static inline int get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e, char *hookname, char **chainname, char **comment, unsigned int *rulenum) { struct ip6t_standard_target *t = (void *)ip6t_get_target(s); if (strcmp(t->target.u.kernel.target->name, IP6T_ERROR_TARGET) == 0) { /* Head of user chain: ERROR target with chainname */ *chainname = t->target.data; (*rulenum) = 0; } else if (s == e) { (*rulenum)++; if (s->target_offset == sizeof(struct ip6t_entry) && strcmp(t->target.u.kernel.target->name, IP6T_STANDARD_TARGET) == 0 && t->verdict < 0 && unconditional(&s->ipv6)) { /* Tail of chains: STANDARD target (return/policy) */ *comment = *chainname == hookname ? (char *)comments[NF_IP6_TRACE_COMMENT_POLICY] : (char *)comments[NF_IP6_TRACE_COMMENT_RETURN]; } return 1; } else (*rulenum)++; return 0; }
/* We want this to be readable, so only print out neccessary fields. * Because that's the kind of world I want to live in. */ static void print_rule(const struct ip6t_entry *e, ip6tc_handle_t *h, const char *chain, int counters) { struct ip6t_entry_target *t; const char *target_name; /* print counters */ if (counters) printf("[%llu:%llu] ", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt); /* print chain name */ printf("-A %s ", chain); /* Print IP part. */ print_ip("-s", &(e->ipv6.src), &(e->ipv6.smsk), e->ipv6.invflags & IP6T_INV_SRCIP); print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk), e->ipv6.invflags & IP6T_INV_DSTIP); print_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask, e->ipv6.invflags & IP6T_INV_VIA_IN); print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask, e->ipv6.invflags & IP6T_INV_VIA_OUT); print_proto(e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO); #if 0 /* not definied in ipv6 * FIXME: linux/netfilter_ipv6/ip6_tables: IP6T_INV_FRAG why definied? */ if (e->ipv6.flags & IPT_F_FRAG) printf("%s-f ", e->ipv6.invflags & IP6T_INV_FRAG ? "! " : ""); #endif if (e->ipv6.flags & IP6T_F_TOS) printf("%s-? %d ", e->ipv6.invflags & IP6T_INV_TOS ? "! " : "", e->ipv6.tos); /* Print matchinfo part */ if (e->target_offset) { IP6T_MATCH_ITERATE(e, print_match, &e->ipv6); } /* Print target name */ target_name = ip6tc_get_target(e, h); if (target_name && (*target_name != '\0')) printf("-j %s ", target_name); /* Print targinfo part */ t = ip6t_get_target((struct ip6t_entry *)e); if (t->u.user.name[0]) { struct ip6tables_target *target = find_target(t->u.user.name, TRY_LOAD); if (!target) { fprintf(stderr, "Can't find library for target `%s'\n", t->u.user.name); exit(1); } if (target->save) target->save(&e->ipv6, t); else { /* If the target size is greater than ip6t_entry_target * there is something to be saved, we just don't know * how to print it */ if (t->u.target_size != sizeof(struct ip6t_entry_target)) { fprintf(stderr, "Target `%s' is missing " "save function\n", t->u.user.name); exit(1); } } } printf("\n"); }
static int dump_entry(struct ip6t_entry *e, const ip6tc_handle_t handle) { size_t i; char buf[40]; int len; struct ip6t_entry_target *t; printf("Entry %u (%lu):\n", entry2index(handle, e), entry2offset(handle, e)); puts("SRC IP: "); inet_ntop(AF_INET6, &e->ipv6.src, buf, sizeof buf); puts(buf); putchar('/'); len = ipv6_prefix_length(&e->ipv6.smsk); if (len != -1) printf("%d", len); else { inet_ntop(AF_INET6, &e->ipv6.smsk, buf, sizeof buf); puts(buf); } putchar('\n'); puts("DST IP: "); inet_ntop(AF_INET6, &e->ipv6.dst, buf, sizeof buf); puts(buf); putchar('/'); len = ipv6_prefix_length(&e->ipv6.dmsk); if (len != -1) printf("%d", len); else { inet_ntop(AF_INET6, &e->ipv6.dmsk, buf, sizeof buf); puts(buf); } putchar('\n'); printf("Interface: `%s'/", e->ipv6.iniface); for (i = 0; i < IFNAMSIZ; i++) printf("%c", e->ipv6.iniface_mask[i] ? 'X' : '.'); printf("to `%s'/", e->ipv6.outiface); for (i = 0; i < IFNAMSIZ; i++) printf("%c", e->ipv6.outiface_mask[i] ? 'X' : '.'); printf("\nProtocol: %u\n", e->ipv6.proto); if (e->ipv6.flags & IP6T_F_TOS) printf("TOS: %u\n", e->ipv6.tos); printf("Flags: %02X\n", e->ipv6.flags); printf("Invflags: %02X\n", e->ipv6.invflags); printf("Counters: %llu packets, %llu bytes\n", e->counters.pcnt, e->counters.bcnt); printf("Cache: %08X ", e->nfcache); if (e->nfcache & NFC_ALTERED) printf("ALTERED "); if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN "); if (e->nfcache & NFC_IP6_SRC) printf("IP6_SRC "); if (e->nfcache & NFC_IP6_DST) printf("IP6_DST "); if (e->nfcache & NFC_IP6_IF_IN) printf("IP6_IF_IN "); if (e->nfcache & NFC_IP6_IF_OUT) printf("IP6_IF_OUT "); if (e->nfcache & NFC_IP6_TOS) printf("IP6_TOS "); if (e->nfcache & NFC_IP6_PROTO) printf("IP6_PROTO "); if (e->nfcache & NFC_IP6_OPTIONS) printf("IP6_OPTIONS "); if (e->nfcache & NFC_IP6_TCPFLAGS) printf("IP6_TCPFLAGS "); if (e->nfcache & NFC_IP6_SRC_PT) printf("IP6_SRC_PT "); if (e->nfcache & NFC_IP6_DST_PT) printf("IP6_DST_PT "); if (e->nfcache & NFC_IP6_PROTO_UNKNOWN) printf("IP6_PROTO_UNKNOWN "); printf("\n"); IP6T_MATCH_ITERATE(e, print_match); t = ip6t_get_target(e); printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size); if (strcmp(t->u.user.name, IP6T_STANDARD_TARGET) == 0) { int pos = *(int *)t->data; if (pos < 0) printf("verdict=%s\n", pos == -NF_ACCEPT-1 ? "NF_ACCEPT" : pos == -NF_DROP-1 ? "NF_DROP" : pos == IP6T_RETURN ? "RETURN" : "UNKNOWN"); else printf("verdict=%u\n", pos); } else if (strcmp(t->u.user.name, IP6T_ERROR_TARGET) == 0) printf("error=`%s'\n", t->data); printf("\n"); return 0; }
int ip6tables_add_rules(struct ip6tc_handle* handle, const char* chain_name, int rulenum, int dim, int src_dst, const char* target_name, const char* set_name, uint16_t protocol, int param, int cmd, bool ignore_errors) { size_t size; struct ip6t_entry *fw; struct xt_entry_target *target; struct xt_entry_match *match; #ifdef HAVE_XT_SET_INFO_MATCH_V1 struct xt_set_info_match_v1 *setinfo; #else struct xt_set_info_match *setinfo; #endif ip6t_chainlabel chain; int res; int sav_errno; /* Add an entry */ memset(chain, 0, sizeof(chain)); size = XT_ALIGN(sizeof (struct ip6t_entry)) + XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct xt_entry_target) + 1) + XT_ALIGN(sizeof(*setinfo)); if (protocol == IPPROTO_ICMPV6) size += XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct ip6t_icmp)); fw = (struct ip6t_entry*)MALLOC(size); fw->target_offset = XT_ALIGN(sizeof(struct ip6t_entry)); // set match = (struct xt_entry_match*)((char*)fw + fw->target_offset); match->u.match_size = XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(*setinfo)); #ifdef HAVE_XT_SET_INFO_MATCH_V1 match->u.user.revision = 1; #else match->u.user.revision = 0; #endif fw->target_offset += match->u.match_size; strcpy(match->u.user.name, "set"); #ifdef HAVE_XT_SET_INFO_MATCH_V1 setinfo = (struct xt_set_info_match_v1 *)match->data; #else setinfo = (struct xt_set_info_match *)match->data; #endif get_set_byname (set_name, &setinfo->match_set, NFPROTO_IPV6, ignore_errors); if (setinfo->match_set.index == IPSET_INVALID_ID) { FREE(fw); return -1; } setinfo->match_set.dim = dim; setinfo->match_set.flags = src_dst; if (protocol != IPPROTO_NONE) { fw->ipv6.proto = protocol; fw->ipv6.flags |= IP6T_F_PROTO ; // IPv6 only if (protocol == IPPROTO_ICMPV6) { match = (struct xt_entry_match*)((char*)fw + fw->target_offset); match->u.match_size = XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct ip6t_icmp)); match->u.user.revision = 0; fw->target_offset += match->u.match_size; strcpy(match->u.user.name, "icmp6"); struct ip6t_icmp *icmpinfo = (struct ip6t_icmp *)match->data; icmpinfo->type = param; // type to match icmpinfo->code[0] = 0; // code lower icmpinfo->code[1] = 0xff; // code upper icmpinfo->invflags = 0; // don't invert } } // target is XTC_LABEL_DROP/XTC_LABEL_ACCEPT fw->next_offset = size; target = ip6t_get_target(fw); target->u.user.target_size = XT_ALIGN(sizeof(struct xt_entry_target) + 1); strcpy(target->u.user.name, target_name); // fw->ip.flags |= IP6T_F_GOTO; strcpy(chain, chain_name); // Use iptc_append_entry to add to the chain if (cmd == IPADDRESS_DEL) { unsigned char matchmask[fw->next_offset]; memset(matchmask, 0xff, fw->next_offset); res = ip6tc_delete_entry(chain, fw, matchmask, handle); } else if (rulenum == -1) res = ip6tc_append_entry(chain, fw, handle) ; else res = ip6tc_insert_entry(chain, fw, rulenum, handle) ; sav_errno = errno; FREE(fw); if (res!= 1) { if (!ignore_errors) log_message(LOG_INFO, "ip6tc_insert_entry for chain %s returned %d: %s", chain, res, ip6tc_strerror(sav_errno)) ; return sav_errno; } return 0; }
int ip6tables_process_entry( struct ip6tc_handle* handle, const char* chain_name, int rulenum, const char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd, bool force) { size_t size; struct ip6t_entry *fw; struct xt_entry_target *target; struct xt_entry_match *match ; ip6t_chainlabel chain; int res; int sav_errno; /* Add an entry */ memset (chain, 0, sizeof (chain)); size = XT_ALIGN (sizeof (struct ip6t_entry)) + XT_ALIGN (sizeof (struct xt_entry_target) + 1); if ( protocol == IPPROTO_ICMPV6 ) size += XT_ALIGN ( sizeof(struct xt_entry_match) ) + XT_ALIGN ( sizeof(struct ip6t_icmp) ) ; fw = (struct ip6t_entry*)MALLOC(size); fw->target_offset = XT_ALIGN ( sizeof ( struct ip6t_entry ) ) ; if ( src_ip_address && src_ip_address->ifa.ifa_family != AF_UNSPEC ) { memcpy(&fw->ipv6.src, &src_ip_address->u.sin6_addr, sizeof ( src_ip_address->u.sin6_addr ) ); memset ( &fw->ipv6.smsk, 0xff, sizeof(fw->ipv6.smsk)); } if ( dst_ip_address && dst_ip_address->ifa.ifa_family != AF_UNSPEC ) { memcpy(&fw->ipv6.dst, &dst_ip_address->u.sin6_addr, sizeof ( dst_ip_address->u.sin6_addr ) ); memset ( &fw->ipv6.dmsk, 0xff, sizeof(fw->ipv6.smsk)); } if (in_iface) set_iface(fw->ipv6.iniface, fw->ipv6.iniface_mask, in_iface); if (out_iface) set_iface(fw->ipv6.outiface, fw->ipv6.outiface_mask, out_iface); if ( protocol != IPPROTO_NONE ) { fw->ipv6.proto = protocol ; fw->ipv6.flags |= IP6T_F_PROTO ; // IPv6 only if ( protocol == IPPROTO_ICMPV6 ) { match = (struct xt_entry_match*)((char*)fw + fw->target_offset); match->u.match_size = XT_ALIGN ( sizeof (struct xt_entry_match) ) + XT_ALIGN ( sizeof (struct ip6t_icmp) ) ; match->u.user.revision = 0; fw->target_offset += match->u.match_size ; strcpy ( match->u.user.name, "icmp6" ) ; struct ip6t_icmp *icmpinfo = (struct ip6t_icmp *) match->data; icmpinfo->type = type ; // type to match icmpinfo->code[0] = 0 ; // code lower icmpinfo->code[1] = 0xff ; // code upper icmpinfo->invflags = 0 ; // don't invert } } // target is XTC_LABEL_DROP/XTC_LABEL_ACCEPT fw->next_offset = size; target = ip6t_get_target ( fw ) ; target->u.user.target_size = XT_ALIGN (sizeof (struct xt_entry_target) + 1); strcpy (target->u.user.name, target_name ); // fw->ip.flags |= IPT_F_GOTO; strcpy (chain, chain_name); // Use iptc_append_entry to add to the chain if (cmd == IPADDRESS_DEL) { unsigned char matchmask[fw->next_offset]; memset(matchmask, 0xff, fw->next_offset); res = ip6tc_delete_entry ( chain, fw, matchmask, handle); } else if ( rulenum == -1 ) res = ip6tc_append_entry (chain, fw, handle ) ; else res = ip6tc_insert_entry (chain, fw, rulenum, handle ) ; sav_errno = errno ; if (res != 1 && (!force || sav_errno != ENOENT)) { log_message(LOG_INFO, "ip6tables_process_entry for chain %s returned %d: %s", chain, res, ip6tc_strerror (sav_errno) ) ; return sav_errno ; } return 0 ; }
static inline const struct xt_entry_target * ip6t_get_target_c(const struct ip6t_entry *e) { return ip6t_get_target((struct ip6t_entry *)e); }