1 #include <stdio.h>
2 #include <xtables.h>
3 #include <linux/netfilter/xt_rpfilter.h>
4
/*
 * Option ids for the rpfilter match.  They double as indices into
 * rpfilter_opts, so the order here and in that table must agree.
 */
enum {
	O_RPF_LOOSE,		/* --loose        (0) */
	O_RPF_VMARK,		/* --validmark    (1) */
	O_RPF_ACCEPT_LOCAL,	/* --accept-local (2) */
	O_RPF_INVERT,		/* --invert       (3) */
};
11
/* .help callback: print the usage text, one line per entry in rpfilter_opts. */
static void rpfilter_help(void)
{
	static const char usage[] =
		"rpfilter match options:\n"
		" --loose permit reverse path via any interface\n"
		" --validmark use skb nfmark when performing route lookup\n"
		" --accept-local do not reject packets with a local source address\n"
		" --invert match packets that failed the reverse path test\n";

	/* Plain text with no conversion specifiers, so fputs is equivalent to printf. */
	fputs(usage, stdout);
}
22
/*
 * Command-line options of the match.  All are flags (XTTYPE_NONE, no
 * argument).  Entry order must match the O_RPF_* enum because
 * rpfilter_print_prefix() indexes this table by option id to recover
 * the option name.
 */
static const struct xt_option_entry rpfilter_opts[] = {
	{.name = "loose", .id = O_RPF_LOOSE, .type = XTTYPE_NONE, },
	{.name = "validmark", .id = O_RPF_VMARK, .type = XTTYPE_NONE, },
	{.name = "accept-local", .id = O_RPF_ACCEPT_LOCAL, .type = XTTYPE_NONE, },
	{.name = "invert", .id = O_RPF_INVERT, .type = XTTYPE_NONE, },
	XTOPT_TABLEEND,
};
30
/*
 * .x6_parse callback: record the option that was just parsed.
 *
 * cb->data points at the kernel-facing struct xt_rpfilter_info.  The
 * option id (an O_RPF_* value) is mapped to its XT_RPFILTER_* bit and
 * OR-ed into info->flags; an id outside the table leaves flags untouched.
 */
static void rpfilter_parse(struct xt_option_call *cb)
{
	static const unsigned int id_to_flag[] = {
		[O_RPF_LOOSE]        = XT_RPFILTER_LOOSE,
		[O_RPF_VMARK]        = XT_RPFILTER_VALID_MARK,
		[O_RPF_ACCEPT_LOCAL] = XT_RPFILTER_ACCEPT_LOCAL,
		[O_RPF_INVERT]       = XT_RPFILTER_INVERT,
	};
	struct xt_rpfilter_info *info = cb->data;
	unsigned int id;

	xtables_option_parse(cb);

	id = cb->entry->id;
	if (id < sizeof(id_to_flag) / sizeof(id_to_flag[0]))
		info->flags |= id_to_flag[id];
}
51
/*
 * Print every set flag as its option name, each preceded by a space and
 * "prefix" ("" for rule listing, "--" for save output).  Names are read
 * from rpfilter_opts, indexed by option id, and emitted in O_RPF_* order.
 * "ip" is unused.
 */
static void
rpfilter_print_prefix(const void *ip, const void *matchinfo,
		      const char *prefix)
{
	static const struct {
		unsigned int flag;	/* XT_RPFILTER_* bit */
		unsigned int opt;	/* matching O_RPF_* id */
	} table[] = {
		{ XT_RPFILTER_LOOSE,        O_RPF_LOOSE },
		{ XT_RPFILTER_VALID_MARK,   O_RPF_VMARK },
		{ XT_RPFILTER_ACCEPT_LOCAL, O_RPF_ACCEPT_LOCAL },
		{ XT_RPFILTER_INVERT,       O_RPF_INVERT },
	};
	const struct xt_rpfilter_info *info = matchinfo;
	size_t i;

	for (i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
		if (info->flags & table[i].flag)
			printf(" %s%s", prefix, rpfilter_opts[table[i].opt].name);
	}
}
66
67
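/*
 * .print callback for rule listing: emits " rpfilter" followed by the
 * set options without a "--" prefix.  "ip" and "numeric" are unused.
 *
 * The former `return rpfilter_print_prefix(...)` is dropped: a return
 * statement with an expression is a constraint violation in a void
 * function (C11 6.8.6.4), even when the expression itself is void.
 */
static void
rpfilter_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
	printf(" rpfilter");
	rpfilter_print_prefix(ip, match->data, "");
}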
74
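/*
 * .save callback for iptables-save: emits the set options with a "--"
 * prefix so the line can be re-parsed.  "ip" is unused.
 *
 * The former `return rpfilter_print_prefix(...)` is dropped: a return
 * statement with an expression is a constraint violation in a void
 * function (C11 6.8.6.4), even when the expression itself is void.
 */
static void rpfilter_save(const void *ip, const struct xt_entry_match *match)
{
	rpfilter_print_prefix(ip, match->data, "--");
}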
79
/*
 * .xlate callback: translate the match into an nft "fib" expression.
 *
 * Returns 1 with the expression appended to xl, or 0 when no translation
 * is produced: --accept-local without --invert is not expressed here, so
 * the caller is told that no equivalent was emitted.
 */
static int rpfilter_xlate(struct xt_xlate *xl,
			  const struct xt_xlate_mt_params *params)
{
	const struct xt_rpfilter_info *info = (void *)params->match->data;
	const unsigned int flags = info->flags;
	const bool inverted = (flags & XT_RPFILTER_INVERT) != 0;

	if (flags & XT_RPFILTER_ACCEPT_LOCAL) {
		if (!inverted)
			return 0;
		xt_xlate_add(xl, "fib saddr type != local ");
	}

	/* Route lookup keyed on the source address, plus the optional extra keys. */
	xt_xlate_add(xl, "fib saddr ");
	if (flags & XT_RPFILTER_VALID_MARK)
		xt_xlate_add(xl, ". mark ");
	if (!(flags & XT_RPFILTER_LOOSE))
		xt_xlate_add(xl, ". iif ");

	/* Non-inverted: match when a route exists (oif != 0); inverted: oif 0. */
	xt_xlate_add(xl, "oif %s0", inverted ? "" : "!= ");

	return 1;
}
104
/*
 * Match registration record.  NFPROTO_UNSPEC: the same extension serves
 * iptables and ip6tables.  .size and .userspacesize are equal, so the
 * whole xt_rpfilter_info is compared when rules are matched against each
 * other (there is no kernel-private tail).
 */
static struct xtables_match rpfilter_match = {
	.family = NFPROTO_UNSPEC,
	.name = "rpfilter",
	.version = XTABLES_VERSION,
	.size = XT_ALIGN(sizeof(struct xt_rpfilter_info)),
	.userspacesize = XT_ALIGN(sizeof(struct xt_rpfilter_info)),
	.help = rpfilter_help,
	.print = rpfilter_print,
	.save = rpfilter_save,
	.x6_parse = rpfilter_parse,
	.x6_options = rpfilter_opts,
	.xlate = rpfilter_xlate,
};
118
/* Extension entry point: make the "rpfilter" match known to libxtables. */
void _init(void)
{
	struct xtables_match *match = &rpfilter_match;

	xtables_register_match(match);
}
123