1
/* Code to restore the iptables state, from file by iptables-save.
2
* (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
3
* based on previous code from Rusty Russell <rusty@linuxcare.com.au>
5
* This code is distributed under the terms of GNU GPL v2
7
* $Id: iptables-restore.c 6706 2006-12-09 13:06:04Z /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=yasuyuki/emailAddress=yasuyuki@netfilter.org $
11
#include <sys/errno.h>
16
#include "libiptc/libiptc.h"
19
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
21
#define DEBUGP(x, args...)
24
static int binary = 0, counters = 0, verbose = 0, noflush = 0;
26
/* Keeping track of external matches and targets. */
27
static struct option options[] = {
28
{ "binary", 0, 0, 'b' },
29
{ "counters", 0, 0, 'c' },
30
{ "verbose", 0, 0, 'v' },
31
{ "test", 0, 0, 't' },
32
{ "help", 0, 0, 'h' },
33
{ "noflush", 0, 0, 'n'},
34
{ "modprobe", 1, 0, 'M'},
38
static void print_usage(const char *name, const char *version) __attribute__((noreturn));
40
static void print_usage(const char *name, const char *version)
42
fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n"
49
" [ --modprobe=<command>]\n", name);
54
iptc_handle_t create_handle(const char *tablename, const char* modprobe )
58
handle = iptc_init(tablename);
61
/* try to insmod the module if iptc_init failed */
62
iptables_insmod("ip_tables", modprobe);
63
handle = iptc_init(tablename);
67
exit_error(PARAMETER_PROBLEM, "%s: unable to initialize"
68
"table '%s'\n", program_name, tablename);
74
static int parse_counters(char *string, struct ipt_counters *ctr)
76
return (sscanf(string, "[%llu:%llu]", (unsigned long long *)&ctr->pcnt, (unsigned long long *)&ctr->bcnt) == 2);
79
/* global new argv and argc */
80
static char *newargv[255];
83
/* function adding one argument to newargv, updating newargc
84
* returns true if argument added, false otherwise */
85
static int add_argv(char *what) {
86
DEBUGP("add_argv: %s\n", what);
87
if (what && ((newargc + 1) < sizeof(newargv)/sizeof(char *))) {
88
newargv[newargc] = strdup(what);
95
static void free_argv(void) {
98
for (i = 0; i < newargc; i++)
102
#ifdef IPTABLES_MULTI
104
iptables_restore_main(int argc, char *argv[])
107
main(int argc, char *argv[])
110
iptc_handle_t handle = NULL;
113
char curtable[IPT_TABLE_MAXNAMELEN + 1];
115
const char *modprobe = 0;
116
int in_table = 0, testing = 0;
118
program_name = "iptables-restore";
119
program_version = IPTABLES_VERSION;
122
lib_dir = getenv("IPTABLES_LIB_DIR");
124
lib_dir = IPT_LIB_DIR;
126
#ifdef NO_SHARED_LIBS
130
while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) {
145
print_usage("iptables-restore",
157
if (optind == argc - 1) {
158
in = fopen(argv[optind], "r");
160
fprintf(stderr, "Can't open %s: %s", argv[optind],
165
else if (optind < argc) {
166
fprintf(stderr, "Unknown arguments found on commandline");
171
/* Grab standard input. */
172
while (fgets(buffer, sizeof(buffer), in)) {
176
if (buffer[0] == '\n')
178
else if (buffer[0] == '#') {
180
fputs(buffer, stdout);
182
} else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
184
DEBUGP("Calling commit\n");
185
ret = iptc_commit(&handle);
187
DEBUGP("Not calling commit, testing\n");
191
} else if ((buffer[0] == '*') && (!in_table)) {
195
table = strtok(buffer+1, " \t\n");
196
DEBUGP("line %u, table '%s'\n", line, table);
198
exit_error(PARAMETER_PROBLEM,
199
"%s: line %u table name invalid\n",
203
strncpy(curtable, table, IPT_TABLE_MAXNAMELEN);
204
curtable[IPT_TABLE_MAXNAMELEN] = '\0';
209
handle = create_handle(table, modprobe);
211
DEBUGP("Cleaning all chains of table '%s'\n",
213
for_each_chain(flush_entries, verbose, 1,
216
DEBUGP("Deleting all user-defined chains "
217
"of table '%s'\n", table);
218
for_each_chain(delete_chain, verbose, 0,
225
} else if ((buffer[0] == ':') && (in_table)) {
227
char *policy, *chain;
229
chain = strtok(buffer+1, " \t\n");
230
DEBUGP("line %u, chain '%s'\n", line, chain);
232
exit_error(PARAMETER_PROBLEM,
233
"%s: line %u chain name invalid\n",
238
if (iptc_builtin(chain, handle) <= 0) {
239
if (noflush && iptc_is_chain(chain, handle)) {
240
DEBUGP("Flushing existing user defined chain '%s'\n", chain);
241
if (!iptc_flush_entries(chain, &handle))
242
exit_error(PARAMETER_PROBLEM,
243
"error flushing chain "
247
DEBUGP("Creating new chain '%s'\n", chain);
248
if (!iptc_create_chain(chain, &handle))
249
exit_error(PARAMETER_PROBLEM,
250
"error creating chain "
256
policy = strtok(NULL, " \t\n");
257
DEBUGP("line %u, policy '%s'\n", line, policy);
259
exit_error(PARAMETER_PROBLEM,
260
"%s: line %u policy invalid\n",
265
if (strcmp(policy, "-") != 0) {
266
struct ipt_counters count;
270
ctrs = strtok(NULL, " \t\n");
272
if (!ctrs || !parse_counters(ctrs, &count))
273
exit_error(PARAMETER_PROBLEM,
274
"invalid policy counters "
275
"for chain '%s'\n", chain);
279
sizeof(struct ipt_counters));
282
DEBUGP("Setting policy of chain %s to %s\n",
285
if (!iptc_set_policy(chain, policy, &count,
287
exit_error(OTHER_PROBLEM,
288
"Can't set policy `%s'"
289
" on `%s' line %u: %s\n",
291
iptc_strerror(errno));
296
} else if (in_table) {
304
char *param_start, *curchar;
307
/* reset the newargv */
310
if (buffer[0] == '[') {
311
/* we have counters in our input */
312
ptr = strchr(buffer, ']');
314
exit_error(PARAMETER_PROBLEM,
315
"Bad line %u: need ]\n",
318
pcnt = strtok(buffer+1, ":");
320
exit_error(PARAMETER_PROBLEM,
321
"Bad line %u: need :\n",
324
bcnt = strtok(NULL, "]");
326
exit_error(PARAMETER_PROBLEM,
327
"Bad line %u: need ]\n",
330
/* start command parsing after counter */
331
parsestart = ptr + 1;
333
/* start command parsing at start of line */
339
add_argv((char *) &curtable);
341
if (counters && pcnt && bcnt) {
342
add_argv("--set-counters");
343
add_argv((char *) pcnt);
344
add_argv((char *) bcnt);
347
/* After fighting with strtok enough, here's now
348
* a 'real' parser. According to Rusty I'm now no
349
* longer a real hacker, but I can live with that */
352
param_start = parsestart;
354
for (curchar = parsestart; *curchar; curchar++) {
355
if (*curchar == '"') {
356
/* quote_open cannot be true if there
357
* was no previous character. Thus,
358
* curchar-1 has to be within bounds */
360
*(curchar-1) != '\\') {
370
|| * curchar == '\n') {
371
char param_buffer[1024];
372
int param_len = curchar-param_start;
383
/* end of one parameter */
384
strncpy(param_buffer, param_start,
386
*(param_buffer+param_len) = '\0';
388
/* check if table name specified */
389
if (!strncmp(param_buffer, "-t", 3)
390
|| !strncmp(param_buffer, "--table", 8)) {
391
exit_error(PARAMETER_PROBLEM,
392
"Line %u seems to have a "
393
"-t table option.\n", line);
397
add_argv(param_buffer);
398
param_start += param_len + 1;
400
/* regular character, skip */
404
DEBUGP("calling do_command(%u, argv, &%s, handle):\n",
407
for (a = 0; a < newargc; a++)
408
DEBUGP("argv[%u]: %s\n", a, newargv[a]);
410
ret = do_command(newargc, newargv,
411
&newargv[2], &handle);
416
fprintf(stderr, "%s: line %u failed\n",
422
fprintf(stderr, "%s: COMMIT expected at line %u\n",
423
program_name, line + 1);
added
removed
iptables-restore.c.orig
