|
Packit Service |
d1fe03 |
/* Code to take an iptables-style command line and do it. */
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/*
|
|
Packit Service |
d1fe03 |
* Author: Paul.Russell@rustcorp.com.au and mneuling@radlogic.com.au
|
|
Packit Service |
d1fe03 |
*
|
|
Packit Service |
d1fe03 |
* (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>:
|
|
Packit Service |
d1fe03 |
* Paul 'Rusty' Russell <rusty@rustcorp.com.au>
|
|
Packit Service |
d1fe03 |
* Marc Boucher <marc+nf@mbsi.ca>
|
|
Packit Service |
d1fe03 |
* James Morris <jmorris@intercode.com.au>
|
|
Packit Service |
d1fe03 |
* Harald Welte <laforge@gnumonks.org>
|
|
Packit Service |
d1fe03 |
* Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
Packit Service |
d1fe03 |
*
|
|
Packit Service |
d1fe03 |
* This program is free software; you can redistribute it and/or modify
|
|
Packit Service |
d1fe03 |
* it under the terms of the GNU General Public License as published by
|
|
Packit Service |
d1fe03 |
* the Free Software Foundation; either version 2 of the License, or
|
|
Packit Service |
d1fe03 |
* (at your option) any later version.
|
|
Packit Service |
d1fe03 |
*
|
|
Packit Service |
d1fe03 |
* This program is distributed in the hope that it will be useful,
|
|
Packit Service |
d1fe03 |
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit Service |
d1fe03 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Packit Service |
d1fe03 |
* GNU General Public License for more details.
|
|
Packit Service |
d1fe03 |
*
|
|
Packit Service |
d1fe03 |
* You should have received a copy of the GNU General Public License
|
|
Packit Service |
d1fe03 |
* along with this program; if not, write to the Free Software
|
|
Packit Service |
d1fe03 |
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
Packit Service |
d1fe03 |
*/
|
|
Packit Service |
d1fe03 |
#include "config.h"
|
|
Packit Service |
d1fe03 |
#include <getopt.h>
|
|
Packit Service |
d1fe03 |
#include <string.h>
|
|
Packit Service |
d1fe03 |
#include <netdb.h>
|
|
Packit Service |
d1fe03 |
#include <errno.h>
|
|
Packit Service |
d1fe03 |
#include <stdbool.h>
|
|
Packit Service |
d1fe03 |
#include <stdio.h>
|
|
Packit Service |
d1fe03 |
#include <stdlib.h>
|
|
Packit Service |
d1fe03 |
#include <ctype.h>
|
|
Packit Service |
d1fe03 |
#include <stdarg.h>
|
|
Packit Service |
d1fe03 |
#include <limits.h>
|
|
Packit Service |
d1fe03 |
#include <unistd.h>
|
|
Packit Service |
d1fe03 |
#include <iptables.h>
|
|
Packit Service |
d1fe03 |
#include <xtables.h>
|
|
Packit Service |
d1fe03 |
#include <fcntl.h>
|
|
Packit Service |
d1fe03 |
#include "xshared.h"
|
|
Packit Service |
d1fe03 |
#include "nft-shared.h"
|
|
Packit Service |
d1fe03 |
#include "nft.h"
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
#define OPT_FRAGMENT 0x00800U
|
|
Packit Service |
d1fe03 |
#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
|
|
Packit Service |
d1fe03 |
static const char optflags[]
|
|
Packit Service |
d1fe03 |
= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f'};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static struct option original_opts[] = {
|
|
Packit Service |
d1fe03 |
{.name = "append", .has_arg = 1, .val = 'A'},
|
|
Packit Service |
d1fe03 |
{.name = "delete", .has_arg = 1, .val = 'D'},
|
|
Packit Service |
d1fe03 |
{.name = "check", .has_arg = 1, .val = 'C'},
|
|
Packit Service |
d1fe03 |
{.name = "insert", .has_arg = 1, .val = 'I'},
|
|
Packit Service |
d1fe03 |
{.name = "replace", .has_arg = 1, .val = 'R'},
|
|
Packit Service |
d1fe03 |
{.name = "list", .has_arg = 2, .val = 'L'},
|
|
Packit Service |
d1fe03 |
{.name = "list-rules", .has_arg = 2, .val = 'S'},
|
|
Packit Service |
d1fe03 |
{.name = "flush", .has_arg = 2, .val = 'F'},
|
|
Packit Service |
d1fe03 |
{.name = "zero", .has_arg = 2, .val = 'Z'},
|
|
Packit Service |
d1fe03 |
{.name = "new-chain", .has_arg = 1, .val = 'N'},
|
|
Packit Service |
d1fe03 |
{.name = "delete-chain", .has_arg = 2, .val = 'X'},
|
|
Packit Service |
d1fe03 |
{.name = "rename-chain", .has_arg = 1, .val = 'E'},
|
|
Packit Service |
d1fe03 |
{.name = "policy", .has_arg = 1, .val = 'P'},
|
|
Packit Service |
d1fe03 |
{.name = "source", .has_arg = 1, .val = 's'},
|
|
Packit Service |
d1fe03 |
{.name = "destination", .has_arg = 1, .val = 'd'},
|
|
Packit Service |
d1fe03 |
{.name = "src", .has_arg = 1, .val = 's'}, /* synonym */
|
|
Packit Service |
d1fe03 |
{.name = "dst", .has_arg = 1, .val = 'd'}, /* synonym */
|
|
Packit Service |
d1fe03 |
{.name = "protocol", .has_arg = 1, .val = 'p'},
|
|
Packit Service |
d1fe03 |
{.name = "in-interface", .has_arg = 1, .val = 'i'},
|
|
Packit Service |
d1fe03 |
{.name = "jump", .has_arg = 1, .val = 'j'},
|
|
Packit Service |
d1fe03 |
{.name = "table", .has_arg = 1, .val = 't'},
|
|
Packit Service |
d1fe03 |
{.name = "match", .has_arg = 1, .val = 'm'},
|
|
Packit Service |
d1fe03 |
{.name = "numeric", .has_arg = 0, .val = 'n'},
|
|
Packit Service |
d1fe03 |
{.name = "out-interface", .has_arg = 1, .val = 'o'},
|
|
Packit Service |
d1fe03 |
{.name = "verbose", .has_arg = 0, .val = 'v'},
|
|
Packit Service |
d1fe03 |
{.name = "wait", .has_arg = 2, .val = 'w'},
|
|
Packit Service |
d1fe03 |
{.name = "wait-interval", .has_arg = 2, .val = 'W'},
|
|
Packit Service |
d1fe03 |
{.name = "exact", .has_arg = 0, .val = 'x'},
|
|
Packit Service |
d1fe03 |
{.name = "fragments", .has_arg = 0, .val = 'f'},
|
|
Packit Service |
d1fe03 |
{.name = "version", .has_arg = 0, .val = 'V'},
|
|
Packit Service |
d1fe03 |
{.name = "help", .has_arg = 2, .val = 'h'},
|
|
Packit Service |
d1fe03 |
{.name = "line-numbers", .has_arg = 0, .val = '0'},
|
|
Packit Service |
d1fe03 |
{.name = "modprobe", .has_arg = 1, .val = 'M'},
|
|
Packit Service |
d1fe03 |
{.name = "set-counters", .has_arg = 1, .val = 'c'},
|
|
Packit Service |
d1fe03 |
{.name = "goto", .has_arg = 1, .val = 'g'},
|
|
Packit Service |
d1fe03 |
{.name = "ipv4", .has_arg = 0, .val = '4'},
|
|
Packit Service |
d1fe03 |
{.name = "ipv6", .has_arg = 0, .val = '6'},
|
|
Packit Service |
d1fe03 |
{NULL},
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
struct xtables_globals xtables_globals = {
|
|
Packit Service |
d1fe03 |
.option_offset = 0,
|
|
Packit Service |
d1fe03 |
.program_version = PACKAGE_VERSION,
|
|
Packit Service |
d1fe03 |
.orig_opts = original_opts,
|
|
Packit Service |
d1fe03 |
.exit_err = xtables_exit_error,
|
|
Packit Service |
d1fe03 |
.compat_rev = nft_compatible_revision,
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* Table of legal combinations of commands and options. If any of the
|
|
Packit Service |
d1fe03 |
* given commands make an option legal, that option is legal (applies to
|
|
Packit Service |
d1fe03 |
* CMD_LIST and CMD_ZERO only).
|
|
Packit Service |
d1fe03 |
* Key:
|
|
Packit Service |
d1fe03 |
* + compulsory
|
|
Packit Service |
d1fe03 |
* x illegal
|
|
Packit Service |
d1fe03 |
* optional
|
|
Packit Service |
d1fe03 |
*/
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
|
|
Packit Service |
d1fe03 |
/* Well, it's better than "Re: Linux vs FreeBSD" */
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
/* -n -s -d -p -j -v -x -i -o --line -c -f */
|
|
Packit Service |
d1fe03 |
/*INSERT*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
|
|
Packit Service |
d1fe03 |
/*DELETE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
|
|
Packit Service |
d1fe03 |
/*DELETE_NUM*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
|
|
Packit Service |
d1fe03 |
/*REPLACE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
|
|
Packit Service |
d1fe03 |
/*APPEND*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
|
|
Packit Service |
d1fe03 |
/*LIST*/ {' ','x','x','x','x',' ',' ','x','x',' ','x','x'},
|
|
Packit Service |
d1fe03 |
/*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
|
|
Packit Service |
d1fe03 |
/*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
|
|
Packit Service |
d1fe03 |
/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
|
|
Packit Service |
d1fe03 |
/*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
|
|
Packit Service |
d1fe03 |
/*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
|
|
Packit Service |
d1fe03 |
/*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' ','x'},
|
|
Packit Service |
d1fe03 |
/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
|
|
Packit Service |
d1fe03 |
/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
|
|
Packit Service |
d1fe03 |
/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static const int inverse_for_options[NUMBER_OF_OPT] =
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
/* -n */ 0,
|
|
Packit Service |
d1fe03 |
/* -s */ IPT_INV_SRCIP,
|
|
Packit Service |
d1fe03 |
/* -d */ IPT_INV_DSTIP,
|
|
Packit Service |
d1fe03 |
/* -p */ XT_INV_PROTO,
|
|
Packit Service |
d1fe03 |
/* -j */ 0,
|
|
Packit Service |
d1fe03 |
/* -v */ 0,
|
|
Packit Service |
d1fe03 |
/* -x */ 0,
|
|
Packit Service |
d1fe03 |
/* -i */ IPT_INV_VIA_IN,
|
|
Packit Service |
d1fe03 |
/* -o */ IPT_INV_VIA_OUT,
|
|
Packit Service |
d1fe03 |
/*--line*/ 0,
|
|
Packit Service |
d1fe03 |
/* -c */ 0,
|
|
Packit Service |
d1fe03 |
/* -f */ IPT_INV_FRAG,
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
#define opts xt_params->opts
|
|
Packit Service |
d1fe03 |
#define prog_name xt_params->program_name
|
|
Packit Service |
d1fe03 |
#define prog_vers xt_params->program_version
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void __attribute__((noreturn))
|
|
Packit Service |
d1fe03 |
exit_tryhelp(int status)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
if (line != -1)
|
|
Packit Service |
d1fe03 |
fprintf(stderr, "Error occurred at line: %d\n", line);
|
|
Packit Service |
d1fe03 |
fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
|
|
Packit Service |
d1fe03 |
prog_name, prog_name);
|
|
Packit Service |
d1fe03 |
xtables_free_opts(1);
|
|
Packit Service |
d1fe03 |
exit(status);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void
|
|
Packit Service |
d1fe03 |
exit_printhelp(const struct xtables_rule_match *matches)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
printf("%s v%s\n\n"
|
|
Packit Service |
d1fe03 |
"Usage: %s -[ACD] chain rule-specification [options]\n"
|
|
Packit Service |
d1fe03 |
" %s -I chain [rulenum] rule-specification [options]\n"
|
|
Packit Service |
d1fe03 |
" %s -R chain rulenum rule-specification [options]\n"
|
|
Packit Service |
d1fe03 |
" %s -D chain rulenum [options]\n"
|
|
Packit Service |
d1fe03 |
" %s -[LS] [chain [rulenum]] [options]\n"
|
|
Packit Service |
d1fe03 |
" %s -[FZ] [chain] [options]\n"
|
|
Packit Service |
d1fe03 |
" %s -[NX] chain\n"
|
|
Packit Service |
d1fe03 |
" %s -E old-chain-name new-chain-name\n"
|
|
Packit Service |
d1fe03 |
" %s -P chain target [options]\n"
|
|
Packit Service |
d1fe03 |
" %s -h (print this help information)\n\n",
|
|
Packit Service |
d1fe03 |
prog_name, prog_vers, prog_name, prog_name,
|
|
Packit Service |
d1fe03 |
prog_name, prog_name, prog_name, prog_name,
|
|
Packit Service |
d1fe03 |
prog_name, prog_name, prog_name, prog_name);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
printf(
|
|
Packit Service |
d1fe03 |
"Commands:\n"
|
|
Packit Service |
d1fe03 |
"Either long or short options are allowed.\n"
|
|
Packit Service |
d1fe03 |
" --append -A chain Append to chain\n"
|
|
Packit Service |
d1fe03 |
" --check -C chain Check for the existence of a rule\n"
|
|
Packit Service |
d1fe03 |
" --delete -D chain Delete matching rule from chain\n"
|
|
Packit Service |
d1fe03 |
" --delete -D chain rulenum\n"
|
|
Packit Service |
d1fe03 |
" Delete rule rulenum (1 = first) from chain\n"
|
|
Packit Service |
d1fe03 |
" --insert -I chain [rulenum]\n"
|
|
Packit Service |
d1fe03 |
" Insert in chain as rulenum (default 1=first)\n"
|
|
Packit Service |
d1fe03 |
" --replace -R chain rulenum\n"
|
|
Packit Service |
d1fe03 |
" Replace rule rulenum (1 = first) in chain\n"
|
|
Packit Service |
d1fe03 |
" --list -L [chain [rulenum]]\n"
|
|
Packit Service |
d1fe03 |
" List the rules in a chain or all chains\n"
|
|
Packit Service |
d1fe03 |
" --list-rules -S [chain [rulenum]]\n"
|
|
Packit Service |
d1fe03 |
" Print the rules in a chain or all chains\n"
|
|
Packit Service |
d1fe03 |
" --flush -F [chain] Delete all rules in chain or all chains\n"
|
|
Packit Service |
d1fe03 |
" --zero -Z [chain [rulenum]]\n"
|
|
Packit Service |
d1fe03 |
" Zero counters in chain or all chains\n"
|
|
Packit Service |
d1fe03 |
" --new -N chain Create a new user-defined chain\n"
|
|
Packit Service |
d1fe03 |
" --delete-chain\n"
|
|
Packit Service |
d1fe03 |
" -X [chain] Delete a user-defined chain\n"
|
|
Packit Service |
d1fe03 |
" --policy -P chain target\n"
|
|
Packit Service |
d1fe03 |
" Change policy on chain to target\n"
|
|
Packit Service |
d1fe03 |
" --rename-chain\n"
|
|
Packit Service |
d1fe03 |
" -E old-chain new-chain\n"
|
|
Packit Service |
d1fe03 |
" Change chain name, (moving any references)\n"
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
"Options:\n"
|
|
Packit Service |
d1fe03 |
" --ipv4 -4 Nothing (line is ignored by ip6tables-restore)\n"
|
|
Packit Service |
d1fe03 |
" --ipv6 -6 Error (line is ignored by iptables-restore)\n"
|
|
Packit Service |
d1fe03 |
"[!] --proto -p proto protocol: by number or name, eg. `tcp'\n"
|
|
Packit Service |
d1fe03 |
"[!] --source -s address[/mask][...]\n"
|
|
Packit Service |
d1fe03 |
" source specification\n"
|
|
Packit Service |
d1fe03 |
"[!] --destination -d address[/mask][...]\n"
|
|
Packit Service |
d1fe03 |
" destination specification\n"
|
|
Packit Service |
d1fe03 |
"[!] --in-interface -i input name[+]\n"
|
|
Packit Service |
d1fe03 |
" network interface name ([+] for wildcard)\n"
|
|
Packit Service |
d1fe03 |
" --jump -j target\n"
|
|
Packit Service |
d1fe03 |
" target for rule (may load target extension)\n"
|
|
Packit Service |
d1fe03 |
#ifdef IPT_F_GOTO
|
|
Packit Service |
d1fe03 |
" --goto -g chain\n"
|
|
Packit Service |
d1fe03 |
" jump to chain with no return\n"
|
|
Packit Service |
d1fe03 |
#endif
|
|
Packit Service |
d1fe03 |
" --match -m match\n"
|
|
Packit Service |
d1fe03 |
" extended match (may load extension)\n"
|
|
Packit Service |
d1fe03 |
" --numeric -n numeric output of addresses and ports\n"
|
|
Packit Service |
d1fe03 |
"[!] --out-interface -o output name[+]\n"
|
|
Packit Service |
d1fe03 |
" network interface name ([+] for wildcard)\n"
|
|
Packit Service |
d1fe03 |
" --table -t table table to manipulate (default: `filter')\n"
|
|
Packit Service |
d1fe03 |
" --verbose -v verbose mode\n"
|
|
Packit Service |
d1fe03 |
" --wait -w [seconds] maximum wait to acquire xtables lock before give up\n"
|
|
Packit Service |
d1fe03 |
" --wait-interval -W [usecs] wait time to try to acquire xtables lock\n"
|
|
Packit Service |
d1fe03 |
" default is 1 second\n"
|
|
Packit Service |
d1fe03 |
" --line-numbers print line numbers when listing\n"
|
|
Packit Service |
d1fe03 |
" --exact -x expand numbers (display exact values)\n"
|
|
Packit Service |
d1fe03 |
"[!] --fragment -f match second or further fragments only\n"
|
|
Packit Service |
d1fe03 |
" --modprobe=<command> try to insert modules using this command\n"
|
|
Packit Service |
d1fe03 |
" --set-counters PKTS BYTES set the counter during insert/append\n"
|
|
Packit Service |
d1fe03 |
"[!] --version -V print package version.\n");
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
print_extension_helps(xtables_targets, matches);
|
|
Packit Service |
d1fe03 |
exit(0);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
void
|
|
Packit Service |
d1fe03 |
xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
va_list args;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
va_start(args, msg);
|
|
Packit Service |
d1fe03 |
fprintf(stderr, "%s v%s (nf_tables): ", prog_name, prog_vers);
|
|
Packit Service |
d1fe03 |
vfprintf(stderr, msg, args);
|
|
Packit Service |
d1fe03 |
va_end(args);
|
|
Packit Service |
d1fe03 |
fprintf(stderr, "\n");
|
|
Packit Service |
d1fe03 |
if (status == PARAMETER_PROBLEM)
|
|
Packit Service |
d1fe03 |
exit_tryhelp(status);
|
|
Packit Service |
d1fe03 |
if (status == VERSION_PROBLEM)
|
|
Packit Service |
d1fe03 |
fprintf(stderr,
|
|
Packit Service |
d1fe03 |
"Perhaps iptables or your kernel needs to be upgraded.\n");
|
|
Packit Service |
d1fe03 |
/* On error paths, make sure that we don't leak memory */
|
|
Packit Service |
d1fe03 |
xtables_free_opts(1);
|
|
Packit Service |
d1fe03 |
exit(status);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void
|
|
Packit Service |
d1fe03 |
generic_opt_check(int command, int options)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
int i, j, legal = 0;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* Check that commands are valid with options. Complicated by the
|
|
Packit Service |
d1fe03 |
* fact that if an option is legal with *any* command given, it is
|
|
Packit Service |
d1fe03 |
* legal overall (ie. -z and -l).
|
|
Packit Service |
d1fe03 |
*/
|
|
Packit Service |
d1fe03 |
for (i = 0; i < NUMBER_OF_OPT; i++) {
|
|
Packit Service |
d1fe03 |
legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
for (j = 0; j < NUMBER_OF_CMD; j++) {
|
|
Packit Service |
d1fe03 |
if (!(command & (1<
|
|
Packit Service |
d1fe03 |
continue;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (!(options & (1<
|
|
Packit Service |
d1fe03 |
if (commands_v_options[j][i] == '+')
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"You need to supply the `-%c' "
|
|
Packit Service |
d1fe03 |
"option for this command\n",
|
|
Packit Service |
d1fe03 |
optflags[i]);
|
|
Packit Service |
d1fe03 |
} else {
|
|
Packit Service |
d1fe03 |
if (commands_v_options[j][i] != 'x')
|
|
Packit Service |
d1fe03 |
legal = 1;
|
|
Packit Service |
d1fe03 |
else if (legal == 0)
|
|
Packit Service |
d1fe03 |
legal = -1;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
if (legal == -1)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"Illegal option `-%c' with this command\n",
|
|
Packit Service |
d1fe03 |
optflags[i]);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static char
|
|
Packit Service |
d1fe03 |
opt2char(int option)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
const char *ptr;
|
|
Packit Service |
d1fe03 |
for (ptr = optflags; option > 1; option >>= 1, ptr++);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
return *ptr;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/*
|
|
Packit Service |
d1fe03 |
* All functions starting with "parse" should succeed, otherwise
|
|
Packit Service |
d1fe03 |
* the program fails.
|
|
Packit Service |
d1fe03 |
* Most routines return pointers to static data that may change
|
|
Packit Service |
d1fe03 |
* between calls to the same or other routines with a few exceptions:
|
|
Packit Service |
d1fe03 |
* "host_to_addr", "parse_hostnetwork", and "parse_hostnetworkmask"
|
|
Packit Service |
d1fe03 |
* return global static data.
|
|
Packit Service |
d1fe03 |
*/
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static void
|
|
Packit Service |
d1fe03 |
set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
|
|
Packit Service |
d1fe03 |
int invert)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
if (*options & option)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed",
|
|
Packit Service |
d1fe03 |
opt2char(option));
|
|
Packit Service |
d1fe03 |
*options |= option;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (invert) {
|
|
Packit Service |
d1fe03 |
unsigned int i;
|
|
Packit Service |
d1fe03 |
for (i = 0; 1 << i != option; i++);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (!inverse_for_options[i])
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"cannot have ! before -%c",
|
|
Packit Service |
d1fe03 |
opt2char(option));
|
|
Packit Service |
d1fe03 |
*invflg |= inverse_for_options[i];
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static int
|
|
Packit Service |
d1fe03 |
add_entry(const char *chain,
|
|
Packit Service |
d1fe03 |
const char *table,
|
|
Packit Service |
d1fe03 |
struct iptables_command_state *cs,
|
|
Packit Service |
d1fe03 |
int rulenum, int family,
|
|
Packit Service |
d1fe03 |
const struct addr_mask s,
|
|
Packit Service |
d1fe03 |
const struct addr_mask d,
|
|
Packit Service |
d1fe03 |
bool verbose, struct nft_handle *h, bool append)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
unsigned int i, j;
|
|
Packit Service |
d1fe03 |
int ret = 1;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
for (i = 0; i < s.naddrs; i++) {
|
|
Packit Service |
d1fe03 |
if (family == AF_INET) {
|
|
Packit Service |
d1fe03 |
cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr;
|
|
Packit Service |
d1fe03 |
cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr;
|
|
Packit Service |
d1fe03 |
for (j = 0; j < d.naddrs; j++) {
|
|
Packit Service |
d1fe03 |
cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr;
|
|
Packit Service |
d1fe03 |
cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (append) {
|
|
Packit Service |
d1fe03 |
ret = nft_rule_append(h, chain, table,
|
|
Packit Service |
d1fe03 |
cs, NULL,
|
|
Packit Service |
d1fe03 |
verbose);
|
|
Packit Service |
d1fe03 |
} else {
|
|
Packit Service |
d1fe03 |
ret = nft_rule_insert(h, chain, table,
|
|
Packit Service |
d1fe03 |
cs, rulenum,
|
|
Packit Service |
d1fe03 |
verbose);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
} else if (family == AF_INET6) {
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.src,
|
|
Packit Service |
d1fe03 |
&s.addr.v6[i], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.smsk,
|
|
Packit Service |
d1fe03 |
&s.mask.v6[i], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
for (j = 0; j < d.naddrs; j++) {
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.dst,
|
|
Packit Service |
d1fe03 |
&d.addr.v6[j], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.dmsk,
|
|
Packit Service |
d1fe03 |
&d.mask.v6[j], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
if (append) {
|
|
Packit Service |
d1fe03 |
ret = nft_rule_append(h, chain, table,
|
|
Packit Service |
d1fe03 |
cs, NULL,
|
|
Packit Service |
d1fe03 |
verbose);
|
|
Packit Service |
d1fe03 |
} else {
|
|
Packit Service |
d1fe03 |
ret = nft_rule_insert(h, chain, table,
|
|
Packit Service |
d1fe03 |
cs, rulenum,
|
|
Packit Service |
d1fe03 |
verbose);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
return ret;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static int
|
|
Packit Service |
d1fe03 |
replace_entry(const char *chain, const char *table,
|
|
Packit Service |
d1fe03 |
struct iptables_command_state *cs,
|
|
Packit Service |
d1fe03 |
unsigned int rulenum,
|
|
Packit Service |
d1fe03 |
int family,
|
|
Packit Service |
d1fe03 |
const struct addr_mask s,
|
|
Packit Service |
d1fe03 |
const struct addr_mask d,
|
|
Packit Service |
d1fe03 |
bool verbose, struct nft_handle *h)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
if (family == AF_INET) {
|
|
Packit Service |
d1fe03 |
cs->fw.ip.src.s_addr = s.addr.v4->s_addr;
|
|
Packit Service |
d1fe03 |
cs->fw.ip.dst.s_addr = d.addr.v4->s_addr;
|
|
Packit Service |
d1fe03 |
cs->fw.ip.smsk.s_addr = s.mask.v4->s_addr;
|
|
Packit Service |
d1fe03 |
cs->fw.ip.dmsk.s_addr = d.mask.v4->s_addr;
|
|
Packit Service |
d1fe03 |
} else if (family == AF_INET6) {
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.src, s.addr.v6, sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.dst, d.addr.v6, sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.smsk, s.mask.v6, sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.dmsk, d.mask.v6, sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
} else
|
|
Packit Service |
d1fe03 |
return 1;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
return nft_rule_replace(h, chain, table, cs, rulenum, verbose);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static int
|
|
Packit Service |
d1fe03 |
delete_entry(const char *chain, const char *table,
|
|
Packit Service |
d1fe03 |
struct iptables_command_state *cs,
|
|
Packit Service |
d1fe03 |
int family,
|
|
Packit Service |
d1fe03 |
const struct addr_mask s,
|
|
Packit Service |
d1fe03 |
const struct addr_mask d,
|
|
Packit Service |
d1fe03 |
bool verbose,
|
|
Packit Service |
d1fe03 |
struct nft_handle *h)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
unsigned int i, j;
|
|
Packit Service |
d1fe03 |
int ret = 1;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
for (i = 0; i < s.naddrs; i++) {
|
|
Packit Service |
d1fe03 |
if (family == AF_INET) {
|
|
Packit Service |
d1fe03 |
cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr;
|
|
Packit Service |
d1fe03 |
cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr;
|
|
Packit Service |
d1fe03 |
for (j = 0; j < d.naddrs; j++) {
|
|
Packit Service |
d1fe03 |
cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr;
|
|
Packit Service |
d1fe03 |
cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr;
|
|
Packit Service |
d1fe03 |
ret = nft_rule_delete(h, chain,
|
|
Packit Service |
d1fe03 |
table, cs, verbose);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
} else if (family == AF_INET6) {
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.src,
|
|
Packit Service |
d1fe03 |
&s.addr.v6[i], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.smsk,
|
|
Packit Service |
d1fe03 |
&s.mask.v6[i], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
for (j = 0; j < d.naddrs; j++) {
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.dst,
|
|
Packit Service |
d1fe03 |
&d.addr.v6[j], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.dmsk,
|
|
Packit Service |
d1fe03 |
&d.mask.v6[j], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
ret = nft_rule_delete(h, chain,
|
|
Packit Service |
d1fe03 |
table, cs, verbose);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
return ret;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static int
|
|
Packit Service |
d1fe03 |
check_entry(const char *chain, const char *table,
|
|
Packit Service |
d1fe03 |
struct iptables_command_state *cs,
|
|
Packit Service |
d1fe03 |
int family,
|
|
Packit Service |
d1fe03 |
const struct addr_mask s,
|
|
Packit Service |
d1fe03 |
const struct addr_mask d,
|
|
Packit Service |
d1fe03 |
bool verbose, struct nft_handle *h)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
unsigned int i, j;
|
|
Packit Service |
d1fe03 |
int ret = 1;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
for (i = 0; i < s.naddrs; i++) {
|
|
Packit Service |
d1fe03 |
if (family == AF_INET) {
|
|
Packit Service |
d1fe03 |
cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr;
|
|
Packit Service |
d1fe03 |
cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr;
|
|
Packit Service |
d1fe03 |
for (j = 0; j < d.naddrs; j++) {
|
|
Packit Service |
d1fe03 |
cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr;
|
|
Packit Service |
d1fe03 |
cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr;
|
|
Packit Service |
d1fe03 |
ret = nft_rule_check(h, chain,
|
|
Packit Service |
d1fe03 |
table, cs, verbose);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
} else if (family == AF_INET6) {
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.src,
|
|
Packit Service |
d1fe03 |
&s.addr.v6[i], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.smsk,
|
|
Packit Service |
d1fe03 |
&s.mask.v6[i], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
for (j = 0; j < d.naddrs; j++) {
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.dst,
|
|
Packit Service |
d1fe03 |
&d.addr.v6[j], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
memcpy(&cs->fw6.ipv6.dmsk,
|
|
Packit Service |
d1fe03 |
&d.mask.v6[j], sizeof(struct in6_addr));
|
|
Packit Service |
d1fe03 |
ret = nft_rule_check(h, chain,
|
|
Packit Service |
d1fe03 |
table, cs, verbose);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
return ret;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static int
|
|
Packit Service |
d1fe03 |
list_entries(struct nft_handle *h, const char *chain, const char *table,
|
|
Packit Service |
d1fe03 |
int rulenum, int verbose, int numeric, int expanded,
|
|
Packit Service |
d1fe03 |
int linenumbers)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
unsigned int format;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
format = FMT_OPTIONS;
|
|
Packit Service |
d1fe03 |
if (!verbose)
|
|
Packit Service |
d1fe03 |
format |= FMT_NOCOUNTS;
|
|
Packit Service |
d1fe03 |
else
|
|
Packit Service |
d1fe03 |
format |= FMT_VIA;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (numeric)
|
|
Packit Service |
d1fe03 |
format |= FMT_NUMERIC;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (!expanded)
|
|
Packit Service |
d1fe03 |
format |= FMT_KILOMEGAGIGA;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (linenumbers)
|
|
Packit Service |
d1fe03 |
format |= FMT_LINENUMBERS;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
return nft_rule_list(h, chain, table, rulenum, format);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
static int
|
|
Packit Service |
d1fe03 |
list_rules(struct nft_handle *h, const char *chain, const char *table,
|
|
Packit Service |
d1fe03 |
int rulenum, int counters)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
if (counters)
|
|
Packit Service |
d1fe03 |
counters = -1; /* iptables -c format */
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
return nft_rule_list_save(h, chain, table, rulenum, counters);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
void do_parse(struct nft_handle *h, int argc, char *argv[],
|
|
Packit Service |
d1fe03 |
struct nft_xt_cmd_parse *p, struct iptables_command_state *cs,
|
|
Packit Service |
d1fe03 |
struct xtables_args *args)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
struct xtables_match *m;
|
|
Packit Service |
d1fe03 |
struct xtables_rule_match *matchp;
|
|
Packit Service |
d1fe03 |
bool wait_interval_set = false;
|
|
Packit Service |
d1fe03 |
struct timeval wait_interval;
|
|
Packit Service |
d1fe03 |
struct xtables_target *t;
|
|
Packit Service |
d1fe03 |
bool table_set = false;
|
|
Packit Service |
d1fe03 |
int wait = 0;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
memset(cs, 0, sizeof(*cs));
|
|
Packit Service |
d1fe03 |
cs->jumpto = "";
|
|
Packit Service |
d1fe03 |
cs->argv = argv;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* re-set optind to 0 in case do_command4 gets called
|
|
Packit Service |
d1fe03 |
* a second time */
|
|
Packit Service |
d1fe03 |
optind = 0;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* clear mflags in case do_command4 gets called a second time
|
|
Packit Service |
d1fe03 |
* (we clear the global list of all matches for security)*/
|
|
Packit Service |
d1fe03 |
for (m = xtables_matches; m; m = m->next)
|
|
Packit Service |
d1fe03 |
m->mflags = 0;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
for (t = xtables_targets; t; t = t->next) {
|
|
Packit Service |
d1fe03 |
t->tflags = 0;
|
|
Packit Service |
d1fe03 |
t->used = 0;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* Suppress error messages: we may add new options if we
|
|
Packit Service |
d1fe03 |
demand-load a protocol. */
|
|
Packit Service |
d1fe03 |
opterr = 0;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
opts = xt_params->orig_opts;
|
|
Packit Service |
d1fe03 |
while ((cs->c = getopt_long(argc, argv,
|
|
Packit Service |
d1fe03 |
"-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46",
|
|
Packit Service |
d1fe03 |
opts, NULL)) != -1) {
|
|
Packit Service |
d1fe03 |
switch (cs->c) {
|
|
Packit Service |
d1fe03 |
/*
|
|
Packit Service |
d1fe03 |
* Command selection
|
|
Packit Service |
d1fe03 |
*/
|
|
Packit Service |
d1fe03 |
case 'A':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_APPEND, CMD_NONE,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'C':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_CHECK, CMD_NONE,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'D':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_DELETE, CMD_NONE,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
if (xs_has_arg(argc, argv)) {
|
|
Packit Service |
d1fe03 |
p->rulenum = parse_rulenumber(argv[optind++]);
|
|
Packit Service |
d1fe03 |
p->command = CMD_DELETE_NUM;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'R':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_REPLACE, CMD_NONE,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->rulenum = parse_rulenumber(argv[optind++]);
|
|
Packit Service |
d1fe03 |
else
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"-%c requires a rule number",
|
|
Packit Service |
d1fe03 |
cmd2char(CMD_REPLACE));
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'I':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_INSERT, CMD_NONE,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->rulenum = parse_rulenumber(argv[optind++]);
|
|
Packit Service |
d1fe03 |
else
|
|
Packit Service |
d1fe03 |
p->rulenum = 1;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'L':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_LIST,
|
|
Packit Service |
d1fe03 |
CMD_ZERO | CMD_ZERO_NUM, cs->invert);
|
|
Packit Service |
d1fe03 |
if (optarg)
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
else if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->chain = argv[optind++];
|
|
Packit Service |
d1fe03 |
if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->rulenum = parse_rulenumber(argv[optind++]);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'S':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_LIST_RULES,
|
|
Packit Service |
d1fe03 |
CMD_ZERO|CMD_ZERO_NUM, cs->invert);
|
|
Packit Service |
d1fe03 |
if (optarg)
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
else if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->chain = argv[optind++];
|
|
Packit Service |
d1fe03 |
if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->rulenum = parse_rulenumber(argv[optind++]);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'F':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_FLUSH, CMD_NONE,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
if (optarg)
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
else if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->chain = argv[optind++];
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'Z':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_ZERO,
|
|
Packit Service |
d1fe03 |
CMD_LIST|CMD_LIST_RULES, cs->invert);
|
|
Packit Service |
d1fe03 |
if (optarg)
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
else if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->chain = argv[optind++];
|
|
Packit Service |
d1fe03 |
if (xs_has_arg(argc, argv)) {
|
|
Packit Service |
d1fe03 |
p->rulenum = parse_rulenumber(argv[optind++]);
|
|
Packit Service |
d1fe03 |
p->command = CMD_ZERO_NUM;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'N':
|
|
Packit Service |
d1fe03 |
if (optarg && (*optarg == '-' || *optarg == '!'))
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"chain name not allowed to start "
|
|
Packit Service |
d1fe03 |
"with `%c'\n", *optarg);
|
|
Packit Service |
d1fe03 |
if (xtables_find_target(optarg, XTF_TRY_LOAD))
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"chain name may not clash "
|
|
Packit Service |
d1fe03 |
"with target name\n");
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'X':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_DELETE_CHAIN, CMD_NONE,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
if (optarg)
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
else if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->chain = argv[optind++];
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'E':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_RENAME_CHAIN, CMD_NONE,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->newname = argv[optind++];
|
|
Packit Service |
d1fe03 |
else
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"-%c requires old-chain-name and "
|
|
Packit Service |
d1fe03 |
"new-chain-name",
|
|
Packit Service |
d1fe03 |
cmd2char(CMD_RENAME_CHAIN));
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'P':
|
|
Packit Service |
d1fe03 |
add_command(&p->command, CMD_SET_POLICY, CMD_NONE,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
p->chain = optarg;
|
|
Packit Service |
d1fe03 |
if (xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
p->policy = argv[optind++];
|
|
Packit Service |
d1fe03 |
else
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"-%c requires a chain and a policy",
|
|
Packit Service |
d1fe03 |
cmd2char(CMD_SET_POLICY));
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'h':
|
|
Packit Service |
d1fe03 |
if (!optarg)
|
|
Packit Service |
d1fe03 |
optarg = argv[optind];
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* iptables -p icmp -h */
|
|
Packit Service |
d1fe03 |
if (!cs->matches && cs->protocol)
|
|
Packit Service |
d1fe03 |
xtables_find_match(cs->protocol,
|
|
Packit Service |
d1fe03 |
XTF_TRY_LOAD, &cs->matches);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
exit_printhelp(cs->matches);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/*
|
|
Packit Service |
d1fe03 |
* Option selection
|
|
Packit Service |
d1fe03 |
*/
|
|
Packit Service |
d1fe03 |
case 'p':
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_PROTOCOL,
|
|
Packit Service |
d1fe03 |
&args->invflags, cs->invert);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* Canonicalize into lower case */
|
|
Packit Service |
d1fe03 |
for (cs->protocol = optarg; *cs->protocol; cs->protocol++)
|
|
Packit Service |
d1fe03 |
*cs->protocol = tolower(*cs->protocol);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
cs->protocol = optarg;
|
|
Packit Service |
d1fe03 |
args->proto = xtables_parse_protocol(cs->protocol);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (args->proto == 0 &&
|
|
Packit Service |
d1fe03 |
(args->invflags & XT_INV_PROTO))
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"rule would never match protocol");
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* This needs to happen here to parse extensions */
|
|
Packit Service |
d1fe03 |
h->ops->proto_parse(cs, args);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 's':
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_SOURCE,
|
|
Packit Service |
d1fe03 |
&args->invflags, cs->invert);
|
|
Packit Service |
d1fe03 |
args->shostnetworkmask = optarg;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'd':
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_DESTINATION,
|
|
Packit Service |
d1fe03 |
&args->invflags, cs->invert);
|
|
Packit Service |
d1fe03 |
args->dhostnetworkmask = optarg;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
#ifdef IPT_F_GOTO
|
|
Packit Service |
d1fe03 |
case 'g':
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_JUMP, &args->invflags,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
args->goto_set = true;
|
|
Packit Service |
d1fe03 |
cs->jumpto = xt_parse_target(optarg);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
#endif
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'j':
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_JUMP, &cs->fw.ip.invflags,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
command_jump(cs, optarg);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'i':
|
|
Packit Service |
d1fe03 |
if (*optarg == '\0')
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"Empty interface is likely to be "
|
|
Packit Service |
d1fe03 |
"undesired");
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_VIANAMEIN,
|
|
Packit Service |
d1fe03 |
&args->invflags, cs->invert);
|
|
Packit Service |
d1fe03 |
xtables_parse_interface(optarg,
|
|
Packit Service |
d1fe03 |
args->iniface,
|
|
Packit Service |
d1fe03 |
args->iniface_mask);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'o':
|
|
Packit Service |
d1fe03 |
if (*optarg == '\0')
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"Empty interface is likely to be "
|
|
Packit Service |
d1fe03 |
"undesired");
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_VIANAMEOUT,
|
|
Packit Service |
d1fe03 |
&args->invflags, cs->invert);
|
|
Packit Service |
d1fe03 |
xtables_parse_interface(optarg,
|
|
Packit Service |
d1fe03 |
args->outiface,
|
|
Packit Service |
d1fe03 |
args->outiface_mask);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'f':
|
|
Packit Service |
d1fe03 |
if (args->family == AF_INET6) {
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"`-f' is not supported in IPv6, "
|
|
Packit Service |
d1fe03 |
"use -m frag instead");
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_FRAGMENT, &args->invflags,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
args->flags |= IPT_F_FRAG;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'v':
|
|
Packit Service |
d1fe03 |
if (!p->verbose)
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_VERBOSE,
|
|
Packit Service |
d1fe03 |
&args->invflags, cs->invert);
|
|
Packit Service |
d1fe03 |
p->verbose++;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'm':
|
|
Packit Service |
d1fe03 |
command_match(cs);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'n':
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_NUMERIC, &args->invflags,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 't':
|
|
Packit Service |
d1fe03 |
if (cs->invert)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"unexpected ! flag before --table");
|
|
Packit Service |
d1fe03 |
if (p->restore && table_set)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"The -t option (seen in line %u) cannot be used in %s.\n",
|
|
Packit Service |
d1fe03 |
line, xt_params->program_name);
|
|
Packit Service |
d1fe03 |
if (!nft_table_builtin_find(h, optarg))
|
|
Packit Service |
d1fe03 |
xtables_error(VERSION_PROBLEM,
|
|
Packit Service |
d1fe03 |
"table '%s' does not exist",
|
|
Packit Service |
d1fe03 |
optarg);
|
|
Packit Service |
d1fe03 |
p->table = optarg;
|
|
Packit Service |
d1fe03 |
table_set = true;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'x':
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_EXPANDED, &args->invflags,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'V':
|
|
Packit Service |
d1fe03 |
if (cs->invert)
|
|
Packit Service |
d1fe03 |
printf("Not %s ;-)\n", prog_vers);
|
|
Packit Service |
d1fe03 |
else
|
|
Packit Service |
d1fe03 |
printf("%s v%s (nf_tables)\n",
|
|
Packit Service |
d1fe03 |
prog_name, prog_vers);
|
|
Packit Service |
d1fe03 |
exit(0);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'w':
|
|
Packit Service |
d1fe03 |
if (p->restore) {
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"You cannot use `-w' from "
|
|
Packit Service |
d1fe03 |
"iptables-restore");
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
wait = parse_wait_time(argc, argv);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'W':
|
|
Packit Service |
d1fe03 |
if (p->restore) {
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"You cannot use `-W' from "
|
|
Packit Service |
d1fe03 |
"iptables-restore");
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
parse_wait_interval(argc, argv, &wait_interval);
|
|
Packit Service |
d1fe03 |
wait_interval_set = true;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case '0':
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_LINENUMBERS,
|
|
Packit Service |
d1fe03 |
&args->invflags, cs->invert);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'M':
|
|
Packit Service |
d1fe03 |
xtables_modprobe_program = optarg;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 'c':
|
|
Packit Service |
d1fe03 |
set_option(&cs->options, OPT_COUNTERS, &args->invflags,
|
|
Packit Service |
d1fe03 |
cs->invert);
|
|
Packit Service |
d1fe03 |
args->pcnt = optarg;
|
|
Packit Service |
d1fe03 |
args->bcnt = strchr(args->pcnt + 1, ',');
|
|
Packit Service |
d1fe03 |
if (args->bcnt)
|
|
Packit Service |
d1fe03 |
args->bcnt++;
|
|
Packit Service |
d1fe03 |
if (!args->bcnt && xs_has_arg(argc, argv))
|
|
Packit Service |
d1fe03 |
args->bcnt = argv[optind++];
|
|
Packit Service |
d1fe03 |
if (!args->bcnt)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"-%c requires packet and byte counter",
|
|
Packit Service |
d1fe03 |
opt2char(OPT_COUNTERS));
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (sscanf(args->pcnt, "%llu", &args->pcnt_cnt) != 1)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"-%c packet counter not numeric",
|
|
Packit Service |
d1fe03 |
opt2char(OPT_COUNTERS));
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (sscanf(args->bcnt, "%llu", &args->bcnt_cnt) != 1)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"-%c byte counter not numeric",
|
|
Packit Service |
d1fe03 |
opt2char(OPT_COUNTERS));
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case '4':
|
|
Packit Service |
3bbf1d |
if (args->family == AF_INET)
|
|
Packit Service |
3bbf1d |
break;
|
|
Packit Service |
3bbf1d |
|
|
Packit Service |
d1fe03 |
if (p->restore && args->family == AF_INET6)
|
|
Packit Service |
d1fe03 |
return;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
3bbf1d |
exit_tryhelp(2);
|
|
Packit Service |
06e338 |
|
|
Packit Service |
ae2aec |
case '6':
|
|
Packit Service |
3bbf1d |
if (args->family == AF_INET6)
|
|
Packit Service |
3bbf1d |
break;
|
|
Packit Service |
3bbf1d |
|
|
Packit Service |
d1fe03 |
if (p->restore && args->family == AF_INET)
|
|
Packit Service |
d1fe03 |
return;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
3bbf1d |
exit_tryhelp(2);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
case 1: /* non option */
|
|
Packit Service |
d1fe03 |
if (optarg[0] == '!' && optarg[1] == '\0') {
|
|
Packit Service |
d1fe03 |
if (cs->invert)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"multiple consecutive ! not"
|
|
Packit Service |
d1fe03 |
" allowed");
|
|
Packit Service |
d1fe03 |
cs->invert = true;
|
|
Packit Service |
d1fe03 |
optarg[0] = '\0';
|
|
Packit Service |
d1fe03 |
continue;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
fprintf(stderr, "Bad argument `%s'\n", optarg);
|
|
Packit Service |
d1fe03 |
exit_tryhelp(2);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
default:
|
|
Packit Service |
d1fe03 |
if (command_default(cs, &xtables_globals) == 1)
|
|
Packit Service |
d1fe03 |
/* cf. ip6tables.c */
|
|
Packit Service |
d1fe03 |
continue;
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
cs->invert = false;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (strcmp(p->table, "nat") == 0 &&
|
|
Packit Service |
d1fe03 |
((p->policy != NULL && strcmp(p->policy, "DROP") == 0) ||
|
|
Packit Service |
d1fe03 |
(cs->jumpto != NULL && strcmp(cs->jumpto, "DROP") == 0)))
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"\nThe \"nat\" table is not intended for filtering, "
|
|
Packit Service |
d1fe03 |
"the use of DROP is therefore inhibited.\n\n");
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (!wait && wait_interval_set)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"--wait-interval only makes sense with --wait\n");
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
for (matchp = cs->matches; matchp; matchp = matchp->next)
|
|
Packit Service |
d1fe03 |
xtables_option_mfcall(matchp->match);
|
|
Packit Service |
d1fe03 |
if (cs->target != NULL)
|
|
Packit Service |
d1fe03 |
xtables_option_tfcall(cs->target);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* Fix me: must put inverse options checking here --MN */
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (optind < argc)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"unknown arguments found on commandline");
|
|
Packit Service |
d1fe03 |
if (!p->command)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM, "no command specified");
|
|
Packit Service |
d1fe03 |
if (cs->invert)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"nothing appropriate following !");
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
/* Set only if required, needed by xtables-restore */
|
|
Packit Service |
d1fe03 |
if (h->family == AF_UNSPEC)
|
|
Packit Service |
d1fe03 |
h->family = args->family;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
h->ops->post_parse(p->command, cs, args);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (p->command == CMD_REPLACE &&
|
|
Packit Service |
d1fe03 |
(args->s.naddrs != 1 || args->d.naddrs != 1))
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM, "Replacement rule does not "
|
|
Packit Service |
d1fe03 |
"specify a unique address");
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
generic_opt_check(p->command, cs->options);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (p->chain != NULL && strlen(p->chain) >= XT_EXTENSION_MAXNAMELEN)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"chain name `%s' too long (must be under %u chars)",
|
|
Packit Service |
d1fe03 |
p->chain, XT_EXTENSION_MAXNAMELEN);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (p->command == CMD_APPEND ||
|
|
Packit Service |
d1fe03 |
p->command == CMD_DELETE ||
|
|
Packit Service |
d1fe03 |
p->command == CMD_DELETE_NUM ||
|
|
Packit Service |
d1fe03 |
p->command == CMD_CHECK ||
|
|
Packit Service |
d1fe03 |
p->command == CMD_INSERT ||
|
|
Packit Service |
d1fe03 |
p->command == CMD_REPLACE) {
|
|
Packit Service |
d1fe03 |
if (strcmp(p->chain, "PREROUTING") == 0
|
|
Packit Service |
d1fe03 |
|| strcmp(p->chain, "INPUT") == 0) {
|
|
Packit Service |
d1fe03 |
/* -o not valid with incoming packets. */
|
|
Packit Service |
d1fe03 |
if (cs->options & OPT_VIANAMEOUT)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"Can't use -%c with %s\n",
|
|
Packit Service |
d1fe03 |
opt2char(OPT_VIANAMEOUT),
|
|
Packit Service |
d1fe03 |
p->chain);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (strcmp(p->chain, "POSTROUTING") == 0
|
|
Packit Service |
d1fe03 |
|| strcmp(p->chain, "OUTPUT") == 0) {
|
|
Packit Service |
d1fe03 |
/* -i not valid with outgoing packets */
|
|
Packit Service |
d1fe03 |
if (cs->options & OPT_VIANAMEIN)
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"Can't use -%c with %s\n",
|
|
Packit Service |
d1fe03 |
opt2char(OPT_VIANAMEIN),
|
|
Packit Service |
d1fe03 |
p->chain);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (!p->xlate && !cs->target && strlen(cs->jumpto) > 0 &&
|
|
Packit Service |
d1fe03 |
!nft_chain_exists(h, p->table, cs->jumpto))
|
|
Packit Service |
d1fe03 |
xtables_error(PARAMETER_PROBLEM,
|
|
Packit Service |
d1fe03 |
"Chain '%s' does not exist", cs->jumpto);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
|
|
Packit Service |
d1fe03 |
bool restore)
|
|
Packit Service |
d1fe03 |
{
|
|
Packit Service |
d1fe03 |
int ret = 1;
|
|
Packit Service |
d1fe03 |
struct nft_xt_cmd_parse p = {
|
|
Packit Service |
d1fe03 |
.table = *table,
|
|
Packit Service |
d1fe03 |
.restore = restore,
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
struct iptables_command_state cs;
|
|
Packit Service |
d1fe03 |
struct xtables_args args = {
|
|
Packit Service |
d1fe03 |
.family = h->family,
|
|
Packit Service |
d1fe03 |
};
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
do_parse(h, argc, argv, &p, &cs, &args);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
switch (p.command) {
|
|
Packit Service |
d1fe03 |
case CMD_APPEND:
|
|
Packit Service |
d1fe03 |
ret = add_entry(p.chain, p.table, &cs, 0, h->family,
|
|
Packit Service |
d1fe03 |
args.s, args.d,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE, h, true);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_DELETE:
|
|
Packit Service |
d1fe03 |
ret = delete_entry(p.chain, p.table, &cs, h->family,
|
|
Packit Service |
d1fe03 |
args.s, args.d,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE, h);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_DELETE_NUM:
|
|
Packit Service |
d1fe03 |
ret = nft_rule_delete_num(h, p.chain, p.table,
|
|
Packit Service |
d1fe03 |
p.rulenum - 1, p.verbose);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_CHECK:
|
|
Packit Service |
d1fe03 |
ret = check_entry(p.chain, p.table, &cs, h->family,
|
|
Packit Service |
d1fe03 |
args.s, args.d,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE, h);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_REPLACE:
|
|
Packit Service |
d1fe03 |
ret = replace_entry(p.chain, p.table, &cs, p.rulenum - 1,
|
|
Packit Service |
d1fe03 |
h->family, args.s, args.d,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE, h);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_INSERT:
|
|
Packit Service |
d1fe03 |
ret = add_entry(p.chain, p.table, &cs, p.rulenum - 1,
|
|
Packit Service |
d1fe03 |
h->family, args.s, args.d,
|
|
Packit Service |
d1fe03 |
cs.options&OPT_VERBOSE, h, false);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_FLUSH:
|
|
Packit Service |
d1fe03 |
ret = nft_rule_flush(h, p.chain, p.table,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_ZERO:
|
|
Packit Service |
d1fe03 |
ret = nft_chain_zero_counters(h, p.chain, p.table,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_ZERO_NUM:
|
|
Packit Service |
d1fe03 |
ret = nft_rule_zero_counters(h, p.chain, p.table,
|
|
Packit Service |
d1fe03 |
p.rulenum - 1);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_LIST:
|
|
Packit Service |
d1fe03 |
case CMD_LIST|CMD_ZERO:
|
|
Packit Service |
d1fe03 |
case CMD_LIST|CMD_ZERO_NUM:
|
|
Packit Service |
d1fe03 |
ret = list_entries(h, p.chain, p.table, p.rulenum,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_NUMERIC,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_EXPANDED,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_LINENUMBERS);
|
|
Packit Service |
d1fe03 |
if (ret && (p.command & CMD_ZERO)) {
|
|
Packit Service |
d1fe03 |
ret = nft_chain_zero_counters(h, p.chain, p.table,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
if (ret && (p.command & CMD_ZERO_NUM)) {
|
|
Packit Service |
d1fe03 |
ret = nft_rule_zero_counters(h, p.chain, p.table,
|
|
Packit Service |
d1fe03 |
p.rulenum - 1);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
nft_check_xt_legacy(h->family, false);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_LIST_RULES:
|
|
Packit Service |
d1fe03 |
case CMD_LIST_RULES|CMD_ZERO:
|
|
Packit Service |
d1fe03 |
case CMD_LIST_RULES|CMD_ZERO_NUM:
|
|
Packit Service |
d1fe03 |
ret = list_rules(h, p.chain, p.table, p.rulenum,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE);
|
|
Packit Service |
d1fe03 |
if (ret && (p.command & CMD_ZERO)) {
|
|
Packit Service |
d1fe03 |
ret = nft_chain_zero_counters(h, p.chain, p.table,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
if (ret && (p.command & CMD_ZERO_NUM)) {
|
|
Packit Service |
d1fe03 |
ret = nft_rule_zero_counters(h, p.chain, p.table,
|
|
Packit Service |
d1fe03 |
p.rulenum - 1);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
nft_check_xt_legacy(h->family, false);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_NEW_CHAIN:
|
|
Packit Service |
d1fe03 |
ret = nft_chain_user_add(h, p.chain, p.table);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_DELETE_CHAIN:
|
|
Packit Service |
d1fe03 |
ret = nft_chain_user_del(h, p.chain, p.table,
|
|
Packit Service |
d1fe03 |
cs.options & OPT_VERBOSE);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_RENAME_CHAIN:
|
|
Packit Service |
d1fe03 |
ret = nft_chain_user_rename(h, p.chain, p.table, p.newname);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_SET_POLICY:
|
|
Packit Service |
d1fe03 |
ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL);
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
case CMD_NONE:
|
|
Packit Service |
d1fe03 |
/* do_parse ignored the line (eg: -4 with ip6tables-restore) */
|
|
Packit Service |
d1fe03 |
break;
|
|
Packit Service |
d1fe03 |
default:
|
|
Packit Service |
d1fe03 |
/* We should never reach this... */
|
|
Packit Service |
d1fe03 |
exit_tryhelp(2);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
*table = p.table;
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
xtables_rule_matches_free(&cs.matches);
|
|
Packit Service |
d1fe03 |
if (cs.target) {
|
|
Packit Service |
d1fe03 |
free(cs.target->t);
|
|
Packit Service |
d1fe03 |
cs.target->t = NULL;
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
if (h->family == AF_INET) {
|
|
Packit Service |
d1fe03 |
free(args.s.addr.v4);
|
|
Packit Service |
d1fe03 |
free(args.s.mask.v4);
|
|
Packit Service |
d1fe03 |
free(args.d.addr.v4);
|
|
Packit Service |
d1fe03 |
free(args.d.mask.v4);
|
|
Packit Service |
d1fe03 |
} else if (h->family == AF_INET6) {
|
|
Packit Service |
d1fe03 |
free(args.s.addr.v6);
|
|
Packit Service |
d1fe03 |
free(args.s.mask.v6);
|
|
Packit Service |
d1fe03 |
free(args.d.addr.v6);
|
|
Packit Service |
d1fe03 |
free(args.d.mask.v6);
|
|
Packit Service |
d1fe03 |
}
|
|
Packit Service |
d1fe03 |
xtables_free_opts(1);
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
return ret;
|
|
Packit Service |
d1fe03 |
}
|