xtables.c revision 50b056ce99517939cc4c0f5e278d32a252b71ee6
/* Code to take an iptables-style command line and do it. */

/*
 * Author: Paul.Russell@rustcorp.com.au and mneuling@radlogic.com.au
 *
 * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>:
 *		    Paul 'Rusty' Russell <rusty@rustcorp.com.au>
 *		    Marc Boucher <marc+nf@mbsi.ca>
 *		    James Morris <jmorris@intercode.com.au>
 *		    Harald Welte <laforge@gnumonks.org>
 *		    Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License as published by
 *	the Free Software Foundation; either version 2 of the License, or
 *	(at your option) any later version.
 *
 *	This program is distributed in the hope that it will be useful,
 *	but WITHOUT ANY WARRANTY; without even the implied warranty of
 *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *	GNU General Public License for more details.
 *
 *	You should have received a copy of the GNU General Public License
 *	along with this program; if not, write to the Free Software
 *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */

#include <getopt.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <stdarg.h>
#include <limits.h>
#include <unistd.h>
#include <iptables.h>
#include <xtables.h>
#include <fcntl.h>
#include "xshared.h"
#include "nft-shared.h"
#include "nft.h"

#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif

/*
 * Command letters, indexed by command bit position (see cmd2char()).
 * NOTE(review): 15 letters are listed while NUMBER_OF_CMD is 16; the
 * command bit values are defined outside this file, so confirm that no
 * command uses bit 15.
 */
#define NUMBER_OF_CMD	16
static const char cmdflags[] = {
	'I', 'D', 'D', 'R', 'A',
	'L', 'F', 'Z', 'N', 'X',
	'P', 'E', 'S', 'Z', 'C',
};

/* Option letters, indexed by option bit position (see opt2char()). */
#define OPT_FRAGMENT	0x00800U
#define NUMBER_OF_OPT	ARRAY_SIZE(optflags)
static const char optflags[] = {
	'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f',
};

/*
 * Long options handed to getopt through xtables_globals.orig_opts.
 * has_arg uses the <getopt.h> names: no_argument (0), required_argument (1)
 * and optional_argument (2).
 */
static struct option original_opts[] = {
	{.name = "append",        .has_arg = required_argument, .val = 'A'},
	{.name = "delete",        .has_arg = required_argument, .val = 'D'},
	{.name = "check",         .has_arg = required_argument, .val = 'C'},
	{.name = "insert",        .has_arg = required_argument, .val = 'I'},
	{.name = "replace",       .has_arg = required_argument, .val = 'R'},
	{.name = "list",          .has_arg = optional_argument, .val = 'L'},
	{.name = "list-rules",    .has_arg = optional_argument, .val = 'S'},
	{.name = "flush",         .has_arg = optional_argument, .val = 'F'},
	{.name = "zero",          .has_arg = optional_argument, .val = 'Z'},
	{.name = "new-chain",     .has_arg = required_argument, .val = 'N'},
	{.name = "delete-chain",  .has_arg = optional_argument, .val = 'X'},
	{.name = "rename-chain",  .has_arg = required_argument, .val = 'E'},
	{.name = "policy",        .has_arg = required_argument, .val = 'P'},
	{.name = "source",        .has_arg = required_argument, .val = 's'},
	{.name = "destination",   .has_arg = required_argument, .val = 'd'},
	{.name = "src",           .has_arg = required_argument, .val = 's'}, /* synonym */
	{.name = "dst",           .has_arg = required_argument, .val = 'd'}, /* synonym */
	{.name = "protocol",      .has_arg = required_argument, .val = 'p'},
	{.name = "in-interface",  .has_arg = required_argument, .val = 'i'},
	{.name = "jump",          .has_arg = required_argument, .val = 'j'},
	{.name = "table",         .has_arg = required_argument, .val = 't'},
	{.name = "match",         .has_arg = required_argument, .val = 'm'},
	{.name = "numeric",       .has_arg = no_argument,       .val = 'n'},
	{.name = "out-interface", .has_arg = required_argument, .val = 'o'},
	{.name = "verbose",       .has_arg = no_argument,       .val = 'v'},
	{.name = "wait",          .has_arg = optional_argument, .val = 'w'},
	{.name = "exact",         .has_arg = no_argument,       .val = 'x'},
	{.name = "fragments",     .has_arg = no_argument,       .val = 'f'},
	{.name = "version",       .has_arg = no_argument,       .val = 'V'},
	{.name = "help",          .has_arg = optional_argument, .val = 'h'},
	{.name = "line-numbers",  .has_arg = no_argument,       .val = '0'},
	{.name = "modprobe",      .has_arg = required_argument, .val = 'M'},
	{.name = "set-counters",  .has_arg = required_argument, .val = 'c'},
	{.name = "goto",          .has_arg = required_argument, .val = 'g'},
	{.name = "ipv4",          .has_arg = no_argument,       .val = '4'},
	{.name = "ipv6",          .has_arg = no_argument,       .val = '6'},
	{NULL},
};

/*
 * The format attribute lets the compiler check every caller's arguments
 * against msg, which is expanded by vfprintf() in the definition.
 */
void xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
	__attribute__((noreturn, format(printf,2,3)));

struct xtables_globals xtables_globals = {
	.option_offset   = 0,
	.program_version = IPTABLES_VERSION,
	.orig_opts       = original_opts,
	.exit_err        = xtables_exit_error,
	.compat_rev      = nft_compatible_revision,
};

/* Table of legal combinations of commands and options.  If any of the
 * given commands make an option legal, that option is legal (applies to
 * CMD_LIST and CMD_ZERO only).
 * Key:
 *  +  compulsory
 *  x  illegal
 *     optional (blank)
 *
 * NOTE(review): generic_opt_check() selects a row by command bit position,
 * the same index cmd2char() uses for cmdflags[].  From index 8 on, the row
 * labels below (ZERO_NUM, NEW_CHAIN, DEL_CHAIN, SET_POLICY, RENAME,
 * LIST_RULES) do not follow the cmdflags order ('N', 'X', 'P', 'E', 'S',
 * 'Z').  The command bit values are defined outside this file; confirm
 * which order they follow, because the one row that differs in that range
 * (labelled SET_POLICY, it permits -c) decides whether an option is accepted.
 * Only 15 of the NUMBER_OF_CMD rows are initialised; the remaining row is
 * zero-filled, and a zero byte is not 'x', so it reads as "optional".
 */

static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
/* Well, it's better than "Re: Linux vs FreeBSD" */
{
	/*     -n  -s  -d  -p  -j  -v  -x  -i  -o --line -c -f */
/*INSERT*/    {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
/*DELETE*/    {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
/*DELETE_NUM*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*REPLACE*/   {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
/*APPEND*/    {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
/*LIST*/      {' ','x','x','x','x',' ',' ','x','x',' ','x','x'},
/*FLUSH*/     {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*ZERO*/      {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*ZERO_NUM*/  {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' ','x'},
/*RENAME*/    {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*CHECK*/     {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
};

/*
 * Inversion flag for each option, in optflags order; 0 marks an option for
 * which no inversion flag exists.
 */
static const int inverse_for_options[NUMBER_OF_OPT] =
{
/* -n */ 0,
/* -s */ IPT_INV_SRCIP,
/* -d */ IPT_INV_DSTIP,
/* -p */ XT_INV_PROTO,
/* -j */ 0,
/* -v */ 0,
/* -x */ 0,
/* -i */ IPT_INV_VIA_IN,
/* -o */ IPT_INV_VIA_OUT,
/*--line*/ 0,
/* -c */ 0,
/* -f */ IPT_INV_FRAG,
};
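/* Shorthands for the fields of the global xtables_globals. */
#define opts xtables_globals.opts
#define prog_name xtables_globals.program_name
#define prog_vers xtables_globals.program_version

/*
 * Print a "try --help" hint on stderr and terminate with @status.
 * When the global `line` is not -1 the line number is reported first.
 * Option storage is released with xtables_free_opts(1) before exit().
 */
static void __attribute__((noreturn))
exit_tryhelp(int status)
{
	if (line != -1)
		fprintf(stderr, "Error occurred at line: %d\n", line);
	fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
		prog_name, prog_name);
	xtables_free_opts(1);
	exit(status);
}

/*
 * Print the full usage text on stdout, then the help of the loaded
 * extensions (targets and @matches), and exit with status 0.
 */
static void
exit_printhelp(const struct xtables_rule_match *matches)
{
	/* 12 conversions below, 12 arguments: name, version, then 10x name. */
	printf("%s v%s\n\n"
"Usage: %s -[ACD] chain rule-specification [options]\n"
" %s -I chain [rulenum] rule-specification [options]\n"
" %s -R chain rulenum rule-specification [options]\n"
" %s -D chain rulenum [options]\n"
" %s -[LS] [chain [rulenum]] [options]\n"
" %s -[FZ] [chain] [options]\n"
" %s -[NX] chain\n"
" %s -E old-chain-name new-chain-name\n"
" %s -P chain target [options]\n"
" %s -h (print this help information)\n\n",
	       prog_name, prog_vers, prog_name, prog_name,
	       prog_name, prog_name, prog_name, prog_name,
	       prog_name, prog_name, prog_name, prog_name);

	printf(
"Commands:\n"
"Either long or short options are allowed.\n"
" --append -A chain Append to chain\n"
" --check -C chain Check for the existence of a rule\n"
" --delete -D chain Delete matching rule from chain\n"
" --delete -D chain rulenum\n"
" Delete rule rulenum (1 = first) from chain\n"
" --insert -I chain [rulenum]\n"
" Insert in chain as rulenum (default 1=first)\n"
" --replace -R chain rulenum\n"
" Replace rule rulenum (1 = first) in chain\n"
" --list -L [chain [rulenum]]\n"
" List the rules in a chain or all chains\n"
" --list-rules -S [chain [rulenum]]\n"
" Print the rules in a chain or all chains\n"
" --flush -F [chain] Delete all rules in chain or all chains\n"
" --zero -Z [chain [rulenum]]\n"
" Zero counters in chain or all chains\n"
" --new -N chain Create a new user-defined chain\n"
" --delete-chain\n"
" -X [chain] Delete a user-defined chain\n"
" --policy -P chain target\n"
" Change policy on chain to target\n"
" --rename-chain\n"
" -E old-chain new-chain\n"
" Change chain name, (moving any references)\n"

"Options:\n"
" --ipv4 -4 Nothing (line is ignored by ip6tables-restore)\n"
" --ipv6 -6 Error (line is ignored by iptables-restore)\n"
"[!] --proto -p proto protocol: by number or name, eg. `tcp'\n"
"[!] --source -s address[/mask][...]\n"
" source specification\n"
"[!] --destination -d address[/mask][...]\n"
" destination specification\n"
"[!] --in-interface -i input name[+]\n"
" network interface name ([+] for wildcard)\n"
" --jump -j target\n"
" target for rule (may load target extension)\n"
#ifdef IPT_F_GOTO
" --goto -g chain\n"
" jump to chain with no return\n"
#endif
" --match -m match\n"
" extended match (may load extension)\n"
" --numeric -n numeric output of addresses and ports\n"
"[!] --out-interface -o output name[+]\n"
" network interface name ([+] for wildcard)\n"
" --table -t table table to manipulate (default: `filter')\n"
" --verbose -v verbose mode\n"
" --line-numbers print line numbers when listing\n"
" --exact -x expand numbers (display exact values)\n"
"[!] --fragment -f match second or further fragments only\n"
" --modprobe=<command> try to insert modules using this command\n"
" --set-counters PKTS BYTES set the counter during insert/append\n"
"[!] --version -V print package version.\n");

	print_extension_helps(xtables_targets, matches);
	exit(0);
}

/*
 * Report a fatal error on stderr as "<program> v<version>: <message>" and
 * exit with @status.  Installed as xtables_globals.exit_err.
 *
 * @msg is a printf-style format expanded by vfprintf(): callers must pass a
 * format of their own and hand user-supplied text over as an argument
 * ("%s"), never as @msg itself.  The prototype's format(printf,2,3)
 * attribute lets the compiler check this at each call site.
 */
void
xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
{
	va_list args;

	va_start(args, msg);
	fprintf(stderr, "%s v%s: ", prog_name, prog_vers);
	vfprintf(stderr, msg, args);
	va_end(args);
	fprintf(stderr, "\n");
	/* exit_tryhelp() does not return, so nothing below runs for this status. */
	if (status == PARAMETER_PROBLEM)
		exit_tryhelp(status);
	if (status == VERSION_PROBLEM)
		fprintf(stderr,
			"Perhaps iptables or your kernel needs to be upgraded.\n");
	/* On error paths, make sure that we don't leak memory */
	xtables_free_opts(1);
	exit(status);
}

/*
 * Validate the option bitmask @options against the command bitmask @command
 * using commands_v_options.  Reports PARAMETER_PROBLEM through
 * xtables_error() when a compulsory option is missing or when an option is
 * illegal for every command given.
 */
static void
generic_opt_check(int command, int options)
{
	int i, j, legal = 0;

	/* Check that commands are valid with options.	Complicated by the
	 * fact that if an option is legal with *any* command given, it is
	 * legal overall (ie. -z and -l).
	 */
	for (i = 0; i < NUMBER_OF_OPT; i++) {
		legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */

		for (j = 0; j < NUMBER_OF_CMD; j++) {
			/* Only rows of commands that were actually given count. */
			if (!(command & (1<<j)))
				continue;

			if (!(options & (1<<i))) {
				if (commands_v_options[j][i] == '+')
					xtables_error(PARAMETER_PROBLEM,
						   "You need to supply the `-%c' "
						   "option for this command\n",
						   optflags[i]);
			} else {
				/* One permitting command is enough; 'x' only
				 * wins while nothing has permitted it yet. */
				if (commands_v_options[j][i] != 'x')
					legal = 1;
				else if (legal == 0)
					legal = -1;
			}
		}
		if (legal == -1)
			xtables_error(PARAMETER_PROBLEM,
				   "Illegal option `-%c' with this command\n",
				   optflags[i]);
	}
}

/*
 * Map an option bit to its letter in optflags: the index is the number of
 * right shifts needed to bring @option down to 1 or below.  A bit position
 * that has no entry in optflags yields '?' rather than a read past the end
 * of the array.
 */
static char
opt2char(int option)
{
	size_t idx = 0;

	while (option > 1) {
		option >>= 1;
		idx++;
	}

	return idx < ARRAY_SIZE(optflags) ? optflags[idx] : '?';
}

/*
 * Map a command bit to its letter in cmdflags, same scheme as opt2char().
 * cmdflags holds fewer letters than NUMBER_OF_CMD, so the index is checked
 * and '?' is returned for a position without an entry.
 */
static char
cmd2char(int option)
{
	size_t idx = 0;

	while (option > 1) {
		option >>= 1;
		idx++;
	}

	return idx < ARRAY_SIZE(cmdflags) ? cmdflags[idx] : '?';
}

/*
 * Add @newcmd to the command mask *@cmd.  Rejects an inverted ("!") command
 * and any command already set in *@cmd that is not listed in @othercmds,
 * both with PARAMETER_PROBLEM.
 */
static void
add_command(unsigned int *cmd, const int newcmd, const int othercmds,
	    int invert)
{
	if (invert)
		xtables_error(PARAMETER_PROBLEM, "unexpected ! flag");
	if (*cmd & (~othercmds))
		xtables_error(PARAMETER_PROBLEM, "Cannot use -%c with -%c\n",
			   cmd2char(newcmd), cmd2char(*cmd & (~othercmds)));
	*cmd |= newcmd;
}

/*
 *	All functions starting with "parse" should succeed, otherwise
 *	the program fails.
 *	Most routines return pointers to static data that may change
 *	between calls to the same or other routines with a few exceptions:
 *	"host_to_addr", "parse_hostnetwork", and "parse_hostnetworkmask"
 *	return global static data.
*/

/* Christophe Burki wants `-p 6' to imply `-m tcp'.  */
/*
 * Parse a rule number given on the command line.  Can't be zero: the
 * accepted range is 1..INT_MAX, so the value always fits the int return
 * type.  Anything else is reported as PARAMETER_PROBLEM.
 */
static int
parse_rulenumber(const char *rule)
{
	unsigned int rulenum;

	if (!xtables_strtoui(rule, NULL, &rulenum, 1, INT_MAX))
		xtables_error(PARAMETER_PROBLEM,
			   "Invalid rule number `%s'", rule);

	return rulenum;
}

/*
 * Validate a target name taken from the command line and return it
 * unchanged.  The name must be non-empty, shorter than
 * XT_EXTENSION_MAXNAMELEN and free of whitespace; otherwise
 * PARAMETER_PROBLEM is reported.
 */
static const char *
parse_target(const char *targetname)
{
	const char *ptr;
	size_t len = strlen(targetname);

	if (len < 1)
		xtables_error(PARAMETER_PROBLEM,
			   "Invalid target name (too short)");

	if (len >= XT_EXTENSION_MAXNAMELEN)
		xtables_error(PARAMETER_PROBLEM,
			   "Invalid target name `%s' (%u chars max)",
			   targetname, XT_EXTENSION_MAXNAMELEN - 1);

	for (ptr = targetname; *ptr; ptr++)
		/* <ctype.h> takes an unsigned char value or EOF; a plain
		 * char holding a byte >= 0x80 may be negative, which is
		 * undefined behaviour without the cast. */
		if (isspace((unsigned char)*ptr))
			xtables_error(PARAMETER_PROBLEM,
				   "Invalid target name `%s'", targetname);
	return targetname;
}

static void
set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
	   int invert)
{
	if (*options & option)
		xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed",
			   opt2char(option));
	*options |= option;

	if (invert) {
		unsigned int i;
		for (i = 0; 1 << i != option; i++);

		if (!inverse_for_options[i])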
xtables_error(PARAMETER_PROBLEM, 398384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "cannot have ! before -%c", 399384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(option)); 400384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso *invflg |= inverse_for_options[i]; 401384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 402384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 403384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 404384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 405384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoadd_entry(const char *chain, 406384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso const char *table, 407384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct iptables_command_state *cs, 408cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso int rulenum, int family, 4090391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask s, 4100391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask d, 411384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso bool verbose, struct nft_handle *h, bool append) 412384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 413384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int i, j; 414384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int ret = 1; 415384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 4160391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (i = 0; i < s.naddrs; i++) { 4170391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka if (family == AF_INET) { 4180391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr; 4190391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr; 4200391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 4210391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz 
Bursztyka cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr; 4220391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr; 423384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 424cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso if (append) { 425cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso ret = nft_rule_append(h, chain, table, 426cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso cs, 0, 427cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso verbose); 428cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso } else { 429cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso ret = nft_rule_insert(h, chain, table, 430cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso cs, rulenum, 431cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso verbose); 432cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso } 4330391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 4340391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } else if (family == AF_INET6) { 4350391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.src, 4360391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.addr.v6[i], sizeof(struct in6_addr)); 4370391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.smsk, 4380391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.mask.v6[i], sizeof(struct in6_addr)); 4390391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 4400391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dst, 4410391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.addr.v6[j], sizeof(struct in6_addr)); 4420391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dmsk, 4430391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.mask.v6[j], sizeof(struct in6_addr)); 444cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso if (append) { 
445cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso ret = nft_rule_append(h, chain, table, 44696180491d51853a4315ba4eeb29a53505b6515e5Pablo Neira Ayuso cs, 0, 447cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso verbose); 448cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso } else { 449cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso ret = nft_rule_insert(h, chain, table, 450cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso cs, rulenum, 451cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso verbose); 452cf95f347e52ca8badc6a7149045d9c09f4fa666dPablo Neira Ayuso } 4530391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 454384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 455384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 456384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 457384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return ret; 458384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 459384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 460384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 461384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusoreplace_entry(const char *chain, const char *table, 462384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct iptables_command_state *cs, 463384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int rulenum, 4640391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka int family, 4650391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask s, 4660391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask d, 467384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso bool verbose, struct nft_handle *h) 468384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 4690391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka if (family == AF_INET) { 4700391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.src.s_addr = 
s.addr.v4->s_addr; 4710391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dst.s_addr = d.addr.v4->s_addr; 4720391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.smsk.s_addr = s.mask.v4->s_addr; 4730391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dmsk.s_addr = d.mask.v4->s_addr; 4740391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } else if (family == AF_INET6) { 4750391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.src, s.addr.v6, sizeof(struct in6_addr)); 4760391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dst, d.addr.v6, sizeof(struct in6_addr)); 4770391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.smsk, s.mask.v6, sizeof(struct in6_addr)); 4780391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dmsk, d.mask.v6, sizeof(struct in6_addr)); 4790391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } else 4800391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka return 1; 481384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 482384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return nft_rule_replace(h, chain, table, cs, rulenum, verbose); 483384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 484384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 485384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 486384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusodelete_entry(const char *chain, const char *table, 487384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct iptables_command_state *cs, 4880391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka int family, 4890391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask s, 4900391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask d, 491384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso bool verbose, 
492384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct nft_handle *h) 493384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 494384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int i, j; 495384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int ret = 1; 496384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 4970391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (i = 0; i < s.naddrs; i++) { 4980391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka if (family == AF_INET) { 4990391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr; 5000391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr; 5010391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 5020391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr; 5030391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr; 5040391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka ret = nft_rule_delete(h, chain, 5050391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka table, cs, verbose); 5060391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 5070391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } else if (family == AF_INET6) { 5080391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.src, 5090391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.addr.v6[i], sizeof(struct in6_addr)); 5100391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.smsk, 5110391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.mask.v6[i], sizeof(struct in6_addr)); 5120391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 5130391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dst, 5140391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka 
&d.addr.v6[j], sizeof(struct in6_addr)); 5150391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dmsk, 5160391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.mask.v6[j], sizeof(struct in6_addr)); 5170391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka ret = nft_rule_delete(h, chain, 5180391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka table, cs, verbose); 5190391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 520384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 521384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 522384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 523384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return ret; 524384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 525384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 526384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 527384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusocheck_entry(const char *chain, const char *table, 528384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct iptables_command_state *cs, 5290391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka int family, 5300391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask s, 5310391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka const struct addr_mask d, 532384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso bool verbose, struct nft_handle *h) 533384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 534384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int i, j; 535384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int ret = 1; 536384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 5370391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (i = 0; i < s.naddrs; i++) { 5380391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka if (family == AF_INET) { 5390391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka 
cs->fw.ip.src.s_addr = s.addr.v4[i].s_addr; 5400391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.smsk.s_addr = s.mask.v4[i].s_addr; 5410391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 5420391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr; 5430391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr; 5440391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka ret = nft_rule_check(h, chain, 5450391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka table, cs, verbose); 5460391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 5470391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } else if (family == AF_INET6) { 5480391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.src, 5490391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.addr.v6[i], sizeof(struct in6_addr)); 5500391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.smsk, 5510391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &s.mask.v6[i], sizeof(struct in6_addr)); 5520391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka for (j = 0; j < d.naddrs; j++) { 5530391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dst, 5540391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.addr.v6[j], sizeof(struct in6_addr)); 5550391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka memcpy(&cs->fw6.ipv6.dmsk, 5560391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka &d.mask.v6[j], sizeof(struct in6_addr)); 5570391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka ret = nft_rule_check(h, chain, 5580391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka table, cs, verbose); 5590391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 560384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 561384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 
562384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 563384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return ret; 564384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 565384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 566384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 567384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusolist_entries(struct nft_handle *h, const char *chain, const char *table, 568384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int rulenum, int verbose, int numeric, int expanded, 569384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int linenumbers) 570384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 571384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso unsigned int format; 572384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 573384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format = FMT_OPTIONS; 574384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!verbose) 575384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format |= FMT_NOCOUNTS; 576384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 577384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format |= FMT_VIA; 578384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 579384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (numeric) 580384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format |= FMT_NUMERIC; 581384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 582384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!expanded) 583384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format |= FMT_KILOMEGAGIGA; 584384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 585384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (linenumbers) 586384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso format |= FMT_LINENUMBERS; 587384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 
588384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return nft_rule_list(h, chain, table, rulenum, format); 589384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 590384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 591384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic int 592384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusolist_rules(struct nft_handle *h, const char *chain, const char *table, 593384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso int rulenum, int counters) 594384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 595384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (counters) 596384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso counters = -1; /* iptables -c format */ 597384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 598384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso nft_rule_list_save(h, chain, table, rulenum, counters); 599384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 60010f92fce0a2ea1805c8b269543b8f1738d22bf3dPablo Neira Ayuso /* iptables does not return error if rule number not found */ 601384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return 1; 602384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 603384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 604384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic void command_jump(struct iptables_command_state *cs) 605384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 606384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso size_t size; 607384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 608384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso set_option(&cs->options, OPT_JUMP, &cs->fw.ip.invflags, cs->invert); 609384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->jumpto = parse_target(optarg); 610384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* TRY_LOAD (may be chain name) */ 
611384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD); 612384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 613384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (cs->target == NULL) 614384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return; 615384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 616384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso size = XT_ALIGN(sizeof(struct xt_entry_target)) 617384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso + cs->target->size; 618384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 619384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target->t = xtables_calloc(1, size); 620384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target->t->u.target_size = size; 621384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (cs->target->real_name == NULL) { 622384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso strcpy(cs->target->t->u.user.name, cs->jumpto); 623384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } else { 624384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Alias support for userspace side */ 625384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso strcpy(cs->target->t->u.user.name, cs->target->real_name); 626384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!(cs->target->ext_flags & XTABLES_EXT_ALIAS)) 627384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso fprintf(stderr, "Notice: The %s target is converted into %s target " 628384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "in rule listing and saving.\n", 629384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->jumpto, cs->target->real_name); 630384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 631384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target->t->u.user.revision = cs->target->revision; 
632384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xs_init_target(cs->target); 633384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 634384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (cs->target->x6_options != NULL) 6355a1b519d1e26767fa1f0de15b0f7e125531a1719Pablo Neira Ayuso opts = xtables_options_xfrm(xtables_globals.orig_opts, opts, 636384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target->x6_options, 637384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso &cs->target->option_offset); 638384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 6395a1b519d1e26767fa1f0de15b0f7e125531a1719Pablo Neira Ayuso opts = xtables_merge_options(xtables_globals.orig_opts, opts, 640384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cs->target->extra_opts, 641384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso &cs->target->option_offset); 642384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (opts == NULL) 643384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(OTHER_PROBLEM, "can't alloc memory!"); 644384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 645384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 646384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayusostatic void command_match(struct iptables_command_state *cs) 647384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 648384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct xtables_match *m; 649384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso size_t size; 650384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 651384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (cs->invert) 652384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 653384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "unexpected ! 
flag before --match"); 654384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 655384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, &cs->matches); 656384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size; 657384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->m = xtables_calloc(1, size); 658384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->m->u.match_size = size; 659384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (m->real_name == NULL) { 660384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso strcpy(m->m->u.user.name, m->name); 661384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } else { 662384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso strcpy(m->m->u.user.name, m->real_name); 663384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (!(m->ext_flags & XTABLES_EXT_ALIAS)) 664384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso fprintf(stderr, "Notice: the %s match is converted into %s match " 665384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "in rule listing and saving.\n", m->name, m->real_name); 666384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 667384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->m->u.user.revision = m->revision; 668384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xs_init_match(m); 669384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (m == m->next) 670384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso return; 671384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Merge options for non-cloned matches */ 672384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (m->x6_options != NULL) 6735a1b519d1e26767fa1f0de15b0f7e125531a1719Pablo Neira Ayuso opts = xtables_options_xfrm(xtables_globals.orig_opts, opts, 674384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->x6_options, 
&m->option_offset); 675384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else if (m->extra_opts != NULL) 6765a1b519d1e26767fa1f0de15b0f7e125531a1719Pablo Neira Ayuso opts = xtables_merge_options(xtables_globals.orig_opts, opts, 677384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->extra_opts, &m->option_offset); 678384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (opts == NULL) 679384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(OTHER_PROBLEM, "can't alloc memory!"); 680384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso} 681384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 68250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayusovoid do_parse(struct nft_handle *h, int argc, char *argv[], 68350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso struct nft_xt_cmd_parse *p, struct iptables_command_state *cs, 68450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso struct xtables_args *args) 685384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso{ 686384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct xtables_match *m; 687384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct xtables_rule_match *matchp; 688384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso struct xtables_target *t; 68950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso int wait = 0; 690384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 69150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso memset(cs, 0, sizeof(*cs)); 69250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->jumpto = ""; 69350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->argv = argv; 694384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 695384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* re-set optind to 0 in case do_command4 gets called 696384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * a second time */ 697384958620abab397062b67fb2763e813b63f74f0Pablo 
Neira Ayuso optind = 0; 698384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 699384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* clear mflags in case do_command4 gets called a second time 700384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * (we clear the global list of all matches for security)*/ 701384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso for (m = xtables_matches; m; m = m->next) 702384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso m->mflags = 0; 703384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 704384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso for (t = xtables_targets; t; t = t->next) { 705384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso t->tflags = 0; 706384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso t->used = 0; 707384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 708384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 709384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Suppress error messages: we may add new options if we 710384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso demand-load a protocol. 
*/ 711384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opterr = 0; 712384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 7135cab9c3c8209e9491f0f252e03dd48ae4cb5ab63Pablo Neira Ayuso h->ops = nft_family_ops_lookup(h->family); 7144b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso if (h->ops == NULL) 7154b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, "Unknown family"); 7164b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso 717384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opts = xt_params->orig_opts; 71850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso while ((cs->c = getopt_long(argc, argv, 719aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::nt:m:xc:g:46", 720384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opts, NULL)) != -1) { 72150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso switch (cs->c) { 722384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* 723384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Command selection 724384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */ 725384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'A': 72650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_APPEND, CMD_NONE, 72750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 72850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 729384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 730384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 731384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'C': 73250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_CHECK, CMD_NONE, 73350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 73450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 
735384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 736384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 737384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'D': 73850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_DELETE, CMD_NONE, 73950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 74050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 741384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optind < argc && argv[optind][0] != '-' 742384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') { 74350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 74450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command = CMD_DELETE_NUM; 745384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 746384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 747384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 748384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'R': 74950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_REPLACE, CMD_NONE, 75050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 75150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 752384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optind < argc && argv[optind][0] != '-' 753384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 75450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 755384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 756384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 757384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c requires a rule number", 758384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 
cmd2char(CMD_REPLACE)); 759384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 760384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 761384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'I': 76250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_INSERT, CMD_NONE, 76350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 76450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 765384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optind < argc && argv[optind][0] != '-' 766384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 76750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 76850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso else 76950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = 1; 770384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 771384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 772384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'L': 77350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_LIST, 77450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso CMD_ZERO | CMD_ZERO_NUM, cs->invert); 77550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (optarg) 77650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 777384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else if (optind < argc && argv[optind][0] != '-' 778384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 77950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = argv[optind++]; 780384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optind < argc && argv[optind][0] != '-' 781384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 
78250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 783384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 784384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 785384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'S': 78650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_LIST_RULES, 78750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso CMD_ZERO|CMD_ZERO_NUM, cs->invert); 78850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (optarg) 78950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 790384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else if (optind < argc && argv[optind][0] != '-' 791384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 79250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = argv[optind++]; 793384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optind < argc && argv[optind][0] != '-' 794384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 79550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 796384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 797384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 798384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'F': 79950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_FLUSH, CMD_NONE, 80050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 80150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (optarg) 80250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 803384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else if (optind < argc && argv[optind][0] != '-' 804384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 
80550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = argv[optind++]; 806384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 807384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 808384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'Z': 80950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_ZERO, 81050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso CMD_LIST|CMD_LIST_RULES, cs->invert); 81150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (optarg) 81250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 813384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else if (optind < argc && argv[optind][0] != '-' 814384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 81550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = argv[optind++]; 816384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optind < argc && argv[optind][0] != '-' 817384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') { 81850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->rulenum = parse_rulenumber(argv[optind++]); 81950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command = CMD_ZERO_NUM; 820384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 821384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 822384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 823384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'N': 824384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optarg && (*optarg == '-' || *optarg == '!')) 825384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 826384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "chain name not allowed to start " 827384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "with `%c'\n", *optarg); 
828384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (xtables_find_target(optarg, XTF_TRY_LOAD)) 829384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 830384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "chain name may not clash " 831384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "with target name\n"); 83250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE, 83350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 83450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 835384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 836384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 837384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'X': 83850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_DELETE_CHAIN, CMD_NONE, 83950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 84050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (optarg) 84150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 842384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else if (optind < argc && argv[optind][0] != '-' 843384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 84450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = argv[optind++]; 845384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 846384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 847384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'E': 84850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_RENAME_CHAIN, CMD_NONE, 84950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 85050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 851384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if 
(optind < argc && argv[optind][0] != '-' 852384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 85350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->newname = argv[optind++]; 854384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 855384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 856384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c requires old-chain-name and " 857384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "new-chain-name", 858384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cmd2char(CMD_RENAME_CHAIN)); 859384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 860384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 861384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'P': 86250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso add_command(&p->command, CMD_SET_POLICY, CMD_NONE, 86350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 86450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain = optarg; 865384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optind < argc && argv[optind][0] != '-' 866384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso && argv[optind][0] != '!') 86750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->policy = argv[optind++]; 868384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 869384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 870384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c requires a chain and a policy", 871384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso cmd2char(CMD_SET_POLICY)); 872384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 873384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 874384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'h': 875384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 
if (!optarg) 876384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso optarg = argv[optind]; 877384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 878384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* iptables -p icmp -h */ 87950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (!cs->matches && cs->protocol) 88050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso xtables_find_match(cs->protocol, 88150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso XTF_TRY_LOAD, &cs->matches); 882384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 88350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso exit_printhelp(cs->matches); 884384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 885384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* 886384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Option selection 887384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso */ 888384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'p': 88950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_PROTOCOL, 89050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 891384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 892384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Canonicalize into lower case */ 89350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso for (cs->protocol = optarg; *cs->protocol; cs->protocol++) 89450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso *cs->protocol = tolower(*cs->protocol); 895384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 89650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->protocol = optarg; 89750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->proto = xtables_parse_protocol(cs->protocol); 898384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 89950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (args->proto == 0 && 
90050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso (args->invflags & XT_INV_PROTO)) 901384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 902384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "rule would never match protocol"); 9034b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso 9044b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso /* This needs to happen here to parse extensions */ 90550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->ops->proto_parse(cs, args); 906384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 907384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 908384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 's': 90950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_SOURCE, 91050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 91150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->shostnetworkmask = optarg; 912384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 913384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 914384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'd': 91550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_DESTINATION, 91650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 91750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->dhostnetworkmask = optarg; 918384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 919384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 920384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#ifdef IPT_F_GOTO 921384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'g': 92250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_JUMP, &args->invflags, 92350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 
92450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->goto_set = true; 92550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->jumpto = parse_target(optarg); 926384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 927384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso#endif 928384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 929384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'j': 93050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso command_jump(cs); 931384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 932384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 933384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 934384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'i': 935384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (*optarg == '\0') 936384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 937384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Empty interface is likely to be " 938384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "undesired"); 93950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_VIANAMEIN, 94050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 941384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_parse_interface(optarg, 94250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->iniface, 94350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->iniface_mask); 944384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 945384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 946384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'o': 947384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (*optarg == '\0') 948384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 
949384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Empty interface is likely to be " 950384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "undesired"); 95150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_VIANAMEOUT, 95250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 953384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_parse_interface(optarg, 95450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->outiface, 95550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->outiface_mask); 956384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 957384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 958384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'f': 95950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (args->family == AF_INET6) { 9600391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka xtables_error(PARAMETER_PROBLEM, 9610391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka "`-f' is not supported in IPv6, " 9620391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka "use -m frag instead"); 9630391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka } 96450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_FRAGMENT, &args->invflags, 96550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 96650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->flags |= IPT_F_FRAG; 967384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 968384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 969384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'v': 97050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (!p->verbose) 97150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_VERBOSE, 97250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 
97350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->verbose++; 974384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 975384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 976384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'm': 97750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso command_match(cs); 978384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 979384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 980384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'n': 98150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_NUMERIC, &args->invflags, 98250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 983384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 984384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 985384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 't': 98650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->invert) 987384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 988384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "unexpected ! 
flag before --table"); 98950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->table = optarg; 990384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 991384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 992384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'x': 99350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_EXPANDED, &args->invflags, 99450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 995384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 996384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 997384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'V': 99850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->invert) 999384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso printf("Not %s ;-)\n", prog_vers); 1000384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso else 1001384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso printf("%s v%s\n", 1002384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso prog_name, prog_vers); 1003384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso exit(0); 1004384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 10057851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka case 'w': 100650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (p->restore) { 10077851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka xtables_error(PARAMETER_PROBLEM, 10087851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka "You cannot use `-w' from " 10097851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka "iptables-restore"); 10107851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka } 1011aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka if (optarg) { 1012aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka if (sscanf(optarg, "%i", &wait) != 1) 1013aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka xtables_error(PARAMETER_PROBLEM, 
1014aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka "wait seconds not numeric"); 1015aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka } else if (optind < argc && argv[optind][0] != '-' 1016aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka && argv[optind][0] != '!') 1017aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka if (sscanf(argv[optind++], "%i", &wait) != 1) 1018aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka xtables_error(PARAMETER_PROBLEM, 1019aaa4ace72ba1d195bbf436134a336816c33f7bd0Jiri Popelka "wait seconds not numeric"); 10207851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka break; 10217851975e5055381d30f0788d90671485695928e1Tomasz Bursztyka 1022384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case '0': 102350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_LINENUMBERS, 102450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso &args->invflags, cs->invert); 1025384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1026384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1027384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'M': 1028384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_modprobe_program = optarg; 1029384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1030384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1031384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 'c': 103250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso set_option(&cs->options, OPT_COUNTERS, &args->invflags, 103350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert); 103450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->pcnt = optarg; 103550b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->bcnt = strchr(args->pcnt + 1, ','); 103650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (args->bcnt) 103750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->bcnt++; 
103850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (!args->bcnt && optind < argc && 103926d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso argv[optind][0] != '-' && 104026d3a0d77c67289341361bbd3254f2257eec69a0Pablo Neira Ayuso argv[optind][0] != '!') 104150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->bcnt = argv[optind++]; 104250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (!args->bcnt) 1043384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1044384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c requires packet and byte counter", 1045384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(OPT_COUNTERS)); 1046384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 104750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (sscanf(args->pcnt, "%llu", &args->pcnt_cnt) != 1) 1048384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1049384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c packet counter not numeric", 1050384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(OPT_COUNTERS)); 1051384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 105250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (sscanf(args->bcnt, "%llu", &args->bcnt_cnt) != 1) 1053384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1054384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "-%c byte counter not numeric", 1055384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(OPT_COUNTERS)); 1056384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1057384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1058384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case '4': 105950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (args->family != AF_INET) 10600391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka 
exit_tryhelp(2); 10614b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso 106250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->ops = nft_family_ops_lookup(args->family); 1063384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1064384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1065384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case '6': 106650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso args->family = AF_INET6; 1067457819b952418501918b6e906bf5e21e3b4f9af8Pablo Neira Ayuso xtables_set_nfproto(AF_INET6); 10684b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso 106950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->ops = nft_family_ops_lookup(args->family); 10704b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso if (h->ops == NULL) 10714b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 10724b7a4afaa240e5d2039e612e125b045d5d1cb7faPablo Neira Ayuso "Unknown family"); 10730391677c1a0b28c14d01febd9628a543e8e5fd62Tomasz Bursztyka break; 1074384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1075384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso case 1: /* non option */ 1076384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optarg[0] == '!' && optarg[1] == '\0') { 107750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->invert) 1078384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1079384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "multiple consecutive ! 
not" 1080384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso " allowed"); 108150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert = TRUE; 1082384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso optarg[0] = '\0'; 1083384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso continue; 1084384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 1085384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso fprintf(stderr, "Bad argument `%s'\n", optarg); 1086384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso exit_tryhelp(2); 1087384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1088384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso default: 108950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (command_default(cs, &xtables_globals) == 1) 1090384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* cf. ip6tables.c */ 1091384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso continue; 1092384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso break; 1093384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 109450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso cs->invert = FALSE; 1095384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 1096384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 109750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (strcmp(p->table, "nat") == 0 && 109850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso ((p->policy != NULL && strcmp(p->policy, "DROP") == 0) || 109950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso (cs->jumpto != NULL && strcmp(cs->jumpto, "DROP") == 0))) 1100384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1101384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "\nThe \"nat\" table is not intended for filtering, " 1102384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "the use of DROP is therefore inhibited.\n\n"); 
1103384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 110450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso for (matchp = cs->matches; matchp; matchp = matchp->next) 1105384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_option_mfcall(matchp->match); 110650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->target != NULL) 110750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso xtables_option_tfcall(cs->target); 1108384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1109384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* Fix me: must put inverse options checking here --MN */ 1110384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1111384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso if (optind < argc) 1112384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1113384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "unknown arguments found on commandline"); 111450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (!p->command) 1115384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, "no command specified"); 111650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->invert) 1117384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1118384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "nothing appropriate following !"); 1119384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 11203f7877e6be987bb94897c03a45945725389a6f5cPablo Neira Ayuso /* Set only if required, needed by xtables-restore */ 11213f7877e6be987bb94897c03a45945725389a6f5cPablo Neira Ayuso if (h->family == AF_UNSPEC) 112250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->family = args->family; 11233f7877e6be987bb94897c03a45945725389a6f5cPablo Neira Ayuso 112450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso h->ops->post_parse(p->command, cs, args); 
11256838a7f51e6d95f904093e05e8bdc75ada70b93fPablo Neira Ayuso 112650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (p->command == CMD_REPLACE && 112750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso (args->s.naddrs != 1 || args->d.naddrs != 1)) 1128384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, "Replacement rule does not " 1129384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "specify a unique address"); 1130384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 113150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso generic_opt_check(p->command, cs->options); 1132384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 113350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (p->chain != NULL && strlen(p->chain) >= XT_EXTENSION_MAXNAMELEN) 1134384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1135384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "chain name `%s' too long (must be under %u chars)", 113650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain, XT_EXTENSION_MAXNAMELEN); 113750b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso 113850b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (p->command == CMD_APPEND || 113950b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command == CMD_DELETE || 114050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command == CMD_CHECK || 114150b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command == CMD_INSERT || 114250b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->command == CMD_REPLACE) { 114350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (strcmp(p->chain, "PREROUTING") == 0 114450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso || strcmp(p->chain, "INPUT") == 0) { 1145384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* -o not valid with incoming packets. 
*/ 114650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->options & OPT_VIANAMEOUT) 1147384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1148384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Can't use -%c with %s\n", 1149384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(OPT_VIANAMEOUT), 115050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain); 1151384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 1152384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 115350b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (strcmp(p->chain, "POSTROUTING") == 0 115450b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso || strcmp(p->chain, "OUTPUT") == 0) { 1155384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* -i not valid with outgoing packets */ 115650b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso if (cs->options & OPT_VIANAMEIN) 1157384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso xtables_error(PARAMETER_PROBLEM, 1158384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso "Can't use -%c with %s\n", 1159384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso opt2char(OPT_VIANAMEIN), 116050b056ce99517939cc4c0f5e278d32a252b71ee6Pablo Neira Ayuso p->chain); 1161384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso } 1162384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso 1163384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso /* 1164384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * Contrary to what iptables does, we assume that any jumpto 1165384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * is a custom chain jumps (if no target is found). Later on, 1166384958620abab397062b67fb2763e813b63f74f0Pablo Neira Ayuso * nf_table will spot the error if the chain does not exists. 
*/
	}
}

/*
 * Post-step shared by the two listing commands: once the listing itself
 * has returned nonzero, zero the counters of the whole chain (CMD_ZERO)
 * and/or of one rule (CMD_ZERO_NUM) when the command carries those bits.
 * Returns the result of the last call made, or ret unchanged if none ran.
 */
static int zero_counters_after_list(struct nft_handle *h,
				    const struct nft_xt_cmd_parse *p, int ret)
{
	if (ret && (p->command & CMD_ZERO))
		ret = nft_chain_zero_counters(h, p->chain, p->table);

	if (ret && (p->command & CMD_ZERO_NUM))
		ret = nft_rule_zero_counters(h, p->chain, p->table,
					     p->rulenum - 1);

	return ret;
}

/*
 * Parse an iptables-style command line and run the single command it
 * names against the nft handle.
 *
 * h       - handle the nft_* helpers operate on; do_parse() may fill in
 *           h->family from the parsed arguments when it is AF_UNSPEC.
 * argc,
 * argv    - command line, handed to do_parse() as is.
 * table   - in: initial table name; out: p.table as left by parsing.
 * restore - stored in the parse state for do_parse().
 *
 * Returns what the selected handler returned. The listing paths only go
 * on to zero counters when the listing returned nonzero, so nonzero
 * appears to mean success (confirm against the handlers). An unexpected
 * command value ends in exit_tryhelp(2).
 *
 * All chain, table and policy strings passed on below originate from the
 * caller's argv. The visible end of do_parse() bounds the length of
 * p.chain; NOTE(review): whether p.newname receives the same length
 * check is not visible from here, confirm before relying on it.
 */
int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
		bool restore)
{
	struct xtables_args args = {
		.family = h->family,
	};
	/*
	 * NOTE(review): cs is handed to do_parse() without an initialiser;
	 * presumably do_parse() clears it first (its start is not shown
	 * here). cs.options is read and cs.matches is freed below, so
	 * confirm.
	 */
	struct iptables_command_state cs;
	struct nft_xt_cmd_parse p = {
		.table = *table,
		.restore = restore,
	};
	int ret = 1;

	do_parse(h, argc, argv, &p, &cs, &args);

	/*
	 * Rule numbers are forwarded as p.rulenum - 1 by most handlers
	 * (presumably converting a 1-based number to an index, confirm);
	 * the two listing handlers receive p.rulenum unchanged.
	 */
	switch (p.command) {
	/* Rule add / remove / check / replace. */
	case CMD_APPEND:
		ret = add_entry(p.chain, p.table, &cs, 0, h->family,
				args.s, args.d,
				cs.options & OPT_VERBOSE, h, true);
		break;
	case CMD_INSERT:
		ret = add_entry(p.chain, p.table, &cs, p.rulenum - 1,
				h->family, args.s, args.d,
				cs.options & OPT_VERBOSE, h, false);
		break;
	case CMD_DELETE:
		ret = delete_entry(p.chain, p.table, &cs, h->family,
				   args.s, args.d,
				   cs.options & OPT_VERBOSE, h);
		break;
	case CMD_DELETE_NUM:
		ret = nft_rule_delete_num(h, p.chain, p.table,
					  p.rulenum - 1, p.verbose);
		break;
	case CMD_CHECK:
		ret = check_entry(p.chain, p.table, &cs, h->family,
				  args.s, args.d,
				  cs.options & OPT_VERBOSE, h);
		break;
	case CMD_REPLACE:
		ret = replace_entry(p.chain, p.table, &cs, p.rulenum - 1,
				    h->family, args.s, args.d,
				    cs.options & OPT_VERBOSE, h);
		break;

	/* Flush and counter reset. */
	case CMD_FLUSH:
		ret = nft_rule_flush(h, p.chain, p.table);
		break;
	case CMD_ZERO:
		ret = nft_chain_zero_counters(h, p.chain, p.table);
		break;
	case CMD_ZERO_NUM:
		ret = nft_rule_zero_counters(h, p.chain, p.table,
					     p.rulenum - 1);
		break;

	/* Listing, optionally followed by a counter reset. */
	case CMD_LIST:
	case CMD_LIST | CMD_ZERO:
	case CMD_LIST | CMD_ZERO_NUM:
		ret = list_entries(h, p.chain, p.table, p.rulenum,
				   cs.options & OPT_VERBOSE,
				   cs.options & OPT_NUMERIC,
				   cs.options & OPT_EXPANDED,
				   cs.options & OPT_LINENUMBERS);
		ret = zero_counters_after_list(h, &p, ret);
		break;
	case CMD_LIST_RULES:
	case CMD_LIST_RULES | CMD_ZERO:
	case CMD_LIST_RULES | CMD_ZERO_NUM:
		ret = list_rules(h, p.chain, p.table, p.rulenum,
				 cs.options & OPT_VERBOSE);
		ret = zero_counters_after_list(h, &p, ret);
		break;

	/* User chain management and policy. */
	case CMD_NEW_CHAIN:
		ret = nft_chain_user_add(h, p.chain, p.table);
		break;
	case CMD_DELETE_CHAIN:
		ret = nft_chain_user_del(h, p.chain, p.table);
		break;
	case CMD_RENAME_CHAIN:
		ret = nft_chain_user_rename(h, p.chain, p.table, p.newname);
		break;
	case CMD_SET_POLICY:
		ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL);
		/* A negative result is reported as a bad policy name. */
		if (ret < 0)
			xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n",
				      p.policy);
		break;

	default:
		/* We should never reach this... */
		exit_tryhelp(2);
	}

	/* Hand the table name held in the parse state back to the caller. */
	*table = p.table;

	xtables_rule_matches_free(&cs.matches);

	/*
	 * Release the source/destination address and mask arrays of the
	 * family in use; for any other family nothing is freed here.
	 */
	switch (h->family) {
	case AF_INET:
		free(args.s.addr.v4);
		free(args.s.mask.v4);
		free(args.d.addr.v4);
		free(args.d.mask.v4);
		break;
	case AF_INET6:
		free(args.s.addr.v6);
		free(args.s.mask.v6);
		free(args.d.addr.v6);
		free(args.d.mask.v6);
		break;
	default:
		break;
	}
	xtables_free_opts(1);

	return ret;
}