2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 static struct option base_opts[] = {
23 { .name = "match", .has_arg = 1, .val = 'm' },
24 { .name = "jump", .has_arg = 1, .val = 'j' },
25 { .name = "append", .has_arg = 1, .val = 'A' },
29 static struct xtables_globals xtg = {
31 .program_version = "4",
32 .orig_opts = base_opts,
35 static struct xtables_globals xtg6 = {
37 .program_version = "6",
38 .orig_opts = base_opts,
41 /* Required by certain extensions like SNAT and DNAT */
42 int kernel_version = 0;
45 get_kernel_version(void)
47 static struct utsname uts;
48 int x = 0, y = 0, z = 0;
50 if (uname(&uts) == -1)
51 sprintf(uts.release, "3.0.0");
53 sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
54 kernel_version = 0x10000 * x + 0x100 * y + z;
59 #define __ipt_module(x) libxt_##x##_init, libipt_##x##_init,
62 #define __ipt_module(x) libxt_##x##_init, libipt_##x##_init, libip6t_##x##_init,
65 static void fw3_init_extensions(void)
68 void (*initfuncs[])(void) = { FW3_IPT_MODULES };
70 for (i = 0; i < sizeof(initfuncs)/sizeof(initfuncs[0]); i++)
75 struct fw3_ipt_handle *
76 fw3_ipt_open(enum fw3_family family, enum fw3_table table)
78 struct fw3_ipt_handle *h;
80 h = fw3_alloc(sizeof(*h));
84 if (family == FW3_FAMILY_V6)
87 h->family = FW3_FAMILY_V6;
89 h->handle = ip6tc_init(fw3_flag_names[table]);
91 xtables_set_params(&xtg6);
92 xtables_set_nfproto(NFPROTO_IPV6);
97 h->family = FW3_FAMILY_V4;
99 h->handle = iptc_init(fw3_flag_names[table]);
101 xtables_set_params(&xtg);
102 xtables_set_nfproto(NFPROTO_IPV4);
112 fw3_init_extensions();
118 debug(struct fw3_ipt_handle *h, const char *fmt, ...)
122 printf("%s -t %s ", (h->family == FW3_FAMILY_V6) ? "ip6tables" : "iptables",
123 fw3_flag_names[h->table]);
131 fw3_ipt_set_policy(struct fw3_ipt_handle *h, const char *chain,
132 enum fw3_flag policy)
135 debug(h, "-P %s %s\n", chain, fw3_flag_names[policy]);
138 if (h->family == FW3_FAMILY_V6)
139 ip6tc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
142 iptc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
146 fw3_ipt_flush_chain(struct fw3_ipt_handle *h, const char *chain)
149 debug(h, "-F %s\n", chain);
152 if (h->family == FW3_FAMILY_V6)
153 ip6tc_flush_entries(chain, h->handle);
156 iptc_flush_entries(chain, h->handle);
160 delete_rules(struct fw3_ipt_handle *h, const char *target)
163 const struct ipt_entry *e;
169 if (h->family == FW3_FAMILY_V6)
171 for (chain = ip6tc_first_chain(h->handle);
173 chain = ip6tc_next_chain(h->handle))
178 const struct ip6t_entry *e6;
179 for (num = 0, e6 = ip6tc_first_rule(chain, h->handle);
181 num++, e6 = ip6tc_next_rule(e6, h->handle))
183 t = ip6tc_get_target(e6, h->handle);
185 if (*t && !strcmp(t, target))
188 debug(h, "-D %s %u\n", chain, num + 1);
190 ip6tc_delete_num_entry(chain, num, h->handle);
201 for (chain = iptc_first_chain(h->handle);
203 chain = iptc_next_chain(h->handle))
208 for (num = 0, e = iptc_first_rule(chain, h->handle);
210 num++, e = iptc_next_rule(e, h->handle))
212 t = iptc_get_target(e, h->handle);
214 if (*t && !strcmp(t, target))
217 debug(h, "-D %s %u\n", chain, num + 1);
219 iptc_delete_num_entry(chain, num, h->handle);
230 fw3_ipt_delete_chain(struct fw3_ipt_handle *h, const char *chain)
232 delete_rules(h, chain);
235 debug(h, "-X %s\n", chain);
238 if (h->family == FW3_FAMILY_V6)
239 ip6tc_delete_chain(chain, h->handle);
242 iptc_delete_chain(chain, h->handle);
246 fw3_ipt_create_chain(struct fw3_ipt_handle *h, const char *fmt, ...)
252 vsnprintf(buf, sizeof(buf) - 1, fmt, ap);
256 debug(h, "-N %s\n", buf);
258 iptc_create_chain(buf, h->handle);
262 fw3_ipt_flush(struct fw3_ipt_handle *h)
267 if (h->family == FW3_FAMILY_V6)
269 for (chain = ip6tc_first_chain(h->handle);
271 chain = ip6tc_next_chain(h->handle))
273 ip6tc_flush_entries(chain, h->handle);
276 for (chain = ip6tc_first_chain(h->handle);
278 chain = ip6tc_next_chain(h->handle))
280 ip6tc_delete_chain(chain, h->handle);
286 for (chain = iptc_first_chain(h->handle);
288 chain = iptc_next_chain(h->handle))
290 iptc_flush_entries(chain, h->handle);
293 for (chain = iptc_first_chain(h->handle);
295 chain = iptc_next_chain(h->handle))
297 iptc_delete_chain(chain, h->handle);
303 fw3_ipt_commit(struct fw3_ipt_handle *h)
308 if (h->family == FW3_FAMILY_V6)
310 rv = ip6tc_commit(h->handle);
312 warn("ip6tc_commit(): %s", ip6tc_strerror(errno));
317 rv = iptc_commit(h->handle);
319 warn("iptc_commit(): %s", iptc_strerror(errno));
324 fw3_ipt_close(struct fw3_ipt_handle *h)
331 dlclose(h->libv[h->libc]);
340 struct fw3_ipt_rule *
341 fw3_ipt_rule_new(struct fw3_ipt_handle *h)
343 struct fw3_ipt_rule *r;
345 r = fw3_alloc(sizeof(*r));
348 r->argv = fw3_alloc(sizeof(char *));
349 r->argv[r->argc++] = "fw3";
356 is_chain(struct fw3_ipt_handle *h, const char *name)
359 if (h->family == FW3_FAMILY_V6)
360 return ip6tc_is_chain(name, h->handle);
363 return iptc_is_chain(name, h->handle);
367 get_protoname(struct fw3_ipt_rule *r)
369 const struct xtables_pprot *pp;
372 for (pp = xtables_chain_protos; pp->name; pp++)
373 if (pp->num == r->protocol)
374 return (char *)pp->name;
380 load_extension(struct fw3_ipt_handle *h, const char *name)
384 const char *pfx = (h->family == FW3_FAMILY_V6) ? "libip6t" : "libipt";
386 snprintf(path, sizeof(path), "/usr/lib/iptables/libxt_%s.so", name);
387 if (!(lib = dlopen(path, RTLD_NOW)))
389 snprintf(path, sizeof(path), "/usr/lib/iptables/%s_%s.so", pfx, name);
390 lib = dlopen(path, RTLD_NOW);
396 tmp = realloc(h->libv, sizeof(lib) * (h->libc + 1));
402 h->libv[h->libc++] = lib;
407 static struct xtables_match *
408 find_match(struct fw3_ipt_rule *r, const char *name)
410 struct xtables_match *m;
412 m = xtables_find_match(name, XTF_DONT_LOAD, &r->matches);
414 if (!m && load_extension(r->h, name))
415 m = xtables_find_match(name, XTF_DONT_LOAD, &r->matches);
421 init_match(struct fw3_ipt_rule *r, struct xtables_match *m, bool no_clone)
424 struct xtables_globals *g;
429 s = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
433 fw3_xt_set_match_name(m);
435 m->m->u.user.revision = m->revision;
436 m->m->u.match_size = s;
438 /* free previous userspace data */
439 fw3_xt_free_match_udata(m);
444 /* don't merge options if no_clone is set and this match is a clone */
445 if (no_clone && (m == m->next))
448 /* merge option table */
449 g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
450 fw3_xt_merge_match_options(g, m);
454 need_protomatch(struct fw3_ipt_rule *r, const char *pname)
459 if (!xtables_find_match(pname, XTF_DONT_LOAD, NULL))
462 return !r->protocol_loaded;
465 static struct xtables_match *
466 load_protomatch(struct fw3_ipt_rule *r)
468 const char *pname = get_protoname(r);
470 if (!need_protomatch(r, pname))
473 return find_match(r, pname);
476 static struct xtables_target *
477 find_target(struct fw3_ipt_rule *r, const char *name)
479 struct xtables_target *t;
481 if (is_chain(r->h, name))
482 return xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED);
484 t = xtables_find_target(name, XTF_DONT_LOAD);
486 if (!t && load_extension(r->h, name))
487 t = xtables_find_target(name, XTF_DONT_LOAD);
492 static struct xtables_target *
493 get_target(struct fw3_ipt_rule *r, const char *name)
496 struct xtables_target *t;
497 struct xtables_globals *g;
499 t = find_target(r, name);
504 s = XT_ALIGN(sizeof(struct xt_entry_target)) + t->size;
507 fw3_xt_set_target_name(t, name);
509 t->t->u.user.revision = t->revision;
510 t->t->u.target_size = s;
512 /* free previous userspace data */
513 fw3_xt_free_target_udata(t);
518 /* merge option table */
519 g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
520 fw3_xt_merge_target_options(g, t);
528 fw3_ipt_rule_proto(struct fw3_ipt_rule *r, struct fw3_protocol *proto)
532 if (!proto || proto->any)
535 pr = proto->protocol;
538 if (r->h->family == FW3_FAMILY_V6)
543 r->e6.ipv6.proto = pr;
544 r->e6.ipv6.flags |= IP6T_F_PROTO;
547 r->e6.ipv6.invflags |= XT_INV_PROTO;
555 r->e.ip.invflags |= XT_INV_PROTO;
562 fw3_ipt_rule_in_out(struct fw3_ipt_rule *r,
563 struct fw3_device *in, struct fw3_device *out)
566 if (r->h->family == FW3_FAMILY_V6)
570 xtables_parse_interface(in->name, r->e6.ipv6.iniface,
571 r->e6.ipv6.iniface_mask);
574 r->e6.ipv6.invflags |= IP6T_INV_VIA_IN;
577 if (out && !out->any)
579 xtables_parse_interface(out->name, r->e6.ipv6.outiface,
580 r->e6.ipv6.outiface_mask);
583 r->e6.ipv6.invflags |= IP6T_INV_VIA_OUT;
591 xtables_parse_interface(in->name, r->e.ip.iniface,
592 r->e.ip.iniface_mask);
595 r->e.ip.invflags |= IPT_INV_VIA_IN;
598 if (out && !out->any)
600 xtables_parse_interface(out->name, r->e.ip.outiface,
601 r->e.ip.outiface_mask);
604 r->e.ip.invflags |= IPT_INV_VIA_OUT;
611 ip4prefix2mask(int prefix, struct in_addr *mask)
613 mask->s_addr = htonl(~((1 << (32 - prefix)) - 1));
618 ip6prefix2mask(int prefix, struct in6_addr *mask)
620 char *p = (char *)mask;
624 memset(p, 0xff, prefix / 8);
625 memset(p + (prefix / 8) + 1, 0, (128 - prefix) / 8);
626 p[prefix / 8] = 0xff << (8 - (prefix & 7));
630 memset(mask, 0, sizeof(*mask));
636 fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
637 struct fw3_address *src, struct fw3_address *dest)
639 if ((src && src->range) || (dest && dest->range))
641 fw3_ipt_rule_addarg(r, false, "-m", "iprange");
648 fw3_ipt_rule_addarg(r, src->invert, "--src-range",
649 fw3_address_to_string(src, false));
652 else if (r->h->family == FW3_FAMILY_V6)
654 r->e6.ipv6.src = src->address.v6;
655 ip6prefix2mask(src->mask, &r->e6.ipv6.smsk);
658 for (i = 0; i < 4; i++)
659 r->e6.ipv6.src.s6_addr32[i] &= r->e6.ipv6.smsk.s6_addr32[i];
662 r->e6.ipv6.invflags |= IP6T_INV_SRCIP;
667 r->e.ip.src = src->address.v4;
668 ip4prefix2mask(src->mask, &r->e.ip.smsk);
670 r->e.ip.src.s_addr &= r->e.ip.smsk.s_addr;
673 r->e.ip.invflags |= IPT_INV_SRCIP;
677 if (dest && dest->set)
681 fw3_ipt_rule_addarg(r, dest->invert, "--dst-range",
682 fw3_address_to_string(dest, false));
685 else if (r->h->family == FW3_FAMILY_V6)
687 r->e6.ipv6.dst = dest->address.v6;
688 ip6prefix2mask(dest->mask, &r->e6.ipv6.dmsk);
691 for (i = 0; i < 4; i++)
692 r->e6.ipv6.dst.s6_addr32[i] &= r->e6.ipv6.dmsk.s6_addr32[i];
695 r->e6.ipv6.invflags |= IP6T_INV_DSTIP;
700 r->e.ip.dst = dest->address.v4;
701 ip4prefix2mask(dest->mask, &r->e.ip.dmsk);
703 r->e.ip.dst.s_addr &= r->e.ip.dmsk.s_addr;
706 r->e.ip.invflags |= IPT_INV_DSTIP;
712 fw3_ipt_rule_sport_dport(struct fw3_ipt_rule *r,
713 struct fw3_port *sp, struct fw3_port *dp)
715 char buf[sizeof("65535:65535\0")];
717 if ((!sp || !sp->set) && (!dp || !dp->set))
720 if (!get_protoname(r))
725 if (sp->port_min == sp->port_max)
726 sprintf(buf, "%u", sp->port_min);
728 sprintf(buf, "%u:%u", sp->port_min, sp->port_max);
730 fw3_ipt_rule_addarg(r, sp->invert, "--sport", buf);
735 if (dp->port_min == dp->port_max)
736 sprintf(buf, "%u", dp->port_min);
738 sprintf(buf, "%u:%u", dp->port_min, dp->port_max);
740 fw3_ipt_rule_addarg(r, dp->invert, "--dport", buf);
745 fw3_ipt_rule_mac(struct fw3_ipt_rule *r, struct fw3_mac *mac)
750 fw3_ipt_rule_addarg(r, false, "-m", "mac");
751 fw3_ipt_rule_addarg(r, mac->invert, "--mac-source", ether_ntoa(&mac->mac));
755 fw3_ipt_rule_icmptype(struct fw3_ipt_rule *r, struct fw3_icmptype *icmp)
757 char buf[sizeof("255/255\0")];
763 if (r->h->family == FW3_FAMILY_V6)
765 if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
766 sprintf(buf, "%u", icmp->type6);
768 sprintf(buf, "%u/%u", icmp->type6, icmp->code6_min);
770 fw3_ipt_rule_addarg(r, icmp->invert, "--icmpv6-type", buf);
775 if (icmp->code_min == 0 && icmp->code_max == 0xFF)
776 sprintf(buf, "%u", icmp->type);
778 sprintf(buf, "%u/%u", icmp->type, icmp->code_min);
780 fw3_ipt_rule_addarg(r, icmp->invert, "--icmp-type", buf);
785 fw3_ipt_rule_limit(struct fw3_ipt_rule *r, struct fw3_limit *limit)
787 char buf[sizeof("-4294967296/second\0")];
789 if (!limit || limit->rate <= 0)
792 fw3_ipt_rule_addarg(r, false, "-m", "limit");
794 sprintf(buf, "%u/%s", limit->rate, fw3_limit_units[limit->unit]);
795 fw3_ipt_rule_addarg(r, limit->invert, "--limit", buf);
797 if (limit->burst > 0)
799 sprintf(buf, "%u", limit->burst);
800 fw3_ipt_rule_addarg(r, limit->invert, "--limit-burst", buf);
805 fw3_ipt_rule_ipset(struct fw3_ipt_rule *r, struct fw3_setmatch *match)
807 char buf[sizeof("dst,dst,dst\0")];
811 struct fw3_ipset *set;
812 struct fw3_ipset_datatype *type;
814 if (!match || !match->set || !match->ptr)
818 list_for_each_entry(type, &set->datatypes, list)
826 p += sprintf(p, "%s", match->dir[i] ? match->dir[i] : type->dir);
830 fw3_ipt_rule_addarg(r, false, "-m", "set");
832 fw3_ipt_rule_addarg(r, match->invert, "--match-set",
833 set->external ? set->external : set->name);
835 fw3_ipt_rule_addarg(r, false, buf, NULL);
839 fw3_ipt_rule_time(struct fw3_ipt_rule *r, struct fw3_time *time)
842 struct tm empty = { 0 };
844 char buf[84]; /* sizeof("1,2,3,...,30,31\0") */
847 bool d1 = memcmp(&time->datestart, &empty, sizeof(empty));
848 bool d2 = memcmp(&time->datestop, &empty, sizeof(empty));
850 if (!d1 && !d2 && !time->timestart && !time->timestop &&
851 !(time->monthdays & 0xFFFFFFFE) && !(time->weekdays & 0xFE))
856 fw3_ipt_rule_addarg(r, false, "-m", "time");
859 fw3_ipt_rule_addarg(r, false, "--utc", NULL);
863 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestart);
864 fw3_ipt_rule_addarg(r, false, "--datestart", buf);
869 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestop);
870 fw3_ipt_rule_addarg(r, false, "--datestop", buf);
875 sprintf(buf, "%02d:%02d:%02d",
876 time->timestart / 3600,
877 time->timestart % 3600 / 60,
878 time->timestart % 60);
880 fw3_ipt_rule_addarg(r, false, "--timestart", buf);
885 sprintf(buf, "%02d:%02d:%02d",
886 time->timestop / 3600,
887 time->timestop % 3600 / 60,
888 time->timestop % 60);
890 fw3_ipt_rule_addarg(r, false, "--timestop", buf);
893 if (time->monthdays & 0xFFFFFFFE)
895 for (i = 1, p = buf; i < 32; i++)
897 if (hasbit(time->monthdays, i))
902 p += sprintf(p, "%u", i);
906 fw3_ipt_rule_addarg(r, hasbit(time->monthdays, 0), "--monthdays", buf);
909 if (time->weekdays & 0xFE)
911 for (i = 1, p = buf; i < 8; i++)
913 if (hasbit(time->weekdays, i))
918 p += sprintf(p, "%u", i);
922 fw3_ipt_rule_addarg(r, hasbit(time->weekdays, 0), "--weekdays", buf);
927 fw3_ipt_rule_mark(struct fw3_ipt_rule *r, struct fw3_mark *mark)
929 char buf[sizeof("0xFFFFFFFF/0xFFFFFFFF\0")];
931 if (!mark || !mark->set)
934 if (mark->mask < 0xFFFFFFFF)
935 sprintf(buf, "0x%x/0x%x", mark->mark, mark->mask);
937 sprintf(buf, "0x%x", mark->mark);
939 fw3_ipt_rule_addarg(r, false, "-m", "mark");
940 fw3_ipt_rule_addarg(r, mark->invert, "--mark", buf);
944 fw3_ipt_rule_comment(struct fw3_ipt_rule *r, const char *fmt, ...)
953 vsnprintf(buf, sizeof(buf) - 1, fmt, ap);
956 fw3_ipt_rule_addarg(r, false, "-m", "comment");
957 fw3_ipt_rule_addarg(r, false, "--comment", buf);
961 fw3_ipt_rule_extra(struct fw3_ipt_rule *r, const char *extra)
965 if (!extra || !*extra)
968 s = fw3_strdup(extra);
970 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
972 tmp = realloc(r->argv, (r->argc + 1) * sizeof(*r->argv));
978 r->argv[r->argc++] = fw3_strdup(p);
986 rule_print6(struct ip6t_entry *e)
988 char buf[INET6_ADDRSTRLEN];
991 if (e->ipv6.flags & IP6T_F_PROTO)
993 if (e->ipv6.flags & XT_INV_PROTO)
996 pname = get_protoname(container_of(e, struct fw3_ipt_rule, e6));
999 printf(" -p %s", pname);
1001 printf(" -p %u", e->ipv6.proto);
1004 if (e->ipv6.iniface[0])
1006 if (e->ipv6.flags & IP6T_INV_VIA_IN)
1009 printf(" -i %s", e->ipv6.iniface);
1012 if (e->ipv6.outiface[0])
1014 if (e->ipv6.flags & IP6T_INV_VIA_OUT)
1017 printf(" -o %s", e->ipv6.outiface);
1020 if (memcmp(&e->ipv6.src, &in6addr_any, sizeof(struct in6_addr)))
1022 if (e->ipv6.flags & IP6T_INV_SRCIP)
1025 printf(" -s %s/%u", inet_ntop(AF_INET6, &e->ipv6.src, buf, sizeof(buf)),
1026 xtables_ip6mask_to_cidr(&e->ipv6.smsk));
1029 if (memcmp(&e->ipv6.dst, &in6addr_any, sizeof(struct in6_addr)))
1031 if (e->ipv6.flags & IP6T_INV_DSTIP)
1034 printf(" -d %s/%u", inet_ntop(AF_INET6, &e->ipv6.dst, buf, sizeof(buf)),
1035 xtables_ip6mask_to_cidr(&e->ipv6.dmsk));
1041 rule_print4(struct ipt_entry *e)
1043 struct in_addr in_zero = { 0 };
1044 char buf[sizeof("255.255.255.255\0")];
1049 if (e->ip.flags & XT_INV_PROTO)
1052 pname = get_protoname(container_of(e, struct fw3_ipt_rule, e));
1055 printf(" -p %s", pname);
1057 printf(" -p %u", e->ip.proto);
1060 if (e->ip.iniface[0])
1062 if (e->ip.flags & IPT_INV_VIA_IN)
1065 printf(" -i %s", e->ip.iniface);
1068 if (e->ip.outiface[0])
1070 if (e->ip.flags & IPT_INV_VIA_OUT)
1073 printf(" -o %s", e->ip.outiface);
1076 if (memcmp(&e->ip.src, &in_zero, sizeof(struct in_addr)))
1078 if (e->ip.flags & IPT_INV_SRCIP)
1081 printf(" -s %s/%u", inet_ntop(AF_INET, &e->ip.src, buf, sizeof(buf)),
1082 xtables_ipmask_to_cidr(&e->ip.smsk));
1085 if (memcmp(&e->ip.dst, &in_zero, sizeof(struct in_addr)))
1087 if (e->ip.flags & IPT_INV_DSTIP)
1090 printf(" -d %s/%u", inet_ntop(AF_INET, &e->ip.dst, buf, sizeof(buf)),
1091 xtables_ipmask_to_cidr(&e->ip.dmsk));
1096 rule_print(struct fw3_ipt_rule *r, const char *prefix, const char *chain)
1098 debug(r->h, "%s %s", prefix, chain);
1100 #ifndef DISABLE_IPV6
1101 if (r->h->family == FW3_FAMILY_V6)
1102 rule_print6(&r->e6);
1107 fw3_xt_print_matches(&r->e.ip, r->matches);
1108 fw3_xt_print_target(&r->e.ip, r->target);
1114 parse_option(struct fw3_ipt_rule *r, int optc, bool inv)
1116 struct xtables_rule_match *m;
1117 struct xtables_match *em;
1119 /* is a target option */
1120 if (r->target && fw3_xt_has_target_parse(r->target) &&
1121 optc >= r->target->option_offset &&
1122 optc < (r->target->option_offset + 256))
1124 xtables_option_tpcall(optc, r->argv, inv, r->target, &r->e);
1128 /* try to dispatch argument to one of the match parsers */
1129 for (m = r->matches; m; m = m->next)
1133 if (m->completed || !fw3_xt_has_match_parse(em))
1136 if (optc < em->option_offset ||
1137 optc >= (em->option_offset + 256))
1140 xtables_option_mpcall(optc, r->argv, inv, em, &r->e);
1144 /* unhandled option, might belong to a protocol match */
1145 if ((em = load_protomatch(r)) != NULL)
1147 init_match(r, em, false);
1149 r->protocol_loaded = true;
1156 warn("parse_option(): option '%s' needs argument", r->argv[optind-1]);
1159 warn("parse_option(): unknown option '%s'", r->argv[optind-1]);
1165 fw3_ipt_rule_addarg(struct fw3_ipt_rule *r, bool inv,
1166 const char *k, const char *v)
1174 n = inv + !!k + !!v;
1175 tmp = realloc(r->argv, (r->argc + n) * sizeof(*tmp));
1183 r->argv[r->argc++] = fw3_strdup("!");
1185 r->argv[r->argc++] = fw3_strdup(k);
1188 r->argv[r->argc++] = fw3_strdup(v);
1191 static unsigned char *
1192 rule_mask(struct fw3_ipt_rule *r)
1195 unsigned char *p, *mask = NULL;
1196 struct xtables_rule_match *m;
1198 #define SZ(x) XT_ALIGN(sizeof(struct x))
1200 #ifndef DISABLE_IPV6
1201 if (r->h->family == FW3_FAMILY_V6)
1205 for (m = r->matches; m; m = m->next)
1206 s += SZ(ip6t_entry_match) + m->match->size;
1208 s += SZ(ip6t_entry_target) + r->target->size;
1210 mask = fw3_alloc(s);
1211 memset(mask, 0xFF, SZ(ip6t_entry));
1212 p = mask + SZ(ip6t_entry);
1214 for (m = r->matches; m; m = m->next)
1216 memset(p, 0xFF, SZ(ip6t_entry_match) + m->match->userspacesize);
1217 p += SZ(ip6t_entry_match) + m->match->size;
1220 memset(p, 0xFF, SZ(ip6t_entry_target) + r->target->userspacesize);
1227 for (m = r->matches; m; m = m->next)
1228 s += SZ(ipt_entry_match) + m->match->size;
1230 s += SZ(ipt_entry_target) + r->target->size;
1232 mask = fw3_alloc(s);
1233 memset(mask, 0xFF, SZ(ipt_entry));
1234 p = mask + SZ(ipt_entry);
1236 for (m = r->matches; m; m = m->next)
1238 memset(p, 0xFF, SZ(ipt_entry_match) + m->match->userspacesize);
1239 p += SZ(ipt_entry_match) + m->match->size;
1242 memset(p, 0xFF, SZ(ipt_entry_target) + r->target->userspacesize);
1249 rule_build(struct fw3_ipt_rule *r)
1252 struct xtables_rule_match *m;
1254 #ifndef DISABLE_IPV6
1255 if (r->h->family == FW3_FAMILY_V6)
1257 struct ip6t_entry *e6;
1259 s = XT_ALIGN(sizeof(struct ip6t_entry));
1261 for (m = r->matches; m; m = m->next)
1262 s += m->match->m->u.match_size;
1264 e6 = fw3_alloc(s + r->target->t->u.target_size);
1266 memcpy(e6, &r->e6, sizeof(struct ip6t_entry));
1268 e6->target_offset = s;
1269 e6->next_offset = s + r->target->t->u.target_size;
1273 for (m = r->matches; m; m = m->next)
1275 memcpy(e6->elems + s, m->match->m, m->match->m->u.match_size);
1276 s += m->match->m->u.match_size;
1279 memcpy(e6->elems + s, r->target->t, r->target->t->u.target_size);
1286 struct ipt_entry *e;
1288 s = XT_ALIGN(sizeof(struct ipt_entry));
1290 for (m = r->matches; m; m = m->next)
1291 s += m->match->m->u.match_size;
1293 e = fw3_alloc(s + r->target->t->u.target_size);
1295 memcpy(e, &r->e, sizeof(struct ipt_entry));
1297 e->target_offset = s;
1298 e->next_offset = s + r->target->t->u.target_size;
1302 for (m = r->matches; m; m = m->next)
1304 memcpy(e->elems + s, m->match->m, m->match->m->u.match_size);
1305 s += m->match->m->u.match_size;
1308 memcpy(e->elems + s, r->target->t, r->target->t->u.target_size);
1315 __fw3_ipt_rule_append(struct fw3_ipt_rule *r, bool repl, const char *fmt, ...)
1318 unsigned char *mask;
1320 struct xtables_rule_match *m;
1321 struct xtables_match *em;
1322 struct xtables_target *et;
1323 struct xtables_globals *g;
1331 vsnprintf(buf, sizeof(buf) - 1, fmt, ap);
1334 g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
1335 g->opts = g->orig_opts;
1340 while ((optc = getopt_long(r->argc, r->argv, "m:j:", g->opts, NULL)) != -1)
1345 em = find_match(r, optarg);
1349 warn("fw3_ipt_rule_append(): Can't find match '%s'", optarg);
1353 init_match(r, em, true);
1357 et = get_target(r, optarg);
1361 warn("fw3_ipt_rule_append(): Can't find target '%s'", optarg);
1368 if ((optarg[0] == '!') && (optarg[1] == '\0'))
1374 warn("fw3_ipt_rule_append(): Bad argument '%s'", optarg);
1378 if (parse_option(r, optc, inv))
1386 for (m = r->matches; m; m = m->next)
1387 xtables_option_mfcall(m->match);
1390 xtables_option_tfcall(r->target);
1392 rule = rule_build(r);
1394 #ifndef DISABLE_IPV6
1395 if (r->h->family == FW3_FAMILY_V6)
1399 mask = rule_mask(r);
1401 while (ip6tc_delete_entry(buf, rule, mask, r->h->handle))
1403 rule_print(r, "-D", buf);
1409 rule_print(r, "-A", buf);
1411 if (!ip6tc_append_entry(buf, rule, r->h->handle))
1412 warn("ip6tc_append_entry(): %s", ip6tc_strerror(errno));
1419 mask = rule_mask(r);
1421 while (iptc_delete_entry(buf, rule, mask, r->h->handle))
1423 rule_print(r, "-D", buf);
1429 rule_print(r, "-A", buf);
1431 if (!iptc_append_entry(buf, rule, r->h->handle))
1432 warn("iptc_append_entry(): %s\n", iptc_strerror(errno));
1438 for (i = 1; i < r->argc; i++)
1443 xtables_rule_matches_free(&r->matches);
1450 /* reset all targets and matches */
1451 for (em = xtables_matches; em; em = em->next)
1454 for (et = xtables_targets; et; et = et->next)
1460 xtables_free_opts(1);
1463 struct fw3_ipt_rule *
1464 fw3_ipt_rule_create(struct fw3_ipt_handle *handle, struct fw3_protocol *proto,
1465 struct fw3_device *in, struct fw3_device *out,
1466 struct fw3_address *src, struct fw3_address *dest)
1468 struct fw3_ipt_rule *r;
1470 r = fw3_ipt_rule_new(handle);
1472 fw3_ipt_rule_proto(r, proto);
1473 fw3_ipt_rule_in_out(r, in, out);
1474 fw3_ipt_rule_src_dest(r, src, dest);
projects / project / firewall3.git / blob