Google Git
Sign in
android / platform / external / iptables / 3b8a6a6f / . / iptables / iptables.c
blob: edde604cf2367cd8a66d362b59f2707cd9376f88 [file] [log] [blame]
/* Code to take an iptables-style command line and do it. */
/*
* Author: Paul.Russell@rustcorp.com.au and mneuling@radlogic.com.au
*
* (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>:
* Paul 'Rusty' Russell <rusty@rustcorp.com.au>
* Marc Boucher <marc+nf@mbsi.ca>
* James Morris <jmorris@intercode.com.au>
* Harald Welte <laforge@gnumonks.org>
* Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "config.h"
#include <getopt.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <stdarg.h>
#include <limits.h>
#include <unistd.h>
#include <iptables.h>
#include <xtables.h>
#include <fcntl.h>
#include "xshared.h"
static const char unsupported_rev[] = " [unsupported revision]";
static struct option original_opts[] = {
{.name = "append", .has_arg = 1, .val = 'A'},
{.name = "delete", .has_arg = 1, .val = 'D'},
{.name = "check", .has_arg = 1, .val = 'C'},
{.name = "insert", .has_arg = 1, .val = 'I'},
{.name = "replace", .has_arg = 1, .val = 'R'},
{.name = "list", .has_arg = 2, .val = 'L'},
{.name = "list-rules", .has_arg = 2, .val = 'S'},
{.name = "flush", .has_arg = 2, .val = 'F'},
{.name = "zero", .has_arg = 2, .val = 'Z'},
{.name = "new-chain", .has_arg = 1, .val = 'N'},
{.name = "delete-chain", .has_arg = 2, .val = 'X'},
{.name = "rename-chain", .has_arg = 1, .val = 'E'},
{.name = "policy", .has_arg = 1, .val = 'P'},
{.name = "source", .has_arg = 1, .val = 's'},
{.name = "destination", .has_arg = 1, .val = 'd'},
{.name = "src", .has_arg = 1, .val = 's'}, /* synonym */
{.name = "dst", .has_arg = 1, .val = 'd'}, /* synonym */
{.name = "protocol", .has_arg = 1, .val = 'p'},
{.name = "in-interface", .has_arg = 1, .val = 'i'},
{.name = "jump", .has_arg = 1, .val = 'j'},
{.name = "table", .has_arg = 1, .val = 't'},
{.name = "match", .has_arg = 1, .val = 'm'},
{.name = "numeric", .has_arg = 0, .val = 'n'},
{.name = "out-interface", .has_arg = 1, .val = 'o'},
{.name = "verbose", .has_arg = 0, .val = 'v'},
{.name = "wait", .has_arg = 2, .val = 'w'},
{.name = "wait-interval", .has_arg = 2, .val = 'W'},
{.name = "exact", .has_arg = 0, .val = 'x'},
{.name = "fragments", .has_arg = 0, .val = 'f'},
{.name = "version", .has_arg = 0, .val = 'V'},
{.name = "help", .has_arg = 2, .val = 'h'},
{.name = "line-numbers", .has_arg = 0, .val = '0'},
{.name = "modprobe", .has_arg = 1, .val = 'M'},
{.name = "set-counters", .has_arg = 1, .val = 'c'},
{.name = "goto", .has_arg = 1, .val = 'g'},
{.name = "ipv4", .has_arg = 0, .val = '4'},
{.name = "ipv6", .has_arg = 0, .val = '6'},
{NULL},
};
struct xtables_globals iptables_globals = {
.option_offset = 0,
.program_version = PACKAGE_VERSION " (legacy)",
.optstring = OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x",
.orig_opts = original_opts,
.compat_rev = xtables_compatible_revision,
};
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
* Most routines return pointers to static data that may change
* between calls to the same or other routines with a few exceptions:
* "host_to_addr", "parse_hostnetwork", and "parse_hostnetworkmask"
* return global static data.
*/
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
static int
print_match(const struct xt_entry_match *m,
const struct ipt_ip *ip,
int numeric)
{
const char *name = m->u.user.name;
const int revision = m->u.user.revision;
struct xtables_match *match, *mt;
match = xtables_find_match(name, XTF_TRY_LOAD, NULL);
if (match) {
mt = xtables_find_match_revision(name, XTF_TRY_LOAD,
match, revision);
if (mt && mt->print)
mt->print(ip, m, numeric);
else if (match->print)
printf("%s%s ", match->name, unsupported_rev);
else
printf("%s ", match->name);
} else {
if (name[0])
printf("UNKNOWN match `%s' ", name);
}
/* Don't stop iterating. */
return 0;
}
/* e is called `fw' here for historical reasons */
static void
print_firewall(const struct ipt_entry *fw,
const char *targname,
unsigned int num,
unsigned int format,
struct xtc_handle *const handle)
{
struct xtables_target *target, *tg;
const struct xt_entry_target *t;
if (!iptc_is_chain(targname, handle))
target = xtables_find_target(targname, XTF_TRY_LOAD);
else
target = xtables_find_target(XT_STANDARD_TARGET,
XTF_LOAD_MUST_SUCCEED);
t = ipt_get_target((struct ipt_entry *)fw);
print_rule_details(num, &fw->counters, targname, fw->ip.proto,
fw->ip.flags, fw->ip.invflags, format);
print_fragment(fw->ip.flags, fw->ip.invflags, format, false);
print_ifaces(fw->ip.iniface, fw->ip.outiface, fw->ip.invflags, format);
print_ipv4_addresses(fw, format);
if (format & FMT_NOTABLE)
fputs(" ", stdout);
#ifdef IPT_F_GOTO
if(fw->ip.flags & IPT_F_GOTO)
printf("[goto] ");
#endif
IPT_MATCH_ITERATE(fw, print_match, &fw->ip, format & FMT_NUMERIC);
if (target) {
const int revision = t->u.user.revision;
tg = xtables_find_target_revision(targname, XTF_TRY_LOAD,
target, revision);
if (tg && tg->print)
/* Print the target information. */
tg->print(&fw->ip, t, format & FMT_NUMERIC);
else if (target->print)
printf(" %s%s", target->name, unsupported_rev);
} else if (t->u.target_size != sizeof(*t))
printf("[%u bytes of unknown target data] ",
(unsigned int)(t->u.target_size - sizeof(*t)));
if (!(format & FMT_NONEWLINE))
fputc('\n', stdout);
}
static void
print_firewall_line(const struct ipt_entry *fw,
struct xtc_handle *const h)
{
struct xt_entry_target *t;
t = ipt_get_target((struct ipt_entry *)fw);
print_firewall(fw, t->u.user.name, 0, FMT_PRINT_RULE, h);
}
static int
append_entry(const xt_chainlabel chain,
struct ipt_entry *fw,
unsigned int nsaddrs,
const struct in_addr saddrs[],
const struct in_addr smasks[],
unsigned int ndaddrs,
const struct in_addr daddrs[],
const struct in_addr dmasks[],
int verbose,
struct xtc_handle *handle)
{
unsigned int i, j;
int ret = 1;
for (i = 0; i < nsaddrs; i++) {
fw->ip.src.s_addr = saddrs[i].s_addr;
fw->ip.smsk.s_addr = smasks[i].s_addr;
for (j = 0; j < ndaddrs; j++) {
fw->ip.dst.s_addr = daddrs[j].s_addr;
fw->ip.dmsk.s_addr = dmasks[j].s_addr;
if (verbose)
print_firewall_line(fw, handle);
ret &= iptc_append_entry(chain, fw, handle);
}
}
return ret;
}
static int
replace_entry(const xt_chainlabel chain,
struct ipt_entry *fw,
unsigned int rulenum,
const struct in_addr *saddr, const struct in_addr *smask,
const struct in_addr *daddr, const struct in_addr *dmask,
int verbose,
struct xtc_handle *handle)
{
fw->ip.src.s_addr = saddr->s_addr;
fw->ip.dst.s_addr = daddr->s_addr;
fw->ip.smsk.s_addr = smask->s_addr;
fw->ip.dmsk.s_addr = dmask->s_addr;
if (verbose)
print_firewall_line(fw, handle);
return iptc_replace_entry(chain, fw, rulenum, handle);
}
static int
insert_entry(const xt_chainlabel chain,
struct ipt_entry *fw,
unsigned int rulenum,
unsigned int nsaddrs,
const struct in_addr saddrs[],
const struct in_addr smasks[],
unsigned int ndaddrs,
const struct in_addr daddrs[],
const struct in_addr dmasks[],
int verbose,
struct xtc_handle *handle)
{
unsigned int i, j;
int ret = 1;
for (i = 0; i < nsaddrs; i++) {
fw->ip.src.s_addr = saddrs[i].s_addr;
fw->ip.smsk.s_addr = smasks[i].s_addr;
for (j = 0; j < ndaddrs; j++) {
fw->ip.dst.s_addr = daddrs[j].s_addr;
fw->ip.dmsk.s_addr = dmasks[j].s_addr;
if (verbose)
print_firewall_line(fw, handle);
ret &= iptc_insert_entry(chain, fw, rulenum, handle);
}
}
return ret;
}
static unsigned char *
make_delete_mask(const struct xtables_rule_match *matches,
const struct xtables_target *target)
{
/* Establish mask for comparison */
unsigned int size;
const struct xtables_rule_match *matchp;
unsigned char *mask, *mptr;
size = sizeof(struct ipt_entry);
for (matchp = matches; matchp; matchp = matchp->next)
size += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size;
mask = xtables_calloc(1, size
+ XT_ALIGN(sizeof(struct xt_entry_target))
+ target->size);
memset(mask, 0xFF, sizeof(struct ipt_entry));
mptr = mask + sizeof(struct ipt_entry);
for (matchp = matches; matchp; matchp = matchp->next) {
memset(mptr, 0xFF,
XT_ALIGN(sizeof(struct xt_entry_match))
+ matchp->match->userspacesize);
mptr += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size;
}
memset(mptr, 0xFF,
XT_ALIGN(sizeof(struct xt_entry_target))
+ target->userspacesize);
return mask;
}
static int
delete_entry(const xt_chainlabel chain,
struct ipt_entry *fw,
unsigned int nsaddrs,
const struct in_addr saddrs[],
const struct in_addr smasks[],
unsigned int ndaddrs,
const struct in_addr daddrs[],
const struct in_addr dmasks[],
int verbose,
struct xtc_handle *handle,
struct xtables_rule_match *matches,
const struct xtables_target *target)
{
unsigned int i, j;
int ret = 1;
unsigned char *mask;
mask = make_delete_mask(matches, target);
for (i = 0; i < nsaddrs; i++) {
fw->ip.src.s_addr = saddrs[i].s_addr;
fw->ip.smsk.s_addr = smasks[i].s_addr;
for (j = 0; j < ndaddrs; j++) {
fw->ip.dst.s_addr = daddrs[j].s_addr;
fw->ip.dmsk.s_addr = dmasks[j].s_addr;
if (verbose)
print_firewall_line(fw, handle);
ret &= iptc_delete_entry(chain, fw, mask, handle);
}
}
free(mask);
return ret;
}
static int
check_entry(const xt_chainlabel chain, struct ipt_entry *fw,
unsigned int nsaddrs, const struct in_addr *saddrs,
const struct in_addr *smasks, unsigned int ndaddrs,
const struct in_addr *daddrs, const struct in_addr *dmasks,
bool verbose, struct xtc_handle *handle,
struct xtables_rule_match *matches,
const struct xtables_target *target)
{
unsigned int i, j;
int ret = 1;
unsigned char *mask;
mask = make_delete_mask(matches, target);
for (i = 0; i < nsaddrs; i++) {
fw->ip.src.s_addr = saddrs[i].s_addr;
fw->ip.smsk.s_addr = smasks[i].s_addr;
for (j = 0; j < ndaddrs; j++) {
fw->ip.dst.s_addr = daddrs[j].s_addr;
fw->ip.dmsk.s_addr = dmasks[j].s_addr;
if (verbose)
print_firewall_line(fw, handle);
ret &= iptc_check_entry(chain, fw, mask, handle);
}
}
free(mask);
return ret;
}
int
for_each_chain4(int (*fn)(const xt_chainlabel, int, struct xtc_handle *),
int verbose, int builtinstoo, struct xtc_handle *handle)
{
int ret = 1;
const char *chain;
char *chains;
unsigned int i, chaincount = 0;
chain = iptc_first_chain(handle);
while (chain) {
chaincount++;
chain = iptc_next_chain(handle);
}
chains = xtables_malloc(sizeof(xt_chainlabel) * chaincount);
i = 0;
chain = iptc_first_chain(handle);
while (chain) {
strcpy(chains + i*sizeof(xt_chainlabel), chain);
i++;
chain = iptc_next_chain(handle);
}
for (i = 0; i < chaincount; i++) {
if (!builtinstoo
&& iptc_builtin(chains + i*sizeof(xt_chainlabel),
handle) == 1)
continue;
ret &= fn(chains + i*sizeof(xt_chainlabel), verbose, handle);
}
free(chains);
return ret;
}
int
flush_entries4(const xt_chainlabel chain, int verbose,
struct xtc_handle *handle)
{
if (!chain)
return for_each_chain4(flush_entries4, verbose, 1, handle);
if (verbose)
fprintf(stdout, "Flushing chain `%s'\n", chain);
return iptc_flush_entries(chain, handle);
}
static int
zero_entries(const xt_chainlabel chain, int verbose,
struct xtc_handle *handle)
{
if (!chain)
return for_each_chain4(zero_entries, verbose, 1, handle);
if (verbose)
fprintf(stdout, "Zeroing chain `%s'\n", chain);
return iptc_zero_entries(chain, handle);
}
int
delete_chain4(const xt_chainlabel chain, int verbose,
struct xtc_handle *handle)
{
if (!chain)
return for_each_chain4(delete_chain4, verbose, 0, handle);
if (verbose)
fprintf(stdout, "Deleting chain `%s'\n", chain);
return iptc_delete_chain(chain, handle);
}
static int
list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
int expanded, int linenumbers, struct xtc_handle *handle)
{
int found = 0;
unsigned int format;
const char *this;
format = FMT_OPTIONS;
if (!verbose)
format |= FMT_NOCOUNTS;
else
format |= FMT_VIA;
if (numeric)
format |= FMT_NUMERIC;
if (!expanded)
format |= FMT_KILOMEGAGIGA;
if (linenumbers)
format |= FMT_LINENUMBERS;
for (this = iptc_first_chain(handle);
this;
this = iptc_next_chain(handle)) {
const struct ipt_entry *i;
unsigned int num;
if (chain && strcmp(chain, this) != 0)
continue;
if (found) printf("\n");
if (!rulenum) {
struct xt_counters counters;
unsigned int urefs;
const char *pol;
int refs = -1;
pol = iptc_get_policy(this, &counters, handle);
if (!pol && iptc_get_references(&urefs, this, handle))
refs = urefs;
print_header(format, this, pol, &counters, refs, 0);
}
i = iptc_first_rule(this, handle);
num = 0;
while (i) {
num++;
if (!rulenum || num == rulenum)
print_firewall(i,
iptc_get_target(i, handle),
num,
format,
handle);
i = iptc_next_rule(i, handle);
}
found = 1;
}
errno = ENOENT;
return found;
}
#define IP_PARTS_NATIVE(n) \
(unsigned int)((n)>>24)&0xFF, \
(unsigned int)((n)>>16)&0xFF, \
(unsigned int)((n)>>8)&0xFF, \
(unsigned int)((n)&0xFF)
#define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
/* We want this to be readable, so only print out necessary fields.
* Because that's the kind of world I want to live in.
*/
void print_rule4(const struct ipt_entry *e,
struct xtc_handle *h, const char *chain, int counters)
{
const struct xt_entry_target *t;
const char *target_name;
/* print counters for iptables-save */
if (counters > 0)
printf("[%llu:%llu] ", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
/* print chain name */
printf("-A %s", chain);
/* Print IP part. */
save_ipv4_addr('s', &e->ip.src, &e->ip.smsk,
e->ip.invflags & IPT_INV_SRCIP);
save_ipv4_addr('d', &e->ip.dst, &e->ip.dmsk,
e->ip.invflags & IPT_INV_DSTIP);
save_rule_details(e->ip.iniface, e->ip.iniface_mask,
e->ip.outiface, e->ip.outiface_mask,
e->ip.proto, e->ip.flags & IPT_F_FRAG,
e->ip.invflags);
/* Print matchinfo part */
if (e->target_offset)
IPT_MATCH_ITERATE(e, print_match_save, &e->ip);
/* print counters for iptables -R */
if (counters < 0)
printf(" -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
/* Print target name and targinfo part */
target_name = iptc_get_target(e, h);
t = ipt_get_target((struct ipt_entry *)e);
if (t->u.user.name[0]) {
const char *name = t->u.user.name;
const int revision = t->u.user.revision;
struct xtables_target *target, *tg, *tg2;
target = xtables_find_target(name, XTF_TRY_LOAD);
if (!target) {
fprintf(stderr, "Can't find library for target `%s'\n",
name);
exit(1);
}
tg = tg2 = xtables_find_target_revision(name, XTF_TRY_LOAD,
target, revision);
if (!tg2)
tg2 = target;
printf(" -j %s", tg2->alias ? tg2->alias(t) : target_name);
if (tg && tg->save)
tg->save(&e->ip, t);
else if (target->save)
printf(unsupported_rev);
else {
/* If the target size is greater than xt_entry_target
* there is something to be saved, we just don't know
* how to print it */
if (t->u.target_size !=
sizeof(struct xt_entry_target)) {
fprintf(stderr, "Target `%s' is missing "
"save function\n",
name);
exit(1);
}
}
} else if (target_name && (*target_name != '\0'))
#ifdef IPT_F_GOTO
printf(" -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name);
#else
printf(" -j %s", target_name);
#endif
printf("\n");
}
static int
list_rules(const xt_chainlabel chain, int rulenum, int counters,
struct xtc_handle *handle)
{
const char *this = NULL;
int found = 0;
if (counters)
counters = -1; /* iptables -c format */
/* Dump out chain names first,
* thereby preventing dependency conflicts */
if (!rulenum) for (this = iptc_first_chain(handle);
this;
this = iptc_next_chain(handle)) {
if (chain && strcmp(this, chain) != 0)
continue;
if (iptc_builtin(this, handle)) {
struct xt_counters count;
printf("-P %s %s", this, iptc_get_policy(this, &count, handle));
if (counters)
printf(" -c %llu %llu", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
printf("\n");
} else {
printf("-N %s\n", this);
}
}
for (this = iptc_first_chain(handle);
this;
this = iptc_next_chain(handle)) {
const struct ipt_entry *e;
int num = 0;
if (chain && strcmp(this, chain) != 0)
continue;
/* Dump out rules */
e = iptc_first_rule(this, handle);
while(e) {
num++;
if (!rulenum || num == rulenum)
print_rule4(e, handle, this, counters);
e = iptc_next_rule(e, handle);
}
found = 1;
}
errno = ENOENT;
return found;
}
static struct ipt_entry *
generate_entry(const struct ipt_entry *fw,
struct xtables_rule_match *matches,
struct xt_entry_target *target)
{
unsigned int size;
struct xtables_rule_match *matchp;
struct ipt_entry *e;
size = sizeof(struct ipt_entry);
for (matchp = matches; matchp; matchp = matchp->next)
size += matchp->match->m->u.match_size;
e = xtables_malloc(size + target->u.target_size);
*e = *fw;
e->target_offset = size;
e->next_offset = size + target->u.target_size;
size = 0;
for (matchp = matches; matchp; matchp = matchp->next) {
memcpy(e->elems + size, matchp->match->m, matchp->match->m->u.match_size);
size += matchp->match->m->u.match_size;
}
memcpy(e->elems + size, target, target->u.target_size);
return e;
}
int do_command4(int argc, char *argv[], char **table,
struct xtc_handle **handle, bool restore)
{
struct xt_cmd_parse_ops cmd_parse_ops = {
.proto_parse = ipv4_proto_parse,
.post_parse = ipv4_post_parse,
};
struct xt_cmd_parse p = {
.table = *table,
.restore = restore,
.line = line,
.ops = &cmd_parse_ops,
};
struct iptables_command_state cs = {
.jumpto = "",
.argv = argv,
};
struct xtables_args args = {
.family = AF_INET,
};
struct ipt_entry *e = NULL;
unsigned int nsaddrs = 0, ndaddrs = 0;
struct in_addr *saddrs = NULL, *smasks = NULL;
struct in_addr *daddrs = NULL, *dmasks = NULL;
int verbose = 0;
int wait = 0;
const char *chain = NULL;
const char *policy = NULL, *newname = NULL;
unsigned int rulenum = 0, command = 0;
int ret = 1;
do_parse(argc, argv, &p, &cs, &args);
command = p.command;
chain = p.chain;
*table = p.table;
rulenum = p.rulenum;
policy = p.policy;
newname = p.newname;
verbose = p.verbose;
wait = args.wait;
nsaddrs = args.s.naddrs;
ndaddrs = args.d.naddrs;
saddrs = args.s.addr.v4;
daddrs = args.d.addr.v4;
smasks = args.s.mask.v4;
dmasks = args.d.mask.v4;
/* Attempt to acquire the xtables lock */
if (!restore)
xtables_lock_or_exit(wait);
/* only allocate handle if we weren't called with a handle */
if (!*handle)
*handle = iptc_init(*table);
/* try to insmod the module if iptc_init failed */
if (!*handle && xtables_load_ko(xtables_modprobe_program, false) != -1)
*handle = iptc_init(*table);
if (!*handle)
xtables_error(VERSION_PROBLEM,
"can't initialize iptables table `%s': %s",
*table, iptc_strerror(errno));
if (command == CMD_APPEND
|| command == CMD_DELETE
|| command == CMD_CHECK
|| command == CMD_INSERT
|| command == CMD_REPLACE) {
if (cs.target && iptc_is_chain(cs.jumpto, *handle)) {
fprintf(stderr,
"Warning: using chain %s, not extension\n",
cs.jumpto);
if (cs.target->t)
free(cs.target->t);
cs.target = NULL;
}
/* If they didn't specify a target, or it's a chain
name, use standard. */
if (!cs.target
&& (strlen(cs.jumpto) == 0
|| iptc_is_chain(cs.jumpto, *handle))) {
size_t size;
cs.target = xtables_find_target(XT_STANDARD_TARGET,
XTF_LOAD_MUST_SUCCEED);
size = sizeof(struct xt_entry_target)
+ cs.target->size;
cs.target->t = xtables_calloc(1, size);
cs.target->t->u.target_size = size;
strcpy(cs.target->t->u.user.name, cs.jumpto);
if (!iptc_is_chain(cs.jumpto, *handle))
cs.target->t->u.user.revision = cs.target->revision;
xs_init_target(cs.target);
}
if (!cs.target) {
/* It is no chain, and we can't load a plugin.
* We cannot know if the plugin is corrupt, non
* existent OR if the user just misspelled a
* chain.
*/
#ifdef IPT_F_GOTO
if (cs.fw.ip.flags & IPT_F_GOTO)
xtables_error(PARAMETER_PROBLEM,
"goto '%s' is not a chain\n",
cs.jumpto);
#endif
xtables_find_target(cs.jumpto, XTF_LOAD_MUST_SUCCEED);
} else {
e = generate_entry(&cs.fw, cs.matches, cs.target->t);
free(cs.target->t);
}
}
switch (command) {
case CMD_APPEND:
ret = append_entry(chain, e,
nsaddrs, saddrs, smasks,
ndaddrs, daddrs, dmasks,
cs.options&OPT_VERBOSE,
*handle);
break;
case CMD_DELETE:
ret = delete_entry(chain, e,
nsaddrs, saddrs, smasks,
ndaddrs, daddrs, dmasks,
cs.options&OPT_VERBOSE,
*handle, cs.matches, cs.target);
break;
case CMD_DELETE_NUM:
ret = iptc_delete_num_entry(chain, rulenum - 1, *handle);
break;
case CMD_CHECK:
ret = check_entry(chain, e,
nsaddrs, saddrs, smasks,
ndaddrs, daddrs, dmasks,
cs.options&OPT_VERBOSE,
*handle, cs.matches, cs.target);
break;
case CMD_REPLACE:
ret = replace_entry(chain, e, rulenum - 1,
saddrs, smasks, daddrs, dmasks,
cs.options&OPT_VERBOSE, *handle);
break;
case CMD_INSERT:
ret = insert_entry(chain, e, rulenum - 1,
nsaddrs, saddrs, smasks,
ndaddrs, daddrs, dmasks,
cs.options&OPT_VERBOSE,
*handle);
break;
case CMD_FLUSH:
ret = flush_entries4(chain, cs.options&OPT_VERBOSE, *handle);
break;
case CMD_ZERO:
ret = zero_entries(chain, cs.options&OPT_VERBOSE, *handle);
break;
case CMD_ZERO_NUM:
ret = iptc_zero_counter(chain, rulenum, *handle);
break;
case CMD_LIST:
case CMD_LIST|CMD_ZERO:
case CMD_LIST|CMD_ZERO_NUM:
ret = list_entries(chain,
rulenum,
cs.options&OPT_VERBOSE,
cs.options&OPT_NUMERIC,
cs.options&OPT_EXPANDED,
cs.options&OPT_LINENUMBERS,
*handle);
if (ret && (command & CMD_ZERO))
ret = zero_entries(chain,
cs.options&OPT_VERBOSE, *handle);
if (ret && (command & CMD_ZERO_NUM))
ret = iptc_zero_counter(chain, rulenum, *handle);
break;
case CMD_LIST_RULES:
case CMD_LIST_RULES|CMD_ZERO:
case CMD_LIST_RULES|CMD_ZERO_NUM:
ret = list_rules(chain,
rulenum,
cs.options&OPT_VERBOSE,
*handle);
if (ret && (command & CMD_ZERO))
ret = zero_entries(chain,
cs.options&OPT_VERBOSE, *handle);
if (ret && (command & CMD_ZERO_NUM))
ret = iptc_zero_counter(chain, rulenum, *handle);
break;
case CMD_NEW_CHAIN:
ret = iptc_create_chain(chain, *handle);
break;
case CMD_DELETE_CHAIN:
ret = delete_chain4(chain, cs.options&OPT_VERBOSE, *handle);
break;
case CMD_RENAME_CHAIN:
ret = iptc_rename_chain(chain, newname, *handle);
break;
case CMD_SET_POLICY:
ret = iptc_set_policy(chain, policy, cs.options&OPT_COUNTERS ? &cs.fw.counters : NULL, *handle);
break;
case CMD_NONE:
/* do_parse ignored the line (eg: -4 with ip6tables-restore) */
break;
default:
/* We should never reach this... */
exit_tryhelp(2, line);
}
if (verbose > 1)
dump_entries(*handle);
xtables_rule_matches_free(&cs.matches);
if (e != NULL) {
free(e);
e = NULL;
}
free(saddrs);
free(smasks);
free(daddrs);
free(dmasks);
xtables_free_opts(1);
return ret;
}