2 * m_ipt.c iptables based targets
3 * utilities mostly ripped from iptables <duh, its the linux way>
5 * This program is free software; you can distribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
10 * Authors: J Hadi Salim (hadi@cyberus.ca)
12 * TODO: bad bad hardcoding IPT_LIB_DIR and PROC_SYS_MODPROBE
17 #include <sys/socket.h>
18 #include <netinet/in.h>
19 #include <arpa/inet.h>
21 #include <linux/netfilter_ipv4/ip_tables.h>
24 #include <linux/tc_act/tc_ipt.h>
39 const char *pname
= "tc-ipt";
40 const char *tname
= "mangle";
41 const char *pversion
= "0.1";
51 #define IPT_LIB_DIR "/usr/local/lib/iptables"
54 #ifndef PROC_SYS_MODPROBE
55 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
58 static const char *ipthooks
[] = {
66 static struct option original_opts
[] = {
71 static struct iptables_target
*t_list
= NULL
;
72 static unsigned int global_option_offset
= 0;
73 #define OPTION_OFFSET 256
76 /* no clue why register match is within targets
77 figure out later. Talk to Harald -- JHS
80 register_match(struct iptables_match
*me
)
82 /* fprintf(stderr, "\nDummy register_match\n"); */
86 register_target(struct iptables_target
*me
)
88 /* fprintf(stderr, "\nDummy register_target %s \n", me->name);
97 exit_tryhelp(int status
)
99 fprintf(stderr
, "Try `%s -h' or '%s --help' for more information.\n",
105 exit_error(enum exittype status
, char *msg
, ...)
110 fprintf(stderr
, "%s v%s: ", pname
, pversion
);
111 vfprintf(stderr
, msg
, args
);
113 fprintf(stderr
, "\n");
114 if (status
== PARAMETER_PROBLEM
)
115 exit_tryhelp(status
);
116 if (status
== VERSION_PROBLEM
)
118 "Perhaps iptables or your kernel needs to be upgraded.\n");
122 /* stolen from iptables 1.2.11
123 They should really have them as a library so i can link to them
124 Email them next time i remember
128 addr_to_dotted(const struct in_addr
*addrp
)
131 const unsigned char *bytep
;
133 bytep
= (const unsigned char *) &(addrp
->s_addr
);
134 sprintf(buf
, "%d.%d.%d.%d", bytep
[0], bytep
[1], bytep
[2], bytep
[3]);
138 int string_to_number_ll(const char *s
, unsigned long long min
,
139 unsigned long long max
,
140 unsigned long long *ret
)
142 unsigned long long number
;
145 /* Handle hex, octal, etc. */
147 number
= strtoull(s
, &end
, 0);
148 if (*end
== '\0' && end
!= s
) {
149 /* we parsed a number, let's see if we want this */
150 if (errno
!= ERANGE
&& min
<= number
&& (!max
|| number
<= max
)) {
158 int string_to_number_l(const char *s
, unsigned long min
, unsigned long max
,
162 unsigned long long number
;
164 result
= string_to_number_ll(s
, min
, max
, &number
);
165 *ret
= (unsigned long)number
;
170 int string_to_number(const char *s
, unsigned int min
, unsigned int max
,
174 unsigned long number
;
176 result
= string_to_number_l(s
, min
, max
, &number
);
177 *ret
= (unsigned int)number
;
184 string_to_number(const char *s
, unsigned int min
, unsigned int max
,
190 /* Handle hex, octal, etc. */
192 number
= strtol(s
, &end
, 0);
193 if (*end
== '\0' && end
!= s
) {
194 /* we parsed a number, let's see if we want this */
195 if (errno
!= ERANGE
&& min
<= number
&& number
<= max
) {
204 static struct option
*
205 copy_options(struct option
*oldopts
)
207 struct option
*merge
;
208 unsigned int num_old
;
209 for (num_old
= 0; oldopts
[num_old
].name
; num_old
++) ;
210 merge
= malloc(sizeof (struct option
) * (num_old
+ 1));
213 memcpy(merge
, oldopts
, num_old
* sizeof (struct option
));
214 memset(merge
+ num_old
, 0, sizeof (struct option
));
218 static struct option
*
219 merge_options(struct option
*oldopts
, const struct option
*newopts
,
220 unsigned int *option_offset
)
222 struct option
*merge
;
223 unsigned int num_old
, num_new
, i
;
225 for (num_old
= 0; oldopts
[num_old
].name
; num_old
++) ;
226 for (num_new
= 0; newopts
[num_new
].name
; num_new
++) ;
228 *option_offset
= global_option_offset
+ OPTION_OFFSET
;
230 merge
= malloc(sizeof (struct option
) * (num_new
+ num_old
+ 1));
231 memcpy(merge
, oldopts
, num_old
* sizeof (struct option
));
232 for (i
= 0; i
< num_new
; i
++) {
233 merge
[num_old
+ i
] = newopts
[i
];
234 merge
[num_old
+ i
].val
+= *option_offset
;
236 memset(merge
+ num_old
+ num_new
, 0, sizeof (struct option
));
242 fw_calloc(size_t count
, size_t size
)
246 if ((p
= (void *) calloc(count
, size
)) == NULL
) {
247 perror("iptables: calloc failed");
255 fw_malloc(size_t size
)
259 if ((p
= (void *) malloc(size
)) == NULL
) {
260 perror("iptables: malloc failed");
267 check_inverse(const char option
[], int *invert
)
269 if (option
&& strcmp(option
, "!") == 0) {
271 exit_error(PARAMETER_PROBLEM
,
272 "Multiple `!' flags not allowed");
281 static struct iptables_target
*
284 struct iptables_target
*m
;
285 for (m
= t_list
; m
; m
= m
->next
) {
286 if (strcmp(m
->name
, name
) == 0)
293 static struct iptables_target
*
294 get_target_name(char *name
)
298 char *new_name
, *lname
;
299 struct iptables_target
*m
;
301 char path
[sizeof (IPT_LIB_DIR
) + sizeof ("/libipt_.so") + strlen(name
)];
303 new_name
= malloc(strlen(name
) + 1);
304 lname
= malloc(strlen(name
) + 1);
306 memset(new_name
, '\0', strlen(name
) + 1);
308 exit_error(PARAMETER_PROBLEM
, "get_target_name");
311 memset(lname
, '\0', strlen(name
) + 1);
313 exit_error(PARAMETER_PROBLEM
, "get_target_name");
315 strcpy(new_name
, name
);
318 if (isupper(lname
[0])) {
320 for (i
= 0; i
< strlen(name
); i
++) {
321 lname
[i
] = tolower(lname
[i
]);
325 if (islower(new_name
[0])) {
327 for (i
= 0; i
< strlen(new_name
); i
++) {
328 new_name
[i
] = toupper(new_name
[i
]);
332 sprintf(path
, IPT_LIB_DIR
"/libipt_%s.so", new_name
);
333 handle
= dlopen(path
, RTLD_LAZY
);
335 sprintf(path
, IPT_LIB_DIR
"/libipt_%s.so", lname
);
336 handle
= dlopen(path
, RTLD_LAZY
);
338 fputs(dlerror(), stderr
);
344 m
= dlsym(handle
, new_name
);
345 if ((error
= dlerror()) != NULL
) {
346 m
= (struct iptables_target
*) dlsym(handle
, lname
);
347 if ((error
= dlerror()) != NULL
) {
348 m
= find_t(new_name
);
352 fputs(error
, stderr
);
353 fprintf(stderr
, "\n");
366 addr_to_dotted(const struct in_addr
*addrp
)
369 const unsigned char *bytep
;
371 bytep
= (const unsigned char *) &(addrp
->s_addr
);
372 sprintf(buf
, "%d.%d.%d.%d", bytep
[0], bytep
[1], bytep
[2], bytep
[3]);
377 struct in_addr
*dotted_to_addr(const char *dotted
)
379 static struct in_addr addr
;
380 unsigned char *addrp
;
382 unsigned int onebyte
;
386 /* copy dotted string, because we need to modify it */
387 strncpy(buf
, dotted
, sizeof (buf
) - 1);
388 addrp
= (unsigned char *) &(addr
.s_addr
);
391 for (i
= 0; i
< 3; i
++) {
392 if ((q
= strchr(p
, '.')) == NULL
)
393 return (struct in_addr
*) NULL
;
396 if (string_to_number(p
, 0, 255, &onebyte
) == -1)
397 return (struct in_addr
*) NULL
;
399 addrp
[i
] = (unsigned char) onebyte
;
403 /* we've checked 3 bytes, now we check the last one */
404 if (string_to_number(p
, 0, 255, &onebyte
) == -1)
405 return (struct in_addr
*) NULL
;
407 addrp
[3] = (unsigned char) onebyte
;
413 build_st(struct iptables_target
*target
, struct ipt_entry_target
*t
)
415 unsigned int nfcache
= 0;
421 IPT_ALIGN(sizeof (struct ipt_entry_target
)) + target
->size
;
424 target
->t
= fw_calloc(1, size
);
425 target
->init(target
->t
, &nfcache
);
426 target
->t
->u
.target_size
= size
;
430 strcpy(target
->t
->u
.user
.name
, target
->name
);
437 static int parse_ipt(struct action_util
*a
,int *argc_p
,
438 char ***argv_p
, int tca_id
, struct nlmsghdr
*n
)
440 struct iptables_target
*m
= NULL
;
445 char **argv
= *argv_p
;
447 int argc
= 0, iargc
= 0;
452 __u32 hook
= 0, index
= 0;
457 for (i
= 0; i
< rargc
; i
++) {
458 if (NULL
== argv
[i
] || 0 == strcmp(argv
[i
], "action")) {
466 fprintf(stderr
,"bad arguements to ipt %d vs %d \n", argc
, rargc
);
470 opts
= copy_options(original_opts
);
476 c
= getopt_long(argc
, argv
, "j:", opts
, NULL
);
481 m
= get_target_name(optarg
);
484 if (0 > build_st(m
, NULL
)) {
485 printf(" %s error \n", m
->name
);
489 merge_options(opts
, m
->extra_opts
,
492 fprintf(stderr
," failed to find target %s\n\n", optarg
);
499 memset(&fw
, 0, sizeof (fw
));
501 unsigned int fake_flags
= 0;
502 m
->parse(c
- m
->option_offset
, argv
, 0,
503 &fake_flags
, NULL
, &m
->t
);
505 fprintf(stderr
," failed to find target %s\n\n", optarg
);
511 /*m->final_check(m->t); -- Is this necessary?
512 ** useful when theres depencies
513 ** eg ipt_TCPMSS.c has have the TCP match loaded
514 ** before this can be used;
515 ** also seems the ECN target needs it
523 if (iargc
> optind
) {
524 if (matches(argv
[optind
], "index") == 0) {
525 if (get_u32(&index
, argv
[optind
+ 1], 10)) {
526 fprintf(stderr
, "Illegal \"index\"\n");
536 fprintf(stderr
," ipt Parser BAD!! (%s)\n", *argv
);
541 struct tcmsg
*t
= NLMSG_DATA(n
);
542 if (t
->tcm_parent
!= TC_H_ROOT
543 && t
->tcm_parent
== TC_H_MAJ(TC_H_INGRESS
)) {
544 hook
= NF_IP_PRE_ROUTING
;
546 hook
= NF_IP_POST_ROUTING
;
550 tail
= NLMSG_TAIL(n
);
551 addattr_l(n
, MAX_MSG
, tca_id
, NULL
, 0);
552 fprintf(stdout
, "tablename: %s hook: %s\n ", tname
, ipthooks
[hook
]);
553 fprintf(stdout
, "\ttarget: ");
556 m
->print(NULL
, m
->t
, 0);
557 fprintf(stdout
, " index %d\n", index
);
559 if (strlen(tname
) > 16) {
563 size
= 1 + strlen(tname
);
565 strncpy(k
, tname
, size
);
567 addattr_l(n
, MAX_MSG
, TCA_IPT_TABLE
, k
, size
);
568 addattr_l(n
, MAX_MSG
, TCA_IPT_HOOK
, &hook
, 4);
569 addattr_l(n
, MAX_MSG
, TCA_IPT_INDEX
, &index
, 4);
571 addattr_l(n
, MAX_MSG
, TCA_IPT_TARG
, m
->t
, m
->t
->u
.target_size
);
572 tail
->rta_len
= (void *) NLMSG_TAIL(n
) - (void *) tail
;
576 *argc_p
= rargc
- iargc
;
586 print_ipt(struct action_util
*au
,FILE * f
, struct rtattr
*arg
)
588 struct rtattr
*tb
[TCA_IPT_MAX
+ 1];
589 struct ipt_entry_target
*t
= NULL
;
595 opts
= copy_options(original_opts
);
599 memset(tb
, 0, sizeof (tb
));
600 parse_rtattr(tb
, TCA_IPT_MAX
, RTA_DATA(arg
), RTA_PAYLOAD(arg
));
602 if (tb
[TCA_IPT_TABLE
] == NULL
) {
603 fprintf(f
, "[NULL ipt table name ] assuming mangle ");
605 fprintf(f
, "tablename: %s ",
606 (char *) RTA_DATA(tb
[TCA_IPT_TABLE
]));
609 if (tb
[TCA_IPT_HOOK
] == NULL
) {
610 fprintf(f
, "[NULL ipt hook name ]\n ");
614 hook
= *(__u32
*) RTA_DATA(tb
[TCA_IPT_HOOK
]);
615 fprintf(f
, " hook: %s \n", ipthooks
[hook
]);
618 if (tb
[TCA_IPT_TARG
] == NULL
) {
619 fprintf(f
, "\t[NULL ipt target parameters ] \n");
622 struct iptables_target
*m
= NULL
;
623 t
= RTA_DATA(tb
[TCA_IPT_TARG
]);
624 m
= get_target_name(t
->u
.user
.name
);
626 if (0 > build_st(m
, t
)) {
627 fprintf(stderr
, " %s error \n", m
->name
);
632 merge_options(opts
, m
->extra_opts
,
635 fprintf(stderr
, " failed to find target %s\n\n",
639 fprintf(f
, "\ttarget ");
640 m
->print(NULL
, m
->t
, 0);
641 if (tb
[TCA_IPT_INDEX
] == NULL
) {
642 fprintf(f
, " [NULL ipt target index ]\n");
645 index
= *(__u32
*) RTA_DATA(tb
[TCA_IPT_INDEX
]);
646 fprintf(f
, " \n\tindex %d", index
);
649 if (tb
[TCA_IPT_CNT
]) {
650 struct tc_cnt
*c
= RTA_DATA(tb
[TCA_IPT_CNT
]);;
651 fprintf(f
, " ref %d bind %d", c
->refcnt
, c
->bindcnt
);
654 if (tb
[TCA_IPT_TM
]) {
655 struct tcf_t
*tm
= RTA_DATA(tb
[TCA_IPT_TM
]);
666 struct action_util ipt_action_util
= {
668 .parse_aopt
= parse_ipt
,
669 .print_aopt
= print_ipt
,