1 #include <config.h>
2 #include <getopt.h>
3 #include <errno.h>
4 #include <libgen.h>
5 #include <netdb.h>
6 #include <stdbool.h>
7 #include <stdint.h>
8 #include <stdio.h>
9 #include <stdlib.h>
10 #include <string.h>
11 #include <sys/file.h>
12 #include <sys/socket.h>
13 #include <sys/un.h>
14 #include <sys/time.h>
15 #include <unistd.h>
16 #include <fcntl.h>
17 #include <xtables.h>
18 #include <math.h>
19 #include "xshared.h"
20 
21 /*
22  * Print out any special helps. A user might like to be able to add a --help
23  * to the commandline, and see expected results. So we call help for all
24  * specified matches and targets.
25  */
print_extension_helps(const struct xtables_target * t,const struct xtables_rule_match * m)26 void print_extension_helps(const struct xtables_target *t,
27     const struct xtables_rule_match *m)
28 {
29 	for (; t != NULL; t = t->next) {
30 		if (t->used) {
31 			printf("\n");
32 			if (t->help == NULL)
33 				printf("%s does not take any options\n",
34 				       t->name);
35 			else
36 				t->help();
37 		}
38 	}
39 	for (; m != NULL; m = m->next) {
40 		printf("\n");
41 		if (m->match->help == NULL)
42 			printf("%s does not take any options\n",
43 			       m->match->name);
44 		else
45 			m->match->help();
46 	}
47 }
48 
49 const char *
proto_to_name(uint8_t proto,int nolookup)50 proto_to_name(uint8_t proto, int nolookup)
51 {
52 	unsigned int i;
53 
54 	if (proto && !nolookup) {
55 		struct protoent *pent = getprotobynumber(proto);
56 		if (pent)
57 			return pent->p_name;
58 	}
59 
60 	for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
61 		if (xtables_chain_protos[i].num == proto)
62 			return xtables_chain_protos[i].name;
63 
64 	return NULL;
65 }
66 
67 static struct xtables_match *
find_proto(const char * pname,enum xtables_tryload tryload,int nolookup,struct xtables_rule_match ** matches)68 find_proto(const char *pname, enum xtables_tryload tryload,
69 	   int nolookup, struct xtables_rule_match **matches)
70 {
71 	unsigned int proto;
72 
73 	if (xtables_strtoui(pname, NULL, &proto, 0, UINT8_MAX)) {
74 		const char *protoname = proto_to_name(proto, nolookup);
75 
76 		if (protoname)
77 			return xtables_find_match(protoname, tryload, matches);
78 	} else
79 		return xtables_find_match(pname, tryload, matches);
80 
81 	return NULL;
82 }
83 
84 /*
85  * Some explanations (after four different bugs in 3 different releases): If
86  * we encounter a parameter, that has not been parsed yet, it's not an option
87  * of an explicitly loaded match or a target. However, we support implicit
88  * loading of the protocol match extension. '-p tcp' means 'l4 proto 6' and at
89  * the same time 'load tcp protocol match on demand if we specify --dport'.
90  *
91  * To make this work, we need to make sure:
92  * - the parameter has not been parsed by a match (m above)
93  * - a protocol has been specified
94  * - the protocol extension has not been loaded yet, or is loaded and unused
95  *   [think of ip6tables-restore!]
96  * - the protocol extension can be successively loaded
97  */
should_load_proto(struct iptables_command_state * cs)98 static bool should_load_proto(struct iptables_command_state *cs)
99 {
100 	if (cs->protocol == NULL)
101 		return false;
102 	if (find_proto(cs->protocol, XTF_DONT_LOAD,
103 	    cs->options & OPT_NUMERIC, NULL) == NULL)
104 		return true;
105 	return !cs->proto_used;
106 }
107 
load_proto(struct iptables_command_state * cs)108 struct xtables_match *load_proto(struct iptables_command_state *cs)
109 {
110 	if (!should_load_proto(cs))
111 		return NULL;
112 	return find_proto(cs->protocol, XTF_TRY_LOAD,
113 			  cs->options & OPT_NUMERIC, &cs->matches);
114 }
115 
command_default(struct iptables_command_state * cs,struct xtables_globals * gl)116 int command_default(struct iptables_command_state *cs,
117 		    struct xtables_globals *gl)
118 {
119 	struct xtables_rule_match *matchp;
120 	struct xtables_match *m;
121 
122 	if (cs->target != NULL &&
123 	    (cs->target->parse != NULL || cs->target->x6_parse != NULL) &&
124 	    cs->c >= cs->target->option_offset &&
125 	    cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) {
126 		xtables_option_tpcall(cs->c, cs->argv, cs->invert,
127 				      cs->target, &cs->fw);
128 		return 0;
129 	}
130 
131 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
132 		m = matchp->match;
133 
134 		if (matchp->completed ||
135 		    (m->x6_parse == NULL && m->parse == NULL))
136 			continue;
137 		if (cs->c < matchp->match->option_offset ||
138 		    cs->c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
139 			continue;
140 		xtables_option_mpcall(cs->c, cs->argv, cs->invert, m, &cs->fw);
141 		return 0;
142 	}
143 
144 	/* Try loading protocol */
145 	m = load_proto(cs);
146 	if (m != NULL) {
147 		size_t size;
148 
149 		cs->proto_used = 1;
150 
151 		size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
152 
153 		m->m = xtables_calloc(1, size);
154 		m->m->u.match_size = size;
155 		strcpy(m->m->u.user.name, m->name);
156 		m->m->u.user.revision = m->revision;
157 		xs_init_match(m);
158 
159 		if (m->x6_options != NULL)
160 			gl->opts = xtables_options_xfrm(gl->orig_opts,
161 							gl->opts,
162 							m->x6_options,
163 							&m->option_offset);
164 		else
165 			gl->opts = xtables_merge_options(gl->orig_opts,
166 							 gl->opts,
167 							 m->extra_opts,
168 							 &m->option_offset);
169 		if (gl->opts == NULL)
170 			xtables_error(OTHER_PROBLEM, "can't alloc memory!");
171 		optind--;
172 		/* Indicate to rerun getopt *immediately* */
173  		return 1;
174 	}
175 
176 	if (cs->c == ':')
177 		xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
178 		              "requires an argument", cs->argv[optind-1]);
179 	if (cs->c == '?')
180 		xtables_error(PARAMETER_PROBLEM, "unknown option "
181 			      "\"%s\"", cs->argv[optind-1]);
182 	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
183 	return 0;
184 }
185 
subcmd_get(const char * cmd,const struct subcommand * cb)186 static mainfunc_t subcmd_get(const char *cmd, const struct subcommand *cb)
187 {
188 	for (; cb->name != NULL; ++cb)
189 		if (strcmp(cb->name, cmd) == 0)
190 			return cb->main;
191 	return NULL;
192 }
193 
subcmd_main(int argc,char ** argv,const struct subcommand * cb)194 int subcmd_main(int argc, char **argv, const struct subcommand *cb)
195 {
196 	const char *cmd = basename(*argv);
197 	mainfunc_t f = subcmd_get(cmd, cb);
198 
199 	if (f == NULL && argc > 1) {
200 		/*
201 		 * Unable to find a main method for our command name?
202 		 * Let's try again with the first argument!
203 		 */
204 		++argv;
205 		--argc;
206 		f = subcmd_get(*argv, cb);
207 	}
208 
209 	/* now we should have a valid function pointer */
210 	if (f != NULL)
211 		return f(argc, argv);
212 
213 	fprintf(stderr, "ERROR: No valid subcommand given.\nValid subcommands:\n");
214 	for (; cb->name != NULL; ++cb)
215 		fprintf(stderr, " * %s\n", cb->name);
216 	exit(EXIT_FAILURE);
217 }
218 
xs_init_target(struct xtables_target * target)219 void xs_init_target(struct xtables_target *target)
220 {
221 	if (target->udata_size != 0) {
222 		free(target->udata);
223 		target->udata = calloc(1, target->udata_size);
224 		if (target->udata == NULL)
225 			xtables_error(RESOURCE_PROBLEM, "malloc");
226 	}
227 	if (target->init != NULL)
228 		target->init(target->t);
229 }
230 
xs_init_match(struct xtables_match * match)231 void xs_init_match(struct xtables_match *match)
232 {
233 	if (match->udata_size != 0) {
234 		/*
235 		 * As soon as a subsequent instance of the same match
236 		 * is used, e.g. "-m time -m time", the first instance
237 		 * is no longer reachable anyway, so we can free udata.
238 		 * Same goes for target.
239 		 */
240 		free(match->udata);
241 		match->udata = calloc(1, match->udata_size);
242 		if (match->udata == NULL)
243 			xtables_error(RESOURCE_PROBLEM, "malloc");
244 	}
245 	if (match->init != NULL)
246 		match->init(match->m);
247 }
248 
xtables_lock(int wait,struct timeval * wait_interval)249 static int xtables_lock(int wait, struct timeval *wait_interval)
250 {
251 	struct timeval time_left, wait_time;
252 	int fd, i = 0;
253 
254 	time_left.tv_sec = wait;
255 	time_left.tv_usec = 0;
256 
257 	fd = open(XT_LOCK_NAME, O_CREAT, 0600);
258 	if (fd < 0) {
259 		fprintf(stderr, "Fatal: can't open lock file %s: %s\n",
260 			XT_LOCK_NAME, strerror(errno));
261 		return XT_LOCK_FAILED;
262 	}
263 
264 	if (wait == -1) {
265 		if (flock(fd, LOCK_EX) == 0)
266 			return fd;
267 
268 		fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME,
269 			strerror(errno));
270 		return XT_LOCK_BUSY;
271 	}
272 
273 	while (1) {
274 		if (flock(fd, LOCK_EX | LOCK_NB) == 0)
275 			return fd;
276 		else if (timercmp(&time_left, wait_interval, <))
277 			return XT_LOCK_BUSY;
278 
279 		if (++i % 10 == 0) {
280 			fprintf(stderr, "Another app is currently holding the xtables lock; "
281 				"still %lds %ldus time ahead to have a chance to grab the lock...\n",
282 				time_left.tv_sec, time_left.tv_usec);
283 		}
284 
285 		wait_time = *wait_interval;
286 		select(0, NULL, NULL, NULL, &wait_time);
287 		timersub(&time_left, wait_interval, &time_left);
288 	}
289 }
290 
xtables_unlock(int lock)291 void xtables_unlock(int lock)
292 {
293 	if (lock >= 0)
294 		close(lock);
295 }
296 
xtables_lock_or_exit(int wait,struct timeval * wait_interval)297 int xtables_lock_or_exit(int wait, struct timeval *wait_interval)
298 {
299 	int lock = xtables_lock(wait, wait_interval);
300 
301 	if (lock == XT_LOCK_FAILED) {
302 		xtables_free_opts(1);
303 		exit(RESOURCE_PROBLEM);
304 	}
305 
306 	if (lock == XT_LOCK_BUSY) {
307 		fprintf(stderr, "Another app is currently holding the xtables lock. ");
308 		if (wait == 0)
309 			fprintf(stderr, "Perhaps you want to use the -w option?\n");
310 		else
311 			fprintf(stderr, "Stopped waiting after %ds.\n", wait);
312 		xtables_free_opts(1);
313 		exit(RESOURCE_PROBLEM);
314 	}
315 
316 	return lock;
317 }
318 
parse_wait_time(int argc,char * argv[])319 int parse_wait_time(int argc, char *argv[])
320 {
321 	int wait = -1;
322 
323 	if (optarg) {
324 		if (sscanf(optarg, "%i", &wait) != 1)
325 			xtables_error(PARAMETER_PROBLEM,
326 				"wait seconds not numeric");
327 	} else if (xs_has_arg(argc, argv))
328 		if (sscanf(argv[optind++], "%i", &wait) != 1)
329 			xtables_error(PARAMETER_PROBLEM,
330 				"wait seconds not numeric");
331 
332 	return wait;
333 }
334 
parse_wait_interval(int argc,char * argv[],struct timeval * wait_interval)335 void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval)
336 {
337 	const char *arg;
338 	unsigned int usec;
339 	int ret;
340 
341 	if (optarg)
342 		arg = optarg;
343 	else if (xs_has_arg(argc, argv))
344 		arg = argv[optind++];
345 	else
346 		return;
347 
348 	ret = sscanf(arg, "%u", &usec);
349 	if (ret == 1) {
350 		if (usec > 999999)
351 			xtables_error(PARAMETER_PROBLEM,
352 				      "too long usec wait %u > 999999 usec",
353 				      usec);
354 
355 		wait_interval->tv_sec = 0;
356 		wait_interval->tv_usec = usec;
357 		return;
358 	}
359 	xtables_error(PARAMETER_PROBLEM, "wait interval not numeric");
360 }
361 
xs_has_arg(int argc,char * argv[])362 inline bool xs_has_arg(int argc, char *argv[])
363 {
364 	return optind < argc &&
365 	       argv[optind][0] != '-' &&
366 	       argv[optind][0] != '!';
367 }
368