diff options
Diffstat (limited to 'iptables/xtables-eb.c')
-rw-r--r-- | iptables/xtables-eb.c | 1081 |
1 files changed, 265 insertions, 816 deletions
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 6c58adaa..51c699de 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -42,70 +42,6 @@ #include "nft.h" #include "nft-bridge.h" -/* - * From include/ebtables_u.h - */ -#define ebt_check_option2(flags, mask) EBT_CHECK_OPTION(flags, mask) - -/* - * From useful_functions.c - */ - -/* 0: default - * 1: the inverse '!' of the option has already been specified */ -int ebt_invert = 0; - -static int ebt_check_inverse2(const char option[], int argc, char **argv) -{ - if (!option) - return ebt_invert; - if (strcmp(option, "!") == 0) { - if (ebt_invert == 1) - xtables_error(PARAMETER_PROBLEM, - "Double use of '!' not allowed"); - if (optind >= argc) - optarg = NULL; - else - optarg = argv[optind]; - optind++; - ebt_invert = 1; - return 1; - } - return ebt_invert; -} - -/* - * Glue code to use libxtables - */ -static int parse_rule_number(const char *rule) -{ - unsigned int rule_nr; - - if (!xtables_strtoui(rule, NULL, &rule_nr, 1, INT_MAX)) - xtables_error(PARAMETER_PROBLEM, - "Invalid rule number `%s'", rule); - - return rule_nr; -} - -static int -append_entry(struct nft_handle *h, - const char *chain, - const char *table, - struct iptables_command_state *cs, - int rule_nr, - bool verbose, bool append) -{ - int ret = 1; - - if (append) - ret = nft_cmd_rule_append(h, chain, table, cs, NULL, verbose); - else - ret = nft_cmd_rule_insert(h, chain, table, cs, rule_nr, verbose); - - return ret; -} - static int delete_entry(struct nft_handle *h, const char *chain, @@ -130,48 +66,28 @@ delete_entry(struct nft_handle *h, return ret; } -int ebt_get_current_chain(const char *chain) +static int +change_entry_counters(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + int rule_nr, int rule_nr_end, uint8_t counter_op, + bool verbose) { - if (!chain) - return -1; - - if (strcmp(chain, "PREROUTING") == 0) - return NF_BR_PRE_ROUTING; - else if (strcmp(chain, "INPUT") == 0) - return NF_BR_LOCAL_IN; - else if (strcmp(chain, "FORWARD") == 0) - return NF_BR_FORWARD; - else if (strcmp(chain, "OUTPUT") == 0) - return NF_BR_LOCAL_OUT; - else if (strcmp(chain, "POSTROUTING") == 0) - return NF_BR_POST_ROUTING; - - /* placeholder for user defined chain */ - return NF_BR_NUMHOOKS; -} + int ret = 1; -/* - * The original ebtables parser - */ + if (rule_nr == -1) + return nft_cmd_rule_change_counters(h, chain, table, cs, + rule_nr, counter_op, + verbose); + do { + ret = nft_cmd_rule_change_counters(h, chain, table, cs, + rule_nr, counter_op, + verbose); + rule_nr++; + } while (rule_nr < rule_nr_end); -/* Checks whether a command has already been specified */ -#define OPT_COMMANDS (flags & OPT_COMMAND || flags & OPT_ZERO) - -#define OPT_COMMAND 0x01 -#define OPT_TABLE 0x02 -#define OPT_IN 0x04 -#define OPT_OUT 0x08 -#define OPT_JUMP 0x10 -#define OPT_PROTOCOL 0x20 -#define OPT_SOURCE 0x40 -#define OPT_DEST 0x80 -#define OPT_ZERO 0x100 -#define OPT_LOGICALIN 0x200 -#define OPT_LOGICALOUT 0x400 -#define OPT_KERNELDATA 0x800 /* This value is also defined in ebtablesd.c */ -#define OPT_COUNT 0x1000 /* This value is also defined in libebtc.c */ -#define OPT_CNT_INCR 0x2000 /* This value is also defined in libebtc.c */ -#define OPT_CNT_DECR 0x4000 /* This value is also defined in libebtc.c */ + return ret; +} /* Default command line options. Do not mess around with the already * assigned numbers unless you know what you are doing */ @@ -181,20 +97,21 @@ struct option ebt_original_options[] = { "insert" , required_argument, 0, 'I' }, { "delete" , required_argument, 0, 'D' }, { "list" , optional_argument, 0, 'L' }, - { "Lc" , no_argument , 0, 4 }, - { "Ln" , no_argument , 0, 5 }, - { "Lx" , no_argument , 0, 6 }, + { "Lc" , no_argument , 0, 17 }, + { "Ln" , no_argument , 0, 18 }, + { "Lx" , no_argument , 0, 19 }, { "Lmac2" , no_argument , 0, 12 }, { "zero" , optional_argument, 0, 'Z' }, { "flush" , optional_argument, 0, 'F' }, { "policy" , required_argument, 0, 'P' }, { "in-interface" , required_argument, 0, 'i' }, { "in-if" , required_argument, 0, 'i' }, - { "logical-in" , required_argument, 0, 2 }, - { "logical-out" , required_argument, 0, 3 }, + { "logical-in" , required_argument, 0, 15 }, + { "logical-out" , required_argument, 0, 16 }, { "out-interface" , required_argument, 0, 'o' }, { "out-if" , required_argument, 0, 'o' }, { "version" , no_argument , 0, 'V' }, + { "verbose" , no_argument , 0, 'v' }, { "help" , no_argument , 0, 'h' }, { "jump" , required_argument, 0, 'j' }, { "set-counters" , required_argument, 0, 'c' }, @@ -211,32 +128,22 @@ struct option ebt_original_options[] = { "new-chain" , required_argument, 0, 'N' }, { "rename-chain" , required_argument, 0, 'E' }, { "delete-chain" , optional_argument, 0, 'X' }, - { "atomic-init" , no_argument , 0, 7 }, - { "atomic-commit" , no_argument , 0, 8 }, - { "atomic-file" , required_argument, 0, 9 }, - { "atomic-save" , no_argument , 0, 10 }, { "init-table" , no_argument , 0, 11 }, { "concurrent" , no_argument , 0, 13 }, + { "check" , required_argument, 0, 14 }, { 0 } }; -extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); struct xtables_globals ebtables_globals = { .option_offset = 0, - .program_version = PACKAGE_VERSION, + .program_version = PACKAGE_VERSION " (nf_tables)", .orig_opts = ebt_original_options, - .exit_err = xtables_exit_error, .compat_rev = nft_compatible_revision, }; -#define opts ebtables_globals.opts #define prog_name ebtables_globals.program_name #define prog_vers ebtables_globals.program_version -/* - * From libebtc.c - */ - /* Prints all registered extensions */ static void ebt_list_extensions(const struct xtables_target *t, const struct xtables_rule_match *m) @@ -262,41 +169,38 @@ static void ebt_list_extensions(const struct xtables_target *t, }*/ } -#define OPTION_OFFSET 256 -static struct option *merge_options(struct option *oldopts, - const struct option *newopts, - unsigned int *options_offset) +void nft_bridge_print_help(struct iptables_command_state *cs) { - unsigned int num_old, num_new, i; - struct option *merge; - - if (!newopts || !oldopts || !options_offset) - return oldopts; - for (num_old = 0; oldopts[num_old].name; num_old++); - for (num_new = 0; newopts[num_new].name; num_new++); - - ebtables_globals.option_offset += OPTION_OFFSET; - *options_offset = ebtables_globals.option_offset; - - merge = malloc(sizeof(struct option) * (num_new + num_old + 1)); - if (!merge) - return NULL; - memcpy(merge, oldopts, num_old * sizeof(struct option)); - for (i = 0; i < num_new; i++) { - merge[num_old + i] = newopts[i]; - merge[num_old + i].val += *options_offset; - } - memset(merge + num_old + num_new, 0, sizeof(struct option)); - /* Only free dynamically allocated stuff */ - if (oldopts != ebt_original_options) - free(oldopts); + const struct xtables_rule_match *m = cs->matches; + struct xtables_target *t = cs->target; - return merge; -} + while (optind < cs->argc) { + /*struct ebt_u_match *m; + struct ebt_u_watcher *w;*/ + + if (!strcasecmp("list_extensions", cs->argv[optind])) { + ebt_list_extensions(xtables_targets, cs->matches); + exit(0); + } + /*if ((m = ebt_find_match(cs->argv[optind]))) + ebt_add_match(new_entry, m); + else if ((w = ebt_find_watcher(cs->argv[optind]))) + ebt_add_watcher(new_entry, w); + else {*/ + if (!(t = xtables_find_target(cs->argv[optind], + XTF_TRY_LOAD))) + xtables_error(PARAMETER_PROBLEM, + "Extension '%s' not found", + cs->argv[optind]); + if (cs->options & OPT_JUMP) + xtables_error(PARAMETER_PROBLEM, + "Sorry, you can only see help for one target extension at a time"); + cs->options |= OPT_JUMP; + cs->target = t; + //} + optind++; + } -static void print_help(const struct xtables_target *t, - const struct xtables_rule_match *m, const char *table) -{ printf("%s %s\n", prog_name, prog_vers); printf( "Usage:\n" @@ -320,22 +224,19 @@ static void print_help(const struct xtables_target *t, "--new-chain -N chain : create a user defined chain\n" "--rename-chain -E old new : rename a chain\n" "--delete-chain -X [chain] : delete a user defined chain\n" -"--atomic-commit : update the kernel w/t table contained in <FILE>\n" -"--atomic-init : put the initial kernel table into <FILE>\n" -"--atomic-save : put the current kernel table into <FILE>\n" -"--atomic-file file : set <FILE> to file\n\n" "Options:\n" -"--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n" -"--src -s [!] address[/mask]: source mac address\n" -"--dst -d [!] address[/mask]: destination mac address\n" -"--in-if -i [!] name[+] : network input interface name\n" -"--out-if -o [!] name[+] : network output interface name\n" -"--logical-in [!] name[+] : logical bridge input interface name\n" -"--logical-out [!] name[+] : logical bridge output interface name\n" +"[!] --proto -p proto : protocol hexadecimal, by name or LENGTH\n" +"[!] --src -s address[/mask]: source mac address\n" +"[!] --dst -d address[/mask]: destination mac address\n" +"[!] --in-if -i name[+] : network input interface name\n" +"[!] --out-if -o name[+] : network output interface name\n" +"[!] --logical-in name[+] : logical bridge input interface name\n" +"[!] --logical-out name[+] : logical bridge output interface name\n" "--set-counters -c chain\n" " pcnt bcnt : set the counters of the to be added rule\n" "--modprobe -M program : try to insert modules using this program\n" "--concurrent : use a file lock to support concurrent scripts\n" +"--verbose -v : verbose mode\n" "--version -V : print package version\n\n" "Environment variable:\n" /*ATOMIC_ENV_VARIABLE " : if set <FILE> (see above) will equal its value"*/ @@ -348,9 +249,6 @@ static void print_help(const struct xtables_target *t, printf("\n"); t->help(); } - -// if (table->help) -// table->help(ebt_hooknames); } /* Execute command L */ @@ -379,99 +277,10 @@ static int list_rules(struct nft_handle *h, const char *chain, const char *table return nft_cmd_rule_list(h, chain, table, rule_nr, format); } -static int parse_rule_range(const char *argv, int *rule_nr, int *rule_nr_end) -{ - char *colon = strchr(argv, ':'), *buffer; - - if (colon) { - *colon = '\0'; - if (*(colon + 1) == '\0') - *rule_nr_end = -1; /* Until the last rule */ - else { - *rule_nr_end = strtol(colon + 1, &buffer, 10); - if (*buffer != '\0' || *rule_nr_end == 0) - return -1; - } - } - if (colon == argv) - *rule_nr = 1; /* Beginning with the first rule */ - else { - *rule_nr = strtol(argv, &buffer, 10); - if (*buffer != '\0' || *rule_nr == 0) - return -1; - } - if (!colon) - *rule_nr_end = *rule_nr; - return 0; -} - -/* Incrementing or decrementing rules in daemon mode is not supported as the - * involved code overload is not worth it (too annoying to take the increased - * counters in the kernel into account). */ -static int parse_change_counters_rule(int argc, char **argv, int *rule_nr, int *rule_nr_end, struct iptables_command_state *cs) -{ - char *buffer; - int ret = 0; - - if (optind + 1 >= argc || argv[optind][0] == '-' || argv[optind + 1][0] == '-') - xtables_error(PARAMETER_PROBLEM, - "The command -C needs at least 2 arguments"); - if (optind + 2 < argc && (argv[optind + 2][0] != '-' || (argv[optind + 2][1] >= '0' && argv[optind + 2][1] <= '9'))) { - if (optind + 3 != argc) - xtables_error(PARAMETER_PROBLEM, - "No extra options allowed with -C start_nr[:end_nr] pcnt bcnt"); - if (parse_rule_range(argv[optind], rule_nr, rule_nr_end)) - xtables_error(PARAMETER_PROBLEM, - "Something is wrong with the rule number specification '%s'", argv[optind]); - optind++; - } - - if (argv[optind][0] == '+') { - ret += 1; - cs->counters.pcnt = strtoull(argv[optind] + 1, &buffer, 10); - } else if (argv[optind][0] == '-') { - ret += 2; - cs->counters.pcnt = strtoull(argv[optind] + 1, &buffer, 10); - } else - cs->counters.pcnt = strtoull(argv[optind], &buffer, 10); - - if (*buffer != '\0') - goto invalid; - optind++; - if (argv[optind][0] == '+') { - ret += 3; - cs->counters.bcnt = strtoull(argv[optind] + 1, &buffer, 10); - } else if (argv[optind][0] == '-') { - ret += 6; - cs->counters.bcnt = strtoull(argv[optind] + 1, &buffer, 10); - } else - cs->counters.bcnt = strtoull(argv[optind], &buffer, 10); - - if (*buffer != '\0') - goto invalid; - optind++; - return ret; -invalid: - xtables_error(PARAMETER_PROBLEM,"Packet counter '%s' invalid", argv[optind]); -} - -static void ebtables_parse_interface(const char *arg, char *vianame) -{ - unsigned char mask[IFNAMSIZ]; - char *c; - - xtables_parse_interface(arg, vianame, mask); - - if ((c = strchr(vianame, '+'))) { - if (*(c + 1) != '\0') - xtables_error(PARAMETER_PROBLEM, - "Spurious characters after '+' wildcard"); - } -} - /* This code is very similar to iptables/xtables.c:command_match() */ static void ebt_load_match(const char *name) { + struct option *opts = xt_params->opts; struct xtables_match *m; size_t size; @@ -488,19 +297,29 @@ static void ebt_load_match(const char *name) m->m->u.user.revision = m->revision; xs_init_match(m); - opts = merge_options(opts, m->extra_opts, &m->option_offset); + if (m->x6_options != NULL) + opts = xtables_options_xfrm(xt_params->orig_opts, opts, + m->x6_options, &m->option_offset); + else if (m->extra_opts != NULL) + opts = xtables_merge_options(xt_params->orig_opts, opts, + m->extra_opts, &m->option_offset); + else + return; + if (opts == NULL) xtables_error(OTHER_PROBLEM, "Can't alloc memory"); + xt_params->opts = opts; } -static void __ebt_load_watcher(const char *name, const char *typename) +static void ebt_load_watcher(const char *name) { + struct option *opts = xt_params->opts; struct xtables_target *watcher; size_t size; watcher = xtables_find_target(name, XTF_TRY_LOAD); if (!watcher) { - fprintf(stderr, "Unable to load %s %s\n", name, typename); + fprintf(stderr, "Unable to load %s watcher\n", name); return; } @@ -515,25 +334,24 @@ static void __ebt_load_watcher(const char *name, const char *typename) xs_init_target(watcher); - opts = merge_options(opts, watcher->extra_opts, - &watcher->option_offset); + if (watcher->x6_options != NULL) + opts = xtables_options_xfrm(xt_params->orig_opts, opts, + watcher->x6_options, + &watcher->option_offset); + else if (watcher->extra_opts != NULL) + opts = xtables_merge_options(xt_params->orig_opts, opts, + watcher->extra_opts, + &watcher->option_offset); + else + return; + if (opts == NULL) xtables_error(OTHER_PROBLEM, "Can't alloc memory"); + xt_params->opts = opts; } -static void ebt_load_watcher(const char *name) -{ - return __ebt_load_watcher(name, "watcher"); -} - -static void ebt_load_target(const char *name) -{ - return __ebt_load_watcher(name, "target"); -} - -void ebt_load_match_extensions(void) +static void ebt_load_match_extensions(void) { - opts = ebt_original_options; ebt_load_match("802_3"); ebt_load_match("arp"); ebt_load_match("ip"); @@ -547,13 +365,6 @@ void ebt_load_match_extensions(void) ebt_load_watcher("log"); ebt_load_watcher("nflog"); - - ebt_load_target("mark"); - ebt_load_target("dnat"); - ebt_load_target("snat"); - ebt_load_target("arpreply"); - ebt_load_target("redirect"); - ebt_load_target("standard"); } void ebt_add_match(struct xtables_match *m, @@ -579,10 +390,7 @@ void ebt_add_match(struct xtables_match *m, m->mflags = 0; /* glue code for watchers */ - newnode = calloc(1, sizeof(struct ebt_match)); - if (newnode == NULL) - xtables_error(OTHER_PROBLEM, "Unable to alloc memory"); - + newnode = xtables_calloc(1, sizeof(struct ebt_match)); newnode->ismatch = true; newnode->u.match = newm; @@ -611,10 +419,7 @@ void ebt_add_watcher(struct xtables_target *watcher, watcher->tflags = 0; - newnode = calloc(1, sizeof(struct ebt_match)); - if (newnode == NULL) - xtables_error(OTHER_PROBLEM, "Unable to alloc memory"); - + newnode = xtables_calloc(1, sizeof(struct ebt_match)); newnode->u.watcher = clone; for (matchp = &cs->match_list; *matchp; matchp = &(*matchp)->next) @@ -622,56 +427,84 @@ void ebt_add_watcher(struct xtables_target *watcher, *matchp = newnode; } -int ebt_command_default(struct iptables_command_state *cs) +int ebt_command_default(struct iptables_command_state *cs, + struct xtables_globals *unused, bool ebt_invert) { struct xtables_target *t = cs->target; struct xtables_match *m; struct ebt_match *matchp; /* Is it a target option? */ - if (t && t->parse) { - if (t->parse(cs->c - t->option_offset, cs->argv, - ebt_invert, &t->tflags, NULL, &t->t)) - return 0; + if (cs->target != NULL && + (cs->target->parse != NULL || cs->target->x6_parse != NULL) && + cs->c >= cs->target->option_offset && + cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) { + xtables_option_tpcall(cs->c, cs->argv, ebt_invert, + cs->target, &cs->eb); + return 0; } /* check previously added matches/watchers to this rule first */ for (matchp = cs->match_list; matchp; matchp = matchp->next) { if (matchp->ismatch) { m = matchp->u.match; - if (m->parse && - m->parse(cs->c - m->option_offset, cs->argv, - ebt_invert, &m->mflags, NULL, &m->m)) - return 0; + if (!m->parse && !m->x6_parse) + continue; + if (cs->c < m->option_offset || + cs->c >= m->option_offset + XT_OPTION_OFFSET_SCALE) + continue; + xtables_option_mpcall(cs->c, cs->argv, ebt_invert, + m, &cs->eb); + return 0; } else { t = matchp->u.watcher; - if (t->parse && - t->parse(cs->c - t->option_offset, cs->argv, - ebt_invert, &t->tflags, NULL, &t->t)) - return 0; + if (!t->parse && !t->x6_parse) + continue; + if (cs->c < t->option_offset || + cs->c >= t->option_offset + XT_OPTION_OFFSET_SCALE) + continue; + xtables_option_tpcall(cs->c, cs->argv, ebt_invert, + t, &cs->eb); + return 0; } } /* Is it a match_option? */ for (m = xtables_matches; m; m = m->next) { - if (m->parse && - m->parse(cs->c - m->option_offset, cs->argv, - ebt_invert, &m->mflags, NULL, &m->m)) { - ebt_add_match(m, cs); - return 0; - } + if (!m->parse && !m->x6_parse) + continue; + if (cs->c < m->option_offset || + cs->c >= m->option_offset + XT_OPTION_OFFSET_SCALE) + continue; + xtables_option_mpcall(cs->c, cs->argv, ebt_invert, m, &cs->eb); + ebt_add_match(m, cs); + return 0; } /* Is it a watcher option? */ for (t = xtables_targets; t; t = t->next) { - if (t->parse && - t->parse(cs->c - t->option_offset, cs->argv, - ebt_invert, &t->tflags, NULL, &t->t)) { - ebt_add_watcher(t, cs); - return 0; - } + if (!(t->ext_flags & XTABLES_EXT_WATCHER)) + continue; + + if (!t->parse && !t->x6_parse) + continue; + if (cs->c < t->option_offset || + cs->c >= t->option_offset + XT_OPTION_OFFSET_SCALE) + continue; + xtables_option_tpcall(cs->c, cs->argv, ebt_invert, t, &cs->eb); + ebt_add_watcher(t, cs); + return 0; } - return 1; + if (cs->c == ':') + xtables_error(PARAMETER_PROBLEM, "option \"%s\" " + "requires an argument", cs->argv[optind - 1]); + if (cs->c == '?') { + char optoptstr[3] = {'-', optopt, '\0'}; + + xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"", + optopt ? optoptstr : cs->argv[optind - 1]); + } + xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg); } int nft_init_eb(struct nft_handle *h, const char *pname) @@ -683,12 +516,10 @@ int nft_init_eb(struct nft_handle *h, const char *pname) ebtables_globals.program_version); exit(1); } - -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) + init_extensions(); init_extensionsb(); -#endif - if (nft_init(h, NFPROTO_BRIDGE, xtables_bridge) < 0) + if (nft_init(h, NFPROTO_BRIDGE) < 0) xtables_error(OTHER_PROBLEM, "Could not initialize nftables layer."); @@ -713,7 +544,7 @@ void nft_fini_eb(struct nft_handle *h) free(target->t); } - free(opts); + free(xt_params->opts); nft_fini(h); xtables_fini(); @@ -722,515 +553,133 @@ void nft_fini_eb(struct nft_handle *h) int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, bool restore) { - char *buffer; - int c, i; - int chcounter = 0; /* Needed for -C */ - int rule_nr = 0; - int rule_nr_end = 0; - int ret = 0; - unsigned int flags = 0; - struct xtables_target *t; struct iptables_command_state cs = { + .argc = argc, .argv = argv, .jumpto = "", .eb.bitmask = EBT_NOPROTO, }; - char command = 'h'; - const char *chain = NULL; - const char *policy = NULL; - int selected_chain = -1; - struct xtables_rule_match *xtrm_i; - struct ebt_match *match; - bool table_set = false; - - /* prevent getopt to spoil our error reporting */ - optind = 0; - opterr = false; - - /* Getopt saves the day */ - while ((c = getopt_long(argc, argv, - "-A:D:C:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) { - cs.c = c; - switch (c) { - - case 'A': /* Add a rule */ - case 'D': /* Delete a rule */ - case 'C': /* Change counters */ - case 'P': /* Define policy */ - case 'I': /* Insert a rule */ - case 'N': /* Make a user defined chain */ - case 'E': /* Rename chain */ - case 'X': /* Delete chain */ - /* We allow -N chainname -P policy */ - if (command == 'N' && c == 'P') { - command = c; - optind--; /* No table specified */ - goto handle_P; - } - if (OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - - command = c; - if (optarg && (optarg[0] == '-' || !strcmp(optarg, "!"))) - xtables_error(PARAMETER_PROBLEM, "No chain name specified"); - chain = optarg; - selected_chain = ebt_get_current_chain(chain); - flags |= OPT_COMMAND; - - if (c == 'N') { - ret = nft_cmd_chain_user_add(h, chain, *table); - break; - } else if (c == 'X') { - /* X arg is optional, optarg is NULL */ - if (!chain && optind < argc && argv[optind][0] != '-') { - chain = argv[optind]; - optind++; - } - ret = nft_cmd_chain_user_del(h, chain, *table, 0); - break; - } - - if (c == 'E') { - if (optind >= argc) - xtables_error(PARAMETER_PROBLEM, "No new chain name specified"); - else if (optind < argc - 1) - xtables_error(PARAMETER_PROBLEM, "No extra options allowed with -E"); - else if (strlen(argv[optind]) >= NFT_CHAIN_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, "Chain name length can't exceed %d"" characters", NFT_CHAIN_MAXNAMELEN - 1); - else if (strchr(argv[optind], ' ') != NULL) - xtables_error(PARAMETER_PROBLEM, "Use of ' ' not allowed in chain names"); - - errno = 0; - ret = nft_cmd_chain_user_rename(h, chain, *table, - argv[optind]); - if (ret != 0 && errno == ENOENT) - xtables_error(PARAMETER_PROBLEM, "Chain '%s' doesn't exists", chain); - - optind++; - break; - } else if (c == 'D' && optind < argc && (argv[optind][0] != '-' || (argv[optind][1] >= '0' && argv[optind][1] <= '9'))) { - if (optind != argc - 1) - xtables_error(PARAMETER_PROBLEM, - "No extra options allowed with -D start_nr[:end_nr]"); - if (parse_rule_range(argv[optind], &rule_nr, &rule_nr_end)) - xtables_error(PARAMETER_PROBLEM, - "Problem with the specified rule number(s) '%s'", argv[optind]); - optind++; - } else if (c == 'C') { - if ((chcounter = parse_change_counters_rule(argc, argv, &rule_nr, &rule_nr_end, &cs)) == -1) - return -1; - } else if (c == 'I') { - if (optind >= argc || (argv[optind][0] == '-' && (argv[optind][1] < '0' || argv[optind][1] > '9'))) - rule_nr = 1; - else { - rule_nr = parse_rule_number(argv[optind]); - optind++; - } - } else if (c == 'P') { -handle_P: - if (optind >= argc) - xtables_error(PARAMETER_PROBLEM, - "No policy specified"); - for (i = 0; i < NUM_STANDARD_TARGETS; i++) - if (!strcmp(argv[optind], nft_ebt_standard_target(i))) { - policy = argv[optind]; - if (-i-1 == EBT_CONTINUE) - xtables_error(PARAMETER_PROBLEM, - "Wrong policy '%s'", - argv[optind]); - break; - } - if (i == NUM_STANDARD_TARGETS) - xtables_error(PARAMETER_PROBLEM, - "Unknown policy '%s'", argv[optind]); - optind++; - } - break; - case 'L': /* List */ - case 'F': /* Flush */ - case 'Z': /* Zero counters */ - if (c == 'Z') { - if ((flags & OPT_ZERO) || (flags & OPT_COMMAND && command != 'L')) -print_zero: - xtables_error(PARAMETER_PROBLEM, - "Command -Z only allowed together with command -L"); - flags |= OPT_ZERO; - } else { - if (flags & OPT_COMMAND) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - command = c; - flags |= OPT_COMMAND; - if (flags & OPT_ZERO && c != 'L') - goto print_zero; - } - - if (optind < argc && argv[optind][0] != '-') { - chain = argv[optind]; - optind++; - } - break; - case 'V': /* Version */ - if (OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - printf("%s %s (nf_tables)\n", prog_name, prog_vers); - exit(0); - case 'h': /* Help */ - if (OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - command = 'h'; - - /* All other arguments should be extension names */ - while (optind < argc) { - /*struct ebt_u_match *m; - struct ebt_u_watcher *w;*/ - - if (!strcasecmp("list_extensions", argv[optind])) { - ebt_list_extensions(xtables_targets, cs.matches); - exit(0); - } - /*if ((m = ebt_find_match(argv[optind]))) - ebt_add_match(new_entry, m); - else if ((w = ebt_find_watcher(argv[optind]))) - ebt_add_watcher(new_entry, w); - else {*/ - if (!(t = xtables_find_target(argv[optind], XTF_TRY_LOAD))) - xtables_error(PARAMETER_PROBLEM,"Extension '%s' not found", argv[optind]); - if (flags & OPT_JUMP) - xtables_error(PARAMETER_PROBLEM,"Sorry, you can only see help for one target extension at a time"); - flags |= OPT_JUMP; - cs.target = t; - //} - optind++; - } - break; - case 't': /* Table */ - ebt_check_option2(&flags, OPT_TABLE); - if (restore && table_set) - xtables_error(PARAMETER_PROBLEM, - "The -t option (seen in line %u) cannot be used in %s.\n", - line, xt_params->program_name); - if (!nft_table_builtin_find(h, optarg)) - xtables_error(VERSION_PROBLEM, - "table '%s' does not exist", - optarg); - *table = optarg; - table_set = true; - break; - case 'i': /* Input interface */ - case 2 : /* Logical input interface */ - case 'o': /* Output interface */ - case 3 : /* Logical output interface */ - case 'j': /* Target */ - case 'p': /* Net family protocol */ - case 's': /* Source mac */ - case 'd': /* Destination mac */ - case 'c': /* Set counters */ - if (!OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "No command specified"); - if (command != 'A' && command != 'D' && command != 'I' && command != 'C') - xtables_error(PARAMETER_PROBLEM, - "Command and option do not match"); - if (c == 'i') { - ebt_check_option2(&flags, OPT_IN); - if (selected_chain > 2 && selected_chain < NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use -i only in INPUT, FORWARD, PREROUTING and BROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IIN; - - ebtables_parse_interface(optarg, cs.eb.in); - break; - } else if (c == 2) { - ebt_check_option2(&flags, OPT_LOGICALIN); - if (selected_chain > 2 && selected_chain < NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use --logical-in only in INPUT, FORWARD, PREROUTING and BROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_ILOGICALIN; - - ebtables_parse_interface(optarg, cs.eb.logical_in); - break; - } else if (c == 'o') { - ebt_check_option2(&flags, OPT_OUT); - if (selected_chain < 2 || selected_chain == NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use -o only in OUTPUT, FORWARD and POSTROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IOUT; - - ebtables_parse_interface(optarg, cs.eb.out); - break; - } else if (c == 3) { - ebt_check_option2(&flags, OPT_LOGICALOUT); - if (selected_chain < 2 || selected_chain == NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use --logical-out only in OUTPUT, FORWARD and POSTROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_ILOGICALOUT; - - ebtables_parse_interface(optarg, cs.eb.logical_out); - break; - } else if (c == 'j') { - ebt_check_option2(&flags, OPT_JUMP); - if (strcmp(optarg, "CONTINUE") != 0) { - command_jump(&cs, optarg); - } - break; - } else if (c == 's') { - ebt_check_option2(&flags, OPT_SOURCE); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_ISOURCE; - - if (xtables_parse_mac_and_mask(optarg, - cs.eb.sourcemac, - cs.eb.sourcemsk)) - xtables_error(PARAMETER_PROBLEM, "Problem with specified source mac '%s'", optarg); - cs.eb.bitmask |= EBT_SOURCEMAC; - break; - } else if (c == 'd') { - ebt_check_option2(&flags, OPT_DEST); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IDEST; - - if (xtables_parse_mac_and_mask(optarg, - cs.eb.destmac, - cs.eb.destmsk)) - xtables_error(PARAMETER_PROBLEM, "Problem with specified destination mac '%s'", optarg); - cs.eb.bitmask |= EBT_DESTMAC; - break; - } else if (c == 'c') { - ebt_check_option2(&flags, OPT_COUNT); - if (ebt_check_inverse2(optarg, argc, argv)) - xtables_error(PARAMETER_PROBLEM, - "Unexpected '!' after -c"); - if (optind >= argc || optarg[0] == '-' || argv[optind][0] == '-') - xtables_error(PARAMETER_PROBLEM, - "Option -c needs 2 arguments"); - - cs.counters.pcnt = strtoull(optarg, &buffer, 10); - if (*buffer != '\0') - xtables_error(PARAMETER_PROBLEM, - "Packet counter '%s' invalid", - optarg); - cs.counters.bcnt = strtoull(argv[optind], &buffer, 10); - if (*buffer != '\0') - xtables_error(PARAMETER_PROBLEM, - "Packet counter '%s' invalid", - argv[optind]); - optind++; - break; - } - ebt_check_option2(&flags, OPT_PROTOCOL); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IPROTO; - - cs.eb.bitmask &= ~((unsigned int)EBT_NOPROTO); - i = strtol(optarg, &buffer, 16); - if (*buffer == '\0' && (i < 0 || i > 0xFFFF)) - xtables_error(PARAMETER_PROBLEM, - "Problem with the specified protocol"); - if (*buffer != '\0') { - struct xt_ethertypeent *ent; - - if (!strcasecmp(optarg, "LENGTH")) { - cs.eb.bitmask |= EBT_802_3; - break; - } - ent = xtables_getethertypebyname(optarg); - if (!ent) - xtables_error(PARAMETER_PROBLEM, - "Problem with the specified Ethernet protocol '%s', perhaps "XT_PATH_ETHERTYPES " is missing", optarg); - cs.eb.ethproto = ent->e_ethertype; - } else - cs.eb.ethproto = i; - - if (cs.eb.ethproto < 0x0600) - xtables_error(PARAMETER_PROBLEM, - "Sorry, protocols have values above or equal to 0x0600"); - break; - case 4 : /* Lc */ - ebt_check_option2(&flags, LIST_C); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Lc with -L"); - flags |= LIST_C; - break; - case 5 : /* Ln */ - ebt_check_option2(&flags, LIST_N); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Ln with -L"); - if (flags & LIST_X) - xtables_error(PARAMETER_PROBLEM, - "--Lx is not compatible with --Ln"); - flags |= LIST_N; - break; - case 6 : /* Lx */ - ebt_check_option2(&flags, LIST_X); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Lx with -L"); - if (flags & LIST_N) - xtables_error(PARAMETER_PROBLEM, - "--Lx is not compatible with --Ln"); - flags |= LIST_X; - break; - case 12 : /* Lmac2 */ - ebt_check_option2(&flags, LIST_MAC2); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Lmac2 with -L"); - flags |= LIST_MAC2; - break; - case 8 : /* atomic-commit */ -/* - replace->command = c; - if (OPT_COMMANDS) - ebt_print_error2("Multiple commands are not allowed"); - replace->flags |= OPT_COMMAND; - if (!replace->filename) - ebt_print_error2("No atomic file specified");*/ - /* Get the information from the file */ - /*ebt_get_table(replace, 0);*/ - /* We don't want the kernel giving us its counters, - * they would overwrite the counters extracted from - * the file */ - /*replace->num_counters = 0;*/ - /* Make sure the table will be written to the kernel */ - /*free(replace->filename); - replace->filename = NULL; - break;*/ - /*case 7 :*/ /* atomic-init */ - /*case 10:*/ /* atomic-save */ - case 11: /* init-table */ - nft_cmd_table_flush(h, *table, false); - return 1; - /* - replace->command = c; - if (OPT_COMMANDS) - ebt_print_error2("Multiple commands are not allowed"); - if (c != 11 && !replace->filename) - ebt_print_error2("No atomic file specified"); - replace->flags |= OPT_COMMAND; - { - char *tmp = replace->filename;*/ - - /* Get the kernel table */ - /*replace->filename = NULL; - ebt_get_kernel_table(replace, c == 10 ? 0 : 1); - replace->filename = tmp; - } - break; - case 9 :*/ /* atomic */ - /* - if (OPT_COMMANDS) - ebt_print_error2("--atomic has to come before the command");*/ - /* A possible memory leak here, but this is not - * executed in daemon mode */ - /*replace->filename = (char *)malloc(strlen(optarg) + 1); - strcpy(replace->filename, optarg); - break; */ - case 13 : - break; - case 1 : - if (!strcmp(optarg, "!")) - ebt_check_inverse2(optarg, argc, argv); - else - xtables_error(PARAMETER_PROBLEM, - "Bad argument : '%s'", optarg); - /* ebt_ebt_check_inverse2() did optind++ */ - optind--; - continue; - default: - ebt_check_inverse2(optarg, argc, argv); - - if (ebt_command_default(&cs)) - xtables_error(PARAMETER_PROBLEM, - "Unknown argument: '%s'", - argv[optind]); - - if (command != 'A' && command != 'I' && - command != 'D' && command != 'C') - xtables_error(PARAMETER_PROBLEM, - "Extensions only for -A, -I, -D and -C"); - } - ebt_invert = 0; - } - - /* Just in case we didn't catch an error */ - /*if (ebt_errormsg[0] != '\0') - return -1; + const struct builtin_table *t; + struct xtables_args args = { + .family = h->family, + }; + struct xt_cmd_parse p = { + .table = *table, + .restore = restore, + .line = line, + .rule_ranges = true, + .ops = &h->ops->cmd_parse, + }; + int ret = 0; - if (!(table = ebt_find_table(replace->name))) - ebt_print_error2("Bad table name");*/ + do_parse(argc, argv, &p, &cs, &args); - if (command == 'h' && !(flags & OPT_ZERO)) { - print_help(cs.target, cs.matches, *table); - ret = 1; - } + h->verbose = p.verbose; - /* Do the final checks */ - if (command == 'A' || command == 'I' || - command == 'D' || command == 'C') { - for (xtrm_i = cs.matches; xtrm_i; xtrm_i = xtrm_i->next) - xtables_option_mfcall(xtrm_i->match); + t = nft_table_builtin_find(h, p.table); + if (!t) + xtables_error(VERSION_PROBLEM, + "table '%s' does not exist", p.table); - for (match = cs.match_list; match; match = match->next) { - if (match->ismatch) - continue; - - xtables_option_tfcall(match->u.watcher); + switch (p.command) { + case CMD_NEW_CHAIN: + case CMD_NEW_CHAIN | CMD_SET_POLICY: + ret = nft_cmd_chain_user_add(h, p.chain, p.table); + if (!ret || !(p.command & CMD_SET_POLICY)) + break; + /* fall through */ + case CMD_SET_POLICY: + if (!nft_chain_builtin_find(t, p.chain)) { + ret = ebt_cmd_user_chain_policy(h, p.table, p.chain, + p.policy); + break; } - - if (cs.target != NULL) - xtables_option_tfcall(cs.target); - } - /* So, the extensions can work with the host endian. - * The kernel does not have to do this of course */ - cs.eb.ethproto = htons(cs.eb.ethproto); - - if (command == 'P') { - if (selected_chain >= NF_BR_NUMHOOKS) { - ret = ebt_cmd_user_chain_policy(h, *table, chain, policy); - } else { - if (strcmp(policy, "RETURN") == 0) { - xtables_error(PARAMETER_PROBLEM, - "Policy RETURN only allowed for user defined chains"); - } - ret = nft_cmd_chain_set(h, *table, chain, policy, NULL); - if (ret < 0) - xtables_error(PARAMETER_PROBLEM, "Wrong policy"); + if (strcmp(p.policy, "RETURN") == 0) { + xtables_error(PARAMETER_PROBLEM, + "Policy RETURN only allowed for user defined chains"); } - } else if (command == 'L') { - ret = list_rules(h, chain, *table, rule_nr, - 0, - 0, - /*flags&OPT_EXPANDED*/0, - flags&LIST_N, - flags&LIST_C); + ret = nft_cmd_chain_set(h, p.table, p.chain, p.policy, NULL); + if (ret < 0) + xtables_error(PARAMETER_PROBLEM, "Wrong policy"); + break; + case CMD_LIST: + case CMD_LIST | CMD_ZERO: + case CMD_LIST | CMD_ZERO_NUM: + case CMD_LIST_RULES: + case CMD_LIST_RULES | CMD_ZERO: + case CMD_LIST_RULES | CMD_ZERO_NUM: + if (p.command & CMD_LIST) + ret = list_rules(h, p.chain, p.table, p.rulenum, + cs.options & OPT_VERBOSE, + 0, + /*cs.options&OPT_EXPANDED*/0, + cs.options&OPT_LINENUMBERS, + cs.options&OPT_LIST_C); + else if (p.command & CMD_LIST_RULES) + ret = nft_cmd_rule_list_save(h, p.chain, p.table, + p.rulenum - 1, + cs.options & OPT_VERBOSE); + if (ret && (p.command & CMD_ZERO)) + ret = nft_cmd_chain_zero_counters(h, p.chain, p.table, + cs.options & OPT_VERBOSE); + if (ret && (p.command & CMD_ZERO_NUM)) + ret = nft_cmd_rule_zero_counters(h, p.chain, p.table, + p.rulenum - 1); + break; + case CMD_ZERO: + ret = nft_cmd_chain_zero_counters(h, p.chain, p.table, + cs.options & OPT_VERBOSE); + break; + case CMD_ZERO_NUM: + ret = nft_cmd_rule_zero_counters(h, p.chain, p.table, + p.rulenum - 1); + break; + case CMD_FLUSH: + ret = nft_cmd_rule_flush(h, p.chain, p.table, + cs.options & OPT_VERBOSE); + break; + case CMD_APPEND: + ret = nft_cmd_rule_append(h, p.chain, p.table, &cs, + cs.options & OPT_VERBOSE); + break; + case CMD_INSERT: + ret = nft_cmd_rule_insert(h, p.chain, p.table, &cs, + p.rulenum - 1, + cs.options & OPT_VERBOSE); + break; + case CMD_DELETE: + case CMD_DELETE_NUM: + ret = delete_entry(h, p.chain, p.table, &cs, p.rulenum - 1, + p.rulenum_end, cs.options & OPT_VERBOSE); + break; + case CMD_DELETE_CHAIN: + ret = nft_cmd_chain_del(h, p.chain, p.table, 0); + break; + case CMD_RENAME_CHAIN: + ret = nft_cmd_chain_user_rename(h, p.chain, p.table, p.newname); + break; + case CMD_INIT_TABLE: + ret = nft_cmd_table_flush(h, p.table, false); + break; + case CMD_CHECK: + ret = nft_cmd_rule_check(h, p.chain, p.table, + &cs, cs.options & OPT_VERBOSE); + break; + case CMD_CHANGE_COUNTERS: + ret = change_entry_counters(h, p.chain, p.table, &cs, + p.rulenum - 1, p.rulenum_end, + args.counter_op, + cs.options & OPT_VERBOSE); + break; + case CMD_REPLACE: + ret = nft_cmd_rule_replace(h, p.chain, p.table, &cs, + p.rulenum - 1, + cs.options & OPT_VERBOSE); + break; + default: + /* We should never reach this... */ + exit_tryhelp(2, line); } - if (flags & OPT_ZERO) { - ret = nft_cmd_chain_zero_counters(h, chain, *table, 0); - } else if (command == 'F') { - ret = nft_cmd_rule_flush(h, chain, *table, 0); - } else if (command == 'A') { - ret = append_entry(h, chain, *table, &cs, 0, 0, true); - } else if (command == 'I') { - ret = append_entry(h, chain, *table, &cs, rule_nr - 1, - 0, false); - } else if (command == 'D') { - ret = delete_entry(h, chain, *table, &cs, rule_nr - 1, - rule_nr_end, 0); - } /*else if (replace->command == 'C') { - ebt_change_counters(replace, new_entry, rule_nr, rule_nr_end, &(new_entry->cnt_surplus), chcounter); - if (ebt_errormsg[0] != '\0') - return -1; - }*/ ebt_cs_clean(&cs); return ret; |