2 * libebtc.c, January 2004
4 * Contains the functions with which to make a table in userspace.
6 * Author: Bart De Schuymer
8 * This code is stongly inspired on the iptables code which is
9 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License as
13 * published by the Free Software Foundation; either version 2 of the
14 * License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful, but
17 * WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 * General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
30 #include "include/ebtables_u.h"
31 #include "include/ethernetdb.h"
36 #include <sys/types.h>
39 static void decrease_chain_jumps(struct ebt_u_replace *replace);
40 static int iterate_entries(struct ebt_u_replace *replace, int type);
42 /* The standard names */
43 const char *ebt_hooknames[NF_BR_NUMHOOKS] =
45 [NF_BR_PRE_ROUTING]"PREROUTING",
46 [NF_BR_LOCAL_IN]"INPUT",
47 [NF_BR_FORWARD]"FORWARD",
48 [NF_BR_LOCAL_OUT]"OUTPUT",
49 [NF_BR_POST_ROUTING]"POSTROUTING",
50 [NF_BR_BROUTING]"BROUTING"
53 /* The four target names */
54 const char* ebt_standard_targets[NUM_STANDARD_TARGETS] =
62 /* The lists of supported tables, matches, watchers and targets */
63 struct ebt_u_table *ebt_tables;
64 struct ebt_u_match *ebt_matches;
65 struct ebt_u_watcher *ebt_watchers;
66 struct ebt_u_target *ebt_targets;
68 /* Find the right structure belonging to a name */
69 struct ebt_u_target *ebt_find_target(const char *name)
71 struct ebt_u_target *t = ebt_targets;
73 while (t && strcmp(t->name, name))
78 struct ebt_u_match *ebt_find_match(const char *name)
80 struct ebt_u_match *m = ebt_matches;
82 while (m && strcmp(m->name, name))
87 struct ebt_u_watcher *ebt_find_watcher(const char *name)
89 struct ebt_u_watcher *w = ebt_watchers;
91 while (w && strcmp(w->name, name))
96 struct ebt_u_table *ebt_find_table(const char *name)
98 struct ebt_u_table *t = ebt_tables;
100 while (t && strcmp(t->name, name))
105 /* Prints all registered extensions */
106 void ebt_list_extensions()
108 struct ebt_u_table *tbl = ebt_tables;
109 struct ebt_u_target *t = ebt_targets;
110 struct ebt_u_match *m = ebt_matches;
111 struct ebt_u_watcher *w = ebt_watchers;
114 printf("Loaded userspace extensions:\n\nLoaded tables:\n");
116 printf("%s\n", tbl->name);
119 printf("\nLoaded targets:\n");
121 printf("%s\n", t->name);
124 printf("\nLoaded matches:\n");
126 printf("%s\n", m->name);
129 printf("\nLoaded watchers:\n");
131 printf("%s\n", w->name);
137 #define LOCKDIR "/var/lib/ebtables"
138 #define LOCKFILE LOCKDIR"/lock"
140 static int lockfd = -1, locked;
142 /* Returns 0 on success, -1 when the file is locked by another process
143 * or -2 on any other error. */
144 static int lock_file()
151 /* the SIGINT handler will call unlock_file. To make sure the state
152 * of the variable locked is correct, we need to temporarily mask the
153 * SIGINT interrupt. */
154 sigemptyset(&sigset);
155 sigaddset(&sigset, SIGINT);
156 sigprocmask(SIG_BLOCK, &sigset, NULL);
157 lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600);
164 if (mkdir(LOCKDIR, 00700))
175 sigprocmask(SIG_UNBLOCK, &sigset, NULL);
187 void __attribute__ ((destructor)) onexit()
192 /* Get the table from the kernel or from a binary file
193 * init: 1 = ask the kernel for the initial contents of a table, i.e. the
194 * way it looks when the table is insmod'ed
195 * 0 = get the current data in the table */
196 int ebt_get_kernel_table(struct ebt_u_replace *replace, int init)
200 if (!ebt_find_table(replace->name)) {
201 ebt_print_error("Bad table name '%s'", replace->name);
204 while (use_lockfd && (ret = lock_file())) {
206 /* if we get an error we can't handle, we exit. This
207 * doesn't break backwards compatibility since using
208 * this file locking is disabled by default. */
209 ebt_print_error2("Unable to create lock file "LOCKFILE);
211 fprintf(stderr, "Trying to obtain lock %s\n", LOCKFILE);
214 /* Get the kernel's information */
215 if (ebt_get_table(replace, init)) {
216 if (ebt_errormsg[0] != '\0')
218 ebtables_insmod("ebtables");
219 if (ebt_get_table(replace, init)) {
220 ebt_print_error("The kernel doesn't support the ebtables '%s' table", replace->name);
227 /* Put sane values into a new entry */
228 void ebt_initialize_entry(struct ebt_u_entry *e)
230 e->bitmask = EBT_NOPROTO;
235 strcpy(e->logical_in, "");
236 strcpy(e->logical_out, "");
239 e->t = (struct ebt_entry_target *)ebt_find_target(EBT_STANDARD_TARGET);
240 ebt_find_target(EBT_STANDARD_TARGET)->used = 1;
241 e->cnt.pcnt = e->cnt.bcnt = e->cnt_surplus.pcnt = e->cnt_surplus.bcnt = 0;
244 ebt_print_bug("Couldn't load standard target");
245 ((struct ebt_standard_target *)((struct ebt_u_target *)e->t)->t)->verdict = EBT_CONTINUE;
248 /* Free up the memory of the table held in userspace, *replace can be reused */
249 void ebt_cleanup_replace(struct ebt_u_replace *replace)
252 struct ebt_u_entries *entries;
253 struct ebt_cntchanges *cc1, *cc2;
254 struct ebt_u_entry *u_e1, *u_e2;
256 replace->name[0] = '\0';
257 replace->valid_hooks = 0;
258 replace->nentries = 0;
259 replace->num_counters = 0;
261 replace->command = 0;
262 replace->selected_chain = -1;
263 free(replace->filename);
264 replace->filename = NULL;
265 free(replace->counters);
266 replace->counters = NULL;
268 for (i = 0; i < replace->num_chains; i++) {
269 if (!(entries = replace->chains[i]))
271 u_e1 = entries->entries->next;
272 while (u_e1 != entries->entries) {
273 ebt_free_u_entry(u_e1);
278 free(entries->entries);
280 replace->chains[i] = NULL;
282 cc1 = replace->cc->next;
283 while (cc1 != replace->cc) {
288 replace->cc->next = replace->cc->prev = replace->cc;
291 /* Should be called, e.g., between 2 rule adds */
292 void ebt_reinit_extensions()
294 struct ebt_u_match *m;
295 struct ebt_u_watcher *w;
296 struct ebt_u_target *t;
299 /* The init functions should determine by themselves whether they are
300 * called for the first time or not (when necessary). */
301 for (m = ebt_matches; m; m = m->next) {
303 size = EBT_ALIGN(m->size) + sizeof(struct ebt_entry_match);
304 m->m = (struct ebt_entry_match *)malloc(size);
307 strcpy(m->m->u.name, m->name);
308 m->m->match_size = EBT_ALIGN(m->size);
311 m->flags = 0; /* An error can occur before used is set, while flags is changed. */
314 for (w = ebt_watchers; w; w = w->next) {
316 size = EBT_ALIGN(w->size) + sizeof(struct ebt_entry_watcher);
317 w->w = (struct ebt_entry_watcher *)malloc(size);
320 strcpy(w->w->u.name, w->name);
321 w->w->watcher_size = EBT_ALIGN(w->size);
327 for (t = ebt_targets; t; t = t->next) {
329 size = EBT_ALIGN(t->size) + sizeof(struct ebt_entry_target);
330 t->t = (struct ebt_entry_target *)malloc(size);
333 strcpy(t->t->u.name, t->name);
334 t->t->target_size = EBT_ALIGN(t->size);
342 /* This doesn't free e, because the calling function might need e->next */
343 void ebt_free_u_entry(struct ebt_u_entry *e)
345 struct ebt_u_match_list *m_l, *m_l2;
346 struct ebt_u_watcher_list *w_l, *w_l2;
365 static char *get_modprobe(void)
370 procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
376 if (read(procfile, ret, 1024) == -1)
378 /* The kernel adds a '\n' */
380 *strchr(ret, '\n') = '\0';
391 /* Try to load the kernel module, analogous to ip_tables.c */
392 int ebtables_insmod(const char *modname)
397 /* If they don't explicitly set it, read out of /proc */
399 buf = get_modprobe();
402 ebt_modprobe = buf; /* Keep the value for possible later use */
407 argv[0] = (char *)ebt_modprobe;
408 argv[1] = (char *)modname;
410 execv(argv[0], argv);
412 /* Not usually reached */
417 default: /* Parent */
424 /* Parse the chain name and return a pointer to the chain base.
425 * Returns NULL on failure. */
426 struct ebt_u_entries *ebt_name_to_chain(const struct ebt_u_replace *replace, const char* arg)
429 struct ebt_u_entries *chain;
431 for (i = 0; i < replace->num_chains; i++) {
432 if (!(chain = replace->chains[i]))
434 if (!strcmp(arg, chain->name))
440 /* Parse the chain name and return the corresponding chain nr
441 * returns -1 on failure */
442 int ebt_get_chainnr(const struct ebt_u_replace *replace, const char* arg)
446 for (i = 0; i < replace->num_chains; i++) {
447 if (!replace->chains[i])
449 if (!strcmp(arg, replace->chains[i]->name))
463 /* Change the policy of selected_chain.
464 * Handing a bad policy to this function is a bug. */
465 void ebt_change_policy(struct ebt_u_replace *replace, int policy)
467 struct ebt_u_entries *entries = ebt_to_chain(replace);
469 if (policy < -NUM_STANDARD_TARGETS || policy == EBT_CONTINUE)
470 ebt_print_bug("Wrong policy: %d", policy);
471 entries->policy = policy;
474 void ebt_delete_cc(struct ebt_cntchanges *cc)
476 if (cc->type == CNT_ADD) {
477 cc->prev->next = cc->next;
478 cc->next->prev = cc->prev;
484 void ebt_empty_chain(struct ebt_u_entries *entries)
486 struct ebt_u_entry *u_e = entries->entries->next, *tmp;
487 while (u_e != entries->entries) {
488 ebt_delete_cc(u_e->cc);
489 ebt_free_u_entry(u_e);
494 entries->entries->next = entries->entries->prev = entries->entries;
495 entries->nentries = 0;
498 /* Flush one chain or the complete table
499 * If selected_chain == -1 then flush the complete table */
500 void ebt_flush_chains(struct ebt_u_replace *replace)
503 struct ebt_u_entries *entries = ebt_to_chain(replace);
505 /* Flush whole table */
507 if (replace->nentries == 0)
509 replace->nentries = 0;
511 /* Free everything and zero (n)entries */
512 for (i = 0; i < replace->num_chains; i++) {
513 if (!(entries = replace->chains[i]))
515 entries->counter_offset = 0;
516 ebt_empty_chain(entries);
521 if (entries->nentries == 0)
523 replace->nentries -= entries->nentries;
524 numdel = entries->nentries;
526 /* Update counter_offset */
527 for (i = replace->selected_chain+1; i < replace->num_chains; i++) {
528 if (!(entries = replace->chains[i]))
530 entries->counter_offset -= numdel;
533 entries = ebt_to_chain(replace);
534 ebt_empty_chain(entries);
537 #define OPT_COUNT 0x1000 /* This value is also defined in ebtables.c */
538 /* Returns the rule number on success (starting from 0), -1 on failure
540 * This function expects the ebt_{match,watcher,target} members of new_entry
541 * to contain pointers to ebt_u_{match,watcher,target} */
542 int ebt_check_rule_exists(struct ebt_u_replace *replace,
543 struct ebt_u_entry *new_entry)
545 struct ebt_u_entry *u_e;
546 struct ebt_u_match_list *m_l, *m_l2;
547 struct ebt_u_match *m;
548 struct ebt_u_watcher_list *w_l, *w_l2;
549 struct ebt_u_watcher *w;
550 struct ebt_u_target *t = (struct ebt_u_target *)new_entry->t;
551 struct ebt_u_entries *entries = ebt_to_chain(replace);
554 u_e = entries->entries->next;
555 /* Check for an existing rule (if there are duplicate rules,
556 * take the first occurance) */
557 for (i = 0; i < entries->nentries; i++, u_e = u_e->next) {
558 if (u_e->ethproto != new_entry->ethproto)
560 if (strcmp(u_e->in, new_entry->in))
562 if (strcmp(u_e->out, new_entry->out))
564 if (strcmp(u_e->logical_in, new_entry->logical_in))
566 if (strcmp(u_e->logical_out, new_entry->logical_out))
568 if (new_entry->bitmask & EBT_SOURCEMAC &&
569 memcmp(u_e->sourcemac, new_entry->sourcemac, ETH_ALEN))
571 if (new_entry->bitmask & EBT_DESTMAC &&
572 memcmp(u_e->destmac, new_entry->destmac, ETH_ALEN))
574 if (new_entry->bitmask != u_e->bitmask ||
575 new_entry->invflags != u_e->invflags)
577 if (replace->flags & OPT_COUNT && (new_entry->cnt.pcnt !=
578 u_e->cnt.pcnt || new_entry->cnt.bcnt != u_e->cnt.bcnt))
580 /* Compare all matches */
581 m_l = new_entry->m_list;
584 m = (struct ebt_u_match *)(m_l->m);
586 while (m_l2 && strcmp(m_l2->m->u.name, m->m->u.name))
588 if (!m_l2 || !m->compare(m->m, m_l2->m))
593 /* Now be sure they have the same nr of matches */
603 /* Compare all watchers */
604 w_l = new_entry->w_list;
607 w = (struct ebt_u_watcher *)(w_l->w);
609 while (w_l2 && strcmp(w_l2->w->u.name, w->w->u.name))
611 if (!w_l2 || !w->compare(w->w, w_l2->w))
624 if (strcmp(t->t->u.name, u_e->t->u.name))
626 if (!t->compare(t->t, u_e->t))
634 /* Add a rule, rule_nr is the rule to update
635 * rule_nr specifies where the rule should be inserted
636 * rule_nr > 0 : insert the rule right before the rule_nr'th rule
637 * (the first rule is rule 1)
638 * rule_nr < 0 : insert the rule right before the (n+rule_nr+1)'th rule,
639 * where n denotes the number of rules in the chain
640 * rule_nr == 0: add a new rule at the end of the chain
642 * This function expects the ebt_{match,watcher,target} members of new_entry
643 * to contain pointers to ebt_u_{match,watcher,target} and updates these
644 * pointers so that they point to ebt_{match,watcher,target}, before adding
645 * the rule to the chain. Don't free() the ebt_{match,watcher,target} and
646 * don't reuse the new_entry after a successful call to ebt_add_rule() */
647 void ebt_add_rule(struct ebt_u_replace *replace, struct ebt_u_entry *new_entry, int rule_nr)
650 struct ebt_u_entry *u_e;
651 struct ebt_u_match_list *m_l;
652 struct ebt_u_watcher_list *w_l;
653 struct ebt_u_entries *entries = ebt_to_chain(replace);
654 struct ebt_cntchanges *cc, *new_cc;
657 rule_nr += entries->nentries;
660 if (rule_nr > entries->nentries || rule_nr < 0) {
661 ebt_print_error("The specified rule number is incorrect");
664 /* Go to the right position in the chain */
665 if (rule_nr == entries->nentries)
666 u_e = entries->entries;
668 u_e = entries->entries->next;
669 for (i = 0; i < rule_nr; i++)
672 /* We're adding one rule */
675 /* Insert the rule */
676 new_entry->next = u_e;
677 new_entry->prev = u_e->prev;
678 u_e->prev->next = new_entry;
679 u_e->prev = new_entry;
680 new_cc = (struct ebt_cntchanges *)malloc(sizeof(struct ebt_cntchanges));
683 new_cc->type = CNT_ADD;
685 if (new_entry->next == entries->entries) {
686 for (i = replace->selected_chain+1; i < replace->num_chains; i++)
687 if (!replace->chains[i] || replace->chains[i]->nentries == 0)
691 if (i == replace->num_chains)
694 cc = replace->chains[i]->entries->next->cc;
696 cc = new_entry->next->cc;
698 new_cc->prev = cc->prev;
699 cc->prev->next = new_cc;
701 new_entry->cc = new_cc;
703 /* Put the ebt_{match, watcher, target} pointers in place */
704 m_l = new_entry->m_list;
706 m_l->m = ((struct ebt_u_match *)m_l->m)->m;
709 w_l = new_entry->w_list;
711 w_l->w = ((struct ebt_u_watcher *)w_l->w)->w;
714 new_entry->t = ((struct ebt_u_target *)new_entry->t)->t;
715 /* Update the counter_offset of chains behind this one */
716 for (i = replace->selected_chain+1; i < replace->num_chains; i++) {
717 entries = replace->chains[i];
718 if (!(entries = replace->chains[i]))
720 entries->counter_offset++;
724 /* If *begin==*end==0 then find the rule corresponding to new_entry,
725 * else make the rule numbers positive (starting from 0) and check
726 * for bad rule numbers. */
727 static int check_and_change_rule_number(struct ebt_u_replace *replace,
728 struct ebt_u_entry *new_entry, int *begin, int *end)
730 struct ebt_u_entries *entries = ebt_to_chain(replace);
733 *begin += entries->nentries + 1;
735 *end += entries->nentries + 1;
737 if (*begin < 0 || *begin > *end || *end > entries->nentries) {
738 ebt_print_error("Sorry, wrong rule numbers");
742 if ((*begin * *end == 0) && (*begin + *end != 0))
743 ebt_print_bug("begin and end should be either both zero, "
744 "either both non-zero");
749 *begin = ebt_check_rule_exists(replace, new_entry);
752 ebt_print_error("Sorry, rule does not exist");
759 /* Delete a rule or rules
760 * begin == end == 0: delete the rule corresponding to new_entry
762 * The first rule has rule nr 1, the last rule has rule nr -1, etc.
763 * This function expects the ebt_{match,watcher,target} members of new_entry
764 * to contain pointers to ebt_u_{match,watcher,target}. */
765 void ebt_delete_rule(struct ebt_u_replace *replace,
766 struct ebt_u_entry *new_entry, int begin, int end)
769 struct ebt_u_entry *u_e, *u_e2, *u_e3;
770 struct ebt_u_entries *entries = ebt_to_chain(replace);
772 if (check_and_change_rule_number(replace, new_entry, &begin, &end))
774 /* We're deleting rules */
775 nr_deletes = end - begin + 1;
776 replace->nentries -= nr_deletes;
777 entries->nentries -= nr_deletes;
778 /* Go to the right position in the chain */
779 u_e = entries->entries->next;
780 for (i = 0; i < begin; i++)
783 /* Remove the rules */
784 for (i = 0; i < nr_deletes; i++) {
786 ebt_delete_cc(u_e2->cc);
788 /* Free everything */
789 ebt_free_u_entry(u_e2);
794 /* Update the counter_offset of chains behind this one */
795 for (i = replace->selected_chain+1; i < replace->num_chains; i++) {
796 if (!(entries = replace->chains[i]))
798 entries->counter_offset -= nr_deletes;
802 /* Change the counters of a rule or rules
803 * begin == end == 0: change counters of the rule corresponding to new_entry
805 * The first rule has rule nr 1, the last rule has rule nr -1, etc.
806 * This function expects the ebt_{match,watcher,target} members of new_entry
807 * to contain pointers to ebt_u_{match,watcher,target}.
808 * The mask denotes the following:
809 * pcnt: mask % 3 = 0 : change; = 1: increment; = 2: decrement
810 * bcnt: mask / 3 = 0 : change; = 1: increment = 2: increment
811 * In daemon mode, mask==0 must hold */
812 void ebt_change_counters(struct ebt_u_replace *replace,
813 struct ebt_u_entry *new_entry, int begin, int end,
814 struct ebt_counter *cnt, int mask)
817 struct ebt_u_entry *u_e;
818 struct ebt_u_entries *entries = ebt_to_chain(replace);
820 if (check_and_change_rule_number(replace, new_entry, &begin, &end))
822 u_e = entries->entries->next;
823 for (i = 0; i < begin; i++)
825 for (i = end-begin+1; i > 0; i--) {
827 u_e->cnt.pcnt = (*cnt).pcnt;
828 u_e->cnt_surplus.pcnt = 0;
831 if (u_e->cc->type != CNT_NORM)
832 ebt_print_bug("cc->type != CNT_NORM");
834 u_e->cnt_surplus.pcnt = (*cnt).pcnt;
838 u_e->cnt.bcnt = (*cnt).bcnt;
839 u_e->cnt_surplus.bcnt = 0;
842 if (u_e->cc->type != CNT_NORM)
843 ebt_print_bug("cc->type != CNT_NORM");
845 u_e->cnt_surplus.bcnt = (*cnt).bcnt;
847 if (u_e->cc->type != CNT_ADD)
848 u_e->cc->type = CNT_CHANGE;
849 u_e->cc->change = mask;
854 /* If selected_chain == -1 then zero all counters,
855 * otherwise, zero the counters of selected_chain */
856 void ebt_zero_counters(struct ebt_u_replace *replace)
858 struct ebt_u_entries *entries = ebt_to_chain(replace);
859 struct ebt_u_entry *next;
863 for (i = 0; i < replace->num_chains; i++) {
864 if (!(entries = replace->chains[i]))
866 next = entries->entries->next;
867 while (next != entries->entries) {
868 if (next->cc->type == CNT_NORM)
869 next->cc->type = CNT_CHANGE;
870 next->cnt.bcnt = next->cnt.pcnt = 0;
871 next->cc->change = 0;
876 if (entries->nentries == 0)
879 next = entries->entries->next;
880 while (next != entries->entries) {
881 if (next->cc->type == CNT_NORM)
882 next->cc->type = CNT_CHANGE;
883 next->cnt.bcnt = next->cnt.pcnt = 0;
889 /* Add a new chain and specify its policy */
890 void ebt_new_chain(struct ebt_u_replace *replace, const char *name, int policy)
892 struct ebt_u_entries *new;
894 if (replace->num_chains == replace->max_chains)
895 ebt_double_chains(replace);
896 new = (struct ebt_u_entries *)malloc(sizeof(struct ebt_u_entries));
899 replace->chains[replace->num_chains++] = new;
901 new->policy = policy;
902 new->counter_offset = replace->nentries;
904 strcpy(new->name, name);
905 new->entries = (struct ebt_u_entry *)malloc(sizeof(struct ebt_u_entry));
908 new->entries->next = new->entries->prev = new->entries;
909 new->kernel_start = NULL;
912 /* returns -1 if the chain is referenced, 0 on success */
913 static int ebt_delete_a_chain(struct ebt_u_replace *replace, int chain, int print_err)
915 int tmp = replace->selected_chain;
916 /* If the chain is referenced, don't delete it,
917 * also decrement jumps to a chain behind the
918 * one we're deleting */
919 replace->selected_chain = chain;
920 if (ebt_check_for_references(replace, print_err))
922 decrease_chain_jumps(replace);
923 ebt_flush_chains(replace);
924 replace->selected_chain = tmp;
925 free(replace->chains[chain]->entries);
926 free(replace->chains[chain]);
927 memmove(replace->chains+chain, replace->chains+chain+1, (replace->num_chains-chain-1)*sizeof(void *));
928 replace->num_chains--;
932 /* Selected_chain == -1: delete all non-referenced udc
933 * selected_chain < NF_BR_NUMHOOKS is illegal */
934 void ebt_delete_chain(struct ebt_u_replace *replace)
936 if (replace->selected_chain != -1 && replace->selected_chain < NF_BR_NUMHOOKS)
937 ebt_print_bug("You can't remove a standard chain");
938 if (replace->selected_chain == -1) {
939 int i = NF_BR_NUMHOOKS;
941 while (i < replace->num_chains)
942 if (ebt_delete_a_chain(replace, i, 0))
945 ebt_delete_a_chain(replace, replace->selected_chain, 1);
948 /* Rename an existing chain. */
949 void ebt_rename_chain(struct ebt_u_replace *replace, const char *name)
951 struct ebt_u_entries *entries = ebt_to_chain(replace);
954 ebt_print_bug("ebt_rename_chain: entries == NULL");
955 strcpy(entries->name, name);
960 *************************
961 *************************
962 **SPECIALIZED*FUNCTIONS**
963 *************************
964 *************************
968 void ebt_double_chains(struct ebt_u_replace *replace)
970 struct ebt_u_entries **new;
972 replace->max_chains *= 2;
973 new = (struct ebt_u_entries **)malloc(replace->max_chains*sizeof(void *));
976 memcpy(new, replace->chains, replace->max_chains/2*sizeof(void *));
977 free(replace->chains);
978 replace->chains = new;
981 /* Executes the final_check() function for all extensions used by the rule
982 * ebt_check_for_loops should have been executed earlier, to make sure the
983 * hook_mask is correct. The time argument to final_check() is set to 1,
984 * meaning it's the second time the final_check() function is executed. */
985 void ebt_do_final_checks(struct ebt_u_replace *replace, struct ebt_u_entry *e,
986 struct ebt_u_entries *entries)
988 struct ebt_u_match_list *m_l;
989 struct ebt_u_watcher_list *w_l;
990 struct ebt_u_target *t;
991 struct ebt_u_match *m;
992 struct ebt_u_watcher *w;
997 m = ebt_find_match(m_l->m->u.name);
998 m->final_check(e, m_l->m, replace->name,
999 entries->hook_mask, 1);
1000 if (ebt_errormsg[0] != '\0')
1005 w = ebt_find_watcher(w_l->w->u.name);
1006 w->final_check(e, w_l->w, replace->name,
1007 entries->hook_mask, 1);
1008 if (ebt_errormsg[0] != '\0')
1012 t = ebt_find_target(e->t->u.name);
1013 t->final_check(e, e->t, replace->name,
1014 entries->hook_mask, 1);
1017 /* Returns 1 (if it returns) when the chain is referenced, 0 when it isn't.
1018 * print_err: 0 (resp. 1) = don't (resp. do) print error when referenced */
1019 int ebt_check_for_references(struct ebt_u_replace *replace, int print_err)
1022 return iterate_entries(replace, 1);
1024 return iterate_entries(replace, 2);
1027 /* chain_nr: nr of the udc (>= NF_BR_NUMHOOKS)
1028 * Returns 1 (if it returns) when the chain is referenced, 0 when it isn't.
1029 * print_err: 0 (resp. 1) = don't (resp. do) print error when referenced */
1030 int ebt_check_for_references2(struct ebt_u_replace *replace, int chain_nr,
1033 int tmp = replace->selected_chain, ret;
1035 replace->selected_chain = chain_nr;
1037 ret = iterate_entries(replace, 1);
1039 ret = iterate_entries(replace, 2);
1040 replace->selected_chain = tmp;
1048 struct ebt_u_entry *e;
1049 struct ebt_u_entries *entries;
1053 * As a by-product, the hook_mask member of each chain is filled in
1054 * correctly. The check functions of the extensions need this hook_mask
1055 * to know from which standard chains they can be called. */
1056 void ebt_check_for_loops(struct ebt_u_replace *replace)
1058 int chain_nr , i, j , k, sp = 0, verdict;
1059 struct ebt_u_entries *entries, *entries2;
1060 struct ebt_u_stack *stack = NULL;
1061 struct ebt_u_entry *e;
1063 /* Initialize hook_mask to 0 */
1064 for (i = 0; i < replace->num_chains; i++) {
1065 if (!(entries = replace->chains[i]))
1067 if (i < NF_BR_NUMHOOKS)
1068 /* (1 << NF_BR_NUMHOOKS) implies it's a standard chain
1069 * (usefull in the final_check() funtions) */
1070 entries->hook_mask = (1 << i) | (1 << NF_BR_NUMHOOKS);
1072 entries->hook_mask = 0;
1074 if (replace->num_chains == NF_BR_NUMHOOKS)
1076 stack = (struct ebt_u_stack *)malloc((replace->num_chains - NF_BR_NUMHOOKS) * sizeof(struct ebt_u_stack));
1080 /* Check for loops, starting from every base chain */
1081 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1082 if (!(entries = replace->chains[i]))
1086 e = entries->entries->next;
1087 for (j = 0; j < entries->nentries; j++) {
1088 if (strcmp(e->t->u.name, EBT_STANDARD_TARGET))
1090 verdict = ((struct ebt_standard_target *)(e->t))->verdict;
1093 /* Now see if we've been here before */
1094 for (k = 0; k < sp; k++)
1095 if (stack[k].chain_nr == verdict + NF_BR_NUMHOOKS) {
1096 ebt_print_error("Loop from chain '%s' to chain '%s'",
1097 replace->chains[chain_nr]->name,
1098 replace->chains[stack[k].chain_nr]->name);
1101 entries2 = replace->chains[verdict + NF_BR_NUMHOOKS];
1102 /* check if we've dealt with this chain already */
1103 if (entries2->hook_mask & (1<<i))
1105 entries2->hook_mask |= entries->hook_mask;
1106 /* Jump to the chain, make sure we know how to get back */
1107 stack[sp].chain_nr = chain_nr;
1109 stack[sp].entries = entries;
1113 e = entries2->entries->next;
1114 chain_nr = verdict + NF_BR_NUMHOOKS;
1120 /* We are at the end of a standard chain */
1123 /* Go back to the chain one level higher */
1126 chain_nr = stack[sp].chain_nr;
1128 entries = stack[sp].entries;
1136 /* The user will use the match, so put it in new_entry. The ebt_u_match
1137 * pointer is put in the ebt_entry_match pointer. ebt_add_rule will
1138 * fill in the final value for new->m. Unless the rule is added to a chain,
1139 * the pointer will keep pointing to the ebt_u_match (until the new_entry
1140 * is freed). I know, I should use a union for these 2 pointer types... */
1141 void ebt_add_match(struct ebt_u_entry *new_entry, struct ebt_u_match *m)
1143 struct ebt_u_match_list **m_list, *new;
1145 for (m_list = &new_entry->m_list; *m_list; m_list = &(*m_list)->next);
1146 new = (struct ebt_u_match_list *)
1147 malloc(sizeof(struct ebt_u_match_list));
1152 new->m = (struct ebt_entry_match *)m;
1155 void ebt_add_watcher(struct ebt_u_entry *new_entry, struct ebt_u_watcher *w)
1157 struct ebt_u_watcher_list **w_list;
1158 struct ebt_u_watcher_list *new;
1160 for (w_list = &new_entry->w_list; *w_list; w_list = &(*w_list)->next);
1161 new = (struct ebt_u_watcher_list *)
1162 malloc(sizeof(struct ebt_u_watcher_list));
1167 new->w = (struct ebt_entry_watcher *)w;
1180 /* type = 0 => update chain jumps
1181 * type = 1 => check for reference, print error when referenced
1182 * type = 2 => check for reference, don't print error when referenced
1184 * Returns 1 when type == 1 and the chain is referenced
1185 * returns 0 otherwise */
1186 static int iterate_entries(struct ebt_u_replace *replace, int type)
1188 int i, j, chain_nr = replace->selected_chain - NF_BR_NUMHOOKS;
1189 struct ebt_u_entries *entries;
1190 struct ebt_u_entry *e;
1193 ebt_print_bug("iterate_entries: udc = %d < 0", chain_nr);
1194 for (i = 0; i < replace->num_chains; i++) {
1195 if (!(entries = replace->chains[i]))
1197 e = entries->entries->next;
1198 for (j = 0; j < entries->nentries; j++) {
1201 if (strcmp(e->t->u.name, EBT_STANDARD_TARGET)) {
1205 chain_jmp = ((struct ebt_standard_target *)e->t)->
1210 if (chain_jmp == chain_nr) {
1213 ebt_print_error("Can't delete the chain '%s', it's referenced in chain '%s', rule %d",
1214 replace->chains[chain_nr + NF_BR_NUMHOOKS]->name, entries->name, j);
1219 /* Adjust the chain jumps when necessary */
1220 if (chain_jmp > chain_nr)
1221 ((struct ebt_standard_target *)e->t)->verdict--;
1230 static void decrease_chain_jumps(struct ebt_u_replace *replace)
1232 iterate_entries(replace, 0);
1235 /* Used in initialization code of modules */
1236 void ebt_register_match(struct ebt_u_match *m)
1238 int size = EBT_ALIGN(m->size) + sizeof(struct ebt_entry_match);
1239 struct ebt_u_match **i;
1241 m->m = (struct ebt_entry_match *)malloc(size);
1244 strcpy(m->m->u.name, m->name);
1245 m->m->match_size = EBT_ALIGN(m->size);
1248 for (i = &ebt_matches; *i; i = &((*i)->next));
1253 void ebt_register_watcher(struct ebt_u_watcher *w)
1255 int size = EBT_ALIGN(w->size) + sizeof(struct ebt_entry_watcher);
1256 struct ebt_u_watcher **i;
1258 w->w = (struct ebt_entry_watcher *)malloc(size);
1261 strcpy(w->w->u.name, w->name);
1262 w->w->watcher_size = EBT_ALIGN(w->size);
1265 for (i = &ebt_watchers; *i; i = &((*i)->next));
1270 void ebt_register_target(struct ebt_u_target *t)
1272 int size = EBT_ALIGN(t->size) + sizeof(struct ebt_entry_target);
1273 struct ebt_u_target **i;
1275 t->t = (struct ebt_entry_target *)malloc(size);
1278 strcpy(t->t->u.name, t->name);
1279 t->t->target_size = EBT_ALIGN(t->size);
1282 for (i = &ebt_targets; *i; i = &((*i)->next));
1287 void ebt_register_table(struct ebt_u_table *t)
1289 t->next = ebt_tables;
1293 void ebt_iterate_matches(void (*f)(struct ebt_u_match *))
1295 struct ebt_u_match *i;
1297 for (i = ebt_matches; i; i = i->next)
1301 void ebt_iterate_watchers(void (*f)(struct ebt_u_watcher *))
1303 struct ebt_u_watcher *i;
1305 for (i = ebt_watchers; i; i = i->next)
1309 void ebt_iterate_targets(void (*f)(struct ebt_u_target *))
1311 struct ebt_u_target *i;
1313 for (i = ebt_targets; i; i = i->next)
1317 /* Don't use this function, use ebt_print_bug() */
1318 void __ebt_print_bug(char *file, int line, char *format, ...)
1322 va_start(l, format);
1323 fprintf(stderr, PROGNAME" v"PROGVERSION":%s:%d:--BUG--: \n", file, line);
1324 vfprintf(stderr, format, l);
1325 fprintf(stderr, "\n");
1330 /* The error messages are put in here when ebt_silent == 1
1331 * ebt_errormsg[0] == '\0' implies there was no error */
1332 char ebt_errormsg[ERRORMSG_MAXLEN];
1333 /* When error messages should not be printed on the screen, after which
1334 * the program exit()s, set ebt_silent to 1. */
1336 /* Don't use this function, use ebt_print_error() */
1337 void __ebt_print_error(char *format, ...)
1341 va_start(l, format);
1342 if (ebt_silent && ebt_errormsg[0] == '\0') {
1343 vsnprintf(ebt_errormsg, ERRORMSG_MAXLEN, format, l);
1346 vfprintf(stderr, format, l);
1347 fprintf(stderr, ".\n");