summaryrefslogtreecommitdiffstats
path: root/iptables-restore.c
blob: f9a95952d0e273176f9640a9a035a6792c74e0b4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
/* Code to restore the iptables state, from file by iptables-save. */
#include <getopt.h>
#include <sys/errno.h>
#include <string.h>
#include <stdio.h>
#include "packet-filter/userspace/iptables.h"
#include "packet-filter/userspace/libiptc/libiptc.h"

/* Keeping track of external matches and targets.  */
static struct option options[] = {
	{ "binary", 1, 0, 'b' },
	{ "counters", 1, 0, 'c' },
	{ "verbose", 1, 0, 'v' },
	{ "help", 1, 0, 'h' },
	{ 0 }
};

static void print_usage(const char *name, const char *version) __attribute__((noreturn));

static void print_usage(const char *name, const char *version)
{
	fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-h]\n", name);
	exit(1);
}

static int clean_slate(iptc_handle_t *handle)
{
	/* Skip over builtins. */
	const char *i, *last = IPTC_LABEL_OUTPUT;

	/* Be careful iterating: it isn't safe during delete. */
	/* Re-iterate after each delete successful */
	while ((i = iptc_next_chain(last, handle)) != NULL) {
		if (!iptc_flush_entries(i, handle)
		    || !iptc_delete_chain(i, handle))
			return 0;
	}
	return 1;
}

int main(int argc, char *argv[])
{
	iptc_handle_t handle;
	char buffer[10240];
	int counters = 0, binary = 0, verbose = 0;
	unsigned int line = 0;
	int c;
	const char *chain;
	FILE *in;

	program_name = "iptables-restore";
	program_version = NETFILTER_VERSION;

	/* Don't use getopt here; it would interfere 8-(. */
	if (optind == argc - 1) {
		in = fopen(argv[optind], "r");
		if (!in) {
			fprintf(stderr, "Can't open %s: %s", argv[optind],
				strerror(errno));
			exit(1);
		}
	}
	else if (optind < argc) {
		fprintf(stderr, "Unknown arguments found on commandline");
		exit(1);
	}
	else in = stdin;

	handle = iptc_init();
	if (!handle)
		exit_error(VERSION_PROBLEM,
			   "can't initialize iptables-restore: %s",
			   iptc_strerror(errno));

	if (!clean_slate(&handle))
		exit_error(OTHER_PROBLEM, "Deleting old chains: %s",
			   iptc_strerror(errno));

	/* Grab standard input. */
	while (fgets(buffer, sizeof(buffer), in)) {
		int ret;

		line++;
		if (buffer[0] == '\n') continue;
		else if (buffer[0] == '#') {
			if (verbose) fputs(buffer, stdout);
			continue;
		} else if (strcmp(buffer, "COMMIT\n") == 0)
			ret = iptc_commit(&handle);
		else if (buffer[0] == ':') {
			/* New chain. */
			char *chain, *policy;

			/* FIXME: Don't ignore counters. */
			chain = strtok(buffer+1, " \t\n");
			if (!chain) {
				exit_error(PARAMETER_PROBLEM,
					   "%s: line %u chain name invalid\n",
					   program_name, line);
				exit(1);
			}
			policy = strtok(NULL, " \t\n");
			if (!policy) {
				exit_error(PARAMETER_PROBLEM,
					   "%s: line %u policy invalid\n",
					   program_name, line);
				exit(1);
			}
			if (strcmp(policy, "-") != 0
			    && !iptc_set_policy(chain, policy, &handle))
				exit_error(OTHER_PROBLEM,
					   "Can't set policy `%s'"
					   " on `%s' line %u: %s\n",
					   chain, policy, line,
					   iptc_strerror(errno));
		} else {
			char *newargv[1024];
			int i;
			char *ptr = buffer;

			/* FIXME: Don't ignore counters. */
			if (buffer[0] == '[') {
				ptr = strchr(buffer, ']');
				if (!ptr)
					exit_error(PARAMETER_PROBLEM,
						   "Bad line %u: need ]\n",
						   line);
			}

			/* strtok: a function only a coder could love */
			newargv[0] = argv[0];
			for (i = 1; i < sizeof(newargv)/sizeof(char *); i++) {
				if (!(newargv[i] = strtok(ptr, " \t\n")))
					break;
				ptr = NULL;
			}
			if (i == sizeof(newargv)/sizeof(char *)) {
				fprintf(stderr,
					"%s: line %u too many arguments\n",
					program_name, line);
				exit(1);
			}

			ret = do_command(i, newargv, &handle);
		}
		if (!ret) {
			fprintf(stderr, "%s: line %u failed\n",
					program_name, line);
			exit(1);
		}
	}

	return 0;
}