1 commit 99364c70a7039ed496dbe429fb86ee41e464fc76
2 Author: Florian Forster <octo@collectd.org>
3 Date: Sun Apr 3 09:17:26 2011 -0700
5 iptables plugin: Remove the shipped version of libiptc.
7 Since libiptc is now publicly available as a shared library, we don't really
8 have any need to ship it with collectd anymore.
10 diff --git a/configure.in b/configure.in
11 index 8db24ca..8043d9a 100644
14 @@ -1764,21 +1764,16 @@ AM_CONDITIONAL(BUILD_WITH_LIBGCRYPT, test "x$with_libgcrypt" = "xyes")
18 -with_own_libiptc="no"
19 AC_ARG_WITH(libiptc, [AS_HELP_STRING([--with-libiptc@<:@=PREFIX@:>@], [Path to libiptc.])],
21 - if test "x$withval" = "xshipped"
23 - with_own_libiptc="yes"
25 - else if test "x$withval" != "xno" && test "x$withval" != "xyes"
26 + if test "x$withval" != "xno" && test "x$withval" != "xyes"
28 LIBIPTC_CPPFLAGS="$LIBIPTC_CPPFLAGS -I$withval/include"
29 LIBIPTC_LDFLAGS="$LIBIPTC_LDFLAGS -L$withval/lib"
32 with_libiptc="$withval"
37 if test "x$ac_system" = "xLinux"
38 @@ -1793,32 +1788,22 @@ SAVE_LDFLAGS="$LDFLAGS"
39 CPPFLAGS="$CPPFLAGS $LIBIPTC_CPPFLAGS"
40 LDFLAGS="$LDFLAGS $LIBIPTC_LDFLAGS"
41 # check whether the header file for libiptc is available.
42 -if test "x$with_libiptc" = "xyes" && test "x$with_own_libiptc" = "xno"
43 +if test "x$with_libiptc" = "xyes"
45 AC_CHECK_HEADERS(libiptc/libiptc.h,
47 - AC_DEFINE(HAVE_LIBIPTC_LIBIPTC_H, 1, [Define to 1 if you have the <libiptc/libiptc.h> header file.])
51 - with_own_libiptc="yes"
53 + [with_libiptc="yes"],
54 + [with_libiptc="no (libiptc/libiptc.h not found)"])
56 -if test "x$with_libiptc" = "xyes" && test "x$with_own_libiptc" = "xno"
57 +if test "x$with_libiptc" = "xyes"
59 AC_CHECK_HEADERS(libiptc/libip6tc.h,
61 - AC_DEFINE(HAVE_LIBIPTC_LIBIP6TC_H, 1, [Define to 1 if you have the <libiptc/libip6tc.h> header file.])
65 - with_own_libiptc="yes"
67 + [with_libiptc="yes"],
68 + [with_libiptc="no (libiptc/libip6tc.h not found)"])
70 # If the header file is available, check for the required type declaractions.
71 # They may be missing in old versions of libiptc. In that case, they will be
72 # declared in the iptables plugin.
73 -if test "x$with_libiptc" = "xyes" && test "x$with_own_libiptc" = "xno"
74 +if test "x$with_libiptc" = "xyes"
76 AC_CHECK_TYPES([iptc_handle_t, ip6tc_handle_t], [], [],
78 @@ -1832,32 +1817,13 @@ then
81 # Check for the iptc_init symbol in the library.
82 -if test "x$with_libiptc" = "xyes" && test "x$with_own_libiptc" = "xno"
83 +if test "x$with_libiptc" = "xyes"
85 AC_CHECK_LIB(iptc, iptc_init,
87 - AC_DEFINE(HAVE_LIBIPTC, 1, [Define to 1 if you have the iptc library (-liptc).])
91 - with_own_libiptc="yes"
94 -# The system wide version failed for some reason. Check if we have the required
95 -# headers to build the shipped version.
96 -if test "x$with_libiptc" = "xyes" && test "x$with_own_libiptc" = "xyes"
98 - AC_CHECK_HEADERS(linux/netfilter_ipv4/ip_tables.h linux/netfilter_ipv6/ip6_tables.h linux/netfilter/x_tables.h, [],
100 - with_libiptc="no (Linux iptables headers not found)"
101 - with_own_libiptc="no"
104 -#include "$srcdir/src/owniptc/ipt_kernel_headers.h"
106 + [with_libiptc="yes"],
107 + [with_libiptc="no (symbol 'iptc_init' not found)"])
109 AM_CONDITIONAL(BUILD_WITH_LIBIPTC, test "x$with_libiptc" = "xyes")
110 -AM_CONDITIONAL(BUILD_WITH_OWN_LIBIPTC, test "x$with_own_libiptc" = "xyes")
111 if test "x$with_libiptc" = "xyes"
113 BUILD_WITH_LIBIPTC_CPPFLAGS="$LIBIPTC_CPPFLAGS"
114 @@ -1865,10 +1831,6 @@ then
115 AC_SUBST(BUILD_WITH_LIBIPTC_CPPFLAGS)
116 AC_SUBST(BUILD_WITH_LIBIPTC_LDFLAGS)
118 -if test "x$with_own_libiptc" = "xyes"
120 - AC_DEFINE(OWN_LIBIPTC, 1, [Define to 1 if we use the shipped iptc library.])
122 CPPFLAGS="$SAVE_CPPFLAGS"
123 LDFLAGS="$SAVE_LDFLAGS"
125 @@ -4859,11 +4821,6 @@ then
126 with_librrd="yes (warning: librrd is not thread-safe)"
129 -if test "x$with_libiptc" = "xyes" && test "x$with_own_libiptc" = "xyes"
131 - with_libiptc="yes (shipped version)"
134 if test "x$with_libperl" = "xyes"
136 with_libperl="yes (version `$perl_interpreter -MConfig -e 'print $Config{version};'`)"
137 diff --git a/src/Makefile.am b/src/Makefile.am
138 index 5728144..795de57 100644
139 --- a/src/Makefile.am
140 +++ b/src/Makefile.am
142 SUBDIRS = libcollectdclient
143 -if BUILD_WITH_OWN_LIBIPTC
146 if BUILD_WITH_OWN_LIBOCONFIG
147 SUBDIRS += liboconfig
149 @@ -440,12 +437,7 @@ pkglib_LTLIBRARIES += iptables.la
150 iptables_la_SOURCES = iptables.c
151 iptables_la_CPPFLAGS = $(AM_CPPFLAGS) $(BUILD_WITH_LIBIPTC_CPPFLAGS)
152 iptables_la_LDFLAGS = -module -avoid-version $(BUILD_WITH_LIBIPTC_LDFLAGS)
153 -if BUILD_WITH_OWN_LIBIPTC
154 -iptables_la_LIBADD = owniptc/libiptc.la
155 -iptables_la_DEPENDENCIES = owniptc/libiptc.la
157 iptables_la_LIBADD = -liptc
159 collectd_LDADD += "-dlopen" iptables.la
160 collectd_DEPENDENCIES += iptables.la
162 diff --git a/src/iptables.c b/src/iptables.c
163 index c39aff8..49454f0 100644
168 #include <sys/socket.h>
171 -# include "owniptc/libiptc.h"
172 -# include "owniptc/libip6tc.h"
174 -# define HAVE_IPTC_HANDLE_T 1
175 -# define HAVE_IP6TC_HANDLE_T 1
177 -#else /* if !OWN_LIBIPTC */
178 -# include <libiptc/libiptc.h>
179 -# include <libiptc/libip6tc.h>
180 +#include <libiptc/libiptc.h>
181 +#include <libiptc/libip6tc.h>
184 * iptc_handle_t was available before libiptc was officially available as a
186 * this is somewhat hacky, I didn't find better way to solve that :-/
189 -# ifndef HAVE_IPTC_HANDLE_T
190 +#ifndef HAVE_IPTC_HANDLE_T
191 typedef struct iptc_handle iptc_handle_t;
193 -# ifndef HAVE_IP6TC_HANDLE_T
195 +#ifndef HAVE_IP6TC_HANDLE_T
196 typedef struct ip6tc_handle ip6tc_handle_t;
198 -#endif /* !OWN_LIBIPTC */
202 * (Module-)Global variables
203 diff --git a/src/owniptc/Makefile.am b/src/owniptc/Makefile.am
204 deleted file mode 100644
205 index d51e993..0000000
206 --- a/src/owniptc/Makefile.am
209 -AUTOMAKE_OPTIONS = foreign no-dependencies
211 -EXTRA_DIST = libiptc.c README.collectd
214 -AM_CFLAGS = -Wall -Werror
217 -noinst_LTLIBRARIES = libiptc.la
219 -libiptc_la_SOURCES = libip4tc.c libip6tc.c \
220 - ipt_kernel_headers.h libip6tc.h libiptc.h linux_list.h \
223 diff --git a/src/owniptc/README.collectd b/src/owniptc/README.collectd
224 deleted file mode 100644
225 index adb53b0..0000000
226 --- a/src/owniptc/README.collectd
229 - libiptc (IPTables Chains) in collectd
230 -=======================================
231 -http://netfilter.org/
232 -http://collectd.org/
237 - This is libiptc taken from the iptables source distribution. As it is not
238 - meant to be a public interface by upstream it is not shipped in some binary
239 - distributions. Thus, collectd ships its own copy as a fall-back.
241 - The presently available version was imported from iptables 1.4.1.1.
243 -Changes to the iptables upstream sources:
244 ------------------------------------------
246 - * Added copyright headers mentioning the "Netfilter Core Team" as copyright
249 - * Changed "libiptc/*" includes to "*".
251 - * Use the shipped copy of "xtables.h" instead of the one possibly available
254 diff --git a/src/owniptc/ipt_kernel_headers.h b/src/owniptc/ipt_kernel_headers.h
255 deleted file mode 100644
256 index bf81f6e..0000000
257 --- a/src/owniptc/ipt_kernel_headers.h
261 - * This file was imported from the iptables sources.
262 - * Copyright (C) 1999-2008 Netfilter Core Team
264 - * This program is free software; you can redistribute it and/or modify it
265 - * under the terms of the GNU General Public License as published by the
266 - * Free Software Foundation; only version 2 of the License is applicable.
268 - * This program is distributed in the hope that it will be useful, but
269 - * WITHOUT ANY WARRANTY; without even the implied warranty of
270 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
271 - * General Public License for more details.
273 - * You should have received a copy of the GNU General Public License along
274 - * with this program; if not, write to the Free Software Foundation, Inc.,
275 - * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
278 -/* This is the userspace/kernel interface for Generic IP Chains,
279 - required for libc6. */
280 -#ifndef _FWCHAINS_KERNEL_HEADERS_H
281 -#define _FWCHAINS_KERNEL_HEADERS_H
285 -#if defined(__GLIBC__) && __GLIBC__ == 2
286 -#include <netinet/ip.h>
287 -#include <netinet/in.h>
288 -#include <netinet/ip_icmp.h>
289 -#include <netinet/tcp.h>
290 -#include <netinet/udp.h>
292 -#include <sys/types.h>
294 -#include <sys/socket.h>
295 -#include <linux/ip.h>
296 -#include <linux/in.h>
297 -#include <linux/if.h>
298 -#include <linux/icmp.h>
299 -#include <linux/tcp.h>
300 -#include <linux/udp.h>
301 -#include <linux/types.h>
302 -#include <linux/in6.h>
305 diff --git a/src/owniptc/libip4tc.c b/src/owniptc/libip4tc.c
306 deleted file mode 100644
307 index bf7327c..0000000
308 --- a/src/owniptc/libip4tc.c
312 - * This file was imported from the iptables sources.
313 - * Copyright (C) 1999-2008 Netfilter Core Team
315 - * This program is free software; you can redistribute it and/or modify it
316 - * under the terms of the GNU General Public License as published by the
317 - * Free Software Foundation; only version 2 of the License is applicable.
319 - * This program is distributed in the hope that it will be useful, but
320 - * WITHOUT ANY WARRANTY; without even the implied warranty of
321 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
322 - * General Public License for more details.
324 - * You should have received a copy of the GNU General Public License along
325 - * with this program; if not, write to the Free Software Foundation, Inc.,
326 - * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
329 -/* Library which manipulates firewall rules. Version 0.1. */
331 -/* Architecture of firewall rules is as follows:
333 - * Chains go INPUT, FORWARD, OUTPUT then user chains.
334 - * Each user chain starts with an ERROR node.
335 - * Every chain ends with an unconditional jump: a RETURN for user chains,
336 - * and a POLICY for built-ins.
339 -/* (C)1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
340 - COPYING for details). */
349 -#ifdef DEBUG_CONNTRACK
353 -#if !defined(__GLIBC__) || (__GLIBC__ < 2)
354 -typedef unsigned int socklen_t;
357 -#include "libiptc.h"
359 -#define IP_VERSION 4
360 -#define IP_OFFSET 0x1FFF
362 -#define HOOK_PRE_ROUTING NF_IP_PRE_ROUTING
363 -#define HOOK_LOCAL_IN NF_IP_LOCAL_IN
364 -#define HOOK_FORWARD NF_IP_FORWARD
365 -#define HOOK_LOCAL_OUT NF_IP_LOCAL_OUT
366 -#define HOOK_POST_ROUTING NF_IP_POST_ROUTING
367 -#ifdef NF_IP_DROPPING
368 -#define HOOK_DROPPING NF_IP_DROPPING
371 -#define STRUCT_ENTRY_TARGET struct ipt_entry_target
372 -#define STRUCT_ENTRY struct ipt_entry
373 -#define STRUCT_ENTRY_MATCH struct ipt_entry_match
374 -#define STRUCT_GETINFO struct ipt_getinfo
375 -#define STRUCT_GET_ENTRIES struct ipt_get_entries
376 -#define STRUCT_COUNTERS struct ipt_counters
377 -#define STRUCT_COUNTERS_INFO struct ipt_counters_info
378 -#define STRUCT_STANDARD_TARGET struct ipt_standard_target
379 -#define STRUCT_REPLACE struct ipt_replace
381 -#define STRUCT_TC_HANDLE struct iptc_handle
382 -#define TC_HANDLE_T iptc_handle_t
384 -#define ENTRY_ITERATE IPT_ENTRY_ITERATE
385 -#define TABLE_MAXNAMELEN IPT_TABLE_MAXNAMELEN
386 -#define FUNCTION_MAXNAMELEN IPT_FUNCTION_MAXNAMELEN
388 -#define GET_TARGET ipt_get_target
390 -#define ERROR_TARGET IPT_ERROR_TARGET
391 -#define NUMHOOKS NF_IP_NUMHOOKS
393 -#define IPT_CHAINLABEL ipt_chainlabel
395 -#define TC_DUMP_ENTRIES dump_entries
396 -#define TC_IS_CHAIN iptc_is_chain
397 -#define TC_FIRST_CHAIN iptc_first_chain
398 -#define TC_NEXT_CHAIN iptc_next_chain
399 -#define TC_FIRST_RULE iptc_first_rule
400 -#define TC_NEXT_RULE iptc_next_rule
401 -#define TC_GET_TARGET iptc_get_target
402 -#define TC_BUILTIN iptc_builtin
403 -#define TC_GET_POLICY iptc_get_policy
404 -#define TC_INSERT_ENTRY iptc_insert_entry
405 -#define TC_REPLACE_ENTRY iptc_replace_entry
406 -#define TC_APPEND_ENTRY iptc_append_entry
407 -#define TC_DELETE_ENTRY iptc_delete_entry
408 -#define TC_DELETE_NUM_ENTRY iptc_delete_num_entry
409 -#define TC_CHECK_PACKET iptc_check_packet
410 -#define TC_FLUSH_ENTRIES iptc_flush_entries
411 -#define TC_ZERO_ENTRIES iptc_zero_entries
412 -#define TC_READ_COUNTER iptc_read_counter
413 -#define TC_ZERO_COUNTER iptc_zero_counter
414 -#define TC_SET_COUNTER iptc_set_counter
415 -#define TC_CREATE_CHAIN iptc_create_chain
416 -#define TC_GET_REFERENCES iptc_get_references
417 -#define TC_DELETE_CHAIN iptc_delete_chain
418 -#define TC_RENAME_CHAIN iptc_rename_chain
419 -#define TC_SET_POLICY iptc_set_policy
420 -#define TC_GET_RAW_SOCKET iptc_get_raw_socket
421 -#define TC_INIT iptc_init
422 -#define TC_FREE iptc_free
423 -#define TC_COMMIT iptc_commit
424 -#define TC_STRERROR iptc_strerror
425 -#define TC_NUM_RULES iptc_num_rules
426 -#define TC_GET_RULE iptc_get_rule
428 -#define TC_AF AF_INET
429 -#define TC_IPPROTO IPPROTO_IP
431 -#define SO_SET_REPLACE IPT_SO_SET_REPLACE
432 -#define SO_SET_ADD_COUNTERS IPT_SO_SET_ADD_COUNTERS
433 -#define SO_GET_INFO IPT_SO_GET_INFO
434 -#define SO_GET_ENTRIES IPT_SO_GET_ENTRIES
435 -#define SO_GET_VERSION IPT_SO_GET_VERSION
437 -#define STANDARD_TARGET IPT_STANDARD_TARGET
438 -#define LABEL_RETURN IPTC_LABEL_RETURN
439 -#define LABEL_ACCEPT IPTC_LABEL_ACCEPT
440 -#define LABEL_DROP IPTC_LABEL_DROP
441 -#define LABEL_QUEUE IPTC_LABEL_QUEUE
443 -#define ALIGN IPT_ALIGN
444 -#define RETURN IPT_RETURN
446 -#include "libiptc.c"
448 -#define IP_PARTS_NATIVE(n) \
449 -(unsigned int)((n)>>24)&0xFF, \
450 -(unsigned int)((n)>>16)&0xFF, \
451 -(unsigned int)((n)>>8)&0xFF, \
452 -(unsigned int)((n)&0xFF)
454 -#define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
457 -dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle)
460 - STRUCT_ENTRY_TARGET *t;
462 - printf("Entry %u (%lu):\n", iptcb_entry2index(handle, e),
463 - iptcb_entry2offset(handle, e));
464 - printf("SRC IP: %u.%u.%u.%u/%u.%u.%u.%u\n",
465 - IP_PARTS(e->ip.src.s_addr),IP_PARTS(e->ip.smsk.s_addr));
466 - printf("DST IP: %u.%u.%u.%u/%u.%u.%u.%u\n",
467 - IP_PARTS(e->ip.dst.s_addr),IP_PARTS(e->ip.dmsk.s_addr));
468 - printf("Interface: `%s'/", e->ip.iniface);
469 - for (i = 0; i < IFNAMSIZ; i++)
470 - printf("%c", e->ip.iniface_mask[i] ? 'X' : '.');
471 - printf("to `%s'/", e->ip.outiface);
472 - for (i = 0; i < IFNAMSIZ; i++)
473 - printf("%c", e->ip.outiface_mask[i] ? 'X' : '.');
474 - printf("\nProtocol: %u\n", e->ip.proto);
475 - printf("Flags: %02X\n", e->ip.flags);
476 - printf("Invflags: %02X\n", e->ip.invflags);
477 - printf("Counters: %llu packets, %llu bytes\n",
478 - (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
479 - printf("Cache: %08X\n", e->nfcache);
481 - IPT_MATCH_ITERATE(e, print_match);
484 - printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size);
485 - if (strcmp(t->u.user.name, STANDARD_TARGET) == 0) {
486 - const unsigned char *data = t->data;
487 - int pos = *(const int *)data;
489 - printf("verdict=%s\n",
490 - pos == -NF_ACCEPT-1 ? "NF_ACCEPT"
491 - : pos == -NF_DROP-1 ? "NF_DROP"
492 - : pos == -NF_QUEUE-1 ? "NF_QUEUE"
493 - : pos == RETURN ? "RETURN"
496 - printf("verdict=%u\n", pos);
497 - } else if (strcmp(t->u.user.name, IPT_ERROR_TARGET) == 0)
498 - printf("error=`%s'\n", t->data);
504 -static unsigned char *
505 -is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b, unsigned char *matchmask)
508 - unsigned char *mptr;
510 - /* Always compare head structures: ignore mask here. */
511 - if (a->ip.src.s_addr != b->ip.src.s_addr
512 - || a->ip.dst.s_addr != b->ip.dst.s_addr
513 - || a->ip.smsk.s_addr != b->ip.smsk.s_addr
514 - || a->ip.dmsk.s_addr != b->ip.dmsk.s_addr
515 - || a->ip.proto != b->ip.proto
516 - || a->ip.flags != b->ip.flags
517 - || a->ip.invflags != b->ip.invflags)
520 - for (i = 0; i < IFNAMSIZ; i++) {
521 - if (a->ip.iniface_mask[i] != b->ip.iniface_mask[i])
523 - if ((a->ip.iniface[i] & a->ip.iniface_mask[i])
524 - != (b->ip.iniface[i] & b->ip.iniface_mask[i]))
526 - if (a->ip.outiface_mask[i] != b->ip.outiface_mask[i])
528 - if ((a->ip.outiface[i] & a->ip.outiface_mask[i])
529 - != (b->ip.outiface[i] & b->ip.outiface_mask[i]))
533 - if (a->target_offset != b->target_offset
534 - || a->next_offset != b->next_offset)
537 - mptr = matchmask + sizeof(STRUCT_ENTRY);
538 - if (IPT_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
540 - mptr += IPT_ALIGN(sizeof(struct ipt_entry_target));
546 -/***************************** DEBUGGING ********************************/
548 -unconditional(const struct ipt_ip *ip)
552 - for (i = 0; i < sizeof(*ip)/sizeof(u_int32_t); i++)
553 - if (((u_int32_t *)ip)[i])
560 -check_match(const STRUCT_ENTRY_MATCH *m, unsigned int *off)
562 - assert(m->u.match_size >= sizeof(STRUCT_ENTRY_MATCH));
563 - assert(ALIGN(m->u.match_size) == m->u.match_size);
565 - (*off) += m->u.match_size;
570 -check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
571 - unsigned int user_offset, int *was_return,
575 - STRUCT_STANDARD_TARGET *t;
577 - assert(e->target_offset >= sizeof(STRUCT_ENTRY));
578 - assert(e->next_offset >= e->target_offset
579 - + sizeof(STRUCT_ENTRY_TARGET));
580 - toff = sizeof(STRUCT_ENTRY);
581 - IPT_MATCH_ITERATE(e, check_match, &toff);
583 - assert(toff == e->target_offset);
585 - t = (STRUCT_STANDARD_TARGET *)
586 - GET_TARGET((STRUCT_ENTRY *)e);
587 - /* next_offset will have to be multiple of entry alignment. */
588 - assert(e->next_offset == ALIGN(e->next_offset));
589 - assert(e->target_offset == ALIGN(e->target_offset));
590 - assert(t->target.u.target_size == ALIGN(t->target.u.target_size));
591 - assert(!TC_IS_CHAIN(t->target.u.user.name, h));
593 - if (strcmp(t->target.u.user.name, STANDARD_TARGET) == 0) {
594 - assert(t->target.u.target_size
595 - == ALIGN(sizeof(STRUCT_STANDARD_TARGET)));
597 - assert(t->verdict == -NF_DROP-1
598 - || t->verdict == -NF_ACCEPT-1
599 - || t->verdict == RETURN
600 - || t->verdict < (int)h->entries->size);
602 - if (t->verdict >= 0) {
603 - STRUCT_ENTRY *te = get_entry(h, t->verdict);
606 - idx = iptcb_entry2index(h, te);
607 - assert(strcmp(GET_TARGET(te)->u.user.name,
612 - /* Prior node must be error node, or this node. */
613 - assert(t->verdict == iptcb_entry2offset(h, e)+e->next_offset
614 - || strcmp(GET_TARGET(index2entry(h, idx-1))
615 - ->u.user.name, IPT_ERROR_TARGET)
619 - if (t->verdict == RETURN
620 - && unconditional(&e->ip)
621 - && e->target_offset == sizeof(*e))
625 - } else if (strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0) {
626 - assert(t->target.u.target_size
627 - == ALIGN(sizeof(struct ipt_error_target)));
629 - /* If this is in user area, previous must have been return */
630 - if (*off > user_offset)
631 - assert(*was_return);
635 - else *was_return = 0;
637 - if (*off == user_offset)
638 - assert(strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0);
640 - (*off) += e->next_offset;
646 -/* Do every conceivable sanity check on the handle */
648 -do_check(TC_HANDLE_T h, unsigned int line)
651 - unsigned int user_offset; /* Offset of first user chain */
654 - assert(h->changed == 0 || h->changed == 1);
655 - if (strcmp(h->info.name, "filter") == 0) {
656 - assert(h->info.valid_hooks
657 - == (1 << NF_IP_LOCAL_IN
658 - | 1 << NF_IP_FORWARD
659 - | 1 << NF_IP_LOCAL_OUT));
661 - /* Hooks should be first three */
662 - assert(h->info.hook_entry[NF_IP_LOCAL_IN] == 0);
664 - n = get_chain_end(h, 0);
665 - n += get_entry(h, n)->next_offset;
666 - assert(h->info.hook_entry[NF_IP_FORWARD] == n);
668 - n = get_chain_end(h, n);
669 - n += get_entry(h, n)->next_offset;
670 - assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
672 - user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
673 - } else if (strcmp(h->info.name, "nat") == 0) {
674 - assert((h->info.valid_hooks
675 - == (1 << NF_IP_PRE_ROUTING
676 - | 1 << NF_IP_POST_ROUTING
677 - | 1 << NF_IP_LOCAL_OUT)) ||
678 - (h->info.valid_hooks
679 - == (1 << NF_IP_PRE_ROUTING
680 - | 1 << NF_IP_LOCAL_IN
681 - | 1 << NF_IP_POST_ROUTING
682 - | 1 << NF_IP_LOCAL_OUT)));
684 - assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
686 - n = get_chain_end(h, 0);
688 - n += get_entry(h, n)->next_offset;
689 - assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
690 - n = get_chain_end(h, n);
692 - n += get_entry(h, n)->next_offset;
693 - assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
694 - user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
696 - if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) {
697 - n = get_chain_end(h, n);
698 - n += get_entry(h, n)->next_offset;
699 - assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
700 - user_offset = h->info.hook_entry[NF_IP_LOCAL_IN];
703 - } else if (strcmp(h->info.name, "mangle") == 0) {
704 - /* This code is getting ugly because linux < 2.4.18-pre6 had
705 - * two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
707 - assert((h->info.valid_hooks
708 - == (1 << NF_IP_PRE_ROUTING
709 - | 1 << NF_IP_LOCAL_OUT)) ||
710 - (h->info.valid_hooks
711 - == (1 << NF_IP_PRE_ROUTING
712 - | 1 << NF_IP_LOCAL_IN
713 - | 1 << NF_IP_FORWARD
714 - | 1 << NF_IP_LOCAL_OUT
715 - | 1 << NF_IP_POST_ROUTING)));
717 - /* Hooks should be first five */
718 - assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
720 - n = get_chain_end(h, 0);
722 - if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) {
723 - n += get_entry(h, n)->next_offset;
724 - assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
725 - n = get_chain_end(h, n);
728 - if (h->info.valid_hooks & (1 << NF_IP_FORWARD)) {
729 - n += get_entry(h, n)->next_offset;
730 - assert(h->info.hook_entry[NF_IP_FORWARD] == n);
731 - n = get_chain_end(h, n);
734 - n += get_entry(h, n)->next_offset;
735 - assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
736 - user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
738 - if (h->info.valid_hooks & (1 << NF_IP_POST_ROUTING)) {
739 - n = get_chain_end(h, n);
740 - n += get_entry(h, n)->next_offset;
741 - assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
742 - user_offset = h->info.hook_entry[NF_IP_POST_ROUTING];
744 - } else if (strcmp(h->info.name, "raw") == 0) {
745 - assert(h->info.valid_hooks
746 - == (1 << NF_IP_PRE_ROUTING
747 - | 1 << NF_IP_LOCAL_OUT));
749 - /* Hooks should be first three */
750 - assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
752 - n = get_chain_end(h, n);
753 - n += get_entry(h, n)->next_offset;
754 - assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
756 - user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
758 -#ifdef NF_IP_DROPPING
759 - } else if (strcmp(h->info.name, "drop") == 0) {
760 - assert(h->info.valid_hooks == (1 << NF_IP_DROPPING));
762 - /* Hook should be first */
763 - assert(h->info.hook_entry[NF_IP_DROPPING] == 0);
767 - fprintf(stderr, "Unknown table `%s'\n", h->info.name);
771 - /* User chain == end of last builtin + policy entry */
772 - user_offset = get_chain_end(h, user_offset);
773 - user_offset += get_entry(h, user_offset)->next_offset;
775 - /* Overflows should be end of entry chains, and unconditional
777 - for (i = 0; i < NUMHOOKS; i++) {
779 - STRUCT_STANDARD_TARGET *t;
781 - if (!(h->info.valid_hooks & (1 << i)))
783 - assert(h->info.underflow[i]
784 - == get_chain_end(h, h->info.hook_entry[i]));
786 - e = get_entry(h, get_chain_end(h, h->info.hook_entry[i]));
787 - assert(unconditional(&e->ip));
788 - assert(e->target_offset == sizeof(*e));
789 - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
790 - assert(t->target.u.target_size == ALIGN(sizeof(*t)));
791 - assert(e->next_offset == sizeof(*e) + ALIGN(sizeof(*t)));
793 - assert(strcmp(t->target.u.user.name, STANDARD_TARGET)==0);
794 - assert(t->verdict == -NF_DROP-1 || t->verdict == -NF_ACCEPT-1);
796 - /* Hooks and underflows must be valid entries */
797 - entry2index(h, get_entry(h, h->info.hook_entry[i]));
798 - entry2index(h, get_entry(h, h->info.underflow[i]));
801 - assert(h->info.size
802 - >= h->info.num_entries * (sizeof(STRUCT_ENTRY)
803 - +sizeof(STRUCT_STANDARD_TARGET)));
805 - assert(h->entries.size
807 - * (sizeof(STRUCT_ENTRY)
808 - + sizeof(STRUCT_STANDARD_TARGET))));
809 - assert(strcmp(h->info.name, h->entries.name) == 0);
813 - /* Check all the entries. */
814 - ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
815 - check_entry, &i, &n, user_offset, &was_return, h);
817 - assert(i == h->new_number);
818 - assert(n == h->entries.size);
820 - /* Final entry must be error node */
821 - assert(strcmp(GET_TARGET(index2entry(h, h->new_number-1))
823 - ERROR_TARGET) == 0);
825 -#endif /*IPTC_DEBUG*/
828 diff --git a/src/owniptc/libip6tc.c b/src/owniptc/libip6tc.c
829 deleted file mode 100644
830 index 672dae1..0000000
831 --- a/src/owniptc/libip6tc.c
835 - * This file was imported from the iptables sources.
836 - * Copyright (C) 1999-2008 Netfilter Core Team
838 - * This program is free software; you can redistribute it and/or modify it
839 - * under the terms of the GNU General Public License as published by the
840 - * Free Software Foundation; only version 2 of the License is applicable.
842 - * This program is distributed in the hope that it will be useful, but
843 - * WITHOUT ANY WARRANTY; without even the implied warranty of
844 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
845 - * General Public License for more details.
847 - * You should have received a copy of the GNU General Public License along
848 - * with this program; if not, write to the Free Software Foundation, Inc.,
849 - * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
852 -/* Library which manipulates firewall rules. Version 0.1. */
854 -/* Architecture of firewall rules is as follows:
856 - * Chains go INPUT, FORWARD, OUTPUT then user chains.
857 - * Each user chain starts with an ERROR node.
858 - * Every chain ends with an unconditional jump: a RETURN for user chains,
859 - * and a POLICY for built-ins.
862 -/* (C)1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
863 - COPYING for details). */
871 -#include <arpa/inet.h>
873 -#ifdef DEBUG_CONNTRACK
877 -#if !defined(__GLIBC__) || (__GLIBC__ < 2)
878 -typedef unsigned int socklen_t;
881 -#include "libip6tc.h"
883 -#define HOOK_PRE_ROUTING NF_IP6_PRE_ROUTING
884 -#define HOOK_LOCAL_IN NF_IP6_LOCAL_IN
885 -#define HOOK_FORWARD NF_IP6_FORWARD
886 -#define HOOK_LOCAL_OUT NF_IP6_LOCAL_OUT
887 -#define HOOK_POST_ROUTING NF_IP6_POST_ROUTING
889 -#define STRUCT_ENTRY_TARGET struct ip6t_entry_target
890 -#define STRUCT_ENTRY struct ip6t_entry
891 -#define STRUCT_ENTRY_MATCH struct ip6t_entry_match
892 -#define STRUCT_GETINFO struct ip6t_getinfo
893 -#define STRUCT_GET_ENTRIES struct ip6t_get_entries
894 -#define STRUCT_COUNTERS struct ip6t_counters
895 -#define STRUCT_COUNTERS_INFO struct ip6t_counters_info
896 -#define STRUCT_STANDARD_TARGET struct ip6t_standard_target
897 -#define STRUCT_REPLACE struct ip6t_replace
899 -#define STRUCT_TC_HANDLE struct ip6tc_handle
900 -#define TC_HANDLE_T ip6tc_handle_t
902 -#define ENTRY_ITERATE IP6T_ENTRY_ITERATE
903 -#define TABLE_MAXNAMELEN IP6T_TABLE_MAXNAMELEN
904 -#define FUNCTION_MAXNAMELEN IP6T_FUNCTION_MAXNAMELEN
906 -#define GET_TARGET ip6t_get_target
908 -#define ERROR_TARGET IP6T_ERROR_TARGET
909 -#define NUMHOOKS NF_IP6_NUMHOOKS
911 -#define IPT_CHAINLABEL ip6t_chainlabel
913 -#define TC_DUMP_ENTRIES dump_entries6
914 -#define TC_IS_CHAIN ip6tc_is_chain
915 -#define TC_FIRST_CHAIN ip6tc_first_chain
916 -#define TC_NEXT_CHAIN ip6tc_next_chain
917 -#define TC_FIRST_RULE ip6tc_first_rule
918 -#define TC_NEXT_RULE ip6tc_next_rule
919 -#define TC_GET_TARGET ip6tc_get_target
920 -#define TC_BUILTIN ip6tc_builtin
921 -#define TC_GET_POLICY ip6tc_get_policy
922 -#define TC_INSERT_ENTRY ip6tc_insert_entry
923 -#define TC_REPLACE_ENTRY ip6tc_replace_entry
924 -#define TC_APPEND_ENTRY ip6tc_append_entry
925 -#define TC_DELETE_ENTRY ip6tc_delete_entry
926 -#define TC_DELETE_NUM_ENTRY ip6tc_delete_num_entry
927 -#define TC_CHECK_PACKET ip6tc_check_packet
928 -#define TC_FLUSH_ENTRIES ip6tc_flush_entries
929 -#define TC_ZERO_ENTRIES ip6tc_zero_entries
930 -#define TC_ZERO_COUNTER ip6tc_zero_counter
931 -#define TC_READ_COUNTER ip6tc_read_counter
932 -#define TC_SET_COUNTER ip6tc_set_counter
933 -#define TC_CREATE_CHAIN ip6tc_create_chain
934 -#define TC_GET_REFERENCES ip6tc_get_references
935 -#define TC_DELETE_CHAIN ip6tc_delete_chain
936 -#define TC_RENAME_CHAIN ip6tc_rename_chain
937 -#define TC_SET_POLICY ip6tc_set_policy
938 -#define TC_GET_RAW_SOCKET ip6tc_get_raw_socket
939 -#define TC_INIT ip6tc_init
940 -#define TC_FREE ip6tc_free
941 -#define TC_COMMIT ip6tc_commit
942 -#define TC_STRERROR ip6tc_strerror
943 -#define TC_NUM_RULES ip6tc_num_rules
944 -#define TC_GET_RULE ip6tc_get_rule
946 -#define TC_AF AF_INET6
947 -#define TC_IPPROTO IPPROTO_IPV6
949 -#define SO_SET_REPLACE IP6T_SO_SET_REPLACE
950 -#define SO_SET_ADD_COUNTERS IP6T_SO_SET_ADD_COUNTERS
951 -#define SO_GET_INFO IP6T_SO_GET_INFO
952 -#define SO_GET_ENTRIES IP6T_SO_GET_ENTRIES
953 -#define SO_GET_VERSION IP6T_SO_GET_VERSION
955 -#define STANDARD_TARGET IP6T_STANDARD_TARGET
956 -#define LABEL_RETURN IP6TC_LABEL_RETURN
957 -#define LABEL_ACCEPT IP6TC_LABEL_ACCEPT
958 -#define LABEL_DROP IP6TC_LABEL_DROP
959 -#define LABEL_QUEUE IP6TC_LABEL_QUEUE
961 -#define ALIGN IP6T_ALIGN
962 -#define RETURN IP6T_RETURN
964 -#include "libiptc.c"
966 -#define BIT6(a, l) \
967 - ((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
970 -ipv6_prefix_length(const struct in6_addr *a)
973 - for (l = 0; l < 128; l++) {
974 - if (BIT6(a, l) == 0)
977 - for (i = l + 1; i < 128; i++) {
978 - if (BIT6(a, i) == 1)
985 -dump_entry(struct ip6t_entry *e, const ip6tc_handle_t handle)
990 - struct ip6t_entry_target *t;
992 - printf("Entry %u (%lu):\n", iptcb_entry2index(handle, e),
993 - iptcb_entry2offset(handle, e));
995 - inet_ntop(AF_INET6, &e->ipv6.src, buf, sizeof buf);
998 - len = ipv6_prefix_length(&e->ipv6.smsk);
1000 - printf("%d", len);
1002 - inet_ntop(AF_INET6, &e->ipv6.smsk, buf, sizeof buf);
1008 - inet_ntop(AF_INET6, &e->ipv6.dst, buf, sizeof buf);
1011 - len = ipv6_prefix_length(&e->ipv6.dmsk);
1013 - printf("%d", len);
1015 - inet_ntop(AF_INET6, &e->ipv6.dmsk, buf, sizeof buf);
1020 - printf("Interface: `%s'/", e->ipv6.iniface);
1021 - for (i = 0; i < IFNAMSIZ; i++)
1022 - printf("%c", e->ipv6.iniface_mask[i] ? 'X' : '.');
1023 - printf("to `%s'/", e->ipv6.outiface);
1024 - for (i = 0; i < IFNAMSIZ; i++)
1025 - printf("%c", e->ipv6.outiface_mask[i] ? 'X' : '.');
1026 - printf("\nProtocol: %u\n", e->ipv6.proto);
1027 - if (e->ipv6.flags & IP6T_F_TOS)
1028 - printf("TOS: %u\n", e->ipv6.tos);
1029 - printf("Flags: %02X\n", e->ipv6.flags);
1030 - printf("Invflags: %02X\n", e->ipv6.invflags);
1031 - printf("Counters: %llu packets, %llu bytes\n",
1032 - (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
1033 - printf("Cache: %08X\n", e->nfcache);
1035 - IP6T_MATCH_ITERATE(e, print_match);
1037 - t = ip6t_get_target(e);
1038 - printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size);
1039 - if (strcmp(t->u.user.name, IP6T_STANDARD_TARGET) == 0) {
1040 - const unsigned char *data = t->data;
1041 - int pos = *(const int *)data;
1043 - printf("verdict=%s\n",
1044 - pos == -NF_ACCEPT-1 ? "NF_ACCEPT"
1045 - : pos == -NF_DROP-1 ? "NF_DROP"
1046 - : pos == IP6T_RETURN ? "RETURN"
1049 - printf("verdict=%u\n", pos);
1050 - } else if (strcmp(t->u.user.name, IP6T_ERROR_TARGET) == 0)
1051 - printf("error=`%s'\n", t->data);
1057 -static unsigned char *
1058 -is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b,
1059 - unsigned char *matchmask)
1062 - unsigned char *mptr;
1064 - /* Always compare head structures: ignore mask here. */
1065 - if (memcmp(&a->ipv6.src, &b->ipv6.src, sizeof(struct in6_addr))
1066 - || memcmp(&a->ipv6.dst, &b->ipv6.dst, sizeof(struct in6_addr))
1067 - || memcmp(&a->ipv6.smsk, &b->ipv6.smsk, sizeof(struct in6_addr))
1068 - || memcmp(&a->ipv6.dmsk, &b->ipv6.dmsk, sizeof(struct in6_addr))
1069 - || a->ipv6.proto != b->ipv6.proto
1070 - || a->ipv6.tos != b->ipv6.tos
1071 - || a->ipv6.flags != b->ipv6.flags
1072 - || a->ipv6.invflags != b->ipv6.invflags)
1075 - for (i = 0; i < IFNAMSIZ; i++) {
1076 - if (a->ipv6.iniface_mask[i] != b->ipv6.iniface_mask[i])
1078 - if ((a->ipv6.iniface[i] & a->ipv6.iniface_mask[i])
1079 - != (b->ipv6.iniface[i] & b->ipv6.iniface_mask[i]))
1081 - if (a->ipv6.outiface_mask[i] != b->ipv6.outiface_mask[i])
1083 - if ((a->ipv6.outiface[i] & a->ipv6.outiface_mask[i])
1084 - != (b->ipv6.outiface[i] & b->ipv6.outiface_mask[i]))
1088 - if (a->target_offset != b->target_offset
1089 - || a->next_offset != b->next_offset)
1092 - mptr = matchmask + sizeof(STRUCT_ENTRY);
1093 - if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
1095 - mptr += IP6T_ALIGN(sizeof(struct ip6t_entry_target));
1100 -/* All zeroes == unconditional rule. */
1102 -unconditional(const struct ip6t_ip6 *ipv6)
1106 - for (i = 0; i < sizeof(*ipv6); i++)
1107 - if (((char *)ipv6)[i])
1110 - return (i == sizeof(*ipv6));
1114 -/* Do every conceivable sanity check on the handle */
1116 -do_check(TC_HANDLE_T h, unsigned int line)
1118 - unsigned int i, n;
1119 - unsigned int user_offset; /* Offset of first user chain */
1122 - assert(h->changed == 0 || h->changed == 1);
1123 - if (strcmp(h->info.name, "filter") == 0) {
1124 - assert(h->info.valid_hooks
1125 - == (1 << NF_IP6_LOCAL_IN
1126 - | 1 << NF_IP6_FORWARD
1127 - | 1 << NF_IP6_LOCAL_OUT));
1129 - /* Hooks should be first three */
1130 - assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == 0);
1132 - n = get_chain_end(h, 0);
1133 - n += get_entry(h, n)->next_offset;
1134 - assert(h->info.hook_entry[NF_IP6_FORWARD] == n);
1136 - n = get_chain_end(h, n);
1137 - n += get_entry(h, n)->next_offset;
1138 - assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
1140 - user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
1141 - } else if (strcmp(h->info.name, "nat") == 0) {
1142 - assert((h->info.valid_hooks
1143 - == (1 << NF_IP6_PRE_ROUTING
1144 - | 1 << NF_IP6_LOCAL_OUT
1145 - | 1 << NF_IP6_POST_ROUTING)) ||
1146 - (h->info.valid_hooks
1147 - == (1 << NF_IP6_PRE_ROUTING
1148 - | 1 << NF_IP6_LOCAL_IN
1149 - | 1 << NF_IP6_LOCAL_OUT
1150 - | 1 << NF_IP6_POST_ROUTING)));
1152 - assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
1154 - n = get_chain_end(h, 0);
1156 - n += get_entry(h, n)->next_offset;
1157 - assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
1158 - n = get_chain_end(h, n);
1160 - n += get_entry(h, n)->next_offset;
1161 - assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
1162 - user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
1164 - if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) {
1165 - n = get_chain_end(h, n);
1166 - n += get_entry(h, n)->next_offset;
1167 - assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
1168 - user_offset = h->info.hook_entry[NF_IP6_LOCAL_IN];
1171 - } else if (strcmp(h->info.name, "mangle") == 0) {
1172 - /* This code is getting ugly because linux < 2.4.18-pre6 had
1173 - * two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
1175 - assert((h->info.valid_hooks
1176 - == (1 << NF_IP6_PRE_ROUTING
1177 - | 1 << NF_IP6_LOCAL_OUT)) ||
1178 - (h->info.valid_hooks
1179 - == (1 << NF_IP6_PRE_ROUTING
1180 - | 1 << NF_IP6_LOCAL_IN
1181 - | 1 << NF_IP6_FORWARD
1182 - | 1 << NF_IP6_LOCAL_OUT
1183 - | 1 << NF_IP6_POST_ROUTING)));
1185 - /* Hooks should be first five */
1186 - assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
1188 - n = get_chain_end(h, 0);
1190 - if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) {
1191 - n += get_entry(h, n)->next_offset;
1192 - assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
1193 - n = get_chain_end(h, n);
1196 - if (h->info.valid_hooks & (1 << NF_IP6_FORWARD)) {
1197 - n += get_entry(h, n)->next_offset;
1198 - assert(h->info.hook_entry[NF_IP6_FORWARD] == n);
1199 - n = get_chain_end(h, n);
1202 - n += get_entry(h, n)->next_offset;
1203 - assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
1204 - user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
1206 - if (h->info.valid_hooks & (1 << NF_IP6_POST_ROUTING)) {
1207 - n = get_chain_end(h, n);
1208 - n += get_entry(h, n)->next_offset;
1209 - assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
1210 - user_offset = h->info.hook_entry[NF_IP6_POST_ROUTING];
1212 - } else if (strcmp(h->info.name, "raw") == 0) {
1213 - assert(h->info.valid_hooks
1214 - == (1 << NF_IP6_PRE_ROUTING
1215 - | 1 << NF_IP6_LOCAL_OUT));
1217 - /* Hooks should be first three */
1218 - assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
1220 - n = get_chain_end(h, n);
1221 - n += get_entry(h, n)->next_offset;
1222 - assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
1224 - user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
1226 - fprintf(stderr, "Unknown table `%s'\n", h->info.name);
1230 - /* User chain == end of last builtin + policy entry */
1231 - user_offset = get_chain_end(h, user_offset);
1232 - user_offset += get_entry(h, user_offset)->next_offset;
1234 - /* Overflows should be end of entry chains, and unconditional
1236 - for (i = 0; i < NUMHOOKS; i++) {
1238 - STRUCT_STANDARD_TARGET *t;
1240 - if (!(h->info.valid_hooks & (1 << i)))
1242 - assert(h->info.underflow[i]
1243 - == get_chain_end(h, h->info.hook_entry[i]));
1245 - e = get_entry(h, get_chain_end(h, h->info.hook_entry[i]));
1246 - assert(unconditional(&e->ipv6));
1247 - assert(e->target_offset == sizeof(*e));
1248 - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
1249 - printf("target_size=%u, align=%u\n",
1250 - t->target.u.target_size, ALIGN(sizeof(*t)));
1251 - assert(t->target.u.target_size == ALIGN(sizeof(*t)));
1252 - assert(e->next_offset == sizeof(*e) + ALIGN(sizeof(*t)));
1254 - assert(strcmp(t->target.u.user.name, STANDARD_TARGET)==0);
1255 - assert(t->verdict == -NF_DROP-1 || t->verdict == -NF_ACCEPT-1);
1257 - /* Hooks and underflows must be valid entries */
1258 - iptcb_entry2index(h, get_entry(h, h->info.hook_entry[i]));
1259 - iptcb_entry2index(h, get_entry(h, h->info.underflow[i]));
1262 - assert(h->info.size
1263 - >= h->info.num_entries * (sizeof(STRUCT_ENTRY)
1264 - +sizeof(STRUCT_STANDARD_TARGET)));
1266 - assert(h->entries.size
1268 - * (sizeof(STRUCT_ENTRY)
1269 - + sizeof(STRUCT_STANDARD_TARGET))));
1270 - assert(strcmp(h->info.name, h->entries.name) == 0);
1276 - /* Check all the entries. */
1277 - ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
1278 - check_entry, &i, &n, user_offset, &was_return, h);
1280 - assert(i == h->new_number);
1281 - assert(n == h->entries.size);
1283 - /* Final entry must be error node */
1284 - assert(strcmp(GET_TARGET(index2entry(h, h->new_number-1))
1286 - ERROR_TARGET) == 0);
1289 -#endif /*IPTC_DEBUG*/
1290 diff --git a/src/owniptc/libip6tc.h b/src/owniptc/libip6tc.h
1291 deleted file mode 100644
1292 index 9253e11..0000000
1293 --- a/src/owniptc/libip6tc.h
1297 - * This file was imported from the iptables sources.
1298 - * Copyright (C) 1999-2008 Netfilter Core Team
1300 - * This program is free software; you can redistribute it and/or modify it
1301 - * under the terms of the GNU General Public License as published by the
1302 - * Free Software Foundation; only version 2 of the License is applicable.
1304 - * This program is distributed in the hope that it will be useful, but
1305 - * WITHOUT ANY WARRANTY; without even the implied warranty of
1306 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
1307 - * General Public License for more details.
1309 - * You should have received a copy of the GNU General Public License along
1310 - * with this program; if not, write to the Free Software Foundation, Inc.,
1311 - * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
1314 -#ifndef _LIBIP6TC_H
1315 -#define _LIBIP6TC_H
1316 -/* Library which manipulates firewall rules. Version 0.2. */
1318 -#include <linux/types.h>
1319 -#include "ipt_kernel_headers.h"
1320 -#include <linux/netfilter_ipv6/ip6_tables.h>
1322 -#ifndef IP6T_MIN_ALIGN
1323 -#define IP6T_MIN_ALIGN (__alignof__(struct ip6t_entry))
1325 -#define IP6T_ALIGN(s) (((s) + (IP6T_MIN_ALIGN-1)) & ~(IP6T_MIN_ALIGN-1))
1327 -typedef char ip6t_chainlabel[32];
1329 -#define IP6TC_LABEL_ACCEPT "ACCEPT"
1330 -#define IP6TC_LABEL_DROP "DROP"
1331 -#define IP6TC_LABEL_QUEUE "QUEUE"
1332 -#define IP6TC_LABEL_RETURN "RETURN"
1334 -/* Transparent handle type. */
1335 -typedef struct ip6tc_handle *ip6tc_handle_t;
1337 -/* Does this chain exist? */
1338 -int ip6tc_is_chain(const char *chain, const ip6tc_handle_t handle);
1340 -/* Take a snapshot of the rules. Returns NULL on error. */
1341 -ip6tc_handle_t ip6tc_init(const char *tablename);
1343 -/* Cleanup after ip6tc_init(). */
1344 -void ip6tc_free(ip6tc_handle_t *h);
1346 -/* Iterator functions to run through the chains. Returns NULL at end. */
1347 -const char *ip6tc_first_chain(ip6tc_handle_t *handle);
1348 -const char *ip6tc_next_chain(ip6tc_handle_t *handle);
1350 -/* Get first rule in the given chain: NULL for empty chain. */
1351 -const struct ip6t_entry *ip6tc_first_rule(const char *chain,
1352 - ip6tc_handle_t *handle);
1354 -/* Returns NULL when rules run out. */
1355 -const struct ip6t_entry *ip6tc_next_rule(const struct ip6t_entry *prev,
1356 - ip6tc_handle_t *handle);
1358 -/* Returns a pointer to the target name of this position. */
1359 -const char *ip6tc_get_target(const struct ip6t_entry *e,
1360 - ip6tc_handle_t *handle);
1362 -/* Is this a built-in chain? */
1363 -int ip6tc_builtin(const char *chain, const ip6tc_handle_t handle);
1365 -/* Get the policy of a given built-in chain */
1366 -const char *ip6tc_get_policy(const char *chain,
1367 - struct ip6t_counters *counters,
1368 - ip6tc_handle_t *handle);
1370 -/* These functions return TRUE for OK or 0 and set errno. If errno ==
1371 - 0, it means there was a version error (ie. upgrade libiptc). */
1372 -/* Rule numbers start at 1 for the first rule. */
1374 -/* Insert the entry `fw' in chain `chain' into position `rulenum'. */
1375 -int ip6tc_insert_entry(const ip6t_chainlabel chain,
1376 - const struct ip6t_entry *e,
1377 - unsigned int rulenum,
1378 - ip6tc_handle_t *handle);
1380 -/* Atomically replace rule `rulenum' in `chain' with `fw'. */
1381 -int ip6tc_replace_entry(const ip6t_chainlabel chain,
1382 - const struct ip6t_entry *e,
1383 - unsigned int rulenum,
1384 - ip6tc_handle_t *handle);
1386 -/* Append entry `fw' to chain `chain'. Equivalent to insert with
1387 - rulenum = length of chain. */
1388 -int ip6tc_append_entry(const ip6t_chainlabel chain,
1389 - const struct ip6t_entry *e,
1390 - ip6tc_handle_t *handle);
1392 -/* Delete the first rule in `chain' which matches `fw'. */
1393 -int ip6tc_delete_entry(const ip6t_chainlabel chain,
1394 - const struct ip6t_entry *origfw,
1395 - unsigned char *matchmask,
1396 - ip6tc_handle_t *handle);
1398 -/* Delete the rule in position `rulenum' in `chain'. */
1399 -int ip6tc_delete_num_entry(const ip6t_chainlabel chain,
1400 - unsigned int rulenum,
1401 - ip6tc_handle_t *handle);
1403 -/* Check the packet `fw' on chain `chain'. Returns the verdict, or
1404 - NULL and sets errno. */
1405 -const char *ip6tc_check_packet(const ip6t_chainlabel chain,
1406 - struct ip6t_entry *,
1407 - ip6tc_handle_t *handle);
1409 -/* Flushes the entries in the given chain (ie. empties chain). */
1410 -int ip6tc_flush_entries(const ip6t_chainlabel chain,
1411 - ip6tc_handle_t *handle);
1413 -/* Zeroes the counters in a chain. */
1414 -int ip6tc_zero_entries(const ip6t_chainlabel chain,
1415 - ip6tc_handle_t *handle);
1417 -/* Creates a new chain. */
1418 -int ip6tc_create_chain(const ip6t_chainlabel chain,
1419 - ip6tc_handle_t *handle);
1421 -/* Deletes a chain. */
1422 -int ip6tc_delete_chain(const ip6t_chainlabel chain,
1423 - ip6tc_handle_t *handle);
1425 -/* Renames a chain. */
1426 -int ip6tc_rename_chain(const ip6t_chainlabel oldname,
1427 - const ip6t_chainlabel newname,
1428 - ip6tc_handle_t *handle);
1430 -/* Sets the policy on a built-in chain. */
1431 -int ip6tc_set_policy(const ip6t_chainlabel chain,
1432 - const ip6t_chainlabel policy,
1433 - struct ip6t_counters *counters,
1434 - ip6tc_handle_t *handle);
1436 -/* Get the number of references to this chain */
1437 -int ip6tc_get_references(unsigned int *ref, const ip6t_chainlabel chain,
1438 - ip6tc_handle_t *handle);
1440 -/* read packet and byte counters for a specific rule */
1441 -struct ip6t_counters *ip6tc_read_counter(const ip6t_chainlabel chain,
1442 - unsigned int rulenum,
1443 - ip6tc_handle_t *handle);
1445 -/* zero packet and byte counters for a specific rule */
1446 -int ip6tc_zero_counter(const ip6t_chainlabel chain,
1447 - unsigned int rulenum,
1448 - ip6tc_handle_t *handle);
1450 -/* set packet and byte counters for a specific rule */
1451 -int ip6tc_set_counter(const ip6t_chainlabel chain,
1452 - unsigned int rulenum,
1453 - struct ip6t_counters *counters,
1454 - ip6tc_handle_t *handle);
1456 -/* Makes the actual changes. */
1457 -int ip6tc_commit(ip6tc_handle_t *handle);
1459 -/* Get raw socket. */
1460 -int ip6tc_get_raw_socket(void);
1462 -/* Translates errno numbers into more human-readable form than strerror. */
1463 -const char *ip6tc_strerror(int err);
1465 -/* Return prefix length, or -1 if not contiguous */
1466 -int ipv6_prefix_length(const struct in6_addr *a);
1468 -extern void dump_entries6(const ip6tc_handle_t);
1470 -#endif /* _LIBIP6TC_H */
1471 diff --git a/src/owniptc/libiptc.c b/src/owniptc/libiptc.c
1472 deleted file mode 100644
1473 index 8f0b0f0..0000000
1474 --- a/src/owniptc/libiptc.c
1478 - * This file was imported from the iptables sources.
1479 - * Copyright (C) 1999-2008 Netfilter Core Team
1481 - * This program is free software; you can redistribute it and/or modify it
1482 - * under the terms of the GNU General Public License as published by the
1483 - * Free Software Foundation; only version 2 of the License is applicable.
1485 - * This program is distributed in the hope that it will be useful, but
1486 - * WITHOUT ANY WARRANTY; without even the implied warranty of
1487 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
1488 - * General Public License for more details.
1490 - * You should have received a copy of the GNU General Public License along
1491 - * with this program; if not, write to the Free Software Foundation, Inc.,
1492 - * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
1495 -/* Library which manipulates firewall rules. Version $Revision$ */
1497 -/* Architecture of firewall rules is as follows:
1499 - * Chains go INPUT, FORWARD, OUTPUT then user chains.
1500 - * Each user chain starts with an ERROR node.
1501 - * Every chain ends with an unconditional jump: a RETURN for user chains,
1502 - * and a POLICY for built-ins.
1505 -/* (C) 1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
1506 - * COPYING for details).
1507 - * (C) 2000-2004 by the Netfilter Core Team <coreteam@netfilter.org>
1509 - * 2003-Jun-20: Harald Welte <laforge@netfilter.org>:
1510 - * - Reimplementation of chain cache to use offsets instead of entries
1511 - * 2003-Jun-23: Harald Welte <laforge@netfilter.org>:
1512 - * - performance optimization, sponsored by Astaro AG (http://www.astaro.com/)
1513 - * don't rebuild the chain cache after every operation, instead fix it
1514 - * up after a ruleset change.
1515 - * 2004-Aug-18: Harald Welte <laforge@netfilter.org>:
1516 - * - futher performance work: total reimplementation of libiptc.
1517 - * - libiptc now has a real internal (linked-list) represntation of the
1518 - * ruleset and a parser/compiler from/to this internal representation
1519 - * - again sponsored by Astaro AG (http://www.astaro.com/)
1521 -#include <sys/types.h>
1522 -#include <sys/socket.h>
1523 -#include "xtables.h"
1525 -#include "linux_list.h"
1527 -//#define IPTC_DEBUG2 1
1531 -#define DEBUGP(x, args...) fprintf(stderr, "%s: " x, __FUNCTION__, ## args)
1532 -#define DEBUGP_C(x, args...) fprintf(stderr, x, ## args)
1534 -#define DEBUGP(x, args...)
1535 -#define DEBUGP_C(x, args...)
1539 -#define debug(x, args...) fprintf(stderr, x, ## args)
1541 -#define debug(x, args...)
1544 -static int sockfd = -1;
1545 -static int sockfd_use = 0;
1546 -static void *iptc_fn = NULL;
1548 -static const char *hooknames[] = {
1549 - [HOOK_PRE_ROUTING] = "PREROUTING",
1550 - [HOOK_LOCAL_IN] = "INPUT",
1551 - [HOOK_FORWARD] = "FORWARD",
1552 - [HOOK_LOCAL_OUT] = "OUTPUT",
1553 - [HOOK_POST_ROUTING] = "POSTROUTING",
1554 -#ifdef HOOK_DROPPING
1555 - [HOOK_DROPPING] = "DROPPING"
1559 -/* Convenience structures */
1560 -struct ipt_error_target
1562 - STRUCT_ENTRY_TARGET t;
1563 - char error[TABLE_MAXNAMELEN];
1572 - COUNTER_MAP_NOMAP,
1573 - COUNTER_MAP_NORMAL_MAP,
1574 - COUNTER_MAP_ZEROED,
1577 - unsigned int mappos;
1580 -enum iptcc_rule_type {
1581 - IPTCC_R_STANDARD, /* standard target (ACCEPT, ...) */
1582 - IPTCC_R_MODULE, /* extension module (SNAT, ...) */
1583 - IPTCC_R_FALLTHROUGH, /* fallthrough rule */
1584 - IPTCC_R_JUMP, /* jump to other chain */
1589 - struct list_head list;
1590 - struct chain_head *chain;
1591 - struct counter_map counter_map;
1593 - unsigned int index; /* index (needed for counter_map) */
1594 - unsigned int offset; /* offset in rule blob */
1596 - enum iptcc_rule_type type;
1597 - struct chain_head *jump; /* jump target, if IPTCC_R_JUMP */
1599 - unsigned int size; /* size of entry data */
1600 - STRUCT_ENTRY entry[0];
1605 - struct list_head list;
1606 - char name[TABLE_MAXNAMELEN];
1607 - unsigned int hooknum; /* hook number+1 if builtin */
1608 - unsigned int references; /* how many jumps reference us */
1609 - int verdict; /* verdict if builtin */
1611 - STRUCT_COUNTERS counters; /* per-chain counters */
1612 - struct counter_map counter_map;
1614 - unsigned int num_rules; /* number of rules in list */
1615 - struct list_head rules; /* list of rules */
1617 - unsigned int index; /* index (needed for jump resolval) */
1618 - unsigned int head_offset; /* offset in rule blob */
1619 - unsigned int foot_index; /* index (needed for counter_map) */
1620 - unsigned int foot_offset; /* offset in rule blob */
1625 - int changed; /* Have changes been made? */
1627 - struct list_head chains;
1629 - struct chain_head *chain_iterator_cur;
1630 - struct rule_head *rule_iterator_cur;
1632 - unsigned int num_chains; /* number of user defined chains */
1634 - struct chain_head **chain_index; /* array for fast chain list access*/
1635 - unsigned int chain_index_sz;/* size of chain index array */
1637 - STRUCT_GETINFO info;
1638 - STRUCT_GET_ENTRIES *entries;
1641 -/* allocate a new chain head for the cache */
1642 -static struct chain_head *iptcc_alloc_chain_head(const char *name, int hooknum)
1644 - struct chain_head *c = malloc(sizeof(*c));
1647 - memset(c, 0, sizeof(*c));
1649 - strncpy(c->name, name, TABLE_MAXNAMELEN);
1650 - c->hooknum = hooknum;
1651 - INIT_LIST_HEAD(&c->rules);
1656 -/* allocate and initialize a new rule for the cache */
1657 -static struct rule_head *iptcc_alloc_rule(struct chain_head *c, unsigned int size)
1659 - struct rule_head *r = malloc(sizeof(*r)+size);
1662 - memset(r, 0, sizeof(*r));
1670 -/* notify us that the ruleset has been modified by the user */
1672 -set_changed(TC_HANDLE_T h)
1678 -static void do_check(TC_HANDLE_T h, unsigned int line);
1679 -#define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
1685 -/**********************************************************************
1686 - * iptc blob utility functions (iptcb_*)
1687 - **********************************************************************/
1690 -iptcb_get_number(const STRUCT_ENTRY *i,
1691 - const STRUCT_ENTRY *seek,
1692 - unsigned int *pos)
1701 -iptcb_get_entry_n(STRUCT_ENTRY *i,
1702 - unsigned int number,
1703 - unsigned int *pos,
1704 - STRUCT_ENTRY **pe)
1706 - if (*pos == number) {
1714 -static inline STRUCT_ENTRY *
1715 -iptcb_get_entry(TC_HANDLE_T h, unsigned int offset)
1717 - return (STRUCT_ENTRY *)((char *)h->entries->entrytable + offset);
1720 -static unsigned int
1721 -iptcb_entry2index(const TC_HANDLE_T h, const STRUCT_ENTRY *seek)
1723 - unsigned int pos = 0;
1725 - if (ENTRY_ITERATE(h->entries->entrytable, h->entries->size,
1726 - iptcb_get_number, seek, &pos) == 0) {
1727 - fprintf(stderr, "ERROR: offset %u not an entry!\n",
1728 - (unsigned int)((char *)seek - (char *)h->entries->entrytable));
1734 -static inline STRUCT_ENTRY *
1735 -iptcb_offset2entry(TC_HANDLE_T h, unsigned int offset)
1737 - return (STRUCT_ENTRY *) ((void *)h->entries->entrytable+offset);
1741 -static inline unsigned long
1742 -iptcb_entry2offset(const TC_HANDLE_T h, const STRUCT_ENTRY *e)
1744 - return (void *)e - (void *)h->entries->entrytable;
1747 -static inline unsigned int
1748 -iptcb_offset2index(const TC_HANDLE_T h, unsigned int offset)
1750 - return iptcb_entry2index(h, iptcb_offset2entry(h, offset));
1753 -/* Returns 0 if not hook entry, else hooknumber + 1 */
1754 -static inline unsigned int
1755 -iptcb_ent_is_hook_entry(STRUCT_ENTRY *e, TC_HANDLE_T h)
1759 - for (i = 0; i < NUMHOOKS; i++) {
1760 - if ((h->info.valid_hooks & (1 << i))
1761 - && iptcb_get_entry(h, h->info.hook_entry[i]) == e)
1768 -/**********************************************************************
1769 - * Chain index (cache utility) functions
1770 - **********************************************************************
1771 - * The chain index is an array with pointers into the chain list, with
1772 - * CHAIN_INDEX_BUCKET_LEN spacing. This facilitates the ability to
1773 - * speedup chain list searching, by find a more optimal starting
1774 - * points when searching the linked list.
1776 - * The starting point can be found fast by using a binary search of
1777 - * the chain index. Thus, reducing the previous search complexity of
1778 - * O(n) to O(log(n/k) + k) where k is CHAIN_INDEX_BUCKET_LEN.
1780 - * A nice property of the chain index, is that the "bucket" list
1781 - * length is max CHAIN_INDEX_BUCKET_LEN (when just build, inserts will
1782 - * change this). Oppose to hashing, where the "bucket" list length can
1785 -#ifndef CHAIN_INDEX_BUCKET_LEN
1786 -#define CHAIN_INDEX_BUCKET_LEN 40
1789 -/* Another nice property of the chain index is that inserting/creating
1790 - * chains in chain list don't change the correctness of the chain
1791 - * index, it only causes longer lists in the buckets.
1793 - * To mitigate the performance penalty of longer bucket lists and the
1794 - * penalty of rebuilding, the chain index is rebuild only when
1795 - * CHAIN_INDEX_INSERT_MAX chains has been added.
1797 -#ifndef CHAIN_INDEX_INSERT_MAX
1798 -#define CHAIN_INDEX_INSERT_MAX 355
1801 -static inline unsigned int iptcc_is_builtin(struct chain_head *c);
1804 -/* Use binary search in the chain index array, to find a chain_head
1805 - * pointer closest to the place of the searched name element.
1807 - * Notes that, binary search (obviously) requires that the chain list
1808 - * is sorted by name.
1810 -static struct list_head *
1811 -iptcc_bsearch_chain_index(const char *name, unsigned int *idx, TC_HANDLE_T handle)
1813 - unsigned int pos, end;
1816 - struct list_head *list_pos;
1817 - list_pos=&handle->chains;
1819 - /* Check for empty array, e.g. no user defined chains */
1820 - if (handle->chain_index_sz == 0) {
1821 - debug("WARNING: handle->chain_index_sz == 0\n");
1826 - end = handle->chain_index_sz;
1829 - debug("bsearch Find chain:%s (pos:%d end:%d)\n", name, pos, end);
1833 - if (!handle->chain_index[pos]) {
1834 - fprintf(stderr, "ERROR: NULL pointer chain_index[%d]\n", pos);
1835 - return &handle->chains; /* Be safe, return orig start pos */
1838 - res = strcmp(name, handle->chain_index[pos]->name);
1839 - list_pos = &handle->chain_index[pos]->list;
1842 - debug("bsearch Index[%d] name:%s res:%d ",
1843 - pos, handle->chain_index[pos]->name, res);
1845 - if (res == 0) { /* Found element, by direct hit */
1846 - debug("[found] Direct hit pos:%d end:%d\n", pos, end);
1848 - } else if (res < 0) { /* Too far, jump back */
1852 - /* Exit case: First element of array */
1854 - debug("[found] Reached first array elem (end%d)\n",end);
1857 - debug("jump back to pos:%d (end:%d)\n", pos, end);
1859 - } else if (res > 0 ){ /* Not far enough, jump forward */
1861 - /* Exit case: Last element of array */
1862 - if (pos == handle->chain_index_sz-1) {
1863 - debug("[found] Last array elem (end:%d)\n", end);
1867 - /* Exit case: Next index less, thus elem in this list section */
1868 - res = strcmp(name, handle->chain_index[pos+1]->name);
1870 - debug("[found] closest list (end:%d)\n", end);
1874 - pos = (pos+end)/2;
1875 - debug("jump forward to pos:%d (end:%d)\n", pos, end);
1883 -/* Trivial linear search of chain index. Function used for verifying
1884 - the output of bsearch function */
1885 -static struct list_head *
1886 -iptcc_linearly_search_chain_index(const char *name, TC_HANDLE_T handle)
1891 - struct list_head *list_pos;
1892 - list_pos = &handle->chains;
1894 - if (handle->chain_index_sz)
1895 - list_pos = &handle->chain_index[0]->list;
1897 - /* Linearly walk of chain index array */
1899 - for (i=0; i < handle->chain_index_sz; i++) {
1900 - if (handle->chain_index[i]) {
1901 - res = strcmp(handle->chain_index[i]->name, name);
1903 - break; // One step too far
1904 - list_pos = &handle->chain_index[i]->list;
1906 - break; // Direct hit
1914 -static int iptcc_chain_index_alloc(TC_HANDLE_T h)
1916 - unsigned int list_length = CHAIN_INDEX_BUCKET_LEN;
1917 - unsigned int array_elems;
1918 - unsigned int array_mem;
1920 - /* Allocate memory for the chain index array */
1921 - array_elems = (h->num_chains / list_length) +
1922 - (h->num_chains % list_length ? 1 : 0);
1923 - array_mem = sizeof(h->chain_index) * array_elems;
1925 - debug("Alloc Chain index, elems:%d mem:%d bytes\n",
1926 - array_elems, array_mem);
1928 - h->chain_index = malloc(array_mem);
1929 - if (!h->chain_index) {
1930 - h->chain_index_sz = 0;
1933 - memset(h->chain_index, 0, array_mem);
1934 - h->chain_index_sz = array_elems;
1939 -static void iptcc_chain_index_free(TC_HANDLE_T h)
1941 - h->chain_index_sz = 0;
1942 - free(h->chain_index);
1947 -static void iptcc_chain_index_dump(TC_HANDLE_T h)
1949 - unsigned int i = 0;
1951 - /* Dump: contents of chain index array */
1952 - for (i=0; i < h->chain_index_sz; i++) {
1953 - if (h->chain_index[i]) {
1954 - fprintf(stderr, "Chain index[%d].name: %s\n",
1955 - i, h->chain_index[i]->name);
1961 -/* Build the chain index */
1962 -static int iptcc_chain_index_build(TC_HANDLE_T h)
1964 - unsigned int list_length = CHAIN_INDEX_BUCKET_LEN;
1965 - unsigned int chains = 0;
1966 - unsigned int cindex = 0;
1967 - struct chain_head *c;
1969 - /* Build up the chain index array here */
1970 - debug("Building chain index\n");
1972 - debug("Number of user defined chains:%d bucket_sz:%d array_sz:%d\n",
1973 - h->num_chains, list_length, h->chain_index_sz);
1975 - if (h->chain_index_sz == 0)
1978 - list_for_each_entry(c, &h->chains, list) {
1980 - /* Issue: The index array needs to start after the
1981 - * builtin chains, as they are not sorted */
1982 - if (!iptcc_is_builtin(c)) {
1983 - cindex=chains / list_length;
1985 - /* Safe guard, break out on array limit, this
1986 - * is useful if chains are added and array is
1987 - * rebuild, without realloc of memory. */
1988 - if (cindex >= h->chain_index_sz)
1991 - if ((chains % list_length)== 0) {
1992 - debug("\nIndex[%d] Chains:", cindex);
1993 - h->chain_index[cindex] = c;
1997 - debug("%s, ", c->name);
2004 -static int iptcc_chain_index_rebuild(TC_HANDLE_T h)
2006 - debug("REBUILD chain index array\n");
2007 - iptcc_chain_index_free(h);
2008 - if ((iptcc_chain_index_alloc(h)) < 0)
2010 - iptcc_chain_index_build(h);
2014 -/* Delete chain (pointer) from index array. Removing an element from
2015 - * the chain list only affects the chain index array, if the chain
2016 - * index points-to/uses that list pointer.
2018 - * There are different strategies, the simple and safe is to rebuild
2019 - * the chain index every time. The more advanced is to update the
2020 - * array index to point to the next element, but that requires some
2021 - * house keeping and boundry checks. The advanced is implemented, as
2022 - * the simple approach behaves badly when all chains are deleted
2023 - * because list_for_each processing will always hit the first chain
2024 - * index, thus causing a rebuild for every chain.
2026 -static int iptcc_chain_index_delete_chain(struct chain_head *c, TC_HANDLE_T h)
2028 - struct list_head *index_ptr, *index_ptr2, *next;
2029 - struct chain_head *c2;
2030 - unsigned int idx, idx2;
2032 - index_ptr = iptcc_bsearch_chain_index(c->name, &idx, h);
2034 - debug("Del chain[%s] c->list:%p index_ptr:%p\n",
2035 - c->name, &c->list, index_ptr);
2037 - /* Save the next pointer */
2038 - next = c->list.next;
2039 - list_del(&c->list);
2041 - if (index_ptr == &c->list) { /* Chain used as index ptr */
2043 - /* See if its possible to avoid a rebuild, by shifting
2044 - * to next pointer. Its possible if the next pointer
2045 - * is located in the same index bucket.
2047 - c2 = list_entry(next, struct chain_head, list);
2048 - index_ptr2 = iptcc_bsearch_chain_index(c2->name, &idx2, h);
2049 - if (idx != idx2) {
2050 - /* Rebuild needed */
2051 - return iptcc_chain_index_rebuild(h);
2053 - /* Avoiding rebuild */
2054 - debug("Update cindex[%d] with next ptr name:[%s]\n",
2056 - h->chain_index[idx]=c2;
2064 -/**********************************************************************
2065 - * iptc cache utility functions (iptcc_*)
2066 - **********************************************************************/
2068 -/* Is the given chain builtin (1) or user-defined (0) */
2069 -static inline unsigned int iptcc_is_builtin(struct chain_head *c)
2071 - return (c->hooknum ? 1 : 0);
2074 -/* Get a specific rule within a chain */
2075 -static struct rule_head *iptcc_get_rule_num(struct chain_head *c,
2076 - unsigned int rulenum)
2078 - struct rule_head *r;
2079 - unsigned int num = 0;
2081 - list_for_each_entry(r, &c->rules, list) {
2083 - if (num == rulenum)
2089 -/* Get a specific rule within a chain backwards */
2090 -static struct rule_head *iptcc_get_rule_num_reverse(struct chain_head *c,
2091 - unsigned int rulenum)
2093 - struct rule_head *r;
2094 - unsigned int num = 0;
2096 - list_for_each_entry_reverse(r, &c->rules, list) {
2098 - if (num == rulenum)
2104 -/* Returns chain head if found, otherwise NULL. */
2105 -static struct chain_head *
2106 -iptcc_find_chain_by_offset(TC_HANDLE_T handle, unsigned int offset)
2108 - struct list_head *pos;
2110 - if (list_empty(&handle->chains))
2113 - list_for_each(pos, &handle->chains) {
2114 - struct chain_head *c = list_entry(pos, struct chain_head, list);
2115 - if (offset >= c->head_offset && offset <= c->foot_offset)
2122 -/* Returns chain head if found, otherwise NULL. */
2123 -static struct chain_head *
2124 -iptcc_find_label(const char *name, TC_HANDLE_T handle)
2126 - struct list_head *pos;
2127 - struct list_head *list_start_pos;
2131 - if (list_empty(&handle->chains))
2134 - /* First look at builtin chains */
2135 - list_for_each(pos, &handle->chains) {
2136 - struct chain_head *c = list_entry(pos, struct chain_head, list);
2137 - if (!iptcc_is_builtin(c))
2139 - if (!strcmp(c->name, name))
2143 - /* Find a smart place to start the search via chain index */
2144 - //list_start_pos = iptcc_linearly_search_chain_index(name, handle);
2145 - list_start_pos = iptcc_bsearch_chain_index(name, &i, handle);
2147 - /* Handel if bsearch bails out early */
2148 - if (list_start_pos == &handle->chains) {
2149 - list_start_pos = pos;
2153 - /* Verify result of bsearch against linearly index search */
2154 - struct list_head *test_pos;
2155 - struct chain_head *test_c, *tmp_c;
2156 - test_pos = iptcc_linearly_search_chain_index(name, handle);
2157 - if (list_start_pos != test_pos) {
2158 - debug("BUG in chain_index search\n");
2159 - test_c=list_entry(test_pos, struct chain_head,list);
2160 - tmp_c =list_entry(list_start_pos,struct chain_head,list);
2161 - debug("Verify search found:\n");
2162 - debug(" Chain:%s\n", test_c->name);
2163 - debug("BSearch found:\n");
2164 - debug(" Chain:%s\n", tmp_c->name);
2170 - /* Initial/special case, no user defined chains */
2171 - if (handle->num_chains == 0)
2174 - /* Start searching through the chain list */
2175 - list_for_each(pos, list_start_pos->prev) {
2176 - struct chain_head *c = list_entry(pos, struct chain_head, list);
2177 - res = strcmp(c->name, name);
2178 - debug("List search name:%s == %s res:%d\n", name, c->name, res);
2182 - /* We can stop earlier as we know list is sorted */
2183 - if (res>0 && !iptcc_is_builtin(c)) { /* Walked too far*/
2184 - debug(" Not in list, walked too far, sorted list\n");
2188 - /* Stop on wrap around, if list head is reached */
2189 - if (pos == &handle->chains) {
2190 - debug("Stop, list head reached\n");
2195 - debug("List search NOT found name:%s\n", name);
2199 -/* called when rule is to be removed from cache */
2200 -static void iptcc_delete_rule(struct rule_head *r)
2202 - DEBUGP("deleting rule %p (offset %u)\n", r, r->offset);
2203 - /* clean up reference count of called chain */
2204 - if (r->type == IPTCC_R_JUMP
2206 - r->jump->references--;
2208 - list_del(&r->list);
2213 -/**********************************************************************
2214 - * RULESET PARSER (blob -> cache)
2215 - **********************************************************************/
2217 -/* Delete policy rule of previous chain, since cache doesn't contain
2218 - * chain policy rules.
2219 - * WARNING: This function has ugly design and relies on a lot of context, only
2220 - * to be called from specific places within the parser */
2221 -static int __iptcc_p_del_policy(TC_HANDLE_T h, unsigned int num)
2223 - const unsigned char *data;
2225 - if (h->chain_iterator_cur) {
2226 - /* policy rule is last rule */
2227 - struct rule_head *pr = (struct rule_head *)
2228 - h->chain_iterator_cur->rules.prev;
2230 - /* save verdict */
2231 - data = GET_TARGET(pr->entry)->data;
2232 - h->chain_iterator_cur->verdict = *(const int *)data;
2234 - /* save counter and counter_map information */
2235 - h->chain_iterator_cur->counter_map.maptype =
2236 - COUNTER_MAP_NORMAL_MAP;
2237 - h->chain_iterator_cur->counter_map.mappos = num-1;
2238 - memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters,
2239 - sizeof(h->chain_iterator_cur->counters));
2241 - /* foot_offset points to verdict rule */
2242 - h->chain_iterator_cur->foot_index = num;
2243 - h->chain_iterator_cur->foot_offset = pr->offset;
2245 - /* delete rule from cache */
2246 - iptcc_delete_rule(pr);
2247 - h->chain_iterator_cur->num_rules--;
2254 -/* alphabetically insert a chain into the list */
2255 -static inline void iptc_insert_chain(TC_HANDLE_T h, struct chain_head *c)
2257 - struct chain_head *tmp;
2258 - struct list_head *list_start_pos;
2261 - /* Find a smart place to start the insert search */
2262 - list_start_pos = iptcc_bsearch_chain_index(c->name, &i, h);
2264 - /* Handle the case, where chain.name is smaller than index[0] */
2265 - if (i==0 && strcmp(c->name, h->chain_index[0]->name) <= 0) {
2266 - h->chain_index[0] = c; /* Update chain index head */
2267 - list_start_pos = h->chains.next;
2268 - debug("Update chain_index[0] with %s\n", c->name);
2271 - /* Handel if bsearch bails out early */
2272 - if (list_start_pos == &h->chains) {
2273 - list_start_pos = h->chains.next;
2276 - /* sort only user defined chains */
2277 - if (!c->hooknum) {
2278 - list_for_each_entry(tmp, list_start_pos->prev, list) {
2279 - if (!tmp->hooknum && strcmp(c->name, tmp->name) <= 0) {
2280 - list_add(&c->list, tmp->list.prev);
2284 - /* Stop if list head is reached */
2285 - if (&tmp->list == &h->chains) {
2286 - debug("Insert, list head reached add to tail\n");
2292 - /* survived till end of list: add at tail */
2293 - list_add_tail(&c->list, &h->chains);
2296 -/* Another ugly helper function split out of cache_add_entry to make it less
2297 - * spaghetti code */
2298 -static void __iptcc_p_add_chain(TC_HANDLE_T h, struct chain_head *c,
2299 - unsigned int offset, unsigned int *num)
2301 - struct list_head *tail = h->chains.prev;
2302 - struct chain_head *ctail;
2304 - __iptcc_p_del_policy(h, *num);
2306 - c->head_offset = offset;
2309 - /* Chains from kernel are already sorted, as they are inserted
2310 - * sorted. But there exists an issue when shifting to 1.4.0
2311 - * from an older version, as old versions allow last created
2312 - * chain to be unsorted.
2314 - if (iptcc_is_builtin(c)) /* Only user defined chains are sorted*/
2315 - list_add_tail(&c->list, &h->chains);
2317 - ctail = list_entry(tail, struct chain_head, list);
2318 - if (strcmp(c->name, ctail->name) > 0)
2319 - list_add_tail(&c->list, &h->chains);/* Already sorted*/
2321 - iptc_insert_chain(h, c);/* Was not sorted */
2324 - h->chain_iterator_cur = c;
2327 -/* main parser function: add an entry from the blob to the cache */
2328 -static int cache_add_entry(STRUCT_ENTRY *e,
2330 - STRUCT_ENTRY **prev,
2331 - unsigned int *num)
2333 - unsigned int builtin;
2334 - unsigned int offset = (char *)e - (char *)h->entries->entrytable;
2336 - DEBUGP("entering...");
2338 - /* Last entry ("policy rule"). End it.*/
2339 - if (iptcb_entry2offset(h,e) + e->next_offset == h->entries->size) {
2340 - /* This is the ERROR node at the end of the chain */
2341 - DEBUGP_C("%u:%u: end of table:\n", *num, offset);
2343 - __iptcc_p_del_policy(h, *num);
2345 - h->chain_iterator_cur = NULL;
2349 - /* We know this is the start of a new chain if it's an ERROR
2350 - * target, or a hook entry point */
2352 - if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) == 0) {
2353 - struct chain_head *c =
2354 - iptcc_alloc_chain_head((const char *)GET_TARGET(e)->data, 0);
2355 - DEBUGP_C("%u:%u:new userdefined chain %s: %p\n", *num, offset,
2356 - (char *)c->name, c);
2361 - h->num_chains++; /* New user defined chain */
2363 - __iptcc_p_add_chain(h, c, offset, num);
2365 - } else if ((builtin = iptcb_ent_is_hook_entry(e, h)) != 0) {
2366 - struct chain_head *c =
2367 - iptcc_alloc_chain_head((char *)hooknames[builtin-1],
2369 - DEBUGP_C("%u:%u new builtin chain: %p (rules=%p)\n",
2370 - *num, offset, c, &c->rules);
2376 - c->hooknum = builtin;
2378 - __iptcc_p_add_chain(h, c, offset, num);
2380 - /* FIXME: this is ugly. */
2383 - /* has to be normal rule */
2384 - struct rule_head *r;
2387 - if (!(r = iptcc_alloc_rule(h->chain_iterator_cur,
2388 - e->next_offset))) {
2392 - DEBUGP_C("%u:%u normal rule: %p: ", *num, offset, r);
2395 - r->offset = offset;
2396 - memcpy(r->entry, e, e->next_offset);
2397 - r->counter_map.maptype = COUNTER_MAP_NORMAL_MAP;
2398 - r->counter_map.mappos = r->index;
2400 - /* handling of jumps, etc. */
2401 - if (!strcmp(GET_TARGET(e)->u.user.name, STANDARD_TARGET)) {
2402 - STRUCT_STANDARD_TARGET *t;
2404 - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
2405 - if (t->target.u.target_size
2406 - != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
2411 - if (t->verdict < 0) {
2412 - DEBUGP_C("standard, verdict=%d\n", t->verdict);
2413 - r->type = IPTCC_R_STANDARD;
2414 - } else if (t->verdict == r->offset+e->next_offset) {
2415 - DEBUGP_C("fallthrough\n");
2416 - r->type = IPTCC_R_FALLTHROUGH;
2418 - DEBUGP_C("jump, target=%u\n", t->verdict);
2419 - r->type = IPTCC_R_JUMP;
2420 - /* Jump target fixup has to be deferred
2421 - * until second pass, since we migh not
2422 - * yet have parsed the target */
2425 - DEBUGP_C("module, target=%s\n", GET_TARGET(e)->u.user.name);
2426 - r->type = IPTCC_R_MODULE;
2429 - list_add_tail(&r->list, &h->chain_iterator_cur->rules);
2430 - h->chain_iterator_cur->num_rules++;
2438 -/* parse an iptables blob into it's pieces */
2439 -static int parse_table(TC_HANDLE_T h)
2441 - STRUCT_ENTRY *prev;
2442 - unsigned int num = 0;
2443 - struct chain_head *c;
2445 - /* First pass: over ruleset blob */
2446 - ENTRY_ITERATE(h->entries->entrytable, h->entries->size,
2447 - cache_add_entry, h, &prev, &num);
2449 - /* Build the chain index, used for chain list search speedup */
2450 - if ((iptcc_chain_index_alloc(h)) < 0)
2452 - iptcc_chain_index_build(h);
2454 - /* Second pass: fixup parsed data from first pass */
2455 - list_for_each_entry(c, &h->chains, list) {
2456 - struct rule_head *r;
2457 - list_for_each_entry(r, &c->rules, list) {
2458 - struct chain_head *lc;
2459 - STRUCT_STANDARD_TARGET *t;
2461 - if (r->type != IPTCC_R_JUMP)
2464 - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
2465 - lc = iptcc_find_chain_by_offset(h, t->verdict);
2473 - /* FIXME: sort chains */
2479 -/**********************************************************************
2480 - * RULESET COMPILATION (cache -> blob)
2481 - **********************************************************************/
2483 -/* Convenience structures */
2484 -struct iptcb_chain_start{
2486 - struct ipt_error_target name;
2488 -#define IPTCB_CHAIN_START_SIZE (sizeof(STRUCT_ENTRY) + \
2489 - ALIGN(sizeof(struct ipt_error_target)))
2491 -struct iptcb_chain_foot {
2493 - STRUCT_STANDARD_TARGET target;
2495 -#define IPTCB_CHAIN_FOOT_SIZE (sizeof(STRUCT_ENTRY) + \
2496 - ALIGN(sizeof(STRUCT_STANDARD_TARGET)))
2498 -struct iptcb_chain_error {
2499 - STRUCT_ENTRY entry;
2500 - struct ipt_error_target target;
2502 -#define IPTCB_CHAIN_ERROR_SIZE (sizeof(STRUCT_ENTRY) + \
2503 - ALIGN(sizeof(struct ipt_error_target)))
2507 -/* compile rule from cache into blob */
2508 -static inline int iptcc_compile_rule (TC_HANDLE_T h, STRUCT_REPLACE *repl, struct rule_head *r)
2510 - /* handle jumps */
2511 - if (r->type == IPTCC_R_JUMP) {
2512 - STRUCT_STANDARD_TARGET *t;
2513 - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
2514 - /* memset for memcmp convenience on delete/replace */
2515 - memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
2516 - strcpy(t->target.u.user.name, STANDARD_TARGET);
2517 - /* Jumps can only happen to builtin chains, so we
2518 - * can safely assume that they always have a header */
2519 - t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE;
2520 - } else if (r->type == IPTCC_R_FALLTHROUGH) {
2521 - STRUCT_STANDARD_TARGET *t;
2522 - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
2523 - t->verdict = r->offset + r->size;
2526 - /* copy entry from cache to blob */
2527 - memcpy((char *)repl->entries+r->offset, r->entry, r->size);
2532 -/* compile chain from cache into blob */
2533 -static int iptcc_compile_chain(TC_HANDLE_T h, STRUCT_REPLACE *repl, struct chain_head *c)
2536 - struct rule_head *r;
2537 - struct iptcb_chain_start *head;
2538 - struct iptcb_chain_foot *foot;
2540 - /* only user-defined chains have heaer */
2541 - if (!iptcc_is_builtin(c)) {
2542 - /* put chain header in place */
2543 - head = (void *)repl->entries + c->head_offset;
2544 - head->e.target_offset = sizeof(STRUCT_ENTRY);
2545 - head->e.next_offset = IPTCB_CHAIN_START_SIZE;
2546 - strcpy(head->name.t.u.user.name, ERROR_TARGET);
2547 - head->name.t.u.target_size =
2548 - ALIGN(sizeof(struct ipt_error_target));
2549 - strcpy(head->name.error, c->name);
2551 - repl->hook_entry[c->hooknum-1] = c->head_offset;
2552 - repl->underflow[c->hooknum-1] = c->foot_offset;
2555 - /* iterate over rules */
2556 - list_for_each_entry(r, &c->rules, list) {
2557 - ret = iptcc_compile_rule(h, repl, r);
2562 - /* put chain footer in place */
2563 - foot = (void *)repl->entries + c->foot_offset;
2564 - foot->e.target_offset = sizeof(STRUCT_ENTRY);
2565 - foot->e.next_offset = IPTCB_CHAIN_FOOT_SIZE;
2566 - strcpy(foot->target.target.u.user.name, STANDARD_TARGET);
2567 - foot->target.target.u.target_size =
2568 - ALIGN(sizeof(STRUCT_STANDARD_TARGET));
2569 - /* builtin targets have verdict, others return */
2570 - if (iptcc_is_builtin(c))
2571 - foot->target.verdict = c->verdict;
2573 - foot->target.verdict = RETURN;
2574 - /* set policy-counters */
2575 - memcpy(&foot->e.counters, &c->counters, sizeof(STRUCT_COUNTERS));
2580 -/* calculate offset and number for every rule in the cache */
2581 -static int iptcc_compile_chain_offsets(TC_HANDLE_T h, struct chain_head *c,
2582 - unsigned int *offset, unsigned int *num)
2584 - struct rule_head *r;
2586 - c->head_offset = *offset;
2587 - DEBUGP("%s: chain_head %u, offset=%u\n", c->name, *num, *offset);
2589 - if (!iptcc_is_builtin(c)) {
2590 - /* Chain has header */
2591 - *offset += sizeof(STRUCT_ENTRY)
2592 - + ALIGN(sizeof(struct ipt_error_target));
2596 - list_for_each_entry(r, &c->rules, list) {
2597 - DEBUGP("rule %u, offset=%u, index=%u\n", *num, *offset, *num);
2598 - r->offset = *offset;
2600 - *offset += r->size;
2604 - DEBUGP("%s; chain_foot %u, offset=%u, index=%u\n", c->name, *num,
2606 - c->foot_offset = *offset;
2607 - c->foot_index = *num;
2608 - *offset += sizeof(STRUCT_ENTRY)
2609 - + ALIGN(sizeof(STRUCT_STANDARD_TARGET));
2615 -/* put the pieces back together again */
2616 -static int iptcc_compile_table_prep(TC_HANDLE_T h, unsigned int *size)
2618 - struct chain_head *c;
2619 - unsigned int offset = 0, num = 0;
2622 - /* First pass: calculate offset for every rule */
2623 - list_for_each_entry(c, &h->chains, list) {
2624 - ret = iptcc_compile_chain_offsets(h, c, &offset, &num);
2629 - /* Append one error rule at end of chain */
2631 - offset += sizeof(STRUCT_ENTRY)
2632 - + ALIGN(sizeof(struct ipt_error_target));
2634 - /* ruleset size is now in offset */
2639 -static int iptcc_compile_table(TC_HANDLE_T h, STRUCT_REPLACE *repl)
2641 - struct chain_head *c;
2642 - struct iptcb_chain_error *error;
2644 - /* Second pass: copy from cache to offsets, fill in jumps */
2645 - list_for_each_entry(c, &h->chains, list) {
2646 - int ret = iptcc_compile_chain(h, repl, c);
2651 - /* Append error rule at end of chain */
2652 - error = (void *)repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE;
2653 - error->entry.target_offset = sizeof(STRUCT_ENTRY);
2654 - error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE;
2655 - error->target.t.u.user.target_size =
2656 - ALIGN(sizeof(struct ipt_error_target));
2657 - strcpy((char *)&error->target.t.u.user.name, ERROR_TARGET);
2658 - strcpy((char *)&error->target.error, "ERROR");
2663 -/**********************************************************************
2664 - * EXTERNAL API (operates on cache only)
2665 - **********************************************************************/
2667 -/* Allocate handle of given size */
2669 -alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
2674 - len = sizeof(STRUCT_TC_HANDLE) + size;
2676 - h = malloc(sizeof(STRUCT_TC_HANDLE));
2681 - memset(h, 0, sizeof(*h));
2682 - INIT_LIST_HEAD(&h->chains);
2683 - strcpy(h->info.name, tablename);
2685 - h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + size);
2687 - goto out_free_handle;
2689 - strcpy(h->entries->name, tablename);
2690 - h->entries->size = size;
2702 -TC_INIT(const char *tablename)
2705 - STRUCT_GETINFO info;
2709 - iptc_fn = TC_INIT;
2711 - if (strlen(tablename) >= TABLE_MAXNAMELEN) {
2716 - if (sockfd_use == 0) {
2717 - sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
2725 - strcpy(info.name, tablename);
2726 - if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, &info, &s) < 0) {
2727 - if (--sockfd_use == 0) {
2734 - DEBUGP("valid_hooks=0x%08x, num_entries=%u, size=%u\n",
2735 - info.valid_hooks, info.num_entries, info.size);
2737 - if ((h = alloc_handle(info.name, info.size, info.num_entries))
2739 - if (--sockfd_use == 0) {
2746 - /* Initialize current state */
2749 - h->entries->size = h->info.size;
2751 - tmp = sizeof(STRUCT_GET_ENTRIES) + h->info.size;
2753 - if (getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, h->entries,
2759 - int fd = open("/tmp/libiptc-so_get_entries.blob",
2760 - O_CREAT|O_WRONLY);
2762 - write(fd, h->entries, tmp);
2768 - if (parse_table(h) < 0)
2775 - /* A different process changed the ruleset size, retry */
2776 - if (errno == EAGAIN)
2782 -TC_FREE(TC_HANDLE_T *h)
2784 - struct chain_head *c, *tmp;
2786 - iptc_fn = TC_FREE;
2787 - if (--sockfd_use == 0) {
2792 - list_for_each_entry_safe(c, tmp, &(*h)->chains, list) {
2793 - struct rule_head *r, *rtmp;
2795 - list_for_each_entry_safe(r, rtmp, &c->rules, list) {
2802 - iptcc_chain_index_free(*h);
2804 - free((*h)->entries);
2811 -print_match(const STRUCT_ENTRY_MATCH *m)
2813 - printf("Match name: `%s'\n", m->u.user.name);
2817 -static int dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle);
2820 -TC_DUMP_ENTRIES(const TC_HANDLE_T handle)
2822 - iptc_fn = TC_DUMP_ENTRIES;
2825 - printf("libiptc v%s. %u bytes.\n",
2826 - XTABLES_VERSION, handle->entries->size);
2827 - printf("Table `%s'\n", handle->info.name);
2828 - printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
2829 - handle->info.hook_entry[HOOK_PRE_ROUTING],
2830 - handle->info.hook_entry[HOOK_LOCAL_IN],
2831 - handle->info.hook_entry[HOOK_FORWARD],
2832 - handle->info.hook_entry[HOOK_LOCAL_OUT],
2833 - handle->info.hook_entry[HOOK_POST_ROUTING]);
2834 - printf("Underflows: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
2835 - handle->info.underflow[HOOK_PRE_ROUTING],
2836 - handle->info.underflow[HOOK_LOCAL_IN],
2837 - handle->info.underflow[HOOK_FORWARD],
2838 - handle->info.underflow[HOOK_LOCAL_OUT],
2839 - handle->info.underflow[HOOK_POST_ROUTING]);
2841 - ENTRY_ITERATE(handle->entries->entrytable, handle->entries->size,
2842 - dump_entry, handle);
2845 -/* Does this chain exist? */
2846 -int TC_IS_CHAIN(const char *chain, const TC_HANDLE_T handle)
2848 - iptc_fn = TC_IS_CHAIN;
2849 - return iptcc_find_label(chain, handle) != NULL;
2852 -static void iptcc_chain_iterator_advance(TC_HANDLE_T handle)
2854 - struct chain_head *c = handle->chain_iterator_cur;
2856 - if (c->list.next == &handle->chains)
2857 - handle->chain_iterator_cur = NULL;
2859 - handle->chain_iterator_cur =
2860 - list_entry(c->list.next, struct chain_head, list);
2863 -/* Iterator functions to run through the chains. */
2865 -TC_FIRST_CHAIN(TC_HANDLE_T *handle)
2867 - struct chain_head *c = list_entry((*handle)->chains.next,
2868 - struct chain_head, list);
2870 - iptc_fn = TC_FIRST_CHAIN;
2873 - if (list_empty(&(*handle)->chains)) {
2874 - DEBUGP(": no chains\n");
2878 - (*handle)->chain_iterator_cur = c;
2879 - iptcc_chain_iterator_advance(*handle);
2881 - DEBUGP(": returning `%s'\n", c->name);
2885 -/* Iterator functions to run through the chains. Returns NULL at end. */
2887 -TC_NEXT_CHAIN(TC_HANDLE_T *handle)
2889 - struct chain_head *c = (*handle)->chain_iterator_cur;
2891 - iptc_fn = TC_NEXT_CHAIN;
2894 - DEBUGP(": no more chains\n");
2898 - iptcc_chain_iterator_advance(*handle);
2900 - DEBUGP(": returning `%s'\n", c->name);
2904 -/* Get first rule in the given chain: NULL for empty chain. */
2905 -const STRUCT_ENTRY *
2906 -TC_FIRST_RULE(const char *chain, TC_HANDLE_T *handle)
2908 - struct chain_head *c;
2909 - struct rule_head *r;
2911 - iptc_fn = TC_FIRST_RULE;
2913 - DEBUGP("first rule(%s): ", chain);
2915 - c = iptcc_find_label(chain, *handle);
2921 - /* Empty chain: single return/policy rule */
2922 - if (list_empty(&c->rules)) {
2923 - DEBUGP_C("no rules, returning NULL\n");
2927 - r = list_entry(c->rules.next, struct rule_head, list);
2928 - (*handle)->rule_iterator_cur = r;
2929 - DEBUGP_C("%p\n", r);
2934 -/* Returns NULL when rules run out. */
2935 -const STRUCT_ENTRY *
2936 -TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
2938 - struct rule_head *r;
2940 - iptc_fn = TC_NEXT_RULE;
2941 - DEBUGP("rule_iterator_cur=%p...", (*handle)->rule_iterator_cur);
2943 - if (!(*handle)->rule_iterator_cur) {
2944 - DEBUGP_C("returning NULL\n");
2948 - r = list_entry((*handle)->rule_iterator_cur->list.next,
2949 - struct rule_head, list);
2951 - iptc_fn = TC_NEXT_RULE;
2953 - DEBUGP_C("next=%p, head=%p...", &r->list,
2954 - &(*handle)->rule_iterator_cur->chain->rules);
2956 - if (&r->list == &(*handle)->rule_iterator_cur->chain->rules) {
2957 - (*handle)->rule_iterator_cur = NULL;
2958 - DEBUGP_C("finished, returning NULL\n");
2962 - (*handle)->rule_iterator_cur = r;
2964 - /* NOTE: prev is without any influence ! */
2965 - DEBUGP_C("returning rule %p\n", r);
2969 -/* How many rules in this chain? */
2971 -static unsigned int
2972 -TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
2974 - struct chain_head *c;
2975 - iptc_fn = TC_NUM_RULES;
2978 - c = iptcc_find_label(chain, *handle);
2981 - return (unsigned int)-1;
2984 - return c->num_rules;
2989 -static const STRUCT_ENTRY *
2990 -TC_GET_RULE(const char *chain, unsigned int n, TC_HANDLE_T *handle)
2992 - struct chain_head *c;
2993 - struct rule_head *r;
2995 - iptc_fn = TC_GET_RULE;
2999 - c = iptcc_find_label(chain, *handle);
3005 - r = iptcc_get_rule_num(c, n);
3012 -/* Returns a pointer to the target name of this position. */
3013 -static const char *standard_target_map(int verdict)
3015 - switch (verdict) {
3017 - return LABEL_RETURN;
3019 - case -NF_ACCEPT-1:
3020 - return LABEL_ACCEPT;
3023 - return LABEL_DROP;
3026 - return LABEL_QUEUE;
3029 - fprintf(stderr, "ERROR: %d not a valid target)\n",
3038 -/* Returns a pointer to the target name of this position. */
3039 -const char *TC_GET_TARGET(const STRUCT_ENTRY *ce,
3040 - TC_HANDLE_T *handle)
3042 - STRUCT_ENTRY *e = (STRUCT_ENTRY *)ce;
3043 - struct rule_head *r = container_of(e, struct rule_head, entry[0]);
3044 - const unsigned char *data;
3046 - iptc_fn = TC_GET_TARGET;
3050 - case IPTCC_R_FALLTHROUGH:
3053 - case IPTCC_R_JUMP:
3054 - DEBUGP("r=%p, jump=%p, name=`%s'\n", r, r->jump, r->jump->name);
3055 - return r->jump->name;
3057 - case IPTCC_R_STANDARD:
3058 - data = GET_TARGET(e)->data;
3059 - spos = *(const int *)data;
3060 - DEBUGP("r=%p, spos=%d'\n", r, spos);
3061 - return standard_target_map(spos);
3063 - case IPTCC_R_MODULE:
3064 - return GET_TARGET(e)->u.user.name;
3069 -/* Is this a built-in chain? Actually returns hook + 1. */
3071 -TC_BUILTIN(const char *chain, const TC_HANDLE_T handle)
3073 - struct chain_head *c;
3075 - iptc_fn = TC_BUILTIN;
3077 - c = iptcc_find_label(chain, handle);
3083 - return iptcc_is_builtin(c);
3086 -/* Get the policy of a given built-in chain */
3088 -TC_GET_POLICY(const char *chain,
3089 - STRUCT_COUNTERS *counters,
3090 - TC_HANDLE_T *handle)
3092 - struct chain_head *c;
3094 - iptc_fn = TC_GET_POLICY;
3096 - DEBUGP("called for chain %s\n", chain);
3098 - c = iptcc_find_label(chain, *handle);
3104 - if (!iptcc_is_builtin(c))
3107 - *counters = c->counters;
3109 - return standard_target_map(c->verdict);
3113 -iptcc_standard_map(struct rule_head *r, int verdict)
3115 - STRUCT_ENTRY *e = r->entry;
3116 - STRUCT_STANDARD_TARGET *t;
3118 - t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
3120 - if (t->target.u.target_size
3121 - != ALIGN(sizeof(STRUCT_STANDARD_TARGET))) {
3125 - /* memset for memcmp convenience on delete/replace */
3126 - memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
3127 - strcpy(t->target.u.user.name, STANDARD_TARGET);
3128 - t->verdict = verdict;
3130 - r->type = IPTCC_R_STANDARD;
3136 -iptcc_map_target(const TC_HANDLE_T handle,
3137 - struct rule_head *r)
3139 - STRUCT_ENTRY *e = r->entry;
3140 - STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
3142 - /* Maybe it's empty (=> fall through) */
3143 - if (strcmp(t->u.user.name, "") == 0) {
3144 - r->type = IPTCC_R_FALLTHROUGH;
3147 - /* Maybe it's a standard target name... */
3148 - else if (strcmp(t->u.user.name, LABEL_ACCEPT) == 0)
3149 - return iptcc_standard_map(r, -NF_ACCEPT - 1);
3150 - else if (strcmp(t->u.user.name, LABEL_DROP) == 0)
3151 - return iptcc_standard_map(r, -NF_DROP - 1);
3152 - else if (strcmp(t->u.user.name, LABEL_QUEUE) == 0)
3153 - return iptcc_standard_map(r, -NF_QUEUE - 1);
3154 - else if (strcmp(t->u.user.name, LABEL_RETURN) == 0)
3155 - return iptcc_standard_map(r, RETURN);
3156 - else if (TC_BUILTIN(t->u.user.name, handle)) {
3157 - /* Can't jump to builtins. */
3161 - /* Maybe it's an existing chain name. */
3162 - struct chain_head *c;
3163 - DEBUGP("trying to find chain `%s': ", t->u.user.name);
3165 - c = iptcc_find_label(t->u.user.name, handle);
3167 - DEBUGP_C("found!\n");
3168 - r->type = IPTCC_R_JUMP;
3173 - DEBUGP_C("not found :(\n");
3176 - /* Must be a module? If not, kernel will reject... */
3177 - /* memset to all 0 for your memcmp convenience: don't clear version */
3178 - memset(t->u.user.name + strlen(t->u.user.name),
3180 - FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name));
3181 - r->type = IPTCC_R_MODULE;
3182 - set_changed(handle);
3186 -/* Insert the entry `fw' in chain `chain' into position `rulenum'. */
3188 -TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
3189 - const STRUCT_ENTRY *e,
3190 - unsigned int rulenum,
3191 - TC_HANDLE_T *handle)
3193 - struct chain_head *c;
3194 - struct rule_head *r;
3195 - struct list_head *prev;
3197 - iptc_fn = TC_INSERT_ENTRY;
3199 - if (!(c = iptcc_find_label(chain, *handle))) {
3204 - /* first rulenum index = 0
3205 - first c->num_rules index = 1 */
3206 - if (rulenum > c->num_rules) {
3211 - /* If we are inserting at the end just take advantage of the
3212 - double linked list, insert will happen before the entry
3213 - prev points to. */
3214 - if (rulenum == c->num_rules) {
3216 - } else if (rulenum + 1 <= c->num_rules/2) {
3217 - r = iptcc_get_rule_num(c, rulenum + 1);
3220 - r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
3224 - if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
3229 - memcpy(r->entry, e, e->next_offset);
3230 - r->counter_map.maptype = COUNTER_MAP_SET;
3232 - if (!iptcc_map_target(*handle, r)) {
3237 - list_add_tail(&r->list, prev);
3240 - set_changed(*handle);
3245 -/* Atomically replace rule `rulenum' in `chain' with `fw'. */
3247 -TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
3248 - const STRUCT_ENTRY *e,
3249 - unsigned int rulenum,
3250 - TC_HANDLE_T *handle)
3252 - struct chain_head *c;
3253 - struct rule_head *r, *old;
3255 - iptc_fn = TC_REPLACE_ENTRY;
3257 - if (!(c = iptcc_find_label(chain, *handle))) {
3262 - if (rulenum >= c->num_rules) {
3267 - /* Take advantage of the double linked list if possible. */
3268 - if (rulenum + 1 <= c->num_rules/2) {
3269 - old = iptcc_get_rule_num(c, rulenum + 1);
3271 - old = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
3274 - if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
3279 - memcpy(r->entry, e, e->next_offset);
3280 - r->counter_map.maptype = COUNTER_MAP_SET;
3282 - if (!iptcc_map_target(*handle, r)) {
3287 - list_add(&r->list, &old->list);
3288 - iptcc_delete_rule(old);
3290 - set_changed(*handle);
3295 -/* Append entry `fw' to chain `chain'. Equivalent to insert with
3296 - rulenum = length of chain. */
3298 -TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
3299 - const STRUCT_ENTRY *e,
3300 - TC_HANDLE_T *handle)
3302 - struct chain_head *c;
3303 - struct rule_head *r;
3305 - iptc_fn = TC_APPEND_ENTRY;
3306 - if (!(c = iptcc_find_label(chain, *handle))) {
3307 - DEBUGP("unable to find chain `%s'\n", chain);
3312 - if (!(r = iptcc_alloc_rule(c, e->next_offset))) {
3313 - DEBUGP("unable to allocate rule for chain `%s'\n", chain);
3318 - memcpy(r->entry, e, e->next_offset);
3319 - r->counter_map.maptype = COUNTER_MAP_SET;
3321 - if (!iptcc_map_target(*handle, r)) {
3322 - DEBUGP("unable to map target of rule for chain `%s'\n", chain);
3327 - list_add_tail(&r->list, &c->rules);
3330 - set_changed(*handle);
3336 -match_different(const STRUCT_ENTRY_MATCH *a,
3337 - const unsigned char *a_elems,
3338 - const unsigned char *b_elems,
3339 - unsigned char **maskptr)
3341 - const STRUCT_ENTRY_MATCH *b;
3344 - /* Offset of b is the same as a. */
3345 - b = (void *)b_elems + ((unsigned char *)a - a_elems);
3347 - if (a->u.match_size != b->u.match_size)
3350 - if (strcmp(a->u.user.name, b->u.user.name) != 0)
3353 - *maskptr += ALIGN(sizeof(*a));
3355 - for (i = 0; i < a->u.match_size - ALIGN(sizeof(*a)); i++)
3356 - if (((a->data[i] ^ b->data[i]) & (*maskptr)[i]) != 0)
3363 -target_same(struct rule_head *a, struct rule_head *b,const unsigned char *mask)
3366 - STRUCT_ENTRY_TARGET *ta, *tb;
3368 - if (a->type != b->type)
3371 - ta = GET_TARGET(a->entry);
3372 - tb = GET_TARGET(b->entry);
3374 - switch (a->type) {
3375 - case IPTCC_R_FALLTHROUGH:
3377 - case IPTCC_R_JUMP:
3378 - return a->jump == b->jump;
3379 - case IPTCC_R_STANDARD:
3380 - return ((STRUCT_STANDARD_TARGET *)ta)->verdict
3381 - == ((STRUCT_STANDARD_TARGET *)tb)->verdict;
3382 - case IPTCC_R_MODULE:
3383 - if (ta->u.target_size != tb->u.target_size)
3385 - if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
3388 - for (i = 0; i < ta->u.target_size - sizeof(*ta); i++)
3389 - if (((ta->data[i] ^ tb->data[i]) & mask[i]) != 0)
3393 - fprintf(stderr, "ERROR: bad type %i\n", a->type);
3398 -static unsigned char *
3399 -is_same(const STRUCT_ENTRY *a,
3400 - const STRUCT_ENTRY *b,
3401 - unsigned char *matchmask);
3403 -/* Delete the first rule in `chain' which matches `fw'. */
3405 -TC_DELETE_ENTRY(const IPT_CHAINLABEL chain,
3406 - const STRUCT_ENTRY *origfw,
3407 - unsigned char *matchmask,
3408 - TC_HANDLE_T *handle)
3410 - struct chain_head *c;
3411 - struct rule_head *r, *i;
3413 - iptc_fn = TC_DELETE_ENTRY;
3414 - if (!(c = iptcc_find_label(chain, *handle))) {
3419 - /* Create a rule_head from origfw. */
3420 - r = iptcc_alloc_rule(c, origfw->next_offset);
3426 - memcpy(r->entry, origfw, origfw->next_offset);
3427 - r->counter_map.maptype = COUNTER_MAP_NOMAP;
3428 - if (!iptcc_map_target(*handle, r)) {
3429 - DEBUGP("unable to map target of rule for chain `%s'\n", chain);
3433 - /* iptcc_map_target increment target chain references
3434 - * since this is a fake rule only used for matching
3435 - * the chain references count is decremented again.
3437 - if (r->type == IPTCC_R_JUMP
3439 - r->jump->references--;
3442 - list_for_each_entry(i, &c->rules, list) {
3443 - unsigned char *mask;
3445 - mask = is_same(r->entry, i->entry, matchmask);
3449 - if (!target_same(r, i, mask))
3452 - /* If we are about to delete the rule that is the
3453 - * current iterator, move rule iterator back. next
3454 - * pointer will then point to real next node */
3455 - if (i == (*handle)->rule_iterator_cur) {
3456 - (*handle)->rule_iterator_cur =
3457 - list_entry((*handle)->rule_iterator_cur->list.prev,
3458 - struct rule_head, list);
3462 - iptcc_delete_rule(i);
3464 - set_changed(*handle);
3475 -/* Delete the rule in position `rulenum' in `chain'. */
3477 -TC_DELETE_NUM_ENTRY(const IPT_CHAINLABEL chain,
3478 - unsigned int rulenum,
3479 - TC_HANDLE_T *handle)
3481 - struct chain_head *c;
3482 - struct rule_head *r;
3484 - iptc_fn = TC_DELETE_NUM_ENTRY;
3486 - if (!(c = iptcc_find_label(chain, *handle))) {
3491 - if (rulenum >= c->num_rules) {
3496 - /* Take advantage of the double linked list if possible. */
3497 - if (rulenum + 1 <= c->num_rules/2) {
3498 - r = iptcc_get_rule_num(c, rulenum + 1);
3500 - r = iptcc_get_rule_num_reverse(c, c->num_rules - rulenum);
3503 - /* If we are about to delete the rule that is the current
3504 - * iterator, move rule iterator back. next pointer will then
3505 - * point to real next node */
3506 - if (r == (*handle)->rule_iterator_cur) {
3507 - (*handle)->rule_iterator_cur =
3508 - list_entry((*handle)->rule_iterator_cur->list.prev,
3509 - struct rule_head, list);
3513 - iptcc_delete_rule(r);
3515 - set_changed(*handle);
3520 -/* Check the packet `fw' on chain `chain'. Returns the verdict, or
3521 - NULL and sets errno. */
3523 -TC_CHECK_PACKET(const IPT_CHAINLABEL chain,
3524 - STRUCT_ENTRY *entry,
3525 - TC_HANDLE_T *handle)
3527 - iptc_fn = TC_CHECK_PACKET;
3532 -/* Flushes the entries in the given chain (ie. empties chain). */
3534 -TC_FLUSH_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
3536 - struct chain_head *c;
3537 - struct rule_head *r, *tmp;
3539 - iptc_fn = TC_FLUSH_ENTRIES;
3540 - if (!(c = iptcc_find_label(chain, *handle))) {
3545 - list_for_each_entry_safe(r, tmp, &c->rules, list) {
3546 - iptcc_delete_rule(r);
3551 - set_changed(*handle);
3556 -/* Zeroes the counters in a chain. */
3558 -TC_ZERO_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
3560 - struct chain_head *c;
3561 - struct rule_head *r;
3563 - iptc_fn = TC_ZERO_ENTRIES;
3564 - if (!(c = iptcc_find_label(chain, *handle))) {
3569 - if (c->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
3570 - c->counter_map.maptype = COUNTER_MAP_ZEROED;
3572 - list_for_each_entry(r, &c->rules, list) {
3573 - if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
3574 - r->counter_map.maptype = COUNTER_MAP_ZEROED;
3577 - set_changed(*handle);
3583 -TC_READ_COUNTER(const IPT_CHAINLABEL chain,
3584 - unsigned int rulenum,
3585 - TC_HANDLE_T *handle)
3587 - struct chain_head *c;
3588 - struct rule_head *r;
3590 - iptc_fn = TC_READ_COUNTER;
3593 - if (!(c = iptcc_find_label(chain, *handle))) {
3598 - if (!(r = iptcc_get_rule_num(c, rulenum))) {
3603 - return &r->entry[0].counters;
3607 -TC_ZERO_COUNTER(const IPT_CHAINLABEL chain,
3608 - unsigned int rulenum,
3609 - TC_HANDLE_T *handle)
3611 - struct chain_head *c;
3612 - struct rule_head *r;
3614 - iptc_fn = TC_ZERO_COUNTER;
3617 - if (!(c = iptcc_find_label(chain, *handle))) {
3622 - if (!(r = iptcc_get_rule_num(c, rulenum))) {
3627 - if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
3628 - r->counter_map.maptype = COUNTER_MAP_ZEROED;
3630 - set_changed(*handle);
3636 -TC_SET_COUNTER(const IPT_CHAINLABEL chain,
3637 - unsigned int rulenum,
3638 - STRUCT_COUNTERS *counters,
3639 - TC_HANDLE_T *handle)
3641 - struct chain_head *c;
3642 - struct rule_head *r;
3645 - iptc_fn = TC_SET_COUNTER;
3648 - if (!(c = iptcc_find_label(chain, *handle))) {
3653 - if (!(r = iptcc_get_rule_num(c, rulenum))) {
3659 - r->counter_map.maptype = COUNTER_MAP_SET;
3661 - memcpy(&e->counters, counters, sizeof(STRUCT_COUNTERS));
3663 - set_changed(*handle);
3668 -/* Creates a new chain. */
3669 -/* To create a chain, create two rules: error node and unconditional
3672 -TC_CREATE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
3674 - static struct chain_head *c;
3678 - iptc_fn = TC_CREATE_CHAIN;
3680 - /* find_label doesn't cover built-in targets: DROP, ACCEPT,
3682 - if (iptcc_find_label(chain, *handle)
3683 - || strcmp(chain, LABEL_DROP) == 0
3684 - || strcmp(chain, LABEL_ACCEPT) == 0
3685 - || strcmp(chain, LABEL_QUEUE) == 0
3686 - || strcmp(chain, LABEL_RETURN) == 0) {
3687 - DEBUGP("Chain `%s' already exists\n", chain);
3692 - if (strlen(chain)+1 > sizeof(IPT_CHAINLABEL)) {
3693 - DEBUGP("Chain name `%s' too long\n", chain);
3698 - c = iptcc_alloc_chain_head(chain, 0);
3700 - DEBUGP("Cannot allocate memory for chain `%s'\n", chain);
3705 - (*handle)->num_chains++; /* New user defined chain */
3707 - DEBUGP("Creating chain `%s'\n", chain);
3708 - iptc_insert_chain(*handle, c); /* Insert sorted */
3710 - /* Inserting chains don't change the correctness of the chain
3711 - * index (except if its smaller than index[0], but that
3712 - * handled by iptc_insert_chain). It only causes longer lists
3713 - * in the buckets. Thus, only rebuild chain index when the
3714 - * capacity is exceed with CHAIN_INDEX_INSERT_MAX chains.
3716 - capacity = (*handle)->chain_index_sz * CHAIN_INDEX_BUCKET_LEN;
3717 - exceeded = ((((*handle)->num_chains)-capacity));
3718 - if (exceeded > CHAIN_INDEX_INSERT_MAX) {
3719 - debug("Capacity(%d) exceeded(%d) rebuild (chains:%d)\n",
3720 - capacity, exceeded, (*handle)->num_chains);
3721 - iptcc_chain_index_rebuild(*handle);
3724 - set_changed(*handle);
3729 -/* Get the number of references to this chain. */
3731 -TC_GET_REFERENCES(unsigned int *ref, const IPT_CHAINLABEL chain,
3732 - TC_HANDLE_T *handle)
3734 - struct chain_head *c;
3736 - iptc_fn = TC_GET_REFERENCES;
3737 - if (!(c = iptcc_find_label(chain, *handle))) {
3742 - *ref = c->references;
3747 -/* Deletes a chain. */
3749 -TC_DELETE_CHAIN(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
3751 - unsigned int references;
3752 - struct chain_head *c;
3754 - iptc_fn = TC_DELETE_CHAIN;
3756 - if (!(c = iptcc_find_label(chain, *handle))) {
3757 - DEBUGP("cannot find chain `%s'\n", chain);
3762 - if (TC_BUILTIN(chain, *handle)) {
3763 - DEBUGP("cannot remove builtin chain `%s'\n", chain);
3768 - if (!TC_GET_REFERENCES(&references, chain, handle)) {
3769 - DEBUGP("cannot get references on chain `%s'\n", chain);
3773 - if (references > 0) {
3774 - DEBUGP("chain `%s' still has references\n", chain);
3779 - if (c->num_rules) {
3780 - DEBUGP("chain `%s' is not empty\n", chain);
3781 - errno = ENOTEMPTY;
3785 - /* If we are about to delete the chain that is the current
3786 - * iterator, move chain iterator forward. */
3787 - if (c == (*handle)->chain_iterator_cur)
3788 - iptcc_chain_iterator_advance(*handle);
3790 - (*handle)->num_chains--; /* One user defined chain deleted */
3792 - //list_del(&c->list); /* Done in iptcc_chain_index_delete_chain() */
3793 - iptcc_chain_index_delete_chain(c, *handle);
3796 - DEBUGP("chain `%s' deleted\n", chain);
3798 - set_changed(*handle);
3803 -/* Renames a chain. */
3804 -int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
3805 - const IPT_CHAINLABEL newname,
3806 - TC_HANDLE_T *handle)
3808 - struct chain_head *c;
3809 - iptc_fn = TC_RENAME_CHAIN;
3811 - /* find_label doesn't cover built-in targets: DROP, ACCEPT,
3813 - if (iptcc_find_label(newname, *handle)
3814 - || strcmp(newname, LABEL_DROP) == 0
3815 - || strcmp(newname, LABEL_ACCEPT) == 0
3816 - || strcmp(newname, LABEL_QUEUE) == 0
3817 - || strcmp(newname, LABEL_RETURN) == 0) {
3822 - if (!(c = iptcc_find_label(oldname, *handle))
3823 - || TC_BUILTIN(oldname, *handle)) {
3828 - if (strlen(newname)+1 > sizeof(IPT_CHAINLABEL)) {
3833 - strncpy(c->name, newname, sizeof(IPT_CHAINLABEL));
3835 - set_changed(*handle);
3840 -/* Sets the policy on a built-in chain. */
3842 -TC_SET_POLICY(const IPT_CHAINLABEL chain,
3843 - const IPT_CHAINLABEL policy,
3844 - STRUCT_COUNTERS *counters,
3845 - TC_HANDLE_T *handle)
3847 - struct chain_head *c;
3849 - iptc_fn = TC_SET_POLICY;
3851 - if (!(c = iptcc_find_label(chain, *handle))) {
3852 - DEBUGP("cannot find chain `%s'\n", chain);
3857 - if (!iptcc_is_builtin(c)) {
3858 - DEBUGP("cannot set policy of userdefinedchain `%s'\n", chain);
3863 - if (strcmp(policy, LABEL_ACCEPT) == 0)
3864 - c->verdict = -NF_ACCEPT - 1;
3865 - else if (strcmp(policy, LABEL_DROP) == 0)
3866 - c->verdict = -NF_DROP - 1;
3873 - /* set byte and packet counters */
3874 - memcpy(&c->counters, counters, sizeof(STRUCT_COUNTERS));
3875 - c->counter_map.maptype = COUNTER_MAP_SET;
3877 - c->counter_map.maptype = COUNTER_MAP_NOMAP;
3880 - set_changed(*handle);
3885 -/* Without this, on gcc 2.7.2.3, we get:
3886 - libiptc.c: In function `TC_COMMIT':
3887 - libiptc.c:833: fixed or forbidden register was spilled.
3888 - This may be due to a compiler bug or to impossible asm
3889 - statements or clauses.
3892 -subtract_counters(STRUCT_COUNTERS *answer,
3893 - const STRUCT_COUNTERS *a,
3894 - const STRUCT_COUNTERS *b)
3896 - answer->pcnt = a->pcnt - b->pcnt;
3897 - answer->bcnt = a->bcnt - b->bcnt;
3901 -static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters, unsigned int idx)
3903 - newcounters->counters[idx] = ((STRUCT_COUNTERS) { 0, 0});
3904 - DEBUGP_C("NOMAP => zero\n");
3907 -static void counters_normal_map(STRUCT_COUNTERS_INFO *newcounters,
3908 - STRUCT_REPLACE *repl, unsigned int idx,
3909 - unsigned int mappos)
3911 - /* Original read: X.
3912 - * Atomic read on replacement: X + Y.
3913 - * Currently in kernel: Z.
3914 - * Want in kernel: X + Y + Z.
3916 - * => Add in replacement read.
3918 - newcounters->counters[idx] = repl->counters[mappos];
3919 - DEBUGP_C("NORMAL_MAP => mappos %u \n", mappos);
3922 -static void counters_map_zeroed(STRUCT_COUNTERS_INFO *newcounters,
3923 - STRUCT_REPLACE *repl, unsigned int idx,
3924 - unsigned int mappos, STRUCT_COUNTERS *counters)
3926 - /* Original read: X.
3927 - * Atomic read on replacement: X + Y.
3928 - * Currently in kernel: Z.
3929 - * Want in kernel: Y + Z.
3931 - * => Add in (replacement read - original read).
3933 - subtract_counters(&newcounters->counters[idx],
3934 - &repl->counters[mappos],
3936 - DEBUGP_C("ZEROED => mappos %u\n", mappos);
3939 -static void counters_map_set(STRUCT_COUNTERS_INFO *newcounters,
3940 - unsigned int idx, STRUCT_COUNTERS *counters)
3942 - /* Want to set counter (iptables-restore) */
3944 - memcpy(&newcounters->counters[idx], counters,
3945 - sizeof(STRUCT_COUNTERS));
3947 - DEBUGP_C("SET\n");
3952 -TC_COMMIT(TC_HANDLE_T *handle)
3954 - /* Replace, then map back the counters. */
3955 - STRUCT_REPLACE *repl;
3956 - STRUCT_COUNTERS_INFO *newcounters;
3957 - struct chain_head *c;
3959 - size_t counterlen;
3961 - unsigned int new_size;
3963 - iptc_fn = TC_COMMIT;
3966 - /* Don't commit if nothing changed. */
3967 - if (!(*handle)->changed)
3970 - new_number = iptcc_compile_table_prep(*handle, &new_size);
3971 - if (new_number < 0) {
3976 - repl = malloc(sizeof(*repl) + new_size);
3981 - memset(repl, 0, sizeof(*repl) + new_size);
3984 - TC_DUMP_ENTRIES(*handle);
3987 - counterlen = sizeof(STRUCT_COUNTERS_INFO)
3988 - + sizeof(STRUCT_COUNTERS) * new_number;
3990 - /* These are the old counters we will get from kernel */
3991 - repl->counters = malloc(sizeof(STRUCT_COUNTERS)
3992 - * (*handle)->info.num_entries);
3993 - if (!repl->counters) {
3995 - goto out_free_repl;
3997 - /* These are the counters we're going to put back, later. */
3998 - newcounters = malloc(counterlen);
3999 - if (!newcounters) {
4001 - goto out_free_repl_counters;
4003 - memset(newcounters, 0, counterlen);
4005 - strcpy(repl->name, (*handle)->info.name);
4006 - repl->num_entries = new_number;
4007 - repl->size = new_size;
4009 - repl->num_counters = (*handle)->info.num_entries;
4010 - repl->valid_hooks = (*handle)->info.valid_hooks;
4012 - DEBUGP("num_entries=%u, size=%u, num_counters=%u\n",
4013 - repl->num_entries, repl->size, repl->num_counters);
4015 - ret = iptcc_compile_table(*handle, repl);
4018 - goto out_free_newcounters;
4024 - int fd = open("/tmp/libiptc-so_set_replace.blob",
4025 - O_CREAT|O_WRONLY);
4027 - write(fd, repl, sizeof(*repl) + repl->size);
4033 - ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
4034 - sizeof(*repl) + repl->size);
4036 - goto out_free_newcounters;
4038 - /* Put counters back. */
4039 - strcpy(newcounters->name, (*handle)->info.name);
4040 - newcounters->num_counters = new_number;
4042 - list_for_each_entry(c, &(*handle)->chains, list) {
4043 - struct rule_head *r;
4045 - /* Builtin chains have their own counters */
4046 - if (iptcc_is_builtin(c)) {
4047 - DEBUGP("counter for chain-index %u: ", c->foot_index);
4048 - switch(c->counter_map.maptype) {
4049 - case COUNTER_MAP_NOMAP:
4050 - counters_nomap(newcounters, c->foot_index);
4052 - case COUNTER_MAP_NORMAL_MAP:
4053 - counters_normal_map(newcounters, repl,
4055 - c->counter_map.mappos);
4057 - case COUNTER_MAP_ZEROED:
4058 - counters_map_zeroed(newcounters, repl,
4060 - c->counter_map.mappos,
4063 - case COUNTER_MAP_SET:
4064 - counters_map_set(newcounters, c->foot_index,
4070 - list_for_each_entry(r, &c->rules, list) {
4071 - DEBUGP("counter for index %u: ", r->index);
4072 - switch (r->counter_map.maptype) {
4073 - case COUNTER_MAP_NOMAP:
4074 - counters_nomap(newcounters, r->index);
4077 - case COUNTER_MAP_NORMAL_MAP:
4078 - counters_normal_map(newcounters, repl,
4080 - r->counter_map.mappos);
4083 - case COUNTER_MAP_ZEROED:
4084 - counters_map_zeroed(newcounters, repl,
4086 - r->counter_map.mappos,
4087 - &r->entry->counters);
4090 - case COUNTER_MAP_SET:
4091 - counters_map_set(newcounters, r->index,
4092 - &r->entry->counters);
4100 - int fd = open("/tmp/libiptc-so_set_add_counters.blob",
4101 - O_CREAT|O_WRONLY);
4103 - write(fd, newcounters, counterlen);
4109 - ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
4110 - newcounters, counterlen);
4112 - goto out_free_newcounters;
4114 - free(repl->counters);
4116 - free(newcounters);
4122 -out_free_newcounters:
4123 - free(newcounters);
4124 -out_free_repl_counters:
4125 - free(repl->counters);
4132 -/* Get raw socket. */
4134 -TC_GET_RAW_SOCKET(void)
4139 -/* Translates errno numbers into more human-readable form than strerror. */
4141 -TC_STRERROR(int err)
4144 - struct table_struct {
4147 - const char *message;
4149 - { { TC_INIT, EPERM, "Permission denied (you must be root)" },
4150 - { TC_INIT, EINVAL, "Module is wrong version" },
4151 - { TC_INIT, ENOENT,
4152 - "Table does not exist (do you need to insmod?)" },
4153 - { TC_DELETE_CHAIN, ENOTEMPTY, "Chain is not empty" },
4154 - { TC_DELETE_CHAIN, EINVAL, "Can't delete built-in chain" },
4155 - { TC_DELETE_CHAIN, EMLINK,
4156 - "Can't delete chain with references left" },
4157 - { TC_CREATE_CHAIN, EEXIST, "Chain already exists" },
4158 - { TC_INSERT_ENTRY, E2BIG, "Index of insertion too big" },
4159 - { TC_REPLACE_ENTRY, E2BIG, "Index of replacement too big" },
4160 - { TC_DELETE_NUM_ENTRY, E2BIG, "Index of deletion too big" },
4161 - { TC_READ_COUNTER, E2BIG, "Index of counter too big" },
4162 - { TC_ZERO_COUNTER, E2BIG, "Index of counter too big" },
4163 - { TC_INSERT_ENTRY, ELOOP, "Loop found in table" },
4164 - { TC_INSERT_ENTRY, EINVAL, "Target problem" },
4165 - /* EINVAL for CHECK probably means bad interface. */
4166 - { TC_CHECK_PACKET, EINVAL,
4167 - "Bad arguments (does that interface exist?)" },
4168 - { TC_CHECK_PACKET, ENOSYS,
4169 - "Checking will most likely never get implemented" },
4170 - /* ENOENT for DELETE probably means no matching rule */
4171 - { TC_DELETE_ENTRY, ENOENT,
4172 - "Bad rule (does a matching rule exist in that chain?)" },
4173 - { TC_SET_POLICY, ENOENT,
4174 - "Bad built-in chain name" },
4175 - { TC_SET_POLICY, EINVAL,
4176 - "Bad policy name" },
4178 - { NULL, 0, "Incompatible with this kernel" },
4179 - { NULL, ENOPROTOOPT, "iptables who? (do you need to insmod?)" },
4180 - { NULL, ENOSYS, "Will be implemented real soon. I promise ;)" },
4181 - { NULL, ENOMEM, "Memory allocation problem" },
4182 - { NULL, ENOENT, "No chain/target/match by that name" },
4185 - for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
4186 - if ((!table[i].fn || table[i].fn == iptc_fn)
4187 - && table[i].err == err)
4188 - return table[i].message;
4191 - return strerror(err);
4193 diff --git a/src/owniptc/libiptc.h b/src/owniptc/libiptc.h
4194 deleted file mode 100644
4195 index 3fc25b6..0000000
4196 --- a/src/owniptc/libiptc.h
4200 - * This file was imported from the iptables sources.
4201 - * Copyright (C) 1999-2008 Netfilter Core Team
4203 - * This program is free software; you can redistribute it and/or modify it
4204 - * under the terms of the GNU General Public License as published by the
4205 - * Free Software Foundation; only version 2 of the License is applicable.
4207 - * This program is distributed in the hope that it will be useful, but
4208 - * WITHOUT ANY WARRANTY; without even the implied warranty of
4209 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
4210 - * General Public License for more details.
4212 - * You should have received a copy of the GNU General Public License along
4213 - * with this program; if not, write to the Free Software Foundation, Inc.,
4214 - * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
4219 -/* Library which manipulates filtering rules. */
4221 -#include <linux/types.h>
4222 -#include "ipt_kernel_headers.h"
4223 -#include <linux/netfilter_ipv4/ip_tables.h>
4229 -#ifndef IPT_MIN_ALIGN
4230 -/* ipt_entry has pointers and u_int64_t's in it, so if you align to
4231 - it, you'll also align to any crazy matches and targets someone
4233 -#define IPT_MIN_ALIGN (__alignof__(struct ipt_entry))
4236 -#define IPT_ALIGN(s) (((s) + ((IPT_MIN_ALIGN)-1)) & ~((IPT_MIN_ALIGN)-1))
4238 -typedef char ipt_chainlabel[32];
4240 -#define IPTC_LABEL_ACCEPT "ACCEPT"
4241 -#define IPTC_LABEL_DROP "DROP"
4242 -#define IPTC_LABEL_QUEUE "QUEUE"
4243 -#define IPTC_LABEL_RETURN "RETURN"
4245 -/* Transparent handle type. */
4246 -typedef struct iptc_handle *iptc_handle_t;
4248 -/* Does this chain exist? */
4249 -int iptc_is_chain(const char *chain, const iptc_handle_t handle);
4251 -/* Take a snapshot of the rules. Returns NULL on error. */
4252 -iptc_handle_t iptc_init(const char *tablename);
4254 -/* Cleanup after iptc_init(). */
4255 -void iptc_free(iptc_handle_t *h);
4257 -/* Iterator functions to run through the chains. Returns NULL at end. */
4258 -const char *iptc_first_chain(iptc_handle_t *handle);
4259 -const char *iptc_next_chain(iptc_handle_t *handle);
4261 -/* Get first rule in the given chain: NULL for empty chain. */
4262 -const struct ipt_entry *iptc_first_rule(const char *chain,
4263 - iptc_handle_t *handle);
4265 -/* Returns NULL when rules run out. */
4266 -const struct ipt_entry *iptc_next_rule(const struct ipt_entry *prev,
4267 - iptc_handle_t *handle);
4269 -/* Returns a pointer to the target name of this entry. */
4270 -const char *iptc_get_target(const struct ipt_entry *e,
4271 - iptc_handle_t *handle);
4273 -/* Is this a built-in chain? */
4274 -int iptc_builtin(const char *chain, const iptc_handle_t handle);
4276 -/* Get the policy of a given built-in chain */
4277 -const char *iptc_get_policy(const char *chain,
4278 - struct ipt_counters *counter,
4279 - iptc_handle_t *handle);
4281 -/* These functions return TRUE for OK or 0 and set errno. If errno ==
4282 - 0, it means there was a version error (ie. upgrade libiptc). */
4283 -/* Rule numbers start at 1 for the first rule. */
4285 -/* Insert the entry `e' in chain `chain' into position `rulenum'. */
4286 -int iptc_insert_entry(const ipt_chainlabel chain,
4287 - const struct ipt_entry *e,
4288 - unsigned int rulenum,
4289 - iptc_handle_t *handle);
4291 -/* Atomically replace rule `rulenum' in `chain' with `e'. */
4292 -int iptc_replace_entry(const ipt_chainlabel chain,
4293 - const struct ipt_entry *e,
4294 - unsigned int rulenum,
4295 - iptc_handle_t *handle);
4297 -/* Append entry `e' to chain `chain'. Equivalent to insert with
4298 - rulenum = length of chain. */
4299 -int iptc_append_entry(const ipt_chainlabel chain,
4300 - const struct ipt_entry *e,
4301 - iptc_handle_t *handle);
4303 -/* Delete the first rule in `chain' which matches `e', subject to
4304 - matchmask (array of length == origfw) */
4305 -int iptc_delete_entry(const ipt_chainlabel chain,
4306 - const struct ipt_entry *origfw,
4307 - unsigned char *matchmask,
4308 - iptc_handle_t *handle);
4310 -/* Delete the rule in position `rulenum' in `chain'. */
4311 -int iptc_delete_num_entry(const ipt_chainlabel chain,
4312 - unsigned int rulenum,
4313 - iptc_handle_t *handle);
4315 -/* Check the packet `e' on chain `chain'. Returns the verdict, or
4316 - NULL and sets errno. */
4317 -const char *iptc_check_packet(const ipt_chainlabel chain,
4318 - struct ipt_entry *entry,
4319 - iptc_handle_t *handle);
4321 -/* Flushes the entries in the given chain (ie. empties chain). */
4322 -int iptc_flush_entries(const ipt_chainlabel chain,
4323 - iptc_handle_t *handle);
4325 -/* Zeroes the counters in a chain. */
4326 -int iptc_zero_entries(const ipt_chainlabel chain,
4327 - iptc_handle_t *handle);
4329 -/* Creates a new chain. */
4330 -int iptc_create_chain(const ipt_chainlabel chain,
4331 - iptc_handle_t *handle);
4333 -/* Deletes a chain. */
4334 -int iptc_delete_chain(const ipt_chainlabel chain,
4335 - iptc_handle_t *handle);
4337 -/* Renames a chain. */
4338 -int iptc_rename_chain(const ipt_chainlabel oldname,
4339 - const ipt_chainlabel newname,
4340 - iptc_handle_t *handle);
4342 -/* Sets the policy on a built-in chain. */
4343 -int iptc_set_policy(const ipt_chainlabel chain,
4344 - const ipt_chainlabel policy,
4345 - struct ipt_counters *counters,
4346 - iptc_handle_t *handle);
4348 -/* Get the number of references to this chain */
4349 -int iptc_get_references(unsigned int *ref,
4350 - const ipt_chainlabel chain,
4351 - iptc_handle_t *handle);
4353 -/* read packet and byte counters for a specific rule */
4354 -struct ipt_counters *iptc_read_counter(const ipt_chainlabel chain,
4355 - unsigned int rulenum,
4356 - iptc_handle_t *handle);
4358 -/* zero packet and byte counters for a specific rule */
4359 -int iptc_zero_counter(const ipt_chainlabel chain,
4360 - unsigned int rulenum,
4361 - iptc_handle_t *handle);
4363 -/* set packet and byte counters for a specific rule */
4364 -int iptc_set_counter(const ipt_chainlabel chain,
4365 - unsigned int rulenum,
4366 - struct ipt_counters *counters,
4367 - iptc_handle_t *handle);
4369 -/* Makes the actual changes. */
4370 -int iptc_commit(iptc_handle_t *handle);
4372 -/* Get raw socket. */
4373 -int iptc_get_raw_socket(void);
4375 -/* Translates errno numbers into more human-readable form than strerror. */
4376 -const char *iptc_strerror(int err);
4378 -extern void dump_entries(const iptc_handle_t);
4385 -#endif /* _LIBIPTC_H */
4386 diff --git a/src/owniptc/libxtc.h b/src/owniptc/libxtc.h
4387 deleted file mode 100644
4388 index 2ed03f4..0000000
4389 --- a/src/owniptc/libxtc.h
4393 - * This file was imported from the iptables sources.
4394 - * Copyright (C) 1999-2008 Netfilter Core Team
4396 - * This program is free software; you can redistribute it and/or modify it
4397 - * under the terms of the GNU General Public License as published by the
4398 - * Free Software Foundation; only version 2 of the License is applicable.
4400 - * This program is distributed in the hope that it will be useful, but
4401 - * WITHOUT ANY WARRANTY; without even the implied warranty of
4402 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
4403 - * General Public License for more details.
4405 - * You should have received a copy of the GNU General Public License along
4406 - * with this program; if not, write to the Free Software Foundation, Inc.,
4407 - * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
4412 -/* Library which manipulates filtering rules. */
4414 -#include "ipt_kernel_headers.h"
4415 -#include <linux/netfilter/x_tables.h>
4421 -#ifndef XT_MIN_ALIGN
4422 -/* xt_entry has pointers and u_int64_t's in it, so if you align to
4423 - it, you'll also align to any crazy matches and targets someone
4425 -#define XT_MIN_ALIGN (__alignof__(struct xt_entry))
4429 -#define XT_ALIGN(s) (((s) + ((XT_MIN_ALIGN)-1)) & ~((XT_MIN_ALIGN)-1))
4432 -typedef char xt_chainlabel[32];
4434 -#define XTC_LABEL_ACCEPT "ACCEPT"
4435 -#define XTC_LABEL_DROP "DROP"
4436 -#define XTC_LABEL_QUEUE "QUEUE"
4437 -#define XTC_LABEL_RETURN "RETURN"
4444 -#endif /* _LIBXTC_H */
4445 diff --git a/src/owniptc/linux_list.h b/src/owniptc/linux_list.h
4446 deleted file mode 100644
4447 index 56d9a26..0000000
4448 --- a/src/owniptc/linux_list.h
4452 - * This file was imported from the iptables sources.
4453 - * Copyright (C) 1999-2008 Netfilter Core Team
4455 - * This program is free software; you can redistribute it and/or modify it
4456 - * under the terms of the GNU General Public License as published by the
4457 - * Free Software Foundation; only version 2 of the License is applicable.
4459 - * This program is distributed in the hope that it will be useful, but
4460 - * WITHOUT ANY WARRANTY; without even the implied warranty of
4461 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
4462 - * General Public License for more details.
4464 - * You should have received a copy of the GNU General Public License along
4465 - * with this program; if not, write to the Free Software Foundation, Inc.,
4466 - * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
4469 -#ifndef _LINUX_LIST_H
4470 -#define _LINUX_LIST_H
4473 -#define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
4476 - * container_of - cast a member of a structure out to the containing structure
4478 - * @ptr: the pointer to the member.
4479 - * @type: the type of the container struct this is embedded in.
4480 - * @member: the name of the member within the struct.
4483 -#define container_of(ptr, type, member) ({ \
4484 - const typeof( ((type *)0)->member ) *__mptr = (ptr); \
4485 - (type *)( (char *)__mptr - offsetof(type,member) );})
4488 - * Check at compile time that something is of a particular type.
4489 - * Always evaluates to 1 so you may use it easily in comparisons.
4491 -#define typecheck(type,x) \
4493 - typeof(x) __dummy2; \
4494 - (void)(&__dummy == &__dummy2); \
4498 -#define prefetch(x) 1
4500 -/* empty define to make this work in userspace -HW */
4504 - * These are non-NULL pointers that will result in page faults
4505 - * under normal circumstances, used to verify that nobody uses
4506 - * non-initialized list entries.
4508 -#define LIST_POISON1 ((void *) 0x00100100)
4509 -#define LIST_POISON2 ((void *) 0x00200200)
4512 - * Simple doubly linked list implementation.
4514 - * Some of the internal functions ("__xxx") are useful when
4515 - * manipulating whole lists rather than single entries, as
4516 - * sometimes we already know the next/prev entries and we can
4517 - * generate better code by using them directly rather than
4518 - * using the generic single-entry routines.
4522 - struct list_head *next, *prev;
4525 -#define LIST_HEAD_INIT(name) { &(name), &(name) }
4527 -#define LIST_HEAD(name) \
4528 - struct list_head name = LIST_HEAD_INIT(name)
4530 -#define INIT_LIST_HEAD(ptr) do { \
4531 - (ptr)->next = (ptr); (ptr)->prev = (ptr); \
4535 - * Insert a new entry between two known consecutive entries.
4537 - * This is only for internal list manipulation where we know
4538 - * the prev/next entries already!
4540 -static inline void __list_add(struct list_head *new,
4541 - struct list_head *prev,
4542 - struct list_head *next)
4551 - * list_add - add a new entry
4552 - * @new: new entry to be added
4553 - * @head: list head to add it after
4555 - * Insert a new entry after the specified head.
4556 - * This is good for implementing stacks.
4558 -static inline void list_add(struct list_head *new, struct list_head *head)
4560 - __list_add(new, head, head->next);
4564 - * list_add_tail - add a new entry
4565 - * @new: new entry to be added
4566 - * @head: list head to add it before
4568 - * Insert a new entry before the specified head.
4569 - * This is useful for implementing queues.
4571 -static inline void list_add_tail(struct list_head *new, struct list_head *head)
4573 - __list_add(new, head->prev, head);
4577 - * Insert a new entry between two known consecutive entries.
4579 - * This is only for internal list manipulation where we know
4580 - * the prev/next entries already!
4582 -static inline void __list_add_rcu(struct list_head * new,
4583 - struct list_head * prev, struct list_head * next)
4593 - * list_add_rcu - add a new entry to rcu-protected list
4594 - * @new: new entry to be added
4595 - * @head: list head to add it after
4597 - * Insert a new entry after the specified head.
4598 - * This is good for implementing stacks.
4600 - * The caller must take whatever precautions are necessary
4601 - * (such as holding appropriate locks) to avoid racing
4602 - * with another list-mutation primitive, such as list_add_rcu()
4603 - * or list_del_rcu(), running on this same list.
4604 - * However, it is perfectly legal to run concurrently with
4605 - * the _rcu list-traversal primitives, such as
4606 - * list_for_each_entry_rcu().
4608 -static inline void list_add_rcu(struct list_head *new, struct list_head *head)
4610 - __list_add_rcu(new, head, head->next);
4614 - * list_add_tail_rcu - add a new entry to rcu-protected list
4615 - * @new: new entry to be added
4616 - * @head: list head to add it before
4618 - * Insert a new entry before the specified head.
4619 - * This is useful for implementing queues.
4621 - * The caller must take whatever precautions are necessary
4622 - * (such as holding appropriate locks) to avoid racing
4623 - * with another list-mutation primitive, such as list_add_tail_rcu()
4624 - * or list_del_rcu(), running on this same list.
4625 - * However, it is perfectly legal to run concurrently with
4626 - * the _rcu list-traversal primitives, such as
4627 - * list_for_each_entry_rcu().
4629 -static inline void list_add_tail_rcu(struct list_head *new,
4630 - struct list_head *head)
4632 - __list_add_rcu(new, head->prev, head);
4636 - * Delete a list entry by making the prev/next entries
4637 - * point to each other.
4639 - * This is only for internal list manipulation where we know
4640 - * the prev/next entries already!
4642 -static inline void __list_del(struct list_head * prev, struct list_head * next)
4644 - next->prev = prev;
4645 - prev->next = next;
4649 - * list_del - deletes entry from list.
4650 - * @entry: the element to delete from the list.
4651 - * Note: list_empty on entry does not return true after this, the entry is
4652 - * in an undefined state.
4654 -static inline void list_del(struct list_head *entry)
4656 - __list_del(entry->prev, entry->next);
4657 - entry->next = LIST_POISON1;
4658 - entry->prev = LIST_POISON2;
4662 - * list_del_rcu - deletes entry from list without re-initialization
4663 - * @entry: the element to delete from the list.
4665 - * Note: list_empty on entry does not return true after this,
4666 - * the entry is in an undefined state. It is useful for RCU based
4667 - * lockfree traversal.
4669 - * In particular, it means that we can not poison the forward
4670 - * pointers that may still be used for walking the list.
4672 - * The caller must take whatever precautions are necessary
4673 - * (such as holding appropriate locks) to avoid racing
4674 - * with another list-mutation primitive, such as list_del_rcu()
4675 - * or list_add_rcu(), running on this same list.
4676 - * However, it is perfectly legal to run concurrently with
4677 - * the _rcu list-traversal primitives, such as
4678 - * list_for_each_entry_rcu().
4680 - * Note that the caller is not permitted to immediately free
4681 - * the newly deleted entry. Instead, either synchronize_kernel()
4682 - * or call_rcu() must be used to defer freeing until an RCU
4683 - * grace period has elapsed.
4685 -static inline void list_del_rcu(struct list_head *entry)
4687 - __list_del(entry->prev, entry->next);
4688 - entry->prev = LIST_POISON2;
4692 - * list_del_init - deletes entry from list and reinitialize it.
4693 - * @entry: the element to delete from the list.
4695 -static inline void list_del_init(struct list_head *entry)
4697 - __list_del(entry->prev, entry->next);
4698 - INIT_LIST_HEAD(entry);
4702 - * list_move - delete from one list and add as another's head
4703 - * @list: the entry to move
4704 - * @head: the head that will precede our entry
4706 -static inline void list_move(struct list_head *list, struct list_head *head)
4708 - __list_del(list->prev, list->next);
4709 - list_add(list, head);
4713 - * list_move_tail - delete from one list and add as another's tail
4714 - * @list: the entry to move
4715 - * @head: the head that will follow our entry
4717 -static inline void list_move_tail(struct list_head *list,
4718 - struct list_head *head)
4720 - __list_del(list->prev, list->next);
4721 - list_add_tail(list, head);
4725 - * list_empty - tests whether a list is empty
4726 - * @head: the list to test.
4728 -static inline int list_empty(const struct list_head *head)
4730 - return head->next == head;
4734 - * list_empty_careful - tests whether a list is
4735 - * empty _and_ checks that no other CPU might be
4736 - * in the process of still modifying either member
4738 - * NOTE: using list_empty_careful() without synchronization
4739 - * can only be safe if the only activity that can happen
4740 - * to the list entry is list_del_init(). Eg. it cannot be used
4741 - * if another CPU could re-list_add() it.
4743 - * @head: the list to test.
4745 -static inline int list_empty_careful(const struct list_head *head)
4747 - struct list_head *next = head->next;
4748 - return (next == head) && (next == head->prev);
4751 -static inline void __list_splice(struct list_head *list,
4752 - struct list_head *head)
4754 - struct list_head *first = list->next;
4755 - struct list_head *last = list->prev;
4756 - struct list_head *at = head->next;
4758 - first->prev = head;
4759 - head->next = first;
4766 - * list_splice - join two lists
4767 - * @list: the new list to add.
4768 - * @head: the place to add it in the first list.
4770 -static inline void list_splice(struct list_head *list, struct list_head *head)
4772 - if (!list_empty(list))
4773 - __list_splice(list, head);
4777 - * list_splice_init - join two lists and reinitialise the emptied list.
4778 - * @list: the new list to add.
4779 - * @head: the place to add it in the first list.
4781 - * The list at @list is reinitialised
4783 -static inline void list_splice_init(struct list_head *list,
4784 - struct list_head *head)
4786 - if (!list_empty(list)) {
4787 - __list_splice(list, head);
4788 - INIT_LIST_HEAD(list);
4793 - * list_entry - get the struct for this entry
4794 - * @ptr: the &struct list_head pointer.
4795 - * @type: the type of the struct this is embedded in.
4796 - * @member: the name of the list_struct within the struct.
4798 -#define list_entry(ptr, type, member) \
4799 - container_of(ptr, type, member)
4802 - * list_for_each - iterate over a list
4803 - * @pos: the &struct list_head to use as a loop counter.
4804 - * @head: the head for your list.
4806 -#define list_for_each(pos, head) \
4807 - for (pos = (head)->next, prefetch(pos->next); pos != (head); \
4808 - pos = pos->next, prefetch(pos->next))
4811 - * __list_for_each - iterate over a list
4812 - * @pos: the &struct list_head to use as a loop counter.
4813 - * @head: the head for your list.
4815 - * This variant differs from list_for_each() in that it's the
4816 - * simplest possible list iteration code, no prefetching is done.
4817 - * Use this for code that knows the list to be very short (empty
4818 - * or 1 entry) most of the time.
4820 -#define __list_for_each(pos, head) \
4821 - for (pos = (head)->next; pos != (head); pos = pos->next)
4824 - * list_for_each_prev - iterate over a list backwards
4825 - * @pos: the &struct list_head to use as a loop counter.
4826 - * @head: the head for your list.
4828 -#define list_for_each_prev(pos, head) \
4829 - for (pos = (head)->prev, prefetch(pos->prev); pos != (head); \
4830 - pos = pos->prev, prefetch(pos->prev))
4833 - * list_for_each_safe - iterate over a list safe against removal of list entry
4834 - * @pos: the &struct list_head to use as a loop counter.
4835 - * @n: another &struct list_head to use as temporary storage
4836 - * @head: the head for your list.
4838 -#define list_for_each_safe(pos, n, head) \
4839 - for (pos = (head)->next, n = pos->next; pos != (head); \
4840 - pos = n, n = pos->next)
4843 - * list_for_each_entry - iterate over list of given type
4844 - * @pos: the type * to use as a loop counter.
4845 - * @head: the head for your list.
4846 - * @member: the name of the list_struct within the struct.
4848 -#define list_for_each_entry(pos, head, member) \
4849 - for (pos = list_entry((head)->next, typeof(*pos), member), \
4850 - prefetch(pos->member.next); \
4851 - &pos->member != (head); \
4852 - pos = list_entry(pos->member.next, typeof(*pos), member), \
4853 - prefetch(pos->member.next))
4856 - * list_for_each_entry_reverse - iterate backwards over list of given type.
4857 - * @pos: the type * to use as a loop counter.
4858 - * @head: the head for your list.
4859 - * @member: the name of the list_struct within the struct.
4861 -#define list_for_each_entry_reverse(pos, head, member) \
4862 - for (pos = list_entry((head)->prev, typeof(*pos), member), \
4863 - prefetch(pos->member.prev); \
4864 - &pos->member != (head); \
4865 - pos = list_entry(pos->member.prev, typeof(*pos), member), \
4866 - prefetch(pos->member.prev))
4869 - * list_prepare_entry - prepare a pos entry for use as a start point in
4870 - * list_for_each_entry_continue
4871 - * @pos: the type * to use as a start point
4872 - * @head: the head of the list
4873 - * @member: the name of the list_struct within the struct.
4875 -#define list_prepare_entry(pos, head, member) \
4876 - ((pos) ? : list_entry(head, typeof(*pos), member))
4879 - * list_for_each_entry_continue - iterate over list of given type
4880 - * continuing after existing point
4881 - * @pos: the type * to use as a loop counter.
4882 - * @head: the head for your list.
4883 - * @member: the name of the list_struct within the struct.
4885 -#define list_for_each_entry_continue(pos, head, member) \
4886 - for (pos = list_entry(pos->member.next, typeof(*pos), member), \
4887 - prefetch(pos->member.next); \
4888 - &pos->member != (head); \
4889 - pos = list_entry(pos->member.next, typeof(*pos), member), \
4890 - prefetch(pos->member.next))
4893 - * list_for_each_entry_safe - iterate over list of given type safe against removal of list entry
4894 - * @pos: the type * to use as a loop counter.
4895 - * @n: another type * to use as temporary storage
4896 - * @head: the head for your list.
4897 - * @member: the name of the list_struct within the struct.
4899 -#define list_for_each_entry_safe(pos, n, head, member) \
4900 - for (pos = list_entry((head)->next, typeof(*pos), member), \
4901 - n = list_entry(pos->member.next, typeof(*pos), member); \
4902 - &pos->member != (head); \
4903 - pos = n, n = list_entry(n->member.next, typeof(*n), member))
4906 - * list_for_each_rcu - iterate over an rcu-protected list
4907 - * @pos: the &struct list_head to use as a loop counter.
4908 - * @head: the head for your list.
4910 - * This list-traversal primitive may safely run concurrently with
4911 - * the _rcu list-mutation primitives such as list_add_rcu()
4912 - * as long as the traversal is guarded by rcu_read_lock().
4914 -#define list_for_each_rcu(pos, head) \
4915 - for (pos = (head)->next, prefetch(pos->next); pos != (head); \
4916 - pos = pos->next, ({ smp_read_barrier_depends(); 0;}), prefetch(pos->next))
4918 -#define __list_for_each_rcu(pos, head) \
4919 - for (pos = (head)->next; pos != (head); \
4920 - pos = pos->next, ({ smp_read_barrier_depends(); 0;}))
4923 - * list_for_each_safe_rcu - iterate over an rcu-protected list safe
4924 - * against removal of list entry
4925 - * @pos: the &struct list_head to use as a loop counter.
4926 - * @n: another &struct list_head to use as temporary storage
4927 - * @head: the head for your list.
4929 - * This list-traversal primitive may safely run concurrently with
4930 - * the _rcu list-mutation primitives such as list_add_rcu()
4931 - * as long as the traversal is guarded by rcu_read_lock().
4933 -#define list_for_each_safe_rcu(pos, n, head) \
4934 - for (pos = (head)->next, n = pos->next; pos != (head); \
4935 - pos = n, ({ smp_read_barrier_depends(); 0;}), n = pos->next)
4938 - * list_for_each_entry_rcu - iterate over rcu list of given type
4939 - * @pos: the type * to use as a loop counter.
4940 - * @head: the head for your list.
4941 - * @member: the name of the list_struct within the struct.
4943 - * This list-traversal primitive may safely run concurrently with
4944 - * the _rcu list-mutation primitives such as list_add_rcu()
4945 - * as long as the traversal is guarded by rcu_read_lock().
4947 -#define list_for_each_entry_rcu(pos, head, member) \
4948 - for (pos = list_entry((head)->next, typeof(*pos), member), \
4949 - prefetch(pos->member.next); \
4950 - &pos->member != (head); \
4951 - pos = list_entry(pos->member.next, typeof(*pos), member), \
4952 - ({ smp_read_barrier_depends(); 0;}), \
4953 - prefetch(pos->member.next))
4957 - * list_for_each_continue_rcu - iterate over an rcu-protected list
4958 - * continuing after existing point.
4959 - * @pos: the &struct list_head to use as a loop counter.
4960 - * @head: the head for your list.
4962 - * This list-traversal primitive may safely run concurrently with
4963 - * the _rcu list-mutation primitives such as list_add_rcu()
4964 - * as long as the traversal is guarded by rcu_read_lock().
4966 -#define list_for_each_continue_rcu(pos, head) \
4967 - for ((pos) = (pos)->next, prefetch((pos)->next); (pos) != (head); \
4968 - (pos) = (pos)->next, ({ smp_read_barrier_depends(); 0;}), prefetch((pos)->next))
4971 - * Double linked lists with a single pointer list head.
4972 - * Mostly useful for hash tables where the two pointer list head is
4974 - * You lose the ability to access the tail in O(1).
4977 -struct hlist_head {
4978 - struct hlist_node *first;
4981 -struct hlist_node {
4982 - struct hlist_node *next, **pprev;
4985 -#define HLIST_HEAD_INIT { .first = NULL }
4986 -#define HLIST_HEAD(name) struct hlist_head name = { .first = NULL }
4987 -#define INIT_HLIST_HEAD(ptr) ((ptr)->first = NULL)
4988 -#define INIT_HLIST_NODE(ptr) ((ptr)->next = NULL, (ptr)->pprev = NULL)
4990 -static inline int hlist_unhashed(const struct hlist_node *h)
4995 -static inline int hlist_empty(const struct hlist_head *h)
5000 -static inline void __hlist_del(struct hlist_node *n)
5002 - struct hlist_node *next = n->next;
5003 - struct hlist_node **pprev = n->pprev;
5006 - next->pprev = pprev;
5009 -static inline void hlist_del(struct hlist_node *n)
5012 - n->next = LIST_POISON1;
5013 - n->pprev = LIST_POISON2;
5017 - * hlist_del_rcu - deletes entry from hash list without re-initialization
5018 - * @n: the element to delete from the hash list.
5020 - * Note: list_unhashed() on entry does not return true after this,
5021 - * the entry is in an undefined state. It is useful for RCU based
5022 - * lockfree traversal.
5024 - * In particular, it means that we can not poison the forward
5025 - * pointers that may still be used for walking the hash list.
5027 - * The caller must take whatever precautions are necessary
5028 - * (such as holding appropriate locks) to avoid racing
5029 - * with another list-mutation primitive, such as hlist_add_head_rcu()
5030 - * or hlist_del_rcu(), running on this same list.
5031 - * However, it is perfectly legal to run concurrently with
5032 - * the _rcu list-traversal primitives, such as
5033 - * hlist_for_each_entry().
5035 -static inline void hlist_del_rcu(struct hlist_node *n)
5038 - n->pprev = LIST_POISON2;
5041 -static inline void hlist_del_init(struct hlist_node *n)
5045 - INIT_HLIST_NODE(n);
5049 -#define hlist_del_rcu_init hlist_del_init
5051 -static inline void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
5053 - struct hlist_node *first = h->first;
5056 - first->pprev = &n->next;
5058 - n->pprev = &h->first;
5063 - * hlist_add_head_rcu - adds the specified element to the specified hlist,
5064 - * while permitting racing traversals.
5065 - * @n: the element to add to the hash list.
5066 - * @h: the list to add to.
5068 - * The caller must take whatever precautions are necessary
5069 - * (such as holding appropriate locks) to avoid racing
5070 - * with another list-mutation primitive, such as hlist_add_head_rcu()
5071 - * or hlist_del_rcu(), running on this same list.
5072 - * However, it is perfectly legal to run concurrently with
5073 - * the _rcu list-traversal primitives, such as
5074 - * hlist_for_each_entry(), but only if smp_read_barrier_depends()
5075 - * is used to prevent memory-consistency problems on Alpha CPUs.
5076 - * Regardless of the type of CPU, the list-traversal primitive
5077 - * must be guarded by rcu_read_lock().
5079 - * OK, so why don't we have an hlist_for_each_entry_rcu()???
5081 -static inline void hlist_add_head_rcu(struct hlist_node *n,
5082 - struct hlist_head *h)
5084 - struct hlist_node *first = h->first;
5086 - n->pprev = &h->first;
5089 - first->pprev = &n->next;
5093 -/* next must be != NULL */
5094 -static inline void hlist_add_before(struct hlist_node *n,
5095 - struct hlist_node *next)
5097 - n->pprev = next->pprev;
5099 - next->pprev = &n->next;
5103 -static inline void hlist_add_after(struct hlist_node *n,
5104 - struct hlist_node *next)
5106 - next->next = n->next;
5108 - next->pprev = &n->next;
5111 - next->next->pprev = &next->next;
5114 -#define hlist_entry(ptr, type, member) container_of(ptr,type,member)
5116 -#define hlist_for_each(pos, head) \
5117 - for (pos = (head)->first; pos && ({ prefetch(pos->next); 1; }); \
5120 -#define hlist_for_each_safe(pos, n, head) \
5121 - for (pos = (head)->first; pos && ({ n = pos->next; 1; }); \
5125 - * hlist_for_each_entry - iterate over list of given type
5126 - * @tpos: the type * to use as a loop counter.
5127 - * @pos: the &struct hlist_node to use as a loop counter.
5128 - * @head: the head for your list.
5129 - * @member: the name of the hlist_node within the struct.
5131 -#define hlist_for_each_entry(tpos, pos, head, member) \
5132 - for (pos = (head)->first; \
5133 - pos && ({ prefetch(pos->next); 1;}) && \
5134 - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \
5138 - * hlist_for_each_entry_continue - iterate over a hlist continuing after existing point
5139 - * @tpos: the type * to use as a loop counter.
5140 - * @pos: the &struct hlist_node to use as a loop counter.
5141 - * @member: the name of the hlist_node within the struct.
5143 -#define hlist_for_each_entry_continue(tpos, pos, member) \
5144 - for (pos = (pos)->next; \
5145 - pos && ({ prefetch(pos->next); 1;}) && \
5146 - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \
5150 - * hlist_for_each_entry_from - iterate over a hlist continuing from existing point
5151 - * @tpos: the type * to use as a loop counter.
5152 - * @pos: the &struct hlist_node to use as a loop counter.
5153 - * @member: the name of the hlist_node within the struct.
5155 -#define hlist_for_each_entry_from(tpos, pos, member) \
5156 - for (; pos && ({ prefetch(pos->next); 1;}) && \
5157 - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \
5161 - * hlist_for_each_entry_safe - iterate over list of given type safe against removal of list entry
5162 - * @tpos: the type * to use as a loop counter.
5163 - * @pos: the &struct hlist_node to use as a loop counter.
5164 - * @n: another &struct hlist_node to use as temporary storage
5165 - * @head: the head for your list.
5166 - * @member: the name of the hlist_node within the struct.
5168 -#define hlist_for_each_entry_safe(tpos, pos, n, head, member) \
5169 - for (pos = (head)->first; \
5170 - pos && ({ n = pos->next; 1; }) && \
5171 - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \
5175 - * hlist_for_each_entry_rcu - iterate over rcu list of given type
5176 - * @pos: the type * to use as a loop counter.
5177 - * @pos: the &struct hlist_node to use as a loop counter.
5178 - * @head: the head for your list.
5179 - * @member: the name of the hlist_node within the struct.
5181 - * This list-traversal primitive may safely run concurrently with
5182 - * the _rcu list-mutation primitives such as hlist_add_rcu()
5183 - * as long as the traversal is guarded by rcu_read_lock().
5185 -#define hlist_for_each_entry_rcu(tpos, pos, head, member) \
5186 - for (pos = (head)->first; \
5187 - pos && ({ prefetch(pos->next); 1;}) && \
5188 - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \
5189 - pos = pos->next, ({ smp_read_barrier_depends(); 0; }) )
5192 diff --git a/src/owniptc/xtables.h b/src/owniptc/xtables.h
5193 deleted file mode 100644
5194 index 47e47dc..0000000
5195 --- a/src/owniptc/xtables.h
5199 - * This file was imported from the iptables sources.
5200 - * Copyright (C) 1999-2008 Netfilter Core Team
5202 - * This program is free software; you can redistribute it and/or modify it
5203 - * under the terms of the GNU General Public License as published by the
5204 - * Free Software Foundation; only version 2 of the License is applicable.
5206 - * This program is distributed in the hope that it will be useful, but
5207 - * WITHOUT ANY WARRANTY; without even the implied warranty of
5208 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5209 - * General Public License for more details.
5211 - * You should have received a copy of the GNU General Public License along
5212 - * with this program; if not, write to the Free Software Foundation, Inc.,
5213 - * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
5219 -#include <sys/types.h>
5220 -#include <linux/types.h>
5221 -#include <linux/netfilter/x_tables.h>
5222 -#include "libxtc.h"
5223 -#include <stdbool.h>
5225 -#ifndef IPPROTO_SCTP
5226 -#define IPPROTO_SCTP 132
5228 -#ifndef IPPROTO_DCCP
5229 -#define IPPROTO_DCCP 33
5231 -#ifndef IPPROTO_UDPLITE
5232 -#define IPPROTO_UDPLITE 136
5235 -#define XTABLES_VERSION "1.4.1.1"
5236 -#define XTABLES_VERSION_CODE (0x10000 * 1 + 0x100 * 4 + 1)
5238 -#define XTABLES_API_VERSION(x,y,z) (0x10000*(x) + 0x100*(y) + z)
5240 -/* Include file for additions: new matches and targets. */
5241 -struct xtables_match
5243 - struct xtables_match *next;
5245 - xt_chainlabel name;
5247 - /* Revision of match (0 by default). */
5248 - u_int8_t revision;
5252 - const char *version;
5254 - /* Size of match data. */
5257 - /* Size of match data relevent for userspace comparison purposes */
5258 - size_t userspacesize;
5260 - /* Function which prints out usage message. */
5261 - void (*help)(void);
5263 - /* Initialize the match. */
5264 - void (*init)(struct xt_entry_match *m);
5266 - /* Function which parses command options; returns true if it
5268 - /* entry is struct ipt_entry for example */
5269 - int (*parse)(int c, char **argv, int invert, unsigned int *flags,
5270 - const void *entry,
5271 - struct xt_entry_match **match);
5273 - /* Final check; exit if not ok. */
5274 - void (*final_check)(unsigned int flags);
5276 - /* Prints out the match iff non-NULL: put space at end */
5277 - /* ip is struct ipt_ip * for example */
5278 - void (*print)(const void *ip,
5279 - const struct xt_entry_match *match, int numeric);
5281 - /* Saves the match info in parsable form to stdout. */
5282 - /* ip is struct ipt_ip * for example */
5283 - void (*save)(const void *ip, const struct xt_entry_match *match);
5285 - /* Pointer to list of extra command-line options */
5286 - const struct option *extra_opts;
5288 - /* Ignore these men behind the curtain: */
5289 - unsigned int option_offset;
5290 - struct xt_entry_match *m;
5291 - unsigned int mflags;
5292 -#ifdef NO_SHARED_LIBS
5293 - unsigned int loaded; /* simulate loading so options are merged properly */
5297 -struct xtables_target
5299 - struct xtables_target *next;
5301 - xt_chainlabel name;
5303 - /* Revision of target (0 by default). */
5304 - u_int8_t revision;
5308 - const char *version;
5310 - /* Size of target data. */
5313 - /* Size of target data relevent for userspace comparison purposes */
5314 - size_t userspacesize;
5316 - /* Function which prints out usage message. */
5317 - void (*help)(void);
5319 - /* Initialize the target. */
5320 - void (*init)(struct xt_entry_target *t);
5322 - /* Function which parses command options; returns true if it
5324 - /* entry is struct ipt_entry for example */
5325 - int (*parse)(int c, char **argv, int invert, unsigned int *flags,
5326 - const void *entry,
5327 - struct xt_entry_target **targetinfo);
5329 - /* Final check; exit if not ok. */
5330 - void (*final_check)(unsigned int flags);
5332 - /* Prints out the target iff non-NULL: put space at end */
5333 - void (*print)(const void *ip,
5334 - const struct xt_entry_target *target, int numeric);
5336 - /* Saves the targinfo in parsable form to stdout. */
5337 - void (*save)(const void *ip,
5338 - const struct xt_entry_target *target);
5340 - /* Pointer to list of extra command-line options */
5341 - const struct option *extra_opts;
5343 - /* Ignore these men behind the curtain: */
5344 - unsigned int option_offset;
5345 - struct xt_entry_target *t;
5346 - unsigned int tflags;
5347 - unsigned int used;
5348 -#ifdef NO_SHARED_LIBS
5349 - unsigned int loaded; /* simulate loading so options are merged properly */
5353 -/* Your shared library should call one of these. */
5354 -extern void xtables_register_match(struct xtables_match *me);
5355 -extern void xtables_register_target(struct xtables_target *me);
5357 -extern int string_to_number_ll(const char *s,
5358 - unsigned long long min,
5359 - unsigned long long max,
5360 - unsigned long long *ret);
5361 -extern int string_to_number_l(const char *s,
5362 - unsigned long min,
5363 - unsigned long max,
5364 - unsigned long *ret);
5365 -extern int string_to_number(const char *s,
5368 - unsigned int *ret);
5369 -extern bool strtonuml(const char *, char **, unsigned long *,
5370 - unsigned long, unsigned long);
5371 -extern bool strtonum(const char *, char **, unsigned int *,
5372 - unsigned int, unsigned int);
5373 -extern int service_to_port(const char *name, const char *proto);
5374 -extern u_int16_t parse_port(const char *port, const char *proto);
5376 -parse_interface(const char *arg, char *vianame, unsigned char *mask);
5379 - OTHER_PROBLEM = 1,
5380 - PARAMETER_PROBLEM,
5389 -/* this is a special 64bit data type that is 8-byte aligned */
5390 -#define aligned_u64 u_int64_t __attribute__((aligned(8)))
5392 -int check_inverse(const char option[], int *invert, int *my_optind, int argc);
5393 -void exit_error(enum exittype, const char *, ...)__attribute__((noreturn,
5394 - format(printf,2,3)));
5395 -extern void param_act(unsigned int, const char *, ...);
5396 -extern const char *program_name, *program_version;
5398 -extern const char *ipaddr_to_numeric(const struct in_addr *);
5399 -extern const char *ipaddr_to_anyname(const struct in_addr *);
5400 -extern const char *ipmask_to_numeric(const struct in_addr *);
5401 -extern struct in_addr *numeric_to_ipaddr(const char *);
5402 -extern struct in_addr *numeric_to_ipmask(const char *);
5403 -extern void ipparse_hostnetworkmask(const char *, struct in_addr **,
5404 - struct in_addr *, unsigned int *);
5406 -extern struct in6_addr *numeric_to_ip6addr(const char *);
5407 -extern const char *ip6addr_to_numeric(const struct in6_addr *);
5408 -extern const char *ip6addr_to_anyname(const struct in6_addr *);
5409 -extern const char *ip6mask_to_numeric(const struct in6_addr *);
5410 -extern void ip6parse_hostnetworkmask(const char *, struct in6_addr **,
5411 - struct in6_addr *, unsigned int *);
5414 - * Print the specified value to standard output, quoting dangerous
5415 - * characters if required.
5417 -extern void save_string(const char *value);
5419 -#ifdef NO_SHARED_LIBS
5422 -# define _init _INIT
5424 - extern void init_extensions(void);
5426 -# define _init __attribute__((constructor)) _INIT
5429 -/* Present in both iptables.c and ip6tables.c */
5430 -extern u_int16_t parse_protocol(const char *s);
5432 -#ifdef XTABLES_INTERNAL
5433 -# include <xtables/internal.h>
5436 -#endif /* _XTABLES_H */
5437 commit 698837f250f754e93cfec3fcd7461f272c91f6f5
5438 Author: Sebastian Harl <sh@tokkee.org>
5439 Date: Thu Jun 16 11:11:40 2011 +0200
5441 configure: Removed last traces of 'owniptc'.
5443 E.g., autoconf still tried to generated src/owniptc/Makefile in AC_OUTPUT(),
5444 which obviously fails if owniptc is no longer there.
5446 diff --git a/configure.in b/configure.in
5447 index 8043d9a..f240466 100644
5450 @@ -1807,13 +1807,8 @@ if test "x$with_libiptc" = "xyes"
5452 AC_CHECK_TYPES([iptc_handle_t, ip6tc_handle_t], [], [],
5455 -# include "$srcdir/src/owniptc/libiptc.h"
5456 -# include "$srcdir/src/owniptc/libip6tc.h"
5458 -# include <libiptc/libiptc.h>
5459 -# include <libiptc/libip6tc.h>
5461 +#include <libiptc/libiptc.h>
5462 +#include <libiptc/libip6tc.h>
5465 # Check for the iptc_init symbol in the library.
5466 @@ -4813,7 +4808,7 @@ AC_SUBST(LCC_VERSION_STRING)
5468 AC_CONFIG_FILES(src/libcollectdclient/lcc_features.h)
5470 -AC_OUTPUT(Makefile src/Makefile src/collectd.conf src/owniptc/Makefile src/libcollectdclient/Makefile src/libcollectdclient/libcollectdclient.pc src/liboconfig/Makefile bindings/Makefile bindings/java/Makefile)
5471 +AC_OUTPUT(Makefile src/Makefile src/collectd.conf src/libcollectdclient/Makefile src/libcollectdclient/libcollectdclient.pc src/liboconfig/Makefile bindings/Makefile bindings/java/Makefile)
5473 if test "x$with_librrd" = "xyes" \
5474 && test "x$librrd_threadsafe" != "xyes"