static int athr_add_entry(struct ipt_entry *e, char *name, int *i, int *cmds_added) { struct ipt_entry_target *t; int ret; struct xt_mtchk_param mtpar; mtpar.table = name; mtpar.entryinfo = &e->ip; mtpar.hook_mask = e->comefrom; mtpar.family = NFPROTO_IPV4; t = ipt_get_target(e); (*i)++; athr_nf_match_invalid = 0; ret = IPT_MATCH_ITERATE(e, athr_add_match, &mtpar, t, *i, name); hw_acl_api ? hw_acl_api->add_cmds(cmds_added) : 0; return ret; }
/* We want this to be readable, so only print out neccessary fields. * Because that's the kind of world I want to live in. */ static void print_rule(const struct ipt_entry *e, iptc_handle_t *h, const char *chain, int counters) { struct ipt_entry_target *t; const char *target_name; /* print counters */ if (counters) printf("[%llu:%llu] ", e->counters.pcnt, e->counters.bcnt); /* print chain name */ printf("-A %s ", chain); /* Print IP part. */ print_ip("-s", e->ip.src.s_addr,e->ip.smsk.s_addr, e->ip.invflags & IPT_INV_SRCIP); print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr, e->ip.invflags & IPT_INV_DSTIP); print_iface('i', e->ip.iniface, e->ip.iniface_mask, e->ip.invflags & IPT_INV_VIA_IN); print_iface('o', e->ip.outiface, e->ip.outiface_mask, e->ip.invflags & IPT_INV_VIA_OUT); print_proto(e->ip.proto, e->ip.invflags & IPT_INV_PROTO); if (e->ip.flags & IPT_F_FRAG) printf("%s-f ", e->ip.invflags & IPT_INV_FRAG ? "! " : ""); /* Print matchinfo part */ if (e->target_offset) { IPT_MATCH_ITERATE(e, print_match, &e->ip); } /* Print target name */ target_name = iptc_get_target(e, h); if (target_name && (*target_name != '\0')) printf("-j %s ", target_name); /* Print targinfo part */ t = ipt_get_target((struct ipt_entry *)e); if (t->u.user.name[0]) { struct iptables_target *target = find_target(t->u.user.name, TRY_LOAD); if (!target) { fprintf(stderr, "Can't find library for target `%s'\n", t->u.user.name); exit(1); } if (target->save) target->save(&e->ip, t); else { /* If the target size is greater than ipt_entry_target * there is something to be saved, we just don't know * how to print it */ if (t->u.target_size != sizeof(struct ipt_entry_target)) { fprintf(stderr, "Target `%s' is missing " "save function\n", t->u.user.name); exit(1); } } } printf("\n"); }
int ip4tables_add_rules(struct iptc_handle* handle, const char* chain_name, int rulenum, int dim, int src_dst, const char* target_name, const char* set_name, uint16_t protocol, int param, int cmd, bool ignore_errors) { size_t size; struct ipt_entry *fw; struct xt_entry_target *target; struct xt_entry_match *match; #ifdef HAVE_XT_SET_INFO_MATCH_V1 struct xt_set_info_match_v1 *setinfo; #else struct xt_set_info_match *setinfo; #endif ipt_chainlabel chain; int res; int sav_errno; /* Add an entry */ memset(chain, 0, sizeof(chain)); size = XT_ALIGN(sizeof (struct ipt_entry)) + XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct xt_entry_target) + 1) + XT_ALIGN(sizeof(*setinfo)); if (protocol == IPPROTO_ICMP) size += XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct ipt_icmp)); fw = (struct ipt_entry*)MALLOC(size); fw->target_offset = XT_ALIGN(sizeof(struct ipt_entry)); // set match = (struct xt_entry_match*)((char*)fw + fw->target_offset); match->u.match_size = XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(*setinfo)); #ifdef HAVE_XT_SET_INFO_MATCH_V1 match->u.user.revision = 1; #else match->u.user.revision = 0; #endif fw->target_offset += match->u.match_size; strcpy(match->u.user.name, "set"); #ifdef HAVE_XT_SET_INFO_MATCH_V1 setinfo = (struct xt_set_info_match_v1 *)match->data; #else setinfo = (struct xt_set_info_match *)match->data; #endif get_set_byname(set_name, &setinfo->match_set, NFPROTO_IPV4, ignore_errors); if (setinfo->match_set.index == IPSET_INVALID_ID) { FREE(fw); return -1; } setinfo->match_set.dim = dim; setinfo->match_set.flags = src_dst; if (protocol != IPPROTO_NONE) { fw->ip.proto = protocol; // fw->ip.flags |= IP6T_F_PROTO ; // IPv6 only if (protocol == IPPROTO_ICMP) { match = (struct xt_entry_match*)((char*)fw + fw->target_offset); match->u.match_size = XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct ipt_icmp)); match->u.user.revision = 0; fw->target_offset += match->u.match_size; strcpy(match->u.user.name, "icmp"); struct ipt_icmp *icmpinfo = (struct ipt_icmp *)match->data; icmpinfo->type = param; // type to match icmpinfo->code[0] = 0; // code lower icmpinfo->code[1] = 0xff; // code upper icmpinfo->invflags = 0; // don't invert } } // target is XTC_LABEL_DROP/XTC_LABEL_ACCEPT fw->next_offset = size; target = ipt_get_target(fw); target->u.user.target_size = XT_ALIGN(sizeof(struct xt_entry_target) + 1); strcpy(target->u.user.name, target_name); // fw->ip.flags |= IPT_F_GOTO; strcpy(chain, chain_name); // Use iptc_append_entry to add to the chain if (cmd == IPADDRESS_DEL) { unsigned char matchmask[fw->next_offset]; memset(matchmask, 0xff, fw->next_offset); res = iptc_delete_entry(chain, fw, matchmask, handle); } else if (rulenum == -1) res = iptc_append_entry(chain, fw, handle) ; else res = iptc_insert_entry(chain, fw, rulenum, handle) ; sav_errno = errno; FREE(fw); if (res!= 1) { if (!ignore_errors) log_message(LOG_INFO, "iptc_insert_entry for chain %s returned %d: %s", chain, res, iptc_strerror(sav_errno)) ; return sav_errno; } return 0; }
int ip4tables_process_entry( struct iptc_handle* handle, const char* chain_name, int rulenum, const char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd, bool force) { size_t size; struct ipt_entry *fw; struct xt_entry_target *target; struct xt_entry_match *match ; ipt_chainlabel chain; int res; int sav_errno; /* Add an entry */ memset (chain, 0, sizeof (chain)); size = XT_ALIGN (sizeof (struct ipt_entry)) + XT_ALIGN (sizeof (struct xt_entry_target) + 1); if ( protocol == IPPROTO_ICMP ) size += XT_ALIGN ( sizeof(struct xt_entry_match) ) + XT_ALIGN ( sizeof(struct ipt_icmp) ) ; fw = (struct ipt_entry*)MALLOC(size); fw->target_offset = XT_ALIGN ( sizeof ( struct ipt_entry ) ) ; if ( src_ip_address && src_ip_address->ifa.ifa_family != AF_UNSPEC ) { memcpy(&fw->ip.src, &src_ip_address->u.sin.sin_addr, sizeof ( src_ip_address->u.sin.sin_addr ) ); memset ( &fw->ip.smsk, 0xff, sizeof(fw->ip.smsk)); } if ( dst_ip_address && dst_ip_address->ifa.ifa_family != AF_UNSPEC ) { memcpy(&fw->ip.dst, &dst_ip_address->u.sin.sin_addr, sizeof ( dst_ip_address->u.sin.sin_addr ) ); memset ( &fw->ip.dmsk, 0xff, sizeof(fw->ip.dmsk)); } if (in_iface) set_iface(fw->ip.iniface, fw->ip.iniface_mask, in_iface); if (out_iface) set_iface(fw->ip.outiface, fw->ip.outiface_mask, out_iface); if ( protocol != IPPROTO_NONE ) { fw->ip.proto = protocol ; // fw->ip.flags |= IP6T_F_PROTO ; // IPv6 only if ( protocol == IPPROTO_ICMP ) { match = (struct xt_entry_match*)((char*)fw + fw->target_offset); match->u.match_size = XT_ALIGN ( sizeof (struct xt_entry_match) ) + XT_ALIGN ( sizeof (struct ipt_icmp) ) ; match->u.user.revision = 0; fw->target_offset += match->u.match_size ; strcpy ( match->u.user.name, "icmp" ) ; struct ipt_icmp *icmpinfo = (struct ipt_icmp *) match->data; icmpinfo->type = type ; // type to match icmpinfo->code[0] = 0 ; // code lower icmpinfo->code[1] = 0xff ; // code upper icmpinfo->invflags = 0 ; // don't invert } } // target is XTC_LABEL_DROP/XTC_LABEL_ACCEPT fw->next_offset = size; target = ipt_get_target ( fw ) ; target->u.user.target_size = XT_ALIGN (sizeof (struct xt_entry_target) + 1); strcpy (target->u.user.name, target_name ); // fw->ip.flags |= IPT_F_GOTO; strcpy (chain, chain_name); // Use iptc_append_entry to add to the chain if (cmd == IPADDRESS_DEL) { unsigned char matchmask[fw->next_offset]; memset(matchmask, 0xff, fw->next_offset); res = iptc_delete_entry(chain, fw, matchmask, handle); } else if ( rulenum == -1 ) res = iptc_append_entry (chain, fw, handle ) ; else res = iptc_insert_entry (chain, fw, rulenum, handle ) ; sav_errno = errno ; if (res != 1 && (!force || sav_errno != ENOENT)) { log_message(LOG_INFO, "ip4tables_process_entry for chain %s returned %d: %s", chain, res, iptc_strerror (sav_errno) ) ; return sav_errno ; } return 0 ; }
/* for const-correctness */ static inline const struct xt_entry_target * ipt_get_target_c(const struct ipt_entry *e) { return ipt_get_target((struct ipt_entry *)e); }
/* We want this to be readable, so only print out neccessary fields. * Because that's the kind of world I want to live in. */ extern EXPORT const char* output_rule4(const struct ipt_entry *e, void *h, const char *chain, int counters) { const struct xt_entry_target *t; const char *target_name; char buf[BUFSIZ]; /* print counters for iptables-save */ if (counters > 0) ptr += sprintf(ptr,"[%llu:%llu] ", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt); /* print chain name */ ptr += sprintf(ptr,"-A %s", chain); /* Print IP part. */ print_ip("-s", e->ip.src.s_addr, e->ip.smsk.s_addr, e->ip.invflags & IPT_INV_SRCIP); print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr, e->ip.invflags & IPT_INV_DSTIP); print_iface('i', e->ip.iniface, e->ip.iniface_mask, e->ip.invflags & IPT_INV_VIA_IN); print_iface('o', e->ip.outiface, e->ip.outiface_mask, e->ip.invflags & IPT_INV_VIA_OUT); print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO); if (e->ip.flags & IPT_F_FRAG) ptr += sprintf(ptr,"%s -f", e->ip.invflags & IPT_INV_FRAG ? " !" : ""); /* Print matchinfo part */ if (e->target_offset) { IPT_MATCH_ITERATE(e, print_match_save, &e->ip); } /* print counters for iptables -R */ if (counters < 0) ptr += sprintf(ptr," -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt); /* Print target name */ target_name = iptc_get_target(e, h); #ifdef OLD_IPTABLES if (target_name && (*target_name != '\0')) #ifdef IPT_F_GOTO ptr += sprintf(ptr," -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name); #else ptr += sprintf(ptr," -j %s", target_name); #endif #endif /* Print targinfo part */ t = ipt_get_target((struct ipt_entry *)e); if (t->u.user.name[0]) { const struct xtables_target *target = xtables_find_target(t->u.user.name, XTF_TRY_LOAD); if (!target) { fprintf(stderr, "Can't find library for target `%s'\n", t->u.user.name); return NULL; } #ifndef OLD_IPTABLES ptr += sprintf(ptr, " -j %s", target->alias ? target->alias(t) : target_name); #endif if (target){ if (target->save){ memset(buf, 0, sizeof(buf)); switchStdout("/dev/null"); setvbuf(stdout, buf, _IOLBF, BUFSIZ); target->save(&e->ip, t); fflush(stdout); setbuf(stdout, NULL); revertStdout(); ptr += sprintf(ptr, "%s", buf); } else { /* If the target size is greater than xt_entry_target * there is something to be saved, we just don't know * how to print it */ if (t->u.target_size != sizeof(struct xt_entry_target)) { fprintf(stderr, "Target `%s' is missing " "save function\n", t->u.user.name); return NULL; } } } } #ifndef OLD_IPTABLES else if (target_name && (*target_name != '\0')){ #ifdef IPT_F_GOTO ptr += sprintf(ptr, " -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name); #else ptr += sprintf(ptr, " -j %s", target_name); #endif } #endif *ptr = '\0'; ptr = buffer; return buffer; }