extensions/libipt_set.c

   1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
   2  *                         Patrick Schaaf <bof@bof.de>
   3  *                         Martin Josefsson <gandalf@wlug.westbo.se>
   4  * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License version 2 as
   8  * published by the Free Software Foundation.
   9  */
  10
  11 /* Shared library add-on to iptables to add IP set matching. */
  12 #include <stdio.h>
  13 #include <netdb.h>
  14 #include <string.h>
  15 #include <stdlib.h>
  16 #include <getopt.h>
  17 #include <ctype.h>
  18 #include <errno.h>
  19
  20 #include <xtables.h>
  21 #include <linux/netfilter_ipv4/ipt_set.h>
  22 #include "libipt_set.h"
  23
  24 static void set_help(void)
  25 {
  26         printf("set match options:\n"
  27                " [!] --set     name flags\n"
  28                "                'name' is the set name from to match,\n"
  29                "                'flags' are the comma separated list of\n"
  30                "                'src' and 'dst'.\n");
  31 }
  32
  33 static const struct option set_opts[] = {
  34         {"set", 1, NULL, '1'},
  35         { }
  36 };
  37
  38 static void set_init(struct xt_entry_match *match)
  39 {
  40         struct ipt_set_info_match *info =
  41                 (struct ipt_set_info_match *) match->data;
  42
  43
  44         memset(info, 0, sizeof(struct ipt_set_info_match));
  45
  46 }
  47
  48 static int set_parse(int c, char **argv, int invert, unsigned int *flags,
  49                      const void *entry, struct xt_entry_match **match)
  50 {
  51         struct ipt_set_info_match *myinfo =
  52                 (struct ipt_set_info_match *) (*match)->data;
  53         struct ipt_set_info *info = &myinfo->match_set;
  54
  55         switch (c) {
  56         case '1':               /* --set <set> <flag>[,<flag> */
  57                 if (info->flags[0])
  58                         xtables_error(PARAMETER_PROBLEM,
  59                                    "--set can be specified only once");
  60
  61                 xtables_check_inverse(optarg, &invert, &optind, 0);
  62                 if (invert)
  63                         info->flags[0] |= IPSET_MATCH_INV;
  64
  65                 if (!argv[optind]
  66                     || argv[optind][0] == '-'
  67                     || argv[optind][0] == '!')
  68                         xtables_error(PARAMETER_PROBLEM,
  69                                    "--set requires two args.");
  70
  71                 if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1)
  72                         xtables_error(PARAMETER_PROBLEM,
  73                                    "setname `%s' too long, max %d characters.",
  74                                    argv[optind-1], IP_SET_MAXNAMELEN - 1);
  75
  76                 get_set_byname(argv[optind - 1], info);
  77                 parse_bindings(argv[optind], info);
  78                 DEBUGP("parse: set index %u\n", info->index);
  79                 optind++;
  80
  81                 *flags = 1;
  82                 break;
  83
  84         default:
  85                 return 0;
  86         }
  87
  88         return 1;
  89 }
  90
  91 static void set_check(unsigned int flags)
  92 {
  93         if (!flags)
  94                 xtables_error(PARAMETER_PROBLEM,
  95                            "You must specify `--set' with proper arguments");
  96         DEBUGP("final check OK\n");
  97 }
  98
  99 static void
 100 print_match(const char *prefix, const struct ipt_set_info *info)
 101 {
 102         int i;
 103         char setname[IP_SET_MAXNAMELEN];
 104
 105         get_set_byid(setname, info->index);
 106         printf("%s%s %s",
 107                (info->flags[0] & IPSET_MATCH_INV) ? "! " : "",
 108                prefix,
 109                setname);
 110         for (i = 0; i < IP_SET_MAX_BINDINGS; i++) {
 111                 if (!info->flags[i])
 112                         break;
 113                 printf("%s%s",
 114                        i == 0 ? " " : ",",
 115                        info->flags[i] & IPSET_SRC ? "src" : "dst");
 116         }
 117         printf(" ");
 118 }
 119
 120 /* Prints out the matchinfo. */
 121 static void set_print(const void *ip, const struct xt_entry_match *match,
 122                       int numeric)
 123 {
 124         const struct ipt_set_info_match *info = (const void *)match->data;
 125
 126         print_match("set", &info->match_set);
 127 }
 128
 129 static void set_save(const void *ip, const struct xt_entry_match *match)
 130 {
 131         const struct ipt_set_info_match *info = (const void *)match->data;
 132
 133         print_match("--set", &info->match_set);
 134 }
 135
 136 static struct xtables_match set_mt_reg = {
 137         .name           = "set",
 138         .version        = XTABLES_VERSION,
 139         .family         = NFPROTO_IPV4,
 140         .size           = XT_ALIGN(sizeof(struct ipt_set_info_match)),
 141         .userspacesize  = XT_ALIGN(sizeof(struct ipt_set_info_match)),
 142         .help           = set_help,
 143         .init           = set_init,
 144         .parse          = set_parse,
 145         .final_check    = set_check,
 146         .print          = set_print,
 147         .save           = set_save,
 148         .extra_opts     = set_opts,
 149 };
 150
 151 void _init(void)
 152 {
 153         xtables_register_match(&set_mt_reg);
 154 }