Commit c2d7e04a authored by Arturo Borrero Gonzalez

Update upstream source from tag 'upstream/1.8.1'

Update to upstream version '1.8.1'
with Debian dir f7eefdbc289bc01f3d8a1522cd469a3564de9051
parents 698f2511 dab1e98e
......@@ -205,6 +205,7 @@ static const struct xt_option_entry hashlimit_mt_opts_v2[] = {
{.name = "hashlimit-mode", .id = O_MODE, .type = XTTYPE_STRING},
{.name = "hashlimit-name", .id = O_NAME, .type = XTTYPE_STRING,
.flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name), .min = 1},
XTOPT_TABLEEND,
};
#undef s
......
......@@ -126,19 +126,19 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr,
const union nf_inet_addr *mask,
unsigned int family, bool numeric)
{
char buf[BUFSIZ];
if (family == NFPROTO_IPV4) {
if (!numeric && addr->ip == 0) {
printf(" anywhere");
return;
}
if (numeric)
strcpy(buf, xtables_ipaddr_to_numeric(&addr->in));
printf(" %s%s",
xtables_ipaddr_to_numeric(&addr->in),
xtables_ipmask_to_numeric(&mask->in));
else
strcpy(buf, xtables_ipaddr_to_anyname(&addr->in));
strcat(buf, xtables_ipmask_to_numeric(&mask->in));
printf(" %s", buf);
printf(" %s%s",
xtables_ipaddr_to_anyname(&addr->in),
xtables_ipmask_to_numeric(&mask->in));
} else if (family == NFPROTO_IPV6) {
if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
addr->ip6[2] == 0 && addr->ip6[3] == 0) {
......@@ -146,11 +146,13 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr,
return;
}
if (numeric)
strcpy(buf, xtables_ip6addr_to_numeric(&addr->in6));
printf(" %s%s",
xtables_ip6addr_to_numeric(&addr->in6),
xtables_ip6mask_to_numeric(&mask->in6));
else
strcpy(buf, xtables_ip6addr_to_anyname(&addr->in6));
strcat(buf, xtables_ip6mask_to_numeric(&mask->in6));
printf(" %s", buf);
printf(" %s%s",
xtables_ip6addr_to_anyname(&addr->in6),
xtables_ip6mask_to_numeric(&mask->in6));
}
}
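Review bot: Each of the new printf() calls (lines 29–31, 36–38, 47–49 and 54–56) passes the result of an address helper and a mask helper as arguments of the same call, which is only correct if the two helpers return distinct storage; the removed code copied the first result into `buf` before calling the second, so this dependency is new in this revision. Presumably each libxtables helper keeps its own static buffer, in which case the output is correct, but nothing in the hunk records that assumption. A one-line comment above the first such call, `/* address and mask helpers return separate static buffers */`, would keep a later change to one of the helpers from silently corrupting this output. ipvs_mt_dump_addr() begins before the first hunk; the removal of `char buf[BUFSIZ]` at line 21 is the only other change to it.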
......
......@@ -6,6 +6,8 @@
#define _BSD_SOURCE 1
#define _DEFAULT_SOURCE 1
#define _ISOC99_SOURCE 1
#include <errno.h>
#include <getopt.h>
#include <math.h>
#include <stdio.h>
#include <string.h>
......@@ -13,6 +15,8 @@
#include <xtables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_limit.h>
#include "iptables/nft.h"
#include "iptables/nft-bridge.h"
#define XT_LIMIT_AVG "3/hour"
#define XT_LIMIT_BURST 5
......@@ -191,22 +195,100 @@ static int limit_xlate(struct xt_xlate *xl,
return 1;
}
static struct xtables_match limit_match = {
.family = NFPROTO_UNSPEC,
.name = "limit",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateinfo)),
.userspacesize = offsetof(struct xt_rateinfo, prev),
.help = limit_help,
.init = limit_init,
.x6_parse = limit_parse,
.print = limit_print,
.save = limit_save,
.x6_options = limit_opts,
.xlate = limit_xlate,
static int limit_xlate_eb(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
limit_xlate(xl, params);
xt_xlate_add(xl, " ");
return 1;
}
#define FLAG_LIMIT 0x01
#define FLAG_LIMIT_BURST 0x02
#define ARG_LIMIT '1'
#define ARG_LIMIT_BURST '2'
static int brlimit_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct xt_rateinfo *r = (struct xt_rateinfo *)(*match)->data;
uintmax_t num;
switch (c) {
case ARG_LIMIT:
EBT_CHECK_OPTION(flags, FLAG_LIMIT);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"Unexpected `!' after --limit");
if (!parse_rate(optarg, &r->avg))
xtables_error(PARAMETER_PROBLEM,
"bad rate `%s'", optarg);
break;
case ARG_LIMIT_BURST:
EBT_CHECK_OPTION(flags, FLAG_LIMIT_BURST);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"Unexpected `!' after --limit-burst");
if (!xtables_strtoul(optarg, NULL, &num, 0, 10000))
xtables_error(PARAMETER_PROBLEM,
"bad --limit-burst `%s'", optarg);
r->burst = num;
break;
default:
return 0;
}
return 1;
}
static void brlimit_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_rateinfo *r = (struct xt_rateinfo *)match->data;
printf("--limit");
print_rate(r->avg);
printf(" --limit-burst %u ", r->burst);
}
static const struct option brlimit_opts[] =
{
{ .name = "limit", .has_arg = true, .val = ARG_LIMIT },
{ .name = "limit-burst",.has_arg = true, .val = ARG_LIMIT_BURST },
XT_GETOPT_TABLEEND,
};
static struct xtables_match limit_match[] = {
{
.family = NFPROTO_UNSPEC,
.name = "limit",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateinfo)),
.userspacesize = offsetof(struct xt_rateinfo, prev),
.help = limit_help,
.init = limit_init,
.x6_parse = limit_parse,
.print = limit_print,
.save = limit_save,
.x6_options = limit_opts,
.xlate = limit_xlate,
},
{
.family = NFPROTO_BRIDGE,
.name = "limit",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateinfo)),
.userspacesize = offsetof(struct xt_rateinfo, prev),
.help = limit_help,
.init = limit_init,
.parse = brlimit_parse,
.print = brlimit_print,
.extra_opts = brlimit_opts,
.xlate = limit_xlate_eb,
},
};
void _init(void)
{
xtables_register_match(&limit_match);
xtables_register_matches(limit_match, ARRAY_SIZE(limit_match));
}
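Review bot: limit_xlate_eb() (lines 93–99) discards the return value of limit_xlate() and unconditionally returns 1, so if limit_xlate() can ever report a translation failure — its body starts before this hunk, only its final `return 1;` is visible — the bridge wrapper would report success anyway; `if (!limit_xlate(xl, params)) return 0;` keeps a failure visible to the caller. The NFPROTO_BRIDGE entry of limit_match[] registers `.print = brlimit_print` but no `.save`; the FMT_EBT_SAVE flag added to xtables.h elsewhere in this commit suggests print is reused for save on the bridge family, but a comment on that entry saying so would spare the next reader the same search. brlimit_parse() and brlimit_print() would also benefit from a header comment stating that they implement the legacy getopt-style `.parse`/`.extra_opts` interface rather than the xt_option_call API used by limit_parse() above, since both conventions now coexist in one file.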
/*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published
* by the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* Authors:
* Libarptc code from: Bart De Schuymer <bdschuym@pandora.be>
* Port to libxtables: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
*/
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>
#include <getopt.h>
#include <errno.h>
#include <netinet/ether.h>
#include <xtables.h>
#include <linux/netfilter_arp/arpt_mangle.h>
static void mangle_help(void)
{
printf(
"mangle target options:\n"
"--mangle-ip-s IP address\n"
"--mangle-ip-d IP address\n"
"--mangle-mac-s MAC address\n"
"--mangle-mac-d MAC address\n"
"--mangle-target target (DROP, CONTINUE or ACCEPT -- default is ACCEPT)\n"
);
}
enum {
MANGLE_IPS = 0,
MANGLE_IPT = 1,
MANGLE_DEVS = 2,
MANGLE_DEVT = 3,
MANGLE_TARGET = 4,
};
static const struct xt_option_entry mangle_opts[] = {
{ .name = "mangle-ip-s", .id = MANGLE_IPS, .type = XTTYPE_STRING },
{ .name = "mangle-ip-d", .id = MANGLE_IPT, .type = XTTYPE_STRING },
{ .name = "mangle-mac-s", .id = MANGLE_DEVS, .type = XTTYPE_STRING },
{ .name = "mangle-mac-d", .id = MANGLE_DEVT, .type = XTTYPE_STRING },
{ .name = "mangle-target", .id = MANGLE_TARGET,
.type = XTTYPE_STRING },
XTOPT_TABLEEND,
};
static struct in_addr *network_to_addr(const char *name)
{
struct netent *net;
static struct in_addr addr;
if ((net = getnetbyname(name)) != NULL) {
if (net->n_addrtype != AF_INET)
return (struct in_addr *) NULL;
addr.s_addr = htonl((unsigned long) net->n_net);
return &addr;
}
return (struct in_addr *) NULL;
}
static void inaddrcpy(struct in_addr *dst, struct in_addr *src)
{
dst->s_addr = src->s_addr;
}
static struct in_addr *host_to_addr(const char *name, unsigned int *naddr)
{
struct in_addr *addr;
struct addrinfo hints;
struct addrinfo *res, *p;
int err;
unsigned int i;
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
hints.ai_family = AF_INET;
hints.ai_socktype = SOCK_RAW;
*naddr = 0;
err = getaddrinfo(name, NULL, &hints, &res);
if (err != 0)
return NULL;
else {
for (p = res; p != NULL; p = p->ai_next)
(*naddr)++;
addr = xtables_calloc(*naddr, sizeof(struct in_addr));
for (i = 0, p = res; p != NULL; p = p->ai_next)
memcpy(&addr[i++],
&((const struct sockaddr_in *)p->ai_addr)->sin_addr,
sizeof(struct in_addr));
freeaddrinfo(res);
return addr;
}
return (struct in_addr *) NULL;
}
static int string_to_number(const char *s, unsigned int min,
unsigned int max, unsigned int *ret)
{
long number;
char *end;
/* Handle hex, octal, etc. */
errno = 0;
number = strtol(s, &end, 0);
if (*end == '\0' && end != s) {
/* we parsed a number, let's see if we want this */
if (errno != ERANGE && min <= number && number <= max) {
*ret = number;
return 0;
}
}
return -1;
}
static struct in_addr *dotted_to_addr(const char *dotted)
{
static struct in_addr addr;
unsigned char *addrp;
char *p, *q;
unsigned int onebyte;
int i;
char buf[20];
/* copy dotted string, because we need to modify it */
strncpy(buf, dotted, sizeof(buf) - 1);
addrp = (unsigned char *) &(addr.s_addr);
p = buf;
for (i = 0; i < 3; i++) {
if ((q = strchr(p, '.')) == NULL)
return (struct in_addr *) NULL;
*q = '\0';
if (string_to_number(p, 0, 255, &onebyte) == -1)
return (struct in_addr *) NULL;
addrp[i] = (unsigned char) onebyte;
p = q + 1;
}
/* we've checked 3 bytes, now we check the last one */
if (string_to_number(p, 0, 255, &onebyte) == -1)
return (struct in_addr *) NULL;
addrp[3] = (unsigned char) onebyte;
return &addr;
}
static struct in_addr *parse_hostnetwork(const char *name,
unsigned int *naddrs)
{
struct in_addr *addrp, *addrptmp;
if ((addrptmp = dotted_to_addr(name)) != NULL ||
(addrptmp = network_to_addr(name)) != NULL) {
addrp = xtables_malloc(sizeof(struct in_addr));
inaddrcpy(addrp, addrptmp);
*naddrs = 1;
return addrp;
}
if ((addrp = host_to_addr(name, naddrs)) != NULL)
return addrp;
xtables_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
}
static void mangle_parse(struct xt_option_call *cb)
{
const struct arpt_entry *e = cb->xt_entry;
struct arpt_mangle *mangle = cb->data;
struct in_addr *ipaddr;
struct ether_addr *macaddr;
/* mangle target is by default "ACCEPT". Setting it here,
* since original arpt_mangle.c init() no longer exists*/
mangle->target = NF_ACCEPT;
xtables_option_parse(cb);
switch (cb->entry->id) {
case MANGLE_IPS:
/*
if (e->arp.arpln_mask == 0)
xtables_error(PARAMETER_PROBLEM, "no pln defined");
if (e->arp.invflags & ARPT_INV_ARPPLN)
xtables_error(PARAMETER_PROBLEM,
"! pln not allowed for --mangle-ip-s");
*/
/*
if (e->arp.arpln != 4)
xtables_error(PARAMETER_PROBLEM, "only pln=4 supported");
*/
{
unsigned int nr;
ipaddr = parse_hostnetwork(cb->arg, &nr);
}
mangle->u_s.src_ip.s_addr = ipaddr->s_addr;
free(ipaddr);
mangle->flags |= ARPT_MANGLE_SIP;
break;
case MANGLE_IPT:
/*
if (e->arp.arpln_mask == 0)
xtables_error(PARAMETER_PROBLEM, "no pln defined");
if (e->arp.invflags & ARPT_INV_ARPPLN)
xtables_error(PARAMETER_PROBLEM,
"! pln not allowed for --mangle-ip-d");
*/
/*
if (e->arp.arpln != 4)
xtables_error(PARAMETER_PROBLEM, "only pln=4 supported");
*/
{
unsigned int nr;
ipaddr = parse_hostnetwork(cb->arg, &nr);
}
mangle->u_t.tgt_ip.s_addr = ipaddr->s_addr;
free(ipaddr);
mangle->flags |= ARPT_MANGLE_TIP;
break;
case MANGLE_DEVS:
if (e->arp.arhln_mask == 0)
xtables_error(PARAMETER_PROBLEM,
"no --h-length defined");
if (e->arp.invflags & ARPT_INV_ARPHLN)
xtables_error(PARAMETER_PROBLEM,
"! --h-length not allowed for "
"--mangle-mac-s");
if (e->arp.arhln != 6)
xtables_error(PARAMETER_PROBLEM,
"only --h-length 6 supported");
macaddr = ether_aton(cb->arg);
if (macaddr == NULL)
xtables_error(PARAMETER_PROBLEM, "invalid source MAC");
memcpy(mangle->src_devaddr, macaddr, e->arp.arhln);
mangle->flags |= ARPT_MANGLE_SDEV;
break;
case MANGLE_DEVT:
if (e->arp.arhln_mask == 0)
xtables_error(PARAMETER_PROBLEM,
"no --h-length defined");
if (e->arp.invflags & ARPT_INV_ARPHLN)
xtables_error(PARAMETER_PROBLEM,
"! hln not allowed for --mangle-mac-d");
if (e->arp.arhln != 6)
xtables_error(PARAMETER_PROBLEM,
"only --h-length 6 supported");
macaddr = ether_aton(cb->arg);
if (macaddr == NULL)
xtables_error(PARAMETER_PROBLEM, "invalid target MAC");
memcpy(mangle->tgt_devaddr, macaddr, e->arp.arhln);
mangle->flags |= ARPT_MANGLE_TDEV;
break;
case MANGLE_TARGET:
if (!strcmp(cb->arg, "DROP"))
mangle->target = NF_DROP;
else if (!strcmp(cb->arg, "ACCEPT"))
mangle->target = NF_ACCEPT;
else if (!strcmp(cb->arg, "CONTINUE"))
mangle->target = ARPT_CONTINUE;
else
xtables_error(PARAMETER_PROBLEM,
"bad target for --mangle-target");
break;
}
}
static void mangle_fcheck(struct xt_fcheck_call *cb)
{
}
static char *addr_to_dotted(const struct in_addr *addrp)
{
static char buf[20];
const unsigned char *bytep;
bytep = (const unsigned char *) &(addrp->s_addr);
sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
return buf;
}
static char *addr_to_host(const struct in_addr *addr)
{
struct hostent *host;
if ((host = gethostbyaddr((char *) addr,
sizeof(struct in_addr), AF_INET)) != NULL)
return (char *) host->h_name;
return (char *) NULL;
}
static char *addr_to_network(const struct in_addr *addr)
{
struct netent *net;
if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
return (char *) net->n_name;
return (char *) NULL;
}
static char *addr_to_anyname(const struct in_addr *addr)
{
char *name;
if ((name = addr_to_host(addr)) != NULL ||
(name = addr_to_network(addr)) != NULL)
return name;
return addr_to_dotted(addr);
}
static void print_mac(const unsigned char *mac, int l)
{
int j;
for (j = 0; j < l; j++)
printf("%02x%s", mac[j],
(j==l-1) ? "" : ":");
}
static void mangle_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct arpt_mangle *m = (const void *)target;
char buf[100];
if (m->flags & ARPT_MANGLE_SIP) {
if (numeric)
sprintf(buf, "%s", addr_to_dotted(&(m->u_s.src_ip)));
else
sprintf(buf, "%s", addr_to_anyname(&(m->u_s.src_ip)));
printf("--mangle-ip-s %s ", buf);
}
if (m->flags & ARPT_MANGLE_SDEV) {
printf("--mangle-mac-s ");
print_mac((unsigned char *)m->src_devaddr, 6);
printf(" ");
}
if (m->flags & ARPT_MANGLE_TIP) {
if (numeric)
sprintf(buf, "%s", addr_to_dotted(&(m->u_t.tgt_ip)));
else
sprintf(buf, "%s", addr_to_anyname(&(m->u_t.tgt_ip)));
printf("--mangle-ip-d %s ", buf);
}
if (m->flags & ARPT_MANGLE_TDEV) {
printf("--mangle-mac-d ");
print_mac((unsigned char *)m->tgt_devaddr, 6);
printf(" ");
}
if (m->target != NF_ACCEPT) {
printf("--mangle-target ");
if (m->target == NF_DROP)
printf("DROP ");
else
printf("CONTINUE ");
}
}
static void mangle_save(const void *ip, const struct xt_entry_target *target)
{
}
static struct xtables_target mangle_tg_reg = {
.family = NFPROTO_ARP,
.name = "mangle",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct arpt_mangle)),
.userspacesize = XT_ALIGN(sizeof(struct arpt_mangle)),
.help = mangle_help,
.x6_parse = mangle_parse,
.x6_fcheck = mangle_fcheck,
.print = mangle_print,
.save = mangle_save,
.x6_options = mangle_opts,
};
void _init(void)
{
xtables_register_target(&mangle_tg_reg);
}
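Review bot: mangle_print() copies the result of addr_to_anyname() into `char buf[100]` with an unbounded `sprintf(buf, "%s", ...)` in both the `--mangle-ip-s` and `--mangle-ip-d` branches; addr_to_host() returns `h_name` from a reverse lookup, whose length this program does not control, so the non-numeric path can overrun the stack buffer. The buffer is not needed at all: `printf("--mangle-ip-s %s ", numeric ? addr_to_dotted(&m->u_s.src_ip) : addr_to_anyname(&m->u_s.src_ip));` and the same form for the target address remove the copy. dotted_to_addr() has a related termination issue: `strncpy(buf, dotted, sizeof(buf) - 1)` never writes `buf[19]` and `buf` is uninitialized, so an argument of 19 or more bytes leaves it unterminated before strchr()/strtol() read it; add `buf[sizeof(buf) - 1] = '\0';` after the copy. Separately, mangle_parse() assigns `mangle->target = NF_ACCEPT` on every option callback before the switch, so `--mangle-target DROP` followed by any other mangle option is silently reset to ACCEPT; moving that assignment into an `.init` callback on mangle_tg_reg, or guarding it so it runs only once per rule, preserves the order-independence the comment at lines 338–339 intends. mangle_print() also reads the target data as `(const void *)target` while mangle_parse() writes it through `cb->data`; presumably both resolve to the same object for this family, but that is worth confirming.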
......@@ -60,6 +60,7 @@ set_parse_v0(int c, char **argv, int invert, unsigned int *flags,
case '2':
fprintf(stderr,
"--set option deprecated, please use --match-set\n");
/* fall through */
case '1': /* --match-set <set> <flag>[,<flag> */
if (info->u.flags[0])
xtables_error(PARAMETER_PROBLEM,
......@@ -140,6 +141,7 @@ set_parse_v1(int c, char **argv, int invert, unsigned int *flags,
case '2':
fprintf(stderr,
"--set option deprecated, please use --match-set\n");
/* fall through */
case '1': /* --match-set <set> <flag>[,<flag> */
if (info->dim)
xtables_error(PARAMETER_PROBLEM,
......@@ -238,6 +240,7 @@ set_parse_v2(int c, char **argv, int invert, unsigned int *flags,
case '2':
fprintf(stderr,
"--set option deprecated, please use --match-set\n");
/* fall through */
case '1': /* --match-set <set> <flag>[,<flag> */
if (info->dim)
xtables_error(PARAMETER_PROBLEM,
......@@ -415,6 +418,7 @@ set_parse_v3(int c, char **argv, int invert, unsigned int *flags,
case '2':
fprintf(stderr,
"--set option deprecated, please use --match-set\n");
/* fall through */
case '1': /* --match-set <set> <flag>[,<flag> */
if (info->match_set.dim)
xtables_error(PARAMETER_PROBLEM,
......@@ -583,6 +587,7 @@ set_parse_v4(int c, char **argv, int invert, unsigned int *flags,
case '2':
fprintf(stderr,
"--set option deprecated, please use --match-set\n");
/* fall through */
case '1': /* --match-set <set> <flag>[,<flag> */
if (info->match_set.dim)
xtables_error(PARAMETER_PROBLEM,
......
......@@ -8,12 +8,6 @@
#include <errno.h>
#include "../iptables/xshared.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x , ## args)
#else
#define DEBUGP(x, args...)
#endif
static int
get_version(unsigned *version)
{
......
......@@ -103,6 +103,9 @@ parse_hex_string(const char *s, struct xt_string_info *info)
}
while (i < slen) {
if (sindex >= XT_STRING_MAX_PATTERN_SIZE)
xtables_error(PARAMETER_PROBLEM,
"STRING too long \"%s\"", s);
if (s[i] == '\\' && !hex_f) {
literal_f = 1;
} else if (s[i] == '\\') {
......@@ -159,8 +162,6 @@ parse_hex_string(const char *s, struct xt_string_info *info)
info->pattern[sindex] = s[i];
i++;
}
if (sindex > XT_STRING_MAX_PATTERN_SIZE)
xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
sindex++;
}
info->patlen = sindex;
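Review bot: The relocated bounds check at lines 583–585 carries no comment explaining why it must sit at the top of the loop, although its position is the whole fix: the old test at lines 593–594 ran after `info->pattern[sindex]` had already been written and used `>` rather than `>=`, allowing one byte past the end of the array. A comment above the new check, `/* must precede the store below: pattern[] holds XT_STRING_MAX_PATTERN_SIZE bytes */`, would keep a later refactor from moving it back after the write. parse_hex_string() begins and ends outside these hunks.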
......
......@@ -88,10 +88,10 @@ static void time_init(struct xt_entry_match *m)
info->date_stop = INT_MAX;
}
static time_t time_parse_date(const char *s, bool end)
static time_t time_parse_date(const char *s)
{
unsigned int month = 1, day = 1, hour = 0, minute = 0, second = 0;
unsigned int year = end ? 2038 : 1970;
unsigned int year;
const char *os = s;
struct tm tm;
time_t ret;
......@@ -265,10 +265,10 @@ static void time_parse(struct xt_option_call *cb)
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_DATE_START:
info->date_start = time_parse_date(cb->arg, false);
info->date_start = time_parse_date(cb->arg);
break;
case O_DATE_STOP:
info->date_stop = time_parse_date(cb->arg, true);
info->date_stop = time_parse_date(cb->arg);
break;
case O_TIME_START:
info->daytime_start = time_parse_minutes(cb->arg);
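Review bot: `year` at line 607 is now declared without an initializer, and the previous `end ? 2038 : 1970` default is gone, so every path through time_parse_date() that reaches the `tm`/`ret` computation must assign it first; the rest of the function body is outside this hunk, so that cannot be verified here. If the intent is that the year is now mandatory in the date string, a comment on the declaration such as `/* mandatory; always set by the parser before use */` would state it, and the removed `end` parameter should be mentioned in the function's header comment so callers of the old two-argument form are not surprised. The two call sites in time_parse() at lines 616 and 620 are consistent with the new signature.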
......
......@@ -40,18 +40,23 @@ A is of type \fBchar *\fP, initially the address of the IP header
B and C are unsigned 32 bit integers, initially zero
.PP
The instructions are:
.IP
number B = number;
.TP
.B number
B = number;
.IP
C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
.IP
&number C = C & number
.IP
<< number C = C << number
.IP
>> number C = C >> number
.IP
@number A = A + C; then do the instruction number
.TP
.B &number
C = C & number
.TP
.B << number
C = C << number
.TP
.B >> number
C = C >> number
.TP
.B @number
A = A + C; then do the instruction number
.PP
Any access of memory outside [skb\->data,skb\->end] causes the match to fail.
Otherwise the result of the computation is the final value of C.
......
/*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/* All data returned by the network data base library are supplied in
host order and returned in network order (suitable for use in
system calls). */
#ifndef _ETHERNETDB_H
#define _ETHERNETDB_H 1
#include <features.h>
#include <netinet/in.h>
#include <stdint.h>
/* Absolute file name for network data base files. */
#ifndef _PATH_ETHERTYPES
#define _PATH_ETHERTYPES "/etc/ethertypes"
#endif /* _PATH_ETHERTYPES */
struct ethertypeent {
char *e_name; /* Official ethernet type name. */
char **e_aliases; /* Alias list. */
int e_ethertype; /* Ethernet type number. */
};
/* Open ethertype data base files and mark them as staying open even
after a later search if STAY_OPEN is non-zero. */
extern void setethertypeent(int __stay_open);
/* Close ethertype data base files and clear `stay open' flag. */
extern void endethertypeent(void);
/* Get next entry from ethertype data base file. Open data base if
necessary. */
extern struct ethertypeent *getethertypeent(void);
/* Return entry from ethertype data base for network with NAME. */
extern struct ethertypeent *getethertypebyname(__const char *__name);
/* Return entry from ethertype data base which number is PROTO. */
extern struct ethertypeent *getethertypebynumber(int __ethertype);
#endif /* ethernetdb.h */
#ifndef _XT_CGROUP_H
#define _XT_CGROUP_H
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _UAPI_XT_CGROUP_H
#define _UAPI_XT_CGROUP_H
#include <linux/types.h>
#include <linux/limits.h>
......@@ -21,4 +22,20 @@ struct xt_cgroup_info_v1 {
void *priv __attribute__((aligned(8)));
};
#endif /* _XT_CGROUP_H */
#define XT_CGROUP_PATH_MAX 512
struct xt_cgroup_info_v2 {
__u8 has_path;
__u8 has_classid;
__u8 invert_path;
__u8 invert_classid;
union {
char path[XT_CGROUP_PATH_MAX];
__u32 classid;
};
/* kernel internal data */
void *priv __attribute__((aligned(8)));
};
#endif /* _UAPI_XT_CGROUP_H */
......@@ -521,6 +521,18 @@ extern void xtables_ip6parse_any(const char *, struct in6_addr **,
extern void xtables_ip6parse_multiple(const char *, struct in6_addr **,
struct in6_addr **, unsigned int *);
/* Absolute file name for network data base files. */
#define XT_PATH_ETHERTYPES "/etc/ethertypes"
struct xt_ethertypeent {
char *e_name; /* Official ethernet type name. */
char **e_aliases; /* Alias list. */
int e_ethertype; /* Ethernet type number. */
};
extern struct xt_ethertypeent *xtables_getethertypebyname(const char *name);
extern struct xt_ethertypeent *xtables_getethertypebynumber(int ethertype);
/**
* Print the specified value to standard output, quoting dangerous
* characters if required.
......@@ -536,6 +548,8 @@ extern void xtables_save_string(const char *value);
#define FMT_VIA 0x0040
#define FMT_NONEWLINE 0x0080
#define FMT_LINENUMBERS 0x0100
#define FMT_EBT_SAVE 0x0200
#define FMT_C_COUNTS 0x0400
#define FMT_PRINT_RULE (FMT_NOCOUNTS | FMT_OPTIONS | FMT_VIA \
| FMT_NUMERIC | FMT_NOTABLE)
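Review bot: The new xtables_getethertypebyname()/xtables_getethertypebynumber() declarations at lines 740–741 carry no comment on the lifetime of the returned `struct xt_ethertypeent` or on thread safety, which matters because callers will treat them like getnetbyname() — a static entry overwritten by the next call — unless told otherwise; presumably that is the model here, but the header should say so, e.g. `/* Returns a pointer to static storage overwritten by the next call; NULL if not found. */`. The comment above XT_PATH_ETHERTYPES at line 733 was carried over from the old ethernetdb.h and says "network data base files" although the define names the ethertype file; `/* Absolute file name of the ethertype data base (name <-> number table). */` is more accurate.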
......
......@@ -14,6 +14,8 @@
/iptables-xml
/iptables-xml.1
/xtables-multi
/xtables-legacy-multi
/xtables-nft-multi
/xtables-config-parser.c
/xtables-config-parser.h
/xtables-config-syntax.c
......
......@@ -43,7 +43,7 @@ xtables_nft_multi_SOURCES += xtables-save.c xtables-restore.c \
nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \
xtables-monitor.c \
xtables-arp-standalone.c xtables-arp.c \
getethertype.c nft-bridge.c \
nft-bridge.c \
xtables-eb-standalone.c xtables-eb.c \
xtables-eb-translate.c \
xtables-translate.c
......@@ -80,7 +80,13 @@ x_sbin_links = iptables-nft iptables-nft-restore iptables-nft-save \
ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \
iptables-translate ip6tables-translate \
iptables-restore-translate ip6tables-restore-translate \
arptables ebtables xtables-monitor
arptables-nft arptables \
arptables-nft-restore arptables-restore \
arptables-nft-save arptables-save \
ebtables-nft ebtables \
ebtables-nft-restore ebtables-restore \
ebtables-nft-save ebtables-save \
xtables-monitor
endif
iptables-extensions.8: iptables-extensions.8.tmpl ../extensions/matches.man ../extensions/targets.man
......
......@@ -159,9 +159,8 @@ am__xtables_nft_multi_SOURCES_DIST = xtables-nft-multi.c \
xtables-save.c xtables-restore.c xtables-standalone.c \
xtables.c nft.c nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \
xtables-monitor.c xtables-arp-standalone.c xtables-arp.c \
getethertype.c nft-bridge.c xtables-eb-standalone.c \
xtables-eb.c xtables-eb-translate.c xtables-translate.c \
xshared.c
nft-bridge.c xtables-eb-standalone.c xtables-eb.c \
xtables-eb-translate.c xtables-translate.c xshared.c
@ENABLE_NFTABLES_TRUE@am_xtables_nft_multi_OBJECTS = xtables_nft_multi-xtables-nft-multi.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-iptables-xml.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-config-parser.$(OBJEXT) \
......@@ -178,7 +177,6 @@ am__xtables_nft_multi_SOURCES_DIST = xtables-nft-multi.c \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-monitor.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-arp-standalone.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-arp.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-getethertype.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-bridge.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-eb-standalone.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-eb.$(OBJEXT) \
......@@ -489,9 +487,8 @@ xtables_legacy_multi_LDADD = ../extensions/libext.a $(am__append_4) \
@ENABLE_NFTABLES_TRUE@ xtables.c nft.c nft-shared.c nft-ipv4.c \
@ENABLE_NFTABLES_TRUE@ nft-ipv6.c nft-arp.c xtables-monitor.c \
@ENABLE_NFTABLES_TRUE@ xtables-arp-standalone.c xtables-arp.c \
@ENABLE_NFTABLES_TRUE@ getethertype.c nft-bridge.c \
@ENABLE_NFTABLES_TRUE@ xtables-eb-standalone.c xtables-eb.c \
@ENABLE_NFTABLES_TRUE@ xtables-eb-translate.c \
@ENABLE_NFTABLES_TRUE@ nft-bridge.c xtables-eb-standalone.c \
@ENABLE_NFTABLES_TRUE@ xtables-eb.c xtables-eb-translate.c \
@ENABLE_NFTABLES_TRUE@ xtables-translate.c xshared.c
@ENABLE_NFTABLES_TRUE@xtables_nft_multi_CFLAGS = ${AM_CFLAGS} \
@ENABLE_NFTABLES_TRUE@ $(am__append_9) -DENABLE_NFTABLES \
......@@ -526,7 +523,13 @@ vx_bin_links = iptables-xml
@ENABLE_NFTABLES_TRUE@ ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \
@ENABLE_NFTABLES_TRUE@ iptables-translate ip6tables-translate \
@ENABLE_NFTABLES_TRUE@ iptables-restore-translate ip6tables-restore-translate \
@ENABLE_NFTABLES_TRUE@ arptables ebtables xtables-monitor
@ENABLE_NFTABLES_TRUE@ arptables-nft arptables \
@ENABLE_NFTABLES_TRUE@ arptables-nft-restore arptables-restore \
@ENABLE_NFTABLES_TRUE@ arptables-nft-save arptables-save \
@ENABLE_NFTABLES_TRUE@ ebtables-nft ebtables \
@ENABLE_NFTABLES_TRUE@ ebtables-nft-restore ebtables-restore \
@ENABLE_NFTABLES_TRUE@ ebtables-nft-save ebtables-save \
@ENABLE_NFTABLES_TRUE@ xtables-monitor
pkgconfig_DATA = xtables.pc
all: $(BUILT_SOURCES)
......@@ -657,7 +660,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-xshared.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-xtables-legacy-multi.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-getethertype.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-iptables-xml.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-arp.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-bridge.Po@am__quote@
......@@ -1080,20 +1082,6 @@ xtables_nft_multi-xtables-arp.obj: xtables-arp.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-arp.obj `if test -f 'xtables-arp.c'; then $(CYGPATH_W) 'xtables-arp.c'; else $(CYGPATH_W) '$(srcdir)/xtables-arp.c'; fi`
xtables_nft_multi-getethertype.o: getethertype.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-getethertype.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-getethertype.Tpo -c -o xtables_nft_multi-getethertype.o `test -f 'getethertype.c' || echo '$(srcdir)/'`getethertype.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-getethertype.Tpo $(DEPDIR)/xtables_nft_multi-getethertype.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='getethertype.c' object='xtables_nft_multi-getethertype.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-getethertype.o `test -f 'getethertype.c' || echo '$(srcdir)/'`getethertype.c
xtables_nft_multi-getethertype.obj: getethertype.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-getethertype.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-getethertype.Tpo -c -o xtables_nft_multi-getethertype.obj `if test -f 'getethertype.c'; then $(CYGPATH_W) 'getethertype.c'; else $(CYGPATH_W) '$(srcdir)/getethertype.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-getethertype.Tpo $(DEPDIR)/xtables_nft_multi-getethertype.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='getethertype.c' object='xtables_nft_multi-getethertype.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-getethertype.obj `if test -f 'getethertype.c'; then $(CYGPATH_W) 'getethertype.c'; else $(CYGPATH_W) '$(srcdir)/getethertype.c'; fi`
xtables_nft_multi-nft-bridge.o: nft-bridge.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-bridge.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo -c -o xtables_nft_multi-nft-bridge.o `test -f 'nft-bridge.c' || echo '$(srcdir)/'`nft-bridge.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo $(DEPDIR)/xtables_nft_multi-nft-bridge.Po
......
......@@ -20,12 +20,6 @@
#include "libiptc/libip6tc.h"
#include "ip6tables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
#else
#define DEBUGP(x, args...)
#endif
static int counters, verbose, noflush, wait;
static struct timeval wait_interval = {
......@@ -85,116 +79,12 @@ static struct xtc_handle *create_handle(const char *tablename)
return handle;
}
static int parse_counters(char *string, struct xt_counters *ctr)
{
unsigned long long pcnt, bcnt;
int ret;
ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt);
ctr->pcnt = pcnt;
ctr->bcnt = bcnt;
return ret == 2;
}
/* global new argv and argc */
static char *newargv[255];
static int newargc;
/* function adding one argument to newargv, updating newargc
* returns true if argument added, false otherwise */
static int add_argv(char *what) {
DEBUGP("add_argv: %s\n", what);
if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
newargv[newargc] = strdup(what);
newargv[++newargc] = NULL;
return 1;
} else {
xtables_error(PARAMETER_PROBLEM,
"Parser cannot handle more arguments\n");
return 0;
}
}
static void free_argv(void) {
int i;
for (i = 0; i < newargc; i++)
free(newargv[i]);
}
static void add_param_to_argv(char *parsestart)
{
int quote_open = 0, escaped = 0, param_len = 0;
char param_buffer[1024], *curchar;
/* After fighting with strtok enough, here's now
* a 'real' parser. According to Rusty I'm now no
* longer a real hacker, but I can live with that */
for (curchar = parsestart; *curchar; curchar++) {
if (quote_open) {
if (escaped) {
param_buffer[param_len++] = *curchar;
escaped = 0;
continue;
} else if (*curchar == '\\') {
escaped = 1;
continue;
} else if (*curchar == '"') {
quote_open = 0;
*curchar = ' ';
} else {
param_buffer[param_len++] = *curchar;
continue;
}
} else {
if (*curchar == '"') {
quote_open = 1;
continue;
}
}
if (*curchar == ' '
|| *curchar == '\t'
|| * curchar == '\n') {
if (!param_len) {
/* two spaces? */
continue;
}
param_buffer[param_len] = '\0';
/* check if table name specified */
if ((param_buffer[0] == '-' &&
param_buffer[1] != '-' &&
strchr(param_buffer, 't')) ||
(!strncmp(param_buffer, "--t", 3) &&
!strncmp(param_buffer, "--table", strlen(param_buffer)))) {
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be "
"used in ip6tables-restore.\n", line);
exit(1);
}
add_argv(param_buffer);
param_len = 0;
} else {
/* regular character, copy to buffer */
param_buffer[param_len++] = *curchar;
if (param_len >= sizeof(param_buffer))
xtables_error(PARAMETER_PROBLEM,
"Parameter too long!");
}
}
}
int ip6tables_restore_main(int argc, char *argv[])
{
struct xtc_handle *handle = NULL;
char buffer[10240];
int c, lock;
char curtable[XT_TABLE_MAXNAMELEN + 1];
char curtable[XT_TABLE_MAXNAMELEN + 1] = {};
FILE *in;
int in_table = 0, testing = 0;
const char *tablename = NULL;
......@@ -325,8 +215,13 @@ int ip6tables_restore_main(int argc, char *argv[])
strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
curtable[XT_TABLE_MAXNAMELEN] = '\0';
if (tablename != NULL && strcmp(tablename, table) != 0)
if (tablename != NULL && strcmp(tablename, table) != 0) {
if (lock >= 0) {
xtables_unlock(lock);
lock = XT_LOCK_NOT_ACQUIRED;
}
continue;
}
if (handle)
ops->free(handle);
......@@ -393,7 +288,7 @@ int ip6tables_restore_main(int argc, char *argv[])
}
if (strcmp(policy, "-") != 0) {
struct xt_counters count;
struct xt_counters count = {};
if (counters) {
char *ctrs;
......@@ -403,9 +298,6 @@ int ip6tables_restore_main(int argc, char *argv[])
xtables_error(PARAMETER_PROBLEM,
"invalid policy counters "
"for chain '%s'\n", chain);
} else {
memset(&count, 0, sizeof(count));
}
DEBUGP("Setting policy of chain %s to %s\n",
......@@ -424,17 +316,14 @@ int ip6tables_restore_main(int argc, char *argv[])
} else if (in_table) {
int a;
char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
char *parsestart;
/* reset the newargv */
newargc = 0;
if (buffer[0] == '[') {
/* we have counters in our input */
ptr = strchr(buffer, ']');
char *ptr = strchr(buffer, ']');
if (!ptr)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
......@@ -459,17 +348,17 @@ int ip6tables_restore_main(int argc, char *argv[])
parsestart = buffer;
}
add_argv(argv[0]);
add_argv("-t");
add_argv(curtable);
add_argv(argv[0], 0);
add_argv("-t", 0);
add_argv(curtable, 0);
if (counters && pcnt && bcnt) {
add_argv("--set-counters");
add_argv((char *) pcnt);
add_argv((char *) bcnt);
add_argv("--set-counters", 0);
add_argv((char *) pcnt, 0);
add_argv((char *) bcnt, 0);
}
add_param_to_argv(parsestart);
add_param_to_argv(parsestart, line);
DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
newargc, curtable);
......
......@@ -420,27 +420,6 @@ parse_chain(const char *chainname)
"Invalid chain name `%s'", chainname);
}
static const char *
parse_target(const char *targetname)
{
const char *ptr;
if (strlen(targetname) < 1)
xtables_error(PARAMETER_PROBLEM,
"Invalid target name (too short)");
if (strlen(targetname) >= XT_EXTENSION_MAXNAMELEN)
xtables_error(PARAMETER_PROBLEM,
"Invalid target name `%s' (%u chars max)",
targetname, XT_EXTENSION_MAXNAMELEN - 1);
for (ptr = targetname; *ptr; ptr++)
if (isspace(*ptr))
xtables_error(PARAMETER_PROBLEM,
"Invalid target name `%s'", targetname);
return targetname;
}
static void
set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
int invert)
......@@ -550,7 +529,6 @@ print_firewall(const struct ip6t_entry *fw,
{
struct xtables_target *target, *tg;
const struct xt_entry_target *t;
char buf[BUFSIZ];
if (!ip6tc_is_chain(targname, handle))
target = xtables_find_target(targname, XTF_TRY_LOAD);
......@@ -588,61 +566,10 @@ print_firewall(const struct ip6t_entry *fw,
fputc(' ', stdout);
}
if (format & FMT_VIA) {
char iface[IFNAMSIZ+2];
if (fw->ipv6.invflags & IP6T_INV_VIA_IN) {
iface[0] = '!';
iface[1] = '\0';
}
else iface[0] = '\0';
if (fw->ipv6.iniface[0] != '\0') {
strcat(iface, fw->ipv6.iniface);
}
else if (format & FMT_NUMERIC) strcat(iface, "*");
else strcat(iface, "any");
printf(FMT(" %-6s ","in %s "), iface);
if (fw->ipv6.invflags & IP6T_INV_VIA_OUT) {
iface[0] = '!';
iface[1] = '\0';
}
else iface[0] = '\0';
if (fw->ipv6.outiface[0] != '\0') {
strcat(iface, fw->ipv6.outiface);
}
else if (format & FMT_NUMERIC) strcat(iface, "*");
else strcat(iface, "any");
printf(FMT("%-6s ","out %s "), iface);
}
fputc(fw->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
if (!memcmp(&fw->ipv6.smsk, &in6addr_any, sizeof in6addr_any)
&& !(format & FMT_NUMERIC))
printf(FMT("%-19s ","%s "), "anywhere");
else {
if (format & FMT_NUMERIC)
strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.src));
else
strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.src));
strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.smsk));
printf(FMT("%-19s ","%s "), buf);
}
print_ifaces(fw->ipv6.iniface, fw->ipv6.outiface,
fw->ipv6.invflags, format);
fputc(fw->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
if (!memcmp(&fw->ipv6.dmsk, &in6addr_any, sizeof in6addr_any)
&& !(format & FMT_NUMERIC))
printf(FMT("%-19s ","-> %s"), "anywhere");
else {
if (format & FMT_NUMERIC)
strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.dst));
else
strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.dst));
strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.dmsk));
printf(FMT("%-19s ","-> %s"), buf);
}
print_ipv6_addresses(fw, format);
if (format & FMT_NOTABLE)
fputs(" ", stdout);
......@@ -1273,85 +1200,13 @@ generate_entry(const struct ip6t_entry *fw,
return e;
}
static void command_jump(struct iptables_command_state *cs)
{
size_t size;
set_option(&cs->options, OPT_JUMP, &cs->fw6.ipv6.invflags, cs->invert);
cs->jumpto = parse_target(optarg);
/* TRY_LOAD (may be chain name) */
cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD);
if (cs->target == NULL)
return;
size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size;
cs->target->t = xtables_calloc(1, size);
cs->target->t->u.target_size = size;
if (cs->target->real_name == NULL) {
strcpy(cs->target->t->u.user.name, cs->jumpto);
} else {
strcpy(cs->target->t->u.user.name, cs->target->real_name);
if (!(cs->target->ext_flags & XTABLES_EXT_ALIAS))
fprintf(stderr, "Notice: The %s target is converted into %s target "
"in rule listing and saving.\n",
cs->jumpto, cs->target->real_name);
}
cs->target->t->u.user.revision = cs->target->revision;
xs_init_target(cs->target);
if (cs->target->x6_options != NULL)
opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts,
cs->target->x6_options,
&cs->target->option_offset);
else
opts = xtables_merge_options(ip6tables_globals.orig_opts, opts,
cs->target->extra_opts,
&cs->target->option_offset);
if (opts == NULL)
xtables_error(OTHER_PROBLEM, "can't alloc memory!");
}
static void command_match(struct iptables_command_state *cs)
{
struct xtables_match *m;
size_t size;
if (cs->invert)
xtables_error(PARAMETER_PROBLEM,
"unexpected ! flag before --match");
m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, &cs->matches);
size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
m->m = xtables_calloc(1, size);
m->m->u.match_size = size;
if (m->real_name == NULL) {
strcpy(m->m->u.user.name, m->name);
} else {
strcpy(m->m->u.user.name, m->real_name);
if (!(m->ext_flags & XTABLES_EXT_ALIAS))
fprintf(stderr, "Notice: The %s match is converted into %s match "
"in rule listing and saving.\n", m->name, m->real_name);
}
m->m->u.user.revision = m->revision;
xs_init_match(m);
if (m == m->next)
return;
/* Merge options for non-cloned matches */
if (m->x6_options != NULL)
opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts,
m->x6_options, &m->option_offset);
else if (m->extra_opts != NULL)
opts = xtables_merge_options(ip6tables_globals.orig_opts, opts,
m->extra_opts, &m->option_offset);
}
int do_command6(int argc, char *argv[], char **table,
struct xtc_handle **handle, bool restore)
{
struct iptables_command_state cs;
struct iptables_command_state cs = {
.jumpto = "",
.argv = argv,
};
struct ip6t_entry *e = NULL;
unsigned int nsaddrs = 0, ndaddrs = 0;
struct in6_addr *saddrs = NULL, *daddrs = NULL;
......@@ -1374,10 +1229,6 @@ int do_command6(int argc, char *argv[], char **table,
struct xtables_target *t;
unsigned long long cnt;
memset(&cs, 0, sizeof(cs));
cs.jumpto = "";
cs.argv = argv;
/* re-set optind to 0 in case do_command6 gets called
* a second time */
optind = 0;
......@@ -1583,11 +1434,13 @@ int do_command6(int argc, char *argv[], char **table,
set_option(&cs.options, OPT_JUMP, &cs.fw6.ipv6.invflags,
cs.invert);
cs.fw6.ipv6.flags |= IP6T_F_GOTO;
cs.jumpto = parse_target(optarg);
cs.jumpto = xt_parse_target(optarg);
break;
#endif
case 'j':
set_option(&cs.options, OPT_JUMP, &cs.fw6.ipv6.invflags,
cs.invert);
command_jump(&cs);
break;
......
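Review bot: The `case 'j'` arm in the last hunk now calls `set_option(&cs.options, OPT_JUMP, ...)` itself before `command_jump(&cs)`, because the command_jump deleted in the generate_entry hunk used to record that flag internally, but nothing at the call site says so and the shared command_jump that replaces it is not on this page, so a reader will suspect the flag is now recorded twice or not at all. I would add `/* shared command_jump() no longer records OPT_JUMP; each family parser does it */` above the call. The same kind of note belongs on the `-g` arm's `cs.jumpto = xt_parse_target(optarg);`, which now relies on xt_parse_target for the length and whitespace checks the removed parse_target performed here. The enclosing do_command6 starts and ends outside the hunk.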
......@@ -123,7 +123,8 @@ done
umask 0700
TMPFILE=$(tempfile -p iptap)
trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
FPE USR1 SEGV USR2 PIPE ALRM TERM
if ! "$SAVE" >"$TMPFILE"; then
if ! grep -q ipt /proc/modules 2>/dev/null; then
......@@ -143,7 +144,7 @@ if ! "$RESTORE" <"$FILE"; then
echo "E: unknown error applying new iptables ruleset." >&2
exit 5
else
echo done.
echo "done."
fi
echo -n "Can you establish NEW connections to the machine? (y/N) "
......@@ -152,7 +153,7 @@ read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || :
case "${ret:-}" in
(y*|Y*)
echo
echo ... then my job is done. See you next time.
echo "... then my job is done. See you next time."
;;
(*)
if [[ -z "${ret:-}" ]]; then
......@@ -163,7 +164,7 @@ case "${ret:-}" in
echo "Timeout. Something happened (or did not). Better play it safe..."
echo -n "Reverting to old ruleset... "
"$RESTORE" <"$TMPFILE";
echo done.
echo "done."
exit 255
;;
esac
......
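Review bot: The rewritten trap at the top of the section still bakes an unchecked `$TMPFILE` into the handler: `tempfile -p iptap` on the line before it can fail (it is Debian-specific and its own manual marks it deprecated in favour of mktemp), in which case TMPFILE is empty, the trap degrades to a bare `rm -f`, and `"$SAVE" >"$TMPFILE"` below writes the saved ruleset to an empty path instead of a private file. I would fail early before installing the trap: `TMPFILE=$(tempfile -p iptap) || { echo "E: cannot create temporary file" >&2; exit 1; }`. Naming the signals instead of numbering them is the right change; ILL, TRAP, BUS, FPE and SEGV are rarely meaningful for a shell handler and could be dropped, but keeping them is harmless.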
......@@ -17,12 +17,6 @@
#include "libiptc/libiptc.h"
#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
#else
#define DEBUGP(x, args...)
#endif
static int counters, verbose, noflush, wait;
static struct timeval wait_interval = {
......@@ -82,117 +76,13 @@ static struct xtc_handle *create_handle(const char *tablename)
return handle;
}
static int parse_counters(char *string, struct xt_counters *ctr)
{
unsigned long long pcnt, bcnt;
int ret;
ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt);
ctr->pcnt = pcnt;
ctr->bcnt = bcnt;
return ret == 2;
}
/* global new argv and argc */
static char *newargv[255];
static int newargc;
/* function adding one argument to newargv, updating newargc
* returns true if argument added, false otherwise */
static int add_argv(char *what) {
DEBUGP("add_argv: %s\n", what);
if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
newargv[newargc] = strdup(what);
newargv[++newargc] = NULL;
return 1;
} else {
xtables_error(PARAMETER_PROBLEM,
"Parser cannot handle more arguments\n");
return 0;
}
}
static void free_argv(void) {
int i;
for (i = 0; i < newargc; i++)
free(newargv[i]);
}
static void add_param_to_argv(char *parsestart)
{
int quote_open = 0, escaped = 0, param_len = 0;
char param_buffer[1024], *curchar;
/* After fighting with strtok enough, here's now
* a 'real' parser. According to Rusty I'm now no
* longer a real hacker, but I can live with that */
for (curchar = parsestart; *curchar; curchar++) {
if (quote_open) {
if (escaped) {
param_buffer[param_len++] = *curchar;
escaped = 0;
continue;
} else if (*curchar == '\\') {
escaped = 1;
continue;
} else if (*curchar == '"') {
quote_open = 0;
*curchar = ' ';
} else {
param_buffer[param_len++] = *curchar;
continue;
}
} else {
if (*curchar == '"') {
quote_open = 1;
continue;
}
}
if (*curchar == ' '
|| *curchar == '\t'
|| * curchar == '\n') {
if (!param_len) {
/* two spaces? */
continue;
}
param_buffer[param_len] = '\0';
/* check if table name specified */
if ((param_buffer[0] == '-' &&
param_buffer[1] != '-' &&
strchr(param_buffer, 't')) ||
(!strncmp(param_buffer, "--t", 3) &&
!strncmp(param_buffer, "--table", strlen(param_buffer)))) {
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be "
"used in iptables-restore.\n", line);
exit(1);
}
add_argv(param_buffer);
param_len = 0;
} else {
/* regular character, copy to buffer */
param_buffer[param_len++] = *curchar;
if (param_len >= sizeof(param_buffer))
xtables_error(PARAMETER_PROBLEM,
"Parameter too long!");
}
}
}
int
iptables_restore_main(int argc, char *argv[])
{
struct xtc_handle *handle = NULL;
char buffer[10240];
int c, lock;
char curtable[XT_TABLE_MAXNAMELEN + 1];
char curtable[XT_TABLE_MAXNAMELEN + 1] = {};
FILE *in;
int in_table = 0, testing = 0;
const char *tablename = NULL;
......@@ -323,8 +213,13 @@ iptables_restore_main(int argc, char *argv[])
strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
curtable[XT_TABLE_MAXNAMELEN] = '\0';
if (tablename && (strcmp(tablename, table) != 0))
if (tablename && (strcmp(tablename, table) != 0)) {
if (lock >= 0) {
xtables_unlock(lock);
lock = XT_LOCK_NOT_ACQUIRED;
}
continue;
}
if (handle)
ops->free(handle);
......@@ -391,7 +286,7 @@ iptables_restore_main(int argc, char *argv[])
}
if (strcmp(policy, "-") != 0) {
struct xt_counters count;
struct xt_counters count = {};
if (counters) {
char *ctrs;
......@@ -401,9 +296,6 @@ iptables_restore_main(int argc, char *argv[])
xtables_error(PARAMETER_PROBLEM,
"invalid policy counters "
"for chain '%s'\n", chain);
} else {
memset(&count, 0, sizeof(count));
}
DEBUGP("Setting policy of chain %s to %s\n",
......@@ -422,17 +314,14 @@ iptables_restore_main(int argc, char *argv[])
} else if (in_table) {
int a;
char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
char *parsestart;
/* reset the newargv */
newargc = 0;
if (buffer[0] == '[') {
/* we have counters in our input */
ptr = strchr(buffer, ']');
char *ptr = strchr(buffer, ']');
if (!ptr)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
......@@ -457,17 +346,17 @@ iptables_restore_main(int argc, char *argv[])
parsestart = buffer;
}
add_argv(argv[0]);
add_argv("-t");
add_argv(curtable);
add_argv(argv[0], 0);
add_argv("-t", 0);
add_argv(curtable, 0);
if (counters && pcnt && bcnt) {
add_argv("--set-counters");
add_argv((char *) pcnt);
add_argv((char *) bcnt);
add_argv("--set-counters", 0);
add_argv((char *) pcnt, 0);
add_argv((char *) bcnt, 0);
}
add_param_to_argv(parsestart);
add_param_to_argv(parsestart, line);
DEBUGP("calling do_command4(%u, argv, &%s, handle):\n",
newargc, curtable);
......
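Review bot: The `0` passed as the new second argument in the six `add_argv(..., 0)` calls of the last hunk is a bare magic value; only the `add_argv(char *what, int quoted)` signature deleted from iptables-xml.c later in this commit suggests it is a "quoted" flag, and the shared definition is not on this page. A comment above the first call, `/* 0: argument was not quoted in the input line */`, or a named constant would keep the call sites readable; the identical calls in ip6tables-restore.c earlier in this commit need the same treatment. Separately, the first hunk removes the local DEBUGP definition while `DEBUGP(...)` is still used further down this file, so the macro must now come from a header included outside the hunk, presumably the shared one; worth confirming since the hunk does not add an include. The enclosing iptables_restore_main starts before the hunk and continues past it.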
......@@ -16,12 +16,7 @@
#include "libiptc/libiptc.h"
#include "xtables-multi.h"
#include <xtables.h>
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
#else
#define DEBUGP(x, args...)
#endif
#include "xshared.h"
struct xtables_globals iptables_xml_globals = {
.option_offset = 0,
......@@ -55,32 +50,6 @@ print_usage(const char *name, const char *version)
exit(1);
}
static int
parse_counters(char *string, struct xt_counters *ctr)
{
__u64 *pcnt, *bcnt;
if (string != NULL) {
pcnt = &ctr->pcnt;
bcnt = &ctr->bcnt;
return (sscanf
(string, "[%llu:%llu]",
(unsigned long long *)pcnt,
(unsigned long long *)bcnt) == 2);
} else
return (0 == 2);
}
/* global new argv and argc */
static char *newargv[255];
static unsigned int newargc;
static char *oldargv[255];
static unsigned int oldargc;
/* arg meta data, were they quoted, frinstance */
static int newargvattr[255];
#define XT_CHAIN_MAXNAMELEN XT_TABLE_MAXNAMELEN
static char closeActionTag[XT_TABLE_MAXNAMELEN + 1];
static char closeRuleTag[XT_TABLE_MAXNAMELEN + 1];
......@@ -98,57 +67,6 @@ struct chain {
static struct chain chains[maxChains];
static int nextChain;
/* funCtion adding one argument to newargv, updating newargc
* returns true if argument added, false otherwise */
static int
add_argv(char *what, int quoted)
{
DEBUGP("add_argv: %d %s\n", newargc, what);
if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
newargv[newargc] = strdup(what);
newargvattr[newargc] = quoted;
newargc++;
return 1;
} else
return 0;
}
static void
free_argv(void)
{
unsigned int i;
for (i = 0; i < newargc; i++) {
free(newargv[i]);
newargv[i] = NULL;
}
newargc = 0;
for (i = 0; i < oldargc; i++) {
free(oldargv[i]);
oldargv[i] = NULL;
}
oldargc = 0;
}
/* Save parsed rule for comparison with next rule to perform action aggregation
* on duplicate conditions.
*/
static void
save_argv(void)
{
unsigned int i;
for (i = 0; i < oldargc; i++)
free(oldargv[i]);
oldargc = newargc;
newargc = 0;
for (i = 0; i < oldargc; i++) {
oldargv[i] = newargv[i];
newargv[i] = NULL;
}
}
/* like puts but with xml encoding */
static void
xmlEncode(char *text)
......@@ -730,7 +648,6 @@ iptables_xml_main(int argc, char *argv[])
ret = 1;
} else if (curTable[0]) {
unsigned int a;
char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
char *parsestart;
......@@ -741,12 +658,10 @@ iptables_xml_main(int argc, char *argv[])
int quote_open, quoted;
char param_buffer[1024];
/* reset the newargv */
newargc = 0;
if (buffer[0] == '[') {
/* we have counters in our input */
ptr = strchr(buffer, ']');
char *ptr = strchr(buffer, ']');
if (!ptr)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
......
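Review bot: The per-line `newargc = 0;` reset removed in the last hunk was the only visible point where this file zeroed the shared argv counter before parsing a rule; free_argv and save_argv, which also reset it, are deleted from this file in the same commit, so iptables_xml_main now depends on their shared replacements performing that reset after every rule, which is worth confirming and worth a comment at the spot, e.g. `/* newargc is reset by free_argv()/save_argv() after each rule */`. Note also that this file's deleted add_argv returned 0 silently when newargv was full, whereas the version deleted from the restore tools aborted via xtables_error; only one of those behaviours can survive unification, and if it is the silent one the add_argv callers in iptables_xml_main (outside this hunk) must check the return value. The enclosing iptables_xml_main starts before the hunk and continues past it.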