5 * Copyright (C) 2007-2012 Intel Corporation. All rights reserved.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
31 #include <sys/errno.h>
32 #include <sys/socket.h>
35 #include <linux/netfilter_ipv4/ip_tables.h>
41 * Some comments on how the iptables API works (some of them from the
42 * source code from iptables and the kernel):
44 * - valid_hooks: bit indicates valid IDs for hook_entry
45 * - hook_entry[ID] offset to the chain start
46 * - overflows should be end of entry chains, and uncodintional policy nodes.
47 * - policy entry: last entry in a chain
48 * - user chain: end of last builtin + policy entry
49 * - final entry must be error node
50 * - Underflows must be unconditional and use the STANDARD target with
52 * - IPT_SO_GET_INFO and IPT_SO_GET_ENTRIES are used to read a table
53 * - IPT_SO_GET_INFO: struct ipt_getinfo (note the lack of table content)
54 * - IPT_SO_GET_ENTRIES: struct ipt_get_entries (contains only parts of the
55 * table header/meta info. The table is appended after the header. The entries
56 * are of the type struct ipt_entry.
57 * - After the ipt_entry the matches are appended. After the matches
58 * the target is appended.
59 * - ipt_entry->target_offset = Size of ipt_entry + matches
60 * - ipt_entry->next_offset = Size of ipt_entry + matches + target
61 * - IPT_SO_SET_REPLACE is used to write a table (contains the complete
62 * - hook_entry and overflow mark the begining and the end of a chain, e.g
63 * entry hook: pre/in/fwd/out/post -1/0/352/504/-1
64 * underflow: pre/in/fwd/out/post -1/200/352/904/-1
65 * means that INPUT starts at offset 0 and ends at 200 (the start offset to
66 * the last element). FORWARD has one entry starting/ending at 352. The entry
67 * has a size of 152. 352 + 152 = 504 which is the start of the OUTPUT chain
68 * which then ends at 904. PREROUTING and POSTROUTING are invalid hooks in
70 * - 'iptables -t filter -A INPUT -m mark --mark 999 -j LOG'
71 * writing that table looks like this:
73 * filter valid_hooks 0x0000000e num_entries 5 size 856
74 * entry hook: pre/in/fwd/out/post -1/0/376/528/-1
75 * underflow: pre/in/fwd/out/post -1/224/376/528/-1
76 * entry 0x699d30 offset 0 size 224
77 * RULE match 0x699da0 target 0x699dd0
78 * match mark match 0x3e7
79 * target LOG flags 0 level 4
82 * entry 0x699e10 offset 224 size 152
83 * RULE match 0x699e80 target 0x699e80
87 * entry 0x699ea8 offset 376 size 152
88 * RULE match 0x699f18 target 0x699f18
92 * entry 0x699f40 offset 528 size 152
93 * RULE match 0x699fb0 target 0x699fb0
97 * entry 0x699fd8 offset 680 size 176
98 * USER CHAIN (ERROR) match 0x69a048 target 0x69a048
100 * Reading the filter table looks like this:
102 * filter valid_hooks 0x0000000e num_entries 5 size 856
103 * entry hook: pre/in/fwd/out/post -1/0/376/528/-1
104 * underflow: pre/in/fwd/out/post -1/224/376/528/-1
105 * entry 0x25fec28 offset 0 size 224
106 * CHAIN (INPUT) match 0x25fec98 target 0x25fecc8
107 * match mark match 0x3e7
108 * target LOG flags 0 level 4
109 * src 0.0.0.0/0.0.0.0
110 * dst 0.0.0.0/0.0.0.0
111 * entry 0x25fed08 offset 224 size 152
112 * RULE match 0x25fed78 target 0x25fed78
114 * src 0.0.0.0/0.0.0.0
115 * dst 0.0.0.0/0.0.0.0
116 * entry 0x25feda0 offset 376 size 152
117 * CHAIN (FORWARD) match 0x25fee10 target 0x25fee10
119 * src 0.0.0.0/0.0.0.0
120 * dst 0.0.0.0/0.0.0.0
121 * entry 0x25fee38 offset 528 size 152
122 * CHAIN (OUTPUT) match 0x25feea8 target 0x25feea8
124 * src 0.0.0.0/0.0.0.0
125 * dst 0.0.0.0/0.0.0.0
126 * entry 0x25feed0 offset 680 size 176
130 static const char *hooknames[] = {
131 [NF_IP_PRE_ROUTING] = "PREROUTING",
132 [NF_IP_LOCAL_IN] = "INPUT",
133 [NF_IP_FORWARD] = "FORWARD",
134 [NF_IP_LOCAL_OUT] = "OUTPUT",
135 [NF_IP_POST_ROUTING] = "POSTROUTING",
138 #define LABEL_ACCEPT "ACCEPT"
139 #define LABEL_DROP "DROP"
140 #define LABEL_QUEUE "QUEUE"
141 #define LABEL_RETURN "RETURN"
143 #define XT_OPTION_OFFSET_SCALE 256
145 #define MIN_ALIGN (__alignof__(struct ipt_entry))
147 #define ALIGN(s) (((s) + ((MIN_ALIGN)-1)) & ~((MIN_ALIGN)-1))
149 struct error_target {
150 struct xt_entry_target t;
151 char error[IPT_TABLE_MAXNAMELEN];
154 struct connman_iptables_entry {
158 struct ipt_entry *entry;
161 struct connman_iptables {
164 struct ipt_getinfo *info;
165 struct ipt_get_entries *blob_entries;
167 unsigned int num_entries;
168 unsigned int old_entries;
171 unsigned int underflow[NF_INET_NUMHOOKS];
172 unsigned int hook_entry[NF_INET_NUMHOOKS];
177 static GHashTable *table_hash = NULL;
178 static gboolean debug_enabled = FALSE;
180 typedef int (*iterate_entries_cb_t)(struct ipt_entry *entry, int builtin,
181 unsigned int hook,size_t size,
182 unsigned int offset, void *user_data);
184 static int iterate_entries(struct ipt_entry *entries,
185 unsigned int valid_hooks,
186 unsigned int *hook_entry,
187 size_t size, iterate_entries_cb_t cb,
192 struct ipt_entry *entry;
194 if (valid_hooks != 0)
195 h = __builtin_ffs(valid_hooks) - 1;
197 h = NF_INET_NUMHOOKS;
199 for (i = 0, entry = entries; i < size;
200 i += entry->next_offset) {
202 entry = (void *)entries + i;
205 * Find next valid hook which offset is higher
206 * or equal with the current offset.
208 if (h < NF_INET_NUMHOOKS) {
209 if (hook_entry[h] < i) {
210 valid_hooks ^= (1 << h);
212 if (valid_hooks != 0)
213 h = __builtin_ffs(valid_hooks) - 1;
215 h = NF_INET_NUMHOOKS;
218 if (hook_entry[h] == i)
222 err = cb(entry, builtin, h, size, i, user_data);
231 static int print_entry(struct ipt_entry *entry, int builtin, unsigned int hook,
232 size_t size, unsigned int offset,
235 iterate_entries_cb_t cb = user_data;
237 DBG("entry %p hook %d offset %d size %d", entry, hook,
238 offset, entry->next_offset);
240 return cb(entry, builtin, hook, size, offset, NULL);
243 static int target_to_verdict(const char *target_name)
245 if (!strcmp(target_name, LABEL_ACCEPT))
246 return -NF_ACCEPT - 1;
248 if (!strcmp(target_name, LABEL_DROP))
251 if (!strcmp(target_name, LABEL_QUEUE))
252 return -NF_QUEUE - 1;
254 if (!strcmp(target_name, LABEL_RETURN))
260 static gboolean is_builtin_target(const char *target_name)
262 if (!strcmp(target_name, LABEL_ACCEPT) ||
263 !strcmp(target_name, LABEL_DROP) ||
264 !strcmp(target_name, LABEL_QUEUE) ||
265 !strcmp(target_name, LABEL_RETURN))
271 static gboolean is_jump(struct connman_iptables_entry *e)
273 struct xt_entry_target *target;
275 target = ipt_get_target(e->entry);
277 if (!strcmp(target->u.user.name, IPT_STANDARD_TARGET)) {
278 struct xt_standard_target *t;
280 t = (struct xt_standard_target *)target;
282 switch (t->verdict) {
298 static gboolean is_chain(struct connman_iptables *table,
299 struct connman_iptables_entry *e)
301 struct ipt_entry *entry;
302 struct xt_entry_target *target;
308 target = ipt_get_target(entry);
309 if (!strcmp(target->u.user.name, IPT_ERROR_TARGET))
315 static GList *find_chain_head(struct connman_iptables *table,
316 const char *chain_name)
319 struct connman_iptables_entry *head;
320 struct ipt_entry *entry;
321 struct xt_entry_target *target;
324 for (list = table->entries; list; list = list->next) {
329 builtin = head->builtin;
330 if (builtin >= 0 && !strcmp(hooknames[builtin], chain_name))
333 /* User defined chain */
334 target = ipt_get_target(entry);
335 if (!strcmp(target->u.user.name, IPT_ERROR_TARGET) &&
336 !strcmp((char *)target->data, chain_name))
343 static GList *find_chain_tail(struct connman_iptables *table,
344 const char *chain_name)
346 struct connman_iptables_entry *tail;
347 GList *chain_head, *list;
349 chain_head = find_chain_head(table, chain_name);
350 if (chain_head == NULL)
353 /* Then we look for the next chain */
354 for (list = chain_head->next; list; list = list->next) {
357 if (is_chain(table, tail))
361 /* Nothing found, we return the table end */
362 return g_list_last(table->entries);
366 static void update_offsets(struct connman_iptables *table)
369 struct connman_iptables_entry *entry, *prev_entry;
371 for (list = table->entries; list; list = list->next) {
374 if (list == table->entries) {
381 prev_entry = prev->data;
383 entry->offset = prev_entry->offset +
384 prev_entry->entry->next_offset;
388 static void update_targets_reference(struct connman_iptables *table,
389 struct connman_iptables_entry *entry_before,
390 struct connman_iptables_entry *modified_entry,
391 gboolean is_removing)
393 struct connman_iptables_entry *tmp;
394 struct xt_standard_target *t;
398 offset = modified_entry->entry->next_offset;
400 for (list = table->entries; list; list = list->next) {
406 t = (struct xt_standard_target *)ipt_get_target(tmp->entry);
408 if (is_removing == TRUE) {
409 if (t->verdict >= entry_before->offset)
410 t->verdict -= offset;
412 if (t->verdict > entry_before->offset)
413 t->verdict += offset;
418 static int iptables_add_entry(struct connman_iptables *table,
419 struct ipt_entry *entry, GList *before,
422 struct connman_iptables_entry *e, *entry_before;
427 e = g_try_malloc0(sizeof(struct connman_iptables_entry));
432 e->builtin = builtin;
434 table->entries = g_list_insert_before(table->entries, before, e);
435 table->num_entries++;
436 table->size += entry->next_offset;
438 if (before == NULL) {
439 e->offset = table->size - entry->next_offset;
444 entry_before = before->data;
447 * We've just appended/insterted a new entry. All references
448 * should be bumped accordingly.
450 update_targets_reference(table, entry_before, e, FALSE);
452 update_offsets(table);
457 static int remove_table_entry(struct connman_iptables *table,
458 struct connman_iptables_entry *entry)
462 table->num_entries--;
463 table->size -= entry->entry->next_offset;
464 removed = entry->entry->next_offset;
466 g_free(entry->entry);
468 table->entries = g_list_remove(table->entries, entry);
473 static int iptables_flush_chain(struct connman_iptables *table,
476 GList *chain_head, *chain_tail, *list, *next;
477 struct connman_iptables_entry *entry;
478 int builtin, removed = 0;
480 chain_head = find_chain_head(table, name);
481 if (chain_head == NULL)
484 chain_tail = find_chain_tail(table, name);
485 if (chain_tail == NULL)
488 entry = chain_head->data;
489 builtin = entry->builtin;
494 list = chain_head->next;
496 if (list == chain_tail->prev)
499 while (list != chain_tail->prev) {
501 next = g_list_next(list);
503 removed += remove_table_entry(table, entry);
509 struct connman_iptables_entry *e;
513 entry->builtin = builtin;
515 table->underflow[builtin] -= removed;
517 for (list = chain_tail; list; list = list->next) {
520 builtin = e->builtin;
524 table->hook_entry[builtin] -= removed;
525 table->underflow[builtin] -= removed;
529 update_offsets(table);
534 static int iptables_add_chain(struct connman_iptables *table,
538 struct ipt_entry *entry_head;
539 struct ipt_entry *entry_return;
540 struct error_target *error;
541 struct ipt_standard_target *standard;
542 u_int16_t entry_head_size, entry_return_size;
544 last = g_list_last(table->entries);
547 * An empty chain is composed of:
548 * - A head entry, with no match and an error target.
549 * The error target data is the chain name.
550 * - A tail entry, with no match and a standard target.
551 * The standard target verdict is XT_RETURN (return to the
556 entry_head_size = sizeof(struct ipt_entry) +
557 sizeof(struct error_target);
558 entry_head = g_try_malloc0(entry_head_size);
559 if (entry_head == NULL)
562 memset(entry_head, 0, entry_head_size);
564 entry_head->target_offset = sizeof(struct ipt_entry);
565 entry_head->next_offset = entry_head_size;
567 error = (struct error_target *) entry_head->elems;
568 strcpy(error->t.u.user.name, IPT_ERROR_TARGET);
569 error->t.u.user.target_size = ALIGN(sizeof(struct error_target));
570 strcpy(error->error, name);
572 if (iptables_add_entry(table, entry_head, last, -1) < 0)
576 entry_return_size = sizeof(struct ipt_entry) +
577 sizeof(struct ipt_standard_target);
578 entry_return = g_try_malloc0(entry_return_size);
579 if (entry_return == NULL)
582 memset(entry_return, 0, entry_return_size);
584 entry_return->target_offset = sizeof(struct ipt_entry);
585 entry_return->next_offset = entry_return_size;
587 standard = (struct ipt_standard_target *) entry_return->elems;
588 standard->target.u.user.target_size =
589 ALIGN(sizeof(struct ipt_standard_target));
590 standard->verdict = XT_RETURN;
592 if (iptables_add_entry(table, entry_return, last, -1) < 0)
598 g_free(entry_return);
605 static int iptables_delete_chain(struct connman_iptables *table,
608 struct connman_iptables_entry *entry;
609 GList *chain_head, *chain_tail;
611 chain_head = find_chain_head(table, name);
612 if (chain_head == NULL)
615 entry = chain_head->data;
617 /* We cannot remove builtin chain */
618 if (entry->builtin >= 0)
621 chain_tail = find_chain_tail(table, name);
622 if (chain_tail == NULL)
625 /* Chain must be flushed */
626 if (chain_head->next != chain_tail->prev)
629 remove_table_entry(table, entry);
631 entry = chain_tail->prev->data;
632 remove_table_entry(table, entry);
634 update_offsets(table);
639 static struct ipt_entry *new_rule(struct ipt_ip *ip,
640 const char *target_name, struct xtables_target *xt_t,
641 struct xtables_rule_match *xt_rm)
643 struct xtables_rule_match *tmp_xt_rm;
644 struct ipt_entry *new_entry;
645 size_t match_size, target_size;
648 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL; tmp_xt_rm = tmp_xt_rm->next)
649 match_size += tmp_xt_rm->match->m->u.match_size;
652 target_size = ALIGN(xt_t->t->u.target_size);
654 target_size = ALIGN(sizeof(struct xt_standard_target));
656 new_entry = g_try_malloc0(sizeof(struct ipt_entry) + target_size +
658 if (new_entry == NULL)
661 memcpy(&new_entry->ip, ip, sizeof(struct ipt_ip));
663 new_entry->target_offset = sizeof(struct ipt_entry) + match_size;
664 new_entry->next_offset = sizeof(struct ipt_entry) + target_size +
668 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
669 tmp_xt_rm = tmp_xt_rm->next) {
670 memcpy(new_entry->elems + match_size, tmp_xt_rm->match->m,
671 tmp_xt_rm->match->m->u.match_size);
672 match_size += tmp_xt_rm->match->m->u.match_size;
676 struct xt_entry_target *entry_target;
678 entry_target = ipt_get_target(new_entry);
679 memcpy(entry_target, xt_t->t, target_size);
685 static void update_hooks(struct connman_iptables *table, GList *chain_head,
686 struct ipt_entry *entry)
689 struct connman_iptables_entry *head, *e;
692 if (chain_head == NULL)
695 head = chain_head->data;
697 builtin = head->builtin;
701 table->underflow[builtin] += entry->next_offset;
703 for (list = chain_head->next; list; list = list->next) {
706 builtin = e->builtin;
710 table->hook_entry[builtin] += entry->next_offset;
711 table->underflow[builtin] += entry->next_offset;
715 static struct ipt_entry *prepare_rule_inclusion(struct connman_iptables *table,
716 struct ipt_ip *ip, const char *chain_name,
717 const char *target_name,
718 struct xtables_target *xt_t,
719 int *builtin, struct xtables_rule_match *xt_rm)
721 GList *chain_tail, *chain_head;
722 struct ipt_entry *new_entry;
723 struct connman_iptables_entry *head;
725 chain_head = find_chain_head(table, chain_name);
726 if (chain_head == NULL)
729 chain_tail = find_chain_tail(table, chain_name);
730 if (chain_tail == NULL)
733 new_entry = new_rule(ip, target_name, xt_t, xt_rm);
734 if (new_entry == NULL)
737 update_hooks(table, chain_head, new_entry);
740 * If the chain is builtin, and does not have any rule,
741 * then the one that we're inserting is becoming the head
742 * and thus needs the builtin flag.
744 head = chain_head->data;
745 if (head->builtin < 0)
747 else if (chain_head == chain_tail->prev) {
748 *builtin = head->builtin;
755 static int iptables_append_rule(struct connman_iptables *table,
756 struct ipt_ip *ip, char *chain_name,
757 char *target_name, struct xtables_target *xt_t,
758 struct xtables_rule_match *xt_rm)
761 struct ipt_entry *new_entry;
762 int builtin = -1, ret;
766 chain_tail = find_chain_tail(table, chain_name);
767 if (chain_tail == NULL)
770 new_entry = prepare_rule_inclusion(table, ip, chain_name,
771 target_name, xt_t, &builtin, xt_rm);
772 if (new_entry == NULL)
775 ret = iptables_add_entry(table, new_entry, chain_tail->prev, builtin);
782 static int iptables_insert_rule(struct connman_iptables *table,
783 struct ipt_ip *ip, const char *chain_name,
784 const char *target_name,
785 struct xtables_target *xt_t,
786 struct xtables_rule_match *xt_rm)
788 struct ipt_entry *new_entry;
789 int builtin = -1, ret;
792 chain_head = find_chain_head(table, chain_name);
793 if (chain_head == NULL)
796 new_entry = prepare_rule_inclusion(table, ip, chain_name,
797 target_name, xt_t, &builtin, xt_rm);
798 if (new_entry == NULL)
802 chain_head = chain_head->next;
804 ret = iptables_add_entry(table, new_entry, chain_head, builtin);
811 static gboolean is_same_ipt_entry(struct ipt_entry *i_e1,
812 struct ipt_entry *i_e2)
814 if (memcmp(&i_e1->ip, &i_e2->ip, sizeof(struct ipt_ip)) != 0)
817 if (i_e1->target_offset != i_e2->target_offset)
820 if (i_e1->next_offset != i_e2->next_offset)
826 static gboolean is_same_target(struct xt_entry_target *xt_e_t1,
827 struct xt_entry_target *xt_e_t2)
829 if (xt_e_t1 == NULL || xt_e_t2 == NULL)
832 if (strcmp(xt_e_t1->u.user.name, IPT_STANDARD_TARGET) == 0) {
833 struct xt_standard_target *xt_s_t1;
834 struct xt_standard_target *xt_s_t2;
836 xt_s_t1 = (struct xt_standard_target *) xt_e_t1;
837 xt_s_t2 = (struct xt_standard_target *) xt_e_t2;
839 if (xt_s_t1->verdict != xt_s_t2->verdict)
842 if (xt_e_t1->u.target_size != xt_e_t2->u.target_size)
845 if (strcmp(xt_e_t1->u.user.name, xt_e_t2->u.user.name) != 0)
852 static gboolean is_same_match(struct xt_entry_match *xt_e_m1,
853 struct xt_entry_match *xt_e_m2)
855 if (xt_e_m1 == NULL || xt_e_m2 == NULL)
858 if (xt_e_m1->u.match_size != xt_e_m2->u.match_size)
861 if (xt_e_m1->u.user.revision != xt_e_m2->u.user.revision)
864 if (strcmp(xt_e_m1->u.user.name, xt_e_m2->u.user.name) != 0)
870 static GList *find_existing_rule(struct connman_iptables *table,
871 struct ipt_ip *ip, const char *chain_name,
872 const char *target_name,
873 struct xtables_target *xt_t,
874 struct xtables_match *xt_m,
875 struct xtables_rule_match *xt_rm)
877 GList *chain_tail, *chain_head, *list;
878 struct xt_entry_target *xt_e_t = NULL;
879 struct xt_entry_match *xt_e_m = NULL;
880 struct connman_iptables_entry *entry;
881 struct ipt_entry *entry_test;
884 chain_head = find_chain_head(table, chain_name);
885 if (chain_head == NULL)
888 chain_tail = find_chain_tail(table, chain_name);
889 if (chain_tail == NULL)
895 entry_test = new_rule(ip, target_name, xt_t, xt_rm);
896 if (entry_test == NULL)
900 xt_e_t = ipt_get_target(entry_test);
902 xt_e_m = (struct xt_entry_match *)entry_test->elems;
904 entry = chain_head->data;
905 builtin = entry->builtin;
910 list = chain_head->next;
912 for (; list != chain_tail->prev; list = list->next) {
913 struct connman_iptables_entry *tmp;
914 struct ipt_entry *tmp_e;
919 if (is_same_ipt_entry(entry_test, tmp_e) == FALSE)
923 struct xt_entry_target *tmp_xt_e_t;
925 tmp_xt_e_t = ipt_get_target(tmp_e);
927 if (!is_same_target(tmp_xt_e_t, xt_e_t))
932 struct xt_entry_match *tmp_xt_e_m;
934 tmp_xt_e_m = (struct xt_entry_match *)tmp_e->elems;
936 if (!is_same_match(tmp_xt_e_m, xt_e_m))
945 if (list != chain_tail->prev)
951 static int iptables_delete_rule(struct connman_iptables *table,
952 struct ipt_ip *ip, const char *chain_name,
953 const char *target_name,
954 struct xtables_target *xt_t,
955 struct xtables_match *xt_m,
956 struct xtables_rule_match *xt_rm)
958 struct connman_iptables_entry *entry;
959 GList *chain_tail, *list;
960 int builtin, removed;
964 chain_tail = find_chain_tail(table, chain_name);
965 if (chain_tail == NULL)
968 list = find_existing_rule(table, ip, chain_name, target_name,
977 builtin = entry->builtin;
979 /* We have deleted a rule,
980 * all references should be bumped accordingly */
981 if (list->next != NULL)
982 update_targets_reference(table, list->next->data,
985 removed += remove_table_entry(table, entry);
991 entry->builtin = builtin;
994 table->underflow[builtin] -= removed;
995 for (list = chain_tail; list; list = list->next) {
998 builtin = entry->builtin;
1002 table->hook_entry[builtin] -= removed;
1003 table->underflow[builtin] -= removed;
1007 update_offsets(table);
1012 static int iptables_compare_rule(struct connman_iptables *table,
1013 struct ipt_ip *ip, const char *chain_name,
1014 const char *target_name,
1015 struct xtables_target *xt_t,
1016 struct xtables_match *xt_m,
1017 struct xtables_rule_match *xt_rm)
1019 struct connman_iptables_entry *entry;
1022 found = find_existing_rule(table, ip, chain_name, target_name,
1027 entry = found->data;
1035 static int iptables_change_policy(struct connman_iptables *table,
1036 const char *chain_name, const char *policy)
1039 struct connman_iptables_entry *entry;
1040 struct xt_entry_target *target;
1041 struct xt_standard_target *t;
1044 verdict = target_to_verdict(policy);
1048 chain_head = find_chain_head(table, chain_name);
1049 if (chain_head == NULL)
1052 entry = chain_head->data;
1053 if (entry->builtin < 0)
1056 target = ipt_get_target(entry->entry);
1058 t = (struct xt_standard_target *)target;
1059 t->verdict = verdict;
1064 static struct ipt_replace *iptables_blob(struct connman_iptables *table)
1066 struct ipt_replace *r;
1068 struct connman_iptables_entry *e;
1069 unsigned char *entry_index;
1071 r = g_try_malloc0(sizeof(struct ipt_replace) + table->size);
1075 memset(r, 0, sizeof(*r) + table->size);
1077 r->counters = g_try_malloc0(sizeof(struct xt_counters)
1078 * table->old_entries);
1079 if (r->counters == NULL) {
1084 strcpy(r->name, table->info->name);
1085 r->num_entries = table->num_entries;
1086 r->size = table->size;
1088 r->num_counters = table->old_entries;
1089 r->valid_hooks = table->info->valid_hooks;
1091 memcpy(r->hook_entry, table->hook_entry, sizeof(table->hook_entry));
1092 memcpy(r->underflow, table->underflow, sizeof(table->underflow));
1094 entry_index = (unsigned char *)r->entries;
1095 for (list = table->entries; list; list = list->next) {
1098 memcpy(entry_index, e->entry, e->entry->next_offset);
1099 entry_index += e->entry->next_offset;
1105 static void dump_ip(struct ipt_entry *entry)
1107 struct ipt_ip *ip = &entry->ip;
1108 char ip_string[INET6_ADDRSTRLEN];
1109 char ip_mask[INET6_ADDRSTRLEN];
1111 if (strlen(ip->iniface))
1112 DBG("\tin %s", ip->iniface);
1114 if (strlen(ip->outiface))
1115 DBG("\tout %s", ip->outiface);
1117 if (inet_ntop(AF_INET, &ip->src, ip_string, INET6_ADDRSTRLEN) != NULL &&
1118 inet_ntop(AF_INET, &ip->smsk,
1119 ip_mask, INET6_ADDRSTRLEN) != NULL)
1120 DBG("\tsrc %s/%s", ip_string, ip_mask);
1122 if (inet_ntop(AF_INET, &ip->dst, ip_string, INET6_ADDRSTRLEN) != NULL &&
1123 inet_ntop(AF_INET, &ip->dmsk,
1124 ip_mask, INET6_ADDRSTRLEN) != NULL)
1125 DBG("\tdst %s/%s", ip_string, ip_mask);
1128 static void dump_target(struct ipt_entry *entry)
1131 struct xtables_target *xt_t;
1132 struct xt_entry_target *target;
1134 target = ipt_get_target(entry);
1136 if (!strcmp(target->u.user.name, IPT_STANDARD_TARGET)) {
1137 struct xt_standard_target *t;
1139 t = (struct xt_standard_target *)target;
1141 switch (t->verdict) {
1143 DBG("\ttarget RETURN");
1146 case -NF_ACCEPT - 1:
1147 DBG("\ttarget ACCEPT");
1151 DBG("\ttarget DROP");
1155 DBG("\ttarget QUEUE");
1159 DBG("\ttarget STOP");
1163 DBG("\tJUMP %u", t->verdict);
1167 xt_t = xtables_find_target(IPT_STANDARD_TARGET,
1168 XTF_LOAD_MUST_SUCCEED);
1170 if(xt_t->print != NULL)
1171 xt_t->print(NULL, target, 1);
1173 xt_t = xtables_find_target(target->u.user.name, XTF_TRY_LOAD);
1175 DBG("\ttarget %s", target->u.user.name);
1179 if(xt_t->print != NULL) {
1181 xt_t->print(NULL, target, 1);
1186 static void dump_match(struct ipt_entry *entry)
1188 struct xtables_match *xt_m;
1189 struct xt_entry_match *match;
1191 if (entry->elems == (unsigned char *)entry + entry->target_offset)
1194 match = (struct xt_entry_match *) entry->elems;
1196 if (!strlen(match->u.user.name))
1199 xt_m = xtables_find_match(match->u.user.name, XTF_TRY_LOAD, NULL);
1203 if(xt_m->print != NULL) {
1205 xt_m->print(NULL, match, 1);
1211 DBG("\tmatch %s", match->u.user.name);
1215 static int dump_entry(struct ipt_entry *entry, int builtin,
1216 unsigned int hook, size_t size, unsigned int offset,
1219 struct xt_entry_target *target;
1221 target = ipt_get_target(entry);
1223 if (offset + entry->next_offset == size) {
1224 DBG("\tEnd of CHAIN");
1228 if (!strcmp(target->u.user.name, IPT_ERROR_TARGET)) {
1229 DBG("\tUSER CHAIN (%s) match %p target %p",
1230 target->data, entry->elems,
1231 (char *)entry + entry->target_offset);
1234 } else if (builtin >= 0) {
1235 DBG("\tCHAIN (%s) match %p target %p",
1236 hooknames[builtin], entry->elems,
1237 (char *)entry + entry->target_offset);
1239 DBG("\tRULE match %p target %p",
1241 (char *)entry + entry->target_offset);
1251 static void dump_table(struct connman_iptables *table)
1253 DBG("%s valid_hooks=0x%08x, num_entries=%u, size=%u",
1255 table->info->valid_hooks, table->info->num_entries,
1258 DBG("entry hook: pre/in/fwd/out/post %d/%d/%d/%d/%d",
1259 table->info->hook_entry[NF_IP_PRE_ROUTING],
1260 table->info->hook_entry[NF_IP_LOCAL_IN],
1261 table->info->hook_entry[NF_IP_FORWARD],
1262 table->info->hook_entry[NF_IP_LOCAL_OUT],
1263 table->info->hook_entry[NF_IP_POST_ROUTING]);
1264 DBG("underflow: pre/in/fwd/out/post %d/%d/%d/%d/%d",
1265 table->info->underflow[NF_IP_PRE_ROUTING],
1266 table->info->underflow[NF_IP_LOCAL_IN],
1267 table->info->underflow[NF_IP_FORWARD],
1268 table->info->underflow[NF_IP_LOCAL_OUT],
1269 table->info->underflow[NF_IP_POST_ROUTING]);
1271 iterate_entries(table->blob_entries->entrytable,
1272 table->info->valid_hooks,
1273 table->info->hook_entry,
1274 table->blob_entries->size,
1275 print_entry, dump_entry);
1278 static void dump_ipt_replace(struct ipt_replace *repl)
1280 DBG("%s valid_hooks 0x%08x num_entries %u size %u",
1281 repl->name, repl->valid_hooks, repl->num_entries,
1284 DBG("entry hook: pre/in/fwd/out/post %d/%d/%d/%d/%d",
1285 repl->hook_entry[NF_IP_PRE_ROUTING],
1286 repl->hook_entry[NF_IP_LOCAL_IN],
1287 repl->hook_entry[NF_IP_FORWARD],
1288 repl->hook_entry[NF_IP_LOCAL_OUT],
1289 repl->hook_entry[NF_IP_POST_ROUTING]);
1290 DBG("underflow: pre/in/fwd/out/post %d/%d/%d/%d/%d",
1291 repl->underflow[NF_IP_PRE_ROUTING],
1292 repl->underflow[NF_IP_LOCAL_IN],
1293 repl->underflow[NF_IP_FORWARD],
1294 repl->underflow[NF_IP_LOCAL_OUT],
1295 repl->underflow[NF_IP_POST_ROUTING]);
1297 iterate_entries(repl->entries, repl->valid_hooks,
1298 repl->hook_entry, repl->size, print_entry, dump_entry);
1301 static int iptables_get_entries(struct connman_iptables *table)
1303 socklen_t entry_size;
1305 entry_size = sizeof(struct ipt_get_entries) + table->info->size;
1307 return getsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_GET_ENTRIES,
1308 table->blob_entries, &entry_size);
1311 static int iptables_replace(struct connman_iptables *table,
1312 struct ipt_replace *r)
1314 return setsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_SET_REPLACE, r,
1315 sizeof(*r) + r->size);
1318 static int add_entry(struct ipt_entry *entry, int builtin, unsigned int hook,
1319 size_t size, unsigned offset, void *user_data)
1321 struct connman_iptables *table = user_data;
1322 struct ipt_entry *new_entry;
1324 new_entry = g_try_malloc0(entry->next_offset);
1325 if (new_entry == NULL)
1328 memcpy(new_entry, entry, entry->next_offset);
1330 return iptables_add_entry(table, new_entry, NULL, builtin);
1333 static void table_cleanup(struct connman_iptables *table)
1336 struct connman_iptables_entry *entry;
1341 if (table->ipt_sock >= 0)
1342 close(table->ipt_sock);
1344 for (list = table->entries; list; list = list->next) {
1347 g_free(entry->entry);
1351 g_list_free(table->entries);
1352 g_free(table->info);
1353 g_free(table->blob_entries);
1357 static struct connman_iptables *iptables_init(const char *table_name)
1359 struct connman_iptables *table = NULL;
1360 char *module = NULL;
1363 if (table_name == NULL)
1364 table_name = "filter";
1366 DBG("%s", table_name);
1368 if (xtables_insmod("ip_tables", NULL, TRUE) != 0)
1369 DBG("ip_tables module loading gives error but trying anyway");
1371 module = g_strconcat("iptable_", table_name, NULL);
1375 if (xtables_insmod(module, NULL, TRUE) != 0)
1376 DBG("%s module loading gives error but trying anyway", module);
1380 table = g_hash_table_lookup(table_hash, table_name);
1384 table = g_try_new0(struct connman_iptables, 1);
1388 table->info = g_try_new0(struct ipt_getinfo, 1);
1389 if (table->info == NULL)
1392 table->ipt_sock = socket(AF_INET, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_RAW);
1393 if (table->ipt_sock < 0)
1396 s = sizeof(*table->info);
1397 strcpy(table->info->name, table_name);
1398 if (getsockopt(table->ipt_sock, IPPROTO_IP, IPT_SO_GET_INFO,
1399 table->info, &s) < 0) {
1400 connman_error("iptables support missing error %d (%s)", errno,
1405 table->blob_entries = g_try_malloc0(sizeof(struct ipt_get_entries) +
1407 if (table->blob_entries == NULL)
1410 strcpy(table->blob_entries->name, table_name);
1411 table->blob_entries->size = table->info->size;
1413 if (iptables_get_entries(table) < 0)
1416 table->num_entries = 0;
1417 table->old_entries = table->info->num_entries;
1420 memcpy(table->underflow, table->info->underflow,
1421 sizeof(table->info->underflow));
1422 memcpy(table->hook_entry, table->info->hook_entry,
1423 sizeof(table->info->hook_entry));
1425 iterate_entries(table->blob_entries->entrytable,
1426 table->info->valid_hooks, table->info->hook_entry,
1427 table->blob_entries->size, add_entry, table);
1429 g_hash_table_insert(table_hash, g_strdup(table_name), table);
1431 if (debug_enabled == TRUE)
1437 table_cleanup(table);
1442 static struct option iptables_opts[] = {
1443 {.name = "append", .has_arg = 1, .val = 'A'},
1444 {.name = "compare", .has_arg = 1, .val = 'C'},
1445 {.name = "delete", .has_arg = 1, .val = 'D'},
1446 {.name = "flush-chain", .has_arg = 1, .val = 'F'},
1447 {.name = "insert", .has_arg = 1, .val = 'I'},
1448 {.name = "list", .has_arg = 2, .val = 'L'},
1449 {.name = "new-chain", .has_arg = 1, .val = 'N'},
1450 {.name = "policy", .has_arg = 1, .val = 'P'},
1451 {.name = "delete-chain", .has_arg = 1, .val = 'X'},
1452 {.name = "destination", .has_arg = 1, .val = 'd'},
1453 {.name = "in-interface", .has_arg = 1, .val = 'i'},
1454 {.name = "jump", .has_arg = 1, .val = 'j'},
1455 {.name = "match", .has_arg = 1, .val = 'm'},
1456 {.name = "out-interface", .has_arg = 1, .val = 'o'},
1457 {.name = "source", .has_arg = 1, .val = 's'},
1458 {.name = "table", .has_arg = 1, .val = 't'},
1462 struct xtables_globals iptables_globals = {
1464 .opts = iptables_opts,
1465 .orig_opts = iptables_opts,
1468 static struct xtables_target *prepare_target(struct connman_iptables *table,
1469 const char *target_name)
1471 struct xtables_target *xt_t = NULL;
1472 gboolean is_builtin, is_user_defined;
1473 GList *chain_head = NULL;
1477 is_user_defined = FALSE;
1479 if (is_builtin_target(target_name))
1482 chain_head = find_chain_head(table, target_name);
1483 if (chain_head != NULL && chain_head->next != NULL)
1484 is_user_defined = TRUE;
1487 if (is_builtin || is_user_defined)
1488 xt_t = xtables_find_target(IPT_STANDARD_TARGET,
1489 XTF_LOAD_MUST_SUCCEED);
1491 xt_t = xtables_find_target(target_name, XTF_TRY_LOAD);
1496 target_size = ALIGN(sizeof(struct ipt_entry_target)) + xt_t->size;
1498 xt_t->t = g_try_malloc0(target_size);
1499 if (xt_t->t == NULL)
1502 xt_t->t->u.target_size = target_size;
1504 if (is_builtin || is_user_defined) {
1505 struct xt_standard_target *target;
1507 target = (struct xt_standard_target *)(xt_t->t);
1508 strcpy(target->target.u.user.name, IPT_STANDARD_TARGET);
1510 if (is_builtin == TRUE)
1511 target->verdict = target_to_verdict(target_name);
1512 else if (is_user_defined == TRUE) {
1513 struct connman_iptables_entry *target_rule;
1515 if (chain_head == NULL) {
1520 target_rule = chain_head->next->data;
1521 target->verdict = target_rule->offset;
1524 strcpy(xt_t->t->u.user.name, target_name);
1525 xt_t->t->u.user.revision = xt_t->revision;
1526 if (xt_t->init != NULL)
1527 xt_t->init(xt_t->t);
1530 #if XTABLES_VERSION_CODE > 5
1531 if (xt_t->x6_options != NULL)
1532 iptables_globals.opts =
1533 xtables_options_xfrm(
1534 iptables_globals.orig_opts,
1535 iptables_globals.opts,
1537 &xt_t->option_offset);
1540 iptables_globals.opts =
1541 xtables_merge_options(
1542 #if XTABLES_VERSION_CODE > 5
1543 iptables_globals.orig_opts,
1545 iptables_globals.opts,
1547 &xt_t->option_offset);
1549 if (iptables_globals.opts == NULL) {
1557 static struct xtables_match *prepare_matches(struct connman_iptables *table,
1558 struct xtables_rule_match **xt_rm,
1559 const char *match_name)
1561 struct xtables_match *xt_m;
1564 if (match_name == NULL)
1567 xt_m = xtables_find_match(match_name, XTF_LOAD_MUST_SUCCEED, xt_rm);
1568 match_size = ALIGN(sizeof(struct ipt_entry_match)) + xt_m->size;
1570 xt_m->m = g_try_malloc0(match_size);
1571 if (xt_m->m == NULL)
1574 xt_m->m->u.match_size = match_size;
1575 strcpy(xt_m->m->u.user.name, xt_m->name);
1576 xt_m->m->u.user.revision = xt_m->revision;
1578 if (xt_m->init != NULL)
1579 xt_m->init(xt_m->m);
1581 if (xt_m == xt_m->next)
1584 #if XTABLES_VERSION_CODE > 5
1585 if (xt_m->x6_options != NULL)
1586 iptables_globals.opts =
1587 xtables_options_xfrm(
1588 iptables_globals.orig_opts,
1589 iptables_globals.opts,
1591 &xt_m->option_offset);
1594 iptables_globals.opts =
1595 xtables_merge_options(
1596 #if XTABLES_VERSION_CODE > 5
1597 iptables_globals.orig_opts,
1599 iptables_globals.opts,
1601 &xt_m->option_offset);
1603 if (iptables_globals.opts == NULL) {
1612 static int parse_ip_and_mask(const char *str, struct in_addr *ip, struct in_addr *mask)
1615 uint32_t prefixlength;
1619 tokens = g_strsplit(str, "/", 2);
1623 if (!inet_pton(AF_INET, tokens[0], ip)) {
1628 if (tokens[1] != NULL) {
1629 prefixlength = strtol(tokens[1], NULL, 10);
1630 if (prefixlength > 31) {
1635 tmp = ~(0xffffffff >> prefixlength);
1640 mask->s_addr = htonl(tmp);
1641 ip->s_addr = ip->s_addr & mask->s_addr;
1649 static struct connman_iptables *pre_load_table(const char *table_name,
1650 struct connman_iptables *table)
1655 return iptables_init(table_name);
1658 static void clear_tables_flags(void)
1660 struct xtables_match *xt_m;
1661 struct xtables_target *xt_t;
1664 * Clear all flags because the flags are only valid
1667 for (xt_m = xtables_matches; xt_m != NULL; xt_m = xt_m->next)
1670 for (xt_t = xtables_targets; xt_t != NULL; xt_t = xt_t->next) {
1676 static int iptables_command(int argc, char *argv[])
1678 struct connman_iptables *table;
1679 struct xtables_rule_match *xt_rm, *tmp_xt_rm;
1680 struct xtables_match *xt_m, *xt_m_t;
1681 struct xtables_target *xt_t;
1683 char *table_name, *chain, *new_chain, *match_name, *target_name;
1684 char *flush_chain, *delete_chain, *policy;
1685 int c, ret, in_len, out_len;
1686 gboolean dump, invert, insert, delete, compare;
1696 chain = new_chain = match_name = target_name = NULL;
1697 flush_chain = delete_chain = policy = table_name = NULL;
1698 memset(&ip, 0, sizeof(struct ipt_ip));
1703 /* Default code for options parsing */
1706 clear_tables_flags();
1708 /* extension's options will generate false-positives errors */
1713 while ((c = getopt_long(argc, argv,
1714 "-A:C:D:F:I:L::N:P:X:d:j:i:m:o:s:t:",
1715 iptables_globals.opts, NULL)) != -1) {
1718 /* It is either -A, -C, -D or -I at once */
1726 /* It is either -A, -C, -D or -I at once */
1735 /* It is either -A, -C, -D or -I at once */
1744 flush_chain = optarg;
1748 /* It is either -A, -C, -D or -I at once */
1767 policy = argv[optind++];
1774 delete_chain = optarg;
1778 if (!parse_ip_and_mask(optarg, &ip.dst, &ip.dmsk))
1782 ip.invflags |= IPT_INV_DSTIP;
1787 in_len = strlen(optarg);
1789 if (in_len + 1 > IFNAMSIZ)
1792 strcpy(ip.iniface, optarg);
1793 memset(ip.iniface_mask, 0xff, in_len + 1);
1796 ip.invflags |= IPT_INV_VIA_IN;
1801 target_name = optarg;
1803 table = pre_load_table(table_name, table);
1807 xt_t = prepare_target(table, target_name);
1814 match_name = optarg;
1816 table = pre_load_table(table_name, table);
1820 xt_m = prepare_matches(table, &xt_rm, match_name);
1827 out_len = strlen(optarg);
1829 if (out_len + 1 > IFNAMSIZ)
1832 strcpy(ip.outiface, optarg);
1833 memset(ip.outiface_mask, 0xff, out_len + 1);
1836 ip.invflags |= IPT_INV_VIA_OUT;
1841 if (!parse_ip_and_mask(optarg, &ip.src, &ip.smsk))
1845 ip.invflags |= IPT_INV_SRCIP;
1850 table_name = optarg;
1852 table = pre_load_table(table_name, table);
1859 if (optarg[0] == '!' && optarg[1] == '\0') {
1865 connman_error("Invalid option");
1870 #if XTABLES_VERSION_CODE > 5
1871 if (xt_t != NULL && (xt_t->x6_parse != NULL ||
1872 xt_t->parse != NULL) &&
1873 (c >= (int) xt_t->option_offset &&
1874 c < (int) xt_t->option_offset +
1875 XT_OPTION_OFFSET_SCALE)) {
1876 xtables_option_tpcall(c, argv,
1877 invert, xt_t, NULL);
1882 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
1883 tmp_xt_rm = tmp_xt_rm->next) {
1884 xt_m_t = tmp_xt_rm->match;
1886 if (tmp_xt_rm->completed ||
1887 (xt_m_t->x6_parse == NULL &&
1888 xt_m_t->parse == NULL))
1891 if (c < (int) xt_m_t->option_offset ||
1892 c >= (int) xt_m_t->option_offset
1893 + XT_OPTION_OFFSET_SCALE)
1896 xtables_option_mpcall(c, argv,
1897 invert, xt_m_t, NULL);
1902 if (xt_t == NULL || xt_t->parse == NULL ||
1903 !xt_t->parse(c - xt_t->option_offset,
1904 argv, invert, &xt_t->tflags, NULL, &xt_t->t)) {
1906 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
1907 tmp_xt_rm = tmp_xt_rm->next) {
1908 xt_m_t = tmp_xt_rm->match;
1910 if (tmp_xt_rm->completed ||
1911 xt_m_t->parse == NULL)
1914 if (xt_m->parse(c - xt_m->option_offset,
1915 argv, invert, &xt_m->mflags,
1927 #if XTABLES_VERSION_CODE > 5
1928 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
1929 tmp_xt_rm = tmp_xt_rm->next)
1930 xtables_option_mfcall(tmp_xt_rm->match);
1933 xtables_option_tfcall(xt_t);
1935 for (tmp_xt_rm = xt_rm; tmp_xt_rm != NULL;
1936 tmp_xt_rm = tmp_xt_rm->next)
1937 if (tmp_xt_rm->match->final_check != NULL)
1938 tmp_xt_rm->match->final_check(
1939 tmp_xt_rm->match->mflags);
1941 if (xt_t != NULL && xt_t->final_check != NULL)
1942 xt_t->final_check(xt_t->tflags);
1945 table = pre_load_table(table_name, table);
1949 /* Option parsing went fine, falling back to succes code */
1952 if (delete_chain != NULL) {
1953 printf("Delete chain %s\n", delete_chain);
1955 iptables_delete_chain(table, delete_chain);
1967 DBG("Flush chain %s", flush_chain);
1969 iptables_flush_chain(table, flush_chain);
1974 if (chain && new_chain) {
1980 DBG("New chain %s", new_chain);
1982 ret = iptables_add_chain(table, new_chain);
1987 if (policy != NULL) {
1988 printf("Changing policy of %s to %s\n", chain, policy);
1990 iptables_change_policy(table, chain, policy);
1998 if (compare == TRUE) {
1999 ret = iptables_compare_rule(table, &ip, chain,
2000 target_name, xt_t, xt_m, xt_rm);
2004 if (delete == TRUE) {
2005 DBG("Deleting %s to %s (match %s)\n",
2006 target_name, chain, match_name);
2008 ret = iptables_delete_rule(table, &ip, chain,
2009 target_name, xt_t, xt_m, xt_rm);
2014 if (insert == TRUE) {
2015 DBG("Inserting %s to %s (match %s)",
2016 target_name, chain, match_name);
2018 ret = iptables_insert_rule(table, &ip, chain,
2019 target_name, xt_t, xt_rm);
2023 DBG("Adding %s to %s (match %s)",
2024 target_name, chain, match_name);
2026 ret = iptables_append_rule(table, &ip, chain,
2027 target_name, xt_t, xt_rm);
2043 int __connman_iptables_command(const char *format, ...)
2045 char **argv, **arguments, *command;
2052 va_start(args, format);
2054 command = g_strdup_vprintf(format, args);
2058 if (command == NULL)
2061 arguments = g_strsplit_set(command, " ", -1);
2063 for (argc = 0; arguments[argc]; argc++);
2066 DBG("command %s argc %d", command, argc);
2068 argv = g_try_malloc0(argc * sizeof(char *));
2071 g_strfreev(arguments);
2075 argv[0] = "iptables";
2076 for (i = 1; i < argc; i++)
2077 argv[i] = arguments[i - 1];
2079 ret = iptables_command(argc, argv);
2082 g_strfreev(arguments);
2089 int __connman_iptables_commit(const char *table_name)
2091 struct connman_iptables *table;
2092 struct ipt_replace *repl;
2095 DBG("%s", table_name);
2097 table = g_hash_table_lookup(table_hash, table_name);
2101 repl = iptables_blob(table);
2103 if (debug_enabled == TRUE)
2104 dump_ipt_replace(repl);
2106 err = iptables_replace(table, repl);
2108 g_free(repl->counters);
2114 g_hash_table_remove(table_hash, table_name);
2119 static void remove_table(gpointer user_data)
2121 struct connman_iptables *table = user_data;
2123 table_cleanup(table);
2126 int __connman_iptables_init(void)
2130 if (getenv("CONNMAN_IPTABLES_DEBUG"))
2131 debug_enabled = TRUE;
2133 table_hash = g_hash_table_new_full(g_str_hash, g_str_equal,
2134 g_free, remove_table);
2136 xtables_init_all(&iptables_globals, NFPROTO_IPV4);
2142 void __connman_iptables_cleanup(void)
2146 g_hash_table_destroy(table_hash);
2148 xtables_free_opts(1);
projects / platform / upstream / connman.git / blob