libiptc:使用基于标记的匹配添加nat规则吗?

时间:2015-12-16 01:18:33

标签: c linux network-programming iptables nat

使用libiptc -library以编程方式操作iptables以添加类似于下面的nat规则。

Rule : iptables -t nat -A POSTROUTING -m mark --mark 0x2/0x3 -j SNAT --to 1.1.1.1

代码如下所示。

我理解iptable nat rules = ipt_entry (IP Header) + ipt_entry_match (match) + ipt_entry_target (target)

// function to create Mark based match 
    struct ipt_entry_match* get_mark_target() {

        struct ipt_entry_match *match;
        struct xt_mark_info *m;
        size_t size;
        size =   IPT_ALIGN(sizeof(struct ipt_entry_match))
            + IPT_ALIGN(sizeof(struct xt_mark_info));

        match = calloc(1, size);
        match->u.match_size = size;
        strncpy(match->u.user.name, "mark", sizeof(match->u.user.name));
        m = (struct xt_mark_info*)match->data;
        m->mark = m->mask = 0xff;
        return match;
    }

//function : to create final ipt_enrty  


  static struct ipt_entry*
    make_entry(const char * iaddr, const char * rhost, const char *chain_target)
    {
   int r = 0;
    struct ipt_entry * e;
    struct ipt_entry_match *match = get_mark_target();
    struct xt_mark_info *m = NULL;
    struct ipt_entry_target *target = NULL;

    e = calloc(1, sizeof(struct ipt_entry));
    //m = calloc(1, sizeof(*m));
    //m->mark = 0xff;
    e->ip.proto = IPPROTO_IP;
    e->nfcache = NFC_IP_DST_PT;
    if (!strcmp(chain_target, "SNAT")) {
        e->ip.src.s_addr = inet_addr(rhost);
        e->ip.smsk.s_addr = INADDR_NONE;
        //e->ip.smsk.s_addr = INADDR_NONE;
        printf("\n SNAT");
        target = get_snat_target(iaddr, 0);
    } else {
        printf("\n DNAT");
        e->ip.dst.s_addr = inet_addr(rhost);
        e->ip.dmsk.s_addr = INADDR_NONE;
        target = get_dnat_target(iaddr, 0);
    }
    e->nfcache |= NFC_UNKNOWN;
    e = realloc(e, sizeof(struct ipt_entry)
            + match->u.match_size + target->u.target_size);
    memcpy(e->elems, match, match->u.match_size);
    memcpy(e->elems + match->u.match_size, target, target->u.target_size);
    e->target_offset = sizeof(struct ipt_entry)
        + match->u.match_size;
    e->next_offset = sizeof(struct ipt_entry)
        + match->u.match_size + target->u.target_size;
#if 0
    e = realloc(e, sizeof(struct ipt_entry) + sizeof(*m));
    //+ target->u.target_size);
    //memcpy(e->elems , target, target->u.target_size);
    memcpy(e->elems , m, sizeof(*m));
    e->target_offset = sizeof(struct ipt_entry);
    e->next_offset = sizeof(struct ipt_entry) + sizeof(*m);
#endif
    free(target);
    //free(m);
    return e;
    }


    static int
    insert_nat_rule (char *src, char *dest, int op, const char *target)
    {
        struct ipt_entry *entry;
        struct xtc_handle *h;
        int ret = 1;
        const char *chain, *table = "nat";
        char *match_mask;

        h = iptc_init (table);
        if (!h) {
            fprintf (stderr, "Could not init IPTC library: %s\n", iptc_strerror (errno));
            goto out;
        }
        if (!strcmp(target, "SNAT")) {
            chain = "POSTROUTING";
        } else  if (!strcmp(target, "DNAT")) {
            chain = "PREROUTING";
        } else {
            //invlid target
            return 0;
        }
        entry = make_entry(src, dest, target);
        if (op) {
            if (!iptc_append_entry (chain, (struct ipt_entry *) entry, h)) {
                fprintf (stderr, "Could not insert a rule in iptables (table %s): "
                                 "%s\n", table, iptc_strerror (errno));
                goto out;
            }
        } else {
            match_mask = (unsigned char *)malloc(entry->next_offset);
            memset(match_mask, 0xFF, entry->next_offset);

            if (!iptc_delete_entry (chain, (struct ipt_entry *) entry,
                                            match_mask, h)) {
                fprintf (stderr, "Could not delete a rule in iptables (table %s): "
                                 "%s\n", table, iptc_strerror (errno));
                goto out;
            }
        }

        if (!iptc_commit (h)) {
            fprintf (stderr, "Could not commit changes in iptables (table %s): %s\n"
                            , table, iptc_strerror (errno));
            goto out;
        }

        ret = 0;
    out:
        if (entry) free(entry);
        if (h) iptc_free (h);

        return ret;
    }

在执行上述程序时,我们收到错误提示“协议错误的套接字类型”。没有基于标记的匹配,这工作正常,我可以添加1对1 SNAT规则没有任何问题。 为基于标记的匹配尝试了多个结构,但这似乎不起作用。

有什么明显的东西让我失踪吗? 将欣赏输入。感谢。

1 个答案:

答案 0 :(得分:1)

很难理解,iptables使用不同的结构来匹配&目标。 API使用" revision"字段,以区分用于此特定匹配/目标的结构。

因此,在下面添加一行,让我的生活更轻松。

match->u.user.revision = 1;