我有以下 C 代码来添加防火墙规则
ip6tables -A OUTPUT -t filter -s 2001:db8:222:2::/64 -j DROP
C代码:
struct ip6tc_handle *h;
const ip6t_chainlabel chain = "OUTPUT";
const char *tablename = "filter";
struct ip6t_entry * e;
struct ip6t_entry_target * target;
unsigned int size_ip6t_entry, size_ip6t_entry_target, total_length;
size_ip6t_entry = XT_ALIGN(sizeof(struct ip6t_entry));
size_ip6t_entry_target = 36;
total_length = size_ip6t_entry + size_ip6t_entry_target ;
//memory allocation for all structs that represent the netfilter rule we want to insert
e = calloc(1, total_length);
if(e == NULL)
{
printf("malloc failure");
exit(1);
}
e->target_offset = size_ip6t_entry ;
//next "e" struct, end of the current one
e->next_offset = total_length;
char *temps = malloc(128);
temps = "2001:db8:222:2::";
inet_pton(AF_INET6, temps, &e->ipv6.dst);
char *temps2 = malloc(128);
temps2 = "FFFF:FFFF:FFFF:FFFF::";
inet_pton(AF_INET6, temps2, &e->ipv6.dmsk);
strcpy(e->ipv6.iniface, "eth1");
//target struct
target = (struct ip6t_entry_target *) e->elems;
target->u.target_size = size_ip6t_entry_target;
strcpy(target->u.user.name, "DROP");
//All the functions, mentioned below could be found in "Querying libiptc HOWTO" manual
h = ip6tc_init(tablename);
if ( !h )
{
printf("Error initializing: %s\n", iptc_strerror(errno));
exit(errno);
}
int x = ip6tc_append_entry(chain, e, h);
if (!x)
{
printf("Error append_entry: %s\n", iptc_strerror(errno));
exit(errno);
}
printf("%s", target->data);
int y = ip6tc_commit(h);
if (!y)
{
printf("Error commit: %s\n", iptc_strerror(errno));
exit(errno);
}
exit(0);
我想扩展此代码以设置匹配的 IPv6 数据包的 TOS 值,如下所示
ip6tables -A OUTPUT -t mangle -s 2001:db8:222:2::/64 -p icmpv6 -j TOS --set-tos 0x20
有任何想法吗?