Hi,
ChangeLog:
AH
- save function fix (problem with --len ! 0)
FRAG
- help fix
- save and prtint fix (problem with --len [!] 0)
ROUTE
- new match
RT v1.2.7 options:
--rt-type [!] type match the type
--rt-segsleft [!] num[:num] match the Segments Left field (range)
--rt-len [!] length total length of this header
--rt-0-res check the reserved filed, too (type 0)
--rt-0-addrs Type=0 addresses (list) - NOT SUPPORTED,
yet
The test packets copied to
http://www.securityaudit.hu/Netfilter/addons/TestPackets
(1 truncated AH packet and 4 routing packets)
Regards,
kisza
--
Andras Kis-Szabo Security Development, Design and Audit
-------------------------/ Zorp, NetFilter and IPv6
[EMAIL PROTECTED] /---------------------------------------------->
diff -urN netfilter.old/userspace/patch-o-matic/base/frag6.patch.ipv6.help netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6.help
--- netfilter.old/userspace/patch-o-matic/base/frag6.patch.ipv6.help Mon Apr 22 03:25:56 2002
+++ netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6.help Mon Apr 22 03:29:14 2002
@@ -8,7 +8,7 @@
--fragid [!] id[:id] match the id (range)
--fraglen [!] length total length of this header
--fragres check the reserved filed, too
- --fragfirst matches on the frst fragment
+ --fragfirst matches on the first fragment
[--fragmore|--fraglast] there are more fragments or this
is the last one
diff -urN netfilter.old/userspace/patch-o-matic/base/route6.patch.ipv6 netfilter/userspace/patch-o-matic/base/route6.patch.ipv6
--- netfilter.old/userspace/patch-o-matic/base/route6.patch.ipv6 Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/base/route6.patch.ipv6 Mon Apr 22 03:26:25 2002
@@ -0,0 +1,267 @@
+diff -urN linux-2.4.18.hoi.1.1/include/linux/netfilter_ipv6/ip6t_rt.h linux/include/linux/netfilter_ipv6/ip6t_rt.h
+--- linux-2.4.18.hoi.1.1/include/linux/netfilter_ipv6/ip6t_rt.h Thu Jan 1 01:00:00 1970
++++ linux/include/linux/netfilter_ipv6/ip6t_rt.h Mon Apr 22 01:04:24 2002
+@@ -0,0 +1,34 @@
++#ifndef _IP6T_RT_H
++#define _IP6T_RT_H
++
++struct ip6t_rt
++{
++ u_int32_t rt_type; /* Routing Type */
++ u_int32_t segsleft[2]; /* Segments Left */
++ u_int32_t hdrlen; /* Header Length */
++ u_int8_t flags; /* */
++ u_int8_t invflags; /* Inverse flags */
++};
++
++#define IP6T_RT_TYP 0x01
++#define IP6T_RT_SGS 0x02
++#define IP6T_RT_LEN 0x04
++#define IP6T_RT_RES 0x08
++#define IP6T_RT_FST 0x10
++
++/* Values for "invflags" field in struct ip6t_rt. */
++#define IP6T_RT_INV_TYP 0x01 /* Invert the sense of type. */
++#define IP6T_RT_INV_SGS 0x02 /* Invert the sense of Segments. */
++#define IP6T_RT_INV_LEN 0x04 /* Invert the sense of length. */
++#define IP6T_RT_INV_MASK 0x07 /* All possible flags. */
++
++#define MASK_HOPOPTS 128
++#define MASK_DSTOPTS 64
++#define MASK_ROUTING 32
++#define MASK_FRAGMENT 16
++#define MASK_AH 8
++#define MASK_ESP 4
++#define MASK_NONE 2
++#define MASK_PROTO 1
++
++#endif /*_IP6T_RT_H*/
+diff -urN linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_rt.c linux-2.4.18/net/ipv6/netfilter/ip6t_rt.c
+--- linux-2.4.18.hoi.1.1/net/ipv6/netfilter/ip6t_rt.c Thu Jan 1 01:00:00 1970
++++ linux-2.4.18/net/ipv6/netfilter/ip6t_rt.c Mon Apr 22 02:55:04 2002
+@@ -0,0 +1,225 @@
++/* Kernel module to match ROUTING parameters. */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ipv6.h>
++#include <linux/types.h>
++#include <net/checksum.h>
++#include <net/ipv6.h>
++
++#include <asm/byteorder.h>
++
++#include <linux/netfilter_ipv6/ip6_tables.h>
++#include <linux/netfilter_ipv6/ip6t_rt.h>
++
++EXPORT_NO_SYMBOLS;
++MODULE_LICENSE("GPL");
++MODULE_DESCRIPTION("IPv6 RT match");
++MODULE_AUTHOR("Andras Kis-Szabo <[EMAIL PROTECTED]>");
++
++#if 0
++#define DEBUGP printk
++#else
++#define DEBUGP(format, args...)
++#endif
++
++int ipv6_ext_hdr(u8 nexthdr)
++{
++ return ( (nexthdr == NEXTHDR_HOP) ||
++ (nexthdr == NEXTHDR_ROUTING) ||
++ (nexthdr == NEXTHDR_FRAGMENT) ||
++ (nexthdr == NEXTHDR_AUTH) ||
++ (nexthdr == NEXTHDR_ESP) ||
++ (nexthdr == NEXTHDR_NONE) ||
++ (nexthdr == NEXTHDR_DEST) );
++}
++
++/* Returns 1 if the id is matched by the range, 0 otherwise */
++static inline int
++segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, int invert)
++{
++ int r=0;
++ DEBUGP("rt segsleft_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
++ min,id,max);
++ r=(id >= min && id <= max) ^ invert;
++ DEBUGP(" result %s\n",r? "PASS" : "FAILED");
++ return r;
++}
++
++static int
++match(const struct sk_buff *skb,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *matchinfo,
++ int offset,
++ const void *protohdr,
++ u_int16_t datalen,
++ int *hotdrop)
++{
++ struct ipv6_rt_hdr *route = NULL;
++ const struct ip6t_rt *rtinfo = matchinfo;
++ unsigned int temp;
++ int len;
++ u8 nexthdr;
++ unsigned int ptr;
++ unsigned int hdrlen = 0;
++
++ /* type of the 1st exthdr */
++ nexthdr = skb->nh.ipv6h->nexthdr;
++ /* pointer to the 1st exthdr */
++ ptr = sizeof(struct ipv6hdr);
++ /* available length */
++ len = skb->len - ptr;
++ temp = 0;
++
++ while (ipv6_ext_hdr(nexthdr)) {
++ struct ipv6_opt_hdr *hdr;
++
++ DEBUGP("ipv6_rt header iteration \n");
++
++ /* Is there enough space for the next ext header? */
++ if (len < (int)sizeof(struct ipv6_opt_hdr))
++ return 0;
++ /* No more exthdr -> evaluate */
++ if (nexthdr == NEXTHDR_NONE) {
++ break;
++ }
++ /* ESP -> evaluate */
++ if (nexthdr == NEXTHDR_ESP) {
++ break;
++ }
++
++ hdr=skb->data+ptr;
++
++ /* Calculate the header length */
++ if (nexthdr == NEXTHDR_FRAGMENT) {
++ hdrlen = 8;
++ } else if (nexthdr == NEXTHDR_AUTH)
++ hdrlen = (hdr->hdrlen+2)<<2;
++ else
++ hdrlen = ipv6_optlen(hdr);
++
++ /* ROUTING -> evaluate */
++ if (nexthdr == NEXTHDR_ROUTING) {
++ temp |= MASK_ROUTING;
++ break;
++ }
++
++
++ /* set the flag */
++ switch (nexthdr){
++ case NEXTHDR_HOP:
++ case NEXTHDR_ROUTING:
++ case NEXTHDR_FRAGMENT:
++ case NEXTHDR_AUTH:
++ case NEXTHDR_DEST:
++ break;
++ default:
++ DEBUGP("ipv6_rt match: unknown nextheader %u\n",nexthdr);
++ return 0;
++ break;
++ }
++
++ nexthdr = hdr->nexthdr;
++ len -= hdrlen;
++ ptr += hdrlen;
++ if ( ptr > skb->len ) {
++ DEBUGP("ipv6_rt: new pointer is too large! \n");
++ break;
++ }
++ }
++
++ /* ROUTING header not found */
++ if ( temp != MASK_ROUTING ) return 0;
++
++ if (len < (int)sizeof(struct ipv6_rt_hdr)){
++ *hotdrop = 1;
++ return 0;
++ }
++
++ route=skb->data+ptr;
++
++ DEBUGP("IPv6 RT LEN %u %u ", hdrlen, route->hdrlen);
++ DEBUGP("TYPE %04X ", route->type);
++ DEBUGP("SGS_LEFT %u %08X\n", ntohl(route->segments_left), ntohl(route->segments_left));
++
++ DEBUGP("IPv6 RT segsleft %02X ",
++ (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
++ ntohl(route->segments_left),
++ !!(rtinfo->invflags & IP6T_RT_INV_SGS))));
++ DEBUGP("type %02X %02X %02X ",
++ rtinfo->rt_type, route->type,
++ (!(rtinfo->flags & IP6T_RT_TYP) ||
++ ((rtinfo->rt_type == route->type) ^
++ !!(rtinfo->invflags & IP6T_RT_INV_TYP))));
++ DEBUGP("len %02X %04X %02X ",
++ rtinfo->hdrlen, hdrlen,
++ (!(rtinfo->flags & IP6T_RT_LEN) ||
++ ((rtinfo->hdrlen == hdrlen) ^
++ !!(rtinfo->invflags & IP6T_RT_INV_LEN))));
++ DEBUGP("res %02X %02X %02X ",
++ (rtinfo->flags & IP6T_RT_RES), ((struct rt0_hdr *)route)->bitmap,
++ !((rtinfo->flags & IP6T_RT_RES) && (((struct rt0_hdr *)route)->bitmap)));
++
++ return (route != NULL)
++ &&
++ (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
++ ntohl(route->segments_left),
++ !!(rtinfo->invflags & IP6T_RT_INV_SGS)))
++ &&
++ (!(rtinfo->flags & IP6T_RT_LEN) ||
++ ((rtinfo->hdrlen == hdrlen) ^
++ !!(rtinfo->invflags & IP6T_RT_INV_LEN)))
++ &&
++ (!(rtinfo->flags & IP6T_RT_TYP) ||
++ ((rtinfo->rt_type == route->type) ^
++ !!(rtinfo->invflags & IP6T_RT_INV_TYP)))
++ &&
++ !((rtinfo->flags & IP6T_RT_RES) && (((struct rt0_hdr *)route)->bitmap));
++}
++
++/* Called when user tries to insert an entry of this type. */
++static int
++checkentry(const char *tablename,
++ const struct ip6t_ip6 *ip,
++ void *matchinfo,
++ unsigned int matchinfosize,
++ unsigned int hook_mask)
++{
++ const struct ip6t_rt *rtinfo = matchinfo;
++
++ if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_rt))) {
++ DEBUGP("ip6t_rt: matchsize %u != %u\n",
++ matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_rt)));
++ return 0;
++ }
++ if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
++ DEBUGP("ip6t_rt: unknown flags %X\n",
++ rtinfo->invflags);
++ return 0;
++ }
++ if ( (rtinfo->flags & (IP6T_RT_RES|IP6T_RT_FST)) &&
++ (!(rtinfo->flags & IP6T_RT_TYP) ||
++ (rtinfo->rt_type != 0) ||
++ (rtinfo->invflags & IP6T_RT_INV_TYP)) ) {
++ DEBUGP("`--rt-type 0' required before `--rt-0-*'");
++ return 0;
++ }
++
++ return 1;
++}
++
++static struct ip6t_match rt_match
++= { { NULL, NULL }, "rt", &match, &checkentry, NULL, THIS_MODULE };
++
++static int __init init(void)
++{
++ return ip6t_register_match(&rt_match);
++}
++
++static void __exit cleanup(void)
++{
++ ip6t_unregister_match(&rt_match);
++}
++
++module_init(init);
++module_exit(cleanup);
diff -urN netfilter.old/userspace/patch-o-matic/base/route6.patch.ipv6.config.in netfilter/userspace/patch-o-matic/base/route6.patch.ipv6.config.in
--- netfilter.old/userspace/patch-o-matic/base/route6.patch.ipv6.config.in Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/base/route6.patch.ipv6.config.in Mon Apr 22 03:27:11 2002
@@ -0,0 +1,4 @@
+ dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
+ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+ dep_tristate ' Routing header match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_RT $CONFIG_IP6_NF_IPTABLES
+ fi
diff -urN netfilter.old/userspace/patch-o-matic/base/route6.patch.ipv6.configure.help netfilter/userspace/patch-o-matic/base/route6.patch.ipv6.configure.help
--- netfilter.old/userspace/patch-o-matic/base/route6.patch.ipv6.configure.help Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/base/route6.patch.ipv6.configure.help Mon Apr 22 03:28:00 2002
@@ -0,0 +1,9 @@
+CONFIG_IP6_NF_MATCH_MAC
+Fragmentation header match support (EXPERIMENTAL)
+CONFIG_IP6_NF_MATCH_RT
+ This match extension (`rt') allow you to select the packet based on the
+ fileds of the routing header of the IPv6 packets.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
diff -urN netfilter.old/userspace/patch-o-matic/base/route6.patch.ipv6.help netfilter/userspace/patch-o-matic/base/route6.patch.ipv6.help
--- netfilter.old/userspace/patch-o-matic/base/route6.patch.ipv6.help Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/base/route6.patch.ipv6.help Mon Apr 22 03:29:00 2002
@@ -0,0 +1,13 @@
+Author: Andras Kis-Szabo <[EMAIL PROTECTED]>
+Status: It works 4 me!
+
+ This match extension (`rt') allow you to select the packet based on the
+ fileds of the routing header of the IPv6 packets.
+
+ RT options:
+ --rt-type [!] type match the type
+ --rt-segsleft [!] num[:num] match the Segments Left field (range)
+ --rt-len [!] length total length of this header
+ --rt-0-res check the reserved filed, too (type 0)
+ --rt-0-addrs Type=0 addresses (list) - NOT SUPPORTED, yet
+
diff -urN netfilter.old/userspace/patch-o-matic/base/route6.patch.ipv6.makefile netfilter/userspace/patch-o-matic/base/route6.patch.ipv6.makefile
--- netfilter.old/userspace/patch-o-matic/base/route6.patch.ipv6.makefile Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/base/route6.patch.ipv6.makefile Mon Apr 22 03:29:42 2002
@@ -0,0 +1,2 @@
+obj-$(CONFIG_IP6_NF_MATCH_MAC) += ip6t_mac.o
+obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
diff -urN netfilter.old/userspace/extensions/.rt-test6 netfilter/userspace/extensions/.rt-test6
--- netfilter.old/userspace/extensions/.rt-test6 Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/extensions/.rt-test6 Mon Apr 22 00:56:58 2002
@@ -0,0 +1,2 @@
+#!/bin/sh
+[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_rt.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_rt.h ] && echo rt
diff -urN netfilter.old/userspace/extensions/libip6t_ah.c netfilter/userspace/extensions/libip6t_ah.c
--- netfilter.old/userspace/extensions/libip6t_ah.c Mon Apr 22 00:56:07 2002
+++ netfilter/userspace/extensions/libip6t_ah.c Mon Apr 22 03:15:18 2002
@@ -203,7 +203,7 @@
ahinfo->spis[0]);
}
- if (ahinfo->hdrlen != 0 ) {
+ if (ahinfo->hdrlen != 0 || (ahinfo->invflags & IP6T_AH_INV_LEN) ) {
printf("--ahlen %s%u ",
(ahinfo->invflags & IP6T_AH_INV_LEN) ? "! " : "",
ahinfo->hdrlen);
diff -urN netfilter.old/userspace/extensions/libip6t_frag.c netfilter/userspace/extensions/libip6t_frag.c
--- netfilter.old/userspace/extensions/libip6t_frag.c Mon Apr 22 00:56:07 2002
+++ netfilter/userspace/extensions/libip6t_frag.c Mon Apr 22 03:07:38 2002
@@ -17,7 +17,7 @@
" --fragid [!] id[:id] match the id (range)\n"
" --fraglen [!] length total length of this header\n"
" --fragres check the reserved filed, too\n"
-" --fragfirst matches on the frst fragment\n"
+" --fragfirst matches on the first fragment\n"
" [--fragmore|--fraglast] there are more fragments or this\n"
" is the last one\n",
NETFILTER_VERSION);
@@ -184,19 +184,6 @@
}
}
-static void
-print_len(const char *name, u_int32_t len, int invert)
-{
- const char *inv = invert ? "!" : "";
-
- if (len != 0 || invert) {
- printf("%s", name);
- printf(":%s", inv);
- printf("%u", len);
- printf(" ");
- }
-}
-
/* Prints out the union ip6t_matchinfo. */
static void
print(const struct ip6t_ip6 *ip,
@@ -207,8 +194,12 @@
printf("frag ");
print_ids("id", frag->ids[0], frag->ids[1],
frag->invflags & IP6T_FRAG_INV_IDS);
- print_len("length", frag->hdrlen,
- frag->invflags & IP6T_FRAG_INV_LEN);
+ if (frag->flags & IP6T_FRAG_LEN) {
+ printf("length");
+ printf(":%s", frag->invflags & IP6T_FRAG_INV_LEN ? "!" : "");
+ printf("%u", frag->hdrlen);
+ printf(" ");
+ }
if (frag->flags & IP6T_FRAG_RES) printf("reserved ");
if (frag->flags & IP6T_FRAG_FST) printf("first ");
if (frag->flags & IP6T_FRAG_MF) printf("more ");
@@ -237,7 +228,7 @@
fraginfo->ids[0]);
}
- if (fraginfo->hdrlen != 0 ) {
+ if (fraginfo->flags & IP6T_FRAG_LEN) {
printf("--fraglen %s%u ",
(fraginfo->invflags & IP6T_FRAG_INV_LEN) ? "! " : "",
fraginfo->hdrlen);
diff -urN netfilter.old/userspace/extensions/libip6t_rt.c netfilter/userspace/extensions/libip6t_rt.c
--- netfilter.old/userspace/extensions/libip6t_rt.c Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/extensions/libip6t_rt.c Mon Apr 22 03:03:34 2002
@@ -0,0 +1,274 @@
+/* Shared library add-on to ip6tables to add Routing header support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <ip6tables.h>
+#include <linux/netfilter_ipv6/ip6t_rt.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"RT v%s options:\n"
+" --rt-type [!] type match the type\n"
+" --rt-segsleft [!] num[:num] match the Segments Left field (range)\n"
+" --rt-len [!] length total length of this header\n"
+" --rt-0-res check the reserved filed, too (type 0)\n"
+" --rt-0-addrs Type=0 addresses (list) - NOT SUPPORTED, yet\n",
+NETFILTER_VERSION);
+}
+
+static struct option opts[] = {
+ { "rt-type", 1, 0, '1' },
+ { "rt-segsleft", 1, 0, '2' },
+ { "rt-len", 1, 0, '3' },
+ { "rt-0-res", 0, 0, '4' },
+ { "rt-0-addrs", 0, 0, '5' },
+ {0}
+};
+
+static u_int32_t
+parse_rt_num(const char *idstr, const char *typestr)
+{
+ unsigned long int id;
+ char* ep;
+
+ id = strtoul(idstr,&ep,0) ;
+
+ if ( idstr == ep ) {
+ exit_error(PARAMETER_PROBLEM,
+ "RT no valid digits in %s `%s'", typestr, idstr);
+ }
+ if ( id == ULONG_MAX && errno == ERANGE ) {
+ exit_error(PARAMETER_PROBLEM,
+ "%s `%s' specified too big: would overflow",
+ typestr, idstr);
+ }
+ if ( *idstr != '\0' && *ep != '\0' ) {
+ exit_error(PARAMETER_PROBLEM,
+ "RT error parsing %s `%s'", typestr, idstr);
+ }
+ return (u_int32_t) id;
+}
+
+static void
+parse_rt_segsleft(const char *idstring, u_int32_t *ids)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(idstring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ids[0] = ids[1] = parse_rt_num(buffer,"segsleft");
+ else {
+ *cp = '\0';
+ cp++;
+
+ ids[0] = buffer[0] ? parse_rt_num(buffer,"segsleft") : 0;
+ ids[1] = cp[0] ? parse_rt_num(cp,"segsleft") : 0xFFFFFFFF;
+ }
+ free(buffer);
+}
+
+/* Initialize the match. */
+static void
+init(struct ip6t_entry_match *m, unsigned int *nfcache)
+{
+ struct ip6t_rt *rtinfo = (struct ip6t_rt *)m->data;
+
+ rtinfo->rt_type = 0x0L;
+ rtinfo->segsleft[0] = 0x0L;
+ rtinfo->segsleft[1] = 0xFFFFFFFF;
+ rtinfo->hdrlen = 0;
+ rtinfo->flags = 0;
+ rtinfo->invflags = 0;
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ip6t_entry *entry,
+ unsigned int *nfcache,
+ struct ip6t_entry_match **match)
+{
+ struct ip6t_rt *rtinfo = (struct ip6t_rt *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & IP6T_RT_TYP)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--rt-type' allowed");
+ check_inverse(optarg, &invert, &optind, 0);
+ rtinfo->rt_type = parse_rt_num(argv[optind-1], "type");
+ if (invert)
+ rtinfo->invflags |= IP6T_RT_INV_TYP;
+ rtinfo->flags |= IP6T_RT_TYP;
+ *flags |= IP6T_RT_TYP;
+ break;
+ case '2':
+ if (*flags & IP6T_RT_SGS)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--rt-segsleft' allowed");
+ check_inverse(optarg, &invert, &optind, 0);
+ parse_rt_segsleft(argv[optind-1], rtinfo->segsleft);
+ if (invert)
+ rtinfo->invflags |= IP6T_RT_INV_SGS;
+ rtinfo->flags |= IP6T_RT_SGS;
+ *flags |= IP6T_RT_SGS;
+ break;
+ case '3':
+ if (*flags & IP6T_RT_LEN)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--rt-len' allowed");
+ check_inverse(optarg, &invert, &optind, 0);
+ rtinfo->hdrlen = parse_rt_num(argv[optind-1], "length");
+ if (invert)
+ rtinfo->invflags |= IP6T_RT_INV_LEN;
+ rtinfo->flags |= IP6T_RT_LEN;
+ *flags |= IP6T_RT_LEN;
+ break;
+ case '4':
+ if (*flags & IP6T_RT_RES)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--rt-0-res' allowed");
+ if ( !(*flags & IP6T_RT_TYP) || (rtinfo->rt_type != 0) || (rtinfo->invflags & IP6T_RT_INV_TYP) )
+ exit_error(PARAMETER_PROBLEM,
+ "`--rt-type 0' required before `--rt-0-res'");
+ rtinfo->flags |= IP6T_RT_RES;
+ *flags |= IP6T_RT_RES;
+ break;
+ case '5':
+ if (*flags & IP6T_RT_FST)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--rt-0-addrs' allowed");
+ if ( !(*flags & IP6T_RT_TYP) || (rtinfo->rt_type != 0) || (rtinfo->invflags & IP6T_RT_INV_TYP) )
+ exit_error(PARAMETER_PROBLEM,
+ "`--rt-type 0' required before `--rt-0-res'");
+ /* TODO: implement it! */
+ exit_error(PARAMETER_PROBLEM,
+ " `--rt-0-addrs' not supported, yet");
+ rtinfo->flags |= IP6T_RT_FST;
+ *flags |= IP6T_RT_FST;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; we don't care. */
+static void
+final_check(unsigned int flags)
+{
+}
+
+static void
+print_nums(const char *name, u_int32_t min, u_int32_t max,
+ int invert)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFFFFFF || invert) {
+ printf("%s", name);
+ if (min == max) {
+ printf(":%s", inv);
+ printf("%u", min);
+ } else {
+ printf("s:%s", inv);
+ printf("%u",min);
+ printf(":");
+ printf("%u",max);
+ }
+ printf(" ");
+ }
+}
+
+/* Prints out the union ip6t_matchinfo. */
+static void
+print(const struct ip6t_ip6 *ip,
+ const struct ip6t_entry_match *match, int numeric)
+{
+ const struct ip6t_rt *rtinfo = (struct ip6t_rt *)match->data;
+
+ printf("rt ");
+ if (rtinfo->flags & IP6T_RT_TYP)
+ printf("type:%s%d ", rtinfo->invflags & IP6T_RT_INV_TYP ? "!" : "",
+ rtinfo->rt_type);
+ print_nums("segsleft", rtinfo->segsleft[0], rtinfo->segsleft[1],
+ rtinfo->invflags & IP6T_RT_INV_SGS);
+ if (rtinfo->flags & IP6T_RT_LEN) {
+ printf("length");
+ printf(":%s", rtinfo->invflags & IP6T_RT_INV_LEN ? "!" : "");
+ printf("%u", rtinfo->hdrlen);
+ printf(" ");
+ }
+ if (rtinfo->flags & IP6T_RT_RES) printf("reserved ");
+ if (rtinfo->flags & IP6T_RT_FST) printf("type0-addrs ");
+ if (rtinfo->invflags & ~IP6T_RT_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ rtinfo->invflags & ~IP6T_RT_INV_MASK);
+}
+
+/* Saves the union ip6t_matchinfo in parsable form to stdout. */
+static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
+{
+ const struct ip6t_rt *rtinfo = (struct ip6t_rt *)match->data;
+
+ if (rtinfo->flags & IP6T_RT_TYP) {
+ printf("--rt-type %s%u ",
+ (rtinfo->invflags & IP6T_RT_INV_TYP) ? "! " : "",
+ rtinfo->rt_type);
+ }
+
+ if (!(rtinfo->segsleft[0] == 0
+ && rtinfo->segsleft[1] == 0xFFFFFFFF)) {
+ printf("--rt-segsleft %s",
+ (rtinfo->invflags & IP6T_RT_INV_SGS) ? "! " : "");
+ if (rtinfo->segsleft[0]
+ != rtinfo->segsleft[1])
+ printf("%u:%u ",
+ rtinfo->segsleft[0],
+ rtinfo->segsleft[1]);
+ else
+ printf("%u ",
+ rtinfo->segsleft[0]);
+ }
+
+ if (rtinfo->flags & IP6T_RT_LEN) {
+ printf("--rt-len %s%u ",
+ (rtinfo->invflags & IP6T_RT_INV_LEN) ? "! " : "",
+ rtinfo->hdrlen);
+ }
+
+ if (rtinfo->flags & IP6T_RT_RES) printf("--rt-0-res ");
+ if (rtinfo->flags & IP6T_RT_FST) printf("--rt-0-addrs ");
+
+}
+
+static
+struct ip6tables_match rt
+= { NULL,
+ "rt",
+ NETFILTER_VERSION,
+ IP6T_ALIGN(sizeof(struct ip6t_rt)),
+ IP6T_ALIGN(sizeof(struct ip6t_rt)),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void
+_init(void)
+{
+ register_match6(&rt);
+}
