search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Tomato 1.28
[tomato.git] / release / src / router / iptables / libiptc / libiptc.c
blobb866e268115b9eaedc1e16c2866c0298c2bd2c26
1 /* Library which manipulates firewall rules. Version $Revision: 6665 $ */
2
3 /* Architecture of firewall rules is as follows:
4 *
5 * Chains go INPUT, FORWARD, OUTPUT then user chains.
6 * Each user chain starts with an ERROR node.
7 * Every chain ends with an unconditional jump: a RETURN for user chains,
8 * and a POLICY for built-ins.
9 */
10
11 /* (C) 1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
12 * COPYING for details).
13 * (C) 2000-2004 by the Netfilter Core Team <coreteam@netfilter.org>
14 *
15 * 2003-Jun-20: Harald Welte <laforge@netfilter.org>:
16 * - Reimplementation of chain cache to use offsets instead of entries
17 * 2003-Jun-23: Harald Welte <laforge@netfilter.org>:
18 * - performance optimization, sponsored by Astaro AG (http://www.astaro.com/)
19 * don't rebuild the chain cache after every operation, instead fix it
20 * up after a ruleset change.
21 * 2004-Aug-18: Harald Welte <laforge@netfilter.org>:
22 * - futher performance work: total reimplementation of libiptc.
23 * - libiptc now has a real internal (linked-list) represntation of the
24 * ruleset and a parser/compiler from/to this internal representation
25 * - again sponsored by Astaro AG (http://www.astaro.com/)
26 */
27 #include <sys/types.h>
28 #include <sys/socket.h>
29
30 #include "linux_list.h"
31
32 //#define IPTC_DEBUG2 1
33
34 #ifdef IPTC_DEBUG2
35 #include <fcntl.h>
36 #define DEBUGP(x, args...) fprintf(stderr, "%s: " x, __FUNCTION__, ## args)
37 #define DEBUGP_C(x, args...) fprintf(stderr, x, ## args)
38 #else
39 #define DEBUGP(x, args...)
40 #define DEBUGP_C(x, args...)
41 #endif
42
43 #ifndef IPT_LIB_DIR
44 #define IPT_LIB_DIR "/usr/local/lib/iptables"
45 #endif
46
47 static int sockfd = -1;
48 static int sockfd_use = 0;
49 static void *iptc_fn = NULL;
50
51 static const char *hooknames[]
52 = { [HOOK_PRE_ROUTING] "PREROUTING",
53 [HOOK_LOCAL_IN] "INPUT",
54 [HOOK_FORWARD] "FORWARD",
55 [HOOK_LOCAL_OUT] "OUTPUT",
56 [HOOK_POST_ROUTING] "POSTROUTING",
57 #ifdef HOOK_DROPPING
58 [HOOK_DROPPING] "DROPPING"
59 #endif
60 };
61
62 /* Convenience structures */
63 struct ipt_error_target
64 {
65 STRUCT_ENTRY_TARGET t;
66 char error[TABLE_MAXNAMELEN];
67 };
68
69 struct chain_head;
70 struct rule_head;
71
72 struct counter_map
73 {
74 enum {
75 COUNTER_MAP_NOMAP,
76 COUNTER_MAP_NORMAL_MAP,
77 COUNTER_MAP_ZEROED,
78 COUNTER_MAP_SET
79 } maptype;
80 unsigned int mappos;
81 };
82
83 enum iptcc_rule_type {
84 IPTCC_R_STANDARD, /* standard target (ACCEPT, ...) */
85 IPTCC_R_MODULE, /* extension module (SNAT, ...) */
86 IPTCC_R_FALLTHROUGH, /* fallthrough rule */
87 IPTCC_R_JUMP, /* jump to other chain */
88 };
89
90 struct rule_head
91 {
92 struct list_head list;
93 struct chain_head *chain;
94 struct counter_map counter_map;
95
96 unsigned int index; /* index (needed for counter_map) */
97 unsigned int offset; /* offset in rule blob */
98
99 enum iptcc_rule_type type;
100 struct chain_head *jump; /* jump target, if IPTCC_R_JUMP */
101
102 unsigned int size; /* size of entry data */
103 STRUCT_ENTRY entry[0];
104 };
105
106 struct chain_head
107 {
108 struct list_head list;
109 char name[TABLE_MAXNAMELEN];
110 unsigned int hooknum; /* hook number+1 if builtin */
111 unsigned int references; /* how many jumps reference us */
112 int verdict; /* verdict if builtin */
113
114 STRUCT_COUNTERS counters; /* per-chain counters */
115 struct counter_map counter_map;
116
117 unsigned int num_rules; /* number of rules in list */
118 struct list_head rules; /* list of rules */
119
120 unsigned int index; /* index (needed for jump resolval) */
121 unsigned int head_offset; /* offset in rule blob */
122 unsigned int foot_index; /* index (needed for counter_map) */
123 unsigned int foot_offset; /* offset in rule blob */
124 };
125
126 STRUCT_TC_HANDLE
127 {
128 int changed; /* Have changes been made? */
129
130 struct list_head chains;
131
132 struct chain_head *chain_iterator_cur;
133 struct rule_head *rule_iterator_cur;
134
135 STRUCT_GETINFO info;
136 STRUCT_GET_ENTRIES *entries;
137 };
138
139 /* allocate a new chain head for the cache */
140 static struct chain_head *iptcc_alloc_chain_head(const char *name, int hooknum)
141 {
142 struct chain_head *c = malloc(sizeof(*c));
143 if (!c)
144 return NULL;
145 memset(c, 0, sizeof(*c));
146
147 strncpy(c->name, name, TABLE_MAXNAMELEN);
148 c->hooknum = hooknum;
149 INIT_LIST_HEAD(&c->rules);
150
151 return c;
152 }
153
154 /* allocate and initialize a new rule for the cache */
155 static struct rule_head *iptcc_alloc_rule(struct chain_head *c, unsigned int size)
156 {
157 struct rule_head *r = malloc(sizeof(*r)+size);
158 if (!r)
159 return NULL;
160 memset(r, 0, sizeof(*r));
161
162 r->chain = c;
163 r->size = size;
164
165 return r;
166 }
167
168 /* notify us that the ruleset has been modified by the user */
169 static void
170 set_changed(TC_HANDLE_T h)
171 {
172 h->changed = 1;
173 }
174
175 #ifdef IPTC_DEBUG
176 static void do_check(TC_HANDLE_T h, unsigned int line);
177 #define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
178 #else
179 #define CHECK(h)
180 #endif
181
182
183 /**********************************************************************
184 * iptc blob utility functions (iptcb_*)
185 **********************************************************************/
186
187 static inline int
188 iptcb_get_number(const STRUCT_ENTRY *i,
189 const STRUCT_ENTRY *seek,
190 unsigned int *pos)
191 {
192 if (i == seek)
193 return 1;
194 (*pos)++;
195 return 0;
196 }
197
198 static inline int
199 iptcb_get_entry_n(STRUCT_ENTRY *i,
200 unsigned int number,
201 unsigned int *pos,
202 STRUCT_ENTRY **pe)
203 {
204 if (*pos == number) {
205 *pe = i;
206 return 1;
207 }
208 (*pos)++;
209 return 0;
210 }
211
212 static inline STRUCT_ENTRY *
213 iptcb_get_entry(TC_HANDLE_T h, unsigned int offset)
214 {
215 return (STRUCT_ENTRY *)((char *)h->entries->entrytable + offset);
216 }
217
218 static unsigned int
219 iptcb_entry2index(const TC_HANDLE_T h, const STRUCT_ENTRY *seek)
220 {
221 unsigned int pos = 0;
222
223 if (ENTRY_ITERATE(h->entries->entrytable, h->entries->size,
224 iptcb_get_number, seek, &pos) == 0) {
225 fprintf(stderr, "ERROR: offset %u not an entry!\n",
226 (unsigned int)((char *)seek - (char *)h->entries->entrytable));
227 abort();
228 }
229 return pos;
230 }
231
232 static inline STRUCT_ENTRY *
233 iptcb_offset2entry(TC_HANDLE_T h, unsigned int offset)
234 {
235 return (STRUCT_ENTRY *) ((void *)h->entries->entrytable+offset);
236 }
237
238
239 static inline unsigned long
240 iptcb_entry2offset(const TC_HANDLE_T h, const STRUCT_ENTRY *e)
241 {
242 return (void *)e - (void *)h->entries->entrytable;
243 }
244
245 static inline unsigned int
246 iptcb_offset2index(const TC_HANDLE_T h, unsigned int offset)
247 {
248 return iptcb_entry2index(h, iptcb_offset2entry(h, offset));
249 }
250
251 /* Returns 0 if not hook entry, else hooknumber + 1 */
252 static inline unsigned int
253 iptcb_ent_is_hook_entry(STRUCT_ENTRY *e, TC_HANDLE_T h)
254 {
255 unsigned int i;
256
257 for (i = 0; i < NUMHOOKS; i++) {
258 if ((h->info.valid_hooks & (1 << i))
259 && iptcb_get_entry(h, h->info.hook_entry[i]) == e)
260 return i+1;
261 }
262 return 0;
263 }
264
265
266 /**********************************************************************
267 * iptc cache utility functions (iptcc_*)
268 **********************************************************************/
269
270 /* Is the given chain builtin (1) or user-defined (0) */
271 static unsigned int iptcc_is_builtin(struct chain_head *c)
272 {
273 return (c->hooknum ? 1 : 0);
274 }
275
276 /* Get a specific rule within a chain */
277 static struct rule_head *iptcc_get_rule_num(struct chain_head *c,
278 unsigned int rulenum)
279 {
280 struct rule_head *r;
281 unsigned int num = 0;
282
283 list_for_each_entry(r, &c->rules, list) {
284 num++;
285 if (num == rulenum)
286 return r;
287 }
288 return NULL;
289 }
290
291 /* Get a specific rule within a chain backwards */
292 static struct rule_head *iptcc_get_rule_num_reverse(struct chain_head *c,
293 unsigned int rulenum)
294 {
295 struct rule_head *r;
296 unsigned int num = 0;
297
298 list_for_each_entry_reverse(r, &c->rules, list) {
299 num++;
300 if (num == rulenum)
301 return r;
302 }
303 return NULL;
304 }
305
306 /* Returns chain head if found, otherwise NULL. */
307 static struct chain_head *
308 iptcc_find_chain_by_offset(TC_HANDLE_T handle, unsigned int offset)
309 {
310 struct list_head *pos;
311
312 if (list_empty(&handle->chains))
313 return NULL;
314
315 list_for_each(pos, &handle->chains) {
316 struct chain_head *c = list_entry(pos, struct chain_head, list);
317 if (offset >= c->head_offset && offset <= c->foot_offset)
318 return c;
319 }
320
321 return NULL;
322 }
323 /* Returns chain head if found, otherwise NULL. */
324 static struct chain_head *
325 iptcc_find_label(const char *name, TC_HANDLE_T handle)
326 {
327 struct list_head *pos;
328
329 if (list_empty(&handle->chains))
330 return NULL;
331
332 list_for_each(pos, &handle->chains) {
333 struct chain_head *c = list_entry(pos, struct chain_head, list);
334 if (!strcmp(c->name, name))
335 return c;
336 }
337
338 return NULL;
339 }
340
341 /* called when rule is to be removed from cache */
342 static void iptcc_delete_rule(struct rule_head *r)
343 {
344 DEBUGP("deleting rule %p (offset %u)\n", r, r->offset);
345 /* clean up reference count of called chain */
346 if (r->type == IPTCC_R_JUMP
347 && r->jump)
348 r->jump->references--;
349
350 list_del(&r->list);
351 free(r);
352 }
353
354
355 /**********************************************************************
356 * RULESET PARSER (blob -> cache)
357 **********************************************************************/
358
359 /* Delete policy rule of previous chain, since cache doesn't contain
360 * chain policy rules.
361 * WARNING: This function has ugly design and relies on a lot of context, only
362 * to be called from specific places within the parser */
363 static int __iptcc_p_del_policy(TC_HANDLE_T h, unsigned int num)
364 {
365 if (h->chain_iterator_cur) {
366 /* policy rule is last rule */
367 struct rule_head *pr = (struct rule_head *)
368 h->chain_iterator_cur->rules.prev;
369
370 /* save verdict */
371 h->chain_iterator_cur->verdict =
372 *(int *)GET_TARGET(pr->entry)->data;
373
374 /* save counter and counter_map information */
375 h->chain_iterator_cur->counter_map.maptype =
376 COUNTER_MAP_NORMAL_MAP;
377 h->chain_iterator_cur->counter_map.mappos = num-1;
378 memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters,
379 sizeof(h->chain_iterator_cur->counters));
380
381 /* foot_offset points to verdict rule */
382 h->chain_iterator_cur->foot_index = num;
383 h->chain_iterator_cur->foot_offset = pr->offset;
384
385 /* delete rule from cache */
386 iptcc_delete_rule(pr);
387 h->chain_iterator_cur->num_rules--;
388
389 return 1;
390 }
391 return 0;
392 }
393
394 /* alphabetically insert a chain into the list */
395 static inline void iptc_insert_chain(TC_HANDLE_T h, struct chain_head *c)
396 {
397 struct chain_head *tmp;
398
399 /* sort only user defined chains */
400 if (!c->hooknum) {
401 list_for_each_entry(tmp, &h->chains, list) {
402 if (!tmp->hooknum && strcmp(c->name, tmp->name) <= 0) {
403 list_add(&c->list, tmp->list.prev);
404 return;
405 }
406 }
407 }
408
409 /* survived till end of list: add at tail */
410 list_add_tail(&c->list, &h->chains);
411 }
412
413 /* Another ugly helper function split out of cache_add_entry to make it less
414 * spaghetti code */
415 static void __iptcc_p_add_chain(TC_HANDLE_T h, struct chain_head *c,
416 unsigned int offset, unsigned int *num)
417 {
418 __iptcc_p_del_policy(h, *num);
419
420 c->head_offset = offset;
421 c->index = *num;
422
423 iptc_insert_chain(h, c);
424
425 h->chain_iterator_cur = c;
426 }
427
428 /* main parser function: add an entry from the blob to the cache */
429 static int cache_add_entry(STRUCT_ENTRY *e,
430 TC_HANDLE_T h,
431 STRUCT_ENTRY **prev,
432 unsigned int *num)
433 {
434 unsigned int builtin;
435 unsigned int offset = (char *)e - (char *)h->entries->entrytable;
436
437 DEBUGP("entering...");
438
439 /* Last entry ("policy rule"). End it.*/
440 if (iptcb_entry2offset(h,e) + e->next_offset == h->entries->size) {
441 /* This is the ERROR node at the end of the chain */
442 DEBUGP_C("%u:%u: end of table:\n", *num, offset);
443
444 __iptcc_p_del_policy(h, *num);
445
446 h->chain_iterator_cur = NULL;
447 goto out_inc;
448 }
449
450 /* We know this is the start of a new chain if it's an ERROR
451 * target, or a hook entry point */
452
453 if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) == 0) {
454 struct chain_head *c =
455 iptcc_alloc_chain_head((const char *)GET_TARGET(e)->data, 0);
456 DEBUGP_C("%u:%u:new userdefined chain %s: %p\n", *num, offset,
457 (char *)c->name, c);
458 if (!c) {
459 errno = -ENOMEM;
460 return -1;
461 }
462
463 __iptcc_p_add_chain(h, c, offset, num);
464
465 } else if ((builtin = iptcb_ent_is_hook_entry(e, h)) != 0) {
466 struct chain_head *c =
467 iptcc_alloc_chain_head((char *)hooknames[builtin-1],
468 builtin);
469 DEBUGP_C("%u:%u new builtin chain: %p (rules=%p)\n",
470 *num, offset, c, &c->rules);
471 if (!c) {
472 errno = -ENOMEM;
473 return -1;
474 }
475
476 c->hooknum = builtin;
477
478 __iptcc_p_add_chain(h, c, offset, num);
479
480 /* FIXME: this is ugly. */
481 goto new_rule;
482 } else {
483 /* has to be normal rule */
484 struct rule_head *r;
485 new_rule:
486
487 if (!(r = iptcc_alloc_rule(h->chain_iterator_cur,
488 e->next_offset))) {
489 errno = ENOMEM;
490 return -1;
491 }
492 DEBUGP_C("%u:%u normal rule: %p: ", *num, offset, r);
493
494 r->index = *num;
495 r->offset = offset;
496 memcpy(r->entry, e, e->next_offset);
497 r->counter_map.maptype = COUNTER_MAP_NORMAL_MAP;
498 r->counter_map.mappos = r->index;
499
500 /* handling of jumps, etc. */
501 if (!strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET)) {
502 STRUCT_STANDARD_TARGET *t;
503
504 t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
505 if (t->target.u.target_size
506 != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
507 errno = EINVAL;
508 return -1;
509 }
510
511 if (t->verdict < 0) {
512 DEBUGP_C("standard, verdict=%d\n", t->verdict);
513 r->type = IPTCC_R_STANDARD;
514 } else if (t->verdict == r->offset+e->next_offset) {
515 DEBUGP_C("fallthrough\n");
516 r->type = IPTCC_R_FALLTHROUGH;
517 } else {
518 DEBUGP_C("jump, target=%u\n", t->verdict);
519 r->type = IPTCC_R_JUMP;
520 /* Jump target fixup has to be deferred
521 * until second pass, since we migh not
522 * yet have parsed the target */
523 }
524 } else {
525 DEBUGP_C("module, target=%s\n", GET_TARGET(e)->u.user.name);
526 r->type = IPTCC_R_MODULE;
527 }
528
529 list_add_tail(&r->list, &h->chain_iterator_cur->rules);
530 h->chain_iterator_cur->num_rules++;
531 }
532 out_inc:
533 (*num)++;
534 return 0;
535 }
536
537
538 /* parse an iptables blob into it's pieces */
539 static int parse_table(TC_HANDLE_T h)
540 {
541 STRUCT_ENTRY *prev;
542 unsigned int num = 0;
543 struct chain_head *c;
544
545 /* First pass: over ruleset blob */
546 ENTRY_ITERATE(h->entries->entrytable, h->entries->size,
547 cache_add_entry, h, &prev, &num);
548
549 /* Second pass: fixup parsed data from first pass */
550 list_for_each_entry(c, &h->chains, list) {
551 struct rule_head *r;
552 list_for_each_entry(r, &c->rules, list) {
553 struct chain_head *c;
554 STRUCT_STANDARD_TARGET *t;
555
556 if (r->type != IPTCC_R_JUMP)
557 continue;
558
559 t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
560 c = iptcc_find_chain_by_offset(h, t->verdict);
561 if (!c)
562 return -1;
563 r->jump = c;
564 c->references++;
565 }
566 }
567
568 /* FIXME: sort chains */
569
570 return 1;
571 }
572
573
574 /**********************************************************************
575 * RULESET COMPILATION (cache -> blob)
576 **********************************************************************/
577
578 /* Convenience structures */
579 struct iptcb_chain_start{
580 STRUCT_ENTRY e;
581 struct ipt_error_target name;
582 };
583 #define IPTCB_CHAIN_START_SIZE (sizeof(STRUCT_ENTRY) + \
584 ALIGN(sizeof(struct ipt_error_target)))
585
586 struct iptcb_chain_foot {
587 STRUCT_ENTRY e;
588 STRUCT_STANDARD_TARGET target;
589 };
590 #define IPTCB_CHAIN_FOOT_SIZE (sizeof(STRUCT_ENTRY) + \
591 ALIGN(sizeof(STRUCT_STANDARD_TARGET)))
592
593 struct iptcb_chain_error {
594 STRUCT_ENTRY entry;
595 struct ipt_error_target target;
596 };
597 #define IPTCB_CHAIN_ERROR_SIZE (sizeof(STRUCT_ENTRY) + \
598 ALIGN(sizeof(struct ipt_error_target)))
599
600
601
602 /* compile rule from cache into blob */
603 static inline int iptcc_compile_rule (TC_HANDLE_T h, STRUCT_REPLACE *repl, struct rule_head *r)
604 {
605 /* handle jumps */
606 if (r->type == IPTCC_R_JUMP) {
607 STRUCT_STANDARD_TARGET *t;
608 t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
609 /* memset for memcmp convenience on delete/replace */
610 memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
611 strcpy(t->target.u.user.name, STANDARD_TARGET);
612 /* Jumps can only happen to builtin chains, so we
613 * can safely assume that they always have a header */
614 t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE;
615 } else if (r->type == IPTCC_R_FALLTHROUGH) {
616 STRUCT_STANDARD_TARGET *t;
617 t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
618 t->verdict = r->offset + r->size;
619 }
620
621 /* copy entry from cache to blob */
622 memcpy((char *)repl->entries+r->offset, r->entry, r->size);
623
624 return 1;
625 }
626
627 /* compile chain from cache into blob */
628 static int iptcc_compile_chain(TC_HANDLE_T h, STRUCT_REPLACE *repl, struct chain_head *c)
629 {
630 int ret;
631 struct rule_head *r;
632 struct iptcb_chain_start *head;
633 struct iptcb_chain_foot *foot;
634
635 /* only user-defined chains have heaer */
636 if (!iptcc_is_builtin(c)) {
637 /* put chain header in place */
638 head = (void *)repl->entries + c->head_offset;
639 head->e.target_offset = sizeof(STRUCT_ENTRY);
640 head->e.next_offset = IPTCB_CHAIN_START_SIZE;
641 strcpy(head->name.t.u.user.name, ERROR_TARGET);
642 head->name.t.u.target_size =
643 ALIGN(sizeof(struct ipt_error_target));
644 strcpy(head->name.error, c->name);
645 } else {
646 repl->hook_entry[c->hooknum-1] = c->head_offset;
647 repl->underflow[c->hooknum-1] = c->foot_offset;
648 }
649
650 /* iterate over rules */
651 list_for_each_entry(r, &c->rules, list) {
652 ret = iptcc_compile_rule(h, repl, r);
653 if (ret < 0)
654 return ret;
655 }
656
657 /* put chain footer in place */
658 foot = (void *)repl->entries + c->foot_offset;
659 foot->e.target_offset = sizeof(STRUCT_ENTRY);
660 foot->e.next_offset = IPTCB_CHAIN_FOOT_SIZE;
661 strcpy(foot->target.target.u.user.name, STANDARD_TARGET);
662 foot->target.target.u.target_size =
663 ALIGN(sizeof(STRUCT_STANDARD_TARGET));
664 /* builtin targets have verdict, others return */
665 if (iptcc_is_builtin(c))
666 foot->target.verdict = c->verdict;
667 else
668 foot->target.verdict = RETURN;
669 /* set policy-counters */
670 memcpy(&foot->e.counters, &c->counters, sizeof(STRUCT_COUNTERS));
671
672 return 0;
673 }
674
675 /* calculate offset and number for every rule in the cache */
676 static int iptcc_compile_chain_offsets(TC_HANDLE_T h, struct chain_head *c,
677 unsigned int *offset, unsigned int *num)
678 {
679 struct rule_head *r;
680
681 c->head_offset = *offset;
682 DEBUGP("%s: chain_head %u, offset=%u\n", c->name, *num, *offset);
683
684 if (!iptcc_is_builtin(c)) {
685 /* Chain has header */
686 *offset += sizeof(STRUCT_ENTRY)
687 + ALIGN(sizeof(struct ipt_error_target));
688 (*num)++;
689 }
690
691 list_for_each_entry(r, &c->rules, list) {
692 DEBUGP("rule %u, offset=%u, index=%u\n", *num, *offset, *num);
693 r->offset = *offset;
694 r->index = *num;
695 *offset += r->size;
696 (*num)++;
697 }
698
699 DEBUGP("%s; chain_foot %u, offset=%u, index=%u\n", c->name, *num,
700 *offset, *num);
701 c->foot_offset = *offset;
702 c->foot_index = *num;
703 *offset += sizeof(STRUCT_ENTRY)
704 + ALIGN(sizeof(STRUCT_STANDARD_TARGET));
705 (*num)++;
706
707 return 1;
708 }
709
710 /* put the pieces back together again */
711 static int iptcc_compile_table_prep(TC_HANDLE_T h, unsigned int *size)
712 {
713 struct chain_head *c;
714 unsigned int offset = 0, num = 0;
715 int ret = 0;
716
717 /* First pass: calculate offset for every rule */
718 list_for_each_entry(c, &h->chains, list) {
719 ret = iptcc_compile_chain_offsets(h, c, &offset, &num);
720 if (ret < 0)
721 return ret;
722 }
723
724 /* Append one error rule at end of chain */
725 num++;
726 offset += sizeof(STRUCT_ENTRY)
727 + ALIGN(sizeof(struct ipt_error_target));
728
729 /* ruleset size is now in offset */
730 *size = offset;
731 return num;
732 }
733
734 static int iptcc_compile_table(TC_HANDLE_T h, STRUCT_REPLACE *repl)
735 {
736 struct chain_head *c;
737 struct iptcb_chain_error *error;
738
739 /* Second pass: copy from cache to offsets, fill in jumps */
740 list_for_each_entry(c, &h->chains, list) {
741 int ret = iptcc_compile_chain(h, repl, c);
742 if (ret < 0)
743 return ret;
744 }
745
746 /* Append error rule at end of chain */
747 error = (void *)repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE;
748 error->entry.target_offset = sizeof(STRUCT_ENTRY);
749 error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE;
750 error->target.t.u.user.target_size =
751 ALIGN(sizeof(struct ipt_error_target));
752 strcpy((char *)&error->target.t.u.user.name, ERROR_TARGET);
753 strcpy((char *)&error->target.error, "ERROR");
754
755 return 1;
756 }
757
758 /**********************************************************************
759 * EXTERNAL API (operates on cache only)
760 **********************************************************************/
761
762 /* Allocate handle of given size */
763 static TC_HANDLE_T
764 alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
765 {
766 size_t len;
767 TC_HANDLE_T h;
768
769 len = sizeof(STRUCT_TC_HANDLE) + size;
770
771 h = malloc(sizeof(STRUCT_TC_HANDLE));
772 if (!h) {
773 errno = ENOMEM;
774 return NULL;
775 }
776 memset(h, 0, sizeof(*h));
777 INIT_LIST_HEAD(&h->chains);
778 strcpy(h->info.name, tablename);
779
780 h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + size);
781 if (!h->entries)
782 goto out_free_handle;
783
784 strcpy(h->entries->name, tablename);
785 h->entries->size = size;
786
787 return h;
788
789 out_free_handle:
790 free(h);
791
792 return NULL;
793 }
794
795
796 TC_HANDLE_T
797 TC_INIT(const char *tablename)
798 {
799 TC_HANDLE_T h;
800 STRUCT_GETINFO info;
801 unsigned int tmp;
802 socklen_t s;
803
804 iptc_fn = TC_INIT;
805
806 if (strlen(tablename) >= TABLE_MAXNAMELEN) {
807 errno = EINVAL;
808 return NULL;
809 }
810
811 if (sockfd_use == 0) {
812 sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
813 if (sockfd < 0)
814 return NULL;
815 }
816 sockfd_use++;
817
818 s = sizeof(info);
819
820 strcpy(info.name, tablename);
821 if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, &info, &s) < 0) {
822 if (--sockfd_use == 0) {
823 close(sockfd);
824 sockfd = -1;
825 }
826 return NULL;
827 }
828
829 DEBUGP("valid_hooks=0x%08x, num_entries=%u, size=%u\n",
830 info.valid_hooks, info.num_entries, info.size);
831
832 if ((h = alloc_handle(info.name, info.size, info.num_entries))
833 == NULL) {
834 if (--sockfd_use == 0) {
835 close(sockfd);
836 sockfd = -1;
837 }
838 return NULL;
839 }
840
841 /* Initialize current state */
842 h->info = info;
843
844 h->entries->size = h->info.size;
845
846 tmp = sizeof(STRUCT_GET_ENTRIES) + h->info.size;
847
848 if (getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, h->entries,
849 &tmp) < 0)
850 goto error;
851
852 #ifdef IPTC_DEBUG2
853 {
854 int fd = open("/tmp/libiptc-so_get_entries.blob",
855 O_CREAT|O_WRONLY);
856 if (fd >= 0) {
857 write(fd, h->entries, tmp);
858 close(fd);
859 }
860 }
861 #endif
862
863 if (parse_table(h) < 0)
864 goto error;
865
866 CHECK(h);
867 return h;
868 error:
869 if (--sockfd_use == 0) {
870 close(sockfd);
871 sockfd = -1;
872 }
873 TC_FREE(&h);
874 return NULL;
875 }
876
877 void
878 TC_FREE(TC_HANDLE_T *h)
879 {
880 struct chain_head *c, *tmp;
881
882 iptc_fn = TC_FREE;
883 if (--sockfd_use == 0) {
884 close(sockfd);
885 sockfd = -1;
886 }
887
888 list_for_each_entry_safe(c, tmp, &(*h)->chains, list) {
889 struct rule_head *r, *rtmp;
890
891 list_for_each_entry_safe(r, rtmp, &c->rules, list) {
892 free(r);
893 }
894
895 free(c);
896 }
897
898 free((*h)->entries);
899 free(*h);
900
901 *h = NULL;
902 }
903
904 static inline int
905 print_match(const STRUCT_ENTRY_MATCH *m)
906 {
907 printf("Match name: `%s'\n", m->u.user.name);
908 return 0;
909 }
910
911 #if 0
912 static int dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle);
913 #endif
914
915 void
916 TC_DUMP_ENTRIES(const TC_HANDLE_T handle)
917 {
918 iptc_fn = TC_DUMP_ENTRIES;
919 CHECK(handle);
920 #if 0
921 printf("libiptc v%s. %u bytes.\n",
922 IPTABLES_VERSION, handle->entries->size);
923 printf("Table `%s'\n", handle->info.name);
924 printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
925 handle->info.hook_entry[HOOK_PRE_ROUTING],
926 handle->info.hook_entry[HOOK_LOCAL_IN],
927 handle->info.hook_entry[HOOK_FORWARD],
928 handle->info.hook_entry[HOOK_LOCAL_OUT],
929 handle->info.hook_entry[HOOK_POST_ROUTING]);
930 printf("Underflows: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
931 handle->info.underflow[HOOK_PRE_ROUTING],
932 handle->info.underflow[HOOK_LOCAL_IN],
933 handle->info.underflow[HOOK_FORWARD],
934 handle->info.underflow[HOOK_LOCAL_OUT],
935 handle->info.underflow[HOOK_POST_ROUTING]);
936
937 ENTRY_ITERATE(handle->entries->entrytable, handle->entries->size,
938 dump_entry, handle);
939 #endif
940 }
941
942 /* Does this chain exist? */
943 int TC_IS_CHAIN(const char *chain, const TC_HANDLE_T handle)
944 {
945 iptc_fn = TC_IS_CHAIN;
946 return iptcc_find_label(chain, handle) != NULL;
947 }
948
949 static void iptcc_chain_iterator_advance(TC_HANDLE_T handle)
950 {
951 struct chain_head *c = handle->chain_iterator_cur;
952
953 if (c->list.next == &handle->chains)
954 handle->chain_iterator_cur = NULL;
955 else
956 handle->chain_iterator_cur =
957 list_entry(c->list.next, struct chain_head, list);
958 }
959
960 /* Iterator functions to run through the chains. */
961 const char *
962 TC_FIRST_CHAIN(TC_HANDLE_T *handle)
963 {
964 struct chain_head *c = list_entry((*handle)->chains.next,
965 struct chain_head, list);
966
967 iptc_fn = TC_FIRST_CHAIN;
968
969
970 if (list_empty(&(*handle)->chains)) {
971 DEBUGP(": no chains\n");
972 return NULL;
973 }
974
975 (*handle)->chain_iterator_cur = c;
976 iptcc_chain_iterator_advance(*handle);
977
978 DEBUGP(": returning `%s'\n", c->name);
979 return c->name;
980 }
981
982 /* Iterator functions to run through the chains. Returns NULL at end. */
983 const char *
984 TC_NEXT_CHAIN(TC_HANDLE_T *handle)
985 {
986 struct chain_head *c = (*handle)->chain_iterator_cur;
987
988 iptc_fn = TC_NEXT_CHAIN;
989
990 if (!c) {
991 DEBUGP(": no more chains\n");
992 return NULL;
993 }
994
995 iptcc_chain_iterator_advance(*handle);
996
997 DEBUGP(": returning `%s'\n", c->name);
998 return c->name;
999 }
1000
1001 /* Get first rule in the given chain: NULL for empty chain. */
1002 const STRUCT_ENTRY *
1003 TC_FIRST_RULE(const char *chain, TC_HANDLE_T *handle)
1004 {
1005 struct chain_head *c;
1006 struct rule_head *r;
1007
1008 iptc_fn = TC_FIRST_RULE;
1009
1010 DEBUGP("first rule(%s): ", chain);
1011
1012 c = iptcc_find_label(chain, *handle);
1013 if (!c) {
1014 errno = ENOENT;
1015 return NULL;
1016 }
1017
1018 /* Empty chain: single return/policy rule */
1019 if (list_empty(&c->rules)) {
1020 DEBUGP_C("no rules, returning NULL\n");
1021 return NULL;
1022 }
1023
1024 r = list_entry(c->rules.next, struct rule_head, list);
1025 (*handle)->rule_iterator_cur = r;
1026 DEBUGP_C("%p\n", r);
1027
1028 return r->entry;
1029 }
1030
1031 /* Returns NULL when rules run out. */
1032 const STRUCT_ENTRY *
1033 TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
1034 {
1035 struct rule_head *r;
1036
1037 iptc_fn = TC_NEXT_RULE;
1038 DEBUGP("rule_iterator_cur=%p...", (*handle)->rule_iterator_cur);
1039
1040 if (!(*handle)->rule_iterator_cur) {
1041 DEBUGP_C("returning NULL\n");
1042 return NULL;
1043 }
1044
1045 r = list_entry((*handle)->rule_iterator_cur->list.next,
1046 struct rule_head, list);
1047
1048 iptc_fn = TC_NEXT_RULE;
1049
1050 DEBUGP_C("next=%p, head=%p...", &r->list,
1051 &(*handle)->rule_iterator_cur->chain->rules);
1052
1053 if (&r->list == &(*handle)->rule_iterator_cur->chain->rules) {
1054 (*handle)->rule_iterator_cur = NULL;
1055 DEBUGP_C("finished, returning NULL\n");
1056 return NULL;
1057 }
1058
1059 (*handle)->rule_iterator_cur = r;
1060
1061 /* NOTE: prev is without any influence ! */
1062 DEBUGP_C("returning rule %p\n", r);
1063 return r->entry;
1064 }
1065
1066 /* How many rules in this chain? */
1067 unsigned int
1068 TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
1069 {
1070 struct chain_head *c;
1071 iptc_fn = TC_NUM_RULES;
1072 CHECK(*handle);
1073
1074 c = iptcc_find_label(chain, *handle);
1075 if (!c) {
1076 errno = ENOENT;
1077 return (unsigned int)-1;
1078 }
1079
1080 return c->num_rules;
1081 }
1082
1083 const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
1084 unsigned int n,
1085 TC_HANDLE_T *handle)
1086 {
1087 struct chain_head *c;
1088 struct rule_head *r;
1089
1090 iptc_fn = TC_GET_RULE;
1091
1092 CHECK(*handle);
1093
1094 c = iptcc_find_label(chain, *handle);
1095 if (!c) {
1096 errno = ENOENT;
1097 return NULL;
1098 }
1099
1100 r = iptcc_get_rule_num(c, n);
1101 if (!r)
1102 return NULL;
1103 return r->entry;
1104 }
1105
1106 /* Returns a pointer to the target name of this position. */
1107 const char *standard_target_map(int verdict)
1108 {
1109 switch (verdict) {
1110 case RETURN:
1111 return LABEL_RETURN;
1112 break;
1113 case -NF_ACCEPT-1:
1114 return LABEL_ACCEPT;
1115 break;
1116 case -NF_DROP-1:
1117 return LABEL_DROP;
1118 break;
1119 case -NF_QUEUE-1:
1120 return LABEL_QUEUE;
1121 break;
1122 default:
1123 fprintf(stderr, "ERROR: %d not a valid target)\n",
1124 verdict);
1125 abort();
1126 break;
1127 }
1128 /* not reached */
1129 return NULL;
1130 }
1131
1132 /* Returns a pointer to the target name of this position. */
1133 const char *TC_GET_TARGET(const STRUCT_ENTRY *ce,
1134 TC_HANDLE_T *handle)
1135 {
1136 STRUCT_ENTRY *e = (STRUCT_ENTRY *)ce;
1137 struct rule_head *r = container_of(e, struct rule_head, entry[0]);
1138
1139 iptc_fn = TC_GET_TARGET;
1140
1141 switch(r->type) {
1142 int spos;
1143 case IPTCC_R_FALLTHROUGH:
1144 return "";
1145 break;
1146 case IPTCC_R_JUMP:
1147 DEBUGP("r=%p, jump=%p, name=`%s'\n", r, r->jump, r->jump->name);
1148 return r->jump->name;
1149 break;
1150 case IPTCC_R_STANDARD:
1151 spos = *(int *)GET_TARGET(e)->data;
1152 DEBUGP("r=%p, spos=%d'\n", r, spos);
1153 return standard_target_map(spos);
1154 break;
1155 case IPTCC_R_MODULE:
1156 return GET_TARGET(e)->u.user.name;
1157 break;
1158 }
1159 return NULL;
1160 }
1161 /* Is this a built-in chain? Actually returns hook + 1. */
1162 int
1163 TC_BUILTIN(const char *chain, const TC_HANDLE_T handle)
1164 {
1165 struct chain_head *c;
1166
1167 iptc_fn = TC_BUILTIN;
1168
1169 c = iptcc_find_label(chain, handle);
1170 if (!c) {
1171 errno = ENOENT;
1172 return 0;
1173 }
1174
1175 return iptcc_is_builtin(c);
1176 }
1177
1178 /* Get the policy of a given built-in chain */
1179 const char *
1180 TC_GET_POLICY(const char *chain,
1181 STRUCT_COUNTERS *counters,
1182 TC_HANDLE_T *handle)
1183 {
1184 struct chain_head *c;
1185
1186 iptc_fn = TC_GET_POLICY;
1187
1188 DEBUGP("called for chain %s\n", chain);
1189
1190 c = iptcc_find_label(chain, *handle);
1191 if (!c) {
1192 errno = ENOENT;
1193 return NULL;
1194 }
1195
1196 if (!iptcc_is_builtin(c))
1197 return NULL;
1198
1199 *counters = c->counters;
1200
1201 return standard_target_map(c->verdict);
1202 }
1203
1204 static int
1205 iptcc_standard_map(struct rule_head *r, int verdict)
1206 {
1207 STRUCT_ENTRY *e = r->entry;
1208 STRUCT_STANDARD_TARGET *t;
1209
1210 t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
1211
1212 if (t->target.u.target_size
1213 != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
1214 errno = EINVAL;
1215 return 0;
1216 }
1217 /* memset for memcmp convenience on delete/replace */
1218 memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
1219 strcpy(t->target.u.user.name, STANDARD_TARGET);
1220 t->verdict = verdict;
1221
1222 r->type = IPTCC_R_STANDARD;
1223
1224 return 1;
1225 }
1226
1227 static int
1228 iptcc_map_target(const TC_HANDLE_T handle,
1229 struct rule_head *r)
1230 {
1231 STRUCT_ENTRY *e = r->entry;
1232 STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
1233
1234 /* Maybe it's empty (=> fall through) */
1235 if (strcmp(t->u.user.name, "") == 0) {
1236 r->type = IPTCC_R_FALLTHROUGH;
1237 return 1;
1238 }
1239 /* Maybe it's a standard target name... */
1240 else if (strcmp(t->u.user.name, LABEL_ACCEPT) == 0)
1241 return iptcc_standard_map(r, -NF_ACCEPT - 1);
1242 else if (strcmp(t->u.user.name, LABEL_DROP) == 0)
1243 return iptcc_standard_map(r, -NF_DROP - 1);
1244 else if (strcmp(t->u.user.name, LABEL_QUEUE) == 0)
1245 return iptcc_standard_map(r, -NF_QUEUE - 1);
1246 else if (strcmp(t->u.user.name, LABEL_RETURN) == 0)
1247 return iptcc_standard_map(r, RETURN);
1248 else if (TC_BUILTIN(t->u.user.name, handle)) {
1249 /* Can't jump to builtins. */
1250 errno = EINVAL;
1251 return 0;
1252 } else {
1253 /* Maybe it's an existing chain name. */
1254 struct chain_head *c;
1255 DEBUGP("trying to find chain `%s': ", t->u.user.name);
1256
1257 c = iptcc_find_label(t->u.user.name, handle);
1258 if (c) {
1259 DEBUGP_C("found!\n");
1260 r->type = IPTCC_R_JUMP;
1261 r->jump = c;
1262 c->references++;
1263 return 1;
1264 }
1265 DEBUGP_C("not found :(\n");
1266 }
1267
1268 /* Must be a module? If not, kernel will reject... */
1269 /* memset to all 0 for your memcmp convenience: don't clear version */
1270 memset(t->u.user.name + strlen(t->u.user.name),
1271 0,
1272 FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name));
1273 r->type = IPTCC_R_MODULE;
1274 set_changed(handle);
1275 return 1;
1276 }
1277
1278 /* Insert the entry `fw' in chain `chain' into position `rulenum'. */
1279 int
1280 TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
1281 const STRUCT_ENTRY *e,
1282 unsigned int rulenum,
1283 TC_HANDLE_T *handle)
1284 {
1285 struct chain_head *c;
1286 struct rule_head *r;
1287 struct list_head *prev;
1288
1289 iptc_fn = TC_INSERT_ENTRY;
1290
1291 if (!(c = iptcc_find_label(chain, *handle))) {
1292 errno = ENOENT;
1293 return 0;
1294 }
1295
1296 /* first rulenum index = 0
1297 first c->num_rules index = 1 */
1298 if (rulenum > c->num_rules) {
1299 errno = E2BIG;
1300 return 0;
1301 }
1302
1303 /* If we are inserting at the end just take advantage of the
1304 double linked list, insert will happen before the entry
1305 prev points to. */
1306 if (rulenum == c->num_rules) {
1307 prev = &c->rules;
1308 } else if (rulenum + 1 <= c->num_rules/2) {
1309 r = iptcc_get_rule_num(c, rulenum + 1);
1310 prev = &r->list;
1311 } else {
1312 r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
1313 prev = &r->list;
1314 }
1315
1316 if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
1317 errno = ENOMEM;
1318 return 0;
1319 }
1320
1321 memcpy(r->entry, e, e->next_offset);
1322 r->counter_map.maptype = COUNTER_MAP_SET;
1323
1324 if (!iptcc_map_target(*handle, r)) {
1325 free(r);
1326 return 0;
1327 }
1328
1329 list_add_tail(&r->list, prev);
1330 c->num_rules++;
1331
1332 set_changed(*handle);
1333
1334 return 1;
1335 }
1336
1337 /* Atomically replace rule `rulenum' in `chain' with `fw'. */
1338 int
1339 TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
1340 const STRUCT_ENTRY *e,
1341 unsigned int rulenum,
1342 TC_HANDLE_T *handle)
1343 {
1344 struct chain_head *c;
1345 struct rule_head *r, *old;
1346
1347 iptc_fn = TC_REPLACE_ENTRY;
1348
1349 if (!(c = iptcc_find_label(chain, *handle))) {
1350 errno = ENOENT;
1351 return 0;
1352 }
1353
1354 if (rulenum >= c->num_rules) {
1355 errno = E2BIG;
1356 return 0;
1357 }
1358
1359 /* Take advantage of the double linked list if possible. */
1360 if (rulenum + 1 <= c->num_rules/2) {
1361 old = iptcc_get_rule_num(c, rulenum + 1);
1362 } else {
1363 old = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
1364 }
1365
1366 if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
1367 errno = ENOMEM;
1368 return 0;
1369 }
1370
1371 memcpy(r->entry, e, e->next_offset);
1372 r->counter_map.maptype = COUNTER_MAP_SET;
1373
1374 if (!iptcc_map_target(*handle, r)) {
1375 free(r);
1376 return 0;
1377 }
1378
1379 list_add(&r->list, &old->list);
1380 iptcc_delete_rule(old);
1381
1382 set_changed(*handle);
1383
1384 return 1;
1385 }
1386
1387 /* Append entry `fw' to chain `chain'. Equivalent to insert with
1388 rulenum = length of chain. */
1389 int
1390 TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
1391 const STRUCT_ENTRY *e,
1392 TC_HANDLE_T *handle)
1393 {
1394 struct chain_head *c;
1395 struct rule_head *r;
1396
1397 iptc_fn = TC_APPEND_ENTRY;
1398 if (!(c = iptcc_find_label(chain, *handle))) {
1399 DEBUGP("unable to find chain `%s'\n", chain);
1400 errno = ENOENT;
1401 return 0;
1402 }
1403
1404 if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
1405 DEBUGP("unable to allocate rule for chain `%s'\n", chain);
1406 errno = ENOMEM;
1407 return 0;
1408 }
1409
1410 memcpy(r->entry, e, e->next_offset);
1411 r->counter_map.maptype = COUNTER_MAP_SET;
1412
1413 if (!iptcc_map_target(*handle, r)) {
1414 DEBUGP("unable to map target of rule for chain `%s'\n", chain);
1415 free(r);
1416 return 0;
1417 }
1418
1419 list_add_tail(&r->list, &c->rules);
1420 c->num_rules++;
1421
1422 set_changed(*handle);
1423
1424 return 1;
1425 }
1426
1427 static inline int
1428 match_different(const STRUCT_ENTRY_MATCH *a,
1429 const unsigned char *a_elems,
1430 const unsigned char *b_elems,
1431 unsigned char **maskptr)
1432 {
1433 const STRUCT_ENTRY_MATCH *b;
1434 unsigned int i;
1435
1436 /* Offset of b is the same as a. */
1437 b = (void *)b_elems + ((unsigned char *)a - a_elems);
1438
1439 if (a->u.match_size != b->u.match_size)
1440 return 1;
1441
1442 if (strcmp(a->u.user.name, b->u.user.name) != 0)
1443 return 1;
1444
1445 *maskptr += ALIGN(sizeof(*a));
1446
1447 for (i = 0; i < a->u.match_size - ALIGN(sizeof(*a)); i++)
1448 if (((a->data[i] ^ b->data[i]) & (*maskptr)[i]) != 0)
1449 return 1;
1450 *maskptr += i;
1451 return 0;
1452 }
1453
1454 static inline int
1455 target_same(struct rule_head *a, struct rule_head *b,const unsigned char *mask)
1456 {
1457 unsigned int i;
1458 STRUCT_ENTRY_TARGET *ta, *tb;
1459
1460 if (a->type != b->type)
1461 return 0;
1462
1463 ta = GET_TARGET(a->entry);
1464 tb = GET_TARGET(b->entry);
1465
1466 switch (a->type) {
1467 case IPTCC_R_FALLTHROUGH:
1468 return 1;
1469 case IPTCC_R_JUMP:
1470 return a->jump == b->jump;
1471 case IPTCC_R_STANDARD:
1472 return ((STRUCT_STANDARD_TARGET *)ta)->verdict
1473 == ((STRUCT_STANDARD_TARGET *)tb)->verdict;
1474 case IPTCC_R_MODULE:
1475 if (ta->u.target_size != tb->u.target_size)
1476 return 0;
1477 if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
1478 return 0;
1479
1480 for (i = 0; i < ta->u.target_size - sizeof(*ta); i++)
1481 if (((ta->data[i] ^ tb->data[i]) & mask[i]) != 0)
1482 return 0;
1483 return 1;
1484 default:
1485 fprintf(stderr, "ERROR: bad type %i\n", a->type);
1486 abort();
1487 }
1488 }
1489
1490 static unsigned char *
1491 is_same(const STRUCT_ENTRY *a,
1492 const STRUCT_ENTRY *b,
1493 unsigned char *matchmask);
1494
1495 /* Delete the first rule in `chain' which matches `fw'. */
1496 int
1497 TC_DELETE_ENTRY(const IPT_CHAINLABEL chain,
1498 const STRUCT_ENTRY *origfw,
1499 unsigned char *matchmask,
1500 TC_HANDLE_T *handle)
1501 {
1502 struct chain_head *c;
1503 struct rule_head *r, *i;
1504
1505 iptc_fn = TC_DELETE_ENTRY;
1506 if (!(c = iptcc_find_label(chain, *handle))) {
1507 errno = ENOENT;
1508 return 0;
1509 }
1510
1511 /* Create a rule_head from origfw. */
1512 r = iptcc_alloc_rule(c, origfw->next_offset);
1513 if (!r) {
1514 errno = ENOMEM;
1515 return 0;
1516 }
1517
1518 memcpy(r->entry, origfw, origfw->next_offset);
1519 r->counter_map.maptype = COUNTER_MAP_NOMAP;
1520 if (!iptcc_map_target(*handle, r)) {
1521 DEBUGP("unable to map target of rule for chain `%s'\n", chain);
1522 free(r);
1523 return 0;
1524 } else {
1525 /* iptcc_map_target increment target chain references
1526 * since this is a fake rule only used for matching
1527 * the chain references count is decremented again.
1528 */
1529 if (r->type == IPTCC_R_JUMP
1530 && r->jump)
1531 r->jump->references--;
1532 }
1533
1534 list_for_each_entry(i, &c->rules, list) {
1535 unsigned char *mask;
1536
1537 mask = is_same(r->entry, i->entry, matchmask);
1538 if (!mask)
1539 continue;
1540
1541 if (!target_same(r, i, mask))
1542 continue;
1543
1544 /* If we are about to delete the rule that is the
1545 * current iterator, move rule iterator back. next
1546 * pointer will then point to real next node */
1547 if (i == (*handle)->rule_iterator_cur) {
1548 (*handle)->rule_iterator_cur =
1549 list_entry((*handle)->rule_iterator_cur->list.prev,
1550 struct rule_head, list);
1551 }
1552
1553 c->num_rules--;
1554 iptcc_delete_rule(i);
1555
1556 set_changed(*handle);
1557 free(r);
1558 return 1;
1559 }
1560
1561 free(r);
1562 errno = ENOENT;
1563 return 0;
1564 }
1565
1566
1567 /* Delete the rule in position `rulenum' in `chain'. */
1568 int
1569 TC_DELETE_NUM_ENTRY(const IPT_CHAINLABEL chain,
1570 unsigned int rulenum,
1571 TC_HANDLE_T *handle)
1572 {
1573 struct chain_head *c;
1574 struct rule_head *r;
1575
1576 iptc_fn = TC_DELETE_NUM_ENTRY;
1577
1578 if (!(c = iptcc_find_label(chain, *handle))) {
1579 errno = ENOENT;
1580 return 0;
1581 }
1582
1583 if (rulenum >= c->num_rules) {
1584 errno = E2BIG;
1585 return 0;
1586 }
1587
1588 /* Take advantage of the double linked list if possible. */
1589 if (rulenum + 1 <= c->num_rules/2) {
1590 r = iptcc_get_rule_num(c, rulenum + 1);
1591 } else {
1592 r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
1593 }
1594
1595 /* If we are about to delete the rule that is the current
1596 * iterator, move rule iterator back. next pointer will then
1597 * point to real next node */
1598 if (r == (*handle)->rule_iterator_cur) {
1599 (*handle)->rule_iterator_cur =
1600 list_entry((*handle)->rule_iterator_cur->list.prev,
1601 struct rule_head, list);
1602 }
1603
1604 c->num_rules--;
1605 iptcc_delete_rule(r);
1606
1607 set_changed(*handle);
1608
1609 return 1;
1610 }
1611
1612 /* Check the packet `fw' on chain `chain'. Returns the verdict, or
1613 NULL and sets errno. */
1614 const char *
1615 TC_CHECK_PACKET(const IPT_CHAINLABEL chain,
1616 STRUCT_ENTRY *entry,
1617 TC_HANDLE_T *handle)
1618 {
1619 iptc_fn = TC_CHECK_PACKET;
1620 errno = ENOSYS;
1621 return NULL;
1622 }
1623
1624 /* Flushes the entries in the given chain (ie. empties chain). */
1625 int
1626 TC_FLUSH_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1627 {
1628 struct chain_head *c;
1629 struct rule_head *r, *tmp;
1630
1631 iptc_fn = TC_FLUSH_ENTRIES;
1632 if (!(c = iptcc_find_label(chain, *handle))) {
1633 errno = ENOENT;
1634 return 0;
1635 }
1636
1637 list_for_each_entry_safe(r, tmp, &c->rules, list) {
1638 iptcc_delete_rule(r);
1639 }
1640
1641 c->num_rules = 0;
1642
1643 set_changed(*handle);
1644
1645 return 1;
1646 }
1647
1648 /* Zeroes the counters in a chain. */
1649 int
1650 TC_ZERO_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1651 {
1652 struct chain_head *c;
1653 struct rule_head *r;
1654
1655 iptc_fn = TC_ZERO_ENTRIES;
1656 if (!(c = iptcc_find_label(chain, *handle))) {
1657 errno = ENOENT;
1658 return 0;
1659 }
1660
1661 if (c->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
1662 c->counter_map.maptype = COUNTER_MAP_ZEROED;
1663
1664 list_for_each_entry(r, &c->rules, list) {
1665 if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
1666 r->counter_map.maptype = COUNTER_MAP_ZEROED;
1667 }
1668
1669 set_changed(*handle);
1670
1671 return 1;
1672 }
1673
1674 STRUCT_COUNTERS *
1675 TC_READ_COUNTER(const IPT_CHAINLABEL chain,
1676 unsigned int rulenum,
1677 TC_HANDLE_T *handle)
1678 {
1679 struct chain_head *c;
1680 struct rule_head *r;
1681
1682 iptc_fn = TC_READ_COUNTER;
1683 CHECK(*handle);
1684
1685 if (!(c = iptcc_find_label(chain, *handle))) {
1686 errno = ENOENT;
1687 return NULL;
1688 }
1689
1690 if (!(r = iptcc_get_rule_num(c, rulenum))) {
1691 errno = E2BIG;
1692 return NULL;
1693 }
1694
1695 return &r->entry[0].counters;
1696 }
1697
1698 int
1699 TC_ZERO_COUNTER(const IPT_CHAINLABEL chain,
1700 unsigned int rulenum,
1701 TC_HANDLE_T *handle)
1702 {
1703 struct chain_head *c;
1704 struct rule_head *r;
1705
1706 iptc_fn = TC_ZERO_COUNTER;
1707 CHECK(*handle);
1708
1709 if (!(c = iptcc_find_label(chain, *handle))) {
1710 errno = ENOENT;
1711 return 0;
1712 }
1713
1714 if (!(r = iptcc_get_rule_num(c, rulenum))) {
1715 errno = E2BIG;
1716 return 0;
1717 }
1718
1719 if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
1720 r->counter_map.maptype = COUNTER_MAP_ZEROED;
1721
1722 set_changed(*handle);
1723
1724 return 1;
1725 }
1726
1727 int
1728 TC_SET_COUNTER(const IPT_CHAINLABEL chain,
1729 unsigned int rulenum,
1730 STRUCT_COUNTERS *counters,
1731 TC_HANDLE_T *handle)
1732 {
1733 struct chain_head *c;
1734 struct rule_head *r;
1735 STRUCT_ENTRY *e;
1736
1737 iptc_fn = TC_SET_COUNTER;
1738 CHECK(*handle);
1739
1740 if (!(c = iptcc_find_label(chain, *handle))) {
1741 errno = ENOENT;
1742 return 0;
1743 }
1744
1745 if (!(r = iptcc_get_rule_num(c, rulenum))) {
1746 errno = E2BIG;
1747 return 0;
1748 }
1749
1750 e = r->entry;
1751 r->counter_map.maptype = COUNTER_MAP_SET;
1752
1753 memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS));
1754
1755 set_changed(*handle);
1756
1757 return 1;
1758 }
1759
1760 /* Creates a new chain. */
1761 /* To create a chain, create two rules: error node and unconditional
1762 * return. */
1763 int
1764 TC_CREATE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1765 {
1766 static struct chain_head *c;
1767
1768 iptc_fn = TC_CREATE_CHAIN;
1769
1770 /* find_label doesn't cover built-in targets: DROP, ACCEPT,
1771 QUEUE, RETURN. */
1772 if (iptcc_find_label(chain, *handle)
1773 || strcmp(chain, LABEL_DROP) == 0
1774 || strcmp(chain, LABEL_ACCEPT) == 0
1775 || strcmp(chain, LABEL_QUEUE) == 0
1776 || strcmp(chain, LABEL_RETURN) == 0) {
1777 DEBUGP("Chain `%s' already exists\n", chain);
1778 errno = EEXIST;
1779 return 0;
1780 }
1781
1782 if (strlen(chain)+1 > sizeof(IPT_CHAINLABEL)) {
1783 DEBUGP("Chain name `%s' too long\n", chain);
1784 errno = EINVAL;
1785 return 0;
1786 }
1787
1788 c = iptcc_alloc_chain_head(chain, 0);
1789 if (!c) {
1790 DEBUGP("Cannot allocate memory for chain `%s'\n", chain);
1791 errno = ENOMEM;
1792 return 0;
1793
1794 }
1795
1796 DEBUGP("Creating chain `%s'\n", chain);
1797 list_add_tail(&c->list, &(*handle)->chains);
1798
1799 set_changed(*handle);
1800
1801 return 1;
1802 }
1803
1804 /* Get the number of references to this chain. */
1805 int
1806 TC_GET_REFERENCES(unsigned int *ref, const IPT_CHAINLABEL chain,
1807 TC_HANDLE_T *handle)
1808 {
1809 struct chain_head *c;
1810
1811 iptc_fn = TC_GET_REFERENCES;
1812 if (!(c = iptcc_find_label(chain, *handle))) {
1813 errno = ENOENT;
1814 return 0;
1815 }
1816
1817 *ref = c->references;
1818
1819 return 1;
1820 }
1821
1822 /* Deletes a chain. */
1823 int
1824 TC_DELETE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
1825 {
1826 unsigned int references;
1827 struct chain_head *c;
1828
1829 iptc_fn = TC_DELETE_CHAIN;
1830
1831 if (!(c = iptcc_find_label(chain, *handle))) {
1832 DEBUGP("cannot find chain `%s'\n", chain);
1833 errno = ENOENT;
1834 return 0;
1835 }
1836
1837 if (TC_BUILTIN(chain, *handle)) {
1838 DEBUGP("cannot remove builtin chain `%s'\n", chain);
1839 errno = EINVAL;
1840 return 0;
1841 }
1842
1843 if (!TC_GET_REFERENCES(&references, chain, handle)) {
1844 DEBUGP("cannot get references on chain `%s'\n", chain);
1845 return 0;
1846 }
1847
1848 if (references > 0) {
1849 DEBUGP("chain `%s' still has references\n", chain);
1850 errno = EMLINK;
1851 return 0;
1852 }
1853
1854 if (c->num_rules) {
1855 DEBUGP("chain `%s' is not empty\n", chain);
1856 errno = ENOTEMPTY;
1857 return 0;
1858 }
1859
1860 /* If we are about to delete the chain that is the current
1861 * iterator, move chain iterator firward. */
1862 if (c == (*handle)->chain_iterator_cur)
1863 iptcc_chain_iterator_advance(*handle);
1864
1865 list_del(&c->list);
1866 free(c);
1867
1868 DEBUGP("chain `%s' deleted\n", chain);
1869
1870 set_changed(*handle);
1871
1872 return 1;
1873 }
1874
1875 /* Renames a chain. */
1876 int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
1877 const IPT_CHAINLABEL newname,
1878 TC_HANDLE_T *handle)
1879 {
1880 struct chain_head *c;
1881 iptc_fn = TC_RENAME_CHAIN;
1882
1883 /* find_label doesn't cover built-in targets: DROP, ACCEPT,
1884 QUEUE, RETURN. */
1885 if (iptcc_find_label(newname, *handle)
1886 || strcmp(newname, LABEL_DROP) == 0
1887 || strcmp(newname, LABEL_ACCEPT) == 0
1888 || strcmp(newname, LABEL_QUEUE) == 0
1889 || strcmp(newname, LABEL_RETURN) == 0) {
1890 errno = EEXIST;
1891 return 0;
1892 }
1893
1894 if (!(c = iptcc_find_label(oldname, *handle))
1895 || TC_BUILTIN(oldname, *handle)) {
1896 errno = ENOENT;
1897 return 0;
1898 }
1899
1900 if (strlen(newname)+1 > sizeof(IPT_CHAINLABEL)) {
1901 errno = EINVAL;
1902 return 0;
1903 }
1904
1905 strncpy(c->name, newname, sizeof(IPT_CHAINLABEL));
1906
1907 set_changed(*handle);
1908
1909 return 1;
1910 }
1911
1912 /* Sets the policy on a built-in chain. */
1913 int
1914 TC_SET_POLICY(const IPT_CHAINLABEL chain,
1915 const IPT_CHAINLABEL policy,
1916 STRUCT_COUNTERS *counters,
1917 TC_HANDLE_T *handle)
1918 {
1919 struct chain_head *c;
1920
1921 iptc_fn = TC_SET_POLICY;
1922
1923 if (!(c = iptcc_find_label(chain, *handle))) {
1924 DEBUGP("cannot find chain `%s'\n", chain);
1925 errno = ENOENT;
1926 return 0;
1927 }
1928
1929 if (!iptcc_is_builtin(c)) {
1930 DEBUGP("cannot set policy of userdefinedchain `%s'\n", chain);
1931 errno = ENOENT;
1932 return 0;
1933 }
1934
1935 if (strcmp(policy, LABEL_ACCEPT) == 0)
1936 c->verdict = -NF_ACCEPT - 1;
1937 else if (strcmp(policy, LABEL_DROP) == 0)
1938 c->verdict = -NF_DROP - 1;
1939 else {
1940 errno = EINVAL;
1941 return 0;
1942 }
1943
1944 if (counters) {
1945 /* set byte and packet counters */
1946 memcpy(&c->counters, counters, sizeof(STRUCT_COUNTERS));
1947 c->counter_map.maptype = COUNTER_MAP_SET;
1948 } else {
1949 c->counter_map.maptype = COUNTER_MAP_NOMAP;
1950 }
1951
1952 set_changed(*handle);
1953
1954 return 1;
1955 }
1956
1957 /* Without this, on gcc 2.7.2.3, we get:
1958 libiptc.c: In function `TC_COMMIT':
1959 libiptc.c:833: fixed or forbidden register was spilled.
1960 This may be due to a compiler bug or to impossible asm
1961 statements or clauses.
1962 */
1963 static void
1964 subtract_counters(STRUCT_COUNTERS *answer,
1965 const STRUCT_COUNTERS *a,
1966 const STRUCT_COUNTERS *b)
1967 {
1968 answer->pcnt = a->pcnt - b->pcnt;
1969 answer->bcnt = a->bcnt - b->bcnt;
1970 }
1971
1972
1973 static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters,
1974 unsigned int index)
1975 {
1976 newcounters->counters[index] = ((STRUCT_COUNTERS) { 0, 0});
1977 DEBUGP_C("NOMAP => zero\n");
1978 }
1979
1980 static void counters_normal_map(STRUCT_COUNTERS_INFO *newcounters,
1981 STRUCT_REPLACE *repl,
1982 unsigned int index,
1983 unsigned int mappos)
1984 {
1985 /* Original read: X.
1986 * Atomic read on replacement: X + Y.
1987 * Currently in kernel: Z.
1988 * Want in kernel: X + Y + Z.
1989 * => Add in X + Y
1990 * => Add in replacement read.
1991 */
1992 newcounters->counters[index] = repl->counters[mappos];
1993 DEBUGP_C("NORMAL_MAP => mappos %u \n", mappos);
1994 }
1995
1996 static void counters_map_zeroed(STRUCT_COUNTERS_INFO *newcounters,
1997 STRUCT_REPLACE *repl,
1998 unsigned int index,
1999 unsigned int mappos,
2000 STRUCT_COUNTERS *counters)
2001 {
2002 /* Original read: X.
2003 * Atomic read on replacement: X + Y.
2004 * Currently in kernel: Z.
2005 * Want in kernel: Y + Z.
2006 * => Add in Y.
2007 * => Add in (replacement read - original read).
2008 */
2009 subtract_counters(&newcounters->counters[index],
2010 &repl->counters[mappos],
2011 counters);
2012 DEBUGP_C("ZEROED => mappos %u\n", mappos);
2013 }
2014
2015 static void counters_map_set(STRUCT_COUNTERS_INFO *newcounters,
2016 unsigned int index,
2017 STRUCT_COUNTERS *counters)
2018 {
2019 /* Want to set counter (iptables-restore) */
2020
2021 memcpy(&newcounters->counters[index], counters,
2022 sizeof(STRUCT_COUNTERS));
2023
2024 DEBUGP_C("SET\n");
2025 }
2026
2027
2028 int
2029 TC_COMMIT(TC_HANDLE_T *handle)
2030 {
2031 /* Replace, then map back the counters. */
2032 STRUCT_REPLACE *repl;
2033 STRUCT_COUNTERS_INFO *newcounters;
2034 struct chain_head *c;
2035 int ret;
2036 size_t counterlen;
2037 int new_number;
2038 unsigned int new_size;
2039
2040 iptc_fn = TC_COMMIT;
2041 CHECK(*handle);
2042
2043 /* Don't commit if nothing changed. */
2044 if (!(*handle)->changed)
2045 goto finished;
2046
2047 new_number = iptcc_compile_table_prep(*handle, &new_size);
2048 if (new_number < 0) {
2049 errno = ENOMEM;
2050 goto out_zero;
2051 }
2052
2053 repl = malloc(sizeof(*repl) + new_size);
2054 if (!repl) {
2055 errno = ENOMEM;
2056 goto out_zero;
2057 }
2058 memset(repl, 0, sizeof(*repl) + new_size);
2059
2060 #if 0
2061 TC_DUMP_ENTRIES(*handle);
2062 #endif
2063
2064 counterlen = sizeof(STRUCT_COUNTERS_INFO)
2065 + sizeof(STRUCT_COUNTERS) * new_number;
2066
2067 /* These are the old counters we will get from kernel */
2068 repl->counters = malloc(sizeof(STRUCT_COUNTERS)
2069 * (*handle)->info.num_entries);
2070 if (!repl->counters) {
2071 errno = ENOMEM;
2072 goto out_free_repl;
2073 }
2074 /* These are the counters we're going to put back, later. */
2075 newcounters = malloc(counterlen);
2076 if (!newcounters) {
2077 errno = ENOMEM;
2078 goto out_free_repl_counters;
2079 }
2080 memset(newcounters, 0, counterlen);
2081
2082 strcpy(repl->name, (*handle)->info.name);
2083 repl->num_entries = new_number;
2084 repl->size = new_size;
2085
2086 repl->num_counters = (*handle)->info.num_entries;
2087 repl->valid_hooks = (*handle)->info.valid_hooks;
2088
2089 DEBUGP("num_entries=%u, size=%u, num_counters=%u\n",
2090 repl->num_entries, repl->size, repl->num_counters);
2091
2092 ret = iptcc_compile_table(*handle, repl);
2093 if (ret < 0) {
2094 errno = ret;
2095 goto out_free_newcounters;
2096 }
2097
2098
2099 #ifdef IPTC_DEBUG2
2100 {
2101 int fd = open("/tmp/libiptc-so_set_replace.blob",
2102 O_CREAT|O_WRONLY);
2103 if (fd >= 0) {
2104 write(fd, repl, sizeof(*repl) + repl->size);
2105 close(fd);
2106 }
2107 }
2108 #endif
2109
2110 ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
2111 sizeof(*repl) + repl->size);
2112 if (ret < 0)
2113 goto out_free_newcounters;
2114
2115 /* Put counters back. */
2116 strcpy(newcounters->name, (*handle)->info.name);
2117 newcounters->num_counters = new_number;
2118
2119 list_for_each_entry(c, &(*handle)->chains, list) {
2120 struct rule_head *r;
2121
2122 /* Builtin chains have their own counters */
2123 if (iptcc_is_builtin(c)) {
2124 DEBUGP("counter for chain-index %u: ", c->foot_index);
2125 switch(c->counter_map.maptype) {
2126 case COUNTER_MAP_NOMAP:
2127 counters_nomap(newcounters, c->foot_index);
2128 break;
2129 case COUNTER_MAP_NORMAL_MAP:
2130 counters_normal_map(newcounters, repl,
2131 c->foot_index,
2132 c->counter_map.mappos);
2133 break;
2134 case COUNTER_MAP_ZEROED:
2135 counters_map_zeroed(newcounters, repl,
2136 c->foot_index,
2137 c->counter_map.mappos,
2138 &c->counters);
2139 break;
2140 case COUNTER_MAP_SET:
2141 counters_map_set(newcounters, c->foot_index,
2142 &c->counters);
2143 break;
2144 }
2145 }
2146
2147 list_for_each_entry(r, &c->rules, list) {
2148 DEBUGP("counter for index %u: ", r->index);
2149 switch (r->counter_map.maptype) {
2150 case COUNTER_MAP_NOMAP:
2151 counters_nomap(newcounters, r->index);
2152 break;
2153
2154 case COUNTER_MAP_NORMAL_MAP:
2155 counters_normal_map(newcounters, repl,
2156 r->index,
2157 r->counter_map.mappos);
2158 break;
2159
2160 case COUNTER_MAP_ZEROED:
2161 counters_map_zeroed(newcounters, repl,
2162 r->index,
2163 r->counter_map.mappos,
2164 &r->entry->counters);
2165 break;
2166
2167 case COUNTER_MAP_SET:
2168 counters_map_set(newcounters, r->index,
2169 &r->entry->counters);
2170 break;
2171 }
2172 }
2173 }
2174
2175
2176 #ifdef KERNEL_64_USERSPACE_32
2177 {
2178 /* Kernel will think that pointer should be 64-bits, and get
2179 padding. So we accomodate here (assumption: alignment of
2180 `counters' is on 64-bit boundary). */
2181 u_int64_t *kernptr = (u_int64_t *)&newcounters->counters;
2182 if ((unsigned long)&newcounters->counters % 8 != 0) {
2183 fprintf(stderr,
2184 "counters alignment incorrect! Mail rusty!\n");
2185 abort();
2186 }
2187 *kernptr = newcounters->counters;
2188 }
2189 #endif /* KERNEL_64_USERSPACE_32 */
2190
2191 #ifdef IPTC_DEBUG2
2192 {
2193 int fd = open("/tmp/libiptc-so_set_add_counters.blob",
2194 O_CREAT|O_WRONLY);
2195 if (fd >= 0) {
2196 write(fd, newcounters, counterlen);
2197 close(fd);
2198 }
2199 }
2200 #endif
2201
2202 ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
2203 newcounters, counterlen);
2204 if (ret < 0)
2205 goto out_free_newcounters;
2206
2207 free(repl->counters);
2208 free(repl);
2209 free(newcounters);
2210
2211 finished:
2212 TC_FREE(handle);
2213 return 1;
2214
2215 out_free_newcounters:
2216 free(newcounters);
2217 out_free_repl_counters:
2218 free(repl->counters);
2219 out_free_repl:
2220 free(repl);
2221 out_zero:
2222 return 0;
2223 }
2224
2225 /* Get raw socket. */
2226 int
2227 TC_GET_RAW_SOCKET()
2228 {
2229 return sockfd;
2230 }
2231
2232 /* Translates errno numbers into more human-readable form than strerror. */
2233 const char *
2234 TC_STRERROR(int err)
2235 {
2236 unsigned int i;
2237 struct table_struct {
2238 void *fn;
2239 int err;
2240 const char *message;
2241 } table [] =
2242 { { TC_INIT, EPERM, "Permission denied (you must be root)" },
2243 { TC_INIT, EINVAL, "Module is wrong version" },
2244 { TC_INIT, ENOENT,
2245 "Table does not exist (do you need to insmod?)" },
2246 { TC_DELETE_CHAIN, ENOTEMPTY, "Chain is not empty" },
2247 { TC_DELETE_CHAIN, EINVAL, "Can't delete built-in chain" },
2248 { TC_DELETE_CHAIN, EMLINK,
2249 "Can't delete chain with references left" },
2250 { TC_CREATE_CHAIN, EEXIST, "Chain already exists" },
2251 { TC_INSERT_ENTRY, E2BIG, "Index of insertion too big" },
2252 { TC_REPLACE_ENTRY, E2BIG, "Index of replacement too big" },
2253 { TC_DELETE_NUM_ENTRY, E2BIG, "Index of deletion too big" },
2254 { TC_READ_COUNTER, E2BIG, "Index of counter too big" },
2255 { TC_ZERO_COUNTER, E2BIG, "Index of counter too big" },
2256 { TC_INSERT_ENTRY, ELOOP, "Loop found in table" },
2257 { TC_INSERT_ENTRY, EINVAL, "Target problem" },
2258 /* EINVAL for CHECK probably means bad interface. */
2259 { TC_CHECK_PACKET, EINVAL,
2260 "Bad arguments (does that interface exist?)" },
2261 { TC_CHECK_PACKET, ENOSYS,
2262 "Checking will most likely never get implemented" },
2263 /* ENOENT for DELETE probably means no matching rule */
2264 { TC_DELETE_ENTRY, ENOENT,
2265 "Bad rule (does a matching rule exist in that chain?)" },
2266 { TC_SET_POLICY, ENOENT,
2267 "Bad built-in chain name" },
2268 { TC_SET_POLICY, EINVAL,
2269 "Bad policy name" },
2270
2271 { NULL, 0, "Incompatible with this kernel" },
2272 { NULL, ENOPROTOOPT, "iptables who? (do you need to insmod?)" },
2273 { NULL, ENOSYS, "Will be implemented real soon. I promise ;)" },
2274 { NULL, ENOMEM, "Memory allocation problem" },
2275 { NULL, ENOENT, "No chain/target/match by that name" },
2276 };
2277
2278 for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
2279 if ((!table[i].fn || table[i].fn == iptc_fn)
2280 && table[i].err == err)
2281 return table[i].message;
2282 }
2283
2284 return strerror(err);
2285 }
Tomato firmware and modifications.