Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / cd9e7aa106e80c44bd526af74b616701b0772d05 / . / xtables.c
blob: 4313f5ba25eb6edf2721d70c4f25e5a4365dfd08 [file] [log] [blame]
Yasuyuki KOZAKAI52088062007-07-24 05:44:11 +0000[diff] [blame]1/*
2 * (C) 2000-2006 by the netfilter coreteam <coreteam@netfilter.org>:
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
17 */
18
Yasuyuki KOZAKAI3dfa4482007-07-24 05:45:33 +0000[diff] [blame]19#include <errno.h>
Yasuyuki KOZAKAI0b82e8e2007-07-24 05:47:40 +0000[diff] [blame]20#include <fcntl.h>
Yasuyuki KOZAKAI04f8c542007-07-24 05:53:48 +0000[diff] [blame]21#include <netdb.h>
Jan Engelhardtcd9e7aa2008-01-20 13:18:54 +0000[diff] [blame^]22#include <stdbool.h>
Yasuyuki KOZAKAI3dfa4482007-07-24 05:45:33 +0000[diff] [blame]23#include <stdio.h>
24#include <stdlib.h>
Yasuyuki KOZAKAI0b82e8e2007-07-24 05:47:40 +0000[diff] [blame]25#include <string.h>
26#include <unistd.h>
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]27#include <sys/socket.h>
Yasuyuki KOZAKAI0b82e8e2007-07-24 05:47:40 +0000[diff] [blame]28#include <sys/stat.h>
29#include <sys/types.h>
30#include <sys/wait.h>
Yasuyuki KOZAKAI3dfa4482007-07-24 05:45:33 +0000[diff] [blame]31
Yasuyuki KOZAKAI52088062007-07-24 05:44:11 +0000[diff] [blame]32#include <xtables.h>
Yasuyuki KOZAKAI3dfa4482007-07-24 05:45:33 +0000[diff] [blame]33
Mike Frysinger5a26b5f2007-12-19 14:51:17 +0000[diff] [blame]34#ifndef NO_SHARED_LIBS
35#include <dlfcn.h>
36#endif
37
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]38#define NPROTO 255
39
Yasuyuki KOZAKAI0b82e8e2007-07-24 05:47:40 +0000[diff] [blame]40#ifndef PROC_SYS_MODPROBE
41#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
42#endif
43
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]44char *lib_dir;
45
Yasuyuki KOZAKAI0b82e8e2007-07-24 05:47:40 +0000[diff] [blame]46/* the path to command to load kernel module */
47const char *modprobe = NULL;
48
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]49/* Keeping track of external matches and targets: linked lists. */
50struct xtables_match *xtables_matches;
51struct xtables_target *xtables_targets;
52
Yasuyuki KOZAKAI3dfa4482007-07-24 05:45:33 +0000[diff] [blame]53void *fw_calloc(size_t count, size_t size)
54{
55 void *p;
56
57 if ((p = calloc(count, size)) == NULL) {
58 perror("ip[6]tables: calloc failed");
59 exit(1);
60 }
61
62 return p;
63}
64
65void *fw_malloc(size_t size)
66{
67 void *p;
68
69 if ((p = malloc(size)) == NULL) {
70 perror("ip[6]tables: malloc failed");
71 exit(1);
72 }
73
74 return p;
75}
Yasuyuki KOZAKAI0b82e8e2007-07-24 05:47:40 +0000[diff] [blame]76
77static char *get_modprobe(void)
78{
79 int procfile;
80 char *ret;
81
82#define PROCFILE_BUFSIZ 1024
83 procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
84 if (procfile < 0)
85 return NULL;
86
87 ret = (char *) malloc(PROCFILE_BUFSIZ);
88 if (ret) {
89 memset(ret, 0, PROCFILE_BUFSIZ);
90 switch (read(procfile, ret, PROCFILE_BUFSIZ)) {
91 case -1: goto fail;
92 case PROCFILE_BUFSIZ: goto fail; /* Partial read. Wierd */
93 }
94 if (ret[strlen(ret)-1]=='\n')
95 ret[strlen(ret)-1]=0;
96 close(procfile);
97 return ret;
98 }
99 fail:
100 free(ret);
101 close(procfile);
102 return NULL;
103}
104
105int xtables_insmod(const char *modname, const char *modprobe, int quiet)
106{
107 char *buf = NULL;
108 char *argv[4];
109 int status;
110
111 /* If they don't explicitly set it, read out of kernel */
112 if (!modprobe) {
113 buf = get_modprobe();
114 if (!buf)
115 return -1;
116 modprobe = buf;
117 }
118
119 switch (fork()) {
120 case 0:
121 argv[0] = (char *)modprobe;
122 argv[1] = (char *)modname;
123 if (quiet) {
124 argv[2] = "-q";
125 argv[3] = NULL;
126 } else {
127 argv[2] = NULL;
128 argv[3] = NULL;
129 }
130 execv(argv[0], argv);
131
132 /* not usually reached */
133 exit(1);
134 case -1:
135 return -1;
136
137 default: /* parent */
138 wait(&status);
139 }
140
141 free(buf);
142 if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
143 return 0;
144 return -1;
145}
146
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]147int load_xtables_ko(const char *modprobe, int quiet)
148{
149 static int loaded = 0;
150 static int ret = -1;
151
152 if (!loaded) {
153 ret = xtables_insmod(afinfo.kmod, modprobe, quiet);
154 loaded = (ret == 0);
155 }
156
157 return ret;
158}
159
Yasuyuki KOZAKAI04f8c542007-07-24 05:53:48 +0000[diff] [blame]160int string_to_number_ll(const char *s, unsigned long long min,
161 unsigned long long max, unsigned long long *ret)
162{
163 unsigned long long number;
164 char *end;
165
166 /* Handle hex, octal, etc. */
167 errno = 0;
168 number = strtoull(s, &end, 0);
169 if (*end == '\0' && end != s) {
170 /* we parsed a number, let's see if we want this */
171 if (errno != ERANGE && min <= number && (!max || number <= max)) {
172 *ret = number;
173 return 0;
174 }
175 }
176 return -1;
177}
178
179int string_to_number_l(const char *s, unsigned long min, unsigned long max,
180 unsigned long *ret)
181{
182 int result;
183 unsigned long long number;
184
185 result = string_to_number_ll(s, min, max, &number);
186 *ret = (unsigned long)number;
187
188 return result;
189}
190
191int string_to_number(const char *s, unsigned int min, unsigned int max,
192 unsigned int *ret)
193{
194 int result;
195 unsigned long number;
196
197 result = string_to_number_l(s, min, max, &number);
198 *ret = (unsigned int)number;
199
200 return result;
201}
202
Jan Engelhardtcd9e7aa2008-01-20 13:18:54 +0000[diff] [blame^]203/*
204 * strtonum{,l} - string to number conversion
205 *
206 * If @end is NULL, we assume the caller does not want
207 * a case like "15a", so reject it.
208 */
209bool strtonuml(const char *s, char **end, unsigned long *value,
210 unsigned long min, unsigned long max)
211{
212 unsigned long v;
213 char *my_end;
214
215 errno = 0;
216 v = strtoul(s, &my_end, 0);
217
218 if (my_end == s)
219 return false;
220 if (end != NULL)
221 *end = my_end;
222
223 if (errno != ERANGE && min <= v && (max == 0 || v <= max)) {
224 if (value != NULL)
225 *value = v;
226 if (end == NULL)
227 return *my_end == '\0';
228 return true;
229 }
230
231 return false;
232}
233
234bool strtonum(const char *s, char **end, unsigned int *value,
235 unsigned int min, unsigned int max)
236{
237 unsigned long v;
238 bool ret;
239
240 ret = strtonuml(s, end, &v, min, max);
241 if (value != NULL)
242 *value = v;
243 return ret;
244}
245
Yasuyuki KOZAKAI04f8c542007-07-24 05:53:48 +0000[diff] [blame]246int service_to_port(const char *name, const char *proto)
247{
248 struct servent *service;
249
250 if ((service = getservbyname(name, proto)) != NULL)
251 return ntohs((unsigned short) service->s_port);
252
253 return -1;
254}
255
256u_int16_t parse_port(const char *port, const char *proto)
257{
258 unsigned int portnum;
259
260 if ((string_to_number(port, 0, 65535, &portnum)) != -1 ||
261 (portnum = service_to_port(port, proto)) != -1)
262 return (u_int16_t)portnum;
263
264 exit_error(PARAMETER_PROBLEM,
265 "invalid port/service `%s' specified", port);
266}
267
268void parse_interface(const char *arg, char *vianame, unsigned char *mask)
269{
270 int vialen = strlen(arg);
271 unsigned int i;
272
273 memset(mask, 0, IFNAMSIZ);
274 memset(vianame, 0, IFNAMSIZ);
275
276 if (vialen + 1 > IFNAMSIZ)
277 exit_error(PARAMETER_PROBLEM,
278 "interface name `%s' must be shorter than IFNAMSIZ"
279 " (%i)", arg, IFNAMSIZ-1);
280
281 strcpy(vianame, arg);
282 if ((vialen == 0) || (vialen == 1 && vianame[0] == '+'))
283 memset(mask, 0, IFNAMSIZ);
284 else if (vianame[vialen - 1] == '+') {
285 memset(mask, 0xFF, vialen - 1);
286 memset(mask + vialen - 1, 0, IFNAMSIZ - vialen + 1);
287 /* Don't remove `+' here! -HW */
288 } else {
289 /* Include nul-terminator in match */
290 memset(mask, 0xFF, vialen + 1);
291 memset(mask + vialen + 1, 0, IFNAMSIZ - vialen - 1);
292 for (i = 0; vianame[i]; i++) {
293 if (vianame[i] == ':' ||
294 vianame[i] == '!' ||
295 vianame[i] == '*') {
Max Kellermannaae4f822007-10-17 16:36:49 +0000[diff] [blame]296 fprintf(stderr,
297 "Warning: weird character in interface"
298 " `%s' (No aliases, :, ! or *).\n",
299 vianame);
Yasuyuki KOZAKAI04f8c542007-07-24 05:53:48 +0000[diff] [blame]300 break;
301 }
302 }
303 }
304}
305
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]306struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
307 struct xtables_rule_match **matches)
308{
309 struct xtables_match *ptr;
310 const char *icmp6 = "icmp6";
311
312 /* This is ugly as hell. Nonetheless, there is no way of changing
313 * this without hurting backwards compatibility */
314 if ( (strcmp(name,"icmpv6") == 0) ||
315 (strcmp(name,"ipv6-icmp") == 0) ||
316 (strcmp(name,"icmp6") == 0) )
317 name = icmp6;
318
319 for (ptr = xtables_matches; ptr; ptr = ptr->next) {
320 if (strcmp(name, ptr->name) == 0) {
321 struct xtables_match *clone;
322
323 /* First match of this type: */
324 if (ptr->m == NULL)
325 break;
326
327 /* Second and subsequent clones */
328 clone = fw_malloc(sizeof(struct xtables_match));
329 memcpy(clone, ptr, sizeof(struct xtables_match));
330 clone->mflags = 0;
331 /* This is a clone: */
332 clone->next = clone;
333
334 ptr = clone;
335 break;
336 }
337 }
338
339#ifndef NO_SHARED_LIBS
340 if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
341 char path[strlen(lib_dir) + sizeof("/.so")
342 + strlen(afinfo.libprefix) + strlen(name)];
Yasuyuki KOZAKAI170af8c2007-08-04 05:22:17 +0000[diff] [blame]343
344 sprintf(path, "%s/libxt_%s.so", lib_dir, name);
345 if (dlopen(path, RTLD_NOW) != NULL)
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]346 /* Found library. If it didn't register itself,
347 maybe they specified target as match. */
348 ptr = find_match(name, DONT_LOAD, NULL);
349
Yasuyuki KOZAKAI170af8c2007-08-04 05:22:17 +0000[diff] [blame]350 if (ptr == NULL) {
351 sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
352 name);
353 if (dlopen(path, RTLD_NOW) != NULL)
354 ptr = find_match(name, DONT_LOAD, NULL);
355 }
356
357 if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]358 exit_error(PARAMETER_PROBLEM,
359 "Couldn't load match `%s':%s\n",
360 name, dlerror());
361 }
362#else
363 if (ptr && !ptr->loaded) {
364 if (tryload != DONT_LOAD)
365 ptr->loaded = 1;
366 else
367 ptr = NULL;
368 }
369 if(!ptr && (tryload == LOAD_MUST_SUCCEED)) {
370 exit_error(PARAMETER_PROBLEM,
371 "Couldn't find match `%s'\n", name);
372 }
373#endif
374
375 if (ptr && matches) {
376 struct xtables_rule_match **i;
377 struct xtables_rule_match *newentry;
378
379 newentry = fw_malloc(sizeof(struct xtables_rule_match));
380
381 for (i = matches; *i; i = &(*i)->next) {
382 if (strcmp(name, (*i)->match->name) == 0)
383 (*i)->completed = 1;
384 }
385 newentry->match = ptr;
386 newentry->completed = 0;
387 newentry->next = NULL;
388 *i = newentry;
389 }
390
391 return ptr;
392}
393
394
395struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
396{
397 struct xtables_target *ptr;
398
399 /* Standard target? */
400 if (strcmp(name, "") == 0
401 || strcmp(name, XTC_LABEL_ACCEPT) == 0
402 || strcmp(name, XTC_LABEL_DROP) == 0
403 || strcmp(name, XTC_LABEL_QUEUE) == 0
404 || strcmp(name, XTC_LABEL_RETURN) == 0)
405 name = "standard";
406
407 for (ptr = xtables_targets; ptr; ptr = ptr->next) {
408 if (strcmp(name, ptr->name) == 0)
409 break;
410 }
411
412#ifndef NO_SHARED_LIBS
413 if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
414 char path[strlen(lib_dir) + sizeof("/.so")
415 + strlen(afinfo.libprefix) + strlen(name)];
Yasuyuki KOZAKAI170af8c2007-08-04 05:22:17 +0000[diff] [blame]416
417 sprintf(path, "%s/libxt_%s.so", lib_dir, name);
418 if (dlopen(path, RTLD_NOW) != NULL)
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]419 /* Found library. If it didn't register itself,
420 maybe they specified match as a target. */
421 ptr = find_target(name, DONT_LOAD);
Yasuyuki KOZAKAI170af8c2007-08-04 05:22:17 +0000[diff] [blame]422
423 if (ptr == NULL) {
424 sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
425 name);
426 if (dlopen(path, RTLD_NOW) != NULL)
427 ptr = find_target(name, DONT_LOAD);
428 }
429 if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]430 exit_error(PARAMETER_PROBLEM,
431 "Couldn't load target `%s':%s\n",
432 name, dlerror());
433 }
434#else
435 if (ptr && !ptr->loaded) {
436 if (tryload != DONT_LOAD)
437 ptr->loaded = 1;
438 else
439 ptr = NULL;
440 }
441 if(!ptr && (tryload == LOAD_MUST_SUCCEED)) {
442 exit_error(PARAMETER_PROBLEM,
443 "Couldn't find target `%s'\n", name);
444 }
445#endif
446
447 if (ptr)
448 ptr->used = 1;
449
450 return ptr;
451}
452
453static int compatible_revision(const char *name, u_int8_t revision, int opt)
454{
455 struct xt_get_revision rev;
456 socklen_t s = sizeof(rev);
457 int max_rev, sockfd;
458
459 sockfd = socket(afinfo.family, SOCK_RAW, IPPROTO_RAW);
460 if (sockfd < 0) {
Patrick McHardydf1ef382007-12-03 15:32:28 +0000[diff] [blame]461 if (errno == EPERM) {
462 /* revision 0 is always supported. */
463 if (revision != 0)
464 fprintf(stderr, "Could not determine whether "
465 "revision %u is supported, "
466 "assuming it is.\n",
467 revision);
468 return 1;
469 }
Yasuyuki KOZAKAI0d502bc2007-07-24 05:52:07 +0000[diff] [blame]470 fprintf(stderr, "Could not open socket to kernel: %s\n",
471 strerror(errno));
472 exit(1);
473 }
474
475 load_xtables_ko(modprobe, 1);
476
477 strcpy(rev.name, name);
478 rev.revision = revision;
479
480 max_rev = getsockopt(sockfd, afinfo.ipproto, opt, &rev, &s);
481 if (max_rev < 0) {
482 /* Definitely don't support this? */
483 if (errno == ENOENT || errno == EPROTONOSUPPORT) {
484 close(sockfd);
485 return 0;
486 } else if (errno == ENOPROTOOPT) {
487 close(sockfd);
488 /* Assume only revision 0 support (old kernel) */
489 return (revision == 0);
490 } else {
491 fprintf(stderr, "getsockopt failed strangely: %s\n",
492 strerror(errno));
493 exit(1);
494 }
495 }
496 close(sockfd);
497 return 1;
498}
499
500
501static int compatible_match_revision(const char *name, u_int8_t revision)
502{
503 return compatible_revision(name, revision, afinfo.so_rev_match);
504}
505
506static int compatible_target_revision(const char *name, u_int8_t revision)
507{
508 return compatible_revision(name, revision, afinfo.so_rev_target);
509}
510
511void xtables_register_match(struct xtables_match *me)
512{
513 struct xtables_match **i, *old;
514
515 if (strcmp(me->version, program_version) != 0) {
516 fprintf(stderr, "%s: match `%s' v%s (I'm v%s).\n",
517 program_name, me->name, me->version, program_version);
518 exit(1);
519 }
520
521 /* Revision field stole a char from name. */
522 if (strlen(me->name) >= XT_FUNCTION_MAXNAMELEN-1) {
523 fprintf(stderr, "%s: target `%s' has invalid name\n",
524 program_name, me->name);
525 exit(1);
526 }
527
528 if (me->family >= NPROTO) {
529 fprintf(stderr,
530 "%s: BUG: match %s has invalid protocol family\n",
531 program_name, me->name);
532 exit(1);
533 }
534
535 /* ignore not interested match */
536 if (me->family != afinfo.family)
537 return;
538
539 old = find_match(me->name, DURING_LOAD, NULL);
540 if (old) {
541 if (old->revision == me->revision) {
542 fprintf(stderr,
543 "%s: match `%s' already registered.\n",
544 program_name, me->name);
545 exit(1);
546 }
547
548 /* Now we have two (or more) options, check compatibility. */
549 if (compatible_match_revision(old->name, old->revision)
550 && old->revision > me->revision)
551 return;
552
553 /* Replace if compatible. */
554 if (!compatible_match_revision(me->name, me->revision))
555 return;
556
557 /* Delete old one. */
558 for (i = &xtables_matches; *i!=old; i = &(*i)->next);
559 *i = old->next;
560 }
561
562 if (me->size != XT_ALIGN(me->size)) {
563 fprintf(stderr, "%s: match `%s' has invalid size %u.\n",
564 program_name, me->name, (unsigned int)me->size);
565 exit(1);
566 }
567
568 /* Append to list. */
569 for (i = &xtables_matches; *i; i = &(*i)->next);
570 me->next = NULL;
571 *i = me;
572
573 me->m = NULL;
574 me->mflags = 0;
575}
576
577void xtables_register_target(struct xtables_target *me)
578{
579 struct xtables_target *old;
580
581 if (strcmp(me->version, program_version) != 0) {
582 fprintf(stderr, "%s: target `%s' v%s (I'm v%s).\n",
583 program_name, me->name, me->version, program_version);
584 exit(1);
585 }
586
587 /* Revision field stole a char from name. */
588 if (strlen(me->name) >= XT_FUNCTION_MAXNAMELEN-1) {
589 fprintf(stderr, "%s: target `%s' has invalid name\n",
590 program_name, me->name);
591 exit(1);
592 }
593
594 if (me->family >= NPROTO) {
595 fprintf(stderr,
596 "%s: BUG: target %s has invalid protocol family\n",
597 program_name, me->name);
598 exit(1);
599 }
600
601 /* ignore not interested target */
602 if (me->family != afinfo.family)
603 return;
604
605 old = find_target(me->name, DURING_LOAD);
606 if (old) {
607 struct xtables_target **i;
608
609 if (old->revision == me->revision) {
610 fprintf(stderr,
611 "%s: target `%s' already registered.\n",
612 program_name, me->name);
613 exit(1);
614 }
615
616 /* Now we have two (or more) options, check compatibility. */
617 if (compatible_target_revision(old->name, old->revision)
618 && old->revision > me->revision)
619 return;
620
621 /* Replace if compatible. */
622 if (!compatible_target_revision(me->name, me->revision))
623 return;
624
625 /* Delete old one. */
626 for (i = &xtables_targets; *i!=old; i = &(*i)->next);
627 *i = old->next;
628 }
629
630 if (me->size != XT_ALIGN(me->size)) {
631 fprintf(stderr, "%s: target `%s' has invalid size %u.\n",
632 program_name, me->name, (unsigned int)me->size);
633 exit(1);
634 }
635
636 /* Prepend to list. */
637 me->next = xtables_targets;
638 xtables_targets = me;
639 me->t = NULL;
640 me->tflags = 0;
641}