void save_firewall_details(const struct iptables_command_state *cs, uint8_t invflags, uint16_t proto, const char *iniface, unsigned const char *iniface_mask, const char *outiface, unsigned const char *outiface_mask) { if (iniface != NULL) { print_iface('i', iniface, iniface_mask, invflags & IPT_INV_VIA_IN); } if (outiface != NULL) { print_iface('o', outiface, outiface_mask, invflags & IPT_INV_VIA_OUT); } if (proto > 0) { const struct protoent *pent = getprotobynumber(proto); if (invflags & XT_INV_PROTO) printf("! "); if (pent) printf("-p %s ", pent->p_name); else printf("-p %u ", proto); } }
/* Helper function for list_rules() */ static void list_em(struct ebt_u_entries *entries) { int i; struct ebt_u_entry *hlp; struct ebt_u_match_list *m_l; struct ebt_u_match *m; struct ebt_u_target *t; hlp = entries->entries->next; printf("\nBridge chain: %s, entries: %d, policy: %s\n", entries->name, entries->nentries, ebt_standard_targets[-entries->policy - 1]); for (i = 0; i < entries->nentries; i++) { /* The standard target's print() uses this to find out * the name of a udc */ hlp->replace = replace; /* Don't print anything about the protocol if no protocol was * specified, obviously this means any protocol will do. */ if (!(hlp->bitmask & EBT_NOPROTO)) { printf("-p "); if (hlp->invflags & EBT_IPROTO) printf("! "); if (hlp->bitmask & EBT_802_3) printf("Length "); else { const struct ethertypeent *ent; ent = getethertypebynumber(ntohs(hlp->ethproto)); if (!ent) printf("0x%x ", ntohs(hlp->ethproto)); else printf("%s ", ent->e_name); } } if (hlp->bitmask & EBT_SOURCEMAC) { printf("-s "); if (hlp->invflags & EBT_ISOURCE) printf("! "); ebt_print_mac_and_mask(hlp->sourcemac, hlp->sourcemsk); printf(" "); } if (hlp->bitmask & EBT_DESTMAC) { printf("-d "); if (hlp->invflags & EBT_IDEST) printf("! "); ebt_print_mac_and_mask(hlp->destmac, hlp->destmsk); printf(" "); } if (hlp->in[0] != '\0') { printf("-i "); if (hlp->invflags & EBT_IIN) printf("! "); print_iface(hlp->in); } if (hlp->logical_in[0] != '\0') { printf("--logical-in "); if (hlp->invflags & EBT_ILOGICALIN) printf("! "); print_iface(hlp->logical_in); } if (hlp->logical_out[0] != '\0') { printf("--logical-out "); if (hlp->invflags & EBT_ILOGICALOUT) printf("! "); print_iface(hlp->logical_out); } if (hlp->out[0] != '\0') { printf("-o "); if (hlp->invflags & EBT_IOUT) printf("! "); print_iface(hlp->out); } m_l = hlp->m_list; while (m_l) { m = ebt_find_match(m_l->m->u.name); if (!m) ebt_print_bug("Match not found"); m->print(hlp, m_l->m); m_l = m_l->next; } printf("-j "); if (strcmp(hlp->t->u.name, EBT_STANDARD_TARGET)) printf("%s ", hlp->t->u.name); t = ebt_find_target(hlp->t->u.name); if (!t) ebt_print_bug("Target '%s' not found", hlp->t->u.name); t->print(hlp, hlp->t); printf("\n"); hlp = hlp->next; } }
/* We want this to be readable, so only print out neccessary fields. * Because that's the kind of world I want to live in. */ static void print_rule(const struct ip6t_entry *e, ip6tc_handle_t *h, const char *chain, int counters) { struct ip6t_entry_target *t; const char *target_name; /* print counters */ if (counters) printf("[%llu:%llu] ", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt); /* print chain name */ printf("-A %s ", chain); /* Print IP part. */ print_ip("-s", &(e->ipv6.src), &(e->ipv6.smsk), e->ipv6.invflags & IP6T_INV_SRCIP); print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk), e->ipv6.invflags & IP6T_INV_DSTIP); print_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask, e->ipv6.invflags & IP6T_INV_VIA_IN); print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask, e->ipv6.invflags & IP6T_INV_VIA_OUT); print_proto(e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO); #if 0 /* not definied in ipv6 * FIXME: linux/netfilter_ipv6/ip6_tables: IP6T_INV_FRAG why definied? */ if (e->ipv6.flags & IPT_F_FRAG) printf("%s-f ", e->ipv6.invflags & IP6T_INV_FRAG ? "! " : ""); #endif if (e->ipv6.flags & IP6T_F_TOS) printf("%s-? %d ", e->ipv6.invflags & IP6T_INV_TOS ? "! " : "", e->ipv6.tos); /* Print matchinfo part */ if (e->target_offset) { IP6T_MATCH_ITERATE(e, print_match, &e->ipv6); } /* Print target name */ target_name = ip6tc_get_target(e, h); if (target_name && (*target_name != '\0')) printf("-j %s ", target_name); /* Print targinfo part */ t = ip6t_get_target((struct ip6t_entry *)e); if (t->u.user.name[0]) { struct ip6tables_target *target = find_target(t->u.user.name, TRY_LOAD); if (!target) { fprintf(stderr, "Can't find library for target `%s'\n", t->u.user.name); exit(1); } if (target->save) target->save(&e->ipv6, t); else { /* If the target size is greater than ip6t_entry_target * there is something to be saved, we just don't know * how to print it */ if (t->u.target_size != sizeof(struct ip6t_entry_target)) { fprintf(stderr, "Target `%s' is missing " "save function\n", t->u.user.name); exit(1); } } } printf("\n"); }
/* We want this to be readable, so only print out neccessary fields. * Because that's the kind of world I want to live in. */ static void print_rule(const struct ipt_entry *e, iptc_handle_t *h, const char *chain, int counters) { struct ipt_entry_target *t; const char *target_name; /* print counters */ if (counters) printf("[%llu:%llu] ", e->counters.pcnt, e->counters.bcnt); /* print chain name */ printf("-A %s ", chain); /* Print IP part. */ print_ip("-s", e->ip.src.s_addr,e->ip.smsk.s_addr, e->ip.invflags & IPT_INV_SRCIP); print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr, e->ip.invflags & IPT_INV_DSTIP); print_iface('i', e->ip.iniface, e->ip.iniface_mask, e->ip.invflags & IPT_INV_VIA_IN); print_iface('o', e->ip.outiface, e->ip.outiface_mask, e->ip.invflags & IPT_INV_VIA_OUT); print_proto(e->ip.proto, e->ip.invflags & IPT_INV_PROTO); if (e->ip.flags & IPT_F_FRAG) printf("%s-f ", e->ip.invflags & IPT_INV_FRAG ? "! " : ""); /* Print matchinfo part */ if (e->target_offset) { IPT_MATCH_ITERATE(e, print_match, &e->ip); } /* Print target name */ target_name = iptc_get_target(e, h); if (target_name && (*target_name != '\0')) printf("-j %s ", target_name); /* Print targinfo part */ t = ipt_get_target((struct ipt_entry *)e); if (t->u.user.name[0]) { struct iptables_target *target = find_target(t->u.user.name, TRY_LOAD); if (!target) { fprintf(stderr, "Can't find library for target `%s'\n", t->u.user.name); exit(1); } if (target->save) target->save(&e->ip, t); else { /* If the target size is greater than ipt_entry_target * there is something to be saved, we just don't know * how to print it */ if (t->u.target_size != sizeof(struct ipt_entry_target)) { fprintf(stderr, "Target `%s' is missing " "save function\n", t->u.user.name); exit(1); } } } printf("\n"); }
/* We want this to be readable, so only print out neccessary fields. * Because that's the kind of world I want to live in. */ extern EXPORT const char* output_rule4(const struct ipt_entry *e, void *h, const char *chain, int counters) { const struct xt_entry_target *t; const char *target_name; char buf[BUFSIZ]; /* print counters for iptables-save */ if (counters > 0) ptr += sprintf(ptr,"[%llu:%llu] ", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt); /* print chain name */ ptr += sprintf(ptr,"-A %s", chain); /* Print IP part. */ print_ip("-s", e->ip.src.s_addr, e->ip.smsk.s_addr, e->ip.invflags & IPT_INV_SRCIP); print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr, e->ip.invflags & IPT_INV_DSTIP); print_iface('i', e->ip.iniface, e->ip.iniface_mask, e->ip.invflags & IPT_INV_VIA_IN); print_iface('o', e->ip.outiface, e->ip.outiface_mask, e->ip.invflags & IPT_INV_VIA_OUT); print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO); if (e->ip.flags & IPT_F_FRAG) ptr += sprintf(ptr,"%s -f", e->ip.invflags & IPT_INV_FRAG ? " !" : ""); /* Print matchinfo part */ if (e->target_offset) { IPT_MATCH_ITERATE(e, print_match_save, &e->ip); } /* print counters for iptables -R */ if (counters < 0) ptr += sprintf(ptr," -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt); /* Print target name */ target_name = iptc_get_target(e, h); #ifdef OLD_IPTABLES if (target_name && (*target_name != '\0')) #ifdef IPT_F_GOTO ptr += sprintf(ptr," -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name); #else ptr += sprintf(ptr," -j %s", target_name); #endif #endif /* Print targinfo part */ t = ipt_get_target((struct ipt_entry *)e); if (t->u.user.name[0]) { const struct xtables_target *target = xtables_find_target(t->u.user.name, XTF_TRY_LOAD); if (!target) { fprintf(stderr, "Can't find library for target `%s'\n", t->u.user.name); return NULL; } #ifndef OLD_IPTABLES ptr += sprintf(ptr, " -j %s", target->alias ? target->alias(t) : target_name); #endif if (target){ if (target->save){ memset(buf, 0, sizeof(buf)); switchStdout("/dev/null"); setvbuf(stdout, buf, _IOLBF, BUFSIZ); target->save(&e->ip, t); fflush(stdout); setbuf(stdout, NULL); revertStdout(); ptr += sprintf(ptr, "%s", buf); } else { /* If the target size is greater than xt_entry_target * there is something to be saved, we just don't know * how to print it */ if (t->u.target_size != sizeof(struct xt_entry_target)) { fprintf(stderr, "Target `%s' is missing " "save function\n", t->u.user.name); return NULL; } } } } #ifndef OLD_IPTABLES else if (target_name && (*target_name != '\0')){ #ifdef IPT_F_GOTO ptr += sprintf(ptr, " -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name); #else ptr += sprintf(ptr, " -j %s", target_name); #endif } #endif *ptr = '\0'; ptr = buffer; return buffer; }
/* Helper function for list_rules() */ static void list_em(struct ebt_u_entries *entries) { int i, j, space = 0, digits; struct ebt_u_entry *hlp; struct ebt_u_match_list *m_l; struct ebt_u_watcher_list *w_l; struct ebt_u_match *m; struct ebt_u_watcher *w; struct ebt_u_target *t; if (replace->flags & LIST_MAC2) ebt_printstyle_mac = 2; else ebt_printstyle_mac = 0; hlp = entries->entries->next; if (replace->flags & LIST_X && entries->policy != EBT_ACCEPT) { printf("ebtables -t %s -P %s %s\n", replace->name, entries->name, ebt_standard_targets[-entries->policy - 1]); } else if (!(replace->flags & LIST_X)) { printf("\nBridge chain: %s, entries: %d, policy: %s\n", entries->name, entries->nentries, ebt_standard_targets[-entries->policy - 1]); } if (replace->flags & LIST_N) { i = entries->nentries; while (i > 9) { space++; i /= 10; } } for (i = 0; i < entries->nentries; i++) { if (replace->flags & LIST_N) { digits = 0; /* A little work to get nice rule numbers. */ j = i + 1; while (j > 9) { digits++; j /= 10; } for (j = 0; j < space - digits; j++) printf(" "); printf("%d. ", i + 1); } if (replace->flags & LIST_X) printf("ebtables -t %s -A %s ", replace->name, entries->name); /* The standard target's print() uses this to find out * the name of a udc */ hlp->replace = replace; /* Don't print anything about the protocol if no protocol was * specified, obviously this means any protocol will do. */ if (!(hlp->bitmask & EBT_NOPROTO)) { printf("-p "); if (hlp->invflags & EBT_IPROTO) printf("! "); if (hlp->bitmask & EBT_802_3) printf("Length "); else { struct ethertypeent *ent; ent = getethertypebynumber(ntohs(hlp->ethproto)); if (!ent) printf("0x%x ", ntohs(hlp->ethproto)); else printf("%s ", ent->e_name); } } if (hlp->bitmask & EBT_SOURCEMAC) { printf("-s "); if (hlp->invflags & EBT_ISOURCE) printf("! "); ebt_print_mac_and_mask(hlp->sourcemac, hlp->sourcemsk); printf(" "); } if (hlp->bitmask & EBT_DESTMAC) { printf("-d "); if (hlp->invflags & EBT_IDEST) printf("! "); ebt_print_mac_and_mask(hlp->destmac, hlp->destmsk); printf(" "); } if (hlp->in[0] != '\0') { printf("-i "); if (hlp->invflags & EBT_IIN) printf("! "); print_iface(hlp->in); } if (hlp->logical_in[0] != '\0') { printf("--logical-in "); if (hlp->invflags & EBT_ILOGICALIN) printf("! "); print_iface(hlp->logical_in); } if (hlp->logical_out[0] != '\0') { printf("--logical-out "); if (hlp->invflags & EBT_ILOGICALOUT) printf("! "); print_iface(hlp->logical_out); } if (hlp->out[0] != '\0') { printf("-o "); if (hlp->invflags & EBT_IOUT) printf("! "); print_iface(hlp->out); } m_l = hlp->m_list; while (m_l) { m = ebt_find_match(m_l->m->u.name); if (!m) ebt_print_bug("Match not found"); m->print(hlp, m_l->m); m_l = m_l->next; } w_l = hlp->w_list; while (w_l) { w = ebt_find_watcher(w_l->w->u.name); if (!w) ebt_print_bug("Watcher not found"); w->print(hlp, w_l->w); w_l = w_l->next; } printf("-j "); if (strcmp(hlp->t->u.name, EBT_STANDARD_TARGET)) printf("%s ", hlp->t->u.name); t = ebt_find_target(hlp->t->u.name); if (!t) ebt_print_bug("Target '%s' not found", hlp->t->u.name); t->print(hlp, hlp->t); if (replace->flags & LIST_C) { uint64_t pcnt = hlp->cnt.pcnt; uint64_t bcnt = hlp->cnt.bcnt; if (replace->flags & LIST_X) printf("-c %"PRIu64" %"PRIu64, pcnt, bcnt); else printf(", pcnt = %"PRIu64" -- bcnt = %"PRIu64, pcnt, bcnt); } printf("\n"); hlp = hlp->next; } }