diff options
Diffstat (limited to 'iptables/xtables-arp.c')
-rw-r--r-- | iptables/xtables-arp.c | 638 |
1 files changed, 17 insertions, 621 deletions
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index de7c3817..cca19438 100644 --- a/iptables/xtables-arp.c +++ b/iptables/xtables-arp.c @@ -30,35 +30,23 @@ #include "config.h" #include <getopt.h> #include <string.h> -#include <netdb.h> -#include <errno.h> #include <stdio.h> #include <stdlib.h> -#include <inttypes.h> -#include <dlfcn.h> -#include <ctype.h> -#include <stdarg.h> -#include <limits.h> -#include <unistd.h> -#include <fcntl.h> -#include <sys/wait.h> -#include <net/if.h> -#include <netinet/ether.h> -#include <iptables.h> #include <xtables.h> #include "xshared.h" #include "nft.h" #include "nft-arp.h" -#include <linux/netfilter_arp/arp_tables.h> static struct option original_opts[] = { { "append", 1, 0, 'A' }, { "delete", 1, 0, 'D' }, + { "check", 1, 0, 'C'}, { "insert", 1, 0, 'I' }, { "replace", 1, 0, 'R' }, { "list", 2, 0, 'L' }, + { "list-rules", 2, 0, 'S'}, { "flush", 2, 0, 'F' }, { "zero", 2, 0, 'Z' }, { "new-chain", 1, 0, 'N' }, @@ -101,7 +89,7 @@ static void printhelp(const struct xtables_rule_match *m); struct xtables_globals arptables_globals = { .option_offset = 0, .program_version = PACKAGE_VERSION, - .optstring = OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */, + .optstring = OPTSTRING_COMMON "C:R:S::" "h::l:nv" /* "m:" */, .orig_opts = original_opts, .exit_err = xtables_exit_error, .compat_rev = nft_compatible_revision, @@ -109,25 +97,18 @@ struct xtables_globals arptables_globals = { }; static void -exit_tryhelp(int status) -{ - fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", - arptables_globals.program_name, - arptables_globals.program_version); - exit(status); -} - -static void printhelp(const struct xtables_rule_match *m) { struct xtables_target *t = NULL; int i; printf("%s v%s\n\n" -"Usage: %s -[AD] chain rule-specification [options]\n" -" %s -[RI] chain rulenum rule-specification [options]\n" +"Usage: %s -[ACD] chain rule-specification [options]\n" +" %s -I chain [rulenum] rule-specification [options]\n" +" %s -R chain rulenum rule-specification [options]\n" " %s -D chain rulenum [options]\n" -" %s -[LFZ] [chain] [options]\n" +" %s -[LS] [chain [rulenum]] [options]\n" +" %s -[FZ] [chain] [options]\n" " %s -[NX] chain\n" " %s -E old-chain-name new-chain-name\n" " %s -P chain target [options]\n" @@ -141,11 +122,14 @@ printhelp(const struct xtables_rule_match *m) arptables_globals.program_name, arptables_globals.program_name, arptables_globals.program_name, + arptables_globals.program_name, + arptables_globals.program_name, arptables_globals.program_name); printf( "Commands:\n" "Either long or short options are allowed.\n" " --append -A chain Append to chain\n" +" --check -C chain Check for the existence of a rule\n" " --delete -D chain Delete matching rule from chain\n" " --delete -D chain rulenum\n" " Delete rule rulenum (1 = first) from chain\n" @@ -153,9 +137,13 @@ printhelp(const struct xtables_rule_match *m) " Insert in chain as rulenum (default 1=first)\n" " --replace -R chain rulenum\n" " Replace rule rulenum (1 = first) in chain\n" -" --list -L [chain] List the rules in a chain or all chains\n" +" --list -L [chain [rulenum]]\n" +" List the rules in a chain or all chains\n" +" --list-rules -S [chain [rulenum]]\n" +" Print the rules in a chain or all chains\n" " --flush -F [chain] Delete all rules in chain or all chains\n" -" --zero -Z [chain] Zero counters in chain or all chains\n" +" --zero -Z [chain [rulenum]]\n" +" Zero counters in chain or all chains\n" " --new -N chain Create a new user-defined chain\n" " --delete-chain\n" " -X [chain] Delete a user-defined chain\n" @@ -210,134 +198,6 @@ printhelp(const struct xtables_rule_match *m) } } -static int -check_inverse(const char option[], int *invert, int *optidx, int argc) -{ - if (option && strcmp(option, "!") == 0) { - if (*invert) - xtables_error(PARAMETER_PROBLEM, - "Multiple `!' flags not allowed"); - *invert = true; - if (optidx) { - *optidx = *optidx+1; - if (argc && *optidx > argc) - xtables_error(PARAMETER_PROBLEM, - "no argument following `!'"); - } - - return true; - } - return false; -} - -static int -list_entries(struct nft_handle *h, const char *chain, const char *table, - int rulenum, int verbose, int numeric, int expanded, - int linenumbers) -{ - unsigned int format; - - format = FMT_OPTIONS; - if (!verbose) - format |= FMT_NOCOUNTS; - else - format |= FMT_VIA; - - if (numeric) - format |= FMT_NUMERIC; - - if (!expanded) - format |= FMT_KILOMEGAGIGA; - - if (linenumbers) - format |= FMT_LINENUMBERS; - - return nft_cmd_rule_list(h, chain, table, rulenum, format); -} - -static int -append_entry(struct nft_handle *h, - const char *chain, - const char *table, - struct iptables_command_state *cs, - int rulenum, - unsigned int nsaddrs, - const struct in_addr saddrs[], - const struct in_addr smasks[], - unsigned int ndaddrs, - const struct in_addr daddrs[], - const struct in_addr dmasks[], - bool verbose, bool append) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < nsaddrs; i++) { - cs->arp.arp.src.s_addr = saddrs[i].s_addr; - cs->arp.arp.smsk.s_addr = smasks[i].s_addr; - for (j = 0; j < ndaddrs; j++) { - cs->arp.arp.tgt.s_addr = daddrs[j].s_addr; - cs->arp.arp.tmsk.s_addr = dmasks[j].s_addr; - if (append) { - ret = nft_cmd_rule_append(h, chain, table, cs, NULL, - verbose); - } else { - ret = nft_cmd_rule_insert(h, chain, table, cs, - rulenum, verbose); - } - } - } - - return ret; -} - -static int -replace_entry(const char *chain, - const char *table, - struct iptables_command_state *cs, - unsigned int rulenum, - const struct in_addr *saddr, - const struct in_addr *smask, - const struct in_addr *daddr, - const struct in_addr *dmask, - bool verbose, struct nft_handle *h) -{ - cs->arp.arp.src.s_addr = saddr->s_addr; - cs->arp.arp.tgt.s_addr = daddr->s_addr; - cs->arp.arp.smsk.s_addr = smask->s_addr; - cs->arp.arp.tmsk.s_addr = dmask->s_addr; - - return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); -} - -static int -delete_entry(const char *chain, - const char *table, - struct iptables_command_state *cs, - unsigned int nsaddrs, - const struct in_addr saddrs[], - const struct in_addr smasks[], - unsigned int ndaddrs, - const struct in_addr daddrs[], - const struct in_addr dmasks[], - bool verbose, struct nft_handle *h) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < nsaddrs; i++) { - cs->arp.arp.src.s_addr = saddrs[i].s_addr; - cs->arp.arp.smsk.s_addr = smasks[i].s_addr; - for (j = 0; j < ndaddrs; j++) { - cs->arp.arp.tgt.s_addr = daddrs[j].s_addr; - cs->arp.arp.tmsk.s_addr = dmasks[j].s_addr; - ret = nft_cmd_rule_delete(h, chain, table, cs, verbose); - } - } - - return ret; -} - int nft_init_arp(struct nft_handle *h, const char *pname) { arptables_globals.program_name = pname; @@ -358,467 +218,3 @@ int nft_init_arp(struct nft_handle *h, const char *pname) return 0; } - -int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, - bool restore) -{ - struct iptables_command_state cs = { - .jumpto = "", - .arp.arp = { - .arhln = 6, - .arhln_mask = 255, - .arhrd = htons(ARPHRD_ETHER), - .arhrd_mask = 65535, - }, - }; - struct nft_xt_cmd_parse p = { - .table = *table, - }; - struct xtables_args args = { - .family = h->family, - }; - int invert = 0; - int ret = 1; - struct xtables_target *t; - - /* re-set optind to 0 in case do_command gets called - * a second time */ - optind = 0; - - for (t = xtables_targets; t; t = t->next) { - t->tflags = 0; - t->used = 0; - } - - /* Suppress error messages: we may add new options if we - demand-load a protocol. */ - opterr = 0; - - opts = xt_params->orig_opts; - while ((cs.c = getopt_long(argc, argv, xt_params->optstring, - opts, NULL)) != -1) { - switch (cs.c) { - /* - * Command selection - */ - case 'A': - add_command(&p.command, CMD_APPEND, CMD_NONE, - invert); - p.chain = optarg; - break; - - case 'D': - add_command(&p.command, CMD_DELETE, CMD_NONE, - invert); - p.chain = optarg; - if (xs_has_arg(argc, argv)) { - p.rulenum = parse_rulenumber(argv[optind++]); - p.command = CMD_DELETE_NUM; - } - break; - - case 'R': - add_command(&p.command, CMD_REPLACE, CMD_NONE, - invert); - p.chain = optarg; - if (xs_has_arg(argc, argv)) - p.rulenum = parse_rulenumber(argv[optind++]); - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a rule number", - cmd2char(CMD_REPLACE)); - break; - - case 'I': - add_command(&p.command, CMD_INSERT, CMD_NONE, - invert); - p.chain = optarg; - if (xs_has_arg(argc, argv)) - p.rulenum = parse_rulenumber(argv[optind++]); - else p.rulenum = 1; - break; - - case 'L': - add_command(&p.command, CMD_LIST, CMD_ZERO, - invert); - if (optarg) p.chain = optarg; - else if (xs_has_arg(argc, argv)) - p.chain = argv[optind++]; - break; - - case 'F': - add_command(&p.command, CMD_FLUSH, CMD_NONE, - invert); - if (optarg) p.chain = optarg; - else if (xs_has_arg(argc, argv)) - p.chain = argv[optind++]; - break; - - case 'Z': - add_command(&p.command, CMD_ZERO, CMD_LIST, - invert); - if (optarg) p.chain = optarg; - else if (xs_has_arg(argc, argv)) - p.chain = argv[optind++]; - break; - - case 'N': - if (optarg && *optarg == '-') - xtables_error(PARAMETER_PROBLEM, - "chain name not allowed to start " - "with `-'\n"); - if (xtables_find_target(optarg, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "chain name may not clash " - "with target name\n"); - add_command(&p.command, CMD_NEW_CHAIN, CMD_NONE, - invert); - p.chain = optarg; - break; - - case 'X': - add_command(&p.command, CMD_DELETE_CHAIN, CMD_NONE, - invert); - if (optarg) p.chain = optarg; - else if (xs_has_arg(argc, argv)) - p.chain = argv[optind++]; - break; - - case 'E': - add_command(&p.command, CMD_RENAME_CHAIN, CMD_NONE, - invert); - p.chain = optarg; - if (xs_has_arg(argc, argv)) - p.newname = argv[optind++]; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires old-chain-name and " - "new-chain-name", - cmd2char(CMD_RENAME_CHAIN)); - break; - - case 'P': - add_command(&p.command, CMD_SET_POLICY, CMD_NONE, - invert); - p.chain = optarg; - if (xs_has_arg(argc, argv)) - p.policy = argv[optind++]; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a chain and a policy", - cmd2char(CMD_SET_POLICY)); - break; - - case 'h': - if (!optarg) - optarg = argv[optind]; - - xt_params->print_help(NULL); - p.command = CMD_NONE; - break; - case 's': - check_inverse(optarg, &invert, &optind, argc); - set_option(&cs.options, OPT_SOURCE, &args.invflags, - invert); - args.shostnetworkmask = argv[optind-1]; - break; - - case 'd': - check_inverse(optarg, &invert, &optind, argc); - set_option(&cs.options, OPT_DESTINATION, &args.invflags, - invert); - args.dhostnetworkmask = argv[optind-1]; - break; - - case 2:/* src-mac */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&cs.options, OPT_S_MAC, &args.invflags, - invert); - args.src_mac = argv[optind - 1]; - break; - - case 3:/* dst-mac */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&cs.options, OPT_D_MAC, &args.invflags, - invert); - args.dst_mac = argv[optind - 1]; - break; - - case 'l':/* hardware length */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&cs.options, OPT_H_LENGTH, &args.invflags, - invert); - args.arp_hlen = argv[optind - 1]; - break; - - case 8: /* was never supported, not even in arptables-legacy */ - xtables_error(PARAMETER_PROBLEM, "not supported"); - case 4:/* opcode */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&cs.options, OPT_OPCODE, &args.invflags, - invert); - args.arp_opcode = argv[optind - 1]; - break; - - case 5:/* h-type */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&cs.options, OPT_H_TYPE, &args.invflags, - invert); - args.arp_htype = argv[optind - 1]; - break; - - case 6:/* proto-type */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&cs.options, OPT_P_TYPE, &args.invflags, - invert); - args.arp_ptype = argv[optind - 1]; - break; - - case 'j': - set_option(&cs.options, OPT_JUMP, &args.invflags, - invert); - command_jump(&cs, optarg); - break; - - case 'i': - check_inverse(optarg, &invert, &optind, argc); - set_option(&cs.options, OPT_VIANAMEIN, &args.invflags, - invert); - xtables_parse_interface(argv[optind-1], - args.iniface, - args.iniface_mask); - break; - - case 'o': - check_inverse(optarg, &invert, &optind, argc); - set_option(&cs.options, OPT_VIANAMEOUT, &args.invflags, - invert); - xtables_parse_interface(argv[optind-1], - args.outiface, - args.outiface_mask); - break; - - case 'v': - if (!p.verbose) - set_option(&cs.options, OPT_VERBOSE, - &args.invflags, invert); - p.verbose++; - break; - - case 'm': /* ignored by arptables-legacy */ - break; - case 'n': - set_option(&cs.options, OPT_NUMERIC, &args.invflags, - invert); - break; - - case 't': - if (invert) - xtables_error(PARAMETER_PROBLEM, - "unexpected ! flag before --table"); - /* ignore this option. - * arptables-legacy parses it, but libarptc doesn't use it. - * arptables only has a 'filter' table anyway. - */ - break; - - case 'V': - if (invert) - printf("Not %s ;-)\n", arptables_globals.program_version); - else - printf("%s v%s (nf_tables)\n", - arptables_globals.program_name, - arptables_globals.program_version); - exit(0); - - case '0': - set_option(&cs.options, OPT_LINENUMBERS, &args.invflags, - invert); - break; - - case 'M': - //modprobe = optarg; - break; - - case 'c': - - set_option(&cs.options, OPT_COUNTERS, &args.invflags, - invert); - args.pcnt = optarg; - if (xs_has_arg(argc, argv)) - args.bcnt = argv[optind++]; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires packet and byte counter", - opt2char(OPT_COUNTERS)); - - if (sscanf(args.pcnt, "%llu", &cs.arp.counters.pcnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c packet counter not numeric", - opt2char(OPT_COUNTERS)); - - if (sscanf(args.bcnt, "%llu", &cs.arp.counters.bcnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c byte counter not numeric", - opt2char(OPT_COUNTERS)); - - break; - - - case 1: /* non option */ - if (optarg[0] == '!' && optarg[1] == '\0') { - if (invert) - xtables_error(PARAMETER_PROBLEM, - "multiple consecutive ! not" - " allowed"); - invert = true; - optarg[0] = '\0'; - continue; - } - printf("Bad argument `%s'\n", optarg); - exit_tryhelp(2); - - default: - if (cs.target) { - xtables_option_tpcall(cs.c, argv, - invert, cs.target, &cs.arp); - } - break; - } - invert = false; - } - - if (cs.target) - xtables_option_tfcall(cs.target); - - if (optind < argc) - xtables_error(PARAMETER_PROBLEM, - "unknown arguments found on commandline"); - if (invert) - xtables_error(PARAMETER_PROBLEM, - "nothing appropriate following !"); - - h->ops->post_parse(p.command, &cs, &args); - - if (p.command == CMD_REPLACE && (args.s.naddrs != 1 || args.d.naddrs != 1)) - xtables_error(PARAMETER_PROBLEM, "Replacement rule does not " - "specify a unique address"); - - if (p.chain && strlen(p.chain) > ARPT_FUNCTION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "chain name `%s' too long (must be under %i chars)", - p.chain, ARPT_FUNCTION_MAXNAMELEN); - - if (p.command == CMD_APPEND - || p.command == CMD_DELETE - || p.command == CMD_INSERT - || p.command == CMD_REPLACE) { - if (strcmp(p.chain, "PREROUTING") == 0 - || strcmp(p.chain, "INPUT") == 0) { - /* -o not valid with incoming packets. */ - if (cs.options & OPT_VIANAMEOUT) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEOUT), - p.chain); - } - - if (strcmp(p.chain, "POSTROUTING") == 0 - || strcmp(p.chain, "OUTPUT") == 0) { - /* -i not valid with outgoing packets */ - if (cs.options & OPT_VIANAMEIN) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEIN), - p.chain); - } - } - - switch (p.command) { - case CMD_APPEND: - ret = append_entry(h, p.chain, p.table, &cs, 0, - args.s.naddrs, args.s.addr.v4, args.s.mask.v4, - args.d.naddrs, args.d.addr.v4, args.d.mask.v4, - cs.options&OPT_VERBOSE, true); - break; - case CMD_DELETE: - ret = delete_entry(p.chain, p.table, &cs, - args.s.naddrs, args.s.addr.v4, args.s.mask.v4, - args.d.naddrs, args.d.addr.v4, args.d.mask.v4, - cs.options&OPT_VERBOSE, h); - break; - case CMD_DELETE_NUM: - ret = nft_cmd_rule_delete_num(h, p.chain, p.table, p.rulenum - 1, p.verbose); - break; - case CMD_REPLACE: - ret = replace_entry(p.chain, p.table, &cs, p.rulenum - 1, - args.s.addr.v4, args.s.mask.v4, args.d.addr.v4, args.d.mask.v4, - cs.options&OPT_VERBOSE, h); - break; - case CMD_INSERT: - ret = append_entry(h, p.chain, p.table, &cs, p.rulenum - 1, - args.s.naddrs, args.s.addr.v4, args.s.mask.v4, - args.d.naddrs, args.d.addr.v4, args.d.mask.v4, - cs.options&OPT_VERBOSE, false); - break; - case CMD_LIST: - ret = list_entries(h, p.chain, p.table, - p.rulenum, - cs.options&OPT_VERBOSE, - cs.options&OPT_NUMERIC, - /*cs.options&OPT_EXPANDED*/0, - cs.options&OPT_LINENUMBERS); - break; - case CMD_FLUSH: - ret = nft_cmd_rule_flush(h, p.chain, p.table, cs.options & OPT_VERBOSE); - break; - case CMD_ZERO: - ret = nft_cmd_chain_zero_counters(h, p.chain, p.table, - cs.options & OPT_VERBOSE); - break; - case CMD_LIST|CMD_ZERO: - ret = list_entries(h, p.chain, p.table, p.rulenum, - cs.options&OPT_VERBOSE, - cs.options&OPT_NUMERIC, - /*cs.options&OPT_EXPANDED*/0, - cs.options&OPT_LINENUMBERS); - if (ret) - ret = nft_cmd_chain_zero_counters(h, p.chain, p.table, - cs.options & OPT_VERBOSE); - break; - case CMD_NEW_CHAIN: - ret = nft_cmd_chain_user_add(h, p.chain, p.table); - break; - case CMD_DELETE_CHAIN: - ret = nft_cmd_chain_del(h, p.chain, p.table, - cs.options & OPT_VERBOSE); - break; - case CMD_RENAME_CHAIN: - ret = nft_cmd_chain_user_rename(h, p.chain, p.table, p.newname); - break; - case CMD_SET_POLICY: - ret = nft_cmd_chain_set(h, p.table, p.chain, p.policy, NULL); - if (ret < 0) - xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n", - p.policy); - break; - case CMD_NONE: - break; - default: - /* We should never reach this... */ - exit_tryhelp(2); - } - - free(args.s.addr.v4); - free(args.s.mask.v4); - free(args.d.addr.v4); - free(args.d.mask.v4); - - nft_clear_iptables_command_state(&cs); - xtables_free_opts(1); - -/* if (p.verbose > 1) - dump_entries(*handle);*/ - - return ret; -} |