kernel_version = 0x10000 * x + 0x100 * y + z;
}
+#ifdef DISABLE_IPV6
+#undef __ipt_module
+#define __ipt_module(x) libxt_##x##_init, libipt_##x##_init,
+#else
#undef __ipt_module
#define __ipt_module(x) libxt_##x##_init, libipt_##x##_init, libip6t_##x##_init,
+#endif
static void fw3_init_extensions(void)
{
if (family == FW3_FAMILY_V6)
{
+#ifndef DISABLE_IPV6
h->family = FW3_FAMILY_V6;
h->table = table;
h->handle = ip6tc_init(fw3_flag_names[table]);
xtables_set_params(&xtg6);
xtables_set_nfproto(NFPROTO_IPV6);
+#endif
}
else
{
if (fw3_pr_debug)
debug(h, "-P %s %s\n", chain, fw3_flag_names[policy]);
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
ip6tc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
else
+#endif
iptc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
}
debug(h, "-X %s\n", chain);
}
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
{
if (ip6tc_flush_entries(chain, h->handle))
ip6tc_delete_chain(chain, h->handle);
}
else
+#endif
{
if (iptc_flush_entries(chain, h->handle))
iptc_delete_chain(chain, h->handle);
{
unsigned int num;
const struct ipt_entry *e;
- const struct ip6t_entry *e6;
const char *chain;
const char *t;
bool found;
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
{
for (chain = ip6tc_first_chain(h->handle);
do {
found = false;
+ const struct ip6t_entry *e6;
for (num = 0, e6 = ip6tc_first_rule(chain, h->handle);
e6 != NULL;
num++, e6 = ip6tc_next_rule(e6, h->handle))
}
}
else
+#endif
{
for (chain = iptc_first_chain(h->handle);
chain != NULL;
{
const char *chain;
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
{
for (chain = ip6tc_first_chain(h->handle);
}
}
else
+#endif
{
for (chain = iptc_first_chain(h->handle);
chain != NULL;
{
int rv;
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
{
rv = ip6tc_commit(h->handle);
fprintf(stderr, "ip6tc_commit(): %s\n", ip6tc_strerror(errno));
}
else
+#endif
{
rv = iptc_commit(h->handle);
if (!rv)
fprintf(stderr, "iptc_commit(): %s\n", iptc_strerror(errno));
}
+}
+
+void
+fw3_ipt_close(struct fw3_ipt_handle *h)
+{
+ if (h->libv)
+ {
+ while (h->libc > 0)
+ {
+ h->libc--;
+ dlclose(h->libv[h->libc]);
+ }
+
+ free(h->libv);
+ }
free(h);
}
static bool
is_chain(struct fw3_ipt_handle *h, const char *name)
{
+#ifndef DISABLE_IPV6
if (h->family == FW3_FAMILY_V6)
return ip6tc_is_chain(name, h->handle);
else
+#endif
return iptc_is_chain(name, h->handle);
}
return NULL;
}
+static bool
+load_extension(struct fw3_ipt_handle *h, const char *name)
+{
+ char path[256];
+ void *lib, **tmp;
+ const char *pfx = (h->family == FW3_FAMILY_V6) ? "libip6t" : "libipt";
+
+ snprintf(path, sizeof(path), "/usr/lib/iptables/libxt_%s.so", name);
+ if (!(lib = dlopen(path, RTLD_NOW)))
+ {
+ snprintf(path, sizeof(path), "/usr/lib/iptables/%s_%s.so", pfx, name);
+ lib = dlopen(path, RTLD_NOW);
+ }
+
+ if (!lib)
+ return false;
+
+ tmp = realloc(h->libv, sizeof(lib) * (h->libc + 1));
+
+ if (!tmp)
+ return false;
+
+ h->libv = tmp;
+ h->libv[h->libc++] = lib;
+
+ return true;
+}
+
static struct xtables_match *
find_match(struct fw3_ipt_rule *r, const char *name)
{
- return xtables_find_match(name, XTF_TRY_LOAD, &r->matches);
+ struct xtables_match *m;
+
+ m = xtables_find_match(name, XTF_DONT_LOAD, &r->matches);
+
+ if (!m && load_extension(r->h, name))
+ m = xtables_find_match(name, XTF_DONT_LOAD, &r->matches);
+
+ return m;
}
static void
}
static struct xtables_target *
+find_target(struct fw3_ipt_rule *r, const char *name)
+{
+ struct xtables_target *t;
+
+ if (is_chain(r->h, name))
+ return xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED);
+
+ t = xtables_find_target(name, XTF_DONT_LOAD);
+
+ if (!t && load_extension(r->h, name))
+ t = xtables_find_target(name, XTF_DONT_LOAD);
+
+ return t;
+}
+
+static struct xtables_target *
get_target(struct fw3_ipt_rule *r, const char *name)
{
size_t s;
struct xtables_target *t;
struct xtables_globals *g;
- bool chain = is_chain(r->h, name);
-
- if (chain)
- t = xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED);
- else
- t = xtables_find_target(name, XTF_TRY_LOAD);
+ t = find_target(r, name);
if (!t)
return NULL;
pr = proto->protocol;
+#ifndef DISABLE_IPV6
if (r->h->family == FW3_FAMILY_V6)
{
if (pr == 1)
r->e6.ipv6.invflags |= XT_INV_PROTO;
}
else
+#endif
{
r->e.ip.proto = pr;
fw3_ipt_rule_in_out(struct fw3_ipt_rule *r,
struct fw3_device *in, struct fw3_device *out)
{
+#ifndef DISABLE_IPV6
if (r->h->family == FW3_FAMILY_V6)
{
if (in && !in->any)
}
}
else
+#endif
{
if (in && !in->any)
{
mask->s_addr = htonl(~((1 << (32 - prefix)) - 1));
}
+#ifndef DISABLE_IPV6
static void
ip6prefix2mask(int prefix, struct in6_addr *mask)
{
memset(mask, 0, sizeof(*mask));
}
}
+#endif
void
fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
struct fw3_address *src, struct fw3_address *dest)
{
- int i;
-
if ((src && src->range) || (dest && dest->range))
{
fw3_ipt_rule_addarg(r, false, "-m", "iprange");
fw3_ipt_rule_addarg(r, src->invert, "--src-range",
fw3_address_to_string(src, false));
}
+#ifndef DISABLE_IPV6
else if (r->h->family == FW3_FAMILY_V6)
{
r->e6.ipv6.src = src->address.v6;
ip6prefix2mask(src->mask, &r->e6.ipv6.smsk);
+ int i;
for (i = 0; i < 4; i++)
r->e6.ipv6.src.s6_addr32[i] &= r->e6.ipv6.smsk.s6_addr32[i];
if (src->invert)
r->e6.ipv6.invflags |= IP6T_INV_SRCIP;
}
+#endif
else
{
r->e.ip.src = src->address.v4;
fw3_ipt_rule_addarg(r, dest->invert, "--dst-range",
fw3_address_to_string(dest, false));
}
+#ifndef DISABLE_IPV6
else if (r->h->family == FW3_FAMILY_V6)
{
r->e6.ipv6.dst = dest->address.v6;
ip6prefix2mask(dest->mask, &r->e6.ipv6.dmsk);
+ int i;
for (i = 0; i < 4; i++)
r->e6.ipv6.dst.s6_addr32[i] &= r->e6.ipv6.dmsk.s6_addr32[i];
if (dest->invert)
r->e6.ipv6.invflags |= IP6T_INV_DSTIP;
}
+#endif
else
{
r->e.ip.dst = dest->address.v4;
if (!icmp)
return;
+#ifndef DISABLE_IPV6
if (r->h->family == FW3_FAMILY_V6)
{
if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
fw3_ipt_rule_addarg(r, icmp->invert, "--icmpv6-type", buf);
}
else
+#endif
{
if (icmp->code_min == 0 && icmp->code_max == 0xFF)
sprintf(buf, "%u", icmp->type);
free(s);
}
+#ifndef DISABLE_IPV6
static void
rule_print6(struct ip6t_entry *e)
{
xtables_ip6mask_to_cidr(&e->ipv6.dmsk));
}
}
+#endif
static void
rule_print4(struct ipt_entry *e)
static void
rule_print(struct fw3_ipt_rule *r, const char *chain)
{
- struct xtables_rule_match *rm;
- struct xtables_match *m;
- struct xtables_target *t;
-
debug(r->h, "-A %s", chain);
+#ifndef DISABLE_IPV6
if (r->h->family == FW3_FAMILY_V6)
rule_print6(&r->e6);
else
+#endif
rule_print4(&r->e);
- for (rm = r->matches; rm; rm = rm->next)
- {
- m = rm->match;
- printf(" -m %s", fw3_xt_get_match_name(m));
-
- if (m->save)
- m->save(&r->e.ip, m->m);
- }
-
- if (r->target)
- {
- t = r->target;
- printf(" -j %s", fw3_xt_get_target_name(t));
-
- if (t->save)
- t->save(&r->e.ip, t->t);
- }
+ fw3_xt_print_matches(&r->e.ip, r->matches);
+ fw3_xt_print_target(&r->e.ip, r->target);
printf("\n");
}
struct xtables_target *et;
struct xtables_globals *g;
struct ipt_entry *e;
- struct ip6t_entry *e6;
int i, optc;
bool inv = false;
if (fw3_pr_debug)
rule_print(r, buf);
+#ifndef DISABLE_IPV6
if (r->h->family == FW3_FAMILY_V6)
{
+ struct ip6t_entry *e6;
+
s = XT_ALIGN(sizeof(struct ip6t_entry));
for (m = r->matches; m; m = m->next)
free(e6);
}
else
+#endif
{
s = XT_ALIGN(sizeof(struct ipt_entry));
projects / project / firewall3.git / blobdiff