ip6tables-restore.c revision f643eb37e49a212d40eb060bcdfafbc366c0d616 
1/* Code to restore the iptables state, from file by ip6tables-save.
2 * Author:  Andras Kis-Szabo <kisza@sch.bme.hu>
3 *
4 * based on iptables-restore
5 * Authors:
6 *      Harald Welte <laforge@gnumonks.org>
7 *      Rusty Russell <rusty@linuxcare.com.au>
8 * This code is distributed under the terms of GNU GPL v2
9 */
10
11#include <getopt.h>
12#include <sys/errno.h>
13#include <stdbool.h>
14#include <string.h>
15#include <stdio.h>
16#include <stdlib.h>
17#include "ip6tables.h"
18#include "xtables.h"
19#include "libiptc/libip6tc.h"
20#include "ip6tables-multi.h"
21
22#ifdef DEBUG
23#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
24#else
25#define DEBUGP(x, args...)
26#endif
27
28static int binary = 0, counters = 0, verbose = 0, noflush = 0;
29
30/* Keeping track of external matches and targets.  */
31static const struct option options[] = {
32	{.name = "binary",   .has_arg = false, .val = 'b'},
33	{.name = "counters", .has_arg = false, .val = 'c'},
34	{.name = "verbose",  .has_arg = false, .val = 'v'},
35	{.name = "test",     .has_arg = false, .val = 't'},
36	{.name = "help",     .has_arg = false, .val = 'h'},
37	{.name = "noflush",  .has_arg = false, .val = 'n'},
38	{.name = "modprobe", .has_arg = true,  .val = 'M'},
39	{NULL},
40};
41
42static void print_usage(const char *name, const char *version) __attribute__((noreturn));
43
44static void print_usage(const char *name, const char *version)
45{
46	fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n"
47			"	   [ --binary ]\n"
48			"	   [ --counters ]\n"
49			"	   [ --verbose ]\n"
50			"	   [ --test ]\n"
51			"	   [ --help ]\n"
52			"	   [ --noflush ]\n"
53			"          [ --modprobe=<command>]\n", name);
54
55	exit(1);
56}
57
58static struct ip6tc_handle *create_handle(const char *tablename)
59{
60	struct ip6tc_handle *handle;
61
62	handle = ip6tc_init(tablename);
63
64	if (!handle) {
65		/* try to insmod the module if iptc_init failed */
66		xtables_load_ko(xtables_modprobe_program, false);
67		handle = ip6tc_init(tablename);
68	}
69
70	if (!handle) {
71		xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize "
72			"table '%s'\n", ip6tables_globals.program_name,
73			tablename);
74		exit(1);
75	}
76	return handle;
77}
78
79static int parse_counters(char *string, struct ip6t_counters *ctr)
80{
81	unsigned long long pcnt, bcnt;
82	int ret;
83
84	ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt);
85	ctr->pcnt = pcnt;
86	ctr->bcnt = bcnt;
87	return ret == 2;
88}
89
90/* global new argv and argc */
91static char *newargv[255];
92static int newargc;
93
94/* function adding one argument to newargv, updating newargc
95 * returns true if argument added, false otherwise */
96static int add_argv(char *what) {
97	DEBUGP("add_argv: %s\n", what);
98	if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
99		newargv[newargc] = strdup(what);
100		newargc++;
101		return 1;
102	} else {
103		xtables_error(PARAMETER_PROBLEM,
104			"Parser cannot handle more arguments\n");
105		return 0;
106	}
107}
108
109static void free_argv(void) {
110	int i;
111
112	for (i = 0; i < newargc; i++)
113		free(newargv[i]);
114}
115
116int ip6tables_restore_main(int argc, char *argv[])
117{
118	struct ip6tc_handle *handle = NULL;
119	char buffer[10240];
120	int c;
121	char curtable[IP6T_TABLE_MAXNAMELEN + 1];
122	FILE *in;
123	int in_table = 0, testing = 0;
124
125	line = 0;
126
127	ip6tables_globals.program_name = "ip6tables-restore";
128	c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
129	if (c < 0) {
130		fprintf(stderr, "%s/%s Failed to initialize xtables\n",
131				ip6tables_globals.program_name,
132				ip6tables_globals.program_version);
133		exit(1);
134	}
135#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
136	init_extensions();
137	init_extensions6();
138#endif
139
140	while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) {
141		switch (c) {
142			case 'b':
143				binary = 1;
144				break;
145			case 'c':
146				counters = 1;
147				break;
148			case 'v':
149				verbose = 1;
150				break;
151			case 't':
152				testing = 1;
153				break;
154			case 'h':
155				print_usage("ip6tables-restore",
156					    IPTABLES_VERSION);
157				break;
158			case 'n':
159				noflush = 1;
160				break;
161			case 'M':
162				xtables_modprobe_program = optarg;
163				break;
164		}
165	}
166
167	if (optind == argc - 1) {
168		in = fopen(argv[optind], "re");
169		if (!in) {
170			fprintf(stderr, "Can't open %s: %s\n", argv[optind],
171				strerror(errno));
172			exit(1);
173		}
174	}
175	else if (optind < argc) {
176		fprintf(stderr, "Unknown arguments found on commandline\n");
177		exit(1);
178	}
179	else in = stdin;
180
181	/* Grab standard input. */
182	while (fgets(buffer, sizeof(buffer), in)) {
183		int ret = 0;
184
185		line++;
186		if (buffer[0] == '\n')
187			continue;
188		else if (buffer[0] == '#') {
189			if (verbose)
190				fputs(buffer, stdout);
191			continue;
192		} else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
193			if (!testing) {
194				DEBUGP("Calling commit\n");
195				ret = ip6tc_commit(handle);
196				ip6tc_free(handle);
197				handle = NULL;
198			} else {
199				DEBUGP("Not calling commit, testing\n");
200				ret = 1;
201			}
202			in_table = 0;
203		} else if ((buffer[0] == '*') && (!in_table)) {
204			/* New table */
205			char *table;
206
207			table = strtok(buffer+1, " \t\n");
208			DEBUGP("line %u, table '%s'\n", line, table);
209			if (!table) {
210				xtables_error(PARAMETER_PROBLEM,
211					"%s: line %u table name invalid\n",
212					ip6tables_globals.program_name,
213					line);
214				exit(1);
215			}
216			strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN);
217			curtable[IP6T_TABLE_MAXNAMELEN] = '\0';
218
219			if (handle)
220				ip6tc_free(handle);
221
222			handle = create_handle(table);
223			if (noflush == 0) {
224				DEBUGP("Cleaning all chains of table '%s'\n",
225					table);
226				for_each_chain6(flush_entries6, verbose, 1,
227						handle);
228
229				DEBUGP("Deleting all user-defined chains "
230				       "of table '%s'\n", table);
231				for_each_chain6(delete_chain6, verbose, 0,
232						handle);
233			}
234
235			ret = 1;
236			in_table = 1;
237
238		} else if ((buffer[0] == ':') && (in_table)) {
239			/* New chain. */
240			char *policy, *chain;
241
242			chain = strtok(buffer+1, " \t\n");
243			DEBUGP("line %u, chain '%s'\n", line, chain);
244			if (!chain) {
245				xtables_error(PARAMETER_PROBLEM,
246					   "%s: line %u chain name invalid\n",
247					   ip6tables_globals.program_name,
248					   line);
249				exit(1);
250			}
251
252			if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
253				xtables_error(PARAMETER_PROBLEM,
254					   "Invalid chain name `%s' "
255					   "(%u chars max)",
256					   chain, XT_EXTENSION_MAXNAMELEN - 1);
257
258			if (ip6tc_builtin(chain, handle) <= 0) {
259				if (noflush && ip6tc_is_chain(chain, handle)) {
260					DEBUGP("Flushing existing user defined chain '%s'\n", chain);
261					if (!ip6tc_flush_entries(chain, handle))
262						xtables_error(PARAMETER_PROBLEM,
263							   "error flushing chain "
264							   "'%s':%s\n", chain,
265							   strerror(errno));
266				} else {
267					DEBUGP("Creating new chain '%s'\n", chain);
268					if (!ip6tc_create_chain(chain, handle))
269						xtables_error(PARAMETER_PROBLEM,
270							   "error creating chain "
271							   "'%s':%s\n", chain,
272							   strerror(errno));
273				}
274			}
275
276			policy = strtok(NULL, " \t\n");
277			DEBUGP("line %u, policy '%s'\n", line, policy);
278			if (!policy) {
279				xtables_error(PARAMETER_PROBLEM,
280					   "%s: line %u policy invalid\n",
281					   ip6tables_globals.program_name,
282					   line);
283				exit(1);
284			}
285
286			if (strcmp(policy, "-") != 0) {
287				struct ip6t_counters count;
288
289				if (counters) {
290					char *ctrs;
291					ctrs = strtok(NULL, " \t\n");
292
293					if (!ctrs || !parse_counters(ctrs, &count))
294						xtables_error(PARAMETER_PROBLEM,
295							  "invalid policy counters "
296							  "for chain '%s'\n", chain);
297
298				} else {
299					memset(&count, 0,
300					       sizeof(struct ip6t_counters));
301				}
302
303				DEBUGP("Setting policy of chain %s to %s\n",
304					chain, policy);
305
306				if (!ip6tc_set_policy(chain, policy, &count,
307						     handle))
308					xtables_error(OTHER_PROBLEM,
309						"Can't set policy `%s'"
310						" on `%s' line %u: %s\n",
311						policy, chain, line,
312						ip6tc_strerror(errno));
313			}
314
315			ret = 1;
316
317		} else if (in_table) {
318			int a;
319			char *ptr = buffer;
320			char *pcnt = NULL;
321			char *bcnt = NULL;
322			char *parsestart;
323
324			/* the parser */
325			char *curchar;
326			int quote_open, escaped;
327			size_t param_len;
328
329			/* reset the newargv */
330			newargc = 0;
331
332			if (buffer[0] == '[') {
333				/* we have counters in our input */
334				ptr = strchr(buffer, ']');
335				if (!ptr)
336					xtables_error(PARAMETER_PROBLEM,
337						   "Bad line %u: need ]\n",
338						   line);
339
340				pcnt = strtok(buffer+1, ":");
341				if (!pcnt)
342					xtables_error(PARAMETER_PROBLEM,
343						   "Bad line %u: need :\n",
344						   line);
345
346				bcnt = strtok(NULL, "]");
347				if (!bcnt)
348					xtables_error(PARAMETER_PROBLEM,
349						   "Bad line %u: need ]\n",
350						   line);
351
352				/* start command parsing after counter */
353				parsestart = ptr + 1;
354			} else {
355				/* start command parsing at start of line */
356				parsestart = buffer;
357			}
358
359			add_argv(argv[0]);
360			add_argv("-t");
361			add_argv(curtable);
362
363			if (counters && pcnt && bcnt) {
364				add_argv("--set-counters");
365				add_argv((char *) pcnt);
366				add_argv((char *) bcnt);
367			}
368
369			/* After fighting with strtok enough, here's now
370			 * a 'real' parser. According to Rusty I'm now no
371			 * longer a real hacker, but I can live with that */
372
373			quote_open = 0;
374			escaped = 0;
375			param_len = 0;
376
377			for (curchar = parsestart; *curchar; curchar++) {
378				char param_buffer[1024];
379
380				if (quote_open) {
381					if (escaped) {
382						param_buffer[param_len++] = *curchar;
383						escaped = 0;
384						continue;
385					} else if (*curchar == '\\') {
386						escaped = 1;
387						continue;
388					} else if (*curchar == '"') {
389						quote_open = 0;
390						*curchar = ' ';
391					} else {
392						param_buffer[param_len++] = *curchar;
393						continue;
394					}
395				} else {
396					if (*curchar == '"') {
397						quote_open = 1;
398						continue;
399					}
400				}
401
402				if (*curchar == ' '
403				    || *curchar == '\t'
404				    || * curchar == '\n') {
405					if (!param_len) {
406						/* two spaces? */
407						continue;
408					}
409
410					param_buffer[param_len] = '\0';
411
412					/* check if table name specified */
413					if (!strncmp(param_buffer, "-t", 2)
414                                            || !strncmp(param_buffer, "--table", 8)) {
415						xtables_error(PARAMETER_PROBLEM,
416						   "Line %u seems to have a "
417						   "-t table option.\n", line);
418						exit(1);
419					}
420
421					add_argv(param_buffer);
422					param_len = 0;
423				} else {
424					/* regular character, copy to buffer */
425					param_buffer[param_len++] = *curchar;
426
427					if (param_len >= sizeof(param_buffer))
428						xtables_error(PARAMETER_PROBLEM,
429						   "Parameter too long!");
430				}
431			}
432
433			DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
434				newargc, curtable);
435
436			for (a = 0; a < newargc; a++)
437				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
438
439			ret = do_command6(newargc, newargv,
440					 &newargv[2], &handle);
441
442			free_argv();
443			fflush(stdout);
444		}
445		if (!ret) {
446			fprintf(stderr, "%s: line %u failed\n",
447					ip6tables_globals.program_name,
448					line);
449			exit(1);
450		}
451	}
452	if (in_table) {
453		fprintf(stderr, "%s: COMMIT expected at line %u\n",
454				ip6tables_globals.program_name,
455				line + 1);
456		exit(1);
457	}
458
459	fclose(in);
460	return 0;
461}
462