1 /* Code to restore the iptables state, from file by iptables-save.
2 * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
3 * based on previous code from Rusty Russell <rusty@linuxcare.com.au>
5 * This code is distributed under the terms of GNU GPL v2
11 #include <sys/errno.h>
17 #include "libiptc/libiptc.h"
18 #include "iptables-multi.h"
21 #define DEBUGP(x, args...) fprintf(stderr, x, ## args)
23 #define DEBUGP(x, args...)
26 static int binary = 0, counters = 0, verbose = 0, noflush = 0;
28 /* Keeping track of external matches and targets. */
29 static const struct option options[] = {
30 {.name = "binary", .has_arg = false, .val = 'b'},
31 {.name = "counters", .has_arg = false, .val = 'c'},
32 {.name = "verbose", .has_arg = false, .val = 'v'},
33 {.name = "test", .has_arg = false, .val = 't'},
34 {.name = "help", .has_arg = false, .val = 'h'},
35 {.name = "noflush", .has_arg = false, .val = 'n'},
36 {.name = "modprobe", .has_arg = true, .val = 'M'},
37 {.name = "table", .has_arg = true, .val = 'T'},
41 static void print_usage(const char *name, const char *version) __attribute__((noreturn));
43 static void print_usage(const char *name, const char *version)
45 fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n"
52 " [ --table=<TABLE> ]\n"
53 " [ --modprobe=<command>]\n", name);
58 static iptc_handle_t create_handle(const char *tablename, const char *modprobe)
62 handle = iptc_init(tablename);
65 /* try to insmod the module if iptc_init failed */
66 load_xtables_ko(modprobe, 0);
67 handle = iptc_init(tablename);
71 exit_error(PARAMETER_PROBLEM, "%s: unable to initialize "
72 "table '%s'\n", program_name, tablename);
78 static int parse_counters(char *string, struct ipt_counters *ctr)
80 unsigned long long pcnt, bcnt;
83 ret = sscanf(string, "[%llu:%llu]",
84 (unsigned long long *)&pcnt,
85 (unsigned long long *)&bcnt);
91 /* global new argv and argc */
92 static char *newargv[255];
95 /* function adding one argument to newargv, updating newargc
96 * returns true if argument added, false otherwise */
97 static int add_argv(char *what) {
98 DEBUGP("add_argv: %s\n", what);
99 if (what && ((newargc + 1) < sizeof(newargv)/sizeof(char *))) {
100 newargv[newargc] = strdup(what);
107 static void free_argv(void) {
110 for (i = 0; i < newargc; i++)
114 #ifdef IPTABLES_MULTI
116 iptables_restore_main(int argc, char *argv[])
119 main(int argc, char *argv[])
122 iptc_handle_t handle = NULL;
125 char curtable[IPT_TABLE_MAXNAMELEN + 1];
127 const char *modprobe = NULL;
128 int in_table = 0, testing = 0;
129 const char *tablename = NULL;
131 program_name = "iptables-restore";
132 program_version = XTABLES_VERSION;
135 lib_dir = getenv("XTABLES_LIBDIR");
136 if (lib_dir == NULL) {
137 lib_dir = getenv("IPTABLES_LIB_DIR");
139 fprintf(stderr, "IPTABLES_LIB_DIR is deprecated\n");
142 lib_dir = XTABLES_LIBDIR;
144 #ifdef NO_SHARED_LIBS
148 while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
163 print_usage("iptables-restore",
178 if (optind == argc - 1) {
179 in = fopen(argv[optind], "r");
181 fprintf(stderr, "Can't open %s: %s\n", argv[optind],
186 else if (optind < argc) {
187 fprintf(stderr, "Unknown arguments found on commandline\n");
192 /* Grab standard input. */
193 while (fgets(buffer, sizeof(buffer), in)) {
197 if (buffer[0] == '\n')
199 else if (buffer[0] == '#') {
201 fputs(buffer, stdout);
203 } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
205 DEBUGP("Calling commit\n");
206 ret = iptc_commit(&handle);
208 DEBUGP("Not calling commit, testing\n");
212 } else if ((buffer[0] == '*') && (!in_table)) {
216 table = strtok(buffer+1, " \t\n");
217 DEBUGP("line %u, table '%s'\n", line, table);
219 exit_error(PARAMETER_PROBLEM,
220 "%s: line %u table name invalid\n",
224 strncpy(curtable, table, IPT_TABLE_MAXNAMELEN);
225 curtable[IPT_TABLE_MAXNAMELEN] = '\0';
227 if (tablename && (strcmp(tablename, table) != 0))
232 handle = create_handle(table, modprobe);
234 DEBUGP("Cleaning all chains of table '%s'\n",
236 for_each_chain(flush_entries, verbose, 1,
239 DEBUGP("Deleting all user-defined chains "
240 "of table '%s'\n", table);
241 for_each_chain(delete_chain, verbose, 0,
248 } else if ((buffer[0] == ':') && (in_table)) {
250 char *policy, *chain;
252 chain = strtok(buffer+1, " \t\n");
253 DEBUGP("line %u, chain '%s'\n", line, chain);
255 exit_error(PARAMETER_PROBLEM,
256 "%s: line %u chain name invalid\n",
261 if (iptc_builtin(chain, handle) <= 0) {
262 if (noflush && iptc_is_chain(chain, handle)) {
263 DEBUGP("Flushing existing user defined chain '%s'\n", chain);
264 if (!iptc_flush_entries(chain, &handle))
265 exit_error(PARAMETER_PROBLEM,
266 "error flushing chain "
270 DEBUGP("Creating new chain '%s'\n", chain);
271 if (!iptc_create_chain(chain, &handle))
272 exit_error(PARAMETER_PROBLEM,
273 "error creating chain "
279 policy = strtok(NULL, " \t\n");
280 DEBUGP("line %u, policy '%s'\n", line, policy);
282 exit_error(PARAMETER_PROBLEM,
283 "%s: line %u policy invalid\n",
288 if (strcmp(policy, "-") != 0) {
289 struct ipt_counters count;
293 ctrs = strtok(NULL, " \t\n");
295 if (!ctrs || !parse_counters(ctrs, &count))
296 exit_error(PARAMETER_PROBLEM,
297 "invalid policy counters "
298 "for chain '%s'\n", chain);
302 sizeof(struct ipt_counters));
305 DEBUGP("Setting policy of chain %s to %s\n",
308 if (!iptc_set_policy(chain, policy, &count,
310 exit_error(OTHER_PROBLEM,
311 "Can't set policy `%s'"
312 " on `%s' line %u: %s\n",
314 iptc_strerror(errno));
319 } else if (in_table) {
328 int quote_open, escaped;
331 /* reset the newargv */
334 if (buffer[0] == '[') {
335 /* we have counters in our input */
336 ptr = strchr(buffer, ']');
338 exit_error(PARAMETER_PROBLEM,
339 "Bad line %u: need ]\n",
342 pcnt = strtok(buffer+1, ":");
344 exit_error(PARAMETER_PROBLEM,
345 "Bad line %u: need :\n",
348 bcnt = strtok(NULL, "]");
350 exit_error(PARAMETER_PROBLEM,
351 "Bad line %u: need ]\n",
354 /* start command parsing after counter */
355 parsestart = ptr + 1;
357 /* start command parsing at start of line */
363 add_argv((char *) &curtable);
365 if (counters && pcnt && bcnt) {
366 add_argv("--set-counters");
367 add_argv((char *) pcnt);
368 add_argv((char *) bcnt);
371 /* After fighting with strtok enough, here's now
372 * a 'real' parser. According to Rusty I'm now no
373 * longer a real hacker, but I can live with that */
379 for (curchar = parsestart; *curchar; curchar++) {
380 char param_buffer[1024];
384 param_buffer[param_len++] = *curchar;
387 } else if (*curchar == '\\') {
390 } else if (*curchar == '"') {
394 param_buffer[param_len++] = *curchar;
398 if (*curchar == '"') {
406 || * curchar == '\n') {
412 param_buffer[param_len] = '\0';
414 /* check if table name specified */
415 if (!strncmp(param_buffer, "-t", 3)
416 || !strncmp(param_buffer, "--table", 8)) {
417 exit_error(PARAMETER_PROBLEM,
418 "Line %u seems to have a "
419 "-t table option.\n", line);
423 add_argv(param_buffer);
426 /* regular character, copy to buffer */
427 param_buffer[param_len++] = *curchar;
429 if (param_len >= sizeof(param_buffer))
430 exit_error(PARAMETER_PROBLEM,
431 "Parameter too long!");
435 DEBUGP("calling do_command(%u, argv, &%s, handle):\n",
438 for (a = 0; a < newargc; a++)
439 DEBUGP("argv[%u]: %s\n", a, newargv[a]);
441 ret = do_command(newargc, newargv,
442 &newargv[2], &handle);
447 if (tablename && (strcmp(tablename, curtable) != 0))
450 fprintf(stderr, "%s: line %u failed\n",
456 fprintf(stderr, "%s: COMMIT expected at line %u\n",
457 program_name, line + 1);
git://git.onelab.eu / iptables.git / blob