From: Patrick McHardy <kaber@trash.net>
To: Laszlo Attila Toth <panther@balabit.hu>
Cc: David Miller <davem@davemloft.net>, netdev@vger.kernel.org
Subject: Re: [IFGROUPv4 iptables] Interface group match
Date: Thu, 25 Oct 2007 17:25:50 +0200 [thread overview]
Message-ID: <4720B57E.4000402@trash.net> (raw)
In-Reply-To: <11933245933190-git-send-email-panther@balabit.hu>
Laszlo Attila Toth wrote:
> +++ extensions/libxt_ifgroup.c (revision 0)
> @@ -0,0 +1,196 @@
> +/*
> + * Shared library add-on to iptables to match
> + * packets by the incoming interface group.
> + *
> + * (c) 2006, 2007 Balazs Scheidler <bazsi@balabit.hu>,
> + * Laszlo Attila Toth <panther@balabit.hu>
> + */
> +#include <stdio.h>
> +#include <netdb.h>
> +#include <string.h>
> +#include <stdlib.h>
> +#include <getopt.h>
> +#include <xtables.h>
> +#include <linux/netfilter/xt_ifgroup.h>
> +
> +static void
> +ifgroup_help(void)
> +{
> + printf(
> +"ifgroup v%s options:\n"
> +" --ifgroup-in [!] group[/mask] incoming interface group and its mask\n"
> +" --ifgroup-out [!] group[/mask] outgoing interface group and its mask\n"
> +"\n", IPTABLES_VERSION);
> +}
> +
> +static struct option opts[] = {
> + {"ifgroup-in", 1, 0, '1'},
> + {"ifgroup-out", 1, 0, '2'},
The third member is a pointer, please use NULL.
> + { }
> +};
> +
> +#define PARAM_MATCH_IN 0x01
> +#define PARAM_MATCH_OUT 0x02
> +
> +static int
> +ifgroup_parse(int c, char **argv, int invert, unsigned int *flags,
> + const void *entry, struct xt_entry_match **match)
> +{
> + struct xt_ifgroup_info *info =
> + (struct xt_ifgroup_info *) (*match)->data;
> + char *end;
> +
> + switch (c)
> + {
This goes on the same line as the switch statement please.
> + case '1':
And please no extra indentation for the case labels.
> + if (*flags & PARAM_MATCH_IN)
> + exit_error(PARAMETER_PROBLEM,
> + "ifgroup match: Can't specify --ifgroup-in twice");
> +
> + check_inverse(optarg, &invert, &optind, 0);
> +
> + info->in_group = strtoul(optarg, &end, 0);
> + info->in_mask = 0xffffffffUL;
in_mask is not an unsigned long but an unsigned int.
> +
> + if (*end == '/')
> + info->in_mask = strtoul(end+1, &end, 0);
> +
> + if (*end != '\0' || end == optarg)
> + exit_error(PARAMETER_PROBLEM,
> + "ifgroup match: Bad ifgroup value `%s'",
> + optarg);
> +
> + if (invert)
> + info->flags |= XT_IFGROUP_INVERT_IN;
> +
> + *flags |= PARAM_MATCH_IN;
> + info->flags |= XT_IFGROUP_MATCH_IN;
> + break;
> + case '2':
> + if (*flags & PARAM_MATCH_OUT)
> + exit_error(PARAMETER_PROBLEM,
> + "ifgroup match: Can't specify "
> + "--ifgroup-out twice");
> +
> + check_inverse(optarg, &invert, &optind, 0);
> +
> + info->out_group = strtoul(optarg, &end, 0);
> + info->out_mask = 0xffffffffUL;
> +
> + if (*end == '/')
> + info->out_mask = strtoul(end+1, &end, 0);
> +
> + if (*end != '\0' || end == optarg)
> + exit_error(PARAMETER_PROBLEM,
> + "ifgroup match: Bad ifgroup "
> + "value `%s'",
> + optarg);
> +
> + if (invert)
> + info->flags |= XT_IFGROUP_INVERT_OUT;
> +
> + *flags |= PARAM_MATCH_OUT;
> + info->flags |= XT_IFGROUP_MATCH_OUT;
> + break;
> + default:
> + return 0;
> + }
> +
> + return 1;
> +}
> +
> +static void
> +ifgroup_final_check(unsigned int flags)
> +{
> + if (!flags)
> + exit_error(PARAMETER_PROBLEM,
> + "You must specify either "
> + "`--ifgroup-in' or `--ifgroup-out'");
> +}
> +
> +static void
> +ifgroup_print_value_in(struct xt_ifgroup_info *info)
> +{
> + printf("0x%x/0x%x ", info->in_group, info->in_mask);
> +}
> +
> +static void
> +ifgroup_print_value_out(struct xt_ifgroup_info *info)
> +{
> + printf("0x%x/0x%x ", info->out_group, info->out_mask);
> +}
Just a suggestion: not printing the mask when it's ~0 would
improve readability.
> +
> +static void
> +ifgroup_print(const void *ip,
> + const struct xt_entry_match *match,
> + int numeric)
> +{
> + struct xt_ifgroup_info *info =
> + (struct xt_ifgroup_info *) match->data;
> +
> + printf("ifgroup ");
> +
> + if (info->flags & XT_IFGROUP_MATCH_IN) {
> + printf("in %s",
> + info->flags & XT_IFGROUP_INVERT_IN ? "! " : "");
> + ifgroup_print_value_in(info);
> + }
> + if (info->flags & XT_IFGROUP_MATCH_OUT) {
> + printf("out %s",
> + info->flags & XT_IFGROUP_INVERT_OUT ? "! " : "");
> + ifgroup_print_value_out(info);
> + }
> +}
> +
> +static void
> +ifgroup_save(const void *ip, const struct xt_entry_match *match)
> +{
> + struct xt_ifgroup_info *info =
> + (struct xt_ifgroup_info *) match->data;
> +
> + if (info->flags & XT_IFGROUP_MATCH_IN) {
> + printf("--ifgroup-in %s",
> + info->flags & XT_IFGROUP_INVERT_IN ? "! " : "");
> + ifgroup_print_value_in(info);
> + }
> + if (info->flags & XT_IFGROUP_MATCH_OUT) {
> + printf("--ifgroup-out %s",
> + info->flags & XT_IFGROUP_INVERT_OUT ? "! " : "");
> + ifgroup_print_value_out(info);
> + }
> +}
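Review bot: In ifgroup_parse, the check `if (*end != '\0' || end == optarg)` runs after the mask's strtoul() has overwritten `end`, so arguments with an empty number on either side of the slash (`/5`, `5/`) are accepted and silently store a group or mask of 0; the `--ifgroup-out` branch has the same problem. Neither strtoul() result is range-checked, so on a 64-bit host a value above 0xffffffff would be truncated on assignment, assuming the fields are 32-bit as the existing comment on in_mask indicates. For a firewall match this means a mistyped rule loads without error and matches something other than what the administrator wrote. I would route every number through one checked helper, as sketched below (it needs `<errno.h>`). The quoted hunk is trimmed after ifgroup_save, so the match registration is not visible here.

```c
/* Parse one number that must fit in 32 bits; *endp is left at the first unparsed character. */
static int
ifgroup_parse_u32(const char *s, char **endp, unsigned int *res)
{
	unsigned long v;

	errno = 0;
	v = strtoul(s, endp, 0);
	if (*endp == s || errno == ERANGE || v > 0xffffffffUL)
		return -1;
	*res = v;
	return 0;
}

/* … in ifgroup_parse(): new locals next to `char *end;` … */
	unsigned int group, mask = 0xffffffff;

	case '1':
		/* … unchanged: duplicate-option check, check_inverse() … */
		if (ifgroup_parse_u32(optarg, &end, &group) < 0 ||
		    (*end == '/' && ifgroup_parse_u32(end + 1, &end, &mask) < 0) ||
		    *end != '\0')
			exit_error(PARAMETER_PROBLEM,
				   "ifgroup match: Bad ifgroup value `%s'",
				   optarg);
		info->in_group = group;
		info->in_mask = mask;
		/* … unchanged: invert and flag handling; case '2' gets the same change … */
```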