1 #ifndef IPTABLES_XSHARED_H
2 #define IPTABLES_XSHARED_H 1
3 
4 #include <limits.h>
5 #include <stdbool.h>
6 #include <stdint.h>
7 #include <netinet/in.h>
8 #include <net/if.h>
9 #include <sys/time.h>
10 #include <linux/netfilter_arp/arp_tables.h>
11 #include <linux/netfilter_ipv4/ip_tables.h>
12 #include <linux/netfilter_ipv6/ip6_tables.h>
13 
/*
 * Debug tracing, compiled out entirely unless DEBUG is defined.
 * @x must always be a string literal format; never pass caller-supplied
 * text as the format argument.
 * NOTE(review): expands to fprintf(), but this header does not include
 * <stdio.h> itself -- DEBUG builds rely on the including .c file for it.
 * The "args..." named-variadic form is a GNU extension.
 */
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
#else
#define DEBUGP(x, args...)
#endif
19 
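/*
 * Command-line option flags, OR-ed into iptables_command_state.options.
 * Bit i of this mask pairs with optflags[i] below, the single-character
 * option name that opt2char() presumably reports for it (e.g. OPT_SOURCE
 * <-> 's'). The enum and the table must therefore be extended together;
 * the _Static_assert after the table checks that the last table entry
 * still lines up with the highest bit, OPT_P_TYPE.
 */
enum {
	OPT_NONE        = 0,
	OPT_NUMERIC     = 1 << 0,
	OPT_SOURCE      = 1 << 1,
	OPT_DESTINATION = 1 << 2,
	OPT_PROTOCOL    = 1 << 3,
	OPT_JUMP        = 1 << 4,
	OPT_VERBOSE     = 1 << 5,
	OPT_EXPANDED    = 1 << 6,
	OPT_VIANAMEIN   = 1 << 7,
	OPT_VIANAMEOUT  = 1 << 8,
	OPT_LINENUMBERS = 1 << 9,
	OPT_COUNTERS    = 1 << 10,
	OPT_FRAGMENT	= 1 << 11,
	/* below are for arptables only */
	OPT_S_MAC	= 1 << 12,
	OPT_D_MAC	= 1 << 13,
	OPT_H_LENGTH	= 1 << 14,
	OPT_OPCODE	= 1 << 15,
	OPT_H_TYPE	= 1 << 16,
	OPT_P_TYPE	= 1 << 17,
};

/* Number of entries in optflags, i.e. the number of OPT_* bits. */
#define NUMBER_OF_OPT	ARRAY_SIZE(optflags)
/*
 * One character per OPT_* bit, in bit order. The non-printable values
 * 2..6 presumably stand in for options without a single-letter short
 * form -- TODO confirm against the option parser.
 */
static const char optflags[]
= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f', 2, 3, 'l', 4, 5, 6 };
/*
 * Catch an OPT_* bit added without a matching optflags entry (or vice
 * versa) at compile time, rather than as an out-of-bounds table read when
 * the flag is mapped back to its character.
 */
_Static_assert((1u << (sizeof(optflags) - 1)) == OPT_P_TYPE,
	       "optflags must have exactly one entry per OPT_* bit");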
46 
/*
 * Rule-manipulation commands (-I, -D, -R, -A, -L, ...), kept as a bitmask
 * that add_command() (declared below) fills in and cmd2char() /
 * generic_opt_check() consume.
 *
 * NOTE(review): 15 command bits are defined here (CMD_INSERT .. CMD_CHECK,
 * bits 0-14) while NUMBER_OF_CMD is 16. Any table or loop sized or bounded
 * by NUMBER_OF_CMD should be checked against this enum before another
 * command is appended -- confirm in the implementing .c file.
 */
enum {
	CMD_NONE		= 0,
	CMD_INSERT		= 1 << 0,
	CMD_DELETE		= 1 << 1,
	CMD_DELETE_NUM		= 1 << 2,
	CMD_REPLACE		= 1 << 3,
	CMD_APPEND		= 1 << 4,
	CMD_LIST		= 1 << 5,
	CMD_FLUSH		= 1 << 6,
	CMD_ZERO		= 1 << 7,
	CMD_NEW_CHAIN		= 1 << 8,
	CMD_DELETE_CHAIN	= 1 << 9,
	CMD_SET_POLICY		= 1 << 10,
	CMD_RENAME_CHAIN	= 1 << 11,
	CMD_LIST_RULES		= 1 << 12,
	CMD_ZERO_NUM		= 1 << 13,
	CMD_CHECK		= 1 << 14,
};
/* See the NOTE above: one more than the number of CMD_* bits defined. */
#define NUMBER_OF_CMD		16
66 
/*
 * Defined elsewhere; this header only passes pointers to them around.
 * NOTE(review): struct xtables_match is not forward-declared here -- its
 * tag first appears inside struct ebt_match below, which is sufficient for
 * the pointer uses in this header.
 */
struct xtables_globals;
struct xtables_rule_match;
struct xtables_target;
70 
/**
 * xtables_afinfo - protocol family dependent information
 * @kmod:		kernel module basename (e.g. "ip_tables")
 * @proc_exists:	file which exists in procfs when module already loaded
 * @libprefix:		prefix of .so library name (e.g. "libipt_")
 * @family:		nfproto family
 * @ipproto:		used by setsockopt (e.g. IPPROTO_IP)
 * @so_rev_match:	optname to check revision support of match
 * @so_rev_target:	optname to check revision support of target
 *
 * One instance describes each supported family; the active one is reached
 * through the global @afinfo declared further down in this header.
 */
struct xtables_afinfo {
	const char *kmod;
	const char *proc_exists;
	const char *libprefix;
	uint8_t family;
	uint8_t ipproto;
	int so_rev_match;
	int so_rev_target;
};
90 
/*
 * trick for ebtables-compat, since watchers are targets
 *
 * Singly linked list node (@next) that holds either a match or a watcher;
 * @ismatch tells which member of @u is the valid one. Watchers are
 * xtables_target objects, hence the union instead of a plain match list.
 */
struct ebt_match {
	struct ebt_match			*next;
	union {
		struct xtables_match		*match;
		struct xtables_target		*watcher;
	} u;
	bool					ismatch;	/* true: u.match, false: u.watcher */
};
100 
/*
 * Fake ebt_entry
 *
 * Userspace stand-in for the ebtables rule header, embedded in the
 * iptables_command_state union below. Interface names are fixed-size
 * IFNAMSIZ buffers; MAC address and mask pairs are 6 bytes each.
 * NOTE(review): the "first field" requirement suggests the layout is
 * expected to match the kernel-side structure -- confirm before
 * reordering or resizing any member.
 */
struct ebt_entry {
	/* this needs to be the first field */
	unsigned int bitmask;
	unsigned int invflags;
	uint16_t ethproto;
	/* the physical in-dev */
	char in[IFNAMSIZ];
	/* the logical in-dev */
	char logical_in[IFNAMSIZ];
	/* the physical out-dev */
	char out[IFNAMSIZ];
	/* the logical out-dev */
	char logical_out[IFNAMSIZ];
	unsigned char sourcemac[6];
	unsigned char sourcemsk[6];
	unsigned char destmac[6];
	unsigned char destmsk[6];
};
120 
/*
 * Per-invocation parse state shared by the iptables/ip6tables/arptables/
 * ebtables front ends: the rule being built plus everything accumulated
 * from the command line so far.
 */
struct iptables_command_state {
	/* Rule header for the family in use; only one member is meaningful
	 * per run (presumably selected by afinfo->family -- TODO confirm). */
	union {
		struct ebt_entry eb;
		struct ipt_entry fw;
		struct ip6t_entry fw6;
		struct arpt_entry arp;
	};
	int invert;				/* '!' seen before the current option -- TODO confirm */
	int c;					/* current option character being handled -- TODO confirm */
	unsigned int options;			/* OPT_* bitmask of options given so far */
	struct xtables_rule_match *matches;	/* match extensions loaded for this rule */
	struct ebt_match *match_list;		/* ebtables-compat match/watcher list */
	struct xtables_target *target;		/* target extension, if one was loaded */
	struct xt_counters counters;		/* packet/byte counters (see parse_counters()) */
	char *protocol;				/* protocol argument as given */
	int proto_used;				/* whether the protocol match has been loaded -- TODO confirm */
	const char *jumpto;			/* chain or target name to jump to */
	char **argv;				/* argument vector being parsed */
	bool restore;				/* parsing restore input rather than argv -- TODO confirm */
};
141 
/* Entry point of one subcommand, with main()-style (argc, argv). */
typedef int (*mainfunc_t)(int, char **);

/* Name -> entry point mapping consumed by subcmd_main(). */
struct subcommand {
	const char *name;
	mainfunc_t main;
};
148 
/*
 * Spacing between the option-number ranges handed to successive
 * extensions, so that their option ids do not collide.
 * NOTE(review): inferred from the name; the code that applies the offset
 * is not in this header -- confirm.
 */
enum {
	XT_OPTION_OFFSET_SCALE = 256,
};
152 
/*
 * Shared front-end helpers. The one-line summaries below are inferred
 * from the names and signatures; see the implementation for exact contracts.
 */
/* Print the help text of @target and of every match in the list. */
extern void print_extension_helps(const struct xtables_target *,
	const struct xtables_rule_match *);
/* Map an IP protocol number to its name (second argument: flags -- TODO confirm). */
extern const char *proto_to_name(uint8_t, int);
/* Default handler for options not consumed by an extension. */
extern int command_default(struct iptables_command_state *,
	struct xtables_globals *);
/* Load the match extension implied by cs->protocol, if any. */
extern struct xtables_match *load_proto(struct iptables_command_state *);
/* Dispatch to the matching entry of a subcommand table. */
extern int subcmd_main(int, char **, const struct subcommand *);
/* Reset per-rule state of an extension before it is (re)used. */
extern void xs_init_target(struct xtables_target *);
extern void xs_init_match(struct xtables_match *);
162 
/**
 * Values for the iptables lock.
 *
 * A value >= 0 indicates the lock filedescriptor. Other values are:
 *
 * XT_LOCK_FAILED : The lock could not be acquired.
 *
 * XT_LOCK_BUSY : The lock was held by another process. xtables_lock only
 * returns this value when |wait| == false. If |wait| == true, xtables_lock
 * will not return unless the lock has been acquired.
 *
 * XT_LOCK_NOT_ACQUIRED : We have not yet attempted to acquire the lock.
 *
 * NOTE(review): xtables_lock itself is not declared in this header; only
 * the xtables_lock_or_exit() wrapper below is exported, and per its name
 * it presumably terminates instead of returning XT_LOCK_FAILED/XT_LOCK_BUSY
 * -- confirm against the implementation.
 */
enum {
	XT_LOCK_BUSY = -1,
	XT_LOCK_FAILED = -2,
	XT_LOCK_NOT_ACQUIRED  = -3,
};
/* Release the lock; @lock is the value previously returned by
 * xtables_lock_or_exit() (negative XT_LOCK_* values presumably mean
 * nothing to release). */
extern void xtables_unlock(int lock);
/*
 * Acquire the global iptables lock or terminate the process.
 * @wait: non-zero to keep trying until the lock is free, zero to fail fast
 * @tv:   interval used between attempts while waiting -- TODO confirm
 * Returns the lock fd (>= 0) on success.
 */
extern int xtables_lock_or_exit(int wait, struct timeval *tv);
183 
/*
 * Argument / restore-line parsing helpers. Their input comes straight from
 * argv or from a rule line supplied to the program, so callers must check
 * the returned status before using the parsed values.
 */
/* Parse the --wait argument; returns the wait time -- TODO confirm units/default. */
int parse_wait_time(int argc, char *argv[]);
/* Parse the --wait-interval argument into *wait_interval. */
void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval);
/* Parse counter text into *ctr; the return value reports success -- TODO confirm convention. */
int parse_counters(const char *string, struct xt_counters *ctr);
/* Split the counter prefix off a rule line, returning the packet and byte
 * tokens through @pcnt/@bcnt and advancing *bufferp past them; @line is
 * the input line number for diagnostics. Returns false if none found -- confirm. */
bool tokenize_rule_counters(char **bufferp, char **pcnt, char **bcnt, int line);
/* True when the next argv slot holds a value rather than another option -- TODO confirm. */
bool xs_has_arg(int argc, char *argv[]);
189 
/* Descriptor of the protocol family the running tool operates on. */
extern const struct xtables_afinfo *afinfo;
191 
/* Capacity of the argv/argvattr arrays in struct argv_store. */
#define MAX_ARGC	255
/*
 * Fixed-capacity argument vector rebuilt while re-parsing a rule line.
 * @argc:     number of valid entries in @argv and @argvattr
 * @argv:     the argument strings (presumably owned here and released by free_argv())
 * @argvattr: per-argument attribute, e.g. the 'quoted' flag given to add_argv()
 *
 * NOTE(review): both arrays are exactly MAX_ARGC long, so add_argv() and
 * add_param_to_argv() must stop or fail once argc reaches MAX_ARGC; the
 * text they split is an externally supplied rule line. Confirm the bound
 * is enforced in the implementation.
 */
struct argv_store {
	int argc;
	char *argv[MAX_ARGC];
	int argvattr[MAX_ARGC];
};
198 
/* Append a copy of @what to @store; @quoted is recorded per argument -- TODO confirm. */
void add_argv(struct argv_store *store, const char *what, int quoted);
/* Release all strings held by @store and reset its argc. */
void free_argv(struct argv_store *store);
/* Transfer the contents of @src to @dst; whether @src is emptied afterwards
 * is not visible here -- confirm before reusing @src. */
void save_argv(struct argv_store *dst, struct argv_store *src);
/* Split the rule text at @parsestart into @store (non-const, so presumably
 * modified in place); @line is the input line number for diagnostics. */
void add_param_to_argv(struct argv_store *store, char *parsestart, int line);
/* Dump @store in DEBUG builds; expands to nothing otherwise. */
#ifdef DEBUG
void debug_print_argv(struct argv_store *store);
#else
#  define debug_print_argv(...) /* nothing */
#endif
208 
/* Print the source/destination of an IPv4 or IPv6 rule header according to
 * the listing flags in @format -- TODO confirm which flag set applies. */
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);

/* Print the in/out interface columns; @invflags carries the '!' bits for
 * each interface and @format the same listing flags as above. */
void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
		  unsigned int format);
214 
/* Handle a match option: load the named match and add it to cs->matches -- TODO confirm. */
void command_match(struct iptables_command_state *cs);
/* Validate a target name and return the name to use for it (possibly
 * normalised) -- confirm error handling for unknown names. */
const char *xt_parse_target(const char *targetname);
/* Handle a jump: record @jumpto in @cs and load the target extension if it
 * names one rather than a chain -- TODO confirm. */
void command_jump(struct iptables_command_state *cs, const char *jumpto);
218 
/* Map a single CMD_* bit back to its command letter (presumably CMD_APPEND -> 'A'). */
char cmd2char(int option);
/*
 * Record @newcmd in *cmd. @othercmds lists the commands it may legally be
 * combined with; other combinations, and presumably an inverted command
 * (@invert), are rejected -- TODO confirm the exact error conditions.
 */
void add_command(unsigned int *cmd, const int newcmd,
		 const int othercmds, int invert);
/* Convert a rule-number string to int; behaviour on invalid text is not
 * visible here (error exit likely) -- confirm. */
int parse_rulenumber(const char *rule);
223 
/* Verify that every OPT_* bit in @options is legal for @command -- error
 * handling (exit vs. return) is not visible here; confirm. */
void generic_opt_check(int command, int options);
/* Map a single OPT_* bit back to its option character via optflags[]. */
char opt2char(int option);
226 
227 #endif /* IPTABLES_XSHARED_H */