eb1d7c5f
Commit
eb1d7c5f
authored
Jun 04, 2020
by
Arturo Borrero Gonzalez
New upstream version 1.8.5
parent
290749d4
Changes
125
extensions/libipt_ECN.man
This target
allows to
selectively work around known ECN blackholes.
This target selectively work
s
around known ECN blackholes.
It can only be used in the mangle table.
.TP
\fB\-\-ecn\-tcp\-remove\fP
...
...
extensions/libipt_ULOG.c
...
...
@@ -11,6 +11,7 @@
*/
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <xtables.h>
/* For 64bit kernel / 32bit userspace */
#include <linux/netfilter_ipv4/ipt_ULOG.h>
...
...
extensions/libxt_AUDIT.man
This target
allows to
create audit records for packets hitting the target.
This target create
s
audit records for packets hitting the target.
It can be used to record accepted, dropped, and rejected packets. See
auditd(8) for additional details.
.TP
...
...
extensions/libxt_CHECKSUM.man
This target
allows to
selectively work around broken/old applications.
This target selectively work
s
around broken/old applications.
It can only be used in the mangle table.
.TP
\fB\-\-checksum\-fill\fP
...
...
extensions/libxt_CT.c
...
...
@@ -348,6 +348,20 @@ static void notrack_ct2_tg_init(struct xt_entry_target *target)
info
->
flags
=
XT_CT_NOTRACK
|
XT_CT_NOTRACK_ALIAS
;
}
static
int
xlate_ct1_tg
(
struct
xt_xlate
*
xl
,
const
struct
xt_xlate_tg_params
*
params
)
{
struct
xt_ct_target_info_v1
*
info
=
(
struct
xt_ct_target_info_v1
*
)
params
->
target
->
data
;
if
(
info
->
flags
&
XT_CT_NOTRACK
)
xt_xlate_add
(
xl
,
"notrack"
);
else
return
0
;
return
1
;
}
static
struct
xtables_target
ct_target_reg
[]
=
{
{
.
family
=
NFPROTO_UNSPEC
,
...
...
@@ -387,6 +401,7 @@ static struct xtables_target ct_target_reg[] = {
.
alias
=
ct_print_name_alias
,
.
x6_parse
=
ct_parse_v1
,
.
x6_options
=
ct_opts_v1
,
.
xlate
=
xlate_ct1_tg
,
},
{
.
family
=
NFPROTO_UNSPEC
,
...
...
@@ -418,6 +433,7 @@ static struct xtables_target ct_target_reg[] = {
.
size
=
XT_ALIGN
(
sizeof
(
struct
xt_ct_target_info_v1
)),
.
userspacesize
=
offsetof
(
struct
xt_ct_target_info_v1
,
ct
),
.
init
=
notrack_ct2_tg_init
,
.
xlate
=
xlate_ct1_tg
,
},
{
.
family
=
NFPROTO_UNSPEC
,
...
...
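Review bot: `xlate_ct1_tg` only reads `info->flags`, so `info` should be declared `const struct xt_ct_target_info_v1 *`; the cast to a non-const pointer discards the qualifier if `params->target` is const-qualified, as the `const struct xt_entry_target *target` parameters elsewhere on this page suggest. The `if … else return 0; return 1;` shape also reads more naturally as a guard clause: `if (!(info->flags & XT_CT_NOTRACK)) return 0;` then `xt_xlate_add(xl, "notrack");` and `return 1;`. The same non-const cast of `target->data` appears in the new `idletimer_tg_print_v1` and `idletimer_tg_save_v1` in extensions/libxt_IDLETIMER.c. Reporting every other flag combination as untranslatable is the right conservative default, and a one-line comment would make that deliberate, e.g. `/* only the notrack case is translated; any other CT configuration is reported as untranslatable */`.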
extensions/libxt_CT.man
The CT target
allows to
set parameters for a packet or its associated
The CT target set
s
parameters for a packet or its associated
connection. The target attaches a "template" connection tracking entry to
the packet, which is then used by the conntrack core when initializing
a new ct entry. This target is thus only valid in the "raw" table.
...
...
extensions/libxt_DSCP.man
This target
allows to
alter the value of the DSCP bits within the TOS
This target alter
s
the value of the DSCP bits within the TOS
header of the IPv4 packet. As this manipulates a packet, it can only
be used in the mangle table.
.TP
...
...
extensions/libxt_HMARK.man
...
...
@@ -56,5 +56,5 @@ iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
\-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
.PP
iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000
iptables \-t mangle \-A PREROUTING
\
-j HMARK \-\-hmark\-offset 10000
\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef
extensions/libxt_IDLETIMER.c
...
...
@@ -27,6 +27,7 @@
enum
{
O_TIMEOUT
=
0
,
O_LABEL
,
O_ALARM
,
};
#define s struct idletimer_tg_info
...
...
@@ -39,6 +40,17 @@ static const struct xt_option_entry idletimer_tg_opts[] = {
};
#undef s
#define s struct idletimer_tg_info_v1
static
const
struct
xt_option_entry
idletimer_tg_opts_v1
[]
=
{
{.
name
=
"timeout"
,
.
id
=
O_TIMEOUT
,
.
type
=
XTTYPE_UINT32
,
.
flags
=
XTOPT_MAND
|
XTOPT_PUT
,
XTOPT_POINTER
(
s
,
timeout
)},
{.
name
=
"label"
,
.
id
=
O_LABEL
,
.
type
=
XTTYPE_STRING
,
.
flags
=
XTOPT_MAND
|
XTOPT_PUT
,
XTOPT_POINTER
(
s
,
label
)},
{.
name
=
"alarm"
,
.
id
=
O_ALARM
,
.
type
=
XTTYPE_NONE
},
XTOPT_TABLEEND
,
};
#undef s
static
void
idletimer_tg_help
(
void
)
{
printf
(
...
...
@@ -48,6 +60,16 @@ static void idletimer_tg_help(void)
"
\n
"
);
}
static
void
idletimer_tg_help_v1
(
void
)
{
printf
(
"IDLETIMER target options:
\n
"
" --timeout time Timeout until the notification is sent (in seconds)
\n
"
" --label string Unique rule identifier
\n
"
" --alarm Use alarm instead of default timer
\n
"
"
\n
"
);
}
static
void
idletimer_tg_print
(
const
void
*
ip
,
const
struct
xt_entry_target
*
target
,
int
numeric
)
...
...
@@ -59,6 +81,20 @@ static void idletimer_tg_print(const void *ip,
printf
(
" label:%s"
,
info
->
label
);
}
static
void
idletimer_tg_print_v1
(
const
void
*
ip
,
const
struct
xt_entry_target
*
target
,
int
numeric
)
{
struct
idletimer_tg_info_v1
*
info
=
(
struct
idletimer_tg_info_v1
*
)
target
->
data
;
printf
(
" timeout:%u"
,
info
->
timeout
);
printf
(
" label:%s"
,
info
->
label
);
if
(
info
->
timer_type
==
XT_IDLETIMER_ALARM
)
printf
(
" alarm"
);
}
static
void
idletimer_tg_save
(
const
void
*
ip
,
const
struct
xt_entry_target
*
target
)
{
...
...
@@ -69,21 +105,58 @@ static void idletimer_tg_save(const void *ip,
printf
(
" --label %s"
,
info
->
label
);
}
static
struct
xtables_target
idletimer_tg_reg
=
{
.
family
=
NFPROTO_UNSPEC
,
.
name
=
"IDLETIMER"
,
.
version
=
XTABLES_VERSION
,
.
revision
=
0
,
.
size
=
XT_ALIGN
(
sizeof
(
struct
idletimer_tg_info
)),
.
userspacesize
=
offsetof
(
struct
idletimer_tg_info
,
timer
),
.
help
=
idletimer_tg_help
,
.
x6_parse
=
xtables_option_parse
,
.
print
=
idletimer_tg_print
,
.
save
=
idletimer_tg_save
,
.
x6_options
=
idletimer_tg_opts
,
static
void
idletimer_tg_save_v1
(
const
void
*
ip
,
const
struct
xt_entry_target
*
target
)
{
struct
idletimer_tg_info_v1
*
info
=
(
struct
idletimer_tg_info_v1
*
)
target
->
data
;
printf
(
" --timeout %u"
,
info
->
timeout
);
printf
(
" --label %s"
,
info
->
label
);
if
(
info
->
timer_type
==
XT_IDLETIMER_ALARM
)
printf
(
" --alarm"
);
}
static
void
idletimer_tg_parse_v1
(
struct
xt_option_call
*
cb
)
{
struct
idletimer_tg_info_v1
*
info
=
cb
->
data
;
xtables_option_parse
(
cb
);
if
(
cb
->
entry
->
id
==
O_ALARM
)
info
->
timer_type
=
XT_IDLETIMER_ALARM
;
}
static
struct
xtables_target
idletimer_tg_reg
[]
=
{
{
.
family
=
NFPROTO_UNSPEC
,
.
name
=
"IDLETIMER"
,
.
version
=
XTABLES_VERSION
,
.
revision
=
0
,
.
size
=
XT_ALIGN
(
sizeof
(
struct
idletimer_tg_info
)),
.
userspacesize
=
offsetof
(
struct
idletimer_tg_info
,
timer
),
.
help
=
idletimer_tg_help
,
.
x6_parse
=
xtables_option_parse
,
.
print
=
idletimer_tg_print
,
.
save
=
idletimer_tg_save
,
.
x6_options
=
idletimer_tg_opts
,
},
{
.
family
=
NFPROTO_UNSPEC
,
.
name
=
"IDLETIMER"
,
.
version
=
XTABLES_VERSION
,
.
revision
=
1
,
.
size
=
XT_ALIGN
(
sizeof
(
struct
idletimer_tg_info_v1
)),
.
userspacesize
=
offsetof
(
struct
idletimer_tg_info_v1
,
timer
),
.
help
=
idletimer_tg_help_v1
,
.
x6_parse
=
idletimer_tg_parse_v1
,
.
print
=
idletimer_tg_print_v1
,
.
save
=
idletimer_tg_save_v1
,
.
x6_options
=
idletimer_tg_opts_v1
,
},
};
void
_init
(
void
)
{
xtables_register_target
(
&
idletimer_tg_reg
);
xtables_register_target
s
(
idletimer_tg_reg
,
ARRAY_SIZE
(
idletimer_tg_reg
)
);
}
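Review bot: `idletimer_tg_parse_v1` assigns `info->timer_type` only when `--alarm` is seen, so a rule without it keeps whatever value `cb->data` held before parsing — presumably zero, if the framework zero-fills target data, but nothing in the hunk establishes that. Either assign the non-alarm type explicitly before the `O_ALARM` check or document the reliance, e.g. `/* timer_type stays zero-filled (non-alarm timer) unless --alarm is given; relies on xtables zeroing target data */`. The revision-1 help, print and save callbacks also repeat the revision-0 bodies line for line apart from the alarm output; if revision 0 is kept long-term, a small static helper that prints the timeout and label would stop the two copies drifting apart.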
extensions/libxt_IDLETIMER.t
...
...
@@ -2,3 +2,4 @@
-
j
IDLETIMER
--
timeout
;;
FAIL
-
j
IDLETIMER
--
timeout
42
;;
FAIL
-
j
IDLETIMER
--
timeout
42
--
label
foo
;
=
;
OK
-
j
IDLETIMER
--
timeout
42
--
label
foo
--
alarm
;;
OK
extensions/libxt_MARK.man
This target is used to set the Netfilter mark value associated with the packet.
It can, for example, be used in conjunction with routing based on fwmark (needs
iproute2). If you plan on doing so, note that the mark needs to be set in
the
PREROUTING
chain of the mangle table to affect routing.
iproute2). If you plan on doing so, note that the mark needs to be set in
either the PREROUTING or the OUTPUT
chain of the mangle table to affect routing.
The mark field is 32 bits wide.
.TP
\fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
...
...
extensions/libxt_NOTRACK.t
:
PREROUTING
,
OUTPUT
*raw
# ERROR: cannot find: iptables -I PREROUTING -t raw -j NOTRACK
#-j NOTRACK;=;OK
-
j
NOTRACK
;
=
;
OK
extensions/libxt_NOTRACK.txlate
0 → 100644
iptables-translate -A PREROUTING -t raw -j NOTRACK
nft add rule ip raw PREROUTING counter notrack
extensions/libxt_SET.man
...
...
@@ -42,5 +42,5 @@ and
\fB\-\-map\-queue\fP
flags can be used in the OUTPUT, FORWARD and POSTROUTING chains.
.PP
Use of -j SET requires that ipset kernel support is provided, which, for
Use of
\
-j SET requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39.
extensions/libxt_TCPMSS.man
This target
allows to
alter the MSS value of TCP SYN packets, to control
This target alter
s
the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your
outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
Of course, it can only be used
...
...
extensions/libxt_TOS.man
...
...
@@ -32,5 +32,5 @@ longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is
a bug whereby IPv6 TOS mangling does not behave as documented and differs from
the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
needs to be inverted before applying it to the original TOS field. However, the
aformentioned kernels forgo the inversion which breaks
-
-set-tos and its
aformentioned kernels forgo the inversion which breaks
\-\
-set
\
-tos and its
mnemonics.
extensions/libxt_addrtype.c
...
...
@@ -5,6 +5,7 @@
* This program is released under the terms of GNU GPL */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <xtables.h>
#include <linux/netfilter/xt_addrtype.h>
...
...
extensions/libxt_bpf.c
...
...
@@ -61,14 +61,26 @@ static const struct xt_option_entry bpf_opts_v1[] = {
XTOPT_TABLEEND
,
};
static
int
bpf_obj_get
(
const
char
*
filepath
)
static
int
bpf_obj_get
_readonly
(
const
char
*
filepath
)
{
#if defined HAVE_LINUX_BPF_H && defined __NR_bpf && defined BPF_FS_MAGIC
union
bpf_attr
attr
;
memset
(
&
attr
,
0
,
sizeof
(
attr
));
attr
.
pathname
=
(
__u64
)
filepath
;
/* union bpf_attr includes this in an anonymous struct, but the
* file_flags field and the BPF_F_RDONLY constant are only present
* in Linux 4.15+ kernel headers (include/uapi/linux/bpf.h)
*/
struct
{
// this part of union bpf_attr is for BPF_OBJ_* commands
__aligned_u64
pathname
;
__u32
bpf_fd
;
__u32
file_flags
;
}
attr
=
{
.
pathname
=
(
__u64
)
filepath
,
.
file_flags
=
(
1U
<<
3
),
// BPF_F_RDONLY
};
int
fd
=
syscall
(
__NR_bpf
,
BPF_OBJ_GET
,
&
attr
,
sizeof
(
attr
));
if
(
fd
>=
0
)
return
fd
;
/* on any error fallback to default R/W access for pre-4.15-rc1 kernels */
attr
.
file_flags
=
0
;
return
syscall
(
__NR_bpf
,
BPF_OBJ_GET
,
&
attr
,
sizeof
(
attr
));
#else
xtables_error
(
OTHER_PROBLEM
,
...
...
@@ -125,7 +137,7 @@ static void bpf_parse_string(struct sock_filter *pc, __u16 *lenp, __u16 len_max,
static
void
bpf_parse_obj_pinned
(
struct
xt_bpf_info_v1
*
bi
,
const
char
*
filepath
)
{
bi
->
fd
=
bpf_obj_get
(
filepath
);
bi
->
fd
=
bpf_obj_get
_readonly
(
filepath
);
if
(
bi
->
fd
<
0
)
xtables_error
(
PARAMETER_PROBLEM
,
"bpf: failed to get bpf object"
);
...
...
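Review bot: The fallback in `bpf_obj_get_readonly` retries with `file_flags = 0` on any failure of the first `BPF_OBJ_GET`, not only when the kernel does not understand `file_flags`; a read-only open that fails for an unrelated reason (bad path, permissions) is then repeated as a read/write request, the second call's errno replaces the first, and the read-only intent is dropped without notice. As far as I recall, older kernels reject unknown non-zero attr bytes with EINVAL, so narrowing the retry to that case keeps both least privilege and the original error: `if (fd >= 0 || errno != EINVAL) return fd;` (with `<errno.h>` included if it is not already). The `(__u64) filepath` cast kept in the new initializer converts a pointer straight to a 64-bit integer, which warns on 32-bit builds; `(__u64)(uintptr_t)filepath` is the usual form. `(1U << 3) // BPF_F_RDONLY` would read better as a named constant under `#ifndef BPF_F_RDONLY`, since the surrounding comment already explains it stands in for the header value on older kernels.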
extensions/libxt_bpf.man
...
...
@@ -17,7 +17,7 @@ iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j AC
\fB\-\-bytecode\fP \fIcode\fP
Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility.
.PP
The code format is similar to the output of the tcpdump -ddd command: one line
The code format is similar to the output of the tcpdump
\
-ddd command: one line
that stores the number of instructions, followed by one line for each
instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
notation. Fields encode the operation, jump offset if true, jump offset if
...
...
extensions/libxt_cluster.c
...
...
@@ -156,7 +156,7 @@ static int cluster_xlate(struct xt_xlate *xl,
xt_xlate_add
(
xl
,
"%s %u seed 0x%08x "
,
jhash_st
,
info
->
total_nodes
,
info
->
hash_seed
);
for
(
node
=
0
;
node
<
32
;
node
++
)
{
if
(
info
->
node_mask
&
(
1
<<
node
))
{
if
(
info
->
node_mask
&
(
1
u
<<
node
))
{
if
(
needs_set
==
0
)
{
xt_xlate_add
(
xl
,
"{ "
);
needs_set
=
1
;
...
...