author | laforge <laforge> | 2002-02-13 23:13:23 +0000 |
---|---|---|
committer | laforge <laforge> | 2002-02-13 23:13:23 +0000 |
commit | 2789115599b8ba35f013da02899af24b1c3a930c (patch) | |
tree | 6414e1fefd7ef5197e951c224edffa32727c7bf9 /libiptc | |
parent | 11392ade5977289f1ff3386fffb79861d051e741 (diff) |
explicitly check for two possible sets of hooks in case of nat and mangle
Diffstat (limited to 'libiptc')
-rw-r--r-- | libiptc/libip4tc.c | 40 | ||||
-rw-r--r-- | libiptc/libip6tc.c | 40 |
2 files changed, 56 insertions, 24 deletions
diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c index 1dc414d..d221e74 100644 --- a/libiptc/libip4tc.c +++ b/libiptc/libip4tc.c @@ -365,32 +365,48 @@ do_check(TC_HANDLE_T h, unsigned int line) user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT]; } else if (strcmp(h->info.name, "nat") == 0) { - assert(h->info.valid_hooks - == (1 << NF_IP_PRE_ROUTING - | 1 << NF_IP_POST_ROUTING - | 1 << NF_IP_LOCAL_OUT)); + assert((h->info.valid_hooks + == (1 << NF_IP_PRE_ROUTING + | 1 << NF_IP_POST_ROUTING + | 1 << NF_IP_LOCAL_OUT)) || + (h->info.valid_hooks + == (1 << NF_IP_PRE_ROUTING + | 1 << NF_IP_LOCAL_IN + | 1 << NF_IP_POST_ROUTING + | 1 << NF_IP_LOCAL_OUT))); assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0); n = get_chain_end(h, 0); + n += get_entry(h, n)->next_offset; assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n); - n = get_chain_end(h, n); + n += get_entry(h, n)->next_offset; assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n); - user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT]; + + if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) { + n = get_chain_end(h, n); + n += get_entry(h, n)->next_offset; + assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n); + user_offset = h->info.hook_entry[NF_IP_LOCAL_IN]; + } + } else if (strcmp(h->info.name, "mangle") == 0) { /* This code is getting ugly because linux < 2.4.18-pre6 had * two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks * */ - assert((h->info.valid_hooks & - ~(1 << NF_IP_LOCAL_IN - | 1 << NF_IP_FORWARD - | 1 << NF_IP_POST_ROUTING)) - == (1 << NF_IP_PRE_ROUTING - | 1 << NF_IP_LOCAL_OUT)); + assert((h->info.valid_hooks + == (1 << NF_IP_PRE_ROUTING + | 1 << NF_IP_LOCAL_OUT)) || + (h->info.valid_hooks + == (1 << NF_IP_PRE_ROUTING + | 1 << NF_IP_LOCAL_IN + | 1 << NF_IP_FORWARD + | 1 << NF_IP_LOCAL_OUT + | 1 << NF_IP_POST_ROUTING))); /* Hooks should be first five */ assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0); diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c index 6f6fa6c..7a88efd 100644 
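Review bot: The new four-hook alternative in the nat assert has no comment saying when a nat table exposes NF_IP_LOCAL_IN, or why the added `if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN))` block expects that chain to start after the LOCAL_OUT chain and moves `user_offset` to it. The mangle branch directly below carries this kind of note (`linux < 2.4.18-pre6 had two mangle hooks ...`). A matching one above the nat assert would let a reader verify the layout assumption, e.g. `/* nat has three hooks, or four with LOCAL_IN (<kernel version/patch>); the LOCAL_IN chain is laid out last, after LOCAL_OUT */`. The same applies to the nat branch in the libip6tc.c hunk. do_check's body starts and ends outside the hunk.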
--- a/libiptc/libip6tc.c +++ b/libiptc/libip6tc.c @@ -311,32 +311,48 @@ do_check(TC_HANDLE_T h, unsigned int line) user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT]; } else if (strcmp(h->info.name, "nat") == 0) { - assert(h->info.valid_hooks - == (1 << NF_IP6_PRE_ROUTING - | 1 << NF_IP6_POST_ROUTING - | 1 << NF_IP6_LOCAL_OUT)); + assert((h->info.valid_hooks + == (1 << NF_IP6_PRE_ROUTING + | 1 << NF_IP6_LOCAL_OUT + | 1 << NF_IP6_POST_ROUTING)) || + (h->info.valid_hooks + == (1 << NF_IP6_PRE_ROUTING + | 1 << NF_IP6_LOCAL_IN + | 1 << NF_IP6_LOCAL_OUT + | 1 << NF_IP6_POST_ROUTING))); assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0); n = get_chain_end(h, 0); + n += get_entry(h, n)->next_offset; assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n); - n = get_chain_end(h, n); + n += get_entry(h, n)->next_offset; assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n); - user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT]; + + if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) { + n = get_chain_end(h, n); + n += get_entry(h, n)->next_offset; + assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n); + user_offset = h->info.hook_entry[NF_IP6_LOCAL_IN]; + } + } else if (strcmp(h->info.name, "mangle") == 0) { /* This code is getting ugly because linux < 2.4.18-pre6 had * two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks * */ - assert((h->info.valid_hooks & - ~(1 << NF_IP6_LOCAL_IN - | 1 << NF_IP6_FORWARD - | 1 << NF_IP6_POST_ROUTING)) - == (1 << NF_IP6_PRE_ROUTING - | 1 << NF_IP6_LOCAL_OUT)); + assert((h->info.valid_hooks + == (1 << NF_IP6_PRE_ROUTING + | 1 << NF_IP6_LOCAL_OUT)) || + (h->info.valid_hooks + == (1 << NF_IP6_PRE_ROUTING + | 1 << NF_IP6_LOCAL_IN + | 1 << NF_IP6_FORWARD + | 1 << NF_IP6_LOCAL_OUT + | 1 << NF_IP6_POST_ROUTING))); /* Hooks should be first five */ assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0); |
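Review bot: Both nat alternatives in this libip6tc.c assert list `NF_IP6_LOCAL_OUT` before `NF_IP6_POST_ROUTING`, whereas the libip4tc.c hunk and the layout assertions that follow put POST_ROUTING first. The mask value is identical either way. The two files are otherwise line-for-line copies that have to be kept in sync by hand, so writing the bits in the same order (`| 1 << NF_IP6_POST_ROUTING` and then `| 1 << NF_IP6_LOCAL_OUT`) would make it easier to spot a real divergence between the IPv4 and IPv6 checks. do_check continues outside the hunk.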