libxt_CONNSECMARK.c revision 932e648f38ac16b1ea14c1f66f23951388448c5a
1/* 2 * Shared library add-on to iptables to add CONNSECMARK target support. 3 * 4 * Based on the MARK and CONNMARK targets. 5 * 6 * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com> 7 */ 8#include <stdio.h> 9#include <string.h> 10#include <stdlib.h> 11#include <getopt.h> 12#include <xtables.h> 13#include <linux/netfilter/xt_CONNSECMARK.h> 14 15#define PFX "CONNSECMARK target: " 16 17static void CONNSECMARK_help(void) 18{ 19 printf( 20"CONNSECMARK target v%s options:\n" 21" --save Copy security mark from packet to conntrack\n" 22" --restore Copy security mark from connection to packet\n" 23"\n", 24IPTABLES_VERSION); 25} 26 27static const struct option CONNSECMARK_opts[] = { 28 { "save", 0, 0, '1' }, 29 { "restore", 0, 0, '2' }, 30 { 0 } 31}; 32 33static int 34CONNSECMARK_parse(int c, char **argv, int invert, unsigned int *flags, 35 const void *entry, struct xt_entry_target **target) 36{ 37 struct xt_connsecmark_target_info *info = 38 (struct xt_connsecmark_target_info*)(*target)->data; 39 40 switch (c) { 41 case '1': 42 if (*flags & CONNSECMARK_SAVE) 43 exit_error(PARAMETER_PROBLEM, PFX 44 "Can't specify --save twice"); 45 info->mode = CONNSECMARK_SAVE; 46 *flags |= CONNSECMARK_SAVE; 47 break; 48 49 case '2': 50 if (*flags & CONNSECMARK_RESTORE) 51 exit_error(PARAMETER_PROBLEM, PFX 52 "Can't specify --restore twice"); 53 info->mode = CONNSECMARK_RESTORE; 54 *flags |= CONNSECMARK_RESTORE; 55 break; 56 57 default: 58 return 0; 59 } 60 61 return 1; 62} 63 64static void CONNSECMARK_check(unsigned int flags) 65{ 66 if (!flags) 67 exit_error(PARAMETER_PROBLEM, PFX "parameter required"); 68 69 if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE)) 70 exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save " 71 "or --restore is allowed"); 72} 73 74static void print_connsecmark(struct xt_connsecmark_target_info *info) 75{ 76 switch (info->mode) { 77 case CONNSECMARK_SAVE: 78 printf("save "); 79 break; 80 81 case CONNSECMARK_RESTORE: 82 printf("restore "); 83 break; 84 85 default: 86 exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode); 87 } 88} 89 90static void 91CONNSECMARK_print(const void *ip, const struct xt_entry_target *target, 92 int numeric) 93{ 94 struct xt_connsecmark_target_info *info = 95 (struct xt_connsecmark_target_info*)(target)->data; 96 97 printf("CONNSECMARK "); 98 print_connsecmark(info); 99} 100 101static void 102CONNSECMARK_save(const void *ip, const struct xt_entry_target *target) 103{ 104 struct xt_connsecmark_target_info *info = 105 (struct xt_connsecmark_target_info*)target->data; 106 107 printf("--"); 108 print_connsecmark(info); 109} 110 111static struct xtables_target connsecmark_target = { 112 .family = AF_INET, 113 .name = "CONNSECMARK", 114 .version = IPTABLES_VERSION, 115 .revision = 0, 116 .size = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)), 117 .userspacesize = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)), 118 .parse = CONNSECMARK_parse, 119 .help = CONNSECMARK_help, 120 .final_check = CONNSECMARK_check, 121 .print = CONNSECMARK_print, 122 .save = CONNSECMARK_save, 123 .extra_opts = CONNSECMARK_opts, 124}; 125 126static struct xtables_target connsecmark_target6 = { 127 .family = AF_INET6, 128 .name = "CONNSECMARK", 129 .version = IPTABLES_VERSION, 130 .revision = 0, 131 .size = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)), 132 .userspacesize = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)), 133 .parse = CONNSECMARK_parse, 134 .help = CONNSECMARK_help, 135 .final_check = CONNSECMARK_check, 136 .print = CONNSECMARK_print, 137 .save = CONNSECMARK_save, 138 .extra_opts = CONNSECMARK_opts, 139}; 140 141void _init(void) 142{ 143 xtables_register_target(&connsecmark_target); 144 xtables_register_target(&connsecmark_target6); 145} 146