2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 static struct option base_opts[] = {
23 { .name = "match", .has_arg = 1, .val = 'm' },
24 { .name = "jump", .has_arg = 1, .val = 'j' },
25 { .name = "append", .has_arg = 1, .val = 'A' },
29 static struct xtables_globals xtg = {
31 .program_version = "4",
32 .orig_opts = base_opts,
35 static struct xtables_globals xtg6 = {
37 .program_version = "6",
38 .orig_opts = base_opts,
41 /* Required by certain extensions like SNAT and DNAT */
45 get_kernel_version(void)
47 static struct utsname uts;
48 int x = 0, y = 0, z = 0;
50 if (uname(&uts) == -1)
51 sprintf(uts.release, "3.0.0");
53 sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
54 kernel_version = LINUX_VERSION(x, y, z);
57 static void fw3_init_extensions(void)
61 libip6t_REJECT_init();
65 libipt_MASQUERADE_init();
66 libipt_REDIRECT_init();
70 libxt_conntrack_init();
78 libxt_standard_init();
85 struct fw3_ipt_handle *
86 fw3_ipt_open(enum fw3_family family, enum fw3_table table)
88 struct fw3_ipt_handle *h;
90 h = fw3_alloc(sizeof(*h));
94 if (family == FW3_FAMILY_V6)
96 h->family = FW3_FAMILY_V6;
98 h->handle = ip6tc_init(fw3_flag_names[table]);
100 xtables_set_params(&xtg6);
101 xtables_set_nfproto(NFPROTO_IPV6);
105 h->family = FW3_FAMILY_V4;
107 h->handle = iptc_init(fw3_flag_names[table]);
109 xtables_set_params(&xtg);
110 xtables_set_nfproto(NFPROTO_IPV4);
119 xtables_pending_matches = NULL;
120 xtables_pending_targets = NULL;
122 xtables_matches = NULL;
123 xtables_targets = NULL;
125 fw3_init_extensions();
131 debug(struct fw3_ipt_handle *h, const char *fmt, ...)
135 printf("%s -t %s ", (h->family == FW3_FAMILY_V6) ? "ip6tables" : "iptables",
136 fw3_flag_names[h->table]);
144 fw3_ipt_set_policy(struct fw3_ipt_handle *h, const char *chain,
145 enum fw3_flag policy)
148 debug(h, "-P %s %s\n", chain, fw3_flag_names[policy]);
150 if (h->family == FW3_FAMILY_V6)
151 ip6tc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
153 iptc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
157 fw3_ipt_delete_chain(struct fw3_ipt_handle *h, const char *chain)
161 debug(h, "-F %s\n", chain);
162 debug(h, "-X %s\n", chain);
165 if (h->family == FW3_FAMILY_V6)
167 if (ip6tc_flush_entries(chain, h->handle))
168 ip6tc_delete_chain(chain, h->handle);
172 if (iptc_flush_entries(chain, h->handle))
173 iptc_delete_chain(chain, h->handle);
178 fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
181 const struct ipt_entry *e;
182 const struct ip6t_entry *e6;
187 if (h->family == FW3_FAMILY_V6)
189 for (chain = ip6tc_first_chain(h->handle);
191 chain = ip6tc_next_chain(h->handle))
196 for (num = 0, e6 = ip6tc_first_rule(chain, h->handle);
198 num++, e6 = ip6tc_next_rule(e6, h->handle))
200 t = ip6tc_get_target(e6, h->handle);
202 if (*t && !strcmp(t, target))
205 debug(h, "-D %s %u\n", chain, num + 1);
207 ip6tc_delete_num_entry(chain, num, h->handle);
217 for (chain = iptc_first_chain(h->handle);
219 chain = iptc_next_chain(h->handle))
224 for (num = 0, e = iptc_first_rule(chain, h->handle);
226 num++, e = iptc_next_rule(e, h->handle))
228 t = iptc_get_target(e, h->handle);
230 if (*t && !strcmp(t, target))
233 debug(h, "-D %s %u\n", chain, num + 1);
235 iptc_delete_num_entry(chain, num, h->handle);
246 fw3_ipt_create_chain(struct fw3_ipt_handle *h, const char *fmt, ...)
252 vsnprintf(buf, sizeof(buf) - 1, fmt, ap);
256 debug(h, "-N %s\n", buf);
258 iptc_create_chain(buf, h->handle);
262 fw3_ipt_flush(struct fw3_ipt_handle *h)
266 if (h->family == FW3_FAMILY_V6)
268 for (chain = ip6tc_first_chain(h->handle);
270 chain = ip6tc_next_chain(h->handle))
272 ip6tc_flush_entries(chain, h->handle);
275 for (chain = ip6tc_first_chain(h->handle);
277 chain = ip6tc_next_chain(h->handle))
279 ip6tc_delete_chain(chain, h->handle);
284 for (chain = iptc_first_chain(h->handle);
286 chain = iptc_next_chain(h->handle))
288 iptc_flush_entries(chain, h->handle);
291 for (chain = iptc_first_chain(h->handle);
293 chain = iptc_next_chain(h->handle))
295 iptc_delete_chain(chain, h->handle);
301 fw3_ipt_commit(struct fw3_ipt_handle *h)
305 if (h->family == FW3_FAMILY_V6)
307 rv = ip6tc_commit(h->handle);
309 fprintf(stderr, "ip6tc_commit(): %s\n", ip6tc_strerror(errno));
313 rv = iptc_commit(h->handle);
315 fprintf(stderr, "iptc_commit(): %s\n", iptc_strerror(errno));
321 struct fw3_ipt_rule *
322 fw3_ipt_rule_new(struct fw3_ipt_handle *h)
324 struct fw3_ipt_rule *r;
326 r = fw3_alloc(sizeof(*r));
329 r->argv = fw3_alloc(sizeof(char *));
330 r->argv[r->argc++] = "fw3";
337 is_chain(struct fw3_ipt_handle *h, const char *name)
339 if (h->family == FW3_FAMILY_V6)
340 return ip6tc_is_chain(name, h->handle);
342 return iptc_is_chain(name, h->handle);
346 get_protoname(struct fw3_ipt_rule *r)
348 const struct xtables_pprot *pp;
351 for (pp = xtables_chain_protos; pp->name; pp++)
352 if (pp->num == r->protocol)
353 return (char *)pp->name;
358 static struct xtables_match *
359 find_match(struct fw3_ipt_rule *r, const char *name)
361 return xtables_find_match(name, XTF_TRY_LOAD, &r->matches);
365 init_match(struct fw3_ipt_rule *r, struct xtables_match *m, bool no_clone)
368 struct xtables_globals *g;
373 s = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
376 strcpy(m->m->u.user.name, m->real_name ? m->real_name : m->name);
377 m->m->u.user.revision = m->revision;
378 m->m->u.match_size = s;
380 /* free previous userspace data */
384 m->udata = fw3_alloc(m->udata_size);
390 /* don't merge options if no_clone is set and this match is a clone */
391 if (no_clone && (m == m->next))
394 /* merge option table */
395 g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
398 g->opts = xtables_options_xfrm(g->orig_opts, g->opts,
399 m->x6_options, &m->option_offset);
402 g->opts = xtables_merge_options(g->orig_opts, g->opts,
403 m->extra_opts, &m->option_offset);
407 need_protomatch(struct fw3_ipt_rule *r, const char *pname)
412 if (!xtables_find_match(pname, XTF_DONT_LOAD, NULL))
415 return !r->protocol_loaded;
418 static struct xtables_match *
419 load_protomatch(struct fw3_ipt_rule *r)
421 const char *pname = get_protoname(r);
423 if (!need_protomatch(r, pname))
426 return find_match(r, pname);
429 static struct xtables_target *
430 get_target(struct fw3_ipt_rule *r, const char *name)
433 struct xtables_target *t;
434 struct xtables_globals *g;
436 bool chain = is_chain(r->h, name);
439 t = xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED);
441 t = xtables_find_target(name, XTF_TRY_LOAD);
446 s = XT_ALIGN(sizeof(struct xt_entry_target)) + t->size;
450 strcpy(t->t->u.user.name, name);
452 strcpy(t->t->u.user.name, t->real_name);
454 t->t->u.user.revision = t->revision;
455 t->t->u.target_size = s;
460 t->udata = fw3_alloc(t->udata_size);
466 /* merge option table */
467 g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
470 g->opts = xtables_options_xfrm(g->orig_opts, g->opts,
471 t->x6_options, &t->option_offset);
473 g->opts = xtables_merge_options(g->orig_opts, g->opts,
474 t->extra_opts, &t->option_offset);
482 fw3_ipt_rule_proto(struct fw3_ipt_rule *r, struct fw3_protocol *proto)
486 if (!proto || proto->any)
489 pr = proto->protocol;
491 if (r->h->family == FW3_FAMILY_V6)
496 r->e6.ipv6.proto = pr;
497 r->e6.ipv6.flags |= IP6T_F_PROTO;
500 r->e6.ipv6.invflags |= XT_INV_PROTO;
507 r->e.ip.invflags |= XT_INV_PROTO;
514 fw3_ipt_rule_in_out(struct fw3_ipt_rule *r,
515 struct fw3_device *in, struct fw3_device *out)
517 if (r->h->family == FW3_FAMILY_V6)
521 xtables_parse_interface(in->name, r->e6.ipv6.iniface,
522 r->e6.ipv6.iniface_mask);
525 r->e6.ipv6.invflags |= IP6T_INV_VIA_IN;
528 if (out && !out->any)
530 xtables_parse_interface(out->name, r->e6.ipv6.outiface,
531 r->e6.ipv6.outiface_mask);
534 r->e6.ipv6.invflags |= IP6T_INV_VIA_OUT;
541 xtables_parse_interface(in->name, r->e.ip.iniface,
542 r->e.ip.iniface_mask);
545 r->e.ip.invflags |= IPT_INV_VIA_IN;
548 if (out && !out->any)
550 xtables_parse_interface(out->name, r->e.ip.outiface,
551 r->e.ip.outiface_mask);
554 r->e.ip.invflags |= IPT_INV_VIA_OUT;
561 ip4prefix2mask(int prefix, struct in_addr *mask)
563 mask->s_addr = htonl(~((1 << (32 - prefix)) - 1));
567 ip6prefix2mask(int prefix, struct in6_addr *mask)
569 char *p = (char *)mask;
573 memset(p, 0xff, prefix / 8);
574 memset(p + (prefix / 8) + 1, 0, (128 - prefix) / 8);
575 p[prefix / 8] = 0xff << (8 - (prefix & 7));
579 memset(mask, 0, sizeof(*mask));
584 fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
585 struct fw3_address *src, struct fw3_address *dest)
589 if ((src && src->range) || (dest && dest->range))
591 fw3_ipt_rule_addarg(r, false, "-m", "iprange");
598 fw3_ipt_rule_addarg(r, src->invert, "--src-range",
599 fw3_address_to_string(src, false));
601 else if (r->h->family == FW3_FAMILY_V6)
603 r->e6.ipv6.src = src->address.v6;
604 ip6prefix2mask(src->mask, &r->e6.ipv6.smsk);
606 for (i = 0; i < 4; i++)
607 r->e6.ipv6.src.s6_addr32[i] &= r->e6.ipv6.smsk.s6_addr32[i];
610 r->e6.ipv6.invflags |= IP6T_INV_SRCIP;
614 r->e.ip.src = src->address.v4;
615 ip4prefix2mask(src->mask, &r->e.ip.smsk);
617 r->e.ip.src.s_addr &= r->e.ip.smsk.s_addr;
620 r->e.ip.invflags |= IPT_INV_SRCIP;
624 if (dest && dest->set)
628 fw3_ipt_rule_addarg(r, dest->invert, "--dst-range",
629 fw3_address_to_string(dest, false));
631 else if (r->h->family == FW3_FAMILY_V6)
633 r->e6.ipv6.dst = dest->address.v6;
634 ip6prefix2mask(dest->mask, &r->e6.ipv6.dmsk);
636 for (i = 0; i < 4; i++)
637 r->e6.ipv6.dst.s6_addr32[i] &= r->e6.ipv6.dmsk.s6_addr32[i];
640 r->e6.ipv6.invflags |= IP6T_INV_DSTIP;
644 r->e.ip.dst = dest->address.v4;
645 ip4prefix2mask(dest->mask, &r->e.ip.dmsk);
647 r->e.ip.dst.s_addr &= r->e.ip.dmsk.s_addr;
650 r->e.ip.invflags |= IPT_INV_DSTIP;
656 fw3_ipt_rule_sport_dport(struct fw3_ipt_rule *r,
657 struct fw3_port *sp, struct fw3_port *dp)
659 char buf[sizeof("65535:65535\0")];
661 if ((!sp || !sp->set) && (!dp || !dp->set))
664 if (!get_protoname(r))
669 if (sp->port_min == sp->port_max)
670 sprintf(buf, "%u", sp->port_min);
672 sprintf(buf, "%u:%u", sp->port_min, sp->port_max);
674 fw3_ipt_rule_addarg(r, sp->invert, "--sport", buf);
679 if (dp->port_min == dp->port_max)
680 sprintf(buf, "%u", dp->port_min);
682 sprintf(buf, "%u:%u", dp->port_min, dp->port_max);
684 fw3_ipt_rule_addarg(r, dp->invert, "--dport", buf);
689 fw3_ipt_rule_mac(struct fw3_ipt_rule *r, struct fw3_mac *mac)
694 fw3_ipt_rule_addarg(r, false, "-m", "mac");
695 fw3_ipt_rule_addarg(r, mac->invert, "--mac-source", ether_ntoa(&mac->mac));
699 fw3_ipt_rule_icmptype(struct fw3_ipt_rule *r, struct fw3_icmptype *icmp)
701 char buf[sizeof("255/255\0")];
706 if (r->h->family == FW3_FAMILY_V6)
708 if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
709 sprintf(buf, "%u", icmp->type6);
711 sprintf(buf, "%u/%u", icmp->type6, icmp->code6_min);
713 fw3_ipt_rule_addarg(r, icmp->invert, "--icmpv6-type", buf);
717 if (icmp->code_min == 0 && icmp->code_max == 0xFF)
718 sprintf(buf, "%u", icmp->type);
720 sprintf(buf, "%u/%u", icmp->type, icmp->code_min);
722 fw3_ipt_rule_addarg(r, icmp->invert, "--icmp-type", buf);
727 fw3_ipt_rule_limit(struct fw3_ipt_rule *r, struct fw3_limit *limit)
729 char buf[sizeof("-4294967296/second\0")];
731 if (!limit || limit->rate <= 0)
734 fw3_ipt_rule_addarg(r, false, "-m", "limit");
736 sprintf(buf, "%u/%s", limit->rate, fw3_limit_units[limit->unit]);
737 fw3_ipt_rule_addarg(r, limit->invert, "--limit", buf);
739 if (limit->burst > 0)
741 sprintf(buf, "%u", limit->burst);
742 fw3_ipt_rule_addarg(r, limit->invert, "--limit-burst", buf);
747 fw3_ipt_rule_ipset(struct fw3_ipt_rule *r, struct fw3_ipset *ipset,
750 char buf[sizeof("dst,dst,dst\0")];
753 struct fw3_ipset_datatype *type;
758 list_for_each_entry(type, &ipset->datatypes, list)
763 p += sprintf(p, "%s", type->dest ? "dst" : "src");
766 fw3_ipt_rule_addarg(r, false, "-m", "set");
768 fw3_ipt_rule_addarg(r, invert, "--match-set",
769 ipset->external ? ipset->external : ipset->name);
771 fw3_ipt_rule_addarg(r, false, buf, NULL);
775 fw3_ipt_rule_time(struct fw3_ipt_rule *r, struct fw3_time *time)
778 struct tm empty = { 0 };
780 char buf[84]; /* sizeof("1,2,3,...,30,31\0") */
783 bool d1 = memcmp(&time->datestart, &empty, sizeof(empty));
784 bool d2 = memcmp(&time->datestop, &empty, sizeof(empty));
786 if (!d1 && !d2 && !time->timestart && !time->timestop &&
787 !(time->monthdays & 0xFFFFFFFE) && !(time->weekdays & 0xFE))
792 fw3_ipt_rule_addarg(r, false, "-m", "time");
795 fw3_ipt_rule_addarg(r, false, "--utc", NULL);
799 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestart);
800 fw3_ipt_rule_addarg(r, false, "--datestart", buf);
805 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestop);
806 fw3_ipt_rule_addarg(r, false, "--datestop", buf);
811 sprintf(buf, "%02d:%02d:%02d",
812 time->timestart / 3600,
813 time->timestart % 3600 / 60,
814 time->timestart % 60);
816 fw3_ipt_rule_addarg(r, false, "--timestart", buf);
821 sprintf(buf, "%02d:%02d:%02d",
822 time->timestop / 3600,
823 time->timestop % 3600 / 60,
824 time->timestop % 60);
826 fw3_ipt_rule_addarg(r, false, "--timestop", buf);
829 if (time->monthdays & 0xFFFFFFFE)
831 for (i = 1, p = buf; i < 32; i++)
833 if (hasbit(time->monthdays, i))
838 p += sprintf(p, "%u", i);
842 fw3_ipt_rule_addarg(r, hasbit(time->monthdays, 0), "--monthdays", buf);
845 if (time->weekdays & 0xFE)
847 for (i = 1, p = buf; i < 8; i++)
849 if (hasbit(time->weekdays, i))
854 p += sprintf(p, "%u", i);
858 fw3_ipt_rule_addarg(r, hasbit(time->weekdays, 0), "--weekdays", buf);
863 fw3_ipt_rule_mark(struct fw3_ipt_rule *r, struct fw3_mark *mark)
865 char buf[sizeof("0xFFFFFFFF/0xFFFFFFFF\0")];
867 if (!mark || !mark->set)
870 if (mark->mask < 0xFFFFFFFF)
871 sprintf(buf, "0x%x/0x%x", mark->mark, mark->mask);
873 sprintf(buf, "0x%x", mark->mark);
875 fw3_ipt_rule_addarg(r, false, "-m", "mark");
876 fw3_ipt_rule_addarg(r, mark->invert, "--mark", buf);
880 fw3_ipt_rule_comment(struct fw3_ipt_rule *r, const char *fmt, ...)
889 vsnprintf(buf, sizeof(buf) - 1, fmt, ap);
892 fw3_ipt_rule_addarg(r, false, "-m", "comment");
893 fw3_ipt_rule_addarg(r, false, "--comment", buf);
897 fw3_ipt_rule_extra(struct fw3_ipt_rule *r, const char *extra)
901 if (!extra || !*extra)
904 s = fw3_strdup(extra);
906 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
908 tmp = realloc(r->argv, (r->argc + 1) * sizeof(*r->argv));
914 r->argv[r->argc++] = fw3_strdup(p);
921 rule_print6(struct ip6t_entry *e)
923 char buf[INET6_ADDRSTRLEN];
926 if (e->ipv6.flags & IP6T_F_PROTO)
928 if (e->ipv6.flags & XT_INV_PROTO)
931 pname = get_protoname(container_of(e, struct fw3_ipt_rule, e6));
934 printf(" -p %s", pname);
936 printf(" -p %u", e->ipv6.proto);
939 if (e->ipv6.iniface[0])
941 if (e->ipv6.flags & IP6T_INV_VIA_IN)
944 printf(" -i %s", e->ipv6.iniface);
947 if (e->ipv6.outiface[0])
949 if (e->ipv6.flags & IP6T_INV_VIA_OUT)
952 printf(" -o %s", e->ipv6.outiface);
955 if (memcmp(&e->ipv6.src, &in6addr_any, sizeof(struct in6_addr)))
957 if (e->ipv6.flags & IP6T_INV_SRCIP)
960 printf(" -s %s/%u", inet_ntop(AF_INET6, &e->ipv6.src, buf, sizeof(buf)),
961 xtables_ip6mask_to_cidr(&e->ipv6.smsk));
964 if (memcmp(&e->ipv6.dst, &in6addr_any, sizeof(struct in6_addr)))
966 if (e->ipv6.flags & IP6T_INV_DSTIP)
969 printf(" -d %s/%u", inet_ntop(AF_INET6, &e->ipv6.dst, buf, sizeof(buf)),
970 xtables_ip6mask_to_cidr(&e->ipv6.dmsk));
975 rule_print4(struct ipt_entry *e)
977 struct in_addr in_zero = { 0 };
978 char buf[sizeof("255.255.255.255\0")];
983 if (e->ip.flags & XT_INV_PROTO)
986 pname = get_protoname(container_of(e, struct fw3_ipt_rule, e));
989 printf(" -p %s", pname);
991 printf(" -p %u", e->ip.proto);
994 if (e->ip.iniface[0])
996 if (e->ip.flags & IPT_INV_VIA_IN)
999 printf(" -i %s", e->ip.iniface);
1002 if (e->ip.outiface[0])
1004 if (e->ip.flags & IPT_INV_VIA_OUT)
1007 printf(" -o %s", e->ip.outiface);
1010 if (memcmp(&e->ip.src, &in_zero, sizeof(struct in_addr)))
1012 if (e->ip.flags & IPT_INV_SRCIP)
1015 printf(" -s %s/%u", inet_ntop(AF_INET, &e->ip.src, buf, sizeof(buf)),
1016 xtables_ipmask_to_cidr(&e->ip.smsk));
1019 if (memcmp(&e->ip.dst, &in_zero, sizeof(struct in_addr)))
1021 if (e->ip.flags & IPT_INV_DSTIP)
1024 printf(" -d %s/%u", inet_ntop(AF_INET, &e->ip.dst, buf, sizeof(buf)),
1025 xtables_ipmask_to_cidr(&e->ip.dmsk));
1030 rule_print(struct fw3_ipt_rule *r, const char *chain)
1032 struct xtables_rule_match *rm;
1033 struct xtables_match *m;
1034 struct xtables_target *t;
1036 debug(r->h, "-A %s", chain);
1038 if (r->h->family == FW3_FAMILY_V6)
1039 rule_print6(&r->e6);
1043 for (rm = r->matches; rm; rm = rm->next)
1046 printf(" -m %s", m->alias ? m->alias(m->m) : m->m->u.user.name);
1049 m->save(&r->e.ip, m->m);
1055 printf(" -j %s", t->alias ? t->alias(t->t) : t->t->u.user.name);
1058 t->save(&r->e.ip, t->t);
1065 parse_option(struct fw3_ipt_rule *r, int optc, bool inv)
1067 struct xtables_rule_match *m;
1068 struct xtables_match *em;
1070 /* is a target option */
1071 if (r->target && (r->target->parse || r->target->x6_parse) &&
1072 optc >= r->target->option_offset &&
1073 optc < (r->target->option_offset + 256))
1075 xtables_option_tpcall(optc, r->argv, inv, r->target, &r->e);
1079 /* try to dispatch argument to one of the match parsers */
1080 for (m = r->matches; m; m = m->next)
1084 if (m->completed || (!em->parse && !em->x6_parse))
1087 if (optc < em->option_offset ||
1088 optc >= (em->option_offset + 256))
1091 xtables_option_mpcall(optc, r->argv, inv, em, &r->e);
1095 /* unhandled option, might belong to a protocol match */
1096 if ((em = load_protomatch(r)) != NULL)
1098 init_match(r, em, false);
1100 r->protocol_loaded = true;
1107 fprintf(stderr, "parse_option(): option '%s' needs argument\n",
1111 fprintf(stderr, "parse_option(): unknown option '%s'\n",
1118 fw3_ipt_rule_addarg(struct fw3_ipt_rule *r, bool inv,
1119 const char *k, const char *v)
1127 n = inv + !!k + !!v;
1128 tmp = realloc(r->argv, (r->argc + n) * sizeof(*tmp));
1136 r->argv[r->argc++] = fw3_strdup("!");
1138 r->argv[r->argc++] = fw3_strdup(k);
1141 r->argv[r->argc++] = fw3_strdup(v);
1145 fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
1148 struct xtables_rule_match *m;
1149 struct xtables_match *em;
1150 struct xtables_target *et;
1151 struct xtables_globals *g;
1152 struct ipt_entry *e;
1153 struct ip6t_entry *e6;
1161 vsnprintf(buf, sizeof(buf) - 1, fmt, ap);
1164 g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
1165 g->opts = g->orig_opts;
1170 while ((optc = getopt_long(r->argc, r->argv, "m:j:", g->opts, NULL)) != -1)
1175 em = find_match(r, optarg);
1179 fprintf(stderr, "fw3_ipt_rule_append(): Can't find match '%s'\n", optarg);
1183 init_match(r, em, true);
1187 et = get_target(r, optarg);
1191 fprintf(stderr, "fw3_ipt_rule_append(): Can't find target '%s'\n", optarg);
1198 if ((optarg[0] == '!') && (optarg[1] == '\0'))
1204 fprintf(stderr, "fw3_ipt_rule_append(): Bad argument '%s'\n", optarg);
1208 if (parse_option(r, optc, inv))
1216 for (m = r->matches; m; m = m->next)
1217 xtables_option_mfcall(m->match);
1220 xtables_option_tfcall(r->target);
1225 if (r->h->family == FW3_FAMILY_V6)
1227 s = XT_ALIGN(sizeof(struct ip6t_entry));
1229 for (m = r->matches; m; m = m->next)
1230 s += m->match->m->u.match_size;
1232 e6 = fw3_alloc(s + r->target->t->u.target_size);
1234 memcpy(e6, &r->e6, sizeof(struct ip6t_entry));
1236 e6->target_offset = s;
1237 e6->next_offset = s + r->target->t->u.target_size;
1241 for (m = r->matches; m; m = m->next)
1243 memcpy(e6->elems + s, m->match->m, m->match->m->u.match_size);
1244 s += m->match->m->u.match_size;
1247 memcpy(e6->elems + s, r->target->t, r->target->t->u.target_size);
1248 ip6tc_append_entry(buf, e6, r->h->handle);
1253 s = XT_ALIGN(sizeof(struct ipt_entry));
1255 for (m = r->matches; m; m = m->next)
1256 s += m->match->m->u.match_size;
1258 e = fw3_alloc(s + r->target->t->u.target_size);
1260 memcpy(e, &r->e, sizeof(struct ipt_entry));
1262 e->target_offset = s;
1263 e->next_offset = s + r->target->t->u.target_size;
1267 for (m = r->matches; m; m = m->next)
1269 memcpy(e->elems + s, m->match->m, m->match->m->u.match_size);
1270 s += m->match->m->u.match_size;
1273 memcpy(e->elems + s, r->target->t, r->target->t->u.target_size);
1275 if (!iptc_append_entry(buf, e, r->h->handle))
1276 fprintf(stderr, "iptc_append_entry(): %s\n", iptc_strerror(errno));
1281 for (i = 1; i < r->argc; i++)
1286 xtables_rule_matches_free(&r->matches);
1291 /* reset all targets and matches */
1292 for (em = xtables_matches; em; em = em->next)
1295 for (et = xtables_targets; et; et = et->next)
1301 xtables_free_opts(1);
1304 struct fw3_ipt_rule *
1305 fw3_ipt_rule_create(struct fw3_ipt_handle *handle, struct fw3_protocol *proto,
1306 struct fw3_device *in, struct fw3_device *out,
1307 struct fw3_address *src, struct fw3_address *dest)
1309 struct fw3_ipt_rule *r;
1311 r = fw3_ipt_rule_new(handle);
1313 fw3_ipt_rule_proto(r, proto);
1314 fw3_ipt_rule_in_out(r, in, out);
1315 fw3_ipt_rule_src_dest(r, src, dest);
projects / project / firewall3.git / blob