1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
#include <netdb.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <xtables.h>
#include "xshared.h"
/*
* Print out any special helps. A user might like to be able to add a --help
* to the commandline, and see expected results. So we call help for all
* specified matches and targets.
*/
void print_extension_helps(const struct xtables_target *t,
const struct xtables_rule_match *m)
{
for (; t != NULL; t = t->next) {
if (t->used) {
printf("\n");
if (t->help == NULL)
printf("%s does not take any options\n",
t->name);
else
t->help();
}
}
for (; m != NULL; m = m->next) {
printf("\n");
if (m->match->help == NULL)
printf("%s does not take any options\n",
m->match->name);
else
m->match->help();
}
}
const char *
proto_to_name(uint8_t proto, int nolookup)
{
unsigned int i;
if (proto && !nolookup) {
struct protoent *pent = getprotobynumber(proto);
if (pent)
return pent->p_name;
}
for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
if (xtables_chain_protos[i].num == proto)
return xtables_chain_protos[i].name;
return NULL;
}
static struct xtables_match *
find_proto(const char *pname, enum xtables_tryload tryload,
int nolookup, struct xtables_rule_match **matches)
{
unsigned int proto;
if (xtables_strtoui(pname, NULL, &proto, 0, UINT8_MAX)) {
const char *protoname = proto_to_name(proto, nolookup);
if (protoname)
return xtables_find_match(protoname, tryload, matches);
} else
return xtables_find_match(pname, tryload, matches);
return NULL;
}
/*
* Some explanations (after four different bugs in 3 different releases): If
* we encounter a parameter, that has not been parsed yet, it's not an option
* of an explicitly loaded match or a target. However, we support implicit
* loading of the protocol match extension. '-p tcp' means 'l4 proto 6' and at
* the same time 'load tcp protocol match on demand if we specify --dport'.
*
* To make this work, we need to make sure:
* - the parameter has not been parsed by a match (m above)
* - a protocol has been specified
* - the protocol extension has not been loaded yet, or is loaded and unused
* [think of ip6tables-restore!]
* - the protocol extension can be successively loaded
*/
static bool should_load_proto(struct iptables_command_state *cs)
{
if (cs->protocol == NULL)
return false;
if (find_proto(cs->protocol, XTF_DONT_LOAD,
cs->options & OPT_NUMERIC, NULL) == NULL)
return true;
return cs->proto_used;
}
struct xtables_match *load_proto(struct iptables_command_state *cs)
{
if (!should_load_proto(cs))
return NULL;
return find_proto(cs->protocol, XTF_TRY_LOAD,
cs->options & OPT_NUMERIC, &cs->matches);
}
|
