9 #include <sys/socket.h>
/*
 * Name of the unix socket used as the global xtables lock (see
 * xtables_lock() below: the name is copied to sun_path+1, leaving the
 * first byte of sun_path NUL, i.e. the socket lives in the Linux abstract
 * namespace and never touches the filesystem).
 *
 * XT_SOCKET_LEN is that leading NUL byte plus strlen("xtables") == 8.  It
 * must be kept in sync with XT_SOCKET_NAME by hand, because bind() is
 * given offsetof(struct sockaddr_un, sun_path) + XT_SOCKET_LEN as the
 * address length rather than sizeof(struct sockaddr_un).
 *
 * NOTE(review): the abstract socket namespace carries no ownership or
 * permission bits -- any local process in the same network namespace can
 * bind() this name first and thereby "hold" the lock, so an unprivileged
 * user can make every iptables invocation block in the wait loop (or,
 * when wait is false, presumably fail).  A root-owned lock file taken
 * with flock() would not be squattable this way; worth considering.
 */
15 #define XT_SOCKET_NAME "xtables"
16 #define XT_SOCKET_LEN 8
19 * Print out any extension-specific help text. A user might like to be able to add a --help
20 * to the commandline, and see expected results. So we call help for all
21 * specified matches and targets.
/*
 * Print the per-extension help for every target in the list @t and every
 * match in the list @m.  Both lists are walked through their ->next
 * pointers.  An entry without a help callback is reported as taking no
 * options instead of being silently skipped (the target branch presumably
 * tests t->help the same way m->match->help is tested below; that line
 * is not shown here).  Neither list is modified.
 */
23 void print_extension_helps(const struct xtables_target *t,
24 const struct xtables_rule_match *m)
26 for (; t != NULL; t = t->next) {
/* No help callback: say so explicitly rather than print nothing. */
30 printf("%s does not take any options\n",
36 for (; m != NULL; m = m->next) {
/* Rule-match entries wrap the extension; the callback lives on m->match. */
38 if (m->match->help == NULL)
39 printf("%s does not take any options\n",
/*
 * Map an L4 protocol number to a protocol name.
 *
 * @proto:    protocol number (0 is treated as "no protocol" and never
 *            looked up in the system database).
 * @nolookup: when non-zero -- callers pass cs->options & OPT_NUMERIC,
 *            i.e. the -n flag -- the libc protocol database is not
 *            consulted and only the built-in xtables_chain_protos table
 *            is searched.  This keeps -n free of NSS/database access.
 *
 * Lookup order: getprotobynumber() first (result handling is on the lines
 * not shown), then the built-in table, which is terminated by a NULL
 * ->name.  The table hit returns the entry's static ->name; note that
 * getprotobynumber() returns a pointer to libc-static storage that a later
 * call overwrites, so a caller should not hold on to that string across
 * further lookups.  Return type and the no-match return are on lines
 * outside this view.
 */
47 proto_to_name(uint8_t proto, int nolookup)
51 if (proto && !nolookup) {
52 struct protoent *pent = getprotobynumber(proto);
/* Fallback: built-in table, independent of the system protocol database. */
57 for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
58 if (xtables_chain_protos[i].num == proto)
59 return xtables_chain_protos[i].name;
/*
 * Resolve a "-p" argument to its protocol match extension.
 *
 * @pname:   the user-supplied protocol, either numeric or a name.
 * @tryload: XTF_TRY_LOAD to load a missing extension, XTF_DONT_LOAD to
 *           only probe for it (see should_load_proto()).
 * @nolookup: forwarded to proto_to_name(); non-zero under -n.
 * @matches: list a loaded match is recorded in; callers pass NULL when
 *           they only want to probe.
 *
 * A numeric @pname is accepted only if xtables_strtoui() parses it within
 * [0, UINT8_MAX] (presumably returning true on success); it is then
 * converted to a name with proto_to_name() before the match lookup, so a
 * number the user typed never reaches xtables_find_match() directly.
 * Anything else is looked up by name as-is.  Returns NULL when no
 * extension is found.  The lines between the numeric branch and the
 * by-name lookup are not shown here.
 */
64 static struct xtables_match *
65 find_proto(const char *pname, enum xtables_tryload tryload,
66 int nolookup, struct xtables_rule_match **matches)
70 if (xtables_strtoui(pname, NULL, &proto, 0, UINT8_MAX)) {
71 const char *protoname = proto_to_name(proto, nolookup);
74 return xtables_find_match(protoname, tryload, matches);
76 return xtables_find_match(pname, tryload, matches);
82 * Some explanations (after four different bugs in 3 different releases): If
83 * we encounter a parameter, that has not been parsed yet, it's not an option
84 * of an explicitly loaded match or a target. However, we support implicit
85 * loading of the protocol match extension. '-p tcp' means 'l4 proto 6' and at
86 * the same time 'load tcp protocol match on demand if we specify --dport'.
88 * To make this work, we need to make sure:
89 * - the parameter has not been parsed by a match (m above)
90 * - a protocol has been specified
91 * - the protocol extension has not been loaded yet, or is loaded and unused
92 * [think of ip6tables-restore!]
93 * - the protocol extension can be successfully loaded
/*
 * Decide whether an unrecognised option should trigger implicit loading
 * of the "-p" protocol match (rationale in the comment above).
 *
 * Returns false if no protocol was given, false if no extension exists
 * for it -- probed with XTF_DONT_LOAD and a NULL match list, so this
 * function loads nothing and appends nothing to cs->matches -- and
 * otherwise true exactly when the protocol match has not already been
 * consumed (cs->proto_used).  The two early "return false" statements are
 * on lines not shown here.
 */
95 static bool should_load_proto(struct iptables_command_state *cs)
97 if (cs->protocol == NULL)
/* Probe only: XTF_DONT_LOAD, and no list to record a match in. */
99 if (find_proto(cs->protocol, XTF_DONT_LOAD,
100 cs->options & OPT_NUMERIC, NULL) == NULL)
102 return !cs->proto_used;
/*
 * Load the "-p" protocol match on demand and record it in cs->matches.
 *
 * Returns NULL when should_load_proto() declines (the "return NULL" is on
 * a line not shown) or when find_proto() cannot find/load the extension.
 * Passes cs->options & OPT_NUMERIC through so that under -n no system
 * protocol-database lookup is performed.
 */
105 struct xtables_match *load_proto(struct iptables_command_state *cs)
107 if (!should_load_proto(cs))
109 return find_proto(cs->protocol, XTF_TRY_LOAD,
110 cs->options & OPT_NUMERIC, &cs->matches);
/*
 * Handle a getopt option (cs->c) that the core parser did not recognise.
 *
 * Every loaded extension owns a window of option indices starting at its
 * option_offset and XT_OPTION_OFFSET_SCALE wide.  The option is dispatched
 * in this order:
 *   1. to the target, if it has a parser and cs->c is inside its window;
 *   2. to the first loaded, not-yet-completed match with a parser whose
 *      window contains cs->c;
 *   3. otherwise the "-p" protocol match is loaded on demand (load_proto()),
 *      its match entry allocated and its options merged into gl->opts, and
 *      getopt is re-run on the same argument (the "optind--; return 1;"
 *      is on lines not shown);
 *   4. failing all of that, a fatal PARAMETER_PROBLEM is raised.
 *
 * @cs: per-invocation command state (options, matches, target, rule).
 * @gl: xtables globals holding the option tables that get extended.
 * Return value is on lines not shown (presumably 0 after a successful
 * dispatch, 1 to request an immediate getopt rerun).
 */
113 int command_default(struct iptables_command_state *cs,
114 struct xtables_globals *gl)
116 struct xtables_rule_match *matchp;
117 struct xtables_match *m;
/* 1. Target first: it must have a parser and own this option index. */
119 if (cs->target != NULL &&
120 (cs->target->parse != NULL || cs->target->x6_parse != NULL) &&
121 cs->c >= cs->target->option_offset &&
122 cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) {
123 xtables_option_tpcall(cs->c, cs->argv, cs->invert,
124 cs->target, &cs->fw);
/*
 * 2. Then each loaded match.  `m` is presumably set to matchp->match on a
 * line not shown; completed matches and matches without any parser are
 * skipped, as are those whose option window does not contain cs->c.
 */
128 for (matchp = cs->matches; matchp; matchp = matchp->next) {
131 if (matchp->completed ||
132 (m->x6_parse == NULL && m->parse == NULL))
134 if (cs->c < matchp->match->option_offset ||
135 cs->c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
137 xtables_option_mpcall(cs->c, cs->argv, cs->invert, m, &cs->fw);
141 /* Try loading protocol */
/*
 * 3. Build the match entry for the implicitly loaded protocol match.
 * size covers the aligned header plus the extension's private data;
 * xtables_calloc() is assumed to abort on allocation failure (not shown).
 */
148 size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
150 m->m = xtables_calloc(1, size);
151 m->m->u.match_size = size;
/*
 * NOTE(review): unbounded strcpy into the fixed-size u.user.name field.
 * This is only safe because extension names are bounded when the
 * extension is registered (not visible here); a bounded copy would make
 * that invariant local to this line rather than relying on the registry.
 */
152 strcpy(m->m->u.user.name, m->name);
153 m->m->u.user.revision = m->revision;
/*
 * Merge the new match's options into the global getopt table.  Which
 * merge routine is used depends on whether the extension uses the newer
 * x6_options table or the legacy extra_opts (argument lines not shown).
 */
156 if (m->x6_options != NULL)
157 gl->opts = xtables_options_xfrm(gl->orig_opts,
162 gl->opts = xtables_merge_options(gl->orig_opts,
166 if (gl->opts == NULL)
167 xtables_error(OTHER_PROBLEM, "can't alloc memory!");
169 /* Indicate to rerun getopt *immediately* */
/*
 * 4. Nothing claimed the option: fatal.  ':' and '?' are getopt's
 * missing-argument / unknown-option codes (the tests on cs->c are on lines
 * not shown); the offending argv entry is reported through a fixed "%s"
 * format, so user-controlled text never becomes a format string.
 */
174 xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
175 "requires an argument", cs->argv[optind-1]);
177 xtables_error(PARAMETER_PROBLEM, "unknown option "
178 "\"%s\"", cs->argv[optind-1]);
179 xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
/*
 * Look @cmd up in the subcommand table @cb, which is terminated by an
 * entry with a NULL ->name, using an exact strcmp() match.  Returns that
 * entry's main function (the return is on a line not shown) or NULL when
 * no entry matches.  @cmd is compared only, never dereferenced beyond
 * the comparison, so an arbitrary string is safe to pass.
 */
183 static mainfunc_t subcmd_get(const char *cmd, const struct subcommand *cb)
185 for (; cb->name != NULL; ++cb)
186 if (strcmp(cb->name, cmd) == 0)
/*
 * Multi-call binary entry point.  Select the subcommand from the program
 * name (basename of argv[0]); if that yields nothing and there is at least
 * one argument, retry with the next argv entry (argc/argv are presumably
 * shifted by one on the lines not shown before the second lookup).  On
 * success the subcommand's main runs with the (possibly shifted) argc/argv
 * and its result is returned; otherwise the valid names are listed on
 * stderr (the final return value is on a line not shown).
 *
 * argv[0] is chosen by whoever exec()s this binary and is therefore
 * untrusted; it is only ever strcmp()'d against the fixed @cb table and is
 * never used to form a path or execute anything, which is what makes the
 * name-based dispatch safe.
 *
 * NOTE(review): POSIX basename() may modify its argument in place, while
 * the GNU <string.h> variant does not; which one is in effect depends on
 * the includes, which are not all visible here.
 */
191 int subcmd_main(int argc, char **argv, const struct subcommand *cb)
193 const char *cmd = basename(*argv);
194 mainfunc_t f = subcmd_get(cmd, cb);
196 if (f == NULL && argc > 1) {
198 * Unable to find a main method for our command name?
199 * Let's try again with the first argument!
203 f = subcmd_get(*argv, cb);
206 /* now we should have a valid function pointer */
208 return f(argc, argv);
/* Neither the program name nor the first argument named a subcommand. */
210 fprintf(stderr, "ERROR: No valid subcommand given.\nValid subcommands:\n");
211 for (; cb->name != NULL; ++cb)
212 fprintf(stderr, " * %s\n", cb->name);
/*
 * Prepare a target extension instance for use: allocate its zeroed
 * per-instance user data (udata) when the extension asks for some, then
 * run the extension's optional init callback on the target entry
 * (target->t, which must already be set up by the caller).
 *
 * Allocation failure is fatal via xtables_error(RESOURCE_PROBLEM), which
 * presumably does not return; there is no fallback path.  Any previous
 * udata is expected to be released on a line not shown, mirroring the
 * comment in xs_init_match().
 */
216 void xs_init_target(struct xtables_target *target)
218 if (target->udata_size != 0) {
/* Zeroed so extensions can rely on a clean per-instance state. */
220 target->udata = calloc(1, target->udata_size);
221 if (target->udata == NULL)
222 xtables_error(RESOURCE_PROBLEM, "malloc");
224 if (target->init != NULL)
225 target->init(target->t);
/*
 * Prepare a match extension instance for use: allocate its zeroed
 * per-instance user data (udata) when the extension asks for some, then
 * run the extension's optional init callback on the match entry (match->m,
 * which the caller must already have allocated -- see command_default()).
 *
 * The comment inside explains why the previous udata may simply be
 * released (the free itself is on a line not shown): a second "-m foo"
 * makes the first instance's state unreachable.  Allocation failure is
 * fatal via xtables_error(RESOURCE_PROBLEM), presumably non-returning.
 */
228 void xs_init_match(struct xtables_match *match)
230 if (match->udata_size != 0) {
232 * As soon as a subsequent instance of the same match
233 * is used, e.g. "-m time -m time", the first instance
234 * is no longer reachable anyway, so we can free udata.
235 * Same goes for target.
/* Zeroed so extensions can rely on a clean per-instance state. */
238 match->udata = calloc(1, match->udata_size);
239 if (match->udata == NULL)
240 xtables_error(RESOURCE_PROBLEM, "malloc");
242 if (match->init != NULL)
243 match->init(match->m);
246 bool xtables_lock(bool wait)
248 int i = 0, ret, xt_socket;
249 struct sockaddr_un xt_addr;
251 memset(&xt_addr, 0, sizeof(xt_addr));
252 xt_addr.sun_family = AF_UNIX;
253 strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME);
254 xt_socket = socket(AF_UNIX, SOCK_STREAM, 0);
255 /* If we can't even create a socket, fall back to prior (lockless) behavior */
260 ret = bind(xt_socket, (struct sockaddr*)&xt_addr,
261 offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN);
264 else if (wait == false)
267 fprintf(stderr, "Another app is currently holding the xtables lock; "
268 "waiting for it to exit...\n");