libiptc samples: creating an entry in the FORWARD chain

Language: English
Programming Language: C
Published by: mmanchip [not registered]
Last Update: 5/15/2006
Views: 172


Description

This code was written to give netfilter libiptc users a fast idea of how to start interfacing with libiptc. Libiptc provides a userspace API for using iptables under Linux 2.4. The code adds an ACCEPT rule to the FORWARD chain of the filter table: ensure the table is loaded by running iptables -L before running the code. Compile using: gcc -o listchain listchain.c -liptc
I am michaelm@s3group.com. Mail me and let me know if this was useful! The code time was sponsored by: http://www.s3group.com

Code

// sample code appending a new rule to the FORWARD chain in the filter table

#include <libiptc/libiptc.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>             /* strncpy, memset, memcpy */
#include <linux/netfilter.h>

struct ipt_standard_target target;

int main(void)
{
    long result = 0;
    iptc_handle_t handle;
    struct ipt_entry *chain_entry;
    ipt_chainlabel labelit;
    size_t entry_size;
    long size = 0;

    /* configuring the entry we'll make:
       we want to append a rule to the forward chain in the filter table
       this rule is simple: accept everything that reaches this point in the chain
    */

    printf("size of standard target: %zu\n", sizeof(target));
    chain_entry = NULL;

    /* the target of this rule is ACCEPT */
    strncpy(target.target.u.user.name, "ACCEPT", sizeof(target.target.u.user.name)); // other std targets would include DROP etc
    /* set the target size!! */
    target.target.u.user.target_size = sizeof(target);

    entry_size = sizeof(struct ipt_entry) + sizeof(target);
    chain_entry = malloc(entry_size);
    if (chain_entry == NULL)
    {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    memset(chain_entry, 0, entry_size); /* zero the whole entry, not just the pointer */

    // these could be used to specify ip addresses to be matched for the target, here the src address is being matched
    //chain_entry->ip.src.s_addr=inet_addr("193.120.89.103"); /* src address */
    //chain_entry->ip.smsk.s_addr=inet_addr("255.255.255.255"); /* mask */
    //chain_entry->ip.proto=0; /* any protocol */

    /* assuming matches do not need to be taken into account, as we are matching everything! */
    size = sizeof(struct ipt_entry);
    printf("sizeof chain_target_offset: %ld\n", size);
    chain_entry->target_offset = size;
    chain_entry->next_offset = size + sizeof(target); /* next target is the next rule (offset is size of current entry) */
    printf("value of chain entry next offset: %u\n", chain_entry->next_offset);

    memcpy(chain_entry->elems, &target, sizeof(target));

    /* standard is the name given to any of the system defined targets, like DROP, ACCEPT, REJECT, QUEUE, RETURN */

    handle = iptc_init("filter"); /* check if table is loaded */
    if (handle == NULL)
    {
        printf("error: table not loaded! (%s)\n", iptc_strerror(errno));
        exit(EXIT_FAILURE);
    }
    else
    {
        printf("table exists\n");
    }
    result = iptc_is_chain("FORWARD", handle);
    if (result)
    {
        printf("chain exists\n");
    }
    else
    {
        printf("error: chain does not exist!\n");
        exit(EXIT_FAILURE);
    }

    // set the name of the chain we want to append to (labelit is a char array, so pass it directly)
    strncpy(labelit, "FORWARD", sizeof(labelit));

    result = iptc_append_entry(labelit, chain_entry, &handle);
    if (result == 0)
    {
        printf("append error: %s\n", iptc_strerror(errno));
        free(chain_entry);
        exit(EXIT_FAILURE);
    }

    result = iptc_commit(&handle);
    if (result == 0)
        printf("commit error: %s\n", iptc_strerror(errno));
    else
        printf("appended new rule to chain successfully\n");

    free(chain_entry);
    return 0;
}
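The entry-building step above, as an added example that is not part of the original snippet: a helper that lays out an ipt_entry followed by a standard target for any built-in verdict (the snippet shows only ACCEPT), plus a check of the offset invariants the kernel enforces on the blob (target after the header, target_size adding up to next_offset, NUL-terminated name). It uses only the kernel uapi headers, not libiptc, so it runs without root or a loaded table; the helper and check names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <linux/netfilter_ipv4/ip_tables.h>

/* Allocate one ipt_entry followed by an ipt_standard_target named after a
 * built-in verdict ("ACCEPT", "DROP", ...). Returns NULL on bad input. */
static struct ipt_entry *build_standard_entry(const char *verdict)
{
    struct ipt_standard_target *t;
    struct ipt_entry *e;
    size_t tsize = XT_ALIGN(sizeof(*t));
    size_t esize = sizeof(*e) + tsize;

    if (verdict == NULL || strlen(verdict) >= sizeof(t->target.u.user.name))
        return NULL;
    e = calloc(1, esize);          /* zero the whole blob, not just a pointer */
    if (e == NULL)
        return NULL;
    e->target_offset = sizeof(*e); /* no matches: target starts after header */
    e->next_offset = (__u16)esize; /* next rule follows the target */
    t = (struct ipt_standard_target *)e->elems;
    t->target.u.user.target_size = (__u16)tsize;
    strcpy(t->target.u.user.name, verdict); /* libiptc maps it to a verdict */
    return e;
}

/* Layout invariants the kernel checks before accepting an entry blob. */
static int entry_layout_ok(const struct ipt_entry *e)
{
    const struct xt_entry_target *t;
    if (e == NULL || e->target_offset < sizeof(*e))
        return 0;
    t = (const struct xt_entry_target *)((const char *)e + e->target_offset);
    if (t->u.user.target_size < sizeof(*t))
        return 0;
    if (e->target_offset + t->u.user.target_size != e->next_offset)
        return 0;
    return memchr(t->u.user.name, '\0', sizeof(t->u.user.name)) != NULL;
}

int main(void)
{
    struct ipt_entry *e = build_standard_entry("ACCEPT");
    printf("layout ok: %d, next_offset: %u\n", entry_layout_ok(e), e->next_offset);
    free(e);
    return 0;
}
```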
