2 * m_ipt.c iptables based targets
3 * utilities mostly ripped from iptables <duh, its the linux way>
5 * This program is free software; you can distribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
10 * Authors: J Hadi Salim (hadi@cyberus.ca)
12 * TODO: bad bad hardcoding IPT_LIB_DIR and PROC_SYS_MODPROBE
17 #include <sys/socket.h>
18 #include <netinet/in.h>
19 #include <arpa/inet.h>
21 #include <linux/netfilter_ipv4/ip_tables.h>
24 #include <linux/tc_act/tc_ipt.h>
39 const char *pname = "tc-ipt";
40 const char *tname = "mangle";
41 const char *pversion = "0.1";
51 #define IPT_LIB_DIR "/usr/local/lib/iptables"
54 #ifndef PROC_SYS_MODPROBE
55 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
58 static const char *ipthooks[] = {
66 static struct option original_opts[] = {
71 static struct iptables_target *t_list = NULL;
72 static unsigned int global_option_offset = 0;
73 #define OPTION_OFFSET 256
77 register_target(struct iptables_target *me)
79 /* fprintf(stderr, "\nDummy register_target %s \n", me->name);
87 exit_tryhelp(int status)
89 fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
95 exit_error(enum exittype status, char *msg, ...)
100 fprintf(stderr, "%s v%s: ", pname, pversion);
101 vfprintf(stderr, msg, args);
103 fprintf(stderr, "\n");
104 if (status == PARAMETER_PROBLEM)
105 exit_tryhelp(status);
106 if (status == VERSION_PROBLEM)
108 "Perhaps iptables or your kernel needs to be upgraded.\n");
112 /* stolen from iptables 1.2.11
113 They should really have them as a library so i can link to them
114 Email them next time i remember
118 addr_to_dotted(const struct in_addr *addrp)
121 const unsigned char *bytep;
123 bytep = (const unsigned char *) &(addrp->s_addr);
124 sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
128 int string_to_number_ll(const char *s, unsigned long long min,
129 unsigned long long max,
130 unsigned long long *ret)
132 unsigned long long number;
135 /* Handle hex, octal, etc. */
137 number = strtoull(s, &end, 0);
138 if (*end == '\0' && end != s) {
139 /* we parsed a number, let's see if we want this */
140 if (errno != ERANGE && min <= number && (!max || number <= max)) {
148 int string_to_number_l(const char *s, unsigned long min, unsigned long max,
152 unsigned long long number;
154 result = string_to_number_ll(s, min, max, &number);
155 *ret = (unsigned long)number;
160 int string_to_number(const char *s, unsigned int min, unsigned int max,
164 unsigned long number;
166 result = string_to_number_l(s, min, max, &number);
167 *ret = (unsigned int)number;
172 static struct option *
173 copy_options(struct option *oldopts)
175 struct option *merge;
176 unsigned int num_old;
177 for (num_old = 0; oldopts[num_old].name; num_old++) ;
178 merge = malloc(sizeof (struct option) * (num_old + 1));
181 memcpy(merge, oldopts, num_old * sizeof (struct option));
182 memset(merge + num_old, 0, sizeof (struct option));
186 static struct option *
187 merge_options(struct option *oldopts, const struct option *newopts,
188 unsigned int *option_offset)
190 struct option *merge;
191 unsigned int num_old, num_new, i;
193 for (num_old = 0; oldopts[num_old].name; num_old++) ;
194 for (num_new = 0; newopts[num_new].name; num_new++) ;
196 *option_offset = global_option_offset + OPTION_OFFSET;
198 merge = malloc(sizeof (struct option) * (num_new + num_old + 1));
199 memcpy(merge, oldopts, num_old * sizeof (struct option));
200 for (i = 0; i < num_new; i++) {
201 merge[num_old + i] = newopts[i];
202 merge[num_old + i].val += *option_offset;
204 memset(merge + num_old + num_new, 0, sizeof (struct option));
210 fw_calloc(size_t count, size_t size)
214 if ((p = (void *) calloc(count, size)) == NULL) {
215 perror("iptables: calloc failed");
221 static struct iptables_target *
224 struct iptables_target *m;
225 for (m = t_list; m; m = m->next) {
226 if (strcmp(m->name, name) == 0)
233 static struct iptables_target *
234 get_target_name(char *name)
238 char *new_name, *lname;
239 struct iptables_target *m;
241 char path[sizeof (IPT_LIB_DIR) + sizeof ("/libipt_.so") + strlen(name)];
243 new_name = malloc(strlen(name) + 1);
244 lname = malloc(strlen(name) + 1);
246 memset(new_name, '\0', strlen(name) + 1);
248 exit_error(PARAMETER_PROBLEM, "get_target_name");
251 memset(lname, '\0', strlen(name) + 1);
253 exit_error(PARAMETER_PROBLEM, "get_target_name");
255 strcpy(new_name, name);
258 if (isupper(lname[0])) {
260 for (i = 0; i < strlen(name); i++) {
261 lname[i] = tolower(lname[i]);
265 if (islower(new_name[0])) {
267 for (i = 0; i < strlen(new_name); i++) {
268 new_name[i] = toupper(new_name[i]);
272 sprintf(path, IPT_LIB_DIR "/libipt_%s.so", new_name);
273 handle = dlopen(path, RTLD_LAZY);
275 sprintf(path, IPT_LIB_DIR "/libipt_%s.so", lname);
276 handle = dlopen(path, RTLD_LAZY);
278 fputs(dlerror(), stderr);
284 m = dlsym(handle, new_name);
285 if ((error = dlerror()) != NULL) {
286 m = (struct iptables_target *) dlsym(handle, lname);
287 if ((error = dlerror()) != NULL) {
288 m = find_t(new_name);
292 fputs(error, stderr);
293 fprintf(stderr, "\n");
305 struct in_addr *dotted_to_addr(const char *dotted)
307 static struct in_addr addr;
308 unsigned char *addrp;
310 unsigned int onebyte;
314 /* copy dotted string, because we need to modify it */
315 strncpy(buf, dotted, sizeof (buf) - 1);
316 addrp = (unsigned char *) &(addr.s_addr);
319 for (i = 0; i < 3; i++) {
320 if ((q = strchr(p, '.')) == NULL)
321 return (struct in_addr *) NULL;
324 if (string_to_number(p, 0, 255, &onebyte) == -1)
325 return (struct in_addr *) NULL;
327 addrp[i] = (unsigned char) onebyte;
331 /* we've checked 3 bytes, now we check the last one */
332 if (string_to_number(p, 0, 255, &onebyte) == -1)
333 return (struct in_addr *) NULL;
335 addrp[3] = (unsigned char) onebyte;
341 build_st(struct iptables_target *target, struct ipt_entry_target *t)
343 unsigned int nfcache = 0;
349 IPT_ALIGN(sizeof (struct ipt_entry_target)) + target->size;
352 target->t = fw_calloc(1, size);
353 target->init(target->t, &nfcache);
354 target->t->u.target_size = size;
358 strcpy(target->t->u.user.name, target->name);
365 static int parse_ipt(struct action_util *a,int *argc_p,
366 char ***argv_p, int tca_id, struct nlmsghdr *n)
368 struct iptables_target *m = NULL;
373 char **argv = *argv_p;
375 int argc = 0, iargc = 0;
380 __u32 hook = 0, index = 0;
385 for (i = 0; i < rargc; i++) {
386 if (NULL == argv[i] || 0 == strcmp(argv[i], "action")) {
394 fprintf(stderr,"bad arguements to ipt %d vs %d \n", argc, rargc);
398 opts = copy_options(original_opts);
404 c = getopt_long(argc, argv, "j:", opts, NULL);
409 m = get_target_name(optarg);
412 if (0 > build_st(m, NULL)) {
413 printf(" %s error \n", m->name);
417 merge_options(opts, m->extra_opts,
420 fprintf(stderr," failed to find target %s\n\n", optarg);
427 memset(&fw, 0, sizeof (fw));
429 unsigned int fake_flags = 0;
430 m->parse(c - m->option_offset, argv, 0,
431 &fake_flags, NULL, &m->t);
433 fprintf(stderr," failed to find target %s\n\n", optarg);
439 /*m->final_check(m->t); -- Is this necessary?
440 ** useful when theres depencies
441 ** eg ipt_TCPMSS.c has have the TCP match loaded
442 ** before this can be used;
443 ** also seems the ECN target needs it
451 if (iargc > optind) {
452 if (matches(argv[optind], "index") == 0) {
453 if (get_u32(&index, argv[optind + 1], 10)) {
454 fprintf(stderr, "Illegal \"index\"\n");
464 fprintf(stderr," ipt Parser BAD!! (%s)\n", *argv);
469 struct tcmsg *t = NLMSG_DATA(n);
470 if (t->tcm_parent != TC_H_ROOT
471 && t->tcm_parent == TC_H_MAJ(TC_H_INGRESS)) {
472 hook = NF_IP_PRE_ROUTING;
474 hook = NF_IP_POST_ROUTING;
478 tail = NLMSG_TAIL(n);
479 addattr_l(n, MAX_MSG, tca_id, NULL, 0);
480 fprintf(stdout, "tablename: %s hook: %s\n ", tname, ipthooks[hook]);
481 fprintf(stdout, "\ttarget: ");
484 m->print(NULL, m->t, 0);
485 fprintf(stdout, " index %d\n", index);
487 if (strlen(tname) > 16) {
491 size = 1 + strlen(tname);
493 strncpy(k, tname, size);
495 addattr_l(n, MAX_MSG, TCA_IPT_TABLE, k, size);
496 addattr_l(n, MAX_MSG, TCA_IPT_HOOK, &hook, 4);
497 addattr_l(n, MAX_MSG, TCA_IPT_INDEX, &index, 4);
499 addattr_l(n, MAX_MSG, TCA_IPT_TARG, m->t, m->t->u.target_size);
500 tail->rta_len = (void *) NLMSG_TAIL(n) - (void *) tail;
504 *argc_p = rargc - iargc;
514 print_ipt(struct action_util *au,FILE * f, struct rtattr *arg)
516 struct rtattr *tb[TCA_IPT_MAX + 1];
517 struct ipt_entry_target *t = NULL;
523 opts = copy_options(original_opts);
528 parse_rtattr_nested(tb, TCA_IPT_MAX, arg);
530 if (tb[TCA_IPT_TABLE] == NULL) {
531 fprintf(f, "[NULL ipt table name ] assuming mangle ");
533 fprintf(f, "tablename: %s ",
534 (char *) RTA_DATA(tb[TCA_IPT_TABLE]));
537 if (tb[TCA_IPT_HOOK] == NULL) {
538 fprintf(f, "[NULL ipt hook name ]\n ");
542 hook = *(__u32 *) RTA_DATA(tb[TCA_IPT_HOOK]);
543 fprintf(f, " hook: %s \n", ipthooks[hook]);
546 if (tb[TCA_IPT_TARG] == NULL) {
547 fprintf(f, "\t[NULL ipt target parameters ] \n");
550 struct iptables_target *m = NULL;
551 t = RTA_DATA(tb[TCA_IPT_TARG]);
552 m = get_target_name(t->u.user.name);
554 if (0 > build_st(m, t)) {
555 fprintf(stderr, " %s error \n", m->name);
560 merge_options(opts, m->extra_opts,
563 fprintf(stderr, " failed to find target %s\n\n",
567 fprintf(f, "\ttarget ");
568 m->print(NULL, m->t, 0);
569 if (tb[TCA_IPT_INDEX] == NULL) {
570 fprintf(f, " [NULL ipt target index ]\n");
573 index = *(__u32 *) RTA_DATA(tb[TCA_IPT_INDEX]);
574 fprintf(f, " \n\tindex %d", index);
577 if (tb[TCA_IPT_CNT]) {
578 struct tc_cnt *c = RTA_DATA(tb[TCA_IPT_CNT]);;
579 fprintf(f, " ref %d bind %d", c->refcnt, c->bindcnt);
582 if (tb[TCA_IPT_TM]) {
583 struct tcf_t *tm = RTA_DATA(tb[TCA_IPT_TM]);
594 struct action_util ipt_action_util = {
596 .parse_aopt = parse_ipt,
597 .print_aopt = print_ipt,