From dacf69bce6093c0e58ec8990a19a314e3164cb70 Mon Sep 17 00:00:00 2001
From: Samuel Ortiz
Date: Wed, 7 Jul 2010 19:00:52 +0200
Subject: [PATCH 1/3] extensions: Add nfnotif xt target extension
This is the iptables support for the NFNOTIF x_tables target.
Signed-off-by: Samuel Ortiz
---
 extensions/libxt_NFNOTIF.c | 135 ++++++++++++++++++++++++++++++++++
 extensions/libxt_NFNOTIF.man | 11 +++
 include/linux/netfilter/xt_NFNOTIF.h | 55 ++++++++++++++
 3 files changed, 201 insertions(+), 0 deletions(-)
 create mode 100644 extensions/libxt_NFNOTIF.c
 create mode 100644 extensions/libxt_NFNOTIF.man
 create mode 100644 include/linux/netfilter/xt_NFNOTIF.h
diff --git a/extensions/libxt_NFNOTIF.c b/extensions/libxt_NFNOTIF.c
new file mode 100644
index 0000000..e98058f
--- /dev/null
+++ b/extensions/libxt_NFNOTIF.c
@@ -0,0 +1,135 @@
+/*
+ * Shared library add-on for iptables NFNOTIF target support.
+ *
+ * Copyright (C) 2010 Intel Corporation
+ * Samuel Ortiz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+
+enum {
+ NFNOTIF_TG_OPT_LABEL = 1 << 0,
+ NFNOTIF_TG_OPT_ALL = 1 << 1,
+};
+
+static const struct option nfnotif_tg_opts[] = {
+ { .name = "label", .has_arg = true, .flag = 0, .val = 'l' },
+ { .name = "all", .has_arg = false, .val = 'a' },
+ { .name = NULL }
+};
+
+static void nfnotif_tg_help(void)
+{
+ printf(
+"NFNOTIF target options:\n"
+" --label string Unique rule identifier\n"
+" --all Send a notification for all packets.\n"
+" By default only the first hit will\n"
+" trigger a notification.\n"
+"\n");
+}
+
+static int nfnotif_tg_parse(int c, char **argv, int invert,
+ unsigned int *flags,
+ const void *entry,
+ struct xt_entry_target **target)
+{
+ struct nfnotif_tg_info *info =
+ (struct nfnotif_tg_info *)(*target)->data;
+
+ switch (c) {
+ case 'l':
+ if (*flags & NFNOTIF_TG_OPT_LABEL)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify label more than once");
+
+ if (strlen(optarg) > MAX_NFNOTIF_LABEL_SIZE - 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Maximum label length is %u for --label",
+ MAX_NFNOTIF_LABEL_SIZE - 1);
+
+ strcpy(info->label, optarg);
+ *flags |= 
NFNOTIF_TG_OPT_LABEL;
+ break;
+
+ case 'a':
+ if (!invert)
+ info->all_packets = 1;
+ return true;
+
+ default:
+ return false;
+ }
+
+ return true;
+}
+
+static void nfnotif_tg_final_check(unsigned int flags)
+{
+ if (!(flags & NFNOTIF_TG_OPT_LABEL))
+ xtables_error(PARAMETER_PROBLEM, "NFNOTIF target: "
+ "--label parameter required");
+}
+
+static void nfnotif_tg_print(const void *ip,
+ const struct xt_entry_target *target,
+ int numeric)
+{
+ struct nfnotif_tg_info *info =
+ (struct nfnotif_tg_info *) target->data;
+
+ printf("label:%s ", info->label);
+ printf("all packets:%u ", info->all_packets);
+}
+
+static void nfnotif_tg_save(const void *ip,
+ const struct xt_entry_target *target)
+{
+ struct nfnotif_tg_info *info =
+ (struct nfnotif_tg_info *) target->data;
+
+ printf("--label %s ", info->label);
+ printf("--all %u ", info->all_packets);
+}
+
+static struct xtables_target nfnotif_tg_reg = {
+ .family = NFPROTO_UNSPEC,
+ .name = "NFNOTIF",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct nfnotif_tg_info)),
+ .userspacesize = offsetof(struct nfnotif_tg_info, notif),
+ .help = nfnotif_tg_help,
+ .parse = nfnotif_tg_parse,
+ .final_check = nfnotif_tg_final_check,
+ .print = nfnotif_tg_print,
+ .save = nfnotif_tg_save,
+ .extra_opts = nfnotif_tg_opts,
+};
+
+static __attribute__((constructor)) void nfnotif_tg_ldr(void)
+{
+ xtables_register_target(&nfnotif_tg_reg);
+}
diff --git a/extensions/libxt_NFNOTIF.man b/extensions/libxt_NFNOTIF.man
new file mode 100644
index 0000000..b7a324d
--- /dev/null
+++ b/extensions/libxt_NFNOTIF.man
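Review bot: `nfnotif_tg_save` emits `--all %u`, but `--all` is registered in `nfnotif_tg_opts` with `.has_arg = false`, so the `iptables-save` output cannot be fed back through `iptables-restore`: `--all 0` leaves a stray `0` argument, and a rule saved with `all_packets` clear would come back with it set because the `'a'` branch sets `info->all_packets = 1` whenever the option appears. Emit the flag only when it is set: `if (info->all_packets)` / `printf("--all ");`. Relatedly, `NFNOTIF_TG_OPT_ALL` is declared but never set in `nfnotif_tg_parse`, so a repeated `--all` is not diagnosed the way a repeated `--label` is, and the `if (!invert)` silently ignores a `! --all` instead of rejecting it. The `%u` with `info->all_packets` in `nfnotif_tg_print` is only cosmetic and does not affect restore.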
@@ -0,0 +1,11 @@
+Whenever a packet hits this target, userspace is notified through a netlink
+message. The message will contain the associated label as an attribute, in
+order to match te notification with a previously set rule.
+
+\fB\-\-label\fP \fIstring\fP
+This is a unique identifier for the notification rule.
+.TP
+\fB\-\-all\fP
+Send a notification for all packets. Default behaviour is to send it only for
+the first one hitting the target.
+
diff --git a/include/linux/netfilter/xt_NFNOTIF.h b/include/linux/netfilter/xt_NFNOTIF.h
new file mode 100644
index 0000000..073df62
--- /dev/null
+++ b/include/linux/netfilter/xt_NFNOTIF.h
@@ -0,0 +1,55 @@
+/*
+ * linux/include/linux/netfilter/xt_NFNOTIF.h
+ *
+ * Header file for Xtables notification target module.
+ *
+ * Copyright (C) 2010
+ * Samuel Ortiz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version
+ * 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef _XT_NFNOTIF_H
+#define _XT_NFNOTIF_H
+
+#include
+
+enum nfnotif_msg_type {
+ NFNOTIF_TG_MSG_PACKETS,
+
+ NFNOTIF_TG_MSG_MAX
+};
+
+enum nfnotif_attr_type {
+ NFNOTIF_TG_ATTR_UNSPEC,
+ NFNOTIF_TG_ATTR_LABEL,
+ NFNOTIF_TG_ATTR_SEND_NOTIF,
+
+ __NFNOTIF_TG_ATTR_AFTER_LAST
+};
+#define NFNOTIF_TG_ATTR_MAX (__NFNOTIF_TG_ATTR_AFTER_LAST - 1)
+
+#define MAX_NFNOTIF_LABEL_SIZE 31
+
+struct nfnotif_tg_info {
+ __u8 all_packets;
+
+ char label[MAX_NFNOTIF_LABEL_SIZE];
+
+ /* for kernel module internal use only */
+ struct nfnotif_tg *notif __attribute((aligned(8)));
+};
+
+#endif
-- 
1.7.1
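Review bot: `label` in `struct nfnotif_tg_info` is a fixed `char[MAX_NFNOTIF_LABEL_SIZE]` with no stated termination contract, yet this struct is copied across the user/kernel boundary and the userspace side fills it with `strcpy`, so the kernel side (not in this patch) will presumably treat it as a C string. The header should say what the kernel may rely on, and therefore what its checkentry has to verify instead of trusting the caller: `/* NUL-terminated, at most MAX_NFNOTIF_LABEL_SIZE - 1 chars; the kernel must reject an unterminated buffer */`. Also, `__attribute((aligned(8)))` on `notif` uses the short non-standard spelling, whereas `libxt_NFNOTIF.c` in this same patch writes `__attribute__((constructor))`; use `__attribute__` for consistency.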