Index: extensions/libipt_TPROXY.man
===================================================================
--- extensions/libipt_TPROXY.man (revision 0)
+++ extensions/libipt_TPROXY.man (revision 0)
@@ -0,0 +1,26 @@
+This target is only valid in the
+.B nat
+table, in the
+.B PREROUTING
+chain, and user-defined chains which are only called from that
+chain. It redirects the packet to the machine itself by changing its
+routing but without changing the packets themselves. It marks the
+packets for the tproxy match. It takes two options:
+.TP
+.BR "--on-port " "\fIport\fP"
+This specifies a destination port to use. It is a required option, 0
+means the new destination port is the same as the original. This is
+only valid if the rule also specifies
+.B "-p tcp"
+or
+.BR "-p udp" .
+.TP
+.BR "--on-ip " "\fIaddress\fP"
+This specifies a destination address to use. By default the address is
+the IP address of the incoming interface. This is only valid if the
+rule also specifies
+.B "-p tcp"
+or
+.BR "-p udp" .
+.RS
+.PP
Index: extensions/libipt_TPROXY.c
===================================================================
--- extensions/libipt_TPROXY.c (revision 0)
+++ extensions/libipt_TPROXY.c (revision 0)
@@ -0,0 +1,136 @@
+/* Shared library add-on to iptables to add TPROXY target support.
+ *
+ * Copyright (C) 2002-2007 BalaBit IT Ltd.
+ */
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+static const struct option tproxy_opts[] = {
+	{"on-port", 1, NULL, '1'},
+	{"on-ip", 1, NULL, '2'},
+	{"tproxy-mark", 1, NULL, '3'},
+	{NULL},
+};
+
+static void tproxy_help(void)
+{
+	printf(
+"TPROXY target v%s options:\n"
+" --on-port port Redirect connection to port, or the original port if 0\n"
+" --on-ip ip Optionally redirect to the given IP\n",
+" --tproxy-mark value/mask Mark packets with the given value/mask\n"
+IPTABLES_VERSION);
+}
+
+static void parse_tproxy_lport(const char *s, struct ipt_tproxy_target_info *info)
+{
+	unsigned int lport;
+
+	if (string_to_number(s, 0, 65535, &lport) != -1)
+		info->lport = htons(lport);
+	else
+		exit_error(PARAMETER_PROBLEM, "bad --on-proxy `%s'", s);
+}
+
+static void parse_tproxy_laddr(const char *s, struct ipt_tproxy_target_info *info)
+{
+	struct in_addr *laddr;
+
+	if ((laddr = dotted_to_addr(s)) == NULL)
+		exit_error(PARAMETER_PROBLEM, "bad --on-ip `%s'", s);
+	info->laddr = laddr->s_addr;
+}
+
+static void parse_tproxy_mark(char *s, struct ipt_tproxy_target_info *info)
+{
+	char *slash;
+
+	slash = strchr(s, '/');
+	info->mark_mask = 0xFFFFFFFF;
+	if (slash) {
+		if (string_to_number(slash + 1, 0, 0xFFFFFFFF, &info->mark_mask) < 0)
+			exit_error(PARAMETER_PROBLEM, "bad mask in --tproxy-mark `%s'", s);
+		*slash = 0;
+	}
+	if (string_to_number(s, 0, 0xFFFFFFFF, &info->mark_value) < 0)
+		exit_error(PARAMETER_PROBLEM, "bad value in --tproxy-mark `%s'", s);
+}
+
+static int tproxy_parse(int c, char **argv, int invert, unsigned int *flags,
+			const void *entry, struct xt_entry_target **target)
+{
+	struct ipt_tproxy_target_info *tproxyinfo = (void *)(*target)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags != 0)
+			exit_error(PARAMETER_PROBLEM,
+				   "TPROXY target: Can't specify --on-port twice");
+		parse_tproxy_lport(optarg, tproxyinfo);
+		*flags = 1;
+		break;
+	case '2':
+		parse_tproxy_laddr(optarg, tproxyinfo);
+		break;
+	case '3':
+		parse_tproxy_mark(optarg, tproxyinfo);
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void tproxy_check(unsigned int flags)
+{
+	if (flags == 0)
+		exit_error(PARAMETER_PROBLEM,
+			   "TPROXY target: Parameter --on-port is required");
+}
+
+static void tproxy_print(const void *ip, const struct xt_entry_target *target,
+			 int numeric)
+{
+	const struct ipt_tproxy_target_info *tproxyinfo = (const void *)target->data;
+	printf("TPROXY redirect %s:%d mark 0x%x/0x%x",
+	       addr_to_dotted((const struct in_addr *)&tproxyinfo->laddr),
+	       ntohs(tproxyinfo->lport), tproxyinfo->mark_value, tproxyinfo->mark_mask);
+}
+
+static void tproxy_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct ipt_tproxy_target_info *tproxyinfo = (const void *)target->data;
+
+	printf("--on-port %d ", ntohs(tproxyinfo->lport));
+	printf("--on-ip %s ",
+	       addr_to_dotted((const struct in_addr *)&tproxyinfo->laddr));
+	printf("--tproxy-mark 0x%x/0x%x ",
+	       tproxyinfo->mark_value, tproxyinfo->mark_mask);
+}
+
+static struct xtables_target tproxy_reg = {
+	.name = "TPROXY",
+	.family = AF_INET,
+	.version = IPTABLES_VERSION,
+	.size = XT_ALIGN(sizeof(struct ipt_tproxy_target_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct ipt_tproxy_target_info)),
+	.help = tproxy_help,
+	.parse = tproxy_parse,
+	.final_check = tproxy_check,
+	.print = tproxy_print,
+	.save = tproxy_save,
+	.extra_opts = tproxy_opts,
+};
+
+void _init(void)
+{
+	xtables_register_target(&tproxy_reg);
+}
Index: extensions/libipt_socket.c
===================================================================
--- extensions/libipt_socket.c (revision 0)
+++ extensions/libipt_socket.c (revision 0)
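Review bot: The comma after the `--on-ip` line in tproxy_help() closes printf's format argument one line early, so the `--tproxy-mark` literal concatenated with IPTABLES_VERSION is what `%s` receives: the version string is printed in the middle of the first line and the mark option never appears as a help line of its own. Move the comma down one line, `" --on-ip ip Optionally redirect to the given IP\n"` followed by `" --tproxy-mark value/mask Mark packets with the given value/mask\n",`. The rejection message in parse_tproxy_lport() names an option that does not exist, `--on-proxy`; it should read `"bad --on-port `%s'"`. parse_tproxy_mark() also writes a NUL over the slash in optarg before validating the value, so the `bad value` message echoes only the part before the slash; parsing the mask from a copy, or restoring the slash before exit_error(), keeps the full argument in the message. The man page added with this change says the target takes two options and does not mention `--tproxy-mark` at all.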
@@ -0,0 +1,49 @@
+/* Shared library add-on to iptables to add early socket matching support. */
+#include
+#include
+
+#include
+
+static struct option opts[] = {
+	{ 0 }
+};
+
+static void
+print(const void *ip,
+      const struct xt_entry_match *match,
+      int numeric)
+{
+	printf("socket ");
+}
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const void *entry,
+      unsigned int *nfcache,
+      struct xt_entry_match **match)
+{
+	return 0;
+}
+
+static void
+final_check(unsigned int flags)
+{
+}
+
+static struct iptables_match socket_match = {
+	.next = NULL,
+	.name = "socket",
+	.version = IPTABLES_VERSION,
+	.size = IPT_ALIGN(0),
+	.userspacesize = IPT_ALIGN(0),
+	.parse = &parse,
+	.final_check = &final_check,
+	.print = &print,
+	.extra_opts = opts
+};
+
+void
+_init(void)
+{
+	register_match(&socket_match);
+}
Index: extensions/.tproxy-test
===================================================================
--- extensions/.tproxy-test (revision 0)
+++ extensions/.tproxy-test (revision 0)
@@ -0,0 +1,3 @@
+#!/bin/sh
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_TPROXY.h ] && echo TPROXY
+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_socket.c ] && echo socket
Property changes on: extensions/.tproxy-test
___________________________________________________________________
Name: svn:executable
   + *
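Review bot: libipt_socket.c registers through `struct iptables_match`, `register_match` and `IPT_ALIGN` (with a `parse` that still takes `unsigned int *nfcache`), while libipt_TPROXY.c in the same change uses `struct xtables_target`, `xtables_register_target` and `XT_ALIGN`; these look like two different generations of the iptables extension API, so presumably only one of the two files builds against any given iptables tree. The match also ships undocumented: no libipt_socket.man is added alongside libipt_TPROXY.man, and nothing in the file beyond the one-line header says what the match selects or that it takes no options. A comment above `parse`, e.g. `/* The match takes no options, so every option character is unknown and parse() returns 0. */`, plus a short libipt_socket.man entry, would make the intent clear to users and to whoever later ports the file to the newer API.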
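Review bot: `$KERNEL_DIR` is expanded unquoted in both test lines of .tproxy-test, so an unset variable silently probes `/include/linux/...` and `/net/ipv4/...` at the filesystem root, and a path containing whitespace breaks the `[` expression. Quote the expansion, `[ -f "$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_TPROXY.h" ] && echo TPROXY` and `[ -f "$KERNEL_DIR/net/ipv4/netfilter/ipt_socket.c" ] && echo socket`. A guard such as `[ -n "$KERNEL_DIR" ] || exit 0` at the top would keep the script from reporting the TPROXY and socket features based on files outside the kernel tree.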