2 * m_ipt.c iptables based targets
3 * utilities mostly ripped from iptables <duh, its the linux way>
5 * This program is free software; you can distribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
10 * Authors: J Hadi Salim (hadi@cyberus.ca)
12 * TODO: bad bad hardcoding IPT_LIB_DIR and PROC_SYS_MODPROBE
17 #include <sys/socket.h>
18 #include <netinet/in.h>
19 #include <arpa/inet.h>
20 #include <linux/types.h>
22 #include <linux/netfilter_ipv4/ip_tables.h>
25 #include <linux/tc_act/tc_ipt.h>
40 const char *pname = "tc-ipt";
41 const char *tname = "mangle";
42 const char *pversion = "0.1";
52 #define IPT_LIB_DIR "/usr/local/lib/iptables"
55 #ifndef PROC_SYS_MODPROBE
56 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
59 static const char *ipthooks[] = {
67 static struct option original_opts[] = {
72 static struct iptables_target *t_list = NULL;
73 static struct option *opts = original_opts;
74 static unsigned int global_option_offset = 0;
75 #define OPTION_OFFSET 256
79 register_target(struct iptables_target *me)
81 /* fprintf(stderr, "\nDummy register_target %s \n", me->name);
89 exit_tryhelp(int status)
91 fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
97 exit_error(enum exittype status, char *msg, ...)
102 fprintf(stderr, "%s v%s: ", pname, pversion);
103 vfprintf(stderr, msg, args);
105 fprintf(stderr, "\n");
106 if (status == PARAMETER_PROBLEM)
107 exit_tryhelp(status);
108 if (status == VERSION_PROBLEM)
110 "Perhaps iptables or your kernel needs to be upgraded.\n");
114 /* stolen from iptables 1.2.11
115 They should really have them as a library so i can link to them
116 Email them next time i remember
120 addr_to_dotted(const struct in_addr *addrp)
123 const unsigned char *bytep;
125 bytep = (const unsigned char *) &(addrp->s_addr);
126 sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
130 int string_to_number_ll(const char *s, unsigned long long min,
131 unsigned long long max,
132 unsigned long long *ret)
134 unsigned long long number;
137 /* Handle hex, octal, etc. */
139 number = strtoull(s, &end, 0);
140 if (*end == '\0' && end != s) {
141 /* we parsed a number, let's see if we want this */
142 if (errno != ERANGE && min <= number && (!max || number <= max)) {
150 int string_to_number_l(const char *s, unsigned long min, unsigned long max,
154 unsigned long long number;
156 result = string_to_number_ll(s, min, max, &number);
157 *ret = (unsigned long)number;
162 int string_to_number(const char *s, unsigned int min, unsigned int max,
166 unsigned long number;
168 result = string_to_number_l(s, min, max, &number);
169 *ret = (unsigned int)number;
174 static void free_opts(struct option *opts)
176 if (opts != original_opts) {
178 opts = original_opts;
179 global_option_offset = 0;
183 static struct option *
184 merge_options(struct option *oldopts, const struct option *newopts,
185 unsigned int *option_offset)
187 struct option *merge;
188 unsigned int num_old, num_new, i;
190 for (num_old = 0; oldopts[num_old].name; num_old++) ;
191 for (num_new = 0; newopts[num_new].name; num_new++) ;
193 *option_offset = global_option_offset + OPTION_OFFSET;
195 merge = malloc(sizeof (struct option) * (num_new + num_old + 1));
196 memcpy(merge, oldopts, num_old * sizeof (struct option));
197 for (i = 0; i < num_new; i++) {
198 merge[num_old + i] = newopts[i];
199 merge[num_old + i].val += *option_offset;
201 memset(merge + num_old + num_new, 0, sizeof (struct option));
207 fw_calloc(size_t count, size_t size)
211 if ((p = (void *) calloc(count, size)) == NULL) {
212 perror("iptables: calloc failed");
218 static struct iptables_target *
221 struct iptables_target *m;
222 for (m = t_list; m; m = m->next) {
223 if (strcmp(m->name, name) == 0)
230 static struct iptables_target *
231 get_target_name(char *name)
235 char *new_name, *lname;
236 struct iptables_target *m;
238 char path[sizeof (IPT_LIB_DIR) + sizeof ("/libipt_.so") + strlen(name)];
240 new_name = malloc(strlen(name) + 1);
241 lname = malloc(strlen(name) + 1);
243 memset(new_name, '\0', strlen(name) + 1);
245 exit_error(PARAMETER_PROBLEM, "get_target_name");
248 memset(lname, '\0', strlen(name) + 1);
250 exit_error(PARAMETER_PROBLEM, "get_target_name");
252 strcpy(new_name, name);
255 if (isupper(lname[0])) {
257 for (i = 0; i < strlen(name); i++) {
258 lname[i] = tolower(lname[i]);
262 if (islower(new_name[0])) {
264 for (i = 0; i < strlen(new_name); i++) {
265 new_name[i] = toupper(new_name[i]);
269 sprintf(path, IPT_LIB_DIR "/libipt_%s.so", new_name);
270 handle = dlopen(path, RTLD_LAZY);
272 sprintf(path, IPT_LIB_DIR "/libipt_%s.so", lname);
273 handle = dlopen(path, RTLD_LAZY);
275 fputs(dlerror(), stderr);
281 m = dlsym(handle, new_name);
282 if ((error = dlerror()) != NULL) {
283 m = (struct iptables_target *) dlsym(handle, lname);
284 if ((error = dlerror()) != NULL) {
285 m = find_t(new_name);
289 fputs(error, stderr);
290 fprintf(stderr, "\n");
302 struct in_addr *dotted_to_addr(const char *dotted)
304 static struct in_addr addr;
305 unsigned char *addrp;
307 unsigned int onebyte;
311 /* copy dotted string, because we need to modify it */
312 strncpy(buf, dotted, sizeof (buf) - 1);
313 addrp = (unsigned char *) &(addr.s_addr);
316 for (i = 0; i < 3; i++) {
317 if ((q = strchr(p, '.')) == NULL)
318 return (struct in_addr *) NULL;
321 if (string_to_number(p, 0, 255, &onebyte) == -1)
322 return (struct in_addr *) NULL;
324 addrp[i] = (unsigned char) onebyte;
328 /* we've checked 3 bytes, now we check the last one */
329 if (string_to_number(p, 0, 255, &onebyte) == -1)
330 return (struct in_addr *) NULL;
332 addrp[3] = (unsigned char) onebyte;
337 static void set_revision(char *name, u_int8_t revision)
339 /* Old kernel sources don't have ".revision" field,
340 * but we stole a byte from name. */
341 name[IPT_FUNCTION_MAXNAMELEN - 2] = '\0';
342 name[IPT_FUNCTION_MAXNAMELEN - 1] = revision;
346 * we may need to check for version mismatch
349 build_st(struct iptables_target *target, struct ipt_entry_target *t)
351 unsigned int nfcache = 0;
357 IPT_ALIGN(sizeof (struct ipt_entry_target)) + target->size;
360 target->t = fw_calloc(1, size);
361 target->t->u.target_size = size;
363 if (target->init != NULL)
364 target->init(target->t, &nfcache);
365 set_revision(target->t->u.user.name, target->revision);
369 strcpy(target->t->u.user.name, target->name);
376 static int parse_ipt(struct action_util *a,int *argc_p,
377 char ***argv_p, int tca_id, struct nlmsghdr *n)
379 struct iptables_target *m = NULL;
384 char **argv = *argv_p;
385 int argc = 0, iargc = 0;
390 __u32 hook = 0, index = 0;
395 for (i = 0; i < rargc; i++) {
396 if (NULL == argv[i] || 0 == strcmp(argv[i], "action")) {
404 fprintf(stderr,"bad arguements to ipt %d vs %d \n", argc, rargc);
409 c = getopt_long(argc, argv, "j:", opts, NULL);
414 m = get_target_name(optarg);
417 if (0 > build_st(m, NULL)) {
418 printf(" %s error \n", m->name);
422 merge_options(opts, m->extra_opts,
425 fprintf(stderr," failed to find target %s\n\n", optarg);
432 memset(&fw, 0, sizeof (fw));
434 m->parse(c - m->option_offset, argv, 0,
435 &m->tflags, NULL, &m->t);
437 fprintf(stderr," failed to find target %s\n\n", optarg);
447 if (iargc > optind) {
448 if (matches(argv[optind], "index") == 0) {
449 if (get_u32(&index, argv[optind + 1], 10)) {
450 fprintf(stderr, "Illegal \"index\"\n");
461 fprintf(stderr," ipt Parser BAD!! (%s)\n", *argv);
465 /* check that we passed the correct parameters to the target */
467 m->final_check(m->tflags);
470 struct tcmsg *t = NLMSG_DATA(n);
471 if (t->tcm_parent != TC_H_ROOT
472 && t->tcm_parent == TC_H_MAJ(TC_H_INGRESS)) {
473 hook = NF_IP_PRE_ROUTING;
475 hook = NF_IP_POST_ROUTING;
479 tail = NLMSG_TAIL(n);
480 addattr_l(n, MAX_MSG, tca_id, NULL, 0);
481 fprintf(stdout, "tablename: %s hook: %s\n ", tname, ipthooks[hook]);
482 fprintf(stdout, "\ttarget: ");
485 m->print(NULL, m->t, 0);
486 fprintf(stdout, " index %d\n", index);
488 if (strlen(tname) > 16) {
492 size = 1 + strlen(tname);
494 strncpy(k, tname, size);
496 addattr_l(n, MAX_MSG, TCA_IPT_TABLE, k, size);
497 addattr_l(n, MAX_MSG, TCA_IPT_HOOK, &hook, 4);
498 addattr_l(n, MAX_MSG, TCA_IPT_INDEX, &index, 4);
500 addattr_l(n, MAX_MSG, TCA_IPT_TARG, m->t, m->t->u.target_size);
501 tail->rta_len = (void *) NLMSG_TAIL(n) - (void *) tail;
505 *argc_p = rargc - iargc;
516 print_ipt(struct action_util *au,FILE * f, struct rtattr *arg)
518 struct rtattr *tb[TCA_IPT_MAX + 1];
519 struct ipt_entry_target *t = NULL;
524 parse_rtattr_nested(tb, TCA_IPT_MAX, arg);
526 if (tb[TCA_IPT_TABLE] == NULL) {
527 fprintf(f, "[NULL ipt table name ] assuming mangle ");
529 fprintf(f, "tablename: %s ",
530 (char *) RTA_DATA(tb[TCA_IPT_TABLE]));
533 if (tb[TCA_IPT_HOOK] == NULL) {
534 fprintf(f, "[NULL ipt hook name ]\n ");
538 hook = *(__u32 *) RTA_DATA(tb[TCA_IPT_HOOK]);
539 fprintf(f, " hook: %s \n", ipthooks[hook]);
542 if (tb[TCA_IPT_TARG] == NULL) {
543 fprintf(f, "\t[NULL ipt target parameters ] \n");
546 struct iptables_target *m = NULL;
547 t = RTA_DATA(tb[TCA_IPT_TARG]);
548 m = get_target_name(t->u.user.name);
550 if (0 > build_st(m, t)) {
551 fprintf(stderr, " %s error \n", m->name);
556 merge_options(opts, m->extra_opts,
559 fprintf(stderr, " failed to find target %s\n\n",
563 fprintf(f, "\ttarget ");
564 m->print(NULL, m->t, 0);
565 if (tb[TCA_IPT_INDEX] == NULL) {
566 fprintf(f, " [NULL ipt target index ]\n");
569 index = *(__u32 *) RTA_DATA(tb[TCA_IPT_INDEX]);
570 fprintf(f, " \n\tindex %d", index);
573 if (tb[TCA_IPT_CNT]) {
574 struct tc_cnt *c = RTA_DATA(tb[TCA_IPT_CNT]);;
575 fprintf(f, " ref %d bind %d", c->refcnt, c->bindcnt);
578 if (tb[TCA_IPT_TM]) {
579 struct tcf_t *tm = RTA_DATA(tb[TCA_IPT_TM]);
591 struct action_util ipt_action_util = {
593 .parse_aopt = parse_ipt,
594 .print_aopt = print_ipt,
git://git.onelab.eu / iproute2.git / blob