1 /* Code to restore the iptables state from a file written by ip6tables-save.
2 * Author: Andras Kis-Szabo <kisza@sch.bme.hu>
4 * based on iptables-restore
6 * Harald Welte <laforge@gnumonks.org>
7 * Rusty Russell <rusty@linuxcare.com.au>
8 * This code is distributed under the terms of GNU GPL v2
14 #include <sys/errno.h>
18 #include "ip6tables.h"
20 #include "libiptc/libip6tc.h"
21 #include "ip6tables-multi.h"
/* Debug tracing helper.  The first definition prints to stderr, the second
 * compiles the call away; which one is active is decided by a preprocessor
 * conditional that is not part of this excerpt.  'x' is passed straight to
 * fprintf() as the format, so every caller must supply a string literal
 * (all visible callers do), never data read from the restore file. */
24 #define DEBUGP(x, args...) fprintf(stderr, x, ## args)
26 #define DEBUGP(x, args...)
/* Command-line flags, set from the getopt_long() loop in main() (see options[]):
 *   counters - when set, a leading "[pcnt:bcnt]" on a rule line is turned into
 *              a --set-counters argument for do_command6()
 *   verbose  - passed through to for_each_chain()
 *   noflush  - an existing user-defined chain is flushed in place when its
 *              ":chain" line is read; presumably it also skips the
 *              flush-and-delete of all chains on table open (that guard is
 *              not visible in this excerpt)
 *   binary   - accepted on the command line; its effect is not visible here */
29 static int binary = 0, counters = 0, verbose = 0, noflush = 0;
/* Long-option table for getopt_long().  Each .val must match a letter of the
 * "bcvthnM:" optstring used in main(); only --modprobe takes an argument.
 * The NULL terminator entry closing the table lies outside this excerpt. */
32 static const struct option options[] = {
33 {.name = "binary", .has_arg = false, .val = 'b'},
34 {.name = "counters", .has_arg = false, .val = 'c'},
35 {.name = "verbose", .has_arg = false, .val = 'v'},
36 {.name = "test", .has_arg = false, .val = 't'},
37 {.name = "help", .has_arg = false, .val = 'h'},
38 {.name = "noflush", .has_arg = false, .val = 'n'},
39 {.name = "modprobe", .has_arg = true, .val = 'M'},
/* Print the command-line synopsis to stderr.  Declared noreturn, so callers
 * (the getopt error paths in main()) need no code after the call.  'version'
 * does not appear among the visible fprintf() arguments; it is presumably
 * kept for a uniform usage-printer signature.  The function's remaining
 * lines are not part of this excerpt. */
43 static void print_usage(const char *name, const char *version) __attribute__((noreturn));
45 static void print_usage(const char *name, const char *version)
47 fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n"
54 " [ --modprobe=<command>]\n", name);
/* Open a libip6tc handle on 'tablename'.
 * If the first ip6tc_init() fails, the table's kernel module is loaded via
 * load_xtables_ko(modprobe, 0) and the init is retried exactly once; a
 * second failure goes to exit_error(), so the caller in main() presumably
 * never sees a NULL handle.  The second parameter (modprobe), the failure
 * tests and the return statement are on lines not shown in this excerpt. */
59 static ip6tc_handle_t create_handle(const char *tablename,
62 ip6tc_handle_t handle;
64 handle = ip6tc_init(tablename);
67 /* first attempt failed: try to load the kernel module, then retry once */
68 load_xtables_ko(modprobe, 0);
69 handle = ip6tc_init(tablename);
73 exit_error(PARAMETER_PROBLEM, "%s: unable to initialize "
74 "table '%s'\n", program_name, tablename);
/* Parse a "[pcnt:bcnt]" counter pair, as written by ip6tables-save, into *ctr.
 * The caller in main() treats a zero return as "invalid policy counters".
 * Both fields are scanned with %llu into unsigned long long locals, so the
 * casts on the sscanf() arguments are redundant.  NOTE(review): %llu follows
 * strtoull() rules and accepts a leading '-' and whitespace, so an input such
 * as "[-1:0]" is accepted and stored as a wrapped value rather than rejected.
 * The copy into *ctr and the return statement are outside this excerpt. */
80 static int parse_counters(char *string, struct ip6t_counters *ctr)
82 unsigned long long pcnt, bcnt;
85 ret = sscanf(string, "[%llu:%llu]",
86 (unsigned long long *)&pcnt,
87 (unsigned long long *)&bcnt);
/* Argument vector rebuilt for every rule line and handed to do_command6() in
 * main().  Fixed at 255 slots: add_argv() refuses further entries instead of
 * writing past the end, and free_argv() walks the first newargc entries to
 * release the strdup()'d strings.  The matching 'newargc' counter is declared
 * on a line not shown in this excerpt. */
94 static char *newargv[255];
/* Append a copy of 'what' to newargv and bump newargc.
 * Returns true if the argument was added, false otherwise (NULL input, or
 * the fixed-size table is full).  The copy comes from strdup(); on the
 * visible line its result is stored without a NULL check, so an allocation
 * failure would leave a NULL slot for do_command6().  The increment of
 * newargc and the return statements lie outside this excerpt. */
99 static int add_argv(char *what) {
100 DEBUGP("add_argv: %s\n", what);
/* Bounds check against the 255-slot table; the "+ 1" leaves the last slot
 * unused (presumably reserved as a terminator). */
101 if (what && ((newargc + 1) < sizeof(newargv)/sizeof(char *))) {
102 newargv[newargc] = strdup(what);
/* Release the strdup()'d strings in newargv[0..newargc).  The loop body
 * (the free() call) and any reset of newargc are not shown in this excerpt. */
109 static void free_argv(void) {
112 for (i = 0; i < newargc; i++)
116 #ifdef IPTABLES_MULTI
117 int ip6tables_restore_main(int argc, char *argv[])
119 int main(int argc, char *argv[])
122 ip6tc_handle_t handle = NULL;
125 char curtable[IP6T_TABLE_MAXNAMELEN + 1];
127 const char *modprobe = NULL;
128 int in_table = 0, testing = 0;
130 program_name = "ip6tables-restore";
131 program_version = XTABLES_VERSION;
134 lib_dir = getenv("XTABLES_LIBDIR");
135 if (lib_dir == NULL) {
136 lib_dir = getenv("IP6TABLES_LIB_DIR");
138 fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated\n");
141 lib_dir = XTABLES_LIBDIR;
143 #ifdef NO_SHARED_LIBS
147 while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) {
162 print_usage("ip6tables-restore",
174 if (optind == argc - 1) {
175 in = fopen(argv[optind], "r");
177 fprintf(stderr, "Can't open %s: %s\n", argv[optind],
182 else if (optind < argc) {
183 fprintf(stderr, "Unknown arguments found on commandline\n");
188 /* Grab standard input. */
189 while (fgets(buffer, sizeof(buffer), in)) {
193 if (buffer[0] == '\n')
195 else if (buffer[0] == '#') {
197 fputs(buffer, stdout);
199 } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
201 DEBUGP("Calling commit\n");
202 ret = ip6tc_commit(&handle);
204 DEBUGP("Not calling commit, testing\n");
208 } else if ((buffer[0] == '*') && (!in_table)) {
212 table = strtok(buffer+1, " \t\n");
213 DEBUGP("line %u, table '%s'\n", line, table);
215 exit_error(PARAMETER_PROBLEM,
216 "%s: line %u table name invalid\n",
220 strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN);
221 curtable[IP6T_TABLE_MAXNAMELEN] = '\0';
226 handle = create_handle(table, modprobe);
228 DEBUGP("Cleaning all chains of table '%s'\n",
230 for_each_chain(flush_entries, verbose, 1,
233 DEBUGP("Deleting all user-defined chains "
234 "of table '%s'\n", table);
235 for_each_chain(delete_chain, verbose, 0,
242 } else if ((buffer[0] == ':') && (in_table)) {
244 char *policy, *chain;
246 chain = strtok(buffer+1, " \t\n");
247 DEBUGP("line %u, chain '%s'\n", line, chain);
249 exit_error(PARAMETER_PROBLEM,
250 "%s: line %u chain name invalid\n",
255 if (ip6tc_builtin(chain, handle) <= 0) {
256 if (noflush && ip6tc_is_chain(chain, handle)) {
257 DEBUGP("Flushing existing user defined chain '%s'\n", chain);
258 if (!ip6tc_flush_entries(chain, &handle))
259 exit_error(PARAMETER_PROBLEM,
260 "error flushing chain "
264 DEBUGP("Creating new chain '%s'\n", chain);
265 if (!ip6tc_create_chain(chain, &handle))
266 exit_error(PARAMETER_PROBLEM,
267 "error creating chain "
273 policy = strtok(NULL, " \t\n");
274 DEBUGP("line %u, policy '%s'\n", line, policy);
276 exit_error(PARAMETER_PROBLEM,
277 "%s: line %u policy invalid\n",
282 if (strcmp(policy, "-") != 0) {
283 struct ip6t_counters count;
287 ctrs = strtok(NULL, " \t\n");
289 if (!ctrs || !parse_counters(ctrs, &count))
290 exit_error(PARAMETER_PROBLEM,
291 "invalid policy counters "
292 "for chain '%s'\n", chain);
296 sizeof(struct ip6t_counters));
299 DEBUGP("Setting policy of chain %s to %s\n",
302 if (!ip6tc_set_policy(chain, policy, &count,
304 exit_error(OTHER_PROBLEM,
305 "Can't set policy `%s'"
306 " on `%s' line %u: %s\n",
308 ip6tc_strerror(errno));
313 } else if (in_table) {
322 int quote_open, escaped;
325 /* reset the newargv */
328 if (buffer[0] == '[') {
329 /* we have counters in our input */
330 ptr = strchr(buffer, ']');
332 exit_error(PARAMETER_PROBLEM,
333 "Bad line %u: need ]\n",
336 pcnt = strtok(buffer+1, ":");
338 exit_error(PARAMETER_PROBLEM,
339 "Bad line %u: need :\n",
342 bcnt = strtok(NULL, "]");
344 exit_error(PARAMETER_PROBLEM,
345 "Bad line %u: need ]\n",
348 /* start command parsing after counter */
349 parsestart = ptr + 1;
351 /* start command parsing at start of line */
357 add_argv((char *) &curtable);
359 if (counters && pcnt && bcnt) {
360 add_argv("--set-counters");
361 add_argv((char *) pcnt);
362 add_argv((char *) bcnt);
365 /* After fighting with strtok enough, here's now
366 * a 'real' parser. According to Rusty I'm now no
367 * longer a real hacker, but I can live with that */
373 for (curchar = parsestart; *curchar; curchar++) {
374 char param_buffer[1024];
378 param_buffer[param_len++] = *curchar;
381 } else if (*curchar == '\\') {
384 } else if (*curchar == '"') {
388 param_buffer[param_len++] = *curchar;
392 if (*curchar == '"') {
400 || * curchar == '\n') {
406 param_buffer[param_len] = '\0';
408 /* check if table name specified */
409 if (!strncmp(param_buffer, "-t", 3)
410 || !strncmp(param_buffer, "--table", 8)) {
411 exit_error(PARAMETER_PROBLEM,
412 "Line %u seems to have a "
413 "-t table option.\n", line);
417 add_argv(param_buffer);
420 /* regular character, copy to buffer */
421 param_buffer[param_len++] = *curchar;
423 if (param_len >= sizeof(param_buffer))
424 exit_error(PARAMETER_PROBLEM,
425 "Parameter too long!");
429 DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
432 for (a = 0; a < newargc; a++)
433 DEBUGP("argv[%u]: %s\n", a, newargv[a]);
435 ret = do_command6(newargc, newargv,
436 &newargv[2], &handle);
442 fprintf(stderr, "%s: line %u failed\n",
448 fprintf(stderr, "%s: COMMIT expected at line %u\n",
449 program_name, line + 1);