contrib/fwd: add fwd_xt_parse_frag(), fwd_xt_append_rule() and fwd_xt_insert_rule...

diff --git a/contrib/fwd/src/fwd_rules.c b/contrib/fwd/src/fwd_rules.c
index 595b1e7f4e4fb00ce5b9f6a9648aebffc9a3cbe3..300939d7f3315c43477f82ad677377a6d42ac976 100644 (file)
--- a/contrib/fwd/src/fwd_rules.c
+++ b/contrib/fwd/src/fwd_rules.c
@@ -45,7 +45,7 @@ static void fwd_r_jump_chain(
        if( (r = fwd_xt_init_rule(h)) != NULL )
        {
                fwd_xt_get_target(r, chain2);
-               fwd_xt_exec_rule(r, chain1);
+               fwd_xt_append_rule(r, chain1);
        }
 }
 
@@ -61,7 +61,7 @@ static void fwd_r_drop_invalid(struct iptc_handle *h, const char *chain)
                {
                        fwd_xt_parse_match(r, m, "--state", "INVALID");
                        fwd_xt_get_target(r, "DROP");
-                       fwd_xt_exec_rule(r, chain);
+                       fwd_xt_append_rule(r, chain);
                }
        }
 }
@@ -78,7 +78,7 @@ static void fwd_r_accept_related(struct iptc_handle *h, const char *chain)
                {
                        fwd_xt_parse_match(r, m, "--state", "RELATED,ESTABLISHED");
                        fwd_xt_get_target(r, "ACCEPT");
-                       fwd_xt_exec_rule(r, chain);
+                       fwd_xt_append_rule(r, chain);
                }
        }
 }
@@ -95,14 +95,14 @@ static void fwd_r_accept_lo(struct iptc_handle *h)
        {
                fwd_xt_parse_in(r, &n, 0);
                fwd_xt_get_target(r, "ACCEPT");
-               fwd_xt_exec_rule(r, "INPUT");
+               fwd_xt_append_rule(r, "INPUT");
        }
 
        if( (r = fwd_xt_init_rule(h)) != NULL )
        {
                fwd_xt_parse_out(r, &n, 0);
                fwd_xt_get_target(r, "ACCEPT");
-               fwd_xt_exec_rule(r, "OUTPUT");
+               fwd_xt_append_rule(r, "OUTPUT");
        }
 }
 
@@ -142,7 +142,7 @@ static void fwd_r_add_synflood(struct iptc_handle *h, struct fwd_defaults *def)
 
                /* -j RETURN; -A syn_flood */
                fwd_xt_get_target(r, "RETURN");
-               fwd_xt_exec_rule(r, "syn_flood");
+               fwd_xt_append_rule(r, "syn_flood");
        }
 
        /* drop rule */
@@ -150,7 +150,7 @@ static void fwd_r_add_synflood(struct iptc_handle *h, struct fwd_defaults *def)
        {       
                /* -j DROP; -A syn_flood */
                fwd_xt_get_target(r, "DROP");
-               fwd_xt_exec_rule(r, "syn_flood");
+               fwd_xt_append_rule(r, "syn_flood");
        }
 
        /* jump to syn_flood rule */
@@ -168,7 +168,7 @@ static void fwd_r_add_synflood(struct iptc_handle *h, struct fwd_defaults *def)
 
                /* -j syn_flood; -A INPUT */
                fwd_xt_get_target(r, "syn_flood");
-               fwd_xt_exec_rule(r, "INPUT");
+               fwd_xt_append_rule(r, "INPUT");
        }
 }
 
@@ -196,7 +196,7 @@ static void fwd_r_handle_reject(struct iptc_handle *h)
                }
 
                /* -A handle_reject */
-               fwd_xt_exec_rule(r, "handle_reject");
+               fwd_xt_append_rule(r, "handle_reject");
        }
 
        /* common reject rule */
@@ -210,7 +210,7 @@ static void fwd_r_handle_reject(struct iptc_handle *h)
                }
 
                /* -A handle_reject */
-               fwd_xt_exec_rule(r, "handle_reject");
+               fwd_xt_append_rule(r, "handle_reject");
        }
 }
 
@@ -227,7 +227,7 @@ static void fwd_r_handle_drop(struct iptc_handle *h)
        {
                /* -j DROP; -A handle_reject */
                fwd_xt_get_target(r, "DROP");
-               fwd_xt_exec_rule(r, "handle_reject");
+               fwd_xt_append_rule(r, "handle_reject");
        }
 }
 
@@ -244,7 +244,7 @@ static void fwd_r_handle_accept(struct iptc_handle *h)
        {
                /* -j ACCEPT; -A handle_accept */
                fwd_xt_get_target(r, "ACCEPT");
-               fwd_xt_exec_rule(r, "handle_accept");
+               fwd_xt_append_rule(r, "handle_accept");
        }
 }
 
@@ -603,7 +603,7 @@ void fwd_ipt_addif(struct fwd_handle *h, const char *net)
                        fwd_xt_parse_out(x, n, 0);                                      /* -o ... */
                        fwd_xt_get_target(x, "MASQUERADE");                     /* -j MASQUERADE */
                        fwd_r_add_comment(x, "masq", z, NULL, n);       /* -m comment ... */
-                       fwd_xt_exec_rule(x, "zonemasq");                        /* -A zonemasq */
+                       fwd_xt_append_rule(x, "zonemasq");                      /* -A zonemasq */
                }
        }
 
@@ -630,7 +630,7 @@ void fwd_ipt_addif(struct fwd_handle *h, const char *net)
                        fwd_r_add_comment(x, "mssfix", z, NULL, n);
 
                        /* -A mssfix */
-                       fwd_xt_exec_rule(x, "mssfix");
+                       fwd_xt_append_rule(x, "mssfix");
                }
        }
 
@@ -650,7 +650,7 @@ void fwd_ipt_addif(struct fwd_handle *h, const char *net)
                                fwd_xt_parse_out(x, n2, 0);                             /* -o ... */
                                fwd_r_add_policytarget(x, z->forward);  /* -j handle_... */
                                fwd_r_add_comment(x, "zone", z, n, n2); /* -m comment ... */
-                               fwd_xt_exec_rule(x, "zones");                   /* -A zones */
+                               fwd_xt_append_rule(x, "zones");                 /* -A zones */
                        }
                }
        }
@@ -672,7 +672,7 @@ void fwd_ipt_addif(struct fwd_handle *h, const char *net)
                                fwd_xt_parse_out(x, n2, 0);                                     /* -o ... */
                                fwd_r_add_policytarget(x, FWD_P_ACCEPT);        /* -j handle_... */
                                fwd_r_add_comment(x, "forward", z, n, n2);      /* -m comment ... */
-                               fwd_xt_exec_rule(x, "forwardings");                     /* -A forwardings */
+                               fwd_xt_append_rule(x, "forwardings");                   /* -A forwardings */
                        }
                }
        }
@@ -695,7 +695,7 @@ void fwd_ipt_addif(struct fwd_handle *h, const char *net)
                        fwd_r_add_srcmac(x, r->src_mac);                        /* -m mac --mac-source ... */
                        fwd_r_add_dnattarget(x, r->dest_ip, r->dest_port);      /* -j DNAT ... */
                        fwd_r_add_comment(x, "redir", z, n, NULL);      /* -m comment ... */
-                       fwd_xt_exec_rule(x, "redirects");                       /* -A redirects */
+                       fwd_xt_append_rule(x, "redirects");                     /* -A redirects */
                }
 
                /* Forward */
@@ -710,7 +710,7 @@ void fwd_ipt_addif(struct fwd_handle *h, const char *net)
                        fwd_r_add_dport(x, r->dest_port);                       /* --dport ... */
                        fwd_r_add_policytarget(x, FWD_P_ACCEPT);        /* -j handle_accept */
                        fwd_r_add_comment(x, "redir", z, n, NULL);      /* -m comment ... */
-                       fwd_xt_exec_rule(x, "redirects");                       /* -A redirects */
+                       fwd_xt_append_rule(x, "redirects");                     /* -A redirects */
                }
 
                /* Add loopback rule if neither src_ip nor src_mac are defined */
@@ -725,7 +725,7 @@ void fwd_ipt_addif(struct fwd_handle *h, const char *net)
                                fwd_r_add_dport(x, r->src_dport);                       /* --dport ... */
                                fwd_xt_get_target(x, "MASQUERADE");                     /* -j MASQUERADE */
                                fwd_r_add_comment(x, "redir", z, n, NULL);      /* -m comment ... */
-                               fwd_xt_exec_rule(x, "loopback");                        /* -A loopback */
+                               fwd_xt_append_rule(x, "loopback");                      /* -A loopback */
                        }
                }
        }
@@ -756,7 +756,7 @@ void fwd_ipt_addif(struct fwd_handle *h, const char *net)
                                        fwd_r_add_dport(x, c->dest_port);               /* --dport ... */
                                        fwd_r_add_policytarget(x, c->target);   /* -j handle_... */
                                        fwd_r_add_comment(x, "rule", z, n, n2); /* -m comment ... */
-                                       fwd_xt_exec_rule(x, "rules");                   /* -A rules */
+                                       fwd_xt_append_rule(x, "rules");                 /* -A rules */
                                }
                        }
                }
@@ -779,7 +779,7 @@ void fwd_ipt_addif(struct fwd_handle *h, const char *net)
                                fwd_r_add_dport(x, c->dest_port);                       /* --dport ... */
                                fwd_r_add_policytarget(x, c->target);           /* -j handle_... */
                                fwd_r_add_comment(x, "rule", z, n, NULL);       /* -m comment ... */
-                               fwd_xt_exec_rule(x, "rules");                           /* -A rules */
+                               fwd_xt_append_rule(x, "rules");                         /* -A rules */
                        }
                }
        }

diff --git a/contrib/fwd/src/fwd_xtables.c b/contrib/fwd/src/fwd_xtables.c
index 6f569fd27ab9333f12c934cb1548dd73f59c6b82..c0a3c582d870144ea51190a30667c1ec21c9d196 100644 (file)
--- a/contrib/fwd/src/fwd_xtables.c
+++ b/contrib/fwd/src/fwd_xtables.c
@@ -82,6 +82,17 @@ struct fwd_xt_rule * fwd_xt_init_rule(struct iptc_handle *h)
        return NULL;
 }
 
+void fwd_xt_parse_frag(
+       struct fwd_xt_rule *r, int frag, int inv
+) {
+       if( frag )
+       {
+               r->entry->ip.flags |= IPT_F_FRAG;
+
+               if( inv )
+                       r->entry->ip.invflags |= IPT_INV_FRAG;
+       }
+}
 
 void fwd_xt_parse_proto(
        struct fwd_xt_rule *r, struct fwd_proto *p, int inv
@@ -312,7 +323,7 @@ void __fwd_xt_parse_target(
 }
 
 
-int fwd_xt_exec_rule(struct fwd_xt_rule *r, const char *chain)
+static int fwd_xt_exec_rule(struct fwd_xt_rule *r, const char *chain, int pos)
 {
        size_t s;
        struct xtables_rule_match *m, *next;
@@ -344,7 +355,10 @@ int fwd_xt_exec_rule(struct fwd_xt_rule *r, const char *chain)
 
                memcpy(e->elems + s, r->target->t, r->target->t->u.target_size);
 
-               rv = iptc_append_entry(chain, e, r->iptc);
+               rv = (pos > -1)
+                       ? iptc_insert_entry(chain, e, (unsigned int) pos, r->iptc)
+                       : iptc_append_entry(chain, e, r->iptc)
+               ;
        }
        else
        {
@@ -383,3 +397,15 @@ int fwd_xt_exec_rule(struct fwd_xt_rule *r, const char *chain)
        return rv;
 }
 
+int fwd_xt_insert_rule(
+       struct fwd_xt_rule *r, const char *chain, unsigned int pos
+) {
+       return fwd_xt_exec_rule(r, chain, pos);
+}
+
+int fwd_xt_append_rule(
+       struct fwd_xt_rule *r, const char *chain
+) {
+       return fwd_xt_exec_rule(r, chain, -1);
+}
+

diff --git a/contrib/fwd/src/fwd_xtables.h b/contrib/fwd/src/fwd_xtables.h
index f894b47e42081f3674f3e170f7dd9fae37b35563..45b638a058ee9a25f6a85c8d1620ca3bcb47046a 100644 (file)
--- a/contrib/fwd/src/fwd_xtables.h
+++ b/contrib/fwd/src/fwd_xtables.h
@@ -54,6 +54,7 @@ void fwd_xt_parse_in(struct fwd_xt_rule *r, struct fwd_network_list *n, int inv)
 void fwd_xt_parse_out(struct fwd_xt_rule *r, struct fwd_network_list *n, int inv);
 void fwd_xt_parse_src(struct fwd_xt_rule *r, struct fwd_cidr *c, int inv);
 void fwd_xt_parse_dest(struct fwd_xt_rule *r, struct fwd_cidr *c, int inv);
+void fwd_xt_parse_frag(struct fwd_xt_rule *r, int frag, int inv);
 
 struct xtables_match * fwd_xt_get_match(struct fwd_xt_rule *r, const char *name);
 void __fwd_xt_parse_match(struct fwd_xt_rule *r, struct xtables_match *m, ...);
@@ -63,6 +64,7 @@ struct xtables_target * fwd_xt_get_target(struct fwd_xt_rule *r, const char *nam
 void __fwd_xt_parse_target(struct fwd_xt_rule *r, struct xtables_target *t, ...);
 #define fwd_xt_parse_target(r, t, ...) __fwd_xt_parse_target(r, t, __VA_ARGS__, NULL)
 
-int fwd_xt_exec_rule(struct fwd_xt_rule *r, const char *chain);
+int fwd_xt_append_rule(struct fwd_xt_rule *r, const char *chain);
+int fwd_xt_insert_rule(struct fwd_xt_rule *r, const char *chain, unsigned int pos);
 
 #endif