Ejemplo n.º 1
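/*
 * Compare two rule entries and report whether they describe the same rule.
 *
 * a, b       entries to compare.
 * matchmask  byte buffer walked alongside the entry: the cursor starts
 *            sizeof(STRUCT_ENTRY) bytes in, is handed by address to
 *            match_different() for each match, then advances by the target
 *            header size and is handed to target_different().
 *            NOTE(review): presumably laid out like entry `a` -- confirm
 *            against the caller that builds it.
 *
 * Returns 1 when every compared field agrees, 0 on the first difference.
 */
static int
is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b,
	unsigned char *matchmask)
{
	unsigned int i;
	STRUCT_ENTRY_TARGET *ta, *tb;
	unsigned char *mptr;

	/* Always compare head structures: ignore mask here. */
	if (memcmp(&a->ipv6.src, &b->ipv6.src, sizeof(struct in6_addr))
	    || memcmp(&a->ipv6.dst, &b->ipv6.dst, sizeof(struct in6_addr))
	    || memcmp(&a->ipv6.smsk, &b->ipv6.smsk, sizeof(struct in6_addr))
	    || memcmp(&a->ipv6.dmsk, &b->ipv6.dmsk, sizeof(struct in6_addr))
	    || a->ipv6.proto != b->ipv6.proto
	    || a->ipv6.tos != b->ipv6.tos
	    || a->ipv6.flags != b->ipv6.flags
	    || a->ipv6.invflags != b->ipv6.invflags)
		return 0;

	/*
	 * Interface names: the per-byte masks must be identical, and the
	 * names must agree on every byte the mask selects.  Bytes outside
	 * the mask are deliberately not compared.
	 */
	for (i = 0; i < IFNAMSIZ; i++) {
		if (a->ipv6.iniface_mask[i] != b->ipv6.iniface_mask[i])
			return 0;
		if ((a->ipv6.iniface[i] & a->ipv6.iniface_mask[i])
		    != (b->ipv6.iniface[i] & b->ipv6.iniface_mask[i]))
			return 0;
		if (a->ipv6.outiface_mask[i] != b->ipv6.outiface_mask[i])
			return 0;
		if ((a->ipv6.outiface[i] & a->ipv6.outiface_mask[i])
		    != (b->ipv6.outiface[i] & b->ipv6.outiface_mask[i]))
			return 0;
	}

	/*
	 * Equal offsets mean both entries place their target, and their end,
	 * at the same distance from the start, so the walks below stay in
	 * step for a and b.
	 */
	if (a->nfcache != b->nfcache
	    || a->target_offset != b->target_offset
	    || a->next_offset != b->next_offset)
		return 0;

	mptr = matchmask + sizeof(STRUCT_ENTRY);
	if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
		return 0;

	ta = GET_TARGET((STRUCT_ENTRY *)a);
	tb = GET_TARGET((STRUCT_ENTRY *)b);
	if (ta->u.target_size != tb->u.target_size)
		return 0;
	/*
	 * The payload length passed to target_different() is
	 * target_size - sizeof(*ta), computed in unsigned arithmetic.  A
	 * target_size smaller than the header would wrap to a huge length,
	 * so treat such an entry as "not the same" instead of comparing.
	 * The sizes are equal at this point, so checking ta covers tb.
	 */
	if (ta->u.target_size < sizeof(*ta))
		return 0;
	/* NOTE(review): strcmp() relies on both names being NUL-terminated
	 * inside their fixed-size field -- confirm the producer guarantees it. */
	if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
		return 0;
	mptr += sizeof(*ta);

	if (target_different(ta->data, tb->data,
			     ta->u.target_size - sizeof(*ta), mptr))
		return 0;

	return 1;
}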
Ejemplo n.º 2
/*
 * Check whether entries a and b agree on everything up to, but not
 * including, their targets.
 *
 * Returns NULL at the first difference.  Otherwise returns a cursor into
 * matchmask: it starts sizeof(STRUCT_ENTRY) bytes in, is passed by address
 * to match_different() for each match, and is finally advanced by the
 * aligned size of a target header.  The target itself is not compared in
 * this function.
 */
static unsigned char *
is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b,
	unsigned char *matchmask)
{
	unsigned char *mask_pos;
	unsigned int n;

	/* Addresses and their netmasks are compared exactly; matchmask
	 * plays no part in the head structure. */
	if (memcmp(&a->ipv6.src, &b->ipv6.src, sizeof(struct in6_addr)) != 0)
		return NULL;
	if (memcmp(&a->ipv6.dst, &b->ipv6.dst, sizeof(struct in6_addr)) != 0)
		return NULL;
	if (memcmp(&a->ipv6.smsk, &b->ipv6.smsk, sizeof(struct in6_addr)) != 0)
		return NULL;
	if (memcmp(&a->ipv6.dmsk, &b->ipv6.dmsk, sizeof(struct in6_addr)) != 0)
		return NULL;

	/* Scalar header fields. */
	if (a->ipv6.proto != b->ipv6.proto || a->ipv6.tos != b->ipv6.tos)
		return NULL;
	if (a->ipv6.flags != b->ipv6.flags
	    || a->ipv6.invflags != b->ipv6.invflags)
		return NULL;

	/* Interface names: identical masks, and identical names on every
	 * byte the mask selects. */
	n = 0;
	while (n < IFNAMSIZ) {
		if (a->ipv6.iniface_mask[n] != b->ipv6.iniface_mask[n]
		    || a->ipv6.outiface_mask[n] != b->ipv6.outiface_mask[n])
			return NULL;
		if ((a->ipv6.iniface[n] & a->ipv6.iniface_mask[n])
		    != (b->ipv6.iniface[n] & b->ipv6.iniface_mask[n]))
			return NULL;
		if ((a->ipv6.outiface[n] & a->ipv6.outiface_mask[n])
		    != (b->ipv6.outiface[n] & b->ipv6.outiface_mask[n]))
			return NULL;
		n++;
	}

	/* Cache bits and layout offsets. */
	if (a->nfcache != b->nfcache)
		return NULL;
	if (a->target_offset != b->target_offset)
		return NULL;
	if (a->next_offset != b->next_offset)
		return NULL;

	/* Walk the matches; a non-zero result from the iteration means some
	 * pair of matches differed. */
	mask_pos = matchmask + sizeof(STRUCT_ENTRY);
	if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems,
			       &mask_pos))
		return NULL;

	/* Step over the target header so the returned cursor sits where the
	 * mask for the target payload would begin. */
	mask_pos += IP6T_ALIGN(sizeof(struct ip6t_entry_target));
	return mask_pos;
}
Ejemplo n.º 3
/* Write one rule to stdout as a single line of option text, printing only
 * the fields that are needed so the result stays readable.
 *
 * e         rule entry to print.
 * h         handle passed to ip6tc_get_target() to resolve the jump name.
 * chain     chain name, printed after "-A".
 * counters  non-zero to prefix the line with "[packets:bytes]".
 *
 * Terminates the process with exit(1) when the target's extension cannot be
 * found, or when it has payload but no save callback. */
static void print_rule(const struct ip6t_entry *e,
		ip6tc_handle_t *h, const char *chain, int counters)
{
	const char *jump;
	struct ip6t_entry_target *tgt;
	struct ip6tables_target *ext;

	/* Optional packet and byte counters. */
	if (counters) {
		printf("[%llu:%llu] ",
		       (unsigned long long)e->counters.pcnt,
		       (unsigned long long)e->counters.bcnt);
	}

	/* Chain the rule belongs to. */
	printf("-A %s ", chain);

	/* Source and destination address, each with its netmask and its
	 * inversion bit. */
	print_ip("-s", &(e->ipv6.src), &(e->ipv6.smsk),
		 e->ipv6.invflags & IP6T_INV_SRCIP);
	print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk),
		 e->ipv6.invflags & IP6T_INV_DSTIP);

	/* Input and output interface. */
	print_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask,
		    e->ipv6.invflags & IP6T_INV_VIA_IN);
	print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask,
		    e->ipv6.invflags & IP6T_INV_VIA_OUT);

	/* Protocol. */
	print_proto(e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);

#if 0
	/* not defined in ipv6
	 * FIXME: linux/netfilter_ipv6/ip6_tables: why is IP6T_INV_FRAG
	 * defined? */
	if (e->ipv6.flags & IPT_F_FRAG)
		printf("%s-f ",
		       e->ipv6.invflags & IP6T_INV_FRAG ? "! " : "");
#endif

	/* NOTE(review): "-?" is emitted literally for the TOS field; it
	 * looks like a placeholder rather than a real option name, so a line
	 * carrying it may not be accepted when read back -- confirm. */
	if (e->ipv6.flags & IP6T_F_TOS) {
		const char *negate = "";

		if (e->ipv6.invflags & IP6T_INV_TOS)
			negate = "! ";
		printf("%s-? %d ", negate, e->ipv6.tos);
	}

	/* Matches are only walked when target_offset is non-zero. */
	if (e->target_offset) {
		IP6T_MATCH_ITERATE(e, print_match, &e->ipv6);
	}

	/* Jump name as resolved through the handle; skipped when it is
	 * missing or empty. */
	jump = ip6tc_get_target(e, h);
	if (jump != NULL && jump[0] != '\0')
		printf("-j %s ", jump);

	/* Target options, printed by the extension's save callback. */
	tgt = ip6t_get_target((struct ip6t_entry *)e);
	if (tgt->u.user.name[0] != '\0') {
		ext = find_target(tgt->u.user.name, TRY_LOAD);
		if (ext == NULL) {
			fprintf(stderr, "Can't find library for target `%s'\n",
				tgt->u.user.name);
			exit(1);
		}

		if (ext->save != NULL) {
			ext->save(&e->ipv6, tgt);
		} else if (tgt->u.target_size !=
			   sizeof(struct ip6t_entry_target)) {
			/* A target larger than the bare header carries data
			 * that should be saved, but there is no callback
			 * that knows how to print it.  Stop rather than
			 * write a rule that silently drops those options. */
			fprintf(stderr, "Target `%s' is missing "
					"save function\n",
				tgt->u.user.name);
			exit(1);
		}
	}
	printf("\n");
}
Ejemplo n.º 4
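/* Print "LABELaddr/prefix" on one line for an address and its netmask. */
static void
dump_addr_mask(const char *label, const struct in6_addr *addr,
	       const struct in6_addr *mask)
{
	/* INET6_ADDRSTRLEN is the buffer size inet_ntop() is specified to
	 * need for any textual IPv6 address. */
	char buf[INET6_ADDRSTRLEN];
	int len;

	/* fputs(), unlike puts(), appends no newline, so label, address,
	 * '/' and prefix stay on one line. */
	fputs(label, stdout);
	/* inet_ntop() returns NULL on failure; never print buf in that case
	 * because its contents are not defined. */
	fputs(inet_ntop(AF_INET6, addr, buf, sizeof buf) ? buf : "?", stdout);
	putchar('/');
	len = ipv6_prefix_length(mask);
	if (len != -1)
		printf("%d", len);
	else
		/* No prefix length available: print the mask in address
		 * form instead. */
		fputs(inet_ntop(AF_INET6, mask, buf, sizeof buf) ? buf : "?",
		      stdout);
	putchar('\n');
}

/*
 * Debug dump of a single rule entry to stdout: index and offset, addresses,
 * interfaces, protocol, flags, counters, cache bits, matches and target.
 *
 * e       entry to dump.
 * handle  handle the entry belongs to; used to compute its index and offset.
 *
 * Always returns 0.
 */
static int
dump_entry(struct ip6t_entry *e, const ip6tc_handle_t handle)
{
	size_t i;
	struct ip6t_entry_target *t;

	printf("Entry %u (%lu):\n", entry2index(handle, e),
	       entry2offset(handle, e));
	dump_addr_mask("SRC IP: ", &e->ipv6.src, &e->ipv6.smsk);
	dump_addr_mask("DST IP: ", &e->ipv6.dst, &e->ipv6.dmsk);

	/* The precision bounds the read to the IFNAMSIZ-byte field in case a
	 * name fills it without a terminator. */
	printf("Interface: `%.*s'/", (int)IFNAMSIZ, e->ipv6.iniface);
	for (i = 0; i < IFNAMSIZ; i++)
		printf("%c", e->ipv6.iniface_mask[i] ? 'X' : '.');
	printf("to `%.*s'/", (int)IFNAMSIZ, e->ipv6.outiface);
	for (i = 0; i < IFNAMSIZ; i++)
		printf("%c", e->ipv6.outiface_mask[i] ? 'X' : '.');
	printf("\nProtocol: %u\n", e->ipv6.proto);
	if (e->ipv6.flags & IP6T_F_TOS)
		printf("TOS: %u\n", e->ipv6.tos);
	printf("Flags: %02X\n", e->ipv6.flags);
	printf("Invflags: %02X\n", e->ipv6.invflags);
	/* %llu needs an unsigned long long argument; cast explicitly because
	 * the counter type need not be that wide type on every platform. */
	printf("Counters: %llu packets, %llu bytes\n",
	       (unsigned long long)e->counters.pcnt,
	       (unsigned long long)e->counters.bcnt);
	printf("Cache: %08X ", e->nfcache);
	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
	if (e->nfcache & NFC_IP6_SRC) printf("IP6_SRC ");
	if (e->nfcache & NFC_IP6_DST) printf("IP6_DST ");
	if (e->nfcache & NFC_IP6_IF_IN) printf("IP6_IF_IN ");
	if (e->nfcache & NFC_IP6_IF_OUT) printf("IP6_IF_OUT ");
	if (e->nfcache & NFC_IP6_TOS) printf("IP6_TOS ");
	if (e->nfcache & NFC_IP6_PROTO) printf("IP6_PROTO ");
	if (e->nfcache & NFC_IP6_OPTIONS) printf("IP6_OPTIONS ");
	if (e->nfcache & NFC_IP6_TCPFLAGS) printf("IP6_TCPFLAGS ");
	if (e->nfcache & NFC_IP6_SRC_PT) printf("IP6_SRC_PT ");
	if (e->nfcache & NFC_IP6_DST_PT) printf("IP6_DST_PT ");
	if (e->nfcache & NFC_IP6_PROTO_UNKNOWN) printf("IP6_PROTO_UNKNOWN ");
	printf("\n");

	IP6T_MATCH_ITERATE(e, print_match);

	t = ip6t_get_target(e);
	printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size);
	if (strcmp(t->u.user.name, IP6T_STANDARD_TARGET) == 0) {
		int pos;

		/* Copy the verdict out instead of dereferencing a cast
		 * pointer: the payload is a byte array, so reading it
		 * through an int pointer breaks aliasing rules and assumes
		 * alignment.
		 * NOTE(review): target_size is not checked to cover an int
		 * here -- confirm entries are validated before being dumped. */
		memcpy(&pos, t->data, sizeof pos);
		if (pos < 0)
			printf("verdict=%s\n",
			       pos == -NF_ACCEPT-1 ? "NF_ACCEPT"
			       : pos == -NF_DROP-1 ? "NF_DROP"
			       : pos == IP6T_RETURN ? "RETURN"
			       : "UNKNOWN");
		else
			printf("verdict=%u\n", (unsigned int)pos);
	} else if (strcmp(t->u.user.name, IP6T_ERROR_TARGET) == 0)
		/* %s expects a char pointer; the payload is a byte array. */
		printf("error=`%s'\n", (const char *)t->data);

	printf("\n");
	return 0;
}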