使用libiptc -library以编程方式操作iptables以添加类似于下面的nat规则。
Rule : iptables -t nat -A POSTROUTING -m mark --mark 0x2/0x3 -j SNAT --to 1.1.1.1
代码如下所示。
我理解iptable nat rules = ipt_entry (IP Header) + ipt_entry_match (match) + ipt_entry_target (target)。
// function to create Mark based match
struct ipt_entry_match* get_mark_target() {
struct ipt_entry_match *match;
struct xt_mark_info *m;
size_t size;
size = IPT_ALIGN(sizeof(struct ipt_entry_match))
+ IPT_ALIGN(sizeof(struct xt_mark_info));
match = calloc(1, size);
match->u.match_size = size;
strncpy(match->u.user.name, "mark", sizeof(match->u.user.name));
m = (struct xt_mark_info*)match->data;
m->mark = m->mask = 0xff;
return match;
}
//function : to create final ipt_enrty
static struct ipt_entry*
make_entry(const char * iaddr, const char * rhost, const char *chain_target)
{
int r = 0;
struct ipt_entry * e;
struct ipt_entry_match *match = get_mark_target();
struct xt_mark_info *m = NULL;
struct ipt_entry_target *target = NULL;
e = calloc(1, sizeof(struct ipt_entry));
//m = calloc(1, sizeof(*m));
//m->mark = 0xff;
e->ip.proto = IPPROTO_IP;
e->nfcache = NFC_IP_DST_PT;
if (!strcmp(chain_target, "SNAT")) {
e->ip.src.s_addr = inet_addr(rhost);
e->ip.smsk.s_addr = INADDR_NONE;
//e->ip.smsk.s_addr = INADDR_NONE;
printf("\n SNAT");
target = get_snat_target(iaddr, 0);
} else {
printf("\n DNAT");
e->ip.dst.s_addr = inet_addr(rhost);
e->ip.dmsk.s_addr = INADDR_NONE;
target = get_dnat_target(iaddr, 0);
}
e->nfcache |= NFC_UNKNOWN;
e = realloc(e, sizeof(struct ipt_entry)
+ match->u.match_size + target->u.target_size);
memcpy(e->elems, match, match->u.match_size);
memcpy(e->elems + match->u.match_size, target, target->u.target_size);
e->target_offset = sizeof(struct ipt_entry)
+ match->u.match_size;
e->next_offset = sizeof(struct ipt_entry)
+ match->u.match_size + target->u.target_size;
#if 0
e = realloc(e, sizeof(struct ipt_entry) + sizeof(*m));
//+ target->u.target_size);
//memcpy(e->elems , target, target->u.target_size);
memcpy(e->elems , m, sizeof(*m));
e->target_offset = sizeof(struct ipt_entry);
e->next_offset = sizeof(struct ipt_entry) + sizeof(*m);
#endif
free(target);
//free(m);
return e;
}
static int
insert_nat_rule (char *src, char *dest, int op, const char *target)
{
struct ipt_entry *entry;
struct xtc_handle *h;
int ret = 1;
const char *chain, *table = "nat";
char *match_mask;
h = iptc_init (table);
if (!h) {
fprintf (stderr, "Could not init IPTC library: %s\n", iptc_strerror (errno));
goto out;
}
if (!strcmp(target, "SNAT")) {
chain = "POSTROUTING";
} else if (!strcmp(target, "DNAT")) {
chain = "PREROUTING";
} else {
//invlid target
return 0;
}
entry = make_entry(src, dest, target);
if (op) {
if (!iptc_append_entry (chain, (struct ipt_entry *) entry, h)) {
fprintf (stderr, "Could not insert a rule in iptables (table %s): "
"%s\n", table, iptc_strerror (errno));
goto out;
}
} else {
match_mask = (unsigned char *)malloc(entry->next_offset);
memset(match_mask, 0xFF, entry->next_offset);
if (!iptc_delete_entry (chain, (struct ipt_entry *) entry,
match_mask, h)) {
fprintf (stderr, "Could not delete a rule in iptables (table %s): "
"%s\n", table, iptc_strerror (errno));
goto out;
}
}
if (!iptc_commit (h)) {
fprintf (stderr, "Could not commit changes in iptables (table %s): %s\n"
, table, iptc_strerror (errno));
goto out;
}
ret = 0;
out:
if (entry) free(entry);
if (h) iptc_free (h);
return ret;
}
在执行上述程序时,我们收到错误提示“协议错误的套接字类型”。没有基于标记的匹配,这工作正常,我可以添加1对1 SNAT规则没有任何问题。 为基于标记的匹配尝试了多个结构,但这似乎不起作用。
有什么明显的东西让我失踪吗? 将欣赏输入。感谢。
答案 0 :(得分:1)
很难理解,iptables使用不同的结构来匹配&目标。 API使用" revision"字段,以区分用于此特定匹配/目标的结构。
因此,在下面添加一行,让我的生活更轻松。
match->u.user.revision = 1;