libxt_CONNSECMARK.c revision 932e648f38ac16b1ea14c1f66f23951388448c5a 
1/*
2 * Shared library add-on to iptables to add CONNSECMARK target support.
3 *
4 * Based on the MARK and CONNMARK targets.
5 *
6 * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
7 */
8#include <stdio.h>
9#include <string.h>
10#include <stdlib.h>
11#include <getopt.h>
12#include <xtables.h>
13#include <linux/netfilter/xt_CONNSECMARK.h>
14
15#define PFX "CONNSECMARK target: "
16
17static void CONNSECMARK_help(void)
18{
19	printf(
20"CONNSECMARK target v%s options:\n"
21"  --save                   Copy security mark from packet to conntrack\n"
22"  --restore                Copy security mark from connection to packet\n"
23"\n",
24IPTABLES_VERSION);
25}
26
27static const struct option CONNSECMARK_opts[] = {
28	{ "save", 0, 0, '1' },
29	{ "restore", 0, 0, '2' },
30	{ 0 }
31};
32
33static int
34CONNSECMARK_parse(int c, char **argv, int invert, unsigned int *flags,
35                  const void *entry, struct xt_entry_target **target)
36{
37	struct xt_connsecmark_target_info *info =
38		(struct xt_connsecmark_target_info*)(*target)->data;
39
40	switch (c) {
41	case '1':
42		if (*flags & CONNSECMARK_SAVE)
43			exit_error(PARAMETER_PROBLEM, PFX
44				   "Can't specify --save twice");
45		info->mode = CONNSECMARK_SAVE;
46		*flags |= CONNSECMARK_SAVE;
47		break;
48
49	case '2':
50		if (*flags & CONNSECMARK_RESTORE)
51			exit_error(PARAMETER_PROBLEM, PFX
52				   "Can't specify --restore twice");
53		info->mode = CONNSECMARK_RESTORE;
54		*flags |= CONNSECMARK_RESTORE;
55		break;
56
57	default:
58		return 0;
59	}
60
61	return 1;
62}
63
64static void CONNSECMARK_check(unsigned int flags)
65{
66	if (!flags)
67		exit_error(PARAMETER_PROBLEM, PFX "parameter required");
68
69	if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE))
70		exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save "
71		           "or --restore is allowed");
72}
73
74static void print_connsecmark(struct xt_connsecmark_target_info *info)
75{
76	switch (info->mode) {
77	case CONNSECMARK_SAVE:
78		printf("save ");
79		break;
80
81	case CONNSECMARK_RESTORE:
82		printf("restore ");
83		break;
84
85	default:
86		exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
87	}
88}
89
90static void
91CONNSECMARK_print(const void *ip, const struct xt_entry_target *target,
92                  int numeric)
93{
94	struct xt_connsecmark_target_info *info =
95		(struct xt_connsecmark_target_info*)(target)->data;
96
97	printf("CONNSECMARK ");
98	print_connsecmark(info);
99}
100
101static void
102CONNSECMARK_save(const void *ip, const struct xt_entry_target *target)
103{
104	struct xt_connsecmark_target_info *info =
105		(struct xt_connsecmark_target_info*)target->data;
106
107	printf("--");
108	print_connsecmark(info);
109}
110
111static struct xtables_target connsecmark_target = {
112	.family		= AF_INET,
113	.name		= "CONNSECMARK",
114	.version	= IPTABLES_VERSION,
115	.revision	= 0,
116	.size		= XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
117	.userspacesize	= XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
118	.parse		= CONNSECMARK_parse,
119	.help		= CONNSECMARK_help,
120	.final_check	= CONNSECMARK_check,
121	.print		= CONNSECMARK_print,
122	.save		= CONNSECMARK_save,
123	.extra_opts	= CONNSECMARK_opts,
124};
125
126static struct xtables_target connsecmark_target6 = {
127	.family		= AF_INET6,
128	.name		= "CONNSECMARK",
129	.version	= IPTABLES_VERSION,
130	.revision	= 0,
131	.size		= XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
132	.userspacesize	= XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
133	.parse		= CONNSECMARK_parse,
134	.help		= CONNSECMARK_help,
135	.final_check	= CONNSECMARK_check,
136	.print		= CONNSECMARK_print,
137	.save		= CONNSECMARK_save,
138	.extra_opts	= CONNSECMARK_opts,
139};
140
141void _init(void)
142{
143	xtables_register_target(&connsecmark_target);
144	xtables_register_target(&connsecmark_target6);
145}
146