SOURCES: iptables-20070806.patch - ACCOUNT and IPMARK moved to separate pat...
zbyniu
zbyniu at pld-linux.org
Wed May 21 23:52:54 CEST 2008
Author: zbyniu Date: Wed May 21 21:52:54 2008 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- ACCOUNT and IPMARK moved to separate patches
- updated for xtables (iptables 1.4.1)
---- Files affected:
SOURCES:
iptables-20070806.patch (1.6 -> 1.7)
---- Diffs:
================================================================
Index: SOURCES/iptables-20070806.patch
diff -u SOURCES/iptables-20070806.patch:1.6 SOURCES/iptables-20070806.patch:1.7
--- SOURCES/iptables-20070806.patch:1.6 Wed Apr 9 19:15:40 2008
+++ SOURCES/iptables-20070806.patch Wed May 21 23:52:49 2008
@@ -1,17 +1,3 @@
-diff -urN iptables-1.3.8/extensions/.ACCOUNT-test iptables/extensions/.ACCOUNT-test
---- iptables-1.3.8/extensions/.ACCOUNT-test 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/.ACCOUNT-test 2007-02-13 15:42:46.000000000 +0100
-@@ -0,0 +1,3 @@
-+#!/bin/sh
-+# True if ACCOUNT is applied.
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ACCOUNT.h ] && echo ACCOUNT
-diff -urN iptables-1.3.8/extensions/.IPMARK-test iptables/extensions/.IPMARK-test
---- iptables-1.3.8/extensions/.IPMARK-test 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/.IPMARK-test 2006-12-04 12:15:19.000000000 +0100
-@@ -0,0 +1,3 @@
-+#!/bin/sh
-+# True if IPMARK patch is applied.
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IPMARK.h ] && echo IPMARK
diff -urN iptables-1.3.8/extensions/.IPV4OPTSSTRIP-test iptables/extensions/.IPV4OPTSSTRIP-test
--- iptables-1.3.8/extensions/.IPV4OPTSSTRIP-test 1970-01-01 01:00:00.000000000 +0100
+++ iptables/extensions/.IPV4OPTSSTRIP-test 2006-12-12 11:34:45.000000000 +0100
@@ -45,402 +31,6 @@
+#!/bin/sh
+# True if ipv4options is applied.
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipv4options.h ] && echo ipv4options
-diff -urN iptables-1.3.8/extensions/libipt_ACCOUNT.c iptables/extensions/libipt_ACCOUNT.c
---- iptables-1.3.8/extensions/libipt_ACCOUNT.c 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/libipt_ACCOUNT.c 2006-10-26 12:17:57.000000000 +0200
-@@ -0,0 +1,171 @@
-+/* Shared library add-on to iptables to add ACCOUNT(ing) support.
-+ Author: Intra2net AG <opensource at intra2net.com>
-+*/
-+
-+#include <stdio.h>
-+#include <netdb.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <syslog.h>
-+#include <getopt.h>
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter_ipv4/ipt_ACCOUNT.h>
-+
-+static struct option opts[] = {
-+ { .name = "addr", .has_arg = 1, .flag = 0, .val = 'a' },
-+ { .name = "tname", .has_arg = 1, .flag = 0, .val = 't' },
-+ { .name = 0 }
-+};
-+
-+/* Function which prints out usage message. */
-+static void help(void)
-+{
-+ printf(
-+"ACCOUNT v%s options:\n"
-+" --%s ip/netmask\t\tBase network IP and netmask used for this table\n"
-+" --%s name\t\t\tTable name for the userspace library\n",
-+IPTABLES_VERSION, opts[0].name, opts[1].name);
-+}
-+
-+/* Initialize the target. */
-+static void
-+init(struct xt_entry_target *t)
-+{
-+ struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)t->data;
-+
-+ accountinfo->table_nr = -1;
-+}
-+
-+#define IPT_ACCOUNT_OPT_ADDR 0x01
-+#define IPT_ACCOUNT_OPT_TABLE 0x02
-+
-+/* Function which parses command options; returns true if it
-+ ate an option */
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const void *entry,
-+ struct xt_entry_target **target)
-+{
-+ struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)(*target)->data;
-+ struct in_addr *addrs = NULL, mask;
-+ unsigned int naddrs = 0;
-+
-+ switch (c) {
-+ case 'a':
-+ if (*flags & IPT_ACCOUNT_OPT_ADDR)
-+ exit_error(PARAMETER_PROBLEM, "Can't specify --%s twice",
-+ opts[0].name);
-+
-+ if (check_inverse(optarg, &invert, NULL, 0))
-+ exit_error(PARAMETER_PROBLEM, "Unexpected `!' after --%s",
-+ opts[0].name);
-+
-+ //loginfo->level = parse_level(optarg);
-+ parse_hostnetworkmask(optarg, &addrs, &mask, &naddrs);
-+
-+ if (naddrs > 1)
-+ exit_error(PARAMETER_PROBLEM, "multiple IP addresses not allowed");
-+
-+ accountinfo->net_ip = addrs[0].s_addr;
-+ accountinfo->net_mask = mask.s_addr;
-+
-+ *flags |= IPT_ACCOUNT_OPT_ADDR;
-+ break;
-+
-+ case 't':
-+ if (*flags & IPT_ACCOUNT_OPT_TABLE)
-+ exit_error(PARAMETER_PROBLEM,
-+ "Can't specify --%s twice", opts[1].name);
-+
-+ if (check_inverse(optarg, &invert, NULL, 0))
-+ exit_error(PARAMETER_PROBLEM,
-+ "Unexpected `!' after --%s", opts[1].name);
-+
-+ if (strlen(optarg) > ACCOUNT_TABLE_NAME_LEN - 1)
-+ exit_error(PARAMETER_PROBLEM,
-+ "Maximum table name length %u for --%s",
-+ ACCOUNT_TABLE_NAME_LEN - 1, opts[1].name);
-+
-+ strcpy(accountinfo->table_name, optarg);
-+ *flags |= IPT_ACCOUNT_OPT_TABLE;
-+ break;
-+
-+ default:
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+/* Final check; nothing. */
-+static void final_check(unsigned int flags)
-+{
-+ if (!(flags&IPT_ACCOUNT_OPT_ADDR) || !(flags&IPT_ACCOUNT_OPT_TABLE))
-+ exit_error(PARAMETER_PROBLEM, "ACCOUNT: needs --%s and --%s",
-+ opts[0].name, opts[1].name);
-+}
-+
-+static void print_it(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target, char do_prefix)
-+{
-+ const struct ipt_acc_info *accountinfo
-+ = (const struct ipt_acc_info *)target->data;
-+ struct in_addr a;
-+
-+ if (!do_prefix)
-+ printf("ACCOUNT ");
-+
-+ // Network information
-+ if (do_prefix)
-+ printf("--");
-+ printf("%s ", opts[0].name);
-+
-+ a.s_addr = accountinfo->net_ip;
-+ printf("%s", addr_to_dotted(&a));
-+ a.s_addr = accountinfo->net_mask;
-+ printf("%s", mask_to_dotted(&a));
-+
-+ printf(" ");
-+ if (do_prefix)
-+ printf("--");
-+
-+ printf("%s %s", opts[1].name, accountinfo->table_name);
-+}
-+
-+/* Prints out the targinfo. */
-+static void
-+print(const void *ip,
-+ const struct xt_entry_target *target,
-+ int numeric)
-+{
-+ print_it (ip, target, 0);
-+}
-+
-+/* Saves the union ipt_targinfo in parsable form to stdout. */
-+static void
-+save(const void *ip, const struct xt_entry_target *target)
-+{
-+ print_it(ip, target, 1);
-+}
-+
-+static
-+struct iptables_target account
-+= {
-+ .next = NULL,
-+ .name = "ACCOUNT",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct ipt_acc_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_acc_info)),
-+ .help = &help,
-+ .init = &init,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
-+};
-+
-+void _init(void)
-+{
-+ register_target(&account);
-+}
-diff -urN iptables-1.3.8/extensions/libipt_IPMARK.c iptables/extensions/libipt_IPMARK.c
---- iptables-1.3.8/extensions/libipt_IPMARK.c 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/libipt_IPMARK.c 2006-12-04 12:15:20.000000000 +0100
-@@ -0,0 +1,168 @@
-+/* Shared library add-on to iptables to add IPMARK target support.
-+ * (C) 2003 by Grzegorz Janoszka <Grzegorz.Janoszka at pro.onet.pl>
-+ *
-+ * based on original MARK target
-+ *
-+ * This program is distributed under the terms of GNU GPL
-+ */
-+#include <stdio.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <getopt.h>
-+
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter_ipv4/ipt_IPMARK.h>
-+
-+#define IPT_ADDR_USED 1
-+#define IPT_AND_MASK_USED 2
-+#define IPT_OR_MASK_USED 4
-+
-+struct ipmarkinfo {
-+ struct ipt_entry_target t;
-+ struct ipt_ipmark_target_info ipmark;
-+};
-+
-+/* Function which prints out usage message. */
-+static void
-+help(void)
-+{
-+ printf(
-+"IPMARK target v%s options:\n"
-+" --addr src/dst use source or destination ip address\n"
-+" --and-mask value logical AND ip address with this value becomes MARK\n"
-+" --or-mask value logical OR ip address with this value becomes MARK\n"
-+"\n",
-+IPTABLES_VERSION);
-+}
-+
-+static struct option opts[] = {
-+ { "addr", 1, 0, '1' },
-+ { "and-mask", 1, 0, '2' },
-+ { "or-mask", 1, 0, '3' },
-+ { 0 }
-+};
-+
-+/* Initialize the target. */
-+static void
-+init(struct xt_entry_target *t)
-+{
-+ struct ipt_ipmark_target_info *ipmarkinfo =
-+ (struct ipt_ipmark_target_info *)t->data;
-+
-+ ipmarkinfo->andmask=0xffffffff;
-+ ipmarkinfo->ormask=0;
-+
-+}
-+
-+/* Function which parses command options; returns true if it
-+ ate an option */
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const void *entry,
-+ struct xt_entry_target **target)
-+{
-+ struct ipt_ipmark_target_info *ipmarkinfo
-+ = (struct ipt_ipmark_target_info *)(*target)->data;
-+
-+ switch (c) {
-+ char *end;
-+ case '1':
-+ if(!strcmp(optarg, "src")) ipmarkinfo->addr=IPT_IPMARK_SRC;
-+ else if(!strcmp(optarg, "dst")) ipmarkinfo->addr=IPT_IPMARK_DST;
-+ else exit_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
-+ if (*flags & IPT_ADDR_USED)
-+ exit_error(PARAMETER_PROBLEM,
-+ "IPMARK target: Can't specify --addr twice");
-+ *flags |= IPT_ADDR_USED;
-+ break;
-+
-+ case '2':
-+ ipmarkinfo->andmask = strtoul(optarg, &end, 0);
-+ if (*end != '\0' || end == optarg)
-+ exit_error(PARAMETER_PROBLEM, "Bad and-mask value `%s'", optarg);
-+ if (*flags & IPT_AND_MASK_USED)
-+ exit_error(PARAMETER_PROBLEM,
-+ "IPMARK target: Can't specify --and-mask twice");
-+ *flags |= IPT_AND_MASK_USED;
-+ break;
-+ case '3':
-+ ipmarkinfo->ormask = strtoul(optarg, &end, 0);
-+ if (*end != '\0' || end == optarg)
-+ exit_error(PARAMETER_PROBLEM, "Bad or-mask value `%s'", optarg);
-+ if (*flags & IPT_OR_MASK_USED)
-+ exit_error(PARAMETER_PROBLEM,
-+ "IPMARK target: Can't specify --or-mask twice");
-+ *flags |= IPT_OR_MASK_USED;
-+ break;
-+
-+ default:
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+static void
-+final_check(unsigned int flags)
-+{
-+ if (!(flags & IPT_ADDR_USED))
-+ exit_error(PARAMETER_PROBLEM,
-+ "IPMARK target: Parameter --addr is required");
-+ if (!(flags & (IPT_AND_MASK_USED | IPT_OR_MASK_USED)))
-+ exit_error(PARAMETER_PROBLEM,
-+ "IPMARK target: Parameter --and-mask or --or-mask is required");
-+}
-+
-+/* Prints out the targinfo. */
-+static void
-+print(const void *ip,
-+ const struct xt_entry_target *target,
-+ int numeric)
-+{
-+ const struct ipt_ipmark_target_info *ipmarkinfo =
-+ (const struct ipt_ipmark_target_info *)target->data;
-+
-+ if(ipmarkinfo->addr == IPT_IPMARK_SRC)
-+ printf("IPMARK src");
-+ else
-+ printf("IPMARK dst");
-+ printf(" ip and 0x%lx or 0x%lx", ipmarkinfo->andmask, ipmarkinfo->ormask);
-+}
-+
-+/* Saves the union ipt_targinfo in parsable form to stdout. */
-+static void
-+save(const void *ip, const struct xt_entry_target *target)
-+{
-+ const struct ipt_ipmark_target_info *ipmarkinfo =
-+ (const struct ipt_ipmark_target_info *)target->data;
-+
-+ if(ipmarkinfo->addr == IPT_IPMARK_SRC)
-+ printf("--addr=src ");
-+ else
-+ printf("--addr=dst ");
-+ if(ipmarkinfo->andmask != 0xffffffff)
-+ printf("--and-mask 0x%lx ", ipmarkinfo->andmask);
-+ if(ipmarkinfo->ormask != 0)
-+ printf("--or-mask 0x%lx ", ipmarkinfo->ormask);
-+}
-+
-+static struct iptables_target ipmark = {
-+ .next = NULL,
-+ .name = "IPMARK",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
-+ .help = &help,
-+ .init = &init,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
-+};
-+
-+void _init(void)
-+{
-+ register_target(&ipmark);
-+}
-diff -urN iptables-1.3.8/extensions/libipt_IPMARK.man iptables/extensions/libipt_IPMARK.man
---- iptables-1.3.8/extensions/libipt_IPMARK.man 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/libipt_IPMARK.man 2006-12-04 12:15:19.000000000 +0100
-@@ -0,0 +1,45 @@
-+Allows you to mark a received packet basing on its IP address. This
-+can replace many mangle/mark entries with only one, if you use
-+firewall based classifier.
-+
-+This target is to be used inside the mangle table, in the PREROUTING,
-+POSTROUTING or FORWARD hooks.
-+.TP
-+.BI "--addr " "src/dst"
-+Use source or destination IP address.
-+.TP
-+.BI "--and-mask " "mask"
-+Perform bitwise `and' on the IP address and this mask.
-+.TP
-+.BI "--or-mask " "mask"
-+Perform bitwise `or' on the IP address and this mask.
-+.P
-+The order of IP address bytes is reversed to meet "human order of bytes":
-+192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
-+`or'.
-+
-+Examples:
-+
-+We create a queue for each user, the queue number is adequate
-+to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
-+are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
-+
-+We have one classifier rule:
-+.IP
-+tc filter add dev eth3 parent 1:0 protocol ip fw
-+.P
-+Earlier we had many rules just like below:
-+.IP
-+iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
-+--set-mark 0x10502
-+.IP
-+iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
-+--set-mark 0x10503
-+.P
-+Using IPMARK target we can replace all the mangle/mark rules with only one:
-+.IP
-+iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
-+--and-mask=0xffff --or-mask=0x10000
-+.P
-+On the routers with hundreds of users there should be significant load
-+decrease (e.g. twice).
diff -urN iptables-1.3.8/extensions/libipt_IPV4OPTSSTRIP.c iptables/extensions/libipt_IPV4OPTSSTRIP.c
--- iptables-1.3.8/extensions/libipt_IPV4OPTSSTRIP.c 1970-01-01 01:00:00.000000000 +0100
+++ iptables/extensions/libipt_IPV4OPTSSTRIP.c 2006-12-12 11:34:45.000000000 +0100
@@ -463,7 +53,7 @@
+static void help(void)
+{
+ printf("IPV4OPTSSTRIP v%s target takes no option !! Make sure you use it in the mangle table.\n",
-+ IPTABLES_VERSION);
++ XTABLES_VERSION);
+}
+
+static struct option opts[] = {
@@ -501,10 +91,10 @@
+ /* nothing to print, we don't take option... */
+}
+
-+static struct iptables_target IPV4OPTSSTRIP = {
++static struct xtables_target IPV4OPTSSTRIP = {
+ .next = NULL,
+ .name = "IPV4OPTSSTRIP",
-+ .version = IPTABLES_VERSION,
++ .version = XTABLES_VERSION,
+ .size = IPT_ALIGN(0),
+ .userspacesize = IPT_ALIGN(0),
+ .help = &help,
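Review bot: The converted `struct xtables_target IPV4OPTSSTRIP` initializer sets no `.family`, so that member stays zero-initialized; if the iptables 1.4.1 `xtables_register_target()` compares `me->family` against the active address family before linking the target in (as I recall the libxtables registration code doing), the extension would silently never register and `-j IPV4OPTSSTRIP` would fail at rule-load time with an unknown-target error rather than at build time — please confirm against the 1.4.1 libxtables source and, if so, add `.family = AF_INET,` next to `.name`. The same applies to the `tarpit`, `geoip`, `ipp2p` and `ipv4options_struct` initializers converted in the later hunks of this patch. The `.size`/`.userspacesize` lines keep `IPT_ALIGN`, which under xtables is only an alias for `XT_ALIGN` as long as `linux/netfilter_ipv4/ip_tables.h` stays in the include list; the include changes for these files are not in the visible hunks, so that cannot be verified here. Each of these initializers continues outside its hunk.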
@@ -517,7 +107,7 @@
+
+void _init(void)
+{
-+ register_target(&IPV4OPTSSTRIP);
++ xtables_register_target(&IPV4OPTSSTRIP);
+}
diff -urN iptables-1.3.8/extensions/libipt_IPV4OPTSSTRIP.man iptables/extensions/libipt_IPV4OPTSSTRIP.man
--- iptables-1.3.8/extensions/libipt_IPV4OPTSSTRIP.man 1970-01-01 01:00:00.000000000 +0100
@@ -572,10 +162,10 @@
+{
+}
+
-+static struct iptables_target tarpit = {
++static struct xtables_target tarpit = {
+ .next = NULL,
+ .name = "TARPIT",
-+ .version = IPTABLES_VERSION,
++ .version = XTABLES_VERSION,
+ .size = IPT_ALIGN(0),
+ .userspacesize = IPT_ALIGN(0),
+ .help = &help,
@@ -588,7 +178,7 @@
+
+void _init(void)
+{
-+ register_target(&tarpit);
++ xtables_register_target(&tarpit);
+}
diff -urN iptables-1.3.8/extensions/libipt_TARPIT.man iptables/extensions/libipt_TARPIT.man
--- iptables-1.3.8/extensions/libipt_TARPIT.man 1970-01-01 01:00:00.000000000 +0100
@@ -673,7 +263,7 @@
+ "\n"
+ " NOTE: The country is inputed by its ISO3166 code.\n"
+ "\n"
-+ "\n", IPTABLES_VERSION
++ "\n", XTABLES_VERSION
+ );
+}
+
@@ -949,9 +539,9 @@
+ printf(" ");
+}
+
-+static struct iptables_match geoip = {
++static struct xtables_match geoip = {
+ .name = "geoip",
-+ .version = IPTABLES_VERSION,
++ .version = XTABLES_VERSION,
+ .size = IPT_ALIGN(sizeof(struct ipt_geoip_info)),
+ .userspacesize = offsetof(struct ipt_geoip_info, mem),
+ .help = &help,
@@ -965,7 +555,7 @@
+
+void _init(void)
+{
-+ register_match(&geoip);
++ xtables_register_match(&geoip);
+}
diff -urN iptables-1.3.8/extensions/libipt_geoip.man iptables/extensions/libipt_geoip.man
--- iptables-1.3.8/extensions/libipt_geoip.man 1970-01-01 01:00:00.000000000 +0100
@@ -1364,11 +954,11 @@
+
+
+static
-+struct iptables_match ipp2p=
++struct xtables_match ipp2p=
+{
+ .next = NULL,
+ .name = "ipp2p",
-+ .version = IPTABLES_VERSION,
++ .version = XTABLES_VERSION,
+ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
+ .help = &help,
@@ -1384,7 +974,7 @@
+
+void _init(void)
+{
-+ register_match(&ipp2p);
++ xtables_register_match(&ipp2p);
+}
diff -urN iptables-1.3.8/extensions/libipt_ipp2p.man iptables/extensions/libipt_ipp2p.man
--- iptables-1.3.8/extensions/libipt_ipp2p.man 1970-01-01 01:00:00.000000000 +0100
@@ -1460,7 +1050,7 @@
+" [!] --ts (match timestamp flag)\n\n"
+" [!] --ra (match router-alert option)\n\n"
+" [!] --any-opt (match any option or no option at all if used with '!')\n",
-+IPTABLES_VERSION);
++XTABLES_VERSION);
+}
+
+static struct option opts[] = {
@@ -1729,10 +1319,10 @@
+ printf(" ");
+}
+
-+static struct iptables_match ipv4options_struct = {
++static struct xtables_match ipv4options_struct = {
+ .next = NULL,
+ .name = "ipv4options",
-+ .version = IPTABLES_VERSION,
++ .version = XTABLES_VERSION,
+ .size = IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
+ .help = &help,
@@ -1745,7 +1335,7 @@
+
+void _init(void)
+{
-+ register_match(&ipv4options_struct);
++ xtables_register_match(&ipv4options_struct);
+}
diff -urN iptables-1.3.8/extensions/libipt_ipv4options.man iptables/extensions/libipt_ipv4options.man
--- iptables-1.3.8/extensions/libipt_ipv4options.man 1970-01-01 01:00:00.000000000 +0100
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/iptables-20070806.patch?r1=1.6&r2=1.7&f=u