#include <errno.h> #include <stdbool.h> #include <string.h> #include <stdio.h> #include <stdint.h> #include <xtables.h> #include <linux/netfilter/xt_connlabel.h> #include <libnetfilter_conntrack/libnetfilter_conntrack.h> enum { O_LABEL = 0, O_SET = 1, }; static struct nfct_labelmap *map; static void connlabel_mt_help(void) { puts( "connlabel match options:\n" "[!] --label name Match if label has been set on connection\n" " --set Set label on connection"); } static const struct xt_option_entry connlabel_mt_opts[] = { {.name = "label", .id = O_LABEL, .type = XTTYPE_STRING, .min = 1, .flags = XTOPT_MAND|XTOPT_INVERT}, {.name = "set", .id = O_SET, .type = XTTYPE_NONE}, XTOPT_TABLEEND, }; static void connlabel_mt_parse(struct xt_option_call *cb) { struct xt_connlabel_mtinfo *info = cb->data; int tmp; xtables_option_parse(cb); switch (cb->entry->id) { case O_LABEL: tmp = nfct_labelmap_get_bit(map, cb->arg); if (tmp < 0) xtables_error(PARAMETER_PROBLEM, "label '%s' not found", cb->arg); info->bit = tmp; if (cb->invert) info->options |= XT_CONNLABEL_OP_INVERT; break; case O_SET: info->options |= XT_CONNLABEL_OP_SET; break; } } static const char *connlabel_get_name(int b) { const char *name = nfct_labelmap_get_name(map, b); if (name && strcmp(name, "")) return name; return NULL; } static void connlabel_mt_print_op(const struct xt_connlabel_mtinfo *info, const char *prefix) { if (info->options & XT_CONNLABEL_OP_SET) printf(" %sset", prefix); } static void connlabel_mt_print(const void *ip, const struct xt_entry_match *match, int numeric) { const struct xt_connlabel_mtinfo *info = (const void *)match->data; const char *name = connlabel_get_name(info->bit); printf(" connlabel"); if (info->options & XT_CONNLABEL_OP_INVERT) printf(" !"); if (numeric || name == NULL) { printf(" %u", info->bit); } else { printf(" '%s'", name); } connlabel_mt_print_op(info, ""); } static void connlabel_mt_save(const void *ip, const struct xt_entry_match *match) { const struct xt_connlabel_mtinfo *info = (const void *)match->data; const char *name = connlabel_get_name(info->bit); if (info->options & XT_CONNLABEL_OP_INVERT) printf(" !"); if (name) printf(" --label \"%s\"", name); else printf(" --label \"%u\"", info->bit); connlabel_mt_print_op(info, "--"); } static struct xtables_match connlabel_mt_reg = { .family = NFPROTO_UNSPEC, .name = "connlabel", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_connlabel_mtinfo)), .userspacesize = offsetof(struct xt_connlabel_mtinfo, bit), .help = connlabel_mt_help, .print = connlabel_mt_print, .save = connlabel_mt_save, .x6_parse = connlabel_mt_parse, .x6_options = connlabel_mt_opts, }; void _init(void) { map = nfct_labelmap_new(NULL); if (!map) { fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n", connlabel_mt_reg.name, strerror(errno)); return; } xtables_register_match(&connlabel_mt_reg); }