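/*
 * MiniUPnP project
 * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
 * (c) 2015 Tomofumi Hayashi
 * (c) 2019 Paul Chambers
 * (c) 2020 Thomas Bernard
 *
 * This software is subject to the conditions detailed
 * in the LICENCE file provided within the distribution.
 */
#ifndef NFTNLRDR_MISC_H_INCLUDED
#define NFTNLRDR_MISC_H_INCLUDED

/* Every type this header names is declared here, so the header can be
 * included first (or on its own) without depending on the including
 * file's include order. */
#include <stddef.h>                     /* size_t */
#include <stdint.h>                     /* uint8_t .. uint64_t */
#include <sys/queue.h>                  /* LIST_ENTRY / LIST_HEAD */
#include <netinet/in.h>                 /* in_addr_t, struct in6_addr */
#include <linux/netfilter/nf_tables.h>  /* enum nf_tables_msg_types */

/* libnftnl / libmnl objects only cross this interface by pointer, so
 * forward declarations are enough; the library headers stay in the .c files. */
struct nftnl_rule;
struct mnl_nlmsg_batch;

/* nftables table and chain names used by this backend.
 * Defined in the implementation file. */
extern const char * nft_table;
extern const char * nft_prerouting_chain;
extern const char * nft_postrouting_chain;
extern const char * nft_forward_chain;

/* Buffer size (bytes) used for a rule's textual description. */
#define NFT_DESCR_SIZE 1024

/* Tags describing what a rule's reg1/reg2 registers were loaded with
 * (see rule_t.reg1_type / reg2_type). The exact decoding is in the
 * implementation. */
enum rule_reg_type {
	RULE_REG_NONE,
	RULE_REG_IIF,
	RULE_REG_OIF,
	RULE_REG_IP_SRC_ADDR,
	RULE_REG_IP_DEST_ADDR,
	RULE_REG_IP_SD_ADDR,       /* source & dest */
	RULE_REG_IP6_SRC_ADDR,
	RULE_REG_IP6_DEST_ADDR,
	RULE_REG_IP6_SD_ADDR,      /* source & dest */
	RULE_REG_IP_PROTO,
	RULE_REG_IP6_PROTO,
	RULE_REG_TCP_DPORT,
	RULE_REG_TCP_SD_PORT,      /* source & dest */
	RULE_REG_IMM_VAL,          /* immediate */
	RULE_REG_MAX,
};

/* Kind of rule held in a rule_t. */
enum rule_type {
	RULE_NONE,
	RULE_FILTER_PLACEHOLDER_UNUSED_DO_NOT_USE = RULE_NONE, /* keeps RULE_NAT == 1 below */
	RULE_NAT = 1,
	RULE_FILTER,
	RULE_COUNTER,
};

/* Which of the three cached rule lists (head_filter / head_peer /
 * head_redirect, declared below) a chain belongs to. */
enum rule_chain_type {
	RULE_CHAIN_FILTER,
	RULE_CHAIN_PEER,
	RULE_CHAIN_REDIRECT,
};

/* One nftables rule as cached by this backend. Naming follows the
 * setter parameters below: e* = external, i* = internal, r* = remote. */
typedef struct rule_t {
	LIST_ENTRY(rule_t) entry;      /* linkage into a struct rule_list */
	char * table;
	char * chain;
	uint64_t handle;               /* kernel rule handle */
	enum rule_type type;
	uint32_t nat_type;
	uint32_t filter_action;
	uint32_t family;
	uint32_t ingress_ifidx;        /* interface indexes, 0 = unset presumably */
	uint32_t egress_ifidx;
	in_addr_t eaddr;
	in_addr_t iaddr;
	in_addr_t rhost;
	struct in6_addr iaddr6;
	struct in6_addr rhost6;
	uint16_t eport;
	uint16_t iport;
	uint16_t rport;
	uint8_t proto;
	enum rule_reg_type reg1_type;  /* what reg1_val / reg2_val hold */
	enum rule_reg_type reg2_type;
	uint32_t reg1_val;
	uint32_t reg2_val;
	uint64_t packets;              /* counter values read back from the kernel */
	uint64_t bytes;
	char * desc;                   /* description text, desc_len bytes */
	uint32_t desc_len;
} rule_t;

LIST_HEAD(rule_list, rule_t);
extern struct rule_list head_filter;
extern struct rule_list head_redirect;
extern struct rule_list head_peer;

/** called at initialization.
 * establishes persistent connection to mnl/netfilter socket, needs elevated privilege
 * @return status code; consult the implementation for the failure value */
int
nft_mnl_connect(void);

/** called at shutdown, to release the mnl/netfilter socket */
void
nft_mnl_disconnect(void);

#ifdef DEBUG
/** Dump @p rule, tagged with the calling function and line (DEBUG builds only). */
void
print_rule(const char *func, int line, const struct nftnl_rule *rule);

/** Dump the redirect rules for interface @p ifname (DEBUG builds only). */
void
print_redirect_rules(const char * ifname);

#define debug_rule(rule) do { print_rule(__func__, __LINE__, rule); } while (0)

#else
/* No-op outside DEBUG builds: the argument expression is not evaluated. */
#define debug_rule(rule)
#endif

/** Send @p rule to the kernel.
 * @param rule  rule object built by one of the rule_set_* functions or rule_del_handle()
 * @param cmd   netlink message type (an nf_tables_msg_types value such as
 *              NFT_MSG_NEWRULE / NFT_MSG_DELRULE — confirm in the implementation)
 * @param type  which cached list the rule's chain belongs to
 * @return status code; see the implementation for the failure value */
int
nft_send_rule(struct nftnl_rule * rule, uint16_t cmd, enum rule_chain_type type);

/* Rule builders. Each returns a new libnftnl rule object (NULL on failure
 * presumably); ownership of the returned object is the caller's to hand to
 * nft_send_rule() or release — confirm against the implementation.
 * @p descr is the textual description (bounded by NFT_DESCR_SIZE) and
 * @p handle the existing rule handle as a string, or NULL when building a
 * new rule — confirm. Note that rule_set_dnat() takes @p iport as uint32_t
 * while its siblings take unsigned short; callers must not rely on values
 * above 65535 surviving. */
struct nftnl_rule *
rule_set_dnat(uint8_t family, const char * ifname, uint8_t proto,
	      in_addr_t rhost, unsigned short eport,
	      in_addr_t ihost, uint32_t iport,
	      const char *descr,
	      const char *handle);
struct nftnl_rule *
rule_set_snat(uint8_t family, uint8_t proto,
	      in_addr_t rhost, unsigned short rport,
	      in_addr_t ehost, unsigned short eport,
	      in_addr_t ihost, unsigned short iport,
	      const char *descr,
	      const char *handle);
struct nftnl_rule *
rule_set_filter(uint8_t family, const char * ifname, uint8_t proto,
		in_addr_t rhost, in_addr_t iaddr,
		unsigned short eport, unsigned short iport,
		unsigned short rport, const char * descr, const char *handle);
/* rhost6 / iaddr6 are non-const only because the definition declares them
 * so; the builder is not expected to modify them — confirm. */
struct nftnl_rule *
rule_set_filter6(uint8_t family, const char * ifname, uint8_t proto,
		 struct in6_addr *rhost6, struct in6_addr *iaddr6,
		 unsigned short eport, unsigned short iport,
		 unsigned short rport, const char *descr, const char *handle);
/** Shared tail of rule_set_filter()/rule_set_filter6(): adds the
 * address-independent expressions to an already created rule @p r. */
struct nftnl_rule *
rule_set_filter_common(struct nftnl_rule *r, uint8_t family, const char * ifname,
		       uint8_t proto, unsigned short eport, unsigned short iport,
		       unsigned short rport, const char *descr, const char *handle);
/** Build a rule object that identifies cached rule @p r by its handle
 * (for deletion via nft_send_rule(), presumably). */
struct nftnl_rule *rule_del_handle(rule_t *r);

/* Re-read the kernel rule set into the cached lists. The three wrappers
 * target head_filter / head_redirect / head_peer respectively; the generic
 * form fills @p head from @p table / @p chain for the given @p family,
 * tagging entries with @p type. Return value: status code — see the
 * implementation. */
int refresh_nft_cache_filter(void);
int
refresh_nft_cache_redirect(void);
int refresh_nft_cache_peer(void);
int refresh_nft_cache(struct rule_list *head, const char *table, const char *chain, uint32_t family, enum rule_type type);

/** Issue table message @p op (an NFT_MSG_* value) for table @p name in @p family. */
int
table_op(enum nf_tables_msg_types op, uint16_t family, const char * name);
/** Issue chain message @p op for chain @p name of @p table.
 * @param type      chain type string as understood by nftables
 * @param hooknum   netfilter hook the chain attaches to
 * @param priority  hook priority (signed, as in nftables) */
int
chain_op(enum nf_tables_msg_types op, uint16_t family, const char * table,
	 const char * name, const char * type, uint32_t hooknum, signed int priority );

/** Start a netlink batch inside the caller-provided buffer @p buf of
 * @p buf_size bytes; the buffer must outlive the batch. */
struct mnl_nlmsg_batch *
start_batch( char *buf, size_t buf_size);
/** Submit a batch begun with start_batch(). @return status code. */
int
send_batch(struct mnl_nlmsg_batch * batch);

#endif /* NFTNLRDR_MISC_H_INCLUDED */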