diff options
Diffstat (limited to 'libiptc')
-rw-r--r-- | libiptc/Makefile.am | 4 | ||||
-rw-r--r-- | libiptc/libip4tc.c | 56 | ||||
-rw-r--r-- | libiptc/libip6tc.c | 38 | ||||
-rw-r--r-- | libiptc/libiptc.c | 54 |
4 files changed, 69 insertions, 83 deletions
diff --git a/libiptc/Makefile.am b/libiptc/Makefile.am index c170cb21..f789d34e 100644 --- a/libiptc/Makefile.am +++ b/libiptc/Makefile.am @@ -10,6 +10,6 @@ libiptc_la_SOURCES = libiptc_la_LIBADD = libip4tc.la libip6tc.la libiptc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2} libip4tc_la_SOURCES = libip4tc.c -libip4tc_la_LDFLAGS = -version-info 0:0:0 +libip4tc_la_LDFLAGS = -version-info 1:0:1 libip6tc_la_SOURCES = libip6tc.c -libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2} +libip6tc_la_LDFLAGS = -version-info 1:0:1 ${libiptc_LDFLAGS2} diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c index cf66709e..dd599516 100644 --- a/libiptc/libip4tc.c +++ b/libiptc/libip4tc.c @@ -36,33 +36,27 @@ typedef unsigned int socklen_t; #define HOOK_FORWARD NF_IP_FORWARD #define HOOK_LOCAL_OUT NF_IP_LOCAL_OUT #define HOOK_POST_ROUTING NF_IP_POST_ROUTING -#ifdef NF_IP_DROPPING -#define HOOK_DROPPING NF_IP_DROPPING -#endif -#define STRUCT_ENTRY_TARGET struct ipt_entry_target +#define STRUCT_ENTRY_TARGET struct xt_entry_target #define STRUCT_ENTRY struct ipt_entry -#define STRUCT_ENTRY_MATCH struct ipt_entry_match +#define STRUCT_ENTRY_MATCH struct xt_entry_match #define STRUCT_GETINFO struct ipt_getinfo #define STRUCT_GET_ENTRIES struct ipt_get_entries -#define STRUCT_COUNTERS struct ipt_counters -#define STRUCT_COUNTERS_INFO struct ipt_counters_info -#define STRUCT_STANDARD_TARGET struct ipt_standard_target +#define STRUCT_COUNTERS struct xt_counters +#define STRUCT_COUNTERS_INFO struct xt_counters_info +#define STRUCT_STANDARD_TARGET struct xt_standard_target #define STRUCT_REPLACE struct ipt_replace -#define STRUCT_TC_HANDLE struct iptc_handle -#define xtc_handle iptc_handle - #define ENTRY_ITERATE IPT_ENTRY_ITERATE -#define TABLE_MAXNAMELEN IPT_TABLE_MAXNAMELEN -#define FUNCTION_MAXNAMELEN IPT_FUNCTION_MAXNAMELEN +#define TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN +#define FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN #define GET_TARGET ipt_get_target -#define ERROR_TARGET IPT_ERROR_TARGET +#define ERROR_TARGET XT_ERROR_TARGET #define NUMHOOKS NF_IP_NUMHOOKS -#define IPT_CHAINLABEL ipt_chainlabel +#define IPT_CHAINLABEL xt_chainlabel #define TC_DUMP_ENTRIES dump_entries #define TC_IS_CHAIN iptc_is_chain @@ -96,6 +90,7 @@ typedef unsigned int socklen_t; #define TC_STRERROR iptc_strerror #define TC_NUM_RULES iptc_num_rules #define TC_GET_RULE iptc_get_rule +#define TC_OPS iptc_ops #define TC_AF AF_INET #define TC_IPPROTO IPPROTO_IP @@ -106,14 +101,14 @@ typedef unsigned int socklen_t; #define SO_GET_ENTRIES IPT_SO_GET_ENTRIES #define SO_GET_VERSION IPT_SO_GET_VERSION -#define STANDARD_TARGET IPT_STANDARD_TARGET +#define STANDARD_TARGET XT_STANDARD_TARGET #define LABEL_RETURN IPTC_LABEL_RETURN #define LABEL_ACCEPT IPTC_LABEL_ACCEPT #define LABEL_DROP IPTC_LABEL_DROP #define LABEL_QUEUE IPTC_LABEL_QUEUE #define ALIGN XT_ALIGN -#define RETURN IPT_RETURN +#define RETURN XT_RETURN #include "libiptc.c" @@ -126,7 +121,7 @@ typedef unsigned int socklen_t; #define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n)) static int -dump_entry(struct ipt_entry *e, struct iptc_handle *const handle) +dump_entry(struct ipt_entry *e, struct xtc_handle *const handle) { size_t i; STRUCT_ENTRY_TARGET *t; @@ -166,7 +161,7 @@ dump_entry(struct ipt_entry *e, struct iptc_handle *const handle) : "UNKNOWN"); else printf("verdict=%u\n", pos); - } else if (strcmp(t->u.user.name, IPT_ERROR_TARGET) == 0) + } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) printf("error=`%s'\n", t->data); printf("\n"); @@ -209,7 +204,7 @@ is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b, unsigned char *matchmask) mptr = matchmask + sizeof(STRUCT_ENTRY); if (IPT_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr)) return NULL; - mptr += XT_ALIGN(sizeof(struct ipt_entry_target)); + mptr += XT_ALIGN(sizeof(struct xt_entry_target)); return mptr; } @@ -241,7 +236,7 @@ check_match(const STRUCT_ENTRY_MATCH *m, unsigned int *off) static inline int check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off, unsigned int user_offset, int *was_return, - struct iptc_handle *h) + struct xtc_handle *h) { unsigned int toff; STRUCT_STANDARD_TARGET *t; @@ -277,14 +272,14 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off, idx = iptcb_entry2index(h, te); assert(strcmp(GET_TARGET(te)->u.user.name, - IPT_ERROR_TARGET) + XT_ERROR_TARGET) != 0); assert(te != e); /* Prior node must be error node, or this node. */ assert(t->verdict == iptcb_entry2offset(h, e)+e->next_offset || strcmp(GET_TARGET(index2entry(h, idx-1)) - ->u.user.name, IPT_ERROR_TARGET) + ->u.user.name, XT_ERROR_TARGET) == 0); } @@ -294,7 +289,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off, *was_return = 1; else *was_return = 0; - } else if (strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0) { + } else if (strcmp(t->target.u.user.name, XT_ERROR_TARGET) == 0) { assert(t->target.u.target_size == ALIGN(sizeof(struct ipt_error_target))); @@ -307,7 +302,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off, else *was_return = 0; if (*off == user_offset) - assert(strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0); + assert(strcmp(t->target.u.user.name, XT_ERROR_TARGET) == 0); (*off) += e->next_offset; (*i)++; @@ -317,7 +312,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off, #ifdef IPTC_DEBUG /* Do every conceivable sanity check on the handle */ static void -do_check(struct iptc_handle *h, unsigned int line) +do_check(struct xtc_handle *h, unsigned int line) { unsigned int i, n; unsigned int user_offset; /* Offset of first user chain */ @@ -426,15 +421,6 @@ do_check(struct iptc_handle *h, unsigned int line) assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n); user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT]; - -#ifdef NF_IP_DROPPING - } else if (strcmp(h->info.name, "drop") == 0) { - assert(h->info.valid_hooks == (1 << NF_IP_DROPPING)); - - /* Hook should be first */ - assert(h->info.hook_entry[NF_IP_DROPPING] == 0); - user_offset = 0; -#endif } else { fprintf(stderr, "Unknown table `%s'\n", h->info.name); abort(); diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c index 0f8a889d..7128e1cf 100644 --- a/libiptc/libip6tc.c +++ b/libiptc/libip6tc.c @@ -35,29 +35,26 @@ typedef unsigned int socklen_t; #define HOOK_LOCAL_OUT NF_IP6_LOCAL_OUT #define HOOK_POST_ROUTING NF_IP6_POST_ROUTING -#define STRUCT_ENTRY_TARGET struct ip6t_entry_target +#define STRUCT_ENTRY_TARGET struct xt_entry_target #define STRUCT_ENTRY struct ip6t_entry -#define STRUCT_ENTRY_MATCH struct ip6t_entry_match +#define STRUCT_ENTRY_MATCH struct xt_entry_match #define STRUCT_GETINFO struct ip6t_getinfo #define STRUCT_GET_ENTRIES struct ip6t_get_entries -#define STRUCT_COUNTERS struct ip6t_counters -#define STRUCT_COUNTERS_INFO struct ip6t_counters_info -#define STRUCT_STANDARD_TARGET struct ip6t_standard_target +#define STRUCT_COUNTERS struct xt_counters +#define STRUCT_COUNTERS_INFO struct xt_counters_info +#define STRUCT_STANDARD_TARGET struct xt_standard_target #define STRUCT_REPLACE struct ip6t_replace -#define STRUCT_TC_HANDLE struct ip6tc_handle -#define xtc_handle ip6tc_handle - #define ENTRY_ITERATE IP6T_ENTRY_ITERATE -#define TABLE_MAXNAMELEN IP6T_TABLE_MAXNAMELEN -#define FUNCTION_MAXNAMELEN IP6T_FUNCTION_MAXNAMELEN +#define TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN +#define FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN #define GET_TARGET ip6t_get_target -#define ERROR_TARGET IP6T_ERROR_TARGET +#define ERROR_TARGET XT_ERROR_TARGET #define NUMHOOKS NF_IP6_NUMHOOKS -#define IPT_CHAINLABEL ip6t_chainlabel +#define IPT_CHAINLABEL xt_chainlabel #define TC_DUMP_ENTRIES dump_entries6 #define TC_IS_CHAIN ip6tc_is_chain @@ -91,6 +88,7 @@ typedef unsigned int socklen_t; #define TC_STRERROR ip6tc_strerror #define TC_NUM_RULES ip6tc_num_rules #define TC_GET_RULE ip6tc_get_rule +#define TC_OPS ip6tc_ops #define TC_AF AF_INET6 #define TC_IPPROTO IPPROTO_IPV6 @@ -101,14 +99,14 @@ typedef unsigned int socklen_t; #define SO_GET_ENTRIES IP6T_SO_GET_ENTRIES #define SO_GET_VERSION IP6T_SO_GET_VERSION -#define STANDARD_TARGET IP6T_STANDARD_TARGET +#define STANDARD_TARGET XT_STANDARD_TARGET #define LABEL_RETURN IP6TC_LABEL_RETURN #define LABEL_ACCEPT IP6TC_LABEL_ACCEPT #define LABEL_DROP IP6TC_LABEL_DROP #define LABEL_QUEUE IP6TC_LABEL_QUEUE #define ALIGN XT_ALIGN -#define RETURN IP6T_RETURN +#define RETURN XT_RETURN #include "libiptc.c" @@ -131,12 +129,12 @@ ipv6_prefix_length(const struct in6_addr *a) } static int -dump_entry(struct ip6t_entry *e, struct ip6tc_handle *const handle) +dump_entry(struct ip6t_entry *e, struct xtc_handle *const handle) { size_t i; char buf[40]; int len; - struct ip6t_entry_target *t; + struct xt_entry_target *t; printf("Entry %u (%lu):\n", iptcb_entry2index(handle, e), iptcb_entry2offset(handle, e)); @@ -185,18 +183,18 @@ dump_entry(struct ip6t_entry *e, struct ip6tc_handle *const handle) t = ip6t_get_target(e); printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size); - if (strcmp(t->u.user.name, IP6T_STANDARD_TARGET) == 0) { + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) { const unsigned char *data = t->data; int pos = *(const int *)data; if (pos < 0) printf("verdict=%s\n", pos == -NF_ACCEPT-1 ? "NF_ACCEPT" : pos == -NF_DROP-1 ? "NF_DROP" - : pos == IP6T_RETURN ? "RETURN" + : pos == XT_RETURN ? "RETURN" : "UNKNOWN"); else printf("verdict=%u\n", pos); - } else if (strcmp(t->u.user.name, IP6T_ERROR_TARGET) == 0) + } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) printf("error=`%s'\n", t->data); printf("\n"); @@ -241,7 +239,7 @@ is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b, mptr = matchmask + sizeof(STRUCT_ENTRY); if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr)) return NULL; - mptr += XT_ALIGN(sizeof(struct ip6t_entry_target)); + mptr += XT_ALIGN(sizeof(struct xt_entry_target)); return mptr; } diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index 42d9784a..63fcfc2a 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -33,6 +33,7 @@ #include <sys/socket.h> #include <stdbool.h> #include <xtables.h> +#include <libiptc/xtcshared.h> #include "linux_list.h" @@ -61,18 +62,9 @@ static const char *hooknames[] = { [HOOK_FORWARD] = "FORWARD", [HOOK_LOCAL_OUT] = "OUTPUT", [HOOK_POST_ROUTING] = "POSTROUTING", -#ifdef HOOK_DROPPING - [HOOK_DROPPING] = "DROPPING" -#endif }; /* Convenience structures */ -struct ipt_error_target -{ - STRUCT_ENTRY_TARGET t; - char error[TABLE_MAXNAMELEN]; -}; - struct chain_head; struct rule_head; @@ -130,8 +122,7 @@ struct chain_head unsigned int foot_offset; /* offset in rule blob */ }; -STRUCT_TC_HANDLE -{ +struct xtc_handle { int sockfd; int changed; /* Have changes been made? */ @@ -1092,10 +1083,10 @@ static int parse_table(struct xtc_handle *h) /* Convenience structures */ struct iptcb_chain_start{ STRUCT_ENTRY e; - struct ipt_error_target name; + struct xt_error_target name; }; #define IPTCB_CHAIN_START_SIZE (sizeof(STRUCT_ENTRY) + \ - ALIGN(sizeof(struct ipt_error_target))) + ALIGN(sizeof(struct xt_error_target))) struct iptcb_chain_foot { STRUCT_ENTRY e; @@ -1106,10 +1097,10 @@ struct iptcb_chain_foot { struct iptcb_chain_error { STRUCT_ENTRY entry; - struct ipt_error_target target; + struct xt_error_target target; }; #define IPTCB_CHAIN_ERROR_SIZE (sizeof(STRUCT_ENTRY) + \ - ALIGN(sizeof(struct ipt_error_target))) + ALIGN(sizeof(struct xt_error_target))) @@ -1152,10 +1143,10 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc head = (void *)repl->entries + c->head_offset; head->e.target_offset = sizeof(STRUCT_ENTRY); head->e.next_offset = IPTCB_CHAIN_START_SIZE; - strcpy(head->name.t.u.user.name, ERROR_TARGET); - head->name.t.u.target_size = - ALIGN(sizeof(struct ipt_error_target)); - strcpy(head->name.error, c->name); + strcpy(head->name.target.u.user.name, ERROR_TARGET); + head->name.target.u.target_size = + ALIGN(sizeof(struct xt_error_target)); + strcpy(head->name.errorname, c->name); } else { repl->hook_entry[c->hooknum-1] = c->head_offset; repl->underflow[c->hooknum-1] = c->foot_offset; @@ -1198,7 +1189,7 @@ static int iptcc_compile_chain_offsets(struct xtc_handle *h, struct chain_head * if (!iptcc_is_builtin(c)) { /* Chain has header */ *offset += sizeof(STRUCT_ENTRY) - + ALIGN(sizeof(struct ipt_error_target)); + + ALIGN(sizeof(struct xt_error_target)); (*num)++; } @@ -1238,7 +1229,7 @@ static int iptcc_compile_table_prep(struct xtc_handle *h, unsigned int *size) /* Append one error rule at end of chain */ num++; offset += sizeof(STRUCT_ENTRY) - + ALIGN(sizeof(struct ipt_error_target)); + + ALIGN(sizeof(struct xt_error_target)); /* ruleset size is now in offset */ *size = offset; @@ -1261,10 +1252,10 @@ static int iptcc_compile_table(struct xtc_handle *h, STRUCT_REPLACE *repl) error = (void *)repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE; error->entry.target_offset = sizeof(STRUCT_ENTRY); error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE; - error->target.t.u.user.target_size = - ALIGN(sizeof(struct ipt_error_target)); - strcpy((char *)&error->target.t.u.user.name, ERROR_TARGET); - strcpy((char *)&error->target.error, "ERROR"); + error->target.target.u.user.target_size = + ALIGN(sizeof(struct xt_error_target)); + strcpy((char *)&error->target.target.u.user.name, ERROR_TARGET); + strcpy((char *)&error->target.errorname, "ERROR"); return 1; } @@ -1279,7 +1270,7 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) { struct xtc_handle *h; - h = malloc(sizeof(STRUCT_TC_HANDLE)); + h = malloc(sizeof(*h)); if (!h) { errno = ENOMEM; return NULL; @@ -2741,3 +2732,14 @@ TC_STRERROR(int err) return strerror(err); } + +const struct xtc_ops TC_OPS = { + .commit = TC_COMMIT, + .free = TC_FREE, + .builtin = TC_BUILTIN, + .is_chain = TC_IS_CHAIN, + .flush_entries = TC_FLUSH_ENTRIES, + .create_chain = TC_CREATE_CHAIN, + .set_policy = TC_SET_POLICY, + .strerror = TC_STRERROR, +}; |