我有以下 C 代码,用来添加这条防火墙规则:
ip6tables -A OUTPUT -t filter -s 2001:db8:222:2::/64 -j DROP

C代码:

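    struct ip6tc_handle *h;
    const ip6t_chainlabel chain = "OUTPUT";
    const char *tablename = "filter";

    /* Rule being built: "-s 2001:db8:222:2::/64 -j DROP".
     * Address and prefix mask are kept as text for readability; pointing at
     * the literals directly replaces the two malloc(128) buffers that were
     * overwritten by literal pointers and never freed. */
    const char *src_addr = "2001:db8:222:2::";
    const char *src_mask = "FFFF:FFFF:FFFF:FFFF::";  /* /64 */

    struct ip6t_entry *e;
    struct ip6t_entry_target *target;

    /* Sizes come from the headers rather than a hand-counted constant:
     * "DROP" is a standard (verdict) target, so its size is that of
     * xt_standard_target (generic target header + int verdict) rounded with
     * XT_ALIGN. libiptc refuses the append (EINVAL) when target_size is
     * anything else, and the value depends on the platform's alignment. */
    unsigned int size_ip6t_entry = XT_ALIGN(sizeof(struct ip6t_entry));
    unsigned int size_standard_target = XT_ALIGN(sizeof(struct xt_standard_target));
    unsigned int total_length = size_ip6t_entry + size_standard_target;

    /* One allocation holds the entry followed by its target; calloc also
     * zeroes every match field we do not set (masks, interfaces, flags). */
    e = calloc(1, total_length);
    if (e == NULL) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }

    /* Offsets the kernel walks: the target starts right after the entry and
     * the next entry starts at the end of this target. */
    e->target_offset = size_ip6t_entry;
    e->next_offset = total_length;

    /* "-s 2001:db8:222:2::/64": source address and mask. The earlier version
     * filled dst/dmsk, which does not match the rule quoted above.
     * inet_pton() returns 1 only for a well-formed address, so a typo in the
     * literals is caught here instead of silently matching ::/0. */
    if (inet_pton(AF_INET6, src_addr, &e->ipv6.src) != 1 ||
        inet_pton(AF_INET6, src_mask, &e->ipv6.smsk) != 1) {
        fprintf(stderr, "invalid IPv6 address or mask\n");
        free(e);
        exit(EXIT_FAILURE);
    }
    /* No "-i eth1" here: the quoted rule has none, the kernel ignores
     * iniface unless iniface_mask is set as well (so the old strcpy was a
     * no-op), and -i is not valid in the OUTPUT chain anyway. */

    /* "-j DROP": libiptc maps the name "DROP" to the standard verdict target
     * as long as target_size equals the standard target size set above. */
    target = (struct ip6t_entry_target *) e->elems;
    target->u.target_size = size_standard_target;
    strcpy(target->u.user.name, "DROP");

    /* The calls below are described in the "Querying libiptc HOWTO".
     * ip6tc_init() needs CAP_NET_ADMIN and fails with EPERM without it;
     * ip6tc_strerror() is the IPv6 handle's error text (iptc_strerror()
     * belongs to libip4tc). */
    h = ip6tc_init(tablename);
    if (!h) {
        fprintf(stderr, "Error initializing: %s\n", ip6tc_strerror(errno));
        free(e);
        exit(EXIT_FAILURE);
    }

    /* "ip6tables -A OUTPUT": append to the chain in the snapshot held by h;
     * nothing reaches the kernel until ip6tc_commit(). */
    if (!ip6tc_append_entry(chain, e, h)) {
        fprintf(stderr, "Error append_entry: %s\n", ip6tc_strerror(errno));
        ip6tc_free(h);
        free(e);
        exit(EXIT_FAILURE);
    }
    /* The old printf("%s", target->data) is gone: target->data is not a
     * string (for a verdict target it is the int verdict), so "%s" reads
     * raw bytes. */

    if (!ip6tc_commit(h)) {
        fprintf(stderr, "Error commit: %s\n", ip6tc_strerror(errno));
        ip6tc_free(h);
        free(e);
        exit(EXIT_FAILURE);
    }

    /* libiptc has copied the entry into its own buffers; release the handle
     * and our allocation. EXIT_FAILURE above replaces exit(errno), whose
     * value may be 0 or exceed 255 and so is not a reliable exit status. */
    ip6tc_free(h);
    free(e);
    exit(EXIT_SUCCESS);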

我想扩展这段代码,为匹配到的 IPv6 数据包设置 TOS 值,对应的 ip6tables 规则如下:
ip6tables -A OUTPUT -t mangle -s 2001:db8:222:2::/64 -p icmpv6 -j TOS --set-tos 0x20

有任何想法吗?


找到答案了,分享给大家。思路是用 DSCP 目标代替 TOS 目标:DSCP 是 IPv6 流量类别字段的高 6 位,DSCP 8 对应的就是 TOS 0x20(8 << 2)。

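struct ip6tc_handle *h;
const ip6t_chainlabel chain = "OUTPUT";
const char *tablename = "mangle";   /* the DSCP target is only accepted in mangle */

/* Rule being built:
 *   -t mangle -A OUTPUT -s 2001:db8:222:2::/64 -p icmpv6 -j DSCP --set-dscp 8
 * DSCP is the upper 6 bits of the IPv6 traffic class, so DSCP 8 writes
 * TOS 0x20 (8 << 2), which is what "-j TOS --set-tos 0x20" asks for.
 * Address and mask are kept as text; pointing at the literals replaces the
 * malloc(128) buffers that were overwritten and never freed. */
const char *src_addr = "2001:db8:222:2::";
const char *src_mask = "FFFF:FFFF:FFFF:FFFF::";  /* /64 */

struct ip6t_entry *e;
struct ip6t_entry_target *target;
struct xt_DSCP_info *my_dscp;

/* A module target's size is the generic target header plus its private
 * data, each rounded with XT_ALIGN. The kernel checks target_size against
 * exactly that and also requires target_offset + target_size == next_offset,
 * so target_size must cover the DSCP data; a hand-counted constant such as
 * the old 36 is not guaranteed to satisfy either check. */
unsigned int size_ip6t_entry = XT_ALIGN(sizeof(struct ip6t_entry));
unsigned int size_my_dscp = XT_ALIGN(sizeof(struct xt_DSCP_info));
unsigned int size_target = XT_ALIGN(sizeof(struct ip6t_entry_target)) + size_my_dscp;
unsigned int total_length = size_ip6t_entry + size_target;

/* One allocation holds entry, target header and DSCP data back to back;
 * calloc zeroes the match fields we leave unset (masks, interfaces). */
e = calloc(1, total_length);
if (e == NULL) {
    perror("calloc");
    exit(EXIT_FAILURE);
}

/* Offsets the kernel walks: the target starts right after the entry and
 * the next entry starts at the end of this target's data. */
e->target_offset = size_ip6t_entry;
e->next_offset = total_length;

/* "-s 2001:db8:222:2::/64". inet_pton() returns 1 only for a well-formed
 * address, so a typo in the literals is caught instead of matching ::/0. */
if (inet_pton(AF_INET6, src_addr, &e->ipv6.src) != 1 ||
    inet_pton(AF_INET6, src_mask, &e->ipv6.smsk) != 1) {
    fprintf(stderr, "invalid IPv6 address or mask\n");
    free(e);
    exit(EXIT_FAILURE);
}

/* "-p icmpv6": the protocol number is ignored by the kernel unless
 * IP6T_F_PROTO is set in flags. The earlier version named the flag in a
 * comment but never set it, so it matched every protocol. */
e->ipv6.proto = IPPROTO_ICMPV6;   /* 58 */
e->ipv6.flags |= IP6T_F_PROTO;

/* No "-i wlan1" here: the quoted rule has none, iniface is ignored without
 * iniface_mask (the old strcpy was a no-op), and -i is invalid in OUTPUT. */

/* "-j DSCP --set-dscp 8": the target header is followed by xt_DSCP_info
 * at target->data; target_size includes that data. */
target = (struct ip6t_entry_target *) e->elems;
target->u.target_size = size_target;
strcpy(target->u.user.name, "DSCP");

my_dscp = (struct xt_DSCP_info *) target->data;
my_dscp->dscp = 8;   /* must be < 64; 8 == TOS 0x20 >> 2 */

/* The calls below are described in the "Querying libiptc HOWTO".
 * ip6tc_init() needs CAP_NET_ADMIN and fails with EPERM without it;
 * ip6tc_strerror() is the IPv6 handle's error text (iptc_strerror()
 * belongs to libip4tc). */
h = ip6tc_init(tablename);
if (!h) {
    fprintf(stderr, "Error initializing: %s\n", ip6tc_strerror(errno));
    free(e);
    exit(EXIT_FAILURE);
}

/* "ip6tables -t mangle -A OUTPUT": append to the chain in the snapshot
 * held by h; nothing reaches the kernel until ip6tc_commit(). */
if (!ip6tc_append_entry(chain, e, h)) {
    fprintf(stderr, "Error append_entry: %s\n", ip6tc_strerror(errno));
    ip6tc_free(h);
    free(e);
    exit(EXIT_FAILURE);
}
/* The old printf("%s", target->data) is gone: target->data is the binary
 * xt_DSCP_info, not a string; print the value through my_dscp instead. */
printf("dscp=%u\n", (unsigned) my_dscp->dscp);

if (!ip6tc_commit(h)) {
    fprintf(stderr, "Error commit: %s\n", ip6tc_strerror(errno));
    ip6tc_free(h);
    free(e);
    exit(EXIT_FAILURE);
}

/* libiptc has copied the entry into its own buffers; release the handle
 * and our allocation. EXIT_FAILURE above replaces exit(errno), whose value
 * may be 0 or exceed 255 and so is not a reliable exit status. */
ip6tc_free(h);
free(e);
exit(EXIT_SUCCESS);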
于 2014-05-22T09:36:06.887 回答