m_ipt.c revision 53c017880b311d7d68926109d4248c900286f6b7
1c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch/* 2c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch * m_ipt.c iptables based targets 3c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch * utilities mostly ripped from iptables <duh, its the linux way> 4c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch * 5c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch * This program is free software; you can distribute it and/or 6c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch * modify it under the terms of the GNU General Public License 7c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch * as published by the Free Software Foundation; either version 8c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch * 2 of the License, or (at your option) any later version. 9c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch * 10c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch * Authors: J Hadi Salim (hadi@cyberus.ca) 11c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch */ 12bb1529ce867d8845a77ec7cdf3e3003ef1771a40Ben Murdoch 13bb1529ce867d8845a77ec7cdf3e3003ef1771a40Ben Murdoch#include <syslog.h> 14bb1529ce867d8845a77ec7cdf3e3003ef1771a40Ben Murdoch#include <sys/socket.h> 15bb1529ce867d8845a77ec7cdf3e3003ef1771a40Ben Murdoch#include <netinet/in.h> 16bb1529ce867d8845a77ec7cdf3e3003ef1771a40Ben Murdoch#include <arpa/inet.h> 17bb1529ce867d8845a77ec7cdf3e3003ef1771a40Ben Murdoch#include <linux/if.h> 18bb1529ce867d8845a77ec7cdf3e3003ef1771a40Ben Murdoch#include <iptables.h> 19bb1529ce867d8845a77ec7cdf3e3003ef1771a40Ben Murdoch#include <linux/netfilter_ipv4/ip_tables.h> 20c5cede9ae108bb15f6b7a8aea21c7e1fefa2834cBen Murdoch#include "utils.h" 21#include "tc_util.h" 22#include <linux/tc_act/tc_ipt.h> 23#include <stdio.h> 24#include <dlfcn.h> 25#include <getopt.h> 26#include <errno.h> 27#include <string.h> 28#include <netdb.h> 29#include <stdlib.h> 30#include <ctype.h> 31#include <stdarg.h> 32#include <limits.h> 33#include <unistd.h> 34#include <fcntl.h> 35#include <sys/wait.h> 36 37static const char *pname = "tc-ipt"; 38static const char *tname = "mangle"; 39static const char *pversion = "0.1"; 40 41static const char *ipthooks[] = { 42 "NF_IP_PRE_ROUTING", 43 "NF_IP_LOCAL_IN", 44 "NF_IP_FORWARD", 45 "NF_IP_LOCAL_OUT", 46 "NF_IP_POST_ROUTING", 47}; 48 49static struct option original_opts[] = { 50 {"jump", 1, 0, 'j'}, 51 {0, 0, 0, 0} 52}; 53 54static struct iptables_target *t_list = NULL; 55static struct option *opts = original_opts; 56static unsigned int global_option_offset = 0; 57#define OPTION_OFFSET 256 58 59char *lib_dir; 60 61void 62register_target(struct iptables_target *me) 63{ 64/* fprintf(stderr, "\nDummy register_target %s \n", me->name); 65*/ 66 me->next = t_list; 67 t_list = me; 68 69} 70 71void 72xtables_register_target(struct iptables_target *me) 73{ 74 me->next = t_list; 75 t_list = me; 76} 77 78void 79exit_tryhelp(int status) 80{ 81 fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", 82 pname, pname); 83 exit(status); 84} 85 86void 87exit_error(enum exittype status, char *msg, ...) 88{ 89 va_list args; 90 91 va_start(args, msg); 92 fprintf(stderr, "%s v%s: ", pname, pversion); 93 vfprintf(stderr, msg, args); 94 va_end(args); 95 fprintf(stderr, "\n"); 96 if (status == PARAMETER_PROBLEM) 97 exit_tryhelp(status); 98 if (status == VERSION_PROBLEM) 99 fprintf(stderr, 100 "Perhaps iptables or your kernel needs to be upgraded.\n"); 101 exit(status); 102} 103 104/* stolen from iptables 1.2.11 105They should really have them as a library so i can link to them 106Email them next time i remember 107*/ 108 109char * 110addr_to_dotted(const struct in_addr *addrp) 111{ 112 static char buf[20]; 113 const unsigned char *bytep; 114 115 bytep = (const unsigned char *) &(addrp->s_addr); 116 sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]); 117 return buf; 118} 119 120int string_to_number_ll(const char *s, unsigned long long min, 121 unsigned long long max, 122 unsigned long long *ret) 123{ 124 unsigned long long number; 125 char *end; 126 127 /* Handle hex, octal, etc. */ 128 errno = 0; 129 number = strtoull(s, &end, 0); 130 if (*end == '\0' && end != s) { 131 /* we parsed a number, let's see if we want this */ 132 if (errno != ERANGE && min <= number && (!max || number <= max)) { 133 *ret = number; 134 return 0; 135 } 136 } 137 return -1; 138} 139 140int string_to_number_l(const char *s, unsigned long min, unsigned long max, 141 unsigned long *ret) 142{ 143 int result; 144 unsigned long long number; 145 146 result = string_to_number_ll(s, min, max, &number); 147 *ret = (unsigned long)number; 148 149 return result; 150} 151 152int string_to_number(const char *s, unsigned int min, unsigned int max, 153 unsigned int *ret) 154{ 155 int result; 156 unsigned long number; 157 158 result = string_to_number_l(s, min, max, &number); 159 *ret = (unsigned int)number; 160 161 return result; 162} 163 164static void free_opts(struct option *opts) 165{ 166 if (opts != original_opts) { 167 free(opts); 168 opts = original_opts; 169 global_option_offset = 0; 170 } 171} 172 173static struct option * 174merge_options(struct option *oldopts, const struct option *newopts, 175 unsigned int *option_offset) 176{ 177 struct option *merge; 178 unsigned int num_old, num_new, i; 179 180 for (num_old = 0; oldopts[num_old].name; num_old++) ; 181 for (num_new = 0; newopts[num_new].name; num_new++) ; 182 183 *option_offset = global_option_offset + OPTION_OFFSET; 184 185 merge = malloc(sizeof (struct option) * (num_new + num_old + 1)); 186 memcpy(merge, oldopts, num_old * sizeof (struct option)); 187 for (i = 0; i < num_new; i++) { 188 merge[num_old + i] = newopts[i]; 189 merge[num_old + i].val += *option_offset; 190 } 191 memset(merge + num_old + num_new, 0, sizeof (struct option)); 192 193 return merge; 194} 195 196static void * 197fw_calloc(size_t count, size_t size) 198{ 199 void *p; 200 201 if ((p = (void *) calloc(count, size)) == NULL) { 202 perror("iptables: calloc failed"); 203 exit(1); 204 } 205 return p; 206} 207 208static struct iptables_target * 209find_t(char *name) 210{ 211 struct iptables_target *m; 212 for (m = t_list; m; m = m->next) { 213 if (strcmp(m->name, name) == 0) 214 return m; 215 } 216 217 return NULL; 218} 219 220static struct iptables_target * 221get_target_name(const char *name) 222{ 223 void *handle; 224 char *error; 225 char *new_name, *lname; 226 struct iptables_target *m; 227 char path[strlen(lib_dir) + sizeof ("/libipt_.so") + strlen(name)]; 228 229 new_name = malloc(strlen(name) + 1); 230 lname = malloc(strlen(name) + 1); 231 if (new_name) 232 memset(new_name, '\0', strlen(name) + 1); 233 else 234 exit_error(PARAMETER_PROBLEM, "get_target_name"); 235 236 if (lname) 237 memset(lname, '\0', strlen(name) + 1); 238 else 239 exit_error(PARAMETER_PROBLEM, "get_target_name"); 240 241 strcpy(new_name, name); 242 strcpy(lname, name); 243 244 if (isupper(lname[0])) { 245 int i; 246 for (i = 0; i < strlen(name); i++) { 247 lname[i] = tolower(lname[i]); 248 } 249 } 250 251 if (islower(new_name[0])) { 252 int i; 253 for (i = 0; i < strlen(new_name); i++) { 254 new_name[i] = toupper(new_name[i]); 255 } 256 } 257 258 /* try libxt_xx first */ 259 sprintf(path, "%s/libxt_%s.so", lib_dir, new_name); 260 handle = dlopen(path, RTLD_LAZY); 261 if (!handle) { 262 /* try libipt_xx next */ 263 sprintf(path, "%s/libipt_%s.so", lib_dir, new_name); 264 handle = dlopen(path, RTLD_LAZY); 265 266 if (!handle) { 267 sprintf(path, "%s/libxt_%s.so", lib_dir , lname); 268 handle = dlopen(path, RTLD_LAZY); 269 } 270 271 if (!handle) { 272 sprintf(path, "%s/libipt_%s.so", lib_dir , lname); 273 handle = dlopen(path, RTLD_LAZY); 274 } 275 /* ok, lets give up .. */ 276 if (!handle) { 277 fputs(dlerror(), stderr); 278 printf("\n"); 279 return NULL; 280 } 281 } 282 283 m = dlsym(handle, new_name); 284 if ((error = dlerror()) != NULL) { 285 m = (struct iptables_target *) dlsym(handle, lname); 286 if ((error = dlerror()) != NULL) { 287 m = find_t(new_name); 288 if (NULL == m) { 289 m = find_t(lname); 290 if (NULL == m) { 291 fputs(error, stderr); 292 fprintf(stderr, "\n"); 293 dlclose(handle); 294 return NULL; 295 } 296 } 297 } 298 } 299 300 return m; 301} 302 303 304struct in_addr *dotted_to_addr(const char *dotted) 305{ 306 static struct in_addr addr; 307 unsigned char *addrp; 308 char *p, *q; 309 unsigned int onebyte; 310 int i; 311 char buf[20]; 312 313 /* copy dotted string, because we need to modify it */ 314 strncpy(buf, dotted, sizeof (buf) - 1); 315 addrp = (unsigned char *) &(addr.s_addr); 316 317 p = buf; 318 for (i = 0; i < 3; i++) { 319 if ((q = strchr(p, '.')) == NULL) 320 return (struct in_addr *) NULL; 321 322 *q = '\0'; 323 if (string_to_number(p, 0, 255, &onebyte) == -1) 324 return (struct in_addr *) NULL; 325 326 addrp[i] = (unsigned char) onebyte; 327 p = q + 1; 328 } 329 330 /* we've checked 3 bytes, now we check the last one */ 331 if (string_to_number(p, 0, 255, &onebyte) == -1) 332 return (struct in_addr *) NULL; 333 334 addrp[3] = (unsigned char) onebyte; 335 336 return &addr; 337} 338 339static void set_revision(char *name, u_int8_t revision) 340{ 341 /* Old kernel sources don't have ".revision" field, 342 * but we stole a byte from name. */ 343 name[IPT_FUNCTION_MAXNAMELEN - 2] = '\0'; 344 name[IPT_FUNCTION_MAXNAMELEN - 1] = revision; 345} 346 347/* 348 * we may need to check for version mismatch 349*/ 350int 351build_st(struct iptables_target *target, struct ipt_entry_target *t) 352{ 353 unsigned int nfcache = 0; 354 355 if (target) { 356 size_t size; 357 358 size = 359 IPT_ALIGN(sizeof (struct ipt_entry_target)) + target->size; 360 361 if (NULL == t) { 362 target->t = fw_calloc(1, size); 363 target->t->u.target_size = size; 364 365 if (target->init != NULL) 366 target->init(target->t, &nfcache); 367 set_revision(target->t->u.user.name, target->revision); 368 } else { 369 target->t = t; 370 } 371 strcpy(target->t->u.user.name, target->name); 372 return 0; 373 } 374 375 return -1; 376} 377 378static int parse_ipt(struct action_util *a,int *argc_p, 379 char ***argv_p, int tca_id, struct nlmsghdr *n) 380{ 381 struct iptables_target *m = NULL; 382 struct ipt_entry fw; 383 struct rtattr *tail; 384 int c; 385 int rargc = *argc_p; 386 char **argv = *argv_p; 387 int argc = 0, iargc = 0; 388 char k[16]; 389 int res = -1; 390 int size = 0; 391 int iok = 0, ok = 0; 392 __u32 hook = 0, index = 0; 393 res = 0; 394 395 lib_dir = getenv("IPTABLES_LIB_DIR"); 396 if (!lib_dir) 397 lib_dir = IPT_LIB_DIR; 398 399 { 400 int i; 401 for (i = 0; i < rargc; i++) { 402 if (NULL == argv[i] || 0 == strcmp(argv[i], "action")) { 403 break; 404 } 405 } 406 iargc = argc = i; 407 } 408 409 if (argc <= 2) { 410 fprintf(stderr,"bad arguements to ipt %d vs %d \n", argc, rargc); 411 return -1; 412 } 413 414 while (1) { 415 c = getopt_long(argc, argv, "j:", opts, NULL); 416 if (c == -1) 417 break; 418 switch (c) { 419 case 'j': 420 m = get_target_name(optarg); 421 if (NULL != m) { 422 423 if (0 > build_st(m, NULL)) { 424 printf(" %s error \n", m->name); 425 return -1; 426 } 427 opts = 428 merge_options(opts, m->extra_opts, 429 &m->option_offset); 430 } else { 431 fprintf(stderr," failed to find target %s\n\n", optarg); 432 return -1; 433 } 434 ok++; 435 break; 436 437 default: 438 memset(&fw, 0, sizeof (fw)); 439 if (m) { 440 m->parse(c - m->option_offset, argv, 0, 441 &m->tflags, NULL, &m->t); 442 } else { 443 fprintf(stderr," failed to find target %s\n\n", optarg); 444 return -1; 445 446 } 447 ok++; 448 break; 449 450 } 451 } 452 453 if (iargc > optind) { 454 if (matches(argv[optind], "index") == 0) { 455 if (get_u32(&index, argv[optind + 1], 10)) { 456 fprintf(stderr, "Illegal \"index\"\n"); 457 free_opts(opts); 458 return -1; 459 } 460 iok++; 461 462 optind += 2; 463 } 464 } 465 466 if (!ok && !iok) { 467 fprintf(stderr," ipt Parser BAD!! (%s)\n", *argv); 468 return -1; 469 } 470 471 /* check that we passed the correct parameters to the target */ 472 if (m) 473 m->final_check(m->tflags); 474 475 { 476 struct tcmsg *t = NLMSG_DATA(n); 477 if (t->tcm_parent != TC_H_ROOT 478 && t->tcm_parent == TC_H_MAJ(TC_H_INGRESS)) { 479 hook = NF_IP_PRE_ROUTING; 480 } else { 481 hook = NF_IP_POST_ROUTING; 482 } 483 } 484 485 tail = NLMSG_TAIL(n); 486 addattr_l(n, MAX_MSG, tca_id, NULL, 0); 487 fprintf(stdout, "tablename: %s hook: %s\n ", tname, ipthooks[hook]); 488 fprintf(stdout, "\ttarget: "); 489 490 if (m) 491 m->print(NULL, m->t, 0); 492 fprintf(stdout, " index %d\n", index); 493 494 if (strlen(tname) > 16) { 495 size = 16; 496 k[15] = 0; 497 } else { 498 size = 1 + strlen(tname); 499 } 500 strncpy(k, tname, size); 501 502 addattr_l(n, MAX_MSG, TCA_IPT_TABLE, k, size); 503 addattr_l(n, MAX_MSG, TCA_IPT_HOOK, &hook, 4); 504 addattr_l(n, MAX_MSG, TCA_IPT_INDEX, &index, 4); 505 if (m) 506 addattr_l(n, MAX_MSG, TCA_IPT_TARG, m->t, m->t->u.target_size); 507 tail->rta_len = (void *) NLMSG_TAIL(n) - (void *) tail; 508 509 argc -= optind; 510 argv += optind; 511 *argc_p = rargc - iargc; 512 *argv_p = argv; 513 514 optind = 1; 515 free_opts(opts); 516 517 return 0; 518 519} 520 521static int 522print_ipt(struct action_util *au,FILE * f, struct rtattr *arg) 523{ 524 struct rtattr *tb[TCA_IPT_MAX + 1]; 525 struct ipt_entry_target *t = NULL; 526 527 if (arg == NULL) 528 return -1; 529 530 lib_dir = getenv("IPTABLES_LIB_DIR"); 531 if (!lib_dir) 532 lib_dir = IPT_LIB_DIR; 533 534 parse_rtattr_nested(tb, TCA_IPT_MAX, arg); 535 536 if (tb[TCA_IPT_TABLE] == NULL) { 537 fprintf(f, "[NULL ipt table name ] assuming mangle "); 538 } else { 539 fprintf(f, "tablename: %s ", 540 (char *) RTA_DATA(tb[TCA_IPT_TABLE])); 541 } 542 543 if (tb[TCA_IPT_HOOK] == NULL) { 544 fprintf(f, "[NULL ipt hook name ]\n "); 545 return -1; 546 } else { 547 __u32 hook; 548 hook = *(__u32 *) RTA_DATA(tb[TCA_IPT_HOOK]); 549 fprintf(f, " hook: %s \n", ipthooks[hook]); 550 } 551 552 if (tb[TCA_IPT_TARG] == NULL) { 553 fprintf(f, "\t[NULL ipt target parameters ] \n"); 554 return -1; 555 } else { 556 struct iptables_target *m = NULL; 557 t = RTA_DATA(tb[TCA_IPT_TARG]); 558 m = get_target_name(t->u.user.name); 559 if (NULL != m) { 560 if (0 > build_st(m, t)) { 561 fprintf(stderr, " %s error \n", m->name); 562 return -1; 563 } 564 565 opts = 566 merge_options(opts, m->extra_opts, 567 &m->option_offset); 568 } else { 569 fprintf(stderr, " failed to find target %s\n\n", 570 t->u.user.name); 571 return -1; 572 } 573 fprintf(f, "\ttarget "); 574 m->print(NULL, m->t, 0); 575 if (tb[TCA_IPT_INDEX] == NULL) { 576 fprintf(f, " [NULL ipt target index ]\n"); 577 } else { 578 __u32 index; 579 index = *(__u32 *) RTA_DATA(tb[TCA_IPT_INDEX]); 580 fprintf(f, " \n\tindex %d", index); 581 } 582 583 if (tb[TCA_IPT_CNT]) { 584 struct tc_cnt *c = RTA_DATA(tb[TCA_IPT_CNT]);; 585 fprintf(f, " ref %d bind %d", c->refcnt, c->bindcnt); 586 } 587 if (show_stats) { 588 if (tb[TCA_IPT_TM]) { 589 struct tcf_t *tm = RTA_DATA(tb[TCA_IPT_TM]); 590 print_tm(f,tm); 591 } 592 } 593 fprintf(f, " \n"); 594 595 } 596 free_opts(opts); 597 598 return 0; 599} 600 601struct action_util ipt_action_util = { 602 .id = "ipt", 603 .parse_aopt = parse_ipt, 604 .print_aopt = print_ipt, 605}; 606 607