#include <stdio.h>
#include <xtables.h>
#include <linux/netfilter/xt_rpfilter.h>
|
/*
 * Option ids for the rpfilter match.  They double as indices into
 * rpfilter_opts[] (rpfilter_print_prefix indexes that table by id to
 * recover the option name), so the numbering must stay in step with the
 * table's order.
 */
enum {
	O_RPF_LOOSE = 0,	/* --loose: reverse path may be via any interface */
	O_RPF_VMARK = 1,	/* --validmark: use the skb nfmark in the route lookup */
	O_RPF_ACCEPT_LOCAL = 2,	/* --accept-local: do not reject a local source address */
	O_RPF_INVERT = 3,	/* --invert: match packets that FAILED the reverse path test */
};
|
/*
 * .help callback: print the option summary for "-m rpfilter --help".
 *
 * Writes the fixed text to stdout and returns nothing.
 */
static void rpfilter_help(void)
{
	static const char help_text[] =
		"rpfilter match options:\n"
		" --loose permit reverse path via any interface\n"
		" --validmark use skb nfmark when performing route lookup\n"
		" --accept-local do not reject packets with a local source address\n"
		" --invert match packets that failed the reverse path test\n";

	/* No conversions in the text, so fputs is equivalent to printf here. */
	fputs(help_text, stdout);
}
|
/*
 * Option table handed to the xtables option parser (.x6_options).
 * All four options are bare flags (XTTYPE_NONE, no argument).  Entry
 * order must match the O_RPF_* ids: rpfilter_print_prefix indexes this
 * table by id to recover the option name.
 */
static const struct xt_option_entry rpfilter_opts[] = {
	{.name = "loose", .id = O_RPF_LOOSE, .type = XTTYPE_NONE, },
	{.name = "validmark", .id = O_RPF_VMARK, .type = XTTYPE_NONE, },
	{.name = "accept-local", .id = O_RPF_ACCEPT_LOCAL, .type = XTTYPE_NONE, },
	{.name = "invert", .id = O_RPF_INVERT, .type = XTTYPE_NONE, },
	XTOPT_TABLEEND,	/* end-of-table sentinel */
};
|
/*
 * .x6_parse callback: set the match flag for the option xtables just
 * recognised.
 *
 * @cb  parser state; cb->entry->id is the O_RPF_* id of the option and
 *      cb->data points at the struct xt_rpfilter_info being built.
 *
 * xtables_option_parse() runs the generic checks first; the id is then
 * mapped to its XT_RPFILTER_* bit and OR-ed into info->flags.  Ids not
 * present in the table are ignored.
 */
static void rpfilter_parse(struct xt_option_call *cb)
{
	static const unsigned int flag_for_id[] = {
		[O_RPF_LOOSE]        = XT_RPFILTER_LOOSE,
		[O_RPF_VMARK]        = XT_RPFILTER_VALID_MARK,
		[O_RPF_ACCEPT_LOCAL] = XT_RPFILTER_ACCEPT_LOCAL,
		[O_RPF_INVERT]       = XT_RPFILTER_INVERT,
	};
	struct xt_rpfilter_info *info = cb->data;
	unsigned int id;

	xtables_option_parse(cb);

	id = cb->entry->id;
	if (id < sizeof(flag_for_id) / sizeof(flag_for_id[0]))
		info->flags |= flag_for_id[id];
}
|
/*
 * Print every option encoded in a match's flags, each preceded by a
 * space and @prefix ("" from the .print path, "--" from the .save path).
 *
 * @ip         entry header, not used by this match.
 * @matchinfo  the struct xt_rpfilter_info carried by the rule.
 * @prefix     text placed in front of each option name.
 *
 * Options come out in O_RPF_* order, and the name is read from
 * rpfilter_opts[] so that help, parse and print cannot drift apart.
 */
static void
rpfilter_print_prefix(const void *ip, const void *matchinfo,
		      const char *prefix)
{
	static const struct {
		unsigned int flag;	/* XT_RPFILTER_* bit to test */
		unsigned int id;	/* index into rpfilter_opts[] */
	} bits[] = {
		{ XT_RPFILTER_LOOSE,        O_RPF_LOOSE },
		{ XT_RPFILTER_VALID_MARK,   O_RPF_VMARK },
		{ XT_RPFILTER_ACCEPT_LOCAL, O_RPF_ACCEPT_LOCAL },
		{ XT_RPFILTER_INVERT,       O_RPF_INVERT },
	};
	const struct xt_rpfilter_info *info = matchinfo;
	size_t i;

	for (i = 0; i < sizeof(bits) / sizeof(bits[0]); i++) {
		if (info->flags & bits[i].flag)
			printf(" %s%s", prefix, rpfilter_opts[bits[i].id].name);
	}
}
|
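/*
 * .print callback: list the match in human-readable form — " rpfilter"
 * followed by the active options without a "--" prefix.
 *
 * @ip       entry header, passed through unused.
 * @match    the match; match->data holds struct xt_rpfilter_info.
 * @numeric  unused, this match has nothing to resolve symbolically.
 *
 * The helper is called as a plain statement: "return <void expression>;"
 * in a void function violates an ISO C constraint (C11 6.8.6.4p1) and is
 * only accepted by GCC as an extension.
 */
static void
rpfilter_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
	printf(" rpfilter");
	rpfilter_print_prefix(ip, match->data, "");
}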
|
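/*
 * .save callback: emit the match in a form that can be fed back to the
 * parser, i.e. each active option with its "--" prefix.
 *
 * @ip     entry header, passed through unused.
 * @match  the match; match->data holds struct xt_rpfilter_info.
 *
 * The helper is called as a plain statement: "return <void expression>;"
 * in a void function violates an ISO C constraint (C11 6.8.6.4p1) and is
 * only accepted by GCC as an extension.
 */
static void rpfilter_save(const void *ip, const struct xt_entry_match *match)
{
	rpfilter_print_prefix(ip, match->data, "--");
}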
|
/*
 * .xlate callback: translate the match into nftables "fib" syntax.
 *
 * @xl      output buffer for the translated rule fragment.
 * @params  params->match->data holds struct xt_rpfilter_info.
 *
 * Returns 1 when a translation was written, 0 when none is offered.
 *
 * The reverse-path test becomes a fib lookup keyed on the source address.
 * With --validmark the packet mark joins the key; unless --loose was
 * given the incoming interface is part of the key too, so a route back
 * must leave via the interface the packet arrived on (loose mode only
 * asks whether any route back exists).  "oif != 0" accepts packets that
 * pass the test; --invert turns that into "oif 0" (packets that fail).
 *
 * --accept-local is translated only together with --invert, as an extra
 * "fib saddr type != local" clause.  Without --invert the match would
 * mean "reverse path valid OR source is local", which this translator
 * does not express as a single expression, so it declines with 0.
 */
static int rpfilter_xlate(struct xt_xlate *xl,
			  const struct xt_xlate_mt_params *params)
{
	const struct xt_rpfilter_info *info = (void *)params->match->data;
	const bool invert = info->flags & XT_RPFILTER_INVERT;
	const bool accept_local = info->flags & XT_RPFILTER_ACCEPT_LOCAL;
	const bool with_mark = info->flags & XT_RPFILTER_VALID_MARK;
	const bool strict_iif = !(info->flags & XT_RPFILTER_LOOSE);

	/* Non-inverted accept-local has no single-expression translation. */
	if (accept_local && !invert)
		return 0;

	if (accept_local)
		xt_xlate_add(xl, "fib saddr type != local ");

	xt_xlate_add(xl, "fib saddr ");
	if (with_mark)
		xt_xlate_add(xl, ". mark ");
	if (strict_iif)
		xt_xlate_add(xl, ". iif ");
	xt_xlate_add(xl, "oif %s0", invert ? "" : "!= ");

	return 1;
}
|
/*
 * Registration record for the "rpfilter" match.  NFPROTO_UNSPEC lets the
 * one extension serve both the IPv4 and IPv6 tables.  .size and
 * .userspacesize are identical because struct xt_rpfilter_info has no
 * userspace-only fields; both are the kernel-aligned size of that struct.
 */
static struct xtables_match rpfilter_match = {
	.family = NFPROTO_UNSPEC,
	.name = "rpfilter",
	.version = XTABLES_VERSION,
	.size = XT_ALIGN(sizeof(struct xt_rpfilter_info)),
	.userspacesize = XT_ALIGN(sizeof(struct xt_rpfilter_info)),
	.help = rpfilter_help,
	.print = rpfilter_print,
	.save = rpfilter_save,
	.x6_parse = rpfilter_parse,		/* option callback, table below */
	.x6_options = rpfilter_opts,
	.xlate = rpfilter_xlate,		/* iptables-translate support */
};
|
/*
 * Extension entry point: registers the match with libxtables when the
 * shared object is loaded (xtables.h arranges for _init to run as a
 * load-time constructor).
 */
void _init(void)
{
	xtables_register_match(&rpfilter_match);
}