static int athr_add_entry(struct ipt_entry *e, char *name,
int *i, int *cmds_added)
{
struct ipt_entry_target *t;
int ret;
struct xt_mtchk_param mtpar;
mtpar.table = name;
mtpar.entryinfo = &e->ip;
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV4;
t = ipt_get_target(e);
(*i)++;
athr_nf_match_invalid = 0;
ret = IPT_MATCH_ITERATE(e, athr_add_match, &mtpar, t, *i, name);
hw_acl_api ? hw_acl_api->add_cmds(cmds_added) : 0;
return ret;
}
/* We want this to be readable, so only print out neccessary fields.
* Because that's the kind of world I want to live in. */
static void print_rule(const struct ipt_entry *e,
iptc_handle_t *h, const char *chain, int counters)
{
struct ipt_entry_target *t;
const char *target_name;
/* print counters */
if (counters)
printf("[%llu:%llu] ", e->counters.pcnt, e->counters.bcnt);
/* print chain name */
printf("-A %s ", chain);
/* Print IP part. */
print_ip("-s", e->ip.src.s_addr,e->ip.smsk.s_addr,
e->ip.invflags & IPT_INV_SRCIP);
print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
e->ip.invflags & IPT_INV_DSTIP);
print_iface('i', e->ip.iniface, e->ip.iniface_mask,
e->ip.invflags & IPT_INV_VIA_IN);
print_iface('o', e->ip.outiface, e->ip.outiface_mask,
e->ip.invflags & IPT_INV_VIA_OUT);
print_proto(e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
if (e->ip.flags & IPT_F_FRAG)
printf("%s-f ",
e->ip.invflags & IPT_INV_FRAG ? "! " : "");
/* Print matchinfo part */
if (e->target_offset) {
IPT_MATCH_ITERATE(e, print_match, &e->ip);
}
/* Print target name */
target_name = iptc_get_target(e, h);
if (target_name && (*target_name != '\0'))
printf("-j %s ", target_name);
/* Print targinfo part */
t = ipt_get_target((struct ipt_entry *)e);
if (t->u.user.name[0]) {
struct iptables_target *target
= find_target(t->u.user.name, TRY_LOAD);
if (!target) {
fprintf(stderr, "Can't find library for target `%s'\n",
t->u.user.name);
exit(1);
}
if (target->save)
target->save(&e->ip, t);
else {
/* If the target size is greater than ipt_entry_target
* there is something to be saved, we just don't know
* how to print it */
if (t->u.target_size !=
sizeof(struct ipt_entry_target)) {
fprintf(stderr, "Target `%s' is missing "
"save function\n",
t->u.user.name);
exit(1);
}
}
}
printf("\n");
}
int ip4tables_add_rules(struct iptc_handle* handle, const char* chain_name, int rulenum, int dim, int src_dst, const char* target_name, const char* set_name, uint16_t protocol, int param, int cmd, bool ignore_errors)
{
size_t size;
struct ipt_entry *fw;
struct xt_entry_target *target;
struct xt_entry_match *match;
#ifdef HAVE_XT_SET_INFO_MATCH_V1
struct xt_set_info_match_v1 *setinfo;
#else
struct xt_set_info_match *setinfo;
#endif
ipt_chainlabel chain;
int res;
int sav_errno;
/* Add an entry */
memset(chain, 0, sizeof(chain));
size = XT_ALIGN(sizeof (struct ipt_entry)) +
XT_ALIGN(sizeof(struct xt_entry_match)) +
XT_ALIGN(sizeof(struct xt_entry_target) + 1) +
XT_ALIGN(sizeof(*setinfo));
if (protocol == IPPROTO_ICMP)
size += XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct ipt_icmp));
fw = (struct ipt_entry*)MALLOC(size);
fw->target_offset = XT_ALIGN(sizeof(struct ipt_entry));
// set
match = (struct xt_entry_match*)((char*)fw + fw->target_offset);
match->u.match_size = XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(*setinfo));
#ifdef HAVE_XT_SET_INFO_MATCH_V1
match->u.user.revision = 1;
#else
match->u.user.revision = 0;
#endif
fw->target_offset += match->u.match_size;
strcpy(match->u.user.name, "set");
#ifdef HAVE_XT_SET_INFO_MATCH_V1
setinfo = (struct xt_set_info_match_v1 *)match->data;
#else
setinfo = (struct xt_set_info_match *)match->data;
#endif
get_set_byname(set_name, &setinfo->match_set, NFPROTO_IPV4, ignore_errors);
if (setinfo->match_set.index == IPSET_INVALID_ID) {
FREE(fw);
return -1;
}
setinfo->match_set.dim = dim;
setinfo->match_set.flags = src_dst;
if (protocol != IPPROTO_NONE) {
fw->ip.proto = protocol;
// fw->ip.flags |= IP6T_F_PROTO ; // IPv6 only
if (protocol == IPPROTO_ICMP)
{
match = (struct xt_entry_match*)((char*)fw + fw->target_offset);
match->u.match_size = XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct ipt_icmp));
match->u.user.revision = 0;
fw->target_offset += match->u.match_size;
strcpy(match->u.user.name, "icmp");
struct ipt_icmp *icmpinfo = (struct ipt_icmp *)match->data;
icmpinfo->type = param; // type to match
icmpinfo->code[0] = 0; // code lower
icmpinfo->code[1] = 0xff; // code upper
icmpinfo->invflags = 0; // don't invert
}
}
// target is XTC_LABEL_DROP/XTC_LABEL_ACCEPT
fw->next_offset = size;
target = ipt_get_target(fw);
target->u.user.target_size = XT_ALIGN(sizeof(struct xt_entry_target) + 1);
strcpy(target->u.user.name, target_name);
// fw->ip.flags |= IPT_F_GOTO;
strcpy(chain, chain_name);
// Use iptc_append_entry to add to the chain
if (cmd == IPADDRESS_DEL) {
unsigned char matchmask[fw->next_offset];
memset(matchmask, 0xff, fw->next_offset);
res = iptc_delete_entry(chain, fw, matchmask, handle);
}
else if (rulenum == -1)
res = iptc_append_entry(chain, fw, handle) ;
else
res = iptc_insert_entry(chain, fw, rulenum, handle) ;
sav_errno = errno;
FREE(fw);
if (res!= 1)
{
if (!ignore_errors)
log_message(LOG_INFO, "iptc_insert_entry for chain %s returned %d: %s", chain, res, iptc_strerror(sav_errno)) ;
return sav_errno;
}
return 0;
}
int ip4tables_process_entry( struct iptc_handle* handle, const char* chain_name, int rulenum, const char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd, bool force)
{
size_t size;
struct ipt_entry *fw;
struct xt_entry_target *target;
struct xt_entry_match *match ;
ipt_chainlabel chain;
int res;
int sav_errno;
/* Add an entry */
memset (chain, 0, sizeof (chain));
size = XT_ALIGN (sizeof (struct ipt_entry)) +
XT_ALIGN (sizeof (struct xt_entry_target) + 1);
if ( protocol == IPPROTO_ICMP )
size += XT_ALIGN ( sizeof(struct xt_entry_match) ) + XT_ALIGN ( sizeof(struct ipt_icmp) ) ;
fw = (struct ipt_entry*)MALLOC(size);
fw->target_offset = XT_ALIGN ( sizeof ( struct ipt_entry ) ) ;
if ( src_ip_address && src_ip_address->ifa.ifa_family != AF_UNSPEC )
{
memcpy(&fw->ip.src, &src_ip_address->u.sin.sin_addr, sizeof ( src_ip_address->u.sin.sin_addr ) );
memset ( &fw->ip.smsk, 0xff, sizeof(fw->ip.smsk));
}
if ( dst_ip_address && dst_ip_address->ifa.ifa_family != AF_UNSPEC )
{
memcpy(&fw->ip.dst, &dst_ip_address->u.sin.sin_addr, sizeof ( dst_ip_address->u.sin.sin_addr ) );
memset ( &fw->ip.dmsk, 0xff, sizeof(fw->ip.dmsk));
}
if (in_iface)
set_iface(fw->ip.iniface, fw->ip.iniface_mask, in_iface);
if (out_iface)
set_iface(fw->ip.outiface, fw->ip.outiface_mask, out_iface);
if ( protocol != IPPROTO_NONE ) {
fw->ip.proto = protocol ;
// fw->ip.flags |= IP6T_F_PROTO ; // IPv6 only
if ( protocol == IPPROTO_ICMP )
{
match = (struct xt_entry_match*)((char*)fw + fw->target_offset);
match->u.match_size = XT_ALIGN ( sizeof (struct xt_entry_match) ) + XT_ALIGN ( sizeof (struct ipt_icmp) ) ;
match->u.user.revision = 0;
fw->target_offset += match->u.match_size ;
strcpy ( match->u.user.name, "icmp" ) ;
struct ipt_icmp *icmpinfo = (struct ipt_icmp *) match->data;
icmpinfo->type = type ; // type to match
icmpinfo->code[0] = 0 ; // code lower
icmpinfo->code[1] = 0xff ; // code upper
icmpinfo->invflags = 0 ; // don't invert
}
}
// target is XTC_LABEL_DROP/XTC_LABEL_ACCEPT
fw->next_offset = size;
target = ipt_get_target ( fw ) ;
target->u.user.target_size = XT_ALIGN (sizeof (struct xt_entry_target) + 1);
strcpy (target->u.user.name, target_name );
// fw->ip.flags |= IPT_F_GOTO;
strcpy (chain, chain_name);
// Use iptc_append_entry to add to the chain
if (cmd == IPADDRESS_DEL) {
unsigned char matchmask[fw->next_offset];
memset(matchmask, 0xff, fw->next_offset);
res = iptc_delete_entry(chain, fw, matchmask, handle);
}
else if ( rulenum == -1 )
res = iptc_append_entry (chain, fw, handle ) ;
else
res = iptc_insert_entry (chain, fw, rulenum, handle ) ;
sav_errno = errno ;
if (res != 1 && (!force || sav_errno != ENOENT))
{
log_message(LOG_INFO, "ip4tables_process_entry for chain %s returned %d: %s", chain, res, iptc_strerror (sav_errno) ) ;
return sav_errno ;
}
return 0 ;
}
/* for const-correctness */
static inline const struct xt_entry_target *
ipt_get_target_c(const struct ipt_entry *e)
{
return ipt_get_target((struct ipt_entry *)e);
}
/* We want this to be readable, so only print out neccessary fields.
* Because that's the kind of world I want to live in. */
extern EXPORT const char* output_rule4(const struct ipt_entry *e, void *h, const char *chain, int counters)
{
const struct xt_entry_target *t;
const char *target_name;
char buf[BUFSIZ];
/* print counters for iptables-save */
if (counters > 0)
ptr += sprintf(ptr,"[%llu:%llu] ", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
/* print chain name */
ptr += sprintf(ptr,"-A %s", chain);
/* Print IP part. */
print_ip("-s", e->ip.src.s_addr, e->ip.smsk.s_addr,
e->ip.invflags & IPT_INV_SRCIP);
print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
e->ip.invflags & IPT_INV_DSTIP);
print_iface('i', e->ip.iniface, e->ip.iniface_mask,
e->ip.invflags & IPT_INV_VIA_IN);
print_iface('o', e->ip.outiface, e->ip.outiface_mask,
e->ip.invflags & IPT_INV_VIA_OUT);
print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO);
if (e->ip.flags & IPT_F_FRAG)
ptr += sprintf(ptr,"%s -f",
e->ip.invflags & IPT_INV_FRAG ? " !" : "");
/* Print matchinfo part */
if (e->target_offset) {
IPT_MATCH_ITERATE(e, print_match_save, &e->ip);
}
/* print counters for iptables -R */
if (counters < 0)
ptr += sprintf(ptr," -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
/* Print target name */
target_name = iptc_get_target(e, h);
#ifdef OLD_IPTABLES
if (target_name && (*target_name != '\0'))
#ifdef IPT_F_GOTO
ptr += sprintf(ptr," -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name);
#else
ptr += sprintf(ptr," -j %s", target_name);
#endif
#endif
/* Print targinfo part */
t = ipt_get_target((struct ipt_entry *)e);
if (t->u.user.name[0]) {
const struct xtables_target *target =
xtables_find_target(t->u.user.name, XTF_TRY_LOAD);
if (!target) {
fprintf(stderr, "Can't find library for target `%s'\n",
t->u.user.name);
return NULL;
}
#ifndef OLD_IPTABLES
ptr += sprintf(ptr, " -j %s", target->alias ? target->alias(t) : target_name);
#endif
if (target){
if (target->save){
memset(buf, 0, sizeof(buf));
switchStdout("/dev/null");
setvbuf(stdout, buf, _IOLBF, BUFSIZ);
target->save(&e->ip, t);
fflush(stdout);
setbuf(stdout, NULL);
revertStdout();
ptr += sprintf(ptr, "%s", buf);
}
else {
/* If the target size is greater than xt_entry_target
* there is something to be saved, we just don't know
* how to print it */
if (t->u.target_size !=
sizeof(struct xt_entry_target)) {
fprintf(stderr, "Target `%s' is missing "
"save function\n",
t->u.user.name);
return NULL;
}
}
}
}
#ifndef OLD_IPTABLES
else if (target_name && (*target_name != '\0')){
#ifdef IPT_F_GOTO
ptr += sprintf(ptr, " -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name);
#else
ptr += sprintf(ptr, " -j %s", target_name);
#endif
}
#endif
*ptr = '\0';
ptr = buffer;
return buffer;
}
