m_ipt.c revision ae665a522bd46bea44c5ea84c89c8b1731954170
1/* 2 * m_ipt.c iptables based targets 3 * utilities mostly ripped from iptables <duh, its the linux way> 4 * 5 * This program is free software; you can distribute it and/or 6 * modify it under the terms of the GNU General Public License 7 * as published by the Free Software Foundation; either version 8 * 2 of the License, or (at your option) any later version. 9 * 10 * Authors: J Hadi Salim (hadi@cyberus.ca) 11 * 12 * TODO: bad bad hardcoding IPT_LIB_DIR and PROC_SYS_MODPROBE 13 * 14*/ 15 16#include <syslog.h> 17#include <sys/socket.h> 18#include <netinet/in.h> 19#include <arpa/inet.h> 20#include <iptables.h> 21#include <linux/netfilter_ipv4/ip_tables.h> 22#include "utils.h" 23#include "tc_util.h" 24#include <linux/tc_act/tc_ipt.h> 25#include <stdio.h> 26#include <dlfcn.h> 27#include <getopt.h> 28#include <errno.h> 29#include <string.h> 30#include <netdb.h> 31#include <stdlib.h> 32#include <ctype.h> 33#include <stdarg.h> 34#include <limits.h> 35#include <unistd.h> 36#include <fcntl.h> 37#include <sys/wait.h> 38 39const char *pname = "tc-ipt"; 40const char *tname = "mangle"; 41const char *pversion = "0.1"; 42 43#ifndef TRUE 44#define TRUE 1 45#endif 46#ifndef FALSE 47#define FALSE 0 48#endif 49 50#ifndef IPT_LIB_DIR 51#define IPT_LIB_DIR "/usr/local/lib/iptables" 52#endif 53 54#ifndef PROC_SYS_MODPROBE 55#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe" 56#endif 57 58static const char *ipthooks[] = { 59 "NF_IP_PRE_ROUTING", 60 "NF_IP_LOCAL_IN", 61 "NF_IP_FORWARD", 62 "NF_IP_LOCAL_OUT", 63 "NF_IP_POST_ROUTING", 64}; 65 66static struct option original_opts[] = { 67 {"jump", 1, 0, 'j'}, 68 {0, 0, 0, 0} 69}; 70 71static struct iptables_target *t_list = NULL; 72static struct option *opts = original_opts; 73static unsigned int global_option_offset = 0; 74#define OPTION_OFFSET 256 75 76 77void 78register_target(struct iptables_target *me) 79{ 80/* fprintf(stderr, "\nDummy register_target %s \n", me->name); 81*/ 82 me->next = t_list; 83 t_list = me; 84 85} 86 87void 88exit_tryhelp(int status) 89{ 90 fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", 91 pname, pname); 92 exit(status); 93} 94 95void 96exit_error(enum exittype status, char *msg, ...) 97{ 98 va_list args; 99 100 va_start(args, msg); 101 fprintf(stderr, "%s v%s: ", pname, pversion); 102 vfprintf(stderr, msg, args); 103 va_end(args); 104 fprintf(stderr, "\n"); 105 if (status == PARAMETER_PROBLEM) 106 exit_tryhelp(status); 107 if (status == VERSION_PROBLEM) 108 fprintf(stderr, 109 "Perhaps iptables or your kernel needs to be upgraded.\n"); 110 exit(status); 111} 112 113/* stolen from iptables 1.2.11 114They should really have them as a library so i can link to them 115Email them next time i remember 116*/ 117 118char * 119addr_to_dotted(const struct in_addr *addrp) 120{ 121 static char buf[20]; 122 const unsigned char *bytep; 123 124 bytep = (const unsigned char *) &(addrp->s_addr); 125 sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]); 126 return buf; 127} 128 129int string_to_number_ll(const char *s, unsigned long long min, 130 unsigned long long max, 131 unsigned long long *ret) 132{ 133 unsigned long long number; 134 char *end; 135 136 /* Handle hex, octal, etc. */ 137 errno = 0; 138 number = strtoull(s, &end, 0); 139 if (*end == '\0' && end != s) { 140 /* we parsed a number, let's see if we want this */ 141 if (errno != ERANGE && min <= number && (!max || number <= max)) { 142 *ret = number; 143 return 0; 144 } 145 } 146 return -1; 147} 148 149int string_to_number_l(const char *s, unsigned long min, unsigned long max, 150 unsigned long *ret) 151{ 152 int result; 153 unsigned long long number; 154 155 result = string_to_number_ll(s, min, max, &number); 156 *ret = (unsigned long)number; 157 158 return result; 159} 160 161int string_to_number(const char *s, unsigned int min, unsigned int max, 162 unsigned int *ret) 163{ 164 int result; 165 unsigned long number; 166 167 result = string_to_number_l(s, min, max, &number); 168 *ret = (unsigned int)number; 169 170 return result; 171} 172 173static void free_opts(struct option *opts) 174{ 175 if (opts != original_opts) { 176 free(opts); 177 opts = original_opts; 178 global_option_offset = 0; 179 } 180} 181 182static struct option * 183merge_options(struct option *oldopts, const struct option *newopts, 184 unsigned int *option_offset) 185{ 186 struct option *merge; 187 unsigned int num_old, num_new, i; 188 189 for (num_old = 0; oldopts[num_old].name; num_old++) ; 190 for (num_new = 0; newopts[num_new].name; num_new++) ; 191 192 *option_offset = global_option_offset + OPTION_OFFSET; 193 194 merge = malloc(sizeof (struct option) * (num_new + num_old + 1)); 195 memcpy(merge, oldopts, num_old * sizeof (struct option)); 196 for (i = 0; i < num_new; i++) { 197 merge[num_old + i] = newopts[i]; 198 merge[num_old + i].val += *option_offset; 199 } 200 memset(merge + num_old + num_new, 0, sizeof (struct option)); 201 202 return merge; 203} 204 205static void * 206fw_calloc(size_t count, size_t size) 207{ 208 void *p; 209 210 if ((p = (void *) calloc(count, size)) == NULL) { 211 perror("iptables: calloc failed"); 212 exit(1); 213 } 214 return p; 215} 216 217static struct iptables_target * 218find_t(char *name) 219{ 220 struct iptables_target *m; 221 for (m = t_list; m; m = m->next) { 222 if (strcmp(m->name, name) == 0) 223 return m; 224 } 225 226 return NULL; 227} 228 229static struct iptables_target * 230get_target_name(char *name) 231{ 232 void *handle; 233 char *error; 234 char *new_name, *lname; 235 struct iptables_target *m; 236 237 char path[sizeof (IPT_LIB_DIR) + sizeof ("/libipt_.so") + strlen(name)]; 238 239 new_name = malloc(strlen(name) + 1); 240 lname = malloc(strlen(name) + 1); 241 if (new_name) 242 memset(new_name, '\0', strlen(name) + 1); 243 else 244 exit_error(PARAMETER_PROBLEM, "get_target_name"); 245 246 if (lname) 247 memset(lname, '\0', strlen(name) + 1); 248 else 249 exit_error(PARAMETER_PROBLEM, "get_target_name"); 250 251 strcpy(new_name, name); 252 strcpy(lname, name); 253 254 if (isupper(lname[0])) { 255 int i; 256 for (i = 0; i < strlen(name); i++) { 257 lname[i] = tolower(lname[i]); 258 } 259 } 260 261 if (islower(new_name[0])) { 262 int i; 263 for (i = 0; i < strlen(new_name); i++) { 264 new_name[i] = toupper(new_name[i]); 265 } 266 } 267 268 sprintf(path, IPT_LIB_DIR "/libipt_%s.so", new_name); 269 handle = dlopen(path, RTLD_LAZY); 270 if (!handle) { 271 sprintf(path, IPT_LIB_DIR "/libipt_%s.so", lname); 272 handle = dlopen(path, RTLD_LAZY); 273 if (!handle) { 274 fputs(dlerror(), stderr); 275 printf("\n"); 276 return NULL; 277 } 278 } 279 280 m = dlsym(handle, new_name); 281 if ((error = dlerror()) != NULL) { 282 m = (struct iptables_target *) dlsym(handle, lname); 283 if ((error = dlerror()) != NULL) { 284 m = find_t(new_name); 285 if (NULL == m) { 286 m = find_t(lname); 287 if (NULL == m) { 288 fputs(error, stderr); 289 fprintf(stderr, "\n"); 290 dlclose(handle); 291 return NULL; 292 } 293 } 294 } 295 } 296 297 return m; 298} 299 300 301struct in_addr *dotted_to_addr(const char *dotted) 302{ 303 static struct in_addr addr; 304 unsigned char *addrp; 305 char *p, *q; 306 unsigned int onebyte; 307 int i; 308 char buf[20]; 309 310 /* copy dotted string, because we need to modify it */ 311 strncpy(buf, dotted, sizeof (buf) - 1); 312 addrp = (unsigned char *) &(addr.s_addr); 313 314 p = buf; 315 for (i = 0; i < 3; i++) { 316 if ((q = strchr(p, '.')) == NULL) 317 return (struct in_addr *) NULL; 318 319 *q = '\0'; 320 if (string_to_number(p, 0, 255, &onebyte) == -1) 321 return (struct in_addr *) NULL; 322 323 addrp[i] = (unsigned char) onebyte; 324 p = q + 1; 325 } 326 327 /* we've checked 3 bytes, now we check the last one */ 328 if (string_to_number(p, 0, 255, &onebyte) == -1) 329 return (struct in_addr *) NULL; 330 331 addrp[3] = (unsigned char) onebyte; 332 333 return &addr; 334} 335 336static void set_revision(char *name, u_int8_t revision) 337{ 338 /* Old kernel sources don't have ".revision" field, 339 * but we stole a byte from name. */ 340 name[IPT_FUNCTION_MAXNAMELEN - 2] = '\0'; 341 name[IPT_FUNCTION_MAXNAMELEN - 1] = revision; 342} 343 344/* 345 * we may need to check for version mismatch 346*/ 347int 348build_st(struct iptables_target *target, struct ipt_entry_target *t) 349{ 350 unsigned int nfcache = 0; 351 352 if (target) { 353 size_t size; 354 355 size = 356 IPT_ALIGN(sizeof (struct ipt_entry_target)) + target->size; 357 358 if (NULL == t) { 359 target->t = fw_calloc(1, size); 360 target->t->u.target_size = size; 361 362 if (target->init != NULL) 363 target->init(target->t, &nfcache); 364 set_revision(target->t->u.user.name, target->revision); 365 } else { 366 target->t = t; 367 } 368 strcpy(target->t->u.user.name, target->name); 369 return 0; 370 } 371 372 return -1; 373} 374 375static int parse_ipt(struct action_util *a,int *argc_p, 376 char ***argv_p, int tca_id, struct nlmsghdr *n) 377{ 378 struct iptables_target *m = NULL; 379 struct ipt_entry fw; 380 struct rtattr *tail; 381 int c; 382 int rargc = *argc_p; 383 char **argv = *argv_p; 384 int argc = 0, iargc = 0; 385 char k[16]; 386 int res = -1; 387 int size = 0; 388 int iok = 0, ok = 0; 389 __u32 hook = 0, index = 0; 390 res = 0; 391 392 { 393 int i; 394 for (i = 0; i < rargc; i++) { 395 if (NULL == argv[i] || 0 == strcmp(argv[i], "action")) { 396 break; 397 } 398 } 399 iargc = argc = i; 400 } 401 402 if (argc <= 2) { 403 fprintf(stderr,"bad arguements to ipt %d vs %d \n", argc, rargc); 404 return -1; 405 } 406 407 while (1) { 408 c = getopt_long(argc, argv, "j:", opts, NULL); 409 if (c == -1) 410 break; 411 switch (c) { 412 case 'j': 413 m = get_target_name(optarg); 414 if (NULL != m) { 415 416 if (0 > build_st(m, NULL)) { 417 printf(" %s error \n", m->name); 418 return -1; 419 } 420 opts = 421 merge_options(opts, m->extra_opts, 422 &m->option_offset); 423 } else { 424 fprintf(stderr," failed to find target %s\n\n", optarg); 425 return -1; 426 } 427 ok++; 428 break; 429 430 default: 431 memset(&fw, 0, sizeof (fw)); 432 if (m) { 433 m->parse(c - m->option_offset, argv, 0, 434 &m->tflags, NULL, &m->t); 435 } else { 436 fprintf(stderr," failed to find target %s\n\n", optarg); 437 return -1; 438 439 } 440 ok++; 441 break; 442 443 } 444 } 445 446 if (iargc > optind) { 447 if (matches(argv[optind], "index") == 0) { 448 if (get_u32(&index, argv[optind + 1], 10)) { 449 fprintf(stderr, "Illegal \"index\"\n"); 450 free_opts(opts); 451 return -1; 452 } 453 iok++; 454 455 optind += 2; 456 } 457 } 458 459 if (!ok && !iok) { 460 fprintf(stderr," ipt Parser BAD!! (%s)\n", *argv); 461 return -1; 462 } 463 464 /* check that we passed the correct parameters to the target */ 465 if (m) 466 m->final_check(m->tflags); 467 468 { 469 struct tcmsg *t = NLMSG_DATA(n); 470 if (t->tcm_parent != TC_H_ROOT 471 && t->tcm_parent == TC_H_MAJ(TC_H_INGRESS)) { 472 hook = NF_IP_PRE_ROUTING; 473 } else { 474 hook = NF_IP_POST_ROUTING; 475 } 476 } 477 478 tail = NLMSG_TAIL(n); 479 addattr_l(n, MAX_MSG, tca_id, NULL, 0); 480 fprintf(stdout, "tablename: %s hook: %s\n ", tname, ipthooks[hook]); 481 fprintf(stdout, "\ttarget: "); 482 483 if (m) 484 m->print(NULL, m->t, 0); 485 fprintf(stdout, " index %d\n", index); 486 487 if (strlen(tname) > 16) { 488 size = 16; 489 k[15] = 0; 490 } else { 491 size = 1 + strlen(tname); 492 } 493 strncpy(k, tname, size); 494 495 addattr_l(n, MAX_MSG, TCA_IPT_TABLE, k, size); 496 addattr_l(n, MAX_MSG, TCA_IPT_HOOK, &hook, 4); 497 addattr_l(n, MAX_MSG, TCA_IPT_INDEX, &index, 4); 498 if (m) 499 addattr_l(n, MAX_MSG, TCA_IPT_TARG, m->t, m->t->u.target_size); 500 tail->rta_len = (void *) NLMSG_TAIL(n) - (void *) tail; 501 502 argc -= optind; 503 argv += optind; 504 *argc_p = rargc - iargc; 505 *argv_p = argv; 506 507 optind = 1; 508 free_opts(opts); 509 510 return 0; 511 512} 513 514static int 515print_ipt(struct action_util *au,FILE * f, struct rtattr *arg) 516{ 517 struct rtattr *tb[TCA_IPT_MAX + 1]; 518 struct ipt_entry_target *t = NULL; 519 520 if (arg == NULL) 521 return -1; 522 523 parse_rtattr_nested(tb, TCA_IPT_MAX, arg); 524 525 if (tb[TCA_IPT_TABLE] == NULL) { 526 fprintf(f, "[NULL ipt table name ] assuming mangle "); 527 } else { 528 fprintf(f, "tablename: %s ", 529 (char *) RTA_DATA(tb[TCA_IPT_TABLE])); 530 } 531 532 if (tb[TCA_IPT_HOOK] == NULL) { 533 fprintf(f, "[NULL ipt hook name ]\n "); 534 return -1; 535 } else { 536 __u32 hook; 537 hook = *(__u32 *) RTA_DATA(tb[TCA_IPT_HOOK]); 538 fprintf(f, " hook: %s \n", ipthooks[hook]); 539 } 540 541 if (tb[TCA_IPT_TARG] == NULL) { 542 fprintf(f, "\t[NULL ipt target parameters ] \n"); 543 return -1; 544 } else { 545 struct iptables_target *m = NULL; 546 t = RTA_DATA(tb[TCA_IPT_TARG]); 547 m = get_target_name(t->u.user.name); 548 if (NULL != m) { 549 if (0 > build_st(m, t)) { 550 fprintf(stderr, " %s error \n", m->name); 551 return -1; 552 } 553 554 opts = 555 merge_options(opts, m->extra_opts, 556 &m->option_offset); 557 } else { 558 fprintf(stderr, " failed to find target %s\n\n", 559 t->u.user.name); 560 return -1; 561 } 562 fprintf(f, "\ttarget "); 563 m->print(NULL, m->t, 0); 564 if (tb[TCA_IPT_INDEX] == NULL) { 565 fprintf(f, " [NULL ipt target index ]\n"); 566 } else { 567 __u32 index; 568 index = *(__u32 *) RTA_DATA(tb[TCA_IPT_INDEX]); 569 fprintf(f, " \n\tindex %d", index); 570 } 571 572 if (tb[TCA_IPT_CNT]) { 573 struct tc_cnt *c = RTA_DATA(tb[TCA_IPT_CNT]);; 574 fprintf(f, " ref %d bind %d", c->refcnt, c->bindcnt); 575 } 576 if (show_stats) { 577 if (tb[TCA_IPT_TM]) { 578 struct tcf_t *tm = RTA_DATA(tb[TCA_IPT_TM]); 579 print_tm(f,tm); 580 } 581 } 582 fprintf(f, " \n"); 583 584 } 585 free_opts(opts); 586 587 return 0; 588} 589 590struct action_util ipt_action_util = { 591 .id = "ipt", 592 .parse_aopt = parse_ipt, 593 .print_aopt = print_ipt, 594}; 595 596