1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293 |
- /* Library which manipulates firewall rules. Version $Revision: 1.1 $ */
-
- /* Architecture of firewall rules is as follows:
- *
- * Chains go INPUT, FORWARD, OUTPUT then user chains.
- * Each user chain starts with an ERROR node.
- * Every chain ends with an unconditional jump: a RETURN for user chains,
- * and a POLICY for built-ins.
- */
-
- /* (C) 1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
- * COPYING for details).
- * (C) 2000-2004 by the Netfilter Core Team <coreteam@netfilter.org>
- *
- * 2003-Jun-20: Harald Welte <laforge@netfilter.org>:
- * - Reimplementation of chain cache to use offsets instead of entries
- * 2003-Jun-23: Harald Welte <laforge@netfilter.org>:
- * - performance optimization, sponsored by Astaro AG (http://www.astaro.com/)
- * don't rebuild the chain cache after every operation, instead fix it
- * up after a ruleset change.
- * 2004-Aug-18: Harald Welte <laforge@netfilter.org>:
- * - futher performance work: total reimplementation of libiptc.
- * - libiptc now has a real internal (linked-list) represntation of the
- * ruleset and a parser/compiler from/to this internal representation
- * - again sponsored by Astaro AG (http://www.astaro.com/)
- */
- #include <sys/types.h>
- #include <sys/socket.h>
-
- #include <linux/version.h>
-
- #include "linux_list.h"
-
- //#define IPTC_DEBUG2 1
-
- #ifdef IPTC_DEBUG2
- #include <fcntl.h>
- #define DEBUGP(x, args...) fprintf(stderr, "%s: " x, __FUNCTION__, ## args)
- #define DEBUGP_C(x, args...) fprintf(stderr, x, ## args)
- #else
- #define DEBUGP(x, args...)
- #define DEBUGP_C(x, args...)
- #endif
-
- #ifndef IPT_LIB_DIR
- #define IPT_LIB_DIR "/usr/local/lib/iptables"
- #endif
-
-
- static int sockfd = -1;
- static int sockfd_use = 0;
- static void *iptc_fn = NULL;
-
- static const char *hooknames[]
- = {[HOOK_PRE_ROUTING] "PREROUTING",
- [HOOK_LOCAL_IN] "INPUT",
- [HOOK_FORWARD] "FORWARD",
- [HOOK_LOCAL_OUT] "OUTPUT",
- [HOOK_POST_ROUTING] "POSTROUTING",
- #ifdef HOOK_DROPPING
- [HOOK_DROPPING] "DROPPING"
- #endif
- };
-
- #if 0
- /* Convenience structures */
- struct ipt_error_target {
- STRUCT_ENTRY_TARGET t;
- char error[TABLE_MAXNAMELEN];
- };
- #endif
-
- struct chain_head;
- struct rule_head;
-
- struct counter_map {
- enum {
- COUNTER_MAP_NOMAP,
- COUNTER_MAP_NORMAL_MAP,
- COUNTER_MAP_ZEROED,
- COUNTER_MAP_SET
- } maptype;
- unsigned int mappos;
- };
-
- enum iptcc_rule_type {
- IPTCC_R_STANDARD, /* standard target (ACCEPT, ...) */
- IPTCC_R_MODULE, /* extension module (SNAT, ...) */
- IPTCC_R_FALLTHROUGH, /* fallthrough rule */
- IPTCC_R_JUMP, /* jump to other chain */
- };
-
- struct rule_head {
- struct list_head list;
- struct chain_head *chain;
- struct counter_map counter_map;
-
- unsigned int index; /* index (needed for counter_map) */
- unsigned int offset; /* offset in rule blob */
-
- enum iptcc_rule_type type;
- struct chain_head *jump; /* jump target, if IPTCC_R_JUMP */
-
- unsigned int size; /* size of entry data */
- STRUCT_ENTRY entry[0];
- };
-
- struct chain_head {
- struct list_head list;
- char name[TABLE_MAXNAMELEN];
- unsigned int hooknum; /* hook number+1 if builtin */
- unsigned int references; /* how many jumps reference us */
- int verdict; /* verdict if builtin */
-
- STRUCT_COUNTERS counters; /* per-chain counters */
- struct counter_map counter_map;
-
- unsigned int num_rules; /* number of rules in list */
- struct list_head rules; /* list of rules */
-
- unsigned int index; /* index (needed for jump resolval) */
- unsigned int head_offset; /* offset in rule blob */
- unsigned int foot_index; /* index (needed for counter_map) */
- unsigned int foot_offset; /* offset in rule blob */
- };
-
- STRUCT_TC_HANDLE {
- int changed; /* Have changes been made? */
-
- struct list_head chains;
-
- struct chain_head *chain_iterator_cur;
- struct rule_head *rule_iterator_cur;
-
- STRUCT_GETINFO info;
- STRUCT_GET_ENTRIES *entries;
- };
-
- /* allocate a new chain head for the cache */
- static struct chain_head *
- iptcc_alloc_chain_head(const char *name, int hooknum)
- {
- struct chain_head *c = malloc(sizeof(*c));
- if (!c)
- return NULL;
- memset(c, 0, sizeof(*c));
-
- strncpy(c->name, name, TABLE_MAXNAMELEN);
- c->hooknum = hooknum;
- INIT_LIST_HEAD(&c->rules);
-
- return c;
- }
-
- /* allocate and initialize a new rule for the cache */
- static struct rule_head *
- iptcc_alloc_rule(struct chain_head *c, unsigned int size)
- {
- struct rule_head *r = malloc(sizeof(*r) + size);
- if (!r)
- return NULL;
- memset(r, 0, sizeof(*r));
-
- r->chain = c;
- r->size = size;
-
- return r;
- }
-
- /* notify us that the ruleset has been modified by the user */
- static void
- set_changed(TC_HANDLE_T h)
- {
- h->changed = 1;
- }
-
- #ifdef IPTC_DEBUG
- static void do_check(TC_HANDLE_T h, unsigned int line);
- #define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
- #else
- #define CHECK(h)
- #endif
-
-
- /**********************************************************************
- * iptc blob utility functions (iptcb_*)
- **********************************************************************/
-
- static inline int
- iptcb_get_number(const STRUCT_ENTRY * i,
- const STRUCT_ENTRY * seek, unsigned int *pos)
- {
- if (i == seek)
- return 1;
- (*pos)++;
- return 0;
- }
-
- static inline int
- iptcb_get_entry_n(STRUCT_ENTRY * i,
- unsigned int number,
- unsigned int *pos, STRUCT_ENTRY ** pe)
- {
- if (*pos == number) {
- *pe = i;
- return 1;
- }
- (*pos)++;
- return 0;
- }
-
- static inline STRUCT_ENTRY *
- iptcb_get_entry(TC_HANDLE_T h, unsigned int offset)
- {
- return (STRUCT_ENTRY *) ((char *) h->entries->entrytable + offset);
- }
-
- static unsigned int
- iptcb_entry2index(const TC_HANDLE_T h, const STRUCT_ENTRY * seek)
- {
- unsigned int pos = 0;
-
- if (ENTRY_ITERATE(h->entries->entrytable, h->entries->size,
- iptcb_get_number, seek, &pos) == 0) {
- fprintf(stderr, "ERROR: offset %u not an entry!\n",
- (unsigned int) ((char *) seek -
- (char *) h->entries->entrytable));
- abort();
- }
- return pos;
- }
-
- static inline STRUCT_ENTRY *
- iptcb_offset2entry(TC_HANDLE_T h, unsigned int offset)
- {
- return (STRUCT_ENTRY *) ((void *) h->entries->entrytable + offset);
- }
-
-
- static inline unsigned long
- iptcb_entry2offset(const TC_HANDLE_T h, const STRUCT_ENTRY * e)
- {
- return (void *) e - (void *) h->entries->entrytable;
- }
-
- static inline unsigned int
- iptcb_offset2index(const TC_HANDLE_T h, unsigned int offset)
- {
- return iptcb_entry2index(h, iptcb_offset2entry(h, offset));
- }
-
- /* Returns 0 if not hook entry, else hooknumber + 1 */
- static inline unsigned int
- iptcb_ent_is_hook_entry(STRUCT_ENTRY * e, TC_HANDLE_T h)
- {
- unsigned int i;
-
- for (i = 0; i < NUMHOOKS; i++) {
- if ((h->info.valid_hooks & (1 << i))
- && iptcb_get_entry(h, h->info.hook_entry[i]) == e)
- return i + 1;
- }
- return 0;
- }
-
-
- /**********************************************************************
- * iptc cache utility functions (iptcc_*)
- **********************************************************************/
-
- /* Is the given chain builtin (1) or user-defined (0) */
- static unsigned int
- iptcc_is_builtin(struct chain_head *c)
- {
- return (c->hooknum ? 1 : 0);
- }
-
- /* Get a specific rule within a chain */
- static struct rule_head *
- iptcc_get_rule_num(struct chain_head *c, unsigned int rulenum)
- {
- struct rule_head *r;
- unsigned int num = 0;
-
- list_for_each_entry(r, &c->rules, list) {
- num++;
- if (num == rulenum)
- return r;
- }
- return NULL;
- }
-
- /* Get a specific rule within a chain backwards */
- static struct rule_head *
- iptcc_get_rule_num_reverse(struct chain_head *c, unsigned int rulenum)
- {
- struct rule_head *r;
- unsigned int num = 0;
-
- list_for_each_entry_reverse(r, &c->rules, list) {
- num++;
- if (num == rulenum)
- return r;
- }
- return NULL;
- }
-
- /* Returns chain head if found, otherwise NULL. */
- static struct chain_head *
- iptcc_find_chain_by_offset(TC_HANDLE_T handle, unsigned int offset)
- {
- struct list_head *pos;
-
- if (list_empty(&handle->chains))
- return NULL;
-
- list_for_each(pos, &handle->chains) {
- struct chain_head *c = list_entry(pos, struct chain_head, list);
- if (offset >= c->head_offset && offset <= c->foot_offset)
- return c;
- }
-
- return NULL;
- }
-
- /* Returns chain head if found, otherwise NULL. */
- static struct chain_head *
- iptcc_find_label(const char *name, TC_HANDLE_T handle)
- {
- struct list_head *pos;
-
- if (list_empty(&handle->chains))
- return NULL;
-
- list_for_each(pos, &handle->chains) {
- struct chain_head *c = list_entry(pos, struct chain_head, list);
- if (!strcmp(c->name, name))
- return c;
- }
-
- return NULL;
- }
-
- /* called when rule is to be removed from cache */
- static void
- iptcc_delete_rule(struct rule_head *r)
- {
- DEBUGP("deleting rule %p (offset %u)\n", r, r->offset);
- /* clean up reference count of called chain */
- if (r->type == IPTCC_R_JUMP && r->jump)
- r->jump->references--;
-
- list_del(&r->list);
- free(r);
- }
-
-
- /**********************************************************************
- * RULESET PARSER (blob -> cache)
- **********************************************************************/
-
- /* Delete policy rule of previous chain, since cache doesn't contain
- * chain policy rules.
- * WARNING: This function has ugly design and relies on a lot of context, only
- * to be called from specific places within the parser */
- static int
- __iptcc_p_del_policy(TC_HANDLE_T h, unsigned int num)
- {
- if (h->chain_iterator_cur) {
- /* policy rule is last rule */
- struct rule_head *pr = (struct rule_head *)
- h->chain_iterator_cur->rules.prev;
-
- /* save verdict */
- h->chain_iterator_cur->verdict =
- *(int *) GET_TARGET(pr->entry)->data;
-
- /* save counter and counter_map information */
- h->chain_iterator_cur->counter_map.maptype =
- COUNTER_MAP_NORMAL_MAP;
- h->chain_iterator_cur->counter_map.mappos = num - 1;
- memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters,
- sizeof(h->chain_iterator_cur->counters));
-
- /* foot_offset points to verdict rule */
- h->chain_iterator_cur->foot_index = num;
- h->chain_iterator_cur->foot_offset = pr->offset;
-
- /* delete rule from cache */
- iptcc_delete_rule(pr);
- h->chain_iterator_cur->num_rules--;
-
- return 1;
- }
- return 0;
- }
-
- /* alphabetically insert a chain into the list */
- static inline void
- iptc_insert_chain(TC_HANDLE_T h, struct chain_head *c)
- {
- struct chain_head *tmp;
-
- /* sort only user defined chains */
- if (!c->hooknum) {
- list_for_each_entry(tmp, &h->chains, list) {
- if (!tmp->hooknum && strcmp(c->name, tmp->name) <= 0) {
- list_add(&c->list, tmp->list.prev);
- return;
- }
- }
- }
-
- /* survived till end of list: add at tail */
- list_add_tail(&c->list, &h->chains);
- }
-
- /* Another ugly helper function split out of cache_add_entry to make it less
- * spaghetti code */
- static void
- __iptcc_p_add_chain(TC_HANDLE_T h, struct chain_head *c,
- unsigned int offset, unsigned int *num)
- {
- __iptcc_p_del_policy(h, *num);
-
- c->head_offset = offset;
- c->index = *num;
-
- iptc_insert_chain(h, c);
-
- h->chain_iterator_cur = c;
- }
-
- /* main parser function: add an entry from the blob to the cache */
- static int
- cache_add_entry(STRUCT_ENTRY * e,
- TC_HANDLE_T h, STRUCT_ENTRY ** prev, unsigned int *num)
- {
- unsigned int builtin;
- unsigned int offset = (char *) e - (char *) h->entries->entrytable;
-
- DEBUGP("entering...");
-
- /* Last entry ("policy rule"). End it. */
- if (iptcb_entry2offset(h, e) + e->next_offset == h->entries->size) {
- /* This is the ERROR node at the end of the chain */
- DEBUGP_C("%u:%u: end of table:\n", *num, offset);
-
- __iptcc_p_del_policy(h, *num);
-
- h->chain_iterator_cur = NULL;
- goto out_inc;
- }
-
- /* We know this is the start of a new chain if it's an ERROR
- * target, or a hook entry point */
-
- if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) == 0) {
- struct chain_head *c =
- iptcc_alloc_chain_head((const char *) GET_TARGET(e)->data, 0);
- DEBUGP_C("%u:%u:new userdefined chain %s: %p\n", *num, offset,
- (char *) c->name, c);
- if (!c) {
- errno = -ENOMEM;
- return -1;
- }
-
- __iptcc_p_add_chain(h, c, offset, num);
-
- } else if ((builtin = iptcb_ent_is_hook_entry(e, h)) != 0) {
- struct chain_head *c =
- iptcc_alloc_chain_head((char *) hooknames[builtin - 1],
- builtin);
- DEBUGP_C("%u:%u new builtin chain: %p (rules=%p)\n",
- *num, offset, c, &c->rules);
- if (!c) {
- errno = -ENOMEM;
- return -1;
- }
-
- c->hooknum = builtin;
-
- __iptcc_p_add_chain(h, c, offset, num);
-
- /* FIXME: this is ugly. */
- goto new_rule;
- } else {
- /* has to be normal rule */
- struct rule_head *r;
- new_rule:
-
- if (!(r = iptcc_alloc_rule(h->chain_iterator_cur, e->next_offset))) {
- errno = ENOMEM;
- return -1;
- }
- DEBUGP_C("%u:%u normal rule: %p: ", *num, offset, r);
-
- r->index = *num;
- r->offset = offset;
- memcpy(r->entry, e, e->next_offset);
- r->counter_map.maptype = COUNTER_MAP_NORMAL_MAP;
- r->counter_map.mappos = r->index;
-
- /* handling of jumps, etc. */
- if (!strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET)) {
- STRUCT_STANDARD_TARGET *t;
-
- t = (STRUCT_STANDARD_TARGET *) GET_TARGET(e);
- if (t->target.u.target_size
- != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
- free(r);
- errno = EINVAL;
- return -1;
- }
-
- if (t->verdict < 0) {
- DEBUGP_C("standard, verdict=%d\n", t->verdict);
- r->type = IPTCC_R_STANDARD;
- } else if (t->verdict == r->offset + e->next_offset) {
- DEBUGP_C("fallthrough\n");
- r->type = IPTCC_R_FALLTHROUGH;
- } else {
- DEBUGP_C("jump, target=%u\n", t->verdict);
- r->type = IPTCC_R_JUMP;
- /* Jump target fixup has to be deferred
- * until second pass, since we migh not
- * yet have parsed the target */
- }
- } else {
- DEBUGP_C("module, target=%s\n", GET_TARGET(e)->u.user.name);
- r->type = IPTCC_R_MODULE;
- }
-
- list_add_tail(&r->list, &h->chain_iterator_cur->rules);
- h->chain_iterator_cur->num_rules++;
- }
- out_inc:
- (*num)++;
- return 0;
- }
-
-
- /* parse an iptables blob into it's pieces */
- static int
- parse_table(TC_HANDLE_T h)
- {
- STRUCT_ENTRY *prev;
- unsigned int num = 0;
- struct chain_head *c;
-
- /* First pass: over ruleset blob */
- ENTRY_ITERATE(h->entries->entrytable, h->entries->size,
- cache_add_entry, h, &prev, &num);
-
- /* Second pass: fixup parsed data from first pass */
- list_for_each_entry(c, &h->chains, list) {
- struct rule_head *r;
- list_for_each_entry(r, &c->rules, list) {
- struct chain_head *c;
- STRUCT_STANDARD_TARGET *t;
-
- if (r->type != IPTCC_R_JUMP)
- continue;
-
- t = (STRUCT_STANDARD_TARGET *) GET_TARGET(r->entry);
- c = iptcc_find_chain_by_offset(h, t->verdict);
- if (!c)
- return -1;
- r->jump = c;
- c->references++;
- }
- }
-
- /* FIXME: sort chains */
-
- return 1;
- }
-
-
- /**********************************************************************
- * RULESET COMPILATION (cache -> blob)
- **********************************************************************/
-
- /* Convenience structures */
- struct iptcb_chain_start {
- STRUCT_ENTRY e;
- struct ipt_error_target name;
- };
- #define IPTCB_CHAIN_START_SIZE (sizeof(STRUCT_ENTRY) + \
- ALIGN(sizeof(struct ipt_error_target)))
-
- struct iptcb_chain_foot {
- STRUCT_ENTRY e;
- STRUCT_STANDARD_TARGET target;
- };
- #define IPTCB_CHAIN_FOOT_SIZE (sizeof(STRUCT_ENTRY) + \
- ALIGN(sizeof(STRUCT_STANDARD_TARGET)))
-
- struct iptcb_chain_error {
- STRUCT_ENTRY entry;
- struct ipt_error_target target;
- };
- #define IPTCB_CHAIN_ERROR_SIZE (sizeof(STRUCT_ENTRY) + \
- ALIGN(sizeof(struct ipt_error_target)))
-
-
-
- /* compile rule from cache into blob */
- static inline int
- iptcc_compile_rule(TC_HANDLE_T h, STRUCT_REPLACE * repl,
- struct rule_head *r)
- {
- /* handle jumps */
- if (r->type == IPTCC_R_JUMP) {
- STRUCT_STANDARD_TARGET *t;
- t = (STRUCT_STANDARD_TARGET *) GET_TARGET(r->entry);
- /* memset for memcmp convenience on delete/replace */
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
- strcpy(t->target.u.user.name, STANDARD_TARGET);
- /* Jumps can only happen to builtin chains, so we
- * can safely assume that they always have a header */
- t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE;
- } else if (r->type == IPTCC_R_FALLTHROUGH) {
- STRUCT_STANDARD_TARGET *t;
- t = (STRUCT_STANDARD_TARGET *) GET_TARGET(r->entry);
- t->verdict = r->offset + r->size;
- }
-
- /* copy entry from cache to blob */
- memcpy((char *) repl->entries + r->offset, r->entry, r->size);
-
- return 1;
- }
-
- /* compile chain from cache into blob */
- static int
- iptcc_compile_chain(TC_HANDLE_T h, STRUCT_REPLACE * repl,
- struct chain_head *c)
- {
- int ret;
- struct rule_head *r;
- struct iptcb_chain_start *head;
- struct iptcb_chain_foot *foot;
-
- #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 7, 0)
-
- /* only user-defined chains have heaer */
- if (!iptcc_is_builtin(c)) {
- /* put chain header in place */
- head = (void *) repl->entries + c->head_offset;
- head->e.target_offset = sizeof(STRUCT_ENTRY);
- head->e.next_offset = IPTCB_CHAIN_START_SIZE;
- strcpy(head->name.t.u.user.name, ERROR_TARGET);
- head->name.t.u.target_size =
- ALIGN(sizeof(struct ipt_error_target));
- strcpy(head->name.error, c->name);
- } else {
- repl->hook_entry[c->hooknum - 1] = c->head_offset;
- repl->underflow[c->hooknum - 1] = c->foot_offset;
- }
- #endif
-
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 0, 0)
- /* only user-defined chains have heaer */
- if (!iptcc_is_builtin(c)) {
- /* put chain header in place */
- head = (void *) repl->entries + c->head_offset;
- head->e.target_offset = sizeof(STRUCT_ENTRY);
- head->e.next_offset = IPTCB_CHAIN_START_SIZE;
- strcpy(head->name.target.u.user.name, ERROR_TARGET);
- head->name.target.u.target_size =
- ALIGN(sizeof(struct ipt_error_target));
- strcpy(head->name.errorname, c->name);
- } else {
- repl->hook_entry[c->hooknum - 1] = c->head_offset;
- repl->underflow[c->hooknum - 1] = c->foot_offset;
- }
- #endif
-
- /* iterate over rules */
- list_for_each_entry(r, &c->rules, list) {
- ret = iptcc_compile_rule(h, repl, r);
- if (ret < 0)
- return ret;
- }
-
- /* put chain footer in place */
- foot = (void *) repl->entries + c->foot_offset;
- foot->e.target_offset = sizeof(STRUCT_ENTRY);
- foot->e.next_offset = IPTCB_CHAIN_FOOT_SIZE;
- strcpy(foot->target.target.u.user.name, STANDARD_TARGET);
- foot->target.target.u.target_size =
- ALIGN(sizeof(STRUCT_STANDARD_TARGET));
- /* builtin targets have verdict, others return */
- if (iptcc_is_builtin(c))
- foot->target.verdict = c->verdict;
- else
- foot->target.verdict = RETURN;
- /* set policy-counters */
- memcpy(&foot->e.counters, &c->counters, sizeof(STRUCT_COUNTERS));
-
- return 0;
- }
-
- /* calculate offset and number for every rule in the cache */
- static int
- iptcc_compile_chain_offsets(TC_HANDLE_T h, struct chain_head *c,
- unsigned int *offset, unsigned int *num)
- {
- struct rule_head *r;
-
- c->head_offset = *offset;
- DEBUGP("%s: chain_head %u, offset=%u\n", c->name, *num, *offset);
-
- if (!iptcc_is_builtin(c)) {
- /* Chain has header */
- *offset += sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(struct ipt_error_target));
- (*num)++;
- }
-
- list_for_each_entry(r, &c->rules, list) {
- DEBUGP("rule %u, offset=%u, index=%u\n", *num, *offset, *num);
- r->offset = *offset;
- r->index = *num;
- *offset += r->size;
- (*num)++;
- }
-
- DEBUGP("%s; chain_foot %u, offset=%u, index=%u\n", c->name, *num,
- *offset, *num);
- c->foot_offset = *offset;
- c->foot_index = *num;
- *offset += sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(STRUCT_STANDARD_TARGET));
- (*num)++;
-
- return 1;
- }
-
- /* put the pieces back together again */
- static int
- iptcc_compile_table_prep(TC_HANDLE_T h, unsigned int *size)
- {
- struct chain_head *c;
- unsigned int offset = 0, num = 0;
- int ret = 0;
-
- /* First pass: calculate offset for every rule */
- list_for_each_entry(c, &h->chains, list) {
- ret = iptcc_compile_chain_offsets(h, c, &offset, &num);
- if (ret < 0)
- return ret;
- }
-
- /* Append one error rule at end of chain */
- num++;
- offset += sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(struct ipt_error_target));
-
- /* ruleset size is now in offset */
- *size = offset;
- return num;
- }
-
- static int
- iptcc_compile_table(TC_HANDLE_T h, STRUCT_REPLACE * repl)
- {
- struct chain_head *c;
- struct iptcb_chain_error *error;
-
- /* Second pass: copy from cache to offsets, fill in jumps */
- list_for_each_entry(c, &h->chains, list) {
- int ret = iptcc_compile_chain(h, repl, c);
- if (ret < 0)
- return ret;
- }
- #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 7, 0)
- /* Append error rule at end of chain */
- error = (void *) repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE;
- error->entry.target_offset = sizeof(STRUCT_ENTRY);
- error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE;
- error->target.t.u.user.target_size =
- ALIGN(sizeof(struct ipt_error_target));
- strcpy((char *) &error->target.t.u.user.name, ERROR_TARGET);
- strcpy((char *) &error->target.error, "ERROR");
- #endif
-
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 0, 0)
- /* Append error rule at end of chain */
- error = (void *) repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE;
- error->entry.target_offset = sizeof(STRUCT_ENTRY);
- error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE;
- error->target.target.u.user.target_size =
- ALIGN(sizeof(struct ipt_error_target));
- strcpy((char *) &error->target.target.u.user.name, ERROR_TARGET);
- strcpy((char *) &error->target.errorname, "ERROR");
- #endif
- return 1;
- }
-
- /**********************************************************************
- * EXTERNAL API (operates on cache only)
- **********************************************************************/
-
- /* Allocate handle of given size */
- static TC_HANDLE_T
- alloc_handle(const char *tablename, unsigned int size,
- unsigned int num_rules)
- {
- TC_HANDLE_T h;
-
- h = malloc(sizeof(STRUCT_TC_HANDLE));
- if (!h) {
- errno = ENOMEM;
- return NULL;
- }
- memset(h, 0, sizeof(*h));
- INIT_LIST_HEAD(&h->chains);
- strcpy(h->info.name, tablename);
-
- h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + size);
- if (!h->entries)
- goto out_free_handle;
-
- strcpy(h->entries->name, tablename);
- h->entries->size = size;
-
- return h;
-
- out_free_handle:
- free(h);
-
- return NULL;
- }
-
-
- TC_HANDLE_T
- TC_INIT(const char *tablename)
- {
- TC_HANDLE_T h;
- STRUCT_GETINFO info;
- unsigned int tmp;
- socklen_t s;
-
- iptc_fn = TC_INIT;
-
- if (strlen(tablename) >= TABLE_MAXNAMELEN) {
- errno = EINVAL;
- return NULL;
- }
-
- if (sockfd_use == 0) {
- sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
- if (sockfd < 0)
- return NULL;
- }
- sockfd_use++;
-
- s = sizeof(info);
-
- strcpy(info.name, tablename);
- if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, &info, &s) < 0) {
- if (--sockfd_use == 0) {
- close(sockfd);
- sockfd = -1;
- }
- return NULL;
- }
-
- DEBUGP("valid_hooks=0x%08x, num_entries=%u, size=%u\n",
- info.valid_hooks, info.num_entries, info.size);
-
- if ((h = alloc_handle(info.name, info.size, info.num_entries))
- == NULL) {
- if (--sockfd_use == 0) {
- close(sockfd);
- sockfd = -1;
- }
- return NULL;
- }
-
- /* Initialize current state */
- h->info = info;
-
- h->entries->size = h->info.size;
-
- tmp = sizeof(STRUCT_GET_ENTRIES) + h->info.size;
-
- if (getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, h->entries,
- &tmp) < 0)
- goto error;
-
- #ifdef IPTC_DEBUG2
- {
- int fd = open("/tmp/libiptc-so_get_entries.blob",
- O_CREAT | O_WRONLY);
- if (fd >= 0) {
- write(fd, h->entries, tmp);
- close(fd);
- }
- }
- #endif
-
- if (parse_table(h) < 0)
- goto error;
-
- CHECK(h);
- return h;
- error:
- if (--sockfd_use == 0) {
- close(sockfd);
- sockfd = -1;
- }
- TC_FREE(&h);
- return NULL;
- }
-
- void
- TC_FREE(TC_HANDLE_T * h)
- {
- struct chain_head *c, *tmp;
-
- iptc_fn = TC_FREE;
- if (--sockfd_use == 0) {
- close(sockfd);
- sockfd = -1;
- }
-
- list_for_each_entry_safe(c, tmp, &(*h)->chains, list) {
- struct rule_head *r, *rtmp;
-
- list_for_each_entry_safe(r, rtmp, &c->rules, list) {
- free(r);
- }
-
- free(c);
- }
-
- free((*h)->entries);
- free(*h);
-
- *h = NULL;
- }
-
- static inline int
- print_match(const STRUCT_ENTRY_MATCH * m)
- {
- printf("Match name: `%s'\n", m->u.user.name);
- return 0;
- }
-
- /*static int dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle);*/
-
- void
- TC_DUMP_ENTRIES(const TC_HANDLE_T handle)
- {
- iptc_fn = TC_DUMP_ENTRIES;
- CHECK(handle);
- #if 0
- printf("libiptc v%s. %u bytes.\n",
- IPTABLES_VERSION, handle->entries->size);
- printf("Table `%s'\n", handle->info.name);
- printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
- handle->info.hook_entry[HOOK_PRE_ROUTING],
- handle->info.hook_entry[HOOK_LOCAL_IN],
- handle->info.hook_entry[HOOK_FORWARD],
- handle->info.hook_entry[HOOK_LOCAL_OUT],
- handle->info.hook_entry[HOOK_POST_ROUTING]);
- printf("Underflows: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
- handle->info.underflow[HOOK_PRE_ROUTING],
- handle->info.underflow[HOOK_LOCAL_IN],
- handle->info.underflow[HOOK_FORWARD],
- handle->info.underflow[HOOK_LOCAL_OUT],
- handle->info.underflow[HOOK_POST_ROUTING]);
-
- ENTRY_ITERATE(handle->entries->entrytable, handle->entries->size,
- dump_entry, handle);
- #endif
- }
-
- /* Does this chain exist? */
- int
- TC_IS_CHAIN(const char *chain, const TC_HANDLE_T handle)
- {
- iptc_fn = TC_IS_CHAIN;
- return iptcc_find_label(chain, handle) != NULL;
- }
-
- static void
- iptcc_chain_iterator_advance(TC_HANDLE_T handle)
- {
- struct chain_head *c = handle->chain_iterator_cur;
-
- if (c->list.next == &handle->chains)
- handle->chain_iterator_cur = NULL;
- else
- handle->chain_iterator_cur =
- list_entry(c->list.next, struct chain_head, list);
- }
-
- /* Iterator functions to run through the chains. */
- const char *
- TC_FIRST_CHAIN(TC_HANDLE_T * handle)
- {
- struct chain_head *c = list_entry((*handle)->chains.next,
- struct chain_head, list);
-
- iptc_fn = TC_FIRST_CHAIN;
-
-
- if (list_empty(&(*handle)->chains)) {
- DEBUGP(": no chains\n");
- return NULL;
- }
-
- (*handle)->chain_iterator_cur = c;
- iptcc_chain_iterator_advance(*handle);
-
- DEBUGP(": returning `%s'\n", c->name);
- return c->name;
- }
-
- /* Iterator functions to run through the chains. Returns NULL at end. */
- const char *
- TC_NEXT_CHAIN(TC_HANDLE_T * handle)
- {
- struct chain_head *c = (*handle)->chain_iterator_cur;
-
- iptc_fn = TC_NEXT_CHAIN;
-
- if (!c) {
- DEBUGP(": no more chains\n");
- return NULL;
- }
-
- iptcc_chain_iterator_advance(*handle);
-
- DEBUGP(": returning `%s'\n", c->name);
- return c->name;
- }
-
- /* Get first rule in the given chain: NULL for empty chain. */
- const STRUCT_ENTRY *
- TC_FIRST_RULE(const char *chain, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r;
-
- iptc_fn = TC_FIRST_RULE;
-
- DEBUGP("first rule(%s): ", chain);
-
- c = iptcc_find_label(chain, *handle);
- if (!c) {
- errno = ENOENT;
- return NULL;
- }
-
- /* Empty chain: single return/policy rule */
- if (list_empty(&c->rules)) {
- DEBUGP_C("no rules, returning NULL\n");
- return NULL;
- }
-
- r = list_entry(c->rules.next, struct rule_head, list);
- (*handle)->rule_iterator_cur = r;
- DEBUGP_C("%p\n", r);
-
- return r->entry;
- }
-
- /* Returns NULL when rules run out. */
- const STRUCT_ENTRY *
- TC_NEXT_RULE(const STRUCT_ENTRY * prev, TC_HANDLE_T * handle)
- {
- struct rule_head *r;
-
- iptc_fn = TC_NEXT_RULE;
- DEBUGP("rule_iterator_cur=%p...", (*handle)->rule_iterator_cur);
-
- if (!(*handle)->rule_iterator_cur) {
- DEBUGP_C("returning NULL\n");
- return NULL;
- }
-
- r = list_entry((*handle)->rule_iterator_cur->list.next,
- struct rule_head, list);
-
- iptc_fn = TC_NEXT_RULE;
-
- DEBUGP_C("next=%p, head=%p...", &r->list,
- &(*handle)->rule_iterator_cur->chain->rules);
-
- if (&r->list == &(*handle)->rule_iterator_cur->chain->rules) {
- (*handle)->rule_iterator_cur = NULL;
- DEBUGP_C("finished, returning NULL\n");
- return NULL;
- }
-
- (*handle)->rule_iterator_cur = r;
-
- /* NOTE: prev is without any influence ! */
- DEBUGP_C("returning rule %p\n", r);
- return r->entry;
- }
-
- /* How many rules in this chain? */
- unsigned int
- TC_NUM_RULES(const char *chain, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- iptc_fn = TC_NUM_RULES;
- CHECK(*handle);
-
- c = iptcc_find_label(chain, *handle);
- if (!c) {
- errno = ENOENT;
- return (unsigned int) -1;
- }
-
- return c->num_rules;
- }
-
- const STRUCT_ENTRY *
- TC_GET_RULE(const char *chain, unsigned int n, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r;
-
- iptc_fn = TC_GET_RULE;
-
- CHECK(*handle);
-
- c = iptcc_find_label(chain, *handle);
- if (!c) {
- errno = ENOENT;
- return NULL;
- }
-
- r = iptcc_get_rule_num(c, n);
- if (!r)
- return NULL;
- return r->entry;
- }
-
- /* Returns a pointer to the target name of this position. */
- const char *
- standard_target_map(int verdict)
- {
- switch (verdict) {
- case RETURN:
- return LABEL_RETURN;
- break;
- case -NF_ACCEPT - 1:
- return LABEL_ACCEPT;
- break;
- case -NF_DROP - 1:
- return LABEL_DROP;
- break;
- case -NF_QUEUE - 1:
- return LABEL_QUEUE;
- break;
- default:
- fprintf(stderr, "ERROR: %d not a valid target)\n", verdict);
- abort();
- break;
- }
- /* not reached */
- return NULL;
- }
-
- /* Returns a pointer to the target name of this position. */
- const char *
- TC_GET_TARGET(const STRUCT_ENTRY * ce, TC_HANDLE_T * handle)
- {
- STRUCT_ENTRY *e = (STRUCT_ENTRY *) ce;
- struct rule_head *r = container_of(e, struct rule_head, entry[0]);
-
- iptc_fn = TC_GET_TARGET;
-
- switch (r->type) {
- int spos;
- case IPTCC_R_FALLTHROUGH:
- return "";
- break;
- case IPTCC_R_JUMP:
- DEBUGP("r=%p, jump=%p, name=`%s'\n", r, r->jump, r->jump->name);
- return r->jump->name;
- break;
- case IPTCC_R_STANDARD:
- spos = *(int *) GET_TARGET(e)->data;
- DEBUGP("r=%p, spos=%d'\n", r, spos);
- return standard_target_map(spos);
- break;
- case IPTCC_R_MODULE:
- return GET_TARGET(e)->u.user.name;
- break;
- }
- return NULL;
- }
-
- /* Is this a built-in chain? Actually returns hook + 1. */
- int
- TC_BUILTIN(const char *chain, const TC_HANDLE_T handle)
- {
- struct chain_head *c;
-
- iptc_fn = TC_BUILTIN;
-
- c = iptcc_find_label(chain, handle);
- if (!c) {
- errno = ENOENT;
- return 0;
- }
-
- return iptcc_is_builtin(c);
- }
-
- /* Get the policy of a given built-in chain */
- const char *
- TC_GET_POLICY(const char *chain,
- STRUCT_COUNTERS * counters, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
-
- iptc_fn = TC_GET_POLICY;
-
- DEBUGP("called for chain %s\n", chain);
-
- c = iptcc_find_label(chain, *handle);
- if (!c) {
- errno = ENOENT;
- return NULL;
- }
-
- if (!iptcc_is_builtin(c))
- return NULL;
-
- *counters = c->counters;
-
- return standard_target_map(c->verdict);
- }
-
- static int
- iptcc_standard_map(struct rule_head *r, int verdict)
- {
- STRUCT_ENTRY *e = r->entry;
- STRUCT_STANDARD_TARGET *t;
-
- t = (STRUCT_STANDARD_TARGET *) GET_TARGET(e);
-
- if (t->target.u.target_size != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
- errno = EINVAL;
- return 0;
- }
- /* memset for memcmp convenience on delete/replace */
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
- strcpy(t->target.u.user.name, STANDARD_TARGET);
- t->verdict = verdict;
-
- r->type = IPTCC_R_STANDARD;
-
- return 1;
- }
-
- static int
- iptcc_map_target(const TC_HANDLE_T handle, struct rule_head *r)
- {
- STRUCT_ENTRY *e = r->entry;
- STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
-
- /* Maybe it's empty (=> fall through) */
- if (strcmp(t->u.user.name, "") == 0) {
- r->type = IPTCC_R_FALLTHROUGH;
- return 1;
- }
- /* Maybe it's a standard target name... */
- else if (strcmp(t->u.user.name, LABEL_ACCEPT) == 0)
- return iptcc_standard_map(r, -NF_ACCEPT - 1);
- else if (strcmp(t->u.user.name, LABEL_DROP) == 0)
- return iptcc_standard_map(r, -NF_DROP - 1);
- else if (strcmp(t->u.user.name, LABEL_QUEUE) == 0)
- return iptcc_standard_map(r, -NF_QUEUE - 1);
- else if (strcmp(t->u.user.name, LABEL_RETURN) == 0)
- return iptcc_standard_map(r, RETURN);
- else if (TC_BUILTIN(t->u.user.name, handle)) {
- /* Can't jump to builtins. */
- errno = EINVAL;
- return 0;
- } else {
- /* Maybe it's an existing chain name. */
- struct chain_head *c;
- DEBUGP("trying to find chain `%s': ", t->u.user.name);
-
- c = iptcc_find_label(t->u.user.name, handle);
- if (c) {
- DEBUGP_C("found!\n");
- r->type = IPTCC_R_JUMP;
- r->jump = c;
- c->references++;
- return 1;
- }
- DEBUGP_C("not found :(\n");
- }
-
- /* Must be a module? If not, kernel will reject... */
- /* memset to all 0 for your memcmp convenience: don't clear version */
- memset(t->u.user.name + strlen(t->u.user.name),
- 0, FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name));
- r->type = IPTCC_R_MODULE;
- set_changed(handle);
- return 1;
- }
-
- /* Insert the entry `fw' in chain `chain' into position `rulenum'. */
- int
- TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY * e,
- unsigned int rulenum, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r;
- struct list_head *prev;
-
- iptc_fn = TC_INSERT_ENTRY;
-
- if (!(c = iptcc_find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- /* first rulenum index = 0
- first c->num_rules index = 1 */
- if (rulenum > c->num_rules) {
- errno = E2BIG;
- return 0;
- }
-
- /* If we are inserting at the end just take advantage of the
- double linked list, insert will happen before the entry
- prev points to. */
- if (rulenum == c->num_rules) {
- prev = &c->rules;
- } else if (rulenum + 1 <= c->num_rules / 2) {
- r = iptcc_get_rule_num(c, rulenum + 1);
- prev = &r->list;
- } else {
- r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
- prev = &r->list;
- }
-
- if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
- errno = ENOMEM;
- return 0;
- }
-
- memcpy(r->entry, e, e->next_offset);
- r->counter_map.maptype = COUNTER_MAP_SET;
-
- if (!iptcc_map_target(*handle, r)) {
- free(r);
- return 0;
- }
-
- list_add_tail(&r->list, prev);
- c->num_rules++;
-
- set_changed(*handle);
-
- return 1;
- }
-
- /* Atomically replace rule `rulenum' in `chain' with `fw'. */
- int
- TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY * e,
- unsigned int rulenum, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r, *old;
-
- iptc_fn = TC_REPLACE_ENTRY;
-
- if (!(c = iptcc_find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- if (rulenum >= c->num_rules) {
- errno = E2BIG;
- return 0;
- }
-
- /* Take advantage of the double linked list if possible. */
- if (rulenum + 1 <= c->num_rules / 2) {
- old = iptcc_get_rule_num(c, rulenum + 1);
- } else {
- old = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
- }
-
- if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
- errno = ENOMEM;
- return 0;
- }
-
- memcpy(r->entry, e, e->next_offset);
- r->counter_map.maptype = COUNTER_MAP_SET;
-
- if (!iptcc_map_target(*handle, r)) {
- free(r);
- return 0;
- }
-
- list_add(&r->list, &old->list);
- iptcc_delete_rule(old);
-
- set_changed(*handle);
-
- return 1;
- }
-
- /* Append entry `fw' to chain `chain'. Equivalent to insert with
- rulenum = length of chain. */
- int
- TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY * e, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r;
-
- iptc_fn = TC_APPEND_ENTRY;
- if (!(c = iptcc_find_label(chain, *handle))) {
- DEBUGP("unable to find chain `%s'\n", chain);
- errno = ENOENT;
- return 0;
- }
-
- if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
- DEBUGP("unable to allocate rule for chain `%s'\n", chain);
- errno = ENOMEM;
- return 0;
- }
-
- memcpy(r->entry, e, e->next_offset);
- r->counter_map.maptype = COUNTER_MAP_SET;
-
- if (!iptcc_map_target(*handle, r)) {
- DEBUGP("unable to map target of rule for chain `%s'\n", chain);
- free(r);
- return 0;
- }
-
- list_add_tail(&r->list, &c->rules);
- c->num_rules++;
-
- set_changed(*handle);
-
- return 1;
- }
-
- static inline int
- match_different(const STRUCT_ENTRY_MATCH * a,
- const unsigned char *a_elems,
- const unsigned char *b_elems, unsigned char **maskptr)
- {
- const STRUCT_ENTRY_MATCH *b;
- unsigned int i;
-
- /* Offset of b is the same as a. */
- b = (void *) b_elems + ((unsigned char *) a - a_elems);
-
- if (a->u.match_size != b->u.match_size)
- return 1;
-
- if (strcmp(a->u.user.name, b->u.user.name) != 0)
- return 1;
-
- *maskptr += ALIGN(sizeof(*a));
-
- for (i = 0; i < a->u.match_size - ALIGN(sizeof(*a)); i++)
- if (((a->data[i] ^ b->data[i]) & (*maskptr)[i]) != 0)
- return 1;
- *maskptr += i;
- return 0;
- }
-
- static inline int
- target_same(struct rule_head *a, struct rule_head *b,
- const unsigned char *mask)
- {
- unsigned int i;
- STRUCT_ENTRY_TARGET *ta, *tb;
-
- if (a->type != b->type)
- return 0;
-
- ta = GET_TARGET(a->entry);
- tb = GET_TARGET(b->entry);
-
- switch (a->type) {
- case IPTCC_R_FALLTHROUGH:
- return 1;
- case IPTCC_R_JUMP:
- return a->jump == b->jump;
- case IPTCC_R_STANDARD:
- return ((STRUCT_STANDARD_TARGET *) ta)->verdict
- == ((STRUCT_STANDARD_TARGET *) tb)->verdict;
- case IPTCC_R_MODULE:
- if (ta->u.target_size != tb->u.target_size)
- return 0;
- if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
- return 0;
-
- for (i = 0; i < ta->u.target_size - sizeof(*ta); i++)
- if (((ta->data[i] ^ tb->data[i]) & mask[i]) != 0)
- return 0;
- return 1;
- default:
- fprintf(stderr, "ERROR: bad type %i\n", a->type);
- abort();
- }
- }
-
- static unsigned char *is_same(const STRUCT_ENTRY * a,
- const STRUCT_ENTRY * b,
- unsigned char *matchmask);
-
- /* Delete the first rule in `chain' which matches `fw'. */
- int
- TC_DELETE_ENTRY(const IPT_CHAINLABEL chain,
- const STRUCT_ENTRY * origfw,
- unsigned char *matchmask, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r, *i;
-
- iptc_fn = TC_DELETE_ENTRY;
- if (!(c = iptcc_find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- /* Create a rule_head from origfw. */
- r = iptcc_alloc_rule(c, origfw->next_offset);
- if (!r) {
- errno = ENOMEM;
- return 0;
- }
-
- memcpy(r->entry, origfw, origfw->next_offset);
- r->counter_map.maptype = COUNTER_MAP_NOMAP;
- if (!iptcc_map_target(*handle, r)) {
- DEBUGP("unable to map target of rule for chain `%s'\n", chain);
- free(r);
- return 0;
- }
-
- list_for_each_entry(i, &c->rules, list) {
- unsigned char *mask;
-
- mask = is_same(r->entry, i->entry, matchmask);
- if (!mask)
- continue;
-
- if (!target_same(r, i, mask))
- continue;
-
- /* If we are about to delete the rule that is the
- * current iterator, move rule iterator back. next
- * pointer will then point to real next node */
- if (i == (*handle)->rule_iterator_cur) {
- (*handle)->rule_iterator_cur =
- list_entry((*handle)->rule_iterator_cur->list.prev,
- struct rule_head, list);
- }
-
- c->num_rules--;
- iptcc_delete_rule(i);
-
- set_changed(*handle);
- free(r);
- return 1;
- }
-
- free(r);
- errno = ENOENT;
- return 0;
- }
-
-
- /* Delete the rule in position `rulenum' in `chain'. */
- int
- TC_DELETE_NUM_ENTRY(const IPT_CHAINLABEL chain,
- unsigned int rulenum, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r;
-
- iptc_fn = TC_DELETE_NUM_ENTRY;
-
- if (!(c = iptcc_find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- if (rulenum >= c->num_rules) {
- errno = E2BIG;
- return 0;
- }
-
- /* Take advantage of the double linked list if possible. */
- if (rulenum + 1 <= c->num_rules / 2) {
- r = iptcc_get_rule_num(c, rulenum + 1);
- } else {
- r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
- }
-
- /* If we are about to delete the rule that is the current
- * iterator, move rule iterator back. next pointer will then
- * point to real next node */
- if (r == (*handle)->rule_iterator_cur) {
- (*handle)->rule_iterator_cur =
- list_entry((*handle)->rule_iterator_cur->list.prev,
- struct rule_head, list);
- }
-
- c->num_rules--;
- iptcc_delete_rule(r);
-
- set_changed(*handle);
-
- return 1;
- }
-
- /* Check the packet `fw' on chain `chain'. Returns the verdict, or
- NULL and sets errno. */
- const char *
- TC_CHECK_PACKET(const IPT_CHAINLABEL chain,
- STRUCT_ENTRY * entry, TC_HANDLE_T * handle)
- {
- iptc_fn = TC_CHECK_PACKET;
- errno = ENOSYS;
- return NULL;
- }
-
- /* Flushes the entries in the given chain (ie. empties chain). */
- int
- TC_FLUSH_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r, *tmp;
-
- iptc_fn = TC_FLUSH_ENTRIES;
- if (!(c = iptcc_find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- list_for_each_entry_safe(r, tmp, &c->rules, list) {
- iptcc_delete_rule(r);
- }
-
- c->num_rules = 0;
-
- set_changed(*handle);
-
- return 1;
- }
-
- /* Zeroes the counters in a chain. */
- int
- TC_ZERO_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r;
-
- iptc_fn = TC_ZERO_ENTRIES;
- if (!(c = iptcc_find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- list_for_each_entry(r, &c->rules, list) {
- if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
- r->counter_map.maptype = COUNTER_MAP_ZEROED;
- }
-
- set_changed(*handle);
-
- return 1;
- }
-
- STRUCT_COUNTERS *
- TC_READ_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r;
-
- iptc_fn = TC_READ_COUNTER;
- CHECK(*handle);
-
- if (!(c = iptcc_find_label(chain, *handle))) {
- errno = ENOENT;
- return NULL;
- }
-
- if (!(r = iptcc_get_rule_num(c, rulenum))) {
- errno = E2BIG;
- return NULL;
- }
-
- return &r->entry[0].counters;
- }
-
- int
- TC_ZERO_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r;
-
- iptc_fn = TC_ZERO_COUNTER;
- CHECK(*handle);
-
- if (!(c = iptcc_find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- if (!(r = iptcc_get_rule_num(c, rulenum))) {
- errno = E2BIG;
- return 0;
- }
-
- if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
- r->counter_map.maptype = COUNTER_MAP_ZEROED;
-
- set_changed(*handle);
-
- return 1;
- }
-
- int
- TC_SET_COUNTER(const IPT_CHAINLABEL chain,
- unsigned int rulenum,
- STRUCT_COUNTERS * counters, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- struct rule_head *r;
- STRUCT_ENTRY *e;
-
- iptc_fn = TC_SET_COUNTER;
- CHECK(*handle);
-
- if (!(c = iptcc_find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- if (!(r = iptcc_get_rule_num(c, rulenum))) {
- errno = E2BIG;
- return 0;
- }
-
- e = r->entry;
- r->counter_map.maptype = COUNTER_MAP_SET;
-
- memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS));
-
- set_changed(*handle);
-
- return 1;
- }
-
- /* Creates a new chain. */
- /* To create a chain, create two rules: error node and unconditional
- * return. */
- int
- TC_CREATE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T * handle)
- {
- static struct chain_head *c;
-
- iptc_fn = TC_CREATE_CHAIN;
-
- /* find_label doesn't cover built-in targets: DROP, ACCEPT,
- QUEUE, RETURN. */
- if (iptcc_find_label(chain, *handle)
- || strcmp(chain, LABEL_DROP) == 0
- || strcmp(chain, LABEL_ACCEPT) == 0
- || strcmp(chain, LABEL_QUEUE) == 0
- || strcmp(chain, LABEL_RETURN) == 0) {
- DEBUGP("Chain `%s' already exists\n", chain);
- errno = EEXIST;
- return 0;
- }
-
- if (strlen(chain) + 1 > sizeof(IPT_CHAINLABEL)) {
- DEBUGP("Chain name `%s' too long\n", chain);
- errno = EINVAL;
- return 0;
- }
-
- c = iptcc_alloc_chain_head(chain, 0);
- if (!c) {
- DEBUGP("Cannot allocate memory for chain `%s'\n", chain);
- errno = ENOMEM;
- return 0;
-
- }
-
- DEBUGP("Creating chain `%s'\n", chain);
- list_add_tail(&c->list, &(*handle)->chains);
-
- set_changed(*handle);
-
- return 1;
- }
-
- /* Get the number of references to this chain. */
- int
- TC_GET_REFERENCES(unsigned int *ref, const IPT_CHAINLABEL chain,
- TC_HANDLE_T * handle)
- {
- struct chain_head *c;
-
- iptc_fn = TC_GET_REFERENCES;
- if (!(c = iptcc_find_label(chain, *handle))) {
- errno = ENOENT;
- return 0;
- }
-
- *ref = c->references;
-
- return 1;
- }
-
- /* Deletes a chain. */
- int
- TC_DELETE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T * handle)
- {
- unsigned int references;
- struct chain_head *c;
-
- iptc_fn = TC_DELETE_CHAIN;
-
- if (!(c = iptcc_find_label(chain, *handle))) {
- DEBUGP("cannot find chain `%s'\n", chain);
- errno = ENOENT;
- return 0;
- }
-
- if (TC_BUILTIN(chain, *handle)) {
- DEBUGP("cannot remove builtin chain `%s'\n", chain);
- errno = EINVAL;
- return 0;
- }
-
- if (!TC_GET_REFERENCES(&references, chain, handle)) {
- DEBUGP("cannot get references on chain `%s'\n", chain);
- return 0;
- }
-
- if (references > 0) {
- DEBUGP("chain `%s' still has references\n", chain);
- errno = EMLINK;
- return 0;
- }
-
- if (c->num_rules) {
- DEBUGP("chain `%s' is not empty\n", chain);
- errno = ENOTEMPTY;
- return 0;
- }
-
- /* If we are about to delete the chain that is the current
- * iterator, move chain iterator firward. */
- if (c == (*handle)->chain_iterator_cur)
- iptcc_chain_iterator_advance(*handle);
-
- list_del(&c->list);
- free(c);
-
- DEBUGP("chain `%s' deleted\n", chain);
-
- set_changed(*handle);
-
- return 1;
- }
-
- /* Renames a chain. */
- int
- TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
- const IPT_CHAINLABEL newname, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
- iptc_fn = TC_RENAME_CHAIN;
-
- /* find_label doesn't cover built-in targets: DROP, ACCEPT,
- QUEUE, RETURN. */
- if (iptcc_find_label(newname, *handle)
- || strcmp(newname, LABEL_DROP) == 0
- || strcmp(newname, LABEL_ACCEPT) == 0
- || strcmp(newname, LABEL_QUEUE) == 0
- || strcmp(newname, LABEL_RETURN) == 0) {
- errno = EEXIST;
- return 0;
- }
-
- if (!(c = iptcc_find_label(oldname, *handle))
- || TC_BUILTIN(oldname, *handle)) {
- errno = ENOENT;
- return 0;
- }
-
- if (strlen(newname) + 1 > sizeof(IPT_CHAINLABEL)) {
- errno = EINVAL;
- return 0;
- }
-
- strncpy(c->name, newname, sizeof(IPT_CHAINLABEL));
-
- set_changed(*handle);
-
- return 1;
- }
-
- /* Sets the policy on a built-in chain. */
- int
- TC_SET_POLICY(const IPT_CHAINLABEL chain,
- const IPT_CHAINLABEL policy,
- STRUCT_COUNTERS * counters, TC_HANDLE_T * handle)
- {
- struct chain_head *c;
-
- iptc_fn = TC_SET_POLICY;
-
- if (!(c = iptcc_find_label(chain, *handle))) {
- DEBUGP("cannot find chain `%s'\n", chain);
- errno = ENOENT;
- return 0;
- }
-
- if (!iptcc_is_builtin(c)) {
- DEBUGP("cannot set policy of userdefinedchain `%s'\n", chain);
- errno = ENOENT;
- return 0;
- }
-
- if (strcmp(policy, LABEL_ACCEPT) == 0)
- c->verdict = -NF_ACCEPT - 1;
- else if (strcmp(policy, LABEL_DROP) == 0)
- c->verdict = -NF_DROP - 1;
- else {
- errno = EINVAL;
- return 0;
- }
-
- if (counters) {
- /* set byte and packet counters */
- memcpy(&c->counters, counters, sizeof(STRUCT_COUNTERS));
- c->counter_map.maptype = COUNTER_MAP_SET;
- } else {
- c->counter_map.maptype = COUNTER_MAP_NOMAP;
- }
-
- set_changed(*handle);
-
- return 1;
- }
-
- /* Without this, on gcc 2.7.2.3, we get:
- libiptc.c: In function `TC_COMMIT':
- libiptc.c:833: fixed or forbidden register was spilled.
- This may be due to a compiler bug or to impossible asm
- statements or clauses.
- */
- static void
- subtract_counters(STRUCT_COUNTERS * answer,
- const STRUCT_COUNTERS * a, const STRUCT_COUNTERS * b)
- {
- answer->pcnt = a->pcnt - b->pcnt;
- answer->bcnt = a->bcnt - b->bcnt;
- }
-
-
- static void
- counters_nomap(STRUCT_COUNTERS_INFO * newcounters, unsigned int index)
- {
- newcounters->counters[index] = ((STRUCT_COUNTERS) {
- 0, 0});
- DEBUGP_C("NOMAP => zero\n");
- }
-
- static void
- counters_normal_map(STRUCT_COUNTERS_INFO * newcounters,
- STRUCT_REPLACE * repl,
- unsigned int index, unsigned int mappos)
- {
- /* Original read: X.
- * Atomic read on replacement: X + Y.
- * Currently in kernel: Z.
- * Want in kernel: X + Y + Z.
- * => Add in X + Y
- * => Add in replacement read.
- */
- newcounters->counters[index] = repl->counters[mappos];
- DEBUGP_C("NORMAL_MAP => mappos %u \n", mappos);
- }
-
- static void
- counters_map_zeroed(STRUCT_COUNTERS_INFO * newcounters,
- STRUCT_REPLACE * repl,
- unsigned int index,
- unsigned int mappos, STRUCT_COUNTERS * counters)
- {
- /* Original read: X.
- * Atomic read on replacement: X + Y.
- * Currently in kernel: Z.
- * Want in kernel: Y + Z.
- * => Add in Y.
- * => Add in (replacement read - original read).
- */
- subtract_counters(&newcounters->counters[index],
- &repl->counters[mappos], counters);
- DEBUGP_C("ZEROED => mappos %u\n", mappos);
- }
-
- static void
- counters_map_set(STRUCT_COUNTERS_INFO * newcounters,
- unsigned int index, STRUCT_COUNTERS * counters)
- {
- /* Want to set counter (iptables-restore) */
-
- memcpy(&newcounters->counters[index], counters,
- sizeof(STRUCT_COUNTERS));
-
- DEBUGP_C("SET\n");
- }
-
-
- int
- TC_COMMIT(TC_HANDLE_T * handle)
- {
- /* Replace, then map back the counters. */
- STRUCT_REPLACE *repl;
- STRUCT_COUNTERS_INFO *newcounters;
- struct chain_head *c;
- int ret;
- size_t counterlen;
- int new_number;
- unsigned int new_size;
-
- iptc_fn = TC_COMMIT;
- CHECK(*handle);
-
- /* Don't commit if nothing changed. */
- if (!(*handle)->changed)
- goto finished;
-
- new_number = iptcc_compile_table_prep(*handle, &new_size);
- if (new_number < 0) {
- errno = ENOMEM;
- return 0;
- }
-
- repl = malloc(sizeof(*repl) + new_size);
- if (!repl) {
- errno = ENOMEM;
- return 0;
- }
- memset(repl, 0, sizeof(*repl) + new_size);
-
- #if 0
- TC_DUMP_ENTRIES(*handle);
- #endif
-
- counterlen = sizeof(STRUCT_COUNTERS_INFO)
- + sizeof(STRUCT_COUNTERS) * new_number;
-
- /* These are the old counters we will get from kernel */
- repl->counters = malloc(sizeof(STRUCT_COUNTERS)
- * (*handle)->info.num_entries);
- if (!repl->counters) {
- free(repl);
- errno = ENOMEM;
- return 0;
- }
- /* These are the counters we're going to put back, later. */
- newcounters = malloc(counterlen);
- if (!newcounters) {
- free(repl->counters);
- free(repl);
- errno = ENOMEM;
- return 0;
- }
- memset(newcounters, 0, counterlen);
-
- strcpy(repl->name, (*handle)->info.name);
- repl->num_entries = new_number;
- repl->size = new_size;
-
- repl->num_counters = (*handle)->info.num_entries;
- repl->valid_hooks = (*handle)->info.valid_hooks;
-
- DEBUGP("num_entries=%u, size=%u, num_counters=%u\n",
- repl->num_entries, repl->size, repl->num_counters);
-
- ret = iptcc_compile_table(*handle, repl);
- if (ret < 0) {
- errno = ret;
- free(repl->counters);
- free(repl);
- free(newcounters);
- return 0;
- }
-
- #ifdef IPTC_DEBUG2
- {
- int fd = open("/tmp/libiptc-so_set_replace.blob",
- O_CREAT | O_WRONLY);
- if (fd >= 0) {
- write(fd, repl, sizeof(*repl) + repl->size);
- close(fd);
- }
- }
- #endif
-
- if (setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
- sizeof(*repl) + repl->size) < 0) {
- free(repl->counters);
- free(repl);
- free(newcounters);
- return 0;
- }
-
- /* Put counters back. */
- strcpy(newcounters->name, (*handle)->info.name);
- newcounters->num_counters = new_number;
-
- list_for_each_entry(c, &(*handle)->chains, list) {
- struct rule_head *r;
-
- /* Builtin chains have their own counters */
- if (iptcc_is_builtin(c)) {
- DEBUGP("counter for chain-index %u: ", c->foot_index);
- switch (c->counter_map.maptype) {
- case COUNTER_MAP_NOMAP:
- counters_nomap(newcounters, c->foot_index);
- break;
- case COUNTER_MAP_NORMAL_MAP:
- counters_normal_map(newcounters, repl,
- c->foot_index, c->counter_map.mappos);
- break;
- case COUNTER_MAP_ZEROED:
- counters_map_zeroed(newcounters, repl,
- c->foot_index,
- c->counter_map.mappos, &c->counters);
- break;
- case COUNTER_MAP_SET:
- counters_map_set(newcounters, c->foot_index, &c->counters);
- break;
- }
- }
-
- list_for_each_entry(r, &c->rules, list) {
- DEBUGP("counter for index %u: ", r->index);
- switch (r->counter_map.maptype) {
- case COUNTER_MAP_NOMAP:
- counters_nomap(newcounters, r->index);
- break;
-
- case COUNTER_MAP_NORMAL_MAP:
- counters_normal_map(newcounters, repl,
- r->index, r->counter_map.mappos);
- break;
-
- case COUNTER_MAP_ZEROED:
- counters_map_zeroed(newcounters, repl,
- r->index,
- r->counter_map.mappos,
- &r->entry->counters);
- break;
-
- case COUNTER_MAP_SET:
- counters_map_set(newcounters, r->index,
- &r->entry->counters);
- break;
- }
- }
- }
-
-
- #ifdef KERNEL_64_USERSPACE_32
- {
- /* Kernel will think that pointer should be 64-bits, and get
- padding. So we accomodate here (assumption: alignment of
- `counters' is on 64-bit boundary). */
- u_int64_t *kernptr = (u_int64_t *) & newcounters->counters;
- if ((unsigned long) &newcounters->counters % 8 != 0) {
- fprintf(stderr, "counters alignment incorrect! Mail rusty!\n");
- abort();
- }
- *kernptr = newcounters->counters;
- }
- #endif /* KERNEL_64_USERSPACE_32 */
-
- #ifdef IPTC_DEBUG2
- {
- int fd = open("/tmp/libiptc-so_set_add_counters.blob",
- O_CREAT | O_WRONLY);
- if (fd >= 0) {
- write(fd, newcounters, counterlen);
- close(fd);
- }
- }
- #endif
-
- if (setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
- newcounters, counterlen) < 0) {
- free(repl->counters);
- free(repl);
- free(newcounters);
- return 0;
- }
-
- free(repl->counters);
- free(repl);
- free(newcounters);
-
- finished:
- TC_FREE(handle);
- return 1;
- }
-
- /* Get raw socket. */
- int
- TC_GET_RAW_SOCKET()
- {
- return sockfd;
- }
-
- /* Translates errno numbers into more human-readable form than strerror. */
- const char *
- TC_STRERROR(int err)
- {
- unsigned int i;
- struct table_struct {
- void *fn;
- int err;
- const char *message;
- } table[] = { {
- TC_INIT, EPERM, "Permission denied (you must be root)"}, {
- TC_INIT, EINVAL, "Module is wrong version"}, {
- TC_INIT, ENOENT, "Table does not exist (do you need to insmod?)"}, {
- TC_DELETE_CHAIN, ENOTEMPTY, "Chain is not empty"}, {
- TC_DELETE_CHAIN, EINVAL, "Can't delete built-in chain"}, {
- TC_DELETE_CHAIN, EMLINK, "Can't delete chain with references left"}, {
- TC_CREATE_CHAIN, EEXIST, "Chain already exists"}, {
- TC_INSERT_ENTRY, E2BIG, "Index of insertion too big"}, {
- TC_REPLACE_ENTRY, E2BIG, "Index of replacement too big"}, {
- TC_DELETE_NUM_ENTRY, E2BIG, "Index of deletion too big"}, {
- TC_READ_COUNTER, E2BIG, "Index of counter too big"}, {
- TC_ZERO_COUNTER, E2BIG, "Index of counter too big"}, {
- TC_INSERT_ENTRY, ELOOP, "Loop found in table"}, {
- TC_INSERT_ENTRY, EINVAL, "Target problem"},
- /* EINVAL for CHECK probably means bad interface. */
- {
- TC_CHECK_PACKET, EINVAL,
- "Bad arguments (does that interface exist?)"}, {
- TC_CHECK_PACKET, ENOSYS,
- "Checking will most likely never get implemented"},
- /* ENOENT for DELETE probably means no matching rule */
- {
- TC_DELETE_ENTRY, ENOENT,
- "Bad rule (does a matching rule exist in that chain?)"}, {
- TC_SET_POLICY, ENOENT, "Bad built-in chain name"}, {
- TC_SET_POLICY, EINVAL, "Bad policy name"}, {
- NULL, 0, "Incompatible with this kernel"}, {
- NULL, ENOPROTOOPT, "iptables who? (do you need to insmod?)"}, {
- NULL, ENOSYS, "Will be implemented real soon. I promise ;)"}, {
- NULL, ENOMEM, "Memory allocation problem"}, {
- NULL, ENOENT, "No chain/target/match by that name"},};
-
- for (i = 0; i < sizeof(table) / sizeof(struct table_struct); i++) {
- if ((!table[i].fn || table[i].fn == iptc_fn)
- && table[i].err == err)
- return table[i].message;
- }
-
- return strerror(err);
- }
|