This modules matches the policy used by IPsec for handling a packet.
+.TP
+\fB\-\-dir\fP {\fBin\fP|\fBout\fP}
+Used to select whether to match the policy used for decapsulation or the
+policy that will be used for encapsulation.
+.B in
+is valid in the
+.B PREROUTING, INPUT and FORWARD
+chains,
+.B out
+is valid in the
+.B POSTROUTING, OUTPUT and FORWARD
+chains.
+.TP
+\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}
+Matches if the packet is subject to IPsec processing.
+.TP
+\fB\-\-strict\fP
+Selects whether to match the exact policy or match if any rule of
+the policy matches the given policy.
+.TP
+[\fB!\fP] \fB\-\-reqid\fP \fIid\fP
+Matches the reqid of the policy rule. The reqid can be specified with
+.B setkey(8)
+using
+.B unique:id
+as level.
+.TP
+[\fB!\fP] \fB\-\-spi\fP \fIspi\fP
+Matches the SPI of the SA.
+.TP
+[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
+Matches the encapsulation protocol.
+.TP
+[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP}
+Matches the encapsulation mode.
+.TP
+[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
+Matches the source end-point address of a tunnel mode SA.
+Only valid with \fB\-\-mode tunnel\fP.
+.TP
+[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
+Matches the destination end-point address of a tunnel mode SA.
+Only valid with \fB\-\-mode tunnel\fP.
+.TP
+\fB\-\-next\fP
+Start the next element in the policy specification. Can only be used with
+\fB\-\-strict\fP.
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
new file mode 100644
index 0000000..ac7c686
--- /dev/null
+++ b/extensions/libxt_quota.c
@@ -0,0 +1,97 @@
+/*
+ * Shared library add-on to iptables to add quota support
+ *
+ * Sam Johnston <samj@samj.net>
+ */
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+
+#include <linux/netfilter/xt_quota.h>
+
+static const struct option quota_opts[] = {
+ {"quota", 1, NULL, '1'},
+ { .name = NULL }
+};
+
+static void quota_help(void)
+{
+ printf("quota match options:\n"
+ "[!] --quota quota quota (bytes)\n");
+}
+
+static void
+quota_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_quota_info *q = (const void *)match->data;
+ printf("quota: %llu bytes", (unsigned long long) q->quota);
+}
+
+static void
+quota_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_quota_info *q = (const void *)match->data;
+ printf("--quota %llu ", (unsigned long long) q->quota);
+}
+
+/* parse quota option */
+static int
+parse_quota(const char *s, u_int64_t * quota)
+{
+ *quota = strtoull(s, NULL, 10);
+
+#ifdef DEBUG_XT_QUOTA
+ printf("Quota: %llu\n", *quota);
+#endif
+
+ if (*quota == UINT64_MAX)
+ xtables_error(PARAMETER_PROBLEM, "quota invalid: '%s'\n", s);
+ else
+ return 1;
+}
+
+static int
+quota_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_quota_info *info = (struct xt_quota_info *) (*match)->data;
+
+ switch (c) {
+ case '1':
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM, "quota: unexpected '!'");
+ if (!parse_quota(optarg, &info->quota))
+ xtables_error(PARAMETER_PROBLEM,
+ "bad quota: '%s'", optarg);
+
+ if (invert)
+ info->flags |= XT_QUOTA_INVERT;
+
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static struct xtables_match quota_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "quota",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof (struct xt_quota_info)),
+ .userspacesize = offsetof(struct xt_quota_info, quota),
+ .help = quota_help,
+ .parse = quota_parse,
+ .print = quota_print,
+ .save = quota_save,
+ .extra_opts = quota_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&quota_match);
+}
diff --git a/extensions/libxt_quota.man b/extensions/libxt_quota.man
new file mode 100644
index 0000000..8d9e18b
--- /dev/null
+++ b/extensions/libxt_quota.man
@@ -0,0 +1,5 @@
+Implements network quotas by decrementing a byte counter with each
+packet.
+.TP
+[\fB!\fP] \fB\-\-quota\fP \fIbytes\fP
+The quota in bytes.
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
new file mode 100644
index 0000000..ad0884e
--- /dev/null
+++ b/extensions/libxt_rateest.c
@@ -0,0 +1,453 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_rateest.h>
+
+/* Ugly hack to pass info to final_check function. We should fix the API */
+static struct xt_rateest_match_info *rateest_info;
+
+static void rateest_help(void)
+{
+ printf(
+"rateest match options:\n"
+" --rateest1 name Rate estimator name\n"
+" --rateest2 name Rate estimator name\n"
+" --rateest-delta Compare difference(s) to given rate(s)\n"
+" --rateest-bps1 [bps] Compare bps\n"
+" --rateest-pps1 [pps] Compare pps\n"
+" --rateest-bps2 [bps] Compare bps\n"
+" --rateest-pps2 [pps] Compare pps\n"
+" [!] --rateest-lt Match if rate is less than given rate/estimator\n"
+" [!] --rateest-gt Match if rate is greater than given rate/estimator\n"
+" [!] --rateest-eq Match if rate is equal to given rate/estimator\n");
+}
+
+enum rateest_options {
+ OPT_RATEEST1,
+ OPT_RATEEST2,
+ OPT_RATEEST_BPS1,
+ OPT_RATEEST_PPS1,
+ OPT_RATEEST_BPS2,
+ OPT_RATEEST_PPS2,
+ OPT_RATEEST_DELTA,
+ OPT_RATEEST_LT,
+ OPT_RATEEST_GT,
+ OPT_RATEEST_EQ,
+};
+
+static const struct option rateest_opts[] = {
+ { "rateest1", 1, NULL, OPT_RATEEST1 },
+ { "rateest", 1, NULL, OPT_RATEEST1 }, /* alias for absolute mode */
+ { "rateest2", 1, NULL, OPT_RATEEST2 },
+ { "rateest-bps1", 0, NULL, OPT_RATEEST_BPS1 },
+ { "rateest-pps1", 0, NULL, OPT_RATEEST_PPS1 },
+ { "rateest-bps2", 0, NULL, OPT_RATEEST_BPS2 },
+ { "rateest-pps2", 0, NULL, OPT_RATEEST_PPS2 },
+ { "rateest-bps", 0, NULL, OPT_RATEEST_BPS2 }, /* alias for absolute mode */
+ { "rateest-pps", 0, NULL, OPT_RATEEST_PPS2 }, /* alias for absolute mode */
+ { "rateest-delta", 0, NULL, OPT_RATEEST_DELTA },
+ { "rateest-lt", 0, NULL, OPT_RATEEST_LT },
+ { "rateest-gt", 0, NULL, OPT_RATEEST_GT },
+ { "rateest-eq", 0, NULL, OPT_RATEEST_EQ },
+ { .name = NULL }
+};
+
+/* Copied from iproute. See http://physics.nist.gov/cuu/Units/binary.html */
+static const struct rate_suffix {
+ const char *name;
+ double scale;
+} suffixes[] = {
+ { "bit", 1. },
+ { "Kibit", 1024. },
+ { "kbit", 1000. },
+ { "mibit", 1024.*1024. },
+ { "mbit", 1000000. },
+ { "gibit", 1024.*1024.*1024. },
+ { "gbit", 1000000000. },
+ { "tibit", 1024.*1024.*1024.*1024. },
+ { "tbit", 1000000000000. },
+ { "Bps", 8. },
+ { "KiBps", 8.*1024. },
+ { "KBps", 8000. },
+ { "MiBps", 8.*1024*1024. },
+ { "MBps", 8000000. },
+ { "GiBps", 8.*1024.*1024.*1024. },
+ { "GBps", 8000000000. },
+ { "TiBps", 8.*1024.*1024.*1024.*1024. },
+ { "TBps", 8000000000000. },
+ { .name = NULL }
+};
+
+static int
+rateest_get_rate(u_int32_t *rate, const char *str)
+{
+ char *p;
+ double bps = strtod(str, &p);
+ const struct rate_suffix *s;
+
+ if (p == str)
+ return -1;
+
+ if (*p == '\0') {
+ *rate = bps / 8.; /* assume bytes/sec */
+ return 0;
+ }
+
+ for (s = suffixes; s->name; ++s) {
+ if (strcasecmp(s->name, p) == 0) {
+ *rate = (bps * s->scale) / 8.;
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
+static int
+rateest_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_rateest_match_info *info = (void *)(*match)->data;
+ unsigned int val;
+
+ rateest_info = info;
+
+ switch (c) {
+ case OPT_RATEEST1:
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: rateest can't be inverted");
+
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest1 twice");
+ *flags |= 1 << c;
+
+ strncpy(info->name1, optarg, sizeof(info->name1) - 1);
+ break;
+
+ case OPT_RATEEST2:
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: rateest can't be inverted");
+
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest2 twice");
+ *flags |= 1 << c;
+
+ strncpy(info->name2, optarg, sizeof(info->name2) - 1);
+ info->flags |= XT_RATEEST_MATCH_REL;
+ break;
+
+ case OPT_RATEEST_BPS1:
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: rateest-bps can't be inverted");
+
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest-bps1 twice");
+ *flags |= 1 << c;
+
+ info->flags |= XT_RATEEST_MATCH_BPS;
+
+ /* The rate is optional and only required in absolute mode */
+ if (!argv[optind] || *argv[optind] == '-' || *argv[optind] == '!')
+ break;
+
+ if (rateest_get_rate(&info->bps1, argv[optind]) < 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: could not parse rate `%s'",
+ argv[optind]);
+ optind++;
+ break;
+
+ case OPT_RATEEST_PPS1:
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: rateest-pps can't be inverted");
+
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest-pps1 twice");
+ *flags |= 1 << c;
+
+ info->flags |= XT_RATEEST_MATCH_PPS;
+
+ /* The rate is optional and only required in absolute mode */
+ if (!argv[optind] || *argv[optind] == '-' || *argv[optind] == '!')
+ break;
+
+ if (!xtables_strtoui(argv[optind], NULL, &val, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: could not parse pps `%s'",
+ argv[optind]);
+ info->pps1 = val;
+ optind++;
+ break;
+
+ case OPT_RATEEST_BPS2:
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: rateest-bps can't be inverted");
+
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest-bps2 twice");
+ *flags |= 1 << c;
+
+ info->flags |= XT_RATEEST_MATCH_BPS;
+
+ /* The rate is optional and only required in absolute mode */
+ if (!argv[optind] || *argv[optind] == '-' || *argv[optind] == '!')
+ break;
+
+ if (rateest_get_rate(&info->bps2, argv[optind]) < 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: could not parse rate `%s'",
+ argv[optind]);
+ optind++;
+ break;
+
+ case OPT_RATEEST_PPS2:
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: rateest-pps can't be inverted");
+
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest-pps2 twice");
+ *flags |= 1 << c;
+
+ info->flags |= XT_RATEEST_MATCH_PPS;
+
+ /* The rate is optional and only required in absolute mode */
+ if (!argv[optind] || *argv[optind] == '-' || *argv[optind] == '!')
+ break;
+
+ if (!xtables_strtoui(argv[optind], NULL, &val, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: could not parse pps `%s'",
+ argv[optind]);
+ info->pps2 = val;
+ optind++;
+ break;
+
+ case OPT_RATEEST_DELTA:
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: rateest-delta can't be inverted");
+
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest-delta twice");
+ *flags |= 1 << c;
+
+ info->flags |= XT_RATEEST_MATCH_DELTA;
+ break;
+
+ case OPT_RATEEST_EQ:
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: can't specify lt/gt/eq twice");
+ *flags |= 1 << c;
+
+ info->mode = XT_RATEEST_MATCH_EQ;
+ if (invert)
+ info->flags |= XT_RATEEST_MATCH_INVERT;
+ break;
+
+ case OPT_RATEEST_LT:
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: can't specify lt/gt/eq twice");
+ *flags |= 1 << c;
+
+ info->mode = XT_RATEEST_MATCH_LT;
+ if (invert)
+ info->flags |= XT_RATEEST_MATCH_INVERT;
+ break;
+
+ case OPT_RATEEST_GT:
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (*flags & (1 << c))
+ xtables_error(PARAMETER_PROBLEM,
+ "rateest: can't specify lt/gt/eq twice");
+ *flags |= 1 << c;
+
+ info->mode = XT_RATEEST_MATCH_GT;
+ if (invert)
+ info->flags |= XT_RATEEST_MATCH_INVERT;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+rateest_final_check(unsigned int flags)
+{
+ struct xt_rateest_match_info *info = rateest_info;
+
+ if (info == NULL)
+ xtables_error(PARAMETER_PROBLEM, "rateest match: "
+ "you need to specify some flags");
+ if (!(info->flags & XT_RATEEST_MATCH_REL))
+ info->flags |= XT_RATEEST_MATCH_ABS;
+}
+
+static void
+rateest_print_rate(u_int32_t rate, int numeric)
+{
+ double tmp = (double)rate*8;
+
+ if (numeric)
+ printf("%u ", rate);
+ else if (tmp >= 1000.0*1000000.0)
+ printf("%.0fMbit ", tmp/1000000.0);
+ else if (tmp >= 1000.0 * 1000.0)
+ printf("%.0fKbit ", tmp/1000.0);
+ else
+ printf("%.0fbit ", tmp);
+}
+
+static void
+rateest_print_mode(const struct xt_rateest_match_info *info,
+ const char *prefix)
+{
+ if (info->flags & XT_RATEEST_MATCH_INVERT)
+ printf("! ");
+
+ switch (info->mode) {
+ case XT_RATEEST_MATCH_EQ:
+ printf("%seq ", prefix);
+ break;
+ case XT_RATEEST_MATCH_LT:
+ printf("%slt ", prefix);
+ break;
+ case XT_RATEEST_MATCH_GT:
+ printf("%sgt ", prefix);
+ break;
+ default:
+ exit(1);
+ }
+}
+
+static void
+rateest_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_rateest_match_info *info = (const void *)match->data;
+
+ printf("rateest match ");
+
+ printf("%s ", info->name1);
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ printf("delta ");
+
+ if (info->flags & XT_RATEEST_MATCH_BPS) {
+ printf("bps ");
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ rateest_print_rate(info->bps1, numeric);
+ if (info->flags & XT_RATEEST_MATCH_ABS) {
+ rateest_print_mode(info, "");
+ rateest_print_rate(info->bps2, numeric);
+ }
+ }
+ if (info->flags & XT_RATEEST_MATCH_PPS) {
+ printf("pps ");
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ printf("%u ", info->pps1);
+ if (info->flags & XT_RATEEST_MATCH_ABS) {
+ rateest_print_mode(info, "");
+ printf("%u ", info->pps2);
+ }
+ }
+
+ if (info->flags & XT_RATEEST_MATCH_REL) {
+ rateest_print_mode(info, "");
+
+ printf("%s ", info->name2);
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ printf("delta ");
+
+ if (info->flags & XT_RATEEST_MATCH_BPS) {
+ printf("bps ");
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ rateest_print_rate(info->bps2, numeric);
+ }
+ if (info->flags & XT_RATEEST_MATCH_PPS) {
+ printf("pps ");
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ printf("%u ", info->pps2);
+ }
+ }
+}
+
+static void
+rateest_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_rateest_match_info *info = (const void *)match->data;
+
+ if (info->flags & XT_RATEEST_MATCH_REL) {
+ printf("--rateest1 %s ", info->name1);
+ if (info->flags & XT_RATEEST_MATCH_BPS)
+ printf("--rateest-bps ");
+ if (info->flags & XT_RATEEST_MATCH_PPS)
+ printf("--rateest-pps ");
+ rateest_print_mode(info, "--rateest-");
+ printf("--rateest2 %s ", info->name2);
+ } else {
+ printf("--rateest %s ", info->name1);
+ if (info->flags & XT_RATEEST_MATCH_BPS) {
+ printf("--rateest-bps1 ");
+ rateest_print_rate(info->bps1, 0);
+ printf("--rateest-bps2 ");
+ rateest_print_rate(info->bps2, 0);
+ rateest_print_mode(info, "--rateest-");
+ }
+ if (info->flags & XT_RATEEST_MATCH_PPS) {
+ printf("--rateest-pps ");
+ rateest_print_mode(info, "--rateest-");
+ printf("%u ", info->pps2);
+ }
+ }
+}
+
+static struct xtables_match rateest_mt_reg = {
+ .family = NFPROTO_UNSPEC,
+ .name = "rateest",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
+ .userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
+ .help = rateest_help,
+ .parse = rateest_parse,
+ .final_check = rateest_final_check,
+ .print = rateest_print,
+ .save = rateest_save,
+ .extra_opts = rateest_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&rateest_mt_reg);
+}
diff --git a/extensions/libxt_rateest.man b/extensions/libxt_rateest.man
new file mode 100644
index 0000000..de064af
--- /dev/null
+++ b/extensions/libxt_rateest.man
@@ -0,0 +1,55 @@
+The rate estimator can match on estimated rates as collected by the RATEEST
+target. It supports matching on absolute bps/pps values, comparing two rate
+estimators and matching on the difference between two rate estimators.
+.TP
+\fB\-\-rateest1\fP \fIname\fP
+Name of the first rate estimator.
+.TP
+\fB\-\-rateest2\fP \fIname\fP
+Name of the second rate estimator (if difference is to be calculated).
+.TP
+\fB\-\-rateest\-delta\fP
+Compare difference(s) to given rate(s)
+.TP
+\fB\-\-rateest\-bps1\fP \fIvalue\fP
+.TP
+\fB\-\-rateest\-bps2\fP \fIvalue\fP
+Compare bytes per second.
+.TP
+\fB\-\-rateest\-pps1\fP \fIvalue\fP
+.TP
+\fB\-\-rateest\-pps2\fP \fIvalue\fP
+Compare packets per second.
+.TP
+[\fB!\fP] \fB\-\-rateest\-lt\fP
+Match if rate is less than given rate/estimator.
+.TP
+[\fB!\fP] \fB\-\-rateest\-gt\fP
+Match if rate is greater than given rate/estimator.
+.TP
+[\fB!\fP] \fB\-\-rateest\-eq\fP
+Match if rate is equal to given rate/estimator.
+.PP
+Example: This is what can be used to route outgoing data connections from an
+FTP server over two lines based on the available bandwidth at the time the data
+connection was started:
+.PP
+# Estimate outgoing rates
+.PP
+iptables \-t mangle \-A POSTROUTING \-o eth0 \-j RATEEST \-\-rateest\-name eth0
+\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s
+.PP
+iptables \-t mangle \-A POSTROUTING \-o ppp0 \-j RATEEST \-\-rateest\-name ppp0
+\-\-rateest\-interval 250ms \-\-rateest\-ewma 0.5s
+.PP
+# Mark based on available bandwidth
+.PP
+iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp
+\-m rateest \-\-rateest\-delta \-\-rateest1 eth0 \-\-rateest\-bps1 2.5mbit \-\-rateest\-gt
+\-\-rateest2 ppp0 \-\-rateest\-bps2 2mbit \-j CONNMARK \-\-set\-mark 1
+.PP
+iptables \-t mangle \-A balance \-m conntrack \-\-ctstate NEW \-m helper \-\-helper ftp
+\-m rateest \-\-rateest\-delta \-\-rateest1 ppp0 \-\-rateest\-bps1 2mbit \-\-rateest\-gt
+\-\-rateest2 eth0 \-\-rateest\-bps2 2.5mbit \-j CONNMARK \-\-set\-mark 2
+.PP
+iptables \-t mangle \-A balance \-j CONNMARK \-\-restore\-mark
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
new file mode 100644
index 0000000..ecc17ad
--- /dev/null
+++ b/extensions/libxt_recent.c
@@ -0,0 +1,233 @@
+/* Shared library add-on to iptables to add recent matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_recent.h>
+
+static const struct option recent_opts[] = {
+ { .name = "set", .has_arg = 0, .val = 201 },
+ { .name = "rcheck", .has_arg = 0, .val = 202 },
+ { .name = "update", .has_arg = 0, .val = 203 },
+ { .name = "seconds", .has_arg = 1, .val = 204 },
+ { .name = "hitcount", .has_arg = 1, .val = 205 },
+ { .name = "remove", .has_arg = 0, .val = 206 },
+ { .name = "rttl", .has_arg = 0, .val = 207 },
+ { .name = "name", .has_arg = 1, .val = 208 },
+ { .name = "rsource", .has_arg = 0, .val = 209 },
+ { .name = "rdest", .has_arg = 0, .val = 210 },
+ { .name = NULL }
+};
+
+static void recent_help(void)
+{
+ printf(
+"recent match options:\n"
+"[!] --set Add source address to list, always matches.\n"
+"[!] --rcheck Match if source address in list.\n"
+"[!] --update Match if source address in list, also update last-seen time.\n"
+"[!] --remove Match if source address in list, also removes that address from list.\n"
+" --seconds seconds For check and update commands above.\n"
+" Specifies that the match will only occur if source address last seen within\n"
+" the last 'seconds' seconds.\n"
+" --hitcount hits For check and update commands above.\n"
+" Specifies that the match will only occur if source address seen hits times.\n"
+" May be used in conjunction with the seconds option.\n"
+" --rttl For check and update commands above.\n"
+" Specifies that the match will only occur if the source address and the TTL\n"
+" match between this packet and the one which was set.\n"
+" Useful if you have problems with people spoofing their source address in order\n"
+" to DoS you via this module.\n"
+" --name name Name of the recent list to be used. DEFAULT used if none given.\n"
+" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
+" --rdest Match/Save the destination address of each packet in the recent list table.\n"
+"xt_recent by: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n");
+}
+
+static void recent_init(struct xt_entry_match *match)
+{
+ struct xt_recent_mtinfo *info = (void *)(match)->data;
+
+ strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
+ /* even though XT_RECENT_NAME_LEN is currently defined as 200,
+ * better be safe, than sorry */
+ info->name[XT_RECENT_NAME_LEN-1] = '\0';
+ info->side = XT_RECENT_SOURCE;
+}
+
+#define RECENT_CMDS \
+ (XT_RECENT_SET | XT_RECENT_CHECK | \
+ XT_RECENT_UPDATE | XT_RECENT_REMOVE)
+
+static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_recent_mtinfo *info = (void *)(*match)->data;
+
+ switch (c) {
+ case 201:
+ if (*flags & RECENT_CMDS)
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: only one of `--set', `--rcheck' "
+ "`--update' or `--remove' may be set");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ info->check_set |= XT_RECENT_SET;
+ if (invert) info->invert = 1;
+ *flags |= XT_RECENT_SET;
+ break;
+
+ case 202:
+ if (*flags & RECENT_CMDS)
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: only one of `--set', `--rcheck' "
+ "`--update' or `--remove' may be set");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ info->check_set |= XT_RECENT_CHECK;
+ if(invert) info->invert = 1;
+ *flags |= XT_RECENT_CHECK;
+ break;
+
+ case 203:
+ if (*flags & RECENT_CMDS)
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: only one of `--set', `--rcheck' "
+ "`--update' or `--remove' may be set");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ info->check_set |= XT_RECENT_UPDATE;
+ if (invert) info->invert = 1;
+ *flags |= XT_RECENT_UPDATE;
+ break;
+
+ case 204:
+ info->seconds = atoi(optarg);
+ break;
+
+ case 205:
+ info->hit_count = atoi(optarg);
+ break;
+
+ case 206:
+ if (*flags & RECENT_CMDS)
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: only one of `--set', `--rcheck' "
+ "`--update' or `--remove' may be set");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ info->check_set |= XT_RECENT_REMOVE;
+ if (invert) info->invert = 1;
+ *flags |= XT_RECENT_REMOVE;
+ break;
+
+ case 207:
+ info->check_set |= XT_RECENT_TTL;
+ *flags |= XT_RECENT_TTL;
+ break;
+
+ case 208:
+ strncpy(info->name,optarg, XT_RECENT_NAME_LEN);
+ info->name[XT_RECENT_NAME_LEN-1] = '\0';
+ break;
+
+ case 209:
+ info->side = XT_RECENT_SOURCE;
+ break;
+
+ case 210:
+ info->side = XT_RECENT_DEST;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void recent_check(unsigned int flags)
+{
+ if (!(flags & RECENT_CMDS))
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: you must specify one of `--set', `--rcheck' "
+ "`--update' or `--remove'");
+ if ((flags & XT_RECENT_TTL) &&
+ (flags & (XT_RECENT_SET | XT_RECENT_REMOVE)))
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: --rttl may only be used with --rcheck or "
+ "--update");
+}
+
+static void recent_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_recent_mtinfo *info = (const void *)match->data;
+
+ if (info->invert)
+ fputc('!', stdout);
+
+ printf("recent: ");
+ if (info->check_set & XT_RECENT_SET)
+ printf("SET ");
+ if (info->check_set & XT_RECENT_CHECK)
+ printf("CHECK ");
+ if (info->check_set & XT_RECENT_UPDATE)
+ printf("UPDATE ");
+ if (info->check_set & XT_RECENT_REMOVE)
+ printf("REMOVE ");
+ if(info->seconds) printf("seconds: %d ",info->seconds);
+ if(info->hit_count) printf("hit_count: %d ",info->hit_count);
+ if (info->check_set & XT_RECENT_TTL)
+ printf("TTL-Match ");
+ if(info->name) printf("name: %s ",info->name);
+ if (info->side == XT_RECENT_SOURCE)
+ printf("side: source ");
+ if (info->side == XT_RECENT_DEST)
+ printf("side: dest ");
+}
+
+static void recent_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_recent_mtinfo *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ if (info->check_set & XT_RECENT_SET)
+ printf("--set ");
+ if (info->check_set & XT_RECENT_CHECK)
+ printf("--rcheck ");
+ if (info->check_set & XT_RECENT_UPDATE)
+ printf("--update ");
+ if (info->check_set & XT_RECENT_REMOVE)
+ printf("--remove ");
+ if(info->seconds) printf("--seconds %d ",info->seconds);
+ if(info->hit_count) printf("--hitcount %d ",info->hit_count);
+ if (info->check_set & XT_RECENT_TTL)
+ printf("--rttl ");
+ if(info->name) printf("--name %s ",info->name);
+ if (info->side == XT_RECENT_SOURCE)
+ printf("--rsource ");
+ if (info->side == XT_RECENT_DEST)
+ printf("--rdest ");
+}
+
+static struct xtables_match recent_mt_reg = {
+ .name = "recent",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .help = recent_help,
+ .init = recent_init,
+ .parse = recent_parse,
+ .final_check = recent_check,
+ .print = recent_print,
+ .save = recent_save,
+ .extra_opts = recent_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&recent_mt_reg);
+}
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
new file mode 100644
index 0000000..532c328
--- /dev/null
+++ b/extensions/libxt_recent.man
@@ -0,0 +1,104 @@
+Allows you to dynamically create a list of IP addresses and then match against
+that list in a few different ways.
+.PP
+For example, you can create a "badguy" list out of people attempting to connect
+to port 139 on your firewall and then DROP all future packets from them without
+considering them.
+.PP
+\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
+mutually exclusive.
+.TP
+\fB\-\-name\fP \fIname\fP
+Specify the list to use for the commands. If no name is given then
+\fBDEFAULT\fR will be used.
+.TP
+[\fB!\fR] \fB\-\-set\fP
+This will add the source address of the packet to the list. If the source
+address is already in the list, this will update the existing entry. This will
+always return success (or failure if \fB!\fR is passed in).
+.TP
+\fB\-\-rsource\fP
+Match/save the source address of each packet in the recent list table. This
+is the default.
+.TP
+\fB\-\-rdest\fP
+Match/save the destination address of each packet in the recent list table.
+.TP
+[\fB!\fR] \fB\-\-rcheck\fP
+Check if the source address of the packet is currently in the list.
+.TP
+[\fB!\fR] \fB\-\-update\fP
+Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
+matches.
+.TP
+[\fB!\fR] \fB\-\-remove\fP
+Check if the source address of the packet is currently in the list and if so
+that address will be removed from the list and the rule will return true. If
+the address is not found, false is returned.
+.TP
+\fB\-\-seconds\fP \fIseconds\fP
+This option must be used in conjunction with one of \fB\-\-rcheck\fP or
+\fB\-\-update\fP. When used, this will narrow the match to only happen when the
+address is in the list and was seen within the last given number of seconds.
+.TP
+\fB\-\-hitcount\fP \fIhits\fP
+This option must be used in conjunction with one of \fB\-\-rcheck\fP or
+\fB\-\-update\fP. When used, this will narrow the match to only happen when the
+address is in the list and packets had been received greater than or equal to
+the given value. This option may be used along with \fB\-\-seconds\fP to create
+an even narrower match requiring a certain number of hits within a specific
+time frame. The maximum value for the hitcount parameter is given by the
+"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
+value on the command line will cause the rule to be rejected.
+.TP
+\fB\-\-rttl\fP
+This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
+\fB\-\-update\fP. When used, this will narrow the match to only happen when the
+address is in the list and the TTL of the current packet matches that of the
+packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
+with people faking their source address in order to DoS you via this module by
+disallowing others access to your site by sending bogus packets to you.
+.PP
+Examples:
+.IP
+iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
+.IP
+iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
+.PP
+Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
+some examples of usage.
+.PP
+\fB/proc/net/xt_recent/*\fR are the current lists of addresses and information
+about each entry of each list.
+.PP
+Each file in \fB/proc/net/xt_recent/\fR can be read from to see the current
+list or written two using the following commands to modify the list:
+.TP
+\fBecho +\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR
+to add \fIaddr\fR to the DEFAULT list
+.TP
+\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
+to remove \fIaddr\fR from the DEFAULT list
+.TP
+\fBecho / >/proc/net/xt_recent/DEFAULT\fR
+to flush the DEFAULT list (remove all entries).
+.PP
+The module itself accepts parameters, defaults shown:
+.TP
+\fBip_list_tot\fR=\fI100\fR
+Number of addresses remembered per table.
+.TP
+\fBip_pkt_list_tot\fR=\fI20\fR
+Number of packets per address remembered.
+.TP
+\fBip_list_hash_size\fR=\fI0\fR
+Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
+.TP
+\fBip_list_perms\fR=\fI0644\fR
+Permissions for /proc/net/xt_recent/* files.
+.TP
+\fBip_list_uid\fR=\fI0\fR
+Numerical UID for ownership of /proc/net/xt_recent/* files.
+.TP
+\fBip_list_gid\fR=\fI0\fR
+Numerical GID for ownership of /proc/net/xt_recent/* files.
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
new file mode 100644
index 0000000..d321fb8
--- /dev/null
+++ b/extensions/libxt_sctp.c
@@ -0,0 +1,515 @@
+/* Shared library add-on to iptables for SCTP matching
+ *
+ * (C) 2003 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ *
+ * libipt_ecn.c borrowed heavily from libipt_dscp.c
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <netdb.h>
+#include <ctype.h>
+
+#include <netinet/in.h>
+#include <xtables.h>
+
+#include <linux/netfilter/xt_sctp.h>
+
+#if 0
+#define DEBUGP(format, first...) printf(format, ##first)
+#define static
+#else
+#define DEBUGP(format, fist...)
+#endif
+
+static void
+print_chunk(u_int32_t chunknum, int numeric);
+
+static void sctp_init(struct xt_entry_match *m)
+{
+ int i;
+ struct xt_sctp_info *einfo = (struct xt_sctp_info *)m->data;
+
+ memset(einfo, 0, sizeof(struct xt_sctp_info));
+
+ for (i = 0; i < XT_NUM_SCTP_FLAGS; i++) {
+ einfo->flag_info[i].chunktype = -1;
+ }
+}
+
+static void sctp_help(void)
+{
+ printf(
+"sctp match options\n"
+"[!] --source-port port[:port] match source port(s)\n"
+" --sport ...\n"
+"[!] --destination-port port[:port] match destination port(s)\n"
+" --dport ...\n"
+"[!] --chunk-types (all|any|none) (chunktype[:flags])+ match if all, any or none of\n"
+" chunktypes are present\n"
+"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN ALL NONE\n");
+}
+
+static const struct option sctp_opts[] = {
+ { .name = "source-port", .has_arg = 1, .val = '1' },
+ { .name = "sport", .has_arg = 1, .val = '1' },
+ { .name = "destination-port", .has_arg = 1, .val = '2' },
+ { .name = "dport", .has_arg = 1, .val = '2' },
+ { .name = "chunk-types", .has_arg = 1, .val = '3' },
+ { .name = NULL }
+};
+
+static void
+parse_sctp_ports(const char *portstring,
+ u_int16_t *ports)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(portstring);
+ DEBUGP("%s\n", portstring);
+ if ((cp = strchr(buffer, ':')) == NULL) {
+ ports[0] = ports[1] = xtables_parse_port(buffer, "sctp");
+ }
+ else {
+ *cp = '\0';
+ cp++;
+
+ ports[0] = buffer[0] ? xtables_parse_port(buffer, "sctp") : 0;
+ ports[1] = cp[0] ? xtables_parse_port(cp, "sctp") : 0xFFFF;
+
+ if (ports[0] > ports[1])
+ xtables_error(PARAMETER_PROBLEM,
+ "invalid portrange (min > max)");
+ }
+ free(buffer);
+}
+
+struct sctp_chunk_names {
+ const char *name;
+ unsigned int chunk_type;
+ const char *valid_flags;
+};
+
+/*'ALL' and 'NONE' will be treated specially. */
+static const struct sctp_chunk_names sctp_chunk_names[]
+= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE"},
+ { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"},
+ { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"},
+ { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"},
+ { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"},
+ { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"},
+ { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"},
+ { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"},
+ { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"},
+ { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"},
+ { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"},
+ { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"},
+ { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"},
+ { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"},
+ { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"},
+ { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"},
+ { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"},
+ { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------"},
+};
+
+static void
+save_chunk_flag_info(struct xt_sctp_flag_info *flag_info,
+ int *flag_count,
+ int chunktype,
+ int bit,
+ int set)
+{
+ int i;
+
+ for (i = 0; i < *flag_count; i++) {
+ if (flag_info[i].chunktype == chunktype) {
+ DEBUGP("Previous match found\n");
+ flag_info[i].chunktype = chunktype;
+ flag_info[i].flag_mask |= (1 << bit);
+ if (set) {
+ flag_info[i].flag |= (1 << bit);
+ }
+
+ return;
+ }
+ }
+
+ if (*flag_count == XT_NUM_SCTP_FLAGS) {
+ xtables_error (PARAMETER_PROBLEM,
+ "Number of chunk types with flags exceeds currently allowed limit."
+ "Increasing this limit involves changing IPT_NUM_SCTP_FLAGS and"
+ "recompiling both the kernel space and user space modules\n");
+ }
+
+ flag_info[*flag_count].chunktype = chunktype;
+ flag_info[*flag_count].flag_mask |= (1 << bit);
+ if (set) {
+ flag_info[*flag_count].flag |= (1 << bit);
+ }
+ (*flag_count)++;
+}
+
+static void
+parse_sctp_chunk(struct xt_sctp_info *einfo,
+ const char *chunks)
+{
+ char *ptr;
+ char *buffer;
+ unsigned int i, j;
+ int found = 0;
+ char *chunk_flags;
+
+ buffer = strdup(chunks);
+ DEBUGP("Buffer: %s\n", buffer);
+
+ SCTP_CHUNKMAP_RESET(einfo->chunkmap);
+
+ if (!strcasecmp(buffer, "ALL")) {
+ SCTP_CHUNKMAP_SET_ALL(einfo->chunkmap);
+ goto out;
+ }
+
+ if (!strcasecmp(buffer, "NONE")) {
+ SCTP_CHUNKMAP_RESET(einfo->chunkmap);
+ goto out;
+ }
+
+ for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
+ found = 0;
+ DEBUGP("Next Chunk type %s\n", ptr);
+
+ if ((chunk_flags = strchr(ptr, ':')) != NULL) {
+ *chunk_flags++ = 0;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i)
+ if (strcasecmp(sctp_chunk_names[i].name, ptr) == 0) {
+ DEBUGP("Chunk num %d\n", sctp_chunk_names[i].chunk_type);
+ SCTP_CHUNKMAP_SET(einfo->chunkmap,
+ sctp_chunk_names[i].chunk_type);
+ found = 1;
+ break;
+ }
+ if (!found)
+ xtables_error(PARAMETER_PROBLEM,
+ "Unknown sctp chunk `%s'", ptr);
+
+ if (chunk_flags) {
+ DEBUGP("Chunk flags %s\n", chunk_flags);
+ for (j = 0; j < strlen(chunk_flags); j++) {
+ char *p;
+ int bit;
+
+ if ((p = strchr(sctp_chunk_names[i].valid_flags,
+ toupper(chunk_flags[j]))) != NULL) {
+ bit = p - sctp_chunk_names[i].valid_flags;
+ bit = 7 - bit;
+
+ save_chunk_flag_info(einfo->flag_info,
+ &(einfo->flag_count), i, bit,
+ isupper(chunk_flags[j]));
+ } else {
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid flags for chunk type %d\n", i);
+ }
+ }
+ }
+ }
+out:
+ free(buffer);
+}
+
+static void
+parse_sctp_chunks(struct xt_sctp_info *einfo,
+ const char *match_type,
+ const char *chunks)
+{
+ DEBUGP("Match type: %s Chunks: %s\n", match_type, chunks);
+ if (!strcasecmp(match_type, "ANY")) {
+ einfo->chunk_match_type = SCTP_CHUNK_MATCH_ANY;
+ } else if (!strcasecmp(match_type, "ALL")) {
+ einfo->chunk_match_type = SCTP_CHUNK_MATCH_ALL;
+ } else if (!strcasecmp(match_type, "ONLY")) {
+ einfo->chunk_match_type = SCTP_CHUNK_MATCH_ONLY;
+ } else {
+ xtables_error (PARAMETER_PROBLEM,
+ "Match type has to be one of \"ALL\", \"ANY\" or \"ONLY\"");
+ }
+
+ SCTP_CHUNKMAP_RESET(einfo->chunkmap);
+ parse_sctp_chunk(einfo, chunks);
+}
+
+static int
+sctp_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_sctp_info *einfo
+ = (struct xt_sctp_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & XT_SCTP_SRC_PORTS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--source-port' allowed");
+ einfo->flags |= XT_SCTP_SRC_PORTS;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_sctp_ports(optarg, einfo->spts);
+ if (invert)
+ einfo->invflags |= XT_SCTP_SRC_PORTS;
+ *flags |= XT_SCTP_SRC_PORTS;
+ break;
+
+ case '2':
+ if (*flags & XT_SCTP_DEST_PORTS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--destination-port' allowed");
+ einfo->flags |= XT_SCTP_DEST_PORTS;
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_sctp_ports(optarg, einfo->dpts);
+ if (invert)
+ einfo->invflags |= XT_SCTP_DEST_PORTS;
+ *flags |= XT_SCTP_DEST_PORTS;
+ break;
+
+ case '3':
+ if (*flags & XT_SCTP_CHUNK_TYPES)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--chunk-types' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (!argv[optind]
+ || argv[optind][0] == '-' || argv[optind][0] == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "--chunk-types requires two args");
+
+ einfo->flags |= XT_SCTP_CHUNK_TYPES;
+ parse_sctp_chunks(einfo, optarg, argv[optind]);
+ if (invert)
+ einfo->invflags |= XT_SCTP_CHUNK_TYPES;
+ optind++;
+ *flags |= XT_SCTP_CHUNK_TYPES;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static char *
+port_to_service(int port)
+{
+ struct servent *service;
+
+ if ((service = getservbyport(htons(port), "sctp")))
+ return service->s_name;
+
+ return NULL;
+}
+
+static void
+print_port(u_int16_t port, int numeric)
+{
+ char *service;
+
+ if (numeric || (service = port_to_service(port)) == NULL)
+ printf("%u", port);
+ else
+ printf("%s", service);
+}
+
+static void
+print_ports(const char *name, u_int16_t min, u_int16_t max,
+ int invert, int numeric)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFF || invert) {
+ printf("%s", name);
+ if (min == max) {
+ printf(":%s", inv);
+ print_port(min, numeric);
+ } else {
+ printf("s:%s", inv);
+ print_port(min, numeric);
+ printf(":");
+ print_port(max, numeric);
+ }
+ printf(" ");
+ }
+}
+
+static void
+print_chunk_flags(u_int32_t chunknum, u_int8_t chunk_flags, u_int8_t chunk_flags_mask)
+{
+ int i;
+
+ DEBUGP("type: %d\tflags: %x\tflag mask: %x\n", chunknum, chunk_flags,
+ chunk_flags_mask);
+
+ if (chunk_flags_mask) {
+ printf(":");
+ }
+
+ for (i = 7; i >= 0; i--) {
+ if (chunk_flags_mask & (1 << i)) {
+ if (chunk_flags & (1 << i)) {
+ printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
+ } else {
+ printf("%c", tolower(sctp_chunk_names[chunknum].valid_flags[7-i]));
+ }
+ }
+ }
+}
+
+static void
+print_chunk(u_int32_t chunknum, int numeric)
+{
+ if (numeric) {
+ printf("0x%04X", chunknum);
+ }
+ else {
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i)
+ if (sctp_chunk_names[i].chunk_type == chunknum)
+ printf("%s", sctp_chunk_names[chunknum].name);
+ }
+}
+
+static void
+print_chunks(const struct xt_sctp_info *einfo, int numeric)
+{
+ u_int32_t chunk_match_type = einfo->chunk_match_type;
+ const struct xt_sctp_flag_info *flag_info = einfo->flag_info;
+ int flag_count = einfo->flag_count;
+ int i, j;
+ int flag;
+
+ switch (chunk_match_type) {
+ case SCTP_CHUNK_MATCH_ANY: printf("any "); break;
+ case SCTP_CHUNK_MATCH_ALL: printf("all "); break;
+ case SCTP_CHUNK_MATCH_ONLY: printf("only "); break;
+ default: printf("Never reach herer\n"); break;
+ }
+
+ if (SCTP_CHUNKMAP_IS_CLEAR(einfo->chunkmap)) {
+ printf("NONE ");
+ goto out;
+ }
+
+ if (SCTP_CHUNKMAP_IS_ALL_SET(einfo->chunkmap)) {
+ printf("ALL ");
+ goto out;
+ }
+
+ flag = 0;
+ for (i = 0; i < 256; i++) {
+ if (SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, i)) {
+ if (flag)
+ printf(",");
+ flag = 1;
+ print_chunk(i, numeric);
+ for (j = 0; j < flag_count; j++) {
+ if (flag_info[j].chunktype == i) {
+ print_chunk_flags(i, flag_info[j].flag,
+ flag_info[j].flag_mask);
+ }
+ }
+ }
+ }
+
+ if (flag)
+ printf(" ");
+out:
+ return;
+}
+
+static void
+sctp_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_sctp_info *einfo =
+ (const struct xt_sctp_info *)match->data;
+
+ printf("sctp ");
+
+ if (einfo->flags & XT_SCTP_SRC_PORTS) {
+ print_ports("spt", einfo->spts[0], einfo->spts[1],
+ einfo->invflags & XT_SCTP_SRC_PORTS,
+ numeric);
+ }
+
+ if (einfo->flags & XT_SCTP_DEST_PORTS) {
+ print_ports("dpt", einfo->dpts[0], einfo->dpts[1],
+ einfo->invflags & XT_SCTP_DEST_PORTS,
+ numeric);
+ }
+
+ if (einfo->flags & XT_SCTP_CHUNK_TYPES) {
+ /* FIXME: print_chunks() is used in save() where the printing of '!'
+ s taken care of, so we need to do that here as well */
+ if (einfo->invflags & XT_SCTP_CHUNK_TYPES) {
+ printf("! ");
+ }
+ print_chunks(einfo, numeric);
+ }
+}
+
+static void sctp_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_sctp_info *einfo =
+ (const struct xt_sctp_info *)match->data;
+
+ if (einfo->flags & XT_SCTP_SRC_PORTS) {
+ if (einfo->invflags & XT_SCTP_SRC_PORTS)
+ printf("! ");
+ if (einfo->spts[0] != einfo->spts[1])
+ printf("--sport %u:%u ",
+ einfo->spts[0], einfo->spts[1]);
+ else
+ printf("--sport %u ", einfo->spts[0]);
+ }
+
+ if (einfo->flags & XT_SCTP_DEST_PORTS) {
+ if (einfo->invflags & XT_SCTP_DEST_PORTS)
+ printf("! ");
+ if (einfo->dpts[0] != einfo->dpts[1])
+ printf("--dport %u:%u ",
+ einfo->dpts[0], einfo->dpts[1]);
+ else
+ printf("--dport %u ", einfo->dpts[0]);
+ }
+
+ if (einfo->flags & XT_SCTP_CHUNK_TYPES) {
+ if (einfo->invflags & XT_SCTP_CHUNK_TYPES)
+ printf("! ");
+ printf("--chunk-types ");
+
+ print_chunks(einfo, 0);
+ }
+}
+
+static struct xtables_match sctp_match = {
+ .name = "sctp",
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_sctp_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)),
+ .help = sctp_help,
+ .init = sctp_init,
+ .parse = sctp_parse,
+ .print = sctp_print,
+ .save = sctp_save,
+ .extra_opts = sctp_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&sctp_match);
+}
diff --git a/extensions/libxt_sctp.man b/extensions/libxt_sctp.man
new file mode 100644
index 0000000..9c0bd8c
--- /dev/null
+++ b/extensions/libxt_sctp.man
@@ -0,0 +1,28 @@
+.TP
+[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
+.TP
+[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
+.TP
+[\fB!\fP] \fB\-\-chunk\-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...]
+The flag letter in upper case indicates that the flag is to match if set,
+in the lower case indicates to match if unset.
+
+Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN
+
+chunk type available flags
+.br
+DATA I U B E i u b e
+.br
+ABORT T t
+.br
+SHUTDOWN_COMPLETE T t
+
+(lowercase means flag should be "off", uppercase means "on")
+.P
+Examples:
+
+iptables \-A INPUT \-p sctp \-\-dport 80 \-j DROP
+
+iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA,INIT \-j DROP
+
+iptables \-A INPUT \-p sctp \-\-chunk\-types any DATA:Be \-j ACCEPT
diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c
new file mode 100644
index 0000000..75fa3c2
--- /dev/null
+++ b/extensions/libxt_set.c
@@ -0,0 +1,250 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ * Patrick Schaaf <bof@bof.de>
+ * Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+/* Shared library add-on to iptables to add IP set matching. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ctype.h>
+#include <errno.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_set.h>
+#include "libxt_set.h"
+
+static void
+set_help(void)
+{
+ printf("set match options:\n"
+ " [!] --match-set name flags\n"
+ " 'name' is the set name from to match,\n"
+ " 'flags' are the comma separated list of\n"
+ " 'src' and 'dst' specifications.\n");
+}
+
+static const struct option set_opts[] = {
+ { .name = "match-set", .has_arg = true, .val = '1'},
+ { .name = "set", .has_arg = true, .val = '2'},
+ { .name = NULL }
+};
+
+static void
+set_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "You must specify `--match-set' with proper arguments");
+}
+
+static int
+set_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_set_info_match_v0 *myinfo =
+ (struct xt_set_info_match_v0 *) (*match)->data;
+ struct xt_set_info_v0 *info = &myinfo->match_set;
+
+ switch (c) {
+ case '2':
+ fprintf(stderr,
+ "--set option deprecated, please use --match-set\n");
+ case '1': /* --match-set <set> <flag>[,<flag> */
+ if (info->u.flags[0])
+ xtables_error(PARAMETER_PROBLEM,
+ "--match-set can be specified only once");
+
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ info->u.flags[0] |= IPSET_MATCH_INV;
+
+ if (!argv[optind]
+ || argv[optind][0] == '-'
+ || argv[optind][0] == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "--match-set requires two args.");
+
+ if (strlen(optarg) > IPSET_MAXNAMELEN - 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "setname `%s' too long, max %d characters.",
+ optarg, IPSET_MAXNAMELEN - 1);
+
+ get_set_byname(optarg, (struct xt_set_info *)info);
+ parse_dirs_v0(argv[optind], info);
+ DEBUGP("parse: set index %u\n", info->index);
+ optind++;
+
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+print_match_v0(const char *prefix, const struct xt_set_info_v0 *info)
+{
+ int i;
+ char setname[IPSET_MAXNAMELEN];
+
+ get_set_byid(setname, info->index);
+ printf("%s%s %s",
+ (info->u.flags[0] & IPSET_MATCH_INV) ? "! " : "",
+ prefix,
+ setname);
+ for (i = 0; i < IPSET_DIM_MAX; i++) {
+ if (!info->u.flags[i])
+ break;
+ printf("%s%s",
+ i == 0 ? " " : ",",
+ info->u.flags[i] & IPSET_SRC ? "src" : "dst");
+ }
+ printf(" ");
+}
+
+/* Prints out the matchinfo. */
+static void
+set_print_v0(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_set_info_match_v0 *info = (const void *)match->data;
+
+ print_match_v0("match-set", &info->match_set);
+}
+
+static void
+set_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_set_info_match_v0 *info = (const void *)match->data;
+
+ print_match_v0("--match-set", &info->match_set);
+}
+
+static int
+set_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_set_info_match *myinfo =
+ (struct xt_set_info_match *) (*match)->data;
+ struct xt_set_info *info = &myinfo->match_set;
+
+ switch (c) {
+ case '2':
+ fprintf(stderr,
+ "--set option deprecated, please use --match-set\n");
+ case '1': /* --match-set <set> <flag>[,<flag> */
+ if (info->dim)
+ xtables_error(PARAMETER_PROBLEM,
+ "--match-set can be specified only once");
+
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ if (invert)
+ info->flags |= IPSET_INV_MATCH;
+
+ if (!argv[optind]
+ || argv[optind][0] == '-'
+ || argv[optind][0] == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "--match-set requires two args.");
+
+ if (strlen(optarg) > IPSET_MAXNAMELEN - 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "setname `%s' too long, max %d characters.",
+ optarg, IPSET_MAXNAMELEN - 1);
+
+ get_set_byname(optarg, info);
+ parse_dirs(argv[optind], info);
+ DEBUGP("parse: set index %u\n", info->index);
+ optind++;
+
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+print_match(const char *prefix, const struct xt_set_info *info)
+{
+ int i;
+ char setname[IPSET_MAXNAMELEN];
+
+ get_set_byid(setname, info->index);
+ printf("%s%s %s",
+ (info->flags & IPSET_INV_MATCH) ? "! " : "",
+ prefix,
+ setname);
+ for (i = 1; i <= info->dim; i++) {
+ printf("%s%s",
+ i == 1 ? " " : ",",
+ info->flags & (1 << i) ? "src" : "dst");
+ }
+ printf(" ");
+}
+
+/* Prints out the matchinfo. */
+static void
+set_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_set_info_match *info = (const void *)match->data;
+
+ print_match("match-set", &info->match_set);
+}
+
+static void
+set_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_set_info_match *info = (const void *)match->data;
+
+ print_match("--match-set", &info->match_set);
+}
+
+static struct xtables_match set_mt_reg[] = {
+ {
+ .name = "set",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_set_info_match_v0)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match_v0)),
+ .help = set_help,
+ .parse = set_parse_v0,
+ .final_check = set_check,
+ .print = set_print_v0,
+ .save = set_save_v0,
+ .extra_opts = set_opts,
+ },
+ {
+ .name = "set",
+ .revision = 1,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_set_info_match)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match)),
+ .help = set_help,
+ .parse = set_parse,
+ .final_check = set_check,
+ .print = set_print,
+ .save = set_save,
+ .extra_opts = set_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(set_mt_reg, ARRAY_SIZE(set_mt_reg));
+}
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
new file mode 100644
index 0000000..6b93691
--- /dev/null
+++ b/extensions/libxt_set.h
@@ -0,0 +1,147 @@
+#ifndef _LIBXT_SET_H
+#define _LIBXT_SET_H
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <errno.h>
+
+#ifdef DEBUG
+#define DEBUGP(x, args...) fprintf(stderr, x , ## args)
+#else
+#define DEBUGP(x, args...)
+#endif
+
+static int
+get_version(unsigned *version)
+{
+ int res, sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ struct ip_set_req_version req_version;
+ socklen_t size = sizeof(req_version);
+
+ if (sockfd < 0)
+ xtables_error(OTHER_PROBLEM,
+ "Can't open socket to ipset.\n");
+
+ req_version.op = IP_SET_OP_VERSION;
+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size);
+ if (res != 0)
+ xtables_error(OTHER_PROBLEM,
+ "Kernel module xt_set is not loaded in.\n");
+
+ *version = req_version.version;
+
+ return sockfd;
+}
+
+static void
+get_set_byid(char *setname, ip_set_id_t idx)
+{
+ struct ip_set_req_get_set req;
+ socklen_t size = sizeof(struct ip_set_req_get_set);
+ int res, sockfd;
+
+ sockfd = get_version(&req.version);
+ req.op = IP_SET_OP_GET_BYINDEX;
+ req.set.index = idx;
+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req, &size);
+ close(sockfd);
+
+ if (res != 0)
+ xtables_error(OTHER_PROBLEM,
+ "Problem when communicating with ipset, errno=%d.\n",
+ errno);
+ if (size != sizeof(struct ip_set_req_get_set))
+ xtables_error(OTHER_PROBLEM,
+ "Incorrect return size from kernel during ipset lookup, "
+ "(want %zu, got %zu)\n",
+ sizeof(struct ip_set_req_get_set), (size_t)size);
+ if (req.set.name[0] == '\0')
+ xtables_error(PARAMETER_PROBLEM,
+ "Set with index %i in kernel doesn't exist.\n", idx);
+
+ strncpy(setname, req.set.name, IPSET_MAXNAMELEN);
+}
+
+static void
+get_set_byname(const char *setname, struct xt_set_info *info)
+{
+ struct ip_set_req_get_set req;
+ socklen_t size = sizeof(struct ip_set_req_get_set);
+ int res, sockfd;
+
+ sockfd = get_version(&req.version);
+ req.op = IP_SET_OP_GET_BYNAME;
+ strncpy(req.set.name, setname, IPSET_MAXNAMELEN);
+ req.set.name[IPSET_MAXNAMELEN - 1] = '\0';
+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req, &size);
+ close(sockfd);
+
+ if (res != 0)
+ xtables_error(OTHER_PROBLEM,
+ "Problem when communicating with ipset, errno=%d.\n",
+ errno);
+ if (size != sizeof(struct ip_set_req_get_set))
+ xtables_error(OTHER_PROBLEM,
+ "Incorrect return size from kernel during ipset lookup, "
+ "(want %zu, got %zu)\n",
+ sizeof(struct ip_set_req_get_set), (size_t)size);
+ if (req.set.index == IPSET_INVALID_ID)
+ xtables_error(PARAMETER_PROBLEM,
+ "Set %s doesn't exist.\n", setname);
+
+ info->index = req.set.index;
+}
+
+static void
+parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
+{
+ char *saved = strdup(opt_arg);
+ char *ptr, *tmp = saved;
+ int i = 0;
+
+ while (i < (IPSET_DIM_MAX - 1) && tmp != NULL) {
+ ptr = strsep(&tmp, ",");
+ if (strncmp(ptr, "src", 3) == 0)
+ info->u.flags[i++] |= IPSET_SRC;
+ else if (strncmp(ptr, "dst", 3) == 0)
+ info->u.flags[i++] |= IPSET_DST;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "You must spefify (the comma separated list of) 'src' or 'dst'.");
+ }
+
+ if (tmp)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't be more src/dst options than %i.",
+ IPSET_DIM_MAX - 1);
+
+ free(saved);
+}
+
+static void
+parse_dirs(const char *opt_arg, struct xt_set_info *info)
+{
+ char *saved = strdup(opt_arg);
+ char *ptr, *tmp = saved;
+ int i = 0;
+
+ while (i < (IPSET_DIM_MAX - 1) && tmp != NULL) {
+ info->dim++;
+ ptr = strsep(&tmp, ",");
+ if (strncmp(ptr, "src", 3) == 0)
+ info->flags |= (1 << info->dim);
+ else if (strncmp(ptr, "dst", 3) != 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "You must spefify (the comma separated list of) 'src' or 'dst'.");
+ }
+
+ if (tmp)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't be more src/dst options than %i.",
+ IPSET_DIM_MAX - 1);
+
+ free(saved);
+}
+
+#endif /*_LIBXT_SET_H*/
diff --git a/extensions/libxt_set.man b/extensions/libxt_set.man
new file mode 100644
index 0000000..aca1bfc
--- /dev/null
+++ b/extensions/libxt_set.man
@@ -0,0 +1,23 @@
+This module matches IP sets which can be defined by ipset(8).
+.TP
+[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
+where flags are the comma separated list of
+.BR "src"
+and/or
+.BR "dst"
+specifications and there can be no more than six of them. Hence the command
+.IP
+ iptables \-A FORWARD \-m set \-\-match\-set test src,dst
+.IP
+will match packets, for which (if the set type is ipportmap) the source
+address and destination port pair can be found in the specified set. If
+the set type of the specified set is single dimension (for example ipmap),
+then the command will match packets for which the source address can be
+found in the specified set.
+.PP
+The option \fB\-\-match\-set\fR can be replaced by \fB\-\-set\fR if that does
+not clash with an option of other extensions.
+.PP
+Use of -m set requires that ipset kernel support is provided. As standard
+kernels do not ship this currently, the ipset or Xtables-addons package needs
+to be installed.
diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
new file mode 100644
index 0000000..1490473
--- /dev/null
+++ b/extensions/libxt_socket.c
@@ -0,0 +1,19 @@
+/*
+ * Shared library add-on to iptables to add early socket matching support.
+ *
+ * Copyright (C) 2007 BalaBit IT Ltd.
+ */
+#include <xtables.h>
+
+static struct xtables_match socket_mt_reg = {
+ .name = "socket",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(0),
+ .userspacesize = XT_ALIGN(0),
+};
+
+void _init(void)
+{
+ xtables_register_match(&socket_mt_reg);
+}
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
new file mode 100644
index 0000000..50c8854
--- /dev/null
+++ b/extensions/libxt_socket.man
@@ -0,0 +1,2 @@
+This matches if an open socket can be found by doing a socket lookup on the
+packet.
diff --git a/extensions/libxt_standard.c b/extensions/libxt_standard.c
new file mode 100644
index 0000000..c64ba29
--- /dev/null
+++ b/extensions/libxt_standard.c
@@ -0,0 +1,24 @@
+/* Shared library add-on to iptables for standard target support. */
+#include <stdio.h>
+#include <xtables.h>
+
+static void standard_help(void)
+{
+ printf(
+"standard match options:\n"
+"(If target is DROP, ACCEPT, RETURN or nothing)\n");
+}
+
+static struct xtables_target standard_target = {
+ .family = NFPROTO_UNSPEC,
+ .name = "standard",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(int)),
+ .userspacesize = XT_ALIGN(sizeof(int)),
+ .help = standard_help,
+};
+
+void _init(void)
+{
+ xtables_register_target(&standard_target);
+}
diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c
new file mode 100644
index 0000000..d8159e5
--- /dev/null
+++ b/extensions/libxt_state.c
@@ -0,0 +1,158 @@
+/* Shared library add-on to iptables to add state tracking support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/xt_state.h>
+
+#ifndef XT_STATE_UNTRACKED
+#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
+#endif
+
+static void
+state_help(void)
+{
+ printf(
+"state match options:\n"
+" [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]\n"
+" State(s) to match\n");
+}
+
+static const struct option state_opts[] = {
+ { "state", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static int
+state_parse_state(const char *state, size_t len, struct xt_state_info *sinfo)
+{
+ if (strncasecmp(state, "INVALID", len) == 0)
+ sinfo->statemask |= XT_STATE_INVALID;
+ else if (strncasecmp(state, "NEW", len) == 0)
+ sinfo->statemask |= XT_STATE_BIT(IP_CT_NEW);
+ else if (strncasecmp(state, "ESTABLISHED", len) == 0)
+ sinfo->statemask |= XT_STATE_BIT(IP_CT_ESTABLISHED);
+ else if (strncasecmp(state, "RELATED", len) == 0)
+ sinfo->statemask |= XT_STATE_BIT(IP_CT_RELATED);
+ else if (strncasecmp(state, "UNTRACKED", len) == 0)
+ sinfo->statemask |= XT_STATE_UNTRACKED;
+ else
+ return 0;
+ return 1;
+}
+
+static void
+state_parse_states(const char *arg, struct xt_state_info *sinfo)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !state_parse_state(arg, comma-arg, sinfo))
+ xtables_error(PARAMETER_PROBLEM, "Bad state \"%s\"", arg);
+ arg = comma+1;
+ }
+ if (!*arg)
+ xtables_error(PARAMETER_PROBLEM, "\"--state\" requires a list of "
+ "states with no spaces, e.g. "
+ "ESTABLISHED,RELATED");
+ if (strlen(arg) == 0 || !state_parse_state(arg, strlen(arg), sinfo))
+ xtables_error(PARAMETER_PROBLEM, "Bad state \"%s\"", arg);
+}
+
+static int
+state_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry,
+ struct xt_entry_match **match)
+{
+ struct xt_state_info *sinfo = (struct xt_state_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ state_parse_states(optarg, sinfo);
+ if (invert)
+ sinfo->statemask = ~sinfo->statemask;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void state_final_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM, "You must specify \"--state\"");
+}
+
+static void state_print_state(unsigned int statemask)
+{
+ const char *sep = "";
+
+ if (statemask & XT_STATE_INVALID) {
+ printf("%sINVALID", sep);
+ sep = ",";
+ }
+ if (statemask & XT_STATE_BIT(IP_CT_NEW)) {
+ printf("%sNEW", sep);
+ sep = ",";
+ }
+ if (statemask & XT_STATE_BIT(IP_CT_RELATED)) {
+ printf("%sRELATED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_STATE_BIT(IP_CT_ESTABLISHED)) {
+ printf("%sESTABLISHED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_STATE_UNTRACKED) {
+ printf("%sUNTRACKED", sep);
+ sep = ",";
+ }
+ printf(" ");
+}
+
+static void
+state_print(const void *ip,
+ const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_state_info *sinfo = (const void *)match->data;
+
+ printf("state ");
+ state_print_state(sinfo->statemask);
+}
+
+static void state_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_state_info *sinfo = (const void *)match->data;
+
+ printf("--state ");
+ state_print_state(sinfo->statemask);
+}
+
+static struct xtables_match state_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "state",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_state_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_state_info)),
+ .help = state_help,
+ .parse = state_parse,
+ .final_check = state_final_check,
+ .print = state_print,
+ .save = state_save,
+ .extra_opts = state_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&state_match);
+}
diff --git a/extensions/libxt_state.man b/extensions/libxt_state.man
new file mode 100644
index 0000000..37d095b
--- /dev/null
+++ b/extensions/libxt_state.man
@@ -0,0 +1,24 @@
+This module, when combined with connection tracking, allows access to
+the connection tracking state for this packet.
+.TP
+[\fB!\fP] \fB\-\-state\fP \fIstate\fP
+Where state is a comma separated list of the connection states to
+match. Possible states are
+.B INVALID
+meaning that the packet could not be identified for some reason which
+includes running out of memory and ICMP errors which don't correspond to any
+known connection,
+.B ESTABLISHED
+meaning that the packet is associated with a connection which has seen
+packets in both directions,
+.B NEW
+meaning that the packet has started a new connection, or otherwise
+associated with a connection which has not seen packets in both
+directions, and
+.B RELATED
+meaning that the packet is starting a new connection, but is
+associated with an existing connection, such as an FTP data transfer,
+or an ICMP error.
+.B UNTRACKED
+meaning that the packet is not tracked at all, which happens if you use
+the NOTRACK target in raw table.
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
new file mode 100644
index 0000000..913aa2c
--- /dev/null
+++ b/extensions/libxt_statistic.c
@@ -0,0 +1,180 @@
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_statistic.h>
+
+static void statistic_help(void)
+{
+ printf(
+"statistic match options:\n"
+" --mode mode Match mode (random, nth)\n"
+" random mode:\n"
+" --probability p Probability\n"
+" nth mode:\n"
+" --every n Match every nth packet\n"
+" --packet p Initial counter value (0 <= p <= n-1, default 0)\n");
+}
+
+static const struct option statistic_opts[] = {
+ { "mode", 1, NULL, '1' },
+ { "probability", 1, NULL, '2' },
+ { "every", 1, NULL, '3' },
+ { "packet", 1, NULL, '4' },
+ { .name = NULL }
+};
+
+static struct xt_statistic_info *global_info;
+
+static void statistic_mt_init(struct xt_entry_match *match)
+{
+ global_info = (void *)match->data;
+}
+
+static int
+statistic_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_statistic_info *info = (void *)(*match)->data;
+ unsigned int val;
+ double prob;
+
+ if (invert)
+ info->flags |= XT_STATISTIC_INVERT;
+
+ switch (c) {
+ case '1':
+ if (*flags & 0x1)
+ xtables_error(PARAMETER_PROBLEM, "double --mode");
+ if (!strcmp(optarg, "random"))
+ info->mode = XT_STATISTIC_MODE_RANDOM;
+ else if (!strcmp(optarg, "nth"))
+ info->mode = XT_STATISTIC_MODE_NTH;
+ else
+ xtables_error(PARAMETER_PROBLEM, "Bad mode \"%s\"", optarg);
+ *flags |= 0x1;
+ break;
+ case '2':
+ if (*flags & 0x2)
+ xtables_error(PARAMETER_PROBLEM, "double --probability");
+ prob = atof(optarg);
+ if (prob < 0 || prob > 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "--probability must be between 0 and 1");
+ info->u.random.probability = 0x80000000 * prob;
+ *flags |= 0x2;
+ break;
+ case '3':
+ if (*flags & 0x4)
+ xtables_error(PARAMETER_PROBLEM, "double --every");
+ if (!xtables_strtoui(optarg, NULL, &val, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "cannot parse --every `%s'", optarg);
+ info->u.nth.every = val;
+ if (info->u.nth.every == 0)
+ xtables_error(PARAMETER_PROBLEM, "--every cannot be 0");
+ info->u.nth.every--;
+ *flags |= 0x4;
+ break;
+ case '4':
+ if (*flags & 0x8)
+ xtables_error(PARAMETER_PROBLEM, "double --packet");
+ if (!xtables_strtoui(optarg, NULL, &val, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "cannot parse --packet `%s'", optarg);
+ info->u.nth.packet = val;
+ *flags |= 0x8;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void statistic_check(unsigned int flags)
+{
+ if (!(flags & 0x1))
+ xtables_error(PARAMETER_PROBLEM, "no mode specified");
+ if ((flags & 0x2) && (flags & (0x4 | 0x8)))
+ xtables_error(PARAMETER_PROBLEM,
+ "both nth and random parameters given");
+ if (flags & 0x2 && global_info->mode != XT_STATISTIC_MODE_RANDOM)
+ xtables_error(PARAMETER_PROBLEM,
+ "--probability can only be used in random mode");
+ if (flags & 0x4 && global_info->mode != XT_STATISTIC_MODE_NTH)
+ xtables_error(PARAMETER_PROBLEM,
+ "--every can only be used in nth mode");
+ if (flags & 0x8 && global_info->mode != XT_STATISTIC_MODE_NTH)
+ xtables_error(PARAMETER_PROBLEM,
+ "--packet can only be used in nth mode");
+ if ((flags & 0x8) && !(flags & 0x4))
+ xtables_error(PARAMETER_PROBLEM,
+ "--packet can only be used with --every");
+ /* at this point, info->u.nth.every have been decreased. */
+ if (global_info->u.nth.packet > global_info->u.nth.every)
+ xtables_error(PARAMETER_PROBLEM,
+ "the --packet p must be 0 <= p <= n-1");
+
+
+ global_info->u.nth.count = global_info->u.nth.every -
+ global_info->u.nth.packet;
+}
+
+static void print_match(const struct xt_statistic_info *info, char *prefix)
+{
+ if (info->flags & XT_STATISTIC_INVERT)
+ printf("! ");
+
+ switch (info->mode) {
+ case XT_STATISTIC_MODE_RANDOM:
+ printf("%smode random %sprobability %f ", prefix, prefix,
+ 1.0 * info->u.random.probability / 0x80000000);
+ break;
+ case XT_STATISTIC_MODE_NTH:
+ printf("%smode nth %severy %u ", prefix, prefix,
+ info->u.nth.every + 1);
+ if (info->u.nth.packet)
+ printf("%spacket %u ", prefix, info->u.nth.packet);
+ break;
+ }
+}
+
+static void
+statistic_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_statistic_info *info = (const void *)match->data;
+
+ printf("statistic ");
+ print_match(info, "");
+}
+
+static void statistic_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_statistic_info *info = (const void *)match->data;
+
+ print_match(info, "--");
+}
+
+static struct xtables_match statistic_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "statistic",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_statistic_info)),
+ .userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
+ .init = statistic_mt_init,
+ .help = statistic_help,
+ .parse = statistic_parse,
+ .final_check = statistic_check,
+ .print = statistic_print,
+ .save = statistic_save,
+ .extra_opts = statistic_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&statistic_match);
+}
diff --git a/extensions/libxt_statistic.man b/extensions/libxt_statistic.man
new file mode 100644
index 0000000..8fc3b29
--- /dev/null
+++ b/extensions/libxt_statistic.man
@@ -0,0 +1,30 @@
+This module matches packets based on some statistic condition.
+It supports two distinct modes settable with the
+\fB\-\-mode\fP
+option.
+.PP
+Supported options:
+.TP
+\fB\-\-mode\fP \fImode\fP
+Set the matching mode of the matching rule, supported modes are
+.B random
+and
+.B nth.
+.TP
+\fB\-\-probability\fP \fIp\fP
+Set the probability from 0 to 1 for a packet to be randomly
+matched. It works only with the
+.B random
+mode.
+.TP
+\fB\-\-every\fP \fIn\fP
+Match one packet every nth packet. It works only with the
+.B nth
+mode (see also the
+\fB\-\-packet\fP
+option).
+.TP
+\fB\-\-packet\fP \fIp\fP
+Set the initial counter value (0 <= p <= n\-1, default 0) for the
+.B nth
+mode.
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
new file mode 100644
index 0000000..df6302e
--- /dev/null
+++ b/extensions/libxt_string.c
@@ -0,0 +1,389 @@
+/* Shared library add-on to iptables to add string matching support.
+ *
+ * Copyright (C) 2000 Emmanuel Roger <winfield@freegates.be>
+ *
+ * 2005-08-05 Pablo Neira Ayuso <pablo@eurodev.net>
+ * - reimplemented to use new string matching iptables match
+ * - add functionality to match packets by using window offsets
+ * - add functionality to select the string matching algorithm
+ *
+ * ChangeLog
+ * 29.12.2003: Michael Rash <mbr@cipherdyne.org>
+ * Fixed iptables save/restore for ascii strings
+ * that contain space chars, and hex strings that
+ * contain embedded NULL chars. Updated to print
+ * strings in hex mode if any non-printable char
+ * is contained within the string.
+ *
+ * 27.01.2001: Gianni Tedesco <gianni@ecsc.co.uk>
+ * Changed --tos to --string in save(). Also
+ * updated to work with slightly modified
+ * ipt_string_info.
+ */
+#define _GNU_SOURCE 1
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ctype.h>
+#include <xtables.h>
+#include <stddef.h>
+#include <linux/netfilter/xt_string.h>
+
+static void string_help(void)
+{
+ printf(
+"string match options:\n"
+"--from Offset to start searching from\n"
+"--to Offset to stop searching\n"
+"--algo Algorithm\n"
+"--icase Ignore case (default: 0)\n"
+"[!] --string string Match a string in a packet\n"
+"[!] --hex-string string Match a hex string in a packet\n");
+}
+
+static const struct option string_opts[] = {
+ { "from", 1, NULL, '1' },
+ { "to", 1, NULL, '2' },
+ { "algo", 1, NULL, '3' },
+ { "string", 1, NULL, '4' },
+ { "hex-string", 1, NULL, '5' },
+ { "icase", 0, NULL, '6' },
+ { .name = NULL }
+};
+
+static void string_init(struct xt_entry_match *m)
+{
+ struct xt_string_info *i = (struct xt_string_info *) m->data;
+
+ if (i->to_offset == 0)
+ i->to_offset = UINT16_MAX;
+}
+
+static void
+parse_string(const char *s, struct xt_string_info *info)
+{
+ /* xt_string does not need \0 at the end of the pattern */
+ if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
+ strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
+ info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
+ return;
+ }
+ xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
+}
+
+static void
+parse_algo(const char *s, struct xt_string_info *info)
+{
+ /* xt_string needs \0 for algo name */
+ if (strlen(s) < XT_STRING_MAX_ALGO_NAME_SIZE) {
+ strncpy(info->algo, s, XT_STRING_MAX_ALGO_NAME_SIZE);
+ return;
+ }
+ xtables_error(PARAMETER_PROBLEM, "ALGO too long \"%s\"", s);
+}
+
+static void
+parse_hex_string(const char *s, struct xt_string_info *info)
+{
+ int i=0, slen, sindex=0, schar;
+ short hex_f = 0, literal_f = 0;
+ char hextmp[3];
+
+ slen = strlen(s);
+
+ if (slen == 0) {
+ xtables_error(PARAMETER_PROBLEM,
+ "STRING must contain at least one char");
+ }
+
+ while (i < slen) {
+ if (s[i] == '\\' && !hex_f) {
+ literal_f = 1;
+ } else if (s[i] == '\\') {
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot include literals in hex data");
+ } else if (s[i] == '|') {
+ if (hex_f)
+ hex_f = 0;
+ else {
+ hex_f = 1;
+ /* get past any initial whitespace just after the '|' */
+ while (s[i+1] == ' ')
+ i++;
+ }
+ if (i+1 >= slen)
+ break;
+ else
+ i++; /* advance to the next character */
+ }
+
+ if (literal_f) {
+ if (i+1 >= slen) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Bad literal placement at end of string");
+ }
+ info->pattern[sindex] = s[i+1];
+ i += 2; /* skip over literal char */
+ literal_f = 0;
+ } else if (hex_f) {
+ if (i+1 >= slen) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Odd number of hex digits");
+ }
+ if (i+2 >= slen) {
+ /* must end with a "|" */
+ xtables_error(PARAMETER_PROBLEM, "Invalid hex block");
+ }
+ if (! isxdigit(s[i])) /* check for valid hex char */
+ xtables_error(PARAMETER_PROBLEM, "Invalid hex char '%c'", s[i]);
+ if (! isxdigit(s[i+1])) /* check for valid hex char */
+ xtables_error(PARAMETER_PROBLEM, "Invalid hex char '%c'", s[i+1]);
+ hextmp[0] = s[i];
+ hextmp[1] = s[i+1];
+ hextmp[2] = '\0';
+ if (! sscanf(hextmp, "%x", &schar))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid hex char `%c'", s[i]);
+ info->pattern[sindex] = (char) schar;
+ if (s[i+2] == ' ')
+ i += 3; /* spaces included in the hex block */
+ else
+ i += 2;
+ } else { /* the char is not part of hex data, so just copy */
+ info->pattern[sindex] = s[i];
+ i++;
+ }
+ if (sindex > XT_STRING_MAX_PATTERN_SIZE)
+ xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
+ sindex++;
+ }
+ info->patlen = sindex;
+}
+
+#define STRING 0x1
+#define ALGO 0x2
+#define FROM 0x4
+#define TO 0x8
+#define ICASE 0x10
+
+static int
+string_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_string_info *stringinfo =
+ (struct xt_string_info *)(*match)->data;
+ const int revision = (*match)->u.user.revision;
+
+ switch (c) {
+ case '1':
+ if (*flags & FROM)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify multiple --from");
+ stringinfo->from_offset = atoi(optarg);
+ *flags |= FROM;
+ break;
+ case '2':
+ if (*flags & TO)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify multiple --to");
+ stringinfo->to_offset = atoi(optarg);
+ *flags |= TO;
+ break;
+ case '3':
+ if (*flags & ALGO)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify multiple --algo");
+ parse_algo(optarg, stringinfo);
+ *flags |= ALGO;
+ break;
+ case '4':
+ if (*flags & STRING)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify multiple --string");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_string(optarg, stringinfo);
+ if (invert) {
+ if (revision == 0)
+ stringinfo->u.v0.invert = 1;
+ else
+ stringinfo->u.v1.flags |= XT_STRING_FLAG_INVERT;
+ }
+ *flags |= STRING;
+ break;
+
+ case '5':
+ if (*flags & STRING)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can't specify multiple --hex-string");
+
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_hex_string(optarg, stringinfo); /* sets length */
+ if (invert) {
+ if (revision == 0)
+ stringinfo->u.v0.invert = 1;
+ else
+ stringinfo->u.v1.flags |= XT_STRING_FLAG_INVERT;
+ }
+ *flags |= STRING;
+ break;
+
+ case '6':
+ if (revision == 0)
+ xtables_error(VERSION_PROBLEM,
+ "Kernel doesn't support --icase");
+
+ stringinfo->u.v1.flags |= XT_STRING_FLAG_IGNORECASE;
+ *flags |= ICASE;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void string_check(unsigned int flags)
+{
+ if (!(flags & STRING))
+ xtables_error(PARAMETER_PROBLEM,
+ "STRING match: You must specify `--string' or "
+ "`--hex-string'");
+ if (!(flags & ALGO))
+ xtables_error(PARAMETER_PROBLEM,
+ "STRING match: You must specify `--algo'");
+}
+
+/* Test to see if the string contains non-printable chars or quotes */
+static unsigned short int
+is_hex_string(const char *str, const unsigned short int len)
+{
+ unsigned int i;
+ for (i=0; i < len; i++)
+ if (! isprint(str[i]))
+ return 1; /* string contains at least one non-printable char */
+ /* use hex output if the last char is a "\" */
+ if ((unsigned char) str[len-1] == 0x5c)
+ return 1;
+ return 0;
+}
+
+/* Print string with "|" chars included as one would pass to --hex-string */
+static void
+print_hex_string(const char *str, const unsigned short int len)
+{
+ unsigned int i;
+ /* start hex block */
+ printf("\"|");
+ for (i=0; i < len; i++) {
+ /* see if we need to prepend a zero */
+ if ((unsigned char) str[i] <= 0x0F)
+ printf("0%x", (unsigned char) str[i]);
+ else
+ printf("%x", (unsigned char) str[i]);
+ }
+ /* close hex block */
+ printf("|\" ");
+}
+
+static void
+print_string(const char *str, const unsigned short int len)
+{
+ unsigned int i;
+ printf("\"");
+ for (i=0; i < len; i++) {
+ if ((unsigned char) str[i] == 0x22) /* escape any embedded quotes */
+ printf("%c", 0x5c);
+ printf("%c", (unsigned char) str[i]);
+ }
+ printf("\" "); /* closing space and quote */
+}
+
+static void
+string_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_string_info *info =
+ (const struct xt_string_info*) match->data;
+ const int revision = match->u.user.revision;
+ int invert = (revision == 0 ? info->u.v0.invert :
+ info->u.v1.flags & XT_STRING_FLAG_INVERT);
+
+ if (is_hex_string(info->pattern, info->patlen)) {
+ printf("STRING match %s", invert ? "!" : "");
+ print_hex_string(info->pattern, info->patlen);
+ } else {
+ printf("STRING match %s", invert ? "!" : "");
+ print_string(info->pattern, info->patlen);
+ }
+ printf("ALGO name %s ", info->algo);
+ if (info->from_offset != 0)
+ printf("FROM %u ", info->from_offset);
+ if (info->to_offset != 0)
+ printf("TO %u ", info->to_offset);
+ if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
+ printf("ICASE ");
+}
+
+static void string_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_string_info *info =
+ (const struct xt_string_info*) match->data;
+ const int revision = match->u.user.revision;
+ int invert = (revision == 0 ? info->u.v0.invert :
+ info->u.v1.flags & XT_STRING_FLAG_INVERT);
+
+ if (is_hex_string(info->pattern, info->patlen)) {
+ printf("%s--hex-string ", (invert) ? "! ": "");
+ print_hex_string(info->pattern, info->patlen);
+ } else {
+ printf("%s--string ", (invert) ? "! ": "");
+ print_string(info->pattern, info->patlen);
+ }
+ printf("--algo %s ", info->algo);
+ if (info->from_offset != 0)
+ printf("--from %u ", info->from_offset);
+ if (info->to_offset != 0)
+ printf("--to %u ", info->to_offset);
+ if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
+ printf("--icase ");
+}
+
+
+static struct xtables_match string_mt_reg[] = {
+ {
+ .name = "string",
+ .revision = 0,
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_string_info)),
+ .userspacesize = offsetof(struct xt_string_info, config),
+ .help = string_help,
+ .init = string_init,
+ .parse = string_parse,
+ .final_check = string_check,
+ .print = string_print,
+ .save = string_save,
+ .extra_opts = string_opts,
+ },
+ {
+ .name = "string",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_string_info)),
+ .userspacesize = offsetof(struct xt_string_info, config),
+ .help = string_help,
+ .init = string_init,
+ .parse = string_parse,
+ .final_check = string_check,
+ .print = string_print,
+ .save = string_save,
+ .extra_opts = string_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(string_mt_reg, ARRAY_SIZE(string_mt_reg));
+}
diff --git a/extensions/libxt_string.man b/extensions/libxt_string.man
new file mode 100644
index 0000000..b6b271d
--- /dev/null
+++ b/extensions/libxt_string.man
@@ -0,0 +1,18 @@
+This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
+.TP
+\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP}
+Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
+.TP
+\fB\-\-from\fP \fIoffset\fP
+Set the offset from which it starts looking for any matching. If not passed, default is 0.
+.TP
+\fB\-\-to\fP \fIoffset\fP
+Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1
+(counting from 0) is the last one that is scanned.
+If not passed, default is the packet size.
+.TP
+[\fB!\fP] \fB\-\-string\fP \fIpattern\fP
+Matches the given pattern.
+.TP
+[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
+Matches the given pattern in hex notation.
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
new file mode 100644
index 0000000..75551d7
--- /dev/null
+++ b/extensions/libxt_tcp.c
@@ -0,0 +1,395 @@
+/* Shared library add-on to iptables to add TCP support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <netinet/in.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_tcpudp.h>
+
+static void tcp_help(void)
+{
+ printf(
+"tcp match options:\n"
+"[!] --tcp-flags mask comp match when TCP flags & mask == comp\n"
+" (Flags: SYN ACK FIN RST URG PSH ALL NONE)\n"
+"[!] --syn match when only SYN flag set\n"
+" (equivalent to --tcp-flags SYN,RST,ACK,FIN SYN)\n"
+"[!] --source-port port[:port]\n"
+" --sport ...\n"
+" match source port(s)\n"
+"[!] --destination-port port[:port]\n"
+" --dport ...\n"
+" match destination port(s)\n"
+"[!] --tcp-option number match if TCP option set\n");
+}
+
+static const struct option tcp_opts[] = {
+ { "source-port", 1, NULL, '1' },
+ { "sport", 1, NULL, '1' }, /* synonym */
+ { "destination-port", 1, NULL, '2' },
+ { "dport", 1, NULL, '2' }, /* synonym */
+ { "syn", 0, NULL, '3' },
+ { "tcp-flags", 1, NULL, '4' },
+ { "tcp-option", 1, NULL, '5' },
+ { .name = NULL }
+};
+
+static void
+parse_tcp_ports(const char *portstring, u_int16_t *ports)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(portstring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ports[0] = ports[1] = xtables_parse_port(buffer, "tcp");
+ else {
+ *cp = '\0';
+ cp++;
+
+ ports[0] = buffer[0] ? xtables_parse_port(buffer, "tcp") : 0;
+ ports[1] = cp[0] ? xtables_parse_port(cp, "tcp") : 0xFFFF;
+
+ if (ports[0] > ports[1])
+ xtables_error(PARAMETER_PROBLEM,
+ "invalid portrange (min > max)");
+ }
+ free(buffer);
+}
+
+struct tcp_flag_names {
+ const char *name;
+ unsigned int flag;
+};
+
+static const struct tcp_flag_names tcp_flag_names[]
+= { { "FIN", 0x01 },
+ { "SYN", 0x02 },
+ { "RST", 0x04 },
+ { "PSH", 0x08 },
+ { "ACK", 0x10 },
+ { "URG", 0x20 },
+ { "ALL", 0x3F },
+ { "NONE", 0 },
+};
+
+static unsigned int
+parse_tcp_flag(const char *flags)
+{
+ unsigned int ret = 0;
+ char *ptr;
+ char *buffer;
+
+ buffer = strdup(flags);
+
+ for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
+ unsigned int i;
+ for (i = 0; i < ARRAY_SIZE(tcp_flag_names); ++i)
+ if (strcasecmp(tcp_flag_names[i].name, ptr) == 0) {
+ ret |= tcp_flag_names[i].flag;
+ break;
+ }
+ if (i == ARRAY_SIZE(tcp_flag_names))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unknown TCP flag `%s'", ptr);
+ }
+
+ free(buffer);
+ return ret;
+}
+
+static void
+parse_tcp_flags(struct xt_tcp *tcpinfo,
+ const char *mask,
+ const char *cmp,
+ int invert)
+{
+ tcpinfo->flg_mask = parse_tcp_flag(mask);
+ tcpinfo->flg_cmp = parse_tcp_flag(cmp);
+
+ if (invert)
+ tcpinfo->invflags |= XT_TCP_INV_FLAGS;
+}
+
+static void
+parse_tcp_option(const char *option, u_int8_t *result)
+{
+ unsigned int ret;
+
+ if (!xtables_strtoui(option, NULL, &ret, 1, UINT8_MAX))
+ xtables_error(PARAMETER_PROBLEM, "Bad TCP option \"%s\"", option);
+
+ *result = ret;
+}
+
+static void tcp_init(struct xt_entry_match *m)
+{
+ struct xt_tcp *tcpinfo = (struct xt_tcp *)m->data;
+
+ tcpinfo->spts[1] = tcpinfo->dpts[1] = 0xFFFF;
+}
+
+#define TCP_SRC_PORTS 0x01
+#define TCP_DST_PORTS 0x02
+#define TCP_FLAGS 0x04
+#define TCP_OPTION 0x08
+
+static int
+tcp_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_tcp *tcpinfo = (struct xt_tcp *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & TCP_SRC_PORTS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--source-port' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_tcp_ports(optarg, tcpinfo->spts);
+ if (invert)
+ tcpinfo->invflags |= XT_TCP_INV_SRCPT;
+ *flags |= TCP_SRC_PORTS;
+ break;
+
+ case '2':
+ if (*flags & TCP_DST_PORTS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--destination-port' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_tcp_ports(optarg, tcpinfo->dpts);
+ if (invert)
+ tcpinfo->invflags |= XT_TCP_INV_DSTPT;
+ *flags |= TCP_DST_PORTS;
+ break;
+
+ case '3':
+ if (*flags & TCP_FLAGS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one of `--syn' or `--tcp-flags' "
+ " allowed");
+ parse_tcp_flags(tcpinfo, "SYN,RST,ACK,FIN", "SYN", invert);
+ *flags |= TCP_FLAGS;
+ break;
+
+ case '4':
+ if (*flags & TCP_FLAGS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one of `--syn' or `--tcp-flags' "
+ " allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+
+ if (!argv[optind]
+ || argv[optind][0] == '-' || argv[optind][0] == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "--tcp-flags requires two args.");
+
+ parse_tcp_flags(tcpinfo, optarg, argv[optind],
+ invert);
+ optind++;
+ *flags |= TCP_FLAGS;
+ break;
+
+ case '5':
+ if (*flags & TCP_OPTION)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--tcp-option' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_tcp_option(optarg, &tcpinfo->option);
+ if (invert)
+ tcpinfo->invflags |= XT_TCP_INV_OPTION;
+ *flags |= TCP_OPTION;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static char *
+port_to_service(int port)
+{
+ struct servent *service;
+
+ if ((service = getservbyport(htons(port), "tcp")))
+ return service->s_name;
+
+ return NULL;
+}
+
+static void
+print_port(u_int16_t port, int numeric)
+{
+ char *service;
+
+ if (numeric || (service = port_to_service(port)) == NULL)
+ printf("%u", port);
+ else
+ printf("%s", service);
+}
+
+static void
+print_ports(const char *name, u_int16_t min, u_int16_t max,
+ int invert, int numeric)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFF || invert) {
+ printf("%s", name);
+ if (min == max) {
+ printf(":%s", inv);
+ print_port(min, numeric);
+ } else {
+ printf("s:%s", inv);
+ print_port(min, numeric);
+ printf(":");
+ print_port(max, numeric);
+ }
+ printf(" ");
+ }
+}
+
+static void
+print_option(u_int8_t option, int invert, int numeric)
+{
+ if (option || invert)
+ printf("option=%s%u ", invert ? "!" : "", option);
+}
+
+static void
+print_tcpf(u_int8_t flags)
+{
+ int have_flag = 0;
+
+ while (flags) {
+ unsigned int i;
+
+ for (i = 0; (flags & tcp_flag_names[i].flag) == 0; i++);
+
+ if (have_flag)
+ printf(",");
+ printf("%s", tcp_flag_names[i].name);
+ have_flag = 1;
+
+ flags &= ~tcp_flag_names[i].flag;
+ }
+
+ if (!have_flag)
+ printf("NONE");
+}
+
+static void
+print_flags(u_int8_t mask, u_int8_t cmp, int invert, int numeric)
+{
+ if (mask || invert) {
+ printf("flags:%s", invert ? "!" : "");
+ if (numeric)
+ printf("0x%02X/0x%02X ", mask, cmp);
+ else {
+ print_tcpf(mask);
+ printf("/");
+ print_tcpf(cmp);
+ printf(" ");
+ }
+ }
+}
+
+static void
+tcp_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_tcp *tcp = (struct xt_tcp *)match->data;
+
+ printf("tcp ");
+ print_ports("spt", tcp->spts[0], tcp->spts[1],
+ tcp->invflags & XT_TCP_INV_SRCPT,
+ numeric);
+ print_ports("dpt", tcp->dpts[0], tcp->dpts[1],
+ tcp->invflags & XT_TCP_INV_DSTPT,
+ numeric);
+ print_option(tcp->option,
+ tcp->invflags & XT_TCP_INV_OPTION,
+ numeric);
+ print_flags(tcp->flg_mask, tcp->flg_cmp,
+ tcp->invflags & XT_TCP_INV_FLAGS,
+ numeric);
+ if (tcp->invflags & ~XT_TCP_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ tcp->invflags & ~XT_TCP_INV_MASK);
+}
+
+static void tcp_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_tcp *tcpinfo = (struct xt_tcp *)match->data;
+
+ if (tcpinfo->spts[0] != 0
+ || tcpinfo->spts[1] != 0xFFFF) {
+ if (tcpinfo->invflags & XT_TCP_INV_SRCPT)
+ printf("! ");
+ if (tcpinfo->spts[0]
+ != tcpinfo->spts[1])
+ printf("--sport %u:%u ",
+ tcpinfo->spts[0],
+ tcpinfo->spts[1]);
+ else
+ printf("--sport %u ",
+ tcpinfo->spts[0]);
+ }
+
+ if (tcpinfo->dpts[0] != 0
+ || tcpinfo->dpts[1] != 0xFFFF) {
+ if (tcpinfo->invflags & XT_TCP_INV_DSTPT)
+ printf("! ");
+ if (tcpinfo->dpts[0]
+ != tcpinfo->dpts[1])
+ printf("--dport %u:%u ",
+ tcpinfo->dpts[0],
+ tcpinfo->dpts[1]);
+ else
+ printf("--dport %u ",
+ tcpinfo->dpts[0]);
+ }
+
+ if (tcpinfo->option
+ || (tcpinfo->invflags & XT_TCP_INV_OPTION)) {
+ if (tcpinfo->invflags & XT_TCP_INV_OPTION)
+ printf("! ");
+ printf("--tcp-option %u ", tcpinfo->option);
+ }
+
+ if (tcpinfo->flg_mask
+ || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
+ if (tcpinfo->invflags & XT_TCP_INV_FLAGS)
+ printf("! ");
+ printf("--tcp-flags ");
+ if (tcpinfo->flg_mask != 0xFF) {
+ print_tcpf(tcpinfo->flg_mask);
+ }
+ printf(" ");
+ print_tcpf(tcpinfo->flg_cmp);
+ printf(" ");
+ }
+}
+
+static struct xtables_match tcp_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "tcp",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tcp)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcp)),
+ .help = tcp_help,
+ .init = tcp_init,
+ .parse = tcp_parse,
+ .print = tcp_print,
+ .save = tcp_save,
+ .extra_opts = tcp_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&tcp_match);
+}
diff --git a/extensions/libxt_tcp.man b/extensions/libxt_tcp.man
new file mode 100644
index 0000000..7a16118
--- /dev/null
+++ b/extensions/libxt_tcp.man
@@ -0,0 +1,44 @@
+These extensions can be used if `\-\-protocol tcp' is specified. It
+provides the following options:
+.TP
+[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
+Source port or port range specification. This can either be a service
+name or a port number. An inclusive range can also be specified,
+using the format \fIfirst\fP\fB:\fP\fIlast\fP.
+If the first port is omitted, "0" is assumed; if the last is omitted,
+"65535" is assumed.
+If the first port is greater than the second one they will be swapped.
+The flag
+\fB\-\-sport\fP
+is a convenient alias for this option.
+.TP
+[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
+Destination port or port range specification. The flag
+\fB\-\-dport\fP
+is a convenient alias for this option.
+.TP
+[\fB!\fP] \fB\-\-tcp\-flags\fP \fImask\fP \fIcomp\fP
+Match when the TCP flags are as specified. The first argument \fImask\fP is the
+flags which we should examine, written as a comma-separated list, and
+the second argument \fIcomp\fP is a comma-separated list of flags which must be
+set. Flags are:
+.BR "SYN ACK FIN RST URG PSH ALL NONE" .
+Hence the command
+.nf
+ iptables \-A FORWARD \-p tcp \-\-tcp\-flags SYN,ACK,FIN,RST SYN
+.fi
+will only match packets with the SYN flag set, and the ACK, FIN and
+RST flags unset.
+.TP
+[\fB!\fP] \fB\-\-syn\fP
+Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
+cleared. Such packets are used to request TCP connection initiation;
+for example, blocking such packets coming in an interface will prevent
+incoming TCP connections, but outgoing TCP connections will be
+unaffected.
+It is equivalent to \fB\-\-tcp\-flags SYN,RST,ACK,FIN SYN\fP.
+If the "!" flag precedes the "\-\-syn", the sense of the
+option is inverted.
+.TP
+[\fB!\fP] \fB\-\-tcp\-option\fP \fInumber\fP
+Match if TCP option set.
diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
new file mode 100644
index 0000000..b54a890
--- /dev/null
+++ b/extensions/libxt_tcpmss.c
@@ -0,0 +1,128 @@
+/* Shared library add-on to iptables to add tcp MSS matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_tcpmss.h>
+
+static void tcpmss_help(void)
+{
+ printf(
+"tcpmss match options:\n"
+"[!] --mss value[:value] Match TCP MSS range.\n"
+" (only valid for TCP SYN or SYN/ACK packets)\n");
+}
+
+static const struct option tcpmss_opts[] = {
+ { "mss", 1, NULL, '1' },
+ { .name = NULL }
+};
+
+static u_int16_t
+parse_tcp_mssvalue(const char *mssvalue)
+{
+ unsigned int mssvaluenum;
+
+ if (xtables_strtoui(mssvalue, NULL, &mssvaluenum, 0, UINT16_MAX))
+ return mssvaluenum;
+
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid mss `%s' specified", mssvalue);
+}
+
+static void
+parse_tcp_mssvalues(const char *mssvaluestring,
+ u_int16_t *mss_min, u_int16_t *mss_max)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(mssvaluestring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ *mss_min = *mss_max = parse_tcp_mssvalue(buffer);
+ else {
+ *cp = '\0';
+ cp++;
+
+ *mss_min = buffer[0] ? parse_tcp_mssvalue(buffer) : 0;
+ *mss_max = cp[0] ? parse_tcp_mssvalue(cp) : 0xFFFF;
+ }
+ free(buffer);
+}
+
+static int
+tcpmss_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_tcpmss_match_info *mssinfo =
+ (struct xt_tcpmss_match_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--mss' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_tcp_mssvalues(optarg,
+ &mssinfo->mss_min, &mssinfo->mss_max);
+ if (invert)
+ mssinfo->invert = 1;
+ *flags = 1;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void tcpmss_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "tcpmss match: You must specify `--mss'");
+}
+
+static void
+tcpmss_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_tcpmss_match_info *info = (void *)match->data;
+
+ printf("tcpmss match %s", info->invert ? "!" : "");
+ if (info->mss_min == info->mss_max)
+ printf("%u ", info->mss_min);
+ else
+ printf("%u:%u ", info->mss_min, info->mss_max);
+}
+
+static void tcpmss_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_tcpmss_match_info *info = (void *)match->data;
+
+ printf("%s--mss ", info->invert ? "! " : "");
+ if (info->mss_min == info->mss_max)
+ printf("%u ", info->mss_min);
+ else
+ printf("%u:%u ", info->mss_min, info->mss_max);
+}
+
+static struct xtables_match tcpmss_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "tcpmss",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)),
+ .help = tcpmss_help,
+ .parse = tcpmss_parse,
+ .final_check = tcpmss_check,
+ .print = tcpmss_print,
+ .save = tcpmss_save,
+ .extra_opts = tcpmss_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&tcpmss_match);
+}
diff --git a/extensions/libxt_tcpmss.man b/extensions/libxt_tcpmss.man
new file mode 100644
index 0000000..8ee715c
--- /dev/null
+++ b/extensions/libxt_tcpmss.man
@@ -0,0 +1,4 @@
+This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
+.TP
+[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
+Match a given TCP MSS value or range.
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
new file mode 100644
index 0000000..098fc9c
--- /dev/null
+++ b/extensions/libxt_time.c
@@ -0,0 +1,485 @@
+/*
+ * libxt_time - iptables part for xt_time
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: <jengelh@computergmbh.de>
+ *
+ * libxt_time.c is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 or 3 of the License.
+ *
+ * Based on libipt_time.c.
+ */
+#include <sys/types.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <time.h>
+#include <limits.h>
+
+#include <linux/netfilter/xt_time.h>
+#include <xtables.h>
+
+enum { /* getopt "seen" bits */
+ F_DATE_START = 1 << 0,
+ F_DATE_STOP = 1 << 1,
+ F_TIME_START = 1 << 2,
+ F_TIME_STOP = 1 << 3,
+ F_MONTHDAYS = 1 << 4,
+ F_WEEKDAYS = 1 << 5,
+ F_TIMEZONE = 1 << 6,
+};
+
+static const char *const week_days[] = {
+ NULL, "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun",
+};
+
+static const struct option time_opts[] = {
+ {"datestart", true, NULL, 'D'},
+ {"datestop", true, NULL, 'E'},
+ {"timestart", true, NULL, 'X'},
+ {"timestop", true, NULL, 'Y'},
+ {"weekdays", true, NULL, 'w'},
+ {"monthdays", true, NULL, 'm'},
+ {"localtz", false, NULL, 'l'},
+ {"utc", false, NULL, 'u'},
+ { .name = NULL }
+};
+
+static void time_help(void)
+{
+ printf(
+"time match options:\n"
+" --datestart time Start and stop time, to be given in ISO 8601\n"
+" --datestop time (YYYY[-MM[-DD[Thh[:mm[:ss]]]]])\n"
+" --timestart time Start and stop daytime (hh:mm[:ss])\n"
+" --timestop time (between 00:00:00 and 23:59:59)\n"
+"[!] --monthdays value List of days on which to match, separated by comma\n"
+" (Possible days: 1 to 31; defaults to all)\n"
+"[!] --weekdays value List of weekdays on which to match, sep. by comma\n"
+" (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7\n"
+" Defaults to all weekdays.)\n"
+" --localtz/--utc Time is interpreted as UTC/local time\n");
+}
+
+static void time_init(struct xt_entry_match *m)
+{
+ struct xt_time_info *info = (void *)m->data;
+
+ /* By default, we match on every day, every daytime */
+ info->monthdays_match = XT_TIME_ALL_MONTHDAYS;
+ info->weekdays_match = XT_TIME_ALL_WEEKDAYS;
+ info->daytime_start = XT_TIME_MIN_DAYTIME;
+ info->daytime_stop = XT_TIME_MAX_DAYTIME;
+
+ /* ...and have no date-begin or date-end boundary */
+ info->date_start = 0;
+ info->date_stop = INT_MAX;
+
+ /* local time is default */
+ info->flags |= XT_TIME_LOCAL_TZ;
+}
+
+static time_t time_parse_date(const char *s, bool end)
+{
+ unsigned int month = 1, day = 1, hour = 0, minute = 0, second = 0;
+ unsigned int year = end ? 2038 : 1970;
+ const char *os = s;
+ struct tm tm;
+ time_t ret;
+ char *e;
+
+ year = strtoul(s, &e, 10);
+ if ((*e != '-' && *e != '\0') || year < 1970 || year > 2038)
+ goto out;
+ if (*e == '\0')
+ goto eval;
+
+ s = e + 1;
+ month = strtoul(s, &e, 10);
+ if ((*e != '-' && *e != '\0') || month > 12)
+ goto out;
+ if (*e == '\0')
+ goto eval;
+
+ s = e + 1;
+ day = strtoul(s, &e, 10);
+ if ((*e != 'T' && *e != '\0') || day > 31)
+ goto out;
+ if (*e == '\0')
+ goto eval;
+
+ s = e + 1;
+ hour = strtoul(s, &e, 10);
+ if ((*e != ':' && *e != '\0') || hour > 23)
+ goto out;
+ if (*e == '\0')
+ goto eval;
+
+ s = e + 1;
+ minute = strtoul(s, &e, 10);
+ if ((*e != ':' && *e != '\0') || minute > 59)
+ goto out;
+ if (*e == '\0')
+ goto eval;
+
+ s = e + 1;
+ second = strtoul(s, &e, 10);
+ if (*e != '\0' || second > 59)
+ goto out;
+
+ eval:
+ tm.tm_year = year - 1900;
+ tm.tm_mon = month - 1;
+ tm.tm_mday = day;
+ tm.tm_hour = hour;
+ tm.tm_min = minute;
+ tm.tm_sec = second;
+ ret = mktime(&tm);
+ if (ret >= 0)
+ return ret;
+ perror("mktime");
+ xtables_error(OTHER_PROBLEM, "mktime returned an error");
+
+ out:
+ xtables_error(PARAMETER_PROBLEM, "Invalid date \"%s\" specified. Should "
+ "be YYYY[-MM[-DD[Thh[:mm[:ss]]]]]", os);
+ return -1;
+}
+
+static unsigned int time_parse_minutes(const char *s)
+{
+ unsigned int hour, minute, second = 0;
+ char *e;
+
+ hour = strtoul(s, &e, 10);
+ if (*e != ':' || hour > 23)
+ goto out;
+
+ s = e + 1;
+ minute = strtoul(s, &e, 10);
+ if ((*e != ':' && *e != '\0') || minute > 59)
+ goto out;
+ if (*e == '\0')
+ goto eval;
+
+ s = e + 1;
+ second = strtoul(s, &e, 10);
+ if (*e != '\0' || second > 59)
+ goto out;
+
+ eval:
+ return 60 * 60 * hour + 60 * minute + second;
+
+ out:
+ xtables_error(PARAMETER_PROBLEM, "invalid time \"%s\" specified, "
+ "should be hh:mm[:ss] format and within the boundaries", s);
+ return -1;
+}
+
+static const char *my_strseg(char *buf, unsigned int buflen,
+ const char **arg, char delim)
+{
+ const char *sep;
+
+ if (*arg == NULL || **arg == '\0')
+ return NULL;
+ sep = strchr(*arg, delim);
+ if (sep == NULL) {
+ snprintf(buf, buflen, "%s", *arg);
+ *arg = NULL;
+ return buf;
+ }
+ snprintf(buf, buflen, "%.*s", (unsigned int)(sep - *arg), *arg);
+ *arg = sep + 1;
+ return buf;
+}
+
+static uint32_t time_parse_monthdays(const char *arg)
+{
+ char day[3], *err = NULL;
+ uint32_t ret = 0;
+ unsigned int i;
+
+ while (my_strseg(day, sizeof(day), &arg, ',') != NULL) {
+ i = strtoul(day, &err, 0);
+ if ((*err != ',' && *err != '\0') || i > 31)
+ xtables_error(PARAMETER_PROBLEM,
+ "%s is not a valid day for --monthdays", day);
+ ret |= 1 << i;
+ }
+
+ return ret;
+}
+
+static unsigned int time_parse_weekdays(const char *arg)
+{
+ char day[4], *err = NULL;
+ unsigned int i, ret = 0;
+ bool valid;
+
+ while (my_strseg(day, sizeof(day), &arg, ',') != NULL) {
+ i = strtoul(day, &err, 0);
+ if (*err == '\0') {
+ if (i == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "No, the week does NOT begin with Sunday.");
+ ret |= 1 << i;
+ continue;
+ }
+
+ valid = false;
+ for (i = 1; i < ARRAY_SIZE(week_days); ++i)
+ if (strncmp(day, week_days[i], 2) == 0) {
+ ret |= 1 << i;
+ valid = true;
+ }
+
+ if (!valid)
+ xtables_error(PARAMETER_PROBLEM,
+ "%s is not a valid day specifier", day);
+ }
+
+ return ret;
+}
+
+static int time_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_time_info *info = (void *)(*match)->data;
+
+ switch (c) {
+ case 'D': /* --datestart */
+ if (*flags & F_DATE_START)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --datestart twice");
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected \"!\" with --datestart");
+ info->date_start = time_parse_date(optarg, false);
+ *flags |= F_DATE_START;
+ return 1;
+ case 'E': /* --datestop */
+ if (*flags & F_DATE_STOP)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --datestop more than once");
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "unexpected \"!\" with --datestop");
+ info->date_stop = time_parse_date(optarg, true);
+ *flags |= F_DATE_STOP;
+ return 1;
+ case 'X': /* --timestart */
+ if (*flags & F_TIME_START)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --timestart more than once");
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected \"!\" with --timestart");
+ info->daytime_start = time_parse_minutes(optarg);
+ *flags |= F_TIME_START;
+ return 1;
+ case 'Y': /* --timestop */
+ if (*flags & F_TIME_STOP)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --timestop more than once");
+ if (invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected \"!\" with --timestop");
+ info->daytime_stop = time_parse_minutes(optarg);
+ *flags |= F_TIME_STOP;
+ return 1;
+ case 'l': /* --localtz */
+ if (*flags & F_TIMEZONE)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can only specify exactly one of --localtz or --utc");
+ info->flags |= XT_TIME_LOCAL_TZ;
+ *flags |= F_TIMEZONE;
+ return 1;
+ case 'm': /* --monthdays */
+ if (*flags & F_MONTHDAYS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --monthdays more than once");
+ info->monthdays_match = time_parse_monthdays(optarg);
+ if (invert)
+ info->monthdays_match ^= XT_TIME_ALL_MONTHDAYS;
+ *flags |= F_MONTHDAYS;
+ return 1;
+ case 'w': /* --weekdays */
+ if (*flags & F_WEEKDAYS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --weekdays more than once");
+ info->weekdays_match = time_parse_weekdays(optarg);
+ if (invert)
+ info->weekdays_match ^= XT_TIME_ALL_WEEKDAYS;
+ *flags |= F_WEEKDAYS;
+ return 1;
+ case 'u': /* --utc */
+ if (*flags & F_TIMEZONE)
+ xtables_error(PARAMETER_PROBLEM,
+ "Can only specify exactly one of --localtz or --utc");
+ info->flags &= ~XT_TIME_LOCAL_TZ;
+ *flags |= F_TIMEZONE;
+ return 1;
+ }
+ return 0;
+}
+
+static void time_print_date(time_t date, const char *command)
+{
+ struct tm *t;
+
+ /* If it is the default value, do not print it. */
+ if (date == 0 || date == LONG_MAX)
+ return;
+
+ t = localtime(&date);
+ if (command != NULL)
+ /*
+ * Need a contiguous string (no whitespaces), hence using
+ * the ISO 8601 "T" variant.
+ */
+ printf("%s %04u-%02u-%02uT%02u:%02u:%02u ",
+ command, t->tm_year + 1900, t->tm_mon + 1,
+ t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
+ else
+ printf("%04u-%02u-%02u %02u:%02u:%02u ",
+ t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
+ t->tm_hour, t->tm_min, t->tm_sec);
+}
+
+static void time_print_monthdays(uint32_t mask, bool human_readable)
+{
+ unsigned int i, nbdays = 0;
+
+ for (i = 1; i <= 31; ++i)
+ if (mask & (1 << i)) {
+ if (nbdays++ > 0)
+ printf(",");
+ printf("%u", i);
+ if (human_readable)
+ switch (i % 10) {
+ case 1:
+ printf("st");
+ break;
+ case 2:
+ printf("nd");
+ break;
+ case 3:
+ printf("rd");
+ break;
+ default:
+ printf("th");
+ break;
+ }
+ }
+ printf(" ");
+}
+
+static void time_print_weekdays(unsigned int mask)
+{
+ unsigned int i, nbdays = 0;
+
+ for (i = 1; i <= 7; ++i)
+ if (mask & (1 << i)) {
+ if (nbdays > 0)
+ printf(",%s", week_days[i]);
+ else
+ printf("%s", week_days[i]);
+ ++nbdays;
+ }
+ printf(" ");
+}
+
+static inline void divide_time(unsigned int fulltime, unsigned int *hours,
+ unsigned int *minutes, unsigned int *seconds)
+{
+ *seconds = fulltime % 60;
+ fulltime /= 60;
+ *minutes = fulltime % 60;
+ *hours = fulltime / 60;
+}
+
+static void time_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_time_info *info = (const void *)match->data;
+ unsigned int h, m, s;
+
+ printf("TIME ");
+
+ if (info->daytime_start != XT_TIME_MIN_DAYTIME ||
+ info->daytime_stop != XT_TIME_MAX_DAYTIME) {
+ divide_time(info->daytime_start, &h, &m, &s);
+ printf("from %02u:%02u:%02u ", h, m, s);
+ divide_time(info->daytime_stop, &h, &m, &s);
+ printf("to %02u:%02u:%02u ", h, m, s);
+ }
+ if (info->weekdays_match != XT_TIME_ALL_WEEKDAYS) {
+ printf("on ");
+ time_print_weekdays(info->weekdays_match);
+ }
+ if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) {
+ printf("on ");
+ time_print_monthdays(info->monthdays_match, true);
+ }
+ if (info->date_start != 0) {
+ printf("starting from ");
+ time_print_date(info->date_start, NULL);
+ }
+ if (info->date_stop != INT_MAX) {
+ printf("until date ");
+ time_print_date(info->date_stop, NULL);
+ }
+ if (!(info->flags & XT_TIME_LOCAL_TZ))
+ printf("UTC ");
+}
+
+static void time_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_time_info *info = (const void *)match->data;
+ unsigned int h, m, s;
+
+ if (info->daytime_start != XT_TIME_MIN_DAYTIME ||
+ info->daytime_stop != XT_TIME_MAX_DAYTIME) {
+ divide_time(info->daytime_start, &h, &m, &s);
+ printf("--timestart %02u:%02u:%02u ", h, m, s);
+ divide_time(info->daytime_stop, &h, &m, &s);
+ printf("--timestop %02u:%02u:%02u ", h, m, s);
+ }
+ if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) {
+ printf("--monthdays ");
+ time_print_monthdays(info->monthdays_match, false);
+ }
+ if (info->weekdays_match != XT_TIME_ALL_WEEKDAYS) {
+ printf("--weekdays ");
+ time_print_weekdays(info->weekdays_match);
+ printf(" ");
+ }
+ time_print_date(info->date_start, "--datestart");
+ time_print_date(info->date_stop, "--datestop");
+ if (!(info->flags & XT_TIME_LOCAL_TZ))
+ printf("--utc ");
+}
+
+static struct xtables_match time_match = {
+ .name = "time",
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_time_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_time_info)),
+ .help = time_help,
+ .init = time_init,
+ .parse = time_parse,
+ .print = time_print,
+ .save = time_save,
+ .extra_opts = time_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&time_match);
+}
diff --git a/extensions/libxt_time.man b/extensions/libxt_time.man
new file mode 100644
index 0000000..83625a2
--- /dev/null
+++ b/extensions/libxt_time.man
@@ -0,0 +1,69 @@
+This matches if the packet arrival time/date is within a given range. All
+options are optional, but are ANDed when specified.
+.TP
+\fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
+.TP
+\fB\-\-datestop\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
+.IP
+Only match during the given time, which must be in ISO 8601 "T" notation.
+The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
+.IP
+If \-\-datestart or \-\-datestop are not specified, it will default to 1970-01-01
+and 2038-01-19, respectively.
+.TP
+\fB\-\-timestart\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
+.TP
+\fB\-\-timestop\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
+.IP
+Only match during the given daytime. The possible time range is 00:00:00 to
+23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted
+as base-10.
+.TP
+[\fB!\fR] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
+.IP
+Only match on the given days of the month. Possible values are \fB1\fR
+to \fB31\fR. Note that specifying \fB31\fR will of course not match
+on months which do not have a 31st day; the same goes for 28- or 29-day
+February.
+.TP
+[\fB!\fR] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
+.IP
+Only match on the given weekdays. Possible values are \fBMon\fR, \fBTue\fR,
+\fBWed\fR, \fBThu\fR, \fBFri\fR, \fBSat\fR, \fBSun\fR, or values from \fB1\fR
+to \fB7\fR, respectively. You may also use two-character variants (\fBMo\fP,
+\fBTu\fR, etc.).
+.TP
+\fB\-\-utc\fP
+.IP
+Interpret the times given for \fB\-\-datestart\fP, \fB\-\-datestop\fP,
+\fB\-\-timestart\fP and \fB\-\-timestop\fP to be UTC.
+.TP
+\fB\-\-localtz\fP
+.IP
+Interpret the times given for \fB\-\-datestart\fP, \fB\-\-datestop\fP,
+\fB\-\-timestart\fP and \fB\-\-timestop\fP to be local kernel time. (Default)
+.PP
+EXAMPLES. To match on weekends, use:
+.IP
+\-m time \-\-weekdays Sa,Su
+.PP
+Or, to match (once) on a national holiday block:
+.IP
+\-m time \-\-datestart 2007\-12\-24 \-\-datestop 2007\-12\-27
+.PP
+Since the stop time is actually inclusive, you would need the following stop
+time to not match the first second of the new day:
+.IP
+\-m time \-\-datestart 2007\-01\-01T17:00 \-\-datestop 2007\-01\-01T23:59:59
+.PP
+During lunch hour:
+.IP
+\-m time \-\-timestart 12:30 \-\-timestop 13:30
+.PP
+The fourth Friday in the month:
+.IP
+\-m time \-\-weekdays Fr \-\-monthdays 22,23,24,25,26,27,28
+.PP
+(Note that this exploits a certain mathematical property. It is not possible to
+say "fourth Thursday OR fourth Friday" in one rule. It is possible with
+multiple rules, though.)
diff --git a/extensions/libxt_tos.c b/extensions/libxt_tos.c
new file mode 100644
index 0000000..6b8cd89
--- /dev/null
+++ b/extensions/libxt_tos.c
@@ -0,0 +1,178 @@
+/*
+ * Shared library add-on to iptables to add tos match support
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <netdb.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_dscp.h>
+#include "tos_values.c"
+
+struct ipt_tos_info {
+ u_int8_t tos;
+ u_int8_t invert;
+};
+
+enum {
+ FLAG_TOS = 1 << 0,
+};
+
+static const struct option tos_mt_opts[] = {
+ {.name = "tos", .has_arg = true, .val = 't'},
+ { .name = NULL }
+};
+
+static void tos_mt_help(void)
+{
+ const struct tos_symbol_info *symbol;
+
+ printf(
+"tos match options:\n"
+"[!] --tos value[/mask] Match Type of Service/Priority field value\n"
+"[!] --tos symbol Match TOS field (IPv4 only) by symbol\n"
+" Accepted symbolic names for value are:\n");
+
+ for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+ printf(" (0x%02x) %2u %s\n",
+ symbol->value, symbol->value, symbol->name);
+
+ printf("\n");
+}
+
+static int tos_mt_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_tos_info *info = (void *)(*match)->data;
+ struct tos_value_mask tvm;
+
+ switch (c) {
+ case 't':
+ xtables_param_act(XTF_ONLY_ONCE, "tos", "--tos", *flags & FLAG_TOS);
+ if (!tos_parse_symbolic(optarg, &tvm, 0xFF))
+ xtables_param_act(XTF_BAD_VALUE, "tos", "--tos", optarg);
+ if (tvm.mask != 0xFF)
+ xtables_error(PARAMETER_PROBLEM, "tos: Your kernel is "
+ "too old to support anything besides /0xFF "
+ "as a mask.");
+ info->tos = tvm.value;
+ if (invert)
+ info->invert = true;
+ *flags |= FLAG_TOS;
+ return true;
+ }
+ return false;
+}
+
+static int tos_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_tos_match_info *info = (void *)(*match)->data;
+ struct tos_value_mask tvm = {.mask = 0xFF};
+
+ switch (c) {
+ case 't':
+ xtables_param_act(XTF_ONLY_ONCE, "tos", "--tos", *flags & FLAG_TOS);
+ if (!tos_parse_symbolic(optarg, &tvm, 0x3F))
+ xtables_param_act(XTF_BAD_VALUE, "tos", "--tos", optarg);
+ info->tos_value = tvm.value;
+ info->tos_mask = tvm.mask;
+ if (invert)
+ info->invert = true;
+ *flags |= FLAG_TOS;
+ return true;
+ }
+ return false;
+}
+
+static void tos_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "tos: --tos parameter required");
+}
+
+static void tos_mt_print_v0(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_tos_info *info = (const void *)match->data;
+
+ printf("tos match ");
+ if (info->invert)
+ printf("!");
+ if (numeric || !tos_try_print_symbolic("", info->tos, 0x3F))
+ printf("0x%02x ", info->tos);
+}
+
+static void tos_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_tos_match_info *info = (const void *)match->data;
+
+ printf("tos match ");
+ if (info->invert)
+ printf("!");
+ if (numeric ||
+ !tos_try_print_symbolic("", info->tos_value, info->tos_mask))
+ printf("0x%02x/0x%02x ", info->tos_value, info->tos_mask);
+}
+
+static void tos_mt_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_tos_info *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+ printf("--tos 0x%02x ", info->tos);
+}
+
+static void tos_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_tos_match_info *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+ printf("--tos 0x%02x/0x%02x ", info->tos_value, info->tos_mask);
+}
+
+static struct xtables_match tos_mt_reg[] = {
+ {
+ .version = XTABLES_VERSION,
+ .name = "tos",
+ .family = NFPROTO_IPV4,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct ipt_tos_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_tos_info)),
+ .help = tos_mt_help,
+ .parse = tos_mt_parse_v0,
+ .final_check = tos_mt_check,
+ .print = tos_mt_print_v0,
+ .save = tos_mt_save_v0,
+ .extra_opts = tos_mt_opts,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "tos",
+ .family = NFPROTO_UNSPEC,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_tos_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)),
+ .help = tos_mt_help,
+ .parse = tos_mt_parse,
+ .final_check = tos_mt_check,
+ .print = tos_mt_print,
+ .save = tos_mt_save,
+ .extra_opts = tos_mt_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(tos_mt_reg, ARRAY_SIZE(tos_mt_reg));
+}
diff --git a/extensions/libxt_tos.man b/extensions/libxt_tos.man
new file mode 100644
index 0000000..ae73e63
--- /dev/null
+++ b/extensions/libxt_tos.man
@@ -0,0 +1,12 @@
+This module matches the 8-bit Type of Service field in the IPv4 header (i.e.
+including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6
+header.
+.TP
+[\fB!\fP] \fB\-\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
+Matches packets with the given TOS mark value. If a mask is specified, it is
+logically ANDed with the TOS mark before the comparison.
+.TP
+[\fB!\fP] \fB\-\-tos\fP \fIsymbol\fP
+You can specify a symbolic name when using the tos match for IPv4. The list of
+recognized TOS names can be obtained by calling iptables with \fB\-m tos \-h\fP.
+Note that this implies a mask of 0x3F, i.e. all but the ECN bits.
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
new file mode 100644
index 0000000..9a61c8a
--- /dev/null
+++ b/extensions/libxt_u32.c
@@ -0,0 +1,284 @@
+/* Shared library add-on to iptables to add u32 matching,
+ * generalized matching on values found at packet offsets
+ *
+ * Detailed doc is in the kernel module source
+ * net/netfilter/xt_u32.c
+ *
+ * (C) 2002 by Don Cohen <don-netf@isis.cs3-inc.com>
+ * Released under the terms of GNU GPL v2
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: <jengelh@computergmbh.de>
+ */
+#include <sys/types.h>
+#include <ctype.h>
+#include <errno.h>
+#include <getopt.h>
+#include <netdb.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_u32.h>
+
+static const struct option u32_opts[] = {
+ {"u32", 1, NULL, 'u'},
+ { .name = NULL }
+};
+
+static void u32_help(void)
+{
+ printf(
+ "u32 match options:\n"
+ "[!] --u32 tests\n"
+ "\t\t""tests := location \"=\" value | tests \"&&\" location \"=\" value\n"
+ "\t\t""value := range | value \",\" range\n"
+ "\t\t""range := number | number \":\" number\n"
+ "\t\t""location := number | location operator number\n"
+ "\t\t""operator := \"&\" | \"<<\" | \">>\" | \"@\"\n");
+}
+
+static void u32_dump(const struct xt_u32 *data)
+{
+ const struct xt_u32_test *ct;
+ unsigned int testind, i;
+
+ for (testind = 0; testind < data->ntests; ++testind) {
+ ct = &data->tests[testind];
+
+ if (testind > 0)
+ printf("&&");
+
+ printf("0x%x", ct->location[0].number);
+ for (i = 1; i < ct->nnums; ++i) {
+ switch (ct->location[i].nextop) {
+ case XT_U32_AND:
+ printf("&");
+ break;
+ case XT_U32_LEFTSH:
+ printf("<<");
+ break;
+ case XT_U32_RIGHTSH:
+ printf(">>");
+ break;
+ case XT_U32_AT:
+ printf("@");
+ break;
+ }
+ printf("0x%x", ct->location[i].number);
+ }
+
+ printf("=");
+ for (i = 0; i < ct->nvalues; ++i) {
+ if (i > 0)
+ printf(",");
+ if (ct->value[i].min == ct->value[i].max)
+ printf("0x%x", ct->value[i].min);
+ else
+ printf("0x%x:0x%x", ct->value[i].min,
+ ct->value[i].max);
+ }
+ }
+ printf(" ");
+}
+
+/* string_to_number() is not quite what we need here ... */
+static u_int32_t parse_number(char **s, int pos)
+{
+ u_int32_t number;
+ char *end;
+
+ errno = 0;
+ number = strtoul(*s, &end, 0);
+ if (end == *s)
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %d: expected number", pos);
+ if (errno != 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %d: error reading number", pos);
+ *s = end;
+ return number;
+}
+
+static int u32_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_u32 *data = (void *)(*match)->data;
+ unsigned int testind = 0, locind = 0, valind = 0;
+ struct xt_u32_test *ct = &data->tests[testind]; /* current test */
+ char *arg = optarg; /* the argument string */
+ char *start = arg;
+ int state = 0;
+
+ if (c != 'u')
+ return 0;
+
+ data->invert = invert;
+
+ /*
+ * states:
+ * 0 = looking for numbers and operations,
+ * 1 = looking for ranges
+ */
+ while (1) {
+ /* read next operand/number or range */
+ while (isspace(*arg))
+ ++arg;
+
+ if (*arg == '\0') {
+ /* end of argument found */
+ if (state == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: abrupt end of input after location specifier");
+ if (valind == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: test ended with no value specified");
+
+ ct->nnums = locind;
+ ct->nvalues = valind;
+ data->ntests = ++testind;
+
+ if (testind > XT_U32_MAXSIZE)
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: too many \"&&\"s",
+ (unsigned int)(arg - start));
+ return 1;
+ }
+
+ if (state == 0) {
+ /*
+ * reading location: read a number if nothing read yet,
+ * otherwise either op number or = to end location spec
+ */
+ if (*arg == '=') {
+ if (locind == 0) {
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: "
+ "location spec missing",
+ (unsigned int)(arg - start));
+ } else {
+ ++arg;
+ state = 1;
+ }
+ } else {
+ if (locind != 0) {
+ /* need op before number */
+ if (*arg == '&') {
+ ct->location[locind].nextop = XT_U32_AND;
+ } else if (*arg == '<') {
+ if (*++arg != '<')
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: a second '<' was expected", (unsigned int)(arg - start));
+ ct->location[locind].nextop = XT_U32_LEFTSH;
+ } else if (*arg == '>') {
+ if (*++arg != '>')
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: a second '>' was expected", (unsigned int)(arg - start));
+ ct->location[locind].nextop = XT_U32_RIGHTSH;
+ } else if (*arg == '@') {
+ ct->location[locind].nextop = XT_U32_AT;
+ } else {
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: operator expected", (unsigned int)(arg - start));
+ }
+ ++arg;
+ }
+ /* now a number; string_to_number skips white space? */
+ ct->location[locind].number =
+ parse_number(&arg, arg - start);
+ if (++locind > XT_U32_MAXSIZE)
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: too many operators", (unsigned int)(arg - start));
+ }
+ } else {
+ /*
+ * state 1 - reading values: read a range if nothing
+ * read yet, otherwise either ,range or && to end
+ * test spec
+ */
+ if (*arg == '&') {
+ if (*++arg != '&')
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: a second '&' was expected", (unsigned int)(arg - start));
+ if (valind == 0) {
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: value spec missing", (unsigned int)(arg - start));
+ } else {
+ ct->nnums = locind;
+ ct->nvalues = valind;
+ ct = &data->tests[++testind];
+ if (testind > XT_U32_MAXSIZE)
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: too many \"&&\"s", (unsigned int)(arg - start));
+ ++arg;
+ state = 0;
+ locind = 0;
+ valind = 0;
+ }
+ } else { /* read value range */
+ if (valind > 0) { /* need , before number */
+ if (*arg != ',')
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: expected \",\" or \"&&\"", (unsigned int)(arg - start));
+ ++arg;
+ }
+ ct->value[valind].min =
+ parse_number(&arg, arg - start);
+
+ while (isspace(*arg))
+ ++arg;
+
+ if (*arg == ':') {
+ ++arg;
+ ct->value[valind].max =
+ parse_number(&arg, arg-start);
+ } else {
+ ct->value[valind].max =
+ ct->value[valind].min;
+ }
+
+ if (++valind > XT_U32_MAXSIZE)
+ xtables_error(PARAMETER_PROBLEM,
+ "u32: at char %u: too many \",\"s", (unsigned int)(arg - start));
+ }
+ }
+ }
+}
+
+static void u32_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_u32 *data = (const void *)match->data;
+ printf("u32 ");
+ if (data->invert)
+ printf("! ");
+ u32_dump(data);
+}
+
+static void u32_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_u32 *data = (const void *)match->data;
+ if (data->invert)
+ printf("! ");
+ printf("--u32 ");
+ u32_dump(data);
+}
+
+static struct xtables_match u32_match = {
+ .name = "u32",
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_u32)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_u32)),
+ .help = u32_help,
+ .parse = u32_parse,
+ .print = u32_print,
+ .save = u32_save,
+ .extra_opts = u32_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&u32_match);
+}
diff --git a/extensions/libxt_u32.man b/extensions/libxt_u32.man
new file mode 100644
index 0000000..2ffab30
--- /dev/null
+++ b/extensions/libxt_u32.man
@@ -0,0 +1,129 @@
+U32 tests whether quantities of up to 4 bytes extracted from a packet have
+specified values. The specification of what to extract is general enough to
+find data at given offsets from tcp headers or payloads.
+.TP
+[\fB!\fP] \fB\-\-u32\fP \fItests\fP
+The argument amounts to a program in a small language described below.
+.IP
+tests := location "=" value | tests "&&" location "=" value
+.IP
+value := range | value "," range
+.IP
+range := number | number ":" number
+.PP
+a single number, \fIn\fR, is interpreted the same as \fIn:n\fR. \fIn:m\fR is
+interpreted as the range of numbers \fB>=n\fR and \fB<=m\fR.
+.IP "" 4
+location := number | location operator number
+.IP "" 4
+operator := "&" | "<<" | ">>" | "@"
+.PP
+The operators \fB&\fR, \fB<<\fR, \fB>>\fR and \fB&&\fR mean the same as in C.
+The \fB=\fR is really a set membership operator and the value syntax describes
+a set. The \fB@\fR operator is what allows moving to the next header and is
+described further below.
+.PP
+There are currently some artificial implementation limits on the size of the
+tests:
+.IP " *"
+no more than 10 of "\fB=\fR" (and 9 "\fB&&\fR"s) in the u32 argument
+.IP " *"
+no more than 10 ranges (and 9 commas) per value
+.IP " *"
+no more than 10 numbers (and 9 operators) per location
+.PP
+To describe the meaning of location, imagine the following machine that
+interprets it. There are three registers:
+.IP
+A is of type \fBchar *\fR, initially the address of the IP header
+.IP
+B and C are unsigned 32 bit integers, initially zero
+.PP
+The instructions are:
+.IP
+number B = number;
+.IP
+C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
+.IP
+&number C = C & number
+.IP
+<< number C = C << number
+.IP
+>> number C = C >> number
+.IP
+@number A = A + C; then do the instruction number
+.PP
+Any access of memory outside [skb\->data,skb\->end] causes the match to fail.
+Otherwise the result of the computation is the final value of C.
+.PP
+Whitespace is allowed but not required in the tests. However, the characters
+that do occur there are likely to require shell quoting, so it is a good idea
+to enclose the arguments in quotes.
+.PP
+Example:
+.IP
+match IP packets with total length >= 256
+.IP
+The IP header contains a total length field in bytes 2-3.
+.IP
+\-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fP"
+.IP
+read bytes 0-3
+.IP
+AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range
+[0x100:0xFFFF]
+.PP
+Example: (more realistic, hence more complicated)
+.IP
+match ICMP packets with icmp type 0
+.IP
+First test that it is an ICMP packet, true iff byte 9 (protocol) = 1
+.IP
+\-\-u32 "\fB6 & 0xFF = 1 &&\fP ...
+.IP
+read bytes 6-9, use \fB&\fR to throw away bytes 6-8 and compare the result to
+1. Next test that it is not a fragment. (If so, it might be part of such a
+packet but we cannot always tell.) N.B.: This test is generally needed if you
+want to match anything beyond the IP header. The last 6 bits of byte 6 and all
+of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively,
+you can allow first fragments by only testing the last 5 bits of byte 6.
+.IP
+ ... \fB4 & 0x3FFF = 0 &&\fR ...
+.IP
+Last test: the first byte past the IP header (the type) is 0. This is where we
+have to use the @syntax. The length of the IP header (IHL) in 32 bit words is
+stored in the right half of byte 0 of the IP header itself.
+.IP
+ ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fR"
+.IP
+The first 0 means read bytes 0-3, \fB>>22\fR means shift that 22 bits to the
+right. Shifting 24 bits would give the first byte, so only 22 bits is four
+times that plus a few more bits. \fB&3C\fR then eliminates the two extra bits
+on the right and the first four bits of the first byte. For instance, if IHL=5,
+then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
+binary) xxxx0101 yyzzzzzz, \fB>>22\fR gives the 10 bit value xxxx0101yy and
+\fB&3C\fR gives 010100. \fB@\fR means to use this number as a new offset into
+the packet, and read four bytes starting from there. This is the first 4 bytes
+of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply
+shift the value 24 to the right to throw out all but the first byte and compare
+the result with 0.
+.PP
+Example:
+.IP
+TCP payload bytes 8-12 is any of 1, 2, 5 or 8
+.IP
+First we test that the packet is a tcp packet (similar to ICMP).
+.IP
+\-\-u32 "\fB6 & 0xFF = 6 &&\fP ...
+.IP
+Next, test that it is not a fragment (same as above).
+.IP
+ ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fR"
+.IP
+\fB0>>22&3C\fR as above computes the number of bytes in the IP header. \fB@\fR
+makes this the new offset into the packet, which is the start of the TCP
+header. The length of the TCP header (again in 32 bit words) is the left half
+of byte 12 of the TCP header. The \fB12>>26&3C\fR computes this length in bytes
+(similar to the IP header before). "@" makes this the new offset, which is the
+start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and
+\fB=\fR checks whether the result is any of 1, 2, 5 or 8.
diff --git a/extensions/libxt_udp.c b/extensions/libxt_udp.c
new file mode 100644
index 0000000..135e7af
--- /dev/null
+++ b/extensions/libxt_udp.c
@@ -0,0 +1,211 @@
+/* Shared library add-on to iptables to add UDP support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <netinet/in.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_tcpudp.h>
+
+static void udp_help(void)
+{
+ printf(
+"udp match options:\n"
+"[!] --source-port port[:port]\n"
+" --sport ...\n"
+" match source port(s)\n"
+"[!] --destination-port port[:port]\n"
+" --dport ...\n"
+" match destination port(s)\n");
+}
+
+static const struct option udp_opts[] = {
+ { "source-port", 1, NULL, '1' },
+ { "sport", 1, NULL, '1' }, /* synonym */
+ { "destination-port", 1, NULL, '2' },
+ { "dport", 1, NULL, '2' }, /* synonym */
+ { .name = NULL }
+};
+
+static void
+parse_udp_ports(const char *portstring, u_int16_t *ports)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(portstring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ports[0] = ports[1] = xtables_parse_port(buffer, "udp");
+ else {
+ *cp = '\0';
+ cp++;
+
+ ports[0] = buffer[0] ? xtables_parse_port(buffer, "udp") : 0;
+ ports[1] = cp[0] ? xtables_parse_port(cp, "udp") : 0xFFFF;
+
+ if (ports[0] > ports[1])
+ xtables_error(PARAMETER_PROBLEM,
+ "invalid portrange (min > max)");
+ }
+ free(buffer);
+}
+
+static void udp_init(struct xt_entry_match *m)
+{
+ struct xt_udp *udpinfo = (struct xt_udp *)m->data;
+
+ udpinfo->spts[1] = udpinfo->dpts[1] = 0xFFFF;
+}
+
+#define UDP_SRC_PORTS 0x01
+#define UDP_DST_PORTS 0x02
+
+static int
+udp_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_udp *udpinfo = (struct xt_udp *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & UDP_SRC_PORTS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--source-port' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_udp_ports(optarg, udpinfo->spts);
+ if (invert)
+ udpinfo->invflags |= XT_UDP_INV_SRCPT;
+ *flags |= UDP_SRC_PORTS;
+ break;
+
+ case '2':
+ if (*flags & UDP_DST_PORTS)
+ xtables_error(PARAMETER_PROBLEM,
+ "Only one `--destination-port' allowed");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_udp_ports(optarg, udpinfo->dpts);
+ if (invert)
+ udpinfo->invflags |= XT_UDP_INV_DSTPT;
+ *flags |= UDP_DST_PORTS;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static char *
+port_to_service(int port)
+{
+ struct servent *service;
+
+ if ((service = getservbyport(htons(port), "udp")))
+ return service->s_name;
+
+ return NULL;
+}
+
+static void
+print_port(u_int16_t port, int numeric)
+{
+ char *service;
+
+ if (numeric || (service = port_to_service(port)) == NULL)
+ printf("%u", port);
+ else
+ printf("%s", service);
+}
+
+static void
+print_ports(const char *name, u_int16_t min, u_int16_t max,
+ int invert, int numeric)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFF || invert) {
+ printf("%s", name);
+ if (min == max) {
+ printf(":%s", inv);
+ print_port(min, numeric);
+ } else {
+ printf("s:%s", inv);
+ print_port(min, numeric);
+ printf(":");
+ print_port(max, numeric);
+ }
+ printf(" ");
+ }
+}
+
+static void
+udp_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_udp *udp = (struct xt_udp *)match->data;
+
+ printf("udp ");
+ print_ports("spt", udp->spts[0], udp->spts[1],
+ udp->invflags & XT_UDP_INV_SRCPT,
+ numeric);
+ print_ports("dpt", udp->dpts[0], udp->dpts[1],
+ udp->invflags & XT_UDP_INV_DSTPT,
+ numeric);
+ if (udp->invflags & ~XT_UDP_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ udp->invflags & ~XT_UDP_INV_MASK);
+}
+
+static void udp_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_udp *udpinfo = (struct xt_udp *)match->data;
+
+ if (udpinfo->spts[0] != 0
+ || udpinfo->spts[1] != 0xFFFF) {
+ if (udpinfo->invflags & XT_UDP_INV_SRCPT)
+ printf("! ");
+ if (udpinfo->spts[0]
+ != udpinfo->spts[1])
+ printf("--sport %u:%u ",
+ udpinfo->spts[0],
+ udpinfo->spts[1]);
+ else
+ printf("--sport %u ",
+ udpinfo->spts[0]);
+ }
+
+ if (udpinfo->dpts[0] != 0
+ || udpinfo->dpts[1] != 0xFFFF) {
+ if (udpinfo->invflags & XT_UDP_INV_DSTPT)
+ printf("! ");
+ if (udpinfo->dpts[0]
+ != udpinfo->dpts[1])
+ printf("--dport %u:%u ",
+ udpinfo->dpts[0],
+ udpinfo->dpts[1]);
+ else
+ printf("--dport %u ",
+ udpinfo->dpts[0]);
+ }
+}
+
+static struct xtables_match udp_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "udp",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_udp)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_udp)),
+ .help = udp_help,
+ .init = udp_init,
+ .parse = udp_parse,
+ .print = udp_print,
+ .save = udp_save,
+ .extra_opts = udp_opts,
+};
+
+void
+_init(void)
+{
+ xtables_register_match(&udp_match);
+}
diff --git a/extensions/libxt_udp.man b/extensions/libxt_udp.man
new file mode 100644
index 0000000..5339c8e
--- /dev/null
+++ b/extensions/libxt_udp.man
@@ -0,0 +1,14 @@
+These extensions can be used if `\-\-protocol udp' is specified. It
+provides the following options:
+.TP
+[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
+Source port or port range specification.
+See the description of the
+\fB\-\-source\-port\fP
+option of the TCP extension for details.
+.TP
+[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
+Destination port or port range specification.
+See the description of the
+\fB\-\-destination\-port\fP
+option of the TCP extension for details.
diff --git a/extensions/tos_values.c b/extensions/tos_values.c
new file mode 100644
index 0000000..e8f1563
--- /dev/null
+++ b/extensions/tos_values.c
@@ -0,0 +1,96 @@
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <linux/ip.h>
+
+#ifndef IPTOS_NORMALSVC
+# define IPTOS_NORMALSVC 0
+#endif
+
+struct tos_value_mask {
+ uint8_t value, mask;
+};
+
+static const struct tos_symbol_info {
+ unsigned char value;
+ const char *name;
+} tos_symbol_names[] = {
+ {IPTOS_LOWDELAY, "Minimize-Delay"},
+ {IPTOS_THROUGHPUT, "Maximize-Throughput"},
+ {IPTOS_RELIABILITY, "Maximize-Reliability"},
+ {IPTOS_MINCOST, "Minimize-Cost"},
+ {IPTOS_NORMALSVC, "Normal-Service"},
+ { .name = NULL }
+};
+
+/*
+ * tos_parse_numeric - parse sth. like "15/255"
+ *
+ * @s: input string
+ * @info: accompanying structure
+ * @bits: number of bits that are allowed
+ * (8 for IPv4 TOS field, 4 for IPv6 Priority Field)
+ */
+static bool tos_parse_numeric(const char *str, struct tos_value_mask *tvm,
+ unsigned int bits)
+{
+ const unsigned int max = (1 << bits) - 1;
+ unsigned int value;
+ char *end;
+
+ xtables_strtoui(str, &end, &value, 0, max);
+ tvm->value = value;
+ tvm->mask = max;
+
+ if (*end == '/') {
+ const char *p = end + 1;
+
+ if (!xtables_strtoui(p, &end, &value, 0, max))
+ xtables_error(PARAMETER_PROBLEM, "Illegal value: \"%s\"",
+ str);
+ tvm->mask = value;
+ }
+
+ if (*end != '\0')
+ xtables_error(PARAMETER_PROBLEM, "Illegal value: \"%s\"", str);
+ return true;
+}
+
+static bool tos_parse_symbolic(const char *str, struct tos_value_mask *tvm,
+ unsigned int def_mask)
+{
+ const unsigned int max = UINT8_MAX;
+ const struct tos_symbol_info *symbol;
+ char *tmp;
+
+ if (xtables_strtoui(str, &tmp, NULL, 0, max))
+ return tos_parse_numeric(str, tvm, max);
+
+ /* Do not consider ECN bits */
+ tvm->mask = def_mask;
+ for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+ if (strcasecmp(str, symbol->name) == 0) {
+ tvm->value = symbol->value;
+ return true;
+ }
+
+ xtables_error(PARAMETER_PROBLEM, "Symbolic name \"%s\" is unknown", str);
+ return false;
+}
+
+static bool tos_try_print_symbolic(const char *prefix,
+ u_int8_t value, u_int8_t mask)
+{
+ const struct tos_symbol_info *symbol;
+
+ if (mask != 0x3F)
+ return false;
+
+ for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+ if (value == symbol->value) {
+ printf("%s%s ", prefix, symbol->name);
+ return true;
+ }
+
+ return false;
+}