Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / 73f72f541ac4dab538d4d418b9bbf1707b31342b / . / iptables.c
blob: 6d62cabc7c62ebdb942394fe42181475866a4728 [file] [log] [blame]
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1/* Code to take an iptables-style command line and do it. */
2
3/*
4 * Author: Paul.Russell@rustcorp.com.au and mneuling@radlogic.com.au
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21#include <getopt.h>
22#include <string.h>
23#include <netdb.h>
24#include <errno.h>
25#include <stdio.h>
26#include <stdlib.h>
27#include <dlfcn.h>
28#include <ctype.h>
29#include <stdarg.h>
30#include <limits.h>
31#include <iptables.h>
32
33#ifndef TRUE
34#define TRUE 1
35#endif
36#ifndef FALSE
37#define FALSE 0
38#endif
39
40#ifndef IPT_LIB_DIR
41#define IPT_LIB_DIR "/usr/local/lib/iptables"
42#endif
43
44#define FMT_NUMERIC 0x0001
45#define FMT_NOCOUNTS 0x0002
46#define FMT_KILOMEGAGIGA 0x0004
47#define FMT_OPTIONS 0x0008
48#define FMT_NOTABLE 0x0010
49#define FMT_NOTARGET 0x0020
50#define FMT_VIA 0x0040
51#define FMT_NONEWLINE 0x0080
52#define FMT_LINENUMBERS 0x0100
53
54#define FMT_PRINT_RULE (FMT_NOCOUNTS | FMT_OPTIONS | FMT_VIA \
55 | FMT_NUMERIC | FMT_NOTABLE)
56#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
57
58
59#define CMD_NONE 0x0000U
60#define CMD_INSERT 0x0001U
61#define CMD_DELETE 0x0002U
62#define CMD_DELETE_NUM 0x0004U
63#define CMD_REPLACE 0x0008U
64#define CMD_APPEND 0x0010U
65#define CMD_LIST 0x0020U
66#define CMD_FLUSH 0x0040U
67#define CMD_ZERO 0x0080U
68#define CMD_NEW_CHAIN 0x0100U
69#define CMD_DELETE_CHAIN 0x0200U
70#define CMD_SET_POLICY 0x0400U
71#define CMD_CHECK 0x0800U
72#define CMD_RENAME_CHAIN 0x1000U
73#define NUMBER_OF_CMD 13
74static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
75 'N', 'X', 'P', 'C', 'E' };
76
77#define OPTION_OFFSET 256
78
79#define OPT_NONE 0x00000U
80#define OPT_NUMERIC 0x00001U
81#define OPT_SOURCE 0x00002U
82#define OPT_DESTINATION 0x00004U
83#define OPT_PROTOCOL 0x00008U
84#define OPT_JUMP 0x00010U
85#define OPT_VERBOSE 0x00020U
86#define OPT_EXPANDED 0x00040U
87#define OPT_VIANAMEIN 0x00080U
88#define OPT_VIANAMEOUT 0x00100U
89#define OPT_FRAGMENT 0x00200U
90#define OPT_LINENUMBERS 0x00400U
91#define NUMBER_OF_OPT 11
92static const char optflags[NUMBER_OF_OPT]
93= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', 'f', '3'};
94
95static struct option original_opts[] = {
96 { "append", 1, 0, 'A' },
97 { "delete", 1, 0, 'D' },
98 { "insert", 1, 0, 'I' },
99 { "replace", 1, 0, 'R' },
100 { "list", 2, 0, 'L' },
101 { "flush", 2, 0, 'F' },
102 { "zero", 2, 0, 'Z' },
103 { "check", 1, 0, 'C' },
104 { "new-chain", 1, 0, 'N' },
105 { "delete-chain", 2, 0, 'X' },
106 { "rename-chain", 2, 0, 'E' },
107 { "policy", 1, 0, 'P' },
108 { "source", 1, 0, 's' },
109 { "destination", 1, 0, 'd' },
110 { "src", 1, 0, 's' }, /* synonym */
111 { "dst", 1, 0, 'd' }, /* synonym */
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]112 { "protocol", 1, 0, 'p' },
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]113 { "in-interface", 1, 0, 'i' },
114 { "jump", 1, 0, 'j' },
115 { "table", 1, 0, 't' },
116 { "match", 1, 0, 'm' },
117 { "numeric", 0, 0, 'n' },
118 { "out-interface", 1, 0, 'o' },
119 { "verbose", 0, 0, 'v' },
120 { "exact", 0, 0, 'x' },
121 { "fragments", 0, 0, 'f' },
122 { "version", 0, 0, 'V' },
123 { "help", 2, 0, 'h' },
124 { "line-numbers", 0, 0, '0' },
125 { 0 }
126};
127
Rusty Russell4e242f82000-05-31 06:33:50 +0000[diff] [blame]128#ifndef __OPTIMIZE__
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]129static struct ipt_entry_target *
130ipt_get_target(struct ipt_entry *e)
131{
132 return (void *)e + e->target_offset;
133}
134#endif
135
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]136static struct option *opts = original_opts;
137static unsigned int global_option_offset = 0;
138
139/* Table of legal combinations of commands and options. If any of the
140 * given commands make an option legal, that option is legal (applies to
141 * CMD_LIST and CMD_ZERO only).
142 * Key:
143 * + compulsory
144 * x illegal
145 * optional
146 */
147
148static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
149/* Well, it's better than "Re: Linux vs FreeBSD" */
150{
151 /* -n -s -d -p -j -v -x -i -o -f --line */
152/*INSERT*/ {'x',' ',' ',' ',' ',' ','x',' ',' ',' ','x'},
153/*DELETE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ',' ','x'},
154/*DELETE_NUM*/{'x','x','x','x','x',' ','x','x','x','x','x'},
155/*REPLACE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ',' ','x'},
156/*APPEND*/ {'x',' ',' ',' ',' ',' ','x',' ',' ',' ','x'},
157/*LIST*/ {' ','x','x','x','x',' ',' ','x','x','x',' '},
158/*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
159/*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
160/*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
161/*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
162/*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x','x'},
Rusty Russella4860fd2000-06-17 16:13:02 +0000[diff] [blame]163/*CHECK*/ {'x','+','+','+','x',' ','x',' ',' ',' ','x'},
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]164/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x'}
165};
166
167static int inverse_for_options[NUMBER_OF_OPT] =
168{
169/* -n */ 0,
170/* -s */ IPT_INV_SRCIP,
171/* -d */ IPT_INV_DSTIP,
172/* -p */ IPT_INV_PROTO,
173/* -j */ 0,
174/* -v */ 0,
175/* -x */ 0,
176/* -i */ IPT_INV_VIA_IN,
177/* -o */ IPT_INV_VIA_OUT,
178/* -f */ IPT_INV_FRAG,
179/*--line*/ 0
180};
181
182const char *program_version;
183const char *program_name;
184
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]185/* Keeping track of external matches and targets: linked lists. */
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]186struct iptables_match *iptables_matches = NULL;
187struct iptables_target *iptables_targets = NULL;
188
189/* Extra debugging from libiptc */
190extern void dump_entries(const iptc_handle_t handle);
191
192/* A few hardcoded protocols for 'all' and in case the user has no
193 /etc/protocols */
194struct pprot {
195 char *name;
196 u_int8_t num;
197};
198
199static const struct pprot chain_protos[] = {
200 { "tcp", IPPROTO_TCP },
201 { "udp", IPPROTO_UDP },
202 { "icmp", IPPROTO_ICMP },
203 { "all", 0 },
204};
205
206static char *
Rusty Russell28381a42000-05-10 00:19:50 +0000[diff] [blame]207proto_to_name(u_int8_t proto, int nolookup)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]208{
209 unsigned int i;
210
Rusty Russell28381a42000-05-10 00:19:50 +0000[diff] [blame]211 if (proto && !nolookup) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]212 struct protoent *pent = getprotobynumber(proto);
213 if (pent)
214 return pent->p_name;
215 }
216
217 for (i = 0; i < sizeof(chain_protos)/sizeof(struct pprot); i++)
218 if (chain_protos[i].num == proto)
219 return chain_protos[i].name;
220
221 return NULL;
222}
223
224struct in_addr *
225dotted_to_addr(const char *dotted)
226{
227 static struct in_addr addr;
228 unsigned char *addrp;
229 char *p, *q;
230 int onebyte, i;
231 char buf[20];
232
233 /* copy dotted string, because we need to modify it */
234 strncpy(buf, dotted, sizeof(buf) - 1);
235 addrp = (unsigned char *) &(addr.s_addr);
236
237 p = buf;
238 for (i = 0; i < 3; i++) {
239 if ((q = strchr(p, '.')) == NULL)
240 return (struct in_addr *) NULL;
241
242 *q = '\0';
243 if ((onebyte = string_to_number(p, 0, 255)) == -1)
244 return (struct in_addr *) NULL;
245
246 addrp[i] = (unsigned char) onebyte;
247 p = q + 1;
248 }
249
250 /* we've checked 3 bytes, now we check the last one */
251 if ((onebyte = string_to_number(p, 0, 255)) == -1)
252 return (struct in_addr *) NULL;
253
254 addrp[3] = (unsigned char) onebyte;
255
256 return &addr;
257}
258
259static struct in_addr *
260network_to_addr(const char *name)
261{
262 struct netent *net;
263 static struct in_addr addr;
264
265 if ((net = getnetbyname(name)) != NULL) {
266 if (net->n_addrtype != AF_INET)
267 return (struct in_addr *) NULL;
268 addr.s_addr = htonl((unsigned long) net->n_net);
269 return &addr;
270 }
271
272 return (struct in_addr *) NULL;
273}
274
275static void
276inaddrcpy(struct in_addr *dst, struct in_addr *src)
277{
278 /* memcpy(dst, src, sizeof(struct in_addr)); */
279 dst->s_addr = src->s_addr;
280}
281
282void
283exit_error(enum exittype status, char *msg, ...)
284{
285 va_list args;
286
287 va_start(args, msg);
288 fprintf(stderr, "%s v%s: ", program_name, program_version);
289 vfprintf(stderr, msg, args);
290 va_end(args);
291 fprintf(stderr, "\n");
292 if (status == PARAMETER_PROBLEM)
293 exit_tryhelp(status);
294 if (status == VERSION_PROBLEM)
295 fprintf(stderr,
296 "Perhaps iptables or your kernel needs to be upgraded.\n");
297 exit(status);
298}
299
300void
301exit_tryhelp(int status)
302{
303 fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
304 program_name, program_name );
305 exit(status);
306}
307
308void
309exit_printhelp(void)
310{
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]311 struct iptables_match *m = NULL;
312 struct iptables_target *t = NULL;
313
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]314 printf("%s v%s\n\n"
315"Usage: %s -[ADC] chain rule-specification [options]\n"
316" %s -[RI] chain rulenum rule-specification [options]\n"
317" %s -D chain rulenum [options]\n"
318" %s -[LFZ] [chain] [options]\n"
319" %s -[NX] chain\n"
320" %s -E old-chain-name new-chain-name\n"
321" %s -P chain target [options]\n"
322" %s -h (print this help information)\n\n",
323 program_name, program_version, program_name, program_name,
324 program_name, program_name, program_name, program_name,
325 program_name, program_name);
326
327 printf(
328"Commands:\n"
329"Either long or short options are allowed.\n"
330" --append -A chain Append to chain\n"
331" --delete -D chain Delete matching rule from chain\n"
332" --delete -D chain rulenum\n"
333" Delete rule rulenum (1 = first) from chain\n"
334" --insert -I chain [rulenum]\n"
335" Insert in chain as rulenum (default 1=first)\n"
336" --replace -R chain rulenum\n"
337" Replace rule rulenum (1 = first) in chain\n"
338" --list -L [chain] List the rules in a chain or all chains\n"
339" --flush -F [chain] Delete all rules in chain or all chains\n"
340" --zero -Z [chain] Zero counters in chain or all chains\n"
341" --check -C chain Test this packet on chain\n"
342" --new -N chain Create a new user-defined chain\n"
343" --delete-chain\n"
344" -X [chain] Delete a user-defined chain\n"
345" --policy -P chain target\n"
346" Change policy on chain to target\n"
347" --rename-chain\n"
348" -E old-chain new-chain\n"
349" Change chain name, (moving any references)\n"
350
351"Options:\n"
352" --proto -p [!] proto protocol: by number or name, eg. `tcp'\n"
353" --source -s [!] address[/mask]\n"
354" source specification\n"
355" --destination -d [!] address[/mask]\n"
356" destination specification\n"
357" --in-interface -i [!] input name[+]\n"
358" network interface name ([+] for wildcard)\n"
359" --jump -j target\n"
360" target for rule\n"
361" --numeric -n numeric output of addresses and ports\n"
362" --out-interface -o [!] output name[+]\n"
363" network interface name ([+] for wildcard)\n"
364" --table -t table table to manipulate (default: `filter')\n"
365" --verbose -v verbose mode\n"
366" --exact -x expand numbers (display exact values)\n"
367"[!] --fragment -f match second or further fragments only\n"
368"[!] --version -V print package version.\n");
369
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]370 /* Print out any special helps. A user might like to be able to add a --help
371 to the commandline, and see expected results. So we call help for all
372 matches & targets */
373 for (t=iptables_targets;t;t=t->next) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]374 printf("\n");
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]375 t->help();
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]376 }
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]377 for (m=iptables_matches;m;m=m->next) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]378 printf("\n");
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]379 m->help();
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]380 }
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]381 exit(0);
382}
383
384static void
385generic_opt_check(int command, int options)
386{
387 int i, j, legal = 0;
388
389 /* Check that commands are valid with options. Complicated by the
390 * fact that if an option is legal with *any* command given, it is
391 * legal overall (ie. -z and -l).
392 */
393 for (i = 0; i < NUMBER_OF_OPT; i++) {
394 legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */
395
396 for (j = 0; j < NUMBER_OF_CMD; j++) {
397 if (!(command & (1<<j)))
398 continue;
399
400 if (!(options & (1<<i))) {
401 if (commands_v_options[j][i] == '+')
402 exit_error(PARAMETER_PROBLEM,
403 "You need to supply the `-%c' "
404 "option for this command\n",
405 optflags[i]);
406 } else {
407 if (commands_v_options[j][i] != 'x')
408 legal = 1;
409 else if (legal == 0)
410 legal = -1;
411 }
412 }
413 if (legal == -1)
414 exit_error(PARAMETER_PROBLEM,
415 "Illegal option `-%c' with this command\n",
416 optflags[i]);
417 }
418}
419
420static char
421opt2char(int option)
422{
423 const char *ptr;
424 for (ptr = optflags; option > 1; option >>= 1, ptr++);
425
426 return *ptr;
427}
428
429static char
430cmd2char(int option)
431{
432 const char *ptr;
433 for (ptr = cmdflags; option > 1; option >>= 1, ptr++);
434
435 return *ptr;
436}
437
438static void
439add_command(int *cmd, const int newcmd, const int othercmds, int invert)
440{
441 if (invert)
442 exit_error(PARAMETER_PROBLEM, "unexpected ! flag");
443 if (*cmd & (~othercmds))
444 exit_error(PARAMETER_PROBLEM, "Can't use -%c with -%c\n",
445 cmd2char(newcmd), cmd2char(*cmd & (~othercmds)));
446 *cmd |= newcmd;
447}
448
449int
450check_inverse(const char option[], int *invert)
451{
452 if (option && strcmp(option, "!") == 0) {
453 if (*invert)
454 exit_error(PARAMETER_PROBLEM,
455 "Multiple `!' flags not allowed");
456
457 *invert = TRUE;
458 return TRUE;
459 }
460 return FALSE;
461}
462
463static void *
464fw_calloc(size_t count, size_t size)
465{
466 void *p;
467
468 if ((p = calloc(count, size)) == NULL) {
469 perror("iptables: calloc failed");
470 exit(1);
471 }
472 return p;
473}
474
475static void *
476fw_malloc(size_t size)
477{
478 void *p;
479
480 if ((p = malloc(size)) == NULL) {
481 perror("iptables: malloc failed");
482 exit(1);
483 }
484 return p;
485}
486
487static struct in_addr *
488host_to_addr(const char *name, unsigned int *naddr)
489{
490 struct hostent *host;
491 struct in_addr *addr;
492 unsigned int i;
493
494 *naddr = 0;
495 if ((host = gethostbyname(name)) != NULL) {
496 if (host->h_addrtype != AF_INET ||
497 host->h_length != sizeof(struct in_addr))
498 return (struct in_addr *) NULL;
499
500 while (host->h_addr_list[*naddr] != (char *) NULL)
501 (*naddr)++;
502 addr = fw_calloc(*naddr, sizeof(struct in_addr));
503 for (i = 0; i < *naddr; i++)
504 inaddrcpy(&(addr[i]),
505 (struct in_addr *) host->h_addr_list[i]);
506 return addr;
507 }
508
509 return (struct in_addr *) NULL;
510}
511
512static char *
513addr_to_host(const struct in_addr *addr)
514{
515 struct hostent *host;
516
517 if ((host = gethostbyaddr((char *) addr,
518 sizeof(struct in_addr), AF_INET)) != NULL)
519 return (char *) host->h_name;
520
521 return (char *) NULL;
522}
523
524/*
525 * All functions starting with "parse" should succeed, otherwise
526 * the program fails.
527 * Most routines return pointers to static data that may change
528 * between calls to the same or other routines with a few exceptions:
529 * "host_to_addr", "parse_hostnetwork", and "parse_hostnetworkmask"
530 * return global static data.
531*/
532
533static struct in_addr *
534parse_hostnetwork(const char *name, unsigned int *naddrs)
535{
536 struct in_addr *addrp, *addrptmp;
537
538 if ((addrptmp = dotted_to_addr(name)) != NULL ||
539 (addrptmp = network_to_addr(name)) != NULL) {
540 addrp = fw_malloc(sizeof(struct in_addr));
541 inaddrcpy(addrp, addrptmp);
542 *naddrs = 1;
543 return addrp;
544 }
545 if ((addrp = host_to_addr(name, naddrs)) != NULL)
546 return addrp;
547
548 exit_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
549}
550
551static struct in_addr *
552parse_mask(char *mask)
553{
554 static struct in_addr maskaddr;
555 struct in_addr *addrp;
556 int bits;
557
558 if (mask == NULL) {
559 /* no mask at all defaults to 32 bits */
560 maskaddr.s_addr = 0xFFFFFFFF;
561 return &maskaddr;
562 }
563 if ((addrp = dotted_to_addr(mask)) != NULL)
564 /* dotted_to_addr already returns a network byte order addr */
565 return addrp;
566 if ((bits = string_to_number(mask, 0, 32)) == -1)
567 exit_error(PARAMETER_PROBLEM,
568 "invalid mask `%s' specified", mask);
569 if (bits != 0) {
570 maskaddr.s_addr = htonl(0xFFFFFFFF << (32 - bits));
571 return &maskaddr;
572 }
573
574 maskaddr.s_addr = 0L;
575 return &maskaddr;
576}
577
578static void
579parse_hostnetworkmask(const char *name, struct in_addr **addrpp,
580 struct in_addr *maskp, unsigned int *naddrs)
581{
582 struct in_addr *addrp;
583 char buf[256];
584 char *p;
585 int i, j, k, n;
586
587 strncpy(buf, name, sizeof(buf) - 1);
588 if ((p = strrchr(buf, '/')) != NULL) {
589 *p = '\0';
590 addrp = parse_mask(p + 1);
591 } else
592 addrp = parse_mask(NULL);
593 inaddrcpy(maskp, addrp);
594
595 /* if a null mask is given, the name is ignored, like in "any/0" */
596 if (maskp->s_addr == 0L)
597 strcpy(buf, "0.0.0.0");
598
599 addrp = *addrpp = parse_hostnetwork(buf, naddrs);
600 n = *naddrs;
601 for (i = 0, j = 0; i < n; i++) {
602 addrp[j++].s_addr &= maskp->s_addr;
603 for (k = 0; k < j - 1; k++) {
604 if (addrp[k].s_addr == addrp[j - 1].s_addr) {
605 (*naddrs)--;
606 j--;
607 break;
608 }
609 }
610 }
611}
612
613struct iptables_match *
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]614find_match(const char *name, enum ipt_tryload tryload)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]615{
616 struct iptables_match *ptr;
617
618 for (ptr = iptables_matches; ptr; ptr = ptr->next) {
619 if (strcmp(name, ptr->name) == 0)
620 break;
621 }
622
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]623 if (!ptr && tryload != DONT_LOAD) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]624 char path[sizeof(IPT_LIB_DIR) + sizeof("/libipt_.so")
625 + strlen(name)];
626 sprintf(path, IPT_LIB_DIR "/libipt_%s.so", name);
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]627 if (dlopen(path, RTLD_NOW)) {
628 /* Found library. If it didn't register itself,
629 maybe they specified target as match. */
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]630 ptr = find_match(name, DONT_LOAD);
631
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]632 if (!ptr)
633 exit_error(PARAMETER_PROBLEM,
634 "Couldn't load match `%s'\n",
635 name);
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]636 } else if (tryload == LOAD_MUST_SUCCEED)
637 exit_error(PARAMETER_PROBLEM,
638 "Couldn't load match `%s'\n", name);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]639 }
640
641 return ptr;
642}
643
Rusty Russell28381a42000-05-10 00:19:50 +0000[diff] [blame]644/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
645static struct iptables_match *
646find_proto(const char *pname, enum ipt_tryload tryload, int nolookup)
647{
648 int proto;
649
650 proto = string_to_number(pname, 0, 255);
651 if (proto != -1)
652 return find_match(proto_to_name(proto, nolookup), tryload);
653
654 return find_match(pname, tryload);
655}
656
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]657static u_int16_t
658parse_protocol(const char *s)
659{
Rusty Russell28381a42000-05-10 00:19:50 +0000[diff] [blame]660 int proto = string_to_number(s, 0, 255);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]661
662 if (proto == -1) {
663 struct protoent *pent;
664
665 if ((pent = getprotobyname(s)))
666 proto = pent->p_proto;
667 else {
668 unsigned int i;
669 for (i = 0;
670 i < sizeof(chain_protos)/sizeof(struct pprot);
671 i++) {
672 if (strcmp(s, chain_protos[i].name) == 0) {
673 proto = chain_protos[i].num;
674 break;
675 }
676 }
677 if (i == sizeof(chain_protos)/sizeof(struct pprot))
678 exit_error(PARAMETER_PROBLEM,
679 "unknown protocol `%s' specified",
680 s);
681 }
682 }
683
684 return (u_int16_t)proto;
685}
686
687static void
688parse_interface(const char *arg, char *vianame, unsigned char *mask)
689{
690 int vialen = strlen(arg);
691 unsigned int i;
692
693 memset(mask, 0, IFNAMSIZ);
694 memset(vianame, 0, IFNAMSIZ);
695
696 if (vialen + 1 > IFNAMSIZ)
697 exit_error(PARAMETER_PROBLEM,
698 "interface name `%s' must be shorter than IFNAMSIZ"
699 " (%i)", arg, IFNAMSIZ-1);
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]700
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]701 strcpy(vianame, arg);
702 if (vialen == 0)
703 memset(mask, 0, IFNAMSIZ);
704 else if (vianame[vialen - 1] == '+') {
705 memset(mask, 0xFF, vialen - 1);
706 memset(mask + vialen - 1, 0, IFNAMSIZ - vialen + 1);
707 /* Remove `+' */
708 vianame[vialen - 1] = '\0';
709 } else {
710 /* Include nul-terminator in match */
711 memset(mask, 0xFF, vialen + 1);
712 memset(mask + vialen + 1, 0, IFNAMSIZ - vialen - 1);
713 }
714 for (i = 0; vianame[i]; i++) {
715 if (!isalnum(vianame[i])) {
716 printf("Warning: wierd character in interface"
717 " `%s' (No aliases, :, ! or *).\n",
718 vianame);
719 break;
720 }
721 }
722}
723
724/* Can't be zero. */
725static int
726parse_rulenumber(const char *rule)
727{
728 int rulenum = string_to_number(rule, 1, INT_MAX);
729
730 if (rulenum == -1)
731 exit_error(PARAMETER_PROBLEM,
732 "Invalid rule number `%s'", rule);
733
734 return rulenum;
735}
736
737static const char *
738parse_target(const char *targetname)
739{
740 const char *ptr;
741
742 if (strlen(targetname) < 1)
743 exit_error(PARAMETER_PROBLEM,
744 "Invalid target name (too short)");
745
746 if (strlen(targetname)+1 > sizeof(ipt_chainlabel))
747 exit_error(PARAMETER_PROBLEM,
748 "Invalid target name `%s' (%i chars max)",
749 targetname, sizeof(ipt_chainlabel)-1);
750
751 for (ptr = targetname; *ptr; ptr++)
752 if (isspace(*ptr))
753 exit_error(PARAMETER_PROBLEM,
754 "Invalid target name `%s'", targetname);
755 return targetname;
756}
757
758static char *
759addr_to_network(const struct in_addr *addr)
760{
761 struct netent *net;
762
763 if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
764 return (char *) net->n_name;
765
766 return (char *) NULL;
767}
768
769char *
770addr_to_dotted(const struct in_addr *addrp)
771{
772 static char buf[20];
773 const unsigned char *bytep;
774
775 bytep = (const unsigned char *) &(addrp->s_addr);
776 sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
777 return buf;
778}
779static char *
780addr_to_anyname(const struct in_addr *addr)
781{
782 char *name;
783
784 if ((name = addr_to_host(addr)) != NULL ||
785 (name = addr_to_network(addr)) != NULL)
786 return name;
787
788 return addr_to_dotted(addr);
789}
790
791static char *
792mask_to_dotted(const struct in_addr *mask)
793{
794 int i;
795 static char buf[20];
796 u_int32_t maskaddr, bits;
797
798 maskaddr = ntohl(mask->s_addr);
799
800 if (maskaddr == 0xFFFFFFFFL)
801 /* we don't want to see "/32" */
802 return "";
803
804 i = 32;
805 bits = 0xFFFFFFFEL;
806 while (--i >= 0 && maskaddr != bits)
807 bits <<= 1;
808 if (i >= 0)
809 sprintf(buf, "/%d", i);
810 else
811 /* mask was not a decent combination of 1's and 0's */
812 sprintf(buf, "/%s", addr_to_dotted(mask));
813
814 return buf;
815}
816
817int
818string_to_number(const char *s, int min, int max)
819{
820 int number;
821 char *end;
822
823 /* Handle hex, octal, etc. */
824 number = (int)strtol(s, &end, 0);
825 if (*end == '\0' && end != s) {
826 /* we parsed a number, let's see if we want this */
827 if (min <= number && number <= max)
828 return number;
829 }
830 return -1;
831}
832
833static void
834set_option(unsigned int *options, unsigned int option, u_int8_t *invflg,
835 int invert)
836{
837 if (*options & option)
838 exit_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed",
839 opt2char(option));
840 *options |= option;
841
842 if (invert) {
843 unsigned int i;
844 for (i = 0; 1 << i != option; i++);
845
846 if (!inverse_for_options[i])
847 exit_error(PARAMETER_PROBLEM,
848 "cannot have ! before -%c",
849 opt2char(option));
850 *invflg |= inverse_for_options[i];
851 }
852}
853
854struct iptables_target *
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]855find_target(const char *name, enum ipt_tryload tryload)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]856{
857 struct iptables_target *ptr;
858
859 /* Standard target? */
860 if (strcmp(name, "") == 0
861 || strcmp(name, IPTC_LABEL_ACCEPT) == 0
862 || strcmp(name, IPTC_LABEL_DROP) == 0
863 || strcmp(name, IPTC_LABEL_QUEUE) == 0
864 || strcmp(name, IPTC_LABEL_RETURN) == 0)
865 name = "standard";
866
867 for (ptr = iptables_targets; ptr; ptr = ptr->next) {
868 if (strcmp(name, ptr->name) == 0)
869 break;
870 }
871
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]872 if (!ptr && tryload != DONT_LOAD) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]873 char path[sizeof(IPT_LIB_DIR) + sizeof("/libipt_.so")
874 + strlen(name)];
875 sprintf(path, IPT_LIB_DIR "/libipt_%s.so", name);
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]876 if (dlopen(path, RTLD_NOW)) {
877 /* Found library. If it didn't register itself,
878 maybe they specified match as a target. */
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]879 ptr = find_target(name, DONT_LOAD);
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]880 if (!ptr)
881 exit_error(PARAMETER_PROBLEM,
882 "Couldn't load target `%s'\n",
883 name);
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]884 } else if (tryload == LOAD_MUST_SUCCEED)
885 exit_error(PARAMETER_PROBLEM,
886 "Couldn't load target `%s'\n", name);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]887 }
888
889 return ptr;
890}
891
892static struct option *
893merge_options(struct option *oldopts, struct option *newopts,
894 unsigned int *option_offset)
895{
896 unsigned int num_old, num_new, i;
897 struct option *merge;
898
899 for (num_old = 0; oldopts[num_old].name; num_old++);
900 for (num_new = 0; newopts[num_new].name; num_new++);
901
902 global_option_offset += OPTION_OFFSET;
903 *option_offset = global_option_offset;
904
905 merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
906 memcpy(merge, oldopts, num_old * sizeof(struct option));
907 for (i = 0; i < num_new; i++) {
908 merge[num_old + i] = newopts[i];
909 merge[num_old + i].val += *option_offset;
910 }
911 memset(merge + num_old + num_new, 0, sizeof(struct option));
912
913 return merge;
914}
915
916void
917register_match(struct iptables_match *me)
918{
919 if (strcmp(me->version, program_version) != 0) {
920 fprintf(stderr, "%s: match `%s' v%s (I'm v%s).\n",
921 program_name, me->name, me->version, program_version);
922 exit(1);
923 }
924
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]925 if (find_match(me->name, DONT_LOAD)) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]926 fprintf(stderr, "%s: match `%s' already registered.\n",
927 program_name, me->name);
928 exit(1);
929 }
930
Rusty Russell73f72f52000-07-03 10:17:57 +0000[diff] [blame^]931 if (me->size != IPT_ALIGN(me->size)) {
932 fprintf(stderr, "%s: match `%s' has invalid size %u.\n",
933 program_name, me->name, me->size);
934 exit(1);
935 }
936
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]937 /* Prepend to list. */
938 me->next = iptables_matches;
939 iptables_matches = me;
940 me->m = NULL;
941 me->mflags = 0;
942
943 opts = merge_options(opts, me->extra_opts, &me->option_offset);
944}
945
946void
947register_target(struct iptables_target *me)
948{
949 if (strcmp(me->version, program_version) != 0) {
950 fprintf(stderr, "%s: target `%s' v%s (I'm v%s).\n",
951 program_name, me->name, me->version, program_version);
952 exit(1);
953 }
954
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]955 if (find_target(me->name, DONT_LOAD)) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]956 fprintf(stderr, "%s: target `%s' already registered.\n",
957 program_name, me->name);
958 exit(1);
959 }
960
Rusty Russell73f72f52000-07-03 10:17:57 +0000[diff] [blame^]961 if (me->size != IPT_ALIGN(me->size)) {
962 fprintf(stderr, "%s: target `%s' has invalid size %u.\n",
963 program_name, me->name, me->size);
964 exit(1);
965 }
966
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]967 /* Prepend to list. */
968 me->next = iptables_targets;
969 iptables_targets = me;
970 me->t = NULL;
971 me->tflags = 0;
972
973 opts = merge_options(opts, me->extra_opts, &me->option_offset);
974}
975
976static void
977print_header(unsigned int format, const char *chain, iptc_handle_t *handle)
978{
979 struct ipt_counters counters;
980 const char *pol = iptc_get_policy(chain, &counters, handle);
981 printf("Chain %s", chain);
982 if (pol) {
983 printf(" (policy %s", pol);
984 if (!(format & FMT_NOCOUNTS))
985 printf(" %llu packets, %llu bytes",
986 counters.pcnt, counters.bcnt);
987 printf(")\n");
988 } else {
989 unsigned int refs;
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]990 if (!iptc_get_references(&refs, chain, handle))
991 printf(" (ERROR obtaining refs)\n");
992 else
993 printf(" (%u references)\n", refs);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]994 }
995
996 if (format & FMT_LINENUMBERS)
997 printf(FMT("%-4s ", "%s "), "num");
998 if (!(format & FMT_NOCOUNTS)) {
999 if (format & FMT_KILOMEGAGIGA) {
1000 printf(FMT("%5s ","%s "), "pkts");
1001 printf(FMT("%5s ","%s "), "bytes");
1002 } else {
1003 printf(FMT("%8s ","%s "), "pkts");
1004 printf(FMT("%10s ","%s "), "bytes");
1005 }
1006 }
1007 if (!(format & FMT_NOTARGET))
1008 printf(FMT("%-9s ","%s "), "target");
1009 fputs(" prot ", stdout);
1010 if (format & FMT_OPTIONS)
1011 fputs("opt", stdout);
1012 if (format & FMT_VIA) {
1013 printf(FMT(" %-6s ","%s "), "in");
1014 printf(FMT("%-6s ","%s "), "out");
1015 }
1016 printf(FMT(" %-19s ","%s "), "source");
1017 printf(FMT(" %-19s "," %s "), "destination");
1018 printf("\n");
1019}
1020
1021static void
1022print_num(u_int64_t number, unsigned int format)
1023{
1024 if (format & FMT_KILOMEGAGIGA) {
1025 if (number > 99999) {
1026 number = (number + 500) / 1000;
1027 if (number > 9999) {
1028 number = (number + 500) / 1000;
1029 if (number > 9999) {
1030 number = (number + 500) / 1000;
1031 printf(FMT("%4lluG ","%lluG "),number);
1032 }
1033 else printf(FMT("%4lluM ","%lluM "), number);
1034 } else
1035 printf(FMT("%4lluK ","%lluK "), number);
1036 } else
1037 printf(FMT("%5llu ","%llu "), number);
1038 } else
1039 printf(FMT("%8llu ","%llu "), number);
1040}
1041
1042static int
1043print_match(const struct ipt_entry_match *m,
1044 const struct ipt_ip *ip,
1045 int numeric)
1046{
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]1047 struct iptables_match *match = find_match(m->u.user.name, TRY_LOAD);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1048
1049 if (match) {
1050 if (match->print)
1051 match->print(ip, m, numeric);
1052 } else {
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1053 if (m->u.user.name[0])
1054 printf("UNKNOWN match `%s' ", m->u.user.name);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1055 }
1056 /* Don't stop iterating. */
1057 return 0;
1058}
1059
1060/* e is called `fw' here for hysterical raisins */
1061static void
1062print_firewall(const struct ipt_entry *fw,
1063 const char *targname,
1064 unsigned int num,
1065 unsigned int format,
1066 const iptc_handle_t handle)
1067{
1068 struct iptables_target *target = NULL;
1069 const struct ipt_entry_target *t;
1070 u_int8_t flags;
1071 char buf[BUFSIZ];
1072
1073 /* User creates a chain called "REJECT": this overrides the
1074 `REJECT' target module. Keep feeding them rope until the
1075 revolution... Bwahahahahah */
1076 if (!iptc_is_chain(targname, handle))
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]1077 target = find_target(targname, TRY_LOAD);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1078 else
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]1079 target = find_target(IPT_STANDARD_TARGET, LOAD_MUST_SUCCEED);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1080
1081 t = ipt_get_target((struct ipt_entry *)fw);
1082 flags = fw->ip.flags;
1083
1084 if (format & FMT_LINENUMBERS)
1085 printf(FMT("%-4u ", "%u "), num+1);
1086
1087 if (!(format & FMT_NOCOUNTS)) {
1088 print_num(fw->counters.pcnt, format);
1089 print_num(fw->counters.bcnt, format);
1090 }
1091
1092 if (!(format & FMT_NOTARGET))
1093 printf(FMT("%-9s ", "%s "), targname);
1094
1095 fputc(fw->ip.invflags & IPT_INV_PROTO ? '!' : ' ', stdout);
1096 {
Rusty Russell28381a42000-05-10 00:19:50 +0000[diff] [blame]1097 char *pname = proto_to_name(fw->ip.proto, format&FMT_NUMERIC);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1098 if (pname)
1099 printf(FMT("%-5s", "%s "), pname);
1100 else
1101 printf(FMT("%-5hu", "%hu "), fw->ip.proto);
1102 }
1103
1104 if (format & FMT_OPTIONS) {
1105 if (format & FMT_NOTABLE)
1106 fputs("opt ", stdout);
1107 fputc(fw->ip.invflags & IPT_INV_FRAG ? '!' : '-', stdout);
1108 fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
1109 fputc(' ', stdout);
1110 }
1111
1112 if (format & FMT_VIA) {
1113 char iface[IFNAMSIZ+2];
1114
1115 if (fw->ip.invflags & IPT_INV_VIA_IN) {
1116 iface[0] = '!';
1117 iface[1] = '\0';
1118 }
1119 else iface[0] = '\0';
1120
1121 if (fw->ip.iniface[0] != '\0') {
1122 strcat(iface, fw->ip.iniface);
1123 /* If it doesn't compare the nul-term, it's a
1124 wildcard. */
1125 if (fw->ip.iniface_mask[strlen(fw->ip.iniface)] == 0)
1126 strcat(iface, "+");
1127 }
1128 else if (format & FMT_NUMERIC) strcat(iface, "*");
1129 else strcat(iface, "any");
1130 printf(FMT(" %-6s ","in %s "), iface);
1131
1132 if (fw->ip.invflags & IPT_INV_VIA_OUT) {
1133 iface[0] = '!';
1134 iface[1] = '\0';
1135 }
1136 else iface[0] = '\0';
1137
1138 if (fw->ip.outiface[0] != '\0') {
1139 strcat(iface, fw->ip.outiface);
1140 /* If it doesn't compare the nul-term, it's a
1141 wildcard. */
1142 if (fw->ip.outiface_mask[strlen(fw->ip.outiface)] == 0)
1143 strcat(iface, "+");
1144 }
1145 else if (format & FMT_NUMERIC) strcat(iface, "*");
1146 else strcat(iface, "any");
1147 printf(FMT("%-6s ","out %s "), iface);
1148 }
1149
1150 fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
1151 if (fw->ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC))
1152 printf(FMT("%-19s ","%s "), "anywhere");
1153 else {
1154 if (format & FMT_NUMERIC)
1155 sprintf(buf, "%s", addr_to_dotted(&(fw->ip.src)));
1156 else
1157 sprintf(buf, "%s", addr_to_anyname(&(fw->ip.src)));
1158 strcat(buf, mask_to_dotted(&(fw->ip.smsk)));
1159 printf(FMT("%-19s ","%s "), buf);
1160 }
1161
1162 fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
1163 if (fw->ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC))
1164 printf(FMT("%-19s","-> %s"), "anywhere");
1165 else {
1166 if (format & FMT_NUMERIC)
1167 sprintf(buf, "%s", addr_to_dotted(&(fw->ip.dst)));
1168 else
1169 sprintf(buf, "%s", addr_to_anyname(&(fw->ip.dst)));
1170 strcat(buf, mask_to_dotted(&(fw->ip.dmsk)));
1171 printf(FMT("%-19s","-> %s"), buf);
1172 }
1173
1174 if (format & FMT_NOTABLE)
1175 fputs(" ", stdout);
1176
1177 IPT_MATCH_ITERATE(fw, print_match, &fw->ip, format & FMT_NUMERIC);
1178
1179 if (target) {
1180 if (target->print)
1181 /* Print the target information. */
1182 target->print(&fw->ip, t, format & FMT_NUMERIC);
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1183 } else if (t->u.target_size != sizeof(*t))
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1184 printf("[%u bytes of unknown target data] ",
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1185 t->u.target_size - sizeof(*t));
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1186
1187 if (!(format & FMT_NONEWLINE))
1188 fputc('\n', stdout);
1189}
1190
1191static void
1192print_firewall_line(const struct ipt_entry *fw,
1193 const iptc_handle_t h)
1194{
1195 struct ipt_entry_target *t;
1196
1197 t = ipt_get_target((struct ipt_entry *)fw);
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1198 print_firewall(fw, t->u.user.name, 0, FMT_PRINT_RULE, h);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1199}
1200
1201static int
1202append_entry(const ipt_chainlabel chain,
1203 struct ipt_entry *fw,
1204 unsigned int nsaddrs,
1205 const struct in_addr saddrs[],
1206 unsigned int ndaddrs,
1207 const struct in_addr daddrs[],
1208 int verbose,
1209 iptc_handle_t *handle)
1210{
1211 unsigned int i, j;
1212 int ret = 1;
1213
1214 for (i = 0; i < nsaddrs; i++) {
1215 fw->ip.src.s_addr = saddrs[i].s_addr;
1216 for (j = 0; j < ndaddrs; j++) {
1217 fw->ip.dst.s_addr = daddrs[j].s_addr;
1218 if (verbose)
1219 print_firewall_line(fw, *handle);
1220 ret &= iptc_append_entry(chain, fw, handle);
1221 }
1222 }
1223
1224 return ret;
1225}
1226
1227static int
1228replace_entry(const ipt_chainlabel chain,
1229 struct ipt_entry *fw,
1230 unsigned int rulenum,
1231 const struct in_addr *saddr,
1232 const struct in_addr *daddr,
1233 int verbose,
1234 iptc_handle_t *handle)
1235{
1236 fw->ip.src.s_addr = saddr->s_addr;
1237 fw->ip.dst.s_addr = daddr->s_addr;
1238
1239 if (verbose)
1240 print_firewall_line(fw, *handle);
1241 return iptc_replace_entry(chain, fw, rulenum, handle);
1242}
1243
1244static int
1245insert_entry(const ipt_chainlabel chain,
1246 struct ipt_entry *fw,
1247 unsigned int rulenum,
1248 unsigned int nsaddrs,
1249 const struct in_addr saddrs[],
1250 unsigned int ndaddrs,
1251 const struct in_addr daddrs[],
1252 int verbose,
1253 iptc_handle_t *handle)
1254{
1255 unsigned int i, j;
1256 int ret = 1;
1257
1258 for (i = 0; i < nsaddrs; i++) {
1259 fw->ip.src.s_addr = saddrs[i].s_addr;
1260 for (j = 0; j < ndaddrs; j++) {
1261 fw->ip.dst.s_addr = daddrs[j].s_addr;
1262 if (verbose)
1263 print_firewall_line(fw, *handle);
1264 ret &= iptc_insert_entry(chain, fw, rulenum, handle);
1265 }
1266 }
1267
1268 return ret;
1269}
1270
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1271static unsigned char *
1272make_delete_mask(struct ipt_entry *fw)
1273{
1274 /* Establish mask for comparison */
1275 unsigned int size;
1276 struct iptables_match *m;
1277 unsigned char *mask, *mptr;
1278
1279 size = sizeof(struct ipt_entry);
1280 for (m = iptables_matches; m; m = m->next)
Rusty Russell73f72f52000-07-03 10:17:57 +0000[diff] [blame^]1281 size += IPT_ALIGN(sizeof(struct ipt_entry_match)) + m->size;
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1282
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1283 mask = fw_calloc(1, size
Rusty Russell73f72f52000-07-03 10:17:57 +0000[diff] [blame^]1284 + IPT_ALIGN(sizeof(struct ipt_entry_target))
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1285 + iptables_targets->size);
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1286
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1287 memset(mask, 0xFF, sizeof(struct ipt_entry));
1288 mptr = mask + sizeof(struct ipt_entry);
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1289
1290 for (m = iptables_matches; m; m = m->next) {
1291 memset(mptr, 0xFF,
Rusty Russell73f72f52000-07-03 10:17:57 +0000[diff] [blame^]1292 IPT_ALIGN(sizeof(struct ipt_entry_match))
1293 + m->userspacesize);
1294 mptr += IPT_ALIGN(sizeof(struct ipt_entry_match)) + m->size;
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1295 }
1296
Rusty Russell73f72f52000-07-03 10:17:57 +0000[diff] [blame^]1297 memset(mptr, 0xFF,
1298 IPT_ALIGN(sizeof(struct ipt_entry_target))
1299 + iptables_targets->userspacesize);
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1300
1301 return mask;
1302}
1303
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1304static int
1305delete_entry(const ipt_chainlabel chain,
1306 struct ipt_entry *fw,
1307 unsigned int nsaddrs,
1308 const struct in_addr saddrs[],
1309 unsigned int ndaddrs,
1310 const struct in_addr daddrs[],
1311 int verbose,
1312 iptc_handle_t *handle)
1313{
1314 unsigned int i, j;
1315 int ret = 1;
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1316 unsigned char *mask;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1317
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1318 mask = make_delete_mask(fw);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1319 for (i = 0; i < nsaddrs; i++) {
1320 fw->ip.src.s_addr = saddrs[i].s_addr;
1321 for (j = 0; j < ndaddrs; j++) {
1322 fw->ip.dst.s_addr = daddrs[j].s_addr;
1323 if (verbose)
1324 print_firewall_line(fw, *handle);
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1325 ret &= iptc_delete_entry(chain, fw, mask, handle);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1326 }
1327 }
1328 return ret;
1329}
1330
1331static int
1332check_packet(const ipt_chainlabel chain,
1333 struct ipt_entry *fw,
1334 unsigned int nsaddrs,
1335 const struct in_addr saddrs[],
1336 unsigned int ndaddrs,
1337 const struct in_addr daddrs[],
1338 int verbose,
1339 iptc_handle_t *handle)
1340{
1341 int ret = 1;
1342 unsigned int i, j;
1343 const char *msg;
1344
1345 for (i = 0; i < nsaddrs; i++) {
1346 fw->ip.src.s_addr = saddrs[i].s_addr;
1347 for (j = 0; j < ndaddrs; j++) {
1348 fw->ip.dst.s_addr = daddrs[j].s_addr;
1349 if (verbose)
1350 print_firewall_line(fw, *handle);
1351 msg = iptc_check_packet(chain, fw, handle);
1352 if (!msg) ret = 0;
1353 else printf("%s\n", msg);
1354 }
1355 }
1356
1357 return ret;
1358}
1359
1360static int
1361for_each_chain(int (*fn)(const ipt_chainlabel, int, iptc_handle_t *),
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1362 int verbose, int builtinstoo, iptc_handle_t *handle)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1363{
1364 int ret = 1;
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1365 const char *chain;
1366 char *chains;
1367 unsigned int i, chaincount = 0;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1368
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1369 chain = iptc_first_chain(handle);
1370 while (chain) {
1371 chaincount++;
1372 chain = iptc_next_chain(handle);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1373 }
1374
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1375 chains = fw_malloc(sizeof(ipt_chainlabel) * chaincount);
1376 i = 0;
1377 chain = iptc_first_chain(handle);
1378 while (chain) {
1379 strcpy(chains + i*sizeof(ipt_chainlabel), chain);
1380 i++;
1381 chain = iptc_next_chain(handle);
1382 }
1383
1384 for (i = 0; i < chaincount; i++) {
1385 if (!builtinstoo
1386 && iptc_builtin(chains + i*sizeof(ipt_chainlabel),
1387 *handle))
1388 continue;
1389 ret &= fn(chains + i*sizeof(ipt_chainlabel), verbose, handle);
1390 }
1391
1392 free(chains);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1393 return ret;
1394}
1395
1396static int
1397flush_entries(const ipt_chainlabel chain, int verbose,
1398 iptc_handle_t *handle)
1399{
1400 if (!chain)
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1401 return for_each_chain(flush_entries, verbose, 1, handle);
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]1402
1403 if (verbose)
1404 fprintf(stdout, "Flushing chain `%s'\n", chain);
1405 return iptc_flush_entries(chain, handle);
1406}
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1407
1408static int
1409zero_entries(const ipt_chainlabel chain, int verbose,
1410 iptc_handle_t *handle)
1411{
1412 if (!chain)
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1413 return for_each_chain(zero_entries, verbose, 1, handle);
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]1414
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1415 if (verbose)
1416 fprintf(stdout, "Zeroing chain `%s'\n", chain);
1417 return iptc_zero_entries(chain, handle);
1418}
1419
1420static int
1421delete_chain(const ipt_chainlabel chain, int verbose,
1422 iptc_handle_t *handle)
1423{
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1424 if (!chain)
1425 return for_each_chain(delete_chain, verbose, 0, handle);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1426
1427 if (verbose)
1428 fprintf(stdout, "Deleting chain `%s'\n", chain);
1429 return iptc_delete_chain(chain, handle);
1430}
1431
1432static int
1433list_entries(const ipt_chainlabel chain, int verbose, int numeric,
1434 int expanded, int linenumbers, iptc_handle_t *handle)
1435{
1436 int found = 0;
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1437 unsigned int format;
1438 const char *this;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1439
1440 format = FMT_OPTIONS;
1441 if (!verbose)
1442 format |= FMT_NOCOUNTS;
1443 else
1444 format |= FMT_VIA;
1445
1446 if (numeric)
1447 format |= FMT_NUMERIC;
1448
1449 if (!expanded)
1450 format |= FMT_KILOMEGAGIGA;
1451
1452 if (linenumbers)
1453 format |= FMT_LINENUMBERS;
1454
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1455 for (this = iptc_first_chain(handle);
1456 this;
1457 this = iptc_next_chain(handle)) {
1458 const struct ipt_entry *i;
1459 unsigned int num;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1460
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1461 if (chain && strcmp(chain, this) != 0)
1462 continue;
1463
1464 if (found) printf("\n");
1465
1466 print_header(format, this, handle);
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1467 i = iptc_first_rule(this, handle);
1468
1469 num = 0;
1470 while (i) {
1471 print_firewall(i,
1472 iptc_get_target(i, handle),
1473 num++,
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1474 format,
1475 *handle);
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1476 i = iptc_next_rule(i, handle);
1477 }
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1478 found = 1;
1479 }
1480
1481 errno = ENOENT;
1482 return found;
1483}
1484
1485static struct ipt_entry *
1486generate_entry(const struct ipt_entry *fw,
1487 struct iptables_match *matches,
1488 struct ipt_entry_target *target)
1489{
1490 unsigned int size;
1491 struct iptables_match *m;
1492 struct ipt_entry *e;
1493
1494 size = sizeof(struct ipt_entry);
1495 for (m = matches; m; m = m->next)
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1496 size += m->m->u.match_size;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1497
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1498 e = fw_malloc(size + target->u.target_size);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1499 *e = *fw;
1500 e->target_offset = size;
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1501 e->next_offset = size + target->u.target_size;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1502
1503 size = 0;
1504 for (m = matches; m; m = m->next) {
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1505 memcpy(e->elems + size, m->m, m->m->u.match_size);
1506 size += m->m->u.match_size;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1507 }
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1508 memcpy(e->elems + size, target, target->u.target_size);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1509
1510 return e;
1511}
1512
1513int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle)
1514{
1515 struct ipt_entry fw, *e = NULL;
1516 int invert = 0;
1517 unsigned int nsaddrs = 0, ndaddrs = 0;
1518 struct in_addr *saddrs = NULL, *daddrs = NULL;
1519
1520 int c, verbose = 0;
1521 const char *chain = NULL;
1522 const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
1523 const char *policy = NULL, *newname = NULL;
1524 unsigned int rulenum = 0, options = 0, command = 0;
1525 int ret = 1;
1526 struct iptables_match *m;
1527 struct iptables_target *target = NULL;
1528 const char *jumpto = "";
1529 char *protocol = NULL;
1530
1531 memset(&fw, 0, sizeof(fw));
1532
1533 /* Suppress error messages: we may add new options if we
1534 demand-load a protocol. */
1535 opterr = 0;
1536
1537 while ((c = getopt_long(argc, argv,
1538 "-A:C:D:R:I:L::F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:x",
1539 opts, NULL)) != -1) {
1540 switch (c) {
1541 /*
1542 * Command selection
1543 */
1544 case 'A':
1545 add_command(&command, CMD_APPEND, CMD_NONE,
1546 invert);
1547 chain = optarg;
1548 break;
1549
1550 case 'D':
1551 add_command(&command, CMD_DELETE, CMD_NONE,
1552 invert);
1553 chain = optarg;
1554 if (optind < argc && argv[optind][0] != '-'
1555 && argv[optind][0] != '!') {
1556 rulenum = parse_rulenumber(argv[optind++]);
1557 command = CMD_DELETE_NUM;
1558 }
1559 break;
1560
1561 case 'C':
1562 add_command(&command, CMD_CHECK, CMD_NONE,
1563 invert);
1564 chain = optarg;
1565 break;
1566
1567 case 'R':
1568 add_command(&command, CMD_REPLACE, CMD_NONE,
1569 invert);
1570 chain = optarg;
1571 if (optind < argc && argv[optind][0] != '-'
1572 && argv[optind][0] != '!')
1573 rulenum = parse_rulenumber(argv[optind++]);
1574 else
1575 exit_error(PARAMETER_PROBLEM,
1576 "-%c requires a rule number",
1577 cmd2char(CMD_REPLACE));
1578 break;
1579
1580 case 'I':
1581 add_command(&command, CMD_INSERT, CMD_NONE,
1582 invert);
1583 chain = optarg;
1584 if (optind < argc && argv[optind][0] != '-'
1585 && argv[optind][0] != '!')
1586 rulenum = parse_rulenumber(argv[optind++]);
1587 else rulenum = 1;
1588 break;
1589
1590 case 'L':
1591 add_command(&command, CMD_LIST, CMD_ZERO,
1592 invert);
1593 if (optarg) chain = optarg;
1594 else if (optind < argc && argv[optind][0] != '-'
1595 && argv[optind][0] != '!')
1596 chain = argv[optind++];
1597 break;
1598
1599 case 'F':
1600 add_command(&command, CMD_FLUSH, CMD_NONE,
1601 invert);
1602 if (optarg) chain = optarg;
1603 else if (optind < argc && argv[optind][0] != '-'
1604 && argv[optind][0] != '!')
1605 chain = argv[optind++];
1606 break;
1607
1608 case 'Z':
1609 add_command(&command, CMD_ZERO, CMD_LIST,
1610 invert);
1611 if (optarg) chain = optarg;
1612 else if (optind < argc && argv[optind][0] != '-'
1613 && argv[optind][0] != '!')
1614 chain = argv[optind++];
1615 break;
1616
1617 case 'N':
1618 add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
1619 invert);
1620 chain = optarg;
1621 break;
1622
1623 case 'X':
1624 add_command(&command, CMD_DELETE_CHAIN, CMD_NONE,
1625 invert);
1626 if (optarg) chain = optarg;
1627 else if (optind < argc && argv[optind][0] != '-'
1628 && argv[optind][0] != '!')
1629 chain = argv[optind++];
1630 break;
1631
1632 case 'E':
1633 add_command(&command, CMD_RENAME_CHAIN, CMD_NONE,
1634 invert);
1635 chain = optarg;
1636 if (optind < argc && argv[optind][0] != '-'
1637 && argv[optind][0] != '!')
1638 newname = argv[optind++];
M.P.Anand Babuc9f20d32000-06-09 09:22:38 +0000[diff] [blame]1639 else
1640 exit_error(PARAMETER_PROBLEM,
1641 "-%c requires old-chain-name and "
1642 "new-chain-name",
1643 cmd2char(CMD_RENAME_CHAIN));
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1644 break;
1645
1646 case 'P':
1647 add_command(&command, CMD_SET_POLICY, CMD_NONE,
1648 invert);
1649 chain = optarg;
1650 if (optind < argc && argv[optind][0] != '-'
1651 && argv[optind][0] != '!')
1652 policy = argv[optind++];
1653 else
1654 exit_error(PARAMETER_PROBLEM,
1655 "-%c requires a chain and a policy",
1656 cmd2char(CMD_SET_POLICY));
1657 break;
1658
1659 case 'h':
1660 if (!optarg)
1661 optarg = argv[optind];
1662
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1663 /* iptables -p icmp -h */
1664 if (!iptables_matches && protocol)
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]1665 find_match(protocol, TRY_LOAD);
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1666
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1667 exit_printhelp();
1668
1669 /*
1670 * Option selection
1671 */
1672 case 'p':
1673 if (check_inverse(optarg, &invert))
1674 optind++;
1675 set_option(&options, OPT_PROTOCOL, &fw.ip.invflags,
1676 invert);
1677
1678 /* Canonicalize into lower case */
1679 for (protocol = argv[optind-1]; *protocol; protocol++)
1680 *protocol = tolower(*protocol);
1681
1682 protocol = argv[optind-1];
1683 fw.ip.proto = parse_protocol(protocol);
1684
1685 if (fw.ip.proto == 0
1686 && (fw.ip.invflags & IPT_INV_PROTO))
1687 exit_error(PARAMETER_PROBLEM,
1688 "rule would never match protocol");
1689 fw.nfcache |= NFC_IP_PROTO;
1690 break;
1691
1692 case 's':
1693 if (check_inverse(optarg, &invert))
1694 optind++;
1695 set_option(&options, OPT_SOURCE, &fw.ip.invflags,
1696 invert);
1697 shostnetworkmask = argv[optind-1];
1698 fw.nfcache |= NFC_IP_SRC;
1699 break;
1700
1701 case 'd':
1702 if (check_inverse(optarg, &invert))
1703 optind++;
1704 set_option(&options, OPT_DESTINATION, &fw.ip.invflags,
1705 invert);
1706 dhostnetworkmask = argv[optind-1];
1707 fw.nfcache |= NFC_IP_DST;
1708 break;
1709
1710 case 'j':
1711 set_option(&options, OPT_JUMP, &fw.ip.invflags,
1712 invert);
1713 jumpto = parse_target(optarg);
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]1714 target = find_target(jumpto, TRY_LOAD);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1715
1716 if (target) {
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1717 size_t size;
1718
Rusty Russell73f72f52000-07-03 10:17:57 +0000[diff] [blame^]1719 size = IPT_ALIGN(sizeof(struct ipt_entry_target))
1720 + target->size;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1721
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1722 target->t = fw_calloc(1, size);
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1723 target->t->u.target_size = size;
1724 strcpy(target->t->u.user.name, jumpto);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1725 target->init(target->t, &fw.nfcache);
1726 }
1727 break;
1728
1729
1730 case 'i':
1731 if (check_inverse(optarg, &invert))
1732 optind++;
1733 set_option(&options, OPT_VIANAMEIN, &fw.ip.invflags,
1734 invert);
1735 parse_interface(argv[optind-1],
1736 fw.ip.iniface,
1737 fw.ip.iniface_mask);
1738 fw.nfcache |= NFC_IP_IF_IN;
1739 break;
1740
1741 case 'o':
1742 if (check_inverse(optarg, &invert))
1743 optind++;
1744 set_option(&options, OPT_VIANAMEOUT, &fw.ip.invflags,
1745 invert);
1746 parse_interface(argv[optind-1],
1747 fw.ip.outiface,
1748 fw.ip.outiface_mask);
1749 fw.nfcache |= NFC_IP_IF_OUT;
1750 break;
1751
1752 case 'f':
1753 set_option(&options, OPT_FRAGMENT, &fw.ip.invflags,
1754 invert);
1755 fw.ip.flags |= IPT_F_FRAG;
1756 fw.nfcache |= NFC_IP_FRAG;
1757 break;
1758
1759 case 'v':
1760 if (!verbose)
1761 set_option(&options, OPT_VERBOSE,
1762 &fw.ip.invflags, invert);
1763 verbose++;
1764 break;
1765
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]1766 case 'm': {
1767 size_t size;
1768
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1769 if (invert)
1770 exit_error(PARAMETER_PROBLEM,
1771 "unexpected ! flag before --match");
1772
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]1773 m = find_match(optarg, LOAD_MUST_SUCCEED);
Rusty Russell73f72f52000-07-03 10:17:57 +0000[diff] [blame^]1774 size = IPT_ALIGN(sizeof(struct ipt_entry_match))
1775 + m->size;
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]1776 m->m = fw_calloc(1, size);
1777 m->m->u.match_size = size;
Rusty Russell27ff3472000-05-12 14:04:50 +0000[diff] [blame]1778 strcpy(m->m->u.user.name, m->name);
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]1779 m->init(m->m, &fw.nfcache);
1780 }
1781 break;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1782
1783 case 'n':
1784 set_option(&options, OPT_NUMERIC, &fw.ip.invflags,
1785 invert);
1786 break;
1787
1788 case 't':
1789 if (invert)
1790 exit_error(PARAMETER_PROBLEM,
1791 "unexpected ! flag before --table");
1792 *table = argv[optind-1];
1793 break;
1794
1795 case 'x':
1796 set_option(&options, OPT_EXPANDED, &fw.ip.invflags,
1797 invert);
1798 break;
1799
1800 case 'V':
1801 if (invert)
1802 printf("Not %s ;-)\n", program_version);
1803 else
1804 printf("%s v%s\n",
1805 program_name, program_version);
1806 exit(0);
1807
1808 case '0':
1809 set_option(&options, OPT_LINENUMBERS, &fw.ip.invflags,
1810 invert);
1811 break;
1812
1813 case 1: /* non option */
1814 if (optarg[0] == '!' && optarg[1] == '\0') {
1815 if (invert)
1816 exit_error(PARAMETER_PROBLEM,
1817 "multiple consecutive ! not"
1818 " allowed");
1819 invert = TRUE;
1820 optarg[0] = '\0';
1821 continue;
1822 }
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1823 printf("Bad argument `%s'\n", optarg);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1824 exit_tryhelp(2);
1825
1826 default:
1827 /* FIXME: This scheme doesn't allow two of the same
1828 matches --RR */
1829 if (!target
1830 || !(target->parse(c - target->option_offset,
1831 argv, invert,
1832 &target->tflags,
1833 &fw, &target->t))) {
1834 for (m = iptables_matches; m; m = m->next) {
1835 if (m->parse(c - m->option_offset,
1836 argv, invert,
1837 &m->mflags,
1838 &fw,
1839 &fw.nfcache,
1840 &m->m))
1841 break;
1842 }
1843
1844 /* If you listen carefully, you can
Rusty Russell28381a42000-05-10 00:19:50 +0000[diff] [blame]1845 actually hear this code suck. */
Rusty Russell9e1d2142000-04-23 09:11:12 +0000[diff] [blame]1846 if (m == NULL
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1847 && protocol
Rusty Russell28381a42000-05-10 00:19:50 +0000[diff] [blame]1848 && !find_proto(protocol, DONT_LOAD,
1849 options&OPT_NUMERIC)
1850 && (m = find_proto(protocol, TRY_LOAD,
1851 options&OPT_NUMERIC))) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1852 /* Try loading protocol */
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1853 size_t size;
1854
Rusty Russell73f72f52000-07-03 10:17:57 +0000[diff] [blame^]1855 size = IPT_ALIGN(sizeof(struct ipt_entry_match))
1856 + m->size;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1857
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1858 m->m = fw_calloc(1, size);
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1859 m->m->u.match_size = size;
Rusty Russell27ff3472000-05-12 14:04:50 +0000[diff] [blame]1860 strcpy(m->m->u.user.name, m->name);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1861 m->init(m->m, &fw.nfcache);
1862
1863 optind--;
1864 continue;
1865 }
1866 if (!m)
1867 exit_error(PARAMETER_PROBLEM,
1868 "Unknown arg `%s'",
1869 argv[optind-1]);
1870 }
1871 }
1872 invert = FALSE;
1873 }
1874
1875 for (m = iptables_matches; m; m = m->next)
1876 m->final_check(m->mflags);
1877 if (target)
1878 target->final_check(target->tflags);
1879
1880 /* Fix me: must put inverse options checking here --MN */
1881
1882 if (optind < argc)
1883 exit_error(PARAMETER_PROBLEM,
1884 "unknown arguments found on commandline");
1885 if (!command)
1886 exit_error(PARAMETER_PROBLEM, "no command specified");
1887 if (invert)
1888 exit_error(PARAMETER_PROBLEM,
1889 "nothing appropriate following !");
1890
Marc Boucher744bd022000-04-22 22:36:10 +0000[diff] [blame]1891 if (command & (CMD_REPLACE | CMD_INSERT | CMD_DELETE | CMD_APPEND |
1892 CMD_CHECK)) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1893 if (!(options & OPT_DESTINATION))
1894 dhostnetworkmask = "0.0.0.0/0";
1895 if (!(options & OPT_SOURCE))
1896 shostnetworkmask = "0.0.0.0/0";
1897 }
1898
1899 if (shostnetworkmask)
1900 parse_hostnetworkmask(shostnetworkmask, &saddrs,
1901 &(fw.ip.smsk), &nsaddrs);
1902
1903 if (dhostnetworkmask)
1904 parse_hostnetworkmask(dhostnetworkmask, &daddrs,
1905 &(fw.ip.dmsk), &ndaddrs);
1906
1907 if ((nsaddrs > 1 || ndaddrs > 1) &&
1908 (fw.ip.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
1909 exit_error(PARAMETER_PROBLEM, "! not allowed with multiple"
1910 " source or destination IP addresses");
1911
1912 if (command == CMD_CHECK && fw.ip.invflags != 0)
1913 exit_error(PARAMETER_PROBLEM, "! not allowed with -%c",
1914 cmd2char(CMD_CHECK));
1915
1916 if (command == CMD_REPLACE && (nsaddrs != 1 || ndaddrs != 1))
1917 exit_error(PARAMETER_PROBLEM, "Replacement rule does not "
1918 "specify a unique address");
1919
1920 generic_opt_check(command, options);
1921
1922 if (chain && strlen(chain) > IPT_FUNCTION_MAXNAMELEN)
1923 exit_error(PARAMETER_PROBLEM,
1924 "chain name `%s' too long (must be under %i chars)",
1925 chain, IPT_FUNCTION_MAXNAMELEN);
1926
1927 *handle = iptc_init(*table);
1928 if (!*handle)
1929 exit_error(VERSION_PROBLEM,
1930 "can't initialize iptables table `%s': %s",
1931 *table, iptc_strerror(errno));
1932
Marc Boucher744bd022000-04-22 22:36:10 +0000[diff] [blame]1933 if (command == CMD_CHECK
1934 || command == CMD_APPEND
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1935 || command == CMD_DELETE
1936 || command == CMD_INSERT
1937 || command == CMD_REPLACE) {
Rusty Russella4860fd2000-06-17 16:13:02 +0000[diff] [blame]1938 if (strcmp(chain, "PREROUTING") == 0
1939 || strcmp(chain, "INPUT") == 0) {
1940 /* -o not valid with incoming packets. */
1941 if (options & OPT_VIANAMEOUT)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1942 exit_error(PARAMETER_PROBLEM,
1943 "Can't use -%c with %s\n",
1944 opt2char(OPT_VIANAMEOUT),
1945 chain);
Rusty Russella4860fd2000-06-17 16:13:02 +0000[diff] [blame]1946 /* -i required with -C */
1947 if (command == CMD_CHECK && !(options & OPT_VIANAMEIN))
1948 exit_error(PARAMETER_PROBLEM,
1949 "Need -%c with %s\n",
1950 opt2char(OPT_VIANAMEIN),
1951 chain);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1952 }
1953
Rusty Russella4860fd2000-06-17 16:13:02 +0000[diff] [blame]1954 if (strcmp(chain, "POSTROUTING") == 0
1955 || strcmp(chain, "OUTPUT") == 0) {
1956 /* -i not valid with outgoing packets */
1957 if (options & OPT_VIANAMEIN)
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1958 exit_error(PARAMETER_PROBLEM,
1959 "Can't use -%c with %s\n",
1960 opt2char(OPT_VIANAMEIN),
1961 chain);
Rusty Russella4860fd2000-06-17 16:13:02 +0000[diff] [blame]1962 /* -o required with -C */
1963 if (command == CMD_CHECK && !(options&OPT_VIANAMEOUT))
1964 exit_error(PARAMETER_PROBLEM,
1965 "Need -%c with %s\n",
1966 opt2char(OPT_VIANAMEOUT),
1967 chain);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1968 }
1969
1970 if (target && iptc_is_chain(jumpto, *handle)) {
1971 printf("Warning: using chain %s, not extension\n",
1972 jumpto);
1973
1974 target = NULL;
1975 }
1976
1977 /* If they didn't specify a target, or it's a chain
1978 name, use standard. */
1979 if (!target
1980 && (strlen(jumpto) == 0
1981 || iptc_is_chain(jumpto, *handle))) {
1982 size_t size;
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1983
Rusty Russell52a51492000-05-02 16:44:29 +0000[diff] [blame]1984 target = find_target(IPT_STANDARD_TARGET,
1985 LOAD_MUST_SUCCEED);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1986
1987 size = sizeof(struct ipt_entry_target)
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1988 + target->size;
Rusty Russell2e0a3212000-04-19 11:23:18 +0000[diff] [blame]1989 target->t = fw_calloc(1, size);
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]1990 target->t->u.target_size = size;
1991 strcpy(target->t->u.user.name, jumpto);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1992 target->init(target->t, &fw.nfcache);
1993 }
1994
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]1995 if (!target) {
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1996 struct ipt_entry_target unknown_target;
Rusty Russell7e53bf92000-03-20 07:03:28 +0000[diff] [blame]1997
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]1998 /* Don't know it. Must be extension with no
1999 options? */
Rusty Russell228e98d2000-04-27 10:28:06 +0000[diff] [blame]2000 unknown_target.u.target_size = sizeof(unknown_target);
2001 strcpy(unknown_target.u.user.name, jumpto);
Marc Bouchere6869a82000-03-20 06:03:29 +0000[diff] [blame]2002
2003 e = generate_entry(&fw, iptables_matches,
2004 &unknown_target);
2005 } else {
2006 e = generate_entry(&fw, iptables_matches, target->t);
2007 }
2008 }
2009
2010 switch (command) {
2011 case CMD_APPEND:
2012 ret = append_entry(chain, e,
2013 nsaddrs, saddrs, ndaddrs, daddrs,
2014 options&OPT_VERBOSE,
2015 handle);
2016 break;
2017 case CMD_CHECK:
2018 ret = check_packet(chain, e,
2019 nsaddrs, saddrs, ndaddrs, daddrs,
2020 options&OPT_VERBOSE, handle);
2021 break;
2022 case CMD_DELETE:
2023 ret = delete_entry(chain, e,
2024 nsaddrs, saddrs, ndaddrs, daddrs,
2025 options&OPT_VERBOSE,
2026 handle);
2027 break;
2028 case CMD_DELETE_NUM:
2029 ret = iptc_delete_num_entry(chain, rulenum - 1, handle);
2030 break;
2031 case CMD_REPLACE:
2032 ret = replace_entry(chain, e, rulenum - 1,
2033 saddrs, daddrs, options&OPT_VERBOSE,
2034 handle);
2035 break;
2036 case CMD_INSERT:
2037 ret = insert_entry(chain, e, rulenum - 1,
2038 nsaddrs, saddrs, ndaddrs, daddrs,
2039 options&OPT_VERBOSE,
2040 handle);
2041 break;
2042 case CMD_LIST:
2043 ret = list_entries(chain,
2044 options&OPT_VERBOSE,
2045 options&OPT_NUMERIC,
2046 options&OPT_EXPANDED,
2047 options&OPT_LINENUMBERS,
2048 handle);
2049 break;
2050 case CMD_FLUSH:
2051 ret = flush_entries(chain, options&OPT_VERBOSE, handle);
2052 break;
2053 case CMD_ZERO:
2054 ret = zero_entries(chain, options&OPT_VERBOSE, handle);
2055 break;
2056 case CMD_LIST|CMD_ZERO:
2057 ret = list_entries(chain,
2058 options&OPT_VERBOSE,
2059 options&OPT_NUMERIC,
2060 options&OPT_EXPANDED,
2061 options&OPT_LINENUMBERS,
2062 handle);
2063 if (ret)
2064 ret = zero_entries(chain,
2065 options&OPT_VERBOSE, handle);
2066 break;
2067 case CMD_NEW_CHAIN:
2068 ret = iptc_create_chain(chain, handle);
2069 break;
2070 case CMD_DELETE_CHAIN:
2071 ret = delete_chain(chain, options&OPT_VERBOSE, handle);
2072 break;
2073 case CMD_RENAME_CHAIN:
2074 ret = iptc_rename_chain(chain, newname, handle);
2075 break;
2076 case CMD_SET_POLICY:
2077 ret = iptc_set_policy(chain, policy, handle);
2078 break;
2079 default:
2080 /* We should never reach this... */
2081 exit_tryhelp(2);
2082 }
2083
2084 if (verbose > 1)
2085 dump_entries(*handle);
2086
2087 return ret;
2088}