Пример #1
0
/*
 * insert the rule -rule- on chain -chain-
 * at the position pos.
 * Returns:
 * 	0
 * 	-1
 */
int
insert_rule(const char *rule, iptc_handle_t * t, const char *chain,
			int pos)
{
	int res;
	res = iptc_insert_entry(chain, (struct ipt_entry *) rule, 0, t);
	error
		("res is: %d rule is: %p chain is: %s pos is: %d t is: %p errno is: %d",
		 res, rule, chain, pos, t, errno);
	if (!res) {
		error("In insert_rule: %s.", iptc_strerror(errno));
		err_ret(ERR_NETRUL, -1);
	}
	return 0;
}
Пример #2
0
void iptc_add_rule(const char *table,
                   const char *chain,
                   const char *protocol,
                   const char *iniface,
                   const char *outiface,
                   const char *src,
                   const char *dest,
                   const char *srcports,
                   const char *destports,
                   const char *target,
                   const char *dnat_to,
                   const int append)
{
	iptc_handle_t handle;
	struct ipt_entry *chain_entry;
	struct ipt_entry_match *entry_match = NULL;
	struct ipt_entry_target *entry_target = NULL;
	ipt_chainlabel labelit;
	long match_size;
	int result = 0;

	chain_entry = calloc(1, sizeof(*chain_entry));

	if (src) {
		chain_entry->ip.src.s_addr = inet_addr(src);
		chain_entry->ip.smsk.s_addr = inet_addr("255.255.255.255");
	}
	if (dest) {
		chain_entry->ip.dst.s_addr = inet_addr(dest);
		chain_entry->ip.dmsk.s_addr = inet_addr("255.255.255.255");
	}

	if (iniface) strncpy(chain_entry->ip.iniface, iniface, IFNAMSIZ);
	if (outiface) strncpy(chain_entry->ip.outiface, outiface, IFNAMSIZ);

	if (strcmp(protocol, "TCP") == 0) {
		chain_entry->ip.proto = IPPROTO_TCP;
		entry_match = get_tcp_match(srcports, destports, &chain_entry->nfcache);
	}
	else if (strcmp(protocol, "UDP") == 0) {
		chain_entry->ip.proto = IPPROTO_UDP;
		entry_match = get_udp_match(srcports, destports, &chain_entry->nfcache);
	}
	else {
		trace(1, "Unsupported protocol: %s", protocol);
		return;
	}

	if (strcmp(target, "") == 0
	    || strcmp(target, IPTC_LABEL_ACCEPT) == 0
	    || strcmp(target, IPTC_LABEL_DROP) == 0
	    || strcmp(target, IPTC_LABEL_QUEUE) == 0
	    || strcmp(target, IPTC_LABEL_RETURN) == 0) {
		size_t size;

		size = IPT_ALIGN(sizeof(struct ipt_entry_target)) + IPT_ALIGN(sizeof(int));
		entry_target = calloc(1, size);
		entry_target->u.user.target_size = size;
		strncpy(entry_target->u.user.name, target, IPT_FUNCTION_MAXNAMELEN);
	}
	else if (strcmp(target, "DNAT") == 0) {
		entry_target = get_dnat_target(dnat_to, &chain_entry->nfcache);
	}

	if (entry_match)
		match_size = entry_match->u.match_size;
	else
		match_size = 0;

	chain_entry = realloc(chain_entry, sizeof(*chain_entry) + match_size + entry_target->u.target_size);
	memcpy(chain_entry->elems + match_size, entry_target, entry_target->u.target_size);
	chain_entry->target_offset = sizeof(*chain_entry) + match_size;
	chain_entry->next_offset = sizeof(*chain_entry) + match_size + entry_target->u.target_size;

	if (entry_match)
		memcpy(chain_entry->elems, entry_match, match_size);

	handle = iptc_init(table);
	if (!handle) {
		trace(1, "libiptc error: Can't initialize table %s, %s", table, iptc_strerror(errno));
		return;
	}

	strncpy(labelit, chain, sizeof(ipt_chainlabel));
	result = iptc_is_chain(chain, handle);
	if (!result) {
		trace(1, "libiptc error: Chain %s does not exist!", chain);
		return;
	}
	if (append)
		result = iptc_append_entry(labelit, chain_entry, &handle);
	else
		result = iptc_insert_entry(labelit, chain_entry, 0, &handle);

	if (!result) {
		trace(1, "libiptc error: Can't add, %s", iptc_strerror(errno));
		return;
	}
	result = iptc_commit(&handle);
	if (!result) {
	  trace(1, "libiptc error: Commit error, %s", iptc_strerror(errno));
		return;
	}
	else 
	  trace(3, "added new rule to block successfully");

	if (entry_match) free(entry_match);
	free(entry_target);
	free(chain_entry);
}
Пример #3
0
int ip4tables_add_rules(struct iptc_handle* handle, const char* chain_name, int rulenum, int dim, int src_dst, const char* target_name, const char* set_name, uint16_t protocol, int param, int cmd, bool ignore_errors)
{
	size_t size;
	struct ipt_entry *fw;
	struct xt_entry_target *target;
	struct xt_entry_match *match;
#ifdef HAVE_XT_SET_INFO_MATCH_V1
	struct xt_set_info_match_v1 *setinfo;
#else
	struct xt_set_info_match *setinfo;
#endif
	ipt_chainlabel chain;
	int res;
	int sav_errno;

	/* Add an entry */

	memset(chain, 0, sizeof(chain));

	size = XT_ALIGN(sizeof (struct ipt_entry)) +
			XT_ALIGN(sizeof(struct xt_entry_match)) +
			XT_ALIGN(sizeof(struct xt_entry_target) + 1) +
			XT_ALIGN(sizeof(*setinfo));

	if (protocol == IPPROTO_ICMP)
		size += XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct ipt_icmp));

	fw = (struct ipt_entry*)MALLOC(size);

	fw->target_offset = XT_ALIGN(sizeof(struct ipt_entry));

	// set
	match = (struct xt_entry_match*)((char*)fw + fw->target_offset);
	match->u.match_size = XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(*setinfo));
#ifdef HAVE_XT_SET_INFO_MATCH_V1
	match->u.user.revision = 1;
#else
	match->u.user.revision = 0;
#endif
	fw->target_offset += match->u.match_size;
	strcpy(match->u.user.name, "set");

#ifdef HAVE_XT_SET_INFO_MATCH_V1
	setinfo = (struct xt_set_info_match_v1 *)match->data;
#else
	setinfo = (struct xt_set_info_match *)match->data;
#endif
	get_set_byname(set_name, &setinfo->match_set, NFPROTO_IPV4, ignore_errors);
	if (setinfo->match_set.index == IPSET_INVALID_ID) {
		FREE(fw);
		return -1;
	}

	setinfo->match_set.dim = dim;
	setinfo->match_set.flags = src_dst;

	if (protocol != IPPROTO_NONE) {
		fw->ip.proto = protocol;

//		fw->ip.flags |= IP6T_F_PROTO ;		// IPv6 only

		if (protocol == IPPROTO_ICMP)
		{
			match = (struct xt_entry_match*)((char*)fw + fw->target_offset);
			match->u.match_size = XT_ALIGN(sizeof(struct xt_entry_match)) + XT_ALIGN(sizeof(struct ipt_icmp));
			match->u.user.revision = 0;
			fw->target_offset += match->u.match_size;
			strcpy(match->u.user.name, "icmp");

			struct ipt_icmp *icmpinfo = (struct ipt_icmp *)match->data;
			icmpinfo->type = param;		// type to match
			icmpinfo->code[0] = 0;		// code lower
			icmpinfo->code[1] = 0xff;	// code upper
			icmpinfo->invflags = 0;		// don't invert
		}
	}

// target is XTC_LABEL_DROP/XTC_LABEL_ACCEPT
	fw->next_offset = size;
	target = ipt_get_target(fw);
	target->u.user.target_size = XT_ALIGN(sizeof(struct xt_entry_target) + 1);
	strcpy(target->u.user.name, target_name);
//	fw->ip.flags |= IPT_F_GOTO;
	strcpy(chain, chain_name);

	// Use iptc_append_entry to add to the chain
	if (cmd == IPADDRESS_DEL) {
		unsigned char matchmask[fw->next_offset];
		memset(matchmask, 0xff, fw->next_offset);
		res = iptc_delete_entry(chain, fw, matchmask, handle);
	}
	else if (rulenum == -1)
		res = iptc_append_entry(chain, fw, handle) ;
	else
		res = iptc_insert_entry(chain, fw, rulenum, handle) ;

	sav_errno = errno;

	FREE(fw);

	if (res!= 1)
	{
		if (!ignore_errors)
			log_message(LOG_INFO, "iptc_insert_entry for chain %s returned %d: %s", chain, res, iptc_strerror(sav_errno)) ;

		return sav_errno;
	}

	return 0;
}
Пример #4
0
int ip4tables_process_entry( struct iptc_handle* handle, const char* chain_name, int rulenum, const char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd, bool force)
{
	size_t size;
	struct ipt_entry *fw;
	struct xt_entry_target *target;
	struct xt_entry_match *match ;
	ipt_chainlabel chain;
	int res;
	int sav_errno;

	/* Add an entry */

	memset (chain, 0, sizeof (chain));

	size = XT_ALIGN (sizeof (struct ipt_entry)) +
			XT_ALIGN (sizeof (struct xt_entry_target) + 1);

	if ( protocol == IPPROTO_ICMP )
		size += XT_ALIGN ( sizeof(struct xt_entry_match) ) + XT_ALIGN ( sizeof(struct ipt_icmp) ) ;

	fw = (struct ipt_entry*)MALLOC(size);

	fw->target_offset = XT_ALIGN ( sizeof ( struct ipt_entry ) ) ;

	if ( src_ip_address && src_ip_address->ifa.ifa_family != AF_UNSPEC )
	{
		memcpy(&fw->ip.src, &src_ip_address->u.sin.sin_addr, sizeof ( src_ip_address->u.sin.sin_addr ) );
		memset ( &fw->ip.smsk, 0xff, sizeof(fw->ip.smsk));
	}

	if ( dst_ip_address && dst_ip_address->ifa.ifa_family != AF_UNSPEC )
	{
		memcpy(&fw->ip.dst, &dst_ip_address->u.sin.sin_addr, sizeof ( dst_ip_address->u.sin.sin_addr ) );
		memset ( &fw->ip.dmsk, 0xff, sizeof(fw->ip.dmsk));
	}

	if (in_iface)
		set_iface(fw->ip.iniface, fw->ip.iniface_mask, in_iface);
	if (out_iface)
		set_iface(fw->ip.outiface, fw->ip.outiface_mask, out_iface);

	if ( protocol != IPPROTO_NONE ) {
		fw->ip.proto = protocol ;

//		fw->ip.flags |= IP6T_F_PROTO ;		// IPv6 only

		if ( protocol == IPPROTO_ICMP )
		{
			match = (struct xt_entry_match*)((char*)fw + fw->target_offset);
			match->u.match_size = XT_ALIGN ( sizeof (struct xt_entry_match) ) + XT_ALIGN ( sizeof (struct ipt_icmp) ) ;
			match->u.user.revision = 0;
			fw->target_offset += match->u.match_size ;
			strcpy ( match->u.user.name, "icmp" ) ;

			struct ipt_icmp *icmpinfo = (struct ipt_icmp *) match->data;
			icmpinfo->type = type ;		// type to match
			icmpinfo->code[0] = 0 ;		// code lower
			icmpinfo->code[1] = 0xff ;	// code upper
			icmpinfo->invflags = 0 ;	// don't invert
		}
	}

// target is XTC_LABEL_DROP/XTC_LABEL_ACCEPT
	fw->next_offset = size;
	target = ipt_get_target ( fw ) ;
	target->u.user.target_size = XT_ALIGN (sizeof (struct xt_entry_target) + 1);
	strcpy (target->u.user.name, target_name );
//	fw->ip.flags |= IPT_F_GOTO;
	strcpy (chain, chain_name);
	// Use iptc_append_entry to add to the chain
	if (cmd == IPADDRESS_DEL) {
		unsigned char matchmask[fw->next_offset];
		memset(matchmask, 0xff, fw->next_offset);
		res = iptc_delete_entry(chain, fw, matchmask, handle);
	}
	else if ( rulenum == -1 )
		res = iptc_append_entry (chain, fw, handle ) ;
	else
		res = iptc_insert_entry (chain, fw, rulenum, handle ) ;

	sav_errno = errno ;

	if (res !=  1 && (!force || sav_errno != ENOENT))
	{
		log_message(LOG_INFO, "ip4tables_process_entry for chain %s returned %d: %s", chain, res, iptc_strerror (sav_errno) ) ;

		return sav_errno ;
	}

	return 0 ;
}