#include <stdio.h>
#include <xtables.h>
#include <linux/netfilter/xt_physdev.h>

/*
 * Option identifiers for this match. Each value is the .id of one entry in
 * physdev_opts and the selector physdev_parse() switches on; the numbering
 * is explicit so the two stay in step if entries are added.
 */
enum {
	O_PHYSDEV_IN = 0,		/* --physdev-in <name>[+]  */
	O_PHYSDEV_OUT = 1,		/* --physdev-out <name>[+] */
	O_PHYSDEV_IS_IN = 2,		/* --physdev-is-in         */
	O_PHYSDEV_IS_OUT = 3,		/* --physdev-is-out        */
	O_PHYSDEV_IS_BRIDGED = 4,	/* --physdev-is-bridged    */
};

/*
 * Print the usage text for the physdev match to stdout.
 *
 * The text is a plain literal with no conversion specifications, so it is
 * written with fputs() rather than handed to printf() as a format string.
 */
static void physdev_help(void)
{
	static const char help_text[] =
"physdev match options:\n"
" [!] --physdev-in inputname[+]		bridge port name ([+] for wildcard)\n"
" [!] --physdev-out outputname[+]	bridge port name ([+] for wildcard)\n"
" [!] --physdev-is-in			arrived on a bridge device\n"
" [!] --physdev-is-out			will leave on a bridge device\n"
" [!] --physdev-is-bridged		it's a bridged packet\n";

	fputs(help_text, stdout);
}

/*
 * Command-line option table for the physdev match.
 *
 * Every option accepts the "!" prefix (XTOPT_INVERT). The two interface
 * options are strings that libxtables stores directly into the named field
 * of struct xt_physdev_info (XTOPT_PUT + XTOPT_POINTER); physdev_parse()
 * then re-parses that field to derive the wildcard mask. The remaining
 * three options take no argument and only set flag bits.
 */
static const struct xt_option_entry physdev_opts[] = {
	{
		.name  = "physdev-in",
		.id    = O_PHYSDEV_IN,
		.type  = XTTYPE_STRING,
		.flags = XTOPT_INVERT | XTOPT_PUT,
		XTOPT_POINTER(struct xt_physdev_info, physindev),
	},
	{
		.name  = "physdev-out",
		.id    = O_PHYSDEV_OUT,
		.type  = XTTYPE_STRING,
		.flags = XTOPT_INVERT | XTOPT_PUT,
		XTOPT_POINTER(struct xt_physdev_info, physoutdev),
	},
	{
		.name  = "physdev-is-in",
		.id    = O_PHYSDEV_IS_IN,
		.type  = XTTYPE_NONE,
		.flags = XTOPT_INVERT,
	},
	{
		.name  = "physdev-is-out",
		.id    = O_PHYSDEV_IS_OUT,
		.type  = XTTYPE_NONE,
		.flags = XTOPT_INVERT,
	},
	{
		.name  = "physdev-is-bridged",
		.id    = O_PHYSDEV_IS_BRIDGED,
		.type  = XTTYPE_NONE,
		.flags = XTOPT_INVERT,
	},
	XTOPT_TABLEEND,
};

/*
 * Record one physdev test in the match data: set its bit in ->bitmask and,
 * when the option was given with "!", the same bit in ->invert.
 */
static void physdev_mark_op(struct xt_physdev_info *info, unsigned int op,
			    unsigned int negated)
{
	info->bitmask |= op;
	if (negated)
		info->invert |= op;
}

/*
 * Per-option parse callback (xtables_match.x6_parse).
 *
 * cb->entry->id selects which O_PHYSDEV_* option was seen, cb->arg is its
 * argument (interface options only) and cb->invert reports a leading "!".
 * For --physdev-in/--physdev-out the interface name is run through
 * xtables_parse_interface(), which fills the name and its wildcard mask.
 * NOTE(review): length validation of the interface name is delegated to
 * that helper; nothing here checks it.
 */
static void physdev_parse(struct xt_option_call *cb)
{
	struct xt_physdev_info *info = cb->data;
	unsigned int op;

	xtables_option_parse(cb);

	switch (cb->entry->id) {
	case O_PHYSDEV_IN:
		xtables_parse_interface(cb->arg, info->physindev,
					(unsigned char *)info->in_mask);
		op = XT_PHYSDEV_OP_IN;
		break;
	case O_PHYSDEV_OUT:
		xtables_parse_interface(cb->arg, info->physoutdev,
					(unsigned char *)info->out_mask);
		op = XT_PHYSDEV_OP_OUT;
		break;
	case O_PHYSDEV_IS_IN:
		op = XT_PHYSDEV_OP_ISIN;
		break;
	case O_PHYSDEV_IS_OUT:
		op = XT_PHYSDEV_OP_ISOUT;
		break;
	case O_PHYSDEV_IS_BRIDGED:
		op = XT_PHYSDEV_OP_BRIDGED;
		break;
	default:
		/* Unknown id: nothing to record (matches the original no-op). */
		return;
	}

	physdev_mark_op(info, op, cb->invert);
}

/*
 * Final-check callback (xtables_match.x6_fcheck).
 *
 * cb->xflags holds one bit per option that was seen. A physdev match with
 * no options would match nothing meaningful, so that is rejected here
 * rather than being silently accepted into the ruleset.
 */
static void physdev_check(struct xt_fcheck_call *cb)
{
	const unsigned int seen = cb->xflags;

	if (seen != 0)
		return;

	xtables_error(PARAMETER_PROBLEM, "PHYSDEV: no physdev option specified");
}

/*
 * Print callback (xtables_match.print): render the match for "iptables -L".
 *
 * Emits " PHYSDEV match" followed by each enabled test, in the fixed order
 * is-in, in, is-out, out, is-bridged, prefixing " !" for negated ones and
 * appending the interface name for the two interface tests. `ip` and
 * `numeric` are part of the callback signature and unused here.
 * NOTE(review): physindev/physoutdev are printed with %s, so this relies on
 * them being NUL-terminated in the match data — verify against the parse
 * path.
 */
static void
physdev_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
	const struct xt_physdev_info *info = (const void *)match->data;
	const struct {
		unsigned int op;	/* XT_PHYSDEV_OP_* bit */
		const char *label;	/* option text, with leading space */
		const char *dev;	/* interface name, NULL if flag-only */
	} tests[] = {
		{ XT_PHYSDEV_OP_ISIN,    " --physdev-is-in",      NULL },
		{ XT_PHYSDEV_OP_IN,      " --physdev-in",         info->physindev },
		{ XT_PHYSDEV_OP_ISOUT,   " --physdev-is-out",     NULL },
		{ XT_PHYSDEV_OP_OUT,     " --physdev-out",        info->physoutdev },
		{ XT_PHYSDEV_OP_BRIDGED, " --physdev-is-bridged", NULL },
	};
	size_t i;

	printf(" PHYSDEV match");
	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
		const unsigned int op = tests[i].op;

		if (!(info->bitmask & op))
			continue;
		printf("%s%s", (info->invert & op) ? " !" : "", tests[i].label);
		if (tests[i].dev != NULL)
			printf(" %s", tests[i].dev);
	}
}

/*
 * Emit one physdev test in "iptables-save" form if it is enabled in `info`:
 * an optional " !" prefix, then " --<name>", then " <dev>" when `dev` is
 * non-NULL. Nothing is printed when the test's bit is clear.
 */
static void physdev_save_op(const struct xt_physdev_info *info,
			    unsigned int op, const char *name, const char *dev)
{
	if (!(info->bitmask & op))
		return;

	printf("%s --%s", (info->invert & op) ? " !" : "", name);
	if (dev != NULL)
		printf(" %s", dev);
}

/*
 * Save callback (xtables_match.save): render the match as command-line
 * options that reproduce it. Same order and tokens as physdev_print() but
 * without the leading " PHYSDEV match" banner. `ip` is unused.
 * NOTE(review): interface names are echoed with %s straight from the match
 * data; they are assumed NUL-terminated — verify against the parse path.
 */
static void physdev_save(const void *ip, const struct xt_entry_match *match)
{
	const struct xt_physdev_info *info = (const void *)match->data;

	physdev_save_op(info, XT_PHYSDEV_OP_ISIN,    "physdev-is-in",      NULL);
	physdev_save_op(info, XT_PHYSDEV_OP_IN,      "physdev-in",         info->physindev);
	physdev_save_op(info, XT_PHYSDEV_OP_ISOUT,   "physdev-is-out",     NULL);
	physdev_save_op(info, XT_PHYSDEV_OP_OUT,     "physdev-out",        info->physoutdev);
	physdev_save_op(info, XT_PHYSDEV_OP_BRIDGED, "physdev-is-bridged", NULL);
}

/*
 * Registration record for the "physdev" match, handed to libxtables by
 * _init(). Family NFPROTO_UNSPEC makes it available to every protocol
 * family; the kernel-side and userspace-side sizes are both the aligned
 * size of struct xt_physdev_info, so the whole structure is compared when
 * rules are matched.
 */
static struct xtables_match physdev_match = {
	/* identity */
	.name		= "physdev",
	.family		= NFPROTO_UNSPEC,
	.version	= XTABLES_VERSION,

	/* match data layout */
	.size		= XT_ALIGN(sizeof(struct xt_physdev_info)),
	.userspacesize	= XT_ALIGN(sizeof(struct xt_physdev_info)),

	/* option parsing (xt_option framework) */
	.x6_options	= physdev_opts,
	.x6_parse	= physdev_parse,
	.x6_fcheck	= physdev_check,

	/* output */
	.help		= physdev_help,
	.print		= physdev_print,
	.save		= physdev_save,
};

/*
 * Extension entry point: registers the physdev match with libxtables so
 * that "-m physdev" resolves to the callbacks in physdev_match.
 */
void _init(void)
{
	struct xtables_match *const match = &physdev_match;

	xtables_register_match(match);
}