Hi!

I always thought that checkentry()/destroy() are being called upon rule insertion/deletion.
So I assumed that this command sequence prints three times "test_tg_check" and then three times "test_tg_destroy".
But it's not the case.

$ iptables -A INPUT -j TEST
$ iptables -A INPUT -j TEST
$ iptables -A INPUT -j TEST
$ iptables -D INPUT -j TEST
$ iptables -D INPUT -j TEST
$ iptables -D INPUT -j TEST

This is the real output: (On 3.2.0-rc6)

[90330.168306] test_tg_destroy
[90330.171099] test_tg_destroy
[90330.173901] test_tg_destroy
[90343.768654] test_tg_check
[90345.773073] test_tg_check
[90345.775691] test_tg_check
[90345.778330] test_tg_destroy
[90347.782798] test_tg_check
[90347.785417] test_tg_check
[90347.788044] test_tg_check
[90347.790663] test_tg_destroy
[90347.793454] test_tg_destroy
[90372.581020] test_tg_check
[90372.583639] test_tg_check
[90372.586275] test_tg_destroy
[90372.589059] test_tg_destroy
[90372.591843] test_tg_destroy
[90374.596452] test_tg_check
[90374.599080] test_tg_destroy
[90374.601875] test_tg_destroy
[90376.606409] test_tg_destroy

How come?
Is there a way to detect the insertion/removal of a rule using my TEST target?

The comments in x_tables.h are not really helpful.

	/* Called when user tries to insert an entry of this type:
	   hook_mask is a bitmask of hooks from which it can be
	   called. */
	/* Should return 0 on success or an error code otherwise (-Exxxx). */
	int (*checkentry)(const struct xt_tgchk_param *);

	/* Called when entry of this type deleted. */
	void (*destroy)(const struct xt_tgdtor_param *);

Thanks,
//richard

P.S.: The TEST target is attached.
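---
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>

/* Packet path: do nothing and let rule traversal continue. */
static unsigned int test_tg(struct sk_buff *skb,
			    const struct xt_action_param *par)
{
	return XT_CONTINUE;
}

/* Log every checkentry() call so it shows up in dmesg. */
static int test_tg_check(const struct xt_tgchk_param *par)
{
	printk(KERN_ERR "test_tg_check\n");

	return 0;
}

/* Log every destroy() call so it shows up in dmesg. */
static void test_tg_destroy(const struct xt_tgdtor_param *par)
{
	printk(KERN_ERR "test_tg_destroy\n");
}

static struct xt_target test_tg_reg __read_mostly = {
	.name		= "TEST",
	.family		= NFPROTO_IPV4,
	.target		= test_tg,
	.targetsize	= 0,
	.checkentry	= test_tg_check,
	.destroy	= test_tg_destroy,
	.me		= THIS_MODULE,
};

static void __exit test_exit(void)
{
	xt_unregister_target(&test_tg_reg);
}
module_exit(test_exit);

static int __init test_init(void)
{
	return xt_register_target(&test_tg_reg);
}
module_init(test_init);

/* Declared so that loading the module does not taint the kernel. */
MODULE_LICENSE("GPL");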