Name: stc-iptables
Summary: STC(Smart Traffic Control) iptables
-Version: 0.0.16
+Version: 0.0.17
Release: 0
Group: Network & Connectivity/Other
License: GPL-2.0 and Apache-2.0
mkdir -p /opt/usr/data/network
chmod 755 /opt/usr/data/network
chown network_fw:network_fw /opt/usr/data/network
+#/usr/sbin/setcap cap_net_bind_service,cap_net_raw,cap_net_admin=ei %{_bindir}/stc-iptables
%files
%manifest %{name}.manifest
#include <linux/netfilter/xt_cgroup.h>
#include <linux/netfilter/xt_nfacct.h>
//#include <linux/netfilter/xt_iprange.h>
+#include <linux/netfilter/xt_NFLOG.h>
+#include <linux/netfilter_ipv6/ip6t_LOG.h>
#include "helper-ip6tables.h"
#include "stc-iptables-util.h"
-#define IP6T_ALIGN XT_ALIGN
-#define IP6TC_TABLE "filter"
-#define IP6TC_TCP "tcp"
-#define IP6TC_UDP "udp"
-#define IP6TC_CGROUP "cgroup"
-#define IP6TC_NFACCT "nfacct"
+#define IP6T_ALIGN XT_ALIGN
+#define IP6TC_TABLE "filter"
+#define IP6TC_TCP "tcp"
+#define IP6TC_UDP "udp"
+#define IP6TC_CGROUP "cgroup"
+#define IP6TC_NFACCT "nfacct"
+#define IP6TC_IPRANGE "iprange"
+#define IP6TC_LOG "LOG"
+#define IP6TC_NFLOG "NFLOG"
#define IP6TC_MASK "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF"
typedef struct xt_nfacct_match_info ip6t_nfacct_info_t;
typedef struct xt_iprange_mtinfo ip6t_iprange_info_t;
+/* target */
+typedef struct ip6t_log_info ip6t_log_info_t;
+typedef struct xt_nflog_info ip6t_nflog_info_t;
+
#define SIZE_ENTRY IP6T_ALIGN(sizeof(ip6t_entry_t))
#define SIZE_TCP_MATCH IP6T_ALIGN(sizeof(ip6t_entry_match_t)) + IP6T_ALIGN(sizeof(ip6t_tcp_info_t))
#define SIZE_UDP_MATCH IP6T_ALIGN(sizeof(ip6t_entry_match_t)) + IP6T_ALIGN(sizeof(ip6t_udp_info_t))
#define SIZE_NFACCT_MATCH IP6T_ALIGN(sizeof(ip6t_entry_match_t)) + IP6T_ALIGN(sizeof(ip6t_nfacct_info_t))
//#define SIZE_IPRANGE_MATCH IP6T_ALIGN(sizeof(ip6t_entry_match_t)) + IP6T_ALIGN(sizeof(ip6t_iprange_info_t))
#define SIZE_TARGET IP6T_ALIGN(sizeof(ip6t_entry_target_t)) + IP6T_ALIGN(sizeof(int))
+#define SIZE_TARGET_LOG IP6T_ALIGN(sizeof(ip6t_log_info_t))
+#define SIZE_TARGET_NFLOG IP6T_ALIGN(sizeof(ip6t_nflog_info_t))
#define SIZE_TOTAL SIZE_ENTRY + SIZE_TCP_MATCH + SIZE_UDP_MATCH + SIZE_CGROUP_MATCH \
- + SIZE_NFACCT_MATCH + SIZE_TARGET
+ + SIZE_NFACCT_MATCH + SIZE_TARGET \
+ + SIZE_TARGET_LOG + SIZE_TARGET_NFLOG
// + SIZE_NFACCT_MATCH + SIZE_IPRANGE_MATCH + SIZE_TARGET
static unsigned int __add_match(const char *name, ip6t_entry_match_t *start, size_t size, void *data)
return match->u.match_size;
}
+static unsigned int __add_target(const char *name, ip6t_entry_target_t *start, size_t size, void *data)
+{
+ ip6t_entry_target_t *target = start;
+
+ target->u.target_size = IP6T_ALIGN(sizeof(ip6t_entry_target_t)) + IP6T_ALIGN(size);
+
+ g_strlcpy(target->u.user.name, name, XT_EXTENSION_MAXNAMELEN);
+ memcpy(target->data, data, size);
+
+ return target->u.target_size;
+}
+
static unsigned int __add_port_match(ip6tables_protocol_type_e prot_type,
ip6tables_port_type_e sport_type, unsigned short sport1, unsigned short sport2,
ip6tables_port_type_e dport_type, unsigned short dport1, unsigned short dport2,
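Review bot: `__add_target` copies only `size` bytes into `target->data` but advertises `IP6T_ALIGN(size)` bytes in `target_size`, so the alignment padding (four bytes for `xt_nflog_info` at 8-byte alignment) keeps whatever the caller's buffer held; if that buffer is not zeroed before use (nothing in this hunk shows it is) the padding is non-deterministic, and since `__create_entry_data` builds a bytewise `mask` for the entry, a later delete that presumably compares entries through that mask can fail to find the rule. I would zero the tail explicitly after the copy, `memset(target->data + size, 0, IP6T_ALIGN(size) - size);`, or state in a comment on the function that `start` must point into a zero-initialised buffer. `data` is never written through, so `const void *data` would document that as well; the IPv4 copy at L197-L207 has the same shape.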
return __add_match(IP6TC_NFACCT, start, sizeof(ip6t_nfacct_info_t), &nfacct);
}
+static unsigned int __add_log_target(unsigned char level, const char *prefix,
+ ip6t_entry_target_t *start)
+{
+ /* log => "--log-level --log-prefix" */
+ ip6t_log_info_t log;
+ memset(&log, 0, sizeof(ip6t_log_info_t));
+ log.level = level;
+ g_strlcpy(log.prefix, prefix, 30);
+ /* target_log */
+ return __add_target(IP6TC_LOG, start, sizeof(ip6t_log_info_t), &log);
+}
+
+static unsigned int __add_nflog_target(unsigned int group, const char *prefix,
+ unsigned int range, unsigned int threshold, ip6t_entry_target_t *start)
+{
+ /* nflog => "--nflog-group --nflog-prefix --nflog-range --nflog-threshold" */
+ ip6t_nflog_info_t nflog;
+ memset(&nflog, 0, sizeof(ip6t_nflog_info_t));
+ nflog.group = group;
+ g_strlcpy(nflog.prefix, prefix, 64);
+ nflog.len = range;
+ nflog.threshold = threshold;
+ /* target_nflog */
+ return __add_target(IP6TC_NFLOG, start, sizeof(ip6t_nflog_info_t), &nflog);
+}
+
static int __create_entry_data(unsigned char *entry, unsigned char *mask,
ip6tables_rule_s *rule)
{
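Review bot: `__add_log_target` and `__add_nflog_target` hand `prefix` straight to `g_strlcpy`, but `rule->log_prefix` and `rule->nflog_prefix` are only assigned when the D-Bus dictionary carries the key (L395-L400, L408-L413), so a rule without a prefix presumably passes NULL and trips `g_strlcpy`'s `g_return_val_if_fail` critical instead of yielding an empty prefix. `g_strlcpy(log.prefix, prefix ? prefix : "", sizeof log.prefix);` and `g_strlcpy(nflog.prefix, prefix ? prefix : "", sizeof nflog.prefix);` fix that and also replace the hard-coded 30 and 64 with the real field sizes, so a future header change cannot silently turn the copy into an overflow. `xt_nflog_info.group` and `.threshold` are 16-bit fields while the parameters are `unsigned int`, so larger values are truncated without notice — better rejected at the D-Bus parser than here. The IPv4 copies at L214-L238 share all of this.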
e->next_offset = SIZE_ENTRY;
size_mask = sizeof(ip6t_entry_t);
- if (rule->ifname) {
+ if (rule->ifname && rule->ifname[0] != '\0') {
switch (rule->direction) {
case IP6TABLES_DIRECTION_IN:
/* entry => "-i wlan0" */
}
/* -m nfacct --nfacct-name c2_1_33_seth_w0 */
- if (rule->nfacct_name) {
+ if (rule->nfacct_name && rule->nfacct_name[0] != '\0') {
size_match += __add_nfacct_match(rule->nfacct_name, (ip6t_entry_match_t *) (e->elems + size_match));
size_mask += sizeof(ip6t_entry_match_t);
e->target_offset += SIZE_NFACCT_MATCH;
/* target => "-j ACCEPT" */
target = (ip6t_entry_target_t *) (e->elems + size_match);
- target->u.target_size = SIZE_TARGET;
- if (rule->target) {
- g_strlcpy(target->u.user.name, rule->target, XT_EXTENSION_MAXNAMELEN);
+ switch (rule->target_type) {
+ case IP6TABLES_ACTION_LOG:
+ e->next_offset += __add_log_target(rule->log_level, rule->log_prefix, target);
+ break;
+ case IP6TABLES_ACTION_NFLOG:
+ e->next_offset += __add_nflog_target(rule->nflog_group,
+ rule->nflog_prefix, rule->nflog_range, rule->nflog_threshold, target);
+ break;
+ default:
+ target->u.target_size = SIZE_TARGET;
+ if (rule->target && rule->target[0] != '\0')
+ g_strlcpy(target->u.user.name, rule->target, XT_EXTENSION_MAXNAMELEN);
e->next_offset += SIZE_TARGET;
+ break;
}
memset(mask, 0xFF, size_mask);
} ip6tables_protocol_type_e;
typedef enum {
+ IP6TABLES_ACTION_NONE,
IP6TABLES_ACTION_ACCEPT,
- IP6TABLES_ACTION_DROP
+ IP6TABLES_ACTION_DROP,
+ IP6TABLES_ACTION_LOG,
+ IP6TABLES_ACTION_NFLOG,
} ip6tables_target_action_e;
typedef struct {
int classid;
char *nfacct_name;
char *target;
+ ip6tables_target_action_e target_type;
+ unsigned char log_level;
+ char *log_prefix;
+ unsigned int nflog_group;
+ char *nflog_prefix;
+ unsigned int nflog_range;
+ unsigned int nflog_threshold;
} ip6tables_rule_s;
/**
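Review bot: Inserting `IP6TABLES_ACTION_NONE` at position 0 renumbers `IP6TABLES_ACTION_ACCEPT` and `IP6TABLES_ACTION_DROP`, and `target_type` is now filled directly from a D-Bus `uint16` (L433), so this numbering is part of the wire contract and has to match both what clients send and the IPv4 enum at L278-L283. I would pin the values explicitly, `IP6TABLES_ACTION_NONE = 0, IP6TABLES_ACTION_ACCEPT = 1, IP6TABLES_ACTION_DROP = 2, IP6TABLES_ACTION_LOG = 3, IP6TABLES_ACTION_NFLOG = 4`, with a comment that the values travel over D-Bus and must not be reordered. The new `log_prefix` and `nflog_prefix` members are heap strings released by `__free_6_rule` (L476-L477); a short ownership comment on the struct, e.g. `/* owned; freed by __free_6_rule() */`, would help the next caller.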
#include <linux/netfilter/xt_cgroup.h>
#include <linux/netfilter/xt_nfacct.h>
#include <linux/netfilter/xt_iprange.h>
+#include <linux/netfilter/xt_NFLOG.h>
+#include <linux/netfilter_ipv4/ipt_LOG.h>
#include "helper-iptables.h"
#include "stc-iptables-util.h"
#define IPTC_CGROUP "cgroup"
#define IPTC_NFACCT "nfacct"
#define IPTC_IPRANGE "iprange"
+#define IPTC_LOG "LOG"
+#define IPTC_NFLOG "NFLOG"
#define IPTC_MASK "255.255.255.255"
typedef struct xt_nfacct_match_info ipt_nfacct_info_t;
typedef struct xt_iprange_mtinfo ipt_iprange_info_t;
+/* target */
+typedef struct ipt_log_info ipt_log_info_t;
+typedef struct xt_nflog_info ipt_nflog_info_t;
+
#define SIZE_ENTRY IPT_ALIGN(sizeof(ipt_entry_t))
#define SIZE_TCP_MATCH IPT_ALIGN(sizeof(ipt_entry_match_t)) + IPT_ALIGN(sizeof(ipt_tcp_info_t))
#define SIZE_UDP_MATCH IPT_ALIGN(sizeof(ipt_entry_match_t)) + IPT_ALIGN(sizeof(ipt_udp_info_t))
#define SIZE_NFACCT_MATCH IPT_ALIGN(sizeof(ipt_entry_match_t)) + IPT_ALIGN(sizeof(ipt_nfacct_info_t))
#define SIZE_IPRANGE_MATCH IPT_ALIGN(sizeof(ipt_entry_match_t)) + IPT_ALIGN(sizeof(ipt_iprange_info_t))
#define SIZE_TARGET IPT_ALIGN(sizeof(ipt_entry_target_t)) + IPT_ALIGN(sizeof(int))
+#define SIZE_TARGET_LOG IPT_ALIGN(sizeof(ipt_log_info_t))
+#define SIZE_TARGET_NFLOG IPT_ALIGN(sizeof(ipt_nflog_info_t))
#define SIZE_TOTAL SIZE_ENTRY + SIZE_TCP_MATCH + SIZE_UDP_MATCH + SIZE_CGROUP_MATCH \
- + SIZE_NFACCT_MATCH + SIZE_IPRANGE_MATCH + SIZE_TARGET
+ + SIZE_NFACCT_MATCH + SIZE_IPRANGE_MATCH + SIZE_TARGET \
+ + SIZE_TARGET_LOG + SIZE_TARGET_NFLOG
static unsigned int __add_match(const char *name, ipt_entry_match_t *start, size_t size, void *data)
{
return match->u.match_size;
}
+static unsigned int __add_target(const char *name, ipt_entry_target_t *start, size_t size, void *data)
+{
+ ipt_entry_target_t *target = start;
+
+ target->u.target_size = IPT_ALIGN(sizeof(ipt_entry_target_t)) + IPT_ALIGN(size);
+
+ g_strlcpy(target->u.user.name, name, XT_EXTENSION_MAXNAMELEN);
+ memcpy(target->data, data, size);
+
+ return target->u.target_size;
+}
+
static unsigned int __add_iprange_match(iptables_ip_type_e sip_type,
struct in_addr sip1, struct in_addr sip2, iptables_ip_type_e dip_type,
struct in_addr dip1, struct in_addr dip2, ipt_entry_match_t *start)
return __add_match(IPTC_NFACCT, start, sizeof(ipt_nfacct_info_t), &nfacct);
}
+static unsigned int __add_log_target(unsigned char level, const char *prefix,
+ ipt_entry_target_t *start)
+{
+ /* log => "--log-level --log-prefix" */
+ ipt_log_info_t log;
+ memset(&log, 0, sizeof(ipt_log_info_t));
+ log.level = level;
+ g_strlcpy(log.prefix, prefix, 30);
+ /* target_log */
+ return __add_target(IPTC_LOG, start, sizeof(ipt_log_info_t), &log);
+}
+
+static unsigned int __add_nflog_target(unsigned int group, const char *prefix,
+ unsigned int range, unsigned int threshold, ipt_entry_target_t *start)
+{
+ /* nflog => "--nflog-group --nflog-prefix --nflog-range --nflog-threshold" */
+ ipt_nflog_info_t nflog;
+ memset(&nflog, 0, sizeof(ipt_nflog_info_t));
+ nflog.group = group;
+ g_strlcpy(nflog.prefix, prefix, 64);
+ nflog.len = range;
+ nflog.threshold = threshold;
+ /* target_nflog */
+ return __add_target(IPTC_NFLOG, start, sizeof(ipt_nflog_info_t), &nflog);
+}
+
static int __create_entry_data(unsigned char *entry, unsigned char *mask,
iptables_rule_s *rule)
{
e->next_offset = SIZE_ENTRY;
size_mask = sizeof(ipt_entry_t);
- if (rule->ifname) {
+ if (rule->ifname && rule->ifname[0] != '\0') {
switch (rule->direction) {
case IPTABLES_DIRECTION_IN:
/* -i wlan0 */
}
/* -m nfacct --nfacct-name c2_1_33_seth_w0 */
- if (rule->nfacct_name) {
+ if (rule->nfacct_name && rule->nfacct_name[0] != '\0') {
size_match += __add_nfacct_match(rule->nfacct_name,
(ipt_entry_match_t *) (e->elems + size_match));
size_mask += sizeof(ipt_entry_match_t);
/* target => "-j ACCEPT" */
target = (ipt_entry_target_t *) (e->elems + size_match);
- target->u.target_size = SIZE_TARGET;
- if (rule->target) {
- g_strlcpy(target->u.user.name, rule->target, XT_EXTENSION_MAXNAMELEN);
+ switch (rule->target_type) {
+ case IPTABLES_ACTION_LOG:
+ e->next_offset += __add_log_target(rule->log_level, rule->log_prefix, target);
+ break;
+ case IPTABLES_ACTION_NFLOG:
+ e->next_offset += __add_nflog_target(rule->nflog_group,
+ rule->nflog_prefix, rule->nflog_range, rule->nflog_threshold, target);
+ break;
+ default:
+ target->u.target_size = SIZE_TARGET;
+ if (rule->target && rule->target[0] != '\0')
+ g_strlcpy(target->u.user.name, rule->target, XT_EXTENSION_MAXNAMELEN);
e->next_offset += SIZE_TARGET;
+ break;
}
memset(mask, 0xFF, size_mask);
IPTABLES_ACTION_NONE,
IPTABLES_ACTION_ACCEPT,
IPTABLES_ACTION_DROP,
- IPTABLES_ACTION_LOG
+ IPTABLES_ACTION_LOG,
+ IPTABLES_ACTION_NFLOG,
} iptables_target_action_e;
typedef struct {
int classid;
char *nfacct_name;
char *target;
+ iptables_target_action_e target_type;
+ unsigned char log_level;
+ char *log_prefix;
+ unsigned int nflog_group;
+ char *nflog_prefix;
+ unsigned int nflog_range;
+ unsigned int nflog_threshold;
} iptables_rule_s;
/**
#define RULE_NFACCT "nfacct"
#define RULE_PROTOCOL "protocol"
#define RULE_TARGET "target"
+#define RULE_TARGETTYPE "target_type"
#define RULE_FAMILY "family"
#define RULE_SIPTYPE "s_ip_type"
#define RULE_DPORT1 "d_port1"
#define RULE_DPORT2 "d_port2"
+#define RULE_LOG_LEVEL "log_level"
+#define RULE_LOG_PREFIX "log_prefix"
+#define RULE_NFLOG_GROUP "nflog_group"
+#define RULE_NFLOG_PREFIX "nflog_prefix"
+#define RULE_NFLOG_RANGE "nflog_range"
+#define RULE_NFLOG_THRESHOLD "nflog_threshold"
+
#define STC_IPTABLES_DBUS_ERROR_NAME "net.stc.iptables.Error.Failed"
#define STC_IPTABLES_DBUS_REPLY(invocation, parameters) \
STC_LOGD("%s: [%u]", RULE_DPORTTYPE, rule->d_port_type);
} else if (!g_strcmp0(key, RULE_SIP1)) {
- rule->s_ip1.s_addr = g_variant_get_uint32(value);
- STC_LOGD("%s: [%08x]", RULE_SIP1, rule->s_ip1.s_addr);
+ if (rule->s_ip_type != IPTABLES_IP_NONE) {
+ rule->s_ip1.s_addr = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%08x]", RULE_SIP1, rule->s_ip1.s_addr);
+ }
} else if (!g_strcmp0(key, RULE_SIP2)) {
- rule->s_ip2.s_addr = g_variant_get_uint32(value);
- STC_LOGD("%s: [%08x]", RULE_SIP2, rule->s_ip2.s_addr);
+ if (rule->s_ip_type != IPTABLES_IP_NONE) {
+ rule->s_ip2.s_addr = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%08x]", RULE_SIP2, rule->s_ip2.s_addr);
+ }
} else if (!g_strcmp0(key, RULE_DIP1)) {
- rule->d_ip1.s_addr = g_variant_get_uint32(value);
- STC_LOGD("%s: [%08x]", RULE_DIP1, rule->d_ip1.s_addr);
+ if (rule->d_ip_type != IPTABLES_IP_NONE) {
+ rule->d_ip1.s_addr = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%08x]", RULE_DIP1, rule->d_ip1.s_addr);
+ }
} else if (!g_strcmp0(key, RULE_DIP2)) {
- rule->d_ip2.s_addr = g_variant_get_uint32(value);
- STC_LOGD("%s: [%08x]", RULE_DIP2, rule->d_ip2.s_addr);
+ if (rule->d_ip_type != IPTABLES_IP_NONE) {
+ rule->d_ip2.s_addr = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%08x]", RULE_DIP2, rule->d_ip2.s_addr);
+ }
} else if (!g_strcmp0(key, RULE_SPORT1)) {
- rule->s_port1 = g_variant_get_uint32(value);
- STC_LOGD("%s: [%04x]", RULE_SPORT1, rule->s_port1);
+ if (rule->s_ip_type != IPTABLES_IP_NONE) {
+ rule->s_port1 = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%04x]", RULE_SPORT1, rule->s_port1);
+ }
} else if (!g_strcmp0(key, RULE_SPORT2)) {
- rule->s_port2 = g_variant_get_uint32(value);
- STC_LOGD("%s: [%04x]", RULE_SPORT2, rule->s_port2);
+ if (rule->s_ip_type != IPTABLES_IP_NONE) {
+ rule->s_port2 = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%04x]", RULE_SPORT2, rule->s_port2);
+ }
} else if (!g_strcmp0(key, RULE_DPORT1)) {
- rule->d_port1 = g_variant_get_uint32(value);
- STC_LOGD("%s: [%04x]", RULE_DPORT1, rule->d_port1);
+ if (rule->d_ip_type != IPTABLES_IP_NONE) {
+ rule->d_port1 = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%04x]", RULE_DPORT1, rule->d_port1);
+ }
} else if (!g_strcmp0(key, RULE_DPORT2)) {
- rule->d_port2 = g_variant_get_uint32(value);
- STC_LOGD("%s: [%04x]", RULE_DPORT2, rule->d_port2);
+ if (rule->d_ip_type != IPTABLES_IP_NONE) {
+ rule->d_port2 = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%04x]", RULE_DPORT2, rule->d_port2);
+ }
} else if (!g_strcmp0(key, RULE_IFNAME)) {
- gsize len = 0;
- rule->ifname = g_variant_dup_string(value, &len);
- STC_LOGD("%s: [%s]", RULE_IFNAME, rule->ifname);
+ if (rule->direction != IPTABLES_DIRECTION_NONE) {
+ gsize len = 0;
+ rule->ifname = g_variant_dup_string(value, &len);
+ STC_LOGD("%s: [%s]", RULE_IFNAME, rule->ifname);
+ }
} else if (!g_strcmp0(key, RULE_CGROUP)) {
rule->classid = g_variant_get_uint32(value);
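Review bot: The new guards make the parse result depend on the order in which keys arrive: `s_ip1`/`s_port1` are only stored when `s_ip_type` has already been seen (L319-L371) and `ifname` only when `direction` has (L376-L380), but an `a{sv}` dictionary iterates in the order the sender built it, so a client that emits `s_ip1` before `s_ip_type` silently loses the address and the rule is installed without the intended match. The same gating on `target_type` is applied to the LOG/NFLOG keys at L389-L425. I would store every value unconditionally and apply the type/direction checks once after the loop (or rely on `__create_entry_data`, which already dispatches on `target_type`), which is also what the IPv6 handler at L432-L461 does for the new keys; the enclosing loop starts outside the hunk.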
rule->target = g_variant_dup_string(value, &len);
STC_LOGD("%s: [%s]", RULE_TARGET, rule->target);
+ } else if (!g_strcmp0(key, RULE_TARGETTYPE)) {
+ rule->target_type = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_TARGETTYPE, rule->target_type);
+
+ } else if (!g_strcmp0(key, RULE_LOG_LEVEL)) {
+ if (rule->target_type == IPTABLES_ACTION_LOG) {
+ rule->log_level = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_LOG_LEVEL, rule->log_level);
+ }
+
+ } else if (!g_strcmp0(key, RULE_LOG_PREFIX)) {
+ if (rule->target_type == IPTABLES_ACTION_LOG) {
+ gsize len = 0;
+ rule->log_prefix = g_variant_dup_string(value, &len);
+ STC_LOGD("%s: [%s]", RULE_LOG_PREFIX, rule->log_prefix);
+ }
+
+ } else if (!g_strcmp0(key, RULE_NFLOG_GROUP)) {
+ if (rule->target_type == IPTABLES_ACTION_NFLOG) {
+ rule->nflog_group = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_NFLOG_GROUP, rule->nflog_group);
+ }
+
+ } else if (!g_strcmp0(key, RULE_NFLOG_PREFIX)) {
+ if (rule->target_type == IPTABLES_ACTION_NFLOG) {
+ gsize len = 0;
+ rule->nflog_prefix = g_variant_dup_string(value, &len);
+ STC_LOGD("%s: [%s]", RULE_NFLOG_PREFIX, rule->nflog_prefix);
+ }
+
+ } else if (!g_strcmp0(key, RULE_NFLOG_RANGE)) {
+ if (rule->target_type == IPTABLES_ACTION_NFLOG) {
+ rule->nflog_range = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_NFLOG_RANGE, rule->nflog_range);
+ }
+
+ } else if (!g_strcmp0(key, RULE_NFLOG_THRESHOLD)) {
+ if (rule->target_type == IPTABLES_ACTION_NFLOG) {
+ rule->nflog_threshold = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_NFLOG_THRESHOLD, rule->nflog_threshold);
+ }
+
} else {
STC_LOGD("Unknown rule [%s]", key); //LCOV_EXCL_LINE
}
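Review bot: The new numeric keys are read with `g_variant_get_uint16` and stored without validation: `log_level` is narrowed into an `unsigned char` and the kernel LOG target rejects levels above 7 at insert time, `nflog_group`/`nflog_threshold` land in 16-bit `xt_nflog_info` fields, and `target_type` is used as an enum value with no range check, so a bad value only surfaces as a late EINVAL from the commit rather than a clear parse error. `g_variant_get_uint16` also only `g_return_val_if_fail`s when the sender used another variant type, so I would check `g_variant_is_of_type(value, G_VARIANT_TYPE_UINT16)` before reading, log and skip the key otherwise, and reject `log_level > 7` and any `target_type` beyond `IPTABLES_ACTION_NFLOG` here. The IPv6 handler at L432-L461 reads the same keys without the `target_type` gating, so the two handlers currently disagree on which combinations are accepted; whichever rule is chosen should apply to both.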
rule->target = g_variant_dup_string(value, &len);
STC_LOGD("%s: [%s]", RULE_TARGET, rule->target);
+ } else if (!g_strcmp0(key, RULE_TARGETTYPE)) {
+ rule->target_type = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_TARGETTYPE, rule->target_type);
+
+ } else if (!g_strcmp0(key, RULE_LOG_LEVEL)) {
+ rule->log_level = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_LOG_LEVEL, rule->log_level);
+
+ } else if (!g_strcmp0(key, RULE_LOG_PREFIX)) {
+ gsize len = 0;
+ rule->log_prefix = g_variant_dup_string(value, &len);
+ STC_LOGD("%s: [%s]", RULE_LOG_PREFIX, rule->log_prefix);
+
+ } else if (!g_strcmp0(key, RULE_NFLOG_GROUP)) {
+ rule->nflog_group = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_NFLOG_GROUP, rule->nflog_group);
+
+ } else if (!g_strcmp0(key, RULE_NFLOG_PREFIX)) {
+ gsize len = 0;
+ rule->nflog_prefix = g_variant_dup_string(value, &len);
+ STC_LOGD("%s: [%s]", RULE_NFLOG_PREFIX, rule->nflog_prefix);
+
+ } else if (!g_strcmp0(key, RULE_NFLOG_RANGE)) {
+ rule->nflog_range = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_NFLOG_RANGE, rule->nflog_range);
+
+ } else if (!g_strcmp0(key, RULE_NFLOG_THRESHOLD)) {
+ rule->nflog_threshold = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_NFLOG_THRESHOLD, rule->nflog_threshold);
+
} else {
STC_LOGD("Unknown rule [%s]", key); //LCOV_EXCL_LINE
}
FREE(rule->ifname);
FREE(rule->nfacct_name);
FREE(rule->target);
+ FREE(rule->log_prefix);
+ FREE(rule->nflog_prefix);
+ FREE(rule);
}
static void __free_6_rule(ip6tables_rule_s *rule)
FREE(rule->ifname);
FREE(rule->nfacct_name);
FREE(rule->target);
+ FREE(rule->log_prefix);
+ FREE(rule->nflog_prefix);
+ FREE(rule);
}
gboolean handle_iptables_stop(StcManager *object,
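Review bot: `FREE(rule)` now releases the rule struct itself inside `__free_rule` and `__free_6_rule`, but the allocation side is not in this diff, so every caller must obtain the rule from the heap and must not touch it after the call; if any caller still uses a stack or embedded `iptables_rule_s`, this becomes an invalid free. Worth a one-line contract comment on both functions, `/* Releases every owned string and the rule itself; rule must come from g_malloc/g_new. */`, and a decision on whether `rule` may be NULL on an error path, since the member accesses above it (L465-L467, L473-L475) dereference it first. `__free_rule`'s header is outside the hunk.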
} ipt_rule_s;
static char g_rule_chain[MENU_DATA_SIZE] = "STC_CHAIN";
-static char g_rule_direction[MENU_DATA_SIZE] = "0";
+static char g_rule_direction[MENU_DATA_SIZE] = "1";
static char g_rule_ifname[MENU_DATA_SIZE] = "seth_w0";
static char g_rule_cgroup[MENU_DATA_SIZE] = "0";
static char g_rule_nfacct[MENU_DATA_SIZE] = "";
static char g_rule_s_port1[MENU_DATA_SIZE] = "80";
static char g_rule_s_port2[MENU_DATA_SIZE] = "0";
static char g_rule_d_port_type[MENU_DATA_SIZE] = "2";
-static char g_rule_d_port1[MENU_DATA_SIZE] = "0";
+static char g_rule_d_port1[MENU_DATA_SIZE] = "10024";
static char g_rule_d_port2[MENU_DATA_SIZE] = "59136";
/* ipv6 */
static char g_rule_s_ip6_type[MENU_DATA_SIZE] = "2";
static struct menu_data menu_set[] = {
{ "1", "chain name", NULL, NULL, g_rule_chain},
- { "2", "direction (0.IN/1.OUT)", NULL, NULL, g_rule_direction},
+ { "2", "direction (0.None/1.IN/2.OUT)", NULL, NULL, g_rule_direction},
{ "3", "interface name", NULL, NULL, g_rule_ifname},
{ "4", "family", NULL, NULL, g_rule_family},
{ "5", "[IPv4]", menu_set_ipv4, NULL, NULL},