Index: linux-2.6.17.1/include/linux/netfilter_ipv4/ipt_gateway.h
===================================================================
--- /dev/null
+++ linux-2.6.17.1/include/linux/netfilter_ipv4/ipt_gateway.h
@@ -0,0 +1,13 @@
+#ifndef _IPT_GATEWAY_H
+#define _IPT_GATEWAY_H
+
+#define IPT_GATEWAY_INV 0x1 /* Negate the condition */
+#define IPT_GATEWAY_ROUTE 0x2 /* ...and the gateway is not the final hop */
+
+struct ipt_gateway_info {
+ /* Inclusive: network order. */
+ u_int32_t gateway;
+ u_int8_t flags;
+};
+
+#endif /* _IPT_GATEWAY_H */
Index: linux-2.6.17.1/net/ipv4/netfilter/Kconfig
===================================================================
--- linux-2.6.17.1.orig/net/ipv4/netfilter/Kconfig
+++ linux-2.6.17.1/net/ipv4/netfilter/Kconfig
@@ -361,6 +361,15 @@ config IP_NF_MATCH_IPRANGE
 To compile it as a module, choose M here. If unsure, say N.
+config IP_NF_MATCH_GATEWAY
+ tristate "IP gateway match support"
+ depends on IP_NF_IPTABLES
+ help
+ This option makes possible to match the IP address of the
+ routed gateway for routed packets.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
 config IP_NF_MATCH_TOS
 tristate "TOS match support"
 depends on IP_NF_IPTABLES
Index: linux-2.6.17.1/net/ipv4/netfilter/Makefile
===================================================================
--- linux-2.6.17.1.orig/net/ipv4/netfilter/Makefile
+++ linux-2.6.17.1/net/ipv4/netfilter/Makefile
@@ -53,6 +53,7 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
 # matches
 obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
+obj-$(CONFIG_IP_NF_MATCH_GATEWAY) += ipt_gateway.o
 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
Index: linux-2.6.17.1/net/ipv4/netfilter/ipt_gateway.c
===================================================================
--- /dev/null
+++ linux-2.6.17.1/net/ipv4/netfilter/ipt_gateway.c
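Review bot: The comment above the `gateway` member of `struct ipt_gateway_info` is carried over from ipt_iprange's min/max pair and no longer fits a single address — "Inclusive" has no meaning for one value. I would replace it with `/* Next-hop gateway address, network byte order. */` and give `flags` its own `/* IPT_GATEWAY_* bits */`. Since the kernel module registers `sizeof(struct ipt_gateway_info)` as its matchsize, this struct is the userspace/kernel ABI for the match, so a one-line header comment saying that the layout must stay in step with the iptables extension would be worth adding as well.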
@@ -0,0 +1,69 @@
+/*
+ * iptables module to match nexthop router by IP address
+ * (C) 2007 UFO Mechanic
+ * to save time and bugs, based on ip_range by
+ * (C) 2003 Jozsef Kadlecsik
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include
+#include
+#include
+#include
+#include
+#include
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Sam Liddicott ");
+MODULE_DESCRIPTION("iptables nexthop gateway IP match module");
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const struct xt_match *match,
+ const void *matchinfo,
+ int offset, unsigned int protoff, int *hotdrop)
+{
+ const struct ipt_gateway_info *info = matchinfo;
+ const struct iphdr *iph = skb->nh.iph;
+
+ return ( !!(info->flags & IPT_GATEWAY_INV) ^
+ ( skb && skb->dst && skb->dst->neighbour &&
+ skb->dst->neighbour->tbl &&
+ skb->dst->neighbour->tbl->family == AF_INET &&
+ /* so info->gateway is network bytes order */
+ memcmp(&info->gateway,
+ &skb->dst->neighbour->primary_key,
+ skb->dst->neighbour->tbl->key_len)==0 &&
+ ( (info->flags & IPT_GATEWAY_ROUTE) == 0 || iph->daddr != info->gateway) ) );
+}
+
+static struct ipt_match gateway_match = {
+ .name = "gateway",
+ .match = match,
+ .matchsize = sizeof(struct ipt_gateway_info),
+ .destroy = NULL,
+ .me = THIS_MODULE
+};
+
+static int __init ipt_gateway_init(void)
+{
+ return ipt_register_match(&gateway_match);
+}
+
+static void __exit ipt_gateway_fini(void)
+{
+ ipt_unregister_match(&gateway_match);
+}
+
+module_init(ipt_gateway_init);
+module_exit(ipt_gateway_fini);
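Review bot: The `skb &&` guard at the head of match()'s return expression is dead, because `skb->nh.iph` is already dereferenced two lines above it; either drop the guard or move the `iph` load below the checks so the intent is not misleading. The more consequential gap is that nothing restricts which hooks the match may be used in: `skb->dst` (and, as far as I can tell, `dst->neighbour`) is only set once routing has run, so before routing the `&&` chain short-circuits and the plain form never matches, while with IPT_GATEWAY_INV the same rule matches every packet, so a `! --gateway` rule placed in PREROUTING silently becomes match-all. Since `gateway_match` leaves `.hooks` unset, I would at minimum add above it `/* Only meaningful after routing: where skb->dst is NULL this match fails for every packet (or, with IPT_GATEWAY_INV, succeeds for every packet). */`, and ideally set `.hooks` to the post-routing hooks so such rules are refused at insertion time. The `DEBUGP` macro and the `offset`/`protoff`/`hotdrop` parameters are inherited from ipt_iprange and unused here.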