1 /* Code to restore the iptables state from a file written by ip6tables-save.
2 * Author: Andras Kis-Szabo <kisza@sch.bme.hu>
4 * based on iptables-restore
6 * Harald Welte <laforge@gnumonks.org>
7 * Rusty Russell <rusty@linuxcare.com.au>
8 * This code is distributed under the terms of GNU GPL v2
14 #include <sys/errno.h>
19 #include "ip6tables.h"
21 #include "libiptc/libip6tc.h"
22 #include "ip6tables-multi.h"
/*
 * DEBUGP: trace output to stderr in debug builds, an empty expansion
 * otherwise. The #ifdef/#else/#endif selecting between the two
 * definitions lies outside this excerpt.
 */
25 #define DEBUGP(x, args...) fprintf(stderr, x, ## args)
27 #define DEBUGP(x, args...)
/* Command-line switches consumed by the getopt_long() loop in main();
 * all default to off. The assignments are outside this excerpt. */
30 static int binary = 0, counters = 0, verbose = 0, noflush = 0;
32 /* Long-option table for the getopt_long() call in main(); the short
 * option string used there ("bcvthnM:") mirrors the .val fields below.
 * Only --modprobe takes an argument (it sets xtables_modprobe_program).
 * The zero-filled terminating entry getopt_long() requires is not visible
 * in this excerpt. */
33 static const struct option options[] = {
34 {.name = "binary", .has_arg = false, .val = 'b'},
35 {.name = "counters", .has_arg = false, .val = 'c'},
36 {.name = "verbose", .has_arg = false, .val = 'v'},
37 {.name = "test", .has_arg = false, .val = 't'},
38 {.name = "help", .has_arg = false, .val = 'h'},
39 {.name = "noflush", .has_arg = false, .val = 'n'},
40 {.name = "modprobe", .has_arg = true, .val = 'M'},
/*
 * print_usage: write the usage text to stderr and do not return. The
 * function is declared noreturn; the exit call itself and the middle of
 * the format string are outside this excerpt.
 * @name:    program name substituted into the "Usage:" line.
 * @version: not referenced by the visible lines.
 */
44 static void print_usage(const char *name, const char *version) __attribute__((noreturn));
46 static void print_usage(const char *name, const char *version)
48 fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n"
55 " [ --modprobe=<command>]\n", name);
/*
 * create_handle: open the named table with ip6tc_init(). If the first
 * attempt fails, ask xtables_load_ko() to load the kernel module using
 * xtables_modprobe_program (settable with --modprobe in main()) and retry
 * once. If that also fails, xtables_error(PARAMETER_PROBLEM, ...) reports
 * "unable to initialize table". The conditionals around the retry and
 * the error, and the return of the handle, are outside this excerpt.
 * @tablename: table name taken from the "*name" line of the input. The
 *             caller emits a "table name invalid" error for rejected
 *             names before reaching here; the test itself is not visible.
 */
60 static struct ip6tc_handle *create_handle(const char *tablename)
62 struct ip6tc_handle *handle;
64 handle = ip6tc_init(tablename);
67 /* try to insmod the module if iptc_init failed */
68 xtables_load_ko(xtables_modprobe_program, false);
69 handle = ip6tc_init(tablename);
73 xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize "
74 "table '%s'\n", ip6tables_globals.program_name,
/*
 * parse_counters: parse a "[pcnt:bcnt]" counter prefix, as written by
 * ip6tables-save, with sscanf(). The visible sscanf() result is kept in
 * ret; the return convention and the copy of pcnt/bcnt into *ctr are
 * outside this excerpt.
 *
 * NOTE(review): the casts on the &pcnt/&bcnt arguments are redundant,
 * both variables already are unsigned long long. Also, %llu applied to
 * a value outside the type's range is undefined behaviour (C11 7.21.6.2),
 * so hand-edited input with an oversized counter is not rejected cleanly;
 * strtoull() with an ERANGE check would report it instead.
 */
81 static int parse_counters(char *string, struct ip6t_counters *ctr)
83 unsigned long long pcnt, bcnt;
86 ret = sscanf(string, "[%llu:%llu]",
87 (unsigned long long *)&pcnt,
88 (unsigned long long *)&bcnt);
94 /* global new argv and argc: the argument vector rebuilt for each rule
 * line and handed to do_command6() from main(). add_argv() appends to it,
 * bounded by the array size, and free_argv() walks its entries. The
 * companion counter newargc is declared nearby but outside this excerpt. */
95 static char *newargv[255];
98 /* function adding one argument to newargv, updating newargc
99 * returns true if argument added, false otherwise.
 *
 * The bound below keeps at least one slot of newargv unused; presumably
 * that slot is reserved for a terminating NULL -- confirm against the
 * do_command6() call in main(). `what` is copied with strdup(), so the
 * caller may reuse its buffer afterwards; whether the strdup() result is
 * checked for NULL is outside this excerpt. */
100 static int add_argv(char *what) {
101 DEBUGP("add_argv: %s\n", what);
/* sizeof(newargv)/sizeof(char *) is the slot count of the static array
 * (not of a decayed pointer), so this bounds check is sound. */
102 if (what && ((newargc + 1) < sizeof(newargv)/sizeof(char *))) {
103 newargv[newargc] = strdup(what);
/*
 * free_argv: walk newargv[0..newargc), the entries add_argv() stored
 * via strdup(). The loop body is outside this excerpt; newargc itself is
 * not reset here (main() comments "reset the newargv" before each rule).
 */
110 static void free_argv(void) {
113 for (i = 0; i < newargc; i++)
117 #ifdef IPTABLES_MULTI
118 int ip6tables_restore_main(int argc, char *argv[])
120 int main(int argc, char *argv[])
123 struct ip6tc_handle *handle = NULL;
126 char curtable[IP6T_TABLE_MAXNAMELEN + 1];
128 int in_table = 0, testing = 0;
132 ip6tables_globals.program_name = "ip6tables-restore";
133 c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
135 fprintf(stderr, "%s/%s Failed to initialize xtables\n",
136 ip6tables_globals.program_name,
137 ip6tables_globals.program_version);
140 #ifdef NO_SHARED_LIBS
144 while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) {
159 print_usage("ip6tables-restore",
166 xtables_modprobe_program = optarg;
171 if (optind == argc - 1) {
172 in = fopen(argv[optind], "r");
174 fprintf(stderr, "Can't open %s: %s\n", argv[optind],
179 else if (optind < argc) {
180 fprintf(stderr, "Unknown arguments found on commandline\n");
185 /* Grab standard input. */
186 while (fgets(buffer, sizeof(buffer), in)) {
190 if (buffer[0] == '\n')
192 else if (buffer[0] == '#') {
194 fputs(buffer, stdout);
196 } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
198 DEBUGP("Calling commit\n");
199 ret = ip6tc_commit(handle);
203 DEBUGP("Not calling commit, testing\n");
207 } else if ((buffer[0] == '*') && (!in_table)) {
211 table = strtok(buffer+1, " \t\n");
212 DEBUGP("line %u, table '%s'\n", line, table);
214 xtables_error(PARAMETER_PROBLEM,
215 "%s: line %u table name invalid\n",
216 ip6tables_globals.program_name,
220 strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN);
221 curtable[IP6T_TABLE_MAXNAMELEN] = '\0';
226 handle = create_handle(table);
228 DEBUGP("Cleaning all chains of table '%s'\n",
230 for_each_chain(flush_entries, verbose, 1,
233 DEBUGP("Deleting all user-defined chains "
234 "of table '%s'\n", table);
235 for_each_chain(delete_chain, verbose, 0,
242 } else if ((buffer[0] == ':') && (in_table)) {
244 char *policy, *chain;
246 chain = strtok(buffer+1, " \t\n");
247 DEBUGP("line %u, chain '%s'\n", line, chain);
249 xtables_error(PARAMETER_PROBLEM,
250 "%s: line %u chain name invalid\n",
251 ip6tables_globals.program_name,
256 if (ip6tc_builtin(chain, handle) <= 0) {
257 if (noflush && ip6tc_is_chain(chain, handle)) {
258 DEBUGP("Flushing existing user defined chain '%s'\n", chain);
259 if (!ip6tc_flush_entries(chain, handle))
260 xtables_error(PARAMETER_PROBLEM,
261 "error flushing chain "
265 DEBUGP("Creating new chain '%s'\n", chain);
266 if (!ip6tc_create_chain(chain, handle))
267 xtables_error(PARAMETER_PROBLEM,
268 "error creating chain "
274 policy = strtok(NULL, " \t\n");
275 DEBUGP("line %u, policy '%s'\n", line, policy);
277 xtables_error(PARAMETER_PROBLEM,
278 "%s: line %u policy invalid\n",
279 ip6tables_globals.program_name,
284 if (strcmp(policy, "-") != 0) {
285 struct ip6t_counters count;
289 ctrs = strtok(NULL, " \t\n");
291 if (!ctrs || !parse_counters(ctrs, &count))
292 xtables_error(PARAMETER_PROBLEM,
293 "invalid policy counters "
294 "for chain '%s'\n", chain);
298 sizeof(struct ip6t_counters));
301 DEBUGP("Setting policy of chain %s to %s\n",
304 if (!ip6tc_set_policy(chain, policy, &count,
306 xtables_error(OTHER_PROBLEM,
307 "Can't set policy `%s'"
308 " on `%s' line %u: %s\n",
310 ip6tc_strerror(errno));
315 } else if (in_table) {
324 int quote_open, escaped;
327 /* reset the newargv */
330 if (buffer[0] == '[') {
331 /* we have counters in our input */
332 ptr = strchr(buffer, ']');
334 xtables_error(PARAMETER_PROBLEM,
335 "Bad line %u: need ]\n",
338 pcnt = strtok(buffer+1, ":");
340 xtables_error(PARAMETER_PROBLEM,
341 "Bad line %u: need :\n",
344 bcnt = strtok(NULL, "]");
346 xtables_error(PARAMETER_PROBLEM,
347 "Bad line %u: need ]\n",
350 /* start command parsing after counter */
351 parsestart = ptr + 1;
353 /* start command parsing at start of line */
359 add_argv((char *) &curtable);
361 if (counters && pcnt && bcnt) {
362 add_argv("--set-counters");
363 add_argv((char *) pcnt);
364 add_argv((char *) bcnt);
367 /* After fighting with strtok enough, here's now
368 * a 'real' parser. According to Rusty I'm now no
369 * longer a real hacker, but I can live with that */
375 for (curchar = parsestart; *curchar; curchar++) {
376 char param_buffer[1024];
380 param_buffer[param_len++] = *curchar;
383 } else if (*curchar == '\\') {
386 } else if (*curchar == '"') {
390 param_buffer[param_len++] = *curchar;
394 if (*curchar == '"') {
402 || * curchar == '\n') {
408 param_buffer[param_len] = '\0';
410 /* check if table name specified */
411 if (!strncmp(param_buffer, "-t", 2)
412 || !strncmp(param_buffer, "--table", 8)) {
413 xtables_error(PARAMETER_PROBLEM,
414 "Line %u seems to have a "
415 "-t table option.\n", line);
419 add_argv(param_buffer);
422 /* regular character, copy to buffer */
423 param_buffer[param_len++] = *curchar;
425 if (param_len >= sizeof(param_buffer))
426 xtables_error(PARAMETER_PROBLEM,
427 "Parameter too long!");
431 DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
434 for (a = 0; a < newargc; a++)
435 DEBUGP("argv[%u]: %s\n", a, newargv[a]);
437 ret = do_command6(newargc, newargv,
438 &newargv[2], &handle);
444 fprintf(stderr, "%s: line %u failed\n",
445 ip6tables_globals.program_name,
451 fprintf(stderr, "%s: COMMIT expected at line %u\n",
452 ip6tables_globals.program_name,