1384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* Code to take an iptables-style command line and do it. */ 2384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 3384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* 4384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Author: Paul.Russell@rustcorp.com.au and mneuling@radlogic.com.au 5384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * 6384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>: 7384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Paul 'Rusty' Russell <rusty@rustcorp.com.au> 8384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Marc Boucher <marc+nf@mbsi.ca> 9384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * James Morris <jmorris@intercode.com.au> 10384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Harald Welte <laforge@gnumonks.org> 11384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 12384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * 13384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * This program is free software; you can redistribute it and/or modify 14384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * it under the terms of the GNU General Public License as published by 15384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * the Free Software Foundation; either version 2 of the License, or 16384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * (at your option) any later version. 17384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * 18384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * This program is distributed in the hope that it will be useful, 19384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * but WITHOUT ANY WARRANTY; without even the implied warranty of 20384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 21384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * GNU General Public License for more details. 22384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * 23384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * You should have received a copy of the GNU General Public License 24384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * along with this program; if not, write to the Free Software 25384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 26384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */ 27384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 28384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <getopt.h> 29384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <string.h> 30384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <netdb.h> 31384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <errno.h> 32384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <stdbool.h> 33384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <stdio.h> 34384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <stdlib.h> 35384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <ctype.h> 36384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <stdarg.h> 37384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <limits.h> 38384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <unistd.h> 39384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <iptables.h> 40384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <xtables.h> 41384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include <fcntl.h> 42384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include "xshared.h" 43077785df023ad8947d44d19769bc6d91e3917633Tomasz Bursztyka#include "nft-shared.h" 44384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#include "nft.h" 45384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 46384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#ifndef TRUE 47384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#define TRUE 1 48384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#endif 49384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#ifndef FALSE 50384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#define FALSE 0 51384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#endif 52384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 53384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#define NUMBER_OF_CMD 16 54384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z', 55384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 'N', 'X', 'P', 'E', 'S', 'Z', 'C' }; 56384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 57384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#define OPT_FRAGMENT 0x00800U 58384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#define NUMBER_OF_OPT ARRAY_SIZE(optflags) 59384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic const char optflags[] 60384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f'}; 61384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 62384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic struct option original_opts[] = { 63384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "append", .has_arg = 1, .val = 'A'}, 64384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "delete", .has_arg = 1, .val = 'D'}, 65384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "check", .has_arg = 1, .val = 'C'}, 66384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "insert", .has_arg = 1, .val = 'I'}, 67384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "replace", .has_arg = 1, .val = 'R'}, 68384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "list", .has_arg = 2, .val = 'L'}, 69384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "list-rules", .has_arg = 2, .val = 'S'}, 70384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "flush", .has_arg = 2, .val = 'F'}, 71384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "zero", .has_arg = 2, .val = 'Z'}, 72384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "new-chain", .has_arg = 1, .val = 'N'}, 73384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "delete-chain", .has_arg = 2, .val = 'X'}, 74384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "rename-chain", .has_arg = 1, .val = 'E'}, 75384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "policy", .has_arg = 1, .val = 'P'}, 76384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "source", .has_arg = 1, .val = 's'}, 77384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "destination", .has_arg = 1, .val = 'd'}, 78384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "src", .has_arg = 1, .val = 's'}, /* synonym */ 79384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "dst", .has_arg = 1, .val = 'd'}, /* synonym */ 80384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "protocol", .has_arg = 1, .val = 'p'}, 81384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "in-interface", .has_arg = 1, .val = 'i'}, 82384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "jump", .has_arg = 1, .val = 'j'}, 83384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "table", .has_arg = 1, .val = 't'}, 84384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "match", .has_arg = 1, .val = 'm'}, 85384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "numeric", .has_arg = 0, .val = 'n'}, 86384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "out-interface", .has_arg = 1, .val = 'o'}, 87384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "verbose", .has_arg = 0, .val = 'v'}, 88aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka {.name = "wait", .has_arg = 2, .val = 'w'}, 89e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan {.name = "wait-interval", .has_arg = 2, .val = 'W'}, 90384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "exact", .has_arg = 0, .val = 'x'}, 91384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "fragments", .has_arg = 0, .val = 'f'}, 92384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "version", .has_arg = 0, .val = 'V'}, 93384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "help", .has_arg = 2, .val = 'h'}, 94384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "line-numbers", .has_arg = 0, .val = '0'}, 95384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "modprobe", .has_arg = 1, .val = 'M'}, 96384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "set-counters", .has_arg = 1, .val = 'c'}, 97384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "goto", .has_arg = 1, .val = 'g'}, 98384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "ipv4", .has_arg = 0, .val = '4'}, 99384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {.name = "ipv6", .has_arg = 0, .val = '6'}, 100384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso {NULL}, 101384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso}; 102384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1035231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayusovoid xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); 104384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 105384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostruct xtables_globals xtables_globals = { 106384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso .option_offset = 0, 107384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso .program_version = IPTABLES_VERSION, 108384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso .orig_opts = original_opts, 1095231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso .exit_err = xtables_exit_error, 110384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso .compat_rev = nft_compatible_revision, 111384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso}; 112384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 113384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* Table of legal combinations of commands and options. If any of the 114384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * given commands make an option legal, that option is legal (applies to 115384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * CMD_LIST and CMD_ZERO only). 116384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Key: 117384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * + compulsory 118384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * x illegal 119384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * optional 120384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */ 121384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 122384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] = 123384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* Well, it's better than "Re: Linux vs FreeBSD" */ 124384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 125384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* -n -s -d -p -j -v -x -i -o --line -c -f */ 126384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*INSERT*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '}, 127384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*DELETE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '}, 128384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*DELETE_NUM*/{'x','x','x','x','x',' ','x','x','x','x','x','x'}, 129384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*REPLACE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '}, 130384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*APPEND*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '}, 131384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*LIST*/ {' ','x','x','x','x',' ',' ','x','x',' ','x','x'}, 132384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'}, 133384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'}, 134384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'}, 135384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'}, 136384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'}, 137384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' ','x'}, 138384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'}, 139384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x','x'}, 140384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '}, 141384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso}; 142384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 143384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic const int inverse_for_options[NUMBER_OF_OPT] = 144384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 145384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -n */ 0, 146384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -s */ IPT_INV_SRCIP, 147384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -d */ IPT_INV_DSTIP, 148384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -p */ XT_INV_PROTO, 149384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -j */ 0, 150384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -v */ 0, 151384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -x */ 0, 152384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -i */ IPT_INV_VIA_IN, 153384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -o */ IPT_INV_VIA_OUT, 154384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/*--line*/ 0, 155384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -c */ 0, 156384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* -f */ IPT_INV_FRAG, 157384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso}; 158384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 159384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#define opts xtables_globals.opts 160384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#define prog_name xtables_globals.program_name 161384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#define prog_vers xtables_globals.program_version 162384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 163384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic void __attribute__((noreturn)) 164384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoexit_tryhelp(int status) 165384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 166384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (line != -1) 167384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso fprintf(stderr, "Error occurred at line: %d\n", line); 168384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", 169384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso prog_name, prog_name); 170384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_free_opts(1); 171384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso exit(status); 172384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 173384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 174384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic void 175384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoexit_printhelp(const struct xtables_rule_match *matches) 176384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 177384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso printf("%s v%s\n\n" 178384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"Usage: %s -[ACD] chain rule-specification [options]\n" 179384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" %s -I chain [rulenum] rule-specification [options]\n" 180384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" %s -R chain rulenum rule-specification [options]\n" 181384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" %s -D chain rulenum [options]\n" 182384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" %s -[LS] [chain [rulenum]] [options]\n" 183384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" %s -[FZ] [chain] [options]\n" 184384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" %s -[NX] chain\n" 185384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" %s -E old-chain-name new-chain-name\n" 186384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" %s -P chain target [options]\n" 187384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" %s -h (print this help information)\n\n", 188384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso prog_name, prog_vers, prog_name, prog_name, 189384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso prog_name, prog_name, prog_name, prog_name, 190384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso prog_name, prog_name, prog_name, prog_name); 191384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 192384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso printf( 193384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"Commands:\n" 194384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"Either long or short options are allowed.\n" 195384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --append -A chain Append to chain\n" 196384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --check -C chain Check for the existence of a rule\n" 197384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --delete -D chain Delete matching rule from chain\n" 198384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --delete -D chain rulenum\n" 199384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" Delete rule rulenum (1 = first) from chain\n" 200384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --insert -I chain [rulenum]\n" 201384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" Insert in chain as rulenum (default 1=first)\n" 202384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --replace -R chain rulenum\n" 203384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" Replace rule rulenum (1 = first) in chain\n" 204384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --list -L [chain [rulenum]]\n" 205384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" List the rules in a chain or all chains\n" 206384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --list-rules -S [chain [rulenum]]\n" 207384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" Print the rules in a chain or all chains\n" 208384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --flush -F [chain] Delete all rules in chain or all chains\n" 209384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --zero -Z [chain [rulenum]]\n" 210384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" Zero counters in chain or all chains\n" 211384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --new -N chain Create a new user-defined chain\n" 212384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --delete-chain\n" 213384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" -X [chain] Delete a user-defined chain\n" 214384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --policy -P chain target\n" 215384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" Change policy on chain to target\n" 216384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --rename-chain\n" 217384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" -E old-chain new-chain\n" 218384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" Change chain name, (moving any references)\n" 219384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 220384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"Options:\n" 221384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --ipv4 -4 Nothing (line is ignored by ip6tables-restore)\n" 222384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --ipv6 -6 Error (line is ignored by iptables-restore)\n" 223384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"[!] --proto -p proto protocol: by number or name, eg. `tcp'\n" 224384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"[!] --source -s address[/mask][...]\n" 225384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" source specification\n" 226384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"[!] --destination -d address[/mask][...]\n" 227384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" destination specification\n" 228384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"[!] --in-interface -i input name[+]\n" 229384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" network interface name ([+] for wildcard)\n" 230384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --jump -j target\n" 231384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" target for rule (may load target extension)\n" 232384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#ifdef IPT_F_GOTO 233384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --goto -g chain\n" 234384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" jump to chain with no return\n" 235384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#endif 236384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --match -m match\n" 237384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" extended match (may load extension)\n" 238384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --numeric -n numeric output of addresses and ports\n" 239384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"[!] --out-interface -o output name[+]\n" 240384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" network interface name ([+] for wildcard)\n" 241384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --table -t table table to manipulate (default: `filter')\n" 242384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --verbose -v verbose mode\n" 243e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan" --wait -w [seconds] maximum wait to acquire xtables lock before give up\n" 244e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan" --wait-interval -W [usecs] wait time to try to acquire xtables lock\n" 245e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan" default is 1 second\n" 246384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --line-numbers print line numbers when listing\n" 247384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --exact -x expand numbers (display exact values)\n" 248384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"[!] --fragment -f match second or further fragments only\n" 249384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --modprobe=<command> try to insert modules using this command\n" 250384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso" --set-counters PKTS BYTES set the counter during insert/append\n" 251384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso"[!] --version -V print package version.\n"); 252384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 253384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso print_extension_helps(xtables_targets, matches); 254384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso exit(0); 255384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 256384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 2575231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayusovoid 2585231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayusoxtables_exit_error(enum xtables_exittype status, const char *msg, ...) 2595231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso{ 2605231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso va_list args; 2615231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso 2625231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso va_start(args, msg); 2635231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso fprintf(stderr, "%s v%s: ", prog_name, prog_vers); 2645231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso vfprintf(stderr, msg, args); 2655231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso va_end(args); 2665231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso fprintf(stderr, "\n"); 2675231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso if (status == PARAMETER_PROBLEM) 2685231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso exit_tryhelp(status); 2695231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso if (status == VERSION_PROBLEM) 2705231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso fprintf(stderr, 2715231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso "Perhaps iptables or your kernel needs to be upgraded.\n"); 2725231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso /* On error paths, make sure that we don't leak memory */ 2735231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso xtables_free_opts(1); 2745231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso exit(status); 2755231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso} 2765231faea0fd5f5d4538a99d8234103a8297ff82fPablo Neira Ayuso 277384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic void 278384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusogeneric_opt_check(int command, int options) 279384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 280384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int i, j, legal = 0; 281384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 282384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Check that commands are valid with options. Complicated by the 283384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * fact that if an option is legal with *any* command given, it is 284384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * legal overall (ie. -z and -l). 285384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */ 286384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso for (i = 0; i < NUMBER_OF_OPT; i++) { 287384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */ 288384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 289384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso for (j = 0; j < NUMBER_OF_CMD; j++) { 290384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!(command & (1<<j))) 291384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso continue; 292384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 293384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!(options & (1<<i))) { 294384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (commands_v_options[j][i] == '+') 295384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 296384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "You need to supply the `-%c' " 297384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "option for this command\n", 298384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso optflags[i]); 299384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } else { 300384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (commands_v_options[j][i] != 'x') 301384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso legal = 1; 302384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else if (legal == 0) 303384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso legal = -1; 304384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 305384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 306384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (legal == -1) 307384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 308384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Illegal option `-%c' with this command\n", 309384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso optflags[i]); 310384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 311384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 312384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 313384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic char 314384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoopt2char(int option) 315384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 316384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso const char *ptr; 317384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso for (ptr = optflags; option > 1; option >>= 1, ptr++); 318384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 319384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return *ptr; 320384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 321384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 322384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic char 323384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusocmd2char(int option) 324384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 325384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso const char *ptr; 326384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso for (ptr = cmdflags; option > 1; option >>= 1, ptr++); 327384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 328384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return *ptr; 329384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 330384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 331384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic void 332384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoadd_command(unsigned int *cmd, const int newcmd, const int othercmds, 333384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int invert) 334384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 335384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (invert) 336384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, "unexpected ! flag"); 337384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (*cmd & (~othercmds)) 338384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, "Cannot use -%c with -%c\n", 339384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cmd2char(newcmd), cmd2char(*cmd & (~othercmds))); 340384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso *cmd |= newcmd; 341384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 342384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 343384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* 344384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * All functions starting with "parse" should succeed, otherwise 345384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * the program fails. 346384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Most routines return pointers to static data that may change 347384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * between calls to the same or other routines with a few exceptions: 348384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * "host_to_addr", "parse_hostnetwork", and "parse_hostnetworkmask" 349384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * return global static data. 350384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso*/ 351384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 352384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* Christophe Burki wants `-p 6' to imply `-m tcp'. */ 353384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso/* Can't be zero. */ 354384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 355384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoparse_rulenumber(const char *rule) 356384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 357384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int rulenum; 358384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 359384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!xtables_strtoui(rule, NULL, &rulenum, 1, INT_MAX)) 360384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 361384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Invalid rule number `%s'", rule); 362384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 363384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return rulenum; 364384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 365384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 366384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic const char * 367384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoparse_target(const char *targetname) 368384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 369384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso const char *ptr; 370384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 371384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (strlen(targetname) < 1) 372384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 373384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Invalid target name (too short)"); 374384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 375384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (strlen(targetname) >= XT_EXTENSION_MAXNAMELEN) 376384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 377384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Invalid target name `%s' (%u chars max)", 378384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso targetname, XT_EXTENSION_MAXNAMELEN - 1); 379384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 380384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso for (ptr = targetname; *ptr; ptr++) 381384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (isspace(*ptr)) 382384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 383384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Invalid target name `%s'", targetname); 384384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return targetname; 385384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 386384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 387384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic void 388384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoset_option(unsigned int *options, unsigned int option, uint8_t *invflg, 389384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int invert) 390384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 391384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (*options & option) 392384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed", 393384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(option)); 394384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso *options |= option; 395384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 396384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (invert) { 397384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int i; 398384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso for (i = 0; 1 << i != option; i++); 399384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 400384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!inverse_for_options[i]) 401384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 402384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "cannot have ! before -%c", 403384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(option)); 404384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso *invflg |= inverse_for_options[i]; 405384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 406384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 407384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 408384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 409384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoadd_entry(const char *chain, 410384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso const char *table, 411384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct iptables_command_state *cs, 412cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso int rulenum, int family, 4130391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask s, 4140391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask d, 415384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso bool verbose, struct nft_handle *h, bool append) 416384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 417384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int i, j; 418384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int ret = 1; 419384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 4200391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (i = 0; i < s.naddrs; i++) { 4210391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka if (family == AF_INET) { 4220391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr; 4230391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr; 4240391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 4250391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr; 4260391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr; 427384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 428cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso if (append) { 429cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso ret = nft_rule_append(h, chain, table, 430cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso cs, 0, 431cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso verbose); 432cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso } else { 433cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso ret = nft_rule_insert(h, chain, table, 434cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso cs, rulenum, 435cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso verbose); 436cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso } 4370391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 4380391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } else if (family == AF_INET6) { 4390391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.src, 4400391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.addr.v6[i], sizeof(struct in6_addr)); 4410391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.smsk, 4420391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.mask.v6[i], sizeof(struct in6_addr)); 4430391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 4440391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dst, 4450391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.addr.v6[j], sizeof(struct in6_addr)); 4460391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dmsk, 4470391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.mask.v6[j], sizeof(struct in6_addr)); 448cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso if (append) { 449cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso ret = nft_rule_append(h, chain, table, 45096180491d51853a4315ba4eeb29a53505b6515e5Pablo Neira Ayuso cs, 0, 451cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso verbose); 452cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso } else { 453cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso ret = nft_rule_insert(h, chain, table, 454cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso cs, rulenum, 455cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso verbose); 456cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso } 4570391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 458384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 459384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 460384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 461384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return ret; 462384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 463384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 464384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 465384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoreplace_entry(const char *chain, const char *table, 466384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct iptables_command_state *cs, 467384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int rulenum, 4680391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka int family, 4690391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask s, 4700391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask d, 471384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso bool verbose, struct nft_handle *h) 472384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 4730391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka if (family == AF_INET) { 4740391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.src.s_addr = s.addr.v4->s_addr; 4750391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dst.s_addr = d.addr.v4->s_addr; 4760391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.smsk.s_addr = s.mask.v4->s_addr; 4770391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dmsk.s_addr = d.mask.v4->s_addr; 4780391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } else if (family == AF_INET6) { 4790391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.src, s.addr.v6, sizeof(struct in6_addr)); 4800391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dst, d.addr.v6, sizeof(struct in6_addr)); 4810391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.smsk, s.mask.v6, sizeof(struct in6_addr)); 4820391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dmsk, d.mask.v6, sizeof(struct in6_addr)); 4830391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } else 4840391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka return 1; 485384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 486384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return nft_rule_replace(h, chain, table, cs, rulenum, verbose); 487384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 488384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 489384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 490384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusodelete_entry(const char *chain, const char *table, 491384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct iptables_command_state *cs, 4920391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka int family, 4930391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask s, 4940391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask d, 495384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso bool verbose, 496384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct nft_handle *h) 497384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 498384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int i, j; 499384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int ret = 1; 500384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 5010391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (i = 0; i < s.naddrs; i++) { 5020391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka if (family == AF_INET) { 5030391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr; 5040391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr; 5050391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 5060391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr; 5070391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr; 5080391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka ret = nft_rule_delete(h, chain, 5090391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka table, cs, verbose); 5100391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 5110391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } else if (family == AF_INET6) { 5120391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.src, 5130391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.addr.v6[i], sizeof(struct in6_addr)); 5140391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.smsk, 5150391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.mask.v6[i], sizeof(struct in6_addr)); 5160391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 5170391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dst, 5180391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.addr.v6[j], sizeof(struct in6_addr)); 5190391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dmsk, 5200391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.mask.v6[j], sizeof(struct in6_addr)); 5210391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka ret = nft_rule_delete(h, chain, 5220391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka table, cs, verbose); 5230391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 524384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 525384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 526384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 527384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return ret; 528384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 529384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 530384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 531384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusocheck_entry(const char *chain, const char *table, 532384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct iptables_command_state *cs, 5330391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka int family, 5340391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask s, 5350391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask d, 536384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso bool verbose, struct nft_handle *h) 537384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 538384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int i, j; 539384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int ret = 1; 540384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 5410391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (i = 0; i < s.naddrs; i++) { 5420391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka if (family == AF_INET) { 5430391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr; 5440391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr; 5450391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 5460391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr; 5470391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr; 5480391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka ret = nft_rule_check(h, chain, 5490391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka table, cs, verbose); 5500391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 5510391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } else if (family == AF_INET6) { 5520391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.src, 5530391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.addr.v6[i], sizeof(struct in6_addr)); 5540391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.smsk, 5550391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.mask.v6[i], sizeof(struct in6_addr)); 5560391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 5570391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dst, 5580391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.addr.v6[j], sizeof(struct in6_addr)); 5590391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dmsk, 5600391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.mask.v6[j], sizeof(struct in6_addr)); 5610391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka ret = nft_rule_check(h, chain, 5620391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka table, cs, verbose); 5630391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 564384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 565384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 566384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 567384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return ret; 568384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 569384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 570384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 571384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusolist_entries(struct nft_handle *h, const char *chain, const char *table, 572384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int rulenum, int verbose, int numeric, int expanded, 573384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int linenumbers) 574384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 575384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int format; 576384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 577384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format = FMT_OPTIONS; 578384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!verbose) 579384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format |= FMT_NOCOUNTS; 580384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 581384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format |= FMT_VIA; 582384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 583384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (numeric) 584384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format |= FMT_NUMERIC; 585384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 586384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!expanded) 587384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format |= FMT_KILOMEGAGIGA; 588384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 589384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (linenumbers) 590384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format |= FMT_LINENUMBERS; 591384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 592384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return nft_rule_list(h, chain, table, rulenum, format); 593384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 594384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 595384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 596384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusolist_rules(struct nft_handle *h, const char *chain, const char *table, 597384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int rulenum, int counters) 598384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 599384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (counters) 600384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso counters = -1; /* iptables -c format */ 601384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 602384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso nft_rule_list_save(h, chain, table, rulenum, counters); 603384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 60410f92fce0a2ea1805c8b269543b8f1738d22bf3dPablo Neira Ayuso /* iptables does not return error if rule number not found */ 605384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return 1; 606384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 607384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 608384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic void command_jump(struct iptables_command_state *cs) 609384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 610384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso size_t size; 611384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 612384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso set_option(&cs->options, OPT_JUMP, &cs->fw.ip.invflags, cs->invert); 613384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->jumpto = parse_target(optarg); 614384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* TRY_LOAD (may be chain name) */ 615384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD); 616384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 617384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (cs->target == NULL) 618384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return; 619384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 620384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso size = XT_ALIGN(sizeof(struct xt_entry_target)) 621384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso + cs->target->size; 622384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 623384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target->t = xtables_calloc(1, size); 624384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target->t->u.target_size = size; 625384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (cs->target->real_name == NULL) { 626384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso strcpy(cs->target->t->u.user.name, cs->jumpto); 627384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } else { 628384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Alias support for userspace side */ 629384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso strcpy(cs->target->t->u.user.name, cs->target->real_name); 630384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!(cs->target->ext_flags & XTABLES_EXT_ALIAS)) 631384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso fprintf(stderr, "Notice: The %s target is converted into %s target " 632384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "in rule listing and saving.\n", 633384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->jumpto, cs->target->real_name); 634384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 635384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target->t->u.user.revision = cs->target->revision; 636384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xs_init_target(cs->target); 637384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 638384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (cs->target->x6_options != NULL) 6395a1b519d1e26767fa1f0de15b0f7e125531a1719Pablo Neira Ayuso opts = xtables_options_xfrm(xtables_globals.orig_opts, opts, 640384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target->x6_options, 641384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso &cs->target->option_offset); 642384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 6435a1b519d1e26767fa1f0de15b0f7e125531a1719Pablo Neira Ayuso opts = xtables_merge_options(xtables_globals.orig_opts, opts, 644384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target->extra_opts, 645384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso &cs->target->option_offset); 646384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (opts == NULL) 647384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(OTHER_PROBLEM, "can't alloc memory!"); 648384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 649384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 650384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic void command_match(struct iptables_command_state *cs) 651384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 652384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct xtables_match *m; 653384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso size_t size; 654384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 655384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (cs->invert) 656384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 657384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "unexpected ! flag before --match"); 658384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 659384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, &cs->matches); 660384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size; 661384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->m = xtables_calloc(1, size); 662384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->m->u.match_size = size; 663384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (m->real_name == NULL) { 664384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso strcpy(m->m->u.user.name, m->name); 665384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } else { 666384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso strcpy(m->m->u.user.name, m->real_name); 667384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!(m->ext_flags & XTABLES_EXT_ALIAS)) 668384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso fprintf(stderr, "Notice: the %s match is converted into %s match " 669384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "in rule listing and saving.\n", m->name, m->real_name); 670384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 671384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->m->u.user.revision = m->revision; 672384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xs_init_match(m); 673384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (m == m->next) 674384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return; 675384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Merge options for non-cloned matches */ 676384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (m->x6_options != NULL) 6775a1b519d1e26767fa1f0de15b0f7e125531a1719Pablo Neira Ayuso opts = xtables_options_xfrm(xtables_globals.orig_opts, opts, 678384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->x6_options, &m->option_offset); 679384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else if (m->extra_opts != NULL) 6805a1b519d1e26767fa1f0de15b0f7e125531a1719Pablo Neira Ayuso opts = xtables_merge_options(xtables_globals.orig_opts, opts, 681384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->extra_opts, &m->option_offset); 682384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (opts == NULL) 683384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(OTHER_PROBLEM, "can't alloc memory!"); 684384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 685384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 68650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayusovoid do_parse(struct nft_handle *h, int argc, char *argv[], 68750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso struct nft_xt_cmd_parse *p, struct iptables_command_state *cs, 68850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso struct xtables_args *args) 689384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 690384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct xtables_match *m; 691384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct xtables_rule_match *matchp; 692e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan bool wait_interval_set = false; 693e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan struct timeval wait_interval; 694384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct xtables_target *t; 69550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso int wait = 0; 696384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 69750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso memset(cs, 0, sizeof(*cs)); 69850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->jumpto = ""; 69950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->argv = argv; 700384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 701384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* re-set optind to 0 in case do_command4 gets called 702384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * a second time */ 703384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso optind = 0; 704384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 705384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* clear mflags in case do_command4 gets called a second time 706384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * (we clear the global list of all matches for security)*/ 707384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso for (m = xtables_matches; m; m = m->next) 708384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->mflags = 0; 709384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 710384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso for (t = xtables_targets; t; t = t->next) { 711384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso t->tflags = 0; 712384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso t->used = 0; 713384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 714384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 715384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Suppress error messages: we may add new options if we 716384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso demand-load a protocol. */ 717384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opterr = 0; 718384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 7195cab9c3c8209e9491f0f252e03dd48ae4cb5ab63Pablo Neira Ayuso h->ops = nft_family_ops_lookup(h->family); 7204b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso if (h->ops == NULL) 7214b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, "Unknown family"); 7224b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso 723384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opts = xt_params->orig_opts; 72450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso while ((cs->c = getopt_long(argc, argv, 725e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46", 726384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opts, NULL)) != -1) { 72750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso switch (cs->c) { 728384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* 729384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Command selection 730384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */ 731384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'A': 73250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_APPEND, CMD_NONE, 73350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 73450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 735384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 736384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 737384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'C': 73850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_CHECK, CMD_NONE, 73950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 74050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 741384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 742384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 743384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'D': 74450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_DELETE, CMD_NONE, 74550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 74650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 747097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti if (xs_has_arg(argc, argv)) { 74850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 74950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command = CMD_DELETE_NUM; 750384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 751384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 752384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 753384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'R': 75450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_REPLACE, CMD_NONE, 75550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 75650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 757097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti if (xs_has_arg(argc, argv)) 75850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 759384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 760384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 761384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c requires a rule number", 762384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cmd2char(CMD_REPLACE)); 763384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 764384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 765384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'I': 76650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_INSERT, CMD_NONE, 76750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 76850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 769097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti if (xs_has_arg(argc, argv)) 77050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 77150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso else 77250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = 1; 773384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 774384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 775384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'L': 77650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_LIST, 77750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso CMD_ZERO | CMD_ZERO_NUM, cs->invert); 77850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (optarg) 77950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 780097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti else if (xs_has_arg(argc, argv)) 78150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = argv[optind++]; 782097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti if (xs_has_arg(argc, argv)) 78350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 784384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 785384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 786384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'S': 78750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_LIST_RULES, 78850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso CMD_ZERO|CMD_ZERO_NUM, cs->invert); 78950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (optarg) 79050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 791097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti else if (xs_has_arg(argc, argv)) 79250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = argv[optind++]; 793097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti if (xs_has_arg(argc, argv)) 79450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 795384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 796384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 797384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'F': 79850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_FLUSH, CMD_NONE, 79950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 80050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (optarg) 80150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 802097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti else if (xs_has_arg(argc, argv)) 80350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = argv[optind++]; 804384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 805384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 806384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'Z': 80750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_ZERO, 80850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso CMD_LIST|CMD_LIST_RULES, cs->invert); 80950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (optarg) 81050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 811097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti else if (xs_has_arg(argc, argv)) 81250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = argv[optind++]; 813097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti if (xs_has_arg(argc, argv)) { 81450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 81550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command = CMD_ZERO_NUM; 816384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 817384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 818384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 819384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'N': 820384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optarg && (*optarg == '-' || *optarg == '!')) 821384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 822384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "chain name not allowed to start " 823384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "with `%c'\n", *optarg); 824384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (xtables_find_target(optarg, XTF_TRY_LOAD)) 825384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 826384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "chain name may not clash " 827384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "with target name\n"); 82850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE, 82950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 83050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 831384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 832384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 833384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'X': 83450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_DELETE_CHAIN, CMD_NONE, 83550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 83650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (optarg) 83750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 838097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti else if (xs_has_arg(argc, argv)) 83950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = argv[optind++]; 840384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 841384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 842384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'E': 84350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_RENAME_CHAIN, CMD_NONE, 84450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 84550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 846097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti if (xs_has_arg(argc, argv)) 84750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->newname = argv[optind++]; 848384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 849384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 850384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c requires old-chain-name and " 851384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "new-chain-name", 852384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cmd2char(CMD_RENAME_CHAIN)); 853384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 854384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 855384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'P': 85650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_SET_POLICY, CMD_NONE, 85750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 85850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 859097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti if (xs_has_arg(argc, argv)) 86050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->policy = argv[optind++]; 861384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 862384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 863384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c requires a chain and a policy", 864384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cmd2char(CMD_SET_POLICY)); 865384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 866384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 867384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'h': 868384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!optarg) 869384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso optarg = argv[optind]; 870384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 871384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* iptables -p icmp -h */ 87250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (!cs->matches && cs->protocol) 87350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso xtables_find_match(cs->protocol, 87450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso XTF_TRY_LOAD, &cs->matches); 875384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 87650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso exit_printhelp(cs->matches); 877384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 878384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* 879384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Option selection 880384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */ 881384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'p': 88250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_PROTOCOL, 88350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 884384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 885384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Canonicalize into lower case */ 88650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso for (cs->protocol = optarg; *cs->protocol; cs->protocol++) 88750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso *cs->protocol = tolower(*cs->protocol); 888384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 88950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->protocol = optarg; 89050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->proto = xtables_parse_protocol(cs->protocol); 891384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 89250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (args->proto == 0 && 89350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso (args->invflags & XT_INV_PROTO)) 894384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 895384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "rule would never match protocol"); 8964b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso 8974b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso /* This needs to happen here to parse extensions */ 89850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->ops->proto_parse(cs, args); 899384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 900384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 901384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 's': 90250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_SOURCE, 90350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 90450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->shostnetworkmask = optarg; 905384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 906384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 907384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'd': 90850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_DESTINATION, 90950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 91050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->dhostnetworkmask = optarg; 911384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 912384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 913384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#ifdef IPT_F_GOTO 914384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'g': 91550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_JUMP, &args->invflags, 91650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 91750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->goto_set = true; 91850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->jumpto = parse_target(optarg); 919384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 920384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#endif 921384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 922384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'j': 92350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso command_jump(cs); 924384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 925384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 926384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 927384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'i': 928384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (*optarg == '\0') 929384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 930384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Empty interface is likely to be " 931384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "undesired"); 93250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_VIANAMEIN, 93350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 934384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_parse_interface(optarg, 93550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->iniface, 93650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->iniface_mask); 937384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 938384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 939384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'o': 940384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (*optarg == '\0') 941384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 942384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Empty interface is likely to be " 943384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "undesired"); 94450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_VIANAMEOUT, 94550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 946384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_parse_interface(optarg, 94750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->outiface, 94850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->outiface_mask); 949384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 950384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 951384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'f': 95250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (args->family == AF_INET6) { 9530391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka xtables_error(PARAMETER_PROBLEM, 9540391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka "`-f' is not supported in IPv6, " 9550391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka "use -m frag instead"); 9560391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 95750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_FRAGMENT, &args->invflags, 95850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 95950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->flags |= IPT_F_FRAG; 960384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 961384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 962384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'v': 96350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (!p->verbose) 96450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_VERBOSE, 96550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 96650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->verbose++; 967384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 968384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 969384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'm': 97050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso command_match(cs); 971384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 972384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 973384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'n': 97450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_NUMERIC, &args->invflags, 97550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 976384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 977384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 978384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 't': 97950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->invert) 980384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 981384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "unexpected ! flag before --table"); 98250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->table = optarg; 983384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 984384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 985384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'x': 98650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_EXPANDED, &args->invflags, 98750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 988384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 989384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 990384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'V': 99150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->invert) 992384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso printf("Not %s ;-)\n", prog_vers); 993384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 994384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso printf("%s v%s\n", 995384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso prog_name, prog_vers); 996384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso exit(0); 997384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 9987851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka case 'w': 99950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (p->restore) { 10007851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka xtables_error(PARAMETER_PROBLEM, 10017851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka "You cannot use `-w' from " 10027851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka "iptables-restore"); 10037851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka } 1004097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti 1005097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti wait = parse_wait_time(argc, argv); 10067851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka break; 10077851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka 1008e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan case 'W': 1009e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan if (p->restore) { 1010e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan xtables_error(PARAMETER_PROBLEM, 1011e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan "You cannot use `-W' from " 1012e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan "iptables-restore"); 1013e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan } 1014e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan 1015097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti parse_wait_interval(argc, argv, &wait_interval); 1016e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan wait_interval_set = true; 1017e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan break; 1018e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan 1019384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case '0': 102050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_LINENUMBERS, 102150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 1022384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1023384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1024384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'M': 1025384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_modprobe_program = optarg; 1026384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1027384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1028384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'c': 102950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_COUNTERS, &args->invflags, 103050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 103150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->pcnt = optarg; 103250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->bcnt = strchr(args->pcnt + 1, ','); 103350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (args->bcnt) 103450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->bcnt++; 1035097d6bee9cb25c94e288ad72099c51bab7fe113cLorenzo Colitti if (!args->bcnt && xs_has_arg(argc, argv)) 103650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->bcnt = argv[optind++]; 103750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (!args->bcnt) 1038384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1039384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c requires packet and byte counter", 1040384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(OPT_COUNTERS)); 1041384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 104250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (sscanf(args->pcnt, "%llu", &args->pcnt_cnt) != 1) 1043384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1044384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c packet counter not numeric", 1045384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(OPT_COUNTERS)); 1046384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 104750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (sscanf(args->bcnt, "%llu", &args->bcnt_cnt) != 1) 1048384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1049384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c byte counter not numeric", 1050384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(OPT_COUNTERS)); 1051384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1052384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1053384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case '4': 105450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (args->family != AF_INET) 10550391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka exit_tryhelp(2); 10564b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso 105750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->ops = nft_family_ops_lookup(args->family); 1058384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1059384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1060384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case '6': 106150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->family = AF_INET6; 1062457819b952418501918b6e906bf5e21e3b4f9af8Pablo Neira Ayuso xtables_set_nfproto(AF_INET6); 10634b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso 106450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->ops = nft_family_ops_lookup(args->family); 10654b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso if (h->ops == NULL) 10664b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 10674b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso "Unknown family"); 10680391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka break; 1069384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1070384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 1: /* non option */ 1071384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optarg[0] == '!' && optarg[1] == '\0') { 107250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->invert) 1073384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1074384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "multiple consecutive ! not" 1075384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso " allowed"); 107650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert = TRUE; 1077384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso optarg[0] = '\0'; 1078384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso continue; 1079384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 1080384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso fprintf(stderr, "Bad argument `%s'\n", optarg); 1081384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso exit_tryhelp(2); 1082384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1083384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso default: 108450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (command_default(cs, &xtables_globals) == 1) 1085384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* cf. ip6tables.c */ 1086384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso continue; 1087384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1088384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 108950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert = FALSE; 1090384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 1091384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 109250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (strcmp(p->table, "nat") == 0 && 109350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ((p->policy != NULL && strcmp(p->policy, "DROP") == 0) || 109450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso (cs->jumpto != NULL && strcmp(cs->jumpto, "DROP") == 0))) 1095384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1096384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "\nThe \"nat\" table is not intended for filtering, " 1097384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "the use of DROP is therefore inhibited.\n\n"); 1098384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1099e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan if (!wait && wait_interval_set) 1100e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan xtables_error(PARAMETER_PROBLEM, 1101e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan "--wait-interval only makes sense with --wait\n"); 1102e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1Subash Abhinov Kasiviswanathan 110350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso for (matchp = cs->matches; matchp; matchp = matchp->next) 1104384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_option_mfcall(matchp->match); 110550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->target != NULL) 110650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso xtables_option_tfcall(cs->target); 1107384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1108384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Fix me: must put inverse options checking here --MN */ 1109384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1110384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optind < argc) 1111384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1112384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "unknown arguments found on commandline"); 111350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (!p->command) 1114384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, "no command specified"); 111550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->invert) 1116384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1117384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "nothing appropriate following !"); 1118384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 11193f7877e6be987bb94897c03a45945725389a6f5cPablo Neira Ayuso /* Set only if required, needed by xtables-restore */ 11203f7877e6be987bb94897c03a45945725389a6f5cPablo Neira Ayuso if (h->family == AF_UNSPEC) 112150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->family = args->family; 11223f7877e6be987bb94897c03a45945725389a6f5cPablo Neira Ayuso 112350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->ops->post_parse(p->command, cs, args); 11246838a7f51e6d95f904093e05e8bdc75ada70b93fPablo Neira Ayuso 112550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (p->command == CMD_REPLACE && 112650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso (args->s.naddrs != 1 || args->d.naddrs != 1)) 1127384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, "Replacement rule does not " 1128384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "specify a unique address"); 1129384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 113050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso generic_opt_check(p->command, cs->options); 1131384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 113250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (p->chain != NULL && strlen(p->chain) >= XT_EXTENSION_MAXNAMELEN) 1133384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1134384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "chain name `%s' too long (must be under %u chars)", 113550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain, XT_EXTENSION_MAXNAMELEN); 113650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso 113750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (p->command == CMD_APPEND || 113850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command == CMD_DELETE || 113950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command == CMD_CHECK || 114050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command == CMD_INSERT || 114150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command == CMD_REPLACE) { 114250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (strcmp(p->chain, "PREROUTING") == 0 114350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso || strcmp(p->chain, "INPUT") == 0) { 1144384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* -o not valid with incoming packets. */ 114550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->options & OPT_VIANAMEOUT) 1146384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1147384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Can't use -%c with %s\n", 1148384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(OPT_VIANAMEOUT), 114950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain); 1150384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 1151384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 115250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (strcmp(p->chain, "POSTROUTING") == 0 115350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso || strcmp(p->chain, "OUTPUT") == 0) { 1154384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* -i not valid with outgoing packets */ 115550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->options & OPT_VIANAMEIN) 1156384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1157384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Can't use -%c with %s\n", 1158384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(OPT_VIANAMEIN), 115950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain); 1160384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 1161384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1162384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* 1163384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Contrary to what iptables does, we assume that any jumpto 1164384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * is a custom chain jumps (if no target is found). Later on, 1165384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * nf_table will spot the error if the chain does not exists. 1166384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */ 1167384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 116850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso} 116950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso 117050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayusoint do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, 117150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso bool restore) 117250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso{ 117350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso int ret = 1; 117450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso struct nft_xt_cmd_parse p = { 117550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso .table = *table, 117650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso .restore = restore, 117750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso }; 117850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso struct iptables_command_state cs; 117950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso struct xtables_args args = { 118050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso .family = h->family, 118150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso }; 118250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso 118350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso do_parse(h, argc, argv, &p, &cs, &args); 1184384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 118550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso switch (p.command) { 1186384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_APPEND: 118750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = add_entry(p.chain, p.table, &cs, 0, h->family, 118850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args.s, args.d, 118950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs.options & OPT_VERBOSE, h, true); 1190384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1191384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_DELETE: 119250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = delete_entry(p.chain, p.table, &cs, h->family, 119350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args.s, args.d, 119450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs.options & OPT_VERBOSE, h); 1195384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1196384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_DELETE_NUM: 119750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_rule_delete_num(h, p.chain, p.table, 119850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p.rulenum - 1, p.verbose); 1199384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1200384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_CHECK: 120150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = check_entry(p.chain, p.table, &cs, h->family, 120250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args.s, args.d, 120350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs.options & OPT_VERBOSE, h); 1204384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1205384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_REPLACE: 120650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = replace_entry(p.chain, p.table, &cs, p.rulenum - 1, 120726d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso h->family, args.s, args.d, 120850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs.options & OPT_VERBOSE, h); 1209384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1210384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_INSERT: 121150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = add_entry(p.chain, p.table, &cs, p.rulenum - 1, 121250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->family, args.s, args.d, 121350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs.options&OPT_VERBOSE, h, false); 1214384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1215384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_FLUSH: 121650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_rule_flush(h, p.chain, p.table); 1217384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1218384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_ZERO: 121950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_chain_zero_counters(h, p.chain, p.table); 1220384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1221384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_ZERO_NUM: 122250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_rule_zero_counters(h, p.chain, p.table, 122350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p.rulenum - 1); 1224384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1225384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_LIST: 1226384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_LIST|CMD_ZERO: 1227384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_LIST|CMD_ZERO_NUM: 12284b791044cd0984c9a1771e86fa77fce9d309d9e7Pablo M. Bermudo Garay if (nft_is_ruleset_compatible(h) == 1) { 12294b791044cd0984c9a1771e86fa77fce9d309d9e7Pablo M. Bermudo Garay printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n"); 12304b791044cd0984c9a1771e86fa77fce9d309d9e7Pablo M. Bermudo Garay exit(EXIT_FAILURE); 12314b791044cd0984c9a1771e86fa77fce9d309d9e7Pablo M. Bermudo Garay } 12324b791044cd0984c9a1771e86fa77fce9d309d9e7Pablo M. Bermudo Garay 123350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = list_entries(h, p.chain, p.table, p.rulenum, 123450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs.options & OPT_VERBOSE, 123550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs.options & OPT_NUMERIC, 123650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs.options & OPT_EXPANDED, 123750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs.options & OPT_LINENUMBERS); 123850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (ret && (p.command & CMD_ZERO)) { 123950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_chain_zero_counters(h, p.chain, 124050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p.table); 124150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso } 124250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (ret && (p.command & CMD_ZERO_NUM)) { 124350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_rule_zero_counters(h, p.chain, p.table, 124450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p.rulenum - 1); 124550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso } 1246384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1247384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_LIST_RULES: 1248384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_LIST_RULES|CMD_ZERO: 1249384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_LIST_RULES|CMD_ZERO_NUM: 125050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = list_rules(h, p.chain, p.table, p.rulenum, 125150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs.options & OPT_VERBOSE); 125250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (ret && (p.command & CMD_ZERO)) { 125350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_chain_zero_counters(h, p.chain, 125450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p.table); 125550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso } 125650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (ret && (p.command & CMD_ZERO_NUM)) { 125750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_rule_zero_counters(h, p.chain, p.table, 125850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p.rulenum - 1); 125950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso } 1260384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1261384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_NEW_CHAIN: 126250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_chain_user_add(h, p.chain, p.table); 1263384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1264384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_DELETE_CHAIN: 126550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_chain_user_del(h, p.chain, p.table); 1266384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1267384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_RENAME_CHAIN: 126850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_chain_user_rename(h, p.chain, p.table, p.newname); 1269384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1270384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case CMD_SET_POLICY: 127150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL); 1272384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (ret < 0) 1273384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n", 127450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p.policy); 1275384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1276384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso default: 1277384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* We should never reach this... */ 1278384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso exit_tryhelp(2); 1279384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 1280384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 128150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso *table = p.table; 1282384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1283c11ad7cce0d7195e12347bd4a3092ac24e19f8b4Pablo Neira Ayuso xtables_rule_matches_free(&cs.matches); 1284384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 128526d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso if (h->family == AF_INET) { 128626d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso free(args.s.addr.v4); 128726d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso free(args.s.mask.v4); 128826d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso free(args.d.addr.v4); 128926d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso free(args.d.mask.v4); 129026d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso } else if (h->family == AF_INET6) { 129126d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso free(args.s.addr.v6); 129226d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso free(args.s.mask.v6); 129326d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso free(args.d.addr.v6); 129426d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso free(args.d.mask.v6); 12950391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 1296384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_free_opts(1); 1297384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1298384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return ret; 1299384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 1300