  • only in /asus-wl-520gu-7.0.1.45/src/router/netconf/

Lines Matching refs:entry

/*
 * Walk the match records of an iptables rule: the cursor starts at
 * entry->elems[0] and the loop continues while it is below
 * entry + entry->target_offset. The increment clause and the closing
 * parenthesis are not part of this listing.
 * NOTE(review): both bounds are compared after casting pointers to int. On a
 * target where pointers are wider than int the cast truncates the address;
 * uintptr_t or a char * comparison is the portable form.
 * NOTE(review): target_offset is used as the end of the match area as-is;
 * nothing visible here checks it against the size of the entry.
 */
39 #define for_each_ipt_match(match, entry) \
40 for ((match) = (struct ipt_entry_match *) &(entry)->elems[0]; \
41 (int) (match) < (int) (entry) + (entry)->target_offset; \
101 target_num(const struct ipt_entry *entry, iptc_handle_t *handle)
103 const char *name = iptc_get_target(entry, handle);
142 const struct ipt_entry *entry;
167 for (entry = iptc_first_rule(chain, &handle); entry; entry = iptc_next_rule(entry, &handle)) {
168 int num = target_num(entry, &handle);
181 if (!netconf_valid_ipproto(entry->ip.proto))
206 fw->match.src.ipaddr.s_addr = entry->ip.src.s_addr;
207 fw->match.src.netmask.s_addr = entry->ip.smsk.s_addr;
208 fw->match.dst.ipaddr.s_addr = entry->ip.dst.s_addr;
209 fw->match.dst.netmask.s_addr = entry->ip.dmsk.s_addr;
210 fw->match.flags |= (entry->ip.invflags & IPT_INV_SRCIP) ? NETCONF_INV_SRCIP : 0;
211 fw->match.flags |= (entry->ip.invflags & IPT_INV_DSTIP) ? NETCONF_INV_DSTIP : 0;
/*
 * Copy the rule's in/out interface names and their inversion flags into the
 * netconf record.
 * NOTE(review): strncpy() with a count of IFNAMSIZ writes no terminating NUL
 * when the source occupies all IFNAMSIZ bytes. Presumably in.name and out.name
 * are IFNAMSIZ-byte arrays; confirm, and confirm that every reader bounds its
 * access (the comparison at 471-472 does, via strncmp with IFNAMSIZ).
 */
214 strncpy(fw->match.in.name, entry->ip.iniface, IFNAMSIZ);
215 strncpy(fw->match.out.name, entry->ip.outiface, IFNAMSIZ);
216 fw->match.flags |= (entry->ip.invflags & IPT_INV_VIA_IN) ? NETCONF_INV_IN : 0;
217 fw->match.flags |= (entry->ip.invflags & IPT_INV_VIA_OUT) ? NETCONF_INV_OUT : 0;
220 if (entry->ip.proto == IPPROTO_TCP) {
223 for_each_ipt_match(match, entry) {
244 else if (entry->ip.proto == IPPROTO_UDP) {
247 for_each_ipt_match(match, entry) {
268 else if (entry->ip.proto != IPPROTO_IP) {
269 fw->match.ipproto = entry->ip.proto;
273 for_each_ipt_match(match, entry) {
286 for_each_ipt_match(match, entry) {
301 for_each_ipt_match(match, entry) {
324 target = (struct ipt_entry_target *) ((int) entry + entry->target_offset);
341 if (entry->ip.proto == IPPROTO_TCP) {
347 else if (entry->ip.proto == IPPROTO_UDP) {
386 * Get the index of a firewall entry
387 * @param fw firewall entry to look for
388 * @return index of firewall entry or <0 if not found or an error occurred
398 const struct ipt_entry *entry = NULL;
448 for (ret = 0, entry = iptc_first_rule(chain, &handle); entry; ret++, entry = iptc_next_rule(entry, &handle)) {
456 if (entry->ip.proto != fw->match.ipproto)
460 if (entry->ip.src.s_addr != fw->match.src.ipaddr.s_addr ||
461 entry->ip.smsk.s_addr != fw->match.src.netmask.s_addr ||
462 entry->ip.dst.s_addr != fw->match.dst.ipaddr.s_addr ||
463 entry->ip.dmsk.s_addr != fw->match.dst.netmask.s_addr)
466 if (lxor(entry->ip.invflags & IPT_INV_SRCIP, fw->match.flags & NETCONF_INV_SRCIP) ||
467 lxor(entry->ip.invflags & IPT_INV_DSTIP, fw->match.flags & NETCONF_INV_DSTIP))
471 if (strncmp(fw->match.in.name, entry->ip.iniface, IFNAMSIZ) != 0 ||
472 strncmp(fw->match.out.name, entry->ip.outiface, IFNAMSIZ) != 0)
479 for_each_ipt_match(match, entry) {
504 for_each_ipt_match(match, entry) {
527 for_each_ipt_match(match, entry) {
544 for_each_ipt_match(match, entry) {
562 for_each_ipt_match(match, entry) {
589 if (fw->target != target_num(entry, &handle))
591 target = (struct ipt_entry_target *) ((int) entry + entry->target_offset);
632 if (entry)
641 if (entry)
645 return (entry ? ret : -ENOENT);
649 * See if a given firewall entry already exists
650 * @param nat NAT entry to look for
651 * @return whether NAT entry exists
/*
 * Grow the rule by match_size bytes and place a new match record at the old
 * end of the rule (presumably the body of netconf_append_match; the signature
 * is not part of this listing).
 */
669 struct ipt_entry *entry;
/*
 * The realloc() result goes into a temporary, so *pentry is only replaced on
 * success (line 689). realloc() may move the block: pointers derived from the
 * old *pentry must not be reused after this call.
 */
676 if (!(entry = realloc(*pentry, (*pentry)->next_offset + match_size))) {
/* NOTE(review): pointer arithmetic through (int) truncates where pointers are wider than int. */
681 match = (struct ipt_entry_match *) ((int) entry + entry->next_offset);
/*
 * Both offsets advance, because the target is expected to follow the matches.
 * NOTE(review): in the Linux ip_tables.h definition of struct ipt_entry these
 * offsets are 16-bit fields (confirm for this tree). If so, a large enough
 * match_size makes the stored offset wrap while the allocation size computed
 * above does not. No bound on match_size is visible here.
 */
682 entry->next_offset += match_size;
683 entry->target_offset += match_size;
689 *pentry = entry;
/*
 * Grow the rule by target_size bytes and place the target record at the old
 * end of the rule (presumably the body of netconf_append_target; the
 * signature is not part of this listing).
 */
703 struct ipt_entry *entry;
/* As in the match case, *pentry is replaced only after realloc() succeeds (line 722). */
710 if (!(entry = realloc(*pentry, (*pentry)->next_offset + target_size))) {
/* NOTE(review): (int) pointer cast; see the same pattern at 681 and 741. */
715 target = (struct ipt_entry_target *) ((int) entry + entry->next_offset);
/*
 * Only next_offset moves; target_offset keeps pointing at the record just added.
 * NOTE(review): no bound on target_size is visible; confirm next_offset cannot wrap.
 */
716 entry->next_offset += target_size;
722 *pentry = entry;
727 * Insert an entry into a reasonable location in the chain
729 * @param entry iptables entry
734 insert_entry(const char *chain, struct ipt_entry *entry, iptc_handle_t *handle)
/* NOTE(review): (int) pointer cast truncates where pointers are wider than int. */
741 target = (struct ipt_entry_target *) ((int) entry + entry->target_offset);
/*
 * A rule with no match records (target_offset equals the bare header size)
 * whose IP selector equals `blank` is appended to the end of the chain.
 * Presumably `blank` is an all-zero struct ipt_ip; its definition is not shown.
 */
745 if (entry->target_offset == sizeof(struct ipt_entry) &&
746 !memcmp(&entry->ip, &blank, sizeof(struct ipt_ip)))
747 return iptc_append_entry(chain, entry, handle);
/*
 * DROP and logdrop rules are inserted at position 0, ahead of every existing rule.
 * NOTE(review): the iptc_get_target() result is passed to strcmp() unchecked,
 * here and at 755-756; confirm it cannot return NULL for this entry.
 */
750 if (!strcmp(iptc_get_target(entry, handle), "DROP") ||
751 !strcmp(iptc_get_target(entry, handle), "logdrop"))
752 return iptc_insert_entry(chain, entry, 0, handle);
/* ACCEPT and logaccept rules are inserted at index i; how i is computed (757-763) is not shown. */
755 else if (!strcmp(iptc_get_target(entry, handle), "ACCEPT") ||
756 !strcmp(iptc_get_target(entry, handle), "logaccept")) {
764 return iptc_insert_entry(chain, entry, i, handle);
/* Every other target is appended to the end of the chain. */
769 return iptc_append_entry(chain, entry, handle);
773 * Add a firewall entry
774 * @param fw firewall entry
784 struct ipt_entry *entry;
809 /* Allocate entry */
810 if (!(entry = calloc(1, sizeof(struct ipt_entry)))) {
815 /* Initialize entry parameters */
816 entry->nfcache |= NFC_UNKNOWN;
817 entry->next_offset = entry->target_offset = sizeof(struct ipt_entry);
821 entry->ip.src.s_addr = fw->match.src.ipaddr.s_addr;
822 entry->ip.smsk.s_addr = fw->match.src.netmask.s_addr;
823 entry->nfcache |= NFC_IP_SRC;
824 entry->ip.invflags |= (fw->match.flags & NETCONF_INV_SRCIP) ? IPT_INV_SRCIP : 0;
827 entry->ip.dst.s_addr = fw->match.dst.ipaddr.s_addr;
828 entry->ip.dmsk.s_addr = fw->match.dst.netmask.s_addr;
829 entry->nfcache |= NFC_IP_DST;
830 entry->ip.invflags |= (fw->match.flags & NETCONF_INV_DSTIP) ? IPT_INV_DSTIP : 0;
/*
 * Input interface: copy the name, clear the IFNAMSIZ-byte mask, then set 0xff
 * over the name plus its NUL so the whole name has to match.
 * NOTE(review): strlen() on fw->match.in.name is unbounded. If the name is not
 * NUL-terminated within IFNAMSIZ bytes, the second memset() writes past the
 * mask that the first memset() sizes as IFNAMSIZ. The conditions guarding this
 * block (lines 834 and 841) are not part of this listing; confirm the length
 * is validated before this point.
 */
835 strncpy(entry->ip.iniface, fw->match.in.name, IFNAMSIZ);
836 memset(&entry->ip.iniface_mask, 0, IFNAMSIZ);
837 memset(&entry->ip.iniface_mask, 0xff, strlen(fw->match.in.name) + 1);
838 entry->ip.invflags |= (fw->match.flags & NETCONF_INV_IN) ? IPT_INV_VIA_IN : 0;
839 entry->nfcache |= NFC_IP_IF_IN;
/*
 * Output interface: same sequence for outiface / outiface_mask.
 * NOTE(review): line 844 takes the mask length from fw->match.in.name, and
 * line 845 tests NETCONF_INV_IN, although 842 copies fw->match.out.name and
 * the read path at 216-217 pairs IPT_INV_VIA_OUT with NETCONF_INV_OUT. This
 * looks like a copy-paste slip; fw->match.out.name and NETCONF_INV_OUT appear
 * to be intended. As written, the out-interface mask covers as many bytes as
 * the in-interface name has, so a shorter in.name turns the out-interface
 * test into a prefix match and the rule applies to more interfaces than
 * configured. The out-interface inversion also follows the in-interface flag.
 */
842 strncpy(entry->ip.outiface, fw->match.out.name, IFNAMSIZ);
843 memset(&entry->ip.outiface_mask, 0, IFNAMSIZ);
844 memset(&entry->ip.outiface_mask, 0xff, strlen(fw->match.in.name) + 1);
845 entry->ip.invflags |= (fw->match.flags & NETCONF_INV_IN) ? IPT_INV_VIA_OUT : 0;
846 entry->nfcache |= NFC_IP_IF_OUT;
853 if (!(match = netconf_append_match(&entry, "tcp", sizeof(struct ipt_tcp))))
857 entry->ip.proto = IPPROTO_TCP;
858 entry->nfcache |= NFC_IP_PROTO;
864 entry->nfcache |= (tcp->spts[0] != 0 || tcp->spts[1] != 0xffff) ? NFC_IP_SRC_PT : 0;
870 entry->nfcache |= (tcp->dpts[0] != 0 || tcp->dpts[1] != 0xffff) ? NFC_IP_DST_PT : 0;
877 if (!(match = netconf_append_match(&entry, "udp", sizeof(struct ipt_udp))))
881 entry->ip.proto = IPPROTO_UDP;
882 entry->nfcache |= NFC_IP_PROTO;
888 entry->nfcache |= (udp->spts[0] != 0 || udp->spts[1] != 0xffff) ? NFC_IP_SRC_PT : 0;
894 entry->nfcache |= (udp->dpts[0] != 0 || udp->dpts[1] != 0xffff) ? NFC_IP_DST_PT : 0;
899 entry->ip.proto = fw->match.ipproto;
900 entry->nfcache |= NFC_IP_PROTO;
907 if (!(match = netconf_append_match(&entry, "mac", sizeof(struct ipt_mac_info))))
919 if (!(match = netconf_append_match(&entry, "state", sizeof(struct ipt_state_info))))
943 if (!(match = netconf_append_match(&entry, "time", sizeof(struct ipt_time_info) + 8)))
961 if (!(match = netconf_append_match(&entry, "webstr", sizeof(struct ipt_webstr_info))))
968 entry->nfcache |= NFC_UNKNOWN;
/*
 * The target name and payload size are looked up in two tables indexed by fw->target.
 * NOTE(review): no range check on fw->target is visible in this listing;
 * confirm it is validated against the table sizes before this line, since an
 * out-of-range value would read past both arrays.
 */
973 if (!(target = netconf_append_target(&entry, ipt_target_name[fw->target], ipt_target_size[fw->target])))
988 if (!insert_entry(ipt_filter_chain_name[filter->dir], entry, &handle)) {
1021 if (!insert_entry(ipt_nat_chain_name[fw->target], entry, &handle)) {
1036 if (!insert_entry("PREROUTING", entry, &handle)) {
1047 free(entry);
1053 free(entry);
1058 * Delete a firewall entry
1059 * @param fw firewall entry
1095 * Add or delete a firewall entry or list of firewall entries
1096 * @param fw_list firewall entry or list of firewall entries
1106 /* Single firewall entry */
1120 * Add a NAT entry or list of NAT entries
1121 * @param nat_list NAT entry or list of NAT entries
1131 * Delete a NAT entry or list of NAT entries
1132 * @param nat_list NAT entry or list of NAT entries
1173 * Add a filter entry or list of filter entries
1174 * @param filter_list filter entry or list of filter entries
1184 * Delete a filter entry or list of filter entries
1185 * @param filter_list filter entry or list of filter entries
/*
 * Build a heap-allocated rule from one optional match and one target
 * (presumably the body of netconf_generate_entry; the signature is not part
 * of this listing). The entry is returned to the caller at 1264; the callers
 * visible at 1345-1376 release it with free().
 */
1239 struct ipt_entry *entry;
1243 /* Allocate entry */
/* calloc() zero-fills the header, so fields not set below start at 0. */
1244 if (!(entry = calloc(1, sizeof(struct ipt_entry)))) {
1249 /* Initialize entry parameters */
/* With no matches yet, the target position and the end of the rule both sit right after the header. */
1250 entry->next_offset = entry->target_offset = sizeof(struct ipt_entry);
/* Each append may reallocate; `entry` is passed by address so it follows the block. */
1254 if (!(match = netconf_append_match(&entry, match_name, match_data_size)))
1260 if (!(target = netconf_append_target(&entry, target_name, target_data_size)))
1264 return entry;
/* Failure path: release the partially built entry. */
1267 free(entry);
1307 struct ipt_entry *entry = NULL;
1338 if (!(entry = netconf_generate_entry("state", &state, sizeof(state), "LOG", &log, sizeof(log))))
1340 entry->nfcache |= NFC_UNKNOWN;
1342 !iptc_insert_entry("logdrop", entry, 0, &handle) ||
1345 free(entry);
1348 if (!(entry = netconf_generate_entry(NULL, NULL, 0, "DROP", &unused, sizeof(unused))))
1350 entry->nfcache |= NFC_UNKNOWN;
1352 !iptc_insert_entry("logdrop", entry, 1, &handle) ||
1355 free(entry);
1359 if (!(entry = netconf_generate_entry("state", &state, sizeof(state), "LOG", &log, sizeof(log))))
1361 entry->nfcache |= NFC_UNKNOWN;
1363 !iptc_insert_entry("logaccept", entry, 0, &handle) ||
1366 free(entry);
1369 if (!(entry = netconf_generate_entry(NULL, NULL, 0, "ACCEPT", &unused, sizeof(unused))))
1371 entry->nfcache |= NFC_UNKNOWN;
1373 !iptc_insert_entry("logaccept", entry, 1, &handle) ||
1376 free(entry);
1381 if (entry)
1382 free(entry);
1399 struct ipt_entry *entry;
1414 /* Generate and complete the entry */
1415 if (!(entry = netconf_generate_entry("tcp", &tcp, sizeof(tcp), "TCPMSS", &tcpmss, sizeof(tcpmss))))
1417 entry->ip.proto = IPPROTO_TCP;
1418 entry->nfcache |= NFC_IP_PROTO | NFC_IP_TCPFLAGS;
1422 !iptc_insert_entry("FORWARD", entry, 0, &handle) ||
1425 free(entry);
1429 free(entry);