};
/* Required by certain extensions like SNAT and DNAT */
-int kernel_version;
+int kernel_version = 0;
void
get_kernel_version(void)
sprintf(uts.release, "3.0.0");
sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
- kernel_version = LINUX_VERSION(x, y, z);
+ kernel_version = 0x10000 * x + 0x100 * y + z;
}
+#ifdef DISABLE_IPV6
+#undef __ipt_module
+#define __ipt_module(x) libxt_##x##_init, libipt_##x##_init,
+#else
+#undef __ipt_module
+#define __ipt_module(x) libxt_##x##_init, libipt_##x##_init, libip6t_##x##_init,
+#endif
+
static void fw3_init_extensions(void)
{
- libip6t_icmp6_init();
- libip6t_LOG_init();
- libip6t_REJECT_init();
- libipt_DNAT_init();
- libipt_icmp_init();
- libipt_LOG_init();
- libipt_MASQUERADE_init();
- libipt_REDIRECT_init();
- libipt_REJECT_init();
- libipt_SNAT_init();
- libxt_comment_init();
- libxt_conntrack_init();
- libxt_CT_init();
- libxt_limit_init();
- libxt_mac_init();
- libxt_mark_init();
- libxt_MARK_init();
- libxt_set_init();
- libxt_SET_init();
- libxt_standard_init();
- libxt_TCPMSS_init();
- libxt_tcp_init();
- libxt_time_init();
- libxt_udp_init();
+ int i;
+ void (*initfuncs[])(void) = { FW3_IPT_MODULES };
+
+ for (i = 0; i < sizeof(initfuncs)/sizeof(initfuncs[0]); i++)
+ if (initfuncs[i])
+ initfuncs[i]();
}
struct fw3_ipt_handle *
if (family == FW3_FAMILY_V6)
{
+#ifndef DISABLE_IPV6
h->family = FW3_FAMILY_V6;
h->table = table;
h->handle = ip6tc_init(fw3_flag_names[table]);
xtables_set_params(&xtg6);
xtables_set_nfproto(NFPROTO_IPV6);
+#endif
}
else
{
return NULL;
}
- xtables_pending_matches = NULL;
- xtables_pending_targets = NULL;
-
- xtables_matches = NULL;
- xtables_targets = NULL;
-
+ fw3_xt_reset();
fw3_init_extensions();
return h;
if (fw3_pr_debug)
debug(h, "-P %s %s\n", chain, fw3_flag_names[policy]);
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
ip6tc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
else
+#endif
iptc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
}
debug(h, "-X %s\n", chain);
}
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
{
if (ip6tc_flush_entries(chain, h->handle))
ip6tc_delete_chain(chain, h->handle);
}
else
+#endif
{
if (iptc_flush_entries(chain, h->handle))
iptc_delete_chain(chain, h->handle);
{
unsigned int num;
const struct ipt_entry *e;
- const struct ip6t_entry *e6;
const char *chain;
const char *t;
bool found;
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
{
for (chain = ip6tc_first_chain(h->handle);
do {
found = false;
+ const struct ip6t_entry *e6;
for (num = 0, e6 = ip6tc_first_rule(chain, h->handle);
e6 != NULL;
num++, e6 = ip6tc_next_rule(e6, h->handle))
}
}
else
+#endif
{
for (chain = iptc_first_chain(h->handle);
chain != NULL;
{
const char *chain;
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
{
for (chain = ip6tc_first_chain(h->handle);
}
}
else
+#endif
{
for (chain = iptc_first_chain(h->handle);
chain != NULL;
{
int rv;
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
{
rv = ip6tc_commit(h->handle);
fprintf(stderr, "ip6tc_commit(): %s\n", ip6tc_strerror(errno));
}
else
+#endif
{
rv = iptc_commit(h->handle);
if (!rv)
static bool
is_chain(struct fw3_ipt_handle *h, const char *name)
{
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
return ip6tc_is_chain(name, h->handle);
else
+#endif
return iptc_is_chain(name, h->handle);
}
s = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
m->m = fw3_alloc(s);
- strcpy(m->m->u.user.name, m->real_name ? m->real_name : m->name);
+
+ fw3_xt_set_match_name(m);
+
m->m->u.user.revision = m->revision;
m->m->u.match_size = s;
/* free previous userspace data */
- if (m->udata_size)
- {
- free(m->udata);
- m->udata = fw3_alloc(m->udata_size);
- }
+ fw3_xt_free_match_udata(m);
if (m->init)
m->init(m->m);
/* merge option table */
g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
-
- if (m->x6_options)
- g->opts = xtables_options_xfrm(g->orig_opts, g->opts,
- m->x6_options, &m->option_offset);
-
- if (m->extra_opts)
- g->opts = xtables_merge_options(g->orig_opts, g->opts,
- m->extra_opts, &m->option_offset);
+ fw3_xt_merge_match_options(g, m);
}
static bool
s = XT_ALIGN(sizeof(struct xt_entry_target)) + t->size;
t->t = fw3_alloc(s);
- if (!t->real_name)
- strcpy(t->t->u.user.name, name);
- else
- strcpy(t->t->u.user.name, t->real_name);
+ fw3_xt_set_target_name(t, name);
t->t->u.user.revision = t->revision;
t->t->u.target_size = s;
- if (t->udata_size)
- {
- free(t->udata);
- t->udata = fw3_alloc(t->udata_size);
- }
+ /* free previous userspace data */
+ fw3_xt_free_target_udata(t);
if (t->init)
t->init(t->t);
/* merge option table */
g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
-
- if (t->x6_options)
- g->opts = xtables_options_xfrm(g->orig_opts, g->opts,
- t->x6_options, &t->option_offset);
- else
- g->opts = xtables_merge_options(g->orig_opts, g->opts,
- t->extra_opts, &t->option_offset);
+ fw3_xt_merge_target_options(g, t);
r->target = t;
pr = proto->protocol;
+#ifndef DISABLE_IPV6
if (r->h->family == FW3_FAMILY_V6)
{
if (pr == 1)
r->e6.ipv6.invflags |= XT_INV_PROTO;
}
else
+#endif
{
r->e.ip.proto = pr;
fw3_ipt_rule_in_out(struct fw3_ipt_rule *r,
struct fw3_device *in, struct fw3_device *out)
{
+#ifndef DISABLE_IPV6
if (r->h->family == FW3_FAMILY_V6)
{
if (in && !in->any)
}
}
else
+#endif
{
if (in && !in->any)
{
mask->s_addr = htonl(~((1 << (32 - prefix)) - 1));
}
+#ifndef DISABLE_IPV6
static void
ip6prefix2mask(int prefix, struct in6_addr *mask)
{
memset(mask, 0, sizeof(*mask));
}
}
+#endif
void
fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
struct fw3_address *src, struct fw3_address *dest)
{
- int i;
-
if ((src && src->range) || (dest && dest->range))
{
fw3_ipt_rule_addarg(r, false, "-m", "iprange");
fw3_ipt_rule_addarg(r, src->invert, "--src-range",
fw3_address_to_string(src, false));
}
+#ifndef DISABLE_IPV6
else if (r->h->family == FW3_FAMILY_V6)
{
r->e6.ipv6.src = src->address.v6;
ip6prefix2mask(src->mask, &r->e6.ipv6.smsk);
+ int i;
for (i = 0; i < 4; i++)
r->e6.ipv6.src.s6_addr32[i] &= r->e6.ipv6.smsk.s6_addr32[i];
if (src->invert)
r->e6.ipv6.invflags |= IP6T_INV_SRCIP;
}
+#endif
else
{
r->e.ip.src = src->address.v4;
fw3_ipt_rule_addarg(r, dest->invert, "--dst-range",
fw3_address_to_string(dest, false));
}
+#ifndef DISABLE_IPV6
else if (r->h->family == FW3_FAMILY_V6)
{
r->e6.ipv6.dst = dest->address.v6;
ip6prefix2mask(dest->mask, &r->e6.ipv6.dmsk);
+ int i;
for (i = 0; i < 4; i++)
r->e6.ipv6.dst.s6_addr32[i] &= r->e6.ipv6.dmsk.s6_addr32[i];
if (dest->invert)
r->e6.ipv6.invflags |= IP6T_INV_DSTIP;
}
+#endif
else
{
r->e.ip.dst = dest->address.v4;
if (!icmp)
return;
+#ifndef DISABLE_IPV6
if (r->h->family == FW3_FAMILY_V6)
{
if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
fw3_ipt_rule_addarg(r, icmp->invert, "--icmpv6-type", buf);
}
else
+#endif
{
if (icmp->code_min == 0 && icmp->code_max == 0xFF)
sprintf(buf, "%u", icmp->type);
free(s);
}
+#ifndef DISABLE_IPV6
static void
rule_print6(struct ip6t_entry *e)
{
xtables_ip6mask_to_cidr(&e->ipv6.dmsk));
}
}
+#endif
static void
rule_print4(struct ipt_entry *e)
debug(r->h, "-A %s", chain);
+#ifndef DISABLE_IPV6
if (r->h->family == FW3_FAMILY_V6)
rule_print6(&r->e6);
else
+#endif
rule_print4(&r->e);
for (rm = r->matches; rm; rm = rm->next)
{
m = rm->match;
- printf(" -m %s", m->alias ? m->alias(m->m) : m->m->u.user.name);
+ printf(" -m %s", fw3_xt_get_match_name(m));
if (m->save)
m->save(&r->e.ip, m->m);
if (r->target)
{
t = r->target;
- printf(" -j %s", t->alias ? t->alias(t->t) : t->t->u.user.name);
+ printf(" -j %s", fw3_xt_get_target_name(t));
if (t->save)
t->save(&r->e.ip, t->t);
struct xtables_match *em;
/* is a target option */
- if (r->target && (r->target->parse || r->target->x6_parse) &&
+ if (r->target && fw3_xt_has_target_parse(r->target) &&
optc >= r->target->option_offset &&
optc < (r->target->option_offset + 256))
{
{
em = m->match;
- if (m->completed || (!em->parse && !em->x6_parse))
+ if (m->completed || !fw3_xt_has_match_parse(em))
continue;
if (optc < em->option_offset ||
struct xtables_target *et;
struct xtables_globals *g;
struct ipt_entry *e;
- struct ip6t_entry *e6;
int i, optc;
bool inv = false;
if (!em)
{
fprintf(stderr, "fw3_ipt_rule_append(): Can't find match '%s'\n", optarg);
- return;
+ goto free;
}
init_match(r, em, true);
if (!et)
{
fprintf(stderr, "fw3_ipt_rule_append(): Can't find target '%s'\n", optarg);
- return;
+ goto free;
}
break;
if (fw3_pr_debug)
rule_print(r, buf);
+#ifndef DISABLE_IPV6
if (r->h->family == FW3_FAMILY_V6)
{
+ struct ip6t_entry *e6;
+
s = XT_ALIGN(sizeof(struct ip6t_entry));
for (m = r->matches; m; m = m->next)
free(e6);
}
else
+#endif
{
s = XT_ALIGN(sizeof(struct ipt_entry));
free(e);
}
+free:
for (i = 1; i < r->argc; i++)
free(r->argv[i]);
xtables_rule_matches_free(&r->matches);
- free(r->target->t);
+ if (r->target)
+ free(r->target->t);
+
free(r);
/* reset all targets and matches */
projects / project / firewall3.git / blobdiff