Extend ipset option syntax to support specifying directions inplace.
[project/firewall3.git] / iptables.c
index fd230d3..e1ad2d4 100644 (file)
@@ -39,7 +39,7 @@ static struct xtables_globals xtg6 = {
 };
 
 /* Required by certain extensions like SNAT and DNAT */
-int kernel_version;
+int kernel_version = 0;
 
 void
 get_kernel_version(void)
@@ -51,7 +51,25 @@ get_kernel_version(void)
                sprintf(uts.release, "3.0.0");
 
        sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
-       kernel_version = LINUX_VERSION(x, y, z);
+       kernel_version = 0x10000 * x + 0x100 * y + z;
+}
+
+#ifdef DISABLE_IPV6
+#undef __ipt_module
+#define __ipt_module(x) libxt_##x##_init, libipt_##x##_init,
+#else
+#undef __ipt_module
+#define __ipt_module(x) libxt_##x##_init, libipt_##x##_init, libip6t_##x##_init,
+#endif
+
+static void fw3_init_extensions(void)
+{
+       int i;
+       void (*initfuncs[])(void) = { FW3_IPT_MODULES };
+
+       for (i = 0; i < sizeof(initfuncs)/sizeof(initfuncs[0]); i++)
+               if (initfuncs[i])
+                       initfuncs[i]();
 }
 
 struct fw3_ipt_handle *
@@ -65,12 +83,14 @@ fw3_ipt_open(enum fw3_family family, enum fw3_table table)
 
        if (family == FW3_FAMILY_V6)
        {
+#ifndef DISABLE_IPV6
                h->family = FW3_FAMILY_V6;
                h->table  = table;
                h->handle = ip6tc_init(fw3_flag_names[table]);
 
                xtables_set_params(&xtg6);
                xtables_set_nfproto(NFPROTO_IPV6);
+#endif
        }
        else
        {
@@ -88,17 +108,23 @@ fw3_ipt_open(enum fw3_family family, enum fw3_table table)
                return NULL;
        }
 
-       xtables_pending_matches = NULL;
-       xtables_pending_targets = NULL;
+       fw3_xt_reset();
+       fw3_init_extensions();
 
-       xtables_matches = NULL;
-       xtables_targets = NULL;
+       return h;
+}
+
+static void
+debug(struct fw3_ipt_handle *h, const char *fmt, ...)
+{
+       va_list ap;
 
-       init_extensions();
-       init_extensions4();
-       init_extensions6();
+       printf("%s -t %s ", (h->family == FW3_FAMILY_V6) ? "ip6tables" : "iptables",
+                           fw3_flag_names[h->table]);
 
-       return h;
+       va_start(ap, fmt);
+       vprintf(fmt, ap);
+       va_end(ap);
 }
 
 void
@@ -106,11 +132,13 @@ fw3_ipt_set_policy(struct fw3_ipt_handle *h, const char *chain,
                    enum fw3_flag policy)
 {
        if (fw3_pr_debug)
-               printf("-P %s %s\n", chain, fw3_flag_names[policy]);
+               debug(h, "-P %s %s\n", chain, fw3_flag_names[policy]);
 
+#ifndef DISABLE_IPV6
        if (h->family == FW3_FAMILY_V6)
                ip6tc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
        else
+#endif
                iptc_set_policy(chain, fw3_flag_names[policy], NULL, h->handle);
 }
 
@@ -119,16 +147,18 @@ fw3_ipt_delete_chain(struct fw3_ipt_handle *h, const char *chain)
 {
        if (fw3_pr_debug)
        {
-               printf("-F %s\n", chain);
-               printf("-X %s\n", chain);
+               debug(h, "-F %s\n", chain);
+               debug(h, "-X %s\n", chain);
        }
 
+#ifndef DISABLE_IPV6
        if (h->family == FW3_FAMILY_V6)
        {
                if (ip6tc_flush_entries(chain, h->handle))
                        ip6tc_delete_chain(chain, h->handle);
        }
        else
+#endif
        {
                if (iptc_flush_entries(chain, h->handle))
                        iptc_delete_chain(chain, h->handle);
@@ -140,11 +170,11 @@ fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
 {
        unsigned int num;
        const struct ipt_entry *e;
-       const struct ip6t_entry *e6;
        const char *chain;
        const char *t;
        bool found;
 
+#ifndef DISABLE_IPV6
        if (h->family == FW3_FAMILY_V6)
        {
                for (chain = ip6tc_first_chain(h->handle);
@@ -154,6 +184,7 @@ fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
                        do {
                                found = false;
 
+                               const struct ip6t_entry *e6;
                                for (num = 0, e6 = ip6tc_first_rule(chain, h->handle);
                                         e6 != NULL;
                                         num++, e6 = ip6tc_next_rule(e6, h->handle))
@@ -163,7 +194,7 @@ fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
                                        if (*t && !strcmp(t, target))
                                        {
                                                if (fw3_pr_debug)
-                                                       printf("-D %s %u\n", chain, num + 1);
+                                                       debug(h, "-D %s %u\n", chain, num + 1);
 
                                                ip6tc_delete_num_entry(chain, num, h->handle);
                                                found = true;
@@ -174,6 +205,7 @@ fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
                }
        }
        else
+#endif
        {
                for (chain = iptc_first_chain(h->handle);
                     chain != NULL;
@@ -191,7 +223,7 @@ fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
                                        if (*t && !strcmp(t, target))
                                        {
                                                if (fw3_pr_debug)
-                                                       printf("-D %s %u\n", chain, num + 1);
+                                                       debug(h, "-D %s %u\n", chain, num + 1);
 
                                                iptc_delete_num_entry(chain, num, h->handle);
                                                found = true;
@@ -204,10 +236,27 @@ fw3_ipt_delete_rules(struct fw3_ipt_handle *h, const char *target)
 }
 
 void
+fw3_ipt_create_chain(struct fw3_ipt_handle *h, const char *fmt, ...)
+{
+       char buf[32];
+       va_list ap;
+
+       va_start(ap, fmt);
+       vsnprintf(buf, sizeof(buf) - 1, fmt, ap);
+       va_end(ap);
+
+       if (fw3_pr_debug)
+               debug(h, "-N %s\n", buf);
+
+       iptc_create_chain(buf, h->handle);
+}
+
+void
 fw3_ipt_flush(struct fw3_ipt_handle *h)
 {
        const char *chain;
 
+#ifndef DISABLE_IPV6
        if (h->family == FW3_FAMILY_V6)
        {
                for (chain = ip6tc_first_chain(h->handle);
@@ -225,6 +274,7 @@ fw3_ipt_flush(struct fw3_ipt_handle *h)
                }
        }
        else
+#endif
        {
                for (chain = iptc_first_chain(h->handle);
                     chain != NULL;
@@ -247,6 +297,7 @@ fw3_ipt_commit(struct fw3_ipt_handle *h)
 {
        int rv;
 
+#ifndef DISABLE_IPV6
        if (h->family == FW3_FAMILY_V6)
        {
                rv = ip6tc_commit(h->handle);
@@ -254,11 +305,27 @@ fw3_ipt_commit(struct fw3_ipt_handle *h)
                        fprintf(stderr, "ip6tc_commit(): %s\n", ip6tc_strerror(errno));
        }
        else
+#endif
        {
                rv = iptc_commit(h->handle);
                if (!rv)
                        fprintf(stderr, "iptc_commit(): %s\n", iptc_strerror(errno));
        }
+}
+
+void
+fw3_ipt_close(struct fw3_ipt_handle *h)
+{
+       if (h->libv)
+       {
+               while (h->libc > 0)
+               {
+                       h->libc--;
+                       dlclose(h->libv[h->libc]);
+               }
+
+               free(h->libv);
+       }
 
        free(h);
 }
@@ -281,9 +348,11 @@ fw3_ipt_rule_new(struct fw3_ipt_handle *h)
 static bool
 is_chain(struct fw3_ipt_handle *h, const char *name)
 {
+#ifndef DISABLE_IPV6
        if (h->family == FW3_FAMILY_V6)
                return ip6tc_is_chain(name, h->handle);
        else
+#endif
                return iptc_is_chain(name, h->handle);
 }
 
@@ -300,10 +369,45 @@ get_protoname(struct fw3_ipt_rule *r)
        return NULL;
 }
 
+static bool
+load_extension(struct fw3_ipt_handle *h, const char *name)
+{
+       char path[256];
+       void *lib, **tmp;
+       const char *pfx = (h->family == FW3_FAMILY_V6) ? "libip6t" : "libipt";
+
+       snprintf(path, sizeof(path), "/usr/lib/iptables/libxt_%s.so", name);
+       if (!(lib = dlopen(path, RTLD_NOW)))
+       {
+               snprintf(path, sizeof(path), "/usr/lib/iptables/%s_%s.so", pfx, name);
+               lib = dlopen(path, RTLD_NOW);
+       }
+
+       if (!lib)
+               return false;
+
+       tmp = realloc(h->libv, sizeof(lib) * (h->libc + 1));
+
+       if (!tmp)
+               return false;
+
+       h->libv = tmp;
+       h->libv[h->libc++] = lib;
+
+       return true;
+}
+
 static struct xtables_match *
 find_match(struct fw3_ipt_rule *r, const char *name)
 {
-       return xtables_find_match(name, XTF_TRY_LOAD, &r->matches);
+       struct xtables_match *m;
+
+       m = xtables_find_match(name, XTF_DONT_LOAD, &r->matches);
+
+       if (!m && load_extension(r->h, name))
+               m = xtables_find_match(name, XTF_DONT_LOAD, &r->matches);
+
+       return m;
 }
 
 static void
@@ -318,16 +422,14 @@ init_match(struct fw3_ipt_rule *r, struct xtables_match *m, bool no_clone)
        s = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
 
        m->m = fw3_alloc(s);
-       strcpy(m->m->u.user.name, m->real_name ? m->real_name : m->name);
+
+       fw3_xt_set_match_name(m);
+
        m->m->u.user.revision = m->revision;
        m->m->u.match_size = s;
 
        /* free previous userspace data */
-       if (m->udata_size)
-       {
-               free(m->udata);
-               m->udata = fw3_alloc(m->udata_size);
-       }
+       fw3_xt_free_match_udata(m);
 
        if (m->init)
                m->init(m->m);
@@ -338,14 +440,7 @@ init_match(struct fw3_ipt_rule *r, struct xtables_match *m, bool no_clone)
 
        /* merge option table */
        g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
-
-       if (m->x6_options)
-               g->opts = xtables_options_xfrm(g->orig_opts, g->opts,
-                                                                          m->x6_options, &m->option_offset);
-
-       if (m->extra_opts)
-               g->opts = xtables_merge_options(g->orig_opts, g->opts,
-                                                                               m->extra_opts, &m->option_offset);
+       fw3_xt_merge_match_options(g, m);
 }
 
 static bool
@@ -372,18 +467,29 @@ load_protomatch(struct fw3_ipt_rule *r)
 }
 
 static struct xtables_target *
+find_target(struct fw3_ipt_rule *r, const char *name)
+{
+       struct xtables_target *t;
+
+       if (is_chain(r->h, name))
+               return xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED);
+
+       t = xtables_find_target(name, XTF_DONT_LOAD);
+
+       if (!t && load_extension(r->h, name))
+               t = xtables_find_target(name, XTF_DONT_LOAD);
+
+       return t;
+}
+
+static struct xtables_target *
 get_target(struct fw3_ipt_rule *r, const char *name)
 {
        size_t s;
        struct xtables_target *t;
        struct xtables_globals *g;
 
-       bool chain = is_chain(r->h, name);
-
-       if (chain)
-               t = xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED);
-       else
-               t = xtables_find_target(name, XTF_TRY_LOAD);
+       t = find_target(r, name);
 
        if (!t)
                return NULL;
@@ -391,32 +497,20 @@ get_target(struct fw3_ipt_rule *r, const char *name)
        s = XT_ALIGN(sizeof(struct xt_entry_target)) + t->size;
        t->t = fw3_alloc(s);
 
-       if (!t->real_name)
-               strcpy(t->t->u.user.name, name);
-       else
-               strcpy(t->t->u.user.name, t->real_name);
+       fw3_xt_set_target_name(t, name);
 
        t->t->u.user.revision = t->revision;
        t->t->u.target_size = s;
 
-       if (t->udata_size)
-       {
-               free(t->udata);
-               t->udata = fw3_alloc(t->udata_size);
-       }
+       /* free previous userspace data */
+       fw3_xt_free_target_udata(t);
 
        if (t->init)
                t->init(t->t);
 
        /* merge option table */
        g = (r->h->family == FW3_FAMILY_V6) ? &xtg6 : &xtg;
-
-       if (t->x6_options)
-               g->opts = xtables_options_xfrm(g->orig_opts, g->opts,
-                                              t->x6_options, &t->option_offset);
-       else
-               g->opts = xtables_merge_options(g->orig_opts, g->opts,
-                                               t->extra_opts, &t->option_offset);
+       fw3_xt_merge_target_options(g, t);
 
        r->target = t;
 
@@ -433,6 +527,7 @@ fw3_ipt_rule_proto(struct fw3_ipt_rule *r, struct fw3_protocol *proto)
 
        pr = proto->protocol;
 
+#ifndef DISABLE_IPV6
        if (r->h->family == FW3_FAMILY_V6)
        {
                if (pr == 1)
@@ -445,6 +540,7 @@ fw3_ipt_rule_proto(struct fw3_ipt_rule *r, struct fw3_protocol *proto)
                        r->e6.ipv6.invflags |= XT_INV_PROTO;
        }
        else
+#endif
        {
                r->e.ip.proto = pr;
 
@@ -459,6 +555,7 @@ void
 fw3_ipt_rule_in_out(struct fw3_ipt_rule *r,
                     struct fw3_device *in, struct fw3_device *out)
 {
+#ifndef DISABLE_IPV6
        if (r->h->family == FW3_FAMILY_V6)
        {
                if (in && !in->any)
@@ -480,6 +577,7 @@ fw3_ipt_rule_in_out(struct fw3_ipt_rule *r,
                }
        }
        else
+#endif
        {
                if (in && !in->any)
                {
@@ -508,6 +606,7 @@ ip4prefix2mask(int prefix, struct in_addr *mask)
        mask->s_addr = htonl(~((1 << (32 - prefix)) - 1));
 }
 
+#ifndef DISABLE_IPV6
 static void
 ip6prefix2mask(int prefix, struct in6_addr *mask)
 {
@@ -524,13 +623,12 @@ ip6prefix2mask(int prefix, struct in6_addr *mask)
                memset(mask, 0, sizeof(*mask));
        }
 }
+#endif
 
 void
 fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
                       struct fw3_address *src, struct fw3_address *dest)
 {
-       int i;
-
        if ((src && src->range) || (dest && dest->range))
        {
                fw3_ipt_rule_addarg(r, false, "-m", "iprange");
@@ -543,17 +641,20 @@ fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
                        fw3_ipt_rule_addarg(r, src->invert, "--src-range",
                                            fw3_address_to_string(src, false));
                }
+#ifndef DISABLE_IPV6
                else if (r->h->family == FW3_FAMILY_V6)
                {
                        r->e6.ipv6.src = src->address.v6;
                        ip6prefix2mask(src->mask, &r->e6.ipv6.smsk);
 
+                       int i;
                        for (i = 0; i < 4; i++)
                                r->e6.ipv6.src.s6_addr32[i] &= r->e6.ipv6.smsk.s6_addr32[i];
 
                        if (src->invert)
                                r->e6.ipv6.invflags |= IP6T_INV_SRCIP;
                }
+#endif
                else
                {
                        r->e.ip.src = src->address.v4;
@@ -573,17 +674,20 @@ fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
                        fw3_ipt_rule_addarg(r, dest->invert, "--dst-range",
                                            fw3_address_to_string(dest, false));
                }
+#ifndef DISABLE_IPV6
                else if (r->h->family == FW3_FAMILY_V6)
                {
                        r->e6.ipv6.dst = dest->address.v6;
                        ip6prefix2mask(dest->mask, &r->e6.ipv6.dmsk);
 
+                       int i;
                        for (i = 0; i < 4; i++)
                                r->e6.ipv6.dst.s6_addr32[i] &= r->e6.ipv6.dmsk.s6_addr32[i];
 
                        if (dest->invert)
                                r->e6.ipv6.invflags |= IP6T_INV_DSTIP;
                }
+#endif
                else
                {
                        r->e.ip.dst = dest->address.v4;
@@ -648,6 +752,7 @@ fw3_ipt_rule_icmptype(struct fw3_ipt_rule *r, struct fw3_icmptype *icmp)
        if (!icmp)
                return;
 
+#ifndef DISABLE_IPV6
        if (r->h->family == FW3_FAMILY_V6)
        {
                if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
@@ -658,6 +763,7 @@ fw3_ipt_rule_icmptype(struct fw3_ipt_rule *r, struct fw3_icmptype *icmp)
                fw3_ipt_rule_addarg(r, icmp->invert, "--icmpv6-type", buf);
        }
        else
+#endif
        {
                if (icmp->code_min == 0 && icmp->code_max == 0xFF)
                        sprintf(buf, "%u", icmp->type);
@@ -689,29 +795,35 @@ fw3_ipt_rule_limit(struct fw3_ipt_rule *r, struct fw3_limit *limit)
 }
 
 void
-fw3_ipt_rule_ipset(struct fw3_ipt_rule *r, struct fw3_ipset *ipset,
-                   bool invert)
+fw3_ipt_rule_ipset(struct fw3_ipt_rule *r, struct fw3_setmatch *match)
 {
        char buf[sizeof("dst,dst,dst\0")];
        char *p = buf;
+       int i = 0;
 
+       struct fw3_ipset *set;
        struct fw3_ipset_datatype *type;
 
-       if (!ipset)
+       if (!match || !match->set || !match->ptr)
                return;
 
-       list_for_each_entry(type, &ipset->datatypes, list)
+       set = match->ptr;
+       list_for_each_entry(type, &set->datatypes, list)
        {
+               if (i >= 3)
+                       break;
+
                if (p > buf)
                        *p++ = ',';
 
-               p += sprintf(p, "%s", type->dest ? "dst" : "src");
+               p += sprintf(p, "%s", match->dir[i] ? match->dir[i] : type->dir);
+               i++;
        }
 
        fw3_ipt_rule_addarg(r, false, "-m", "set");
 
-       fw3_ipt_rule_addarg(r, invert, "--match-set",
-                           ipset->external ? ipset->external : ipset->name);
+       fw3_ipt_rule_addarg(r, match->invert, "--match-set",
+                           set->external ? set->external : set->name);
 
        fw3_ipt_rule_addarg(r, false, buf, NULL);
 }
@@ -862,6 +974,7 @@ fw3_ipt_rule_extra(struct fw3_ipt_rule *r, const char *extra)
        free(s);
 }
 
+#ifndef DISABLE_IPV6
 static void
 rule_print6(struct ip6t_entry *e)
 {
@@ -915,6 +1028,7 @@ rule_print6(struct ip6t_entry *e)
                                    xtables_ip6mask_to_cidr(&e->ipv6.dmsk));
        }
 }
+#endif
 
 static void
 rule_print4(struct ipt_entry *e)
@@ -974,34 +1088,17 @@ rule_print4(struct ipt_entry *e)
 static void
 rule_print(struct fw3_ipt_rule *r, const char *chain)
 {
-       struct xtables_rule_match *rm;
-       struct xtables_match *m;
-       struct xtables_target *t;
-
-       printf("-A %s", chain);
+       debug(r->h, "-A %s", chain);
 
+#ifndef DISABLE_IPV6
        if (r->h->family == FW3_FAMILY_V6)
                rule_print6(&r->e6);
        else
+#endif
                rule_print4(&r->e);
 
-       for (rm = r->matches; rm; rm = rm->next)
-       {
-               m = rm->match;
-               printf(" -m %s", m->alias ? m->alias(m->m) : m->m->u.user.name);
-
-               if (m->save)
-                       m->save(&r->e.ip, m->m);
-       }
-
-       if (r->target)
-       {
-               t = r->target;
-               printf(" -j %s", t->alias ? t->alias(t->t) : t->t->u.user.name);
-
-               if (t->save)
-                       t->save(&r->e.ip, t->t);
-       }
+       fw3_xt_print_matches(&r->e.ip, r->matches);
+       fw3_xt_print_target(&r->e.ip, r->target);
 
        printf("\n");
 }
@@ -1013,7 +1110,7 @@ parse_option(struct fw3_ipt_rule *r, int optc, bool inv)
        struct xtables_match *em;
 
        /* is a target option */
-       if (r->target && (r->target->parse || r->target->x6_parse) &&
+       if (r->target && fw3_xt_has_target_parse(r->target) &&
                optc >= r->target->option_offset &&
                optc < (r->target->option_offset + 256))
        {
@@ -1026,7 +1123,7 @@ parse_option(struct fw3_ipt_rule *r, int optc, bool inv)
        {
                em = m->match;
 
-               if (m->completed || (!em->parse && !em->x6_parse))
+               if (m->completed || !fw3_xt_has_match_parse(em))
                        continue;
 
                if (optc < em->option_offset ||
@@ -1095,7 +1192,6 @@ fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
        struct xtables_target *et;
        struct xtables_globals *g;
        struct ipt_entry *e;
-       struct ip6t_entry *e6;
 
        int i, optc;
        bool inv = false;
@@ -1122,7 +1218,7 @@ fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
                        if (!em)
                        {
                                fprintf(stderr, "fw3_ipt_rule_append(): Can't find match '%s'\n", optarg);
-                               return;
+                               goto free;
                        }
 
                        init_match(r, em, true);
@@ -1134,7 +1230,7 @@ fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
                        if (!et)
                        {
                                fprintf(stderr, "fw3_ipt_rule_append(): Can't find target '%s'\n", optarg);
-                               return;
+                               goto free;
                        }
 
                        break;
@@ -1167,8 +1263,11 @@ fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
        if (fw3_pr_debug)
                rule_print(r, buf);
 
+#ifndef DISABLE_IPV6
        if (r->h->family == FW3_FAMILY_V6)
        {
+               struct ip6t_entry *e6;
+
                s = XT_ALIGN(sizeof(struct ip6t_entry));
 
                for (m = r->matches; m; m = m->next)
@@ -1194,6 +1293,7 @@ fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
                free(e6);
        }
        else
+#endif
        {
                s = XT_ALIGN(sizeof(struct ipt_entry));
 
@@ -1223,6 +1323,7 @@ fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
                free(e);
        }
 
+free:
        for (i = 1; i < r->argc; i++)
                free(r->argv[i]);
 
@@ -1230,7 +1331,9 @@ fw3_ipt_rule_append(struct fw3_ipt_rule *r, const char *fmt, ...)
 
        xtables_rule_matches_free(&r->matches);
 
-       free(r->target->t);
+       if (r->target)
+               free(r->target->t);
+
        free(r);
 
        /* reset all targets and matches */