From: Felix Fietkau Date: Wed, 6 Aug 2014 10:30:09 +0000 (+0000) Subject: netfilter: introduce xt_id match X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=5f0ced0960877f75db3c70854a65bfdfddb27b69;p=openwrt%2Fsvn-archive%2Fopenwrt.git netfilter: introduce xt_id match This commit implements a new netfilter match "xt_id" which can be used to attach unsigned 32bit IDs to iptables rules. Signed-off-by: Jo-Philipp Wich Backport of r41945 SVN-Revision: 42007 --- diff --git a/include/netfilter.mk b/include/netfilter.mk index 906eb0f085..7a6fea5768 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -36,12 +36,13 @@ $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_FILTER, $(P_V4)iptabl $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CORE,CONFIG_IP_NF_MANGLE, $(P_V4)iptable_mangle),)) # userland only -$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp xt_comment xt_set xt_SET))) +$(eval $(if $(NF_KMOD),,$(call nf_add,IPT_CORE,CONFIG_IP_NF_IPTABLES, xt_standard ipt_icmp xt_tcp xt_udp xt_comment xt_id xt_set xt_SET))) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_LIMIT, $(P_XT)xt_limit)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_MAC, $(P_XT)xt_mac)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_MULTIPORT, $(P_XT)xt_multiport)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_COMMENT, $(P_XT)xt_comment)) +$(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_MATCH_ID, $(P_XT)xt_id)) $(eval $(call nf_add,IPT_CORE,CONFIG_NETFILTER_XT_TARGET_LOG, $(P_XT)xt_LOG, ge 3.4.0)) $(eval $(call nf_add,IPT_CORE,CONFIG_IP_NF_TARGET_LOG, $(P_V4)ipt_LOG, lt 3.4.0)) diff --git a/package/network/utils/iptables/patches/500-add-xt_id-match.patch b/package/network/utils/iptables/patches/500-add-xt_id-match.patch new file mode 100644 index 0000000000..94762f0ab7 --- /dev/null +++ b/package/network/utils/iptables/patches/500-add-xt_id-match.patch @@ -0,0 +1,59 @@ +--- /dev/null ++++ b/extensions/libxt_id.c +@@ -0,0 +1,45 @@ ++/* Shared library add-on to iptables to add id match support. */ ++ ++#include ++#include ++#include ++ ++enum { ++ O_ID = 0, ++}; ++ ++static const struct xt_option_entry id_opts[] = { ++ { ++ .name = "id", ++ .id = O_ID, ++ .type = XTTYPE_UINT32, ++ .flags = XTOPT_MAND | XTOPT_PUT, ++ XTOPT_POINTER(struct xt_id_info, id) ++ }, ++ XTOPT_TABLEEND, ++}; ++ ++/* Saves the union ipt_matchinfo in parsable form to stdout. */ ++static void ++id_save(const void *ip, const struct xt_entry_match *match) ++{ ++ struct xt_id_info *idinfo = (void *)match->data; ++ ++ printf(" --id %lu", idinfo->id); ++} ++ ++static struct xtables_match id_match = { ++ .family = NFPROTO_UNSPEC, ++ .name = "id", ++ .version = XTABLES_VERSION, ++ .size = XT_ALIGN(sizeof(struct xt_id_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_id_info)), ++ .save = id_save, ++ .x6_parse = xtables_option_parse, ++ .x6_options = id_opts, ++}; ++ ++void _init(void) ++{ ++ xtables_register_match(&id_match); ++} +--- /dev/null ++++ b/include/linux/netfilter/xt_id.h +@@ -0,0 +1,8 @@ ++#ifndef _XT_ID_H ++#define _XT_ID_H ++ ++struct xt_id_info { ++ __u32 id; ++}; ++ ++#endif /* XT_ID_H */ diff --git a/target/linux/generic/patches-3.10/615-netfilter_add_xt_id_match.patch b/target/linux/generic/patches-3.10/615-netfilter_add_xt_id_match.patch new file mode 100644 index 0000000000..6fa94a3895 --- /dev/null +++ b/target/linux/generic/patches-3.10/615-netfilter_add_xt_id_match.patch @@ -0,0 +1,95 @@ +--- a/include/uapi/linux/netfilter/Kbuild ++++ b/include/uapi/linux/netfilter/Kbuild +@@ -51,6 +51,7 @@ header-y += xt_ecn.h + header-y += xt_esp.h + header-y += xt_hashlimit.h + header-y += xt_helper.h ++header-y += xt_id.h + header-y += xt_iprange.h + header-y += xt_ipvs.h + header-y += xt_layer7.h +--- /dev/null ++++ b/include/uapi/linux/netfilter/xt_id.h +@@ -0,0 +1,8 @@ ++#ifndef _XT_ID_H ++#define _XT_ID_H ++ ++struct xt_id_info { ++ u32 id; ++}; ++ ++#endif /* XT_ID_H */ +--- a/net/netfilter/Kconfig ++++ b/net/netfilter/Kconfig +@@ -989,6 +989,13 @@ config NETFILTER_XT_MATCH_HL + in the IPv6 header, or the time-to-live field in the IPv4 + header of the packet. + ++config NETFILTER_XT_MATCH_ID ++ tristate '"id" match support' ++ depends on NETFILTER_ADVANCED ++ ---help--- ++ This option adds a `id' dummy-match, which allows you to put ++ numeric IDs into your iptables ruleset. ++ + config NETFILTER_XT_MATCH_IPRANGE + tristate '"iprange" address range match support' + depends on NETFILTER_ADVANCED +--- a/net/netfilter/Makefile ++++ b/net/netfilter/Makefile +@@ -115,6 +115,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += + obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o + obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o + obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o ++obj-$(CONFIG_NETFILTER_XT_MATCH_ID) += xt_id.o + obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o + obj-$(CONFIG_NETFILTER_XT_MATCH_IPVS) += xt_ipvs.o + obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o +--- /dev/null ++++ b/net/netfilter/xt_id.c +@@ -0,0 +1,45 @@ ++/* ++ * Implements a dummy match to allow attaching IDs to rules ++ * ++ * 2014-08-01 Jo-Philipp Wich ++ */ ++ ++#include ++#include ++#include ++#include ++ ++MODULE_AUTHOR("Jo-Philipp Wich "); ++MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a 32bit ID"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_id"); ++MODULE_ALIAS("ip6t_id"); ++ ++static bool ++id_mt(const struct sk_buff *skb, struct xt_action_param *par) ++{ ++ /* We always match */ ++ return true; ++} ++ ++static struct xt_match id_mt_reg __read_mostly = { ++ .name = "id", ++ .revision = 0, ++ .family = NFPROTO_UNSPEC, ++ .match = id_mt, ++ .matchsize = sizeof(struct xt_id_info), ++ .me = THIS_MODULE, ++}; ++ ++static int __init id_mt_init(void) ++{ ++ return xt_register_match(&id_mt_reg); ++} ++ ++static void __exit id_mt_exit(void) ++{ ++ xt_unregister_match(&id_mt_reg); ++} ++ ++module_init(id_mt_init); ++module_exit(id_mt_exit);