iptables with imq patch

8 files changed, 332 insertions, 0 deletions

diff --git a/net-firewall/iptables/files/iptables-1.6.0-imq.diff b/net-firewall/iptables/files/iptables-1.6.0-imq.diff
new file mode 100644
index 0000000..2252980
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.6.0-imq.diff
@@ -0,0 +1,141 @@
+diff -Naupr iptables-1.6.0_orig/extensions/libxt_IMQ.c iptables-1.6.0/extensions/libxt_IMQ.c
+--- iptables-1.6.0_orig/extensions/libxt_IMQ.c	1970-01-01 07:00:00.000000000 +0700
++++ iptables-1.6.0/extensions/libxt_IMQ.c	2016-05-17 22:16:54.609657870 +0600
+@@ -0,0 +1,105 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_IMQ.h>
++
++/* Function which prints out usage message. */
++static void IMQ_help(void)
++{
++	printf(
++"IMQ target options:\n"
++"  --todev <N>		enqueue to imq<N>, defaults to 0\n");
++
++}
++
++static struct option IMQ_opts[] = {
++	{ "todev", 1, 0, '1' },
++	{ 0 }
++};
++
++/* Initialize the target. */
++static void IMQ_init(struct xt_entry_target *t)
++{
++	struct xt_imq_info *mr = (struct xt_imq_info*)t->data;
++
++	mr->todev = 0;
++}
++
++/* Function which parses command options; returns true if it
++   ate an option */
++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags,
++      const void *entry, struct xt_entry_target **target)
++{
++	struct xt_imq_info *mr = (struct xt_imq_info*)(*target)->data;
++	
++	switch(c) {
++	case '1':
++/*		if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
++			xtables_error(PARAMETER_PROBLEM,
++				   "Unexpected `!' after --todev");
++*/
++		mr->todev=atoi(optarg);
++		break;
++
++	default:
++		return 0;
++	}
++	return 1;
++}
++
++/* Prints out the targinfo. */
++static void IMQ_print(const void *ip,
++      const struct xt_entry_target *target,
++      int numeric)
++{
++	struct xt_imq_info *mr = (struct xt_imq_info*)target->data;
++
++	printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void IMQ_save(const void *ip, const struct xt_entry_target *target)
++{
++	struct xt_imq_info *mr = (struct xt_imq_info*)target->data;
++
++	printf(" --todev %u", mr->todev);
++}
++
++static struct xtables_target imq_target = {
++	.name		= "IMQ",
++	.version	= XTABLES_VERSION,
++	.family		= NFPROTO_IPV4,
++	.size		= XT_ALIGN(sizeof(struct xt_imq_info)),
++	.userspacesize	= XT_ALIGN(sizeof(struct xt_imq_info)),
++	.help		= IMQ_help,
++	.init		= IMQ_init,
++	.parse		= IMQ_parse,
++	.print		= IMQ_print,
++	.save		= IMQ_save,
++	.extra_opts	= IMQ_opts,
++};
++
++static struct xtables_target imq_target6 = {
++	.name		= "IMQ",
++	.version	= XTABLES_VERSION,
++	.family		= NFPROTO_IPV6,
++	.size		= XT_ALIGN(sizeof(struct xt_imq_info)),
++	.userspacesize	= XT_ALIGN(sizeof(struct xt_imq_info)),
++	.help		= IMQ_help,
++	.init		= IMQ_init,
++	.parse		= IMQ_parse,
++	.print		= IMQ_print,
++	.save		= IMQ_save,
++	.extra_opts	= IMQ_opts,
++};
++
++// void __attribute((constructor)) nf_ext_init(void){
++void _init(void){
++	xtables_register_target(&imq_target);
++	xtables_register_target(&imq_target6);
++}
+diff -Naupr iptables-1.6.0_orig/extensions/libxt_IMQ.man iptables-1.6.0/extensions/libxt_IMQ.man
+--- iptables-1.6.0_orig/extensions/libxt_IMQ.man	1970-01-01 07:00:00.000000000 +0700
++++ iptables-1.6.0/extensions/libxt_IMQ.man	2016-05-17 22:16:54.609657870 +0600
+@@ -0,0 +1,15 @@
++This target is used to redirect the traffic to the IMQ driver and you can apply
++QoS rules like HTB or CBQ.
++For example you can select only traffic comming from a specific interface or
++is going out on a specific interface.
++Also it permits to capture the traffic BEFORE NAT in the case of outgoing traffic
++or AFTER NAT in the case of incomming traffic.
++.TP
++\fB\-\-to\-dev\fP \fIvalue\fP
++Set the IMQ interface where to send this traffic
++.TP
++Example:
++.TP
++Redirect incomming traffic from interface eth0 to imq0 and outgoing traffic to imq1:
++iptables \-t mangle \-A FORWARD \-i eth0 \-j IMQ \-\-to\-dev 0
++iptables \-t mangle \-A FORWARD \-o eth0 \-j IMQ \-\-to\-dev 1
+diff -Naupr iptables-1.6.0_orig/include/linux/netfilter/xt_IMQ.h iptables-1.6.0/include/linux/netfilter/xt_IMQ.h
+--- iptables-1.6.0_orig/include/linux/netfilter/xt_IMQ.h	1970-01-01 07:00:00.000000000 +0700
++++ iptables-1.6.0/include/linux/netfilter/xt_IMQ.h	2016-05-17 22:16:54.609657870 +0600
+@@ -0,0 +1,9 @@
++#ifndef _XT_IMQ_H
++#define _XT_IMQ_H
++
++struct xt_imq_info {
++	unsigned int todev;     /* target imq device */
++};
++
++#endif /* _XT_IMQ_H */
++
diff --git a/net-firewall/iptables/files/iptables.init b/net-firewall/iptables/files/iptables.init
new file mode 100755
index 0000000..10394c6
--- /dev/null
+++ b/net-firewall/iptables/files/iptables.init
@@ -0,0 +1,129 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="check save panic"
+extra_started_commands="reload"
+
+iptables_name=${SVCNAME}
+case ${iptables_name} in
+iptables|ip6tables) ;;
+*) iptables_name="iptables" ;;
+esac
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+	iptables)  iptables_proc="/proc/net/ip_tables_names"
+	           iptables_save=${IPTABLES_SAVE};;
+	ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+	           iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+	need localmount #434774
+	before net
+}
+
+set_table_policy() {
+	local chains table=$1 policy=$2
+	case ${table} in
+		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
+		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+		filter) chains="INPUT FORWARD OUTPUT";;
+		*)      chains="";;
+	esac
+	local chain
+	for chain in ${chains} ; do
+		${iptables_bin} -w -t ${table} -P ${chain} ${policy}
+	done
+}
+
+checkkernel() {
+	if [ ! -e ${iptables_proc} ] ; then
+		eerror "Your kernel lacks ${iptables_name} support, please load"
+		eerror "appropriate modules and try again."
+		return 1
+	fi
+	return 0
+}
+checkconfig() {
+	if [ ! -f ${iptables_save} ] ; then
+		eerror "Not starting ${iptables_name}.  First create some rules then run:"
+		eerror "/etc/init.d/${iptables_name} save"
+		return 1
+	fi
+	return 0
+}
+
+start() {
+	checkconfig || return 1
+	ebegin "Loading ${iptables_name} state and starting firewall"
+	${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+	eend $?
+}
+
+stop() {
+	if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+		save || return 1
+	fi
+	checkkernel || return 1
+	ebegin "Stopping firewall"
+	local a
+	for a in $(cat ${iptables_proc}) ; do
+		set_table_policy $a ACCEPT
+
+		${iptables_bin} -w -F -t $a
+		${iptables_bin} -w -X -t $a
+	done
+	eend $?
+}
+
+reload() {
+	checkkernel || return 1
+	checkrules || return 1
+	ebegin "Flushing firewall"
+	local a
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} -w -F -t $a
+		${iptables_bin} -w -X -t $a
+	done
+	eend $?
+
+	start
+}
+
+checkrules() {
+	ebegin "Checking rules"
+	${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+	eend $?
+}
+
+check() {
+	# Short name for users of init.d script.
+	checkrules
+}
+
+save() {
+	ebegin "Saving ${iptables_name} state"
+	checkpath -q -d "$(dirname "${iptables_save}")"
+	checkpath -q -m 0600 -f "${iptables_save}"
+	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+	eend $?
+}
+
+panic() {
+	checkkernel || return 1
+	if service_started ${iptables_name}; then
+		rc-service ${iptables_name} stop
+	fi
+
+	local a
+	ebegin "Dropping all packets"
+	for a in $(cat ${iptables_proc}) ; do
+		${iptables_bin} -w -F -t $a
+		${iptables_bin} -w -X -t $a
+
+		set_table_policy $a DROP
+	done
+	eend $?
+}
diff --git a/net-firewall/iptables/files/systemd/ip6tables-restore.service b/net-firewall/iptables/files/systemd/ip6tables-restore.service
new file mode 100644
index 0000000..c149e92
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore ip6tables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=ip6tables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/ip6tables-store.service b/net-firewall/iptables/files/systemd/ip6tables-store.service
new file mode 100644
index 0000000..9975378
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store ip6tables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/ip6tables-save --counters > /var/lib/ip6tables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
diff --git a/net-firewall/iptables/files/systemd/ip6tables.service b/net-firewall/iptables/files/systemd/ip6tables.service
new file mode 100644
index 0000000..0a6d7fa
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/ip6tables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore ip6tables firewall rules
+
+[Install]
+Also=ip6tables-store.service
+Also=ip6tables-restore.service
diff --git a/net-firewall/iptables/files/systemd/iptables-restore.service b/net-firewall/iptables/files/systemd/iptables-restore.service
new file mode 100644
index 0000000..2474ee3
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore iptables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=iptables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
+
+[Install]
+WantedBy=basic.target
diff --git a/net-firewall/iptables/files/systemd/iptables-store.service b/net-firewall/iptables/files/systemd/iptables-store.service
new file mode 100644
index 0000000..aa16e75
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store iptables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/sbin/iptables-save --counters > /var/lib/iptables/rules-save"
+
+[Install]
+WantedBy=shutdown.target
diff --git a/net-firewall/iptables/files/systemd/iptables.service b/net-firewall/iptables/files/systemd/iptables.service
new file mode 100644
index 0000000..3643a3e
--- /dev/null
+++ b/net-firewall/iptables/files/systemd/iptables.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Store and restore iptables firewall rules
+
+[Install]
+Also=iptables-store.service
+Also=iptables-restore.service