2 * m_ipt.c iptables based targets
3 * utilities mostly ripped from iptables <duh, its the linux way>
5 * This program is free software; you can distribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
10 * Authors: J Hadi Salim (hadi@cyberus.ca)
14 #include <sys/socket.h>
15 #include <netinet/in.h>
16 #include <arpa/inet.h>
19 #include <linux/netfilter.h>
20 #include <linux/netfilter_ipv4/ip_tables.h>
23 #include <linux/tc_act/tc_ipt.h>
38 static const char *pname
= "tc-ipt";
39 static const char *tname
= "mangle";
40 static const char *pversion
= "0.1";
42 static const char *ipthooks
[] = {
50 static struct option original_opts
[] = {
55 static struct iptables_target
*t_list
= NULL
;
56 static struct option
*opts
= original_opts
;
57 static unsigned int global_option_offset
= 0;
58 #define OPTION_OFFSET 256
63 register_target(struct iptables_target
*me
)
65 /* fprintf(stderr, "\nDummy register_target %s \n", me->name);
73 xtables_register_target(struct iptables_target
*me
)
80 exit_tryhelp(int status
)
82 fprintf(stderr
, "Try `%s -h' or '%s --help' for more information.\n",
88 exit_error(enum exittype status
, char *msg
, ...)
93 fprintf(stderr
, "%s v%s: ", pname
, pversion
);
94 vfprintf(stderr
, msg
, args
);
96 fprintf(stderr
, "\n");
97 if (status
== PARAMETER_PROBLEM
)
99 if (status
== VERSION_PROBLEM
)
101 "Perhaps iptables or your kernel needs to be upgraded.\n");
105 /* stolen from iptables 1.2.11
106 They should really have them as a library so i can link to them
107 Email them next time i remember
111 addr_to_dotted(const struct in_addr
*addrp
)
114 const unsigned char *bytep
;
116 bytep
= (const unsigned char *) &(addrp
->s_addr
);
117 sprintf(buf
, "%d.%d.%d.%d", bytep
[0], bytep
[1], bytep
[2], bytep
[3]);
121 int string_to_number_ll(const char *s
, unsigned long long min
,
122 unsigned long long max
,
123 unsigned long long *ret
)
125 unsigned long long number
;
128 /* Handle hex, octal, etc. */
130 number
= strtoull(s
, &end
, 0);
131 if (*end
== '\0' && end
!= s
) {
132 /* we parsed a number, let's see if we want this */
133 if (errno
!= ERANGE
&& min
<= number
&& (!max
|| number
<= max
)) {
141 int string_to_number_l(const char *s
, unsigned long min
, unsigned long max
,
145 unsigned long long number
;
147 result
= string_to_number_ll(s
, min
, max
, &number
);
148 *ret
= (unsigned long)number
;
153 int string_to_number(const char *s
, unsigned int min
, unsigned int max
,
157 unsigned long number
;
159 result
= string_to_number_l(s
, min
, max
, &number
);
160 *ret
= (unsigned int)number
;
165 static void free_opts(struct option
*opts
)
167 if (opts
!= original_opts
) {
169 opts
= original_opts
;
170 global_option_offset
= 0;
174 static struct option
*
175 merge_options(struct option
*oldopts
, const struct option
*newopts
,
176 unsigned int *option_offset
)
178 struct option
*merge
;
179 unsigned int num_old
, num_new
, i
;
181 for (num_old
= 0; oldopts
[num_old
].name
; num_old
++) ;
182 for (num_new
= 0; newopts
[num_new
].name
; num_new
++) ;
184 *option_offset
= global_option_offset
+ OPTION_OFFSET
;
186 merge
= malloc(sizeof (struct option
) * (num_new
+ num_old
+ 1));
187 memcpy(merge
, oldopts
, num_old
* sizeof (struct option
));
188 for (i
= 0; i
< num_new
; i
++) {
189 merge
[num_old
+ i
] = newopts
[i
];
190 merge
[num_old
+ i
].val
+= *option_offset
;
192 memset(merge
+ num_old
+ num_new
, 0, sizeof (struct option
));
198 fw_calloc(size_t count
, size_t size
)
202 if ((p
= (void *) calloc(count
, size
)) == NULL
) {
203 perror("iptables: calloc failed");
209 static struct iptables_target
*
212 struct iptables_target
*m
;
213 for (m
= t_list
; m
; m
= m
->next
) {
214 if (strcmp(m
->name
, name
) == 0)
221 static struct iptables_target
*
222 get_target_name(const char *name
)
226 char *new_name
, *lname
;
227 struct iptables_target
*m
;
228 char path
[strlen(lib_dir
) + sizeof ("/libipt_.so") + strlen(name
)];
230 new_name
= malloc(strlen(name
) + 1);
231 lname
= malloc(strlen(name
) + 1);
233 memset(new_name
, '\0', strlen(name
) + 1);
235 exit_error(PARAMETER_PROBLEM
, "get_target_name");
238 memset(lname
, '\0', strlen(name
) + 1);
240 exit_error(PARAMETER_PROBLEM
, "get_target_name");
242 strcpy(new_name
, name
);
245 if (isupper(lname
[0])) {
247 for (i
= 0; i
< strlen(name
); i
++) {
248 lname
[i
] = tolower(lname
[i
]);
252 if (islower(new_name
[0])) {
254 for (i
= 0; i
< strlen(new_name
); i
++) {
255 new_name
[i
] = toupper(new_name
[i
]);
259 /* try libxt_xx first */
260 sprintf(path
, "%s/libxt_%s.so", lib_dir
, new_name
);
261 handle
= dlopen(path
, RTLD_LAZY
);
263 /* try libipt_xx next */
264 sprintf(path
, "%s/libipt_%s.so", lib_dir
, new_name
);
265 handle
= dlopen(path
, RTLD_LAZY
);
268 sprintf(path
, "%s/libxt_%s.so", lib_dir
, lname
);
269 handle
= dlopen(path
, RTLD_LAZY
);
273 sprintf(path
, "%s/libipt_%s.so", lib_dir
, lname
);
274 handle
= dlopen(path
, RTLD_LAZY
);
276 /* ok, lets give up .. */
278 fputs(dlerror(), stderr
);
285 m
= dlsym(handle
, new_name
);
286 if ((error
= dlerror()) != NULL
) {
287 m
= (struct iptables_target
*) dlsym(handle
, lname
);
288 if ((error
= dlerror()) != NULL
) {
289 m
= find_t(new_name
);
293 fputs(error
, stderr
);
294 fprintf(stderr
, "\n");
308 struct in_addr
*dotted_to_addr(const char *dotted
)
310 static struct in_addr addr
;
311 unsigned char *addrp
;
313 unsigned int onebyte
;
317 /* copy dotted string, because we need to modify it */
318 strncpy(buf
, dotted
, sizeof (buf
) - 1);
319 addrp
= (unsigned char *) &(addr
.s_addr
);
322 for (i
= 0; i
< 3; i
++) {
323 if ((q
= strchr(p
, '.')) == NULL
)
324 return (struct in_addr
*) NULL
;
327 if (string_to_number(p
, 0, 255, &onebyte
) == -1)
328 return (struct in_addr
*) NULL
;
330 addrp
[i
] = (unsigned char) onebyte
;
334 /* we've checked 3 bytes, now we check the last one */
335 if (string_to_number(p
, 0, 255, &onebyte
) == -1)
336 return (struct in_addr
*) NULL
;
338 addrp
[3] = (unsigned char) onebyte
;
343 static void set_revision(char *name
, u_int8_t revision
)
345 /* Old kernel sources don't have ".revision" field,
346 * but we stole a byte from name. */
347 name
[IPT_FUNCTION_MAXNAMELEN
- 2] = '\0';
348 name
[IPT_FUNCTION_MAXNAMELEN
- 1] = revision
;
352 * we may need to check for version mismatch
355 build_st(struct iptables_target
*target
, struct ipt_entry_target
*t
)
357 unsigned int nfcache
= 0;
363 IPT_ALIGN(sizeof (struct ipt_entry_target
)) + target
->size
;
366 target
->t
= fw_calloc(1, size
);
367 target
->t
->u
.target_size
= size
;
369 if (target
->init
!= NULL
)
370 target
->init(target
->t
, &nfcache
);
371 set_revision(target
->t
->u
.user
.name
, target
->revision
);
375 strcpy(target
->t
->u
.user
.name
, target
->name
);
382 static int parse_ipt(struct action_util
*a
,int *argc_p
,
383 char ***argv_p
, int tca_id
, struct nlmsghdr
*n
)
385 struct iptables_target
*m
= NULL
;
390 char **argv
= *argv_p
;
391 int argc
= 0, iargc
= 0;
396 __u32 hook
= 0, index
= 0;
399 lib_dir
= getenv("IPTABLES_LIB_DIR");
401 lib_dir
= IPT_LIB_DIR
;
405 for (i
= 0; i
< rargc
; i
++) {
406 if (NULL
== argv
[i
] || 0 == strcmp(argv
[i
], "action")) {
414 fprintf(stderr
,"bad arguements to ipt %d vs %d \n", argc
, rargc
);
419 c
= getopt_long(argc
, argv
, "j:", opts
, NULL
);
424 m
= get_target_name(optarg
);
427 if (0 > build_st(m
, NULL
)) {
428 printf(" %s error \n", m
->name
);
432 merge_options(opts
, m
->extra_opts
,
435 fprintf(stderr
," failed to find target %s\n\n", optarg
);
442 memset(&fw
, 0, sizeof (fw
));
444 m
->parse(c
- m
->option_offset
, argv
, 0,
445 &m
->tflags
, NULL
, &m
->t
);
447 fprintf(stderr
," failed to find target %s\n\n", optarg
);
457 if (iargc
> optind
) {
458 if (matches(argv
[optind
], "index") == 0) {
459 if (get_u32(&index
, argv
[optind
+ 1], 10)) {
460 fprintf(stderr
, "Illegal \"index\"\n");
471 fprintf(stderr
," ipt Parser BAD!! (%s)\n", *argv
);
475 /* check that we passed the correct parameters to the target */
477 m
->final_check(m
->tflags
);
480 struct tcmsg
*t
= NLMSG_DATA(n
);
481 if (t
->tcm_parent
!= TC_H_ROOT
482 && t
->tcm_parent
== TC_H_MAJ(TC_H_INGRESS
)) {
483 hook
= NF_IP_PRE_ROUTING
;
485 hook
= NF_IP_POST_ROUTING
;
489 tail
= NLMSG_TAIL(n
);
490 addattr_l(n
, MAX_MSG
, tca_id
, NULL
, 0);
491 fprintf(stdout
, "tablename: %s hook: %s\n ", tname
, ipthooks
[hook
]);
492 fprintf(stdout
, "\ttarget: ");
495 m
->print(NULL
, m
->t
, 0);
496 fprintf(stdout
, " index %d\n", index
);
498 if (strlen(tname
) > 16) {
502 size
= 1 + strlen(tname
);
504 strncpy(k
, tname
, size
);
506 addattr_l(n
, MAX_MSG
, TCA_IPT_TABLE
, k
, size
);
507 addattr_l(n
, MAX_MSG
, TCA_IPT_HOOK
, &hook
, 4);
508 addattr_l(n
, MAX_MSG
, TCA_IPT_INDEX
, &index
, 4);
510 addattr_l(n
, MAX_MSG
, TCA_IPT_TARG
, m
->t
, m
->t
->u
.target_size
);
511 tail
->rta_len
= (void *) NLMSG_TAIL(n
) - (void *) tail
;
515 *argc_p
= rargc
- iargc
;
520 /* Clear flags if target will be used again */
523 /* Free allocated memory */
533 print_ipt(struct action_util
*au
,FILE * f
, struct rtattr
*arg
)
535 struct rtattr
*tb
[TCA_IPT_MAX
+ 1];
536 struct ipt_entry_target
*t
= NULL
;
541 lib_dir
= getenv("IPTABLES_LIB_DIR");
543 lib_dir
= IPT_LIB_DIR
;
545 parse_rtattr_nested(tb
, TCA_IPT_MAX
, arg
);
547 if (tb
[TCA_IPT_TABLE
] == NULL
) {
548 fprintf(f
, "[NULL ipt table name ] assuming mangle ");
550 fprintf(f
, "tablename: %s ",
551 (char *) RTA_DATA(tb
[TCA_IPT_TABLE
]));
554 if (tb
[TCA_IPT_HOOK
] == NULL
) {
555 fprintf(f
, "[NULL ipt hook name ]\n ");
559 hook
= *(__u32
*) RTA_DATA(tb
[TCA_IPT_HOOK
]);
560 fprintf(f
, " hook: %s \n", ipthooks
[hook
]);
563 if (tb
[TCA_IPT_TARG
] == NULL
) {
564 fprintf(f
, "\t[NULL ipt target parameters ] \n");
567 struct iptables_target
*m
= NULL
;
568 t
= RTA_DATA(tb
[TCA_IPT_TARG
]);
569 m
= get_target_name(t
->u
.user
.name
);
571 if (0 > build_st(m
, t
)) {
572 fprintf(stderr
, " %s error \n", m
->name
);
577 merge_options(opts
, m
->extra_opts
,
580 fprintf(stderr
, " failed to find target %s\n\n",
584 fprintf(f
, "\ttarget ");
585 m
->print(NULL
, m
->t
, 0);
586 if (tb
[TCA_IPT_INDEX
] == NULL
) {
587 fprintf(f
, " [NULL ipt target index ]\n");
590 index
= *(__u32
*) RTA_DATA(tb
[TCA_IPT_INDEX
]);
591 fprintf(f
, " \n\tindex %d", index
);
594 if (tb
[TCA_IPT_CNT
]) {
595 struct tc_cnt
*c
= RTA_DATA(tb
[TCA_IPT_CNT
]);;
596 fprintf(f
, " ref %d bind %d", c
->refcnt
, c
->bindcnt
);
599 if (tb
[TCA_IPT_TM
]) {
600 struct tcf_t
*tm
= RTA_DATA(tb
[TCA_IPT_TM
]);
612 struct action_util ipt_action_util
= {
614 .parse_aopt
= parse_ipt
,
615 .print_aopt
= print_ipt
,