我有以下C代码添加防火墙规则
ip6tables -A输出-t过滤器-s 2001:db8:222:2 :: // 64 -j DROP
C代码:
struct ip6tc_handle *h;
const ip6t_chainlabel chain = "OUTPUT";
const char *tablename = "filter";
struct ip6t_entry * e;
struct ip6t_entry_target * target;
unsigned int size_ip6t_entry, size_ip6t_entry_target, total_length;
size_ip6t_entry = XT_ALIGN(sizeof(struct ip6t_entry));
size_ip6t_entry_target = 36;
total_length = size_ip6t_entry + size_ip6t_entry_target ;
//memory allocation for all structs that represent the netfilter rule we want to insert
e = calloc(1, total_length);
if(e == NULL)
{
printf("malloc failure");
exit(1);
}
e->target_offset = size_ip6t_entry ;
//next "e" struct, end of the current one
e->next_offset = total_length;
char *temps = malloc(128);
temps = "2001:db8:222:2::";
inet_pton(AF_INET6, temps, &e->ipv6.dst);
char *temps2 = malloc(128);
temps2 = "FFFF:FFFF:FFFF:FFFF::";
inet_pton(AF_INET6, temps2, &e->ipv6.dmsk);
strcpy(e->ipv6.iniface, "eth1");
//target struct
target = (struct ip6t_entry_target *) e->elems;
target->u.target_size = size_ip6t_entry_target;
strcpy(target->u.user.name, "DROP");
//All the functions, mentioned below could be found in "Querying libiptc HOWTO" manual
h = ip6tc_init(tablename);
if ( !h )
{
printf("Error initializing: %s\n", iptc_strerror(errno));
exit(errno);
}
int x = ip6tc_append_entry(chain, e, h);
if (!x)
{
printf("Error append_entry: %s\n", iptc_strerror(errno));
exit(errno);
}
printf("%s", target->data);
int y = ip6tc_commit(h);
if (!y)
{
printf("Error commit: %s\n", iptc_strerror(errno));
exit(errno);
}
exit(0);
我想扩展此代码以设置匹配的IPv6数据包的TOS值,如下所示
ip6tables -A输出-t mangle -s 2001:db8:222:2 :: / 64 -p icmpv6 -j TOS --set-tos 0x20
有任何想法吗?
最佳答案
我找到了答案,让我分享
struct ip6tc_handle *h;
const ip6t_chainlabel chain = "OUTPUT";
const char *tablename = "mangle";
struct ip6t_entry * e;
struct ip6t_entry_target * target;
struct xt_DSCP_info *my_dscp;
unsigned int size_ip6t_entry, size_ip6t_entry_target, size_my_dscp, total_length;
size_ip6t_entry = XT_ALIGN(sizeof(struct ip6t_entry));
size_ip6t_entry_target = 36;
size_my_dscp = XT_ALIGN(sizeof(struct xt_DSCP_info));
total_length = size_ip6t_entry + size_ip6t_entry_target + size_my_dscp ;
//memory allocation for all structs that represent the netfilter rule we want to insert
e = calloc(1, total_length);
if(e == NULL)
{
printf("malloc failure");
exit(1);
}
//offsets to the other bits:
//target struct begining
e->target_offset = size_ip6t_entry ;
//next "e" struct, end of the current one
e->next_offset = total_length;
//set up packet matching rules: “-s 156.145.1.3 -d 168.220.1.9 -i eth0” part
//of our desirable rule
char *temps = malloc(128);
temps = "2001:db8:222:2::";
inet_pton(AF_INET6, temps, &e->ipv6.src);
char *temps2 = malloc(128);
temps2 = "FFFF:FFFF:FFFF:FFFF::";
inet_pton(AF_INET6, temps2, &e->ipv6.smsk);
e->ipv6.proto = 58/*IP6T_F_PROTO*/ ;
strcpy(e->ipv6.iniface, "wlan1");
//target struct
//”-j ACCEPT” part of our desirable rule
target = (struct ip6t_entry_target *) e->elems;
target->u.target_size = size_ip6t_entry_target;
strcpy(target->u.user.name, "DSCP");
my_dscp = (struct xt_DSCP_info *) target->data;
my_dscp->dscp = 8;
//All the functions, mentioned below could be found in "Querying libiptc HOWTO" manual
h = ip6tc_init(tablename);
if ( !h )
{
printf("Error initializing: %s\n", iptc_strerror(errno));
exit(errno);
}
//analogous to “iptables -A INPUT” part of our desirable rule + the rule itself
//inside of the e struct
int x = ip6tc_append_entry(chain, e, h);
if (!x)
{
printf("Error append_entry: %s\n", iptc_strerror(errno));
exit(errno);
}
printf("%s", target->data);
int y = ip6tc_commit(h);
if (!y)
{
printf("Error commit: %s\n", iptc_strerror(errno));
exit(errno);
}
exit(0);