Ejemplo n.º 1
/*
 * Option callback for the state match stored in an xt_conntrack_mtinfo3:
 * the state list in cb->arg becomes the state mask, and inversion is
 * recorded in invert_flags.
 */
static void state_ct23_parse(struct xt_option_call *cb)
{
	struct xt_conntrack_mtinfo3 *ct = cb->data;

	xtables_option_parse(cb);

	/* match_flags is assigned, not OR-ed: only the state test is enabled. */
	ct->match_flags = XT_CONNTRACK_STATE;
	ct->state_mask = state_parse_states(cb->arg);
	if (!cb->invert)
		return;
	ct->invert_flags |= XT_CONNTRACK_STATE;
}
Ejemplo n.º 2
/*
 * Option callback for the AH match. Runs the generic option parser, then
 * records inversion and turns a single value into a one-element range.
 */
static void ah_parse(struct xt_option_call *cb)
{
	struct ipt_ah *ah = cb->data;

	xtables_option_parse(cb);

	if (cb->invert)
		ah->invflags |= IPT_AH_INV_SPI;

	/* Only one value was given: use it as both ends of the range. */
	if (cb->nvals == 1)
		ah->spis[1] = ah->spis[0];
}
Ejemplo n.º 3
/*
 * Option callback for the connmark match (xt_connmark_mtinfo1): copies
 * the parsed mark and mask into the match info and notes inversion.
 */
static void connmark_mt_parse(struct xt_option_call *cb)
{
	struct xt_connmark_mtinfo1 *mt = cb->data;

	xtables_option_parse(cb);

	/* cb->val.mark / cb->val.mask are read only after the parser has run. */
	mt->mark = cb->val.mark;
	mt->mask = cb->val.mask;
	if (cb->invert)
		mt->invert = true;
}
Ejemplo n.º 4
/*
 * Option callback for the connmark match using the older
 * xt_connmark_info layout: stores mark, mask and the inversion flag.
 */
static void connmark_parse(struct xt_option_call *cb)
{
	struct xt_connmark_info *cm = cb->data;

	xtables_option_parse(cb);

	if (cb->invert)
		cm->invert = 1;
	cm->mask = cb->val.mask;
	cm->mark = cb->val.mark;
}
Ejemplo n.º 5
/*
 * Option callback for the NETMAP target: turns the parsed address/mask
 * pair into an inclusive IP range in the first range slot.
 */
static void NETMAP_parse(struct xt_option_call *cb)
{
	struct nf_nat_ipv4_multi_range_compat *compat = cb->data;

	xtables_option_parse(cb);

	compat->range[0].flags |= NF_NAT_RANGE_MAP_IPS;
	/* Lowest address: the given address with the non-mask bits cleared. */
	compat->range[0].min_ip = cb->val.haddr.ip & cb->val.hmask.ip;
	/* Highest address: the same prefix with all non-mask bits set. */
	compat->range[0].max_ip = compat->range[0].min_ip | ~cb->val.hmask.ip;
}
Ejemplo n.º 6
/*
 * Option callback for the DSCP target. Only the class option needs work
 * here: its argument is translated with class_to_dscp(). Every other
 * option id is left to whatever xtables_option_parse() already did.
 */
static void DSCP_parse(struct xt_option_call *cb)
{
	struct xt_DSCP_info *dscp = cb->data;

	xtables_option_parse(cb);
	if (cb->entry->id == O_SET_DSCP_CLASS)
		dscp->dscp = class_to_dscp(cb->arg);
}
Ejemplo n.º 7
/*
 * Option callback for the bpf match. The only accepted option carries
 * the program as a ','-separated string, handed to bpf_parse_string();
 * any other option id is rejected as a parameter problem.
 *
 * NOTE(review): all validation of the program text happens inside
 * bpf_parse_string(), which is not visible here.
 */
static void bpf_parse(struct xt_option_call *cb)
{
    xtables_option_parse(cb);

    if (cb->entry->id == O_BCODE_STDIN)
        bpf_parse_string(cb, cb->arg, ',');
    else
        xtables_error(PARAMETER_PROBLEM, "bpf: unknown option");
}
Ejemplo n.º 8
/*
 * Option callback for the length match: stores the parsed 16-bit range.
 * A single value yields min == max.
 *
 * NOTE(review): no min <= max check is visible in this callback;
 * presumably the generic range parser enforces it - confirm.
 */
static void length_parse(struct xt_option_call *cb)
{
	struct xt_length_info *len = cb->data;

	xtables_option_parse(cb);

	len->min = cb->val.u16_range[0];
	/* Upper bound is the second value when present, else the first. */
	len->max = (cb->nvals >= 2) ? cb->val.u16_range[1]
				    : cb->val.u16_range[0];
	if (cb->invert)
		len->invert = 1;
}
Ejemplo n.º 9
/*
 * Option callback for the ratelimit match. Only the mode option is
 * handled here: its argument is parsed with parse_mode(), and a negative
 * return is reported as a bad value for --ratelimit-mode.
 */
static void ratelimit_parse(struct xt_option_call *cb)
{
	struct xt_ratelimit_mtinfo *rl = cb->data;

	xtables_option_parse(cb);
	if (cb->entry->id != O_MODE)
		return;

	if (parse_mode(&rl->mode, cb->arg) < 0)
		xtables_param_act(XTF_BAD_VALUE, "ratelimit",
		    "--ratelimit-mode", cb->arg);
}
Ejemplo n.º 10
/*
 * Option callback for the AUDIT target: maps the case-insensitive
 * argument "accept" / "drop" / "reject" to the matching audit type.
 * Anything else is rejected with a parameter error, so the type field is
 * never set from an unrecognised string.
 */
static void audit_parse(struct xt_option_call *cb)
{
	struct xt_audit_info *audit = cb->data;
	const char *name;

	xtables_option_parse(cb);
	name = cb->arg;

	if (!strcasecmp(name, "accept")) {
		audit->type = XT_AUDIT_TYPE_ACCEPT;
		return;
	}
	if (!strcasecmp(name, "drop")) {
		audit->type = XT_AUDIT_TYPE_DROP;
		return;
	}
	if (!strcasecmp(name, "reject")) {
		audit->type = XT_AUDIT_TYPE_REJECT;
		return;
	}
	xtables_error(PARAMETER_PROBLEM,
		   "Bad action type value \"%s\"", cb->arg);
}
Ejemplo n.º 11
/*
 * Option callback for the udp match. The port values themselves are not
 * touched here; this callback only records inversion for the source or
 * destination port option.
 */
static void udp_parse(struct xt_option_call *cb)
{
	struct xt_udp *udp = cb->data;

	xtables_option_parse(cb);

	/* Nothing below applies unless the option was negated. */
	if (!cb->invert)
		return;

	switch (cb->entry->id) {
	case O_SOURCE_PORT:
		udp->invflags |= XT_UDP_INV_SRCPT;
		break;
	case O_DEST_PORT:
		udp->invflags |= XT_UDP_INV_DSTPT;
		break;
	}
}
Ejemplo n.º 12
/*
 * Option callback for the hop-by-hop options match: records length
 * inversion, or parses the option list into optinfo->opts.
 *
 * NOTE(review): parse_options() writes into the opts array; keeping the
 * count within that array's size is up to parse_options(), which is not
 * visible here - confirm.
 */
static void hbh_parse(struct xt_option_call *cb)
{
	struct ip6t_opts *opts = cb->data;

	xtables_option_parse(cb);

	if (cb->entry->id == O_HBH_LEN) {
		if (cb->invert)
			opts->invflags |= IP6T_OPTS_INV_LEN;
	} else if (cb->entry->id == O_HBH_OPTS) {
		/* The return value is stored as the number of parsed options. */
		opts->optsnr = parse_options(cb->arg, opts->opts);
		opts->flags |= IP6T_OPTS_OPTS;
	}
}
Ejemplo n.º 13
/*
 * Option callback for the DNPT target: stores the parsed prefix address
 * and prefix length for either the source or the destination prefix.
 */
static void DNPT_parse(struct xt_option_call *cb)
{
	struct ip6t_npt_tginfo *tg = cb->data;

	xtables_option_parse(cb);

	if (cb->entry->id == O_SRC_PFX) {
		tg->src_pfx_len = cb->val.hlen;
		tg->src_pfx = cb->val.haddr;
	} else if (cb->entry->id == O_DST_PFX) {
		tg->dst_pfx_len = cb->val.hlen;
		tg->dst_pfx = cb->val.haddr;
	}
}
Ejemplo n.º 14
/*
 * Option callback for the limit match. The rate argument is parsed into
 * r->avg by parse_rate(); a zero return is reported as a bad rate.
 * Negation is refused for every option of this match.
 */
static void limit_parse(struct xt_option_call *cb)
{
	struct xt_rateinfo *rate = cb->data;

	xtables_option_parse(cb);

	if (cb->entry->id == O_LIMIT && !parse_rate(cb->arg, &rate->avg))
		xtables_error(PARAMETER_PROBLEM,
			   "bad rate \"%s\"'", cb->arg);

	/* Checked after the switch-equivalent above, for any option id. */
	if (cb->invert)
		xtables_error(PARAMETER_PROBLEM,
			   "limit does not support invert");
}
/*
 * Option callback for the ipv6header match: parses the header-name list
 * into matchflags (an empty result is an error) and handles the soft
 * option.
 */
static void ipv6header_parse(struct xt_option_call *cb)
{
	struct ip6t_ipv6header_info *hdr = cb->data;

	xtables_option_parse(cb);

	if (cb->entry->id == O_HEADER) {
		hdr->matchflags = parse_header(cb->arg);
		/* A zero mask means parse_header() recognised nothing. */
		if (hdr->matchflags == 0)
			xtables_error(PARAMETER_PROBLEM, "ip6t_ipv6header: cannot parse header names");
		if (cb->invert)
			hdr->invflags |= 0xFF;
	} else if (cb->entry->id == O_SOFT) {
		hdr->modeflag |= 0xFF;
	}
}
Ejemplo n.º 16
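/*
 * Copy an option argument into a fixed-size field of the target info.
 * The argument is rejected with a parameter error when it does not fit,
 * terminator included, instead of being written past the field.
 */
static void ENCRYPT_copy_arg(char *dst, size_t dst_size, const char *src,
			     const char *what)
{
	size_t len = strlen(src);

	if (len >= dst_size)
		xtables_error(PARAMETER_PROBLEM,
			   "ENCRYPT: %s is too long (at most %u characters)",
			   what, (unsigned int)(dst_size - 1));
	else
		memcpy(dst, src, len + 1);
}

/*
 * Option callback for the ENCRYPT target: sets the decrypt flag, or
 * stores the algorithm name / passphrase given on the command line.
 *
 * cb->arg is caller-controlled and of arbitrary length, so both string
 * options are length-checked before the copy (the previous strcpy()
 * calls wrote past the field for an over-long argument).
 *
 * NOTE(review): sizeof() below assumes alg_name and passphrase are
 * arrays inside struct xt_encrypt_info, not pointers - confirm against
 * the struct definition.
 * NOTE(review): the passphrase arrives as a plain option argument, so it
 * is exposed wherever the command line is (process list, shell history,
 * saved rule sets).
 */
static void ENCRYPT_parse(struct xt_option_call *cb)
{
	struct xt_encrypt_info *encrypt = cb->data;

	xtables_option_parse(cb);
	switch (cb->entry->id) {
	case O_ENCRYPT_DECRYPT:
		encrypt->decrypt = 1;
		break;
	case O_ENCRYPT_ALGORITHM:
		ENCRYPT_copy_arg(encrypt->alg_name, sizeof(encrypt->alg_name),
				 cb->arg, "algorithm name");
		break;
	case O_ENCRYPT_PASSPHRASE:
		ENCRYPT_copy_arg(encrypt->passphrase,
				 sizeof(encrypt->passphrase),
				 cb->arg, "passphrase");
		break;
	}
}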
Ejemplo n.º 17
/*
 * Option callback for the IPv6 routing-header match. Each option sets
 * its flag bit (and its inversion bit where applicable); the type-0
 * options additionally enforce that the options they depend on were
 * given earlier on the command line.
 *
 * NOTE(review): parse_addresses() fills rt->addrs; keeping the count
 * within that array is up to parse_addresses(), not visible here.
 */
static void rt_parse(struct xt_option_call *cb)
{
	struct ip6t_rt *rt = cb->data;
	int type0_missing;

	xtables_option_parse(cb);

	/*
	 * Non-zero unless a non-inverted `--rt-type 0' has already been
	 * seen. Only the two type-0 cases below consult it, and neither
	 * changes the inputs before doing so.
	 */
	type0_missing = !(cb->xflags & F_RT_TYPE) || rt->rt_type != 0 ||
			(rt->invflags & IP6T_RT_INV_TYP);

	switch (cb->entry->id) {
	case O_RT_TYPE:
		if (cb->invert)
			rt->invflags |= IP6T_RT_INV_TYP;
		rt->flags |= IP6T_RT_TYP;
		break;
	case O_RT_SEGSLEFT:
		/* A single value stands for a one-element range. */
		if (cb->nvals == 1)
			rt->segsleft[1] = rt->segsleft[0];
		if (cb->invert)
			rt->invflags |= IP6T_RT_INV_SGS;
		rt->flags |= IP6T_RT_SGS;
		break;
	case O_RT_LEN:
		if (cb->invert)
			rt->invflags |= IP6T_RT_INV_LEN;
		rt->flags |= IP6T_RT_LEN;
		break;
	case O_RT0RES:
		if (type0_missing)
			xtables_error(PARAMETER_PROBLEM,
				   "`--rt-type 0' required before `--rt-0-res'");
		rt->flags |= IP6T_RT_RES;
		break;
	case O_RT0ADDRS:
		if (type0_missing)
			xtables_error(PARAMETER_PROBLEM,
				   "`--rt-type 0' required before `--rt-0-addrs'");
		rt->addrnr = parse_addresses(cb->arg, rt->addrs);
		rt->flags |= IP6T_RT_FST;
		break;
	case O_RT0NSTRICT:
		if (!(cb->xflags & F_RT0ADDRS))
			xtables_error(PARAMETER_PROBLEM,
				   "`--rt-0-addr ...' required before `--rt-0-not-strict'");
		rt->flags |= IP6T_RT_FST_NSTRICT;
		break;
	}
}
Ejemplo n.º 18
/*
 * Option callback for the HL target: selects set / increment / decrement
 * mode from the option id. The numeric operand is not handled here.
 */
static void HL_parse(struct xt_option_call *cb)
{
	struct ip6t_HL_info *hl = cb->data;

	xtables_option_parse(cb);

	if (cb->entry->id == O_HL_SET)
		hl->mode = IP6T_HL_SET;
	else if (cb->entry->id == O_HL_INC)
		hl->mode = IP6T_HL_INC;
	else if (cb->entry->id == O_HL_DEC)
		hl->mode = IP6T_HL_DEC;
}
Ejemplo n.º 19
/*
 * Option callback for the CT target: sets the notrack flag, or parses an
 * event list against the conntrack / expectation event table.
 */
static void ct_parse(struct xt_option_call *cb)
{
	struct xt_ct_target_info *ct = cb->data;

	xtables_option_parse(cb);

	if (cb->entry->id == O_NOTRACK) {
		ct->flags |= XT_CT_NOTRACK;
	} else if (cb->entry->id == O_CTEVENTS) {
		ct->ct_events = ct_parse_events(ct_event_tbl,
						ARRAY_SIZE(ct_event_tbl),
						cb->arg);
	} else if (cb->entry->id == O_EXPEVENTS) {
		ct->exp_events = ct_parse_events(exp_event_tbl,
						 ARRAY_SIZE(exp_event_tbl),
						 cb->arg);
	}
}
Ejemplo n.º 20
/*
 * Option callback for revision 0 of the owner match. Resolves the user
 * or group argument to a numeric id and sets the match / invert bits for
 * whichever owner criterion was given.
 */
static void owner_mt_parse_v0(struct xt_option_call *cb)
{
	struct ipt_owner_info *info = cb->data;
	struct passwd *pwd;
	struct group *grp;
	/* Assigned only on the successful lookup/parse paths below. */
	unsigned int id;

	xtables_option_parse(cb);
	switch (cb->entry->id) {
	case O_USER:
		/*
		 * The name lookup is tried first, the numeric parse second:
		 * an account whose name is all digits wins over the same
		 * digits read as a uid.
		 */
		if ((pwd = getpwnam(cb->arg)) != NULL)
			id = pwd->pw_uid;
		else if (!xtables_strtoui(cb->arg, NULL, &id, 0, UINT32_MAX - 1))
			/* NOTE(review): id stays unset unless this call does not return - confirm. */
			xtables_param_act(XTF_BAD_VALUE, "owner", "--uid-owner", cb->arg);
		if (cb->invert)
			info->invert |= IPT_OWNER_UID;
		info->match |= IPT_OWNER_UID;
		info->uid    = id;
		break;
	case O_GROUP:
		/* Same order as for users: group name first, number second. */
		if ((grp = getgrnam(cb->arg)) != NULL)
			id = grp->gr_gid;
		else if (!xtables_strtoui(cb->arg, NULL, &id, 0, UINT32_MAX - 1))
			xtables_param_act(XTF_BAD_VALUE, "owner", "--gid-owner", cb->arg);
		if (cb->invert)
			info->invert |= IPT_OWNER_GID;
		info->match |= IPT_OWNER_GID;
		info->gid    = id;
		break;
	/*
	 * The remaining options only set their match / invert bits here;
	 * presumably xtables_option_parse() has stored the values - confirm.
	 */
	case O_PROCESS:
		if (cb->invert)
			info->invert |= IPT_OWNER_PID;
		info->match |= IPT_OWNER_PID;
		break;
	case O_SESSION:
		if (cb->invert)
			info->invert |= IPT_OWNER_SID;
		info->match |= IPT_OWNER_SID;
		break;
	case O_COMM:
		if (cb->invert)
			info->invert |= IPT_OWNER_COMM;
		info->match |= IPT_OWNER_COMM;
		break;
	}
}
Ejemplo n.º 21
/*
 * Option callback for the ttl match: picks the comparison mode from the
 * option id. Negation is honoured only for the equality option, where it
 * selects "not equal"; this callback ignores it for less-than and
 * greater-than.
 */
static void ttl_parse(struct xt_option_call *cb)
{
	struct ipt_ttl_info *ttl = cb->data;

	xtables_option_parse(cb);

	switch (cb->entry->id) {
	case O_TTL_EQ:
		if (cb->invert)
			ttl->mode = IPT_TTL_NE;
		else
			ttl->mode = IPT_TTL_EQ;
		break;
	case O_TTL_LT:
		ttl->mode = IPT_TTL_LT;
		break;
	case O_TTL_GT:
		ttl->mode = IPT_TTL_GT;
		break;
	}
}
Ejemplo n.º 22
/*
 * Option callback for revision 0 of the addrtype match: parses the type
 * list for the source or destination side with parse_types() and records
 * inversion for that side.
 */
static void addrtype_parse_v0(struct xt_option_call *cb)
{
    struct ipt_addrtype_info *at = cb->data;

    xtables_option_parse(cb);

    if (cb->entry->id == O_SRC_TYPE) {
        parse_types(cb->arg, &at->source);
        if (cb->invert)
            at->invert_source = 1;
    } else if (cb->entry->id == O_DST_TYPE) {
        parse_types(cb->arg, &at->dest);
        if (cb->invert)
            at->invert_dest = 1;
    }
}
Ejemplo n.º 23
/*
 * Option callback for revision 1 of the cgroup match: notes which
 * criterion (path or classid) was supplied and whether it was negated.
 * The values themselves are not written in this callback.
 */
static void cgroup_parse_v1(struct xt_option_call *cb)
{
	struct xt_cgroup_info_v1 *cg = cb->data;

	xtables_option_parse(cb);

	switch (cb->entry->id) {
	case O_PATH:
		if (cb->invert)
			cg->invert_path = true;
		cg->has_path = true;
		break;
	case O_CLASSID:
		if (cb->invert)
			cg->invert_classid = true;
		cg->has_classid = true;
		break;
	}
}
Ejemplo n.º 24
/*
 * Option callback for revision 1 of the NFQUEUE target. Only the
 * queue-balance option is handled here: it must supply exactly two
 * values with the first strictly below the second, which become the
 * first queue number and the number of queues.
 */
static void NFQUEUE_parse_v1(struct xt_option_call *cb)
{
	struct xt_NFQ_info_v1 *nfq = cb->data;
	/* Points into cb; the values are filled in by the parser call below. */
	const uint16_t *range = cb->val.u16_range;

	xtables_option_parse(cb);
	if (cb->entry->id != O_QUEUE_BALANCE)
		return;

	if (cb->nvals != 2)
		xtables_error(PARAMETER_PROBLEM,
			"Bad range \"%s\"", cb->arg);
	if (range[0] >= range[1])
		xtables_error(PARAMETER_PROBLEM, "%u should be less than %u",
			range[0], range[1]);

	nfq->queuenum = range[0];
	/* Inclusive range, hence the +1. */
	nfq->queues_total = range[1] - range[0] + 1;
}
Ejemplo n.º 25
/*
 * Option callback for the osf match: sets the flag bit belonging to the
 * option and, for the genre option, records the length of the genre
 * string.
 */
static void osf_parse(struct xt_option_call *cb)
{
	struct xt_osf_info *osf = cb->data;

	xtables_option_parse(cb);

	if (cb->entry->id == O_GENRE) {
		if (cb->invert)
			osf->flags |= XT_OSF_INVERT;
		/*
		 * genre is not written in this callback; presumably
		 * xtables_option_parse() stored it, NUL-terminated - confirm.
		 */
		osf->len = strlen(osf->genre);
	} else if (cb->entry->id == O_TTL) {
		osf->flags |= XT_OSF_TTL;
	} else if (cb->entry->id == O_LOGLEVEL) {
		osf->flags |= XT_OSF_LOG;
	}
}
Ejemplo n.º 26
/*
 * Option callback for the CONNMARK target (xt_connmark_tginfo1). Every
 * "set"-style option is expressed as the same SET mode with a different
 * ctmark / ctmask pair; save and restore only select the mode, and the
 * mask option sets both masks.
 */
static void connmark_tg_parse(struct xt_option_call *cb)
{
	struct xt_connmark_tginfo1 *tg = cb->data;

	xtables_option_parse(cb);

	switch (cb->entry->id) {
	case O_SET_XMARK:
		tg->ctmark = cb->val.mark;
		tg->ctmask = cb->val.mask;
		tg->mode   = XT_CONNMARK_SET;
		break;
	case O_SET_MARK:
		/* The mask also covers every bit of the mark itself. */
		tg->ctmark = cb->val.mark;
		tg->ctmask = cb->val.mark | cb->val.mask;
		tg->mode   = XT_CONNMARK_SET;
		break;
	case O_AND_MARK:
		tg->ctmark = 0;
		tg->ctmask = ~cb->val.u32;
		tg->mode   = XT_CONNMARK_SET;
		break;
	case O_OR_MARK:
		tg->ctmark = cb->val.u32;
		tg->ctmask = cb->val.u32;
		tg->mode   = XT_CONNMARK_SET;
		break;
	case O_XOR_MARK:
		tg->ctmark = cb->val.u32;
		tg->ctmask = 0;
		tg->mode   = XT_CONNMARK_SET;
		break;
	case O_SAVE_MARK:
		tg->mode = XT_CONNMARK_SAVE;
		break;
	case O_RESTORE_MARK:
		tg->mode = XT_CONNMARK_RESTORE;
		break;
	case O_MASK:
		/* One value feeds both masks. */
		tg->ctmask = cb->val.u32;
		tg->nfmask = tg->ctmask;
		break;
	}
}
Ejemplo n.º 27
/*
 * Option callback for the time match. Converts each date / time-of-day /
 * day-list argument with its helper and stores the result, and sets the
 * flag bits for the contiguous and timezone options.
 */
static void time_parse(struct xt_option_call *cb)
{
	struct xt_time_info *info = cb->data;

	xtables_option_parse(cb);
	switch (cb->entry->id) {
	case O_DATE_START:
		/* NOTE(review): second argument differs between start (false) and stop (true); meaning is defined by time_parse_date(), not shown here. */
		info->date_start = time_parse_date(cb->arg, false);
		break;
	case O_DATE_STOP:
		info->date_stop = time_parse_date(cb->arg, true);
		break;
	case O_TIME_START:
		info->daytime_start = time_parse_minutes(cb->arg);
		break;
	case O_TIME_STOP:
		info->daytime_stop = time_parse_minutes(cb->arg);
		break;
	case O_TIME_CONTIGUOUS:
		info->flags |= XT_TIME_CONTIGUOUS;
		break;
	case O_LOCAL_TZ:
		/* Deprecated spelling: warn on stderr, then behave like O_KERNEL_TZ. */
		fprintf(stderr, "WARNING: --localtz is being replaced by "
		        "--kerneltz, since \"local\" is ambiguous. Note the "
		        "kernel timezone has caveats - "
		        "see manpage for details.\n");
		/* fallthrough */
	case O_KERNEL_TZ:
		info->flags |= XT_TIME_LOCAL_TZ;
		break;
	case O_MONTHDAYS:
		info->monthdays_match = time_parse_monthdays(cb->arg);
		/* Negation flips every bit of the all-monthdays mask in the parsed set. */
		if (cb->invert)
			info->monthdays_match ^= XT_TIME_ALL_MONTHDAYS;
		break;
	case O_WEEKDAYS:
		info->weekdays_match = time_parse_weekdays(cb->arg);
		/* Same bit flip as for monthdays, with the all-weekdays mask. */
		if (cb->invert)
			info->weekdays_match ^= XT_TIME_ALL_WEEKDAYS;
		break;
	}
}
Ejemplo n.º 28
/*
 * Option callback for the SAME target: appends one parsed address range
 * per occurrence of the address option, or sets the nodst flag.
 *
 * The range array is indexed by rangesize, so the capacity check must
 * stay ahead of the parse_to() call. It only protects the write if
 * xtables_error() does not return.
 */
static void SAME_parse(struct xt_option_call *cb)
{
    struct ipt_same_info *same = cb->data;

    xtables_option_parse(cb);

    if (cb->entry->id == O_TO_ADDR) {
        if (same->rangesize == IPT_SAME_MAX_RANGE)
            xtables_error(PARAMETER_PROBLEM,
                          "Too many ranges specified, maximum "
                          "is %i ranges.\n",
                          IPT_SAME_MAX_RANGE);
        parse_to(cb->arg, &same->range[same->rangesize]);
        same->rangesize++;
    } else if (cb->entry->id == O_NODST) {
        same->info |= IPT_SAME_NODST;
    }
}
Ejemplo n.º 29
/*
 * Option callback for the rpfilter match: each option simply turns on
 * its own flag bit. Inversion is an explicit option here and is stored
 * as a flag, not taken from cb->invert.
 */
static void rpfilter_parse(struct xt_option_call *cb)
{
	struct xt_rpfilter_info *rpf = cb->data;

	xtables_option_parse(cb);

	if (cb->entry->id == O_RPF_LOOSE)
		rpf->flags |= XT_RPFILTER_LOOSE;
	else if (cb->entry->id == O_RPF_VMARK)
		rpf->flags |= XT_RPFILTER_VALID_MARK;
	else if (cb->entry->id == O_RPF_ACCEPT_LOCAL)
		rpf->flags |= XT_RPFILTER_ACCEPT_LOCAL;
	else if (cb->entry->id == O_RPF_INVERT)
		rpf->flags |= XT_RPFILTER_INVERT;
}
Ejemplo n.º 30
/*
 * Option callback for the ipvs match. Stores the per-option value
 * (protocol, virtual address/mask, direction, forwarding method) and
 * then marks the option as present, and as inverted when negated, using
 * one bit per option id.
 */
static void ipvs_mt_parse(struct xt_option_call *cb)
{
	struct xt_ipvs_mtinfo *data = cb->data;

	xtables_option_parse(cb);
	switch (cb->entry->id) {
	case O_VPROTO:
		data->l4proto = cb->val.protocol;
		break;
	case O_VADDR:
		/* NOTE(review): copy length is the size of the source field; assumes vaddr/vmask are at least that large - confirm. */
		memcpy(&data->vaddr, &cb->val.haddr, sizeof(cb->val.haddr));
		memcpy(&data->vmask, &cb->val.hmask, sizeof(cb->val.hmask));
		break;
	case O_VDIR:
		/* Direction is encoded through the invert bit: cleared for ORIGINAL, set for REPLY. */
		if (strcasecmp(cb->arg, "ORIGINAL") == 0) {
			data->bitmask |= XT_IPVS_DIR;
			data->invert   &= ~XT_IPVS_DIR;
		} else if (strcasecmp(cb->arg, "REPLY") == 0) {
			data->bitmask |= XT_IPVS_DIR;
			data->invert  |= XT_IPVS_DIR;
		} else {
			xtables_param_act(XTF_BAD_VALUE,
					  "ipvs", "--vdir", cb->arg);
		}
		break;
	case O_VMETHOD:
		/* Case-insensitive method name; anything else is a bad value. */
		if (strcasecmp(cb->arg, "GATE") == 0)
			data->fwd_method = IP_VS_CONN_F_DROUTE;
		else if (strcasecmp(cb->arg, "IPIP") == 0)
			data->fwd_method = IP_VS_CONN_F_TUNNEL;
		else if (strcasecmp(cb->arg, "MASQ") == 0)
			data->fwd_method = IP_VS_CONN_F_MASQ;
		else
			xtables_param_act(XTF_BAD_VALUE,
					  "ipvs", "--vmethod", cb->arg);
		break;
	}
	/*
	 * Runs for every option, after the switch. The shift is done on an
	 * int, so this assumes option ids stay well below the int width -
	 * TODO confirm against the option table.
	 */
	data->bitmask |= 1 << cb->entry->id;
	if (cb->invert)
		data->invert |= 1 << cb->entry->id;
}