libiptc : adding nat rule with mark based match?

Question

Am using libiptc -library to manipulate the iptables programatically to add nat rule similar to below.

Rule : iptables -t nat -A POSTROUTING -m mark --mark 0x2/0x3 -j SNAT --to 1.1.1.1

The code looks like below.

I understand that iptable nat rules = ipt_entry (IP Header) + ipt_entry_match (match) + ipt_entry_target (target).

// function to create Mark based match 
    struct ipt_entry_match* get_mark_target() {

        struct ipt_entry_match *match;
        struct xt_mark_info *m;
        size_t size;
        size =   IPT_ALIGN(sizeof(struct ipt_entry_match))
            + IPT_ALIGN(sizeof(struct xt_mark_info));

        match = calloc(1, size);
        match->u.match_size = size;
        strncpy(match->u.user.name, "mark", sizeof(match->u.user.name));
        m = (struct xt_mark_info*)match->data;
        m->mark = m->mask = 0xff;
        return match;
    }

//function : to create final ipt_enrty  


  static struct ipt_entry*
    make_entry(const char * iaddr, const char * rhost, const char *chain_target)
    {
   int r = 0;
    struct ipt_entry * e;
    struct ipt_entry_match *match = get_mark_target();
    struct xt_mark_info *m = NULL;
    struct ipt_entry_target *target = NULL;

    e = calloc(1, sizeof(struct ipt_entry));
    //m = calloc(1, sizeof(*m));
    //m->mark = 0xff;
    e->ip.proto = IPPROTO_IP;
    e->nfcache = NFC_IP_DST_PT;
    if (!strcmp(chain_target, "SNAT")) {
        e->ip.src.s_addr = inet_addr(rhost);
        e->ip.smsk.s_addr = INADDR_NONE;
        //e->ip.smsk.s_addr = INADDR_NONE;
        printf("\n SNAT");
        target = get_snat_target(iaddr, 0);
    } else {
        printf("\n DNAT");
        e->ip.dst.s_addr = inet_addr(rhost);
        e->ip.dmsk.s_addr = INADDR_NONE;
        target = get_dnat_target(iaddr, 0);
    }
    e->nfcache |= NFC_UNKNOWN;
    e = realloc(e, sizeof(struct ipt_entry)
            + match->u.match_size + target->u.target_size);
    memcpy(e->elems, match, match->u.match_size);
    memcpy(e->elems + match->u.match_size, target, target->u.target_size);
    e->target_offset = sizeof(struct ipt_entry)
        + match->u.match_size;
    e->next_offset = sizeof(struct ipt_entry)
        + match->u.match_size + target->u.target_size;
#if 0
    e = realloc(e, sizeof(struct ipt_entry) + sizeof(*m));
    //+ target->u.target_size);
    //memcpy(e->elems , target, target->u.target_size);
    memcpy(e->elems , m, sizeof(*m));
    e->target_offset = sizeof(struct ipt_entry);
    e->next_offset = sizeof(struct ipt_entry) + sizeof(*m);
#endif
    free(target);
    //free(m);
    return e;
    }


    static int
    insert_nat_rule (char *src, char *dest, int op, const char *target)
    {
        struct ipt_entry *entry;
        struct xtc_handle *h;
        int ret = 1;
        const char *chain, *table = "nat";
        char *match_mask;

        h = iptc_init (table);
        if (!h) {
            fprintf (stderr, "Could not init IPTC library: %s\n", iptc_strerror (errno));
            goto out;
        }
        if (!strcmp(target, "SNAT")) {
            chain = "POSTROUTING";
        } else  if (!strcmp(target, "DNAT")) {
            chain = "PREROUTING";
        } else {
            //invlid target
            return 0;
        }
        entry = make_entry(src, dest, target);
        if (op) {
            if (!iptc_append_entry (chain, (struct ipt_entry *) entry, h)) {
                fprintf (stderr, "Could not insert a rule in iptables (table %s): "
                                 "%s\n", table, iptc_strerror (errno));
                goto out;
            }
        } else {
            match_mask = (unsigned char *)malloc(entry->next_offset);
            memset(match_mask, 0xFF, entry->next_offset);

            if (!iptc_delete_entry (chain, (struct ipt_entry *) entry,
                                            match_mask, h)) {
                fprintf (stderr, "Could not delete a rule in iptables (table %s): "
                                 "%s\n", table, iptc_strerror (errno));
                goto out;
            }
        }

        if (!iptc_commit (h)) {
            fprintf (stderr, "Could not commit changes in iptables (table %s): %s\n"
                            , table, iptc_strerror (errno));
            goto out;
        }

        ret = 0;
    out:
        if (entry) free(entry);
        if (h) iptc_free (h);

        return ret;
    }

On executing the above program, we get an error saying "Protocol wrong type for socket". Without the mark based match this works fine, am able to add 1 to 1 SNAT rules without any problems. Tried multiple structures for mark based match, but that does not seem to work.

Is there something obvious that I am missing ? Will Appreciate the inputs. Thanks.

Answer 1

Learnt it the hard way, that iptables uses different structures for match & target. The API uses "revision" field to differentiate which structures to use for this particular match/ target.

So adding a line below, made my life easier.

match->u.user.revision = 1;