| lh | 9ed821d | 2023-04-07 01:36:19 -0700 | [diff] [blame] | 1 | /* | 
|  | 2 | * (C) 2000-2006 by the netfilter coreteam <coreteam@netfilter.org>: | 
|  | 3 | * | 
|  | 4 | *	This program is free software; you can redistribute it and/or modify | 
|  | 5 | *	it under the terms of the GNU General Public License as published by | 
|  | 6 | *	the Free Software Foundation; either version 2 of the License, or | 
|  | 7 | *	(at your option) any later version. | 
|  | 8 | * | 
|  | 9 | *	This program is distributed in the hope that it will be useful, | 
|  | 10 | *	but WITHOUT ANY WARRANTY; without even the implied warranty of | 
|  | 11 | *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | 
|  | 12 | *	GNU General Public License for more details. | 
|  | 13 | * | 
|  | 14 | *	You should have received a copy of the GNU General Public License | 
|  | 15 | *	along with this program; if not, write to the Free Software | 
|  | 16 | *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | 
|  | 17 | */ | 
|  | 18 |  | 
|  | 19 | #include <errno.h> | 
|  | 20 | #include <fcntl.h> | 
|  | 21 | #include <netdb.h> | 
|  | 22 | #include <stdarg.h> | 
|  | 23 | #include <stdbool.h> | 
|  | 24 | #include <stdio.h> | 
|  | 25 | #include <stdlib.h> | 
|  | 26 | #include <string.h> | 
|  | 27 | #include <unistd.h> | 
|  | 28 | #include <sys/socket.h> | 
|  | 29 | #include <sys/stat.h> | 
|  | 30 | #include <sys/types.h> | 
|  | 31 | #include <sys/wait.h> | 
|  | 32 | #include <arpa/inet.h> | 
|  | 33 |  | 
|  | 34 | #include <xtables.h> | 
|  | 35 | #include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */ | 
|  | 36 | #include <linux/netfilter_ipv4/ip_tables.h> | 
|  | 37 | #include <linux/netfilter_ipv6/ip6_tables.h> | 
|  | 38 | #include <libiptc/libxtc.h> | 
|  | 39 |  | 
|  | 40 | #ifndef NO_SHARED_LIBS | 
|  | 41 | #include <dlfcn.h> | 
|  | 42 | #endif | 
|  | 43 | #ifndef IPT_SO_GET_REVISION_MATCH /* Old kernel source. */ | 
|  | 44 | #	define IPT_SO_GET_REVISION_MATCH	(IPT_BASE_CTL + 2) | 
|  | 45 | #	define IPT_SO_GET_REVISION_TARGET	(IPT_BASE_CTL + 3) | 
|  | 46 | #endif | 
|  | 47 | #ifndef IP6T_SO_GET_REVISION_MATCH /* Old kernel source. */ | 
|  | 48 | #	define IP6T_SO_GET_REVISION_MATCH	68 | 
|  | 49 | #	define IP6T_SO_GET_REVISION_TARGET	69 | 
|  | 50 | #endif | 
|  | 51 | #include <getopt.h> | 
|  | 52 |  | 
|  | 53 |  | 
|  | 54 | #define NPROTO	255 | 
|  | 55 |  | 
|  | 56 | #ifndef PROC_SYS_MODPROBE | 
|  | 57 | #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe" | 
|  | 58 | #endif | 
|  | 59 |  | 
|  | 60 | void basic_exit_err(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); | 
|  | 61 |  | 
|  | 62 | struct xtables_globals *xt_params = NULL; | 
|  | 63 |  | 
|  | 64 | void basic_exit_err(enum xtables_exittype status, const char *msg, ...) | 
|  | 65 | { | 
|  | 66 | va_list args; | 
|  | 67 |  | 
|  | 68 | va_start(args, msg); | 
|  | 69 | fprintf(stderr, "%s v%s: ", xt_params->program_name, xt_params->program_version); | 
|  | 70 | vfprintf(stderr, msg, args); | 
|  | 71 | va_end(args); | 
|  | 72 | fprintf(stderr, "\n"); | 
|  | 73 | exit(status); | 
|  | 74 | } | 
|  | 75 |  | 
|  | 76 |  | 
|  | 77 | void xtables_free_opts(int reset_offset) | 
|  | 78 | { | 
|  | 79 | if (xt_params->opts != xt_params->orig_opts) { | 
|  | 80 | free(xt_params->opts); | 
|  | 81 | xt_params->opts = xt_params->orig_opts; | 
|  | 82 | if (reset_offset) | 
|  | 83 | xt_params->option_offset = 0; | 
|  | 84 | } | 
|  | 85 | } | 
|  | 86 |  | 
|  | 87 | struct option *xtables_merge_options(struct option *oldopts, | 
|  | 88 | const struct option *newopts, | 
|  | 89 | unsigned int *option_offset) | 
|  | 90 | { | 
|  | 91 | unsigned int num_old, num_new, i; | 
|  | 92 | struct option *merge; | 
|  | 93 |  | 
|  | 94 | if (newopts == NULL) | 
|  | 95 | return oldopts; | 
|  | 96 |  | 
|  | 97 | for (num_old = 0; oldopts[num_old].name; num_old++) ; | 
|  | 98 | for (num_new = 0; newopts[num_new].name; num_new++) ; | 
|  | 99 |  | 
|  | 100 | xt_params->option_offset += 256; | 
|  | 101 | *option_offset = xt_params->option_offset; | 
|  | 102 |  | 
|  | 103 | merge = malloc(sizeof(struct option) * (num_new + num_old + 1)); | 
|  | 104 | if (merge == NULL) | 
|  | 105 | return NULL; | 
|  | 106 | memcpy(merge, oldopts, num_old * sizeof(struct option)); | 
|  | 107 | xtables_free_opts(0);	/* Release any old options merged  */ | 
|  | 108 | for (i = 0; i < num_new; i++) { | 
|  | 109 | merge[num_old + i] = newopts[i]; | 
|  | 110 | merge[num_old + i].val += *option_offset; | 
|  | 111 | } | 
|  | 112 | memset(merge + num_old + num_new, 0, sizeof(struct option)); | 
|  | 113 |  | 
|  | 114 | return merge; | 
|  | 115 | } | 
|  | 116 |  | 
|  | 117 | void xtables_set_revision(char *name, u_int8_t revision) | 
|  | 118 | { | 
|  | 119 | /* Old kernel sources don't have ".revision" field, | 
|  | 120 | *            but we stole a byte from name. */ | 
|  | 121 | name[XT_FUNCTION_MAXNAMELEN - 2] = '\0'; | 
|  | 122 | name[XT_FUNCTION_MAXNAMELEN - 1] = revision; | 
|  | 123 | } | 
|  | 124 |  | 
|  | 125 | /** | 
|  | 126 | * xtables_afinfo - protocol family dependent information | 
|  | 127 | * @kmod:		kernel module basename (e.g. "ip_tables") | 
|  | 128 | * @libprefix:		prefix of .so library name (e.g. "libipt_") | 
|  | 129 | * @family:		nfproto family | 
|  | 130 | * @ipproto:		used by setsockopt (e.g. IPPROTO_IP) | 
|  | 131 | * @so_rev_match:	optname to check revision support of match | 
|  | 132 | * @so_rev_target:	optname to check revision support of target | 
|  | 133 | */ | 
|  | 134 | struct xtables_afinfo { | 
|  | 135 | const char *kmod; | 
|  | 136 | const char *libprefix; | 
|  | 137 | uint8_t family; | 
|  | 138 | uint8_t ipproto; | 
|  | 139 | int so_rev_match; | 
|  | 140 | int so_rev_target; | 
|  | 141 | }; | 
|  | 142 |  | 
|  | 143 | static const struct xtables_afinfo afinfo_ipv4 = { | 
|  | 144 | .kmod          = "ip_tables", | 
|  | 145 | .libprefix     = "libipt_", | 
|  | 146 | .family	       = NFPROTO_IPV4, | 
|  | 147 | .ipproto       = IPPROTO_IP, | 
|  | 148 | .so_rev_match  = IPT_SO_GET_REVISION_MATCH, | 
|  | 149 | .so_rev_target = IPT_SO_GET_REVISION_TARGET, | 
|  | 150 | }; | 
|  | 151 |  | 
|  | 152 | static const struct xtables_afinfo afinfo_ipv6 = { | 
|  | 153 | .kmod          = "ip6_tables", | 
|  | 154 | .libprefix     = "libip6t_", | 
|  | 155 | .family        = NFPROTO_IPV6, | 
|  | 156 | .ipproto       = IPPROTO_IPV6, | 
|  | 157 | .so_rev_match  = IP6T_SO_GET_REVISION_MATCH, | 
|  | 158 | .so_rev_target = IP6T_SO_GET_REVISION_TARGET, | 
|  | 159 | }; | 
|  | 160 |  | 
|  | 161 | static const struct xtables_afinfo *afinfo; | 
|  | 162 |  | 
|  | 163 | /* Search path for Xtables .so files */ | 
|  | 164 | static const char *xtables_libdir; | 
|  | 165 |  | 
|  | 166 | /* the path to command to load kernel module */ | 
|  | 167 | const char *xtables_modprobe_program; | 
|  | 168 |  | 
|  | 169 | /* Keeping track of external matches and targets: linked lists.  */ | 
|  | 170 | struct xtables_match *xtables_matches; | 
|  | 171 | struct xtables_target *xtables_targets; | 
|  | 172 |  | 
|  | 173 | void xtables_init(void) | 
|  | 174 | { | 
|  | 175 | xtables_libdir = getenv("XTABLES_LIBDIR"); | 
|  | 176 | if (xtables_libdir != NULL) | 
|  | 177 | return; | 
|  | 178 | xtables_libdir = getenv("IPTABLES_LIB_DIR"); | 
|  | 179 | if (xtables_libdir != NULL) { | 
|  | 180 | fprintf(stderr, "IPTABLES_LIB_DIR is deprecated, " | 
|  | 181 | "use XTABLES_LIBDIR.\n"); | 
|  | 182 | return; | 
|  | 183 | } | 
|  | 184 | /* | 
|  | 185 | * Well yes, IP6TABLES_LIB_DIR is of lower priority over | 
|  | 186 | * IPTABLES_LIB_DIR since this moved to libxtables; I think that is ok | 
|  | 187 | * for these env vars are deprecated anyhow, and in light of the | 
|  | 188 | * (shared) libxt_*.so files, makes less sense to have | 
|  | 189 | * IPTABLES_LIB_DIR != IP6TABLES_LIB_DIR. | 
|  | 190 | */ | 
|  | 191 | xtables_libdir = getenv("IP6TABLES_LIB_DIR"); | 
|  | 192 | if (xtables_libdir != NULL) { | 
|  | 193 | fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated, " | 
|  | 194 | "use XTABLES_LIBDIR.\n"); | 
|  | 195 | return; | 
|  | 196 | } | 
|  | 197 | xtables_libdir = XTABLES_LIBDIR; | 
|  | 198 | } | 
|  | 199 |  | 
|  | 200 | void xtables_set_nfproto(uint8_t nfproto) | 
|  | 201 | { | 
|  | 202 | switch (nfproto) { | 
|  | 203 | case NFPROTO_IPV4: | 
|  | 204 | afinfo = &afinfo_ipv4; | 
|  | 205 | break; | 
|  | 206 | case NFPROTO_IPV6: | 
|  | 207 | afinfo = &afinfo_ipv6; | 
|  | 208 | break; | 
|  | 209 | default: | 
|  | 210 | fprintf(stderr, "libxtables: unhandled NFPROTO in %s\n", | 
|  | 211 | __func__); | 
|  | 212 | } | 
|  | 213 | } | 
|  | 214 |  | 
|  | 215 | /** | 
|  | 216 | * xtables_set_params - set the global parameters used by xtables | 
|  | 217 | * @xtp:	input xtables_globals structure | 
|  | 218 | * | 
|  | 219 | * The app is expected to pass a valid xtables_globals data-filled | 
|  | 220 | * with proper values | 
|  | 221 | * @xtp cannot be NULL | 
|  | 222 | * | 
|  | 223 | * Returns -1 on failure to set and 0 on success | 
|  | 224 | */ | 
|  | 225 | int xtables_set_params(struct xtables_globals *xtp) | 
|  | 226 | { | 
|  | 227 | if (!xtp) { | 
|  | 228 | fprintf(stderr, "%s: Illegal global params\n",__func__); | 
|  | 229 | return -1; | 
|  | 230 | } | 
|  | 231 |  | 
|  | 232 | xt_params = xtp; | 
|  | 233 |  | 
|  | 234 | if (!xt_params->exit_err) | 
|  | 235 | xt_params->exit_err = basic_exit_err; | 
|  | 236 |  | 
|  | 237 | return 0; | 
|  | 238 | } | 
|  | 239 |  | 
|  | 240 | int xtables_init_all(struct xtables_globals *xtp, uint8_t nfproto) | 
|  | 241 | { | 
|  | 242 | xtables_init(); | 
|  | 243 | xtables_set_nfproto(nfproto); | 
|  | 244 | return xtables_set_params(xtp); | 
|  | 245 | } | 
|  | 246 |  | 
|  | 247 | /** | 
|  | 248 | * xtables_*alloc - wrappers that exit on failure | 
|  | 249 | */ | 
|  | 250 | void *xtables_calloc(size_t count, size_t size) | 
|  | 251 | { | 
|  | 252 | void *p; | 
|  | 253 |  | 
|  | 254 | if ((p = calloc(count, size)) == NULL) { | 
|  | 255 | perror("ip[6]tables: calloc failed"); | 
|  | 256 | exit(1); | 
|  | 257 | } | 
|  | 258 |  | 
|  | 259 | return p; | 
|  | 260 | } | 
|  | 261 |  | 
|  | 262 | void *xtables_malloc(size_t size) | 
|  | 263 | { | 
|  | 264 | void *p; | 
|  | 265 |  | 
|  | 266 | if ((p = malloc(size)) == NULL) { | 
|  | 267 | perror("ip[6]tables: malloc failed"); | 
|  | 268 | exit(1); | 
|  | 269 | } | 
|  | 270 |  | 
|  | 271 | return p; | 
|  | 272 | } | 
|  | 273 |  | 
|  | 274 | static char *get_modprobe(void) | 
|  | 275 | { | 
|  | 276 | int procfile; | 
|  | 277 | char *ret; | 
|  | 278 |  | 
|  | 279 | #define PROCFILE_BUFSIZ	1024 | 
|  | 280 | procfile = open(PROC_SYS_MODPROBE, O_RDONLY); | 
|  | 281 | if (procfile < 0) | 
|  | 282 | return NULL; | 
|  | 283 |  | 
|  | 284 | ret = (char *) malloc(PROCFILE_BUFSIZ); | 
|  | 285 | if (ret) { | 
|  | 286 | memset(ret, 0, PROCFILE_BUFSIZ); | 
|  | 287 | switch (read(procfile, ret, PROCFILE_BUFSIZ)) { | 
|  | 288 | case -1: goto fail; | 
|  | 289 | case PROCFILE_BUFSIZ: goto fail; /* Partial read.  Wierd */ | 
|  | 290 | } | 
|  | 291 | if (ret[strlen(ret)-1]=='\n') | 
|  | 292 | ret[strlen(ret)-1]=0; | 
|  | 293 | close(procfile); | 
|  | 294 | return ret; | 
|  | 295 | } | 
|  | 296 | fail: | 
|  | 297 | free(ret); | 
|  | 298 | close(procfile); | 
|  | 299 | return NULL; | 
|  | 300 | } | 
|  | 301 |  | 
|  | 302 | int xtables_insmod(const char *modname, const char *modprobe, bool quiet) | 
|  | 303 | { | 
|  | 304 | char *buf = NULL; | 
|  | 305 | char *argv[4]; | 
|  | 306 | int status; | 
|  | 307 |  | 
|  | 308 | /* If they don't explicitly set it, read out of kernel */ | 
|  | 309 | if (!modprobe) { | 
|  | 310 | buf = get_modprobe(); | 
|  | 311 | if (!buf) | 
|  | 312 | return -1; | 
|  | 313 | modprobe = buf; | 
|  | 314 | } | 
|  | 315 |  | 
|  | 316 | argv[0] = (char *)modprobe; | 
|  | 317 | argv[1] = (char *)modname; | 
|  | 318 | if (quiet) { | 
|  | 319 | argv[2] = "-q"; | 
|  | 320 | argv[3] = NULL; | 
|  | 321 | } else { | 
|  | 322 | argv[2] = NULL; | 
|  | 323 | argv[3] = NULL; | 
|  | 324 | } | 
|  | 325 |  | 
|  | 326 | /* | 
|  | 327 | * Need to flush the buffer, or the child may output it again | 
|  | 328 | * when switching the program thru execv. | 
|  | 329 | */ | 
|  | 330 | fflush(stdout); | 
|  | 331 |  | 
|  | 332 | #ifdef __uClinux__ | 
|  | 333 | switch (vfork()) | 
|  | 334 | #else | 
|  | 335 | switch (fork()) | 
|  | 336 | #endif | 
|  | 337 | { | 
|  | 338 | case 0: | 
|  | 339 | execv(argv[0], argv); | 
|  | 340 | /* not usually reached */ | 
|  | 341 | #ifdef __uClinux__ | 
|  | 342 | _exit(1); | 
|  | 343 | #else | 
|  | 344 | exit(1); | 
|  | 345 | #endif | 
|  | 346 | case -1: | 
|  | 347 | return -1; | 
|  | 348 |  | 
|  | 349 | default: /* parent */ | 
|  | 350 | wait(&status); | 
|  | 351 | } | 
|  | 352 |  | 
|  | 353 | free(buf); | 
|  | 354 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) | 
|  | 355 | return 0; | 
|  | 356 | return -1; | 
|  | 357 | } | 
|  | 358 |  | 
|  | 359 | int xtables_load_ko(const char *modprobe, bool quiet) | 
|  | 360 | { | 
|  | 361 | static bool loaded = false; | 
|  | 362 | static int ret = -1; | 
|  | 363 |  | 
|  | 364 | if (!loaded) { | 
|  | 365 | ret = xtables_insmod(afinfo->kmod, modprobe, quiet); | 
|  | 366 | loaded = (ret == 0); | 
|  | 367 | } | 
|  | 368 |  | 
|  | 369 | return ret; | 
|  | 370 | } | 
|  | 371 |  | 
|  | 372 | /** | 
|  | 373 | * xtables_strtou{i,l} - string to number conversion | 
|  | 374 | * @s:	input string | 
|  | 375 | * @end:	like strtoul's "end" pointer | 
|  | 376 | * @value:	pointer for result | 
|  | 377 | * @min:	minimum accepted value | 
|  | 378 | * @max:	maximum accepted value | 
|  | 379 | * | 
|  | 380 | * If @end is NULL, we assume the caller wants a "strict strtoul", and hence | 
|  | 381 | * "15a" is rejected. | 
|  | 382 | * In either case, the value obtained is compared for min-max compliance. | 
|  | 383 | * Base is always 0, i.e. autodetect depending on @s. | 
|  | 384 | * | 
|  | 385 | * Returns true/false whether number was accepted. On failure, *value has | 
|  | 386 | * undefined contents. | 
|  | 387 | */ | 
|  | 388 | bool xtables_strtoul(const char *s, char **end, unsigned long *value, | 
|  | 389 | unsigned long min, unsigned long max) | 
|  | 390 | { | 
|  | 391 | unsigned long v; | 
|  | 392 | char *my_end; | 
|  | 393 |  | 
|  | 394 | errno = 0; | 
|  | 395 | v = strtoul(s, &my_end, 0); | 
|  | 396 |  | 
|  | 397 | if (my_end == s) | 
|  | 398 | return false; | 
|  | 399 | if (end != NULL) | 
|  | 400 | *end = my_end; | 
|  | 401 |  | 
|  | 402 | if (errno != ERANGE && min <= v && (max == 0 || v <= max)) { | 
|  | 403 | if (value != NULL) | 
|  | 404 | *value = v; | 
|  | 405 | if (end == NULL) | 
|  | 406 | return *my_end == '\0'; | 
|  | 407 | return true; | 
|  | 408 | } | 
|  | 409 |  | 
|  | 410 | return false; | 
|  | 411 | } | 
|  | 412 |  | 
|  | 413 | bool xtables_strtoui(const char *s, char **end, unsigned int *value, | 
|  | 414 | unsigned int min, unsigned int max) | 
|  | 415 | { | 
|  | 416 | unsigned long v; | 
|  | 417 | bool ret; | 
|  | 418 |  | 
|  | 419 | ret = xtables_strtoul(s, end, &v, min, max); | 
|  | 420 | if (value != NULL) | 
|  | 421 | *value = v; | 
|  | 422 | return ret; | 
|  | 423 | } | 
|  | 424 |  | 
|  | 425 | int xtables_service_to_port(const char *name, const char *proto) | 
|  | 426 | { | 
|  | 427 | struct servent *service; | 
|  | 428 |  | 
|  | 429 | if ((service = getservbyname(name, proto)) != NULL) | 
|  | 430 | return ntohs((unsigned short) service->s_port); | 
|  | 431 |  | 
|  | 432 | return -1; | 
|  | 433 | } | 
|  | 434 |  | 
|  | 435 | u_int16_t xtables_parse_port(const char *port, const char *proto) | 
|  | 436 | { | 
|  | 437 | unsigned int portnum; | 
|  | 438 |  | 
|  | 439 | if (xtables_strtoui(port, NULL, &portnum, 0, UINT16_MAX) || | 
|  | 440 | (portnum = xtables_service_to_port(port, proto)) != (unsigned)-1) | 
|  | 441 | return portnum; | 
|  | 442 |  | 
|  | 443 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 444 | "invalid port/service `%s' specified", port); | 
|  | 445 | } | 
|  | 446 |  | 
|  | 447 | void xtables_parse_interface(const char *arg, char *vianame, | 
|  | 448 | unsigned char *mask) | 
|  | 449 | { | 
|  | 450 | int vialen = strlen(arg); | 
|  | 451 | unsigned int i; | 
|  | 452 |  | 
|  | 453 | memset(mask, 0, IFNAMSIZ); | 
|  | 454 | memset(vianame, 0, IFNAMSIZ); | 
|  | 455 |  | 
|  | 456 | if (vialen + 1 > IFNAMSIZ) | 
|  | 457 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 458 | "interface name `%s' must be shorter than IFNAMSIZ" | 
|  | 459 | " (%i)", arg, IFNAMSIZ-1); | 
|  | 460 |  | 
|  | 461 | strcpy(vianame, arg); | 
|  | 462 | if ((vialen == 0) || (vialen == 1 && vianame[0] == '+')) | 
|  | 463 | memset(mask, 0, IFNAMSIZ); | 
|  | 464 | else if (vianame[vialen - 1] == '+') { | 
|  | 465 | memset(mask, 0xFF, vialen - 1); | 
|  | 466 | memset(mask + vialen - 1, 0, IFNAMSIZ - vialen + 1); | 
|  | 467 | /* Don't remove `+' here! -HW */ | 
|  | 468 | } else { | 
|  | 469 | /* Include nul-terminator in match */ | 
|  | 470 | memset(mask, 0xFF, vialen + 1); | 
|  | 471 | memset(mask + vialen + 1, 0, IFNAMSIZ - vialen - 1); | 
|  | 472 | for (i = 0; vianame[i]; i++) { | 
|  | 473 | if (vianame[i] == ':' || | 
|  | 474 | vianame[i] == '!' || | 
|  | 475 | vianame[i] == '*') { | 
|  | 476 | fprintf(stderr, | 
|  | 477 | "Warning: weird character in interface" | 
|  | 478 | " `%s' (No aliases, :, ! or *).\n", | 
|  | 479 | vianame); | 
|  | 480 | break; | 
|  | 481 | } | 
|  | 482 | } | 
|  | 483 | } | 
|  | 484 | } | 
|  | 485 |  | 
|  | 486 | #ifndef NO_SHARED_LIBS | 
|  | 487 | static void *load_extension(const char *search_path, const char *prefix, | 
|  | 488 | const char *name, bool is_target) | 
|  | 489 | { | 
|  | 490 | const char *dir = search_path, *next; | 
|  | 491 | void *ptr = NULL; | 
|  | 492 | struct stat sb; | 
|  | 493 | char path[256]; | 
|  | 494 |  | 
|  | 495 | do { | 
|  | 496 | next = strchr(dir, ':'); | 
|  | 497 | if (next == NULL) | 
|  | 498 | next = dir + strlen(dir); | 
|  | 499 | snprintf(path, sizeof(path), "%.*s/libxt_%s.so", | 
|  | 500 | (unsigned int)(next - dir), dir, name); | 
|  | 501 |  | 
|  | 502 | if (dlopen(path, RTLD_NOW) != NULL) { | 
|  | 503 | /* Found library.  If it didn't register itself, | 
|  | 504 | maybe they specified target as match. */ | 
|  | 505 | if (is_target) | 
|  | 506 | ptr = xtables_find_target(name, XTF_DONT_LOAD); | 
|  | 507 | else | 
|  | 508 | ptr = xtables_find_match(name, | 
|  | 509 | XTF_DONT_LOAD, NULL); | 
|  | 510 | } else if (stat(path, &sb) == 0) { | 
|  | 511 | fprintf(stderr, "%s: %s\n", path, dlerror()); | 
|  | 512 | } | 
|  | 513 |  | 
|  | 514 | if (ptr != NULL) | 
|  | 515 | return ptr; | 
|  | 516 |  | 
|  | 517 | snprintf(path, sizeof(path), "%.*s/%s%s.so", | 
|  | 518 | (unsigned int)(next - dir), dir, prefix, name); | 
|  | 519 | if (dlopen(path, RTLD_NOW) != NULL) { | 
|  | 520 | if (is_target) | 
|  | 521 | ptr = xtables_find_target(name, XTF_DONT_LOAD); | 
|  | 522 | else | 
|  | 523 | ptr = xtables_find_match(name, | 
|  | 524 | XTF_DONT_LOAD, NULL); | 
|  | 525 | } else if (stat(path, &sb) == 0) { | 
|  | 526 | fprintf(stderr, "%s: %s\n", path, dlerror()); | 
|  | 527 | } | 
|  | 528 |  | 
|  | 529 | if (ptr != NULL) | 
|  | 530 | return ptr; | 
|  | 531 |  | 
|  | 532 | dir = next + 1; | 
|  | 533 | } while (*next != '\0'); | 
|  | 534 |  | 
|  | 535 | return NULL; | 
|  | 536 | } | 
|  | 537 | #endif | 
|  | 538 |  | 
|  | 539 | struct xtables_match * | 
|  | 540 | xtables_find_match(const char *name, enum xtables_tryload tryload, | 
|  | 541 | struct xtables_rule_match **matches) | 
|  | 542 | { | 
|  | 543 | struct xtables_match *ptr; | 
|  | 544 | const char *icmp6 = "icmp6"; | 
|  | 545 |  | 
|  | 546 | /* This is ugly as hell. Nonetheless, there is no way of changing | 
|  | 547 | * this without hurting backwards compatibility */ | 
|  | 548 | if ( (strcmp(name,"icmpv6") == 0) || | 
|  | 549 | (strcmp(name,"ipv6-icmp") == 0) || | 
|  | 550 | (strcmp(name,"icmp6") == 0) ) | 
|  | 551 | name = icmp6; | 
|  | 552 |  | 
|  | 553 | for (ptr = xtables_matches; ptr; ptr = ptr->next) { | 
|  | 554 | if (strcmp(name, ptr->name) == 0) { | 
|  | 555 | struct xtables_match *clone; | 
|  | 556 |  | 
|  | 557 | /* First match of this type: */ | 
|  | 558 | if (ptr->m == NULL) | 
|  | 559 | break; | 
|  | 560 |  | 
|  | 561 | /* Second and subsequent clones */ | 
|  | 562 | clone = xtables_malloc(sizeof(struct xtables_match)); | 
|  | 563 | memcpy(clone, ptr, sizeof(struct xtables_match)); | 
|  | 564 | clone->mflags = 0; | 
|  | 565 | /* This is a clone: */ | 
|  | 566 | clone->next = clone; | 
|  | 567 |  | 
|  | 568 | ptr = clone; | 
|  | 569 | break; | 
|  | 570 | } | 
|  | 571 | } | 
|  | 572 |  | 
|  | 573 | #ifndef NO_SHARED_LIBS | 
|  | 574 | if (!ptr && tryload != XTF_DONT_LOAD && tryload != XTF_DURING_LOAD) { | 
|  | 575 | ptr = load_extension(xtables_libdir, afinfo->libprefix, | 
|  | 576 | name, false); | 
|  | 577 |  | 
|  | 578 | if (ptr == NULL && tryload == XTF_LOAD_MUST_SUCCEED) | 
|  | 579 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 580 | "Couldn't load match `%s':%s\n", | 
|  | 581 | name, dlerror()); | 
|  | 582 | } | 
|  | 583 | #else | 
|  | 584 | if(!ptr && (tryload == XTF_LOAD_MUST_SUCCEED)) { | 
|  | 585 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 586 | "Couldn't find match `%s'\n", name); | 
|  | 587 | } | 
|  | 588 | #endif | 
|  | 589 |  | 
|  | 590 | if (ptr && matches) { | 
|  | 591 | struct xtables_rule_match **i; | 
|  | 592 | struct xtables_rule_match *newentry; | 
|  | 593 |  | 
|  | 594 | newentry = xtables_malloc(sizeof(struct xtables_rule_match)); | 
|  | 595 |  | 
|  | 596 | for (i = matches; *i; i = &(*i)->next) { | 
|  | 597 | if (strcmp(name, (*i)->match->name) == 0) | 
|  | 598 | (*i)->completed = true; | 
|  | 599 | } | 
|  | 600 | newentry->match = ptr; | 
|  | 601 | newentry->completed = false; | 
|  | 602 | newentry->next = NULL; | 
|  | 603 | *i = newentry; | 
|  | 604 | } | 
|  | 605 |  | 
|  | 606 | return ptr; | 
|  | 607 | } | 
|  | 608 |  | 
|  | 609 | struct xtables_target * | 
|  | 610 | xtables_find_target(const char *name, enum xtables_tryload tryload) | 
|  | 611 | { | 
|  | 612 | struct xtables_target *ptr; | 
|  | 613 |  | 
|  | 614 | /* Standard target? */ | 
|  | 615 | if (strcmp(name, "") == 0 | 
|  | 616 | || strcmp(name, XTC_LABEL_ACCEPT) == 0 | 
|  | 617 | || strcmp(name, XTC_LABEL_DROP) == 0 | 
|  | 618 | || strcmp(name, XTC_LABEL_QUEUE) == 0 | 
|  | 619 | || strcmp(name, XTC_LABEL_RETURN) == 0) | 
|  | 620 | name = "standard"; | 
|  | 621 |  | 
|  | 622 | for (ptr = xtables_targets; ptr; ptr = ptr->next) { | 
|  | 623 | if (strcmp(name, ptr->name) == 0) | 
|  | 624 | break; | 
|  | 625 | } | 
|  | 626 |  | 
|  | 627 | #ifndef NO_SHARED_LIBS | 
|  | 628 | if (!ptr && tryload != XTF_DONT_LOAD && tryload != XTF_DURING_LOAD) { | 
|  | 629 | ptr = load_extension(xtables_libdir, afinfo->libprefix, | 
|  | 630 | name, true); | 
|  | 631 |  | 
|  | 632 | if (ptr == NULL && tryload == XTF_LOAD_MUST_SUCCEED) | 
|  | 633 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 634 | "Couldn't load target `%s':%s\n", | 
|  | 635 | name, dlerror()); | 
|  | 636 | } | 
|  | 637 | #else | 
|  | 638 | if (ptr == NULL && tryload == XTF_LOAD_MUST_SUCCEED) { | 
|  | 639 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 640 | "Couldn't find target `%s'\n", name); | 
|  | 641 | } | 
|  | 642 | #endif | 
|  | 643 |  | 
|  | 644 | if (ptr) | 
|  | 645 | ptr->used = 1; | 
|  | 646 |  | 
|  | 647 | return ptr; | 
|  | 648 | } | 
|  | 649 |  | 
|  | 650 | static int compatible_revision(const char *name, u_int8_t revision, int opt) | 
|  | 651 | { | 
|  | 652 | struct xt_get_revision rev; | 
|  | 653 | socklen_t s = sizeof(rev); | 
|  | 654 | int max_rev, sockfd; | 
|  | 655 |  | 
|  | 656 | sockfd = socket(afinfo->family, SOCK_RAW, IPPROTO_RAW); | 
|  | 657 | if (sockfd < 0) { | 
|  | 658 | if (errno == EPERM) { | 
|  | 659 | /* revision 0 is always supported. */ | 
|  | 660 | if (revision != 0) | 
|  | 661 | fprintf(stderr, "Could not determine whether " | 
|  | 662 | "revision %u is supported, " | 
|  | 663 | "assuming it is.\n", | 
|  | 664 | revision); | 
|  | 665 | return 1; | 
|  | 666 | } | 
|  | 667 | fprintf(stderr, "Could not open socket to kernel: %s\n", | 
|  | 668 | strerror(errno)); | 
|  | 669 | exit(1); | 
|  | 670 | } | 
|  | 671 |  | 
|  | 672 | xtables_load_ko(xtables_modprobe_program, true); | 
|  | 673 |  | 
|  | 674 | strcpy(rev.name, name); | 
|  | 675 | rev.revision = revision; | 
|  | 676 |  | 
|  | 677 | max_rev = getsockopt(sockfd, afinfo->ipproto, opt, &rev, &s); | 
|  | 678 | if (max_rev < 0) { | 
|  | 679 | /* Definitely don't support this? */ | 
|  | 680 | if (errno == ENOENT || errno == EPROTONOSUPPORT) { | 
|  | 681 | close(sockfd); | 
|  | 682 | return 0; | 
|  | 683 | } else if (errno == ENOPROTOOPT) { | 
|  | 684 | close(sockfd); | 
|  | 685 | /* Assume only revision 0 support (old kernel) */ | 
|  | 686 | return (revision == 0); | 
|  | 687 | } else { | 
|  | 688 | fprintf(stderr, "getsockopt failed strangely: %s\n", | 
|  | 689 | strerror(errno)); | 
|  | 690 | exit(1); | 
|  | 691 | } | 
|  | 692 | } | 
|  | 693 | close(sockfd); | 
|  | 694 | return 1; | 
|  | 695 | } | 
|  | 696 |  | 
|  | 697 |  | 
|  | 698 | static int compatible_match_revision(const char *name, u_int8_t revision) | 
|  | 699 | { | 
|  | 700 | return compatible_revision(name, revision, afinfo->so_rev_match); | 
|  | 701 | } | 
|  | 702 |  | 
|  | 703 | static int compatible_target_revision(const char *name, u_int8_t revision) | 
|  | 704 | { | 
|  | 705 | return compatible_revision(name, revision, afinfo->so_rev_target); | 
|  | 706 | } | 
|  | 707 |  | 
|  | 708 | void xtables_register_match(struct xtables_match *me) | 
|  | 709 | { | 
|  | 710 | struct xtables_match **i, *old; | 
|  | 711 |  | 
|  | 712 | if (strcmp(me->version, XTABLES_VERSION) != 0) { | 
|  | 713 | fprintf(stderr, "%s: match \"%s\" has version \"%s\", " | 
|  | 714 | "but \"%s\" is required.\n", | 
|  | 715 | xt_params->program_name, me->name, | 
|  | 716 | me->version, XTABLES_VERSION); | 
|  | 717 | exit(1); | 
|  | 718 | } | 
|  | 719 |  | 
|  | 720 | /* Revision field stole a char from name. */ | 
|  | 721 | if (strlen(me->name) >= XT_FUNCTION_MAXNAMELEN-1) { | 
|  | 722 | fprintf(stderr, "%s: target `%s' has invalid name\n", | 
|  | 723 | xt_params->program_name, me->name); | 
|  | 724 | exit(1); | 
|  | 725 | } | 
|  | 726 |  | 
|  | 727 | if (me->family >= NPROTO) { | 
|  | 728 | fprintf(stderr, | 
|  | 729 | "%s: BUG: match %s has invalid protocol family\n", | 
|  | 730 | xt_params->program_name, me->name); | 
|  | 731 | exit(1); | 
|  | 732 | } | 
|  | 733 |  | 
|  | 734 | /* ignore not interested match */ | 
|  | 735 | if (me->family != afinfo->family && me->family != AF_UNSPEC) | 
|  | 736 | return; | 
|  | 737 |  | 
|  | 738 | old = xtables_find_match(me->name, XTF_DURING_LOAD, NULL); | 
|  | 739 | if (old) { | 
|  | 740 | if (old->revision == me->revision && | 
|  | 741 | old->family == me->family) { | 
|  | 742 | fprintf(stderr, | 
|  | 743 | "%s: match `%s' already registered.\n", | 
|  | 744 | xt_params->program_name, me->name); | 
|  | 745 | exit(1); | 
|  | 746 | } | 
|  | 747 |  | 
|  | 748 | /* Now we have two (or more) options, check compatibility. */ | 
|  | 749 | if (compatible_match_revision(old->name, old->revision) | 
|  | 750 | && old->revision > me->revision) | 
|  | 751 | return; | 
|  | 752 |  | 
|  | 753 | /* See if new match can be used. */ | 
|  | 754 | if (!compatible_match_revision(me->name, me->revision)) | 
|  | 755 | return; | 
|  | 756 |  | 
|  | 757 | /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */ | 
|  | 758 | if (old->revision == me->revision && me->family == AF_UNSPEC) | 
|  | 759 | return; | 
|  | 760 |  | 
|  | 761 | /* Delete old one. */ | 
|  | 762 | for (i = &xtables_matches; *i!=old; i = &(*i)->next); | 
|  | 763 | *i = old->next; | 
|  | 764 | } | 
|  | 765 |  | 
|  | 766 | if (me->size != XT_ALIGN(me->size)) { | 
|  | 767 | fprintf(stderr, "%s: match `%s' has invalid size %u.\n", | 
|  | 768 | xt_params->program_name, me->name, | 
|  | 769 | (unsigned int)me->size); | 
|  | 770 | exit(1); | 
|  | 771 | } | 
|  | 772 |  | 
|  | 773 | /* Append to list. */ | 
|  | 774 | for (i = &xtables_matches; *i; i = &(*i)->next); | 
|  | 775 | me->next = NULL; | 
|  | 776 | *i = me; | 
|  | 777 |  | 
|  | 778 | me->m = NULL; | 
|  | 779 | me->mflags = 0; | 
|  | 780 | } | 
|  | 781 |  | 
|  | 782 | void xtables_register_target(struct xtables_target *me) | 
|  | 783 | { | 
|  | 784 | struct xtables_target *old; | 
|  | 785 |  | 
|  | 786 | if (strcmp(me->version, XTABLES_VERSION) != 0) { | 
|  | 787 | fprintf(stderr, "%s: target \"%s\" has version \"%s\", " | 
|  | 788 | "but \"%s\" is required.\n", | 
|  | 789 | xt_params->program_name, me->name, | 
|  | 790 | me->version, XTABLES_VERSION); | 
|  | 791 | exit(1); | 
|  | 792 | } | 
|  | 793 |  | 
|  | 794 | /* Revision field stole a char from name. */ | 
|  | 795 | if (strlen(me->name) >= XT_FUNCTION_MAXNAMELEN-1) { | 
|  | 796 | fprintf(stderr, "%s: target `%s' has invalid name\n", | 
|  | 797 | xt_params->program_name, me->name); | 
|  | 798 | exit(1); | 
|  | 799 | } | 
|  | 800 |  | 
|  | 801 | if (me->family >= NPROTO) { | 
|  | 802 | fprintf(stderr, | 
|  | 803 | "%s: BUG: target %s has invalid protocol family\n", | 
|  | 804 | xt_params->program_name, me->name); | 
|  | 805 | exit(1); | 
|  | 806 | } | 
|  | 807 |  | 
|  | 808 | /* ignore not interested target */ | 
|  | 809 | if (me->family != afinfo->family && me->family != AF_UNSPEC) | 
|  | 810 | return; | 
|  | 811 |  | 
|  | 812 | old = xtables_find_target(me->name, XTF_DURING_LOAD); | 
|  | 813 | if (old) { | 
|  | 814 | struct xtables_target **i; | 
|  | 815 |  | 
|  | 816 | if (old->revision == me->revision && | 
|  | 817 | old->family == me->family) { | 
|  | 818 | fprintf(stderr, | 
|  | 819 | "%s: target `%s' already registered.\n", | 
|  | 820 | xt_params->program_name, me->name); | 
|  | 821 | exit(1); | 
|  | 822 | } | 
|  | 823 |  | 
|  | 824 | /* Now we have two (or more) options, check compatibility. */ | 
|  | 825 | if (compatible_target_revision(old->name, old->revision) | 
|  | 826 | && old->revision > me->revision) | 
|  | 827 | return; | 
|  | 828 |  | 
|  | 829 | /* See if new target can be used. */ | 
|  | 830 | if (!compatible_target_revision(me->name, me->revision)) | 
|  | 831 | return; | 
|  | 832 |  | 
|  | 833 | /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */ | 
|  | 834 | if (old->revision == me->revision && me->family == AF_UNSPEC) | 
|  | 835 | return; | 
|  | 836 |  | 
|  | 837 | /* Delete old one. */ | 
|  | 838 | for (i = &xtables_targets; *i!=old; i = &(*i)->next); | 
|  | 839 | *i = old->next; | 
|  | 840 | } | 
|  | 841 |  | 
|  | 842 | if (me->size != XT_ALIGN(me->size)) { | 
|  | 843 | fprintf(stderr, "%s: target `%s' has invalid size %u.\n", | 
|  | 844 | xt_params->program_name, me->name, | 
|  | 845 | (unsigned int)me->size); | 
|  | 846 | exit(1); | 
|  | 847 | } | 
|  | 848 |  | 
|  | 849 | /* Prepend to list. */ | 
|  | 850 | me->next = xtables_targets; | 
|  | 851 | xtables_targets = me; | 
|  | 852 | me->t = NULL; | 
|  | 853 | me->tflags = 0; | 
|  | 854 | } | 
|  | 855 |  | 
|  | 856 | /** | 
|  | 857 | * xtables_param_act - act on condition | 
|  | 858 | * @status:	a constant from enum xtables_exittype | 
|  | 859 | * | 
|  | 860 | * %XTF_ONLY_ONCE: print error message that option may only be used once. | 
|  | 861 | * @p1:		module name (e.g. "mark") | 
|  | 862 | * @p2(...):	option in conflict (e.g. "--mark") | 
|  | 863 | * @p3(...):	condition to match on (see extensions/ for examples) | 
|  | 864 | * | 
|  | 865 | * %XTF_NO_INVERT: option does not support inversion | 
|  | 866 | * @p1:		module name | 
|  | 867 | * @p2:		option in conflict | 
|  | 868 | * @p3:		condition to match on | 
|  | 869 | * | 
|  | 870 | * %XTF_BAD_VALUE: bad value for option | 
|  | 871 | * @p1:		module name | 
|  | 872 | * @p2:		option with which the problem occured (e.g. "--mark") | 
|  | 873 | * @p3:		string the user passed in (e.g. "99999999999999") | 
|  | 874 | * | 
|  | 875 | * %XTF_ONE_ACTION: two mutually exclusive actions have been specified | 
|  | 876 | * @p1:		module name | 
|  | 877 | * | 
|  | 878 | * Displays an error message and exits the program. | 
|  | 879 | */ | 
|  | 880 | void xtables_param_act(unsigned int status, const char *p1, ...) | 
|  | 881 | { | 
|  | 882 | const char *p2, *p3; | 
|  | 883 | va_list args; | 
|  | 884 | bool b; | 
|  | 885 |  | 
|  | 886 | va_start(args, p1); | 
|  | 887 |  | 
|  | 888 | switch (status) { | 
|  | 889 | case XTF_ONLY_ONCE: | 
|  | 890 | p2 = va_arg(args, const char *); | 
|  | 891 | b  = va_arg(args, unsigned int); | 
|  | 892 | if (!b) | 
|  | 893 | return; | 
|  | 894 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 895 | "%s: \"%s\" option may only be specified once", | 
|  | 896 | p1, p2); | 
|  | 897 | break; | 
|  | 898 | case XTF_NO_INVERT: | 
|  | 899 | p2 = va_arg(args, const char *); | 
|  | 900 | b  = va_arg(args, unsigned int); | 
|  | 901 | if (!b) | 
|  | 902 | return; | 
|  | 903 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 904 | "%s: \"%s\" option cannot be inverted", p1, p2); | 
|  | 905 | break; | 
|  | 906 | case XTF_BAD_VALUE: | 
|  | 907 | p2 = va_arg(args, const char *); | 
|  | 908 | p3 = va_arg(args, const char *); | 
|  | 909 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 910 | "%s: Bad value for \"%s\" option: \"%s\"", | 
|  | 911 | p1, p2, p3); | 
|  | 912 | break; | 
|  | 913 | case XTF_ONE_ACTION: | 
|  | 914 | b = va_arg(args, unsigned int); | 
|  | 915 | if (!b) | 
|  | 916 | return; | 
|  | 917 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 918 | "%s: At most one action is possible", p1); | 
|  | 919 | break; | 
|  | 920 | default: | 
|  | 921 | xt_params->exit_err(status, p1, args); | 
|  | 922 | break; | 
|  | 923 | } | 
|  | 924 |  | 
|  | 925 | va_end(args); | 
|  | 926 | } | 
|  | 927 |  | 
|  | 928 | const char *xtables_ipaddr_to_numeric(const struct in_addr *addrp) | 
|  | 929 | { | 
|  | 930 | static char buf[20]; | 
|  | 931 | const unsigned char *bytep = (const void *)&addrp->s_addr; | 
|  | 932 |  | 
|  | 933 | sprintf(buf, "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]); | 
|  | 934 | return buf; | 
|  | 935 | } | 
|  | 936 |  | 
|  | 937 | static const char *ipaddr_to_host(const struct in_addr *addr) | 
|  | 938 | { | 
|  | 939 | struct hostent *host; | 
|  | 940 |  | 
|  | 941 | host = gethostbyaddr(addr, sizeof(struct in_addr), AF_INET); | 
|  | 942 | if (host == NULL) | 
|  | 943 | return NULL; | 
|  | 944 |  | 
|  | 945 | return host->h_name; | 
|  | 946 | } | 
|  | 947 |  | 
|  | 948 | static const char *ipaddr_to_network(const struct in_addr *addr) | 
|  | 949 | { | 
|  | 950 | struct netent *net; | 
|  | 951 |  | 
|  | 952 | if ((net = getnetbyaddr(ntohl(addr->s_addr), AF_INET)) != NULL) | 
|  | 953 | return net->n_name; | 
|  | 954 |  | 
|  | 955 | return NULL; | 
|  | 956 | } | 
|  | 957 |  | 
|  | 958 | const char *xtables_ipaddr_to_anyname(const struct in_addr *addr) | 
|  | 959 | { | 
|  | 960 | const char *name; | 
|  | 961 |  | 
|  | 962 | if ((name = ipaddr_to_host(addr)) != NULL || | 
|  | 963 | (name = ipaddr_to_network(addr)) != NULL) | 
|  | 964 | return name; | 
|  | 965 |  | 
|  | 966 | return xtables_ipaddr_to_numeric(addr); | 
|  | 967 | } | 
|  | 968 |  | 
|  | 969 | const char *xtables_ipmask_to_numeric(const struct in_addr *mask) | 
|  | 970 | { | 
|  | 971 | static char buf[20]; | 
|  | 972 | uint32_t maskaddr, bits; | 
|  | 973 | int i; | 
|  | 974 |  | 
|  | 975 | maskaddr = ntohl(mask->s_addr); | 
|  | 976 |  | 
|  | 977 | if (maskaddr == 0xFFFFFFFFL) | 
|  | 978 | /* we don't want to see "/32" */ | 
|  | 979 | return ""; | 
|  | 980 |  | 
|  | 981 | i = 32; | 
|  | 982 | bits = 0xFFFFFFFEL; | 
|  | 983 | while (--i >= 0 && maskaddr != bits) | 
|  | 984 | bits <<= 1; | 
|  | 985 | if (i >= 0) | 
|  | 986 | sprintf(buf, "/%d", i); | 
|  | 987 | else | 
|  | 988 | /* mask was not a decent combination of 1's and 0's */ | 
|  | 989 | sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask)); | 
|  | 990 |  | 
|  | 991 | return buf; | 
|  | 992 | } | 
|  | 993 |  | 
|  | 994 | static struct in_addr *__numeric_to_ipaddr(const char *dotted, bool is_mask) | 
|  | 995 | { | 
|  | 996 | static struct in_addr addr; | 
|  | 997 | unsigned char *addrp; | 
|  | 998 | unsigned int onebyte; | 
|  | 999 | char buf[20], *p, *q; | 
|  | 1000 | int i; | 
|  | 1001 |  | 
|  | 1002 | /* copy dotted string, because we need to modify it */ | 
|  | 1003 | strncpy(buf, dotted, sizeof(buf) - 1); | 
|  | 1004 | buf[sizeof(buf) - 1] = '\0'; | 
|  | 1005 | addrp = (void *)&addr.s_addr; | 
|  | 1006 |  | 
|  | 1007 | p = buf; | 
|  | 1008 | for (i = 0; i < 3; ++i) { | 
|  | 1009 | if ((q = strchr(p, '.')) == NULL) { | 
|  | 1010 | if (is_mask) | 
|  | 1011 | return NULL; | 
|  | 1012 |  | 
|  | 1013 | /* autocomplete, this is a network address */ | 
|  | 1014 | if (!xtables_strtoui(p, NULL, &onebyte, 0, UINT8_MAX)) | 
|  | 1015 | return NULL; | 
|  | 1016 |  | 
|  | 1017 | addrp[i] = onebyte; | 
|  | 1018 | while (i < 3) | 
|  | 1019 | addrp[++i] = 0; | 
|  | 1020 |  | 
|  | 1021 | return &addr; | 
|  | 1022 | } | 
|  | 1023 |  | 
|  | 1024 | *q = '\0'; | 
|  | 1025 | if (!xtables_strtoui(p, NULL, &onebyte, 0, UINT8_MAX)) | 
|  | 1026 | return NULL; | 
|  | 1027 |  | 
|  | 1028 | addrp[i] = onebyte; | 
|  | 1029 | p = q + 1; | 
|  | 1030 | } | 
|  | 1031 |  | 
|  | 1032 | /* we have checked 3 bytes, now we check the last one */ | 
|  | 1033 | if (!xtables_strtoui(p, NULL, &onebyte, 0, UINT8_MAX)) | 
|  | 1034 | return NULL; | 
|  | 1035 |  | 
|  | 1036 | addrp[3] = onebyte; | 
|  | 1037 | return &addr; | 
|  | 1038 | } | 
|  | 1039 |  | 
|  | 1040 | struct in_addr *xtables_numeric_to_ipaddr(const char *dotted) | 
|  | 1041 | { | 
|  | 1042 | return __numeric_to_ipaddr(dotted, false); | 
|  | 1043 | } | 
|  | 1044 |  | 
|  | 1045 | struct in_addr *xtables_numeric_to_ipmask(const char *dotted) | 
|  | 1046 | { | 
|  | 1047 | return __numeric_to_ipaddr(dotted, true); | 
|  | 1048 | } | 
|  | 1049 |  | 
|  | 1050 | static struct in_addr *network_to_ipaddr(const char *name) | 
|  | 1051 | { | 
|  | 1052 | static struct in_addr addr; | 
|  | 1053 | struct netent *net; | 
|  | 1054 |  | 
|  | 1055 | if ((net = getnetbyname(name)) != NULL) { | 
|  | 1056 | if (net->n_addrtype != AF_INET) | 
|  | 1057 | return NULL; | 
|  | 1058 | addr.s_addr = htonl(net->n_net); | 
|  | 1059 | return &addr; | 
|  | 1060 | } | 
|  | 1061 |  | 
|  | 1062 | return NULL; | 
|  | 1063 | } | 
|  | 1064 |  | 
|  | 1065 | static struct in_addr *host_to_ipaddr(const char *name, unsigned int *naddr) | 
|  | 1066 | { | 
|  | 1067 | struct hostent *host; | 
|  | 1068 | struct in_addr *addr; | 
|  | 1069 | unsigned int i; | 
|  | 1070 |  | 
|  | 1071 | *naddr = 0; | 
|  | 1072 | if ((host = gethostbyname(name)) != NULL) { | 
|  | 1073 | if (host->h_addrtype != AF_INET || | 
|  | 1074 | host->h_length != sizeof(struct in_addr)) | 
|  | 1075 | return NULL; | 
|  | 1076 |  | 
|  | 1077 | while (host->h_addr_list[*naddr] != NULL) | 
|  | 1078 | ++*naddr; | 
|  | 1079 | addr = xtables_calloc(*naddr, sizeof(struct in_addr) * *naddr); | 
|  | 1080 | for (i = 0; i < *naddr; i++) | 
|  | 1081 | memcpy(&addr[i], host->h_addr_list[i], | 
|  | 1082 | sizeof(struct in_addr)); | 
|  | 1083 | return addr; | 
|  | 1084 | } | 
|  | 1085 |  | 
|  | 1086 | return NULL; | 
|  | 1087 | } | 
|  | 1088 |  | 
|  | 1089 | static struct in_addr * | 
|  | 1090 | ipparse_hostnetwork(const char *name, unsigned int *naddrs) | 
|  | 1091 | { | 
|  | 1092 | struct in_addr *addrptmp, *addrp; | 
|  | 1093 |  | 
|  | 1094 | if ((addrptmp = xtables_numeric_to_ipaddr(name)) != NULL || | 
|  | 1095 | (addrptmp = network_to_ipaddr(name)) != NULL) { | 
|  | 1096 | addrp = xtables_malloc(sizeof(struct in_addr)); | 
|  | 1097 | memcpy(addrp, addrptmp, sizeof(*addrp)); | 
|  | 1098 | *naddrs = 1; | 
|  | 1099 | return addrp; | 
|  | 1100 | } | 
|  | 1101 | if ((addrptmp = host_to_ipaddr(name, naddrs)) != NULL) | 
|  | 1102 | return addrptmp; | 
|  | 1103 |  | 
|  | 1104 | xt_params->exit_err(PARAMETER_PROBLEM, "host/network `%s' not found", name); | 
|  | 1105 | } | 
|  | 1106 |  | 
|  | 1107 | static struct in_addr *parse_ipmask(const char *mask) | 
|  | 1108 | { | 
|  | 1109 | static struct in_addr maskaddr; | 
|  | 1110 | struct in_addr *addrp; | 
|  | 1111 | unsigned int bits; | 
|  | 1112 |  | 
|  | 1113 | if (mask == NULL) { | 
|  | 1114 | /* no mask at all defaults to 32 bits */ | 
|  | 1115 | maskaddr.s_addr = 0xFFFFFFFF; | 
|  | 1116 | return &maskaddr; | 
|  | 1117 | } | 
|  | 1118 | if ((addrp = xtables_numeric_to_ipmask(mask)) != NULL) | 
|  | 1119 | /* dotted_to_addr already returns a network byte order addr */ | 
|  | 1120 | return addrp; | 
|  | 1121 | if (!xtables_strtoui(mask, NULL, &bits, 0, 32)) | 
|  | 1122 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 1123 | "invalid mask `%s' specified", mask); | 
|  | 1124 | if (bits != 0) { | 
|  | 1125 | maskaddr.s_addr = htonl(0xFFFFFFFF << (32 - bits)); | 
|  | 1126 | return &maskaddr; | 
|  | 1127 | } | 
|  | 1128 |  | 
|  | 1129 | maskaddr.s_addr = 0U; | 
|  | 1130 | return &maskaddr; | 
|  | 1131 | } | 
|  | 1132 |  | 
|  | 1133 | /** | 
|  | 1134 | * xtables_ipparse_any - transform arbitrary name to in_addr | 
|  | 1135 | * | 
|  | 1136 | * Possible inputs (pseudo regex): | 
|  | 1137 | * 	m{^($hostname|$networkname|$ipaddr)(/$mask)?} | 
|  | 1138 | * "1.2.3.4/5", "1.2.3.4", "hostname", "networkname" | 
|  | 1139 | */ | 
|  | 1140 | void xtables_ipparse_any(const char *name, struct in_addr **addrpp, | 
|  | 1141 | struct in_addr *maskp, unsigned int *naddrs) | 
|  | 1142 | { | 
|  | 1143 | unsigned int i, j, k, n; | 
|  | 1144 | struct in_addr *addrp; | 
|  | 1145 | char buf[256], *p; | 
|  | 1146 |  | 
|  | 1147 | strncpy(buf, name, sizeof(buf) - 1); | 
|  | 1148 | buf[sizeof(buf) - 1] = '\0'; | 
|  | 1149 | if ((p = strrchr(buf, '/')) != NULL) { | 
|  | 1150 | *p = '\0'; | 
|  | 1151 | addrp = parse_ipmask(p + 1); | 
|  | 1152 | } else { | 
|  | 1153 | addrp = parse_ipmask(NULL); | 
|  | 1154 | } | 
|  | 1155 | memcpy(maskp, addrp, sizeof(*maskp)); | 
|  | 1156 |  | 
|  | 1157 | /* if a null mask is given, the name is ignored, like in "any/0" */ | 
|  | 1158 | if (maskp->s_addr == 0U) | 
|  | 1159 | strcpy(buf, "0.0.0.0"); | 
|  | 1160 |  | 
|  | 1161 | addrp = *addrpp = ipparse_hostnetwork(buf, naddrs); | 
|  | 1162 | n = *naddrs; | 
|  | 1163 | for (i = 0, j = 0; i < n; ++i) { | 
|  | 1164 | addrp[j++].s_addr &= maskp->s_addr; | 
|  | 1165 | for (k = 0; k < j - 1; ++k) | 
|  | 1166 | if (addrp[k].s_addr == addrp[j-1].s_addr) { | 
|  | 1167 | --*naddrs; | 
|  | 1168 | --j; | 
|  | 1169 | break; | 
|  | 1170 | } | 
|  | 1171 | } | 
|  | 1172 | } | 
|  | 1173 |  | 
|  | 1174 | const char *xtables_ip6addr_to_numeric(const struct in6_addr *addrp) | 
|  | 1175 | { | 
|  | 1176 | /* 0000:0000:0000:0000:0000:000.000.000.000 | 
|  | 1177 | * 0000:0000:0000:0000:0000:0000:0000:0000 */ | 
|  | 1178 | static char buf[50+1]; | 
|  | 1179 | return inet_ntop(AF_INET6, addrp, buf, sizeof(buf)); | 
|  | 1180 | } | 
|  | 1181 |  | 
|  | 1182 | static const char *ip6addr_to_host(const struct in6_addr *addr) | 
|  | 1183 | { | 
|  | 1184 | static char hostname[NI_MAXHOST]; | 
|  | 1185 | struct sockaddr_in6 saddr; | 
|  | 1186 | int err; | 
|  | 1187 |  | 
|  | 1188 | memset(&saddr, 0, sizeof(struct sockaddr_in6)); | 
|  | 1189 | memcpy(&saddr.sin6_addr, addr, sizeof(*addr)); | 
|  | 1190 | saddr.sin6_family = AF_INET6; | 
|  | 1191 |  | 
|  | 1192 | err = getnameinfo((const void *)&saddr, sizeof(struct sockaddr_in6), | 
|  | 1193 | hostname, sizeof(hostname) - 1, NULL, 0, 0); | 
|  | 1194 | if (err != 0) { | 
|  | 1195 | #ifdef DEBUG | 
|  | 1196 | fprintf(stderr,"IP2Name: %s\n",gai_strerror(err)); | 
|  | 1197 | #endif | 
|  | 1198 | return NULL; | 
|  | 1199 | } | 
|  | 1200 |  | 
|  | 1201 | #ifdef DEBUG | 
|  | 1202 | fprintf (stderr, "\naddr2host: %s\n", hostname); | 
|  | 1203 | #endif | 
|  | 1204 | return hostname; | 
|  | 1205 | } | 
|  | 1206 |  | 
|  | 1207 | const char *xtables_ip6addr_to_anyname(const struct in6_addr *addr) | 
|  | 1208 | { | 
|  | 1209 | const char *name; | 
|  | 1210 |  | 
|  | 1211 | if ((name = ip6addr_to_host(addr)) != NULL) | 
|  | 1212 | return name; | 
|  | 1213 |  | 
|  | 1214 | return xtables_ip6addr_to_numeric(addr); | 
|  | 1215 | } | 
|  | 1216 |  | 
|  | 1217 | static int ip6addr_prefix_length(const struct in6_addr *k) | 
|  | 1218 | { | 
|  | 1219 | unsigned int bits = 0; | 
|  | 1220 | uint32_t a, b, c, d; | 
|  | 1221 |  | 
|  | 1222 | a = ntohl(k->s6_addr32[0]); | 
|  | 1223 | b = ntohl(k->s6_addr32[1]); | 
|  | 1224 | c = ntohl(k->s6_addr32[2]); | 
|  | 1225 | d = ntohl(k->s6_addr32[3]); | 
|  | 1226 | while (a & 0x80000000U) { | 
|  | 1227 | ++bits; | 
|  | 1228 | a <<= 1; | 
|  | 1229 | a  |= (b >> 31) & 1; | 
|  | 1230 | b <<= 1; | 
|  | 1231 | b  |= (c >> 31) & 1; | 
|  | 1232 | c <<= 1; | 
|  | 1233 | c  |= (d >> 31) & 1; | 
|  | 1234 | d <<= 1; | 
|  | 1235 | } | 
|  | 1236 | if (a != 0 || b != 0 || c != 0 || d != 0) | 
|  | 1237 | return -1; | 
|  | 1238 | return bits; | 
|  | 1239 | } | 
|  | 1240 |  | 
|  | 1241 | const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp) | 
|  | 1242 | { | 
|  | 1243 | static char buf[50+2]; | 
|  | 1244 | int l = ip6addr_prefix_length(addrp); | 
|  | 1245 |  | 
|  | 1246 | if (l == -1) { | 
|  | 1247 | strcpy(buf, "/"); | 
|  | 1248 | strcat(buf, xtables_ip6addr_to_numeric(addrp)); | 
|  | 1249 | return buf; | 
|  | 1250 | } | 
|  | 1251 | sprintf(buf, "/%d", l); | 
|  | 1252 | return buf; | 
|  | 1253 | } | 
|  | 1254 |  | 
|  | 1255 | struct in6_addr *xtables_numeric_to_ip6addr(const char *num) | 
|  | 1256 | { | 
|  | 1257 | static struct in6_addr ap; | 
|  | 1258 | int err; | 
|  | 1259 |  | 
|  | 1260 | if ((err = inet_pton(AF_INET6, num, &ap)) == 1) | 
|  | 1261 | return ≈ | 
|  | 1262 | #ifdef DEBUG | 
|  | 1263 | fprintf(stderr, "\nnumeric2addr: %d\n", err); | 
|  | 1264 | #endif | 
|  | 1265 | return NULL; | 
|  | 1266 | } | 
|  | 1267 |  | 
|  | 1268 | static struct in6_addr * | 
|  | 1269 | host_to_ip6addr(const char *name, unsigned int *naddr) | 
|  | 1270 | { | 
|  | 1271 | static struct in6_addr *addr; | 
|  | 1272 | struct addrinfo hints; | 
|  | 1273 | struct addrinfo *res; | 
|  | 1274 | int err; | 
|  | 1275 |  | 
|  | 1276 | memset(&hints, 0, sizeof(hints)); | 
|  | 1277 | hints.ai_flags    = AI_CANONNAME; | 
|  | 1278 | hints.ai_family   = AF_INET6; | 
|  | 1279 | hints.ai_socktype = SOCK_RAW; | 
|  | 1280 | hints.ai_protocol = IPPROTO_IPV6; | 
|  | 1281 | hints.ai_next     = NULL; | 
|  | 1282 |  | 
|  | 1283 | *naddr = 0; | 
|  | 1284 | if ((err = getaddrinfo(name, NULL, &hints, &res)) != 0) { | 
|  | 1285 | #ifdef DEBUG | 
|  | 1286 | fprintf(stderr,"Name2IP: %s\n",gai_strerror(err)); | 
|  | 1287 | #endif | 
|  | 1288 | return NULL; | 
|  | 1289 | } else { | 
|  | 1290 | if (res->ai_family != AF_INET6 || | 
|  | 1291 | res->ai_addrlen != sizeof(struct sockaddr_in6)) | 
|  | 1292 | return NULL; | 
|  | 1293 |  | 
|  | 1294 | #ifdef DEBUG | 
|  | 1295 | fprintf(stderr, "resolved: len=%d  %s ", res->ai_addrlen, | 
|  | 1296 | ip6addr_to_numeric(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)); | 
|  | 1297 | #endif | 
|  | 1298 | /* Get the first element of the address-chain */ | 
|  | 1299 | addr = xtables_malloc(sizeof(struct in6_addr)); | 
|  | 1300 | memcpy(addr, &((const struct sockaddr_in6 *)res->ai_addr)->sin6_addr, | 
|  | 1301 | sizeof(struct in6_addr)); | 
|  | 1302 | freeaddrinfo(res); | 
|  | 1303 | *naddr = 1; | 
|  | 1304 | return addr; | 
|  | 1305 | } | 
|  | 1306 |  | 
|  | 1307 | return NULL; | 
|  | 1308 | } | 
|  | 1309 |  | 
|  | 1310 | static struct in6_addr *network_to_ip6addr(const char *name) | 
|  | 1311 | { | 
|  | 1312 | /*	abort();*/ | 
|  | 1313 | /* TODO: not implemented yet, but the exception breaks the | 
|  | 1314 | *       name resolvation */ | 
|  | 1315 | return NULL; | 
|  | 1316 | } | 
|  | 1317 |  | 
|  | 1318 | static struct in6_addr * | 
|  | 1319 | ip6parse_hostnetwork(const char *name, unsigned int *naddrs) | 
|  | 1320 | { | 
|  | 1321 | struct in6_addr *addrp, *addrptmp; | 
|  | 1322 |  | 
|  | 1323 | if ((addrptmp = xtables_numeric_to_ip6addr(name)) != NULL || | 
|  | 1324 | (addrptmp = network_to_ip6addr(name)) != NULL) { | 
|  | 1325 | addrp = xtables_malloc(sizeof(struct in6_addr)); | 
|  | 1326 | memcpy(addrp, addrptmp, sizeof(*addrp)); | 
|  | 1327 | *naddrs = 1; | 
|  | 1328 | return addrp; | 
|  | 1329 | } | 
|  | 1330 | if ((addrp = host_to_ip6addr(name, naddrs)) != NULL) | 
|  | 1331 | return addrp; | 
|  | 1332 |  | 
|  | 1333 | xt_params->exit_err(PARAMETER_PROBLEM, "host/network `%s' not found", name); | 
|  | 1334 | } | 
|  | 1335 |  | 
|  | 1336 | static struct in6_addr *parse_ip6mask(char *mask) | 
|  | 1337 | { | 
|  | 1338 | static struct in6_addr maskaddr; | 
|  | 1339 | struct in6_addr *addrp; | 
|  | 1340 | unsigned int bits; | 
|  | 1341 |  | 
|  | 1342 | if (mask == NULL) { | 
|  | 1343 | /* no mask at all defaults to 128 bits */ | 
|  | 1344 | memset(&maskaddr, 0xff, sizeof maskaddr); | 
|  | 1345 | return &maskaddr; | 
|  | 1346 | } | 
|  | 1347 | if ((addrp = xtables_numeric_to_ip6addr(mask)) != NULL) | 
|  | 1348 | return addrp; | 
|  | 1349 | if (!xtables_strtoui(mask, NULL, &bits, 0, 128)) | 
|  | 1350 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 1351 | "invalid mask `%s' specified", mask); | 
|  | 1352 | if (bits != 0) { | 
|  | 1353 | char *p = (void *)&maskaddr; | 
|  | 1354 | memset(p, 0xff, bits / 8); | 
|  | 1355 | memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); | 
|  | 1356 | p[bits/8] = 0xff << (8 - (bits & 7)); | 
|  | 1357 | return &maskaddr; | 
|  | 1358 | } | 
|  | 1359 |  | 
|  | 1360 | memset(&maskaddr, 0, sizeof(maskaddr)); | 
|  | 1361 | return &maskaddr; | 
|  | 1362 | } | 
|  | 1363 |  | 
|  | 1364 | void xtables_ip6parse_any(const char *name, struct in6_addr **addrpp, | 
|  | 1365 | struct in6_addr *maskp, unsigned int *naddrs) | 
|  | 1366 | { | 
|  | 1367 | static const struct in6_addr zero_addr; | 
|  | 1368 | struct in6_addr *addrp; | 
|  | 1369 | unsigned int i, j, k, n; | 
|  | 1370 | char buf[256], *p; | 
|  | 1371 |  | 
|  | 1372 | strncpy(buf, name, sizeof(buf) - 1); | 
|  | 1373 | buf[sizeof(buf)-1] = '\0'; | 
|  | 1374 | if ((p = strrchr(buf, '/')) != NULL) { | 
|  | 1375 | *p = '\0'; | 
|  | 1376 | addrp = parse_ip6mask(p + 1); | 
|  | 1377 | } else { | 
|  | 1378 | addrp = parse_ip6mask(NULL); | 
|  | 1379 | } | 
|  | 1380 | memcpy(maskp, addrp, sizeof(*maskp)); | 
|  | 1381 |  | 
|  | 1382 | /* if a null mask is given, the name is ignored, like in "any/0" */ | 
|  | 1383 | if (memcmp(maskp, &zero_addr, sizeof(zero_addr)) == 0) | 
|  | 1384 | strcpy(buf, "::"); | 
|  | 1385 |  | 
|  | 1386 | addrp = *addrpp = ip6parse_hostnetwork(buf, naddrs); | 
|  | 1387 | n = *naddrs; | 
|  | 1388 | for (i = 0, j = 0; i < n; ++i) { | 
|  | 1389 | for (k = 0; k < 4; ++k) | 
|  | 1390 | addrp[j].s6_addr32[k] &= maskp->s6_addr32[k]; | 
|  | 1391 | ++j; | 
|  | 1392 | for (k = 0; k < j - 1; ++k) | 
|  | 1393 | if (IN6_ARE_ADDR_EQUAL(&addrp[k], &addrp[j - 1])) { | 
|  | 1394 | --*naddrs; | 
|  | 1395 | --j; | 
|  | 1396 | break; | 
|  | 1397 | } | 
|  | 1398 | } | 
|  | 1399 | } | 
|  | 1400 |  | 
|  | 1401 | void xtables_save_string(const char *value) | 
|  | 1402 | { | 
|  | 1403 | static const char no_quote_chars[] = "_-0123456789" | 
|  | 1404 | "abcdefghijklmnopqrstuvwxyz" | 
|  | 1405 | "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; | 
|  | 1406 | static const char escape_chars[] = "\"\\'"; | 
|  | 1407 | size_t length; | 
|  | 1408 | const char *p; | 
|  | 1409 |  | 
|  | 1410 | length = strcspn(value, no_quote_chars); | 
|  | 1411 | if (length > 0 && value[length] == 0) { | 
|  | 1412 | /* no quoting required */ | 
|  | 1413 | fputs(value, stdout); | 
|  | 1414 | putchar(' '); | 
|  | 1415 | } else { | 
|  | 1416 | /* there is at least one dangerous character in the | 
|  | 1417 | value, which we have to quote.  Write double quotes | 
|  | 1418 | around the value and escape special characters with | 
|  | 1419 | a backslash */ | 
|  | 1420 | putchar('"'); | 
|  | 1421 |  | 
|  | 1422 | for (p = strpbrk(value, escape_chars); p != NULL; | 
|  | 1423 | p = strpbrk(value, escape_chars)) { | 
|  | 1424 | if (p > value) | 
|  | 1425 | fwrite(value, 1, p - value, stdout); | 
|  | 1426 | putchar('\\'); | 
|  | 1427 | putchar(*p); | 
|  | 1428 | value = p + 1; | 
|  | 1429 | } | 
|  | 1430 |  | 
|  | 1431 | /* print the rest and finish the double quoted | 
|  | 1432 | string */ | 
|  | 1433 | fputs(value, stdout); | 
|  | 1434 | printf("\" "); | 
|  | 1435 | } | 
|  | 1436 | } | 
|  | 1437 |  | 
|  | 1438 | /** | 
|  | 1439 | * Check for option-intrapositional negation. | 
|  | 1440 | * Do not use in new code. | 
|  | 1441 | */ | 
|  | 1442 | int xtables_check_inverse(const char option[], int *invert, | 
|  | 1443 | int *my_optind, int argc) | 
|  | 1444 | { | 
|  | 1445 | if (option && strcmp(option, "!") == 0) { | 
|  | 1446 | fprintf(stderr, "Using intrapositioned negation " | 
|  | 1447 | "(`--option ! this`) is deprecated in favor of " | 
|  | 1448 | "extrapositioned (`! --option this`).\n"); | 
|  | 1449 |  | 
|  | 1450 | if (*invert) | 
|  | 1451 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 1452 | "Multiple `!' flags not allowed"); | 
|  | 1453 | *invert = true; | 
|  | 1454 | if (my_optind != NULL) { | 
|  | 1455 | ++*my_optind; | 
|  | 1456 | if (argc && *my_optind > argc) | 
|  | 1457 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 1458 | "no argument following `!'"); | 
|  | 1459 | } | 
|  | 1460 |  | 
|  | 1461 | return true; | 
|  | 1462 | } | 
|  | 1463 | return false; | 
|  | 1464 | } | 
|  | 1465 |  | 
|  | 1466 | const struct xtables_pprot xtables_chain_protos[] = { | 
|  | 1467 | {"tcp",       IPPROTO_TCP}, | 
|  | 1468 | {"sctp",      IPPROTO_SCTP}, | 
|  | 1469 | {"udp",       IPPROTO_UDP}, | 
|  | 1470 | {"udplite",   IPPROTO_UDPLITE}, | 
|  | 1471 | {"icmp",      IPPROTO_ICMP}, | 
|  | 1472 | {"icmpv6",    IPPROTO_ICMPV6}, | 
|  | 1473 | {"ipv6-icmp", IPPROTO_ICMPV6}, | 
|  | 1474 | {"esp",       IPPROTO_ESP}, | 
|  | 1475 | {"ah",        IPPROTO_AH}, | 
|  | 1476 | {"ipv6-mh",   IPPROTO_MH}, | 
|  | 1477 | {"mh",        IPPROTO_MH}, | 
|  | 1478 | {"all",       0}, | 
|  | 1479 | {NULL}, | 
|  | 1480 | }; | 
|  | 1481 |  | 
|  | 1482 | u_int16_t | 
|  | 1483 | xtables_parse_protocol(const char *s) | 
|  | 1484 | { | 
|  | 1485 | unsigned int proto; | 
|  | 1486 |  | 
|  | 1487 | if (!xtables_strtoui(s, NULL, &proto, 0, UINT8_MAX)) { | 
|  | 1488 | struct protoent *pent; | 
|  | 1489 |  | 
|  | 1490 | /* first deal with the special case of 'all' to prevent | 
|  | 1491 | * people from being able to redefine 'all' in nsswitch | 
|  | 1492 | * and/or provoke expensive [not working] ldap/nis/... | 
|  | 1493 | * lookups */ | 
|  | 1494 | if (!strcmp(s, "all")) | 
|  | 1495 | return 0; | 
|  | 1496 |  | 
|  | 1497 | if ((pent = getprotobyname(s))) | 
|  | 1498 | proto = pent->p_proto; | 
|  | 1499 | else { | 
|  | 1500 | unsigned int i; | 
|  | 1501 | for (i = 0; i < ARRAY_SIZE(xtables_chain_protos); ++i) { | 
|  | 1502 | if(xtables_chain_protos[i].name == NULL) | 
|  | 1503 | { | 
|  | 1504 | continue; | 
|  | 1505 | } | 
|  | 1506 |  | 
|  | 1507 | if ( strcmp(s, xtables_chain_protos[i].name) == 0) { | 
|  | 1508 | proto = xtables_chain_protos[i].num; | 
|  | 1509 | break; | 
|  | 1510 | } | 
|  | 1511 | } | 
|  | 1512 | if (i == ARRAY_SIZE(xtables_chain_protos)) | 
|  | 1513 | xt_params->exit_err(PARAMETER_PROBLEM, | 
|  | 1514 | "unknown protocol `%s' specified", | 
|  | 1515 | s); | 
|  | 1516 | } | 
|  | 1517 | } | 
|  | 1518 |  | 
|  | 1519 | return proto; | 
|  | 1520 | } |