Author: baggins Date: Fri Mar 18 21:10:33 2011 GMT Module: packages Tag: HEAD ---- Log message: - rel 5 - add support for IPv6 TPROXY (included in 2.6.37)
---- Files affected: packages/iptables: iptables.spec (1.296 -> 1.297) , iptables-TPROXY-IPv6.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================ Index: packages/iptables/iptables.spec diff -u packages/iptables/iptables.spec:1.296 packages/iptables/iptables.spec:1.297 --- packages/iptables/iptables.spec:1.296 Sun Feb 6 12:53:49 2011 +++ packages/iptables/iptables.spec Fri Mar 18 22:10:28 2011 @@ -34,7 +34,7 @@ Summary(zh_CN.UTF-8): Linux内核包过滤管理工具 Name: iptables Version: 1.4.10 -Release: 4 +Release: 5 License: GPL v2 Group: Networking/Admin Source0: ftp://ftp.netfilter.org/pub/iptables/%{name}-%{version}.tar.bz2 @@ -63,6 +63,7 @@ Patch15: %{name}-owner-struct-size-vs.patch # ipt_stealth; currently disabled (broken, see below) Patch16: %{name}-stealth.patch +Patch17: %{name}-TPROXY-IPv6.patch URL: http://www.netfilter.org/ BuildRequires: autoconf >= 2.50 BuildRequires: automake @@ -191,6 +192,7 @@ %endif # builds but init() api is broken, see warnings #patch16 -p1 +%patch17 -p1 %build %{__libtoolize} @@ -428,6 +430,10 @@ All persons listed below can be reached at <cvs_login>@pld-linux.org $Log$ +Revision 1.297 2011/03/18 21:10:28 baggins +- rel 5 +- add support for IPv6 TPROXY (inlcuded in 2.6.37) + Revision 1.296 2011/02/06 11:53:49 qboosh - include needed headers (ipt_rpc.h, xt_layer7.h) in related patches, like upstream does ================================================================ Index: packages/iptables/iptables-TPROXY-IPv6.patch diff -u /dev/null packages/iptables/iptables-TPROXY-IPv6.patch:1.1 --- /dev/null Fri Mar 18 22:10:34 2011 +++ packages/iptables/iptables-TPROXY-IPv6.patch Fri Mar 18 22:10:28 2011 
@@ -0,0 +1,505 @@ +Date: Thu, 21 Oct 2010 17:19:22 +0200 +From: KOVACS Krisztian <[email protected]> +Subject: [PATCH 1/2] tproxy: add IPv6 support for socket match + +This patch also adds userspace support for the --transparent mode +of matching, which the kernel already supports, but the iptables userspace +doesn't. + +Signed-off-by: Balazs Scheidler <[email protected]> +Signed-off-by: KOVACS Krisztian <[email protected]> +--- + extensions/libxt_socket.c | 103 ++++++++++++++++++++++++++++++++--- + extensions/libxt_socket.man | 6 ++ + include/linux/netfilter/xt_socket.h | 12 ++++ + 3 files changed, 112 insertions(+), 9 deletions(-) + create mode 100644 include/linux/netfilter/xt_socket.h + +diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c +index 1490473..5705466 100644 +--- a/extensions/libxt_socket.c ++++ b/extensions/libxt_socket.c +@@ -1,19 +1,106 @@ + /* + * Shared library add-on to iptables to add early socket matching support. + * +- * Copyright (C) 2007 BalaBit IT Ltd. ++ * Copyright (C) 2007, 2009 BalaBit IT Ltd. 
+ */ ++#include <stdio.h> ++#include <getopt.h> + #include <xtables.h> ++#include <linux/netfilter/xt_socket.h> + +-static struct xtables_match socket_mt_reg = { +- .name = "socket", +- .version = XTABLES_VERSION, +- .family = NFPROTO_IPV4, +- .size = XT_ALIGN(0), +- .userspacesize = XT_ALIGN(0), ++static void socket_mt_help_v0(void) ++{ ++ printf("socket match has no options.\n\n"); ++} ++ ++static void socket_mt_help_v1(void) ++{ ++ printf("socket match options:\n" ++"--transparent Matches only if the socket's transparent option is set\n"); ++} ++ ++static const struct option socket_opts_v1[] = { ++ { "transparent", 0, NULL, '1' }, ++ { } ++}; ++ ++static int socket_mt_parse_v0(int c, char **argv, int invert, ++ unsigned int *flags, const void *entry, ++ struct xt_entry_match **match) ++{ ++ return 0; ++} ++ ++static int socket_mt_parse_v1(int c, char **argv, int invert, ++ unsigned int *flags, const void *entry, ++ struct xt_entry_match **match) ++{ ++ struct xt_socket_mtinfo1 *info = (void *) (*match)->data; ++ ++ switch (c) { ++ case '1': ++ if (*flags) ++ xtables_error(PARAMETER_PROBLEM, ++ "Can't specify multiple --transparent"); ++ info->flags |= XT_SOCKET_TRANSPARENT; ++ *flags = 1; ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++static void socket_mt_check(unsigned int flags) ++{ ++} ++ ++static void socket_mt_print_v1(const void *ip, ++ const struct xt_entry_match *match, ++ int numeric) ++{ ++ const struct xt_socket_mtinfo1 *info = (const void *)match->data; ++ printf("socket "); ++ if (info->flags & XT_SOCKET_TRANSPARENT) ++ printf("transparent "); ++} ++ ++static void socket_mt_save_v1(const void *ip, ++ const struct xt_entry_match *match) ++{ ++ const struct xt_socket_mtinfo1 *info = (const void *)match->data; ++ ++ if (info->flags & XT_SOCKET_TRANSPARENT) ++ printf("--transparent "); ++} ++ ++static struct xtables_match socket_matches[] = { ++ { ++ .name = "socket", ++ .revision = 0, ++ .version = XTABLES_VERSION, ++ .family = 
NFPROTO_IPV4, ++ .parse = socket_mt_parse_v0, ++ .final_check = socket_mt_check, ++ .help = socket_mt_help_v0, ++ }, ++ { ++ .name = "socket", ++ .version = XTABLES_VERSION, ++ .revision = 1, ++ .family = NFPROTO_UNSPEC, ++ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo1)), ++ .parse = socket_mt_parse_v1, ++ .print = socket_mt_print_v1, ++ .save = socket_mt_save_v1, ++ .final_check = socket_mt_check, ++ .help = socket_mt_help_v1, ++ .extra_opts = socket_opts_v1, ++ } + }; + + void _init(void) + { +- xtables_register_match(&socket_mt_reg); ++ xtables_register_matches(socket_matches, ARRAY_SIZE(socket_matches)); + } +diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man +index 50c8854..edc9d75 100644 +--- a/extensions/libxt_socket.man ++++ b/extensions/libxt_socket.man +@@ -1,2 +1,6 @@ + This matches if an open socket can be found by doing a socket lookup on the +-packet. ++packet which doesn\'t listen on the \'any\' IP address (0.0.0.0). ++.TP ++.BI "\-\-transparent" ++Enables additional check, that the actual socket's transparent socket option ++has to be set. 
+diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h +new file mode 100644 +index 0000000..6f475b8 +--- /dev/null ++++ b/include/linux/netfilter/xt_socket.h +@@ -0,0 +1,12 @@ ++#ifndef _XT_SOCKET_H ++#define _XT_SOCKET_H ++ ++enum { ++ XT_SOCKET_TRANSPARENT = 1 << 0, ++}; ++ ++struct xt_socket_mtinfo1 { ++ __u8 flags; ++}; ++ ++#endif /* _XT_SOCKET_H */ + + +Date: Thu, 21 Oct 2010 17:19:22 +0200 +From: KOVACS Krisztian <[email protected]> +Subject: [PATCH 2/2] tproxy: add IPv6 support to the TPROXY target + +Signed-off-by: Balazs Scheidler <[email protected]> +Signed-off-by: KOVACS Krisztian <[email protected]> +--- + extensions/libxt_TPROXY.c | 213 +++++++++++++++++++++++++++++------ + include/linux/netfilter/xt_TPROXY.h | 7 + + 2 files changed, 183 insertions(+), 37 deletions(-) + +diff --git a/extensions/libxt_TPROXY.c b/extensions/libxt_TPROXY.c +index cd0b50a..74d122c 100644 +--- a/extensions/libxt_TPROXY.c ++++ b/extensions/libxt_TPROXY.c +@@ -1,7 +1,7 @@ + /* + * Shared library add-on to iptables to add TPROXY target support. + * +- * Copyright (C) 2002-2008 BalaBit IT Ltd. ++ * Copyright (C) 2002-2009 BalaBit IT Ltd. 
+ */ + #include <getopt.h> + #include <stdbool.h> +@@ -15,8 +15,8 @@ + #include <linux/netfilter/xt_TPROXY.h> + + static const struct option tproxy_tg_opts[] = { +- {.name = "on-port", .has_arg = true, .val = '1'}, +- {.name = "on-ip", .has_arg = true, .val = '2'}, ++ {.name = "on-port", .has_arg = true, .val = '1'}, ++ {.name = "on-ip", .has_arg = true, .val = '2'}, + {.name = "tproxy-mark", .has_arg = true, .val = '3'}, + XT_GETOPT_TABLEEND, + }; +@@ -36,44 +36,64 @@ static void tproxy_tg_help(void) + " --tproxy-mark value[/mask] Mark packets with the given value/mask\n\n"); + } + +-static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info) ++static void parse_tproxy_lport(const char *s, unsigned short *lport) + { +- unsigned int lport; ++ unsigned int value; + +- if (xtables_strtoui(s, NULL, &lport, 0, UINT16_MAX)) +- info->lport = htons(lport); ++ if (xtables_strtoui(s, NULL, &value, 0, UINT16_MAX)) ++ *lport = htons(value); + else + xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-port", s); + } + +-static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info) ++static void parse_tproxy_laddr_v0(const char *s, __be32 *laddr) + { +- struct in_addr *laddr; ++ struct in_addr *ina; + +- if ((laddr = xtables_numeric_to_ipaddr(s)) == NULL) ++ if ((ina = xtables_numeric_to_ipaddr(s)) == NULL) + xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s); + +- info->laddr = laddr->s_addr; ++ *laddr = ina->s_addr; + } + +-static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info) ++static void parse_tproxy_laddr(const char *s, int family, union nf_inet_addr *laddr) ++{ ++ ++ if (family == NFPROTO_IPV6) { ++ struct in6_addr *addr6; ++ ++ if ((addr6 = xtables_numeric_to_ip6addr(s))) { ++ laddr->in6 = *addr6; ++ } else { ++ xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s); ++ } ++ } else { ++ struct in_addr *addr; ++ ++ if ((addr = xtables_numeric_to_ipaddr(s))) { ++ laddr->in = *addr; ++ } else { ++ 
xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s); ++ } ++ ++ } ++} ++ ++static void parse_tproxy_mark(char *s, unsigned int *value, unsigned int *mask) + { +- unsigned int value, mask = UINT32_MAX; + char *end; + +- if (!xtables_strtoui(s, &end, &value, 0, UINT32_MAX)) ++ *mask = UINT32_MAX; ++ if (!xtables_strtoui(s, &end, value, 0, UINT32_MAX)) + xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s); + if (*end == '/') +- if (!xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX)) ++ if (!xtables_strtoui(end + 1, &end, mask, 0, UINT32_MAX)) + xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s); + if (*end != '\0') + xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s); +- +- info->mark_mask = mask; +- info->mark_value = value; + } + +-static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags, ++static int tproxy_tg_parse_v0(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) + { + struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data; +@@ -82,19 +102,19 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags, + case '1': + xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT); + xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert); +- parse_tproxy_lport(optarg, tproxyinfo); ++ parse_tproxy_lport(optarg, &tproxyinfo->lport); + *flags |= PARAM_ONPORT; + return 1; + case '2': + xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP); + xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert); +- parse_tproxy_laddr(optarg, tproxyinfo); ++ parse_tproxy_laddr_v0(optarg, &tproxyinfo->laddr); + *flags |= PARAM_ONIP; + return 1; + case '3': + xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK); + xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert); +- parse_tproxy_mark(optarg, tproxyinfo); ++ parse_tproxy_mark(optarg, 
&tproxyinfo->mark_value, &tproxyinfo->mark_mask); + *flags |= PARAM_MARK; + return 1; + } +@@ -102,6 +122,47 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags, + return 0; + } + ++static int tproxy_tg_parse_v1(int family, int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) ++{ ++ struct xt_tproxy_target_info_v1 *tproxyinfo = (void *)(*target)->data; ++ ++ switch (c) { ++ case '1': ++ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT); ++ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert); ++ parse_tproxy_lport(optarg, &tproxyinfo->lport); ++ *flags |= PARAM_ONPORT; ++ return 1; ++ case '2': ++ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP); ++ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert); ++ parse_tproxy_laddr(optarg, family, &tproxyinfo->laddr); ++ *flags |= PARAM_ONIP; ++ return 1; ++ case '3': ++ xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK); ++ xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert); ++ parse_tproxy_mark(optarg, &tproxyinfo->mark_value, &tproxyinfo->mark_mask); ++ *flags |= PARAM_MARK; ++ return 1; ++ } ++ ++ return 0; ++} ++ ++static int tproxy_tg_parse4_v1(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) ++{ ++ return tproxy_tg_parse_v1(NFPROTO_IPV4, c, argv, invert, flags, entry, target); ++} ++ ++static int tproxy_tg_parse6_v1(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) ++{ ++ return tproxy_tg_parse_v1(NFPROTO_IPV6, c, argv, invert, flags, entry, target); ++} ++ + static void tproxy_tg_check(unsigned int flags) + { + if (!(flags & PARAM_ONPORT)) +@@ -109,7 +170,7 @@ static void tproxy_tg_check(unsigned int flags) + "TPROXY target: Parameter --on-port is required"); + } + +-static void 
tproxy_tg_print(const void *ip, const struct xt_entry_target *target, ++static void tproxy_tg_print_v0(const void *ip, const struct xt_entry_target *target, + int numeric) + { + const struct xt_tproxy_target_info *info = (const void *)target->data; +@@ -119,7 +180,31 @@ static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target + (unsigned int)info->mark_mask); + } + +-static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target) ++static void tproxy_tg_print_v1(int family, const void *ip, const struct xt_entry_target *target, ++ int numeric) ++{ ++ const struct xt_tproxy_target_info_v1 *info = (const void *)target->data; ++ printf("TPROXY redirect %s:%u mark 0x%x/0x%x", ++ family == AF_INET ++ ? xtables_ipaddr_to_numeric(&info->laddr.in) ++ : xtables_ip6addr_to_numeric(&info->laddr.in6), ++ ntohs(info->lport), (unsigned int)info->mark_value, ++ (unsigned int)info->mark_mask); ++} ++ ++static void tproxy_tg_print4_v1(const void *ip, const struct xt_entry_target *target, ++ int numeric) ++{ ++ return tproxy_tg_print_v1(NFPROTO_IPV4, ip, target, numeric); ++} ++ ++static void tproxy_tg_print6_v1(const void *ip, const struct xt_entry_target *target, ++ int numeric) ++{ ++ return tproxy_tg_print_v1(NFPROTO_IPV6, ip, target, numeric); ++} ++ ++static void tproxy_tg_save_v0(const void *ip, const struct xt_entry_target *target) + { + const struct xt_tproxy_target_info *info = (const void *)target->data; + +@@ -130,21 +215,75 @@ static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target) + (unsigned int)info->mark_value, (unsigned int)info->mark_mask); + } + +-static struct xtables_target tproxy_tg_reg = { +- .name = "TPROXY", +- .family = NFPROTO_IPV4, +- .version = XTABLES_VERSION, +- .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), +- .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), +- .help = tproxy_tg_help, +- .parse = tproxy_tg_parse, +- .final_check = tproxy_tg_check, +- .print = 
tproxy_tg_print, +- .save = tproxy_tg_save, +- .extra_opts = tproxy_tg_opts, ++static void tproxy_tg_save_v1(int family, const void *ip, const struct xt_entry_target *target) ++{ ++ const struct xt_tproxy_target_info_v1 *info = (const void *)target->data; ++ ++ printf("--on-port %u ", ntohs(info->lport)); ++ printf("--on-ip %s ", ++ family == AF_INET ++ ? xtables_ipaddr_to_numeric(&info->laddr.in) ++ : xtables_ip6addr_to_numeric(&info->laddr.in6)); ++ printf("--tproxy-mark 0x%x/0x%x ", ++ (unsigned int)info->mark_value, (unsigned int)info->mark_mask); ++} ++ ++static void tproxy_tg_save4_v1(const void *ip, const struct xt_entry_target *target) ++{ ++ return tproxy_tg_save_v1(NFPROTO_IPV4, ip, target); ++} ++ ++static void tproxy_tg_save6_v1(const void *ip, const struct xt_entry_target *target) ++{ ++ return tproxy_tg_save_v1(NFPROTO_IPV6, ip, target); ++} ++ ++ ++static struct xtables_target tproxy_tg_reg[] = { ++ { ++ .name = "TPROXY", ++ .family = NFPROTO_IPV4, ++ .version = XTABLES_VERSION, ++ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)), ++ .help = tproxy_tg_help, ++ .parse = tproxy_tg_parse_v0, ++ .final_check = tproxy_tg_check, ++ .print = tproxy_tg_print_v0, ++ .save = tproxy_tg_save_v0, ++ .extra_opts = tproxy_tg_opts, ++ }, ++ { ++ .name = "TPROXY", ++ .family = NFPROTO_IPV4, ++ .version = XTABLES_VERSION, ++ .revision = 1, ++ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), ++ .help = tproxy_tg_help, ++ .parse = tproxy_tg_parse4_v1, ++ .final_check = tproxy_tg_check, ++ .print = tproxy_tg_print4_v1, ++ .save = tproxy_tg_save4_v1, ++ .extra_opts = tproxy_tg_opts, ++ }, ++ { ++ .name = "TPROXY", ++ .family = NFPROTO_IPV6, ++ .version = XTABLES_VERSION, ++ .revision = 1, ++ .size = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)), 
++ .help = tproxy_tg_help, ++ .parse = tproxy_tg_parse6_v1, ++ .final_check = tproxy_tg_check, ++ .print = tproxy_tg_print6_v1, ++ .save = tproxy_tg_save6_v1, ++ .extra_opts = tproxy_tg_opts, ++ }, + }; + + void _init(void) + { +- xtables_register_target(&tproxy_tg_reg); ++ xtables_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg)); + } +diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h +index 152e8f9..28ff0e8 100644 +--- a/include/linux/netfilter/xt_TPROXY.h ++++ b/include/linux/netfilter/xt_TPROXY.h +@@ -11,4 +11,11 @@ struct xt_tproxy_target_info { + __be16 lport; + }; + ++struct xt_tproxy_target_info_v1 { ++ u_int32_t mark_mask; ++ u_int32_t mark_value; ++ union nf_inet_addr laddr; ++ __be16 lport; ++}; ++ + #endif /* _XT_TPROXY_H_target */ + + + ================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/iptables/iptables.spec?r1=1.296&r2=1.297&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
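Review bot: socket_mt_parse_v1 in the new extensions/libxt_socket.c never looks at its `invert` argument, so a rule written as `! --transparent` is accepted and loads with the same semantics as `--transparent` unless the iptables core rejects the negation before calling parse, which is not what the rule author asked for. The TPROXY parsers in the same patch guard every option with XTF_NO_INVERT; adding `xtables_param_act(XTF_NO_INVERT, "socket", "--transparent", invert);` at the top of `case '1':` makes the two extensions consistent and turns a silently dropped negation into a load-time error. Separately, tproxy_tg_print_v1 and tproxy_tg_save_v1 test `family == AF_INET` while their wrappers pass NFPROTO_IPV4 and NFPROTO_IPV6, which only works because the constants happen to share values; comparing against `NFPROTO_IPV4` would match the parameter's actual domain, and the `return` of a void call in tproxy_tg_print4_v1/print6_v1/save4_v1/save6_v1 is rejected by strict ISO C. The new include/linux/netfilter/xt_socket.h uses `__u8` without including <linux/types.h>, so it appears to compile only because libxt_socket.c includes xtables.h first.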
