int xtables_eb_main(int argc, char *argv[])
{
int ret;
char *table = "filter";
struct nft_handle h = {
.family = NFPROTO_BRIDGE,
};
ebtables_globals.program_name = "ebtables";
ret = xtables_init_all(&ebtables_globals, NFPROTO_BRIDGE);
if (ret < 0) {
fprintf(stderr, "%s/%s Failed to initialize ebtables-compat\n",
ebtables_globals.program_name,
ebtables_globals.program_version);
exit(1);
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensionsb();
#endif
ret = do_commandeb(&h, argc, argv, &table);
if (ret)
ret = nft_commit(&h);
if (!ret)
fprintf(stderr, "%s\n", nft_strerror(errno));
exit(!ret);
}
static __attribute__((constructor)) void _init_function(void)
#endif
{
int ret = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
if (ret < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
ip6tables_globals.program_name,
ip6tables_globals.program_version);
exit(1);
}
}
int
iptables_main(int argc, char *argv[])
{
int ret;
char *table = "filter";
struct xtc_handle *handle = NULL;
FILE *pfLockFile = NULL;
pfLockFile = ATP_UTIL_LockProc(IPTABLES_LOCK_FILE);
if (NULL == pfLockFile) {
printf("iptables get lock failed\n");
exit(-1);
}
ATP_UTIL_RegUnLock(pfLockFile);
iptables_globals.program_name = "iptables";
ret = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
if (ret < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
iptables_globals.program_name,
iptables_globals.program_version);
exit(1);
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
#endif
ret = do_command4(argc, argv, &table, &handle);
if (ret) {
ret = iptc_commit(handle);
iptc_free(handle);
}
if (!ret) {
if (errno == EINVAL) {
fprintf(stderr, "iptables: %s. "
"Run `dmesg' for more information.\n",
iptc_strerror(errno));
} else {
fprintf(stderr, "iptables: %s.\n",
iptc_strerror(errno));
}
if (errno == EAGAIN) {
exit(RESOURCE_PROBLEM);
}
}
exit(!ret);
}
int
main(int argc, char *argv[])
#endif
{
const char *tablename = NULL;
int c;
iptables_globals.program_name = "iptables-save";
c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
if (c < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
iptables_globals.program_name,
iptables_globals.program_version);
exit(1);
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
#endif
while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
switch (c) {
case 'b':
show_binary = 1;
break;
case 'c':
show_counters = 1;
break;
case 't':
tablename = optarg;
break;
case 'M':
xtables_modprobe_program = optarg;
break;
case 'd':
do_output(tablename);
exit(0);
}
}
if (optind < argc) {
fprintf(stderr, "Unknown arguments found on commandline\n");
exit(1);
}
return !do_output(tablename);
}
int
main(int argc, char *argv[])
{
int ret = 1;
int c;
int numtok;
size_t llen = 0;
char* iline = NULL;
ssize_t r = -1;
int nargc = 0;
char* nargv[256];
FILE* fp = stdin;
#ifdef IP6T
prog_name = "ip6tables-batch";
#else
prog_name = "iptables-batch";
#endif
#ifdef IP6T
c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
#else
c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
#endif
if(c < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
prog_name,
prog_ver);
exit(1);
}
#ifdef NO_SHARED_LIBS
init_extensions();
#ifdef IP6T
init_extensions6();
else
int
main(int argc, char *argv[])
#endif
{
int ret;
char *table = "filter";
struct ip6tc_handle *handle = NULL;
ip6tables_globals.program_name = "ip6tables";
#if !defined(ALL_INCLUSIVE) && !defined(NO_SHARED_LIBS)
ret = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
if (ret < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
ip6tables_globals.program_name,
ip6tables_globals.program_version);
exit(1);
}
#endif
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
#endif
ret = do_command6(argc, argv, &table, &handle);
if (ret) {
ret = ip6tc_commit(handle);
ip6tc_free(handle);
}
if (!ret) {
if (errno == EINVAL) {
fprintf(stderr, "ip6tables: %s. "
"Run `dmesg' for more information.\n",
ip6tc_strerror(errno));
} else {
fprintf(stderr, "[%s %d]ip6tables: %s.\n",
__FILE__,__LINE__,ip6tc_strerror(errno));
}
}
exit(!ret);
}
/* Format:
* :Chain name POLICY packets bytes
* rule
*/
static int
xtables_save_main(int family, const char *progname, int argc, char *argv[])
{
const char *tablename = NULL;
bool dump = false;
struct nft_handle h = {
.family = family,
};
int c;
xtables_globals.program_name = progname;
c = xtables_init_all(&xtables_globals, family);
if (c < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
xtables_globals.program_name,
xtables_globals.program_version);
exit(1);
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
#endif
if (nft_init(&h, xtables_ipv4) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
strerror(errno));
exit(EXIT_FAILURE);
}
while ((c = getopt_long(argc, argv, "bcdt:M:46", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
break;
case 'c':
show_counters = true;
break;
case 't':
/* Select specific table. */
tablename = optarg;
break;
case 'M':
xtables_modprobe_program = optarg;
break;
case 'd':
dump = true;
break;
case '4':
h.family = AF_INET;
break;
case '6':
h.family = AF_INET6;
xtables_set_nfproto(AF_INET6);
break;
}
}
if (optind < argc) {
fprintf(stderr, "Unknown arguments found on commandline\n");
exit(1);
}
if (dump) {
do_output(&h, tablename, show_counters);
exit(0);
}
return !do_output(&h, tablename, show_counters);
}
int main(int argc, char *argv[])
#endif
{
struct ip6tc_handle *handle = NULL;
char buffer[10240];
int c;
char curtable[IP6T_TABLE_MAXNAMELEN + 1];
FILE *in;
int in_table = 0, testing = 0;
line = 0;
ip6tables_globals.program_name = "ip6tables-restore";
c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
if (c < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
ip6tables_globals.program_name,
ip6tables_globals.program_version);
exit(1);
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions6();
#endif
while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) {
switch (c) {
case 'b':
binary = 1;
break;
case 'c':
counters = 1;
break;
case 'v':
verbose = 1;
break;
case 't':
testing = 1;
break;
case 'h':
print_usage("ip6tables-restore",
IPTABLES_VERSION);
break;
case 'n':
noflush = 1;
break;
case 'M':
xtables_modprobe_program = optarg;
break;
}
}
if (optind == argc - 1) {
in = fopen(argv[optind], "re");
if (!in) {
fprintf(stderr, "Can't open %s: %s\n", argv[optind],
strerror(errno));
exit(1);
}
}
else if (optind < argc) {
fprintf(stderr, "Unknown arguments found on commandline\n");
exit(1);
}
else in = stdin;
/* Grab standard input. */
while (fgets(buffer, sizeof(buffer), in)) {
int ret = 0;
line++;
if (buffer[0] == '\n')
continue;
else if (buffer[0] == '#') {
if (verbose)
fputs(buffer, stdout);
continue;
} else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
if (!testing) {
DEBUGP("Calling commit\n");
ret = ip6tc_commit(handle);
ip6tc_free(handle);
handle = NULL;
} else {
DEBUGP("Not calling commit, testing\n");
ret = 1;
}
in_table = 0;
} else if ((buffer[0] == '*') && (!in_table)) {
/* New table */
char *table;
table = strtok(buffer+1, " \t\n");
DEBUGP("line %u, table '%s'\n", line, table);
if (!table) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u table name invalid\n",
ip6tables_globals.program_name,
line);
exit(1);
}
strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN);
curtable[IP6T_TABLE_MAXNAMELEN] = '\0';
if (handle)
ip6tc_free(handle);
handle = create_handle(table);
if (noflush == 0) {
DEBUGP("Cleaning all chains of table '%s'\n",
table);
for_each_chain6(flush_entries6, verbose, 1,
handle);
DEBUGP("Deleting all user-defined chains "
"of table '%s'\n", table);
for_each_chain6(delete_chain6, verbose, 0,
handle);
}
ret = 1;
in_table = 1;
} else if ((buffer[0] == ':') && (in_table)) {
/* New chain. */
char *policy, *chain;
chain = strtok(buffer+1, " \t\n");
DEBUGP("line %u, chain '%s'\n", line, chain);
if (!chain) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u chain name invalid\n",
ip6tables_globals.program_name,
line);
exit(1);
}
if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
xtables_error(PARAMETER_PROBLEM,
"Invalid chain name `%s' "
"(%u chars max)",
chain, XT_EXTENSION_MAXNAMELEN - 1);
if (ip6tc_builtin(chain, handle) <= 0) {
if (noflush && ip6tc_is_chain(chain, handle)) {
DEBUGP("Flushing existing user defined chain '%s'\n", chain);
if (!ip6tc_flush_entries(chain, handle))
xtables_error(PARAMETER_PROBLEM,
"error flushing chain "
"'%s':%s\n", chain,
strerror(errno));
} else {
DEBUGP("Creating new chain '%s'\n", chain);
if (!ip6tc_create_chain(chain, handle))
xtables_error(PARAMETER_PROBLEM,
"error creating chain "
"'%s':%s\n", chain,
strerror(errno));
}
}
policy = strtok(NULL, " \t\n");
DEBUGP("line %u, policy '%s'\n", line, policy);
if (!policy) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u policy invalid\n",
ip6tables_globals.program_name,
line);
exit(1);
}
if (strcmp(policy, "-") != 0) {
struct ip6t_counters count;
if (counters) {
char *ctrs;
ctrs = strtok(NULL, " \t\n");
if (!ctrs || !parse_counters(ctrs, &count))
xtables_error(PARAMETER_PROBLEM,
"invalid policy counters "
"for chain '%s'\n", chain);
} else {
memset(&count, 0,
sizeof(struct ip6t_counters));
}
DEBUGP("Setting policy of chain %s to %s\n",
chain, policy);
if (!ip6tc_set_policy(chain, policy, &count,
handle))
xtables_error(OTHER_PROBLEM,
"Can't set policy `%s'"
" on `%s' line %u: %s\n",
policy, chain, line,
ip6tc_strerror(errno));
}
ret = 1;
} else if (in_table) {
int a;
char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
char *parsestart;
/* the parser */
char *curchar;
int quote_open, escaped;
size_t param_len;
/* reset the newargv */
newargc = 0;
if (buffer[0] == '[') {
/* we have counters in our input */
ptr = strchr(buffer, ']');
if (!ptr)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
line);
pcnt = strtok(buffer+1, ":");
if (!pcnt)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need :\n",
line);
bcnt = strtok(NULL, "]");
if (!bcnt)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
line);
/* start command parsing after counter */
parsestart = ptr + 1;
} else {
/* start command parsing at start of line */
parsestart = buffer;
}
add_argv(argv[0]);
add_argv("-t");
add_argv(curtable);
if (counters && pcnt && bcnt) {
add_argv("--set-counters");
add_argv((char *) pcnt);
add_argv((char *) bcnt);
}
/* After fighting with strtok enough, here's now
* a 'real' parser. According to Rusty I'm now no
* longer a real hacker, but I can live with that */
quote_open = 0;
escaped = 0;
param_len = 0;
for (curchar = parsestart; *curchar; curchar++) {
char param_buffer[1024];
if (quote_open) {
if (escaped) {
param_buffer[param_len++] = *curchar;
escaped = 0;
continue;
} else if (*curchar == '\\') {
escaped = 1;
continue;
} else if (*curchar == '"') {
quote_open = 0;
*curchar = ' ';
} else {
param_buffer[param_len++] = *curchar;
continue;
}
} else {
if (*curchar == '"') {
quote_open = 1;
continue;
}
}
if (*curchar == ' '
|| *curchar == '\t'
|| * curchar == '\n') {
if (!param_len) {
/* two spaces? */
continue;
}
param_buffer[param_len] = '\0';
/* check if table name specified */
if (!strncmp(param_buffer, "-t", 2)
|| !strncmp(param_buffer, "--table", 8)) {
xtables_error(PARAMETER_PROBLEM,
"Line %u seems to have a "
"-t table option.\n", line);
exit(1);
}
add_argv(param_buffer);
param_len = 0;
} else {
/* regular character, copy to buffer */
param_buffer[param_len++] = *curchar;
if (param_len >= sizeof(param_buffer))
xtables_error(PARAMETER_PROBLEM,
"Parameter too long!");
}
}
DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
newargc, curtable);
for (a = 0; a < newargc; a++)
DEBUGP("argv[%u]: %s\n", a, newargv[a]);
ret = do_command6(newargc, newargv,
&newargv[2], &handle);
free_argv();
fflush(stdout);
}
if (!ret) {
fprintf(stderr, "%s: line %u failed\n",
ip6tables_globals.program_name,
line);
exit(1);
}
}
if (in_table) {
fprintf(stderr, "%s: COMMIT expected at line %u\n",
ip6tables_globals.program_name,
line + 1);
exit(1);
}
if (in != NULL)
fclose(in);
return 0;
}
int
iptables_restore_main(int argc, char *argv[])
{
struct xtc_handle *handle = NULL;
char buffer[10240];
int c;
char curtable[XT_TABLE_MAXNAMELEN + 1];
FILE *in;
int in_table = 0, testing = 0;
const char *tablename = NULL;
const struct xtc_ops *ops = &iptc_ops;
line = 0;
iptables_globals.program_name = "iptables-restore";
c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
if (c < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
iptables_globals.program_name,
iptables_globals.program_version);
exit(1);
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
#endif
while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
switch (c) {
case 'b':
binary = 1;
break;
case 'c':
counters = 1;
break;
case 'v':
verbose = 1;
break;
case 't':
testing = 1;
break;
case 'h':
print_usage("iptables-restore",
IPTABLES_VERSION);
break;
case 'n':
noflush = 1;
break;
case 'M':
xtables_modprobe_program = optarg;
break;
case 'T':
tablename = optarg;
break;
}
}
if (optind == argc - 1) {
in = fopen(argv[optind], "re");
if (!in) {
fprintf(stderr, "Can't open %s: %s\n", argv[optind],
strerror(errno));
exit(1);
}
}
else if (optind < argc) {
fprintf(stderr, "Unknown arguments found on commandline\n");
exit(1);
}
else in = stdin;
/* Grab standard input. */
while (fgets(buffer, sizeof(buffer), in)) {
int ret = 0;
line++;
if (buffer[0] == '\n')
continue;
else if (buffer[0] == '#') {
if (verbose)
fputs(buffer, stdout);
continue;
} else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
if (!testing) {
DEBUGP("Calling commit\n");
ret = ops->commit(handle);
ops->free(handle);
handle = NULL;
} else {
DEBUGP("Not calling commit, testing\n");
ret = 1;
}
in_table = 0;
} else if ((buffer[0] == '*') && (!in_table)) {
/* New table */
char *table;
table = strtok(buffer+1, " \t\n");
DEBUGP("line %u, table '%s'\n", line, table);
if (!table) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u table name invalid\n",
xt_params->program_name, line);
exit(1);
}
strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
curtable[XT_TABLE_MAXNAMELEN] = '\0';
if (tablename && (strcmp(tablename, table) != 0))
continue;
if (handle)
ops->free(handle);
handle = create_handle(table);
if (noflush == 0) {
DEBUGP("Cleaning all chains of table '%s'\n",
table);
for_each_chain4(flush_entries4, verbose, 1,
handle);
DEBUGP("Deleting all user-defined chains "
"of table '%s'\n", table);
for_each_chain4(delete_chain4, verbose, 0,
handle);
}
ret = 1;
in_table = 1;
} else if ((buffer[0] == ':') && (in_table)) {
/* New chain. */
char *policy, *chain;
chain = strtok(buffer+1, " \t\n");
DEBUGP("line %u, chain '%s'\n", line, chain);
if (!chain) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u chain name invalid\n",
xt_params->program_name, line);
exit(1);
}
if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
xtables_error(PARAMETER_PROBLEM,
"Invalid chain name `%s' "
"(%u chars max)",
chain, XT_EXTENSION_MAXNAMELEN - 1);
if (ops->builtin(chain, handle) <= 0) {
if (noflush && ops->is_chain(chain, handle)) {
DEBUGP("Flushing existing user defined chain '%s'\n", chain);
if (!ops->flush_entries(chain, handle))
xtables_error(PARAMETER_PROBLEM,
"error flushing chain "
"'%s':%s\n", chain,
strerror(errno));
} else {
DEBUGP("Creating new chain '%s'\n", chain);
if (!ops->create_chain(chain, handle))
xtables_error(PARAMETER_PROBLEM,
"error creating chain "
"'%s':%s\n", chain,
strerror(errno));
}
}
policy = strtok(NULL, " \t\n");
DEBUGP("line %u, policy '%s'\n", line, policy);
if (!policy) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u policy invalid\n",
xt_params->program_name, line);
exit(1);
}
if (strcmp(policy, "-") != 0) {
struct xt_counters count;
if (counters) {
char *ctrs;
ctrs = strtok(NULL, " \t\n");
if (!ctrs || !parse_counters(ctrs, &count))
xtables_error(PARAMETER_PROBLEM,
"invalid policy counters "
"for chain '%s'\n", chain);
} else {
memset(&count, 0, sizeof(count));
}
DEBUGP("Setting policy of chain %s to %s\n",
chain, policy);
if (!ops->set_policy(chain, policy, &count,
handle))
xtables_error(OTHER_PROBLEM,
"Can't set policy `%s'"
" on `%s' line %u: %s\n",
policy, chain, line,
ops->strerror(errno));
}
ret = 1;
} else if (in_table) {
int a;
char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
char *parsestart;
/* reset the newargv */
newargc = 0;
if (buffer[0] == '[') {
/* we have counters in our input */
ptr = strchr(buffer, ']');
if (!ptr)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
line);
pcnt = strtok(buffer+1, ":");
if (!pcnt)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need :\n",
line);
bcnt = strtok(NULL, "]");
if (!bcnt)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
line);
/* start command parsing after counter */
parsestart = ptr + 1;
} else {
/* start command parsing at start of line */
parsestart = buffer;
}
add_argv(argv[0]);
add_argv("-t");
add_argv(curtable);
if (counters && pcnt && bcnt) {
add_argv("--set-counters");
add_argv((char *) pcnt);
add_argv((char *) bcnt);
}
add_param_to_argv(parsestart);
DEBUGP("calling do_command4(%u, argv, &%s, handle):\n",
newargc, curtable);
for (a = 0; a < newargc; a++)
DEBUGP("argv[%u]: %s\n", a, newargv[a]);
ret = do_command4(newargc, newargv,
&newargv[2], &handle);
free_argv();
fflush(stdout);
}
if (tablename && (strcmp(tablename, curtable) != 0))
continue;
if (!ret) {
fprintf(stderr, "%s: line %u failed\n",
xt_params->program_name, line);
exit(1);
}
}
if (in_table) {
fprintf(stderr, "%s: COMMIT expected at line %u\n",
xt_params->program_name, line + 1);
exit(1);
}
fclose(in);
return 0;
}
static int parse_ipt(struct action_util *a,int *argc_p,
char ***argv_p, int tca_id, struct nlmsghdr *n)
{
struct xtables_target *m = NULL;
struct ipt_entry fw;
struct rtattr *tail;
int c;
int rargc = *argc_p;
char **argv = *argv_p;
int argc = 0, iargc = 0;
char k[16];
int size = 0;
int iok = 0, ok = 0;
__u32 hook = 0, index = 0;
struct option *opts = NULL;
xtables_init_all(&tcipt_globals, NFPROTO_IPV4);
set_lib_dir();
{
int i;
for (i = 0; i < rargc; i++) {
if (NULL == argv[i] || 0 == strcmp(argv[i], "action")) {
break;
}
}
iargc = argc = i;
}
if (argc <= 2) {
fprintf(stderr,"bad arguements to ipt %d vs %d \n", argc, rargc);
return -1;
}
while (1) {
c = getopt_long(argc, argv, "j:", tcipt_globals.opts, NULL);
if (c == -1)
break;
switch (c) {
case 'j':
m = xtables_find_target(optarg, XTF_TRY_LOAD);
if (NULL != m) {
if (0 > build_st(m, NULL)) {
printf(" %s error \n", m->name);
return -1;
}
#if (XTABLES_VERSION_CODE >= 6)
opts = xtables_options_xfrm(tcipt_globals.orig_opts,
tcipt_globals.opts,
m->x6_options,
&m->option_offset);
#else
opts = xtables_merge_options(tcipt_globals.orig_opts,
tcipt_globals.opts,
m->extra_opts,
&m->option_offset);
#endif
if (opts == NULL) {
fprintf(stderr, " failed to find aditional options for target %s\n\n", optarg);
return -1;
} else
tcipt_globals.opts = opts;
} else {
fprintf(stderr," failed to find target %s\n\n", optarg);
return -1;
}
ok++;
break;
default:
memset(&fw, 0, sizeof (fw));
#if (XTABLES_VERSION_CODE >= 6)
if (m != NULL && m->x6_parse != NULL ) {
xtables_option_tpcall(c, argv, 0 , m, NULL);
#else
if (m != NULL && m->parse != NULL ) {
m->parse(c - m->option_offset, argv, 0, &m->tflags,
NULL, &m->t);
#endif
} else {
fprintf(stderr,"failed to find target %s\n\n", optarg);
return -1;
}
ok++;
break;
}
}
if (iargc > optind) {
if (matches(argv[optind], "index") == 0) {
if (get_u32(&index, argv[optind + 1], 10)) {
fprintf(stderr, "Illegal \"index\"\n");
xtables_free_opts(1);
return -1;
}
iok++;
optind += 2;
}
}
if (!ok && !iok) {
fprintf(stderr," ipt Parser BAD!! (%s)\n", *argv);
return -1;
}
/* check that we passed the correct parameters to the target */
#if (XTABLES_VERSION_CODE >= 6)
if (m)
xtables_option_tfcall(m);
#else
if (m && m->final_check)
m->final_check(m->tflags);
#endif
{
struct tcmsg *t = NLMSG_DATA(n);
if (t->tcm_parent != TC_H_ROOT
&& t->tcm_parent == TC_H_MAJ(TC_H_INGRESS)) {
hook = NF_IP_PRE_ROUTING;
} else {
hook = NF_IP_POST_ROUTING;
}
}
tail = NLMSG_TAIL(n);
addattr_l(n, MAX_MSG, tca_id, NULL, 0);
fprintf(stdout, "tablename: %s hook: %s\n ", tname, ipthooks[hook]);
fprintf(stdout, "\ttarget: ");
if (m)
m->print(NULL, m->t, 0);
fprintf(stdout, " index %d\n", index);
if (strlen(tname) > 16) {
size = 16;
k[15] = 0;
} else {
size = 1 + strlen(tname);
}
strncpy(k, tname, size);
addattr_l(n, MAX_MSG, TCA_IPT_TABLE, k, size);
addattr_l(n, MAX_MSG, TCA_IPT_HOOK, &hook, 4);
addattr_l(n, MAX_MSG, TCA_IPT_INDEX, &index, 4);
if (m)
addattr_l(n, MAX_MSG, TCA_IPT_TARG, m->t, m->t->u.target_size);
tail->rta_len = (void *) NLMSG_TAIL(n) - (void *) tail;
argc -= optind;
argv += optind;
*argc_p = rargc - iargc;
*argv_p = argv;
optind = 0;
xtables_free_opts(1);
if (m) {
/* Clear flags if target will be used again */
m->tflags = 0;
m->used = 0;
/* Free allocated memory */
if (m->t)
free(m->t);
}
return 0;
}
static int
print_ipt(struct action_util *au,FILE * f, struct rtattr *arg)
{
struct rtattr *tb[TCA_IPT_MAX + 1];
struct xt_entry_target *t = NULL;
struct option *opts = NULL;
if (arg == NULL)
return -1;
xtables_init_all(&tcipt_globals, NFPROTO_IPV4);
set_lib_dir();
parse_rtattr_nested(tb, TCA_IPT_MAX, arg);
if (tb[TCA_IPT_TABLE] == NULL) {
fprintf(f, "[NULL ipt table name ] assuming mangle ");
} else {
fprintf(f, "tablename: %s ",
rta_getattr_str(tb[TCA_IPT_TABLE]));
}
if (tb[TCA_IPT_HOOK] == NULL) {
fprintf(f, "[NULL ipt hook name ]\n ");
return -1;
} else {
__u32 hook;
hook = rta_getattr_u32(tb[TCA_IPT_HOOK]);
fprintf(f, " hook: %s \n", ipthooks[hook]);
}
if (tb[TCA_IPT_TARG] == NULL) {
fprintf(f, "\t[NULL ipt target parameters ] \n");
return -1;
} else {
struct xtables_target *m = NULL;
t = RTA_DATA(tb[TCA_IPT_TARG]);
m = xtables_find_target(t->u.user.name, XTF_TRY_LOAD);
if (NULL != m) {
if (0 > build_st(m, t)) {
fprintf(stderr, " %s error \n", m->name);
return -1;
}
#if (XTABLES_VERSION_CODE >= 6)
opts = xtables_options_xfrm(tcipt_globals.orig_opts,
tcipt_globals.opts,
m->x6_options,
&m->option_offset);
#else
opts = xtables_merge_options(tcipt_globals.orig_opts,
tcipt_globals.opts,
m->extra_opts,
&m->option_offset);
#endif
if (opts == NULL) {
fprintf(stderr, " failed to find aditional options for target %s\n\n", optarg);
return -1;
} else
tcipt_globals.opts = opts;
} else {
fprintf(stderr, " failed to find target %s\n\n",
t->u.user.name);
return -1;
}
fprintf(f, "\ttarget ");
m->print(NULL, m->t, 0);
if (tb[TCA_IPT_INDEX] == NULL) {
fprintf(f, " [NULL ipt target index ]\n");
} else {
__u32 index;
index = rta_getattr_u32(tb[TCA_IPT_INDEX]);
fprintf(f, " \n\tindex %d", index);
}
if (tb[TCA_IPT_CNT]) {
struct tc_cnt *c = RTA_DATA(tb[TCA_IPT_CNT]);;
fprintf(f, " ref %d bind %d", c->refcnt, c->bindcnt);
}
if (show_stats) {
if (tb[TCA_IPT_TM]) {
struct tcf_t *tm = RTA_DATA(tb[TCA_IPT_TM]);
print_tm(f,tm);
}
}
fprintf(f, " \n");
}
xtables_free_opts(1);
return 0;
}
struct action_util xt_action_util = {
.id = "xt",
.parse_aopt = parse_ipt,
.print_aopt = print_ipt,
};
EXPORT int init_helper(void){
int c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
return c;
}
// cc-firewall; fire it up!
int main(int argc, char *argv[])
{
int c;
float seconds;
struct timeval tva, tvb;
iptables_globals.program_name = "firewall";
if (xtables_init_all(&iptables_globals, FIREWALL_NFPROTO) < 0) {
fprintf(stderr, "%s: Failed to initialize xtables\n", argv[0]);
exit(1);
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
#endif
// Command-line processing
while((c = getopt_long(argc, argv, "hVdps", options, NULL)) != -1)
{
switch(c)
{
case 'p':
pretend = 1;
// fall through to enable debug also...
case 'd':
debug = 1;
break;
case 's':
strict = 1;
break;
case 'V':
fprintf(stderr, "%s v%s\n",
iptables_globals.program_name, iptables_globals.program_version);
fprintf(stderr, "Copyright (C) 2005-2008 Point Clark Networks\n");
fprintf(stderr, "Copyright (C) 2009-2011 ClearFoundation\n");
exit(1);
case 'h':
default:
fprintf(stderr, "%s [-h|--help]\n", argv[0]);
fprintf(stderr, "%s [-V|--version]\n", argv[0]);
fprintf(stderr, "%s [-s|--strict] [-d|--debug] [-p|--pretend] <configuration>\n", argv[0]);
exit(1);
}
}
// Can only be run by the superuser (root)
if(getuid() != 0 && geteuid() != 0)
{
fprintf(stderr, "%s: %s.\n", argv[0], strerror(EPERM));
exit(1);
}
// Must be passed a Lua script filename to execute
if(optind != argc - 1)
{
// No script filename supplied
fprintf(stderr, "%s: Required argument missing.\n", iptables_globals.program_name);
exit(1);
}
// Pre-load ip_tables kernel module
//iptables_insmod("ip_tables", NULL);
// Install exit handler
atexit(exit_handler);
// Initialize ifconfig context
IFC = if_init();
// Initialize Lua state
LUA = lua_open();
// Load Lua libraries
luaL_openlibs(LUA);
// Utility bindings
lua_pushcfunction(LUA, __lua_b_and);
lua_setglobal(LUA, "b_and");
lua_pushcfunction(LUA, __lua_b_or);
lua_setglobal(LUA, "b_or");
lua_pushcfunction(LUA, __lua_iptc_ip2bin);
lua_setglobal(LUA, "ip2bin");
lua_pushcfunction(LUA, __lua_iptc_bin2ip);
lua_setglobal(LUA, "bin2ip");
lua_pushcfunction(LUA, __lua_p_name);
lua_setglobal(LUA, "p_name");
lua_pushcfunction(LUA, __lua_gethostbyname);
lua_setglobal(LUA, "gethostbyname");
lua_pushcfunction(LUA, __lua_debug);
lua_setglobal(LUA, "debug");
lua_pushcfunction(LUA, __lua_echo);
lua_setglobal(LUA, "echo");
lua_pushcfunction(LUA, __lua_execute);
lua_setglobal(LUA, "execute");
// Iptables bindings
lua_pushcfunction(LUA, __lua_iptc_init);
lua_setglobal(LUA, "iptc_init");
lua_pushcfunction(LUA, __lua_iptc_create_chain);
lua_setglobal(LUA, "iptc_create_chain");
lua_pushcfunction(LUA, __lua_iptc_delete_chain);
lua_setglobal(LUA, "iptc_delete_chain");
lua_pushcfunction(LUA, __lua_iptc_delete_user_chains);
lua_setglobal(LUA, "iptc_delete_user_chains");
lua_pushcfunction(LUA, __lua_iptc_flush_chain);
lua_setglobal(LUA, "iptc_flush_chain");
lua_pushcfunction(LUA, __lua_iptc_flush_all_chains);
lua_setglobal(LUA, "iptc_flush_all_chains");
lua_pushcfunction(LUA, __lua_iptables);
lua_setglobal(LUA, "iptables");
lua_pushcfunction(LUA, __lua_iptc_set_policy);
lua_setglobal(LUA, "iptc_set_policy");
lua_pushcfunction(LUA, __lua_iptc_commit);
lua_setglobal(LUA, "iptc_commit");
// Network interface bindings (ifconfig.o)
lua_pushcfunction(LUA, __lua_if_list);
lua_setglobal(LUA, "if_list");
lua_pushcfunction(LUA, __lua_if_list_pppoe);
lua_setglobal(LUA, "if_list_pppoe");
lua_pushcfunction(LUA, __lua_if_address);
lua_setglobal(LUA, "if_address");
lua_pushcfunction(LUA, __lua_if_dst_address);
lua_setglobal(LUA, "if_dst_address");
lua_pushcfunction(LUA, __lua_if_netmask);
lua_setglobal(LUA, "if_netmask");
lua_pushcfunction(LUA, __lua_if_network);
lua_setglobal(LUA, "ip_network");
lua_pushcfunction(LUA, __lua_if_prefix);
lua_setglobal(LUA, "ip_prefix");
lua_pushcfunction(LUA, __lua_if_isup);
lua_setglobal(LUA, "if_isup");
lua_pushcfunction(LUA, __lua_if_isppp);
lua_setglobal(LUA, "if_isppp");
// Open syslog
{
int f;
char *facility = getenv("FW_FACILITY");
if(facility == NULL)
f = LOG_LOCAL0;
else if(strncasecmp(facility, "local0", 6) == 0)
f = LOG_LOCAL0;
else if(strncasecmp(facility, "local1", 6) == 0)
f = LOG_LOCAL1;
else if(strncasecmp(facility, "local2", 6) == 0)
f = LOG_LOCAL2;
else if(strncasecmp(facility, "local3", 6) == 0)
f = LOG_LOCAL3;
else if(strncasecmp(facility, "local4", 6) == 0)
f = LOG_LOCAL4;
else if(strncasecmp(facility, "local5", 6) == 0)
f = LOG_LOCAL5;
else if(strncasecmp(facility, "local6", 6) == 0)
f = LOG_LOCAL6;
else
f = LOG_LOCAL0;
if(!debug)
openlog(iptables_globals.program_name, 0, f);
else
openlog(iptables_globals.program_name, LOG_PERROR, f);
}
gettimeofday(&tva, NULL);
// Load, compile, and execute supplied Lua script
if(luaL_loadfile(LUA, (source = argv[optind])) || lua_pcall(LUA, 0, 0, 0))
{
syslog(LOG_ERR, "Error: %s\n", lua_tostring(LUA, -1));
return 1;
}
gettimeofday(&tvb, NULL);
if(!pretend)
{
seconds = tvb.tv_sec - tva.tv_sec;
seconds += (tvb.tv_usec - tva.tv_usec) / 1000000.0f;
syslog(LOG_INFO, "Execution time: %.03fs\n", seconds);
}
closelog();
return grc;
}
static int
print_ipt(struct action_util *au,FILE * f, struct rtattr *arg)
{
struct rtattr *tb[TCA_IPT_MAX + 1];
struct xt_entry_target *t = NULL;
if (arg == NULL)
return -1;
xtables_init_all(&tcipt_globals, NFPROTO_IPV4);
set_lib_dir();
parse_rtattr_nested(tb, TCA_IPT_MAX, arg);
if (tb[TCA_IPT_TABLE] == NULL) {
fprintf(f, "[NULL ipt table name ] assuming mangle ");
} else {
fprintf(f, "tablename: %s ",
rta_getattr_str(tb[TCA_IPT_TABLE]));
}
if (tb[TCA_IPT_HOOK] == NULL) {
fprintf(f, "[NULL ipt hook name ]\n ");
return -1;
} else {
__u32 hook;
hook = rta_getattr_u32(tb[TCA_IPT_HOOK]);
fprintf(f, " hook: %s \n", ipthooks[hook]);
}
if (tb[TCA_IPT_TARG] == NULL) {
fprintf(f, "\t[NULL ipt target parameters ] \n");
return -1;
} else {
struct xtables_target *m = NULL;
t = RTA_DATA(tb[TCA_IPT_TARG]);
m = xtables_find_target(t->u.user.name, XTF_TRY_LOAD);
if (NULL != m) {
if (0 > build_st(m, t)) {
fprintf(stderr, " %s error \n", m->name);
return -1;
}
tcipt_globals.opts =
xtables_merge_options(
#if (XTABLES_VERSION_CODE >= 6)
tcipt_globals.orig_opts,
#endif
tcipt_globals.opts,
m->extra_opts,
&m->option_offset);
} else {
fprintf(stderr, " failed to find target %s\n\n",
t->u.user.name);
return -1;
}
fprintf(f, "\ttarget ");
m->print(NULL, m->t, 0);
if (tb[TCA_IPT_INDEX] == NULL) {
fprintf(f, " [NULL ipt target index ]\n");
} else {
__u32 index;
index = rta_getattr_u32(tb[TCA_IPT_INDEX]);
fprintf(f, " \n\tindex %d", index);
}
if (tb[TCA_IPT_CNT]) {
struct tc_cnt *c = RTA_DATA(tb[TCA_IPT_CNT]);;
fprintf(f, " ref %d bind %d", c->refcnt, c->bindcnt);
}
if (show_stats) {
if (tb[TCA_IPT_TM]) {
struct tcf_t *tm = RTA_DATA(tb[TCA_IPT_TM]);
print_tm(f,tm);
}
}
fprintf(f, " \n");
}
xtables_free_opts(1);
return 0;
}
static int parse_ipt(struct action_util *a,int *argc_p,
char ***argv_p, int tca_id, struct nlmsghdr *n)
{
struct xtables_target *m = NULL;
struct ipt_entry fw;
struct rtattr *tail;
int c;
int rargc = *argc_p;
char **argv = *argv_p;
int argc = 0, iargc = 0;
char k[16];
int size = 0;
int iok = 0, ok = 0;
__u32 hook = 0, index = 0;
xtables_init_all(&tcipt_globals, NFPROTO_IPV4);
set_lib_dir();
{
int i;
for (i = 0; i < rargc; i++) {
if (NULL == argv[i] || 0 == strcmp(argv[i], "action")) {
break;
}
}
iargc = argc = i;
}
if (argc <= 2) {
fprintf(stderr,"bad arguements to ipt %d vs %d \n", argc, rargc);
return -1;
}
while (1) {
c = getopt_long(argc, argv, "j:", tcipt_globals.opts, NULL);
if (c == -1)
break;
switch (c) {
case 'j':
m = xtables_find_target(optarg, XTF_TRY_LOAD);
if (NULL != m) {
if (0 > build_st(m, NULL)) {
printf(" %s error \n", m->name);
return -1;
}
tcipt_globals.opts =
xtables_merge_options(
#if (XTABLES_VERSION_CODE >= 6)
tcipt_globals.orig_opts,
#endif
tcipt_globals.opts,
m->extra_opts,
&m->option_offset);
} else {
fprintf(stderr," failed to find target %s\n\n", optarg);
return -1;
}
ok++;
break;
default:
memset(&fw, 0, sizeof (fw));
if (m) {
m->parse(c - m->option_offset, argv, 0,
&m->tflags, NULL, &m->t);
} else {
fprintf(stderr," failed to find target %s\n\n", optarg);
return -1;
}
ok++;
break;
}
}
if (iargc > optind) {
if (matches(argv[optind], "index") == 0) {
if (get_u32(&index, argv[optind + 1], 10)) {
fprintf(stderr, "Illegal \"index\"\n");
xtables_free_opts(1);
return -1;
}
iok++;
optind += 2;
}
}
if (!ok && !iok) {
fprintf(stderr," ipt Parser BAD!! (%s)\n", *argv);
return -1;
}
if (m && m->final_check)
m->final_check(m->tflags);
{
struct tcmsg *t = NLMSG_DATA(n);
if (t->tcm_parent != TC_H_ROOT
&& t->tcm_parent == TC_H_MAJ(TC_H_INGRESS)) {
hook = NF_IP_PRE_ROUTING;
} else {
hook = NF_IP_POST_ROUTING;
}
}
tail = NLMSG_TAIL(n);
addattr_l(n, MAX_MSG, tca_id, NULL, 0);
fprintf(stdout, "tablename: %s hook: %s\n ", tname, ipthooks[hook]);
fprintf(stdout, "\ttarget: ");
if (m)
m->print(NULL, m->t, 0);
fprintf(stdout, " index %d\n", index);
if (strlen(tname) > 16) {
size = 16;
k[15] = 0;
} else {
size = 1 + strlen(tname);
}
strncpy(k, tname, size);
addattr_l(n, MAX_MSG, TCA_IPT_TABLE, k, size);
addattr_l(n, MAX_MSG, TCA_IPT_HOOK, &hook, 4);
addattr_l(n, MAX_MSG, TCA_IPT_INDEX, &index, 4);
if (m)
addattr_l(n, MAX_MSG, TCA_IPT_TARG, m->t, m->t->u.target_size);
tail->rta_len = (void *) NLMSG_TAIL(n) - (void *) tail;
argc -= optind;
argv += optind;
*argc_p = rargc - iargc;
*argv_p = argv;
optind = 0;
xtables_free_opts(1);
if (m) {
m->tflags = 0;
m->used = 0;
if (m->t)
free(m->t);
}
return 0;
}
int main ( int argc, char * argv[] )
{
int have_committed = 1; // prevent double commits, 'clean' state to begin with
int c;
program_name = argv[0];
program_name = "ipbatch CLI";
// this is really important for locating shared libs
program_version = IPTABLES_VERSION;
c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
if (c < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
program_name,
program_version);
exit(1);
}
openlog( "SmoothIPSubsys", LOG_NDELAY | LOG_CONS, LOG_DAEMON );
/* lib_dir = getenv("IPTABLES_LIB_DIR");*/
/* if (!lib_dir)*/
/* lib_dir = IPT_LIB_DIR;*/
/* read lines from STDIN */
char buffer[ BUFFER_SIZE ];
int error = 0;
// syslog( LOG_ERR, "Checking input" );
// there are two special commands end is the same as eof and commit
// does an early commit rather than the changes only being committed at the end
while ( fgets( buffer, BUFFER_SIZE - 2, stdin ) != NULL ){
/* terminate the line at the carriage return */
if ( strlen( buffer ) > BUFFER_SIZE ){
// silently ignore long lines
continue;
}
buffer[ strlen( buffer ) - 1 ] = '\0';
//syslog( LOG_ERR, "Received command %s", buffer );
if ( strcmp( buffer, "end" ) == 0 ){
break;
}
if ( strcmp( buffer, "commit" ) == 0 ){
/* commit changes */
error = iptc_commit(handle);
iptc_free(handle);
handle = NULL;
have_committed = 1;
} else {
/* excute the command */
if(!have_committed) {
if(table_changed(buffer)) {
//syslog( LOG_ERR, "Table change for %s", buffer );
error = iptc_commit(handle);
iptc_free(handle);
handle = NULL;
have_committed = 1;
}
}
if(*buffer)
error = execute( buffer );
have_committed = 0;
}
if ( !error ){
/* if an error has occured then we're */
/* in trouble and might as well just */
/* leave */
syslog( LOG_ERR, "error: %s", iptc_strerror(errno));
return !error;
}
}
//syslog( LOG_ERR, "Finished" );
/* commit the changes, that is flush */
/* the iptables buffer */
if(!have_committed) {
error = iptc_commit(handle);
iptc_free(handle);
handle = NULL;
syslog( LOG_ERR, "Unable to commit IPTables rules \"%s\"", iptc_strerror( errno ) );
}
return !error;
}
