/*
 * xshared.h - declarations shared by the iptables/ip6tables/arptables/
 * ebtables front ends: option and command bitmasks, the per-rule command
 * state, the xtables lock, and the argv helpers used by the -restore tools.
 */
#ifndef IPTABLES_XSHARED_H
#define IPTABLES_XSHARED_H 1

#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <netinet/in.h>
#include <net/if.h>
#include <sys/time.h>
#include <linux/netfilter_arp/arp_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>

/*
 * Debug trace macro (GNU named-variadic form). Note that <stdio.h> is not
 * included by this header, so a DEBUG build relies on the including file
 * having pulled it in. The first argument is handed to fprintf() as the
 * format string, so it must always be a string literal - never a buffer
 * holding data read from the rule file or the command line.
 */
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
#else
#define DEBUGP(x, args...)
#endif

/*
 * Option bits recorded in iptables_command_state.options. Each bit's index
 * is also its index into optflags[] below, so the two must stay in step.
 */
enum {
	OPT_NONE	= 0,
	OPT_NUMERIC	= 1 << 0,
	OPT_SOURCE	= 1 << 1,
	OPT_DESTINATION	= 1 << 2,
	OPT_PROTOCOL	= 1 << 3,
	OPT_JUMP	= 1 << 4,
	OPT_VERBOSE	= 1 << 5,
	OPT_EXPANDED	= 1 << 6,
	OPT_VIANAMEIN	= 1 << 7,
	OPT_VIANAMEOUT	= 1 << 8,
	OPT_LINENUMBERS	= 1 << 9,
	OPT_COUNTERS	= 1 << 10,
	OPT_FRAGMENT	= 1 << 11,
	/* below are for arptables only */
	OPT_S_MAC	= 1 << 12,
	OPT_D_MAC	= 1 << 13,
	OPT_H_LENGTH	= 1 << 14,
	OPT_OPCODE	= 1 << 15,
	OPT_H_TYPE	= 1 << 16,
	OPT_P_TYPE	= 1 << 17,
};

/*
 * One flag character per OPT_* bit, in bit order (index 0 is OPT_NUMERIC,
 * index 17 is OPT_P_TYPE). The non-printable values 2..6 sit in the slots
 * of the arptables-only options that have no single-letter flag
 * (OPT_S_MAC, OPT_D_MAC, OPT_OPCODE, OPT_H_TYPE, OPT_P_TYPE).
 * NUMBER_OF_OPT is derived from this array's length, so adding an OPT_*
 * bit without adding an entry here silently shortens the option table.
 * ARRAY_SIZE is not defined in this header; it is expected to come from the
 * including file (presumably xtables.h - confirm). Being static, every
 * translation unit that includes this header gets its own copy.
 */
#define NUMBER_OF_OPT	ARRAY_SIZE(optflags)
static const char optflags[]
= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f', 2, 3, 'l', 4, 5, 6 };

/*
 * Command bits (the -A/-D/-I/... selectors). Several of these are mutually
 * exclusive; see add_command() below, which takes the set of commands that
 * may not be combined with the new one.
 */
enum {
	CMD_NONE		= 0,
	CMD_INSERT		= 1 << 0,
	CMD_DELETE		= 1 << 1,
	CMD_DELETE_NUM		= 1 << 2,
	CMD_REPLACE		= 1 << 3,
	CMD_APPEND		= 1 << 4,
	CMD_LIST		= 1 << 5,
	CMD_FLUSH		= 1 << 6,
	CMD_ZERO		= 1 << 7,
	CMD_NEW_CHAIN		= 1 << 8,
	CMD_DELETE_CHAIN	= 1 << 9,
	CMD_SET_POLICY		= 1 << 10,
	CMD_RENAME_CHAIN	= 1 << 11,
	CMD_LIST_RULES		= 1 << 12,
	CMD_ZERO_NUM		= 1 << 13,
	CMD_CHECK		= 1 << 14,
};
/*
 * Unlike NUMBER_OF_OPT this is a hand-maintained constant, not derived from
 * a table. The enum above currently occupies bits 0..14, so 16 leaves one
 * spare bit; keep it in sync by hand when a CMD_* bit is added.
 */
#define NUMBER_OF_CMD	16

struct xtables_globals;
struct xtables_rule_match;
struct xtables_target;

/**
 * xtables_afinfo - protocol family dependent information
 * @kmod: kernel module basename (e.g. "ip_tables")
 * @proc_exists: file which exists in procfs when module already loaded
 * @libprefix: prefix of .so library name (e.g. "libipt_")
 * @family: nfproto family
 * @ipproto: used by setsockopt (e.g. IPPROTO_IP)
 * @so_rev_match: optname to check revision support of match
 * @so_rev_target: optname to check revision support of target
 *
 * One instance per supported family; the active one is reached through
 * the global @afinfo pointer declared further down.
 */
struct xtables_afinfo {
	const char *kmod;
	const char *proc_exists;
	const char *libprefix;
	uint8_t family;
	uint8_t ipproto;
	int so_rev_match;
	int so_rev_target;
};

/*
 * trick for ebtables-compat, since watchers are targets
 *
 * Singly linked list node of the matches/watchers of one ebtables rule.
 * @ismatch selects which member of @u is valid.
 */
struct ebt_match {
	struct ebt_match *next;
	union {
		struct xtables_match *match;
		struct xtables_target *watcher;
	} u;
	bool ismatch;
};

/*
 * Fake ebt_entry
 *
 * Userspace stand-in for the ebtables entry header. The field order is
 * layout-significant (see the note on @bitmask), so do not reorder or
 * insert fields.
 */
struct ebt_entry {
	/* this needs to be the first field */
	unsigned int bitmask;
	unsigned int invflags;
	uint16_t ethproto;
	/* the physical in-dev */
	char in[IFNAMSIZ];
	/* the logical in-dev */
	char logical_in[IFNAMSIZ];
	/* the physical out-dev */
	char out[IFNAMSIZ];
	/* the logical out-dev */
	char logical_out[IFNAMSIZ];
	unsigned char sourcemac[6];
	unsigned char sourcemsk[6];
	unsigned char destmac[6];
	unsigned char destmsk[6];
};

/*
 * Everything the front end accumulates while parsing one rule. The
 * anonymous union (C11) holds the family-specific entry header; which
 * member is live follows from the family in use - the fields of the
 * others must not be read.
 */
struct iptables_command_state {
	union {
		struct ebt_entry eb;
		struct ipt_entry fw;
		struct ip6t_entry fw6;
		struct arpt_entry arp;
	};
	/* set by a '!' while parsing, consumed by the next option - presumably; confirm in caller */
	int invert;
	/* NOTE(review): looks like the option character currently being parsed - verify */
	int c;
	/* bitmask of OPT_* values seen so far */
	unsigned int options;
	/* matches loaded for this rule (xtables_rule_match list) */
	struct xtables_rule_match *matches;
	/* ebtables-only: ordered match/watcher list, see struct ebt_match */
	struct ebt_match *match_list;
	/* the rule's target, if one was given */
	struct xtables_target *target;
	/* packet/byte counters, e.g. as parsed by parse_counters() */
	struct xt_counters counters;
	char *protocol;
	int proto_used;
	/* chain or target name given to -j */
	const char *jumpto;
	char **argv;
	/* true when invoked from a -restore program rather than the CLI - presumably; confirm */
	bool restore;
};

/* Entry point signature of one sub-command (iptables, ip6tables, ...). */
typedef int (*mainfunc_t)(int, char **);

/* Name -> entry point mapping used by subcmd_main() for multi-call binaries. */
struct subcommand {
	const char *name;
	mainfunc_t main;
};

/*
 * Spacing between the option-number ranges handed to successive extensions
 * so their getopt values do not collide - presumably; confirm against users.
 */
enum {
	XT_OPTION_OFFSET_SCALE = 256,
};

extern void print_extension_helps(const struct xtables_target *,
	const struct xtables_rule_match *);
/* Map an IP protocol number to its name; the int is a flag, meaning not visible here. */
extern const char *proto_to_name(uint8_t, int);
extern int command_default(struct iptables_command_state *,
			   struct xtables_globals *);
/* Load the match extension implied by the rule's protocol, if any. */
extern struct xtables_match *load_proto(struct iptables_command_state *);
/* Dispatch argv[0] to the matching entry of a NULL-terminated subcommand table - confirm terminator. */
extern int subcmd_main(int, char **, const struct subcommand *);
extern void xs_init_target(struct xtables_target *);
extern void xs_init_match(struct xtables_match *);

/**
 * Values for the iptables lock.
 *
 * A value >= 0 indicates the lock filedescriptor. Other values are:
 *
 * XT_LOCK_FAILED : The lock could not be acquired.
 *
 * XT_LOCK_BUSY : The lock was held by another process. The lock routine only
 * returns this value when |wait| == false. If |wait| == true, it will not
 * return unless the lock has been acquired (the |tv| argument of
 * xtables_lock_or_exit() presumably bounds that wait - confirm).
 *
 * XT_LOCK_NOT_ACQUIRED : We have not yet attempted to acquire the lock.
 *
 * Note that no plain xtables_lock() is declared in this header; callers use
 * xtables_lock_or_exit(), which as its name says does not return a failure
 * code to the caller.
 */
enum {
	XT_LOCK_BUSY = -1,
	XT_LOCK_FAILED = -2,
	XT_LOCK_NOT_ACQUIRED = -3,
};
/* Release a lock value previously obtained; values < 0 must be harmless to pass - confirm. */
extern void xtables_unlock(int lock);
extern int xtables_lock_or_exit(int wait, struct timeval *tv);

/* Parse the -w / --wait argument out of argv; returns the wait value (seconds, presumably). */
int parse_wait_time(int argc, char *argv[]);
/* Parse the -W / --wait-interval argument into *wait_interval. */
void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval);
/* Parse "[pcnt:bcnt]"-style counter text into *ctr; returns 0/non-zero - exact convention not visible here. */
int parse_counters(const char *string, struct xt_counters *ctr);
/*
 * Split a rule-file line's counter prefix: advances *bufferp past it and
 * points *pcnt/*bcnt at the packet and byte counts. @line is the input line
 * number, presumably for error messages. Returns false when no counters are
 * present - confirm.
 */
bool tokenize_rule_counters(char **bufferp, char **pcnt, char **bcnt, int line);
/* True when the option currently being parsed has an argument available. */
bool xs_has_arg(int argc, char *argv[]);

/* The family in use; points at one of the per-family xtables_afinfo tables. */
extern const struct xtables_afinfo *afinfo;

/*
 * Bounded argv rebuilt from a rule-file line. Both arrays are fixed size,
 * so whatever appends entries (add_argv) must refuse once argc reaches
 * MAX_ARGC rather than index past the end - the check is not visible here
 * and should be confirmed, as the input comes from the restore file.
 * argvattr holds a per-argument attribute (the `quoted` flag passed to
 * add_argv, presumably).
 */
#define MAX_ARGC 255
struct argv_store {
	int argc;
	char *argv[MAX_ARGC];
	int argvattr[MAX_ARGC];
};

/* Append a copy of @what to @store; @quoted is recorded as the entry's attribute. */
void add_argv(struct argv_store *store, const char *what, int quoted);
/* Release the strings held by @store and reset it. */
void free_argv(struct argv_store *store);
/* Move or copy @src's entries into @dst - which of the two is not visible here. */
void save_argv(struct argv_store *dst, struct argv_store *src);
/* Tokenise the remainder of a line starting at @parsestart into @store; @line is for diagnostics. */
void add_param_to_argv(struct argv_store *store, char *parsestart, int line);
#ifdef DEBUG
void debug_print_argv(struct argv_store *store);
#else
# define debug_print_argv(...) /* nothing */
#endif

/* Print the source/destination address columns of a rule; @format is a bitmask of FMT_* flags - confirm. */
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);

/* Print the in/out interface columns, honouring the interface invert bits in @invflags. */
void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
		  unsigned int format);

/* Handle -m: load the named match extension into @cs. */
void command_match(struct iptables_command_state *cs);
/* Validate/canonicalise a target name given to -j; returns the name to use. */
const char *xt_parse_target(const char *targetname);
/* Handle -j: record @jumpto in @cs and load the target extension if it is one. */
void command_jump(struct iptables_command_state *cs, const char *jumpto);

/* Map a CMD_* bit back to its option letter, for error messages. */
char cmd2char(int option);
/*
 * Merge @newcmd into *cmd, rejecting it if any bit of @othercmds is already
 * set in *cmd (mutually exclusive commands) or if @invert is set.
 */
void add_command(unsigned int *cmd, const int newcmd,
		 const int othercmds, int invert);
/* Parse a 1-based rule number; rejects non-numeric or out-of-range input. */
int parse_rulenumber(const char *rule);

/* Check that every OPT_* bit in @options is legal for @command. */
void generic_opt_check(int command, int options);
/* Map an OPT_* bit back to its optflags[] letter, for error messages. */
char opt2char(int option);

#endif /* IPTABLES_XSHARED_H */