modify the way to communicate with kernel. all of the management activities are moved to kernel. by this approach and also because of new structures & command base manner for communicating with kernel, libiptc.c is reimplemented from scratch. he uses 'pktt_command' to communicate with kernel. in each 'add/delete/replace/save/restore' commands just one rule per transaction is transformed between kernel&user Spaces. diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index d0f51b4..28f6085 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -1,1313 +1,266 @@ -/* Library which manipulates firewall rules. Version $Revision$ */ - -/* Architecture of firewall rules is as follows: - * - * Chains go INPUT, FORWARD, OUTPUT then user chains. - * Each user chain starts with an ERROR node. - * Every chain ends with an unconditional jump: a RETURN for user chains, - * and a POLICY for built-ins. - */ - -/* (C) 1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See - * COPYING for details). - * (C) 2000-2004 by the Netfilter Core Team <coreteam@xxxxxxxxxxxxx> +/* Packet Tables Code - Firewal Manipulation Library * - * 2003-Jun-20: Harald Welte <laforge@xxxxxxxxxxxxx>: - * - Reimplementation of chain cache to use offsets instead of entries - * 2003-Jun-23: Harald Welte <laforge@xxxxxxxxxxxxx>: - * - performance optimization, sponsored by Astaro AG (http://www.astaro.com/) - * don't rebuild the chain cache after every operation, instead fix it - * up after a ruleset change. - * 2004-Aug-18: Harald Welte <laforge@xxxxxxxxxxxxx>: - * - futher performance work: total reimplementation of libiptc. - * - libiptc now has a real internal (linked-list) represntation of the - * ruleset and a parser/compiler from/to this internal representation - * - again sponsored by Astaro AG (http://www.astaro.com/) + * Copyright (C) 2005-2008 Hamid Jafarian(hm.t.) <hamid.jafarian@xxxxxxxxx> + * Licence: GPLv2 */ -#include <sys/types.h> -#include <sys/socket.h> -#include <xtables.h> - -#include "linux_list.h" - -//#define IPTC_DEBUG2 1 -#ifdef IPTC_DEBUG2 -#include <fcntl.h> -#define DEBUGP(x, args...) fprintf(stderr, "%s: " x, __FUNCTION__, ## args) -#define DEBUGP_C(x, args...) fprintf(stderr, x, ## args) -#else -#define DEBUGP(x, args...) -#define DEBUGP_C(x, args...) +#ifndef IPT_LIB_DIR +#define IPT_LIB_DIR "/usr/local/lib/iptables" #endif -#ifdef DEBUG -#define debug(x, args...) fprintf(stderr, x, ## args) -#else -#define debug(x, args...) +#ifndef __OPTIMIZE__ +STRUCT_ENTRY_TARGET * +GET_TARGET(STRUCT_ENTRY *e) +{ + return (void *)e->elems + e->target_offset; +} #endif static int sockfd = -1; -static int sockfd_use = 0; static void *iptc_fn = NULL; -static const char *hooknames[] = { - [HOOK_PRE_ROUTING] = "PREROUTING", - [HOOK_LOCAL_IN] = "INPUT", - [HOOK_FORWARD] = "FORWARD", - [HOOK_LOCAL_OUT] = "OUTPUT", - [HOOK_POST_ROUTING] = "POSTROUTING", +static const char *hooknames[] += { [HOOK_PRE_ROUTING] "PREROUTING", + [HOOK_LOCAL_IN] "INPUT", + [HOOK_FORWARD] "FORWARD", + [HOOK_LOCAL_OUT] "OUTPUT", + [HOOK_POST_ROUTING] "POSTROUTING", #ifdef HOOK_DROPPING - [HOOK_DROPPING] = "DROPPING" + [HOOK_DROPPING] "DROPPING" #endif }; -/* Convenience structures */ -struct ipt_error_target -{ - STRUCT_ENTRY_TARGET t; - char error[TABLE_MAXNAMELEN]; -}; - -struct chain_head; -struct rule_head; - -struct counter_map -{ - enum { - COUNTER_MAP_NOMAP, - COUNTER_MAP_NORMAL_MAP, - COUNTER_MAP_ZEROED, - COUNTER_MAP_SET - } maptype; - unsigned int mappos; -}; - -enum iptcc_rule_type { - IPTCC_R_STANDARD, /* standard target (ACCEPT, ...) */ - IPTCC_R_MODULE, /* extension module (SNAT, ...) */ - IPTCC_R_FALLTHROUGH, /* fallthrough rule */ - IPTCC_R_JUMP, /* jump to other chain */ -}; - -struct rule_head -{ - struct list_head list; - struct chain_head *chain; - struct counter_map counter_map; - - unsigned int index; /* index (needed for counter_map) */ - unsigned int offset; /* offset in rule blob */ - - enum iptcc_rule_type type; - struct chain_head *jump; /* jump target, if IPTCC_R_JUMP */ - - unsigned int size; /* size of entry data */ - STRUCT_ENTRY entry[0]; -}; - -struct chain_head -{ - struct list_head list; - char name[TABLE_MAXNAMELEN]; - unsigned int hooknum; /* hook number+1 if builtin */ - unsigned int references; /* how many jumps reference us */ - int verdict; /* verdict if builtin */ - - STRUCT_COUNTERS counters; /* per-chain counters */ - struct counter_map counter_map; - - unsigned int num_rules; /* number of rules in list */ - struct list_head rules; /* list of rules */ - - unsigned int index; /* index (needed for jump resolval) */ - unsigned int head_offset; /* offset in rule blob */ - unsigned int foot_index; /* index (needed for counter_map) */ - unsigned int foot_offset; /* offset in rule blob */ -}; - STRUCT_TC_HANDLE { - int changed; /* Have changes been made? */ - - struct list_head chains; - - struct chain_head *chain_iterator_cur; - struct rule_head *rule_iterator_cur; - - unsigned int num_chains; /* number of user defined chains */ - - struct chain_head **chain_index; /* array for fast chain list access*/ - unsigned int chain_index_sz;/* size of chain index array */ - - STRUCT_GETINFO info; - STRUCT_GET_ENTRIES *entries; -}; - -/* allocate a new chain head for the cache */ -static struct chain_head *iptcc_alloc_chain_head(const char *name, int hooknum) -{ - struct chain_head *c = malloc(sizeof(*c)); - if (!c) - return NULL; - memset(c, 0, sizeof(*c)); - - strncpy(c->name, name, TABLE_MAXNAMELEN); - c->hooknum = hooknum; - INIT_LIST_HEAD(&c->rules); - - return c; -} + /* Any Changes in the number of the table's Chains */ + int chains_no_changed; + /* Any changes in the number of the table's entries */ + int entries_no_changed; + /* Any changes in the info of the table's entries */ + int entries_info_changed; -/* allocate and initialize a new rule for the cache */ -static struct rule_head *iptcc_alloc_rule(struct chain_head *c, unsigned int size) -{ - struct rule_head *r = malloc(sizeof(*r)+size); - if (!r) - return NULL; - memset(r, 0, sizeof(*r)); + /* this is the table header */ + STRUCT_TABLE_INFO table; - r->chain = c; - r->size = size; - - return r; -} - -/* notify us that the ruleset has been modified by the user */ -static inline void -set_changed(TC_HANDLE_T h) -{ - h->changed = 1; -} + /* this contains the table and its chains headers: table_info|chain#1_info|... */ + STRUCT_TABLE_INFO *table_chains_headers; -#ifdef IPTC_DEBUG -static void do_check(TC_HANDLE_T h, unsigned int line); -#define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0) -#else -#define CHECK(h) -#endif + /* chain iterator: point to the current chain */ + STRUCT_CHAIN_INFO *chains_iterator; + /* a cache for entries of a chain */ + /* its memory map: chain-info| entries .. */ + STRUCT_CHAIN_INFO *entries_cache; -/********************************************************************** - * iptc blob utility functions (iptcb_*) - **********************************************************************/ + /* point to the end of the chain entries (stored in "entries_cache"*/ + STRUCT_ENTRY *end_of_entries; -static inline int -iptcb_get_number(const STRUCT_ENTRY *i, - const STRUCT_ENTRY *seek, - unsigned int *pos) -{ - if (i == seek) - return 1; - (*pos)++; - return 0; -} + /* Array of hook names */ + const char **hooknames; -static inline int -iptcb_get_entry_n(STRUCT_ENTRY *i, - unsigned int number, - unsigned int *pos, - STRUCT_ENTRY **pe) -{ - if (*pos == number) { - *pe = i; - return 1; - } - (*pos)++; - return 0; -} + unsigned int cache_num_chains; + unsigned int cache_num_builtins; -static inline STRUCT_ENTRY * -iptcb_get_entry(TC_HANDLE_T h, unsigned int offset) -{ - return (STRUCT_ENTRY *)((char *)h->entries->entrytable + offset); -} +}; -static unsigned int -iptcb_entry2index(const TC_HANDLE_T h, const STRUCT_ENTRY *seek) +static void +set_changed(TC_HANDLE_T h, int who/* 0:chains 1:entries_no 2:entries_info else all*/) { - unsigned int pos = 0; - - if (ENTRY_ITERATE(h->entries->entrytable, h->entries->size, - iptcb_get_number, seek, &pos) == 0) { - fprintf(stderr, "ERROR: offset %u not an entry!\n", - (unsigned int)((char *)seek - (char *)h->entries->entrytable)); - abort(); + switch(who){ + case 0: h->chains_no_changed = 1; + case 1: h->entries_no_changed = 1; + case 2: h->entries_info_changed = 1; break; + default:h->chains_no_changed = h->entries_no_changed = h->entries_info_changed = 1; break; } - return pos; + return; } -static inline STRUCT_ENTRY * -iptcb_offset2entry(TC_HANDLE_T h, unsigned int offset) +/* Allocate handle space */ +static TC_HANDLE_T +alloc_handle() { - return (STRUCT_ENTRY *) ((void *)h->entries->entrytable+offset); -} + size_t len; + TC_HANDLE_T h; + len = sizeof(STRUCT_TC_HANDLE); -static inline unsigned long -iptcb_entry2offset(const TC_HANDLE_T h, const STRUCT_ENTRY *e) -{ - return (void *)e - (void *)h->entries->entrytable; -} + h=malloc(len); + if(!h) {errno = ENOMEM; return NULL;} -static inline unsigned int -iptcb_offset2index(const TC_HANDLE_T h, unsigned int offset) -{ - return iptcb_entry2index(h, iptcb_offset2entry(h, offset)); + h->cache_num_chains = 0; + h->cache_num_builtins = 0; + + h->table_chains_headers = NULL; + h->entries_cache = NULL; + return h; } -/* Returns 0 if not hook entry, else hooknumber + 1 */ -static inline unsigned int -iptcb_ent_is_hook_entry(STRUCT_ENTRY *e, TC_HANDLE_T h) +static int populate_cache(TC_HANDLE_T h) { + STRUCT_COMMAND *cmd; unsigned int i; + socklen_t s; - for (i = 0; i < NUMHOOKS; i++) { - if ((h->info.valid_hooks & (1 << i)) - && iptcb_get_entry(h, h->info.hook_entry[i]) == e) - return i+1; - } - return 0; -} - - -/********************************************************************** - * Chain index (cache utility) functions - ********************************************************************** - * The chain index is an array with pointers into the chain list, with - * CHAIN_INDEX_BUCKET_LEN spacing. This facilitates the ability to - * speedup chain list searching, by find a more optimal starting - * points when searching the linked list. - * - * The starting point can be found fast by using a binary search of - * the chain index. Thus, reducing the previous search complexity of - * O(n) to O(log(n/k) + k) where k is CHAIN_INDEX_BUCKET_LEN. - * - * A nice property of the chain index, is that the "bucket" list - * length is max CHAIN_INDEX_BUCKET_LEN (when just build, inserts will - * change this). Oppose to hashing, where the "bucket" list length can - * vary a lot. - */ -#ifndef CHAIN_INDEX_BUCKET_LEN -#define CHAIN_INDEX_BUCKET_LEN 40 -#endif - -/* Another nice property of the chain index is that inserting/creating - * chains in chain list don't change the correctness of the chain - * index, it only causes longer lists in the buckets. - * - * To mitigate the performance penalty of longer bucket lists and the - * penalty of rebuilding, the chain index is rebuild only when - * CHAIN_INDEX_INSERT_MAX chains has been added. - */ -#ifndef CHAIN_INDEX_INSERT_MAX -#define CHAIN_INDEX_INSERT_MAX 355 -#endif - -static inline unsigned int iptcc_is_builtin(struct chain_head *c); - - -/* Use binary search in the chain index array, to find a chain_head - * pointer closest to the place of the searched name element. - * - * Notes that, binary search (obviously) requires that the chain list - * is sorted by name. - */ -static struct list_head * -iptcc_bsearch_chain_index(const char *name, unsigned int *idx, TC_HANDLE_T handle) -{ - unsigned int pos, end; - int res; - - struct list_head *list_pos; - list_pos=&handle->chains; - - /* Check for empty array, e.g. no user defined chains */ - if (handle->chain_index_sz == 0) { - debug("WARNING: handle->chain_index_sz == 0\n"); - return list_pos; - } - - /* Init */ - end = handle->chain_index_sz; - pos = end / 2; - - debug("bsearch Find chain:%s (pos:%d end:%d)\n", name, pos, end); - - /* Loop */ - loop: - if (!handle->chain_index[pos]) { - fprintf(stderr, "ERROR: NULL pointer chain_index[%d]\n", pos); - return &handle->chains; /* Be safe, return orig start pos */ - } - - res = strcmp(name, handle->chain_index[pos]->name); - list_pos = &handle->chain_index[pos]->list; - *idx = pos; - - debug("bsearch Index[%d] name:%s res:%d ", - pos, handle->chain_index[pos]->name, res); - - if (res == 0) { /* Found element, by direct hit */ - debug("[found] Direct hit pos:%d end:%d\n", pos, end); - return list_pos; - } else if (res < 0) { /* Too far, jump back */ - end = pos; - pos = pos / 2; - - /* Exit case: First element of array */ - if (end == 0) { - debug("[found] Reached first array elem (end%d)\n",end); - return list_pos; - } - debug("jump back to pos:%d (end:%d)\n", pos, end); - goto loop; - } else if (res > 0 ){ /* Not far enough, jump forward */ - - /* Exit case: Last element of array */ - if (pos == handle->chain_index_sz-1) { - debug("[found] Last array elem (end:%d)\n", end); - return list_pos; - } - - /* Exit case: Next index less, thus elem in this list section */ - res = strcmp(name, handle->chain_index[pos+1]->name); - if (res < 0) { - debug("[found] closest list (end:%d)\n", end); - return list_pos; - } - - pos = (pos+end)/2; - debug("jump forward to pos:%d (end:%d)\n", pos, end); - goto loop; - } - - return list_pos; -} - -#ifdef DEBUG -/* Trivial linear search of chain index. Function used for verifying - the output of bsearch function */ -static struct list_head * -iptcc_linearly_search_chain_index(const char *name, TC_HANDLE_T handle) -{ - unsigned int i=0; - int res=0; - - struct list_head *list_pos; - list_pos = &handle->chains; + if(!h->chains_no_changed && !h->entries_no_changed) return 1; - if (handle->chain_index_sz) - list_pos = &handle->chain_index[0]->list; + if(h->chains_no_changed){ + s = (sizeof(STRUCT_COMMAND) > sizeof(STRUCT_TABLE_INFO))? + sizeof(STRUCT_COMMAND):sizeof(STRUCT_TABLE_INFO); - /* Linearly walk of chain index array */ + cmd= malloc(s); + if(!cmd){errno= ENOMEM; return 0;} - for (i=0; i < handle->chain_index_sz; i++) { - if (handle->chain_index[i]) { - res = strcmp(handle->chain_index[i]->name, name); - if (res > 0) - break; // One step too far - list_pos = &handle->chain_index[i]->list; - if (res == 0) - break; // Direct hit + cmd->command = PKTT_TABLE_GET_INFO; + strcpy(cmd->table_name, h->table.name); + cmd->family = TC_AF; + + if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, cmd, &s)< 0){ + errno = EFAULT; free(cmd); + return 0; } + memcpy(&h->table, cmd, sizeof(STRUCT_TABLE_INFO)); + free(cmd); } + h->chains_no_changed = 0; - return list_pos; -} -#endif - -static int iptcc_chain_index_alloc(TC_HANDLE_T h) -{ - unsigned int list_length = CHAIN_INDEX_BUCKET_LEN; - unsigned int array_elems; - unsigned int array_mem; - - /* Allocate memory for the chain index array */ - array_elems = (h->num_chains / list_length) + - (h->num_chains % list_length ? 1 : 0); - array_mem = sizeof(h->chain_index) * array_elems; - - debug("Alloc Chain index, elems:%d mem:%d bytes\n", - array_elems, array_mem); - - h->chain_index = malloc(array_mem); - if (!h->chain_index) { - h->chain_index_sz = 0; - return -ENOMEM; - } - memset(h->chain_index, 0, array_mem); - h->chain_index_sz = array_elems; - - return 1; -} - -static void iptcc_chain_index_free(TC_HANDLE_T h) -{ - h->chain_index_sz = 0; - free(h->chain_index); -} - - -#ifdef DEBUG -static void iptcc_chain_index_dump(TC_HANDLE_T h) -{ - unsigned int i = 0; - - /* Dump: contents of chain index array */ - for (i=0; i < h->chain_index_sz; i++) { - if (h->chain_index[i]) { - fprintf(stderr, "Chain index[%d].name: %s\n", - i, h->chain_index[i]->name); - } + if(h->table_chains_headers){ + free(h->table_chains_headers); + h->table_chains_headers = NULL; } -} -#endif + s= (sizeof(STRUCT_COMMAND) > sizeof(STRUCT_TABLE_INFO))? + sizeof(STRUCT_COMMAND):sizeof(STRUCT_TABLE_INFO); + s+= h->table.num_chains * sizeof(STRUCT_CHAIN_INFO); -/* Build the chain index */ -static int iptcc_chain_index_build(TC_HANDLE_T h) -{ - unsigned int list_length = CHAIN_INDEX_BUCKET_LEN; - unsigned int chains = 0; - unsigned int cindex = 0; - struct chain_head *c; + cmd = malloc(s); + if(!cmd){errno= ENOMEM; return 0;} - /* Build up the chain index array here */ - debug("Building chain index\n"); + h->cache_num_chains = 0; + h->cache_num_builtins = 0; - debug("Number of user defined chains:%d bucket_sz:%d array_sz:%d\n", - h->num_chains, list_length, h->chain_index_sz); + cmd->command = PKTT_TABLE_CHAINS_GET_INFO; + strcpy(cmd->table_name, h->table.name); + cmd->family = TC_AF; - if (h->chain_index_sz == 0) + if(getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, cmd, &s ) <0 ){ + free(cmd); errno = EFAULT; return 0; - - list_for_each_entry(c, &h->chains, list) { - - /* Issue: The index array needs to start after the - * builtin chains, as they are not sorted */ - if (!iptcc_is_builtin(c)) { - cindex=chains / list_length; - - /* Safe guard, break out on array limit, this - * is useful if chains are added and array is - * rebuild, without realloc of memory. */ - if (cindex >= h->chain_index_sz) - break; - - if ((chains % list_length)== 0) { - debug("\nIndex[%d] Chains:", cindex); - h->chain_index[cindex] = c; - } - chains++; - } - debug("%s, ", c->name); } - debug("\n"); - return 1; -} + h->table_chains_headers= (void *)cmd; + h->cache_num_chains = h->table.num_chains; -static int iptcc_chain_index_rebuild(TC_HANDLE_T h) -{ - debug("REBUILD chain index array\n"); - iptcc_chain_index_free(h); - if ((iptcc_chain_index_alloc(h)) < 0) - return -ENOMEM; - iptcc_chain_index_build(h); + /* Count builtins */ + for (i = 0; i < NUMHOOKS; i++) { + if (h->table.valid_hooks & (1 << i)) + h->cache_num_builtins++; + } + h->entries_no_changed = 0; + return 1; } -/* Delete chain (pointer) from index array. Removing an element from - * the chain list only affects the chain index array, if the chain - * index points-to/uses that list pointer. - * - * There are different strategies, the simple and safe is to rebuild - * the chain index every time. The more advanced is to update the - * array index to point to the next element, but that requires some - * house keeping and boundry checks. The advanced is implemented, as - * the simple approach behaves badly when all chains are deleted - * because list_for_each processing will always hit the first chain - * index, thus causing a rebuild for every chain. - */ -static int iptcc_chain_index_delete_chain(struct chain_head *c, TC_HANDLE_T h) +int check_handle(TC_HANDLE_T handle) { - struct list_head *index_ptr, *index_ptr2, *next; - struct chain_head *c2; - unsigned int idx, idx2; - - index_ptr = iptcc_bsearch_chain_index(c->name, &idx, h); - - debug("Del chain[%s] c->list:%p index_ptr:%p\n", - c->name, &c->list, index_ptr); - - /* Save the next pointer */ - next = c->list.next; - list_del(&c->list); - - if (index_ptr == &c->list) { /* Chain used as index ptr */ - - /* See if its possible to avoid a rebuild, by shifting - * to next pointer. Its possible if the next pointer - * is located in the same index bucket. - */ - c2 = list_entry(next, struct chain_head, list); - index_ptr2 = iptcc_bsearch_chain_index(c2->name, &idx2, h); - if (idx != idx2) { - /* Rebuild needed */ - return iptcc_chain_index_rebuild(h); - } else { - /* Avoiding rebuild */ - debug("Update cindex[%d] with next ptr name:[%s]\n", - idx, c2->name); - h->chain_index[idx]=c2; - return 0; - } - } + if(populate_cache(handle)) return 1; + + fprintf(stderr,"can't update cache info for table %s\n", + handle->table.name); return 0; } - -/********************************************************************** - * iptc cache utility functions (iptcc_*) - **********************************************************************/ - -/* Is the given chain builtin (1) or user-defined (0) */ -static inline unsigned int iptcc_is_builtin(struct chain_head *c) -{ - return (c->hooknum ? 1 : 0); -} - -/* Get a specific rule within a chain */ -static struct rule_head *iptcc_get_rule_num(struct chain_head *c, - unsigned int rulenum) -{ - struct rule_head *r; - unsigned int num = 0; - - list_for_each_entry(r, &c->rules, list) { - num++; - if (num == rulenum) - return r; - } - return NULL; -} - -/* Get a specific rule within a chain backwards */ -static struct rule_head *iptcc_get_rule_num_reverse(struct chain_head *c, - unsigned int rulenum) -{ - struct rule_head *r; - unsigned int num = 0; - - list_for_each_entry_reverse(r, &c->rules, list) { - num++; - if (num == rulenum) - return r; - } - return NULL; -} - -/* Returns chain head if found, otherwise NULL. */ -static struct chain_head * -iptcc_find_chain_by_offset(TC_HANDLE_T handle, unsigned int offset) +/* Returns cache ptr if found, otherwise NULL. */ +static STRUCT_CHAIN_INFO * +find_label(const char *name, TC_HANDLE_T handle) { - struct list_head *pos; - - if (list_empty(&handle->chains)) - return NULL; - - list_for_each(pos, &handle->chains) { - struct chain_head *c = list_entry(pos, struct chain_head, list); - if (offset >= c->head_offset && offset <= c->foot_offset) - return c; - } - - return NULL; -} - -/* Returns chain head if found, otherwise NULL. */ -static struct chain_head * -iptcc_find_label(const char *name, TC_HANDLE_T handle) -{ - struct list_head *pos; - struct list_head *list_start_pos; - unsigned int i=0; - int res; - - if (list_empty(&handle->chains)) - return NULL; - - /* First look at builtin chains */ - list_for_each(pos, &handle->chains) { - struct chain_head *c = list_entry(pos, struct chain_head, list); - if (!iptcc_is_builtin(c)) - break; - if (!strcmp(c->name, name)) - return c; - } - - /* Find a smart place to start the search via chain index */ - //list_start_pos = iptcc_linearly_search_chain_index(name, handle); - list_start_pos = iptcc_bsearch_chain_index(name, &i, handle); - - /* Handel if bsearch bails out early */ - if (list_start_pos == &handle->chains) { - list_start_pos = pos; - } -#ifdef DEBUG - else { - /* Verify result of bsearch against linearly index search */ - struct list_head *test_pos; - struct chain_head *test_c, *tmp_c; - test_pos = iptcc_linearly_search_chain_index(name, handle); - if (list_start_pos != test_pos) { - debug("BUG in chain_index search\n"); - test_c=list_entry(test_pos, struct chain_head,list); - tmp_c =list_entry(list_start_pos,struct chain_head,list); - debug("Verify search found:\n"); - debug(" Chain:%s\n", test_c->name); - debug("BSearch found:\n"); - debug(" Chain:%s\n", tmp_c->name); - exit(42); - } - } -#endif + STRUCT_CHAIN_INFO *ici; + unsigned int i; - /* Initial/special case, no user defined chains */ - if (handle->num_chains == 0) - return NULL; + if(!check_handle(handle)) return NULL; - /* Start searching through the chain list */ - list_for_each(pos, list_start_pos->prev) { - struct chain_head *c = list_entry(pos, struct chain_head, list); - res = strcmp(c->name, name); - debug("List search name:%s == %s res:%d\n", name, c->name, res); - if (res==0) - return c; - - /* We can stop earlier as we know list is sorted */ - if (res>0 && !iptcc_is_builtin(c)) { /* Walked too far*/ - debug(" Not in list, walked too far, sorted list\n"); - return NULL; - } + ici = (void *) handle->table_chains_headers->chains_info; + + for (i = 0; i < handle->cache_num_chains; i++) { + if(strcmp( ici->name, name ) == 0) return ici; - /* Stop on wrap around, if list head is reached */ - if (pos == &handle->chains) { - debug("Stop, list head reached\n"); - return NULL; - } + ici= (void *) ici->entries; } - - debug("List search NOT found name:%s\n", name); + errno = ENOENT; return NULL; } -/* called when rule is to be removed from cache */ -static void iptcc_delete_rule(struct rule_head *r) -{ - DEBUGP("deleting rule %p (offset %u)\n", r, r->offset); - /* clean up reference count of called chain */ - if (r->type == IPTCC_R_JUMP - && r->jump) - r->jump->references--; - - list_del(&r->list); - free(r); -} - - -/********************************************************************** - * RULESET PARSER (blob -> cache) - **********************************************************************/ - -/* Delete policy rule of previous chain, since cache doesn't contain - * chain policy rules. - * WARNING: This function has ugly design and relies on a lot of context, only - * to be called from specific places within the parser */ -static int __iptcc_p_del_policy(TC_HANDLE_T h, unsigned int num) -{ - if (h->chain_iterator_cur) { - /* policy rule is last rule */ - struct rule_head *pr = (struct rule_head *) - h->chain_iterator_cur->rules.prev; - - /* save verdict */ - h->chain_iterator_cur->verdict = - *(int *)GET_TARGET(pr->entry)->data; - - /* save counter and counter_map information */ - h->chain_iterator_cur->counter_map.maptype = - COUNTER_MAP_NORMAL_MAP; - h->chain_iterator_cur->counter_map.mappos = num-1; - memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters, - sizeof(h->chain_iterator_cur->counters)); - - /* foot_offset points to verdict rule */ - h->chain_iterator_cur->foot_index = num; - h->chain_iterator_cur->foot_offset = pr->offset; - - /* delete rule from cache */ - iptcc_delete_rule(pr); - h->chain_iterator_cur->num_rules--; - - return 1; - } - return 0; -} - -/* alphabetically insert a chain into the list */ -static inline void iptc_insert_chain(TC_HANDLE_T h, struct chain_head *c) -{ - struct chain_head *tmp; - struct list_head *list_start_pos; - unsigned int i=1; - - /* Find a smart place to start the insert search */ - list_start_pos = iptcc_bsearch_chain_index(c->name, &i, h); - - /* Handle the case, where chain.name is smaller than index[0] */ - if (i==0 && strcmp(c->name, h->chain_index[0]->name) <= 0) { - h->chain_index[0] = c; /* Update chain index head */ - list_start_pos = h->chains.next; - debug("Update chain_index[0] with %s\n", c->name); - } - - /* Handel if bsearch bails out early */ - if (list_start_pos == &h->chains) { - list_start_pos = h->chains.next; - } - - /* sort only user defined chains */ - if (!c->hooknum) { - list_for_each_entry(tmp, list_start_pos->prev, list) { - if (!tmp->hooknum && strcmp(c->name, tmp->name) <= 0) { - list_add(&c->list, tmp->list.prev); - return; - } - - /* Stop if list head is reached */ - if (&tmp->list == &h->chains) { - debug("Insert, list head reached add to tail\n"); - break; - } - } - } - - /* survived till end of list: add at tail */ - list_add_tail(&c->list, &h->chains); -} - -/* Another ugly helper function split out of cache_add_entry to make it less - * spaghetti code */ -static void __iptcc_p_add_chain(TC_HANDLE_T h, struct chain_head *c, - unsigned int offset, unsigned int *num) -{ - struct list_head *tail = h->chains.prev; - struct chain_head *ctail; - - __iptcc_p_del_policy(h, *num); - - c->head_offset = offset; - c->index = *num; - - /* Chains from kernel are already sorted, as they are inserted - * sorted. But there exists an issue when shifting to 1.4.0 - * from an older version, as old versions allow last created - * chain to be unsorted. - */ - if (iptcc_is_builtin(c)) /* Only user defined chains are sorted*/ - list_add_tail(&c->list, &h->chains); - else { - ctail = list_entry(tail, struct chain_head, list); - if (strcmp(c->name, ctail->name) > 0) - list_add_tail(&c->list, &h->chains);/* Already sorted*/ - else - iptc_insert_chain(h, c);/* Was not sorted */ - } - - h->chain_iterator_cur = c; -} - -/* main parser function: add an entry from the blob to the cache */ -static int cache_add_entry(STRUCT_ENTRY *e, - TC_HANDLE_T h, - STRUCT_ENTRY **prev, - unsigned int *num) -{ - unsigned int builtin; - unsigned int offset = (char *)e - (char *)h->entries->entrytable; - - DEBUGP("entering..."); - - /* Last entry ("policy rule"). End it.*/ - if (iptcb_entry2offset(h,e) + e->next_offset == h->entries->size) { - /* This is the ERROR node at the end of the chain */ - DEBUGP_C("%u:%u: end of table:\n", *num, offset); - - __iptcc_p_del_policy(h, *num); - - h->chain_iterator_cur = NULL; - goto out_inc; - } - - /* We know this is the start of a new chain if it's an ERROR - * target, or a hook entry point */ - - if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) == 0) { - struct chain_head *c = - iptcc_alloc_chain_head((const char *)GET_TARGET(e)->data, 0); - DEBUGP_C("%u:%u:new userdefined chain %s: %p\n", *num, offset, - (char *)c->name, c); - if (!c) { - errno = -ENOMEM; - return -1; - } - h->num_chains++; /* New user defined chain */ - - __iptcc_p_add_chain(h, c, offset, num); - - } else if ((builtin = iptcb_ent_is_hook_entry(e, h)) != 0) { - struct chain_head *c = - iptcc_alloc_chain_head((char *)hooknames[builtin-1], - builtin); - DEBUGP_C("%u:%u new builtin chain: %p (rules=%p)\n", - *num, offset, c, &c->rules); - if (!c) { - errno = -ENOMEM; - return -1; - } - - c->hooknum = builtin; - - __iptcc_p_add_chain(h, c, offset, num); - - /* FIXME: this is ugly. */ - goto new_rule; - } else { - /* has to be normal rule */ - struct rule_head *r; -new_rule: - - if (!(r = iptcc_alloc_rule(h->chain_iterator_cur, - e->next_offset))) { - errno = ENOMEM; - return -1; - } - DEBUGP_C("%u:%u normal rule: %p: ", *num, offset, r); - - r->index = *num; - r->offset = offset; - memcpy(r->entry, e, e->next_offset); - r->counter_map.maptype = COUNTER_MAP_NORMAL_MAP; - r->counter_map.mappos = r->index; - - /* handling of jumps, etc. */ - if (!strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET)) { - STRUCT_STANDARD_TARGET *t; - - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e); - if (t->target.u.target_size - != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) { - errno = EINVAL; - return -1; - } - - if (t->verdict < 0) { - DEBUGP_C("standard, verdict=%d\n", t->verdict); - r->type = IPTCC_R_STANDARD; - } else if (t->verdict == r->offset+e->next_offset) { - DEBUGP_C("fallthrough\n"); - r->type = IPTCC_R_FALLTHROUGH; - } else { - DEBUGP_C("jump, target=%u\n", t->verdict); - r->type = IPTCC_R_JUMP; - /* Jump target fixup has to be deferred - * until second pass, since we migh not - * yet have parsed the target */ - } - } else { - DEBUGP_C("module, target=%s\n", GET_TARGET(e)->u.user.name); - r->type = IPTCC_R_MODULE; - } - - list_add_tail(&r->list, &h->chain_iterator_cur->rules); - h->chain_iterator_cur->num_rules++; - } -out_inc: - (*num)++; - return 0; -} - - -/* parse an iptables blob into it's pieces */ -static int parse_table(TC_HANDLE_T h) -{ - STRUCT_ENTRY *prev; - unsigned int num = 0; - struct chain_head *c; - - /* First pass: over ruleset blob */ - ENTRY_ITERATE(h->entries->entrytable, h->entries->size, - cache_add_entry, h, &prev, &num); - - /* Build the chain index, used for chain list search speedup */ - if ((iptcc_chain_index_alloc(h)) < 0) - return -ENOMEM; - iptcc_chain_index_build(h); - - /* Second pass: fixup parsed data from first pass */ - list_for_each_entry(c, &h->chains, list) { - struct rule_head *r; - list_for_each_entry(r, &c->rules, list) { - struct chain_head *lc; - STRUCT_STANDARD_TARGET *t; - - if (r->type != IPTCC_R_JUMP) - continue; - - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry); - lc = iptcc_find_chain_by_offset(h, t->verdict); - if (!lc) - return -1; - r->jump = lc; - lc->references++; - } - } - - /* FIXME: sort chains */ - - return 1; -} - +static int +populate_entries_cache(STRUCT_CHAIN_INFO *chain, TC_HANDLE_T handle){ + STRUCT_COMMAND *cmd; + socklen_t s; -/********************************************************************** - * RULESET COMPILATION (cache -> blob) - **********************************************************************/ + if(handle->entries_cache && !handle->entries_info_changed + && !strcmp(chain->name, handle->entries_cache->name)) + return 1; -/* Convenience structures */ -struct iptcb_chain_start{ - STRUCT_ENTRY e; - struct ipt_error_target name; -}; -#define IPTCB_CHAIN_START_SIZE (sizeof(STRUCT_ENTRY) + \ - ALIGN(sizeof(struct ipt_error_target))) + if(handle->entries_cache) free(handle->entries_cache); + handle->entries_cache = NULL; -struct iptcb_chain_foot { - STRUCT_ENTRY e; - STRUCT_STANDARD_TARGET target; -}; -#define IPTCB_CHAIN_FOOT_SIZE (sizeof(STRUCT_ENTRY) + \ - ALIGN(sizeof(STRUCT_STANDARD_TARGET))) + s= ( sizeof(STRUCT_COMMAND) > sizeof(STRUCT_CHAIN_INFO))? + sizeof(STRUCT_COMMAND) : sizeof(STRUCT_CHAIN_INFO); + s+= chain->size; -struct iptcb_chain_error { - STRUCT_ENTRY entry; - struct ipt_error_target target; -}; -#define IPTCB_CHAIN_ERROR_SIZE (sizeof(STRUCT_ENTRY) + \ - ALIGN(sizeof(struct ipt_error_target))) + cmd= malloc(s); if(cmd == NULL){ errno = ENOMEM; return 0; } - - -/* compile rule from cache into blob */ -static inline int iptcc_compile_rule (TC_HANDLE_T h, STRUCT_REPLACE *repl, struct rule_head *r) -{ - /* handle jumps */ - if (r->type == IPTCC_R_JUMP) { - STRUCT_STANDARD_TARGET *t; - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry); - /* memset for memcmp convenience on delete/replace */ - memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN); - strcpy(t->target.u.user.name, STANDARD_TARGET); - /* Jumps can only happen to builtin chains, so we - * can safely assume that they always have a header */ - t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE; - } else if (r->type == IPTCC_R_FALLTHROUGH) { - STRUCT_STANDARD_TARGET *t; - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry); - t->verdict = r->offset + r->size; - } + cmd->command= PKTT_CHAIN_GET_ENTRIES; + strcpy(cmd->table_name, handle->table.name); + strcpy(cmd->chain_name, chain->name); + cmd->family = TC_AF; - /* copy entry from cache to blob */ - memcpy((char *)repl->entries+r->offset, r->entry, r->size); - - return 1; -} - -/* compile chain from cache into blob */ -static int iptcc_compile_chain(TC_HANDLE_T h, STRUCT_REPLACE *repl, struct chain_head *c) -{ - int ret; - struct rule_head *r; - struct iptcb_chain_start *head; - struct iptcb_chain_foot *foot; - - /* only user-defined chains have heaer */ - if (!iptcc_is_builtin(c)) { - /* put chain header in place */ - head = (void *)repl->entries + c->head_offset; - head->e.target_offset = sizeof(STRUCT_ENTRY); - head->e.next_offset = IPTCB_CHAIN_START_SIZE; - strcpy(head->name.t.u.user.name, ERROR_TARGET); - head->name.t.u.target_size = - ALIGN(sizeof(struct ipt_error_target)); - strcpy(head->name.error, c->name); - } else { - repl->hook_entry[c->hooknum-1] = c->head_offset; - repl->underflow[c->hooknum-1] = c->foot_offset; - } - - /* iterate over rules */ - list_for_each_entry(r, &c->rules, list) { - ret = iptcc_compile_rule(h, repl, r); - if (ret < 0) - return ret; - } - - /* put chain footer in place */ - foot = (void *)repl->entries + c->foot_offset; - foot->e.target_offset = sizeof(STRUCT_ENTRY); - foot->e.next_offset = IPTCB_CHAIN_FOOT_SIZE; - strcpy(foot->target.target.u.user.name, STANDARD_TARGET); - foot->target.target.u.target_size = - ALIGN(sizeof(STRUCT_STANDARD_TARGET)); - /* builtin targets have verdict, others return */ - if (iptcc_is_builtin(c)) - foot->target.verdict = c->verdict; - else - foot->target.verdict = RETURN; - /* set policy-counters */ - memcpy(&foot->e.counters, &c->counters, sizeof(STRUCT_COUNTERS)); - - return 0; -} - -/* calculate offset and number for every rule in the cache */ -static int iptcc_compile_chain_offsets(TC_HANDLE_T h, struct chain_head *c, - unsigned int *offset, unsigned int *num) -{ - struct rule_head *r; - - c->head_offset = *offset; - DEBUGP("%s: chain_head %u, offset=%u\n", c->name, *num, *offset); - - if (!iptcc_is_builtin(c)) { - /* Chain has header */ - *offset += sizeof(STRUCT_ENTRY) - + ALIGN(sizeof(struct ipt_error_target)); - (*num)++; - } - - list_for_each_entry(r, &c->rules, list) { - DEBUGP("rule %u, offset=%u, index=%u\n", *num, *offset, *num); - r->offset = *offset; - r->index = *num; - *offset += r->size; - (*num)++; - } - - DEBUGP("%s; chain_foot %u, offset=%u, index=%u\n", c->name, *num, - *offset, *num); - c->foot_offset = *offset; - c->foot_index = *num; - *offset += sizeof(STRUCT_ENTRY) - + ALIGN(sizeof(STRUCT_STANDARD_TARGET)); - (*num)++; - - return 1; -} - -/* put the pieces back together again */ -static int iptcc_compile_table_prep(TC_HANDLE_T h, unsigned int *size) -{ - struct chain_head *c; - unsigned int offset = 0, num = 0; - int ret = 0; - - /* First pass: calculate offset for every rule */ - list_for_each_entry(c, &h->chains, list) { - ret = iptcc_compile_chain_offsets(h, c, &offset, &num); - if (ret < 0) - return ret; - } - - /* Append one error rule at end of chain */ - num++; - offset += sizeof(STRUCT_ENTRY) - + ALIGN(sizeof(struct ipt_error_target)); - - /* ruleset size is now in offset */ - *size = offset; - return num; -} - -static int iptcc_compile_table(TC_HANDLE_T h, STRUCT_REPLACE *repl) -{ - struct chain_head *c; - struct iptcb_chain_error *error; - - /* Second pass: copy from cache to offsets, fill in jumps */ - list_for_each_entry(c, &h->chains, list) { - int ret = iptcc_compile_chain(h, repl, c); - if (ret < 0) - return ret; + if(getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, cmd, &s) <0){ + free(cmd); errno = EFAULT; + return 0; } + + handle->entries_cache = (void *) cmd; + handle->end_of_entries = (void *) + ((void *)handle->entries_cache->entries + chain->size); - /* Append error rule at end of chain */ - error = (void *)repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE; - error->entry.target_offset = sizeof(STRUCT_ENTRY); - error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE; - error->target.t.u.user.target_size = - ALIGN(sizeof(struct ipt_error_target)); - strcpy((char *)&error->target.t.u.user.name, ERROR_TARGET); - strcpy((char *)&error->target.error, "ERROR"); - + handle->entries_info_changed = 0; return 1; } -/********************************************************************** - * EXTERNAL API (operates on cache only) - **********************************************************************/ - -/* Allocate handle of given size */ -static TC_HANDLE_T -alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) -{ - size_t len; - TC_HANDLE_T h; - - len = sizeof(STRUCT_TC_HANDLE) + size; - - h = malloc(sizeof(STRUCT_TC_HANDLE)); - if (!h) { - errno = ENOMEM; - return NULL; - } - memset(h, 0, sizeof(*h)); - INIT_LIST_HEAD(&h->chains); - strcpy(h->info.name, tablename); - - h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + size); - if (!h->entries) - goto out_free_handle; - - strcpy(h->entries->name, tablename); - h->entries->size = size; - - return h; - -out_free_handle: - free(h); - - return NULL; -} - - TC_HANDLE_T TC_INIT(const char *tablename) { TC_HANDLE_T h; - STRUCT_GETINFO info; - unsigned int tmp; - socklen_t s; iptc_fn = TC_INIT; - if (strlen(tablename) >= TABLE_MAXNAMELEN) { - errno = EINVAL; - return NULL; - } - - if (sockfd_use == 0) { - sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW); - if (sockfd < 0) - return NULL; - } - sockfd_use++; -retry: - s = sizeof(info); - - strcpy(info.name, tablename); - if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, &info, &s) < 0) { - if (--sockfd_use == 0) { - close(sockfd); - sockfd = -1; - } - return NULL; - } - - DEBUGP("valid_hooks=0x%08x, num_entries=%u, size=%u\n", - info.valid_hooks, info.num_entries, info.size); - - if ((h = alloc_handle(info.name, info.size, info.num_entries)) - == NULL) { - if (--sockfd_use == 0) { - close(sockfd); - sockfd = -1; - } - return NULL; - } - - /* Initialize current state */ - h->info = info; + if(strlen(tablename)+1 >= TABLE_MAXNAMELEN){errno = E2BIG; return NULL;} - h->entries->size = h->info.size; + h = alloc_handle(); + if(!h) return NULL; - tmp = sizeof(STRUCT_GET_ENTRIES) + h->info.size; + sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW); + if (sockfd < 0) {free(h); return NULL;} - if (getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, h->entries, - &tmp) < 0) - goto error; + strcpy(h->table.name, tablename); + set_changed(h, 0); -#ifdef IPTC_DEBUG2 - { - int fd = open("/tmp/libiptc-so_get_entries.blob", - O_CREAT|O_WRONLY); - if (fd >= 0) { - write(fd, h->entries, tmp); - close(fd); - } + if(!populate_cache(h)){ + free(h); close(sockfd); sockfd=-1; + return NULL; } -#endif + h->hooknames=hooknames; - if (parse_table(h) < 0) - goto error; - - CHECK(h); return h; -error: - TC_FREE(&h); - /* A different process changed the ruleset size, retry */ - if (errno == EAGAIN) - goto retry; - return NULL; } void TC_FREE(TC_HANDLE_T *h) { - struct chain_head *c, *tmp; - - iptc_fn = TC_FREE; - if (--sockfd_use == 0) { - close(sockfd); - sockfd = -1; - } - - list_for_each_entry_safe(c, tmp, &(*h)->chains, list) { - struct rule_head *r, *rtmp; - - list_for_each_entry_safe(r, rtmp, &c->rules, list) { - free(r); - } - - free(c); - } - - iptcc_chain_index_free(*h); + if(sockfd!=-1) { close(sockfd); sockfd = -1;} - free((*h)->entries); + if ((*h)->table_chains_headers) + free((*h)->table_chains_headers); + if ((*h)->entries_cache) + free((*h)->entries_cache); free(*h); - *h = NULL; } @@ -1318,369 +271,270 @@ print_match(const STRUCT_ENTRY_MATCH *m) return 0; } -static int dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle); +//static int dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle); void TC_DUMP_ENTRIES(const TC_HANDLE_T handle) { - iptc_fn = TC_DUMP_ENTRIES; - CHECK(handle); - - printf("libiptc v%s. %u bytes.\n", - XTABLES_VERSION, handle->entries->size); - printf("Table `%s'\n", handle->info.name); - printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n", - handle->info.hook_entry[HOOK_PRE_ROUTING], - handle->info.hook_entry[HOOK_LOCAL_IN], - handle->info.hook_entry[HOOK_FORWARD], - handle->info.hook_entry[HOOK_LOCAL_OUT], - handle->info.hook_entry[HOOK_POST_ROUTING]); - printf("Underflows: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n", - handle->info.underflow[HOOK_PRE_ROUTING], - handle->info.underflow[HOOK_LOCAL_IN], - handle->info.underflow[HOOK_FORWARD], - handle->info.underflow[HOOK_LOCAL_OUT], - handle->info.underflow[HOOK_POST_ROUTING]); - - ENTRY_ITERATE(handle->entries->entrytable, handle->entries->size, - dump_entry, handle); } /* Does this chain exist? */ int TC_IS_CHAIN(const char *chain, const TC_HANDLE_T handle) { - iptc_fn = TC_IS_CHAIN; - return iptcc_find_label(chain, handle) != NULL; -} - -static void iptcc_chain_iterator_advance(TC_HANDLE_T handle) -{ - struct chain_head *c = handle->chain_iterator_cur; - - if (c->list.next == &handle->chains) - handle->chain_iterator_cur = NULL; - else - handle->chain_iterator_cur = - list_entry(c->list.next, struct chain_head, list); + return find_label(chain, handle) != NULL; } /* Iterator functions to run through the chains. */ const char * TC_FIRST_CHAIN(TC_HANDLE_T *handle) { - struct chain_head *c = list_entry((*handle)->chains.next, - struct chain_head, list); - iptc_fn = TC_FIRST_CHAIN; + if(!check_handle(*handle)) return NULL; - if (list_empty(&(*handle)->chains)) { - DEBUGP(": no chains\n"); - return NULL; - } - - (*handle)->chain_iterator_cur = c; - iptcc_chain_iterator_advance(*handle); + (*handle)->chains_iterator + = (void *) &(*handle)->table_chains_headers->chains_info; - DEBUGP(": returning `%s'\n", c->name); - return c->name; + return (*handle)->chains_iterator->name; } /* Iterator functions to run through the chains. Returns NULL at end. */ const char * TC_NEXT_CHAIN(TC_HANDLE_T *handle) { - struct chain_head *c = (*handle)->chain_iterator_cur; + (*handle)->chains_iterator = + (void *) (*handle)->chains_iterator->entries; - iptc_fn = TC_NEXT_CHAIN; - - if (!c) { - DEBUGP(": no more chains\n"); + /* finished or not */ + if ( ( (void *)(*handle)->chains_iterator - + (void *)(*handle)->table_chains_headers->chains_info ) + / sizeof( STRUCT_CHAIN_INFO) == (*handle)->cache_num_chains) return NULL; - } - iptcc_chain_iterator_advance(*handle); - - DEBUGP(": returning `%s'\n", c->name); - return c->name; + return (*handle)->chains_iterator->name; } /* Get first rule in the given chain: NULL for empty chain. */ const STRUCT_ENTRY * TC_FIRST_RULE(const char *chain, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r; + STRUCT_CHAIN_INFO *ici; + STRUCT_ENTRY *e; iptc_fn = TC_FIRST_RULE; - DEBUGP("first rule(%s): ", chain); - - c = iptcc_find_label(chain, *handle); - if (!c) { - errno = ENOENT; - return NULL; - } - - /* Empty chain: single return/policy rule */ - if (list_empty(&c->rules)) { - DEBUGP_C("no rules, returning NULL\n"); - return NULL; - } + ici = find_label(chain, *handle); + if (!ici) return NULL; + if (ici->num_entries == 0) {errno=-1; return NULL;} - r = list_entry(c->rules.next, struct rule_head, list); - (*handle)->rule_iterator_cur = r; - DEBUGP_C("%p\n", r); + if(!populate_entries_cache(ici, *handle)) return NULL; - return r->entry; + /* this is first entry */ + e = (void *)(*handle)->entries_cache->entries; + return e; } /* Returns NULL when rules run out. */ const STRUCT_ENTRY * TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle) { - struct rule_head *r; - - iptc_fn = TC_NEXT_RULE; - DEBUGP("rule_iterator_cur=%p...", (*handle)->rule_iterator_cur); - - if (!(*handle)->rule_iterator_cur) { - DEBUGP_C("returning NULL\n"); - return NULL; - } - - r = list_entry((*handle)->rule_iterator_cur->list.next, - struct rule_head, list); - - iptc_fn = TC_NEXT_RULE; - - DEBUGP_C("next=%p, head=%p...", &r->list, - &(*handle)->rule_iterator_cur->chain->rules); + STRUCT_ENTRY *e; - if (&r->list == &(*handle)->rule_iterator_cur->chain->rules) { - (*handle)->rule_iterator_cur = NULL; - DEBUGP_C("finished, returning NULL\n"); + if ((void *)prev + prev->size + == (void *)(*handle)->end_of_entries) return NULL; - } - - (*handle)->rule_iterator_cur = r; - /* NOTE: prev is without any influence ! */ - DEBUGP_C("returning rule %p\n", r); - return r->entry; + /* this is next entry */ + e = (void *)prev + prev->size; + return e; } /* How many rules in this chain? */ -static unsigned int +unsigned int TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle) { - struct chain_head *c; + STRUCT_CHAIN_INFO *pci; + iptc_fn = TC_NUM_RULES; - CHECK(*handle); - c = iptcc_find_label(chain, *handle); - if (!c) { - errno = ENOENT; - return (unsigned int)-1; - } - - return c->num_rules; -} + pci = find_label(chain, *handle); + if(!pci) return (unsigned int) -1; -static const STRUCT_ENTRY * -TC_GET_RULE(const char *chain, unsigned int n, TC_HANDLE_T *handle) + return pci->num_entries; +} +/* Get n'th rule in this chain. */ +const STRUCT_ENTRY *TC_GET_RULE(const char *chain, + unsigned int n, + TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r; - + STRUCT_CHAIN_INFO *pci; + STRUCT_ENTRY *e; + int i; + iptc_fn = TC_GET_RULE; - CHECK(*handle); + pci = find_label(chain, *handle); + if(!pci) return NULL; - c = iptcc_find_label(chain, *handle); - if (!c) { - errno = ENOENT; - return NULL; - } + if(n > pci->num_entries) { errno=E2BIG; return NULL; } + if(!populate_entries_cache(pci, *handle)) return NULL; - r = iptcc_get_rule_num(c, n); - if (!r) - return NULL; - return r->entry; + e= (void *) (*handle)->entries_cache->entries; + for(i=1; i< n; ++i) e = (void*) e + e->size; + return e; } -/* Returns a pointer to the target name of this position. */ -static const char *standard_target_map(int verdict) +static const char * +target_name(TC_HANDLE_T handle, const STRUCT_ENTRY *ce) { - switch (verdict) { - case RETURN: - return LABEL_RETURN; - break; - case -NF_ACCEPT-1: - return LABEL_ACCEPT; - break; - case -NF_DROP-1: - return LABEL_DROP; - break; - case -NF_QUEUE-1: - return LABEL_QUEUE; - break; - default: - fprintf(stderr, "ERROR: %d not a valid target)\n", - verdict); - abort(); - break; - } - /* not reached */ + int verdict; + + /* To avoid const warnings */ + STRUCT_ENTRY *e = (STRUCT_ENTRY *)ce; + + if (strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET) != 0) + return GET_TARGET(e)->u.user.name; + + /* Standard target: evaluate */ + verdict = *(int *)GET_TARGET(e)->data; + + if (verdict == RETURN) return LABEL_RETURN; + else if (verdict == CONTINUE ) return LABEL_CONTINUE; + else if (verdict == -NF_ACCEPT-1) return LABEL_ACCEPT; + else if (verdict == -NF_DROP-1) return LABEL_DROP; + else if (verdict == -NF_QUEUE-1) return LABEL_QUEUE; + + fprintf(stderr, "ERROR: not a valid target (%i)\n", verdict); + + abort(); return NULL; } /* Returns a pointer to the target name of this position. */ -const char *TC_GET_TARGET(const STRUCT_ENTRY *ce, +const char *TC_GET_TARGET(const STRUCT_ENTRY *e, TC_HANDLE_T *handle) { - STRUCT_ENTRY *e = (STRUCT_ENTRY *)ce; - struct rule_head *r = container_of(e, struct rule_head, entry[0]); - - iptc_fn = TC_GET_TARGET; - - switch(r->type) { - int spos; - case IPTCC_R_FALLTHROUGH: - return ""; - break; - case IPTCC_R_JUMP: - DEBUGP("r=%p, jump=%p, name=`%s'\n", r, r->jump, r->jump->name); - return r->jump->name; - break; - case IPTCC_R_STANDARD: - spos = *(int *)GET_TARGET(e)->data; - DEBUGP("r=%p, spos=%d'\n", r, spos); - return standard_target_map(spos); - break; - case IPTCC_R_MODULE: - return GET_TARGET(e)->u.user.name; - break; - } - return NULL; -} -/* Is this a built-in chain? Actually returns hook + 1. */ -int -TC_BUILTIN(const char *chain, const TC_HANDLE_T handle) -{ - struct chain_head *c; - - iptc_fn = TC_BUILTIN; - - c = iptcc_find_label(chain, handle); - if (!c) { - errno = ENOENT; - return 0; - } - - return iptcc_is_builtin(c); + return target_name(*handle, e); } -/* Get the policy of a given built-in chain */ +/* Get the policy of a given chain */ const char * TC_GET_POLICY(const char *chain, STRUCT_COUNTERS *counters, TC_HANDLE_T *handle) { - struct chain_head *c; + STRUCT_CHAIN_INFO *ici; - iptc_fn = TC_GET_POLICY; + iptc_fn=TC_GET_POLICY; - DEBUGP("called for chain %s\n", chain); + ici = find_label( chain, *handle ); + if( !ici ) return NULL; - c = iptcc_find_label(chain, *handle); - if (!c) { - errno = ENOENT; - return NULL; - } + (*counters).pcnt = (*counters).bcnt = 0; + if(populate_entries_cache(ici, *handle)){ + STRUCT_ENTRY *e = (void*)(*handle)->entries_cache->entries; + int i; - if (!iptcc_is_builtin(c)) - return NULL; + for(i=0; i< ici->num_entries; ++i) { + (*counters).pcnt += e->counters.pcnt; + (*counters).bcnt += e->counters.bcnt; + e = (void *) e + e->size; + } + } - *counters = c->counters; + switch( ici->policy ){ + case cACCEPT: return LABEL_ACCEPT; + case cDROP: return LABEL_DROP; + case cRETURN: return LABEL_RETURN; + case cQUEUE: return LABEL_QUEUE; + } - return standard_target_map(c->verdict); + return NULL; } static int -iptcc_standard_map(struct rule_head *r, int verdict) +standard_map(STRUCT_ENTRY *e, int verdict) { - STRUCT_ENTRY *e = r->entry; STRUCT_STANDARD_TARGET *t; t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e); if (t->target.u.target_size != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) { - errno = EINVAL; - return 0; + errno = EINVAL; return 0; } /* memset for memcmp convenience on delete/replace */ memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN); strcpy(t->target.u.user.name, STANDARD_TARGET); t->verdict = verdict; - r->type = IPTCC_R_STANDARD; - return 1; } static int -iptcc_map_target(const TC_HANDLE_T handle, - struct rule_head *r) +map_target(const TC_HANDLE_T handle, + STRUCT_ENTRY *e, + STRUCT_ENTRY_TARGET *old) { - STRUCT_ENTRY *e = r->entry; STRUCT_ENTRY_TARGET *t = GET_TARGET(e); + /* Save old target (except data, which we don't change, except for + standard case, where we don't care). */ + *old = *t; + /* Maybe it's empty (=> fall through) */ - if (strcmp(t->u.user.name, "") == 0) { - r->type = IPTCC_R_FALLTHROUGH; - return 1; - } + if (strcmp(t->u.user.name, "") == 0 || + strcmp(t->u.user.name, LABEL_CONTINUE) == 0) + /* yesterday: next offset as a jump ( oook ) + today: be relax, just say continue. + */ + return standard_map(e, CONTINUE); /* Maybe it's a standard target name... */ else if (strcmp(t->u.user.name, LABEL_ACCEPT) == 0) - return iptcc_standard_map(r, -NF_ACCEPT - 1); + return standard_map(e, -NF_ACCEPT - 1); else if (strcmp(t->u.user.name, LABEL_DROP) == 0) - return iptcc_standard_map(r, -NF_DROP - 1); + return standard_map(e, -NF_DROP - 1); else if (strcmp(t->u.user.name, LABEL_QUEUE) == 0) - return iptcc_standard_map(r, -NF_QUEUE - 1); + return standard_map(e, -NF_QUEUE - 1); else if (strcmp(t->u.user.name, LABEL_RETURN) == 0) - return iptcc_standard_map(r, RETURN); - else if (TC_BUILTIN(t->u.user.name, handle)) { - /* Can't jump to builtins. */ - errno = EINVAL; - return 0; - } else { + return standard_map(e, RETURN); + /* yesterday: afraid from builtin chains to take palce as targets + today: can use from every chain as target + */ + else { /* Maybe it's an existing chain name. */ - struct chain_head *c; - DEBUGP("trying to find chain `%s': ", t->u.user.name); - - c = iptcc_find_label(t->u.user.name, handle); - if (c) { - DEBUGP_C("found!\n"); - r->type = IPTCC_R_JUMP; - r->jump = c; - c->references++; + STRUCT_CHAIN_INFO *ici; + + ici = find_label(t->u.user.name, handle); + if (ici) + /* yesterday: using from target offset to jump to him + today: very easy, we send him to kernel, the kernel + will jump in his traces to the appropriate + places + */ return 1; - } - DEBUGP_C("not found :(\n"); } - + /* Must be a module? If not, kernel will reject... */ - /* memset to all 0 for your memcmp convenience: don't clear version */ + /* memset to all 0 for your memcmp convenience. */ memset(t->u.user.name + strlen(t->u.user.name), 0, - FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name)); - r->type = IPTCC_R_MODULE; - set_changed(handle); + FUNCTION_MAXNAMELEN - strlen(t->u.user.name)); return 1; } +static void +unmap_target(STRUCT_ENTRY *e, STRUCT_ENTRY_TARGET *old) +{ + STRUCT_ENTRY_TARGET *t = GET_TARGET(e); + + /* Save old target (except data, which we don't change, except for + standard case, where we don't care). */ + *t = *old; +} + +static STRUCT_ENTRY_TARGET save; + /* Insert the entry `fw' in chain `chain' into position `rulenum'. */ int TC_INSERT_ENTRY(const IPT_CHAINLABEL chain, @@ -1688,215 +542,135 @@ TC_INSERT_ENTRY(const IPT_CHAINLABEL chain, unsigned int rulenum, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r; - struct list_head *prev; + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND *c; + socklen_t s; + int ret; iptc_fn = TC_INSERT_ENTRY; - if (!(c = iptcc_find_label(chain, *handle))) { - errno = ENOENT; - return 0; - } - - /* first rulenum index = 0 - first c->num_rules index = 1 */ - if (rulenum > c->num_rules) { - errno = E2BIG; - return 0; - } + ici= find_label(chain, *handle); + if(!ici) return 0; - /* If we are inserting at the end just take advantage of the - double linked list, insert will happen before the entry - prev points to. */ - if (rulenum == c->num_rules) { - prev = &c->rules; - } else if (rulenum + 1 <= c->num_rules/2) { - r = iptcc_get_rule_num(c, rulenum + 1); - prev = &r->list; - } else { - r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum); - prev = &r->list; - } + if(rulenum > (ici->num_entries+1) ){errno = E2BIG; return 0;} + ((STRUCT_ENTRY*)e)->family = TC_AF; - if (!(r = iptcc_alloc_rule(c, e->next_offset))) { - errno = ENOMEM; - return 0; - } + s= sizeof(STRUCT_COMMAND) + e->size; + c= malloc(s); + if(!c){errno = ENOMEM; return 0; } - memcpy(r->entry, e, e->next_offset); - r->counter_map.maptype = COUNTER_MAP_SET; + map_target(*handle, (STRUCT_ENTRY *)e, &save); - if (!iptcc_map_target(*handle, r)) { - free(r); - return 0; - } + /* copy entry as payload */ + memcpy((void *)c+sizeof(STRUCT_COMMAND), e, e->size ); - list_add_tail(&r->list, prev); - c->num_rules++; + unmap_target((STRUCT_ENTRY *)e, &save); - set_changed(*handle); + c->command = PKTT_ENTRY_ADD; + strcpy(c->table_name , (*handle)->table.name); + strcpy(c->chain_name , ici->name); + c->ext.ent.rule_number = (rulenum > ici->num_entries)?/*it means append*/ + ici->num_entries+1:rulenum ; + c->family = TC_AF; + if((ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, c, s))<0){ + free(c); errno = EFAULT; + return 0; + } + set_changed(*handle, 1); + + free(c); return 1; } -/* Atomically replace rule `rulenum' in `chain' with `fw'. */ +/* Atomically replace rule `rulenum' in `chain' with `e'. */ int TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain, const STRUCT_ENTRY *e, unsigned int rulenum, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r, *old; + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND *c; + socklen_t s; + int ret; iptc_fn = TC_REPLACE_ENTRY; - if (!(c = iptcc_find_label(chain, *handle))) { - errno = ENOENT; - return 0; - } + ici = find_label(chain, *handle); + if(!ici) return 0; - if (rulenum >= c->num_rules) { - errno = E2BIG; - return 0; - } + if(rulenum > ici->num_entries) {errno = E2BIG; return 0;} + ((STRUCT_ENTRY*)e)->family = TC_AF; - /* Take advantage of the double linked list if possible. */ - if (rulenum + 1 <= c->num_rules/2) { - old = iptcc_get_rule_num(c, rulenum + 1); - } else { - old = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum); - } + s= sizeof(STRUCT_COMMAND) + e->size; + if(!(c = malloc( s ))){errno = ENOMEM; return 0; } - if (!(r = iptcc_alloc_rule(c, e->next_offset))) { - errno = ENOMEM; - return 0; - } + map_target(*handle, (STRUCT_ENTRY *)e, &save); - memcpy(r->entry, e, e->next_offset); - r->counter_map.maptype = COUNTER_MAP_SET; + /* copy entry as payload */ + memcpy( (void *)c+ sizeof(STRUCT_COMMAND), e, e->size); - if (!iptcc_map_target(*handle, r)) { - free(r); - return 0; - } + unmap_target((STRUCT_ENTRY *)e, &save); - list_add(&r->list, &old->list); - iptcc_delete_rule(old); + c->command = PKTT_ENTRY_REPLACE; + strcpy(c->table_name, (*handle)->table.name); + strcpy(c->chain_name, ici->name ); + c->ext.ent.rule_number = rulenum; + c->family = TC_AF; - set_changed(*handle); + if( (ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, c, s)) <0 ){ + free(c); errno = EFAULT; + return 0; + } + set_changed(*handle, 1); + free(c); return 1; } /* Append entry `fw' to chain `chain'. Equivalent to insert with - rulenum = length of chain. */ + rulenum = (#chain_entries) + 1. */ int TC_APPEND_ENTRY(const IPT_CHAINLABEL chain, const STRUCT_ENTRY *e, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r; - + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND *c; + socklen_t s; + int ret; iptc_fn = TC_APPEND_ENTRY; - if (!(c = iptcc_find_label(chain, *handle))) { - DEBUGP("unable to find chain `%s'\n", chain); - errno = ENOENT; - return 0; - } - if (!(r = iptcc_alloc_rule(c, e->next_offset))) { - DEBUGP("unable to allocate rule for chain `%s'\n", chain); - errno = ENOMEM; - return 0; - } - - memcpy(r->entry, e, e->next_offset); - r->counter_map.maptype = COUNTER_MAP_SET; - - if (!iptcc_map_target(*handle, r)) { - DEBUGP("unable to map target of rule for chain `%s'\n", chain); - free(r); - return 0; - } - - list_add_tail(&r->list, &c->rules); - c->num_rules++; - - set_changed(*handle); - - return 1; -} - -static inline int -match_different(const STRUCT_ENTRY_MATCH *a, - const unsigned char *a_elems, - const unsigned char *b_elems, - unsigned char **maskptr) -{ - const STRUCT_ENTRY_MATCH *b; - unsigned int i; + ici = find_label(chain, *handle); + if(!ici) return 0; + + ((STRUCT_ENTRY *)e)->family = TC_AF; - /* Offset of b is the same as a. */ - b = (void *)b_elems + ((unsigned char *)a - a_elems); + s= sizeof(STRUCT_COMMAND) + e->size; + if(!(c = malloc( s ))){ errno = ENOMEM; return 0;} - if (a->u.match_size != b->u.match_size) - return 1; + map_target(*handle, (STRUCT_ENTRY *)e, &save); - if (strcmp(a->u.user.name, b->u.user.name) != 0) - return 1; + memcpy( (void *)c + sizeof(STRUCT_COMMAND), e, e->size ); - *maskptr += ALIGN(sizeof(*a)); + unmap_target((STRUCT_ENTRY *)e, &save); - for (i = 0; i < a->u.match_size - ALIGN(sizeof(*a)); i++) - if (((a->data[i] ^ b->data[i]) & (*maskptr)[i]) != 0) - return 1; - *maskptr += i; - return 0; -} + c->command = PKTT_ENTRY_ADD; + strcpy( c->table_name, (*handle)->table.name ); + strcpy( c->chain_name, ici->name); + c->ext.ent.rule_number = ici->num_entries+1; + c->family = TC_AF; -static inline int -target_same(struct rule_head *a, struct rule_head *b,const unsigned char *mask) -{ - unsigned int i; - STRUCT_ENTRY_TARGET *ta, *tb; - - if (a->type != b->type) + if( (ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, c, s))<0){ + free(c); errno = EFAULT; return 0; - - ta = GET_TARGET(a->entry); - tb = GET_TARGET(b->entry); - - switch (a->type) { - case IPTCC_R_FALLTHROUGH: - return 1; - case IPTCC_R_JUMP: - return a->jump == b->jump; - case IPTCC_R_STANDARD: - return ((STRUCT_STANDARD_TARGET *)ta)->verdict - == ((STRUCT_STANDARD_TARGET *)tb)->verdict; - case IPTCC_R_MODULE: - if (ta->u.target_size != tb->u.target_size) - return 0; - if (strcmp(ta->u.user.name, tb->u.user.name) != 0) - return 0; - - for (i = 0; i < ta->u.target_size - sizeof(*ta); i++) - if (((ta->data[i] ^ tb->data[i]) & mask[i]) != 0) - return 0; - return 1; - default: - fprintf(stderr, "ERROR: bad type %i\n", a->type); - abort(); } -} + set_changed(*handle, 1); -static unsigned char * -is_same(const STRUCT_ENTRY *a, - const STRUCT_ENTRY *b, - unsigned char *matchmask); + free(c); + return 1; +} /* Delete the first rule in `chain' which matches `fw'. */ int @@ -1905,112 +679,68 @@ TC_DELETE_ENTRY(const IPT_CHAINLABEL chain, unsigned char *matchmask, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r, *i; + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND *c; + socklen_t s; + int ret; iptc_fn = TC_DELETE_ENTRY; - if (!(c = iptcc_find_label(chain, *handle))) { - errno = ENOENT; - return 0; - } + if (!(ici = find_label(chain, *handle))) return 0; - /* Create a rule_head from origfw. */ - r = iptcc_alloc_rule(c, origfw->next_offset); - if (!r) { - errno = ENOMEM; - return 0; - } + ((STRUCT_ENTRY*)origfw)->family = TC_AF; - memcpy(r->entry, origfw, origfw->next_offset); - r->counter_map.maptype = COUNTER_MAP_NOMAP; - if (!iptcc_map_target(*handle, r)) { - DEBUGP("unable to map target of rule for chain `%s'\n", chain); - free(r); - return 0; - } else { - /* iptcc_map_target increment target chain references - * since this is a fake rule only used for matching - * the chain references count is decremented again. - */ - if (r->type == IPTCC_R_JUMP - && r->jump) - r->jump->references--; - } + s= sizeof(STRUCT_COMMAND) + origfw->size; + if(!(c = malloc( s ))){ errno = ENOMEM; return 0; } - list_for_each_entry(i, &c->rules, list) { - unsigned char *mask; + map_target(*handle, (STRUCT_ENTRY *)origfw, &save); - mask = is_same(r->entry, i->entry, matchmask); - if (!mask) - continue; + memcpy( (void *)c+sizeof(STRUCT_COMMAND), origfw, origfw->size); - if (!target_same(r, i, mask)) - continue; - - /* If we are about to delete the rule that is the - * current iterator, move rule iterator back. next - * pointer will then point to real next node */ - if (i == (*handle)->rule_iterator_cur) { - (*handle)->rule_iterator_cur = - list_entry((*handle)->rule_iterator_cur->list.prev, - struct rule_head, list); - } + unmap_target((STRUCT_ENTRY *)origfw, &save); - c->num_rules--; - iptcc_delete_rule(i); + c->command = PKTT_ENTRY_DEL_WITH_RULE; + strcpy(c->table_name, (*handle)->table.name); + strcpy(c->chain_name, ici->name); + c->family = TC_AF; - set_changed(*handle); - free(r); - return 1; + if((ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, c, s))<0){ + free(c); errno = EFAULT; + return 0; } + set_changed(*handle, 1); - free(r); - errno = ENOENT; - return 0; + free(c); + return 1; } - /* Delete the rule in position `rulenum' in `chain'. */ int TC_DELETE_NUM_ENTRY(const IPT_CHAINLABEL chain, unsigned int rulenum, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r; + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND c; + socklen_t s; + int ret; iptc_fn = TC_DELETE_NUM_ENTRY; + if(!(ici = find_label(chain, *handle))) return 0; - if (!(c = iptcc_find_label(chain, *handle))) { - errno = ENOENT; - return 0; - } - - if (rulenum >= c->num_rules) { - errno = E2BIG; - return 0; - } + if(rulenum > ici->num_entries) {errno = E2BIG; return 0;} - /* Take advantage of the double linked list if possible. */ - if (rulenum + 1 <= c->num_rules/2) { - r = iptcc_get_rule_num(c, rulenum + 1); - } else { - r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum); - } + c.command = PKTT_ENTRY_DEL_WITH_NUM; + strcpy(c.table_name, (*handle)->table.name); + strcpy(c.chain_name, ici->name); + c.ext.ent.rule_number = rulenum; + c.family = TC_AF; - /* If we are about to delete the rule that is the current - * iterator, move rule iterator back. next pointer will then - * point to real next node */ - if (r == (*handle)->rule_iterator_cur) { - (*handle)->rule_iterator_cur = - list_entry((*handle)->rule_iterator_cur->list.prev, - struct rule_head, list); + s= sizeof( STRUCT_COMMAND); + if((ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, &c, s))<0){ + errno = EFAULT; + return 0; } - - c->num_rules--; - iptcc_delete_rule(r); - - set_changed(*handle); + set_changed(*handle, 1); return 1; } @@ -2022,7 +752,6 @@ TC_CHECK_PACKET(const IPT_CHAINLABEL chain, STRUCT_ENTRY *entry, TC_HANDLE_T *handle) { - iptc_fn = TC_CHECK_PACKET; errno = ENOSYS; return NULL; } @@ -2031,49 +760,53 @@ TC_CHECK_PACKET(const IPT_CHAINLABEL chain, int TC_FLUSH_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r, *tmp; + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND c; + socklen_t s; + int ret; iptc_fn = TC_FLUSH_ENTRIES; - if (!(c = iptcc_find_label(chain, *handle))) { - errno = ENOENT; - return 0; - } - - list_for_each_entry_safe(r, tmp, &c->rules, list) { - iptcc_delete_rule(r); - } - - c->num_rules = 0; + if(!(ici = find_label(chain, *handle))) return 0; - set_changed(*handle); + c.command = PKTT_CHAIN_FLUSH; + strcpy(c.table_name, (*handle)->table.name); + strcpy(c.chain_name, ici->name); + c.family = TC_AF; + s = sizeof(STRUCT_COMMAND); + if((ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, &c, s))<0){ + errno = EFAULT; + return 0; + } + set_changed(*handle, 1); + return 1; } -/* Zeroes the counters in a chain. */ +/* Zeroes the counters of the entries in a chain. */ int TC_ZERO_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r; + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND c; + socklen_t s; + int ret; - iptc_fn = TC_ZERO_ENTRIES; - if (!(c = iptcc_find_label(chain, *handle))) { - errno = ENOENT; - return 0; - } + iptc_fn= TC_ZERO_ENTRIES; + if (!(ici = find_label(chain, *handle))) return 0; - if (c->counter_map.maptype == COUNTER_MAP_NORMAL_MAP) - c->counter_map.maptype = COUNTER_MAP_ZEROED; + c.command = PKTT_CHAIN_ZERO; + strcpy(c.table_name, (*handle)->table.name ); + strcpy(c.chain_name, ici->name ); + c.family = TC_AF; - list_for_each_entry(r, &c->rules, list) { - if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP) - r->counter_map.maptype = COUNTER_MAP_ZEROED; + s= sizeof(STRUCT_COMMAND); + if((ret= setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, &c, s))<0){ + errno = EFAULT; + return 0; } - - set_changed(*handle); - + set_changed(*handle, 2); + return 1; } @@ -2082,23 +815,36 @@ TC_READ_COUNTER(const IPT_CHAINLABEL chain, unsigned int rulenum, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r; - - iptc_fn = TC_READ_COUNTER; - CHECK(*handle); - - if (!(c = iptcc_find_label(chain, *handle))) { - errno = ENOENT; - return NULL; - } + STRUCT_CHAIN_INFO *ici; + STRUCT_COUNTERS *cnt; + STRUCT_COMMAND *c; + socklen_t s; + int ret; + + iptc_fn= TC_READ_COUNTER; + if(!(ici=find_label(chain, *handle))){ return NULL;} - if (!(r = iptcc_get_rule_num(c, rulenum))) { - errno = E2BIG; - return NULL; + if(rulenum > ici->num_entries) {errno = E2BIG; return NULL;} + + s = (sizeof(STRUCT_COUNTERS) > sizeof(STRUCT_COMMAND))? + sizeof(STRUCT_COUNTERS):sizeof(STRUCT_COMMAND); + if(!(c=malloc(s))){ errno=ENOMEM; return NULL; }; + + c->command = PKTT_ENTRY_GET_COUNTERS; + strcpy(c->table_name, (*handle)->table.name); + strcpy(c->chain_name, ici->name); + c->ext.ent.rule_number = rulenum; + c->family = TC_AF; + + if((ret=getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, c, &s))<0){ + errno = EFAULT; free(c); + return 0; } + cnt = malloc( sizeof(STRUCT_COUNTERS)); if(!cnt){errno=ENOMEM; free(c); return NULL;} + memcpy(cnt, c, sizeof(STRUCT_COUNTERS)); - return &r->entry[0].counters; + free(c); + return cnt; } int @@ -2106,26 +852,30 @@ TC_ZERO_COUNTER(const IPT_CHAINLABEL chain, unsigned int rulenum, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r; - - iptc_fn = TC_ZERO_COUNTER; - CHECK(*handle); + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND c; + socklen_t s; + int ret; - if (!(c = iptcc_find_label(chain, *handle))) { - errno = ENOENT; - return 0; - } + iptc_fn= TC_ZERO_COUNTER; + if(!(ici = find_label(chain, *handle))){return 0;} - if (!(r = iptcc_get_rule_num(c, rulenum))) { - errno = E2BIG; - return 0; - } + if(rulenum > ici->num_entries){ errno = E2BIG; return 0;} - if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP) - r->counter_map.maptype = COUNTER_MAP_ZEROED; + c.command = PKTT_ENTRY_SET_COUNTER; + strcpy(c.table_name, (*handle)->table.name ); + strcpy(c.chain_name, ici->name ); + c.ext.ent.rule_number = rulenum; + c.ext.ent.counter.bcnt =0; + c.ext.ent.counter.pcnt =0; + c.family = TC_AF; - set_changed(*handle); + s= sizeof(STRUCT_COMMAND); + if((ret=setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS, &c, s))<0){ + errno = EFAULT; + return 0; + } + set_changed(*handle, 2); return 1; } @@ -2136,90 +886,74 @@ TC_SET_COUNTER(const IPT_CHAINLABEL chain, STRUCT_COUNTERS *counters, TC_HANDLE_T *handle) { - struct chain_head *c; - struct rule_head *r; - STRUCT_ENTRY *e; + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND c; + socklen_t s; + int ret; - iptc_fn = TC_SET_COUNTER; - CHECK(*handle); + iptc_fn= TC_SET_COUNTER; + if(!(ici= find_label(chain, *handle))){ return 0;} - if (!(c = iptcc_find_label(chain, *handle))) { - errno = ENOENT; - return 0; - } + if(rulenum > ici->num_entries) {errno = E2BIG; return 0;} - if (!(r = iptcc_get_rule_num(c, rulenum))) { - errno = E2BIG; - return 0; - } + c.command = PKTT_ENTRY_SET_COUNTER; + strcpy( c.table_name, (*handle)->table.name ); + strcpy( c.chain_name, ici->name); + c.ext.ent.rule_number= rulenum; + c.ext.ent.counter.bcnt = counters->bcnt; + c.ext.ent.counter.pcnt = counters->pcnt; + c.family = TC_AF; - e = r->entry; - r->counter_map.maptype = COUNTER_MAP_SET; + s = sizeof(STRUCT_COMMAND); + if((ret=setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS, &c, s))<0){ + errno = EFAULT; return 0; + } + set_changed(*handle, 2); - memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS)); + return 1; +} - set_changed(*handle); +int +TC_BUILTIN(const IPT_CHAINLABEL chain, const TC_HANDLE_T handle) +{ + unsigned int i; + + iptc_fn= TC_BUILTIN; - return 1; + for(i=0; i<NUMHOOKS; ++i){ + if( !(handle->table.valid_hooks & (1<<i)) ) + continue; + if( !strcmp( chain , handle->hooknames[i] ) ) + return 1; + } + return 0; } /* Creates a new chain. */ -/* To create a chain, create two rules: error node and unconditional - * return. */ int TC_CREATE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle) { - static struct chain_head *c; - int capacity; - int exceeded; + STRUCT_CHAIN_INFO *pci; + STRUCT_COMMAND c; + socklen_t s; + int ret; iptc_fn = TC_CREATE_CHAIN; - /* find_label doesn't cover built-in targets: DROP, ACCEPT, - QUEUE, RETURN. */ - if (iptcc_find_label(chain, *handle) - || strcmp(chain, LABEL_DROP) == 0 - || strcmp(chain, LABEL_ACCEPT) == 0 - || strcmp(chain, LABEL_QUEUE) == 0 - || strcmp(chain, LABEL_RETURN) == 0) { - DEBUGP("Chain `%s' already exists\n", chain); - errno = EEXIST; - return 0; - } + pci = find_label(chain, *handle); + if(pci){ errno = EEXIST; return 0;} - if (strlen(chain)+1 > sizeof(IPT_CHAINLABEL)) { - DEBUGP("Chain name `%s' too long\n", chain); - errno = EINVAL; - return 0; - } + c.command = PKTT_CHAIN_NEW; + strcpy(c.table_name, (*handle)->table.name ); + strcpy(c.chain_name, chain ); + c.family = TC_AF; - c = iptcc_alloc_chain_head(chain, 0); - if (!c) { - DEBUGP("Cannot allocate memory for chain `%s'\n", chain); - errno = ENOMEM; + s = sizeof(STRUCT_COMMAND); + if( (ret=setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, &c, s))<0){ + errno = EFAULT; return 0; - - } - (*handle)->num_chains++; /* New user defined chain */ - - DEBUGP("Creating chain `%s'\n", chain); - iptc_insert_chain(*handle, c); /* Insert sorted */ - - /* Inserting chains don't change the correctness of the chain - * index (except if its smaller than index[0], but that - * handled by iptc_insert_chain). It only causes longer lists - * in the buckets. Thus, only rebuild chain index when the - * capacity is exceed with CHAIN_INDEX_INSERT_MAX chains. - */ - capacity = (*handle)->chain_index_sz * CHAIN_INDEX_BUCKET_LEN; - exceeded = ((((*handle)->num_chains)-capacity)); - if (exceeded > CHAIN_INDEX_INSERT_MAX) { - debug("Capacity(%d) exceeded(%d) rebuild (chains:%d)\n", - capacity, exceeded, (*handle)->num_chains); - iptcc_chain_index_rebuild(*handle); } - - set_changed(*handle); + set_changed(*handle, 0); return 1; } @@ -2229,71 +963,53 @@ int TC_GET_REFERENCES(unsigned int *ref, const IPT_CHAINLABEL chain, TC_HANDLE_T *handle) { - struct chain_head *c; + STRUCT_CHAIN_INFO *ici; - iptc_fn = TC_GET_REFERENCES; - if (!(c = iptcc_find_label(chain, *handle))) { - errno = ENOENT; - return 0; - } - - *ref = c->references; + iptc_fn= TC_GET_REFERENCES; + if (!(ici = find_label(chain, *handle))){ return 0;} + *ref = ici->refcnt; return 1; } +/* Get the chain classifier */ +const char * +TC_GET_CLASSIFIER(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle) +{ + STRUCT_CHAIN_INFO *ici; + + iptc_fn = TC_GET_CLASSIFIER; + if(!(ici = find_label(chain, *handle))){ return NULL;} + + return ici->classifier_name; +} + /* Deletes a chain. */ int TC_DELETE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle) { - unsigned int references; - struct chain_head *c; + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND c; + socklen_t s; + int ret; iptc_fn = TC_DELETE_CHAIN; + if( !(ici = find_label(chain, *handle)) ){ return 0;} + + if( TC_BUILTIN(chain, *handle ) ){ errno = EINVAL; return 0;} + if( ici->refcnt ) {errno = EMLINK; return 0;} - if (!(c = iptcc_find_label(chain, *handle))) { - DEBUGP("cannot find chain `%s'\n", chain); - errno = ENOENT; - return 0; - } - - if (TC_BUILTIN(chain, *handle)) { - DEBUGP("cannot remove builtin chain `%s'\n", chain); - errno = EINVAL; - return 0; - } - - if (!TC_GET_REFERENCES(&references, chain, handle)) { - DEBUGP("cannot get references on chain `%s'\n", chain); - return 0; - } - - if (references > 0) { - DEBUGP("chain `%s' still has references\n", chain); - errno = EMLINK; - return 0; - } - - if (c->num_rules) { - DEBUGP("chain `%s' is not empty\n", chain); - errno = ENOTEMPTY; + c.command = PKTT_CHAIN_DELETE; + strcpy(c.table_name, (*handle)->table.name); + strcpy(c.chain_name, chain); + c.family = TC_AF; + + s = sizeof( STRUCT_COMMAND ); + if( (ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, &c, s))<0){ + errno = EFAULT; return 0; } - - /* If we are about to delete the chain that is the current - * iterator, move chain iterator forward. */ - if (c == (*handle)->chain_iterator_cur) - iptcc_chain_iterator_advance(*handle); - - (*handle)->num_chains--; /* One user defined chain deleted */ - - //list_del(&c->list); /* Done in iptcc_chain_index_delete_chain() */ - iptcc_chain_index_delete_chain(c, *handle); - free(c); - - DEBUGP("chain `%s' deleted\n", chain); - - set_changed(*handle); + set_changed(*handle, 0); return 1; } @@ -2303,333 +1019,111 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname, const IPT_CHAINLABEL newname, TC_HANDLE_T *handle) { - struct chain_head *c; + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND c; + socklen_t s; + int ret; + iptc_fn = TC_RENAME_CHAIN; + if(!(ici=find_label(oldname, *handle))){ return 0;} - /* find_label doesn't cover built-in targets: DROP, ACCEPT, - QUEUE, RETURN. */ - if (iptcc_find_label(newname, *handle) - || strcmp(newname, LABEL_DROP) == 0 - || strcmp(newname, LABEL_ACCEPT) == 0 - || strcmp(newname, LABEL_QUEUE) == 0 - || strcmp(newname, LABEL_RETURN) == 0) { - errno = EEXIST; - return 0; + if( TC_BUILTIN( oldname, *handle ) ){ + errno = EINVAL; return 0; } - - if (!(c = iptcc_find_label(oldname, *handle)) - || TC_BUILTIN(oldname, *handle)) { - errno = ENOENT; - return 0; + if( (strlen( newname ) +1) > CHAIN_MAXNAMELEN ){ + errno = E2BIG; return 0; } - if (strlen(newname)+1 > sizeof(IPT_CHAINLABEL)) { - errno = EINVAL; + c.command = PKTT_CHAIN_RENAME; + strcpy(c.table_name, (*handle)->table.name); + strcpy(c.chain_name, oldname); + strcpy(c.ext.new_chain_name, newname); + c.family = TC_AF; + + s = sizeof(STRUCT_COMMAND); + if((ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, &c, s))<0){ + errno = EFAULT; return 0; } - - strncpy(c->name, newname, sizeof(IPT_CHAINLABEL)); - - set_changed(*handle); + strcpy(ici->name, newname); return 1; } -/* Sets the policy on a built-in chain. */ +/* Sets the policy on a chain. */ int TC_SET_POLICY(const IPT_CHAINLABEL chain, const IPT_CHAINLABEL policy, STRUCT_COUNTERS *counters, TC_HANDLE_T *handle) { - struct chain_head *c; + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND c; + socklen_t s; + int ret; iptc_fn = TC_SET_POLICY; - - if (!(c = iptcc_find_label(chain, *handle))) { - DEBUGP("cannot find chain `%s'\n", chain); - errno = ENOENT; - return 0; - } - - if (!iptcc_is_builtin(c)) { - DEBUGP("cannot set policy of userdefinedchain `%s'\n", chain); - errno = ENOENT; - return 0; - } - - if (strcmp(policy, LABEL_ACCEPT) == 0) - c->verdict = -NF_ACCEPT - 1; - else if (strcmp(policy, LABEL_DROP) == 0) - c->verdict = -NF_DROP - 1; - else { - errno = EINVAL; + if(!(ici=find_label( chain, *handle))){ return 0; } + + c.command = PKTT_CHAIN_SET_POLICY; + strcpy( c.table_name, (*handle)->table.name); + strcpy( c.chain_name, ici->name); + c.family = TC_AF; + + if( !strcmp(policy , LABEL_ACCEPT) ) c.ext.policy=cACCEPT; + else if( !strcmp(policy, LABEL_DROP) ) c.ext.policy=cDROP; + else if( !strcmp(policy, LABEL_QUEUE) ) c.ext.policy=cQUEUE; + else if( !strcmp(policy, LABEL_RETURN) ) c.ext.policy=cRETURN; + else { errno=EINVAL; return 0; } + + s = sizeof(STRUCT_COMMAND); + if((ret= setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, &c, s))<0){ + errno = EFAULT; return 0; } - - if (counters) { - /* set byte and packet counters */ - memcpy(&c->counters, counters, sizeof(STRUCT_COUNTERS)); - c->counter_map.maptype = COUNTER_MAP_SET; - } else { - c->counter_map.maptype = COUNTER_MAP_NOMAP; - } - - set_changed(*handle); + ici->policy = c.ext.policy; return 1; } -/* Without this, on gcc 2.7.2.3, we get: - libiptc.c: In function `TC_COMMIT': - libiptc.c:833: fixed or forbidden register was spilled. - This may be due to a compiler bug or to impossible asm - statements or clauses. -*/ -static void -subtract_counters(STRUCT_COUNTERS *answer, - const STRUCT_COUNTERS *a, - const STRUCT_COUNTERS *b) -{ - answer->pcnt = a->pcnt - b->pcnt; - answer->bcnt = a->bcnt - b->bcnt; -} - - -static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters, unsigned int idx) -{ - newcounters->counters[idx] = ((STRUCT_COUNTERS) { 0, 0}); - DEBUGP_C("NOMAP => zero\n"); -} - -static void counters_normal_map(STRUCT_COUNTERS_INFO *newcounters, - STRUCT_REPLACE *repl, unsigned int idx, - unsigned int mappos) -{ - /* Original read: X. - * Atomic read on replacement: X + Y. - * Currently in kernel: Z. - * Want in kernel: X + Y + Z. - * => Add in X + Y - * => Add in replacement read. - */ - newcounters->counters[idx] = repl->counters[mappos]; - DEBUGP_C("NORMAL_MAP => mappos %u \n", mappos); -} - -static void counters_map_zeroed(STRUCT_COUNTERS_INFO *newcounters, - STRUCT_REPLACE *repl, unsigned int idx, - unsigned int mappos, STRUCT_COUNTERS *counters) +int +TC_CHG_CLASSIFIER(const IPT_CHAINLABEL chain, + const IPT_CHAINLABEL new_classifier, + TC_HANDLE_T *handle) { - /* Original read: X. - * Atomic read on replacement: X + Y. - * Currently in kernel: Z. - * Want in kernel: Y + Z. - * => Add in Y. - * => Add in (replacement read - original read). - */ - subtract_counters(&newcounters->counters[idx], - &repl->counters[mappos], - counters); - DEBUGP_C("ZEROED => mappos %u\n", mappos); -} + STRUCT_CHAIN_INFO *ici; + STRUCT_COMMAND c; + socklen_t s; + int ret; -static void counters_map_set(STRUCT_COUNTERS_INFO *newcounters, - unsigned int idx, STRUCT_COUNTERS *counters) -{ - /* Want to set counter (iptables-restore) */ + iptc_fn = TC_CHG_CLASSIFIER; + if(!(ici = find_label(chain, *handle))){ return 0;} + + c.command = PKTT_CHAIN_CHG_CLASSIFIER; + strcpy(c.table_name, (*handle)->table.name); + strcpy(c.chain_name, ici -> name); + strcpy(c.ext.new_classifier, new_classifier); + c.family = TC_AF; - memcpy(&newcounters->counters[idx], counters, - sizeof(STRUCT_COUNTERS)); + s = sizeof( STRUCT_COMMAND ); + if((ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, &c, s))<0){ + errno = EFAULT; return 0; + } + strcpy( ici->classifier_name, new_classifier); - DEBUGP_C("SET\n"); + return 1; } - int TC_COMMIT(TC_HANDLE_T *handle) { - /* Replace, then map back the counters. */ - STRUCT_REPLACE *repl; - STRUCT_COUNTERS_INFO *newcounters; - struct chain_head *c; - int ret; - size_t counterlen; - int new_number; - unsigned int new_size; - - iptc_fn = TC_COMMIT; - CHECK(*handle); - - /* Don't commit if nothing changed. */ - if (!(*handle)->changed) - goto finished; - - new_number = iptcc_compile_table_prep(*handle, &new_size); - if (new_number < 0) { - errno = ENOMEM; - goto out_zero; - } - - repl = malloc(sizeof(*repl) + new_size); - if (!repl) { - errno = ENOMEM; - goto out_zero; - } - memset(repl, 0, sizeof(*repl) + new_size); - -#if 0 - TC_DUMP_ENTRIES(*handle); -#endif - - counterlen = sizeof(STRUCT_COUNTERS_INFO) - + sizeof(STRUCT_COUNTERS) * new_number; - - /* These are the old counters we will get from kernel */ - repl->counters = malloc(sizeof(STRUCT_COUNTERS) - * (*handle)->info.num_entries); - if (!repl->counters) { - errno = ENOMEM; - goto out_free_repl; - } - /* These are the counters we're going to put back, later. */ - newcounters = malloc(counterlen); - if (!newcounters) { - errno = ENOMEM; - goto out_free_repl_counters; - } - memset(newcounters, 0, counterlen); - - strcpy(repl->name, (*handle)->info.name); - repl->num_entries = new_number; - repl->size = new_size; - - repl->num_counters = (*handle)->info.num_entries; - repl->valid_hooks = (*handle)->info.valid_hooks; - - DEBUGP("num_entries=%u, size=%u, num_counters=%u\n", - repl->num_entries, repl->size, repl->num_counters); - - ret = iptcc_compile_table(*handle, repl); - if (ret < 0) { - errno = ret; - goto out_free_newcounters; - } - - -#ifdef IPTC_DEBUG2 - { - int fd = open("/tmp/libiptc-so_set_replace.blob", - O_CREAT|O_WRONLY); - if (fd >= 0) { - write(fd, repl, sizeof(*repl) + repl->size); - close(fd); - } - } -#endif - - ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl, - sizeof(*repl) + repl->size); - if (ret < 0) - goto out_free_newcounters; - - /* Put counters back. */ - strcpy(newcounters->name, (*handle)->info.name); - newcounters->num_counters = new_number; - - list_for_each_entry(c, &(*handle)->chains, list) { - struct rule_head *r; - - /* Builtin chains have their own counters */ - if (iptcc_is_builtin(c)) { - DEBUGP("counter for chain-index %u: ", c->foot_index); - switch(c->counter_map.maptype) { - case COUNTER_MAP_NOMAP: - counters_nomap(newcounters, c->foot_index); - break; - case COUNTER_MAP_NORMAL_MAP: - counters_normal_map(newcounters, repl, - c->foot_index, - c->counter_map.mappos); - break; - case COUNTER_MAP_ZEROED: - counters_map_zeroed(newcounters, repl, - c->foot_index, - c->counter_map.mappos, - &c->counters); - break; - case COUNTER_MAP_SET: - counters_map_set(newcounters, c->foot_index, - &c->counters); - break; - } - } - - list_for_each_entry(r, &c->rules, list) { - DEBUGP("counter for index %u: ", r->index); - switch (r->counter_map.maptype) { - case COUNTER_MAP_NOMAP: - counters_nomap(newcounters, r->index); - break; - - case COUNTER_MAP_NORMAL_MAP: - counters_normal_map(newcounters, repl, - r->index, - r->counter_map.mappos); - break; - - case COUNTER_MAP_ZEROED: - counters_map_zeroed(newcounters, repl, - r->index, - r->counter_map.mappos, - &r->entry->counters); - break; - - case COUNTER_MAP_SET: - counters_map_set(newcounters, r->index, - &r->entry->counters); - break; - } - } - } - -#ifdef IPTC_DEBUG2 - { - int fd = open("/tmp/libiptc-so_set_add_counters.blob", - O_CREAT|O_WRONLY); - if (fd >= 0) { - write(fd, newcounters, counterlen); - close(fd); - } - } -#endif - - ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS, - newcounters, counterlen); - if (ret < 0) - goto out_free_newcounters; - - free(repl->counters); - free(repl); - free(newcounters); - -finished: TC_FREE(handle); return 1; - -out_free_newcounters: - free(newcounters); -out_free_repl_counters: - free(repl->counters); -out_free_repl: - free(repl); -out_zero: - return 0; } /* Get raw socket. */ int -TC_GET_RAW_SOCKET(void) +TC_GET_RAW_SOCKET() { return sockfd; } @@ -2644,40 +1138,36 @@ TC_STRERROR(int err) int err; const char *message; } table [] = - { { TC_INIT, EPERM, "Permission denied (you must be root)" }, - { TC_INIT, EINVAL, "Module is wrong version" }, - { TC_INIT, ENOENT, - "Table does not exist (do you need to insmod?)" }, - { TC_DELETE_CHAIN, ENOTEMPTY, "Chain is not empty" }, + { + { TC_INIT, EPERM, "Permission denied (you must be root)" }, + { TC_INIT, E2BIG, "Table name length is too big" }, + { TC_INIT, EFAULT, "Check table name" }, + { TC_GET_RULE, E2BIG, "Rule index is too big" }, { TC_DELETE_CHAIN, EINVAL, "Can't delete built-in chain" }, { TC_DELETE_CHAIN, EMLINK, "Can't delete chain with references left" }, + { TC_RENAME_CHAIN, EINVAL, "Can't rename built-in chain" }, + { TC_RENAME_CHAIN, E2BIG, "Chain name is too big" }, { TC_CREATE_CHAIN, EEXIST, "Chain already exists" }, { TC_INSERT_ENTRY, E2BIG, "Index of insertion too big" }, + { TC_INSERT_ENTRY, EINVAL, "Target Problem" }, { TC_REPLACE_ENTRY, E2BIG, "Index of replacement too big" }, + { TC_REPLACE_ENTRY, EINVAL, "Target problem" }, { TC_DELETE_NUM_ENTRY, E2BIG, "Index of deletion too big" }, + { TC_DELETE_ENTRY, EFAULT, + "Bad rule (does a matching rule exist in that chain?)" }, { TC_READ_COUNTER, E2BIG, "Index of counter too big" }, { TC_ZERO_COUNTER, E2BIG, "Index of counter too big" }, - { TC_INSERT_ENTRY, ELOOP, "Loop found in table" }, - { TC_INSERT_ENTRY, EINVAL, "Target problem" }, - /* EINVAL for CHECK probably means bad interface. */ - { TC_CHECK_PACKET, EINVAL, - "Bad arguments (does that interface exist?)" }, - { TC_CHECK_PACKET, ENOSYS, - "Checking will most likely never get implemented" }, - /* ENOENT for DELETE probably means no matching rule */ - { TC_DELETE_ENTRY, ENOENT, - "Bad rule (does a matching rule exist in that chain?)" }, - { TC_SET_POLICY, ENOENT, - "Bad built-in chain name" }, - { TC_SET_POLICY, EINVAL, - "Bad policy name" }, - + { TC_SET_COUNTER, E2BIG, "Index of counter too big" }, + { TC_SET_POLICY, EINVAL, "Bad policy name" }, { NULL, 0, "Incompatible with this kernel" }, + { NULL, EPERM, "Permission denied ( you must be root )" }, { NULL, ENOPROTOOPT, "iptables who? (do you need to insmod?)" }, { NULL, ENOSYS, "Will be implemented real soon. I promise ;)" }, { NULL, ENOMEM, "Memory allocation problem" }, { NULL, ENOENT, "No chain/target/match by that name" }, + { NULL, EFAULT, "Some Errors were Rised in Kernel Level"}, + { NULL, EINVAL, "Chain/Table Name is too long"}, }; for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) { diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h index 1f6f95d..895b1d0 100644 --- a/include/libiptc/libiptc.h +++ b/include/libiptc/libiptc.h @@ -25,6 +25,7 @@ typedef char ipt_chainlabel[32]; #define IPTC_LABEL_DROP "DROP" #define IPTC_LABEL_QUEUE "QUEUE" #define IPTC_LABEL_RETURN "RETURN" +#define IPTC_LABEL_CONTINUE "CONTINUE" /* Transparent handle type. */ typedef struct iptc_handle *iptc_handle_t; @@ -59,7 +60,7 @@ int iptc_builtin(const char *chain, const iptc_handle_t handle); /* Get the policy of a given built-in chain */ const char *iptc_get_policy(const char *chain, - struct ipt_counters *counter, + struct pktt_counters *counter, iptc_handle_t *handle); /* These functions return TRUE for OK or 0 and set errno. If errno == @@ -123,19 +124,28 @@ int iptc_rename_chain(const ipt_chainlabel oldname, const ipt_chainlabel newname, iptc_handle_t *handle); -/* Sets the policy on a built-in chain. */ +/* Sets the policy on a chain. */ int iptc_set_policy(const ipt_chainlabel chain, const ipt_chainlabel policy, - struct ipt_counters *counters, + struct pktt_counters *counters, iptc_handle_t *handle); +/* change the chain classifier */ +int iptc_chg_classifier(const ipt_chainlabel chain, + const ipt_chainlabel new_classifier, + iptc_handle_t *handle); + +/* Get the chain classifier */ +const char * iptc_get_classifier(const ipt_chainlabel chain, + iptc_handle_t *handle); + /* Get the number of references to this chain */ int iptc_get_references(unsigned int *ref, const ipt_chainlabel chain, iptc_handle_t *handle); /* read packet and byte counters for a specific rule */ -struct ipt_counters *iptc_read_counter(const ipt_chainlabel chain, +struct pktt_counters *iptc_read_counter(const ipt_chainlabel chain, unsigned int rulenum, iptc_handle_t *handle); @@ -147,7 +157,7 @@ int iptc_zero_counter(const ipt_chainlabel chain, /* set packet and byte counters for a specific rule */ int iptc_set_counter(const ipt_chainlabel chain, unsigned int rulenum, - struct ipt_counters *counters, + struct pktt_counters *counters, iptc_handle_t *handle); /* Makes the actual changes. */ -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html