1 #ifndef IPTABLES_XSHARED_H 2 #define IPTABLES_XSHARED_H 1 3 4 #include <limits.h> 5 #include <stdbool.h> 6 #include <stdint.h> 7 #include <netinet/in.h> 8 #include <net/if.h> 9 #include <linux/netfilter_arp/arp_tables.h> 10 #include <linux/netfilter_ipv4/ip_tables.h> 11 #include <linux/netfilter_ipv6/ip6_tables.h> 12 13 #ifdef DEBUG 14 #define DEBUGP(x, args...) fprintf(stderr, x, ## args) 15 #define DEBUG_HEXDUMP(pfx, data, len) \ 16 for (int __i = 0; __i < (len); __i++) { \ 17 if (__i % 16 == 0) \ 18 printf("%s%s: ", __i ? "\n" : "", (pfx)); \ 19 printf("%02x ", ((const unsigned char *)data)[__i]); \ 20 } printf("\n") 21 #else 22 #define DEBUGP(x, args...) 23 #define DEBUG_HEXDUMP(pfx, data, len) 24 #endif 25 26 enum { 27 OPT_NONE = 0, 28 OPT_NUMERIC = 1 << 0, 29 OPT_SOURCE = 1 << 1, 30 OPT_DESTINATION = 1 << 2, 31 OPT_PROTOCOL = 1 << 3, 32 OPT_JUMP = 1 << 4, 33 OPT_VERBOSE = 1 << 5, 34 OPT_EXPANDED = 1 << 6, 35 OPT_VIANAMEIN = 1 << 7, 36 OPT_VIANAMEOUT = 1 << 8, 37 OPT_LINENUMBERS = 1 << 9, 38 OPT_COUNTERS = 1 << 10, 39 OPT_FRAGMENT = 1 << 11, 40 /* below are for arptables only */ 41 OPT_S_MAC = 1 << 12, 42 OPT_D_MAC = 1 << 13, 43 OPT_H_LENGTH = 1 << 14, 44 OPT_OPCODE = 1 << 15, 45 OPT_H_TYPE = 1 << 16, 46 OPT_P_TYPE = 1 << 17, 47 /* below are for ebtables only */ 48 OPT_LOGICALIN = 1 << 18, 49 OPT_LOGICALOUT = 1 << 19, 50 OPT_LIST_C = 1 << 20, 51 OPT_LIST_X = 1 << 21, 52 OPT_LIST_MAC2 = 1 << 22, 53 }; 54 #define NUMBER_OF_OPT 24 55 56 enum { 57 CMD_NONE = 0, 58 CMD_INSERT = 1 << 0, 59 CMD_DELETE = 1 << 1, 60 CMD_DELETE_NUM = 1 << 2, 61 CMD_REPLACE = 1 << 3, 62 CMD_APPEND = 1 << 4, 63 CMD_LIST = 1 << 5, 64 CMD_FLUSH = 1 << 6, 65 CMD_ZERO = 1 << 7, 66 CMD_NEW_CHAIN = 1 << 8, 67 CMD_DELETE_CHAIN = 1 << 9, 68 CMD_SET_POLICY = 1 << 10, 69 CMD_RENAME_CHAIN = 1 << 11, 70 CMD_LIST_RULES = 1 << 12, 71 CMD_ZERO_NUM = 1 << 13, 72 CMD_CHECK = 1 << 14, 73 CMD_CHANGE_COUNTERS = 1 << 15, /* ebtables only */ 74 CMD_INIT_TABLE = 1 << 16, /* ebtables only */ 75 }; 76 #define NUMBER_OF_CMD 18 77 78 struct xtables_globals; 79 struct xtables_rule_match; 80 struct xtables_target; 81 82 #define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:R:S::VX::Z::" "c:d:i:j:o:p:s:t:v" 83 #define IPT_OPTSTRING OPTSTRING_COMMON "W::" "46fg:h::m:nw::x" 84 #define ARPT_OPTSTRING OPTSTRING_COMMON "h::l:nx" /* "m:" */ 85 #define EBT_OPTSTRING OPTSTRING_COMMON "h" 86 87 /* define invflags which won't collide with IPT ones. 88 * arptables-nft does NOT use the legacy ARPT_INV_* defines. 89 */ 90 #define IPT_INV_SRCDEVADDR 0x0080 91 #define IPT_INV_TGTDEVADDR 0x0100 92 #define IPT_INV_ARPHLN 0x0200 93 #define IPT_INV_ARPOP 0x0400 94 #define IPT_INV_ARPHRD 0x0800 95 96 /* trick for ebtables-compat, since watchers are targets */ 97 struct ebt_match { 98 struct ebt_match *next; 99 union { 100 struct xtables_match *match; 101 struct xtables_target *watcher; 102 } u; 103 bool ismatch; 104 }; 105 106 /* Fake ebt_entry */ 107 struct ebt_entry { 108 /* this needs to be the first field */ 109 unsigned int bitmask; 110 unsigned int invflags; 111 uint16_t ethproto; 112 /* the physical in-dev */ 113 char in[IFNAMSIZ]; 114 /* the logical in-dev */ 115 char logical_in[IFNAMSIZ]; 116 /* the physical out-dev */ 117 char out[IFNAMSIZ]; 118 /* the logical out-dev */ 119 char logical_out[IFNAMSIZ]; 120 unsigned char sourcemac[6]; 121 unsigned char sourcemsk[6]; 122 unsigned char destmac[6]; 123 unsigned char destmsk[6]; 124 }; 125 126 struct iptables_command_state { 127 union { 128 struct ebt_entry eb; 129 struct ipt_entry fw; 130 struct ip6t_entry fw6; 131 struct arpt_entry arp; 132 }; 133 int c; 134 unsigned int options; 135 struct xtables_rule_match *matches; 136 struct ebt_match *match_list; 137 struct xtables_target *target; 138 struct xt_counters counters; 139 char *protocol; 140 int proto_used; 141 const char *jumpto; 142 int argc; 143 char **argv; 144 bool restore; 145 }; 146 147 void xtables_clear_iptables_command_state(struct iptables_command_state *cs); 148 149 typedef int (*mainfunc_t)(int, char **); 150 151 struct subcommand { 152 const char *name; 153 mainfunc_t main; 154 }; 155 156 extern int subcmd_main(int, char **, const struct subcommand *); 157 extern void xs_init_target(struct xtables_target *); 158 extern void xs_init_match(struct xtables_match *); 159 160 /** 161 * Values for the iptables lock. 162 * 163 * A value >= 0 indicates the lock filedescriptor. Other values are: 164 * 165 * XT_LOCK_FAILED : The lock could not be acquired. 166 * 167 * XT_LOCK_BUSY : The lock was held by another process. xtables_lock only 168 * returns this value when |wait| == false. If |wait| == true, xtables_lock 169 * will not return unless the lock has been acquired. 170 * 171 * XT_LOCK_NOT_ACQUIRED : We have not yet attempted to acquire the lock. 172 */ 173 enum { 174 XT_LOCK_BUSY = -1, 175 XT_LOCK_FAILED = -2, 176 XT_LOCK_NOT_ACQUIRED = -3, 177 }; 178 extern void xtables_unlock(int lock); 179 extern int xtables_lock_or_exit(int wait); 180 181 int parse_wait_time(int argc, char *argv[]); 182 void parse_wait_interval(int argc, char *argv[]); 183 int parse_counters(const char *string, struct xt_counters *ctr); 184 bool tokenize_rule_counters(char **bufferp, char **pcnt, char **bcnt, int line); 185 bool xs_has_arg(int argc, char *argv[]); 186 187 #define MAX_ARGC 255 188 struct argv_store { 189 int argc; 190 char *argv[MAX_ARGC]; 191 int argvattr[MAX_ARGC]; 192 }; 193 194 void add_argv(struct argv_store *store, const char *what, int quoted); 195 void free_argv(struct argv_store *store); 196 void save_argv(struct argv_store *dst, struct argv_store *src); 197 void add_param_to_argv(struct argv_store *store, char *parsestart, int line); 198 #ifdef DEBUG 199 void debug_print_argv(struct argv_store *store); 200 #else 201 # define debug_print_argv(...) /* nothing */ 202 #endif 203 204 const char *ipv4_addr_to_string(const struct in_addr *addr, 205 const struct in_addr *mask, 206 unsigned int format); 207 void print_header(unsigned int format, const char *chain, const char *pol, 208 const struct xt_counters *counters, 209 int refs, uint32_t entries); 210 void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); 211 void save_ipv4_addr(char letter, const struct in_addr *addr, 212 const struct in_addr *mask, int invert); 213 void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); 214 void save_ipv6_addr(char letter, const struct in6_addr *addr, 215 const struct in6_addr *mask, int invert); 216 217 void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags, 218 unsigned int format); 219 220 void print_fragment(unsigned int flags, unsigned int invflags, 221 unsigned int format, bool fake); 222 223 void command_jump(struct iptables_command_state *cs, const char *jumpto); 224 225 void assert_valid_chain_name(const char *chainname); 226 227 void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs, 228 const char *targname, uint8_t proto, uint8_t flags, 229 uint8_t invflags, unsigned int format); 230 void save_rule_details(const char *iniface, const char *outiface, 231 uint16_t proto, int frag, uint8_t invflags); 232 233 int print_match_save(const struct xt_entry_match *e, const void *ip); 234 235 void exit_tryhelp(int status, int line) __attribute__((noreturn)); 236 237 struct addr_mask { 238 union { 239 struct in_addr *v4; 240 struct in6_addr *v6; 241 void *ptr; 242 } addr; 243 244 unsigned int naddrs; 245 246 union { 247 struct in_addr *v4; 248 struct in6_addr *v6; 249 void *ptr; 250 } mask; 251 }; 252 253 enum { 254 CTR_OP_INC_PKTS = 1 << 0, 255 CTR_OP_DEC_PKTS = 1 << 1, 256 CTR_OP_INC_BYTES = 1 << 2, 257 CTR_OP_DEC_BYTES = 1 << 3, 258 }; 259 260 struct xtables_args { 261 int family; 262 uint8_t flags; 263 uint16_t invflags; 264 char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; 265 char bri_iniface[IFNAMSIZ], bri_outiface[IFNAMSIZ]; 266 bool goto_set; 267 const char *shostnetworkmask, *dhostnetworkmask; 268 const char *pcnt, *bcnt; 269 struct addr_mask s, d; 270 const char *src_mac, *dst_mac; 271 const char *arp_hlen, *arp_opcode; 272 const char *arp_htype, *arp_ptype; 273 unsigned long long pcnt_cnt, bcnt_cnt; 274 uint8_t counter_op; 275 int wait; 276 }; 277 278 struct xt_cmd_parse_ops { 279 void (*proto_parse)(struct iptables_command_state *cs, 280 struct xtables_args *args); 281 void (*post_parse)(int command, 282 struct iptables_command_state *cs, 283 struct xtables_args *args); 284 const char *(*option_name)(int option); 285 int (*option_invert)(int option); 286 int (*command_default)(struct iptables_command_state *cs, 287 struct xtables_globals *gl, bool invert); 288 void (*print_help)(struct iptables_command_state *cs); 289 }; 290 291 struct xt_cmd_parse { 292 unsigned int command; 293 unsigned int rulenum; 294 unsigned int rulenum_end; 295 char *table; 296 const char *chain; 297 const char *newname; 298 const char *policy; 299 bool restore; 300 int line; 301 int verbose; 302 bool rule_ranges; 303 struct xt_cmd_parse_ops *ops; 304 }; 305 306 void xtables_printhelp(struct iptables_command_state *cs); 307 const char *ip46t_option_name(int option); 308 int ip46t_option_invert(int option); 309 int command_default(struct iptables_command_state *cs, 310 struct xtables_globals *gl, bool invert); 311 312 void do_parse(int argc, char *argv[], 313 struct xt_cmd_parse *p, struct iptables_command_state *cs, 314 struct xtables_args *args); 315 316 void ipv4_proto_parse(struct iptables_command_state *cs, 317 struct xtables_args *args); 318 void ipv6_proto_parse(struct iptables_command_state *cs, 319 struct xtables_args *args); 320 void ipv4_post_parse(int command, struct iptables_command_state *cs, 321 struct xtables_args *args); 322 void ipv6_post_parse(int command, struct iptables_command_state *cs, 323 struct xtables_args *args); 324 325 extern char *arp_opcodes[]; 326 #define ARP_NUMOPCODES 9 327 328 unsigned char *make_delete_mask(const struct xtables_rule_match *matches, 329 const struct xtables_target *target, 330 size_t entry_size); 331 332 void iface_to_mask(const char *ifname, unsigned char *mask); 333 334 void xtables_clear_args(struct xtables_args *args); 335 336 const char *proto_to_name(uint16_t proto, int nolookup); 337 338 #endif /* IPTABLES_XSHARED_H */ 339