Diffstat (limited to 'libiptc')
-rw-r--r--libiptc/Makefile.am4
-rw-r--r--libiptc/libip4tc.c56
-rw-r--r--libiptc/libip6tc.c38
-rw-r--r--libiptc/libiptc.c54
4 files changed, 69 insertions, 83 deletions
diff --git a/libiptc/Makefile.am b/libiptc/Makefile.am
index c170cb21..f789d34e 100644
--- a/libiptc/Makefile.am
+++ b/libiptc/Makefile.am
@@ -10,6 +10,6 @@ libiptc_la_SOURCES =
libiptc_la_LIBADD = libip4tc.la libip6tc.la
libiptc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}
libip4tc_la_SOURCES = libip4tc.c
-libip4tc_la_LDFLAGS = -version-info 0:0:0
+libip4tc_la_LDFLAGS = -version-info 1:0:1
libip6tc_la_SOURCES = libip6tc.c
-libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}
+libip6tc_la_LDFLAGS = -version-info 1:0:1 ${libiptc_LDFLAGS2}
diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
index cf66709e..dd599516 100644
--- a/libiptc/libip4tc.c
+++ b/libiptc/libip4tc.c
@@ -36,33 +36,27 @@ typedef unsigned int socklen_t;
#define HOOK_FORWARD NF_IP_FORWARD
#define HOOK_LOCAL_OUT NF_IP_LOCAL_OUT
#define HOOK_POST_ROUTING NF_IP_POST_ROUTING
-#ifdef NF_IP_DROPPING
-#define HOOK_DROPPING NF_IP_DROPPING
-#endif
-#define STRUCT_ENTRY_TARGET struct ipt_entry_target
+#define STRUCT_ENTRY_TARGET struct xt_entry_target
#define STRUCT_ENTRY struct ipt_entry
-#define STRUCT_ENTRY_MATCH struct ipt_entry_match
+#define STRUCT_ENTRY_MATCH struct xt_entry_match
#define STRUCT_GETINFO struct ipt_getinfo
#define STRUCT_GET_ENTRIES struct ipt_get_entries
-#define STRUCT_COUNTERS struct ipt_counters
-#define STRUCT_COUNTERS_INFO struct ipt_counters_info
-#define STRUCT_STANDARD_TARGET struct ipt_standard_target
+#define STRUCT_COUNTERS struct xt_counters
+#define STRUCT_COUNTERS_INFO struct xt_counters_info
+#define STRUCT_STANDARD_TARGET struct xt_standard_target
#define STRUCT_REPLACE struct ipt_replace
-#define STRUCT_TC_HANDLE struct iptc_handle
-#define xtc_handle iptc_handle
-
#define ENTRY_ITERATE IPT_ENTRY_ITERATE
-#define TABLE_MAXNAMELEN IPT_TABLE_MAXNAMELEN
-#define FUNCTION_MAXNAMELEN IPT_FUNCTION_MAXNAMELEN
+#define TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define GET_TARGET ipt_get_target
-#define ERROR_TARGET IPT_ERROR_TARGET
+#define ERROR_TARGET XT_ERROR_TARGET
#define NUMHOOKS NF_IP_NUMHOOKS
-#define IPT_CHAINLABEL ipt_chainlabel
+#define IPT_CHAINLABEL xt_chainlabel
#define TC_DUMP_ENTRIES dump_entries
#define TC_IS_CHAIN iptc_is_chain
@@ -96,6 +90,7 @@ typedef unsigned int socklen_t;
#define TC_STRERROR iptc_strerror
#define TC_NUM_RULES iptc_num_rules
#define TC_GET_RULE iptc_get_rule
+#define TC_OPS iptc_ops
#define TC_AF AF_INET
#define TC_IPPROTO IPPROTO_IP
@@ -106,14 +101,14 @@ typedef unsigned int socklen_t;
#define SO_GET_ENTRIES IPT_SO_GET_ENTRIES
#define SO_GET_VERSION IPT_SO_GET_VERSION
-#define STANDARD_TARGET IPT_STANDARD_TARGET
+#define STANDARD_TARGET XT_STANDARD_TARGET
#define LABEL_RETURN IPTC_LABEL_RETURN
#define LABEL_ACCEPT IPTC_LABEL_ACCEPT
#define LABEL_DROP IPTC_LABEL_DROP
#define LABEL_QUEUE IPTC_LABEL_QUEUE
#define ALIGN XT_ALIGN
-#define RETURN IPT_RETURN
+#define RETURN XT_RETURN
#include "libiptc.c"
@@ -126,7 +121,7 @@ typedef unsigned int socklen_t;
#define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
static int
-dump_entry(struct ipt_entry *e, struct iptc_handle *const handle)
+dump_entry(struct ipt_entry *e, struct xtc_handle *const handle)
{
size_t i;
STRUCT_ENTRY_TARGET *t;
@@ -166,7 +161,7 @@ dump_entry(struct ipt_entry *e, struct iptc_handle *const handle)
: "UNKNOWN");
else
printf("verdict=%u\n", pos);
- } else if (strcmp(t->u.user.name, IPT_ERROR_TARGET) == 0)
+ } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0)
printf("error=`%s'\n", t->data);
printf("\n");
@@ -209,7 +204,7 @@ is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b, unsigned char *matchmask)
mptr = matchmask + sizeof(STRUCT_ENTRY);
if (IPT_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
return NULL;
- mptr += XT_ALIGN(sizeof(struct ipt_entry_target));
+ mptr += XT_ALIGN(sizeof(struct xt_entry_target));
return mptr;
}
@@ -241,7 +236,7 @@ check_match(const STRUCT_ENTRY_MATCH *m, unsigned int *off)
static inline int
check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
unsigned int user_offset, int *was_return,
- struct iptc_handle *h)
+ struct xtc_handle *h)
{
unsigned int toff;
STRUCT_STANDARD_TARGET *t;
@@ -277,14 +272,14 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
idx = iptcb_entry2index(h, te);
assert(strcmp(GET_TARGET(te)->u.user.name,
- IPT_ERROR_TARGET)
+ XT_ERROR_TARGET)
!= 0);
assert(te != e);
/* Prior node must be error node, or this node. */
assert(t->verdict == iptcb_entry2offset(h, e)+e->next_offset
|| strcmp(GET_TARGET(index2entry(h, idx-1))
- ->u.user.name, IPT_ERROR_TARGET)
+ ->u.user.name, XT_ERROR_TARGET)
== 0);
}
@@ -294,7 +289,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
*was_return = 1;
else
*was_return = 0;
- } else if (strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0) {
+ } else if (strcmp(t->target.u.user.name, XT_ERROR_TARGET) == 0) {
assert(t->target.u.target_size
== ALIGN(sizeof(struct ipt_error_target)));
@@ -307,7 +302,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
else *was_return = 0;
if (*off == user_offset)
- assert(strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0);
+ assert(strcmp(t->target.u.user.name, XT_ERROR_TARGET) == 0);
(*off) += e->next_offset;
(*i)++;
@@ -317,7 +312,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
#ifdef IPTC_DEBUG
/* Do every conceivable sanity check on the handle */
static void
-do_check(struct iptc_handle *h, unsigned int line)
+do_check(struct xtc_handle *h, unsigned int line)
{
unsigned int i, n;
unsigned int user_offset; /* Offset of first user chain */
@@ -426,15 +421,6 @@ do_check(struct iptc_handle *h, unsigned int line)
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
-
-#ifdef NF_IP_DROPPING
- } else if (strcmp(h->info.name, "drop") == 0) {
- assert(h->info.valid_hooks == (1 << NF_IP_DROPPING));
-
- /* Hook should be first */
- assert(h->info.hook_entry[NF_IP_DROPPING] == 0);
- user_offset = 0;
-#endif
} else {
fprintf(stderr, "Unknown table `%s'\n", h->info.name);
abort();
diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
index 0f8a889d..7128e1cf 100644
--- a/libiptc/libip6tc.c
+++ b/libiptc/libip6tc.c
@@ -35,29 +35,26 @@ typedef unsigned int socklen_t;
#define HOOK_LOCAL_OUT NF_IP6_LOCAL_OUT
#define HOOK_POST_ROUTING NF_IP6_POST_ROUTING
-#define STRUCT_ENTRY_TARGET struct ip6t_entry_target
+#define STRUCT_ENTRY_TARGET struct xt_entry_target
#define STRUCT_ENTRY struct ip6t_entry
-#define STRUCT_ENTRY_MATCH struct ip6t_entry_match
+#define STRUCT_ENTRY_MATCH struct xt_entry_match
#define STRUCT_GETINFO struct ip6t_getinfo
#define STRUCT_GET_ENTRIES struct ip6t_get_entries
-#define STRUCT_COUNTERS struct ip6t_counters
-#define STRUCT_COUNTERS_INFO struct ip6t_counters_info
-#define STRUCT_STANDARD_TARGET struct ip6t_standard_target
+#define STRUCT_COUNTERS struct xt_counters
+#define STRUCT_COUNTERS_INFO struct xt_counters_info
+#define STRUCT_STANDARD_TARGET struct xt_standard_target
#define STRUCT_REPLACE struct ip6t_replace
-#define STRUCT_TC_HANDLE struct ip6tc_handle
-#define xtc_handle ip6tc_handle
-
#define ENTRY_ITERATE IP6T_ENTRY_ITERATE
-#define TABLE_MAXNAMELEN IP6T_TABLE_MAXNAMELEN
-#define FUNCTION_MAXNAMELEN IP6T_FUNCTION_MAXNAMELEN
+#define TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define GET_TARGET ip6t_get_target
-#define ERROR_TARGET IP6T_ERROR_TARGET
+#define ERROR_TARGET XT_ERROR_TARGET
#define NUMHOOKS NF_IP6_NUMHOOKS
-#define IPT_CHAINLABEL ip6t_chainlabel
+#define IPT_CHAINLABEL xt_chainlabel
#define TC_DUMP_ENTRIES dump_entries6
#define TC_IS_CHAIN ip6tc_is_chain
@@ -91,6 +88,7 @@ typedef unsigned int socklen_t;
#define TC_STRERROR ip6tc_strerror
#define TC_NUM_RULES ip6tc_num_rules
#define TC_GET_RULE ip6tc_get_rule
+#define TC_OPS ip6tc_ops
#define TC_AF AF_INET6
#define TC_IPPROTO IPPROTO_IPV6
@@ -101,14 +99,14 @@ typedef unsigned int socklen_t;
#define SO_GET_ENTRIES IP6T_SO_GET_ENTRIES
#define SO_GET_VERSION IP6T_SO_GET_VERSION
-#define STANDARD_TARGET IP6T_STANDARD_TARGET
+#define STANDARD_TARGET XT_STANDARD_TARGET
#define LABEL_RETURN IP6TC_LABEL_RETURN
#define LABEL_ACCEPT IP6TC_LABEL_ACCEPT
#define LABEL_DROP IP6TC_LABEL_DROP
#define LABEL_QUEUE IP6TC_LABEL_QUEUE
#define ALIGN XT_ALIGN
-#define RETURN IP6T_RETURN
+#define RETURN XT_RETURN
#include "libiptc.c"
@@ -131,12 +129,12 @@ ipv6_prefix_length(const struct in6_addr *a)
}
static int
-dump_entry(struct ip6t_entry *e, struct ip6tc_handle *const handle)
+dump_entry(struct ip6t_entry *e, struct xtc_handle *const handle)
{
size_t i;
char buf[40];
int len;
- struct ip6t_entry_target *t;
+ struct xt_entry_target *t;
printf("Entry %u (%lu):\n", iptcb_entry2index(handle, e),
iptcb_entry2offset(handle, e));
@@ -185,18 +183,18 @@ dump_entry(struct ip6t_entry *e, struct ip6tc_handle *const handle)
t = ip6t_get_target(e);
printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size);
- if (strcmp(t->u.user.name, IP6T_STANDARD_TARGET) == 0) {
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
const unsigned char *data = t->data;
int pos = *(const int *)data;
if (pos < 0)
printf("verdict=%s\n",
pos == -NF_ACCEPT-1 ? "NF_ACCEPT"
: pos == -NF_DROP-1 ? "NF_DROP"
- : pos == IP6T_RETURN ? "RETURN"
+ : pos == XT_RETURN ? "RETURN"
: "UNKNOWN");
else
printf("verdict=%u\n", pos);
- } else if (strcmp(t->u.user.name, IP6T_ERROR_TARGET) == 0)
+ } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0)
printf("error=`%s'\n", t->data);
printf("\n");
@@ -241,7 +239,7 @@ is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b,
mptr = matchmask + sizeof(STRUCT_ENTRY);
if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
return NULL;
- mptr += XT_ALIGN(sizeof(struct ip6t_entry_target));
+ mptr += XT_ALIGN(sizeof(struct xt_entry_target));
return mptr;
}
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 42d9784a..63fcfc2a 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -33,6 +33,7 @@
#include <sys/socket.h>
#include <stdbool.h>
#include <xtables.h>
+#include <libiptc/xtcshared.h>
#include "linux_list.h"
@@ -61,18 +62,9 @@ static const char *hooknames[] = {
[HOOK_FORWARD] = "FORWARD",
[HOOK_LOCAL_OUT] = "OUTPUT",
[HOOK_POST_ROUTING] = "POSTROUTING",
-#ifdef HOOK_DROPPING
- [HOOK_DROPPING] = "DROPPING"
-#endif
};
/* Convenience structures */
-struct ipt_error_target
-{
- STRUCT_ENTRY_TARGET t;
- char error[TABLE_MAXNAMELEN];
-};
-
struct chain_head;
struct rule_head;
@@ -130,8 +122,7 @@ struct chain_head
unsigned int foot_offset; /* offset in rule blob */
};
-STRUCT_TC_HANDLE
-{
+struct xtc_handle {
int sockfd;
int changed; /* Have changes been made? */
@@ -1092,10 +1083,10 @@ static int parse_table(struct xtc_handle *h)
/* Convenience structures */
struct iptcb_chain_start{
STRUCT_ENTRY e;
- struct ipt_error_target name;
+ struct xt_error_target name;
};
#define IPTCB_CHAIN_START_SIZE (sizeof(STRUCT_ENTRY) + \
- ALIGN(sizeof(struct ipt_error_target)))
+ ALIGN(sizeof(struct xt_error_target)))
struct iptcb_chain_foot {
STRUCT_ENTRY e;
@@ -1106,10 +1097,10 @@ struct iptcb_chain_foot {
struct iptcb_chain_error {
STRUCT_ENTRY entry;
- struct ipt_error_target target;
+ struct xt_error_target target;
};
#define IPTCB_CHAIN_ERROR_SIZE (sizeof(STRUCT_ENTRY) + \
- ALIGN(sizeof(struct ipt_error_target)))
+ ALIGN(sizeof(struct xt_error_target)))
@@ -1152,10 +1143,10 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc
head = (void *)repl->entries + c->head_offset;
head->e.target_offset = sizeof(STRUCT_ENTRY);
head->e.next_offset = IPTCB_CHAIN_START_SIZE;
- strcpy(head->name.t.u.user.name, ERROR_TARGET);
- head->name.t.u.target_size =
- ALIGN(sizeof(struct ipt_error_target));
- strcpy(head->name.error, c->name);
+ strcpy(head->name.target.u.user.name, ERROR_TARGET);
+ head->name.target.u.target_size =
+ ALIGN(sizeof(struct xt_error_target));
+ strcpy(head->name.errorname, c->name);
} else {
repl->hook_entry[c->hooknum-1] = c->head_offset;
repl->underflow[c->hooknum-1] = c->foot_offset;
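Review bot: The copy on the last added line, `strcpy(head->name.errorname, c->name);`, keeps the unbounded `strcpy` while the destination has changed type: the removed local `struct ipt_error_target` sized its field as `char error[TABLE_MAXNAMELEN]`, whereas `struct xt_error_target` now comes from the kernel headers and the capacity of its `errorname` member is not visible in this diff. If that member is smaller than the chain-name buffer in `struct chain_head`, a maximum-length chain name would now write past the end of the error target, so the size relationship should be pinned rather than assumed. A compile-time guard such as `_Static_assert(sizeof(((struct iptcb_chain_start *)0)->name.errorname) >= TABLE_MAXNAMELEN, "chain name must fit xt_error_target");` (if the build allows C11) or an explicit length check before the copy would make the change safe; the same pattern in `iptcc_compile_table` copies a fixed literal and needs no change. `iptcc_compile_chain` begins and ends outside this hunk.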
@@ -1198,7 +1189,7 @@ static int iptcc_compile_chain_offsets(struct xtc_handle *h, struct chain_head *
if (!iptcc_is_builtin(c)) {
/* Chain has header */
*offset += sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(struct ipt_error_target));
+ + ALIGN(sizeof(struct xt_error_target));
(*num)++;
}
@@ -1238,7 +1229,7 @@ static int iptcc_compile_table_prep(struct xtc_handle *h, unsigned int *size)
/* Append one error rule at end of chain */
num++;
offset += sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(struct ipt_error_target));
+ + ALIGN(sizeof(struct xt_error_target));
/* ruleset size is now in offset */
*size = offset;
@@ -1261,10 +1252,10 @@ static int iptcc_compile_table(struct xtc_handle *h, STRUCT_REPLACE *repl)
error = (void *)repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE;
error->entry.target_offset = sizeof(STRUCT_ENTRY);
error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE;
- error->target.t.u.user.target_size =
- ALIGN(sizeof(struct ipt_error_target));
- strcpy((char *)&error->target.t.u.user.name, ERROR_TARGET);
- strcpy((char *)&error->target.error, "ERROR");
+ error->target.target.u.user.target_size =
+ ALIGN(sizeof(struct xt_error_target));
+ strcpy((char *)&error->target.target.u.user.name, ERROR_TARGET);
+ strcpy((char *)&error->target.errorname, "ERROR");
return 1;
}
@@ -1279,7 +1270,7 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
{
struct xtc_handle *h;
- h = malloc(sizeof(STRUCT_TC_HANDLE));
+ h = malloc(sizeof(*h));
if (!h) {
errno = ENOMEM;
return NULL;
@@ -2741,3 +2732,14 @@ TC_STRERROR(int err)
return strerror(err);
}
+
+const struct xtc_ops TC_OPS = {
+ .commit = TC_COMMIT,
+ .free = TC_FREE,
+ .builtin = TC_BUILTIN,
+ .is_chain = TC_IS_CHAIN,
+ .flush_entries = TC_FLUSH_ENTRIES,
+ .create_chain = TC_CREATE_CHAIN,
+ .set_policy = TC_SET_POLICY,
+ .strerror = TC_STRERROR,
+};
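Review bot: The new exported `TC_OPS` table has no comment saying what it is for or why exactly these eight operations are exposed, and since libip4tc.c and libip6tc.c each define it under a different name it is the only place a reader of libiptc.c learns what the shared `struct xtc_ops` from `<libiptc/xtcshared.h>` does. A short header above the definition would help, e.g. `/* Per-protocol operation table exported through xtcshared.h so a caller can drive chain and table operations without knowing whether it is linked to libip4tc or libip6tc. */` — the purpose wording should be confirmed against the header. The `-version-info` bump in Makefile.am is consistent with adding this symbol; it would be worth stating that connection in the commit message so the ABI change is traceable.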