Diffstat (limited to 'iptables/xshared.h')
-rw-r--r-- | iptables/xshared.h | 207 |
1 files changed, 160 insertions, 47 deletions
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 9159b2b1..26c492eb 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -6,15 +6,21 @@
 #include <stdint.h>
 #include <netinet/in.h>
 #include <net/if.h>
-#include <sys/time.h>
 #include <linux/netfilter_arp/arp_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #ifdef DEBUG
 #define DEBUGP(x, args...) fprintf(stderr, x, ## args)
+#define DEBUG_HEXDUMP(pfx, data, len) \
+ for (int __i = 0; __i < (len); __i++) { \
+ if (__i % 16 == 0) \
+ printf("%s%s: ", __i ? "\n" : "", (pfx)); \
+ printf("%02x ", ((const unsigned char *)data)[__i]); \
+ } printf("\n")
 #else
 #define DEBUGP(x, args...)
+#define DEBUG_HEXDUMP(pfx, data, len)
 #endif
 enum {
@@ -38,11 +44,14 @@ enum {
 OPT_OPCODE = 1 << 15,
 OPT_H_TYPE = 1 << 16,
 OPT_P_TYPE = 1 << 17,
+ /* below are for ebtables only */
+ OPT_LOGICALIN = 1 << 18,
+ OPT_LOGICALOUT = 1 << 19,
+ OPT_LIST_C = 1 << 20,
+ OPT_LIST_X = 1 << 21,
+ OPT_LIST_MAC2 = 1 << 22,
 };
-
-#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
-static const char optflags[]
-= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f', 2, 3, 'l', 4, 5, 6 };
+#define NUMBER_OF_OPT 24
 enum {
 CMD_NONE = 0,
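Review bot: The new DEBUG_HEXDUMP expands to a `for` statement followed by a bare `printf("\n")`, so `if (cond) DEBUG_HEXDUMP(...);` prints the trailing newline even when cond is false; the loop counter `__i` is also a double-underscore identifier, which C reserves for the implementation, and `data` is used unparenthesised inside the cast. Wrapping the expansion in `do { ... } while (0)`, renaming the counter and casting `(const unsigned char *)(data)` addresses all three. The macro writes to stdout via printf while the neighbouring DEBUGP writes to stderr; using `fprintf(stderr, ...)` keeps the debug output on one stream.
```c
#define DEBUG_HEXDUMP(pfx, data, len) \
	do { \
		for (int hd_i = 0; hd_i < (len); hd_i++) { \
			if (hd_i % 16 == 0) \
				fprintf(stderr, "%s%s: ", hd_i ? "\n" : "", (pfx)); \
			fprintf(stderr, "%02x ", ((const unsigned char *)(data))[hd_i]); \
		} \
		fprintf(stderr, "\n"); \
	} while (0)
```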
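Review bot: `#define NUMBER_OF_OPT 24` replaces a count that ARRAY_SIZE derived from the removed optflags table, so it now has to be kept in step with the enum by hand; the enum visible here ends at `OPT_LIST_MAC2 = 1 << 22`, i.e. 23 flag bits, and what the 24th slot accounts for is not visible in this hunk (the enum's first members lie outside it). A comment beside the define stating the intended relation, e.g. `/* number of OPT_* bits (plus one for OPT_NONE) — keep in sync with the enum above */` if that is the rule, would let whoever adds the next ebtables flag update both. The same hand-maintained pairing appears with `#define NUMBER_OF_CMD 18` in the following hunk.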
@@ -61,32 +70,28 @@ enum { CMD_LIST_RULES = 1 << 12, CMD_ZERO_NUM = 1 << 13, CMD_CHECK = 1 << 14, + CMD_CHANGE_COUNTERS = 1 << 15, /* ebtables only */ + CMD_INIT_TABLE = 1 << 16, /* ebtables only */ }; -#define NUMBER_OF_CMD 16 +#define NUMBER_OF_CMD 18 struct xtables_globals; struct xtables_rule_match; struct xtables_target; -/** - * xtables_afinfo - protocol family dependent information - * @kmod: kernel module basename (e.g. "ip_tables") - * @proc_exists: file which exists in procfs when module already loaded - * @libprefix: prefix of .so library name (e.g. "libipt_") - * @family: nfproto family - * @ipproto: used by setsockopt (e.g. IPPROTO_IP) - * @so_rev_match: optname to check revision support of match - * @so_rev_target: optname to check revision support of target +#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:R:S::VX::Z::" "c:d:i:j:o:p:s:t:v" +#define IPT_OPTSTRING OPTSTRING_COMMON "W::" "46bfg:h::m:nw::x" +#define ARPT_OPTSTRING OPTSTRING_COMMON "h::l:nx" /* "m:" */ +#define EBT_OPTSTRING OPTSTRING_COMMON "h" + +/* define invflags which won't collide with IPT ones. + * arptables-nft does NOT use the legacy ARPT_INV_* defines. */ -struct xtables_afinfo { - const char *kmod; - const char *proc_exists; - const char *libprefix; - uint8_t family; - uint8_t ipproto; - int so_rev_match; - int so_rev_target; -}; +#define IPT_INV_SRCDEVADDR 0x0080 +#define IPT_INV_TGTDEVADDR 0x0100 +#define IPT_INV_ARPHLN 0x0200 +#define IPT_INV_ARPOP 0x0400 +#define IPT_INV_ARPHRD 0x0800 /* trick for ebtables-compat, since watchers are targets */ struct ebt_match { @@ -125,7 +130,6 @@ struct iptables_command_state { struct ip6t_entry fw6; struct arpt_entry arp; }; - int invert; int c; unsigned int options; struct xtables_rule_match *matches; 
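Review bot: The added IPT_INV_SRCDEVADDR … IPT_INV_ARPHRD defines reuse the `IPT_INV_` prefix of the kernel uapi header included above (linux/netfilter_ipv4/ip_tables.h), so the "won't collide with IPT ones" comment rests on the kernel never extending its flag set into 0x0080–0x0800; a compile-time check such as `_Static_assert(((IPT_INV_SRCDEVADDR | IPT_INV_TGTDEVADDR | IPT_INV_ARPHLN | IPT_INV_ARPOP | IPT_INV_ARPHRD) & IPT_INV_MASK) == 0, "arp invflags overlap IPT_INV_MASK");` would turn that comment into something the build enforces. A user-space-specific prefix would additionally make the origin of each flag obvious at its use sites. Separately, `/* "m:" */` inside ARPT_OPTSTRING is commented-out code; if the option is intentionally unsupported, a short comment saying so reads better than a dangling literal.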
@@ -135,10 +139,13 @@ struct iptables_command_state { char *protocol; int proto_used; const char *jumpto; + int argc; char **argv; bool restore; }; +void xtables_clear_iptables_command_state(struct iptables_command_state *cs); + typedef int (*mainfunc_t)(int, char **); struct subcommand { @@ -146,16 +153,6 @@ struct subcommand { mainfunc_t main; }; -enum { - XT_OPTION_OFFSET_SCALE = 256, -}; - -extern void print_extension_helps(const struct xtables_target *, - const struct xtables_rule_match *); -extern const char *proto_to_name(uint8_t, int); -extern int command_default(struct iptables_command_state *, - struct xtables_globals *); -extern struct xtables_match *load_proto(struct iptables_command_state *); extern int subcmd_main(int, char **, const struct subcommand *); extern void xs_init_target(struct xtables_target *); extern void xs_init_match(struct xtables_match *); @@ -179,16 +176,14 @@ enum { XT_LOCK_NOT_ACQUIRED = -3, }; extern void xtables_unlock(int lock); -extern int xtables_lock_or_exit(int wait, struct timeval *tv); +extern int xtables_lock_or_exit(int wait); int parse_wait_time(int argc, char *argv[]); -void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval); +void parse_wait_interval(int argc, char *argv[]); int parse_counters(const char *string, struct xt_counters *ctr); bool tokenize_rule_counters(char **bufferp, char **pcnt, char **bcnt, int line); bool xs_has_arg(int argc, char *argv[]); -extern const struct xtables_afinfo *afinfo; - #define MAX_ARGC 255 struct argv_store { int argc; 
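Review bot: `xtables_clear_iptables_command_state()` is declared without a comment, and now that struct iptables_command_state carries `argc`/`argv` next to `matches` and `target`, the header does not say what the function frees and what it merely resets — for instance whether `argv` and the strings under it are owned by cs and released here. A two-line comment on the declaration naming the members it frees and stating whether cs is reusable afterwards would remove the guesswork for the callers being migrated in this series. The struct definition itself starts outside this hunk.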
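Review bot: In the third hunk, `parse_wait_interval(int argc, char *argv[])` now returns void and has lost its `struct timeval *` output parameter, so the parsed interval must land in state that is not visible in this header; a void parser with no out-parameter otherwise reads like a validation-only call. If the value is kept in a file-scope variable consumed by `xtables_lock_or_exit(int wait)`, the declaration should say so, e.g. `/* stores the parsed interval in module-global state used by xtables_lock_or_exit() */`, since both functions now share that implicit dependency.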
@@ -206,22 +201,140 @@ void debug_print_argv(struct argv_store *store); # define debug_print_argv(...) /* nothing */ #endif +const char *ipv4_addr_to_string(const struct in_addr *addr, + const struct in_addr *mask, + unsigned int format); +void print_header(unsigned int format, const char *chain, const char *pol, + const struct xt_counters *counters, + int refs, uint32_t entries); void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); +void save_ipv4_addr(char letter, const struct in_addr *addr, + const struct in_addr *mask, int invert); void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); +void save_ipv6_addr(char letter, const struct in6_addr *addr, + const struct in6_addr *mask, int invert); void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags, unsigned int format); +void save_iface(char letter, const char *iface, int invert); + +void print_fragment(unsigned int flags, unsigned int invflags, + unsigned int format, bool fake); -void command_match(struct iptables_command_state *cs); -const char *xt_parse_target(const char *targetname); void command_jump(struct iptables_command_state *cs, const char *jumpto); -char cmd2char(int option); -void add_command(unsigned int *cmd, const int newcmd, - const int othercmds, int invert); -int parse_rulenumber(const char *rule); +void assert_valid_chain_name(const char *chainname); + +void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs, + const char *targname, uint8_t proto, uint8_t flags, + uint8_t invflags, unsigned int format); +void save_rule_details(const char *iniface, const char *outiface, + uint16_t proto, int frag, uint8_t invflags); + +int print_match_save(const struct xt_entry_match *e, const void *ip); + +void exit_tryhelp(int status, int line) __attribute__((noreturn)); + +struct addr_mask { + union { + struct in_addr *v4; + struct in6_addr *v6; + void *ptr; + } addr; + + unsigned int naddrs; + + union { + struct in_addr 
*v4; + struct in6_addr *v6; + void *ptr; + } mask; +}; + +enum { + CTR_OP_INC_PKTS = 1 << 0, + CTR_OP_DEC_PKTS = 1 << 1, + CTR_OP_INC_BYTES = 1 << 2, + CTR_OP_DEC_BYTES = 1 << 3, +}; + +struct xtables_args { + int family; + uint8_t flags; + uint16_t invflags; + char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; + unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; + char bri_iniface[IFNAMSIZ], bri_outiface[IFNAMSIZ]; + bool goto_set; + const char *shostnetworkmask, *dhostnetworkmask; + const char *pcnt, *bcnt; + struct addr_mask s, d; + const char *src_mac, *dst_mac; + const char *arp_hlen, *arp_opcode; + const char *arp_htype, *arp_ptype; + unsigned long long pcnt_cnt, bcnt_cnt; + uint8_t counter_op; + int wait; +}; + +struct xt_cmd_parse_ops { + void (*proto_parse)(struct iptables_command_state *cs, + struct xtables_args *args); + void (*post_parse)(int command, + struct iptables_command_state *cs, + struct xtables_args *args); + const char *(*option_name)(int option); + int (*option_invert)(int option); + int (*command_default)(struct iptables_command_state *cs, + struct xtables_globals *gl, bool invert); + void (*print_help)(struct iptables_command_state *cs); +}; + +struct xt_cmd_parse { + unsigned int command; + unsigned int rulenum; + unsigned int rulenum_end; + char *table; + const char *chain; + const char *newname; + const char *policy; + bool restore; + int line; + int verbose; + bool rule_ranges; + struct xt_cmd_parse_ops *ops; +}; + +void xtables_printhelp(struct iptables_command_state *cs); +const char *ip46t_option_name(int option); +int ip46t_option_invert(int option); +int command_default(struct iptables_command_state *cs, + struct xtables_globals *gl, bool invert); + +void do_parse(int argc, char *argv[], + struct xt_cmd_parse *p, struct iptables_command_state *cs, + struct xtables_args *args); + +void ipv4_proto_parse(struct iptables_command_state *cs, + struct xtables_args *args); +void ipv6_proto_parse(struct iptables_command_state *cs, + 
struct xtables_args *args); +void ipv4_post_parse(int command, struct iptables_command_state *cs, + struct xtables_args *args); +void ipv6_post_parse(int command, struct iptables_command_state *cs, + struct xtables_args *args); + +extern char *arp_opcodes[]; +#define ARP_NUMOPCODES 9 + +unsigned char *make_delete_mask(const struct xtables_rule_match *matches, + const struct xtables_target *target, + size_t entry_size); + +void iface_to_mask(const char *ifname, unsigned char *mask); + +void xtables_clear_args(struct xtables_args *args); -void generic_opt_check(int command, int options); -char opt2char(int option); +const char *proto_to_name(uint16_t proto, int nolookup); #endif /* IPTABLES_XSHARED_H */ |
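Review bot: `make_delete_mask()` returns an `unsigned char *` sized from `entry_size` but the declaration says nothing about who frees it, and `struct addr_mask` likewise leaves open whether `addr.ptr`/`mask.ptr` point at heap arrays of `naddrs` elements that `xtables_clear_args()` releases; if these are heap buffers, as the names suggest, ownership belongs on the declarations. `extern char *arp_opcodes[]` with a hand-maintained `ARP_NUMOPCODES 9` should be `extern const char *const arp_opcodes[]` — writing through a string literal is undefined behaviour and the const catches it at compile time — and `iface_to_mask(const char *ifname, unsigned char *mask)` should state that `mask` must hold IFNAMSIZ bytes, as the `iniface_mask[IFNAMSIZ]` fields of struct xtables_args suggest. Note also that `struct xt_cmd_parse` has `char *table` while every other string member is `const char *`; if the table name is never modified, const-qualify it for consistency.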