← Back to branch summary

~ubuntu-branches/ubuntu/quantal/iptables/quantal-proposed

« back to all changes in this revision

Viewing changes to extensions/libip6t_policy.c

  • Committer: Bazaar Package Importer
  • Author(s): Nicolas Valcárcel Scerpella
  • Date: 2009-05-06 16:35:21 UTC
  • mfrom: (5.1.6 upstream) (2.1.2 lenny)
  • Revision ID: james.westby@ubuntu.com-20090506163521-2hbruo0m33h04wxf
Tags: 1.4.3.2-2ubuntu1
https://launchpad.net/bugs/372920
* Merge from debian unstable (LP: #372920), remaining changes:
  - Don't fail to run iptables-save if iptables module isn't loaded.
  - debian/patches/0901-build-libipq_pic.a.patch - Build libipq_pic.a with
    -fPIC. Upstream changed build system and patch modified accordingly.
  - Revert changes between 1.4.1.1-3 and 1.4.1.1-4, thus bringing back
    the howtos.
* Droped unexistent patches from debian/patches/series
* Droped 0903-autoload-module-in-iptables-save.diff, fixed upstream
* Added linuxdoc-tools to Build-Depends
* Modified debian/iptables{,-dev}.install to match DM syntax 
  (removed debian/tmp)

Show diffs side-by-side

added added

removed removed

Lines of Context:
extensions/libip6t_policy.c
1
 
/* Shared library add-on to iptables to add policy support. */
2
 
 
 
1
/* Shared library add-on to ip6tables to add policy support. */
3
2
#include <stdio.h>
4
3
#include <netdb.h>
5
4
#include <string.h>
11
10
#include <sys/socket.h>
12
11
#include <netinet/in.h>
13
12
#include <arpa/inet.h>
14
 
#include <ip6tables.h>
15
 
 
16
 
#include <linux/netfilter_ipv6/ip6_tables.h>
17
 
#include "../include/linux/netfilter_ipv6/ip6t_policy.h"
 
13
#include <xtables.h>
 
14
#include <libiptc/libip6tc.h>
 
15
#include <linux/netfilter_ipv6/ip6t_policy.h>
18
16
 
19
17
/*
20
18
 * HACK: global pointer to current matchinfo for making
131
129
                return IP6T_POLICY_MATCH_IN;
132
130
        if (strcmp(s, "out") == 0)
133
131
                return IP6T_POLICY_MATCH_OUT;
134
 
        exit_error(PARAMETER_PROBLEM, "policy_match: invalid dir `%s'", s);
 
132
        xtables_error(PARAMETER_PROBLEM, "policy_match: invalid dir \"%s\"", s);
135
133
}
136
134
 
137
135
static int parse_policy(char *s)
140
138
                return IP6T_POLICY_MATCH_NONE;
141
139
        if (strcmp(s, "ipsec") == 0)
142
140
                return 0;
143
 
        exit_error(PARAMETER_PROBLEM, "policy match: invalid policy `%s'", s);
 
141
        xtables_error(PARAMETER_PROBLEM, "policy match: invalid policy \"%s\"", s);
144
142
}
145
143
 
146
144
static int parse_mode(char *s)
149
147
                return IP6T_POLICY_MODE_TRANSPORT;
150
148
        if (strcmp(s, "tunnel") == 0)
151
149
                return IP6T_POLICY_MODE_TUNNEL;
152
 
        exit_error(PARAMETER_PROBLEM, "policy match: invalid mode `%s'", s);
 
150
        xtables_error(PARAMETER_PROBLEM, "policy match: invalid mode \"%s\"", s);
153
151
}
154
152
 
155
153
static int policy_parse(int c, char **argv, int invert, unsigned int *flags,
158
156
        struct ip6t_policy_info *info = (void *)(*match)->data;
159
157
        struct ip6t_policy_elem *e = &info->pol[info->len];
160
158
        struct in6_addr *addr = NULL, mask;
161
 
        unsigned int naddr = 0;
 
159
        unsigned int naddr = 0, num;
162
160
        int mode;
163
161
 
164
 
        check_inverse(optarg, &invert, &optind, 0);
 
162
        xtables_check_inverse(optarg, &invert, &optind, 0);
165
163
 
166
164
        switch (c) {
167
165
        case '1':
168
166
                if (info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))
169
 
                        exit_error(PARAMETER_PROBLEM,
 
167
                        xtables_error(PARAMETER_PROBLEM,
170
168
                                   "policy match: double --dir option");
171
169
                if (invert)
172
 
                        exit_error(PARAMETER_PROBLEM,
 
170
                        xtables_error(PARAMETER_PROBLEM,
173
171
                                   "policy match: can't invert --dir option");
174
172
 
175
173
                info->flags |= parse_direction(argv[optind-1]);
176
174
                break;
177
175
        case '2':
178
176
                if (invert)
179
 
                        exit_error(PARAMETER_PROBLEM,
 
177
                        xtables_error(PARAMETER_PROBLEM,
180
178
                                   "policy match: can't invert --policy option");
181
179
 
182
180
                info->flags |= parse_policy(argv[optind-1]);
183
181
                break;
184
182
        case '3':
185
183
                if (info->flags & IP6T_POLICY_MATCH_STRICT)
186
 
                        exit_error(PARAMETER_PROBLEM,
 
184
                        xtables_error(PARAMETER_PROBLEM,
187
185
                                   "policy match: double --strict option");
188
186
 
189
187
                if (invert)
190
 
                        exit_error(PARAMETER_PROBLEM,
 
188
                        xtables_error(PARAMETER_PROBLEM,
191
189
                                   "policy match: can't invert --strict option");
192
190
 
193
191
                info->flags |= IP6T_POLICY_MATCH_STRICT;
194
192
                break;
195
193
        case '4':
196
194
                if (e->match.reqid)
197
 
                        exit_error(PARAMETER_PROBLEM,
 
195
                        xtables_error(PARAMETER_PROBLEM,
198
196
                                   "policy match: double --reqid option");
199
197
 
200
198
                e->match.reqid = 1;
201
199
                e->invert.reqid = invert;
202
 
                e->reqid = strtol(argv[optind-1], NULL, 10);
 
200
                if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
 
201
                        xtables_param_act(XTF_BAD_VALUE, "policy", "--reqid", optarg);
 
202
                e->reqid = num;
203
203
                break;
204
204
        case '5':
205
205
                if (e->match.spi)
206
 
                        exit_error(PARAMETER_PROBLEM,
 
206
                        xtables_error(PARAMETER_PROBLEM,
207
207
                                   "policy match: double --spi option");
208
208
 
209
209
                e->match.spi = 1;
210
210
                e->invert.spi = invert;
211
 
                e->spi = strtol(argv[optind-1], NULL, 0x10);
 
211
                if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
 
212
                        xtables_param_act(XTF_BAD_VALUE, "policy", "--spi", optarg);
 
213
                e->spi = num;
212
214
                break;
213
215
        case '6':
214
216
                if (e->match.saddr)
215
 
                        exit_error(PARAMETER_PROBLEM,
 
217
                        xtables_error(PARAMETER_PROBLEM,
216
218
                                   "policy match: double --tunnel-src option");
217
219
 
218
 
                ip6parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
 
220
                xtables_ip6parse_any(argv[optind-1], &addr, &mask, &naddr);
219
221
                if (naddr > 1)
220
 
                        exit_error(PARAMETER_PROBLEM,
 
222
                        xtables_error(PARAMETER_PROBLEM,
221
223
                                   "policy match: name resolves to multiple IPs");
222
224
 
223
225
                e->match.saddr = 1;
227
229
                break;
228
230
        case '7':
229
231
                if (e->match.daddr)
230
 
                        exit_error(PARAMETER_PROBLEM,
 
232
                        xtables_error(PARAMETER_PROBLEM,
231
233
                                   "policy match: double --tunnel-dst option");
232
234
 
233
 
                ip6parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
 
235
                xtables_ip6parse_any(argv[optind-1], &addr, &mask, &naddr);
234
236
                if (naddr > 1)
235
 
                        exit_error(PARAMETER_PROBLEM,
 
237
                        xtables_error(PARAMETER_PROBLEM,
236
238
                                   "policy match: name resolves to multiple IPs");
237
239
 
238
240
                e->match.daddr = 1;
242
244
                break;
243
245
        case '8':
244
246
                if (e->match.proto)
245
 
                        exit_error(PARAMETER_PROBLEM,
 
247
                        xtables_error(PARAMETER_PROBLEM,
246
248
                                   "policy match: double --proto option");
247
249
 
248
 
                e->proto = parse_protocol(argv[optind-1]);
 
250
                e->proto = xtables_parse_protocol(argv[optind-1]);
249
251
                if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
250
252
                    e->proto != IPPROTO_COMP)
251
 
                        exit_error(PARAMETER_PROBLEM,
 
253
                        xtables_error(PARAMETER_PROBLEM,
252
254
                                   "policy match: protocol must ah/esp/ipcomp");
253
255
                e->match.proto = 1;
254
256
                e->invert.proto = invert;
255
257
                break;
256
258
        case '9':
257
259
                if (e->match.mode)
258
 
                        exit_error(PARAMETER_PROBLEM,
 
260
                        xtables_error(PARAMETER_PROBLEM,
259
261
                                   "policy match: double --mode option");
260
262
 
261
263
                mode = parse_mode(argv[optind-1]);
265
267
                break;
266
268
        case 'a':
267
269
                if (invert)
268
 
                        exit_error(PARAMETER_PROBLEM,
 
270
                        xtables_error(PARAMETER_PROBLEM,
269
271
                                   "policy match: can't invert --next option");
270
272
 
271
273
                if (++info->len == IP6T_POLICY_MAX_ELEM)
272
 
                        exit_error(PARAMETER_PROBLEM,
 
274
                        xtables_error(PARAMETER_PROBLEM,
273
275
                                   "policy match: maximum policy depth reached");
274
276
                break;
275
277
        default:
287
289
        int i;
288
290
 
289
291
        if (info == NULL)
290
 
                exit_error(PARAMETER_PROBLEM,
 
292
                xtables_error(PARAMETER_PROBLEM,
291
293
                           "policy match: no parameters given");
292
294
 
293
295
        if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT)))
294
 
                exit_error(PARAMETER_PROBLEM,
 
296
                xtables_error(PARAMETER_PROBLEM,
295
297
                           "policy match: neither --in nor --out specified");
296
298
 
297
299
        if (info->flags & IP6T_POLICY_MATCH_NONE) {
298
300
                if (info->flags & IP6T_POLICY_MATCH_STRICT)
299
 
                        exit_error(PARAMETER_PROBLEM,
 
301
                        xtables_error(PARAMETER_PROBLEM,
300
302
                                   "policy match: policy none but --strict given");
301
303
 
302
304
                if (info->len != 0)
303
 
                        exit_error(PARAMETER_PROBLEM,
 
305
                        xtables_error(PARAMETER_PROBLEM,
304
306
                                   "policy match: policy none but policy given");
305
307
        } else
306
308
                info->len++;    /* increase len by 1, no --next after last element */
307
309
 
308
310
        if (!(info->flags & IP6T_POLICY_MATCH_STRICT) && info->len > 1)
309
 
                exit_error(PARAMETER_PROBLEM,
 
311
                xtables_error(PARAMETER_PROBLEM,
310
312
                           "policy match: multiple elements but no --strict");
311
313
 
312
314
        for (i = 0; i < info->len; i++) {
315
317
                if (info->flags & IP6T_POLICY_MATCH_STRICT &&
316
318
                    !(e->match.reqid || e->match.spi || e->match.saddr ||
317
319
                      e->match.daddr || e->match.proto || e->match.mode))
318
 
                        exit_error(PARAMETER_PROBLEM,
 
320
                        xtables_error(PARAMETER_PROBLEM,
319
321
                                   "policy match: empty policy element");
320
322
 
321
323
                if ((e->match.saddr || e->match.daddr)
322
324
                    && ((e->mode == IP6T_POLICY_MODE_TUNNEL && e->invert.mode) ||
323
325
                        (e->mode == IP6T_POLICY_MODE_TRANSPORT && !e->invert.mode)))
324
 
                        exit_error(PARAMETER_PROBLEM,
 
326
                        xtables_error(PARAMETER_PROBLEM,
325
327
                                   "policy match: --tunnel-src/--tunnel-dst "
326
328
                                   "is only valid in tunnel mode");
327
329
        }
445
447
static struct xtables_match policy_mt6_reg = {
446
448
        .name           = "policy",
447
449
        .version        = XTABLES_VERSION,
448
 
        .family         = PF_INET6,
 
450
        .family         = NFPROTO_IPV6,
449
451
        .size           = XT_ALIGN(sizeof(struct ip6t_policy_info)),
450
452
        .userspacesize  = XT_ALIGN(sizeof(struct ip6t_policy_info)),
451
453
        .help           = policy_help,