+++ /dev/null
-.makefirst
-ip6tables
-ip6tables-restore
-ip6tables-save
-iptables
-iptables-restore
-iptables-save
-*.d
endif
COPT_FLAGS:=-O2
-CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -D__KERNGLUE__ -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DIPTC_DEBUG
+CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DIPTC_DEBUG
ifdef NO_SHARED_LIBS
CFLAGS += -DNO_SHARED_LIBS=1
+++ /dev/null
-#!/bin/bash
-
-if test -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_addrtype.h; then
- echo "addrtype"
-fi
+++ /dev/null
-#!/bin/sh
-# True if dccp is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_dccp.h ] && echo dccp
# header files are present in the include/linux directory of this iptables
# package (HW)
#
-PF_EXT_SLIB:=ah comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
+PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner physdev standard tcp udp HL LOG MARK TRACE
# Optionals
+++ /dev/null
-/* Shared library add-on to iptables to add CONNMARK target support.
- *
- * (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * Version 1.1
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include "../include/linux/netfilter_ipv4/ipt_CONNMARK.h"
-
-#if 0
-struct markinfo {
- struct ipt_entry_target t;
- struct ipt_connmark_target_info mark;
-};
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"CONNMARK target v%s options:\n"
-" --set-mark value[/mask] Set conntrack mark value\n"
-" --save-mark [--mask mask] Save the packet nfmark in the connection\n"
-" --restore-mark [--mask mask] Restore saved nfmark value\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "set-mark", 1, 0, '1' },
- { "save-mark", 0, 0, '2' },
- { "restore-mark", 0, 0, '3' },
- { "mask", 1, 0, '4' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- struct ipt_connmark_target_info *markinfo
- = (struct ipt_connmark_target_info *)(*target)->data;
-
- markinfo->mask = 0xffffffffUL;
-
- switch (c) {
- char *end;
- case '1':
- markinfo->mode = IPT_CONNMARK_SET;
-
- markinfo->mark = strtoul(optarg, &end, 0);
- if (*end == '/' && end[1] != '\0')
- markinfo->mask = strtoul(end+1, &end, 0);
-
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --set-mark twice");
- *flags = 1;
- break;
- case '2':
- markinfo->mode = IPT_CONNMARK_SAVE;
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --save-mark twice");
- *flags = 1;
- break;
- case '3':
- markinfo->mode = IPT_CONNMARK_RESTORE;
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --restore-mark twice");
- *flags = 1;
- break;
- case '4':
- if (!*flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: Can't specify --mask without a operation");
- markinfo->mask = strtoul(optarg, &end, 0);
-
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MASK value `%s'", optarg);
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "CONNMARK target: No operation specified");
-}
-
-static void
-print_mark(unsigned long mark)
-{
- printf("0x%lx", mark);
-}
-
-static void
-print_mask(const char *text, unsigned long mask)
-{
- if (mask != 0xffffffffUL)
- printf("%s0x%lx", text, mask);
-}
-
-
-/* Prints out the target info. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target,
- int numeric)
-{
- const struct ipt_connmark_target_info *markinfo =
- (const struct ipt_connmark_target_info *)target->data;
- switch (markinfo->mode) {
- case IPT_CONNMARK_SET:
- printf("CONNMARK set ");
- print_mark(markinfo->mark);
- print_mask("/", markinfo->mask);
- printf(" ");
- break;
- case IPT_CONNMARK_SAVE:
- printf("CONNMARK save ");
- print_mask("mask ", markinfo->mask);
- printf(" ");
- break;
- case IPT_CONNMARK_RESTORE:
- printf("CONNMARK restore ");
- print_mask("mask ", markinfo->mask);
- break;
- default:
- printf("ERROR: UNKNOWN CONNMARK MODE ");
- break;
- }
-}
-
-/* Saves the target into in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
-{
- const struct ipt_connmark_target_info *markinfo =
- (const struct ipt_connmark_target_info *)target->data;
-
- switch (markinfo->mode) {
- case IPT_CONNMARK_SET:
- printf("--set-mark ");
- print_mark(markinfo->mark);
- print_mask("/", markinfo->mask);
- printf(" ");
- break;
- case IPT_CONNMARK_SAVE:
- printf("--save-mark ");
- print_mask("--mask ", markinfo->mask);
- break;
- case IPT_CONNMARK_RESTORE:
- printf("--restore-mark ");
- print_mask("--mask ", markinfo->mask);
- break;
- default:
- printf("ERROR: UNKNOWN CONNMARK MODE ");
- break;
- }
-}
-
-static struct ip6tables_target connmark_target = {
- .name = "CONNMARK",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ipt_connmark_target_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ipt_connmark_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&connmark_target);
-}
+++ /dev/null
-/* Shared library add-on to ip666666tables for NFQ
- *
- * (C) 2005 by Harald Welte <laforge@netfilter.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv4/ipt_NFQUEUE.h>
-
-static void init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
-"NFQUEUE target options\n"
-" --queue-num value Send packet to QUEUE number <value>.\n"
-" Valid queue numbers are 0-65535\n"
-);
-}
-
-static struct option opts[] = {
- { "queue-num", 1, 0, 'F' },
- { 0 }
-};
-
-static void
-parse_num(const char *s, struct ipt_NFQ_info *tinfo)
-{
- unsigned int num;
-
- if (string_to_number(s, 0, 65535, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid queue number `%s'\n", s);
-
- tinfo->queuenum = num & 0xffff;
- return;
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- struct ipt_NFQ_info *tinfo
- = (struct ipt_NFQ_info *)(*target)->data;
-
- switch (c) {
- case 'F':
- if (*flags)
- exit_error(PARAMETER_PROBLEM, "NFQUEUE target: "
- "Only use --queue-num ONCE!");
- parse_num(optarg, tinfo);
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target,
- int numeric)
-{
- const struct ipt_NFQ_info *tinfo =
- (const struct ipt_NFQ_info *)target->data;
- printf("NFQUEUE num %u", tinfo->queuenum);
-}
-
-/* Saves the union ip6t_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
-{
- const struct ipt_NFQ_info *tinfo =
- (const struct ipt_NFQ_info *)target->data;
-
- printf("--queue-num %u ", tinfo->queuenum);
-}
-
-static struct ip6tables_target nfqueue = {
- .next = NULL,
- .name = "NFQUEUE",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ipt_NFQ_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ipt_NFQ_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&nfqueue);
-}
+++ /dev/null
-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
-you to put a packet into any specific queue, identified by its 16-bit queue
-number.
-.TP
-.BR "--queue-num " "\fIvalue"
-This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
-.TP
-It can only be used with Kernel versions 2.6.14 or later, since it requires
-the
-.B
-nfnetlink_queue
-kernel support.
+++ /dev/null
-/* Shared library add-on to iptables to add connmark matching support.
- *
- * (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * Version 1.1
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include "../include/linux/netfilter_ipv4/ipt_connmark.h"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"CONNMARK match v%s options:\n"
-"[!] --mark value[/mask] Match nfmark value with optional mask\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "mark", 1, 0, '1' },
- {0}
-};
-
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- /* Can't cache this. */
- *nfcache |= NFC_UNKNOWN;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ipt_connmark_info *markinfo = (struct ipt_connmark_info *)(*match)->data;
-
- switch (c) {
- char *end;
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- markinfo->mark = strtoul(optarg, &end, 0);
- markinfo->mask = 0xffffffffUL;
-
- if (*end == '/')
- markinfo->mask = strtoul(end+1, &end, 0);
-
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
- if (invert)
- markinfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_mark(unsigned long mark, unsigned long mask, int numeric)
-{
- if(mask != 0xffffffffUL)
- printf("0x%lx/0x%lx ", mark, mask);
- else
- printf("0x%lx ", mark);
-}
-
-/* Final check; must have specified --mark. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "MARK match: You must specify `--mark'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- struct ipt_connmark_info *info = (struct ipt_connmark_info *)match->data;
-
- printf("CONNMARK match ");
- if (info->invert)
- printf("!");
- print_mark(info->mark, info->mask, numeric);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- struct ipt_connmark_info *info = (struct ipt_connmark_info *)match->data;
-
- if (info->invert)
- printf("! ");
-
- printf("--mark ");
- print_mark(info->mark, info->mask, 0);
-}
-
-static struct ip6tables_match connmark_match = {
- .name = "connmark",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ipt_connmark_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ipt_connmark_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match6(&connmark_match);
-}
+++ /dev/null
-/* Shared library add-on to iptables to add policy support. */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <netdb.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <ip6tables.h>
-
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include "../include/linux/netfilter_ipv6/ip6t_policy.h"
-
-/*
- * HACK: global pointer to current matchinfo for making
- * final checks and adjustments in final_check.
- */
-static struct ip6t_policy_info *policy_info;
-
-static void help(void)
-{
- printf(
-"policy v%s options:\n"
-" --dir in|out match policy applied during decapsulation/\n"
-" policy to be applied during encapsulation\n"
-" --pol none|ipsec match policy\n"
-" --strict match entire policy instead of single element\n"
-" at any position\n"
-"[!] --reqid reqid match reqid\n"
-"[!] --spi spi match SPI\n"
-"[!] --proto proto match protocol (ah/esp/ipcomp)\n"
-"[!] --mode mode match mode (transport/tunnel)\n"
-"[!] --tunnel-src addr/masklen match tunnel source\n"
-"[!] --tunnel-dst addr/masklen match tunnel destination\n"
-" --next begin next element in policy\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] =
-{
- {
- .name = "dir",
- .has_arg = 1,
- .val = '1',
- },
- {
- .name = "pol",
- .has_arg = 1,
- .val = '2',
- },
- {
- .name = "strict",
- .val = '3'
- },
- {
- .name = "reqid",
- .has_arg = 1,
- .val = '4',
- },
- {
- .name = "spi",
- .has_arg = 1,
- .val = '5'
- },
- {
- .name = "tunnel-src",
- .has_arg = 1,
- .val = '6'
- },
- {
- .name = "tunnel-dst",
- .has_arg = 1,
- .val = '7'
- },
- {
- .name = "proto",
- .has_arg = 1,
- .val = '8'
- },
- {
- .name = "mode",
- .has_arg = 1,
- .val = '9'
- },
- {
- .name = "next",
- .val = 'a'
- },
- { }
-};
-
-/* FIXME - Duplicated code from ip6tables.c */
-/* Duplicated to stop too many changes in other files .... */
-static void
-in6addrcpy(struct in6_addr *dst, struct in6_addr *src)
-{
- memcpy(dst, src, sizeof(struct in6_addr));
- /* dst->s6_addr = src->s6_addr; */
-}
-
-static char *
-addr_to_numeric(const struct in6_addr *addrp)
-{
- /* 0000:0000:0000:0000:0000:000.000.000.000
- * 0000:0000:0000:0000:0000:0000:0000:0000 */
- static char buf[50+1];
- return (char *)inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
-}
-
-static char *
-mask_to_numeric(const struct in6_addr *addrp)
-{
- static char buf[50+2];
- int l = ipv6_prefix_length(addrp);
- if (l == -1) {
- strcpy(buf, "/");
- strcat(buf, addr_to_numeric(addrp));
- return buf;
- }
- sprintf(buf, "/%d", l);
- return buf;
-}
-
-/* These should be in include/ip6tables.h... */
-extern u_int16_t parse_protocol(const char *s);
-extern void parse_hostnetworkmask(const char *name, struct in6_addr **addrpp,
- struct in6_addr *maskp, unsigned int *naddrs);
-
-/* End duplicated code from ip6tables.c */
-
-static void init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- *nfcache |= NFC_UNKNOWN;
-}
-
-static int parse_direction(char *s)
-{
- if (strcmp(s, "in") == 0)
- return IP6T_POLICY_MATCH_IN;
- if (strcmp(s, "out") == 0)
- return IP6T_POLICY_MATCH_OUT;
- exit_error(PARAMETER_PROBLEM, "policy_match: invalid dir `%s'", s);
-}
-
-static int parse_policy(char *s)
-{
- if (strcmp(s, "none") == 0)
- return IP6T_POLICY_MATCH_NONE;
- if (strcmp(s, "ipsec") == 0)
- return 0;
- exit_error(PARAMETER_PROBLEM, "policy match: invalid policy `%s'", s);
-}
-
-static int parse_mode(char *s)
-{
- if (strcmp(s, "transport") == 0)
- return IP6T_POLICY_MODE_TRANSPORT;
- if (strcmp(s, "tunnel") == 0)
- return IP6T_POLICY_MODE_TUNNEL;
- exit_error(PARAMETER_PROBLEM, "policy match: invalid mode `%s'", s);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_policy_info *info = (void *)(*match)->data;
- struct ip6t_policy_elem *e = &info->pol[info->len];
- struct in6_addr *addr = NULL, mask;
- unsigned int naddr = 0;
- int mode;
-
- check_inverse(optarg, &invert, &optind, 0);
-
- switch (c) {
- case '1':
- if (info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --dir option");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --dir option");
-
- info->flags |= parse_direction(argv[optind-1]);
- break;
- case '2':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --policy option");
-
- info->flags |= parse_policy(argv[optind-1]);
- break;
- case '3':
- if (info->flags & IP6T_POLICY_MATCH_STRICT)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --strict option");
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --strict option");
-
- info->flags |= IP6T_POLICY_MATCH_STRICT;
- break;
- case '4':
- if (e->match.reqid)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --reqid option");
-
- e->match.reqid = 1;
- e->invert.reqid = invert;
- e->reqid = strtol(argv[optind-1], NULL, 10);
- break;
- case '5':
- if (e->match.spi)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --spi option");
-
- e->match.spi = 1;
- e->invert.spi = invert;
- e->spi = strtol(argv[optind-1], NULL, 0x10);
- break;
- case '6':
- if (e->match.saddr)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --tunnel-src option");
-
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
- if (naddr > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: name resolves to multiple IPs");
-
- e->match.saddr = 1;
- e->invert.saddr = invert;
- in6addrcpy(&e->saddr.a6, addr);
- in6addrcpy(&e->smask.a6, &mask);
- break;
- case '7':
- if (e->match.daddr)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --tunnel-dst option");
-
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
- if (naddr > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: name resolves to multiple IPs");
-
- e->match.daddr = 1;
- e->invert.daddr = invert;
- in6addrcpy(&e->daddr.a6, addr);
- in6addrcpy(&e->dmask.a6, &mask);
- break;
- case '8':
- if (e->match.proto)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --proto option");
-
- e->proto = parse_protocol(argv[optind-1]);
- if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
- e->proto != IPPROTO_COMP)
- exit_error(PARAMETER_PROBLEM,
- "policy match: protocol must ah/esp/ipcomp");
- e->match.proto = 1;
- e->invert.proto = invert;
- break;
- case '9':
- if (e->match.mode)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --mode option");
-
- mode = parse_mode(argv[optind-1]);
- e->match.mode = 1;
- e->invert.mode = invert;
- e->mode = mode;
- break;
- case 'a':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --next option");
-
- if (++info->len == IP6T_POLICY_MAX_ELEM)
- exit_error(PARAMETER_PROBLEM,
- "policy match: maximum policy depth reached");
- break;
- default:
- return 0;
- }
-
- policy_info = info;
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- struct ip6t_policy_info *info = policy_info;
- struct ip6t_policy_elem *e;
- int i;
-
- if (info == NULL)
- exit_error(PARAMETER_PROBLEM,
- "policy match: no parameters given");
-
- if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT)))
- exit_error(PARAMETER_PROBLEM,
- "policy match: neither --in nor --out specified");
-
- if (info->flags & IP6T_POLICY_MATCH_NONE) {
- if (info->flags & IP6T_POLICY_MATCH_STRICT)
- exit_error(PARAMETER_PROBLEM,
- "policy match: policy none but --strict given");
-
- if (info->len != 0)
- exit_error(PARAMETER_PROBLEM,
- "policy match: policy none but policy given");
- } else
- info->len++; /* increase len by 1, no --next after last element */
-
- if (!(info->flags & IP6T_POLICY_MATCH_STRICT) && info->len > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: multiple elements but no --strict");
-
- for (i = 0; i < info->len; i++) {
- e = &info->pol[i];
-
- if (info->flags & IP6T_POLICY_MATCH_STRICT &&
- !(e->match.reqid || e->match.spi || e->match.saddr ||
- e->match.daddr || e->match.proto || e->match.mode))
- exit_error(PARAMETER_PROBLEM,
- "policy match: empty policy element");
-
- if ((e->match.saddr || e->match.daddr)
- && ((e->mode == IP6T_POLICY_MODE_TUNNEL && e->invert.mode) ||
- (e->mode == IP6T_POLICY_MODE_TRANSPORT && !e->invert.mode)))
- exit_error(PARAMETER_PROBLEM,
- "policy match: --tunnel-src/--tunnel-dst "
- "is only valid in tunnel mode");
- }
-}
-
-static void print_mode(char *prefix, u_int8_t mode, int numeric)
-{
- printf("%smode ", prefix);
-
- switch (mode) {
- case IP6T_POLICY_MODE_TRANSPORT:
- printf("transport ");
- break;
- case IP6T_POLICY_MODE_TUNNEL:
- printf("tunnel ");
- break;
- default:
- printf("??? ");
- break;
- }
-}
-
-static void print_proto(char *prefix, u_int8_t proto, int numeric)
-{
- struct protoent *p = NULL;
-
- printf("%sproto ", prefix);
- if (!numeric)
- p = getprotobynumber(proto);
- if (p != NULL)
- printf("%s ", p->p_name);
- else
- printf("%u ", proto);
-}
-
-#define PRINT_INVERT(x) \
-do { \
- if (x) \
- printf("! "); \
-} while(0)
-
-static void print_entry(char *prefix, const struct ip6t_policy_elem *e,
- int numeric)
-{
- if (e->match.reqid) {
- PRINT_INVERT(e->invert.reqid);
- printf("%sreqid %u ", prefix, e->reqid);
- }
- if (e->match.spi) {
- PRINT_INVERT(e->invert.spi);
- printf("%sspi 0x%x ", prefix, e->spi);
- }
- if (e->match.proto) {
- PRINT_INVERT(e->invert.proto);
- print_proto(prefix, e->proto, numeric);
- }
- if (e->match.mode) {
- PRINT_INVERT(e->invert.mode);
- print_mode(prefix, e->mode, numeric);
- }
- if (e->match.daddr) {
- PRINT_INVERT(e->invert.daddr);
- printf("%stunnel-dst %s%s ", prefix,
- addr_to_numeric((struct in6_addr *)&e->daddr),
- mask_to_numeric((struct in6_addr *)&e->dmask));
- }
- if (e->match.saddr) {
- PRINT_INVERT(e->invert.saddr);
- printf("%stunnel-src %s%s ", prefix,
- addr_to_numeric((struct in6_addr *)&e->saddr),
- mask_to_numeric((struct in6_addr *)&e->smask));
- }
-}
-
-static void print_flags(char *prefix, const struct ip6t_policy_info *info)
-{
- if (info->flags & IP6T_POLICY_MATCH_IN)
- printf("%sdir in ", prefix);
- else
- printf("%sdir out ", prefix);
-
- if (info->flags & IP6T_POLICY_MATCH_NONE)
- printf("%spol none ", prefix);
- else
- printf("%spol ipsec ", prefix);
-
- if (info->flags & IP6T_POLICY_MATCH_STRICT)
- printf("%sstrict ", prefix);
-}
-
-static void print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_policy_info *info = (void *)match->data;
- unsigned int i;
-
- printf("policy match ");
- print_flags("", info);
- for (i = 0; i < info->len; i++) {
- if (info->len > 1)
- printf("[%u] ", i);
- print_entry("", &info->pol[i], numeric);
- }
-
- printf("\n");
-}
-
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_policy_info *info = (void *)match->data;
- unsigned int i;
-
- print_flags("--", info);
- for (i = 0; i < info->len; i++) {
- print_entry("--", &info->pol[i], 0);
- if (i + 1 < info->len)
- printf("--next ");
- }
-}
-
-struct ip6tables_match policy = {
- .name = "policy",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_policy_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_policy_info)),
- .help = help,
- .init = init,
- .parse = parse,
- .final_check = final_check,
- .print = print,
- .save = save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match6(&policy);
-}
+++ /dev/null
-This modules matches the policy used by IPsec for handling a packet.
-.TP
-.BI "--dir " "in|out"
-Used to select whether to match the policy used for decapsulation or the
-policy that will be used for encapsulation.
-.B in
-is valid in the
-.B PREROUTING, INPUT and FORWARD
-chains,
-.B out
-is valid in the
-.B POSTROUTING, OUTPUT and FORWARD
-chains.
-.TP
-.BI "--pol " "none|ipsec"
-Matches if the packet is subject to IPsec processing.
-.TP
-.BI "--strict"
-Selects whether to match the exact policy or match if any rule of
-the policy matches the given policy.
-.TP
-.BI "--reqid " "id"
-Matches the reqid of the policy rule. The reqid can be specified with
-.B setkey(8)
-using
-.B unique:id
-as level.
-.TP
-.BI "--spi " "spi"
-Matches the SPI of the SA.
-.TP
-.BI "--proto " "ah|esp|ipcomp"
-Matches the encapsulation protocol.
-.TP
-.BI "--mode " "tunnel|transport"
-Matches the encapsulation mode.
-.TP
-.BI "--tunnel-src " "addr[/mask]"
-Matches the source end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--tunnel-dst " "addr[/mask]"
-Matches the destination end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--next"
-Start the next element in the policy specification. Can only be used with
---strict
+++ /dev/null
-/* Ugly hack to make state matching for ipv6 work before iptables-1.4.x is finished */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ipt_state.h>
-
-#ifndef IPT_STATE_UNTRACKED
-#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"state v%s options:\n"
-" [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]\n"
-" State(s) to match\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "state", 1, 0, '1' },
- {0}
-};
-
-static int
-parse_state(const char *state, size_t strlen, struct ipt_state_info *sinfo)
-{
- if (strncasecmp(state, "INVALID", strlen) == 0)
- sinfo->statemask |= IPT_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
- sinfo->statemask |= IPT_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
- sinfo->statemask |= IPT_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
- sinfo->statemask |= IPT_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
- sinfo->statemask |= IPT_STATE_UNTRACKED;
- else
- return 0;
- return 1;
-}
-
-static void
-parse_states(const char *arg, struct ipt_state_info *sinfo)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_state(arg, comma-arg, sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad state `%s'", arg);
- arg = comma+1;
- }
-
- if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad state `%s'", arg);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ipt_state_info *sinfo = (struct ipt_state_info *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_states(argv[optind-1], sinfo);
- if (invert)
- sinfo->statemask = ~sinfo->statemask;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified --state. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "You must specify `--state'");
-}
-
-static void print_state(unsigned int statemask)
-{
- const char *sep = "";
-
- if (statemask & IPT_STATE_INVALID) {
- printf("%sINVALID", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_BIT(IP_CT_NEW)) {
- printf("%sNEW", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_BIT(IP_CT_RELATED)) {
- printf("%sRELATED", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_BIT(IP_CT_ESTABLISHED)) {
- printf("%sESTABLISHED", sep);
- sep = ",";
- }
- if (statemask & IPT_STATE_UNTRACKED) {
- printf("%sUNTRACKED", sep);
- sep = ",";
- }
- printf(" ");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- struct ipt_state_info *sinfo = (struct ipt_state_info *)match->data;
-
- printf("state ");
- print_state(sinfo->statemask);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- struct ipt_state_info *sinfo = (struct ipt_state_info *)match->data;
-
- printf("--state ");
- print_state(sinfo->statemask);
-}
-
-static struct ip6tables_match state = {
- .next = NULL,
- .name = "state",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ipt_state_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ipt_state_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match6(&state);
-}
+++ /dev/null
-/* Shared library add-on to iptables for NFQ
- *
- * (C) 2005 by Harald Welte <laforge@netfilter.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_NFQUEUE.h>
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
-"NFQUEUE target options\n"
-" --queue-num value Send packet to QUEUE number <value>.\n"
-" Valid queue numbers are 0-65535\n"
-);
-}
-
-static struct option opts[] = {
- { "queue-num", 1, 0, 'F' },
- { 0 }
-};
-
-static void
-parse_num(const char *s, struct ipt_NFQ_info *tinfo)
-{
- unsigned int num;
-
- if (string_to_number(s, 0, 65535, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid queue number `%s'\n", s);
-
- tinfo->queuenum = num & 0xffff;
- return;
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_NFQ_info *tinfo
- = (struct ipt_NFQ_info *)(*target)->data;
-
- switch (c) {
- case 'F':
- if (*flags)
- exit_error(PARAMETER_PROBLEM, "NFQUEUE target: "
- "Only use --queue-num ONCE!");
- parse_num(optarg, tinfo);
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_NFQ_info *tinfo =
- (const struct ipt_NFQ_info *)target->data;
- printf("NFQUEUE num %u", tinfo->queuenum);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_NFQ_info *tinfo =
- (const struct ipt_NFQ_info *)target->data;
-
- printf("--queue-num %u ", tinfo->queuenum);
-}
-
-static struct iptables_target nfqueue = {
- .next = NULL,
- .name = "NFQUEUE",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_NFQ_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_NFQ_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&nfqueue);
-}
+++ /dev/null
-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
-you to put a packet into any specific queue, identified by its 16-bit queue
-number.
-.TP
-.BR "--queue-num " "\fIvalue"
-This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
-.TP
-It can only be used with Kernel versions 2.6.14 or later, since it requires
-the
-.B
-nfnetlink_queue
-kernel support.
+++ /dev/null
-/* Shared library add-on to iptables for DCCP matching
- *
- * (C) 2005 by Harald Welte <laforge@netfilter.org>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <netdb.h>
-#include <ctype.h>
-
-#include <iptables.h>
-#include <linux/dccp.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_dccp.h>
-
-#if 0
-#define DEBUGP(format, first...) printf(format, ##first)
-#define static
-#else
-#define DEBUGP(format, fist...)
-#endif
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m,
- unsigned int *nfcache)
-{
- struct ipt_dccp_info *einfo = (struct ipt_dccp_info *)m->data;
-
- memset(einfo, 0, sizeof(struct ipt_dccp_info));
-}
-
-static void help(void)
-{
- printf(
-"DCCP match v%s options\n"
-" --source-port [!] port[:port] match source port(s)\n"
-" --sport ...\n"
-" --destination-port [!] port[:port] match destination port(s)\n"
-" --dport ...\n"
-,
- IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { .name = "source-port", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "sport", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "destination-port", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "dport", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = "dccp-types", .has_arg = 1, .flag = 0, .val = '3' },
- { .name = "dccp-option", .has_arg = 1, .flag = 0, .val = '4' },
- { .name = 0 }
-};
-
-static int
-service_to_port(const char *name)
-{
- struct servent *service;
-
- if ((service = getservbyname(name, "dccp")) != NULL)
- return ntohs((unsigned short) service->s_port);
-
- return -1;
-}
-
-static u_int16_t
-parse_dccp_port(const char *port)
-{
- unsigned int portnum;
-
- DEBUGP("%s\n", port);
- if (string_to_number(port, 0, 65535, &portnum) != -1 ||
- (portnum = service_to_port(port)) != -1)
- return (u_int16_t)portnum;
-
- exit_error(PARAMETER_PROBLEM,
- "invalid DCCP port/service `%s' specified", port);
-}
-
-static void
-parse_dccp_ports(const char *portstring,
- u_int16_t *ports)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(portstring);
- DEBUGP("%s\n", portstring);
- if ((cp = strchr(buffer, ':')) == NULL) {
- ports[0] = ports[1] = parse_dccp_port(buffer);
- }
- else {
- *cp = '\0';
- cp++;
-
- ports[0] = buffer[0] ? parse_dccp_port(buffer) : 0;
- ports[1] = cp[0] ? parse_dccp_port(cp) : 0xFFFF;
-
- if (ports[0] > ports[1])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange (min > max)");
- }
- free(buffer);
-}
-
-static char *dccp_pkt_types[] = {
- [DCCP_PKT_REQUEST] = "REQUEST",
- [DCCP_PKT_RESPONSE] = "RESPONSE",
- [DCCP_PKT_DATA] = "DATA",
- [DCCP_PKT_ACK] = "ACK",
- [DCCP_PKT_DATAACK] = "DATAACK",
- [DCCP_PKT_CLOSEREQ] = "CLOSEREQ",
- [DCCP_PKT_CLOSE] = "CLOSE",
- [DCCP_PKT_RESET] = "RESET",
- [DCCP_PKT_SYNC] = "SYNC",
- [DCCP_PKT_SYNCACK] = "SYNCACK",
- [DCCP_PKT_INVALID] = "INVALID",
-};
-
-static u_int16_t
-parse_dccp_types(const char *typestring)
-{
- u_int16_t typemask = 0;
- char *ptr, *buffer;
-
- buffer = strdup(typestring);
-
- for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
- unsigned int i;
- for (i = 0; i < sizeof(dccp_pkt_types)/sizeof(char *); i++) {
- if (!strcasecmp(dccp_pkt_types[i], ptr)) {
- typemask |= (1 << i);
- break;
- }
- }
- if (i == sizeof(dccp_pkt_types)/sizeof(char *))
- exit_error(PARAMETER_PROBLEM,
- "Unknown DCCP type `%s'", ptr);
- }
-
- free(buffer);
- return typemask;
-}
-
-static u_int8_t parse_dccp_option(char *optstring)
-{
- unsigned int ret;
-
- if (string_to_number(optstring, 1, 255, &ret) == -1)
- exit_error(PARAMETER_PROBLEM, "Bad DCCP option `%s'",
- optstring);
-
- return (u_int8_t)ret;
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_dccp_info *einfo
- = (struct ipt_dccp_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IPT_DCCP_SRC_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--source-port' allowed");
- einfo->flags |= IPT_DCCP_SRC_PORTS;
- check_inverse(optarg, &invert, &optind, 0);
- parse_dccp_ports(argv[optind-1], einfo->spts);
- if (invert)
- einfo->invflags |= IPT_DCCP_SRC_PORTS;
- *flags |= IPT_DCCP_SRC_PORTS;
- break;
-
- case '2':
- if (*flags & IPT_DCCP_DEST_PORTS)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--destination-port' allowed");
- einfo->flags |= IPT_DCCP_DEST_PORTS;
- check_inverse(optarg, &invert, &optind, 0);
- parse_dccp_ports(argv[optind-1], einfo->dpts);
- if (invert)
- einfo->invflags |= IPT_DCCP_DEST_PORTS;
- *flags |= IPT_DCCP_DEST_PORTS;
- break;
-
- case '3':
- if (*flags & IPT_DCCP_TYPE)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--dccp-types' allowed");
- einfo->flags |= IPT_DCCP_TYPE;
- check_inverse(optarg, &invert, &optind, 0);
- einfo->typemask = parse_dccp_types(argv[optind-1]);
- if (invert)
- einfo->invflags |= IPT_DCCP_TYPE;
- *flags |= IPT_DCCP_TYPE;
- break;
-
- case '4':
- if (*flags & IPT_DCCP_OPTION)
- exit_error(PARAMETER_PROBLEM,
- "Only one `--dccp-option' allowed");
- einfo->flags |= IPT_DCCP_OPTION;
- check_inverse(optarg, &invert, &optind, 0);
- einfo->option = parse_dccp_option(argv[optind-1]);
- if (invert)
- einfo->invflags |= IPT_DCCP_OPTION;
- *flags |= IPT_DCCP_OPTION;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-static char *
-port_to_service(int port)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port), "dccp")))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-static void
-print_ports(const char *name, u_int16_t min, u_int16_t max,
- int invert, int numeric)
-{
- const char *inv = invert ? "!" : "";
-
- if (min != 0 || max != 0xFFFF || invert) {
- printf("%s", name);
- if (min == max) {
- printf(":%s", inv);
- print_port(min, numeric);
- } else {
- printf("s:%s", inv);
- print_port(min, numeric);
- printf(":");
- print_port(max, numeric);
- }
- printf(" ");
- }
-}
-
-static void
-print_types(u_int16_t types, int inverted, int numeric)
-{
- int have_type = 0;
-
- if (inverted)
- printf("! ");
-
- while (types) {
- unsigned int i;
-
- for (i = 0; !(types & (1 << i)); i++);
-
- if (have_type)
- printf(",");
- else
- have_type = 1;
-
- if (numeric)
- printf("%u", i);
- else
- printf("%s", dccp_pkt_types[i]);
-
- types &= ~(1 << i);
- }
-}
-
-static void
-print_option(u_int8_t option, int invert, int numeric)
-{
- if (option || invert)
- printf("option=%s%u ", invert ? "!" : "", option);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_dccp_info *einfo =
- (const struct ipt_dccp_info *)match->data;
-
- printf("dccp ");
-
- if (einfo->flags & IPT_DCCP_SRC_PORTS) {
- print_ports("spt", einfo->spts[0], einfo->spts[1],
- einfo->invflags & IPT_DCCP_SRC_PORTS,
- numeric);
- }
-
- if (einfo->flags & IPT_DCCP_DEST_PORTS) {
- print_ports("dpt", einfo->dpts[0], einfo->dpts[1],
- einfo->invflags & IPT_DCCP_DEST_PORTS,
- numeric);
- }
-
- if (einfo->flags & IPT_DCCP_TYPE) {
- print_types(einfo->typemask,
- einfo->invflags & IPT_DCCP_TYPE,
- numeric);
- }
-
- if (einfo->flags & IPT_DCCP_OPTION) {
- print_option(einfo->option,
- einfo->invflags & IPT_DCCP_OPTION, numeric);
- }
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip,
- const struct ipt_entry_match *match)
-{
- const struct ipt_dccp_info *einfo =
- (const struct ipt_dccp_info *)match->data;
-
- if (einfo->flags & IPT_DCCP_SRC_PORTS) {
- if (einfo->invflags & IPT_DCCP_SRC_PORTS)
- printf("! ");
- if (einfo->spts[0] != einfo->spts[1])
- printf("--sport %u:%u ",
- einfo->spts[0], einfo->spts[1]);
- else
- printf("--sport %u ", einfo->spts[0]);
- }
-
- if (einfo->flags & IPT_DCCP_DEST_PORTS) {
- if (einfo->invflags & IPT_DCCP_DEST_PORTS)
- printf("! ");
- if (einfo->dpts[0] != einfo->dpts[1])
- printf("--dport %u:%u ",
- einfo->dpts[0], einfo->dpts[1]);
- else
- printf("--dport %u ", einfo->dpts[0]);
- }
-
- if (einfo->flags & IPT_DCCP_TYPE) {
- printf("--dccp-type ");
- print_types(einfo->typemask, einfo->invflags & IPT_DCCP_TYPE,0);
- }
-
- if (einfo->flags & IPT_DCCP_OPTION) {
- printf("--dccp-option %s%u ",
- einfo->typemask & IPT_DCCP_OPTION ? "! " : "",
- einfo->option);
- }
-}
-
-static
-struct iptables_match dccp
-= { .name = "dccp",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_dccp_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_dccp_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&dccp);
-}
-
+++ /dev/null
-.TP
-\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
-.TP
-\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
-.TP
-\fB--dccp-types\fR [\fB!\fR] \fImask\fP
-Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
-list of packet types. Packet types are:
-.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
-.TP
-\fB--dccp-option\fR [\fB!\fR\] \fInumber\fP
-Match if DCP option set.
+++ /dev/null
-/* Shared library add-on to iptables to add policy support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <netdb.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <iptables.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "../include/linux/netfilter_ipv4/ipt_policy.h"
-
-/*
- * HACK: global pointer to current matchinfo for making
- * final checks and adjustments in final_check.
- */
-static struct ipt_policy_info *policy_info;
-
-static void help(void)
-{
- printf(
-"policy v%s options:\n"
-" --dir in|out match policy applied during decapsulation/\n"
-" policy to be applied during encapsulation\n"
-" --pol none|ipsec match policy\n"
-" --strict match entire policy instead of single element\n"
-" at any position\n"
-"[!] --reqid reqid match reqid\n"
-"[!] --spi spi match SPI\n"
-"[!] --proto proto match protocol (ah/esp/ipcomp)\n"
-"[!] --mode mode match mode (transport/tunnel)\n"
-"[!] --tunnel-src addr/mask match tunnel source\n"
-"[!] --tunnel-dst addr/mask match tunnel destination\n"
-" --next begin next element in policy\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] =
-{
- {
- .name = "dir",
- .has_arg = 1,
- .val = '1',
- },
- {
- .name = "pol",
- .has_arg = 1,
- .val = '2',
- },
- {
- .name = "strict",
- .val = '3'
- },
- {
- .name = "reqid",
- .has_arg = 1,
- .val = '4',
- },
- {
- .name = "spi",
- .has_arg = 1,
- .val = '5'
- },
- {
- .name = "tunnel-src",
- .has_arg = 1,
- .val = '6'
- },
- {
- .name = "tunnel-dst",
- .has_arg = 1,
- .val = '7'
- },
- {
- .name = "proto",
- .has_arg = 1,
- .val = '8'
- },
- {
- .name = "mode",
- .has_arg = 1,
- .val = '9'
- },
- {
- .name = "next",
- .val = 'a'
- },
- { }
-};
-
-static void init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- *nfcache |= NFC_UNKNOWN;
-}
-
-static int parse_direction(char *s)
-{
- if (strcmp(s, "in") == 0)
- return IPT_POLICY_MATCH_IN;
- if (strcmp(s, "out") == 0)
- return IPT_POLICY_MATCH_OUT;
- exit_error(PARAMETER_PROBLEM, "policy_match: invalid dir `%s'", s);
-}
-
-static int parse_policy(char *s)
-{
- if (strcmp(s, "none") == 0)
- return IPT_POLICY_MATCH_NONE;
- if (strcmp(s, "ipsec") == 0)
- return 0;
- exit_error(PARAMETER_PROBLEM, "policy match: invalid policy `%s'", s);
-}
-
-static int parse_mode(char *s)
-{
- if (strcmp(s, "transport") == 0)
- return IPT_POLICY_MODE_TRANSPORT;
- if (strcmp(s, "tunnel") == 0)
- return IPT_POLICY_MODE_TUNNEL;
- exit_error(PARAMETER_PROBLEM, "policy match: invalid mode `%s'", s);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_policy_info *info = (void *)(*match)->data;
- struct ipt_policy_elem *e = &info->pol[info->len];
- struct in_addr *addr = NULL, mask;
- unsigned int naddr = 0;
- int mode;
-
- check_inverse(optarg, &invert, &optind, 0);
-
- switch (c) {
- case '1':
- if (info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --dir option");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --dir option");
-
- info->flags |= parse_direction(argv[optind-1]);
- break;
- case '2':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --policy option");
-
- info->flags |= parse_policy(argv[optind-1]);
- break;
- case '3':
- if (info->flags & IPT_POLICY_MATCH_STRICT)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --strict option");
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --strict option");
-
- info->flags |= IPT_POLICY_MATCH_STRICT;
- break;
- case '4':
- if (e->match.reqid)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --reqid option");
-
- e->match.reqid = 1;
- e->invert.reqid = invert;
- e->reqid = strtol(argv[optind-1], NULL, 10);
- break;
- case '5':
- if (e->match.spi)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --spi option");
-
- e->match.spi = 1;
- e->invert.spi = invert;
- e->spi = strtol(argv[optind-1], NULL, 0x10);
- break;
- case '6':
- if (e->match.saddr)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --tunnel-src option");
-
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
- if (naddr > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: name resolves to multiple IPs");
-
- e->match.saddr = 1;
- e->invert.saddr = invert;
- e->saddr.a4 = addr[0];
- e->smask.a4 = mask;
- break;
- case '7':
- if (e->match.daddr)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --tunnel-dst option");
-
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
- if (naddr > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: name resolves to multiple IPs");
-
- e->match.daddr = 1;
- e->invert.daddr = invert;
- e->daddr.a4 = addr[0];
- e->dmask.a4 = mask;
- break;
- case '8':
- if (e->match.proto)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --proto option");
-
- e->proto = parse_protocol(argv[optind-1]);
- if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
- e->proto != IPPROTO_COMP)
- exit_error(PARAMETER_PROBLEM,
- "policy match: protocol must ah/esp/ipcomp");
- e->match.proto = 1;
- e->invert.proto = invert;
- break;
- case '9':
- if (e->match.mode)
- exit_error(PARAMETER_PROBLEM,
- "policy match: double --mode option");
-
- mode = parse_mode(argv[optind-1]);
- e->match.mode = 1;
- e->invert.mode = invert;
- e->mode = mode;
- break;
- case 'a':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "policy match: can't invert --next option");
-
- if (++info->len == IPT_POLICY_MAX_ELEM)
- exit_error(PARAMETER_PROBLEM,
- "policy match: maximum policy depth reached");
- break;
- default:
- return 0;
- }
-
- policy_info = info;
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- struct ipt_policy_info *info = policy_info;
- struct ipt_policy_elem *e;
- int i;
-
- if (info == NULL)
- exit_error(PARAMETER_PROBLEM,
- "policy match: no parameters given");
-
- if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT)))
- exit_error(PARAMETER_PROBLEM,
- "policy match: neither --in nor --out specified");
-
- if (info->flags & IPT_POLICY_MATCH_NONE) {
- if (info->flags & IPT_POLICY_MATCH_STRICT)
- exit_error(PARAMETER_PROBLEM,
- "policy match: policy none but --strict given");
-
- if (info->len != 0)
- exit_error(PARAMETER_PROBLEM,
- "policy match: policy none but policy given");
- } else
- info->len++; /* increase len by 1, no --next after last element */
-
- if (!(info->flags & IPT_POLICY_MATCH_STRICT) && info->len > 1)
- exit_error(PARAMETER_PROBLEM,
- "policy match: multiple elements but no --strict");
-
- for (i = 0; i < info->len; i++) {
- e = &info->pol[i];
-
- if (info->flags & IPT_POLICY_MATCH_STRICT &&
- !(e->match.reqid || e->match.spi || e->match.saddr ||
- e->match.daddr || e->match.proto || e->match.mode))
- exit_error(PARAMETER_PROBLEM,
- "policy match: empty policy element");
-
- if ((e->match.saddr || e->match.daddr)
- && ((e->mode == IPT_POLICY_MODE_TUNNEL && e->invert.mode) ||
- (e->mode == IPT_POLICY_MODE_TRANSPORT && !e->invert.mode)))
- exit_error(PARAMETER_PROBLEM,
- "policy match: --tunnel-src/--tunnel-dst "
- "is only valid in tunnel mode");
- }
-}
-
-static void print_mode(char *prefix, u_int8_t mode, int numeric)
-{
- printf("%smode ", prefix);
-
- switch (mode) {
- case IPT_POLICY_MODE_TRANSPORT:
- printf("transport ");
- break;
- case IPT_POLICY_MODE_TUNNEL:
- printf("tunnel ");
- break;
- default:
- printf("??? ");
- break;
- }
-}
-
-static void print_proto(char *prefix, u_int8_t proto, int numeric)
-{
- struct protoent *p = NULL;
-
- printf("%sproto ", prefix);
- if (!numeric)
- p = getprotobynumber(proto);
- if (p != NULL)
- printf("%s ", p->p_name);
- else
- printf("%u ", proto);
-}
-
-#define PRINT_INVERT(x) \
-do { \
- if (x) \
- printf("! "); \
-} while(0)
-
-static void print_entry(char *prefix, const struct ipt_policy_elem *e,
- int numeric)
-{
- if (e->match.reqid) {
- PRINT_INVERT(e->invert.reqid);
- printf("%sreqid %u ", prefix, e->reqid);
- }
- if (e->match.spi) {
- PRINT_INVERT(e->invert.spi);
- printf("%sspi 0x%x ", prefix, e->spi);
- }
- if (e->match.proto) {
- PRINT_INVERT(e->invert.proto);
- print_proto(prefix, e->proto, numeric);
- }
- if (e->match.mode) {
- PRINT_INVERT(e->invert.mode);
- print_mode(prefix, e->mode, numeric);
- }
- if (e->match.daddr) {
- PRINT_INVERT(e->invert.daddr);
- printf("%stunnel-dst %s%s ", prefix,
- addr_to_dotted((struct in_addr *)&e->daddr),
- mask_to_dotted((struct in_addr *)&e->dmask));
- }
- if (e->match.saddr) {
- PRINT_INVERT(e->invert.saddr);
- printf("%stunnel-src %s%s ", prefix,
- addr_to_dotted((struct in_addr *)&e->saddr),
- mask_to_dotted((struct in_addr *)&e->smask));
- }
-}
-
-static void print_flags(char *prefix, const struct ipt_policy_info *info)
-{
- if (info->flags & IPT_POLICY_MATCH_IN)
- printf("%sdir in ", prefix);
- else
- printf("%sdir out ", prefix);
-
- if (info->flags & IPT_POLICY_MATCH_NONE)
- printf("%spol none ", prefix);
- else
- printf("%spol ipsec ", prefix);
-
- if (info->flags & IPT_POLICY_MATCH_STRICT)
- printf("%sstrict ", prefix);
-}
-
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_policy_info *info = (void *)match->data;
- unsigned int i;
-
- printf("policy match ");
- print_flags("", info);
- for (i = 0; i < info->len; i++) {
- if (info->len > 1)
- printf("[%u] ", i);
- print_entry("", &info->pol[i], numeric);
- }
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_policy_info *info = (void *)match->data;
- unsigned int i;
-
- print_flags("--", info);
- for (i = 0; i < info->len; i++) {
- print_entry("--", &info->pol[i], 0);
- if (i + 1 < info->len)
- printf("--next ");
- }
-}
-
-struct iptables_match policy = {
- .name = "policy",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_policy_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_policy_info)),
- .help = help,
- .init = init,
- .parse = parse,
- .final_check = final_check,
- .print = print,
- .save = save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&policy);
-}
+++ /dev/null
-This modules matches the policy used by IPsec for handling a packet.
-.TP
-.BI "--dir " "in|out"
-Used to select whether to match the policy used for decapsulation or the
-policy that will be used for encapsulation.
-.B in
-is valid in the
-.B PREROUTING, INPUT and FORWARD
-chains,
-.B out
-is valid in the
-.B POSTROUTING, OUTPUT and FORWARD
-chains.
-.TP
-.BI "--pol " "none|ipsec"
-Matches if the packet is subject to IPsec processing.
-.TP
-.BI "--strict"
-Selects whether to match the exact policy or match if any rule of
-the policy matches the given policy.
-.TP
-.BI "--reqid " "id"
-Matches the reqid of the policy rule. The reqid can be specified with
-.B setkey(8)
-using
-.B unique:id
-as level.
-.TP
-.BI "--spi " "spi"
-Matches the SPI of the SA.
-.TP
-.BI "--proto " "ah|esp|ipcomp"
-Matches the encapsulation protocol.
-.TP
-.BI "--mode " "tunnel|transport"
-Matches the encapsulation mode.
-.TP
-.BI "--tunnel-src " "addr[/mask]"
-Matches the source end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--tunnel-dst " "addr[/mask]"
-Matches the destination end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--next"
-Start the next element in the policy specification. Can only be used with
---strict
+++ /dev/null
-/* Shared library add-on to iptables to add IP address pool matching. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ipt_pool.h>
-
-#include <libippool/ip_pool_support.h>
-
-/* FIXME --RR */
-#include "../ippool/libippool.c"
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"pool v%s options:\n"
-" [!] --srcpool NAME|INDEX\n"
-" [!] --dstpool NAME|INDEX\n"
-" Pool index (or name from %s) to match\n"
-"\n", IPTABLES_VERSION, IPPOOL_CONF);
-}
-
-static struct option opts[] = {
- { "srcpool", 1, 0, '1' },
- { "dstpool", 1, 0, '2' },
- {0}
-};
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *match, unsigned int *nfcache)
-{
- struct ipt_pool_info *info =
- (struct ipt_pool_info *)match->data;
-
- info->src = IP_POOL_NONE;
- info->dst = IP_POOL_NONE;
- info->flags = 0;
- /* Can't cache this - XXX */
- *nfcache |= NFC_UNKNOWN;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_pool_info *info =
- (struct ipt_pool_info *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
- info->src = ip_pool_get_index(argv[optind-1]);
- if (invert) info->flags |= IPT_POOL_INV_SRC;
- *flags = 1;
- break;
- case '2':
- check_inverse(optarg, &invert, &optind, 0);
- info->dst = ip_pool_get_index(argv[optind-1]);
- if (invert) info->flags |= IPT_POOL_INV_DST;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified --srcpool or --dstpool. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "You must specify either `--srcpool or --dstpool'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- char buf[256];
- struct ipt_pool_info *info =
- (struct ipt_pool_info *)match->data;
-
- if (info->src != IP_POOL_NONE)
- printf("%ssrcpool %s ",
- (info->flags & IPT_POOL_INV_SRC) ? "!" : "",
- ip_pool_get_name(buf, sizeof(buf), info->src, 0));
- if (info->dst != IP_POOL_NONE)
- printf("%sdstpool %s ",
- (info->flags & IPT_POOL_INV_DST) ? "!" : "",
- ip_pool_get_name(buf, sizeof(buf), info->dst, 0));
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- char buf[256];
- struct ipt_pool_info *info =
- (struct ipt_pool_info *)match->data;
-
- if (info->src != IP_POOL_NONE)
- printf("%s--srcpool %s",
- (info->flags & IPT_POOL_INV_SRC) ? "! " : "",
- ip_pool_get_name(buf, sizeof(buf), info->src, 0));
- if (info->dst != IP_POOL_NONE)
- printf("%s--dstpool %s",
- (info->flags & IPT_POOL_INV_DST) ? "! " : "",
- ip_pool_get_name(buf, sizeof(buf), info->dst, 0));
-}
-
-static
-struct iptables_match pool
-= { NULL,
- "pool",
- IPTABLES_VERSION,
- IPT_ALIGN(sizeof(struct ipt_pool_info)),
- IPT_ALIGN(sizeof(struct ipt_pool_info)),
- &help,
- &init,
- &parse,
- &final_check,
- &print,
- &save,
- opts
-};
-
-void _init(void)
-{
- register_match(&pool);
-}
+++ /dev/null
-This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
-.TP
-.BI "--algo " "bm|kmp"
-Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
-.TP
-.BI "--from " "offset"
-Set the offset from which it starts looking for any matching. If not passed, default is 0.
-.TP
-.BI "--to " "offset"
-Set the offset from which it starts looking for any matching. If not passed, default is the packet size.
-.TP
-.BI "--string " "pattern"
-Matches the given pattern.
-.BI "--hex-string " "pattern"
-Matches the given pattern in hex notation.
+++ /dev/null
-/* iptables module for using NFQUEUE mechanism
- *
- * (C) 2005 Harald Welte <laforge@netfilter.org>
- *
- * This software is distributed under GNU GPL v2, 1991
- *
-*/
-#ifndef _IPT_NFQ_TARGET_H
-#define _IPT_NFQ_TARGET_H
-
-/* target info */
-struct ipt_NFQ_info {
- u_int16_t queuenum;
-};
-
-#endif /* _IPT_DSCP_TARGET_H */
+++ /dev/null
-#ifndef _IPT_POLICY_H
-#define _IPT_POLICY_H
-
-#define IPT_POLICY_MAX_ELEM 4
-
-#ifndef __KERNEL__
-#include <netinet/in.h>
-#endif
-
-enum ipt_policy_flags
-{
- IPT_POLICY_MATCH_IN = 0x1,
- IPT_POLICY_MATCH_OUT = 0x2,
- IPT_POLICY_MATCH_NONE = 0x4,
- IPT_POLICY_MATCH_STRICT = 0x8,
-};
-
-enum ipt_policy_modes
-{
- IPT_POLICY_MODE_TRANSPORT,
- IPT_POLICY_MODE_TUNNEL
-};
-
-struct ipt_policy_spec
-{
- u_int8_t saddr:1,
- daddr:1,
- proto:1,
- mode:1,
- spi:1,
- reqid:1;
-};
-
-union ipt_policy_addr
-{
- struct in_addr a4;
- struct in6_addr a6;
-};
-
-struct ipt_policy_elem
-{
- union ipt_policy_addr saddr;
- union ipt_policy_addr smask;
- union ipt_policy_addr daddr;
- union ipt_policy_addr dmask;
- u_int32_t spi;
- u_int32_t reqid;
- u_int8_t proto;
- u_int8_t mode;
-
- struct ipt_policy_spec match;
- struct ipt_policy_spec invert;
-};
-
-struct ipt_policy_info
-{
- struct ipt_policy_elem pol[IPT_POLICY_MAX_ELEM];
- u_int16_t flags;
- u_int16_t len;
-};
-
-#endif /* _IPT_POLICY_H */
+++ /dev/null
-#ifndef _IP6T_POLICY_H
-#define _IP6T_POLICY_H
-
-#define IP6T_POLICY_MAX_ELEM 4
-
-enum ip6t_policy_flags
-{
- IP6T_POLICY_MATCH_IN = 0x1,
- IP6T_POLICY_MATCH_OUT = 0x2,
- IP6T_POLICY_MATCH_NONE = 0x4,
- IP6T_POLICY_MATCH_STRICT = 0x8,
-};
-
-enum ip6t_policy_modes
-{
- IP6T_POLICY_MODE_TRANSPORT,
- IP6T_POLICY_MODE_TUNNEL
-};
-
-struct ip6t_policy_spec
-{
- u_int8_t saddr:1,
- daddr:1,
- proto:1,
- mode:1,
- spi:1,
- reqid:1;
-};
-
-union ip6t_policy_addr
-{
- struct in_addr a4;
- struct in6_addr a6;
-};
-
-struct ip6t_policy_elem
-{
- union ip6t_policy_addr saddr;
- union ip6t_policy_addr smask;
- union ip6t_policy_addr daddr;
- union ip6t_policy_addr dmask;
- u_int32_t spi;
- u_int32_t reqid;
- u_int8_t proto;
- u_int8_t mode;
-
- struct ip6t_policy_spec match;
- struct ip6t_policy_spec invert;
-};
-
-struct ip6t_policy_info
-{
- struct ip6t_policy_elem pol[IP6T_POLICY_MAX_ELEM];
- u_int16_t flags;
- u_int16_t len;
-};
-
-#endif /* _IP6T_POLICY_H */
+++ /dev/null
-.TH IP6TABLES 8 "Mar 09, 2002" "" ""
-.\"
-.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
-.\" It is based on iptables man page.
-.\"
-.\" iptables page by Herve Eychenne <rv@wallfire.org>
-.\" It is based on ipchains man page.
-.\"
-.\" ipchains page by Paul ``Rusty'' Russell March 1997
-.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation; either version 2 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables \- IPv6 packet filter administration
-.SH SYNOPSIS
-.BR "ip6tables [-t table] -[AD] " "chain rule-specification [options]"
-.br
-.BR "ip6tables [-t table] -I " "chain [rulenum] rule-specification [options]"
-.br
-.BR "ip6tables [-t table] -R " "chain rulenum rule-specification [options]"
-.br
-.BR "ip6tables [-t table] -D " "chain rulenum [options]"
-.br
-.BR "ip6tables [-t table] -[LFZ] " "[chain] [options]"
-.br
-.BR "ip6tables [-t table] -N " "chain"
-.br
-.BR "ip6tables [-t table] -X " "[chain]"
-.br
-.BR "ip6tables [-t table] -P " "chain target [options]"
-.br
-.BR "ip6tables [-t table] -E " "old-chain-name new-chain-name"
-.SH DESCRIPTION
-.B Ip6tables
-is used to set up, maintain, and inspect the tables of IPv6 packet
-filter rules in the Linux kernel. Several different tables
-may be defined. Each table contains a number of built-in
-chains and may also contain user-defined chains.
-
-Each chain is a list of rules which can match a set of packets. Each
-rule specifies what to do with a packet that matches. This is called
-a `target', which may be a jump to a user-defined chain in the same
-table.
-
-.SH TARGETS
-A firewall rule specifies criteria for a packet, and a target. If the
-packet does not match, the next rule in the chain is the examined; if
-it does match, then the next rule is specified by the value of the
-target, which can be the name of a user-defined chain or one of the
-special values
-.IR ACCEPT ,
-.IR DROP ,
-.IR QUEUE ,
-or
-.IR RETURN .
-.PP
-.I ACCEPT
-means to let the packet through.
-.I DROP
-means to drop the packet on the floor.
-.I QUEUE
-means to pass the packet to userspace (if supported by the kernel).
-.I RETURN
-means stop traversing this chain and resume at the next rule in the
-previous (calling) chain. If the end of a built-in chain is reached
-or a rule in a built-in chain with target
-.I RETURN
-is matched, the target specified by the chain policy determines the
-fate of the packet.
-.SH TABLES
-There are currently two independent tables (which tables are present
-at any time depends on the kernel configuration options and which
-modules are present), as nat table has not been implemented yet.
-.TP
-.BI "-t, --table " "table"
-This option specifies the packet matching table which the command
-should operate on. If the kernel is configured with automatic module
-loading, an attempt will be made to load the appropriate module for
-that table if it is not already there.
-
-The tables are as follows:
-.RS
-.TP .4i
-.BR "filter" :
-This is the default table (if no -t option is passed). It contains
-the built-in chains
-.B INPUT
-(for packets coming into the box itself),
-.B FORWARD
-(for packets being routed through the box), and
-.B OUTPUT
-(for locally-generated packets).
-.TP
-.BR "mangle" :
-This table is used for specialized packet alteration. Until kernel
-2.4.17 it had two built-in chains:
-.B PREROUTING
-(for altering incoming packets before routing) and
-.B OUTPUT
-(for altering locally-generated packets before routing).
-Since kernel 2.4.18, three other built-in chains are also supported:
-.B INPUT
-(for packets coming into the box itself),
-.B FORWARD
-(for altering packets being routed through the box), and
-.B POSTROUTING
-(for altering packets as they are about to go out).
-.RE
-.SH OPTIONS
-The options that are recognized by
-.B ip6tables
-can be divided into several different groups.
-.SS COMMANDS
-These options specify the specific action to perform. Only one of them
-can be specified on the command line unless otherwise specified
-below. For all the long versions of the command and option names, you
-need to use only enough letters to ensure that
-.B ip6tables
-can differentiate it from all other options.
-.TP
-.BI "-A, --append " "chain rule-specification"
-Append one or more rules to the end of the selected chain.
-When the source and/or destination names resolve to more than one
-address, a rule will be added for each possible address combination.
-.TP
-.BI "-D, --delete " "chain rule-specification"
-.ns
-.TP
-.BI "-D, --delete " "chain rulenum"
-Delete one or more rules from the selected chain. There are two
-versions of this command: the rule can be specified as a number in the
-chain (starting at 1 for the first rule) or a rule to match.
-.TP
-.B "-I, --insert"
-Insert one or more rules in the selected chain as the given rule
-number. So, if the rule number is 1, the rule or rules are inserted
-at the head of the chain. This is also the default if no rule number
-is specified.
-.TP
-.BI "-R, --replace " "chain rulenum rule-specification"
-Replace a rule in the selected chain. If the source and/or
-destination names resolve to multiple addresses, the command will
-fail. Rules are numbered starting at 1.
-.TP
-.BR "-L, --list " "[\fIchain\fP]"
-List all rules in the selected chain. If no chain is selected, all
-chains are listed. As every other iptables command, it applies to the
-specified table (filter is the default), so mangle rules get listed by
-.nf
- ip6tables -t mangle -n -L
-.fi
-Please note that it is often used with the
-.B -n
-option, in order to avoid long reverse DNS lookups.
-It is legal to specify the
-.B -Z
-(zero) option as well, in which case the chain(s) will be atomically
-listed and zeroed. The exact output is affected by the other
-arguments given. The exact rules are suppressed until you use
-.nf
- ip6tables -L -v
-.fi
-.TP
-.BR "-F, --flush " "[\fIchain\fP]"
-Flush the selected chain (all the chains in the table if none is given).
-This is equivalent to deleting all the rules one by one.
-.TP
-.BR "-Z, --zero " "[\fIchain\fP]"
-Zero the packet and byte counters in all chains. It is legal to
-specify the
-.B "-L, --list"
-(list) option as well, to see the counters immediately before they are
-cleared. (See above.)
-.TP
-.BI "-N, --new-chain " "chain"
-Create a new user-defined chain by the given name. There must be no
-target of that name already.
-.TP
-.BR "-X, --delete-chain " "[\fIchain\fP]"
-Delete the optional user-defined chain specified. There must be no references
-to the chain. If there are, you must delete or replace the referring
-rules before the chain can be deleted. If no argument is given, it
-will attempt to delete every non-builtin chain in the table.
-.TP
-.BI "-P, --policy " "chain target"
-Set the policy for the chain to the given target. See the section
-.B TARGETS
-for the legal targets. Only built-in (non-user-defined) chains can have
-policies, and neither built-in nor user-defined chains can be policy
-targets.
-.TP
-.BI "-E, --rename-chain " "old-chain new-chain"
-Rename the user specified chain to the user supplied name. This is
-cosmetic, and has no effect on the structure of the table.
-.TP
-.B -h
-Help.
-Give a (currently very brief) description of the command syntax.
-.SS PARAMETERS
-The following parameters make up a rule specification (as used in the
-add, delete, insert, replace and append commands).
-.TP
-.BR "-p, --protocol " "[!] \fIprotocol\fP"
-The protocol of the rule or of the packet to check.
-The specified protocol can be one of
-.IR tcp ,
-.IR udp ,
-.IR ipv6-icmp|icmpv6 ,
-or
-.IR all ,
-or it can be a numeric value, representing one of these protocols or a
-different one. A protocol name from /etc/protocols is also allowed.
-A "!" argument before the protocol inverts the
-test. The number zero is equivalent to
-.IR all .
-Protocol
-.I all
-will match with all protocols and is taken as default when this
-option is omitted.
-.TP
-.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
-Source specification.
-.I Address
-can be either a hostname (please note that specifying
-any name to be resolved with a remote query such as DNS is a really bad idea),
-a network IPv6 address (with /mask), or a plain IPv6 address.
-(the network name isn't supported now).
-The
-.I mask
-can be either a network mask or a plain number,
-specifying the number of 1's at the left side of the network mask.
-Thus, a mask of
-.I 64
-is equivalent to
-.IR ffff:ffff:ffff:ffff:0000:0000:0000:0000 .
-A "!" argument before the address specification inverts the sense of
-the address. The flag
-.B --src
-is an alias for this option.
-.TP
-.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
-Destination specification.
-See the description of the
-.B -s
-(source) flag for a detailed description of the syntax. The flag
-.B --dst
-is an alias for this option.
-.TP
-.BI "-j, --jump " "target"
-This specifies the target of the rule; i.e., what to do if the packet
-matches it. The target can be a user-defined chain (other than the
-one this rule is in), one of the special builtin targets which decide
-the fate of the packet immediately, or an extension (see
-.B EXTENSIONS
-below). If this
-option is omitted in a rule, then matching the rule will have no
-effect on the packet's fate, but the counters on the rule will be
-incremented.
-.TP
-.BR "-i, --in-interface " "[!] \fIname\fP"
-Name of an interface via which a packet is going to be received (only for
-packets entering the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains). When the "!" argument is used before the interface name, the
-sense is inverted. If the interface name ends in a "+", then any
-interface which begins with this name will match. If this option is
-omitted, any interface name will match.
-.TP
-.BR "-o, --out-interface " "[!] \fIname\fP"
-Name of an interface via which a packet is going to be sent (for packets
-entering the
-.BR FORWARD
-and
-.B OUTPUT
-chains). When the "!" argument is used before the interface name, the
-sense is inverted. If the interface name ends in a "+", then any
-interface which begins with this name will match. If this option is
-omitted, any interface name will match.
-.TP
-.\" Currently not supported (header-based)
-.\"
-.\" .B "[!] " "-f, --fragment"
-.\" This means that the rule only refers to second and further fragments
-.\" of fragmented packets. Since there is no way to tell the source or
-.\" destination ports of such a packet (or ICMP type), such a packet will
-.\" not match any rules which specify them. When the "!" argument
-.\" precedes the "-f" flag, the rule will only match head fragments, or
-.\" unfragmented packets.
-.\" .TP
-.B "-c, --set-counters " "PKTS BYTES"
-This enables the administrator to initialize the packet and byte
-counters of a rule (during
-.B INSERT,
-.B APPEND,
-.B REPLACE
-operations).
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-.B "-v, --verbose"
-Verbose output. This option makes the list command show the interface
-name, the rule options (if any), and the TOS masks. The packet and
-byte counters are also listed, with the suffix 'K', 'M' or 'G' for
-1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
-the
-.B -x
-flag to change this).
-For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed.
-.TP
-.B "-n, --numeric"
-Numeric output.
-IP addresses and port numbers will be printed in numeric format.
-By default, the program will try to display them as host names,
-network names, or services (whenever applicable).
-.TP
-.B "-x, --exact"
-Expand numbers.
-Display the exact value of the packet and byte counters,
-instead of only the rounded number in K's (multiples of 1000)
-M's (multiples of 1000K) or G's (multiples of 1000M). This option is
-only relevant for the
-.B -L
-command.
-.TP
-.B "--line-numbers"
-When listing rules, add line numbers to the beginning of each rule,
-corresponding to that rule's position in the chain.
-.TP
-.B "--modprobe=command"
-When adding or inserting rules into a chain, use
-.B command
-to load any necessary modules (targets, match extensions, etc).
-.SH MATCH EXTENSIONS
-ip6tables can use extended packet matching modules. These are loaded
-in two ways: implicitly, when
-.B -p
-or
-.B --protocol
-is specified, or with the
-.B -m
-or
-.B --match
-options, followed by the matching module name; after these, various
-extra command line options become available, depending on the specific
-module. You can specify multiple extended match modules in one line,
-and you can use the
-.B -h
-or
-.B --help
-options after the module has been specified to receive help specific
-to that module.
-
-The following are included in the base package, and most of these can
-be preceded by a
-.B !
-to invert the sense of the match.
-.\" @MATCH@
-.SS ah
-This module matches the SPIs in AH header of IPSec packets.
-.TP
-.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
-.SS condition
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BI "--condition " "[!] filename"
-Match on boolean value stored in /proc/net/ip6t_condition/filename file
-.SS dst
-This module matches the IPv6 destination header options
-.TP
-.BI "--dst-len" "[!]" "length"
-Total length of this header
-.TP
-.BI "--dst-opts " "TYPE[:LEN],[,TYPE[:LEN]...]"
-Options and it's length (List).
-.SS esp
-This module matches the SPIs in ESP header of IPSec packets.
-.TP
-.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
-.SS eui64
-This module matches the EUI64 part of a stateless autoconfigured IPv6 address. It compares the source MAC address with the lower 64 bits of the IPv6 address.
-.SS frag
-This module matches the time IPv6 fragmentathion header
-.TP
-.BI "--fragid " "[!]" "id[:id]"
-Matches the given fragmentation ID (range).
-.TP
-.BI "--fraglen " "[!]" "length"
-Matches the total length of this header.
-.TP
-.BI "--fragres "
-Matches the reserved field, too.
-.TP
-.BI "--fragfirst "
-Matches on the first fragment.
-.TP
-.BI "[--fragmore]"
-Matches if there are more fragments.
-.TP
-.BI "[--fraglast]"
-Matches if this is the last fragement.
-.SS fuzzy
-This module matches a rate limit based on a fuzzy logic controller [FLC]
-.TP
-.BI "--lower-limit "number"
-Specifies the lower limit (in packets per second).
-.TP
-.BI "--upper-limit " "number"
-Specifies the upper limit (in packets per second).
-.SS hbh
-This module matches the IPv6 hop-by-hop header options
-.TP
-.BI "--hbh-len" "[!]" "length"
-Total length of this header
-.TP
-.BI "--hbh-opts " "TYPE[:LEN],[,TYPE[:LEN]...]"
-Options and it's length (List).
-.SS hl
-This module matches the HOPLIMIT field in the IPv6 header.
-.TP
-.BI "--hl-eq " "value"
-Matches if HOPLIMIT equals the given value.
-.TP
-.BI "--hl-lt " "ttl"
-Matches if HOPLIMIT is less than the given value.
-.TP
-.BI "--hl-gt " "ttl"
-Matches if HOPLIMIT is greater than the given value.
-.SS icmpv6
-This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
-specified. It provides the following option:
-.TP
-.BR "--icmpv6-type " "[!] \fItypename\fP"
-This allows specification of the ICMP type, which can be a numeric
-IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command
-.nf
- ip6tables -p ipv6-icmp -h
-.fi
-.SS ipv6header
-This module matches on IPv6 option headers
-.TP
-.BI "--header " "[!]" "headers"
-Matches the given type of headers.
-Names: hop,dst,route,frag,auth,esp,none,proto
-Long Names: hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol
-Numbers: 0,60,43,44,51,50,59
-.TP
-.BI "--soft"
-The header CONTAINS the specified extensions.
-.SS length
-This module matches the length of a packet against a specific value
-or range of values.
-.TP
-.BR "--length " "\fIlength\fP[:\fIlength\fP]"
-.SS limit
-This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
-.B LOG
-target to give limited logging, for example.
-.TP
-.BI "--limit " "rate"
-Maximum average matching rate: specified as a number, with an optional
-`/second', `/minute', `/hour', or `/day' suffix; the default is
-3/hour.
-.TP
-.BI "--limit-burst " "number"
-Maximum initial number of packets to match: this number gets
-recharged by one every time the limit specified above is not reached,
-up to this number; the default is 5.
-.SS mac
-.TP
-.BR "--mac-source " "[!] \fIaddress\fP"
-Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
-Note that this only makes sense for packets coming from an Ethernet device
-and entering the
-.BR PREROUTING ,
-.B FORWARD
-or
-.B INPUT
-chains.
-.SS mark
-This module matches the netfilter mark field associated with a packet
-(which can be set using the
-.B MARK
-target below).
-.TP
-.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
-Matches packets with the given unsigned mark value (if a mask is
-specified, this is logically ANDed with the mask before the
-comparison).
-.SS multiport
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. A port range (port:port) counts as two
-ports. It can only be used in conjunction with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
-.SS nth
-This module matches every `n'th packet
-.TP
-.BI "--every " "value"
-Match every `value' packet
-.TP
-.BI "[" "--counter " "num" "]"
-Use internal counter number `num'. Default is `0'.
-.TP
-.BI "[" "--start " "num" "]"
-Initialize the counter at the number `num' insetad of `0'. Most between `0'
-and `value'-1.
-.TP
-.BI "[" "--packet " "num" "]"
-Match on `num' packet. Most be between `0' and `value'-1.
-.SS owner
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMP ping responses) may
-have no owner, and hence never match. This is regarded as experimental.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
-.TP
-.B NOTE: pid, sid and command matching are broken on SMP
-.SS physdev
-This module matches on the bridge port input and output devices enslaved
-to a bridge device. This module is a part of the infrastructure that enables
-a transparent bridging IP firewall and is only useful for kernel versions
-above version 2.5.44.
-.TP
-.B --physdev-in name
-Name of a bridge port via which a packet is received (only for
-packets entering the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. If the packet didn't arrive
-through a bridge device, this packet won't match this option, unless '!' is used.
-.TP
-.B --physdev-out name
-Name of a bridge port via which a packet is going to be sent (for packets
-entering the
-.BR FORWARD ,
-.B OUTPUT
-and
-.B POSTROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. Note that in the
-.BR nat " and " mangle
-.B OUTPUT
-chains one cannot match on the bridge output port, however one can in the
-.B "filter OUTPUT"
-chain. If the packet won't leave by a bridge device or it is yet unknown what
-the output device will be, then the packet won't match this option, unless
-'!' is used.
-.TP
-.B --physdev-is-in
-Matches if the packet has entered through a bridge interface.
-.TP
-.B --physdev-is-out
-Matches if the packet will leave through a bridge interface.
-.TP
-.B --physdev-is-bridged
-Matches if the packet is being bridged and therefore is not being routed.
-This is only useful in the FORWARD and POSTROUTING chains.
-.SS random
-This module randomly matches a certain percentage of all packets.
-.TP
-.BI "--average " "percent"
-Matches the given percentage. If omitted, a probability of 50% is set.
-.SS rt
-Match on IPv6 routing header
-.TP
-.BI "--rt-type " "[!]" "type"
-Match the type (numeric).
-.TP
-.BI "--rt-segsleft" "[!]" "num[:num]"
-Match the `segments left' field (range).
-.TP
-.BI "--rt-len" "[!]" "length"
-Match the length of this header
-.TP
-.BI "--rt-0-res"
-Match the reserved field, too (type=0)
-.TP
-.BI "--rt-0-addrs ADDR[,ADDR...]
-Match type=0 addresses (list).
-.TP
-.BI "--rt-0-not-strict"
-List of type=0 addresses is not a strict list.
-.SS tcp
-These extensions are loaded if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK and RST bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
-.SS udp
-These extensions are loaded if `--protocol udp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification.
-See the description of the
-.B --source-port
-option of the TCP extension for details.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification.
-See the description of the
-.B --destination-port
-option of the TCP extension for details.
-.SH TARGET EXTENSIONS
-ip6tables can use extended target modules: the following are included
-in the standard distribution.
-.\" @TARGET@
-.SS HL
-This is used to modify the IPv6 HOPLIMIT header field. The HOPLIMIT field is
-similar to what is known as TTL value in IPv4. Setting or incrementing the
-HOPLIMIT field can potentially be very dangerous, so it should be avoided at
-any cost.
-.TP
-.B Don't ever set or increment the value on packets that leave your local network!
-.B mangle
-table.
-.TP
-.BI "--hl-set " "value"
-Set the HOPLIMIT value to `value'.
-.TP
-.BI "--hl-dec " "value"
-Decrement the HOPLIMIT value `value' times.
-.TP
-.BI "--hl-inc " "value"
-Increment the HOPLIMIT value `value' times.
-.SS LOG
-Turn on kernel logging of matching packets. When this option is set
-for a rule, the Linux kernel will print some information on all
-matching packets (like most IPv6 IPv6-header fields) via the kernel log
-(where it can be read with
-.I dmesg
-or
-.IR syslogd (8)).
-This is a "non-terminating target", i.e. rule traversal continues at
-the next rule. So if you want to LOG the packets you refuse, use two
-separate rules with the same matching criteria, first using target LOG
-then DROP (or REJECT).
-.TP
-.BI "--log-level " "level"
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
-.TP
-.BI "--log-prefix " "prefix"
-Prefix log messages with the specified prefix; up to 29 letters long,
-and useful for distinguishing messages in the logs.
-.TP
-.B --log-tcp-sequence
-Log TCP sequence numbers. This is a security risk if the log is
-readable by users.
-.TP
-.B --log-tcp-options
-Log options from the TCP packet header.
-.TP
-.B --log-ip-options
-Log options from the IPv6 packet header.
-.TP
-.B --log-uid
-Log the userid of the process which generated the packet.
-.SS MARK
-This is used to set the netfilter mark value associated with the
-packet. It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--set-mark " "mark"
-.SS REJECT
-This is used to send back an error packet in response to the matched
-packet: otherwise it is equivalent to
-.B DROP
-so it is a terminating TARGET, ending rule traversal.
-This target is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. The following option controls the nature of the error packet
-returned:
-.TP
-.BI "--reject-with " "type"
-The type given can be
-.nf
-.B " icmp6-no-route"
-.B " no-route"
-.B " icmp6-adm-prohibited"
-.B " adm-prohibited"
-.B " icmp6-addr-unreachable"
-.B " addr-unreach"
-.B " icmp6-port-unreachable"
-.B " port-unreach"
-.fi
-which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is
-the default). Finally, the option
-.B tcp-reset
-can be used on rules which only match the TCP protocol: this causes a
-TCP RST packet to be sent back. This is mainly useful for blocking
-.I ident
-(113/tcp) probes which frequently occur when sending mail to broken mail
-hosts (which won't accept your mail otherwise).
-
-.SS ROUTE
-This is used to explicitly override the core network stack's routing decision.
-.B mangle
-table.
-.TP
-.BI "--oif " "ifname"
-Route the packet through `ifname' network interface
-.TP
-.BI "--gw " "IPv6_address"
-Route the packet via this gateway
-.TP
-.BI "--continue "
-Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--tee'
-.TP
-.BI "--tee "
-Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--continue'
-.SS TRACE
-This target has no options. It just turns on
-.B packet tracing
-for all packets that match this rule.
-.SH DIAGNOSTICS
-Various error messages are printed to standard error. The exit code
-is 0 for correct functioning. Errors which appear to be caused by
-invalid or abused command line parameters cause an exit code of 2, and
-other errors cause an exit code of 1.
-.SH BUGS
-Bugs? What's this? ;-)
-Well... the counters are not reliable on sparc64.
-.SH COMPATIBILITY WITH IPCHAINS
-This
-.B ip6tables
-is very similar to ipchains by Rusty Russell. The main difference is
-that the chains
-.B INPUT
-and
-.B OUTPUT
-are only traversed for packets coming into the local host and
-originating from the local host respectively. Hence every packet only
-passes through one of the three chains (except loopback traffic, which
-involves both INPUT and OUTPUT chains); previously a forwarded packet
-would pass through all three.
-.PP
-The other main difference is that
-.B -i
-refers to the input interface;
-.B -o
-refers to the output interface, and both are available for packets
-entering the
-.B FORWARD
-chain.
-.\" .PP The various forms of NAT have been separated out;
-.\" .B iptables
-.\" is a pure packet filter when using the default `filter' table, with
-.\" optional extension modules. This should simplify much of the previous
-.\" confusion over the combination of IP masquerading and packet filtering
-.\" seen previously. So the following options are handled differently:
-.\" .br
-.\" -j MASQ
-.\" .br
-.\" -M -S
-.\" .br
-.\" -M -L
-.\" .br
-There are several other changes in ip6tables.
-.SH SEE ALSO
-.BR ip6tables-save (8),
-.BR ip6tables-restore(8),
-.BR iptables (8),
-.BR iptables-save (8),
-.BR iptables-restore (8).
-.P
-The packet-filtering-HOWTO details iptables usage for
-packet filtering, the NAT-HOWTO details NAT,
-the netfilter-extensions-HOWTO details the extensions that are
-not in the standard distribution,
-and the netfilter-hacking-HOWTO details the netfilter internals.
-.br
-See
-.BR "http://www.netfilter.org/" .
-.SH AUTHORS
-Rusty Russell wrote iptables, in early consultation with Michael
-Neuling.
-.PP
-Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
-selection framework in iptables, then wrote the mangle table, the owner match,
-the mark stuff, and ran around doing cool stuff everywhere.
-.PP
-James Morris wrote the TOS target, and tos match.
-.PP
-Jozsef Kadlecsik wrote the REJECT target.
-.PP
-Harald Welte wrote the ULOG target, TTL match+target and libipulog.
-.PP
-The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
-James Morris, Harald Welte and Rusty Russell.
-.PP
-ip6tables man page created by Andras Kis-Szabo, based on
-iptables man page written by Herve Eychenne <rv@wallfire.org>.
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
+++ /dev/null
-2.2.8
- - Nasty off-by-one bug fixed in iptree type of sets
- (bug reported by Pablo Sole)
-
-2.2.7
- All patches were submitted by Jones Desougi
- - missing or confusing error message fixes for ipporthash
- - minor correction in debugging in nethash
- - copy-paste bug in kernel set types at memory allocation
- checking fixed
- - unified memory allocations in ipset
-
-2.2.6
- - memory allocation in iptree is changed to GFP_ATOMIC because
- we hold a lock (bug reported by Radek Hladik)
- - compatibility fix: __nocast is not defined in all 2.6 branches
- (problem reported by Ming-Ching Tiew)
- - manpage corrections
-
-2.2.5
- - garbage collector of iptree type of sets is fixed: flushing
- sets/removing kernel module could corrupt the timer
- - new ipporthash type added
- - manpage fixes and corrections
-
-2.2.4
- - half-fixed memory allocation bug in iphash and nethash finally
- completely fixed (bug reported by Nikolai Malykh)
- - restrictions to enter zero-valued entries into all non-hash type sets
- were removed
- - Too strict check on the set size of ipmap type was corrected
-
-2.2.3
- - memory allocation bug in iphash and nethash in connection with the SET
- target was fixed (bug reported by Nikolai Malykh)
- - lockhelp.h was removed from the 2.6.13 kernel tree, ip_set.c is
- updated accordingly (Cardoso Didier, Samir Bellabes)
- - manpage is updated to clearly state the command order in restore mode
-
-2.2.2
- - Jiffies rollover bug in ip_set_iptree reported and fixed by Rob Nielsen
- - Compiler warning in the non-SMP case fixed (Marcus Sundberg)
- - slab cache names shrunk in order to be compatible with 2.4.* (Marcus
- Sundberg)
-
-2.2.1
- - Magic number in ip_set_nethash.h was mistyped (bug reported by Rob
- Carlson)
- - ipset can now test IP addresses in nethash type of sets (i.e. addresses
- in netblocks added to the set)
-
-2.2.0
- - Locking bug in ip_set_nethash.c (Clifford Wolf and Rob Carlson)
- - Makefile contained an unnecessary variable in IPSET_LIB_DIR (Clifford
- Wolf)
- - Safety checkings of restore in ipset was incomplete (Robin H. Johnson)
- - More careful resizing by avoiding locking completely
- - stdin stored internally in a temporary file, so we can feed 'ipset -R'
- from a pipe
- - iptree maptype added
-
-2.1
- - Lock debugging used with debugless lock definiton (Piotr Chytla and
- others).
- - Bindings were not properly filled out at listing (kernel)
- - When listing sets from kernel, id was not added to the set structure
- (ipset)
- - nethash maptype added
- - ipset manpage corrections (macipmap)
-
-2.0.1
- - Missing -fPIC in Makefile (Robert Iakobashvili)
- - Cut'n'paste bug at saving macipmap types (Vincent Bernat).
- - Bug in printing/saving SET targets reported and fixed by Michal
- Pokrywka
-
-2.0
- - Chaining of sets are changed: child sets replaced by bindings
- - Kernel-userspace communication reorganized to minimize the number
- of syscalls
- - Save and restore functionality implemented
- - iphash type reworked: clashing resolved by double-hashing and by
- dynamically growing the set
-
-1.0
- - Renamed to ipset
- - Rewritten to support child pools
- - portmap, iphash pool support added
- - too much other mods here and there to list...
-
+++ /dev/null
-Original changelog as ippool:
-
-0.3.2b
-- Fixed missing kfree(pool) (Martin Josefsson)
-
-0.3.2a
-- Added libipt_pool.c and libipt_POOL.c (Martin Josefsson)
-
-
-0.3.2
-- Passes pointers to skb's around instead of ip's in the (Martin Josefsson)
- kernel modules.
-- Added a new pooltype, macipmap, which matches ip's (Martin Josefsson)
- against macaddresses.
-- Cleaned up a lot of typedefs. (Martin Josefsson)
-- Fixed an unlocking of the wrong lock. (Martin Josefsson)
-- Fixed a refcount bug when allocated memory was too (Martin Josefsson)
- small.
-- Fixed a free() of unallocated memory. (Martin Josefsson)
-- Switched from kmalloc/kfree to vmalloc/vfree for (Martin Josefsson)
- pool-listings/additions.
-
-
-0.3.1
-- Changed the API between userspace modules and base. (Joakim Axelsson)
- Moved the memberdata pointer to module self.
- As a result of this Protocolversion is increased to 4.
-- Fixed problems with crashing null-pooltype (Joakim Axelsson)
-- Fixed problems with compiling warnings (Joakim Axelsson)
- in null pooltype.
-
-
-0.3.0:
-- Changed the listing to use getsockopt. (Joakim Axelsson)
- /proc is left for debuging purpose.
- This is a mayor change.
- Protocolversion is increased to 3
-- Added support for --quiet (Joakim Axelsson)
-- Added support for --sorted (Joakim Axelsson)
-- Added support for --numeric (Joakim Axelsson)
-- Added support for --exact (Joakim Axelsson)
-- Added -Z (Zero) which zero's the counter (Joakim Axelsson)
- on one or all pools.
-- Added support for --debug that prints all debug-messages (Joakim Axelsosn)
- in userspace. Need to be compiled with
- IP_POOL_DEBUG tho.
-- Added null pooltype. For demostration and (Joakim Axelsson)
- pooltype skeleton mostly
-- Fixed bug with possibly renaming to an already (Joakim Axelsson)
- existing pool.
-- Change error to OTHER_PROBLEM on add and del IP. (Joakim Axelsson)
-
-0.2.1-0.2.3
-- Better handling of references (Patrick Schaaf)
-- Various bugfixes (Patrick Schaaf)
-- Cleaning up the code in kernelspace (Patrick Schaaf)
-
-0.2.0:
-- Rewrote the entrie system. Modulized it. (Joakim Axelsson)
+++ /dev/null
-IPSET_VERSION:=2.2.8
-
-IPSET_LIB_DIR:=$(LIBDIR)/ipset
-
-IPSET_CFLAGS:=# -g -DIPSET_DEBUG #-pg # -DIPTC_DEBUG
-SETTYPES:=ipmap portmap macipmap iphash nethash iptree ipporthash
-
-ifneq ($(wildcard $(KERNEL_DIR)/include/linux/netfilter_ipv4/ip_set.h),)
-
-EXTRAS+=ipset/ipset
-EXTRAS+=$(foreach T, $(SETTYPES),ipset/libipset_$(T).so)
-EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ipset $(DESTDIR)$(MANDIR)/man8/ipset.8
-EXTRA_INSTALLS+=$(foreach T, $(SETTYPES), $(DESTDIR)$(LIBDIR)/ipset/libipset_$(T).so)
-
-#Dependencies
-ipset/libipset.d: $(foreach T, $(SETTYPES),ipset/ipset_$(T).c)
- @-$(CC) -M -MG $(CFLAGS) $(IPSET_CFLAGS) $^ | sed -e 's@^.*\.o:@$*.d $*.a($*.o):@' > $@
-
-#The ipset(8) self
-ipset/ipset.o: ipset/ipset.c
- $(CC) $(CFLAGS) $(IPSET_CFLAGS) -DIPSET_VERSION=\"$(IPSET_VERSION)\" -DIPSET_LIB_DIR=\"$(IPSET_LIB_DIR)\" -c -o $@ $<
-
-ipset/ipset: ipset/ipset.o
- $(CC) $(CFLAGS) $(IPSET_CFLAGS) -ldl -rdynamic -o $@ $^
-
-#Pooltypes
-ipset/ipset_%.o: ipset/ipset_%.c
- $(CC) $(SH_CFLAGS) $(IPSET_CFLAGS) -o $@ -c $<
-
-ipset/libipset_%.so: ipset/ipset_%.o
- $(LD) -shared -o $@ $<
-
-$(DESTDIR)$(LIBDIR)/ipset/libipset_%.so: ipset/libipset_%.so
- @[ -d $(DESTDIR)$(LIBDIR)/ipset ] || mkdir -p $(DESTDIR)$(LIBDIR)/ipset
- cp $< $@
-
-$(DESTDIR)$(BINDIR)/ipset: ipset/ipset
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- cp $< $@
-
-$(DESTDIR)$(MANDIR)/man8/ipset.8: ipset/ipset.8
- @[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
- cp $< $@
-
-endif
+++ /dev/null
-- rewrite kernel-userspace communication from sockopt to netlink
-- IPv6 support
+++ /dev/null
-.TH IPSET 8 "Feb 05, 2004" "" ""
-.\"
-.\" Man page written by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation; either version 2 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ipset \- administration tool for IP sets
-.SH SYNOPSIS
-.BR "ipset -N " "set type-specification [options]"
-.br
-.BR "ipset -[XFLSHh] " "[set] [options]"
-.br
-.BR "ipset -[EW] " "from-set to-set"
-.br
-.BR "ipset -[ADU] " "set entry"
-.br
-.BR "ipset -B " "set entry -b binding"
-.br
-.BR "ipset -T " "set entry [-b binding]"
-.br
-.BR "ipset -R "
-.SH DESCRIPTION
-.B ipset
-is used to set up, maintain and inspect so called IP sets in the Linux
-kernel. Depending on the type, an IP set may store IP addresses, (TCP/UDP)
-port numbers or additional informations besides IP addresses: the word IP
-means a general term here. See the set type definitions below.
-.P
-Any entry in a set can be bound to another set, which forms a relationship
-between a set element and the set it is bound to. In order to define a
-binding it is not required that the entry be already added to the set.
-The sets may have a default binding, which is valid for every set element
-for which there is no binding defined at all.
-.P
-IP set bindings pointing to sets and iptables matches and targets
-referring to sets creates references, which protects the given sets in
-the kernel. A set cannot be removed (destroyed) while there is a single
-reference pointing to it.
-.SH OPTIONS
-The options that are recognized by
-.B ipset
-can be divided into several different groups.
-.SS COMMANDS
-These options specify the specific action to perform. Only one of them
-can be specified on the command line unless otherwise specified
-below. For all the long versions of the command and option names, you
-need to use only enough letters to ensure that
-.B ipset
-can differentiate it from all other options.
-.TP
-.BI "-N, --create " "\fIsetname\fP type type-specific-options"
-Create a set identified with setname and specified type.
-Type-specific options must be supplied.
-.TP
-.BI "-X, --destroy " "[\fIsetname\fP]"
-Destroy the specified set, or all sets if none or the keyword
-.B
-:all:
-is specified.
-Before destroying the set, all bindings belonging to the
-set elements and the default binding of the set are removed.
-
-If the set has got references, nothing is done.
-.TP
-.BI "-F, --flush " "[\fIsetname\fP]"
-Delete all entries from the specified set, or flush
-all sets if none or the keyword
-.B
-:all:
-is given. Bindings are not affected by the flush operation.
-.TP
-.BI "-E, --rename " "\fIfrom-setname\fP \fIto-setname\fP"
-Rename a set. Set identified by to-setname must not exist.
-.TP
-.BI "-W, --swap " "\fIfrom-setname\fP \fIto-setname\fP"
-Swap two sets as they referenced in the Linux kernel.
-.B
-iptables
-rules or
-.B
-ipset
-bindings pointing to the content of from-setname will point to
-the content of to-setname and vice versa. Both sets must exist.
-.TP
-.BI "-L, --list " "[\fIsetname\fP]"
-List the entries and bindings for the specified set, or for
-all sets if none or the keyword
-.B
-:all:
-is given. The
-.B "-n, --numeric"
-option can be used to suppress name lookups and generate numeric
-output. When the
-.B "-s, --sorted"
-option is given, the entries are listed sorted (if the given set
-type supports the operation).
-.TP
-.BI "-S, --save " "[\fIsetname\fP]"
-Save the given set, or all sets if none or the keyword
-.B
-:all:
-is specified to stdout in a format that --restore can read.
-.TP
-.BI "-R, --restore "
-Restore a saved session generated by --save. The saved session
-can be fed from stdin.
-
-When generating a session file please note that the supported commands
-(create set, add element, bind) must appear in a strict order: first create
-the set, then add all elements. Then create the next set, add all its elements
-and so on. Finally you can list all binding commands. Also, it is a restore
-operation, so the sets being restored must not exist.
-.TP
-.BI "-A, --add " "\fIsetname\fP \fIIP\fP"
-Add an IP to a set.
-.TP
-.BI "-D, --del " "\fIsetname\fP \fIIP\fP"
-Delete an IP from a set.
-.TP
-.BI "-T, --test " "\fIsetname\fP \fIIP
-Test wether an IP is in a set or not. Exit status number is zero
-if the tested IP is in the set and nonzero if it is missing from
-the set.
-.TP
-.BI "-T, --test " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
-Test wether the IP belonging to the set points to the specified binding.
-Exit status number is zero if the binding points to the specified set,
-otherwise it is nonzero. The keyword
-.B
-:default:
-can be used to test the default binding of the set.
-.TP
-.BI "-B, --bind " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
-Bind the IP in setname to to-setname.
-.TP
-.BI "-U, --unbind " "\fIsetname\fP \fIIP\fP"
-Delete the binding belonging to IP in set setname.
-.TP
-.BI "-H, --help " "[settype]"
-Print help and settype specific help if settype specified.
-.P
-At the
-.B
--B, -U
-and
-.B
--T
-commands you can use the token
-.B
-:default:
-to bind, unbind or test the default binding of a set instead
-of an IP. At the
-.B
--U
-command you can use the token
-.B
-:all:
-to destroy the bindings of all elements of a set.
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-.B "-b, --binding setname"
-The option specifies the value of the binding for the
-.B "-B"
-binding command, for which it is a mandatory option.
-You can use it in the
-.B "-T"
-test command as well to test bindings.
-.TP
-.B "-s, --sorted"
-Sorted output. When listing sets, entries are listed sorted.
-.TP
-.B "-n, --numeric"
-Numeric output. When listing sets, bindings, IP addresses and
-port numbers will be printed in numeric format. By default the
-program will try to display them as host names, network names
-or services (whenever applicable), which can trigger
-.B
-slow
-DNS
-lookups.
-.TP
-.B "-q, --quiet"
-Suppress any output to stdout and stderr. ipset will still return
-possible errors.
-.SH SET TYPES
-ipset supports the following set types:
-.SS ipmap
-The ipmap set type uses a memory range, where each bit represents
-one IP address. An ipmap set can store up to 65536 (B-class network)
-IP addresses. The ipmap set type is very fast and memory cheap, great
-for use when one want to match certain IPs in a range. Using the
-.B "--netmask"
-option with a CIDR netmask value between 0-32 when creating an ipmap
-set, you will be able to store and match network addresses: i.e an
-IP address will be in the set if the value resulted by masking the address
-with the specified netmask can be found in the set.
-.P
-Options to use when creating an ipmap set:
-.TP
-.BR "--from " from-IP
-.TP
-.BR "--to " to-IP
-Create an ipmap set from the specified range.
-.TP
-.BR "--network " IP/mask
-Create an ipmap set from the specified network.
-.TP
-.BR "--netmask " CIDR-netmask
-When the optional
-.B "--netmask"
-parameter specified, network addresses will be
-stored in the set instead of IP addresses, and the from-IP parameter
-must be a network address.
-.SS macipmap
-The macipmap set type uses a memory range, where each 8 bytes
-represents one IP and a MAC addresses. A macipmap set type can store
-up to 65536 (B-class network) IP addresses with MAC.
-When adding an entry to a macipmap set, you must specify the entry as
-.I IP%MAC.
-When deleting or testing macipmap entries, the
-.I %MAC
-part is not mandatory.
-.P
-Options to use when creating an macipmap set:
-.TP
-.BR "--from " from-IP
-.TP
-.BR "--to " to-IP
-Create a macipmap set from the specified range.
-.TP
-.BR "--network " IP/mask
-Create a macipmap set from the specified network.
-.TP
-.BR "--matchunset"
-When the optional
-.B "--matchunset"
-parameter specified, IP addresses which could be stored
-in the set but not set yet, will always match.
-.P
-Please note, the
-.I
-set
-and
-.I
-SET
-netfilter kernel modules
-.B
-always
-use the source MAC address from the packet to match, add or delete
-entries from a macipmap type of set.
-.SS portmap
-The portmap set type uses a memory range, where each bit represents
-one port. A portmap set type can store up to 65536 ports.
-The portmap set type is very fast and memory cheap.
-.P
-Options to use when creating an portmap set:
-.TP
-.BR "--from " from-port
-.TP
-.BR "--to " to-port
-Create a portmap set from the specified range.
-.SS iphash
-The iphash set type uses a hash to store IP addresses.
-In order to avoid clashes in the hash double-hashing, and as a last
-resort, dynamic growing of the hash performed. The iphash set type is
-great to store random addresses. By supplyig the
-.B "--netmask"
-option with a CIDR netmask value between 0-32 at creating the set,
-you will be able to store and match network addresses instead: i.e
-an IP address will be in the set if the value of the address
-masked with the specified netmask can be found in the set.
-.P
-Options to use when creating an iphash set:
-.TP
-.BR "--hashsize " hashsize
-The initial hash size (default 1024)
-.TP
-.BR "--probes " probes
-How many times try to resolve clashing at adding an IP to the hash
-by double-hashing (default 8).
-.TP
-.BR "--resize " percent
-Increase the hash size by this many percent (default 50) when adding
-an IP to the hash could not be performed after
-.B
-probes
-number of double-hashing.
-.TP
-.BR "--netmask " CIDR-netmask
-When the optional
-.B "--netmask"
-parameter specified, network addresses will be
-stored in the set instead of IP addresses.
-.P
-Sets created by zero valued resize parameter won't be resized at all.
-The lookup time in an iphash type of set approximately linearly grows with
-the value of the
-.B
-probes
-parameter. At the same time higher
-.B
-probes
-values result a better utilized hash while smaller values
-produce a larger, sparse hash.
-.SS nethash
-The nethash set type uses a hash to store different size of
-network addresses. The
-.I
-IP
-"address" used in the ipset commands must be in the form
-.I
-IP-address/cidr-size
-where the CIDR block size must be in the inclusive range of 1-31.
-In order to avoid clashes in the hash
-double-hashing, and as a last resort, dynamic growing of the hash performed.
-.P
-Options to use when creating an nethash set:
-.TP
-.BR "--hashsize " hashsize
-The initial hash size (default 1024)
-.TP
-.BR "--probes " probes
-How many times try to resolve clashing at adding an IP to the hash
-by double-hashing (default 4).
-.TP
-.BR "--resize " percent
-Increase the hash size by this many percent (default 50) when adding
-an IP to the hash could not be performed after
-.P
-An IP address will be in a nethash type of set if it is in any of the
-netblocks added to the set and the matching always start from the smallest
-size of netblock (most specific netmask) to the biggest ones (least
-specific netmasks). When adding/deleting IP addresses
-to a nethash set by the
-.I
-SET
-netfilter kernel module, it will be added/deleted by the smallest
-netblock size which can be found in the set.
-.P
-The lookup time in a nethash type of set is approximately linearly
-grows with the times of the
-.B
-probes
-parameter and the number of different mask parameters in the hash.
-Otherwise the same speed and memory efficiency comments applies here
-as at the iphash type.
-.SS ipporthash
-The ipporthash set type uses a hash to store IP address and port pairs.
-In order to avoid clashes in the hash double-hashing, and as a last
-resort, dynamic growing of the hash performed. An ipporthash set can
-store up to 65536 (B-class network) IP addresses with all possible port
-values. When adding, deleting and testing values in an ipporthash type of
-set, the entries must be specified as
-.B
-"IP%port".
-.P
-The ipporthash types of sets evaluates two src/dst parameters of the
-.I
-set
-match and
-.I
-SET
-target.
-.P
-Options to use when creating an ipporthash set:
-.TP
-.BR "--from " from-IP
-.TP
-.BR "--to " to-IP
-Create an ipporthash set from the specified range.
-.TP
-.BR "--network " IP/mask
-Create an ipporthash set from the specified network.
-.TP
-.BR "--hashsize " hashsize
-The initial hash size (default 1024)
-.TP
-.BR "--probes " probes
-How many times try to resolve clashing at adding an IP to the hash
-by double-hashing (default 8).
-.TP
-.BR "--resize " percent
-Increase the hash size by this many percent (default 50) when adding
-an IP to the hash could not be performed after
-.B
-probes
-number of double-hashing.
-.P
-The same resizing, speed and memory efficiency comments applies here
-as at the iphash type.
-.SS iptree
-The iptree set type uses a tree to store IP addresses, optionally
-with timeout values.
-.P
-Options to use when creating an iptree set:
-.TP
-.BR "--timeout " value
-The timeout value for the entries in seconds (default 0)
-.P
-If a set was created with a nonzero valued
-.B "--timeout"
-parameter then one may add IP addresses to the set with a specific
-timeout value using the syntax
-.I IP%timeout-value.
-.SH GENERAL RESTRICTIONS
-Setnames starting with colon (:) cannot be defined. Zero valued set
-entries cannot be used with hash type of sets.
-.SH COMMENTS
-If you want to store same size subnets from a given network
-(say /24 blocks from a /8 network), use the ipmap set type.
-If you want to store random same size networks (say random /24 blocks),
-use the iphash set type. If you have got random size of netblocks,
-use nethash.
-.SH DIAGNOSTICS
-Various error messages are printed to standard error. The exit code
-is 0 for correct functioning. Errors which appear to be caused by
-invalid or abused command line parameters cause an exit code of 2, and
-other errors cause an exit code of 1.
-.SH BUGS
-Bugs? No, just funny features. :-)
-OK, just kidding...
-.SH SEE ALSO
-.BR iptables (8),
-.SH AUTHORS
-Jozsef Kadlecsik wrote ipset, which is based on ippool by
-Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
+++ /dev/null
-/* Copyright 2000-2002 Joakim Axelsson (gozem@linux.nu)
- * Patrick Schaaf (bof@bof.de)
- * Copyright 2003-2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <time.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <arpa/inet.h>
-#include <stdarg.h>
-#include <netdb.h>
-#include <dlfcn.h>
-#include <asm/bitops.h>
-
-#include "ipset.h"
-
-char program_name[] = "ipset";
-char program_version[] = IPSET_VERSION;
-
-/* The list of loaded set types */
-static struct settype *all_settypes = NULL;
-
-/* Array of sets */
-struct set **set_list = NULL;
-ip_set_id_t max_sets = 0;
-
-/* Suppress output to stdout and stderr? */
-static int option_quiet = 0;
-
-/* Data for restore mode */
-static int restore = 0;
-void *restore_data = NULL;
-struct ip_set_restore *restore_set = NULL;
-size_t restore_offset = 0, restore_size;
-unsigned line = 0;
-
-#define TEMPFILE_PATTERN "/ipsetXXXXXX"
-
-#ifdef IPSET_DEBUG
-int option_debug = 0;
-#endif
-
-#define OPTION_OFFSET 256
-static unsigned int global_option_offset = 0;
-
-/* Most of these command parsing functions are borrowed from iptables.c */
-
-static const char cmdflags[] = { ' ', /* CMD_NONE */
- 'N', 'X', 'F', 'E', 'W', 'L', 'S', 'R',
- 'A', 'D', 'T', 'B', 'U', 'H', 'V',
-};
-
-/* Options */
-#define OPT_NONE 0x0000U
-#define OPT_NUMERIC 0x0001U /* -n */
-#define OPT_SORTED 0x0002U /* -s */
-#define OPT_QUIET 0x0004U /* -q */
-#define OPT_DEBUG 0x0008U /* -z */
-#define OPT_BINDING 0x0010U /* -b */
-#define NUMBER_OF_OPT 5
-static const char optflags[] =
- { 'n', 's', 'q', 'z', 'b' };
-
-static struct option opts_long[] = {
- /* set operations */
- {"create", 1, 0, 'N'},
- {"destroy", 2, 0, 'X'},
- {"flush", 2, 0, 'F'},
- {"rename", 1, 0, 'E'},
- {"swap", 1, 0, 'W'},
- {"list", 2, 0, 'L'},
-
- {"save", 2, 0, 'S'},
- {"restore", 0, 0, 'R'},
-
- /* ip in set operations */
- {"add", 1, 0, 'A'},
- {"del", 1, 0, 'D'},
- {"test", 1, 0, 'T'},
-
- /* binding operations */
- {"bind", 1, 0, 'B'},
- {"unbind", 1, 0, 'U'},
-
- /* free options */
- {"numeric", 0, 0, 'n'},
- {"sorted", 0, 0, 's'},
- {"quiet", 0, 0, 'q'},
- {"binding", 1, 0, 'b'},
-
-#ifdef IPSET_DEBUG
- /* debug (if compiled with it) */
- {"debug", 0, 0, 'z'},
-#endif
-
- /* version and help */
- {"version", 0, 0, 'V'},
- {"help", 2, 0, 'H'},
-
- /* end */
- {0}
-};
-
-static char opts_short[] =
- "-N:X::F::E:W:L::S::RA:D:T:B:U:nsqzb:Vh::H::";
-
-/* Table of legal combinations of commands and options. If any of the
- * given commands make an option legal, that option is legal.
- * Key:
- * + compulsory
- * x illegal
- * optional
- */
-
-static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] = {
- /* -n -s -q -z -b */
- /*CREATE*/ {'x', 'x', ' ', ' ', 'x'},
- /*DESTROY*/ {'x', 'x', ' ', ' ', 'x'},
- /*FLUSH*/ {'x', 'x', ' ', ' ', 'x'},
- /*RENAME*/ {'x', 'x', ' ', ' ', 'x'},
- /*SWAP*/ {'x', 'x', ' ', ' ', 'x'},
- /*LIST*/ {' ', ' ', 'x', ' ', 'x'},
- /*SAVE*/ {'x', 'x', ' ', ' ', 'x'},
- /*RESTORE*/ {'x', 'x', ' ', ' ', 'x'},
- /*ADD*/ {'x', 'x', ' ', ' ', 'x'},
- /*DEL*/ {'x', 'x', ' ', ' ', 'x'},
- /*TEST*/ {'x', 'x', ' ', ' ', ' '},
- /*BIND*/ {'x', 'x', ' ', ' ', '+'},
- /*UNBIND*/ {'x', 'x', ' ', ' ', 'x'},
- /*HELP*/ {'x', 'x', 'x', ' ', 'x'},
- /*VERSION*/ {'x', 'x', 'x', ' ', 'x'},
-};
-
-/* Main parser function */
-int parse_commandline(int argc, char *argv[]);
-
-void exit_tryhelp(int status)
-{
- fprintf(stderr,
- "Try `%s -H' or '%s --help' for more information.\n",
- program_name, program_name);
- exit(status);
-}
-
-void exit_error(enum exittype status, char *msg, ...)
-{
- va_list args;
-
- if (!option_quiet) {
- va_start(args, msg);
- fprintf(stderr, "%s v%s: ", program_name, program_version);
- vfprintf(stderr, msg, args);
- va_end(args);
- fprintf(stderr, "\n");
- if (line)
- fprintf(stderr, "Restore failed at line %u:\n", line);
- if (status == PARAMETER_PROBLEM)
- exit_tryhelp(status);
- if (status == VERSION_PROBLEM)
- fprintf(stderr,
- "Perhaps %s or your kernel needs to be upgraded.\n",
- program_name);
- }
-
- exit(status);
-}
-
-void ipset_printf(char *msg, ...)
-{
- va_list args;
-
- if (!option_quiet) {
- va_start(args, msg);
- vfprintf(stdout, msg, args);
- va_end(args);
- fprintf(stdout, "\n");
- }
-}
-
-static void generic_opt_check(int command, int options)
-{
- int i, j, legal = 0;
-
- /* Check that commands are valid with options. Complicated by the
- * fact that if an option is legal with *any* command given, it is
- * legal overall (ie. -z and -l).
- */
- for (i = 0; i < NUMBER_OF_OPT; i++) {
- legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */
-
- for (j = 1; j <= NUMBER_OF_CMD; j++) {
- if (command != j)
- continue;
-
- if (!(options & (1 << i))) {
- if (commands_v_options[j-1][i] == '+')
- exit_error(PARAMETER_PROBLEM,
- "You need to supply the `-%c' "
- "option for this command\n",
- optflags[i]);
- } else {
- if (commands_v_options[j-1][i] != 'x')
- legal = 1;
- else if (legal == 0)
- legal = -1;
- }
- }
- if (legal == -1)
- exit_error(PARAMETER_PROBLEM,
- "Illegal option `-%c' with this command\n",
- optflags[i]);
- }
-}
-
-static char opt2char(int option)
-{
- const char *ptr;
- for (ptr = optflags; option > 1; option >>= 1, ptr++);
-
- return *ptr;
-}
-
-static char cmd2char(int option)
-{
- if (option <= CMD_NONE || option > NUMBER_OF_CMD)
- return ' ';
-
- return cmdflags[option];
-}
-
-static int kernel_getsocket(void)
-{
- int sockfd = -1;
-
- sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
- if (sockfd < 0)
- exit_error(OTHER_PROBLEM,
- "You need to be root to perform this command.");
-
- return sockfd;
-}
-
-static void kernel_error(unsigned cmd, int err)
-{
- unsigned int i;
- struct translate_error {
- int err;
- unsigned cmd;
- char *message;
- } table[] =
- { /* Generic error codes */
- { EPERM, 0, "Missing capability" },
- { EBADF, 0, "Invalid socket option" },
- { EINVAL, 0, "Size mismatch for expected socket data" },
- { ENOMEM, 0, "Not enough memory" },
- { EFAULT, 0, "Failed to copy data" },
- { EPROTO, 0, "ipset kernel/userspace version mismatch" },
- { EBADMSG, 0, "Unknown command" },
- /* Per command error codes */
- /* Reserved ones for add/del/test to handle internally:
- * EEXIST
- */
- { ENOENT, CMD_CREATE, "Unknown set type" },
- { ENOENT, 0, "Unknown set" },
- { EAGAIN, 0, "Sets are busy, try again later" },
- { ERANGE, CMD_CREATE, "No free slot remained to add a new set" },
- { ERANGE, 0, "IP/port is outside of the set" },
- { ENOEXEC, CMD_CREATE, "Invalid parameters to create a set" },
- { ENOEXEC, CMD_SWAP, "Sets with different types cannot be swapped" },
- { EEXIST, CMD_CREATE, "Set already exists" },
- { EEXIST, CMD_RENAME, "Set with new name already exists" },
- { EBUSY, 0, "Set is in use, operation not permitted" },
- };
- for (i = 0; i < sizeof(table)/sizeof(struct translate_error); i++) {
- if ((table[i].cmd == cmd || table[i].cmd == 0)
- && table[i].err == err)
- exit_error(err == EPROTO ? VERSION_PROBLEM
- : OTHER_PROBLEM,
- table[i].message);
- }
- exit_error(OTHER_PROBLEM, "Error from kernel: %s", strerror(err));
-}
-
-static void kernel_getfrom(unsigned cmd, void *data, size_t * size)
-{
- int res;
- int sockfd = kernel_getsocket();
-
- /* Send! */
- res = getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
-
- DP("res=%d errno=%d", res, errno);
-
- if (res != 0)
- kernel_error(cmd, errno);
-}
-
-static int kernel_sendto_handleerrno(unsigned cmd, unsigned op,
- void *data, size_t size)
-{
- int res;
- int sockfd = kernel_getsocket();
-
- /* Send! */
- res = setsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
-
- DP("res=%d errno=%d", res, errno);
-
- if (res != 0) {
- if (errno == EEXIST)
- return -1;
- else
- kernel_error(cmd, errno);
- }
-
- return 0; /* all ok */
-}
-
-static void kernel_sendto(unsigned cmd, void *data, size_t size)
-{
- int res;
- int sockfd = kernel_getsocket();
-
- /* Send! */
- res = setsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
-
- DP("res=%d errno=%d", res, errno);
-
- if (res != 0)
- kernel_error(cmd, errno);
-}
-
-static int kernel_getfrom_handleerrno(unsigned cmd, void *data, size_t * size)
-{
- int res;
- int sockfd = kernel_getsocket();
-
- /* Send! */
- res = getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
-
- DP("res=%d errno=%d", res, errno);
-
- if (res != 0) {
- if (errno == EAGAIN)
- return -1;
- else
- kernel_error(cmd, errno);
- }
-
- return 0; /* all ok */
-}
-
-static void check_protocolversion(void)
-{
- struct ip_set_req_version req_version;
- size_t size = sizeof(struct ip_set_req_version);
- int sockfd = kernel_getsocket();
- int res;
-
- req_version.op = IP_SET_OP_VERSION;
- res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size);
-
- if (res != 0) {
- ipset_printf("I'm of protocol version %u.\n"
- "Kernel module is not loaded in, "
- "cannot verify kernel version.",
- IP_SET_PROTOCOL_VERSION);
- return;
- }
- if (req_version.version != IP_SET_PROTOCOL_VERSION)
- exit_error(OTHER_PROBLEM,
- "Kernel ipset code is of protocol version %u."
- "I'm of protocol version %u.\n"
- "Please upgrade your kernel and/or ipset(8) utillity.",
- req_version.version, IP_SET_PROTOCOL_VERSION);
-}
-
-static void set_command(int *cmd, const int newcmd)
-{
- if (*cmd != CMD_NONE)
- exit_error(PARAMETER_PROBLEM, "Can't use -%c with -%c\n",
- cmd2char(*cmd), cmd2char(newcmd));
- *cmd = newcmd;
-}
-
-static void add_option(unsigned int *options, unsigned int option)
-{
- if (*options & option)
- exit_error(PARAMETER_PROBLEM,
- "multiple -%c flags not allowed",
- opt2char(option));
- *options |= option;
-}
-
-void *ipset_malloc(size_t size)
-{
- void *p;
-
- if (size == 0)
- return NULL;
-
- if ((p = malloc(size)) == NULL) {
- perror("ipset: not enough memory");
- exit(1);
- }
- return p;
-}
-
-char *ipset_strdup(const char *s)
-{
- char *p;
-
- if ((p = strdup(s)) == NULL) {
- perror("ipset: not enough memory");
- exit(1);
- }
- return p;
-}
-
-void ipset_free(void **data)
-{
- if (*data == NULL)
- return;
-
- free(*data);
- *data = NULL;
-}
-
-static struct option *merge_options(struct option *oldopts,
- const struct option *newopts,
- unsigned int *option_offset)
-{
- unsigned int num_old, num_new, i;
- struct option *merge;
-
- for (num_old = 0; oldopts[num_old].name; num_old++);
- for (num_new = 0; newopts[num_new].name; num_new++);
-
- global_option_offset += OPTION_OFFSET;
- *option_offset = global_option_offset;
-
- merge = ipset_malloc(sizeof(struct option) * (num_new + num_old + 1));
- memcpy(merge, oldopts, num_old * sizeof(struct option));
- for (i = 0; i < num_new; i++) {
- merge[num_old + i] = newopts[i];
- merge[num_old + i].val += *option_offset;
- }
- memset(merge + num_old + num_new, 0, sizeof(struct option));
-
- return merge;
-}
-
-static char *ip_tohost(const struct in_addr *addr)
-{
- struct hostent *host;
-
- if ((host = gethostbyaddr((char *) addr,
- sizeof(struct in_addr),
- AF_INET)) != NULL) {
- DP("%s", host->h_name);
- return (char *) host->h_name;
- }
-
- return (char *) NULL;
-}
-
-static char *ip_tonetwork(const struct in_addr *addr)
-{
- struct netent *net;
-
- if ((net = getnetbyaddr((long) ntohl(addr->s_addr),
- AF_INET)) != NULL) {
- DP("%s", net->n_name);
- return (char *) net->n_name;
- }
-
- return (char *) NULL;
-}
-
-/* Return a string representation of an IP address.
- * Please notice that a pointer to static char* area is returned.
- */
-char *ip_tostring(ip_set_ip_t ip, unsigned options)
-{
- struct in_addr addr;
- addr.s_addr = htonl(ip);
-
- if (!(options & OPT_NUMERIC)) {
- char *name;
- if ((name = ip_tohost(&addr)) != NULL ||
- (name = ip_tonetwork(&addr)) != NULL)
- return name;
- }
-
- return inet_ntoa(addr);
-}
-
-char *binding_ip_tostring(struct set *set, ip_set_ip_t ip, unsigned options)
-{
- return ip_tostring(ip, options);
-}
-char *ip_tostring_numeric(ip_set_ip_t ip)
-{
- return ip_tostring(ip, OPT_NUMERIC);
-}
-
-/* Fills the 'ip' with the parsed ip or host in host byte order */
-void parse_ip(const char *str, ip_set_ip_t * ip)
-{
- struct hostent *host;
- struct in_addr addr;
-
- DP("%s", str);
-
- if (inet_aton(str, &addr) != 0) {
- *ip = ntohl(addr.s_addr); /* We want host byte order */
- return;
- }
-
- host = gethostbyname(str);
- if (host != NULL) {
- if (host->h_addrtype != AF_INET ||
- host->h_length != sizeof(struct in_addr))
- exit_error(PARAMETER_PROBLEM,
- "host/network `%s' not an internet name",
- str);
- if (host->h_addr_list[1] != 0)
- exit_error(PARAMETER_PROBLEM,
- "host/network `%s' resolves to serveral ip-addresses. "
- "Please specify one.", str);
-
- *ip = ntohl(((struct in_addr *) host->h_addr_list[0])->s_addr);
- return;
- }
-
- exit_error(PARAMETER_PROBLEM, "host/network `%s' not found", str);
-}
-
-/* Fills 'mask' with the parsed mask in host byte order */
-void parse_mask(const char *str, ip_set_ip_t * mask)
-{
- struct in_addr addr;
- unsigned int bits;
-
- DP("%s", str);
-
- if (str == NULL) {
- /* no mask at all defaults to 32 bits */
- *mask = 0xFFFFFFFF;
- return;
- }
- if (strchr(str, '.') && inet_aton(str, &addr) != 0) {
- *mask = ntohl(addr.s_addr); /* We want host byte order */
- return;
- }
- if (sscanf(str, "%d", &bits) != 1 || bits < 0 || bits > 32)
- exit_error(PARAMETER_PROBLEM,
- "invalid mask `%s' specified", str);
-
- DP("bits: %d", bits);
-
- *mask = bits != 0 ? 0xFFFFFFFF << (32 - bits) : 0L;
-}
-
-/* Combines parse_ip and parse_mask */
-void
-parse_ipandmask(const char *str, ip_set_ip_t * ip, ip_set_ip_t * mask)
-{
- char buf[256];
- char *p;
-
- strncpy(buf, str, sizeof(buf) - 1);
- buf[255] = '\0';
-
- if ((p = strrchr(buf, '/')) != NULL) {
- *p = '\0';
- parse_mask(p + 1, mask);
- } else
- parse_mask(NULL, mask);
-
- /* if a null mask is given, the name is ignored, like in "any/0" */
- if (*mask == 0U)
- *ip = 0U;
- else
- parse_ip(buf, ip);
-
- DP("%s ip: %08X (%s) mask: %08X",
- str, *ip, ip_tostring_numeric(*ip), *mask);
-
- /* Apply the netmask */
- *ip &= *mask;
-
- DP("%s ip: %08X (%s) mask: %08X",
- str, *ip, ip_tostring_numeric(*ip), *mask);
-}
-
-/* Return a string representation of a port
- * Please notice that a pointer to static char* area is returned
- * and we assume TCP protocol.
- */
-char *port_tostring(ip_set_ip_t port, unsigned options)
-{
- struct servent *service;
- static char name[] = "65535";
-
- if (!(options & OPT_NUMERIC)) {
- if ((service = getservbyport(htons(port), "tcp")))
- return service->s_name;
- }
- sprintf(name, "%u", port);
- return name;
-}
-
-int
-string_to_number(const char *str, unsigned int min, unsigned int max,
- ip_set_ip_t *port)
-{
- long number;
- char *end;
-
- /* Handle hex, octal, etc. */
- errno = 0;
- number = strtol(str, &end, 0);
- if (*end == '\0' && end != str) {
- /* we parsed a number, let's see if we want this */
- if (errno != ERANGE && min <= number && number <= max) {
- *port = number;
- return 0;
- }
- }
- return -1;
-}
-
-static int
-string_to_port(const char *str, ip_set_ip_t *port)
-{
- struct servent *service;
-
- if ((service = getservbyname(str, "tcp")) != NULL) {
- *port = ntohs((unsigned short) service->s_port);
- return 0;
- }
-
- return -1;
-}
-
-/* Fills the 'ip' with the parsed port in host byte order */
-void parse_port(const char *str, ip_set_ip_t *port)
-{
- if ((string_to_number(str, 0, 65535, port) != 0)
- && (string_to_port(str, port) != 0))
- exit_error(PARAMETER_PROBLEM,
- "Invalid TCP port `%s' specified", str);
-}
-
-/*
- * Settype functions
- */
-static struct settype *settype_find(const char *typename)
-{
- struct settype *runner = all_settypes;
-
- DP("%s", typename);
-
- while (runner != NULL) {
- if (strncmp(runner->typename, typename,
- IP_SET_MAXNAMELEN) == 0)
- return runner;
-
- runner = runner->next;
- }
-
- return NULL; /* not found */
-}
-
-static struct settype *settype_load(const char *typename)
-{
- char path[sizeof(IPSET_LIB_DIR) + sizeof(IPSET_LIB_NAME) +
- strlen(typename)];
- struct settype *settype;
-
- /* do some search in list */
- settype = settype_find(typename);
- if (settype != NULL)
- return settype; /* found */
-
- /* Else we have to load it */
- sprintf(path, IPSET_LIB_DIR IPSET_LIB_NAME, typename);
-
- if (dlopen(path, RTLD_NOW)) {
- /* Found library. */
-
- settype = settype_find(typename);
-
- if (settype != NULL)
- return settype;
- }
-
- /* Can't load the settype */
- exit_error(PARAMETER_PROBLEM,
- "Couldn't load settype `%s':%s\n",
- typename, dlerror());
-
- return NULL; /* Never executed, but keep compilers happy */
-}
-
-static char *check_set_name(char *setname)
-{
- if (strlen(setname) > IP_SET_MAXNAMELEN - 1)
- exit_error(PARAMETER_PROBLEM,
- "Setname '%s' too long, max %d characters.",
- setname, IP_SET_MAXNAMELEN - 1);
-
- return setname;
-}
-
-static struct settype *check_set_typename(const char *typename)
-{
- if (strlen(typename) > IP_SET_MAXNAMELEN - 1)
- exit_error(PARAMETER_PROBLEM,
- "Typename '%s' too long, max %d characters.",
- typename, IP_SET_MAXNAMELEN - 1);
-
- return settype_load(typename);
-}
-
-#define MAX(a,b) ((a) > (b) ? (a) : (b))
-
-/* Register a new set type */
-void settype_register(struct settype *settype)
-{
- struct settype *chk;
- size_t size;
-
- DP("%s", settype->typename);
-
- /* Check if this typename already exists */
- chk = settype_find(settype->typename);
-
- if (chk != NULL)
- exit_error(OTHER_PROBLEM,
- "Set type '%s' already registered!\n",
- settype->typename);
-
- /* Check version */
- if (settype->protocol_version != IP_SET_PROTOCOL_VERSION)
- exit_error(OTHER_PROBLEM,
- "Set type %s is of wrong protocol version %u!"
- " I'm of version %u.\n", settype->typename,
- settype->protocol_version,
- IP_SET_PROTOCOL_VERSION);
-
- /* Initialize internal data */
- settype->header = ipset_malloc(settype->header_size);
- size = MAX(settype->create_size, settype->adt_size);
- settype->data = ipset_malloc(size);
-
- /* Insert first */
- settype->next = all_settypes;
- all_settypes = settype;
-
- DP("%s registered", settype->typename);
-}
-
-/* Find set functions */
-static struct set *set_find_byid(ip_set_id_t id)
-{
- struct set *set = NULL;
- ip_set_id_t i;
-
- for (i = 0; i < max_sets; i++)
- if (set_list[i] && set_list[i]->id == id) {
- set = set_list[i];
- break;
- }
-
- if (set == NULL)
- exit_error(PARAMETER_PROBLEM,
- "Set identified by id %u is not found", id);
- return set;
-}
-
-static struct set *set_find_byname(const char *name)
-{
- struct set *set = NULL;
- ip_set_id_t i;
-
- for (i = 0; i < max_sets; i++)
- if (set_list[i]
- && strncmp(set_list[i]->name, name,
- IP_SET_MAXNAMELEN) == 0) {
- set = set_list[i];
- break;
- }
- if (set == NULL)
- exit_error(PARAMETER_PROBLEM,
- "Set %s is not found", name);
- return set;
-}
-
-static ip_set_id_t set_find_free_index(const char *name)
-{
- ip_set_id_t i, index = IP_SET_INVALID_ID;
-
- for (i = 0; i < max_sets; i++) {
- if (index == IP_SET_INVALID_ID
- && set_list[i] == NULL)
- index = i;
- if (set_list[i] != NULL
- && strncmp(set_list[i]->name, name,
- IP_SET_MAXNAMELEN) == 0)
- exit_error(PARAMETER_PROBLEM,
- "Set %s is already defined, cannot be restored",
- name);
- }
-
- if (index == IP_SET_INVALID_ID)
- exit_error(PARAMETER_PROBLEM,
- "Set %s cannot be restored, "
- "max number of set %u reached",
- name, max_sets);
-
- return index;
-}
-
-/*
- * Send create set order to kernel
- */
-static void set_create(const char *name, struct settype *settype)
-{
- struct ip_set_req_create req_create;
- size_t size;
- void *data;
-
- DP("%s %s", name, settype->typename);
-
- req_create.op = IP_SET_OP_CREATE;
- req_create.version = IP_SET_PROTOCOL_VERSION;
- strcpy(req_create.name, name);
- strcpy(req_create.typename, settype->typename);
-
- /* Final checks */
- settype->create_final(settype->data, settype->flags);
-
- /* Alloc memory for the data to send */
- size = sizeof(struct ip_set_req_create) + settype->create_size;
- data = ipset_malloc(size);
-
- /* Add up ip_set_req_create and the settype data */
- memcpy(data, &req_create, sizeof(struct ip_set_req_create));
- memcpy(data + sizeof(struct ip_set_req_create),
- settype->data, settype->create_size);
-
- kernel_sendto(CMD_CREATE, data, size);
- free(data);
-}
-
-static void set_restore_create(const char *name, struct settype *settype)
-{
- struct set *set;
-
- DP("%s %s %u %u %u %u", name, settype->typename,
- restore_offset, sizeof(struct ip_set_restore),
- settype->create_size, restore_size);
-
- /* Sanity checking */
- if (restore_offset
- + sizeof(struct ip_set_restore)
- + settype->create_size > restore_size)
- exit_error(PARAMETER_PROBLEM,
- "Giving up, restore file is screwed up!");
-
- /* Final checks */
- settype->create_final(settype->data, settype->flags);
-
- /* Fill out restore_data */
- restore_set = (struct ip_set_restore *)
- (restore_data + restore_offset);
- strcpy(restore_set->name, name);
- strcpy(restore_set->typename, settype->typename);
- restore_set->index = set_find_free_index(name);
- restore_set->header_size = settype->create_size;
- restore_set->members_size = 0;
-
- DP("name %s, restore index %u", restore_set->name, restore_set->index);
- /* Add settype data */
-
- memcpy(restore_data + restore_offset + sizeof(struct ip_set_restore),
- settype->data, settype->create_size);
-
- restore_offset += sizeof(struct ip_set_restore)
- + settype->create_size;
-
- /* Add set to set_list */
- set = ipset_malloc(sizeof(struct set));
- strcpy(set->name, name);
- set->settype = settype;
- set->index = restore_set->index;
- set_list[restore_set->index] = set;
-}
-
-/*
- * Send destroy/flush order to kernel for one or all sets
- */
-static void set_destroy(const char *name, unsigned op, unsigned cmd)
-{
- struct ip_set_req_std req;
-
- DP("%s %s", cmd == CMD_DESTROY ? "destroy" : "flush", name);
-
- req.op = op;
- req.version = IP_SET_PROTOCOL_VERSION;
- strcpy(req.name, name);
-
- kernel_sendto(cmd, &req, sizeof(struct ip_set_req_std));
-}
-
-/*
- * Send rename/swap order to kernel
- */
-static void set_rename(const char *name, const char *newname,
- unsigned op, unsigned cmd)
-{
- struct ip_set_req_create req;
-
- DP("%s %s %s", cmd == CMD_RENAME ? "rename" : "swap",
- name, newname);
-
- req.op = op;
- req.version = IP_SET_PROTOCOL_VERSION;
- strcpy(req.name, name);
- strcpy(req.typename, newname);
-
- kernel_sendto(cmd, &req,
- sizeof(struct ip_set_req_create));
-}
-
-/*
- * Send MAX_SETS, LIST_SIZE and/or SAVE_SIZE orders to kernel
- */
-static size_t load_set_list(const char name[IP_SET_MAXNAMELEN],
- ip_set_id_t *index,
- unsigned op, unsigned cmd)
-{
- void *data = NULL;
- struct ip_set_req_max_sets req_max_sets;
- struct ip_set_name_list *name_list;
- struct set *set;
- ip_set_id_t i;
- size_t size, req_size;
- int repeated = 0, res = 0;
-
- DP("%s %s", cmd == CMD_MAX_SETS ? "MAX_SETS"
- : cmd == CMD_LIST_SIZE ? "LIST_SIZE"
- : "SAVE_SIZE",
- name);
-
-tryagain:
- if (set_list) {
- for (i = 0; i < max_sets; i++)
- if (set_list[i])
- free(set_list[i]);
- free(set_list);
- set_list = NULL;
- }
- /* Get max_sets */
- req_max_sets.op = IP_SET_OP_MAX_SETS;
- req_max_sets.version = IP_SET_PROTOCOL_VERSION;
- strcpy(req_max_sets.set.name, name);
- size = sizeof(req_max_sets);
- kernel_getfrom(CMD_MAX_SETS, &req_max_sets, &size);
-
- DP("got MAX_SETS: sets %d, max_sets %d",
- req_max_sets.sets, req_max_sets.max_sets);
-
- max_sets = req_max_sets.max_sets;
- set_list = ipset_malloc(max_sets * sizeof(struct set *));
- memset(set_list, 0, max_sets * sizeof(struct set *));
- *index = req_max_sets.set.index;
-
- if (req_max_sets.sets == 0)
- /* No sets in kernel */
- return 0;
-
- /* Get setnames */
- size = req_size = sizeof(struct ip_set_req_setnames)
- + req_max_sets.sets * sizeof(struct ip_set_name_list);
- data = ipset_malloc(size);
- ((struct ip_set_req_setnames *) data)->op = op;
- ((struct ip_set_req_setnames *) data)->index = *index;
-
- res = kernel_getfrom_handleerrno(cmd, data, &size);
-
- if (res != 0 || size != req_size) {
- free(data);
- if (repeated++ < LIST_TRIES)
- goto tryagain;
- exit_error(OTHER_PROBLEM,
- "Tried to get sets from kernel %d times"
- " and failed. Please try again when the load on"
- " the sets has gone down.", LIST_TRIES);
- }
-
- /* Load in setnames */
- size = sizeof(struct ip_set_req_setnames);
- while (size + sizeof(struct ip_set_name_list) <= req_size) {
- name_list = (struct ip_set_name_list *)
- (data + size);
- set = ipset_malloc(sizeof(struct set));
- strcpy(set->name, name_list->name);
- set->index = name_list->index;
- set->id = name_list->id;
- set->settype = settype_load(name_list->typename);
- set_list[name_list->index] = set;
- DP("loaded %s, type %s, index %u",
- set->name, set->settype->typename, set->index);
- size += sizeof(struct ip_set_name_list);
- }
- /* Size to get set members, bindings */
- size = ((struct ip_set_req_setnames *)data)->size;
- free(data);
-
- return size;
-}
-
-/*
- * Save operation
- */
-static size_t save_bindings(void *data, size_t offset, size_t len)
-{
- struct ip_set_hash_save *hash =
- (struct ip_set_hash_save *) (data + offset);
- struct set *set;
-
- DP("offset %u, len %u", offset, len);
- if (offset + sizeof(struct ip_set_hash_save) > len)
- exit_error(OTHER_PROBLEM,
- "Save operation failed, try again later.");
-
- set = set_find_byid(hash->id);
- if (!(set && set_list[hash->binding]))
- exit_error(OTHER_PROBLEM,
- "Save binding failed, try again later.");
- printf("-B %s %s -b %s\n",
- set->name,
- set->settype->bindip_tostring(set, hash->ip, OPT_NUMERIC),
- set_list[hash->binding]->name);
-
- return sizeof(struct ip_set_hash_save);
-}
-
-static size_t save_set(void *data, int *bindings,
- size_t offset, size_t len)
-{
- struct ip_set_save *set_save =
- (struct ip_set_save *) (data + offset);
- struct set *set;
- struct settype *settype;
- size_t used;
-
- DP("offset %u, len %u", offset, len);
- if (offset + sizeof(struct ip_set_save) > len
- || offset + sizeof(struct ip_set_save)
- + set_save->header_size + set_save->members_size > len)
- exit_error(OTHER_PROBLEM,
- "Save operation failed, try again later.");
-
- if (set_save->index == IP_SET_INVALID_ID) {
- /* Marker */
- *bindings = 1;
- return sizeof(struct ip_set_save);
- }
- set = set_list[set_save->index];
- if (!set)
- exit_error(OTHER_PROBLEM,
- "Save set failed, try again later.");
- settype = set->settype;
-
- /* Init set header */
- used = sizeof(struct ip_set_save);
- settype->initheader(set, data + offset + used);
-
- /* Print create set */
- settype->saveheader(set, OPT_NUMERIC);
-
- /* Print add IPs */
- used += set_save->header_size;
- settype->saveips(set, data + offset + used,
- set_save->members_size, OPT_NUMERIC);
-
- return (used + set_save->members_size);
-}
-
-static size_t save_default_bindings(void *data, int *bindings)
-{
- struct ip_set_save *set_save = (struct ip_set_save *) data;
- struct set *set;
-
- if (set_save->index == IP_SET_INVALID_ID) {
- /* Marker */
- *bindings = 1;
- return sizeof(struct ip_set_save);
- }
-
- set = set_list[set_save->index];
- DP("%s, binding %u", set->name, set_save->binding);
- if (set_save->binding != IP_SET_INVALID_ID) {
- if (!set_list[set_save->binding])
- exit_error(OTHER_PROBLEM,
- "Save set failed, try again later.");
-
- printf("-B %s %s -b %s\n",
- set->name, IPSET_TOKEN_DEFAULT,
- set_list[set_save->binding]->name);
- }
- return (sizeof(struct ip_set_save)
- + set_save->header_size
- + set_save->members_size);
-}
-
-static int try_save_sets(const char name[IP_SET_MAXNAMELEN])
-{
- void *data = NULL;
- size_t size, req_size = 0;
- ip_set_id_t index;
- int res = 0, bindings = 0;
- time_t now = time(NULL);
-
- /* Load set_list from kernel */
- size = load_set_list(name, &index,
- IP_SET_OP_SAVE_SIZE, CMD_SAVE);
-
- if (size) {
- /* Get sets, bindings and print them */
- /* Take into account marker */
- req_size = (size += sizeof(struct ip_set_save));
- data = ipset_malloc(size);
- ((struct ip_set_req_list *) data)->op = IP_SET_OP_SAVE;
- ((struct ip_set_req_list *) data)->index = index;
- res = kernel_getfrom_handleerrno(CMD_SAVE, data, &size);
-
- if (res != 0 || size != req_size) {
- free(data);
- return -EAGAIN;
- }
- }
-
- printf("# Generated by ipset %s on %s", IPSET_VERSION, ctime(&now));
- size = 0;
- while (size < req_size) {
- DP("size: %u, req_size: %u", size, req_size);
- if (bindings)
- size += save_bindings(data, size, req_size);
- else
- size += save_set(data, &bindings, size, req_size);
- }
- /* Re-read data to save default bindings */
- bindings = 0;
- size = 0;
- while (size < req_size && bindings == 0)
- size += save_default_bindings(data + size, &bindings);
-
- printf("COMMIT\n");
- now = time(NULL);
- printf("# Completed on %s", ctime(&now));
- ipset_free(&data);
- return res;
-}
-
-/*
- * Performs a save to stdout
- */
-static void set_save(const char name[IP_SET_MAXNAMELEN])
-{
- int i;
-
- DP("%s", name);
- for (i = 0; i < LIST_TRIES; i++)
- if (try_save_sets(name) == 0)
- return;
-
- if (errno == EAGAIN)
- exit_error(OTHER_PROBLEM,
- "Tried to save sets from kernel %d times"
- " and failed. Please try again when the load on"
- " the sets has gone down.", LIST_TRIES);
- else
- kernel_error(CMD_SAVE, errno);
-}
-
-/*
- * Restore operation
- */
-
-/* global new argv and argc */
-static char *newargv[255];
-static int newargc = 0;
-
-/* Build faked argv from parsed line */
-static void build_argv(int line, char *buffer) {
- char *ptr;
- int i;
-
- /* Reset */
- for (i = 1; i < newargc; i++)
- free(newargv[i]);
- newargc = 1;
-
- ptr = strtok(buffer, " \t\n");
- newargv[newargc++] = ipset_strdup(ptr);
- while ((ptr = strtok(NULL, " \t\n")) != NULL) {
- if ((newargc + 1) < sizeof(newargv)/sizeof(char *))
- newargv[newargc++] = ipset_strdup(ptr);
- else
- exit_error(PARAMETER_PROBLEM,
- "Line %d is too long to restore\n", line);
- }
-}
-
-static FILE *create_tempfile(void)
-{
- char buffer[1024];
- char *tmpdir = NULL;
- char *filename;
- int fd;
- FILE *file;
-
- if (!(tmpdir = getenv("TMPDIR")) && !(tmpdir = getenv("TMP")))
- tmpdir = "/tmp";
- filename = ipset_malloc(strlen(tmpdir) + strlen(TEMPFILE_PATTERN) + 1);
- strcpy(filename, tmpdir);
- strcat(filename, TEMPFILE_PATTERN);
-
- (void) umask(077); /* Create with restrictive permissions */
- fd = mkstemp(filename);
- if (fd == -1)
- exit_error(OTHER_PROBLEM, "Could not create temporary file.");
- if (!(file = fdopen(fd, "r+")))
- exit_error(OTHER_PROBLEM, "Could not open temporary file.");
- if (unlink(filename) == -1)
- exit_error(OTHER_PROBLEM, "Could not unlink temporary file.");
- free(filename);
-
- while (fgets(buffer, sizeof(buffer), stdin)) {
- fputs(buffer, file);
- }
- fseek(file, 0L, SEEK_SET);
-
- return file;
-}
-
-/*
- * Performs a restore from a file
- */
-static void set_restore(char *argv0)
-{
- char buffer[1024];
- char *ptr, *name = NULL;
- char cmd = ' ';
- int line = 0, first_pass, i, bindings = 0;
- struct settype *settype = NULL;
- struct ip_set_req_setnames *header;
- ip_set_id_t index;
- FILE *in;
- int res;
-
- /* Create and store stdin in temporary file */
- in = create_tempfile();
-
- /* Load existing sets from kernel */
- load_set_list(IPSET_TOKEN_ALL, &index,
- IP_SET_OP_LIST_SIZE, CMD_RESTORE);
-
- restore_size = sizeof(struct ip_set_req_setnames)/* header */
- + sizeof(struct ip_set_restore); /* marker */
- DP("restore_size: %u", restore_size);
- /* First pass: calculate required amount of data */
- while (fgets(buffer, sizeof(buffer), in)) {
- line++;
-
- if (buffer[0] == '\n')
- continue;
- else if (buffer[0] == '#')
- continue;
- else if (strcmp(buffer, "COMMIT\n") == 0) {
- /* Enable restore mode */
- restore = 1;
- break;
- }
-
- /* -N, -A or -B */
- ptr = strtok(buffer, " \t\n");
- DP("ptr: %s", ptr);
- if (ptr == NULL
- || ptr[0] != '-'
- || !(ptr[1] == 'N'
- || ptr[1] == 'A'
- || ptr[1] == 'B')
- || ptr[2] != '\0') {
- exit_error(PARAMETER_PROBLEM,
- "Line %u does not start as a valid restore command\n",
- line);
- }
- cmd = ptr[1];
- /* setname */
- ptr = strtok(NULL, " \t\n");
- DP("setname: %s", ptr);
- if (ptr == NULL)
- exit_error(PARAMETER_PROBLEM,
- "Missing set name in line %u\n",
- line);
- DP("cmd %c", cmd);
- switch (cmd) {
- case 'N': {
- name = check_set_name(ptr);
- /* settype */
- ptr = strtok(NULL, " \t\n");
- if (ptr == NULL)
- exit_error(PARAMETER_PROBLEM,
- "Missing settype in line %u\n",
- line);
- if (bindings)
- exit_error(PARAMETER_PROBLEM,
- "Invalid line %u: create must precede bindings\n",
- line);
- settype = check_set_typename(ptr);
- restore_size += sizeof(struct ip_set_restore)
- + settype->create_size;
- DP("restore_size (N): %u", restore_size);
- break;
- }
- case 'A': {
- if (name == NULL
- || strncmp(name, ptr, sizeof(name)) != 0)
- exit_error(PARAMETER_PROBLEM,
- "Add IP to set %s in line %u without "
- "preceding corresponding create set line\n",
- ptr, line);
- if (bindings)
- exit_error(PARAMETER_PROBLEM,
- "Invalid line %u: adding entries must precede bindings\n",
- line);
- restore_size += settype->adt_size;
- DP("restore_size (A): %u", restore_size);
- break;
- }
- case 'B': {
- bindings = 1;
- restore_size += sizeof(struct ip_set_hash_save);
- DP("restore_size (B): %u", restore_size);
- break;
- }
- default: {
- exit_error(PARAMETER_PROBLEM,
- "Unrecognized restore command in line %u\n",
- line);
- }
- } /* end of switch */
- }
- /* Sanity checking */
- if (!restore)
- exit_error(PARAMETER_PROBLEM,
- "Missing COMMIT line\n");
- DP("restore_size: %u", restore_size);
- restore_data = ipset_malloc(restore_size);
- header = (struct ip_set_req_setnames *) restore_data;
- header->op = IP_SET_OP_RESTORE;
- header->size = restore_size;
- restore_offset = sizeof(struct ip_set_req_setnames);
-
- /* Rewind to scan the file again */
- fseek(in, 0L, SEEK_SET);
- first_pass = line;
- line = 0;
-
- /* Initialize newargv/newargc */
- newargv[newargc++] = ipset_strdup(argv0);
-
- /* Second pass: build up restore request */
- while (fgets(buffer, sizeof(buffer), in)) {
- line++;
-
- if (buffer[0] == '\n')
- continue;
- else if (buffer[0] == '#')
- continue;
- else if (strcmp(buffer, "COMMIT\n") == 0)
- goto do_restore;
- DP("restoring: %s", buffer);
- /* Build faked argv, argc */
- build_argv(line, buffer);
- for (i = 0; i < newargc; i++)
- DP("argv[%u]: %s", i, newargv[i]);
-
- /* Parse line */
- parse_commandline(newargc, newargv);
- }
- exit_error(PARAMETER_PROBLEM,
- "Broken restore file\n");
- do_restore:
- if (bindings == 0
- && restore_size ==
- (restore_offset + sizeof(struct ip_set_restore))) {
- /* No bindings */
- struct ip_set_restore *marker =
- (struct ip_set_restore *) (restore_data + restore_offset);
-
- DP("restore marker");
- marker->index = IP_SET_INVALID_ID;
- marker->header_size = marker->members_size = 0;
- restore_offset += sizeof(struct ip_set_restore);
- }
- if (restore_size != restore_offset)
- exit_error(PARAMETER_PROBLEM,
- "Giving up, restore file is screwed up!");
- res = kernel_getfrom_handleerrno(CMD_RESTORE, restore_data, &restore_size);
-
- if (res != 0) {
- if (restore_size != sizeof(struct ip_set_req_setnames))
- exit_error(PARAMETER_PROBLEM,
- "Communication with kernel failed (%u %u)!",
- restore_size, sizeof(struct ip_set_req_setnames));
- /* Check errors */
- header = (struct ip_set_req_setnames *) restore_data;
- if (header->size != 0)
- exit_error(PARAMETER_PROBLEM,
- "Committing restoring failed at line %u!",
- header->size);
- }
-}
-
-/*
- * Send ADT_GET order to kernel for a set
- */
-static struct set *set_adt_get(const char *name)
-{
- struct ip_set_req_adt_get req_adt_get;
- struct set *set;
- size_t size;
-
- DP("%s", name);
-
- req_adt_get.op = IP_SET_OP_ADT_GET;
- req_adt_get.version = IP_SET_PROTOCOL_VERSION;
- strcpy(req_adt_get.set.name, name);
- size = sizeof(struct ip_set_req_adt_get);
-
- kernel_getfrom(CMD_ADT_GET, &req_adt_get, &size);
-
- set = ipset_malloc(sizeof(struct set));
- strcpy(set->name, name);
- set->index = req_adt_get.set.index;
- set->settype = settype_load(req_adt_get.typename);
-
- return set;
-}
-
-/*
- * Send add/del/test order to kernel for a set
- */
-static int set_adtip(struct set *set, const char *adt,
- unsigned op, unsigned cmd)
-{
- struct ip_set_req_adt *req_adt;
- size_t size;
- void *data;
- int res = 0;
-
- DP("%s -> %s", set->name, adt);
-
- /* Alloc memory for the data to send */
- size = sizeof(struct ip_set_req_adt) + set->settype->adt_size ;
- DP("alloc size %i", size);
- data = ipset_malloc(size);
-
- /* Fill out the request */
- req_adt = (struct ip_set_req_adt *) data;
- req_adt->op = op;
- req_adt->index = set->index;
- memcpy(data + sizeof(struct ip_set_req_adt),
- set->settype->data, set->settype->adt_size);
-
- if (kernel_sendto_handleerrno(cmd, op, data, size) == -1)
- switch (op) {
- case IP_SET_OP_ADD_IP:
- exit_error(OTHER_PROBLEM, "%s is already in set %s.",
- adt, set->name);
- break;
- case IP_SET_OP_DEL_IP:
- exit_error(OTHER_PROBLEM, "%s is not in set %s.",
- adt, set->name);
- break;
- case IP_SET_OP_TEST_IP:
- ipset_printf("%s is in set %s.", adt, set->name);
- res = 0;
- break;
- default:
- break;
- }
- else
- switch (op) {
- case IP_SET_OP_TEST_IP:
- ipset_printf("%s is NOT in set %s.", adt, set->name);
- res = 1;
- break;
- default:
- break;
- }
- free(data);
-
- return res;
-}
-
-static void set_restore_add(struct set *set, const char *adt)
-{
- DP("%s %s", set->name, adt);
- /* Sanity checking */
- if (restore_offset + set->settype->adt_size > restore_size)
- exit_error(PARAMETER_PROBLEM,
- "Giving up, restore file is screwed up!");
-
- memcpy(restore_data + restore_offset,
- set->settype->data, set->settype->adt_size);
- restore_set->members_size += set->settype->adt_size;
- restore_offset += set->settype->adt_size;
-}
-
-/*
- * Send bind/unbind/test binding order to kernel for a set
- */
-static int set_bind(struct set *set, const char *adt,
- const char *binding,
- unsigned op, unsigned cmd)
-{
- struct ip_set_req_bind *req_bind;
- size_t size;
- void *data;
- int res = 0;
-
- /* set may be null: '-U :all: :all:|:default:' */
- DP("(%s, %s) -> %s", set ? set->name : IPSET_TOKEN_ALL, adt, binding);
-
- /* Alloc memory for the data to send */
- size = sizeof(struct ip_set_req_bind);
- if (op != IP_SET_OP_UNBIND_SET && adt[0] == ':')
- /* Set default binding */
- size += IP_SET_MAXNAMELEN;
- else if (!(op == IP_SET_OP_UNBIND_SET && set == NULL))
- size += set->settype->adt_size;
- DP("alloc size %i", size);
- data = ipset_malloc(size);
-
- /* Fill out the request */
- req_bind = (struct ip_set_req_bind *) data;
- req_bind->op = op;
- req_bind->index = set ? set->index : IP_SET_INVALID_ID;
- if (adt[0] == ':') {
- /* ':default:' and ':all:' */
- strncpy(req_bind->binding, adt, IP_SET_MAXNAMELEN);
- if (op != IP_SET_OP_UNBIND_SET && adt[0] == ':')
- strncpy(data + sizeof(struct ip_set_req_bind),
- binding, IP_SET_MAXNAMELEN);
- } else {
- strncpy(req_bind->binding, binding, IP_SET_MAXNAMELEN);
- memcpy(data + sizeof(struct ip_set_req_bind),
- set->settype->data, set->settype->adt_size);
- }
-
- if (op == IP_SET_OP_TEST_BIND_SET) {
- if (kernel_sendto_handleerrno(cmd, op, data, size) == -1) {
- ipset_printf("%s in set %s is bound to %s.",
- adt, set->name, binding);
- res = 0;
- } else {
- ipset_printf("%s in set %s is NOT bound to %s.",
- adt, set->name, binding);
- res = 1;
- }
- } else
- kernel_sendto(cmd, data, size);
- free(data);
-
- return res;
-}
-
-static void set_restore_bind(struct set *set,
- const char *adt,
- const char *binding)
-{
- struct ip_set_hash_save *hash_restore;
-
- if (restore == 1) {
- /* Marker */
- struct ip_set_restore *marker =
- (struct ip_set_restore *) (restore_data + restore_offset);
-
- DP("restore marker");
- if (restore_offset + sizeof(struct ip_set_restore)
- > restore_size)
- exit_error(PARAMETER_PROBLEM,
- "Giving up, restore file is screwed up!");
- marker->index = IP_SET_INVALID_ID;
- marker->header_size = marker->members_size = 0;
- restore_offset += sizeof(struct ip_set_restore);
- restore = 2;
- }
- /* Sanity checking */
- if (restore_offset + sizeof(struct ip_set_hash_save) > restore_size)
- exit_error(PARAMETER_PROBLEM,
- "Giving up, restore file is screwed up!");
-
- hash_restore = (struct ip_set_hash_save *) (restore_data + restore_offset);
- DP("%s -> %s", adt, binding);
- if (strcmp(adt, IPSET_TOKEN_DEFAULT) == 0)
- hash_restore->ip = 0;
- else
- set->settype->bindip_parse(adt, &hash_restore->ip);
- hash_restore->id = set->index;
- hash_restore->binding = (set_find_byname(binding))->index;
- DP("id %u, ip %u, binding %u",
- hash_restore->id, hash_restore->ip, hash_restore->binding);
- restore_offset += sizeof(struct ip_set_hash_save);
-}
-
-/*
- * Print operation
- */
-
-static void print_bindings(struct set *set,
- void *data, size_t size, unsigned options,
- char * (*printip)(struct set *set,
- ip_set_ip_t ip, unsigned options))
-{
- size_t offset = 0;
- struct ip_set_hash_list *hash;
-
- while (offset < size) {
- hash = (struct ip_set_hash_list *) (data + offset);
- printf("%s -> %s\n",
- printip(set, hash->ip, options),
- set_list[hash->binding]->name);
- offset += sizeof(struct ip_set_hash_list);
- }
-}
-
-/* Help function to set_list() */
-static size_t print_set(void *data, unsigned options)
-{
- struct ip_set_list *setlist = (struct ip_set_list *) data;
- struct set *set = set_list[setlist->index];
- struct settype *settype = set->settype;
- size_t offset;
-
- /* Pretty print the set */
- printf("Name: %s\n", set->name);
- printf("Type: %s\n", settype->typename);
- printf("References: %d\n", setlist->ref);
- printf("Default binding: %s\n",
- setlist->binding == IP_SET_INVALID_ID ? ""
- : set_list[setlist->binding]->name);
-
- /* Init header */
- offset = sizeof(struct ip_set_list);
- settype->initheader(set, data + offset);
-
- /* Pretty print the type header */
- printf("Header:");
- settype->printheader(set, options);
-
- /* Pretty print all IPs */
- printf("Members:\n");
- offset += setlist->header_size;
- if (options & OPT_SORTED)
- settype->printips_sorted(set, data + offset,
- setlist->members_size, options);
- else
- settype->printips(set, data + offset,
- setlist->members_size, options);
-
- /* Print bindings */
- printf("Bindings:\n");
- offset += setlist->members_size;
- print_bindings(set,
- data + offset, setlist->bindings_size, options,
- settype->bindip_tostring);
-
- printf("\n"); /* One newline between sets */
-
- return (offset + setlist->bindings_size);
-}
-
-static int try_list_sets(const char name[IP_SET_MAXNAMELEN],
- unsigned options)
-{
- void *data = NULL;
- ip_set_id_t index;
- size_t size, req_size;
- int res = 0;
-
- DP("%s", name);
- /* Load set_list from kernel */
- size = req_size = load_set_list(name, &index,
- IP_SET_OP_LIST_SIZE, CMD_LIST);
-
- if (size) {
- /* Get sets and print them */
- data = ipset_malloc(size);
- ((struct ip_set_req_list *) data)->op = IP_SET_OP_LIST;
- ((struct ip_set_req_list *) data)->index = index;
- res = kernel_getfrom_handleerrno(CMD_LIST, data, &size);
- DP("get_lists getsockopt() res=%d errno=%d", res, errno);
-
- if (res != 0 || size != req_size) {
- free(data);
- return -EAGAIN;
- }
- size = 0;
- }
- while (size != req_size)
- size += print_set(data + size, options);
-
- ipset_free(&data);
- return res;
-}
-
-/* Print a set or all sets
- * All sets: name = NULL
- */
-static void list_sets(const char name[IP_SET_MAXNAMELEN], unsigned options)
-{
- int i;
-
- DP("%s", name);
- for (i = 0; i < LIST_TRIES; i++)
- if (try_list_sets(name, options) == 0)
- return;
-
- if (errno == EAGAIN)
- exit_error(OTHER_PROBLEM,
- "Tried to list sets from kernel %d times"
- " and failed. Please try again when the load on"
- " the sets has gone down.", LIST_TRIES);
- else
- kernel_error(CMD_LIST, errno);
-}
-
-/* Prints help
- * If settype is non null help for that type is printed as well
- */
-static void set_help(const struct settype *settype)
-{
-#ifdef IPSET_DEBUG
- char debughelp[] =
- " --debug -z Enable debugging\n\n";
-#else
- char debughelp[] = "\n";
-#endif
-
- printf("%s v%s\n\n"
- "Usage: %s -N new-set settype [options]\n"
- " %s -[XFLSH] [set] [options]\n"
- " %s -[EW] from-set to-set\n"
- " %s -[ADTU] set IP\n"
- " %s -B set IP option\n"
- " %s -R\n"
- " %s -h (print this help information)\n\n",
- program_name, program_version,
- program_name, program_name, program_name,
- program_name, program_name, program_name,
- program_name);
-
- printf("Commands:\n"
- "Either long or short options are allowed.\n"
- " --create -N setname settype <options>\n"
- " Create a new set\n"
- " --destroy -X [setname]\n"
- " Destroy a set or all sets\n"
- " --flush -F [setname]\n"
- " Flush a set or all sets\n"
- " --rename -E from-set to-set\n"
- " Rename from-set to to-set\n"
- " --swap -W from-set to-set\n"
- " Swap the content of two existing sets\n"
- " --list -L [setname] [options]\n"
- " List the IPs in a set or all sets\n"
- " --save -S [setname]\n"
- " Save the set or all sets to stdout\n"
- " --restore -R [option]\n"
- " Restores a saved state\n"
- " --add -A setname IP\n"
- " Add an IP to a set\n"
- " --del -D setname IP\n"
- " Deletes an IP from a set\n"
- " --test -T setname IP \n"
- " Tests if an IP exists in a set.\n"
- " --bind -B setname IP|:default: -b bind-setname\n"
- " Bind the IP in setname to bind-setname.\n"
- " --unbind -U setname IP|:all:|:default:\n"
- " Delete binding belonging to IP,\n"
- " all bindings or default binding of setname.\n"
- " --unbind -U :all: :all:|:default:\n"
- " Delete all bindings or all default bindings.\n"
- " --help -H [settype]\n"
- " Prints this help, and settype specific help\n"
- " --version -V\n"
- " Prints version information\n\n"
- "Options:\n"
- " --sorted -s Numeric sort of the IPs in -L\n"
- " --numeric -n Numeric output of addresses in a -L\n"
- " --quiet -q Suppress any output to stdout and stderr.\n"
- " --binding -b Specifies the binding for -B\n");
- printf(debughelp);
-
- if (settype != NULL) {
- printf("Type '%s' specific:\n", settype->typename);
- settype->usage();
- }
-}
-
-static int find_cmd(const char option)
-{
- int i;
-
- for (i = 1; i <= NUMBER_OF_CMD; i++)
- if (cmdflags[i] == option)
- return i;
-
- return CMD_NONE;
-}
-
-static int parse_adt_cmdline(unsigned command,
- const char *name,
- char *adt,
- struct set **set,
- struct settype **settype)
-{
- int res = 0;
-
- /* -U :all: :all:|:default: */
- if (command == CMD_UNBIND) {
- if (strcmp(name, IPSET_TOKEN_ALL) == 0) {
- if (strcmp(adt, IPSET_TOKEN_DEFAULT) == 0
- || strcmp(adt, IPSET_TOKEN_ALL) == 0) {
- *set = NULL;
- *settype = NULL;
- return 1;
- } else
- exit_error(PARAMETER_PROBLEM,
- "-U %s requires %s or %s as binding name",
- IPSET_TOKEN_ALL,
- IPSET_TOKEN_DEFAULT,
- IPSET_TOKEN_ALL);
- }
- }
- *set = restore ? set_find_byname(name)
- : set_adt_get(name);
-
- /* Reset space for adt data */
- *settype = (*set)->settype;
- memset((*settype)->data, 0, (*settype)->adt_size);
-
- if ((command == CMD_TEST
- || command == CMD_BIND
- || command == CMD_UNBIND)
- && (strcmp(adt, IPSET_TOKEN_DEFAULT) == 0
- || strcmp(adt, IPSET_TOKEN_ALL) == 0))
- res = 1;
- else
- res = (*settype)->adt_parser(
- command,
- adt,
- (*settype)->data);
-
- return res;
-}
-
-/* Main worker function */
-int parse_commandline(int argc, char *argv[])
-{
- int res = 0;
- unsigned command = CMD_NONE;
- unsigned options = 0;
- int c;
-
- char *name = NULL; /* All except -H, -R */
- char *newname = NULL; /* -E, -W */
- char *adt = NULL; /* -A, -D, -T, -B, -U */
- char *binding = NULL; /* -B */
- struct set *set = NULL; /* -A, -D, -T, -B, -U */
- struct settype *settype = NULL; /* -N, -H */
- char all_sets[] = IPSET_TOKEN_ALL;
-
- struct option *opts = opts_long;
-
- /* Suppress error messages: we may add new options if we
- demand-load a protocol. */
- opterr = 0;
- /* Reset optind to 0 for restore */
- optind = 0;
-
- while ((c = getopt_long(argc, argv, opts_short, opts, NULL)) != -1) {
-
- DP("commandline parsed: opt %c (%s)", c, argv[optind]);
-
- switch (c) {
- /*
- * Command selection
- */
- case 'h':
- case 'H':{ /* Help: -H [typename [options]] */
- check_protocolversion();
- set_command(&command, CMD_HELP);
-
- if (optarg)
- settype = check_set_typename(optarg);
- else if (optind < argc
- && argv[optind][0] != '-')
- settype = check_set_typename(argv[optind++]);
-
- break;
- }
-
- case 'V':{ /* Version */
- printf("%s v%s Protocol version %u.\n",
- program_name, program_version,
- IP_SET_PROTOCOL_VERSION);
- check_protocolversion();
- exit(0);
- }
-
- case 'N':{ /* Create: -N name typename options */
- set_command(&command, CMD_CREATE);
-
- name = check_set_name(optarg);
-
- /* Protect reserved names (binding) */
- if (name[0] == ':')
- exit_error(PARAMETER_PROBLEM,
- "setname might not start with colon",
- cmd2char(CMD_CREATE));
-
- if (optind < argc
- && argv[optind][0] != '-')
- settype = check_set_typename(argv[optind++]);
- else
- exit_error(PARAMETER_PROBLEM,
- "-%c requires setname and settype",
- cmd2char(CMD_CREATE));
-
- DP("merge options");
- /* Merge the create options */
- opts = merge_options(opts,
- settype->create_opts,
- &settype->option_offset);
-
- /* Reset space for create data */
- memset(settype->data, 0, settype->create_size);
-
- /* Zero the flags */
- settype->flags = 0;
-
- DP("call create_init");
- /* Call the settype create_init */
- settype->create_init(settype->data);
-
- break;
- }
-
- case 'X': /* Destroy */
- case 'F': /* Flush */
- case 'L': /* List */
- case 'S':{ /* Save */
- set_command(&command, find_cmd(c));
-
- if (optarg)
- name = check_set_name(optarg);
- else if (optind < argc
- && argv[optind][0] != '-')
- name = check_set_name(argv[optind++]);
- else
- name = all_sets;
-
- break;
- }
-
- case 'R':{ /* Restore */
- set_command(&command, find_cmd(c));
-
- break;
- }
-
- case 'E': /* Rename */
- case 'W':{ /* Swap */
- set_command(&command, find_cmd(c));
- name = check_set_name(optarg);
-
- if (optind < argc
- && argv[optind][0] != '-')
- newname = check_set_name(argv[optind++]);
- else
- exit_error(PARAMETER_PROBLEM,
- "-%c requires a setname "
- "and the new name for that set",
- cmd2char(CMD_RENAME));
-
- break;
- }
-
- case 'A': /* Add IP */
- case 'D': /* Del IP */
- case 'T': /* Test IP */
- case 'B': /* Bind IP */
- case 'U':{ /* Unbind IP */
- set_command(&command, find_cmd(c));
-
- name = check_set_name(optarg);
-
- /* IP */
- if (optind < argc
- && argv[optind][0] != '-')
- adt = argv[optind++];
- else
- exit_error(PARAMETER_PROBLEM,
- "-%c requires setname and IP",
- c);
-
- res = parse_adt_cmdline(command, name, adt,
- &set, &settype);
-
- if (!res)
- exit_error(PARAMETER_PROBLEM,
- "Unknown arg `%s'",
- argv[optind - 1]);
-
- break;
- }
-
- /* options */
-
- case 'n':
- add_option(&options, OPT_NUMERIC);
- break;
-
- case 's':
- add_option(&options, OPT_SORTED);
- break;
-
- case 'q':
- add_option(&options, OPT_QUIET);
- option_quiet = 1;
- break;
-
-#ifdef IPSET_DEBUG
- case 'z': /* debug */
- add_option(&options, OPT_DEBUG);
- option_debug = 1;
- break;
-#endif
-
- case 'b':
- add_option(&options, OPT_BINDING);
- binding = check_set_name(optarg);
- break;
-
- case 1: /* non option */
- printf("Bad argument `%s'\n", optarg);
- exit_tryhelp(2);
- break; /*always good */
-
- default:{
- DP("default");
-
- switch (command) {
- case CMD_CREATE:
- res = settype->create_parse(
- c - settype->option_offset,
- argv,
- settype->data,
- &settype->flags);
- break;
-
- default:
- res = 0; /* failed */
- } /* switch (command) */
-
-
- if (!res)
- exit_error(PARAMETER_PROBLEM,
- "Unknown arg `%s'",
- argv[optind - 1]);
-
- }
-
- DP("next arg");
- } /* switch */
-
- } /* while( getopt_long() ) */
-
-
- if (optind < argc)
- exit_error(PARAMETER_PROBLEM,
- "unknown arguments found on commandline");
- if (command == CMD_NONE)
- exit_error(PARAMETER_PROBLEM, "no command specified");
-
- /* Check options */
- generic_opt_check(command, options);
-
- DP("cmd: %c", cmd2char(command));
-
- switch (command) {
- case CMD_CREATE:
- DP("CMD_CREATE");
- if (restore)
- set_restore_create(name, settype);
- else
- set_create(name, settype);
- break;
-
- case CMD_DESTROY:
- set_destroy(name, IP_SET_OP_DESTROY, CMD_DESTROY);
- break;
-
- case CMD_FLUSH:
- set_destroy(name, IP_SET_OP_FLUSH, CMD_FLUSH);
- break;
-
- case CMD_RENAME:
- set_rename(name, newname, IP_SET_OP_RENAME, CMD_RENAME);
- break;
-
- case CMD_SWAP:
- set_rename(name, newname, IP_SET_OP_SWAP, CMD_SWAP);
- break;
-
- case CMD_LIST:
- list_sets(name, options);
- break;
-
- case CMD_SAVE:
- set_save(name);
- break;
-
- case CMD_RESTORE:
- set_restore(argv[0]);
- break;
-
- case CMD_ADD:
- if (restore)
- set_restore_add(set, adt);
- else
- set_adtip(set, adt, IP_SET_OP_ADD_IP, CMD_ADD);
- break;
-
- case CMD_DEL:
- set_adtip(set, adt, IP_SET_OP_DEL_IP, CMD_DEL);
- break;
-
- case CMD_TEST:
- if (binding)
- res = set_bind(set, adt, binding,
- IP_SET_OP_TEST_BIND_SET, CMD_TEST);
- else
- res = set_adtip(set, adt,
- IP_SET_OP_TEST_IP, CMD_TEST);
- break;
-
- case CMD_BIND:
- if (restore)
- set_restore_bind(set, adt, binding);
- else
- set_bind(set, adt, binding,
- IP_SET_OP_BIND_SET, CMD_BIND);
- break;
-
- case CMD_UNBIND:
- set_bind(set, adt, "", IP_SET_OP_UNBIND_SET, CMD_UNBIND);
- break;
-
- case CMD_HELP:
- set_help(settype);
- break;
-
- default:
- /* Will never happen */
- break; /* Keep the compiler happy */
-
- } /* switch( command ) */
-
- return res;
-}
-
-
-int main(int argc, char *argv[])
-{
- return parse_commandline(argc, argv);
-
-}
+++ /dev/null
-#ifndef __IPSET_H
-#define __IPSET_H
-
-/* Copyright 2000-2004 Joakim Axelsson (gozem@linux.nu)
- * Patrick Schaaf (bof@bof.de)
- * Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <getopt.h>
-#include <sys/types.h>
-#include <netdb.h>
-
-#include <linux/netfilter_ipv4/ip_set.h>
-
-#define IPSET_LIB_NAME "/libipset_%s.so"
-#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
-
-#define LIST_TRIES 5
-
-#ifdef IPSET_DEBUG
-extern int option_debug;
-#define DP(format, args...) if (option_debug) \
- do { \
- fprintf(stderr, "%s: %s (DBG): ", __FILE__, __FUNCTION__);\
- fprintf(stderr, format "\n" , ## args); \
- } while (0)
-#else
-#define DP(format, args...)
-#endif
-
-/* Commands */
-enum set_commands {
- CMD_NONE,
- CMD_CREATE, /* -N */
- CMD_DESTROY, /* -X */
- CMD_FLUSH, /* -F */
- CMD_RENAME, /* -E */
- CMD_SWAP, /* -W */
- CMD_LIST, /* -L */
- CMD_SAVE, /* -S */
- CMD_RESTORE, /* -R */
- CMD_ADD, /* -A */
- CMD_DEL, /* -D */
- CMD_TEST, /* -T */
- CMD_BIND, /* -B */
- CMD_UNBIND, /* -U */
- CMD_HELP, /* -H */
- CMD_VERSION, /* -V */
- NUMBER_OF_CMD = CMD_VERSION,
- /* Internal commands */
- CMD_MAX_SETS,
- CMD_LIST_SIZE,
- CMD_SAVE_SIZE,
- CMD_ADT_GET,
-};
-
-enum exittype {
- OTHER_PROBLEM = 1,
- PARAMETER_PROBLEM,
- VERSION_PROBLEM
-};
-
-/* The view of an ipset in userspace */
-struct set {
- char name[IP_SET_MAXNAMELEN]; /* Name of the set */
- ip_set_id_t id; /* Unique set id */
- ip_set_id_t index; /* Array index */
- unsigned ref; /* References in kernel */
- struct settype *settype; /* Pointer to set type functions */
-};
-
-struct settype {
- struct settype *next;
-
- char typename[IP_SET_MAXNAMELEN];
-
- int protocol_version;
-
- /*
- * Create set
- */
-
- /* Size of create data. Will be sent to kernel */
- size_t create_size;
-
- /* Initialize the create. */
- void (*create_init) (void *data);
-
- /* Function which parses command options; returns true if it ate an option */
- int (*create_parse) (int c, char *argv[], void *data,
- unsigned *flags);
-
- /* Final check; exit if not ok. */
- void (*create_final) (void *data, unsigned int flags);
-
- /* Pointer to list of extra command-line options for create */
- struct option *create_opts;
-
- /*
- * Add/del/test IP
- */
-
- /* Size of data. Will be sent to kernel */
- size_t adt_size;
-
- /* Function which parses command options */
- ip_set_ip_t (*adt_parser) (unsigned cmd, const char *optarg, void *data);
-
- /*
- * Printing
- */
-
- /* Size of header. */
- size_t header_size;
-
- /* Initialize the type-header */
- void (*initheader) (struct set *set, const void *data);
-
- /* Pretty print the type-header */
- void (*printheader) (struct set *set, unsigned options);
-
- /* Pretty print all IPs */
- void (*printips) (struct set *set, void *data, size_t len, unsigned options);
-
- /* Pretty print all IPs sorted */
- void (*printips_sorted) (struct set *set, void *data, size_t len, unsigned options);
-
- /* Print save arguments for creating the set */
- void (*saveheader) (struct set *set, unsigned options);
-
- /* Print save for all IPs */
- void (*saveips) (struct set *set, void *data, size_t len, unsigned options);
-
- /* Conver a single IP (binding) to string */
- char * (*bindip_tostring)(struct set *set, ip_set_ip_t ip, unsigned options);
-
- /* Parse an IP at restoring bindings. FIXME */
- void (*bindip_parse) (const char *str, ip_set_ip_t * ip);
-
- /* Print usage */
- void (*usage) (void);
-
- /* Internal data */
- void *header;
- void *data;
- unsigned int option_offset;
- unsigned int flags;
-};
-
-extern void settype_register(struct settype *settype);
-
-/* extern void unregister_settype(set_type_t *set_type); */
-
-extern void exit_error(enum exittype status, char *msg, ...);
-
-extern char *binding_ip_tostring(struct set *set,
- ip_set_ip_t ip, unsigned options);
-extern char *ip_tostring(ip_set_ip_t ip, unsigned options);
-extern char *ip_tostring_numeric(ip_set_ip_t ip);
-extern void parse_ip(const char *str, ip_set_ip_t * ip);
-extern void parse_mask(const char *str, ip_set_ip_t * mask);
-extern void parse_ipandmask(const char *str, ip_set_ip_t * ip,
- ip_set_ip_t * mask);
-extern char *port_tostring(ip_set_ip_t port, unsigned options);
-extern void parse_port(const char *str, ip_set_ip_t * port);
-extern int string_to_number(const char *str, unsigned int min, unsigned int max,
- ip_set_ip_t *port);
-
-extern void *ipset_malloc(size_t size);
-extern char *ipset_strdup(const char *);
-extern void ipset_free(void **data);
-
-#endif /* __IPSET_H */
+++ /dev/null
-/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <time.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <asm/bitops.h>
-#include <asm/types.h>
-
-#include <linux/netfilter_ipv4/ip_set_iphash.h>
-#include <linux/netfilter_ipv4/ip_set_jhash.h>
-
-#include "ipset.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_HASHSIZE 0x01U
-#define OPT_CREATE_PROBES 0x02U
-#define OPT_CREATE_RESIZE 0x04U
-#define OPT_CREATE_NETMASK 0x08U
-
-/* Initialize the create. */
-void create_init(void *data)
-{
- struct ip_set_req_iphash_create *mydata =
- (struct ip_set_req_iphash_create *) data;
-
- DP("create INIT");
-
- /* Default create parameters */
- mydata->hashsize = 1024;
- mydata->probes = 8;
- mydata->resize = 50;
-
- mydata->netmask = 0xFFFFFFFF;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-int create_parse(int c, char *argv[], void *data, unsigned *flags)
-{
- struct ip_set_req_iphash_create *mydata =
- (struct ip_set_req_iphash_create *) data;
- unsigned int bits;
- ip_set_ip_t value;
-
- DP("create_parse");
-
- switch (c) {
- case '1':
-
- if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
- exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
-
- *flags |= OPT_CREATE_HASHSIZE;
-
- DP("--hashsize %u", mydata->hashsize);
-
- break;
-
- case '2':
-
- if (string_to_number(optarg, 1, 65535, &value))
- exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
-
- mydata->probes = value;
- *flags |= OPT_CREATE_PROBES;
-
- DP("--probes %u", mydata->probes);
-
- break;
-
- case '3':
-
- if (string_to_number(optarg, 0, 65535, &value))
- exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
-
- mydata->resize = value;
- *flags |= OPT_CREATE_RESIZE;
-
- DP("--resize %u", mydata->resize);
-
- break;
-
- case '4':
-
- if (string_to_number(optarg, 0, 32, &bits))
- exit_error(PARAMETER_PROBLEM,
- "Invalid netmask `%s' specified", optarg);
-
- if (bits != 0)
- mydata->netmask = 0xFFFFFFFF << (32 - bits);
-
- *flags |= OPT_CREATE_NETMASK;
-
- DP("--netmask %x", mydata->netmask);
-
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; exit if not ok. */
-void create_final(void *data, unsigned int flags)
-{
-#ifdef IPSET_DEBUG
- struct ip_set_req_iphash_create *mydata =
- (struct ip_set_req_iphash_create *) data;
-
- DP("hashsize %u probes %u resize %u",
- mydata->hashsize, mydata->probes, mydata->resize);
-#endif
-}
-
-/* Create commandline options */
-static struct option create_opts[] = {
- {"hashsize", 1, 0, '1'},
- {"probes", 1, 0, '2'},
- {"resize", 1, 0, '3'},
- {"netmask", 1, 0, '4'},
- {0}
-};
-
-/* Add, del, test parser */
-ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
-{
- struct ip_set_req_iphash *mydata =
- (struct ip_set_req_iphash *) data;
-
- parse_ip(optarg, &mydata->ip);
- if (!mydata->ip)
- exit_error(PARAMETER_PROBLEM,
- "Zero valued IP address `%s' specified", optarg);
-
- return mydata->ip;
-};
-
-/*
- * Print and save
- */
-
-void initheader(struct set *set, const void *data)
-{
- struct ip_set_req_iphash_create *header =
- (struct ip_set_req_iphash_create *) data;
- struct ip_set_iphash *map =
- (struct ip_set_iphash *) set->settype->header;
-
- memset(map, 0, sizeof(struct ip_set_iphash));
- map->hashsize = header->hashsize;
- map->probes = header->probes;
- map->resize = header->resize;
- map->netmask = header->netmask;
-}
-
-unsigned int
-mask_to_bits(ip_set_ip_t mask)
-{
- unsigned int bits = 32;
- ip_set_ip_t maskaddr;
-
- if (mask == 0xFFFFFFFF)
- return bits;
-
- maskaddr = 0xFFFFFFFE;
- while (--bits >= 0 && maskaddr != mask)
- maskaddr <<= 1;
-
- return bits;
-}
-
-void printheader(struct set *set, unsigned options)
-{
- struct ip_set_iphash *mysetdata =
- (struct ip_set_iphash *) set->settype->header;
-
- printf(" hashsize: %u", mysetdata->hashsize);
- printf(" probes: %u", mysetdata->probes);
- printf(" resize: %u", mysetdata->resize);
- if (mysetdata->netmask == 0xFFFFFFFF)
- printf("\n");
- else
- printf(" netmask: %d\n", mask_to_bits(mysetdata->netmask));
-}
-
-void printips(struct set *set, void *data, size_t len, unsigned options)
-{
- size_t offset = 0;
- ip_set_ip_t *ip;
-
- while (offset < len) {
- ip = data + offset;
- if (*ip)
- printf("%s\n", ip_tostring(*ip, options));
- offset += sizeof(ip_set_ip_t);
- }
-}
-
-void saveheader(struct set *set, unsigned options)
-{
- struct ip_set_iphash *mysetdata =
- (struct ip_set_iphash *) set->settype->header;
-
- printf("-N %s %s --hashsize %u --probes %u --resize %u",
- set->name, set->settype->typename,
- mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
- if (mysetdata->netmask == 0xFFFFFFFF)
- printf("\n");
- else
- printf(" --netmask %d\n", mask_to_bits(mysetdata->netmask));
-}
-
-/* Print save for an IP */
-void saveips(struct set *set, void *data, size_t len, unsigned options)
-{
- size_t offset = 0;
- ip_set_ip_t *ip;
-
- while (offset < len) {
- ip = data + offset;
- if (*ip)
- printf("-A %s %s\n", set->name,
- ip_tostring(*ip, options));
- offset += sizeof(ip_set_ip_t);
- }
-}
-
-void usage(void)
-{
- printf
- ("-N set iphash [--hashsize hashsize] [--probes probes ]\n"
- " [--resize resize] [--netmask CIDR-netmask]\n"
- "-A set IP\n"
- "-D set IP\n"
- "-T set IP\n");
-}
-
-static struct settype settype_iphash = {
- .typename = SETTYPE_NAME,
- .protocol_version = IP_SET_PROTOCOL_VERSION,
-
- /* Create */
- .create_size = sizeof(struct ip_set_req_iphash_create),
- .create_init = &create_init,
- .create_parse = &create_parse,
- .create_final = &create_final,
- .create_opts = create_opts,
-
- /* Add/del/test */
- .adt_size = sizeof(struct ip_set_req_iphash),
- .adt_parser = &adt_parser,
-
- /* Printing */
- .header_size = sizeof(struct ip_set_iphash),
- .initheader = &initheader,
- .printheader = &printheader,
- .printips = &printips, /* We only have the unsorted version */
- .printips_sorted = &printips,
- .saveheader = &saveheader,
- .saveips = &saveips,
-
- /* Bindings */
- .bindip_tostring = &binding_ip_tostring,
- .bindip_parse = &parse_ip,
-
- .usage = &usage,
-};
-
-void _init(void)
-{
- settype_register(&settype_iphash);
-
-}
+++ /dev/null
-/* Copyright 2000-2004 Joakim Axelsson (gozem@linux.nu)
- * Patrick Schaaf (bof@bof.de)
- * Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <asm/bitops.h>
-
-#include <linux/netfilter_ipv4/ip_set_ipmap.h>
-#include "ipset.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_FROM 0x01U
-#define OPT_CREATE_TO 0x02U
-#define OPT_CREATE_NETWORK 0x04U
-#define OPT_CREATE_NETMASK 0x08U
-
-#define OPT_ADDDEL_IP 0x01U
-
-/* Initialize the create. */
-void create_init(void *data)
-{
- struct ip_set_req_ipmap_create *mydata =
- (struct ip_set_req_ipmap_create *) data;
-
- DP("create INIT");
- mydata->netmask = 0xFFFFFFFF;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-int create_parse(int c, char *argv[], void *data, unsigned *flags)
-{
- struct ip_set_req_ipmap_create *mydata =
- (struct ip_set_req_ipmap_create *) data;
- unsigned int bits;
-
- DP("create_parse");
-
- switch (c) {
- case '1':
- parse_ip(optarg, &mydata->from);
-
- *flags |= OPT_CREATE_FROM;
-
- DP("--from %x (%s)", mydata->from,
- ip_tostring_numeric(mydata->from));
-
- break;
-
- case '2':
- parse_ip(optarg, &mydata->to);
-
- *flags |= OPT_CREATE_TO;
-
- DP("--to %x (%s)", mydata->to,
- ip_tostring_numeric(mydata->to));
-
- break;
-
- case '3':
- parse_ipandmask(optarg, &mydata->from, &mydata->to);
-
- /* Make to the last of from + mask */
- if (mydata->to)
- mydata->to = mydata->from | ~(mydata->to);
- else {
- mydata->from = 0x00000000;
- mydata->to = 0xFFFFFFFF;
- }
- *flags |= OPT_CREATE_NETWORK;
-
- DP("--network from %x (%s)",
- mydata->from, ip_tostring_numeric(mydata->from));
- DP("--network to %x (%s)",
- mydata->to, ip_tostring_numeric(mydata->to));
-
- break;
-
- case '4':
- if (string_to_number(optarg, 0, 32, &bits))
- exit_error(PARAMETER_PROBLEM,
- "Invalid netmask `%s' specified", optarg);
-
- if (bits != 0)
- mydata->netmask = 0xFFFFFFFF << (32 - bits);
-
- *flags |= OPT_CREATE_NETMASK;
-
- DP("--netmask %x", mydata->netmask);
-
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-#define ERRSTRLEN 256
-
-/* Final check; exit if not ok. */
-void create_final(void *data, unsigned int flags)
-{
- struct ip_set_req_ipmap_create *mydata =
- (struct ip_set_req_ipmap_create *) data;
- ip_set_ip_t range;
- char errstr[ERRSTRLEN];
-
- if (flags == 0)
- exit_error(PARAMETER_PROBLEM,
- "Need to specify --from and --to, or --network\n");
-
- if (flags & OPT_CREATE_NETWORK) {
- /* --network */
- if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --from or --to with --network\n");
- } else {
- /* --from --to */
- if ((flags & OPT_CREATE_FROM) == 0
- || (flags & OPT_CREATE_TO) == 0)
- exit_error(PARAMETER_PROBLEM,
- "Need to specify both --from and --to\n");
- }
-
- DP("from : %x to: %x diff: %x",
- mydata->from, mydata->to,
- mydata->to - mydata->from);
-
- if (mydata->from > mydata->to)
- exit_error(PARAMETER_PROBLEM,
- "From can't be lower than to.\n");
-
- if (flags & OPT_CREATE_NETMASK) {
- unsigned int mask_bits, netmask_bits;
- ip_set_ip_t mask;
-
- if ((mydata->from & mydata->netmask) != mydata->from)
- exit_error(PARAMETER_PROBLEM,
- "%s is not a network address according to netmask %d\n",
- ip_tostring_numeric(mydata->from),
- mask_to_bits(mydata->netmask));
-
- mask = range_to_mask(mydata->from, mydata->to, &mask_bits);
- if (!mask
- && (mydata->from || mydata->to != 0xFFFFFFFF)) {
- strncpy(errstr, ip_tostring_numeric(mydata->from),
- ERRSTRLEN-2);
- errstr[ERRSTRLEN-1] = '\0';
- exit_error(PARAMETER_PROBLEM,
- "%s-%s is not a full network (%x)\n",
- errstr,
- ip_tostring_numeric(mydata->to), mask);
- }
- netmask_bits = mask_to_bits(mydata->netmask);
-
- if (netmask_bits <= mask_bits) {
- strncpy(errstr, ip_tostring_numeric(mydata->from),
- ERRSTRLEN-2);
- errstr[ERRSTRLEN-1] = '\0';
- exit_error(PARAMETER_PROBLEM,
- "%d netmask specifies larger or equal netblock than %s-%s (%d)\n",
- netmask_bits,
- errstr,
- ip_tostring_numeric(mydata->to),
- mask_bits);
- }
- range = (1<<(netmask_bits - mask_bits)) - 1;
- } else {
- range = mydata->to - mydata->from;
- }
- if (range > MAX_RANGE)
- exit_error(PARAMETER_PROBLEM,
- "Range to large. Max is %d IPs in range\n",
- MAX_RANGE+1);
-}
-
-/* Create commandline options */
-static struct option create_opts[] = {
- {"from", 1, 0, '1'},
- {"to", 1, 0, '2'},
- {"network", 1, 0, '3'},
- {"netmask", 1, 0, '4'},
- {0}
-};
-
-/* Add, del, test parser */
-ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
-{
- struct ip_set_req_ipmap *mydata =
- (struct ip_set_req_ipmap *) data;
-
- DP("ipmap: %p %p", optarg, data);
-
- parse_ip(optarg, &mydata->ip);
- DP("%s", ip_tostring_numeric(mydata->ip));
-
- return 1;
-}
-
-/*
- * Print and save
- */
-
-void initheader(struct set *set, const void *data)
-{
- struct ip_set_req_ipmap_create *header =
- (struct ip_set_req_ipmap_create *) data;
- struct ip_set_ipmap *map =
- (struct ip_set_ipmap *) set->settype->header;
-
- memset(map, 0, sizeof(struct ip_set_ipmap));
- map->first_ip = header->from;
- map->last_ip = header->to;
- map->netmask = header->netmask;
-
- if (map->netmask == 0xFFFFFFFF) {
- map->hosts = 1;
- map->sizeid = map->last_ip - map->first_ip + 1;
- } else {
- unsigned int mask_bits, netmask_bits;
- ip_set_ip_t mask;
-
- mask = range_to_mask(header->from, header->to, &mask_bits);
- netmask_bits = mask_to_bits(header->netmask);
-
- DP("bits: %i %i", mask_bits, netmask_bits);
- map->hosts = 2 << (32 - netmask_bits - 1);
- map->sizeid = 2 << (netmask_bits - mask_bits - 1);
- }
-
- DP("%i %i", map->hosts, map->sizeid );
-}
-
-void printheader(struct set *set, unsigned options)
-{
- struct ip_set_ipmap *mysetdata =
- (struct ip_set_ipmap *) set->settype->header;
-
- printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
- printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
- if (mysetdata->netmask == 0xFFFFFFFF)
- printf("\n");
- else
- printf(" netmask: %d\n", mask_to_bits(mysetdata->netmask));
-}
-
-void printips_sorted(struct set *set, void *data, size_t len, unsigned options)
-{
- struct ip_set_ipmap *mysetdata =
- (struct ip_set_ipmap *) set->settype->header;
- ip_set_ip_t id;
-
- for (id = 0; id < mysetdata->sizeid; id++)
- if (test_bit(id, data))
- printf("%s\n",
- ip_tostring(mysetdata->first_ip
- + id * mysetdata->hosts,
- options));
-}
-
-void saveheader(struct set *set, unsigned options)
-{
- struct ip_set_ipmap *mysetdata =
- (struct ip_set_ipmap *) set->settype->header;
-
- printf("-N %s %s --from %s",
- set->name, set->settype->typename,
- ip_tostring(mysetdata->first_ip, options));
- printf(" --to %s",
- ip_tostring(mysetdata->last_ip, options));
- if (mysetdata->netmask == 0xFFFFFFFF)
- printf("\n");
- else
- printf(" --netmask %d\n",
- mask_to_bits(mysetdata->netmask));
-}
-
-void saveips(struct set *set, void *data, size_t len, unsigned options)
-{
- struct ip_set_ipmap *mysetdata =
- (struct ip_set_ipmap *) set->settype->header;
- ip_set_ip_t id;
-
- DP("%s", set->name);
- for (id = 0; id < mysetdata->sizeid; id++)
- if (test_bit(id, data))
- printf("-A %s %s\n",
- set->name,
- ip_tostring(mysetdata->first_ip
- + id * mysetdata->hosts,
- options));
-}
-
-void usage(void)
-{
- printf
- ("-N set ipmap --from IP --to IP [--netmask CIDR-netmask]\n"
- "-N set ipmap --network IP/mask [--netmask CIDR-netmask]\n"
- "-A set IP\n"
- "-D set IP\n"
- "-T set IP\n");
-}
-
-static struct settype settype_ipmap = {
- .typename = SETTYPE_NAME,
- .protocol_version = IP_SET_PROTOCOL_VERSION,
-
- /* Create */
- .create_size = sizeof(struct ip_set_req_ipmap_create),
- .create_init = &create_init,
- .create_parse = &create_parse,
- .create_final = &create_final,
- .create_opts = create_opts,
-
- /* Add/del/test */
- .adt_size = sizeof(struct ip_set_req_ipmap),
- .adt_parser = &adt_parser,
-
- /* Printing */
- .header_size = sizeof(struct ip_set_ipmap),
- .initheader = &initheader,
- .printheader = &printheader,
- .printips = &printips_sorted, /* We only have sorted version */
- .printips_sorted = &printips_sorted,
- .saveheader = &saveheader,
- .saveips = &saveips,
-
- /* Bindings */
- .bindip_tostring = &binding_ip_tostring,
- .bindip_parse = &parse_ip,
-
- .usage = &usage,
-};
-
-void _init(void)
-{
- settype_register(&settype_ipmap);
-
-}
+++ /dev/null
-/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <time.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <asm/bitops.h>
-#include <asm/types.h>
-
-#include <linux/netfilter_ipv4/ip_set_ipporthash.h>
-#include <linux/netfilter_ipv4/ip_set_jhash.h>
-
-#include "ipset.h"
-
-#define OPT_CREATE_HASHSIZE 0x01U
-#define OPT_CREATE_PROBES 0x02U
-#define OPT_CREATE_RESIZE 0x04U
-#define OPT_CREATE_NETWORK 0x08U
-#define OPT_CREATE_FROM 0x10U
-#define OPT_CREATE_TO 0x20U
-
-/* Initialize the create. */
-void create_init(void *data)
-{
- struct ip_set_req_ipporthash_create *mydata =
- (struct ip_set_req_ipporthash_create *) data;
-
- DP("create INIT");
-
- /* Default create parameters */
- mydata->hashsize = 1024;
- mydata->probes = 8;
- mydata->resize = 50;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-int create_parse(int c, char *argv[], void *data, unsigned *flags)
-{
- struct ip_set_req_ipporthash_create *mydata =
- (struct ip_set_req_ipporthash_create *) data;
- ip_set_ip_t value;
-
- DP("create_parse");
-
- switch (c) {
- case '1':
-
- if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
- exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
-
- *flags |= OPT_CREATE_HASHSIZE;
-
- DP("--hashsize %u", mydata->hashsize);
-
- break;
-
- case '2':
-
- if (string_to_number(optarg, 1, 65535, &value))
- exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
-
- mydata->probes = value;
- *flags |= OPT_CREATE_PROBES;
-
- DP("--probes %u", mydata->probes);
-
- break;
-
- case '3':
-
- if (string_to_number(optarg, 0, 65535, &value))
- exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
-
- mydata->resize = value;
- *flags |= OPT_CREATE_RESIZE;
-
- DP("--resize %u", mydata->resize);
-
- break;
-
- case '4':
- parse_ip(optarg, &mydata->from);
-
- *flags |= OPT_CREATE_FROM;
-
- DP("--from %x (%s)", mydata->from,
- ip_tostring_numeric(mydata->from));
-
- break;
-
- case '5':
- parse_ip(optarg, &mydata->to);
-
- *flags |= OPT_CREATE_TO;
-
- DP("--to %x (%s)", mydata->to,
- ip_tostring_numeric(mydata->to));
-
- break;
-
- case '6':
- parse_ipandmask(optarg, &mydata->from, &mydata->to);
-
- /* Make to the last of from + mask */
- if (mydata->to)
- mydata->to = mydata->from | ~(mydata->to);
- else {
- mydata->from = 0x00000000;
- mydata->to = 0xFFFFFFFF;
- }
- *flags |= OPT_CREATE_NETWORK;
-
- DP("--network from %x (%s)",
- mydata->from, ip_tostring_numeric(mydata->from));
- DP("--network to %x (%s)",
- mydata->to, ip_tostring_numeric(mydata->to));
-
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; exit if not ok. */
-void create_final(void *data, unsigned int flags)
-{
- struct ip_set_req_ipporthash_create *mydata =
- (struct ip_set_req_ipporthash_create *) data;
-
-#ifdef IPSET_DEBUG
- DP("hashsize %u probes %u resize %u",
- mydata->hashsize, mydata->probes, mydata->resize);
-#endif
-
- if (flags & OPT_CREATE_NETWORK) {
- /* --network */
- if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --from or --to with --network\n");
- } else if (flags & (OPT_CREATE_FROM | OPT_CREATE_TO)) {
- /* --from --to */
- if (!(flags & OPT_CREATE_FROM) || !(flags & OPT_CREATE_TO))
- exit_error(PARAMETER_PROBLEM,
- "Need to specify both --from and --to\n");
- } else {
- exit_error(PARAMETER_PROBLEM,
- "Need to specify --from and --to, or --network\n");
-
- }
-
- DP("from : %x to: %x diff: %x",
- mydata->from, mydata->to,
- mydata->to - mydata->from);
-
- if (mydata->from > mydata->to)
- exit_error(PARAMETER_PROBLEM,
- "From can't be higher than to.\n");
-
- if (mydata->to - mydata->from > MAX_RANGE)
- exit_error(PARAMETER_PROBLEM,
- "Range to large. Max is %d IPs in range\n",
- MAX_RANGE+1);
-}
-
-/* Create commandline options */
-static struct option create_opts[] = {
- {"hashsize", 1, 0, '1'},
- {"probes", 1, 0, '2'},
- {"resize", 1, 0, '3'},
- {"from", 1, 0, '4'},
- {"to", 1, 0, '5'},
- {"network", 1, 0, '6'},
- {0}
-};
-
-/* Add, del, test parser */
-ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
-{
- struct ip_set_req_ipporthash *mydata =
- (struct ip_set_req_ipporthash *) data;
- char *saved = ipset_strdup(optarg);
- char *ptr, *tmp = saved;
-
- DP("ipporthash: %p %p", optarg, data);
-
- ptr = strsep(&tmp, "%");
- parse_ip(ptr, &mydata->ip);
-
- if (tmp)
- parse_port(tmp, &mydata->port);
- else
- exit_error(PARAMETER_PROBLEM,
- "IP address and port must be specified: ip%%port");
- free(saved);
- return 1;
-};
-
-/*
- * Print and save
- */
-
-void initheader(struct set *set, const void *data)
-{
- struct ip_set_req_ipporthash_create *header =
- (struct ip_set_req_ipporthash_create *) data;
- struct ip_set_ipporthash *map =
- (struct ip_set_ipporthash *) set->settype->header;
-
- memset(map, 0, sizeof(struct ip_set_ipporthash));
- map->hashsize = header->hashsize;
- map->probes = header->probes;
- map->resize = header->resize;
- map->first_ip = header->from;
- map->last_ip = header->to;
-}
-
-void printheader(struct set *set, unsigned options)
-{
- struct ip_set_ipporthash *mysetdata =
- (struct ip_set_ipporthash *) set->settype->header;
-
- printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
- printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
- printf(" hashsize: %u", mysetdata->hashsize);
- printf(" probes: %u", mysetdata->probes);
- printf(" resize: %u\n", mysetdata->resize);
-}
-
-void printips(struct set *set, void *data, size_t len, unsigned options)
-{
- struct ip_set_ipporthash *mysetdata =
- (struct ip_set_ipporthash *) set->settype->header;
- size_t offset = 0;
- ip_set_ip_t *ipptr, ip;
- uint16_t port;
-
- while (offset < len) {
- ipptr = data + offset;
- if (*ipptr) {
- ip = (*ipptr>>16) + mysetdata->first_ip;
- port = (uint16_t) *ipptr;
- printf("%s%%%s\n",
- ip_tostring(ip, options),
- port_tostring(port, options));
- }
- offset += sizeof(ip_set_ip_t);
- }
-}
-
-void saveheader(struct set *set, unsigned options)
-{
- struct ip_set_ipporthash *mysetdata =
- (struct ip_set_ipporthash *) set->settype->header;
-
- printf("-N %s %s --from %s",
- set->name, set->settype->typename,
- ip_tostring(mysetdata->first_ip, options));
- printf(" --to %s",
- ip_tostring(mysetdata->last_ip, options));
- printf(" --hashsize %u --probes %u --resize %u\n",
- mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
-}
-
-/* Print save for an IP */
-void saveips(struct set *set, void *data, size_t len, unsigned options)
-{
- struct ip_set_ipporthash *mysetdata =
- (struct ip_set_ipporthash *) set->settype->header;
- size_t offset = 0;
- ip_set_ip_t *ipptr, ip;
- uint16_t port;
-
- while (offset < len) {
- ipptr = data + offset;
- if (*ipptr) {
- ip = (*ipptr>>16) + mysetdata->first_ip;
- port = (uint16_t) *ipptr;
- printf("-A %s %s%%%s\n", set->name,
- ip_tostring(ip, options),
- port_tostring(port, options));
- }
- offset += sizeof(ip_set_ip_t);
- }
-}
-
-static char buffer[22];
-
-static char * unpack_ipport_tostring(struct set *set, ip_set_ip_t bip, unsigned options)
-{
- struct ip_set_ipporthash *mysetdata =
- (struct ip_set_ipporthash *) set->settype->header;
- ip_set_ip_t ip, port;
-
- ip = (bip>>16) + mysetdata->first_ip;
- port = (uint16_t) bip;
- sprintf(buffer, "%s%%%s",
- ip_tostring(ip, options), port_tostring(port, options));
-
- return buffer;
-}
-
-void usage(void)
-{
- printf
- ("-N set ipporthash --from IP --to IP\n"
- " [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
- "-N set ipporthash --network IP/mask\n"
- " [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
- "-A set IP%%port\n"
- "-D set IP%%port\n"
- "-T set IP%%port\n");
-}
-
-static struct settype settype_ipporthash = {
- .typename = SETTYPE_NAME,
- .protocol_version = IP_SET_PROTOCOL_VERSION,
-
- /* Create */
- .create_size = sizeof(struct ip_set_req_ipporthash_create),
- .create_init = &create_init,
- .create_parse = &create_parse,
- .create_final = &create_final,
- .create_opts = create_opts,
-
- /* Add/del/test */
- .adt_size = sizeof(struct ip_set_req_ipporthash),
- .adt_parser = &adt_parser,
-
- /* Printing */
- .header_size = sizeof(struct ip_set_ipporthash),
- .initheader = &initheader,
- .printheader = &printheader,
- .printips = &printips, /* We only have the unsorted version */
- .printips_sorted = &printips,
- .saveheader = &saveheader,
- .saveips = &saveips,
-
- /* Bindings */
- .bindip_tostring = &unpack_ipport_tostring,
- .bindip_parse = &parse_ip,
-
- .usage = &usage,
-};
-
-void _init(void)
-{
- settype_register(&settype_ipporthash);
-
-}
+++ /dev/null
-/* Copyright 2005 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <linux/netfilter_ipv4/ip_set_iptree.h>
-#include "ipset.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_TIMEOUT 0x01U
-
-/* Initialize the create. */
-void create_init(void *data)
-{
- struct ip_set_req_iptree_create *mydata =
- (struct ip_set_req_iptree_create *) data;
-
- DP("create INIT");
- mydata->timeout = 0;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-int create_parse(int c, char *argv[], void *data, unsigned *flags)
-{
- struct ip_set_req_iptree_create *mydata =
- (struct ip_set_req_iptree_create *) data;
-
- DP("create_parse");
-
- switch (c) {
- case '1':
- string_to_number(optarg, 0, UINT_MAX, &mydata->timeout);
-
- *flags |= OPT_CREATE_TIMEOUT;
-
- DP("--timeout %u", mydata->timeout);
-
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; exit if not ok. */
-void create_final(void *data, unsigned int flags)
-{
-}
-
-/* Create commandline options */
-static struct option create_opts[] = {
- {"timeout", 1, 0, '1'},
- {0}
-};
-
-/* Add, del, test parser */
-ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
-{
- struct ip_set_req_iptree *mydata =
- (struct ip_set_req_iptree *) data;
- char *saved = ipset_strdup(optarg);
- char *ptr, *tmp = saved;
-
- DP("iptree: %p %p", optarg, data);
-
- ptr = strsep(&tmp, "%");
- parse_ip(ptr, &mydata->ip);
-
- if (tmp)
- string_to_number(tmp, 0, UINT_MAX, &mydata->timeout);
- else
- mydata->timeout = 0;
-
- free(saved);
- return 1;
-}
-
-/*
- * Print and save
- */
-
-void initheader(struct set *set, const void *data)
-{
- struct ip_set_req_iptree_create *header =
- (struct ip_set_req_iptree_create *) data;
- struct ip_set_iptree *map =
- (struct ip_set_iptree *) set->settype->header;
-
- map->timeout = header->timeout;
-}
-
-void printheader(struct set *set, unsigned options)
-{
- struct ip_set_iptree *mysetdata =
- (struct ip_set_iptree *) set->settype->header;
-
- if (mysetdata->timeout)
- printf(" timeout: %u", mysetdata->timeout);
- printf("\n");
-}
-
-void printips_sorted(struct set *set, void *data, size_t len, unsigned options)
-{
- struct ip_set_iptree *mysetdata =
- (struct ip_set_iptree *) set->settype->header;
- struct ip_set_req_iptree *req;
- size_t offset = 0;
-
- while (len >= offset + sizeof(struct ip_set_req_iptree)) {
- req = (struct ip_set_req_iptree *)(data + offset);
- if (mysetdata->timeout)
- printf("%s%%%u\n", ip_tostring(req->ip, options),
- req->timeout);
- else
- printf("%s\n", ip_tostring(req->ip, options));
- offset += sizeof(struct ip_set_req_iptree);
- }
-}
-
-void saveheader(struct set *set, unsigned options)
-{
- struct ip_set_iptree *mysetdata =
- (struct ip_set_iptree *) set->settype->header;
-
- if (mysetdata->timeout)
- printf("-N %s %s --timeout %u\n",
- set->name, set->settype->typename,
- mysetdata->timeout);
- else
- printf("-N %s %s\n",
- set->name, set->settype->typename);
-}
-
-void saveips(struct set *set, void *data, size_t len, unsigned options)
-{
- struct ip_set_iptree *mysetdata =
- (struct ip_set_iptree *) set->settype->header;
- struct ip_set_req_iptree *req;
- size_t offset = 0;
-
- DP("%s", set->name);
-
- while (len >= offset + sizeof(struct ip_set_req_iptree)) {
- req = (struct ip_set_req_iptree *)(data + offset);
- if (mysetdata->timeout)
- printf("-A %s %s%%%u\n",
- set->name,
- ip_tostring(req->ip, options),
- req->timeout);
- else
- printf("-A %s %s\n",
- set->name,
- ip_tostring(req->ip, options));
- offset += sizeof(struct ip_set_req_iptree);
- }
-}
-
-void usage(void)
-{
- printf
- ("-N set iptree [--timeout value]\n"
- "-A set IP[%%timeout]\n"
- "-D set IP\n"
- "-T set IP\n");
-}
-
-static struct settype settype_iptree = {
- .typename = SETTYPE_NAME,
- .protocol_version = IP_SET_PROTOCOL_VERSION,
-
- /* Create */
- .create_size = sizeof(struct ip_set_req_iptree_create),
- .create_init = &create_init,
- .create_parse = &create_parse,
- .create_final = &create_final,
- .create_opts = create_opts,
-
- /* Add/del/test */
- .adt_size = sizeof(struct ip_set_req_iptree),
- .adt_parser = &adt_parser,
-
- /* Printing */
- .header_size = sizeof(struct ip_set_iptree),
- .initheader = &initheader,
- .printheader = &printheader,
- .printips = &printips_sorted, /* We only have sorted version */
- .printips_sorted = &printips_sorted,
- .saveheader = &saveheader,
- .saveips = &saveips,
-
- /* Bindings */
- .bindip_tostring = &binding_ip_tostring,
- .bindip_parse = &parse_ip,
-
- .usage = &usage,
-};
-
-void _init(void)
-{
- settype_register(&settype_iptree);
-
-}
+++ /dev/null
-/* Copyright 2000, 2001, 2002 Joakim Axelsson (gozem@linux.nu)
- * Patrick Schaaf (bof@bof.de)
- * Martin Josefsson (gandalf@wlug.westbo.se)
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <asm/bitops.h>
-#include <linux/if_ether.h>
-
-#include <linux/netfilter_ipv4/ip_set_macipmap.h>
-#include "ipset.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_FROM 0x01U
-#define OPT_CREATE_TO 0x02U
-#define OPT_CREATE_NETWORK 0x04U
-#define OPT_CREATE_MATCHUNSET 0x08U
-
-#define OPT_ADDDEL_IP 0x01U
-#define OPT_ADDDEL_MAC 0x02U
-
-/* Initialize the create. */
-void create_init(void *data)
-{
- DP("create INIT");
- /* Nothing */
-}
-
-/* Function which parses command options; returns true if it ate an option */
-int create_parse(int c, char *argv[], void *data, unsigned *flags)
-{
- struct ip_set_req_macipmap_create *mydata =
- (struct ip_set_req_macipmap_create *) data;
-
- DP("create_parse");
-
- switch (c) {
- case '1':
- parse_ip(optarg, &mydata->from);
-
- *flags |= OPT_CREATE_FROM;
-
- DP("--from %x (%s)", mydata->from,
- ip_tostring_numeric(mydata->from));
-
- break;
-
- case '2':
- parse_ip(optarg, &mydata->to);
-
- *flags |= OPT_CREATE_TO;
-
- DP("--to %x (%s)", mydata->to,
- ip_tostring_numeric(mydata->to));
-
- break;
-
- case '3':
- parse_ipandmask(optarg, &mydata->from, &mydata->to);
-
- /* Make to the last of from + mask */
- mydata->to = mydata->from | (~mydata->to);
-
- *flags |= OPT_CREATE_NETWORK;
-
- DP("--network from %x (%s)",
- mydata->from, ip_tostring_numeric(mydata->from));
- DP("--network to %x (%s)",
- mydata->to, ip_tostring_numeric(mydata->to));
-
- break;
-
- case '4':
- mydata->flags |= IPSET_MACIP_MATCHUNSET;
-
- *flags |= OPT_CREATE_MATCHUNSET;
-
- DP("--matchunset");
-
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; exit if not ok. */
-void create_final(void *data, unsigned int flags)
-{
- struct ip_set_req_macipmap_create *mydata =
- (struct ip_set_req_macipmap_create *) data;
-
- if (flags == 0)
- exit_error(PARAMETER_PROBLEM,
- "Need to specify --from and --to, or --network\n");
-
- if (flags & OPT_CREATE_NETWORK) {
- /* --network */
- if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --from or --to with --network\n");
- } else {
- /* --from --to */
- if ((flags & OPT_CREATE_FROM) == 0
- || (flags & OPT_CREATE_TO) == 0)
- exit_error(PARAMETER_PROBLEM,
- "Need to specify both --from and --to\n");
- }
-
-
- DP("from : %x to: %x diff: %d match unset: %d", mydata->from,
- mydata->to, mydata->to - mydata->from,
- flags & OPT_CREATE_MATCHUNSET);
-
- if (mydata->from > mydata->to)
- exit_error(PARAMETER_PROBLEM,
- "From can't be lower than to.\n");
-
- if (mydata->to - mydata->from > MAX_RANGE)
- exit_error(PARAMETER_PROBLEM,
- "Range too large. Max is %d IPs in range\n",
- MAX_RANGE+1);
-}
-
-/* Create commandline options */
-static struct option create_opts[] = {
- {"from", 1, 0, '1'},
- {"to", 1, 0, '2'},
- {"network", 1, 0, '3'},
- {"matchunset", 0, 0, '4'},
- {0}
-};
-
-static void parse_mac(const char *mac, unsigned char *ethernet)
-{
- unsigned int i = 0;
-
- if (strlen(mac) != ETH_ALEN * 3 - 1)
- exit_error(PARAMETER_PROBLEM, "Bad mac address `%s'", mac);
-
- for (i = 0; i < ETH_ALEN; i++) {
- long number;
- char *end;
-
- number = strtol(mac + i * 3, &end, 16);
-
- if (end == mac + i * 3 + 2 && number >= 0 && number <= 255)
- ethernet[i] = number;
- else
- exit_error(PARAMETER_PROBLEM,
- "Bad mac address `%s'", mac);
- }
-}
-
-/* Add, del, test parser */
-ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
-{
- struct ip_set_req_macipmap *mydata =
- (struct ip_set_req_macipmap *) data;
- char *saved = ipset_strdup(optarg);
- char *ptr, *tmp = saved;
-
- DP("macipmap: %p %p", optarg, data);
-
- ptr = strsep(&tmp, "%");
- parse_ip(ptr, &mydata->ip);
-
- if (tmp)
- parse_mac(tmp, mydata->ethernet);
- else
- memset(mydata->ethernet, 0, ETH_ALEN);
-
- free(saved);
- return 1;
-}
-
-/*
- * Print and save
- */
-
-void initheader(struct set *set, const void *data)
-{
- struct ip_set_req_macipmap_create *header =
- (struct ip_set_req_macipmap_create *) data;
- struct ip_set_macipmap *map =
- (struct ip_set_macipmap *) set->settype->header;
-
- memset(map, 0, sizeof(struct ip_set_macipmap));
- map->first_ip = header->from;
- map->last_ip = header->to;
- map->flags = header->flags;
-}
-
-void printheader(struct set *set, unsigned options)
-{
- struct ip_set_macipmap *mysetdata =
- (struct ip_set_macipmap *) set->settype->header;
-
- printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
- printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
-
- if (mysetdata->flags & IPSET_MACIP_MATCHUNSET)
- printf(" matchunset");
- printf("\n");
-}
-
-static void print_mac(unsigned char macaddress[ETH_ALEN])
-{
- unsigned int i;
-
- printf("%02X", macaddress[0]);
- for (i = 1; i < ETH_ALEN; i++)
- printf(":%02X", macaddress[i]);
-}
-
-void printips_sorted(struct set *set, void *data, size_t len, unsigned options)
-{
- struct ip_set_macipmap *mysetdata =
- (struct ip_set_macipmap *) set->settype->header;
- struct ip_set_macip *table =
- (struct ip_set_macip *) data;
- u_int32_t addr = mysetdata->first_ip;
-
- while (addr <= mysetdata->last_ip) {
- if (test_bit(IPSET_MACIP_ISSET,
- (void *)&table[addr - mysetdata->first_ip].flags)) {
- printf("%s%%", ip_tostring(addr, options));
- print_mac(table[addr - mysetdata->first_ip].
- ethernet);
- printf("\n");
- }
- addr++;
- }
-}
-
-void saveheader(struct set *set, unsigned options)
-{
- struct ip_set_macipmap *mysetdata =
- (struct ip_set_macipmap *) set->settype->header;
-
- printf("-N %s %s --from %s",
- set->name, set->settype->typename,
- ip_tostring(mysetdata->first_ip, options));
- printf(" --to %s", ip_tostring(mysetdata->last_ip, options));
-
- if (mysetdata->flags & IPSET_MACIP_MATCHUNSET)
- printf(" --matchunset");
- printf("\n");
-}
-
-void saveips(struct set *set, void *data, size_t len, unsigned options)
-{
- struct ip_set_macipmap *mysetdata =
- (struct ip_set_macipmap *) set->settype->header;
- struct ip_set_macip *table =
- (struct ip_set_macip *) data;
- u_int32_t addr = mysetdata->first_ip;
-
- while (addr <= mysetdata->last_ip) {
- if (test_bit(IPSET_MACIP_ISSET,
- (void *)&table[addr - mysetdata->first_ip].flags)) {
- printf("-A %s %s%%",
- set->name, ip_tostring(addr, options));
- print_mac(table[addr - mysetdata->first_ip].
- ethernet);
- printf("\n");
- }
- addr++;
- }
-}
-
-void usage(void)
-{
- printf
- ("-N set macipmap --from IP --to IP [--matchunset]\n"
- "-N set macipmap --network IP/mask [--matchunset]\n"
- "-A set IP%%MAC\n"
- "-D set IP[%%MAC]\n"
- "-T set IP[%%MAC]\n");
-}
-
-static struct settype settype_macipmap = {
- .typename = SETTYPE_NAME,
- .protocol_version = IP_SET_PROTOCOL_VERSION,
-
- /* Create */
- .create_size = sizeof(struct ip_set_req_macipmap_create),
- .create_init = &create_init,
- .create_parse = &create_parse,
- .create_final = &create_final,
- .create_opts = create_opts,
-
- /* Add/del/test */
- .adt_size = sizeof(struct ip_set_req_macipmap),
- .adt_parser = &adt_parser,
-
- /* Printing */
- .header_size = sizeof(struct ip_set_macipmap),
- .initheader = &initheader,
- .printheader = &printheader,
- .printips = &printips_sorted, /* We only have sorted version */
- .printips_sorted = &printips_sorted,
- .saveheader = &saveheader,
- .saveips = &saveips,
-
- /* Bindings */
- .bindip_tostring = &binding_ip_tostring,
- .bindip_parse = &parse_ip,
-
- .usage = &usage,
-};
-
-void _init(void)
-{
- settype_register(&settype_macipmap);
-
-}
+++ /dev/null
-/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <time.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <asm/bitops.h>
-#include <asm/types.h>
-
-#include <linux/netfilter_ipv4/ip_set_nethash.h>
-#include <linux/netfilter_ipv4/ip_set_jhash.h>
-
-#include "ipset.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_HASHSIZE 0x01U
-#define OPT_CREATE_PROBES 0x02U
-#define OPT_CREATE_RESIZE 0x04U
-
-/* Initialize the create. */
-void create_init(void *data)
-{
- struct ip_set_req_nethash_create *mydata =
- (struct ip_set_req_nethash_create *) data;
-
- DP("create INIT");
-
- /* Default create parameters */
- mydata->hashsize = 1024;
- mydata->probes = 4;
- mydata->resize = 50;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-int create_parse(int c, char *argv[], void *data, unsigned *flags)
-{
- struct ip_set_req_nethash_create *mydata =
- (struct ip_set_req_nethash_create *) data;
- ip_set_ip_t value;
-
- DP("create_parse");
-
- switch (c) {
- case '1':
-
- if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
- exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
-
- *flags |= OPT_CREATE_HASHSIZE;
-
- DP("--hashsize %u", mydata->hashsize);
-
- break;
-
- case '2':
-
- if (string_to_number(optarg, 1, 65535, &value))
- exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
-
- mydata->probes = value;
- *flags |= OPT_CREATE_PROBES;
-
- DP("--probes %u", mydata->probes);
-
- break;
-
- case '3':
-
- if (string_to_number(optarg, 0, 65535, &value))
- exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
-
- mydata->resize = value;
- *flags |= OPT_CREATE_RESIZE;
-
- DP("--resize %u", mydata->resize);
-
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; exit if not ok. */
-void create_final(void *data, unsigned int flags)
-{
-#ifdef IPSET_DEBUG
- struct ip_set_req_nethash_create *mydata =
- (struct ip_set_req_nethash_create *) data;
-
- DP("hashsize %u probes %u resize %u",
- mydata->hashsize, mydata->probes, mydata->resize);
-#endif
-}
-
-/* Create commandline options */
-static struct option create_opts[] = {
- {"hashsize", 1, 0, '1'},
- {"probes", 1, 0, '2'},
- {"resize", 1, 0, '3'},
- {0}
-};
-
-/* Add, del, test parser */
-ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
-{
- struct ip_set_req_nethash *mydata =
- (struct ip_set_req_nethash *) data;
- char *saved = ipset_strdup(optarg);
- char *ptr, *tmp = saved;
- ip_set_ip_t cidr;
-
- ptr = strsep(&tmp, "/");
-
- if (tmp == NULL) {
- if (cmd == CMD_TEST)
- cidr = 32;
- else
- exit_error(PARAMETER_PROBLEM,
- "Missing cidr from `%s'", optarg);
- } else
- if (string_to_number(tmp, 1, 31, &cidr))
- exit_error(PARAMETER_PROBLEM,
- "Out of range cidr `%s' specified", optarg);
-
- mydata->cidr = cidr;
- parse_ip(ptr, &mydata->ip);
- if (!mydata->ip)
- exit_error(PARAMETER_PROBLEM,
- "Zero valued IP address `%s' specified", ptr);
- free(saved);
-
- return mydata->ip;
-};
-
-/*
- * Print and save
- */
-
-void initheader(struct set *set, const void *data)
-{
- struct ip_set_req_nethash_create *header =
- (struct ip_set_req_nethash_create *) data;
- struct ip_set_nethash *map =
- (struct ip_set_nethash *) set->settype->header;
-
- memset(map, 0, sizeof(struct ip_set_nethash));
- map->hashsize = header->hashsize;
- map->probes = header->probes;
- map->resize = header->resize;
-}
-
-unsigned int
-mask_to_bits(ip_set_ip_t mask)
-{
- unsigned int bits = 32;
- ip_set_ip_t maskaddr;
-
- if (mask == 0xFFFFFFFF)
- return bits;
-
- maskaddr = 0xFFFFFFFE;
- while (--bits >= 0 && maskaddr != mask)
- maskaddr <<= 1;
-
- return bits;
-}
-
-void printheader(struct set *set, unsigned options)
-{
- struct ip_set_nethash *mysetdata =
- (struct ip_set_nethash *) set->settype->header;
-
- printf(" hashsize: %u", mysetdata->hashsize);
- printf(" probes: %u", mysetdata->probes);
- printf(" resize: %u\n", mysetdata->resize);
-}
-
-static char buf[20];
-
-static char * unpack_ip_tostring(ip_set_ip_t ip, unsigned options)
-{
- int i, j = 3;
- unsigned char a, b;
-
- ip = htonl(ip);
- for (i = 3; i >= 0; i--)
- if (((unsigned char *)&ip)[i] != 0) {
- j = i;
- break;
- }
-
- a = ((unsigned char *)&ip)[j];
- if (a <= 128) {
- a = (a - 1) * 2;
- b = 7;
- } else if (a <= 192) {
- a = (a - 129) * 4;
- b = 6;
- } else if (a <= 224) {
- a = (a - 193) * 8;
- b = 5;
- } else if (a <= 240) {
- a = (a - 225) * 16;
- b = 4;
- } else if (a <= 248) {
- a = (a - 241) * 32;
- b = 3;
- } else if (a <= 252) {
- a = (a - 249) * 64;
- b = 2;
- } else if (a <= 254) {
- a = (a - 253) * 128;
- b = 1;
- } else {
- a = b = 0;
- }
- ((unsigned char *)&ip)[j] = a;
- b += j * 8;
-
- sprintf(buf, "%u.%u.%u.%u/%u",
- ((unsigned char *)&ip)[0],
- ((unsigned char *)&ip)[1],
- ((unsigned char *)&ip)[2],
- ((unsigned char *)&ip)[3],
- b);
-
- DP("%s %s", ip_tostring(ntohl(ip), options), buf);
- return buf;
-}
-
-void printips(struct set *set, void *data, size_t len, unsigned options)
-{
- size_t offset = 0;
- ip_set_ip_t *ip;
-
- while (offset < len) {
- ip = data + offset;
- if (*ip)
- printf("%s\n", unpack_ip_tostring(*ip, options));
- offset += sizeof(ip_set_ip_t);
- }
-}
-
-void saveheader(struct set *set, unsigned options)
-{
- struct ip_set_nethash *mysetdata =
- (struct ip_set_nethash *) set->settype->header;
-
- printf("-N %s %s --hashsize %u --probes %u --resize %u\n",
- set->name, set->settype->typename,
- mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
-}
-
-/* Print save for an IP */
-void saveips(struct set *set, void *data, size_t len, unsigned options)
-{
- size_t offset = 0;
- ip_set_ip_t *ip;
-
- while (offset < len) {
- ip = data + offset;
- if (*ip)
- printf("-A %s %s\n", set->name,
- unpack_ip_tostring(*ip, options));
- offset += sizeof(ip_set_ip_t);
- }
-}
-
-static char * net_tostring(struct set *set, ip_set_ip_t ip, unsigned options)
-{
- return unpack_ip_tostring(ip, options);
-}
-
-static void parse_net(const char *str, ip_set_ip_t *ip)
-{
- char *saved = strdup(str);
- char *ptr, *tmp = saved;
- ip_set_ip_t cidr;
-
- ptr = strsep(&tmp, "/");
-
- if (tmp == NULL)
- exit_error(PARAMETER_PROBLEM,
- "Missing cidr from `%s'", str);
-
- if (string_to_number(tmp, 1, 31, &cidr))
- exit_error(PARAMETER_PROBLEM,
- "Out of range cidr `%s' specified", str);
-
- parse_ip(ptr, ip);
- free(saved);
-
- *ip = pack(*ip, cidr);
-}
-
-void usage(void)
-{
- printf
- ("-N set nethash [--hashsize hashsize] [--probes probes ]\n"
- " [--resize resize]\n"
- "-A set IP/cidr\n"
- "-D set IP/cidr\n"
- "-T set IP/cidr\n");
-}
-
-static struct settype settype_nethash = {
- .typename = SETTYPE_NAME,
- .protocol_version = IP_SET_PROTOCOL_VERSION,
-
- /* Create */
- .create_size = sizeof(struct ip_set_req_nethash_create),
- .create_init = &create_init,
- .create_parse = &create_parse,
- .create_final = &create_final,
- .create_opts = create_opts,
-
- /* Add/del/test */
- .adt_size = sizeof(struct ip_set_req_nethash),
- .adt_parser = &adt_parser,
-
- /* Printing */
- .header_size = sizeof(struct ip_set_nethash),
- .initheader = &initheader,
- .printheader = &printheader,
- .printips = &printips, /* We only have the unsorted version */
- .printips_sorted = &printips,
- .saveheader = &saveheader,
- .saveips = &saveips,
-
- /* Bindings */
- .bindip_tostring = &net_tostring,
- .bindip_parse = &parse_net,
-
- .usage = &usage,
-};
-
-void _init(void)
-{
- settype_register(&settype_nethash);
-
-}
+++ /dev/null
-/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-
-#include <stdio.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <asm/bitops.h>
-
-#include <linux/netfilter_ipv4/ip_set_portmap.h>
-#include "ipset.h"
-
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_FROM 0x01U
-#define OPT_CREATE_TO 0x02U
-
-#define OPT_ADDDEL_PORT 0x01U
-
-/* Initialize the create. */
-void create_init(void *data)
-{
- DP("create INIT");
- /* Nothing */
-}
-
-/* Function which parses command options; returns true if it ate an option */
-int create_parse(int c, char *argv[], void *data, unsigned *flags)
-{
- struct ip_set_req_portmap_create *mydata =
- (struct ip_set_req_portmap_create *) data;
-
- DP("create_parse");
-
- switch (c) {
- case '1':
- parse_port(optarg, &mydata->from);
-
- *flags |= OPT_CREATE_FROM;
-
- DP("--from %x (%s)", mydata->from,
- port_tostring(mydata->from, 0));
-
- break;
-
- case '2':
- parse_port(optarg, &mydata->to);
-
- *flags |= OPT_CREATE_TO;
-
- DP("--to %x (%s)", mydata->to,
- port_tostring(mydata->to, 0));
-
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; exit if not ok. */
-void create_final(void *data, unsigned int flags)
-{
- struct ip_set_req_portmap_create *mydata =
- (struct ip_set_req_portmap_create *) data;
-
- if (flags == 0) {
- exit_error(PARAMETER_PROBLEM,
- "Need to specify --from and --to\n");
- } else {
- /* --from --to */
- if ((flags & OPT_CREATE_FROM) == 0
- || (flags & OPT_CREATE_TO) == 0)
- exit_error(PARAMETER_PROBLEM,
- "Need to specify both --from and --to\n");
- }
-
- DP("from : %x to: %x diff: %d", mydata->from, mydata->to,
- mydata->to - mydata->from);
-
- if (mydata->from > mydata->to)
- exit_error(PARAMETER_PROBLEM,
- "From can't be lower than to.\n");
-
- if (mydata->to - mydata->from > MAX_RANGE)
- exit_error(PARAMETER_PROBLEM,
- "Range too large. Max is %d ports in range\n",
- MAX_RANGE+1);
-}
-
-/* Create commandline options */
-static struct option create_opts[] = {
- {"from", 1, 0, '1'},
- {"to", 1, 0, '2'},
- {0}
-};
-
-/* Add, del, test parser */
-ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
-{
- struct ip_set_req_portmap *mydata =
- (struct ip_set_req_portmap *) data;
-
- parse_port(optarg, &mydata->port);
- DP("%s", port_tostring(mydata->port, 0));
-
- return 1;
-}
-
-/*
- * Print and save
- */
-
-void initheader(struct set *set, const void *data)
-{
- struct ip_set_req_portmap_create *header =
- (struct ip_set_req_portmap_create *) data;
- struct ip_set_portmap *map =
- (struct ip_set_portmap *) set->settype->header;
-
- memset(map, 0, sizeof(struct ip_set_portmap));
- map->first_port = header->from;
- map->last_port = header->to;
-}
-
-void printheader(struct set *set, unsigned options)
-{
- struct ip_set_portmap *mysetdata =
- (struct ip_set_portmap *) set->settype->header;
-
- printf(" from: %s", port_tostring(mysetdata->first_port, options));
- printf(" to: %s\n", port_tostring(mysetdata->last_port, options));
-}
-
-void printports_sorted(struct set *set, void *data, size_t len, unsigned options)
-{
- struct ip_set_portmap *mysetdata =
- (struct ip_set_portmap *) set->settype->header;
- u_int32_t addr = mysetdata->first_port;
-
- DP("%u -- %u", mysetdata->first_port, mysetdata->last_port);
- while (addr <= mysetdata->last_port) {
- if (test_bit(addr - mysetdata->first_port, data))
- printf("%s\n", port_tostring(addr, options));
- addr++;
- }
-}
-
-char * binding_port_tostring(struct set *set, ip_set_ip_t ip, unsigned options)
-{
- return port_tostring(ip, options);
-}
-
-void saveheader(struct set *set, unsigned options)
-{
- struct ip_set_portmap *mysetdata =
- (struct ip_set_portmap *) set->settype->header;
-
- printf("-N %s %s --from %s",
- set->name,
- set->settype->typename,
- port_tostring(mysetdata->first_port, options));
- printf(" --to %s\n",
- port_tostring(mysetdata->last_port, options));
-}
-
-void saveports(struct set *set, void *data, size_t len, unsigned options)
-{
- struct ip_set_portmap *mysetdata =
- (struct ip_set_portmap *) set->settype->header;
- u_int32_t addr = mysetdata->first_port;
-
- while (addr <= mysetdata->last_port) {
- if (test_bit(addr - mysetdata->first_port, data))
- printf("-A %s %s\n",
- set->name,
- port_tostring(addr, options));
- addr++;
- }
-}
-
-void usage(void)
-{
- printf
- ("-N set portmap --from PORT --to PORT\n"
- "-A set PORT\n"
- "-D set PORT\n"
- "-T set PORT\n");
-}
-
-static struct settype settype_portmap = {
- .typename = SETTYPE_NAME,
- .protocol_version = IP_SET_PROTOCOL_VERSION,
-
- /* Create */
- .create_size = sizeof(struct ip_set_req_portmap_create),
- .create_init = &create_init,
- .create_parse = &create_parse,
- .create_final = &create_final,
- .create_opts = create_opts,
-
- /* Add/del/test */
- .adt_size = sizeof(struct ip_set_req_portmap),
- .adt_parser = &adt_parser,
-
- /* Printing */
- .header_size = sizeof(struct ip_set_portmap),
- .initheader = &initheader,
- .printheader = &printheader,
- .printips = &printports_sorted, /* We only have sorted version */
- .printips_sorted = &printports_sorted,
- .saveheader = &saveheader,
- .saveips = &saveports,
-
- /* Bindings */
- .bindip_tostring = &binding_port_tostring,
- .bindip_parse = &parse_port,
-
- .usage = &usage,
-};
-
-void _init(void)
-{
- settype_register(&settype_portmap);
-
-}
+++ /dev/null
-#ifndef _LIBIPT_SET_H
-#define _LIBIPT_SET_H
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <errno.h>
-
-static int get_set_getsockopt(void *data, size_t * size)
-{
- int sockfd = -1;
- sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
- if (sockfd < 0)
- exit_error(OTHER_PROBLEM,
- "Can't open socket to ipset.\n");
- /* Send! */
- return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
-}
-
-static void
-parse_bindings(const char *optarg, struct ipt_set_info *info)
-{
- char *saved = strdup(optarg);
- char *ptr, *tmp = saved;
- int i = 0;
-
- while (i < IP_SET_MAX_BINDINGS && tmp != NULL) {
- ptr = strsep(&tmp, ",");
- if (strncmp(ptr, "src", 3) == 0)
- info->flags[i++] |= IPSET_SRC;
- else if (strncmp(ptr, "dst", 3) == 0)
- info->flags[i++] |= IPSET_DST;
- else
- exit_error(PARAMETER_PROBLEM,
- "You must spefify (the comma separated list of) 'src' or 'dst'.");
- }
-
- if (tmp)
- exit_error(PARAMETER_PROBLEM,
- "Can't follow bindings deeper than %i.",
- IP_SET_MAX_BINDINGS);
-
- free(saved);
-}
-
-#endif /*_LIBIPT_SET_H*/
+++ /dev/null
-# Load additional iptables modules (nat helpers)
-# Default: -none-
-# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
-# are loaded after the firewall rules are applied. Options for the helpers are
-# stored in /etc/modules.conf.
-#IPTABLES_MODULES=""
-
-# Unload modules on restart and stop
-# Value: yes|no, default: yes
-# This option has to be 'yes' to get to a sane state for a firewall
-# restart or stop. Only set to 'no' if there are problems unloading netfilter
-# modules.
-#IPTABLES_MODULES_UNLOAD="yes"
-
-# Save current firewall rules on stop.
-# Value: yes|no, default: no
-# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
-# (e.g. on system shutdown).
-#IPTABLES_SAVE_ON_STOP="no"
-
-# Save current firewall rules on restart.
-# Value: yes|no, default: no
-# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
-# restarted.
-#IPTABLES_SAVE_ON_RESTART="no"
-
-# Save (and restore) rule and chain counter.
-# Value: yes|no, default: no
-# Save counters for rules and chains to /etc/sysconfig/iptables if
-# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
-# SAVE_ON_RESTART is enabled.
-#IPTABLES_SAVE_COUNTER="no"
-
-# Numeric status output
-# Value: yes|no, default: no
-# Print IP addresses and port numbers in numeric format in the status output.
-#IPTABLES_STATUS_NUMERIC="no"
+++ /dev/null
-.TH IPTABLES 8 "Mar 09, 2002" "" ""
-.\"
-.\" Man page written by Herve Eychenne <rv@wallfire.org> (May 1999)
-.\" It is based on ipchains page.
-.\" TODO: add a word for protocol helpers (FTP, IRC, SNMP-ALG)
-.\"
-.\" ipchains page by Paul ``Rusty'' Russell March 1997
-.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation; either version 2 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-iptables \- administration tool for IPv4 packet filtering and NAT
-.SH SYNOPSIS
-.BR "iptables [-t table] -[AD] " "chain rule-specification [options]"
-.br
-.BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]"
-.br
-.BR "iptables [-t table] -R " "chain rulenum rule-specification [options]"
-.br
-.BR "iptables [-t table] -D " "chain rulenum [options]"
-.br
-.BR "iptables [-t table] -[LFZ] " "[chain] [options]"
-.br
-.BR "iptables [-t table] -N " "chain"
-.br
-.BR "iptables [-t table] -X " "[chain]"
-.br
-.BR "iptables [-t table] -P " "chain target [options]"
-.br
-.BR "iptables [-t table] -E " "old-chain-name new-chain-name"
-.SH DESCRIPTION
-.B Iptables
-is used to set up, maintain, and inspect the tables of IP packet
-filter rules in the Linux kernel. Several different tables
-may be defined. Each table contains a number of built-in
-chains and may also contain user-defined chains.
-
-Each chain is a list of rules which can match a set of packets. Each
-rule specifies what to do with a packet that matches. This is called
-a `target', which may be a jump to a user-defined chain in the same
-table.
-
-.SH TARGETS
-A firewall rule specifies criteria for a packet, and a target. If the
-packet does not match, the next rule in the chain is the examined; if
-it does match, then the next rule is specified by the value of the
-target, which can be the name of a user-defined chain or one of the
-special values
-.IR ACCEPT ,
-.IR DROP ,
-.IR QUEUE ,
-or
-.IR RETURN .
-.PP
-.I ACCEPT
-means to let the packet through.
-.I DROP
-means to drop the packet on the floor.
-.I QUEUE
-means to pass the packet to userspace (if supported by the kernel).
-.I RETURN
-means stop traversing this chain and resume at the next rule in the
-previous (calling) chain. If the end of a built-in chain is reached
-or a rule in a built-in chain with target
-.I RETURN
-is matched, the target specified by the chain policy determines the
-fate of the packet.
-.SH TABLES
-There are currently three independent tables (which tables are present
-at any time depends on the kernel configuration options and which
-modules are present).
-.TP
-.BI "-t, --table " "table"
-This option specifies the packet matching table which the command
-should operate on. If the kernel is configured with automatic module
-loading, an attempt will be made to load the appropriate module for
-that table if it is not already there.
-
-The tables are as follows:
-.RS
-.TP .4i
-.BR "filter" :
-This is the default table (if no -t option is passed). It contains
-the built-in chains
-.B INPUT
-(for packets destined to local sockets),
-.B FORWARD
-(for packets being routed through the box), and
-.B OUTPUT
-(for locally-generated packets).
-.TP
-.BR "nat" :
-This table is consulted when a packet that creates a new
-connection is encountered. It consists of three built-ins:
-.B PREROUTING
-(for altering packets as soon as they come in),
-.B OUTPUT
-(for altering locally-generated packets before routing), and
-.B POSTROUTING
-(for altering packets as they are about to go out).
-.TP
-.BR "mangle" :
-This table is used for specialized packet alteration. Until kernel
-2.4.17 it had two built-in chains:
-.B PREROUTING
-(for altering incoming packets before routing) and
-.B OUTPUT
-(for altering locally-generated packets before routing).
-Since kernel 2.4.18, three other built-in chains are also supported:
-.B INPUT
-(for packets coming into the box itself),
-.B FORWARD
-(for altering packets being routed through the box), and
-.B POSTROUTING
-(for altering packets as they are about to go out).
-.TP
-.BR "raw" :
-This table is used mainly for configuring exemptions from connection
-tracking in combination with the NOTRACK target. It registers at the netfilter
-hooks with higher priority and is thus called before ip_conntrack, or any other
-IP tables. It provides the following built-in chains:
-.B PREROUTING
-(for packets arriving via any network interface)
-.B OUTPUT
-(for packets generated by local processes)
-.RE
-.SH OPTIONS
-The options that are recognized by
-.B iptables
-can be divided into several different groups.
-.SS COMMANDS
-These options specify the specific action to perform. Only one of them
-can be specified on the command line unless otherwise specified
-below. For all the long versions of the command and option names, you
-need to use only enough letters to ensure that
-.B iptables
-can differentiate it from all other options.
-.TP
-.BI "-A, --append " "chain rule-specification"
-Append one or more rules to the end of the selected chain.
-When the source and/or destination names resolve to more than one
-address, a rule will be added for each possible address combination.
-.TP
-.BI "-D, --delete " "chain rule-specification"
-.ns
-.TP
-.BI "-D, --delete " "chain rulenum"
-Delete one or more rules from the selected chain. There are two
-versions of this command: the rule can be specified as a number in the
-chain (starting at 1 for the first rule) or a rule to match.
-.TP
-.BR "-I, --insert " "\fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP"
-Insert one or more rules in the selected chain as the given rule
-number. So, if the rule number is 1, the rule or rules are inserted
-at the head of the chain. This is also the default if no rule number
-is specified.
-.TP
-.BI "-R, --replace " "chain rulenum rule-specification"
-Replace a rule in the selected chain. If the source and/or
-destination names resolve to multiple addresses, the command will
-fail. Rules are numbered starting at 1.
-.TP
-.BR "-L, --list " "[\fIchain\fP]"
-List all rules in the selected chain. If no chain is selected, all
-chains are listed. As every other iptables command, it applies to the
-specified table (filter is the default), so NAT rules get listed by
-.nf
- iptables -t nat -n -L
-.fi
-Please note that it is often used with the
-.B -n
-option, in order to avoid long reverse DNS lookups.
-It is legal to specify the
-.B -Z
-(zero) option as well, in which case the chain(s) will be atomically
-listed and zeroed. The exact output is affected by the other
-arguments given. The exact rules are suppressed until you use
-.nf
- iptables -L -v
-.fi
-.TP
-.BR "-F, --flush " "[\fIchain\fP]"
-Flush the selected chain (all the chains in the table if none is given).
-This is equivalent to deleting all the rules one by one.
-.TP
-.BR "-Z, --zero " "[\fIchain\fP]"
-Zero the packet and byte counters in all chains. It is legal to
-specify the
-.B "-L, --list"
-(list) option as well, to see the counters immediately before they are
-cleared. (See above.)
-.TP
-.BI "-N, --new-chain " "chain"
-Create a new user-defined chain by the given name. There must be no
-target of that name already.
-.TP
-.BR "-X, --delete-chain " "[\fIchain\fP]"
-Delete the optional user-defined chain specified. There must be no references
-to the chain. If there are, you must delete or replace the referring
-rules before the chain can be deleted. If no argument is given, it
-will attempt to delete every non-builtin chain in the table.
-.TP
-.BI "-P, --policy " "chain target"
-Set the policy for the chain to the given target. See the section
-.B TARGETS
-for the legal targets. Only built-in (non-user-defined) chains can have
-policies, and neither built-in nor user-defined chains can be policy
-targets.
-.TP
-.BI "-E, --rename-chain " "old-chain new-chain"
-Rename the user specified chain to the user supplied name. This is
-cosmetic, and has no effect on the structure of the table.
-.TP
-.B -h
-Help.
-Give a (currently very brief) description of the command syntax.
-.SS PARAMETERS
-The following parameters make up a rule specification (as used in the
-add, delete, insert, replace and append commands).
-.TP
-.BR "-p, --protocol " "[!] \fIprotocol\fP"
-The protocol of the rule or of the packet to check.
-The specified protocol can be one of
-.IR tcp ,
-.IR udp ,
-.IR icmp ,
-or
-.IR all ,
-or it can be a numeric value, representing one of these protocols or a
-different one. A protocol name from /etc/protocols is also allowed.
-A "!" argument before the protocol inverts the
-test. The number zero is equivalent to
-.IR all .
-Protocol
-.I all
-will match with all protocols and is taken as default when this
-option is omitted.
-.TP
-.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
-Source specification.
-.I Address
-can be either a network name, a hostname (please note that specifying
-any name to be resolved with a remote query such as DNS is a really bad idea),
-a network IP address (with /mask), or a plain IP address.
-The
-.I mask
-can be either a network mask or a plain number,
-specifying the number of 1's at the left side of the network mask.
-Thus, a mask of
-.I 24
-is equivalent to
-.IR 255.255.255.0 .
-A "!" argument before the address specification inverts the sense of
-the address. The flag
-.B --src
-is an alias for this option.
-.TP
-.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
-Destination specification.
-See the description of the
-.B -s
-(source) flag for a detailed description of the syntax. The flag
-.B --dst
-is an alias for this option.
-.TP
-.BI "-j, --jump " "target"
-This specifies the target of the rule; i.e., what to do if the packet
-matches it. The target can be a user-defined chain (other than the
-one this rule is in), one of the special builtin targets which decide
-the fate of the packet immediately, or an extension (see
-.B EXTENSIONS
-below). If this
-option is omitted in a rule, then matching the rule will have no
-effect on the packet's fate, but the counters on the rule will be
-incremented.
-.TP
-.BR "-i, --in-interface " "[!] \fIname\fP"
-Name of an interface via which a packet was received (only for
-packets entering the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains). When the "!" argument is used before the interface name, the
-sense is inverted. If the interface name ends in a "+", then any
-interface which begins with this name will match. If this option is
-omitted, any interface name will match.
-.TP
-.BR "-o, --out-interface " "[!] \fIname\fP"
-Name of an interface via which a packet is going to be sent (for packets
-entering the
-.BR FORWARD ,
-.B OUTPUT
-and
-.B POSTROUTING
-chains). When the "!" argument is used before the interface name, the
-sense is inverted. If the interface name ends in a "+", then any
-interface which begins with this name will match. If this option is
-omitted, any interface name will match.
-.TP
-.B "[!] " "-f, --fragment"
-This means that the rule only refers to second and further fragments
-of fragmented packets. Since there is no way to tell the source or
-destination ports of such a packet (or ICMP type), such a packet will
-not match any rules which specify them. When the "!" argument
-precedes the "-f" flag, the rule will only match head fragments, or
-unfragmented packets.
-.TP
-.BI "-c, --set-counters " "PKTS BYTES"
-This enables the administrator to initialize the packet and byte
-counters of a rule (during
-.B INSERT,
-.B APPEND,
-.B REPLACE
-operations).
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-.B "-v, --verbose"
-Verbose output. This option makes the list command show the interface
-name, the rule options (if any), and the TOS masks. The packet and
-byte counters are also listed, with the suffix 'K', 'M' or 'G' for
-1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
-the
-.B -x
-flag to change this).
-For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed.
-.TP
-.B "-n, --numeric"
-Numeric output.
-IP addresses and port numbers will be printed in numeric format.
-By default, the program will try to display them as host names,
-network names, or services (whenever applicable).
-.TP
-.B "-x, --exact"
-Expand numbers.
-Display the exact value of the packet and byte counters,
-instead of only the rounded number in K's (multiples of 1000)
-M's (multiples of 1000K) or G's (multiples of 1000M). This option is
-only relevant for the
-.B -L
-command.
-.TP
-.B "--line-numbers"
-When listing rules, add line numbers to the beginning of each rule,
-corresponding to that rule's position in the chain.
-.TP
-.B "--modprobe=command"
-When adding or inserting rules into a chain, use
-.B command
-to load any necessary modules (targets, match extensions, etc).
-.SH MATCH EXTENSIONS
-iptables can use extended packet matching modules. These are loaded
-in two ways: implicitly, when
-.B -p
-or
-.B --protocol
-is specified, or with the
-.B -m
-or
-.B --match
-options, followed by the matching module name; after these, various
-extra command line options become available, depending on the specific
-module. You can specify multiple extended match modules in one line,
-and you can use the
-.B -h
-or
-.B --help
-options after the module has been specified to receive help specific
-to that module.
-
-The following are included in the base package, and most of these can
-be preceded by a
-.B !
-to invert the sense of the match.
-.\" @MATCH@
-.SS account
-Account traffic for all hosts in defined network/netmask.
-
-Features:
-
-- long (one counter per protocol TCP/UDP/IMCP/Other) and short statistics
-
-- one iptables rule for all hosts in network/netmask
-
-- loading/saving counters (by reading/writting to procfs entries)
-
-.TP
-.BI "--aaddr " "network/netmask"
-defines network/netmask for which make statistics.
-.TP
-.BI "--aname " "name"
-defines name of list where statistics will be kept. If no is
-specified DEFAULT will be used.
-.TP
-.B "--ashort"
-table will colect only short statistics (only total counters
-without splitting it into protocols.
-.P
-Example usage:
-
-account traffic for/to 192.168.0.0/24 network into table mynetwork:
-
-# iptables -A FORWARD -m account --aname mynetwork --aaddr 192.168.0.0/24
-
-account traffic for/to WWW serwer for 192.168.0.0/24 network into table mywwwserver:
-
-# iptables -A INPUT -p tcp --dport 80
- -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
-
-# iptables -A OUTPUT -p tcp --sport 80
- -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
-
-read counters:
-
-# cat /proc/net/ipt_account/mynetwork
-# cat /proc/net/ipt_account/mywwwserver
-
-set counters:
-
-# echo "ip = 192.168.0.1 packets_src = 0" > /proc/net/ipt_account/mywwserver
-
-Webpage:
- http://www.barbara.eu.org/~quaker/ipt_account/
-.SS addrtype
-This module matches packets based on their
-.B address type.
-Address types are used within the kernel networking stack and categorize
-addresses into various groups. The exact definition of that group depends on the specific layer three protocol.
-.TP
-The following address types are possible:
-.TP
-.BI "UNSPEC"
-an unspecified address (i.e. 0.0.0.0)
-.BI "UNICAST"
-an unicast address
-.BI "LOCAL"
-a local address
-.BI "BROADCAST"
-a broadcast address
-.BI "ANYCAST"
-an anycast packet
-.BI "MULTICAST"
-a multicast address
-.BI "BLACKHOLE"
-a blackhole address
-.BI "UNREACHABLE"
-an unreachable address
-.BI "PROHIBIT"
-a prohibited address
-.BI "THROW"
-FIXME
-.BI "NAT"
-FIXME
-.BI "XRESOLVE"
-FIXME
-.TP
-.BI "--src-type " "type"
-Matches if the source address is of given type
-.TP
-.BI "--dst-type " "type"
-Matches if the destination address is of given type
-.SS ah
-This module matches the SPIs in AH header of IPSec packets.
-.TP
-.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
-.SS childlevel
-This is an experimental module. It matches on whether the
-packet is part of a master connection or one of its children (or grandchildren,
-etc). For instance, most packets are level 0. FTP data transfer is level 1.
-.TP
-.BR "--childlevel " "[!] \fIlevel\fP"
-.SS comment
-Allows you to add comments (up to 256 characters) to any rule.
-.TP
-.BI "--comment " "comment"
-.TP
-Example:
-iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"
-.SS condition
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BI "--condition " "[!] filename"
-Match on boolean value stored in /proc/net/ipt_condition/filename file
-.SS connbytes
-Match by how many bytes or packets a connection (or one of the two
-flows constituting the connection) have tranferred so far, or by
-average bytes per packet.
-
-The counters are 64bit and are thus not expected to overflow ;)
-
-The primary use is to detect long-lived downloads and mark them to be
-scheduled using a lower priority band in traffic control.
-
-The transfered bytes per connection can also be viewed through
-/proc/net/ip_conntrack and accessed via ctnetlink
-.TP
-[\fB!\fR]\fB --connbytes \fIfrom\fB:\fR[\fIto\fR]
-match packets from a connection whose packets/bytes/average packet
-size is more than FROM and less than TO bytes/packets. if TO is
-omitted only FROM check is done. "!" is used to match packets not
-falling in the range.
-.TP
-\fB--connbytes-dir\fR [\fBoriginal\fR|\fBreply\fR|\fBboth\fR]
-which packets to consider
-.TP
-\fB--connbytes-mode\fR [\fBpackets\fR|\fBbytes\fR|\fBavgpkt\fR]
-whether to check the amount of packets, number of bytes transferred or
-the average size (in bytes) of all packets received so far. Note that
-when "both" is used together with "avgpkt", and data is going (mainly)
-only in one direction (for example HTTP), the average packet size will
-be about half of the actual data packets.
-.TP
-Example:
-iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
-.SS connlimit
-Allows you to restrict the number of parallel TCP connections to a
-server per client IP address (or address block).
-.TP
-[\fB!\fR] \fB--connlimit-above \fIn\fR
-match if the number of existing tcp connections is (not) above n
-.TP
-.BI "--connlimit-mask " "bits"
-group hosts using mask
-.P
-Examples:
-.TP
-# allow 2 telnet connections per client host
-iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
-.TP
-# you can also match the other way around:
-iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
-.TP
-# limit the nr of parallel http requests to 16 per class C sized \
-network (24 bit netmask)
-iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
---connlimit-mask 24 -j REJECT
-.SS connmark
-This module matches the netfilter mark field associated with a connection
-(which can be set using the
-.B CONNMARK
-target below).
-.TP
-.BI "--mark " "value[/mask]"
-Matches packets in connections with the given mark value (if a mask is
-specified, this is logically ANDed with the mark before the
-comparison).
-.SS connrate
-This module matches the current transfer rate in a connection.
-.TP
-.BI "--connrate " "[!] [\fIfrom\fP]:[\fIto\fP]"
-Match against the current connection transfer rate being within 'from'
-and 'to' bytes per second. When the "!" argument is used before the
-range, the sense of the match is inverted.
-.SS conntrack
-This module, when combined with connection tracking, allows access to
-more connection tracking information than the "state" match.
-(this module is present only if iptables was compiled under a kernel
-supporting this feature)
-.TP
-.BI "--ctstate " "state"
-Where state is a comma separated list of the connection states to
-match. Possible states are
-.B INVALID
-meaning that the packet is associated with no known connection,
-.B ESTABLISHED
-meaning that the packet is associated with a connection which has seen
-packets in both directions,
-.B NEW
-meaning that the packet has started a new connection, or otherwise
-associated with a connection which has not seen packets in both
-directions, and
-.B RELATED
-meaning that the packet is starting a new connection, but is
-associated with an existing connection, such as an FTP data transfer,
-or an ICMP error.
-.B SNAT
-A virtual state, matching if the original source address differs from
-the reply destination.
-.B DNAT
-A virtual state, matching if the original destination differs from the
-reply source.
-.TP
-.BI "--ctproto " "proto"
-Protocol to match (by number or name)
-.TP
-.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against original source address
-.TP
-.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against original destination address
-.TP
-.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against reply source address
-.TP
-.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
-Match against reply destination address
-.TP
-.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
-Match against internal conntrack states
-.TP
-.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
-Match remaining lifetime in seconds against given value
-or range of values (inclusive)
-.SS dscp
-This module matches the 6 bit DSCP field within the TOS field in the
-IP header. DSCP has superseded TOS within the IETF.
-.TP
-.BI "--dscp " "value"
-Match against a numeric (decimal or hex) value [0-32].
-.TP
-.BI "--dscp-class " "\fIDiffServ Class\fP"
-Match the DiffServ class. This value may be any of the
-BE, EF, AFxx or CSx classes. It will then be converted
-into it's according numeric value.
-.SS dstlimit
-This module allows you to limit the packet per second (pps) rate on a per
-destination IP or per destination port base. As opposed to the `limit' match,
-every destination ip / destination port has it's own limit.
-.TP
-.BI "--dstlimit " "avg"
-Maximum average match rate (packets per second unless followed by /sec /minute /hour /day postfixes).
-.TP
-.BI "--dstlimit-mode " "mode"
-The limiting hashmode. Is the specified limit per
-.B dstip, dstip-dstport
-tuple,
-.B srcip-dstip
-tuple, or per
-.B srcipdstip-dstport
-tuple.
-.TP
-.BI "--dstlimit-name " "name"
-Name for /proc/net/ipt_dstlimit/* file entry
-.TP
-.BI "[" "--dstlimit-burst " "burst" "]"
-Number of packets to match in a burst. Default: 5
-.TP
-.BI "[" "--dstlimit-htable-size " "size" "]"
-Number of buckets in the hashtable
-.TP
-.BI "[" "--dstlimit-htable-max " "max" "]"
-Maximum number of entries in the hashtable
-.TP
-.BI "[" "--dstlimit-htable-gcinterval " "interval" "]"
-Interval between garbage collection runs of the hashtable (in miliseconds).
-Default is 1000 (1 second).
-.TP
-.BI "[" "--dstlimit-htable-expire " "time"
-After which time are idle entries expired from hashtable (in miliseconds)?
-Default is 10000 (10 seconds).
-.SS ecn
-This allows you to match the ECN bits of the IPv4 and TCP header. ECN is the Explicit Congestion Notification mechanism as specified in RFC3168
-.TP
-.BI "--ecn-tcp-cwr"
-This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
-.TP
-.BI "--ecn-tcp-ece"
-This matches if the TCP ECN ECE (ECN Echo) bit is set.
-.TP
-.BI "--ecn-ip-ect " "num"
-This matches a particular IPv4 ECT (ECN-Capable Transport). You have to specify
-a number between `0' and `3'.
-.SS esp
-This module matches the SPIs in ESP header of IPSec packets.
-.TP
-.BR "--espspi " "[!] \fIspi\fP[:\fIspi\fP]"
-.SS fuzzy
-This module matches a rate limit based on a fuzzy logic controller [FLC]
-.TP
-.BI "--lower-limit "number"
-Specifies the lower limit (in packets per second).
-.TP
-.BI "--upper-limit " "number"
-Specifies the upper limit (in packets per second).
-.SS hashlimit
-This patch adds a new match called 'hashlimit'.
-The idea is to have something like 'limit', but either per
-destination-ip or per (destip,destport) tuple.
-
-It gives you the ability to express
-.IP
- '1000 packets per second for every host in 192.168.0.0/16'
-.IP
- '100 packets per second for every service of 192.168.1.1'
-.P
-with a single iptables rule.
-.TP
-.BI "--hashlimit " "rate"
-A rate just like the limit match
-.TP
-.BI "--hashlimit-burst " "num"
-Burst value, just like limit match
-.TP
-.BI "--hashlimit-mode " "destip | destip-destport"
-Limit per IP or per port
-.TP
-.BI "--hashlimit-name " "foo"
-The name for the /proc/net/ipt_hashlimit/foo entry
-.TP
-.BI "--hashlimit-htable-size " "num"
-The number of buckets of the hash table
-.TP
-.BI "--hashlimit-htable-max " "num"
-Maximum entries in the hash
-.TP
-.BI "--hashlimit-htable-expire " "num"
-After how many miliseconds do hash entries expire
-.TP
-.BI "--hashlimit-htable-gcinterval " "num"
-How many miliseconds between garbage collection intervals
-.SS helper
-This module matches packets related to a specific conntrack-helper.
-.TP
-.BI "--helper " "string"
-Matches packets related to the specified conntrack-helper.
-.RS
-.PP
-string can be "ftp" for packets related to a ftp-session on default port.
-For other ports append -portnr to the value, ie. "ftp-2121".
-.PP
-Same rules apply for other conntrack-helpers.
-.RE
-.SS icmp
-This extension is loaded if `--protocol icmp' is specified. It
-provides the following option:
-.TP
-.BR "--icmp-type " "[!] \fItypename\fP"
-This allows specification of the ICMP type, which can be a numeric
-ICMP type, or one of the ICMP type names shown by the command
-.nf
- iptables -p icmp -h
-.fi
-.SS iprange
-This matches on a given arbitrary range of IPv4 addresses
-.TP
-.BI "[!]" "--src-range " "ip-ip"
-Match source IP in the specified range.
-.TP
-.BI "[!]" "--dst-range " "ip-ip"
-Match destination IP in the specified range.
-.SS ipv4options
-Match on IPv4 header options like source routing, record route,
-timestamp and router-alert.
-.TP
-.B "--ssrr"
-To match packets with the flag strict source routing.
-.TP
-.B "--lsrr"
-To match packets with the flag loose source routing.
-.TP
-.B "--no-srr"
-To match packets with no flag for source routing.
-.TP
-.B "\fR[\fB!\fR]\fB --rr"
-To match packets with the RR flag.
-.TP
-.B "\fR[\fB!\fR]\fB --ts"
-To match packets with the TS flag.
-.TP
-.B "\fR[\fB!\fR]\fB --ra"
-To match packets with the router-alert option.
-.TP
-.B "\fR[\fB!\fR]\fB --any-opt"
-To match a packet with at least one IP option, or no IP option
-at all if ! is chosen.
-.TP
-Examples:
-.TP
-$ iptables -A input -m ipv4options --rr -j DROP
-will drop packets with the record-route flag.
-.TP
-$ iptables -A input -m ipv4options --ts -j DROP
-will drop packets with the timestamp flag.
-.SS length
-This module matches the length of a packet against a specific value
-or range of values.
-.TP
-.BR "--length " "\fIlength\fP[:\fIlength\fP]"
-.SS limit
-This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used). It can be used in combination with the
-.B LOG
-target to give limited logging, for example.
-.TP
-.BI "--limit " "rate"
-Maximum average matching rate: specified as a number, with an optional
-`/second', `/minute', `/hour', or `/day' suffix; the default is
-3/hour.
-.TP
-.BI "--limit-burst " "number"
-Maximum initial number of packets to match: this number gets
-recharged by one every time the limit specified above is not reached,
-up to this number; the default is 5.
-.SS mac
-.TP
-.BR "--mac-source " "[!] \fIaddress\fP"
-Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
-Note that this only makes sense for packets coming from an Ethernet device
-and entering the
-.BR PREROUTING ,
-.B FORWARD
-or
-.B INPUT
-chains.
-.SS mark
-This module matches the netfilter mark field associated with a packet
-(which can be set using the
-.B MARK
-target below).
-.TP
-.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
-Matches packets with the given unsigned mark value (if a mask is
-specified, this is logically ANDed with the mask before the
-comparison).
-.SS mport
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. It can only be used in conjunction with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
-.SS multiport
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. A port range (port:port) counts as two
-ports. It can only be used in conjunction with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if either the source or destination ports are equal to one of
-the given ports.
-.SS nth
-This module matches every `n'th packet
-.TP
-.BI "--every " "value"
-Match every `value' packet
-.TP
-.BI "[" "--counter " "num" "]"
-Use internal counter number `num'. Default is `0'.
-.TP
-.BI "[" "--start " "num" "]"
-Initialize the counter at the number `num' insetad of `0'. Most between `0'
-and `value'-1.
-.TP
-.BI "[" "--packet " "num" "]"
-Match on `num' packet. Most be between `0' and `value'-1.
-.SS osf
-The idea of passive OS fingerprint matching exists for quite a long time,
-but was created as extension fo OpenBSD pf only some weeks ago.
-Original idea was lurked in some OpenBSD mailing list (thanks
-grange@open...) and than adopted for Linux netfilter in form of this code.
-
-Original fingerprint table was created by Michal Zalewski <lcamtuf@coredump.cx>.
-
-This module compares some data(WS, MSS, options and it's order, ttl,
-df and others) from first SYN packet (actually from packets with SYN
-bit set) with dynamically loaded OS fingerprints.
-.TP
-.B "--log 1/0"
-If present, OSF will log determined genres even if they don't match
-desired one.
-0 - log all determined entries,
-1 - only first one.
-
-In syslog you find something like this:
-.IP
-ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
-.IP
-ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80
-.TP
-.B "--smart"
-if present, OSF will use some smartness to determine remote OS.
-OSF will use initial TTL only if source of connection is in our local network.
-.TP
-.B "--netlink"
-If present, OSF will log all events also through netlink NETLINK_NFLOG groupt 1.
-.TP
-.BI "--genre " "[!] string"
-Match a OS genre by passive fingerprinting
-.P
-Example:
-
-#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart
-
-NOTE: -p tcp is obviously required as it is a TCP match.
-
-Fingerprints can be loaded and read through /proc/sys/net/ipv4/osf file.
-One can flush all fingerprints with following command:
-.IP
-echo -en FLUSH > /proc/sys/net/ipv4/osf
-.P
-Only one fingerprint per open/write/close.
-
-Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
-.SS owner
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMP ping responses) may
-have no owner, and hence never match.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
-.TP
-.BI "--cmd-owner " "name"
-Matches if the packet was created by a process with the given command name.
-(this option is present only if iptables was compiled under a kernel
-supporting this feature)
-.TP
-.B NOTE: pid, sid and command matching are broken on SMP
-.SS physdev
-This module matches on the bridge port input and output devices enslaved
-to a bridge device. This module is a part of the infrastructure that enables
-a transparent bridging IP firewall and is only useful for kernel versions
-above version 2.5.44.
-.TP
-.B --physdev-in name
-Name of a bridge port via which a packet is received (only for
-packets entering the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. If the packet didn't arrive
-through a bridge device, this packet won't match this option, unless '!' is used.
-.TP
-.B --physdev-out name
-Name of a bridge port via which a packet is going to be sent (for packets
-entering the
-.BR FORWARD ,
-.B OUTPUT
-and
-.B POSTROUTING
-chains). If the interface name ends in a "+", then any
-interface which begins with this name will match. Note that in the
-.BR nat " and " mangle
-.B OUTPUT
-chains one cannot match on the bridge output port, however one can in the
-.B "filter OUTPUT"
-chain. If the packet won't leave by a bridge device or it is yet unknown what
-the output device will be, then the packet won't match this option, unless
-'!' is used.
-.TP
-.B --physdev-is-in
-Matches if the packet has entered through a bridge interface.
-.TP
-.B --physdev-is-out
-Matches if the packet will leave through a bridge interface.
-.TP
-.B --physdev-is-bridged
-Matches if the packet is being bridged and therefore is not being routed.
-This is only useful in the FORWARD and POSTROUTING chains.
-.SS pkttype
-This module matches the link-layer packet type.
-.TP
-.BI "--pkt-type " "[\fIunicast\fP|\fIbroadcast\fP|\fImulticast\fP]"
-.SS psd
-Attempt to detect TCP and UDP port scans. This match was derived from
-Solar Designer's scanlogd.
-.TP
-.BI "--psd-weight-threshold " "threshold"
-Total weight of the latest TCP/UDP packets with different
-destination ports coming from the same host to be treated as port
-scan sequence.
-.TP
-.BI "--psd-delay-threshold " "delay"
-Delay (in hundredths of second) for the packets with different
-destination ports coming from the same host to be treated as
-possible port scan subsequence.
-.TP
-.BI "--psd-lo-ports-weight " "weight"
-Weight of the packet with privileged (<=1024) destination port.
-.TP
-.BI "--psd-hi-ports-weight " "weight"
-Weight of the packet with non-priviliged destination port.
-.SS quota
-Implements network quotas by decrementing a byte counter with each
-packet.
-.TP
-.BI "--quota " "bytes"
-The quota in bytes.
-.P
-KNOWN BUGS: this does not work on SMP systems.
-.SS random
-This module randomly matches a certain percentage of all packets.
-.TP
-.BI "--average " "percent"
-Matches the given percentage. If omitted, a probability of 50% is set.
-.SS realm
-This matches the routing realm. Routing realms are used in complex routing
-setups involving dynamic routing protocols like BGP.
-.TP
-.BI "--realm " "[!]" "value[/mask]"
-Matches a given realm number (and optionally mask).
-.SS recent
-Allows you to dynamically create a list of IP addresses and then match
-against that list in a few different ways.
-
-For example, you can create a `badguy' list out of people attempting
-to connect to port 139 on your firewall and then DROP all future
-packets from them without considering them.
-.TP
-.BI "--name " "name"
-Specify the list to use for the commands. If no name is given then 'DEFAULT'
-will be used.
-.TP
-[\fB!\fR] \fB--set\fR
-This will add the source address of the packet to the list. If the
-source address is already in the list, this will update the existing
-entry. This will always return success (or failure if `!' is passed
-in).
-.TP
-[\fB!\fR] \fB--rcheck\fR
-Check if the source address of the packet is currently in
-the list.
-.TP
-[\fB!\fR] \fB--update\fR
-Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
-matches.
-.TP
-[\fB!\fR] \fB--remove\fR
-Check if the source address of the packet is currently in the list and
-if so that address will be removed from the list and the rule will
-return true. If the address is not found, false is returned.
-.TP
-[\fB!\fR] \fB--seconds \fIseconds\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and was seen within the last given
-number of seconds.
-.TP
-[\fB!\fR] \fB--hitcount \fIhits\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and packets had been received greater
-than or equal to the given value. This option may be used along with
-\fB--seconds\fR to create an even narrower match requiring a certain
-number of hits within a specific time frame.
-.TP
-\fB--rttl\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and the TTL of the current packet
-matches that of the packet which hit the \fB--set\fR rule. This may be
-useful if you have problems with people faking their source address in
-order to DoS you via this module by disallowing others access to your
-site by sending bogus packets to you.
-.P
-Examples:
-.IP
-# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
-
-# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
-.P
-Official website (http://snowman.net/projects/ipt_recent/) also has
-some examples of usage.
-
-/proc/net/ipt_recent/* are the current lists of addresses and information
-about each entry of each list.
-
-Each file in /proc/net/ipt_recent/ can be read from to see the current list
-or written two using the following commands to modify the list:
-.TP
-echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Add to the DEFAULT list
-.TP
-echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Remove from the DEFAULT list
-.TP
-echo clear > /proc/net/ipt_recent/DEFAULT
-to empty the DEFAULT list.
-.P
-The module itself accepts parameters, defaults shown:
-.TP
-.BI "ip_list_tot=" "100"
-Number of addresses remembered per table
-.TP
-.BI "ip_pkt_list_tot=" "20"
-Number of packets per address remembered
-.TP
-.BI "ip_list_hash_size=" "0"
-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
-.TP
-.BI "ip_list_perms=" "0644"
-Permissions for /proc/net/ipt_recent/* files
-.TP
-.BI "debug=" "0"
-Set to 1 to get lots of debugging info
-.SS sctp
-.TP
-\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
-.TP
-\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
-.TP
-\fB--chunk-types\fR [\fB!\fR] \fBall\fR|\fBany\fR|\fBonly \fIchunktype\fR[\fB:\fIflags\fR] [...]
-The flag letter in upper case indicates that the flag is to match if set,
-in the lower case indicates to match if unset.
-
-Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK
-
-chunk type available flags
-.br
-DATA U B E u b e
-.br
-ABORT T t
-.br
-SHUTDOWN_COMPLETE T t
-
-(lowercase means flag should be "off", uppercase means "on")
-.P
-Examples:
-
-iptables -A INPUT -p sctp --dport 80 -j DROP
-
-iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP
-
-iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT
-.SS set
-This modules macthes IP sets which can be defined by ipset(8).
-.TP
-.BR "--set " "setname flag[,flag...]"
-where flags are
-.BR "src"
-and/or
-.BR "dst"
-and there can be no more than six of them. Hence the command
-.nf
- iptables -A FORWARD -m set --set test src,dst
-.fi
-will match packets, for which (depending on the type of the set) the source
-address or port number of the packet can be found in the specified set. If
-there is a binding belonging to the mached set element or there is a default
-binding for the given set, then the rule will match the packet only if
-additionally (depending on the type of the set) the destination address or
-port number of the packet can be found in the set according to the binding.
-.SS state
-This module, when combined with connection tracking, allows access to
-the connection tracking state for this packet.
-.TP
-.BI "--state " "state"
-Where state is a comma separated list of the connection states to
-match. Possible states are
-.B INVALID
-meaning that the packet could not be identified for some reason which
-includes running out of memory and ICMP errors which don't correspond to any
-known connection,
-.B ESTABLISHED
-meaning that the packet is associated with a connection which has seen
-packets in both directions,
-.B NEW
-meaning that the packet has started a new connection, or otherwise
-associated with a connection which has not seen packets in both
-directions, and
-.B RELATED
-meaning that the packet is starting a new connection, but is
-associated with an existing connection, such as an FTP data transfer,
-or an ICMP error.
-.SS tcp
-These extensions are loaded if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
-.TP
-.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
-Match TCP SYN or SYN/ACK packets with the specified MSS value (or range),
-which control the maximum packet size for that connection.
-.SS tcpmss
-This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
-.TP
-.BI "[!] "--mss " "value[:value]"
-Match a given TCP MSS value or range.
-.SS time
-This matches if the packet arrival time/date is within a given range. All options are facultative.
-.TP
-.BI " --timestart " "value"
-Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
-.TP
-.BI "--timestop " "value"
-Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
-.TP
-.BI "--days " "listofdays"
-Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
-.TP
-.BI "--datestart " "date"
-Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 1970)
-.TP
-.BI "--datestop " "date"
-Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 2037)
-.SS tos
-This module matches the 8 bits of Type of Service field in the IP
-header (ie. including the precedence bits).
-.TP
-.BI "--tos " "tos"
-The argument is either a standard name, (use
-.br
- iptables -m tos -h
-.br
-to see the list), or a numeric value to match.
-.SS ttl
-This module matches the time to live field in the IP header.
-.TP
-.BI "--ttl-eq " "ttl"
-Matches the given TTL value.
-.TP
-.BI "--ttl-gt " "ttl"
-Matches if TTL is greater than the given TTL value.
-.TP
-.BI "--ttl-lt " "ttl"
-Matches if TTL is less than the given TTL value.
-.SS u32
-U32 allows you to extract quantities of up to 4 bytes from a packet,
-AND them with specified masks, shift them by specified amounts and
-test whether the results are in any of a set of specified ranges.
-The specification of what to extract is general enough to skip over
-headers with lengths stored in the packet, as in IP or TCP header
-lengths.
-
-Details and examples are in the kernel module source.
-.SS udp
-These extensions are loaded if `--protocol udp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification.
-See the description of the
-.B --source-port
-option of the TCP extension for details.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification.
-See the description of the
-.B --destination-port
-option of the TCP extension for details.
-.SS unclean
-This module takes no options, but attempts to match packets which seem
-malformed or unusual. This is regarded as experimental.
-.SH TARGET EXTENSIONS
-iptables can use extended target modules: the following are included
-in the standard distribution.
-.\" @TARGET@
-.SS BALANCE
-This allows you to DNAT connections in a round-robin way over a given range of destination addresses.
-.TP
-.BI "--to-destination " "ipaddr-ipaddr"
-Address range to round-robin over.
-.SS CLASSIFY
-This module allows you to set the skb->priority value (and thus classify the packet into a specific CBQ class).
-.TP
-.BI "--set-class " "MAJOR:MINOR"
-Set the major and minor class value.
-.SS CLUSTERIP
-This module allows you to configure a simple cluster of nodes that share
-a certain IP and MAC address without an explicit load balancer in front of
-them. Connections are statically distributed between the nodes in this
-cluster.
-.TP
-.BI "--new "
-Create a new ClusterIP. You always have to set this on the first rule
-for a given ClusterIP.
-.TP
-.BI "--hashmode " "mode"
-Specify the hashing mode. Has to be one of
-.B sourceip, sourceip-sourceport, sourceip-sourceport-destport
-.TP
-.BI "--clustermac " "mac"
-Specify the ClusterIP MAC address. Has to be a link-layer multicast address
-.TP
-.BI "--total-nodes " "num"
-Number of total nodes within this cluster.
-.TP
-.BI "--local-node " "num"
-Local node number within this cluster.
-.TP
-.BI "--hash-init " "rnd"
-Specify the random seed used for hash initialization.
-.SS CONNMARK
-This module sets the netfilter mark value associated with a connection
-.TP
-.B --set-mark mark[/mask]
-Set connection mark. If a mask is specified then only those bits set in the
-mask is modified.
-.TP
-.B --save-mark [--mask mask]
-Copy the netfilter packet mark value to the connection mark. If a mask
-is specified then only those bits are copied.
-.TP
-.B --restore-mark [--mask mask]
-Copy the connection mark value to the packet. If a mask is specified
-then only those bits are copied. This is only valid in the
-.B mangle
-table.
-.SS DNAT
-This target is only valid in the
-.B nat
-table, in the
-.B PREROUTING
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. It specifies that the destination address of the packet
-should be modified (and all future packets in this connection will
-also be mangled), and rules should cease being examined. It takes one
-type of option:
-.TP
-.BR "--to-destination " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
-which can specify a single new destination IP address, an inclusive
-range of IP addresses, and optionally, a port range (which is only
-valid if the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" ).
-If no port range is specified, then the destination port will never be
-modified.
-.RS
-.PP
-You can add several --to-destination options. If you specify more
-than one destination address, either via an address range or multiple
---to-destination options, a simple round-robin (one after another in
-cycle) load balancing takes place between these adresses.
-.SS DSCP
-This target allows to alter the value of the DSCP bits within the TOS
-header of the IPv4 packet. As this manipulates a packet, it can only
-be used in the mangle table.
-.TP
-.BI "--set-dscp " "value"
-Set the DSCP field to a numerical value (can be decimal or hex)
-.TP
-.BI "--set-dscp-class " "class"
-Set the DSCP field to a DiffServ class.
-.SS ECN
-This target allows to selectively work around known ECN blackholes.
-It can only be used in the mangle table.
-.TP
-.BI "--ecn-tcp-remove"
-Remove all ECN bits from the TCP header. Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-.SS IPMARK
-Allows you to mark a received packet basing on its IP address. This
-can replace many mangle/mark entries with only one, if you use
-firewall based classifier.
-
-This target is to be used inside the mangle table, in the PREROUTING,
-POSTROUTING or FORWARD hooks.
-.TP
-.BI "--addr " "src/dst"
-Use source or destination IP address.
-.TP
-.BI "--and-mask " "mask"
-Perform bitwise `and' on the IP address and this mask.
-.TP
-.BI "--or-mask " "mask"
-Perform bitwise `or' on the IP address and this mask.
-.P
-The order of IP address bytes is reversed to meet "human order of bytes":
-192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
-`or'.
-
-Examples:
-
-We create a queue for each user, the queue number is adequate
-to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
-are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
-
-We have one classifier rule:
-.IP
-tc filter add dev eth3 parent 1:0 protocol ip fw
-.P
-Earlier we had many rules just like below:
-.IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
---set-mark 0x10502
-.IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
---set-mark 0x10503
-.P
-Using IPMARK target we can replace all the mangle/mark rules with only one:
-.IP
-iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
---and-mask=0xffff --or-mask=0x10000
-.P
-On the routers with hundreds of users there should be significant load
-decrease (e.g. twice).
-.SS IPV4OPTSSTRIP
-Strip all the IP options from a packet.
-
-The target doesn't take any option, and therefore is extremly easy to use :
-
-# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
-.SS LOG
-Turn on kernel logging of matching packets. When this option is set
-for a rule, the Linux kernel will print some information on all
-matching packets (like most IP header fields) via the kernel log
-(where it can be read with
-.I dmesg
-or
-.IR syslogd (8)).
-This is a "non-terminating target", i.e. rule traversal continues at
-the next rule. So if you want to LOG the packets you refuse, use two
-separate rules with the same matching criteria, first using target LOG
-then DROP (or REJECT).
-.TP
-.BI "--log-level " "level"
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
-.TP
-.BI "--log-prefix " "prefix"
-Prefix log messages with the specified prefix; up to 29 letters long,
-and useful for distinguishing messages in the logs.
-.TP
-.B --log-tcp-sequence
-Log TCP sequence numbers. This is a security risk if the log is
-readable by users.
-.TP
-.B --log-tcp-options
-Log options from the TCP packet header.
-.TP
-.B --log-ip-options
-Log options from the IP packet header.
-.TP
-.B --log-uid
-Log the userid of the process which generated the packet.
-.SS MARK
-This is used to set the netfilter mark value associated with the
-packet. It is only valid in the
-.B mangle
-table. It can for example be used in conjunction with iproute2.
-.TP
-.BI "--set-mark " "mark"
-.SS MASQUERADE
-This target is only valid in the
-.B nat
-table, in the
-.B POSTROUTING
-chain. It should only be used with dynamically assigned IP (dialup)
-connections: if you have a static IP address, you should use the SNAT
-target. Masquerading is equivalent to specifying a mapping to the IP
-address of the interface the packet is going out, but also has the
-effect that connections are
-.I forgotten
-when the interface goes down. This is the correct behavior when the
-next dialup is unlikely to have the same interface address (and hence
-any established connections are lost anyway). It takes one option:
-.TP
-.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
-This specifies a range of source ports to use, overriding the default
-.B SNAT
-source port-selection heuristics (see above). This is only valid
-if the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" .
-.SS MIRROR
-This is an experimental demonstration target which inverts the source
-and destination fields in the IP header and retransmits the packet.
-It is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B PREROUTING
-chains, and user-defined chains which are only called from those
-chains. Note that the outgoing packets are
-.B NOT
-seen by any packet filtering chains, connection tracking or NAT, to
-avoid loops and other problems.
-.SS NETMAP
-This target allows you to statically map a whole network of addresses onto
-another network of addresses. It can only be used from rules in the
-.B nat
-table.
-.TP
-.BI "--to " "address[/mask]"
-Network address to map to. The resulting address will be constructed in the
-following way: All 'one' bits in the mask are filled in from the new `address'.
-All bits that are zero in the mask are filled in from the original address.
-.SS NOTRACK
-This target disables connection tracking for all packets matching that rule.
-.TP
-It can only be used in the
-.B raw
-table.
-.SS REDIRECT
-This target is only valid in the
-.B nat
-table, in the
-.B PREROUTING
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. It redirects the packet to the machine itself by changing the
-destination IP to the primary address of the incoming interface
-(locally-generated packets are mapped to the 127.0.0.1 address). It
-takes one option:
-.TP
-.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
-This specifies a destination port or range of ports to use: without
-this, the destination port is never altered. This is only valid
-if the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" .
-.SS REJECT
-This is used to send back an error packet in response to the matched
-packet: otherwise it is equivalent to
-.B DROP
-so it is a terminating TARGET, ending rule traversal.
-This target is only valid in the
-.BR INPUT ,
-.B FORWARD
-and
-.B OUTPUT
-chains, and user-defined chains which are only called from those
-chains. The following option controls the nature of the error packet
-returned:
-.TP
-.BI "--reject-with " "type"
-The type given can be
-.nf
-.B " icmp-net-unreachable"
-.B " icmp-host-unreachable"
-.B " icmp-port-unreachable"
-.B " icmp-proto-unreachable"
-.B " icmp-net-prohibited"
-.B " icmp-host-prohibited or"
-.B " icmp-admin-prohibited (*)"
-.fi
-which return the appropriate ICMP error message (\fBport-unreachable\fP is
-the default). The option
-.B tcp-reset
-can be used on rules which only match the TCP protocol: this causes a
-TCP RST packet to be sent back. This is mainly useful for blocking
-.I ident
-(113/tcp) probes which frequently occur when sending mail to broken mail
-hosts (which won't accept your mail otherwise).
-.TP
-(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
-.SS ROUTE
-This is used to explicitly override the core network stack's routing decision.
-.B mangle
-table.
-.TP
-.BI "--oif " "ifname"
-Route the packet through `ifname' network interface
-.TP
-.BI "--iif " "ifname"
-Change the packet's incoming interface to `ifname'
-.TP
-.BI "--gw " "IP_address"
-Route the packet via this gateway
-.TP
-.BI "--continue "
-Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--iif' or `--tee'
-.TP
-.BI "--tee "
-Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--iif' or `--continue'
-.SS SAME
-Similar to SNAT/DNAT depending on chain: it takes a range of addresses
-(`--to 1.2.3.4-1.2.3.7') and gives a client the same
-source-/destination-address for each connection.
-.TP
-.BI "--to " "<ipaddr>-<ipaddr>"
-Addresses to map source to. May be specified more than once for
-multiple ranges.
-.TP
-.B "--nodst"
-Don't use the destination-ip in the calculations when selecting the
-new source-ip
-.SS SET
-This modules adds and/or deletes entries from IP sets which can be defined
-by ipset(8).
-.TP
-.BR "--add-set " "setname flag[,flag...]"
-add the address(es)/port(s) of the packet to the sets
-.TP
-.BR "--del-set " "setname flag[,flag...]"
-delete the address(es)/port(s) of the packet from the sets,
-where flags are
-.BR "src"
-and/or
-.BR "dst"
-and there can be no more than six of them.
-.TP
-The bindings to follow must previously be defined in order to use
-multilevel adding/deleting by the SET target.
-.SS SNAT
-This target is only valid in the
-.B nat
-table, in the
-.B POSTROUTING
-chain. It specifies that the source address of the packet should be
-modified (and all future packets in this connection will also be
-mangled), and rules should cease being examined. It takes one type
-of option:
-.TP
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
-which can specify a single new source IP address, an inclusive range
-of IP addresses, and optionally, a port range (which is only valid if
-the rule also specifies
-.B "-p tcp"
-or
-.BR "-p udp" ).
-If no port range is specified, then source ports below 512 will be
-mapped to other ports below 512: those between 512 and 1023 inclusive
-will be mapped to ports below 1024, and other ports will be mapped to
-1024 or above. Where possible, no port alteration will occur.
-.RS
-.PP
-You can add several --to-source options. If you specify more
-than one source address, either via an address range or multiple
---to-source options, a simple round-robin (one after another in
-cycle) takes place between these adresses.
-.SS TARPIT
-Captures and holds incoming TCP connections using no local
-per-connection resources. Connections are accepted, but immediately
-switched to the persist state (0 byte window), in which the remote
-side stops sending data and asks to continue every 60-240 seconds.
-Attempts to close the connection are ignored, forcing the remote side
-to time out the connection in 12-24 minutes.
-
-This offers similar functionality to LaBrea
-<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
-hardware or IPs. Any TCP port that you would normally DROP or REJECT
-can instead become a tarpit.
-
-To tarpit connections to TCP port 80 destined for the current machine:
-.IP
-iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
-.P
-To significantly slow down Code Red/Nimda-style scans of unused address
-space, forward unused ip addresses to a Linux box not acting as a router
-(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
-forwarding on the Linux box, and add:
-.IP
-iptables -A FORWARD -p tcp -j TARPIT
-.IP
-iptables -A FORWARD -j DROP
-.TP
-NOTE:
-If you use the conntrack module while you are using TARPIT, you should
-also use the NOTRACK target, or the kernel will unnecessarily allocate
-resources for each TARPITted connection. To TARPIT incoming
-connections to the standard IRC port while using conntrack, you could:
-.IP
-iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
-.IP
-iptables -A INPUT -p tcp --dport 6667 -j TARPIT
-.SS TCPMSS
-This target allows to alter the MSS value of TCP SYN packets, to control
-the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 40). Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-.br
-This target is used to overcome criminally braindead ISPs or servers
-which block ICMP Fragmentation Needed packets. The symptoms of this
-problem are that everything works fine from your Linux
-firewall/router, but machines behind it can never exchange large
-packets:
-.PD 0
-.RS 0.1i
-.TP 0.3i
-1)
-Web browsers connect, then hang with no data received.
-.TP
-2)
-Small mail works fine, but large emails hang.
-.TP
-3)
-ssh works fine, but scp hangs after initial handshaking.
-.RE
-.PD
-Workaround: activate this option and add a rule to your firewall
-configuration like:
-.nf
- iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
- -j TCPMSS --clamp-mss-to-pmtu
-.fi
-.TP
-.BI "--set-mss " "value"
-Explicitly set MSS option to specified value.
-.TP
-.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 40).
-.TP
-These options are mutually exclusive.
-.SS TOS
-This is used to set the 8-bit Type of Service field in the IP header.
-It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--set-tos " "tos"
-You can use a numeric TOS values, or use
-.nf
- iptables -j TOS -h
-.fi
-to see the list of valid TOS names.
-.SS TRACE
-This target has no options. It just turns on
-.B packet tracing
-for all packets that match this rule.
-.SS TTL
-This is used to modify the IPv4 TTL header field. The TTL field determines
-how many hops (routers) a packet can traverse until it's time to live is
-exceeded.
-.TP
-Setting or incrementing the TTL field can potentially be very dangerous,
-so it should be avoided at any cost.
-.TP
-.B Don't ever set or increment the value on packets that leave your local network!
-.B mangle
-table.
-.TP
-.BI "--ttl-set " "value"
-Set the TTL value to `value'.
-.TP
-.BI "--ttl-dec " "value"
-Decrement the TTL value `value' times.
-.TP
-.BI "--ttl-inc " "value"
-Increment the TTL value `value' times.
-.SS ULOG
-This target provides userspace logging of matching packets. When this
-target is set for a rule, the Linux kernel will multicast this packet
-through a
-.IR netlink
-socket. One or more userspace processes may then subscribe to various
-multicast groups and receive the packets.
-Like LOG, this is a "non-terminating target", i.e. rule traversal
-continues at the next rule.
-.TP
-.BI "--ulog-nlgroup " "nlgroup"
-This specifies the netlink group (1-32) to which the packet is sent.
-Default value is 1.
-.TP
-.BI "--ulog-prefix " "prefix"
-Prefix log messages with the specified prefix; up to 32 characters
-long, and useful for distinguishing messages in the logs.
-.TP
-.BI "--ulog-cprange " "size"
-Number of bytes to be copied to userspace. A value of 0 always copies
-the entire packet, regardless of its size. Default is 0.
-.TP
-.BI "--ulog-qthreshold " "size"
-Number of packet to queue inside kernel. Setting this value to, e.g. 10
-accumulates ten packets inside the kernel and transmits them as one
-netlink multipart message to userspace. Default is 1 (for backwards
-compatibility).
-.br
-.SS XOR
-Encrypt TCP and UDP traffic using a simple XOR encryption
-.TP
-.BI "--key " "string"
-Set key to "string"
-.TP
-.BI "--block-size"
-Set block size
-.SH DIAGNOSTICS
-Various error messages are printed to standard error. The exit code
-is 0 for correct functioning. Errors which appear to be caused by
-invalid or abused command line parameters cause an exit code of 2, and
-other errors cause an exit code of 1.
-.SH BUGS
-Bugs? What's this? ;-)
-Well, you might want to have a look at http://bugzilla.netfilter.org/
-.SH COMPATIBILITY WITH IPCHAINS
-This
-.B iptables
-is very similar to ipchains by Rusty Russell. The main difference is
-that the chains
-.B INPUT
-and
-.B OUTPUT
-are only traversed for packets coming into the local host and
-originating from the local host respectively. Hence every packet only
-passes through one of the three chains (except loopback traffic, which
-involves both INPUT and OUTPUT chains); previously a forwarded packet
-would pass through all three.
-.PP
-The other main difference is that
-.B -i
-refers to the input interface;
-.B -o
-refers to the output interface, and both are available for packets
-entering the
-.B FORWARD
-chain.
-.PP The various forms of NAT have been separated out;
-.B iptables
-is a pure packet filter when using the default `filter' table, with
-optional extension modules. This should simplify much of the previous
-confusion over the combination of IP masquerading and packet filtering
-seen previously. So the following options are handled differently:
-.nf
- -j MASQ
- -M -S
- -M -L
-.fi
-There are several other changes in iptables.
-.SH SEE ALSO
-.BR iptables-save (8),
-.BR iptables-restore (8),
-.BR ip6tables (8),
-.BR ip6tables-save (8),
-.BR ip6tables-restore (8).
-.P
-The packet-filtering-HOWTO details iptables usage for
-packet filtering, the NAT-HOWTO details NAT,
-the netfilter-extensions-HOWTO details the extensions that are
-not in the standard distribution,
-and the netfilter-hacking-HOWTO details the netfilter internals.
-.br
-See
-.BR "http://www.netfilter.org/" .
-.SH AUTHORS
-Rusty Russell wrote iptables, in early consultation with Michael
-Neuling.
-.PP
-Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
-selection framework in iptables, then wrote the mangle table, the owner match,
-the mark stuff, and ran around doing cool stuff everywhere.
-.PP
-James Morris wrote the TOS target, and tos match.
-.PP
-Jozsef Kadlecsik wrote the REJECT target.
-.PP
-Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.
-.PP
-The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
-Patrick McHardy, James Morris, Harald Welte and Rusty Russell.
-.PP
-Man page written by Herve Eychenne <rv@wallfire.org>.
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
+++ /dev/null
-#!/bin/sh
-#
-# iptables Start iptables firewall
-#
-# chkconfig: 2345 08 92
-# description: Starts, stops and saves iptables firewall
-#
-# config: /etc/sysconfig/iptables
-# config: /etc/sysconfig/iptables-config
-
-# Source function library.
-. /etc/init.d/functions
-
-IPTABLES=iptables
-IPTABLES_DATA=/etc/sysconfig/$IPTABLES
-IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
-IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
-PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
-VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
-
-if [ ! -x /sbin/$IPTABLES ]; then
- echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
- exit 0
-fi
-
-if lsmod 2>/dev/null | grep -q ipchains ; then
- echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
- exit 0
-fi
-
-# Old or new modutils
-/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
- && NEW_MODUTILS=1 \
- || NEW_MODUTILS=0
-
-# Default firewall configuration:
-IPTABLES_MODULES=""
-IPTABLES_MODULES_UNLOAD="yes"
-IPTABLES_SAVE_ON_STOP="no"
-IPTABLES_SAVE_ON_RESTART="no"
-IPTABLES_SAVE_COUNTER="no"
-IPTABLES_STATUS_NUMERIC="no"
-
-# Load firewall configuration.
-[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
-
-rmmod_r() {
- # Unload module with all referring modules.
- # At first all referring modules will be unloaded, then the module itself.
- local mod=$1
- local ret=0
- local ref=
-
- # Get referring modules.
- # New modutils have another output format.
- [ $NEW_MODUTILS = 1 ] \
- && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
- || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
-
- # recursive call for all referring modules
- for i in $ref; do
- rmmod_r $i
- let ret+=$?;
- done
-
- # Unload module.
- # The extra test is for 2.6: The module might have autocleaned,
- # after all referring modules are unloaded.
- if grep -q "^${mod}" /proc/modules ; then
- modprobe -r $mod > /dev/null 2>&1
- let ret+=$?;
- fi
-
- return $ret
-}
-
-flush_n_delete() {
- # Flush firewall rules and delete chains.
- [ -e "$PROC_IPTABLES_NAMES" ] || return 1
-
- # Check if firewall is configured (has tables)
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
- [ -z "$tables" ] && return 1
-
- echo -n $"Flushing firewall rules: "
- ret=0
- # For all tables
- for i in $tables; do
- # Flush firewall rules.
- $IPTABLES -t $i -F;
- let ret+=$?;
-
- # Delete firewall chains.
- $IPTABLES -t $i -X;
- let ret+=$?;
-
- # Set counter to zero.
- $IPTABLES -t $i -Z;
- let ret+=$?;
- done
-
- [ $ret -eq 0 ] && success || failure
- echo
- return $ret
-}
-
-set_policy() {
- # Set policy for configured tables.
- policy=$1
-
- # Check if iptable module is loaded
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
-
- # Check if firewall is configured (has tables)
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
- [ -z "$tables" ] && return 1
-
- echo -n $"Setting chains to policy $policy: "
- ret=0
- for i in $tables; do
- echo -n "$i "
- case "$i" in
- filter)
- $IPTABLES -t filter -P INPUT $policy \
- && $IPTABLES -t filter -P OUTPUT $policy \
- && $IPTABLES -t filter -P FORWARD $policy \
- || let ret+=1
- ;;
- nat)
- $IPTABLES -t nat -P PREROUTING $policy \
- && $IPTABLES -t nat -P POSTROUTING $policy \
- && $IPTABLES -t nat -P OUTPUT $policy \
- || let ret+=1
- ;;
- mangle)
- $IPTABLES -t mangle -P PREROUTING $policy \
- && $IPTABLES -t mangle -P POSTROUTING $policy \
- && $IPTABLES -t mangle -P INPUT $policy \
- && $IPTABLES -t mangle -P OUTPUT $policy \
- && $IPTABLES -t mangle -P FORWARD $policy \
- || let ret+=1
- ;;
- *)
- let ret+=1
- ;;
- esac
- done
-
- [ $ret -eq 0 ] && success || failure
- echo
- return $ret
-}
-
-start() {
- # Do not start if there is no config file.
- [ -f "$IPTABLES_DATA" ] || return 1
-
- echo -n $"Applying $IPTABLES firewall rules: "
-
- OPT=
- [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
-
- $IPTABLES-restore $OPT $IPTABLES_DATA
- if [ $? -eq 0 ]; then
- success; echo
- else
- failure; echo; return 1
- fi
-
- # Load additional modules (helpers)
- if [ -n "$IPTABLES_MODULES" ]; then
- echo -n $"Loading additional $IPTABLES modules: "
- ret=0
- for mod in $IPTABLES_MODULES; do
- echo -n "$mod "
- modprobe $mod > /dev/null 2>&1
- let ret+=$?;
- done
- [ $ret -eq 0 ] && success || failure
- echo
- fi
-
- touch $VAR_SUBSYS_IPTABLES
- return $ret
-}
-
-stop() {
- # Do not stop if iptables module is not loaded.
- [ -e "$PROC_IPTABLES_NAMES" ] || return 1
-
- flush_n_delete
- set_policy ACCEPT
-
- if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
- echo -n $"Unloading $IPTABLES modules: "
- ret=0
- rmmod_r ${IPV}_tables
- let ret+=$?;
- rmmod_r ${IPV}_conntrack
- let ret+=$?;
- [ $ret -eq 0 ] && success || failure
- echo
- fi
-
- rm -f $VAR_SUBSYS_IPTABLES
- return $ret
-}
-
-save() {
- # Check if iptable module is loaded
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
-
- # Check if firewall is configured (has tables)
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
- [ -z "$tables" ] && return 1
-
- echo -n $"Saving firewall rules to $IPTABLES_DATA: "
-
- OPT=
- [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
-
- ret=0
- TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
- && chmod 600 "$TMP_FILE" \
- && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
- && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
- || ret=1
- if [ $ret -eq 0 ]; then
- if [ -e $IPTABLES_DATA ]; then
- cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
- && chmod 600 $IPTABLES_DATA.save \
- || ret=1
- fi
- if [ $ret -eq 0 ]; then
- cp -f $TMP_FILE $IPTABLES_DATA \
- && chmod 600 $IPTABLES_DATA \
- || ret=1
- fi
- fi
- [ $ret -eq 0 ] && success || failure
- echo
- rm -f $TMP_FILE
- return $ret
-}
-
-status() {
- # Do not print status if lockfile is missing and iptables modules are not
- # loaded.
- # Check if iptable module is loaded
- if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
- echo $"Firewall is stopped."
- return 1
- fi
-
- # Check if firewall is configured (has tables)
- if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
- echo $"Firewall is not configured. "
- return 1
- fi
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
- if [ -z "$tables" ]; then
- echo $"Firewall is not configured. "
- return 1
- fi
-
- NUM=
- [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
-
- for table in $tables; do
- echo $"Table: $table"
- $IPTABLES -t $table --list $NUM && echo
- done
-
- return 0
-}
-
-restart() {
- [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
- stop
- start
-}
-
-case "$1" in
- start)
- stop
- start
- RETVAL=$?
- ;;
- stop)
- [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
- stop
- RETVAL=$?
- ;;
- restart)
- restart
- RETVAL=$?
- ;;
- condrestart)
- [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
- ;;
- status)
- status
- RETVAL=$?
- ;;
- panic)
- flush_n_delete
- set_policy DROP
- RETVAL=$?
- ;;
- save)
- save
- RETVAL=$?
- ;;
- *)
- echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
- exit 1
- ;;
-esac
-
-exit $RETVAL
+++ /dev/null
-%define name iptables
-%define version 1.3.2
-%define release 20050720.1%{?pldistro:.%{pldistro}}%{?date:.%{date}}
-
-Vendor: PlanetLab
-Packager: PlanetLab Central <support@planet-lab.org>
-Distribution: PlanetLab 3.0
-URL: http://cvs.planet-lab.org/cvs/iptables
-
-%define build_devel 1
-%define linux_header 0
-
-Name: %{name}
-Summary: Tools for managing Linux kernel packet filtering capabilities.
-Version: %{version}
-Release: %{release}
-Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2
-%define SOURCE1 iptables.init
-%define SOURCE2 iptables-config
-Group: System Environment/Base
-#URL: http://www.netfilter.org/
-BuildRoot: %{_tmppath}/%{name}-buildroot
-License: GPL
-BuildPrereq: /usr/bin/perl
-Requires: kernel >= 2.4.20
-Requires(post,postun): chkconfig
-Prefix: %{_prefix}
-
-%package ipv6
-Summary: IPv6 support for iptables.
-Group: System Environment/Base
-Requires: %{name} = %{version}
-
-%if %{build_devel}
-%package devel
-Summary: Development package for iptables.
-Group: System Environment/Base
-Requires: %{name} = %{version}
-%endif
-
-%description
-The iptables utility controls the network packet filtering code in the
-Linux kernel. If you need to set up firewalls and/or IP masquerading,
-you should install this package.
-
-%description ipv6
-The iptables package contains IPv6 (the next version of the IP
-protocol) support for iptables. Iptables controls the Linux kernel
-network packet filtering code, allowing you to set up firewalls and IP
-masquerading.
-
-Install iptables-ipv6 if you need to set up firewalling for your
-network and you are using ipv6.
-
-%if %{build_devel}
-%description devel
-The iptables utility controls the network packet filtering code in the
-Linux kernel. If you need to set up firewalls and/or IP masquerading,
-you should install this package.
-%endif
-
-%prep
-rm -rf %{buildroot}
-
-%setup -q
-
-# Put it to a reasonable place
-find . -type f -exec perl -pi -e "s,/usr,%{prefix},g" {} \;
-
-%build
-TOPDIR=`pwd`
-OPT="$RPM_OPT_FLAGS -I$TOPDIR/include"
-# bootstrap to avoid BuildRequires of kernel-source
-for KERNEL_DIR in $RPM_BUILD_DIR/linux-* /lib/modules/`uname -r`/build /usr ; do
- if [ -f $KERNEL_DIR/include/linux/version.h ] ; then
- break
- fi
-done
-make COPT_FLAGS="$OPT" KERNEL_DIR=$KERNEL_DIR LIBDIR=/%{_lib}
-make COPT_FLAGS="$OPT" KERNEL_DIR=$KERNEL_DIR LIBDIR=/%{_lib} iptables-save iptables-restore
-make COPT_FLAGS="$OPT" KERNEL_DIR=$KERNEL_DIR LIBDIR=/%{_lib} ip6tables-save ip6tables-restore
-
-%install
-# bootstrap to avoid BuildRequires of kernel-source
-for KERNEL_DIR in $RPM_BUILD_DIR/linux-* /lib/modules/`uname -r`/build /usr ; do
- if [ -f $KERNEL_DIR/include/linux/version.h ] ; then
- break
- fi
-done
-make install DESTDIR=%{buildroot} KERNEL_DIR=$KERNEL_DIR BINDIR=/sbin LIBDIR=/%{_lib} MANDIR=%{_mandir}
-%if %{build_devel}
-make install-devel DESTDIR=%{buildroot} KERNEL_DIR=$KERNEL_DIR BINDIR=/sbin LIBDIR=%{_libdir} MANDIR=%{_mandir} INCDIR=%{_includedir}
-%endif
-cp ip{6,}tables-{save,restore} $RPM_BUILD_ROOT/sbin
-cp iptables-*.8 $RPM_BUILD_ROOT%{_mandir}/man8
-mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
-install -c -m755 %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/iptables
-sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init
-install -c -m755 ip6tables.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ip6tables
-mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
-install -c -m755 %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/iptables-config
-sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config
-install -c -m755 ip6tables-config $RPM_BUILD_ROOT/etc/sysconfig/ip6tables-config
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-/sbin/chkconfig --add iptables
-
-%preun
-if [ "$1" = 0 ]; then
- /sbin/chkconfig --del iptables
-fi
-
-%post ipv6
-/sbin/chkconfig --add ip6tables
-
-%preun ipv6
-if [ "$1" = 0 ]; then
- /sbin/chkconfig --del ip6tables
-fi
-
-%files
-%defattr(-,root,root,0755)
-%doc COPYING INSTALL INCOMPATIBILITIES
-%config %attr(0755,root,root) /etc/rc.d/init.d/iptables
-%config(noreplace) %attr(0600,root,root) /etc/sysconfig/iptables-config
-/sbin/iptables*
-%{_mandir}/man8/iptables*
-%dir /%{_lib}/iptables
-/%{_lib}/iptables/libipt*
-/sbin/ipset*
-%{_mandir}/man8/ipset*
-%dir /%{_lib}/ipset
-/%{_lib}/ipset/libipset*
-
-%files ipv6
-%defattr(-,root,root,0755)
-%config %attr(0755,root,root) /etc/rc.d/init.d/ip6tables
-%config(noreplace) %attr(0600,root,root) /etc/sysconfig/ip6tables-config
-/sbin/ip6tables*
-%{_mandir}/man8/ip6tables*
-/%{_lib}/iptables/libip6t*
-
-%if %{build_devel}
-%files devel
-%defattr(-,root,root,0755)
-%{_includedir}/libipq.h
-%{_libdir}/libipq.a
-%{_libdir}/libiptc.a
-%{_mandir}/man3/*
-%endif
-
-%changelog
-* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
-- rebuilt
-
-* Thu Feb 26 2004 Thomas Woerner <twoerner@redhat.com> 1.2.9-2.3
-- fixed iptables-restore -c fault if there are no counters (#116421)
-
-* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
-- rebuilt
-
-* Sun Jan 25 2004 Dan Walsh <dwalsh@redhat.com> 1.2.9-1.2
-- Close File descriptors to prevent SELinux error message
-
-* Wed Jan 7 2004 Thomas Woerner <twoerner@redhat.com> 1.2.9-1.1
-- rebuild
-
-* Wed Dec 17 2003 Thomas Woerner <twoerner@redhat.com> 1.2.9-1
-- vew version 1.2.9
-- new config options in ipXtables-config:
- IPTABLES_MODULES_UNLOAD
-- more documentation in ipXtables-config
-- fix for netlink security issue in libipq (devel package)
-- print fix for libipt_icmp (#109546)
-
-* Thu Oct 23 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-13
-- marked all messages in iptables init script for translation (#107462)
-- enabled devel package (#105884, #106101)
-- bumped build for fedora for libipt_recent.so (#106002)
-
-* Tue Sep 23 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-12.1
-- fixed lost udp port range in ip6tables-save (#104484)
-- fixed non numeric multiport port output in ipXtables-savs
-
-* Mon Sep 22 2003 Florian La Roche <Florian.LaRoche@redhat.de> 1.2.8-11
-- do not link against -lnsl
-
-* Wed Sep 17 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-10
-- made variables in rmmod_r local
-
-* Tue Jul 22 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-9
-- fixed permission for init script
-
-* Sat Jul 19 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-8
-- fixed save when iptables file is missing and iptables-config permissions
-
-* Tue Jul 8 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-7
-- fixes for ip6tables: module unloading, setting policy only for existing
- tables
-
-* Thu Jul 3 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-6
-- IPTABLES_SAVE_COUNTER defaults to no, now
-- install config file in /etc/sysconfig
-- exchange unload of ip_tables and ip_conntrack
-- fixed start function
-
-* Wed Jul 2 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-5
-- new config option IPTABLES_SAVE_ON_RESTART
-- init script: new status, save and restart
-- fixes #44905, #65389, #80785, #82860, #91040, #91560 and #91374
-
-* Mon Jun 30 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-4
-- new config option IPTABLES_STATUS_NUMERIC
-- cleared IPTABLES_MODULES in iptables-config
-
-* Mon Jun 30 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-3
-- new init scripts
-
-* Sat Jun 28 2003 Florian La Roche <Florian.LaRoche@redhat.de>
-- remove check for very old kernel versions in init scripts
-- sync up both init scripts and remove some further ugly things
-- add some docu into rpm
-
-* Thu Jun 26 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-2
-- rebuild
-
-* Mon Jun 16 2003 Thomas Woerner <twoerner@redhat.com> 1.2.8-1
-- update to 1.2.8
-
-* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
-- rebuilt
-
-* Mon Jan 13 2003 Bill Nottingham <notting@redhat.com> 1.2.7a-1
-- update to 1.2.7a
-- add a plethora of bugfixes courtesy Michael Schwendt <mschewndt@yahoo.com>
-
-* Fri Dec 13 2002 Elliot Lee <sopwith@redhat.com> 1.2.6a-3
-- Fix multilib
-
-* Wed Aug 07 2002 Karsten Hopp <karsten@redhat.de>
-- fixed iptables and ip6tables initscript output, based on #70511
-- check return status of all iptables calls, not just the last one
- in a 'for' loop.
-
-* Mon Jul 29 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.6a-1
-- 1.2.6a (bugfix release, #69747)
-
-* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
-- automated rebuild
-
-* Thu May 23 2002 Tim Powers <timp@redhat.com>
-- automated rebuild
-
-* Mon Mar 4 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.5-3
-- Add some fixes from CVS, fixing bug #60465
-
-* Tue Feb 12 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.5-2
-- Merge ip6tables improvements from Ian Prowell <iprowell@prowell.org>
- #59402
-- Update URL (#59354)
-- Use /sbin/chkconfig rather than chkconfig in %postun script
-
-* Fri Jan 11 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.5-1
-- 1.2.5
-
-* Wed Jan 09 2002 Tim Powers <timp@redhat.com>
-- automated rebuild
-
-* Mon Nov 5 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.4-2
-- Fix %preun script
-
-* Tue Oct 30 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.4-1
-- Update to 1.2.4 (various fixes, including security fixes; among others:
- #42990, #50500, #53325, #54280)
-- Fix init script (#31133)
-
-* Mon Sep 3 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.3-1
-- 1.2.3 (5 security fixes, some other fixes)
-- Fix updating (#53032)
-
-* Mon Aug 27 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.2-4
-- Fix #50990
-- Add some fixes from current CVS; should fix #52620
-
-* Mon Jul 16 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.2-3
-- Add some fixes from the current CVS tree; fixes #49154 and some IPv6
- issues
-
-* Tue Jun 26 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.2-2
-- Fix iptables-save reject-with (#45632), Patch from Michael Schwendt
- <mschwendt@yahoo.com>
-
-* Tue May 8 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.2.2-1
-- 1.2.2
-
-* Wed Mar 21 2001 Bernhard Rosenkraenzer <bero@redhat.com>
-- 1.2.1a, fixes #28412, #31136, #31460, #31133
-
-* Thu Mar 1 2001 Bernhard Rosenkraenzer <bero@redhat.com>
-- Yet another initscript fix (#30173)
-- Fix the fixes; they fixed some issues but broke more important
- stuff :/ (#30176)
-
-* Tue Feb 27 2001 Bernhard Rosenkraenzer <bero@redhat.com>
-- Fix up initscript (#27962)
-- Add fixes from CVS to iptables-{restore,save}, fixing #28412
-
-* Fri Feb 09 2001 Karsten Hopp <karsten@redhat.de>
-- create /etc/sysconfig/iptables mode 600 (same problem as #24245)
-
-* Mon Feb 05 2001 Karsten Hopp <karsten@redhat.de>
-- fix bugzilla #25986 (initscript not marked as config file)
-- fix bugzilla #25962 (iptables-restore)
-- mv chkconfig --del from postun to preun
-
-* Thu Feb 1 2001 Trond Eivind Glomsrød <teg@redhat.com>
-- Fix check for ipchains
-
-* Mon Jan 29 2001 Bernhard Rosenkraenzer <bero@redhat.com>
-- Some fixes to init scripts
-
-* Wed Jan 24 2001 Bernhard Rosenkraenzer <bero@redhat.com>
-- Add some fixes from CVS, fixes among other things Bug #24732
-
-* Wed Jan 17 2001 Bernhard Rosenkraenzer <bero@redhat.com>
-- Add missing man pages, fix up init script (Bug #17676)
-
-* Mon Jan 15 2001 Bill Nottingham <notting@redhat.com>
-- add init script
-
-* Mon Jan 15 2001 Bernhard Rosenkraenzer <bero@redhat.com>
-- 1.2
-- fix up ipv6 split
-- add init script
-- Move the plugins from /usr/lib/iptables to /lib/iptables.
- This needs to work before /usr is mounted...
-- Use -O1 on alpha (compiler bug)
-
-* Sat Jan 6 2001 Bernhard Rosenkraenzer <bero@redhat.com>
-- 1.1.2
-- Add IPv6 support (in separate package)
-
-* Thu Aug 17 2000 Bill Nottingham <notting@redhat.com>
-- build everywhere
-
-* Tue Jul 25 2000 Bernhard Rosenkraenzer <bero@redhat.com>
-- 1.1.1
-
-* Thu Jul 13 2000 Prospector <bugzilla@redhat.com>
-- automatic rebuild
-
-* Tue Jun 27 2000 Preston Brown <pbrown@redhat.com>
-- move iptables to /sbin.
-- excludearch alpha for now, not building there because of compiler bug(?)
-
-* Fri Jun 9 2000 Bill Nottingham <notting@redhat.com>
-- don't obsolete ipchains either
-- update to 1.1.0
-
-* Mon Jun 4 2000 Bill Nottingham <notting@redhat.com>
-- remove explicit kernel requirement
-
-* Tue May 2 2000 Bernhard Rosenkränzer <bero@redhat.com>
-- initial package
+++ /dev/null
-/* Library which manipulates firewall rules. Version 0.1. */
-
-/* Architecture of firewall rules is as follows:
- *
- * Chains go INPUT, FORWARD, OUTPUT then user chains.
- * Each user chain starts with an ERROR node.
- * Every chain ends with an unconditional jump: a RETURN for user chains,
- * and a POLICY for built-ins.
- */
-
-/* (C)1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
- COPYING for details). */
-
-#include <assert.h>
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <arpa/inet.h>
-
-#ifdef DEBUG_CONNTRACK
-#define inline
-#endif
-
-#if !defined(__GLIBC__) || (__GLIBC__ < 2)
-typedef unsigned int socklen_t;
-#endif
-
-#include "libiptc/libip6tc.h"
-
-#define HOOK_PRE_ROUTING NF_IP6_PRE_ROUTING
-#define HOOK_LOCAL_IN NF_IP6_LOCAL_IN
-#define HOOK_FORWARD NF_IP6_FORWARD
-#define HOOK_LOCAL_OUT NF_IP6_LOCAL_OUT
-#define HOOK_POST_ROUTING NF_IP6_POST_ROUTING
-
-#define STRUCT_ENTRY_TARGET struct ip6t_entry_target
-#define STRUCT_ENTRY struct ip6t_entry
-#define STRUCT_ENTRY_MATCH struct ip6t_entry_match
-#define STRUCT_GETINFO struct ip6t_getinfo
-#define STRUCT_GET_ENTRIES struct ip6t_get_entries
-#define STRUCT_COUNTERS struct ip6t_counters
-#define STRUCT_COUNTERS_INFO struct ip6t_counters_info
-#define STRUCT_STANDARD_TARGET struct ip6t_standard_target
-#define STRUCT_REPLACE struct ip6t_replace
-
-#define STRUCT_TC_HANDLE struct ip6tc_handle
-#define TC_HANDLE_T ip6tc_handle_t
-
-#define ENTRY_ITERATE IP6T_ENTRY_ITERATE
-#define TABLE_MAXNAMELEN IP6T_TABLE_MAXNAMELEN
-#define FUNCTION_MAXNAMELEN IP6T_FUNCTION_MAXNAMELEN
-
-#define GET_TARGET ip6t_get_target
-
-#define ERROR_TARGET IP6T_ERROR_TARGET
-#define NUMHOOKS NF_IP6_NUMHOOKS
-
-#define IPT_CHAINLABEL ip6t_chainlabel
-
-#define TC_DUMP_ENTRIES dump_entries6
-#define TC_IS_CHAIN ip6tc_is_chain
-#define TC_FIRST_CHAIN ip6tc_first_chain
-#define TC_NEXT_CHAIN ip6tc_next_chain
-#define TC_FIRST_RULE ip6tc_first_rule
-#define TC_NEXT_RULE ip6tc_next_rule
-#define TC_GET_TARGET ip6tc_get_target
-#define TC_BUILTIN ip6tc_builtin
-#define TC_GET_POLICY ip6tc_get_policy
-#define TC_INSERT_ENTRY ip6tc_insert_entry
-#define TC_REPLACE_ENTRY ip6tc_replace_entry
-#define TC_APPEND_ENTRY ip6tc_append_entry
-#define TC_DELETE_ENTRY ip6tc_delete_entry
-#define TC_DELETE_NUM_ENTRY ip6tc_delete_num_entry
-#define TC_CHECK_PACKET ip6tc_check_packet
-#define TC_FLUSH_ENTRIES ip6tc_flush_entries
-#define TC_ZERO_ENTRIES ip6tc_zero_entries
-#define TC_ZERO_COUNTER ip6tc_zero_counter
-#define TC_READ_COUNTER ip6tc_read_counter
-#define TC_SET_COUNTER ip6tc_set_counter
-#define TC_CREATE_CHAIN ip6tc_create_chain
-#define TC_GET_REFERENCES ip6tc_get_references
-#define TC_DELETE_CHAIN ip6tc_delete_chain
-#define TC_RENAME_CHAIN ip6tc_rename_chain
-#define TC_SET_POLICY ip6tc_set_policy
-#define TC_GET_RAW_SOCKET ip6tc_get_raw_socket
-#define TC_INIT ip6tc_init
-#define TC_FREE ip6tc_free
-#define TC_COMMIT ip6tc_commit
-#define TC_STRERROR ip6tc_strerror
-
-#define TC_AF AF_INET6
-#define TC_IPPROTO IPPROTO_IPV6
-
-#define SO_SET_REPLACE IP6T_SO_SET_REPLACE
-#define SO_SET_ADD_COUNTERS IP6T_SO_SET_ADD_COUNTERS
-#define SO_GET_INFO IP6T_SO_GET_INFO
-#define SO_GET_ENTRIES IP6T_SO_GET_ENTRIES
-#define SO_GET_VERSION IP6T_SO_GET_VERSION
-
-#define STANDARD_TARGET IP6T_STANDARD_TARGET
-#define LABEL_RETURN IP6TC_LABEL_RETURN
-#define LABEL_ACCEPT IP6TC_LABEL_ACCEPT
-#define LABEL_DROP IP6TC_LABEL_DROP
-#define LABEL_QUEUE IP6TC_LABEL_QUEUE
-
-#define ALIGN IP6T_ALIGN
-#define RETURN IP6T_RETURN
-
-#include "libiptc.c"
-
-#define BIT6(a, l) \
- ((ntohl(a->in6_u.u6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
-
-int
-ipv6_prefix_length(const struct in6_addr *a)
-{
- int l, i;
- for (l = 0; l < 128; l++) {
- if (BIT6(a, l) == 0)
- break;
- }
- for (i = l + 1; i < 128; i++) {
- if (BIT6(a, i) == 1)
- return -1;
- }
- return l;
-}
-
-static int
-dump_entry(struct ip6t_entry *e, const ip6tc_handle_t handle)
-{
- size_t i;
- char buf[40];
- int len;
- struct ip6t_entry_target *t;
-
- printf("Entry %u (%lu):\n", entry2index(handle, e),
- entry2offset(handle, e));
- puts("SRC IP: ");
- inet_ntop(AF_INET6, &e->ipv6.src, buf, sizeof buf);
- puts(buf);
- putchar('/');
- len = ipv6_prefix_length(&e->ipv6.smsk);
- if (len != -1)
- printf("%d", len);
- else {
- inet_ntop(AF_INET6, &e->ipv6.smsk, buf, sizeof buf);
- puts(buf);
- }
- putchar('\n');
-
- puts("DST IP: ");
- inet_ntop(AF_INET6, &e->ipv6.dst, buf, sizeof buf);
- puts(buf);
- putchar('/');
- len = ipv6_prefix_length(&e->ipv6.dmsk);
- if (len != -1)
- printf("%d", len);
- else {
- inet_ntop(AF_INET6, &e->ipv6.dmsk, buf, sizeof buf);
- puts(buf);
- }
- putchar('\n');
-
- printf("Interface: `%s'/", e->ipv6.iniface);
- for (i = 0; i < IFNAMSIZ; i++)
- printf("%c", e->ipv6.iniface_mask[i] ? 'X' : '.');
- printf("to `%s'/", e->ipv6.outiface);
- for (i = 0; i < IFNAMSIZ; i++)
- printf("%c", e->ipv6.outiface_mask[i] ? 'X' : '.');
- printf("\nProtocol: %u\n", e->ipv6.proto);
- if (e->ipv6.flags & IP6T_F_TOS)
- printf("TOS: %u\n", e->ipv6.tos);
- printf("Flags: %02X\n", e->ipv6.flags);
- printf("Invflags: %02X\n", e->ipv6.invflags);
- printf("Counters: %llu packets, %llu bytes\n",
- e->counters.pcnt, e->counters.bcnt);
- printf("Cache: %08X ", e->nfcache);
- if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
- if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
- if (e->nfcache & NFC_IP6_SRC) printf("IP6_SRC ");
- if (e->nfcache & NFC_IP6_DST) printf("IP6_DST ");
- if (e->nfcache & NFC_IP6_IF_IN) printf("IP6_IF_IN ");
- if (e->nfcache & NFC_IP6_IF_OUT) printf("IP6_IF_OUT ");
- if (e->nfcache & NFC_IP6_TOS) printf("IP6_TOS ");
- if (e->nfcache & NFC_IP6_PROTO) printf("IP6_PROTO ");
- if (e->nfcache & NFC_IP6_OPTIONS) printf("IP6_OPTIONS ");
- if (e->nfcache & NFC_IP6_TCPFLAGS) printf("IP6_TCPFLAGS ");
- if (e->nfcache & NFC_IP6_SRC_PT) printf("IP6_SRC_PT ");
- if (e->nfcache & NFC_IP6_DST_PT) printf("IP6_DST_PT ");
- if (e->nfcache & NFC_IP6_PROTO_UNKNOWN) printf("IP6_PROTO_UNKNOWN ");
- printf("\n");
-
- IP6T_MATCH_ITERATE(e, print_match);
-
- t = ip6t_get_target(e);
- printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size);
- if (strcmp(t->u.user.name, IP6T_STANDARD_TARGET) == 0) {
- int pos = *(int *)t->data;
- if (pos < 0)
- printf("verdict=%s\n",
- pos == -NF_ACCEPT-1 ? "NF_ACCEPT"
- : pos == -NF_DROP-1 ? "NF_DROP"
- : pos == IP6T_RETURN ? "RETURN"
- : "UNKNOWN");
- else
- printf("verdict=%u\n", pos);
- } else if (strcmp(t->u.user.name, IP6T_ERROR_TARGET) == 0)
- printf("error=`%s'\n", t->data);
-
- printf("\n");
- return 0;
-}
-
-static int
-is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b,
- unsigned char *matchmask)
-{
- unsigned int i;
- STRUCT_ENTRY_TARGET *ta, *tb;
- unsigned char *mptr;
-
- /* Always compare head structures: ignore mask here. */
- if (memcmp(&a->ipv6.src, &b->ipv6.src, sizeof(struct in6_addr))
- || memcmp(&a->ipv6.dst, &b->ipv6.dst, sizeof(struct in6_addr))
- || memcmp(&a->ipv6.smsk, &b->ipv6.smsk, sizeof(struct in6_addr))
- || memcmp(&a->ipv6.dmsk, &b->ipv6.dmsk, sizeof(struct in6_addr))
- || a->ipv6.proto != b->ipv6.proto
- || a->ipv6.tos != b->ipv6.tos
- || a->ipv6.flags != b->ipv6.flags
- || a->ipv6.invflags != b->ipv6.invflags)
- return 0;
-
- for (i = 0; i < IFNAMSIZ; i++) {
- if (a->ipv6.iniface_mask[i] != b->ipv6.iniface_mask[i])
- return 0;
- if ((a->ipv6.iniface[i] & a->ipv6.iniface_mask[i])
- != (b->ipv6.iniface[i] & b->ipv6.iniface_mask[i]))
- return 0;
- if (a->ipv6.outiface_mask[i] != b->ipv6.outiface_mask[i])
- return 0;
- if ((a->ipv6.outiface[i] & a->ipv6.outiface_mask[i])
- != (b->ipv6.outiface[i] & b->ipv6.outiface_mask[i]))
- return 0;
- }
-
- if (a->nfcache != b->nfcache
- || a->target_offset != b->target_offset
- || a->next_offset != b->next_offset)
- return 0;
-
- mptr = matchmask + sizeof(STRUCT_ENTRY);
- if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
- return 0;
-
- ta = GET_TARGET((STRUCT_ENTRY *)a);
- tb = GET_TARGET((STRUCT_ENTRY *)b);
- if (ta->u.target_size != tb->u.target_size)
- return 0;
- if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
- return 0;
- mptr += sizeof(*ta);
-
- if (target_different(ta->data, tb->data,
- ta->u.target_size - sizeof(*ta), mptr))
- return 0;
-
- return 1;
-}
-
-/* All zeroes == unconditional rule. */
-static inline int
-unconditional(const struct ip6t_ip6 *ipv6)
-{
- unsigned int i;
-
- for (i = 0; i < sizeof(*ipv6); i++)
- if (((char *)ipv6)[i])
- break;
-
- return (i == sizeof(*ipv6));
-}
-
-#ifdef IPTC_DEBUG
-/* Do every conceivable sanity check on the handle */
-static void
-do_check(TC_HANDLE_T h, unsigned int line)
-{
- unsigned int i, n;
- unsigned int user_offset; /* Offset of first user chain */
- int was_return;
-
- assert(h->changed == 0 || h->changed == 1);
- if (strcmp(h->info.name, "filter") == 0) {
- assert(h->info.valid_hooks
- == (1 << NF_IP6_LOCAL_IN
- | 1 << NF_IP6_FORWARD
- | 1 << NF_IP6_LOCAL_OUT));
-
- /* Hooks should be first three */
- assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == 0);
-
- n = get_chain_end(h, 0);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_FORWARD] == n);
-
- n = get_chain_end(h, n);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
-
- user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
- } else if (strcmp(h->info.name, "nat") == 0) {
- assert((h->info.valid_hooks
- == (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_LOCAL_OUT
- | 1 << NF_IP6_POST_ROUTING)) ||
- (h->info.valid_hooks
- == (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_LOCAL_IN
- | 1 << NF_IP6_LOCAL_OUT
- | 1 << NF_IP6_POST_ROUTING)));
-
- assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
-
- n = get_chain_end(h, 0);
-
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
- n = get_chain_end(h, n);
-
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
- user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
-
- if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) {
- n = get_chain_end(h, n);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
- user_offset = h->info.hook_entry[NF_IP6_LOCAL_IN];
- }
-
- } else if (strcmp(h->info.name, "mangle") == 0) {
- /* This code is getting ugly because linux < 2.4.18-pre6 had
- * two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
- * */
- assert((h->info.valid_hooks
- == (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_LOCAL_OUT)) ||
- (h->info.valid_hooks
- == (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_LOCAL_IN
- | 1 << NF_IP6_FORWARD
- | 1 << NF_IP6_LOCAL_OUT
- | 1 << NF_IP6_POST_ROUTING)));
-
- /* Hooks should be first five */
- assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
-
- n = get_chain_end(h, 0);
-
- if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) {
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
- n = get_chain_end(h, n);
- }
-
- if (h->info.valid_hooks & (1 << NF_IP6_FORWARD)) {
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_FORWARD] == n);
- n = get_chain_end(h, n);
- }
-
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
- user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
-
- if (h->info.valid_hooks & (1 << NF_IP6_POST_ROUTING)) {
- n = get_chain_end(h, n);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
- user_offset = h->info.hook_entry[NF_IP6_POST_ROUTING];
- }
- } else {
- fprintf(stderr, "Unknown table `%s'\n", h->info.name);
- abort();
- }
-
- /* User chain == end of last builtin + policy entry */
- user_offset = get_chain_end(h, user_offset);
- user_offset += get_entry(h, user_offset)->next_offset;
-
- /* Overflows should be end of entry chains, and unconditional
- policy nodes. */
- for (i = 0; i < NUMHOOKS; i++) {
- STRUCT_ENTRY *e;
- STRUCT_STANDARD_TARGET *t;
-
- if (!(h->info.valid_hooks & (1 << i)))
- continue;
- assert(h->info.underflow[i]
- == get_chain_end(h, h->info.hook_entry[i]));
-
- e = get_entry(h, get_chain_end(h, h->info.hook_entry[i]));
- assert(unconditional(&e->ipv6));
- assert(e->target_offset == sizeof(*e));
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
- printf("target_size=%u, align=%u\n",
- t->target.u.target_size, ALIGN(sizeof(*t)));
- assert(t->target.u.target_size == ALIGN(sizeof(*t)));
- assert(e->next_offset == sizeof(*e) + ALIGN(sizeof(*t)));
-
- assert(strcmp(t->target.u.user.name, STANDARD_TARGET)==0);
- assert(t->verdict == -NF_DROP-1 || t->verdict == -NF_ACCEPT-1);
-
- /* Hooks and underflows must be valid entries */
- entry2index(h, get_entry(h, h->info.hook_entry[i]));
- entry2index(h, get_entry(h, h->info.underflow[i]));
- }
-
- assert(h->info.size
- >= h->info.num_entries * (sizeof(STRUCT_ENTRY)
- +sizeof(STRUCT_STANDARD_TARGET)));
-
- assert(h->entries.size
- >= (h->new_number
- * (sizeof(STRUCT_ENTRY)
- + sizeof(STRUCT_STANDARD_TARGET))));
- assert(strcmp(h->info.name, h->entries.name) == 0);
-
- i = 0; n = 0;
- was_return = 0;
-
-#if 0
- /* Check all the entries. */
- ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- check_entry, &i, &n, user_offset, &was_return, h);
-
- assert(i == h->new_number);
- assert(n == h->entries.size);
-
- /* Final entry must be error node */
- assert(strcmp(GET_TARGET(index2entry(h, h->new_number-1))
- ->u.user.name,
- ERROR_TARGET) == 0);
-#endif
-}
-#endif /*IPTC_DEBUG*/
+++ /dev/null
---- libiptc.c 2003-06-30 18:26:59.000000000 +0200
-+++ libiptc.c 2003-06-30 18:27:24.000000000 +0200
-@@ -64,19 +61,35 @@
- char error[TABLE_MAXNAMELEN];
- };
-
--struct chain_cache
-+struct rule_head
- {
-+ struct list_head list;
-+
-+ struct chain_head *chain;
-+
-+ unsigned int size;
-+ STRUCT_ENTRY entry[0];
-+}
-+
-+struct chain_head
-+{
-+ struct list_head list;
-+
- char name[TABLE_MAXNAMELEN];
-- /* This is the first rule in chain. */
-- unsigned int start_off;
-- /* Last rule in chain */
-- unsigned int end_off;
-+ unsigned int hooknum;
-+ struct list_head rules;
- };
-
- STRUCT_TC_HANDLE
- {
- /* Have changes been made? */
- int changed;
-+
-+ struct list_head chains;
-+
-+ struct chain_head *chain_iterator_cur;
-+
-+#if 0
- /* Size in here reflects original state. */
- STRUCT_GETINFO info;
-
-@@ -98,6 +111,7 @@
- /* Number in here reflects current state. */
- unsigned int new_number;
- STRUCT_GET_ENTRIES entries;
-+#endif
- };
-
- static void
-@@ -375,173 +389,25 @@
- }
- return 0;
- }
--
--static inline int
--add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev)
--{
-- unsigned int builtin;
--
-- /* Last entry. End it. */
-- if (entry2offset(h, e) + e->next_offset == h->entries.size) {
-- /* This is the ERROR node at end of the table */
-- h->cache_chain_heads[h->cache_num_chains-1].end_off =
-- entry2offset(h, *prev);
-- return 0;
-- }
--
-- /* We know this is the start of a new chain if it's an ERROR
-- target, or a hook entry point */
-- if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) == 0) {
-- /* prev was last entry in previous chain */
-- h->cache_chain_heads[h->cache_num_chains-1].end_off
-- = entry2offset(h, *prev);
--
-- strcpy(h->cache_chain_heads[h->cache_num_chains].name,
-- (const char *)GET_TARGET(e)->data);
-- h->cache_chain_heads[h->cache_num_chains].start_off
-- = entry2offset(h, (void *)e + e->next_offset);
-- h->cache_num_chains++;
-- } else if ((builtin = is_hook_entry(e, h)) != 0) {
-- if (h->cache_num_chains > 0)
-- /* prev was last entry in previous chain */
-- h->cache_chain_heads[h->cache_num_chains-1].end_off
-- = entry2offset(h, *prev);
--
-- strcpy(h->cache_chain_heads[h->cache_num_chains].name,
-- h->hooknames[builtin-1]);
-- h->cache_chain_heads[h->cache_num_chains].start_off
-- = entry2offset(h, (void *)e);
-- h->cache_num_chains++;
-- }
--
-- *prev = e;
-- return 0;
--}
--
- static int alphasort(const void *a, const void *b)
- {
- return strcmp(((struct chain_cache *)a)->name,
- ((struct chain_cache *)b)->name);
- }
-
--static int populate_cache(TC_HANDLE_T h)
--{
-- unsigned int i;
-- STRUCT_ENTRY *prev;
--
-- /* # chains < # rules / 2 + num builtins - 1 */
-- h->cache_chain_heads = malloc((h->new_number / 2 + 4)
-- * sizeof(struct chain_cache));
-- if (!h->cache_chain_heads) {
-- errno = ENOMEM;
-- return 0;
-- }
--
-- h->cache_num_chains = 0;
-- h->cache_num_builtins = 0;
--
-- /* Count builtins */
-- for (i = 0; i < NUMHOOKS; i++) {
-- if (h->info.valid_hooks & (1 << i))
-- h->cache_num_builtins++;
-- }
--
-- prev = NULL;
-- ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
-- add_chain, h, &prev);
--
-- qsort(h->cache_chain_heads + h->cache_num_builtins,
-- h->cache_num_chains - h->cache_num_builtins,
-- sizeof(struct chain_cache), alphasort);
--
-- return 1;
--}
--
--static int
--correct_cache(TC_HANDLE_T h, unsigned int offset, int delta)
--{
-- int i; /* needs to be signed because deleting first
-- chain can make it drop to -1 */
--
-- if (!delta)
-- return 1;
--
-- for (i = 0; i < h->cache_num_chains; i++) {
-- struct chain_cache *cc = &h->cache_chain_heads[i];
--
-- if (delta < 0) {
-- /* take care about deleted chains */
-- if (cc->start_off >= offset+delta
-- && cc->end_off <= offset) {
-- /* this chain is within the deleted range,
-- * let's remove it from the cache */
-- void *start;
-- unsigned int size;
--
-- h->cache_num_chains--;
-- if (i+1 >= h->cache_num_chains)
-- continue;
-- start = &h->cache_chain_heads[i+1];
-- size = (h->cache_num_chains-i)
-- * sizeof(struct chain_cache);
-- memmove(cc, start, size);
--
-- /* iterate over same index again, since
-- * it is now a different chain */
-- i--;
-- continue;
-- }
-- }
--
-- if (cc->start_off > offset)
-- cc->start_off += delta;
--
-- if (cc->end_off >= offset)
-- cc->end_off += delta;
-- }
-- /* HW_FIXME: sorting might be needed, but just in case a new chain was
-- * added */
--
-- return 1;
--}
--
--static int
--add_chain_cache(TC_HANDLE_T h, const char *name, unsigned int start_off,
-- unsigned int end_off)
--{
-- struct chain_cache *ccs = realloc(h->cache_chain_heads,
-- (h->new_number / 2 + 4 + 1)
-- * sizeof(struct chain_cache));
-- struct chain_cache *newcc;
--
-- if (!ccs)
-- return 0;
--
-- h->cache_chain_heads = ccs;
-- newcc = &h->cache_chain_heads[h->cache_num_chains];
-- h->cache_num_chains++;
--
-- strncpy(newcc->name, name, TABLE_MAXNAMELEN-1);
-- newcc->start_off = start_off;
-- newcc->end_off = end_off;
--
-- return 1;
--}
--
--/* Returns cache ptr if found, otherwise NULL. */
--static struct chain_cache *
-+/* Returns chain head if found, otherwise NULL. */
-+static struct chain_head *
- find_label(const char *name, TC_HANDLE_T handle)
- {
-- unsigned int i;
-+ struct list_head *pos;
-
-- if (handle->cache_chain_heads == NULL
-- && !populate_cache(handle))
-+ if (!handle->chains)
- return NULL;
-
-- /* FIXME: Linear search through builtins, then binary --RR */
-- for (i = 0; i < handle->cache_num_chains; i++) {
-- if (strcmp(handle->cache_chain_heads[i].name, name) == 0)
-- return &handle->cache_chain_heads[i];
-+ list_for_each(pos, &handle->chains) {
-+ struct chain_head *c = list_entry(pos, struct chain_head, list);
-+ if (!strcmp(c->name, name))
-+ return c;
- }
-
- return NULL;
-@@ -594,34 +460,30 @@
- const char *
- TC_FIRST_CHAIN(TC_HANDLE_T *handle)
- {
-- if ((*handle)->cache_chain_heads == NULL
-- && !populate_cache(*handle))
-- return NULL;
-+ (*handle)->chain_iterator_cur = (*handle)->chains;
-
-- (*handle)->cache_chain_iteration
-- = &(*handle)->cache_chain_heads[0];
--
-- return (*handle)->cache_chain_iteration->name;
-+ return (*handle)->chains.name;
- }
-
- /* Iterator functions to run through the chains. Returns NULL at end. */
- const char *
- TC_NEXT_CHAIN(TC_HANDLE_T *handle)
- {
-- (*handle)->cache_chain_iteration++;
-+ struct chain_head *next = list_entry(&(*handle)->chain_iterator_cur->list.next, struct chain_head, list);
-+ (*handle)->chain_iterator_cur = next;
-
-- if ((*handle)->cache_chain_iteration - (*handle)->cache_chain_heads
-- == (*handle)->cache_num_chains)
-+ if (next == (*handle)->chains)
- return NULL;
-
-- return (*handle)->cache_chain_iteration->name;
-+ return next->name;
- }
-
- /* Get first rule in the given chain: NULL for empty chain. */
- const STRUCT_ENTRY *
- TC_FIRST_RULE(const char *chain, TC_HANDLE_T *handle)
- {
-- struct chain_cache *c;
-+ struct chain_head *c;
-+ struct rule_head *r;
-
- c = find_label(chain, *handle);
- if (!c) {
-@@ -630,22 +492,26 @@
- }
-
- /* Empty chain: single return/policy rule */
-- if (c->start_off == c->end_off)
-+ if (list_empty(c->rules))
- return NULL;
-
-- (*handle)->cache_rule_end = offset2entry(*handle, c->end_off);
-- return offset2entry(*handle, c->start_off);
-+ r = list_entry(&c->rules.next, struct rule_head, list);
-+ (*handle)->rule_iterator_cur = r;
-+
-+ return r->entry;
- }
-
- /* Returns NULL when rules run out. */
- const STRUCT_ENTRY *
- TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
- {
-- if ((void *)prev + prev->next_offset
-- == (void *)(*handle)->cache_rule_end)
-+ struct rule_head *r = list_entry((*handle)->rule_iterator_cur->list.next, struct rule_head, list);
-+
-+ if (r == r->chain)
- return NULL;
-
-- return (void *)prev + prev->next_offset;
-+ /* NOTE: prev is without any influence ! */
-+ return r->entry;
- }
-
- #if 0
-@@ -773,7 +639,7 @@
- return target_name(*handle, e);
- }
-
--static inline int
-+static int
- correct_verdict(STRUCT_ENTRY *e,
- char *base,
- unsigned int offset, int delta_offset)
-@@ -874,16 +740,8 @@
- newh->entries.size = (*handle)->entries.size + rules_size;
- newh->hooknames = (*handle)->hooknames;
-
-- newh->cache_chain_heads = (*handle)->cache_chain_heads;
-- newh->cache_num_builtins = (*handle)->cache_num_builtins;
-- newh->cache_num_chains = (*handle)->cache_num_chains;
-- newh->cache_rule_end = (*handle)->cache_rule_end;
-- newh->cache_chain_iteration = (*handle)->cache_chain_iteration;
-- if (!correct_cache(newh, offset, rules_size)) {
-- free(newh);
-- return 0;
-- }
--
-+ if ((*handle)->cache_chain_heads)
-+ free((*handle)->cache_chain_heads);
- free(*handle);
- *handle = newh;
-
-@@ -942,10 +800,6 @@
- (*handle)->new_number -= num_rules;
- (*handle)->entries.size -= rules_size;
-
-- /* Fix the chain cache */
-- if (!correct_cache(*handle, offset, -(int)rules_size))
-- return 0;
--
- return set_verdict(offset, -(int)rules_size, handle);
- }
-
-@@ -1449,7 +1303,6 @@
- STRUCT_ENTRY ret;
- STRUCT_STANDARD_TARGET target;
- } newc;
-- unsigned int destination;
-
- iptc_fn = TC_CREATE_CHAIN;
-
-@@ -1487,21 +1340,11 @@
- = ALIGN(sizeof(STRUCT_STANDARD_TARGET));
- newc.target.verdict = RETURN;
-
-- destination = index2offset(*handle, (*handle)->new_number -1);
--
- /* Add just before terminal entry */
- ret = insert_rules(2, sizeof(newc), &newc.head,
-- destination,
-+ index2offset(*handle, (*handle)->new_number - 1),
- (*handle)->new_number - 1,
- 0, handle);
--
-- set_changed(*handle);
--
-- /* add chain cache info for this chain */
-- add_chain_cache(*handle, chain,
-- destination+newc.head.next_offset,
-- destination+newc.head.next_offset);
--
- return ret;
- }
-
-@@ -1629,11 +1472,6 @@
-
- memset(t->error, 0, sizeof(t->error));
- strcpy(t->error, newname);
--
-- /* update chain cache */
-- memset(c->name, 0, sizeof(c->name));
-- strcpy(c->name, newname);
--
- set_changed(*handle);
-
- return 1;
+++ /dev/null
-/* Library which manipulates firewall rules. Version 0.1. */
-
-/* Architecture of firewall rules is as follows:
- *
- * Chains go INPUT, FORWARD, OUTPUT then user chains.
- * Each user chain starts with an ERROR node.
- * Every chain ends with an unconditional jump: a RETURN for user chains,
- * and a POLICY for built-ins.
- */
-
-/* (C)1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
- COPYING for details). */
-
-#include <assert.h>
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-
-#ifdef DEBUG_CONNTRACK
-#define inline
-#endif
-
-#if !defined(__GLIBC__) || (__GLIBC__ < 2)
-typedef unsigned int socklen_t;
-#endif
-
-#include "libiptc/libiptc.h"
-
-#define IP_VERSION 4
-#define IP_OFFSET 0x1FFF
-
-#define HOOK_PRE_ROUTING NF_IP_PRE_ROUTING
-#define HOOK_LOCAL_IN NF_IP_LOCAL_IN
-#define HOOK_FORWARD NF_IP_FORWARD
-#define HOOK_LOCAL_OUT NF_IP_LOCAL_OUT
-#define HOOK_POST_ROUTING NF_IP_POST_ROUTING
-#ifdef NF_IP_DROPPING
-#define HOOK_DROPPING NF_IP_DROPPING
-#endif
-
-#define STRUCT_ENTRY_TARGET struct ipt_entry_target
-#define STRUCT_ENTRY struct ipt_entry
-#define STRUCT_ENTRY_MATCH struct ipt_entry_match
-#define STRUCT_GETINFO struct ipt_getinfo
-#define STRUCT_GET_ENTRIES struct ipt_get_entries
-#define STRUCT_COUNTERS struct ipt_counters
-#define STRUCT_COUNTERS_INFO struct ipt_counters_info
-#define STRUCT_STANDARD_TARGET struct ipt_standard_target
-#define STRUCT_REPLACE struct ipt_replace
-
-#define STRUCT_TC_HANDLE struct iptc_handle
-#define TC_HANDLE_T iptc_handle_t
-
-#define ENTRY_ITERATE IPT_ENTRY_ITERATE
-#define TABLE_MAXNAMELEN IPT_TABLE_MAXNAMELEN
-#define FUNCTION_MAXNAMELEN IPT_FUNCTION_MAXNAMELEN
-
-#define GET_TARGET ipt_get_target
-
-#define ERROR_TARGET IPT_ERROR_TARGET
-#define NUMHOOKS NF_IP_NUMHOOKS
-
-#define IPT_CHAINLABEL ipt_chainlabel
-
-#define TC_DUMP_ENTRIES dump_entries
-#define TC_IS_CHAIN iptc_is_chain
-#define TC_FIRST_CHAIN iptc_first_chain
-#define TC_NEXT_CHAIN iptc_next_chain
-#define TC_FIRST_RULE iptc_first_rule
-#define TC_NEXT_RULE iptc_next_rule
-#define TC_GET_TARGET iptc_get_target
-#define TC_BUILTIN iptc_builtin
-#define TC_GET_POLICY iptc_get_policy
-#define TC_INSERT_ENTRY iptc_insert_entry
-#define TC_REPLACE_ENTRY iptc_replace_entry
-#define TC_APPEND_ENTRY iptc_append_entry
-#define TC_DELETE_ENTRY iptc_delete_entry
-#define TC_DELETE_NUM_ENTRY iptc_delete_num_entry
-#define TC_CHECK_PACKET iptc_check_packet
-#define TC_FLUSH_ENTRIES iptc_flush_entries
-#define TC_ZERO_ENTRIES iptc_zero_entries
-#define TC_READ_COUNTER iptc_read_counter
-#define TC_ZERO_COUNTER iptc_zero_counter
-#define TC_SET_COUNTER iptc_set_counter
-#define TC_CREATE_CHAIN iptc_create_chain
-#define TC_GET_REFERENCES iptc_get_references
-#define TC_DELETE_CHAIN iptc_delete_chain
-#define TC_RENAME_CHAIN iptc_rename_chain
-#define TC_SET_POLICY iptc_set_policy
-#define TC_GET_RAW_SOCKET iptc_get_raw_socket
-#define TC_INIT iptc_init
-#define TC_FREE iptc_free
-#define TC_COMMIT iptc_commit
-#define TC_STRERROR iptc_strerror
-
-#define TC_AF AF_INET
-#define TC_IPPROTO IPPROTO_IP
-
-#define SO_SET_REPLACE IPT_SO_SET_REPLACE
-#define SO_SET_ADD_COUNTERS IPT_SO_SET_ADD_COUNTERS
-#define SO_GET_INFO IPT_SO_GET_INFO
-#define SO_GET_ENTRIES IPT_SO_GET_ENTRIES
-#define SO_GET_VERSION IPT_SO_GET_VERSION
-
-#define STANDARD_TARGET IPT_STANDARD_TARGET
-#define LABEL_RETURN IPTC_LABEL_RETURN
-#define LABEL_ACCEPT IPTC_LABEL_ACCEPT
-#define LABEL_DROP IPTC_LABEL_DROP
-#define LABEL_QUEUE IPTC_LABEL_QUEUE
-
-#define ALIGN IPT_ALIGN
-#define RETURN IPT_RETURN
-
-#include "libiptc.c"
-
-#define IP_PARTS_NATIVE(n) \
-(unsigned int)((n)>>24)&0xFF, \
-(unsigned int)((n)>>16)&0xFF, \
-(unsigned int)((n)>>8)&0xFF, \
-(unsigned int)((n)&0xFF)
-
-#define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
-
-int
-dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle)
-{
- size_t i;
- STRUCT_ENTRY_TARGET *t;
-
- printf("Entry %u (%lu):\n", entry2index(handle, e),
- entry2offset(handle, e));
- printf("SRC IP: %u.%u.%u.%u/%u.%u.%u.%u\n",
- IP_PARTS(e->ip.src.s_addr),IP_PARTS(e->ip.smsk.s_addr));
- printf("DST IP: %u.%u.%u.%u/%u.%u.%u.%u\n",
- IP_PARTS(e->ip.dst.s_addr),IP_PARTS(e->ip.dmsk.s_addr));
- printf("Interface: `%s'/", e->ip.iniface);
- for (i = 0; i < IFNAMSIZ; i++)
- printf("%c", e->ip.iniface_mask[i] ? 'X' : '.');
- printf("to `%s'/", e->ip.outiface);
- for (i = 0; i < IFNAMSIZ; i++)
- printf("%c", e->ip.outiface_mask[i] ? 'X' : '.');
- printf("\nProtocol: %u\n", e->ip.proto);
- printf("Flags: %02X\n", e->ip.flags);
- printf("Invflags: %02X\n", e->ip.invflags);
- printf("Counters: %llu packets, %llu bytes\n",
- e->counters.pcnt, e->counters.bcnt);
- printf("Cache: %08X ", e->nfcache);
- if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
- if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
- if (e->nfcache & NFC_IP_SRC) printf("IP_SRC ");
- if (e->nfcache & NFC_IP_DST) printf("IP_DST ");
- if (e->nfcache & NFC_IP_IF_IN) printf("IP_IF_IN ");
- if (e->nfcache & NFC_IP_IF_OUT) printf("IP_IF_OUT ");
- if (e->nfcache & NFC_IP_TOS) printf("IP_TOS ");
- if (e->nfcache & NFC_IP_PROTO) printf("IP_PROTO ");
- if (e->nfcache & NFC_IP_OPTIONS) printf("IP_OPTIONS ");
- if (e->nfcache & NFC_IP_TCPFLAGS) printf("IP_TCPFLAGS ");
- if (e->nfcache & NFC_IP_SRC_PT) printf("IP_SRC_PT ");
- if (e->nfcache & NFC_IP_DST_PT) printf("IP_DST_PT ");
- if (e->nfcache & NFC_IP_PROTO_UNKNOWN) printf("IP_PROTO_UNKNOWN ");
- printf("\n");
-
- IPT_MATCH_ITERATE(e, print_match);
-
- t = GET_TARGET(e);
- printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size);
- if (strcmp(t->u.user.name, STANDARD_TARGET) == 0) {
- int pos = *(int *)t->data;
- if (pos < 0)
- printf("verdict=%s\n",
- pos == -NF_ACCEPT-1 ? "NF_ACCEPT"
- : pos == -NF_DROP-1 ? "NF_DROP"
- : pos == -NF_QUEUE-1 ? "NF_QUEUE"
- : pos == RETURN ? "RETURN"
- : "UNKNOWN");
- else
- printf("verdict=%u\n", pos);
- } else if (strcmp(t->u.user.name, IPT_ERROR_TARGET) == 0)
- printf("error=`%s'\n", t->data);
-
- printf("\n");
- return 0;
-}
-
-static int
-is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b, unsigned char *matchmask)
-{
- unsigned int i;
- STRUCT_ENTRY_TARGET *ta, *tb;
- unsigned char *mptr;
-
- /* Always compare head structures: ignore mask here. */
- if (a->ip.src.s_addr != b->ip.src.s_addr
- || a->ip.dst.s_addr != b->ip.dst.s_addr
- || a->ip.smsk.s_addr != b->ip.smsk.s_addr
- || a->ip.dmsk.s_addr != b->ip.dmsk.s_addr
- || a->ip.proto != b->ip.proto
- || a->ip.flags != b->ip.flags
- || a->ip.invflags != b->ip.invflags)
- return 0;
-
- for (i = 0; i < IFNAMSIZ; i++) {
- if (a->ip.iniface_mask[i] != b->ip.iniface_mask[i])
- return 0;
- if ((a->ip.iniface[i] & a->ip.iniface_mask[i])
- != (b->ip.iniface[i] & b->ip.iniface_mask[i]))
- return 0;
- if (a->ip.outiface_mask[i] != b->ip.outiface_mask[i])
- return 0;
- if ((a->ip.outiface[i] & a->ip.outiface_mask[i])
- != (b->ip.outiface[i] & b->ip.outiface_mask[i]))
- return 0;
- }
-
- if (a->nfcache != b->nfcache
- || a->target_offset != b->target_offset
- || a->next_offset != b->next_offset)
- return 0;
-
- mptr = matchmask + sizeof(STRUCT_ENTRY);
- if (IPT_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
- return 0;
-
- ta = GET_TARGET((STRUCT_ENTRY *)a);
- tb = GET_TARGET((STRUCT_ENTRY *)b);
- if (ta->u.target_size != tb->u.target_size)
- return 0;
- if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
- return 0;
-
- mptr += sizeof(*ta);
- if (target_different(ta->data, tb->data,
- ta->u.target_size - sizeof(*ta), mptr))
- return 0;
-
- return 1;
-}
-
-/***************************** DEBUGGING ********************************/
-static inline int
-unconditional(const struct ipt_ip *ip)
-{
- unsigned int i;
-
- for (i = 0; i < sizeof(*ip)/sizeof(u_int32_t); i++)
- if (((u_int32_t *)ip)[i])
- return 0;
-
- return 1;
-}
-
-static inline int
-check_match(const STRUCT_ENTRY_MATCH *m, unsigned int *off)
-{
- assert(m->u.match_size >= sizeof(STRUCT_ENTRY_MATCH));
- assert(ALIGN(m->u.match_size) == m->u.match_size);
-
- (*off) += m->u.match_size;
- return 0;
-}
-
-static inline int
-check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
- unsigned int user_offset, int *was_return,
- TC_HANDLE_T h)
-{
- unsigned int toff;
- STRUCT_STANDARD_TARGET *t;
-
- assert(e->target_offset >= sizeof(STRUCT_ENTRY));
- assert(e->next_offset >= e->target_offset
- + sizeof(STRUCT_ENTRY_TARGET));
- toff = sizeof(STRUCT_ENTRY);
- IPT_MATCH_ITERATE(e, check_match, &toff);
-
- assert(toff == e->target_offset);
-
- t = (STRUCT_STANDARD_TARGET *)
- GET_TARGET((STRUCT_ENTRY *)e);
- /* next_offset will have to be multiple of entry alignment. */
- assert(e->next_offset == ALIGN(e->next_offset));
- assert(e->target_offset == ALIGN(e->target_offset));
- assert(t->target.u.target_size == ALIGN(t->target.u.target_size));
- assert(!TC_IS_CHAIN(t->target.u.user.name, h));
-
- if (strcmp(t->target.u.user.name, STANDARD_TARGET) == 0) {
- assert(t->target.u.target_size
- == ALIGN(sizeof(STRUCT_STANDARD_TARGET)));
-
- assert(t->verdict == -NF_DROP-1
- || t->verdict == -NF_ACCEPT-1
- || t->verdict == RETURN
- || t->verdict < (int)h->entries.size);
-
- if (t->verdict >= 0) {
- STRUCT_ENTRY *te = get_entry(h, t->verdict);
- int idx;
-
- idx = entry2index(h, te);
- assert(strcmp(GET_TARGET(te)->u.user.name,
- IPT_ERROR_TARGET)
- != 0);
- assert(te != e);
-
- /* Prior node must be error node, or this node. */
- assert(t->verdict == entry2offset(h, e)+e->next_offset
- || strcmp(GET_TARGET(index2entry(h, idx-1))
- ->u.user.name, IPT_ERROR_TARGET)
- == 0);
- }
-
- if (t->verdict == RETURN
- && unconditional(&e->ip)
- && e->target_offset == sizeof(*e))
- *was_return = 1;
- else
- *was_return = 0;
- } else if (strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0) {
- assert(t->target.u.target_size
- == ALIGN(sizeof(struct ipt_error_target)));
-
- /* If this is in user area, previous must have been return */
- if (*off > user_offset)
- assert(*was_return);
-
- *was_return = 0;
- }
- else *was_return = 0;
-
- if (*off == user_offset)
- assert(strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0);
-
- (*off) += e->next_offset;
- (*i)++;
- return 0;
-}
-
-#ifdef IPTC_DEBUG
-/* Do every conceivable sanity check on the handle */
-static void
-do_check(TC_HANDLE_T h, unsigned int line)
-{
- unsigned int i, n;
- unsigned int user_offset; /* Offset of first user chain */
- int was_return;
-
- assert(h->changed == 0 || h->changed == 1);
- if (strcmp(h->info.name, "filter") == 0) {
- assert(h->info.valid_hooks
- == (1 << NF_IP_LOCAL_IN
- | 1 << NF_IP_FORWARD
- | 1 << NF_IP_LOCAL_OUT));
-
- /* Hooks should be first three */
- assert(h->info.hook_entry[NF_IP_LOCAL_IN] == 0);
-
- n = get_chain_end(h, 0);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP_FORWARD] == n);
-
- n = get_chain_end(h, n);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
-
- user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
- } else if (strcmp(h->info.name, "nat") == 0) {
- assert((h->info.valid_hooks
- == (1 << NF_IP_PRE_ROUTING
- | 1 << NF_IP_POST_ROUTING
- | 1 << NF_IP_LOCAL_OUT)) ||
- (h->info.valid_hooks
- == (1 << NF_IP_PRE_ROUTING
- | 1 << NF_IP_LOCAL_IN
- | 1 << NF_IP_POST_ROUTING
- | 1 << NF_IP_LOCAL_OUT)));
-
- assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
-
- n = get_chain_end(h, 0);
-
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
- n = get_chain_end(h, n);
-
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
- user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
-
- if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) {
- n = get_chain_end(h, n);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
- user_offset = h->info.hook_entry[NF_IP_LOCAL_IN];
- }
-
- } else if (strcmp(h->info.name, "mangle") == 0) {
- /* This code is getting ugly because linux < 2.4.18-pre6 had
- * two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
- * */
- assert((h->info.valid_hooks
- == (1 << NF_IP_PRE_ROUTING
- | 1 << NF_IP_LOCAL_OUT)) ||
- (h->info.valid_hooks
- == (1 << NF_IP_PRE_ROUTING
- | 1 << NF_IP_LOCAL_IN
- | 1 << NF_IP_FORWARD
- | 1 << NF_IP_LOCAL_OUT
- | 1 << NF_IP_POST_ROUTING)));
-
- /* Hooks should be first five */
- assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
-
- n = get_chain_end(h, 0);
-
- if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) {
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
- n = get_chain_end(h, n);
- }
-
- if (h->info.valid_hooks & (1 << NF_IP_FORWARD)) {
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP_FORWARD] == n);
- n = get_chain_end(h, n);
- }
-
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
- user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
-
- if (h->info.valid_hooks & (1 << NF_IP_POST_ROUTING)) {
- n = get_chain_end(h, n);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
- user_offset = h->info.hook_entry[NF_IP_POST_ROUTING];
- }
-
-#ifdef NF_IP_DROPPING
- } else if (strcmp(h->info.name, "drop") == 0) {
- assert(h->info.valid_hooks == (1 << NF_IP_DROPPING));
-
- /* Hook should be first */
- assert(h->info.hook_entry[NF_IP_DROPPING] == 0);
- user_offset = 0;
-#endif
- } else {
- fprintf(stderr, "Unknown table `%s'\n", h->info.name);
- abort();
- }
-
- /* User chain == end of last builtin + policy entry */
- user_offset = get_chain_end(h, user_offset);
- user_offset += get_entry(h, user_offset)->next_offset;
-
- /* Overflows should be end of entry chains, and unconditional
- policy nodes. */
- for (i = 0; i < NUMHOOKS; i++) {
- STRUCT_ENTRY *e;
- STRUCT_STANDARD_TARGET *t;
-
- if (!(h->info.valid_hooks & (1 << i)))
- continue;
- assert(h->info.underflow[i]
- == get_chain_end(h, h->info.hook_entry[i]));
-
- e = get_entry(h, get_chain_end(h, h->info.hook_entry[i]));
- assert(unconditional(&e->ip));
- assert(e->target_offset == sizeof(*e));
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
- assert(t->target.u.target_size == ALIGN(sizeof(*t)));
- assert(e->next_offset == sizeof(*e) + ALIGN(sizeof(*t)));
-
- assert(strcmp(t->target.u.user.name, STANDARD_TARGET)==0);
- assert(t->verdict == -NF_DROP-1 || t->verdict == -NF_ACCEPT-1);
-
- /* Hooks and underflows must be valid entries */
- entry2index(h, get_entry(h, h->info.hook_entry[i]));
- entry2index(h, get_entry(h, h->info.underflow[i]));
- }
-
- assert(h->info.size
- >= h->info.num_entries * (sizeof(STRUCT_ENTRY)
- +sizeof(STRUCT_STANDARD_TARGET)));
-
- assert(h->entries.size
- >= (h->new_number
- * (sizeof(STRUCT_ENTRY)
- + sizeof(STRUCT_STANDARD_TARGET))));
- assert(strcmp(h->info.name, h->entries.name) == 0);
-
- i = 0; n = 0;
- was_return = 0;
- /* Check all the entries. */
- ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- check_entry, &i, &n, user_offset, &was_return, h);
-
- assert(i == h->new_number);
- assert(n == h->entries.size);
-
- /* Final entry must be error node */
- assert(strcmp(GET_TARGET(index2entry(h, h->new_number-1))
- ->u.user.name,
- ERROR_TARGET) == 0);
-}
-#endif /*IPTC_DEBUG*/
+++ /dev/null
-/* Library which manipulates firewall rules. Version 0.1. */
-
-/* Architecture of firewall rules is as follows:
- *
- * Chains go INPUT, FORWARD, OUTPUT then user chains.
- * Each user chain starts with an ERROR node.
- * Every chain ends with an unconditional jump: a RETURN for user chains,
- * and a POLICY for built-ins.
- */
-
-/* (C)1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
- COPYING for details). */
-
-#include <assert.h>
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <arpa/inet.h>
-
-#ifdef DEBUG_CONNTRACK
-#define inline
-#endif
-
-#if !defined(__GLIBC__) || (__GLIBC__ < 2)
-typedef unsigned int socklen_t;
-#endif
-
-#include "libiptc/libip6tc.h"
-
-#define HOOK_PRE_ROUTING NF_IP6_PRE_ROUTING
-#define HOOK_LOCAL_IN NF_IP6_LOCAL_IN
-#define HOOK_FORWARD NF_IP6_FORWARD
-#define HOOK_LOCAL_OUT NF_IP6_LOCAL_OUT
-#define HOOK_POST_ROUTING NF_IP6_POST_ROUTING
-
-#define STRUCT_ENTRY_TARGET struct ip6t_entry_target
-#define STRUCT_ENTRY struct ip6t_entry
-#define STRUCT_ENTRY_MATCH struct ip6t_entry_match
-#define STRUCT_GETINFO struct ip6t_getinfo
-#define STRUCT_GET_ENTRIES struct ip6t_get_entries
-#define STRUCT_COUNTERS struct ip6t_counters
-#define STRUCT_COUNTERS_INFO struct ip6t_counters_info
-#define STRUCT_STANDARD_TARGET struct ip6t_standard_target
-#define STRUCT_REPLACE struct ip6t_replace
-
-#define STRUCT_TC_HANDLE struct ip6tc_handle
-#define TC_HANDLE_T ip6tc_handle_t
-
-#define ENTRY_ITERATE IP6T_ENTRY_ITERATE
-#define TABLE_MAXNAMELEN IP6T_TABLE_MAXNAMELEN
-#define FUNCTION_MAXNAMELEN IP6T_FUNCTION_MAXNAMELEN
-
-#define GET_TARGET ip6t_get_target
-
-#define ERROR_TARGET IP6T_ERROR_TARGET
-#define NUMHOOKS NF_IP6_NUMHOOKS
-
-#define IPT_CHAINLABEL ip6t_chainlabel
-
-#define TC_DUMP_ENTRIES dump_entries6
-#define TC_IS_CHAIN ip6tc_is_chain
-#define TC_FIRST_CHAIN ip6tc_first_chain
-#define TC_NEXT_CHAIN ip6tc_next_chain
-#define TC_FIRST_RULE ip6tc_first_rule
-#define TC_NEXT_RULE ip6tc_next_rule
-#define TC_GET_TARGET ip6tc_get_target
-#define TC_BUILTIN ip6tc_builtin
-#define TC_GET_POLICY ip6tc_get_policy
-#define TC_INSERT_ENTRY ip6tc_insert_entry
-#define TC_REPLACE_ENTRY ip6tc_replace_entry
-#define TC_APPEND_ENTRY ip6tc_append_entry
-#define TC_DELETE_ENTRY ip6tc_delete_entry
-#define TC_DELETE_NUM_ENTRY ip6tc_delete_num_entry
-#define TC_CHECK_PACKET ip6tc_check_packet
-#define TC_FLUSH_ENTRIES ip6tc_flush_entries
-#define TC_ZERO_ENTRIES ip6tc_zero_entries
-#define TC_ZERO_COUNTER ip6tc_zero_counter
-#define TC_READ_COUNTER ip6tc_read_counter
-#define TC_SET_COUNTER ip6tc_set_counter
-#define TC_CREATE_CHAIN ip6tc_create_chain
-#define TC_GET_REFERENCES ip6tc_get_references
-#define TC_DELETE_CHAIN ip6tc_delete_chain
-#define TC_RENAME_CHAIN ip6tc_rename_chain
-#define TC_SET_POLICY ip6tc_set_policy
-#define TC_GET_RAW_SOCKET ip6tc_get_raw_socket
-#define TC_INIT ip6tc_init
-#define TC_FREE ip6tc_free
-#define TC_COMMIT ip6tc_commit
-#define TC_STRERROR ip6tc_strerror
-
-#define TC_AF AF_INET6
-#define TC_IPPROTO IPPROTO_IPV6
-
-#define SO_SET_REPLACE IP6T_SO_SET_REPLACE
-#define SO_SET_ADD_COUNTERS IP6T_SO_SET_ADD_COUNTERS
-#define SO_GET_INFO IP6T_SO_GET_INFO
-#define SO_GET_ENTRIES IP6T_SO_GET_ENTRIES
-#define SO_GET_VERSION IP6T_SO_GET_VERSION
-
-#define STANDARD_TARGET IP6T_STANDARD_TARGET
-#define LABEL_RETURN IP6TC_LABEL_RETURN
-#define LABEL_ACCEPT IP6TC_LABEL_ACCEPT
-#define LABEL_DROP IP6TC_LABEL_DROP
-#define LABEL_QUEUE IP6TC_LABEL_QUEUE
-
-#define ALIGN IP6T_ALIGN
-#define RETURN IP6T_RETURN
-
-#include "libiptc.c"
-
-#define BIT6(a, l) \
- ((ntohl(a->in6_u.u6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
-
-int
-ipv6_prefix_length(const struct in6_addr *a)
-{
- int l, i;
- for (l = 0; l < 128; l++) {
- if (BIT6(a, l) == 0)
- break;
- }
- for (i = l + 1; i < 128; i++) {
- if (BIT6(a, i) == 1)
- return -1;
- }
- return l;
-}
-
-static int
-dump_entry(struct ip6t_entry *e, const ip6tc_handle_t handle)
-{
- size_t i;
- char buf[40];
- int len;
- struct ip6t_entry_target *t;
-
- printf("Entry %u (%lu):\n", entry2index(handle, e),
- entry2offset(handle, e));
- puts("SRC IP: ");
- inet_ntop(AF_INET6, &e->ipv6.src, buf, sizeof buf);
- puts(buf);
- putchar('/');
- len = ipv6_prefix_length(&e->ipv6.smsk);
- if (len != -1)
- printf("%d", len);
- else {
- inet_ntop(AF_INET6, &e->ipv6.smsk, buf, sizeof buf);
- puts(buf);
- }
- putchar('\n');
-
- puts("DST IP: ");
- inet_ntop(AF_INET6, &e->ipv6.dst, buf, sizeof buf);
- puts(buf);
- putchar('/');
- len = ipv6_prefix_length(&e->ipv6.dmsk);
- if (len != -1)
- printf("%d", len);
- else {
- inet_ntop(AF_INET6, &e->ipv6.dmsk, buf, sizeof buf);
- puts(buf);
- }
- putchar('\n');
-
- printf("Interface: `%s'/", e->ipv6.iniface);
- for (i = 0; i < IFNAMSIZ; i++)
- printf("%c", e->ipv6.iniface_mask[i] ? 'X' : '.');
- printf("to `%s'/", e->ipv6.outiface);
- for (i = 0; i < IFNAMSIZ; i++)
- printf("%c", e->ipv6.outiface_mask[i] ? 'X' : '.');
- printf("\nProtocol: %u\n", e->ipv6.proto);
- if (e->ipv6.flags & IP6T_F_TOS)
- printf("TOS: %u\n", e->ipv6.tos);
- printf("Flags: %02X\n", e->ipv6.flags);
- printf("Invflags: %02X\n", e->ipv6.invflags);
- printf("Counters: %llu packets, %llu bytes\n",
- e->counters.pcnt, e->counters.bcnt);
- printf("Cache: %08X ", e->nfcache);
- if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
- if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
- if (e->nfcache & NFC_IP6_SRC) printf("IP6_SRC ");
- if (e->nfcache & NFC_IP6_DST) printf("IP6_DST ");
- if (e->nfcache & NFC_IP6_IF_IN) printf("IP6_IF_IN ");
- if (e->nfcache & NFC_IP6_IF_OUT) printf("IP6_IF_OUT ");
- if (e->nfcache & NFC_IP6_TOS) printf("IP6_TOS ");
- if (e->nfcache & NFC_IP6_PROTO) printf("IP6_PROTO ");
- if (e->nfcache & NFC_IP6_OPTIONS) printf("IP6_OPTIONS ");
- if (e->nfcache & NFC_IP6_TCPFLAGS) printf("IP6_TCPFLAGS ");
- if (e->nfcache & NFC_IP6_SRC_PT) printf("IP6_SRC_PT ");
- if (e->nfcache & NFC_IP6_DST_PT) printf("IP6_DST_PT ");
- if (e->nfcache & NFC_IP6_PROTO_UNKNOWN) printf("IP6_PROTO_UNKNOWN ");
- printf("\n");
-
- IP6T_MATCH_ITERATE(e, print_match);
-
- t = ip6t_get_target(e);
- printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size);
- if (strcmp(t->u.user.name, IP6T_STANDARD_TARGET) == 0) {
- int pos = *(int *)t->data;
- if (pos < 0)
- printf("verdict=%s\n",
- pos == -NF_ACCEPT-1 ? "NF_ACCEPT"
- : pos == -NF_DROP-1 ? "NF_DROP"
- : pos == IP6T_RETURN ? "RETURN"
- : "UNKNOWN");
- else
- printf("verdict=%u\n", pos);
- } else if (strcmp(t->u.user.name, IP6T_ERROR_TARGET) == 0)
- printf("error=`%s'\n", t->data);
-
- printf("\n");
- return 0;
-}
-
-static int
-is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b,
- unsigned char *matchmask)
-{
- unsigned int i;
- STRUCT_ENTRY_TARGET *ta, *tb;
- unsigned char *mptr;
-
- /* Always compare head structures: ignore mask here. */
- if (memcmp(&a->ipv6.src, &b->ipv6.src, sizeof(struct in6_addr))
- || memcmp(&a->ipv6.dst, &b->ipv6.dst, sizeof(struct in6_addr))
- || memcmp(&a->ipv6.smsk, &b->ipv6.smsk, sizeof(struct in6_addr))
- || memcmp(&a->ipv6.dmsk, &b->ipv6.dmsk, sizeof(struct in6_addr))
- || a->ipv6.proto != b->ipv6.proto
- || a->ipv6.tos != b->ipv6.tos
- || a->ipv6.flags != b->ipv6.flags
- || a->ipv6.invflags != b->ipv6.invflags)
- return 0;
-
- for (i = 0; i < IFNAMSIZ; i++) {
- if (a->ipv6.iniface_mask[i] != b->ipv6.iniface_mask[i])
- return 0;
- if ((a->ipv6.iniface[i] & a->ipv6.iniface_mask[i])
- != (b->ipv6.iniface[i] & b->ipv6.iniface_mask[i]))
- return 0;
- if (a->ipv6.outiface_mask[i] != b->ipv6.outiface_mask[i])
- return 0;
- if ((a->ipv6.outiface[i] & a->ipv6.outiface_mask[i])
- != (b->ipv6.outiface[i] & b->ipv6.outiface_mask[i]))
- return 0;
- }
-
- if (a->nfcache != b->nfcache
- || a->target_offset != b->target_offset
- || a->next_offset != b->next_offset)
- return 0;
-
- mptr = matchmask + sizeof(STRUCT_ENTRY);
- if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
- return 0;
-
- ta = GET_TARGET((STRUCT_ENTRY *)a);
- tb = GET_TARGET((STRUCT_ENTRY *)b);
- if (ta->u.target_size != tb->u.target_size)
- return 0;
- if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
- return 0;
- mptr += sizeof(*ta);
-
- if (target_different(ta->data, tb->data,
- ta->u.target_size - sizeof(*ta), mptr))
- return 0;
-
- return 1;
-}
-
-/* All zeroes == unconditional rule. */
-static inline int
-unconditional(const struct ip6t_ip6 *ipv6)
-{
- unsigned int i;
-
- for (i = 0; i < sizeof(*ipv6); i++)
- if (((char *)ipv6)[i])
- break;
-
- return (i == sizeof(*ipv6));
-}
-
-#ifdef IPTC_DEBUG
-/* Do every conceivable sanity check on the handle */
-static void
-do_check(TC_HANDLE_T h, unsigned int line)
-{
- unsigned int i, n;
- unsigned int user_offset; /* Offset of first user chain */
- int was_return;
-
- assert(h->changed == 0 || h->changed == 1);
- if (strcmp(h->info.name, "filter") == 0) {
- assert(h->info.valid_hooks
- == (1 << NF_IP6_LOCAL_IN
- | 1 << NF_IP6_FORWARD
- | 1 << NF_IP6_LOCAL_OUT));
-
- /* Hooks should be first three */
- assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == 0);
-
- n = get_chain_end(h, 0);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_FORWARD] == n);
-
- n = get_chain_end(h, n);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
-
- user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
- } else if (strcmp(h->info.name, "nat") == 0) {
- assert((h->info.valid_hooks
- == (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_LOCAL_OUT
- | 1 << NF_IP6_POST_ROUTING)) ||
- (h->info.valid_hooks
- == (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_LOCAL_IN
- | 1 << NF_IP6_LOCAL_OUT
- | 1 << NF_IP6_POST_ROUTING)));
-
- assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
-
- n = get_chain_end(h, 0);
-
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
- n = get_chain_end(h, n);
-
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
- user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
-
- if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) {
- n = get_chain_end(h, n);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
- user_offset = h->info.hook_entry[NF_IP6_LOCAL_IN];
- }
-
- } else if (strcmp(h->info.name, "mangle") == 0) {
- /* This code is getting ugly because linux < 2.4.18-pre6 had
- * two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
- * */
- assert((h->info.valid_hooks
- == (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_LOCAL_OUT)) ||
- (h->info.valid_hooks
- == (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_LOCAL_IN
- | 1 << NF_IP6_FORWARD
- | 1 << NF_IP6_LOCAL_OUT
- | 1 << NF_IP6_POST_ROUTING)));
-
- /* Hooks should be first five */
- assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
-
- n = get_chain_end(h, 0);
-
- if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) {
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
- n = get_chain_end(h, n);
- }
-
- if (h->info.valid_hooks & (1 << NF_IP6_FORWARD)) {
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_FORWARD] == n);
- n = get_chain_end(h, n);
- }
-
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
- user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
-
- if (h->info.valid_hooks & (1 << NF_IP6_POST_ROUTING)) {
- n = get_chain_end(h, n);
- n += get_entry(h, n)->next_offset;
- assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
- user_offset = h->info.hook_entry[NF_IP6_POST_ROUTING];
- }
- } else {
- fprintf(stderr, "Unknown table `%s'\n", h->info.name);
- abort();
- }
-
- /* User chain == end of last builtin + policy entry */
- user_offset = get_chain_end(h, user_offset);
- user_offset += get_entry(h, user_offset)->next_offset;
-
- /* Overflows should be end of entry chains, and unconditional
- policy nodes. */
- for (i = 0; i < NUMHOOKS; i++) {
- STRUCT_ENTRY *e;
- STRUCT_STANDARD_TARGET *t;
-
- if (!(h->info.valid_hooks & (1 << i)))
- continue;
- assert(h->info.underflow[i]
- == get_chain_end(h, h->info.hook_entry[i]));
-
- e = get_entry(h, get_chain_end(h, h->info.hook_entry[i]));
- assert(unconditional(&e->ipv6));
- assert(e->target_offset == sizeof(*e));
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
- printf("target_size=%u, align=%u\n",
- t->target.u.target_size, ALIGN(sizeof(*t)));
- assert(t->target.u.target_size == ALIGN(sizeof(*t)));
- assert(e->next_offset == sizeof(*e) + ALIGN(sizeof(*t)));
-
- assert(strcmp(t->target.u.user.name, STANDARD_TARGET)==0);
- assert(t->verdict == -NF_DROP-1 || t->verdict == -NF_ACCEPT-1);
-
- /* Hooks and underflows must be valid entries */
- entry2index(h, get_entry(h, h->info.hook_entry[i]));
- entry2index(h, get_entry(h, h->info.underflow[i]));
- }
-
- assert(h->info.size
- >= h->info.num_entries * (sizeof(STRUCT_ENTRY)
- +sizeof(STRUCT_STANDARD_TARGET)));
-
- assert(h->entries.size
- >= (h->new_number
- * (sizeof(STRUCT_ENTRY)
- + sizeof(STRUCT_STANDARD_TARGET))));
- assert(strcmp(h->info.name, h->entries.name) == 0);
-
- i = 0; n = 0;
- was_return = 0;
-
-#if 0
- /* Check all the entries. */
- ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- check_entry, &i, &n, user_offset, &was_return, h);
-
- assert(i == h->new_number);
- assert(n == h->entries.size);
-
- /* Final entry must be error node */
- assert(strcmp(GET_TARGET(index2entry(h, h->new_number-1))
- ->u.user.name,
- ERROR_TARGET) == 0);
-#endif
-}
-#endif /*IPTC_DEBUG*/
+++ /dev/null
-/* Library which manipulates firewall rules. Version $Revision: 1.41 $ */
-
-/* Architecture of firewall rules is as follows:
- *
- * Chains go INPUT, FORWARD, OUTPUT then user chains.
- * Each user chain starts with an ERROR node.
- * Every chain ends with an unconditional jump: a RETURN for user chains,
- * and a POLICY for built-ins.
- */
-
-/* (C) 1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
- * COPYING for details).
- * (C) 2000-2003 by the Netfilter Core Team <coreteam@netfilter.org>
- *
- * 2003-Jun-20: Harald Welte <laforge@netfilter.org>:
- * - Reimplementation of chain cache to use offsets instead of entries
- * 2003-Jun-23: Harald Welte <laforge@netfilter.org>:
- * - speed optimization, sponsored by Astaro AG (http://www.astaro.com/)
- * don't rebuild the chain cache after every operation, instead fix it
- * up after a ruleset change.
- * 2003-Jun-30: Harald Welte <laforge@netfilter.org>:
- * - reimplementation from scratch. *sigh*. I hope nobody has to touch
- * this code ever again.
- */
-#include "linux_listhelp.h"
-
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR "/usr/lib/iptables"
-#endif
-
-static int sockfd = -1;
-static void *iptc_fn = NULL;
-
-static const char *hooknames[]
-= { [HOOK_PRE_ROUTING] "PREROUTING",
- [HOOK_LOCAL_IN] "INPUT",
- [HOOK_FORWARD] "FORWARD",
- [HOOK_LOCAL_OUT] "OUTPUT",
- [HOOK_POST_ROUTING] "POSTROUTING",
-#ifdef HOOK_DROPPING
- [HOOK_DROPPING] "DROPPING"
-#endif
-};
-
-struct counter_map
-{
- enum {
- COUNTER_MAP_NOMAP,
- COUNTER_MAP_NORMAL_MAP,
- COUNTER_MAP_ZEROED,
- COUNTER_MAP_SET
- } maptype;
- unsigned int mappos;
-};
-
-/* Convenience structures */
-struct ipt_error_target
-{
- STRUCT_ENTRY_TARGET t;
- char error[TABLE_MAXNAMELEN];
-};
-
-struct rule_head
-{
- struct list_head list; /* list of rules in chain */
-
- struct chain_head *chain; /* we're part of this chain */
-
- struct chain_head *jumpto; /* target of this rule, in case
- it is a jump rule */
-
- struct counter_map counter_map;
-
- unsigned int size; /* size of rule */
- STRUCT_ENTRY *entry_blob; /* pointer to entry in blob */
- STRUCT_ENTRY entry[0];
-};
-
-struct chain_head
-{
- struct list_head list;
-
- char name[TABLE_MAXNAMELEN];
- unsigned int hooknum;
- struct list_head rules;
- struct rule_head *firstrule; /* first (ERROR) rule */
- struct rule_head *lastrule; /* last (RETURN) rule */
-};
-
-STRUCT_TC_HANDLE
-{
- /* Have changes been made? */
- int changed;
-
- /* linked list of chains in this table */
- struct list_head chains;
-
- /* current position of first_chain() / next_chain() */
- struct chain_head *chain_iterator_cur;
-
- /* current position of first_rule() / next_rule() */
- struct rule_head *rule_iterator_cur;
-
- /* the structure we receive from getsockopt() */
- STRUCT_GETINFO info;
-
- /* Array of hook names */
- const char **hooknames;
-#if 0
- /* Size in here reflects original state. */
-
-
- /* Cached position of chain heads (NULL = no cache). */
- unsigned int cache_num_chains;
- unsigned int cache_num_builtins;
- struct chain_cache *cache_chain_heads;
-
- /* Chain iterator: current chain cache entry. */
- struct chain_cache *cache_chain_iteration;
-
- /* Rule iterator: terminal rule */
- STRUCT_ENTRY *cache_rule_end;
-
- /* Number in here reflects current state. */
- unsigned int new_number;
-#endif
- STRUCT_GET_ENTRIES entries;
-};
-
-static void
-set_changed(TC_HANDLE_T h)
-{
- h->changed = 1;
-}
-
-#ifdef IPTC_DEBUG
-static void do_check(TC_HANDLE_T h, unsigned int line);
-#define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
-#else
-#define CHECK(h)
-#endif
-
-static struct rule_head *ruleh_alloc(unsigned int size)
-{
- struct rule_head *ruleh = malloc(sizeof(*ruleh)+size);
- if (!ruleh)
- return NULL;
-
- memset(ruleh, 0, sizeof(*ruleh)+size);
- ruleh->size = size;
-
- return ruleh;
-}
-
-static void ruleh_free(struct rule_head *ruleh)
-{
- list_del(&ruleh->list);
- free(ruleh);
-}
-
-static struct chain_head *chainh_alloc(TC_HANDLE_T h, const char *name)
-{
- struct chain_head *chainh = malloc(sizeof(*chainh));
- if (!chainh)
- return NULL;
-
- memset(chainh, 0, sizeof(*chainh));
- strncpy(chainh->name, name, sizeof(&chainh->name));
- list_append(&chainh->list, &h->chains);
-
- return chainh;
-}
-
-static void
-chainh_clean(struct chain_head *chainh)
-{
- /* FIXME */
- struct list_head *cur_item, *item2;
-
- list_for_each_safe(cur_item, item2, &chainh->rules) {
- struct rule_head *ruleh = list_entry(cur_item,
- struct rule_head,
- list);
- ruleh_free(ruleh);
- }
-}
-
-static void
-chainh_free(struct chain_head *chainh)
-{
- chainh_clean(chainh);
- list_del(&chainh->list);
-}
-
-static struct chain_head *
-chainh_find(TC_HANDLE_T h, const IPT_CHAINLABEL name)
-{
- struct list_head *cur;
-
- list_for_each(cur, &h->chains) {
- struct chain_head *ch = list_entry(cur, struct chain_head,
- list);
- if (!strcmp(name, ch->name))
- return ch;
- }
- return NULL;
-}
-
-/* Returns chain head if found, otherwise NULL. */
-static struct chain_head *
-find_label(const char *name, TC_HANDLE_T handle)
-{
- return chainh_find(handle, name);
-}
-
-
-/*
- * functions that directly operate on the blob
- */
-
-static inline unsigned long
-entry2offset(const TC_HANDLE_T h, const STRUCT_ENTRY *e)
-{
- return (void *)e - (void *)h->entries.entrytable;
-}
-
-static inline STRUCT_ENTRY *
-get_entry(TC_HANDLE_T h, unsigned int offset)
-{
- return (STRUCT_ENTRY *)((char *)h->entries.entrytable + offset);
-}
-
-/* needed by entry2index */
-static inline int
-get_number(const STRUCT_ENTRY *i,
- const STRUCT_ENTRY *seek,
- unsigned int *pos)
-{
- if (i == seek)
- return 1;
- (*pos)++;
- return 0;
-}
-
-static unsigned int
-entry2index(const TC_HANDLE_T h, const STRUCT_ENTRY *seek)
-{
- unsigned int pos = 0;
-
- if (ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- get_number, seek, &pos) == 0) {
- fprintf(stderr, "ERROR: offset %i not an entry!\n",
- (char *)seek - (char *)h->entries.entrytable);
- abort();
- }
- return pos;
-}
-
-static inline int
-get_entry_n(STRUCT_ENTRY *i,
- unsigned int number,
- unsigned int *pos,
- STRUCT_ENTRY **pe)
-{
- if (*pos == number) {
- *pe = i;
- return 1;
- }
- (*pos)++;
- return 0;
-}
-
-static STRUCT_ENTRY *
-index2entry(TC_HANDLE_T h, unsigned int index)
-{
- unsigned int pos = 0;
- STRUCT_ENTRY *ret = NULL;
-
- ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- get_entry_n, index, &pos, &ret);
-
- return ret;
-}
-
-static inline unsigned long
-index2offset(TC_HANDLE_T h, unsigned int index)
-{
- return entry2offset(h, index2entry(h, index));
-}
-
-static char *
-get_errorlabel(TC_HANDLE_T h, unsigned int offset)
-{
- STRUCT_ENTRY *e;
-
- e = get_entry(h, offset);
- if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) != 0) {
- fprintf(stderr, "ERROR: offset %u not an error node!\n",
- offset);
- abort();
- }
-
- return (char *)GET_TARGET(e)->data;
-}
-
-#if 0
-static inline STRUCT_ENTRY *
-offset2entry(TC_HANDLE_T h, unsigned int offset)
-{
- return (STRUCT_ENTRY *) ((void *)h->entries.entrytable+offset);
-}
-
-static inline unsigned int
-offset2index(const TC_HANDLE_T h, unsigned int offset)
-{
- return entry2index(h, offset2entry(h, offset));
-}
-
-
-#endif
-
-/* Allocate handle of given size */
-static TC_HANDLE_T
-alloc_tc_handle(const char *tablename, unsigned int size,
- unsigned int num_rules)
-{
- size_t len;
- TC_HANDLE_T h;
-
- len = sizeof(STRUCT_TC_HANDLE)
- + size
- + num_rules * sizeof(struct counter_map);
-
- if ((h = malloc(len)) == NULL) {
- errno = ENOMEM;
- return NULL;
- }
-
- h->changed = 0;
-
- strcpy(h->info.name, tablename);
- strcpy(h->entries.name, tablename);
- INIT_LIST_HEAD(&h->chains);
-
- return h;
-}
-
-/* get the name of the chain that we jump to */
-static char *
-parse_jumptarget(const STRUCT_ENTRY *e, TC_HANDLE_T h)
-{
- STRUCT_ENTRY *jumpto;
- int spos, labelidx;
-
- if (strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET) != 0) {
- /* called for non-standard target */
- return "__FIXME";
- }
- /* Standard target: evaluate */
- spos = *(int *)GET_TARGET(e)->data;
- if (spos < 0) {
- return "__FIXME";
- }
-
- jumpto = get_entry(h, spos);
-
- /* Fall through rule */
- if (jumpto == (void *)e + e->next_offset)
- return "";
-
- /* Must point to head of a chain: ie. after error rule */
- /* FIXME: this needs to deal with internal jump targets */
- labelidx = entry2index(h, jumpto) - 1;
- return get_errorlabel(h, index2offset(h, labelidx));
-}
-
-/* parser functions */
-
-struct rule_head *
-append_entrycopy(const STRUCT_ENTRY *e, struct rule_head *prev)
-{
- struct rule_head *ruleh = ruleh_alloc(e->next_offset);
- if (!ruleh)
- return NULL;
-
- memcpy(&ruleh->entry, e, e->next_offset);
- ruleh->chain = prev->chain;
- ruleh->entry_blob = e;
- list_append(&ruleh->list, &prev->list);
-
- return ruleh;
-}
-
-/* have to return 0 on success, bcf ENTRY_ITERATE */
-static inline int
-parse_entry(const STRUCT_ENTRY *e, TC_HANDLE_T h, struct chain_head **curchain)
-{
- int i;
- union tgt_u {
- STRUCT_ENTRY_TARGET ent;
- STRUCT_STANDARD_TARGET std;
- struct ipt_error_target err;
- } *tgt;
-
- struct rule_head *lastrule = list_entry((*curchain)->rules.prev,
- struct rule_head, list);
- struct rule_head *newrule;
-
- tgt = (union tgt_u *) GET_TARGET(e);
-
- if (e->target_offset == sizeof(STRUCT_ENTRY)
- && (strcmp(tgt->ent.u.user.name, IPT_STANDARD_TARGET) == 0)) {
- /* jump to somewhere else */
- char *targname;
- struct chain_head *chainh;
-
- newrule = append_entrycopy(e, lastrule);
-
- targname = parse_jumptarget(e, h);
- if (!(chainh = find_label(targname, h))) {
- chainh = chainh_alloc(h, targname);
- }
- if (!chainh) {
- errno = ENOMEM;
- return 1;
- }
- newrule->jumpto = chainh;
-
- } else if (e->target_offset == sizeof(STRUCT_ENTRY)
- && e->next_offset == sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(struct ipt_error_target))
- && !strcmp(tgt->ent.u.user.name, ERROR_TARGET)) {
- /* chain head */
- *curchain = chainh_find(h, tgt->err.error);
- if (!(*curchain)) {
- *curchain = chainh_alloc(h, tgt->err.error);
- /* FIXME: error handling */
- }
- newrule = append_entrycopy(e, lastrule);
- (*curchain)->firstrule = newrule;
-
- } else if (e->target_offset == sizeof(STRUCT_ENTRY)
- && e->next_offset == sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(STRUCT_STANDARD_TARGET))
- && tgt->std.verdict == RETURN) {
- /* chain end */
- newrule = append_entrycopy(e, lastrule);
- (*curchain)->lastrule = newrule;
- *curchain = NULL;
- } else {
- /* normal rule */
- newrule = append_entrycopy(e, lastrule);
- }
-
- /* create counter map entry */
- newrule->counter_map.maptype = COUNTER_MAP_NORMAL_MAP;
- newrule->counter_map.mappos = entry2index(h, e);
-
- /* iterate over hook_entries, needed to connect builtin
- * chains with hook numbers */
- for (i = 0; i < NUMHOOKS; i++) {
- if (!(h->info.valid_hooks & (1 << i)))
- continue;
- if (h->info.hook_entry[i] == entry2offset(h, e)) {
- /* found hook entry point */
- if (*curchain)
- (*curchain)->hooknum = i;
- }
- if (h->info.underflow[i] == entry2offset(h, e)) {
- /* found underflow point */
- }
- }
-
- return 0;
-}
-
-static int parse_ruleset(TC_HANDLE_T h)
-{
- struct chain_head *curchain;
-
- /* iterate over ruleset; create linked list of rule_head/chain_head */
- if (ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- parse_entry, h, &curchain)) {
- /* some error happened while iterating */
- return 0;
- }
-
- return 1;
-}
-
-TC_HANDLE_T
-TC_INIT(const char *tablename)
-{
- TC_HANDLE_T h;
- STRUCT_GETINFO info;
- int tmp;
- socklen_t s;
-
- iptc_fn = TC_INIT;
-
- if (sockfd != -1) {
- close(sockfd);
- sockfd = -1;
- }
-
- if (strlen(tablename) >= TABLE_MAXNAMELEN) {
- errno = EINVAL;
- return NULL;
- }
-
- sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
- if (sockfd < 0)
- return NULL;
-
- s = sizeof(info);
-
- strcpy(info.name, tablename);
- if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, &info, &s) < 0)
- return NULL;
-
- if ((h = alloc_tc_handle(info.name, info.size, info.num_entries))
- == NULL) {
- close(sockfd);
- sockfd = -1;
- return NULL;
- }
-
-/* Too hard --RR */
-#if 0
- sprintf(pathname, "%s/%s", IPT_LIB_DIR, info.name);
- dynlib = dlopen(pathname, RTLD_NOW);
- if (!dynlib) {
- errno = ENOENT;
- return NULL;
- }
- h->hooknames = dlsym(dynlib, "hooknames");
- if (!h->hooknames) {
- errno = ENOENT;
- return NULL;
- }
-#else
- h->hooknames = hooknames;
-#endif
-
- /* Initialize current state */
- h->info = info;
- //h->new_number = h->info.num_entries;
- //
- h->entries.size = h->info.size;
-
- tmp = sizeof(STRUCT_GET_ENTRIES) + h->info.size;
-
- if (getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, &h->entries,
- &tmp) < 0) {
- close(sockfd);
- sockfd = -1;
- free(h);
- return NULL;
- }
-
- CHECK(h);
- parse_ruleset(h);
-
- return h;
-}
-
-void
-TC_FREE(TC_HANDLE_T *h)
-{
- struct list_head *cur_item, *item2;
-
- close(sockfd);
- sockfd = -1;
-
- /* free all chains */
- list_for_each_safe(cur_item, item2, &(*h)->chains) {
- struct chain_head *chead = list_entry(cur_item,
- struct chain_head,
- list);
- chainh_free(chead);
- }
-
- /* FIXME: free all other ressources we might be using */
-
- free(*h);
- *h = NULL;
-}
-
-static inline int
-print_match(const STRUCT_ENTRY_MATCH *m)
-{
- printf("Match name: `%s'\n", m->u.user.name);
- return 0;
-}
-
-static int dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle);
-
-#if 0
-void
-TC_DUMP_ENTRIES(const TC_HANDLE_T handle)
-{
- CHECK(handle);
-
- printf("libiptc v%s. %u entries, %u bytes.\n",
- IPTABLES_VERSION,
- handle->new_number, handle->entries.size);
- printf("Table `%s'\n", handle->info.name);
- printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
- handle->info.hook_entry[HOOK_PRE_ROUTING],
- handle->info.hook_entry[HOOK_LOCAL_IN],
- handle->info.hook_entry[HOOK_FORWARD],
- handle->info.hook_entry[HOOK_LOCAL_OUT],
- handle->info.hook_entry[HOOK_POST_ROUTING]);
- printf("Underflows: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
- handle->info.underflow[HOOK_PRE_ROUTING],
- handle->info.underflow[HOOK_LOCAL_IN],
- handle->info.underflow[HOOK_FORWARD],
- handle->info.underflow[HOOK_LOCAL_OUT],
- handle->info.underflow[HOOK_POST_ROUTING]);
-
- ENTRY_ITERATE(handle->entries.entrytable, handle->entries.size,
- dump_entry, handle);
-}
-
-/* Returns 0 if not hook entry, else hooknumber + 1 */
-static inline unsigned int
-is_hook_entry(STRUCT_ENTRY *e, TC_HANDLE_T h)
-{
- unsigned int i;
-
- for (i = 0; i < NUMHOOKS; i++) {
- if ((h->info.valid_hooks & (1 << i))
- && get_entry(h, h->info.hook_entry[i]) == e)
- return i+1;
- }
- return 0;
-}
-
-
-static int alphasort(const void *a, const void *b)
-{
- return strcmp(((struct chain_cache *)a)->name,
- ((struct chain_cache *)b)->name);
-}
-#endif
-
-/* Does this chain exist? */
-int TC_IS_CHAIN(const char *chain, const TC_HANDLE_T handle)
-{
- return find_label(chain, handle) != NULL;
-}
-
-#if 0
-/* Returns the position of the final (ie. unconditional) element. */
-static unsigned int
-get_chain_end(const TC_HANDLE_T handle, unsigned int start)
-{
- unsigned int last_off, off;
- STRUCT_ENTRY *e;
-
- last_off = start;
- e = get_entry(handle, start);
-
- /* Terminate when we meet a error label or a hook entry. */
- for (off = start + e->next_offset;
- off < handle->entries.size;
- last_off = off, off += e->next_offset) {
- STRUCT_ENTRY_TARGET *t;
- unsigned int i;
-
- e = get_entry(handle, off);
-
- /* We hit an entry point. */
- for (i = 0; i < NUMHOOKS; i++) {
- if ((handle->info.valid_hooks & (1 << i))
- && off == handle->info.hook_entry[i])
- return last_off;
- }
-
- /* We hit a user chain label */
- t = GET_TARGET(e);
- if (strcmp(t->u.user.name, ERROR_TARGET) == 0)
- return last_off;
- }
- /* SHOULD NEVER HAPPEN */
- fprintf(stderr, "ERROR: Off end (%u) of chain from %u!\n",
- handle->entries.size, off);
- abort();
-}
-#endif
-
-/* Iterator functions to run through the chains. */
-const char *
-TC_FIRST_CHAIN(TC_HANDLE_T *handle)
-{
- struct chain_head *firsthead = list_entry((*handle)->chains.next,
- struct chain_head, list);
- (*handle)->chain_iterator_cur = firsthead;
-
- return firsthead->name;
-}
-
-/* Iterator functions to run through the chains. Returns NULL at end. */
-const char *
-TC_NEXT_CHAIN(TC_HANDLE_T *handle)
-{
- struct chain_head *next = list_entry(&(*handle)->chain_iterator_cur->list.next, struct chain_head, list);
- (*handle)->chain_iterator_cur = next;
-
- if (&next->list == &(*handle)->chains)
- return NULL;
-
- return next->name;
-}
-
-/* Get first rule in the given chain: NULL for empty chain. */
-const STRUCT_ENTRY *
-TC_FIRST_RULE(const char *chain, TC_HANDLE_T *handle)
-{
- struct chain_head *c;
- struct rule_head *r;
-
- c = find_label(chain, *handle);
- if (!c) {
- errno = ENOENT;
- return NULL;
- }
-
- /* Empty chain: single return/policy rule */
- if (list_empty(&c->rules))
- return NULL;
-
- r = list_entry(c->rules.next, struct rule_head, list);
- (*handle)->rule_iterator_cur = r;
-
- return r->entry;
-}
-
-/* Returns NULL when rules run out. */
-const STRUCT_ENTRY *
-TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
-{
- struct rule_head *r = list_entry((*handle)->rule_iterator_cur->list.next, struct rule_head, list);
-
- if (&r->list == &r->chain->rules)
- return NULL;
-
- /* NOTE: prev is without any influence ! */
- return r->entry;
-}
-
-#if 0
-/* How many rules in this chain? */
-unsigned int
-TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
-{
- unsigned int off = 0;
- STRUCT_ENTRY *start, *end;
-
- CHECK(*handle);
- if (!find_label(&off, chain, *handle)) {
- errno = ENOENT;
- return (unsigned int)-1;
- }
-
- start = get_entry(*handle, off);
- end = get_entry(*handle, get_chain_end(*handle, off));
-
- return entry2index(*handle, end) - entry2index(*handle, start);
-}
-
-/* Get n'th rule in this chain. */
-const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
- unsigned int n,
- TC_HANDLE_T *handle)
-{
- unsigned int pos = 0, chainindex;
-
- CHECK(*handle);
- if (!find_label(&pos, chain, *handle)) {
- errno = ENOENT;
- return NULL;
- }
-
- chainindex = entry2index(*handle, get_entry(*handle, pos));
-
- return index2entry(*handle, chainindex + n);
-}
-#endif
-
-static const char *
-target_name(TC_HANDLE_T handle, const STRUCT_ENTRY *ce)
-{
- int spos;
-
- /* To avoid const warnings */
- STRUCT_ENTRY *e = (STRUCT_ENTRY *)ce;
-
- if (strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET) != 0)
- return GET_TARGET(e)->u.user.name;
-
- /* Standard target: evaluate */
- spos = *(int *)GET_TARGET(e)->data;
- if (spos < 0) {
- if (spos == RETURN)
- return LABEL_RETURN;
- else if (spos == -NF_ACCEPT-1)
- return LABEL_ACCEPT;
- else if (spos == -NF_DROP-1)
- return LABEL_DROP;
- else if (spos == -NF_QUEUE-1)
- return LABEL_QUEUE;
-
- fprintf(stderr, "ERROR: entry %p not a valid target (%d)\n",
- e, spos);
- abort();
- }
-
-#if 0
-// jumpto = get_entry(handle, spos);
-
- /* Fall through rule */
- if (jumpto == (void *)e + e->next_offset)
- return "";
-
- /* Must point to head of a chain: ie. after error rule */
- /* FIXME: this needs to deal with internal jump targets */
- labelidx = entry2index(handle, jumpto) - 1;
- return get_errorlabel(handle, index2offset(handle, labelidx));
-#endif
- return "";
-}
-
-/* Returns a pointer to the target name of this position. */
-const char *TC_GET_TARGET(const STRUCT_ENTRY *e,
- TC_HANDLE_T *handle)
-{
- return target_name(*handle, e);
-}
-
-/* Is this a built-in chain? Actually returns hook + 1. */
-int
-TC_BUILTIN(const char *chain, const TC_HANDLE_T handle)
-{
- unsigned int i;
-
- for (i = 0; i < NUMHOOKS; i++) {
- if ((handle->info.valid_hooks & (1 << i))
- && handle->hooknames[i]
- && strcmp(handle->hooknames[i], chain) == 0)
- return i+1;
- }
- return 0;
-}
-
-/* Get the policy of a given built-in chain */
-const char *
-TC_GET_POLICY(const char *chain,
- STRUCT_COUNTERS *counters,
- TC_HANDLE_T *handle)
-{
- STRUCT_ENTRY *e;
- struct chain_head *chainh;
- struct rule_head *ruleh;
- int hook;
-
- hook = TC_BUILTIN(chain, *handle);
- if (hook == 0)
- return NULL;
-
- chainh = find_label(chain, *handle);
- if (!chainh) {
- errno = ENOENT;
- return NULL;
- }
-
- ruleh = chainh->lastrule;
-
- e = ruleh->entry;
- *counters = e->counters;
-
- return target_name(*handle, e);
-}
-
-#if 0
-static int
-correct_verdict(STRUCT_ENTRY *e,
- char *base,
- unsigned int offset, int delta_offset)
-{
- STRUCT_STANDARD_TARGET *t = (void *)GET_TARGET(e);
- unsigned int curr = (char *)e - base;
-
- /* Trap: insert of fall-through rule. Don't change fall-through
- verdict to jump-over-next-rule. */
- if (strcmp(t->target.u.user.name, STANDARD_TARGET) == 0
- && t->verdict > (int)offset
- && !(curr == offset &&
- t->verdict == curr + e->next_offset)) {
- t->verdict += delta_offset;
- }
-
- return 0;
-}
-
-/* Adjusts standard verdict jump positions after an insertion/deletion. */
-static int
-set_verdict(unsigned int offset, int delta_offset, TC_HANDLE_T *handle)
-{
- ENTRY_ITERATE((*handle)->entries.entrytable,
- (*handle)->entries.size,
- correct_verdict, (char *)(*handle)->entries.entrytable,
- offset, delta_offset);
-
- set_changed(*handle);
- return 1;
-}
-#endif
-
-
-
-static int
-standard_map(STRUCT_ENTRY *e, int verdict)
-{
- STRUCT_STANDARD_TARGET *t;
-
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
-
- if (t->target.u.target_size
- != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
- errno = EINVAL;
- return 0;
- }
- /* memset for memcmp convenience on delete/replace */
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
- strcpy(t->target.u.user.name, STANDARD_TARGET);
- t->verdict = verdict;
-
- return 1;
-}
-
-static int
-map_target(const TC_HANDLE_T handle,
- STRUCT_ENTRY *e,
- unsigned int offset,
- STRUCT_ENTRY_TARGET *old)
-{
- STRUCT_ENTRY_TARGET *t = (STRUCT_ENTRY_TARGET *)GET_TARGET(e);
-
- /* Save old target (except data, which we don't change, except for
- standard case, where we don't care). */
- *old = *t;
-
- /* Maybe it's empty (=> fall through) */
- if (strcmp(t->u.user.name, "") == 0)
- return standard_map(e, offset + e->next_offset);
- /* Maybe it's a standard target name... */
- else if (strcmp(t->u.user.name, LABEL_ACCEPT) == 0)
- return standard_map(e, -NF_ACCEPT - 1);
- else if (strcmp(t->u.user.name, LABEL_DROP) == 0)
- return standard_map(e, -NF_DROP - 1);
- else if (strcmp(t->u.user.name, LABEL_QUEUE) == 0)
- return standard_map(e, -NF_QUEUE - 1);
- else if (strcmp(t->u.user.name, LABEL_RETURN) == 0)
- return standard_map(e, RETURN);
- else if (TC_BUILTIN(t->u.user.name, handle)) {
- /* Can't jump to builtins. */
- errno = EINVAL;
- return 0;
- } else {
- /* Maybe it's an existing chain name. */
- struct chain_head *c;
-
-#if 0
- /* FIXME */
- c = find_label(t->u.user.name, handle);
- if (c)
- return standard_map(e, c->start_off);
-#endif
- }
-
- /* Must be a module? If not, kernel will reject... */
- /* memset to all 0 for your memcmp convenience. */
- memset(t->u.user.name + strlen(t->u.user.name),
- 0,
- FUNCTION_MAXNAMELEN - strlen(t->u.user.name));
- return 1;
-}
-
-static void
-unmap_target(STRUCT_ENTRY *e, STRUCT_ENTRY_TARGET *old)
-{
- STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
-
- /* Save old target (except data, which we don't change, except for
- standard case, where we don't care). */
- *t = *old;
-}
-
-static struct rule_head *
-ruleh_get_n(struct chain_head *chead, int rulenum)
-{
- int i = 0;
- struct list_head *list;
-
-
- list_for_each(list, &chead->rules) {
- struct rule_head *rhead = list_entry(list, struct rule_head,
- list);
- i++;
- if (i == rulenum)
- return rhead;
- }
- return NULL;
-}
-
-/* Insert the entry `e' in chain `chain' into position `rulenum'. */
-int
-TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *e,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- struct chain_head *c;
- struct rule_head *prev;
-
- iptc_fn = TC_INSERT_ENTRY;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- prev = ruleh_get_n(c, rulenum-1);
- if (!prev) {
- errno = E2BIG;
- return 0;
- }
-
- if (append_entrycopy(e, prev))
- return 1;
-
- return 0;
-}
-
-/* Atomically replace rule `rulenum' in `chain' with `fw'. */
-int
-TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *e,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- struct chain_head *c;
- struct rule_head *repl;
-
- iptc_fn = TC_REPLACE_ENTRY;
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- repl = ruleh_get_n(c, rulenum);
- if (!repl) {
- errno = E2BIG;
- return 0;
- }
-
- if (!append_entrycopy(e, repl)) {
- errno = ENOMEM;
- return 0;
- }
-
- ruleh_free(repl);
- return 1;
-}
-
-/* Append entry `e' to chain `chain'. Equivalent to insert with
- rulenum = length of chain. */
-int
-TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *e,
- TC_HANDLE_T *handle)
-{
- struct chain_head *c;
- struct rule_head *rhead;
-
- iptc_fn = TC_APPEND_ENTRY;
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- rhead = list_entry(c->rules.prev, struct rule_head, list);
- if(append_entrycopy(e, rhead))
- return 1;
-
- return 0;
-}
-
-static inline int
-match_different(const STRUCT_ENTRY_MATCH *a,
- const unsigned char *a_elems,
- const unsigned char *b_elems,
- unsigned char **maskptr)
-{
- const STRUCT_ENTRY_MATCH *b;
- unsigned int i;
-
- /* Offset of b is the same as a. */
- b = (void *)b_elems + ((unsigned char *)a - a_elems);
-
- if (a->u.match_size != b->u.match_size)
- return 1;
-
- if (strcmp(a->u.user.name, b->u.user.name) != 0)
- return 1;
-
- *maskptr += ALIGN(sizeof(*a));
-
- for (i = 0; i < a->u.match_size - ALIGN(sizeof(*a)); i++)
- if (((a->data[i] ^ b->data[i]) & (*maskptr)[i]) != 0)
- return 1;
- *maskptr += i;
- return 0;
-}
-
-static inline int
-target_different(const unsigned char *a_targdata,
- const unsigned char *b_targdata,
- unsigned int tdatasize,
- const unsigned char *mask)
-{
- unsigned int i;
- for (i = 0; i < tdatasize; i++)
- if (((a_targdata[i] ^ b_targdata[i]) & mask[i]) != 0)
- return 1;
-
- return 0;
-}
-
-static int
-is_same(const STRUCT_ENTRY *a,
- const STRUCT_ENTRY *b,
- unsigned char *matchmask);
-
-/* Delete the first rule in `chain' which matches `origfw'. */
-int
-TC_DELETE_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *origfw,
- unsigned char *matchmask,
- TC_HANDLE_T *handle)
-{
- struct chain_head *c;
- struct list_head *cur, *cur2;
-
- iptc_fn = TC_DELETE_ENTRY;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- list_for_each_safe(cur, cur2, &c->rules) {
- struct rule_head *rhead = list_entry(cur, struct rule_head,
- list);
- if (is_same(rhead->entry, origfw, matchmask)) {
- ruleh_free(rhead);
- return 1;
- }
- }
-
- errno = ENOENT;
- return 0;
-}
-
-/* Delete the rule in position `rulenum' in `chain'. */
-int
-TC_DELETE_NUM_ENTRY(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- struct chain_head *chainh;
- struct rule_head *rhead;
-
- iptc_fn = TC_DELETE_NUM_ENTRY;
-
- if (!(chainh = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- rhead = ruleh_get_n(chainh, rulenum);
- if (!rhead) {
- errno = E2BIG;
- return 0;
- }
-
- ruleh_free(rhead);
-
- return 1;
-}
-
-/* Check the packet `fw' on chain `chain'. Returns the verdict, or
- NULL and sets errno. */
-const char *
-TC_CHECK_PACKET(const IPT_CHAINLABEL chain,
- STRUCT_ENTRY *entry,
- TC_HANDLE_T *handle)
-{
- errno = ENOSYS;
- return NULL;
-}
-
-/* Flushes the entries in the given chain (ie. empties chain). */
-int
-TC_FLUSH_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- struct list_head *cur, *cur2;
- struct chain_head *chainh;
-
- if (!(chainh = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- list_for_each_safe(cur, cur2, &chainh->rules) {
- struct rule_head *ruleh = list_entry(cur, struct rule_head,
- list);
- /* don't free the entry and policy/return entries */
- if (ruleh != chainh->firstrule && ruleh != chainh->lastrule)
- ruleh_free(ruleh);
- }
- return 1;
-}
-
-/* Zeroes the counters in a chain. */
-int
-TC_ZERO_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- struct chain_head *c;
- struct list_head *cur;
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- list_for_each(cur, c->rules.next) {
- struct rule_head *r = list_entry(cur, struct rule_head, list);
- if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
- r->counter_map.maptype = COUNTER_MAP_ZEROED;
- }
- set_changed(*handle);
-
- return 1;
-}
-
-STRUCT_COUNTERS *
-TC_READ_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- STRUCT_ENTRY *e;
- struct chain_head *c;
- struct rule_head *r;
-
- iptc_fn = TC_READ_COUNTER;
- CHECK(*handle);
-
- if (!(c = find_label(chain, *handle) )
- || !(r = ruleh_get_n(c, rulenum))) {
- errno = ENOENT;
- return NULL;
- }
-
- return &r->entry->counters;
-}
-
-int
-TC_ZERO_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- STRUCT_ENTRY *e;
- struct chain_head *c;
- struct rule_head *r;
-
- iptc_fn = TC_ZERO_COUNTER;
- CHECK(*handle);
-
- if (!(c = find_label(chain, *handle))
- || !(r = ruleh_get_n(c, rulenum))) {
- errno = ENOENT;
- return 0;
- }
-
- if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
- r->counter_map.maptype = COUNTER_MAP_ZEROED;
-
- set_changed(*handle);
-
- return 1;
-}
-
-int
-TC_SET_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- STRUCT_COUNTERS *counters,
- TC_HANDLE_T *handle)
-{
- STRUCT_ENTRY *e;
- struct chain_head *c;
- struct rule_head *r;
-
- iptc_fn = TC_SET_COUNTER;
- CHECK(*handle);
-
- if (!(c = find_label(chain, *handle))
- || !(r = ruleh_get_n(c, rulenum))) {
- errno = ENOENT;
- return 0;
- }
-
- r->counter_map.maptype = COUNTER_MAP_SET;
- memcpy(&r->entry->counters, counters, sizeof(STRUCT_COUNTERS));
-
- set_changed(*handle);
-
- return 1;
-}
-
-/* Creates a new chain. */
-/* To create a chain, create two rules: error node and unconditional
- * return. */
-int
-TC_CREATE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- int ret;
- struct chainstart {
- STRUCT_ENTRY head;
- struct ipt_error_target name;
- } *newc1;
- struct chainend {
- STRUCT_ENTRY ret;
- STRUCT_STANDARD_TARGET target;
- } *newc2;
- struct rule_head *newr1, *newr2;
- struct chain_head *chead;
-
- iptc_fn = TC_CREATE_CHAIN;
-
- /* find_label doesn't cover built-in targets: DROP, ACCEPT,
- QUEUE, RETURN. */
- if (find_label(chain, *handle)
- || strcmp(chain, LABEL_DROP) == 0
- || strcmp(chain, LABEL_ACCEPT) == 0
- || strcmp(chain, LABEL_QUEUE) == 0
- || strcmp(chain, LABEL_RETURN) == 0) {
- errno = EEXIST;
- return 0;
- }
-
- if (strlen(chain)+1 > sizeof(IPT_CHAINLABEL)) {
- errno = EINVAL;
- return 0;
- }
-
- chead = chainh_alloc(*handle, chain);
- if (!chead) {
- errno = ENOMEM;
- return 0;
- }
-
- newr1 = ruleh_alloc(sizeof(*newc1));
- if (!newr1) {
- chainh_free(chead);
- return 0;
- }
- newc1 = (struct chainstart *) newr1->entry;
-
- newr2 = ruleh_alloc(sizeof(*newc2));
- if (!newr2) {
- chainh_free(chead);
- ruleh_free(newr1);
- return 0;
- }
- newc2 = (struct chainend *) newr2->entry;
-
- newc1->head.target_offset = sizeof(STRUCT_ENTRY);
- newc1->head.next_offset
- = sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(struct ipt_error_target));
- strcpy(newc1->name.t.u.user.name, ERROR_TARGET);
- newc1->name.t.u.target_size = ALIGN(sizeof(struct ipt_error_target));
- strcpy(newc1->name.error, chain);
-
- newc2->ret.target_offset = sizeof(STRUCT_ENTRY);
- newc2->ret.next_offset
- = sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(STRUCT_STANDARD_TARGET));
- strcpy(newc2->target.target.u.user.name, STANDARD_TARGET);
- newc2->target.target.u.target_size
- = ALIGN(sizeof(STRUCT_STANDARD_TARGET));
- newc2->target.verdict = RETURN;
-
- list_prepend(&newr1->list, &chead->rules);
- chead->firstrule = newr1;
- list_append(&newr2->list, &chead->rules);
- chead->lastrule = newr2;
-
- return 1;
-}
-
-#if 0
-static int
-count_ref(STRUCT_ENTRY *e, unsigned int offset, unsigned int *ref)
-{
- STRUCT_STANDARD_TARGET *t;
-
- if (strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET) == 0) {
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
-
- if (t->verdict == offset)
- (*ref)++;
- }
-
- return 0;
-}
-
-/* Get the number of references to this chain. */
-int
-TC_GET_REFERENCES(unsigned int *ref, const IPT_CHAINLABEL chain,
- TC_HANDLE_T *handle)
-{
- struct chain_cache *c;
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- *ref = 0;
- ENTRY_ITERATE((*handle)->entries.entrytable,
- (*handle)->entries.size,
- count_ref, c->start_off, ref);
- return 1;
-}
-#endif
-
-static unsigned int
-count_rules(struct chain_head *chainh)
-{
- unsigned int numrules = 0;
- struct list_head *cur;
-
- list_for_each(cur, &chainh->rules) {
- numrules++;
- }
-
- if (numrules <=2)
- return 0;
- else
- return numrules-2;
-}
-
-/* Deletes a chain. */
-int
-TC_DELETE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- unsigned int references;
- struct chain_head *chainh;
-
-#if 0
- if (!TC_GET_REFERENCES(&references, chain, handle))
- return 0;
-
- iptc_fn = TC_DELETE_CHAIN;
-
- if (TC_BUILTIN(chain, *handle)) {
- errno = EINVAL;
- return 0;
- }
-
- if (references > 0) {
- errno = EMLINK;
- return 0;
- }
-#endif
-
- if (!(chainh = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- if (!(count_rules(chainh) == 0)) {
- errno = ENOTEMPTY;
- return 0;
- }
-
- chainh_free(chainh);
- return 1;
-}
-
-/* Renames a chain. */
-int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
- const IPT_CHAINLABEL newname,
- TC_HANDLE_T *handle)
-{
- struct chain_head *c;
- struct rule_head *ruleh;
- struct ipt_error_target *t;
-
- iptc_fn = TC_RENAME_CHAIN;
-
- /* find_label doesn't cover built-in targets: DROP, ACCEPT,
- QUEUE, RETURN. */
- if (find_label(newname, *handle)
- || strcmp(newname, LABEL_DROP) == 0
- || strcmp(newname, LABEL_ACCEPT) == 0
- || strcmp(newname, LABEL_QUEUE) == 0
- || strcmp(newname, LABEL_RETURN) == 0) {
- errno = EEXIST;
- return 0;
- }
-
- if (!(c = find_label(oldname, *handle))
- || TC_BUILTIN(oldname, *handle)) {
- errno = ENOENT;
- return 0;
- }
-
- if (strlen(newname)+1 > sizeof(IPT_CHAINLABEL)) {
- errno = EINVAL;
- return 0;
- }
-
- ruleh = list_entry(&c->rules.next, struct rule_head, list);
-
- t = (struct ipt_error_target *)
- GET_TARGET(ruleh->entry);
-
- memset(t->error, 0, sizeof(t->error));
- strcpy(t->error, newname);
-
- return 1;
-}
-
-/* Sets the policy on a built-in chain. */
-int
-TC_SET_POLICY(const IPT_CHAINLABEL chain,
- const IPT_CHAINLABEL policy,
- STRUCT_COUNTERS *counters,
- TC_HANDLE_T *handle)
-{
- int ctrindex;
- unsigned int hook;
- struct chain_head *chainh;
- struct rule_head *policyrh;
- STRUCT_ENTRY *e;
- STRUCT_STANDARD_TARGET *t;
-
- iptc_fn = TC_SET_POLICY;
- /* Figure out which chain. */
- hook = TC_BUILTIN(chain, *handle);
- if (hook == 0) {
- errno = ENOENT;
- return 0;
- } else
- hook--;
-
- if (!(chainh = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- policyrh = chainh->lastrule;
- if (policyrh) {
- printf("ERROR: Policy for `%s' non-existant", chain);
- return 0;
- }
-
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(policyrh->entry);
-
- if (strcmp(policy, LABEL_ACCEPT) == 0)
- t->verdict = -NF_ACCEPT - 1;
- else if (strcmp(policy, LABEL_DROP) == 0)
- t->verdict = -NF_DROP - 1;
- else {
- errno = EINVAL;
- return 0;
- }
-
- ctrindex = entry2index(*handle, e);
-
- if (counters) {
- /* set byte and packet counters */
- memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS));
-
- policyrh->counter_map.maptype = COUNTER_MAP_SET;
-
- } else {
- policyrh->counter_map.maptype = COUNTER_MAP_NOMAP;
- policyrh->counter_map.mappos = 0;
- }
-
- set_changed(*handle);
-
- return 1;
-}
-
-/* Without this, on gcc 2.7.2.3, we get:
- libiptc.c: In function `TC_COMMIT':
- libiptc.c:833: fixed or forbidden register was spilled.
- This may be due to a compiler bug or to impossible asm
- statements or clauses.
-*/
-static void
-subtract_counters(STRUCT_COUNTERS *answer,
- const STRUCT_COUNTERS *a,
- const STRUCT_COUNTERS *b)
-{
- answer->pcnt = a->pcnt - b->pcnt;
- answer->bcnt = a->bcnt - b->bcnt;
-}
-
-int
-TC_COMMIT(TC_HANDLE_T *handle)
-{
- /* Replace, then map back the counters. */
- STRUCT_REPLACE *repl;
- STRUCT_COUNTERS_INFO *newcounters;
- unsigned int i;
- size_t counterlen;
-
- CHECK(*handle);
-
- counterlen = sizeof(STRUCT_COUNTERS_INFO)
- + sizeof(STRUCT_COUNTERS) * (*handle)->new_number;
-
-#if 0
- TC_DUMP_ENTRIES(*handle);
-#endif
-
- /* Don't commit if nothing changed. */
- if (!(*handle)->changed)
- goto finished;
-
- repl = malloc(sizeof(*repl) + (*handle)->entries.size);
- if (!repl) {
- errno = ENOMEM;
- return 0;
- }
-
- /* These are the old counters we will get from kernel */
- repl->counters = malloc(sizeof(STRUCT_COUNTERS)
- * (*handle)->info.num_entries);
- if (!repl->counters) {
- free(repl);
- errno = ENOMEM;
- return 0;
- }
-
- /* These are the counters we're going to put back, later. */
- newcounters = malloc(counterlen);
- if (!newcounters) {
- free(repl->counters);
- free(repl);
- errno = ENOMEM;
- return 0;
- }
-
- strcpy(repl->name, (*handle)->info.name);
- repl->num_entries = (*handle)->new_number;
- repl->size = (*handle)->entries.size;
- memcpy(repl->hook_entry, (*handle)->info.hook_entry,
- sizeof(repl->hook_entry));
- memcpy(repl->underflow, (*handle)->info.underflow,
- sizeof(repl->underflow));
- repl->num_counters = (*handle)->info.num_entries;
- repl->valid_hooks = (*handle)->info.valid_hooks;
- memcpy(repl->entries, (*handle)->entries.entrytable,
- (*handle)->entries.size);
-
- if (setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
- sizeof(*repl) + (*handle)->entries.size) < 0) {
- free(repl->counters);
- free(repl);
- free(newcounters);
- return 0;
- }
-
- /* Put counters back. */
- strcpy(newcounters->name, (*handle)->info.name);
- newcounters->num_counters = (*handle)->new_number;
- for (i = 0; i < (*handle)->new_number; i++) {
- unsigned int mappos = (*handle)->counter_map[i].mappos;
- switch ((*handle)->counter_map[i].maptype) {
- case COUNTER_MAP_NOMAP:
- newcounters->counters[i]
- = ((STRUCT_COUNTERS){ 0, 0 });
- break;
-
- case COUNTER_MAP_NORMAL_MAP:
- /* Original read: X.
- * Atomic read on replacement: X + Y.
- * Currently in kernel: Z.
- * Want in kernel: X + Y + Z.
- * => Add in X + Y
- * => Add in replacement read.
- */
- newcounters->counters[i] = repl->counters[mappos];
- break;
-
- case COUNTER_MAP_ZEROED:
- /* Original read: X.
- * Atomic read on replacement: X + Y.
- * Currently in kernel: Z.
- * Want in kernel: Y + Z.
- * => Add in Y.
- * => Add in (replacement read - original read).
- */
- subtract_counters(&newcounters->counters[i],
- &repl->counters[mappos],
- &index2entry(*handle, i)->counters);
- break;
-
- case COUNTER_MAP_SET:
- /* Want to set counter (iptables-restore) */
-
- memcpy(&newcounters->counters[i],
- &index2entry(*handle, i)->counters,
- sizeof(STRUCT_COUNTERS));
-
- break;
- }
- }
-
-#ifdef KERNEL_64_USERSPACE_32
- {
- /* Kernel will think that pointer should be 64-bits, and get
- padding. So we accomodate here (assumption: alignment of
- `counters' is on 64-bit boundary). */
- u_int64_t *kernptr = (u_int64_t *)&newcounters->counters;
- if ((unsigned long)&newcounters->counters % 8 != 0) {
- fprintf(stderr,
- "counters alignment incorrect! Mail rusty!\n");
- abort();
- }
- *kernptr = newcounters->counters;
- }
-#endif /* KERNEL_64_USERSPACE_32 */
-
- if (setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
- newcounters, counterlen) < 0) {
- free(repl->counters);
- free(repl);
- free(newcounters);
- return 0;
- }
-
- free(repl->counters);
- free(repl);
- free(newcounters);
-
- finished:
- TC_FREE(handle);
- return 1;
-}
-
-/* Get raw socket. */
-int
-TC_GET_RAW_SOCKET()
-{
- return sockfd;
-}
-
-/* Translates errno numbers into more human-readable form than strerror. */
-const char *
-TC_STRERROR(int err)
-{
- unsigned int i;
- struct table_struct {
- void *fn;
- int err;
- const char *message;
- } table [] =
- { { TC_INIT, EPERM, "Permission denied (you must be root)" },
- { TC_INIT, EINVAL, "Module is wrong version" },
- { TC_INIT, ENOENT,
- "Table does not exist (do you need to insmod?)" },
- { TC_DELETE_CHAIN, ENOTEMPTY, "Chain is not empty" },
- { TC_DELETE_CHAIN, EINVAL, "Can't delete built-in chain" },
- { TC_DELETE_CHAIN, EMLINK,
- "Can't delete chain with references left" },
- { TC_CREATE_CHAIN, EEXIST, "Chain already exists" },
- { TC_INSERT_ENTRY, E2BIG, "Index of insertion too big" },
- { TC_REPLACE_ENTRY, E2BIG, "Index of replacement too big" },
- { TC_DELETE_NUM_ENTRY, E2BIG, "Index of deletion too big" },
- { TC_READ_COUNTER, E2BIG, "Index of counter too big" },
- { TC_ZERO_COUNTER, E2BIG, "Index of counter too big" },
- { TC_INSERT_ENTRY, ELOOP, "Loop found in table" },
- { TC_INSERT_ENTRY, EINVAL, "Target problem" },
- /* EINVAL for CHECK probably means bad interface. */
- { TC_CHECK_PACKET, EINVAL,
- "Bad arguments (does that interface exist?)" },
- { TC_CHECK_PACKET, ENOSYS,
- "Checking will most likely never get implemented" },
- /* ENOENT for DELETE probably means no matching rule */
- { TC_DELETE_ENTRY, ENOENT,
- "Bad rule (does a matching rule exist in that chain?)" },
- { TC_SET_POLICY, ENOENT,
- "Bad built-in chain name" },
- { TC_SET_POLICY, EINVAL,
- "Bad policy name" },
-
- { NULL, 0, "Incompatible with this kernel" },
- { NULL, ENOPROTOOPT, "iptables who? (do you need to insmod?)" },
- { NULL, ENOSYS, "Will be implemented real soon. I promise ;)" },
- { NULL, ENOMEM, "Memory allocation problem" },
- { NULL, ENOENT, "No chain/target/match by that name" },
- };
-
- for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
- if ((!table[i].fn || table[i].fn == iptc_fn)
- && table[i].err == err)
- return table[i].message;
- }
-
- return strerror(err);
-}
+++ /dev/null
-/* Library which manipulates firewall rules. Version $Revision: 1.40 $ */
-
-/* Architecture of firewall rules is as follows:
- *
- * Chains go INPUT, FORWARD, OUTPUT then user chains.
- * Each user chain starts with an ERROR node.
- * Every chain ends with an unconditional jump: a RETURN for user chains,
- * and a POLICY for built-ins.
- */
-
-/* (C) 1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
- * COPYING for details).
- * (C) 2000-2003 by the Netfilter Core Team <coreteam@netfilter.org>
- *
- * 2003-Jun-20: Harald Welte <laforge@netfilter.org>:
- * - Reimplementation of chain cache to use offsets instead of entries
- * 2003-Jun-23: Harald Welte <laforge@netfilter.org>:
- * - performance optimization, sponsored by Astaro AG (http://www.astaro.com/)
- * don't rebuild the chain cache after every operation, instead fix it
- * up after a ruleset change.
- */
-
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR "/usr/lib/iptables"
-#endif
-
-#ifndef __OPTIMIZE__
-STRUCT_ENTRY_TARGET *
-GET_TARGET(STRUCT_ENTRY *e)
-{
- return (void *)e + e->target_offset;
-}
-#endif
-
-static int sockfd = -1;
-static void *iptc_fn = NULL;
-
-static const char *hooknames[]
-= { [HOOK_PRE_ROUTING] "PREROUTING",
- [HOOK_LOCAL_IN] "INPUT",
- [HOOK_FORWARD] "FORWARD",
- [HOOK_LOCAL_OUT] "OUTPUT",
- [HOOK_POST_ROUTING] "POSTROUTING",
-#ifdef HOOK_DROPPING
- [HOOK_DROPPING] "DROPPING"
-#endif
-};
-
-struct counter_map
-{
- enum {
- COUNTER_MAP_NOMAP,
- COUNTER_MAP_NORMAL_MAP,
- COUNTER_MAP_ZEROED,
- COUNTER_MAP_SET
- } maptype;
- unsigned int mappos;
-};
-
-/* Convenience structures */
-struct ipt_error_target
-{
- STRUCT_ENTRY_TARGET t;
- char error[TABLE_MAXNAMELEN];
-};
-
-struct chain_cache
-{
- char name[TABLE_MAXNAMELEN];
- /* This is the first rule in chain. */
- unsigned int start_off;
- /* Last rule in chain */
- unsigned int end_off;
-};
-
-STRUCT_TC_HANDLE
-{
- /* Have changes been made? */
- int changed;
- /* Size in here reflects original state. */
- STRUCT_GETINFO info;
-
- struct counter_map *counter_map;
- /* Array of hook names */
- const char **hooknames;
-
- /* Cached position of chain heads (NULL = no cache). */
- unsigned int cache_num_chains;
- unsigned int cache_num_builtins;
- struct chain_cache *cache_chain_heads;
-
- /* Chain iterator: current chain cache entry. */
- struct chain_cache *cache_chain_iteration;
-
- /* Rule iterator: terminal rule */
- STRUCT_ENTRY *cache_rule_end;
-
- /* Number in here reflects current state. */
- unsigned int new_number;
- STRUCT_GET_ENTRIES entries;
-};
-
-static void
-set_changed(TC_HANDLE_T h)
-{
- h->changed = 1;
-}
-
-#ifdef IPTC_DEBUG
-static void do_check(TC_HANDLE_T h, unsigned int line);
-#define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
-#else
-#define CHECK(h)
-#endif
-
-static inline int
-get_number(const STRUCT_ENTRY *i,
- const STRUCT_ENTRY *seek,
- unsigned int *pos)
-{
- if (i == seek)
- return 1;
- (*pos)++;
- return 0;
-}
-
-static unsigned int
-entry2index(const TC_HANDLE_T h, const STRUCT_ENTRY *seek)
-{
- unsigned int pos = 0;
-
- if (ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- get_number, seek, &pos) == 0) {
- fprintf(stderr, "ERROR: offset %i not an entry!\n",
- (char *)seek - (char *)h->entries.entrytable);
- abort();
- }
- return pos;
-}
-
-static inline int
-get_entry_n(STRUCT_ENTRY *i,
- unsigned int number,
- unsigned int *pos,
- STRUCT_ENTRY **pe)
-{
- if (*pos == number) {
- *pe = i;
- return 1;
- }
- (*pos)++;
- return 0;
-}
-
-static STRUCT_ENTRY *
-index2entry(TC_HANDLE_T h, unsigned int index)
-{
- unsigned int pos = 0;
- STRUCT_ENTRY *ret = NULL;
-
- ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- get_entry_n, index, &pos, &ret);
-
- return ret;
-}
-
-static inline STRUCT_ENTRY *
-get_entry(TC_HANDLE_T h, unsigned int offset)
-{
- return (STRUCT_ENTRY *)((char *)h->entries.entrytable + offset);
-}
-
-static inline unsigned long
-entry2offset(const TC_HANDLE_T h, const STRUCT_ENTRY *e)
-{
- return (void *)e - (void *)h->entries.entrytable;
-}
-
-static inline unsigned long
-index2offset(TC_HANDLE_T h, unsigned int index)
-{
- return entry2offset(h, index2entry(h, index));
-}
-
-static inline STRUCT_ENTRY *
-offset2entry(TC_HANDLE_T h, unsigned int offset)
-{
- return (STRUCT_ENTRY *) ((void *)h->entries.entrytable+offset);
-}
-
-static inline unsigned int
-offset2index(const TC_HANDLE_T h, unsigned int offset)
-{
- return entry2index(h, offset2entry(h, offset));
-}
-
-
-static const char *
-get_errorlabel(TC_HANDLE_T h, unsigned int offset)
-{
- STRUCT_ENTRY *e;
-
- e = get_entry(h, offset);
- if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) != 0) {
- fprintf(stderr, "ERROR: offset %u not an error node!\n",
- offset);
- abort();
- }
-
- return (const char *)GET_TARGET(e)->data;
-}
-
-/* Allocate handle of given size */
-static TC_HANDLE_T
-alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
-{
- size_t len;
- TC_HANDLE_T h;
-
- len = sizeof(STRUCT_TC_HANDLE)
- + size
- + num_rules * sizeof(struct counter_map);
-
- if ((h = malloc(len)) == NULL) {
- errno = ENOMEM;
- return NULL;
- }
-
- h->changed = 0;
- h->cache_num_chains = 0;
- h->cache_chain_heads = NULL;
- h->counter_map = (void *)h
- + sizeof(STRUCT_TC_HANDLE)
- + size;
- strcpy(h->info.name, tablename);
- strcpy(h->entries.name, tablename);
-
- return h;
-}
-
-TC_HANDLE_T
-TC_INIT(const char *tablename)
-{
- TC_HANDLE_T h;
- STRUCT_GETINFO info;
- unsigned int i;
- int tmp;
- socklen_t s;
-
- iptc_fn = TC_INIT;
-
- if (sockfd != -1) {
- close(sockfd);
- sockfd = -1;
- }
-
- if (strlen(tablename) >= TABLE_MAXNAMELEN) {
- errno = EINVAL;
- return NULL;
- }
-
- sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
- if (sockfd < 0)
- return NULL;
-
- s = sizeof(info);
-
- strcpy(info.name, tablename);
- if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, &info, &s) < 0)
- return NULL;
-
- if ((h = alloc_handle(info.name, info.size, info.num_entries))
- == NULL) {
- close(sockfd);
- sockfd = -1;
- return NULL;
- }
-
-/* Too hard --RR */
-#if 0
- sprintf(pathname, "%s/%s", IPT_LIB_DIR, info.name);
- dynlib = dlopen(pathname, RTLD_NOW);
- if (!dynlib) {
- errno = ENOENT;
- return NULL;
- }
- h->hooknames = dlsym(dynlib, "hooknames");
- if (!h->hooknames) {
- errno = ENOENT;
- return NULL;
- }
-#else
- h->hooknames = hooknames;
-#endif
-
- /* Initialize current state */
- h->info = info;
- h->new_number = h->info.num_entries;
- for (i = 0; i < h->info.num_entries; i++)
- h->counter_map[i]
- = ((struct counter_map){COUNTER_MAP_NORMAL_MAP, i});
-
- h->entries.size = h->info.size;
-
- tmp = sizeof(STRUCT_GET_ENTRIES) + h->info.size;
-
- if (getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, &h->entries,
- &tmp) < 0) {
- close(sockfd);
- sockfd = -1;
- free(h);
- return NULL;
- }
-
- CHECK(h);
- return h;
-}
-
-void
-TC_FREE(TC_HANDLE_T *h)
-{
- close(sockfd);
- sockfd = -1;
- if ((*h)->cache_chain_heads)
- free((*h)->cache_chain_heads);
- free(*h);
- *h = NULL;
-}
-
-static inline int
-print_match(const STRUCT_ENTRY_MATCH *m)
-{
- printf("Match name: `%s'\n", m->u.user.name);
- return 0;
-}
-
-static int dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle);
-
-void
-TC_DUMP_ENTRIES(const TC_HANDLE_T handle)
-{
- CHECK(handle);
-
- printf("libiptc v%s. %u entries, %u bytes.\n",
- IPTABLES_VERSION,
- handle->new_number, handle->entries.size);
- printf("Table `%s'\n", handle->info.name);
- printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
- handle->info.hook_entry[HOOK_PRE_ROUTING],
- handle->info.hook_entry[HOOK_LOCAL_IN],
- handle->info.hook_entry[HOOK_FORWARD],
- handle->info.hook_entry[HOOK_LOCAL_OUT],
- handle->info.hook_entry[HOOK_POST_ROUTING]);
- printf("Underflows: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
- handle->info.underflow[HOOK_PRE_ROUTING],
- handle->info.underflow[HOOK_LOCAL_IN],
- handle->info.underflow[HOOK_FORWARD],
- handle->info.underflow[HOOK_LOCAL_OUT],
- handle->info.underflow[HOOK_POST_ROUTING]);
-
- ENTRY_ITERATE(handle->entries.entrytable, handle->entries.size,
- dump_entry, handle);
-}
-
-/* Returns 0 if not hook entry, else hooknumber + 1 */
-static inline unsigned int
-is_hook_entry(STRUCT_ENTRY *e, TC_HANDLE_T h)
-{
- unsigned int i;
-
- for (i = 0; i < NUMHOOKS; i++) {
- if ((h->info.valid_hooks & (1 << i))
- && get_entry(h, h->info.hook_entry[i]) == e)
- return i+1;
- }
- return 0;
-}
-
-static inline int
-add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev)
-{
- unsigned int builtin;
-
- /* Last entry. End it. */
- if (entry2offset(h, e) + e->next_offset == h->entries.size) {
- /* This is the ERROR node at end of the table */
- h->cache_chain_heads[h->cache_num_chains-1].end_off =
- entry2offset(h, *prev);
- return 0;
- }
-
- /* We know this is the start of a new chain if it's an ERROR
- target, or a hook entry point */
- if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) == 0) {
- /* prev was last entry in previous chain */
- h->cache_chain_heads[h->cache_num_chains-1].end_off
- = entry2offset(h, *prev);
-
- strcpy(h->cache_chain_heads[h->cache_num_chains].name,
- (const char *)GET_TARGET(e)->data);
- h->cache_chain_heads[h->cache_num_chains].start_off
- = entry2offset(h, (void *)e + e->next_offset);
- h->cache_num_chains++;
- } else if ((builtin = is_hook_entry(e, h)) != 0) {
- if (h->cache_num_chains > 0)
- /* prev was last entry in previous chain */
- h->cache_chain_heads[h->cache_num_chains-1].end_off
- = entry2offset(h, *prev);
-
- strcpy(h->cache_chain_heads[h->cache_num_chains].name,
- h->hooknames[builtin-1]);
- h->cache_chain_heads[h->cache_num_chains].start_off
- = entry2offset(h, (void *)e);
- h->cache_num_chains++;
- }
-
- *prev = e;
- return 0;
-}
-
-static int alphasort(const void *a, const void *b)
-{
- return strcmp(((struct chain_cache *)a)->name,
- ((struct chain_cache *)b)->name);
-}
-
-static int populate_cache(TC_HANDLE_T h)
-{
- unsigned int i;
- STRUCT_ENTRY *prev;
-
- /* # chains < # rules / 2 + num builtins - 1 */
- h->cache_chain_heads = malloc((h->new_number / 2 + 4)
- * sizeof(struct chain_cache));
- if (!h->cache_chain_heads) {
- errno = ENOMEM;
- return 0;
- }
-
- h->cache_num_chains = 0;
- h->cache_num_builtins = 0;
-
- /* Count builtins */
- for (i = 0; i < NUMHOOKS; i++) {
- if (h->info.valid_hooks & (1 << i))
- h->cache_num_builtins++;
- }
-
- prev = NULL;
- ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- add_chain, h, &prev);
-
- qsort(h->cache_chain_heads + h->cache_num_builtins,
- h->cache_num_chains - h->cache_num_builtins,
- sizeof(struct chain_cache), alphasort);
-
- return 1;
-}
-
-static int
-correct_cache(TC_HANDLE_T h, unsigned int offset, int delta)
-{
- int i; /* needs to be signed because deleting first
- chain can make it drop to -1 */
-
- if (!delta)
- return 1;
-
- for (i = 0; i < h->cache_num_chains; i++) {
- struct chain_cache *cc = &h->cache_chain_heads[i];
-
- if (delta < 0) {
- /* take care about deleted chains */
- if (cc->start_off >= offset+delta
- && cc->end_off <= offset) {
- /* this chain is within the deleted range,
- * let's remove it from the cache */
- void *start;
- unsigned int size;
-
- h->cache_num_chains--;
- if (i+1 >= h->cache_num_chains)
- continue;
- start = &h->cache_chain_heads[i+1];
- size = (h->cache_num_chains-i)
- * sizeof(struct chain_cache);
- memmove(cc, start, size);
-
- /* iterate over same index again, since
- * it is now a different chain */
- i--;
- continue;
- }
- }
-
- if (cc->start_off > offset)
- cc->start_off += delta;
-
- if (cc->end_off >= offset)
- cc->end_off += delta;
- }
- /* HW_FIXME: sorting might be needed, but just in case a new chain was
- * added */
-
- return 1;
-}
-
-static int
-add_chain_cache(TC_HANDLE_T h, const char *name, unsigned int start_off,
- unsigned int end_off)
-{
- struct chain_cache *ccs = realloc(h->cache_chain_heads,
- (h->new_number / 2 + 4 + 1)
- * sizeof(struct chain_cache));
- struct chain_cache *newcc;
-
- if (!ccs)
- return 0;
-
- h->cache_chain_heads = ccs;
- newcc = &h->cache_chain_heads[h->cache_num_chains];
- h->cache_num_chains++;
-
- strncpy(newcc->name, name, TABLE_MAXNAMELEN-1);
- newcc->start_off = start_off;
- newcc->end_off = end_off;
-
- return 1;
-}
-
-/* Returns cache ptr if found, otherwise NULL. */
-static struct chain_cache *
-find_label(const char *name, TC_HANDLE_T handle)
-{
- unsigned int i;
-
- if (handle->cache_chain_heads == NULL
- && !populate_cache(handle))
- return NULL;
-
- /* FIXME: Linear search through builtins, then binary --RR */
- for (i = 0; i < handle->cache_num_chains; i++) {
- if (strcmp(handle->cache_chain_heads[i].name, name) == 0)
- return &handle->cache_chain_heads[i];
- }
-
- return NULL;
-}
-
-/* Does this chain exist? */
-int TC_IS_CHAIN(const char *chain, const TC_HANDLE_T handle)
-{
- return find_label(chain, handle) != NULL;
-}
-
-/* Returns the position of the final (ie. unconditional) element. */
-static unsigned int
-get_chain_end(const TC_HANDLE_T handle, unsigned int start)
-{
- unsigned int last_off, off;
- STRUCT_ENTRY *e;
-
- last_off = start;
- e = get_entry(handle, start);
-
- /* Terminate when we meet a error label or a hook entry. */
- for (off = start + e->next_offset;
- off < handle->entries.size;
- last_off = off, off += e->next_offset) {
- STRUCT_ENTRY_TARGET *t;
- unsigned int i;
-
- e = get_entry(handle, off);
-
- /* We hit an entry point. */
- for (i = 0; i < NUMHOOKS; i++) {
- if ((handle->info.valid_hooks & (1 << i))
- && off == handle->info.hook_entry[i])
- return last_off;
- }
-
- /* We hit a user chain label */
- t = GET_TARGET(e);
- if (strcmp(t->u.user.name, ERROR_TARGET) == 0)
- return last_off;
- }
- /* SHOULD NEVER HAPPEN */
- fprintf(stderr, "ERROR: Off end (%u) of chain from %u!\n",
- handle->entries.size, off);
- abort();
-}
-
-/* Iterator functions to run through the chains. */
-const char *
-TC_FIRST_CHAIN(TC_HANDLE_T *handle)
-{
- if ((*handle)->cache_chain_heads == NULL
- && !populate_cache(*handle))
- return NULL;
-
- (*handle)->cache_chain_iteration
- = &(*handle)->cache_chain_heads[0];
-
- return (*handle)->cache_chain_iteration->name;
-}
-
-/* Iterator functions to run through the chains. Returns NULL at end. */
-const char *
-TC_NEXT_CHAIN(TC_HANDLE_T *handle)
-{
- (*handle)->cache_chain_iteration++;
-
- if ((*handle)->cache_chain_iteration - (*handle)->cache_chain_heads
- == (*handle)->cache_num_chains)
- return NULL;
-
- return (*handle)->cache_chain_iteration->name;
-}
-
-/* Get first rule in the given chain: NULL for empty chain. */
-const STRUCT_ENTRY *
-TC_FIRST_RULE(const char *chain, TC_HANDLE_T *handle)
-{
- struct chain_cache *c;
-
- c = find_label(chain, *handle);
- if (!c) {
- errno = ENOENT;
- return NULL;
- }
-
- /* Empty chain: single return/policy rule */
- if (c->start_off == c->end_off)
- return NULL;
-
- (*handle)->cache_rule_end = offset2entry(*handle, c->end_off);
- return offset2entry(*handle, c->start_off);
-}
-
-/* Returns NULL when rules run out. */
-const STRUCT_ENTRY *
-TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
-{
- if ((void *)prev + prev->next_offset
- == (void *)(*handle)->cache_rule_end)
- return NULL;
-
- return (void *)prev + prev->next_offset;
-}
-
-#if 0
-/* How many rules in this chain? */
-unsigned int
-TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
-{
- unsigned int off = 0;
- STRUCT_ENTRY *start, *end;
-
- CHECK(*handle);
- if (!find_label(&off, chain, *handle)) {
- errno = ENOENT;
- return (unsigned int)-1;
- }
-
- start = get_entry(*handle, off);
- end = get_entry(*handle, get_chain_end(*handle, off));
-
- return entry2index(*handle, end) - entry2index(*handle, start);
-}
-
-/* Get n'th rule in this chain. */
-const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
- unsigned int n,
- TC_HANDLE_T *handle)
-{
- unsigned int pos = 0, chainindex;
-
- CHECK(*handle);
- if (!find_label(&pos, chain, *handle)) {
- errno = ENOENT;
- return NULL;
- }
-
- chainindex = entry2index(*handle, get_entry(*handle, pos));
-
- return index2entry(*handle, chainindex + n);
-}
-#endif
-
-static const char *
-target_name(TC_HANDLE_T handle, const STRUCT_ENTRY *ce)
-{
- int spos;
- unsigned int labelidx;
- STRUCT_ENTRY *jumpto;
-
- /* To avoid const warnings */
- STRUCT_ENTRY *e = (STRUCT_ENTRY *)ce;
-
- if (strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET) != 0)
- return GET_TARGET(e)->u.user.name;
-
- /* Standard target: evaluate */
- spos = *(int *)GET_TARGET(e)->data;
- if (spos < 0) {
- if (spos == RETURN)
- return LABEL_RETURN;
- else if (spos == -NF_ACCEPT-1)
- return LABEL_ACCEPT;
- else if (spos == -NF_DROP-1)
- return LABEL_DROP;
- else if (spos == -NF_QUEUE-1)
- return LABEL_QUEUE;
-
- fprintf(stderr, "ERROR: off %lu/%u not a valid target (%i)\n",
- entry2offset(handle, e), handle->entries.size,
- spos);
- abort();
- }
-
- jumpto = get_entry(handle, spos);
-
- /* Fall through rule */
- if (jumpto == (void *)e + e->next_offset)
- return "";
-
- /* Must point to head of a chain: ie. after error rule */
- labelidx = entry2index(handle, jumpto) - 1;
- return get_errorlabel(handle, index2offset(handle, labelidx));
-}
-
-/* Returns a pointer to the target name of this position. */
-const char *TC_GET_TARGET(const STRUCT_ENTRY *e,
- TC_HANDLE_T *handle)
-{
- return target_name(*handle, e);
-}
-
-/* Is this a built-in chain? Actually returns hook + 1. */
-int
-TC_BUILTIN(const char *chain, const TC_HANDLE_T handle)
-{
- unsigned int i;
-
- for (i = 0; i < NUMHOOKS; i++) {
- if ((handle->info.valid_hooks & (1 << i))
- && handle->hooknames[i]
- && strcmp(handle->hooknames[i], chain) == 0)
- return i+1;
- }
- return 0;
-}
-
-/* Get the policy of a given built-in chain */
-const char *
-TC_GET_POLICY(const char *chain,
- STRUCT_COUNTERS *counters,
- TC_HANDLE_T *handle)
-{
- unsigned int start;
- STRUCT_ENTRY *e;
- int hook;
-
- hook = TC_BUILTIN(chain, *handle);
- if (hook != 0)
- start = (*handle)->info.hook_entry[hook-1];
- else
- return NULL;
-
- e = get_entry(*handle, get_chain_end(*handle, start));
- *counters = e->counters;
-
- return target_name(*handle, e);
-}
-
-static inline int
-correct_verdict(STRUCT_ENTRY *e,
- char *base,
- unsigned int offset, int delta_offset)
-{
- STRUCT_STANDARD_TARGET *t = (void *)GET_TARGET(e);
- unsigned int curr = (char *)e - base;
-
- /* Trap: insert of fall-through rule. Don't change fall-through
- verdict to jump-over-next-rule. */
- if (strcmp(t->target.u.user.name, STANDARD_TARGET) == 0
- && t->verdict > (int)offset
- && !(curr == offset &&
- t->verdict == curr + e->next_offset)) {
- t->verdict += delta_offset;
- }
-
- return 0;
-}
-
-/* Adjusts standard verdict jump positions after an insertion/deletion. */
-static int
-set_verdict(unsigned int offset, int delta_offset, TC_HANDLE_T *handle)
-{
- ENTRY_ITERATE((*handle)->entries.entrytable,
- (*handle)->entries.size,
- correct_verdict, (char *)(*handle)->entries.entrytable,
- offset, delta_offset);
-
- set_changed(*handle);
- return 1;
-}
-
-/* If prepend is set, then we are prepending to a chain: if the
- * insertion position is an entry point, keep the entry point. */
-static int
-insert_rules(unsigned int num_rules, unsigned int rules_size,
- const STRUCT_ENTRY *insert,
- unsigned int offset, unsigned int num_rules_offset,
- int prepend,
- TC_HANDLE_T *handle)
-{
- TC_HANDLE_T newh;
- STRUCT_GETINFO newinfo;
- unsigned int i;
-
- if (offset >= (*handle)->entries.size) {
- errno = EINVAL;
- return 0;
- }
-
- newinfo = (*handle)->info;
-
- /* Fix up entry points. */
- for (i = 0; i < NUMHOOKS; i++) {
- /* Entry points to START of chain, so keep same if
- inserting on at that point. */
- if ((*handle)->info.hook_entry[i] > offset)
- newinfo.hook_entry[i] += rules_size;
-
- /* Underflow always points to END of chain (policy),
- so if something is inserted at same point, it
- should be advanced. */
- if ((*handle)->info.underflow[i] >= offset)
- newinfo.underflow[i] += rules_size;
- }
-
- newh = alloc_handle((*handle)->info.name,
- (*handle)->entries.size + rules_size,
- (*handle)->new_number + num_rules);
- if (!newh)
- return 0;
- newh->info = newinfo;
-
- /* Copy pre... */
- memcpy(newh->entries.entrytable, (*handle)->entries.entrytable,offset);
- /* ... Insert new ... */
- memcpy((char *)newh->entries.entrytable + offset, insert, rules_size);
- /* ... copy post */
- memcpy((char *)newh->entries.entrytable + offset + rules_size,
- (char *)(*handle)->entries.entrytable + offset,
- (*handle)->entries.size - offset);
-
- /* Move counter map. */
- /* Copy pre... */
- memcpy(newh->counter_map, (*handle)->counter_map,
- sizeof(struct counter_map) * num_rules_offset);
- /* ... copy post */
- memcpy(newh->counter_map + num_rules_offset + num_rules,
- (*handle)->counter_map + num_rules_offset,
- sizeof(struct counter_map) * ((*handle)->new_number
- - num_rules_offset));
- /* Set intermediates to no counter copy */
- for (i = 0; i < num_rules; i++)
- newh->counter_map[num_rules_offset+i]
- = ((struct counter_map){ COUNTER_MAP_SET, 0 });
-
- newh->new_number = (*handle)->new_number + num_rules;
- newh->entries.size = (*handle)->entries.size + rules_size;
- newh->hooknames = (*handle)->hooknames;
-
- newh->cache_chain_heads = (*handle)->cache_chain_heads;
- newh->cache_num_builtins = (*handle)->cache_num_builtins;
- newh->cache_num_chains = (*handle)->cache_num_chains;
- newh->cache_rule_end = (*handle)->cache_rule_end;
- newh->cache_chain_iteration = (*handle)->cache_chain_iteration;
- if (!correct_cache(newh, offset, rules_size)) {
- free(newh);
- return 0;
- }
-
- free(*handle);
- *handle = newh;
-
- return set_verdict(offset, rules_size, handle);
-}
-
-static int
-delete_rules(unsigned int num_rules, unsigned int rules_size,
- unsigned int offset, unsigned int num_rules_offset,
- TC_HANDLE_T *handle)
-{
- unsigned int i;
-
- if (offset + rules_size > (*handle)->entries.size) {
- errno = EINVAL;
- return 0;
- }
-
- /* Fix up entry points. */
- for (i = 0; i < NUMHOOKS; i++) {
- /* In practice, we never delete up to a hook entry,
- since the built-in chains are always first,
- so these two are never equal */
- if ((*handle)->info.hook_entry[i] >= offset + rules_size)
- (*handle)->info.hook_entry[i] -= rules_size;
- else if ((*handle)->info.hook_entry[i] > offset) {
- fprintf(stderr, "ERROR: Deleting entry %u %u %u\n",
- i, (*handle)->info.hook_entry[i], offset);
- abort();
- }
-
- /* Underflow points to policy (terminal) rule in
- built-in, so sequality is valid here (when deleting
- the last rule). */
- if ((*handle)->info.underflow[i] >= offset + rules_size)
- (*handle)->info.underflow[i] -= rules_size;
- else if ((*handle)->info.underflow[i] > offset) {
- fprintf(stderr, "ERROR: Deleting uflow %u %u %u\n",
- i, (*handle)->info.underflow[i], offset);
- abort();
- }
- }
-
- /* Move the rules down. */
- memmove((char *)(*handle)->entries.entrytable + offset,
- (char *)(*handle)->entries.entrytable + offset + rules_size,
- (*handle)->entries.size - (offset + rules_size));
-
- /* Move the counter map down. */
- memmove(&(*handle)->counter_map[num_rules_offset],
- &(*handle)->counter_map[num_rules_offset + num_rules],
- sizeof(struct counter_map)
- * ((*handle)->new_number - (num_rules + num_rules_offset)));
-
- /* Fix numbers */
- (*handle)->new_number -= num_rules;
- (*handle)->entries.size -= rules_size;
-
- /* Fix the chain cache */
- if (!correct_cache(*handle, offset, -(int)rules_size))
- return 0;
-
- return set_verdict(offset, -(int)rules_size, handle);
-}
-
-static int
-standard_map(STRUCT_ENTRY *e, int verdict)
-{
- STRUCT_STANDARD_TARGET *t;
-
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
-
- if (t->target.u.target_size
- != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
- errno = EINVAL;
- return 0;
- }
- /* memset for memcmp convenience on delete/replace */
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
- strcpy(t->target.u.user.name, STANDARD_TARGET);
- t->verdict = verdict;
-
- return 1;
-}
-
-static int
-map_target(const TC_HANDLE_T handle,
- STRUCT_ENTRY *e,
- unsigned int offset,
- STRUCT_ENTRY_TARGET *old)
-{
- STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
-
- /* Save old target (except data, which we don't change, except for
- standard case, where we don't care). */
- *old = *t;
-
- /* Maybe it's empty (=> fall through) */
- if (strcmp(t->u.user.name, "") == 0)
- return standard_map(e, offset + e->next_offset);
- /* Maybe it's a standard target name... */
- else if (strcmp(t->u.user.name, LABEL_ACCEPT) == 0)
- return standard_map(e, -NF_ACCEPT - 1);
- else if (strcmp(t->u.user.name, LABEL_DROP) == 0)
- return standard_map(e, -NF_DROP - 1);
- else if (strcmp(t->u.user.name, LABEL_QUEUE) == 0)
- return standard_map(e, -NF_QUEUE - 1);
- else if (strcmp(t->u.user.name, LABEL_RETURN) == 0)
- return standard_map(e, RETURN);
- else if (TC_BUILTIN(t->u.user.name, handle)) {
- /* Can't jump to builtins. */
- errno = EINVAL;
- return 0;
- } else {
- /* Maybe it's an existing chain name. */
- struct chain_cache *c;
-
- c = find_label(t->u.user.name, handle);
- if (c)
- return standard_map(e, c->start_off);
- }
-
- /* Must be a module? If not, kernel will reject... */
- /* memset to all 0 for your memcmp convenience. */
- memset(t->u.user.name + strlen(t->u.user.name),
- 0,
- FUNCTION_MAXNAMELEN - strlen(t->u.user.name));
- return 1;
-}
-
-static void
-unmap_target(STRUCT_ENTRY *e, STRUCT_ENTRY_TARGET *old)
-{
- STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
-
- /* Save old target (except data, which we don't change, except for
- standard case, where we don't care). */
- *t = *old;
-}
-
-/* Insert the entry `fw' in chain `chain' into position `rulenum'. */
-int
-TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *e,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- unsigned int chainindex, offset;
- STRUCT_ENTRY_TARGET old;
- struct chain_cache *c;
- STRUCT_ENTRY *tmp;
- int ret;
-
- iptc_fn = TC_INSERT_ENTRY;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- chainindex = offset2index(*handle, c->start_off);
-
- tmp = index2entry(*handle, chainindex + rulenum);
- if (!tmp || tmp > offset2entry(*handle, c->end_off)) {
- errno = E2BIG;
- return 0;
- }
- offset = index2offset(*handle, chainindex + rulenum);
-
- /* Mapping target actually alters entry, but that's
- transparent to the caller. */
- if (!map_target(*handle, (STRUCT_ENTRY *)e, offset, &old))
- return 0;
-
- ret = insert_rules(1, e->next_offset, e, offset,
- chainindex + rulenum, rulenum == 0, handle);
- unmap_target((STRUCT_ENTRY *)e, &old);
- return ret;
-}
-
-/* Atomically replace rule `rulenum' in `chain' with `fw'. */
-int
-TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *e,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- unsigned int chainindex, offset;
- STRUCT_ENTRY_TARGET old;
- struct chain_cache *c;
- STRUCT_ENTRY *tmp;
- int ret;
-
- iptc_fn = TC_REPLACE_ENTRY;
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- chainindex = offset2index(*handle, c->start_off);
-
- tmp = index2entry(*handle, chainindex + rulenum);
- if (!tmp || tmp >= offset2entry(*handle, c->end_off)) {
- errno = E2BIG;
- return 0;
- }
-
- offset = index2offset(*handle, chainindex + rulenum);
- /* Replace = delete and insert. */
- if (!delete_rules(1, get_entry(*handle, offset)->next_offset,
- offset, chainindex + rulenum, handle))
- return 0;
-
- if (!map_target(*handle, (STRUCT_ENTRY *)e, offset, &old))
- return 0;
-
- ret = insert_rules(1, e->next_offset, e, offset,
- chainindex + rulenum, 1, handle);
- unmap_target((STRUCT_ENTRY *)e, &old);
- return ret;
-}
-
-/* Append entry `fw' to chain `chain'. Equivalent to insert with
- rulenum = length of chain. */
-int
-TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *e,
- TC_HANDLE_T *handle)
-{
- struct chain_cache *c;
- STRUCT_ENTRY_TARGET old;
- int ret;
-
- iptc_fn = TC_APPEND_ENTRY;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- if (!map_target(*handle, (STRUCT_ENTRY *)e,
- c->end_off, &old))
- return 0;
-
- ret = insert_rules(1, e->next_offset, e, c->end_off,
- offset2index(*handle, c->end_off), 0, handle);
- unmap_target((STRUCT_ENTRY *)e, &old);
- return ret;
-}
-
-static inline int
-match_different(const STRUCT_ENTRY_MATCH *a,
- const unsigned char *a_elems,
- const unsigned char *b_elems,
- unsigned char **maskptr)
-{
- const STRUCT_ENTRY_MATCH *b;
- unsigned int i;
-
- /* Offset of b is the same as a. */
- b = (void *)b_elems + ((unsigned char *)a - a_elems);
-
- if (a->u.match_size != b->u.match_size)
- return 1;
-
- if (strcmp(a->u.user.name, b->u.user.name) != 0)
- return 1;
-
- *maskptr += ALIGN(sizeof(*a));
-
- for (i = 0; i < a->u.match_size - ALIGN(sizeof(*a)); i++)
- if (((a->data[i] ^ b->data[i]) & (*maskptr)[i]) != 0)
- return 1;
- *maskptr += i;
- return 0;
-}
-
-static inline int
-target_different(const unsigned char *a_targdata,
- const unsigned char *b_targdata,
- unsigned int tdatasize,
- const unsigned char *mask)
-{
- unsigned int i;
- for (i = 0; i < tdatasize; i++)
- if (((a_targdata[i] ^ b_targdata[i]) & mask[i]) != 0)
- return 1;
-
- return 0;
-}
-
-static int
-is_same(const STRUCT_ENTRY *a,
- const STRUCT_ENTRY *b,
- unsigned char *matchmask);
-
-/* Delete the first rule in `chain' which matches `fw'. */
-int
-TC_DELETE_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *origfw,
- unsigned char *matchmask,
- TC_HANDLE_T *handle)
-{
- unsigned int offset;
- struct chain_cache *c;
- STRUCT_ENTRY *e, *fw;
-
- iptc_fn = TC_DELETE_ENTRY;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- fw = malloc(origfw->next_offset);
- if (fw == NULL) {
- errno = ENOMEM;
- return 0;
- }
-
- for (offset = c->start_off; offset < c->end_off;
- offset += e->next_offset) {
- STRUCT_ENTRY_TARGET discard;
-
- memcpy(fw, origfw, origfw->next_offset);
-
- /* FIXME: handle this in is_same --RR */
- if (!map_target(*handle, fw, offset, &discard)) {
- free(fw);
- return 0;
- }
- e = get_entry(*handle, offset);
-
-#if 0
- printf("Deleting:\n");
- dump_entry(newe);
-#endif
- if (is_same(e, fw, matchmask)) {
- int ret;
- ret = delete_rules(1, e->next_offset,
- offset, entry2index(*handle, e),
- handle);
- free(fw);
- return ret;
- }
- }
-
- free(fw);
- errno = ENOENT;
- return 0;
-}
-
-/* Delete the rule in position `rulenum' in `chain'. */
-int
-TC_DELETE_NUM_ENTRY(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- unsigned int index;
- int ret;
- STRUCT_ENTRY *e;
- struct chain_cache *c;
-
- iptc_fn = TC_DELETE_NUM_ENTRY;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- index = offset2index(*handle, c->start_off) + rulenum;
-
- if (index >= offset2index(*handle, c->end_off)) {
- errno = E2BIG;
- return 0;
- }
-
- e = index2entry(*handle, index);
- if (e == NULL) {
- errno = EINVAL;
- return 0;
- }
-
- ret = delete_rules(1, e->next_offset, entry2offset(*handle, e),
- index, handle);
- return ret;
-}
-
-/* Check the packet `fw' on chain `chain'. Returns the verdict, or
- NULL and sets errno. */
-const char *
-TC_CHECK_PACKET(const IPT_CHAINLABEL chain,
- STRUCT_ENTRY *entry,
- TC_HANDLE_T *handle)
-{
- errno = ENOSYS;
- return NULL;
-}
-
-/* Flushes the entries in the given chain (ie. empties chain). */
-int
-TC_FLUSH_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- unsigned int startindex, endindex;
- STRUCT_ENTRY *startentry, *endentry;
- struct chain_cache *c;
- int ret;
-
- iptc_fn = TC_FLUSH_ENTRIES;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
- startindex = offset2index(*handle, c->start_off);
- endindex = offset2index(*handle, c->end_off);
- startentry = offset2entry(*handle, c->start_off);
- endentry = offset2entry(*handle, c->end_off);
-
- ret = delete_rules(endindex - startindex,
- (char *)endentry - (char *)startentry,
- c->start_off, startindex,
- handle);
- return ret;
-}
-
-/* Zeroes the counters in a chain. */
-int
-TC_ZERO_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- unsigned int i, end;
- struct chain_cache *c;
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- i = offset2index(*handle, c->start_off);
- end = offset2index(*handle, c->end_off);
-
- for (; i <= end; i++) {
- if ((*handle)->counter_map[i].maptype ==COUNTER_MAP_NORMAL_MAP)
- (*handle)->counter_map[i].maptype = COUNTER_MAP_ZEROED;
- }
- set_changed(*handle);
-
- return 1;
-}
-
-STRUCT_COUNTERS *
-TC_READ_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- STRUCT_ENTRY *e;
- struct chain_cache *c;
- unsigned int chainindex, end;
-
- iptc_fn = TC_READ_COUNTER;
- CHECK(*handle);
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return NULL;
- }
-
- chainindex = offset2index(*handle, c->start_off);
- end = offset2index(*handle, c->end_off);
-
- if (chainindex + rulenum > end) {
- errno = E2BIG;
- return NULL;
- }
-
- e = index2entry(*handle, chainindex + rulenum);
-
- return &e->counters;
-}
-
-int
-TC_ZERO_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- STRUCT_ENTRY *e;
- struct chain_cache *c;
- unsigned int chainindex, end;
-
- iptc_fn = TC_ZERO_COUNTER;
- CHECK(*handle);
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- chainindex = offset2index(*handle, c->start_off);
- end = offset2index(*handle, c->end_off);
-
- if (chainindex + rulenum > end) {
- errno = E2BIG;
- return 0;
- }
-
- e = index2entry(*handle, chainindex + rulenum);
-
- if ((*handle)->counter_map[chainindex + rulenum].maptype
- == COUNTER_MAP_NORMAL_MAP) {
- (*handle)->counter_map[chainindex + rulenum].maptype
- = COUNTER_MAP_ZEROED;
- }
-
- set_changed(*handle);
-
- return 1;
-}
-
-int
-TC_SET_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- STRUCT_COUNTERS *counters,
- TC_HANDLE_T *handle)
-{
- STRUCT_ENTRY *e;
- struct chain_cache *c;
- unsigned int chainindex, end;
-
- iptc_fn = TC_SET_COUNTER;
- CHECK(*handle);
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- chainindex = offset2index(*handle, c->start_off);
- end = offset2index(*handle, c->end_off);
-
- if (chainindex + rulenum > end) {
- errno = E2BIG;
- return 0;
- }
-
- e = index2entry(*handle, chainindex + rulenum);
-
- (*handle)->counter_map[chainindex + rulenum].maptype
- = COUNTER_MAP_SET;
-
- memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS));
-
- set_changed(*handle);
-
- return 1;
-}
-
-/* Creates a new chain. */
-/* To create a chain, create two rules: error node and unconditional
- * return. */
-int
-TC_CREATE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- int ret;
- struct {
- STRUCT_ENTRY head;
- struct ipt_error_target name;
- STRUCT_ENTRY ret;
- STRUCT_STANDARD_TARGET target;
- } newc;
- unsigned int destination;
-
- iptc_fn = TC_CREATE_CHAIN;
-
- /* find_label doesn't cover built-in targets: DROP, ACCEPT,
- QUEUE, RETURN. */
- if (find_label(chain, *handle)
- || strcmp(chain, LABEL_DROP) == 0
- || strcmp(chain, LABEL_ACCEPT) == 0
- || strcmp(chain, LABEL_QUEUE) == 0
- || strcmp(chain, LABEL_RETURN) == 0) {
- errno = EEXIST;
- return 0;
- }
-
- if (strlen(chain)+1 > sizeof(IPT_CHAINLABEL)) {
- errno = EINVAL;
- return 0;
- }
-
- memset(&newc, 0, sizeof(newc));
- newc.head.target_offset = sizeof(STRUCT_ENTRY);
- newc.head.next_offset
- = sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(struct ipt_error_target));
- strcpy(newc.name.t.u.user.name, ERROR_TARGET);
- newc.name.t.u.target_size = ALIGN(sizeof(struct ipt_error_target));
- strcpy(newc.name.error, chain);
-
- newc.ret.target_offset = sizeof(STRUCT_ENTRY);
- newc.ret.next_offset
- = sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(STRUCT_STANDARD_TARGET));
- strcpy(newc.target.target.u.user.name, STANDARD_TARGET);
- newc.target.target.u.target_size
- = ALIGN(sizeof(STRUCT_STANDARD_TARGET));
- newc.target.verdict = RETURN;
-
- destination = index2offset(*handle, (*handle)->new_number -1);
-
- /* Add just before terminal entry */
- ret = insert_rules(2, sizeof(newc), &newc.head,
- destination,
- (*handle)->new_number - 1,
- 0, handle);
-
- set_changed(*handle);
-
- /* add chain cache info for this chain */
- add_chain_cache(*handle, chain,
- destination+newc.head.next_offset,
- destination+newc.head.next_offset);
-
- return ret;
-}
-
-static int
-count_ref(STRUCT_ENTRY *e, unsigned int offset, unsigned int *ref)
-{
- STRUCT_STANDARD_TARGET *t;
-
- if (strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET) == 0) {
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
-
- if (t->verdict == offset)
- (*ref)++;
- }
-
- return 0;
-}
-
-/* Get the number of references to this chain. */
-int
-TC_GET_REFERENCES(unsigned int *ref, const IPT_CHAINLABEL chain,
- TC_HANDLE_T *handle)
-{
- struct chain_cache *c;
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- *ref = 0;
- ENTRY_ITERATE((*handle)->entries.entrytable,
- (*handle)->entries.size,
- count_ref, c->start_off, ref);
- return 1;
-}
-
-/* Deletes a chain. */
-int
-TC_DELETE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- unsigned int labelidx, labeloff;
- unsigned int references;
- struct chain_cache *c;
- int ret;
- STRUCT_ENTRY *start;
-
- if (!TC_GET_REFERENCES(&references, chain, handle))
- return 0;
-
- iptc_fn = TC_DELETE_CHAIN;
-
- if (TC_BUILTIN(chain, *handle)) {
- errno = EINVAL;
- return 0;
- }
-
- if (references > 0) {
- errno = EMLINK;
- return 0;
- }
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- if (c->start_off != c->end_off) {
- errno = ENOTEMPTY;
- return 0;
- }
-
- /* Need label index: preceeds chain start */
- labelidx = offset2index(*handle, c->start_off) - 1;
- labeloff = index2offset(*handle, labelidx);
-
- start = offset2entry(*handle, c->start_off);
-
- ret = delete_rules(2,
- get_entry(*handle, labeloff)->next_offset
- + start->next_offset,
- labeloff, labelidx, handle);
- return ret;
-}
-
-/* Renames a chain. */
-int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
- const IPT_CHAINLABEL newname,
- TC_HANDLE_T *handle)
-{
- unsigned int labeloff, labelidx;
- struct chain_cache *c;
- struct ipt_error_target *t;
-
- iptc_fn = TC_RENAME_CHAIN;
-
- /* find_label doesn't cover built-in targets: DROP, ACCEPT,
- QUEUE, RETURN. */
- if (find_label(newname, *handle)
- || strcmp(newname, LABEL_DROP) == 0
- || strcmp(newname, LABEL_ACCEPT) == 0
- || strcmp(newname, LABEL_QUEUE) == 0
- || strcmp(newname, LABEL_RETURN) == 0) {
- errno = EEXIST;
- return 0;
- }
-
- if (!(c = find_label(oldname, *handle))
- || TC_BUILTIN(oldname, *handle)) {
- errno = ENOENT;
- return 0;
- }
-
- if (strlen(newname)+1 > sizeof(IPT_CHAINLABEL)) {
- errno = EINVAL;
- return 0;
- }
-
- /* Need label index: preceeds chain start */
- labelidx = offset2index(*handle, c->start_off) - 1;
- labeloff = index2offset(*handle, labelidx);
-
- t = (struct ipt_error_target *)
- GET_TARGET(get_entry(*handle, labeloff));
-
- memset(t->error, 0, sizeof(t->error));
- strcpy(t->error, newname);
-
- /* update chain cache */
- memset(c->name, 0, sizeof(c->name));
- strcpy(c->name, newname);
-
- set_changed(*handle);
-
- return 1;
-}
-
-/* Sets the policy on a built-in chain. */
-int
-TC_SET_POLICY(const IPT_CHAINLABEL chain,
- const IPT_CHAINLABEL policy,
- STRUCT_COUNTERS *counters,
- TC_HANDLE_T *handle)
-{
- unsigned int hook;
- unsigned int policyoff, ctrindex;
- STRUCT_ENTRY *e;
- STRUCT_STANDARD_TARGET *t;
-
- iptc_fn = TC_SET_POLICY;
- /* Figure out which chain. */
- hook = TC_BUILTIN(chain, *handle);
- if (hook == 0) {
- errno = ENOENT;
- return 0;
- } else
- hook--;
-
- policyoff = get_chain_end(*handle, (*handle)->info.hook_entry[hook]);
- if (policyoff != (*handle)->info.underflow[hook]) {
- printf("ERROR: Policy for `%s' offset %u != underflow %u\n",
- chain, policyoff, (*handle)->info.underflow[hook]);
- return 0;
- }
-
- e = get_entry(*handle, policyoff);
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
-
- if (strcmp(policy, LABEL_ACCEPT) == 0)
- t->verdict = -NF_ACCEPT - 1;
- else if (strcmp(policy, LABEL_DROP) == 0)
- t->verdict = -NF_DROP - 1;
- else {
- errno = EINVAL;
- return 0;
- }
-
- ctrindex = entry2index(*handle, e);
-
- if (counters) {
- /* set byte and packet counters */
- memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS));
-
- (*handle)->counter_map[ctrindex].maptype
- = COUNTER_MAP_SET;
-
- } else {
- (*handle)->counter_map[ctrindex]
- = ((struct counter_map){ COUNTER_MAP_NOMAP, 0 });
- }
-
- set_changed(*handle);
-
- return 1;
-}
-
-/* Without this, on gcc 2.7.2.3, we get:
- libiptc.c: In function `TC_COMMIT':
- libiptc.c:833: fixed or forbidden register was spilled.
- This may be due to a compiler bug or to impossible asm
- statements or clauses.
-*/
-static void
-subtract_counters(STRUCT_COUNTERS *answer,
- const STRUCT_COUNTERS *a,
- const STRUCT_COUNTERS *b)
-{
- answer->pcnt = a->pcnt - b->pcnt;
- answer->bcnt = a->bcnt - b->bcnt;
-}
-
-int
-TC_COMMIT(TC_HANDLE_T *handle)
-{
- /* Replace, then map back the counters. */
- STRUCT_REPLACE *repl;
- STRUCT_COUNTERS_INFO *newcounters;
- unsigned int i;
- size_t counterlen;
-
- CHECK(*handle);
-
- counterlen = sizeof(STRUCT_COUNTERS_INFO)
- + sizeof(STRUCT_COUNTERS) * (*handle)->new_number;
-
-#if 0
- TC_DUMP_ENTRIES(*handle);
-#endif
-
- /* Don't commit if nothing changed. */
- if (!(*handle)->changed)
- goto finished;
-
- repl = malloc(sizeof(*repl) + (*handle)->entries.size);
- if (!repl) {
- errno = ENOMEM;
- return 0;
- }
-
- /* These are the old counters we will get from kernel */
- repl->counters = malloc(sizeof(STRUCT_COUNTERS)
- * (*handle)->info.num_entries);
- if (!repl->counters) {
- free(repl);
- errno = ENOMEM;
- return 0;
- }
-
- /* These are the counters we're going to put back, later. */
- newcounters = malloc(counterlen);
- if (!newcounters) {
- free(repl->counters);
- free(repl);
- errno = ENOMEM;
- return 0;
- }
-
- strcpy(repl->name, (*handle)->info.name);
- repl->num_entries = (*handle)->new_number;
- repl->size = (*handle)->entries.size;
- memcpy(repl->hook_entry, (*handle)->info.hook_entry,
- sizeof(repl->hook_entry));
- memcpy(repl->underflow, (*handle)->info.underflow,
- sizeof(repl->underflow));
- repl->num_counters = (*handle)->info.num_entries;
- repl->valid_hooks = (*handle)->info.valid_hooks;
- memcpy(repl->entries, (*handle)->entries.entrytable,
- (*handle)->entries.size);
-
- if (setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
- sizeof(*repl) + (*handle)->entries.size) < 0) {
- free(repl->counters);
- free(repl);
- free(newcounters);
- return 0;
- }
-
- /* Put counters back. */
- strcpy(newcounters->name, (*handle)->info.name);
- newcounters->num_counters = (*handle)->new_number;
- for (i = 0; i < (*handle)->new_number; i++) {
- unsigned int mappos = (*handle)->counter_map[i].mappos;
- switch ((*handle)->counter_map[i].maptype) {
- case COUNTER_MAP_NOMAP:
- newcounters->counters[i]
- = ((STRUCT_COUNTERS){ 0, 0 });
- break;
-
- case COUNTER_MAP_NORMAL_MAP:
- /* Original read: X.
- * Atomic read on replacement: X + Y.
- * Currently in kernel: Z.
- * Want in kernel: X + Y + Z.
- * => Add in X + Y
- * => Add in replacement read.
- */
- newcounters->counters[i] = repl->counters[mappos];
- break;
-
- case COUNTER_MAP_ZEROED:
- /* Original read: X.
- * Atomic read on replacement: X + Y.
- * Currently in kernel: Z.
- * Want in kernel: Y + Z.
- * => Add in Y.
- * => Add in (replacement read - original read).
- */
- subtract_counters(&newcounters->counters[i],
- &repl->counters[mappos],
- &index2entry(*handle, i)->counters);
- break;
-
- case COUNTER_MAP_SET:
- /* Want to set counter (iptables-restore) */
-
- memcpy(&newcounters->counters[i],
- &index2entry(*handle, i)->counters,
- sizeof(STRUCT_COUNTERS));
-
- break;
- }
- }
-
-#ifdef KERNEL_64_USERSPACE_32
- {
- /* Kernel will think that pointer should be 64-bits, and get
- padding. So we accomodate here (assumption: alignment of
- `counters' is on 64-bit boundary). */
- u_int64_t *kernptr = (u_int64_t *)&newcounters->counters;
- if ((unsigned long)&newcounters->counters % 8 != 0) {
- fprintf(stderr,
- "counters alignment incorrect! Mail rusty!\n");
- abort();
- }
- *kernptr = newcounters->counters;
- }
-#endif /* KERNEL_64_USERSPACE_32 */
-
- if (setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
- newcounters, counterlen) < 0) {
- free(repl->counters);
- free(repl);
- free(newcounters);
- return 0;
- }
-
- free(repl->counters);
- free(repl);
- free(newcounters);
-
- finished:
- TC_FREE(handle);
- return 1;
-}
-
-/* Get raw socket. */
-int
-TC_GET_RAW_SOCKET()
-{
- return sockfd;
-}
-
-/* Translates errno numbers into more human-readable form than strerror. */
-const char *
-TC_STRERROR(int err)
-{
- unsigned int i;
- struct table_struct {
- void *fn;
- int err;
- const char *message;
- } table [] =
- { { TC_INIT, EPERM, "Permission denied (you must be root)" },
- { TC_INIT, EINVAL, "Module is wrong version" },
- { TC_INIT, ENOENT,
- "Table does not exist (do you need to insmod?)" },
- { TC_DELETE_CHAIN, ENOTEMPTY, "Chain is not empty" },
- { TC_DELETE_CHAIN, EINVAL, "Can't delete built-in chain" },
- { TC_DELETE_CHAIN, EMLINK,
- "Can't delete chain with references left" },
- { TC_CREATE_CHAIN, EEXIST, "Chain already exists" },
- { TC_INSERT_ENTRY, E2BIG, "Index of insertion too big" },
- { TC_REPLACE_ENTRY, E2BIG, "Index of replacement too big" },
- { TC_DELETE_NUM_ENTRY, E2BIG, "Index of deletion too big" },
- { TC_READ_COUNTER, E2BIG, "Index of counter too big" },
- { TC_ZERO_COUNTER, E2BIG, "Index of counter too big" },
- { TC_INSERT_ENTRY, ELOOP, "Loop found in table" },
- { TC_INSERT_ENTRY, EINVAL, "Target problem" },
- /* EINVAL for CHECK probably means bad interface. */
- { TC_CHECK_PACKET, EINVAL,
- "Bad arguments (does that interface exist?)" },
- { TC_CHECK_PACKET, ENOSYS,
- "Checking will most likely never get implemented" },
- /* ENOENT for DELETE probably means no matching rule */
- { TC_DELETE_ENTRY, ENOENT,
- "Bad rule (does a matching rule exist in that chain?)" },
- { TC_SET_POLICY, ENOENT,
- "Bad built-in chain name" },
- { TC_SET_POLICY, EINVAL,
- "Bad policy name" },
-
- { NULL, 0, "Incompatible with this kernel" },
- { NULL, ENOPROTOOPT, "iptables who? (do you need to insmod?)" },
- { NULL, ENOSYS, "Will be implemented real soon. I promise ;)" },
- { NULL, ENOMEM, "Memory allocation problem" },
- { NULL, ENOENT, "No chain/target/match by that name" },
- };
-
- for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
- if ((!table[i].fn || table[i].fn == iptc_fn)
- && table[i].err == err)
- return table[i].message;
- }
-
- return strerror(err);
-}
+++ /dev/null
-/* Library which manipulates firewall rules. Version $Revision: 1.39 $ */
-
-/* Architecture of firewall rules is as follows:
- *
- * Chains go INPUT, FORWARD, OUTPUT then user chains.
- * Each user chain starts with an ERROR node.
- * Every chain ends with an unconditional jump: a RETURN for user chains,
- * and a POLICY for built-ins.
- */
-
-/* (C) 1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
- * COPYING for details).
- * (C) 2000-2003 by the Netfilter Core Team <coreteam@netfilter.org>
- *
- * 2003-Jun-20: Harald Welte <laforge@netfilter.org:
- * - Reimplementation of chain cache to use offsets instead of entries
- *
- */
-
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR "/usr/lib/iptables"
-#endif
-
-#ifndef __OPTIMIZE__
-STRUCT_ENTRY_TARGET *
-GET_TARGET(STRUCT_ENTRY *e)
-{
- return (void *)e + e->target_offset;
-}
-#endif
-
-static int sockfd = -1;
-static void *iptc_fn = NULL;
-
-static const char *hooknames[]
-= { [HOOK_PRE_ROUTING] "PREROUTING",
- [HOOK_LOCAL_IN] "INPUT",
- [HOOK_FORWARD] "FORWARD",
- [HOOK_LOCAL_OUT] "OUTPUT",
- [HOOK_POST_ROUTING] "POSTROUTING",
-#ifdef HOOK_DROPPING
- [HOOK_DROPPING] "DROPPING"
-#endif
-};
-
-struct counter_map
-{
- enum {
- COUNTER_MAP_NOMAP,
- COUNTER_MAP_NORMAL_MAP,
- COUNTER_MAP_ZEROED,
- COUNTER_MAP_SET
- } maptype;
- unsigned int mappos;
-};
-
-/* Convenience structures */
-struct ipt_error_target
-{
- STRUCT_ENTRY_TARGET t;
- char error[TABLE_MAXNAMELEN];
-};
-
-struct rule_head
-{
- struct list_head list;
-
- struct chain_head *chain;
-
- unsigned int size;
- STRUCT_ENTRY entry[0];
-}
-
-struct chain_head
-{
- struct list_head list;
-
- char name[TABLE_MAXNAMELEN];
- unsigned int hooknum;
- struct list_head rules;
-};
-
-STRUCT_TC_HANDLE
-{
- /* Have changes been made? */
- int changed;
-
- struct list_head chains;
-
- struct chain_head *chain_iterator_cur;
-
-#if 0
- /* Size in here reflects original state. */
- STRUCT_GETINFO info;
-
- struct counter_map *counter_map;
- /* Array of hook names */
- const char **hooknames;
-
- /* Cached position of chain heads (NULL = no cache). */
- unsigned int cache_num_chains;
- unsigned int cache_num_builtins;
- struct chain_cache *cache_chain_heads;
-
- /* Chain iterator: current chain cache entry. */
- struct chain_cache *cache_chain_iteration;
-
- /* Rule iterator: terminal rule */
- STRUCT_ENTRY *cache_rule_end;
-
- /* Number in here reflects current state. */
- unsigned int new_number;
- STRUCT_GET_ENTRIES entries;
-#endif
-};
-
-static void
-set_changed(TC_HANDLE_T h)
-{
- h->changed = 1;
-}
-
-#ifdef IPTC_DEBUG
-static void do_check(TC_HANDLE_T h, unsigned int line);
-#define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
-#else
-#define CHECK(h)
-#endif
-
-static inline int
-get_number(const STRUCT_ENTRY *i,
- const STRUCT_ENTRY *seek,
- unsigned int *pos)
-{
- if (i == seek)
- return 1;
- (*pos)++;
- return 0;
-}
-
-static unsigned int
-entry2index(const TC_HANDLE_T h, const STRUCT_ENTRY *seek)
-{
- unsigned int pos = 0;
-
- if (ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- get_number, seek, &pos) == 0) {
- fprintf(stderr, "ERROR: offset %i not an entry!\n",
- (char *)seek - (char *)h->entries.entrytable);
- abort();
- }
- return pos;
-}
-
-static inline int
-get_entry_n(STRUCT_ENTRY *i,
- unsigned int number,
- unsigned int *pos,
- STRUCT_ENTRY **pe)
-{
- if (*pos == number) {
- *pe = i;
- return 1;
- }
- (*pos)++;
- return 0;
-}
-
-static STRUCT_ENTRY *
-index2entry(TC_HANDLE_T h, unsigned int index)
-{
- unsigned int pos = 0;
- STRUCT_ENTRY *ret = NULL;
-
- ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
- get_entry_n, index, &pos, &ret);
-
- return ret;
-}
-
-static inline STRUCT_ENTRY *
-get_entry(TC_HANDLE_T h, unsigned int offset)
-{
- return (STRUCT_ENTRY *)((char *)h->entries.entrytable + offset);
-}
-
-static inline unsigned long
-entry2offset(const TC_HANDLE_T h, const STRUCT_ENTRY *e)
-{
- return (void *)e - (void *)h->entries.entrytable;
-}
-
-static inline unsigned long
-index2offset(TC_HANDLE_T h, unsigned int index)
-{
- return entry2offset(h, index2entry(h, index));
-}
-
-static inline STRUCT_ENTRY *
-offset2entry(TC_HANDLE_T h, unsigned int offset)
-{
- return (STRUCT_ENTRY *) ((void *)h->entries.entrytable+offset);
-}
-
-static inline unsigned int
-offset2index(const TC_HANDLE_T h, unsigned int offset)
-{
- return entry2index(h, offset2entry(h, offset));
-}
-
-
-static const char *
-get_errorlabel(TC_HANDLE_T h, unsigned int offset)
-{
- STRUCT_ENTRY *e;
-
- e = get_entry(h, offset);
- if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) != 0) {
- fprintf(stderr, "ERROR: offset %u not an error node!\n",
- offset);
- abort();
- }
-
- return (const char *)GET_TARGET(e)->data;
-}
-
-/* Allocate handle of given size */
-static TC_HANDLE_T
-alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
-{
- size_t len;
- TC_HANDLE_T h;
-
- len = sizeof(STRUCT_TC_HANDLE)
- + size
- + num_rules * sizeof(struct counter_map);
-
- if ((h = malloc(len)) == NULL) {
- errno = ENOMEM;
- return NULL;
- }
-
- h->changed = 0;
- h->cache_num_chains = 0;
- h->cache_chain_heads = NULL;
- h->counter_map = (void *)h
- + sizeof(STRUCT_TC_HANDLE)
- + size;
- strcpy(h->info.name, tablename);
- strcpy(h->entries.name, tablename);
-
- return h;
-}
-
-TC_HANDLE_T
-TC_INIT(const char *tablename)
-{
- TC_HANDLE_T h;
- STRUCT_GETINFO info;
- unsigned int i;
- int tmp;
- socklen_t s;
-
- iptc_fn = TC_INIT;
-
- if (sockfd != -1) {
- close(sockfd);
- sockfd = -1;
- }
-
- if (strlen(tablename) >= TABLE_MAXNAMELEN) {
- errno = EINVAL;
- return NULL;
- }
-
- sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
- if (sockfd < 0)
- return NULL;
-
- s = sizeof(info);
-
- strcpy(info.name, tablename);
- if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, &info, &s) < 0)
- return NULL;
-
- if ((h = alloc_handle(info.name, info.size, info.num_entries))
- == NULL) {
- close(sockfd);
- sockfd = -1;
- return NULL;
- }
-
-/* Too hard --RR */
-#if 0
- sprintf(pathname, "%s/%s", IPT_LIB_DIR, info.name);
- dynlib = dlopen(pathname, RTLD_NOW);
- if (!dynlib) {
- errno = ENOENT;
- return NULL;
- }
- h->hooknames = dlsym(dynlib, "hooknames");
- if (!h->hooknames) {
- errno = ENOENT;
- return NULL;
- }
-#else
- h->hooknames = hooknames;
-#endif
-
- /* Initialize current state */
- h->info = info;
- h->new_number = h->info.num_entries;
- for (i = 0; i < h->info.num_entries; i++)
- h->counter_map[i]
- = ((struct counter_map){COUNTER_MAP_NORMAL_MAP, i});
-
- h->entries.size = h->info.size;
-
- tmp = sizeof(STRUCT_GET_ENTRIES) + h->info.size;
-
- if (getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, &h->entries,
- &tmp) < 0) {
- close(sockfd);
- sockfd = -1;
- free(h);
- return NULL;
- }
-
- CHECK(h);
- return h;
-}
-
-void
-TC_FREE(TC_HANDLE_T *h)
-{
- close(sockfd);
- sockfd = -1;
- if ((*h)->cache_chain_heads)
- free((*h)->cache_chain_heads);
- free(*h);
- *h = NULL;
-}
-
-static inline int
-print_match(const STRUCT_ENTRY_MATCH *m)
-{
- printf("Match name: `%s'\n", m->u.user.name);
- return 0;
-}
-
-static int dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle);
-
-void
-TC_DUMP_ENTRIES(const TC_HANDLE_T handle)
-{
- CHECK(handle);
-
- printf("libiptc v%s. %u entries, %u bytes.\n",
- IPTABLES_VERSION,
- handle->new_number, handle->entries.size);
- printf("Table `%s'\n", handle->info.name);
- printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
- handle->info.hook_entry[HOOK_PRE_ROUTING],
- handle->info.hook_entry[HOOK_LOCAL_IN],
- handle->info.hook_entry[HOOK_FORWARD],
- handle->info.hook_entry[HOOK_LOCAL_OUT],
- handle->info.hook_entry[HOOK_POST_ROUTING]);
- printf("Underflows: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
- handle->info.underflow[HOOK_PRE_ROUTING],
- handle->info.underflow[HOOK_LOCAL_IN],
- handle->info.underflow[HOOK_FORWARD],
- handle->info.underflow[HOOK_LOCAL_OUT],
- handle->info.underflow[HOOK_POST_ROUTING]);
-
- ENTRY_ITERATE(handle->entries.entrytable, handle->entries.size,
- dump_entry, handle);
-}
-
-/* Returns 0 if not hook entry, else hooknumber + 1 */
-static inline unsigned int
-is_hook_entry(STRUCT_ENTRY *e, TC_HANDLE_T h)
-{
- unsigned int i;
-
- for (i = 0; i < NUMHOOKS; i++) {
- if ((h->info.valid_hooks & (1 << i))
- && get_entry(h, h->info.hook_entry[i]) == e)
- return i+1;
- }
- return 0;
-}
-static int alphasort(const void *a, const void *b)
-{
- return strcmp(((struct chain_cache *)a)->name,
- ((struct chain_cache *)b)->name);
-}
-
-/* Returns chain head if found, otherwise NULL. */
-static struct chain_head *
-find_label(const char *name, TC_HANDLE_T handle)
-{
- struct list_head *pos;
-
- if (!handle->chains)
- return NULL;
-
- list_for_each(pos, &handle->chains) {
- struct chain_head *c = list_entry(pos, struct chain_head, list);
- if (!strcmp(c->name, name))
- return c;
- }
-
- return NULL;
-}
-
-/* Does this chain exist? */
-int TC_IS_CHAIN(const char *chain, const TC_HANDLE_T handle)
-{
- return find_label(chain, handle) != NULL;
-}
-
-/* Returns the position of the final (ie. unconditional) element. */
-static unsigned int
-get_chain_end(const TC_HANDLE_T handle, unsigned int start)
-{
- unsigned int last_off, off;
- STRUCT_ENTRY *e;
-
- last_off = start;
- e = get_entry(handle, start);
-
- /* Terminate when we meet a error label or a hook entry. */
- for (off = start + e->next_offset;
- off < handle->entries.size;
- last_off = off, off += e->next_offset) {
- STRUCT_ENTRY_TARGET *t;
- unsigned int i;
-
- e = get_entry(handle, off);
-
- /* We hit an entry point. */
- for (i = 0; i < NUMHOOKS; i++) {
- if ((handle->info.valid_hooks & (1 << i))
- && off == handle->info.hook_entry[i])
- return last_off;
- }
-
- /* We hit a user chain label */
- t = GET_TARGET(e);
- if (strcmp(t->u.user.name, ERROR_TARGET) == 0)
- return last_off;
- }
- /* SHOULD NEVER HAPPEN */
- fprintf(stderr, "ERROR: Off end (%u) of chain from %u!\n",
- handle->entries.size, off);
- abort();
-}
-
-/* Iterator functions to run through the chains. */
-const char *
-TC_FIRST_CHAIN(TC_HANDLE_T *handle)
-{
- (*handle)->chain_iterator_cur = (*handle)->chains;
-
- return (*handle)->chains.name;
-}
-
-/* Iterator functions to run through the chains. Returns NULL at end. */
-const char *
-TC_NEXT_CHAIN(TC_HANDLE_T *handle)
-{
- struct chain_head *next = list_entry(&(*handle)->chain_iterator_cur->list.next, struct chain_head, list);
- (*handle)->chain_iterator_cur = next;
-
- if (next == (*handle)->chains)
- return NULL;
-
- return next->name;
-}
-
-/* Get first rule in the given chain: NULL for empty chain. */
-const STRUCT_ENTRY *
-TC_FIRST_RULE(const char *chain, TC_HANDLE_T *handle)
-{
- struct chain_head *c;
- struct rule_head *r;
-
- c = find_label(chain, *handle);
- if (!c) {
- errno = ENOENT;
- return NULL;
- }
-
- /* Empty chain: single return/policy rule */
- if (list_empty(c->rules))
- return NULL;
-
- r = list_entry(&c->rules.next, struct rule_head, list);
- (*handle)->rule_iterator_cur = r;
-
- return r->entry;
-}
-
-/* Returns NULL when rules run out. */
-const STRUCT_ENTRY *
-TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
-{
- struct rule_head *r = list_entry((*handle)->rule_iterator_cur->list.next, struct rule_head, list);
-
- if (r == r->chain)
- return NULL;
-
- /* NOTE: prev is without any influence ! */
- return r->entry;
-}
-
-#if 0
-/* How many rules in this chain? */
-unsigned int
-TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
-{
- unsigned int off = 0;
- STRUCT_ENTRY *start, *end;
-
- CHECK(*handle);
- if (!find_label(&off, chain, *handle)) {
- errno = ENOENT;
- return (unsigned int)-1;
- }
-
- start = get_entry(*handle, off);
- end = get_entry(*handle, get_chain_end(*handle, off));
-
- return entry2index(*handle, end) - entry2index(*handle, start);
-}
-
-/* Get n'th rule in this chain. */
-const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
- unsigned int n,
- TC_HANDLE_T *handle)
-{
- unsigned int pos = 0, chainindex;
-
- CHECK(*handle);
- if (!find_label(&pos, chain, *handle)) {
- errno = ENOENT;
- return NULL;
- }
-
- chainindex = entry2index(*handle, get_entry(*handle, pos));
-
- return index2entry(*handle, chainindex + n);
-}
-#endif
-
-static const char *
-target_name(TC_HANDLE_T handle, const STRUCT_ENTRY *ce)
-{
- int spos;
- unsigned int labelidx;
- STRUCT_ENTRY *jumpto;
-
- /* To avoid const warnings */
- STRUCT_ENTRY *e = (STRUCT_ENTRY *)ce;
-
- if (strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET) != 0)
- return GET_TARGET(e)->u.user.name;
-
- /* Standard target: evaluate */
- spos = *(int *)GET_TARGET(e)->data;
- if (spos < 0) {
- if (spos == RETURN)
- return LABEL_RETURN;
- else if (spos == -NF_ACCEPT-1)
- return LABEL_ACCEPT;
- else if (spos == -NF_DROP-1)
- return LABEL_DROP;
- else if (spos == -NF_QUEUE-1)
- return LABEL_QUEUE;
-
- fprintf(stderr, "ERROR: off %lu/%u not a valid target (%i)\n",
- entry2offset(handle, e), handle->entries.size,
- spos);
- abort();
- }
-
- jumpto = get_entry(handle, spos);
-
- /* Fall through rule */
- if (jumpto == (void *)e + e->next_offset)
- return "";
-
- /* Must point to head of a chain: ie. after error rule */
- labelidx = entry2index(handle, jumpto) - 1;
- return get_errorlabel(handle, index2offset(handle, labelidx));
-}
-
-/* Returns a pointer to the target name of this position. */
-const char *TC_GET_TARGET(const STRUCT_ENTRY *e,
- TC_HANDLE_T *handle)
-{
- return target_name(*handle, e);
-}
-
-/* Is this a built-in chain? Actually returns hook + 1. */
-int
-TC_BUILTIN(const char *chain, const TC_HANDLE_T handle)
-{
- unsigned int i;
-
- for (i = 0; i < NUMHOOKS; i++) {
- if ((handle->info.valid_hooks & (1 << i))
- && handle->hooknames[i]
- && strcmp(handle->hooknames[i], chain) == 0)
- return i+1;
- }
- return 0;
-}
-
-/* Get the policy of a given built-in chain */
-const char *
-TC_GET_POLICY(const char *chain,
- STRUCT_COUNTERS *counters,
- TC_HANDLE_T *handle)
-{
- unsigned int start;
- STRUCT_ENTRY *e;
- int hook;
-
- hook = TC_BUILTIN(chain, *handle);
- if (hook != 0)
- start = (*handle)->info.hook_entry[hook-1];
- else
- return NULL;
-
- e = get_entry(*handle, get_chain_end(*handle, start));
- *counters = e->counters;
-
- return target_name(*handle, e);
-}
-
-static int
-correct_verdict(STRUCT_ENTRY *e,
- char *base,
- unsigned int offset, int delta_offset)
-{
- STRUCT_STANDARD_TARGET *t = (void *)GET_TARGET(e);
- unsigned int curr = (char *)e - base;
-
- /* Trap: insert of fall-through rule. Don't change fall-through
- verdict to jump-over-next-rule. */
- if (strcmp(t->target.u.user.name, STANDARD_TARGET) == 0
- && t->verdict > (int)offset
- && !(curr == offset &&
- t->verdict == curr + e->next_offset)) {
- t->verdict += delta_offset;
- }
-
- return 0;
-}
-
-/* Adjusts standard verdict jump positions after an insertion/deletion. */
-static int
-set_verdict(unsigned int offset, int delta_offset, TC_HANDLE_T *handle)
-{
- ENTRY_ITERATE((*handle)->entries.entrytable,
- (*handle)->entries.size,
- correct_verdict, (char *)(*handle)->entries.entrytable,
- offset, delta_offset);
-
- set_changed(*handle);
- return 1;
-}
-
-/* If prepend is set, then we are prepending to a chain: if the
- * insertion position is an entry point, keep the entry point. */
-static int
-insert_rules(unsigned int num_rules, unsigned int rules_size,
- const STRUCT_ENTRY *insert,
- unsigned int offset, unsigned int num_rules_offset,
- int prepend,
- TC_HANDLE_T *handle)
-{
- TC_HANDLE_T newh;
- STRUCT_GETINFO newinfo;
- unsigned int i;
-
- if (offset >= (*handle)->entries.size) {
- errno = EINVAL;
- return 0;
- }
-
- newinfo = (*handle)->info;
-
- /* Fix up entry points. */
- for (i = 0; i < NUMHOOKS; i++) {
- /* Entry points to START of chain, so keep same if
- inserting on at that point. */
- if ((*handle)->info.hook_entry[i] > offset)
- newinfo.hook_entry[i] += rules_size;
-
- /* Underflow always points to END of chain (policy),
- so if something is inserted at same point, it
- should be advanced. */
- if ((*handle)->info.underflow[i] >= offset)
- newinfo.underflow[i] += rules_size;
- }
-
- newh = alloc_handle((*handle)->info.name,
- (*handle)->entries.size + rules_size,
- (*handle)->new_number + num_rules);
- if (!newh)
- return 0;
- newh->info = newinfo;
-
- /* Copy pre... */
- memcpy(newh->entries.entrytable, (*handle)->entries.entrytable,offset);
- /* ... Insert new ... */
- memcpy((char *)newh->entries.entrytable + offset, insert, rules_size);
- /* ... copy post */
- memcpy((char *)newh->entries.entrytable + offset + rules_size,
- (char *)(*handle)->entries.entrytable + offset,
- (*handle)->entries.size - offset);
-
- /* Move counter map. */
- /* Copy pre... */
- memcpy(newh->counter_map, (*handle)->counter_map,
- sizeof(struct counter_map) * num_rules_offset);
- /* ... copy post */
- memcpy(newh->counter_map + num_rules_offset + num_rules,
- (*handle)->counter_map + num_rules_offset,
- sizeof(struct counter_map) * ((*handle)->new_number
- - num_rules_offset));
- /* Set intermediates to no counter copy */
- for (i = 0; i < num_rules; i++)
- newh->counter_map[num_rules_offset+i]
- = ((struct counter_map){ COUNTER_MAP_SET, 0 });
-
- newh->new_number = (*handle)->new_number + num_rules;
- newh->entries.size = (*handle)->entries.size + rules_size;
- newh->hooknames = (*handle)->hooknames;
-
- if ((*handle)->cache_chain_heads)
- free((*handle)->cache_chain_heads);
- free(*handle);
- *handle = newh;
-
- return set_verdict(offset, rules_size, handle);
-}
-
-static int
-delete_rules(unsigned int num_rules, unsigned int rules_size,
- unsigned int offset, unsigned int num_rules_offset,
- TC_HANDLE_T *handle)
-{
- unsigned int i;
-
- if (offset + rules_size > (*handle)->entries.size) {
- errno = EINVAL;
- return 0;
- }
-
- /* Fix up entry points. */
- for (i = 0; i < NUMHOOKS; i++) {
- /* In practice, we never delete up to a hook entry,
- since the built-in chains are always first,
- so these two are never equal */
- if ((*handle)->info.hook_entry[i] >= offset + rules_size)
- (*handle)->info.hook_entry[i] -= rules_size;
- else if ((*handle)->info.hook_entry[i] > offset) {
- fprintf(stderr, "ERROR: Deleting entry %u %u %u\n",
- i, (*handle)->info.hook_entry[i], offset);
- abort();
- }
-
- /* Underflow points to policy (terminal) rule in
- built-in, so sequality is valid here (when deleting
- the last rule). */
- if ((*handle)->info.underflow[i] >= offset + rules_size)
- (*handle)->info.underflow[i] -= rules_size;
- else if ((*handle)->info.underflow[i] > offset) {
- fprintf(stderr, "ERROR: Deleting uflow %u %u %u\n",
- i, (*handle)->info.underflow[i], offset);
- abort();
- }
- }
-
- /* Move the rules down. */
- memmove((char *)(*handle)->entries.entrytable + offset,
- (char *)(*handle)->entries.entrytable + offset + rules_size,
- (*handle)->entries.size - (offset + rules_size));
-
- /* Move the counter map down. */
- memmove(&(*handle)->counter_map[num_rules_offset],
- &(*handle)->counter_map[num_rules_offset + num_rules],
- sizeof(struct counter_map)
- * ((*handle)->new_number - (num_rules + num_rules_offset)));
-
- /* Fix numbers */
- (*handle)->new_number -= num_rules;
- (*handle)->entries.size -= rules_size;
-
- return set_verdict(offset, -(int)rules_size, handle);
-}
-
-static int
-standard_map(STRUCT_ENTRY *e, int verdict)
-{
- STRUCT_STANDARD_TARGET *t;
-
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
-
- if (t->target.u.target_size
- != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
- errno = EINVAL;
- return 0;
- }
- /* memset for memcmp convenience on delete/replace */
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
- strcpy(t->target.u.user.name, STANDARD_TARGET);
- t->verdict = verdict;
-
- return 1;
-}
-
-static int
-map_target(const TC_HANDLE_T handle,
- STRUCT_ENTRY *e,
- unsigned int offset,
- STRUCT_ENTRY_TARGET *old)
-{
- STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
-
- /* Save old target (except data, which we don't change, except for
- standard case, where we don't care). */
- *old = *t;
-
- /* Maybe it's empty (=> fall through) */
- if (strcmp(t->u.user.name, "") == 0)
- return standard_map(e, offset + e->next_offset);
- /* Maybe it's a standard target name... */
- else if (strcmp(t->u.user.name, LABEL_ACCEPT) == 0)
- return standard_map(e, -NF_ACCEPT - 1);
- else if (strcmp(t->u.user.name, LABEL_DROP) == 0)
- return standard_map(e, -NF_DROP - 1);
- else if (strcmp(t->u.user.name, LABEL_QUEUE) == 0)
- return standard_map(e, -NF_QUEUE - 1);
- else if (strcmp(t->u.user.name, LABEL_RETURN) == 0)
- return standard_map(e, RETURN);
- else if (TC_BUILTIN(t->u.user.name, handle)) {
- /* Can't jump to builtins. */
- errno = EINVAL;
- return 0;
- } else {
- /* Maybe it's an existing chain name. */
- struct chain_cache *c;
-
- c = find_label(t->u.user.name, handle);
- if (c)
- return standard_map(e, c->start_off);
- }
-
- /* Must be a module? If not, kernel will reject... */
- /* memset to all 0 for your memcmp convenience. */
- memset(t->u.user.name + strlen(t->u.user.name),
- 0,
- FUNCTION_MAXNAMELEN - strlen(t->u.user.name));
- return 1;
-}
-
-static void
-unmap_target(STRUCT_ENTRY *e, STRUCT_ENTRY_TARGET *old)
-{
- STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
-
- /* Save old target (except data, which we don't change, except for
- standard case, where we don't care). */
- *t = *old;
-}
-
-/* Insert the entry `fw' in chain `chain' into position `rulenum'. */
-int
-TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *e,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- unsigned int chainindex, offset;
- STRUCT_ENTRY_TARGET old;
- struct chain_cache *c;
- STRUCT_ENTRY *tmp;
- int ret;
-
- iptc_fn = TC_INSERT_ENTRY;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- chainindex = offset2index(*handle, c->start_off);
-
- tmp = index2entry(*handle, chainindex + rulenum);
- if (!tmp || tmp > offset2entry(*handle, c->end_off)) {
- errno = E2BIG;
- return 0;
- }
- offset = index2offset(*handle, chainindex + rulenum);
-
- /* Mapping target actually alters entry, but that's
- transparent to the caller. */
- if (!map_target(*handle, (STRUCT_ENTRY *)e, offset, &old))
- return 0;
-
- ret = insert_rules(1, e->next_offset, e, offset,
- chainindex + rulenum, rulenum == 0, handle);
- unmap_target((STRUCT_ENTRY *)e, &old);
- return ret;
-}
-
-/* Atomically replace rule `rulenum' in `chain' with `fw'. */
-int
-TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *e,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- unsigned int chainindex, offset;
- STRUCT_ENTRY_TARGET old;
- struct chain_cache *c;
- STRUCT_ENTRY *tmp;
- int ret;
-
- iptc_fn = TC_REPLACE_ENTRY;
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- chainindex = offset2index(*handle, c->start_off);
-
- tmp = index2entry(*handle, chainindex + rulenum);
- if (!tmp || tmp >= offset2entry(*handle, c->end_off)) {
- errno = E2BIG;
- return 0;
- }
-
- offset = index2offset(*handle, chainindex + rulenum);
- /* Replace = delete and insert. */
- if (!delete_rules(1, get_entry(*handle, offset)->next_offset,
- offset, chainindex + rulenum, handle))
- return 0;
-
- if (!map_target(*handle, (STRUCT_ENTRY *)e, offset, &old))
- return 0;
-
- ret = insert_rules(1, e->next_offset, e, offset,
- chainindex + rulenum, 1, handle);
- unmap_target((STRUCT_ENTRY *)e, &old);
- return ret;
-}
-
-/* Append entry `fw' to chain `chain'. Equivalent to insert with
- rulenum = length of chain. */
-int
-TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *e,
- TC_HANDLE_T *handle)
-{
- struct chain_cache *c;
- STRUCT_ENTRY_TARGET old;
- int ret;
-
- iptc_fn = TC_APPEND_ENTRY;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- if (!map_target(*handle, (STRUCT_ENTRY *)e,
- c->end_off, &old))
- return 0;
-
- ret = insert_rules(1, e->next_offset, e, c->end_off,
- offset2index(*handle, c->end_off), 0, handle);
- unmap_target((STRUCT_ENTRY *)e, &old);
- return ret;
-}
-
-static inline int
-match_different(const STRUCT_ENTRY_MATCH *a,
- const unsigned char *a_elems,
- const unsigned char *b_elems,
- unsigned char **maskptr)
-{
- const STRUCT_ENTRY_MATCH *b;
- unsigned int i;
-
- /* Offset of b is the same as a. */
- b = (void *)b_elems + ((unsigned char *)a - a_elems);
-
- if (a->u.match_size != b->u.match_size)
- return 1;
-
- if (strcmp(a->u.user.name, b->u.user.name) != 0)
- return 1;
-
- *maskptr += ALIGN(sizeof(*a));
-
- for (i = 0; i < a->u.match_size - ALIGN(sizeof(*a)); i++)
- if (((a->data[i] ^ b->data[i]) & (*maskptr)[i]) != 0)
- return 1;
- *maskptr += i;
- return 0;
-}
-
-static inline int
-target_different(const unsigned char *a_targdata,
- const unsigned char *b_targdata,
- unsigned int tdatasize,
- const unsigned char *mask)
-{
- unsigned int i;
- for (i = 0; i < tdatasize; i++)
- if (((a_targdata[i] ^ b_targdata[i]) & mask[i]) != 0)
- return 1;
-
- return 0;
-}
-
-static int
-is_same(const STRUCT_ENTRY *a,
- const STRUCT_ENTRY *b,
- unsigned char *matchmask);
-
-/* Delete the first rule in `chain' which matches `fw'. */
-int
-TC_DELETE_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY *origfw,
- unsigned char *matchmask,
- TC_HANDLE_T *handle)
-{
- unsigned int offset;
- struct chain_cache *c;
- STRUCT_ENTRY *e, *fw;
-
- iptc_fn = TC_DELETE_ENTRY;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- fw = malloc(origfw->next_offset);
- if (fw == NULL) {
- errno = ENOMEM;
- return 0;
- }
-
- for (offset = c->start_off; offset < c->end_off;
- offset += e->next_offset) {
- STRUCT_ENTRY_TARGET discard;
-
- memcpy(fw, origfw, origfw->next_offset);
-
- /* FIXME: handle this in is_same --RR */
- if (!map_target(*handle, fw, offset, &discard)) {
- free(fw);
- return 0;
- }
- e = get_entry(*handle, offset);
-
-#if 0
- printf("Deleting:\n");
- dump_entry(newe);
-#endif
- if (is_same(e, fw, matchmask)) {
- int ret;
- ret = delete_rules(1, e->next_offset,
- offset, entry2index(*handle, e),
- handle);
- free(fw);
- return ret;
- }
- }
-
- free(fw);
- errno = ENOENT;
- return 0;
-}
-
-/* Delete the rule in position `rulenum' in `chain'. */
-int
-TC_DELETE_NUM_ENTRY(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- unsigned int index;
- int ret;
- STRUCT_ENTRY *e;
- struct chain_cache *c;
-
- iptc_fn = TC_DELETE_NUM_ENTRY;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- index = offset2index(*handle, c->start_off) + rulenum;
-
- if (index >= offset2index(*handle, c->end_off)) {
- errno = E2BIG;
- return 0;
- }
-
- e = index2entry(*handle, index);
- if (e == NULL) {
- errno = EINVAL;
- return 0;
- }
-
- ret = delete_rules(1, e->next_offset, entry2offset(*handle, e),
- index, handle);
- return ret;
-}
-
-/* Check the packet `fw' on chain `chain'. Returns the verdict, or
- NULL and sets errno. */
-const char *
-TC_CHECK_PACKET(const IPT_CHAINLABEL chain,
- STRUCT_ENTRY *entry,
- TC_HANDLE_T *handle)
-{
- errno = ENOSYS;
- return NULL;
-}
-
-/* Flushes the entries in the given chain (ie. empties chain). */
-int
-TC_FLUSH_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- unsigned int startindex, endindex;
- STRUCT_ENTRY *startentry, *endentry;
- struct chain_cache *c;
- int ret;
-
- iptc_fn = TC_FLUSH_ENTRIES;
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
- startindex = offset2index(*handle, c->start_off);
- endindex = offset2index(*handle, c->end_off);
- startentry = offset2entry(*handle, c->start_off);
- endentry = offset2entry(*handle, c->end_off);
-
- ret = delete_rules(endindex - startindex,
- (char *)endentry - (char *)startentry,
- c->start_off, startindex,
- handle);
- return ret;
-}
-
-/* Zeroes the counters in a chain. */
-int
-TC_ZERO_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- unsigned int i, end;
- struct chain_cache *c;
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- i = offset2index(*handle, c->start_off);
- end = offset2index(*handle, c->end_off);
-
- for (; i <= end; i++) {
- if ((*handle)->counter_map[i].maptype ==COUNTER_MAP_NORMAL_MAP)
- (*handle)->counter_map[i].maptype = COUNTER_MAP_ZEROED;
- }
- set_changed(*handle);
-
- return 1;
-}
-
-STRUCT_COUNTERS *
-TC_READ_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- STRUCT_ENTRY *e;
- struct chain_cache *c;
- unsigned int chainindex, end;
-
- iptc_fn = TC_READ_COUNTER;
- CHECK(*handle);
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return NULL;
- }
-
- chainindex = offset2index(*handle, c->start_off);
- end = offset2index(*handle, c->end_off);
-
- if (chainindex + rulenum > end) {
- errno = E2BIG;
- return NULL;
- }
-
- e = index2entry(*handle, chainindex + rulenum);
-
- return &e->counters;
-}
-
-int
-TC_ZERO_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- TC_HANDLE_T *handle)
-{
- STRUCT_ENTRY *e;
- struct chain_cache *c;
- unsigned int chainindex, end;
-
- iptc_fn = TC_ZERO_COUNTER;
- CHECK(*handle);
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- chainindex = offset2index(*handle, c->start_off);
- end = offset2index(*handle, c->end_off);
-
- if (chainindex + rulenum > end) {
- errno = E2BIG;
- return 0;
- }
-
- e = index2entry(*handle, chainindex + rulenum);
-
- if ((*handle)->counter_map[chainindex + rulenum].maptype
- == COUNTER_MAP_NORMAL_MAP) {
- (*handle)->counter_map[chainindex + rulenum].maptype
- = COUNTER_MAP_ZEROED;
- }
-
- set_changed(*handle);
-
- return 1;
-}
-
-int
-TC_SET_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- STRUCT_COUNTERS *counters,
- TC_HANDLE_T *handle)
-{
- STRUCT_ENTRY *e;
- struct chain_cache *c;
- unsigned int chainindex, end;
-
- iptc_fn = TC_SET_COUNTER;
- CHECK(*handle);
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- chainindex = offset2index(*handle, c->start_off);
- end = offset2index(*handle, c->end_off);
-
- if (chainindex + rulenum > end) {
- errno = E2BIG;
- return 0;
- }
-
- e = index2entry(*handle, chainindex + rulenum);
-
- (*handle)->counter_map[chainindex + rulenum].maptype
- = COUNTER_MAP_SET;
-
- memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS));
-
- set_changed(*handle);
-
- return 1;
-}
-
-/* Creates a new chain. */
-/* To create a chain, create two rules: error node and unconditional
- * return. */
-int
-TC_CREATE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- int ret;
- struct {
- STRUCT_ENTRY head;
- struct ipt_error_target name;
- STRUCT_ENTRY ret;
- STRUCT_STANDARD_TARGET target;
- } newc;
-
- iptc_fn = TC_CREATE_CHAIN;
-
- /* find_label doesn't cover built-in targets: DROP, ACCEPT,
- QUEUE, RETURN. */
- if (find_label(chain, *handle)
- || strcmp(chain, LABEL_DROP) == 0
- || strcmp(chain, LABEL_ACCEPT) == 0
- || strcmp(chain, LABEL_QUEUE) == 0
- || strcmp(chain, LABEL_RETURN) == 0) {
- errno = EEXIST;
- return 0;
- }
-
- if (strlen(chain)+1 > sizeof(IPT_CHAINLABEL)) {
- errno = EINVAL;
- return 0;
- }
-
- memset(&newc, 0, sizeof(newc));
- newc.head.target_offset = sizeof(STRUCT_ENTRY);
- newc.head.next_offset
- = sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(struct ipt_error_target));
- strcpy(newc.name.t.u.user.name, ERROR_TARGET);
- newc.name.t.u.target_size = ALIGN(sizeof(struct ipt_error_target));
- strcpy(newc.name.error, chain);
-
- newc.ret.target_offset = sizeof(STRUCT_ENTRY);
- newc.ret.next_offset
- = sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(STRUCT_STANDARD_TARGET));
- strcpy(newc.target.target.u.user.name, STANDARD_TARGET);
- newc.target.target.u.target_size
- = ALIGN(sizeof(STRUCT_STANDARD_TARGET));
- newc.target.verdict = RETURN;
-
- /* Add just before terminal entry */
- ret = insert_rules(2, sizeof(newc), &newc.head,
- index2offset(*handle, (*handle)->new_number - 1),
- (*handle)->new_number - 1,
- 0, handle);
- return ret;
-}
-
-static int
-count_ref(STRUCT_ENTRY *e, unsigned int offset, unsigned int *ref)
-{
- STRUCT_STANDARD_TARGET *t;
-
- if (strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET) == 0) {
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
-
- if (t->verdict == offset)
- (*ref)++;
- }
-
- return 0;
-}
-
-/* Get the number of references to this chain. */
-int
-TC_GET_REFERENCES(unsigned int *ref, const IPT_CHAINLABEL chain,
- TC_HANDLE_T *handle)
-{
- struct chain_cache *c;
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- *ref = 0;
- ENTRY_ITERATE((*handle)->entries.entrytable,
- (*handle)->entries.size,
- count_ref, c->start_off, ref);
- return 1;
-}
-
-/* Deletes a chain. */
-int
-TC_DELETE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
-{
- unsigned int labelidx, labeloff;
- unsigned int references;
- struct chain_cache *c;
- int ret;
- STRUCT_ENTRY *start;
-
- if (!TC_GET_REFERENCES(&references, chain, handle))
- return 0;
-
- iptc_fn = TC_DELETE_CHAIN;
-
- if (TC_BUILTIN(chain, *handle)) {
- errno = EINVAL;
- return 0;
- }
-
- if (references > 0) {
- errno = EMLINK;
- return 0;
- }
-
- if (!(c = find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- if (c->start_off != c->end_off) {
- errno = ENOTEMPTY;
- return 0;
- }
-
- /* Need label index: preceeds chain start */
- labelidx = offset2index(*handle, c->start_off) - 1;
- labeloff = index2offset(*handle, labelidx);
-
- start = offset2entry(*handle, c->start_off);
-
- ret = delete_rules(2,
- get_entry(*handle, labeloff)->next_offset
- + start->next_offset,
- labeloff, labelidx, handle);
- return ret;
-}
-
-/* Renames a chain. */
-int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
- const IPT_CHAINLABEL newname,
- TC_HANDLE_T *handle)
-{
- unsigned int labeloff, labelidx;
- struct chain_cache *c;
- struct ipt_error_target *t;
-
- iptc_fn = TC_RENAME_CHAIN;
-
- /* find_label doesn't cover built-in targets: DROP, ACCEPT,
- QUEUE, RETURN. */
- if (find_label(newname, *handle)
- || strcmp(newname, LABEL_DROP) == 0
- || strcmp(newname, LABEL_ACCEPT) == 0
- || strcmp(newname, LABEL_QUEUE) == 0
- || strcmp(newname, LABEL_RETURN) == 0) {
- errno = EEXIST;
- return 0;
- }
-
- if (!(c = find_label(oldname, *handle))
- || TC_BUILTIN(oldname, *handle)) {
- errno = ENOENT;
- return 0;
- }
-
- if (strlen(newname)+1 > sizeof(IPT_CHAINLABEL)) {
- errno = EINVAL;
- return 0;
- }
-
- /* Need label index: preceeds chain start */
- labelidx = offset2index(*handle, c->start_off) - 1;
- labeloff = index2offset(*handle, labelidx);
-
- t = (struct ipt_error_target *)
- GET_TARGET(get_entry(*handle, labeloff));
-
- memset(t->error, 0, sizeof(t->error));
- strcpy(t->error, newname);
- set_changed(*handle);
-
- return 1;
-}
-
-/* Sets the policy on a built-in chain. */
-int
-TC_SET_POLICY(const IPT_CHAINLABEL chain,
- const IPT_CHAINLABEL policy,
- STRUCT_COUNTERS *counters,
- TC_HANDLE_T *handle)
-{
- unsigned int hook;
- unsigned int policyoff, ctrindex;
- STRUCT_ENTRY *e;
- STRUCT_STANDARD_TARGET *t;
-
- iptc_fn = TC_SET_POLICY;
- /* Figure out which chain. */
- hook = TC_BUILTIN(chain, *handle);
- if (hook == 0) {
- errno = ENOENT;
- return 0;
- } else
- hook--;
-
- policyoff = get_chain_end(*handle, (*handle)->info.hook_entry[hook]);
- if (policyoff != (*handle)->info.underflow[hook]) {
- printf("ERROR: Policy for `%s' offset %u != underflow %u\n",
- chain, policyoff, (*handle)->info.underflow[hook]);
- return 0;
- }
-
- e = get_entry(*handle, policyoff);
- t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
-
- if (strcmp(policy, LABEL_ACCEPT) == 0)
- t->verdict = -NF_ACCEPT - 1;
- else if (strcmp(policy, LABEL_DROP) == 0)
- t->verdict = -NF_DROP - 1;
- else {
- errno = EINVAL;
- return 0;
- }
-
- ctrindex = entry2index(*handle, e);
-
- if (counters) {
- /* set byte and packet counters */
- memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS));
-
- (*handle)->counter_map[ctrindex].maptype
- = COUNTER_MAP_SET;
-
- } else {
- (*handle)->counter_map[ctrindex]
- = ((struct counter_map){ COUNTER_MAP_NOMAP, 0 });
- }
-
- set_changed(*handle);
-
- return 1;
-}
-
-/* Without this, on gcc 2.7.2.3, we get:
- libiptc.c: In function `TC_COMMIT':
- libiptc.c:833: fixed or forbidden register was spilled.
- This may be due to a compiler bug or to impossible asm
- statements or clauses.
-*/
-static void
-subtract_counters(STRUCT_COUNTERS *answer,
- const STRUCT_COUNTERS *a,
- const STRUCT_COUNTERS *b)
-{
- answer->pcnt = a->pcnt - b->pcnt;
- answer->bcnt = a->bcnt - b->bcnt;
-}
-
-int
-TC_COMMIT(TC_HANDLE_T *handle)
-{
- /* Replace, then map back the counters. */
- STRUCT_REPLACE *repl;
- STRUCT_COUNTERS_INFO *newcounters;
- unsigned int i;
- size_t counterlen;
-
- CHECK(*handle);
-
- counterlen = sizeof(STRUCT_COUNTERS_INFO)
- + sizeof(STRUCT_COUNTERS) * (*handle)->new_number;
-
-#if 0
- TC_DUMP_ENTRIES(*handle);
-#endif
-
- /* Don't commit if nothing changed. */
- if (!(*handle)->changed)
- goto finished;
-
- repl = malloc(sizeof(*repl) + (*handle)->entries.size);
- if (!repl) {
- errno = ENOMEM;
- return 0;
- }
-
- /* These are the old counters we will get from kernel */
- repl->counters = malloc(sizeof(STRUCT_COUNTERS)
- * (*handle)->info.num_entries);
- if (!repl->counters) {
- free(repl);
- errno = ENOMEM;
- return 0;
- }
-
- /* These are the counters we're going to put back, later. */
- newcounters = malloc(counterlen);
- if (!newcounters) {
- free(repl->counters);
- free(repl);
- errno = ENOMEM;
- return 0;
- }
-
- strcpy(repl->name, (*handle)->info.name);
- repl->num_entries = (*handle)->new_number;
- repl->size = (*handle)->entries.size;
- memcpy(repl->hook_entry, (*handle)->info.hook_entry,
- sizeof(repl->hook_entry));
- memcpy(repl->underflow, (*handle)->info.underflow,
- sizeof(repl->underflow));
- repl->num_counters = (*handle)->info.num_entries;
- repl->valid_hooks = (*handle)->info.valid_hooks;
- memcpy(repl->entries, (*handle)->entries.entrytable,
- (*handle)->entries.size);
-
- if (setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
- sizeof(*repl) + (*handle)->entries.size) < 0) {
- free(repl->counters);
- free(repl);
- free(newcounters);
- return 0;
- }
-
- /* Put counters back. */
- strcpy(newcounters->name, (*handle)->info.name);
- newcounters->num_counters = (*handle)->new_number;
- for (i = 0; i < (*handle)->new_number; i++) {
- unsigned int mappos = (*handle)->counter_map[i].mappos;
- switch ((*handle)->counter_map[i].maptype) {
- case COUNTER_MAP_NOMAP:
- newcounters->counters[i]
- = ((STRUCT_COUNTERS){ 0, 0 });
- break;
-
- case COUNTER_MAP_NORMAL_MAP:
- /* Original read: X.
- * Atomic read on replacement: X + Y.
- * Currently in kernel: Z.
- * Want in kernel: X + Y + Z.
- * => Add in X + Y
- * => Add in replacement read.
- */
- newcounters->counters[i] = repl->counters[mappos];
- break;
-
- case COUNTER_MAP_ZEROED:
- /* Original read: X.
- * Atomic read on replacement: X + Y.
- * Currently in kernel: Z.
- * Want in kernel: Y + Z.
- * => Add in Y.
- * => Add in (replacement read - original read).
- */
- subtract_counters(&newcounters->counters[i],
- &repl->counters[mappos],
- &index2entry(*handle, i)->counters);
- break;
-
- case COUNTER_MAP_SET:
- /* Want to set counter (iptables-restore) */
-
- memcpy(&newcounters->counters[i],
- &index2entry(*handle, i)->counters,
- sizeof(STRUCT_COUNTERS));
-
- break;
- }
- }
-
-#ifdef KERNEL_64_USERSPACE_32
- {
- /* Kernel will think that pointer should be 64-bits, and get
- padding. So we accomodate here (assumption: alignment of
- `counters' is on 64-bit boundary). */
- u_int64_t *kernptr = (u_int64_t *)&newcounters->counters;
- if ((unsigned long)&newcounters->counters % 8 != 0) {
- fprintf(stderr,
- "counters alignment incorrect! Mail rusty!\n");
- abort();
- }
- *kernptr = newcounters->counters;
- }
-#endif /* KERNEL_64_USERSPACE_32 */
-
- if (setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
- newcounters, counterlen) < 0) {
- free(repl->counters);
- free(repl);
- free(newcounters);
- return 0;
- }
-
- free(repl->counters);
- free(repl);
- free(newcounters);
-
- finished:
- TC_FREE(handle);
- return 1;
-}
-
-/* Get raw socket. */
-int
-TC_GET_RAW_SOCKET()
-{
- return sockfd;
-}
-
-/* Translates errno numbers into more human-readable form than strerror. */
-const char *
-TC_STRERROR(int err)
-{
- unsigned int i;
- struct table_struct {
- void *fn;
- int err;
- const char *message;
- } table [] =
- { { TC_INIT, EPERM, "Permission denied (you must be root)" },
- { TC_INIT, EINVAL, "Module is wrong version" },
- { TC_INIT, ENOENT,
- "Table does not exist (do you need to insmod?)" },
- { TC_DELETE_CHAIN, ENOTEMPTY, "Chain is not empty" },
- { TC_DELETE_CHAIN, EINVAL, "Can't delete built-in chain" },
- { TC_DELETE_CHAIN, EMLINK,
- "Can't delete chain with references left" },
- { TC_CREATE_CHAIN, EEXIST, "Chain already exists" },
- { TC_INSERT_ENTRY, E2BIG, "Index of insertion too big" },
- { TC_REPLACE_ENTRY, E2BIG, "Index of replacement too big" },
- { TC_DELETE_NUM_ENTRY, E2BIG, "Index of deletion too big" },
- { TC_READ_COUNTER, E2BIG, "Index of counter too big" },
- { TC_ZERO_COUNTER, E2BIG, "Index of counter too big" },
- { TC_INSERT_ENTRY, ELOOP, "Loop found in table" },
- { TC_INSERT_ENTRY, EINVAL, "Target problem" },
- /* EINVAL for CHECK probably means bad interface. */
- { TC_CHECK_PACKET, EINVAL,
- "Bad arguments (does that interface exist?)" },
- { TC_CHECK_PACKET, ENOSYS,
- "Checking will most likely never get implemented" },
- /* ENOENT for DELETE probably means no matching rule */
- { TC_DELETE_ENTRY, ENOENT,
- "Bad rule (does a matching rule exist in that chain?)" },
- { TC_SET_POLICY, ENOENT,
- "Bad built-in chain name" },
- { TC_SET_POLICY, EINVAL,
- "Bad policy name" },
-
- { NULL, 0, "Incompatible with this kernel" },
- { NULL, ENOPROTOOPT, "iptables who? (do you need to insmod?)" },
- { NULL, ENOSYS, "Will be implemented real soon. I promise ;)" },
- { NULL, ENOMEM, "Memory allocation problem" },
- { NULL, ENOENT, "No chain/target/match by that name" },
- };
-
- for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
- if ((!table[i].fn || table[i].fn == iptc_fn)
- && table[i].err == err)
- return table[i].message;
- }
-
- return strerror(err);
-}
+++ /dev/null
-#ifndef _LINUXLIST_H
-#define _LINUXLIST_H
-
-
-/*
- * Simple doubly linked list implementation.
- *
- * Some of the internal functions ("__xxx") are useful when
- * manipulating whole lists rather than single entries, as
- * sometimes we already know the next/prev entries and we can
- * generate better code by using them directly rather than
- * using the generic single-entry routines.
- */
-
-struct list_head {
- struct list_head *next, *prev;
-};
-
-#define LIST_HEAD_INIT(name) { &(name), &(name) }
-
-#define LIST_HEAD(name) \
- struct list_head name = LIST_HEAD_INIT(name)
-
-#define INIT_LIST_HEAD(ptr) do { \
- (ptr)->next = (ptr); (ptr)->prev = (ptr); \
-} while (0)
-
-/*
- * Insert a new entry between two known consecutive entries.
- *
- * This is only for internal list manipulation where we know
- * the prev/next entries already!
- */
-static __inline__ void __list_add(struct list_head * new,
- struct list_head * prev,
- struct list_head * next)
-{
- next->prev = new;
- new->next = next;
- new->prev = prev;
- prev->next = new;
-}
-
-/**
- * list_add - add a new entry
- * @new: new entry to be added
- * @head: list head to add it after
- *
- * Insert a new entry after the specified head.
- * This is good for implementing stacks.
- */
-static __inline__ void list_add(struct list_head *new, struct list_head *head)
-{
- __list_add(new, head, head->next);
-}
-
-/**
- * list_add_tail - add a new entry
- * @new: new entry to be added
- * @head: list head to add it before
- *
- * Insert a new entry before the specified head.
- * This is useful for implementing queues.
- */
-static __inline__ void list_add_tail(struct list_head *new, struct list_head *head)
-{
- __list_add(new, head->prev, head);
-}
-
-/*
- * Delete a list entry by making the prev/next entries
- * point to each other.
- *
- * This is only for internal list manipulation where we know
- * the prev/next entries already!
- */
-static __inline__ void __list_del(struct list_head * prev,
- struct list_head * next)
-{
- next->prev = prev;
- prev->next = next;
-}
-
-/**
- * list_del - deletes entry from list.
- * @entry: the element to delete from the list.
- * Note: list_empty on entry does not return true after this, the entry is in an undefined state.
- */
-static __inline__ void list_del(struct list_head *entry)
-{
- __list_del(entry->prev, entry->next);
-}
-
-/**
- * list_del_init - deletes entry from list and reinitialize it.
- * @entry: the element to delete from the list.
- */
-static __inline__ void list_del_init(struct list_head *entry)
-{
- __list_del(entry->prev, entry->next);
- INIT_LIST_HEAD(entry);
-}
-
-/**
- * list_empty - tests whether a list is empty
- * @head: the list to test.
- */
-static __inline__ int list_empty(struct list_head *head)
-{
- return head->next == head;
-}
-
-/**
- * list_splice - join two lists
- * @list: the new list to add.
- * @head: the place to add it in the first list.
- */
-static __inline__ void list_splice(struct list_head *list, struct list_head *head)
-{
- struct list_head *first = list->next;
-
- if (first != list) {
- struct list_head *last = list->prev;
- struct list_head *at = head->next;
-
- first->prev = head;
- head->next = first;
-
- last->next = at;
- at->prev = last;
- }
-}
-
-/**
- * list_entry - get the struct for this entry
- * @ptr: the &struct list_head pointer.
- * @type: the type of the struct this is embedded in.
- * @member: the name of the list_struct within the struct.
- */
-#define list_entry(ptr, type, member) \
- ((type *)((char *)(ptr)-(unsigned long)(&((type *)0)->member)))
-
-/**
- * list_for_each - iterate over a list
- * @pos: the &struct list_head to use as a loop counter.
- * @head: the head for your list.
- */
-#define list_for_each(pos, head) \
- for (pos = (head)->next; pos != (head); pos = pos->next)
-
-/**
- * list_for_each_safe - iterate over a list safe against removal of list entry
- * @pos: the &struct list_head to use as a loop counter.
- * @n: another &struct list_head to use as temporary storage
- * @head: the head for your list.
- */
-#define list_for_each_safe(pos, n, head) \
- for (pos = (head)->next, n = pos->next; pos != (head); \
- pos = n, n = pos->next)
-
-#endif
+++ /dev/null
-#ifndef _LINUX_LISTHELP_H
-#define _LINUX_LISTHELP_H
-#include <stdlib.h>
-#include <string.h>
-#include "linux_list.h"
-
-/* Header to do more comprehensive job than linux/list.h; assume list
- is first entry in structure. */
-
-/* Return pointer to first true entry, if any, or NULL. A macro
- required to allow inlining of cmpfn. */
-#define LIST_FIND(head, cmpfn, type, args...) \
-({ \
- const struct list_head *__i = (head); \
- \
- do { \
- __i = __i->next; \
- if (__i == (head)) { \
- __i = NULL; \
- break; \
- } \
- } while (!cmpfn((const type)__i , ## args)); \
- (type)__i; \
-})
-
-#define LIST_FIND_W(head, cmpfn, type, args...) \
-({ \
- const struct list_head *__i = (head); \
- \
- do { \
- __i = __i->next; \
- if (__i == (head)) { \
- __i = NULL; \
- break; \
- } \
- } while (!cmpfn((type)__i , ## args)); \
- (type)__i; \
-})
-
-static inline int
-__list_cmp_same(const void *p1, const void *p2) { return p1 == p2; }
-
-/* Is this entry in the list? */
-static inline int
-list_inlist(struct list_head *head, const void *entry)
-{
- return LIST_FIND(head, __list_cmp_same, void *, entry) != NULL;
-}
-
-/* Delete from list. */
-#define LIST_DELETE(head, oldentry) list_del((struct list_head *)oldentry)
-
-/* Append. */
-static inline void
-list_append(struct list_head *head, void *new)
-{
- list_add((new), (head)->prev);
-}
-
-/* Prepend. */
-static inline void
-list_prepend(struct list_head *head, void *new)
-{
- list_add(new, head);
-}
-
-/* Insert according to ordering function; insert before first true. */
-#define LIST_INSERT(head, new, cmpfn) \
-do { \
- struct list_head *__i; \
- for (__i = (head)->next; \
- !cmpfn((new), (typeof (new))__i) && __i != (head); \
- __i = __i->next); \
- list_add((struct list_head *)(new), __i->prev); \
-} while(0)
-
-/* If the field after the list_head is a nul-terminated string, you
- can use these functions. */
-static inline int __list_cmp_name(const void *i, const char *name)
-{
- return strcmp(name, i+sizeof(struct list_head)) == 0;
-}
-
-/* Returns false if same name already in list, otherwise does insert. */
-static inline int
-list_named_insert(struct list_head *head, void *new)
-{
- if (LIST_FIND(head, __list_cmp_name, void *,
- new + sizeof(struct list_head)))
- return 0;
- list_prepend(head, new);
- return 1;
-}
-
-/* Find this named element in the list. */
-#define list_named_find(head, name) \
-LIST_FIND(head, __list_cmp_name, void *, name)
-
-#endif /*_LISTHELP_H*/
git://git.onelab.eu / iptables.git / commitdiff