diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..e43b0f98
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/CMakeLists.txt b/CMakeLists.txt
new file mode 100644
index 00000000..844f2b40
--- /dev/null
+++ b/CMakeLists.txt
@@ -0,0 +1,14 @@
+cmake_minimum_required(VERSION 2.8 FATAL_ERROR)
+add_definitions(-std=c++11)
+set(CXX_FLAGS "-Wall")
+set(CMAKE_CXX_FLAGS, "${CXX_FLAGS}")
+
+set(CMAKE_BUILD_TYPE Debug)
+
+project(test)
+
+add_subdirectory( "vendor/iptables-1.8.7" )
+add_subdirectory( "vendor/libtins" )
+add_subdirectory( "openssl-OpenSSL_1_1_1g" )
+
+add_executable (test web-monitor.cpp)
\ No newline at end of file
diff --git a/README.md b/README.md
index e6e2f1b6..22bb6b8d 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,6 @@
 # c-goof
 Vulnerable C++ project
+
+## Testing with Snyk
+
+Dependencies are in `vendor`. Clone this project, and run `snyk unmanaged test` from the project folder. To import the results in Snyk App, run `snyk unmanaged monitor`.
diff --git a/build/Makefile b/build/Makefile
new file mode 100644
index 00000000..8bb50d94
--- /dev/null
+++ b/build/Makefile
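Review bot: The only entry added is `.DS_Store`, yet this same commit checks in the generated CMake build tree (`build/Makefile`, `build/cmake_install.cmake`) and the compiled `build/test` binary. Those files embed machine-specific absolute paths (`/Users/michal/Downloads/web-monitor`, the `/usr/local/Cellar/cmake/3.21.2` toolchain path) and go stale on every reconfigure, and a committed binary cannot be reviewed or reproduced from the sources in the commit. Add `build/` to this file and drop the `build/` entries from the commit.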
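Review bot: `set(CMAKE_CXX_FLAGS, "${CXX_FLAGS}")` has a stray comma, so it sets a variable literally named `CMAKE_CXX_FLAGS,` and the `-Wall` from the line above never reaches the compiler; together with `add_definitions(-std=c++11)` this is also the legacy global-flag style. Replace those three lines with `set(CMAKE_CXX_STANDARD 11)` and `set(CMAKE_CXX_STANDARD_REQUIRED ON)` after `project()`, plus `target_compile_options(test PRIVATE -Wall)` after the `add_executable`. Further, `cmake_minimum_required(VERSION 2.8 ...)` is below the 2.8.12 floor that the CMake 3.21 which generated `build/Makefile` already warns about, `set(CMAKE_BUILD_TYPE Debug)` unconditionally overrides whatever configuration the user asked for, and the target name `test` is reserved by CMake once testing is enabled. The executable is never linked against anything from the `vendor/libtins` and `openssl-OpenSSL_1_1_1g` subdirectories it pulls in (and the latter sits outside `vendor/`, where the README says dependencies live), and it compiles `web-monitor.cpp` while this commit adds `netmon.cpp` — presumably one of the two names is wrong.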
@@ -0,0 +1,181 @@ +# CMAKE generated file: DO NOT EDIT! +# Generated by "Unix Makefiles" Generator, CMake Version 3.21 + +# Default target executed when no arguments are given to make. +default_target: all +.PHONY : default_target + +# Allow only one "make -f Makefile2" at a time, but pass parallelism. +.NOTPARALLEL: + +#============================================================================= +# Special targets provided by cmake. + +# Disable implicit rules so canonical targets will work. +.SUFFIXES: + +# Disable VCS-based implicit rules. +% : %,v + +# Disable VCS-based implicit rules. +% : RCS/% + +# Disable VCS-based implicit rules. +% : RCS/%,v + +# Disable VCS-based implicit rules. +% : SCCS/s.% + +# Disable VCS-based implicit rules. +% : s.% + +.SUFFIXES: .hpux_make_needs_suffix_list + +# Command-line flag to silence nested $(MAKE). +$(VERBOSE)MAKESILENT = -s + +#Suppress display of executed commands. +$(VERBOSE).SILENT: + +# A target that is always out of date. +cmake_force: +.PHONY : cmake_force + +#============================================================================= +# Set environment variables for the build. + +# The shell in which to execute make rules. +SHELL = /bin/sh + +# The CMake executable. +CMAKE_COMMAND = /usr/local/Cellar/cmake/3.21.2/bin/cmake + +# The command to remove a file. +RM = /usr/local/Cellar/cmake/3.21.2/bin/cmake -E rm -f + +# Escaping for special characters. +EQUALS = = + +# The top-level source directory on which CMake was run. +CMAKE_SOURCE_DIR = /Users/michal/Downloads/web-monitor + +# The top-level build directory on which CMake was run. +CMAKE_BINARY_DIR = /Users/michal/Downloads/web-monitor/build + +#============================================================================= +# Targets provided globally by CMake. + +# Special rule for the target rebuild_cache +rebuild_cache: + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "Running CMake to regenerate build system..." 
+ /usr/local/Cellar/cmake/3.21.2/bin/cmake --regenerate-during-build -S$(CMAKE_SOURCE_DIR) -B$(CMAKE_BINARY_DIR) +.PHONY : rebuild_cache + +# Special rule for the target rebuild_cache +rebuild_cache/fast: rebuild_cache +.PHONY : rebuild_cache/fast + +# Special rule for the target edit_cache +edit_cache: + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "Running CMake cache editor..." + /usr/local/Cellar/cmake/3.21.2/bin/ccmake -S$(CMAKE_SOURCE_DIR) -B$(CMAKE_BINARY_DIR) +.PHONY : edit_cache + +# Special rule for the target edit_cache +edit_cache/fast: edit_cache +.PHONY : edit_cache/fast + +# The main all target +all: cmake_check_build_system + $(CMAKE_COMMAND) -E cmake_progress_start /Users/michal/Downloads/web-monitor/build/CMakeFiles /Users/michal/Downloads/web-monitor/build//CMakeFiles/progress.marks + $(MAKE) $(MAKESILENT) -f CMakeFiles/Makefile2 all + $(CMAKE_COMMAND) -E cmake_progress_start /Users/michal/Downloads/web-monitor/build/CMakeFiles 0 +.PHONY : all + +# The main clean target +clean: + $(MAKE) $(MAKESILENT) -f CMakeFiles/Makefile2 clean +.PHONY : clean + +# The main clean target +clean/fast: clean +.PHONY : clean/fast + +# Prepare targets for installation. +preinstall: all + $(MAKE) $(MAKESILENT) -f CMakeFiles/Makefile2 preinstall +.PHONY : preinstall + +# Prepare targets for installation. +preinstall/fast: + $(MAKE) $(MAKESILENT) -f CMakeFiles/Makefile2 preinstall +.PHONY : preinstall/fast + +# clear depends +depend: + $(CMAKE_COMMAND) -S$(CMAKE_SOURCE_DIR) -B$(CMAKE_BINARY_DIR) --check-build-system CMakeFiles/Makefile.cmake 1 +.PHONY : depend + +#============================================================================= +# Target rules for targets named test + +# Build rule for target. +test: cmake_check_build_system + $(MAKE) $(MAKESILENT) -f CMakeFiles/Makefile2 test +.PHONY : test + +# fast build rule for target. 
+test/fast: + $(MAKE) $(MAKESILENT) -f CMakeFiles/test.dir/build.make CMakeFiles/test.dir/build +.PHONY : test/fast + +test.o: test.cpp.o +.PHONY : test.o + +# target to build an object file +test.cpp.o: + $(MAKE) $(MAKESILENT) -f CMakeFiles/test.dir/build.make CMakeFiles/test.dir/test.cpp.o +.PHONY : test.cpp.o + +test.i: test.cpp.i +.PHONY : test.i + +# target to preprocess a source file +test.cpp.i: + $(MAKE) $(MAKESILENT) -f CMakeFiles/test.dir/build.make CMakeFiles/test.dir/test.cpp.i +.PHONY : test.cpp.i + +test.s: test.cpp.s +.PHONY : test.s + +# target to generate assembly for a file +test.cpp.s: + $(MAKE) $(MAKESILENT) -f CMakeFiles/test.dir/build.make CMakeFiles/test.dir/test.cpp.s +.PHONY : test.cpp.s + +# Help Target +help: + @echo "The following are some of the valid targets for this Makefile:" + @echo "... all (the default if no target is provided)" + @echo "... clean" + @echo "... depend" + @echo "... edit_cache" + @echo "... rebuild_cache" + @echo "... test" + @echo "... test.o" + @echo "... test.i" + @echo "... test.s" +.PHONY : help + + + +#============================================================================= +# Special targets to cleanup operation of make. + +# Special rule to run CMake to check the build system integrity. +# No rule that depends on this can have commands that come from listfiles +# because they might be regenerated. +cmake_check_build_system: + $(CMAKE_COMMAND) -S$(CMAKE_SOURCE_DIR) -B$(CMAKE_BINARY_DIR) --check-build-system CMakeFiles/Makefile.cmake 0 +.PHONY : cmake_check_build_system + diff --git a/build/cmake_install.cmake b/build/cmake_install.cmake new file mode 100644 index 00000000..b6cd8002 --- /dev/null +++ b/build/cmake_install.cmake 
@@ -0,0 +1,49 @@ +# Install script for directory: /Users/michal/Downloads/web-monitor + +# Set the install prefix +if(NOT DEFINED CMAKE_INSTALL_PREFIX) + set(CMAKE_INSTALL_PREFIX "/usr/local") +endif() +string(REGEX REPLACE "/$" "" CMAKE_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}") + +# Set the install configuration name. +if(NOT DEFINED CMAKE_INSTALL_CONFIG_NAME) + if(BUILD_TYPE) + string(REGEX REPLACE "^[^A-Za-z0-9_]+" "" + CMAKE_INSTALL_CONFIG_NAME "${BUILD_TYPE}") + else() + set(CMAKE_INSTALL_CONFIG_NAME "Debug") + endif() + message(STATUS "Install configuration: \"${CMAKE_INSTALL_CONFIG_NAME}\"") +endif() + +# Set the component getting installed. +if(NOT CMAKE_INSTALL_COMPONENT) + if(COMPONENT) + message(STATUS "Install component: \"${COMPONENT}\"") + set(CMAKE_INSTALL_COMPONENT "${COMPONENT}") + else() + set(CMAKE_INSTALL_COMPONENT) + endif() +endif() + +# Is this installation the result of a crosscompile? +if(NOT DEFINED CMAKE_CROSSCOMPILING) + set(CMAKE_CROSSCOMPILING "FALSE") +endif() + +# Set default install directory permissions. +if(NOT DEFINED CMAKE_OBJDUMP) + set(CMAKE_OBJDUMP "/Library/Developer/CommandLineTools/usr/bin/objdump") +endif() + +if(CMAKE_INSTALL_COMPONENT) + set(CMAKE_INSTALL_MANIFEST "install_manifest_${CMAKE_INSTALL_COMPONENT}.txt") +else() + set(CMAKE_INSTALL_MANIFEST "install_manifest.txt") +endif() + +string(REPLACE ";" "\n" CMAKE_INSTALL_MANIFEST_CONTENT + "${CMAKE_INSTALL_MANIFEST_FILES}") +file(WRITE "/Users/michal/Downloads/web-monitor/build/${CMAKE_INSTALL_MANIFEST}" + "${CMAKE_INSTALL_MANIFEST_CONTENT}") diff --git a/build/test b/build/test new file mode 100755 index 00000000..0a6094ed Binary files /dev/null and b/build/test differ diff --git a/cmake/packages.cmake b/cmake/packages.cmake new file mode 100644 index 00000000..e69de29b diff --git a/include/ip6tables.h b/include/ip6tables.h new file mode 100644 index 00000000..5f1c5b65 --- /dev/null +++ b/include/ip6tables.h 
@@ -0,0 +1,20 @@
+#ifndef _IP6TABLES_USER_H
+#define _IP6TABLES_USER_H
+
+#include
+#include
+#include
+#include
+
+/* Your shared library should call one of these. */
+extern int do_command6(int argc, char *argv[], char **table,
+ struct xtc_handle **handle, bool restore);
+
+extern int for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), int verbose, int builtinstoo, struct xtc_handle *handle);
+extern int flush_entries6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle);
+extern int delete_chain6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle);
+void print_rule6(const struct ip6t_entry *e, struct xtc_handle *h, const char *chain, int counters);
+
+extern struct xtables_globals ip6tables_globals;
+
+#endif /*_IP6TABLES_USER_H*/
diff --git a/include/iptables.h b/include/iptables.h
new file mode 100644
index 00000000..78c10abd
--- /dev/null
+++ b/include/iptables.h
@@ -0,0 +1,25 @@
+#ifndef _IPTABLES_USER_H
+#define _IPTABLES_USER_H
+
+#include
+#include
+#include
+#include
+
+/* Your shared library should call one of these. */
+extern int do_command4(int argc, char *argv[], char **table,
+ struct xtc_handle **handle, bool restore);
+extern int delete_chain4(const xt_chainlabel chain, int verbose,
+ struct xtc_handle *handle);
+extern int flush_entries4(const xt_chainlabel chain, int verbose,
+ struct xtc_handle *handle);
+extern int for_each_chain4(int (*fn)(const xt_chainlabel, int, struct xtc_handle *),
+ int verbose, int builtinstoo, struct xtc_handle *handle);
+extern void print_rule4(const struct ipt_entry *e,
+ struct xtc_handle *handle, const char *chain, int counters);
+
+extern struct xtables_globals iptables_globals;
+
+extern struct xtables_globals xtables_globals;
+
+#endif /*_IPTABLES_USER_H*/
diff --git a/netmon.cpp b/netmon.cpp
new file mode 100644
index 00000000..812a9b1d
--- /dev/null
+++ b/netmon.cpp
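Review bot: These declarations are plain C (`struct xtc_handle`, `xt_chainlabel`) but the only consumer this commit builds is a C++ target (`add_executable (test web-monitor.cpp)` with `-std=c++11`), and the header has no `extern "C"` guard, so a C++ translation unit including it would get C++-mangled references and fail to link against the C iptables library; the same applies to `include/iptables.h`. The four `#include` lines also show no header name in this view — presumably the angle-bracket names were lost in rendering, but if they are really empty the header does not compile. Whether these root-level copies are meant for the C++ application or only mirror `vendor/iptables-1.8.7` is not clear from the diff; if the former, wrap the declarations as below in both headers.
```c
#ifndef _IP6TABLES_USER_H
#define _IP6TABLES_USER_H

/* … unchanged: #include lines … */

#ifdef __cplusplus
extern "C" {
#endif

/* … unchanged: do_command6 … print_rule6 declarations, ip6tables_globals … */

#ifdef __cplusplus
}
#endif

#endif /*_IP6TABLES_USER_H*/
```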
@@ -0,0 +1,15 @@
+#include
+
+using namespace std;
+
+template
+T sum(T a, T b){
+ return a+b;
+}
+
+int main(int argv, char ** argc){
+ int a = 10, b = 20, result;
+ result = sum (a, b);
+ cout << "result = " << result << endl;
+ return 0;
+}
\ No newline at end of file
diff --git a/vendor/iptables-1.8.7/.gitignore b/vendor/iptables-1.8.7/.gitignore
new file mode 100644
index 00000000..e5595264
--- /dev/null
+++ b/vendor/iptables-1.8.7/.gitignore
@@ -0,0 +1,27 @@
+*.a
+*.la
+*.lo
+*.so
+*.o
+.deps/
+.dirstamp
+.libs/
+Makefile
+Makefile.in
+
+/include/xtables-version.h
+
+/aclocal.m4
+/autom4te.cache/
+/build-aux/
+/config.*
+/configure
+/libtool
+/stamp-h1
+/iptables/iptables-apply.8
+
+/iptables/xtables-multi
+/iptables/xtables-compat-multi
+
+# vim/nano swap file
+*.swp
diff --git a/vendor/iptables-1.8.7/COMMIT_NOTES b/vendor/iptables-1.8.7/COMMIT_NOTES
new file mode 100644
index 00000000..592808c5
--- /dev/null
+++ b/vendor/iptables-1.8.7/COMMIT_NOTES
@@ -0,0 +1,19 @@
+A quick list of rules for committing stuff into netfilter git:
+
+- Always add an appropriate description, in git format
+ (i.e. first line is a summary)
+
+- Please try to include references to bugs when the description does not
+ include total discussion coverage or when the bug report is external to
+ netfilter-devel, e.g.
+ "Closes: netfilter bugzilla #123", or
+ "Reference: http://bugs.{debian,gentoo}.org/..."
+
+- If you touch any parts of libxtables (xtables.c, include/xtables.h.in),
+ make sure the so-version is updated _appropriately_ (i.e. read the
+ libtool manual about Versioning:: first, if need be) in configure.ac.
+ Adding fields to a struct always entails a vcurrent bump.
+
+ - Check, whether a bump (vcurrent,vage) has already been made since the
+ last release (no more than one per release), e.g.:
+ git log v1.4.4.. configure.ac
diff --git a/vendor/iptables-1.8.7/COPYING b/vendor/iptables-1.8.7/COPYING
new file mode 100644
index 00000000..d159169d
--- /dev/null
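Review bot: `int main(int argv, char ** argc)` has the conventional names swapped — here `argv` is the count and `argc` the vector — which is legal but will mislead anyone who later uses them; write `int main(int argc, char **argv)`, or simply `int main()` since neither parameter is used. The `#include` and `template` lines show no header name or parameter list in this view, presumably `<iostream>` and `<typename T>` lost in rendering — worth confirming against the file, since as shown it does not compile. The file also lacks a trailing newline, and `CMakeLists.txt` in this commit compiles `web-monitor.cpp` rather than this file, so `netmon.cpp` is presumably not built yet.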
+++ b/vendor/iptables-1.8.7/COPYING 
@@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. 
diff --git a/vendor/iptables-1.8.7/INCOMPATIBILITIES b/vendor/iptables-1.8.7/INCOMPATIBILITIES
new file mode 100644
index 00000000..ddb24087
--- /dev/null
+++ b/vendor/iptables-1.8.7/INCOMPATIBILITIES
@@ -0,0 +1,14 @@
+INCOMPATIBILITIES:
+
+- The REJECT target has an '--reject-with admin-prohib' option which used
+ with kernels that do not support it, will result in a plain DROP instead
+ of REJECT. Use with caution.
+ Kernels that do support it:
+ 2.4 - since 2.4.22-pre9
+ 2.6 - all
+
+- There are some issues related to upgrading from 1.2.x to 1.3.x on a system
+ with dynamic ruleset changes during runtime. (Please see
+ https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=334).
+ After upgrading from 1.2 to 1.3, it suggest go do an iptables-save, then
+ iptables-restore to ensure your dynamic rule changes continue to work.
diff --git a/vendor/iptables-1.8.7/INSTALL b/vendor/iptables-1.8.7/INSTALL
new file mode 100644
index 00000000..d62b428c
--- /dev/null
+++ b/vendor/iptables-1.8.7/INSTALL
@@ -0,0 +1,101 @@ +Installation instructions for iptables +====================================== + +iptables uses the well-known configure(autotools) infrastructure. + + $ ./configure + $ make + # make install + + +Prerequisites +============= + + * no kernel-source required + + * but obviously a compiler, glibc-devel and linux-kernel-headers + (/usr/include/linux) + + +Configuring and compiling +========================= + +./configure [options] + +--prefix= + + The prefix to put all installed files under. It defaults to + /usr/local, so the binaries will go into /usr/local/bin, sbin, + manpages into /usr/local/share/man, etc. + +--with-xtlibdir= + + The path to where Xtables extensions should be installed to. It + defaults to ${libdir}/xtables. + +--enable-devel (or --disable-devel) + + This option causes development files to be installed to + ${includedir}, which is needed for building additional packages, + such as Xtables-addons or other 3rd-party extensions. + + It is enabled by default. + +--enable-static + + Produce additional binaries, iptables-static/ip6tables-static, + which have all shipped extensions compiled in. + +--disable-shared + + Produce binaries that have dynamic loading of extensions disabled. + This implies --enable-static. + (See some details below.) + +--enable-libipq + + This option causes libipq to be installed into ${libdir} and + ${includedir}. + +--with-ksource= + + Xtables does not depend on kernel headers anymore, but you can + optionally specify a search path to include anyway. This is + probably only useful for development. + +If you want to enable debugging, use + + ./configure CFLAGS="-ggdb3 -O0" + +(-O0 is used to turn off instruction reordering, which makes debugging +much easier.) + +To show debug traces you can add -DDEBUG to CFLAGS option + + +Other notes +=========== + +The make process will automatically build multipurpose binaries. 
+These have the core (iptables), -save, -restore and -xml code +compiled into one binary, but extensions remain as modules. + + +Static and shared +================= + +Basically there are three configuration modes defined: + + --disable-static --enable-shared (this is the default) + + Build a binary that relies upon dynamic loading of extensions. + + --enable-static --enable-shared + + Build a binary that has the shipped extensions built-in, but + is still capable of loading additional extensions. + + --enable-static --disable-shared + + Shipped extensions are built-in, and dynamic loading is + deactivated. diff --git a/vendor/iptables-1.8.7/Makefile.am b/vendor/iptables-1.8.7/Makefile.am new file mode 100644 index 00000000..799bf8b8 --- /dev/null +++ b/vendor/iptables-1.8.7/Makefile.am @@ -0,0 +1,33 @@ +# -*- Makefile -*- + +ACLOCAL_AMFLAGS = -I m4 +AUTOMAKE_OPTIONS = foreign subdir-objects + +SUBDIRS = libiptc libxtables +if ENABLE_DEVEL +SUBDIRS += include +endif +if ENABLE_LIBIPQ +SUBDIRS += libipq +endif +SUBDIRS += utils +# Depends on libxtables: +SUBDIRS += extensions +# Depends on extensions/libext.a: +SUBDIRS += iptables + +if ENABLE_NFTABLES +confdir = $(sysconfdir) +dist_conf_DATA = etc/ethertypes +endif + +.PHONY: tarball +tarball: + rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; + pushd ${top_srcdir} && git archive --prefix=${PACKAGE_TARNAME}-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd; + pushd /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION} && ./autogen.sh && popd; + tar -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/; + rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; + +config.status: extensions/GNUmakefile.in \ + include/xtables-version.h.in diff --git a/vendor/iptables-1.8.7/autogen.sh b/vendor/iptables-1.8.7/autogen.sh new file mode 100755 index 00000000..a0c4395f --- /dev/null +++ b/vendor/iptables-1.8.7/autogen.sh 
@@ -0,0 +1,4 @@
+#!/bin/sh -e
+
+autoreconf -fi;
+rm -Rf autom4te*.cache;
diff --git a/vendor/iptables-1.8.7/configure.ac b/vendor/iptables-1.8.7/configure.ac
new file mode 100644
index 00000000..6864378a
--- /dev/null
+++ b/vendor/iptables-1.8.7/configure.ac
@@ -0,0 +1,274 @@ + +AC_INIT([iptables], [1.8.7]) + +# See libtool.info "Libtool's versioning system" +libxtables_vcurrent=16 +libxtables_vage=4 + +AC_CONFIG_AUX_DIR([build-aux]) +AC_CONFIG_HEADERS([config.h]) +AC_CONFIG_MACRO_DIR([m4]) +AC_PROG_INSTALL +AM_INIT_AUTOMAKE([-Wall]) +AC_PROG_CC +AM_PROG_CC_C_O +AC_DISABLE_STATIC +m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) +AM_PROG_LIBTOOL + +AC_ARG_WITH([kernel], + AS_HELP_STRING([--with-kernel=PATH], + [Path to kernel source/build directory]), + [kbuilddir="$withval"; ksourcedir="$withval";]) +AC_ARG_WITH([kbuild], + AS_HELP_STRING([--with-kbuild=PATH], + [Path to kernel build directory [[/lib/modules/CURRENT/build]]]), + [kbuilddir="$withval"]) +AC_ARG_WITH([ksource], + AS_HELP_STRING([--with-ksource=PATH], + [Path to kernel source directory [[/lib/modules/CURRENT/source]]]), + [ksourcedir="$withval"]) +AC_ARG_WITH([xtlibdir], + AS_HELP_STRING([--with-xtlibdir=PATH], + [Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]), + [xtlibdir="$withval"], + [xtlibdir="${libdir}/xtables"]) +AC_ARG_ENABLE([ipv4], + AS_HELP_STRING([--disable-ipv4], [Do not build iptables]), + [enable_ipv4="$enableval"], [enable_ipv4="yes"]) +AC_ARG_ENABLE([ipv6], + AS_HELP_STRING([--disable-ipv6], [Do not build ip6tables]), + [enable_ipv6="$enableval"], [enable_ipv6="yes"]) +AC_ARG_ENABLE([largefile], + AS_HELP_STRING([--disable-largefile], [Do not build largefile support]), + [enable_largefile="$enableval"], + [enable_largefile="yes"]) +AS_IF([test "$enable_largefile" = "yes"], [largefile_cppflags='-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64']) + +AC_ARG_ENABLE([devel], + AS_HELP_STRING([--enable-devel], + [Install Xtables development headers]), + [enable_devel="$enableval"], [enable_devel="yes"]) +AC_ARG_ENABLE([libipq], + AS_HELP_STRING([--enable-libipq], [Build and install libipq]), + [enable_libipq="$enableval"], [enable_libipq="no"]) +AC_ARG_ENABLE([bpf-compiler], + AS_HELP_STRING([--enable-bpf-compiler], [Build 
bpf compiler]), + [enable_bpfc="$enableval"], [enable_bpfc="no"]) +AC_ARG_ENABLE([nfsynproxy], + AS_HELP_STRING([--enable-nfsynproxy], [Build SYNPROXY configuration tool]), + [enable_nfsynproxy="$enableval"], [enable_nfsynproxy="no"]) +AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH], + [Path to the pkgconfig directory [[LIBDIR/pkgconfig]]]), + [pkgconfigdir="$withval"], [pkgconfigdir='${libdir}/pkgconfig']) +AC_ARG_ENABLE([nftables], + AS_HELP_STRING([--disable-nftables], [Do not build nftables compat]), + [enable_nftables="$enableval"], [enable_nftables="yes"]) +AC_ARG_ENABLE([connlabel], + AS_HELP_STRING([--disable-connlabel], + [Do not build libnetfilter_conntrack]), + [enable_connlabel="$enableval"], [enable_connlabel="yes"]) +AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH], + [Path to the xtables lock [[/run/xtables.lock]]]), + [xt_lock_name="$withval"], + [xt_lock_name="/run/xtables.lock"]) + +AC_MSG_CHECKING([whether $LD knows -Wl,--no-undefined]) +saved_LDFLAGS="$LDFLAGS"; +LDFLAGS="-Wl,--no-undefined"; +AC_LINK_IFELSE([AC_LANG_SOURCE([int main(void) {}])], + [noundef_LDFLAGS="$LDFLAGS"; AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no])] +) +LDFLAGS="$saved_LDFLAGS"; + +blacklist_modules="" +blacklist_x_modules="" +blacklist_b_modules="" +blacklist_a_modules="" +blacklist_4_modules="" +blacklist_6_modules="" + +AC_CHECK_HEADERS([linux/dccp.h linux/ip_vs.h linux/magic.h linux/proc_fs.h linux/bpf.h]) +if test "$ac_cv_header_linux_dccp_h" != "yes"; then + blacklist_modules="$blacklist_modules dccp"; +fi; +if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then + blacklist_modules="$blacklist_modules ipvs"; +fi; + +AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include ]) + +AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"]) +AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" = "yes"]) +AM_CONDITIONAL([ENABLE_IPV4], [test "$enable_ipv4" = "yes"]) +AM_CONDITIONAL([ENABLE_IPV6], [test "$enable_ipv6" = "yes"]) 
+AM_CONDITIONAL([ENABLE_LARGEFILE], [test "$enable_largefile" = "yes"]) +AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"]) +AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"]) +AM_CONDITIONAL([ENABLE_BPFC], [test "$enable_bpfc" = "yes"]) +AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"]) +AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"]) +AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"]) + +if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then + AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool)) +fi + +PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0], + [nfnetlink=1], [nfnetlink=0]) +AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1]) + +if test "x$enable_nftables" = "xyes"; then + PKG_CHECK_MODULES([libmnl], [libmnl >= 1.0], [mnl=1], [mnl=0]) + + if test "$mnl" = 0; + then + echo "*** Error: No suitable libmnl found. ***" + echo " Please install the 'libmnl' package" + echo " Or consider --disable-nftables to skip" + echo " iptables-compat over nftables support." + exit 1 + fi + + PKG_CHECK_MODULES([libnftnl], [libnftnl >= 1.1.6], [nftables=1], [nftables=0]) + + if test "$nftables" = 0; + then + echo "*** Error: no suitable libnftnl found. ***" + echo " Please install the 'libnftnl' package" + echo " Or consider --disable-nftables to skip" + echo " iptables-compat over nftables support." 
+ exit 1 + fi +fi + +AM_CONDITIONAL([HAVE_LIBMNL], [test "$mnl" = 1]) +AM_CONDITIONAL([HAVE_LIBNFTNL], [test "$nftables" = 1]) + +if test "$nftables" != 1; then + blacklist_b_modules="$blacklist_b_modules limit mark nflog mangle" + blacklist_a_modules="$blacklist_a_modules mangle" +fi + +if test "x$enable_connlabel" = "xyes"; then + PKG_CHECK_MODULES([libnetfilter_conntrack], + [libnetfilter_conntrack >= 1.0.6], + [nfconntrack=1], [nfconntrack=0]) + + if test "$nfconntrack" -ne 1; then + blacklist_modules="$blacklist_modules connlabel"; + echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built"; + enable_connlabel="no"; + fi; +else + blacklist_modules="$blacklist_modules connlabel"; +fi; + +AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1]) + +AC_SUBST([blacklist_modules]) +AC_SUBST([blacklist_x_modules]) +AC_SUBST([blacklist_b_modules]) +AC_SUBST([blacklist_a_modules]) +AC_SUBST([blacklist_4_modules]) +AC_SUBST([blacklist_6_modules]) + +regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \ + -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \ + -Wlogical-op \ + -Winline -pipe"; +regular_CPPFLAGS="${largefile_cppflags} -D_REENTRANT \ + -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" -DXTABLES_INTERNAL"; +kinclude_CPPFLAGS=""; +if [[ -n "$kbuilddir" ]]; then + kinclude_CPPFLAGS="$kinclude_CPPFLAGS -I$kbuilddir/include/uapi -I$kbuilddir/include"; +fi; +if [[ -n "$ksourcedir" ]]; then + kinclude_CPPFLAGS="$kinclude_CPPFLAGS -I$ksourcedir/include/uapi -I$ksourcedir/include"; +fi; +pkgdatadir='${datadir}/xtables'; + +define([EXPAND_VARIABLE], +[$2=[$]$1 +if test $prefix = 'NONE'; then + prefix="/usr/local" +fi +while true; do + case "[$]$2" in + *\[$]* ) eval "$2=[$]$2" ;; + *) break ;; + esac +done +eval "$2=[$]$2" +])dnl EXPAND_VARIABLE + +AC_SUBST([regular_CFLAGS]) +AC_SUBST([regular_CPPFLAGS]) +AC_SUBST([noundef_LDFLAGS]) +AC_SUBST([kinclude_CPPFLAGS]) +AC_SUBST([kbuilddir]) +AC_SUBST([ksourcedir]) 
+AC_SUBST([xtlibdir]) +AC_SUBST([pkgconfigdir]) +AC_SUBST([pkgdatadir]) +AC_SUBST([libxtables_vcurrent]) +AC_SUBST([libxtables_vage]) +libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage)); +AC_SUBST([libxtables_vmajor]) + +AC_DEFINE_UNQUOTED([XT_LOCK_NAME], "${xt_lock_name}", + [Location of the iptables lock file]) +AC_SUBST([XT_LOCK_NAME], "${xt_lock_name}") + +AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile + iptables/Makefile iptables/xtables.pc + iptables/iptables.8 iptables/iptables-extensions.8.tmpl + iptables/iptables-save.8 iptables/iptables-restore.8 + iptables/iptables-apply.8 iptables/iptables-xml.1 + libipq/Makefile libipq/libipq.pc + libiptc/Makefile libiptc/libiptc.pc + libiptc/libip4tc.pc libiptc/libip6tc.pc + libxtables/Makefile utils/Makefile + include/xtables-version.h + iptables/xtables-monitor.8 + utils/nfnl_osf.8 + utils/nfbpf_compile.8]) +AC_OUTPUT + + +EXPAND_VARIABLE(xtlibdir, e_xtlibdir) +EXPAND_VARIABLE(pkgconfigdir, e_pkgconfigdir) + +echo " +Iptables Configuration: + IPv4 support: ${enable_ipv4} + IPv6 support: ${enable_ipv6} + Devel support: ${enable_devel} + IPQ support: ${enable_libipq} + Large file support: ${enable_largefile} + BPF utils support: ${enable_bpfc} + nfsynproxy util support: ${enable_nfsynproxy} + nftables support: ${enable_nftables} + connlabel support: ${enable_connlabel} + +Build parameters: + Put plugins into executable (static): ${enable_static} + Support plugins via dlopen (shared): ${enable_shared} + Installation prefix (--prefix): ${prefix} + Xtables extension directory: ${e_xtlibdir} + Pkg-config directory: ${e_pkgconfigdir} + Xtables lock file: ${xt_lock_name}" + +if [[ -n "$ksourcedir" ]]; then + echo " Kernel source directory: ${ksourcedir}" +fi; +if [[ -n "$kbuilddir" ]]; then + echo " Kernel build directory: ${kbuilddir}" +fi; + +echo " Host: ${host} + GCC binary: ${CC}" + +test x"$blacklist_modules" = "x" || echo " +Iptables modules that will not be built: $blacklist_modules" 
diff --git a/vendor/iptables-1.8.7/etc/ethertypes b/vendor/iptables-1.8.7/etc/ethertypes
new file mode 100644
index 00000000..813177b7
--- /dev/null
+++ b/vendor/iptables-1.8.7/etc/ethertypes
@@ -0,0 +1,39 @@
+#
+# Ethernet frame types
+# This file describes some of the various Ethernet
+# protocol types that are used on Ethernet networks.
+#
+# This list could be found on:
+# http://www.iana.org/assignments/ethernet-numbers
+# http://www.iana.org/assignments/ieee-802-numbers
+#
+# ... #Comment
+#
+IPv4 0800 ip ip4 # Internet IP (IPv4)
+X25 0805
+ARP 0806 ether-arp #
+FR_ARP 0808 # Frame Relay ARP [RFC1701]
+BPQ 08FF # G8BPQ AX.25 Ethernet Packet
+DEC 6000 # DEC Assigned proto
+DNA_DL 6001 # DEC DNA Dump/Load
+DNA_RC 6002 # DEC DNA Remote Console
+DNA_RT 6003 # DEC DNA Routing
+LAT 6004 # DEC LAT
+DIAG 6005 # DEC Diagnostics
+CUST 6006 # DEC Customer use
+SCA 6007 # DEC Systems Comms Arch
+TEB 6558 # Trans Ether Bridging [RFC1701]
+RAW_FR 6559 # Raw Frame Relay [RFC1701]
+RARP 8035 # Reverse ARP [RFC903]
+AARP 80F3 # Appletalk AARP
+ATALK 809B # Appletalk
+802_1Q 8100 8021q 1q 802.1q dot1q # 802.1Q Virtual LAN tagged frame
+IPX 8137 # Novell IPX
+NetBEUI 8191 # NetBEUI
+IPv6 86DD ip6 # IP version 6
+PPP 880B # PPP
+ATMMPOA 884C # MultiProtocol over ATM
+PPP_DISC 8863 # PPPoE discovery messages
+PPP_SES 8864 # PPPoE session messages
+ATMFATE 8884 # Frame-based ATM Transport over Ethernet
+LOOP 9000 loopback # loop proto
diff --git a/vendor/iptables-1.8.7/etc/xtables.conf b/vendor/iptables-1.8.7/etc/xtables.conf
new file mode 100644
index 00000000..3c54ced0
--- /dev/null
+++ b/vendor/iptables-1.8.7/etc/xtables.conf
@@ -0,0 +1,74 @@
+family ipv4 {
+ table raw {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
+ }
+
+ table mangle {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
+ chain INPUT hook NF_INET_LOCAL_IN prio -150
+ chain FORWARD hook NF_INET_FORWARD prio -150
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
+ chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
+ }
+
+ table filter {
+ chain INPUT hook NF_INET_LOCAL_IN prio 0
+ chain FORWARD hook NF_INET_FORWARD prio 0
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
+ }
+
+ table nat {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
+ chain INPUT hook NF_INET_LOCAL_IN prio 100
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio -100
+ chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
+ }
+
+ table security {
+ chain INPUT hook NF_INET_LOCAL_IN prio 50
+ chain FORWARD hook NF_INET_FORWARD prio 50
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio 50
+ }
+}
+
+family ipv6 {
+ table raw {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
+ }
+
+ table mangle {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
+ chain INPUT hook NF_INET_LOCAL_IN prio -150
+ chain FORWARD hook NF_INET_FORWARD prio -150
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
+ chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
+ }
+
+ table filter {
+ chain INPUT hook NF_INET_LOCAL_IN prio 0
+ chain FORWARD hook NF_INET_FORWARD prio 0
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
+ }
+
+ table nat {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
+ chain INPUT hook NF_INET_LOCAL_IN prio 100
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio -100
+ chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
+ }
+
+ table security {
+ chain INPUT hook NF_INET_LOCAL_IN prio 50
+ chain FORWARD hook NF_INET_FORWARD prio 50
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio 50
+ }
+}
+
+family arp {
+ table filter {
+ chain INPUT hook NF_ARP_IN prio 0
+ chain OUTPUT hook NF_ARP_OUT prio 0
+ }
+}
diff --git a/vendor/iptables-1.8.7/extensions/.gitignore b/vendor/iptables-1.8.7/extensions/.gitignore
new file mode 100644
index 00000000..b1260f0b
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/.gitignore
@@ -0,0 +1,9 @@
+.*.d
+.*.dd
+*.oo
+
+/GNUmakefile
+/initext.c
+/initext?.c
+/matches.man
+/targets.man
diff --git a/vendor/iptables-1.8.7/extensions/GNUmakefile.in b/vendor/iptables-1.8.7/extensions/GNUmakefile.in
new file mode 100644
index 00000000..956ccb38
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/GNUmakefile.in
@@ -0,0 +1,307 @@ +# -*- Makefile -*- + +top_builddir = @top_builddir@ +builddir = @builddir@ +top_srcdir = @top_srcdir@ +srcdir = @srcdir@ +ksourcedir = @ksourcedir@ +prefix = @prefix@ +exec_prefix = @exec_prefix@ +libdir = @libdir@ +libexecdir = @libexecdir@ +xtlibdir = @xtlibdir@ + +AR = @AR@ +CC = @CC@ +CCLD = ${CC} +CFLAGS = @CFLAGS@ +CPPFLAGS = @CPPFLAGS@ +LDFLAGS = @LDFLAGS@ +regular_CFLAGS = @regular_CFLAGS@ +regular_CPPFLAGS = @regular_CPPFLAGS@ +kinclude_CPPFLAGS = @kinclude_CPPFLAGS@ + +AM_CFLAGS = ${regular_CFLAGS} +AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${CPPFLAGS} @libnetfilter_conntrack_CFLAGS@ @libnftnl_CFLAGS@ +AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@ +AM_LDFLAGS = @noundef_LDFLAGS@ + +ifeq (${V},) +AM_LIBTOOL_SILENT = --silent +AM_VERBOSE_CC = @echo " CC " $@; +AM_VERBOSE_CCLD = @echo " CCLD " $@; +AM_VERBOSE_CXX = @echo " CXX " $@; +AM_VERBOSE_CXXLD = @echo " CXXLD " $@; +AM_VERBOSE_AR = @echo " AR " $@; +AM_VERBOSE_GEN = @echo " GEN " $@; +endif + +# +# Wildcard module list +# +pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c))) +@ENABLE_NFTABLES_TRUE@ pfb_build_mod := $(patsubst ${srcdir}/libebt_%.c,%,$(sort $(wildcard ${srcdir}/libebt_*.c))) +@ENABLE_NFTABLES_TRUE@ pfa_build_mod := $(patsubst ${srcdir}/libarpt_%.c,%,$(sort $(wildcard ${srcdir}/libarpt_*.c))) +pfx_symlinks := NOTRACK state +@ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c))) +@ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c))) +pfx_build_mod := $(filter-out @blacklist_modules@ @blacklist_x_modules@,${pfx_build_mod}) +pfb_build_mod := $(filter-out @blacklist_modules@ @blacklist_b_modules@,${pfb_build_mod}) +pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod}) +pf4_build_mod := 
$(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod}) +pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod}) +pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod}) +pfb_objs := $(patsubst %,libebt_%.o,${pfb_build_mod}) +pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_mod}) +pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod}) +pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod}) +pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod}) +pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod}) +pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod}) +pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod}) +pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod}) +pfx_symlink_files := $(patsubst %,libxt_%.so,${pfx_symlinks}) + + +# +# Building blocks +# +targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man +targets_install := +@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs} +@ENABLE_STATIC_TRUE@ libext_ebt_objs := ${pfb_objs} +@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs} +@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs} +@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs} +@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files} +@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} +@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files} + +.SECONDARY: + +.PHONY: all install uninstall clean distclean FORCE + +all: ${targets} + +install: ${targets_install} ${symlinks_install} + @mkdir -p "${DESTDIR}${xtlibdir}"; + if test -n "${targets_install}"; then \ + install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/"; \ + fi; + if test -n "${symlinks_install}"; then \ + cp -P ${symlinks_install} "${DESTDIR}${xtlibdir}/"; \ + fi; + +uninstall: + dir=${DESTDIR}${xtlibdir}; { \ + test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; \ + } || { \ + test -z "${targets_install}" || ( \ + cd "$$dir" && rm -f ${targets_install} \ + ); \ + test -z "${symlinks_install}" || ( \ + cd "$$dir" && rm -f ${symlinks_install} \ + ); \ + rmdir -p --ignore-fail-on-non-empty "$$dir"; \ + } + +clean: + rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c initextb.c initexta.c; + rm -f .*.d .*.dd; + +distclean: clean + +init%.o: init%.c + ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<; + +-include .*.d + + +# +# Shared libraries +# +lib%.so: lib%.oo + ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} ${LDFLAGS} -shared -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD}; + +lib%.oo: ${srcdir}/lib%.c + ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; + +libxt_NOTRACK.so: libxt_CT.so + ln -fs $< $@ +libxt_state.so: libxt_conntrack.so + ln -fs $< $@ + +# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD +xt_RATEEST_LIBADD = -lm +xt_statistic_LIBADD = -lm +xt_connlabel_LIBADD = @libnetfilter_conntrack_LIBS@ + +# +# Static bits +# +# If static building is disabled, libext*.a will still be generated, +# but will be empty. This is good since we can do with less case +# handling code in the Makefiles. 
+# +lib%.o: ${srcdir}/lib%.c + ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<; + +libext.a: initext.o ${libext_objs} + ${AM_VERBOSE_AR} ${AR} crs $@ $^; + +libext_ebt.a: initextb.o ${libext_ebt_objs} + ${AM_VERBOSE_AR} ${AR} crs $@ $^; + +libext_arpt.a: initexta.o ${libext_arpt_objs} + ${AM_VERBOSE_AR} ${AR} crs $@ $^; + +libext4.a: initext4.o ${libext4_objs} + ${AM_VERBOSE_AR} ${AR} crs $@ $^; + +libext6.a: initext6.o ${libext6_objs} + ${AM_VERBOSE_AR} ${AR} crs $@ $^; + +initext_func := $(addprefix xt_,${pfx_build_mod}) +initextb_func := $(addprefix ebt_,${pfb_build_mod}) +initexta_func := $(addprefix arpt_,${pfa_build_mod}) +initext4_func := $(addprefix ipt_,${pf4_build_mod}) +initext6_func := $(addprefix ip6t_,${pf6_build_mod}) + +.initext.dd: FORCE + @echo "${initext_func}" >$@.tmp; \ + cmp -s $@ $@.tmp || mv $@.tmp $@; \ + rm -f $@.tmp; + +.initextb.dd: FORCE + @echo "${initextb_func}" >$@.tmp; \ + cmp -s $@ $@.tmp || mv $@.tmp $@; \ + rm -f $@.tmp; + +.initexta.dd: FORCE + @echo "${initexta_func}" >$@.tmp; \ + cmp -s $@ $@.tmp || mv $@.tmp $@; \ + rm -f $@.tmp; + +.initext4.dd: FORCE + @echo "${initext4_func}" >$@.tmp; \ + cmp -s $@ $@.tmp || mv $@.tmp $@; \ + rm -f $@.tmp; + +.initext6.dd: FORCE + @echo "${initext6_func}" >$@.tmp; \ + cmp -s $@ $@.tmp || mv $@.tmp $@; \ + rm -f $@.tmp; + +initext.c: .initext.dd + ${AM_VERBOSE_GEN} + @( \ + echo "" >$@; \ + for i in ${initext_func}; do \ + echo "extern void lib$${i}_init(void);" >>$@; \ + done; \ + echo "void init_extensions(void);" >>$@; \ + echo "void init_extensions(void)" >>$@; \ + echo "{" >>$@; \ + for i in ${initext_func}; do \ + echo " ""lib$${i}_init();" >>$@; \ + done; \ + echo "}" >>$@; \ + ); + +initextb.c: .initextb.dd + ${AM_VERBOSE_GEN} + @( \ + echo "" >$@; \ + for i in ${initextb_func}; do \ + echo "extern void lib$${i}_init(void);" >>$@; \ + done; \ + echo "void init_extensionsb(void);" >>$@; \ + echo "void 
init_extensionsb(void)" >>$@; \ + echo "{" >>$@; \ + for i in ${initextb_func}; do \ + echo " ""lib$${i}_init();" >>$@; \ + done; \ + echo "}" >>$@; \ + ); + +initexta.c: .initexta.dd + ${AM_VERBOSE_GEN} + @( \ + echo "" >$@; \ + for i in ${initexta_func}; do \ + echo "extern void lib$${i}_init(void);" >>$@; \ + done; \ + echo "void init_extensionsa(void);" >>$@; \ + echo "void init_extensionsa(void)" >>$@; \ + echo "{" >>$@; \ + for i in ${initexta_func}; do \ + echo " ""lib$${i}_init();" >>$@; \ + done; \ + echo "}" >>$@; \ + ); + +initext4.c: .initext4.dd + ${AM_VERBOSE_GEN} + @( \ + echo "" >$@; \ + for i in ${initext4_func}; do \ + echo "extern void lib$${i}_init(void);" >>$@; \ + done; \ + echo "void init_extensions4(void);" >>$@; \ + echo "void init_extensions4(void)" >>$@; \ + echo "{" >>$@; \ + for i in ${initext4_func}; do \ + echo " ""lib$${i}_init();" >>$@; \ + done; \ + echo "}" >>$@; \ + ); + +initext6.c: .initext6.dd + ${AM_VERBOSE_GEN} + @( \ + echo "" >$@; \ + for i in ${initext6_func}; do \ + echo "extern void lib$${i}_init(void);" >>$@; \ + done; \ + echo "void init_extensions6(void);" >>$@; \ + echo "void init_extensions6(void)" >>$@; \ + echo "{" >>$@; \ + for i in ${initext6_func}; do \ + echo " ""lib$${i}_init();" >>$@; \ + done; \ + echo "}" >>$@; \ + ); + +# +# Manual pages +# +ex_matches = $(shell echo ${1} | LC_ALL=POSIX grep -Eo '\b[[:lower:][:digit:]_]+\b') +ex_targets = $(shell echo ${1} | LC_ALL=POSIX grep -Eo '\b[[:upper:][:digit:]_]+\b') +man_run = \ + ${AM_VERBOSE_GEN} \ + for ext in $(sort ${1}); do \ + f="${srcdir}/libxt_$$ext.man"; \ + if [ -f "$$f" ]; then \ + echo -e "\t+ $$f" >&2; \ + echo ".SS $$ext"; \ + cat "$$f" || exit $$?; \ + fi; \ + f="${srcdir}/libip6t_$$ext.man"; \ + if [ -f "$$f" ]; then \ + echo -e "\t+ $$f" >&2; \ + echo ".SS $$ext (IPv6-specific)"; \ + cat "$$f" || exit $$?; \ + fi; \ + f="${srcdir}/libipt_$$ext.man"; \ + if [ -f "$$f" ]; then \ + echo -e "\t+ $$f" >&2; \ + echo ".SS $$ext (IPv4-specific)"; \ + 
cat "$$f" || exit $$?; \ + fi; \ + done >$@; + +matches.man: .initext.dd .initextb.dd .initexta.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) + $(call man_run,$(call ex_matches,${pfx_build_mod} ${pfb_build_mod} ${pfa_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks})) + +targets.man: .initext.dd .initextb.dd .initexta.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) + $(call man_run,$(call ex_targets,${pfx_build_mod} ${pfb_build_mod} ${pfa_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks})) diff --git a/vendor/iptables-1.8.7/extensions/dscp_helper.c b/vendor/iptables-1.8.7/extensions/dscp_helper.c new file mode 100644 index 00000000..75b1fece --- /dev/null +++ b/vendor/iptables-1.8.7/extensions/dscp_helper.c 
@@ -0,0 +1,79 @@ +/* + * DiffServ classname <-> DiffServ codepoint mapping functions. + * + * The latest list of the mappings can be found at: + * + * + * This code is released under the GNU GPL v2, 1991 + * + * Author: Iain Barnes + */ + +#include +#include +#include + + +static const struct ds_class +{ + const char *name; + unsigned int dscp; +} ds_classes[] = +{ + { "CS0", 0x00 }, + { "CS1", 0x08 }, + { "CS2", 0x10 }, + { "CS3", 0x18 }, + { "CS4", 0x20 }, + { "CS5", 0x28 }, + { "CS6", 0x30 }, + { "CS7", 0x38 }, + { "BE", 0x00 }, + { "AF11", 0x0a }, + { "AF12", 0x0c }, + { "AF13", 0x0e }, + { "AF21", 0x12 }, + { "AF22", 0x14 }, + { "AF23", 0x16 }, + { "AF31", 0x1a }, + { "AF32", 0x1c }, + { "AF33", 0x1e }, + { "AF41", 0x22 }, + { "AF42", 0x24 }, + { "AF43", 0x26 }, + { "EF", 0x2e } +}; + + + +static unsigned int +class_to_dscp(const char *name) +{ + unsigned int i; + + for (i = 0; i < ARRAY_SIZE(ds_classes); i++) { + if (!strncasecmp(name, ds_classes[i].name, + strlen(ds_classes[i].name))) + return ds_classes[i].dscp; + } + + xtables_error(PARAMETER_PROBLEM, + "Invalid DSCP value `%s'\n", name); +} + + +#if 0 +static const char * +dscp_to_name(unsigned int dscp) +{ + int i; + + for (i = 0; i < ARRAY_SIZE(ds_classes); ++i) + if (dscp == ds_classes[i].dscp) + return ds_classes[i].name; + + xtables_error(PARAMETER_PROBLEM, + "Invalid DSCP value `%d'\n", dscp); +} +#endif + diff --git a/vendor/iptables-1.8.7/extensions/generic.txlate b/vendor/iptables-1.8.7/extensions/generic.txlate new file mode 100644 index 00000000..0e256c37 --- /dev/null +++ b/vendor/iptables-1.8.7/extensions/generic.txlate 
@@ -0,0 +1,36 @@
+iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
+nft insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept
+
+iptables-translate -F -t nat
+nft flush table ip nat
+
+iptables-translate -I INPUT -i iifname -s 10.0.0.0/8
+nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter
+
+iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8
+nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter
+
+ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
+nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter
+
+ebtables-translate -A FORWARD ! -i iname --logical-in ilogname -o out+ --logical-out lout+ -d 1:2:3:4:de:af
+nft add rule bridge filter FORWARD iifname != "iname" meta ibrname "ilogname" oifname "out*" meta obrname "lout*" ether daddr 01:02:03:04:de:af counter
+
+ebtables-translate -I INPUT -p ip -d 1:2:3:4:5:6/ff:ff:ff:ff:00:00
+nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00:00 and ff:ff:ff:ff:00:00 == 01:02:03:04:00:00 counter
+
+# asterisk is not special in iptables and it is even a valid interface name
+iptables-translate -A FORWARD -i '*' -o 'eth*foo'
+nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter
+
+# escape all asterisks but translate only the first plus character
+iptables-translate -A FORWARD -i 'eth*foo*+' -o 'eth++'
+nft add rule ip filter FORWARD iifname "eth\*foo\**" oifname "eth+*" counter
+
+# skip for always matching interface names
+iptables-translate -A FORWARD -i '+'
+nft add rule ip filter FORWARD counter
+
+# match against invalid interface name to simulate never matching rule
+iptables-translate -A FORWARD ! -i '+'
+nft add rule ip filter FORWARD iifname "INVAL/D" counter
diff --git a/vendor/iptables-1.8.7/extensions/iptables.t b/vendor/iptables-1.8.7/extensions/iptables.t
new file mode 100644
index 00000000..b4b6d677
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/iptables.t
@@ -0,0 +1,6 @@
+:FORWARD
+-i alongifacename0;=;OK
+-i thisinterfaceistoolong0;;FAIL
+-i eth+ -o alongifacename+;=;OK
+! -i eth0;=;OK
+! -o eth+;=;OK
diff --git a/vendor/iptables-1.8.7/extensions/libarpt_CLASSIFY.t b/vendor/iptables-1.8.7/extensions/libarpt_CLASSIFY.t
new file mode 100644
index 00000000..0cf0f2ce
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libarpt_CLASSIFY.t
@@ -0,0 +1,4 @@
+:OUTPUT
+-o lo --destination-mac 11:22:33:44:55:66;-o lo --dst-mac 11:22:33:44:55:66;OK
+--dst-mac Broadcast ;--dst-mac ff:ff:ff:ff:ff:ff;OK
+! -o eth+ -d 1.2.3.4/24 -j CLASSIFY --set-class 0:0;-j CLASSIFY ! -o eth+ -d 1.2.3.0/24 --set-class 0:0;OK
diff --git a/vendor/iptables-1.8.7/extensions/libarpt_MARK.t b/vendor/iptables-1.8.7/extensions/libarpt_MARK.t
new file mode 100644
index 00000000..3b13d44f
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libarpt_MARK.t
@@ -0,0 +1,4 @@
+:INPUT,OUTPUT
+-j MARK -d 0.0.0.0/8 --set-mark 1;=;OK
+-s ! 0.0.0.0 -j MARK --and-mark 0x17;-j MARK ! -s 0.0.0.0 --and-mark 17;OK
+-j MARK -s 0.0.0.0 --or-mark 17;=;OK
diff --git a/vendor/iptables-1.8.7/extensions/libarpt_mangle.c b/vendor/iptables-1.8.7/extensions/libarpt_mangle.c
new file mode 100644
index 00000000..a2378a8b
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libarpt_mangle.c
@@ -0,0 +1,193 @@
+/*
+ * Arturo Borrero Gonzalez adapted
+ * this code to libxtables for arptables-compat in 2015
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "iptables/nft.h"
+#include "iptables/nft-arp.h"
+
+static void arpmangle_print_help(void)
+{
+ printf(
+ "mangle target options:\n"
+ "--mangle-ip-s IP address\n"
+ "--mangle-ip-d IP address\n"
+ "--mangle-mac-s MAC address\n"
+ "--mangle-mac-d MAC address\n"
+ "--mangle-target target (DROP, CONTINUE or ACCEPT -- default is ACCEPT)\n");
+}
+
+#define MANGLE_IPS '1'
+#define MANGLE_IPT '2'
+#define MANGLE_DEVS '3'
+#define MANGLE_DEVT '4'
+#define MANGLE_TARGET '5'
+
+static const struct option arpmangle_opts[] = {
+ { .name = "mangle-ip-s", .has_arg = true, .val = MANGLE_IPS },
+ { .name = "mangle-ip-d", .has_arg = true, .val = MANGLE_IPT },
+ { .name = "mangle-mac-s", .has_arg = true, .val = MANGLE_DEVS },
+ { .name = "mangle-mac-d", .has_arg = true, .val = MANGLE_DEVT },
+ { .name = "mangle-target", .has_arg = true, .val = MANGLE_TARGET },
+ XT_GETOPT_TABLEEND,
+};
+
+static void arpmangle_init(struct xt_entry_target *target)
+{
+ struct arpt_mangle *mangle = (struct arpt_mangle *)target->data;
+
+ mangle->target = NF_ACCEPT;
+}
+
+static int
+arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct arpt_mangle *mangle = (struct arpt_mangle *)(*target)->data;
+ struct in_addr *ipaddr, mask;
+ struct ether_addr *macaddr;
+ const struct arpt_entry *e = (const struct arpt_entry *)entry;
+ unsigned int nr;
+ int ret = 1;
+
+ memset(&mask, 0, sizeof(mask));
+
+ switch (c) {
+ case MANGLE_IPS:
+ xtables_ipparse_any(optarg, &ipaddr, &mask, &nr);
+ mangle->u_s.src_ip.s_addr = ipaddr->s_addr;
+ free(ipaddr);
+ mangle->flags |= ARPT_MANGLE_SIP;
+ break;
+ case MANGLE_IPT:
+ xtables_ipparse_any(optarg, &ipaddr, &mask, &nr);
+ mangle->u_t.tgt_ip.s_addr = ipaddr->s_addr;
+
free(ipaddr);
+ mangle->flags |= ARPT_MANGLE_TIP;
+ break;
+ case MANGLE_DEVS:
+ if (e->arp.arhln_mask == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "no --h-length defined");
+ if (e->arp.invflags & ARPT_INV_ARPHLN)
+ xtables_error(PARAMETER_PROBLEM,
+ "! --h-length not allowed for "
+ "--mangle-mac-s");
+ if (e->arp.arhln != 6)
+ xtables_error(PARAMETER_PROBLEM,
+ "only --h-length 6 supported");
+ macaddr = ether_aton(optarg);
+ if (macaddr == NULL)
+ xtables_error(PARAMETER_PROBLEM,
+ "invalid source MAC");
+ memcpy(mangle->src_devaddr, macaddr, e->arp.arhln);
+ mangle->flags |= ARPT_MANGLE_SDEV;
+ break;
+ case MANGLE_DEVT:
+ if (e->arp.arhln_mask == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "no --h-length defined");
+ if (e->arp.invflags & ARPT_INV_ARPHLN)
+ xtables_error(PARAMETER_PROBLEM,
+ "! hln not allowed for --mangle-mac-d");
+ if (e->arp.arhln != 6)
+ xtables_error(PARAMETER_PROBLEM,
+ "only --h-length 6 supported");
+ macaddr = ether_aton(optarg);
+ if (macaddr == NULL)
+ xtables_error(PARAMETER_PROBLEM, "invalid target MAC");
+ memcpy(mangle->tgt_devaddr, macaddr, e->arp.arhln);
+ mangle->flags |= ARPT_MANGLE_TDEV;
+ break;
+ case MANGLE_TARGET:
+ if (!strcmp(optarg, "DROP"))
+ mangle->target = NF_DROP;
+ else if (!strcmp(optarg, "ACCEPT"))
+ mangle->target = NF_ACCEPT;
+ else if (!strcmp(optarg, "CONTINUE"))
+ mangle->target = XT_CONTINUE;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "bad target for --mangle-target");
+ break;
+ default:
+ ret = 0;
+ }
+
+ return ret;
+}
+
+static void arpmangle_final_check(unsigned int flags)
+{
+}
+
+static const char *ipaddr_to(const struct in_addr *addrp, int numeric)
+{
+ if (numeric)
+ return xtables_ipaddr_to_numeric(addrp);
+ else
+ return xtables_ipaddr_to_anyname(addrp);
+}
+
+static void
+arpmangle_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ struct arpt_mangle *m = (struct arpt_mangle *)(target->data);
+
+ if (m->flags & ARPT_MANGLE_SIP) {
+ printf(" --mangle-ip-s %s",
+
ipaddr_to(&(m->u_s.src_ip), numeric));
+ }
+ if (m->flags & ARPT_MANGLE_SDEV) {
+ printf(" --mangle-mac-s ");
+ xtables_print_mac((unsigned char *)m->src_devaddr);
+ }
+ if (m->flags & ARPT_MANGLE_TIP) {
+ printf(" --mangle-ip-d %s",
+ ipaddr_to(&(m->u_t.tgt_ip), numeric));
+ }
+ if (m->flags & ARPT_MANGLE_TDEV) {
+ printf(" --mangle-mac-d ");
+ xtables_print_mac((unsigned char *)m->tgt_devaddr);
+ }
+ if (m->target != NF_ACCEPT) {
+ printf(" --mangle-target %s",
+ m->target == NF_DROP ? "DROP" : "CONTINUE");
+ }
+}
+
+static void arpmangle_save(const void *ip, const struct xt_entry_target *target)
+{
+ arpmangle_print(ip, target, 0);
+}
+
+static struct xtables_target arpmangle_target = {
+ .name = "mangle",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_ARP,
+ .size = XT_ALIGN(sizeof(struct arpt_mangle)),
+ .userspacesize = XT_ALIGN(sizeof(struct arpt_mangle)),
+ .help = arpmangle_print_help,
+ .init = arpmangle_init,
+ .parse = arpmangle_parse,
+ .final_check = arpmangle_final_check,
+ .print = arpmangle_print,
+ .save = arpmangle_save,
+ .extra_opts = arpmangle_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&arpmangle_target);
+}
diff --git a/vendor/iptables-1.8.7/extensions/libarpt_mangle.t b/vendor/iptables-1.8.7/extensions/libarpt_mangle.t
new file mode 100644
index 00000000..da966948
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libarpt_mangle.t
@@ -0,0 +1,5 @@
+:OUTPUT
+-j mangle -s 1.2.3.4 --mangle-ip-s 1.2.3.5;=;OK
+-j mangle -d 1.2.3.4 --mangle-ip-d 1.2.3.5;=;OK
+-j mangle -d 1.2.3.4 --mangle-mac-d 00:01:02:03:04:05;=;OK
+-d 1.2.3.4 --h-length 5 -j mangle --mangle-mac-s 00:01:02:03:04:05;=;FAIL
diff --git a/vendor/iptables-1.8.7/extensions/libarpt_standard.t b/vendor/iptables-1.8.7/extensions/libarpt_standard.t
new file mode 100644
index 00000000..e84a00b7
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libarpt_standard.t
@@ -0,0 +1,14 @@
+:INPUT
+-s 192.168.0.1;=;OK
+-s 0.0.0.0/8;=;OK
+-s ! 0.0.0.0;! -s 0.0.0.0;OK
+-d 192.168.0.1;=;OK
+! -d 0.0.0.0;=;OK
+-d 0.0.0.0/24;=;OK
+-j DROP -i lo;=;OK
+-j ACCEPT ! -i lo;=;OK
+-i ppp+;=;OK
+! -i ppp+;=;OK
+-i lo --destination-mac 11:22:33:44:55:66;-i lo --dst-mac 11:22:33:44:55:66;OK
+--source-mac Unicast;--src-mac 00:00:00:00:00:00/01:00:00:00:00:00;OK
+! --src-mac Multicast;! --src-mac 01:00:00:00:00:00/01:00:00:00:00:00;OK
diff --git a/vendor/iptables-1.8.7/extensions/libebt_802_3.c b/vendor/iptables-1.8.7/extensions/libebt_802_3.c
new file mode 100644
index 00000000..f05d02ea
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_802_3.c
@@ -0,0 +1,133 @@
+/* 802_3
+ *
+ * Author:
+ * Chris Vitale
+ *
+ * May 2003
+ *
+ * Adapted by Arturo Borrero Gonzalez
+ * to use libxtables for ebtables-compat
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define _802_3_SAP '1'
+#define _802_3_TYPE '2'
+
+static const struct option br802_3_opts[] = {
+ { .name = "802_3-sap", .has_arg = true, .val = _802_3_SAP },
+ { .name = "802_3-type", .has_arg = true, .val = _802_3_TYPE },
+ XT_GETOPT_TABLEEND,
+};
+
+static void br802_3_print_help(void)
+{
+ printf(
+"802_3 options:\n"
+"--802_3-sap [!] protocol : 802.3 DSAP/SSAP- 1 byte value (hex)\n"
+" DSAP and SSAP are always the same. One SAP applies to both fields\n"
+"--802_3-type [!] protocol : 802.3 SNAP Type- 2 byte value (hex)\n"
+" Type implies SAP value 0xaa\n");
+}
+
+static void br802_3_init(struct xt_entry_match *match)
+{
+ struct ebt_802_3_info *info = (struct ebt_802_3_info *)match->data;
+
+ info->invflags = 0;
+ info->bitmask = 0;
+}
+
+static int
+br802_3_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ebt_802_3_info *info = (struct ebt_802_3_info *) (*match)->data;
+ unsigned int i;
+ char *end;
+
+ switch (c) {
+ case _802_3_SAP:
+ if (invert)
+ info->invflags |= EBT_802_3_SAP;
+ i = strtoul(optarg, &end, 16);
+ if (i > 255 || *end != '\0')
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with specified "
+ "sap hex value, %x",i);
+ info->sap = i; /* one byte, so no byte order worries */
+ info->bitmask |= EBT_802_3_SAP;
+ break;
+ case _802_3_TYPE:
+ if (invert)
+ info->invflags |= EBT_802_3_TYPE;
+ i = strtoul(optarg, &end, 16);
+ if (i > 65535 || *end != '\0') {
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with the specified "
+ "type hex value, %x",i);
+ }
+ info->type = htons(i);
+ info->bitmask |= EBT_802_3_TYPE;
+ break;
+ default:
+ return 0;
+ }
+
+ *flags |= info->bitmask;
+ return 1;
+}
+
+static void
+br802_3_final_check(unsigned int 
flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "You must specify proper arguments");
+}
+
+static void br802_3_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ struct ebt_802_3_info *info = (struct ebt_802_3_info *)match->data;
+
+ if (info->bitmask & EBT_802_3_SAP) {
+ printf("--802_3-sap ");
+ if (info->invflags & EBT_802_3_SAP)
+ printf("! ");
+ printf("0x%.2x ", info->sap);
+ }
+ if (info->bitmask & EBT_802_3_TYPE) {
+ printf("--802_3-type ");
+ if (info->invflags & EBT_802_3_TYPE)
+ printf("! ");
+ printf("0x%.4x ", ntohs(info->type));
+ }
+}
+
+static struct xtables_match br802_3_match =
+{
+ .name = "802_3",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_BRIDGE,
+ .size = XT_ALIGN(sizeof(struct ebt_802_3_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ebt_802_3_info)),
+ .init = br802_3_init,
+ .help = br802_3_print_help,
+ .parse = br802_3_parse,
+ .final_check = br802_3_final_check,
+ .print = br802_3_print,
+ .extra_opts = br802_3_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&br802_3_match);
+}
diff --git a/vendor/iptables-1.8.7/extensions/libebt_802_3.t b/vendor/iptables-1.8.7/extensions/libebt_802_3.t
new file mode 100644
index 00000000..ddfb2f0a
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_802_3.t
@@ -0,0 +1,3 @@
+:INPUT,FORWARD,OUTPUT
+--802_3-sap ! 0x0a -j CONTINUE;=;OK
+--802_3-type 0x000a -j RETURN;=;OK
diff --git a/vendor/iptables-1.8.7/extensions/libebt_among.c b/vendor/iptables-1.8.7/extensions/libebt_among.c
new file mode 100644
index 00000000..2b9a1b65
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_among.c
@@ -0,0 +1,243 @@
+/* ebt_among
+ *
+ * Authors:
+ * Grzegorz Borowiak
+ *
+ * August, 2003
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "iptables/nft.h"
+#include "iptables/nft-bridge.h"
+
+#define AMONG_DST '1'
+#define AMONG_SRC '2'
+#define AMONG_DST_F '3'
+#define AMONG_SRC_F '4'
+
+static const struct option bramong_opts[] = {
+ {"among-dst", required_argument, 0, AMONG_DST},
+ {"among-src", required_argument, 0, AMONG_SRC},
+ {"among-dst-file", required_argument, 0, AMONG_DST_F},
+ {"among-src-file", required_argument, 0, AMONG_SRC_F},
+ {0}
+};
+
+static void bramong_print_help(void)
+{
+ printf(
+"`among' options:\n"
+"--among-dst [!] list : matches if ether dst is in list\n"
+"--among-src [!] list : matches if ether src is in list\n"
+"--among-dst-file [!] file : obtain dst list from file\n"
+"--among-src-file [!] file : obtain src list from file\n"
+"list has form:\n"
+" xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip],yy:yy:yy:yy:yy:yy[=ip.ip.ip.ip]"
+",...,zz:zz:zz:zz:zz:zz[=ip.ip.ip.ip][,]\n"
+"Things in brackets are optional.\n"
+"If you want to allow two (or more) IP addresses to one MAC address, you\n"
+"can specify two (or more) pairs with the same MAC, e.g.\n"
+" 00:00:00:fa:eb:fe=153.19.120.250,00:00:00:fa:eb:fe=192.168.0.1\n"
+ );
+}
+
+static void
+parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
+{
+ char *sep = index(buf, '=');
+ struct ether_addr *ether;
+
+ if (sep) {
+ *sep = '\0';
+
+ if (!inet_aton(sep + 1, &pair->in))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid IP address '%s'\n", sep + 1);
+ }
+ ether = ether_aton(buf);
+ if (!ether)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid MAC address '%s'\n", buf);
+ memcpy(&pair->ether, ether, sizeof(*ether));
+}
+
+static void
+parse_nft_among_pairs(struct nft_among_pair *pairs, char *buf,
+ size_t cnt, bool have_ip)
+{
+ size_t tmpcnt = 0;
+
+ buf = strtok(buf, ",");
+ while (buf) {
+ struct nft_among_pair pair = {};
+
+ parse_nft_among_pair(buf, &pair, have_ip);
+ nft_among_insert_pair(pairs, &tmpcnt, &pair);
+ buf = strtok(NULL, ",");
+ }
+}
+
+static size_t count_nft_among_pairs(char *buf)
+{
+ size_t cnt = 0;
+ char *p = buf;
+
+ if (!*buf)
+ return 0;
+
+ do {
+ cnt++;
+ p = index(++p, ',');
+ } while (p);
+
+ return cnt;
+}
+
+static bool nft_among_pairs_have_ip(char *buf)
+{
+ return !!index(buf, '=');
+}
+
+static int bramong_parse(int c, char **argv, int invert,
+ unsigned int *flags, const void *entry,
+ struct xt_entry_match **match)
+{
+ struct nft_among_data *data = (struct nft_among_data *)(*match)->data;
+ struct xt_entry_match *new_match;
+ bool have_ip, dst = false;
+ size_t new_size, cnt;
+ struct stat stats;
+ int fd = -1, poff;
+ long flen = 0;
+
+ switch (c) {
+ case AMONG_DST_F:
+ dst = true;
+ /* fall through */
+ case AMONG_SRC_F:
+ if ((fd = open(optarg, O_RDONLY)) == -1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Couldn't open file '%s'", optarg);
+ if (fstat(fd, &stats) < 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "fstat(%s) failed: '%s'",
+ optarg, strerror(errno));
+ flen = stats.st_size;
+ /* use mmap because the file will probably be big */
+ optarg = mmap(0, flen, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE, fd, 0);
+ if (optarg == MAP_FAILED)
+ xtables_error(PARAMETER_PROBLEM,
+ "Couldn't map file to memory");
+ if (optarg[flen-1] != '\n')
+ xtables_error(PARAMETER_PROBLEM,
+ "File should end with a newline");
+ if (strchr(optarg, '\n') != optarg+flen-1)
+ xtables_error(PARAMETER_PROBLEM,
+ "File should only contain one line");
+ optarg[flen-1] = '\0';
+ /* fall through */
+ case AMONG_DST:
+ if (c == AMONG_DST)
+ dst = true;
+ /* fall through */
+ case AMONG_SRC:
+ break;
+ default:
+ return 0;
+ }
+
+ cnt = count_nft_among_pairs(optarg);
+ if (cnt == 0)
+ return 0;
+
+ new_size = data->src.cnt + data->dst.cnt + cnt;
+ new_size *= sizeof(struct nft_among_pair);
+ new_size += 
XT_ALIGN(sizeof(struct xt_entry_match)) +
+ sizeof(struct nft_among_data);
+ new_match = xtables_calloc(1, new_size);
+ memcpy(new_match, *match, (*match)->u.match_size);
+ new_match->u.match_size = new_size;
+
+ data = (struct nft_among_data *)new_match->data;
+ have_ip = nft_among_pairs_have_ip(optarg);
+ poff = nft_among_prepare_data(data, dst, cnt, invert, have_ip);
+ parse_nft_among_pairs(data->pairs + poff, optarg, cnt, have_ip);
+
+ free(*match);
+ *match = new_match;
+
+ if (c == AMONG_DST_F || c == AMONG_SRC_F) {
+ munmap(argv, flen);
+ close(fd);
+ }
+ return 1;
+}
+
+static void __bramong_print(struct nft_among_pair *pairs,
+ int cnt, bool inv, bool have_ip)
+{
+ const char *isep = inv ? "! " : "";
+ int i;
+
+ for (i = 0; i < cnt; i++) {
+ printf("%s", isep);
+ isep = ",";
+
+ printf("%s", ether_ntoa(&pairs[i].ether));
+ if (pairs[i].in.s_addr != INADDR_ANY)
+ printf("=%s", inet_ntoa(pairs[i].in));
+ }
+ printf(" ");
+}
+
+static void bramong_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ struct nft_among_data *data = (struct nft_among_data *)match->data;
+
+ if (data->src.cnt) {
+ printf("--among-src ");
+ __bramong_print(data->pairs,
+ data->src.cnt, data->src.inv, data->src.ip);
+ }
+ if (data->dst.cnt) {
+ printf("--among-dst ");
+ __bramong_print(data->pairs + data->src.cnt,
+ data->dst.cnt, data->dst.inv, data->dst.ip);
+ }
+}
+
+static struct xtables_match bramong_match = {
+ .name = "among",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_BRIDGE,
+ .size = XT_ALIGN(sizeof(struct nft_among_data)),
+ .userspacesize = XT_ALIGN(sizeof(struct nft_among_data)),
+ .help = bramong_print_help,
+ .parse = bramong_parse,
+ .print = bramong_print,
+ .extra_opts = bramong_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&bramong_match);
+}
diff --git a/vendor/iptables-1.8.7/extensions/libebt_among.t b/vendor/iptables-1.8.7/extensions/libebt_among.t
new file mode 100644
index 00000000..a02206f3
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_among.t
@@ -0,0 +1,16 @@
+:INPUT,FORWARD,OUTPUT
+--among-dst de:ad:0:be:ee:ff,c0:ff:ee:0:ba:be;--among-dst c0:ff:ee:0:ba:be,de:ad:0:be:ee:ff;OK
+--among-dst ! c0:ff:ee:0:ba:be,de:ad:0:be:ee:ff;=;OK
+--among-src be:ef:0:c0:ff:ee,c0:ff:ee:0:ba:be,de:ad:0:be:ee:ff;=;OK
+--among-src de:ad:0:be:ee:ff=10.0.0.1,c0:ff:ee:0:ba:be=192.168.1.1;--among-src c0:ff:ee:0:ba:be=192.168.1.1,de:ad:0:be:ee:ff=10.0.0.1;OK
+--among-src ! c0:ff:ee:0:ba:be=192.168.1.1,de:ad:0:be:ee:ff=10.0.0.1;=;OK
+--among-src de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be;=;OK
+--among-src de:ad:0:be:ee:ff=10.0.0.1 --among-dst c0:ff:ee:0:ba:be=192.168.1.1;=;OK
+--among-src ! de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be;=;OK
+--among-src de:ad:0:be:ee:ff=10.0.0.1 --among-dst ! c0:ff:ee:0:ba:be=192.168.1.1;=;OK
+--among-src ! de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be=192.168.1.1;=;OK
+--among-src de:ad:0:be:ee:ff=10.0.0.1 --among-dst ! c0:ff:ee:0:ba:be=192.168.1.1;=;OK
+--among-src;=;FAIL
+--among-src 00:11=10.0.0.1;=;FAIL
+--among-src de:ad:0:be:ee:ff=10.256.0.1;=;FAIL
+--among-src c0:ff:ee:0:ba:be=192.168.1.1,de:ad:0:be:ee:ff;=;OK
diff --git a/vendor/iptables-1.8.7/extensions/libebt_arp.c b/vendor/iptables-1.8.7/extensions/libebt_arp.c
new file mode 100644
index 00000000..d5035b95
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_arp.c
@@ -0,0 +1,363 @@
+/* ebt_arp
+ *
+ * Authors:
+ * Bart De Schuymer
+ * Tim Gardner
+ *
+ * April, 2002
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include "iptables/nft.h"
+#include "iptables/nft-bridge.h"
+
+#define ARP_OPCODE '1'
+#define ARP_HTYPE '2'
+#define ARP_PTYPE '3'
+#define ARP_IP_S '4'
+#define ARP_IP_D '5'
+#define ARP_MAC_S '6'
+#define ARP_MAC_D '7'
+#define ARP_GRAT '8'
+
+static const struct option brarp_opts[] = {
+ { "arp-opcode" , required_argument, 0, ARP_OPCODE },
+ { "arp-op" , required_argument, 0, ARP_OPCODE },
+ { "arp-htype" , required_argument, 0, ARP_HTYPE },
+ { "arp-ptype" , required_argument, 0, ARP_PTYPE },
+ { "arp-ip-src" , required_argument, 0, ARP_IP_S },
+ { "arp-ip-dst" , required_argument, 0, ARP_IP_D },
+ { "arp-mac-src" , required_argument, 0, ARP_MAC_S },
+ { "arp-mac-dst" , required_argument, 0, ARP_MAC_D },
+ { "arp-gratuitous", no_argument, 0, ARP_GRAT },
+ XT_GETOPT_TABLEEND,
+};
+
+/* a few names */
+static char *opcodes[] =
+{
+ "Request",
+ "Reply",
+ "Request_Reverse",
+ "Reply_Reverse",
+ "DRARP_Request",
+ "DRARP_Reply",
+ "DRARP_Error",
+ "InARP_Request",
+ "ARP_NAK",
+};
+
+static void brarp_print_help(void)
+{
+ int i;
+
+ printf(
+"arp options:\n"
+"--arp-opcode [!] opcode : ARP opcode (integer or string)\n"
+"--arp-htype [!] type : ARP hardware type (integer or string)\n"
+"--arp-ptype [!] type : ARP protocol type (hexadecimal or string)\n"
+"--arp-ip-src [!] address[/mask]: ARP IP source specification\n"
+"--arp-ip-dst [!] address[/mask]: ARP IP target specification\n"
+"--arp-mac-src [!] address[/mask]: ARP MAC source specification\n"
+"--arp-mac-dst [!] address[/mask]: ARP MAC target specification\n"
+"[!] 
--arp-gratuitous : ARP gratuitous packet\n"
+" opcode strings: \n");
+ for (i = 0; i < ARRAY_SIZE(opcodes); i++)
+ printf(" %d = %s\n", i + 1, opcodes[i]);
+ printf(
+" hardware type string: 1 = Ethernet\n"
+" protocol type string: see "XT_PATH_ETHERTYPES"\n");
+}
+
+#define OPT_OPCODE 0x01
+#define OPT_HTYPE 0x02
+#define OPT_PTYPE 0x04
+#define OPT_IP_S 0x08
+#define OPT_IP_D 0x10
+#define OPT_MAC_S 0x20
+#define OPT_MAC_D 0x40
+#define OPT_GRAT 0x80
+
+static int undot_ip(char *ip, unsigned char *ip2)
+{
+ char *p, *q, *end;
+ long int onebyte;
+ int i;
+ char buf[20];
+
+ strncpy(buf, ip, sizeof(buf) - 1);
+
+ p = buf;
+ for (i = 0; i < 3; i++) {
+ if ((q = strchr(p, '.')) == NULL)
+ return -1;
+ *q = '\0';
+ onebyte = strtol(p, &end, 10);
+ if (*end != '\0' || onebyte > 255 || onebyte < 0)
+ return -1;
+ ip2[i] = (unsigned char)onebyte;
+ p = q + 1;
+ }
+
+ onebyte = strtol(p, &end, 10);
+ if (*end != '\0' || onebyte > 255 || onebyte < 0)
+ return -1;
+ ip2[3] = (unsigned char)onebyte;
+
+ return 0;
+}
+
+static int ip_mask(char *mask, unsigned char *mask2)
+{
+ char *end;
+ long int bits;
+ uint32_t mask22;
+
+ if (undot_ip(mask, mask2)) {
+ /* not the /a.b.c.e format, maybe the /x format */
+ bits = strtol(mask, &end, 10);
+ if (*end != '\0' || bits > 32 || bits < 0)
+ return -1;
+ if (bits != 0) {
+ mask22 = htonl(0xFFFFFFFF << (32 - bits));
+ memcpy(mask2, &mask22, 4);
+ } else {
+ mask22 = 0xFFFFFFFF;
+ memcpy(mask2, &mask22, 4);
+ }
+ }
+ return 0;
+}
+
+static void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk)
+{
+ char *p;
+
+ /* first the mask */
+ if ((p = strrchr(address, '/')) != NULL) {
+ *p = '\0';
+ if (ip_mask(p + 1, (unsigned char *)msk)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with the IP mask '%s'", p + 1);
+ return;
+ }
+ } else
+ *msk = 0xFFFFFFFF;
+
+ if (undot_ip(address, (unsigned char *)addr)) {
+ xtables_error(PARAMETER_PROBLEM,
+ "Problem with the IP address '%s'", address);
+ return;
+ }
+ *addr = *addr 
& *msk;
+}
+
+static int
+brarp_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ebt_arp_info *arpinfo = (struct ebt_arp_info *)(*match)->data;
+ long int i;
+ char *end;
+ uint32_t *addr;
+ uint32_t *mask;
+ unsigned char *maddr;
+ unsigned char *mmask;
+
+ switch (c) {
+ case ARP_OPCODE:
+ EBT_CHECK_OPTION(flags, OPT_OPCODE);
+ if (invert)
+ arpinfo->invflags |= EBT_ARP_OPCODE;
+ i = strtol(optarg, &end, 10);
+ if (i < 0 || i >= (0x1 << 16) || *end !='\0') {
+ for (i = 0; i < ARRAY_SIZE(opcodes); i++)
+ if (!strcasecmp(opcodes[i], optarg))
+ break;
+ if (i == ARRAY_SIZE(opcodes))
+ xtables_error(PARAMETER_PROBLEM, "Problem with specified ARP opcode");
+ i++;
+ }
+ arpinfo->opcode = htons(i);
+ arpinfo->bitmask |= EBT_ARP_OPCODE;
+ break;
+
+ case ARP_HTYPE:
+ EBT_CHECK_OPTION(flags, OPT_HTYPE);
+ if (invert)
+ arpinfo->invflags |= EBT_ARP_HTYPE;
+ i = strtol(optarg, &end, 10);
+ if (i < 0 || i >= (0x1 << 16) || *end !='\0') {
+ if (!strcasecmp("Ethernet", argv[optind - 1]))
+ i = 1;
+ else
+ xtables_error(PARAMETER_PROBLEM, "Problem with specified ARP hardware type");
+ }
+ arpinfo->htype = htons(i);
+ arpinfo->bitmask |= EBT_ARP_HTYPE;
+ break;
+ case ARP_PTYPE: {
+ uint16_t proto;
+
+ EBT_CHECK_OPTION(flags, OPT_PTYPE);
+ if (invert)
+ arpinfo->invflags |= EBT_ARP_PTYPE;
+
+ i = strtol(optarg, &end, 16);
+ if (i < 0 || i >= (0x1 << 16) || *end !='\0') {
+ struct xt_ethertypeent *ent;
+
+ ent = xtables_getethertypebyname(argv[optind - 1]);
+ if (!ent)
+ xtables_error(PARAMETER_PROBLEM, "Problem with specified ARP "
+ "protocol type");
+ proto = ent->e_ethertype;
+
+ } else
+ proto = i;
+ arpinfo->ptype = htons(proto);
+ arpinfo->bitmask |= EBT_ARP_PTYPE;
+ break;
+ }
+
+ case ARP_IP_S:
+ case ARP_IP_D:
+ if (c == ARP_IP_S) {
+ EBT_CHECK_OPTION(flags, OPT_IP_S);
+ addr = &arpinfo->saddr;
+ mask = &arpinfo->smsk;
+ arpinfo->bitmask |= EBT_ARP_SRC_IP;
+ } else {
+ EBT_CHECK_OPTION(flags, 
OPT_IP_D);
+ addr = &arpinfo->daddr;
+ mask = &arpinfo->dmsk;
+ arpinfo->bitmask |= EBT_ARP_DST_IP;
+ }
+ if (invert) {
+ if (c == ARP_IP_S)
+ arpinfo->invflags |= EBT_ARP_SRC_IP;
+ else
+ arpinfo->invflags |= EBT_ARP_DST_IP;
+ }
+ ebt_parse_ip_address(optarg, addr, mask);
+ break;
+ case ARP_MAC_S:
+ case ARP_MAC_D:
+ if (c == ARP_MAC_S) {
+ EBT_CHECK_OPTION(flags, OPT_MAC_S);
+ maddr = arpinfo->smaddr;
+ mmask = arpinfo->smmsk;
+ arpinfo->bitmask |= EBT_ARP_SRC_MAC;
+ } else {
+ EBT_CHECK_OPTION(flags, OPT_MAC_D);
+ maddr = arpinfo->dmaddr;
+ mmask = arpinfo->dmmsk;
+ arpinfo->bitmask |= EBT_ARP_DST_MAC;
+ }
+ if (invert) {
+ if (c == ARP_MAC_S)
+ arpinfo->invflags |= EBT_ARP_SRC_MAC;
+ else
+ arpinfo->invflags |= EBT_ARP_DST_MAC;
+ }
+ if (xtables_parse_mac_and_mask(optarg, maddr, mmask))
+ xtables_error(PARAMETER_PROBLEM, "Problem with ARP MAC address argument");
+ break;
+ case ARP_GRAT:
+ EBT_CHECK_OPTION(flags, OPT_GRAT);
+ arpinfo->bitmask |= EBT_ARP_GRAT;
+ if (invert)
+ arpinfo->invflags |= EBT_ARP_GRAT;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void brarp_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct ebt_arp_info *arpinfo = (struct ebt_arp_info *)match->data;
+
+ if (arpinfo->bitmask & EBT_ARP_OPCODE) {
+ int opcode = ntohs(arpinfo->opcode);
+ printf("--arp-op ");
+ if (arpinfo->invflags & EBT_ARP_OPCODE)
+ printf("! ");
+ if (opcode > 0 && opcode <= ARRAY_SIZE(opcodes))
+ printf("%s ", opcodes[opcode - 1]);
+ else
+ printf("%d ", opcode);
+ }
+ if (arpinfo->bitmask & EBT_ARP_HTYPE) {
+ printf("--arp-htype ");
+ if (arpinfo->invflags & EBT_ARP_HTYPE)
+ printf("! ");
+ printf("%d ", ntohs(arpinfo->htype));
+ }
+ if (arpinfo->bitmask & EBT_ARP_PTYPE) {
+ printf("--arp-ptype ");
+ if (arpinfo->invflags & EBT_ARP_PTYPE)
+ printf("! 
"); + printf("0x%x ", ntohs(arpinfo->ptype)); + } + if (arpinfo->bitmask & EBT_ARP_SRC_IP) { + printf("--arp-ip-src "); + if (arpinfo->invflags & EBT_ARP_SRC_IP) + printf("! "); + printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->saddr), + xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->smsk)); + } + if (arpinfo->bitmask & EBT_ARP_DST_IP) { + printf("--arp-ip-dst "); + if (arpinfo->invflags & EBT_ARP_DST_IP) + printf("! "); + printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->daddr), + xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->dmsk)); + } + if (arpinfo->bitmask & EBT_ARP_SRC_MAC) { + printf("--arp-mac-src "); + if (arpinfo->invflags & EBT_ARP_SRC_MAC) + printf("! "); + xtables_print_mac_and_mask(arpinfo->smaddr, arpinfo->smmsk); + printf(" "); + } + if (arpinfo->bitmask & EBT_ARP_DST_MAC) { + printf("--arp-mac-dst "); + if (arpinfo->invflags & EBT_ARP_DST_MAC) + printf("! "); + xtables_print_mac_and_mask(arpinfo->dmaddr, arpinfo->dmmsk); + printf(" "); + } + if (arpinfo->bitmask & EBT_ARP_GRAT) { + if (arpinfo->invflags & EBT_ARP_GRAT) + printf("! "); + printf("--arp-gratuitous "); + } +} + +static struct xtables_match brarp_match = { + .name = "arp", + .version = XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_arp_info)), + .userspacesize = XT_ALIGN(sizeof(struct ebt_arp_info)), + .help = brarp_print_help, + .parse = brarp_parse, + .print = brarp_print, + .extra_opts = brarp_opts, +}; + +void _init(void) +{ + xtables_register_match(&brarp_match); +} diff --git a/vendor/iptables-1.8.7/extensions/libebt_arp.t b/vendor/iptables-1.8.7/extensions/libebt_arp.t new file mode 100644 index 00000000..14ff0f09 --- /dev/null +++ b/vendor/iptables-1.8.7/extensions/libebt_arp.t 
@@ -0,0 +1,12 @@
+:INPUT,FORWARD,OUTPUT
+-p ARP --arp-op Request;=;OK
+-p ARP --arp-htype ! 1;=;OK
+-p ARP --arp-ptype 0x2;=;OK
+-p ARP --arp-ip-src 1.2.3.4;=;OK
+-p ARP ! --arp-ip-dst 1.2.3.4;-p ARP --arp-ip-dst ! 1.2.3.4 -j CONTINUE;OK
+-p ARP --arp-ip-src ! 0.0.0.0;=;OK
+-p ARP --arp-ip-dst ! 0.0.0.0/8;=;OK
+-p ARP --arp-mac-src 00:de:ad:be:ef:00;=;OK
+-p ARP --arp-mac-dst de:ad:be:ef:00:00/ff:ff:ff:ff:00:00;=;OK
+-p ARP --arp-gratuitous;=;OK
+--arp-htype 1;=;FAIL
diff --git a/vendor/iptables-1.8.7/extensions/libebt_arpreply.c b/vendor/iptables-1.8.7/extensions/libebt_arpreply.c
new file mode 100644
index 00000000..80ba2159
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_arpreply.c
@@ -0,0 +1,101 @@
+/* ebt_arpreply
+ *
+ * Authors:
+ * Grzegorz Borowiak
+ * Bart De Schuymer
+ *
+ * August, 2003
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "iptables/nft.h"
+#include "iptables/nft-bridge.h"
+
+#define OPT_REPLY_MAC 0x01
+#define OPT_REPLY_TARGET 0x02
+
+#define REPLY_MAC '1'
+#define REPLY_TARGET '2'
+static const struct option brarpreply_opts[] = {
+ { "arpreply-mac" , required_argument, 0, REPLY_MAC },
+ { "arpreply-target" , required_argument, 0, REPLY_TARGET },
+ XT_GETOPT_TABLEEND,
+};
+
+static void brarpreply_print_help(void)
+{
+ printf(
+ "arpreply target options:\n"
+ " --arpreply-mac address : source MAC of generated reply\n"
+ " --arpreply-target target : ACCEPT, DROP, RETURN or CONTINUE\n"
+ " (standard target is DROP)\n");
+}
+
+static void brarpreply_init(struct xt_entry_target *target)
+{
+ struct ebt_arpreply_info *replyinfo = (void *)target->data;
+
+ replyinfo->target = EBT_DROP;
+}
+
+static int
+brarpreply_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **tg)
+
+{
+ struct ebt_arpreply_info *replyinfo = (void *)(*tg)->data;
+ struct ether_addr *addr;
+
+ switch (c) {
+ case REPLY_MAC:
+ EBT_CHECK_OPTION(flags, OPT_REPLY_MAC);
+ if (!(addr = ether_aton(optarg)))
+ xtables_error(PARAMETER_PROBLEM, "Problem with specified --arpreply-mac mac");
+ memcpy(replyinfo->mac, addr, ETH_ALEN);
+ break;
+ case REPLY_TARGET:
+ EBT_CHECK_OPTION(flags, OPT_REPLY_TARGET);
+ if (ebt_fill_target(optarg, (unsigned int *)&replyinfo->target))
+ xtables_error(PARAMETER_PROBLEM, "Illegal --arpreply-target target");
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void brarpreply_print(const void *ip, const struct xt_entry_target *t, int numeric)
+{
+ struct ebt_arpreply_info *replyinfo = (void *)t->data;
+
+ printf("--arpreply-mac ");
+ xtables_print_mac(replyinfo->mac);
+ if (replyinfo->target == EBT_DROP)
+ return;
+ printf(" 
--arpreply-target %s", ebt_target_name(replyinfo->target));
+}
+
+static struct xtables_target arpreply_target = {
+ .name = "arpreply",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_BRIDGE,
+ .init = brarpreply_init,
+ .size = XT_ALIGN(sizeof(struct ebt_arpreply_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ebt_arpreply_info)),
+ .help = brarpreply_print_help,
+ .parse = brarpreply_parse,
+ .print = brarpreply_print,
+ .extra_opts = brarpreply_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&arpreply_target);
+}
diff --git a/vendor/iptables-1.8.7/extensions/libebt_arpreply.t b/vendor/iptables-1.8.7/extensions/libebt_arpreply.t
new file mode 100644
index 00000000..6734501a
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_arpreply.t
@@ -0,0 +1,4 @@
+:PREROUTING
+*nat
+-p ARP -i foo -j arpreply --arpreply-mac de:ad:00:be:ee:ff --arpreply-target ACCEPT;=;OK
+-p ARP -i foo -j arpreply --arpreply-mac de:ad:00:be:ee:ff;=;OK
diff --git a/vendor/iptables-1.8.7/extensions/libebt_dnat.c b/vendor/iptables-1.8.7/extensions/libebt_dnat.c
new file mode 100644
index 00000000..9f5f721e
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_dnat.c
@@ -0,0 +1,129 @@
+/* ebt_nat
+ *
+ * Authors:
+ * Bart De Schuymer
+ *
+ * June, 2002
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "iptables/nft.h"
+#include "iptables/nft-bridge.h"
+
+#define NAT_D '1'
+#define NAT_D_TARGET '2'
+static const struct option brdnat_opts[] =
+{
+ { "to-destination", required_argument, 0, NAT_D },
+ { "to-dst" , required_argument, 0, NAT_D },
+ { "dnat-target" , required_argument, 0, NAT_D_TARGET },
+ { 0 }
+};
+
+static void brdnat_print_help(void)
+{
+ printf(
+ "dnat options:\n"
+ " --to-dst address : MAC address to map destination to\n"
+ " --dnat-target target : ACCEPT, DROP, RETURN or CONTINUE\n");
+}
+
+static void brdnat_init(struct xt_entry_target *target)
+{
+ struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data;
+
+ natinfo->target = EBT_ACCEPT;
+}
+
+#define OPT_DNAT 0x01
+#define OPT_DNAT_TARGET 0x02
+static int brdnat_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ebt_nat_info *natinfo = (struct ebt_nat_info *)(*target)->data;
+ struct ether_addr *addr;
+
+ switch (c) {
+ case NAT_D:
+ EBT_CHECK_OPTION(flags, OPT_DNAT);
+ if (!(addr = ether_aton(optarg)))
+ xtables_error(PARAMETER_PROBLEM, "Problem with specified --to-destination mac");
+ memcpy(natinfo->mac, addr, ETH_ALEN);
+ break;
+ case NAT_D_TARGET:
+ EBT_CHECK_OPTION(flags, OPT_DNAT_TARGET);
+ if (ebt_fill_target(optarg, (unsigned int *)&natinfo->target))
+ xtables_error(PARAMETER_PROBLEM, "Illegal --dnat-target target");
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void brdnat_final_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "You must specify proper arguments");
+}
+
+static void brdnat_print(const void *ip, const struct xt_entry_target *target, int numeric)
+{
+ struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data;
+
+ printf("--to-dst ");
+ 
xtables_print_mac(natinfo->mac);
+ printf(" --dnat-target %s", ebt_target_name(natinfo->target));
+}
+
+static const char* brdnat_verdict(int verdict)
+{
+ switch (verdict) {
+ case EBT_ACCEPT: return "accept";
+ case EBT_DROP: return "drop";
+ case EBT_CONTINUE: return "continue";
+ case EBT_RETURN: return "return";
+ }
+
+ return "";
+}
+
+static int brdnat_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_tg_params *params)
+{
+ const struct ebt_nat_info *natinfo = (const void*)params->target->data;
+
+ xt_xlate_add(xl, "ether daddr set %s %s ",
+ ether_ntoa((struct ether_addr *)natinfo->mac),
+ brdnat_verdict(natinfo->target));
+
+ return 1;
+}
+
+static struct xtables_target brdnat_target =
+{
+ .name = "dnat",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_BRIDGE,
+ .size = XT_ALIGN(sizeof(struct ebt_nat_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ebt_nat_info)),
+ .help = brdnat_print_help,
+ .init = brdnat_init,
+ .parse = brdnat_parse,
+ .final_check = brdnat_final_check,
+ .print = brdnat_print,
+ .xlate = brdnat_xlate,
+ .extra_opts = brdnat_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&brdnat_target);
+}
diff --git a/vendor/iptables-1.8.7/extensions/libebt_dnat.t b/vendor/iptables-1.8.7/extensions/libebt_dnat.t
new file mode 100644
index 00000000..9428d237
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_dnat.t
@@ -0,0 +1,5 @@
+:PREROUTING
+*nat
+-i someport -j dnat --to-dst de:ad:0:be:ee:ff;-i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT;OK
+-j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT;=;OK
+-j dnat --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE;=;OK
diff --git a/vendor/iptables-1.8.7/extensions/libebt_dnat.txlate b/vendor/iptables-1.8.7/extensions/libebt_dnat.txlate
new file mode 100644
index 00000000..2652dd55
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_dnat.txlate
@@ -0,0 +1,8 @@
+ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff
+nft add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter
+
+ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT
+nft add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter
+
+ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE
+nft add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff continue counter
diff --git a/vendor/iptables-1.8.7/extensions/libebt_ip.c b/vendor/iptables-1.8.7/extensions/libebt_ip.c
new file mode 100644
index 00000000..acb9bfcd
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_ip.c
@@ -0,0 +1,732 @@ +/* ebt_ip + * + * Authors: + * Bart De Schuymer + * + * Changes: + * added ip-sport and ip-dport; parsing of port arguments is + * based on code from iptables-1.2.7a + * Innominate Security Technologies AG + * September, 2002 + * + * Adapted by Arturo Borrero Gonzalez + * to use libxtables for ebtables-compat in 2015. + */ + +#include +#include +#include +#include +#include +#include +#include + +#include "libxt_icmp.h" + +#define EBT_IP_SOURCE 0x01 +#define EBT_IP_DEST 0x02 +#define EBT_IP_TOS 0x04 +#define EBT_IP_PROTO 0x08 +#define EBT_IP_SPORT 0x10 +#define EBT_IP_DPORT 0x20 +#define EBT_IP_ICMP 0x40 +#define EBT_IP_IGMP 0x80 +#define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\ + EBT_IP_SPORT | EBT_IP_DPORT | EBT_IP_ICMP | EBT_IP_IGMP) + +struct ebt_ip_info { + __be32 saddr; + __be32 daddr; + __be32 smsk; + __be32 dmsk; + __u8 tos; + __u8 protocol; + __u8 bitmask; + __u8 invflags; + union { + __u16 sport[2]; + __u8 icmp_type[2]; + __u8 igmp_type[2]; + }; + union { + __u16 dport[2]; + __u8 icmp_code[2]; + }; +}; + +#define IP_SOURCE '1' +#define IP_DEST '2' +#define IP_EBT_TOS '3' /* include/bits/in.h seems to already define IP_TOS */ +#define IP_PROTO '4' +#define IP_SPORT '5' +#define IP_DPORT '6' +#define IP_EBT_ICMP '7' +#define IP_EBT_IGMP '8' + +static const struct option brip_opts[] = { + { .name = "ip-source", .has_arg = true, .val = IP_SOURCE }, + { .name = "ip-src", .has_arg = true, .val = IP_SOURCE }, + { .name = "ip-destination", .has_arg = true, .val = IP_DEST }, + { .name = "ip-dst", .has_arg = true, .val = IP_DEST }, + { .name = "ip-tos", .has_arg = true, .val = IP_EBT_TOS }, + { .name = "ip-protocol", .has_arg = true, .val = IP_PROTO }, + { .name = "ip-proto", .has_arg = true, .val = IP_PROTO }, + { .name = "ip-source-port", .has_arg = true, .val = IP_SPORT }, + { .name = "ip-sport", .has_arg = true, .val = IP_SPORT }, + { .name = "ip-destination-port",.has_arg = true, .val = IP_DPORT }, + { .name = 
"ip-dport", .has_arg = true, .val = IP_DPORT }, + { .name = "ip-icmp-type", .has_arg = true, .val = IP_EBT_ICMP }, + { .name = "ip-igmp-type", .has_arg = true, .val = IP_EBT_IGMP }, + XT_GETOPT_TABLEEND, +}; + +static const struct xt_icmp_names icmp_codes[] = { + { "echo-reply", 0, 0, 0xFF }, + /* Alias */ { "pong", 0, 0, 0xFF }, + + { "destination-unreachable", 3, 0, 0xFF }, + { "network-unreachable", 3, 0, 0 }, + { "host-unreachable", 3, 1, 1 }, + { "protocol-unreachable", 3, 2, 2 }, + { "port-unreachable", 3, 3, 3 }, + { "fragmentation-needed", 3, 4, 4 }, + { "source-route-failed", 3, 5, 5 }, + { "network-unknown", 3, 6, 6 }, + { "host-unknown", 3, 7, 7 }, + { "network-prohibited", 3, 9, 9 }, + { "host-prohibited", 3, 10, 10 }, + { "TOS-network-unreachable", 3, 11, 11 }, + { "TOS-host-unreachable", 3, 12, 12 }, + { "communication-prohibited", 3, 13, 13 }, + { "host-precedence-violation", 3, 14, 14 }, + { "precedence-cutoff", 3, 15, 15 }, + + { "source-quench", 4, 0, 0xFF }, + + { "redirect", 5, 0, 0xFF }, + { "network-redirect", 5, 0, 0 }, + { "host-redirect", 5, 1, 1 }, + { "TOS-network-redirect", 5, 2, 2 }, + { "TOS-host-redirect", 5, 3, 3 }, + + { "echo-request", 8, 0, 0xFF }, + /* Alias */ { "ping", 8, 0, 0xFF }, + + { "router-advertisement", 9, 0, 0xFF }, + + { "router-solicitation", 10, 0, 0xFF }, + + { "time-exceeded", 11, 0, 0xFF }, + /* Alias */ { "ttl-exceeded", 11, 0, 0xFF }, + { "ttl-zero-during-transit", 11, 0, 0 }, + { "ttl-zero-during-reassembly", 11, 1, 1 }, + + { "parameter-problem", 12, 0, 0xFF }, + { "ip-header-bad", 12, 0, 0 }, + { "required-option-missing", 12, 1, 1 }, + + { "timestamp-request", 13, 0, 0xFF }, + + { "timestamp-reply", 14, 0, 0xFF }, + + { "address-mask-request", 17, 0, 0xFF }, + + { "address-mask-reply", 18, 0, 0xFF } +}; + +static const struct xt_icmp_names igmp_types[] = { + { "membership-query", 0x11 }, + { "membership-report-v1", 0x12 }, + { "membership-report-v2", 0x16 }, + { "leave-group", 0x17 }, + { 
"membership-report-v3", 0x22 }, +}; + +static void brip_print_help(void) +{ + printf( +"ip options:\n" +"--ip-src [!] address[/mask]: ip source specification\n" +"--ip-dst [!] address[/mask]: ip destination specification\n" +"--ip-tos [!] tos : ip tos specification\n" +"--ip-proto [!] protocol : ip protocol specification\n" +"--ip-sport [!] port[:port] : tcp/udp source port or port range\n" +"--ip-dport [!] port[:port] : tcp/udp destination port or port range\n" +"--ip-icmp-type [!] type[[:type]/code[:code]] : icmp type/code or type/code range\n" +"--ip-igmp-type [!] type[:type] : igmp type or type range\n"); + + printf("\nValid ICMP Types:\n"); + xt_print_icmp_types(icmp_codes, ARRAY_SIZE(icmp_codes)); + printf("\nValid IGMP Types:\n"); + xt_print_icmp_types(igmp_types, ARRAY_SIZE(igmp_types)); +} + +static void brip_init(struct xt_entry_match *match) +{ + struct ebt_ip_info *info = (struct ebt_ip_info *)match->data; + + info->invflags = 0; + info->bitmask = 0; +} + +static void +parse_port_range(const char *protocol, const char *portstring, uint16_t *ports) +{ + char *buffer; + char *cp; + + buffer = strdup(portstring); + if ((cp = strchr(buffer, ':')) == NULL) + ports[0] = ports[1] = xtables_parse_port(buffer, NULL); + else { + *cp = '\0'; + cp++; + + ports[0] = buffer[0] ? xtables_parse_port(buffer, NULL) : 0; + ports[1] = cp[0] ? 
xtables_parse_port(cp, NULL) : 0xFFFF; + + if (ports[0] > ports[1]) + xtables_error(PARAMETER_PROBLEM, + "invalid portrange (min > max)"); + } + free(buffer); +} + +/* original code from ebtables: useful_functions.c */ +static int undot_ip(char *ip, unsigned char *ip2) +{ + char *p, *q, *end; + long int onebyte; + int i; + char buf[20]; + + strncpy(buf, ip, sizeof(buf) - 1); + + p = buf; + for (i = 0; i < 3; i++) { + if ((q = strchr(p, '.')) == NULL) + return -1; + *q = '\0'; + onebyte = strtol(p, &end, 10); + if (*end != '\0' || onebyte > 255 || onebyte < 0) + return -1; + ip2[i] = (unsigned char)onebyte; + p = q + 1; + } + + onebyte = strtol(p, &end, 10); + if (*end != '\0' || onebyte > 255 || onebyte < 0) + return -1; + ip2[3] = (unsigned char)onebyte; + + return 0; +} + +static int ip_mask(char *mask, unsigned char *mask2) +{ + char *end; + long int bits; + uint32_t mask22; + + if (undot_ip(mask, mask2)) { + /* not the /a.b.c.e format, maybe the /x format */ + bits = strtol(mask, &end, 10); + if (*end != '\0' || bits > 32 || bits < 0) + return -1; + if (bits != 0) { + mask22 = htonl(0xFFFFFFFF << (32 - bits)); + memcpy(mask2, &mask22, 4); + } else { + mask22 = 0xFFFFFFFF; + memcpy(mask2, &mask22, 4); + } + } + return 0; +} + +static void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk) +{ + char *p; + + /* first the mask */ + if ((p = strrchr(address, '/')) != NULL) { + *p = '\0'; + if (ip_mask(p + 1, (unsigned char *)msk)) { + xtables_error(PARAMETER_PROBLEM, + "Problem with the IP mask '%s'", p + 1); + return; + } + } else + *msk = 0xFFFFFFFF; + + if (undot_ip(address, (unsigned char *)addr)) { + xtables_error(PARAMETER_PROBLEM, + "Problem with the IP address '%s'", address); + return; + } + *addr = *addr & *msk; +} + +static char *parse_range(const char *str, unsigned int res[]) +{ + char *next; + + if (!xtables_strtoui(str, &next, &res[0], 0, 255)) + return NULL; + + res[1] = res[0]; + if (*next == ':') { + str = next + 1; + if 
(!xtables_strtoui(str, &next, &res[1], 0, 255)) + return NULL; + } + + return next; +} + +static int ebt_parse_icmp(const struct xt_icmp_names *codes, size_t n_codes, + const char *icmptype, uint8_t type[], uint8_t code[]) +{ + unsigned int match = n_codes; + unsigned int i, number[2]; + + for (i = 0; i < n_codes; i++) { + if (strncasecmp(codes[i].name, icmptype, strlen(icmptype))) + continue; + if (match != n_codes) + xtables_error(PARAMETER_PROBLEM, "Ambiguous ICMP type `%s':" + " `%s' or `%s'?", + icmptype, codes[match].name, + codes[i].name); + match = i; + } + + if (match < n_codes) { + type[0] = type[1] = codes[match].type; + if (code) { + code[0] = codes[match].code_min; + code[1] = codes[match].code_max; + } + } else { + char *next = parse_range(icmptype, number); + if (!next) { + xtables_error(PARAMETER_PROBLEM, "Unknown ICMP type `%s'", + icmptype); + return -1; + } + + type[0] = (uint8_t) number[0]; + type[1] = (uint8_t) number[1]; + switch (*next) { + case 0: + if (code) { + code[0] = 0; + code[1] = 255; + } + return 0; + case '/': + if (code) { + next = parse_range(next+1, number); + code[0] = (uint8_t) number[0]; + code[1] = (uint8_t) number[1]; + if (next == NULL) + return -1; + if (next && *next == 0) + return 0; + } + /* fallthrough */ + default: + xtables_error(PARAMETER_PROBLEM, "unknown character %c", *next); + return -1; + } + } + return 0; +} + +static void print_icmp_code(uint8_t *code) +{ + if (!code) + return; + + if (code[0] == code[1]) + printf("/%"PRIu8 " ", code[0]); + else + printf("/%"PRIu8":%"PRIu8 " ", code[0], code[1]); +} + +static void ebt_print_icmp_type(const struct xt_icmp_names *codes, + size_t n_codes, uint8_t *type, uint8_t *code) +{ + unsigned int i; + + if (type[0] != type[1]) { + printf("%"PRIu8 ":%" PRIu8, type[0], type[1]); + print_icmp_code(code); + return; + } + + for (i = 0; i < n_codes; i++) { + if (codes[i].type != type[0]) + continue; + + if (!code || (codes[i].code_min == code[0] && + codes[i].code_max == 
code[1])) { + printf("%s ", codes[i].name); + return; + } + } + printf("%"PRIu8, type[0]); + print_icmp_code(code); +} + +static int +brip_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct ebt_ip_info *info = (struct ebt_ip_info *)(*match)->data; + + switch (c) { + case IP_SOURCE: + if (invert) + info->invflags |= EBT_IP_SOURCE; + ebt_parse_ip_address(optarg, &info->saddr, &info->smsk); + info->bitmask |= EBT_IP_SOURCE; + break; + case IP_DEST: + if (invert) + info->invflags |= EBT_IP_DEST; + ebt_parse_ip_address(optarg, &info->daddr, &info->dmsk); + info->bitmask |= EBT_IP_DEST; + break; + case IP_SPORT: + if (invert) + info->invflags |= EBT_IP_SPORT; + parse_port_range(NULL, optarg, info->sport); + info->bitmask |= EBT_IP_SPORT; + break; + case IP_DPORT: + if (invert) + info->invflags |= EBT_IP_DPORT; + parse_port_range(NULL, optarg, info->dport); + info->bitmask |= EBT_IP_DPORT; + break; + case IP_EBT_ICMP: + if (invert) + info->invflags |= EBT_IP_ICMP; + ebt_parse_icmp(icmp_codes, ARRAY_SIZE(icmp_codes), optarg, + info->icmp_type, info->icmp_code); + info->bitmask |= EBT_IP_ICMP; + break; + case IP_EBT_IGMP: + if (invert) + info->invflags |= EBT_IP_IGMP; + ebt_parse_icmp(igmp_types, ARRAY_SIZE(igmp_types), optarg, + info->igmp_type, NULL); + info->bitmask |= EBT_IP_IGMP; + break; + case IP_EBT_TOS: { + uintmax_t tosvalue; + + if (invert) + info->invflags |= EBT_IP_TOS; + if (!xtables_strtoul(optarg, NULL, &tosvalue, 0, 255)) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified IP tos"); + info->tos = tosvalue; + info->bitmask |= EBT_IP_TOS; + } + break; + case IP_PROTO: + if (invert) + info->invflags |= EBT_IP_PROTO; + info->protocol = xtables_parse_protocol(optarg); + info->bitmask |= EBT_IP_PROTO; + break; + default: + return 0; + } + + *flags |= info->bitmask; + return 1; +} + +static void brip_final_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + 
"You must specify proper arguments"); +} + +static void print_port_range(uint16_t *ports) +{ + if (ports[0] == ports[1]) + printf("%d ", ports[0]); + else + printf("%d:%d ", ports[0], ports[1]); +} + +static void brip_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + struct ebt_ip_info *info = (struct ebt_ip_info *)match->data; + struct in_addr *addrp, *maskp; + + if (info->bitmask & EBT_IP_SOURCE) { + printf("--ip-src "); + if (info->invflags & EBT_IP_SOURCE) + printf("! "); + addrp = (struct in_addr *)&info->saddr; + maskp = (struct in_addr *)&info->smsk; + printf("%s%s ", xtables_ipaddr_to_numeric(addrp), + xtables_ipmask_to_numeric(maskp)); + } + if (info->bitmask & EBT_IP_DEST) { + printf("--ip-dst "); + if (info->invflags & EBT_IP_DEST) + printf("! "); + addrp = (struct in_addr *)&info->daddr; + maskp = (struct in_addr *)&info->dmsk; + printf("%s%s ", xtables_ipaddr_to_numeric(addrp), + xtables_ipmask_to_numeric(maskp)); + } + if (info->bitmask & EBT_IP_TOS) { + printf("--ip-tos "); + if (info->invflags & EBT_IP_TOS) + printf("! "); + printf("0x%02X ", info->tos); + } + if (info->bitmask & EBT_IP_PROTO) { + struct protoent *pe; + + printf("--ip-proto "); + if (info->invflags & EBT_IP_PROTO) + printf("! "); + pe = getprotobynumber(info->protocol); + if (pe == NULL) { + printf("%d ", info->protocol); + } else { + printf("%s ", pe->p_name); + } + } + if (info->bitmask & EBT_IP_SPORT) { + printf("--ip-sport "); + if (info->invflags & EBT_IP_SPORT) + printf("! "); + print_port_range(info->sport); + } + if (info->bitmask & EBT_IP_DPORT) { + printf("--ip-dport "); + if (info->invflags & EBT_IP_DPORT) + printf("! "); + print_port_range(info->dport); + } + if (info->bitmask & EBT_IP_ICMP) { + printf("--ip-icmp-type "); + if (info->invflags & EBT_IP_ICMP) + printf("! 
"); + ebt_print_icmp_type(icmp_codes, ARRAY_SIZE(icmp_codes), + info->icmp_type, info->icmp_code); + } + if (info->bitmask & EBT_IP_IGMP) { + printf("--ip-igmp-type "); + if (info->invflags & EBT_IP_IGMP) + printf("! "); + ebt_print_icmp_type(igmp_types, ARRAY_SIZE(igmp_types), + info->igmp_type, NULL); + } +} + +static const char *brip_xlate_proto_to_name(uint8_t proto) +{ + switch (proto) { + case IPPROTO_TCP: + return "tcp"; + case IPPROTO_UDP: + return "udp"; + case IPPROTO_UDPLITE: + return "udplite"; + case IPPROTO_SCTP: + return "sctp"; + case IPPROTO_DCCP: + return "dccp"; + default: + return NULL; + } +} + +static void brip_xlate_icmp(struct xt_xlate *xl, + const struct ebt_ip_info *info, int bit) +{ + if ((info->bitmask & bit) == 0) + return; + + xt_xlate_add(xl, "icmp type "); + if (info->invflags & bit) + xt_xlate_add(xl, "!= "); + if (info->icmp_type[0] == info->icmp_type[1]) + xt_xlate_add(xl, "%d ", info->icmp_type[0]); + else + xt_xlate_add(xl, "%d-%d ", info->icmp_type[0], + info->icmp_type[1]); + if (info->icmp_code[0] == 0 && + info->icmp_code[1] == 0xff) + return; + + xt_xlate_add(xl, "icmp code "); + if (info->invflags & bit) + xt_xlate_add(xl, "!= "); + if (info->icmp_code[0] == info->icmp_code[1]) + xt_xlate_add(xl, "%d ", info->icmp_code[0]); + else + xt_xlate_add(xl, "%d-%d ", info->icmp_code[0], + info->icmp_code[1]); +} + +static void brip_xlate_igmp(struct xt_xlate *xl, + const struct ebt_ip_info *info, int bit) +{ + if ((info->bitmask & bit) == 0) + return; + + xt_xlate_add(xl, "@th,0,8 "); + if (info->invflags & bit) + xt_xlate_add(xl, "!= "); + if (info->icmp_type[0] == info->icmp_type[1]) + xt_xlate_add(xl, "%d ", info->icmp_type[0]); + else + xt_xlate_add(xl, "%d-%d ", info->icmp_type[0], + info->icmp_type[1]); +} + +static void brip_xlate_th(struct xt_xlate *xl, + const struct ebt_ip_info *info, int bit, + const char *pname) +{ + const uint16_t *ports; + + if ((info->bitmask & bit) == 0) + return; + + switch (bit) { + case 
EBT_IP_SPORT: + if (pname) + xt_xlate_add(xl, "%s sport ", pname); + else + xt_xlate_add(xl, "@th,0,16 "); + + ports = info->sport; + break; + case EBT_IP_DPORT: + if (pname) + xt_xlate_add(xl, "%s dport ", pname); + else + xt_xlate_add(xl, "@th,16,16 "); + + ports = info->dport; + break; + default: + return; + } + + if (info->invflags & bit) + xt_xlate_add(xl, "!= "); + + if (ports[0] == ports[1]) + xt_xlate_add(xl, "%d ", ports[0]); + else + xt_xlate_add(xl, "%d-%d ", ports[0], ports[1]); +} + +static void brip_xlate_nh(struct xt_xlate *xl, + const struct ebt_ip_info *info, int bit) +{ + struct in_addr *addrp, *maskp; + + if ((info->bitmask & bit) == 0) + return; + + switch (bit) { + case EBT_IP_SOURCE: + xt_xlate_add(xl, "ip saddr "); + addrp = (struct in_addr *)&info->saddr; + maskp = (struct in_addr *)&info->smsk; + break; + case EBT_IP_DEST: + xt_xlate_add(xl, "ip daddr "); + addrp = (struct in_addr *)&info->daddr; + maskp = (struct in_addr *)&info->dmsk; + break; + default: + return; + } + + if (info->invflags & bit) + xt_xlate_add(xl, "!= "); + + xt_xlate_add(xl, "%s%s ", xtables_ipaddr_to_numeric(addrp), + xtables_ipmask_to_numeric(maskp)); +} + +static int brip_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) +{ + const struct ebt_ip_info *info = (const void *)params->match->data; + const char *pname = NULL; + + brip_xlate_nh(xl, info, EBT_IP_SOURCE); + brip_xlate_nh(xl, info, EBT_IP_DEST); + + if (info->bitmask & EBT_IP_TOS) { + xt_xlate_add(xl, "ip dscp "); + if (info->invflags & EBT_IP_TOS) + xt_xlate_add(xl, "!= "); + xt_xlate_add(xl, "0x%02x ", info->tos & 0x3f); /* remove ECN bits */ + } + if (info->bitmask & EBT_IP_PROTO) { + struct protoent *pe; + + if (info->bitmask & (EBT_IP_SPORT|EBT_IP_DPORT|EBT_IP_ICMP) && + (info->invflags & EBT_IP_PROTO) == 0) { + /* port number or icmp given and not inverted, no need to print this */ + pname = brip_xlate_proto_to_name(info->protocol); + } else { + xt_xlate_add(xl, "ip protocol "); + if 
(info->invflags & EBT_IP_PROTO)
+ xt_xlate_add(xl, "!= ");
+ pe = getprotobynumber(info->protocol);
+ if (pe == NULL)
+ xt_xlate_add(xl, "%d ", info->protocol);
+ else
+ xt_xlate_add(xl, "%s ", pe->p_name);
+ }
+ }
+
+ brip_xlate_th(xl, info, EBT_IP_SPORT, pname);
+ brip_xlate_th(xl, info, EBT_IP_DPORT, pname);
+
+ brip_xlate_icmp(xl, info, EBT_IP_ICMP);
+ brip_xlate_igmp(xl, info, EBT_IP_IGMP);
+
+ return 1;
+}
+
+static struct xtables_match brip_match = {
+ .name = "ip",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_BRIDGE,
+ .size = XT_ALIGN(sizeof(struct ebt_ip_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ebt_ip_info)),
+ .init = brip_init,
+ .help = brip_print_help,
+ .parse = brip_parse,
+ .final_check = brip_final_check,
+ .print = brip_print,
+ .xlate = brip_xlate,
+ .extra_opts = brip_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&brip_match);
+}
diff --git a/vendor/iptables-1.8.7/extensions/libebt_ip.t b/vendor/iptables-1.8.7/extensions/libebt_ip.t
new file mode 100644
index 00000000..8be5dfbb
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_ip.t
@@ -0,0 +1,13 @@
+:INPUT,FORWARD,OUTPUT
+-p ip --ip-src ! 192.168.0.0/24 -j ACCEPT;-p IPv4 --ip-src ! 192.168.0.0/24 -j ACCEPT;OK
+-p IPv4 --ip-dst 10.0.0.1;=;OK
+-p IPv4 --ip-tos 0xFF;=;OK
+-p IPv4 --ip-tos ! 0xFF;=;OK
+-p IPv4 --ip-proto tcp --ip-dport 22;=;OK
+-p IPv4 --ip-proto udp --ip-sport 1024:65535;=;OK
+-p IPv4 --ip-proto 253;=;OK
+-p IPv4 --ip-proto icmp --ip-icmp-type echo-request;=;OK
+-p IPv4 --ip-proto icmp --ip-icmp-type 1/1;=;OK
+-p ip --ip-protocol icmp --ip-icmp-type ! 1:10;-p IPv4 --ip-proto icmp --ip-icmp-type ! 1:10/0:255 -j CONTINUE;OK
+--ip-proto icmp --ip-icmp-type 1/1;=;FAIL
+! -p ip --ip-proto icmp --ip-icmp-type 1/1;=;FAIL
diff --git a/vendor/iptables-1.8.7/extensions/libebt_ip.txlate b/vendor/iptables-1.8.7/extensions/libebt_ip.txlate
new file mode 100644
index 00000000..b5882c34
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_ip.txlate
@@ -0,0 +1,26 @@
+ebtables-translate -A FORWARD -p ip --ip-src ! 192.168.0.0/24 -j ACCEPT
+nft add rule bridge filter FORWARD ip saddr != 192.168.0.0/24 counter accept
+
+ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1
+nft insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter
+
+ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff
+nft insert rule bridge filter OUTPUT oifname "eth0" ip dscp 0x3f counter
+
+ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22
+nft add rule bridge filter FORWARD tcp dport 22 counter
+
+ebtables-translate -A FORWARD -p ip --ip-proto udp --ip-sport 1024:65535
+nft add rule bridge filter FORWARD udp sport 1024-65535 counter
+
+ebtables-translate -A FORWARD -p ip --ip-proto 253
+nft add rule bridge filter FORWARD ip protocol 253 counter
+
+ebtables-translate -A FORWARD -p ip --ip-protocol icmp --ip-icmp-type "echo-request"
+nft add rule bridge filter FORWARD icmp type 8 counter
+
+ebtables-translate -A FORWARD -p ip --ip-proto icmp --ip-icmp-type 1/1
+nft add rule bridge filter FORWARD icmp type 1 icmp code 1 counter
+
+ebtables-translate -A FORWARD -p ip --ip-protocol icmp --ip-icmp-type ! 1:10
+nft add rule bridge filter FORWARD icmp type != 1-10 counter
diff --git a/vendor/iptables-1.8.7/extensions/libebt_ip6.c b/vendor/iptables-1.8.7/extensions/libebt_ip6.c
new file mode 100644
index 00000000..b8a5a5d8
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_ip6.c
@@ -0,0 +1,632 @@ +/* ebt_ip6 + * + * Authors: + * Kuo-Lang Tseng + * Manohar Castelino + * + * Summary: + * This is just a modification of the IPv4 code written by + * Bart De Schuymer + * with the changes required to support IPv6 + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "libxt_icmp.h" + +#define IP_SOURCE '1' +#define IP_DEST '2' +#define IP_TCLASS '3' +#define IP_PROTO '4' +#define IP_SPORT '5' +#define IP_DPORT '6' +#define IP_ICMP6 '7' + +static const struct option brip6_opts[] = { + { .name = "ip6-source", .has_arg = true, .val = IP_SOURCE }, + { .name = "ip6-src", .has_arg = true, .val = IP_SOURCE }, + { .name = "ip6-destination", .has_arg = true, .val = IP_DEST }, + { .name = "ip6-dst", .has_arg = true, .val = IP_DEST }, + { .name = "ip6-tclass", .has_arg = true, .val = IP_TCLASS }, + { .name = "ip6-protocol", .has_arg = true, .val = IP_PROTO }, + { .name = "ip6-proto", .has_arg = true, .val = IP_PROTO }, + { .name = "ip6-source-port", .has_arg = true, .val = IP_SPORT }, + { .name = "ip6-sport", .has_arg = true, .val = IP_SPORT }, + { .name = "ip6-destination-port",.has_arg = true,.val = IP_DPORT }, + { .name = "ip6-dport", .has_arg = true, .val = IP_DPORT }, + { .name = "ip6-icmp-type", .has_arg = true, .val = IP_ICMP6 }, + XT_GETOPT_TABLEEND, +}; + +static const struct xt_icmp_names icmpv6_codes[] = { + { "destination-unreachable", 1, 0, 0xFF }, + { "no-route", 1, 0, 0 }, + { "communication-prohibited", 1, 1, 1 }, + { "address-unreachable", 1, 3, 3 }, + { "port-unreachable", 1, 4, 4 }, + + { "packet-too-big", 2, 0, 0xFF }, + + { "time-exceeded", 3, 0, 0xFF }, + /* Alias */ { "ttl-exceeded", 3, 0, 0xFF }, + { "ttl-zero-during-transit", 3, 0, 0 }, + { "ttl-zero-during-reassembly", 3, 1, 1 }, + + { "parameter-problem", 4, 0, 0xFF }, + { "bad-header", 4, 0, 0 }, + { "unknown-header-type", 4, 1, 1 }, + { "unknown-option", 4, 2, 2 }, + + { "echo-request", 128, 0, 0xFF }, 
+ /* Alias */ { "ping", 128, 0, 0xFF }, + + { "echo-reply", 129, 0, 0xFF }, + /* Alias */ { "pong", 129, 0, 0xFF }, + + { "router-solicitation", 133, 0, 0xFF }, + + { "router-advertisement", 134, 0, 0xFF }, + + { "neighbour-solicitation", 135, 0, 0xFF }, + /* Alias */ { "neighbor-solicitation", 135, 0, 0xFF }, + + { "neighbour-advertisement", 136, 0, 0xFF }, + /* Alias */ { "neighbor-advertisement", 136, 0, 0xFF }, + + { "redirect", 137, 0, 0xFF }, +}; + +static void +parse_port_range(const char *protocol, const char *portstring, uint16_t *ports) +{ + char *buffer; + char *cp; + + buffer = strdup(portstring); + if ((cp = strchr(buffer, ':')) == NULL) + ports[0] = ports[1] = xtables_parse_port(buffer, NULL); + else { + *cp = '\0'; + cp++; + + ports[0] = buffer[0] ? xtables_parse_port(buffer, NULL) : 0; + ports[1] = cp[0] ? xtables_parse_port(cp, NULL) : 0xFFFF; + + if (ports[0] > ports[1]) + xtables_error(PARAMETER_PROBLEM, + "invalid portrange (min > max)"); + } + free(buffer); +} + +static char *parse_range(const char *str, unsigned int res[]) +{ + char *next; + + if (!xtables_strtoui(str, &next, &res[0], 0, 255)) + return NULL; + + res[1] = res[0]; + if (*next == ':') { + str = next + 1; + if (!xtables_strtoui(str, &next, &res[1], 0, 255)) + return NULL; + } + + return next; +} + +static int +parse_icmpv6(const char *icmpv6type, uint8_t type[], uint8_t code[]) +{ + static const unsigned int limit = ARRAY_SIZE(icmpv6_codes); + unsigned int match = limit; + unsigned int i, number[2]; + + for (i = 0; i < limit; i++) { + if (strncasecmp(icmpv6_codes[i].name, icmpv6type, strlen(icmpv6type))) + continue; + if (match != limit) + xtables_error(PARAMETER_PROBLEM, "Ambiguous ICMPv6 type `%s':" + " `%s' or `%s'?", + icmpv6type, icmpv6_codes[match].name, + icmpv6_codes[i].name); + match = i; + } + + if (match < limit) { + type[0] = type[1] = icmpv6_codes[match].type; + code[0] = icmpv6_codes[match].code_min; + code[1] = icmpv6_codes[match].code_max; + } else { + char *next = 
parse_range(icmpv6type, number); + if (!next) { + xtables_error(PARAMETER_PROBLEM, "Unknown ICMPv6 type `%s'", + icmpv6type); + return -1; + } + type[0] = (uint8_t) number[0]; + type[1] = (uint8_t) number[1]; + switch (*next) { + case 0: + code[0] = 0; + code[1] = 255; + return 0; + case '/': + next = parse_range(next+1, number); + code[0] = (uint8_t) number[0]; + code[1] = (uint8_t) number[1]; + if (next == NULL) + return -1; + if (next && *next == 0) + return 0; + /* fallthrough */ + default: + xtables_error(PARAMETER_PROBLEM, "unknown character %c", *next); + return -1; + } + } + return 0; +} + +static void print_port_range(uint16_t *ports) +{ + if (ports[0] == ports[1]) + printf("%d ", ports[0]); + else + printf("%d:%d ", ports[0], ports[1]); +} + +static void print_icmp_code(uint8_t *code) +{ + if (code[0] == code[1]) + printf("/%"PRIu8 " ", code[0]); + else + printf("/%"PRIu8":%"PRIu8 " ", code[0], code[1]); +} + +static void print_icmp_type(uint8_t *type, uint8_t *code) +{ + unsigned int i; + + if (type[0] != type[1]) { + printf("%"PRIu8 ":%" PRIu8, type[0], type[1]); + print_icmp_code(code); + return; + } + + for (i = 0; i < ARRAY_SIZE(icmpv6_codes); i++) { + if (icmpv6_codes[i].type != type[0]) + continue; + + if (icmpv6_codes[i].code_min == code[0] && + icmpv6_codes[i].code_max == code[1]) { + printf("%s ", icmpv6_codes[i].name); + return; + } + } + printf("%"PRIu8, type[0]); + print_icmp_code(code); +} + +static void brip6_print_help(void) +{ + printf( +"ip6 options:\n" +"--ip6-src [!] address[/mask]: ipv6 source specification\n" +"--ip6-dst [!] address[/mask]: ipv6 destination specification\n" +"--ip6-tclass [!] tclass : ipv6 traffic class specification\n" +"--ip6-proto [!] protocol : ipv6 protocol specification\n" +"--ip6-sport [!] port[:port] : tcp/udp source port or port range\n" +"--ip6-dport [!] port[:port] : tcp/udp destination port or port range\n" +"--ip6-icmp-type [!] 
type[[:type]/code[:code]] : ipv6-icmp type/code or type/code range\n"); + printf("Valid ICMPv6 Types:"); + xt_print_icmp_types(icmpv6_codes, ARRAY_SIZE(icmpv6_codes)); +} + +static void brip6_init(struct xt_entry_match *match) +{ + struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data; + + ipinfo->invflags = 0; + ipinfo->bitmask = 0; + memset(ipinfo->saddr.s6_addr, 0, sizeof(ipinfo->saddr.s6_addr)); + memset(ipinfo->smsk.s6_addr, 0, sizeof(ipinfo->smsk.s6_addr)); + memset(ipinfo->daddr.s6_addr, 0, sizeof(ipinfo->daddr.s6_addr)); + memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr)); +} + +static struct in6_addr *numeric_to_addr(const char *num) +{ + static struct in6_addr ap; + int err; + + if ((err=inet_pton(AF_INET6, num, &ap)) == 1) + return ≈ + return (struct in6_addr *)NULL; +} + +static struct in6_addr *parse_ip6_mask(char *mask) +{ + static struct in6_addr maskaddr; + struct in6_addr *addrp; + unsigned int bits; + + if (mask == NULL) { + /* no mask at all defaults to 128 bits */ + memset(&maskaddr, 0xff, sizeof maskaddr); + return &maskaddr; + } + if ((addrp = numeric_to_addr(mask)) != NULL) + return addrp; + if (!xtables_strtoui(mask, NULL, &bits, 0, 128)) + xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask); + if (bits != 0) { + char *p = (char *)&maskaddr; + memset(p, 0xff, bits / 8); + memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); + p[bits / 8] = 0xff << (8 - (bits & 7)); + return &maskaddr; + } + + memset(&maskaddr, 0, sizeof maskaddr); + return &maskaddr; +} + +/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0]. + * The string pointed to by address can be altered. 
*/ +static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk) +{ + struct in6_addr *tmp_addr; + char buf[256]; + char *p; + int i; + int err; + + strncpy(buf, address, sizeof(buf) - 1); + /* first the mask */ + buf[sizeof(buf) - 1] = '\0'; + if ((p = strrchr(buf, '/')) != NULL) { + *p = '\0'; + tmp_addr = parse_ip6_mask(p + 1); + } else + tmp_addr = parse_ip6_mask(NULL); + + *msk = *tmp_addr; + + /* if a null mask is given, the name is ignored, like in "any/0" */ + if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any))) + strcpy(buf, "::"); + + if ((err=inet_pton(AF_INET6, buf, addr)) < 1) { + xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf); + return; + } + + for (i = 0; i < 4; i++) + addr->s6_addr32[i] &= msk->s6_addr32[i]; +} + +#define OPT_SOURCE 0x01 +#define OPT_DEST 0x02 +#define OPT_TCLASS 0x04 +#define OPT_PROTO 0x08 +#define OPT_SPORT 0x10 +#define OPT_DPORT 0x20 +static int +brip6_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct ebt_ip6_info *info = (struct ebt_ip6_info *)(*match)->data; + unsigned int i; + char *end; + + switch (c) { + case IP_SOURCE: + if (invert) + info->invflags |= EBT_IP6_SOURCE; + ebt_parse_ip6_address(optarg, &info->saddr, &info->smsk); + info->bitmask |= EBT_IP6_SOURCE; + break; + case IP_DEST: + if (invert) + info->invflags |= EBT_IP6_DEST; + ebt_parse_ip6_address(optarg, &info->daddr, &info->dmsk); + info->bitmask |= EBT_IP6_DEST; + break; + case IP_SPORT: + if (invert) + info->invflags |= EBT_IP6_SPORT; + parse_port_range(NULL, optarg, info->sport); + info->bitmask |= EBT_IP6_SPORT; + break; + case IP_DPORT: + if (invert) + info->invflags |= EBT_IP6_DPORT; + parse_port_range(NULL, optarg, info->dport); + info->bitmask |= EBT_IP6_DPORT; + break; + case IP_ICMP6: + if (invert) + info->invflags |= EBT_IP6_ICMP6; + if (parse_icmpv6(optarg, info->icmpv6_type, info->icmpv6_code)) + return 0; + 
info->bitmask |= EBT_IP6_ICMP6; + break; + case IP_TCLASS: + if (invert) + info->invflags |= EBT_IP6_TCLASS; + if (!xtables_strtoui(optarg, &end, &i, 0, 255)) + xtables_error(PARAMETER_PROBLEM, "Problem with specified IPv6 traffic class '%s'", optarg); + info->tclass = i; + info->bitmask |= EBT_IP6_TCLASS; + break; + case IP_PROTO: + if (invert) + info->invflags |= EBT_IP6_PROTO; + info->protocol = xtables_parse_protocol(optarg); + info->bitmask |= EBT_IP6_PROTO; + break; + default: + return 0; + } + + *flags |= info->bitmask; + return 1; +} + +static void brip6_final_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "You must specify proper arguments"); +} + +static void brip6_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data; + + if (ipinfo->bitmask & EBT_IP6_SOURCE) { + printf("--ip6-src "); + if (ipinfo->invflags & EBT_IP6_SOURCE) + printf("! "); + printf("%s", xtables_ip6addr_to_numeric(&ipinfo->saddr)); + printf("%s ", xtables_ip6mask_to_numeric(&ipinfo->smsk)); + } + if (ipinfo->bitmask & EBT_IP6_DEST) { + printf("--ip6-dst "); + if (ipinfo->invflags & EBT_IP6_DEST) + printf("! "); + printf("%s", xtables_ip6addr_to_numeric(&ipinfo->daddr)); + printf("%s ", xtables_ip6mask_to_numeric(&ipinfo->dmsk)); + } + if (ipinfo->bitmask & EBT_IP6_TCLASS) { + printf("--ip6-tclass "); + if (ipinfo->invflags & EBT_IP6_TCLASS) + printf("! "); + printf("0x%02X ", ipinfo->tclass); + } + if (ipinfo->bitmask & EBT_IP6_PROTO) { + struct protoent *pe; + + printf("--ip6-proto "); + if (ipinfo->invflags & EBT_IP6_PROTO) + printf("! "); + pe = getprotobynumber(ipinfo->protocol); + if (pe == NULL) { + printf("%d ", ipinfo->protocol); + } else { + printf("%s ", pe->p_name); + } + } + if (ipinfo->bitmask & EBT_IP6_SPORT) { + printf("--ip6-sport "); + if (ipinfo->invflags & EBT_IP6_SPORT) + printf("! 
"); + print_port_range(ipinfo->sport); + } + if (ipinfo->bitmask & EBT_IP6_DPORT) { + printf("--ip6-dport "); + if (ipinfo->invflags & EBT_IP6_DPORT) + printf("! "); + print_port_range(ipinfo->dport); + } + if (ipinfo->bitmask & EBT_IP6_ICMP6) { + printf("--ip6-icmp-type "); + if (ipinfo->invflags & EBT_IP6_ICMP6) + printf("! "); + print_icmp_type(ipinfo->icmpv6_type, ipinfo->icmpv6_code); + } +} + +static void brip_xlate_th(struct xt_xlate *xl, + const struct ebt_ip6_info *info, int bit, + const char *pname) +{ + const uint16_t *ports; + + if ((info->bitmask & bit) == 0) + return; + + switch (bit) { + case EBT_IP6_SPORT: + if (pname) + xt_xlate_add(xl, "%s sport ", pname); + else + xt_xlate_add(xl, "@th,0,16 "); + + ports = info->sport; + break; + case EBT_IP6_DPORT: + if (pname) + xt_xlate_add(xl, "%s dport ", pname); + else + xt_xlate_add(xl, "@th,16,16 "); + + ports = info->dport; + break; + default: + return; + } + + if (info->invflags & bit) + xt_xlate_add(xl, "!= "); + + if (ports[0] == ports[1]) + xt_xlate_add(xl, "%d ", ports[0]); + else + xt_xlate_add(xl, "%d-%d ", ports[0], ports[1]); +} + +static void brip_xlate_nh(struct xt_xlate *xl, + const struct ebt_ip6_info *info, int bit) +{ + struct in6_addr *addrp, *maskp; + + if ((info->bitmask & bit) == 0) + return; + + switch (bit) { + case EBT_IP6_SOURCE: + xt_xlate_add(xl, "ip6 saddr "); + addrp = (struct in6_addr *)&info->saddr; + maskp = (struct in6_addr *)&info->smsk; + break; + case EBT_IP6_DEST: + xt_xlate_add(xl, "ip6 daddr "); + addrp = (struct in6_addr *)&info->daddr; + maskp = (struct in6_addr *)&info->dmsk; + break; + default: + return; + } + + if (info->invflags & bit) + xt_xlate_add(xl, "!= "); + + xt_xlate_add(xl, "%s%s ", xtables_ip6addr_to_numeric(addrp), + xtables_ip6mask_to_numeric(maskp)); +} + +static const char *brip6_xlate_proto_to_name(uint8_t proto) +{ + switch (proto) { + case IPPROTO_TCP: + return "tcp"; + case IPPROTO_UDP: + return "udp"; + case IPPROTO_UDPLITE: + return 
"udplite"; + case IPPROTO_SCTP: + return "sctp"; + case IPPROTO_DCCP: + return "dccp"; + default: + return NULL; + } +} + +static int brip6_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) +{ + const struct ebt_ip6_info *info = (const void *)params->match->data; + const char *pname = NULL; + + if ((info->bitmask & (EBT_IP6_SOURCE|EBT_IP6_DEST|EBT_IP6_ICMP6|EBT_IP6_TCLASS)) == 0) + xt_xlate_add(xl, "ether type ip6 "); + + brip_xlate_nh(xl, info, EBT_IP6_SOURCE); + brip_xlate_nh(xl, info, EBT_IP6_DEST); + + if (info->bitmask & EBT_IP6_TCLASS) { + xt_xlate_add(xl, "ip6 dscp "); + if (info->invflags & EBT_IP6_TCLASS) + xt_xlate_add(xl, "!= "); + xt_xlate_add(xl, "0x%02x ", info->tclass & 0x3f); /* remove ECN bits */ + } + + if (info->bitmask & EBT_IP6_PROTO) { + struct protoent *pe; + + if (info->bitmask & (EBT_IP6_SPORT|EBT_IP6_DPORT|EBT_IP6_ICMP6) && + (info->invflags & EBT_IP6_PROTO) == 0) { + /* port number given and not inverted, no need to + * add explicit 'meta l4proto'. 
+ */ + pname = brip6_xlate_proto_to_name(info->protocol); + } else { + xt_xlate_add(xl, "meta l4proto "); + if (info->invflags & EBT_IP6_PROTO) + xt_xlate_add(xl, "!= "); + pe = getprotobynumber(info->protocol); + if (pe == NULL) + xt_xlate_add(xl, "%d ", info->protocol); + else + xt_xlate_add(xl, "%s ", pe->p_name); + } + } + + brip_xlate_th(xl, info, EBT_IP6_SPORT, pname); + brip_xlate_th(xl, info, EBT_IP6_DPORT, pname); + + if (info->bitmask & EBT_IP6_ICMP6) { + xt_xlate_add(xl, "icmpv6 type "); + if (info->invflags & EBT_IP6_ICMP6) + xt_xlate_add(xl, "!= "); + + if (info->icmpv6_type[0] == info->icmpv6_type[1]) + xt_xlate_add(xl, "%d ", info->icmpv6_type[0]); + else + xt_xlate_add(xl, "%d-%d ", info->icmpv6_type[0], + info->icmpv6_type[1]); + + if (info->icmpv6_code[0] == 0 && + info->icmpv6_code[1] == 0xff) + return 1; + + xt_xlate_add(xl, "icmpv6 code "); + if (info->invflags & EBT_IP6_ICMP6) + xt_xlate_add(xl, "!= "); + + if (info->icmpv6_code[0] == info->icmpv6_code[1]) + xt_xlate_add(xl, "%d ", info->icmpv6_code[0]); + else + xt_xlate_add(xl, "%d-%d ", info->icmpv6_code[0], + info->icmpv6_code[1]); + } + + return 1; +} + +static struct xtables_match brip6_match = { + .name = "ip6", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_ip6_info)), + .userspacesize = XT_ALIGN(sizeof(struct ebt_ip6_info)), + .init = brip6_init, + .help = brip6_print_help, + .parse = brip6_parse, + .final_check = brip6_final_check, + .print = brip6_print, + .xlate = brip6_xlate, + .extra_opts = brip6_opts, +}; + +void _init(void) +{ + xtables_register_match(&brip6_match); +} diff --git a/vendor/iptables-1.8.7/extensions/libebt_ip6.t b/vendor/iptables-1.8.7/extensions/libebt_ip6.t new file mode 100644 index 00000000..fa1038af --- /dev/null +++ b/vendor/iptables-1.8.7/extensions/libebt_ip6.t 
@@ -0,0 +1,15 @@
+:INPUT,FORWARD,OUTPUT
+-p ip6 --ip6-src ! dead::beef/64 -j ACCEPT;-p IPv6 --ip6-src ! dead::/64 -j ACCEPT;OK
+-p IPv6 --ip6-dst dead:beef::/64 -j ACCEPT;=;OK
+-p IPv6 --ip6-dst f00:ba::;=;OK
+-p IPv6 --ip6-tclass 0xFF;=;OK
+-p IPv6 --ip6-proto tcp --ip6-dport 22;=;OK
+-p IPv6 --ip6-proto tcp --ip6-dport ! 22;=;OK
+-p IPv6 --ip6-proto udp --ip6-sport 1024:65535;=;OK
+-p IPv6 --ip6-proto 253;=;OK
+-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request -j CONTINUE;=;OK
+-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request;=;OK
+-p ip6 --ip6-protocol icmpv6 --ip6-icmp-type 1/1;-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type communication-prohibited -j CONTINUE;OK
+-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type ! 1:10/0:255;=;OK
+--ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;FAIL
+! -p IPv6 --ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;FAIL
diff --git a/vendor/iptables-1.8.7/extensions/libebt_ip6.txlate b/vendor/iptables-1.8.7/extensions/libebt_ip6.txlate
new file mode 100644
index 00000000..0271734c
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_ip6.txlate
@@ -0,0 +1,29 @@
+ebtables-translate -A FORWARD -p ip6 --ip6-src ! dead::beef/64 -j ACCEPT
+nft add rule bridge filter FORWARD ip6 saddr != dead::/64 counter accept
+
+ebtables-translate -A FORWARD -p ip6 ! --ip6-dst dead:beef::/64 -j ACCEPT
+nft add rule bridge filter FORWARD ip6 daddr != dead:beef::/64 counter accept
+
+ebtables-translate -I FORWARD -p ip6 --ip6-dst f00:ba::
+nft insert rule bridge filter FORWARD ip6 daddr f00:ba:: counter
+
+ebtables-translate -I OUTPUT -o eth0 -p ip6 --ip6-tclass 0xff
+nft insert rule bridge filter OUTPUT oifname "eth0" ip6 dscp 0x3f counter
+
+ebtables-translate -A FORWARD -p ip6 --ip6-proto tcp --ip6-dport 22
+nft add rule bridge filter FORWARD ether type ip6 tcp dport 22 counter
+
+ebtables-translate -A FORWARD -p ip6 --ip6-proto udp --ip6-sport 1024:65535
+nft add rule bridge filter FORWARD ether type ip6 udp sport 1024-65535 counter
+
+ebtables-translate -A FORWARD -p ip6 --ip6-proto 253
+nft add rule bridge filter FORWARD ether type ip6 meta l4proto 253 counter
+
+ebtables-translate -A FORWARD -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type "echo-request"
+nft add rule bridge filter FORWARD icmpv6 type 128 counter
+
+ebtables-translate -A FORWARD -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type 1/1
+nft add rule bridge filter FORWARD icmpv6 type 1 icmpv6 code 1 counter
+
+ebtables-translate -A FORWARD -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type ! 1:10
+nft add rule bridge filter FORWARD icmpv6 type != 1-10 counter
diff --git a/vendor/iptables-1.8.7/extensions/libebt_limit.txlate b/vendor/iptables-1.8.7/extensions/libebt_limit.txlate
new file mode 100644
index 00000000..b6af15d5
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_limit.txlate
@@ -0,0 +1,8 @@
+ebtables-translate -A INPUT --limit 3/m --limit-burst 3
+nft add rule bridge filter INPUT limit rate 3/minute burst 3 packets counter
+
+ebtables-translate -A INPUT --limit 10/s --limit-burst 5
+nft add rule bridge filter INPUT limit rate 10/second burst 5 packets counter
+
+ebtables-translate -A INPUT --limit 10/s --limit-burst 0
+nft add rule bridge filter INPUT limit rate 10/second counter
diff --git a/vendor/iptables-1.8.7/extensions/libebt_log.c b/vendor/iptables-1.8.7/extensions/libebt_log.c
new file mode 100644
index 00000000..8858cf0e
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_log.c
@@ -0,0 +1,217 @@ +/* + * Bart De Schuymer + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * Giuseppe Longo adapted the original code to the + * xtables-compat environment in 2015. + * + */ + +#include +#include +#include +#include +#include +#include +#include + +#define LOG_DEFAULT_LEVEL LOG_INFO + +#define LOG_PREFIX '1' +#define LOG_LEVEL '2' +#define LOG_ARP '3' +#define LOG_IP '4' +#define LOG_LOG '5' +#define LOG_IP6 '6' + +struct code { + char *c_name; + int c_val; +}; + +static struct code eight_priority[] = { + { "emerg", LOG_EMERG }, + { "alert", LOG_ALERT }, + { "crit", LOG_CRIT }, + { "error", LOG_ERR }, + { "warning", LOG_WARNING }, + { "notice", LOG_NOTICE }, + { "info", LOG_INFO }, + { "debug", LOG_DEBUG } +}; + +static int name_to_loglevel(const char *arg) +{ + int i; + + for (i = 0; i < 8; i++) + if (!strcmp(arg, eight_priority[i].c_name)) + return eight_priority[i].c_val; + + /* return bad loglevel */ + return 9; +} + +static const struct option brlog_opts[] = { + { .name = "log-prefix", .has_arg = true, .val = LOG_PREFIX }, + { .name = "log-level", .has_arg = true, .val = LOG_LEVEL }, + { .name = "log-arp", .has_arg = false, .val = LOG_ARP }, + { .name = "log-ip", .has_arg = false, .val = LOG_IP }, + { .name = "log", .has_arg = false, .val = LOG_LOG }, + { .name = "log-ip6", .has_arg = false, .val = LOG_IP6 }, + XT_GETOPT_TABLEEND, +}; + +static void brlog_help(void) +{ + int i; + + printf( +"log options:\n" +"--log : use this if you're not specifying anything\n" +"--log-level level : level = [1-8] or a string\n" +"--log-prefix prefix : max. %d chars.\n" +"--log-ip : put ip info. in the log for ip packets\n" +"--log-arp : put (r)arp info. in the log for (r)arp packets\n" +"--log-ip6 : put ip6 info. 
in the log for ip6 packets\n" + , EBT_LOG_PREFIX_SIZE - 1); + for (i = 0; i < 8; i++) + printf("%d = %s\n", eight_priority[i].c_val, + eight_priority[i].c_name); +} + +static void brlog_init(struct xt_entry_target *t) +{ + struct ebt_log_info *loginfo = (struct ebt_log_info *)t->data; + + loginfo->bitmask = 0; + loginfo->prefix[0] = '\0'; + loginfo->loglevel = LOG_NOTICE; +} + +static unsigned int log_chk_inv(int inv, unsigned int bit, const char *suffix) +{ + if (inv) + xtables_error(PARAMETER_PROBLEM, + "Unexpected `!' after --log%s", suffix); + return bit; +} + +static int brlog_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct ebt_log_info *loginfo = (struct ebt_log_info *)(*target)->data; + long int i; + char *end; + + switch (c) { + case LOG_PREFIX: + if (invert) + xtables_error(PARAMETER_PROBLEM, + "Unexpected `!` after --log-prefix"); + if (strlen(optarg) > sizeof(loginfo->prefix) - 1) + xtables_error(PARAMETER_PROBLEM, + "Prefix too long"); + if (strchr(optarg, '\"')) + xtables_error(PARAMETER_PROBLEM, + "Use of \\\" is not allowed" + " in the prefix"); + strcpy((char *)loginfo->prefix, (char *)optarg); + break; + case LOG_LEVEL: + i = strtol(optarg, &end, 16); + if (*end != '\0' || i < 0 || i > 7) + loginfo->loglevel = name_to_loglevel(optarg); + else + loginfo->loglevel = i; + + if (loginfo->loglevel == 9) + xtables_error(PARAMETER_PROBLEM, + "Problem with the log-level"); + break; + case LOG_IP: + loginfo->bitmask |= log_chk_inv(invert, EBT_LOG_IP, "-ip"); + break; + case LOG_ARP: + loginfo->bitmask |= log_chk_inv(invert, EBT_LOG_ARP, "-arp"); + break; + case LOG_LOG: + loginfo->bitmask |= log_chk_inv(invert, 0, ""); + break; + case LOG_IP6: + loginfo->bitmask |= log_chk_inv(invert, EBT_LOG_IP6, "-ip6"); + break; + default: + return 0; + } + + *flags |= loginfo->bitmask; + return 1; +} + +static void brlog_final_check(unsigned int flags) +{ +} + +static void brlog_print(const 
void *ip, const struct xt_entry_target *target, + int numeric) +{ + struct ebt_log_info *loginfo = (struct ebt_log_info *)target->data; + + printf("--log-level %s --log-prefix \"%s\"", + eight_priority[loginfo->loglevel].c_name, + loginfo->prefix); + + if (loginfo->bitmask & EBT_LOG_IP) + printf(" --log-ip"); + if (loginfo->bitmask & EBT_LOG_ARP) + printf(" --log-arp"); + if (loginfo->bitmask & EBT_LOG_IP6) + printf(" --log-ip6"); + printf(" "); +} + +static int brlog_xlate(struct xt_xlate *xl, + const struct xt_xlate_tg_params *params) +{ + const struct ebt_log_info *loginfo = (const void *)params->target->data; + + xt_xlate_add(xl, "log"); + if (loginfo->prefix[0]) { + if (params->escape_quotes) + xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix); + else + xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix); + } + + if (loginfo->loglevel != LOG_DEFAULT_LEVEL) + xt_xlate_add(xl, " level %s", eight_priority[loginfo->loglevel].c_name); + + xt_xlate_add(xl, " flags ether "); + + return 1; +} + +static struct xtables_target brlog_target = { + .name = "log", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_log_info)), + .userspacesize = XT_ALIGN(sizeof(struct ebt_log_info)), + .init = brlog_init, + .help = brlog_help, + .parse = brlog_parse, + .final_check = brlog_final_check, + .print = brlog_print, + .xlate = brlog_xlate, + .extra_opts = brlog_opts, +}; + +void _init(void) +{ + xtables_register_target(&brlog_target); +} diff --git a/vendor/iptables-1.8.7/extensions/libebt_log.t b/vendor/iptables-1.8.7/extensions/libebt_log.t new file mode 100644 index 00000000..a0df6169 --- /dev/null +++ b/vendor/iptables-1.8.7/extensions/libebt_log.t 
@@ -0,0 +1,6 @@
+:INPUT,FORWARD,OUTPUT
+--log;=;OK
+--log-level crit;=;OK
+--log-level 1;--log-level alert --log-prefix "";OK
+--log-level emerg --log-ip --log-arp --log-ip6;--log-level emerg --log-prefix "" --log-ip --log-arp --log-ip6 -j CONTINUE;OK
+--log-level crit --log-ip --log-arp --log-ip6 --log-prefix foo;--log-level crit --log-prefix "foo" --log-ip --log-arp --log-ip6 -j CONTINUE;OK
diff --git a/vendor/iptables-1.8.7/extensions/libebt_log.txlate b/vendor/iptables-1.8.7/extensions/libebt_log.txlate
new file mode 100644
index 00000000..7ef8d5e1
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_log.txlate
@@ -0,0 +1,15 @@
+ebtables-translate -A INPUT --log
+nft add rule bridge filter INPUT log level notice flags ether counter
+
+ebtables-translate -A INPUT --log-level 1
+nft add rule bridge filter INPUT log level alert flags ether counter
+
+ebtables-translate -A INPUT --log-level crit
+nft add rule bridge filter INPUT log level crit flags ether counter
+
+ebtables-translate -A INPUT --log-level emerg --log-ip --log-arp --log-ip6
+nft add rule bridge filter INPUT log level emerg flags ether counter
+
+ebtables-translate -A INPUT --log-level crit --log-ip --log-arp --log-ip6 --log-prefix foo
+nft add rule bridge filter INPUT log prefix "foo" level crit flags ether counter
+
diff --git a/vendor/iptables-1.8.7/extensions/libebt_mark.c b/vendor/iptables-1.8.7/extensions/libebt_mark.c
new file mode 100644
index 00000000..423c5c91
--- /dev/null
+++ b/vendor/iptables-1.8.7/extensions/libebt_mark.c
@@ -0,0 +1,228 @@ +/* ebt_mark + * + * Authors: + * Bart De Schuymer + * + * July, 2002, September 2006 + * + * Adapted by Arturo Borrero Gonzalez + * to use libxtables for ebtables-compat in 2015. + */ + +#include +#include +#include +#include +#include +#include +#include "iptables/nft.h" +#include "iptables/nft-bridge.h" + +#define MARK_TARGET '1' +#define MARK_SETMARK '2' +#define MARK_ORMARK '3' +#define MARK_ANDMARK '4' +#define MARK_XORMARK '5' +static const struct option brmark_opts[] = { + { .name = "mark-target",.has_arg = true, .val = MARK_TARGET }, + /* an oldtime messup, we should have always used the scheme + * -