2 * This file was imported from the iptables sources.
3 * Copyright (C) 1999-2008 Netfilter Core Team
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; only version 2 of the License is applicable.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
14 * You should have received a copy of the GNU General Public License along
15 * with this program; if not, write to the Free Software Foundation, Inc.,
16 * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
19 /* Library which manipulates firewall rules. Version $Revision: 7138 $ */
21 /* Architecture of firewall rules is as follows:
23 * Chains go INPUT, FORWARD, OUTPUT then user chains.
24 * Each user chain starts with an ERROR node.
25 * Every chain ends with an unconditional jump: a RETURN for user chains,
26 * and a POLICY for built-ins.
29 /* (C) 1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
30 * COPYING for details).
31 * (C) 2000-2004 by the Netfilter Core Team <coreteam@netfilter.org>
33 * 2003-Jun-20: Harald Welte <laforge@netfilter.org>:
34 * - Reimplementation of chain cache to use offsets instead of entries
35 * 2003-Jun-23: Harald Welte <laforge@netfilter.org>:
36 * - performance optimization, sponsored by Astaro AG (http://www.astaro.com/)
37 * don't rebuild the chain cache after every operation, instead fix it
38 * up after a ruleset change.
39 * 2004-Aug-18: Harald Welte <laforge@netfilter.org>:
40 * - futher performance work: total reimplementation of libiptc.
41 * - libiptc now has a real internal (linked-list) represntation of the
42 * ruleset and a parser/compiler from/to this internal representation
43 * - again sponsored by Astaro AG (http://www.astaro.com/)
45 #include <sys/types.h>
46 #include <sys/socket.h>
48 #include "linux_list.h"
50 //#define IPTC_DEBUG2 1
54 #define DEBUGP(x, args...) fprintf(stderr, "%s: " x, __FUNCTION__, ## args)
55 #define DEBUGP_C(x, args...) fprintf(stderr, x, ## args)
57 #define DEBUGP(x, args...)
58 #define DEBUGP_C(x, args...)
62 #define IPT_LIB_DIR "/usr/local/lib/iptables"
65 static int sockfd = -1;
66 static int sockfd_use = 0;
67 static void *iptc_fn = NULL;
69 static const char *hooknames[] = {
70 [HOOK_PRE_ROUTING] = "PREROUTING",
71 [HOOK_LOCAL_IN] = "INPUT",
72 [HOOK_FORWARD] = "FORWARD",
73 [HOOK_LOCAL_OUT] = "OUTPUT",
74 [HOOK_POST_ROUTING] = "POSTROUTING",
76 [HOOK_DROPPING] = "DROPPING"
80 /* Convenience structures */
81 struct ipt_error_target
83 STRUCT_ENTRY_TARGET t;
84 char error[TABLE_MAXNAMELEN];
94 COUNTER_MAP_NORMAL_MAP,
101 enum iptcc_rule_type {
102 IPTCC_R_STANDARD, /* standard target (ACCEPT, ...) */
103 IPTCC_R_MODULE, /* extension module (SNAT, ...) */
104 IPTCC_R_FALLTHROUGH, /* fallthrough rule */
105 IPTCC_R_JUMP, /* jump to other chain */
110 struct list_head list;
111 struct chain_head *chain;
112 struct counter_map counter_map;
114 unsigned int index; /* index (needed for counter_map) */
115 unsigned int offset; /* offset in rule blob */
117 enum iptcc_rule_type type;
118 struct chain_head *jump; /* jump target, if IPTCC_R_JUMP */
120 unsigned int size; /* size of entry data */
121 STRUCT_ENTRY entry[0];
126 struct list_head list;
127 char name[TABLE_MAXNAMELEN];
128 unsigned int hooknum; /* hook number+1 if builtin */
129 unsigned int references; /* how many jumps reference us */
130 int verdict; /* verdict if builtin */
132 STRUCT_COUNTERS counters; /* per-chain counters */
133 struct counter_map counter_map;
135 unsigned int num_rules; /* number of rules in list */
136 struct list_head rules; /* list of rules */
138 unsigned int index; /* index (needed for jump resolval) */
139 unsigned int head_offset; /* offset in rule blob */
140 unsigned int foot_index; /* index (needed for counter_map) */
141 unsigned int foot_offset; /* offset in rule blob */
146 int changed; /* Have changes been made? */
148 struct list_head chains;
150 struct chain_head *chain_iterator_cur;
151 struct rule_head *rule_iterator_cur;
154 STRUCT_GET_ENTRIES *entries;
157 /* allocate a new chain head for the cache */
158 static struct chain_head *iptcc_alloc_chain_head(const char *name, int hooknum)
160 struct chain_head *c = malloc(sizeof(*c));
163 memset(c, 0, sizeof(*c));
165 strncpy(c->name, name, TABLE_MAXNAMELEN);
166 c->hooknum = hooknum;
167 INIT_LIST_HEAD(&c->rules);
172 /* allocate and initialize a new rule for the cache */
173 static struct rule_head *iptcc_alloc_rule(struct chain_head *c, unsigned int size)
175 struct rule_head *r = malloc(sizeof(*r)+size);
178 memset(r, 0, sizeof(*r));
186 /* notify us that the ruleset has been modified by the user */
188 set_changed(TC_HANDLE_T h)
194 static void do_check(TC_HANDLE_T h, unsigned int line);
195 #define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
201 /**********************************************************************
202 * iptc blob utility functions (iptcb_*)
203 **********************************************************************/
206 iptcb_get_number(const STRUCT_ENTRY *i,
207 const STRUCT_ENTRY *seek,
217 iptcb_get_entry_n(STRUCT_ENTRY *i,
222 if (*pos == number) {
230 static inline STRUCT_ENTRY *
231 iptcb_get_entry(TC_HANDLE_T h, unsigned int offset)
233 return (STRUCT_ENTRY *)((char *)h->entries->entrytable + offset);
237 iptcb_entry2index(const TC_HANDLE_T h, const STRUCT_ENTRY *seek)
239 unsigned int pos = 0;
241 if (ENTRY_ITERATE(h->entries->entrytable, h->entries->size,
242 iptcb_get_number, seek, &pos) == 0) {
243 fprintf(stderr, "ERROR: offset %u not an entry!\n",
244 (unsigned int)((char *)seek - (char *)h->entries->entrytable));
250 static inline STRUCT_ENTRY *
251 iptcb_offset2entry(TC_HANDLE_T h, unsigned int offset)
253 return (STRUCT_ENTRY *) ((void *)h->entries->entrytable+offset);
257 static inline unsigned long
258 iptcb_entry2offset(const TC_HANDLE_T h, const STRUCT_ENTRY *e)
260 return (void *)e - (void *)h->entries->entrytable;
263 static inline unsigned int
264 iptcb_offset2index(const TC_HANDLE_T h, unsigned int offset)
266 return iptcb_entry2index(h, iptcb_offset2entry(h, offset));
269 /* Returns 0 if not hook entry, else hooknumber + 1 */
270 static inline unsigned int
271 iptcb_ent_is_hook_entry(STRUCT_ENTRY *e, TC_HANDLE_T h)
275 for (i = 0; i < NUMHOOKS; i++) {
276 if ((h->info.valid_hooks & (1 << i))
277 && iptcb_get_entry(h, h->info.hook_entry[i]) == e)
284 /**********************************************************************
285 * iptc cache utility functions (iptcc_*)
286 **********************************************************************/
288 /* Is the given chain builtin (1) or user-defined (0) */
289 static unsigned int iptcc_is_builtin(struct chain_head *c)
291 return (c->hooknum ? 1 : 0);
294 /* Get a specific rule within a chain */
295 static struct rule_head *iptcc_get_rule_num(struct chain_head *c,
296 unsigned int rulenum)
299 unsigned int num = 0;
301 list_for_each_entry(r, &c->rules, list) {
309 /* Get a specific rule within a chain backwards */
310 static struct rule_head *iptcc_get_rule_num_reverse(struct chain_head *c,
311 unsigned int rulenum)
314 unsigned int num = 0;
316 list_for_each_entry_reverse(r, &c->rules, list) {
324 /* Returns chain head if found, otherwise NULL. */
325 static struct chain_head *
326 iptcc_find_chain_by_offset(TC_HANDLE_T handle, unsigned int offset)
328 struct list_head *pos;
330 if (list_empty(&handle->chains))
333 list_for_each(pos, &handle->chains) {
334 struct chain_head *c = list_entry(pos, struct chain_head, list);
335 if (offset >= c->head_offset && offset <= c->foot_offset)
341 /* Returns chain head if found, otherwise NULL. */
342 static struct chain_head *
343 iptcc_find_label(const char *name, TC_HANDLE_T handle)
345 struct list_head *pos;
347 if (list_empty(&handle->chains))
350 list_for_each(pos, &handle->chains) {
351 struct chain_head *c = list_entry(pos, struct chain_head, list);
352 if (!strcmp(c->name, name))
359 /* called when rule is to be removed from cache */
360 static void iptcc_delete_rule(struct rule_head *r)
362 DEBUGP("deleting rule %p (offset %u)\n", r, r->offset);
363 /* clean up reference count of called chain */
364 if (r->type == IPTCC_R_JUMP
366 r->jump->references--;
373 /**********************************************************************
374 * RULESET PARSER (blob -> cache)
375 **********************************************************************/
377 /* Delete policy rule of previous chain, since cache doesn't contain
378 * chain policy rules.
379 * WARNING: This function has ugly design and relies on a lot of context, only
380 * to be called from specific places within the parser */
381 static int __iptcc_p_del_policy(TC_HANDLE_T h, unsigned int num)
383 if (h->chain_iterator_cur) {
384 /* policy rule is last rule */
385 struct rule_head *pr = (struct rule_head *)
386 h->chain_iterator_cur->rules.prev;
389 h->chain_iterator_cur->verdict =
390 *(int *)GET_TARGET(pr->entry)->data;
392 /* save counter and counter_map information */
393 h->chain_iterator_cur->counter_map.maptype =
394 COUNTER_MAP_NORMAL_MAP;
395 h->chain_iterator_cur->counter_map.mappos = num-1;
396 memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters,
397 sizeof(h->chain_iterator_cur->counters));
399 /* foot_offset points to verdict rule */
400 h->chain_iterator_cur->foot_index = num;
401 h->chain_iterator_cur->foot_offset = pr->offset;
403 /* delete rule from cache */
404 iptcc_delete_rule(pr);
405 h->chain_iterator_cur->num_rules--;
412 /* alphabetically insert a chain into the list */
413 static inline void iptc_insert_chain(TC_HANDLE_T h, struct chain_head *c)
415 struct chain_head *tmp;
417 /* sort only user defined chains */
419 list_for_each_entry(tmp, &h->chains, list) {
420 if (!tmp->hooknum && strcmp(c->name, tmp->name) <= 0) {
421 list_add(&c->list, tmp->list.prev);
427 /* survived till end of list: add at tail */
428 list_add_tail(&c->list, &h->chains);
431 /* Another ugly helper function split out of cache_add_entry to make it less
433 static void __iptcc_p_add_chain(TC_HANDLE_T h, struct chain_head *c,
434 unsigned int offset, unsigned int *num)
436 struct list_head *tail = h->chains.prev;
437 struct chain_head *ctail;
439 __iptcc_p_del_policy(h, *num);
441 c->head_offset = offset;
444 /* Chains from kernel are already sorted, as they are inserted
445 * sorted. But there exists an issue when shifting to 1.4.0
446 * from an older version, as old versions allow last created
447 * chain to be unsorted.
449 if (iptcc_is_builtin(c)) /* Only user defined chains are sorted*/
450 list_add_tail(&c->list, &h->chains);
452 ctail = list_entry(tail, struct chain_head, list);
453 if (strcmp(c->name, ctail->name) > 0)
454 list_add_tail(&c->list, &h->chains);/* Already sorted*/
456 iptc_insert_chain(h, c);/* Was not sorted */
459 h->chain_iterator_cur = c;
462 /* main parser function: add an entry from the blob to the cache */
463 static int cache_add_entry(STRUCT_ENTRY *e,
468 unsigned int builtin;
469 unsigned int offset = (char *)e - (char *)h->entries->entrytable;
471 DEBUGP("entering...");
473 /* Last entry ("policy rule"). End it.*/
474 if (iptcb_entry2offset(h,e) + e->next_offset == h->entries->size) {
475 /* This is the ERROR node at the end of the chain */
476 DEBUGP_C("%u:%u: end of table:\n", *num, offset);
478 __iptcc_p_del_policy(h, *num);
480 h->chain_iterator_cur = NULL;
484 /* We know this is the start of a new chain if it's an ERROR
485 * target, or a hook entry point */
487 if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) == 0) {
488 struct chain_head *c =
489 iptcc_alloc_chain_head((const char *)GET_TARGET(e)->data, 0);
490 DEBUGP_C("%u:%u:new userdefined chain %s: %p\n", *num, offset,
497 __iptcc_p_add_chain(h, c, offset, num);
499 } else if ((builtin = iptcb_ent_is_hook_entry(e, h)) != 0) {
500 struct chain_head *c =
501 iptcc_alloc_chain_head((char *)hooknames[builtin-1],
503 DEBUGP_C("%u:%u new builtin chain: %p (rules=%p)\n",
504 *num, offset, c, &c->rules);
510 c->hooknum = builtin;
512 __iptcc_p_add_chain(h, c, offset, num);
514 /* FIXME: this is ugly. */
517 /* has to be normal rule */
521 if (!(r = iptcc_alloc_rule(h->chain_iterator_cur,
526 DEBUGP_C("%u:%u normal rule: %p: ", *num, offset, r);
530 memcpy(r->entry, e, e->next_offset);
531 r->counter_map.maptype = COUNTER_MAP_NORMAL_MAP;
532 r->counter_map.mappos = r->index;
534 /* handling of jumps, etc. */
535 if (!strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET)) {
536 STRUCT_STANDARD_TARGET *t;
538 t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
539 if (t->target.u.target_size
540 != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
545 if (t->verdict < 0) {
546 DEBUGP_C("standard, verdict=%d\n", t->verdict);
547 r->type = IPTCC_R_STANDARD;
548 } else if (t->verdict == r->offset+e->next_offset) {
549 DEBUGP_C("fallthrough\n");
550 r->type = IPTCC_R_FALLTHROUGH;
552 DEBUGP_C("jump, target=%u\n", t->verdict);
553 r->type = IPTCC_R_JUMP;
554 /* Jump target fixup has to be deferred
555 * until second pass, since we migh not
556 * yet have parsed the target */
559 DEBUGP_C("module, target=%s\n", GET_TARGET(e)->u.user.name);
560 r->type = IPTCC_R_MODULE;
563 list_add_tail(&r->list, &h->chain_iterator_cur->rules);
564 h->chain_iterator_cur->num_rules++;
572 /* parse an iptables blob into it's pieces */
573 static int parse_table(TC_HANDLE_T h)
576 unsigned int num = 0;
577 struct chain_head *c;
579 /* First pass: over ruleset blob */
580 ENTRY_ITERATE(h->entries->entrytable, h->entries->size,
581 cache_add_entry, h, &prev, &num);
583 /* Second pass: fixup parsed data from first pass */
584 list_for_each_entry(c, &h->chains, list) {
586 list_for_each_entry(r, &c->rules, list) {
587 struct chain_head *c;
588 STRUCT_STANDARD_TARGET *t;
590 if (r->type != IPTCC_R_JUMP)
593 t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
594 c = iptcc_find_chain_by_offset(h, t->verdict);
602 /* FIXME: sort chains */
608 /**********************************************************************
609 * RULESET COMPILATION (cache -> blob)
610 **********************************************************************/
612 /* Convenience structures */
613 struct iptcb_chain_start{
615 struct ipt_error_target name;
617 #define IPTCB_CHAIN_START_SIZE (sizeof(STRUCT_ENTRY) + \
618 ALIGN(sizeof(struct ipt_error_target)))
620 struct iptcb_chain_foot {
622 STRUCT_STANDARD_TARGET target;
624 #define IPTCB_CHAIN_FOOT_SIZE (sizeof(STRUCT_ENTRY) + \
625 ALIGN(sizeof(STRUCT_STANDARD_TARGET)))
627 struct iptcb_chain_error {
629 struct ipt_error_target target;
631 #define IPTCB_CHAIN_ERROR_SIZE (sizeof(STRUCT_ENTRY) + \
632 ALIGN(sizeof(struct ipt_error_target)))
636 /* compile rule from cache into blob */
637 static inline int iptcc_compile_rule (TC_HANDLE_T h, STRUCT_REPLACE *repl, struct rule_head *r)
640 if (r->type == IPTCC_R_JUMP) {
641 STRUCT_STANDARD_TARGET *t;
642 t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
643 /* memset for memcmp convenience on delete/replace */
644 memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
645 strcpy(t->target.u.user.name, STANDARD_TARGET);
646 /* Jumps can only happen to builtin chains, so we
647 * can safely assume that they always have a header */
648 t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE;
649 } else if (r->type == IPTCC_R_FALLTHROUGH) {
650 STRUCT_STANDARD_TARGET *t;
651 t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
652 t->verdict = r->offset + r->size;
655 /* copy entry from cache to blob */
656 memcpy((char *)repl->entries+r->offset, r->entry, r->size);
661 /* compile chain from cache into blob */
662 static int iptcc_compile_chain(TC_HANDLE_T h, STRUCT_REPLACE *repl, struct chain_head *c)
666 struct iptcb_chain_start *head;
667 struct iptcb_chain_foot *foot;
669 /* only user-defined chains have heaer */
670 if (!iptcc_is_builtin(c)) {
671 /* put chain header in place */
672 head = (void *)repl->entries + c->head_offset;
673 head->e.target_offset = sizeof(STRUCT_ENTRY);
674 head->e.next_offset = IPTCB_CHAIN_START_SIZE;
675 strcpy(head->name.t.u.user.name, ERROR_TARGET);
676 head->name.t.u.target_size =
677 ALIGN(sizeof(struct ipt_error_target));
678 strcpy(head->name.error, c->name);
680 repl->hook_entry[c->hooknum-1] = c->head_offset;
681 repl->underflow[c->hooknum-1] = c->foot_offset;
684 /* iterate over rules */
685 list_for_each_entry(r, &c->rules, list) {
686 ret = iptcc_compile_rule(h, repl, r);
691 /* put chain footer in place */
692 foot = (void *)repl->entries + c->foot_offset;
693 foot->e.target_offset = sizeof(STRUCT_ENTRY);
694 foot->e.next_offset = IPTCB_CHAIN_FOOT_SIZE;
695 strcpy(foot->target.target.u.user.name, STANDARD_TARGET);
696 foot->target.target.u.target_size =
697 ALIGN(sizeof(STRUCT_STANDARD_TARGET));
698 /* builtin targets have verdict, others return */
699 if (iptcc_is_builtin(c))
700 foot->target.verdict = c->verdict;
702 foot->target.verdict = RETURN;
703 /* set policy-counters */
704 memcpy(&foot->e.counters, &c->counters, sizeof(STRUCT_COUNTERS));
709 /* calculate offset and number for every rule in the cache */
710 static int iptcc_compile_chain_offsets(TC_HANDLE_T h, struct chain_head *c,
711 unsigned int *offset, unsigned int *num)
715 c->head_offset = *offset;
716 DEBUGP("%s: chain_head %u, offset=%u\n", c->name, *num, *offset);
718 if (!iptcc_is_builtin(c)) {
719 /* Chain has header */
720 *offset += sizeof(STRUCT_ENTRY)
721 + ALIGN(sizeof(struct ipt_error_target));
725 list_for_each_entry(r, &c->rules, list) {
726 DEBUGP("rule %u, offset=%u, index=%u\n", *num, *offset, *num);
733 DEBUGP("%s; chain_foot %u, offset=%u, index=%u\n", c->name, *num,
735 c->foot_offset = *offset;
736 c->foot_index = *num;
737 *offset += sizeof(STRUCT_ENTRY)
738 + ALIGN(sizeof(STRUCT_STANDARD_TARGET));
744 /* put the pieces back together again */
745 static int iptcc_compile_table_prep(TC_HANDLE_T h, unsigned int *size)
747 struct chain_head *c;
748 unsigned int offset = 0, num = 0;
751 /* First pass: calculate offset for every rule */
752 list_for_each_entry(c, &h->chains, list) {
753 ret = iptcc_compile_chain_offsets(h, c, &offset, &num);
758 /* Append one error rule at end of chain */
760 offset += sizeof(STRUCT_ENTRY)
761 + ALIGN(sizeof(struct ipt_error_target));
763 /* ruleset size is now in offset */
768 static int iptcc_compile_table(TC_HANDLE_T h, STRUCT_REPLACE *repl)
770 struct chain_head *c;
771 struct iptcb_chain_error *error;
773 /* Second pass: copy from cache to offsets, fill in jumps */
774 list_for_each_entry(c, &h->chains, list) {
775 int ret = iptcc_compile_chain(h, repl, c);
780 /* Append error rule at end of chain */
781 error = (void *)repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE;
782 error->entry.target_offset = sizeof(STRUCT_ENTRY);
783 error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE;
784 error->target.t.u.user.target_size =
785 ALIGN(sizeof(struct ipt_error_target));
786 strcpy((char *)&error->target.t.u.user.name, ERROR_TARGET);
787 strcpy((char *)&error->target.error, "ERROR");
792 /**********************************************************************
793 * EXTERNAL API (operates on cache only)
794 **********************************************************************/
796 /* Allocate handle of given size */
798 alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
803 len = sizeof(STRUCT_TC_HANDLE) + size;
805 h = malloc(sizeof(STRUCT_TC_HANDLE));
810 memset(h, 0, sizeof(*h));
811 INIT_LIST_HEAD(&h->chains);
812 strcpy(h->info.name, tablename);
814 h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + size);
816 goto out_free_handle;
818 strcpy(h->entries->name, tablename);
819 h->entries->size = size;
831 TC_INIT(const char *tablename)
840 if (strlen(tablename) >= TABLE_MAXNAMELEN) {
845 if (sockfd_use == 0) {
846 sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
854 strcpy(info.name, tablename);
855 if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, &info, &s) < 0) {
856 if (--sockfd_use == 0) {
863 DEBUGP("valid_hooks=0x%08x, num_entries=%u, size=%u\n",
864 info.valid_hooks, info.num_entries, info.size);
866 if ((h = alloc_handle(info.name, info.size, info.num_entries))
868 if (--sockfd_use == 0) {
875 /* Initialize current state */
878 h->entries->size = h->info.size;
880 tmp = sizeof(STRUCT_GET_ENTRIES) + h->info.size;
882 if (getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, h->entries,
888 int fd = open("/tmp/libiptc-so_get_entries.blob",
891 write(fd, h->entries, tmp);
897 if (parse_table(h) < 0)
908 TC_FREE(TC_HANDLE_T *h)
910 struct chain_head *c, *tmp;
913 if (--sockfd_use == 0) {
918 list_for_each_entry_safe(c, tmp, &(*h)->chains, list) {
919 struct rule_head *r, *rtmp;
921 list_for_each_entry_safe(r, rtmp, &c->rules, list) {
935 print_match(const STRUCT_ENTRY_MATCH *m)
937 printf("Match name: `%s'\n", m->u.user.name);
941 static int dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle);
944 TC_DUMP_ENTRIES(const TC_HANDLE_T handle)
946 iptc_fn = TC_DUMP_ENTRIES;
949 printf("libiptc v%s. %u bytes.\n",
950 IPTABLES_VERSION, handle->entries->size);
951 printf("Table `%s'\n", handle->info.name);
952 printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
953 handle->info.hook_entry[HOOK_PRE_ROUTING],
954 handle->info.hook_entry[HOOK_LOCAL_IN],
955 handle->info.hook_entry[HOOK_FORWARD],
956 handle->info.hook_entry[HOOK_LOCAL_OUT],
957 handle->info.hook_entry[HOOK_POST_ROUTING]);
958 printf("Underflows: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
959 handle->info.underflow[HOOK_PRE_ROUTING],
960 handle->info.underflow[HOOK_LOCAL_IN],
961 handle->info.underflow[HOOK_FORWARD],
962 handle->info.underflow[HOOK_LOCAL_OUT],
963 handle->info.underflow[HOOK_POST_ROUTING]);
965 ENTRY_ITERATE(handle->entries->entrytable, handle->entries->size,
969 /* Does this chain exist? */
970 int TC_IS_CHAIN(const char *chain, const TC_HANDLE_T handle)
972 iptc_fn = TC_IS_CHAIN;
973 return iptcc_find_label(chain, handle) != NULL;
976 static void iptcc_chain_iterator_advance(TC_HANDLE_T handle)
978 struct chain_head *c = handle->chain_iterator_cur;
980 if (c->list.next == &handle->chains)
981 handle->chain_iterator_cur = NULL;
983 handle->chain_iterator_cur =
984 list_entry(c->list.next, struct chain_head, list);
987 /* Iterator functions to run through the chains. */
989 TC_FIRST_CHAIN(TC_HANDLE_T *handle)
991 struct chain_head *c = list_entry((*handle)->chains.next,
992 struct chain_head, list);
994 iptc_fn = TC_FIRST_CHAIN;
997 if (list_empty(&(*handle)->chains)) {
998 DEBUGP(": no chains\n");
1002 (*handle)->chain_iterator_cur = c;
1003 iptcc_chain_iterator_advance(*handle);
1005 DEBUGP(": returning `%s'\n", c->name);
1009 /* Iterator functions to run through the chains. Returns NULL at end. */
1011 TC_NEXT_CHAIN(TC_HANDLE_T *handle)
1013 struct chain_head *c = (*handle)->chain_iterator_cur;
1015 iptc_fn = TC_NEXT_CHAIN;
1018 DEBUGP(": no more chains\n");
1022 iptcc_chain_iterator_advance(*handle);
1024 DEBUGP(": returning `%s'\n", c->name);
1028 /* Get first rule in the given chain: NULL for empty chain. */
1029 const STRUCT_ENTRY *
1030 TC_FIRST_RULE(const char *chain, TC_HANDLE_T *handle)
1032 struct chain_head *c;
1033 struct rule_head *r;
1035 iptc_fn = TC_FIRST_RULE;
1037 DEBUGP("first rule(%s): ", chain);
1039 c = iptcc_find_label(chain, *handle);
1045 /* Empty chain: single return/policy rule */
1046 if (list_empty(&c->rules)) {
1047 DEBUGP_C("no rules, returning NULL\n");
1051 r = list_entry(c->rules.next, struct rule_head, list);
1052 (*handle)->rule_iterator_cur = r;
1053 DEBUGP_C("%p\n", r);
1058 /* Returns NULL when rules run out. */
1059 const STRUCT_ENTRY *
1060 TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
1062 struct rule_head *r;
1064 iptc_fn = TC_NEXT_RULE;
1065 DEBUGP("rule_iterator_cur=%p...", (*handle)->rule_iterator_cur);
1067 if (!(*handle)->rule_iterator_cur) {
1068 DEBUGP_C("returning NULL\n");
1072 r = list_entry((*handle)->rule_iterator_cur->list.next,
1073 struct rule_head, list);
1075 iptc_fn = TC_NEXT_RULE;
1077 DEBUGP_C("next=%p, head=%p...", &r->list,
1078 &(*handle)->rule_iterator_cur->chain->rules);
1080 if (&r->list == &(*handle)->rule_iterator_cur->chain->rules) {
1081 (*handle)->rule_iterator_cur = NULL;
1082 DEBUGP_C("finished, returning NULL\n");
1086 (*handle)->rule_iterator_cur = r;
1088 /* NOTE: prev is without any influence ! */
1089 DEBUGP_C("returning rule %p\n", r);
1093 /* How many rules in this chain? */
1095 TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
1097 struct chain_head *c;
1098 iptc_fn = TC_NUM_RULES;
1101 c = iptcc_find_label(chain, *handle);
1104 return (unsigned int)-1;
1107 return c->num_rules;
1110 const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
1112 TC_HANDLE_T *handle)
1114 struct chain_head *c;
1115 struct rule_head *r;
1117 iptc_fn = TC_GET_RULE;
1121 c = iptcc_find_label(chain, *handle);
1127 r = iptcc_get_rule_num(c, n);
1133 /* Returns a pointer to the target name of this position. */
1134 static const char *standard_target_map(int verdict)
1138 return LABEL_RETURN;
1141 return LABEL_ACCEPT;
1150 fprintf(stderr, "ERROR: %d not a valid target)\n",
1159 /* Returns a pointer to the target name of this position. */
1160 const char *TC_GET_TARGET(const STRUCT_ENTRY *ce,
1161 TC_HANDLE_T *handle)
1163 STRUCT_ENTRY *e = (STRUCT_ENTRY *)ce;
1164 struct rule_head *r = container_of(e, struct rule_head, entry[0]);
1166 iptc_fn = TC_GET_TARGET;
1170 case IPTCC_R_FALLTHROUGH:
1174 DEBUGP("r=%p, jump=%p, name=`%s'\n", r, r->jump, r->jump->name);
1175 return r->jump->name;
1177 case IPTCC_R_STANDARD:
1178 spos = *(int *)GET_TARGET(e)->data;
1179 DEBUGP("r=%p, spos=%d'\n", r, spos);
1180 return standard_target_map(spos);
1182 case IPTCC_R_MODULE:
1183 return GET_TARGET(e)->u.user.name;
1188 /* Is this a built-in chain? Actually returns hook + 1. */
1190 TC_BUILTIN(const char *chain, const TC_HANDLE_T handle)
1192 struct chain_head *c;
1194 iptc_fn = TC_BUILTIN;
1196 c = iptcc_find_label(chain, handle);
1202 return iptcc_is_builtin(c);
1205 /* Get the policy of a given built-in chain */
1207 TC_GET_POLICY(const char *chain,
1208 STRUCT_COUNTERS *counters,
1209 TC_HANDLE_T *handle)
1211 struct chain_head *c;
1213 iptc_fn = TC_GET_POLICY;
1215 DEBUGP("called for chain %s\n", chain);
1217 c = iptcc_find_label(chain, *handle);
1223 if (!iptcc_is_builtin(c))
1226 *counters = c->counters;
1228 return standard_target_map(c->verdict);
1232 iptcc_standard_map(struct rule_head *r, int verdict)
1234 STRUCT_ENTRY *e = r->entry;
1235 STRUCT_STANDARD_TARGET *t;
1237 t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
1239 if (t->target.u.target_size
1240 != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
1244 /* memset for memcmp convenience on delete/replace */
1245 memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
1246 strcpy(t->target.u.user.name, STANDARD_TARGET);
1247 t->verdict = verdict;
1249 r->type = IPTCC_R_STANDARD;
1255 iptcc_map_target(const TC_HANDLE_T handle,
1256 struct rule_head *r)
1258 STRUCT_ENTRY *e = r->entry;
1259 STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
1261 /* Maybe it's empty (=> fall through) */
1262 if (strcmp(t->u.user.name, "") == 0) {
1263 r->type = IPTCC_R_FALLTHROUGH;
1266 /* Maybe it's a standard target name... */
1267 else if (strcmp(t->u.user.name, LABEL_ACCEPT) == 0)
1268 return iptcc_standard_map(r, -NF_ACCEPT - 1);
1269 else if (strcmp(t->u.user.name, LABEL_DROP) == 0)
1270 return iptcc_standard_map(r, -NF_DROP - 1);
1271 else if (strcmp(t->u.user.name, LABEL_QUEUE) == 0)
1272 return iptcc_standard_map(r, -NF_QUEUE - 1);
1273 else if (strcmp(t->u.user.name, LABEL_RETURN) == 0)
1274 return iptcc_standard_map(r, RETURN);
1275 else if (TC_BUILTIN(t->u.user.name, handle)) {
1276 /* Can't jump to builtins. */
1280 /* Maybe it's an existing chain name. */
1281 struct chain_head *c;
1282 DEBUGP("trying to find chain `%s': ", t->u.user.name);
1284 c = iptcc_find_label(t->u.user.name, handle);
1286 DEBUGP_C("found!\n");
1287 r->type = IPTCC_R_JUMP;
1292 DEBUGP_C("not found :(\n");
1295 /* Must be a module? If not, kernel will reject... */
1296 /* memset to all 0 for your memcmp convenience: don't clear version */
1297 memset(t->u.user.name + strlen(t->u.user.name),
1299 FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name));
1300 r->type = IPTCC_R_MODULE;
1301 set_changed(handle);
1305 /* Insert the entry `fw' in chain `chain' into position `rulenum'. */
1307 TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
1308 const STRUCT_ENTRY *e,
1309 unsigned int rulenum,
1310 TC_HANDLE_T *handle)
1312 struct chain_head *c;
1313 struct rule_head *r;
1314 struct list_head *prev;
1316 iptc_fn = TC_INSERT_ENTRY;
1318 if (!(c = iptcc_find_label(chain, *handle))) {
1323 /* first rulenum index = 0
1324 first c->num_rules index = 1 */
1325 if (rulenum > c->num_rules) {
1330 /* If we are inserting at the end just take advantage of the
1331 double linked list, insert will happen before the entry
1333 if (rulenum == c->num_rules) {
1335 } else if (rulenum + 1 <= c->num_rules/2) {
1336 r = iptcc_get_rule_num(c, rulenum + 1);
1339 r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
1343 if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
1348 memcpy(r->entry, e, e->next_offset);
1349 r->counter_map.maptype = COUNTER_MAP_SET;
1351 if (!iptcc_map_target(*handle, r)) {
1356 list_add_tail(&r->list, prev);
1359 set_changed(*handle);
1364 /* Atomically replace rule `rulenum' in `chain' with `fw'. */
1366 TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
1367 const STRUCT_ENTRY *e,
1368 unsigned int rulenum,
1369 TC_HANDLE_T *handle)
1371 struct chain_head *c;
1372 struct rule_head *r, *old;
1374 iptc_fn = TC_REPLACE_ENTRY;
1376 if (!(c = iptcc_find_label(chain, *handle))) {
1381 if (rulenum >= c->num_rules) {
1386 /* Take advantage of the double linked list if possible. */
1387 if (rulenum + 1 <= c->num_rules/2) {
1388 old = iptcc_get_rule_num(c, rulenum + 1);
1390 old = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
1393 if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
1398 memcpy(r->entry, e, e->next_offset);
1399 r->counter_map.maptype = COUNTER_MAP_SET;
1401 if (!iptcc_map_target(*handle, r)) {
1406 list_add(&r->list, &old->list);
1407 iptcc_delete_rule(old);
1409 set_changed(*handle);
1414 /* Append entry `fw' to chain `chain'. Equivalent to insert with
1415 rulenum = length of chain. */
1417 TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
1418 const STRUCT_ENTRY *e,
1419 TC_HANDLE_T *handle)
1421 struct chain_head *c;
1422 struct rule_head *r;
1424 iptc_fn = TC_APPEND_ENTRY;
1425 if (!(c = iptcc_find_label(chain, *handle))) {
1426 DEBUGP("unable to find chain `%s'\n", chain);
1431 if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
1432 DEBUGP("unable to allocate rule for chain `%s'\n", chain);
1437 memcpy(r->entry, e, e->next_offset);
1438 r->counter_map.maptype = COUNTER_MAP_SET;
1440 if (!iptcc_map_target(*handle, r)) {
1441 DEBUGP("unable to map target of rule for chain `%s'\n", chain);
1446 list_add_tail(&r->list, &c->rules);
1449 set_changed(*handle);
1455 match_different(const STRUCT_ENTRY_MATCH *a,
1456 const unsigned char *a_elems,
1457 const unsigned char *b_elems,
1458 unsigned char **maskptr)
1460 const STRUCT_ENTRY_MATCH *b;
1463 /* Offset of b is the same as a. */
1464 b = (void *)b_elems + ((unsigned char *)a - a_elems);
1466 if (a->u.match_size != b->u.match_size)
1469 if (strcmp(a->u.user.name, b->u.user.name) != 0)
1472 *maskptr += ALIGN(sizeof(*a));
1474 for (i = 0; i < a->u.match_size - ALIGN(sizeof(*a)); i++)
1475 if (((a->data[i] ^ b->data[i]) & (*maskptr)[i]) != 0)
1482 target_same(struct rule_head *a, struct rule_head *b,const unsigned char *mask)
1485 STRUCT_ENTRY_TARGET *ta, *tb;
1487 if (a->type != b->type)
1490 ta = GET_TARGET(a->entry);
1491 tb = GET_TARGET(b->entry);
1494 case IPTCC_R_FALLTHROUGH:
1497 return a->jump == b->jump;
1498 case IPTCC_R_STANDARD:
1499 return ((STRUCT_STANDARD_TARGET *)ta)->verdict
1500 == ((STRUCT_STANDARD_TARGET *)tb)->verdict;
1501 case IPTCC_R_MODULE:
1502 if (ta->u.target_size != tb->u.target_size)
1504 if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
1507 for (i = 0; i < ta->u.target_size - sizeof(*ta); i++)
1508 if (((ta->data[i] ^ tb->data[i]) & mask[i]) != 0)
1512 fprintf(stderr, "ERROR: bad type %i\n", a->type);
1517 static unsigned char *
1518 is_same(const STRUCT_ENTRY *a,
1519 const STRUCT_ENTRY *b,
1520 unsigned char *matchmask);
1522 /* Delete the first rule in `chain' which matches `fw'. */
1524 TC_DELETE_ENTRY(const IPT_CHAINLABEL chain,
1525 const STRUCT_ENTRY *origfw,
1526 unsigned char *matchmask,
1527 TC_HANDLE_T *handle)
1529 struct chain_head *c;
1530 struct rule_head *r, *i;
1532 iptc_fn = TC_DELETE_ENTRY;
1533 if (!(c = iptcc_find_label(chain, *handle))) {
1538 /* Create a rule_head from origfw. */
1539 r = iptcc_alloc_rule(c, origfw->next_offset);
1545 memcpy(r->entry, origfw, origfw->next_offset);
1546 r->counter_map.maptype = COUNTER_MAP_NOMAP;
1547 if (!iptcc_map_target(*handle, r)) {
1548 DEBUGP("unable to map target of rule for chain `%s'\n", chain);
1552 /* iptcc_map_target increment target chain references
1553 * since this is a fake rule only used for matching
1554 * the chain references count is decremented again.
1556 if (r->type == IPTCC_R_JUMP
1558 r->jump->references--;
1561 list_for_each_entry(i, &c->rules, list) {
1562 unsigned char *mask;
1564 mask = is_same(r->entry, i->entry, matchmask);
1568 if (!target_same(r, i, mask))
1571 /* If we are about to delete the rule that is the
1572 * current iterator, move rule iterator back. next
1573 * pointer will then point to real next node */
1574 if (i == (*handle)->rule_iterator_cur) {
1575 (*handle)->rule_iterator_cur =
1576 list_entry((*handle)->rule_iterator_cur->list.prev,
1577 struct rule_head, list);
1581 iptcc_delete_rule(i);
1583 set_changed(*handle);
1594 /* Delete the rule in position `rulenum' in `chain'. */
1596 TC_DELETE_NUM_ENTRY(const IPT_CHAINLABEL chain,
1597 unsigned int rulenum,
1598 TC_HANDLE_T *handle)
1600 struct chain_head *c;
1601 struct rule_head *r;
1603 iptc_fn = TC_DELETE_NUM_ENTRY;
1605 if (!(c = iptcc_find_label(chain, *handle))) {
1610 if (rulenum >= c->num_rules) {
1615 /* Take advantage of the double linked list if possible. */
1616 if (rulenum + 1 <= c->num_rules/2) {
1617 r = iptcc_get_rule_num(c, rulenum + 1);
1619 r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
1622 /* If we are about to delete the rule that is the current
1623 * iterator, move rule iterator back. next pointer will then
1624 * point to real next node */
1625 if (r == (*handle)->rule_iterator_cur) {
1626 (*handle)->rule_iterator_cur =
1627 list_entry((*handle)->rule_iterator_cur->list.prev,
1628 struct rule_head, list);
1632 iptcc_delete_rule(r);
1634 set_changed(*handle);
1639 /* Check the packet `fw' on chain `chain'. Returns the verdict, or
1640 NULL and sets errno. */
1642 TC_CHECK_PACKET(const IPT_CHAINLABEL chain,
1643 STRUCT_ENTRY *entry,
1644 TC_HANDLE_T *handle)
1646 iptc_fn = TC_CHECK_PACKET;
1651 /* Flushes the entries in the given chain (ie. empties chain). */
1653 TC_FLUSH_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1655 struct chain_head *c;
1656 struct rule_head *r, *tmp;
1658 iptc_fn = TC_FLUSH_ENTRIES;
1659 if (!(c = iptcc_find_label(chain, *handle))) {
1664 list_for_each_entry_safe(r, tmp, &c->rules, list) {
1665 iptcc_delete_rule(r);
1670 set_changed(*handle);
1675 /* Zeroes the counters in a chain. */
1677 TC_ZERO_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1679 struct chain_head *c;
1680 struct rule_head *r;
1682 iptc_fn = TC_ZERO_ENTRIES;
1683 if (!(c = iptcc_find_label(chain, *handle))) {
1688 if (c->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
1689 c->counter_map.maptype = COUNTER_MAP_ZEROED;
1691 list_for_each_entry(r, &c->rules, list) {
1692 if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
1693 r->counter_map.maptype = COUNTER_MAP_ZEROED;
1696 set_changed(*handle);
1702 TC_READ_COUNTER(const IPT_CHAINLABEL chain,
1703 unsigned int rulenum,
1704 TC_HANDLE_T *handle)
1706 struct chain_head *c;
1707 struct rule_head *r;
1709 iptc_fn = TC_READ_COUNTER;
1712 if (!(c = iptcc_find_label(chain, *handle))) {
1717 if (!(r = iptcc_get_rule_num(c, rulenum))) {
1722 return &r->entry[0].counters;
1726 TC_ZERO_COUNTER(const IPT_CHAINLABEL chain,
1727 unsigned int rulenum,
1728 TC_HANDLE_T *handle)
1730 struct chain_head *c;
1731 struct rule_head *r;
1733 iptc_fn = TC_ZERO_COUNTER;
1736 if (!(c = iptcc_find_label(chain, *handle))) {
1741 if (!(r = iptcc_get_rule_num(c, rulenum))) {
1746 if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
1747 r->counter_map.maptype = COUNTER_MAP_ZEROED;
1749 set_changed(*handle);
1755 TC_SET_COUNTER(const IPT_CHAINLABEL chain,
1756 unsigned int rulenum,
1757 STRUCT_COUNTERS *counters,
1758 TC_HANDLE_T *handle)
1760 struct chain_head *c;
1761 struct rule_head *r;
1764 iptc_fn = TC_SET_COUNTER;
1767 if (!(c = iptcc_find_label(chain, *handle))) {
1772 if (!(r = iptcc_get_rule_num(c, rulenum))) {
1778 r->counter_map.maptype = COUNTER_MAP_SET;
1780 memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS));
1782 set_changed(*handle);
1787 /* Creates a new chain. */
1788 /* To create a chain, create two rules: error node and unconditional
1791 TC_CREATE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1793 static struct chain_head *c;
1795 iptc_fn = TC_CREATE_CHAIN;
1797 /* find_label doesn't cover built-in targets: DROP, ACCEPT,
1799 if (iptcc_find_label(chain, *handle)
1800 || strcmp(chain, LABEL_DROP) == 0
1801 || strcmp(chain, LABEL_ACCEPT) == 0
1802 || strcmp(chain, LABEL_QUEUE) == 0
1803 || strcmp(chain, LABEL_RETURN) == 0) {
1804 DEBUGP("Chain `%s' already exists\n", chain);
1809 if (strlen(chain)+1 > sizeof(IPT_CHAINLABEL)) {
1810 DEBUGP("Chain name `%s' too long\n", chain);
1815 c = iptcc_alloc_chain_head(chain, 0);
1817 DEBUGP("Cannot allocate memory for chain `%s'\n", chain);
1823 DEBUGP("Creating chain `%s'\n", chain);
1824 iptc_insert_chain(*handle, c); /* Insert sorted */
1826 set_changed(*handle);
1831 /* Get the number of references to this chain. */
1833 TC_GET_REFERENCES(unsigned int *ref, const IPT_CHAINLABEL chain,
1834 TC_HANDLE_T *handle)
1836 struct chain_head *c;
1838 iptc_fn = TC_GET_REFERENCES;
1839 if (!(c = iptcc_find_label(chain, *handle))) {
1844 *ref = c->references;
1849 /* Deletes a chain. */
1851 TC_DELETE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1853 unsigned int references;
1854 struct chain_head *c;
1856 iptc_fn = TC_DELETE_CHAIN;
1858 if (!(c = iptcc_find_label(chain, *handle))) {
1859 DEBUGP("cannot find chain `%s'\n", chain);
1864 if (TC_BUILTIN(chain, *handle)) {
1865 DEBUGP("cannot remove builtin chain `%s'\n", chain);
1870 if (!TC_GET_REFERENCES(&references, chain, handle)) {
1871 DEBUGP("cannot get references on chain `%s'\n", chain);
1875 if (references > 0) {
1876 DEBUGP("chain `%s' still has references\n", chain);
1882 DEBUGP("chain `%s' is not empty\n", chain);
1887 /* If we are about to delete the chain that is the current
1888 * iterator, move chain iterator firward. */
1889 if (c == (*handle)->chain_iterator_cur)
1890 iptcc_chain_iterator_advance(*handle);
1895 DEBUGP("chain `%s' deleted\n", chain);
1897 set_changed(*handle);
1902 /* Renames a chain. */
1903 int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
1904 const IPT_CHAINLABEL newname,
1905 TC_HANDLE_T *handle)
1907 struct chain_head *c;
1908 iptc_fn = TC_RENAME_CHAIN;
1910 /* find_label doesn't cover built-in targets: DROP, ACCEPT,
1912 if (iptcc_find_label(newname, *handle)
1913 || strcmp(newname, LABEL_DROP) == 0
1914 || strcmp(newname, LABEL_ACCEPT) == 0
1915 || strcmp(newname, LABEL_QUEUE) == 0
1916 || strcmp(newname, LABEL_RETURN) == 0) {
1921 if (!(c = iptcc_find_label(oldname, *handle))
1922 || TC_BUILTIN(oldname, *handle)) {
1927 if (strlen(newname)+1 > sizeof(IPT_CHAINLABEL)) {
1932 strncpy(c->name, newname, sizeof(IPT_CHAINLABEL));
1934 set_changed(*handle);
1939 /* Sets the policy on a built-in chain. */
1941 TC_SET_POLICY(const IPT_CHAINLABEL chain,
1942 const IPT_CHAINLABEL policy,
1943 STRUCT_COUNTERS *counters,
1944 TC_HANDLE_T *handle)
1946 struct chain_head *c;
1948 iptc_fn = TC_SET_POLICY;
1950 if (!(c = iptcc_find_label(chain, *handle))) {
1951 DEBUGP("cannot find chain `%s'\n", chain);
1956 if (!iptcc_is_builtin(c)) {
1957 DEBUGP("cannot set policy of userdefinedchain `%s'\n", chain);
1962 if (strcmp(policy, LABEL_ACCEPT) == 0)
1963 c->verdict = -NF_ACCEPT - 1;
1964 else if (strcmp(policy, LABEL_DROP) == 0)
1965 c->verdict = -NF_DROP - 1;
1972 /* set byte and packet counters */
1973 memcpy(&c->counters, counters, sizeof(STRUCT_COUNTERS));
1974 c->counter_map.maptype = COUNTER_MAP_SET;
1976 c->counter_map.maptype = COUNTER_MAP_NOMAP;
1979 set_changed(*handle);
1984 /* Without this, on gcc 2.7.2.3, we get:
1985 libiptc.c: In function `TC_COMMIT':
1986 libiptc.c:833: fixed or forbidden register was spilled.
1987 This may be due to a compiler bug or to impossible asm
1988 statements or clauses.
1991 subtract_counters(STRUCT_COUNTERS *answer,
1992 const STRUCT_COUNTERS *a,
1993 const STRUCT_COUNTERS *b)
1995 answer->pcnt = a->pcnt - b->pcnt;
1996 answer->bcnt = a->bcnt - b->bcnt;
2000 static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters,
2003 newcounters->counters[index] = ((STRUCT_COUNTERS) { 0, 0});
2004 DEBUGP_C("NOMAP => zero\n");
2007 static void counters_normal_map(STRUCT_COUNTERS_INFO *newcounters,
2008 STRUCT_REPLACE *repl,
2010 unsigned int mappos)
2012 /* Original read: X.
2013 * Atomic read on replacement: X + Y.
2014 * Currently in kernel: Z.
2015 * Want in kernel: X + Y + Z.
2017 * => Add in replacement read.
2019 newcounters->counters[index] = repl->counters[mappos];
2020 DEBUGP_C("NORMAL_MAP => mappos %u \n", mappos);
2023 static void counters_map_zeroed(STRUCT_COUNTERS_INFO *newcounters,
2024 STRUCT_REPLACE *repl,
2026 unsigned int mappos,
2027 STRUCT_COUNTERS *counters)
2029 /* Original read: X.
2030 * Atomic read on replacement: X + Y.
2031 * Currently in kernel: Z.
2032 * Want in kernel: Y + Z.
2034 * => Add in (replacement read - original read).
2036 subtract_counters(&newcounters->counters[index],
2037 &repl->counters[mappos],
2039 DEBUGP_C("ZEROED => mappos %u\n", mappos);
2042 static void counters_map_set(STRUCT_COUNTERS_INFO *newcounters,
2044 STRUCT_COUNTERS *counters)
2046 /* Want to set counter (iptables-restore) */
2048 memcpy(&newcounters->counters[index], counters,
2049 sizeof(STRUCT_COUNTERS));
2056 TC_COMMIT(TC_HANDLE_T *handle)
2058 /* Replace, then map back the counters. */
2059 STRUCT_REPLACE *repl;
2060 STRUCT_COUNTERS_INFO *newcounters;
2061 struct chain_head *c;
2065 unsigned int new_size;
2067 iptc_fn = TC_COMMIT;
2070 /* Don't commit if nothing changed. */
2071 if (!(*handle)->changed)
2074 new_number = iptcc_compile_table_prep(*handle, &new_size);
2075 if (new_number < 0) {
2080 repl = malloc(sizeof(*repl) + new_size);
2085 memset(repl, 0, sizeof(*repl) + new_size);
2088 TC_DUMP_ENTRIES(*handle);
2091 counterlen = sizeof(STRUCT_COUNTERS_INFO)
2092 + sizeof(STRUCT_COUNTERS) * new_number;
2094 /* These are the old counters we will get from kernel */
2095 repl->counters = malloc(sizeof(STRUCT_COUNTERS)
2096 * (*handle)->info.num_entries);
2097 if (!repl->counters) {
2101 /* These are the counters we're going to put back, later. */
2102 newcounters = malloc(counterlen);
2105 goto out_free_repl_counters;
2107 memset(newcounters, 0, counterlen);
2109 strcpy(repl->name, (*handle)->info.name);
2110 repl->num_entries = new_number;
2111 repl->size = new_size;
2113 repl->num_counters = (*handle)->info.num_entries;
2114 repl->valid_hooks = (*handle)->info.valid_hooks;
2116 DEBUGP("num_entries=%u, size=%u, num_counters=%u\n",
2117 repl->num_entries, repl->size, repl->num_counters);
2119 ret = iptcc_compile_table(*handle, repl);
2122 goto out_free_newcounters;
2128 int fd = open("/tmp/libiptc-so_set_replace.blob",
2131 write(fd, repl, sizeof(*repl) + repl->size);
2137 ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
2138 sizeof(*repl) + repl->size);
2140 goto out_free_newcounters;
2142 /* Put counters back. */
2143 strcpy(newcounters->name, (*handle)->info.name);
2144 newcounters->num_counters = new_number;
2146 list_for_each_entry(c, &(*handle)->chains, list) {
2147 struct rule_head *r;
2149 /* Builtin chains have their own counters */
2150 if (iptcc_is_builtin(c)) {
2151 DEBUGP("counter for chain-index %u: ", c->foot_index);
2152 switch(c->counter_map.maptype) {
2153 case COUNTER_MAP_NOMAP:
2154 counters_nomap(newcounters, c->foot_index);
2156 case COUNTER_MAP_NORMAL_MAP:
2157 counters_normal_map(newcounters, repl,
2159 c->counter_map.mappos);
2161 case COUNTER_MAP_ZEROED:
2162 counters_map_zeroed(newcounters, repl,
2164 c->counter_map.mappos,
2167 case COUNTER_MAP_SET:
2168 counters_map_set(newcounters, c->foot_index,
2174 list_for_each_entry(r, &c->rules, list) {
2175 DEBUGP("counter for index %u: ", r->index);
2176 switch (r->counter_map.maptype) {
2177 case COUNTER_MAP_NOMAP:
2178 counters_nomap(newcounters, r->index);
2181 case COUNTER_MAP_NORMAL_MAP:
2182 counters_normal_map(newcounters, repl,
2184 r->counter_map.mappos);
2187 case COUNTER_MAP_ZEROED:
2188 counters_map_zeroed(newcounters, repl,
2190 r->counter_map.mappos,
2191 &r->entry->counters);
2194 case COUNTER_MAP_SET:
2195 counters_map_set(newcounters, r->index,
2196 &r->entry->counters);
2204 int fd = open("/tmp/libiptc-so_set_add_counters.blob",
2207 write(fd, newcounters, counterlen);
2213 ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
2214 newcounters, counterlen);
2216 goto out_free_newcounters;
2218 free(repl->counters);
2226 out_free_newcounters:
2228 out_free_repl_counters:
2229 free(repl->counters);
2236 /* Get raw socket. */
2238 TC_GET_RAW_SOCKET(void)
2243 /* Translates errno numbers into more human-readable form than strerror. */
2245 TC_STRERROR(int err)
2248 struct table_struct {
2251 const char *message;
2253 { { TC_INIT, EPERM, "Permission denied (you must be root)" },
2254 { TC_INIT, EINVAL, "Module is wrong version" },
2256 "Table does not exist (do you need to insmod?)" },
2257 { TC_DELETE_CHAIN, ENOTEMPTY, "Chain is not empty" },
2258 { TC_DELETE_CHAIN, EINVAL, "Can't delete built-in chain" },
2259 { TC_DELETE_CHAIN, EMLINK,
2260 "Can't delete chain with references left" },
2261 { TC_CREATE_CHAIN, EEXIST, "Chain already exists" },
2262 { TC_INSERT_ENTRY, E2BIG, "Index of insertion too big" },
2263 { TC_REPLACE_ENTRY, E2BIG, "Index of replacement too big" },
2264 { TC_DELETE_NUM_ENTRY, E2BIG, "Index of deletion too big" },
2265 { TC_READ_COUNTER, E2BIG, "Index of counter too big" },
2266 { TC_ZERO_COUNTER, E2BIG, "Index of counter too big" },
2267 { TC_INSERT_ENTRY, ELOOP, "Loop found in table" },
2268 { TC_INSERT_ENTRY, EINVAL, "Target problem" },
2269 /* EINVAL for CHECK probably means bad interface. */
2270 { TC_CHECK_PACKET, EINVAL,
2271 "Bad arguments (does that interface exist?)" },
2272 { TC_CHECK_PACKET, ENOSYS,
2273 "Checking will most likely never get implemented" },
2274 /* ENOENT for DELETE probably means no matching rule */
2275 { TC_DELETE_ENTRY, ENOENT,
2276 "Bad rule (does a matching rule exist in that chain?)" },
2277 { TC_SET_POLICY, ENOENT,
2278 "Bad built-in chain name" },
2279 { TC_SET_POLICY, EINVAL,
2280 "Bad policy name" },
2282 { NULL, 0, "Incompatible with this kernel" },
2283 { NULL, ENOPROTOOPT, "iptables who? (do you need to insmod?)" },
2284 { NULL, ENOSYS, "Will be implemented real soon. I promise ;)" },
2285 { NULL, ENOMEM, "Memory allocation problem" },
2286 { NULL, ENOENT, "No chain/target/match by that name" },
2289 for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
2290 if ((!table[i].fn || table[i].fn == iptc_fn)
2291 && table[i].err == err)
2292 return table[i].message;
2295 return strerror(err);
projects / collectd.git / blob