1 #include <stdio.h>
2 #include <xtables.h>
3 #include <linux/netfilter/xt_rpfilter.h>
4
5 enum {
6 O_RPF_LOOSE = 0,
7 O_RPF_VMARK = 1,
8 O_RPF_ACCEPT_LOCAL = 2,
9 O_RPF_INVERT = 3,
10 };
11
rpfilter_help(void)12 static void rpfilter_help(void)
13 {
14 printf(
15 "rpfilter match options:\n"
16 " --loose permit reverse path via any interface\n"
17 " --validmark use skb nfmark when performing route lookup\n"
18 " --accept-local do not reject packets with a local source address\n"
19 " --invert match packets that failed the reverse path test\n"
20 );
21 }
22
23 static const struct xt_option_entry rpfilter_opts[] = {
24 {.name = "loose", .id = O_RPF_LOOSE, .type = XTTYPE_NONE, },
25 {.name = "validmark", .id = O_RPF_VMARK, .type = XTTYPE_NONE, },
26 {.name = "accept-local", .id = O_RPF_ACCEPT_LOCAL, .type = XTTYPE_NONE, },
27 {.name = "invert", .id = O_RPF_INVERT, .type = XTTYPE_NONE, },
28 XTOPT_TABLEEND,
29 };
30
rpfilter_parse(struct xt_option_call * cb)31 static void rpfilter_parse(struct xt_option_call *cb)
32 {
33 struct xt_rpfilter_info *rpfinfo = cb->data;
34
35 xtables_option_parse(cb);
36 switch (cb->entry->id) {
37 case O_RPF_LOOSE:
38 rpfinfo->flags |= XT_RPFILTER_LOOSE;
39 break;
40 case O_RPF_VMARK:
41 rpfinfo->flags |= XT_RPFILTER_VALID_MARK;
42 break;
43 case O_RPF_ACCEPT_LOCAL:
44 rpfinfo->flags |= XT_RPFILTER_ACCEPT_LOCAL;
45 break;
46 case O_RPF_INVERT:
47 rpfinfo->flags |= XT_RPFILTER_INVERT;
48 break;
49 }
50 }
51
52 static void
rpfilter_print_prefix(const void * ip,const void * matchinfo,const char * prefix)53 rpfilter_print_prefix(const void *ip, const void *matchinfo,
54 const char *prefix)
55 {
56 const struct xt_rpfilter_info *info = matchinfo;
57 if (info->flags & XT_RPFILTER_LOOSE)
58 printf(" %s%s", prefix, rpfilter_opts[O_RPF_LOOSE].name);
59 if (info->flags & XT_RPFILTER_VALID_MARK)
60 printf(" %s%s", prefix, rpfilter_opts[O_RPF_VMARK].name);
61 if (info->flags & XT_RPFILTER_ACCEPT_LOCAL)
62 printf(" %s%s", prefix, rpfilter_opts[O_RPF_ACCEPT_LOCAL].name);
63 if (info->flags & XT_RPFILTER_INVERT)
64 printf(" %s%s", prefix, rpfilter_opts[O_RPF_INVERT].name);
65 }
66
67
68 static void
rpfilter_print(const void * ip,const struct xt_entry_match * match,int numeric)69 rpfilter_print(const void *ip, const struct xt_entry_match *match, int numeric)
70 {
71 printf(" rpfilter");
72 return rpfilter_print_prefix(ip, match->data, "");
73 }
74
rpfilter_save(const void * ip,const struct xt_entry_match * match)75 static void rpfilter_save(const void *ip, const struct xt_entry_match *match)
76 {
77 return rpfilter_print_prefix(ip, match->data, "--");
78 }
79
80 static struct xtables_match rpfilter_match = {
81 .family = NFPROTO_UNSPEC,
82 .name = "rpfilter",
83 .version = XTABLES_VERSION,
84 .size = XT_ALIGN(sizeof(struct xt_rpfilter_info)),
85 .userspacesize = XT_ALIGN(sizeof(struct xt_rpfilter_info)),
86 .help = rpfilter_help,
87 .print = rpfilter_print,
88 .save = rpfilter_save,
89 .x6_parse = rpfilter_parse,
90 .x6_options = rpfilter_opts,
91 };
92
_init(void)93 void _init(void)
94 {
95 xtables_register_match(&rpfilter_match);
96 }
97