+ xt_s_t1 = (struct xt_standard_target *) xt_e_t1;
+ xt_s_t2 = (struct xt_standard_target *) xt_e_t2;
+
+ if (xt_s_t1->verdict != xt_s_t2->verdict)
+ return FALSE;
+ } else {
+ if (xt_e_t1->u.target_size != xt_e_t2->u.target_size)
+ return FALSE;
+
+ if (strcmp(xt_e_t1->u.user.name, xt_e_t2->u.user.name) != 0)
+ return FALSE;
+
+ for (i = 0; i < xt_e_t1->u.target_size -
+ sizeof(struct xt_standard_target); i++) {
+ if ((xt_e_t1->data[i] ^ xt_e_t2->data[i]) != 0)
+ return FALSE;
+ }
+ }
+
+ return TRUE;
+}
+
+static gboolean is_same_match(struct xt_entry_match *xt_e_m1,
+ struct xt_entry_match *xt_e_m2)
+{
+ unsigned int i;
+
+ if (xt_e_m1 == NULL || xt_e_m2 == NULL)
+ return FALSE;
+
+ if (xt_e_m1->u.match_size != xt_e_m2->u.match_size)
+ return FALSE;
+
+ if (xt_e_m1->u.user.revision != xt_e_m2->u.user.revision)
+ return FALSE;
+
+ if (strcmp(xt_e_m1->u.user.name, xt_e_m2->u.user.name) != 0)
+ return FALSE;
+
+ for (i = 0; i < xt_e_m1->u.match_size - sizeof(struct xt_entry_match);
+ i++) {
+ if ((xt_e_m1->data[i] ^ xt_e_m2->data[i]) != 0)
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+static GList *find_existing_rule(struct connman_iptables *table,
+ struct ipt_ip *ip, const char *chain_name,
+ const char *target_name,
+ struct xtables_target *xt_t,
+ struct xtables_match *xt_m,
+ struct xtables_rule_match *xt_rm)
+{
+ GList *chain_tail, *chain_head, *list;
+ struct xt_entry_target *xt_e_t = NULL;
+ struct xt_entry_match *xt_e_m = NULL;
+ struct connman_iptables_entry *entry;
+ struct ipt_entry *entry_test;
+ int builtin;
+
+ chain_head = find_chain_head(table, chain_name);
+ if (chain_head == NULL)
+ return NULL;
+
+ chain_tail = find_chain_tail(table, chain_name);
+ if (chain_tail == NULL)
+ return NULL;
+
+ if (!xt_t && !xt_m)
+ return NULL;
+
+ entry_test = new_rule(ip, target_name, xt_t, xt_rm);
+ if (entry_test == NULL)
+ return NULL;
+
+ if (xt_t != NULL)
+ xt_e_t = ipt_get_target(entry_test);
+ if (xt_m != NULL)
+ xt_e_m = (struct xt_entry_match *)entry_test->elems;
+
+ entry = chain_head->data;
+ builtin = entry->builtin;
+
+ if (builtin >= 0)
+ list = chain_head;
+ else
+ list = chain_head->next;
+
+ for (; list != chain_tail->prev; list = list->next) {
+ struct connman_iptables_entry *tmp;
+ struct ipt_entry *tmp_e;
+
+ tmp = list->data;
+ tmp_e = tmp->entry;
+
+ if (is_same_ipt_entry(entry_test, tmp_e) == FALSE)
+ continue;
+
+ if (xt_t != NULL) {
+ struct xt_entry_target *tmp_xt_e_t;
+
+ tmp_xt_e_t = ipt_get_target(tmp_e);
+
+ if (!is_same_target(tmp_xt_e_t, xt_e_t))
+ continue;
+ }
+
+ if (xt_m != NULL) {
+ struct xt_entry_match *tmp_xt_e_m;
+
+ tmp_xt_e_m = (struct xt_entry_match *)tmp_e->elems;
+
+ if (!is_same_match(tmp_xt_e_m, xt_e_m))
+ continue;
+ }
+
+ break;
+ }
+
+ g_free(entry_test);
+
+ if (list != chain_tail->prev)
+ return list;
+
+ return NULL;
+}
+
+static int iptables_delete_rule(struct connman_iptables *table,
+ struct ipt_ip *ip, const char *chain_name,
+ const char *target_name,
+ struct xtables_target *xt_t,
+ struct xtables_match *xt_m,
+ struct xtables_rule_match *xt_rm)
+{
+ struct connman_iptables_entry *entry;
+ GList *chain_head, *chain_tail, *list;
+ int builtin, removed;
+
+ removed = 0;
+
+ chain_head = find_chain_head(table, chain_name);
+ if (chain_head == NULL)
+ return -EINVAL;
+
+ chain_tail = find_chain_tail(table, chain_name);
+ if (chain_tail == NULL)
+ return -EINVAL;
+
+ list = find_existing_rule(table, ip, chain_name, target_name,
+ xt_t, xt_m, xt_rm);
+ if (list == NULL)
+ return -EINVAL;
+
+ entry = chain_head->data;
+ builtin = entry->builtin;
+
+ entry = list->data;
+ if (entry == NULL)
+ return -EINVAL;
+
+ /* We have deleted a rule,
+ * all references should be bumped accordingly */
+ if (list->next != NULL)
+ update_targets_reference(table, list->next->data,
+ list->data, TRUE);
+
+ removed += remove_table_entry(table, entry);
+
+ if (builtin >= 0) {
+ list = list->next;
+ if (list) {
+ entry = list->data;
+ entry->builtin = builtin;
+ }
+
+ table->underflow[builtin] -= removed;
+ for (list = chain_tail; list; list = list->next) {
+ entry = list->data;
+
+ builtin = entry->builtin;
+ if (builtin < 0)
+ continue;
+
+ table->hook_entry[builtin] -= removed;
+ table->underflow[builtin] -= removed;
+ }
+ }
+
+ update_offsets(table);
+
+ return 0;
+}
+
+static int iptables_change_policy(struct connman_iptables *table,
+ const char *chain_name, const char *policy)
+{
+ GList *chain_head, *chain_tail;
+ struct connman_iptables_entry *entry;
+ struct xt_entry_target *target;
+ struct xt_standard_target *t;
+ int verdict;
+
+ verdict = target_to_verdict(policy);
+ if (verdict == 0)
+ return -EINVAL;
+
+ chain_head = find_chain_head(table, chain_name);
+ if (chain_head == NULL)
+ return -EINVAL;
+
+ entry = chain_head->data;
+ if (entry->builtin < 0)
+ return -EINVAL;
+
+ chain_tail = find_chain_tail(table, chain_name);
+ if (chain_tail == NULL)
+ return -EINVAL;
+
+ entry = chain_tail->prev->data;
+ target = ipt_get_target(entry->entry);
+
+ t = (struct xt_standard_target *)target;
+ t->verdict = verdict;
+
+ return 0;
+}
+
+static struct ipt_replace *iptables_blob(struct connman_iptables *table)
+{
+ struct ipt_replace *r;
+ GList *list;
+ struct connman_iptables_entry *e;
+ unsigned char *entry_index;
+
+ r = g_try_malloc0(sizeof(struct ipt_replace) + table->size);
+ if (r == NULL)
+ return NULL;
+
+ memset(r, 0, sizeof(*r) + table->size);
+
+ r->counters = g_try_malloc0(sizeof(struct xt_counters)
+ * table->old_entries);
+ if (r->counters == NULL) {
+ g_free(r);
+ return NULL;
+ }
+
+ strcpy(r->name, table->info->name);
+ r->num_entries = table->num_entries;
+ r->size = table->size;
+
+ r->num_counters = table->old_entries;
+ r->valid_hooks = table->info->valid_hooks;
+
+ memcpy(r->hook_entry, table->hook_entry, sizeof(table->hook_entry));
+ memcpy(r->underflow, table->underflow, sizeof(table->underflow));
+
+ entry_index = (unsigned char *)r->entries;
+ for (list = table->entries; list; list = list->next) {
+ e = list->data;
+
+ memcpy(entry_index, e->entry, e->entry->next_offset);
+ entry_index += e->entry->next_offset;
+ }
+
+ return r;
+}
+
+static void dump_ip(struct ipt_entry *entry)
+{
+ struct ipt_ip *ip = &entry->ip;
+ char ip_string[INET6_ADDRSTRLEN];
+ char ip_mask[INET6_ADDRSTRLEN];
+
+ if (strlen(ip->iniface))
+ DBG("\tin %s", ip->iniface);
+
+ if (strlen(ip->outiface))
+ DBG("\tout %s", ip->outiface);
+
+ if (inet_ntop(AF_INET, &ip->src, ip_string, INET6_ADDRSTRLEN) != NULL &&
+ inet_ntop(AF_INET, &ip->smsk,
+ ip_mask, INET6_ADDRSTRLEN) != NULL)
+ DBG("\tsrc %s/%s", ip_string, ip_mask);
+
+ if (inet_ntop(AF_INET, &ip->dst, ip_string, INET6_ADDRSTRLEN) != NULL &&
+ inet_ntop(AF_INET, &ip->dmsk,
+ ip_mask, INET6_ADDRSTRLEN) != NULL)
+ DBG("\tdst %s/%s", ip_string, ip_mask);
+}
+
+static void dump_target(struct ipt_entry *entry)
+
+{
+ struct xtables_target *xt_t;
+ struct xt_entry_target *target;
+
+ target = ipt_get_target(entry);
+
+ if (!strcmp(target->u.user.name, IPT_STANDARD_TARGET)) {
+ struct xt_standard_target *t;
+
+ t = (struct xt_standard_target *)target;
+
+ switch (t->verdict) {
+ case XT_RETURN:
+ DBG("\ttarget RETURN");
+ break;
+
+ case -NF_ACCEPT - 1:
+ DBG("\ttarget ACCEPT");
+ break;
+
+ case -NF_DROP - 1:
+ DBG("\ttarget DROP");
+ break;
+
+ case -NF_QUEUE - 1:
+ DBG("\ttarget QUEUE");