2
* This file was imported from the iptables sources.
3
* Copyright (C) 1999-2008 Netfilter Core Team
5
* This program is free software; you can redistribute it and/or modify it
6
* under the terms of the GNU General Public License as published by the
7
* Free Software Foundation; only version 2 of the License is applicable.
9
* This program is distributed in the hope that it will be useful, but
10
* WITHOUT ANY WARRANTY; without even the implied warranty of
11
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12
* General Public License for more details.
14
* You should have received a copy of the GNU General Public License along
15
* with this program; if not, write to the Free Software Foundation, Inc.,
16
* 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
19
/* Library which manipulates firewall rules. Version $Revision: 7138 $ */
21
/* Architecture of firewall rules is as follows:
23
* Chains go INPUT, FORWARD, OUTPUT then user chains.
24
* Each user chain starts with an ERROR node.
25
* Every chain ends with an unconditional jump: a RETURN for user chains,
26
* and a POLICY for built-ins.
29
/* (C) 1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
30
* COPYING for details).
31
* (C) 2000-2004 by the Netfilter Core Team <coreteam@netfilter.org>
33
* 2003-Jun-20: Harald Welte <laforge@netfilter.org>:
34
* - Reimplementation of chain cache to use offsets instead of entries
35
* 2003-Jun-23: Harald Welte <laforge@netfilter.org>:
36
* - performance optimization, sponsored by Astaro AG (http://www.astaro.com/)
37
* don't rebuild the chain cache after every operation, instead fix it
38
* up after a ruleset change.
39
* 2004-Aug-18: Harald Welte <laforge@netfilter.org>:
40
* - futher performance work: total reimplementation of libiptc.
41
* - libiptc now has a real internal (linked-list) represntation of the
42
* ruleset and a parser/compiler from/to this internal representation
43
* - again sponsored by Astaro AG (http://www.astaro.com/)
45
#include <sys/types.h>
46
#include <sys/socket.h>
48
#include "linux_list.h"
50
//#define IPTC_DEBUG2 1
54
#define DEBUGP(x, args...) fprintf(stderr, "%s: " x, __FUNCTION__, ## args)
55
#define DEBUGP_C(x, args...) fprintf(stderr, x, ## args)
57
#define DEBUGP(x, args...)
58
#define DEBUGP_C(x, args...)
62
#define IPT_LIB_DIR "/usr/local/lib/iptables"
65
static int sockfd = -1;
66
static int sockfd_use = 0;
67
static void *iptc_fn = NULL;
69
static const char *hooknames[] = {
70
[HOOK_PRE_ROUTING] = "PREROUTING",
71
[HOOK_LOCAL_IN] = "INPUT",
72
[HOOK_FORWARD] = "FORWARD",
73
[HOOK_LOCAL_OUT] = "OUTPUT",
74
[HOOK_POST_ROUTING] = "POSTROUTING",
76
[HOOK_DROPPING] = "DROPPING"
80
/* Convenience structures */
81
struct ipt_error_target
83
STRUCT_ENTRY_TARGET t;
84
char error[TABLE_MAXNAMELEN];
94
COUNTER_MAP_NORMAL_MAP,
101
enum iptcc_rule_type {
102
IPTCC_R_STANDARD, /* standard target (ACCEPT, ...) */
103
IPTCC_R_MODULE, /* extension module (SNAT, ...) */
104
IPTCC_R_FALLTHROUGH, /* fallthrough rule */
105
IPTCC_R_JUMP, /* jump to other chain */
110
struct list_head list;
111
struct chain_head *chain;
112
struct counter_map counter_map;
114
unsigned int index; /* index (needed for counter_map) */
115
unsigned int offset; /* offset in rule blob */
117
enum iptcc_rule_type type;
118
struct chain_head *jump; /* jump target, if IPTCC_R_JUMP */
120
unsigned int size; /* size of entry data */
121
STRUCT_ENTRY entry[0];
126
struct list_head list;
127
char name[TABLE_MAXNAMELEN];
128
unsigned int hooknum; /* hook number+1 if builtin */
129
unsigned int references; /* how many jumps reference us */
130
int verdict; /* verdict if builtin */
132
STRUCT_COUNTERS counters; /* per-chain counters */
133
struct counter_map counter_map;
135
unsigned int num_rules; /* number of rules in list */
136
struct list_head rules; /* list of rules */
138
unsigned int index; /* index (needed for jump resolval) */
139
unsigned int head_offset; /* offset in rule blob */
140
unsigned int foot_index; /* index (needed for counter_map) */
141
unsigned int foot_offset; /* offset in rule blob */
146
int changed; /* Have changes been made? */
148
struct list_head chains;
150
struct chain_head *chain_iterator_cur;
151
struct rule_head *rule_iterator_cur;
154
STRUCT_GET_ENTRIES *entries;
157
/* allocate a new chain head for the cache */
158
static struct chain_head *iptcc_alloc_chain_head(const char *name, int hooknum)
160
struct chain_head *c = malloc(sizeof(*c));
163
memset(c, 0, sizeof(*c));
165
strncpy(c->name, name, TABLE_MAXNAMELEN);
166
c->hooknum = hooknum;
167
INIT_LIST_HEAD(&c->rules);
172
/* allocate and initialize a new rule for the cache */
173
static struct rule_head *iptcc_alloc_rule(struct chain_head *c, unsigned int size)
175
struct rule_head *r = malloc(sizeof(*r)+size);
178
memset(r, 0, sizeof(*r));
186
/* notify us that the ruleset has been modified by the user */
188
set_changed(TC_HANDLE_T h)
194
static void do_check(TC_HANDLE_T h, unsigned int line);
195
#define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
201
/**********************************************************************
202
* iptc blob utility functions (iptcb_*)
203
**********************************************************************/
206
iptcb_get_number(const STRUCT_ENTRY *i,
207
const STRUCT_ENTRY *seek,
217
iptcb_get_entry_n(STRUCT_ENTRY *i,
222
if (*pos == number) {
230
static inline STRUCT_ENTRY *
231
iptcb_get_entry(TC_HANDLE_T h, unsigned int offset)
233
return (STRUCT_ENTRY *)((char *)h->entries->entrytable + offset);
237
iptcb_entry2index(const TC_HANDLE_T h, const STRUCT_ENTRY *seek)
239
unsigned int pos = 0;
241
if (ENTRY_ITERATE(h->entries->entrytable, h->entries->size,
242
iptcb_get_number, seek, &pos) == 0) {
243
fprintf(stderr, "ERROR: offset %u not an entry!\n",
244
(unsigned int)((char *)seek - (char *)h->entries->entrytable));
250
static inline STRUCT_ENTRY *
251
iptcb_offset2entry(TC_HANDLE_T h, unsigned int offset)
253
return (STRUCT_ENTRY *) ((void *)h->entries->entrytable+offset);
257
static inline unsigned long
258
iptcb_entry2offset(const TC_HANDLE_T h, const STRUCT_ENTRY *e)
260
return (void *)e - (void *)h->entries->entrytable;
263
static inline unsigned int
264
iptcb_offset2index(const TC_HANDLE_T h, unsigned int offset)
266
return iptcb_entry2index(h, iptcb_offset2entry(h, offset));
269
/* Returns 0 if not hook entry, else hooknumber + 1 */
270
static inline unsigned int
271
iptcb_ent_is_hook_entry(STRUCT_ENTRY *e, TC_HANDLE_T h)
275
for (i = 0; i < NUMHOOKS; i++) {
276
if ((h->info.valid_hooks & (1 << i))
277
&& iptcb_get_entry(h, h->info.hook_entry[i]) == e)
284
/**********************************************************************
285
* iptc cache utility functions (iptcc_*)
286
**********************************************************************/
288
/* Is the given chain builtin (1) or user-defined (0) */
289
static unsigned int iptcc_is_builtin(struct chain_head *c)
291
return (c->hooknum ? 1 : 0);
294
/* Get a specific rule within a chain */
295
static struct rule_head *iptcc_get_rule_num(struct chain_head *c,
296
unsigned int rulenum)
299
unsigned int num = 0;
301
list_for_each_entry(r, &c->rules, list) {
309
/* Get a specific rule within a chain backwards */
310
static struct rule_head *iptcc_get_rule_num_reverse(struct chain_head *c,
311
unsigned int rulenum)
314
unsigned int num = 0;
316
list_for_each_entry_reverse(r, &c->rules, list) {
324
/* Returns chain head if found, otherwise NULL. */
325
static struct chain_head *
326
iptcc_find_chain_by_offset(TC_HANDLE_T handle, unsigned int offset)
328
struct list_head *pos;
330
if (list_empty(&handle->chains))
333
list_for_each(pos, &handle->chains) {
334
struct chain_head *c = list_entry(pos, struct chain_head, list);
335
if (offset >= c->head_offset && offset <= c->foot_offset)
341
/* Returns chain head if found, otherwise NULL. */
342
static struct chain_head *
343
iptcc_find_label(const char *name, TC_HANDLE_T handle)
345
struct list_head *pos;
347
if (list_empty(&handle->chains))
350
list_for_each(pos, &handle->chains) {
351
struct chain_head *c = list_entry(pos, struct chain_head, list);
352
if (!strcmp(c->name, name))
359
/* called when rule is to be removed from cache */
360
static void iptcc_delete_rule(struct rule_head *r)
362
DEBUGP("deleting rule %p (offset %u)\n", r, r->offset);
363
/* clean up reference count of called chain */
364
if (r->type == IPTCC_R_JUMP
366
r->jump->references--;
373
/**********************************************************************
374
* RULESET PARSER (blob -> cache)
375
**********************************************************************/
377
/* Delete policy rule of previous chain, since cache doesn't contain
378
* chain policy rules.
379
* WARNING: This function has ugly design and relies on a lot of context, only
380
* to be called from specific places within the parser */
381
static int __iptcc_p_del_policy(TC_HANDLE_T h, unsigned int num)
383
if (h->chain_iterator_cur) {
384
/* policy rule is last rule */
385
struct rule_head *pr = (struct rule_head *)
386
h->chain_iterator_cur->rules.prev;
389
h->chain_iterator_cur->verdict =
390
*(int *)GET_TARGET(pr->entry)->data;
392
/* save counter and counter_map information */
393
h->chain_iterator_cur->counter_map.maptype =
394
COUNTER_MAP_NORMAL_MAP;
395
h->chain_iterator_cur->counter_map.mappos = num-1;
396
memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters,
397
sizeof(h->chain_iterator_cur->counters));
399
/* foot_offset points to verdict rule */
400
h->chain_iterator_cur->foot_index = num;
401
h->chain_iterator_cur->foot_offset = pr->offset;
403
/* delete rule from cache */
404
iptcc_delete_rule(pr);
405
h->chain_iterator_cur->num_rules--;
412
/* alphabetically insert a chain into the list */
413
static inline void iptc_insert_chain(TC_HANDLE_T h, struct chain_head *c)
415
struct chain_head *tmp;
417
/* sort only user defined chains */
419
list_for_each_entry(tmp, &h->chains, list) {
420
if (!tmp->hooknum && strcmp(c->name, tmp->name) <= 0) {
421
list_add(&c->list, tmp->list.prev);
427
/* survived till end of list: add at tail */
428
list_add_tail(&c->list, &h->chains);
431
/* Another ugly helper function split out of cache_add_entry to make it less
433
static void __iptcc_p_add_chain(TC_HANDLE_T h, struct chain_head *c,
434
unsigned int offset, unsigned int *num)
436
struct list_head *tail = h->chains.prev;
437
struct chain_head *ctail;
439
__iptcc_p_del_policy(h, *num);
441
c->head_offset = offset;
444
/* Chains from kernel are already sorted, as they are inserted
445
* sorted. But there exists an issue when shifting to 1.4.0
446
* from an older version, as old versions allow last created
447
* chain to be unsorted.
449
if (iptcc_is_builtin(c)) /* Only user defined chains are sorted*/
450
list_add_tail(&c->list, &h->chains);
452
ctail = list_entry(tail, struct chain_head, list);
453
if (strcmp(c->name, ctail->name) > 0)
454
list_add_tail(&c->list, &h->chains);/* Already sorted*/
456
iptc_insert_chain(h, c);/* Was not sorted */
459
h->chain_iterator_cur = c;
462
/* main parser function: add an entry from the blob to the cache */
463
static int cache_add_entry(STRUCT_ENTRY *e,
468
unsigned int builtin;
469
unsigned int offset = (char *)e - (char *)h->entries->entrytable;
471
DEBUGP("entering...");
473
/* Last entry ("policy rule"). End it.*/
474
if (iptcb_entry2offset(h,e) + e->next_offset == h->entries->size) {
475
/* This is the ERROR node at the end of the chain */
476
DEBUGP_C("%u:%u: end of table:\n", *num, offset);
478
__iptcc_p_del_policy(h, *num);
480
h->chain_iterator_cur = NULL;
484
/* We know this is the start of a new chain if it's an ERROR
485
* target, or a hook entry point */
487
if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) == 0) {
488
struct chain_head *c =
489
iptcc_alloc_chain_head((const char *)GET_TARGET(e)->data, 0);
490
DEBUGP_C("%u:%u:new userdefined chain %s: %p\n", *num, offset,
497
__iptcc_p_add_chain(h, c, offset, num);
499
} else if ((builtin = iptcb_ent_is_hook_entry(e, h)) != 0) {
500
struct chain_head *c =
501
iptcc_alloc_chain_head((char *)hooknames[builtin-1],
503
DEBUGP_C("%u:%u new builtin chain: %p (rules=%p)\n",
504
*num, offset, c, &c->rules);
510
c->hooknum = builtin;
512
__iptcc_p_add_chain(h, c, offset, num);
514
/* FIXME: this is ugly. */
517
/* has to be normal rule */
521
if (!(r = iptcc_alloc_rule(h->chain_iterator_cur,
526
DEBUGP_C("%u:%u normal rule: %p: ", *num, offset, r);
530
memcpy(r->entry, e, e->next_offset);
531
r->counter_map.maptype = COUNTER_MAP_NORMAL_MAP;
532
r->counter_map.mappos = r->index;
534
/* handling of jumps, etc. */
535
if (!strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET)) {
536
STRUCT_STANDARD_TARGET *t;
538
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
539
if (t->target.u.target_size
540
!= ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
545
if (t->verdict < 0) {
546
DEBUGP_C("standard, verdict=%d\n", t->verdict);
547
r->type = IPTCC_R_STANDARD;
548
} else if (t->verdict == r->offset+e->next_offset) {
549
DEBUGP_C("fallthrough\n");
550
r->type = IPTCC_R_FALLTHROUGH;
552
DEBUGP_C("jump, target=%u\n", t->verdict);
553
r->type = IPTCC_R_JUMP;
554
/* Jump target fixup has to be deferred
555
* until second pass, since we migh not
556
* yet have parsed the target */
559
DEBUGP_C("module, target=%s\n", GET_TARGET(e)->u.user.name);
560
r->type = IPTCC_R_MODULE;
563
list_add_tail(&r->list, &h->chain_iterator_cur->rules);
564
h->chain_iterator_cur->num_rules++;
572
/* parse an iptables blob into it's pieces */
573
static int parse_table(TC_HANDLE_T h)
576
unsigned int num = 0;
577
struct chain_head *c;
579
/* First pass: over ruleset blob */
580
ENTRY_ITERATE(h->entries->entrytable, h->entries->size,
581
cache_add_entry, h, &prev, &num);
583
/* Second pass: fixup parsed data from first pass */
584
list_for_each_entry(c, &h->chains, list) {
586
list_for_each_entry(r, &c->rules, list) {
587
struct chain_head *c;
588
STRUCT_STANDARD_TARGET *t;
590
if (r->type != IPTCC_R_JUMP)
593
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
594
c = iptcc_find_chain_by_offset(h, t->verdict);
602
/* FIXME: sort chains */
608
/**********************************************************************
609
* RULESET COMPILATION (cache -> blob)
610
**********************************************************************/
612
/* Convenience structures */
613
struct iptcb_chain_start{
615
struct ipt_error_target name;
617
#define IPTCB_CHAIN_START_SIZE (sizeof(STRUCT_ENTRY) + \
618
ALIGN(sizeof(struct ipt_error_target)))
620
struct iptcb_chain_foot {
622
STRUCT_STANDARD_TARGET target;
624
#define IPTCB_CHAIN_FOOT_SIZE (sizeof(STRUCT_ENTRY) + \
625
ALIGN(sizeof(STRUCT_STANDARD_TARGET)))
627
struct iptcb_chain_error {
629
struct ipt_error_target target;
631
#define IPTCB_CHAIN_ERROR_SIZE (sizeof(STRUCT_ENTRY) + \
632
ALIGN(sizeof(struct ipt_error_target)))
636
/* compile rule from cache into blob */
637
static inline int iptcc_compile_rule (TC_HANDLE_T h, STRUCT_REPLACE *repl, struct rule_head *r)
640
if (r->type == IPTCC_R_JUMP) {
641
STRUCT_STANDARD_TARGET *t;
642
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
643
/* memset for memcmp convenience on delete/replace */
644
memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
645
strcpy(t->target.u.user.name, STANDARD_TARGET);
646
/* Jumps can only happen to builtin chains, so we
647
* can safely assume that they always have a header */
648
t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE;
649
} else if (r->type == IPTCC_R_FALLTHROUGH) {
650
STRUCT_STANDARD_TARGET *t;
651
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
652
t->verdict = r->offset + r->size;
655
/* copy entry from cache to blob */
656
memcpy((char *)repl->entries+r->offset, r->entry, r->size);
661
/* compile chain from cache into blob */
662
static int iptcc_compile_chain(TC_HANDLE_T h, STRUCT_REPLACE *repl, struct chain_head *c)
666
struct iptcb_chain_start *head;
667
struct iptcb_chain_foot *foot;
669
/* only user-defined chains have heaer */
670
if (!iptcc_is_builtin(c)) {
671
/* put chain header in place */
672
head = (void *)repl->entries + c->head_offset;
673
head->e.target_offset = sizeof(STRUCT_ENTRY);
674
head->e.next_offset = IPTCB_CHAIN_START_SIZE;
675
strcpy(head->name.t.u.user.name, ERROR_TARGET);
676
head->name.t.u.target_size =
677
ALIGN(sizeof(struct ipt_error_target));
678
strcpy(head->name.error, c->name);
680
repl->hook_entry[c->hooknum-1] = c->head_offset;
681
repl->underflow[c->hooknum-1] = c->foot_offset;
684
/* iterate over rules */
685
list_for_each_entry(r, &c->rules, list) {
686
ret = iptcc_compile_rule(h, repl, r);
691
/* put chain footer in place */
692
foot = (void *)repl->entries + c->foot_offset;
693
foot->e.target_offset = sizeof(STRUCT_ENTRY);
694
foot->e.next_offset = IPTCB_CHAIN_FOOT_SIZE;
695
strcpy(foot->target.target.u.user.name, STANDARD_TARGET);
696
foot->target.target.u.target_size =
697
ALIGN(sizeof(STRUCT_STANDARD_TARGET));
698
/* builtin targets have verdict, others return */
699
if (iptcc_is_builtin(c))
700
foot->target.verdict = c->verdict;
702
foot->target.verdict = RETURN;
703
/* set policy-counters */
704
memcpy(&foot->e.counters, &c->counters, sizeof(STRUCT_COUNTERS));
709
/* calculate offset and number for every rule in the cache */
710
static int iptcc_compile_chain_offsets(TC_HANDLE_T h, struct chain_head *c,
711
unsigned int *offset, unsigned int *num)
715
c->head_offset = *offset;
716
DEBUGP("%s: chain_head %u, offset=%u\n", c->name, *num, *offset);
718
if (!iptcc_is_builtin(c)) {
719
/* Chain has header */
720
*offset += sizeof(STRUCT_ENTRY)
721
+ ALIGN(sizeof(struct ipt_error_target));
725
list_for_each_entry(r, &c->rules, list) {
726
DEBUGP("rule %u, offset=%u, index=%u\n", *num, *offset, *num);
733
DEBUGP("%s; chain_foot %u, offset=%u, index=%u\n", c->name, *num,
735
c->foot_offset = *offset;
736
c->foot_index = *num;
737
*offset += sizeof(STRUCT_ENTRY)
738
+ ALIGN(sizeof(STRUCT_STANDARD_TARGET));
744
/* put the pieces back together again */
745
static int iptcc_compile_table_prep(TC_HANDLE_T h, unsigned int *size)
747
struct chain_head *c;
748
unsigned int offset = 0, num = 0;
751
/* First pass: calculate offset for every rule */
752
list_for_each_entry(c, &h->chains, list) {
753
ret = iptcc_compile_chain_offsets(h, c, &offset, &num);
758
/* Append one error rule at end of chain */
760
offset += sizeof(STRUCT_ENTRY)
761
+ ALIGN(sizeof(struct ipt_error_target));
763
/* ruleset size is now in offset */
768
static int iptcc_compile_table(TC_HANDLE_T h, STRUCT_REPLACE *repl)
770
struct chain_head *c;
771
struct iptcb_chain_error *error;
773
/* Second pass: copy from cache to offsets, fill in jumps */
774
list_for_each_entry(c, &h->chains, list) {
775
int ret = iptcc_compile_chain(h, repl, c);
780
/* Append error rule at end of chain */
781
error = (void *)repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE;
782
error->entry.target_offset = sizeof(STRUCT_ENTRY);
783
error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE;
784
error->target.t.u.user.target_size =
785
ALIGN(sizeof(struct ipt_error_target));
786
strcpy((char *)&error->target.t.u.user.name, ERROR_TARGET);
787
strcpy((char *)&error->target.error, "ERROR");
792
/**********************************************************************
793
* EXTERNAL API (operates on cache only)
794
**********************************************************************/
796
/* Allocate handle of given size */
798
alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
803
len = sizeof(STRUCT_TC_HANDLE) + size;
805
h = malloc(sizeof(STRUCT_TC_HANDLE));
810
memset(h, 0, sizeof(*h));
811
INIT_LIST_HEAD(&h->chains);
812
strcpy(h->info.name, tablename);
814
h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + size);
816
goto out_free_handle;
818
strcpy(h->entries->name, tablename);
819
h->entries->size = size;
831
TC_INIT(const char *tablename)
840
if (strlen(tablename) >= TABLE_MAXNAMELEN) {
845
if (sockfd_use == 0) {
846
sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
854
strcpy(info.name, tablename);
855
if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, &info, &s) < 0) {
856
if (--sockfd_use == 0) {
863
DEBUGP("valid_hooks=0x%08x, num_entries=%u, size=%u\n",
864
info.valid_hooks, info.num_entries, info.size);
866
if ((h = alloc_handle(info.name, info.size, info.num_entries))
868
if (--sockfd_use == 0) {
875
/* Initialize current state */
878
h->entries->size = h->info.size;
880
tmp = sizeof(STRUCT_GET_ENTRIES) + h->info.size;
882
if (getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, h->entries,
888
int fd = open("/tmp/libiptc-so_get_entries.blob",
891
write(fd, h->entries, tmp);
897
if (parse_table(h) < 0)
908
TC_FREE(TC_HANDLE_T *h)
910
struct chain_head *c, *tmp;
913
if (--sockfd_use == 0) {
918
list_for_each_entry_safe(c, tmp, &(*h)->chains, list) {
919
struct rule_head *r, *rtmp;
921
list_for_each_entry_safe(r, rtmp, &c->rules, list) {
935
print_match(const STRUCT_ENTRY_MATCH *m)
937
printf("Match name: `%s'\n", m->u.user.name);
941
static int dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle);
944
TC_DUMP_ENTRIES(const TC_HANDLE_T handle)
946
iptc_fn = TC_DUMP_ENTRIES;
949
printf("libiptc v%s. %u bytes.\n",
950
IPTABLES_VERSION, handle->entries->size);
951
printf("Table `%s'\n", handle->info.name);
952
printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
953
handle->info.hook_entry[HOOK_PRE_ROUTING],
954
handle->info.hook_entry[HOOK_LOCAL_IN],
955
handle->info.hook_entry[HOOK_FORWARD],
956
handle->info.hook_entry[HOOK_LOCAL_OUT],
957
handle->info.hook_entry[HOOK_POST_ROUTING]);
958
printf("Underflows: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
959
handle->info.underflow[HOOK_PRE_ROUTING],
960
handle->info.underflow[HOOK_LOCAL_IN],
961
handle->info.underflow[HOOK_FORWARD],
962
handle->info.underflow[HOOK_LOCAL_OUT],
963
handle->info.underflow[HOOK_POST_ROUTING]);
965
ENTRY_ITERATE(handle->entries->entrytable, handle->entries->size,
969
/* Does this chain exist? */
970
int TC_IS_CHAIN(const char *chain, const TC_HANDLE_T handle)
972
iptc_fn = TC_IS_CHAIN;
973
return iptcc_find_label(chain, handle) != NULL;
976
static void iptcc_chain_iterator_advance(TC_HANDLE_T handle)
978
struct chain_head *c = handle->chain_iterator_cur;
980
if (c->list.next == &handle->chains)
981
handle->chain_iterator_cur = NULL;
983
handle->chain_iterator_cur =
984
list_entry(c->list.next, struct chain_head, list);
987
/* Iterator functions to run through the chains. */
989
TC_FIRST_CHAIN(TC_HANDLE_T *handle)
991
struct chain_head *c = list_entry((*handle)->chains.next,
992
struct chain_head, list);
994
iptc_fn = TC_FIRST_CHAIN;
997
if (list_empty(&(*handle)->chains)) {
998
DEBUGP(": no chains\n");
1002
(*handle)->chain_iterator_cur = c;
1003
iptcc_chain_iterator_advance(*handle);
1005
DEBUGP(": returning `%s'\n", c->name);
1009
/* Iterator functions to run through the chains. Returns NULL at end. */
1011
TC_NEXT_CHAIN(TC_HANDLE_T *handle)
1013
struct chain_head *c = (*handle)->chain_iterator_cur;
1015
iptc_fn = TC_NEXT_CHAIN;
1018
DEBUGP(": no more chains\n");
1022
iptcc_chain_iterator_advance(*handle);
1024
DEBUGP(": returning `%s'\n", c->name);
1028
/* Get first rule in the given chain: NULL for empty chain. */
1029
const STRUCT_ENTRY *
1030
TC_FIRST_RULE(const char *chain, TC_HANDLE_T *handle)
1032
struct chain_head *c;
1033
struct rule_head *r;
1035
iptc_fn = TC_FIRST_RULE;
1037
DEBUGP("first rule(%s): ", chain);
1039
c = iptcc_find_label(chain, *handle);
1045
/* Empty chain: single return/policy rule */
1046
if (list_empty(&c->rules)) {
1047
DEBUGP_C("no rules, returning NULL\n");
1051
r = list_entry(c->rules.next, struct rule_head, list);
1052
(*handle)->rule_iterator_cur = r;
1053
DEBUGP_C("%p\n", r);
1058
/* Returns NULL when rules run out. */
1059
const STRUCT_ENTRY *
1060
TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
1062
struct rule_head *r;
1064
iptc_fn = TC_NEXT_RULE;
1065
DEBUGP("rule_iterator_cur=%p...", (*handle)->rule_iterator_cur);
1067
if (!(*handle)->rule_iterator_cur) {
1068
DEBUGP_C("returning NULL\n");
1072
r = list_entry((*handle)->rule_iterator_cur->list.next,
1073
struct rule_head, list);
1075
iptc_fn = TC_NEXT_RULE;
1077
DEBUGP_C("next=%p, head=%p...", &r->list,
1078
&(*handle)->rule_iterator_cur->chain->rules);
1080
if (&r->list == &(*handle)->rule_iterator_cur->chain->rules) {
1081
(*handle)->rule_iterator_cur = NULL;
1082
DEBUGP_C("finished, returning NULL\n");
1086
(*handle)->rule_iterator_cur = r;
1088
/* NOTE: prev is without any influence ! */
1089
DEBUGP_C("returning rule %p\n", r);
1093
/* How many rules in this chain? */
1095
TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
1097
struct chain_head *c;
1098
iptc_fn = TC_NUM_RULES;
1101
c = iptcc_find_label(chain, *handle);
1104
return (unsigned int)-1;
1107
return c->num_rules;
1110
const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
1112
TC_HANDLE_T *handle)
1114
struct chain_head *c;
1115
struct rule_head *r;
1117
iptc_fn = TC_GET_RULE;
1121
c = iptcc_find_label(chain, *handle);
1127
r = iptcc_get_rule_num(c, n);
1133
/* Returns a pointer to the target name of this position. */
1134
static const char *standard_target_map(int verdict)
1138
return LABEL_RETURN;
1141
return LABEL_ACCEPT;
1150
fprintf(stderr, "ERROR: %d not a valid target)\n",
1159
/* Returns a pointer to the target name of this position. */
1160
const char *TC_GET_TARGET(const STRUCT_ENTRY *ce,
1161
TC_HANDLE_T *handle)
1163
STRUCT_ENTRY *e = (STRUCT_ENTRY *)ce;
1164
struct rule_head *r = container_of(e, struct rule_head, entry[0]);
1166
iptc_fn = TC_GET_TARGET;
1170
case IPTCC_R_FALLTHROUGH:
1174
DEBUGP("r=%p, jump=%p, name=`%s'\n", r, r->jump, r->jump->name);
1175
return r->jump->name;
1177
case IPTCC_R_STANDARD:
1178
spos = *(int *)GET_TARGET(e)->data;
1179
DEBUGP("r=%p, spos=%d'\n", r, spos);
1180
return standard_target_map(spos);
1182
case IPTCC_R_MODULE:
1183
return GET_TARGET(e)->u.user.name;
1188
/* Is this a built-in chain? Actually returns hook + 1. */
1190
TC_BUILTIN(const char *chain, const TC_HANDLE_T handle)
1192
struct chain_head *c;
1194
iptc_fn = TC_BUILTIN;
1196
c = iptcc_find_label(chain, handle);
1202
return iptcc_is_builtin(c);
1205
/* Get the policy of a given built-in chain */
1207
TC_GET_POLICY(const char *chain,
1208
STRUCT_COUNTERS *counters,
1209
TC_HANDLE_T *handle)
1211
struct chain_head *c;
1213
iptc_fn = TC_GET_POLICY;
1215
DEBUGP("called for chain %s\n", chain);
1217
c = iptcc_find_label(chain, *handle);
1223
if (!iptcc_is_builtin(c))
1226
*counters = c->counters;
1228
return standard_target_map(c->verdict);
1232
iptcc_standard_map(struct rule_head *r, int verdict)
1234
STRUCT_ENTRY *e = r->entry;
1235
STRUCT_STANDARD_TARGET *t;
1237
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
1239
if (t->target.u.target_size
1240
!= ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
1244
/* memset for memcmp convenience on delete/replace */
1245
memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
1246
strcpy(t->target.u.user.name, STANDARD_TARGET);
1247
t->verdict = verdict;
1249
r->type = IPTCC_R_STANDARD;
1255
iptcc_map_target(const TC_HANDLE_T handle,
1256
struct rule_head *r)
1258
STRUCT_ENTRY *e = r->entry;
1259
STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
1261
/* Maybe it's empty (=> fall through) */
1262
if (strcmp(t->u.user.name, "") == 0) {
1263
r->type = IPTCC_R_FALLTHROUGH;
1266
/* Maybe it's a standard target name... */
1267
else if (strcmp(t->u.user.name, LABEL_ACCEPT) == 0)
1268
return iptcc_standard_map(r, -NF_ACCEPT - 1);
1269
else if (strcmp(t->u.user.name, LABEL_DROP) == 0)
1270
return iptcc_standard_map(r, -NF_DROP - 1);
1271
else if (strcmp(t->u.user.name, LABEL_QUEUE) == 0)
1272
return iptcc_standard_map(r, -NF_QUEUE - 1);
1273
else if (strcmp(t->u.user.name, LABEL_RETURN) == 0)
1274
return iptcc_standard_map(r, RETURN);
1275
else if (TC_BUILTIN(t->u.user.name, handle)) {
1276
/* Can't jump to builtins. */
1280
/* Maybe it's an existing chain name. */
1281
struct chain_head *c;
1282
DEBUGP("trying to find chain `%s': ", t->u.user.name);
1284
c = iptcc_find_label(t->u.user.name, handle);
1286
DEBUGP_C("found!\n");
1287
r->type = IPTCC_R_JUMP;
1292
DEBUGP_C("not found :(\n");
1295
/* Must be a module? If not, kernel will reject... */
1296
/* memset to all 0 for your memcmp convenience: don't clear version */
1297
memset(t->u.user.name + strlen(t->u.user.name),
1299
FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name));
1300
r->type = IPTCC_R_MODULE;
1301
set_changed(handle);
1305
/* Insert the entry `fw' in chain `chain' into position `rulenum'. */
1307
TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
1308
const STRUCT_ENTRY *e,
1309
unsigned int rulenum,
1310
TC_HANDLE_T *handle)
1312
struct chain_head *c;
1313
struct rule_head *r;
1314
struct list_head *prev;
1316
iptc_fn = TC_INSERT_ENTRY;
1318
if (!(c = iptcc_find_label(chain, *handle))) {
1323
/* first rulenum index = 0
1324
first c->num_rules index = 1 */
1325
if (rulenum > c->num_rules) {
1330
/* If we are inserting at the end just take advantage of the
1331
double linked list, insert will happen before the entry
1333
if (rulenum == c->num_rules) {
1335
} else if (rulenum + 1 <= c->num_rules/2) {
1336
r = iptcc_get_rule_num(c, rulenum + 1);
1339
r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
1343
if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
1348
memcpy(r->entry, e, e->next_offset);
1349
r->counter_map.maptype = COUNTER_MAP_SET;
1351
if (!iptcc_map_target(*handle, r)) {
1356
list_add_tail(&r->list, prev);
1359
set_changed(*handle);
1364
/* Atomically replace rule `rulenum' in `chain' with `fw'. */
1366
TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
1367
const STRUCT_ENTRY *e,
1368
unsigned int rulenum,
1369
TC_HANDLE_T *handle)
1371
struct chain_head *c;
1372
struct rule_head *r, *old;
1374
iptc_fn = TC_REPLACE_ENTRY;
1376
if (!(c = iptcc_find_label(chain, *handle))) {
1381
if (rulenum >= c->num_rules) {
1386
/* Take advantage of the double linked list if possible. */
1387
if (rulenum + 1 <= c->num_rules/2) {
1388
old = iptcc_get_rule_num(c, rulenum + 1);
1390
old = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
1393
if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
1398
memcpy(r->entry, e, e->next_offset);
1399
r->counter_map.maptype = COUNTER_MAP_SET;
1401
if (!iptcc_map_target(*handle, r)) {
1406
list_add(&r->list, &old->list);
1407
iptcc_delete_rule(old);
1409
set_changed(*handle);
1414
/* Append entry `fw' to chain `chain'. Equivalent to insert with
1415
rulenum = length of chain. */
1417
TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
1418
const STRUCT_ENTRY *e,
1419
TC_HANDLE_T *handle)
1421
struct chain_head *c;
1422
struct rule_head *r;
1424
iptc_fn = TC_APPEND_ENTRY;
1425
if (!(c = iptcc_find_label(chain, *handle))) {
1426
DEBUGP("unable to find chain `%s'\n", chain);
1431
if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
1432
DEBUGP("unable to allocate rule for chain `%s'\n", chain);
1437
memcpy(r->entry, e, e->next_offset);
1438
r->counter_map.maptype = COUNTER_MAP_SET;
1440
if (!iptcc_map_target(*handle, r)) {
1441
DEBUGP("unable to map target of rule for chain `%s'\n", chain);
1446
list_add_tail(&r->list, &c->rules);
1449
set_changed(*handle);
1455
match_different(const STRUCT_ENTRY_MATCH *a,
1456
const unsigned char *a_elems,
1457
const unsigned char *b_elems,
1458
unsigned char **maskptr)
1460
const STRUCT_ENTRY_MATCH *b;
1463
/* Offset of b is the same as a. */
1464
b = (void *)b_elems + ((unsigned char *)a - a_elems);
1466
if (a->u.match_size != b->u.match_size)
1469
if (strcmp(a->u.user.name, b->u.user.name) != 0)
1472
*maskptr += ALIGN(sizeof(*a));
1474
for (i = 0; i < a->u.match_size - ALIGN(sizeof(*a)); i++)
1475
if (((a->data[i] ^ b->data[i]) & (*maskptr)[i]) != 0)
1482
target_same(struct rule_head *a, struct rule_head *b,const unsigned char *mask)
1485
STRUCT_ENTRY_TARGET *ta, *tb;
1487
if (a->type != b->type)
1490
ta = GET_TARGET(a->entry);
1491
tb = GET_TARGET(b->entry);
1494
case IPTCC_R_FALLTHROUGH:
1497
return a->jump == b->jump;
1498
case IPTCC_R_STANDARD:
1499
return ((STRUCT_STANDARD_TARGET *)ta)->verdict
1500
== ((STRUCT_STANDARD_TARGET *)tb)->verdict;
1501
case IPTCC_R_MODULE:
1502
if (ta->u.target_size != tb->u.target_size)
1504
if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
1507
for (i = 0; i < ta->u.target_size - sizeof(*ta); i++)
1508
if (((ta->data[i] ^ tb->data[i]) & mask[i]) != 0)
1512
fprintf(stderr, "ERROR: bad type %i\n", a->type);
1517
static unsigned char *
1518
is_same(const STRUCT_ENTRY *a,
1519
const STRUCT_ENTRY *b,
1520
unsigned char *matchmask);
1522
/* Delete the first rule in `chain' which matches `fw'. */
1524
TC_DELETE_ENTRY(const IPT_CHAINLABEL chain,
1525
const STRUCT_ENTRY *origfw,
1526
unsigned char *matchmask,
1527
TC_HANDLE_T *handle)
1529
struct chain_head *c;
1530
struct rule_head *r, *i;
1532
iptc_fn = TC_DELETE_ENTRY;
1533
if (!(c = iptcc_find_label(chain, *handle))) {
1538
/* Create a rule_head from origfw. */
1539
r = iptcc_alloc_rule(c, origfw->next_offset);
1545
memcpy(r->entry, origfw, origfw->next_offset);
1546
r->counter_map.maptype = COUNTER_MAP_NOMAP;
1547
if (!iptcc_map_target(*handle, r)) {
1548
DEBUGP("unable to map target of rule for chain `%s'\n", chain);
1552
/* iptcc_map_target increment target chain references
1553
* since this is a fake rule only used for matching
1554
* the chain references count is decremented again.
1556
if (r->type == IPTCC_R_JUMP
1558
r->jump->references--;
1561
list_for_each_entry(i, &c->rules, list) {
1562
unsigned char *mask;
1564
mask = is_same(r->entry, i->entry, matchmask);
1568
if (!target_same(r, i, mask))
1571
/* If we are about to delete the rule that is the
1572
* current iterator, move rule iterator back. next
1573
* pointer will then point to real next node */
1574
if (i == (*handle)->rule_iterator_cur) {
1575
(*handle)->rule_iterator_cur =
1576
list_entry((*handle)->rule_iterator_cur->list.prev,
1577
struct rule_head, list);
1581
iptcc_delete_rule(i);
1583
set_changed(*handle);
1594
/* Delete the rule in position `rulenum' in `chain'. */
1596
TC_DELETE_NUM_ENTRY(const IPT_CHAINLABEL chain,
1597
unsigned int rulenum,
1598
TC_HANDLE_T *handle)
1600
struct chain_head *c;
1601
struct rule_head *r;
1603
iptc_fn = TC_DELETE_NUM_ENTRY;
1605
if (!(c = iptcc_find_label(chain, *handle))) {
1610
if (rulenum >= c->num_rules) {
1615
/* Take advantage of the double linked list if possible. */
1616
if (rulenum + 1 <= c->num_rules/2) {
1617
r = iptcc_get_rule_num(c, rulenum + 1);
1619
r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
1622
/* If we are about to delete the rule that is the current
1623
* iterator, move rule iterator back. next pointer will then
1624
* point to real next node */
1625
if (r == (*handle)->rule_iterator_cur) {
1626
(*handle)->rule_iterator_cur =
1627
list_entry((*handle)->rule_iterator_cur->list.prev,
1628
struct rule_head, list);
1632
iptcc_delete_rule(r);
1634
set_changed(*handle);
1639
/* Check the packet `fw' on chain `chain'. Returns the verdict, or
1640
NULL and sets errno. */
1642
TC_CHECK_PACKET(const IPT_CHAINLABEL chain,
1643
STRUCT_ENTRY *entry,
1644
TC_HANDLE_T *handle)
1646
iptc_fn = TC_CHECK_PACKET;
1651
/* Flushes the entries in the given chain (ie. empties chain). */
1653
TC_FLUSH_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1655
struct chain_head *c;
1656
struct rule_head *r, *tmp;
1658
iptc_fn = TC_FLUSH_ENTRIES;
1659
if (!(c = iptcc_find_label(chain, *handle))) {
1664
list_for_each_entry_safe(r, tmp, &c->rules, list) {
1665
iptcc_delete_rule(r);
1670
set_changed(*handle);
1675
/* Zeroes the counters in a chain. */
1677
TC_ZERO_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1679
struct chain_head *c;
1680
struct rule_head *r;
1682
iptc_fn = TC_ZERO_ENTRIES;
1683
if (!(c = iptcc_find_label(chain, *handle))) {
1688
if (c->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
1689
c->counter_map.maptype = COUNTER_MAP_ZEROED;
1691
list_for_each_entry(r, &c->rules, list) {
1692
if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
1693
r->counter_map.maptype = COUNTER_MAP_ZEROED;
1696
set_changed(*handle);
1702
TC_READ_COUNTER(const IPT_CHAINLABEL chain,
1703
unsigned int rulenum,
1704
TC_HANDLE_T *handle)
1706
struct chain_head *c;
1707
struct rule_head *r;
1709
iptc_fn = TC_READ_COUNTER;
1712
if (!(c = iptcc_find_label(chain, *handle))) {
1717
if (!(r = iptcc_get_rule_num(c, rulenum))) {
1722
return &r->entry[0].counters;
1726
TC_ZERO_COUNTER(const IPT_CHAINLABEL chain,
1727
unsigned int rulenum,
1728
TC_HANDLE_T *handle)
1730
struct chain_head *c;
1731
struct rule_head *r;
1733
iptc_fn = TC_ZERO_COUNTER;
1736
if (!(c = iptcc_find_label(chain, *handle))) {
1741
if (!(r = iptcc_get_rule_num(c, rulenum))) {
1746
if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
1747
r->counter_map.maptype = COUNTER_MAP_ZEROED;
1749
set_changed(*handle);
1755
TC_SET_COUNTER(const IPT_CHAINLABEL chain,
1756
unsigned int rulenum,
1757
STRUCT_COUNTERS *counters,
1758
TC_HANDLE_T *handle)
1760
struct chain_head *c;
1761
struct rule_head *r;
1764
iptc_fn = TC_SET_COUNTER;
1767
if (!(c = iptcc_find_label(chain, *handle))) {
1772
if (!(r = iptcc_get_rule_num(c, rulenum))) {
1778
r->counter_map.maptype = COUNTER_MAP_SET;
1780
memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS));
1782
set_changed(*handle);
1787
/* Creates a new chain. */
1788
/* To create a chain, create two rules: error node and unconditional
1791
TC_CREATE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1793
static struct chain_head *c;
1795
iptc_fn = TC_CREATE_CHAIN;
1797
/* find_label doesn't cover built-in targets: DROP, ACCEPT,
1799
if (iptcc_find_label(chain, *handle)
1800
|| strcmp(chain, LABEL_DROP) == 0
1801
|| strcmp(chain, LABEL_ACCEPT) == 0
1802
|| strcmp(chain, LABEL_QUEUE) == 0
1803
|| strcmp(chain, LABEL_RETURN) == 0) {
1804
DEBUGP("Chain `%s' already exists\n", chain);
1809
if (strlen(chain)+1 > sizeof(IPT_CHAINLABEL)) {
1810
DEBUGP("Chain name `%s' too long\n", chain);
1815
c = iptcc_alloc_chain_head(chain, 0);
1817
DEBUGP("Cannot allocate memory for chain `%s'\n", chain);
1823
DEBUGP("Creating chain `%s'\n", chain);
1824
iptc_insert_chain(*handle, c); /* Insert sorted */
1826
set_changed(*handle);
1831
/* Get the number of references to this chain. */
1833
TC_GET_REFERENCES(unsigned int *ref, const IPT_CHAINLABEL chain,
1834
TC_HANDLE_T *handle)
1836
struct chain_head *c;
1838
iptc_fn = TC_GET_REFERENCES;
1839
if (!(c = iptcc_find_label(chain, *handle))) {
1844
*ref = c->references;
1849
/* Deletes a chain. */
1851
TC_DELETE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1853
unsigned int references;
1854
struct chain_head *c;
1856
iptc_fn = TC_DELETE_CHAIN;
1858
if (!(c = iptcc_find_label(chain, *handle))) {
1859
DEBUGP("cannot find chain `%s'\n", chain);
1864
if (TC_BUILTIN(chain, *handle)) {
1865
DEBUGP("cannot remove builtin chain `%s'\n", chain);
1870
if (!TC_GET_REFERENCES(&references, chain, handle)) {
1871
DEBUGP("cannot get references on chain `%s'\n", chain);
1875
if (references > 0) {
1876
DEBUGP("chain `%s' still has references\n", chain);
1882
DEBUGP("chain `%s' is not empty\n", chain);
1887
/* If we are about to delete the chain that is the current
1888
* iterator, move chain iterator firward. */
1889
if (c == (*handle)->chain_iterator_cur)
1890
iptcc_chain_iterator_advance(*handle);
1895
DEBUGP("chain `%s' deleted\n", chain);
1897
set_changed(*handle);
1902
/* Renames a chain. */
1903
int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
1904
const IPT_CHAINLABEL newname,
1905
TC_HANDLE_T *handle)
1907
struct chain_head *c;
1908
iptc_fn = TC_RENAME_CHAIN;
1910
/* find_label doesn't cover built-in targets: DROP, ACCEPT,
1912
if (iptcc_find_label(newname, *handle)
1913
|| strcmp(newname, LABEL_DROP) == 0
1914
|| strcmp(newname, LABEL_ACCEPT) == 0
1915
|| strcmp(newname, LABEL_QUEUE) == 0
1916
|| strcmp(newname, LABEL_RETURN) == 0) {
1921
if (!(c = iptcc_find_label(oldname, *handle))
1922
|| TC_BUILTIN(oldname, *handle)) {
1927
if (strlen(newname)+1 > sizeof(IPT_CHAINLABEL)) {
1932
strncpy(c->name, newname, sizeof(IPT_CHAINLABEL));
1934
set_changed(*handle);
1939
/* Sets the policy on a built-in chain. */
1941
TC_SET_POLICY(const IPT_CHAINLABEL chain,
1942
const IPT_CHAINLABEL policy,
1943
STRUCT_COUNTERS *counters,
1944
TC_HANDLE_T *handle)
1946
struct chain_head *c;
1948
iptc_fn = TC_SET_POLICY;
1950
if (!(c = iptcc_find_label(chain, *handle))) {
1951
DEBUGP("cannot find chain `%s'\n", chain);
1956
if (!iptcc_is_builtin(c)) {
1957
DEBUGP("cannot set policy of userdefinedchain `%s'\n", chain);
1962
if (strcmp(policy, LABEL_ACCEPT) == 0)
1963
c->verdict = -NF_ACCEPT - 1;
1964
else if (strcmp(policy, LABEL_DROP) == 0)
1965
c->verdict = -NF_DROP - 1;
1972
/* set byte and packet counters */
1973
memcpy(&c->counters, counters, sizeof(STRUCT_COUNTERS));
1974
c->counter_map.maptype = COUNTER_MAP_SET;
1976
c->counter_map.maptype = COUNTER_MAP_NOMAP;
1979
set_changed(*handle);
1984
/* Without this, on gcc 2.7.2.3, we get:
1985
libiptc.c: In function `TC_COMMIT':
1986
libiptc.c:833: fixed or forbidden register was spilled.
1987
This may be due to a compiler bug or to impossible asm
1988
statements or clauses.
1991
subtract_counters(STRUCT_COUNTERS *answer,
1992
const STRUCT_COUNTERS *a,
1993
const STRUCT_COUNTERS *b)
1995
answer->pcnt = a->pcnt - b->pcnt;
1996
answer->bcnt = a->bcnt - b->bcnt;
2000
static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters,
2003
newcounters->counters[index] = ((STRUCT_COUNTERS) { 0, 0});
2004
DEBUGP_C("NOMAP => zero\n");
2007
static void counters_normal_map(STRUCT_COUNTERS_INFO *newcounters,
2008
STRUCT_REPLACE *repl,
2010
unsigned int mappos)
2012
/* Original read: X.
2013
* Atomic read on replacement: X + Y.
2014
* Currently in kernel: Z.
2015
* Want in kernel: X + Y + Z.
2017
* => Add in replacement read.
2019
newcounters->counters[index] = repl->counters[mappos];
2020
DEBUGP_C("NORMAL_MAP => mappos %u \n", mappos);
2023
static void counters_map_zeroed(STRUCT_COUNTERS_INFO *newcounters,
2024
STRUCT_REPLACE *repl,
2026
unsigned int mappos,
2027
STRUCT_COUNTERS *counters)
2029
/* Original read: X.
2030
* Atomic read on replacement: X + Y.
2031
* Currently in kernel: Z.
2032
* Want in kernel: Y + Z.
2034
* => Add in (replacement read - original read).
2036
subtract_counters(&newcounters->counters[index],
2037
&repl->counters[mappos],
2039
DEBUGP_C("ZEROED => mappos %u\n", mappos);
2042
static void counters_map_set(STRUCT_COUNTERS_INFO *newcounters,
2044
STRUCT_COUNTERS *counters)
2046
/* Want to set counter (iptables-restore) */
2048
memcpy(&newcounters->counters[index], counters,
2049
sizeof(STRUCT_COUNTERS));
2056
TC_COMMIT(TC_HANDLE_T *handle)
2058
/* Replace, then map back the counters. */
2059
STRUCT_REPLACE *repl;
2060
STRUCT_COUNTERS_INFO *newcounters;
2061
struct chain_head *c;
2065
unsigned int new_size;
2067
iptc_fn = TC_COMMIT;
2070
/* Don't commit if nothing changed. */
2071
if (!(*handle)->changed)
2074
new_number = iptcc_compile_table_prep(*handle, &new_size);
2075
if (new_number < 0) {
2080
repl = malloc(sizeof(*repl) + new_size);
2085
memset(repl, 0, sizeof(*repl) + new_size);
2088
TC_DUMP_ENTRIES(*handle);
2091
counterlen = sizeof(STRUCT_COUNTERS_INFO)
2092
+ sizeof(STRUCT_COUNTERS) * new_number;
2094
/* These are the old counters we will get from kernel */
2095
repl->counters = malloc(sizeof(STRUCT_COUNTERS)
2096
* (*handle)->info.num_entries);
2097
if (!repl->counters) {
2101
/* These are the counters we're going to put back, later. */
2102
newcounters = malloc(counterlen);
2105
goto out_free_repl_counters;
2107
memset(newcounters, 0, counterlen);
2109
strcpy(repl->name, (*handle)->info.name);
2110
repl->num_entries = new_number;
2111
repl->size = new_size;
2113
repl->num_counters = (*handle)->info.num_entries;
2114
repl->valid_hooks = (*handle)->info.valid_hooks;
2116
DEBUGP("num_entries=%u, size=%u, num_counters=%u\n",
2117
repl->num_entries, repl->size, repl->num_counters);
2119
ret = iptcc_compile_table(*handle, repl);
2122
goto out_free_newcounters;
2128
int fd = open("/tmp/libiptc-so_set_replace.blob",
2131
write(fd, repl, sizeof(*repl) + repl->size);
2137
ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
2138
sizeof(*repl) + repl->size);
2140
goto out_free_newcounters;
2142
/* Put counters back. */
2143
strcpy(newcounters->name, (*handle)->info.name);
2144
newcounters->num_counters = new_number;
2146
list_for_each_entry(c, &(*handle)->chains, list) {
2147
struct rule_head *r;
2149
/* Builtin chains have their own counters */
2150
if (iptcc_is_builtin(c)) {
2151
DEBUGP("counter for chain-index %u: ", c->foot_index);
2152
switch(c->counter_map.maptype) {
2153
case COUNTER_MAP_NOMAP:
2154
counters_nomap(newcounters, c->foot_index);
2156
case COUNTER_MAP_NORMAL_MAP:
2157
counters_normal_map(newcounters, repl,
2159
c->counter_map.mappos);
2161
case COUNTER_MAP_ZEROED:
2162
counters_map_zeroed(newcounters, repl,
2164
c->counter_map.mappos,
2167
case COUNTER_MAP_SET:
2168
counters_map_set(newcounters, c->foot_index,
2174
list_for_each_entry(r, &c->rules, list) {
2175
DEBUGP("counter for index %u: ", r->index);
2176
switch (r->counter_map.maptype) {
2177
case COUNTER_MAP_NOMAP:
2178
counters_nomap(newcounters, r->index);
2181
case COUNTER_MAP_NORMAL_MAP:
2182
counters_normal_map(newcounters, repl,
2184
r->counter_map.mappos);
2187
case COUNTER_MAP_ZEROED:
2188
counters_map_zeroed(newcounters, repl,
2190
r->counter_map.mappos,
2191
&r->entry->counters);
2194
case COUNTER_MAP_SET:
2195
counters_map_set(newcounters, r->index,
2196
&r->entry->counters);
2204
int fd = open("/tmp/libiptc-so_set_add_counters.blob",
2207
write(fd, newcounters, counterlen);
2213
ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
2214
newcounters, counterlen);
2216
goto out_free_newcounters;
2218
free(repl->counters);
2226
out_free_newcounters:
2228
out_free_repl_counters:
2229
free(repl->counters);
2236
/* Get raw socket. */
2238
TC_GET_RAW_SOCKET(void)
2243
/* Translates errno numbers into more human-readable form than strerror. */
2245
TC_STRERROR(int err)
2248
struct table_struct {
2251
const char *message;
2253
{ { TC_INIT, EPERM, "Permission denied (you must be root)" },
2254
{ TC_INIT, EINVAL, "Module is wrong version" },
2256
"Table does not exist (do you need to insmod?)" },
2257
{ TC_DELETE_CHAIN, ENOTEMPTY, "Chain is not empty" },
2258
{ TC_DELETE_CHAIN, EINVAL, "Can't delete built-in chain" },
2259
{ TC_DELETE_CHAIN, EMLINK,
2260
"Can't delete chain with references left" },
2261
{ TC_CREATE_CHAIN, EEXIST, "Chain already exists" },
2262
{ TC_INSERT_ENTRY, E2BIG, "Index of insertion too big" },
2263
{ TC_REPLACE_ENTRY, E2BIG, "Index of replacement too big" },
2264
{ TC_DELETE_NUM_ENTRY, E2BIG, "Index of deletion too big" },
2265
{ TC_READ_COUNTER, E2BIG, "Index of counter too big" },
2266
{ TC_ZERO_COUNTER, E2BIG, "Index of counter too big" },
2267
{ TC_INSERT_ENTRY, ELOOP, "Loop found in table" },
2268
{ TC_INSERT_ENTRY, EINVAL, "Target problem" },
2269
/* EINVAL for CHECK probably means bad interface. */
2270
{ TC_CHECK_PACKET, EINVAL,
2271
"Bad arguments (does that interface exist?)" },
2272
{ TC_CHECK_PACKET, ENOSYS,
2273
"Checking will most likely never get implemented" },
2274
/* ENOENT for DELETE probably means no matching rule */
2275
{ TC_DELETE_ENTRY, ENOENT,
2276
"Bad rule (does a matching rule exist in that chain?)" },
2277
{ TC_SET_POLICY, ENOENT,
2278
"Bad built-in chain name" },
2279
{ TC_SET_POLICY, EINVAL,
2280
"Bad policy name" },
2282
{ NULL, 0, "Incompatible with this kernel" },
2283
{ NULL, ENOPROTOOPT, "iptables who? (do you need to insmod?)" },
2284
{ NULL, ENOSYS, "Will be implemented real soon. I promise ;)" },
2285
{ NULL, ENOMEM, "Memory allocation problem" },
2286
{ NULL, ENOENT, "No chain/target/match by that name" },
2289
for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
2290
if ((!table[i].fn || table[i].fn == iptc_fn)
2291
&& table[i].err == err)
2292
return table[i].message;
2295
return strerror(err);