Commit 04aca1e3 authored by Amit Kumar's avatar Amit Kumar Committed by Rahul Thakur

iptables: add port trigger support patches

The patches create 2 files, libipt_TRIGGER.c and ipt_TRIGGER.h that
add the support for target TRIGGER in iptables.
Since the patch only adds 2 new files, it is easy to maintain.
The Makefile change installs the library onto the target.
parent c1e9cb83
1 merge request!516iptables: add port trigger support patches
......@@ -715,6 +715,9 @@ define Package/libiptext/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/iptables
$(CP) $(PKG_BUILD_DIR)/extensions/libipt_TRIGGER.so $(1)/usr/lib/iptables/
$(CP) $(PKG_BUILD_DIR)/extensions/libip6t_TRIGGER.so $(1)/usr/lib/iptables/
endef
define Package/libiptext6/install
......
--- a/extensions/libipt_TRIGGER.c
+++ b/extensions/libipt_TRIGGER.c
@@ -0,0 +1,226 @@
+/* Port-triggering target.
+ *
+ * Copyright (C) 2003, CyberTAN Corporation
+ * All Rights Reserved.
+ */
+
+/* Shared library add-on to iptables to add port-trigger support. */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <iptables.h>
+#include <xtables.h>
+#include <linux/netfilter/nf_nat.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_TRIGGER.h>
+
+/* Function which prints out usage message. */
+static void
+TRIGGER_help(void)
+{
+ printf(
+"TRIGGER v%s options:\n"
+" --trigger-type (dnat|in|out)\n"
+" Trigger type\n"
+" --trigger-proto proto\n"
+" Trigger protocol\n"
+" --trigger-match port[-port]\n"
+" Trigger destination port range\n"
+" --trigger-relate port[-port]\n"
+" Port range to map related destination port range to.\n",
+" --trigger-timeout seconds\n"
+" Trigger timeout\n\n"
+XTABLES_VERSION);
+}
+
+static struct option TRIGGER_opts[] = {
+ {.name = "trigger-type", .has_arg = true, .val = '1'},
+ {.name = "trigger-proto", .has_arg = true, .val = '2'},
+ {.name = "trigger-match", .has_arg = true, .val = '3'},
+ {.name = "trigger-relate", .has_arg = true, .val = '4'},
+ {.name = "trigger-timeout", .has_arg = true, .val = '5'},
+ XT_GETOPT_TABLEEND,
+};
+
+/* Initialize the target. */
+static void
+TRIGGER_init(struct xt_entry_target *t)
+{
+}
+
+/* Parses trigger timeout */
+static void
+parse_trigger_timeout(const char *arg, u_int16_t *trigger_timeout)
+{
+ int timeout_val;
+
+ timeout_val = atoi(arg);
+ if (timeout_val < 0 || timeout_val > 65535)
+ xtables_error(PARAMETER_PROBLEM, "timeout range `%s' invalid\n", arg);
+
+ *trigger_timeout = timeout_val;
+}
+
+/* Parses ports */
+static void
+parse_ports(const char *arg, u_int16_t *ports)
+{
+ const char *dash;
+ int port;
+
+ port = atoi(arg);
+ if (port == 0 || port > 65535)
+ xtables_error(PARAMETER_PROBLEM, "Port range `%s' invalid\n", arg);
+
+ dash = strchr(arg, '-');
+ if (!dash)
+ ports[0] = ports[1] = port;
+ else {
+ int maxport;
+
+ maxport = atoi(dash + 1);
+ if (maxport == 0 || maxport > 65535)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port range `%s' invalid\n", dash+1);
+ if (maxport < port)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port range `%s' invalid\n", arg);
+ ports[0] = port;
+ ports[1] = maxport;
+ }
+}
+
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+TRIGGER_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry,
+ struct xt_entry_target **target)
+{
+ struct ipt_trigger_info *info = (struct ipt_trigger_info *)(*target)->data;
+ info->trigger_timeout = TRIGGER_TIMEOUT;
+
+ switch (c) {
+ case '1':
+ if (!strcasecmp(optarg, "dnat"))
+ info->type = IPT_TRIGGER_DNAT;
+ else if (!strcasecmp(optarg, "in"))
+ info->type = IPT_TRIGGER_IN;
+ else if (!strcasecmp(optarg, "out"))
+ info->type = IPT_TRIGGER_OUT;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "unknown type `%s' specified", optarg);
+ return 1;
+
+ case '2':
+ if (!strcasecmp(optarg, "tcp"))
+ info->proto = IPPROTO_TCP;
+ else if (!strcasecmp(optarg, "udp"))
+ info->proto = IPPROTO_UDP;
+ else if (!strcasecmp(optarg, "all"))
+ info->proto = 0;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "unknown protocol `%s' specified", optarg);
+ return 1;
+
+ case '3':
+ parse_ports(optarg, info->ports.mport);
+ return 1;
+
+ case '4':
+ parse_ports(optarg, info->ports.rport);
+ *flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
+ return 1;
+
+ case '5':
+ parse_trigger_timeout(optarg, &info->trigger_timeout);
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+/* Prints out the targinfo. */
+static void
+TRIGGER_print(const void *ip,
+ const struct xt_entry_target *target,
+ int numeric)
+{
+ struct ipt_trigger_info *info = (struct ipt_trigger_info *)target->data;
+
+ printf(" TRIGGER ");
+ if (info->type == IPT_TRIGGER_DNAT)
+ printf("type:dnat ");
+ else if (info->type == IPT_TRIGGER_IN)
+ printf("type:in ");
+ else if (info->type == IPT_TRIGGER_OUT)
+ printf("type:out ");
+
+ if (info->proto == IPPROTO_TCP)
+ printf("tcp ");
+ else if (info->proto == IPPROTO_UDP)
+ printf("udp ");
+
+ printf("match:%hu", info->ports.mport[0]);
+ if (info->ports.mport[1] > info->ports.mport[0])
+ printf("-%hu", info->ports.mport[1]);
+ printf(" ");
+
+ printf("relate:%hu", info->ports.rport[0]);
+ if (info->ports.rport[1] > info->ports.rport[0])
+ printf("-%hu", info->ports.rport[1]);
+
+ printf(" ");
+ printf("timeout:%hu", info->trigger_timeout);
+ printf(" ");
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+TRIGGER_save(const void *ip, const struct xt_entry_target *target)
+{
+ struct ipt_trigger_info *info = (struct ipt_trigger_info *)target->data;
+
+ printf(" --trigger-type");
+ if (info->type == IPT_TRIGGER_DNAT)
+ printf(" dnat");
+ else if (info->type == IPT_TRIGGER_IN)
+ printf(" in");
+ else if (info->type == IPT_TRIGGER_OUT)
+ printf(" out");
+ printf(" --trigger-proto");
+ if (info->proto == IPPROTO_TCP)
+ printf(" tcp");
+ else if (info->proto == IPPROTO_UDP)
+ printf(" udp");
+
+ printf(" --trigger-match %hu-%hu", info->ports.mport[0], info->ports.mport[1]);
+ printf(" --trigger-relate %hu-%hu", info->ports.rport[0], info->ports.rport[1]);
+ printf(" --trigger-timeout %hu", info->trigger_timeout);
+}
+
+static struct xtables_target trigger_reg = {
+ .family = NFPROTO_IPV4,
+ .name = "TRIGGER",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct ipt_trigger_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_trigger_info)),
+ .help = TRIGGER_help,
+ .init = TRIGGER_init,
+ .parse = TRIGGER_parse,
+ .print = TRIGGER_print,
+ .save = TRIGGER_save,
+ .extra_opts = TRIGGER_opts
+};
+
+void _init(void)
+{
+ xtables_register_target(&trigger_reg);
+}
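Review bot: `info->trigger_timeout = TRIGGER_TIMEOUT;` at the top of TRIGGER_parse runs on every option callback, so a `--trigger-timeout` given before any other TRIGGER option is silently overwritten with the 600 s default; the default belongs in the currently empty TRIGGER_init, `struct ipt_trigger_info *info = (struct ipt_trigger_info *)t->data; info->trigger_timeout = TRIGGER_TIMEOUT;`, with that line in TRIGGER_parse dropped. In parse_ports the checks `port == 0 || port > 65535` and `maxport == 0 || maxport > 65535` let a negative atoi() result through to the u_int16_t assignment, where it wraps (e.g. `-5` passes both checks and is stored as 65531), so both should read `<= 0`; `strtoul` with an end-pointer check would additionally reject non-numeric text that atoi maps to 0, which parse_trigger_timeout currently accepts as a timeout of 0. The stray comma after the `"Port range to map related destination port range to.\n",` line in TRIGGER_help ends the format string early, so the `--trigger-timeout` text and XTABLES_VERSION are concatenated and passed as the `%s` argument instead of being printed as part of the usage text. No `.final_check` is registered, so the `*flags |= NF_NAT_RANGE_PROTO_SPECIFIED` set in case '4' is never inspected and a rule with no type or match range reaches the kernel without a userspace check. libip6t_TRIGGER.c is a line-for-line copy of this file and has the same four issues.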
--- a/include/linux/netfilter_ipv4/ipt_TRIGGER.h
+++ b/include/linux/netfilter_ipv4/ipt_TRIGGER.h
@@ -0,0 +1,26 @@
+#ifndef _IPT_TRIGGER_H_target
+#define _IPT_TRIGGER_H_target
+
+#define TRIGGER_TIMEOUT 600 /* 600 secs */
+
+enum ipt_trigger_type
+{
+ IPT_TRIGGER_DNAT = 1,
+ IPT_TRIGGER_IN = 2,
+ IPT_TRIGGER_OUT = 3,
+ IPT_TRIGGER_REFRESH = 4
+};
+
+struct ipt_trigger_ports {
+ u_int16_t mport[2]; /* Related destination port range */
+ u_int16_t rport[2]; /* Port range to map related destination port range to */
+};
+
+struct ipt_trigger_info {
+ enum ipt_trigger_type type;
+ u_int16_t proto; /* Related protocol */
+ u_int16_t trigger_timeout; /* Auto-disable duration */
+ struct ipt_trigger_ports ports;
+};
+
+#endif /*_IPT_TRIGGER_H_target*/
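Review bot: The header uses `u_int16_t` for the port, proto and timeout fields but includes nothing that declares it, so it only compiles when the including file has already pulled in &lt;sys/types.h&gt; (libipt_TRIGGER.c gets it indirectly via &lt;netdb.h&gt;); as this layout is placed under include/linux/ and presumably shared with the kernel-side module, the usual form is `#include <linux/types.h>` with `__u16` fields. `enum ipt_trigger_type type;` as the first member of a struct that crosses the user/kernel boundary has a compiler-chosen width, so a fixed-width field (e.g. `__u32 type;`) would make the ABI explicit — the kernel-side definition is not in this commit, so confirm both sides agree before changing it. A one-line comment on `TRIGGER_TIMEOUT` stating its unit is already there; the same would help on `ports`, e.g. `/* host byte order, inclusive [0]..[1] */`, since TRIGGER_parse stores the values exactly as parsed.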
+++ b/extensions/libip6t_TRIGGER.c
@@ -0,0 +1,226 @@
+/* Port-triggering target.
+ *
+ * Copyright (C) 2003, CyberTAN Corporation
+ * All Rights Reserved.
+ */
+
+/* Shared library add-on to ip6tables to add port-trigger support. */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ip6tables.h>
+#include <xtables.h>
+#include <linux/netfilter/nf_nat.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv4/ipt_TRIGGER.h>
+
+/* Function which prints out usage message. */
+static void
+TRIGGER_help(void)
+{
+ printf(
+"TRIGGER v%s options:\n"
+" --trigger-type (dnat|in|out)\n"
+" Trigger type\n"
+" --trigger-proto proto\n"
+" Trigger protocol\n"
+" --trigger-match port[-port]\n"
+" Trigger destination port range\n"
+" --trigger-relate port[-port]\n"
+" Port range to map related destination port range to.\n",
+" --trigger-timeout seconds\n"
+" Trigger timeout\n\n"
+XTABLES_VERSION);
+}
+
+static struct option TRIGGER_opts[] = {
+ {.name = "trigger-type", .has_arg = true, .val = '1'},
+ {.name = "trigger-proto", .has_arg = true, .val = '2'},
+ {.name = "trigger-match", .has_arg = true, .val = '3'},
+ {.name = "trigger-relate", .has_arg = true, .val = '4'},
+ {.name = "trigger-timeout", .has_arg = true, .val = '5'},
+ XT_GETOPT_TABLEEND,
+};
+
+/* Initialize the target. */
+static void
+TRIGGER_init(struct xt_entry_target *t)
+{
+}
+
+/* Parses trigger timeout */
+static void
+parse_trigger_timeout(const char *arg, u_int16_t *trigger_timeout)
+{
+ int timeout_val;
+
+ timeout_val = atoi(arg);
+ if (timeout_val < 0 || timeout_val > 65535)
+ xtables_error(PARAMETER_PROBLEM, "timeout range `%s' invalid\n", arg);
+
+ *trigger_timeout = timeout_val;
+}
+
+/* Parses ports */
+static void
+parse_ports(const char *arg, u_int16_t *ports)
+{
+ const char *dash;
+ int port;
+
+ port = atoi(arg);
+ if (port == 0 || port > 65535)
+ xtables_error(PARAMETER_PROBLEM, "Port range `%s' invalid\n", arg);
+
+ dash = strchr(arg, '-');
+ if (!dash)
+ ports[0] = ports[1] = port;
+ else {
+ int maxport;
+
+ maxport = atoi(dash + 1);
+ if (maxport == 0 || maxport > 65535)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port range `%s' invalid\n", dash+1);
+ if (maxport < port)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port range `%s' invalid\n", arg);
+ ports[0] = port;
+ ports[1] = maxport;
+ }
+}
+
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+TRIGGER_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry,
+ struct xt_entry_target **target)
+{
+ struct ipt_trigger_info *info = (struct ipt_trigger_info *)(*target)->data;
+ info->trigger_timeout = TRIGGER_TIMEOUT;
+
+ switch (c) {
+ case '1':
+ if (!strcasecmp(optarg, "dnat"))
+ info->type = IPT_TRIGGER_DNAT;
+ else if (!strcasecmp(optarg, "in"))
+ info->type = IPT_TRIGGER_IN;
+ else if (!strcasecmp(optarg, "out"))
+ info->type = IPT_TRIGGER_OUT;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "unknown type `%s' specified", optarg);
+ return 1;
+
+ case '2':
+ if (!strcasecmp(optarg, "tcp"))
+ info->proto = IPPROTO_TCP;
+ else if (!strcasecmp(optarg, "udp"))
+ info->proto = IPPROTO_UDP;
+ else if (!strcasecmp(optarg, "all"))
+ info->proto = 0;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "unknown protocol `%s' specified", optarg);
+ return 1;
+
+ case '3':
+ parse_ports(optarg, info->ports.mport);
+ return 1;
+
+ case '4':
+ parse_ports(optarg, info->ports.rport);
+ *flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
+ return 1;
+
+ case '5':
+ parse_trigger_timeout(optarg, &info->trigger_timeout);
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+/* Prints out the targinfo. */
+static void
+TRIGGER_print(const void *ip,
+ const struct xt_entry_target *target,
+ int numeric)
+{
+ struct ipt_trigger_info *info = (struct ipt_trigger_info *)target->data;
+
+ printf(" TRIGGER ");
+ if (info->type == IPT_TRIGGER_DNAT)
+ printf("type:dnat ");
+ else if (info->type == IPT_TRIGGER_IN)
+ printf("type:in ");
+ else if (info->type == IPT_TRIGGER_OUT)
+ printf("type:out ");
+
+ if (info->proto == IPPROTO_TCP)
+ printf("tcp ");
+ else if (info->proto == IPPROTO_UDP)
+ printf("udp ");
+
+ printf("match:%hu", info->ports.mport[0]);
+ if (info->ports.mport[1] > info->ports.mport[0])
+ printf("-%hu", info->ports.mport[1]);
+ printf(" ");
+
+ printf("relate:%hu", info->ports.rport[0]);
+ if (info->ports.rport[1] > info->ports.rport[0])
+ printf("-%hu", info->ports.rport[1]);
+
+ printf(" ");
+ printf("timeout:%hu", info->trigger_timeout);
+ printf(" ");
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+TRIGGER_save(const void *ip, const struct xt_entry_target *target)
+{
+ struct ipt_trigger_info *info = (struct ipt_trigger_info *)target->data;
+
+ printf(" --trigger-type");
+ if (info->type == IPT_TRIGGER_DNAT)
+ printf(" dnat");
+ else if (info->type == IPT_TRIGGER_IN)
+ printf(" in");
+ else if (info->type == IPT_TRIGGER_OUT)
+ printf(" out");
+ printf(" --trigger-proto");
+ if (info->proto == IPPROTO_TCP)
+ printf(" tcp");
+ else if (info->proto == IPPROTO_UDP)
+ printf(" udp");
+
+ printf(" --trigger-match %hu-%hu", info->ports.mport[0], info->ports.mport[1]);
+ printf(" --trigger-relate %hu-%hu", info->ports.rport[0], info->ports.rport[1]);
+ printf(" --trigger-timeout %hu", info->trigger_timeout);
+}
+
+static struct xtables_target trigger_reg = {
+ .family = NFPROTO_IPV6,
+ .name = "TRIGGER",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct ipt_trigger_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_trigger_info)),
+ .help = TRIGGER_help,
+ .init = TRIGGER_init,
+ .parse = TRIGGER_parse,
+ .print = TRIGGER_print,
+ .save = TRIGGER_save,
+ .extra_opts = TRIGGER_opts
+};
+
+void _init(void)
+{
+ xtables_register_target(&trigger_reg);
+}