initial commit for zentables-addons

* modules: xt_zenset, xt_RESET

Makefile.am

@@ -0,0 +1,17 @@
+# -*- Makefile -*-
+
+ACLOCAL_AMFLAGS  = -I m4
+SUBDIRS          = extensions
+
+tmpdir := $(shell mktemp -dtu)
+packer  = xz
+packext = .tar.xz
+
+.PHONY: tarball
+tarball:
+# do not use mkdir_p here.
+	mkdir ${tmpdir}
+	pushd ${top_srcdir} && git archive --prefix=${PACKAGE_NAME}-${PACKAGE_VERSION}/ HEAD | tar -C ${tmpdir} -x && popd;
+	pushd ${tmpdir}/${PACKAGE_NAME}-${PACKAGE_VERSION} && ./autogen.sh && popd;
+	tar --use=${packer} -C ${tmpdir} -cf ${PACKAGE_NAME}-${PACKAGE_VERSION}${packext} --owner=root --group=root ${PACKAGE_NAME}-${PACKAGE_VERSION}/;
+	rm -Rf ${tmpdir};

Makefile.extra

@@ -0,0 +1,31 @@
+# -*- Makefile -*-
+# AUTOMAKE
+
+export AM_CPPFLAGS
+export AM_CFLAGS
+XA_SRCDIR = ${srcdir}
+XA_TOPSRCDIR = ${top_srcdir}
+XA_ABSTOPSRCDIR = ${abs_top_srcdir}
+export XA_SRCDIR
+export XA_TOPSRCDIR
+export XA_ABSTOPSRCDIR
+
+_mcall = -f ${top_builddir}/Makefile.iptrules
+
+all-local: user-all-local
+
+install-exec-local: user-install-local
+
+clean-local: user-clean-local
+
+user-all-local:
+	${MAKE} ${_mcall} all;
+
+# Have no user-install-data-local ATM
+user-install-local: user-install-exec-local
+
+user-install-exec-local:
+	${MAKE} ${_mcall} install;
+
+user-clean-local:
+	${MAKE} ${_mcall} clean;

Makefile.iptrules.in

@@ -0,0 +1,62 @@
+# -*- Makefile -*-
+# MANUAL
+
+abs_top_srcdir  = @abs_top_srcdir@
+
+prefix          = @prefix@
+exec_prefix     = @exec_prefix@
+libexecdir      = @libexecdir@
+xtlibdir        = @xtlibdir@
+
+CC              = @CC@
+CCLD            = ${CC}
+CFLAGS          = @CFLAGS@
+LDFLAGS         = @LDFLAGS@
+
+libxtables_CFLAGS = @libxtables_CFLAGS@
+libxtables_LIBS   = @libxtables_LIBS@
+AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
+
+AM_DEFAULT_VERBOSITY = 0
+am__v_CC_0           = @echo "  CC    " $@;
+am__v_CCLD_0         = @echo "  CCLD  " $@;
+am__v_GEN_0          = @echo "  GEN   " $@;
+am__v_SILENT_0       = @
+am__v_CC_            = ${am__v_CC_${AM_DEFAULT_VERBOSITY}}
+am__v_CCLD_          = ${am__v_CCLD_${AM_DEFAULT_VERBOSITY}}
+am__v_GEN_           = ${am__v_GEN_${AM_DEFAULT_VERBOSITY}}
+am__v_SILENT_        = ${am__v_SILENT_${AM_DEFAULT_VERBOSITY}}
+AM_V_CC              = ${am__v_CC_${V}}
+AM_V_CCLD            = ${am__v_CCLD_${V}}
+AM_V_GEN             = ${am__v_GEN_${V}}
+AM_V_silent          = ${am__v_GEN_${V}}
+
+include ${XA_TOPSRCDIR}/mconfig
+-include ${XA_TOPSRCDIR}/mconfig.*
+include ${XA_SRCDIR}/Mbuild
+-include ${XA_SRCDIR}/Mbuild.*
+
+targets := $(filter-out %/,${obj-m})
+subdirs_list := $(filter %/,${obj-m})
+
+.SECONDARY:
+
+.PHONY: all install clean
+
+all: ${targets}
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i || exit $$?; done;
+
+install: ${targets}
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@ || exit $$?; done;
+	install -dm0755 "${DESTDIR}/${xtlibdir}";
+	@for i in $^; do install -pm0755 $$i "${DESTDIR}/${xtlibdir}"; done;
+
+clean:
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@ || exit $$?; done;
+	rm -f *.oo *.so;
+
+lib%.so: lib%.oo
+	${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${libxtables_LIBS} ${LDLIBS};
+
+%.oo: ${XA_SRCDIR}/%.c
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CPPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CPPFLAGS} ${CFLAGS} -o $@ -c $<;

README.md

@@ -0,0 +1,55 @@
+# Zenedge add-ons for netfilter/iptables
+
+Zentables-addons is a set of extensions to netfilter/iptables
+developed by [Zenedge](http://www.zenedge.com) and
+based on [Xtables-addons](http://xtables-addons.sourceforge.net/).
+
+## Zenset
+
+Zenset is a netfilter/iptables extension which provides support for matching
+[Proxy Protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt)
+source address
+using [IP Set](http://ipset.netfilter.org/).
+
+## RESET
+
+RESET is a netfilter/iptables extension which provides support to finalize an
+established TCP connection by emulating a TCP RST to both ends.
+This extension is based on ipt\_REJECT.
+
+## Usage
+
+For example, for blocking the source address _10.10.10.10_ sent through _Proxy
+Protocol_ using _TCP RST_ and a _IP set_, we can use:
+```
+# ipset create blacklist hash:ip
+# ipset add blacklist 10.10.10.10
+# iptables -I INPUT -m zenset --proxy-protocol --match-set blacklist src -j RESET
+```
+
+## Installation
+
+### Dependencies
+
+```
+# apt-get install libmnl-dev libltdl7-dev iptables-dev libxtables10 libipset-dev ipset
+
+```
+
+### Building
+
+```
+$ ./autogen.sh
+$ ./configure
+$ make
+# make install
+```
+
+### Running
+
+```
+# depmode -a
+# modprobe xt_zenset
+# modprobe xt_RESET
+```
+

autogen.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+autoreconf -fi;
+rm -Rf autom4te*.cache;

configure.ac

@@ -0,0 +1,83 @@
+AC_INIT([xtables-addons], [2.10])
+AC_CONFIG_AUX_DIR([build-aux])
+AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_MACRO_DIR([m4])
+AC_PROG_INSTALL
+AM_INIT_AUTOMAKE([1.10b -Wall foreign subdir-objects])
+AC_PROG_CC
+AM_PROG_CC_C_O
+m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
+AC_DISABLE_STATIC
+AC_PROG_LIBTOOL
+
+AC_ARG_WITH([kbuild],
+	AS_HELP_STRING([--with-kbuild=PATH],
+	[Path to kernel build directory [[/lib/modules/CURRENT/build]]])
+AS_HELP_STRING([--without-kbuild],
+	[Build only userspace tools]),
+	[kbuilddir="$withval"],
+	[kbuilddir="/lib/modules/$(uname -r)/build"])
+#
+# check for --without-kbuild
+#
+if [[ "$kbuilddir" == no ]]; then
+	kbuilddir="";
+fi
+
+AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
+	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.5])
+xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
+
+AC_ARG_WITH([xtlibdir],
+	AS_HELP_STRING([--with-xtlibdir=PATH],
+	[Path where to install Xtables extensions [[autodetect]]]),
+	[xtlibdir="$withval"])
+AC_MSG_CHECKING([Xtables module directory])
+AC_MSG_RESULT([$xtlibdir])
+
+regular_CPPFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
+	-D_REENTRANT -I\${XA_TOPSRCDIR}/include"
+regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
+	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
+	-Winline -pipe";
+
+if test -n "$kbuilddir"; then
+	AC_MSG_CHECKING([kernel version that we will build against])
+	krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease)";
+	kmajor="${krel%%[[^0-9]]*}";
+	kmajor="$(($kmajor+0))";
+	krel="${krel:${#kmajor}}";
+	krel="${krel#.}";
+	kminor="${krel%%[[^0-9]]*}";
+	kminor="$(($kminor+0))";
+	krel="${krel:${#kminor}}";
+	krel="${krel#.}";
+	kmicro="${krel%%[[^0-9]]*}";
+	kmicro="$(($kmicro+0))";
+	krel="${krel:${#kmicro}}";
+	krel="${krel#.}";
+	kstable="${krel%%[[^0-9]]*}";
+	kstable="$(($kstable+0))";
+	if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
+		echo "WARNING: Version detection did not succeed. Continue at own luck.";
+	else
+		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+		if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 3; then
+			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
+		elif test "$kmajor" -eq 4 -a "$kminor" -le 3; then
+			:;
+		elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
+			:;
+		else
+			echo "WARNING: That kernel version is not officially supported.";
+		fi;
+	fi;
+fi;
+
+AC_SUBST([regular_CPPFLAGS])
+AC_SUBST([regular_CFLAGS])
+AC_SUBST([kbuilddir])
+AC_SUBST([xtlibdir])
+AC_CONFIG_FILES([Makefile Makefile.iptrules extensions/Makefile])
+AC_OUTPUT

extensions/.gitignore

@@ -0,0 +1,12 @@
+.*.cmd
+.*.d
+.tmp_versions/
+*.ko
+*.mod.c
+Module.markers
+Module.symvers
+Modules.symvers
+modules.order
+
+*.so
+*.oo

extensions/Kbuild

@@ -0,0 +1,12 @@
+# -*- Makefile -*-
+
+include ${XA_ABSTOPSRCDIR}/mconfig
+-include ${XA_ABSTOPSRCDIR}/mconfig.*
+
+obj-m                    += compat_xtables.o
+
+obj-${build_zenset}      += xt_zenset.o
+obj-${build_RESET}       += xt_RESET.o
+
+-include ${M}/*.Kbuild
+-include ${M}/Kbuild.*

extensions/Makefile.am

@@ -0,0 +1,29 @@
+# -*- Makefile -*-
+# AUTOMAKE
+
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${abs_top_srcdir}/extensions
+AM_CFLAGS = ${regular_CFLAGS} ${libxtables_CFLAGS}
+
+# Not having Kbuild in Makefile.extra because it will already recurse
+.PHONY: modules modules_install clean_modules
+
+_kcall = -C ${kbuilddir} M=${abs_srcdir}
+
+modules:
+	@echo -n "Xtables-addons ${PACKAGE_VERSION} - Linux "
+	@if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} --no-print-directory -s kernelrelease; fi;
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi;
+
+modules_install:
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} INSTALL_MOD_PATH=${DESTDIR} ext-mod-dir='$${INSTALL_MOD_DIR}' modules_install; fi;
+
+clean_modules:
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} clean; fi;
+
+all-local: modules
+
+install-exec-local: modules_install
+
+clean-local: clean_modules
+
+include ../Makefile.extra

extensions/Mbuild

@@ -0,0 +1,4 @@
+# -*- Makefile -*-
+
+obj-${build_zenset}      += libxt_zenset.so
+obj-${build_RESET}       += libxt_RESET.so

extensions/compat_skbuff.h

@@ -0,0 +1,16 @@
+#ifndef COMPAT_SKBUFF_H
+#define COMPAT_SKBUFF_H 1
+
+struct tcphdr;
+struct udphdr;
+
+#define skb_ifindex(skb) (skb)->skb_iif
+#define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
+
+#ifdef CONFIG_NETWORK_SECMARK
+#	define skb_secmark(skb) ((skb)->secmark)
+#else
+#	define skb_secmark(skb) 0
+#endif
+
+#endif /* COMPAT_SKBUFF_H */

extensions/compat_user.h

@@ -0,0 +1,12 @@
+/*
+ *	Userspace-level compat hacks
+ */
+#ifndef _XTABLES_COMPAT_USER_H
+#define _XTABLES_COMPAT_USER_H 1
+
+/* linux-glibc-devel 2.6.34 header screwup */
+#ifndef ALIGN
+#	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
+#endif
+
+#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -0,0 +1,45 @@
+/*
+ *	API compat layer
+ *	written by Jan Engelhardt, 2008 - 2010
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License, either
+ *	version 2 of the License, or any later version.
+ */
+#include <linux/ip.h>
+#include <linux/kernel.h>
+#include <linux/kmod.h>
+#include <linux/list.h>
+#include <linux/module.h>
+#include <linux/slab.h>
+#include <linux/spinlock.h>
+#include <linux/version.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_arp.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/route.h>
+#include <linux/export.h>
+#include "compat_skbuff.h"
+#include "compat_xtnu.h"
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#	define WITH_IPV6 1
+#endif
+
+void *HX_memmem(const void *space, size_t spacesize,
+    const void *point, size_t pointsize)
+{
+	size_t i;
+
+	if (pointsize > spacesize)
+		return NULL;
+	for (i = 0; i <= spacesize - pointsize; ++i)
+		if (memcmp(space + i, point, pointsize) == 0)
+			return (void *)space + i;
+	return NULL;
+}
+EXPORT_SYMBOL_GPL(HX_memmem);
+
+MODULE_LICENSE("GPL");