输出规则
print_firewall 函数用于规则的输出:
print_firewall(i, iptc_get_target(i, handle), num++,format,*handle);
i:当前的规则;
iptc_get_target(i, handle):用于规则的target部份的处理;
num:规则序号;
format:输出格式;
handle:表的信息;
/* e is called `fw' here for hysterical raisins */
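/*
 * Print one interface column of a rule line.
 *
 * name     interface name taken from the rule's IFNAMSIZ-byte field
 *          (empty when the rule does not restrict this side)
 * inverted non-zero when the rule's IPT_INV_VIA_* flag for this side is set;
 *          a leading '!' is printed in that case
 * format   FMT_* flags; FMT_NUMERIC selects "*" instead of "any" for an
 *          empty name
 * fmt      printf format with one %s, already chosen through FMT()
 *
 * The name is copied with an explicit length bound so that a field that is
 * full up to IFNAMSIZ without a terminator cannot run past the buffer.
 */
static void
print_fw_iface(const char *name, int inverted, unsigned int format,
               const char *fmt)
{
    /* '!' + up to IFNAMSIZ name bytes + NUL */
    char iface[IFNAMSIZ + 2];
    const char *shown;

    if (name[0] != '\0')
        shown = name;
    else if (format & FMT_NUMERIC)
        shown = "*";
    else
        shown = "any";

    snprintf(iface, sizeof iface, "%s%.*s",
             inverted ? "!" : "", (int)IFNAMSIZ, shown);
    printf(fmt, iface);
}

/*
 * Format "<address><mask>" into buf and print it with fmt.
 *
 * addr, mask  address and netmask of one side (src or dst) of the rule
 * format      FMT_NUMERIC selects dotted-quad output instead of name lookup
 * fmt         printf format with one %s, already chosen through FMT()
 * buf, buflen caller-supplied scratch buffer; the text is truncated rather
 *             than overrun if it does not fit
 *
 * The address text is copied into buf before mask_to_dotted() is called,
 * preserving the original evaluation order (the helpers presumably return
 * static storage -- not verified here).
 */
static void
print_fw_addr(const struct in_addr *addr, const struct in_addr *mask,
              unsigned int format, const char *fmt, char *buf, size_t buflen)
{
    const char *text = (format & FMT_NUMERIC) ? addr_to_dotted(addr)
                                              : addr_to_anyname(addr);
    size_t len;

    snprintf(buf, buflen, "%s", text);
    len = strlen(buf);
    snprintf(buf + len, buflen - len, "%s", mask_to_dotted(mask));
    printf(fmt, buf);
}

/*
 * Print one rule (`fw') as a single line of listing output on stdout.
 *
 * fw       the rule to print (named `fw' for historical reasons)
 * targname name of the rule's target, as obtained from iptc_get_target()
 * num      zero-based rule index; printed as num+1 when FMT_LINENUMBERS is set
 * format   bit set of FMT_* flags selecting which columns appear and how
 *          they are laid out (FMT() picks the table/non-table variant)
 * handle   table handle; used only to decide whether targname is a chain
 *
 * The line is built in three parts: the standard match fields (counters,
 * target, protocol, options, interfaces, addresses), the extension matches
 * via IPT_MATCH_ITERATE(), and finally the target's own print hook.
 */
static void
print_firewall(const struct ipt_entry *fw,
               const char *targname,
               unsigned int num,
               unsigned int format,
               const iptc_handle_t handle)
{
    struct iptables_target *target = NULL;
    const struct ipt_entry_target *t;
    char buf[BUFSIZ];

    /* A chain name is not an extension; it is printed via the standard target. */
    if (!iptc_is_chain(targname, handle))
        target = find_target(targname, TRY_LOAD);
    else
        target = find_target(IPT_STANDARD_TARGET, LOAD_MUST_SUCCEED);

    /* Cast required by ipt_get_target()'s non-const parameter. */
    t = ipt_get_target((struct ipt_entry *)fw);

    /* Rule number, 1-based */
    if (format & FMT_LINENUMBERS)
        printf(FMT("%-4u ", "%u "), num + 1);

    /* Packet and byte counters, unless suppressed */
    if (!(format & FMT_NOCOUNTS)) {
        print_num(fw->counters.pcnt, format); /* packets matched by this rule */
        print_num(fw->counters.bcnt, format); /* bytes matched by this rule */
    }

    /* Target name (ACCEPT, DROP, a user chain, ...) */
    if (!(format & FMT_NOTARGET))
        printf(FMT("%-9s ", "%s "), targname);

    /* Protocol, preceded by '!' when the protocol match is inverted */
    fputc(fw->ip.invflags & IPT_INV_PROTO ? '!' : ' ', stdout);
    {
        char *pname = proto_to_name(fw->ip.proto, format & FMT_NUMERIC);
        if (pname)
            printf(FMT("%-5s", "%s "), pname);
        else
            printf(FMT("%-5hu", "%hu "), fw->ip.proto);
    }

    /* "opt" column: fragment inversion and fragment-rule flags */
    if (format & FMT_OPTIONS) {
        if (format & FMT_NOTABLE)
            fputs("opt ", stdout);
        fputc(fw->ip.invflags & IPT_INV_FRAG ? '!' : '-', stdout);
        fputc(fw->ip.flags & IPT_F_FRAG ? 'f' : '-', stdout);
        fputc(' ', stdout);
    }

    /* Input and output interface columns */
    if (format & FMT_VIA) {
        print_fw_iface(fw->ip.iniface, fw->ip.invflags & IPT_INV_VIA_IN,
                       format, FMT(" %-6s ", "in %s "));
        print_fw_iface(fw->ip.outiface, fw->ip.invflags & IPT_INV_VIA_OUT,
                       format, FMT("%-6s ", "out %s "));
    }

    /* Source address and mask; a zero mask means "anywhere" in name mode */
    fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
    if (fw->ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC))
        printf(FMT("%-19s ", "%s "), "anywhere");
    else
        print_fw_addr(&fw->ip.src, &fw->ip.smsk, format,
                      FMT("%-19s ", "%s "), buf, sizeof buf);

    /* Destination address and mask */
    fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
    if (fw->ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC))
        printf(FMT("%-19s", "-> %s"), "anywhere");
    else
        print_fw_addr(&fw->ip.dst, &fw->ip.dmsk, format,
                      FMT("%-19s", "-> %s"), buf, sizeof buf);

    if (format & FMT_NOTABLE)
        fputs(" ", stdout);

    /* Extension matches, each printed through its own hook */
    IPT_MATCH_ITERATE(fw, print_match, &fw->ip, format & FMT_NUMERIC);

    /* Extension target data */
    if (target) {
        if (target->print)
            target->print(&fw->ip, t, format & FMT_NUMERIC);
    } else if (t->u.target_size != sizeof(*t)) {
        /* The subtraction yields size_t; cast so it matches %u. */
        printf("[%u bytes of unknown target data] ",
               (unsigned int)(t->u.target_size - sizeof(*t)));
    }

    if (!(format & FMT_NONEWLINE))
        fputc('\n', stdout);
}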
函数分为三部份:
输出标准的match部份;
输出扩展的match部份,调用IPT_MATCH_ITERATE实现;
调用对应的target的print函数输出target部份。