/*
 * Dump one table in ip6tables-save text format to stdout.
 *
 * Called with a NULL @tablename it walks every table via for_each_table();
 * otherwise it opens @tablename (retrying once after loading the kernel
 * module), prints the header line, one ":chain policy [pkts:bytes]" line
 * per chain, then every rule of every chain, then "COMMIT".  Aborts through
 * xtables_error() when the table cannot be opened.
 *
 * Returns 1, the value for_each_table() expects to keep iterating.
 */
static int do_output(const char *tablename)
{
	struct xtc_handle *h;
	const char *chain;
	time_t stamp;

	if (tablename == NULL)
		return for_each_table(&do_output);

	h = ip6tc_init(tablename);
	if (h == NULL) {
		/* the table module may simply not be loaded yet: modprobe and retry once */
		xtables_load_ko(xtables_modprobe_program, false);
		h = ip6tc_init(tablename);
	}
	if (h == NULL)
		xtables_error(OTHER_PROBLEM, "Cannot initialize: %s\n",
			      ip6tc_strerror(errno));

	stamp = time(NULL);
	printf("# Generated by ip6tables-save v%s on %s", IPTABLES_VERSION, ctime(&stamp));
	printf("*%s\n", tablename);

	/* First pass: declare every chain before any rule references it,
	 * so a later restore never jumps to an undefined user chain. */
	chain = ip6tc_first_chain(h);
	while (chain != NULL) {
		printf(":%s ", chain);
		if (!ip6tc_builtin(chain, h)) {
			printf("- [0:0]\n");
		} else {
			struct xt_counters count;
			/* policy string is expected non-NULL for a builtin chain */
			printf("%s ", ip6tc_get_policy(chain, &count, h));
			printf("[%llu:%llu]\n",
			       (unsigned long long)count.pcnt,
			       (unsigned long long)count.bcnt);
		}
		chain = ip6tc_next_chain(h);
	}

	/* Second pass: the rules of each chain, in chain order */
	for (chain = ip6tc_first_chain(h); chain != NULL; chain = ip6tc_next_chain(h)) {
		const struct ip6t_entry *e;

		for (e = ip6tc_first_rule(chain, h); e != NULL; e = ip6tc_next_rule(e, h))
			print_rule6(e, h, chain, show_counters);
	}

	stamp = time(NULL);
	printf("COMMIT\n");
	printf("# Completed on %s", ctime(&stamp));
	ip6tc_free(h);
	return 1;
}
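/*
 * Open @table, append @e to @chain and commit the change, logging every
 * failure to syslog.
 *
 * Returns 0 on success, -1 when ip6tc_init() fails, when @chain does not
 * exist, or when the append or the commit fails.  The libip6tc handle is
 * released on every path, including the successful one, so repeated
 * calls do not leak a handle per rule added.
 */
static int ip6tc_init_verify_append(const char * table, const char * chain, struct ip6t_entry * e)
{
	IP6TC_HANDLE h;
	int ret = -1;

	h = ip6tc_init(table);
	if(!h) {
		syslog(LOG_ERR, "ip6tc_init error : %s", ip6tc_strerror(errno));
		return -1;
	}
	if(!ip6tc_is_chain(chain, h)) {
		syslog(LOG_ERR, "chain %s not found", chain);
		goto out;
	}
	if(!ip6tc_append_entry(chain, e, h)) {
		syslog(LOG_ERR, "ip6tc_append_entry() error : %s", ip6tc_strerror(errno));
		goto out;
	}
	if(!ip6tc_commit(h)) {
		syslog(LOG_ERR, "ip6tc_commit() error : %s", ip6tc_strerror(errno));
		goto out;
	}
	ret = 0;	/* ok */
out:
	/* ip6tc_commit() does not release the handle; free it here on
	 * success as well as on error (same pattern as delete_pinhole()) */
	ip6tc_free(h);
	return ret;
}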
/*
 * Fill in the caller-supplied fields describing pinhole @uid.
 *
 * Every output pointer is optional: a NULL pointer means "not wanted".
 * The remote and internal addresses are rendered with inet_ntop() into
 * rem_host / int_client using the given buffer lengths.  packets and
 * bytes are not stored in the pinhole list; when either is requested the
 * "filter" table is opened and the rule in miniupnpd_v6_filter_chain is
 * located by protocol, source/destination address and the ports of the
 * entry's first match.
 *
 * Returns 0 on success, -2 when no pinhole has that uid, -1 when
 * inet_ntop() or ip6tc_init() fails.  When no rule in the chain matches,
 * *packets and *bytes are left untouched and 0 is still returned.
 */
int get_pinhole_info(unsigned short uid, char * rem_host, int rem_hostlen, unsigned short * rem_port, char * int_client, int int_clientlen, unsigned short * int_port, int * proto, unsigned int * timestamp, u_int64_t * packets, u_int64_t * bytes)
{
	struct pinhole_t * p = get_pinhole(uid);

	if(p == NULL)
		return -2;	/* Not found */

	if(rem_host && inet_ntop(AF_INET6, &p->saddr, rem_host, rem_hostlen) == NULL)
		return -1;
	if(rem_port)
		*rem_port = p->sport;
	if(int_client && inet_ntop(AF_INET6, &p->daddr, int_client, int_clientlen) == NULL)
		return -1;
	if(int_port)
		*int_port = p->dport;
	if(proto)
		*proto = p->proto;
	if(timestamp)
		*timestamp = p->timestamp;

	if(packets == NULL && bytes == NULL)
		return 0;

	/* the counters live in netfilter, not in our list: look the rule up */
	{
		IP6TC_HANDLE h = ip6tc_init("filter");
		const struct ip6t_entry * e;

		if(h == NULL) {
			syslog(LOG_ERR, "ip6tc_init error : %s", ip6tc_strerror(errno));
			return -1;
		}
		for(e = ip6tc_first_rule(miniupnpd_v6_filter_chain, h); e != NULL; e = ip6tc_next_rule(e, h)) {
			const struct ip6t_entry_match * m;
			const struct ip6t_tcp * ports;

			if(e->ipv6.proto != p->proto)
				continue;
			if(memcmp(&e->ipv6.src, &p->saddr, sizeof(e->ipv6.src)) != 0)
				continue;
			if(memcmp(&e->ipv6.dst, &p->daddr, sizeof(e->ipv6.dst)) != 0)
				continue;
			/* assumes the entry's first match is the tcp/udp port match
			 * installed for this pinhole, and that the udp match data
			 * shares the spts/dpts prefix of struct ip6t_tcp -- TODO confirm
			 * against the code that adds the rule */
			m = (const struct ip6t_entry_match *)&e->elems;
			ports = (const struct ip6t_tcp *)&m->data;
			if(ports->spts[0] != p->sport || ports->dpts[0] != p->dport)
				continue;
			if(packets)
				*packets = e->counters.pcnt;
			if(bytes)
				*bytes = e->counters.bcnt;
			break;
		}
		ip6tc_free(h);
	}
	return 0;
}
/*
 * Unlink pinhole @uid from the list and delete its rule from
 * miniupnpd_v6_filter_chain in the "filter" table.
 *
 * The rule is found by walking the chain and comparing protocol, source
 * and destination address, and the ports of the entry's first match with
 * the pinhole; the position of the first matching entry is handed to
 * ip6tc_delete_num_entry().
 *
 * Returns 0 on success; -2 when no pinhole has that uid, or when no rule
 * matched (the list entry is still unlinked in that case, so the list does
 * not keep advertising a rule netfilter no longer has); -1 on libip6tc
 * errors, in which case the list entry is left in place.
 *
 * NOTE(review): the entry is unlinked with LIST_REMOVE but its storage is
 * not released here -- confirm who owns struct pinhole_t allocations.
 */
int delete_pinhole(unsigned short uid)
{
	struct pinhole_t * p;
	IP6TC_HANDLE h;
	const struct ip6t_entry * e;
	unsigned int rule_pos = 0;	/* 0-based position in the chain */

	p = get_pinhole(uid);
	if(p == NULL)
		return -2;	/* not found */

	h = ip6tc_init("filter");
	if(h == NULL) {
		syslog(LOG_ERR, "ip6tc_init error : %s", ip6tc_strerror(errno));
		return -1;
	}
	if(!ip6tc_is_chain(miniupnpd_v6_filter_chain, h)) {
		syslog(LOG_ERR, "chain %s not found", miniupnpd_v6_filter_chain);
		goto error;
	}

	for(e = ip6tc_first_rule(miniupnpd_v6_filter_chain, h); e != NULL; e = ip6tc_next_rule(e, h), rule_pos++) {
		const struct ip6t_entry_match * m;
		const struct ip6t_tcp * ports;

		if(e->ipv6.proto != p->proto
		   || memcmp(&e->ipv6.src, &p->saddr, sizeof(e->ipv6.src)) != 0
		   || memcmp(&e->ipv6.dst, &p->daddr, sizeof(e->ipv6.dst)) != 0)
			continue;
		/* assumes the first match of the entry carries the tcp/udp
		 * ports (same layout read through struct ip6t_tcp) -- TODO confirm */
		m = (const struct ip6t_entry_match *)&e->elems;
		ports = (const struct ip6t_tcp *)&m->data;
		if(ports->spts[0] != p->sport || ports->dpts[0] != p->dport)
			continue;

		if(!ip6tc_delete_num_entry(miniupnpd_v6_filter_chain, rule_pos, h)) {
			syslog(LOG_ERR, "ip6tc_delete_num_entry(%s,%u,...): %s", miniupnpd_v6_filter_chain, rule_pos, ip6tc_strerror(errno));
			goto error;
		}
		if(!ip6tc_commit(h)) {
			syslog(LOG_ERR, "ip6tc_commit(): %s", ip6tc_strerror(errno));
			goto error;
		}
		ip6tc_free(h);
		LIST_REMOVE(p, entries);
		return 0;	/* ok */
	}

	/* no rule matched: drop the stale list entry anyway */
	ip6tc_free(h);
	syslog(LOG_WARNING, "delete_pinhole() rule with PID=%hu not found", uid);
	LIST_REMOVE(p, entries);
	return -2;	/* not found */
error:
	ip6tc_free(h);
	return -1;
}
/* Open table @tablename and return its libip6tc handle, or NULL when
 * ip6tc_init() fails (errno is whatever ip6tc_init() left).  The caller
 * owns the returned handle and is presumably expected to release it with
 * ip6tc_free(). */
struct ip6tc_handle* ip6tables_open ( const char* tablename )
{
	return ip6tc_init ( tablename ) ;
}
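/*
 * Open @tablename and return its handle.
 *
 * A failed first ip6tc_init() is retried once after loading the
 * ip6_tables kernel module through ip6tables_insmod() with @modprobe.
 * If the table still cannot be opened the program terminates via
 * exit_error(PARAMETER_PROBLEM, ...), so callers never receive NULL.
 */
ip6tc_handle_t create_handle(const char *tablename, const char* modprobe)
{
	ip6tc_handle_t handle;

	handle = ip6tc_init(tablename);
	if (!handle) {
		/* try to insmod the module if iptc_init failed */
		ip6tables_insmod("ip6_tables", modprobe);
		handle = ip6tc_init(tablename);
	}
	if (!handle) {
		/* the two adjacent literals are concatenated: the trailing space
		 * keeps the message from reading "initializetable" */
		exit_error(PARAMETER_PROBLEM,
			   "%s: unable to initialize "
			   "table '%s'\n",
			   program_name, tablename);
		exit(1);	/* only reached if exit_error() ever returns */
	}
	return handle;
}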
/*
 * Open @tablename and return its handle.
 *
 * A failed first ip6tc_init() is retried once after loading the kernel
 * module with xtables_load_ko(); a second failure aborts through
 * xtables_error(PARAMETER_PROBLEM, ...), so callers never see NULL.
 */
static struct ip6tc_handle *create_handle(const char *tablename)
{
	struct ip6tc_handle *handle = ip6tc_init(tablename);

	if (handle != NULL)
		return handle;

	/* the table module may not be loaded yet: modprobe and retry once */
	xtables_load_ko(xtables_modprobe_program, false);
	handle = ip6tc_init(tablename);
	if (handle != NULL)
		return handle;

	xtables_error(PARAMETER_PROBLEM,
		      "%s: unable to initialize "
		      "table '%s'\n",
		      ip6tables_globals.program_name, tablename);
	exit(1);	/* only reached if xtables_error() ever returns */
}
/*
 * Dump one table in ip6tables-save format (older libip6tc API, handle
 * passed by address).  With a NULL @tablename every table is visited via
 * for_each_table().  Only the text format exists: when the global
 * `binary` flag is set the program aborts with "Binary NYI".  Aborts via
 * exit_error() if the table cannot be opened.
 *
 * Returns 1, the value for_each_table() continues on.
 */
static int do_output(const char *tablename)
{
	ip6tc_handle_t h;
	const char *chain;

	if (tablename == NULL)
		return for_each_table(&do_output);

	h = ip6tc_init(tablename);
	if (!h)
		exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
			   ip6tc_strerror(errno));

	if (binary) {
		/* Binary, huh? OK. */
		exit_error(OTHER_PROBLEM, "Binary NYI\n");
	} else {
		time_t stamp = time(NULL);

		printf("# Generated by ip6tables-save v%s on %s", IPTABLES_VERSION, ctime(&stamp));
		printf("*%s\n", tablename);

		/* Chains are declared before any rule so that a later restore
		 * never jumps to a user chain it has not seen yet. */
		for (chain = ip6tc_first_chain(&h); chain != NULL; chain = ip6tc_next_chain(&h)) {
			printf(":%s ", chain);
			if (!ip6tc_builtin(chain, h)) {
				printf("- [0:0]\n");
				continue;
			}
			{
				struct ip6t_counters count;
				/* policy string is expected non-NULL for a builtin chain */
				printf("%s ", ip6tc_get_policy(chain, &count, &h));
				printf("[%llu:%llu]\n",
				       (unsigned long long)count.pcnt,
				       (unsigned long long)count.bcnt);
			}
		}

		/* Then the rules of each chain */
		chain = ip6tc_first_chain(&h);
		while (chain != NULL) {
			const struct ip6t_entry *e;

			for (e = ip6tc_first_rule(chain, &h); e != NULL; e = ip6tc_next_rule(e, &h))
				print_rule(e, &h, chain, counters);
			chain = ip6tc_next_chain(&h);
		}

		stamp = time(NULL);
		printf("COMMIT\n");
		printf("# Completed on %s", ctime(&stamp));
	}

	ip6tc_free(&h);
	return 1;
}