Re: iptables patch

Hi Kevin,

On Wed, Mar 29, 2023 at 07:29:06AM +0000, Kevin Peeters wrote:
> >> I am using the 'iptables' source code in one of my software projects. In more detail, I am calling libiptc and libxtables from my own software API to add/delete/... iptables firewall rules.
> >> 
> >> While developing, I bumped into one issue while using libxtables and made a patch for it which we now use on our checkout of the 'iptables' repository. We do however use multiple checkouts of this repository in different places and don't want to add the patch to each of those checkouts.
> >> Would it be possible for you to add this patch to the mainline of your repository so we can stop patching it locally?
> >> 
> >> The details about the patch:
> >> In libxtables/xtables.c:
> >> 
> >> The libxtables code uses a xtables_pending_matches, xtables_pending_targets, xtables_matches and xtables_targets pointer list to track all (pending) matches and targets registered to the current iptables command. In my code, I add/delete firewall rules multiple times from one main process (without killing the main process in between) by calling xtables_init_all, xtables_register_target and xtables_register_match every time. When a rule is added, I call xtables_fini to clean up.
> 
> > I don't think you should call xtables_register_{target,match} over and over again. Why don't you follow what iptables does and call xtables_find_{target,match} to lookup an extension? It tries loading the DSO which calls xtables_register_*. After adding the rule, you should free the rule, not deinit the library.
> 
> If I understand correctly, xtables_find_* will only look for the desired match/target in the list of pending matches/targets. If the match/target is never registered up front, the list of pending matches/targets will be empty and xtables_find_* will fail. This is also done in the iptables flow, e.g. in extensions/libxt_tcp.c.

The functions search for the extension in xtables_pending_* list, but if
not found they will call load_extension() unless NO_SHARED_LIBS is
defined. In the latter case, extension code is built-in and extensions'
_init() functions are called from init_extensions*() functions which in
turn are called by iptables at program start.

> I do free the rule after adding it, and it felt reasonable to deinit the library as well, as this is also done for iptables.

The various iptables binaries deinit the library at program exit and
don't reuse it.

I don't know what you used as blueprint for your implementation, but you
might want to have a look at iptables_restore_main() in
iptables/iptables-restore.c. It basically does:

| xtables_init()
| xtables_set_nfproto()
| 
| init_extensions()
| 
| /* do all the work, repeatedly, unlimited if reading from stdin */
| 
| xtables_fini()
| exit()

Cheers, Phil
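To make the lifecycle Phil outlines concrete (init once, look up extensions per rule so the DSO is loaded and registered on first use only, fini once at exit), here is an added, self-contained C model. It is not libxtables code and not from this thread: the `model_*` names, the two "DSOs" and their `_init()` functions, and the rule list are constructed stand-ins that mimic `xtables_find_target()`, `load_extension()` and `xtables_fini()` only as far as the mail describes them.

```c
/* Added example: a toy model of the libxtables lookup/lifecycle pattern.
 * NOT libxtables code. Every model_* name is an assumption that stands in
 * for the real xtables_* call named in the comment next to it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_target {
    const char *name;
    struct model_target *next;
};

/* Stand-in for xtables_pending_targets: extensions registered so far. */
static struct model_target *model_pending_targets;
/* Counts how often a "DSO" _init() ran, so lazy loading can be verified. */
static int model_load_count;

/* Stand-in for xtables_register_target(): prepend to the pending list. */
static void model_register_target(const char *name)
{
    struct model_target *t = calloc(1, sizeof(*t));
    if (!t) { perror("calloc"); exit(EXIT_FAILURE); }
    t->name = name;
    t->next = model_pending_targets;
    model_pending_targets = t;
}

/* Constructed "extensions": like libxt_*.so, each _init() registers itself. */
static void accept_init(void) { model_register_target("ACCEPT"); }
static void reject_init(void) { model_register_target("REJECT"); }

struct model_dso { const char *name; void (*init)(void); };
static const struct model_dso model_dsos[] = {
    { "ACCEPT", accept_init },
    { "REJECT", reject_init },
};

/* Stand-in for load_extension(): "dlopen" the matching DSO and run _init(),
 * which registers the target as a side effect. Returns 0 if no such DSO. */
static int model_load_extension(const char *name)
{
    for (size_t i = 0; i < sizeof(model_dsos) / sizeof(model_dsos[0]); i++) {
        if (strcmp(model_dsos[i].name, name) == 0) {
            model_load_count++;
            model_dsos[i].init();
            return 1;
        }
    }
    return 0;
}

static struct model_target *model_lookup_pending(const char *name)
{
    for (struct model_target *t = model_pending_targets; t; t = t->next)
        if (strcmp(t->name, name) == 0)
            return t;
    return NULL;
}

/* Stand-in for xtables_find_target(): consult the pending list first and
 * only fall back to loading the extension when it is not there yet. */
struct model_target *model_find_target(const char *name)
{
    struct model_target *t = model_lookup_pending(name);
    if (t)
        return t;
    if (!model_load_extension(name))
        return NULL;
    return model_lookup_pending(name);
}

/* Stand-in for xtables_fini(): release the registry once, at program exit. */
void model_fini(void)
{
    while (model_pending_targets) {
        struct model_target *t = model_pending_targets;
        model_pending_targets = t->next;
        free(t);
    }
}

int model_pending_count(void)
{
    int n = 0;
    for (struct model_target *t = model_pending_targets; t; t = t->next)
        n++;
    return n;
}

int model_loads(void) { return model_load_count; }

/* The lifecycle from the mail, applied to a constructed rule list: look up a
 * target per rule (no re-registration between rules), then fini once.
 * Returns how many rules resolved to a known target. */
int model_demo(void)
{
    static const char *const rules[] = { "ACCEPT", "REJECT", "ACCEPT", "DROP" };
    int resolved = 0;
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        struct model_target *t = model_find_target(rules[i]);
        printf("rule %zu: %s -> %s\n", i, rules[i], t ? "found" : "unknown");
        if (t)
            resolved++;
        /* here the real program would build, commit and free the rule */
    }
    model_fini();
    return resolved;
}

int main(void)
{
    int resolved = model_demo();
    printf("resolved=%d loads=%d pending_after_fini=%d\n",
           resolved, model_loads(), model_pending_count());
    return 0;
}
```

The second "ACCEPT" rule is served from the pending list without running `accept_init()` again, which is the point of looking extensions up with `xtables_find_*` instead of calling `xtables_register_*` on every rule; "DROP" has no constructed DSO here and so stays unresolved rather than crashing.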
