1 /*
2 * Shared library add-on to iptables to add CONNSECMARK target support.
3 *
4 * Based on the MARK and CONNMARK targets.
5 *
6 * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
7 */
8 #include <stdio.h>
9 #include <xtables.h>
10 #include <linux/netfilter/xt_CONNSECMARK.h>
11
12 #define PFX "CONNSECMARK target: "
13
/*
 * Option ids (O_*) index CONNSECMARK_opts[] and are what x6_parse sees in
 * cb->entry->id.  The F_* values are the matching single-bit flags that the
 * option table's .excl masks and CONNSECMARK_check's xflags test use, so
 * each option can be told apart with a bit test.
 */
enum {
	O_SAVE = 0,
	O_RESTORE = 1,
	F_SAVE = 1 << O_SAVE,       /* 0x1: --save was given */
	F_RESTORE = 1 << O_RESTORE, /* 0x2: --restore was given */
};
20
/*
 * .help callback: print the option summary for the CONNSECMARK target.
 * The text is a single literal so it is emitted in one write.
 */
static void CONNSECMARK_help(void)
{
	static const char usage[] =
		"CONNSECMARK target options:\n"
		"  --save                 Copy security mark from packet to conntrack\n"
		"  --restore              Copy security mark from connection to packet\n";

	fputs(usage, stdout);
}
28
/*
 * Option table.  Neither option takes an argument (XTTYPE_NONE).  Each
 * entry's .excl mask names the other option's flag bit, i.e. --save and
 * --restore are declared mutually exclusive; the "at least one" side of
 * that rule is enforced separately in CONNSECMARK_check.
 */
static const struct xt_option_entry CONNSECMARK_opts[] = {
	{
		.id   = O_SAVE,
		.name = "save",
		.type = XTTYPE_NONE,
		.excl = F_RESTORE,
	},
	{
		.id   = O_RESTORE,
		.name = "restore",
		.type = XTTYPE_NONE,
		.excl = F_SAVE,
	},
	XTOPT_TABLEEND,
};
35
/*
 * x6_parse callback: translate the option that was just matched into the
 * kernel-facing info->mode.  xtables_option_parse() is given the call
 * first so the library side of option handling runs before we look at the
 * id.  Only the two ids from CONNSECMARK_opts[] are expected; anything
 * else leaves info->mode as it was.
 */
static void CONNSECMARK_parse(struct xt_option_call *cb)
{
	struct xt_connsecmark_target_info *info = cb->data;

	xtables_option_parse(cb);

	if (cb->entry->id == O_SAVE)
		info->mode = CONNSECMARK_SAVE;
	else if (cb->entry->id == O_RESTORE)
		info->mode = CONNSECMARK_RESTORE;
}
50
/*
 * x6_fcheck callback (final check for the rule): xflags is the set of
 * F_* bits for the options seen.  An empty set means neither --save nor
 * --restore was given, and CONNSECMARK_parse only ever sets info->mode
 * for those two, so the rule is rejected rather than sent down with an
 * unset mode.
 */
static void CONNSECMARK_check(struct xt_fcheck_call *cb)
{
	if (!cb->xflags)
		xtables_error(PARAMETER_PROBLEM, PFX "parameter required");
}
56
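/*
 * Print the textual name of info->mode ("save" or "restore") with no
 * surrounding whitespace; the callers (CONNSECMARK_print / CONNSECMARK_save)
 * add their own " CONNSECMARK " or " --" prefix.  A mode outside the two
 * known values is reported through xtables_error(), which is expected not
 * to return, so nothing is printed for it.
 *
 * Fix: the error message no longer ends in "\n".  The other xtables_error()
 * call in this file (CONNSECMARK_check) passes no newline, and
 * xtables_error() terminates the line itself, so the old trailing "\n"
 * produced an extra blank line on stderr.
 */
static void print_connsecmark(const struct xt_connsecmark_target_info *info)
{
	const char *name;

	switch (info->mode) {
	case CONNSECMARK_SAVE:
		name = "save";
		break;
	case CONNSECMARK_RESTORE:
		name = "restore";
		break;
	default:
		/* Unknown mode value: abort rather than print a guess. */
		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu", info->mode);
		return;
	}

	printf("%s", name);
}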
72
/*
 * .print callback: listing form, " CONNSECMARK save" / " CONNSECMARK restore".
 * ip and numeric are unused: the target has no addresses or numbers to
 * format, only the mode word.
 */
static void
CONNSECMARK_print(const void *ip, const struct xt_entry_target *target,
		  int numeric)
{
	const struct xt_connsecmark_target_info *info =
		(const struct xt_connsecmark_target_info *)target->data;

	(void)ip;
	(void)numeric;

	fputs(" CONNSECMARK ", stdout);
	print_connsecmark(info);
}
83
/*
 * .save callback: rule-file form, " --save" / " --restore", i.e. the exact
 * option CONNSECMARK_parse accepts, so the output can be fed back in.
 * ip is unused.
 */
static void
CONNSECMARK_save(const void *ip, const struct xt_entry_target *target)
{
	const struct xt_connsecmark_target_info *info =
		(const struct xt_connsecmark_target_info *)target->data;

	(void)ip;

	fputs(" --", stdout);
	print_connsecmark(info);
}
93
/*
 * Target descriptor handed to libxtables.  Family is NFPROTO_UNSPEC so the
 * same extension serves every protocol family; revision 0 with the full
 * xt_connsecmark_target_info as both kernel size and userspace size (the
 * whole struct is compared/copied, there is no kernel-private tail).
 */
static struct xtables_target connsecmark_target = {
	/* identity */
	.name          = "CONNSECMARK",
	.family        = NFPROTO_UNSPEC,
	.version       = XTABLES_VERSION,
	.revision      = 0,
	/* payload layout */
	.size          = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
	.userspacesize = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
	/* option handling (x6_* API) */
	.x6_options    = CONNSECMARK_opts,
	.x6_parse      = CONNSECMARK_parse,
	.x6_fcheck     = CONNSECMARK_check,
	/* output */
	.help          = CONNSECMARK_help,
	.print         = CONNSECMARK_print,
	.save          = CONNSECMARK_save,
};
108
/*
 * Entry point run when the extension shared object is loaded; its only job
 * is to register connsecmark_target with libxtables.  The name `_init` is
 * dictated by the loader convention, not chosen here.
 */
void _init(void)
{
	xtables_register_target(&connsecmark_target);
}
113