2 * m_ipt.c iptables based targets
3 * utilities mostly ripped from iptables <duh, its the linux way>
5 * This program is free software; you can distribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
10 * Authors: J Hadi Salim (hadi@cyberus.ca)
14 #include <sys/socket.h>
15 #include <netinet/in.h>
16 #include <arpa/inet.h>
18 #include <linux/netfilter_ipv4/ip_tables.h>
21 #include <linux/tc_act/tc_ipt.h>
36 static const char *pname = "tc-ipt";
37 static const char *tname = "mangle";
38 static const char *pversion = "0.1";
40 static const char *ipthooks[] = {
48 static struct option original_opts[] = {
53 static struct iptables_target *t_list = NULL;
54 static struct option *opts = original_opts;
55 static unsigned int global_option_offset = 0;
56 #define OPTION_OFFSET 256
61 register_target(struct iptables_target *me)
63 /* fprintf(stderr, "\nDummy register_target %s \n", me->name);
71 exit_tryhelp(int status)
73 fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
79 exit_error(enum exittype status, char *msg, ...)
84 fprintf(stderr, "%s v%s: ", pname, pversion);
85 vfprintf(stderr, msg, args);
87 fprintf(stderr, "\n");
88 if (status == PARAMETER_PROBLEM)
90 if (status == VERSION_PROBLEM)
92 "Perhaps iptables or your kernel needs to be upgraded.\n");
96 /* stolen from iptables 1.2.11
97 They should really have them as a library so i can link to them
98 Email them next time i remember
102 addr_to_dotted(const struct in_addr *addrp)
105 const unsigned char *bytep;
107 bytep = (const unsigned char *) &(addrp->s_addr);
108 sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
112 int string_to_number_ll(const char *s, unsigned long long min,
113 unsigned long long max,
114 unsigned long long *ret)
116 unsigned long long number;
119 /* Handle hex, octal, etc. */
121 number = strtoull(s, &end, 0);
122 if (*end == '\0' && end != s) {
123 /* we parsed a number, let's see if we want this */
124 if (errno != ERANGE && min <= number && (!max || number <= max)) {
132 int string_to_number_l(const char *s, unsigned long min, unsigned long max,
136 unsigned long long number;
138 result = string_to_number_ll(s, min, max, &number);
139 *ret = (unsigned long)number;
144 int string_to_number(const char *s, unsigned int min, unsigned int max,
148 unsigned long number;
150 result = string_to_number_l(s, min, max, &number);
151 *ret = (unsigned int)number;
156 static void free_opts(struct option *opts)
158 if (opts != original_opts) {
160 opts = original_opts;
161 global_option_offset = 0;
165 static struct option *
166 merge_options(struct option *oldopts, const struct option *newopts,
167 unsigned int *option_offset)
169 struct option *merge;
170 unsigned int num_old, num_new, i;
172 for (num_old = 0; oldopts[num_old].name; num_old++) ;
173 for (num_new = 0; newopts[num_new].name; num_new++) ;
175 *option_offset = global_option_offset + OPTION_OFFSET;
177 merge = malloc(sizeof (struct option) * (num_new + num_old + 1));
178 memcpy(merge, oldopts, num_old * sizeof (struct option));
179 for (i = 0; i < num_new; i++) {
180 merge[num_old + i] = newopts[i];
181 merge[num_old + i].val += *option_offset;
183 memset(merge + num_old + num_new, 0, sizeof (struct option));
189 fw_calloc(size_t count, size_t size)
193 if ((p = (void *) calloc(count, size)) == NULL) {
194 perror("iptables: calloc failed");
200 static struct iptables_target *
203 struct iptables_target *m;
204 for (m = t_list; m; m = m->next) {
205 if (strcmp(m->name, name) == 0)
212 static struct iptables_target *
213 get_target_name(const char *name)
217 char *new_name, *lname;
218 struct iptables_target *m;
219 char path[strlen(lib_dir) + sizeof ("/libipt_.so") + strlen(name)];
221 new_name = malloc(strlen(name) + 1);
222 lname = malloc(strlen(name) + 1);
224 memset(new_name, '\0', strlen(name) + 1);
226 exit_error(PARAMETER_PROBLEM, "get_target_name");
229 memset(lname, '\0', strlen(name) + 1);
231 exit_error(PARAMETER_PROBLEM, "get_target_name");
233 strcpy(new_name, name);
236 if (isupper(lname[0])) {
238 for (i = 0; i < strlen(name); i++) {
239 lname[i] = tolower(lname[i]);
243 if (islower(new_name[0])) {
245 for (i = 0; i < strlen(new_name); i++) {
246 new_name[i] = toupper(new_name[i]);
250 sprintf(path, "%s/libipt_%s.so",lib_dir, new_name);
251 handle = dlopen(path, RTLD_LAZY);
253 sprintf(path, lib_dir, "/libipt_%s.so", lname);
254 handle = dlopen(path, RTLD_LAZY);
256 fputs(dlerror(), stderr);
262 m = dlsym(handle, new_name);
263 if ((error = dlerror()) != NULL) {
264 m = (struct iptables_target *) dlsym(handle, lname);
265 if ((error = dlerror()) != NULL) {
266 m = find_t(new_name);
270 fputs(error, stderr);
271 fprintf(stderr, "\n");
283 struct in_addr *dotted_to_addr(const char *dotted)
285 static struct in_addr addr;
286 unsigned char *addrp;
288 unsigned int onebyte;
292 /* copy dotted string, because we need to modify it */
293 strncpy(buf, dotted, sizeof (buf) - 1);
294 addrp = (unsigned char *) &(addr.s_addr);
297 for (i = 0; i < 3; i++) {
298 if ((q = strchr(p, '.')) == NULL)
299 return (struct in_addr *) NULL;
302 if (string_to_number(p, 0, 255, &onebyte) == -1)
303 return (struct in_addr *) NULL;
305 addrp[i] = (unsigned char) onebyte;
309 /* we've checked 3 bytes, now we check the last one */
310 if (string_to_number(p, 0, 255, &onebyte) == -1)
311 return (struct in_addr *) NULL;
313 addrp[3] = (unsigned char) onebyte;
318 static void set_revision(char *name, u_int8_t revision)
320 /* Old kernel sources don't have ".revision" field,
321 * but we stole a byte from name. */
322 name[IPT_FUNCTION_MAXNAMELEN - 2] = '\0';
323 name[IPT_FUNCTION_MAXNAMELEN - 1] = revision;
327 * we may need to check for version mismatch
330 build_st(struct iptables_target *target, struct ipt_entry_target *t)
332 unsigned int nfcache = 0;
338 IPT_ALIGN(sizeof (struct ipt_entry_target)) + target->size;
341 target->t = fw_calloc(1, size);
342 target->t->u.target_size = size;
344 if (target->init != NULL)
345 target->init(target->t, &nfcache);
346 set_revision(target->t->u.user.name, target->revision);
350 strcpy(target->t->u.user.name, target->name);
357 static int parse_ipt(struct action_util *a,int *argc_p,
358 char ***argv_p, int tca_id, struct nlmsghdr *n)
360 struct iptables_target *m = NULL;
365 char **argv = *argv_p;
366 int argc = 0, iargc = 0;
371 __u32 hook = 0, index = 0;
374 lib_dir = getenv("IPTABLES_LIB_DIR");
376 lib_dir = IPT_LIB_DIR;
380 for (i = 0; i < rargc; i++) {
381 if (NULL == argv[i] || 0 == strcmp(argv[i], "action")) {
389 fprintf(stderr,"bad arguements to ipt %d vs %d \n", argc, rargc);
394 c = getopt_long(argc, argv, "j:", opts, NULL);
399 m = get_target_name(optarg);
402 if (0 > build_st(m, NULL)) {
403 printf(" %s error \n", m->name);
407 merge_options(opts, m->extra_opts,
410 fprintf(stderr," failed to find target %s\n\n", optarg);
417 memset(&fw, 0, sizeof (fw));
419 m->parse(c - m->option_offset, argv, 0,
420 &m->tflags, NULL, &m->t);
422 fprintf(stderr," failed to find target %s\n\n", optarg);
432 if (iargc > optind) {
433 if (matches(argv[optind], "index") == 0) {
434 if (get_u32(&index, argv[optind + 1], 10)) {
435 fprintf(stderr, "Illegal \"index\"\n");
446 fprintf(stderr," ipt Parser BAD!! (%s)\n", *argv);
450 /* check that we passed the correct parameters to the target */
452 m->final_check(m->tflags);
455 struct tcmsg *t = NLMSG_DATA(n);
456 if (t->tcm_parent != TC_H_ROOT
457 && t->tcm_parent == TC_H_MAJ(TC_H_INGRESS)) {
458 hook = NF_IP_PRE_ROUTING;
460 hook = NF_IP_POST_ROUTING;
464 tail = NLMSG_TAIL(n);
465 addattr_l(n, MAX_MSG, tca_id, NULL, 0);
466 fprintf(stdout, "tablename: %s hook: %s\n ", tname, ipthooks[hook]);
467 fprintf(stdout, "\ttarget: ");
470 m->print(NULL, m->t, 0);
471 fprintf(stdout, " index %d\n", index);
473 if (strlen(tname) > 16) {
477 size = 1 + strlen(tname);
479 strncpy(k, tname, size);
481 addattr_l(n, MAX_MSG, TCA_IPT_TABLE, k, size);
482 addattr_l(n, MAX_MSG, TCA_IPT_HOOK, &hook, 4);
483 addattr_l(n, MAX_MSG, TCA_IPT_INDEX, &index, 4);
485 addattr_l(n, MAX_MSG, TCA_IPT_TARG, m->t, m->t->u.target_size);
486 tail->rta_len = (void *) NLMSG_TAIL(n) - (void *) tail;
490 *argc_p = rargc - iargc;
501 print_ipt(struct action_util *au,FILE * f, struct rtattr *arg)
503 struct rtattr *tb[TCA_IPT_MAX + 1];
504 struct ipt_entry_target *t = NULL;
509 lib_dir = getenv("IPTABLES_LIB_DIR");
511 lib_dir = IPT_LIB_DIR;
513 parse_rtattr_nested(tb, TCA_IPT_MAX, arg);
515 if (tb[TCA_IPT_TABLE] == NULL) {
516 fprintf(f, "[NULL ipt table name ] assuming mangle ");
518 fprintf(f, "tablename: %s ",
519 (char *) RTA_DATA(tb[TCA_IPT_TABLE]));
522 if (tb[TCA_IPT_HOOK] == NULL) {
523 fprintf(f, "[NULL ipt hook name ]\n ");
527 hook = *(__u32 *) RTA_DATA(tb[TCA_IPT_HOOK]);
528 fprintf(f, " hook: %s \n", ipthooks[hook]);
531 if (tb[TCA_IPT_TARG] == NULL) {
532 fprintf(f, "\t[NULL ipt target parameters ] \n");
535 struct iptables_target *m = NULL;
536 t = RTA_DATA(tb[TCA_IPT_TARG]);
537 m = get_target_name(t->u.user.name);
539 if (0 > build_st(m, t)) {
540 fprintf(stderr, " %s error \n", m->name);
545 merge_options(opts, m->extra_opts,
548 fprintf(stderr, " failed to find target %s\n\n",
552 fprintf(f, "\ttarget ");
553 m->print(NULL, m->t, 0);
554 if (tb[TCA_IPT_INDEX] == NULL) {
555 fprintf(f, " [NULL ipt target index ]\n");
558 index = *(__u32 *) RTA_DATA(tb[TCA_IPT_INDEX]);
559 fprintf(f, " \n\tindex %d", index);
562 if (tb[TCA_IPT_CNT]) {
563 struct tc_cnt *c = RTA_DATA(tb[TCA_IPT_CNT]);;
564 fprintf(f, " ref %d bind %d", c->refcnt, c->bindcnt);
567 if (tb[TCA_IPT_TM]) {
568 struct tcf_t *tm = RTA_DATA(tb[TCA_IPT_TM]);
580 struct action_util ipt_action_util = {
582 .parse_aopt = parse_ipt,
583 .print_aopt = print_ipt,