2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 static struct option base_opts[] = {
23 { .name = "match", .has_arg = 1, .val = 'm' },
24 { .name = "jump", .has_arg = 1, .val = 'j' },
25 { .name = "append", .has_arg = 1, .val = 'A' },
29 static struct xtables_globals xtg = {
31 .program_version = "4",
32 .orig_opts = base_opts,
35 static struct xtables_globals xtg6 = {
37 .program_version = "6",
38 .orig_opts = base_opts,
41 /* Required by certain extensions like SNAT and DNAT */
45 get_kernel_version(void)
47 static struct utsname uts;
48 int x = 0, y = 0, z = 0;
50 if (uname(&uts) == -1)
51 sprintf(uts.release, "3.0.0");
53 sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
54 kernel_version = LINUX_VERSION(x, y, z);
57 struct fw3_ipt_handle *
58 fw3_ipt_open(enum fw3_family family, enum fw3_table table)
60 struct fw3_ipt_handle *h;
62 h = fw3_alloc(sizeof(*h));
66 if (family == FW3_FAMILY_V6)
68 h->family = FW3_FAMILY_V6;
70 h->handle = ip6tc_init(fw3_flag_names[table]);
72 xtables_set_params(&xtg6);
73 xtables_set_nfproto(NFPROTO_IPV6);
77 h->family = FW3_FAMILY_V4;
79 h->handle = iptc_init(fw3_flag_names[table]);
81 xtables_set_params(&xtg);
82 xtables_set_nfproto(NFPROTO_IPV4);
91 xtables_pending_matches = NULL;
92 xtables_pending_targets = NULL;
94 xtables_matches = NULL;
95 xtables_targets = NULL;
105 fw3_ipt_set_policy(struct fw3_ipt_handle *h, const char *chain,
106 enum fw3_flag policy)
109 printf("-P %s %s\n", chain, fw3_flag_names[policy]);
111 if (h->family == FW3_FAMILY_V6)
112 ip6tc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
114 iptc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
118 fw3_ipt_delete_chain(struct fw3_ipt_handle *h, const char *chain)
122 printf("-F %s\n", chain);
123 printf("-X %s\n", chain);
126 if (h->family == FW3_FAMILY_V6)
128 if (ip6tc_flush_entries(chain, h->handle))
129 ip6tc_delete_chain(chain, h->handle);
133 if (iptc_flush_entries(chain, h->handle))
134 iptc_delete_chain(chain, h->handle);
139 fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
142 const struct ipt_entry *e;
143 const struct ip6t_entry *e6;
148 if (h->family == FW3_FAMILY_V6)
150 for (chain = ip6tc_first_chain(h->handle);
152 chain = ip6tc_next_chain(h->handle))
157 for (num = 0, e6 = ip6tc_first_rule(chain, h->handle);
159 num++, e6 = ip6tc_next_rule(e6, h->handle))
161 t = ip6tc_get_target(e6, h->handle);
163 if (*t && !strcmp(t, target))
166 printf("-D %s %u\n", chain, num + 1);
168 ip6tc_delete_num_entry(chain, num, h->handle);
178 for (chain = iptc_first_chain(h->handle);
180 chain = iptc_next_chain(h->handle))
185 for (num = 0, e = iptc_first_rule(chain, h->handle);
187 num++, e = iptc_next_rule(e, h->handle))
189 t = iptc_get_target(e, h->handle);
191 if (*t && !strcmp(t, target))
194 printf("-D %s %u\n", chain, num + 1);
196 iptc_delete_num_entry(chain, num, h->handle);
207 fw3_ipt_flush(struct fw3_ipt_handle *h)
211 if (h->family == FW3_FAMILY_V6)
213 for (chain = ip6tc_first_chain(h->handle);
215 chain = ip6tc_next_chain(h->handle))
217 ip6tc_flush_entries(chain, h->handle);
220 for (chain = ip6tc_first_chain(h->handle);
222 chain = ip6tc_next_chain(h->handle))
224 ip6tc_delete_chain(chain, h->handle);
229 for (chain = iptc_first_chain(h->handle);
231 chain = iptc_next_chain(h->handle))
233 iptc_flush_entries(chain, h->handle);
236 for (chain = iptc_first_chain(h->handle);
238 chain = iptc_next_chain(h->handle))
240 iptc_delete_chain(chain, h->handle);
246 fw3_ipt_commit(struct fw3_ipt_handle *h)
250 if (h->family == FW3_FAMILY_V6)
252 rv = ip6tc_commit(h->handle);
254 fprintf(stderr, "ip6tc_commit(): %s\n", ip6tc_strerror(errno));
258 rv = iptc_commit(h->handle);
260 fprintf(stderr, "iptc_commit(): %s\n", iptc_strerror(errno));
266 struct fw3_ipt_rule *
267 fw3_ipt_rule_new(struct fw3_ipt_handle *h)
269 struct fw3_ipt_rule *r;
271 r = fw3_alloc(sizeof(*r));
274 r->argv = fw3_alloc(sizeof(char *));
275 r->argv[r->argc++] = "fw3";
282 is_chain(struct fw3_ipt_handle *h, const char *name)
284 if (h->family == FW3_FAMILY_V6)
285 return ip6tc_is_chain(name, h->handle);
287 return iptc_is_chain(name, h->handle);
291 get_protoname(struct fw3_ipt_rule *r)
293 const struct xtables_pprot *pp;
296 for (pp = xtables_chain_protos; pp->name; pp++)
297 if (pp->num == r->protocol)
298 return (char *)pp->name;
303 static struct xtables_match *
304 find_match(struct fw3_ipt_rule *r, const char *name)
306 return xtables_find_match(name, XTF_TRY_LOAD, &r->matches);
310 init_match(struct fw3_ipt_rule *r, struct xtables_match *m, bool no_clone)
313 struct xtables_globals *g;
318 s = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
321 strcpy(m->m->u.user.name, m->real_name ? m->real_name : m->name);
322 m->m->u.user.revision = m->revision;
323 m->m->u.match_size = s;
325 /* free previous userspace data */
329 m->udata = fw3_alloc(m->udata_size);
335 /* don't merge options if no_clone is set and this match is a clone */
336 if (no_clone && (m == m->next))
339 /* merge option table */
340 g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
343 g->opts = xtables_options_xfrm(g->orig_opts, g->opts,
344 m->x6_options, &m->option_offset);
347 g->opts = xtables_merge_options(g->orig_opts, g->opts,
348 m->extra_opts, &m->option_offset);
352 need_protomatch(struct fw3_ipt_rule *r, const char *pname)
357 if (!xtables_find_match(pname, XTF_DONT_LOAD, NULL))
360 return !r->protocol_loaded;
363 static struct xtables_match *
364 load_protomatch(struct fw3_ipt_rule *r)
366 const char *pname = get_protoname(r);
368 if (!need_protomatch(r, pname))
371 return find_match(r, pname);
374 static struct xtables_target *
375 get_target(struct fw3_ipt_rule *r, const char *name)
378 struct xtables_target *t;
379 struct xtables_globals *g;
381 bool chain = is_chain(r->h, name);
384 t = xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED);
386 t = xtables_find_target(name, XTF_TRY_LOAD);
391 s = XT_ALIGN(sizeof(struct xt_entry_target)) + t->size;
395 strcpy(t->t->u.user.name, name);
397 strcpy(t->t->u.user.name, t->real_name);
399 t->t->u.user.revision = t->revision;
400 t->t->u.target_size = s;
405 t->udata = fw3_alloc(t->udata_size);
411 /* merge option table */
412 g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
415 g->opts = xtables_options_xfrm(g->orig_opts, g->opts,
416 t->x6_options, &t->option_offset);
418 g->opts = xtables_merge_options(g->orig_opts, g->opts,
419 t->extra_opts, &t->option_offset);
427 fw3_ipt_rule_proto(struct fw3_ipt_rule *r, struct fw3_protocol *proto)
431 if (!proto || proto->any)
434 pr = proto->protocol;
436 if (r->h->family == FW3_FAMILY_V6)
441 r->e6.ipv6.proto = pr;
442 r->e6.ipv6.flags |= IP6T_F_PROTO;
445 r->e6.ipv6.invflags |= XT_INV_PROTO;
452 r->e.ip.invflags |= XT_INV_PROTO;
459 fw3_ipt_rule_in_out(struct fw3_ipt_rule *r,
460 struct fw3_device *in, struct fw3_device *out)
462 if (r->h->family == FW3_FAMILY_V6)
466 xtables_parse_interface(in->name, r->e6.ipv6.iniface,
467 r->e6.ipv6.iniface_mask);
470 r->e6.ipv6.invflags |= IP6T_INV_VIA_IN;
473 if (out && !out->any)
475 xtables_parse_interface(out->name, r->e6.ipv6.outiface,
476 r->e6.ipv6.outiface_mask);
479 r->e6.ipv6.invflags |= IP6T_INV_VIA_OUT;
486 xtables_parse_interface(in->name, r->e.ip.iniface,
487 r->e.ip.iniface_mask);
490 r->e.ip.invflags |= IPT_INV_VIA_IN;
493 if (out && !out->any)
495 xtables_parse_interface(out->name, r->e.ip.outiface,
496 r->e.ip.outiface_mask);
499 r->e.ip.invflags |= IPT_INV_VIA_OUT;
506 ip4prefix2mask(int prefix, struct in_addr *mask)
508 mask->s_addr = htonl(~((1 << (32 - prefix)) - 1));
512 ip6prefix2mask(int prefix, struct in6_addr *mask)
514 char *p = (char *)mask;
518 memset(p, 0xff, prefix / 8);
519 memset(p + (prefix / 8) + 1, 0, (128 - prefix) / 8);
520 p[prefix / 8] = 0xff << (8 - (prefix & 7));
524 memset(mask, 0, sizeof(*mask));
529 fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
530 struct fw3_address *src, struct fw3_address *dest)
534 if ((src && src->range) || (dest && dest->range))
536 fw3_ipt_rule_addarg(r, false, "-m", "iprange");
543 fw3_ipt_rule_addarg(r, src->invert, "--src-range",
544 fw3_address_to_string(src, false));
546 else if (r->h->family == FW3_FAMILY_V6)
548 r->e6.ipv6.src = src->address.v6;
549 ip6prefix2mask(src->mask, &r->e6.ipv6.smsk);
551 for (i = 0; i < 4; i++)
552 r->e6.ipv6.src.s6_addr32[i] &= r->e6.ipv6.smsk.s6_addr32[i];
555 r->e6.ipv6.invflags |= IP6T_INV_SRCIP;
559 r->e.ip.src = src->address.v4;
560 ip4prefix2mask(src->mask, &r->e.ip.smsk);
562 r->e.ip.src.s_addr &= r->e.ip.smsk.s_addr;
565 r->e.ip.invflags |= IPT_INV_SRCIP;
569 if (dest && dest->set)
573 fw3_ipt_rule_addarg(r, dest->invert, "--dst-range",
574 fw3_address_to_string(dest, false));
576 else if (r->h->family == FW3_FAMILY_V6)
578 r->e6.ipv6.dst = dest->address.v6;
579 ip6prefix2mask(dest->mask, &r->e6.ipv6.dmsk);
581 for (i = 0; i < 4; i++)
582 r->e6.ipv6.dst.s6_addr32[i] &= r->e6.ipv6.dmsk.s6_addr32[i];
585 r->e6.ipv6.invflags |= IP6T_INV_DSTIP;
589 r->e.ip.dst = dest->address.v4;
590 ip4prefix2mask(dest->mask, &r->e.ip.dmsk);
592 r->e.ip.dst.s_addr &= r->e.ip.dmsk.s_addr;
595 r->e.ip.invflags |= IPT_INV_DSTIP;
601 fw3_ipt_rule_sport_dport(struct fw3_ipt_rule *r,
602 struct fw3_port *sp, struct fw3_port *dp)
604 char buf[sizeof("65535:65535\0")];
606 if ((!sp || !sp->set) && (!dp || !dp->set))
609 if (!get_protoname(r))
614 if (sp->port_min == sp->port_max)
615 sprintf(buf, "%u", sp->port_min);
617 sprintf(buf, "%u:%u", sp->port_min, sp->port_max);
619 fw3_ipt_rule_addarg(r, sp->invert, "--sport", buf);
624 if (dp->port_min == dp->port_max)
625 sprintf(buf, "%u", dp->port_min);
627 sprintf(buf, "%u:%u", dp->port_min, dp->port_max);
629 fw3_ipt_rule_addarg(r, dp->invert, "--dport", buf);
634 fw3_ipt_rule_mac(struct fw3_ipt_rule *r, struct fw3_mac *mac)
639 fw3_ipt_rule_addarg(r, false, "-m", "mac");
640 fw3_ipt_rule_addarg(r, mac->invert, "--mac-source", ether_ntoa(&mac->mac));
644 fw3_ipt_rule_icmptype(struct fw3_ipt_rule *r, struct fw3_icmptype *icmp)
646 char buf[sizeof("255/255\0")];
651 if (r->h->family == FW3_FAMILY_V6)
653 if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
654 sprintf(buf, "%u", icmp->type6);
656 sprintf(buf, "%u/%u", icmp->type6, icmp->code6_min);
658 fw3_ipt_rule_addarg(r, icmp->invert, "--icmpv6-type", buf);
662 if (icmp->code_min == 0 && icmp->code_max == 0xFF)
663 sprintf(buf, "%u", icmp->type);
665 sprintf(buf, "%u/%u", icmp->type, icmp->code_min);
667 fw3_ipt_rule_addarg(r, icmp->invert, "--icmp-type", buf);
672 fw3_ipt_rule_limit(struct fw3_ipt_rule *r, struct fw3_limit *limit)
674 char buf[sizeof("-4294967296/second\0")];
676 if (!limit || limit->rate <= 0)
679 fw3_ipt_rule_addarg(r, false, "-m", "limit");
681 sprintf(buf, "%u/%s", limit->rate, fw3_limit_units[limit->unit]);
682 fw3_ipt_rule_addarg(r, limit->invert, "--limit", buf);
684 if (limit->burst > 0)
686 sprintf(buf, "%u", limit->burst);
687 fw3_ipt_rule_addarg(r, limit->invert, "--limit-burst", buf);
692 fw3_ipt_rule_ipset(struct fw3_ipt_rule *r, struct fw3_ipset *ipset,
695 char buf[sizeof("dst,dst,dst\0")];
698 struct fw3_ipset_datatype *type;
703 list_for_each_entry(type, &ipset->datatypes, list)
708 p += sprintf(p, "%s", type->dest ? "dst" : "src");
711 fw3_ipt_rule_addarg(r, false, "-m", "set");
713 fw3_ipt_rule_addarg(r, invert, "--match-set",
714 ipset->external ? ipset->external : ipset->name);
716 fw3_ipt_rule_addarg(r, false, buf, NULL);
720 fw3_ipt_rule_time(struct fw3_ipt_rule *r, struct fw3_time *time)
723 struct tm empty = { 0 };
725 char buf[84]; /* sizeof("1,2,3,...,30,31\0") */
728 bool d1 = memcmp(&time->datestart, &empty, sizeof(empty));
729 bool d2 = memcmp(&time->datestop, &empty, sizeof(empty));
731 if (!d1 && !d2 && !time->timestart && !time->timestop &&
732 !(time->monthdays & 0xFFFFFFFE) && !(time->weekdays & 0xFE))
737 fw3_ipt_rule_addarg(r, false, "-m", "time");
740 fw3_ipt_rule_addarg(r, false, "--utc", NULL);
744 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestart);
745 fw3_ipt_rule_addarg(r, false, "--datestart", buf);
750 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestop);
751 fw3_ipt_rule_addarg(r, false, "--datestop", buf);
756 sprintf(buf, "%02d:%02d:%02d",
757 time->timestart / 3600,
758 time->timestart % 3600 / 60,
759 time->timestart % 60);
761 fw3_ipt_rule_addarg(r, false, "--timestart", buf);
766 sprintf(buf, "%02d:%02d:%02d",
767 time->timestop / 3600,
768 time->timestop % 3600 / 60,
769 time->timestop % 60);
771 fw3_ipt_rule_addarg(r, false, "--timestop", buf);
774 if (time->monthdays & 0xFFFFFFFE)
776 for (i = 1, p = buf; i < 32; i++)
778 if (hasbit(time->monthdays, i))
783 p += sprintf(p, "%u", i);
787 fw3_ipt_rule_addarg(r, hasbit(time->monthdays, 0), "--monthdays", buf);
790 if (time->weekdays & 0xFE)
792 for (i = 1, p = buf; i < 8; i++)
794 if (hasbit(time->weekdays, i))
799 p += sprintf(p, "%u", i);
803 fw3_ipt_rule_addarg(r, hasbit(time->weekdays, 0), "--weekdays", buf);
808 fw3_ipt_rule_mark(struct fw3_ipt_rule *r, struct fw3_mark *mark)
810 char buf[sizeof("0xFFFFFFFF/0xFFFFFFFF\0")];
812 if (!mark || !mark->set)
815 if (mark->mask < 0xFFFFFFFF)
816 sprintf(buf, "0x%x/0x%x", mark->mark, mark->mask);
818 sprintf(buf, "0x%x", mark->mark);
820 fw3_ipt_rule_addarg(r, false, "-m", "mark");
821 fw3_ipt_rule_addarg(r, mark->invert, "--mark", buf);
825 fw3_ipt_rule_comment(struct fw3_ipt_rule *r, const char *fmt, ...)
834 vsnprintf(buf, sizeof(buf) - 1, fmt, ap);
837 fw3_ipt_rule_addarg(r, false, "-m", "comment");
838 fw3_ipt_rule_addarg(r, false, "--comment", buf);
842 fw3_ipt_rule_extra(struct fw3_ipt_rule *r, const char *extra)
846 if (!extra || !*extra)
849 s = fw3_strdup(extra);
851 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
853 tmp = realloc(r->argv, (r->argc + 1) * sizeof(*r->argv));
859 r->argv[r->argc++] = fw3_strdup(p);
866 rule_print6(struct ip6t_entry *e)
868 char buf[INET6_ADDRSTRLEN];
871 if (e->ipv6.flags & IP6T_F_PROTO)
873 if (e->ipv6.flags & XT_INV_PROTO)
876 pname = get_protoname(container_of(e, struct fw3_ipt_rule, e6));
879 printf(" -p %s", pname);
881 printf(" -p %u", e->ipv6.proto);
884 if (e->ipv6.iniface[0])
886 if (e->ipv6.flags & IP6T_INV_VIA_IN)
889 printf(" -i %s", e->ipv6.iniface);
892 if (e->ipv6.outiface[0])
894 if (e->ipv6.flags & IP6T_INV_VIA_OUT)
897 printf(" -o %s", e->ipv6.outiface);
900 if (memcmp(&e->ipv6.src, &in6addr_any, sizeof(struct in6_addr)))
902 if (e->ipv6.flags & IP6T_INV_SRCIP)
905 printf(" -s %s/%u", inet_ntop(AF_INET6, &e->ipv6.src, buf, sizeof(buf)),
906 xtables_ip6mask_to_cidr(&e->ipv6.smsk));
909 if (memcmp(&e->ipv6.dst, &in6addr_any, sizeof(struct in6_addr)))
911 if (e->ipv6.flags & IP6T_INV_DSTIP)
914 printf(" -d %s/%u", inet_ntop(AF_INET6, &e->ipv6.dst, buf, sizeof(buf)),
915 xtables_ip6mask_to_cidr(&e->ipv6.dmsk));
920 rule_print4(struct ipt_entry *e)
922 struct in_addr in_zero = { 0 };
923 char buf[sizeof("255.255.255.255\0")];
928 if (e->ip.flags & XT_INV_PROTO)
931 pname = get_protoname(container_of(e, struct fw3_ipt_rule, e));
934 printf(" -p %s", pname);
936 printf(" -p %u", e->ip.proto);
939 if (e->ip.iniface[0])
941 if (e->ip.flags & IPT_INV_VIA_IN)
944 printf(" -i %s", e->ip.iniface);
947 if (e->ip.outiface[0])
949 if (e->ip.flags & IPT_INV_VIA_OUT)
952 printf(" -o %s", e->ip.outiface);
955 if (memcmp(&e->ip.src, &in_zero, sizeof(struct in_addr)))
957 if (e->ip.flags & IPT_INV_SRCIP)
960 printf(" -s %s/%u", inet_ntop(AF_INET, &e->ip.src, buf, sizeof(buf)),
961 xtables_ipmask_to_cidr(&e->ip.smsk));
964 if (memcmp(&e->ip.dst, &in_zero, sizeof(struct in_addr)))
966 if (e->ip.flags & IPT_INV_DSTIP)
969 printf(" -d %s/%u", inet_ntop(AF_INET, &e->ip.dst, buf, sizeof(buf)),
970 xtables_ipmask_to_cidr(&e->ip.dmsk));
975 rule_print(struct fw3_ipt_rule *r, const char *chain)
977 struct xtables_rule_match *rm;
978 struct xtables_match *m;
979 struct xtables_target *t;
981 printf("-A %s", chain);
983 if (r->h->family == FW3_FAMILY_V6)
988 for (rm = r->matches; rm; rm = rm->next)
991 printf(" -m %s", m->alias ? m->alias(m->m) : m->m->u.user.name);
994 m->save(&r->e.ip, m->m);
1000 printf(" -j %s", t->alias ? t->alias(t->t) : t->t->u.user.name);
1003 t->save(&r->e.ip, t->t);
1010 parse_option(struct fw3_ipt_rule *r, int optc, bool inv)
1012 struct xtables_rule_match *m;
1013 struct xtables_match *em;
1015 /* is a target option */
1016 if (r->target && (r->target->parse || r->target->x6_parse) &&
1017 optc >= r->target->option_offset &&
1018 optc < (r->target->option_offset + 256))
1020 xtables_option_tpcall(optc, r->argv, inv, r->target, &r->e);
1024 /* try to dispatch argument to one of the match parsers */
1025 for (m = r->matches; m; m = m->next)
1029 if (m->completed || (!em->parse && !em->x6_parse))
1032 if (optc < em->option_offset ||
1033 optc >= (em->option_offset + 256))
1036 xtables_option_mpcall(optc, r->argv, inv, em, &r->e);
1040 /* unhandled option, might belong to a protocol match */
1041 if ((em = load_protomatch(r)) != NULL)
1043 init_match(r, em, false);
1045 r->protocol_loaded = true;
1052 fprintf(stderr, "parse_option(): option '%s' needs argument\n",
1056 fprintf(stderr, "parse_option(): unknown option '%s'\n",
1063 fw3_ipt_rule_addarg(struct fw3_ipt_rule *r, bool inv,
1064 const char *k, const char *v)
1072 n = inv + !!k + !!v;
1073 tmp = realloc(r->argv, (r->argc + n) * sizeof(*tmp));
1081 r->argv[r->argc++] = fw3_strdup("!");
1083 r->argv[r->argc++] = fw3_strdup(k);
1086 r->argv[r->argc++] = fw3_strdup(v);
1090 fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
1093 struct xtables_rule_match *m;
1094 struct xtables_match *em;
1095 struct xtables_target *et;
1096 struct xtables_globals *g;
1097 struct ipt_entry *e;
1098 struct ip6t_entry *e6;
1106 vsnprintf(buf, sizeof(buf) - 1, fmt, ap);
1109 g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
1110 g->opts = g->orig_opts;
1115 while ((optc = getopt_long(r->argc, r->argv, "m:j:", g->opts, NULL)) != -1)
1120 em = find_match(r, optarg);
1124 fprintf(stderr, "fw3_ipt_rule_append(): Can't find match '%s'\n", optarg);
1128 init_match(r, em, true);
1132 et = get_target(r, optarg);
1136 fprintf(stderr, "fw3_ipt_rule_append(): Can't find target '%s'\n", optarg);
1143 if ((optarg[0] == '!') && (optarg[1] == '\0'))
1149 fprintf(stderr, "fw3_ipt_rule_append(): Bad argument '%s'\n", optarg);
1153 if (parse_option(r, optc, inv))
1161 for (m = r->matches; m; m = m->next)
1162 xtables_option_mfcall(m->match);
1165 xtables_option_tfcall(r->target);
1170 if (r->h->family == FW3_FAMILY_V6)
1172 s = XT_ALIGN(sizeof(struct ip6t_entry));
1174 for (m = r->matches; m; m = m->next)
1175 s += m->match->m->u.match_size;
1177 e6 = fw3_alloc(s + r->target->t->u.target_size);
1179 memcpy(e6, &r->e6, sizeof(struct ip6t_entry));
1181 e6->target_offset = s;
1182 e6->next_offset = s + r->target->t->u.target_size;
1186 for (m = r->matches; m; m = m->next)
1188 memcpy(e6->elems + s, m->match->m, m->match->m->u.match_size);
1189 s += m->match->m->u.match_size;
1192 memcpy(e6->elems + s, r->target->t, r->target->t->u.target_size);
1193 ip6tc_append_entry(buf, e6, r->h->handle);
1198 s = XT_ALIGN(sizeof(struct ipt_entry));
1200 for (m = r->matches; m; m = m->next)
1201 s += m->match->m->u.match_size;
1203 e = fw3_alloc(s + r->target->t->u.target_size);
1205 memcpy(e, &r->e, sizeof(struct ipt_entry));
1207 e->target_offset = s;
1208 e->next_offset = s + r->target->t->u.target_size;
1212 for (m = r->matches; m; m = m->next)
1214 memcpy(e->elems + s, m->match->m, m->match->m->u.match_size);
1215 s += m->match->m->u.match_size;
1218 memcpy(e->elems + s, r->target->t, r->target->t->u.target_size);
1220 if (!iptc_append_entry(buf, e, r->h->handle))
1221 fprintf(stderr, "iptc_append_entry(): %s\n", iptc_strerror(errno));
1226 for (i = 1; i < r->argc; i++)
1231 xtables_rule_matches_free(&r->matches);
1236 /* reset all targets and matches */
1237 for (em = xtables_matches; em; em = em->next)
1240 for (et = xtables_targets; et; et = et->next)
1246 xtables_free_opts(1);
1249 struct fw3_ipt_rule *
1250 fw3_ipt_rule_create(struct fw3_ipt_handle *handle, struct fw3_protocol *proto,
1251 struct fw3_device *in, struct fw3_device *out,
1252 struct fw3_address *src, struct fw3_address *dest)
1254 struct fw3_ipt_rule *r;
1256 r = fw3_ipt_rule_new(handle);
1258 fw3_ipt_rule_proto(r, proto);
1259 fw3_ipt_rule_in_out(r, in, out);
1260 fw3_ipt_rule_src_dest(r, src, dest);
projects / project / firewall3.git / blob