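#include <config.h>
#include <getopt.h>
#include <errno.h>
#include <libgen.h>
#include <netdb.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/time.h>
#include <unistd.h>
#include <fcntl.h>
#include <xtables.h>
#include <math.h>
#include "xshared.h"

/*
 * Print out any special helps. A user might like to be able to add a --help
 * to the commandline, and see expected results. So we call help for all
 * specified matches and targets.
 *
 * @t: linked list of targets; only those flagged as used are printed.
 * @m: linked list of loaded rule matches; every entry is printed.
 */
void print_extension_helps(const struct xtables_target *t,
			   const struct xtables_rule_match *m)
{
	for (; t != NULL; t = t->next) {
		if (!t->used)
			continue;
		printf("\n");
		if (t->help == NULL)
			printf("%s does not take any options\n", t->name);
		else
			t->help();
	}

	for (; m != NULL; m = m->next) {
		printf("\n");
		if (m->match->help == NULL)
			printf("%s does not take any options\n",
			       m->match->name);
		else
			m->match->help();
	}
}

/*
 * Map a layer-4 protocol number to a name.
 *
 * @proto:    protocol number (0 is never looked up via the protocols db).
 * @nolookup: when non-zero, skip getprotobynumber() and use only the
 *            built-in xtables_chain_protos table.
 *
 * Returns a name, or NULL if neither source knows the number.  The pointer
 * obtained from getprotobynumber() refers to static storage owned by libc
 * and may be overwritten by a later getproto*() call, so callers should use
 * or copy it promptly.
 */
const char *
proto_to_name(uint8_t proto, int nolookup)
{
	unsigned int i;

	if (proto && !nolookup) {
		struct protoent *pent = getprotobynumber(proto);

		if (pent)
			return pent->p_name;
	}

	for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
		if (xtables_chain_protos[i].num == proto)
			return xtables_chain_protos[i].name;

	return NULL;
}

/*
 * Find the match extension that corresponds to a protocol given either by
 * name ("tcp") or by number ("6").  A numeric protocol is first translated
 * to a name; an unknown number yields NULL without trying to load anything.
 */
static struct xtables_match *
find_proto(const char *pname, enum xtables_tryload tryload,
	   int nolookup, struct xtables_rule_match **matches)
{
	unsigned int proto;

	/* Not a number in 0..255: treat the argument as a protocol name. */
	if (!xtables_strtoui(pname, NULL, &proto, 0, UINT8_MAX))
		return xtables_find_match(pname, tryload, matches);

	{
		const char *protoname = proto_to_name(proto, nolookup);

		if (protoname == NULL)
			return NULL;
		return xtables_find_match(protoname, tryload, matches);
	}
}

/*
 * Some explanations (after four different bugs in 3 different releases): If
 * we encounter a parameter, that has not been parsed yet, it's not an option
 * of an explicitly loaded match or a target. However, we support implicit
 * loading of the protocol match extension. '-p tcp' means 'l4 proto 6' and at
 * the same time 'load tcp protocol match on demand if we specify --dport'.
 *
 * To make this work, we need to make sure:
 * - the parameter has not been parsed by a match (m above)
 * - a protocol has been specified
 * - the protocol extension has not been loaded yet, or is loaded and unused
 *   [think of ip6tables-restore!]
 * - the protocol extension can be successfully loaded
 */
static bool should_load_proto(struct iptables_command_state *cs)
{
	if (cs->protocol == NULL)
		return false;

	/* Not loaded yet (XTF_DONT_LOAD only finds what is already there). */
	if (find_proto(cs->protocol, XTF_DONT_LOAD,
		       cs->options & OPT_NUMERIC, NULL) == NULL)
		return true;

	/* Loaded: only reuse it if nothing has consumed it yet. */
	return !cs->proto_used;
}

/*
 * Implicitly load the match extension for the rule's protocol, if the rules
 * in should_load_proto() allow it.  Returns the match or NULL.
 */
struct xtables_match *load_proto(struct iptables_command_state *cs)
{
	if (!should_load_proto(cs))
		return NULL;

	return find_proto(cs->protocol, XTF_TRY_LOAD,
			  cs->options & OPT_NUMERIC, &cs->matches);
}

/*
 * Handle a getopt option that none of the generic switches claimed.
 *
 * The option is offered, in order, to the target, then to every loaded and
 * still-open match, then triggers an implicit protocol match load.
 *
 * Returns 0 when the option was consumed, 1 when a new match was loaded and
 * getopt must be re-run immediately on the same argument (optind has been
 * rewound), and does not return on an unknown option (xtables_error exits).
 */
int command_default(struct iptables_command_state *cs,
		    struct xtables_globals *gl)
{
	struct xtables_rule_match *matchp;
	struct xtables_match *m;

	/* Does the option fall into the target's private option range? */
	if (cs->target != NULL &&
	    (cs->target->parse != NULL || cs->target->x6_parse != NULL) &&
	    cs->c >= cs->target->option_offset &&
	    cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) {
		xtables_option_tpcall(cs->c, cs->argv, cs->invert,
				      cs->target, &cs->fw);
		return 0;
	}

	/* Otherwise, the first open match whose option range covers it. */
	for (matchp = cs->matches; matchp; matchp = matchp->next) {
		m = matchp->match;

		if (matchp->completed ||
		    (m->x6_parse == NULL && m->parse == NULL))
			continue;
		if (cs->c < m->option_offset ||
		    cs->c >= m->option_offset + XT_OPTION_OFFSET_SCALE)
			continue;

		xtables_option_mpcall(cs->c, cs->argv, cs->invert, m, &cs->fw);
		return 0;
	}

	/* Try loading protocol */
	m = load_proto(cs);
	if (m != NULL) {
		size_t size;

		cs->proto_used = 1;

		size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;

		m->m = xtables_calloc(1, size);
		m->m->u.match_size = size;
		/*
		 * Bounded copy: the name buffer in struct xt_entry_match is
		 * fixed-size; an extension name is registered code, not user
		 * input, but there is no reason to write past the buffer if
		 * one ever is too long.
		 */
		snprintf(m->m->u.user.name, sizeof(m->m->u.user.name),
			 "%s", m->name);
		m->m->u.user.revision = m->revision;
		xs_init_match(m);

		/* Splice the new match's options into the getopt table. */
		if (m->x6_options != NULL)
			gl->opts = xtables_options_xfrm(gl->orig_opts,
							gl->opts,
							m->x6_options,
							&m->option_offset);
		else
			gl->opts = xtables_merge_options(gl->orig_opts,
							 gl->opts,
							 m->extra_opts,
							 &m->option_offset);
		if (gl->opts == NULL)
			xtables_error(OTHER_PROBLEM, "can't alloc memory!");

		/* Rewind so the same argv entry is parsed again. */
		optind--;
		/* Indicate to rerun getopt *immediately* */
		return 1;
	}

	if (cs->c == ':')
		xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
			      "requires an argument", cs->argv[optind-1]);
	if (cs->c == '?')
		xtables_error(PARAMETER_PROBLEM, "unknown option "
			      "\"%s\"", cs->argv[optind-1]);
	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
	return 0;
}

/* Look up the main function registered for a subcommand name, or NULL. */
static mainfunc_t subcmd_get(const char *cmd, const struct subcommand *cb)
{
	const struct subcommand *sc;

	for (sc = cb; sc->name != NULL; ++sc)
		if (strcmp(sc->name, cmd) == 0)
			return sc->main;

	return NULL;
}

/*
 * Multi-call dispatcher: pick the subcommand from the program name (e.g. a
 * symlink named after it), falling back to argv[1] if that fails.  Exits
 * with EXIT_FAILURE after listing the valid names if neither matches.
 */
int subcmd_main(int argc, char **argv, const struct subcommand *cb)
{
	/* Guard against an empty argv (argc == 0), where argv[0] is NULL. */
	const char *cmd = (argc > 0 && argv[0] != NULL) ? basename(argv[0])
							: "";
	mainfunc_t f = subcmd_get(cmd, cb);

	if (f == NULL && argc > 1) {
		/*
		 * Unable to find a main method for our command name?
		 * Let's try again with the first argument!
		 */
		++argv;
		--argc;
		f = subcmd_get(*argv, cb);
	}

	/* now we should have a valid function pointer */
	if (f != NULL)
		return f(argc, argv);

	fprintf(stderr, "ERROR: No valid subcommand given.\nValid subcommands:\n");
	for (; cb->name != NULL; ++cb)
		fprintf(stderr, " * %s\n", cb->name);
	exit(EXIT_FAILURE);
}

/*
 * (Re)initialise a target's per-instance user data and call its init hook.
 * Any previous udata is released first; see xs_init_match() for why that
 * is safe.
 */
void xs_init_target(struct xtables_target *target)
{
	if (target->udata_size != 0) {
		free(target->udata);
		target->udata = calloc(1, target->udata_size);
		if (target->udata == NULL)
			xtables_error(RESOURCE_PROBLEM, "malloc");
	}
	if (target->init != NULL)
		target->init(target->t);
}

/*
 * (Re)initialise a match's per-instance user data and call its init hook.
 */
void xs_init_match(struct xtables_match *match)
{
	if (match->udata_size != 0) {
		/*
		 * As soon as a subsequent instance of the same match
		 * is used, e.g. "-m time -m time", the first instance
		 * is no longer reachable anyway, so we can free udata.
		 * Same goes for target.
		 */
		free(match->udata);
		match->udata = calloc(1, match->udata_size);
		if (match->udata == NULL)
			xtables_error(RESOURCE_PROBLEM, "malloc");
	}
	if (match->init != NULL)
		match->init(match->m);
}

/*
 * Acquire the global xtables lock.
 *
 * @wait:          -1 blocks indefinitely; otherwise the number of seconds
 *                 to keep retrying (0 means a single non-blocking attempt).
 * @wait_interval: pause between retries in the timed mode.
 *
 * Returns the lock file descriptor on success, XT_LOCK_FAILED if the lock
 * file could not be opened, or XT_LOCK_BUSY if another process holds it
 * for the whole wait period.  The descriptor is closed on the busy paths
 * so it cannot leak, and is opened O_CLOEXEC so a child process can never
 * inherit (and thereby keep holding) the lock.
 */
static int xtables_lock(int wait, struct timeval *wait_interval)
{
	struct timeval time_left, wait_time;
	int fd, i = 0;

	time_left.tv_sec = wait;
	time_left.tv_usec = 0;

	fd = open(XT_LOCK_NAME, O_RDONLY | O_CREAT | O_CLOEXEC, 0600);
	if (fd < 0) {
		fprintf(stderr, "Fatal: can't open lock file %s: %s\n",
			XT_LOCK_NAME, strerror(errno));
		return XT_LOCK_FAILED;
	}

	if (wait == -1) {
		if (flock(fd, LOCK_EX) == 0)
			return fd;

		fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME,
			strerror(errno));
		close(fd);
		return XT_LOCK_BUSY;
	}

	for (;;) {
		if (flock(fd, LOCK_EX | LOCK_NB) == 0)
			return fd;

		/* Out of time (also covers wait < -1, which is never "forever"). */
		if (timercmp(&time_left, wait_interval, <)) {
			close(fd);
			return XT_LOCK_BUSY;
		}

		/* Progress message every tenth attempt. */
		if (++i % 10 == 0) {
			fprintf(stderr, "Another app is currently holding the xtables lock; "
				"still %lds %ldus time ahead to have a chance to grab the lock...\n",
				(long)time_left.tv_sec, (long)time_left.tv_usec);
		}

		/* select() may modify the timeout, so sleep on a copy. */
		wait_time = *wait_interval;
		select(0, NULL, NULL, NULL, &wait_time);
		timersub(&time_left, wait_interval, &time_left);
	}
}

/* Release a lock obtained from xtables_lock(); negative values are ignored. */
void xtables_unlock(int lock)
{
	if (lock >= 0)
		close(lock);
}

/*
 * Acquire the xtables lock or exit with RESOURCE_PROBLEM after printing a
 * diagnostic.  Returns the lock descriptor on success.
 */
int xtables_lock_or_exit(int wait, struct timeval *wait_interval)
{
	int lock = xtables_lock(wait, wait_interval);

	if (lock == XT_LOCK_FAILED) {
		xtables_free_opts(1);
		exit(RESOURCE_PROBLEM);
	}

	if (lock == XT_LOCK_BUSY) {
		fprintf(stderr, "Another app is currently holding the xtables lock. ");
		if (wait == 0)
			fprintf(stderr, "Perhaps you want to use the -w option?\n");
		else
			fprintf(stderr, "Stopped waiting after %ds.\n", wait);
		xtables_free_opts(1);
		exit(RESOURCE_PROBLEM);
	}

	return lock;
}

/*
 * Parse an entire string as a long in the given base (0 = auto-detect
 * decimal/octal/hex, matching the old "%i" behaviour).  Unlike sscanf(),
 * this rejects empty input, trailing garbage ("5abc") and out-of-range
 * values instead of silently accepting a prefix.  Returns true on success.
 */
static bool xs_parse_whole_long(const char *s, int base, long *out)
{
	char *end;
	long val;

	if (s == NULL || *s == '\0')
		return false;

	errno = 0;
	val = strtol(s, &end, base);
	if (end == s || *end != '\0' || errno == ERANGE)
		return false;

	*out = val;
	return true;
}

/*
 * Parse the optional argument of -w/--wait.
 *
 * The value comes from optarg if getopt supplied one, otherwise from the
 * next argv entry when it does not look like an option.  Returns the number
 * of seconds, or -1 (wait forever) when no value was given.  Exits via
 * xtables_error() on a malformed value.
 */
int parse_wait_time(int argc, char *argv[])
{
	const char *arg;
	long val;

	if (optarg)
		arg = optarg;
	else if (xs_has_arg(argc, argv))
		arg = argv[optind++];
	else
		return -1;

	if (!xs_parse_whole_long(arg, 0, &val) || (long)(int)val != val)
		xtables_error(PARAMETER_PROBLEM, "wait seconds not numeric");

	return (int)val;
}

/*
 * Parse the optional argument of -W/--wait-interval (microseconds).
 *
 * Leaves *wait_interval untouched when no value is present.  Accepts only
 * 0..999999; negative, non-numeric or trailing-garbage input is rejected
 * via xtables_error().
 */
void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval)
{
	const char *arg;
	long usec;

	if (optarg)
		arg = optarg;
	else if (xs_has_arg(argc, argv))
		arg = argv[optind++];
	else
		return;

	if (!xs_parse_whole_long(arg, 10, &usec) || usec < 0)
		xtables_error(PARAMETER_PROBLEM, "wait interval not numeric");

	if (usec > 999999)
		xtables_error(PARAMETER_PROBLEM,
			      "too long usec wait %lu > 999999 usec",
			      (unsigned long)usec);

	wait_interval->tv_sec = 0;
	wait_interval->tv_usec = usec;
}

/*
 * True if there is a further argv entry that does not look like an option
 * or an inversion marker, i.e. something an optional-argument switch may
 * consume.
 */
inline bool xs_has_arg(int argc, char *argv[])
{
	if (optind >= argc)
		return false;

	return argv[optind][0] != '-' && argv[optind][0] != '!';
}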