authorlaforge <laforge>2002-02-13 23:13:23 +0000
committerlaforge <laforge>2002-02-13 23:13:23 +0000
commit2789115599b8ba35f013da02899af24b1c3a930c (patch)
tree6414e1fefd7ef5197e951c224edffa32727c7bf9 /libiptc
parent11392ade5977289f1ff3386fffb79861d051e741 (diff)
explicitly check for two possible sets of hooks in case of nat and mangle
Diffstat (limited to 'libiptc')
-rw-r--r--libiptc/libip4tc.c40
-rw-r--r--libiptc/libip6tc.c40
2 files changed, 56 insertions, 24 deletions
diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
index 1dc414d..d221e74 100644
--- a/libiptc/libip4tc.c
+++ b/libiptc/libip4tc.c
@@ -365,32 +365,48 @@ do_check(TC_HANDLE_T h, unsigned int line)
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
} else if (strcmp(h->info.name, "nat") == 0) {
- assert(h->info.valid_hooks
- == (1 << NF_IP_PRE_ROUTING
- | 1 << NF_IP_POST_ROUTING
- | 1 << NF_IP_LOCAL_OUT));
+ assert((h->info.valid_hooks
+ == (1 << NF_IP_PRE_ROUTING
+ | 1 << NF_IP_POST_ROUTING
+ | 1 << NF_IP_LOCAL_OUT)) ||
+ (h->info.valid_hooks
+ == (1 << NF_IP_PRE_ROUTING
+ | 1 << NF_IP_LOCAL_IN
+ | 1 << NF_IP_POST_ROUTING
+ | 1 << NF_IP_LOCAL_OUT)));
assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
n = get_chain_end(h, 0);
+
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
-
n = get_chain_end(h, n);
+
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
-
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
+
+ if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) {
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
+ user_offset = h->info.hook_entry[NF_IP_LOCAL_IN];
+ }
+
} else if (strcmp(h->info.name, "mangle") == 0) {
/* This code is getting ugly because linux < 2.4.18-pre6 had
* two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
* */
- assert((h->info.valid_hooks &
- ~(1 << NF_IP_LOCAL_IN
- | 1 << NF_IP_FORWARD
- | 1 << NF_IP_POST_ROUTING))
- == (1 << NF_IP_PRE_ROUTING
- | 1 << NF_IP_LOCAL_OUT));
+ assert((h->info.valid_hooks
+ == (1 << NF_IP_PRE_ROUTING
+ | 1 << NF_IP_LOCAL_OUT)) ||
+ (h->info.valid_hooks
+ == (1 << NF_IP_PRE_ROUTING
+ | 1 << NF_IP_LOCAL_IN
+ | 1 << NF_IP_FORWARD
+ | 1 << NF_IP_LOCAL_OUT
+ | 1 << NF_IP_POST_ROUTING)));
/* Hooks should be first five */
assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
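Review bot: The new `if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN))` block in the nat branch continues the walk from the end of the LOCAL_OUT chain, so it only passes when the LOCAL_IN chain is laid out last in the table, and nothing in the hunk records which kernel exposes that four-hook layout. The mangle branch has a comment naming the kernel versions behind its two hook sets; the nat branch should get the same, for example `/* nat has three hooks, or four when LOCAL_IN is also valid; the LOCAL_IN chain is expected after LOCAL_OUT */`. Every check here is an assert(), so a build with NDEBUG would presumably still run the `n += get_entry(h, n)->next_offset` steps with none of the consistency checks, which deserves a mention in that comment. The same block is added in the libip6tc.c hunk, and do_check starts and ends outside both hunks.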
diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
index 6f6fa6c..7a88efd 100644
--- a/libiptc/libip6tc.c
+++ b/libiptc/libip6tc.c
@@ -311,32 +311,48 @@ do_check(TC_HANDLE_T h, unsigned int line)
user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
} else if (strcmp(h->info.name, "nat") == 0) {
- assert(h->info.valid_hooks
- == (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_POST_ROUTING
- | 1 << NF_IP6_LOCAL_OUT));
+ assert((h->info.valid_hooks
+ == (1 << NF_IP6_PRE_ROUTING
+ | 1 << NF_IP6_LOCAL_OUT
+ | 1 << NF_IP6_POST_ROUTING)) ||
+ (h->info.valid_hooks
+ == (1 << NF_IP6_PRE_ROUTING
+ | 1 << NF_IP6_LOCAL_IN
+ | 1 << NF_IP6_LOCAL_OUT
+ | 1 << NF_IP6_POST_ROUTING)));
assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
n = get_chain_end(h, 0);
+
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
-
n = get_chain_end(h, n);
+
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
-
user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
+
+ if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) {
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
+ user_offset = h->info.hook_entry[NF_IP6_LOCAL_IN];
+ }
+
} else if (strcmp(h->info.name, "mangle") == 0) {
/* This code is getting ugly because linux < 2.4.18-pre6 had
* two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
* */
- assert((h->info.valid_hooks &
- ~(1 << NF_IP6_LOCAL_IN
- | 1 << NF_IP6_FORWARD
- | 1 << NF_IP6_POST_ROUTING))
- == (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_LOCAL_OUT));
+ assert((h->info.valid_hooks
+ == (1 << NF_IP6_PRE_ROUTING
+ | 1 << NF_IP6_LOCAL_OUT)) ||
+ (h->info.valid_hooks
+ == (1 << NF_IP6_PRE_ROUTING
+ | 1 << NF_IP6_LOCAL_IN
+ | 1 << NF_IP6_FORWARD
+ | 1 << NF_IP6_LOCAL_OUT
+ | 1 << NF_IP6_POST_ROUTING)));
/* Hooks should be first five */
assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
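Review bot: The nat masks in this hunk list their bits in hook-number order (`NF_IP6_PRE_ROUTING | NF_IP6_LOCAL_OUT | NF_IP6_POST_ROUTING`), while the matching assert in libip4tc.c lists them in chain order (PRE_ROUTING, POST_ROUTING, LOCAL_OUT). The values are equal, but the two files appear to mirror each other and the differing order makes a side-by-side comparison harder than it needs to be. Each accepted hook set is also written out inline inside the assert, for both nat and mangle and in both files. Defining each set once under a name (for instance a macro for the three-hook and the four-hook nat set) would let the assert read as `valid_hooks == A || valid_hooks == B` and keep the IPv4 and IPv6 copies in step.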