X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=tools%2Fiptables-test.c;h=a7193c2e8a30519621bf589f9e2720451724c5ed;hb=a16d6c316722e340947219de8fea6ebb3b8dce04;hp=f3481bb949e9cca3e8c99e6c4d10979acefd67fe;hpb=5649904ce39fbe14d9160b616ba4a97cbbae5e6f;p=framework%2Fconnectivity%2Fconnman.git diff --git a/tools/iptables-test.c b/tools/iptables-test.c index f3481bb..a7193c2 100644 --- a/tools/iptables-test.c +++ b/tools/iptables-test.c @@ -278,13 +278,41 @@ static void update_offsets(struct connman_iptables *table) } } +static void update_targets_reference(struct connman_iptables *table, + struct connman_iptables_entry *entry_before, + struct connman_iptables_entry *modified_entry, + gboolean is_removing) +{ + struct connman_iptables_entry *tmp; + struct xt_standard_target *t; + GList *list; + int offset; + + offset = modified_entry->entry->next_offset; + + for (list = table->entries; list; list = list->next) { + tmp = list->data; + + if (!is_jump(tmp)) + continue; + + t = (struct xt_standard_target *)ipt_get_target(tmp->entry); + + if (is_removing == TRUE) { + if (t->verdict >= entry_before->offset) + t->verdict -= offset; + } else { + if (t->verdict > entry_before->offset) + t->verdict += offset; + } + } +} + static int connman_add_entry(struct connman_iptables *table, struct ipt_entry *entry, GList *before, int builtin) { - GList *list; - struct connman_iptables_entry *e, *tmp, *entry_before; - struct xt_standard_target *t; + struct connman_iptables_entry *e, *entry_before; if (table == NULL) return -1; @@ -312,17 +340,7 @@ static int connman_add_entry(struct connman_iptables *table, * We've just appended/insterted a new entry. All references * should be bumped accordingly. */ - for (list = table->entries; list; list = list->next) { - tmp = list->data; - - if (!is_jump(tmp)) - continue; - - t = (struct xt_standard_target *)ipt_get_target(tmp->entry); - - if (t->verdict > entry_before->offset) - t->verdict += entry->next_offset; - } + update_targets_reference(table, entry_before, e, FALSE); update_offsets(table); @@ -512,13 +530,12 @@ err_head: } static struct ipt_entry * -new_rule(struct connman_iptables *table, struct ipt_ip *ip, - char *target_name, struct xtables_target *xt_t, +new_rule(struct ipt_ip *ip, char *target_name, + struct xtables_target *xt_t, char *match_name, struct xtables_match *xt_m) { struct ipt_entry *new_entry; size_t match_size, target_size; - int is_builtin = is_builtin_target(target_name); if (xt_m) match_size = xt_m->m->u.match_size; @@ -550,40 +567,8 @@ new_rule(struct connman_iptables *table, struct ipt_ip *ip, if (xt_t) { struct xt_entry_target *entry_target; - if (is_builtin) { - struct xt_standard_target *target; - - target = (struct xt_standard_target *)(xt_t->t); - strcpy(target->target.u.user.name, IPT_STANDARD_TARGET); - target->verdict = target_to_verdict(target_name); - } - entry_target = ipt_get_target(new_entry); memcpy(entry_target, xt_t->t, target_size); - } else { - struct connman_iptables_entry *target_rule; - struct xt_standard_target *target; - GList *chain_head; - - /* - * This is a user defined target, i.e. a chain jump. - * We search for the chain head, and the target verdict - * is the first rule's offset on this chain. - * The offset is from the beginning of the table. - */ - - chain_head = find_chain_head(table, target_name); - if (chain_head == NULL || chain_head->next == NULL) { - g_free(new_entry); - return NULL; - } - - target_rule = chain_head->next->data; - - target = (struct xt_standard_target *)ipt_get_target(new_entry); - strcpy(target->target.u.user.name, IPT_STANDARD_TARGET); - target->target.u.user.target_size = target_size; - target->verdict = target_rule->offset; } return new_entry; @@ -637,7 +622,7 @@ static struct ipt_entry *prepare_rule_inclusion(struct connman_iptables *table, if (chain_tail == NULL) return NULL; - new_entry = new_rule(table, ip, target_name, xt_t, match_name, xt_m); + new_entry = new_rule(ip, target_name, xt_t, match_name, xt_m); if (new_entry == NULL) return NULL; @@ -710,6 +695,177 @@ static int connman_iptables_insert_rule(struct connman_iptables *table, return ret; } +static gboolean is_same_ipt_entry(struct ipt_entry *i_e1, + struct ipt_entry *i_e2) +{ + if (memcmp(&i_e1->ip, &i_e2->ip, sizeof(struct ipt_ip)) != 0) + return FALSE; + + if (i_e1->target_offset != i_e2->target_offset) + return FALSE; + + if (i_e1->next_offset != i_e2->next_offset) + return FALSE; + + return TRUE; +} + +static gboolean is_same_target(struct xt_entry_target *xt_e_t1, + struct xt_entry_target *xt_e_t2) +{ + if (xt_e_t1 == NULL || xt_e_t2 == NULL) + return FALSE; + + if (strcmp(xt_e_t1->u.user.name, IPT_STANDARD_TARGET) == 0) { + struct xt_standard_target *xt_s_t1; + struct xt_standard_target *xt_s_t2; + + xt_s_t1 = (struct xt_standard_target *) xt_e_t1; + xt_s_t2 = (struct xt_standard_target *) xt_e_t2; + + if (xt_s_t1->verdict != xt_s_t2->verdict) + return FALSE; + } else { + if (xt_e_t1->u.target_size != xt_e_t2->u.target_size) + return FALSE; + + if (strcmp(xt_e_t1->u.user.name, xt_e_t2->u.user.name) != 0) + return FALSE; + } + + return TRUE; +} + +static gboolean is_same_match(struct xt_entry_match *xt_e_m1, + struct xt_entry_match *xt_e_m2) +{ + if (xt_e_m1 == NULL || xt_e_m2 == NULL) + return FALSE; + + if (xt_e_m1->u.match_size != xt_e_m2->u.match_size) + return FALSE; + + if (xt_e_m1->u.user.revision != xt_e_m2->u.user.revision) + return FALSE; + + if (strcmp(xt_e_m1->u.user.name, xt_e_m2->u.user.name) != 0) + return FALSE; + + return TRUE; +} + +static int connman_iptables_delete_rule(struct connman_iptables *table, + struct ipt_ip *ip, char *chain_name, + char *target_name, struct xtables_target *xt_t, + char *match_name, struct xtables_match *xt_m) +{ + GList *chain_tail, *chain_head, *list; + struct xt_entry_target *xt_e_t = NULL; + struct xt_entry_match *xt_e_m = NULL; + struct connman_iptables_entry *entry; + struct ipt_entry *entry_test; + int builtin, removed; + + removed = 0; + + chain_head = find_chain_head(table, chain_name); + if (chain_head == NULL) + return -EINVAL; + + chain_tail = find_chain_tail(table, chain_name); + if (chain_tail == NULL) + return -EINVAL; + + if (!xt_t && !xt_m) + return -EINVAL; + + entry_test = new_rule(ip, target_name, xt_t, match_name, xt_m); + if (entry_test == NULL) + return -EINVAL; + + if (xt_t != NULL) + xt_e_t = ipt_get_target(entry_test); + if (xt_m != NULL) + xt_e_m = (struct xt_entry_match *)entry_test->elems; + + entry = chain_head->data; + builtin = entry->builtin; + + if (builtin >= 0) + list = chain_head; + else + list = chain_head->next; + + for (entry = NULL; list != chain_tail->prev; list = list->next) { + struct connman_iptables_entry *tmp; + struct ipt_entry *tmp_e; + + tmp = list->data; + tmp_e = tmp->entry; + + if (is_same_ipt_entry(entry_test, tmp_e) == FALSE) + continue; + + if (xt_t != NULL) { + struct xt_entry_target *tmp_xt_e_t; + + tmp_xt_e_t = ipt_get_target(tmp_e); + + if (!is_same_target(tmp_xt_e_t, xt_e_t)) + continue; + } + + if (xt_m != NULL) { + struct xt_entry_match *tmp_xt_e_m; + + tmp_xt_e_m = (struct xt_entry_match *)tmp_e->elems; + + if (!is_same_match(tmp_xt_e_m, xt_e_m)) + continue; + } + + entry = tmp; + break; + } + + if (entry == NULL) { + g_free(entry_test); + return -EINVAL; + } + + /* We have deleted a rule, + * all references should be bumped accordingly */ + if (list->next != NULL) + update_targets_reference(table, list->next->data, + list->data, TRUE); + + removed += remove_table_entry(table, entry); + + if (builtin >= 0) { + list = list->next; + if (list) { + entry = list->data; + entry->builtin = builtin; + } + + table->underflow[builtin] -= removed; + for (list = chain_tail; list; list = list->next) { + entry = list->data; + + builtin = entry->builtin; + if (builtin < 0) + continue; + + table->hook_entry[builtin] -= removed; + table->underflow[builtin] -= removed; + } + } + + update_offsets(table); + + return 0; +} + static struct ipt_replace * connman_iptables_blob(struct connman_iptables *table) { @@ -1036,9 +1192,74 @@ err: return NULL; } +static struct xtables_target *prepare_target(struct connman_iptables *table, + char *target_name) +{ + struct xtables_target *xt_t = NULL; + gboolean is_builtin, is_user_defined; + GList *chain_head = NULL; + size_t target_size; + + is_builtin = FALSE; + is_user_defined = FALSE; + + if (is_builtin_target(target_name)) + is_builtin = TRUE; + else { + chain_head = find_chain_head(table, target_name); + if (chain_head != NULL && chain_head->next != NULL) + is_user_defined = TRUE; + } + + if (is_builtin || is_user_defined) + xt_t = xtables_find_target(IPT_STANDARD_TARGET, + XTF_LOAD_MUST_SUCCEED); + else + xt_t = xtables_find_target(target_name, XTF_TRY_LOAD); + + if (xt_t == NULL) + return NULL; + + target_size = ALIGN(sizeof(struct ipt_entry_target)) + xt_t->size; + + xt_t->t = g_try_malloc0(target_size); + if (xt_t->t == NULL) + return NULL; + + xt_t->t->u.target_size = target_size; + + if (is_builtin || is_user_defined) { + struct xt_standard_target *target; + + target = (struct xt_standard_target *)(xt_t->t); + strcpy(target->target.u.user.name, IPT_STANDARD_TARGET); + + if (is_builtin == TRUE) + target->verdict = target_to_verdict(target_name); + else if (is_user_defined == TRUE) { + struct connman_iptables_entry *target_rule; + + if (chain_head == NULL) { + g_free(xt_t->t); + return NULL; + } + + target_rule = chain_head->next->data; + target->verdict = target_rule->offset; + } + } else { + strcpy(xt_t->t->u.user.name, target_name); + xt_t->t->u.user.revision = xt_t->revision; + if (xt_t->init != NULL) + xt_t->init(xt_t->t); + } + + return xt_t; +} static struct option connman_iptables_opts[] = { {.name = "append", .has_arg = 1, .val = 'A'}, + {.name = "delete", .has_arg = 1, .val = 'D'}, {.name = "flush-chain", .has_arg = 1, .val = 'F'}, {.name = "insert", .has_arg = 1, .val = 'I'}, {.name = "list", .has_arg = 2, .val = 'L'}, @@ -1070,7 +1291,7 @@ int main(int argc, char *argv[]) char *delete_chain, *flush_chain; int c, in_len, out_len; size_t size; - gboolean dump, invert, delete, insert; + gboolean dump, invert, delete, insert, delete_rule; struct in_addr src, dst; xtables_init_all(&connman_iptables_globals, NFPROTO_IPV4); @@ -1079,6 +1300,7 @@ int main(int argc, char *argv[]) invert = FALSE; delete = FALSE; insert = FALSE; + delete_rule = FALSE; table_name = chain = new_chain = match_name = target_name = NULL; delete_chain = flush_chain = NULL; memset(&ip, 0, sizeof(struct ipt_ip)); @@ -1086,7 +1308,7 @@ int main(int argc, char *argv[]) xt_m = NULL; xt_t = NULL; - while ((c = getopt_long(argc, argv, "-A:F:I:L::N:X:d:i:j:m:o:s:t:", + while ((c = getopt_long(argc, argv, "-A:D:F:I:L::N:X:d:i:j:m:o:s:t:", connman_iptables_globals.opts, NULL)) != -1) { switch (c) { case 'A': @@ -1097,6 +1319,15 @@ int main(int argc, char *argv[]) chain = optarg; break; + case 'D': + /* It is either -A, -D or -I at once */ + if (chain) + goto out; + + chain = optarg; + delete_rule = TRUE; + break; + case 'F': flush_chain = optarg; break; @@ -1151,32 +1382,6 @@ int main(int argc, char *argv[]) case 'j': target_name = optarg; - xt_t = xtables_find_target(target_name, XTF_TRY_LOAD); - - if (xt_t == NULL) - break; - - size = ALIGN(sizeof(struct ipt_entry_target)) + xt_t->size; - - xt_t->t = g_try_malloc0(size); - if (xt_t->t == NULL) - goto out; - xt_t->t->u.target_size = size; - strcpy(xt_t->t->u.user.name, target_name); - xt_t->t->u.user.revision = xt_t->revision; - if (xt_t->init != NULL) - xt_t->init(xt_t->t); - connman_iptables_globals.opts = - xtables_merge_options( -#if XTABLES_VERSION_CODE > 5 - connman_iptables_globals.orig_opts, -#endif - connman_iptables_globals.opts, - xt_t->extra_opts, - &xt_t->option_offset); - if (connman_iptables_globals.opts == NULL) - goto out; - break; case 'm': @@ -1310,8 +1515,30 @@ int main(int argc, char *argv[]) } if (chain) { - if (target_name == NULL) - return -1; + xt_t = prepare_target(table, target_name); + if (xt_t == NULL) + goto out; + + connman_iptables_globals.opts = + xtables_merge_options( +#if XTABLES_VERSION_CODE > 5 + connman_iptables_globals.orig_opts, +#endif + connman_iptables_globals.opts, + xt_t->extra_opts, + &xt_t->option_offset); + if (connman_iptables_globals.opts == NULL) + goto out; + + if (delete_rule == TRUE) { + printf("Deleting %s to %s (match %s)\n", target_name, + chain, match_name); + + connman_iptables_delete_rule(table, &ip, chain, + target_name, xt_t, match_name, xt_m); + + goto commit; + } if (insert == TRUE) { printf("Inserting %s to %s (match %s)\n", target_name,