/*
* insert the rule -rule- on chain -chain-
* at the position pos.
* Returns:
* 0
* -1
*/
int
insert_rule(const char *rule, iptc_handle_t * t, const char *chain,
int pos)
{
int res;
res = iptc_insert_entry(chain, (struct ipt_entry *) rule, 0, t);
error
("res is: %d rule is: %p chain is: %s pos is: %d t is: %p errno is: %d",
res, rule, chain, pos, t, errno);
if (!res) {
error("In insert_rule: %s.", iptc_strerror(errno));
err_ret(ERR_NETRUL, -1);
}
return 0;
}
void iptc_add_rule(const char *table,
const char *chain,
const char *protocol,
const char *iniface,
const char *outiface,
const char *src,
const char *dest,
const char *srcports,
const char *destports,
const char *target,
const char *dnat_to,
const int append)
{
iptc_handle_t handle;
struct ipt_entry *chain_entry;
struct ipt_entry_match *entry_match = NULL;
struct ipt_entry_target *entry_target = NULL;
ipt_chainlabel labelit;
long match_size;
int result = 0;
chain_entry = calloc(1, sizeof(*chain_entry));
if (src) {
chain_entry->ip.src.s_addr = inet_addr(src);
chain_entry->ip.smsk.s_addr = inet_addr("255.255.255.255");
}
if (dest) {
chain_entry->ip.dst.s_addr = inet_addr(dest);
chain_entry->ip.dmsk.s_addr = inet_addr("255.255.255.255");
}
if (iniface) strncpy(chain_entry->ip.iniface, iniface, IFNAMSIZ);
if (outiface) strncpy(chain_entry->ip.outiface, outiface, IFNAMSIZ);
if (strcmp(protocol, "TCP") == 0) {
chain_entry->ip.proto = IPPROTO_TCP;
entry_match = get_tcp_match(srcports, destports, &chain_entry->nfcache);
}
else if (strcmp(protocol, "UDP") == 0) {
chain_entry->ip.proto = IPPROTO_UDP;
entry_match = get_udp_match(srcports, destports, &chain_entry->nfcache);
}
else {
trace(1, "Unsupported protocol: %s", protocol);
return;
}
if (strcmp(target, "") == 0
|| strcmp(target, IPTC_LABEL_ACCEPT) == 0
|| strcmp(target, IPTC_LABEL_DROP) == 0
|| strcmp(target, IPTC_LABEL_QUEUE) == 0
|| strcmp(target, IPTC_LABEL_RETURN) == 0) {
size_t size;
size = IPT_ALIGN(sizeof(struct ipt_entry_target)) + IPT_ALIGN(sizeof(int));
entry_target = calloc(1, size);
entry_target->u.user.target_size = size;
strncpy(entry_target->u.user.name, target, IPT_FUNCTION_MAXNAMELEN);
}
else if (strcmp(target, "DNAT") == 0) {
entry_target = get_dnat_target(dnat_to, &chain_entry->nfcache);
}
if (entry_match)
match_size = entry_match->u.match_size;
else
match_size = 0;
chain_entry = realloc(chain_entry, sizeof(*chain_entry) + match_size + entry_target->u.target_size);
memcpy(chain_entry->elems + match_size, entry_target, entry_target->u.target_size);
chain_entry->target_offset = sizeof(*chain_entry) + match_size;
chain_entry->next_offset = sizeof(*chain_entry) + match_size + entry_target->u.target_size;
if (entry_match)
memcpy(chain_entry->elems, entry_match, match_size);
handle = iptc_init(table);
if (!handle) {
trace(1, "libiptc error: Can't initialize table %s, %s", table, iptc_strerror(errno));
return;
}
strncpy(labelit, chain, sizeof(ipt_chainlabel));
result = iptc_is_chain(chain, handle);
if (!result) {
trace(1, "libiptc error: Chain %s does not exist!", chain);
return;
}
if (append)
result = iptc_append_entry(labelit, chain_entry, &handle);
else
result = iptc_insert_entry(labelit, chain_entry, 0, &handle);
if (!result) {
trace(1, "libiptc error: Can't add, %s", iptc_strerror(errno));
return;
}
result = iptc_commit(&handle);
if (!result) {
trace(1, "libiptc error: Commit error, %s", iptc_strerror(errno));
return;
}
else
trace(3, "added new rule to block successfully");
if (entry_match) free(entry_match);
free(entry_target);
free(chain_entry);
}
int ip4tables_add_rules(struct iptc_handle* handle, const char* chain_name, int rulenum, int dim, int src_dst, const char* target_name, const char* set_name, uint16_t protocol, int param, int cmd, bool ignore_errors)
{
size_t size;
struct ipt_entry *fw;
struct xt_entry_target *target;
struct xt_entry_match *match;
#ifdef HAVE_XT_SET_INFO_MATCH_V1
struct xt_set_info_match_v1 *setinfo;
#else
struct xt_set_info_match *setinfo;
#endif
ipt_chainlabel chain;
int res;
int sav_errno;
/* Add an entry */
memset(chain, 0, sizeof(chain));
size = XT_ALIGN(sizeof (struct ipt_entry)) +
XT_ALIGN(sizeof(struct xt_entry_match)) +
XT_ALIGN(sizeof(struct xt_entry_target) + 1) +
XT_ALIGN(sizeof(*setinfo));
if (protocol == IPPROTO_ICMP)
size += XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct ipt_icmp));
fw = (struct ipt_entry*)MALLOC(size);
fw->target_offset = XT_ALIGN(sizeof(struct ipt_entry));
// set
match = (struct xt_entry_match*)((char*)fw + fw->target_offset);
match->u.match_size = XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(*setinfo));
#ifdef HAVE_XT_SET_INFO_MATCH_V1
match->u.user.revision = 1;
#else
match->u.user.revision = 0;
#endif
fw->target_offset += match->u.match_size;
strcpy(match->u.user.name, "set");
#ifdef HAVE_XT_SET_INFO_MATCH_V1
setinfo = (struct xt_set_info_match_v1 *)match->data;
#else
setinfo = (struct xt_set_info_match *)match->data;
#endif
get_set_byname(set_name, &setinfo->match_set, NFPROTO_IPV4, ignore_errors);
if (setinfo->match_set.index == IPSET_INVALID_ID) {
FREE(fw);
return -1;
}
setinfo->match_set.dim = dim;
setinfo->match_set.flags = src_dst;
if (protocol != IPPROTO_NONE) {
fw->ip.proto = protocol;
// fw->ip.flags |= IP6T_F_PROTO ; // IPv6 only
if (protocol == IPPROTO_ICMP)
{
match = (struct xt_entry_match*)((char*)fw + fw->target_offset);
match->u.match_size = XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct ipt_icmp));
match->u.user.revision = 0;
fw->target_offset += match->u.match_size;
strcpy(match->u.user.name, "icmp");
struct ipt_icmp *icmpinfo = (struct ipt_icmp *)match->data;
icmpinfo->type = param; // type to match
icmpinfo->code[0] = 0; // code lower
icmpinfo->code[1] = 0xff; // code upper
icmpinfo->invflags = 0; // don't invert
}
}
// target is XTC_LABEL_DROP/XTC_LABEL_ACCEPT
fw->next_offset = size;
target = ipt_get_target(fw);
target->u.user.target_size = XT_ALIGN(sizeof(struct xt_entry_target) + 1);
strcpy(target->u.user.name, target_name);
// fw->ip.flags |= IPT_F_GOTO;
strcpy(chain, chain_name);
// Use iptc_append_entry to add to the chain
if (cmd == IPADDRESS_DEL) {
unsigned char matchmask[fw->next_offset];
memset(matchmask, 0xff, fw->next_offset);
res = iptc_delete_entry(chain, fw, matchmask, handle);
}
else if (rulenum == -1)
res = iptc_append_entry(chain, fw, handle) ;
else
res = iptc_insert_entry(chain, fw, rulenum, handle) ;
sav_errno = errno;
FREE(fw);
if (res!= 1)
{
if (!ignore_errors)
log_message(LOG_INFO, "iptc_insert_entry for chain %s returned %d: %s", chain, res, iptc_strerror(sav_errno)) ;
return sav_errno;
}
return 0;
}
int ip4tables_process_entry( struct iptc_handle* handle, const char* chain_name, int rulenum, const char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd, bool force)
{
size_t size;
struct ipt_entry *fw;
struct xt_entry_target *target;
struct xt_entry_match *match ;
ipt_chainlabel chain;
int res;
int sav_errno;
/* Add an entry */
memset (chain, 0, sizeof (chain));
size = XT_ALIGN (sizeof (struct ipt_entry)) +
XT_ALIGN (sizeof (struct xt_entry_target) + 1);
if ( protocol == IPPROTO_ICMP )
size += XT_ALIGN ( sizeof(struct xt_entry_match) ) + XT_ALIGN ( sizeof(struct ipt_icmp) ) ;
fw = (struct ipt_entry*)MALLOC(size);
fw->target_offset = XT_ALIGN ( sizeof ( struct ipt_entry ) ) ;
if ( src_ip_address && src_ip_address->ifa.ifa_family != AF_UNSPEC )
{
memcpy(&fw->ip.src, &src_ip_address->u.sin.sin_addr, sizeof ( src_ip_address->u.sin.sin_addr ) );
memset ( &fw->ip.smsk, 0xff, sizeof(fw->ip.smsk));
}
if ( dst_ip_address && dst_ip_address->ifa.ifa_family != AF_UNSPEC )
{
memcpy(&fw->ip.dst, &dst_ip_address->u.sin.sin_addr, sizeof ( dst_ip_address->u.sin.sin_addr ) );
memset ( &fw->ip.dmsk, 0xff, sizeof(fw->ip.dmsk));
}
if (in_iface)
set_iface(fw->ip.iniface, fw->ip.iniface_mask, in_iface);
if (out_iface)
set_iface(fw->ip.outiface, fw->ip.outiface_mask, out_iface);
if ( protocol != IPPROTO_NONE ) {
fw->ip.proto = protocol ;
// fw->ip.flags |= IP6T_F_PROTO ; // IPv6 only
if ( protocol == IPPROTO_ICMP )
{
match = (struct xt_entry_match*)((char*)fw + fw->target_offset);
match->u.match_size = XT_ALIGN ( sizeof (struct xt_entry_match) ) + XT_ALIGN ( sizeof (struct ipt_icmp) ) ;
match->u.user.revision = 0;
fw->target_offset += match->u.match_size ;
strcpy ( match->u.user.name, "icmp" ) ;
struct ipt_icmp *icmpinfo = (struct ipt_icmp *) match->data;
icmpinfo->type = type ; // type to match
icmpinfo->code[0] = 0 ; // code lower
icmpinfo->code[1] = 0xff ; // code upper
icmpinfo->invflags = 0 ; // don't invert
}
}
// target is XTC_LABEL_DROP/XTC_LABEL_ACCEPT
fw->next_offset = size;
target = ipt_get_target ( fw ) ;
target->u.user.target_size = XT_ALIGN (sizeof (struct xt_entry_target) + 1);
strcpy (target->u.user.name, target_name );
// fw->ip.flags |= IPT_F_GOTO;
strcpy (chain, chain_name);
// Use iptc_append_entry to add to the chain
if (cmd == IPADDRESS_DEL) {
unsigned char matchmask[fw->next_offset];
memset(matchmask, 0xff, fw->next_offset);
res = iptc_delete_entry(chain, fw, matchmask, handle);
}
else if ( rulenum == -1 )
res = iptc_append_entry (chain, fw, handle ) ;
else
res = iptc_insert_entry (chain, fw, rulenum, handle ) ;
sav_errno = errno ;
if (res != 1 && (!force || sav_errno != ENOENT))
{
log_message(LOG_INFO, "ip4tables_process_entry for chain %s returned %d: %s", chain, res, iptc_strerror (sav_errno) ) ;
return sav_errno ;
}
return 0 ;
}