-rw-r--r--Makefile12
-rw-r--r--extensions/libipt_REDIRECT.c2
-rw-r--r--extensions/libipt_limit.c2
-rw-r--r--include/libiptc/libiptc.h23
-rw-r--r--libiptc/libiptc.c69
5 files changed, 27 insertions, 81 deletions
diff --git a/Makefile b/Makefile
index 4b709b3..615fb59 100644
--- a/Makefile
+++ b/Makefile
@@ -4,15 +4,15 @@ TOPLEVEL_INCLUDED=YES
ifndef KERNEL_DIR
KERNEL_DIR=/usr/src/linux
endif
-NETFILTER_VERSION:=1.0.0
-OLD_NETFILTER_VERSION:=1.0.0beta
+NETFILTER_VERSION:=1.0.1
+OLD_NETFILTER_VERSION:=1.0.0
LIBDIR:=/usr/local/lib
BINDIR:=/usr/local/bin
MANDIR:=/usr/local/man
-COPT_FLAGS:=-O2
-CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -Iinclude/ -I$(KERNEL_DIR)/include -DNETFILTER_VERSION=\"$(NETFILTER_VERSION)\" #-g -pg
+COPT_FLAGS:=-O #-O2
+CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -Iinclude/ -I$(KERNEL_DIR)/include -DNETFILTER_VERSION=\"$(NETFILTER_VERSION)\" -g #-pg # -DNDEBUG
DEPFILES := $(SHARED_LIBS:%.so=%.d)
SH_CFLAGS:=$(CFLAGS) -fPIC
@@ -68,8 +68,10 @@ distrib: check nowhitespace distclean delrelease /home/public/netfilter/iptables
# Makefile must not define:
# -g -pg
+# And must define -NDEBUG
check:
- @if echo $(CFLAGS) | egrep 'DEBUG|-g|-pg' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
+ @if echo $(CFLAGS) | egrep -e '-g|-pg' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
+ @if echo $(CFLAGS) | egrep -e NDEBUG >/dev/null; then exit 0; else echo Define -DNDEBUG; exit 1; fi
nowhitespace:
@if grep -n ' $$' `find . -name 'Makefile' -o -name '*.[ch]'`; then exit 1; else exit 0; fi
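Review bot: The NDEBUG gate on the new second `check` line matches the bare string anywhere in `$(CFLAGS)`, so `-UNDEBUG` or an unrelated `-DNDEBUG_FOO` would also satisfy it; anchoring it on the flag the comment above asks for, `egrep -e '-DNDEBUG'`, checks the actual requirement. Dropping `DEBUG` from the first pattern is what makes `-DNDEBUG` and "no debugging flags" coexist, so the two-line split is the right shape; since each recipe line runs in its own shell, the `exit 0` of the first line does not short-circuit the second, which this two-stage check relies on.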
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 32b8c6f..dd70243 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -121,8 +121,8 @@ print(const struct ipt_ip *ip,
= (struct ip_nat_multi_range *)target->data;
struct ip_nat_range *r = &mr->range[0];
- printf("REDIRECT ");
if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ printf("redir ports ");
printf("%hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
diff --git a/extensions/libipt_limit.c b/extensions/libipt_limit.c
index 24875ef..e7dda7b 100644
--- a/extensions/libipt_limit.c
+++ b/extensions/libipt_limit.c
@@ -8,7 +8,7 @@
#include <stdlib.h>
#include <getopt.h>
#include <iptables.h>
-#include <linux/stddef.h>
+#include <stddef.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_limit.h>
diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h
index 0a49107..9058cff 100644
--- a/include/libiptc/libiptc.h
+++ b/include/libiptc/libiptc.h
@@ -26,21 +26,20 @@ int iptc_is_chain(const char *chain, const iptc_handle_t handle);
/* Take a snapshot of the rules. Returns NULL on error. */
iptc_handle_t iptc_init(const char *tablename);
-/* Iterator functions to run through the chains; prev = NULL means
- first chain. Returns NULL at end. */
-const char *iptc_next_chain(const char *prev, iptc_handle_t *handle);
+/* Iterator functions to run through the chains. Returns NULL at end. */
+const char *iptc_first_chain(iptc_handle_t *handle);
+const char *iptc_next_chain(iptc_handle_t *handle);
-/* How many rules in this chain? */
-unsigned int iptc_num_rules(const char *chain, iptc_handle_t *handle);
+/* Get first rule in the given chain: NULL for empty chain. */
+const struct ipt_entry *iptc_first_rule(const char *chain,
+ iptc_handle_t *handle);
-/* Get n'th rule in this chain. */
-const struct ipt_entry *iptc_get_rule(const char *chain,
- unsigned int n,
- iptc_handle_t *handle);
+/* Returns NULL when rules run out. */
+const struct ipt_entry *iptc_next_rule(const struct ipt_entry *prev,
+ iptc_handle_t *handle);
-/* Returns a pointer to the target name of this position. */
-const char *iptc_get_target(const char *chain,
- unsigned int n,
+/* Returns a pointer to the target name of this entry. */
+const char *iptc_get_target(const struct ipt_entry *e,
iptc_handle_t *handle);
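Review bot: The new iterator contract is under-documented: `iptc_next_chain()` takes no `prev` argument, so the position must live in the handle, and nothing says whether `iptc_first_chain()` resets that cursor or whether a modifying call (insert, delete, flush, create or delete chain) invalidates it and the `struct ipt_entry *` returned by `iptc_first_rule`/`iptc_next_rule`. Suggest expanding the header comment to state that iptc_first_chain() resets the handle's cursor and iptc_next_chain() advances it, and that rule pointers index into the handle's snapshot and must not be used after a modifying iptc_* call; the invalidation clause is inferred from the snapshot wording on iptc_init and should be confirmed against libiptc.c before it is written down. Removing `iptc_num_rules` and `iptc_get_rule` is a source-incompatible change for any other consumer of this header, which the bump to 1.0.1 in the Makefile does not by itself convey.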
/* Is this a built-in chain? */
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 6c7f563..fee3a04 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -119,7 +119,7 @@ set_changed(iptc_handle_t h)
#ifndef NDEBUG
static void do_check(iptc_handle_t h, unsigned int line);
-#define CHECK(h) do_check((h), __LINE__)
+#define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
#else
#define CHECK(h)
#endif
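Review bot: The new `IPTC_NO_CHECK` environment switch is undocumented at its only definition site; add a comment above the macro such as `/* Debug builds run do_check() at every CHECK(); setting IPTC_NO_CHECK in the environment skips it, since the check walks the whole table and dominates on large rulesets. */`. The macro now calls getenv() on every expansion and requires `<stdlib.h>` before this point — this file already calls qsort() and free(), so that is presumably already satisfied. The remaining hunks of this file (iptc_first_chain through iptc_set_policy) delete every visible `CHECK(*handle)` call, so unless callers survive outside these hunks the gate has nothing left to gate; if the consistency check is meant to stay reachable in debug builds, keeping the post-mutation CHECK before `return ret;` in iptc_insert_entry, iptc_replace_entry, iptc_append_entry, iptc_delete_entry and iptc_delete_chain, and relying on IPTC_NO_CHECK to silence it, would preserve that coverage.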
@@ -459,14 +459,12 @@ add_chain(struct ipt_entry *e, iptc_handle_t h, struct ipt_entry **prev)
return 0;
}
-
static int alphasort(const void *a, const void *b)
{
return strcmp(((struct chain_cache *)a)->name,
((struct chain_cache *)b)->name);
}
-
static int populate_cache(iptc_handle_t h)
{
unsigned int i;
@@ -493,7 +491,6 @@ static int populate_cache(iptc_handle_t h)
IPT_ENTRY_ITERATE(h->entries.entries, h->entries.size,
add_chain, h, &prev);
- /* Sort users by alphabetical: */
qsort(h->cache_chain_heads + h->cache_num_builtins,
h->cache_num_chains - h->cache_num_builtins,
sizeof(struct chain_cache), alphasort);
@@ -505,48 +502,24 @@ static int populate_cache(iptc_handle_t h)
static struct chain_cache *
find_label(const char *name, iptc_handle_t handle)
{
- unsigned int start, end;
+ unsigned int i;
if (handle->cache_chain_heads == NULL
&& !populate_cache(handle))
return NULL;
- /* Linear search through builtins, then binary */
- for (start = 0; start < handle->cache_num_builtins; start++) {
- if (strcmp(handle->cache_chain_heads[start].name, name) == 0)
- return &handle->cache_chain_heads[start];
+ /* FIXME: Linear search through builtins, then binary --RR */
+ for (i = 0; i < handle->cache_num_chains; i++) {
+ if (strcmp(handle->cache_chain_heads[i].name, name) == 0)
+ return &handle->cache_chain_heads[i];
}
- /* Binary search. */
- end = handle->cache_num_chains - 1;
- while (start < end) {
- struct chain_cache *mid;
- int res;
-
- mid = &handle->cache_chain_heads[(start + end) / 2];
-
- res = strcmp(name, mid->name);
- if (res == 0) {
- return mid;
- } else if (res > 0)
- start = (start + end + 1) / 2;
- else
- end = (start + end) / 2;
- }
- if (strcmp(name, handle->cache_chain_heads[start].name) == 0)
- return &handle->cache_chain_heads[start];
- else
- return NULL;
+ return NULL;
}
/* Does this chain exist? */
int iptc_is_chain(const char *chain, const iptc_handle_t handle)
{
- /* avoid infinite recursion */
-#if 0
- CHECK(handle);
-#endif
-
return find_label(chain, handle) != NULL;
}
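Review bot: With find_label now scanning all `cache_num_chains` entries linearly, the qsort() of the user chains in populate_cache (retained in the previous hunk) is no longer needed for correctness, and the FIXME does not say that the sorted layout is being kept for a future binary search; suggest `/* FIXME: entries after cache_num_builtins are kept sorted by populate_cache(), so a binary search over the user chains could replace this linear scan --RR */`. The loop itself is sound: `i` is unsigned like `cache_num_chains`, and the early `return NULL` on a failed populate_cache still precedes any dereference of `cache_chain_heads`. Every iptc_* entry point in this file goes through find_label, so lookups are now O(chains) per call, which only matters for very large rulesets.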
@@ -591,8 +564,6 @@ get_chain_end(const iptc_handle_t handle, unsigned int start)
const char *
iptc_first_chain(iptc_handle_t *handle)
{
- CHECK(*handle);
-
if ((*handle)->cache_chain_heads == NULL
&& !populate_cache(*handle))
return NULL;
@@ -732,7 +703,6 @@ target_name(iptc_handle_t handle, const struct ipt_entry *ce)
const char *iptc_get_target(const struct ipt_entry *e,
iptc_handle_t *handle)
{
- CHECK(*handle);
return target_name(*handle, e);
}
@@ -761,7 +731,6 @@ iptc_get_policy(const char *chain,
struct ipt_entry *e;
int hook;
- CHECK(*handle);
hook = iptc_builtin(chain, *handle);
if (hook != 0)
start = (*handle)->info.hook_entry[hook-1];
@@ -1024,7 +993,6 @@ iptc_insert_entry(const ipt_chainlabel chain,
struct chain_cache *c;
int ret;
- CHECK(*handle);
iptc_fn = iptc_insert_entry;
if (!(c = find_label(chain, *handle))) {
errno = ENOENT;
@@ -1047,7 +1015,6 @@ iptc_insert_entry(const ipt_chainlabel chain,
ret = insert_rules(1, e->next_offset, e, offset,
chainindex + rulenum, rulenum == 0, handle);
unmap_target((struct ipt_entry *)e, &old);
- CHECK(*handle);
return ret;
}
@@ -1063,7 +1030,6 @@ iptc_replace_entry(const ipt_chainlabel chain,
struct chain_cache *c;
int ret;
- CHECK(*handle);
iptc_fn = iptc_replace_entry;
if (!(c = find_label(chain, *handle))) {
@@ -1086,12 +1052,10 @@ iptc_replace_entry(const ipt_chainlabel chain,
if (!map_target(*handle, (struct ipt_entry *)e, offset, &old))
return 0;
- CHECK(*handle);
ret = insert_rules(1, e->next_offset, e, offset,
chainindex + rulenum, 1, handle);
unmap_target((struct ipt_entry *)e, &old);
- CHECK(*handle);
return ret;
}
@@ -1106,7 +1070,6 @@ iptc_append_entry(const ipt_chainlabel chain,
struct ipt_entry_target old;
int ret;
- CHECK(*handle);
iptc_fn = iptc_append_entry;
if (!(c = find_label(chain, *handle))) {
errno = ENOENT;
@@ -1122,7 +1085,6 @@ iptc_append_entry(const ipt_chainlabel chain,
entry2index(*handle, c->end),
0, handle);
unmap_target((struct ipt_entry *)e, &old);
- CHECK(*handle);
return ret;
}
@@ -1233,7 +1195,6 @@ iptc_delete_entry(const ipt_chainlabel chain,
struct chain_cache *c;
struct ipt_entry *e, *fw;
- CHECK(*handle);
iptc_fn = iptc_delete_entry;
if (!(c = find_label(chain, *handle))) {
errno = ENOENT;
@@ -1270,7 +1231,6 @@ iptc_delete_entry(const ipt_chainlabel chain,
offset, entry2index(*handle, e),
handle);
free(fw);
- CHECK(*handle);
return ret;
}
}
@@ -1291,7 +1251,6 @@ iptc_delete_num_entry(const ipt_chainlabel chain,
struct ipt_entry *e;
struct chain_cache *c;
- CHECK(*handle);
iptc_fn = iptc_delete_num_entry;
if (!(c = find_label(chain, *handle))) {
errno = ENOENT;
@@ -1313,7 +1272,6 @@ iptc_delete_num_entry(const ipt_chainlabel chain,
ret = delete_rules(1, e->next_offset, entry2offset(*handle, e),
index, handle);
- CHECK(*handle);
return ret;
}
@@ -1336,7 +1294,6 @@ iptc_flush_entries(const ipt_chainlabel chain, iptc_handle_t *handle)
struct chain_cache *c;
int ret;
- CHECK(*handle);
iptc_fn = iptc_flush_entries;
if (!(c = find_label(chain, *handle))) {
errno = ENOENT;
@@ -1349,7 +1306,6 @@ iptc_flush_entries(const ipt_chainlabel chain, iptc_handle_t *handle)
(char *)c->end - (char *)c->start,
entry2offset(*handle, c->start), startindex,
handle);
- CHECK(*handle);
return ret;
}
@@ -1360,7 +1316,6 @@ iptc_zero_entries(const ipt_chainlabel chain, iptc_handle_t *handle)
unsigned int i, end;
struct chain_cache *c;
- CHECK(*handle);
if (!(c = find_label(chain, *handle))) {
errno = ENOENT;
return 0;
@@ -1375,7 +1330,6 @@ iptc_zero_entries(const ipt_chainlabel chain, iptc_handle_t *handle)
}
set_changed(*handle);
- CHECK(*handle);
return 1;
}
@@ -1393,7 +1347,6 @@ iptc_create_chain(const ipt_chainlabel chain, iptc_handle_t *handle)
struct ipt_standard_target target;
} newc;
- CHECK(*handle);
iptc_fn = iptc_create_chain;
/* find_label doesn't cover built-in targets: DROP, ACCEPT,
@@ -1432,7 +1385,6 @@ iptc_create_chain(const ipt_chainlabel chain, iptc_handle_t *handle)
index2offset(*handle, (*handle)->new_number - 1),
(*handle)->new_number - 1,
0, handle);
- CHECK(*handle);
return ret;
}
@@ -1458,7 +1410,6 @@ iptc_get_references(unsigned int *ref, const ipt_chainlabel chain,
{
struct chain_cache *c;
- CHECK(*handle);
if (!(c = find_label(chain, *handle))) {
errno = ENOENT;
return 0;
@@ -1480,7 +1431,6 @@ iptc_delete_chain(const ipt_chainlabel chain, iptc_handle_t *handle)
struct chain_cache *c;
int ret;
- CHECK(*handle);
if (!iptc_get_references(&references, chain, handle))
return 0;
@@ -1514,7 +1464,6 @@ iptc_delete_chain(const ipt_chainlabel chain, iptc_handle_t *handle)
get_entry(*handle, labeloff)->next_offset
+ c->start->next_offset,
labeloff, labelidx, handle);
- CHECK(*handle);
return ret;
}
@@ -1527,7 +1476,6 @@ int iptc_rename_chain(const ipt_chainlabel oldname,
struct chain_cache *c;
struct ipt_error_target *t;
- CHECK(*handle);
iptc_fn = iptc_rename_chain;
/* find_label doesn't cover built-in targets: DROP, ACCEPT
@@ -1562,7 +1510,6 @@ int iptc_rename_chain(const ipt_chainlabel oldname,
strcpy(t->error, newname);
set_changed(*handle);
- CHECK(*handle);
return 1;
}
@@ -1577,7 +1524,6 @@ iptc_set_policy(const ipt_chainlabel chain,
struct ipt_entry *e;
struct ipt_standard_target *t;
- CHECK(*handle);
iptc_fn = iptc_set_policy;
/* Figure out which chain. */
hook = iptc_builtin(chain, *handle);
@@ -1609,7 +1555,6 @@ iptc_set_policy(const ipt_chainlabel chain,
= ((struct counter_map){ COUNTER_MAP_NOMAP, 0 });
set_changed(*handle);
- CHECK(*handle);
return 1;
}