author | edward-p | 2018-08-25 01:23:35 +0800 |
---|---|---|
committer | edward-p | 2018-08-25 01:23:35 +0800 |
commit | 4910a9bbf482dd7334bb31e6f3d16c4529f04303 (patch) | |
tree | 29fba1129ba91e0073e68a0617c55b9c1c75953f | |
parent | 1c3ab7b8f9d1a095701b61e1f6b2d6b3d70259b2 (diff) | |
download | aur-4910a9bbf482dd7334bb31e6f3d16c4529f04303.tar.gz |
add .install
-rw-r--r-- | .SRCINFO | 5 | ||||
-rw-r--r-- | PKGBUILD | 9 | ||||
-rw-r--r-- | iptables-fullcone-nat.install | 9 | ||||
-rw-r--r-- | libipt_FULLCONENAT.c | 171 |
4 files changed, 190 insertions, 4 deletions
@@ -1,8 +1,9 @@ pkgbase = iptables-fullcone-nat pkgdesc = iptables with FULLCONENAT extension - pkgver = 1.8.0.r73.g92f7b04f + pkgver = 1.8.0.r85.g0800d9b4 pkgrel = 1 url = https://github.com/Chion82/netfilter-full-cone-nat + install = iptables-fullcone-nat.install arch = i686 arch = x86_64 license = GPL2 @@ -27,6 +28,7 @@ pkgbase = iptables-fullcone-nat source = iptables-flush::https://git.archlinux.org/svntogit/packages.git/plain/trunk/iptables-flush?h=packages/iptables source = iptables.service::https://git.archlinux.org/svntogit/packages.git/plain/trunk/iptables.service?h=packages/iptables source = simple_firewall.rules::https://git.archlinux.org/svntogit/packages.git/plain/trunk/simple_firewall.rules?h=packages/iptables + source = iptables-fullcone-nat.install sha256sums = SKIP sha256sums = SKIP sha256sums = SKIP @@ -39,6 +41,7 @@ pkgbase = iptables-fullcone-nat sha256sums = SKIP sha256sums = SKIP sha256sums = SKIP + sha256sums = 28c1f28f2e8b2b95b562ff807ac472134f27da350cb787f7e0f2d59f80d16ac0 pkgname = iptables-fullcone-nat @@ -1,7 +1,7 @@ # Maintainer: Edward Pacman <micro DOT fedora AT gmail DOT com> pkgname=iptables-fullcone-nat -pkgver=1.8.0.r73.g92f7b04f +pkgver=1.8.0.r85.g0800d9b4 pkgrel=1 pkgdesc="iptables with FULLCONENAT extension" arch=('i686' 'x86_64') @@ -11,6 +11,7 @@ depends=('glibc' 'libmnl' 'libnftnl' 'libpcap' 'netfilter-full-cone-nat-dkms') makedepends=('git' 'linux-api-headers') provides=('iptables') conflicts=('iptables') +install=${pkgname}.install source=("file:///usr/src/netfilter-full-cone-nat-git+ec14efe/libipt_FULLCONENAT.c" "git://git.netfilter.org/iptables" "empty-filter.rules::https://git.archlinux.org/svntogit/packages.git/plain/trunk/empty-filter.rules?h=packages/iptables" 
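Review bot: The `@@ -11,6 +11,7 @@` PKGBUILD hunk adds `install=${pkgname}.install`, but the `source=(` context line directly below it still fetches the extension from `file:///usr/src/netfilter-full-cone-nat-git+ec14efe/libipt_FULLCONENAT.c` with a `SKIP` checksum, even though this same commit adds a `libipt_FULLCONENAT.c` to the repository (see the diffstat). If the vendored copy is meant to be the build input, that source entry should become `"libipt_FULLCONENAT.c"` with a real sha256sum, exactly as the `.install` entry is handled in the `@@ -34,7 +36,8 @@` hunk; otherwise the build depends on an untracked absolute path that exists only on the maintainer's machine and the checked-in file is dead weight. As written, `SKIP` on a local `file://` source means the packaged kernel-facing extension is not pinned to anything a reviewer can verify.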
@@ -22,7 +23,8 @@ source=("file:///usr/src/netfilter-full-cone-nat-git+ec14efe/libipt_FULLCONENAT. "ip6tables.service::https://git.archlinux.org/svntogit/packages.git/plain/trunk/ip6tables.service?h=packages/iptables" "iptables-flush::https://git.archlinux.org/svntogit/packages.git/plain/trunk/iptables-flush?h=packages/iptables" "iptables.service::https://git.archlinux.org/svntogit/packages.git/plain/trunk/iptables.service?h=packages/iptables" - "simple_firewall.rules::https://git.archlinux.org/svntogit/packages.git/plain/trunk/simple_firewall.rules?h=packages/iptables") + "simple_firewall.rules::https://git.archlinux.org/svntogit/packages.git/plain/trunk/simple_firewall.rules?h=packages/iptables" + "iptables-fullcone-nat.install") sha256sums=('SKIP' 'SKIP' 'SKIP' @@ -34,7 +36,8 @@ sha256sums=('SKIP' 'SKIP' 'SKIP' 'SKIP' - 'SKIP') + 'SKIP' + '28c1f28f2e8b2b95b562ff807ac472134f27da350cb787f7e0f2d59f80d16ac0') pkgver() { diff --git a/iptables-fullcone-nat.install b/iptables-fullcone-nat.install new file mode 100644 index 000000000000..2ca0842b500f --- /dev/null +++ b/iptables-fullcone-nat.install @@ -0,0 +1,9 @@ +post_install(){ + echo "Assuming eth0 is external interface:" + echo -e "\tiptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE" + echo -e "\tiptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT #automatically restore NAT for inbound packets" +} + +post_upgrade() { + post_install +} diff --git a/libipt_FULLCONENAT.c b/libipt_FULLCONENAT.c new file mode 100644 index 000000000000..9965cd7e09c1 --- /dev/null +++ b/libipt_FULLCONENAT.c 
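Review bot: In the new iptables-fullcone-nat.install, `post_install` prints the example rules with `echo -e "\t..."`, which relies on bash's builtin echo honoring `-e`; pacman sources .install files with bash so this works today, but `printf '\t%s\n' 'iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE'` is the portable form and is unaffected by `shopt -s xpg_echo`. `post_upgrade` re-prints the same hint on every upgrade; if that is intended, a one-line comment such as `# repeat the usage hint on upgrade as well` would make clear it is not an oversight.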
@@ -0,0 +1,171 @@ +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <xtables.h> +#include <limits.h> /* INT_MAX in ip_tables.h */ +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter/nf_nat.h> + +#ifndef NF_NAT_RANGE_PROTO_RANDOM_FULLY +#define NF_NAT_RANGE_PROTO_RANDOM_FULLY (1 << 4) +#endif + +enum { + O_TO_PORTS = 0, + O_RANDOM, + O_RANDOM_FULLY, +}; + +static void FULLCONENAT_help(void) +{ + printf( +"FULLCONENAT target options:\n" +" --to-ports <port>[-<port>]\n" +" Port (range) to map to.\n" +" --random\n" +" Randomize source port.\n" +" --random-fully\n" +" Fully randomize source port.\n"); +} + +static const struct xt_option_entry FULLCONENAT_opts[] = { + {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, + {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; + +static void FULLCONENAT_init(struct xt_entry_target *t) +{ + struct nf_nat_ipv4_multi_range_compat *mr = (struct nf_nat_ipv4_multi_range_compat *)t->data; + + /* Actually, it's 0, but it's ignored at the moment. 
*/ + mr->rangesize = 1; +} + +/* Parses ports */ +static void +parse_ports(const char *arg, struct nf_nat_ipv4_multi_range_compat *mr) +{ + char *end; + unsigned int port, maxport; + + mr->range[0].flags |= NF_NAT_RANGE_PROTO_SPECIFIED; + + if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX)) + xtables_param_act(XTF_BAD_VALUE, "FULLCONENAT", "--to-ports", arg); + + switch (*end) { + case '\0': + mr->range[0].min.tcp.port + = mr->range[0].max.tcp.port + = htons(port); + return; + case '-': + if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX)) + break; + + if (maxport < port) + break; + + mr->range[0].min.tcp.port = htons(port); + mr->range[0].max.tcp.port = htons(maxport); + return; + default: + break; + } + xtables_param_act(XTF_BAD_VALUE, "FULLCONENAT", "--to-ports", arg); +} + +static void FULLCONENAT_parse(struct xt_option_call *cb) +{ + const struct ipt_entry *entry = cb->xt_entry; + int portok; + struct nf_nat_ipv4_multi_range_compat *mr = cb->data; + + if (entry->ip.proto == IPPROTO_TCP + || entry->ip.proto == IPPROTO_UDP + || entry->ip.proto == IPPROTO_SCTP + || entry->ip.proto == IPPROTO_DCCP + || entry->ip.proto == IPPROTO_ICMP) + portok = 1; + else + portok = 0; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_TO_PORTS: + if (!portok) + xtables_error(PARAMETER_PROBLEM, + "Need TCP, UDP, SCTP or DCCP with port specification"); + parse_ports(cb->arg, mr); + break; + case O_RANDOM: + mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM; + break; + case O_RANDOM_FULLY: + mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; + break; + } +} + +static void +FULLCONENAT_print(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data; + const struct nf_nat_ipv4_range *r = &mr->range[0]; + + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { + printf(" masq ports: "); + printf("%hu", ntohs(r->min.tcp.port)); + if (r->max.tcp.port != r->min.tcp.port) + 
printf("-%hu", ntohs(r->max.tcp.port)); + } + + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" random"); + + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) + printf(" random-fully"); +} + +static void +FULLCONENAT_save(const void *ip, const struct xt_entry_target *target) +{ + const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data; + const struct nf_nat_ipv4_range *r = &mr->range[0]; + + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { + printf(" --to-ports %hu", ntohs(r->min.tcp.port)); + if (r->max.tcp.port != r->min.tcp.port) + printf("-%hu", ntohs(r->max.tcp.port)); + } + + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" --random"); + + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) + printf(" --random-fully"); +} + +static struct xtables_target fullconenat_tg_reg = { + .name = "FULLCONENAT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .help = FULLCONENAT_help, + .init = FULLCONENAT_init, + .x6_parse = FULLCONENAT_parse, + .print = FULLCONENAT_print, + .save = FULLCONENAT_save, + .x6_options = FULLCONENAT_opts, +}; + +void _init(void) +{ + xtables_register_target(&fullconenat_tg_reg); +} |
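Review bot: In FULLCONENAT_parse the `portok` test accepts IPPROTO_ICMP, but the diagnostic raised for `--to-ports` on other protocols says `"Need TCP, UDP, SCTP or DCCP with port specification"`, so the check and the message disagree; either drop the ICMP case or change the string to `"Need TCP, UDP, SCTP, DCCP or ICMP with port specification"`. FULLCONENAT_print in the same hunk labels the range `" masq ports: "`, which makes a FULLCONENAT rule look like MASQUERADE output in `iptables -L`; `" to-ports: "` would be unambiguous. parse_ports also accepts `--to-ports 0`, since both xtables_strtoui calls use a lower bound of 0; if port 0 is not meaningful for this target, a lower bound of 1 would reject it at parse time instead of handing it to the kernel. The file has no header comment; a one-liner stating that this is the userspace xtables plugin for the FULLCONENAT target and that its option handling appears to be copied from libipt_MASQUERADE.c (the `rangesize` comment and the "masq" label suggest so) would tell a maintainer where to look when upstream iptables changes.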