5 * Copyright (C) 2007-2012 Intel Corporation. All rights reserved.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
31 #include <sys/errno.h>
32 #include <sys/socket.h>
35 #include <linux/netfilter_ipv4/ip_tables.h>
41 * Some comments on how the iptables API works (some of them from the
42 * source code from iptables and the kernel):
44 * - valid_hooks: bit indicates valid IDs for hook_entry
45 * - hook_entry[ID] offset to the chain start
46 * - overflows should be end of entry chains, and uncodintional policy nodes.
47 * - policy entry: last entry in a chain
48 * - user chain: end of last builtin + policy entry
49 * - final entry must be error node
50 * - Underflows must be unconditional and use the STANDARD target with
52 * - IPT_SO_GET_INFO and IPT_SO_GET_ENTRIES are used to read a table
53 * - IPT_SO_GET_INFO: struct ipt_getinfo (note the lack of table content)
54 * - IPT_SO_GET_ENTRIES: struct ipt_get_entries (contains only parts of the
55 * table header/meta info. The table is appended after the header. The entries
56 * are of the type struct ipt_entry.
57 * - After the ipt_entry the matches are appended. After the matches
58 * the target is appended.
59 * - ipt_entry->target_offset = Size of ipt_entry + matches
60 * - ipt_entry->next_offset = Size of ipt_entry + matches + target
61 * - IPT_SO_SET_REPLACE is used to write a table (contains the complete
62 * - hook_entry and overflow mark the begining and the end of a chain, e.g
63 * entry hook: pre/in/fwd/out/post -1/0/352/504/-1
64 * underflow: pre/in/fwd/out/post -1/200/352/904/-1
65 * means that INPUT starts at offset 0 and ends at 200 (the start offset to
66 * the last element). FORWARD has one entry starting/ending at 352. The entry
67 * has a size of 152. 352 + 152 = 504 which is the start of the OUTPUT chain
68 * which then ends at 904. PREROUTING and POSTROUTING are invalid hooks in
70 * - 'iptables -t filter -A INPUT -m mark --mark 999 -j LOG'
71 * writing that table looks like this:
73 * filter valid_hooks 0x0000000e num_entries 5 size 856
74 * entry hook: pre/in/fwd/out/post -1/0/376/528/-1
75 * underflow: pre/in/fwd/out/post -1/224/376/528/-1
76 * entry 0x699d30 offset 0 size 224
77 * RULE match 0x699da0 target 0x699dd0
78 * match mark match 0x3e7
79 * target LOG flags 0 level 4
82 * entry 0x699e10 offset 224 size 152
83 * RULE match 0x699e80 target 0x699e80
87 * entry 0x699ea8 offset 376 size 152
88 * RULE match 0x699f18 target 0x699f18
92 * entry 0x699f40 offset 528 size 152
93 * RULE match 0x699fb0 target 0x699fb0
97 * entry 0x699fd8 offset 680 size 176
98 * USER CHAIN (ERROR) match 0x69a048 target 0x69a048
100 * Reading the filter table looks like this:
102 * filter valid_hooks 0x0000000e num_entries 5 size 856
103 * entry hook: pre/in/fwd/out/post -1/0/376/528/-1
104 * underflow: pre/in/fwd/out/post -1/224/376/528/-1
105 * entry 0x25fec28 offset 0 size 224
106 * CHAIN (INPUT) match 0x25fec98 target 0x25fecc8
107 * match mark match 0x3e7
108 * target LOG flags 0 level 4
109 * src 0.0.0.0/0.0.0.0
110 * dst 0.0.0.0/0.0.0.0
111 * entry 0x25fed08 offset 224 size 152
112 * RULE match 0x25fed78 target 0x25fed78
114 * src 0.0.0.0/0.0.0.0
115 * dst 0.0.0.0/0.0.0.0
116 * entry 0x25feda0 offset 376 size 152
117 * CHAIN (FORWARD) match 0x25fee10 target 0x25fee10
119 * src 0.0.0.0/0.0.0.0
120 * dst 0.0.0.0/0.0.0.0
121 * entry 0x25fee38 offset 528 size 152
122 * CHAIN (OUTPUT) match 0x25feea8 target 0x25feea8
124 * src 0.0.0.0/0.0.0.0
125 * dst 0.0.0.0/0.0.0.0
126 * entry 0x25feed0 offset 680 size 176
130 static const char *hooknames[] = {
131 [NF_IP_PRE_ROUTING] = "PREROUTING",
132 [NF_IP_LOCAL_IN] = "INPUT",
133 [NF_IP_FORWARD] = "FORWARD",
134 [NF_IP_LOCAL_OUT] = "OUTPUT",
135 [NF_IP_POST_ROUTING] = "POSTROUTING",
138 #define LABEL_ACCEPT "ACCEPT"
139 #define LABEL_DROP "DROP"
140 #define LABEL_QUEUE "QUEUE"
141 #define LABEL_RETURN "RETURN"
143 #define XT_OPTION_OFFSET_SCALE 256
145 #define MIN_ALIGN (__alignof__(struct ipt_entry))
147 #define ALIGN(s) (((s) + ((MIN_ALIGN)-1)) & ~((MIN_ALIGN)-1))
149 struct error_target {
150 struct xt_entry_target t;
151 char error[IPT_TABLE_MAXNAMELEN];
154 struct connman_iptables_entry {
158 struct ipt_entry *entry;
161 struct connman_iptables {
164 struct ipt_getinfo *info;
165 struct ipt_get_entries *blob_entries;
167 unsigned int num_entries;
168 unsigned int old_entries;
171 unsigned int underflow[NF_INET_NUMHOOKS];
172 unsigned int hook_entry[NF_INET_NUMHOOKS];
177 static GHashTable *table_hash = NULL;
179 typedef int (*iterate_entries_cb_t)(struct ipt_entry *entry, int builtin,
180 unsigned int hook,size_t size,
181 unsigned int offset, void *user_data);
183 static int iterate_entries(struct ipt_entry *entries,
184 unsigned int valid_hooks,
185 unsigned int *hook_entry,
186 size_t size, iterate_entries_cb_t cb,
191 struct ipt_entry *entry;
193 if (valid_hooks != 0)
194 h = __builtin_ffs(valid_hooks) - 1;
196 h = NF_INET_NUMHOOKS;
198 for (i = 0, entry = entries; i < size;
199 i += entry->next_offset) {
201 entry = (void *)entries + i;
204 * Find next valid hook which offset is higher
205 * or equal with the current offset.
207 if (h < NF_INET_NUMHOOKS) {
208 if (hook_entry[h] < i) {
209 valid_hooks ^= (1 << h);
211 if (valid_hooks != 0)
212 h = __builtin_ffs(valid_hooks) - 1;
214 h = NF_INET_NUMHOOKS;
217 if (hook_entry[h] == i)
221 err = cb(entry, builtin, h, size, i, user_data);
230 static int target_to_verdict(const char *target_name)
232 if (!strcmp(target_name, LABEL_ACCEPT))
233 return -NF_ACCEPT - 1;
235 if (!strcmp(target_name, LABEL_DROP))
238 if (!strcmp(target_name, LABEL_QUEUE))
239 return -NF_QUEUE - 1;
241 if (!strcmp(target_name, LABEL_RETURN))
247 static gboolean is_builtin_target(const char *target_name)
249 if (!strcmp(target_name, LABEL_ACCEPT) ||
250 !strcmp(target_name, LABEL_DROP) ||
251 !strcmp(target_name, LABEL_QUEUE) ||
252 !strcmp(target_name, LABEL_RETURN))
258 static gboolean is_jump(struct connman_iptables_entry *e)
260 struct xt_entry_target *target;
262 target = ipt_get_target(e->entry);
264 if (!strcmp(target->u.user.name, IPT_STANDARD_TARGET)) {
265 struct xt_standard_target *t;
267 t = (struct xt_standard_target *)target;
269 switch (t->verdict) {
285 static gboolean is_chain(struct connman_iptables *table,
286 struct connman_iptables_entry *e)
288 struct ipt_entry *entry;
289 struct xt_entry_target *target;
295 target = ipt_get_target(entry);
296 if (!strcmp(target->u.user.name, IPT_ERROR_TARGET))
302 static GList *find_chain_head(struct connman_iptables *table,
303 const char *chain_name)
306 struct connman_iptables_entry *head;
307 struct ipt_entry *entry;
308 struct xt_entry_target *target;
311 for (list = table->entries; list; list = list->next) {
316 builtin = head->builtin;
317 if (builtin >= 0 && !strcmp(hooknames[builtin], chain_name))
320 /* User defined chain */
321 target = ipt_get_target(entry);
322 if (!strcmp(target->u.user.name, IPT_ERROR_TARGET) &&
323 !strcmp((char *)target->data, chain_name))
330 static GList *find_chain_tail(struct connman_iptables *table,
331 const char *chain_name)
333 struct connman_iptables_entry *tail;
334 GList *chain_head, *list;
336 chain_head = find_chain_head(table, chain_name);
337 if (chain_head == NULL)
340 /* Then we look for the next chain */
341 for (list = chain_head->next; list; list = list->next) {
344 if (is_chain(table, tail))
348 /* Nothing found, we return the table end */
349 return g_list_last(table->entries);
353 static void update_offsets(struct connman_iptables *table)
356 struct connman_iptables_entry *entry, *prev_entry;
358 for (list = table->entries; list; list = list->next) {
361 if (list == table->entries) {
368 prev_entry = prev->data;
370 entry->offset = prev_entry->offset +
371 prev_entry->entry->next_offset;
375 static void update_targets_reference(struct connman_iptables *table,
376 struct connman_iptables_entry *entry_before,
377 struct connman_iptables_entry *modified_entry,
378 gboolean is_removing)
380 struct connman_iptables_entry *tmp;
381 struct xt_standard_target *t;
385 offset = modified_entry->entry->next_offset;
387 for (list = table->entries; list; list = list->next) {
393 t = (struct xt_standard_target *)ipt_get_target(tmp->entry);
395 if (is_removing == TRUE) {
396 if (t->verdict >= entry_before->offset)
397 t->verdict -= offset;
399 if (t->verdict > entry_before->offset)
400 t->verdict += offset;
405 static int iptables_add_entry(struct connman_iptables *table,
406 struct ipt_entry *entry, GList *before,
409 struct connman_iptables_entry *e, *entry_before;
414 e = g_try_malloc0(sizeof(struct connman_iptables_entry));
419 e->builtin = builtin;
421 table->entries = g_list_insert_before(table->entries, before, e);
422 table->num_entries++;
423 table->size += entry->next_offset;
425 if (before == NULL) {
426 e->offset = table->size - entry->next_offset;
431 entry_before = before->data;
434 * We've just appended/insterted a new entry. All references
435 * should be bumped accordingly.
437 update_targets_reference(table, entry_before, e, FALSE);
439 update_offsets(table);
444 static int remove_table_entry(struct connman_iptables *table,
445 struct connman_iptables_entry *entry)
449 table->num_entries--;
450 table->size -= entry->entry->next_offset;
451 removed = entry->entry->next_offset;
453 g_free(entry->entry);
455 table->entries = g_list_remove(table->entries, entry);
460 static int iptables_flush_chain(struct connman_iptables *table,
463 GList *chain_head, *chain_tail, *list, *next;
464 struct connman_iptables_entry *entry;
465 int builtin, removed = 0;
467 chain_head = find_chain_head(table, name);
468 if (chain_head == NULL)
471 chain_tail = find_chain_tail(table, name);
472 if (chain_tail == NULL)
475 entry = chain_head->data;
476 builtin = entry->builtin;
481 list = chain_head->next;
483 if (list == chain_tail->prev)
486 while (list != chain_tail->prev) {
488 next = g_list_next(list);
490 removed += remove_table_entry(table, entry);
496 struct connman_iptables_entry *e;
500 entry->builtin = builtin;
502 table->underflow[builtin] -= removed;
504 for (list = chain_tail; list; list = list->next) {
507 builtin = e->builtin;
511 table->hook_entry[builtin] -= removed;
512 table->underflow[builtin] -= removed;
516 update_offsets(table);
521 static int iptables_add_chain(struct connman_iptables *table,
525 struct ipt_entry *entry_head;
526 struct ipt_entry *entry_return;
527 struct error_target *error;
528 struct ipt_standard_target *standard;
529 u_int16_t entry_head_size, entry_return_size;
531 last = g_list_last(table->entries);
534 * An empty chain is composed of:
535 * - A head entry, with no match and an error target.
536 * The error target data is the chain name.
537 * - A tail entry, with no match and a standard target.
538 * The standard target verdict is XT_RETURN (return to the
543 entry_head_size = sizeof(struct ipt_entry) +
544 sizeof(struct error_target);
545 entry_head = g_try_malloc0(entry_head_size);
546 if (entry_head == NULL)
549 memset(entry_head, 0, entry_head_size);
551 entry_head->target_offset = sizeof(struct ipt_entry);
552 entry_head->next_offset = entry_head_size;
554 error = (struct error_target *) entry_head->elems;
555 strcpy(error->t.u.user.name, IPT_ERROR_TARGET);
556 error->t.u.user.target_size = ALIGN(sizeof(struct error_target));
557 strcpy(error->error, name);
559 if (iptables_add_entry(table, entry_head, last, -1) < 0)
563 entry_return_size = sizeof(struct ipt_entry) +
564 sizeof(struct ipt_standard_target);
565 entry_return = g_try_malloc0(entry_return_size);
566 if (entry_return == NULL)
569 memset(entry_return, 0, entry_return_size);
571 entry_return->target_offset = sizeof(struct ipt_entry);
572 entry_return->next_offset = entry_return_size;
574 standard = (struct ipt_standard_target *) entry_return->elems;
575 standard->target.u.user.target_size =
576 ALIGN(sizeof(struct ipt_standard_target));
577 standard->verdict = XT_RETURN;
579 if (iptables_add_entry(table, entry_return, last, -1) < 0)
585 g_free(entry_return);
592 static int iptables_delete_chain(struct connman_iptables *table,
595 struct connman_iptables_entry *entry;
596 GList *chain_head, *chain_tail;
598 chain_head = find_chain_head(table, name);
599 if (chain_head == NULL)
602 entry = chain_head->data;
604 /* We cannot remove builtin chain */
605 if (entry->builtin >= 0)
608 chain_tail = find_chain_tail(table, name);
609 if (chain_tail == NULL)
612 /* Chain must be flushed */
613 if (chain_head->next != chain_tail->prev)
616 remove_table_entry(table, entry);
618 entry = chain_tail->prev->data;
619 remove_table_entry(table, entry);
621 update_offsets(table);
626 static struct ipt_entry *new_rule(struct ipt_ip *ip,
627 const char *target_name, struct xtables_target *xt_t,
628 struct xtables_rule_match *xt_rm)
630 struct xtables_rule_match *tmp_xt_rm;
631 struct ipt_entry *new_entry;
632 size_t match_size, target_size;
635 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL; tmp_xt_rm = tmp_xt_rm->next)
636 match_size += tmp_xt_rm->match->m->u.match_size;
639 target_size = ALIGN(xt_t->t->u.target_size);
641 target_size = ALIGN(sizeof(struct xt_standard_target));
643 new_entry = g_try_malloc0(sizeof(struct ipt_entry) + target_size +
645 if (new_entry == NULL)
648 memcpy(&new_entry->ip, ip, sizeof(struct ipt_ip));
650 new_entry->target_offset = sizeof(struct ipt_entry) + match_size;
651 new_entry->next_offset = sizeof(struct ipt_entry) + target_size +
655 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
656 tmp_xt_rm = tmp_xt_rm->next) {
657 memcpy(new_entry->elems + match_size, tmp_xt_rm->match->m,
658 tmp_xt_rm->match->m->u.match_size);
659 match_size += tmp_xt_rm->match->m->u.match_size;
663 struct xt_entry_target *entry_target;
665 entry_target = ipt_get_target(new_entry);
666 memcpy(entry_target, xt_t->t, target_size);
672 static void update_hooks(struct connman_iptables *table, GList *chain_head,
673 struct ipt_entry *entry)
676 struct connman_iptables_entry *head, *e;
679 if (chain_head == NULL)
682 head = chain_head->data;
684 builtin = head->builtin;
688 table->underflow[builtin] += entry->next_offset;
690 for (list = chain_head->next; list; list = list->next) {
693 builtin = e->builtin;
697 table->hook_entry[builtin] += entry->next_offset;
698 table->underflow[builtin] += entry->next_offset;
702 static struct ipt_entry *prepare_rule_inclusion(struct connman_iptables *table,
703 struct ipt_ip *ip, const char *chain_name,
704 const char *target_name,
705 struct xtables_target *xt_t,
706 int *builtin, struct xtables_rule_match *xt_rm)
708 GList *chain_tail, *chain_head;
709 struct ipt_entry *new_entry;
710 struct connman_iptables_entry *head;
712 chain_head = find_chain_head(table, chain_name);
713 if (chain_head == NULL)
716 chain_tail = find_chain_tail(table, chain_name);
717 if (chain_tail == NULL)
720 new_entry = new_rule(ip, target_name, xt_t, xt_rm);
721 if (new_entry == NULL)
724 update_hooks(table, chain_head, new_entry);
727 * If the chain is builtin, and does not have any rule,
728 * then the one that we're inserting is becoming the head
729 * and thus needs the builtin flag.
731 head = chain_head->data;
732 if (head->builtin < 0)
734 else if (chain_head == chain_tail->prev) {
735 *builtin = head->builtin;
742 static int iptables_append_rule(struct connman_iptables *table,
743 struct ipt_ip *ip, char *chain_name,
744 char *target_name, struct xtables_target *xt_t,
745 struct xtables_rule_match *xt_rm)
748 struct ipt_entry *new_entry;
749 int builtin = -1, ret;
753 chain_tail = find_chain_tail(table, chain_name);
754 if (chain_tail == NULL)
757 new_entry = prepare_rule_inclusion(table, ip, chain_name,
758 target_name, xt_t, &builtin, xt_rm);
759 if (new_entry == NULL)
762 ret = iptables_add_entry(table, new_entry, chain_tail->prev, builtin);
769 static int iptables_insert_rule(struct connman_iptables *table,
770 struct ipt_ip *ip, const char *chain_name,
771 const char *target_name,
772 struct xtables_target *xt_t,
773 struct xtables_rule_match *xt_rm)
775 struct ipt_entry *new_entry;
776 int builtin = -1, ret;
779 chain_head = find_chain_head(table, chain_name);
780 if (chain_head == NULL)
783 new_entry = prepare_rule_inclusion(table, ip, chain_name,
784 target_name, xt_t, &builtin, xt_rm);
785 if (new_entry == NULL)
789 chain_head = chain_head->next;
791 ret = iptables_add_entry(table, new_entry, chain_head, builtin);
798 static gboolean is_same_ipt_entry(struct ipt_entry *i_e1,
799 struct ipt_entry *i_e2)
801 if (memcmp(&i_e1->ip, &i_e2->ip, sizeof(struct ipt_ip)) != 0)
804 if (i_e1->target_offset != i_e2->target_offset)
807 if (i_e1->next_offset != i_e2->next_offset)
813 static gboolean is_same_target(struct xt_entry_target *xt_e_t1,
814 struct xt_entry_target *xt_e_t2)
816 if (xt_e_t1 == NULL || xt_e_t2 == NULL)
819 if (strcmp(xt_e_t1->u.user.name, IPT_STANDARD_TARGET) == 0) {
820 struct xt_standard_target *xt_s_t1;
821 struct xt_standard_target *xt_s_t2;
823 xt_s_t1 = (struct xt_standard_target *) xt_e_t1;
824 xt_s_t2 = (struct xt_standard_target *) xt_e_t2;
826 if (xt_s_t1->verdict != xt_s_t2->verdict)
829 if (xt_e_t1->u.target_size != xt_e_t2->u.target_size)
832 if (strcmp(xt_e_t1->u.user.name, xt_e_t2->u.user.name) != 0)
839 static gboolean is_same_match(struct xt_entry_match *xt_e_m1,
840 struct xt_entry_match *xt_e_m2)
842 if (xt_e_m1 == NULL || xt_e_m2 == NULL)
845 if (xt_e_m1->u.match_size != xt_e_m2->u.match_size)
848 if (xt_e_m1->u.user.revision != xt_e_m2->u.user.revision)
851 if (strcmp(xt_e_m1->u.user.name, xt_e_m2->u.user.name) != 0)
857 static GList *find_existing_rule(struct connman_iptables *table,
858 struct ipt_ip *ip, const char *chain_name,
859 const char *target_name,
860 struct xtables_target *xt_t,
861 struct xtables_match *xt_m,
862 struct xtables_rule_match *xt_rm)
864 GList *chain_tail, *chain_head, *list;
865 struct xt_entry_target *xt_e_t = NULL;
866 struct xt_entry_match *xt_e_m = NULL;
867 struct connman_iptables_entry *entry;
868 struct ipt_entry *entry_test;
871 chain_head = find_chain_head(table, chain_name);
872 if (chain_head == NULL)
875 chain_tail = find_chain_tail(table, chain_name);
876 if (chain_tail == NULL)
882 entry_test = new_rule(ip, target_name, xt_t, xt_rm);
883 if (entry_test == NULL)
887 xt_e_t = ipt_get_target(entry_test);
889 xt_e_m = (struct xt_entry_match *)entry_test->elems;
891 entry = chain_head->data;
892 builtin = entry->builtin;
897 list = chain_head->next;
899 for (; list != chain_tail->prev; list = list->next) {
900 struct connman_iptables_entry *tmp;
901 struct ipt_entry *tmp_e;
906 if (is_same_ipt_entry(entry_test, tmp_e) == FALSE)
910 struct xt_entry_target *tmp_xt_e_t;
912 tmp_xt_e_t = ipt_get_target(tmp_e);
914 if (!is_same_target(tmp_xt_e_t, xt_e_t))
919 struct xt_entry_match *tmp_xt_e_m;
921 tmp_xt_e_m = (struct xt_entry_match *)tmp_e->elems;
923 if (!is_same_match(tmp_xt_e_m, xt_e_m))
932 if (list != chain_tail->prev)
938 static int iptables_delete_rule(struct connman_iptables *table,
939 struct ipt_ip *ip, const char *chain_name,
940 const char *target_name,
941 struct xtables_target *xt_t,
942 struct xtables_match *xt_m,
943 struct xtables_rule_match *xt_rm)
945 struct connman_iptables_entry *entry;
946 GList *chain_tail, *list;
947 int builtin, removed;
951 chain_tail = find_chain_tail(table, chain_name);
952 if (chain_tail == NULL)
955 list = find_existing_rule(table, ip, chain_name, target_name,
964 builtin = entry->builtin;
966 /* We have deleted a rule,
967 * all references should be bumped accordingly */
968 if (list->next != NULL)
969 update_targets_reference(table, list->next->data,
972 removed += remove_table_entry(table, entry);
978 entry->builtin = builtin;
981 table->underflow[builtin] -= removed;
982 for (list = chain_tail; list; list = list->next) {
985 builtin = entry->builtin;
989 table->hook_entry[builtin] -= removed;
990 table->underflow[builtin] -= removed;
994 update_offsets(table);
999 static int iptables_compare_rule(struct connman_iptables *table,
1000 struct ipt_ip *ip, const char *chain_name,
1001 const char *target_name,
1002 struct xtables_target *xt_t,
1003 struct xtables_match *xt_m,
1004 struct xtables_rule_match *xt_rm)
1006 struct connman_iptables_entry *entry;
1009 found = find_existing_rule(table, ip, chain_name, target_name,
1014 entry = found->data;
1022 static int iptables_change_policy(struct connman_iptables *table,
1023 const char *chain_name, const char *policy)
1026 struct connman_iptables_entry *entry;
1027 struct xt_entry_target *target;
1028 struct xt_standard_target *t;
1031 verdict = target_to_verdict(policy);
1035 chain_head = find_chain_head(table, chain_name);
1036 if (chain_head == NULL)
1039 entry = chain_head->data;
1040 if (entry->builtin < 0)
1043 target = ipt_get_target(entry->entry);
1045 t = (struct xt_standard_target *)target;
1046 t->verdict = verdict;
1051 static struct ipt_replace *iptables_blob(struct connman_iptables *table)
1053 struct ipt_replace *r;
1055 struct connman_iptables_entry *e;
1056 unsigned char *entry_index;
1058 r = g_try_malloc0(sizeof(struct ipt_replace) + table->size);
1062 memset(r, 0, sizeof(*r) + table->size);
1064 r->counters = g_try_malloc0(sizeof(struct xt_counters)
1065 * table->old_entries);
1066 if (r->counters == NULL) {
1071 strcpy(r->name, table->info->name);
1072 r->num_entries = table->num_entries;
1073 r->size = table->size;
1075 r->num_counters = table->old_entries;
1076 r->valid_hooks = table->info->valid_hooks;
1078 memcpy(r->hook_entry, table->hook_entry, sizeof(table->hook_entry));
1079 memcpy(r->underflow, table->underflow, sizeof(table->underflow));
1081 entry_index = (unsigned char *)r->entries;
1082 for (list = table->entries; list; list = list->next) {
1085 memcpy(entry_index, e->entry, e->entry->next_offset);
1086 entry_index += e->entry->next_offset;
1092 static void dump_ip(struct ipt_entry *entry)
1094 struct ipt_ip *ip = &entry->ip;
1095 char ip_string[INET6_ADDRSTRLEN];
1096 char ip_mask[INET6_ADDRSTRLEN];
1098 if (strlen(ip->iniface))
1099 connman_info("\tin %s", ip->iniface);
1101 if (strlen(ip->outiface))
1102 connman_info("\tout %s", ip->outiface);
1104 if (inet_ntop(AF_INET, &ip->src, ip_string, INET6_ADDRSTRLEN) != NULL &&
1105 inet_ntop(AF_INET, &ip->smsk,
1106 ip_mask, INET6_ADDRSTRLEN) != NULL)
1107 connman_info("\tsrc %s/%s", ip_string, ip_mask);
1109 if (inet_ntop(AF_INET, &ip->dst, ip_string, INET6_ADDRSTRLEN) != NULL &&
1110 inet_ntop(AF_INET, &ip->dmsk,
1111 ip_mask, INET6_ADDRSTRLEN) != NULL)
1112 connman_info("\tdst %s/%s", ip_string, ip_mask);
1115 static void dump_target(struct ipt_entry *entry)
1118 struct xtables_target *xt_t;
1119 struct xt_entry_target *target;
1121 target = ipt_get_target(entry);
1123 if (!strcmp(target->u.user.name, IPT_STANDARD_TARGET)) {
1124 struct xt_standard_target *t;
1126 t = (struct xt_standard_target *)target;
1128 switch (t->verdict) {
1130 connman_info("\ttarget RETURN");
1133 case -NF_ACCEPT - 1:
1134 connman_info("\ttarget ACCEPT");
1138 connman_info("\ttarget DROP");
1142 connman_info("\ttarget QUEUE");
1146 connman_info("\ttarget STOP");
1150 connman_info("\tJUMP (0x%x)", t->verdict);
1154 xt_t = xtables_find_target(IPT_STANDARD_TARGET,
1155 XTF_LOAD_MUST_SUCCEED);
1157 if(xt_t->print != NULL)
1158 xt_t->print(NULL, target, 1);
1160 xt_t = xtables_find_target(target->u.user.name, XTF_TRY_LOAD);
1162 connman_info("\ttarget %s", target->u.user.name);
1166 if(xt_t->print != NULL) {
1167 connman_info("\ttarget ");
1168 xt_t->print(NULL, target, 1);
1173 static void dump_match(struct ipt_entry *entry)
1175 struct xtables_match *xt_m;
1176 struct xt_entry_match *match;
1178 if (entry->elems == (unsigned char *)entry + entry->target_offset)
1181 match = (struct xt_entry_match *) entry->elems;
1183 if (!strlen(match->u.user.name))
1186 xt_m = xtables_find_match(match->u.user.name, XTF_TRY_LOAD, NULL);
1190 if(xt_m->print != NULL) {
1191 connman_info("\tmatch ");
1192 xt_m->print(NULL, match, 1);
1198 connman_info("\tmatch %s", match->u.user.name);
1202 static int dump_entry(struct ipt_entry *entry, int builtin,
1203 unsigned int hook, size_t size, unsigned int offset,
1206 struct xt_entry_target *target;
1208 target = ipt_get_target(entry);
1210 if (offset + entry->next_offset == size) {
1211 connman_info("End of CHAIN 0x%x", offset);
1215 if (!strcmp(target->u.user.name, IPT_ERROR_TARGET)) {
1216 connman_info("USER CHAIN (%s) %p match %p target %p size %d",
1217 target->data, entry, entry->elems,
1218 (char *)entry + entry->target_offset,
1219 entry->next_offset);
1222 } else if (builtin >= 0) {
1223 connman_info("CHAIN (%s) %p match %p target %p size %d",
1224 hooknames[builtin], entry, entry->elems,
1225 (char *)entry + entry->target_offset,
1226 entry->next_offset);
1228 connman_info("RULE %p match %p target %p size %d", entry,
1230 (char *)entry + entry->target_offset,
1231 entry->next_offset);
1241 static void iptables_dump(struct connman_iptables *table)
1243 connman_info("%s valid_hooks=0x%08x, num_entries=%u, size=%u",
1245 table->info->valid_hooks, table->info->num_entries,
1248 iterate_entries(table->blob_entries->entrytable,
1249 table->info->valid_hooks,
1250 table->info->hook_entry,
1251 table->blob_entries->size,
1256 static int iptables_get_entries(struct connman_iptables *table)
1258 socklen_t entry_size;
1260 entry_size = sizeof(struct ipt_get_entries) + table->info->size;
1262 return getsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_GET_ENTRIES,
1263 table->blob_entries, &entry_size);
1266 static int iptables_replace(struct connman_iptables *table,
1267 struct ipt_replace *r)
1269 return setsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_SET_REPLACE, r,
1270 sizeof(*r) + r->size);
1273 static int add_entry(struct ipt_entry *entry, int builtin, unsigned int hook,
1274 size_t size, unsigned offset, void *user_data)
1276 struct connman_iptables *table = user_data;
1277 struct ipt_entry *new_entry;
1279 new_entry = g_try_malloc0(entry->next_offset);
1280 if (new_entry == NULL)
1283 memcpy(new_entry, entry, entry->next_offset);
1285 return iptables_add_entry(table, new_entry, NULL, builtin);
1288 static void table_cleanup(struct connman_iptables *table)
1291 struct connman_iptables_entry *entry;
1296 if (table->ipt_sock >= 0)
1297 close(table->ipt_sock);
1299 for (list = table->entries; list; list = list->next) {
1302 g_free(entry->entry);
1306 g_list_free(table->entries);
1307 g_free(table->info);
1308 g_free(table->blob_entries);
1312 static struct connman_iptables *iptables_init(const char *table_name)
1314 struct connman_iptables *table = NULL;
1315 char *module = NULL;
1318 if (table_name == NULL)
1319 table_name = "filter";
1321 DBG("%s", table_name);
1323 if (xtables_insmod("ip_tables", NULL, TRUE) != 0)
1324 DBG("ip_tables module loading gives error but trying anyway");
1326 module = g_strconcat("iptable_", table_name, NULL);
1330 if (xtables_insmod(module, NULL, TRUE) != 0)
1331 DBG("%s module loading gives error but trying anyway", module);
1335 table = g_hash_table_lookup(table_hash, table_name);
1339 table = g_try_new0(struct connman_iptables, 1);
1343 table->info = g_try_new0(struct ipt_getinfo, 1);
1344 if (table->info == NULL)
1347 table->ipt_sock = socket(AF_INET, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_RAW);
1348 if (table->ipt_sock < 0)
1351 s = sizeof(*table->info);
1352 strcpy(table->info->name, table_name);
1353 if (getsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_GET_INFO,
1354 table->info, &s) < 0) {
1355 connman_error("iptables support missing error %d (%s)", errno,
1360 table->blob_entries = g_try_malloc0(sizeof(struct ipt_get_entries) +
1362 if (table->blob_entries == NULL)
1365 strcpy(table->blob_entries->name, table_name);
1366 table->blob_entries->size = table->info->size;
1368 if (iptables_get_entries(table) < 0)
1371 table->num_entries = 0;
1372 table->old_entries = table->info->num_entries;
1375 memcpy(table->underflow, table->info->underflow,
1376 sizeof(table->info->underflow));
1377 memcpy(table->hook_entry, table->info->hook_entry,
1378 sizeof(table->info->hook_entry));
1380 iterate_entries(table->blob_entries->entrytable,
1381 table->info->valid_hooks, table->info->hook_entry,
1382 table->blob_entries->size, add_entry, table);
1384 g_hash_table_insert(table_hash, g_strdup(table_name), table);
1389 table_cleanup(table);
1394 static struct option iptables_opts[] = {
1395 {.name = "append", .has_arg = 1, .val = 'A'},
1396 {.name = "compare", .has_arg = 1, .val = 'C'},
1397 {.name = "delete", .has_arg = 1, .val = 'D'},
1398 {.name = "flush-chain", .has_arg = 1, .val = 'F'},
1399 {.name = "insert", .has_arg = 1, .val = 'I'},
1400 {.name = "list", .has_arg = 2, .val = 'L'},
1401 {.name = "new-chain", .has_arg = 1, .val = 'N'},
1402 {.name = "policy", .has_arg = 1, .val = 'P'},
1403 {.name = "delete-chain", .has_arg = 1, .val = 'X'},
1404 {.name = "destination", .has_arg = 1, .val = 'd'},
1405 {.name = "in-interface", .has_arg = 1, .val = 'i'},
1406 {.name = "jump", .has_arg = 1, .val = 'j'},
1407 {.name = "match", .has_arg = 1, .val = 'm'},
1408 {.name = "out-interface", .has_arg = 1, .val = 'o'},
1409 {.name = "source", .has_arg = 1, .val = 's'},
1410 {.name = "table", .has_arg = 1, .val = 't'},
1414 struct xtables_globals iptables_globals = {
1416 .opts = iptables_opts,
1417 .orig_opts = iptables_opts,
1420 static struct xtables_target *prepare_target(struct connman_iptables *table,
1421 const char *target_name)
1423 struct xtables_target *xt_t = NULL;
1424 gboolean is_builtin, is_user_defined;
1425 GList *chain_head = NULL;
1429 is_user_defined = FALSE;
1431 if (is_builtin_target(target_name))
1434 chain_head = find_chain_head(table, target_name);
1435 if (chain_head != NULL && chain_head->next != NULL)
1436 is_user_defined = TRUE;
1439 if (is_builtin || is_user_defined)
1440 xt_t = xtables_find_target(IPT_STANDARD_TARGET,
1441 XTF_LOAD_MUST_SUCCEED);
1443 xt_t = xtables_find_target(target_name, XTF_TRY_LOAD);
1448 target_size = ALIGN(sizeof(struct ipt_entry_target)) + xt_t->size;
1450 xt_t->t = g_try_malloc0(target_size);
1451 if (xt_t->t == NULL)
1454 xt_t->t->u.target_size = target_size;
1456 if (is_builtin || is_user_defined) {
1457 struct xt_standard_target *target;
1459 target = (struct xt_standard_target *)(xt_t->t);
1460 strcpy(target->target.u.user.name, IPT_STANDARD_TARGET);
1462 if (is_builtin == TRUE)
1463 target->verdict = target_to_verdict(target_name);
1464 else if (is_user_defined == TRUE) {
1465 struct connman_iptables_entry *target_rule;
1467 if (chain_head == NULL) {
1472 target_rule = chain_head->next->data;
1473 target->verdict = target_rule->offset;
1476 strcpy(xt_t->t->u.user.name, target_name);
1477 xt_t->t->u.user.revision = xt_t->revision;
1478 if (xt_t->init != NULL)
1479 xt_t->init(xt_t->t);
1482 #if XTABLES_VERSION_CODE > 5
1483 if (xt_t->x6_options != NULL)
1484 iptables_globals.opts =
1485 xtables_options_xfrm(
1486 iptables_globals.orig_opts,
1487 iptables_globals.opts,
1489 &xt_t->option_offset);
1492 iptables_globals.opts =
1493 xtables_merge_options(
1494 #if XTABLES_VERSION_CODE > 5
1495 iptables_globals.orig_opts,
1497 iptables_globals.opts,
1499 &xt_t->option_offset);
1501 if (iptables_globals.opts == NULL) {
1509 static struct xtables_match *prepare_matches(struct connman_iptables *table,
1510 struct xtables_rule_match **xt_rm,
1511 const char *match_name)
1513 struct xtables_match *xt_m;
1516 if (match_name == NULL)
1519 xt_m = xtables_find_match(match_name, XTF_LOAD_MUST_SUCCEED, xt_rm);
1520 match_size = ALIGN(sizeof(struct ipt_entry_match)) + xt_m->size;
1522 xt_m->m = g_try_malloc0(match_size);
1523 if (xt_m->m == NULL)
1526 xt_m->m->u.match_size = match_size;
1527 strcpy(xt_m->m->u.user.name, xt_m->name);
1528 xt_m->m->u.user.revision = xt_m->revision;
1530 if (xt_m->init != NULL)
1531 xt_m->init(xt_m->m);
1533 if (xt_m == xt_m->next)
1536 #if XTABLES_VERSION_CODE > 5
1537 if (xt_m->x6_options != NULL)
1538 iptables_globals.opts =
1539 xtables_options_xfrm(
1540 iptables_globals.orig_opts,
1541 iptables_globals.opts,
1543 &xt_m->option_offset);
1546 iptables_globals.opts =
1547 xtables_merge_options(
1548 #if XTABLES_VERSION_CODE > 5
1549 iptables_globals.orig_opts,
1551 iptables_globals.opts,
1553 &xt_m->option_offset);
1555 if (iptables_globals.opts == NULL) {
1564 static int parse_ip_and_mask(const char *str, struct in_addr *ip, struct in_addr *mask)
1567 uint32_t prefixlength;
1571 tokens = g_strsplit(str, "/", 2);
1575 if (!inet_pton(AF_INET, tokens[0], ip)) {
1580 if (tokens[1] != NULL) {
1581 prefixlength = strtol(tokens[1], NULL, 10);
1582 if (prefixlength > 31) {
1587 tmp = ~(0xffffffff >> prefixlength);
1592 mask->s_addr = htonl(tmp);
1593 ip->s_addr = ip->s_addr & mask->s_addr;
1601 static struct connman_iptables *pre_load_table(const char *table_name,
1602 struct connman_iptables *table)
1607 return iptables_init(table_name);
1610 static void clear_tables_flags(void)
1612 struct xtables_match *xt_m;
1613 struct xtables_target *xt_t;
1616 * Clear all flags because the flags are only valid
1619 for (xt_m = xtables_matches; xt_m != NULL; xt_m = xt_m->next)
1622 for (xt_t = xtables_targets; xt_t != NULL; xt_t = xt_t->next) {
1628 static int iptables_command(int argc, char *argv[])
1630 struct connman_iptables *table;
1631 struct xtables_rule_match *xt_rm, *tmp_xt_rm;
1632 struct xtables_match *xt_m, *xt_m_t;
1633 struct xtables_target *xt_t;
1635 char *table_name, *chain, *new_chain, *match_name, *target_name;
1636 char *flush_chain, *delete_chain, *policy;
1637 int c, ret, in_len, out_len;
1638 gboolean dump, invert, insert, delete, compare;
1648 chain = new_chain = match_name = target_name = NULL;
1649 flush_chain = delete_chain = policy = table_name = NULL;
1650 memset(&ip, 0, sizeof(struct ipt_ip));
1655 /* Default code for options parsing */
1658 clear_tables_flags();
1660 /* extension's options will generate false-positives errors */
1665 while ((c = getopt_long(argc, argv,
1666 "-A:C:D:F:I:L::N:P:X:d:j:i:m:o:s:t:",
1667 iptables_globals.opts, NULL)) != -1) {
1670 /* It is either -A, -C, -D or -I at once */
1678 /* It is either -A, -C, -D or -I at once */
1687 /* It is either -A, -C, -D or -I at once */
1696 flush_chain = optarg;
1700 /* It is either -A, -C, -D or -I at once */
1719 policy = argv[optind++];
1726 delete_chain = optarg;
1730 if (!parse_ip_and_mask(optarg, &ip.dst, &ip.dmsk))
1734 ip.invflags |= IPT_INV_DSTIP;
1739 in_len = strlen(optarg);
1741 if (in_len + 1 > IFNAMSIZ)
1744 strcpy(ip.iniface, optarg);
1745 memset(ip.iniface_mask, 0xff, in_len + 1);
1748 ip.invflags |= IPT_INV_VIA_IN;
1753 target_name = optarg;
1755 table = pre_load_table(table_name, table);
1759 xt_t = prepare_target(table, target_name);
1766 match_name = optarg;
1768 table = pre_load_table(table_name, table);
1772 xt_m = prepare_matches(table, &xt_rm, match_name);
1779 out_len = strlen(optarg);
1781 if (out_len + 1 > IFNAMSIZ)
1784 strcpy(ip.outiface, optarg);
1785 memset(ip.outiface_mask, 0xff, out_len + 1);
1788 ip.invflags |= IPT_INV_VIA_OUT;
1793 if (!parse_ip_and_mask(optarg, &ip.src, &ip.smsk))
1797 ip.invflags |= IPT_INV_SRCIP;
1802 table_name = optarg;
1804 table = pre_load_table(table_name, table);
1811 if (optarg[0] == '!' && optarg[1] == '\0') {
1817 connman_error("Invalid option");
1822 #if XTABLES_VERSION_CODE > 5
1823 if (xt_t != NULL && (xt_t->x6_parse != NULL ||
1824 xt_t->parse != NULL) &&
1825 (c >= (int) xt_t->option_offset &&
1826 c < (int) xt_t->option_offset +
1827 XT_OPTION_OFFSET_SCALE)) {
1828 xtables_option_tpcall(c, argv,
1829 invert, xt_t, NULL);
1834 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
1835 tmp_xt_rm = tmp_xt_rm->next) {
1836 xt_m_t = tmp_xt_rm->match;
1838 if (tmp_xt_rm->completed ||
1839 (xt_m_t->x6_parse == NULL &&
1840 xt_m_t->parse == NULL))
1843 if (c < (int) xt_m_t->option_offset ||
1844 c >= (int) xt_m_t->option_offset
1845 + XT_OPTION_OFFSET_SCALE)
1848 xtables_option_mpcall(c, argv,
1849 invert, xt_m_t, NULL);
1854 if (xt_t == NULL || xt_t->parse == NULL ||
1855 !xt_t->parse(c - xt_t->option_offset,
1856 argv, invert, &xt_t->tflags, NULL, &xt_t->t)) {
1858 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
1859 tmp_xt_rm = tmp_xt_rm->next) {
1860 xt_m_t = tmp_xt_rm->match;
1862 if (tmp_xt_rm->completed ||
1863 xt_m_t->parse == NULL)
1866 if (xt_m->parse(c - xt_m->option_offset,
1867 argv, invert, &xt_m->mflags,
1879 #if XTABLES_VERSION_CODE > 5
1880 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
1881 tmp_xt_rm = tmp_xt_rm->next)
1882 xtables_option_mfcall(tmp_xt_rm->match);
1885 xtables_option_tfcall(xt_t);
1887 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
1888 tmp_xt_rm = tmp_xt_rm->next)
1889 if (tmp_xt_rm->match->final_check != NULL)
1890 tmp_xt_rm->match->final_check(
1891 tmp_xt_rm->match->mflags);
1893 if (xt_t != NULL && xt_t->final_check != NULL)
1894 xt_t->final_check(xt_t->tflags);
1897 table = pre_load_table(table_name, table);
1901 /* Option parsing went fine, falling back to succes code */
1904 if (delete_chain != NULL) {
1905 printf("Delete chain %s\n", delete_chain);
1907 iptables_delete_chain(table, delete_chain);
1913 iptables_dump(table);
1919 DBG("Flush chain %s", flush_chain);
1921 iptables_flush_chain(table, flush_chain);
1926 if (chain && new_chain) {
1932 DBG("New chain %s", new_chain);
1934 ret = iptables_add_chain(table, new_chain);
1939 if (policy != NULL) {
1940 printf("Changing policy of %s to %s\n", chain, policy);
1942 iptables_change_policy(table, chain, policy);
1950 if (compare == TRUE) {
1951 ret = iptables_compare_rule(table, &ip, chain,
1952 target_name, xt_t, xt_m, xt_rm);
1956 if (delete == TRUE) {
1957 DBG("Deleting %s to %s (match %s)\n",
1958 target_name, chain, match_name);
1960 ret = iptables_delete_rule(table, &ip, chain,
1961 target_name, xt_t, xt_m, xt_rm);
1966 if (insert == TRUE) {
1967 DBG("Inserting %s to %s (match %s)",
1968 target_name, chain, match_name);
1970 ret = iptables_insert_rule(table, &ip, chain,
1971 target_name, xt_t, xt_rm);
1975 DBG("Adding %s to %s (match %s)",
1976 target_name, chain, match_name);
1978 ret = iptables_append_rule(table, &ip, chain,
1979 target_name, xt_t, xt_rm);
1995 int __connman_iptables_command(const char *format, ...)
1997 char **argv, **arguments, *command;
2004 va_start(args, format);
2006 command = g_strdup_vprintf(format, args);
2010 if (command == NULL)
2013 arguments = g_strsplit_set(command, " ", -1);
2015 for (argc = 0; arguments[argc]; argc++);
2018 DBG("command %s argc %d", command, argc);
2020 argv = g_try_malloc0(argc * sizeof(char *));
2023 g_strfreev(arguments);
2027 argv[0] = "iptables";
2028 for (i = 1; i < argc; i++)
2029 argv[i] = arguments[i - 1];
2031 ret = iptables_command(argc, argv);
2034 g_strfreev(arguments);
2041 int __connman_iptables_commit(const char *table_name)
2043 struct connman_iptables *table;
2044 struct ipt_replace *repl;
2047 DBG("%s", table_name);
2049 table = g_hash_table_lookup(table_hash, table_name);
2053 repl = iptables_blob(table);
2055 err = iptables_replace(table, repl);
2057 g_free(repl->counters);
2063 g_hash_table_remove(table_hash, table_name);
2068 static void remove_table(gpointer user_data)
2070 struct connman_iptables *table = user_data;
2072 table_cleanup(table);
2075 int __connman_iptables_init(void)
2079 table_hash = g_hash_table_new_full(g_str_hash, g_str_equal,
2080 g_free, remove_table);
2082 xtables_init_all(&iptables_globals, NFPROTO_IPV4);
2088 void __connman_iptables_cleanup(void)
2092 g_hash_table_destroy(table_hash);
2094 xtables_free_opts(1);