Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / 1e01b0b82f70b0b11dcfbced485dbe7aeac4fb8c / . / extensions / libxt_state.c
blob: 66af518a2a8fe77a183b0b2e111d2bdfb7dcebc2 [file] [log] [blame]
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1/* Shared library add-on to iptables to add state tracking support. */
2#include <stdio.h>
3#include <netdb.h>
4#include <string.h>
5#include <stdlib.h>
6#include <getopt.h>
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]7#include <xtables.h>
Patrick McHardy40d54752007-04-18 07:00:36 +0000[diff] [blame]8#include <linux/netfilter/nf_conntrack_common.h>
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]9#include <linux/netfilter/xt_state.h>
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]10
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]11#ifndef XT_STATE_UNTRACKED
12#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
Harald Welte4dc734c2003-10-07 18:55:13 +0000[diff] [blame]13#endif
14
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]15static void
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]16state_help(void)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]17{
18 printf(
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]19"state match options:\n"
Harald Welte4dc734c2003-10-07 18:55:13 +0000[diff] [blame]20" [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]\n"
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]21" State(s) to match\n");
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]22}
23
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]24static const struct option state_opts[] = {
Patrick McHardy500f4832007-09-08 15:59:04 +0000[diff] [blame]25 { "state", 1, NULL, '1' },
Max Kellermann9ee386a2008-01-29 13:48:05 +0000[diff] [blame]26 { .name = NULL }
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]27};
28
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]29static int
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]30state_parse_state(const char *state, size_t len, struct xt_state_info *sinfo)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]31{
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]32 if (strncasecmp(state, "INVALID", len) == 0)
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]33 sinfo->statemask |= XT_STATE_INVALID;
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]34 else if (strncasecmp(state, "NEW", len) == 0)
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]35 sinfo->statemask |= XT_STATE_BIT(IP_CT_NEW);
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]36 else if (strncasecmp(state, "ESTABLISHED", len) == 0)
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]37 sinfo->statemask |= XT_STATE_BIT(IP_CT_ESTABLISHED);
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]38 else if (strncasecmp(state, "RELATED", len) == 0)
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]39 sinfo->statemask |= XT_STATE_BIT(IP_CT_RELATED);
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]40 else if (strncasecmp(state, "UNTRACKED", len) == 0)
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]41 sinfo->statemask |= XT_STATE_UNTRACKED;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]42 else
43 return 0;
44 return 1;
45}
46
47static void
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]48state_parse_states(const char *arg, struct xt_state_info *sinfo)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]49{
50 const char *comma;
51
52 while ((comma = strchr(arg, ',')) != NULL) {
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]53 if (comma == arg || !state_parse_state(arg, comma-arg, sinfo))
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]54 exit_error(PARAMETER_PROBLEM, "Bad state `%s'", arg);
55 arg = comma+1;
56 }
Pablo Neira Ayuso0ec8c0f2008-11-19 19:01:26 +0100[diff] [blame]57 if (!*arg)
58 exit_error(PARAMETER_PROBLEM, "`--state' requires a list of "
59 "states with no spaces, e.g. "
60 "ESTABLISHED,RELATED");
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]61 if (strlen(arg) == 0 || !state_parse_state(arg, strlen(arg), sinfo))
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]62 exit_error(PARAMETER_PROBLEM, "Bad state `%s'", arg);
63}
64
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]65static int
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]66state_parse(int c, char **argv, int invert, unsigned int *flags,
Yasuyuki KOZAKAIc0a9ab92007-07-24 06:02:05 +0000[diff] [blame]67 const void *entry,
Yasuyuki KOZAKAI193df8e2007-07-24 05:57:28 +0000[diff] [blame]68 struct xt_entry_match **match)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]69{
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]70 struct xt_state_info *sinfo = (struct xt_state_info *)(*match)->data;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]71
72 switch (c) {
73 case '1':
Harald Welteb77f1da2002-03-14 11:35:58 +0000[diff] [blame]74 check_inverse(optarg, &invert, &optind, 0);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]75
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]76 state_parse_states(argv[optind-1], sinfo);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]77 if (invert)
78 sinfo->statemask = ~sinfo->statemask;
79 *flags = 1;
80 break;
81
82 default:
83 return 0;
84 }
85
86 return 1;
87}
88
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]89static void state_final_check(unsigned int flags)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]90{
91 if (!flags)
92 exit_error(PARAMETER_PROBLEM, "You must specify `--state'");
93}
94
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]95static void state_print_state(unsigned int statemask)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]96{
97 const char *sep = "";
98
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]99 if (statemask & XT_STATE_INVALID) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]100 printf("%sINVALID", sep);
101 sep = ",";
102 }
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]103 if (statemask & XT_STATE_BIT(IP_CT_NEW)) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]104 printf("%sNEW", sep);
105 sep = ",";
106 }
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]107 if (statemask & XT_STATE_BIT(IP_CT_RELATED)) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]108 printf("%sRELATED", sep);
109 sep = ",";
110 }
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]111 if (statemask & XT_STATE_BIT(IP_CT_ESTABLISHED)) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]112 printf("%sESTABLISHED", sep);
113 sep = ",";
114 }
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]115 if (statemask & XT_STATE_UNTRACKED) {
Harald Welte4dc734c2003-10-07 18:55:13 +0000[diff] [blame]116 printf("%sUNTRACKED", sep);
117 sep = ",";
118 }
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]119 printf(" ");
120}
121
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]122static void
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]123state_print(const void *ip,
Yasuyuki KOZAKAI193df8e2007-07-24 05:57:28 +0000[diff] [blame]124 const struct xt_entry_match *match,
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]125 int numeric)
126{
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]127 struct xt_state_info *sinfo = (struct xt_state_info *)match->data;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]128
129 printf("state ");
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]130 state_print_state(sinfo->statemask);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]131}
132
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]133static void state_save(const void *ip, const struct xt_entry_match *match)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]134{
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]135 struct xt_state_info *sinfo = (struct xt_state_info *)match->data;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]136
137 printf("--state ");
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]138 state_print_state(sinfo->statemask);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]139}
140
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]141static struct xtables_match state_match = {
Jan Engelhardt03d99482008-11-18 12:27:54 +0100[diff] [blame]142 .family = NFPROTO_IPV4,
Pablo Neira8caee8b2004-12-28 13:11:59 +0000[diff] [blame]143 .name = "state",
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]144 .version = XTABLES_VERSION,
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]145 .size = XT_ALIGN(sizeof(struct xt_state_info)),
146 .userspacesize = XT_ALIGN(sizeof(struct xt_state_info)),
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]147 .help = state_help,
148 .parse = state_parse,
149 .final_check = state_final_check,
150 .print = state_print,
151 .save = state_save,
152 .extra_opts = state_opts,
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]153};
154
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]155static struct xtables_match state_match6 = {
Jan Engelhardt03d99482008-11-18 12:27:54 +0100[diff] [blame]156 .family = NFPROTO_IPV6,
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]157 .name = "state",
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]158 .version = XTABLES_VERSION,
Yasuyuki KOZAKAI1ff0b8d2007-08-04 08:09:51 +0000[diff] [blame]159 .size = XT_ALIGN(sizeof(struct xt_state_info)),
160 .userspacesize = XT_ALIGN(sizeof(struct xt_state_info)),
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]161 .help = state_help,
162 .parse = state_parse,
163 .final_check = state_final_check,
164 .print = state_print,
165 .save = state_save,
166 .extra_opts = state_opts,
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]167};
168
169void _init(void)
170{
László Attila Tóth72118882007-10-08 05:12:42 +0000[diff] [blame]171 xtables_register_match(&state_match);
172 xtables_register_match(&state_match6);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]173}