#include <stdio.h>
|
#include <xtables.h>
|
#include <linux/netfilter/xt_rpfilter.h>
|
|
enum {
|
O_RPF_LOOSE = 0,
|
O_RPF_VMARK = 1,
|
O_RPF_ACCEPT_LOCAL = 2,
|
O_RPF_INVERT = 3,
|
};
|
|
static void rpfilter_help(void)
|
{
|
printf(
|
"rpfilter match options:\n"
|
" --loose permit reverse path via any interface\n"
|
" --validmark use skb nfmark when performing route lookup\n"
|
" --accept-local do not reject packets with a local source address\n"
|
" --invert match packets that failed the reverse path test\n"
|
);
|
}
|
|
static const struct xt_option_entry rpfilter_opts[] = {
|
{.name = "loose", .id = O_RPF_LOOSE, .type = XTTYPE_NONE, },
|
{.name = "validmark", .id = O_RPF_VMARK, .type = XTTYPE_NONE, },
|
{.name = "accept-local", .id = O_RPF_ACCEPT_LOCAL, .type = XTTYPE_NONE, },
|
{.name = "invert", .id = O_RPF_INVERT, .type = XTTYPE_NONE, },
|
XTOPT_TABLEEND,
|
};
|
|
static void rpfilter_parse(struct xt_option_call *cb)
|
{
|
struct xt_rpfilter_info *rpfinfo = cb->data;
|
|
xtables_option_parse(cb);
|
switch (cb->entry->id) {
|
case O_RPF_LOOSE:
|
rpfinfo->flags |= XT_RPFILTER_LOOSE;
|
break;
|
case O_RPF_VMARK:
|
rpfinfo->flags |= XT_RPFILTER_VALID_MARK;
|
break;
|
case O_RPF_ACCEPT_LOCAL:
|
rpfinfo->flags |= XT_RPFILTER_ACCEPT_LOCAL;
|
break;
|
case O_RPF_INVERT:
|
rpfinfo->flags |= XT_RPFILTER_INVERT;
|
break;
|
}
|
}
|
|
static void
|
rpfilter_print_prefix(const void *ip, const void *matchinfo,
|
const char *prefix)
|
{
|
const struct xt_rpfilter_info *info = matchinfo;
|
if (info->flags & XT_RPFILTER_LOOSE)
|
printf(" %s%s", prefix, rpfilter_opts[O_RPF_LOOSE].name);
|
if (info->flags & XT_RPFILTER_VALID_MARK)
|
printf(" %s%s", prefix, rpfilter_opts[O_RPF_VMARK].name);
|
if (info->flags & XT_RPFILTER_ACCEPT_LOCAL)
|
printf(" %s%s", prefix, rpfilter_opts[O_RPF_ACCEPT_LOCAL].name);
|
if (info->flags & XT_RPFILTER_INVERT)
|
printf(" %s%s", prefix, rpfilter_opts[O_RPF_INVERT].name);
|
}
|
|
|
static void
|
rpfilter_print(const void *ip, const struct xt_entry_match *match, int numeric)
|
{
|
printf(" rpfilter");
|
return rpfilter_print_prefix(ip, match->data, "");
|
}
|
|
static void rpfilter_save(const void *ip, const struct xt_entry_match *match)
|
{
|
return rpfilter_print_prefix(ip, match->data, "--");
|
}
|
|
static int rpfilter_xlate(struct xt_xlate *xl,
|
const struct xt_xlate_mt_params *params)
|
{
|
const struct xt_rpfilter_info *info = (void *)params->match->data;
|
bool invert = info->flags & XT_RPFILTER_INVERT;
|
|
if (info->flags & XT_RPFILTER_ACCEPT_LOCAL) {
|
if (invert)
|
xt_xlate_add(xl, "fib saddr type != local ");
|
else
|
return 0;
|
}
|
|
xt_xlate_add(xl, "fib saddr ");
|
|
if (info->flags & XT_RPFILTER_VALID_MARK)
|
xt_xlate_add(xl, ". mark ");
|
if (!(info->flags & XT_RPFILTER_LOOSE))
|
xt_xlate_add(xl, ". iif ");
|
|
xt_xlate_add(xl, "oif %s0", invert ? "" : "!= ");
|
|
return 1;
|
}
|
|
static struct xtables_match rpfilter_match = {
|
.family = NFPROTO_UNSPEC,
|
.name = "rpfilter",
|
.version = XTABLES_VERSION,
|
.size = XT_ALIGN(sizeof(struct xt_rpfilter_info)),
|
.userspacesize = XT_ALIGN(sizeof(struct xt_rpfilter_info)),
|
.help = rpfilter_help,
|
.print = rpfilter_print,
|
.save = rpfilter_save,
|
.x6_parse = rpfilter_parse,
|
.x6_options = rpfilter_opts,
|
.xlate = rpfilter_xlate,
|
};
|
|
void _init(void)
|
{
|
xtables_register_match(&rpfilter_match);
|
}
|
