5 * Copyright (C) 2007-2013 Intel Corporation. All rights reserved.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
32 #include <sys/socket.h>
37 #include <linux/netfilter_ipv4/ip_tables.h>
38 #include <linux/netfilter_ipv6/ip6_tables.h>
41 #include "src/shared/util.h"
44 * Some comments on how the iptables API works (some of them from the
45 * source code from iptables and the kernel):
47 * - valid_hooks: bit indicates valid IDs for hook_entry
48 * - hook_entry[ID] offset to the chain start
49 * - overflows should be end of entry chains, and uncodintional policy nodes.
50 * - policy entry: last entry in a chain
51 * - user chain: end of last builtin + policy entry
52 * - final entry must be error node
53 * - Underflows must be unconditional and use the STANDARD target with
55 * - IPT_SO_GET_INFO and IPT_SO_GET_ENTRIES are used to read a table
56 * - IPT_SO_GET_INFO: struct ipt_getinfo (note the lack of table content)
57 * - IPT_SO_GET_ENTRIES: struct ipt_get_entries (contains only parts of the
58 * table header/meta info. The table is appended after the header. The entries
59 * are of the type struct ipt_entry.
60 * - After the ipt_entry the matches are appended. After the matches
61 * the target is appended.
62 * - ipt_entry->target_offset = Size of ipt_entry + matches
63 * - ipt_entry->next_offset = Size of ipt_entry + matches + target
64 * - IPT_SO_SET_REPLACE is used to write a table (contains the complete
65 * - hook_entry and overflow mark the beginning and the end of a chain, e.g
66 * entry hook: pre/in/fwd/out/post -1/0/352/504/-1
67 * underflow: pre/in/fwd/out/post -1/200/352/904/-1
68 * means that INPUT starts at offset 0 and ends at 200 (the start offset to
69 * the last element). FORWARD has one entry starting/ending at 352. The entry
70 * has a size of 152. 352 + 152 = 504 which is the start of the OUTPUT chain
71 * which then ends at 904. PREROUTING and POSTROUTING are invalid hooks in
73 * - 'iptables -t filter -A INPUT -m mark --mark 999 -j LOG'
74 * writing that table looks like this:
76 * filter valid_hooks 0x0000000e num_entries 5 size 856
77 * entry hook: pre/in/fwd/out/post -1/0/376/528/-1
78 * underflow: pre/in/fwd/out/post -1/224/376/528/-1
79 * entry 0x699d30 offset 0 size 224
80 * RULE match 0x699da0 target 0x699dd0
81 * match mark match 0x3e7
82 * target LOG flags 0 level 4
85 * entry 0x699e10 offset 224 size 152
86 * RULE match 0x699e80 target 0x699e80
90 * entry 0x699ea8 offset 376 size 152
91 * RULE match 0x699f18 target 0x699f18
95 * entry 0x699f40 offset 528 size 152
96 * RULE match 0x699fb0 target 0x699fb0
100 * entry 0x699fd8 offset 680 size 176
101 * USER CHAIN (ERROR) match 0x69a048 target 0x69a048
103 * Reading the filter table looks like this:
105 * filter valid_hooks 0x0000000e num_entries 5 size 856
106 * entry hook: pre/in/fwd/out/post -1/0/376/528/-1
107 * underflow: pre/in/fwd/out/post -1/224/376/528/-1
108 * entry 0x25fec28 offset 0 size 224
109 * CHAIN (INPUT) match 0x25fec98 target 0x25fecc8
110 * match mark match 0x3e7
111 * target LOG flags 0 level 4
112 * src 0.0.0.0/0.0.0.0
113 * dst 0.0.0.0/0.0.0.0
114 * entry 0x25fed08 offset 224 size 152
115 * RULE match 0x25fed78 target 0x25fed78
117 * src 0.0.0.0/0.0.0.0
118 * dst 0.0.0.0/0.0.0.0
119 * entry 0x25feda0 offset 376 size 152
120 * CHAIN (FORWARD) match 0x25fee10 target 0x25fee10
122 * src 0.0.0.0/0.0.0.0
123 * dst 0.0.0.0/0.0.0.0
124 * entry 0x25fee38 offset 528 size 152
125 * CHAIN (OUTPUT) match 0x25feea8 target 0x25feea8
127 * src 0.0.0.0/0.0.0.0
128 * dst 0.0.0.0/0.0.0.0
129 * entry 0x25feed0 offset 680 size 176
134 * Values for the index values used here are defined as equal for both IPv4
135 * and IPv6 (NF_IP_* and NF_IP6_*) in Netfilter headers.
137 static const char *hooknames[] = {
138 [NF_IP_PRE_ROUTING] = "PREROUTING",
139 [NF_IP_LOCAL_IN] = "INPUT",
140 [NF_IP_FORWARD] = "FORWARD",
141 [NF_IP_LOCAL_OUT] = "OUTPUT",
142 [NF_IP_POST_ROUTING] = "POSTROUTING",
145 #define LABEL_ACCEPT "ACCEPT"
146 #define LABEL_DROP "DROP"
147 #define LABEL_QUEUE "QUEUE"
148 #define LABEL_RETURN "RETURN"
150 #define XT_OPTION_OFFSET_SCALE 256
152 struct connman_iptables_entry {
158 struct ipt_entry *entry;
159 struct ip6t_entry *entry6;
162 struct connman_iptables {
167 struct ipt_getinfo *info;
168 struct ipt_get_entries *blob_entries;
169 struct ip6t_getinfo *info6;
170 struct ip6t_get_entries *blob_entries6;
172 unsigned int num_entries;
173 unsigned int old_entries;
176 unsigned int underflow[NF_INET_NUMHOOKS];
177 unsigned int hook_entry[NF_INET_NUMHOOKS];
182 static GHashTable *table_hash = NULL;
183 static GHashTable *table_hash_ipv6 = NULL;
184 static bool debug_enabled = false;
189 struct ip6t_ip6 *ip6;
192 struct iptables_replace {
194 struct ipt_replace *r;
195 struct ip6t_replace *r6;
198 static jmp_buf env_state;
199 static bool jmp_set = false;
201 static void enable_jmp()
206 static void disable_jmp()
211 static bool can_jmp()
213 DBG("%s", jmp_set ? "true" : "false");
217 typedef int (*iterate_entries_cb_t)(struct connman_iptables_entry *entry,
218 int builtin, unsigned int hook,
219 size_t size, unsigned int offset,
222 static u_int16_t iptables_entry_get_next_offset(
223 struct connman_iptables_entry *entry)
228 switch (entry->type) {
230 return entry->entry ? entry->entry->next_offset : 0;
232 return entry->entry6 ? entry->entry6->next_offset : 0;
238 static u_int16_t iptables_entry_get_target_offset(
239 struct connman_iptables_entry *entry)
244 switch (entry->type) {
246 return entry->entry ? entry->entry->target_offset : 0;
248 return entry->entry6 ? entry->entry6->target_offset : 0;
254 static unsigned char *iptables_entry_get_elems(
255 struct connman_iptables_entry *entry)
260 switch (entry->type) {
262 return entry->entry ? entry->entry->elems : NULL;
264 return entry->entry6 ? entry->entry6->elems : NULL;
270 static struct xt_entry_target *iptables_entry_get_target(
271 struct connman_iptables_entry *entry)
276 switch (entry->type) {
278 return entry->entry ? ipt_get_target(entry->entry) : NULL;
280 return entry->entry6 ? ip6t_get_target(entry->entry6) : NULL;
286 static struct xt_counters *iptables_entry_get_counters(
287 struct connman_iptables_entry *entry)
292 switch (entry->type) {
294 return entry->entry ? &entry->entry->counters : NULL;
296 return entry->entry6 ? &entry->entry6->counters : NULL;
302 static void iptables_entry_free(struct connman_iptables_entry *entry)
307 g_free(entry->entry);
308 g_free(entry->entry6);
312 static const char *iptables_table_get_info_name(struct connman_iptables* table)
317 switch (table->type) {
319 return table->info->name;
321 return table->info6->name;
327 static unsigned int iptables_table_get_info_num_entries(
328 struct connman_iptables* table)
333 switch (table->type) {
335 return table->info->num_entries;
337 return table->info6->num_entries;
343 static unsigned int iptables_table_get_info_size(struct connman_iptables* table)
348 switch (table->type) {
350 return table->info->size;
352 return table->info6->size;
358 static unsigned int iptables_table_get_info_valid_hooks(
359 struct connman_iptables* table)
364 switch (table->type) {
366 return table->info->valid_hooks;
368 return table->info6->valid_hooks;
374 static unsigned int *iptables_table_get_info_hook_entry(
375 struct connman_iptables* table)
380 switch (table->type) {
382 return table->info->hook_entry;
384 return table->info6->hook_entry;
390 static unsigned int *iptables_table_get_info_underflow(
391 struct connman_iptables* table)
396 switch (table->type) {
398 return table->info->underflow;
400 return table->info6->underflow;
406 static unsigned int iptables_table_get_entries_size(
407 struct connman_iptables* table)
412 switch (table->type) {
414 return table->blob_entries->size;
416 return table->blob_entries6->size;
422 static const char *get_error_target(int type)
426 return IPT_ERROR_TARGET;
428 return IP6T_ERROR_TARGET;
430 return XT_ERROR_TARGET;
434 static const char *get_standard_target(int type)
438 return IPT_STANDARD_TARGET;
440 return IP6T_STANDARD_TARGET;
442 return XT_STANDARD_TARGET;
446 static struct connman_iptables *hash_table_lookup(int type,
447 const char *table_name) {
451 return g_hash_table_lookup(table_hash, table_name);
453 return g_hash_table_lookup(table_hash_ipv6, table_name);
459 static bool hash_table_replace(int type,
461 struct connman_iptables *table) {
465 return g_hash_table_replace(table_hash, table_name, table);
467 return g_hash_table_replace(table_hash_ipv6, table_name, table);
473 static bool hash_table_remove(int type, const char *table_name)
477 return g_hash_table_remove(table_hash, table_name);
479 return g_hash_table_remove(table_hash_ipv6, table_name);
485 static unsigned int next_hook_entry_index(unsigned int *valid_hooks)
489 if (*valid_hooks == 0)
490 return NF_INET_NUMHOOKS;
492 h = __builtin_ffs(*valid_hooks) - 1;
493 *valid_hooks ^= (1 << h);
498 static int iterate_entries(struct connman_iptables_entry *entries,
499 unsigned int valid_hooks,
500 unsigned int *hook_entry,
501 unsigned int *underflow,
502 size_t size, iterate_entries_cb_t cb,
505 unsigned int offset, h, hook;
507 struct connman_iptables_entry entry;
512 switch (entries->type) {
519 if (!entries->entry6)
527 h = next_hook_entry_index(&valid_hooks);
530 entry.type = entries->type;
531 entry.entry = entries->entry;
532 entry.entry6 = entries->entry6;
534 for (offset = 0; offset < size;
535 offset += iptables_entry_get_next_offset(&entry)) {
538 switch (entries->type) {
540 entry.entry = (void* )entries->entry + offset;
543 entry.entry6 = (void* )entries->entry6 + offset;
548 * Updating builtin, hook and h is very tricky.
550 * - builtin is only set to the current hook number
551 * if the current entry is the hook entry (aka chain
552 * head). And only for builtin chains, never for
554 * - hook is the current hook number. If we
555 * look at user chains it needs to be NF_INET_NETNUMHOOKS.
556 * - h is the next hook entry. Thous we need to be carefully
557 * not to access the table when h is NF_INET_NETNUMHOOKS.
559 if (h < NF_INET_NUMHOOKS && hook_entry[h] == offset) {
564 if (h == NF_INET_NUMHOOKS)
567 if (h < NF_INET_NUMHOOKS && underflow[h] <= offset)
568 h = next_hook_entry_index(&valid_hooks);
570 err = cb(&entry, builtin, hook, size, offset, user_data);
578 static int print_entry(struct connman_iptables_entry *entry, int builtin,
579 unsigned int hook, size_t size,
580 unsigned int offset, void *user_data)
582 iterate_entries_cb_t cb;
583 struct xt_counters *counters;
586 counters = iptables_entry_get_counters(entry);
588 DBG("entry %p hook %u offset %u size %u packets %"PRIu64" "
589 "bytes %"PRIu64, entry, hook, offset,
590 iptables_entry_get_next_offset(entry),
591 (uint64_t) counters->pcnt, (uint64_t) counters->bcnt);
593 return cb(entry, builtin, hook, size, offset, NULL);
596 static int target_to_verdict(const char *target_name)
598 if (!g_strcmp0(target_name, LABEL_ACCEPT))
599 return -NF_ACCEPT - 1;
601 if (!g_strcmp0(target_name, LABEL_DROP))
604 if (!g_strcmp0(target_name, LABEL_QUEUE))
605 return -NF_QUEUE - 1;
607 if (!g_strcmp0(target_name, LABEL_RETURN))
613 static bool is_builtin_target(const char *target_name)
615 if (!g_strcmp0(target_name, LABEL_ACCEPT) ||
616 !g_strcmp0(target_name, LABEL_DROP) ||
617 !g_strcmp0(target_name, LABEL_QUEUE) ||
618 !g_strcmp0(target_name, LABEL_RETURN))
624 static bool is_jump(struct connman_iptables_entry *e)
626 struct xt_entry_target *target;
628 target = iptables_entry_get_target(e);
633 if (!g_strcmp0(target->u.user.name, get_standard_target(e->type))) {
634 struct xt_standard_target *t;
636 t = (struct xt_standard_target *)target;
638 switch (t->verdict) {
654 static bool is_fallthrough(struct connman_iptables_entry *e)
656 struct xt_entry_target *target;
658 target = iptables_entry_get_target(e);
663 if (!g_strcmp0(target->u.user.name, get_standard_target(e->type))) {
664 struct xt_standard_target *t;
666 t = (struct xt_standard_target *)target;
673 static bool is_chain(struct connman_iptables *table,
674 struct connman_iptables_entry *e)
676 struct xt_entry_target *target;
684 target = iptables_entry_get_target(e);
689 if (!g_strcmp0(target->u.user.name, get_error_target(e->type)))
695 static GList *find_chain_head(struct connman_iptables *table,
696 const char *chain_name)
699 struct connman_iptables_entry *head;
700 struct xt_entry_target *target;
703 switch (table->type) {
711 for (list = table->entries; list; list = list->next) {
715 builtin = head->builtin;
717 if (builtin >= 0 && !g_strcmp0(hooknames[builtin], chain_name))
720 /* User defined chain */
721 target = iptables_entry_get_target(head);
726 if (!g_strcmp0(target->u.user.name,
727 get_error_target(table->type)) &&
728 !g_strcmp0((char *)target->data, chain_name))
735 static GList *find_chain_tail(struct connman_iptables *table,
736 const char *chain_name)
738 struct connman_iptables_entry *tail;
739 GList *chain_head, *list;
741 chain_head = find_chain_head(table, chain_name);
745 /* Then we look for the next chain */
746 for (list = chain_head->next; list; list = list->next) {
749 if (is_chain(table, tail))
753 /* Nothing found, we return the table end */
754 return g_list_last(table->entries);
757 static void update_offsets(struct connman_iptables *table)
760 struct connman_iptables_entry *entry, *prev_entry;
762 for (list = table->entries; list; list = list->next) {
765 if (list == table->entries) {
772 prev_entry = prev->data;
774 entry->offset = prev_entry->offset +
775 iptables_entry_get_next_offset(
780 static void update_targets_reference(struct connman_iptables *table,
781 struct connman_iptables_entry *entry_before,
782 struct connman_iptables_entry *modified_entry,
785 struct connman_iptables_entry *tmp;
786 struct xt_standard_target *t;
790 offset = iptables_entry_get_next_offset(modified_entry);
792 for (list = table->entries; list; list = list->next) {
798 t = (struct xt_standard_target *)
799 iptables_entry_get_target(tmp);
805 if (t->verdict >= entry_before->offset)
806 t->verdict -= offset;
808 if (t->verdict > entry_before->offset)
809 t->verdict += offset;
813 if (is_fallthrough(modified_entry)) {
814 t = (struct xt_standard_target *)
815 iptables_entry_get_target(modified_entry);
820 t->verdict = entry_before->offset +
821 iptables_entry_get_target_offset(modified_entry) +
822 XT_ALIGN(sizeof(struct xt_standard_target));
823 t->target.u.target_size =
824 XT_ALIGN(sizeof(struct xt_standard_target));
828 static int iptables_add_entry(struct connman_iptables *table,
829 struct connman_iptables_entry *entry,
830 GList *before, int builtin, int counter_idx)
832 struct connman_iptables_entry *e, *entry_before;
838 e = g_try_malloc0(sizeof(struct connman_iptables_entry));
842 switch (table->type) {
844 e->entry = entry->entry;
847 e->entry6 = entry->entry6;
854 e->type = entry->type;
855 e->builtin = builtin;
856 e->counter_idx = counter_idx;
858 table->entries = g_list_insert_before(table->entries, before, e);
859 table->num_entries++;
860 table->size += iptables_entry_get_next_offset(e);
863 e->offset = table->size -
864 iptables_entry_get_next_offset(e);
868 entry_before = before->data;
871 * We've just appended/inserted a new entry. All references
872 * should be bumped accordingly.
874 update_targets_reference(table, entry_before, e, false);
876 update_offsets(table);
881 static int remove_table_entry(struct connman_iptables *table,
882 struct connman_iptables_entry *entry)
885 u_int16_t next_offset;
887 next_offset = iptables_entry_get_next_offset(entry);
888 table->num_entries--;
890 table->size -= next_offset;
891 removed = next_offset;
893 table->entries = g_list_remove(table->entries, entry);
895 iptables_entry_free(entry);
900 static void delete_update_hooks(struct connman_iptables *table,
901 int builtin, GList *chain_head,
904 struct connman_iptables_entry *e;
907 e = chain_head->data;
908 e->builtin = builtin;
910 table->underflow[builtin] -= removed;
912 for (list = chain_head->next; list; list = list->next) {
918 table->hook_entry[e->builtin] -= removed;
919 table->underflow[e->builtin] -= removed;
923 static int iptables_flush_chain(struct connman_iptables *table,
926 GList *chain_head, *chain_tail, *list, *next;
927 struct connman_iptables_entry *entry;
928 int builtin, removed = 0;
930 DBG("table %s chain %s", table->name, name);
932 chain_head = find_chain_head(table, name);
936 chain_tail = find_chain_tail(table, name);
940 entry = chain_head->data;
941 builtin = entry->builtin;
946 list = chain_head->next;
948 if (list == chain_tail->prev)
951 while (list != chain_tail->prev) {
953 next = g_list_next(list);
955 removed += remove_table_entry(table, entry);
961 delete_update_hooks(table, builtin, chain_tail->prev, removed);
963 update_offsets(table);
968 static int iptables_add_chain(struct connman_iptables *table,
972 struct ipt_entry *entry_head = NULL;
973 struct ipt_entry *entry_return = NULL;
974 struct ip6t_entry *entry6_head = NULL;
975 struct ip6t_entry *entry6_return = NULL;
976 struct connman_iptables_entry entry = { 0 };
977 struct xt_error_target *error = NULL;
978 struct ipt_standard_target *standard = NULL;
979 u_int16_t entry_head_size, entry_return_size;
980 size_t entry_struct_size = 0;
981 size_t xt_error_target_size = 0;
982 size_t standard_target_size = 0;
984 DBG("table %s chain %s", table->name, name);
986 entry.type = table->type;
988 /* Do not allow to add duplicate chains */
989 if (find_chain_head(table, name))
992 last = g_list_last(table->entries);
994 xt_error_target_size = XT_ALIGN(sizeof(struct xt_error_target));
997 * An empty chain is composed of:
998 * - A head entry, with no match and an error target.
999 * The error target data is the chain name.
1000 * - A tail entry, with no match and a standard target.
1001 * The standard target verdict is XT_RETURN (return to the
1006 switch (entry.type) {
1008 entry_struct_size = XT_ALIGN(sizeof(struct ipt_entry));
1009 entry_head_size = entry_struct_size + xt_error_target_size;
1011 entry_head = g_try_malloc0(entry_head_size);
1015 entry_head->target_offset = entry_struct_size;
1016 entry_head->next_offset = entry_head_size;
1018 error = (struct xt_error_target *) entry_head->elems;
1020 entry.entry = entry_head;
1023 entry_struct_size = XT_ALIGN(sizeof(struct ip6t_entry));
1024 entry_head_size = entry_struct_size + xt_error_target_size;
1026 entry6_head = g_try_malloc0(entry_head_size);
1030 entry6_head->target_offset = entry_struct_size;
1031 entry6_head->next_offset = entry_head_size;
1033 error = (struct xt_error_target *) entry6_head->elems;
1035 entry.entry6 = entry6_head;
1041 g_stpcpy(error->target.u.user.name, get_error_target(entry.type));
1042 error->target.u.user.target_size = xt_error_target_size;
1043 g_stpcpy(error->errorname, name);
1045 if (iptables_add_entry(table, &entry, last, -1, -1) < 0)
1048 standard_target_size = XT_ALIGN(sizeof(struct ipt_standard_target));
1049 entry_return_size = entry_struct_size + standard_target_size;
1052 switch (entry.type) {
1054 entry_return = g_try_malloc0(entry_return_size);
1058 entry_return->target_offset = entry_struct_size;
1059 entry_return->next_offset = entry_return_size;
1061 standard = (struct ipt_standard_target *) entry_return->elems;
1063 entry.entry = entry_return;
1066 entry6_return = g_try_malloc0(entry_return_size);
1070 entry6_return->target_offset = entry_struct_size;
1071 entry6_return->next_offset = entry_return_size;
1073 standard = (struct ipt_standard_target *) entry6_return->elems;
1075 entry.entry6 = entry6_return;
1079 standard->target.u.user.target_size = standard_target_size;
1080 standard->verdict = XT_RETURN;
1082 if (iptables_add_entry(table, &entry, last, -1, -1) < 0)
1088 g_free(entry_return);
1089 g_free(entry6_return);
1092 g_free(entry6_head);
1097 static int iptables_delete_chain(struct connman_iptables *table,
1100 struct connman_iptables_entry *entry;
1101 GList *chain_head, *chain_tail;
1103 DBG("table %s chain %s", table->name, name);
1105 chain_head = find_chain_head(table, name);
1109 entry = chain_head->data;
1111 /* We cannot remove builtin chain */
1112 if (entry->builtin >= 0)
1115 chain_tail = find_chain_tail(table, name);
1119 /* Chain must be flushed */
1120 if (chain_head->next != chain_tail->prev)
1123 remove_table_entry(table, entry);
1125 entry = chain_tail->prev->data;
1126 remove_table_entry(table, entry);
1128 update_offsets(table);
1133 static struct connman_iptables_entry *new_rule(struct iptables_ip *ip,
1134 const char *target_name, struct xtables_target *xt_t,
1135 struct xtables_rule_match *xt_rm)
1137 struct xtables_rule_match *tmp_xt_rm;
1138 struct connman_iptables_entry *new_entry;
1139 size_t match_size, target_size;
1141 new_entry = g_try_malloc0(sizeof(struct connman_iptables_entry));
1146 new_entry->type = ip->type;
1149 for (tmp_xt_rm = xt_rm; tmp_xt_rm; tmp_xt_rm = tmp_xt_rm->next)
1150 match_size += tmp_xt_rm->match->m->u.match_size;
1153 target_size = xt_t->t->u.target_size;
1155 target_size = XT_ALIGN(sizeof(struct xt_standard_target));
1159 new_entry->entry = g_try_malloc0(
1160 XT_ALIGN(sizeof(struct ipt_entry)) +
1161 target_size + match_size);
1162 if (!new_entry->entry)
1165 memcpy(&new_entry->entry->ip, ip->ip, sizeof(struct ipt_ip));
1167 new_entry->entry->target_offset =
1168 XT_ALIGN(sizeof(struct ipt_entry)) +
1170 new_entry->entry->next_offset =
1171 XT_ALIGN(sizeof(struct ipt_entry)) +
1172 target_size + match_size;
1175 new_entry->entry6 = g_try_malloc0(
1176 XT_ALIGN(sizeof(struct ip6t_entry)) +
1177 target_size + match_size);
1178 if (!new_entry->entry6)
1181 memcpy(&new_entry->entry6->ipv6, ip->ip6,
1182 sizeof(struct ip6t_ip6));
1184 new_entry->entry6->target_offset =
1185 XT_ALIGN(sizeof(struct ip6t_entry)) +
1187 new_entry->entry6->next_offset =
1188 XT_ALIGN(sizeof(struct ip6t_entry)) +
1189 target_size + match_size;
1196 for (tmp_xt_rm = xt_rm; tmp_xt_rm;
1197 tmp_xt_rm = tmp_xt_rm->next) {
1199 switch (new_entry->type) {
1201 memcpy(new_entry->entry->elems + match_size,
1202 tmp_xt_rm->match->m,
1203 tmp_xt_rm->match->m->u.match_size);
1206 memcpy(new_entry->entry6->elems + match_size,
1207 tmp_xt_rm->match->m,
1208 tmp_xt_rm->match->m->u.match_size);
1211 match_size += tmp_xt_rm->match->m->u.match_size;
1215 struct xt_entry_target *entry_target;
1217 entry_target = iptables_entry_get_target(new_entry);
1218 memcpy(entry_target, xt_t->t, target_size);
1229 static void update_hooks(struct connman_iptables *table, GList *chain_head,
1230 struct connman_iptables_entry *entry)
1233 struct connman_iptables_entry *head, *e;
1235 u_int16_t next_offset;
1237 if (!table || !chain_head)
1240 head = chain_head->data;
1242 builtin = head->builtin;
1246 next_offset = iptables_entry_get_next_offset(entry);
1248 table->underflow[builtin] += next_offset;
1250 for (list = chain_head->next; list; list = list->next) {
1253 builtin = e->builtin;
1257 table->hook_entry[builtin] += next_offset;
1258 table->underflow[builtin] += next_offset;
1262 static struct connman_iptables_entry *prepare_rule_inclusion(
1263 struct connman_iptables *table,
1264 struct iptables_ip *ip,
1265 const char *chain_name,
1266 const char *target_name,
1267 struct xtables_target *xt_t,
1269 struct xtables_rule_match *xt_rm,
1272 GList *chain_tail, *chain_head;
1273 struct connman_iptables_entry *head;
1274 struct connman_iptables_entry *new_entry;
1276 chain_head = find_chain_head(table, chain_name);
1280 chain_tail = find_chain_tail(table, chain_name);
1284 new_entry = new_rule(ip, target_name, xt_t, xt_rm);
1286 switch (new_entry->type) {
1288 if (new_entry->entry)
1291 if (new_entry->entry6)
1297 update_hooks(table, chain_head, new_entry);
1300 * If the chain is builtin, and does not have any rule,
1301 * then the one that we're inserting is becoming the head
1302 * and thus needs the builtin flag.
1304 head = chain_head->data;
1305 if (head->builtin < 0)
1307 else if (insert || chain_head == chain_tail->prev) {
1308 *builtin = head->builtin;
1320 static int iptables_append_rule(struct connman_iptables *table,
1321 struct iptables_ip *ip,
1322 const char *chain_name,
1323 const char *target_name,
1324 struct xtables_target *xt_t,
1325 struct xtables_rule_match *xt_rm)
1327 struct connman_iptables_entry *new_entry;
1328 int builtin = -1, ret;
1331 DBG("table %s chain %s", table->name, chain_name);
1333 chain_tail = find_chain_tail(table, chain_name);
1337 new_entry = prepare_rule_inclusion(table, ip, chain_name, target_name,
1338 xt_t, &builtin, xt_rm, false);
1343 switch (new_entry->type) {
1345 if (new_entry->entry)
1348 if (new_entry->entry6)
1355 ret = iptables_add_entry(table, new_entry, chain_tail->prev,
1361 * Free only the container, not the content iptables_add_entry()
1362 * allocates new containers for entries.
1369 iptables_entry_free(new_entry);
1374 static int iptables_insert_rule(struct connman_iptables *table,
1375 struct iptables_ip *ip,
1376 const char *chain_name,
1377 const char *target_name,
1378 struct xtables_target *xt_t,
1379 struct xtables_rule_match *xt_rm)
1381 struct connman_iptables_entry *new_entry;
1382 int builtin = -1, ret;
1385 DBG("table %s chain %s", table->name, chain_name);
1387 chain_head = find_chain_head(table, chain_name);
1391 new_entry = prepare_rule_inclusion(table, ip, chain_name, target_name,
1392 xt_t, &builtin, xt_rm, true);
1397 switch (new_entry->type) {
1399 if (new_entry->entry)
1402 if (new_entry->entry6)
1410 chain_head = chain_head->next;
1412 ret = iptables_add_entry(table, new_entry, chain_head, builtin, -1);
1417 * Free only the container, not the content iptables_add_entry()
1418 * allocates new containers for entries.
1425 iptables_entry_free(new_entry);
1430 static bool is_same_ipt_entry(struct ipt_entry *i_e1,
1431 struct ipt_entry *i_e2)
1433 if (memcmp(&i_e1->ip, &i_e2->ip, sizeof(struct ipt_ip)) != 0)
1436 if (i_e1->target_offset != i_e2->target_offset)
1439 if (i_e1->next_offset != i_e2->next_offset)
1445 /* A copy of is_same_ipt_entry with IPv6 structures */
1446 static bool is_same_ip6t_entry(struct ip6t_entry *i_e1,
1447 struct ip6t_entry *i_e2)
1449 if (memcmp(&i_e1->ipv6, &i_e2->ipv6, sizeof(struct ip6t_ip6)) != 0)
1452 if (i_e1->target_offset != i_e2->target_offset)
1455 if (i_e1->next_offset != i_e2->next_offset)
1461 static bool is_same_iptables_entry(struct connman_iptables_entry *e1,
1462 struct connman_iptables_entry *e2)
1464 if (e1->type != e2->type)
1469 return is_same_ipt_entry(e1->entry, e2->entry);
1471 return is_same_ip6t_entry(e1->entry6, e2->entry6);
1477 static bool is_same_target(struct xt_entry_target *xt_e_t1,
1478 struct xt_entry_target *xt_e_t2)
1482 if (!xt_e_t1 || !xt_e_t2)
1485 if (g_strcmp0(xt_e_t1->u.user.name, "") == 0 &&
1486 g_strcmp0(xt_e_t2->u.user.name, "") == 0) {
1491 * IPT_STANDARD_TARGET and IP6T_STANDARD_TARGET are defined by
1492 * XT_STANDARD_TARGET
1494 } else if (g_strcmp0(xt_e_t1->u.user.name, XT_STANDARD_TARGET) == 0) {
1495 struct xt_standard_target *xt_s_t1;
1496 struct xt_standard_target *xt_s_t2;
1498 xt_s_t1 = (struct xt_standard_target *) xt_e_t1;
1499 xt_s_t2 = (struct xt_standard_target *) xt_e_t2;
1501 if (xt_s_t1->verdict != xt_s_t2->verdict)
1504 if (xt_e_t1->u.target_size != xt_e_t2->u.target_size)
1507 if (g_strcmp0(xt_e_t1->u.user.name, xt_e_t2->u.user.name) != 0)
1510 for (i = 0; i < xt_e_t1->u.target_size -
1511 sizeof(struct xt_standard_target); i++) {
1512 if ((xt_e_t1->data[i] ^ xt_e_t2->data[i]) != 0)
1520 static bool is_same_match(struct xt_entry_match *xt_e_m1,
1521 struct xt_entry_match *xt_e_m2)
1525 if (!xt_e_m1 || !xt_e_m2)
1528 if (xt_e_m1->u.match_size != xt_e_m2->u.match_size)
1531 if (xt_e_m1->u.user.revision != xt_e_m2->u.user.revision)
1534 if (g_strcmp0(xt_e_m1->u.user.name, xt_e_m2->u.user.name) != 0)
1537 for (i = 0; i < xt_e_m1->u.match_size - sizeof(struct xt_entry_match);
1539 if ((xt_e_m1->data[i] ^ xt_e_m2->data[i]) != 0)
1546 static GList *find_existing_rule(struct connman_iptables *table,
1547 struct iptables_ip *ip,
1548 const char *chain_name,
1549 const char *target_name,
1550 struct xtables_target *xt_t,
1552 struct xtables_rule_match *xt_rm)
1554 GList *chain_tail, *chain_head, *list;
1555 struct xt_entry_target *xt_e_t = NULL;
1556 struct xt_entry_match *xt_e_m = NULL;
1557 struct connman_iptables_entry *entry;
1558 struct connman_iptables_entry *entry_test;
1561 chain_head = find_chain_head(table, chain_name);
1565 chain_tail = find_chain_tail(table, chain_name);
1569 if (!xt_t && !matches)
1572 entry_test = new_rule(ip, target_name, xt_t, xt_rm);
1574 switch (entry_test->type) {
1576 if (!entry_test->entry) {
1577 #if defined TIZEN_EXT
1578 iptables_entry_free(entry_test);
1584 if (!entry_test->entry6) {
1585 #if defined TIZEN_EXT
1586 iptables_entry_free(entry_test);
1592 #if defined TIZEN_EXT
1593 iptables_entry_free(entry_test);
1599 xt_e_t = iptables_entry_get_target(entry_test);
1601 xt_e_m = (struct xt_entry_match *)
1602 iptables_entry_get_elems(entry_test);
1604 entry = chain_head->data;
1605 builtin = entry->builtin;
1610 list = chain_head->next;
1612 for (; list != chain_tail->prev; list = list->next) {
1613 struct connman_iptables_entry *tmp;
1617 if (!is_same_iptables_entry(entry_test, tmp))
1621 struct xt_entry_target *tmp_xt_e_t = NULL;
1623 tmp_xt_e_t = iptables_entry_get_target(tmp);
1625 if (!is_same_target(tmp_xt_e_t, xt_e_t))
1630 struct xt_entry_match *tmp_xt_e_m;
1632 tmp_xt_e_m = (struct xt_entry_match *)
1633 iptables_entry_get_elems(tmp);
1635 if (!is_same_match(tmp_xt_e_m, xt_e_m))
1642 iptables_entry_free(entry_test);
1644 if (list != chain_tail->prev)
1650 static int iptables_delete_rule(struct connman_iptables *table,
1651 struct iptables_ip *ip,
1652 const char *chain_name,
1653 const char *target_name,
1654 struct xtables_target *xt_t,
1656 struct xtables_rule_match *xt_rm)
1658 struct connman_iptables_entry *entry;
1659 GList *chain_head, *chain_tail, *list;
1660 int builtin, removed;
1662 DBG("table %s chain %s", table->name, chain_name);
1666 chain_head = find_chain_head(table, chain_name);
1670 chain_tail = find_chain_tail(table, chain_name);
1674 list = find_existing_rule(table, ip, chain_name, target_name,
1675 xt_t, matches, xt_rm);
1680 entry = chain_head->data;
1681 builtin = entry->builtin;
1683 if (builtin >= 0 && list == chain_head) {
1685 * We are about to remove the first rule in the
1686 * chain. In this case we need to store the builtin
1687 * value to the new chain_head.
1689 * Note, for builtin chains, chain_head->next is
1690 * always valid. A builtin chain has always a policy
1693 chain_head = chain_head->next;
1695 entry = chain_head->data;
1696 entry->builtin = builtin;
1703 /* We have deleted a rule,
1704 * all references should be bumped accordingly */
1706 update_targets_reference(table, list->next->data,
1709 removed += remove_table_entry(table, entry);
1712 delete_update_hooks(table, builtin, chain_head, removed);
1714 update_offsets(table);
1719 static int iptables_change_policy(struct connman_iptables *table,
1720 const char *chain_name, const char *policy)
1722 GList *chain_head, *chain_tail;
1723 struct connman_iptables_entry *entry;
1724 struct xt_entry_target *target;
1725 struct xt_standard_target *t;
1728 DBG("table %s chain %s policy %s", table->name, chain_name, policy);
1730 verdict = target_to_verdict(policy);
1732 case -NF_ACCEPT - 1:
1739 chain_head = find_chain_head(table, chain_name);
1743 entry = chain_head->data;
1744 if (entry->builtin < 0)
1747 chain_tail = find_chain_tail(table, chain_name);
1751 entry = chain_tail->prev->data;
1753 target = iptables_entry_get_target(entry);
1758 t = (struct xt_standard_target *)target;
1759 if (t->verdict != verdict)
1760 entry->counter_idx = -1;
1761 t->verdict = verdict;
1766 static struct ipt_replace *iptables_blob(struct connman_iptables *table)
1768 struct ipt_replace *r;
1770 struct connman_iptables_entry *e;
1771 unsigned char *entry_index;
1773 r = g_try_malloc0(sizeof(struct ipt_replace) + table->size);
1777 memset(r, 0, sizeof(*r) + table->size);
1779 r->counters = g_try_malloc0(sizeof(struct xt_counters)
1780 * table->old_entries);
1786 g_stpcpy(r->name, table->info->name);
1787 r->num_entries = table->num_entries;
1788 r->size = table->size;
1790 r->num_counters = table->old_entries;
1791 r->valid_hooks = table->info->valid_hooks;
1793 memcpy(r->hook_entry, table->hook_entry, sizeof(table->hook_entry));
1794 memcpy(r->underflow, table->underflow, sizeof(table->underflow));
1796 entry_index = (unsigned char *)r->entries;
1797 for (list = table->entries; list; list = list->next) {
1800 memcpy(entry_index, e->entry, e->entry->next_offset);
1801 entry_index += e->entry->next_offset;
1807 /* A copy of iptables_blob() with IPv6 structures */
1808 static struct ip6t_replace *ip6tables_blob(struct connman_iptables *table)
1810 struct ip6t_replace *r;
1812 struct connman_iptables_entry *e;
1813 unsigned char *entry_index;
1815 r = g_try_malloc0(sizeof(struct ip6t_replace) + table->size);
1819 memset(r, 0, sizeof(*r) + table->size);
1821 r->counters = g_try_malloc0(sizeof(struct xt_counters)
1822 * table->old_entries);
1828 g_stpcpy(r->name, table->info6->name);
1829 r->num_entries = table->num_entries;
1830 r->size = table->size;
1832 r->num_counters = table->old_entries;
1833 r->valid_hooks = table->info6->valid_hooks;
1835 memcpy(r->hook_entry, table->hook_entry, sizeof(table->hook_entry));
1836 memcpy(r->underflow, table->underflow, sizeof(table->underflow));
1838 entry_index = (unsigned char *)r->entries;
1839 for (list = table->entries; list; list = list->next) {
1842 memcpy(entry_index, e->entry6, e->entry6->next_offset);
1843 entry_index += e->entry6->next_offset;
1849 static void dump_ip(struct connman_iptables_entry *entry)
1851 char *iniface, *outiface;
1852 char ip_string[INET6_ADDRSTRLEN];
1853 char ip_mask[INET6_ADDRSTRLEN];
1855 switch (entry->type) {
1857 iniface = entry->entry->ip.iniface;
1858 outiface = entry->entry->ip.outiface;
1861 iniface = entry->entry6->ipv6.iniface;
1862 outiface = entry->entry6->ipv6.outiface;
1868 if (strlen(iniface))
1869 DBG("\tin %s", iniface);
1871 if (strlen(outiface))
1872 DBG("\tout %s", outiface);
1874 if (entry->type == AF_INET) {
1875 if (inet_ntop(entry->type, &entry->entry->ip.src, ip_string,
1876 INET6_ADDRSTRLEN) && inet_ntop(entry->type,
1877 &entry->entry->ip.smsk, ip_mask,
1879 DBG("\tsrc %s/%s", ip_string, ip_mask);
1881 if (inet_ntop(entry->type, &entry->entry->ip.dst, ip_string,
1882 INET6_ADDRSTRLEN) && inet_ntop(entry->type,
1883 &entry->entry->ip.dmsk, ip_mask,
1885 DBG("\tdst %s/%s", ip_string, ip_mask);
1888 if (entry->type == AF_INET6) {
1889 if (inet_ntop(entry->type, &entry->entry6->ipv6.src, ip_string,
1890 INET6_ADDRSTRLEN) && inet_ntop(entry->type,
1891 &entry->entry6->ipv6.smsk, ip_mask,
1893 DBG("\tsrc %s/%s", ip_string, ip_mask);
1895 if (inet_ntop(entry->type, &entry->entry6->ipv6.dst, ip_string,
1896 INET6_ADDRSTRLEN) && inet_ntop(entry->type,
1897 &entry->entry6->ipv6.dmsk, ip_mask,
1899 DBG("\tdst %s/%s", ip_string, ip_mask);
1903 static void dump_target(struct connman_iptables_entry *entry)
1905 struct xtables_target *xt_t;
1906 struct xt_entry_target *target;
1909 target = iptables_entry_get_target(entry);
1914 if (!g_strcmp0(target->u.user.name, get_standard_target(entry->type))) {
1915 struct xt_standard_target *t;
1917 t = (struct xt_standard_target *)target;
1919 switch (t->verdict) {
1921 DBG("\ttarget RETURN");
1924 case -NF_ACCEPT - 1:
1925 DBG("\ttarget ACCEPT");
1929 DBG("\ttarget DROP");
1933 DBG("\ttarget QUEUE");
1937 DBG("\ttarget STOP");
1941 DBG("\tJUMP %u", t->verdict);
1947 if ((err = setjmp(env_state)) != 0) {
1948 DBG("setjmp() called by longjmp() with value %d", err);
1953 xt_t = xtables_find_target(get_standard_target(entry->type),
1954 XTF_LOAD_MUST_SUCCEED);
1959 xt_t->print(NULL, target, 1);
1963 if ((err = setjmp(env_state)) != 0) {
1964 DBG("setjmp() called by longjmp() with value %d", err);
1969 xt_t = xtables_find_target(target->u.user.name, XTF_TRY_LOAD);
1974 DBG("\ttarget %s", target->u.user.name);
1980 xt_t->print(NULL, target, 1);
1984 if (xt_t == xt_t->next)
1988 static void dump_match(struct connman_iptables_entry *entry)
1990 struct xtables_match *xt_m;
1991 struct xt_entry_match *match;
1992 u_int16_t target_offset;
1995 target_offset = iptables_entry_get_target_offset(entry);
1997 switch (entry->type) {
1999 if (entry->entry->elems == (unsigned char *)entry->entry +
2004 if (entry->entry6->elems == (unsigned char *)entry->entry6 +
2012 match = (struct xt_entry_match *) iptables_entry_get_elems(entry);
2014 if (!strlen(match->u.user.name))
2019 if ((err = setjmp(env_state)) != 0) {
2020 DBG("setjmp() called by longjmp() with value %d", err);
2025 xt_m = xtables_find_match(match->u.user.name, XTF_TRY_LOAD, NULL);
2034 xt_m->print(NULL, match, 1);
2038 if (xt_m == xt_m->next)
2042 DBG("\tmatch %s", match->u.user.name);
2046 static int dump_entry(struct connman_iptables_entry *entry, int builtin,
2047 unsigned int hook, size_t size, unsigned int offset,
2050 struct xt_entry_target *target;
2053 target = iptables_entry_get_target(entry);
2058 if (offset + iptables_entry_get_next_offset(entry) == size) {
2059 DBG("\tEnd of CHAIN");
2063 switch (entry->type) {
2065 char_entry = (char *)entry->entry;
2068 char_entry = (char *)entry->entry6;
2074 if (!g_strcmp0(target->u.user.name, IPT_ERROR_TARGET)) {
2075 DBG("\tUSER CHAIN (%s) match %p target %p",
2076 target->data, iptables_entry_get_elems(entry),
2077 char_entry + iptables_entry_get_target_offset(entry));
2080 } else if (builtin >= 0) {
2081 DBG("\tCHAIN (%s) match %p target %p",
2082 hooknames[builtin], iptables_entry_get_elems(entry),
2083 char_entry + iptables_entry_get_target_offset(entry));
2085 DBG("\tRULE match %p target %p",
2086 iptables_entry_get_elems(entry),
2087 char_entry + iptables_entry_get_target_offset(entry));
2097 static void dump_table(struct connman_iptables *table)
2099 struct connman_iptables_entry entry = { 0 };
2100 unsigned int *hook_entry;
2101 unsigned int *underflow;
2102 unsigned int valid_hooks;
2105 hook_entry = iptables_table_get_info_hook_entry(table);
2106 underflow = iptables_table_get_info_underflow(table);
2107 valid_hooks = iptables_table_get_info_valid_hooks(table);
2108 size = iptables_table_get_info_size(table);
2110 DBG("%s valid_hooks=0x%08x, num_entries=%u, size=%u",
2111 iptables_table_get_info_name(table),
2113 iptables_table_get_info_num_entries(table),
2116 DBG("entry hook: pre/in/fwd/out/post %d/%d/%d/%d/%d",
2117 hook_entry[NF_IP_PRE_ROUTING],
2118 hook_entry[NF_IP_LOCAL_IN],
2119 hook_entry[NF_IP_FORWARD],
2120 hook_entry[NF_IP_LOCAL_OUT],
2121 hook_entry[NF_IP_POST_ROUTING]);
2122 DBG("underflow: pre/in/fwd/out/post %d/%d/%d/%d/%d",
2123 underflow[NF_IP_PRE_ROUTING],
2124 underflow[NF_IP_LOCAL_IN],
2125 underflow[NF_IP_FORWARD],
2126 underflow[NF_IP_LOCAL_OUT],
2127 underflow[NF_IP_POST_ROUTING]);
2129 entry.type = table->type;
2131 switch (table->type) {
2133 entry.entry = table->blob_entries->entrytable;
2136 entry.entry6 = table->blob_entries6->entrytable;
2139 iterate_entries(&entry,
2144 print_entry, dump_entry);
2147 static const char *iptables_replace_get_name(struct iptables_replace *replace)
2152 switch (replace->type) {
2154 return replace->r->name;
2156 return replace->r6->name;
2162 static unsigned int iptables_replace_get_valid_hooks(
2163 struct iptables_replace *replace)
2168 switch (replace->type) {
2170 return replace->r->valid_hooks;
2172 return replace->r6->valid_hooks;
2178 static unsigned int iptables_replace_get_num_entries(
2179 struct iptables_replace *replace)
2184 switch (replace->type) {
2186 return replace->r->num_entries;
2188 return replace->r6->num_entries;
2194 static unsigned int *iptables_replace_get_hook_entry(
2195 struct iptables_replace *replace)
2200 switch (replace->type) {
2202 return replace->r->hook_entry;
2204 return replace->r6->hook_entry;
2210 static unsigned int *iptables_replace_get_underflow(
2211 struct iptables_replace *replace)
2216 switch (replace->type) {
2218 return replace->r->underflow;
2220 return replace->r6->underflow;
2226 static unsigned int iptables_replace_get_size(struct iptables_replace *replace)
2231 switch (replace->type) {
2233 return replace->r->size;
2235 return replace->r6->size;
2241 static void dump_replace(struct iptables_replace *repl)
2243 struct connman_iptables_entry entry = { 0 };
2244 unsigned int *hook_entry;
2245 unsigned int *underflow;
2246 unsigned int valid_hooks;
2249 hook_entry = iptables_replace_get_hook_entry(repl);
2250 underflow = iptables_replace_get_underflow(repl);
2251 valid_hooks = iptables_replace_get_valid_hooks(repl);
2252 size = iptables_replace_get_size(repl);
2254 switch (repl->type) {
2256 entry.entry = repl->r->entries;
2259 entry.entry6 = repl->r6->entries;
2265 DBG("%s valid_hooks 0x%08x num_entries %u size %u",
2266 iptables_replace_get_name(repl),
2268 iptables_replace_get_num_entries(repl), size);
2270 DBG("entry hook: pre/in/fwd/out/post %d/%d/%d/%d/%d",
2271 hook_entry[NF_IP_PRE_ROUTING],
2272 hook_entry[NF_IP_LOCAL_IN],
2273 hook_entry[NF_IP_FORWARD],
2274 hook_entry[NF_IP_LOCAL_OUT],
2275 hook_entry[NF_IP_POST_ROUTING]);
2276 DBG("underflow: pre/in/fwd/out/post %d/%d/%d/%d/%d",
2277 underflow[NF_IP_PRE_ROUTING],
2278 underflow[NF_IP_LOCAL_IN],
2279 underflow[NF_IP_FORWARD],
2280 underflow[NF_IP_LOCAL_OUT],
2281 underflow[NF_IP_POST_ROUTING]);
2283 iterate_entries(&entry, valid_hooks, hook_entry, underflow,
2284 size, print_entry, dump_entry);
2287 static int iptables_get_entries(struct connman_iptables *table)
2289 socklen_t entry_size;
2292 switch (table->type) {
2294 entry_size = sizeof(struct ipt_get_entries) + table->info->size;
2296 err = getsockopt(table->ipt_sock, IPPROTO_IP,
2297 IPT_SO_GET_ENTRIES, table->blob_entries,
2301 entry_size = sizeof(struct ip6t_get_entries) +
2304 err = getsockopt(table->ipt_sock, IPPROTO_IPV6,
2305 IP6T_SO_GET_ENTRIES, table->blob_entries6,
2318 static int iptables_replace(struct connman_iptables *table,
2319 struct iptables_replace *r)
2328 err = setsockopt(table->ipt_sock, IPPROTO_IP,
2329 IPT_SO_SET_REPLACE, r->r,
2330 sizeof(*r->r) + r->r->size);
2336 err = setsockopt(table->ipt_sock, IPPROTO_IPV6,
2337 IP6T_SO_SET_REPLACE, r->r6,
2338 sizeof(*r->r6) + r->r6->size);
2350 static int iptables_add_counters(struct connman_iptables *table,
2351 struct xt_counters_info *c)
2357 switch (table->type) {
2360 optname = IPT_SO_SET_ADD_COUNTERS;
2363 level = IPPROTO_IPV6;
2364 optname = IP6T_SO_SET_ADD_COUNTERS;
2370 err = setsockopt(table->ipt_sock, level, optname, c,
2371 sizeof(*c) + sizeof(struct xt_counters) * c->num_counters);
2379 static int add_entry(struct connman_iptables_entry *entry, int builtin,
2380 unsigned int hook, size_t size, unsigned offset,
2383 struct connman_iptables *table = user_data;
2384 struct connman_iptables_entry new_entry = { 0 };
2385 u_int16_t next_offset;
2387 new_entry.type = entry->type;
2388 next_offset = iptables_entry_get_next_offset(entry);
2390 switch (entry->type) {
2392 new_entry.entry = g_try_malloc0(next_offset);
2393 if (!new_entry.entry)
2396 memcpy(new_entry.entry, entry->entry, next_offset);
2399 new_entry.entry6 = g_try_malloc0(next_offset);
2400 if (!new_entry.entry6)
2403 memcpy(new_entry.entry6, entry->entry6, next_offset);
2409 return iptables_add_entry(table, &new_entry, NULL, builtin,
2410 table->num_entries);
2413 static void table_cleanup(struct connman_iptables *table)
2416 struct connman_iptables_entry *entry;
2421 if (table->ipt_sock >= 0)
2422 close(table->ipt_sock);
2424 for (list = table->entries; list; list = list->next) {
2427 iptables_entry_free(entry);
2430 g_list_free(table->entries);
2431 g_free(table->name);
2433 if (table->type == AF_INET) {
2434 g_free(table->info);
2435 g_free(table->blob_entries);
2438 if (table->type == AF_INET6) {
2439 g_free(table->info6);
2440 g_free(table->blob_entries6);
2446 static int setup_xtables(int type);
2447 static void reset_xtables();
2449 static struct connman_iptables *iptables_init(int type, const char *table_name)
2451 struct connman_iptables *table = NULL;
2452 struct connman_iptables_entry entry = { 0 };
2453 char *iptables_mod = NULL;
2454 char *module = NULL;
2459 iptables_mod = g_strdup("ip_tables");
2460 module = g_strconcat("iptable_", table_name, NULL);
2463 iptables_mod = g_strdup("ip6_tables");
2464 module = g_strconcat("ip6table_", table_name, NULL);
2470 DBG("%d %s", type, table_name);
2472 if (setup_xtables(type)) {
2473 #if defined TIZEN_EXT
2474 g_free(iptables_mod);
2480 if (xtables_insmod(iptables_mod, NULL, TRUE) != 0)
2481 DBG("%s module loading gives error but trying anyway",
2484 g_free(iptables_mod);
2486 if (xtables_insmod(module, NULL, TRUE) != 0)
2487 DBG("%s module loading gives error but trying anyway", module);
2491 table = g_try_new0(struct connman_iptables, 1);
2495 table->type = entry.type = type;
2497 table->ipt_sock = socket(type, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_RAW);
2498 if (table->ipt_sock < 0)
2503 table->info = g_try_new0(struct ipt_getinfo, 1);
2507 s = sizeof(*table->info);
2508 g_stpcpy(table->info->name, table_name);
2510 if (getsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_GET_INFO,
2511 table->info, &s) < 0) {
2512 connman_error("iptables support missing error %d (%s)",
2513 errno, strerror(errno));
2517 table->blob_entries = g_try_malloc0(
2518 sizeof(struct ipt_get_entries) +
2520 if (!table->blob_entries)
2523 g_stpcpy(table->blob_entries->name, table_name);
2524 table->blob_entries->size = table->info->size;
2528 table->info6 = g_try_new0(struct ip6t_getinfo, 1);
2532 s = sizeof(*table->info6);
2533 g_stpcpy(table->info6->name, table_name);
2535 if (getsockopt(table->ipt_sock, IPPROTO_IPV6, IP6T_SO_GET_INFO,
2536 table->info6, &s) < 0) {
2537 connman_error("ip6tables support missing error %d (%s)",
2538 errno, strerror(errno));
2542 table->blob_entries6 = g_try_malloc0(
2543 sizeof(struct ip6t_get_entries) +
2544 table->info6->size);
2545 if (!table->blob_entries6)
2548 g_stpcpy(table->blob_entries6->name, table_name);
2549 table->blob_entries6->size = table->info6->size;
2554 if (iptables_get_entries(table) < 0)
2557 table->num_entries = 0;
2562 table->old_entries = table->info->num_entries;
2564 memcpy(table->underflow, table->info->underflow,
2565 sizeof(table->info->underflow));
2566 memcpy(table->hook_entry, table->info->hook_entry,
2567 sizeof(table->info->hook_entry));
2569 entry.entry = table->blob_entries->entrytable;
2572 table->old_entries = table->info6->num_entries;
2574 memcpy(table->underflow, table->info6->underflow,
2575 sizeof(table->info6->underflow));
2576 memcpy(table->hook_entry, table->info6->hook_entry,
2577 sizeof(table->info6->hook_entry));
2579 entry.entry6 = table->blob_entries6->entrytable;
2583 iterate_entries(&entry,
2584 iptables_table_get_info_valid_hooks(table),
2585 iptables_table_get_info_hook_entry(table),
2586 iptables_table_get_info_underflow(table),
2587 iptables_table_get_entries_size(table),
2599 table_cleanup(table);
2605 static struct option iptables_opts[] = {
2606 {.name = "append", .has_arg = 1, .val = 'A'},
2607 {.name = "compare", .has_arg = 1, .val = 'C'},
2608 {.name = "delete", .has_arg = 1, .val = 'D'},
2609 {.name = "flush-chain", .has_arg = 1, .val = 'F'},
2610 {.name = "insert", .has_arg = 1, .val = 'I'},
2611 {.name = "list", .has_arg = 2, .val = 'L'},
2612 {.name = "new-chain", .has_arg = 1, .val = 'N'},
2613 {.name = "policy", .has_arg = 1, .val = 'P'},
2614 {.name = "delete-chain", .has_arg = 1, .val = 'X'},
2615 {.name = "destination", .has_arg = 1, .val = 'd'},
2616 {.name = "in-interface", .has_arg = 1, .val = 'i'},
2617 {.name = "jump", .has_arg = 1, .val = 'j'},
2618 {.name = "match", .has_arg = 1, .val = 'm'},
2619 {.name = "out-interface", .has_arg = 1, .val = 'o'},
2620 {.name = "source", .has_arg = 1, .val = 's'},
2621 {.name = "table", .has_arg = 1, .val = 't'},
2622 {.name = "protocol", .has_arg = 1, .val = 'p'},
2626 void iptables_exit(enum xtables_exittype status, const char *msg, ...)
2627 __attribute__((noreturn, format(printf,2,3)));
2629 void iptables_exit(enum xtables_exittype status, const char *msg, ...)
2632 gchar str[256] = { 0 };
2636 DBG("OTHER_PROBLEM");
2638 case PARAMETER_PROBLEM:
2639 DBG("PARAMETER_PROBLEM");
2641 case VERSION_PROBLEM:
2642 DBG("VERSION_PROBLEM");
2644 case RESOURCE_PROBLEM:
2645 DBG("RESOURCE_PROBLEM");
2648 DBG("XTF_ONLY_ONCE");
2651 DBG("XTF_NO_INVERT");
2654 DBG("XTF_BAD_VALUE");
2656 case XTF_ONE_ACTION:
2657 DBG("XTF_ONE_ACTION");
2661 va_start(args, msg);
2662 vsnprintf(str, 256, msg, args);
2665 connman_error("iptables rule error: %s", str);
2668 DBG("calling longjmp()");
2669 /* enum xtables_exittype begins from 1 */
2670 longjmp(env_state, status);
2673 connman_error("exit because of iptables error");
2678 struct xtables_globals iptables_globals = {
2680 .opts = iptables_opts,
2681 .orig_opts = iptables_opts,
2682 .exit_err = iptables_exit,
2683 #if XTABLES_VERSION_CODE > 10
2684 .compat_rev = xtables_compatible_revision,
2688 struct xtables_globals ip6tables_globals = {
2690 .opts = iptables_opts,
2691 .orig_opts = iptables_opts,
2692 .exit_err = iptables_exit,
2693 #if XTABLES_VERSION_CODE > 10
2694 .compat_rev = xtables_compatible_revision,
2698 static struct xtables_target *prepare_target(struct connman_iptables *table,
2699 const char *target_name)
2701 struct xtables_target *xt_t = NULL;
2702 bool is_builtin, is_user_defined;
2703 GList *chain_head = NULL;
2708 is_user_defined = false;
2710 DBG("target %s", target_name);
2715 if (is_builtin_target(target_name))
2718 chain_head = find_chain_head(table, target_name);
2719 if (chain_head && chain_head->next)
2720 is_user_defined = true;
2725 if ((err = setjmp(env_state)) != 0) {
2726 DBG("setjmp() called by longjmp() with value %d", err);
2731 if (is_builtin || is_user_defined)
2732 xt_t = xtables_find_target(get_standard_target(table->type),
2733 XTF_LOAD_MUST_SUCCEED);
2735 xt_t = xtables_find_target(target_name, XTF_TRY_LOAD);
2742 switch (table->type) {
2744 target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
2748 target_size = XT_ALIGN(sizeof(struct ip6t_entry_target)) +
2755 xt_t->t = g_try_malloc0(target_size);
2759 xt_t->t->u.target_size = target_size;
2761 if (is_builtin || is_user_defined) {
2762 struct xt_standard_target *target;
2764 target = (struct xt_standard_target *)(xt_t->t);
2765 g_stpcpy(target->target.u.user.name,
2766 get_standard_target(table->type));
2769 target->verdict = target_to_verdict(target_name);
2770 else if (is_user_defined) {
2771 struct connman_iptables_entry *target_rule;
2773 target_rule = chain_head->next->data;
2774 target->verdict = target_rule->offset;
2777 g_stpcpy(xt_t->t->u.user.name, target_name);
2778 xt_t->t->u.user.revision = xt_t->revision;
2780 xt_t->init(xt_t->t);
2783 switch (table->type) {
2785 if (xt_t->x6_options)
2786 iptables_globals.opts =
2787 xtables_options_xfrm(
2788 iptables_globals.orig_opts,
2789 iptables_globals.opts,
2791 &xt_t->option_offset);
2793 iptables_globals.opts =
2794 xtables_merge_options(
2795 iptables_globals.orig_opts,
2796 iptables_globals.opts,
2798 &xt_t->option_offset);
2800 if (!iptables_globals.opts) {
2807 if (xt_t->x6_options)
2808 ip6tables_globals.opts =
2809 xtables_options_xfrm(
2810 ip6tables_globals.orig_opts,
2811 ip6tables_globals.opts,
2813 &xt_t->option_offset);
2815 ip6tables_globals.opts =
2816 xtables_merge_options(
2817 ip6tables_globals.orig_opts,
2818 ip6tables_globals.opts,
2820 &xt_t->option_offset);
2822 if (!ip6tables_globals.opts) {
2833 static struct xtables_match *prepare_matches(struct connman_iptables *table,
2834 struct xtables_rule_match **xt_rm,
2835 const char *match_name)
2837 struct xtables_match *xt_m;
2841 if (!table || !match_name)
2846 if ((err = setjmp(env_state)) != 0) {
2847 DBG("setjmp() called by longjmp() with value %d", err);
2852 xt_m = xtables_find_match(match_name, XTF_LOAD_MUST_SUCCEED, xt_rm);
2856 switch (table->type) {
2858 match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
2862 match_size = XT_ALIGN(sizeof(struct ip6t_entry_match)) +
2869 xt_m->m = g_try_malloc0(match_size);
2873 xt_m->m->u.match_size = match_size;
2874 g_stpcpy(xt_m->m->u.user.name, xt_m->name);
2875 xt_m->m->u.user.revision = xt_m->revision;
2878 xt_m->init(xt_m->m);
2880 switch (table->type) {
2882 if (xt_m->x6_options)
2883 iptables_globals.opts =
2884 xtables_options_xfrm(
2885 iptables_globals.orig_opts,
2886 iptables_globals.opts,
2888 &xt_m->option_offset);
2890 iptables_globals.opts =
2891 xtables_merge_options(
2892 iptables_globals.orig_opts,
2893 iptables_globals.opts,
2895 &xt_m->option_offset);
2897 if (!iptables_globals.opts) {
2900 if (xt_m == xt_m->next)
2908 if (xt_m->x6_options)
2909 ip6tables_globals.opts =
2910 xtables_options_xfrm(
2911 ip6tables_globals.orig_opts,
2912 ip6tables_globals.opts,
2914 &xt_m->option_offset);
2916 ip6tables_globals.opts =
2917 xtables_merge_options(
2918 ip6tables_globals.orig_opts,
2919 ip6tables_globals.opts,
2921 &xt_m->option_offset);
2923 if (!ip6tables_globals.opts) {
2926 if (xt_m == xt_m->next)
2938 static int parse_ip_and_mask(const char *str, struct in_addr *ip,
2939 struct in_addr *mask)
2942 uint32_t prefixlength;
2946 tokens = g_strsplit(str, "/", 2);
2950 if (!inet_pton(AF_INET, tokens[0], ip)) {
2956 prefixlength = strtol(tokens[1], NULL, 10);
2957 if (prefixlength > 32) {
2960 } else if (prefixlength == 32) {
2963 tmp = ~(0xffffffff >> prefixlength);
2969 mask->s_addr = htonl(tmp);
2970 ip->s_addr = ip->s_addr & mask->s_addr;
2978 static int parse_ipv6_and_mask(const char *str, struct in6_addr *ip,
2979 struct in6_addr *mask)
2982 uint32_t prefixlength;
2983 struct in6_addr in6;
2987 tokens = g_strsplit(str, "/", 2);
2991 if (!inet_pton(AF_INET6, tokens[0], ip)) {
2997 prefixlength = strtol(tokens[1], NULL, 10);
2998 if (prefixlength > 128) {
3007 * This part was adapted from (no need to re-invent the wheel):
3008 * https://gitlab.com/ipcalc/ipcalc/blob/master/ipcalc.c#L733
3010 memset(&in6, 0, sizeof(struct in6_addr));
3012 for (i = prefixlength, j = 0; i > 0; i -= 8, j++) {
3014 in6.s6_addr[j] = 0xff;
3016 in6.s6_addr[j] = (unsigned long)(0xffU << (8 - i));
3019 memcpy(mask, &in6, sizeof(struct in6_addr));
3021 for (i = 0; i < 16 ; i++)
3022 ip->s6_addr[i] = ip->s6_addr[i] & mask->s6_addr[i];
3031 static struct connman_iptables *get_table(int type, const char *table_name)
3033 struct connman_iptables *table = NULL;
3036 table_name = "filter";
3038 table = hash_table_lookup(type, table_name);
3043 table = iptables_init(type, table_name);
3049 g_free(table->name);
3051 table->name = g_strdup(table_name);
3053 hash_table_replace(type, table->name, table);
3058 struct parse_context {
3063 struct ip6t_ip6 *ipv6;
3064 struct xtables_target *xt_t;
3066 struct xtables_rule_match *xt_rm;
3070 static int prepare_getopt_args(const char *str, struct parse_context *ctx)
3075 tokens = g_strsplit_set(str, " ", -1);
3077 i = g_strv_length(tokens);
3079 /* Add space for the argv[0] value */
3082 /* Don't forget the last NULL entry */
3083 ctx->argv = g_try_malloc0((ctx->argc + 1) * sizeof(char *));
3090 * getopt_long() jumps over the first token; we need to add some
3091 * random argv[0] entry.
3093 ctx->argv[0] = g_strdup("argh");
3094 for (i = 1; i < ctx->argc; i++)
3095 ctx->argv[i] = tokens[i - 1];
3102 static int parse_xt_modules(int c, bool invert,
3103 struct parse_context *ctx)
3105 struct xtables_match *m;
3106 struct xtables_rule_match *rm;
3107 struct ipt_entry fw;
3108 struct ip6t_entry fw6;
3111 switch (ctx->type) {
3113 memset(&fw, 0, sizeof(fw));
3115 /* The SNAT parser wants to know the protocol. */
3116 if (ctx->proto == 0)
3117 ctx->proto = IPPROTO_IP;
3119 fw.ip.proto = ctx->proto;
3122 memset(&fw6, 0, sizeof(fw6));
3124 if (ctx->proto == 0)
3125 ctx->proto = IPPROTO_IPV6;
3127 fw6.ipv6.proto = ctx->proto;
3129 /* Flags must be set for IPv6 if protocol is set. */
3130 fw6.ipv6.flags |= IP6T_F_PROTO;
3137 for (rm = ctx->xt_rm; rm; rm = rm->next) {
3138 if (rm->completed != 0)
3143 if (!m->x6_parse && !m->parse)
3146 if (c < (int) m->option_offset ||
3147 c >= (int) m->option_offset
3148 + XT_OPTION_OFFSET_SCALE)
3153 if ((err = setjmp(env_state)) != 0) {
3154 DBG("setjmp() called by longjmp() with value %d", err);
3159 switch (ctx->type) {
3161 xtables_option_mpcall(c, ctx->argv, invert, m, &fw);
3164 xtables_option_mpcall(c, ctx->argv, invert, m, &fw6);
3174 if (!ctx->xt_t->x6_parse && !ctx->xt_t->parse)
3177 if (c < (int) ctx->xt_t->option_offset ||
3178 c >= (int) ctx->xt_t->option_offset
3179 + XT_OPTION_OFFSET_SCALE)
3184 if ((err = setjmp(env_state)) != 0) {
3185 DBG("setjmp() called by longjmp() with value %d", err);
3190 switch (ctx->type) {
3192 xtables_option_tpcall(c, ctx->argv, invert, ctx->xt_t, &fw);
3195 xtables_option_tpcall(c, ctx->argv, invert, ctx->xt_t, &fw6);
3204 static int final_check_xt_modules(struct parse_context *ctx)
3206 struct xtables_rule_match *rm;
3209 for (rm = ctx->xt_rm; rm; rm = rm->next) {
3212 if ((err = setjmp(env_state)) != 0) {
3213 DBG("setjmp() called by longjmp() with value %d", err);
3218 xtables_option_mfcall(rm->match);
3225 if ((err = setjmp(env_state)) != 0) {
3226 DBG("setjmp() called by longjmp() with value %d", err);
3232 xtables_option_tfcall(ctx->xt_t);
3239 static int parse_rule_spec(struct connman_iptables *table,
3240 struct parse_context *ctx)
3243 * How the parser works:
3245 * - If getopt finds 's', 'd', 'i', 'o'.
3246 * just extract the information.
3247 * - if '!' is found, set the invert flag to true and
3248 * removes the '!' from the optarg string and jumps
3249 * back to getopt to reparse the current optarg string.
3250 * After reparsing the invert flag is reset to false.
3251 * - If 'm' or 'j' is found then call either
3252 * prepare_matches() or prepare_target(). Those function
3253 * will modify (extend) the longopts for getopt_long.
3254 * That means getopt will change its matching context according
3255 * the loaded target.
3257 * Here an example with iptables-test
3259 * argv[0] = ./tools/iptables-test
3271 * getopt found 'm' then the optarg is "mark" and optind 7
3272 * The longopts array containts before hitting the `case 'm'`
3274 * val A has_arg 1 name append
3275 * val C has_arg 1 name compare
3276 * val D has_arg 1 name delete
3277 * val F has_arg 1 name flush-chain
3278 * val I has_arg 1 name insert
3279 * val L has_arg 2 name list
3280 * val N has_arg 1 name new-chain
3281 * val P has_arg 1 name policy
3282 * val X has_arg 1 name delete-chain
3283 * val d has_arg 1 name destination
3284 * val i has_arg 1 name in-interface
3285 * val j has_arg 1 name jump
3286 * val m has_arg 1 name match
3287 * val o has_arg 1 name out-interface
3288 * val s has_arg 1 name source
3289 * val t has_arg 1 name table
3291 * After executing the `case 'm'` block longopts is
3293 * val A has_arg 1 name append
3294 * val C has_arg 1 name compare
3295 * val D has_arg 1 name delete
3296 * val F has_arg 1 name flush-chain
3297 * val I has_arg 1 name insert
3298 * val L has_arg 2 name list
3299 * val N has_arg 1 name new-chain
3300 * val P has_arg 1 name policy
3301 * val X has_arg 1 name delete-chain
3302 * val d has_arg 1 name destination
3303 * val i has_arg 1 name in-interface
3304 * val j has_arg 1 name jump
3305 * val m has_arg 1 name match
3306 * val o has_arg 1 name out-interface
3307 * val s has_arg 1 name source
3308 * val t has_arg 1 name table
3309 * val has_arg 1 name mark
3311 * So the 'mark' matcher has added the 'mark' options
3312 * and getopt will then return c '256' optarg "999" optind 9
3313 * And we will hit the 'default' statement which then
3314 * will call the matchers parser (xt_m->parser() or
3315 * xtables_option_mpcall() depending on which version
3316 * of libxtables is found.
3318 struct xtables_match *xt_m;
3319 bool invert = false;
3322 if (ctx->type != table->type) {
3323 DBG("ctx->type %d does not match table->type %d", ctx->type,
3328 switch (ctx->type) {
3330 ctx->ip = g_try_new0(struct ipt_ip, 1);
3336 ctx->ipv6 = g_try_new0(struct ip6t_ip6, 1);
3346 * Tell getopt_long not to generate error messages for unknown
3347 * options and also reset optind back to 0.
3352 while ((c = getopt_long(ctx->argc, ctx->argv,
3354 ctx->type == AF_INET ?
3355 iptables_globals.opts :
3356 ip6tables_globals.opts,
3360 if (ctx->type == AF_INET) {
3361 /* Source specification */
3362 if (!parse_ip_and_mask(optarg,
3368 ctx->ip->invflags |= IPT_INV_SRCIP;
3371 if (ctx->type == AF_INET6) {
3372 if (!parse_ipv6_and_mask(optarg,
3378 ctx->ipv6->invflags |= IP6T_INV_SRCIP;
3383 if (ctx->type == AF_INET) {
3384 /* Destination specification */
3385 if (!parse_ip_and_mask(optarg,
3391 ctx->ip->invflags |= IPT_INV_DSTIP;
3394 if (ctx->type == AF_INET6) {
3395 /* Destination specification */
3396 if (!parse_ipv6_and_mask(optarg,
3402 ctx->ip->invflags |= IP6T_INV_DSTIP;
3407 /* In interface specification */
3408 len = strlen(optarg);
3410 if (len + 1 > IFNAMSIZ)
3413 if (ctx->type == AF_INET) {
3414 g_stpcpy(ctx->ip->iniface, optarg);
3415 memset(ctx->ip->iniface_mask, 0xff, len + 1);
3418 ctx->ip->invflags |= IPT_INV_VIA_IN;
3421 if (ctx->type == AF_INET6) {
3422 g_stpcpy(ctx->ipv6->iniface, optarg);
3423 memset(ctx->ipv6->iniface_mask, 0xff, len + 1);
3426 ctx->ipv6->invflags |= IP6T_INV_VIA_IN;
3431 /* Out interface specification */
3432 len = strlen(optarg);
3434 if (len + 1 > IFNAMSIZ)
3437 if (ctx->type == AF_INET) {
3438 g_stpcpy(ctx->ip->outiface, optarg);
3439 memset(ctx->ip->outiface_mask, 0xff, len + 1);
3442 ctx->ip->invflags |= IPT_INV_VIA_OUT;
3445 if (ctx->type == AF_INET6) {
3446 g_stpcpy(ctx->ipv6->outiface, optarg);
3447 memset(ctx->ipv6->outiface_mask, 0xff, len + 1);
3450 ctx->ipv6->invflags |= IP6T_INV_VIA_OUT;
3456 xt_m = prepare_matches(table, &ctx->xt_rm, optarg);
3461 ctx->xt_m = g_list_append(ctx->xt_m, xt_m);
3467 if ((err = setjmp(env_state)) != 0) {
3468 DBG("setjmp() called by longjmp() with value "
3472 /* Errors from parse_rule_spec are negative */
3477 ctx->proto = xtables_parse_protocol(optarg);
3482 * If protocol was set add it to ipt_ip.
3483 * xtables_parse_protocol() returns 0 or
3484 * UINT16_MAX (-1) on error
3486 if (ctx->proto > 0 && ctx->proto < UINT16_MAX) {
3487 if (ctx->type == AF_INET)
3488 ctx->ip->proto = ctx->proto;
3490 if (ctx->type == AF_INET6) {
3491 ctx->ipv6->proto = ctx->proto;
3494 * Flags must be set for IPv6 if
3497 ctx->ipv6->flags |= IP6T_F_PROTO;
3503 ctx->xt_t = prepare_target(table, optarg);
3511 if (optarg[0] == '!' && optarg[1] == '\0') {
3514 /* Remove the '!' from the optarg */
3518 * And recall getopt_long without resetting
3526 err = parse_xt_modules(c, invert, ctx);
3529 else if (err == -EINVAL)
3538 err = final_check_xt_modules(ctx);
3544 static int current_type = -1;
3546 static int setup_xtables(int type)
3552 if (type == current_type)
3555 if (current_type != -1)
3560 err = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
3563 err = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
3570 current_type = type;
3572 connman_error("error initializing xtables");
3580 static void reset_xtables(void)
3582 struct xtables_match *xt_m;
3583 struct xtables_target *xt_t;
3586 * As side effect parsing a rule sets some global flags
3587 * which will be evaluated/verified. Let's reset them
3588 * to ensure we can parse more than one rule.
3590 * Clear all flags because the flags are only valid
3593 for (xt_m = xtables_matches; xt_m; xt_m = xt_m->next)
3596 for (xt_t = xtables_targets; xt_t; xt_t = xt_t->next) {
3602 * We need also to free the memory implicitly allocated
3603 * during parsing (see xtables_options_xfrm()).
3604 * Note xt_params is actually iptables_globals.
3606 if (xt_params->opts != xt_params->orig_opts) {
3607 g_free(xt_params->opts);
3608 xt_params->opts = xt_params->orig_opts;
3610 xt_params->option_offset = 0;
3613 static void cleanup_parse_context(struct parse_context *ctx)
3615 struct xtables_rule_match *rm, *tmp;
3618 g_strfreev(ctx->argv);
3624 g_free(ctx->xt_t->t);
3625 ctx->xt_t->t = NULL;
3628 for (list = ctx->xt_m; list; list = list->next) {
3629 struct xtables_match *xt_m = list->data;
3633 if (xt_m != xt_m->next)
3638 g_list_free(ctx->xt_m);
3640 for (tmp = NULL, rm = ctx->xt_rm; rm; rm = rm->next) {
3650 int __connman_iptables_dump(int type, const char *table_name)
3652 struct connman_iptables *table;
3654 DBG("%d -t %s -L", type, table_name);
3656 table = get_table(type, table_name);
3665 int __connman_iptables_new_chain(int type,
3666 const char *table_name,
3669 struct connman_iptables *table;
3671 DBG("%d -t %s -N %s", type, table_name, chain);
3673 table = get_table(type, table_name);
3681 return iptables_add_chain(table, chain);
3687 int __connman_iptables_delete_chain(int type,
3688 const char *table_name,
3691 struct connman_iptables *table;
3693 DBG("%d -t %s -X %s", type, table_name, chain);
3695 table = get_table(type, table_name);
3699 return iptables_delete_chain(table, chain);
3702 int __connman_iptables_flush_chain(int type,
3703 const char *table_name,
3706 struct connman_iptables *table;
3708 DBG("%d -t %s -F %s", type, table_name, chain);
3710 table = get_table(type, table_name);
3714 return iptables_flush_chain(table, chain);
3717 int __connman_iptables_find_chain(int type,
3718 const char *table_name,
3721 struct connman_iptables *table;
3723 DBG("%d -t %s -F %s", type, table_name, chain);
3725 table = get_table(type, table_name);
3729 if(!find_chain_head(table, chain))
3730 return -ENOENT; // Not Found
3735 int __connman_iptables_change_policy(int type,
3736 const char *table_name,
3740 struct connman_iptables *table;
3742 DBG("%d -t %s -F %s", type, table_name, chain);
3744 table = get_table(type, table_name);
3748 return iptables_change_policy(table, chain, policy);
3751 static void iptables_ip_setup(struct iptables_ip *ip, struct parse_context *ctx)
3756 ip->type = ctx->type;
3758 ip->ip6 = ctx->ipv6;
3761 int __connman_iptables_append(int type,
3762 const char *table_name,
3764 const char *rule_spec)
3766 struct connman_iptables *table;
3767 struct parse_context *ctx;
3768 struct iptables_ip ip = { 0 };
3769 const char *target_name;
3772 err = setup_xtables(type);
3777 ctx = g_try_new0(struct parse_context, 1);
3783 DBG("%d -t %s -A %s %s", type, table_name, chain, rule_spec);
3785 err = prepare_getopt_args(rule_spec, ctx);
3789 table = get_table(type, table_name);
3795 err = parse_rule_spec(table, ctx);
3802 target_name = ctx->xt_t->name;
3804 iptables_ip_setup(&ip, ctx);
3806 err = iptables_append_rule(table, &ip, chain, target_name, ctx->xt_t,
3809 cleanup_parse_context(ctx);
3815 int __connman_iptables_insert(int type,
3816 const char *table_name,
3818 const char *rule_spec)
3820 struct connman_iptables *table;
3821 struct parse_context *ctx;
3822 struct iptables_ip ip = { 0 };
3823 const char *target_name;
3826 err = setup_xtables(type);
3831 ctx = g_try_new0(struct parse_context, 1);
3837 DBG("%d -t %s -I %s %s", type, table_name, chain, rule_spec);
3839 err = prepare_getopt_args(rule_spec, ctx);
3843 table = get_table(type, table_name);
3849 err = parse_rule_spec(table, ctx);
3856 target_name = ctx->xt_t->name;
3858 iptables_ip_setup(&ip, ctx);
3860 err = iptables_insert_rule(table, &ip, chain, target_name, ctx->xt_t,
3863 cleanup_parse_context(ctx);
3869 int __connman_iptables_delete(int type,
3870 const char *table_name,
3872 const char *rule_spec)
3874 struct connman_iptables *table;
3875 struct parse_context *ctx;
3876 struct iptables_ip ip = { 0 };
3877 const char *target_name;
3880 err = setup_xtables(type);
3885 ctx = g_try_new0(struct parse_context, 1);
3891 DBG("%d -t %s -D %s %s", type, table_name, chain, rule_spec);
3893 err = prepare_getopt_args(rule_spec, ctx);
3897 table = get_table(type, table_name);
3903 err = parse_rule_spec(table, ctx);
3910 target_name = ctx->xt_t->name;
3912 iptables_ip_setup(&ip, ctx);
3914 err = iptables_delete_rule(table, &ip, chain, target_name, ctx->xt_t,
3915 ctx->xt_m, ctx->xt_rm);
3917 cleanup_parse_context(ctx);
3923 int __connman_iptables_commit(int type, const char *table_name)
3925 struct connman_iptables *table;
3926 struct iptables_replace repl = { 0 };
3928 struct xt_counters_info *counters;
3929 struct connman_iptables_entry *e;
3933 err = setup_xtables(type);
3938 DBG("%d %s", type, table_name);
3942 table = hash_table_lookup(type, table_name);
3948 repl.r = iptables_blob(table);
3954 repl.r6 = ip6tables_blob(table);
3960 dump_replace(&repl);
3962 err = iptables_replace(table, &repl);
3967 counters = g_try_malloc0(sizeof(*counters) +
3968 sizeof(struct xt_counters) * table->num_entries);
3971 goto out_hash_remove;
3973 g_stpcpy(counters->name, iptables_table_get_info_name(table));
3974 counters->num_counters = table->num_entries;
3975 for (list = table->entries, cnt = 0; list; list = list->next, cnt++) {
3977 if (e->counter_idx >= 0) {
3981 counters->counters[cnt] =
3982 repl.r->counters[e->counter_idx];
3985 counters->counters[cnt] =
3986 repl.r6->counters[e->counter_idx];
3991 err = iptables_add_counters(table, counters);
3995 goto out_hash_remove;
4000 hash_table_remove(type, table_name);
4002 if (type == AF_INET && repl.r)
4003 g_free(repl.r->counters);
4005 if (type == AF_INET6 && repl.r6)
4006 g_free(repl.r6->counters);
4016 static void remove_table(gpointer user_data)
4018 struct connman_iptables *table = user_data;
4020 table_cleanup(table);
4023 static int iterate_chains_cb(struct connman_iptables_entry *entry, int builtin,
4024 unsigned int hook, size_t size,
4025 unsigned int offset, void *user_data)
4027 struct cb_data *cbd = user_data;
4028 connman_iptables_iterate_chains_cb_t cb = cbd->cb;
4029 struct xt_entry_target *target;
4031 if (offset + iptables_entry_get_next_offset(entry) == size)
4034 target = iptables_entry_get_target(entry);
4036 if (!g_strcmp0(target->u.user.name, get_error_target(entry->type))) {
4037 (*cb)((const char *)target->data, cbd->user_data);
4038 } else if (builtin >= 0) {
4039 (*cb)(hooknames[builtin], cbd->user_data);
4045 int __connman_iptables_iterate_chains(int type, const char *table_name,
4046 connman_iptables_iterate_chains_cb_t cb,
4049 struct cb_data *cbd = cb_data_new(cb, user_data);
4050 struct connman_iptables *table;
4051 struct connman_iptables_entry entry = { 0 };
4054 err = setup_xtables(type);
4055 #if defined TIZEN_EXT
4065 table = get_table(type, table_name);
4073 if (type == AF_INET)
4074 entry.entry = table->blob_entries->entrytable;
4076 if (type == AF_INET6)
4077 entry.entry6 = table->blob_entries6->entrytable;
4079 iterate_entries(&entry,
4080 iptables_table_get_info_valid_hooks(table),
4081 iptables_table_get_info_hook_entry(table),
4082 iptables_table_get_info_underflow(table),
4083 iptables_table_get_entries_size(table),
4084 iterate_chains_cb, cbd);
4093 int __connman_iptables_init(void)
4097 if (getenv("CONNMAN_IPTABLES_DEBUG"))
4098 debug_enabled = true;
4100 table_hash = g_hash_table_new_full(g_str_hash, g_str_equal,
4101 NULL, remove_table);
4103 table_hash_ipv6 = g_hash_table_new_full(g_str_hash, g_str_equal,
4104 NULL, remove_table);
4109 void __connman_iptables_cleanup(void)
4113 g_hash_table_destroy(table_hash);
4114 g_hash_table_destroy(table_hash_ipv6);
projects / platform / upstream / connman.git / blob