Re: iptc_delete_entry matchmask parameter

Or, as an alternative way of saying the same thing, can someone please
explain why this doesn't delete all rules from my INPUT chain:

extern "C" {
#include <libiptc/libiptc.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/xt_comment.h>
}
#include <cerrno>
#include <cstring>
#include <iostream>

int main() {
  struct xtc_handle *h = iptc_init("filter");
  if (!h) {
    std::cerr << "iptc_init failed: " << iptc_strerror(errno) << "\n";
    return 1;
  }
  for (const char *chain = iptc_first_chain(h); chain; chain = iptc_next_chain(h)) {
    if (strcmp(chain, "INPUT")) {
      continue;
    }
    std::cout << "Chain: " << chain << "\n";
    const struct ipt_entry *rule = iptc_first_rule(chain, h);
    while (rule) {
      // Fetch the successor first: a successful delete frees the rule_head
      // that `rule` points into, so it must not be touched afterwards.
      const struct ipt_entry *next = iptc_next_rule(rule, h);
      // Mask covering the whole entry (header, matches, target): every byte 0xff.
      size_t size = rule->next_offset;
      unsigned char *mask = new unsigned char[size];
      memset(mask, 0xff, size);
      if (!iptc_delete_entry(chain, rule, mask, h)) {
        std::cerr << "iptc_delete_entry failed: " << iptc_strerror(errno) << "\n";
      }
      delete[] mask;
      rule = next;
    }
  }
  // Nothing reaches the kernel until the handle is committed.
  if (!iptc_commit(h)) {
    std::cerr << "iptc_commit failed: " << iptc_strerror(errno) << "\n";
  }
  iptc_free(h);
  return 0;
}

I've added some trace into libiptc.c:delete_entry and the functions it
calls.  This shows that the `rule` I'm passing as the second parameter
of iptc_delete_entry is a pointer to a different address than the one
delete_entry is comparing it to.  But that `rule` pointer is just the
pointer that's been returned by iptc_next_rule!

Because they're pointers to different things, the surrounding
rule_head structure is also different and has a different target type,
which is the immediate cause of the failure to delete the rule.  But
that leaves me wondering, how am I supposed to get a pointer to a rule
that I can actually use to delete it?

Regards,
Tom

On Wed, Nov 14, 2018 at 8:15 PM Tom Cook <tom.k.cook@xxxxxxxxx> wrote:
>
> For a `struct ipt_entry` that I have retrieved using iptc_next_rule
> and which I want to delete from its table, how should I construct the
> matchmask parameter to iptc_delete_entry?
>
> As far as I can tell from reading make_delete_mask, the mask should be
> the same size as the ipt_entry (including all its trailing values - the
> elements, target) and every byte of it should be 0xff.  But obviously
> that doesn't work, or I wouldn't be here asking.
>
> Here is a hex dump of the ipt_struct I'm trying to delete from a chain:
>
> And here is the mask I'm trying to use:
>
> Any suggestions on why this doesn't work would be gratefully received.
>
> Tom
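Added example, not code from the thread, from libiptc or from iptables: a stand-alone C model of how iptables' make_delete_mask() derives the matchmask from a serialized ipt_entry, assuming the x86-64 wire layout of the uapi structs (matches start at offset 112, match and target headers are 32 bytes). The entry it constructs is modelled on the rule in the original message (tcp and comment matches, standard DROP target); the "privdemo" extension and its sizes are invented to show what happens for a match that carries kernel-private data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define IPT_ENTRY_SIZE 112  /* sizeof(struct ipt_entry) on x86-64, counters included */
#define XT_HDR_SIZE     32  /* XT_ALIGN(sizeof(struct xt_entry_match)); target header too */
/* Per extension: wire size and .userspacesize as iptables declares it (only that many data
 * bytes after the header are compared; the rest is kernel-private and stays 0 in the mask).
 * tcp, comment and "" (standard target) are from the thread's rule; "privdemo" is a
 * hypothetical match with 64 data bytes of which only 16 are public. */
static const struct { const char *name; uint16_t size; size_t userspacesize; } ext[] = {
    {"tcp", 48, 16}, {"comment", 288, 256}, {"privdemo", 96, 16}, {"", 40, 8} };
static size_t ext_userspacesize(const char *name) {
    for (int i = 0; i < 4; i++) if (!strcmp(name, ext[i].name)) return ext[i].userspacesize;
    return 0;                                      /* unknown extension: header only */
}
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
/* Matchmask for a serialized ipt_entry, built like iptables' make_delete_mask(): 0xff over
 * the entry header, then header + userspacesize per match and for the target. Caller frees. */
uint8_t *make_delete_mask(const uint8_t *e, size_t *mask_len) {
    uint16_t toff = rd16(e + 88), noff = rd16(e + 90);        /* target_offset, next_offset */
    uint8_t *mask = (toff < IPT_ENTRY_SIZE || noff <= toff) ? NULL : calloc(noff, 1);
    if (!mask) return NULL; memset(mask, 0xff, IPT_ENTRY_SIZE);   /* whole entry header */
    for (size_t off = IPT_ENTRY_SIZE, size = 0; off < noff; off += size) {  /* matches, target */
        size = rd16(e + off);
        size_t n = XT_HDR_SIZE + ext_userspacesize((const char *)e + off + 2); /* u.user.name */
        if (size < XT_HDR_SIZE || off + size > (size_t)(off < toff ? toff : noff)) { free(mask); return NULL; }
        memset(mask + off, 0xff, n < size ? n : size);
    }
    *mask_len = noff; return mask;
}
/* Constructed entry modelled on the thread's rule (-p tcp -m comment -j DROP): same extension
 * sizes, names and verdict, all other fields zero. Returns its length (next_offset). */
size_t build_entry(uint8_t *e, int with_privdemo) {
    size_t off = IPT_ENTRY_SIZE; memset(e, 0, 1024);
    for (int i = 0; i < 4; i++) {
        if (i == 2 && !with_privdemo) continue;
        if (i == 3) memcpy(e + 88, &(uint16_t){(uint16_t)off}, 2);   /* target_offset */
        memcpy(e + off, &ext[i].size, 2); strcpy((char *)e + off + 2, ext[i].name);
        off += ext[i].size;
    }
    memset(e + off - 8, 0xff, 4);                   /* standard target verdict -1 == -NF_DROP-1 */
    memcpy(e + 90, &(uint16_t){(uint16_t)off}, 2);  /* next_offset */
    return off;
}
/* Build the entry, mask it and return how many bytes the mask compares (-1 on error). */
long masked_bytes(int with_privdemo) {
    uint8_t e[1024], *m; size_t ml, c = 0; build_entry(e, with_privdemo);
    if (!(m = make_delete_mask(e, &ml))) return -1;
    for (size_t i = 0; i < ml; i++) c += m[i] == 0xff;
    free(m); return (long)c;
}
```

For the tcp/comment/DROP rule every extension has userspacesize equal to its data size, so the mask comes out all 0xff over the full next_offset (488 bytes); with the hypothetical privdemo match in the chain, 48 of its 96 bytes stay zero in the mask.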


