1 /* Code to restore the iptables state, from file by ip6tables-save.
2 * Author: Andras Kis-Szabo <kisza@sch.bme.hu>
4 * based on iptables-restore
6 * Harald Welte <laforge@gnumonks.org>
7 * Rusty Russell <rusty@linuxcare.com.au>
8 * This code is distributed under the terms of GNU GPL v2
14 #include <sys/errno.h>
18 #include "ip6tables.h"
20 #include "libiptc/libip6tc.h"
21 #include "ip6tables-multi.h"
24 #define DEBUGP(x, args...) fprintf(stderr, x, ## args)
26 #define DEBUGP(x, args...)
29 static int binary
= 0, counters
= 0, verbose
= 0, noflush
= 0;
31 /* Keeping track of external matches and targets. */
32 static const struct option options
[] = {
33 {.name
= "binary", .has_arg
= false, .val
= 'b'},
34 {.name
= "counters", .has_arg
= false, .val
= 'c'},
35 {.name
= "verbose", .has_arg
= false, .val
= 'v'},
36 {.name
= "test", .has_arg
= false, .val
= 't'},
37 {.name
= "help", .has_arg
= false, .val
= 'h'},
38 {.name
= "noflush", .has_arg
= false, .val
= 'n'},
39 {.name
= "modprobe", .has_arg
= true, .val
= 'M'},
43 static void print_usage(const char *name
, const char *version
) __attribute__((noreturn
));
45 static void print_usage(const char *name
, const char *version
)
47 fprintf(stderr
, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n"
54 " [ --modprobe=<command>]\n", name
);
59 static struct ip6tc_handle
*create_handle(const char *tablename
)
61 struct ip6tc_handle
*handle
;
63 handle
= ip6tc_init(tablename
);
66 /* try to insmod the module if iptc_init failed */
67 load_xtables_ko(modprobe_program
, 0);
68 handle
= ip6tc_init(tablename
);
72 exit_error(PARAMETER_PROBLEM
, "%s: unable to initialize "
73 "table '%s'\n", program_name
, tablename
);
79 static int parse_counters(char *string
, struct ip6t_counters
*ctr
)
81 unsigned long long pcnt
, bcnt
;
84 ret
= sscanf(string
, "[%llu:%llu]",
85 (unsigned long long *)&pcnt
,
86 (unsigned long long *)&bcnt
);
92 /* global new argv and argc */
93 static char *newargv
[255];
96 /* function adding one argument to newargv, updating newargc
97 * returns true if argument added, false otherwise */
98 static int add_argv(char *what
) {
99 DEBUGP("add_argv: %s\n", what
);
100 if (what
&& ((newargc
+ 1) < sizeof(newargv
)/sizeof(char *))) {
101 newargv
[newargc
] = strdup(what
);
108 static void free_argv(void) {
111 for (i
= 0; i
< newargc
; i
++)
115 #ifdef IPTABLES_MULTI
116 int ip6tables_restore_main(int argc
, char *argv
[])
118 int main(int argc
, char *argv
[])
121 struct ip6tc_handle
*handle
= NULL
;
124 char curtable
[IP6T_TABLE_MAXNAMELEN
+ 1];
126 int in_table
= 0, testing
= 0;
128 program_name
= "ip6tables-restore";
129 program_version
= XTABLES_VERSION
;
132 lib_dir
= getenv("XTABLES_LIBDIR");
133 if (lib_dir
== NULL
) {
134 lib_dir
= getenv("IP6TABLES_LIB_DIR");
136 fprintf(stderr
, "IP6TABLES_LIB_DIR is deprecated\n");
139 lib_dir
= XTABLES_LIBDIR
;
141 #ifdef NO_SHARED_LIBS
145 while ((c
= getopt_long(argc
, argv
, "bcvthnM:", options
, NULL
)) != -1) {
160 print_usage("ip6tables-restore",
167 modprobe_program
= optarg
;
172 if (optind
== argc
- 1) {
173 in
= fopen(argv
[optind
], "r");
175 fprintf(stderr
, "Can't open %s: %s\n", argv
[optind
],
180 else if (optind
< argc
) {
181 fprintf(stderr
, "Unknown arguments found on commandline\n");
186 /* Grab standard input. */
187 while (fgets(buffer
, sizeof(buffer
), in
)) {
191 if (buffer
[0] == '\n')
193 else if (buffer
[0] == '#') {
195 fputs(buffer
, stdout
);
197 } else if ((strcmp(buffer
, "COMMIT\n") == 0) && (in_table
)) {
199 DEBUGP("Calling commit\n");
200 ret
= ip6tc_commit(handle
);
204 DEBUGP("Not calling commit, testing\n");
208 } else if ((buffer
[0] == '*') && (!in_table
)) {
212 table
= strtok(buffer
+1, " \t\n");
213 DEBUGP("line %u, table '%s'\n", line
, table
);
215 exit_error(PARAMETER_PROBLEM
,
216 "%s: line %u table name invalid\n",
220 strncpy(curtable
, table
, IP6T_TABLE_MAXNAMELEN
);
221 curtable
[IP6T_TABLE_MAXNAMELEN
] = '\0';
226 handle
= create_handle(table
);
228 DEBUGP("Cleaning all chains of table '%s'\n",
230 for_each_chain(flush_entries
, verbose
, 1,
233 DEBUGP("Deleting all user-defined chains "
234 "of table '%s'\n", table
);
235 for_each_chain(delete_chain
, verbose
, 0,
242 } else if ((buffer
[0] == ':') && (in_table
)) {
244 char *policy
, *chain
;
246 chain
= strtok(buffer
+1, " \t\n");
247 DEBUGP("line %u, chain '%s'\n", line
, chain
);
249 exit_error(PARAMETER_PROBLEM
,
250 "%s: line %u chain name invalid\n",
255 if (ip6tc_builtin(chain
, handle
) <= 0) {
256 if (noflush
&& ip6tc_is_chain(chain
, handle
)) {
257 DEBUGP("Flushing existing user defined chain '%s'\n", chain
);
258 if (!ip6tc_flush_entries(chain
, handle
))
259 exit_error(PARAMETER_PROBLEM
,
260 "error flushing chain "
264 DEBUGP("Creating new chain '%s'\n", chain
);
265 if (!ip6tc_create_chain(chain
, handle
))
266 exit_error(PARAMETER_PROBLEM
,
267 "error creating chain "
273 policy
= strtok(NULL
, " \t\n");
274 DEBUGP("line %u, policy '%s'\n", line
, policy
);
276 exit_error(PARAMETER_PROBLEM
,
277 "%s: line %u policy invalid\n",
282 if (strcmp(policy
, "-") != 0) {
283 struct ip6t_counters count
;
287 ctrs
= strtok(NULL
, " \t\n");
289 if (!ctrs
|| !parse_counters(ctrs
, &count
))
290 exit_error(PARAMETER_PROBLEM
,
291 "invalid policy counters "
292 "for chain '%s'\n", chain
);
296 sizeof(struct ip6t_counters
));
299 DEBUGP("Setting policy of chain %s to %s\n",
302 if (!ip6tc_set_policy(chain
, policy
, &count
,
304 exit_error(OTHER_PROBLEM
,
305 "Can't set policy `%s'"
306 " on `%s' line %u: %s\n",
308 ip6tc_strerror(errno
));
313 } else if (in_table
) {
322 int quote_open
, escaped
;
325 /* reset the newargv */
328 if (buffer
[0] == '[') {
329 /* we have counters in our input */
330 ptr
= strchr(buffer
, ']');
332 exit_error(PARAMETER_PROBLEM
,
333 "Bad line %u: need ]\n",
336 pcnt
= strtok(buffer
+1, ":");
338 exit_error(PARAMETER_PROBLEM
,
339 "Bad line %u: need :\n",
342 bcnt
= strtok(NULL
, "]");
344 exit_error(PARAMETER_PROBLEM
,
345 "Bad line %u: need ]\n",
348 /* start command parsing after counter */
349 parsestart
= ptr
+ 1;
351 /* start command parsing at start of line */
357 add_argv((char *) &curtable
);
359 if (counters
&& pcnt
&& bcnt
) {
360 add_argv("--set-counters");
361 add_argv((char *) pcnt
);
362 add_argv((char *) bcnt
);
365 /* After fighting with strtok enough, here's now
366 * a 'real' parser. According to Rusty I'm now no
367 * longer a real hacker, but I can live with that */
373 for (curchar
= parsestart
; *curchar
; curchar
++) {
374 char param_buffer
[1024];
378 param_buffer
[param_len
++] = *curchar
;
381 } else if (*curchar
== '\\') {
384 } else if (*curchar
== '"') {
388 param_buffer
[param_len
++] = *curchar
;
392 if (*curchar
== '"') {
400 || * curchar
== '\n') {
406 param_buffer
[param_len
] = '\0';
408 /* check if table name specified */
409 if (!strncmp(param_buffer
, "-t", 2)
410 || !strncmp(param_buffer
, "--table", 8)) {
411 exit_error(PARAMETER_PROBLEM
,
412 "Line %u seems to have a "
413 "-t table option.\n", line
);
417 add_argv(param_buffer
);
420 /* regular character, copy to buffer */
421 param_buffer
[param_len
++] = *curchar
;
423 if (param_len
>= sizeof(param_buffer
))
424 exit_error(PARAMETER_PROBLEM
,
425 "Parameter too long!");
429 DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
432 for (a
= 0; a
< newargc
; a
++)
433 DEBUGP("argv[%u]: %s\n", a
, newargv
[a
]);
435 ret
= do_command6(newargc
, newargv
,
436 &newargv
[2], &handle
);
442 fprintf(stderr
, "%s: line %u failed\n",
448 fprintf(stderr
, "%s: COMMIT expected at line %u\n",
449 program_name
, line
+ 1);