search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
iptables: refer to dmesg when we hit error
[jleu-iptables.git] / xtables.c
blobabdd283b2773c90a73fddb3a0aba5c67cacff6d0
1 /*
2 * (C) 2000-2006 by the netfilter coreteam <coreteam@netfilter.org>:
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
17 */
18
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <netdb.h>
22 #include <stdarg.h>
23 #include <stdbool.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <unistd.h>
28 #include <sys/socket.h>
29 #include <sys/stat.h>
30 #include <sys/types.h>
31 #include <sys/wait.h>
32 #include <arpa/inet.h>
33
34 #include <xtables.h>
35 #include <libiptc/libxtc.h>
36
37 #ifndef NO_SHARED_LIBS
38 #include <dlfcn.h>
39 #endif
40
41 #define NPROTO 255
42
43 #ifndef PROC_SYS_MODPROBE
44 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
45 #endif
46
47 char *lib_dir;
48
49 /* the path to command to load kernel module */
50 const char *modprobe_program = NULL;
51
52 /* Keeping track of external matches and targets: linked lists. */
53 struct xtables_match *xtables_matches;
54 struct xtables_target *xtables_targets;
55
56 void *fw_calloc(size_t count, size_t size)
57 {
58 void *p;
59
60 if ((p = calloc(count, size)) == NULL) {
61 perror("ip[6]tables: calloc failed");
62 exit(1);
63 }
64
65 return p;
66 }
67
68 void *fw_malloc(size_t size)
69 {
70 void *p;
71
72 if ((p = malloc(size)) == NULL) {
73 perror("ip[6]tables: malloc failed");
74 exit(1);
75 }
76
77 return p;
78 }
79
80 static char *get_modprobe(void)
81 {
82 int procfile;
83 char *ret;
84
85 #define PROCFILE_BUFSIZ 1024
86 procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
87 if (procfile < 0)
88 return NULL;
89
90 ret = (char *) malloc(PROCFILE_BUFSIZ);
91 if (ret) {
92 memset(ret, 0, PROCFILE_BUFSIZ);
93 switch (read(procfile, ret, PROCFILE_BUFSIZ)) {
94 case -1: goto fail;
95 case PROCFILE_BUFSIZ: goto fail; /* Partial read. Wierd */
96 }
97 if (ret[strlen(ret)-1]=='\n')
98 ret[strlen(ret)-1]=0;
99 close(procfile);
100 return ret;
101 }
102 fail:
103 free(ret);
104 close(procfile);
105 return NULL;
106 }
107
108 int xtables_insmod(const char *modname, const char *modprobe, int quiet)
109 {
110 char *buf = NULL;
111 char *argv[4];
112 int status;
113
114 /* If they don't explicitly set it, read out of kernel */
115 if (!modprobe) {
116 buf = get_modprobe();
117 if (!buf)
118 return -1;
119 modprobe = buf;
120 }
121
122 switch (fork()) {
123 case 0:
124 argv[0] = (char *)modprobe;
125 argv[1] = (char *)modname;
126 if (quiet) {
127 argv[2] = "-q";
128 argv[3] = NULL;
129 } else {
130 argv[2] = NULL;
131 argv[3] = NULL;
132 }
133 execv(argv[0], argv);
134
135 /* not usually reached */
136 exit(1);
137 case -1:
138 return -1;
139
140 default: /* parent */
141 wait(&status);
142 }
143
144 free(buf);
145 if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
146 return 0;
147 return -1;
148 }
149
150 int load_xtables_ko(const char *modprobe, int quiet)
151 {
152 static int loaded = 0;
153 static int ret = -1;
154
155 if (!loaded) {
156 ret = xtables_insmod(afinfo.kmod, modprobe, quiet);
157 loaded = (ret == 0);
158 }
159
160 return ret;
161 }
162
163 int string_to_number_ll(const char *s, unsigned long long min,
164 unsigned long long max, unsigned long long *ret)
165 {
166 unsigned long long number;
167 char *end;
168
169 /* Handle hex, octal, etc. */
170 errno = 0;
171 number = strtoull(s, &end, 0);
172 if (*end == '\0' && end != s) {
173 /* we parsed a number, let's see if we want this */
174 if (errno != ERANGE && min <= number && (!max || number <= max)) {
175 *ret = number;
176 return 0;
177 }
178 }
179 return -1;
180 }
181
182 int string_to_number_l(const char *s, unsigned long min, unsigned long max,
183 unsigned long *ret)
184 {
185 int result;
186 unsigned long long number;
187
188 result = string_to_number_ll(s, min, max, &number);
189 *ret = (unsigned long)number;
190
191 return result;
192 }
193
194 int string_to_number(const char *s, unsigned int min, unsigned int max,
195 unsigned int *ret)
196 {
197 int result;
198 unsigned long number;
199
200 result = string_to_number_l(s, min, max, &number);
201 *ret = (unsigned int)number;
202
203 return result;
204 }
205
206 /*
207 * strtonum{,l} - string to number conversion
208 *
209 * If @end is NULL, we assume the caller does not want
210 * a case like "15a", so reject it.
211 */
212 bool strtonuml(const char *s, char **end, unsigned long *value,
213 unsigned long min, unsigned long max)
214 {
215 unsigned long v;
216 char *my_end;
217
218 errno = 0;
219 v = strtoul(s, &my_end, 0);
220
221 if (my_end == s)
222 return false;
223 if (end != NULL)
224 *end = my_end;
225
226 if (errno != ERANGE && min <= v && (max == 0 || v <= max)) {
227 if (value != NULL)
228 *value = v;
229 if (end == NULL)
230 return *my_end == '\0';
231 return true;
232 }
233
234 return false;
235 }
236
237 bool strtonum(const char *s, char **end, unsigned int *value,
238 unsigned int min, unsigned int max)
239 {
240 unsigned long v;
241 bool ret;
242
243 ret = strtonuml(s, end, &v, min, max);
244 if (value != NULL)
245 *value = v;
246 return ret;
247 }
248
249 int service_to_port(const char *name, const char *proto)
250 {
251 struct servent *service;
252
253 if ((service = getservbyname(name, proto)) != NULL)
254 return ntohs((unsigned short) service->s_port);
255
256 return -1;
257 }
258
259 u_int16_t parse_port(const char *port, const char *proto)
260 {
261 unsigned int portnum;
262
263 if ((string_to_number(port, 0, 65535, &portnum)) != -1 ||
264 (portnum = service_to_port(port, proto)) != (unsigned)-1)
265 return (u_int16_t)portnum;
266
267 exit_error(PARAMETER_PROBLEM,
268 "invalid port/service `%s' specified", port);
269 }
270
271 void parse_interface(const char *arg, char *vianame, unsigned char *mask)
272 {
273 int vialen = strlen(arg);
274 unsigned int i;
275
276 memset(mask, 0, IFNAMSIZ);
277 memset(vianame, 0, IFNAMSIZ);
278
279 if (vialen + 1 > IFNAMSIZ)
280 exit_error(PARAMETER_PROBLEM,
281 "interface name `%s' must be shorter than IFNAMSIZ"
282 " (%i)", arg, IFNAMSIZ-1);
283
284 strcpy(vianame, arg);
285 if ((vialen == 0) || (vialen == 1 && vianame[0] == '+'))
286 memset(mask, 0, IFNAMSIZ);
287 else if (vianame[vialen - 1] == '+') {
288 memset(mask, 0xFF, vialen - 1);
289 memset(mask + vialen - 1, 0, IFNAMSIZ - vialen + 1);
290 /* Don't remove `+' here! -HW */
291 } else {
292 /* Include nul-terminator in match */
293 memset(mask, 0xFF, vialen + 1);
294 memset(mask + vialen + 1, 0, IFNAMSIZ - vialen - 1);
295 for (i = 0; vianame[i]; i++) {
296 if (vianame[i] == ':' ||
297 vianame[i] == '!' ||
298 vianame[i] == '*') {
299 fprintf(stderr,
300 "Warning: weird character in interface"
301 " `%s' (No aliases, :, ! or *).\n",
302 vianame);
303 break;
304 }
305 }
306 }
307 }
308
309 #ifndef NO_SHARED_LIBS
310 static void *load_extension(const char *search_path, const char *prefix,
311 const char *name, bool is_target)
312 {
313 const char *dir = search_path, *next;
314 void *ptr = NULL;
315 struct stat sb;
316 char path[256];
317
318 do {
319 next = strchr(dir, ':');
320 if (next == NULL)
321 next = dir + strlen(dir);
322 snprintf(path, sizeof(path), "%.*s/libxt_%s.so",
323 (unsigned int)(next - dir), dir, name);
324
325 if (dlopen(path, RTLD_NOW) != NULL) {
326 /* Found library. If it didn't register itself,
327 maybe they specified target as match. */
328 if (is_target)
329 ptr = find_target(name, DONT_LOAD);
330 else
331 ptr = find_match(name, DONT_LOAD, NULL);
332 } else if (stat(path, &sb) == 0) {
333 fprintf(stderr, "%s: %s\n", path, dlerror());
334 }
335
336 if (ptr != NULL)
337 return ptr;
338
339 snprintf(path, sizeof(path), "%.*s/%s%s.so",
340 (unsigned int)(next - dir), dir, prefix, name);
341 if (dlopen(path, RTLD_NOW) != NULL) {
342 if (is_target)
343 ptr = find_target(name, DONT_LOAD);
344 else
345 ptr = find_match(name, DONT_LOAD, NULL);
346 } else if (stat(path, &sb) == 0) {
347 fprintf(stderr, "%s: %s\n", path, dlerror());
348 }
349
350 if (ptr != NULL)
351 return ptr;
352
353 dir = next + 1;
354 } while (*next != '\0');
355
356 return NULL;
357 }
358 #endif
359
360 struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
361 struct xtables_rule_match **matches)
362 {
363 struct xtables_match *ptr;
364 const char *icmp6 = "icmp6";
365
366 /* This is ugly as hell. Nonetheless, there is no way of changing
367 * this without hurting backwards compatibility */
368 if ( (strcmp(name,"icmpv6") == 0) ||
369 (strcmp(name,"ipv6-icmp") == 0) ||
370 (strcmp(name,"icmp6") == 0) )
371 name = icmp6;
372
373 for (ptr = xtables_matches; ptr; ptr = ptr->next) {
374 if (strcmp(name, ptr->name) == 0) {
375 struct xtables_match *clone;
376
377 /* First match of this type: */
378 if (ptr->m == NULL)
379 break;
380
381 /* Second and subsequent clones */
382 clone = fw_malloc(sizeof(struct xtables_match));
383 memcpy(clone, ptr, sizeof(struct xtables_match));
384 clone->mflags = 0;
385 /* This is a clone: */
386 clone->next = clone;
387
388 ptr = clone;
389 break;
390 }
391 }
392
393 #ifndef NO_SHARED_LIBS
394 if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
395 ptr = load_extension(lib_dir, afinfo.libprefix, name, false);
396
397 if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
398 exit_error(PARAMETER_PROBLEM,
399 "Couldn't load match `%s':%s\n",
400 name, dlerror());
401 }
402 #else
403 if (ptr && !ptr->loaded) {
404 if (tryload != DONT_LOAD)
405 ptr->loaded = 1;
406 else
407 ptr = NULL;
408 }
409 if(!ptr && (tryload == LOAD_MUST_SUCCEED)) {
410 exit_error(PARAMETER_PROBLEM,
411 "Couldn't find match `%s'\n", name);
412 }
413 #endif
414
415 if (ptr && matches) {
416 struct xtables_rule_match **i;
417 struct xtables_rule_match *newentry;
418
419 newentry = fw_malloc(sizeof(struct xtables_rule_match));
420
421 for (i = matches; *i; i = &(*i)->next) {
422 if (strcmp(name, (*i)->match->name) == 0)
423 (*i)->completed = 1;
424 }
425 newentry->match = ptr;
426 newentry->completed = 0;
427 newentry->next = NULL;
428 *i = newentry;
429 }
430
431 return ptr;
432 }
433
434
435 struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
436 {
437 struct xtables_target *ptr;
438
439 /* Standard target? */
440 if (strcmp(name, "") == 0
441 || strcmp(name, XTC_LABEL_ACCEPT) == 0
442 || strcmp(name, XTC_LABEL_DROP) == 0
443 || strcmp(name, XTC_LABEL_QUEUE) == 0
444 || strcmp(name, XTC_LABEL_RETURN) == 0)
445 name = "standard";
446
447 for (ptr = xtables_targets; ptr; ptr = ptr->next) {
448 if (strcmp(name, ptr->name) == 0)
449 break;
450 }
451
452 #ifndef NO_SHARED_LIBS
453 if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
454 ptr = load_extension(lib_dir, afinfo.libprefix, name, true);
455
456 if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
457 exit_error(PARAMETER_PROBLEM,
458 "Couldn't load target `%s':%s\n",
459 name, dlerror());
460 }
461 #else
462 if (ptr && !ptr->loaded) {
463 if (tryload != DONT_LOAD)
464 ptr->loaded = 1;
465 else
466 ptr = NULL;
467 }
468 if(!ptr && (tryload == LOAD_MUST_SUCCEED)) {
469 exit_error(PARAMETER_PROBLEM,
470 "Couldn't find target `%s'\n", name);
471 }
472 #endif
473
474 if (ptr)
475 ptr->used = 1;
476
477 return ptr;
478 }
479
480 static int compatible_revision(const char *name, u_int8_t revision, int opt)
481 {
482 struct xt_get_revision rev;
483 socklen_t s = sizeof(rev);
484 int max_rev, sockfd;
485
486 sockfd = socket(afinfo.family, SOCK_RAW, IPPROTO_RAW);
487 if (sockfd < 0) {
488 if (errno == EPERM) {
489 /* revision 0 is always supported. */
490 if (revision != 0)
491 fprintf(stderr, "Could not determine whether "
492 "revision %u is supported, "
493 "assuming it is.\n",
494 revision);
495 return 1;
496 }
497 fprintf(stderr, "Could not open socket to kernel: %s\n",
498 strerror(errno));
499 exit(1);
500 }
501
502 load_xtables_ko(modprobe_program, 1);
503
504 strcpy(rev.name, name);
505 rev.revision = revision;
506
507 max_rev = getsockopt(sockfd, afinfo.ipproto, opt, &rev, &s);
508 if (max_rev < 0) {
509 /* Definitely don't support this? */
510 if (errno == ENOENT || errno == EPROTONOSUPPORT) {
511 close(sockfd);
512 return 0;
513 } else if (errno == ENOPROTOOPT) {
514 close(sockfd);
515 /* Assume only revision 0 support (old kernel) */
516 return (revision == 0);
517 } else {
518 fprintf(stderr, "getsockopt failed strangely: %s\n",
519 strerror(errno));
520 exit(1);
521 }
522 }
523 close(sockfd);
524 return 1;
525 }
526
527
528 static int compatible_match_revision(const char *name, u_int8_t revision)
529 {
530 return compatible_revision(name, revision, afinfo.so_rev_match);
531 }
532
533 static int compatible_target_revision(const char *name, u_int8_t revision)
534 {
535 return compatible_revision(name, revision, afinfo.so_rev_target);
536 }
537
538 void xtables_register_match(struct xtables_match *me)
539 {
540 struct xtables_match **i, *old;
541
542 if (strcmp(me->version, program_version) != 0) {
543 fprintf(stderr, "%s: match `%s' v%s (I'm v%s).\n",
544 program_name, me->name, me->version, program_version);
545 exit(1);
546 }
547
548 /* Revision field stole a char from name. */
549 if (strlen(me->name) >= XT_FUNCTION_MAXNAMELEN-1) {
550 fprintf(stderr, "%s: target `%s' has invalid name\n",
551 program_name, me->name);
552 exit(1);
553 }
554
555 if (me->family >= NPROTO) {
556 fprintf(stderr,
557 "%s: BUG: match %s has invalid protocol family\n",
558 program_name, me->name);
559 exit(1);
560 }
561
562 /* ignore not interested match */
563 if (me->family != afinfo.family && me->family != AF_UNSPEC)
564 return;
565
566 old = find_match(me->name, DURING_LOAD, NULL);
567 if (old) {
568 if (old->revision == me->revision &&
569 old->family == me->family) {
570 fprintf(stderr,
571 "%s: match `%s' already registered.\n",
572 program_name, me->name);
573 exit(1);
574 }
575
576 /* Now we have two (or more) options, check compatibility. */
577 if (compatible_match_revision(old->name, old->revision)
578 && old->revision > me->revision)
579 return;
580
581 /* See if new match can be used. */
582 if (!compatible_match_revision(me->name, me->revision))
583 return;
584
585 /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */
586 if (old->revision == me->revision && me->family == AF_UNSPEC)
587 return;
588
589 /* Delete old one. */
590 for (i = &xtables_matches; *i!=old; i = &(*i)->next);
591 *i = old->next;
592 }
593
594 if (me->size != XT_ALIGN(me->size)) {
595 fprintf(stderr, "%s: match `%s' has invalid size %u.\n",
596 program_name, me->name, (unsigned int)me->size);
597 exit(1);
598 }
599
600 /* Append to list. */
601 for (i = &xtables_matches; *i; i = &(*i)->next);
602 me->next = NULL;
603 *i = me;
604
605 me->m = NULL;
606 me->mflags = 0;
607 }
608
609 void xtables_register_target(struct xtables_target *me)
610 {
611 struct xtables_target *old;
612
613 if (strcmp(me->version, program_version) != 0) {
614 fprintf(stderr, "%s: target `%s' v%s (I'm v%s).\n",
615 program_name, me->name, me->version, program_version);
616 exit(1);
617 }
618
619 /* Revision field stole a char from name. */
620 if (strlen(me->name) >= XT_FUNCTION_MAXNAMELEN-1) {
621 fprintf(stderr, "%s: target `%s' has invalid name\n",
622 program_name, me->name);
623 exit(1);
624 }
625
626 if (me->family >= NPROTO) {
627 fprintf(stderr,
628 "%s: BUG: target %s has invalid protocol family\n",
629 program_name, me->name);
630 exit(1);
631 }
632
633 /* ignore not interested target */
634 if (me->family != afinfo.family && me->family != AF_UNSPEC)
635 return;
636
637 old = find_target(me->name, DURING_LOAD);
638 if (old) {
639 struct xtables_target **i;
640
641 if (old->revision == me->revision &&
642 old->family == me->family) {
643 fprintf(stderr,
644 "%s: target `%s' already registered.\n",
645 program_name, me->name);
646 exit(1);
647 }
648
649 /* Now we have two (or more) options, check compatibility. */
650 if (compatible_target_revision(old->name, old->revision)
651 && old->revision > me->revision)
652 return;
653
654 /* See if new target can be used. */
655 if (!compatible_target_revision(me->name, me->revision))
656 return;
657
658 /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */
659 if (old->revision == me->revision && me->family == AF_UNSPEC)
660 return;
661
662 /* Delete old one. */
663 for (i = &xtables_targets; *i!=old; i = &(*i)->next);
664 *i = old->next;
665 }
666
667 if (me->size != XT_ALIGN(me->size)) {
668 fprintf(stderr, "%s: target `%s' has invalid size %u.\n",
669 program_name, me->name, (unsigned int)me->size);
670 exit(1);
671 }
672
673 /* Prepend to list. */
674 me->next = xtables_targets;
675 xtables_targets = me;
676 me->t = NULL;
677 me->tflags = 0;
678 }
679
680 void param_act(unsigned int status, const char *p1, ...)
681 {
682 const char *p2, *p3;
683 va_list args;
684 bool b;
685
686 va_start(args, p1);
687
688 switch (status) {
689 case P_ONLY_ONCE:
690 p2 = va_arg(args, const char *);
691 b = va_arg(args, unsigned int);
692 if (!b)
693 return;
694 exit_error(PARAMETER_PROBLEM,
695 "%s: \"%s\" option may only be specified once",
696 p1, p2);
697 break;
698 case P_NO_INVERT:
699 p2 = va_arg(args, const char *);
700 b = va_arg(args, unsigned int);
701 if (!b)
702 return;
703 exit_error(PARAMETER_PROBLEM,
704 "%s: \"%s\" option cannot be inverted", p1, p2);
705 break;
706 case P_BAD_VALUE:
707 p2 = va_arg(args, const char *);
708 p3 = va_arg(args, const char *);
709 exit_error(PARAMETER_PROBLEM,
710 "%s: Bad value for \"%s\" option: \"%s\"",
711 p1, p2, p3);
712 break;
713 case P_ONE_ACTION:
714 b = va_arg(args, unsigned int);
715 if (!b)
716 return;
717 exit_error(PARAMETER_PROBLEM,
718 "%s: At most one action is possible", p1);
719 break;
720 default:
721 exit_error(status, p1, args);
722 break;
723 }
724
725 va_end(args);
726 }
727
728 const char *ipaddr_to_numeric(const struct in_addr *addrp)
729 {
730 static char buf[20];
731 const unsigned char *bytep = (const void *)&addrp->s_addr;
732
733 sprintf(buf, "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
734 return buf;
735 }
736
737 static const char *ipaddr_to_host(const struct in_addr *addr)
738 {
739 struct hostent *host;
740
741 host = gethostbyaddr(addr, sizeof(struct in_addr), AF_INET);
742 if (host == NULL)
743 return NULL;
744
745 return host->h_name;
746 }
747
748 static const char *ipaddr_to_network(const struct in_addr *addr)
749 {
750 struct netent *net;
751
752 if ((net = getnetbyaddr(ntohl(addr->s_addr), AF_INET)) != NULL)
753 return net->n_name;
754
755 return NULL;
756 }
757
758 const char *ipaddr_to_anyname(const struct in_addr *addr)
759 {
760 const char *name;
761
762 if ((name = ipaddr_to_host(addr)) != NULL ||
763 (name = ipaddr_to_network(addr)) != NULL)
764 return name;
765
766 return ipaddr_to_numeric(addr);
767 }
768
769 const char *ipmask_to_numeric(const struct in_addr *mask)
770 {
771 static char buf[20];
772 uint32_t maskaddr, bits;
773 int i;
774
775 maskaddr = ntohl(mask->s_addr);
776
777 if (maskaddr == 0xFFFFFFFFL)
778 /* we don't want to see "/32" */
779 return "";
780
781 i = 32;
782 bits = 0xFFFFFFFEL;
783 while (--i >= 0 && maskaddr != bits)
784 bits <<= 1;
785 if (i >= 0)
786 sprintf(buf, "/%d", i);
787 else
788 /* mask was not a decent combination of 1's and 0's */
789 sprintf(buf, "/%s", ipaddr_to_numeric(mask));
790
791 return buf;
792 }
793
794 static struct in_addr *__numeric_to_ipaddr(const char *dotted, bool is_mask)
795 {
796 static struct in_addr addr;
797 unsigned char *addrp;
798 unsigned int onebyte;
799 char buf[20], *p, *q;
800 int i;
801
802 /* copy dotted string, because we need to modify it */
803 strncpy(buf, dotted, sizeof(buf) - 1);
804 buf[sizeof(buf) - 1] = '\0';
805 addrp = (void *)&addr.s_addr;
806
807 p = buf;
808 for (i = 0; i < 3; ++i) {
809 if ((q = strchr(p, '.')) == NULL) {
810 if (is_mask)
811 return NULL;
812
813 /* autocomplete, this is a network address */
814 if (!strtonum(p, NULL, &onebyte, 0, 255))
815 return NULL;
816
817 addrp[i] = onebyte;
818 while (i < 3)
819 addrp[++i] = 0;
820
821 return &addr;
822 }
823
824 *q = '\0';
825 if (!strtonum(p, NULL, &onebyte, 0, 255))
826 return NULL;
827
828 addrp[i] = onebyte;
829 p = q + 1;
830 }
831
832 /* we have checked 3 bytes, now we check the last one */
833 if (!strtonum(p, NULL, &onebyte, 0, 255))
834 return NULL;
835
836 addrp[3] = onebyte;
837 return &addr;
838 }
839
840 struct in_addr *numeric_to_ipaddr(const char *dotted)
841 {
842 return __numeric_to_ipaddr(dotted, false);
843 }
844
845 struct in_addr *numeric_to_ipmask(const char *dotted)
846 {
847 return __numeric_to_ipaddr(dotted, true);
848 }
849
850 static struct in_addr *network_to_ipaddr(const char *name)
851 {
852 static struct in_addr addr;
853 struct netent *net;
854
855 if ((net = getnetbyname(name)) != NULL) {
856 if (net->n_addrtype != AF_INET)
857 return NULL;
858 addr.s_addr = htonl(net->n_net);
859 return &addr;
860 }
861
862 return NULL;
863 }
864
865 static struct in_addr *host_to_ipaddr(const char *name, unsigned int *naddr)
866 {
867 struct hostent *host;
868 struct in_addr *addr;
869 unsigned int i;
870
871 *naddr = 0;
872 if ((host = gethostbyname(name)) != NULL) {
873 if (host->h_addrtype != AF_INET ||
874 host->h_length != sizeof(struct in_addr))
875 return NULL;
876
877 while (host->h_addr_list[*naddr] != NULL)
878 ++*naddr;
879 addr = fw_calloc(*naddr, sizeof(struct in_addr) * *naddr);
880 for (i = 0; i < *naddr; i++)
881 memcpy(&addr[i], host->h_addr_list[i],
882 sizeof(struct in_addr));
883 return addr;
884 }
885
886 return NULL;
887 }
888
889 static struct in_addr *
890 ipparse_hostnetwork(const char *name, unsigned int *naddrs)
891 {
892 struct in_addr *addrptmp, *addrp;
893
894 if ((addrptmp = numeric_to_ipaddr(name)) != NULL ||
895 (addrptmp = network_to_ipaddr(name)) != NULL) {
896 addrp = fw_malloc(sizeof(struct in_addr));
897 memcpy(addrp, addrptmp, sizeof(*addrp));
898 *naddrs = 1;
899 return addrp;
900 }
901 if ((addrptmp = host_to_ipaddr(name, naddrs)) != NULL)
902 return addrptmp;
903
904 exit_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
905 }
906
907 static struct in_addr *parse_ipmask(const char *mask)
908 {
909 static struct in_addr maskaddr;
910 struct in_addr *addrp;
911 unsigned int bits;
912
913 if (mask == NULL) {
914 /* no mask at all defaults to 32 bits */
915 maskaddr.s_addr = 0xFFFFFFFF;
916 return &maskaddr;
917 }
918 if ((addrp = numeric_to_ipmask(mask)) != NULL)
919 /* dotted_to_addr already returns a network byte order addr */
920 return addrp;
921 if (string_to_number(mask, 0, 32, &bits) == -1)
922 exit_error(PARAMETER_PROBLEM,
923 "invalid mask `%s' specified", mask);
924 if (bits != 0) {
925 maskaddr.s_addr = htonl(0xFFFFFFFF << (32 - bits));
926 return &maskaddr;
927 }
928
929 maskaddr.s_addr = 0U;
930 return &maskaddr;
931 }
932
933 void ipparse_hostnetworkmask(const char *name, struct in_addr **addrpp,
934 struct in_addr *maskp, unsigned int *naddrs)
935 {
936 unsigned int i, j, k, n;
937 struct in_addr *addrp;
938 char buf[256], *p;
939
940 strncpy(buf, name, sizeof(buf) - 1);
941 buf[sizeof(buf) - 1] = '\0';
942 if ((p = strrchr(buf, '/')) != NULL) {
943 *p = '\0';
944 addrp = parse_ipmask(p + 1);
945 } else {
946 addrp = parse_ipmask(NULL);
947 }
948 memcpy(maskp, addrp, sizeof(*maskp));
949
950 /* if a null mask is given, the name is ignored, like in "any/0" */
951 if (maskp->s_addr == 0U)
952 strcpy(buf, "0.0.0.0");
953
954 addrp = *addrpp = ipparse_hostnetwork(buf, naddrs);
955 n = *naddrs;
956 for (i = 0, j = 0; i < n; ++i) {
957 addrp[j++].s_addr &= maskp->s_addr;
958 for (k = 0; k < j - 1; ++k)
959 if (addrp[k].s_addr == addrp[j-1].s_addr) {
960 --*naddrs;
961 --j;
962 break;
963 }
964 }
965 }
966
967 const char *ip6addr_to_numeric(const struct in6_addr *addrp)
968 {
969 /* 0000:0000:0000:0000:0000:000.000.000.000
970 * 0000:0000:0000:0000:0000:0000:0000:0000 */
971 static char buf[50+1];
972 return inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
973 }
974
975 static const char *ip6addr_to_host(const struct in6_addr *addr)
976 {
977 static char hostname[NI_MAXHOST];
978 struct sockaddr_in6 saddr;
979 int err;
980
981 memset(&saddr, 0, sizeof(struct sockaddr_in6));
982 memcpy(&saddr.sin6_addr, addr, sizeof(*addr));
983 saddr.sin6_family = AF_INET6;
984
985 err = getnameinfo((const void *)&saddr, sizeof(struct sockaddr_in6),
986 hostname, sizeof(hostname) - 1, NULL, 0, 0);
987 if (err != 0) {
988 #ifdef DEBUG
989 fprintf(stderr,"IP2Name: %s\n",gai_strerror(err));
990 #endif
991 return NULL;
992 }
993
994 #ifdef DEBUG
995 fprintf (stderr, "\naddr2host: %s\n", hostname);
996 #endif
997 return hostname;
998 }
999
1000 const char *ip6addr_to_anyname(const struct in6_addr *addr)
1001 {
1002 const char *name;
1003
1004 if ((name = ip6addr_to_host(addr)) != NULL)
1005 return name;
1006
1007 return ip6addr_to_numeric(addr);
1008 }
1009
1010 static int ip6addr_prefix_length(const struct in6_addr *k)
1011 {
1012 unsigned int bits = 0;
1013 uint32_t a, b, c, d;
1014
1015 a = ntohl(k->s6_addr32[0]);
1016 b = ntohl(k->s6_addr32[1]);
1017 c = ntohl(k->s6_addr32[2]);
1018 d = ntohl(k->s6_addr32[3]);
1019 while (a & 0x80000000U) {
1020 ++bits;
1021 a <<= 1;
1022 a |= (b >> 31) & 1;
1023 b <<= 1;
1024 b |= (c >> 31) & 1;
1025 c <<= 1;
1026 c |= (d >> 31) & 1;
1027 d <<= 1;
1028 }
1029 if (a != 0 || b != 0 || c != 0 || d != 0)
1030 return -1;
1031 return bits;
1032 }
1033
1034 const char *ip6mask_to_numeric(const struct in6_addr *addrp)
1035 {
1036 static char buf[50+2];
1037 int l = ip6addr_prefix_length(addrp);
1038
1039 if (l == -1) {
1040 strcpy(buf, "/");
1041 strcat(buf, ip6addr_to_numeric(addrp));
1042 return buf;
1043 }
1044 sprintf(buf, "/%d", l);
1045 return buf;
1046 }
1047
1048 struct in6_addr *numeric_to_ip6addr(const char *num)
1049 {
1050 static struct in6_addr ap;
1051 int err;
1052
1053 if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
1054 return &ap;
1055 #ifdef DEBUG
1056 fprintf(stderr, "\nnumeric2addr: %d\n", err);
1057 #endif
1058 return NULL;
1059 }
1060
1061 static struct in6_addr *
1062 host_to_ip6addr(const char *name, unsigned int *naddr)
1063 {
1064 static struct in6_addr *addr;
1065 struct addrinfo hints;
1066 struct addrinfo *res;
1067 int err;
1068
1069 memset(&hints, 0, sizeof(hints));
1070 hints.ai_flags = AI_CANONNAME;
1071 hints.ai_family = AF_INET6;
1072 hints.ai_socktype = SOCK_RAW;
1073 hints.ai_protocol = IPPROTO_IPV6;
1074 hints.ai_next = NULL;
1075
1076 *naddr = 0;
1077 if ((err = getaddrinfo(name, NULL, &hints, &res)) != 0) {
1078 #ifdef DEBUG
1079 fprintf(stderr,"Name2IP: %s\n",gai_strerror(err));
1080 #endif
1081 return NULL;
1082 } else {
1083 if (res->ai_family != AF_INET6 ||
1084 res->ai_addrlen != sizeof(struct sockaddr_in6))
1085 return NULL;
1086
1087 #ifdef DEBUG
1088 fprintf(stderr, "resolved: len=%d %s ", res->ai_addrlen,
1089 ip6addr_to_numeric(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr));
1090 #endif
1091 /* Get the first element of the address-chain */
1092 addr = fw_malloc(sizeof(struct in6_addr));
1093 memcpy(addr, &((const struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
1094 sizeof(struct in6_addr));
1095 freeaddrinfo(res);
1096 *naddr = 1;
1097 return addr;
1098 }
1099
1100 return NULL;
1101 }
1102
1103 static struct in6_addr *network_to_ip6addr(const char *name)
1104 {
1105 /* abort();*/
1106 /* TODO: not implemented yet, but the exception breaks the
1107 * name resolvation */
1108 return NULL;
1109 }
1110
1111 static struct in6_addr *
1112 ip6parse_hostnetwork(const char *name, unsigned int *naddrs)
1113 {
1114 struct in6_addr *addrp, *addrptmp;
1115
1116 if ((addrptmp = numeric_to_ip6addr(name)) != NULL ||
1117 (addrptmp = network_to_ip6addr(name)) != NULL) {
1118 addrp = fw_malloc(sizeof(struct in6_addr));
1119 memcpy(addrp, addrptmp, sizeof(*addrp));
1120 *naddrs = 1;
1121 return addrp;
1122 }
1123 if ((addrp = host_to_ip6addr(name, naddrs)) != NULL)
1124 return addrp;
1125
1126 exit_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
1127 }
1128
1129 static struct in6_addr *parse_ip6mask(char *mask)
1130 {
1131 static struct in6_addr maskaddr;
1132 struct in6_addr *addrp;
1133 unsigned int bits;
1134
1135 if (mask == NULL) {
1136 /* no mask at all defaults to 128 bits */
1137 memset(&maskaddr, 0xff, sizeof maskaddr);
1138 return &maskaddr;
1139 }
1140 if ((addrp = numeric_to_ip6addr(mask)) != NULL)
1141 return addrp;
1142 if (string_to_number(mask, 0, 128, &bits) == -1)
1143 exit_error(PARAMETER_PROBLEM,
1144 "invalid mask `%s' specified", mask);
1145 if (bits != 0) {
1146 char *p = (void *)&maskaddr;
1147 memset(p, 0xff, bits / 8);
1148 memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
1149 p[bits/8] = 0xff << (8 - (bits & 7));
1150 return &maskaddr;
1151 }
1152
1153 memset(&maskaddr, 0, sizeof(maskaddr));
1154 return &maskaddr;
1155 }
1156
1157 void ip6parse_hostnetworkmask(const char *name, struct in6_addr **addrpp,
1158 struct in6_addr *maskp, unsigned int *naddrs)
1159 {
1160 struct in6_addr *addrp;
1161 unsigned int i, j, k, n;
1162 char buf[256], *p;
1163
1164 strncpy(buf, name, sizeof(buf) - 1);
1165 buf[sizeof(buf)-1] = '\0';
1166 if ((p = strrchr(buf, '/')) != NULL) {
1167 *p = '\0';
1168 addrp = parse_ip6mask(p + 1);
1169 } else {
1170 addrp = parse_ip6mask(NULL);
1171 }
1172 memcpy(maskp, addrp, sizeof(*maskp));
1173
1174 /* if a null mask is given, the name is ignored, like in "any/0" */
1175 if (memcmp(maskp, &in6addr_any, sizeof(in6addr_any)) == 0)
1176 strcpy(buf, "::");
1177
1178 addrp = *addrpp = ip6parse_hostnetwork(buf, naddrs);
1179 n = *naddrs;
1180 for (i = 0, j = 0; i < n; ++i) {
1181 for (k = 0; k < 4; ++k)
1182 addrp[j].s6_addr32[k] &= maskp->s6_addr32[k];
1183 ++j;
1184 for (k = 0; k < j - 1; ++k)
1185 if (IN6_ARE_ADDR_EQUAL(&addrp[k], &addrp[j - 1])) {
1186 --*naddrs;
1187 --j;
1188 break;
1189 }
1190 }
1191 }
1192
1193 void save_string(const char *value)
1194 {
1195 static const char no_quote_chars[] = "_-0123456789"
1196 "abcdefghijklmnopqrstuvwxyz"
1197 "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
1198 static const char escape_chars[] = "\"\\'";
1199 size_t length;
1200 const char *p;
1201
1202 length = strcspn(value, no_quote_chars);
1203 if (length > 0 && value[length] == 0) {
1204 /* no quoting required */
1205 fputs(value, stdout);
1206 putchar(' ');
1207 } else {
1208 /* there is at least one dangerous character in the
1209 value, which we have to quote. Write double quotes
1210 around the value and escape special characters with
1211 a backslash */
1212 putchar('"');
1213
1214 for (p = strpbrk(value, escape_chars); p != NULL;
1215 p = strpbrk(value, escape_chars)) {
1216 if (p > value)
1217 fwrite(value, 1, p - value, stdout);
1218 putchar('\\');
1219 putchar(*p);
1220 value = p + 1;
1221 }
1222
1223 /* print the rest and finish the double quoted
1224 string */
1225 fputs(value, stdout);
1226 printf("\" ");
1227 }
1228 }
Various project for iptables