1 /* 2 * Argument parser 3 * Copyright Jan Engelhardt, 2011 4 * 5 * This program is free software; you can redistribute it and/or 6 * modify it under the terms of the GNU General Public License as 7 * published by the Free Software Foundation; either version 2 of 8 * the License, or (at your option) any later version. 9 */ 10 #include <ctype.h> 11 #include <errno.h> 12 #include <getopt.h> 13 #include <limits.h> 14 #include <netdb.h> 15 #include <stdbool.h> 16 #include <stdint.h> 17 #include <stdio.h> 18 #include <stdlib.h> 19 #include <string.h> 20 #include <syslog.h> 21 #include <arpa/inet.h> 22 #include <netinet/ip.h> 23 #include "xtables.h" 24 #include "xshared.h" 25 #ifndef IPTOS_NORMALSVC 26 # define IPTOS_NORMALSVC 0 27 #endif 28 29 #define XTOPT_MKPTR(cb) \ 30 ((void *)((char *)(cb)->data + (cb)->entry->ptroff)) 31 32 /** 33 * Simple key-value pairs for syslog levels 34 */ 35 struct syslog_level { 36 char name[8]; 37 uint8_t level; 38 }; 39 40 struct tos_value_mask { 41 uint8_t value, mask; 42 }; 43 44 static const size_t xtopt_psize[] = { 45 /* 46 * All types not listed here, and thus essentially being initialized to 47 * zero have zero on purpose. 48 */ 49 [XTTYPE_UINT8] = sizeof(uint8_t), 50 [XTTYPE_UINT16] = sizeof(uint16_t), 51 [XTTYPE_UINT32] = sizeof(uint32_t), 52 [XTTYPE_UINT64] = sizeof(uint64_t), 53 [XTTYPE_UINT8RC] = sizeof(uint8_t[2]), 54 [XTTYPE_UINT16RC] = sizeof(uint16_t[2]), 55 [XTTYPE_UINT32RC] = sizeof(uint32_t[2]), 56 [XTTYPE_UINT64RC] = sizeof(uint64_t[2]), 57 [XTTYPE_DOUBLE] = sizeof(double), 58 [XTTYPE_STRING] = -1, 59 [XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t), 60 [XTTYPE_HOST] = sizeof(union nf_inet_addr), 61 [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr), 62 [XTTYPE_PROTOCOL] = sizeof(uint8_t), 63 [XTTYPE_PORT] = sizeof(uint16_t), 64 [XTTYPE_PORTRC] = sizeof(uint16_t[2]), 65 [XTTYPE_PLENMASK] = sizeof(union nf_inet_addr), 66 [XTTYPE_ETHERMAC] = sizeof(uint8_t[6]), 67 }; 68 69 /** 70 * Creates getopt options from the x6-style option map, and assigns each a 71 * getopt id. 72 */ 73 struct option * 74 xtables_options_xfrm(struct option *orig_opts, struct option *oldopts, 75 const struct xt_option_entry *entry, unsigned int *offset) 76 { 77 unsigned int num_orig, num_old = 0, num_new, i; 78 struct option *merge, *mp; 79 80 if (entry == NULL) 81 return oldopts; 82 for (num_orig = 0; orig_opts[num_orig].name != NULL; ++num_orig) 83 ; 84 if (oldopts != NULL) 85 for (num_old = 0; oldopts[num_old].name != NULL; ++num_old) 86 ; 87 for (num_new = 0; entry[num_new].name != NULL; ++num_new) 88 ; 89 90 /* 91 * Since @oldopts also has @orig_opts already (and does so at the 92 * start), skip these entries. 93 */ 94 oldopts += num_orig; 95 num_old -= num_orig; 96 97 merge = malloc(sizeof(*mp) * (num_orig + num_old + num_new + 1)); 98 if (merge == NULL) 99 return NULL; 100 101 /* Let the base options -[ADI...] have precedence over everything */ 102 memcpy(merge, orig_opts, sizeof(*mp) * num_orig); 103 mp = merge + num_orig; 104 105 /* Second, the new options */ 106 xt_params->option_offset += XT_OPTION_OFFSET_SCALE; 107 *offset = xt_params->option_offset; 108 109 for (i = 0; i < num_new; ++i, ++mp, ++entry) { 110 mp->name = entry->name; 111 mp->has_arg = entry->type != XTTYPE_NONE; 112 mp->flag = NULL; 113 mp->val = entry->id + *offset; 114 } 115 116 /* Third, the old options */ 117 memcpy(mp, oldopts, sizeof(*mp) * num_old); 118 mp += num_old; 119 xtables_free_opts(0); 120 121 /* Clear trailing entry */ 122 memset(mp, 0, sizeof(*mp)); 123 return merge; 124 } 125 126 /** 127 * Give the upper limit for a certain type. 128 */ 129 static uintmax_t xtopt_max_by_type(enum xt_option_type type) 130 { 131 switch (type) { 132 case XTTYPE_UINT8: 133 case XTTYPE_UINT8RC: 134 return UINT8_MAX; 135 case XTTYPE_UINT16: 136 case XTTYPE_UINT16RC: 137 return UINT16_MAX; 138 case XTTYPE_UINT32: 139 case XTTYPE_UINT32RC: 140 return UINT32_MAX; 141 case XTTYPE_UINT64: 142 case XTTYPE_UINT64RC: 143 return UINT64_MAX; 144 default: 145 return 0; 146 } 147 } 148 149 /** 150 * Return the size of a single entity based upon a type - predominantly an 151 * XTTYPE_UINT*RC type. 152 */ 153 static size_t xtopt_esize_by_type(enum xt_option_type type) 154 { 155 switch (type) { 156 case XTTYPE_UINT8RC: 157 return xtopt_psize[XTTYPE_UINT8]; 158 case XTTYPE_UINT16RC: 159 return xtopt_psize[XTTYPE_UINT16]; 160 case XTTYPE_UINT32RC: 161 return xtopt_psize[XTTYPE_UINT32]; 162 case XTTYPE_UINT64RC: 163 return xtopt_psize[XTTYPE_UINT64]; 164 default: 165 return xtopt_psize[type]; 166 } 167 } 168 169 /** 170 * Require a simple integer. 171 */ 172 static void xtopt_parse_int(struct xt_option_call *cb) 173 { 174 const struct xt_option_entry *entry = cb->entry; 175 uintmax_t lmin = 0, lmax = xtopt_max_by_type(entry->type); 176 uintmax_t value; 177 178 if (cb->entry->min != 0) 179 lmin = cb->entry->min; 180 if (cb->entry->max != 0) 181 lmax = cb->entry->max; 182 183 if (!xtables_strtoul(cb->arg, NULL, &value, lmin, lmax)) 184 xt_params->exit_err(PARAMETER_PROBLEM, 185 "%s: bad value for option \"--%s\", " 186 "or out of range (%ju-%ju).\n", 187 cb->ext_name, entry->name, lmin, lmax); 188 189 if (entry->type == XTTYPE_UINT8) { 190 cb->val.u8 = value; 191 if (entry->flags & XTOPT_PUT) 192 *(uint8_t *)XTOPT_MKPTR(cb) = cb->val.u8; 193 } else if (entry->type == XTTYPE_UINT16) { 194 cb->val.u16 = value; 195 if (entry->flags & XTOPT_PUT) 196 *(uint16_t *)XTOPT_MKPTR(cb) = cb->val.u16; 197 } else if (entry->type == XTTYPE_UINT32) { 198 cb->val.u32 = value; 199 if (entry->flags & XTOPT_PUT) 200 *(uint32_t *)XTOPT_MKPTR(cb) = cb->val.u32; 201 } else if (entry->type == XTTYPE_UINT64) { 202 cb->val.u64 = value; 203 if (entry->flags & XTOPT_PUT) 204 *(uint64_t *)XTOPT_MKPTR(cb) = cb->val.u64; 205 } 206 } 207 208 /** 209 * Require a simple floating point number. 210 */ 211 static void xtopt_parse_float(struct xt_option_call *cb) 212 { 213 const struct xt_option_entry *entry = cb->entry; 214 double value; 215 char *end; 216 217 value = strtod(cb->arg, &end); 218 if (end == cb->arg || *end != '\0' || 219 (entry->min != entry->max && 220 (value < entry->min || value > entry->max))) 221 xt_params->exit_err(PARAMETER_PROBLEM, 222 "%s: bad value for option \"--%s\", " 223 "or out of range (%u-%u).\n", 224 cb->ext_name, entry->name, entry->min, entry->max); 225 226 cb->val.dbl = value; 227 if (entry->flags & XTOPT_PUT) 228 *(double *)XTOPT_MKPTR(cb) = cb->val.dbl; 229 } 230 231 /** 232 * Copy the parsed value to the appropriate entry in cb->val. 233 */ 234 static void xtopt_mint_value_to_cb(struct xt_option_call *cb, uintmax_t value) 235 { 236 const struct xt_option_entry *entry = cb->entry; 237 238 if (cb->nvals >= ARRAY_SIZE(cb->val.u32_range)) 239 return; 240 if (entry->type == XTTYPE_UINT8RC) 241 cb->val.u8_range[cb->nvals] = value; 242 else if (entry->type == XTTYPE_UINT16RC) 243 cb->val.u16_range[cb->nvals] = value; 244 else if (entry->type == XTTYPE_UINT32RC) 245 cb->val.u32_range[cb->nvals] = value; 246 else if (entry->type == XTTYPE_UINT64RC) 247 cb->val.u64_range[cb->nvals] = value; 248 } 249 250 /** 251 * Copy the parsed value to the data area, using appropriate type access. 252 */ 253 static void xtopt_mint_value_to_ptr(struct xt_option_call *cb, void **datap, 254 uintmax_t value) 255 { 256 const struct xt_option_entry *entry = cb->entry; 257 void *data = *datap; 258 259 if (!(entry->flags & XTOPT_PUT)) 260 return; 261 if (entry->type == XTTYPE_UINT8RC) 262 *(uint8_t *)data = value; 263 else if (entry->type == XTTYPE_UINT16RC) 264 *(uint16_t *)data = value; 265 else if (entry->type == XTTYPE_UINT32RC) 266 *(uint32_t *)data = value; 267 else if (entry->type == XTTYPE_UINT64RC) 268 *(uint64_t *)data = value; 269 data += xtopt_esize_by_type(entry->type); 270 *datap = data; 271 } 272 273 /** 274 * Multiple integer parse routine. 275 * 276 * This function is capable of parsing any number of fields. Only the first 277 * two values from the string will be put into @cb however (and as such, 278 * @cb->val.uXX_range is just that large) to cater for the few extensions that 279 * do not have a range[2] field, but {min, max}, and which cannot use 280 * XTOPT_POINTER. 281 */ 282 static void xtopt_parse_mint(struct xt_option_call *cb) 283 { 284 const struct xt_option_entry *entry = cb->entry; 285 const char *arg = cb->arg; 286 size_t esize = xtopt_esize_by_type(entry->type); 287 const uintmax_t lmax = xtopt_max_by_type(entry->type); 288 void *put = XTOPT_MKPTR(cb); 289 unsigned int maxiter; 290 uintmax_t value; 291 char *end = ""; 292 char sep = ':'; 293 294 maxiter = entry->size / esize; 295 if (maxiter == 0) 296 maxiter = ARRAY_SIZE(cb->val.u32_range); 297 if (entry->size % esize != 0) 298 xt_params->exit_err(OTHER_PROBLEM, "%s: memory block does " 299 "not have proper size\n", __func__); 300 301 cb->nvals = 0; 302 for (arg = cb->arg, end = (char *)arg; ; arg = end + 1) { 303 if (cb->nvals == maxiter) 304 xt_params->exit_err(PARAMETER_PROBLEM, "%s: Too many " 305 "components for option \"--%s\" (max: %u)\n", 306 cb->ext_name, entry->name, maxiter); 307 if (*arg == '\0' || *arg == sep) { 308 /* Default range components when field not spec'd. */ 309 end = (char *)arg; 310 value = (cb->nvals == 1) ? lmax : 0; 311 } else { 312 if (!xtables_strtoul(arg, &end, &value, 0, lmax)) 313 xt_params->exit_err(PARAMETER_PROBLEM, 314 "%s: bad value for option \"--%s\" near " 315 "\"%s\", or out of range (0-%ju).\n", 316 cb->ext_name, entry->name, arg, lmax); 317 if (*end != '\0' && *end != sep) 318 xt_params->exit_err(PARAMETER_PROBLEM, 319 "%s: Argument to \"--%s\" has " 320 "unexpected characters near \"%s\".\n", 321 cb->ext_name, entry->name, end); 322 } 323 xtopt_mint_value_to_cb(cb, value); 324 ++cb->nvals; 325 xtopt_mint_value_to_ptr(cb, &put, value); 326 if (*end == '\0') 327 break; 328 } 329 } 330 331 static void xtopt_parse_string(struct xt_option_call *cb) 332 { 333 const struct xt_option_entry *entry = cb->entry; 334 size_t z = strlen(cb->arg); 335 char *p; 336 337 if (entry->min != 0 && z < entry->min) 338 xt_params->exit_err(PARAMETER_PROBLEM, 339 "Argument must have a minimum length of " 340 "%u characters\n", entry->min); 341 if (entry->max != 0 && z > entry->max) 342 xt_params->exit_err(PARAMETER_PROBLEM, 343 "Argument must have a maximum length of " 344 "%u characters\n", entry->max); 345 if (!(entry->flags & XTOPT_PUT)) 346 return; 347 if (z >= entry->size) 348 z = entry->size - 1; 349 p = XTOPT_MKPTR(cb); 350 strncpy(p, cb->arg, z); 351 p[z] = '\0'; 352 } 353 354 static const struct tos_symbol_info { 355 unsigned char value; 356 const char *name; 357 } tos_symbol_names[] = { 358 {IPTOS_LOWDELAY, "Minimize-Delay"}, 359 {IPTOS_THROUGHPUT, "Maximize-Throughput"}, 360 {IPTOS_RELIABILITY, "Maximize-Reliability"}, 361 {IPTOS_MINCOST, "Minimize-Cost"}, 362 {IPTOS_NORMALSVC, "Normal-Service"}, 363 {}, 364 }; 365 366 /* 367 * tos_parse_numeric - parse a string like "15/255" 368 * 369 * @str: input string 370 * @tvm: (value/mask) tuple 371 * @max: maximum allowed value (must be pow(2,some_int)-1) 372 */ 373 static bool tos_parse_numeric(const char *str, struct xt_option_call *cb, 374 unsigned int max) 375 { 376 unsigned int value; 377 char *end; 378 379 xtables_strtoui(str, &end, &value, 0, max); 380 cb->val.tos_value = value; 381 cb->val.tos_mask = max; 382 383 if (*end == '/') { 384 const char *p = end + 1; 385 386 if (!xtables_strtoui(p, &end, &value, 0, max)) 387 xtables_error(PARAMETER_PROBLEM, "Illegal value: \"%s\"", 388 str); 389 cb->val.tos_mask = value; 390 } 391 392 if (*end != '\0') 393 xtables_error(PARAMETER_PROBLEM, "Illegal value: \"%s\"", str); 394 return true; 395 } 396 397 /** 398 * @str: input string 399 * @tvm: (value/mask) tuple 400 * @def_mask: mask to force when a symbolic name is used 401 */ 402 static void xtopt_parse_tosmask(struct xt_option_call *cb) 403 { 404 const struct tos_symbol_info *symbol; 405 char *tmp; 406 407 if (xtables_strtoui(cb->arg, &tmp, NULL, 0, UINT8_MAX)) { 408 tos_parse_numeric(cb->arg, cb, UINT8_MAX); 409 return; 410 } 411 /* 412 * This is our way we deal with different defaults 413 * for different revisions. 414 */ 415 cb->val.tos_mask = cb->entry->max; 416 for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol) 417 if (strcasecmp(cb->arg, symbol->name) == 0) { 418 cb->val.tos_value = symbol->value; 419 return; 420 } 421 422 xtables_error(PARAMETER_PROBLEM, "Symbolic name \"%s\" is unknown", 423 cb->arg); 424 } 425 426 /** 427 * Validate the input for being conformant to "mark[/mask]". 428 */ 429 static void xtopt_parse_markmask(struct xt_option_call *cb) 430 { 431 unsigned int mark = 0, mask = ~0U; 432 char *end; 433 434 if (!xtables_strtoui(cb->arg, &end, &mark, 0, UINT32_MAX)) 435 xt_params->exit_err(PARAMETER_PROBLEM, 436 "%s: bad mark value for option \"--%s\", " 437 "or out of range.\n", 438 cb->ext_name, cb->entry->name); 439 if (*end == '/' && 440 !xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX)) 441 xt_params->exit_err(PARAMETER_PROBLEM, 442 "%s: bad mask value for option \"--%s\", " 443 "or out of range.\n", 444 cb->ext_name, cb->entry->name); 445 if (*end != '\0') 446 xt_params->exit_err(PARAMETER_PROBLEM, 447 "%s: trailing garbage after value " 448 "for option \"--%s\".\n", 449 cb->ext_name, cb->entry->name); 450 cb->val.mark = mark; 451 cb->val.mask = mask; 452 } 453 454 static int xtopt_sysloglvl_compare(const void *a, const void *b) 455 { 456 const char *name = a; 457 const struct syslog_level *entry = b; 458 459 return strcmp(name, entry->name); 460 } 461 462 static void xtopt_parse_sysloglevel(struct xt_option_call *cb) 463 { 464 static const struct syslog_level log_names[] = { /* must be sorted */ 465 {"alert", LOG_ALERT}, 466 {"crit", LOG_CRIT}, 467 {"debug", LOG_DEBUG}, 468 {"emerg", LOG_EMERG}, 469 {"error", LOG_ERR}, /* deprecated */ 470 {"info", LOG_INFO}, 471 {"notice", LOG_NOTICE}, 472 {"panic", LOG_EMERG}, /* deprecated */ 473 {"warning", LOG_WARNING}, 474 }; 475 const struct syslog_level *e; 476 unsigned int num = 0; 477 478 if (!xtables_strtoui(cb->arg, NULL, &num, 0, 7)) { 479 e = bsearch(cb->arg, log_names, ARRAY_SIZE(log_names), 480 sizeof(*log_names), xtopt_sysloglvl_compare); 481 if (e == NULL) 482 xt_params->exit_err(PARAMETER_PROBLEM, 483 "log level \"%s\" unknown\n", cb->arg); 484 num = e->level; 485 } 486 cb->val.syslog_level = num; 487 if (cb->entry->flags & XTOPT_PUT) 488 *(uint8_t *)XTOPT_MKPTR(cb) = num; 489 } 490 491 static void *xtables_sa_host(const void *sa, unsigned int afproto) 492 { 493 if (afproto == AF_INET6) 494 return &((struct sockaddr_in6 *)sa)->sin6_addr; 495 else if (afproto == AF_INET) 496 return &((struct sockaddr_in *)sa)->sin_addr; 497 return (void *)sa; 498 } 499 500 static socklen_t xtables_sa_hostlen(unsigned int afproto) 501 { 502 if (afproto == AF_INET6) 503 return sizeof(struct in6_addr); 504 else if (afproto == AF_INET) 505 return sizeof(struct in_addr); 506 return 0; 507 } 508 509 /** 510 * Accepts: a hostname (DNS), or a single inetaddr - without any mask. The 511 * result is stored in @cb->val.haddr. Additionally, @cb->val.hmask and 512 * @cb->val.hlen are set for completeness to the appropriate values. 513 */ 514 static void xtopt_parse_host(struct xt_option_call *cb) 515 { 516 struct addrinfo hints = {.ai_family = afinfo->family}; 517 unsigned int adcount = 0; 518 struct addrinfo *res, *p; 519 int ret; 520 521 ret = getaddrinfo(cb->arg, NULL, &hints, &res); 522 if (ret != 0) 523 xt_params->exit_err(PARAMETER_PROBLEM, 524 "getaddrinfo: %s\n", gai_strerror(ret)); 525 526 memset(&cb->val.hmask, 0xFF, sizeof(cb->val.hmask)); 527 cb->val.hlen = (afinfo->family == NFPROTO_IPV4) ? 32 : 128; 528 529 for (p = res; p != NULL; p = p->ai_next) { 530 if (adcount == 0) { 531 memset(&cb->val.haddr, 0, sizeof(cb->val.haddr)); 532 memcpy(&cb->val.haddr, 533 xtables_sa_host(p->ai_addr, p->ai_family), 534 xtables_sa_hostlen(p->ai_family)); 535 ++adcount; 536 continue; 537 } 538 if (memcmp(&cb->val.haddr, 539 xtables_sa_host(p->ai_addr, p->ai_family), 540 xtables_sa_hostlen(p->ai_family)) != 0) 541 xt_params->exit_err(PARAMETER_PROBLEM, 542 "%s resolves to more than one address\n", 543 cb->arg); 544 } 545 546 freeaddrinfo(res); 547 if (cb->entry->flags & XTOPT_PUT) 548 /* Validation in xtables_option_metavalidate */ 549 memcpy(XTOPT_MKPTR(cb), &cb->val.haddr, 550 sizeof(cb->val.haddr)); 551 } 552 553 /** 554 * @name: port name, or number as a string (e.g. "http" or "80") 555 * 556 * Resolve a port name to a number. Returns the port number in integral 557 * form on success, or <0 on error. (errno will not be set.) 558 */ 559 static int xtables_getportbyname(const char *name) 560 { 561 struct addrinfo *res = NULL, *p; 562 int ret; 563 564 ret = getaddrinfo(NULL, name, NULL, &res); 565 if (ret != 0) 566 return -1; 567 ret = -1; 568 for (p = res; p != NULL; p = p->ai_next) { 569 if (p->ai_family == AF_INET6) { 570 ret = ((struct sockaddr_in6 *)p->ai_addr)->sin6_port; 571 break; 572 } else if (p->ai_family == AF_INET) { 573 ret = ((struct sockaddr_in *)p->ai_addr)->sin_port; 574 break; 575 } 576 } 577 freeaddrinfo(res); 578 if (ret < 0) 579 return ret; 580 return ntohs(ret); 581 } 582 583 /** 584 * Validate and parse a protocol specification (number or name) by use of 585 * /etc/protocols and put the result into @cb->val.protocol. 586 */ 587 static void xtopt_parse_protocol(struct xt_option_call *cb) 588 { 589 cb->val.protocol = xtables_parse_protocol(cb->arg); 590 if (cb->entry->flags & XTOPT_PUT) 591 *(uint8_t *)XTOPT_MKPTR(cb) = cb->val.protocol; 592 } 593 594 /** 595 * Validate and parse a port specification and put the result into 596 * @cb->val.port. 597 */ 598 static void xtopt_parse_port(struct xt_option_call *cb) 599 { 600 const struct xt_option_entry *entry = cb->entry; 601 int ret; 602 603 ret = xtables_getportbyname(cb->arg); 604 if (ret < 0) 605 xt_params->exit_err(PARAMETER_PROBLEM, 606 "Port \"%s\" does not resolve to anything.\n", 607 cb->arg); 608 if (entry->flags & XTOPT_NBO) 609 ret = htons(ret); 610 cb->val.port = ret; 611 if (entry->flags & XTOPT_PUT) 612 *(uint16_t *)XTOPT_MKPTR(cb) = cb->val.port; 613 } 614 615 static void xtopt_parse_mport(struct xt_option_call *cb) 616 { 617 static const size_t esize = sizeof(uint16_t); 618 const struct xt_option_entry *entry = cb->entry; 619 char *lo_arg, *wp_arg, *arg; 620 unsigned int maxiter; 621 int value; 622 623 wp_arg = lo_arg = strdup(cb->arg); 624 if (lo_arg == NULL) 625 xt_params->exit_err(RESOURCE_PROBLEM, "strdup"); 626 627 maxiter = entry->size / esize; 628 if (maxiter == 0) 629 maxiter = 2; /* ARRAY_SIZE(cb->val.port_range) */ 630 if (entry->size % esize != 0) 631 xt_params->exit_err(OTHER_PROBLEM, "%s: memory block does " 632 "not have proper size\n", __func__); 633 634 cb->val.port_range[0] = 0; 635 cb->val.port_range[1] = UINT16_MAX; 636 cb->nvals = 0; 637 638 while ((arg = strsep(&wp_arg, ":")) != NULL) { 639 if (cb->nvals == maxiter) 640 xt_params->exit_err(PARAMETER_PROBLEM, "%s: Too many " 641 "components for option \"--%s\" (max: %u)\n", 642 cb->ext_name, entry->name, maxiter); 643 if (*arg == '\0') { 644 ++cb->nvals; 645 continue; 646 } 647 648 value = xtables_getportbyname(arg); 649 if (value < 0) 650 xt_params->exit_err(PARAMETER_PROBLEM, 651 "Port \"%s\" does not resolve to " 652 "anything.\n", arg); 653 if (entry->flags & XTOPT_NBO) 654 value = htons(value); 655 if (cb->nvals < ARRAY_SIZE(cb->val.port_range)) 656 cb->val.port_range[cb->nvals] = value; 657 ++cb->nvals; 658 } 659 660 if (cb->nvals == 1) { 661 cb->val.port_range[1] = cb->val.port_range[0]; 662 ++cb->nvals; 663 } 664 if (entry->flags & XTOPT_PUT) 665 memcpy(XTOPT_MKPTR(cb), cb->val.port_range, sizeof(uint16_t) * 666 (cb->nvals <= maxiter ? cb->nvals : maxiter)); 667 free(lo_arg); 668 } 669 670 static int xtopt_parse_mask(struct xt_option_call *cb) 671 { 672 struct addrinfo hints = {.ai_family = afinfo->family, 673 .ai_flags = AI_NUMERICHOST }; 674 struct addrinfo *res; 675 int ret; 676 677 ret = getaddrinfo(cb->arg, NULL, &hints, &res); 678 if (ret != 0) 679 return 0; 680 681 memcpy(&cb->val.hmask, xtables_sa_host(res->ai_addr, res->ai_family), 682 xtables_sa_hostlen(res->ai_family)); 683 684 switch(afinfo->family) { 685 case AF_INET: 686 cb->val.hlen = xtables_ipmask_to_cidr(&cb->val.hmask.in); 687 break; 688 case AF_INET6: 689 cb->val.hlen = xtables_ip6mask_to_cidr(&cb->val.hmask.in6); 690 break; 691 } 692 693 freeaddrinfo(res); 694 return 1; 695 } 696 697 /** 698 * Parse an integer and ensure it is within the address family's prefix length 699 * limits. The result is stored in @cb->val.hlen. 700 */ 701 static void xtopt_parse_plen(struct xt_option_call *cb) 702 { 703 const struct xt_option_entry *entry = cb->entry; 704 unsigned int prefix_len = 128; /* happiness is a warm gcc */ 705 706 cb->val.hlen = (afinfo->family == NFPROTO_IPV4) ? 32 : 128; 707 if (!xtables_strtoui(cb->arg, NULL, &prefix_len, 0, cb->val.hlen)) { 708 /* Is this mask expressed in full format? e.g. 255.255.255.0 */ 709 if (xtopt_parse_mask(cb)) 710 return; 711 712 xt_params->exit_err(PARAMETER_PROBLEM, 713 "%s: bad value for option \"--%s\", " 714 "neither a valid network mask " 715 "nor valid CIDR (%u-%u).\n", 716 cb->ext_name, entry->name, 0, cb->val.hlen); 717 } 718 cb->val.hlen = prefix_len; 719 } 720 721 /** 722 * Reuse xtopt_parse_plen for testing the integer. Afterwards convert this to 723 * a bitmask, and make it available through @cb->val.hmask (hlen remains 724 * valid). If %XTOPT_PUT is used, hmask will be copied to the target area. 725 */ 726 static void xtopt_parse_plenmask(struct xt_option_call *cb) 727 { 728 const struct xt_option_entry *entry = cb->entry; 729 uint32_t *mask = cb->val.hmask.all; 730 731 xtopt_parse_plen(cb); 732 733 memset(mask, 0xFF, sizeof(union nf_inet_addr)); 734 /* This shifting is AF-independent. */ 735 if (cb->val.hlen == 0) { 736 mask[0] = mask[1] = mask[2] = mask[3] = 0; 737 } else if (cb->val.hlen <= 32) { 738 mask[0] <<= 32 - cb->val.hlen; 739 mask[1] = mask[2] = mask[3] = 0; 740 } else if (cb->val.hlen <= 64) { 741 mask[1] <<= 32 - (cb->val.hlen - 32); 742 mask[2] = mask[3] = 0; 743 } else if (cb->val.hlen <= 96) { 744 mask[2] <<= 32 - (cb->val.hlen - 64); 745 mask[3] = 0; 746 } else if (cb->val.hlen <= 128) { 747 mask[3] <<= 32 - (cb->val.hlen - 96); 748 } 749 mask[0] = htonl(mask[0]); 750 mask[1] = htonl(mask[1]); 751 mask[2] = htonl(mask[2]); 752 mask[3] = htonl(mask[3]); 753 if (entry->flags & XTOPT_PUT) 754 memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr)); 755 } 756 757 static void xtopt_parse_hostmask(struct xt_option_call *cb) 758 { 759 const char *orig_arg = cb->arg; 760 char *work, *p; 761 762 if (strchr(cb->arg, '/') == NULL) { 763 xtopt_parse_host(cb); 764 return; 765 } 766 work = strdup(orig_arg); 767 if (work == NULL) 768 xt_params->exit_err(PARAMETER_PROBLEM, "strdup"); 769 p = strchr(work, '/'); /* by def this can't be NULL now */ 770 *p++ = '\0'; 771 /* 772 * Because xtopt_parse_host and xtopt_parse_plenmask would store 773 * different things in the same target area, XTTYPE_HOSTMASK must 774 * disallow XTOPT_PUT, which it does by forcing its absence, 775 * cf. not being listed in xtopt_psize. 776 */ 777 cb->arg = work; 778 xtopt_parse_host(cb); 779 cb->arg = p; 780 xtopt_parse_plenmask(cb); 781 cb->arg = orig_arg; 782 } 783 784 static void xtopt_parse_ethermac(struct xt_option_call *cb) 785 { 786 const char *arg = cb->arg; 787 unsigned int i; 788 char *end; 789 790 for (i = 0; i < ARRAY_SIZE(cb->val.ethermac) - 1; ++i) { 791 cb->val.ethermac[i] = strtoul(arg, &end, 16); 792 if (*end != ':' || end - arg > 2) 793 goto out; 794 arg = end + 1; 795 } 796 i = ARRAY_SIZE(cb->val.ethermac) - 1; 797 cb->val.ethermac[i] = strtoul(arg, &end, 16); 798 if (*end != '\0' || end - arg > 2) 799 goto out; 800 if (cb->entry->flags & XTOPT_PUT) 801 memcpy(XTOPT_MKPTR(cb), cb->val.ethermac, 802 sizeof(cb->val.ethermac)); 803 return; 804 out: 805 xt_params->exit_err(PARAMETER_PROBLEM, "Invalid MAC address specified."); 806 } 807 808 static void (*const xtopt_subparse[])(struct xt_option_call *) = { 809 [XTTYPE_UINT8] = xtopt_parse_int, 810 [XTTYPE_UINT16] = xtopt_parse_int, 811 [XTTYPE_UINT32] = xtopt_parse_int, 812 [XTTYPE_UINT64] = xtopt_parse_int, 813 [XTTYPE_UINT8RC] = xtopt_parse_mint, 814 [XTTYPE_UINT16RC] = xtopt_parse_mint, 815 [XTTYPE_UINT32RC] = xtopt_parse_mint, 816 [XTTYPE_UINT64RC] = xtopt_parse_mint, 817 [XTTYPE_DOUBLE] = xtopt_parse_float, 818 [XTTYPE_STRING] = xtopt_parse_string, 819 [XTTYPE_TOSMASK] = xtopt_parse_tosmask, 820 [XTTYPE_MARKMASK32] = xtopt_parse_markmask, 821 [XTTYPE_SYSLOGLEVEL] = xtopt_parse_sysloglevel, 822 [XTTYPE_HOST] = xtopt_parse_host, 823 [XTTYPE_HOSTMASK] = xtopt_parse_hostmask, 824 [XTTYPE_PROTOCOL] = xtopt_parse_protocol, 825 [XTTYPE_PORT] = xtopt_parse_port, 826 [XTTYPE_PORTRC] = xtopt_parse_mport, 827 [XTTYPE_PLEN] = xtopt_parse_plen, 828 [XTTYPE_PLENMASK] = xtopt_parse_plenmask, 829 [XTTYPE_ETHERMAC] = xtopt_parse_ethermac, 830 }; 831 832 /** 833 * The master option parsing routine. May be used for the ".x6_parse" 834 * function pointer in extensions if fully automatic parsing is desired. 835 * It may be also called manually from a custom x6_parse function. 836 */ 837 void xtables_option_parse(struct xt_option_call *cb) 838 { 839 const struct xt_option_entry *entry = cb->entry; 840 unsigned int eflag = 1 << cb->entry->id; 841 842 /* 843 * With {.id = P_FOO, .excl = P_FOO} we can have simple double-use 844 * prevention. Though it turned out that this is too much typing (most 845 * of the options are one-time use only), so now we also have 846 * %XTOPT_MULTI. 847 */ 848 if ((!(entry->flags & XTOPT_MULTI) || (entry->excl & eflag)) && 849 cb->xflags & eflag) 850 xt_params->exit_err(PARAMETER_PROBLEM, 851 "%s: option \"--%s\" can only be used once.\n", 852 cb->ext_name, cb->entry->name); 853 if (cb->invert && !(entry->flags & XTOPT_INVERT)) 854 xt_params->exit_err(PARAMETER_PROBLEM, 855 "%s: option \"--%s\" cannot be inverted.\n", 856 cb->ext_name, entry->name); 857 if (entry->type != XTTYPE_NONE && optarg == NULL) 858 xt_params->exit_err(PARAMETER_PROBLEM, 859 "%s: option \"--%s\" requires an argument.\n", 860 cb->ext_name, entry->name); 861 /* 862 * Fill in fallback value for "nvals", in case an extension (as it 863 * happened with libxt_conntrack.2) tries to read it, despite not using 864 * a *RC option type. 865 */ 866 cb->nvals = 1; 867 if (entry->type <= ARRAY_SIZE(xtopt_subparse) && 868 xtopt_subparse[entry->type] != NULL) 869 xtopt_subparse[entry->type](cb); 870 /* Exclusion with other flags tested later in finalize. */ 871 cb->xflags |= 1 << entry->id; 872 } 873 874 /** 875 * Verifies that an extension's option map descriptor is valid, and ought to 876 * be called right after the extension has been loaded, and before option 877 * merging/xfrm. 878 */ 879 void xtables_option_metavalidate(const char *name, 880 const struct xt_option_entry *entry) 881 { 882 for (; entry->name != NULL; ++entry) { 883 if (entry->id >= CHAR_BIT * sizeof(unsigned int) || 884 entry->id >= XT_OPTION_OFFSET_SCALE) 885 xt_params->exit_err(OTHER_PROBLEM, 886 "Extension %s uses invalid ID %u\n", 887 name, entry->id); 888 if (!(entry->flags & XTOPT_PUT)) { 889 if (entry->ptroff != 0) 890 xt_params->exit_err(OTHER_PROBLEM, 891 "%s: ptroff for \"--%s\" is non-" 892 "zero but no XTOPT_PUT is specified. " 893 "Oversight?", name, entry->name); 894 continue; 895 } 896 if (entry->type >= ARRAY_SIZE(xtopt_psize) || 897 xtopt_psize[entry->type] == 0) 898 xt_params->exit_err(OTHER_PROBLEM, 899 "%s: entry type of option \"--%s\" cannot be " 900 "combined with XTOPT_PUT\n", 901 name, entry->name); 902 if (xtopt_psize[entry->type] != -1 && 903 xtopt_psize[entry->type] != entry->size) 904 xt_params->exit_err(OTHER_PROBLEM, 905 "%s: option \"--%s\" points to a memory block " 906 "of wrong size (expected %zu, got %zu)\n", 907 name, entry->name, 908 xtopt_psize[entry->type], entry->size); 909 } 910 } 911 912 /** 913 * Find an option entry by its id. 914 */ 915 static const struct xt_option_entry * 916 xtables_option_lookup(const struct xt_option_entry *entry, unsigned int id) 917 { 918 for (; entry->name != NULL; ++entry) 919 if (entry->id == id) 920 return entry; 921 return NULL; 922 } 923 924 /** 925 * @c: getopt id (i.e. with offset) 926 * @fw: struct ipt_entry or ip6t_entry 927 * 928 * Dispatch arguments to the appropriate parse function, based upon the 929 * extension's choice of API. 930 */ 931 void xtables_option_tpcall(unsigned int c, char **argv, bool invert, 932 struct xtables_target *t, void *fw) 933 { 934 struct xt_option_call cb; 935 936 if (t->x6_parse == NULL) { 937 if (t->parse != NULL) 938 t->parse(c - t->option_offset, argv, invert, 939 &t->tflags, fw, &t->t); 940 return; 941 } 942 943 c -= t->option_offset; 944 cb.entry = xtables_option_lookup(t->x6_options, c); 945 if (cb.entry == NULL) 946 xtables_error(OTHER_PROBLEM, 947 "Extension does not know id %u\n", c); 948 cb.arg = optarg; 949 cb.invert = invert; 950 cb.ext_name = t->name; 951 cb.data = t->t->data; 952 cb.xflags = t->tflags; 953 cb.target = &t->t; 954 cb.xt_entry = fw; 955 cb.udata = t->udata; 956 t->x6_parse(&cb); 957 t->tflags = cb.xflags; 958 } 959 960 /** 961 * @c: getopt id (i.e. with offset) 962 * @fw: struct ipt_entry or ip6t_entry 963 * 964 * Dispatch arguments to the appropriate parse function, based upon the 965 * extension's choice of API. 966 */ 967 void xtables_option_mpcall(unsigned int c, char **argv, bool invert, 968 struct xtables_match *m, void *fw) 969 { 970 struct xt_option_call cb; 971 972 if (m->x6_parse == NULL) { 973 if (m->parse != NULL) 974 m->parse(c - m->option_offset, argv, invert, 975 &m->mflags, fw, &m->m); 976 return; 977 } 978 979 c -= m->option_offset; 980 cb.entry = xtables_option_lookup(m->x6_options, c); 981 if (cb.entry == NULL) 982 xtables_error(OTHER_PROBLEM, 983 "Extension does not know id %u\n", c); 984 cb.arg = optarg; 985 cb.invert = invert; 986 cb.ext_name = m->name; 987 cb.data = m->m->data; 988 cb.xflags = m->mflags; 989 cb.match = &m->m; 990 cb.xt_entry = fw; 991 cb.udata = m->udata; 992 m->x6_parse(&cb); 993 m->mflags = cb.xflags; 994 } 995 996 /** 997 * @name: name of extension 998 * @entry: current option (from all ext's entries) being validated 999 * @xflags: flags the extension has collected 1000 * @i: conflicting option (id) to test for 1001 */ 1002 static void 1003 xtables_option_fcheck2(const char *name, const struct xt_option_entry *entry, 1004 const struct xt_option_entry *other, 1005 unsigned int xflags) 1006 { 1007 unsigned int ef = 1 << entry->id, of = 1 << other->id; 1008 1009 if (entry->also & of && !(xflags & of)) 1010 xt_params->exit_err(PARAMETER_PROBLEM, 1011 "%s: option \"--%s\" also requires \"--%s\".\n", 1012 name, entry->name, other->name); 1013 1014 if (!(entry->excl & of)) 1015 /* Use of entry does not collide with other option, good. */ 1016 return; 1017 if ((xflags & (ef | of)) != (ef | of)) 1018 /* Conflicting options were not used. */ 1019 return; 1020 1021 xt_params->exit_err(PARAMETER_PROBLEM, 1022 "%s: option \"--%s\" cannot be used together with \"--%s\".\n", 1023 name, entry->name, other->name); 1024 } 1025 1026 /** 1027 * @name: name of extension 1028 * @xflags: accumulated flags 1029 * @entry: extension's option table 1030 * 1031 * Check that all option constraints have been met. This effectively replaces 1032 * ->final_check of the older API. 1033 */ 1034 void xtables_options_fcheck(const char *name, unsigned int xflags, 1035 const struct xt_option_entry *table) 1036 { 1037 const struct xt_option_entry *entry, *other; 1038 unsigned int i; 1039 1040 for (entry = table; entry->name != NULL; ++entry) { 1041 if (entry->flags & XTOPT_MAND && 1042 !(xflags & (1 << entry->id))) 1043 xt_params->exit_err(PARAMETER_PROBLEM, 1044 "%s: option \"--%s\" must be specified\n", 1045 name, entry->name); 1046 if (!(xflags & (1 << entry->id))) 1047 /* Not required, not specified, thus skip. */ 1048 continue; 1049 1050 for (i = 0; i < CHAR_BIT * sizeof(entry->id); ++i) { 1051 if (entry->id == i) 1052 /* 1053 * Avoid conflict with self. Multi-use check 1054 * was done earlier in xtables_option_parse. 1055 */ 1056 continue; 1057 other = xtables_option_lookup(table, i); 1058 if (other == NULL) 1059 continue; 1060 xtables_option_fcheck2(name, entry, other, xflags); 1061 } 1062 } 1063 } 1064 1065 /** 1066 * Dispatch arguments to the appropriate final_check function, based upon the 1067 * extension's choice of API. 1068 */ 1069 void xtables_option_tfcall(struct xtables_target *t) 1070 { 1071 if (t->x6_fcheck != NULL) { 1072 struct xt_fcheck_call cb; 1073 1074 cb.ext_name = t->name; 1075 cb.data = t->t->data; 1076 cb.xflags = t->tflags; 1077 cb.udata = t->udata; 1078 t->x6_fcheck(&cb); 1079 } else if (t->final_check != NULL) { 1080 t->final_check(t->tflags); 1081 } 1082 if (t->x6_options != NULL) 1083 xtables_options_fcheck(t->name, t->tflags, t->x6_options); 1084 } 1085 1086 /** 1087 * Dispatch arguments to the appropriate final_check function, based upon the 1088 * extension's choice of API. 1089 */ 1090 void xtables_option_mfcall(struct xtables_match *m) 1091 { 1092 if (m->x6_fcheck != NULL) { 1093 struct xt_fcheck_call cb; 1094 1095 cb.ext_name = m->name; 1096 cb.data = m->m->data; 1097 cb.xflags = m->mflags; 1098 cb.udata = m->udata; 1099 m->x6_fcheck(&cb); 1100 } else if (m->final_check != NULL) { 1101 m->final_check(m->mflags); 1102 } 1103 if (m->x6_options != NULL) 1104 xtables_options_fcheck(m->name, m->mflags, m->x6_options); 1105 } 1106 1107 struct xtables_lmap *xtables_lmap_init(const char *file) 1108 { 1109 struct xtables_lmap *lmap_head = NULL, *lmap_prev = NULL, *lmap_this; 1110 char buf[512]; 1111 FILE *fp; 1112 char *cur, *nxt; 1113 int id; 1114 1115 fp = fopen(file, "re"); 1116 if (fp == NULL) 1117 return NULL; 1118 1119 while (fgets(buf, sizeof(buf), fp) != NULL) { 1120 cur = buf; 1121 while (isspace(*cur)) 1122 ++cur; 1123 if (*cur == '#' || *cur == '\n' || *cur == '\0') 1124 continue; 1125 1126 /* iproute2 allows hex and dec format */ 1127 errno = 0; 1128 id = strtoul(cur, &nxt, strncmp(cur, "0x", 2) == 0 ? 16 : 10); 1129 if (nxt == cur || errno != 0) 1130 continue; 1131 1132 /* same boundaries as in iproute2 */ 1133 if (id < 0 || id > 255) 1134 continue; 1135 cur = nxt; 1136 1137 if (!isspace(*cur)) 1138 continue; 1139 while (isspace(*cur)) 1140 ++cur; 1141 if (*cur == '#' || *cur == '\n' || *cur == '\0') 1142 continue; 1143 nxt = cur; 1144 while (*nxt != '\0' && !isspace(*nxt)) 1145 ++nxt; 1146 if (nxt == cur) 1147 continue; 1148 *nxt = '\0'; 1149 1150 /* found valid data */ 1151 lmap_this = malloc(sizeof(*lmap_this)); 1152 if (lmap_this == NULL) { 1153 perror("malloc"); 1154 goto out; 1155 } 1156 lmap_this->id = id; 1157 lmap_this->name = strdup(cur); 1158 if (lmap_this->name == NULL) { 1159 free(lmap_this); 1160 goto out; 1161 } 1162 lmap_this->next = NULL; 1163 1164 if (lmap_prev != NULL) 1165 lmap_prev->next = lmap_this; 1166 else 1167 lmap_head = lmap_this; 1168 lmap_prev = lmap_this; 1169 } 1170 1171 fclose(fp); 1172 return lmap_head; 1173 out: 1174 fclose(fp); 1175 xtables_lmap_free(lmap_head); 1176 return NULL; 1177 } 1178 1179 void xtables_lmap_free(struct xtables_lmap *head) 1180 { 1181 struct xtables_lmap *next; 1182 1183 for (; head != NULL; head = next) { 1184 next = head->next; 1185 free(head->name); 1186 free(head); 1187 } 1188 } 1189 1190 int xtables_lmap_name2id(const struct xtables_lmap *head, const char *name) 1191 { 1192 for (; head != NULL; head = head->next) 1193 if (strcmp(head->name, name) == 0) 1194 return head->id; 1195 return -1; 1196 } 1197 1198 const char *xtables_lmap_id2name(const struct xtables_lmap *head, int id) 1199 { 1200 for (; head != NULL; head = head->next) 1201 if (head->id == id) 1202 return head->name; 1203 return NULL; 1204 } 1205