Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / e3928b77f18db0fdc615693017c6c15eb71bf4e0 / . / extensions / libxt_policy.c
blob: 0a64a80c25b7650841b61f9e87e439cce6a86309 [file] [log] [blame]
Patrick McHardy0c3753b2013-04-06 13:41:25 +0200[diff] [blame]1/*
2 * Copyright (c) 2005-2013 Patrick McHardy <kaber@trash.net>
3 */
4
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]5#include <stdbool.h>
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]6#include <stdint.h>
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]7#include <stdio.h>
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]8#include <string.h>
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]9#include <netdb.h>
Jan Engelhardt5d9678a2008-11-20 10:15:35 +0100[diff] [blame]10#include <xtables.h>
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]11#include <linux/netfilter/xt_policy.h>
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]12
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]13enum {
14 O_DIRECTION = 0,
15 O_POLICY,
16 O_STRICT,
17 O_REQID,
18 O_SPI,
19 O_PROTO,
20 O_MODE,
21 O_TUNNELSRC,
22 O_TUNNELDST,
Jan Engelhardt15392932011-05-12 12:46:40 +0200[diff] [blame]23 O_NEXT,
24 F_STRICT = 1 << O_STRICT,
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]25};
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]26
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]27static void policy_help(void)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]28{
29 printf(
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]30"policy match options:\n"
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]31" --dir in|out match policy applied during decapsulation/\n"
32" policy to be applied during encapsulation\n"
33" --pol none|ipsec match policy\n"
34" --strict match entire policy instead of single element\n"
35" at any position\n"
Jan Engelhardt15392932011-05-12 12:46:40 +0200[diff] [blame]36"These options may be used repeatedly, to describe policy elements:\n"
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]37"[!] --reqid reqid match reqid\n"
38"[!] --spi spi match SPI\n"
39"[!] --proto proto match protocol (ah/esp/ipcomp)\n"
40"[!] --mode mode match mode (transport/tunnel)\n"
41"[!] --tunnel-src addr/mask match tunnel source\n"
42"[!] --tunnel-dst addr/mask match tunnel destination\n"
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]43" --next begin next element in policy\n");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]44}
45
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]46static const struct xt_option_entry policy_opts[] = {
Jan Engelhardt03deef52011-08-21 12:39:04 +0200[diff] [blame]47 {.name = "dir", .id = O_DIRECTION, .type = XTTYPE_STRING},
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]48 {.name = "pol", .id = O_POLICY, .type = XTTYPE_STRING},
49 {.name = "strict", .id = O_STRICT, .type = XTTYPE_NONE},
Jan Engelhardt15392932011-05-12 12:46:40 +0200[diff] [blame]50 {.name = "reqid", .id = O_REQID, .type = XTTYPE_UINT32,
51 .flags = XTOPT_MULTI | XTOPT_INVERT},
52 {.name = "spi", .id = O_SPI, .type = XTTYPE_UINT32,
53 .flags = XTOPT_MULTI | XTOPT_INVERT},
54 {.name = "tunnel-src", .id = O_TUNNELSRC, .type = XTTYPE_HOSTMASK,
55 .flags = XTOPT_MULTI | XTOPT_INVERT},
56 {.name = "tunnel-dst", .id = O_TUNNELDST, .type = XTTYPE_HOSTMASK,
57 .flags = XTOPT_MULTI | XTOPT_INVERT},
Jan Engelhardtcdc8e0b2011-05-12 13:59:38 +0200[diff] [blame]58 {.name = "proto", .id = O_PROTO, .type = XTTYPE_PROTOCOL,
Jan Engelhardt15392932011-05-12 12:46:40 +0200[diff] [blame]59 .flags = XTOPT_MULTI | XTOPT_INVERT},
60 {.name = "mode", .id = O_MODE, .type = XTTYPE_STRING,
61 .flags = XTOPT_MULTI | XTOPT_INVERT},
62 {.name = "next", .id = O_NEXT, .type = XTTYPE_NONE,
63 .flags = XTOPT_MULTI, .also = F_STRICT},
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]64 XTOPT_TABLEEND,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]65};
66
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]67static int parse_direction(const char *s)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]68{
69 if (strcmp(s, "in") == 0)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]70 return XT_POLICY_MATCH_IN;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]71 if (strcmp(s, "out") == 0)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]72 return XT_POLICY_MATCH_OUT;
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]73 xtables_error(PARAMETER_PROBLEM, "policy_match: invalid dir \"%s\"", s);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]74}
75
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]76static int parse_policy(const char *s)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]77{
78 if (strcmp(s, "none") == 0)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]79 return XT_POLICY_MATCH_NONE;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]80 if (strcmp(s, "ipsec") == 0)
81 return 0;
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]82 xtables_error(PARAMETER_PROBLEM, "policy match: invalid policy \"%s\"", s);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]83}
84
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]85static int parse_mode(const char *s)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]86{
87 if (strcmp(s, "transport") == 0)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]88 return XT_POLICY_MODE_TRANSPORT;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]89 if (strcmp(s, "tunnel") == 0)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]90 return XT_POLICY_MODE_TUNNEL;
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]91 xtables_error(PARAMETER_PROBLEM, "policy match: invalid mode \"%s\"", s);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]92}
93
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]94static void policy_parse(struct xt_option_call *cb)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]95{
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]96 struct xt_policy_info *info = cb->data;
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]97 struct xt_policy_elem *e = &info->pol[info->len];
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]98
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]99 xtables_option_parse(cb);
100 switch (cb->entry->id) {
101 case O_DIRECTION:
102 info->flags |= parse_direction(cb->arg);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]103 break;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]104 case O_POLICY:
105 info->flags |= parse_policy(cb->arg);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]106 break;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]107 case O_STRICT:
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]108 info->flags |= XT_POLICY_MATCH_STRICT;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]109 break;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]110 case O_REQID:
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]111 if (e->match.reqid)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]112 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]113 "policy match: double --reqid option");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]114 e->match.reqid = 1;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]115 e->invert.reqid = cb->invert;
116 e->reqid = cb->val.u32;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]117 break;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]118 case O_SPI:
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]119 if (e->match.spi)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]120 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]121 "policy match: double --spi option");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]122 e->match.spi = 1;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]123 e->invert.spi = cb->invert;
124 e->spi = cb->val.u32;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]125 break;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]126 case O_TUNNELSRC:
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]127 if (e->match.saddr)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]128 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]129 "policy match: double --tunnel-src option");
130
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]131 e->match.saddr = 1;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]132 e->invert.saddr = cb->invert;
133 memcpy(&e->saddr, &cb->val.haddr, sizeof(cb->val.haddr));
134 memcpy(&e->smask, &cb->val.hmask, sizeof(cb->val.hmask));
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]135 break;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]136 case O_TUNNELDST:
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]137 if (e->match.daddr)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]138 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]139 "policy match: double --tunnel-dst option");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]140 e->match.daddr = 1;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]141 e->invert.daddr = cb->invert;
142 memcpy(&e->daddr, &cb->val.haddr, sizeof(cb->val.haddr));
143 memcpy(&e->dmask, &cb->val.hmask, sizeof(cb->val.hmask));
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]144 break;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]145 case O_PROTO:
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]146 if (e->match.proto)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]147 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]148 "policy match: double --proto option");
Jan Engelhardtcdc8e0b2011-05-12 13:59:38 +0200[diff] [blame]149 e->proto = cb->val.protocol;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]150 if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
151 e->proto != IPPROTO_COMP)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]152 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]153 "policy match: protocol must be ah/esp/ipcomp");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]154 e->match.proto = 1;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]155 e->invert.proto = cb->invert;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]156 break;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]157 case O_MODE:
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]158 if (e->match.mode)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]159 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]160 "policy match: double --mode option");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]161 e->match.mode = 1;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]162 e->invert.mode = cb->invert;
163 e->mode = parse_mode(cb->arg);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]164 break;
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]165 case O_NEXT:
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]166 if (++info->len == XT_POLICY_MAX_ELEM)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]167 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]168 "policy match: maximum policy depth reached");
169 break;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]170 }
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]171}
172
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]173static void policy_check(struct xt_fcheck_call *cb)
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]174{
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]175 struct xt_policy_info *info = cb->data;
176 const struct xt_policy_elem *e;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]177 int i;
178
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]179 /*
180 * The old "no parameters given" check is carried out
181 * by testing for --dir.
182 */
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]183 if (!(info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT)))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]184 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardt028ad9e2010-01-31 16:49:50 +0100[diff] [blame]185 "policy match: neither --dir in nor --dir out specified");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]186
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]187 if (info->flags & XT_POLICY_MATCH_NONE) {
188 if (info->flags & XT_POLICY_MATCH_STRICT)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]189 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]190 "policy match: policy none but --strict given");
191
192 if (info->len != 0)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]193 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]194 "policy match: policy none but policy given");
195 } else
196 info->len++; /* increase len by 1, no --next after last element */
197
Jan Engelhardt15392932011-05-12 12:46:40 +0200[diff] [blame]198 /*
199 * This is already represented with O_NEXT requiring F_STRICT in the
200 * options table, but will keep this code as a comment for reference.
201 *
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]202 if (!(info->flags & XT_POLICY_MATCH_STRICT) && info->len > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]203 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]204 "policy match: multiple elements but no --strict");
Jan Engelhardt15392932011-05-12 12:46:40 +0200[diff] [blame]205 */
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]206
207 for (i = 0; i < info->len; i++) {
208 e = &info->pol[i];
Patrick McHardya46d88d2006-01-12 09:43:18 +0000[diff] [blame]209
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]210 if (info->flags & XT_POLICY_MATCH_STRICT &&
Noticed by Tom Eastep3f347562006-01-22 13:47:07 +0000[diff] [blame]211 !(e->match.reqid || e->match.spi || e->match.saddr ||
Patrick McHardya46d88d2006-01-12 09:43:18 +0000[diff] [blame]212 e->match.daddr || e->match.proto || e->match.mode))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]213 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardt15392932011-05-12 12:46:40 +0200[diff] [blame]214 "policy match: empty policy element %u. "
215 "--strict is in effect, but at least one of "
216 "reqid, spi, tunnel-src, tunnel-dst, proto or "
217 "mode is required.", i);
Patrick McHardya46d88d2006-01-12 09:43:18 +0000[diff] [blame]218
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]219 if ((e->match.saddr || e->match.daddr)
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]220 && ((e->mode == XT_POLICY_MODE_TUNNEL && e->invert.mode) ||
221 (e->mode == XT_POLICY_MODE_TRANSPORT && !e->invert.mode)))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]222 xtables_error(PARAMETER_PROBLEM,
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]223 "policy match: --tunnel-src/--tunnel-dst "
224 "is only valid in tunnel mode");
225 }
226}
227
Jan Engelhardt7ac40522011-01-07 12:34:04 +0100[diff] [blame]228static void print_mode(const char *prefix, uint8_t mode, int numeric)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]229{
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]230 printf(" %smode ", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]231
232 switch (mode) {
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]233 case XT_POLICY_MODE_TRANSPORT:
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]234 printf("transport");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]235 break;
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]236 case XT_POLICY_MODE_TUNNEL:
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]237 printf("tunnel");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]238 break;
239 default:
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]240 printf("???");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]241 break;
242 }
243}
244
Jan Engelhardt7ac40522011-01-07 12:34:04 +0100[diff] [blame]245static void print_proto(const char *prefix, uint8_t proto, int numeric)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]246{
Jan Engelhardtdd6e4b92011-05-07 00:05:24 +0200[diff] [blame]247 const struct protoent *p = NULL;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]248
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]249 printf(" %sproto ", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]250 if (!numeric)
251 p = getprotobynumber(proto);
252 if (p != NULL)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]253 printf("%s", p->p_name);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]254 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]255 printf("%u", proto);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]256}
257
258#define PRINT_INVERT(x) \
259do { \
260 if (x) \
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]261 printf(" !"); \
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]262} while(0)
263
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]264static void print_entry(const char *prefix, const struct xt_policy_elem *e,
265 bool numeric, uint8_t family)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]266{
267 if (e->match.reqid) {
268 PRINT_INVERT(e->invert.reqid);
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]269 printf(" %sreqid %u", prefix, e->reqid);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]270 }
271 if (e->match.spi) {
272 PRINT_INVERT(e->invert.spi);
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]273 printf(" %sspi 0x%x", prefix, e->spi);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]274 }
275 if (e->match.proto) {
276 PRINT_INVERT(e->invert.proto);
277 print_proto(prefix, e->proto, numeric);
278 }
279 if (e->match.mode) {
280 PRINT_INVERT(e->invert.mode);
281 print_mode(prefix, e->mode, numeric);
282 }
283 if (e->match.daddr) {
284 PRINT_INVERT(e->invert.daddr);
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]285 if (family == NFPROTO_IPV6)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]286 printf(" %stunnel-dst %s%s", prefix,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]287 xtables_ip6addr_to_numeric(&e->daddr.a6),
288 xtables_ip6mask_to_numeric(&e->dmask.a6));
289 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]290 printf(" %stunnel-dst %s%s", prefix,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]291 xtables_ipaddr_to_numeric(&e->daddr.a4),
292 xtables_ipmask_to_numeric(&e->dmask.a4));
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]293 }
294 if (e->match.saddr) {
295 PRINT_INVERT(e->invert.saddr);
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]296 if (family == NFPROTO_IPV6)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]297 printf(" %stunnel-src %s%s", prefix,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]298 xtables_ip6addr_to_numeric(&e->saddr.a6),
299 xtables_ip6mask_to_numeric(&e->smask.a6));
300 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]301 printf(" %stunnel-src %s%s", prefix,
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]302 xtables_ipaddr_to_numeric(&e->saddr.a4),
303 xtables_ipmask_to_numeric(&e->smask.a4));
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]304 }
305}
306
Jan Engelhardtdd6e4b92011-05-07 00:05:24 +0200[diff] [blame]307static void print_flags(const char *prefix, const struct xt_policy_info *info)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]308{
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]309 if (info->flags & XT_POLICY_MATCH_IN)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]310 printf(" %sdir in", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]311 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]312 printf(" %sdir out", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]313
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]314 if (info->flags & XT_POLICY_MATCH_NONE)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]315 printf(" %spol none", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]316 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]317 printf(" %spol ipsec", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]318
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]319 if (info->flags & XT_POLICY_MATCH_STRICT)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]320 printf(" %sstrict", prefix);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]321}
322
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]323static void policy4_print(const void *ip, const struct xt_entry_match *match,
324 int numeric)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]325{
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]326 const struct xt_policy_info *info = (void *)match->data;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]327 unsigned int i;
328
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]329 printf(" policy match");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]330 print_flags("", info);
331 for (i = 0; i < info->len; i++) {
332 if (info->len > 1)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]333 printf(" [%u]", i);
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]334 print_entry("", &info->pol[i], numeric, NFPROTO_IPV4);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]335 }
336}
337
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]338static void policy6_print(const void *ip, const struct xt_entry_match *match,
339 int numeric)
340{
341 const struct xt_policy_info *info = (void *)match->data;
342 unsigned int i;
343
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]344 printf(" policy match");
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]345 print_flags("", info);
346 for (i = 0; i < info->len; i++) {
347 if (info->len > 1)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]348 printf(" [%u]", i);
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]349 print_entry("", &info->pol[i], numeric, NFPROTO_IPV6);
350 }
351}
352
353static void policy4_save(const void *ip, const struct xt_entry_match *match)
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]354{
Jan Engelhardtcd300542009-05-31 22:43:12 +0200[diff] [blame]355 const struct xt_policy_info *info = (void *)match->data;
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]356 unsigned int i;
357
358 print_flags("--", info);
359 for (i = 0; i < info->len; i++) {
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]360 print_entry("--", &info->pol[i], false, NFPROTO_IPV4);
361 if (i + 1 < info->len)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]362 printf(" --next");
Jan Engelhardt67cf1a92009-06-01 11:46:12 +0200[diff] [blame]363 }
364}
365
366static void policy6_save(const void *ip, const struct xt_entry_match *match)
367{
368 const struct xt_policy_info *info = (void *)match->data;
369 unsigned int i;
370
371 print_flags("--", info);
372 for (i = 0; i < info->len; i++) {
373 print_entry("--", &info->pol[i], false, NFPROTO_IPV6);
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]374 if (i + 1 < info->len)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]375 printf(" --next");
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]376 }
377}
378
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]379static struct xtables_match policy_mt_reg[] = {
380 {
381 .name = "policy",
382 .version = XTABLES_VERSION,
383 .family = NFPROTO_IPV4,
384 .size = XT_ALIGN(sizeof(struct xt_policy_info)),
385 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
386 .help = policy_help,
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]387 .x6_parse = policy_parse,
388 .x6_fcheck = policy_check,
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]389 .print = policy4_print,
390 .save = policy4_save,
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]391 .x6_options = policy_opts,
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]392 },
393 {
394 .name = "policy",
395 .version = XTABLES_VERSION,
396 .family = NFPROTO_IPV6,
397 .size = XT_ALIGN(sizeof(struct xt_policy_info)),
398 .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)),
399 .help = policy_help,
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]400 .x6_parse = policy_parse,
401 .x6_fcheck = policy_check,
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]402 .print = policy6_print,
403 .save = policy6_save,
Jan Engelhardtd441ad62011-05-06 17:45:12 +0200[diff] [blame]404 .x6_options = policy_opts,
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]405 },
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]406};
407
408void _init(void)
409{
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]410 xtables_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg));
Patrick McHardy524bb802005-11-19 09:00:03 +0000[diff] [blame]411}