weburl iptables patch

--- /dev/null   2015-01-24 13:07:13.213991073 +0300
+++ include/linux/netfilter_ipv4/ipt_weburl.h   2015-01-25 11:36:44.000000000 +0300
@@ -0,0 +1,45 @@
+/*  weburl --  A netfilter module to match URLs in HTTP requests
+ *         This module can match using string match or regular expressions
+ *         Originally designed for use with Gargoyle router firmware (gargoyle-router.com)
+ *
+ *
+ *  Copyright © 2008 by Eric Bishop <[email protected]>
+ *
+ *  This file is free software: you may copy, redistribute and/or modify it
+ *  under the terms of the GNU General Public License as published by the
+ *  Free Software Foundation, either version 2 of the License, or (at your
+ *  option) any later version.
+ *
+ *  This file is distributed in the hope that it will be useful, but
+ *  WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+
+
+#ifndef _IPT_WEBURL_H
+#define _IPT_WEBURL_H
+
+
+#define MAX_TEST_STR 1024
+
+#define WEBURL_CONTAINS_TYPE 1
+#define WEBURL_REGEX_TYPE 2
+#define WEBURL_EXACT_TYPE 3
+#define WEBURL_ALL_PART 4
+#define WEBURL_DOMAIN_PART 5
+#define WEBURL_PATH_PART 6
+
+struct ipt_weburl_info
+{
+   char test_str[MAX_TEST_STR];
+   unsigned char match_type;
+   unsigned char match_part;
+   unsigned char invert;
+};
+#endif /*_IPT_WEBURL_H*/
--- /dev/null   2015-01-24 13:07:13.213991073 +0300
+++ extensions/libipt_weburl.c  2015-01-25 11:36:54.000000000 +0300
@@ -0,0 +1,294 @@
+/*  weburl --  An iptables extension to match URLs in HTTP requests
+ *         This module can match using string match or regular expressions
+ *         Originally designed for use with Gargoyle router firmware (gargoyle-router.com)
+ *
+ *
+ *  Copyright © 2008-2010 by Eric Bishop <[email protected]>
+ *
+ *  This file is free software: you may copy, redistribute and/or modify it
+ *  under the terms of the GNU General Public License as published by the
+ *  Free Software Foundation, either version 2 of the License, or (at your
+ *  option) any later version.
+ *
+ *  This file is distributed in the hope that it will be useful, but
+ *  WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+
+/*
+ * in iptables 1.4.0 and higher, iptables.h includes xtables.h, which
+ * we can use to check whether we need to deal with the new requirements
+ * in pre-processor directives below
+ */
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_weburl.h>
+
+#ifdef _XTABLES_H
+   #define iptables_rule_match xtables_rule_match
+   #define iptables_match      xtables_match
+   #define iptables_target     xtables_target
+   #define ipt_tryload     xt_tryload
+#endif
+
+/*
+ * XTABLES_VERSION_CODE is only defined in versions 1.4.1 and later, which
+ * also require the use of xtables_register_match
+ *
+ * Version 1.4.0 uses register_match like previous versions
+ */
+#ifdef XTABLES_VERSION_CODE
+   #define register_match          xtables_register_match
+#endif
+
+
+/* utility functions necessary for module to work across multiple iptables versions */
+static int  my_check_inverse(const char option[], int* invert, int *my_optind, int argc);
+static void param_problem_exit_error(char* msg);
+
+
+
+/* Function which prints out usage message. */
+static void help(void)
+{
+   printf( "weburl options:\n  --contains [!] [STRING]\n  --contains_regex [!] [REGEX]\n --matches_exactly [!] [STRING]\n --domain_only\n --path_only\n");
+}
+
+static struct option opts[] =
+{
+   { .name = "contains",       .has_arg = 1, .flag = 0, .val = WEBURL_CONTAINS_TYPE }, //string
+   { .name = "contains_regex",     .has_arg = 1, .flag = 0, .val = WEBURL_REGEX_TYPE },    //regex
+   { .name = "matches_exactly",    .has_arg = 1, .flag = 0, .val = WEBURL_EXACT_TYPE },    //exact string match
+   { .name = "domain_only",    .has_arg = 0, .flag = 0, .val = WEBURL_DOMAIN_PART },   //only match domain portion of url
+   { .name = "path_only",      .has_arg = 0, .flag = 0, .val = WEBURL_PATH_PART }, //only match path portion of url
+   { .name = 0 }
+};
+
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int parse(  int c,
+           char **argv,
+           int invert,
+           unsigned int *flags,
+#ifdef _XTABLES_H
+           const void *entry,
+#else
+           const struct ipt_entry *entry,
+           unsigned int *nfcache,
+#endif
+           struct ipt_entry_match **match
+           )
+{
+   struct ipt_weburl_info *info = (struct ipt_weburl_info *)(*match)->data;
+   int valid_arg = 0;
+
+   if(*flags < 10)
+   {
+       info->match_part = WEBURL_ALL_PART;
+   }
+
+   switch (c)
+   {
+       case WEBURL_CONTAINS_TYPE:
+       case WEBURL_REGEX_TYPE:
+       case WEBURL_EXACT_TYPE:
+           info->match_type = c;
+
+           //test whether to invert rule
+           my_check_inverse(optarg, &invert, &optind, 0);
+           info->invert = invert ? 1 : 0;
+
+           //test that test string is reasonable length, then to info
+           int testlen = strlen(argv[optind-1]);
+           if(testlen > 0 && testlen < MAX_TEST_STR)
+           {
+               strcpy(info->test_str, argv[optind-1]);
+           }
+           else if(testlen >= MAX_TEST_STR)
+           {
+               char err[100];
+               sprintf(err, "Parameter definition is too long, must be less than %d characters", MAX_TEST_STR);
+               param_problem_exit_error(err);
+           }
+           else
+           {
+               param_problem_exit_error("Parameter definition is incomplete");
+           }
+
+           if(*flags % 10 == 1)
+           {
+               param_problem_exit_error("You may only specify one string/pattern to match");
+           }
+           *flags = *flags + 1;
+
+           valid_arg = 1;
+           break;
+
+       case WEBURL_DOMAIN_PART:
+       case WEBURL_PATH_PART:
+           info->match_part = c;
+           if(*flags >= 10)
+           {
+               param_problem_exit_error("You may specify at most one part of the url to match:\n\t--domain_only, --path_only or neither (to match full url)\n");
+           }
+           *flags = *flags+10;
+
+           valid_arg = 1;
+           break;
+   }
+
+   return valid_arg;
+}
+
+
+
+static void print_weburl_args( struct ipt_weburl_info* info )
+{
+   //invert
+   if(info->invert > 0)
+   {
+       printf("! ");
+   }
+   else
+   {
+       printf(" ");
+   }
+   //match type
+   switch (info->match_type)
+   {
+       case WEBURL_CONTAINS_TYPE:
+           printf("--contains ");
+           break;
+       case WEBURL_REGEX_TYPE:
+           printf("--contains_regex ");
+           break;
+       case WEBURL_EXACT_TYPE:
+           printf("--matches_exactly ");
+           break;
+   }
+   //test string
+   printf("%s ", info->test_str);
+
+   //match part
+   switch(info->match_part)
+   {
+       case WEBURL_DOMAIN_PART:
+           printf("--domain_only ");
+           break;
+       case WEBURL_PATH_PART:
+           printf("--path_only ");
+           break;
+       case WEBURL_ALL_PART:
+           //print nothing
+           break;
+   }
+
+}
+
+/* Final check; must have specified a test string with either --contains or --contains_regex. */
+static void final_check(unsigned int flags)
+{
+   if (flags %10 == 0)
+   {
+       param_problem_exit_error("You must specify '--contains' or '--contains_regex' or '--matches_exactly'");
+   }
+}
+
+/* Prints out the matchinfo. */
+#ifdef _XTABLES_H
+static void print(const void *ip, const struct xt_entry_match *match, int numeric)
+#else
+static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric)
+#endif
+{
+   printf(" WEBURL ");
+   struct ipt_weburl_info *info = (struct ipt_weburl_info *)match->data;
+
+   print_weburl_args(info);
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+#ifdef _XTABLES_H
+static void save(const void *ip, const struct xt_entry_match *match)
+#else
+static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+#endif
+{
+   struct ipt_weburl_info *info = (struct ipt_weburl_info *)match->data;
+   print_weburl_args(info);
+}
+
+static struct iptables_match weburl =
+{
+   .next       = NULL,
+   .name       = "weburl",
+   #ifdef XTABLES_VERSION_CODE
+       .version = XTABLES_VERSION,
+   #else
+       .version = IPTABLES_VERSION,
+   #endif
+   .size       = XT_ALIGN(sizeof(struct ipt_weburl_info)),
+   .userspacesize  = XT_ALIGN(sizeof(struct ipt_weburl_info)),
+   .help       = &help,
+   .parse      = &parse,
+   .final_check    = &final_check,
+   .print      = &print,
+   .save       = &save,
+   .extra_opts = opts
+};
+
+void _init(void)
+{
+   register_match(&weburl);
+}
+
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+#ifndef FALSE
+#define FALSE 0
+#endif
+static int  my_check_inverse(const char option[], int* invert, int *my_optind, int argc)
+{
+   if (option && strcmp(option, "!") == 0)
+   {
+       if (*invert)
+       {
+           param_problem_exit_error("Multiple `!' flags not allowed");
+       }
+       *invert = TRUE;
+       if (my_optind != NULL)
+       {
+           ++*my_optind;
+           if (argc && *my_optind > argc)
+           {
+               param_problem_exit_error("no argument following `!'");
+           }
+       }
+       return TRUE;
+   }
+   return FALSE;
+}
+static void param_problem_exit_error(char* msg)
+{
+   #ifdef xtables_error
+       xtables_error(PARAMETER_PROBLEM, msg);
+   #else
+       exit_error(PARAMETER_PROBLEM, msg);
+   #endif
+}
+
+