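/*
 * Shared library add-on to iptables to add CONNSECMARK target support.
 *
 * Based on the MARK and CONNMARK targets.
 *
 * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris (at) redhat.com>
 */
#include <stdio.h>
#include <xtables.h>
#include <linux/netfilter/xt_CONNSECMARK.h>

/* Prefix shared by every diagnostic this extension raises via xtables_error(). */
#define PFX "CONNSECMARK target: "

/*
 * O_* are the option ids used in CONNSECMARK_opts[]; F_* are the matching
 * xflags bits. The F_* bits drive both the mutual exclusion in the option
 * table (.excl) and the "was anything given at all" test in
 * CONNSECMARK_check().
 */
enum {
	O_SAVE = 0,
	O_RESTORE,
	F_SAVE = 1 << O_SAVE,
	F_RESTORE = 1 << O_RESTORE,
};

/* Usage text for this target. */
static void CONNSECMARK_help(void)
{
	printf(
"CONNSECMARK target options:\n"
"  --save                   Copy security mark from packet to conntrack\n"
"  --restore                Copy security mark from connection to packet\n");
}

/*
 * Option table: --save and --restore take no argument (XTTYPE_NONE) and
 * exclude each other (.excl), so the parser never accepts both.
 */
static const struct xt_option_entry CONNSECMARK_opts[] = {
	{.name = "save", .id = O_SAVE, .excl = F_RESTORE, .type = XTTYPE_NONE},
	{.name = "restore", .id = O_RESTORE, .excl = F_SAVE,
	 .type = XTTYPE_NONE},
	XTOPT_TABLEEND,
};

/*
 * Per-option callback: store the requested mode in the target data that is
 * handed to the kernel. The option table above defines only O_SAVE and
 * O_RESTORE, which is why the switch carries no default branch.
 */
static void CONNSECMARK_parse(struct xt_option_call *cb)
{
	struct xt_connsecmark_target_info *info = cb->data;

	xtables_option_parse(cb);
	switch (cb->entry->id) {
	case O_SAVE:
		info->mode = CONNSECMARK_SAVE;
		break;
	case O_RESTORE:
		info->mode = CONNSECMARK_RESTORE;
		break;
	}
}

/*
 * Final check after all options are parsed: one of --save/--restore is
 * mandatory. Mutual exclusion is already enforced by .excl, so "no flag
 * set" is the only invalid state left to reject here.
 */
static void CONNSECMARK_check(struct xt_fcheck_call *cb)
{
	if (cb->xflags == 0)
		xtables_error(PARAMETER_PROBLEM, PFX "parameter required");
}

/*
 * Emit the mode keyword for an existing rule. The mode field is read back
 * from rule data rather than from our own parser, so a value other than the
 * two known modes is treated as corrupt and aborts instead of printing
 * something misleading.
 */
static void print_connsecmark(const struct xt_connsecmark_target_info *info)
{
	switch (info->mode) {
	case CONNSECMARK_SAVE:
		printf("save");
		break;

	case CONNSECMARK_RESTORE:
		printf("restore");
		break;

	default:
		/* No trailing newline, to match the other xtables_error()
		 * message in this file (CONNSECMARK_check). */
		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu", info->mode);
	}
}

/*
 * Listing output (iptables -L). "numeric" is part of the callback
 * signature but has no effect on this target.
 */
static void
CONNSECMARK_print(const void *ip, const struct xt_entry_target *target,
		  int numeric)
{
	/* target is const; keep the qualifier through the cast instead of
	 * stripping it and silently re-adding it on assignment. */
	const struct xt_connsecmark_target_info *info =
		(const struct xt_connsecmark_target_info *)target->data;

	printf(" CONNSECMARK ");
	print_connsecmark(info);
}

/* Save output (iptables-save): re-emit the option that recreates the rule. */
static void
CONNSECMARK_save(const void *ip, const struct xt_entry_target *target)
{
	const struct xt_connsecmark_target_info *info =
		(const struct xt_connsecmark_target_info *)target->data;

	printf("--");
	print_connsecmark(info);
}

/*
 * Registration record. .size and .userspacesize are equal: the whole of
 * xt_connsecmark_target_info is visible to and compared by userspace.
 */
static struct xtables_target connsecmark_target = {
	.family		= NFPROTO_UNSPEC,
	.name		= "CONNSECMARK",
	.version	= XTABLES_VERSION,
	.revision	= 0,
	.size		= XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
	.userspacesize	= XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
	.help		= CONNSECMARK_help,
	.print		= CONNSECMARK_print,
	.save		= CONNSECMARK_save,
	.x6_parse	= CONNSECMARK_parse,
	.x6_fcheck	= CONNSECMARK_check,
	.x6_options	= CONNSECMARK_opts,
};

/* Shared-object constructor: register the target with libxtables on load. */
void _init(void)
{
	xtables_register_target(&connsecmark_target);
}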