iptables: Remove unused __connman_iptables_command()
authorDaniel Wagner <daniel.wagner@bmw-carit.de>
Tue, 12 Feb 2013 09:19:50 +0000 (10:19 +0100)
committerPatrik Flykt <patrik.flykt@linux.intel.com>
Tue, 12 Feb 2013 10:34:42 +0000 (12:34 +0200)
src/connman.h
src/iptables.c
unit/test-iptables.c

index 96c3ed6..484d1e0 100644 (file)
@@ -796,8 +796,6 @@ int __connman_iptables_delete(const char *table_name,
 
 int __connman_iptables_init(void);
 void __connman_iptables_cleanup(void);
-int __connman_iptables_command(const char *format, ...)
-                               __attribute__((format(printf, 1, 2)));
 int __connman_iptables_commit(const char *table_name);
 
 int __connman_dnsproxy_init(void);
index 0e1eefb..e395af7 100644 (file)
@@ -752,33 +752,6 @@ static struct ipt_entry *prepare_rule_inclusion(struct connman_iptables *table,
        return new_entry;
 }
 
-static int iptables_append_rule(struct connman_iptables *table,
-                               struct ipt_ip *ip, char *chain_name,
-                               char *target_name, struct xtables_target *xt_t,
-                               struct xtables_rule_match *xt_rm)
-{
-       GList *chain_tail;
-       struct ipt_entry *new_entry;
-       int builtin = -1, ret;
-
-       DBG("");
-
-       chain_tail = find_chain_tail(table, chain_name);
-       if (chain_tail == NULL)
-               return -EINVAL;
-
-       new_entry = prepare_rule_inclusion(table, ip, chain_name,
-                                       target_name, xt_t, &builtin, xt_rm);
-       if (new_entry == NULL)
-               return -EINVAL;
-
-       ret = iptables_add_entry(table, new_entry, chain_tail->prev, builtin);
-       if (ret < 0)
-               g_free(new_entry);
-
-       return ret;
-}
-
 static int iptables_insert_rule(struct connman_iptables *table,
                                struct ipt_ip *ip, const char *chain_name,
                                const char *target_name,
@@ -1009,29 +982,6 @@ static int iptables_delete_rule(struct connman_iptables *table,
        return 0;
 }
 
-static int iptables_compare_rule(struct connman_iptables *table,
-                               struct ipt_ip *ip, const char *chain_name,
-                               const char *target_name,
-                               struct xtables_target *xt_t,
-                               struct xtables_match *xt_m,
-                               struct xtables_rule_match *xt_rm)
-{
-       struct connman_iptables_entry *entry;
-       GList *found;
-
-       found = find_existing_rule(table, ip, chain_name, target_name,
-                                                       xt_t, xt_m, xt_rm);
-       if (found == NULL)
-               return -EINVAL;
-
-       entry = found->data;
-       if (entry == NULL)
-               return -EINVAL;
-
-       return 0;
-}
-
-
 static int iptables_change_policy(struct connman_iptables *table,
                                const char *chain_name, const char *policy)
 {
@@ -1673,418 +1623,6 @@ static void clear_tables_flags(void)
        }
 }
 
-static int iptables_command(int argc, char *argv[])
-{
-       struct connman_iptables *table;
-       struct xtables_rule_match *xt_rm, *tmp_xt_rm;
-       struct xtables_match *xt_m, *xt_m_t;
-       struct xtables_target *xt_t;
-       struct ipt_ip ip;
-       char *table_name, *chain, *new_chain, *match_name, *target_name;
-       char *flush_chain, *delete_chain, *policy;
-       int c, ret, in_len, out_len;
-       gboolean dump, invert, insert, delete, compare;
-
-       if (argc == 0)
-               return -EINVAL;
-
-       dump = FALSE;
-       invert = FALSE;
-       insert = FALSE;
-       delete = FALSE;
-       compare = FALSE;
-       chain = new_chain = match_name = target_name = NULL;
-       flush_chain = delete_chain = policy = table_name = NULL;
-       memset(&ip, 0, sizeof(struct ipt_ip));
-       table = NULL;
-       xt_rm = NULL;
-       xt_m = NULL;
-       xt_t = NULL;
-       /* Default code for options parsing */
-       ret = -EINVAL;
-
-       clear_tables_flags();
-
-       /* extension's options will generate false-positives errors */
-       opterr = 0;
-
-       optind = 0;
-
-       while ((c = getopt_long(argc, argv,
-                                       "-A:C:D:F:I:L::N:P:X:d:j:i:m:o:s:t:",
-                                       iptables_globals.opts, NULL)) != -1) {
-               switch (c) {
-               case 'A':
-                       /* It is either -A, -C, -D or -I at once */
-                       if (chain)
-                               goto out;
-
-                       chain = optarg;
-                       break;
-
-               case 'C':
-                       /* It is either -A, -C, -D or -I at once */
-                       if (chain)
-                               goto out;
-
-                       chain = optarg;
-                       compare = TRUE;
-                       break;
-
-               case 'D':
-                       /* It is either -A, -C, -D or -I at once */
-                       if (chain)
-                               goto out;
-
-                       chain = optarg;
-                       delete = TRUE;
-                       break;
-
-               case 'F':
-                       flush_chain = optarg;
-                       break;
-
-               case 'I':
-                       /* It is either -A, -C, -D or -I at once */
-                       if (chain)
-                               goto out;
-
-                       chain = optarg;
-                       insert = TRUE;
-                       break;
-
-               case 'L':
-                       dump = TRUE;
-                       break;
-
-               case 'N':
-                       new_chain = optarg;
-                       break;
-
-               case 'P':
-                       chain = optarg;
-                       if (optind < argc)
-                               policy = argv[optind++];
-                       else
-                               goto out;
-
-                       break;
-
-               case 'X':
-                       delete_chain = optarg;
-                       break;
-
-               case 'd':
-                       if (!parse_ip_and_mask(optarg, &ip.dst, &ip.dmsk))
-                               break;
-
-                       if (invert)
-                               ip.invflags |= IPT_INV_DSTIP;
-
-                       break;
-
-               case 'i':
-                       in_len = strlen(optarg);
-
-                       if (in_len + 1 > IFNAMSIZ)
-                               break;
-
-                       strcpy(ip.iniface, optarg);
-                       memset(ip.iniface_mask, 0xff, in_len + 1);
-
-                       if (invert)
-                               ip.invflags |= IPT_INV_VIA_IN;
-
-                       break;
-
-               case 'j':
-                       target_name = optarg;
-
-                       table = pre_load_table(table_name, table);
-                       if (table == NULL)
-                               goto out;
-
-                       xt_t = prepare_target(table, target_name);
-                       if (xt_t == NULL)
-                               goto out;
-
-                       break;
-
-               case 'm':
-                       match_name = optarg;
-
-                       table = pre_load_table(table_name, table);
-                       if (table == NULL)
-                               goto out;
-
-                       xt_m = prepare_matches(table, &xt_rm, match_name);
-                       if (xt_m == NULL)
-                               goto out;
-
-                       break;
-
-               case 'o':
-                       out_len = strlen(optarg);
-
-                       if (out_len + 1 > IFNAMSIZ)
-                               break;
-
-                       strcpy(ip.outiface, optarg);
-                       memset(ip.outiface_mask, 0xff, out_len + 1);
-
-                       if (invert)
-                               ip.invflags |= IPT_INV_VIA_OUT;
-
-                       break;
-
-               case 's':
-                       if (!parse_ip_and_mask(optarg, &ip.src, &ip.smsk))
-                               break;
-
-                       if (invert)
-                               ip.invflags |= IPT_INV_SRCIP;
-
-                       break;
-
-               case 't':
-                       table_name = optarg;
-
-                       table = pre_load_table(table_name, table);
-                       if (table == NULL)
-                               goto out;
-
-                       break;
-
-               case 1:
-                       if (optarg[0] == '!' && optarg[1] == '\0') {
-                               invert = TRUE;
-                               optarg[0] = '\0';
-                               continue;
-                       }
-
-                       connman_error("Invalid option");
-
-                       goto out;
-
-               default:
-#if XTABLES_VERSION_CODE > 5
-                       if (xt_t != NULL && (xt_t->x6_parse != NULL ||
-                                               xt_t->parse != NULL) &&
-                                       (c >= (int) xt_t->option_offset &&
-                                       c < (int) xt_t->option_offset +
-                                       XT_OPTION_OFFSET_SCALE)) {
-                               xtables_option_tpcall(c, argv,
-                                                       invert, xt_t, NULL);
-
-                               break;
-                       }
-
-                       for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
-                                               tmp_xt_rm = tmp_xt_rm->next) {
-                               xt_m_t = tmp_xt_rm->match;
-
-                               if (tmp_xt_rm->completed ||
-                                               (xt_m_t->x6_parse == NULL &&
-                                                xt_m_t->parse == NULL))
-                                       continue;
-
-                               if (c < (int) xt_m_t->option_offset ||
-                                       c >= (int) xt_m_t->option_offset
-                                       + XT_OPTION_OFFSET_SCALE)
-                                       continue;
-
-                               xtables_option_mpcall(c, argv,
-                                                       invert, xt_m_t, NULL);
-
-                               break;
-                       }
-#else
-                       if (xt_t == NULL || xt_t->parse == NULL ||
-                               !xt_t->parse(c - xt_t->option_offset,
-                               argv, invert, &xt_t->tflags, NULL, &xt_t->t)) {
-
-                               for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
-                                               tmp_xt_rm = tmp_xt_rm->next) {
-                                       xt_m_t = tmp_xt_rm->match;
-
-                                       if (tmp_xt_rm->completed ||
-                                                       xt_m_t->parse == NULL)
-                                               continue;
-
-                                       if (xt_m->parse(c - xt_m->option_offset,
-                                               argv, invert, &xt_m->mflags,
-                                               NULL, &xt_m->m))
-                                               break;
-                               }
-                       }
-#endif
-                       break;
-               }
-
-               invert = FALSE;
-       }
-
-#if XTABLES_VERSION_CODE > 5
-       for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
-                               tmp_xt_rm = tmp_xt_rm->next)
-               xtables_option_mfcall(tmp_xt_rm->match);
-
-       if (xt_t != NULL)
-               xtables_option_tfcall(xt_t);
-#else
-       for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
-                               tmp_xt_rm = tmp_xt_rm->next)
-               if (tmp_xt_rm->match->final_check != NULL)
-                       tmp_xt_rm->match->final_check(
-                                       tmp_xt_rm->match->mflags);
-
-       if (xt_t != NULL && xt_t->final_check != NULL)
-               xt_t->final_check(xt_t->tflags);
-#endif
-
-       table = pre_load_table(table_name, table);
-       if (table == NULL)
-               goto out;
-
-       /* Option parsing went fine, falling back to succes code */
-       ret = 0;
-
-       if (delete_chain != NULL) {
-               printf("Delete chain %s\n", delete_chain);
-
-               iptables_delete_chain(table, delete_chain);
-
-               goto out;
-       }
-
-       if (dump) {
-               dump_table(table);
-
-               goto out;
-       }
-
-       if (flush_chain) {
-               DBG("Flush chain %s", flush_chain);
-
-               iptables_flush_chain(table, flush_chain);
-
-               goto out;
-       }
-
-       if (chain && new_chain) {
-               ret = -EINVAL;
-               goto out;
-       }
-
-       if (new_chain) {
-               DBG("New chain %s", new_chain);
-
-               ret = iptables_add_chain(table, new_chain);
-               goto out;
-       }
-
-       if (chain) {
-               if (policy != NULL) {
-                       printf("Changing policy of %s to %s\n", chain, policy);
-
-                       iptables_change_policy(table, chain, policy);
-
-                       goto out;
-               }
-
-               if (xt_t == NULL)
-                       goto out;
-
-               if (compare == TRUE) {
-                       ret = iptables_compare_rule(table, &ip, chain,
-                                       target_name, xt_t, xt_m, xt_rm);
-                       goto out;
-               }
-
-               if (delete == TRUE) {
-                       DBG("Deleting %s to %s (match %s)\n",
-                                       target_name, chain, match_name);
-
-                       ret = iptables_delete_rule(table, &ip, chain,
-                                       target_name, xt_t, xt_m, xt_rm);
-
-                       goto out;
-               }
-
-               if (insert == TRUE) {
-                       DBG("Inserting %s to %s (match %s)",
-                                       target_name, chain, match_name);
-
-                       ret = iptables_insert_rule(table, &ip, chain,
-                                               target_name, xt_t, xt_rm);
-
-                       goto out;
-               } else {
-                       DBG("Adding %s to %s (match %s)",
-                                       target_name, chain, match_name);
-
-                       ret = iptables_append_rule(table, &ip, chain,
-                                               target_name, xt_t, xt_rm);
-
-                       goto out;
-               }
-       }
-
-out:
-       if (xt_t)
-               g_free(xt_t->t);
-
-       if (xt_m)
-               g_free(xt_m->m);
-
-       return ret;
-}
-
-int __connman_iptables_command(const char *format, ...)
-{
-       char **argv, **arguments, *command;
-       int argc, i, ret;
-       va_list args;
-
-       if (format == NULL)
-               return -EINVAL;
-
-       va_start(args, format);
-
-       command = g_strdup_vprintf(format, args);
-
-       va_end(args);
-
-       if (command == NULL)
-               return -ENOMEM;
-
-       arguments = g_strsplit_set(command, " ", -1);
-
-       for (argc = 0; arguments[argc]; argc++);
-       ++argc;
-
-       DBG("command %s argc %d", command, argc);
-
-       argv = g_try_malloc0(argc * sizeof(char *));
-       if (argv == NULL) {
-               g_free(command);
-               g_strfreev(arguments);
-               return -ENOMEM;
-       }
-
-       argv[0] = "iptables";
-       for (i = 1; i < argc; i++)
-               argv[i] = arguments[i - 1];
-
-       ret = iptables_command(argc, argv);
-
-       g_free(command);
-       g_strfreev(arguments);
-       g_free(argv);
-
-       return ret;
-}
-
 struct parse_context {
        int argc;
        char **argv;
index 1e94647..e378a90 100644 (file)
 
 #include "../src/connman.h"
 
-static void test_iptables_basic0(void)
-{
-       int err;
-
-       err = __connman_iptables_command("-t filter -A INPUT "
-                                       "-m mark --mark 1 -j LOG");
-       g_assert(err == 0);
-
-       err = __connman_iptables_commit("filter");
-       g_assert(err == 0);
-
-       err = __connman_iptables_command("-t filter -D INPUT "
-                                       "-m mark --mark 1 -j LOG");
-       g_assert(err == 0);
-
-       err = __connman_iptables_commit("filter");
-       g_assert(err == 0);
-}
-
-static void test_iptables_basic1(void)
-{
-       int err;
-
-       /* Test if we can do NAT stuff */
-
-       err = __connman_iptables_command("-t nat -A POSTROUTING "
-                               "-s 10.10.1.0/24 -o eth0 -j MASQUERADE");
-
-       err = __connman_iptables_commit("nat");
-       g_assert(err == 0);
-
-       err = __connman_iptables_command("-t nat -D POSTROUTING "
-                               "-s 10.10.1.0/24 -o eth0 -j MASQUERADE");
-
-       err = __connman_iptables_commit("nat");
-       g_assert(err == 0);
-}
-
-static void test_iptables_basic2(void)
-{
-       int err;
-
-       /* Test if the right rule is removed */
-
-       err = __connman_iptables_command("-t filter -A INPUT "
-                                       "-m mark --mark 1 -j LOG");
-       g_assert(err == 0);
-
-       err = __connman_iptables_commit("filter");
-       g_assert(err == 0);
-
-       err = __connman_iptables_command("-t filter -A INPUT "
-                                       "-m mark --mark 2 -j LOG");
-       g_assert(err == 0);
-
-       err = __connman_iptables_commit("filter");
-       g_assert(err == 0);
-
-       err = __connman_iptables_command("-t filter -D INPUT "
-                                       "-m mark --mark 2 -j LOG");
-       g_assert(err == 0);
-
-       err = __connman_iptables_commit("filter");
-       g_assert(err == 0);
-
-       err = __connman_iptables_command("-t filter -D INPUT "
-                                       "-m mark --mark 1 -j LOG");
-       g_assert(err == 0);
-
-       err = __connman_iptables_commit("filter");
-       g_assert(err == 0);
-}
-
 static void test_iptables_chain0(void)
 {
        int err;
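Review bot: Deleting test_iptables_basic0/1/2 drops the cases in this hunk that append rules, commit, and then delete them again, including basic2 ("Test if the right rule is removed"), which adds `--mark 1` and `--mark 2` rules and deletes them in reverse order while asserting that every step succeeds; nothing is added to cover the same behaviour through the remaining API. Whether test_iptables_chain0 and the later cases exercise rule-level append and delete is not visible from this hunk, so that should be confirmed before merging. If they do not, I would port basic2 to the rule functions still declared in src/connman.h (`__connman_iptables_delete()` and `__connman_iptables_commit()` are visible in the header hunk) instead of removing it, because a rule-matching regression in a firewall manager can leave a stale rule installed or remove the wrong one. The `g_test_add_func` registrations removed in the last hunk would then be re-added for the ported cases.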
@@ -317,9 +244,6 @@ int main(int argc, char *argv[])
        __connman_iptables_init();
        __connman_nat_init();
 
-       g_test_add_func("/iptables/basic0", test_iptables_basic0);
-       g_test_add_func("/iptables/basic1", test_iptables_basic1);
-       g_test_add_func("/iptables/basic2", test_iptables_basic2);
        g_test_add_func("/iptables/chain0", test_iptables_chain0);
        g_test_add_func("/iptables/chain1", test_iptables_chain1);
        g_test_add_func("/iptables/chain2", test_iptables_chain2);