Commit 706c32c9 authored by Arturo Borrero Gonzalez

Update upstream source from tag 'upstream/1.6.2'

Update to upstream version '1.6.2'
with Debian dir 709e57568379856beca5301ab2678ceffca94a99
parents a82b926a 5beab31f
......@@ -18,7 +18,7 @@
#define MARK '1'
static struct option brmark_m_opts[] = {
static const struct option brmark_m_opts[] = {
{ .name = "mark", .has_arg = true, .val = MARK },
XT_GETOPT_TABLEEND,
};
......
......@@ -30,7 +30,7 @@ enum {
NFLOG_NFLOG = 0x16,
};
static struct option brnflog_opts[] = {
static const struct option brnflog_opts[] = {
{ .name = "nflog-group", .has_arg = true, .val = NFLOG_GROUP},
{ .name = "nflog-prefix", .has_arg = true, .val = NFLOG_PREFIX},
{ .name = "nflog-range", .has_arg = true, .val = NFLOG_RANGE},
......
......@@ -163,13 +163,11 @@ static void DNAT_parse(struct xt_option_call *cb)
switch (cb->entry->id) {
case O_TO_DEST:
if (cb->xflags & F_X_TO_DEST) {
if (!kernel_version)
get_kernel_version();
if (kernel_version > LINUX_VERSION(2, 6, 10))
xtables_error(PARAMETER_PROBLEM,
"DNAT: Multiple --to-destination not supported");
xtables_error(PARAMETER_PROBLEM,
"DNAT: Multiple --to-destination not supported");
}
parse_to(cb->arg, portok, range);
cb->xflags |= F_X_TO_DEST;
break;
case O_PERSISTENT:
range->flags |= NF_NAT_RANGE_PERSISTENT;
......@@ -281,7 +279,7 @@ static int DNAT_xlate(struct xt_xlate *xl,
return 1;
}
static struct xtables_target snat_tg_reg = {
static struct xtables_target dnat_tg_reg = {
.name = "DNAT",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV6,
......@@ -299,5 +297,5 @@ static struct xtables_target snat_tg_reg = {
void _init(void)
{
xtables_register_target(&snat_tg_reg);
xtables_register_target(&dnat_tg_reg);
}
ip6tables-translate -t nat -A prerouting -i eth1 -p tcp --dport 8080 -j DNAT --to-destination [fec0::1234]:80
nft add rule ip6 nat prerouting iifname eth1 tcp dport 8080 counter dnat to [fec0::1234]:80
ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:1-20
nft add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:1-20
ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --persistent
nft add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:80 persistent
ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --random --persistent
nft add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:80 random,persistent
iptables-translate -I INPUT -j LOG
nft insert rule ip filter INPUT counter log
ip6tables-translate -A FORWARD -p tcp -j LOG --log-level debug
nft add rule ip6 filter FORWARD meta l4proto tcp counter log level debug
ip6tables-translate -A FORWARD -p tcp -j LOG --log-prefix "Checking log"
nft add rule ip6 filter FORWARD meta l4proto tcp counter log prefix \"Checking log\"
......@@ -18,6 +18,7 @@
enum {
O_TO_PORTS = 0,
O_RANDOM,
O_RANDOM_FULLY,
};
static void MASQUERADE_help(void)
......@@ -27,12 +28,15 @@ static void MASQUERADE_help(void)
" --to-ports <port>[-<port>]\n"
" Port (range) to map to.\n"
" --random\n"
" Randomize source port.\n");
" Randomize source port.\n"
" --random-fully\n"
" Fully randomize source port.\n");
}
static const struct xt_option_entry MASQUERADE_opts[] = {
{.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
{.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
XTOPT_TABLEEND,
};
......@@ -96,6 +100,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb)
case O_RANDOM:
r->flags |= NF_NAT_RANGE_PROTO_RANDOM;
break;
case O_RANDOM_FULLY:
r->flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
break;
}
}
......@@ -114,6 +121,9 @@ MASQUERADE_print(const void *ip, const struct xt_entry_target *target,
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" random");
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
printf(" random-fully");
}
static void
......@@ -129,6 +139,9 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" --random");
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
printf(" --random-fully");
}
static int MASQUERADE_xlate(struct xt_xlate *xl,
......@@ -148,6 +161,10 @@ static int MASQUERADE_xlate(struct xt_xlate *xl,
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
xt_xlate_add(xl, "random ");
xt_xlate_add(xl, " ");
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
xt_xlate_add(xl, "random-fully ");
return 1;
}
......
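Review bot: The new `NF_NAT_RANGE_PROTO_RANDOM_FULLY` branch in MASQUERADE_xlate emits `random-fully `, while the SNAT translate example further down this page renders the same option as `fully-random`, so the translated masquerade rule may be rejected by nft and in any case differs from the other NAT target. The line should probably read `xt_xlate_add(xl, "fully-random ");`. When both random flags are set, the two keywords also come out space-separated rather than comma-separated as in `fully-random,persistent`. None of the MASQUERADE translate cases visible on this page use --random-fully, so nothing shown here would catch it. MASQUERADE_xlate starts above the hunk.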
ip6tables-translate -t nat -A POSTROUTING -j MASQUERADE
nft add rule ip6 nat POSTROUTING counter masquerade
ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10
nft add rule ip6 nat POSTROUTING meta l4proto tcp counter masquerade to :10
ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random
nft add rule ip6 nat POSTROUTING meta l4proto tcp counter masquerade to :10-20 random
ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
nft add rule ip6 nat prerouting tcp dport 80 counter redirect to :8080
ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
nft add rule ip6 nat prerouting tcp dport 80 counter redirect to :8080 random
ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip6 filter FORWARD tcp dport 22 counter reject
ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp6-reject-route
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type reject-route
ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with tcp reset
......@@ -166,13 +166,11 @@ static void SNAT_parse(struct xt_option_call *cb)
switch (cb->entry->id) {
case O_TO_SRC:
if (cb->xflags & F_X_TO_SRC) {
if (!kernel_version)
get_kernel_version();
if (kernel_version > LINUX_VERSION(2, 6, 10))
xtables_error(PARAMETER_PROBLEM,
"SNAT: Multiple --to-source not supported");
xtables_error(PARAMETER_PROBLEM,
"SNAT: Multiple --to-source not supported");
}
parse_to(cb->arg, portok, range);
cb->xflags |= F_X_TO_SRC;
break;
case O_PERSISTENT:
range->flags |= NF_NAT_RANGE_PERSISTENT;
......
ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:80
nft add rule ip6 nat postrouting oifname eth0 meta l4proto tcp counter snat to [fec0::1234]:80
ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:1-20
nft add rule ip6 nat postrouting oifname eth0 meta l4proto tcp counter snat to [fec0::1234]:1-20
ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random
nft add rule ip6 nat postrouting oifname eth0 meta l4proto tcp counter snat to [fec0::1234]:123 random
ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random-fully --persistent
nft add rule ip6 nat postrouting oifname eth0 meta l4proto tcp counter snat to [fec0::1234]:123 fully-random,persistent
ip6tables-translate -A INPUT -m ah --ahspi 500 -j DROP
nft add rule ip6 filter INPUT ah spi 500 counter drop
ip6tables-translate -A INPUT -m ah --ahspi 500:550 -j DROP
nft add rule ip6 filter INPUT ah spi 500-550 counter drop
ip6tables-translate -A INPUT -m ah ! --ahlen 120
nft add rule ip6 filter INPUT ah hdrlength != 120 counter
ip6tables-translate -A INPUT -m ah --ahres
nft add rule ip6 filter INPUT ah reserved 1 counter
ip6tables-translate -A INPUT -m ah --ahspi 500 ! --ahlen 120 -j DROP
nft add rule ip6 filter INPUT ah spi 500 ah hdrlength != 120 counter drop
ip6tables-translate -A INPUT -m ah --ahspi 500 --ahlen 120 --ahres -j ACCEPT
nft add rule ip6 filter INPUT ah spi 500 ah hdrlength 120 ah reserved 1 counter accept
ip6tables-translate -t filter -A INPUT -m frag --fragid 100:200 -j ACCEPT
nft add rule ip6 filter INPUT frag id 100-200 counter accept
ip6tables-translate -t filter -A INPUT -m frag --fragid 100 --fragres --fragmore -j ACCEPT
nft add rule ip6 filter INPUT frag id 100 frag reserved 1 frag more-fragments 1 counter accept
ip6tables-translate -t filter -A INPUT -m frag ! --fragid 100:200 -j ACCEPT
nft add rule ip6 filter INPUT frag id != 100-200 counter accept
ip6tables-translate -t filter -A INPUT -m frag --fragid 100:200 --fraglast -j ACCEPT
nft add rule ip6 filter INPUT frag id 100-200 frag more-fragments 0 counter accept
ip6tables-translate -t filter -A INPUT -m frag --fragid 100:200 --fragfirst -j ACCEPT
nft add rule ip6 filter INPUT frag id 100-200 frag frag-off 0 counter accept
ip6tables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT
nft add rule ip6 filter INPUT frag more-fragments 0 counter accept
ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength 22 counter
ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength != 22 counter
ip6tables-translate -t nat -A postrouting -m hl --hl-gt 3
nft add rule ip6 nat postrouting ip6 hoplimit gt 3 counter
ip6tables-translate -t nat -A postrouting -m hl ! --hl-eq 3
nft add rule ip6 nat postrouting ip6 hoplimit != 3 counter
......@@ -282,8 +282,6 @@ static int icmp6_xlate(struct xt_xlate *xl,
if (!type_xlate_print(xl, info->type, info->code[0], info->code[1]))
return 0;
xt_xlate_add(xl, " ");
return 1;
}
......
ip6tables-translate -t filter -A INPUT -m icmp6 --icmpv6-type 1 -j LOG
nft add rule ip6 filter INPUT icmpv6 type destination-unreachable counter log
ip6tables-translate -t filter -A INPUT -m icmp6 --icmpv6-type neighbour-advertisement -j LOG
nft add rule ip6 filter INPUT icmpv6 type nd-neighbor-advert counter log
ip6tables-translate -t filter -A INPUT -m icmp6 ! --icmpv6-type packet-too-big -j LOG
nft add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log
ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT
nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept
ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept
ip6tables-translate -A INPUT -m rt --rt-type 0 -j DROP
nft add rule ip6 filter INPUT rt type 0 counter drop
ip6tables-translate -A INPUT -m rt ! --rt-len 22 -j DROP
nft add rule ip6 filter INPUT rt hdrlength != 22 counter drop
ip6tables-translate -A INPUT -m rt --rt-segsleft 26 -j ACCEPT
nft add rule ip6 filter INPUT rt seg-left 26 counter accept
ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 -j DROP
nft add rule ip6 filter INPUT rt type 0 rt hdrlength 22 counter drop
ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 ! --rt-segsleft 26 -j ACCEPT
nft add rule ip6 filter INPUT rt type 0 rt seg-left != 26 rt hdrlength 22 counter accept
/* Shared library to add Segment Routing Header (SRH) matching support.
*
* Author:
* Ahmed Abdelsalam <amsalam20@gmail.com>
*/
#include <stdio.h>
#include <xtables.h>
#include <linux/netfilter_ipv6/ip6t_srh.h>
#include <string.h>
/* srh command-line options */
enum {
O_SRH_NEXTHDR,
O_SRH_LEN_EQ,
O_SRH_LEN_GT,
O_SRH_LEN_LT,
O_SRH_SEGS_EQ,
O_SRH_SEGS_GT,
O_SRH_SEGS_LT,
O_SRH_LAST_EQ,
O_SRH_LAST_GT,
O_SRH_LAST_LT,
O_SRH_TAG,
};
static void srh_help(void)
{
printf(
"srh match options:\n"
"[!] --srh-next-hdr next-hdr Next Header value of SRH\n"
"[!] --srh-hdr-len-eq hdr_len Hdr Ext Len value of SRH\n"
"[!] --srh-hdr-len-gt hdr_len Hdr Ext Len value of SRH\n"
"[!] --srh-hdr-len-lt hdr_len Hdr Ext Len value of SRH\n"
"[!] --srh-segs-left-eq segs_left Segments Left value of SRH\n"
"[!] --srh-segs-left-gt segs_left Segments Left value of SRH\n"
"[!] --srh-segs-left-lt segs_left Segments Left value of SRH\n"
"[!] --srh-last-entry-eq last_entry Last Entry value of SRH\n"
"[!] --srh-last-entry-gt last_entry Last Entry value of SRH\n"
"[!] --srh-last-entry-lt last_entry Last Entry value of SRH\n"
"[!] --srh-tag tag Tag value of SRH\n");
}
#define s struct ip6t_srh
static const struct xt_option_entry srh_opts[] = {
{ .name = "srh-next-hdr", .id = O_SRH_NEXTHDR, .type = XTTYPE_UINT8,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, next_hdr)},
{ .name = "srh-hdr-len-eq", .id = O_SRH_LEN_EQ, .type = XTTYPE_UINT8,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, hdr_len)},
{ .name = "srh-hdr-len-gt", .id = O_SRH_LEN_GT, .type = XTTYPE_UINT8,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, hdr_len)},
{ .name = "srh-hdr-len-lt", .id = O_SRH_LEN_LT, .type = XTTYPE_UINT8,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, hdr_len)},
{ .name = "srh-segs-left-eq", .id = O_SRH_SEGS_EQ, .type = XTTYPE_UINT8,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, segs_left)},
{ .name = "srh-segs-left-gt", .id = O_SRH_SEGS_GT, .type = XTTYPE_UINT8,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, segs_left)},
{ .name = "srh-segs-left-lt", .id = O_SRH_SEGS_LT, .type = XTTYPE_UINT8,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, segs_left)},
{ .name = "srh-last-entry-eq", .id = O_SRH_LAST_EQ, .type = XTTYPE_UINT8,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, last_entry)},
{ .name = "srh-last-entry-gt", .id = O_SRH_LAST_GT, .type = XTTYPE_UINT8,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, last_entry)},
{ .name = "srh-last-entry-lt", .id = O_SRH_LAST_LT, .type = XTTYPE_UINT8,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, last_entry)},
{ .name = "srh-tag", .id = O_SRH_TAG, .type = XTTYPE_UINT16,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, tag)},
{ }
};
#undef s
static void srh_init(struct xt_entry_match *m)
{
struct ip6t_srh *srhinfo = (void *)m->data;
srhinfo->mt_flags = 0;
srhinfo->mt_invflags = 0;
}
static void srh_parse(struct xt_option_call *cb)
{
struct ip6t_srh *srhinfo = cb->data;
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_SRH_NEXTHDR:
srhinfo->mt_flags |= IP6T_SRH_NEXTHDR;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_NEXTHDR;
break;
case O_SRH_LEN_EQ:
srhinfo->mt_flags |= IP6T_SRH_LEN_EQ;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_LEN_EQ;
break;
case O_SRH_LEN_GT:
srhinfo->mt_flags |= IP6T_SRH_LEN_GT;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_LEN_GT;
break;
case O_SRH_LEN_LT:
srhinfo->mt_flags |= IP6T_SRH_LEN_LT;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_LEN_LT;
break;
case O_SRH_SEGS_EQ:
srhinfo->mt_flags |= IP6T_SRH_SEGS_EQ;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_SEGS_EQ;
break;
case O_SRH_SEGS_GT:
srhinfo->mt_flags |= IP6T_SRH_SEGS_GT;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_SEGS_GT;
break;
case O_SRH_SEGS_LT:
srhinfo->mt_flags |= IP6T_SRH_SEGS_LT;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_SEGS_LT;
break;
case O_SRH_LAST_EQ:
srhinfo->mt_flags |= IP6T_SRH_LAST_EQ;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_LAST_EQ;
break;
case O_SRH_LAST_GT:
srhinfo->mt_flags |= IP6T_SRH_LAST_GT;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_LAST_GT;
break;
case O_SRH_LAST_LT:
srhinfo->mt_flags |= IP6T_SRH_LAST_LT;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_LAST_LT;
break;
case O_SRH_TAG:
srhinfo->mt_flags |= IP6T_SRH_TAG;
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_TAG;
break;
}
}
static void srh_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct ip6t_srh *srhinfo = (struct ip6t_srh *)match->data;
printf(" srh");
if (srhinfo->mt_flags & IP6T_SRH_NEXTHDR)
printf(" next-hdr:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_NEXTHDR ? "!" : "",
srhinfo->next_hdr);
if (srhinfo->mt_flags & IP6T_SRH_LEN_EQ)
printf(" hdr-len-eq:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_LEN_EQ ? "!" : "",
srhinfo->hdr_len);
if (srhinfo->mt_flags & IP6T_SRH_LEN_GT)
printf(" hdr-len-gt:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_LEN_GT ? "!" : "",
srhinfo->hdr_len);
if (srhinfo->mt_flags & IP6T_SRH_LEN_LT)
printf(" hdr-len-lt:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_LEN_LT ? "!" : "",
srhinfo->hdr_len);
if (srhinfo->mt_flags & IP6T_SRH_SEGS_EQ)
printf(" segs-left-eq:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_SEGS_EQ ? "!" : "",
srhinfo->segs_left);
if (srhinfo->mt_flags & IP6T_SRH_SEGS_GT)
printf(" segs-left-gt:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_SEGS_GT ? "!" : "",
srhinfo->segs_left);
if (srhinfo->mt_flags & IP6T_SRH_SEGS_LT)
printf(" segs-left-lt:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_SEGS_LT ? "!" : "",
srhinfo->segs_left);
if (srhinfo->mt_flags & IP6T_SRH_LAST_EQ)
printf(" last-entry-eq:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_LAST_EQ ? "!" : "",
srhinfo->last_entry);
if (srhinfo->mt_flags & IP6T_SRH_LAST_GT)
printf(" last-entry-gt:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_LAST_GT ? "!" : "",
srhinfo->last_entry);
if (srhinfo->mt_flags & IP6T_SRH_LAST_LT)
printf(" last-entry-lt:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_LAST_LT ? "!" : "",
srhinfo->last_entry);
if (srhinfo->mt_flags & IP6T_SRH_TAG)
printf(" tag:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_TAG ? "!" : "",
srhinfo->tag);
}
static void srh_save(const void *ip, const struct xt_entry_match *match)
{
const struct ip6t_srh *srhinfo = (struct ip6t_srh *)match->data;
if (srhinfo->mt_flags & IP6T_SRH_NEXTHDR)
printf("%s --srh-next-hdr %u", (srhinfo->mt_invflags & IP6T_SRH_INV_NEXTHDR) ? " !" : "",
srhinfo->next_hdr);
if (srhinfo->mt_flags & IP6T_SRH_LEN_EQ)
printf("%s --srh-hdr-len-eq %u", (srhinfo->mt_invflags & IP6T_SRH_INV_LEN_EQ) ? " !" : "",
srhinfo->hdr_len);
if (srhinfo->mt_flags & IP6T_SRH_LEN_GT)
printf("%s --srh-hdr-len-gt %u", (srhinfo->mt_invflags & IP6T_SRH_INV_LEN_GT) ? " !" : "",
srhinfo->hdr_len);
if (srhinfo->mt_flags & IP6T_SRH_LEN_LT)
printf("%s --srh-hdr-len-lt %u", (srhinfo->mt_invflags & IP6T_SRH_INV_LEN_LT) ? " !" : "",
srhinfo->hdr_len);
if (srhinfo->mt_flags & IP6T_SRH_SEGS_EQ)
printf("%s --srh-segs-left-eq %u", (srhinfo->mt_invflags & IP6T_SRH_INV_SEGS_EQ) ? " !" : "",
srhinfo->segs_left);
if (srhinfo->mt_flags & IP6T_SRH_SEGS_GT)
printf("%s --srh-segs-left-gt %u", (srhinfo->mt_invflags & IP6T_SRH_INV_SEGS_GT) ? " !" : "",
srhinfo->segs_left);
if (srhinfo->mt_flags & IP6T_SRH_SEGS_LT)
printf("%s --srh-segs-left-lt %u", (srhinfo->mt_invflags & IP6T_SRH_INV_SEGS_LT) ? " !" : "",
srhinfo->segs_left);
if (srhinfo->mt_flags & IP6T_SRH_LAST_EQ)
printf("%s --srh-last-entry-eq %u", (srhinfo->mt_invflags & IP6T_SRH_INV_LAST_EQ) ? " !" : "",
srhinfo->last_entry);
if (srhinfo->mt_flags & IP6T_SRH_LAST_GT)
printf("%s --srh-last-entry-gt %u", (srhinfo->mt_invflags & IP6T_SRH_INV_LAST_GT) ? " !" : "",
srhinfo->last_entry);
if (srhinfo->mt_flags & IP6T_SRH_LAST_LT)
printf("%s --srh-last-entry-lt %u", (srhinfo->mt_invflags & IP6T_SRH_INV_LAST_LT) ? " !" : "",
srhinfo->last_entry);
if (srhinfo->mt_flags & IP6T_SRH_TAG)
printf("%s --srh-tag %u", (srhinfo->mt_invflags & IP6T_SRH_INV_TAG) ? " !" : "",
srhinfo->tag);
}
static struct xtables_match srh_mt6_reg = {
.name = "srh",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct ip6t_srh)),
.userspacesize = XT_ALIGN(sizeof(struct ip6t_srh)),
.help = srh_help,
.init = srh_init,
.print = srh_print,
.save = srh_save,
.x6_parse = srh_parse,
.x6_options = srh_opts,
};
void
_init(void)
{
xtables_register_match(&srh_mt6_reg);
}
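Review bot: In srh_opts the -eq, -gt and -lt variants of each field all use XTOPT_PUT into the same struct member (`hdr_len`, `segs_left`, `last_entry`), so a rule such as `--srh-hdr-len-gt 4 --srh-hdr-len-lt 10` (constructed example) keeps only the last value while srh_parse sets both flags. The installed match is then not the range the administrator wrote, and srh_parse accepts the combination silently. Making the three comparators of a field mutually exclusive in the option table would turn this into a parse error, e.g. `.excl = 1 << O_SRH_LEN_GT | 1 << O_SRH_LEN_LT` on the -eq entry, with the matching masks on the other two. A one-line comment above srh_opts saying that each field holds a single comparison value would also help the next reader.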