5 * Copyright (C) 2007-2013 Intel Corporation. All rights reserved.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
32 #include <sys/socket.h>
37 #include <linux/netfilter_ipv4/ip_tables.h>
38 #include <linux/netfilter_ipv6/ip6_tables.h>
41 #include "src/shared/util.h"
44 * Some comments on how the iptables API works (some of them from the
45 * source code from iptables and the kernel):
47 * - valid_hooks: bit indicates valid IDs for hook_entry
48 * - hook_entry[ID] offset to the chain start
49 * - overflows should be end of entry chains, and uncodintional policy nodes.
50 * - policy entry: last entry in a chain
51 * - user chain: end of last builtin + policy entry
52 * - final entry must be error node
53 * - Underflows must be unconditional and use the STANDARD target with
55 * - IPT_SO_GET_INFO and IPT_SO_GET_ENTRIES are used to read a table
56 * - IPT_SO_GET_INFO: struct ipt_getinfo (note the lack of table content)
57 * - IPT_SO_GET_ENTRIES: struct ipt_get_entries (contains only parts of the
58 * table header/meta info. The table is appended after the header. The entries
59 * are of the type struct ipt_entry.
60 * - After the ipt_entry the matches are appended. After the matches
61 * the target is appended.
62 * - ipt_entry->target_offset = Size of ipt_entry + matches
63 * - ipt_entry->next_offset = Size of ipt_entry + matches + target
64 * - IPT_SO_SET_REPLACE is used to write a table (contains the complete
65 * - hook_entry and overflow mark the beginning and the end of a chain, e.g
66 * entry hook: pre/in/fwd/out/post -1/0/352/504/-1
67 * underflow: pre/in/fwd/out/post -1/200/352/904/-1
68 * means that INPUT starts at offset 0 and ends at 200 (the start offset to
69 * the last element). FORWARD has one entry starting/ending at 352. The entry
70 * has a size of 152. 352 + 152 = 504 which is the start of the OUTPUT chain
71 * which then ends at 904. PREROUTING and POSTROUTING are invalid hooks in
73 * - 'iptables -t filter -A INPUT -m mark --mark 999 -j LOG'
74 * writing that table looks like this:
76 * filter valid_hooks 0x0000000e num_entries 5 size 856
77 * entry hook: pre/in/fwd/out/post -1/0/376/528/-1
78 * underflow: pre/in/fwd/out/post -1/224/376/528/-1
79 * entry 0x699d30 offset 0 size 224
80 * RULE match 0x699da0 target 0x699dd0
81 * match mark match 0x3e7
82 * target LOG flags 0 level 4
85 * entry 0x699e10 offset 224 size 152
86 * RULE match 0x699e80 target 0x699e80
90 * entry 0x699ea8 offset 376 size 152
91 * RULE match 0x699f18 target 0x699f18
95 * entry 0x699f40 offset 528 size 152
96 * RULE match 0x699fb0 target 0x699fb0
100 * entry 0x699fd8 offset 680 size 176
101 * USER CHAIN (ERROR) match 0x69a048 target 0x69a048
103 * Reading the filter table looks like this:
105 * filter valid_hooks 0x0000000e num_entries 5 size 856
106 * entry hook: pre/in/fwd/out/post -1/0/376/528/-1
107 * underflow: pre/in/fwd/out/post -1/224/376/528/-1
108 * entry 0x25fec28 offset 0 size 224
109 * CHAIN (INPUT) match 0x25fec98 target 0x25fecc8
110 * match mark match 0x3e7
111 * target LOG flags 0 level 4
112 * src 0.0.0.0/0.0.0.0
113 * dst 0.0.0.0/0.0.0.0
114 * entry 0x25fed08 offset 224 size 152
115 * RULE match 0x25fed78 target 0x25fed78
117 * src 0.0.0.0/0.0.0.0
118 * dst 0.0.0.0/0.0.0.0
119 * entry 0x25feda0 offset 376 size 152
120 * CHAIN (FORWARD) match 0x25fee10 target 0x25fee10
122 * src 0.0.0.0/0.0.0.0
123 * dst 0.0.0.0/0.0.0.0
124 * entry 0x25fee38 offset 528 size 152
125 * CHAIN (OUTPUT) match 0x25feea8 target 0x25feea8
127 * src 0.0.0.0/0.0.0.0
128 * dst 0.0.0.0/0.0.0.0
129 * entry 0x25feed0 offset 680 size 176
134 * Values for the index values used here are defined as equal for both IPv4
135 * and IPv6 (NF_IP_* and NF_IP6_*) in Netfilter headers.
137 static const char *hooknames[] = {
138 [NF_IP_PRE_ROUTING] = "PREROUTING",
139 [NF_IP_LOCAL_IN] = "INPUT",
140 [NF_IP_FORWARD] = "FORWARD",
141 [NF_IP_LOCAL_OUT] = "OUTPUT",
142 [NF_IP_POST_ROUTING] = "POSTROUTING",
145 #define LABEL_ACCEPT "ACCEPT"
146 #define LABEL_DROP "DROP"
147 #define LABEL_QUEUE "QUEUE"
148 #define LABEL_RETURN "RETURN"
150 #define XT_OPTION_OFFSET_SCALE 256
152 struct connman_iptables_entry {
158 struct ipt_entry *entry;
159 struct ip6t_entry *entry6;
162 struct connman_iptables {
167 struct ipt_getinfo *info;
168 struct ipt_get_entries *blob_entries;
169 struct ip6t_getinfo *info6;
170 struct ip6t_get_entries *blob_entries6;
172 unsigned int num_entries;
173 unsigned int old_entries;
176 unsigned int underflow[NF_INET_NUMHOOKS];
177 unsigned int hook_entry[NF_INET_NUMHOOKS];
182 static GHashTable *table_hash = NULL;
183 static GHashTable *table_hash_ipv6 = NULL;
184 static bool debug_enabled = false;
189 struct ip6t_ip6 *ip6;
192 struct iptables_replace {
194 struct ipt_replace *r;
195 struct ip6t_replace *r6;
198 static jmp_buf env_state;
199 static bool jmp_set = false;
201 static void enable_jmp()
206 static void disable_jmp()
211 static bool can_jmp()
213 DBG("%s", jmp_set ? "true" : "false");
217 typedef int (*iterate_entries_cb_t)(struct connman_iptables_entry *entry,
218 int builtin, unsigned int hook,
219 size_t size, unsigned int offset,
222 static u_int16_t iptables_entry_get_next_offset(
223 struct connman_iptables_entry *entry)
228 switch (entry->type) {
230 return entry->entry ? entry->entry->next_offset : 0;
232 return entry->entry6 ? entry->entry6->next_offset : 0;
238 static u_int16_t iptables_entry_get_target_offset(
239 struct connman_iptables_entry *entry)
244 switch (entry->type) {
246 return entry->entry ? entry->entry->target_offset : 0;
248 return entry->entry6 ? entry->entry6->target_offset : 0;
254 static unsigned char *iptables_entry_get_elems(
255 struct connman_iptables_entry *entry)
260 switch (entry->type) {
262 return entry->entry ? entry->entry->elems : NULL;
264 return entry->entry6 ? entry->entry6->elems : NULL;
270 static struct xt_entry_target *iptables_entry_get_target(
271 struct connman_iptables_entry *entry)
276 switch (entry->type) {
278 return entry->entry ? ipt_get_target(entry->entry) : NULL;
280 return entry->entry6 ? ip6t_get_target(entry->entry6) : NULL;
286 static struct xt_counters *iptables_entry_get_counters(
287 struct connman_iptables_entry *entry)
292 switch (entry->type) {
294 return entry->entry ? &entry->entry->counters : NULL;
296 return entry->entry6 ? &entry->entry6->counters : NULL;
302 static void iptables_entry_free(struct connman_iptables_entry *entry)
307 g_free(entry->entry);
308 g_free(entry->entry6);
312 static const char *iptables_table_get_info_name(struct connman_iptables* table)
317 switch (table->type) {
319 return table->info->name;
321 return table->info6->name;
327 static unsigned int iptables_table_get_info_num_entries(
328 struct connman_iptables* table)
333 switch (table->type) {
335 return table->info->num_entries;
337 return table->info6->num_entries;
343 static unsigned int iptables_table_get_info_size(struct connman_iptables* table)
348 switch (table->type) {
350 return table->info->size;
352 return table->info6->size;
358 static unsigned int iptables_table_get_info_valid_hooks(
359 struct connman_iptables* table)
364 switch (table->type) {
366 return table->info->valid_hooks;
368 return table->info6->valid_hooks;
374 static unsigned int *iptables_table_get_info_hook_entry(
375 struct connman_iptables* table)
380 switch (table->type) {
382 return table->info->hook_entry;
384 return table->info6->hook_entry;
390 static unsigned int *iptables_table_get_info_underflow(
391 struct connman_iptables* table)
396 switch (table->type) {
398 return table->info->underflow;
400 return table->info6->underflow;
406 static unsigned int iptables_table_get_entries_size(
407 struct connman_iptables* table)
412 switch (table->type) {
414 return table->blob_entries->size;
416 return table->blob_entries6->size;
422 static const char *get_error_target(int type)
426 return IPT_ERROR_TARGET;
428 return IP6T_ERROR_TARGET;
430 return XT_ERROR_TARGET;
434 static const char *get_standard_target(int type)
438 return IPT_STANDARD_TARGET;
440 return IP6T_STANDARD_TARGET;
442 return XT_STANDARD_TARGET;
446 static struct connman_iptables *hash_table_lookup(int type,
447 const char *table_name) {
451 return g_hash_table_lookup(table_hash, table_name);
453 return g_hash_table_lookup(table_hash_ipv6, table_name);
459 static bool hash_table_replace(int type,
461 struct connman_iptables *table) {
465 return g_hash_table_replace(table_hash, table_name, table);
467 return g_hash_table_replace(table_hash_ipv6, table_name, table);
473 static bool hash_table_remove(int type, const char *table_name)
477 return g_hash_table_remove(table_hash, table_name);
479 return g_hash_table_remove(table_hash_ipv6, table_name);
485 static unsigned int next_hook_entry_index(unsigned int *valid_hooks)
489 if (*valid_hooks == 0)
490 return NF_INET_NUMHOOKS;
492 h = __builtin_ffs(*valid_hooks) - 1;
493 *valid_hooks ^= (1 << h);
498 static int iterate_entries(struct connman_iptables_entry *entries,
499 unsigned int valid_hooks,
500 unsigned int *hook_entry,
501 unsigned int *underflow,
502 size_t size, iterate_entries_cb_t cb,
505 unsigned int offset, h, hook;
507 struct connman_iptables_entry entry;
512 switch (entries->type) {
519 if (!entries->entry6)
527 h = next_hook_entry_index(&valid_hooks);
530 entry.type = entries->type;
531 entry.entry = entries->entry;
532 entry.entry6 = entries->entry6;
534 for (offset = 0; offset < size;
535 offset += iptables_entry_get_next_offset(&entry)) {
538 switch (entries->type) {
540 entry.entry = (void* )entries->entry + offset;
543 entry.entry6 = (void* )entries->entry6 + offset;
548 * Updating builtin, hook and h is very tricky.
550 * - builtin is only set to the current hook number
551 * if the current entry is the hook entry (aka chain
552 * head). And only for builtin chains, never for
554 * - hook is the current hook number. If we
555 * look at user chains it needs to be NF_INET_NETNUMHOOKS.
556 * - h is the next hook entry. Thous we need to be carefully
557 * not to access the table when h is NF_INET_NETNUMHOOKS.
559 if (h < NF_INET_NUMHOOKS && hook_entry[h] == offset) {
564 if (h == NF_INET_NUMHOOKS)
567 if (h < NF_INET_NUMHOOKS && underflow[h] <= offset)
568 h = next_hook_entry_index(&valid_hooks);
570 err = cb(&entry, builtin, hook, size, offset, user_data);
578 static int print_entry(struct connman_iptables_entry *entry, int builtin,
579 unsigned int hook, size_t size,
580 unsigned int offset, void *user_data)
582 iterate_entries_cb_t cb;
583 struct xt_counters *counters;
586 counters = iptables_entry_get_counters(entry);
588 DBG("entry %p hook %u offset %u size %u packets %"PRIu64" "
589 "bytes %"PRIu64, entry, hook, offset,
590 iptables_entry_get_next_offset(entry),
591 (uint64_t) counters->pcnt, (uint64_t) counters->bcnt);
593 return cb(entry, builtin, hook, size, offset, NULL);
596 static int target_to_verdict(const char *target_name)
598 if (!g_strcmp0(target_name, LABEL_ACCEPT))
599 return -NF_ACCEPT - 1;
601 if (!g_strcmp0(target_name, LABEL_DROP))
604 if (!g_strcmp0(target_name, LABEL_QUEUE))
605 return -NF_QUEUE - 1;
607 if (!g_strcmp0(target_name, LABEL_RETURN))
613 static bool is_builtin_target(const char *target_name)
615 if (!g_strcmp0(target_name, LABEL_ACCEPT) ||
616 !g_strcmp0(target_name, LABEL_DROP) ||
617 !g_strcmp0(target_name, LABEL_QUEUE) ||
618 !g_strcmp0(target_name, LABEL_RETURN))
624 static bool is_jump(struct connman_iptables_entry *e)
626 struct xt_entry_target *target;
628 target = iptables_entry_get_target(e);
633 if (!g_strcmp0(target->u.user.name, get_standard_target(e->type))) {
634 struct xt_standard_target *t;
636 t = (struct xt_standard_target *)target;
638 switch (t->verdict) {
654 static bool is_fallthrough(struct connman_iptables_entry *e)
656 struct xt_entry_target *target;
658 target = iptables_entry_get_target(e);
663 if (!g_strcmp0(target->u.user.name, get_standard_target(e->type))) {
664 struct xt_standard_target *t;
666 t = (struct xt_standard_target *)target;
673 static bool is_chain(struct connman_iptables *table,
674 struct connman_iptables_entry *e)
676 struct xt_entry_target *target;
684 target = iptables_entry_get_target(e);
689 if (!g_strcmp0(target->u.user.name, get_error_target(e->type)))
695 static GList *find_chain_head(struct connman_iptables *table,
696 const char *chain_name)
699 struct connman_iptables_entry *head;
700 struct xt_entry_target *target;
703 switch (table->type) {
711 for (list = table->entries; list; list = list->next) {
715 builtin = head->builtin;
717 if (builtin >= 0 && !g_strcmp0(hooknames[builtin], chain_name))
720 /* User defined chain */
721 target = iptables_entry_get_target(head);
726 if (!g_strcmp0(target->u.user.name,
727 get_error_target(table->type)) &&
728 !g_strcmp0((char *)target->data, chain_name))
735 static GList *find_chain_tail(struct connman_iptables *table,
736 const char *chain_name)
738 struct connman_iptables_entry *tail;
739 GList *chain_head, *list;
741 chain_head = find_chain_head(table, chain_name);
745 /* Then we look for the next chain */
746 for (list = chain_head->next; list; list = list->next) {
749 if (is_chain(table, tail))
753 /* Nothing found, we return the table end */
754 return g_list_last(table->entries);
757 static void update_offsets(struct connman_iptables *table)
760 struct connman_iptables_entry *entry, *prev_entry;
762 for (list = table->entries; list; list = list->next) {
765 if (list == table->entries) {
772 prev_entry = prev->data;
774 entry->offset = prev_entry->offset +
775 iptables_entry_get_next_offset(
780 static void update_targets_reference(struct connman_iptables *table,
781 struct connman_iptables_entry *entry_before,
782 struct connman_iptables_entry *modified_entry,
785 struct connman_iptables_entry *tmp;
786 struct xt_standard_target *t;
790 offset = iptables_entry_get_next_offset(modified_entry);
792 for (list = table->entries; list; list = list->next) {
798 t = (struct xt_standard_target *)
799 iptables_entry_get_target(tmp);
805 if (t->verdict >= entry_before->offset)
806 t->verdict -= offset;
808 if (t->verdict > entry_before->offset)
809 t->verdict += offset;
813 if (is_fallthrough(modified_entry)) {
814 t = (struct xt_standard_target *)
815 iptables_entry_get_target(modified_entry);
820 t->verdict = entry_before->offset +
821 iptables_entry_get_target_offset(modified_entry) +
822 XT_ALIGN(sizeof(struct xt_standard_target));
823 t->target.u.target_size =
824 XT_ALIGN(sizeof(struct xt_standard_target));
828 static int iptables_add_entry(struct connman_iptables *table,
829 struct connman_iptables_entry *entry,
830 GList *before, int builtin, int counter_idx)
832 struct connman_iptables_entry *e, *entry_before;
838 e = g_try_malloc0(sizeof(struct connman_iptables_entry));
842 switch (table->type) {
844 e->entry = entry->entry;
847 e->entry6 = entry->entry6;
854 e->type = entry->type;
855 e->builtin = builtin;
856 e->counter_idx = counter_idx;
858 table->entries = g_list_insert_before(table->entries, before, e);
859 table->num_entries++;
860 table->size += iptables_entry_get_next_offset(e);
863 e->offset = table->size -
864 iptables_entry_get_next_offset(e);
868 entry_before = before->data;
871 * We've just appended/inserted a new entry. All references
872 * should be bumped accordingly.
874 update_targets_reference(table, entry_before, e, false);
876 update_offsets(table);
881 static int remove_table_entry(struct connman_iptables *table,
882 struct connman_iptables_entry *entry)
885 u_int16_t next_offset;
887 next_offset = iptables_entry_get_next_offset(entry);
888 table->num_entries--;
890 table->size -= next_offset;
891 removed = next_offset;
893 table->entries = g_list_remove(table->entries, entry);
895 iptables_entry_free(entry);
900 static void delete_update_hooks(struct connman_iptables *table,
901 int builtin, GList *chain_head,
904 struct connman_iptables_entry *e;
907 e = chain_head->data;
908 e->builtin = builtin;
910 table->underflow[builtin] -= removed;
912 for (list = chain_head->next; list; list = list->next) {
918 table->hook_entry[e->builtin] -= removed;
919 table->underflow[e->builtin] -= removed;
923 static int iptables_flush_chain(struct connman_iptables *table,
926 GList *chain_head, *chain_tail, *list, *next;
927 struct connman_iptables_entry *entry;
928 int builtin, removed = 0;
930 DBG("table %s chain %s", table->name, name);
932 chain_head = find_chain_head(table, name);
936 chain_tail = find_chain_tail(table, name);
940 entry = chain_head->data;
941 builtin = entry->builtin;
946 list = chain_head->next;
948 if (list == chain_tail->prev)
951 while (list != chain_tail->prev) {
953 next = g_list_next(list);
955 removed += remove_table_entry(table, entry);
961 delete_update_hooks(table, builtin, chain_tail->prev, removed);
963 update_offsets(table);
968 static int iptables_add_chain(struct connman_iptables *table,
972 struct ipt_entry *entry_head = NULL;
973 struct ipt_entry *entry_return = NULL;
974 struct ip6t_entry *entry6_head = NULL;
975 struct ip6t_entry *entry6_return = NULL;
976 struct connman_iptables_entry entry = { 0 };
977 struct xt_error_target *error = NULL;
978 struct ipt_standard_target *standard = NULL;
979 u_int16_t entry_head_size, entry_return_size;
980 size_t entry_struct_size = 0;
981 size_t xt_error_target_size = 0;
982 size_t standard_target_size = 0;
984 DBG("table %s chain %s", table->name, name);
986 entry.type = table->type;
988 /* Do not allow to add duplicate chains */
989 if (find_chain_head(table, name))
992 last = g_list_last(table->entries);
994 xt_error_target_size = XT_ALIGN(sizeof(struct xt_error_target));
997 * An empty chain is composed of:
998 * - A head entry, with no match and an error target.
999 * The error target data is the chain name.
1000 * - A tail entry, with no match and a standard target.
1001 * The standard target verdict is XT_RETURN (return to the
1006 switch (entry.type) {
1008 entry_struct_size = XT_ALIGN(sizeof(struct ipt_entry));
1009 entry_head_size = entry_struct_size + xt_error_target_size;
1011 entry_head = g_try_malloc0(entry_head_size);
1015 entry_head->target_offset = entry_struct_size;
1016 entry_head->next_offset = entry_head_size;
1018 error = (struct xt_error_target *) entry_head->elems;
1020 entry.entry = entry_head;
1023 entry_struct_size = XT_ALIGN(sizeof(struct ip6t_entry));
1024 entry_head_size = entry_struct_size + xt_error_target_size;
1026 entry6_head = g_try_malloc0(entry_head_size);
1030 entry6_head->target_offset = entry_struct_size;
1031 entry6_head->next_offset = entry_head_size;
1033 error = (struct xt_error_target *) entry6_head->elems;
1035 entry.entry6 = entry6_head;
1041 g_stpcpy(error->target.u.user.name, get_error_target(entry.type));
1042 error->target.u.user.target_size = xt_error_target_size;
1043 g_stpcpy(error->errorname, name);
1045 if (iptables_add_entry(table, &entry, last, -1, -1) < 0)
1048 standard_target_size = XT_ALIGN(sizeof(struct ipt_standard_target));
1049 entry_return_size = entry_struct_size + standard_target_size;
1052 switch (entry.type) {
1054 entry_return = g_try_malloc0(entry_return_size);
1058 entry_return->target_offset = entry_struct_size;
1059 entry_return->next_offset = entry_return_size;
1061 standard = (struct ipt_standard_target *) entry_return->elems;
1063 entry.entry = entry_return;
1066 entry6_return = g_try_malloc0(entry_return_size);
1070 entry6_return->target_offset = entry_struct_size;
1071 entry6_return->next_offset = entry_return_size;
1073 standard = (struct ipt_standard_target *) entry6_return->elems;
1075 entry.entry6 = entry6_return;
1079 standard->target.u.user.target_size = standard_target_size;
1080 standard->verdict = XT_RETURN;
1082 if (iptables_add_entry(table, &entry, last, -1, -1) < 0)
1088 g_free(entry_return);
1089 g_free(entry6_return);
1092 g_free(entry6_head);
1097 static int iptables_delete_chain(struct connman_iptables *table,
1100 struct connman_iptables_entry *entry;
1101 GList *chain_head, *chain_tail;
1103 DBG("table %s chain %s", table->name, name);
1105 chain_head = find_chain_head(table, name);
1109 entry = chain_head->data;
1111 /* We cannot remove builtin chain */
1112 if (entry->builtin >= 0)
1115 chain_tail = find_chain_tail(table, name);
1119 /* Chain must be flushed */
1120 if (chain_head->next != chain_tail->prev)
1123 remove_table_entry(table, entry);
1125 entry = chain_tail->prev->data;
1126 remove_table_entry(table, entry);
1128 update_offsets(table);
1133 static struct connman_iptables_entry *new_rule(struct iptables_ip *ip,
1134 const char *target_name, struct xtables_target *xt_t,
1135 struct xtables_rule_match *xt_rm)
1137 struct xtables_rule_match *tmp_xt_rm;
1138 struct connman_iptables_entry *new_entry;
1139 size_t match_size, target_size;
1141 new_entry = g_try_malloc0(sizeof(struct connman_iptables_entry));
1146 new_entry->type = ip->type;
1149 for (tmp_xt_rm = xt_rm; tmp_xt_rm; tmp_xt_rm = tmp_xt_rm->next)
1150 match_size += tmp_xt_rm->match->m->u.match_size;
1153 target_size = xt_t->t->u.target_size;
1155 target_size = XT_ALIGN(sizeof(struct xt_standard_target));
1159 new_entry->entry = g_try_malloc0(
1160 XT_ALIGN(sizeof(struct ipt_entry)) +
1161 target_size + match_size);
1162 if (!new_entry->entry)
1165 memcpy(&new_entry->entry->ip, ip->ip, sizeof(struct ipt_ip));
1167 new_entry->entry->target_offset =
1168 XT_ALIGN(sizeof(struct ipt_entry)) +
1170 new_entry->entry->next_offset =
1171 XT_ALIGN(sizeof(struct ipt_entry)) +
1172 target_size + match_size;
1175 new_entry->entry6 = g_try_malloc0(
1176 XT_ALIGN(sizeof(struct ip6t_entry)) +
1177 target_size + match_size);
1178 if (!new_entry->entry6)
1181 memcpy(&new_entry->entry6->ipv6, ip->ip6,
1182 sizeof(struct ip6t_ip6));
1184 new_entry->entry6->target_offset =
1185 XT_ALIGN(sizeof(struct ip6t_entry)) +
1187 new_entry->entry6->next_offset =
1188 XT_ALIGN(sizeof(struct ip6t_entry)) +
1189 target_size + match_size;
1196 for (tmp_xt_rm = xt_rm; tmp_xt_rm;
1197 tmp_xt_rm = tmp_xt_rm->next) {
1199 switch (new_entry->type) {
1201 memcpy(new_entry->entry->elems + match_size,
1202 tmp_xt_rm->match->m,
1203 tmp_xt_rm->match->m->u.match_size);
1206 memcpy(new_entry->entry6->elems + match_size,
1207 tmp_xt_rm->match->m,
1208 tmp_xt_rm->match->m->u.match_size);
1211 match_size += tmp_xt_rm->match->m->u.match_size;
1215 struct xt_entry_target *entry_target;
1217 entry_target = iptables_entry_get_target(new_entry);
1218 memcpy(entry_target, xt_t->t, target_size);
1229 static void update_hooks(struct connman_iptables *table, GList *chain_head,
1230 struct connman_iptables_entry *entry)
1233 struct connman_iptables_entry *head, *e;
1235 u_int16_t next_offset;
1237 if (!table || !chain_head)
1240 head = chain_head->data;
1242 builtin = head->builtin;
1246 next_offset = iptables_entry_get_next_offset(entry);
1248 table->underflow[builtin] += next_offset;
1250 for (list = chain_head->next; list; list = list->next) {
1253 builtin = e->builtin;
1257 table->hook_entry[builtin] += next_offset;
1258 table->underflow[builtin] += next_offset;
1262 static struct connman_iptables_entry *prepare_rule_inclusion(
1263 struct connman_iptables *table,
1264 struct iptables_ip *ip,
1265 const char *chain_name,
1266 const char *target_name,
1267 struct xtables_target *xt_t,
1269 struct xtables_rule_match *xt_rm,
1272 GList *chain_tail, *chain_head;
1273 struct connman_iptables_entry *head;
1274 struct connman_iptables_entry *new_entry;
1276 chain_head = find_chain_head(table, chain_name);
1280 chain_tail = find_chain_tail(table, chain_name);
1284 new_entry = new_rule(ip, target_name, xt_t, xt_rm);
1286 switch (new_entry->type) {
1288 if (new_entry->entry)
1291 if (new_entry->entry6)
1297 update_hooks(table, chain_head, new_entry);
1300 * If the chain is builtin, and does not have any rule,
1301 * then the one that we're inserting is becoming the head
1302 * and thus needs the builtin flag.
1304 head = chain_head->data;
1305 if (head->builtin < 0)
1307 else if (insert || chain_head == chain_tail->prev) {
1308 *builtin = head->builtin;
1320 static int iptables_append_rule(struct connman_iptables *table,
1321 struct iptables_ip *ip,
1322 const char *chain_name,
1323 const char *target_name,
1324 struct xtables_target *xt_t,
1325 struct xtables_rule_match *xt_rm)
1327 struct connman_iptables_entry *new_entry;
1328 int builtin = -1, ret;
1331 DBG("table %s chain %s", table->name, chain_name);
1333 chain_tail = find_chain_tail(table, chain_name);
1337 new_entry = prepare_rule_inclusion(table, ip, chain_name, target_name,
1338 xt_t, &builtin, xt_rm, false);
1343 switch (new_entry->type) {
1345 if (new_entry->entry)
1348 if (new_entry->entry6)
1355 ret = iptables_add_entry(table, new_entry, chain_tail->prev,
1361 * Free only the container, not the content iptables_add_entry()
1362 * allocates new containers for entries.
1369 iptables_entry_free(new_entry);
1374 static int iptables_insert_rule(struct connman_iptables *table,
1375 struct iptables_ip *ip,
1376 const char *chain_name,
1377 const char *target_name,
1378 struct xtables_target *xt_t,
1379 struct xtables_rule_match *xt_rm)
1381 struct connman_iptables_entry *new_entry;
1382 int builtin = -1, ret;
1385 DBG("table %s chain %s", table->name, chain_name);
1387 chain_head = find_chain_head(table, chain_name);
1391 new_entry = prepare_rule_inclusion(table, ip, chain_name, target_name,
1392 xt_t, &builtin, xt_rm, true);
1397 switch (new_entry->type) {
1399 if (new_entry->entry)
1402 if (new_entry->entry6)
1410 chain_head = chain_head->next;
1412 ret = iptables_add_entry(table, new_entry, chain_head, builtin, -1);
1417 * Free only the container, not the content iptables_add_entry()
1418 * allocates new containers for entries.
1425 iptables_entry_free(new_entry);
1430 static bool is_same_ipt_entry(struct ipt_entry *i_e1,
1431 struct ipt_entry *i_e2)
1433 if (memcmp(&i_e1->ip, &i_e2->ip, sizeof(struct ipt_ip)) != 0)
1436 if (i_e1->target_offset != i_e2->target_offset)
1439 if (i_e1->next_offset != i_e2->next_offset)
1445 /* A copy of is_same_ipt_entry with IPv6 structures */
1446 static bool is_same_ip6t_entry(struct ip6t_entry *i_e1,
1447 struct ip6t_entry *i_e2)
1449 if (memcmp(&i_e1->ipv6, &i_e2->ipv6, sizeof(struct ip6t_ip6)) != 0)
1452 if (i_e1->target_offset != i_e2->target_offset)
1455 if (i_e1->next_offset != i_e2->next_offset)
1461 static bool is_same_iptables_entry(struct connman_iptables_entry *e1,
1462 struct connman_iptables_entry *e2)
1464 if (e1->type != e2->type)
1469 return is_same_ipt_entry(e1->entry, e2->entry);
1471 return is_same_ip6t_entry(e1->entry6, e2->entry6);
1477 static bool is_same_target(struct xt_entry_target *xt_e_t1,
1478 struct xt_entry_target *xt_e_t2)
1482 if (!xt_e_t1 || !xt_e_t2)
1485 if (g_strcmp0(xt_e_t1->u.user.name, "") == 0 &&
1486 g_strcmp0(xt_e_t2->u.user.name, "") == 0) {
1491 * IPT_STANDARD_TARGET and IP6T_STANDARD_TARGET are defined by
1492 * XT_STANDARD_TARGET
1494 } else if (g_strcmp0(xt_e_t1->u.user.name, XT_STANDARD_TARGET) == 0) {
1495 struct xt_standard_target *xt_s_t1;
1496 struct xt_standard_target *xt_s_t2;
1498 xt_s_t1 = (struct xt_standard_target *) xt_e_t1;
1499 xt_s_t2 = (struct xt_standard_target *) xt_e_t2;
1501 if (xt_s_t1->verdict != xt_s_t2->verdict)
1504 if (xt_e_t1->u.target_size != xt_e_t2->u.target_size)
1507 if (g_strcmp0(xt_e_t1->u.user.name, xt_e_t2->u.user.name) != 0)
1510 for (i = 0; i < xt_e_t1->u.target_size -
1511 sizeof(struct xt_standard_target); i++) {
1512 if ((xt_e_t1->data[i] ^ xt_e_t2->data[i]) != 0)
1520 static bool is_same_match(struct xt_entry_match *xt_e_m1,
1521 struct xt_entry_match *xt_e_m2)
1525 if (!xt_e_m1 || !xt_e_m2)
1528 if (xt_e_m1->u.match_size != xt_e_m2->u.match_size)
1531 if (xt_e_m1->u.user.revision != xt_e_m2->u.user.revision)
1534 if (g_strcmp0(xt_e_m1->u.user.name, xt_e_m2->u.user.name) != 0)
1537 for (i = 0; i < xt_e_m1->u.match_size - sizeof(struct xt_entry_match);
1539 if ((xt_e_m1->data[i] ^ xt_e_m2->data[i]) != 0)
1546 static GList *find_existing_rule(struct connman_iptables *table,
1547 struct iptables_ip *ip,
1548 const char *chain_name,
1549 const char *target_name,
1550 struct xtables_target *xt_t,
1552 struct xtables_rule_match *xt_rm)
1554 GList *chain_tail, *chain_head, *list;
1555 struct xt_entry_target *xt_e_t = NULL;
1556 struct xt_entry_match *xt_e_m = NULL;
1557 struct connman_iptables_entry *entry;
1558 struct connman_iptables_entry *entry_test;
1561 chain_head = find_chain_head(table, chain_name);
1565 chain_tail = find_chain_tail(table, chain_name);
1569 if (!xt_t && !matches)
1572 entry_test = new_rule(ip, target_name, xt_t, xt_rm);
1574 switch (entry_test->type) {
1576 if (!entry_test->entry)
1580 if (!entry_test->entry6)
1588 xt_e_t = iptables_entry_get_target(entry_test);
1590 xt_e_m = (struct xt_entry_match *)
1591 iptables_entry_get_elems(entry_test);
1593 entry = chain_head->data;
1594 builtin = entry->builtin;
1599 list = chain_head->next;
1601 for (; list != chain_tail->prev; list = list->next) {
1602 struct connman_iptables_entry *tmp;
1606 if (!is_same_iptables_entry(entry_test, tmp))
1610 struct xt_entry_target *tmp_xt_e_t = NULL;
1612 tmp_xt_e_t = iptables_entry_get_target(tmp);
1614 if (!is_same_target(tmp_xt_e_t, xt_e_t))
1619 struct xt_entry_match *tmp_xt_e_m;
1621 tmp_xt_e_m = (struct xt_entry_match *)
1622 iptables_entry_get_elems(tmp);
1624 if (!is_same_match(tmp_xt_e_m, xt_e_m))
1631 iptables_entry_free(entry_test);
1633 if (list != chain_tail->prev)
1639 static int iptables_delete_rule(struct connman_iptables *table,
1640 struct iptables_ip *ip,
1641 const char *chain_name,
1642 const char *target_name,
1643 struct xtables_target *xt_t,
1645 struct xtables_rule_match *xt_rm)
1647 struct connman_iptables_entry *entry;
1648 GList *chain_head, *chain_tail, *list;
1649 int builtin, removed;
1651 DBG("table %s chain %s", table->name, chain_name);
1655 chain_head = find_chain_head(table, chain_name);
1659 chain_tail = find_chain_tail(table, chain_name);
1663 list = find_existing_rule(table, ip, chain_name, target_name,
1664 xt_t, matches, xt_rm);
1669 entry = chain_head->data;
1670 builtin = entry->builtin;
1672 if (builtin >= 0 && list == chain_head) {
1674 * We are about to remove the first rule in the
1675 * chain. In this case we need to store the builtin
1676 * value to the new chain_head.
1678 * Note, for builtin chains, chain_head->next is
1679 * always valid. A builtin chain has always a policy
1682 chain_head = chain_head->next;
1684 entry = chain_head->data;
1685 entry->builtin = builtin;
1692 /* We have deleted a rule,
1693 * all references should be bumped accordingly */
1695 update_targets_reference(table, list->next->data,
1698 removed += remove_table_entry(table, entry);
1701 delete_update_hooks(table, builtin, chain_head, removed);
1703 update_offsets(table);
1708 static int iptables_change_policy(struct connman_iptables *table,
1709 const char *chain_name, const char *policy)
1711 GList *chain_head, *chain_tail;
1712 struct connman_iptables_entry *entry;
1713 struct xt_entry_target *target;
1714 struct xt_standard_target *t;
1717 DBG("table %s chain %s policy %s", table->name, chain_name, policy);
1719 verdict = target_to_verdict(policy);
1721 case -NF_ACCEPT - 1:
1728 chain_head = find_chain_head(table, chain_name);
1732 entry = chain_head->data;
1733 if (entry->builtin < 0)
1736 chain_tail = find_chain_tail(table, chain_name);
1740 entry = chain_tail->prev->data;
1742 target = iptables_entry_get_target(entry);
1747 t = (struct xt_standard_target *)target;
1748 if (t->verdict != verdict)
1749 entry->counter_idx = -1;
1750 t->verdict = verdict;
1755 static struct ipt_replace *iptables_blob(struct connman_iptables *table)
1757 struct ipt_replace *r;
1759 struct connman_iptables_entry *e;
1760 unsigned char *entry_index;
1762 r = g_try_malloc0(sizeof(struct ipt_replace) + table->size);
1766 memset(r, 0, sizeof(*r) + table->size);
1768 r->counters = g_try_malloc0(sizeof(struct xt_counters)
1769 * table->old_entries);
1775 g_stpcpy(r->name, table->info->name);
1776 r->num_entries = table->num_entries;
1777 r->size = table->size;
1779 r->num_counters = table->old_entries;
1780 r->valid_hooks = table->info->valid_hooks;
1782 memcpy(r->hook_entry, table->hook_entry, sizeof(table->hook_entry));
1783 memcpy(r->underflow, table->underflow, sizeof(table->underflow));
1785 entry_index = (unsigned char *)r->entries;
1786 for (list = table->entries; list; list = list->next) {
1789 memcpy(entry_index, e->entry, e->entry->next_offset);
1790 entry_index += e->entry->next_offset;
1796 /* A copy of iptables_blob() with IPv6 structures */
1797 static struct ip6t_replace *ip6tables_blob(struct connman_iptables *table)
1799 struct ip6t_replace *r;
1801 struct connman_iptables_entry *e;
1802 unsigned char *entry_index;
1804 r = g_try_malloc0(sizeof(struct ip6t_replace) + table->size);
1808 memset(r, 0, sizeof(*r) + table->size);
1810 r->counters = g_try_malloc0(sizeof(struct xt_counters)
1811 * table->old_entries);
1817 g_stpcpy(r->name, table->info6->name);
1818 r->num_entries = table->num_entries;
1819 r->size = table->size;
1821 r->num_counters = table->old_entries;
1822 r->valid_hooks = table->info6->valid_hooks;
1824 memcpy(r->hook_entry, table->hook_entry, sizeof(table->hook_entry));
1825 memcpy(r->underflow, table->underflow, sizeof(table->underflow));
1827 entry_index = (unsigned char *)r->entries;
1828 for (list = table->entries; list; list = list->next) {
1831 memcpy(entry_index, e->entry6, e->entry6->next_offset);
1832 entry_index += e->entry6->next_offset;
1838 static void dump_ip(struct connman_iptables_entry *entry)
1840 char *iniface, *outiface;
1841 char ip_string[INET6_ADDRSTRLEN];
1842 char ip_mask[INET6_ADDRSTRLEN];
1844 switch (entry->type) {
1846 iniface = entry->entry->ip.iniface;
1847 outiface = entry->entry->ip.outiface;
1850 iniface = entry->entry6->ipv6.iniface;
1851 outiface = entry->entry6->ipv6.outiface;
1857 if (strlen(iniface))
1858 DBG("\tin %s", iniface);
1860 if (strlen(outiface))
1861 DBG("\tout %s", outiface);
1863 if (entry->type == AF_INET) {
1864 if (inet_ntop(entry->type, &entry->entry->ip.src, ip_string,
1865 INET6_ADDRSTRLEN) && inet_ntop(entry->type,
1866 &entry->entry->ip.smsk, ip_mask,
1868 DBG("\tsrc %s/%s", ip_string, ip_mask);
1870 if (inet_ntop(entry->type, &entry->entry->ip.dst, ip_string,
1871 INET6_ADDRSTRLEN) && inet_ntop(entry->type,
1872 &entry->entry->ip.dmsk, ip_mask,
1874 DBG("\tdst %s/%s", ip_string, ip_mask);
1877 if (entry->type == AF_INET6) {
1878 if (inet_ntop(entry->type, &entry->entry6->ipv6.src, ip_string,
1879 INET6_ADDRSTRLEN) && inet_ntop(entry->type,
1880 &entry->entry6->ipv6.smsk, ip_mask,
1882 DBG("\tsrc %s/%s", ip_string, ip_mask);
1884 if (inet_ntop(entry->type, &entry->entry6->ipv6.dst, ip_string,
1885 INET6_ADDRSTRLEN) && inet_ntop(entry->type,
1886 &entry->entry6->ipv6.dmsk, ip_mask,
1888 DBG("\tdst %s/%s", ip_string, ip_mask);
1892 static void dump_target(struct connman_iptables_entry *entry)
1894 struct xtables_target *xt_t;
1895 struct xt_entry_target *target;
1898 target = iptables_entry_get_target(entry);
1903 if (!g_strcmp0(target->u.user.name, get_standard_target(entry->type))) {
1904 struct xt_standard_target *t;
1906 t = (struct xt_standard_target *)target;
1908 switch (t->verdict) {
1910 DBG("\ttarget RETURN");
1913 case -NF_ACCEPT - 1:
1914 DBG("\ttarget ACCEPT");
1918 DBG("\ttarget DROP");
1922 DBG("\ttarget QUEUE");
1926 DBG("\ttarget STOP");
1930 DBG("\tJUMP %u", t->verdict);
1936 if ((err = setjmp(env_state)) != 0) {
1937 DBG("setjmp() called by longjmp() with value %d", err);
1942 xt_t = xtables_find_target(get_standard_target(entry->type),
1943 XTF_LOAD_MUST_SUCCEED);
1948 xt_t->print(NULL, target, 1);
1952 if ((err = setjmp(env_state)) != 0) {
1953 DBG("setjmp() called by longjmp() with value %d", err);
1958 xt_t = xtables_find_target(target->u.user.name, XTF_TRY_LOAD);
1963 DBG("\ttarget %s", target->u.user.name);
1969 xt_t->print(NULL, target, 1);
1973 if (xt_t == xt_t->next)
1977 static void dump_match(struct connman_iptables_entry *entry)
1979 struct xtables_match *xt_m;
1980 struct xt_entry_match *match;
1981 u_int16_t target_offset;
1984 target_offset = iptables_entry_get_target_offset(entry);
1986 switch (entry->type) {
1988 if (entry->entry->elems == (unsigned char *)entry->entry +
1993 if (entry->entry6->elems == (unsigned char *)entry->entry6 +
2001 match = (struct xt_entry_match *) iptables_entry_get_elems(entry);
2003 if (!strlen(match->u.user.name))
2008 if ((err = setjmp(env_state)) != 0) {
2009 DBG("setjmp() called by longjmp() with value %d", err);
2014 xt_m = xtables_find_match(match->u.user.name, XTF_TRY_LOAD, NULL);
2023 xt_m->print(NULL, match, 1);
2027 if (xt_m == xt_m->next)
2031 DBG("\tmatch %s", match->u.user.name);
2035 static int dump_entry(struct connman_iptables_entry *entry, int builtin,
2036 unsigned int hook, size_t size, unsigned int offset,
2039 struct xt_entry_target *target;
2042 target = iptables_entry_get_target(entry);
2047 if (offset + iptables_entry_get_next_offset(entry) == size) {
2048 DBG("\tEnd of CHAIN");
2052 switch (entry->type) {
2054 char_entry = (char *)entry->entry;
2057 char_entry = (char *)entry->entry6;
2063 if (!g_strcmp0(target->u.user.name, IPT_ERROR_TARGET)) {
2064 DBG("\tUSER CHAIN (%s) match %p target %p",
2065 target->data, iptables_entry_get_elems(entry),
2066 char_entry + iptables_entry_get_target_offset(entry));
2069 } else if (builtin >= 0) {
2070 DBG("\tCHAIN (%s) match %p target %p",
2071 hooknames[builtin], iptables_entry_get_elems(entry),
2072 char_entry + iptables_entry_get_target_offset(entry));
2074 DBG("\tRULE match %p target %p",
2075 iptables_entry_get_elems(entry),
2076 char_entry + iptables_entry_get_target_offset(entry));
2086 static void dump_table(struct connman_iptables *table)
2088 struct connman_iptables_entry entry = { 0 };
2089 unsigned int *hook_entry;
2090 unsigned int *underflow;
2091 unsigned int valid_hooks;
2094 hook_entry = iptables_table_get_info_hook_entry(table);
2095 underflow = iptables_table_get_info_underflow(table);
2096 valid_hooks = iptables_table_get_info_valid_hooks(table);
2097 size = iptables_table_get_info_size(table);
2099 DBG("%s valid_hooks=0x%08x, num_entries=%u, size=%u",
2100 iptables_table_get_info_name(table),
2102 iptables_table_get_info_num_entries(table),
2105 DBG("entry hook: pre/in/fwd/out/post %d/%d/%d/%d/%d",
2106 hook_entry[NF_IP_PRE_ROUTING],
2107 hook_entry[NF_IP_LOCAL_IN],
2108 hook_entry[NF_IP_FORWARD],
2109 hook_entry[NF_IP_LOCAL_OUT],
2110 hook_entry[NF_IP_POST_ROUTING]);
2111 DBG("underflow: pre/in/fwd/out/post %d/%d/%d/%d/%d",
2112 underflow[NF_IP_PRE_ROUTING],
2113 underflow[NF_IP_LOCAL_IN],
2114 underflow[NF_IP_FORWARD],
2115 underflow[NF_IP_LOCAL_OUT],
2116 underflow[NF_IP_POST_ROUTING]);
2118 entry.type = table->type;
2120 switch (table->type) {
2122 entry.entry = table->blob_entries->entrytable;
2125 entry.entry6 = table->blob_entries6->entrytable;
2128 iterate_entries(&entry,
2133 print_entry, dump_entry);
2136 static const char *iptables_replace_get_name(struct iptables_replace *replace)
2141 switch (replace->type) {
2143 return replace->r->name;
2145 return replace->r6->name;
2151 static unsigned int iptables_replace_get_valid_hooks(
2152 struct iptables_replace *replace)
2157 switch (replace->type) {
2159 return replace->r->valid_hooks;
2161 return replace->r6->valid_hooks;
2167 static unsigned int iptables_replace_get_num_entries(
2168 struct iptables_replace *replace)
2173 switch (replace->type) {
2175 return replace->r->num_entries;
2177 return replace->r6->num_entries;
2183 static unsigned int *iptables_replace_get_hook_entry(
2184 struct iptables_replace *replace)
2189 switch (replace->type) {
2191 return replace->r->hook_entry;
2193 return replace->r6->hook_entry;
2199 static unsigned int *iptables_replace_get_underflow(
2200 struct iptables_replace *replace)
2205 switch (replace->type) {
2207 return replace->r->underflow;
2209 return replace->r6->underflow;
2215 static unsigned int iptables_replace_get_size(struct iptables_replace *replace)
2220 switch (replace->type) {
2222 return replace->r->size;
2224 return replace->r6->size;
2230 static void dump_replace(struct iptables_replace *repl)
2232 struct connman_iptables_entry entry = { 0 };
2233 unsigned int *hook_entry;
2234 unsigned int *underflow;
2235 unsigned int valid_hooks;
2238 hook_entry = iptables_replace_get_hook_entry(repl);
2239 underflow = iptables_replace_get_underflow(repl);
2240 valid_hooks = iptables_replace_get_valid_hooks(repl);
2241 size = iptables_replace_get_size(repl);
2243 switch (repl->type) {
2245 entry.entry = repl->r->entries;
2248 entry.entry6 = repl->r6->entries;
2254 DBG("%s valid_hooks 0x%08x num_entries %u size %u",
2255 iptables_replace_get_name(repl),
2257 iptables_replace_get_num_entries(repl), size);
2259 DBG("entry hook: pre/in/fwd/out/post %d/%d/%d/%d/%d",
2260 hook_entry[NF_IP_PRE_ROUTING],
2261 hook_entry[NF_IP_LOCAL_IN],
2262 hook_entry[NF_IP_FORWARD],
2263 hook_entry[NF_IP_LOCAL_OUT],
2264 hook_entry[NF_IP_POST_ROUTING]);
2265 DBG("underflow: pre/in/fwd/out/post %d/%d/%d/%d/%d",
2266 underflow[NF_IP_PRE_ROUTING],
2267 underflow[NF_IP_LOCAL_IN],
2268 underflow[NF_IP_FORWARD],
2269 underflow[NF_IP_LOCAL_OUT],
2270 underflow[NF_IP_POST_ROUTING]);
2272 iterate_entries(&entry, valid_hooks, hook_entry, underflow,
2273 size, print_entry, dump_entry);
2276 static int iptables_get_entries(struct connman_iptables *table)
2278 socklen_t entry_size;
2281 switch (table->type) {
2283 entry_size = sizeof(struct ipt_get_entries) + table->info->size;
2285 err = getsockopt(table->ipt_sock, IPPROTO_IP,
2286 IPT_SO_GET_ENTRIES, table->blob_entries,
2290 entry_size = sizeof(struct ip6t_get_entries) +
2293 err = getsockopt(table->ipt_sock, IPPROTO_IPV6,
2294 IP6T_SO_GET_ENTRIES, table->blob_entries6,
2307 static int iptables_replace(struct connman_iptables *table,
2308 struct iptables_replace *r)
2317 err = setsockopt(table->ipt_sock, IPPROTO_IP,
2318 IPT_SO_SET_REPLACE, r->r,
2319 sizeof(*r->r) + r->r->size);
2325 err = setsockopt(table->ipt_sock, IPPROTO_IPV6,
2326 IP6T_SO_SET_REPLACE, r->r6,
2327 sizeof(*r->r6) + r->r6->size);
2339 static int iptables_add_counters(struct connman_iptables *table,
2340 struct xt_counters_info *c)
2346 switch (table->type) {
2349 optname = IPT_SO_SET_ADD_COUNTERS;
2352 level = IPPROTO_IPV6;
2353 optname = IP6T_SO_SET_ADD_COUNTERS;
2359 err = setsockopt(table->ipt_sock, level, optname, c,
2360 sizeof(*c) + sizeof(struct xt_counters) * c->num_counters);
2368 static int add_entry(struct connman_iptables_entry *entry, int builtin,
2369 unsigned int hook, size_t size, unsigned offset,
2372 struct connman_iptables *table = user_data;
2373 struct connman_iptables_entry new_entry = { 0 };
2374 u_int16_t next_offset;
2376 new_entry.type = entry->type;
2377 next_offset = iptables_entry_get_next_offset(entry);
2379 switch (entry->type) {
2381 new_entry.entry = g_try_malloc0(next_offset);
2382 if (!new_entry.entry)
2385 memcpy(new_entry.entry, entry->entry, next_offset);
2388 new_entry.entry6 = g_try_malloc0(next_offset);
2389 if (!new_entry.entry6)
2392 memcpy(new_entry.entry6, entry->entry6, next_offset);
2398 return iptables_add_entry(table, &new_entry, NULL, builtin,
2399 table->num_entries);
2402 static void table_cleanup(struct connman_iptables *table)
2405 struct connman_iptables_entry *entry;
2410 if (table->ipt_sock >= 0)
2411 close(table->ipt_sock);
2413 for (list = table->entries; list; list = list->next) {
2416 iptables_entry_free(entry);
2419 g_list_free(table->entries);
2420 g_free(table->name);
2422 if (table->type == AF_INET) {
2423 g_free(table->info);
2424 g_free(table->blob_entries);
2427 if (table->type == AF_INET6) {
2428 g_free(table->info6);
2429 g_free(table->blob_entries6);
2435 static int setup_xtables(int type);
2436 static void reset_xtables();
2438 static struct connman_iptables *iptables_init(int type, const char *table_name)
2440 struct connman_iptables *table = NULL;
2441 struct connman_iptables_entry entry = { 0 };
2442 char *iptables_mod = NULL;
2443 char *module = NULL;
2448 iptables_mod = g_strdup("ip_tables");
2449 module = g_strconcat("iptable_", table_name, NULL);
2452 iptables_mod = g_strdup("ip6_tables");
2453 module = g_strconcat("ip6table_", table_name, NULL);
2459 DBG("%d %s", type, table_name);
2461 if (setup_xtables(type))
2464 if (xtables_insmod(iptables_mod, NULL, TRUE) != 0)
2465 DBG("%s module loading gives error but trying anyway",
2468 g_free(iptables_mod);
2470 if (xtables_insmod(module, NULL, TRUE) != 0)
2471 DBG("%s module loading gives error but trying anyway", module);
2475 table = g_try_new0(struct connman_iptables, 1);
2479 table->type = entry.type = type;
2481 table->ipt_sock = socket(type, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_RAW);
2482 if (table->ipt_sock < 0)
2487 table->info = g_try_new0(struct ipt_getinfo, 1);
2491 s = sizeof(*table->info);
2492 g_stpcpy(table->info->name, table_name);
2494 if (getsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_GET_INFO,
2495 table->info, &s) < 0) {
2496 connman_error("iptables support missing error %d (%s)",
2497 errno, strerror(errno));
2501 table->blob_entries = g_try_malloc0(
2502 sizeof(struct ipt_get_entries) +
2504 if (!table->blob_entries)
2507 g_stpcpy(table->blob_entries->name, table_name);
2508 table->blob_entries->size = table->info->size;
2512 table->info6 = g_try_new0(struct ip6t_getinfo, 1);
2516 s = sizeof(*table->info6);
2517 g_stpcpy(table->info6->name, table_name);
2519 if (getsockopt(table->ipt_sock, IPPROTO_IPV6, IP6T_SO_GET_INFO,
2520 table->info6, &s) < 0) {
2521 connman_error("ip6tables support missing error %d (%s)",
2522 errno, strerror(errno));
2526 table->blob_entries6 = g_try_malloc0(
2527 sizeof(struct ip6t_get_entries) +
2528 table->info6->size);
2529 if (!table->blob_entries6)
2532 g_stpcpy(table->blob_entries6->name, table_name);
2533 table->blob_entries6->size = table->info6->size;
2538 if (iptables_get_entries(table) < 0)
2541 table->num_entries = 0;
2546 table->old_entries = table->info->num_entries;
2548 memcpy(table->underflow, table->info->underflow,
2549 sizeof(table->info->underflow));
2550 memcpy(table->hook_entry, table->info->hook_entry,
2551 sizeof(table->info->hook_entry));
2553 entry.entry = table->blob_entries->entrytable;
2556 table->old_entries = table->info6->num_entries;
2558 memcpy(table->underflow, table->info6->underflow,
2559 sizeof(table->info6->underflow));
2560 memcpy(table->hook_entry, table->info6->hook_entry,
2561 sizeof(table->info6->hook_entry));
2563 entry.entry6 = table->blob_entries6->entrytable;
2567 iterate_entries(&entry,
2568 iptables_table_get_info_valid_hooks(table),
2569 iptables_table_get_info_hook_entry(table),
2570 iptables_table_get_info_underflow(table),
2571 iptables_table_get_entries_size(table),
2583 table_cleanup(table);
2589 static struct option iptables_opts[] = {
2590 {.name = "append", .has_arg = 1, .val = 'A'},
2591 {.name = "compare", .has_arg = 1, .val = 'C'},
2592 {.name = "delete", .has_arg = 1, .val = 'D'},
2593 {.name = "flush-chain", .has_arg = 1, .val = 'F'},
2594 {.name = "insert", .has_arg = 1, .val = 'I'},
2595 {.name = "list", .has_arg = 2, .val = 'L'},
2596 {.name = "new-chain", .has_arg = 1, .val = 'N'},
2597 {.name = "policy", .has_arg = 1, .val = 'P'},
2598 {.name = "delete-chain", .has_arg = 1, .val = 'X'},
2599 {.name = "destination", .has_arg = 1, .val = 'd'},
2600 {.name = "in-interface", .has_arg = 1, .val = 'i'},
2601 {.name = "jump", .has_arg = 1, .val = 'j'},
2602 {.name = "match", .has_arg = 1, .val = 'm'},
2603 {.name = "out-interface", .has_arg = 1, .val = 'o'},
2604 {.name = "source", .has_arg = 1, .val = 's'},
2605 {.name = "table", .has_arg = 1, .val = 't'},
2606 {.name = "protocol", .has_arg = 1, .val = 'p'},
2610 void iptables_exit(enum xtables_exittype status, const char *msg, ...)
2611 __attribute__((noreturn, format(printf,2,3)));
2613 void iptables_exit(enum xtables_exittype status, const char *msg, ...)
2616 gchar str[256] = { 0 };
2620 DBG("OTHER_PROBLEM");
2622 case PARAMETER_PROBLEM:
2623 DBG("PARAMETER_PROBLEM");
2625 case VERSION_PROBLEM:
2626 DBG("VERSION_PROBLEM");
2628 case RESOURCE_PROBLEM:
2629 DBG("RESOURCE_PROBLEM");
2632 DBG("XTF_ONLY_ONCE");
2635 DBG("XTF_NO_INVERT");
2638 DBG("XTF_BAD_VALUE");
2640 case XTF_ONE_ACTION:
2641 DBG("XTF_ONE_ACTION");
2645 va_start(args, msg);
2646 vsnprintf(str, 256, msg, args);
2649 connman_error("iptables rule error: %s", str);
2652 DBG("calling longjmp()");
2653 /* enum xtables_exittype begins from 1 */
2654 longjmp(env_state, status);
2657 connman_error("exit because of iptables error");
2662 struct xtables_globals iptables_globals = {
2664 .opts = iptables_opts,
2665 .orig_opts = iptables_opts,
2666 .exit_err = iptables_exit,
2667 #if XTABLES_VERSION_CODE > 10
2668 .compat_rev = xtables_compatible_revision,
2672 struct xtables_globals ip6tables_globals = {
2674 .opts = iptables_opts,
2675 .orig_opts = iptables_opts,
2676 .exit_err = iptables_exit,
2677 #if XTABLES_VERSION_CODE > 10
2678 .compat_rev = xtables_compatible_revision,
2682 static struct xtables_target *prepare_target(struct connman_iptables *table,
2683 const char *target_name)
2685 struct xtables_target *xt_t = NULL;
2686 bool is_builtin, is_user_defined;
2687 GList *chain_head = NULL;
2692 is_user_defined = false;
2694 DBG("target %s", target_name);
2699 if (is_builtin_target(target_name))
2702 chain_head = find_chain_head(table, target_name);
2703 if (chain_head && chain_head->next)
2704 is_user_defined = true;
2709 if ((err = setjmp(env_state)) != 0) {
2710 DBG("setjmp() called by longjmp() with value %d", err);
2715 if (is_builtin || is_user_defined)
2716 xt_t = xtables_find_target(get_standard_target(table->type),
2717 XTF_LOAD_MUST_SUCCEED);
2719 xt_t = xtables_find_target(target_name, XTF_TRY_LOAD);
2726 switch (table->type) {
2728 target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
2732 target_size = XT_ALIGN(sizeof(struct ip6t_entry_target)) +
2739 xt_t->t = g_try_malloc0(target_size);
2743 xt_t->t->u.target_size = target_size;
2745 if (is_builtin || is_user_defined) {
2746 struct xt_standard_target *target;
2748 target = (struct xt_standard_target *)(xt_t->t);
2749 g_stpcpy(target->target.u.user.name,
2750 get_standard_target(table->type));
2753 target->verdict = target_to_verdict(target_name);
2754 else if (is_user_defined) {
2755 struct connman_iptables_entry *target_rule;
2757 target_rule = chain_head->next->data;
2758 target->verdict = target_rule->offset;
2761 g_stpcpy(xt_t->t->u.user.name, target_name);
2762 xt_t->t->u.user.revision = xt_t->revision;
2764 xt_t->init(xt_t->t);
2767 switch (table->type) {
2769 if (xt_t->x6_options)
2770 iptables_globals.opts =
2771 xtables_options_xfrm(
2772 iptables_globals.orig_opts,
2773 iptables_globals.opts,
2775 &xt_t->option_offset);
2777 iptables_globals.opts =
2778 xtables_merge_options(
2779 iptables_globals.orig_opts,
2780 iptables_globals.opts,
2782 &xt_t->option_offset);
2784 if (!iptables_globals.opts) {
2791 if (xt_t->x6_options)
2792 ip6tables_globals.opts =
2793 xtables_options_xfrm(
2794 ip6tables_globals.orig_opts,
2795 ip6tables_globals.opts,
2797 &xt_t->option_offset);
2799 ip6tables_globals.opts =
2800 xtables_merge_options(
2801 ip6tables_globals.orig_opts,
2802 ip6tables_globals.opts,
2804 &xt_t->option_offset);
2806 if (!ip6tables_globals.opts) {
2817 static struct xtables_match *prepare_matches(struct connman_iptables *table,
2818 struct xtables_rule_match **xt_rm,
2819 const char *match_name)
2821 struct xtables_match *xt_m;
2825 if (!table || !match_name)
2830 if ((err = setjmp(env_state)) != 0) {
2831 DBG("setjmp() called by longjmp() with value %d", err);
2836 xt_m = xtables_find_match(match_name, XTF_LOAD_MUST_SUCCEED, xt_rm);
2840 switch (table->type) {
2842 match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
2846 match_size = XT_ALIGN(sizeof(struct ip6t_entry_match)) +
2853 xt_m->m = g_try_malloc0(match_size);
2857 xt_m->m->u.match_size = match_size;
2858 g_stpcpy(xt_m->m->u.user.name, xt_m->name);
2859 xt_m->m->u.user.revision = xt_m->revision;
2862 xt_m->init(xt_m->m);
2864 switch (table->type) {
2866 if (xt_m->x6_options)
2867 iptables_globals.opts =
2868 xtables_options_xfrm(
2869 iptables_globals.orig_opts,
2870 iptables_globals.opts,
2872 &xt_m->option_offset);
2874 iptables_globals.opts =
2875 xtables_merge_options(
2876 iptables_globals.orig_opts,
2877 iptables_globals.opts,
2879 &xt_m->option_offset);
2881 if (!iptables_globals.opts) {
2884 if (xt_m == xt_m->next)
2892 if (xt_m->x6_options)
2893 ip6tables_globals.opts =
2894 xtables_options_xfrm(
2895 ip6tables_globals.orig_opts,
2896 ip6tables_globals.opts,
2898 &xt_m->option_offset);
2900 ip6tables_globals.opts =
2901 xtables_merge_options(
2902 ip6tables_globals.orig_opts,
2903 ip6tables_globals.opts,
2905 &xt_m->option_offset);
2907 if (!ip6tables_globals.opts) {
2910 if (xt_m == xt_m->next)
2922 static int parse_ip_and_mask(const char *str, struct in_addr *ip,
2923 struct in_addr *mask)
2926 uint32_t prefixlength;
2930 tokens = g_strsplit(str, "/", 2);
2934 if (!inet_pton(AF_INET, tokens[0], ip)) {
2940 prefixlength = strtol(tokens[1], NULL, 10);
2941 if (prefixlength > 32) {
2944 } else if (prefixlength == 32) {
2947 tmp = ~(0xffffffff >> prefixlength);
2953 mask->s_addr = htonl(tmp);
2954 ip->s_addr = ip->s_addr & mask->s_addr;
2962 static int parse_ipv6_and_mask(const char *str, struct in6_addr *ip,
2963 struct in6_addr *mask)
2966 uint32_t prefixlength;
2967 struct in6_addr in6;
2971 tokens = g_strsplit(str, "/", 2);
2975 if (!inet_pton(AF_INET6, tokens[0], ip)) {
2981 prefixlength = strtol(tokens[1], NULL, 10);
2982 if (prefixlength > 128) {
2991 * This part was adapted from (no need to re-invent the wheel):
2992 * https://gitlab.com/ipcalc/ipcalc/blob/master/ipcalc.c#L733
2994 memset(&in6, 0, sizeof(struct in6_addr));
2996 for (i = prefixlength, j = 0; i > 0; i -= 8, j++) {
2998 in6.s6_addr[j] = 0xff;
3000 in6.s6_addr[j] = (unsigned long)(0xffU << (8 - i));
3003 memcpy(mask, &in6, sizeof(struct in6_addr));
3005 for (i = 0; i < 16 ; i++)
3006 ip->s6_addr[i] = ip->s6_addr[i] & mask->s6_addr[i];
3015 static struct connman_iptables *get_table(int type, const char *table_name)
3017 struct connman_iptables *table = NULL;
3020 table_name = "filter";
3022 table = hash_table_lookup(type, table_name);
3027 table = iptables_init(type, table_name);
3033 g_free(table->name);
3035 table->name = g_strdup(table_name);
3037 hash_table_replace(type, table->name, table);
3042 struct parse_context {
3047 struct ip6t_ip6 *ipv6;
3048 struct xtables_target *xt_t;
3050 struct xtables_rule_match *xt_rm;
3054 static int prepare_getopt_args(const char *str, struct parse_context *ctx)
3059 tokens = g_strsplit_set(str, " ", -1);
3061 i = g_strv_length(tokens);
3063 /* Add space for the argv[0] value */
3066 /* Don't forget the last NULL entry */
3067 ctx->argv = g_try_malloc0((ctx->argc + 1) * sizeof(char *));
3074 * getopt_long() jumps over the first token; we need to add some
3075 * random argv[0] entry.
3077 ctx->argv[0] = g_strdup("argh");
3078 for (i = 1; i < ctx->argc; i++)
3079 ctx->argv[i] = tokens[i - 1];
3086 static int parse_xt_modules(int c, bool invert,
3087 struct parse_context *ctx)
3089 struct xtables_match *m;
3090 struct xtables_rule_match *rm;
3091 struct ipt_entry fw;
3092 struct ip6t_entry fw6;
3095 switch (ctx->type) {
3097 memset(&fw, 0, sizeof(fw));
3099 /* The SNAT parser wants to know the protocol. */
3100 if (ctx->proto == 0)
3101 ctx->proto = IPPROTO_IP;
3103 fw.ip.proto = ctx->proto;
3106 memset(&fw6, 0, sizeof(fw6));
3108 if (ctx->proto == 0)
3109 ctx->proto = IPPROTO_IPV6;
3111 fw6.ipv6.proto = ctx->proto;
3113 /* Flags must be set for IPv6 if protocol is set. */
3114 fw6.ipv6.flags |= IP6T_F_PROTO;
3121 for (rm = ctx->xt_rm; rm; rm = rm->next) {
3122 if (rm->completed != 0)
3127 if (!m->x6_parse && !m->parse)
3130 if (c < (int) m->option_offset ||
3131 c >= (int) m->option_offset
3132 + XT_OPTION_OFFSET_SCALE)
3137 if ((err = setjmp(env_state)) != 0) {
3138 DBG("setjmp() called by longjmp() with value %d", err);
3143 switch (ctx->type) {
3145 xtables_option_mpcall(c, ctx->argv, invert, m, &fw);
3148 xtables_option_mpcall(c, ctx->argv, invert, m, &fw6);
3158 if (!ctx->xt_t->x6_parse && !ctx->xt_t->parse)
3161 if (c < (int) ctx->xt_t->option_offset ||
3162 c >= (int) ctx->xt_t->option_offset
3163 + XT_OPTION_OFFSET_SCALE)
3168 if ((err = setjmp(env_state)) != 0) {
3169 DBG("setjmp() called by longjmp() with value %d", err);
3174 switch (ctx->type) {
3176 xtables_option_tpcall(c, ctx->argv, invert, ctx->xt_t, &fw);
3179 xtables_option_tpcall(c, ctx->argv, invert, ctx->xt_t, &fw6);
3188 static int final_check_xt_modules(struct parse_context *ctx)
3190 struct xtables_rule_match *rm;
3193 for (rm = ctx->xt_rm; rm; rm = rm->next) {
3196 if ((err = setjmp(env_state)) != 0) {
3197 DBG("setjmp() called by longjmp() with value %d", err);
3202 xtables_option_mfcall(rm->match);
3209 if ((err = setjmp(env_state)) != 0) {
3210 DBG("setjmp() called by longjmp() with value %d", err);
3216 xtables_option_tfcall(ctx->xt_t);
3223 static int parse_rule_spec(struct connman_iptables *table,
3224 struct parse_context *ctx)
3227 * How the parser works:
3229 * - If getopt finds 's', 'd', 'i', 'o'.
3230 * just extract the information.
3231 * - if '!' is found, set the invert flag to true and
3232 * removes the '!' from the optarg string and jumps
3233 * back to getopt to reparse the current optarg string.
3234 * After reparsing the invert flag is reset to false.
3235 * - If 'm' or 'j' is found then call either
3236 * prepare_matches() or prepare_target(). Those function
3237 * will modify (extend) the longopts for getopt_long.
3238 * That means getopt will change its matching context according
3239 * the loaded target.
3241 * Here an example with iptables-test
3243 * argv[0] = ./tools/iptables-test
3255 * getopt found 'm' then the optarg is "mark" and optind 7
3256 * The longopts array containts before hitting the `case 'm'`
3258 * val A has_arg 1 name append
3259 * val C has_arg 1 name compare
3260 * val D has_arg 1 name delete
3261 * val F has_arg 1 name flush-chain
3262 * val I has_arg 1 name insert
3263 * val L has_arg 2 name list
3264 * val N has_arg 1 name new-chain
3265 * val P has_arg 1 name policy
3266 * val X has_arg 1 name delete-chain
3267 * val d has_arg 1 name destination
3268 * val i has_arg 1 name in-interface
3269 * val j has_arg 1 name jump
3270 * val m has_arg 1 name match
3271 * val o has_arg 1 name out-interface
3272 * val s has_arg 1 name source
3273 * val t has_arg 1 name table
3275 * After executing the `case 'm'` block longopts is
3277 * val A has_arg 1 name append
3278 * val C has_arg 1 name compare
3279 * val D has_arg 1 name delete
3280 * val F has_arg 1 name flush-chain
3281 * val I has_arg 1 name insert
3282 * val L has_arg 2 name list
3283 * val N has_arg 1 name new-chain
3284 * val P has_arg 1 name policy
3285 * val X has_arg 1 name delete-chain
3286 * val d has_arg 1 name destination
3287 * val i has_arg 1 name in-interface
3288 * val j has_arg 1 name jump
3289 * val m has_arg 1 name match
3290 * val o has_arg 1 name out-interface
3291 * val s has_arg 1 name source
3292 * val t has_arg 1 name table
3293 * val has_arg 1 name mark
3295 * So the 'mark' matcher has added the 'mark' options
3296 * and getopt will then return c '256' optarg "999" optind 9
3297 * And we will hit the 'default' statement which then
3298 * will call the matchers parser (xt_m->parser() or
3299 * xtables_option_mpcall() depending on which version
3300 * of libxtables is found.
3302 struct xtables_match *xt_m;
3303 bool invert = false;
3306 if (ctx->type != table->type) {
3307 DBG("ctx->type %d does not match table->type %d", ctx->type,
3312 switch (ctx->type) {
3314 ctx->ip = g_try_new0(struct ipt_ip, 1);
3320 ctx->ipv6 = g_try_new0(struct ip6t_ip6, 1);
3330 * Tell getopt_long not to generate error messages for unknown
3331 * options and also reset optind back to 0.
3336 while ((c = getopt_long(ctx->argc, ctx->argv,
3338 ctx->type == AF_INET ?
3339 iptables_globals.opts :
3340 ip6tables_globals.opts,
3344 if (ctx->type == AF_INET) {
3345 /* Source specification */
3346 if (!parse_ip_and_mask(optarg,
3352 ctx->ip->invflags |= IPT_INV_SRCIP;
3355 if (ctx->type == AF_INET6) {
3356 if (!parse_ipv6_and_mask(optarg,
3362 ctx->ipv6->invflags |= IP6T_INV_SRCIP;
3367 if (ctx->type == AF_INET) {
3368 /* Destination specification */
3369 if (!parse_ip_and_mask(optarg,
3375 ctx->ip->invflags |= IPT_INV_DSTIP;
3378 if (ctx->type == AF_INET6) {
3379 /* Destination specification */
3380 if (!parse_ipv6_and_mask(optarg,
3386 ctx->ip->invflags |= IP6T_INV_DSTIP;
3391 /* In interface specification */
3392 len = strlen(optarg);
3394 if (len + 1 > IFNAMSIZ)
3397 if (ctx->type == AF_INET) {
3398 g_stpcpy(ctx->ip->iniface, optarg);
3399 memset(ctx->ip->iniface_mask, 0xff, len + 1);
3402 ctx->ip->invflags |= IPT_INV_VIA_IN;
3405 if (ctx->type == AF_INET6) {
3406 g_stpcpy(ctx->ipv6->iniface, optarg);
3407 memset(ctx->ipv6->iniface_mask, 0xff, len + 1);
3410 ctx->ipv6->invflags |= IP6T_INV_VIA_IN;
3415 /* Out interface specification */
3416 len = strlen(optarg);
3418 if (len + 1 > IFNAMSIZ)
3421 if (ctx->type == AF_INET) {
3422 g_stpcpy(ctx->ip->outiface, optarg);
3423 memset(ctx->ip->outiface_mask, 0xff, len + 1);
3426 ctx->ip->invflags |= IPT_INV_VIA_OUT;
3429 if (ctx->type == AF_INET6) {
3430 g_stpcpy(ctx->ipv6->outiface, optarg);
3431 memset(ctx->ipv6->outiface_mask, 0xff, len + 1);
3434 ctx->ipv6->invflags |= IP6T_INV_VIA_OUT;
3440 xt_m = prepare_matches(table, &ctx->xt_rm, optarg);
3445 ctx->xt_m = g_list_append(ctx->xt_m, xt_m);
3451 if ((err = setjmp(env_state)) != 0) {
3452 DBG("setjmp() called by longjmp() with value "
3456 /* Errors from parse_rule_spec are negative */
3461 ctx->proto = xtables_parse_protocol(optarg);
3466 * If protocol was set add it to ipt_ip.
3467 * xtables_parse_protocol() returns 0 or
3468 * UINT16_MAX (-1) on error
3470 if (ctx->proto > 0 && ctx->proto < UINT16_MAX) {
3471 if (ctx->type == AF_INET)
3472 ctx->ip->proto = ctx->proto;
3474 if (ctx->type == AF_INET6) {
3475 ctx->ipv6->proto = ctx->proto;
3478 * Flags must be set for IPv6 if
3481 ctx->ipv6->flags |= IP6T_F_PROTO;
3487 ctx->xt_t = prepare_target(table, optarg);
3495 if (optarg[0] == '!' && optarg[1] == '\0') {
3498 /* Remove the '!' from the optarg */
3502 * And recall getopt_long without resetting
3510 err = parse_xt_modules(c, invert, ctx);
3513 else if (err == -EINVAL)
3522 err = final_check_xt_modules(ctx);
3528 static int current_type = -1;
3530 static int setup_xtables(int type)
3536 if (type == current_type)
3539 if (current_type != -1)
3544 err = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
3547 err = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
3554 current_type = type;
3556 connman_error("error initializing xtables");
3564 static void reset_xtables(void)
3566 struct xtables_match *xt_m;
3567 struct xtables_target *xt_t;
3570 * As side effect parsing a rule sets some global flags
3571 * which will be evaluated/verified. Let's reset them
3572 * to ensure we can parse more than one rule.
3574 * Clear all flags because the flags are only valid
3577 for (xt_m = xtables_matches; xt_m; xt_m = xt_m->next)
3580 for (xt_t = xtables_targets; xt_t; xt_t = xt_t->next) {
3586 * We need also to free the memory implicitly allocated
3587 * during parsing (see xtables_options_xfrm()).
3588 * Note xt_params is actually iptables_globals.
3590 if (xt_params->opts != xt_params->orig_opts) {
3591 g_free(xt_params->opts);
3592 xt_params->opts = xt_params->orig_opts;
3594 xt_params->option_offset = 0;
3597 static void cleanup_parse_context(struct parse_context *ctx)
3599 struct xtables_rule_match *rm, *tmp;
3602 g_strfreev(ctx->argv);
3608 g_free(ctx->xt_t->t);
3609 ctx->xt_t->t = NULL;
3612 for (list = ctx->xt_m; list; list = list->next) {
3613 struct xtables_match *xt_m = list->data;
3617 if (xt_m != xt_m->next)
3622 g_list_free(ctx->xt_m);
3624 for (tmp = NULL, rm = ctx->xt_rm; rm; rm = rm->next) {
3634 int __connman_iptables_dump(int type, const char *table_name)
3636 struct connman_iptables *table;
3638 DBG("%d -t %s -L", type, table_name);
3640 table = get_table(type, table_name);
3649 int __connman_iptables_new_chain(int type,
3650 const char *table_name,
3653 struct connman_iptables *table;
3655 DBG("%d -t %s -N %s", type, table_name, chain);
3657 table = get_table(type, table_name);
3665 return iptables_add_chain(table, chain);
3671 int __connman_iptables_delete_chain(int type,
3672 const char *table_name,
3675 struct connman_iptables *table;
3677 DBG("%d -t %s -X %s", type, table_name, chain);
3679 table = get_table(type, table_name);
3683 return iptables_delete_chain(table, chain);
3686 int __connman_iptables_flush_chain(int type,
3687 const char *table_name,
3690 struct connman_iptables *table;
3692 DBG("%d -t %s -F %s", type, table_name, chain);
3694 table = get_table(type, table_name);
3698 return iptables_flush_chain(table, chain);
3701 int __connman_iptables_find_chain(int type,
3702 const char *table_name,
3705 struct connman_iptables *table;
3707 DBG("%d -t %s -F %s", type, table_name, chain);
3709 table = get_table(type, table_name);
3713 if(!find_chain_head(table, chain))
3714 return -ENOENT; // Not Found
3719 int __connman_iptables_change_policy(int type,
3720 const char *table_name,
3724 struct connman_iptables *table;
3726 DBG("%d -t %s -F %s", type, table_name, chain);
3728 table = get_table(type, table_name);
3732 return iptables_change_policy(table, chain, policy);
3735 static void iptables_ip_setup(struct iptables_ip *ip, struct parse_context *ctx)
3740 ip->type = ctx->type;
3742 ip->ip6 = ctx->ipv6;
3745 int __connman_iptables_append(int type,
3746 const char *table_name,
3748 const char *rule_spec)
3750 struct connman_iptables *table;
3751 struct parse_context *ctx;
3752 struct iptables_ip ip = { 0 };
3753 const char *target_name;
3756 err = setup_xtables(type);
3761 ctx = g_try_new0(struct parse_context, 1);
3767 DBG("%d -t %s -A %s %s", type, table_name, chain, rule_spec);
3769 err = prepare_getopt_args(rule_spec, ctx);
3773 table = get_table(type, table_name);
3779 err = parse_rule_spec(table, ctx);
3786 target_name = ctx->xt_t->name;
3788 iptables_ip_setup(&ip, ctx);
3790 err = iptables_append_rule(table, &ip, chain, target_name, ctx->xt_t,
3793 cleanup_parse_context(ctx);
3799 int __connman_iptables_insert(int type,
3800 const char *table_name,
3802 const char *rule_spec)
3804 struct connman_iptables *table;
3805 struct parse_context *ctx;
3806 struct iptables_ip ip = { 0 };
3807 const char *target_name;
3810 err = setup_xtables(type);
3815 ctx = g_try_new0(struct parse_context, 1);
3821 DBG("%d -t %s -I %s %s", type, table_name, chain, rule_spec);
3823 err = prepare_getopt_args(rule_spec, ctx);
3827 table = get_table(type, table_name);
3833 err = parse_rule_spec(table, ctx);
3840 target_name = ctx->xt_t->name;
3842 iptables_ip_setup(&ip, ctx);
3844 err = iptables_insert_rule(table, &ip, chain, target_name, ctx->xt_t,
3847 cleanup_parse_context(ctx);
3853 int __connman_iptables_delete(int type,
3854 const char *table_name,
3856 const char *rule_spec)
3858 struct connman_iptables *table;
3859 struct parse_context *ctx;
3860 struct iptables_ip ip = { 0 };
3861 const char *target_name;
3864 err = setup_xtables(type);
3869 ctx = g_try_new0(struct parse_context, 1);
3875 DBG("%d -t %s -D %s %s", type, table_name, chain, rule_spec);
3877 err = prepare_getopt_args(rule_spec, ctx);
3881 table = get_table(type, table_name);
3887 err = parse_rule_spec(table, ctx);
3894 target_name = ctx->xt_t->name;
3896 iptables_ip_setup(&ip, ctx);
3898 err = iptables_delete_rule(table, &ip, chain, target_name, ctx->xt_t,
3899 ctx->xt_m, ctx->xt_rm);
3901 cleanup_parse_context(ctx);
3907 int __connman_iptables_commit(int type, const char *table_name)
3909 struct connman_iptables *table;
3910 struct iptables_replace repl = { 0 };
3912 struct xt_counters_info *counters;
3913 struct connman_iptables_entry *e;
3917 err = setup_xtables(type);
3922 DBG("%d %s", type, table_name);
3926 table = hash_table_lookup(type, table_name);
3932 repl.r = iptables_blob(table);
3938 repl.r6 = ip6tables_blob(table);
3944 dump_replace(&repl);
3946 err = iptables_replace(table, &repl);
3951 counters = g_try_malloc0(sizeof(*counters) +
3952 sizeof(struct xt_counters) * table->num_entries);
3955 goto out_hash_remove;
3957 g_stpcpy(counters->name, iptables_table_get_info_name(table));
3958 counters->num_counters = table->num_entries;
3959 for (list = table->entries, cnt = 0; list; list = list->next, cnt++) {
3961 if (e->counter_idx >= 0) {
3965 counters->counters[cnt] =
3966 repl.r->counters[e->counter_idx];
3969 counters->counters[cnt] =
3970 repl.r6->counters[e->counter_idx];
3975 err = iptables_add_counters(table, counters);
3979 goto out_hash_remove;
3984 hash_table_remove(type, table_name);
3986 if (type == AF_INET && repl.r)
3987 g_free(repl.r->counters);
3989 if (type == AF_INET6 && repl.r6)
3990 g_free(repl.r6->counters);
4000 static void remove_table(gpointer user_data)
4002 struct connman_iptables *table = user_data;
4004 table_cleanup(table);
4007 static int iterate_chains_cb(struct connman_iptables_entry *entry, int builtin,
4008 unsigned int hook, size_t size,
4009 unsigned int offset, void *user_data)
4011 struct cb_data *cbd = user_data;
4012 connman_iptables_iterate_chains_cb_t cb = cbd->cb;
4013 struct xt_entry_target *target;
4015 if (offset + iptables_entry_get_next_offset(entry) == size)
4018 target = iptables_entry_get_target(entry);
4020 if (!g_strcmp0(target->u.user.name, get_error_target(entry->type))) {
4021 (*cb)((const char *)target->data, cbd->user_data);
4022 } else if (builtin >= 0) {
4023 (*cb)(hooknames[builtin], cbd->user_data);
4029 int __connman_iptables_iterate_chains(int type, const char *table_name,
4030 connman_iptables_iterate_chains_cb_t cb,
4033 struct cb_data *cbd = cb_data_new(cb, user_data);
4034 struct connman_iptables *table;
4035 struct connman_iptables_entry entry = { 0 };
4038 err = setup_xtables(type);
4043 table = get_table(type, table_name);
4051 if (type == AF_INET)
4052 entry.entry = table->blob_entries->entrytable;
4054 if (type == AF_INET6)
4055 entry.entry6 = table->blob_entries6->entrytable;
4057 iterate_entries(&entry,
4058 iptables_table_get_info_valid_hooks(table),
4059 iptables_table_get_info_hook_entry(table),
4060 iptables_table_get_info_underflow(table),
4061 iptables_table_get_entries_size(table),
4062 iterate_chains_cb, cbd);
4071 int __connman_iptables_init(void)
4075 if (getenv("CONNMAN_IPTABLES_DEBUG"))
4076 debug_enabled = true;
4078 table_hash = g_hash_table_new_full(g_str_hash, g_str_equal,
4079 NULL, remove_table);
4081 table_hash_ipv6 = g_hash_table_new_full(g_str_hash, g_str_equal,
4082 NULL, remove_table);
4087 void __connman_iptables_cleanup(void)
4091 g_hash_table_destroy(table_hash);
4092 g_hash_table_destroy(table_hash_ipv6);
projects / platform / upstream / connman.git / blob