SOURCES: iptables-tproxy.patch (NEW) - new from http://www.balabit.com/down...
dzeus
dzeus at pld-linux.org
Tue May 13 07:45:46 CEST 2008
Author: dzeus Date: Tue May 13 05:45:46 2008 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- new from http://www.balabit.com/downloads/files/tproxy/
---- Files affected:
SOURCES:
iptables-tproxy.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/iptables-tproxy.patch
diff -u /dev/null SOURCES/iptables-tproxy.patch:1.1
--- /dev/null Tue May 13 07:45:46 2008
+++ SOURCES/iptables-tproxy.patch Tue May 13 07:45:41 2008
@@ -0,0 +1,228 @@
+--- extensions/.TPROXY-test
++++ extensions/.TPROXY-test
+@@ -0,0 +1,2 @@
++#! /bin/sh
++[ -f $KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h ] && echo tproxy
+--- extensions/libxt_TPROXY.c (revision 0)
++++ extensions/libxt_TPROXY.c (revision 0)
+@@ -0,0 +1,155 @@
++/*
++ * Shared library add-on to iptables to add TPROXY target support.
++ *
++ * Copyright (C) 2002-2007 BalaBit IT Ltd.
++ */
++#include <getopt.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <limits.h>
++
++#include <iptables.h>
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_TPROXY.h>
++
++static const struct option tproxy_tg_opts[] = {
++ {"on-port", true, NULL, '1'},
++ {"on-ip", true, NULL, '2'},
++ {"tproxy-mark", true, NULL, '3'},
++ { .name = NULL },
++};
++
++#define PARAM_ONPORT 1
++#define PARAM_ONIP 2
++#define PARAM_MARK 4
++
++static void tproxy_tg_help(void)
++{
++ printf(
++"TPROXY target v%s options:\n"
++" --on-port port Redirect connection to port, or the original port if 0\n"
++" --on-ip ip Optionally redirect to the given IP\n"
++" --tproxy-mark value/mask Mark packets with the given value/mask\n\n",
++IPTABLES_VERSION);
++}
++
++static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info)
++{
++ unsigned int lport;
++
++ if (string_to_number(s, 0, 65535, &lport) != -1)
++ info->lport = htons(lport);
++ else
++ exit_error(PARAMETER_PROBLEM, "bad --on-port \"%s\"", s);
++}
++
++static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info)
++{
++ struct in_addr *laddr;
++
++ if ((laddr = numeric_to_ipaddr(s)) == NULL)
++ exit_error(PARAMETER_PROBLEM, "bad --on-ip \"%s\"", s);
++ info->laddr = laddr->s_addr;
++}
++
++static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
++{
++ unsigned long tmp;
++ char *slash;
++
++ slash = strchr(s, '/');
++ info->mark_mask = ULONG_MAX;
++ if (slash != NULL) {
++ *slash = '\0';
++ if (string_to_number_l(slash + 1, 0, ULONG_MAX, &tmp) < 0)
++ exit_error(PARAMETER_PROBLEM,
++ "bad mask in --tproxy-mark \"%s\"", s);
++ info->mark_mask = tmp;
++ }
++ if (string_to_number_l(s, 0, ULONG_MAX, &tmp) < 0)
++ exit_error(PARAMETER_PROBLEM,
++ "bad value in --tproxy-mark \"%s\"", s);
++ info->mark_value = tmp;
++}
++
++static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_target **target)
++{
++ struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data;
++
++ switch (c) {
++ case '1':
++ if (*flags & PARAM_ONPORT)
++ exit_error(PARAMETER_PROBLEM,
++ "TPROXY target: Can't specify --on-port twice");
++ parse_tproxy_lport(optarg, tproxyinfo);
++ *flags |= PARAM_ONPORT;
++ return 1;
++ case '2':
++ if (*flags & PARAM_ONIP)
++ exit_error(PARAMETER_PROBLEM,
++ "TPROXY target: Can't specify --on-ip twice");
++ parse_tproxy_laddr(optarg, tproxyinfo);
++ *flags |= PARAM_ONIP;
++ return 1;
++ case '3':
++ if (*flags & PARAM_MARK)
++ exit_error(PARAMETER_PROBLEM,
++ "TPROXY target: Can't specify --tproxy-mark twice");
++ parse_tproxy_mark(optarg, tproxyinfo);
++ *flags |= PARAM_MARK;
++ return 1;
++ }
++
++ return 0;
++}
++
++static void tproxy_tg_check(unsigned int flags)
++{
++ if (!(flags & PARAM_ONPORT))
++ exit_error(PARAMETER_PROBLEM,
++ "TPROXY target: Parameter --on-port is required");
++}
++
++static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target,
++ int numeric)
++{
++ const struct xt_tproxy_target_info *info = (const void *)target->data;
++ printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
++ ipaddr_to_numeric((const struct in_addr *)&info->laddr),
++ ntohs(info->lport), (unsigned int)info->mark_value,
++ (unsigned int)info->mark_mask);
++}
++
++static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
++{
++ const struct xt_tproxy_target_info *info = (const void *)target->data;
++
++ printf("--on-port %u ", ntohs(info->lport));
++ printf("--on-ip %s ",
++ ipaddr_to_numeric((const struct in_addr *)&info->laddr));
++ printf("--tproxy-mark 0x%x/0x%x ",
++ (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
++}
++
++static struct xtables_target tproxy_tg_reg = {
++ .name = "TPROXY",
++ .family = AF_INET,
++ .version = IPTABLES_VERSION,
++ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
++ .help = tproxy_tg_help,
++ .parse = tproxy_tg_parse,
++ .final_check = tproxy_tg_check,
++ .print = tproxy_tg_print,
++ .save = tproxy_tg_save,
++ .extra_opts = tproxy_tg_opts,
++};
++
++void _init(void)
++{
++ xtables_register_target(&tproxy_tg_reg);
++}
+Index: extensions/libxt_socket.c
+===================================================================
+--- extensions/libxt_socket.c (revision 0)
++++ extensions/libxt_socket.c (revision 0)
+@@ -0,0 +1,39 @@
++/*
++ * Shared library add-on to iptables to add early socket matching support.
++ *
++ * Copyright (C) 2007-2008 BalaBit IT Ltd.
++ */
++#include <stdio.h>
++#include <getopt.h>
++#include <iptables.h>
++
++static void socket_mt_help(void)
++{
++ printf("socket v%s has no options\n\n", IPTABLES_VERSION);
++}
++
++static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_match **match)
++{
++ return 0;
++}
++
++static void socket_mt_check(unsigned int flags)
++{
++}
++
++static struct xtables_match socket_mt_reg = {
++ .name = "socket",
++ .version = IPTABLES_VERSION,
++ .family = AF_INET,
++ .size = XT_ALIGN(0),
++ .userspacesize = XT_ALIGN(0),
++ .parse = socket_mt_parse,
++ .final_check = socket_mt_check,
++ .help = socket_mt_help,
++};
++
++void _init(void)
++{
++ xtables_register_match(&socket_mt_reg);
++}
+Index: include/linux/netfilter/xt_TPROXY.h
+===================================================================
+--- include/linux/netfilter/xt_TPROXY.h (revision 0)
++++ include/linux/netfilter/xt_TPROXY.h (revision 0)
+@@ -0,0 +1,16 @@
++#ifndef _XT_TPROXY_H_target
++#define _XT_TPROXY_H_target
++
++/*
++ * TPROXY target is capable of marking the packet to perform
++ * redirection. We can get rid of that whenever we get support for
++ * mutliple targets in the same rule.
++ */
++struct xt_tproxy_target_info {
++ u_int32_t mark_mask;
++ u_int32_t mark_value;
++ __be32 laddr;
++ __be16 lport;
++};
++
++#endif /* _XT_TPROXY_H_target */
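Review bot: In parse_tproxy_mark the accepted range does not match the field width: both string_to_number_l() calls are bounded by ULONG_MAX, but xt_tproxy_target_info.mark_value and mark_mask are u_int32_t, so on an LP64 build a value above 0xffffffff passes the check and is silently truncated when stored, and `info->mark_mask = ULONG_MAX;` likewise relies on that truncation to produce an all-ones 32-bit mask. Bounding to the field width makes the rule reject what it cannot represent instead of installing a different mark than the one typed: `info->mark_mask = 0xffffffffUL;`, `if (string_to_number_l(slash + 1, 0, 0xffffffffUL, &tmp) < 0)` and `if (string_to_number_l(s, 0, 0xffffffffUL, &tmp) < 0)`. A smaller point in the same function: `*slash = '\0'` is written before the mask is parsed, so the "bad mask in --tproxy-mark" message prints only the value half of the argument; reporting `slash + 1` (or a saved copy of the full string) would show the text that actually failed. The nested header xt_TPROXY.h also uses __be32/__be16 without including anything that declares them; it presumably compiles only because libxt_TPROXY.c includes linux/netfilter/x_tables.h first, so an `#include <linux/types.h>` in the header would make it self-contained.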
================================================================