--- /dev/null
+/*
+ * Shared library add-on to iptables to add TCPOPTSTRIP target support.
+ * Copyright (c) 2007 Sven Schnelle <svens@bitebene.org>
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TCPOPTSTRIP.h>
+#ifndef TCPOPT_MD5SIG
+# define TCPOPT_MD5SIG 19
+#endif
+
+enum {
+ FLAG_STRIP = 1 << 0,
+};
+
+struct tcp_optionmap {
+ const char *name, *desc;
+ const unsigned int option;
+};
+
+static const struct option tcpoptstrip_tg_opts[] = {
+ {.name = "strip-options", .has_arg = true, .val = 's'},
+ { .name = NULL }
+};
+
+static const struct tcp_optionmap tcp_optionmap[] = {
+ {"wscale", "Window scale", TCPOPT_WINDOW},
+ {"mss", "Maximum Segment Size", TCPOPT_MAXSEG},
+ {"sack-permitted", "SACK permitted", TCPOPT_SACK_PERMITTED},
+ {"sack", "Selective ACK", TCPOPT_SACK},
+ {"timestamp", "Timestamp", TCPOPT_TIMESTAMP},
+ {"md5", "MD5 signature", TCPOPT_MD5SIG},
+ { .name = NULL }
+};
+
+static void tcpoptstrip_tg_help(void)
+{
+ const struct tcp_optionmap *w;
+
+ printf(
+"TCPOPTSTRIP target options:\n"
+" --strip-options value strip specified TCP options denoted by value\n"
+" (separated by comma) from TCP header\n"
+" Instead of the numeric value, you can also use the following names:\n"
+ );
+
+ for (w = tcp_optionmap; w->name != NULL; ++w)
+ printf(" %-14s strip \"%s\" option\n", w->name, w->desc);
+}
+
+static void tcpoptstrip_tg_init(struct xt_entry_target *t)
+{
+ struct xt_tcpoptstrip_target_info *info = (void *)t->data;
+
+ /* strictly necessary? play safe for now. */
+ memset(info->strip_bmap, 0, sizeof(info->strip_bmap));
+}
+
+static void parse_list(struct xt_tcpoptstrip_target_info *info, char *arg)
+{
+ unsigned int option;
+ char *p;
+ int i;
+
+ while (true) {
+ p = strchr(arg, ',');
+ if (p != NULL)
+ *p = '\0';
+
+ option = 0;
+ for (i = 0; tcp_optionmap[i].name != NULL; ++i)
+ if (strcmp(tcp_optionmap[i].name, arg) == 0) {
+ option = tcp_optionmap[i].option;
+ break;
+ }
+
+ if (option == 0 && string_to_number(arg, 0, 255, &option) == -1)
+ exit_error(PARAMETER_PROBLEM,
+ "Bad TCP option value \"%s\"", arg);
+
+ if (option < 2)
+ exit_error(PARAMETER_PROBLEM,
+ "Option value may not be 0 or 1");
+
+ if (tcpoptstrip_test_bit(info->strip_bmap, option))
+ exit_error(PARAMETER_PROBLEM,
+ "Option \"%s\" already specified", arg);
+
+ tcpoptstrip_set_bit(info->strip_bmap, option);
+ if (p == NULL)
+ break;
+ arg = p + 1;
+ }
+}
+
+static int tcpoptstrip_tg_parse(int c, char **argv, int invert,
+ unsigned int *flags, const void *entry,
+ struct xt_entry_target **target)
+{
+ struct xt_tcpoptstrip_target_info *info = (void *)(*target)->data;
+
+ switch (c) {
+ case 's':
+ if (*flags & FLAG_STRIP)
+ exit_error(PARAMETER_PROBLEM,
+ "You can specify --strip-options only once");
+ parse_list(info, optarg);
+ *flags |= FLAG_STRIP;
+ return true;
+ }
+
+ return false;
+}
+
+static void tcpoptstrip_tg_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "TCPOPTSTRIP: --strip-options parameter required");
+}
+
+static void
+tcpoptstrip_print_list(const struct xt_tcpoptstrip_target_info *info,
+ bool numeric)
+{
+ unsigned int i, j;
+ const char *name;
+ bool first = true;
+
+ for (i = 0; i < 256; ++i) {
+ if (!tcpoptstrip_test_bit(info->strip_bmap, i))
+ continue;
+ if (!first)
+ printf(",");
+
+ first = false;
+ name = NULL;
+ if (!numeric)
+ for (j = 0; tcp_optionmap[j].name != NULL; ++j)
+ if (tcp_optionmap[j].option == i)
+ name = tcp_optionmap[j].name;
+
+ if (name != NULL)
+ printf("%s", name);
+ else
+ printf("%u", i);
+ }
+}
+
+static void
+tcpoptstrip_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tcpoptstrip_target_info *info =
+ (const void *)target->data;
+
+ printf("TCPOPTSTRIP options ");
+ tcpoptstrip_print_list(info, numeric);
+}
+
+static void
+tcpoptstrip_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tcpoptstrip_target_info *info =
+ (const void *)target->data;
+
+ printf("--strip-options ");
+ tcpoptstrip_print_list(info, true);
+}
+
+static struct xtables_target tcpoptstrip_tg_reg = {
+ .version = XTABLES_VERSION,
+ .name = "TCPOPTSTRIP",
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
+ .help = tcpoptstrip_tg_help,
+ .init = tcpoptstrip_tg_init,
+ .parse = tcpoptstrip_tg_parse,
+ .final_check = tcpoptstrip_tg_check,
+ .print = tcpoptstrip_tg_print,
+ .save = tcpoptstrip_tg_save,
+ .extra_opts = tcpoptstrip_tg_opts,
+};
+
+static struct xtables_target tcpoptstrip_tg6_reg = {
+ .version = XTABLES_VERSION,
+ .name = "TCPOPTSTRIP",
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
+ .help = tcpoptstrip_tg_help,
+ .init = tcpoptstrip_tg_init,
+ .parse = tcpoptstrip_tg_parse,
+ .final_check = tcpoptstrip_tg_check,
+ .print = tcpoptstrip_tg_print,
+ .save = tcpoptstrip_tg_save,
+ .extra_opts = tcpoptstrip_tg_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&tcpoptstrip_tg_reg);
+ xtables_register_target(&tcpoptstrip_tg6_reg);
+}
git://git.onelab.eu / iptables.git / blobdiff