* [PATCHv4 0/2] Find address type on the packet's interface
From: Laszlo Attila Toth @ 2007-11-19 15:55 UTC
To: Patrick McHardy; +Cc: netfilter-devel, Laszlo Attila Toth
Hi Patrick,
This extension of addrtype match lets the address type checking be
limited to the incoming or outgoing interface of the packets depending
on the current hook.
In the FORWARD chain only one check is allowed but the user can choose
which one they would like to specify.
Because of this extension the match has a new revision. Rev 0 can be
used by older tools and rev 1 is for the modified iptables match.
The iptables patch is for revision 1 only.
Both the kernel module and the iptables module have moved to xtables,
but the kernel module uses ipt_addrtype_info in revision 0.
Usage:
iptables -A INPUT -m addrtype ... --limit-iface-in -j ACCEPT
iptables -A OUTPUT -m addrtype ... --limit-iface-out -j ACCEPT
# 2 rules in the FORWARD chain
iptables -A FORWARD -m addrtype ... --limit-iface-in -j ACCEPT
iptables -A FORWARD -m addrtype ... --limit-iface-out -j ACCEPT
Patches:
[kernel 1/2] Find address type on a specific or on any interface
[kernel 2/2] Addrtype match: limit addrtype check to an interface.
Moved to xtables
[iptables] Address type match: limited to incoming or outgoing interface.
Moved to xtables
Regards,
Attila
* [PATCHv4 1/2] Find address type on a specific or on any interface
From: Laszlo Attila Toth @ 2007-11-19 15:55 UTC
To: Patrick McHardy; +Cc: netfilter-devel, Laszlo Attila Toth
Address type search can be limited to an interface by the
inet_dev_addr_type function.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
include/net/route.h | 1 +
net/ipv4/fib_frontend.c | 20 ++++++++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/include/net/route.h b/include/net/route.h
index f7ce625..d155c29 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -119,6 +119,7 @@ extern unsigned short ip_rt_frag_needed(struct iphdr *iph, unsigned short new_mt
extern void ip_rt_send_redirect(struct sk_buff *skb);
extern unsigned inet_addr_type(__be32 addr);
+extern unsigned inet_dev_addr_type(__be32 addr, const struct net_device *dev);
extern void ip_rt_multicast_event(struct in_device *);
extern int ip_rt_ioctl(unsigned int cmd, void __user *arg);
extern void ip_rt_get_source(u8 *src, struct rtable *rt);
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 732d8f0..f116f61 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -155,7 +155,11 @@ out:
return dev;
}
-unsigned inet_addr_type(__be32 addr)
+/*
+ * Find address type as if only "dev" was present in the system. If
+ * on_dev is NULL then all interfaces are taken into consideration.
+ */
+static inline unsigned __inet_dev_addr_type(__be32 addr, const struct net_device *dev)
{
struct flowi fl = { .nl_u = { .ip4_u = { .daddr = addr } } };
struct fib_result res;
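Review bot: the comment added above the new helper refers to `on_dev`, but the parameter it describes is named `dev`; make the two agree, e.g. "If dev is NULL then all interfaces are taken into consideration.", so the comment does not mislead readers of __inet_dev_addr_type().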
@@ -175,13 +179,24 @@ unsigned inet_addr_type(__be32 addr)
if (local_table) {
ret = RTN_UNICAST;
if (!local_table->tb_lookup(local_table, &fl, &res)) {
- ret = res.type;
+ if ((!dev || dev == res.fi->fib_dev))
+ ret = res.type;
fib_res_put(&res);
}
}
return ret;
}
+unsigned inet_addr_type(__be32 addr)
+{
+ return __inet_dev_addr_type(addr, NULL);
+}
+
+unsigned inet_dev_addr_type(__be32 addr, const struct net_device *dev)
+{
+ return __inet_dev_addr_type(addr, dev);
+}
+
/* Given (packet source, input interface) and optional (dst, oif, tos):
- (main) check, that source is valid i.e. not broadcast or our local
address.
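Review bot: `if ((!dev || dev == res.fi->fib_dev))` carries a redundant outer pair of parentheses; write `if (!dev || dev == res.fi->fib_dev)`. The comparison also dereferences `res.fi` unconditionally, so the new interface check relies on every local-table hit carrying a fib_info; please confirm that holds for all route types that can be inserted into the local table, or guard the comparison with `res.fi &&`.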
@@ -925,4 +940,5 @@ void __init ip_fib_init(void)
}
EXPORT_SYMBOL(inet_addr_type);
+EXPORT_SYMBOL(inet_dev_addr_type);
EXPORT_SYMBOL(ip_dev_find);
--
1.5.2.5
* [PATCHv4 2/2] Addrtype match: limit addrtype check to an interface. Moved to xtables
From: Laszlo Attila Toth @ 2007-11-19 15:55 UTC
To: Patrick McHardy; +Cc: netfilter-devel, Laszlo Attila Toth
Addrtype match has a new revision (1), which lets address type checking
be limited to the interface the current packet belongs to. Either the incoming
or the outgoing interface can be used depending on the current hook. In the
FORWARD hook two matches should be used if both interfaces have to be checked.
This revision uses xt_addrtype.h and is implemented in xt_addrtype.c.
Revision 0 lets older userspace programs use the match as before. The old
header, ipt_addrtype.h, is used.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
include/linux/netfilter/xt_addrtype.h | 18 ++++
net/ipv4/netfilter/Kconfig | 10 --
net/ipv4/netfilter/Makefile | 1 -
net/ipv4/netfilter/ipt_addrtype.c | 66 ---------------
net/netfilter/Kconfig | 12 +++-
net/netfilter/Makefile | 1 +
net/netfilter/xt_addrtype.c | 149 +++++++++++++++++++++++++++++++++
7 files changed, 179 insertions(+), 78 deletions(-)
diff --git a/include/linux/netfilter/xt_addrtype.h b/include/linux/netfilter/xt_addrtype.h
new file mode 100644
index 0000000..e3f0fd5
--- /dev/null
+++ b/include/linux/netfilter/xt_addrtype.h
@@ -0,0 +1,18 @@
+#ifndef _XT_ADDRTYPE_H
+#define _XT_ADDRTYPE_H
+
+enum
+{
+ XT_ADDRTYPE_INVERT_SOURCE = 0x0001,
+ XT_ADDRTYPE_INVERT_DEST = 0x0002,
+ XT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004,
+ XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008,
+};
+
+struct xt_addrtype_info {
+ u_int16_t source; /* source-type mask */
+ u_int16_t dest; /* dest-type mask */
+ u_int32_t flags;
+};
+
+#endif
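Review bot: the anonymous enum puts its opening brace on its own line (`enum` followed by `{`), which is not the kernel's style for enums; use `enum {`. Since this header is exported to userspace and is duplicated verbatim in the iptables patch, it is also worth considering the exported `__u16`/`__u32` types for the `source`, `dest` and `flags` fields instead of `u_int16_t`/`u_int32_t`, so both copies compile without pulling in libc typedefs.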
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 9aca9c5..4086ab2 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -120,16 +120,6 @@ config IP_NF_MATCH_OWNER
To compile it as a module, choose M here. If unsure, say N.
-config IP_NF_MATCH_ADDRTYPE
- tristate 'address type match support'
- depends on IP_NF_IPTABLES
- help
- This option allows you to match what routing thinks of an address,
- eg. UNICAST, LOCAL, BROADCAST, ...
-
- If you want to compile it as a module, say M here and read
- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
-
# `filter', generic and specific targets
config IP_NF_FILTER
tristate "Packet filtering"
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 7456833..f107ade 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -41,7 +41,6 @@ obj-$(CONFIG_NF_NAT) += iptable_nat.o
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
# matches
-obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
deleted file mode 100644
index 59f01f7..0000000
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * iptables module to match inet_addr_type() of an ip.
- *
- * Copyright (c) 2004 Patrick McHardy <kaber@trash.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/netdevice.h>
-#include <linux/ip.h>
-#include <net/route.h>
-
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter/x_tables.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("iptables addrtype match");
-
-static inline bool match_type(__be32 addr, u_int16_t mask)
-{
- return !!(mask & (1 << inet_addr_type(addr)));
-}
-
-static bool match(const struct sk_buff *skb,
- const struct net_device *in, const struct net_device *out,
- const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, bool *hotdrop)
-{
- const struct ipt_addrtype_info *info = matchinfo;
- const struct iphdr *iph = ip_hdr(skb);
- bool ret = true;
-
- if (info->source)
- ret &= match_type(iph->saddr, info->source)^info->invert_source;
- if (info->dest)
- ret &= match_type(iph->daddr, info->dest)^info->invert_dest;
-
- return ret;
-}
-
-static struct xt_match addrtype_match __read_mostly = {
- .name = "addrtype",
- .family = AF_INET,
- .match = match,
- .matchsize = sizeof(struct ipt_addrtype_info),
- .me = THIS_MODULE
-};
-
-static int __init ipt_addrtype_init(void)
-{
- return xt_register_match(&addrtype_match);
-}
-
-static void __exit ipt_addrtype_fini(void)
-{
- xt_unregister_match(&addrtype_match);
-}
-
-module_init(ipt_addrtype_init);
-module_exit(ipt_addrtype_fini);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 21a9fcc..acff1db 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -363,7 +363,7 @@ config NETFILTER_XT_TARGET_TRACE
the tables, chains, rules.
If you want to compile it as a module, say M here and read
- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+ <file:Documentation/kbuild/modules.txt>. If unsure, say N.
config NETFILTER_XT_TARGET_SECMARK
tristate '"SECMARK" target support'
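Review bot: this hunk only changes the quoting of N in the NETFILTER_XT_TARGET_TRACE help text (`` `N' `` to `N`) and has nothing to do with the addrtype move; drop it or send it as a separate cleanup so the diff stays focused on the match.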
@@ -411,6 +411,16 @@ config NETFILTER_XT_TARGET_TCPMSS
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_ADDRTYPE
+ tristate 'address type match support'
+ depends on NETFILTER_XTABLES
+ help
+ This option allows you to match what routing thinks of an address,
+ eg. UNICAST, LOCAL, BROADCAST, ...
+
+ If you want to compile it as a module, say M here and read
+ <file:Documentation/kbuild/modules.txt>. If unsure, say N.
+
config NETFILTER_XT_MATCH_COMMENT
tristate '"comment" match support'
depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index ad0e36e..22dac5c 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -51,6 +51,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
# matches
+obj-$(CONFIG_NETFILTER_XT_MATCH_ADDRTYPE)+= xt_addrtype.o
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
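Review bot: the new line `obj-$(CONFIG_NETFILTER_XT_MATCH_ADDRTYPE)+= xt_addrtype.o` is missing the space before `+=` that every neighbouring entry has; align it with `obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o`.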
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
new file mode 100644
index 0000000..f463c34
--- /dev/null
+++ b/net/netfilter/xt_addrtype.c
@@ -0,0 +1,149 @@
+/*
+ * iptables module to match inet_addr_type() of an ip.
+ *
+ * Copyright (c) 2004 Patrick McHardy <kaber@trash.net>
+ * (C) 2007 Laszlo Attila Toth <panther@balabit.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/ip.h>
+#include <net/route.h>
+
+#include <linux/netfilter_ipv4/ipt_addrtype.h>
+#include <linux/netfilter/xt_addrtype.h>
+#include <linux/netfilter/x_tables.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("iptables addrtype match");
+MODULE_ALIAS("ipt_addrtype");
+
+static inline bool match_type(__be32 addr,
+ const struct net_device *in,
+ u_int16_t mask)
+{
+ return !!(mask & (1 << inet_dev_addr_type(addr, in)));
+}
+
+static bool addrtype_match_v0(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const struct xt_match *match,
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct ipt_addrtype_info *info = matchinfo;
+ const struct iphdr *iph = ip_hdr(skb);
+ bool ret = true;
+
+ if (info->source)
+ ret &= match_type(iph->saddr, NULL, info->source)^info->invert_source;
+ if (ret && info->dest)
+ ret &= match_type(iph->daddr, NULL, info->dest)^info->invert_dest;
+
+ return ret;
+}
+
+static bool addrtype_match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const struct xt_match *match,
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_addrtype_info *info = matchinfo;
+ const struct iphdr *iph = ip_hdr(skb);
+ const struct net_device *limit_dev = NULL;
+ bool ret = true;
+
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
+ limit_dev = in;
+ else if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
+ limit_dev = out;
+
+
+ if (info->source)
+ ret &= match_type(iph->saddr, limit_dev, info->source) ^
+ (info->flags & XT_ADDRTYPE_INVERT_SOURCE);
+ if (ret && info->dest)
+ ret &= match_type(iph->daddr, limit_dev, info->dest) ^
+ (info->flags & XT_ADDRTYPE_INVERT_DEST);
+
+ return ret;
+}
+
+static bool addrtype_checkentry(const char *tablename,
+ const void *ip_void,
+ const struct xt_match *match,
+ void *matchinfo,
+ unsigned int hook_mask)
+{
+ struct xt_addrtype_info *info = matchinfo;
+
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN &&
+ info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ printk(KERN_ERR "ipt_addrtype: both incoming and outgoing interface"
+ "limitation cannot be selected\n");
+ return false;
+ }
+
+ if (hook_mask & (1 << NF_INET_PRE_ROUTING | 1 << NF_INET_LOCAL_IN) &&
+ info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ printk(KERN_ERR "ipt_addrtype: output interface limitation "
+ "not valid in PRE_ROUTING and INPUT\n");
+ return false;
+ }
+ if (hook_mask & (1 << NF_INET_POST_ROUTING | 1 << NF_INET_LOCAL_OUT) &&
+ info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
+ printk(KERN_ERR "ipt_addrtype: input interface limitation "
+ "not valid in POST_ROUTING and OUTPUT\n");
+ return false;
+ }
+ return true;
+}
+
+static struct xt_match xt_addrtype_match[] __read_mostly = {
+ {
+ .name = "addrtype",
+ .family = AF_INET,
+ .revision = 0,
+ .match = addrtype_match_v0,
+ .matchsize = sizeof(struct ipt_addrtype_info),
+ .me = THIS_MODULE
+ },
+ {
+ .name = "addrtype",
+ .family = AF_INET,
+ .revision = 1,
+ .match = addrtype_match,
+ .checkentry = addrtype_checkentry,
+ .matchsize = sizeof(struct xt_addrtype_info),
+ .me = THIS_MODULE
+ }
+};
+
+static int __init xt_addrtype_init(void)
+{
+ return xt_register_matches(xt_addrtype_match,
+ ARRAY_SIZE(xt_addrtype_match));
+}
+
+static void __exit xt_addrtype_fini(void)
+{
+ xt_unregister_matches(xt_addrtype_match,
+ ARRAY_SIZE(xt_addrtype_match));
+}
+
+module_init(xt_addrtype_init);
+module_exit(xt_addrtype_fini);
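Review bot: the destination inversion in addrtype_match() does not work: `match_type(iph->daddr, limit_dev, info->dest) ^ (info->flags & XT_ADDRTYPE_INVERT_DEST)` XORs a bool with the raw flag value 0x0002, giving 2 or 3 instead of 0 or 1, and `ret &=` on that leaves ret exactly as if the flag were clear, so `! --dst-type` behaves like `--dst-type`. Normalise the flag with `!!(info->flags & XT_ADDRTYPE_INVERT_DEST)`; the source case only works because XT_ADDRTYPE_INVERT_SOURCE happens to be 0x0001, so using `!!` there as well keeps the two symmetric. Smaller points in the same file: the printk prefixes in addrtype_checkentry() still say `ipt_addrtype:` although the module is now xt_addrtype, the first message concatenates `"...outgoing interface"` and `"limitation cannot..."` without a separating space, and there is a doubled blank line before the `if (info->source)` block in addrtype_match().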
--
1.5.2.5
* [PATCHv4 iptables] Address type match: limited to incoming or outgoing interface. Moved to xtables
From: Laszlo Attila Toth @ 2007-11-19 15:55 UTC
To: Patrick McHardy; +Cc: netfilter-devel, Laszlo Attila Toth
Address type checking can be limited to the incoming or outgoing interface
depending on the current chain. In the FORWARD chain only one of them is
allowed at the same time.
The match is moved to xtables and only revision one is supported.
The man page is updated to print the address types in separate sections instead of
a single paragraph.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
extensions/Makefile | 4
extensions/libipt_addrtype.c | 203 -----------------------
extensions/libipt_addrtype.man | 35 ++++
extensions/libxt_addrtype.c | 239 ++++++++++++++++++++++++++++
include/linux/netfilter/xt_addrtype.h | 18 ++
include/linux/netfilter_ipv4/ipt_addrtype.h | 11 -
6 files changed, 294 insertions(+), 216 deletions(-)
Index: include/linux/netfilter/xt_addrtype.h
===================================================================
--- include/linux/netfilter/xt_addrtype.h (revision 0)
+++ include/linux/netfilter/xt_addrtype.h (revision 0)
@@ -0,0 +1,18 @@
+#ifndef _XT_ADDRTYPE_H
+#define _XT_ADDRTYPE_H
+
+enum
+{
+ XT_ADDRTYPE_INVERT_SOURCE = 0x0001,
+ XT_ADDRTYPE_INVERT_DEST = 0x0002,
+ XT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004,
+ XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008,
+};
+
+struct xt_addrtype_info {
+ u_int16_t source; /* source-type mask */
+ u_int16_t dest; /* dest-type mask */
+ u_int32_t flags;
+};
+
+#endif
Index: include/linux/netfilter_ipv4/ipt_addrtype.h
===================================================================
--- include/linux/netfilter_ipv4/ipt_addrtype.h (revision 7090)
+++ include/linux/netfilter_ipv4/ipt_addrtype.h (working copy)
@@ -1,11 +0,0 @@
-#ifndef _IPT_ADDRTYPE_H
-#define _IPT_ADDRTYPE_H
-
-struct ipt_addrtype_info {
- u_int16_t source; /* source-type mask */
- u_int16_t dest; /* dest-type mask */
- u_int32_t invert_source;
- u_int32_t invert_dest;
-};
-
-#endif
Index: extensions/libipt_addrtype.c
===================================================================
--- extensions/libipt_addrtype.c (revision 7090)
+++ extensions/libipt_addrtype.c (working copy)
@@ -1,203 +0,0 @@
-/* Shared library add-on to iptables to add addrtype matching support
- *
- * This program is released under the terms of GNU GPL */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
-
-/* from linux/rtnetlink.h, must match order of enumeration */
-static const char *const rtn_names[] = {
- "UNSPEC",
- "UNICAST",
- "LOCAL",
- "BROADCAST",
- "ANYCAST",
- "MULTICAST",
- "BLACKHOLE",
- "UNREACHABLE",
- "PROHIBIT",
- "THROW",
- "NAT",
- "XRESOLVE",
- NULL
-};
-
-static void addrtype_help_types(void)
-{
- int i;
-
- for (i = 0; rtn_names[i]; i++)
- printf(" %s\n", rtn_names[i]);
-}
-
-static void addrtype_help(void)
-{
- printf(
-"Address type match v%s options:\n"
-" [!] --src-type type[,...] Match source address type\n"
-" [!] --dst-type type[,...] Match destination address type\n"
-"\n"
-"Valid types: \n"
-, IPTABLES_VERSION);
- addrtype_help_types();
-}
-
-static int
-parse_type(const char *name, size_t strlen, u_int16_t *mask)
-{
- int i;
-
- for (i = 0; rtn_names[i]; i++)
- if (strncasecmp(name, rtn_names[i], strlen) == 0) {
- /* build up bitmask for kernel module */
- *mask |= (1 << i);
- return 1;
- }
-
- return 0;
-}
-
-static void parse_types(const char *arg, u_int16_t *mask)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_type(arg, comma-arg, mask))
- exit_error(PARAMETER_PROBLEM,
- "addrtype: bad type `%s'", arg);
- arg = comma + 1;
- }
-
- if (strlen(arg) == 0 || !parse_type(arg, strlen(arg), mask))
- exit_error(PARAMETER_PROBLEM, "addrtype: bad type `%s'", arg);
-}
-
-#define IPT_ADDRTYPE_OPT_SRCTYPE 0x1
-#define IPT_ADDRTYPE_OPT_DSTTYPE 0x2
-
-static int
-addrtype_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) (*match)->data;
-
- switch (c) {
- case '1':
- if (*flags&IPT_ADDRTYPE_OPT_SRCTYPE)
- exit_error(PARAMETER_PROBLEM,
- "addrtype: can't specify src-type twice");
- check_inverse(optarg, &invert, &optind, 0);
- parse_types(argv[optind-1], &info->source);
- if (invert)
- info->invert_source = 1;
- *flags |= IPT_ADDRTYPE_OPT_SRCTYPE;
- break;
- case '2':
- if (*flags&IPT_ADDRTYPE_OPT_DSTTYPE)
- exit_error(PARAMETER_PROBLEM,
- "addrtype: can't specify dst-type twice");
- check_inverse(optarg, &invert, &optind, 0);
- parse_types(argv[optind-1], &info->dest);
- if (invert)
- info->invert_dest = 1;
- *flags |= IPT_ADDRTYPE_OPT_DSTTYPE;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void addrtype_check(unsigned int flags)
-{
- if (!(flags & (IPT_ADDRTYPE_OPT_SRCTYPE|IPT_ADDRTYPE_OPT_DSTTYPE)))
- exit_error(PARAMETER_PROBLEM,
- "addrtype: you must specify --src-type or --dst-type");
-}
-
-static void print_types(u_int16_t mask)
-{
- const char *sep = "";
- int i;
-
- for (i = 0; rtn_names[i]; i++)
- if (mask & (1 << i)) {
- printf("%s%s", sep, rtn_names[i]);
- sep = ",";
- }
-
- printf(" ");
-}
-
-static void addrtype_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- const struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) match->data;
-
- printf("ADDRTYPE match ");
- if (info->source) {
- printf("src-type ");
- if (info->invert_source)
- printf("!");
- print_types(info->source);
- }
- if (info->dest) {
- printf("dst-type ");
- if (info->invert_dest)
- printf("!");
- print_types(info->dest);
- }
-}
-
-static void addrtype_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) match->data;
-
- if (info->source) {
- printf("--src-type ");
- if (info->invert_source)
- printf("! ");
- print_types(info->source);
- }
- if (info->dest) {
- printf("--dst-type ");
- if (info->invert_dest)
- printf("! ");
- print_types(info->dest);
- }
-}
-
-static const struct option addrtype_opts[] = {
- { "src-type", 1, NULL, '1' },
- { "dst-type", 1, NULL, '2' },
- { }
-};
-
-static struct iptables_match addrtype_match = {
- .name = "addrtype",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
- .help = addrtype_help,
- .parse = addrtype_parse,
- .final_check = addrtype_check,
- .print = addrtype_print,
- .save = addrtype_save,
- .extra_opts = addrtype_opts,
-};
-
-
-void _init(void)
-{
- register_match(&addrtype_match);
-}
Index: extensions/libxt_addrtype.c
===================================================================
--- extensions/libxt_addrtype.c (revision 0)
+++ extensions/libxt_addrtype.c (revision 0)
@@ -0,0 +1,239 @@
+/* Shared library add-on to iptables to add addrtype matching support
+ *
+ * This program is released under the terms of GNU GPL */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_addrtype.h>
+
+/* from linux/rtnetlink.h, must match order of enumeration */
+static const char *const rtn_names[] = {
+ "UNSPEC",
+ "UNICAST",
+ "LOCAL",
+ "BROADCAST",
+ "ANYCAST",
+ "MULTICAST",
+ "BLACKHOLE",
+ "UNREACHABLE",
+ "PROHIBIT",
+ "THROW",
+ "NAT",
+ "XRESOLVE",
+ NULL
+};
+
+static void addrtype_help_types(void)
+{
+ int i;
+
+ for (i = 0; rtn_names[i]; i++)
+ printf(" %s\n", rtn_names[i]);
+}
+
+static void addrtype_help(void)
+{
+ printf(
+"Address type match v%s options:\n"
+" [!] --src-type type[,...] Match source address type\n"
+" [!] --dst-type type[,...] Match destination address type\n"
+" --limit-iface-in Match only on the packet's incoming device\n"
+" --limit-iface-out Match only on the packet's incoming device\n"
+"\n"
+"Valid types: \n"
+, IPTABLES_VERSION);
+ addrtype_help_types();
+}
+
+static int
+addrtype_parse_type(const char *name, size_t strlen, u_int16_t *mask)
+{
+ int i;
+
+ for (i = 0; rtn_names[i]; i++)
+ if (strncasecmp(name, rtn_names[i], strlen) == 0) {
+ /* build up bitmask for kernel module */
+ *mask |= (1 << i);
+ return 1;
+ }
+
+ return 0;
+}
+
+static void addrtype_parse_types(const char *arg, u_int16_t *mask)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !addrtype_parse_type(arg, comma-arg, mask))
+ exit_error(PARAMETER_PROBLEM,
+ "addrtype: bad type `%s'", arg);
+ arg = comma + 1;
+ }
+
+ if (strlen(arg) == 0 || !addrtype_parse_type(arg, strlen(arg), mask))
+ exit_error(PARAMETER_PROBLEM, "addrtype: bad type `%s'", arg);
+}
+
+#define XT_ADDRTYPE_OPT_SRCTYPE 0x1
+#define XT_ADDRTYPE_OPT_DSTTYPE 0x2
+#define XT_ADDRTYPE_OPT_LIMIT_IFACE_IN 0x4
+#define XT_ADDRTYPE_OPT_LIMIT_IFACE_OUT 0x8
+
+static int
+addrtype_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_addrtype_info *info =
+ (struct xt_addrtype_info *) (*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & XT_ADDRTYPE_OPT_SRCTYPE)
+ exit_error(PARAMETER_PROBLEM,
+ "addrtype: can't specify src-type twice");
+ check_inverse(optarg, &invert, &optind, 0);
+ addrtype_parse_types(argv[optind-1], &info->source);
+ if (invert)
+ info->flags |= XT_ADDRTYPE_INVERT_SOURCE;
+ *flags |= XT_ADDRTYPE_OPT_SRCTYPE;
+ break;
+ case '2':
+ if (*flags & XT_ADDRTYPE_OPT_DSTTYPE)
+ exit_error(PARAMETER_PROBLEM,
+ "addrtype: can't specify dst-type twice");
+ check_inverse(optarg, &invert, &optind, 0);
+ addrtype_parse_types(argv[optind-1], &info->dest);
+ if (invert)
+ info->flags |= XT_ADDRTYPE_INVERT_DEST;
+ *flags |= XT_ADDRTYPE_OPT_DSTTYPE;
+ break;
+ case '3':
+ if (*flags & XT_ADDRTYPE_OPT_LIMIT_IFACE_IN)
+ exit_error(PARAMETER_PROBLEM,
+ "addrtype: can't specify limit-iface-in twice");
+ info->flags |= XT_ADDRTYPE_LIMIT_IFACE_IN;
+ *flags |= XT_ADDRTYPE_OPT_LIMIT_IFACE_IN;
+ break;
+ case '4':
+ if (*flags & XT_ADDRTYPE_OPT_LIMIT_IFACE_OUT)
+ exit_error(PARAMETER_PROBLEM,
+ "addrtype: can't specify limit-iface-out twice");
+ info->flags |= XT_ADDRTYPE_LIMIT_IFACE_OUT;
+ *flags |= XT_ADDRTYPE_OPT_LIMIT_IFACE_OUT;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void addrtype_check(unsigned int flags)
+{
+ if (!(flags & (XT_ADDRTYPE_OPT_SRCTYPE|XT_ADDRTYPE_OPT_DSTTYPE)))
+ exit_error(PARAMETER_PROBLEM,
+ "addrtype: you must specify --src-type or --dst-type");
+ if (flags & XT_ADDRTYPE_OPT_LIMIT_IFACE_IN &&
+ flags & XT_ADDRTYPE_OPT_LIMIT_IFACE_OUT)
+ exit_error(PARAMETER_PROBLEM,
+ "addrtype: you can't specify both --limit-iface-in "
+ "and --limit-iface-out");
+}
+
+static void addrtype_print_types(u_int16_t mask)
+{
+ const char *sep = "";
+ int i;
+
+ for (i = 0; rtn_names[i]; i++)
+ if (mask & (1 << i)) {
+ printf("%s%s", sep, rtn_names[i]);
+ sep = ",";
+ }
+
+ printf(" ");
+}
+
+static void addrtype_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_addrtype_info *info =
+ (struct xt_addrtype_info *) match->data;
+
+ printf("ADDRTYPE match ");
+ if (info->source) {
+ printf("src-type ");
+ if (info->flags & XT_ADDRTYPE_INVERT_SOURCE)
+ printf("!");
+ addrtype_print_types(info->source);
+ }
+ if (info->dest) {
+ printf("dst-type ");
+ if (info->flags & XT_ADDRTYPE_INVERT_DEST)
+ printf("!");
+ addrtype_print_types(info->dest);
+ }
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
+ printf("limit-in ");
+ }
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ printf("limit-out ");
+ }
+}
+
+static void addrtype_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_addrtype_info *info =
+ (struct xt_addrtype_info *) match->data;
+
+ if (info->source) {
+ printf("--src-type ");
+ if (info->flags & XT_ADDRTYPE_INVERT_SOURCE)
+ printf("! ");
+ addrtype_print_types(info->source);
+ }
+ if (info->dest) {
+ printf("--dst-type ");
+ if (info->flags & XT_ADDRTYPE_INVERT_DEST)
+ printf("! ");
+ addrtype_print_types(info->dest);
+ }
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
+ printf("--limit-iface-in ");
+ }
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ printf("--limit-iface-out ");
+ }
+}
+
+static const struct option addrtype_opts[] = {
+ { "src-type", 1, NULL, '1' },
+ { "dst-type", 1, NULL, '2' },
+ { "limit-iface-in", 0, NULL, '3' },
+ { "limit-iface-out", 0, NULL, '4' },
+ { }
+};
+
+static struct xtables_match addrtype_match = {
+ .family = AF_INET,
+ .name = "addrtype",
+ .version = IPTABLES_VERSION,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_addrtype_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info)),
+ .help = addrtype_help,
+ .parse = addrtype_parse,
+ .final_check = addrtype_check,
+ .print = addrtype_print,
+ .save = addrtype_save,
+ .extra_opts = addrtype_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&addrtype_match);
+}
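Review bot: the help line for `--limit-iface-out` is a copy of the `--limit-iface-in` line and still says "Match only on the packet's incoming device"; it should say "outgoing device". Also, addrtype_print() emits `limit-in`/`limit-out` while addrtype_save() emits `--limit-iface-in`/`--limit-iface-out`; printing the option names in both keeps `iptables -L` output consistent with the flags the user typed.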
Index: extensions/Makefile
===================================================================
--- extensions/Makefile (revision 7090)
+++ extensions/Makefile (working copy)
@@ -5,9 +5,9 @@
# header files are present in the include/linux directory of this iptables
# package (HW)
#
-PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
+PF_EXT_SLIB:=ah conntrack ecn icmp iprange owner policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
+PFX_EXT_SLIB:=addrtype connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
PF_EXT_SELINUX_SLIB:=
PF6_EXT_SELINUX_SLIB:=
Index: extensions/libipt_addrtype.man
===================================================================
--- extensions/libipt_addrtype.man (revision 7090)
+++ extensions/libipt_addrtype.man (working copy)
@@ -7,31 +7,66 @@
.TP
.BI "UNSPEC"
an unspecified address (i.e. 0.0.0.0)
+.TP
.BI "UNICAST"
an unicast address
+.TP
.BI "LOCAL"
a local address
+.TP
.BI "BROADCAST"
a broadcast address
+.TP
.BI "ANYCAST"
an anycast packet
+.TP
.BI "MULTICAST"
a multicast address
+.TP
.BI "BLACKHOLE"
a blackhole address
+.TP
.BI "UNREACHABLE"
an unreachable address
+.TP
.BI "PROHIBIT"
a prohibited address
+.TP
.BI "THROW"
FIXME
+.TP
.BI "NAT"
FIXME
+.TP
.BI "XRESOLVE"
FIXME
.TP
+Options:
+.TP
.BI "--src-type " "type"
Matches if the source address is of given type
.TP
.BI "--dst-type " "type"
Matches if the destination address is of given type
+.TP
+.BI "--limit-iface-in"
+The address type checking can be limited to the interface the packet is coming
+in. This option is only valid in the
+.BR PREROUTING ,
+.B INPUT
+and
+.B FORWARD
+chains. It cannot be specified with the
+.B "--limit-iface-out"
+option.
+.TP
+.BI "--limit-iface-out"
+The address type checiking can be limited to the interface the packet is going
+out. This option is only valid in the
+.BR POSTROUTING ,
+.B OUTPUT
+and
+.B FORWARD
+chains. It cannot be specified with the
+.B --limit-iface-in
+option.
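Review bot: typo in the `--limit-iface-out` description: "checiking" should be "checking". The new `Options:` line placed directly under a `.TP` becomes a tag with an empty body; introducing the option list with a plain paragraph (`.PP`) or a subsection (`.SS`) renders more cleanly.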
* Re: [PATCHv4 0/2] Find address type on the packet's interface
From: Patrick McHardy @ 2007-11-19 16:06 UTC
To: Laszlo Attila Toth; +Cc: netfilter-devel
Laszlo Attila Toth wrote:
> Hi Patrick,
>
> This extension of addrtype match lets the address type checking be
> limited to the incoming or outgoing interface of the packets depending
> on the current hook.
>
> In the FORWARD chain only one check is allowed but the user can choose
> which one would like to specify.
Thanks for changing this.
> Because of this extension the match has a new revision. Rev 0 can be
> used by older tools and rev 1 is for the modified iptables match.
>
> The iptables patch is for revision 1 only.
>
> Both the kernel module and the iptables module moved to xtables,
> but the kernel module uses ipt_addrtype_info in revision 0.
I just read up on your and Jan's discussion, but you were too fast
for me :) I'm not sure whether this is really a good candidate
for x_tables. IPv4 and IPv6 addrtype have different meanings, the
IPv4 addrtype is based on routing, IPv6 solely on the address.
Especially things like "--addrtype local" won't work, which is
IMO the most useful feature. And since you don't actually add IPv6
support, I don't see any advantage in moving to x_tables. So I
think for now I'd prefer a change to the ipt_addrtype match.
* Re: [PATCHv4 0/2] Find address type on the packet's interface
2007-11-19 16:06 ` [PATCHv4 0/2] Find address type on the packet's interface Patrick McHardy
@ 2007-11-19 17:00 ` Jan Engelhardt
2007-11-19 17:12 ` Patrick McHardy
From: Jan Engelhardt @ 2007-11-19 17:00 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Laszlo Attila Toth, netfilter-devel
On Nov 19 2007 17:06, Patrick McHardy wrote:
>
> I just read up on your and Jan's discussion, but you were too fast
> for me :) I'm not sure whether this is really a good candidate
> for x_tables. IPv4 and IPv6 addrtype have different meanings, the
> IPv4 addrtype is based on routing, IPv6 solely on the address.
> Especially things like "--addrtype local" won't work, which is
> IMO the most useful feature. And since you don't actually add IPv6
> support, I don't see any advantage in moving to x_tables. So I
> think for now I'd prefer a change to the ipt_addrtype match.
IMHO it does not make any difference whether it is xt_*.c or ipt_*.c,
the cost is quite the same.
I am all for xt_*.c, because that's the "new shiny" thing.
* Re: [PATCHv4 0/2] Find address type on the packet's interface
2007-11-19 17:00 ` Jan Engelhardt
@ 2007-11-19 17:12 ` Patrick McHardy
2007-11-19 17:15 ` Jan Engelhardt
2007-11-20 10:54 ` Laszlo Attila Toth
From: Patrick McHardy @ 2007-11-19 17:12 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Laszlo Attila Toth, netfilter-devel
Jan Engelhardt wrote:
> On Nov 19 2007 17:06, Patrick McHardy wrote:
>> I just read up on your and Jan's discussion, but you were too fast
>> for me :) I'm not sure whether this is really a good candidate
>> for x_tables. IPv4 and IPv6 addrtype have different meanings, the
>> IPv4 addrtype is based on routing, IPv6 solely on the address.
>> Especially things like "--addrtype local" won't work, which is
>> IMO the most useful feature. And since you don't actually add IPv6
>> support, I don't see any advantage in moving to x_tables. So I
>> think for now I'd prefer a change to the ipt_addrtype match.
>
> IMHO it does not make any difference whether it is xt_*.c or ipt_*.c,
> the cost is quite the same.
> I am all for xt_*.c, because that's the "new shiny" thing.
x_tables is meant for unified matches and targets, as long as there's
nothing to unify, there's no point in moving it over. So far I think
we only have a single xtables match that doesn't support both IPv4
and IPv6 (xt_conntrack), and I'd like to keep it that way.
* Re: [PATCHv4 0/2] Find address type on the packet's interface
2007-11-19 17:12 ` Patrick McHardy
@ 2007-11-19 17:15 ` Jan Engelhardt
2007-11-19 17:20 ` Patrick McHardy
2007-11-20 10:54 ` Laszlo Attila Toth
From: Jan Engelhardt @ 2007-11-19 17:15 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Laszlo Attila Toth, netfilter-devel
On Nov 19 2007 18:12, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> On Nov 19 2007 17:06, Patrick McHardy wrote:
>> > I just read up on your and Jan's discussion, but you were too fast
>> > for me :) I'm not sure whether this is really a good candidate
>> > for x_tables. IPv4 and IPv6 addrtype have different meanings, the
>> > IPv4 addrtype is based on routing, IPv6 solely on the address.
>> > Especially things like "--addrtype local" won't work, which is
>> > IMO the most useful feature. And since you don't actually add IPv6
>> > support, I don't see any advantage in moving to x_tables. So I
>> > think for now I'd prefer a change to the ipt_addrtype match.
>>
>> IMHO it does not make any difference whether it is xt_*.c or ipt_*.c,
>> the cost is quite the same.
>> I am all for xt_*.c, because that's the "new shiny" thing.
>
> x_tables is meant for unified matches and targets, as long as there's
> nothing to unify, there's no point in moving it over. So far I think
> we only have a single xtables match that doesn't support both IPv4
> and IPv6 (xt_conntrack), and I'd like to keep it that way.
>
Sorry, can't grant you that wish - I have plans to add IPv6 to xt_conntrack to
obsolete ip6t_state, though maybe that takes a bit of time ;-)
* Re: [PATCHv4 0/2] Find address type on the packet's interface
2007-11-19 17:15 ` Jan Engelhardt
@ 2007-11-19 17:20 ` Patrick McHardy
From: Patrick McHardy @ 2007-11-19 17:20 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Laszlo Attila Toth, netfilter-devel
Jan Engelhardt wrote:
> On Nov 19 2007 18:12, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> On Nov 19 2007 17:06, Patrick McHardy wrote:
>>>> I just read up on your and Jan's discussion, but you were too fast
>>>> for me :) I'm not sure whether this is really a good candidate
>>>> for x_tables. IPv4 and IPv6 addrtype have different meanings, the
>>>> IPv4 addrtype is based on routing, IPv6 solely on the address.
>>>> Especially things like "--addrtype local" won't work, which is
>>>> IMO the most useful feature. And since you don't actually add IPv6
>>>> support, I don't see any advantage in moving to x_tables. So I
>>>> think for now I'd prefer a change to the ipt_addrtype match.
>>> IMHO it does not make any difference whether it is xt_*.c or ipt_*.c,
>>> the cost is quite the same.
>>> I am all for xt_*.c, because that's the "new shiny" thing.
>> x_tables is meant for unified matches and targets, as long as there's
>> nothing to unify, there's no point in moving it over. So far I think
>> we only have a single xtables match that doesn't support both IPv4
>> and IPv6 (xt_conntrack), and I'd like to keep it that way.
>>
> Sorry, can't grant you that wish - I have plans to add IPv6 to xt_conntrack to
> obsolete ip6t_state, though maybe that takes a bit of time ;-)
The wish was not to add more pure IPv4 modules, I'm perfectly happy
to finally add IPv6 support to xt_conntrack :)
* Re: [PATCHv4 0/2] Find address type on the packet's interface
2007-11-19 17:12 ` Patrick McHardy
2007-11-19 17:15 ` Jan Engelhardt
@ 2007-11-20 10:54 ` Laszlo Attila Toth
From: Laszlo Attila Toth @ 2007-11-20 10:54 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Jan Engelhardt, netfilter-devel
Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> On Nov 19 2007 17:06, Patrick McHardy wrote:
>>> I just read up on your and Jan's discussion, but you were too fast
>>> for me :) I'm not sure whether this is really a good candidate
>>> for x_tables. IPv4 and IPv6 addrtype have different meanings, the
>>> IPv4 addrtype is based on routing, IPv6 solely on the address.
>>> Especially things like "--addrtype local" won't work, which is
>>> IMO the most useful feature. And since you don't actually add IPv6
>>> support, I don't see any advantage in moving to x_tables. So I
>>> think for now I'd prefer a change to the ipt_addrtype match.
>>
>> IMHO it does not make any difference whether it is xt_*.c or ipt_*.c,
>> the cost is quite the same.
>> I am all for xt_*.c, because that's the "new shiny" thing.
>
> x_tables is meant for unified matches and targets, as long as there's
> nothing to unify, there's no point in moving it over. So far I think
> we only have a single xtables match that doesn't support both IPv4
> and IPv6 (xt_conntrack), and I'd like to keep it that way.
>
>
I think x_tables is meant for similar functionality for IPv4 and IPv6
with minor differences. This eliminates possible code duplications, but
the exactly same usage from the user's view is not required.
--
Attila