1/* 2 * Argument parser 3 * Copyright �� Jan Engelhardt, 2011 4 * 5 * This program is free software; you can redistribute it and/or 6 * modify it under the terms of the GNU General Public License as 7 * published by the Free Software Foundation; either version 2 of 8 * the License, or (at your option) any later version. 9 */ 10#include <ctype.h> 11#include <errno.h> 12#include <getopt.h> 13#include <limits.h> 14#include <netdb.h> 15#include <stdbool.h> 16#include <stdint.h> 17#include <stdio.h> 18#include <stdlib.h> 19#include <string.h> 20#include <syslog.h> 21#include <arpa/inet.h> 22#include <netinet/ip.h> 23#include "xtables.h" 24#include "xshared.h" 25#ifndef IPTOS_NORMALSVC 26# define IPTOS_NORMALSVC 0 27#endif 28 29#define XTOPT_MKPTR(cb) \ 30 ((void *)((char *)(cb)->data + (cb)->entry->ptroff)) 31 32/** 33 * Simple key-value pairs for syslog levels 34 */ 35struct syslog_level { 36 char name[8]; 37 uint8_t level; 38}; 39 40struct tos_value_mask { 41 uint8_t value, mask; 42}; 43 44static const size_t xtopt_psize[] = { 45 /* 46 * All types not listed here, and thus essentially being initialized to 47 * zero have zero on purpose. 48 */ 49 [XTTYPE_UINT8] = sizeof(uint8_t), 50 [XTTYPE_UINT16] = sizeof(uint16_t), 51 [XTTYPE_UINT32] = sizeof(uint32_t), 52 [XTTYPE_UINT64] = sizeof(uint64_t), 53 [XTTYPE_UINT8RC] = sizeof(uint8_t[2]), 54 [XTTYPE_UINT16RC] = sizeof(uint16_t[2]), 55 [XTTYPE_UINT32RC] = sizeof(uint32_t[2]), 56 [XTTYPE_UINT64RC] = sizeof(uint64_t[2]), 57 [XTTYPE_DOUBLE] = sizeof(double), 58 [XTTYPE_STRING] = -1, 59 [XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t), 60 [XTTYPE_HOST] = sizeof(union nf_inet_addr), 61 [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr), 62 [XTTYPE_PROTOCOL] = sizeof(uint8_t), 63 [XTTYPE_PORT] = sizeof(uint16_t), 64 [XTTYPE_PORTRC] = sizeof(uint16_t[2]), 65 [XTTYPE_PLENMASK] = sizeof(union nf_inet_addr), 66 [XTTYPE_ETHERMAC] = sizeof(uint8_t[6]), 67}; 68 69/** 70 * Creates getopt options from the x6-style option map, and assigns each a 71 * getopt id. 72 */ 73struct option * 74xtables_options_xfrm(struct option *orig_opts, struct option *oldopts, 75 const struct xt_option_entry *entry, unsigned int *offset) 76{ 77 unsigned int num_orig, num_old = 0, num_new, i; 78 struct option *merge, *mp; 79 80 if (entry == NULL) 81 return oldopts; 82 for (num_orig = 0; orig_opts[num_orig].name != NULL; ++num_orig) 83 ; 84 if (oldopts != NULL) 85 for (num_old = 0; oldopts[num_old].name != NULL; ++num_old) 86 ; 87 for (num_new = 0; entry[num_new].name != NULL; ++num_new) 88 ; 89 90 /* 91 * Since @oldopts also has @orig_opts already (and does so at the 92 * start), skip these entries. 93 */ 94 oldopts += num_orig; 95 num_old -= num_orig; 96 97 merge = malloc(sizeof(*mp) * (num_orig + num_old + num_new + 1)); 98 if (merge == NULL) 99 return NULL; 100 101 /* Let the base options -[ADI...] have precedence over everything */ 102 memcpy(merge, orig_opts, sizeof(*mp) * num_orig); 103 mp = merge + num_orig; 104 105 /* Second, the new options */ 106 xt_params->option_offset += XT_OPTION_OFFSET_SCALE; 107 *offset = xt_params->option_offset; 108 109 for (i = 0; i < num_new; ++i, ++mp, ++entry) { 110 mp->name = entry->name; 111 mp->has_arg = entry->type != XTTYPE_NONE; 112 mp->flag = NULL; 113 mp->val = entry->id + *offset; 114 } 115 116 /* Third, the old options */ 117 memcpy(mp, oldopts, sizeof(*mp) * num_old); 118 mp += num_old; 119 xtables_free_opts(0); 120 121 /* Clear trailing entry */ 122 memset(mp, 0, sizeof(*mp)); 123 return merge; 124} 125 126/** 127 * Give the upper limit for a certain type. 128 */ 129static uintmax_t xtopt_max_by_type(enum xt_option_type type) 130{ 131 switch (type) { 132 case XTTYPE_UINT8: 133 case XTTYPE_UINT8RC: 134 return UINT8_MAX; 135 case XTTYPE_UINT16: 136 case XTTYPE_UINT16RC: 137 return UINT16_MAX; 138 case XTTYPE_UINT32: 139 case XTTYPE_UINT32RC: 140 return UINT32_MAX; 141 case XTTYPE_UINT64: 142 case XTTYPE_UINT64RC: 143 return UINT64_MAX; 144 default: 145 return 0; 146 } 147} 148 149/** 150 * Return the size of a single entity based upon a type - predominantly an 151 * XTTYPE_UINT*RC type. 152 */ 153static size_t xtopt_esize_by_type(enum xt_option_type type) 154{ 155 switch (type) { 156 case XTTYPE_UINT8RC: 157 return xtopt_psize[XTTYPE_UINT8]; 158 case XTTYPE_UINT16RC: 159 return xtopt_psize[XTTYPE_UINT16]; 160 case XTTYPE_UINT32RC: 161 return xtopt_psize[XTTYPE_UINT32]; 162 case XTTYPE_UINT64RC: 163 return xtopt_psize[XTTYPE_UINT64]; 164 default: 165 return xtopt_psize[type]; 166 } 167} 168 169/** 170 * Require a simple integer. 171 */ 172static void xtopt_parse_int(struct xt_option_call *cb) 173{ 174 const struct xt_option_entry *entry = cb->entry; 175 uintmax_t lmin = 0, lmax = xtopt_max_by_type(entry->type); 176 uintmax_t value; 177 178 if (cb->entry->min != 0) 179 lmin = cb->entry->min; 180 if (cb->entry->max != 0) 181 lmax = cb->entry->max; 182 183 if (!xtables_strtoul(cb->arg, NULL, &value, lmin, lmax)) 184 xt_params->exit_err(PARAMETER_PROBLEM, 185 "%s: bad value for option \"--%s\", " 186 "or out of range (%ju-%ju).\n", 187 cb->ext_name, entry->name, lmin, lmax); 188 189 if (entry->type == XTTYPE_UINT8) { 190 cb->val.u8 = value; 191 if (entry->flags & XTOPT_PUT) 192 *(uint8_t *)XTOPT_MKPTR(cb) = cb->val.u8; 193 } else if (entry->type == XTTYPE_UINT16) { 194 cb->val.u16 = value; 195 if (entry->flags & XTOPT_PUT) 196 *(uint16_t *)XTOPT_MKPTR(cb) = cb->val.u16; 197 } else if (entry->type == XTTYPE_UINT32) { 198 cb->val.u32 = value; 199 if (entry->flags & XTOPT_PUT) 200 *(uint32_t *)XTOPT_MKPTR(cb) = cb->val.u32; 201 } else if (entry->type == XTTYPE_UINT64) { 202 cb->val.u64 = value; 203 if (entry->flags & XTOPT_PUT) 204 *(uint64_t *)XTOPT_MKPTR(cb) = cb->val.u64; 205 } 206} 207 208/** 209 * Require a simple floating point number. 210 */ 211static void xtopt_parse_float(struct xt_option_call *cb) 212{ 213 const struct xt_option_entry *entry = cb->entry; 214 double value; 215 char *end; 216 217 value = strtod(cb->arg, &end); 218 if (end == cb->arg || *end != '\0' || 219 (entry->min != entry->max && 220 (value < entry->min || value > entry->max))) 221 xt_params->exit_err(PARAMETER_PROBLEM, 222 "%s: bad value for option \"--%s\", " 223 "or out of range (%u-%u).\n", 224 cb->ext_name, entry->name, entry->min, entry->max); 225 226 cb->val.dbl = value; 227 if (entry->flags & XTOPT_PUT) 228 *(double *)XTOPT_MKPTR(cb) = cb->val.dbl; 229} 230 231/** 232 * Copy the parsed value to the appropriate entry in cb->val. 233 */ 234static void xtopt_mint_value_to_cb(struct xt_option_call *cb, uintmax_t value) 235{ 236 const struct xt_option_entry *entry = cb->entry; 237 238 if (cb->nvals >= ARRAY_SIZE(cb->val.u32_range)) 239 return; 240 if (entry->type == XTTYPE_UINT8RC) 241 cb->val.u8_range[cb->nvals] = value; 242 else if (entry->type == XTTYPE_UINT16RC) 243 cb->val.u16_range[cb->nvals] = value; 244 else if (entry->type == XTTYPE_UINT32RC) 245 cb->val.u32_range[cb->nvals] = value; 246 else if (entry->type == XTTYPE_UINT64RC) 247 cb->val.u64_range[cb->nvals] = value; 248} 249 250/** 251 * Copy the parsed value to the data area, using appropriate type access. 252 */ 253static void xtopt_mint_value_to_ptr(struct xt_option_call *cb, void **datap, 254 uintmax_t value) 255{ 256 const struct xt_option_entry *entry = cb->entry; 257 void *data = *datap; 258 259 if (!(entry->flags & XTOPT_PUT)) 260 return; 261 if (entry->type == XTTYPE_UINT8RC) 262 *(uint8_t *)data = value; 263 else if (entry->type == XTTYPE_UINT16RC) 264 *(uint16_t *)data = value; 265 else if (entry->type == XTTYPE_UINT32RC) 266 *(uint32_t *)data = value; 267 else if (entry->type == XTTYPE_UINT64RC) 268 *(uint64_t *)data = value; 269 data += xtopt_esize_by_type(entry->type); 270 *datap = data; 271} 272 273/** 274 * Multiple integer parse routine. 275 * 276 * This function is capable of parsing any number of fields. Only the first 277 * two values from the string will be put into @cb however (and as such, 278 * @cb->val.uXX_range is just that large) to cater for the few extensions that 279 * do not have a range[2] field, but {min, max}, and which cannot use 280 * XTOPT_POINTER. 281 */ 282static void xtopt_parse_mint(struct xt_option_call *cb) 283{ 284 const struct xt_option_entry *entry = cb->entry; 285 const char *arg = cb->arg; 286 size_t esize = xtopt_esize_by_type(entry->type); 287 const uintmax_t lmax = xtopt_max_by_type(entry->type); 288 void *put = XTOPT_MKPTR(cb); 289 unsigned int maxiter; 290 uintmax_t value; 291 char *end = ""; 292 char sep = ':'; 293 294 maxiter = entry->size / esize; 295 if (maxiter == 0) 296 maxiter = ARRAY_SIZE(cb->val.u32_range); 297 if (entry->size % esize != 0) 298 xt_params->exit_err(OTHER_PROBLEM, "%s: memory block does " 299 "not have proper size\n", __func__); 300 301 cb->nvals = 0; 302 for (arg = cb->arg, end = (char *)arg; ; arg = end + 1) { 303 if (cb->nvals == maxiter) 304 xt_params->exit_err(PARAMETER_PROBLEM, "%s: Too many " 305 "components for option \"--%s\" (max: %u)\n", 306 cb->ext_name, entry->name, maxiter); 307 if (*arg == '\0' || *arg == sep) { 308 /* Default range components when field not spec'd. */ 309 end = (char *)arg; 310 value = (cb->nvals == 1) ? lmax : 0; 311 } else { 312 if (!xtables_strtoul(arg, &end, &value, 0, lmax)) 313 xt_params->exit_err(PARAMETER_PROBLEM, 314 "%s: bad value for option \"--%s\" near " 315 "\"%s\", or out of range (0-%ju).\n", 316 cb->ext_name, entry->name, arg, lmax); 317 if (*end != '\0' && *end != sep) 318 xt_params->exit_err(PARAMETER_PROBLEM, 319 "%s: Argument to \"--%s\" has " 320 "unexpected characters near \"%s\".\n", 321 cb->ext_name, entry->name, end); 322 } 323 xtopt_mint_value_to_cb(cb, value); 324 ++cb->nvals; 325 xtopt_mint_value_to_ptr(cb, &put, value); 326 if (*end == '\0') 327 break; 328 } 329} 330 331static void xtopt_parse_string(struct xt_option_call *cb) 332{ 333 const struct xt_option_entry *entry = cb->entry; 334 size_t z = strlen(cb->arg); 335 char *p; 336 337 if (entry->min != 0 && z < entry->min) 338 xt_params->exit_err(PARAMETER_PROBLEM, 339 "Argument must have a minimum length of " 340 "%u characters\n", entry->min); 341 if (entry->max != 0 && z > entry->max) 342 xt_params->exit_err(PARAMETER_PROBLEM, 343 "Argument must have a maximum length of " 344 "%u characters\n", entry->max); 345 if (!(entry->flags & XTOPT_PUT)) 346 return; 347 if (z >= entry->size) 348 z = entry->size - 1; 349 p = XTOPT_MKPTR(cb); 350 strncpy(p, cb->arg, z); 351 p[z] = '\0'; 352} 353 354static const struct tos_symbol_info { 355 unsigned char value; 356 const char *name; 357} tos_symbol_names[] = { 358 {IPTOS_LOWDELAY, "Minimize-Delay"}, 359 {IPTOS_THROUGHPUT, "Maximize-Throughput"}, 360 {IPTOS_RELIABILITY, "Maximize-Reliability"}, 361 {IPTOS_MINCOST, "Minimize-Cost"}, 362 {IPTOS_NORMALSVC, "Normal-Service"}, 363 {}, 364}; 365 366/* 367 * tos_parse_numeric - parse a string like "15/255" 368 * 369 * @str: input string 370 * @tvm: (value/mask) tuple 371 * @max: maximum allowed value (must be pow(2,some_int)-1) 372 */ 373static bool tos_parse_numeric(const char *str, struct xt_option_call *cb, 374 unsigned int max) 375{ 376 unsigned int value; 377 char *end; 378 379 xtables_strtoui(str, &end, &value, 0, max); 380 cb->val.tos_value = value; 381 cb->val.tos_mask = max; 382 383 if (*end == '/') { 384 const char *p = end + 1; 385 386 if (!xtables_strtoui(p, &end, &value, 0, max)) 387 xtables_error(PARAMETER_PROBLEM, "Illegal value: \"%s\"", 388 str); 389 cb->val.tos_mask = value; 390 } 391 392 if (*end != '\0') 393 xtables_error(PARAMETER_PROBLEM, "Illegal value: \"%s\"", str); 394 return true; 395} 396 397/** 398 * @str: input string 399 * @tvm: (value/mask) tuple 400 * @def_mask: mask to force when a symbolic name is used 401 */ 402static void xtopt_parse_tosmask(struct xt_option_call *cb) 403{ 404 const struct tos_symbol_info *symbol; 405 char *tmp; 406 407 if (xtables_strtoui(cb->arg, &tmp, NULL, 0, UINT8_MAX)) { 408 tos_parse_numeric(cb->arg, cb, UINT8_MAX); 409 return; 410 } 411 /* 412 * This is our way we deal with different defaults 413 * for different revisions. 414 */ 415 cb->val.tos_mask = cb->entry->max; 416 for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol) 417 if (strcasecmp(cb->arg, symbol->name) == 0) { 418 cb->val.tos_value = symbol->value; 419 return; 420 } 421 422 xtables_error(PARAMETER_PROBLEM, "Symbolic name \"%s\" is unknown", 423 cb->arg); 424} 425 426/** 427 * Validate the input for being conformant to "mark[/mask]". 428 */ 429static void xtopt_parse_markmask(struct xt_option_call *cb) 430{ 431 unsigned int mark = 0, mask = ~0U; 432 char *end; 433 434 if (!xtables_strtoui(cb->arg, &end, &mark, 0, UINT32_MAX)) 435 xt_params->exit_err(PARAMETER_PROBLEM, 436 "%s: bad mark value for option \"--%s\", " 437 "or out of range.\n", 438 cb->ext_name, cb->entry->name); 439 if (*end == '/' && 440 !xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX)) 441 xt_params->exit_err(PARAMETER_PROBLEM, 442 "%s: bad mask value for option \"--%s\", " 443 "or out of range.\n", 444 cb->ext_name, cb->entry->name); 445 if (*end != '\0') 446 xt_params->exit_err(PARAMETER_PROBLEM, 447 "%s: trailing garbage after value " 448 "for option \"--%s\".\n", 449 cb->ext_name, cb->entry->name); 450 cb->val.mark = mark; 451 cb->val.mask = mask; 452} 453 454static int xtopt_sysloglvl_compare(const void *a, const void *b) 455{ 456 const char *name = a; 457 const struct syslog_level *entry = b; 458 459 return strcmp(name, entry->name); 460} 461 462static void xtopt_parse_sysloglevel(struct xt_option_call *cb) 463{ 464 static const struct syslog_level log_names[] = { /* must be sorted */ 465 {"alert", LOG_ALERT}, 466 {"crit", LOG_CRIT}, 467 {"debug", LOG_DEBUG}, 468 {"emerg", LOG_EMERG}, 469 {"error", LOG_ERR}, /* deprecated */ 470 {"info", LOG_INFO}, 471 {"notice", LOG_NOTICE}, 472 {"panic", LOG_EMERG}, /* deprecated */ 473 {"warning", LOG_WARNING}, 474 }; 475 const struct syslog_level *e; 476 unsigned int num = 0; 477 478 if (!xtables_strtoui(cb->arg, NULL, &num, 0, 7)) { 479 e = bsearch(cb->arg, log_names, ARRAY_SIZE(log_names), 480 sizeof(*log_names), xtopt_sysloglvl_compare); 481 if (e == NULL) 482 xt_params->exit_err(PARAMETER_PROBLEM, 483 "log level \"%s\" unknown\n", cb->arg); 484 num = e->level; 485 } 486 cb->val.syslog_level = num; 487 if (cb->entry->flags & XTOPT_PUT) 488 *(uint8_t *)XTOPT_MKPTR(cb) = num; 489} 490 491static void *xtables_sa_host(const void *sa, unsigned int afproto) 492{ 493 if (afproto == AF_INET6) 494 return &((struct sockaddr_in6 *)sa)->sin6_addr; 495 else if (afproto == AF_INET) 496 return &((struct sockaddr_in *)sa)->sin_addr; 497 return (void *)sa; 498} 499 500static socklen_t xtables_sa_hostlen(unsigned int afproto) 501{ 502 if (afproto == AF_INET6) 503 return sizeof(struct in6_addr); 504 else if (afproto == AF_INET) 505 return sizeof(struct in_addr); 506 return 0; 507} 508 509/** 510 * Accepts: a hostname (DNS), or a single inetaddr - without any mask. The 511 * result is stored in @cb->val.haddr. Additionally, @cb->val.hmask and 512 * @cb->val.hlen are set for completeness to the appropriate values. 513 */ 514static void xtopt_parse_host(struct xt_option_call *cb) 515{ 516 struct addrinfo hints = {.ai_family = afinfo->family}; 517 unsigned int adcount = 0; 518 struct addrinfo *res, *p; 519 int ret; 520 521 ret = getaddrinfo(cb->arg, NULL, &hints, &res); 522 if (ret < 0) 523 xt_params->exit_err(PARAMETER_PROBLEM, 524 "getaddrinfo: %s\n", gai_strerror(ret)); 525 526 memset(&cb->val.hmask, 0xFF, sizeof(cb->val.hmask)); 527 cb->val.hlen = (afinfo->family == NFPROTO_IPV4) ? 32 : 128; 528 529 for (p = res; p != NULL; p = p->ai_next) { 530 if (adcount == 0) { 531 memset(&cb->val.haddr, 0, sizeof(cb->val.haddr)); 532 memcpy(&cb->val.haddr, 533 xtables_sa_host(p->ai_addr, p->ai_family), 534 xtables_sa_hostlen(p->ai_family)); 535 ++adcount; 536 continue; 537 } 538 if (memcmp(&cb->val.haddr, 539 xtables_sa_host(p->ai_addr, p->ai_family), 540 xtables_sa_hostlen(p->ai_family)) != 0) 541 xt_params->exit_err(PARAMETER_PROBLEM, 542 "%s resolves to more than one address\n", 543 cb->arg); 544 } 545 546 freeaddrinfo(res); 547 if (cb->entry->flags & XTOPT_PUT) 548 /* Validation in xtables_option_metavalidate */ 549 memcpy(XTOPT_MKPTR(cb), &cb->val.haddr, 550 sizeof(cb->val.haddr)); 551} 552 553/** 554 * @name: port name, or number as a string (e.g. "http" or "80") 555 * 556 * Resolve a port name to a number. Returns the port number in integral 557 * form on success, or <0 on error. (errno will not be set.) 558 */ 559static int xtables_getportbyname(const char *name) 560{ 561 struct addrinfo *res = NULL, *p; 562 int ret; 563 int port = -1; 564 char *c; 565 566 ret = getaddrinfo(NULL, name, NULL, &res); 567 if (ret == EAI_SERVICE) { 568 port = strtoul(name, &c, 10); 569 if (*c == '\0' && port > 0) 570 return port; 571 } 572 if (ret < 0) 573 return -1; 574 ret = -1; 575 for (p = res; p != NULL; p = p->ai_next) { 576 if (p->ai_family == AF_INET6) { 577 ret = ((struct sockaddr_in6 *)p->ai_addr)->sin6_port; 578 break; 579 } else if (p->ai_family == AF_INET) { 580 ret = ((struct sockaddr_in *)p->ai_addr)->sin_port; 581 break; 582 } 583 } 584 freeaddrinfo(res); 585 if (ret < 0) 586 return ret; 587 return ntohs(ret); 588} 589 590/** 591 * Validate and parse a protocol specification (number or name) by use of 592 * /etc/protocols and put the result into @cb->val.protocol. 593 */ 594static void xtopt_parse_protocol(struct xt_option_call *cb) 595{ 596 cb->val.protocol = xtables_parse_protocol(cb->arg); 597 if (cb->entry->flags & XTOPT_PUT) 598 *(uint8_t *)XTOPT_MKPTR(cb) = cb->val.protocol; 599} 600 601/** 602 * Validate and parse a port specification and put the result into 603 * @cb->val.port. 604 */ 605static void xtopt_parse_port(struct xt_option_call *cb) 606{ 607 const struct xt_option_entry *entry = cb->entry; 608 int ret; 609 610 ret = xtables_getportbyname(cb->arg); 611 if (ret < 0) 612 xt_params->exit_err(PARAMETER_PROBLEM, 613 "Port \"%s\" does not resolve to anything.\n", 614 cb->arg); 615 if (entry->flags & XTOPT_NBO) 616 ret = htons(ret); 617 cb->val.port = ret; 618 if (entry->flags & XTOPT_PUT) 619 *(uint16_t *)XTOPT_MKPTR(cb) = cb->val.port; 620} 621 622static void xtopt_parse_mport(struct xt_option_call *cb) 623{ 624 static const size_t esize = sizeof(uint16_t); 625 const struct xt_option_entry *entry = cb->entry; 626 char *lo_arg, *wp_arg, *arg; 627 unsigned int maxiter; 628 int value; 629 630 wp_arg = lo_arg = strdup(cb->arg); 631 if (lo_arg == NULL) 632 xt_params->exit_err(RESOURCE_PROBLEM, "strdup"); 633 634 maxiter = entry->size / esize; 635 if (maxiter == 0) 636 maxiter = 2; /* ARRAY_SIZE(cb->val.port_range) */ 637 if (entry->size % esize != 0) 638 xt_params->exit_err(OTHER_PROBLEM, "%s: memory block does " 639 "not have proper size\n", __func__); 640 641 cb->val.port_range[0] = 0; 642 cb->val.port_range[1] = UINT16_MAX; 643 cb->nvals = 0; 644 645 while ((arg = strsep(&wp_arg, ":")) != NULL) { 646 if (cb->nvals == maxiter) 647 xt_params->exit_err(PARAMETER_PROBLEM, "%s: Too many " 648 "components for option \"--%s\" (max: %u)\n", 649 cb->ext_name, entry->name, maxiter); 650 if (*arg == '\0') { 651 ++cb->nvals; 652 continue; 653 } 654 655 value = xtables_getportbyname(arg); 656 if (value < 0) 657 xt_params->exit_err(PARAMETER_PROBLEM, 658 "Port \"%s\" does not resolve to " 659 "anything.\n", arg); 660 if (entry->flags & XTOPT_NBO) 661 value = htons(value); 662 if (cb->nvals < ARRAY_SIZE(cb->val.port_range)) 663 cb->val.port_range[cb->nvals] = value; 664 ++cb->nvals; 665 } 666 667 if (cb->nvals == 1) { 668 cb->val.port_range[1] = cb->val.port_range[0]; 669 ++cb->nvals; 670 } 671 if (entry->flags & XTOPT_PUT) 672 memcpy(XTOPT_MKPTR(cb), cb->val.port_range, sizeof(uint16_t) * 673 (cb->nvals <= maxiter ? cb->nvals : maxiter)); 674 free(lo_arg); 675} 676 677/** 678 * Parse an integer and ensure it is within the address family's prefix length 679 * limits. The result is stored in @cb->val.hlen. 680 */ 681static void xtopt_parse_plen(struct xt_option_call *cb) 682{ 683 const struct xt_option_entry *entry = cb->entry; 684 unsigned int prefix_len = 128; /* happiness is a warm gcc */ 685 686 cb->val.hlen = (afinfo->family == NFPROTO_IPV4) ? 32 : 128; 687 if (!xtables_strtoui(cb->arg, NULL, &prefix_len, 0, cb->val.hlen)) 688 xt_params->exit_err(PARAMETER_PROBLEM, 689 "%s: bad value for option \"--%s\", " 690 "or out of range (%u-%u).\n", 691 cb->ext_name, entry->name, 0, cb->val.hlen); 692 693 cb->val.hlen = prefix_len; 694} 695 696/** 697 * Reuse xtopt_parse_plen for testing the integer. Afterwards convert this to 698 * a bitmask, and make it available through @cb->val.hmask (hlen remains 699 * valid). If %XTOPT_PUT is used, hmask will be copied to the target area. 700 */ 701static void xtopt_parse_plenmask(struct xt_option_call *cb) 702{ 703 const struct xt_option_entry *entry = cb->entry; 704 uint32_t *mask = cb->val.hmask.all; 705 706 xtopt_parse_plen(cb); 707 708 memset(mask, 0xFF, sizeof(union nf_inet_addr)); 709 /* This shifting is AF-independent. */ 710 if (cb->val.hlen == 0) { 711 mask[0] = mask[1] = mask[2] = mask[3] = 0; 712 } else if (cb->val.hlen <= 32) { 713 mask[0] <<= 32 - cb->val.hlen; 714 mask[1] = mask[2] = mask[3] = 0; 715 } else if (cb->val.hlen <= 64) { 716 mask[1] <<= 32 - (cb->val.hlen - 32); 717 mask[2] = mask[3] = 0; 718 } else if (cb->val.hlen <= 96) { 719 mask[2] <<= 32 - (cb->val.hlen - 64); 720 mask[3] = 0; 721 } else if (cb->val.hlen <= 128) { 722 mask[3] <<= 32 - (cb->val.hlen - 96); 723 } 724 mask[0] = htonl(mask[0]); 725 mask[1] = htonl(mask[1]); 726 mask[2] = htonl(mask[2]); 727 mask[3] = htonl(mask[3]); 728 if (entry->flags & XTOPT_PUT) 729 memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr)); 730} 731 732static void xtopt_parse_hostmask(struct xt_option_call *cb) 733{ 734 const char *orig_arg = cb->arg; 735 char *work, *p; 736 737 if (strchr(cb->arg, '/') == NULL) { 738 xtopt_parse_host(cb); 739 return; 740 } 741 work = strdup(orig_arg); 742 if (work == NULL) 743 xt_params->exit_err(PARAMETER_PROBLEM, "strdup"); 744 p = strchr(work, '/'); /* by def this can't be NULL now */ 745 *p++ = '\0'; 746 /* 747 * Because xtopt_parse_host and xtopt_parse_plenmask would store 748 * different things in the same target area, XTTYPE_HOSTMASK must 749 * disallow XTOPT_PUT, which it does by forcing its absence, 750 * cf. not being listed in xtopt_psize. 751 */ 752 cb->arg = work; 753 xtopt_parse_host(cb); 754 cb->arg = p; 755 xtopt_parse_plenmask(cb); 756 cb->arg = orig_arg; 757} 758 759static void xtopt_parse_ethermac(struct xt_option_call *cb) 760{ 761 const char *arg = cb->arg; 762 unsigned int i; 763 char *end; 764 765 for (i = 0; i < ARRAY_SIZE(cb->val.ethermac) - 1; ++i) { 766 cb->val.ethermac[i] = strtoul(arg, &end, 16); 767 if (*end != ':' || end - arg > 2) 768 goto out; 769 arg = end + 1; 770 } 771 i = ARRAY_SIZE(cb->val.ethermac) - 1; 772 cb->val.ethermac[i] = strtoul(arg, &end, 16); 773 if (*end != '\0' || end - arg > 2) 774 goto out; 775 if (cb->entry->flags & XTOPT_PUT) 776 memcpy(XTOPT_MKPTR(cb), cb->val.ethermac, 777 sizeof(cb->val.ethermac)); 778 return; 779 out: 780 xt_params->exit_err(PARAMETER_PROBLEM, "ether"); 781} 782 783static void (*const xtopt_subparse[])(struct xt_option_call *) = { 784 [XTTYPE_UINT8] = xtopt_parse_int, 785 [XTTYPE_UINT16] = xtopt_parse_int, 786 [XTTYPE_UINT32] = xtopt_parse_int, 787 [XTTYPE_UINT64] = xtopt_parse_int, 788 [XTTYPE_UINT8RC] = xtopt_parse_mint, 789 [XTTYPE_UINT16RC] = xtopt_parse_mint, 790 [XTTYPE_UINT32RC] = xtopt_parse_mint, 791 [XTTYPE_UINT64RC] = xtopt_parse_mint, 792 [XTTYPE_DOUBLE] = xtopt_parse_float, 793 [XTTYPE_STRING] = xtopt_parse_string, 794 [XTTYPE_TOSMASK] = xtopt_parse_tosmask, 795 [XTTYPE_MARKMASK32] = xtopt_parse_markmask, 796 [XTTYPE_SYSLOGLEVEL] = xtopt_parse_sysloglevel, 797 [XTTYPE_HOST] = xtopt_parse_host, 798 [XTTYPE_HOSTMASK] = xtopt_parse_hostmask, 799 [XTTYPE_PROTOCOL] = xtopt_parse_protocol, 800 [XTTYPE_PORT] = xtopt_parse_port, 801 [XTTYPE_PORTRC] = xtopt_parse_mport, 802 [XTTYPE_PLEN] = xtopt_parse_plen, 803 [XTTYPE_PLENMASK] = xtopt_parse_plenmask, 804 [XTTYPE_ETHERMAC] = xtopt_parse_ethermac, 805}; 806 807/** 808 * The master option parsing routine. May be used for the ".x6_parse" 809 * function pointer in extensions if fully automatic parsing is desired. 810 * It may be also called manually from a custom x6_parse function. 811 */ 812void xtables_option_parse(struct xt_option_call *cb) 813{ 814 const struct xt_option_entry *entry = cb->entry; 815 unsigned int eflag = 1 << cb->entry->id; 816 817 /* 818 * With {.id = P_FOO, .excl = P_FOO} we can have simple double-use 819 * prevention. Though it turned out that this is too much typing (most 820 * of the options are one-time use only), so now we also have 821 * %XTOPT_MULTI. 822 */ 823 if ((!(entry->flags & XTOPT_MULTI) || (entry->excl & eflag)) && 824 cb->xflags & eflag) 825 xt_params->exit_err(PARAMETER_PROBLEM, 826 "%s: option \"--%s\" can only be used once.\n", 827 cb->ext_name, cb->entry->name); 828 if (cb->invert && !(entry->flags & XTOPT_INVERT)) 829 xt_params->exit_err(PARAMETER_PROBLEM, 830 "%s: option \"--%s\" cannot be inverted.\n", 831 cb->ext_name, entry->name); 832 if (entry->type != XTTYPE_NONE && optarg == NULL) 833 xt_params->exit_err(PARAMETER_PROBLEM, 834 "%s: option \"--%s\" requires an argument.\n", 835 cb->ext_name, entry->name); 836 if (entry->type <= ARRAY_SIZE(xtopt_subparse) && 837 xtopt_subparse[entry->type] != NULL) 838 xtopt_subparse[entry->type](cb); 839 /* Exclusion with other flags tested later in finalize. */ 840 cb->xflags |= 1 << entry->id; 841} 842 843/** 844 * Verifies that an extension's option map descriptor is valid, and ought to 845 * be called right after the extension has been loaded, and before option 846 * merging/xfrm. 847 */ 848void xtables_option_metavalidate(const char *name, 849 const struct xt_option_entry *entry) 850{ 851 for (; entry->name != NULL; ++entry) { 852 if (entry->id >= CHAR_BIT * sizeof(unsigned int) || 853 entry->id >= XT_OPTION_OFFSET_SCALE) 854 xt_params->exit_err(OTHER_PROBLEM, 855 "Extension %s uses invalid ID %u\n", 856 name, entry->id); 857 if (!(entry->flags & XTOPT_PUT)) { 858 if (entry->ptroff != 0) 859 xt_params->exit_err(OTHER_PROBLEM, 860 "%s: ptroff for \"--%s\" is non-" 861 "zero but no XTOPT_PUT is specified. " 862 "Oversight?", name, entry->name); 863 continue; 864 } 865 if (entry->type >= ARRAY_SIZE(xtopt_psize) || 866 xtopt_psize[entry->type] == 0) 867 xt_params->exit_err(OTHER_PROBLEM, 868 "%s: entry type of option \"--%s\" cannot be " 869 "combined with XTOPT_PUT\n", 870 name, entry->name); 871 if (xtopt_psize[entry->type] != -1 && 872 xtopt_psize[entry->type] != entry->size) 873 xt_params->exit_err(OTHER_PROBLEM, 874 "%s: option \"--%s\" points to a memory block " 875 "of wrong size (expected %zu, got %zu)\n", 876 name, entry->name, 877 xtopt_psize[entry->type], entry->size); 878 } 879} 880 881/** 882 * Find an option entry by its id. 883 */ 884static const struct xt_option_entry * 885xtables_option_lookup(const struct xt_option_entry *entry, unsigned int id) 886{ 887 for (; entry->name != NULL; ++entry) 888 if (entry->id == id) 889 return entry; 890 return NULL; 891} 892 893/** 894 * @c: getopt id (i.e. with offset) 895 * @fw: struct ipt_entry or ip6t_entry 896 * 897 * Dispatch arguments to the appropriate parse function, based upon the 898 * extension's choice of API. 899 */ 900void xtables_option_tpcall(unsigned int c, char **argv, bool invert, 901 struct xtables_target *t, void *fw) 902{ 903 struct xt_option_call cb; 904 905 if (t->x6_parse == NULL) { 906 if (t->parse != NULL) 907 t->parse(c - t->option_offset, argv, invert, 908 &t->tflags, fw, &t->t); 909 return; 910 } 911 912 c -= t->option_offset; 913 cb.entry = xtables_option_lookup(t->x6_options, c); 914 if (cb.entry == NULL) 915 xtables_error(OTHER_PROBLEM, 916 "Extension does not know id %u\n", c); 917 cb.arg = optarg; 918 cb.invert = invert; 919 cb.ext_name = t->name; 920 cb.data = t->t->data; 921 cb.xflags = t->tflags; 922 cb.target = &t->t; 923 cb.xt_entry = fw; 924 cb.udata = t->udata; 925 t->x6_parse(&cb); 926 t->tflags = cb.xflags; 927} 928 929/** 930 * @c: getopt id (i.e. with offset) 931 * @fw: struct ipt_entry or ip6t_entry 932 * 933 * Dispatch arguments to the appropriate parse function, based upon the 934 * extension's choice of API. 935 */ 936void xtables_option_mpcall(unsigned int c, char **argv, bool invert, 937 struct xtables_match *m, void *fw) 938{ 939 struct xt_option_call cb; 940 941 if (m->x6_parse == NULL) { 942 if (m->parse != NULL) 943 m->parse(c - m->option_offset, argv, invert, 944 &m->mflags, fw, &m->m); 945 return; 946 } 947 948 c -= m->option_offset; 949 cb.entry = xtables_option_lookup(m->x6_options, c); 950 if (cb.entry == NULL) 951 xtables_error(OTHER_PROBLEM, 952 "Extension does not know id %u\n", c); 953 cb.arg = optarg; 954 cb.invert = invert; 955 cb.ext_name = m->name; 956 cb.data = m->m->data; 957 cb.xflags = m->mflags; 958 cb.match = &m->m; 959 cb.xt_entry = fw; 960 cb.udata = m->udata; 961 m->x6_parse(&cb); 962 m->mflags = cb.xflags; 963} 964 965/** 966 * @name: name of extension 967 * @entry: current option (from all ext's entries) being validated 968 * @xflags: flags the extension has collected 969 * @i: conflicting option (id) to test for 970 */ 971static void 972xtables_option_fcheck2(const char *name, const struct xt_option_entry *entry, 973 const struct xt_option_entry *other, 974 unsigned int xflags) 975{ 976 unsigned int ef = 1 << entry->id, of = 1 << other->id; 977 978 if (entry->also & of && !(xflags & of)) 979 xt_params->exit_err(PARAMETER_PROBLEM, 980 "%s: option \"--%s\" also requires \"--%s\".\n", 981 name, entry->name, other->name); 982 983 if (!(entry->excl & of)) 984 /* Use of entry does not collide with other option, good. */ 985 return; 986 if ((xflags & (ef | of)) != (ef | of)) 987 /* Conflicting options were not used. */ 988 return; 989 990 xt_params->exit_err(PARAMETER_PROBLEM, 991 "%s: option \"--%s\" cannot be used together with \"--%s\".\n", 992 name, entry->name, other->name); 993} 994 995/** 996 * @name: name of extension 997 * @xflags: accumulated flags 998 * @entry: extension's option table 999 * 1000 * Check that all option constraints have been met. This effectively replaces 1001 * ->final_check of the older API. 1002 */ 1003void xtables_options_fcheck(const char *name, unsigned int xflags, 1004 const struct xt_option_entry *table) 1005{ 1006 const struct xt_option_entry *entry, *other; 1007 unsigned int i; 1008 1009 for (entry = table; entry->name != NULL; ++entry) { 1010 if (entry->flags & XTOPT_MAND && 1011 !(xflags & (1 << entry->id))) 1012 xt_params->exit_err(PARAMETER_PROBLEM, 1013 "%s: option \"--%s\" must be specified\n", 1014 name, entry->name); 1015 if (!(xflags & (1 << entry->id))) 1016 /* Not required, not specified, thus skip. */ 1017 continue; 1018 1019 for (i = 0; i < CHAR_BIT * sizeof(entry->id); ++i) { 1020 if (entry->id == i) 1021 /* 1022 * Avoid conflict with self. Multi-use check 1023 * was done earlier in xtables_option_parse. 1024 */ 1025 continue; 1026 other = xtables_option_lookup(table, i); 1027 if (other == NULL) 1028 continue; 1029 xtables_option_fcheck2(name, entry, other, xflags); 1030 } 1031 } 1032} 1033 1034/** 1035 * Dispatch arguments to the appropriate final_check function, based upon the 1036 * extension's choice of API. 1037 */ 1038void xtables_option_tfcall(struct xtables_target *t) 1039{ 1040 if (t->x6_fcheck != NULL) { 1041 struct xt_fcheck_call cb; 1042 1043 cb.ext_name = t->name; 1044 cb.data = t->t->data; 1045 cb.xflags = t->tflags; 1046 cb.udata = t->udata; 1047 t->x6_fcheck(&cb); 1048 } else if (t->final_check != NULL) { 1049 t->final_check(t->tflags); 1050 } 1051 if (t->x6_options != NULL) 1052 xtables_options_fcheck(t->name, t->tflags, t->x6_options); 1053} 1054 1055/** 1056 * Dispatch arguments to the appropriate final_check function, based upon the 1057 * extension's choice of API. 1058 */ 1059void xtables_option_mfcall(struct xtables_match *m) 1060{ 1061 if (m->x6_fcheck != NULL) { 1062 struct xt_fcheck_call cb; 1063 1064 cb.ext_name = m->name; 1065 cb.data = m->m->data; 1066 cb.xflags = m->mflags; 1067 cb.udata = m->udata; 1068 m->x6_fcheck(&cb); 1069 } else if (m->final_check != NULL) { 1070 m->final_check(m->mflags); 1071 } 1072 if (m->x6_options != NULL) 1073 xtables_options_fcheck(m->name, m->mflags, m->x6_options); 1074} 1075 1076struct xtables_lmap *xtables_lmap_init(const char *file) 1077{ 1078 struct xtables_lmap *lmap_head = NULL, *lmap_prev = NULL, *lmap_this; 1079 char buf[512]; 1080 FILE *fp; 1081 char *cur, *nxt; 1082 int id; 1083 1084 fp = fopen(file, "re"); 1085 if (fp == NULL) 1086 return NULL; 1087 1088 while (fgets(buf, sizeof(buf), fp) != NULL) { 1089 cur = buf; 1090 while (isspace(*cur)) 1091 ++cur; 1092 if (*cur == '#' || *cur == '\n' || *cur == '\0') 1093 continue; 1094 1095 /* iproute2 allows hex and dec format */ 1096 errno = 0; 1097 id = strtoul(cur, &nxt, strncmp(cur, "0x", 2) == 0 ? 16 : 10); 1098 if (nxt == cur || errno != 0) 1099 continue; 1100 1101 /* same boundaries as in iproute2 */ 1102 if (id < 0 || id > 255) 1103 continue; 1104 cur = nxt; 1105 1106 if (!isspace(*cur)) 1107 continue; 1108 while (isspace(*cur)) 1109 ++cur; 1110 if (*cur == '#' || *cur == '\n' || *cur == '\0') 1111 continue; 1112 nxt = cur; 1113 while (*nxt != '\0' && !isspace(*nxt)) 1114 ++nxt; 1115 if (nxt == cur) 1116 continue; 1117 *nxt = '\0'; 1118 1119 /* found valid data */ 1120 lmap_this = malloc(sizeof(*lmap_this)); 1121 if (lmap_this == NULL) { 1122 perror("malloc"); 1123 goto out; 1124 } 1125 lmap_this->id = id; 1126 lmap_this->name = strdup(cur); 1127 if (lmap_this->name == NULL) { 1128 free(lmap_this); 1129 goto out; 1130 } 1131 lmap_this->next = NULL; 1132 1133 if (lmap_prev != NULL) 1134 lmap_prev->next = lmap_this; 1135 else 1136 lmap_head = lmap_this; 1137 lmap_prev = lmap_this; 1138 } 1139 1140 fclose(fp); 1141 return lmap_head; 1142 out: 1143 xtables_lmap_free(lmap_head); 1144 return NULL; 1145} 1146 1147void xtables_lmap_free(struct xtables_lmap *head) 1148{ 1149 struct xtables_lmap *next; 1150 1151 for (; head != NULL; head = next) { 1152 next = head->next; 1153 free(head->name); 1154 free(head); 1155 } 1156} 1157 1158int xtables_lmap_name2id(const struct xtables_lmap *head, const char *name) 1159{ 1160 for (; head != NULL; head = head->next) 1161 if (strcmp(head->name, name) == 0) 1162 return head->id; 1163 return -1; 1164} 1165 1166const char *xtables_lmap_id2name(const struct xtables_lmap *head, int id) 1167{ 1168 for (; head != NULL; head = head->next) 1169 if (head->id == id) 1170 return head->name; 1171 return NULL; 1172} 1173