error at run-time invalid mask `' specified

Linh · 02-13-2004, 05:08 PM

Error when running an iptables bash command within a C program.

The program did compiled but it crashed at run-time.

root:/home# ./firewall-test2

root:/home# invalid mask `' specified
Try `iptables -h' or 'iptables --help' for more information.

========================

Code:


#include <stdio.h>         /* standard library. a minimum 

start_processes()
 {
    FILE *fp_ETH0;

    char SRCADDR[16] = "216.143.22.145";
    char SRCMASK[16] = "255.255.255.0";

    fp_ETH0 = popen ("iptables -t nat -A OUTPUT -p tcp -d \"$SRCADDR/
                                   $SRCMASK\" -j ACCEPT", "r");

/*******************************************/

main()
  {
    start_processes();
  }

codedv · 02-14-2004, 07:43 AM

What language is this??

It looks to me like a cross between PHP and C. You can't just insert variables into a string using $VARNAME. The reason for your program failing is because of this line:

"iptables -t nat -A OUTPUT -p tcp -d \"$SRCADDR/$SRCMASK\" -j ACCEPT"

It will simply pass the string as you wrote it to iptables and it will attempt to read the string "$SRCADDR" on the command line and as a result produce an error.

You can use the sprintf() function to tie strings together like this though. Heres how:

Code:

start_processes()
{
    FILE *fp_ETH0;

    char SRCADDR[16] = "216.143.22.145";
    char SRCMASK[16] = "255.255.255.0";

    char buf[81];
 
    /* use this function to combine the strings */
    sprintf (buf, "iptables -t nat -A OUTPUT -p tcp -d \"%s/%s\" -j ACCEPT", SRCADDR, SRCMASK);

    fp_ETH0 = popen (buf, "r");
}

Linh · 02-16-2004, 02:37 PM

Hi Codedv. Thank you for your help. Your code works.
The code is in C. There is no php code.

Below is the code where there is a \"$NIC_ADDRESS\".
If you issue the command iptables -L, you will see that port 10 did open.

char string1[100] = "iptables -A INPUT -i \"$NIC_ADDRESS\" -p tcp --dport 10 -j ACCEPT";
fp = popen (string1, "r"); <-- THIS CODE RUN

-----------------------------------------------------------

On the second code, it did not work with \"$SRCADDR\"/\"$SRCMASK\" because there is a / between the two variable.
\"$SRCADDR\" and \"$SRCMASK\"

fp_ETH0 = popen ("iptables -t nat -A OUTPUT -p tcp -d \"$SRCADDR\"/\"$SRCMASK\" -j ACCEPT", "r");

==========================================

Code:

#include <stdio.h>         /* standard library. a minimum                      */
#include <stdlib.h>        /* for oct_long = strtoul (six_oct_char, NULL, 8)   */
#include <string.h>        /* for strcmp, strcpy functions                     */


start_processes()
 {

   char NIC_ADDRESS[16] = "216.143.22.145";
   char string1[100] = "iptables -A INPUT -i \"$NIC_ADDRESS\" -p tcp --dport 10 -j ACCEPT";
   FILE *fp;

   FILE *fp_ETH0;
   char SRCADDR[16] = "216.143.22.145";
   char SRCMASK[16] = "255.255.255.0";

/* THE CODE BELOW WORKS IF THE CODE char NIC_ADDRESS[16] = "216.143.22.145" IS DECLARED */
   fp = popen (string1, "r");


/* THE CODE BELOW DID NOT WORK */
   FILE *fp_ETH0;
   char SRCADDR[16] = "216.143.22.145";
   char SRCMASK[16] = "255.255.255.0"; 
   fp_ETH0 = popen ("iptables -t nat -A OUTPUT -p tcp -d \"$SRCADDR\"/\"$SRCMASK\" -j ACCEPT", "r"); 

 }

/*******************************************/

main()
  {
    start_processes();
  }

codedv · 02-16-2004, 05:36 PM

Quote:

Hi Codedv. Thank you for your help. Your code works.
The code is in C. There is no php code.

Below is the code where there is a \"$NIC_ADDRESS\".
If you issue the command iptables -L, you will see that port 10 did open.

char string1[100] = "iptables -A INPUT -i \"$NIC_ADDRESS\" -p tcp --dport 10 -j ACCEPT";
fp = popen (string1, "r"); <-- THIS CODE RUN

I'm sure it did run. However, the value of the variable NIC_ADDRESS would not have been passed to the popen() function. As I said in my previous post you cannot use variable names in the middle of a string. The command you passed would produce the following iptables rule:

Code:

pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:10

As you can see the in column has the word any which refers to any interface. If the variable had been passed in the program it would show up as the IP address you assigned to the NIC_ADDRESS variable.

Again C does not allow you to insert variables into the middle of strings by prefixing them with a $ dollar symbol. This can only be done with the use of a function. Rembmber that C treats a string as an array of character variables with a terminating null character.

Linh · 02-16-2004, 06:42 PM

Hi Codedv. Thank you for your reply.

When I used the code below it works.
I used "iptables -t nat -n -L" but Linux did not showed
the column in and out.
1) What option would I use so that the in and out column would display ?

You said that if the code below is used, then the in column would showed the IP address value and in this case it would be "216.144.52.145". I just want to see the in and out column to learn from this.

sprintf (buf, "iptables -A INPUT -i %s -p tcp --dport 10 -j ACCEPT",
SRCADDR);

==========================

Code:

start_processes()
{
    FILE *fp_ETH0;
    char SRCADDR[16] = "216.144.52.145";
    char buf[81];
 
    /* use this function to combine the strings */
    sprintf (buf, "iptables -A INPUT -i  %s  -p tcp --dport 10 -j 
                ACCEPT",  SRCADDR);

    fp_ETH0 = popen (buf, "r");

/*******************************************/

main()
  {
    start_processes();
  }

}

codedv · 02-17-2004, 12:03 PM

The -i argument is used to specify the network interface which the rule applies to. This is described in the iptables man page:

Code:

       -i, --in-interface [!] name
              Name of an interface via which a packet is going to
              be received (only for packets entering  the  INPUT,
              FORWARD and PREROUTING chains).  When the "!" argu_
              ment is used before the interface name,  the  sense
              is  inverted.  If the interface name ends in a "+",
              then any interface which begins with this name will
              match.   If  this  option is omitted, any interface
              name will match.

If you supply this argument it should be the name of the network interface you want to allow packets for that port through on. e.g. eth0 or ppp0