1 /*
2  * Shared library add-on to iptables to add CONNSECMARK target support.
3  *
4  * Based on the MARK and CONNMARK targets.
5  *
6  * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
7  */
8 #include <stdio.h>
9 #include <string.h>
10 #include <stdlib.h>
11 #include <getopt.h>
12 #include <xtables.h>
13 #include <linux/netfilter/xt_CONNSECMARK.h>
14
/* Common prefix for every diagnostic this extension passes to exit_error(). */
#define PFX "CONNSECMARK target: "
16
/* Write the usage text for the two CONNSECMARK options to stdout. */
static void CONNSECMARK_help(void)
{
        static const char usage[] =
                "CONNSECMARK target options:\n"
                "  --save                   Copy security mark from packet to conntrack\n"
                "  --restore                Copy security mark from connection to packet\n";

        fputs(usage, stdout);
}
24
/*
 * Long options understood by this target. Neither takes an argument;
 * the val codes '1' and '2' are what CONNSECMARK_parse() switches on.
 * The all-NULL entry terminates the table.
 */
static const struct option CONNSECMARK_opts[] = {
        { .name = "save",    .has_arg = no_argument, .flag = NULL, .val = '1' },
        { .name = "restore", .has_arg = no_argument, .flag = NULL, .val = '2' },
        { .name = NULL }
};
30
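/*
 * Parse one CONNSECMARK command-line option.
 *
 * c       option code from CONNSECMARK_opts: '1' = --save, '2' = --restore
 * argv    not used by this target
 * invert  non-zero when the caller saw a '!' in front of the option
 * flags   bitmask of options already seen for this rule; updated here and
 *         examined afterwards by CONNSECMARK_check()
 * entry   not used by this target
 * target  target entry whose data area holds the
 *         struct xt_connsecmark_target_info that receives the mode
 *
 * Returns 1 when the option was consumed and 0 when it is not one of ours.
 * A repeated or negated option is reported through exit_error().
 */
static int
CONNSECMARK_parse(int c, char **argv, int invert, unsigned int *flags,
                  const void *entry, struct xt_entry_target **target)
{
        struct xt_connsecmark_target_info *info =
                (struct xt_connsecmark_target_info *)(*target)->data;

        switch (c) {
        case '1':
                /*
                 * Neither option has a negated form. Refuse '!' instead of
                 * silently loading a rule that does not do what was typed.
                 */
                if (invert)
                        exit_error(PARAMETER_PROBLEM, PFX
                                   "Unexpected `!' before --save");
                if (*flags & CONNSECMARK_SAVE)
                        exit_error(PARAMETER_PROBLEM, PFX
                                   "Can't specify --save twice");
                info->mode = CONNSECMARK_SAVE;
                *flags |= CONNSECMARK_SAVE;
                break;

        case '2':
                if (invert)
                        exit_error(PARAMETER_PROBLEM, PFX
                                   "Unexpected `!' before --restore");
                if (*flags & CONNSECMARK_RESTORE)
                        exit_error(PARAMETER_PROBLEM, PFX
                                   "Can't specify --restore twice");
                info->mode = CONNSECMARK_RESTORE;
                *flags |= CONNSECMARK_RESTORE;
                break;

        default:
                /* Not our option: leave invert alone, it may belong to someone else. */
                return 0;
        }

        return 1;
}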
61
/*
 * Final validation once all options have been parsed: exactly one of
 * --save / --restore must have been given. Violations are reported
 * through exit_error().
 */
static void CONNSECMARK_check(unsigned int flags)
{
        const unsigned int both = CONNSECMARK_SAVE | CONNSECMARK_RESTORE;

        if (flags == 0)
                exit_error(PARAMETER_PROBLEM, PFX "parameter required");
        else if (flags == both)
                exit_error(PARAMETER_PROBLEM,
                           PFX "only one flag of --save or --restore is allowed");
}
71
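/*
 * Print the keyword for the rule's mode ("save " or "restore ").
 * Shared by the listing and save callbacks, neither of which modifies the
 * rule, so the info block is taken as const. Any other mode value is
 * reported through exit_error().
 */
static void print_connsecmark(const struct xt_connsecmark_target_info *info)
{
        switch (info->mode) {
        case CONNSECMARK_SAVE:
                printf("save ");
                break;

        case CONNSECMARK_RESTORE:
                printf("restore ");
                break;

        default:
                exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
        }
}

/*
 * Listing callback: print the target name followed by its mode.
 * ip and numeric are not used by this target.
 */
static void
CONNSECMARK_print(const void *ip, const struct xt_entry_target *target,
                  int numeric)
{
        /* Keep the const qualifier of target: this path only reads the rule. */
        const struct xt_connsecmark_target_info *info =
                (const struct xt_connsecmark_target_info *)target->data;

        printf("CONNSECMARK ");
        print_connsecmark(info);
}

/*
 * Save callback: print the mode as a command-line option ("--save " or
 * "--restore "). ip is not used by this target.
 */
static void
CONNSECMARK_save(const void *ip, const struct xt_entry_target *target)
{
        /* Keep the const qualifier of target: this path only reads the rule. */
        const struct xt_connsecmark_target_info *info =
                (const struct xt_connsecmark_target_info *)target->data;

        printf("--");
        print_connsecmark(info);
}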
108
/* IPv4 registration record for the CONNSECMARK target. */
static struct xtables_target connsecmark_target = {
        /* identity */
        .name           = "CONNSECMARK",
        .family         = AF_INET,
        .revision       = 0,
        .version        = XTABLES_VERSION,

        /* both sizes are the aligned size of the target info block */
        .size           = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
        .userspacesize  = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),

        /* option table and callbacks */
        .extra_opts     = CONNSECMARK_opts,
        .help           = CONNSECMARK_help,
        .parse          = CONNSECMARK_parse,
        .final_check    = CONNSECMARK_check,
        .print          = CONNSECMARK_print,
        .save           = CONNSECMARK_save,
};
123
/*
 * IPv6 registration record for the CONNSECMARK target. Apart from the
 * address family it uses the same sizes, option table and callbacks as
 * the IPv4 record.
 */
static struct xtables_target connsecmark_target6 = {
        /* identity */
        .name           = "CONNSECMARK",
        .family         = AF_INET6,
        .revision       = 0,
        .version        = XTABLES_VERSION,

        /* both sizes are the aligned size of the target info block */
        .size           = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
        .userspacesize  = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),

        /* option table and callbacks */
        .extra_opts     = CONNSECMARK_opts,
        .help           = CONNSECMARK_help,
        .parse          = CONNSECMARK_parse,
        .final_check    = CONNSECMARK_check,
        .print          = CONNSECMARK_print,
        .save           = CONNSECMARK_save,
};
138
/* Library entry point: register the IPv4 record, then the IPv6 record. */
void _init(void)
{
        struct xtables_target *const records[] = {
                &connsecmark_target,
                &connsecmark_target6,
        };
        size_t i;

        for (i = 0; i < sizeof records / sizeof records[0]; i++)
                xtables_register_target(records[i]);
}