void save_firewall_details(const struct iptables_command_state *cs,
uint8_t invflags, uint16_t proto,
const char *iniface,
unsigned const char *iniface_mask,
const char *outiface,
unsigned const char *outiface_mask)
{
if (iniface != NULL) {
print_iface('i', iniface, iniface_mask,
invflags & IPT_INV_VIA_IN);
}
if (outiface != NULL) {
print_iface('o', outiface, outiface_mask,
invflags & IPT_INV_VIA_OUT);
}
if (proto > 0) {
const struct protoent *pent = getprotobynumber(proto);
if (invflags & XT_INV_PROTO)
printf("! ");
if (pent)
printf("-p %s ", pent->p_name);
else
printf("-p %u ", proto);
}
}
/* Helper function for list_rules() */
static void list_em(struct ebt_u_entries *entries)
{
int i;
struct ebt_u_entry *hlp;
struct ebt_u_match_list *m_l;
struct ebt_u_match *m;
struct ebt_u_target *t;
hlp = entries->entries->next;
printf("\nBridge chain: %s, entries: %d, policy: %s\n",
entries->name, entries->nentries,
ebt_standard_targets[-entries->policy - 1]);
for (i = 0; i < entries->nentries; i++) {
/* The standard target's print() uses this to find out
* the name of a udc */
hlp->replace = replace;
/* Don't print anything about the protocol if no protocol was
* specified, obviously this means any protocol will do. */
if (!(hlp->bitmask & EBT_NOPROTO)) {
printf("-p ");
if (hlp->invflags & EBT_IPROTO)
printf("! ");
if (hlp->bitmask & EBT_802_3)
printf("Length ");
else {
const struct ethertypeent *ent;
ent = getethertypebynumber(ntohs(hlp->ethproto));
if (!ent)
printf("0x%x ", ntohs(hlp->ethproto));
else
printf("%s ", ent->e_name);
}
}
if (hlp->bitmask & EBT_SOURCEMAC) {
printf("-s ");
if (hlp->invflags & EBT_ISOURCE)
printf("! ");
ebt_print_mac_and_mask(hlp->sourcemac, hlp->sourcemsk);
printf(" ");
}
if (hlp->bitmask & EBT_DESTMAC) {
printf("-d ");
if (hlp->invflags & EBT_IDEST)
printf("! ");
ebt_print_mac_and_mask(hlp->destmac, hlp->destmsk);
printf(" ");
}
if (hlp->in[0] != '\0') {
printf("-i ");
if (hlp->invflags & EBT_IIN)
printf("! ");
print_iface(hlp->in);
}
if (hlp->logical_in[0] != '\0') {
printf("--logical-in ");
if (hlp->invflags & EBT_ILOGICALIN)
printf("! ");
print_iface(hlp->logical_in);
}
if (hlp->logical_out[0] != '\0') {
printf("--logical-out ");
if (hlp->invflags & EBT_ILOGICALOUT)
printf("! ");
print_iface(hlp->logical_out);
}
if (hlp->out[0] != '\0') {
printf("-o ");
if (hlp->invflags & EBT_IOUT)
printf("! ");
print_iface(hlp->out);
}
m_l = hlp->m_list;
while (m_l) {
m = ebt_find_match(m_l->m->u.name);
if (!m)
ebt_print_bug("Match not found");
m->print(hlp, m_l->m);
m_l = m_l->next;
}
printf("-j ");
if (strcmp(hlp->t->u.name, EBT_STANDARD_TARGET))
printf("%s ", hlp->t->u.name);
t = ebt_find_target(hlp->t->u.name);
if (!t)
ebt_print_bug("Target '%s' not found", hlp->t->u.name);
t->print(hlp, hlp->t);
printf("\n");
hlp = hlp->next;
}
}
/* We want this to be readable, so only print out neccessary fields.
* Because that's the kind of world I want to live in. */
static void print_rule(const struct ip6t_entry *e,
ip6tc_handle_t *h, const char *chain, int counters)
{
struct ip6t_entry_target *t;
const char *target_name;
/* print counters */
if (counters)
printf("[%llu:%llu] ", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
/* print chain name */
printf("-A %s ", chain);
/* Print IP part. */
print_ip("-s", &(e->ipv6.src), &(e->ipv6.smsk),
e->ipv6.invflags & IP6T_INV_SRCIP);
print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk),
e->ipv6.invflags & IP6T_INV_DSTIP);
print_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask,
e->ipv6.invflags & IP6T_INV_VIA_IN);
print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask,
e->ipv6.invflags & IP6T_INV_VIA_OUT);
print_proto(e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
#if 0
/* not definied in ipv6
* FIXME: linux/netfilter_ipv6/ip6_tables: IP6T_INV_FRAG why definied? */
if (e->ipv6.flags & IPT_F_FRAG)
printf("%s-f ",
e->ipv6.invflags & IP6T_INV_FRAG ? "! " : "");
#endif
if (e->ipv6.flags & IP6T_F_TOS)
printf("%s-? %d ",
e->ipv6.invflags & IP6T_INV_TOS ? "! " : "",
e->ipv6.tos);
/* Print matchinfo part */
if (e->target_offset) {
IP6T_MATCH_ITERATE(e, print_match, &e->ipv6);
}
/* Print target name */
target_name = ip6tc_get_target(e, h);
if (target_name && (*target_name != '\0'))
printf("-j %s ", target_name);
/* Print targinfo part */
t = ip6t_get_target((struct ip6t_entry *)e);
if (t->u.user.name[0]) {
struct ip6tables_target *target
= find_target(t->u.user.name, TRY_LOAD);
if (!target) {
fprintf(stderr, "Can't find library for target `%s'\n",
t->u.user.name);
exit(1);
}
if (target->save)
target->save(&e->ipv6, t);
else {
/* If the target size is greater than ip6t_entry_target
* there is something to be saved, we just don't know
* how to print it */
if (t->u.target_size !=
sizeof(struct ip6t_entry_target)) {
fprintf(stderr, "Target `%s' is missing "
"save function\n",
t->u.user.name);
exit(1);
}
}
}
printf("\n");
}
/* We want this to be readable, so only print out neccessary fields.
* Because that's the kind of world I want to live in. */
static void print_rule(const struct ipt_entry *e,
iptc_handle_t *h, const char *chain, int counters)
{
struct ipt_entry_target *t;
const char *target_name;
/* print counters */
if (counters)
printf("[%llu:%llu] ", e->counters.pcnt, e->counters.bcnt);
/* print chain name */
printf("-A %s ", chain);
/* Print IP part. */
print_ip("-s", e->ip.src.s_addr,e->ip.smsk.s_addr,
e->ip.invflags & IPT_INV_SRCIP);
print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
e->ip.invflags & IPT_INV_DSTIP);
print_iface('i', e->ip.iniface, e->ip.iniface_mask,
e->ip.invflags & IPT_INV_VIA_IN);
print_iface('o', e->ip.outiface, e->ip.outiface_mask,
e->ip.invflags & IPT_INV_VIA_OUT);
print_proto(e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
if (e->ip.flags & IPT_F_FRAG)
printf("%s-f ",
e->ip.invflags & IPT_INV_FRAG ? "! " : "");
/* Print matchinfo part */
if (e->target_offset) {
IPT_MATCH_ITERATE(e, print_match, &e->ip);
}
/* Print target name */
target_name = iptc_get_target(e, h);
if (target_name && (*target_name != '\0'))
printf("-j %s ", target_name);
/* Print targinfo part */
t = ipt_get_target((struct ipt_entry *)e);
if (t->u.user.name[0]) {
struct iptables_target *target
= find_target(t->u.user.name, TRY_LOAD);
if (!target) {
fprintf(stderr, "Can't find library for target `%s'\n",
t->u.user.name);
exit(1);
}
if (target->save)
target->save(&e->ip, t);
else {
/* If the target size is greater than ipt_entry_target
* there is something to be saved, we just don't know
* how to print it */
if (t->u.target_size !=
sizeof(struct ipt_entry_target)) {
fprintf(stderr, "Target `%s' is missing "
"save function\n",
t->u.user.name);
exit(1);
}
}
}
printf("\n");
}
/* We want this to be readable, so only print out neccessary fields.
* Because that's the kind of world I want to live in. */
extern EXPORT const char* output_rule4(const struct ipt_entry *e, void *h, const char *chain, int counters)
{
const struct xt_entry_target *t;
const char *target_name;
char buf[BUFSIZ];
/* print counters for iptables-save */
if (counters > 0)
ptr += sprintf(ptr,"[%llu:%llu] ", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
/* print chain name */
ptr += sprintf(ptr,"-A %s", chain);
/* Print IP part. */
print_ip("-s", e->ip.src.s_addr, e->ip.smsk.s_addr,
e->ip.invflags & IPT_INV_SRCIP);
print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
e->ip.invflags & IPT_INV_DSTIP);
print_iface('i', e->ip.iniface, e->ip.iniface_mask,
e->ip.invflags & IPT_INV_VIA_IN);
print_iface('o', e->ip.outiface, e->ip.outiface_mask,
e->ip.invflags & IPT_INV_VIA_OUT);
print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO);
if (e->ip.flags & IPT_F_FRAG)
ptr += sprintf(ptr,"%s -f",
e->ip.invflags & IPT_INV_FRAG ? " !" : "");
/* Print matchinfo part */
if (e->target_offset) {
IPT_MATCH_ITERATE(e, print_match_save, &e->ip);
}
/* print counters for iptables -R */
if (counters < 0)
ptr += sprintf(ptr," -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
/* Print target name */
target_name = iptc_get_target(e, h);
#ifdef OLD_IPTABLES
if (target_name && (*target_name != '\0'))
#ifdef IPT_F_GOTO
ptr += sprintf(ptr," -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name);
#else
ptr += sprintf(ptr," -j %s", target_name);
#endif
#endif
/* Print targinfo part */
t = ipt_get_target((struct ipt_entry *)e);
if (t->u.user.name[0]) {
const struct xtables_target *target =
xtables_find_target(t->u.user.name, XTF_TRY_LOAD);
if (!target) {
fprintf(stderr, "Can't find library for target `%s'\n",
t->u.user.name);
return NULL;
}
#ifndef OLD_IPTABLES
ptr += sprintf(ptr, " -j %s", target->alias ? target->alias(t) : target_name);
#endif
if (target){
if (target->save){
memset(buf, 0, sizeof(buf));
switchStdout("/dev/null");
setvbuf(stdout, buf, _IOLBF, BUFSIZ);
target->save(&e->ip, t);
fflush(stdout);
setbuf(stdout, NULL);
revertStdout();
ptr += sprintf(ptr, "%s", buf);
}
else {
/* If the target size is greater than xt_entry_target
* there is something to be saved, we just don't know
* how to print it */
if (t->u.target_size !=
sizeof(struct xt_entry_target)) {
fprintf(stderr, "Target `%s' is missing "
"save function\n",
t->u.user.name);
return NULL;
}
}
}
}
#ifndef OLD_IPTABLES
else if (target_name && (*target_name != '\0')){
#ifdef IPT_F_GOTO
ptr += sprintf(ptr, " -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name);
#else
ptr += sprintf(ptr, " -j %s", target_name);
#endif
}
#endif
*ptr = '\0';
ptr = buffer;
return buffer;
}
/* Helper function for list_rules() */
static void list_em(struct ebt_u_entries *entries)
{
int i, j, space = 0, digits;
struct ebt_u_entry *hlp;
struct ebt_u_match_list *m_l;
struct ebt_u_watcher_list *w_l;
struct ebt_u_match *m;
struct ebt_u_watcher *w;
struct ebt_u_target *t;
if (replace->flags & LIST_MAC2)
ebt_printstyle_mac = 2;
else
ebt_printstyle_mac = 0;
hlp = entries->entries->next;
if (replace->flags & LIST_X && entries->policy != EBT_ACCEPT) {
printf("ebtables -t %s -P %s %s\n", replace->name,
entries->name, ebt_standard_targets[-entries->policy - 1]);
} else if (!(replace->flags & LIST_X)) {
printf("\nBridge chain: %s, entries: %d, policy: %s\n",
entries->name, entries->nentries,
ebt_standard_targets[-entries->policy - 1]);
}
if (replace->flags & LIST_N) {
i = entries->nentries;
while (i > 9) {
space++;
i /= 10;
}
}
for (i = 0; i < entries->nentries; i++) {
if (replace->flags & LIST_N) {
digits = 0;
/* A little work to get nice rule numbers. */
j = i + 1;
while (j > 9) {
digits++;
j /= 10;
}
for (j = 0; j < space - digits; j++)
printf(" ");
printf("%d. ", i + 1);
}
if (replace->flags & LIST_X)
printf("ebtables -t %s -A %s ",
replace->name, entries->name);
/* The standard target's print() uses this to find out
* the name of a udc */
hlp->replace = replace;
/* Don't print anything about the protocol if no protocol was
* specified, obviously this means any protocol will do. */
if (!(hlp->bitmask & EBT_NOPROTO)) {
printf("-p ");
if (hlp->invflags & EBT_IPROTO)
printf("! ");
if (hlp->bitmask & EBT_802_3)
printf("Length ");
else {
struct ethertypeent *ent;
ent = getethertypebynumber(ntohs(hlp->ethproto));
if (!ent)
printf("0x%x ", ntohs(hlp->ethproto));
else
printf("%s ", ent->e_name);
}
}
if (hlp->bitmask & EBT_SOURCEMAC) {
printf("-s ");
if (hlp->invflags & EBT_ISOURCE)
printf("! ");
ebt_print_mac_and_mask(hlp->sourcemac, hlp->sourcemsk);
printf(" ");
}
if (hlp->bitmask & EBT_DESTMAC) {
printf("-d ");
if (hlp->invflags & EBT_IDEST)
printf("! ");
ebt_print_mac_and_mask(hlp->destmac, hlp->destmsk);
printf(" ");
}
if (hlp->in[0] != '\0') {
printf("-i ");
if (hlp->invflags & EBT_IIN)
printf("! ");
print_iface(hlp->in);
}
if (hlp->logical_in[0] != '\0') {
printf("--logical-in ");
if (hlp->invflags & EBT_ILOGICALIN)
printf("! ");
print_iface(hlp->logical_in);
}
if (hlp->logical_out[0] != '\0') {
printf("--logical-out ");
if (hlp->invflags & EBT_ILOGICALOUT)
printf("! ");
print_iface(hlp->logical_out);
}
if (hlp->out[0] != '\0') {
printf("-o ");
if (hlp->invflags & EBT_IOUT)
printf("! ");
print_iface(hlp->out);
}
m_l = hlp->m_list;
while (m_l) {
m = ebt_find_match(m_l->m->u.name);
if (!m)
ebt_print_bug("Match not found");
m->print(hlp, m_l->m);
m_l = m_l->next;
}
w_l = hlp->w_list;
while (w_l) {
w = ebt_find_watcher(w_l->w->u.name);
if (!w)
ebt_print_bug("Watcher not found");
w->print(hlp, w_l->w);
w_l = w_l->next;
}
printf("-j ");
if (strcmp(hlp->t->u.name, EBT_STANDARD_TARGET))
printf("%s ", hlp->t->u.name);
t = ebt_find_target(hlp->t->u.name);
if (!t)
ebt_print_bug("Target '%s' not found", hlp->t->u.name);
t->print(hlp, hlp->t);
if (replace->flags & LIST_C) {
uint64_t pcnt = hlp->cnt.pcnt;
uint64_t bcnt = hlp->cnt.bcnt;
if (replace->flags & LIST_X)
printf("-c %"PRIu64" %"PRIu64, pcnt, bcnt);
else
printf(", pcnt = %"PRIu64" -- bcnt = %"PRIu64, pcnt, bcnt);
}
printf("\n");
hlp = hlp->next;
}
}
