Merge pull request #23 from mimuret/develop

add matching on mangle table PREROUTING CHAIN .
mimuret · Mar 11, 2016 · 7292217 · 7292217
2 parents 97175de + 5ba8043
commit 7292217
Show file tree

Hide file tree

Showing 32 changed files with 168 additions and 117 deletions.
diff --git a/modules/xt_dns.c b/modules/xt_dns.c
@@ -287,22 +287,18 @@ static bool dns_mt6(const struct sk_buff *skb, XT_PARAM *par) {
 }
 
 static struct xt_match dns_mt_reg[] __read_mostly = {
-    {
-        .name = "dns",
-        .table = "filter",
-        .family = NFPROTO_IPV4,
-        .match = dns_mt4,
-        .matchsize = sizeof(struct xt_dns),
-        .me = THIS_MODULE,
-    },
-    {
-        .name = "dns",
-        .table = "filter",
-        .family = NFPROTO_IPV6,
-        .match = dns_mt6,
-        .matchsize = sizeof(struct xt_dns),
-        .me = THIS_MODULE,
-    }};
+    {.name = "dns",
+     .family = NFPROTO_IPV4,
+     .match = dns_mt4,
+     .matchsize = sizeof(struct xt_dns),
+     .me = THIS_MODULE,
+     .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_PRE_ROUTING)},
+    {.name = "dns",
+     .family = NFPROTO_IPV6,
+     .match = dns_mt6,
+     .matchsize = sizeof(struct xt_dns),
+     .me = THIS_MODULE,
+     .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_PRE_ROUTING)}};
 static int __init dns_mt_init(void) {
     return xt_register_matches(dns_mt_reg, ARRAY_SIZE(dns_mt_reg));
 }

diff --git a/test/03.1_ipv4_udp_match.sh b/test/03.1_ipv4_udp_match.sh
diff --git a/test/03.2_ipv4_tcp_match.sh b/test/03.2_ipv4_tcp_match.sh
diff --git a/test/03.3_ipv6_udp_match.sh b/test/03.3_ipv6_udp_match.sh
diff --git a/test/03.4_ipv6_tcp_match.sh b/test/03.4_ipv6_tcp_match.sh
diff --git a/test/04.1_ipv4_udp_nomatch.sh b/test/04.1_ipv4_udp_nomatch.sh
diff --git a/test/04.2_ipv4_tcp_nomatch.sh b/test/04.2_ipv4_tcp_nomatch.sh
diff --git a/test/04.3_ipv6_udp_nomatch.sh b/test/04.3_ipv6_udp_nomatch.sh
diff --git a/test/04.4_ipv6_tcp_nomatch.sh b/test/04.4_ipv6_tcp_nomatch.sh
diff --git a/test/01_module_load.sh → test/1_module_load.sh b/test/01_module_load.sh → test/1_module_load.sh
diff --git a/test/02_rule_create.sh → test/2_rule_create.sh b/test/02_rule_create.sh → test/2_rule_create.sh
@@ -2,17 +2,20 @@
 
 function ipt() {
   cmd=$1
-  chain=$2
-  act=$3
-  ./test-ipt.sh $cmd $chain $act
+  table=$2
+  chain=$3
+  act=$4
+  ./test-ipt.sh $cmd $table $chain $act
 }
 function begin() {
   cmd=$1
-  chain=$2
-  ipt $cmd $chain "append"
+  table=$2
+  chain=$3
+  act=$4
+  ipt $cmd $table $chain "append"
 }
 function finish() {
-  ipt $cmd $chain "delete"
+  ipt $cmd $table $chain "delete"
 }
 function error() {
   echo "[ERR] $@"
@@ -26,10 +29,11 @@ function check() {
 }
 function main() {
   cmd=$1
-  chain=$2
-  begin $cmd $chain
+  table=$2
+  chain=$3
+  begin $cmd $table $chain
 
-  RULES=`$cmd --list-rules $chain -v`
+  RULES=`$cmd -t $table --list-rules $chain -v`
 
   check "-m dns --qr"
   check "-m dns ! --qr"
@@ -68,15 +72,17 @@ function main() {
   check "-m dns --maxsize 128"
   check "-m dns ! --maxsize 128"
 
-  finish $cmd $chain
+  finish $cmd $table $chain
 
-  echo "[PASS] $cmd add rules"
+  echo "[PASS] $cmd $table add rules"
   return 0
 }
 
 
-main "iptables" $(date +DNSTEST-IPv4-%Y%m%d)
+main "iptables" filter $(date +DNSTEST-IPv4-%Y%m%d)
+main "iptables" mangle $(date +DNSTEST-IPv4-%Y%m%d)
 
-main "ip6tables" $(date +DNSTEST-IPv6-%Y%m%d)
+main "ip6tables" filter $(date +DNSTEST-IPv6-%Y%m%d)
+main "ip6tables" mangle $(date +DNSTEST-IPv6-%Y%m%d)
 
 exit 0
diff --git a/test/3.1.1_check_ipv4_udp_input.sh b/test/3.1.1_check_ipv4_udp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh iptables udp filter
diff --git a/test/3.1.2_check_ipv4_udp_prerouting.sh b/test/3.1.2_check_ipv4_udp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh iptables udp mangle
diff --git a/test/3.2.1_check_ipv4_tcp_input.sh b/test/3.2.1_check_ipv4_tcp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh iptables tcp filter
diff --git a/test/3.2.2_check_ipv4_tcp_prerouting.sh b/test/3.2.2_check_ipv4_tcp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh iptables tcp mangle
diff --git a/test/3.3.1_check_ipv6_udp_input.sh b/test/3.3.1_check_ipv6_udp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh ip6tables udp filter
diff --git a/test/3.3.2_check_ipv6_udp_prerouting.sh b/test/3.3.2_check_ipv6_udp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh ip6tables udp mangle
diff --git a/test/3.4.1_check_ipv6_tcp_input.sh b/test/3.4.1_check_ipv6_tcp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh ip6tables tcp filter
diff --git a/test/3.4.2_check_ipv6_tcp_prerouting.sh b/test/3.4.2_check_ipv6_tcp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh ip6tables tcp mangle
diff --git a/test/4.1.1_check_no_ipv4_udp_input.sh b/test/4.1.1_check_no_ipv4_udp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh iptables udp filter
diff --git a/test/4.1.2_check_no_ipv4_udp_prerouting.sh b/test/4.1.2_check_no_ipv4_udp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh iptables udp mangle
diff --git a/test/4.2.1_check_no_ipv4_tcp_input.sh b/test/4.2.1_check_no_ipv4_tcp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh iptables tcp filter
diff --git a/test/4.2.2_check_no_ipv4_tcp_prerouting.sh b/test/4.2.2_check_no_ipv4_tcp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh iptables tcp mangle
diff --git a/test/4.3.1_check_no_ipv6_udp_input.sh b/test/4.3.1_check_no_ipv6_udp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh ip6tables udp filter
diff --git a/test/4.3.2_check_no_ipv6_udp_mangle.sh b/test/4.3.2_check_no_ipv6_udp_mangle.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh ip6tables udp mangle
diff --git a/test/4.4.1_check_no_ipv6_tcp_input.sh b/test/4.4.1_check_no_ipv6_tcp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh ip6tables tcp filter
diff --git a/test/4.4.2_check_no_ipv6_tcp_prerouting.sh b/test/4.4.2_check_no_ipv6_tcp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh ip6tables tcp mangle
diff --git a/test/Makefile.am b/test/Makefile.am
@@ -1,10 +1,18 @@
-TESTS=01_module_load.sh \
-02_rule_create.sh \
-03.1_ipv4_udp_match.sh \
-03.2_ipv4_tcp_match.sh \
-03.3_ipv6_udp_match.sh \
-03.4_ipv6_tcp_match.sh \
-04.1_ipv4_udp_nomatch.sh \
-04.2_ipv4_tcp_nomatch.sh \
-04.3_ipv6_udp_nomatch.sh \
-04.4_ipv6_tcp_nomatch.sh
+TESTS=1_module_load.sh \
+2_rule_create.sh \
+3.1.1_check_ipv4_udp_input.sh \
+3.1.2_check_ipv4_udp_prerouting.sh \
+3.2.1_check_ipv4_tcp_input.sh \
+3.2.2_check_ipv4_tcp_prerouting.sh \
+3.3.1_check_ipv6_udp_input.sh \
+3.3.2_check_ipv6_udp_prerouting.sh \
+3.4.1_check_ipv6_tcp_input.sh \
+3.4.2_check_ipv6_tcp_prerouting.sh \
+4.1.1_check_no_ipv4_udp_input.sh \
+4.1.2_check_no_ipv4_udp_prerouting.sh \
+4.2.1_check_no_ipv4_tcp_input.sh \
+4.2.2_check_no_ipv4_tcp_prerouting.sh \
+4.3.1_check_no_ipv6_udp_input.sh \
+4.3.2_check_no_ipv6_udp_mangle.sh \
+4.4.1_check_no_ipv6_tcp_input.sh \
+4.4.2_check_no_ipv6_tcp_prerouting.sh 
diff --git a/test/query_match.sh b/test/query_match.sh
@@ -1,9 +1,17 @@
 #!/bin/bash
 
-. query_match_common.sh
-
 IPT=$1
 PROTOCOL=$2
+TABLE=$3
+
+. query_match_common.sh
+
+if [ "$TABLE" = "filter" ] ; then
+  TARGET_CHAIN="INPUT"
+fi
+if [ "$TABLE" = "mangle" ] ; then
+  TARGET_CHAIN="PREROUTING"
+fi
 
 function match_check() {
   val=$1

diff --git a/test/query_match_common.sh b/test/query_match_common.sh
@@ -31,37 +31,37 @@ fi
 DNSTEST=$(date +DNSTEST-%Y%m%d)
 
 function ipt() {
-  ./test-ipt.sh $IPT $DNSTEST $1
+  ./test-ipt.sh $IPT $TABLE $DNSTEST $1
 }
 function begin() {
   ipt "append"
   if [ "$PROTOCOL" = "udp" ] ; then
-    $IPT -I INPUT -i lo -p udp --dport 53 -j $DNSTEST
+    $IPT -t $TABLE -I $TARGET_CHAIN -i lo -p udp --dport 53 -j $DNSTEST
   else
-    $IPT -I INPUT -i lo -p tcp --dport 53 -j $DNSTEST
+    $IPT -t $TABLE -I $TARGET_CHAIN -i lo -p tcp --dport 53 -j $DNSTEST
   fi
 }
 function finish() {
   if [ "$PROTOCOL" = "udp" ] ; then
-    $IPT -D INPUT -i lo -p udp --dport 53 -j $DNSTEST
+    $IPT -t $TABLE -D $TARGET_CHAIN -i lo -p udp --dport 53 -j $DNSTEST
   else
-    $IPT -D INPUT -i lo -p tcp --dport 53 -j $DNSTEST
+    $IPT -t $TABLE -D $TARGET_CHAIN -i lo -p tcp --dport 53 -j $DNSTEST
   fi
   ipt "delete"
 }
 function error() {
   echo "[FAIL] $@"
-  $IPT --list-rules $DNSTEST -v
+  $IPT -t $TABLE --list-rules $DNSTEST -v
   finish
   exit 1
 }
 function updateCheck() {
   rule=$1
-  $IPT --zero $DNSTEST
+  $IPT -t $TABLE --zero $DNSTEST
 
   echo $UPDATE_HEX | xxd -r -p | nc $SERVER 53 $NC_OPT > /dev/null 2>&1
 
-  res=$($IPT --list-rules $DNSTEST -v | grep -- "$rule")
+  res=$($IPT -t $TABLE --list-rules $DNSTEST -v | grep -- "$rule")
   if [ $? != 0 ] ; then
     echo "[ERR] $res"
     error $rule
@@ -76,9 +76,9 @@ function updateCheck() {
 function check() {
   rule=$1 ; shift
   domain=$1 ; shift
-  $IPT --zero $DNSTEST
+  $IPT -t $TABLE --zero $DNSTEST
   drill $domain @$SERVER $DRILL_OPT $@ > /dev/null 2>&1
-  res=$($IPT --list-rules $DNSTEST -v | grep -- "$rule ")
+  res=$($IPT -t $TABLE --list-rules $DNSTEST -v | grep -- "$rule ")
   if [ $? != 0 ] ; then
     echo "[ERR] $res"
     error $rule

diff --git a/test/query_nomatch.sh b/test/query_nomatch.sh
@@ -1,9 +1,17 @@
 #!/bin/bash
 
-. query_match_common.sh
-
 IPT=$1
 PROTOCOL=$2
+TABLE=$3
+
+. query_match_common.sh
+
+if [ "$TABLE" = "filter" ] ; then
+TARGET_CHAIN="INPUT"
+fi
+if [ "$TABLE" = "mangle" ] ; then
+TARGET_CHAIN="PREROUTING"
+fi
 
 function match_check() {
   val=$1