[thirdparty/systemd.git] / src / shared / firewall-util.c

/***
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <alloca.h>
#include <arpa/inet.h>
#include <endian.h>
#include <errno.h>
#include <net/if.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/nf_nat.h>
#include <linux/netfilter/xt_addrtype.h>
#include <libiptc/libiptc.h>

#include "alloc-util.h"
#include "firewall-util.h"
#include "in-addr-util.h"
#include "macro.h"

DEFINE_TRIVIAL_CLEANUP_FUNC(struct xtc_handle*, iptc_free);

static int entry_fill_basics(
                struct ipt_entry *entry,
                int protocol,
                const char *in_interface,
                const union in_addr_union *source,
                unsigned source_prefixlen,
                const char *out_interface,
                const union in_addr_union *destination,
                unsigned destination_prefixlen) {

        assert(entry);

        if (out_interface && strlen(out_interface) >= IFNAMSIZ)
                return -EINVAL;

        if (in_interface && strlen(in_interface) >= IFNAMSIZ)
                return -EINVAL;

        entry->ip.proto = protocol;

        if (in_interface) {
                strcpy(entry->ip.iniface, in_interface);
                memset(entry->ip.iniface_mask, 0xFF, strlen(in_interface)+1);
        }
        if (source) {
                entry->ip.src = source->in;
                in_addr_prefixlen_to_netmask(&entry->ip.smsk, source_prefixlen);
        }

        if (out_interface) {
                strcpy(entry->ip.outiface, out_interface);
                memset(entry->ip.outiface_mask, 0xFF, strlen(out_interface)+1);
        }
        if (destination) {
                entry->ip.dst = destination->in;
                in_addr_prefixlen_to_netmask(&entry->ip.dmsk, destination_prefixlen);
        }

        return 0;
}

int fw_add_masquerade(
                bool add,
                int af,
                int protocol,
                const union in_addr_union *source,
                unsigned source_prefixlen,
                const char *out_interface,
                const union in_addr_union *destination,
                unsigned destination_prefixlen) {

        _cleanup_(iptc_freep) struct xtc_handle *h = NULL;
        struct ipt_entry *entry, *mask;
        struct ipt_entry_target *t;
        size_t sz;
        struct nf_nat_ipv4_multi_range_compat *mr;
        int r;

        if (af != AF_INET)
                return -EOPNOTSUPP;

        if (protocol != 0 && protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
                return -EOPNOTSUPP;

        h = iptc_init("nat");
        if (!h)
                return -errno;

        sz = XT_ALIGN(sizeof(struct ipt_entry)) +
             XT_ALIGN(sizeof(struct ipt_entry_target)) +
             XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));

        /* Put together the entry we want to add or remove */
        entry = alloca0(sz);
        entry->next_offset = sz;
        entry->target_offset = XT_ALIGN(sizeof(struct ipt_entry));
        r = entry_fill_basics(entry, protocol, NULL, source, source_prefixlen, out_interface, destination, destination_prefixlen);
        if (r < 0)
                return r;

        /* Fill in target part */
        t = ipt_get_target(entry);
        t->u.target_size =
                XT_ALIGN(sizeof(struct ipt_entry_target)) +
                XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
        strncpy(t->u.user.name, "MASQUERADE", sizeof(t->u.user.name));
        mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
        mr->rangesize = 1;

        /* Create a search mask entry */
        mask = alloca(sz);
        memset(mask, 0xFF, sz);

        if (add) {
                if (iptc_check_entry("POSTROUTING", entry, (unsigned char*) mask, h))
                        return 0;
                if (errno != ENOENT) /* if other error than not existing yet, fail */
                        return -errno;

                if (!iptc_insert_entry("POSTROUTING", entry, 0, h))
                        return -errno;
        } else {
                if (!iptc_delete_entry("POSTROUTING", entry, (unsigned char*) mask, h)) {
                        if (errno == ENOENT) /* if it's already gone, all is good! */
                                return 0;

                        return -errno;
                }
        }

        if (!iptc_commit(h))
                return -errno;

        return 0;
}

int fw_add_local_dnat(
                bool add,
                int af,
                int protocol,
                const char *in_interface,
                const union in_addr_union *source,
                unsigned source_prefixlen,
                const union in_addr_union *destination,
                unsigned destination_prefixlen,
                uint16_t local_port,
                const union in_addr_union *remote,
                uint16_t remote_port,
                const union in_addr_union *previous_remote) {


        _cleanup_(iptc_freep) struct xtc_handle *h = NULL;
        struct ipt_entry *entry, *mask;
        struct ipt_entry_target *t;
        struct ipt_entry_match *m;
        struct xt_addrtype_info_v1 *at;
        struct nf_nat_ipv4_multi_range_compat *mr;
        size_t sz, msz;
        int r;

        assert(add || !previous_remote);

        if (af != AF_INET)
                return -EOPNOTSUPP;

        if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
                return -EOPNOTSUPP;

        if (local_port <= 0)
                return -EINVAL;

        if (remote_port <= 0)
                return -EINVAL;

        h = iptc_init("nat");
        if (!h)
                return -errno;

        sz = XT_ALIGN(sizeof(struct ipt_entry)) +
             XT_ALIGN(sizeof(struct ipt_entry_match)) +
             XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
             XT_ALIGN(sizeof(struct ipt_entry_target)) +
             XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));

        if (protocol == IPPROTO_TCP)
                msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
                      XT_ALIGN(sizeof(struct xt_tcp));
        else
                msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
                      XT_ALIGN(sizeof(struct xt_udp));

        sz += msz;

        /* Fill in basic part */
        entry = alloca0(sz);
        entry->next_offset = sz;
        entry->target_offset =
                XT_ALIGN(sizeof(struct ipt_entry)) +
                XT_ALIGN(sizeof(struct ipt_entry_match)) +
                XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
                msz;
        r = entry_fill_basics(entry, protocol, in_interface, source, source_prefixlen, NULL, destination, destination_prefixlen);
        if (r < 0)
                return r;

        /* Fill in first match */
        m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)));
        m->u.match_size = msz;
        if (protocol == IPPROTO_TCP) {
                struct xt_tcp *tcp;

                strncpy(m->u.user.name, "tcp", sizeof(m->u.user.name));
                tcp = (struct xt_tcp*) m->data;
                tcp->dpts[0] = tcp->dpts[1] = local_port;
                tcp->spts[0] = 0;
                tcp->spts[1] = 0xFFFF;

        } else {
                struct xt_udp *udp;

                strncpy(m->u.user.name, "udp", sizeof(m->u.user.name));
                udp = (struct xt_udp*) m->data;
                udp->dpts[0] = udp->dpts[1] = local_port;
                udp->spts[0] = 0;
                udp->spts[1] = 0xFFFF;
        }

        /* Fill in second match */
        m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)) + msz);
        m->u.match_size =
                XT_ALIGN(sizeof(struct ipt_entry_match)) +
                XT_ALIGN(sizeof(struct xt_addrtype_info_v1));
        strncpy(m->u.user.name, "addrtype", sizeof(m->u.user.name));
        m->u.user.revision = 1;
        at = (struct xt_addrtype_info_v1*) m->data;
        at->dest = XT_ADDRTYPE_LOCAL;

        /* Fill in target part */
        t = ipt_get_target(entry);
        t->u.target_size =
                XT_ALIGN(sizeof(struct ipt_entry_target)) +
                XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
        strncpy(t->u.user.name, "DNAT", sizeof(t->u.user.name));
        mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
        mr->rangesize = 1;
        mr->range[0].flags = NF_NAT_RANGE_PROTO_SPECIFIED|NF_NAT_RANGE_MAP_IPS;
        mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
        if (protocol == IPPROTO_TCP)
                mr->range[0].min.tcp.port = mr->range[0].max.tcp.port = htons(remote_port);
        else
                mr->range[0].min.udp.port = mr->range[0].max.udp.port = htons(remote_port);

        mask = alloca0(sz);
        memset(mask, 0xFF, sz);

        if (add) {
                /* Add the PREROUTING rule, if it is missing so far */
                if (!iptc_check_entry("PREROUTING", entry, (unsigned char*) mask, h)) {
                        if (errno != ENOENT)
                                return -EINVAL;

                        if (!iptc_insert_entry("PREROUTING", entry, 0, h))
                                return -errno;
                }

                /* If a previous remote is set, remove its entry */
                if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
                        mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;

                        if (!iptc_delete_entry("PREROUTING", entry, (unsigned char*) mask, h)) {
                                if (errno != ENOENT)
                                        return -errno;
                        }

                        mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
                }

                /* Add the OUTPUT rule, if it is missing so far */
                if (!in_interface) {

                        /* Don't apply onto loopback addresses */
                        if (!destination) {
                                entry->ip.dst.s_addr = htobe32(0x7F000000);
                                entry->ip.dmsk.s_addr = htobe32(0xFF000000);
                                entry->ip.invflags = IPT_INV_DSTIP;
                        }

                        if (!iptc_check_entry("OUTPUT", entry, (unsigned char*) mask, h)) {
                                if (errno != ENOENT)
                                        return -errno;

                                if (!iptc_insert_entry("OUTPUT", entry, 0, h))
                                        return -errno;
                        }

                        /* If a previous remote is set, remove its entry */
                        if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
                                mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;

                                if (!iptc_delete_entry("OUTPUT", entry, (unsigned char*) mask, h)) {
                                        if (errno != ENOENT)
                                                return -errno;
                                }
                        }
                }
        } else {
                if (!iptc_delete_entry("PREROUTING", entry, (unsigned char*) mask, h)) {
                        if (errno != ENOENT)
                                return -errno;
                }

                if (!in_interface) {
                        if (!destination) {
                                entry->ip.dst.s_addr = htobe32(0x7F000000);
                                entry->ip.dmsk.s_addr = htobe32(0xFF000000);
                                entry->ip.invflags = IPT_INV_DSTIP;
                        }

                        if (!iptc_delete_entry("OUTPUT", entry, (unsigned char*) mask, h)) {
                                if (errno != ENOENT)
                                        return -errno;
                        }
                }
        }

        if (!iptc_commit(h))
                return -errno;

        return 0;
}
Commit	Line	Data
76917807 LP	1	/***
	2	This file is part of systemd.
	3
	4	Copyright 2015 Lennart Poettering
	5
	6	systemd is free software; you can redistribute it and/or modify it
	7	under the terms of the GNU Lesser General Public License as published by
	8	the Free Software Foundation; either version 2.1 of the License, or
	9	(at your option) any later version.
	10
	11	systemd is distributed in the hope that it will be useful, but
	12	WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public License
	17	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	18	***/
	19
a8fbdf54	20	#include <alloca.h>
76917807	21	#include <arpa/inet.h>
a8fbdf54 TA	22	#include <endian.h>
a8fbdf54 TA	23	#include <errno.h>
76917807	24	#include <net/if.h>
a8fbdf54 TA	25	#include <stddef.h>
	26	#include <string.h>
	27	#include <sys/socket.h>
76917807 LP	28	#include <linux/netfilter_ipv4/ip_tables.h>
	29	#include <linux/netfilter/nf_nat.h>
	30	#include <linux/netfilter/xt_addrtype.h>
	31	#include <libiptc/libiptc.h>
	32
b5efdb8a	33	#include "alloc-util.h"
12c2884c	34	#include "firewall-util.h"
a8fbdf54 TA	35	#include "in-addr-util.h"
a8fbdf54 TA	36	#include "macro.h"
76917807 LP	37
	38	DEFINE_TRIVIAL_CLEANUP_FUNC(struct xtc_handle*, iptc_free);
	39
	40	static int entry_fill_basics(
	41	struct ipt_entry *entry,
	42	int protocol,
	43	const char *in_interface,
	44	const union in_addr_union *source,
	45	unsigned source_prefixlen,
	46	const char *out_interface,
	47	const union in_addr_union *destination,
	48	unsigned destination_prefixlen) {
	49
	50	assert(entry);
	51
	52	if (out_interface && strlen(out_interface) >= IFNAMSIZ)
	53	return -EINVAL;
	54
	55	if (in_interface && strlen(in_interface) >= IFNAMSIZ)
	56	return -EINVAL;
	57
	58	entry->ip.proto = protocol;
	59
	60	if (in_interface) {
	61	strcpy(entry->ip.iniface, in_interface);
	62	memset(entry->ip.iniface_mask, 0xFF, strlen(in_interface)+1);
	63	}
	64	if (source) {
	65	entry->ip.src = source->in;
	66	in_addr_prefixlen_to_netmask(&entry->ip.smsk, source_prefixlen);
	67	}
	68
	69	if (out_interface) {
	70	strcpy(entry->ip.outiface, out_interface);
	71	memset(entry->ip.outiface_mask, 0xFF, strlen(out_interface)+1);
	72	}
	73	if (destination) {
	74	entry->ip.dst = destination->in;
	75	in_addr_prefixlen_to_netmask(&entry->ip.dmsk, destination_prefixlen);
	76	}
	77
	78	return 0;
	79	}
	80
	81	int fw_add_masquerade(
	82	bool add,
	83	int af,
	84	int protocol,
	85	const union in_addr_union *source,
	86	unsigned source_prefixlen,
	87	const char *out_interface,
	88	const union in_addr_union *destination,
	89	unsigned destination_prefixlen) {
	90
	91	_cleanup_(iptc_freep) struct xtc_handle *h = NULL;
	92	struct ipt_entry entry, mask;
	93	struct ipt_entry_target *t;
	94	size_t sz;
	95	struct nf_nat_ipv4_multi_range_compat *mr;
	96	int r;
	97
	98	if (af != AF_INET)
15411c0c	99	return -EOPNOTSUPP;
76917807 LP	100
76917807 LP	101	if (protocol != 0 && protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
15411c0c	102	return -EOPNOTSUPP;
76917807 LP	103
	104	h = iptc_init("nat");
	105	if (!h)
	106	return -errno;
	107
	108	sz = XT_ALIGN(sizeof(struct ipt_entry)) +
	109	XT_ALIGN(sizeof(struct ipt_entry_target)) +
	110	XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
	111
	112	/* Put together the entry we want to add or remove */
	113	entry = alloca0(sz);
	114	entry->next_offset = sz;
	115	entry->target_offset = XT_ALIGN(sizeof(struct ipt_entry));
	116	r = entry_fill_basics(entry, protocol, NULL, source, source_prefixlen, out_interface, destination, destination_prefixlen);
	117	if (r < 0)
	118	return r;
	119
	120	/* Fill in target part */
	121	t = ipt_get_target(entry);
	122	t->u.target_size =
	123	XT_ALIGN(sizeof(struct ipt_entry_target)) +
	124	XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
	125	strncpy(t->u.user.name, "MASQUERADE", sizeof(t->u.user.name));
	126	mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
	127	mr->rangesize = 1;
	128
	129	/* Create a search mask entry */
	130	mask = alloca(sz);
	131	memset(mask, 0xFF, sz);
	132
	133	if (add) {
	134	if (iptc_check_entry("POSTROUTING", entry, (unsigned char*) mask, h))
	135	return 0;
	136	if (errno != ENOENT) /* if other error than not existing yet, fail */
	137	return -errno;
	138
	139	if (!iptc_insert_entry("POSTROUTING", entry, 0, h))
	140	return -errno;
	141	} else {
	142	if (!iptc_delete_entry("POSTROUTING", entry, (unsigned char*) mask, h)) {
	143	if (errno == ENOENT) /* if it's already gone, all is good! */
	144	return 0;
	145
	146	return -errno;
	147	}
	148	}
	149
	150	if (!iptc_commit(h))
	151	return -errno;
	152
	153	return 0;
	154	}
	155
	156	int fw_add_local_dnat(
	157	bool add,
	158	int af,
	159	int protocol,
	160	const char *in_interface,
	161	const union in_addr_union *source,
	162	unsigned source_prefixlen,
	163	const union in_addr_union *destination,
	164	unsigned destination_prefixlen,
	165	uint16_t local_port,
	166	const union in_addr_union *remote,
167	uint16_t remote_port,
168	const union in_addr_union *previous_remote) {
169
170
171	_cleanup_(iptc_freep) struct xtc_handle *h = NULL;
172	struct ipt_entry entry, mask;
173	struct ipt_entry_target *t;
174	struct ipt_entry_match *m;
175	struct xt_addrtype_info_v1 *at;
176	struct nf_nat_ipv4_multi_range_compat *mr;
177	size_t sz, msz;
178	int r;
179
180	assert(add \|\| !previous_remote);
181
182	if (af != AF_INET)
15411c0c	183	return -EOPNOTSUPP;
76917807 LP	184
76917807 LP	185	if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
15411c0c	186	return -EOPNOTSUPP;
76917807 LP	187
	188	if (local_port <= 0)
	189	return -EINVAL;
	190
	191	if (remote_port <= 0)
	192	return -EINVAL;
	193
	194	h = iptc_init("nat");
	195	if (!h)
	196	return -errno;
	197
	198	sz = XT_ALIGN(sizeof(struct ipt_entry)) +
	199	XT_ALIGN(sizeof(struct ipt_entry_match)) +
	200	XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
	201	XT_ALIGN(sizeof(struct ipt_entry_target)) +
	202	XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
	203
	204	if (protocol == IPPROTO_TCP)
	205	msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
	206	XT_ALIGN(sizeof(struct xt_tcp));
	207	else
	208	msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
	209	XT_ALIGN(sizeof(struct xt_udp));
	210
	211	sz += msz;
	212
	213	/* Fill in basic part */
	214	entry = alloca0(sz);
	215	entry->next_offset = sz;
	216	entry->target_offset =
	217	XT_ALIGN(sizeof(struct ipt_entry)) +
	218	XT_ALIGN(sizeof(struct ipt_entry_match)) +
	219	XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
	220	msz;
	221	r = entry_fill_basics(entry, protocol, in_interface, source, source_prefixlen, NULL, destination, destination_prefixlen);
	222	if (r < 0)
	223	return r;
	224
	225	/* Fill in first match */
	226	m = (struct ipt_entry_match) ((uint8_t) entry + XT_ALIGN(sizeof(struct ipt_entry)));
	227	m->u.match_size = msz;
	228	if (protocol == IPPROTO_TCP) {
	229	struct xt_tcp *tcp;
	230
	231	strncpy(m->u.user.name, "tcp", sizeof(m->u.user.name));
	232	tcp = (struct xt_tcp*) m->data;
	233	tcp->dpts[0] = tcp->dpts[1] = local_port;
	234	tcp->spts[0] = 0;
	235	tcp->spts[1] = 0xFFFF;
	236
	237	} else {
	238	struct xt_udp *udp;
	239
	240	strncpy(m->u.user.name, "udp", sizeof(m->u.user.name));
	241	udp = (struct xt_udp*) m->data;
	242	udp->dpts[0] = udp->dpts[1] = local_port;
	243	udp->spts[0] = 0;
	244	udp->spts[1] = 0xFFFF;
	245	}
	246
	247	/* Fill in second match */
	248	m = (struct ipt_entry_match) ((uint8_t) entry + XT_ALIGN(sizeof(struct ipt_entry)) + msz);
	249	m->u.match_size =
	250	XT_ALIGN(sizeof(struct ipt_entry_match)) +
251	XT_ALIGN(sizeof(struct xt_addrtype_info_v1));
252	strncpy(m->u.user.name, "addrtype", sizeof(m->u.user.name));
253	m->u.user.revision = 1;
254	at = (struct xt_addrtype_info_v1*) m->data;
255	at->dest = XT_ADDRTYPE_LOCAL;
256
257	/* Fill in target part */
258	t = ipt_get_target(entry);
259	t->u.target_size =
260	XT_ALIGN(sizeof(struct ipt_entry_target)) +
261	XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
262	strncpy(t->u.user.name, "DNAT", sizeof(t->u.user.name));
263	mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
264	mr->rangesize = 1;
265	mr->range[0].flags = NF_NAT_RANGE_PROTO_SPECIFIED\|NF_NAT_RANGE_MAP_IPS;
266	mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
267	if (protocol == IPPROTO_TCP)
268	mr->range[0].min.tcp.port = mr->range[0].max.tcp.port = htons(remote_port);
269	else
270	mr->range[0].min.udp.port = mr->range[0].max.udp.port = htons(remote_port);
271
272	mask = alloca0(sz);
273	memset(mask, 0xFF, sz);
274
275	if (add) {
276	/* Add the PREROUTING rule, if it is missing so far */
277	if (!iptc_check_entry("PREROUTING", entry, (unsigned char*) mask, h)) {
278	if (errno != ENOENT)
279	return -EINVAL;
280
281	if (!iptc_insert_entry("PREROUTING", entry, 0, h))
282	return -errno;
283	}
284
285	/* If a previous remote is set, remove its entry */
286	if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
287	mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
288
289	if (!iptc_delete_entry("PREROUTING", entry, (unsigned char*) mask, h)) {
290	if (errno != ENOENT)
291	return -errno;
292	}
293
294	mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
295	}
296
297	/* Add the OUTPUT rule, if it is missing so far */
298	if (!in_interface) {
299
300	/* Don't apply onto loopback addresses */
301	if (!destination) {
302	entry->ip.dst.s_addr = htobe32(0x7F000000);
303	entry->ip.dmsk.s_addr = htobe32(0xFF000000);
304	entry->ip.invflags = IPT_INV_DSTIP;
305	}
306
307	if (!iptc_check_entry("OUTPUT", entry, (unsigned char*) mask, h)) {
308	if (errno != ENOENT)
309	return -errno;
310
311	if (!iptc_insert_entry("OUTPUT", entry, 0, h))
312	return -errno;
313	}
314
315	/* If a previous remote is set, remove its entry */
316	if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
317	mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
318
319	if (!iptc_delete_entry("OUTPUT", entry, (unsigned char*) mask, h)) {
320	if (errno != ENOENT)
321	return -errno;
322	}
323	}
324	}
325	} else {
326	if (!iptc_delete_entry("PREROUTING", entry, (unsigned char*) mask, h)) {
327	if (errno != ENOENT)
328	return -errno;
329	}
330
331	if (!in_interface) {
332	if (!destination) {
333	entry->ip.dst.s_addr = htobe32(0x7F000000);
334	entry->ip.dmsk.s_addr = htobe32(0xFF000000);
335	entry->ip.invflags = IPT_INV_DSTIP;
336	}
337
338	if (!iptc_delete_entry("OUTPUT", entry, (unsigned char*) mask, h)) {
339	if (errno != ENOENT)
340	return -errno;
341	}
342	}
343	}
344
345	if (!iptc_commit(h))
346	return -errno;
347
348	return 0;
349	}