[tproxy] TProxy v4: libxt_TPROXY

Tue Jul 31 12:40:18 CEST 2007

Applies on top of iptables-svn6974.

---
 extensions/.tproxy-testx  |    3 +
 extensions/libxt_TPROXY.c |  114 ++++++++++++++++++++++++++++++++++++++++++++++
 extensions/libxt_socket.c |   49 +++++++++++++++++++
 3 files changed, 166 insertions(+)

Index: iptables/extensions/.tproxy-testx
===================================================================

--- /dev/null
+++ iptables/extensions/.tproxy-testx
@@ -0,0 +1,3 @@
+#!/bin/sh
+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h" ] && echo TPROXY;
+echo socket;
Index: iptables/extensions/libxt_TPROXY.c
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_TPROXY.c
@@ -0,0 +1,114 @@
+/* Shared library add-on to iptables to add TPROXY target support.
+ *
+ * Copyright (C) 2002-2007 BalaBit IT Ltd.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/xt_TPROXY.h>
+
+static const struct option tproxy_opts[] = {
+	{"on-port", 1, NULL, '1'},
+	{"on-ip",   1, NULL, '2'},
+	{NULL},
+};
+
+static void tproxy_help(void)
+{
+	printf(
+"TPROXY target v%s options:\n"
+"  --on-port port                   Redirect connection to port, or the original port if 0\n"
+"  --on-ip ip                       Optionally redirect to the given IP\n",
+IPTABLES_VERSION);
+}
+
+static void parse_tproxy_lport(const char *s, struct xt_tproxy_info *info)
+{
+	unsigned int lport;
+
+	if (string_to_number(s, 0, 65535, &lport) != -1)
+	        info->lport = htons(lport);
+	else
+	        exit_error(PARAMETER_PROBLEM, "bad --on-proxy `%s'", s);
+}
+
+static void parse_tproxy_laddr(const char *s, struct xt_tproxy_info *info)
+{
+	struct in_addr *laddr;
+
+	if ((laddr = dotted_to_addr(s)) == NULL)
+	        exit_error(PARAMETER_PROBLEM, "bad --on-ip `%s'", s);
+ 	info->laddr = laddr->s_addr;
+}
+
+static int tproxy_parse(int c, char **argv, int invert, unsigned int *flags,
+                        const void *entry, struct xt_entry_target **target)
+{
+	struct xt_tproxy_info *tproxyinfo = (void *)(*target)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags != 0)
+			exit_error(PARAMETER_PROBLEM,
+				"TPROXY target: Can't specify --to-port twice");
+		parse_tproxy_lport(optarg, tproxyinfo);
+		*flags = 1;
+		break;
+	case '2':
+		parse_tproxy_laddr(optarg, tproxyinfo);
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void tproxy_check(unsigned int flags)
+{
+	if (flags == 0)
+		exit_error(PARAMETER_PROBLEM,
+		           "TPROXY target: Parameter --on-port is required");
+}
+
+static void tproxy_print(const void *ip, const struct xt_entry_target *target,
+                         int numeric)
+{
+	const struct xt_tproxy_info *tproxyinfo = (const void *)target->data;
+	printf("TPROXY redirect %s:%d",
+	       addr_to_dotted((const struct in_addr *)&tproxyinfo->laddr),
+	       ntohs(tproxyinfo->lport));
+}
+
+static void tproxy_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_tproxy_info *tproxyinfo = (const void *)target->data;
+
+	printf("--on-port %d ", ntohs(tproxyinfo->lport));
+	printf("--on-ip %s ",
+	       addr_to_dotted((const struct in_addr *)&tproxyinfo->laddr));
+}
+
+static struct xtables_target tproxy_reg = {
+	.name          = "TPROXY",
+	.family        = AF_INET,
+	.version       = IPTABLES_VERSION,
+	.size          = XT_ALIGN(sizeof(struct xt_tproxy_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_info)),
+	.help          = tproxy_help,
+	.parse         = tproxy_parse,
+	.final_check   = tproxy_check,
+	.print         = tproxy_print,
+	.save          = tproxy_save,
+	.extra_opts    = tproxy_opts,
+};
+
+void _init(void)
+{
+	xtables_register_target(&tproxy_reg);
+}
Index: iptables/extensions/libxt_socket.c
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_socket.c
@@ -0,0 +1,49 @@
+/* Shared library add-on to iptables to add early socket matching support. */
+#include <stdio.h>
+#include <getopt.h>
+#include <xtables.h>
+
+static void socket_print(const void *ip, const struct xt_entry_match *match,
+                         int numeric)
+{
+	printf("socket ");
+}
+
+static int socket_parse(int c, char **argv, int invert, unsigned int *flags,
+                        const void *entry, unsigned int *nfcache,
+                        struct xt_entry_match **match)
+{
+	return 0;
+}
+
+static void socket_check(unsigned int flags)
+{
+}
+
+static struct xtables_match socket_reg = {
+	.name          = "socket",
+	.family        = AF_INET,
+	.version       = IPTABLES_VERSION,
+	.size          = XT_ALIGN(0),
+	.userspacesize = XT_ALIGN(0),
+	.parse         = socket_parse,
+	.final_check   = socket_check,
+	.print         = socket_print,
+};
+
+static struct xtables_match socket_reg6 = {
+	.name          = "socket",
+	.family        = AF_INET6,
+	.version       = IPTABLES_VERSION,
+	.size          = XT_ALIGN(0),
+	.userspacesize = XT_ALIGN(0),
+	.parse         = socket_parse,
+	.final_check   = socket_check,
+	.print         = socket_print,
+};
+
+void _init(void)
+{
+	xtables_register_match(&socket_reg);
+	xtables_register_match(&socket_reg6);
+}
