Diffstat (limited to 'iptables/iptables.c')
-rw-r--r-- | iptables/iptables.c | 66 |
1 files changed, 20 insertions, 46 deletions
diff --git a/iptables/iptables.c b/iptables/iptables.c
index e5207ba1..8eb043e9 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -122,6 +122,9 @@ print_match(const struct xt_entry_match *m,
 printf("%s%s ", match->name, unsupported_rev);
 else
 printf("%s ", match->name);
+
+ if (match->next == match)
+ free(match);
 } else {
 if (name[0])
 printf("UNKNOWN match `%s' ", name);
@@ -178,6 +181,9 @@ print_firewall(const struct ipt_entry *fw,
 tg->print(&fw->ip, t, format & FMT_NUMERIC);
 else if (target->print)
 printf(" %s%s", target->name, unsupported_rev);
+
+ if (target->next == target)
+ free(target);
 } else if (t->u.target_size != sizeof(*t))
 printf("[%u bytes of unknown target data] ",
 (unsigned int)(t->u.target_size - sizeof(*t)));
@@ -276,40 +282,6 @@ insert_entry(const xt_chainlabel chain,
 return ret;
 }
 
-static unsigned char *
-make_delete_mask(const struct xtables_rule_match *matches,
- const struct xtables_target *target)
-{
- /* Establish mask for comparison */
- unsigned int size;
- const struct xtables_rule_match *matchp;
- unsigned char *mask, *mptr;
-
- size = sizeof(struct ipt_entry);
- for (matchp = matches; matchp; matchp = matchp->next)
- size += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size;
-
- mask = xtables_calloc(1, size
- + XT_ALIGN(sizeof(struct xt_entry_target))
- + target->size);
-
- memset(mask, 0xFF, sizeof(struct ipt_entry));
- mptr = mask + sizeof(struct ipt_entry);
-
- for (matchp = matches; matchp; matchp = matchp->next) {
- memset(mptr, 0xFF,
- XT_ALIGN(sizeof(struct xt_entry_match))
- + matchp->match->userspacesize);
- mptr += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size;
- }
-
- memset(mptr, 0xFF,
- XT_ALIGN(sizeof(struct xt_entry_target))
- + target->userspacesize);
-
- return mask;
-}
-
 static int
 delete_entry(const xt_chainlabel chain,
 struct ipt_entry *fw,
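Review bot: The new `if (match->next == match) free(match);` in print_match treats a self-referencing `next` pointer as the marker for a heap-allocated clone, but nothing at the call site says so; a one-line comment such as `/* a self-linked match is a private clone we own; release it */` keeps the next reader from mistaking it for a list-walk bug. The same construct is added for `target` in the print_firewall hunk. After the free, `match` (and `target`) stays in scope for the rest of the function, which continues outside the hunk, so nothing after the if/else may touch it — only `m` and `name` remain valid. The clone convention lives in libxtables (xtables_find_match/xtables_find_target), not on this page, so the ownership should be confirmed against it.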
@@ -328,7 +300,7 @@ delete_entry(const xt_chainlabel chain,
 int ret = 1;
 unsigned char *mask;
 
- mask = make_delete_mask(matches, target);
+ mask = make_delete_mask(matches, target, sizeof(*fw));
 for (i = 0; i < nsaddrs; i++) {
 fw->ip.src.s_addr = saddrs[i].s_addr;
 fw->ip.smsk.s_addr = smasks[i].s_addr;
@@ -358,7 +330,7 @@ check_entry(const xt_chainlabel chain, struct ipt_entry *fw,
 int ret = 1;
 unsigned char *mask;
 
- mask = make_delete_mask(matches, target);
+ mask = make_delete_mask(matches, target, sizeof(*fw));
 for (i = 0; i < nsaddrs; i++) {
 fw->ip.src.s_addr = saddrs[i].s_addr;
 fw->ip.smsk.s_addr = smasks[i].s_addr;
@@ -544,8 +516,7 @@ void print_rule4(const struct ipt_entry *e,
 save_ipv4_addr('d', &e->ip.dst, &e->ip.dmsk,
 e->ip.invflags & IPT_INV_DSTIP);
 
- save_rule_details(e->ip.iniface, e->ip.iniface_mask,
- e->ip.outiface, e->ip.outiface_mask,
+ save_rule_details(e->ip.iniface, e->ip.outiface,
 e->ip.proto, e->ip.flags & IPT_F_FRAG,
 e->ip.invflags);
 
@@ -691,6 +662,10 @@ int do_command4(int argc, char *argv[], char **table,
 struct xt_cmd_parse_ops cmd_parse_ops = {
 .proto_parse = ipv4_proto_parse,
 .post_parse = ipv4_post_parse,
+ .option_name = ip46t_option_name,
+ .option_invert = ip46t_option_invert,
+ .command_default = command_default,
+ .print_help = xtables_printhelp,
 };
 struct xt_cmd_parse p = {
 .table = *table,
@@ -733,6 +708,9 @@ int do_command4(int argc, char *argv[], char **table,
 smasks = args.s.mask.v4;
 dmasks = args.d.mask.v4;
 
+ iface_to_mask(cs.fw.ip.iniface, cs.fw.ip.iniface_mask);
+ iface_to_mask(cs.fw.ip.outiface, cs.fw.ip.outiface_mask);
+
 /* Attempt to acquire the xtables lock */
 if (!restore)
 xtables_lock_or_exit(wait);
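Review bot: The two callers in delete_entry and check_entry now pass `sizeof(*fw)` to a shared make_delete_mask() whose body is not on this page; the removed local version sized the buffer from `match->size`/`target->size` but set 0xFF only over `userspacesize` bytes, and the replacement must keep that distinction or rule comparison will start including kernel-private trailing data. The mask is still freed by the callers outside the hunk, presumably, so that path should be checked too. A short comment at the call, `/* mask covers entry header + userspace part of each match/target */`, would record the contract this file now depends on.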
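Review bot: print_rule4 no longer hands `e->ip.iniface_mask`/`e->ip.outiface_mask` to save_rule_details, so the saved rule is reconstructed from the interface name alone and, on reload, the masks come from the two new iface_to_mask() calls in the do_command4 hunk below. A rule whose in-kernel mask does not correspond to what iface_to_mask() derives from its name (one installed by a different tool) would then be saved differently from how it is installed; whether save_rule_details compensates cannot be seen here. A comment at the call, `/* masks are not saved; iface_to_mask() recomputes them from the names on restore */`, makes the round-trip assumption explicit.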
@@ -795,13 +773,12 @@ int do_command4(int argc, char *argv[], char **table,
 #ifdef IPT_F_GOTO
 if (cs.fw.ip.flags & IPT_F_GOTO)
 xtables_error(PARAMETER_PROBLEM,
- "goto '%s' is not a chain\n",
- cs.jumpto);
+ "goto '%s' is not a chain",
+ cs.jumpto);
 #endif
 xtables_find_target(cs.jumpto, XTF_LOAD_MUST_SUCCEED);
 } else {
 e = generate_entry(&cs.fw, cs.matches, cs.target->t);
- free(cs.target->t);
 }
 }
 
@@ -903,17 +880,14 @@ int do_command4(int argc, char *argv[], char **table,
 if (verbose > 1)
 dump_entries(*handle);
 
- xtables_rule_matches_free(&cs.matches);
+ xtables_clear_iptables_command_state(&cs);
 
 if (e != NULL) {
 free(e);
 e = NULL;
 }
 
- free(saddrs);
- free(smasks);
- free(daddrs);
- free(dmasks);
+ xtables_clear_args(&args);
 xtables_free_opts(1);
 
 return ret;
|
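Review bot: Dropping `free(cs.target->t);` after generate_entry() moves ownership of the target buffer to the `xtables_clear_iptables_command_state(&cs)` call added at the end of do_command4 in the next hunk, so every path from here to that call must now reach it or the buffer leaks; the switch on command between the two hunks is not on this page, and any early return there needs checking. The message edit also drops the trailing `\n`, which assumes xtables_error() terminates the line itself — the other xtables_error() calls in this file should use the same form for consistency.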
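Review bot: After `xtables_clear_args(&args)` the locals saddrs/smasks/daddrs/dmasks still alias storage inside `args` (the earlier hunk assigns them from `args.s.mask.v4` and `args.d.mask.v4`); nothing visible reads them before `return ret`, but they now dangle instead of being freed here, so a comment such as `/* saddrs/smasks/daddrs/dmasks point into args; xtables_clear_args() releases them */` prevents someone re-adding the four free() calls and double-freeing. The `free(e)` block sits between the two clear calls; if `e` shares memory with `cs.matches` or `cs.target->t`, that order matters, and generate_entry's copying behaviour is outside this page.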