Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / d7282413763b0ba85d512c1cd49174b762ff449c / . / extensions / libxt_policy.c
blob: 16e8c535d039114b2bac09022bd6ba0b25bc4df7 [file] [log] [blame]
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]1/* Shared library add-on to iptables to add policy support. */
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]2#include <stdbool.h>
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]3#include <stdio.h>
4#include <netdb.h>
5#include <string.h>
6#include <stdlib.h>
7#include <syslog.h>
8#include <getopt.h>
9#include <netdb.h>
10#include <errno.h>
11#include <sys/socket.h>
12#include <netinet/in.h>
13#include <arpa/inet.h>
Jan Engelhardt5d9678a2008-11-20 10:15:35 +0100[diff] [blame]14#include <xtables.h>
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]15
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]16#include <linux/netfilter/xt_policy.h>
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]17
18/*
19 * HACK: global pointer to current matchinfo for making
20 * final checks and adjustments in final_check.
21 */
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]22static struct xt_policy_info *policy_info;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]23
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]24static void policy_help(void)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]25{
26 printf(
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]27"policy match options:\n"
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]28" --dir in|out match policy applied during decapsulation/\n"
29" policy to be applied during encapsulation\n"
30" --pol none|ipsec match policy\n"
31" --strict match entire policy instead of single element\n"
32" at any position\n"
33"[!] --reqid reqid match reqid\n"
34"[!] --spi spi match SPI\n"
35"[!] --proto proto match protocol (ah/esp/ipcomp)\n"
36"[!] --mode mode match mode (transport/tunnel)\n"
37"[!] --tunnel-src addr/mask match tunnel source\n"
38"[!] --tunnel-dst addr/mask match tunnel destination\n"
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]39" --next begin next element in policy\n");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]40}
41
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]42static const struct option policy_opts[] =
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]43{
44 {
45 .name = "dir",
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]46 .has_arg = true,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]47 .val = '1',
48 },
49 {
50 .name = "pol",
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]51 .has_arg = true,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]52 .val = '2',
53 },
54 {
55 .name = "strict",
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]56 .has_arg = false,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]57 .val = '3'
58 },
59 {
60 .name = "reqid",
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]61 .has_arg = true,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]62 .val = '4',
63 },
64 {
65 .name = "spi",
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]66 .has_arg = true,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]67 .val = '5'
68 },
69 {
70 .name = "tunnel-src",
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]71 .has_arg = true,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]72 .val = '6'
73 },
74 {
75 .name = "tunnel-dst",
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]76 .has_arg = true,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]77 .val = '7'
78 },
79 {
80 .name = "proto",
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]81 .has_arg = true,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]82 .val = '8'
83 },
84 {
85 .name = "mode",
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]86 .has_arg = true,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]87 .val = '9'
88 },
89 {
90 .name = "next",
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]91 .has_arg = false,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]92 .val = 'a'
93 },
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]94 XT_GETOPT_TABLEEND,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]95};
96
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]97static int parse_direction(char *s)
98{
99 if (strcmp(s, "in") == 0)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]100 return XT_POLICY_MATCH_IN;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]101 if (strcmp(s, "out") == 0)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]102 return XT_POLICY_MATCH_OUT;
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]103 xtables_error(PARAMETER_PROBLEM, "policy_match: invalid dir \"%s\"", s);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]104}
105
106static int parse_policy(char *s)
107{
108 if (strcmp(s, "none") == 0)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]109 return XT_POLICY_MATCH_NONE;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]110 if (strcmp(s, "ipsec") == 0)
111 return 0;
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]112 xtables_error(PARAMETER_PROBLEM, "policy match: invalid policy \"%s\"", s);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]113}
114
115static int parse_mode(char *s)
116{
117 if (strcmp(s, "transport") == 0)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]118 return XT_POLICY_MODE_TRANSPORT;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]119 if (strcmp(s, "tunnel") == 0)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]120 return XT_POLICY_MODE_TUNNEL;
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]121 xtables_error(PARAMETER_PROBLEM, "policy match: invalid mode \"%s\"", s);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]122}
123
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]124static int policy_parse(int c, char **argv, int invert, unsigned int *flags,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]125 struct xt_policy_info *info, uint8_t family)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]126{
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]127 struct xt_policy_elem *e = &info->pol[info->len];
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]128 struct in_addr *addr = NULL, mask;
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]129 struct in6_addr *addr6 = NULL, mask6;
Jan Engelhardtda689572009-02-21 04:00:21 +0100[diff] [blame]130 unsigned int naddr = 0, num;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]131 int mode;
132
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]133 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]134
135 switch (c) {
136 case '1':
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]137 if (info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]138 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]139 "policy match: double --dir option");
140 if (invert)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]141 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]142 "policy match: can't invert --dir option");
143
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]144 info->flags |= parse_direction(optarg);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]145 break;
146 case '2':
147 if (invert)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]148 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]149 "policy match: can't invert --policy option");
150
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]151 info->flags |= parse_policy(optarg);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]152 break;
153 case '3':
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]154 if (info->flags & XT_POLICY_MATCH_STRICT)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]155 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]156 "policy match: double --strict option");
157
158 if (invert)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]159 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]160 "policy match: can't invert --strict option");
161
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]162 info->flags |= XT_POLICY_MATCH_STRICT;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]163 break;
164 case '4':
165 if (e->match.reqid)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]166 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]167 "policy match: double --reqid option");
168
169 e->match.reqid = 1;
170 e->invert.reqid = invert;
Jan Engelhardtda689572009-02-21 04:00:21 +0100[diff] [blame]171 if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
172 xtables_param_act(XTF_BAD_VALUE, "policy", "--spi", optarg);
173 e->reqid = num;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]174 break;
175 case '5':
176 if (e->match.spi)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]177 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]178 "policy match: double --spi option");
Patrick McHardy1d0f57c2006-01-12 09:12:47 +0000[diff] [blame]179
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]180 e->match.spi = 1;
181 e->invert.spi = invert;
Jan Engelhardtda689572009-02-21 04:00:21 +0100[diff] [blame]182 if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
183 xtables_param_act(XTF_BAD_VALUE, "policy", "--spi", optarg);
184 e->spi = num;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]185 break;
186 case '6':
187 if (e->match.saddr)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]188 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]189 "policy match: double --tunnel-src option");
190
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]191 if (family == NFPROTO_IPV6)
192 xtables_ip6parse_any(optarg, &addr6, &mask6, &naddr);
193 else
194 xtables_ipparse_any(optarg, &addr, &mask, &naddr);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]195 if (naddr > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]196 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]197 "policy match: name resolves to multiple IPs");
198
199 e->match.saddr = 1;
200 e->invert.saddr = invert;
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]201 if (family == NFPROTO_IPV6) {
202 memcpy(&e->saddr.a6, addr6, sizeof(*addr6));
203 memcpy(&e->smask.a6, &mask6, sizeof(mask6));
204 } else {
205 e->saddr.a4 = addr[0];
206 e->smask.a4 = mask;
207 }
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]208 break;
209 case '7':
210 if (e->match.daddr)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]211 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]212 "policy match: double --tunnel-dst option");
213
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]214 if (family == NFPROTO_IPV6)
215 xtables_ip6parse_any(optarg, &addr6, &mask6, &naddr);
216 else
217 xtables_ipparse_any(optarg, &addr, &mask, &naddr);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]218 if (naddr > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]219 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]220 "policy match: name resolves to multiple IPs");
221
222 e->match.daddr = 1;
223 e->invert.daddr = invert;
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]224 if (family == NFPROTO_IPV6) {
225 memcpy(&e->daddr.a6, addr6, sizeof(*addr6));
226 memcpy(&e->dmask.a6, &mask6, sizeof(mask6));
227 } else {
228 e->daddr.a4 = addr[0];
229 e->dmask.a4 = mask;
230 }
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]231 break;
232 case '8':
233 if (e->match.proto)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]234 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]235 "policy match: double --proto option");
236
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]237 e->proto = xtables_parse_protocol(optarg);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]238 if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
239 e->proto != IPPROTO_COMP)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]240 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]241 "policy match: protocol must ah/esp/ipcomp");
242 e->match.proto = 1;
243 e->invert.proto = invert;
244 break;
245 case '9':
246 if (e->match.mode)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]247 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]248 "policy match: double --mode option");
Patrick McHardy1d0f57c2006-01-12 09:12:47 +0000[diff] [blame]249
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]250 mode = parse_mode(optarg);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]251 e->match.mode = 1;
252 e->invert.mode = invert;
253 e->mode = mode;
254 break;
255 case 'a':
256 if (invert)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]257 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]258 "policy match: can't invert --next option");
259
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]260 if (++info->len == XT_POLICY_MAX_ELEM)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]261 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]262 "policy match: maximum policy depth reached");
263 break;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]264 }
265
266 policy_info = info;
267 return 1;
268}
269
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]270static int policy4_parse(int c, char **argv, int invert, unsigned int *flags,
271 const void *entry, struct xt_entry_match **match)
272{
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]273 return policy_parse(c, argv, invert, flags, (void *)(*match)->data,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]274 NFPROTO_IPV4);
275}
276
277static int policy6_parse(int c, char **argv, int invert, unsigned int *flags,
278 const void *entry, struct xt_entry_match **match)
279{
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]280 return policy_parse(c, argv, invert, flags, (void *)(*match)->data,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]281 NFPROTO_IPV6);
282}
283
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]284static void policy_check(unsigned int flags)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]285{
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]286 struct xt_policy_info *info = policy_info;
287 struct xt_policy_elem *e;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]288 int i;
289
290 if (info == NULL)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]291 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]292 "policy match: no parameters given");
293
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]294 if (!(info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT)))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]295 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardt028ad9e2010-01-31 16:49:50 +0100[diff] [blame]296 "policy match: neither --dir in nor --dir out specified");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]297
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]298 if (info->flags & XT_POLICY_MATCH_NONE) {
299 if (info->flags & XT_POLICY_MATCH_STRICT)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]300 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]301 "policy match: policy none but --strict given");
302
303 if (info->len != 0)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]304 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]305 "policy match: policy none but policy given");
306 } else
307 info->len++; /* increase len by 1, no --next after last element */
308
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]309 if (!(info->flags & XT_POLICY_MATCH_STRICT) && info->len > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]310 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]311 "policy match: multiple elements but no --strict");
312
313 for (i = 0; i < info->len; i++) {
314 e = &info->pol[i];
Patrick McHardya46d88d2006-01-12 09:43:18 +0000[diff] [blame]315
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]316 if (info->flags & XT_POLICY_MATCH_STRICT &&
Noticed by Tom Eastep3f347562006-01-22 13:47:07 +0000[diff] [blame]317 !(e->match.reqid || e->match.spi || e->match.saddr ||
Patrick McHardya46d88d2006-01-12 09:43:18 +0000[diff] [blame]318 e->match.daddr || e->match.proto || e->match.mode))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]319 xtables_error(PARAMETER_PROBLEM,
Patrick McHardya46d88d2006-01-12 09:43:18 +0000[diff] [blame]320 "policy match: empty policy element");
321
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]322 if ((e->match.saddr || e->match.daddr)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]323 && ((e->mode == XT_POLICY_MODE_TUNNEL && e->invert.mode) ||
324 (e->mode == XT_POLICY_MODE_TRANSPORT && !e->invert.mode)))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]325 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]326 "policy match: --tunnel-src/--tunnel-dst "
327 "is only valid in tunnel mode");
328 }
329}
330
Jan Engelhardt7ac40522011-01-07 12:34:04 +0100[diff] [blame]331static void print_mode(const char *prefix, uint8_t mode, int numeric)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]332{
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]333 printf(" %smode ", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]334
335 switch (mode) {
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]336 case XT_POLICY_MODE_TRANSPORT:
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]337 printf("transport");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]338 break;
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]339 case XT_POLICY_MODE_TUNNEL:
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]340 printf("tunnel");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]341 break;
342 default:
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]343 printf("???");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]344 break;
345 }
346}
347
Jan Engelhardt7ac40522011-01-07 12:34:04 +0100[diff] [blame]348static void print_proto(const char *prefix, uint8_t proto, int numeric)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]349{
Jan Engelhardtdd6e4b92011-05-07 00:05:24 +0200[diff] [blame]350 const struct protoent *p = NULL;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]351
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]352 printf(" %sproto ", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]353 if (!numeric)
354 p = getprotobynumber(proto);
355 if (p != NULL)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]356 printf("%s", p->p_name);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]357 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]358 printf("%u", proto);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]359}
360
361#define PRINT_INVERT(x) \
362do { \
363 if (x) \
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]364 printf(" !"); \
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]365} while(0)
366
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]367static void print_entry(const char *prefix, const struct xt_policy_elem *e,
368 bool numeric, uint8_t family)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]369{
370 if (e->match.reqid) {
371 PRINT_INVERT(e->invert.reqid);
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]372 printf(" %sreqid %u", prefix, e->reqid);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]373 }
374 if (e->match.spi) {
375 PRINT_INVERT(e->invert.spi);
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]376 printf(" %sspi 0x%x", prefix, e->spi);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]377 }
378 if (e->match.proto) {
379 PRINT_INVERT(e->invert.proto);
380 print_proto(prefix, e->proto, numeric);
381 }
382 if (e->match.mode) {
383 PRINT_INVERT(e->invert.mode);
384 print_mode(prefix, e->mode, numeric);
385 }
386 if (e->match.daddr) {
387 PRINT_INVERT(e->invert.daddr);
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]388 if (family == NFPROTO_IPV6)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]389 printf(" %stunnel-dst %s%s", prefix,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]390 xtables_ip6addr_to_numeric(&e->daddr.a6),
391 xtables_ip6mask_to_numeric(&e->dmask.a6));
392 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]393 printf(" %stunnel-dst %s%s", prefix,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]394 xtables_ipaddr_to_numeric(&e->daddr.a4),
395 xtables_ipmask_to_numeric(&e->dmask.a4));
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]396 }
397 if (e->match.saddr) {
398 PRINT_INVERT(e->invert.saddr);
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]399 if (family == NFPROTO_IPV6)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]400 printf(" %stunnel-src %s%s", prefix,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]401 xtables_ip6addr_to_numeric(&e->saddr.a6),
402 xtables_ip6mask_to_numeric(&e->smask.a6));
403 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]404 printf(" %stunnel-src %s%s", prefix,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]405 xtables_ipaddr_to_numeric(&e->saddr.a4),
406 xtables_ipmask_to_numeric(&e->smask.a4));
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]407 }
408}
409
Jan Engelhardtdd6e4b92011-05-07 00:05:24 +0200[diff] [blame]410static void print_flags(const char *prefix, const struct xt_policy_info *info)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]411{
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]412 if (info->flags & XT_POLICY_MATCH_IN)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]413 printf(" %sdir in", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]414 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]415 printf(" %sdir out", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]416
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]417 if (info->flags & XT_POLICY_MATCH_NONE)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]418 printf(" %spol none", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]419 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]420 printf(" %spol ipsec", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]421
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]422 if (info->flags & XT_POLICY_MATCH_STRICT)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]423 printf(" %sstrict", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]424}
425
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]426static void policy4_print(const void *ip, const struct xt_entry_match *match,
427 int numeric)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]428{
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]429 const struct xt_policy_info *info = (void *)match->data;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]430 unsigned int i;
431
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]432 printf(" policy match");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]433 print_flags("", info);
434 for (i = 0; i < info->len; i++) {
435 if (info->len > 1)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]436 printf(" [%u]", i);
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]437 print_entry("", &info->pol[i], numeric, NFPROTO_IPV4);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]438 }
439}
440
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]441static void policy6_print(const void *ip, const struct xt_entry_match *match,
442 int numeric)
443{
444 const struct xt_policy_info *info = (void *)match->data;
445 unsigned int i;
446
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]447 printf(" policy match");
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]448 print_flags("", info);
449 for (i = 0; i < info->len; i++) {
450 if (info->len > 1)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]451 printf(" [%u]", i);
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]452 print_entry("", &info->pol[i], numeric, NFPROTO_IPV6);
453 }
454}
455
456static void policy4_save(const void *ip, const struct xt_entry_match *match)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]457{
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]458 const struct xt_policy_info *info = (void *)match->data;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]459 unsigned int i;
460
461 print_flags("--", info);
462 for (i = 0; i < info->len; i++) {
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]463 print_entry("--", &info->pol[i], false, NFPROTO_IPV4);
464 if (i + 1 < info->len)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]465 printf(" --next");
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]466 }
467}
468
469static void policy6_save(const void *ip, const struct xt_entry_match *match)
470{
471 const struct xt_policy_info *info = (void *)match->data;
472 unsigned int i;
473
474 print_flags("--", info);
475 for (i = 0; i < info->len; i++) {
476 print_entry("--", &info->pol[i], false, NFPROTO_IPV6);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]477 if (i + 1 < info->len)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]478 printf(" --next");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]479 }
480}
481
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]482static struct xtables_match policy_mt_reg[] = {
483 {
484 .name = "policy",
485 .version = XTABLES_VERSION,
486 .family = NFPROTO_IPV4,
487 .size = XT_ALIGN(sizeof(struct xt_policy_info)),
488 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
489 .help = policy_help,
490 .parse = policy4_parse,
491 .final_check = policy_check,
492 .print = policy4_print,
493 .save = policy4_save,
494 .extra_opts = policy_opts,
495 },
496 {
497 .name = "policy",
498 .version = XTABLES_VERSION,
499 .family = NFPROTO_IPV6,
500 .size = XT_ALIGN(sizeof(struct xt_policy_info)),
501 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
502 .help = policy_help,
503 .parse = policy6_parse,
504 .final_check = policy_check,
505 .print = policy6_print,
506 .save = policy6_save,
507 .extra_opts = policy_opts,
508 },
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]509};
510
511void _init(void)
512{
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]513 xtables_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg));
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]514}