iptables-test: Support for user defined chain jumps
[platform/upstream/connman.git] / tools / iptables-test.c
1 /*
2  *  Connection Manager
3  *
4  *  Copyright (C) 2007-2010  Intel Corporation. All rights reserved.
5  *
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License version 2 as
8  *  published by the Free Software Foundation.
9  *
10  *  This program is distributed in the hope that it will be useful,
11  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
12  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  *  GNU General Public License for more details.
14  *
15  *  You should have received a copy of the GNU General Public License
16  *  along with this program; if not, write to the Free Software
17  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
18  *
19  */
20
21 #include <getopt.h>
22 #include <stdlib.h>
23 #include <stdio.h>
24 #include <string.h>
25 #include <unistd.h>
26 #include <sys/errno.h>
27 #include <sys/socket.h>
28 #include <xtables.h>
29
30 #include <linux/netfilter_ipv4/ip_tables.h>
31
32 #include <glib.h>
33
34 static const char *hooknames[] = {
35         [NF_IP_PRE_ROUTING]     = "PREROUTING",
36         [NF_IP_LOCAL_IN]        = "INPUT",
37         [NF_IP_FORWARD]         = "FORWARD",
38         [NF_IP_LOCAL_OUT]       = "OUTPUT",
39         [NF_IP_POST_ROUTING]    = "POSTROUTING",
40 };
41
42 #define LABEL_ACCEPT  "ACCEPT"
43 #define LABEL_DROP    "DROP"
44 #define LABEL_QUEUE   "QUEUE"
45 #define LABEL_RETURN  "RETURN"
46
47 /* fn returns 0 to continue iteration */
48 #define _XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
49 ({                                                              \
50         unsigned int __i;                                       \
51         int __n;                                                \
52         int __ret = 0;                                          \
53         type *__entry;                                          \
54                                                                 \
55         for (__i = 0, __n = 0; __i < (size);                    \
56              __i += __entry->next_offset, __n++) {              \
57                 __entry = (void *)(entries) + __i;              \
58                 if (__n < n)                                    \
59                         continue;                               \
60                                                                 \
61                 __ret = fn(__entry,  ## args);                  \
62                 if (__ret != 0)                                 \
63                         break;                                  \
64         }                                                       \
65         __ret;                                                  \
66 })
67
68 /* fn returns 0 to continue iteration */
69 #define _XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
70         _XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
71
72 #define ENTRY_ITERATE(entries, size, fn, args...) \
73         _XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
74
75 #define MIN_ALIGN (__alignof__(struct ipt_entry))
76
77 #define ALIGN(s) (((s) + ((MIN_ALIGN)-1)) & ~((MIN_ALIGN)-1))
78
79 struct ipt_error_target {
80         struct xt_entry_target t;
81         char error[IPT_TABLE_MAXNAMELEN];
82 };
83
84 struct connman_iptables_entry {
85         int offset;
86
87         struct ipt_entry *entry;
88 };
89
90 struct connman_iptables {
91         int ipt_sock;
92
93         struct ipt_getinfo *info;
94         struct ipt_get_entries *blob_entries;
95
96         unsigned int num_entries;
97         unsigned int old_entries;
98         unsigned int size;
99
100         GList *entries;
101 };
102
103
104 static struct ipt_entry *get_entry(struct connman_iptables *table,
105                                         unsigned int offset)
106 {
107         return (struct ipt_entry *)((char *)table->blob_entries->entrytable +
108                                                                         offset);
109 }
110
111 static int is_hook_entry(struct connman_iptables *table,
112                                 struct ipt_entry *entry)
113 {
114         unsigned int i;
115
116         for (i = 0; i < NF_INET_NUMHOOKS; i++) {
117                 if ((table->info->valid_hooks & (1 << i))
118                 && get_entry(table, table->info->hook_entry[i]) == entry)
119                         return i;
120         }
121
122         return -1;
123 }
124
125 static unsigned long entry_to_offset(struct connman_iptables *table,
126                                         struct ipt_entry *entry)
127 {
128         return (void *)entry - (void *)table->blob_entries->entrytable;
129 }
130
131 static int target_to_verdict(char *target_name)
132 {
133         if (!strcmp(target_name, LABEL_ACCEPT))
134                 return -NF_ACCEPT - 1;
135
136         if (!strcmp(target_name, LABEL_DROP))
137                 return -NF_DROP - 1;
138
139         if (!strcmp(target_name, LABEL_QUEUE))
140                 return -NF_QUEUE - 1;
141
142         if (!strcmp(target_name, LABEL_RETURN))
143                 return XT_RETURN;
144
145         return 0;
146 }
147
148 static gboolean is_builtin_target(char *target_name)
149 {
150         if (!strcmp(target_name, LABEL_ACCEPT) ||
151                 !strcmp(target_name, LABEL_DROP) ||
152                 !strcmp(target_name, LABEL_QUEUE) ||
153                 !strcmp(target_name, LABEL_RETURN))
154                 return TRUE;
155
156         return FALSE;
157 }
158
159 static gboolean is_jump(struct connman_iptables_entry *e)
160 {
161         struct xt_entry_target *target;
162
163         target = ipt_get_target(e->entry);
164
165         if (!strcmp(target->u.user.name, IPT_STANDARD_TARGET)) {
166                 struct xt_standard_target *t;
167
168                 t = (struct xt_standard_target *)target;
169
170                 switch (t->verdict) {
171                 case XT_RETURN:
172                 case -NF_ACCEPT - 1:
173                 case -NF_DROP - 1:
174                 case -NF_QUEUE - 1:
175                 case -NF_STOP - 1:
176                         return false;
177
178                 default:
179                         return true;
180                 }
181         }
182
183         return false;
184 }
185
186 static gboolean is_chain(struct connman_iptables *table,
187                                 struct connman_iptables_entry *e)
188 {
189         int builtin;
190         struct ipt_entry *entry;
191         struct xt_entry_target *target;
192
193         entry = e->entry;
194         builtin = is_hook_entry(table, entry);
195         if (builtin >= 0)
196                 return TRUE;
197
198         target = ipt_get_target(entry);
199         if (!strcmp(target->u.user.name, IPT_ERROR_TARGET))
200                 return TRUE;
201
202         return FALSE;
203 }
204
205 static GList *find_chain_head(struct connman_iptables *table,
206                                 char *chain_name)
207 {
208         GList *list;
209         struct connman_iptables_entry *head;
210         struct ipt_entry *entry;
211         struct xt_entry_target *target;
212         int builtin;
213
214         for (list = table->entries; list; list = list->next) {
215                 head = list->data;
216                 entry = head->entry;
217
218                 /* Buit-in chain */
219                 builtin = is_hook_entry(table, entry);
220                 if (builtin >= 0 && !strcmp(hooknames[builtin], chain_name))
221                         break;
222
223                 /* User defined chain */
224                 target = ipt_get_target(entry);
225                 if (!strcmp(target->u.user.name, IPT_ERROR_TARGET) &&
226                     !strcmp((char *)target->data, chain_name))
227                         break;
228         }
229
230         return list;
231 }
232
233 static GList *find_chain_tail(struct connman_iptables *table,
234                                 char *chain_name)
235 {
236         GList *chain_head, *list;
237         struct connman_iptables_entry *head, *tail;
238         struct ipt_entry *entry;
239         struct xt_entry_target *target;
240         int builtin;
241
242         /* First we look for the head */
243         for (list = table->entries; list; list = list->next) {
244                 head = list->data;
245                 entry = head->entry;
246
247                 /* Buit-in chain */
248                 builtin = is_hook_entry(table, entry);
249                 if (builtin >= 0 && !strcmp(hooknames[builtin], chain_name))
250                         break;
251
252                 /* User defined chain */
253                 target = ipt_get_target(entry);
254                 if (!strcmp(target->u.user.name, IPT_ERROR_TARGET) &&
255                     !strcmp((char *)target->data, chain_name))
256                         break;
257         }
258
259         if (list == NULL)
260                 return NULL;
261
262         chain_head = list;
263
264         /* Then we look for the next chain */
265         for (list = chain_head->next; list; list = list->next) {
266                 tail = list->data;
267                 entry = tail->entry;
268
269                 if (is_chain(table, tail))
270                         return list;
271         }
272
273         /* Nothing found, we return the table end */
274         return g_list_last(table->entries);
275 }
276
277 static void update_offsets(struct connman_iptables *table)
278 {
279         GList *list, *prev;
280         struct connman_iptables_entry *entry, *prev_entry;
281
282         for (list = table->entries; list; list = list->next) {
283                 entry = list->data;
284
285                 if (list == table->entries) {
286                         entry->offset = 0;
287
288                         continue;
289                 }
290
291                 prev = list->prev;
292                 prev_entry = prev->data;
293
294                 entry->offset = prev_entry->offset +
295                                         prev_entry->entry->next_offset;
296         }
297 }
298
299 static int connman_add_entry(struct connman_iptables *table,
300                                 struct ipt_entry *entry, GList *before)
301 {
302         GList *list;
303         struct connman_iptables_entry *e, *tmp, *entry_before;
304         struct xt_standard_target *t;
305
306         if (table == NULL)
307                 return -1;
308
309         e = g_try_malloc0(sizeof(struct connman_iptables_entry));
310         if (e == NULL)
311                 return -1;
312
313         e->entry = entry;
314
315         table->entries = g_list_insert_before(table->entries, before, e);
316         table->num_entries++;
317         table->size += entry->next_offset;
318
319         if (before == NULL) {
320                 e->offset = table->size - entry->next_offset;
321
322                 return 0;
323         }
324
325         entry_before = before->data;
326
327         /*
328          * We've just insterted a new entry. All references before it
329          * should be bumped accordingly.
330          */
331         for (list = table->entries; list != before; list = list->next) {
332                 tmp = list->data;
333
334                 if (!is_jump(tmp))
335                         continue;
336
337                 t = (struct xt_standard_target *)ipt_get_target(tmp->entry);
338
339                 if (t->verdict >= entry_before->offset)
340                         t->verdict += entry->next_offset;
341         }
342
343         update_offsets(table);
344
345         return 0;
346 }
347
348 static int connman_iptables_add_chain(struct connman_iptables *table,
349                                         char *name)
350 {
351         GList *last;
352         struct ipt_entry *entry_head;
353         struct ipt_entry *entry_return;
354         struct ipt_error_target *error;
355         struct ipt_standard_target *standard;
356         u_int16_t entry_head_size, entry_return_size;
357
358         last = g_list_last(table->entries);
359
360         /*
361          * An empty chain is composed of:
362          * - A head entry, with no match and an error target.
363          *   The error target data is the chain name.
364          * - A tail entry, with no match and a standard target.
365          *   The standard target verdict is XT_RETURN (return to the
366          *   caller).
367          */
368
369         /* head entry */
370         entry_head_size = sizeof(struct ipt_entry) +
371                                 sizeof(struct ipt_error_target);
372         entry_head = g_try_malloc0(entry_head_size);
373         if (entry_head == NULL)
374                 goto err;
375
376         memset(entry_head, 0, entry_head_size);
377
378         entry_head->target_offset = sizeof(struct ipt_entry);
379         entry_head->next_offset = entry_head_size;
380
381         error = (struct ipt_error_target *) entry_head->elems;
382         strcpy(error->t.u.user.name, IPT_ERROR_TARGET);
383         error->t.u.user.target_size = ALIGN(sizeof(struct ipt_error_target));
384         strcpy(error->error, name);
385
386         if (connman_add_entry(table, entry_head, last) < 0)
387                 goto err;
388
389         /* tail entry */
390         entry_return_size = sizeof(struct ipt_entry) +
391                                 sizeof(struct ipt_standard_target);
392         entry_return = g_try_malloc0(entry_return_size);
393         if (entry_return == NULL)
394                 goto err;
395
396         memset(entry_return, 0, entry_return_size);
397
398         entry_return->target_offset = sizeof(struct ipt_entry);
399         entry_return->next_offset = entry_return_size;
400
401         standard = (struct ipt_standard_target *) entry_return->elems;
402         standard->target.u.user.target_size =
403                                 ALIGN(sizeof(struct ipt_standard_target));
404         standard->verdict = XT_RETURN;
405
406         if (connman_add_entry(table, entry_return, last) < 0)
407                 goto err;
408
409         return 0;
410
411 err:
412         g_free(entry_head);
413         g_free(entry_return);
414
415         return -ENOMEM;
416 }
417
418 static struct ipt_entry *
419 new_rule(struct connman_iptables *table,
420                 char *target_name, struct xtables_target *xt_t,
421                 char *match_name, struct xtables_match *xt_m)
422 {
423         struct ipt_entry *new_entry;
424         size_t match_size, target_size;
425         int is_builtin = is_builtin_target(target_name);
426
427         if (xt_m)
428                 match_size = xt_m->m->u.match_size;
429         else
430                 match_size = 0;
431
432         if (xt_t)
433                 target_size = ALIGN(xt_t->t->u.target_size);
434         else
435                 target_size = ALIGN(sizeof(struct xt_standard_target));
436
437         new_entry = g_try_malloc0(sizeof(struct ipt_entry) + target_size +
438                                                                 match_size);
439         if (new_entry == NULL)
440                 return NULL;
441
442         new_entry->target_offset = sizeof(struct ipt_entry) + match_size;
443         new_entry->next_offset = sizeof(struct ipt_entry) + target_size +
444                                                                 match_size;
445         if (xt_m) {
446                 struct xt_entry_match *entry_match;
447
448                 entry_match = (struct xt_entry_match *)new_entry->elems;
449                 memcpy(entry_match, xt_m->m, match_size);
450         }
451
452         if (xt_t) {
453                 struct xt_entry_target *entry_target;
454
455                 if (is_builtin) {
456                         struct xt_standard_target *target;
457
458                         target = (struct xt_standard_target *)(xt_t->t);
459                         strcpy(target->target.u.user.name, IPT_STANDARD_TARGET);
460                         target->verdict = target_to_verdict(target_name);
461                 }
462
463                 entry_target = ipt_get_target(new_entry);
464                 memcpy(entry_target, xt_t->t, target_size);
465         } else {
466                 struct connman_iptables_entry *target_rule;
467                 struct xt_standard_target *target;
468                 GList *chain_head;
469
470                 /*
471                  * This is a user defined target, i.e. a chain jump.
472                  * We search for the chain head, and the target verdict
473                  * is the first rule's offset on this chain.
474                  * The offset is from the beginning of the table.
475                  */
476
477                 chain_head = find_chain_head(table, target_name);
478                 if (chain_head == NULL || chain_head->next == NULL) {
479                         g_free(new_entry);
480                         return NULL;
481                 }
482
483                 target_rule = chain_head->next->data;
484
485                 target = (struct xt_standard_target *)ipt_get_target(new_entry);
486                 strcpy(target->target.u.user.name, IPT_STANDARD_TARGET);
487                 target->target.u.user.target_size = target_size;
488                 target->verdict = target_rule->offset;
489         }
490
491         return new_entry;
492 }
493
494 static int
495 connman_iptables_add_rule(struct connman_iptables *table, char *chain_name,
496                                 char *target_name, struct xtables_target *xt_t,
497                                 char *match_name, struct xtables_match *xt_m)
498 {
499         GList *chain_tail;
500         struct ipt_entry *new_entry;
501
502         chain_tail = find_chain_tail(table, chain_name);
503         if (chain_tail == NULL)
504                 return -EINVAL;
505
506         new_entry = new_rule(table,
507                                 target_name, xt_t,
508                                 match_name, xt_m);
509         if (new_entry == NULL)
510                 return -EINVAL;
511
512         return connman_add_entry(table, new_entry, chain_tail->prev);
513 }
514
515 static struct ipt_replace *
516 connman_iptables_blob(struct connman_iptables *table)
517 {
518         struct ipt_replace *r;
519         GList *list;
520         struct connman_iptables_entry *e;
521         unsigned char *entry_index;
522
523         r = g_try_malloc0(sizeof(struct ipt_replace) + table->size);
524         if (r == NULL)
525                 return NULL;
526
527         memset(r, 0, sizeof(*r) + table->size);
528
529         r->counters = g_try_malloc0(sizeof(struct xt_counters)
530                                 * table->num_entries);
531         if (r->counters == NULL) {
532                 g_free(r);
533                 return NULL;
534         }
535
536         strcpy(r->name, table->info->name);
537         r->num_entries = table->num_entries;
538         r->size = table->size;
539
540         r->num_counters = table->old_entries;
541         r->valid_hooks  = table->info->valid_hooks;
542
543         memcpy(r->hook_entry, table->info->hook_entry,
544                                 sizeof(table->info->hook_entry));
545         memcpy(r->underflow, table->info->underflow,
546                                 sizeof(table->info->underflow));
547
548         entry_index = (unsigned char *)r->entries;
549         for (list = table->entries; list; list = list->next) {
550                 e = list->data;
551
552                 memcpy(entry_index, e->entry, e->entry->next_offset);
553                 entry_index += e->entry->next_offset;
554         }
555
556         return r;
557 }
558
559 static void dump_target(struct connman_iptables *table,
560                                 struct ipt_entry *entry)
561
562 {
563         struct xtables_target *xt_t;
564         struct xt_entry_target *target;
565
566         target = ipt_get_target(entry);
567
568         if (!strcmp(target->u.user.name, IPT_STANDARD_TARGET)) {
569                 struct xt_standard_target *t;
570
571                 t = (struct xt_standard_target *)target;
572
573                 switch (t->verdict) {
574                 case XT_RETURN:
575                         printf("\ttarget RETURN\n");
576                         break;
577
578                 case -NF_ACCEPT - 1:
579                         printf("\ttarget ACCEPT\n");
580                         break;
581
582                 case -NF_DROP - 1:
583                         printf("\ttarget DROP\n");
584                         break;
585
586                 case -NF_QUEUE - 1:
587                         printf("\ttarget QUEUE\n");
588                         break;
589
590                 case -NF_STOP - 1:
591                         printf("\ttarget STOP\n");
592                         break;
593
594                 default:
595                         printf("\tJUMP @%p (0x%x)\n",
596                                 (char*)table->blob_entries->entrytable +
597                                 t->verdict, t->verdict);
598                         break;
599                 }
600
601                 xt_t = xtables_find_target(IPT_STANDARD_TARGET,
602                                                 XTF_LOAD_MUST_SUCCEED);
603
604                 if(xt_t->print != NULL)
605                         xt_t->print(NULL, target, 1);
606         } else {
607                 xt_t = xtables_find_target(target->u.user.name, XTF_TRY_LOAD);
608                 if (xt_t == NULL) {
609                         printf("\ttarget %s\n", target->u.user.name);
610                         return;
611                 }
612
613                 if(xt_t->print != NULL) {
614                         printf("\ttarget ");
615                         xt_t->print(NULL, target, 1);
616                         printf("\n");
617                 }
618         }
619 }
620
621 static void dump_match(struct connman_iptables *table, struct ipt_entry *entry)
622 {
623         struct xtables_match *xt_m;
624         struct xt_entry_match *match;
625
626         if (entry->elems == (unsigned char *)entry + entry->target_offset)
627                 return;
628
629         match = (struct xt_entry_match *) entry->elems;
630
631         if (!strlen(match->u.user.name))
632                 return;
633
634         xt_m = xtables_find_match(match->u.user.name, XTF_TRY_LOAD, NULL);
635         if (xt_m == NULL)
636                 goto out;
637
638         if(xt_m->print != NULL) {
639                 printf("\tmatch ");
640                 xt_m->print(NULL, match, 1);
641                 printf("\n");
642
643                 return;
644         }
645
646 out:
647         printf("\tmatch %s\n", match->u.user.name);
648
649 }
650
651 static int connman_iptables_dump_entry(struct ipt_entry *entry,
652                                         struct connman_iptables *table)
653 {
654         struct xt_entry_target *target;
655         unsigned int offset;
656         int builtin;
657
658         offset = (char *)entry - (char *)table->blob_entries->entrytable;
659         target = ipt_get_target(entry);
660         builtin = is_hook_entry(table, entry);
661
662         if (entry_to_offset(table, entry) + entry->next_offset ==
663                                         table->blob_entries->size) {
664                 printf("End of CHAIN 0x%x\n", offset);
665                 return 0;
666         }
667
668         if (!strcmp(target->u.user.name, IPT_ERROR_TARGET)) {
669                 printf("USER CHAIN (%s) %p  match %p  target %p  size %d\n",
670                         target->data, entry, entry->elems,
671                         (char *)entry + entry->target_offset,
672                                 entry->next_offset);
673
674                 return 0;
675         } else if (builtin >= 0) {
676                 printf("CHAIN (%s) %p  match %p  target %p  size %d\n",
677                         hooknames[builtin], entry, entry->elems,
678                         (char *)entry + entry->target_offset,
679                                 entry->next_offset);
680         } else {
681                 printf("RULE %p  match %p  target %p  size %d\n", entry,
682                         entry->elems,
683                         (char *)entry + entry->target_offset,
684                                 entry->next_offset);
685         }
686
687         dump_match(table, entry);
688         dump_target(table, entry);
689
690         return 0;
691 }
692
693 static void connman_iptables_dump(struct connman_iptables *table)
694 {
695         printf("%s valid_hooks=0x%08x, num_entries=%u, size=%u\n",
696                 table->info->name,
697                 table->info->valid_hooks, table->info->num_entries,
698                 table->info->size);
699
700         ENTRY_ITERATE(table->blob_entries->entrytable,
701                         table->blob_entries->size,
702                         connman_iptables_dump_entry, table);
703
704 }
705
706 static int connman_iptables_get_entries(struct connman_iptables *table)
707 {
708         socklen_t entry_size;
709
710         entry_size = sizeof(struct ipt_get_entries) + table->info->size;
711
712         return getsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_GET_ENTRIES,
713                                 table->blob_entries, &entry_size);
714 }
715
716 static int connman_iptables_replace(struct connman_iptables *table,
717                                         struct ipt_replace *r)
718 {
719         return setsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_SET_REPLACE, r,
720                          sizeof(*r) + r->size);
721 }
722
723 static void connman_iptables_cleanup(struct connman_iptables *table)
724 {
725         close(table->ipt_sock);
726         g_free(table->info);
727         g_free(table->blob_entries);
728         g_free(table);
729
730         xtables_free_opts(1);
731 }
732
733 static int connman_iptables_commit(struct connman_iptables *table)
734 {
735         struct ipt_replace *repl;
736
737         repl = connman_iptables_blob(table);
738
739         return connman_iptables_replace(table, repl);
740 }
741
742 static int add_entry(struct ipt_entry *entry, struct connman_iptables *table)
743 {
744         return connman_add_entry(table, entry, NULL);
745 }
746
747 static struct connman_iptables *connman_iptables_init(const char *table_name)
748 {
749         struct connman_iptables *table;
750         socklen_t s;
751
752         table =  g_try_new0(struct connman_iptables, 1);
753         if (table == NULL)
754                 return NULL;
755
756         table->info =  g_try_new0(struct ipt_getinfo, 1);
757         if (table->info == NULL)
758                 goto err;
759
760         table->ipt_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
761         if (table->ipt_sock < 0)
762                 goto err;
763
764         s = sizeof(*table->info);
765         strcpy(table->info->name, table_name);
766         if (getsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_GET_INFO,
767                                                 table->info, &s) < 0)
768                 goto err;
769
770         table->blob_entries = g_try_malloc0(sizeof(struct ipt_get_entries) +
771                                                 table->info->size);
772         if (table->blob_entries == NULL)
773                 goto err;
774
775         strcpy(table->blob_entries->name, table_name);
776         table->blob_entries->size = table->info->size;
777
778         if (connman_iptables_get_entries(table) < 0)
779                 goto err;
780
781         table->num_entries = 0;
782         table->old_entries = table->info->num_entries;
783         table->size = 0;
784
785         ENTRY_ITERATE(table->blob_entries->entrytable,
786                         table->blob_entries->size,
787                                 add_entry, table);
788
789
790         return table;
791
792 err:
793
794         connman_iptables_cleanup(table);
795
796         return NULL;
797 }
798
799
800 static struct option connman_iptables_opts[] = {
801         {.name = "append",        .has_arg = 1, .val = 'A'},
802         {.name = "list",          .has_arg = 2, .val = 'L'},
803         {.name = "new-chain",     .has_arg = 1, .val = 'N'},
804         {.name = "in-interface",  .has_arg = 1, .val = 'i'},
805         {.name = "jump",          .has_arg = 1, .val = 'j'},
806         {.name = "match",         .has_arg = 1, .val = 'm'},
807         {.name = "out-interface", .has_arg = 1, .val = 'o'},
808         {.name = "table",         .has_arg = 1, .val = 't'},
809         {NULL},
810 };
811
812 struct xtables_globals connman_iptables_globals = {
813         .option_offset = 0,
814         .opts = connman_iptables_opts,
815         .orig_opts = connman_iptables_opts,
816 };
817
818 int main(int argc, char *argv[])
819 {
820         struct connman_iptables *table;
821         struct xtables_match *xt_m;
822         struct xtables_target *xt_t;
823         char *table_name, *chain, *new_chain, *match_name, *target_name;
824         int c;
825         size_t size;
826         gboolean dump, invert;
827
828         xtables_init_all(&connman_iptables_globals, NFPROTO_IPV4);
829
830         dump = FALSE;
831         invert = FALSE;
832         table_name = chain = new_chain = match_name = target_name = NULL;
833         table = NULL;
834         xt_m = NULL;
835         xt_t = NULL;
836
837         while ((c = getopt_long(argc, argv,
838            "-A:L::N:j:i:m:o:t:", connman_iptables_globals.opts, NULL)) != -1) {
839                 switch (c) {
840                 case 'A':
841                         chain = optarg;
842                         break;
843
844                 case 'L':
845                         dump = TRUE;
846                         break;
847
848                 case 'N':
849                         new_chain = optarg;
850                         break;
851
852                 case 'j':
853                         target_name = optarg;
854                         xt_t = xtables_find_target(target_name, XTF_TRY_LOAD);
855
856                         if (xt_t == NULL)
857                                 break;
858
859                         size = ALIGN(sizeof(struct ipt_entry_target)) + xt_t->size;
860
861                         xt_t->t = g_try_malloc0(size);
862                         if (xt_t->t == NULL)
863                                 goto out;
864                         xt_t->t->u.target_size = size;
865                         strcpy(xt_t->t->u.user.name, target_name);
866                         xt_t->t->u.user.revision = xt_t->revision;
867                         if (xt_t->init != NULL)
868                                 xt_t->init(xt_t->t);
869                         connman_iptables_globals.opts =
870                                 xtables_merge_options(connman_iptables_globals.opts,
871                                                      xt_t->extra_opts,
872                                                      &xt_t->option_offset);
873                         if (connman_iptables_globals.opts == NULL)
874                                 goto out;
875
876                         break;
877
878                 case 'i':
879                         break;
880
881                 case 'm':
882                         match_name = optarg;
883
884                         xt_m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, NULL);
885                         size = ALIGN(sizeof(struct ipt_entry_match)) + xt_m->size;
886                         xt_m->m = g_try_malloc0(size);
887                         if (xt_m == NULL)
888                                 goto out;
889                         xt_m->m->u.match_size = size;
890                         strcpy(xt_m->m->u.user.name, xt_m->name);
891                         xt_m->m->u.user.revision = xt_m->revision;
892                         if (xt_m->init != NULL)
893                                 xt_m->init(xt_m->m);
894                         if (xt_m != xt_m->next) {
895                                 connman_iptables_globals.opts =
896                                         xtables_merge_options(connman_iptables_globals.opts,
897                                                 xt_m->extra_opts,
898                                                 &xt_m->option_offset);
899                                 if (connman_iptables_globals.opts == NULL)
900                                         goto out;
901                         }
902
903                         break;
904
905                 case 'o':
906                         break;
907
908                 case 't':
909                         table_name = optarg;
910                         break;
911
912                 case 1:
913                         if (optarg[0] == '!' && optarg[1] == '\0') {
914                                 if (invert)
915                                         printf("Consecutive ! not allowed\n");
916
917                                 invert = TRUE;
918                                 optarg[0] = '\0';
919                                 continue;
920                         }
921
922                         printf("Invalid option\n");
923
924                         return -1;
925
926                 default:
927                         if (xt_t == NULL || xt_t->parse == NULL ||
928                             !xt_t->parse(c - xt_t->option_offset, argv, invert,
929                                         &xt_t->tflags, NULL, &xt_t->t)) {
930                                 if (xt_m == NULL || xt_m->parse == NULL)
931                                         break;
932
933                                 xt_m->parse(c - xt_m->option_offset, argv,
934                                         invert, &xt_m->mflags, NULL, &xt_m->m);
935                         }
936
937                         break;
938                 }
939         }
940
941         if (table_name == NULL)
942                 table_name = "filter";
943
944         table = connman_iptables_init(table_name);
945         if (table == NULL)
946                 return -1;
947
948         if (dump) {
949                 connman_iptables_dump(table);
950
951                 return 0;
952         }
953
954         if (chain && new_chain)
955                 return -1;
956
957         if (new_chain) {
958                 printf("New chain %s\n", new_chain);
959
960                 connman_iptables_add_chain(table, new_chain);
961
962                 goto commit;
963         }
964
965         if (chain) {
966                 if (target_name == NULL)
967                         return -1;
968
969                 printf("Adding %s to %s (match %s)\n", target_name, chain, match_name);
970
971                 connman_iptables_add_rule(table, chain, target_name, xt_t,
972                                         match_name, xt_m);
973
974                 goto commit;
975         }
976
977 commit:
978
979         connman_iptables_commit(table);
980
981 out:
982         connman_iptables_cleanup(table);
983
984         if (xt_t)
985                 g_free(xt_t->t);
986
987         if (xt_m)
988                 g_free(xt_m->m);
989
990         return 0;
991 }