*
*/
-// All the userspace/kernel communication is in this file.
-// The other code should not have to know anything about the way the
-// kernel likes the structure of the table data.
-// The other code works with linked lists, lots of linked lists.
-// So, the translation is done here.
+/*
+ * All the userspace/kernel communication is in this file.
+ * The other code should not have to know anything about the way the
+ * kernel likes the structure of the table data.
+ * The other code works with linked lists, lots of linked lists.
+ * So, the translation is done here.
+ */
#include <getopt.h>
#include <string.h>
new->nentries = u_repl->nentries;
new->num_counters = u_repl->num_counters;
new->counters = u_repl->counters;
- // determine nr of udc
+ /* determine nr of udc */
i = 0;
cl = u_repl->udc;
while (cl) {
}
i += NF_BR_NUMHOOKS;
chain_offsets = (unsigned int *)malloc(i * sizeof(unsigned int));
- // determine size
+ /* determine size */
i = 0;
cl = u_repl->udc;
while (1) {
sizeof(struct ebt_entry_target);
e = e->next;
}
- // a little sanity check
+ /* a little sanity check */
if (j != entries->nentries)
print_bug("Wrong nentries: %d != %d, hook = %s", j,
entries->nentries, entries->name);
if (!new->entries)
print_memory();
- // put everything in one block
+ /* put everything in one block */
p = new->entries;
i = 0;
cl = u_repl->udc;
hlp->policy = entries->policy;
strcpy(hlp->name, entries->name);
hlp->counter_offset = entries->counter_offset;
- hlp->distinguisher = 0; // make the kernel see the light
+ hlp->distinguisher = 0; /* make the kernel see the light */
p += sizeof(struct ebt_entries);
e = entries->entries;
while (e) {
if (!strcmp(e->t->u.name, EBT_STANDARD_TARGET)) {
struct ebt_standard_target *st =
(struct ebt_standard_target *)p;
- // translate the jump to a udc
+ /* translate the jump to a udc */
if (st->verdict >= 0)
st->verdict = chain_offsets
[st->verdict + NF_BR_NUMHOOKS];
i++;
}
- // sanity check
+ /* sanity check */
if (p - new->entries != new->entries_size)
print_bug("Entries_size bug");
free(chain_offsets);
int size;
FILE *file;
- // start from an empty file with right priviliges
+ /* start from an empty file with right priviliges */
command = (char *)malloc(strlen(filename) + 15);
if (!command)
print_memory();
memcpy(data, repl, sizeof(struct ebt_replace));
memcpy(data + sizeof(struct ebt_replace), repl->entries,
repl->entries_size);
- // initialize counters to zero, deliver_counters() can update them
+ /* initialize counters to zero, deliver_counters() can update them */
memset(data + sizeof(struct ebt_replace) + repl->entries_size,
0, repl->nentries * sizeof(struct ebt_counter));
if (!(file = fopen(filename, "wb")))
socklen_t optlen;
struct ebt_replace *repl;
- // translate the struct ebt_u_replace to a struct ebt_replace
+ /* translate the struct ebt_u_replace to a struct ebt_replace */
repl = translate_user2kernel(u_repl);
if (u_repl->filename != NULL) {
store_table_in_file(u_repl->filename, repl);
return;
}
- // give the data to the kernel
+ /* give the data to the kernel */
optlen = sizeof(struct ebt_replace) + repl->entries_size;
get_sockfd();
if (setsockopt(sockfd, IPPROTO_IP, EBT_SO_SET_ENTRIES, repl, optlen))
if (!(file = fopen(filename, "r+b")))
print_error("Could not open file %s", filename);
- // find out entries_size and then set the file pointer to the counters
+ /*
+ * find out entries_size and then set the file pointer to the
+ * counters
+ */
if (fseek(file, (char *)(&hlp.entries_size) - (char *)(&hlp), SEEK_SET)
|| fread(&entries_size, sizeof(char), sizeof(unsigned int), file) !=
sizeof(unsigned int) ||
fclose(file);
}
-// gets executed after deliver_table
-void
-deliver_counters(struct ebt_u_replace *u_repl)
+/* gets executed after deliver_table */
+void deliver_counters(struct ebt_u_replace *u_repl)
{
unsigned short *point;
struct ebt_counter *old, *new, *newcounters;
point = counterchanges;
while (*point != CNT_END) {
if (*point == CNT_NORM) {
- // 'normal' rule, meaning we didn't do anything to it
- // So, we just copy
+ /*
+ *'normal' rule, meaning we didn't do anything to it
+ * So, we just copy
+ */
new->pcnt = old->pcnt;
- // we've used an old counter
+ /* we've used an old counter */
old++;
- // we've set a new counter
+ /* we've set a new counter */
new++;
} else if (*point == CNT_DEL) {
- // don't use this old counter
+ /* don't use this old counter */
old++;
} else if (*point == CNT_ADD) {
- // new counter, let it stay 0
+ /* new counter, let it stay 0 */
new++;
} else {
- // zero it (let it stay 0)
+ /* zero it (let it stay 0) */
old++;
new++;
}
}
optlen = u_repl->nentries * sizeof(struct ebt_counter) +
sizeof(struct ebt_replace);
- // now put the stuff in the kernel's struct ebt_replace
+ /* now put the stuff in the kernel's struct ebt_replace */
repl.counters = u_repl->counters;
repl.num_counters = u_repl->num_counters;
memcpy(repl.name, u_repl->name, sizeof(repl.name));
int *totalcnt, struct ebt_u_entry ***u_e, struct ebt_u_replace *u_repl,
unsigned int valid_hooks, char *base)
{
- // an entry
+ /* an entry */
if (e->bitmask & EBT_ENTRY_OR_ENTRIES) {
struct ebt_u_entry *new;
struct ebt_u_match_list **m_l;
if (!new)
print_memory();
new->bitmask = e->bitmask;
- // plain userspace code doesn't know about EBT_ENTRY_OR_ENTRIES
+ /*
+ * plain userspace code doesn't know about
+ * EBT_ENTRY_OR_ENTRIES
+ */
new->bitmask &= ~EBT_ENTRY_OR_ENTRIES;
new->invflags = e->invflags;
new->ethproto = e->ethproto;
"userspace tool", t->u.name);
memcpy(new->t, t, t->target_size +
sizeof(struct ebt_entry_target));
- // deal with jumps to udc
+ /* deal with jumps to udc */
if (!strcmp(t->u.name, EBT_STANDARD_TARGET)) {
char *tmp = base;
int verdict = ((struct ebt_standard_target *)t)->verdict;
}
}
- // I love pointers
+ /* I love pointers */
**u_e = new;
*u_e = &new->next;
(*cnt)++;
(*totalcnt)++;
return 0;
- } else { // a new chain
+ } else { /* a new chain */
int i;
struct ebt_entries *entries = (struct ebt_entries *)e;
struct ebt_u_chain_list *cl;
if (valid_hooks & (1 << i))
break;
*hook = i;
- // makes use of fact that standard chains come before udc
- if (i >= NF_BR_NUMHOOKS) { // udc
+ /* makes use of fact that standard chains come before udc */
+ if (i >= NF_BR_NUMHOOKS) { /* udc */
i -= NF_BR_NUMHOOKS;
cl = u_repl->udc;
while (i-- > 0)
}
}
-// initialize all chain headers
+/* initialize all chain headers */
static int
ebt_translate_chains(struct ebt_entry *e, unsigned int *hook,
struct ebt_u_replace *u_repl, unsigned int valid_hooks)
for (i = *hook + 1; i < NF_BR_NUMHOOKS; i++)
if (valid_hooks & (1 << i))
break;
- // makes use of fact that standard chains come before udc
- if (i >= NF_BR_NUMHOOKS) { // udc
+ /* makes use of fact that standard chains come before udc */
+ if (i >= NF_BR_NUMHOOKS) { /* udc */
chain_list = &u_repl->udc;
- // add in the back
+ /* add in the back */
while (*chain_list)
chain_list = &((*chain_list)->next);
*chain_list = (struct ebt_u_chain_list *)
if (!((*chain_list)->udc))
print_memory();
new = (*chain_list)->udc;
- // ebt_translate_entry depends on this for knowing
- // to which chain is being jumped
+ /*
+ * ebt_translate_entry depends on this for knowing
+ * to which chain is being jumped
+ */
(*chain_list)->kernel_start = (char *)e;
} else {
*hook = i;
if (!(file = fopen(filename, "r+b")))
print_error("Could not open file %s", filename);
- // make sure table name is right if command isn't -L or --atomic-commit
+ /*
+ * make sure table name is right if command isn't -L or --atomic-commit
+ */
if (command != 'L' && command != 8) {
hlp = (char *)malloc(strlen(repl->name) + 1);
if (!hlp)
print_memory();
} else
repl->counters = NULL;
- // copy entries and counters
+ /* copy entries and counters */
if (fseek(file, sizeof(struct ebt_replace), SEEK_SET) ||
fread(repl->entries, sizeof(char), repl->entries_size, file)
!= repl->entries_size ||
optlen = sizeof(struct ebt_replace);
get_sockfd();
- // --atomic-init || --init-table
+ /* --atomic-init || --init-table */
if (command == 7 || command == 11)
optname = EBT_SO_GET_INIT_INFO;
else
else
repl->counters = NULL;
- // we want to receive the counters
+ /* we want to receive the counters */
repl->num_counters = repl->nentries;
optlen += repl->entries_size + repl->num_counters *
sizeof(struct ebt_counter);
strcpy(repl.name, u_repl->name);
if (u_repl->filename != NULL) {
retrieve_from_file(u_repl->filename, &repl, u_repl->command);
- // -L with a wrong table name should be dealt with silently
+ /*
+ * -L with a wrong table name should be dealt with silently
+ */
strcpy(u_repl->name, repl.name);
} else if (retrieve_from_kernel(&repl, u_repl->command) == -1)
return -1;
- // translate the struct ebt_replace to a struct ebt_u_replace
+ /* translate the struct ebt_replace to a struct ebt_u_replace */
u_repl->valid_hooks = repl.valid_hooks;
u_repl->nentries = repl.nentries;
u_repl->num_counters = repl.num_counters;
hook = -1;
EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_chains,
&hook, u_repl, u_repl->valid_hooks);
- i = 0; // holds the expected nr. of entries for the chain
- j = 0; // holds the up to now counted entries for the chain
- k = 0; // holds the total nr. of entries,
- // should equal u_repl->nentries afterwards
+ i = 0; /* holds the expected nr. of entries for the chain */
+ j = 0; /* holds the up to now counted entries for the chain */
+ /*
+ * holds the total nr. of entries,
+ * should equal u_repl->nentries afterwards
+ */
+ k = 0;
hook = -1;
EBT_ENTRY_ITERATE(repl.entries, repl.entries_size, ebt_translate_entry,
&hook, &i, &j, &k, &u_e, u_repl, u_repl->valid_hooks, repl.entries);
* ebtables ebt_ip: IP extension module for userspace
*
* Authors:
- * Bart De Schuymer <bart.de.schuymer@pandora.be>
+ * Bart De Schuymer <bdschuym@pandora.be>
*
* Changes:
* added ip-sport and ip-dport; parsing of port arguments is
#define IP_SOURCE '1'
#define IP_DEST '2'
-#define IP_myTOS '3' // include/bits/in.h seems to already define IP_TOS
+#define IP_myTOS '3' /* include/bits/in.h seems to already define IP_TOS */
#define IP_PROTO '4'
#define IP_SPORT '5'
#define IP_DPORT '6'
{ 0 }
};
-struct protoent *pe;
-
-// put the ip string into 4 bytes
+/* put the ip string into 4 bytes */
static int undot_ip(char *ip, unsigned char *ip2)
{
char *p, *q, *end;
return 0;
}
-// put the mask into 4 bytes
+/* put the mask into 4 bytes */
static int ip_mask(char *mask, unsigned char *mask2)
{
char *end;
uint32_t mask22;
if (undot_ip(mask, mask2)) {
- // not the /a.b.c.e format, maybe the /x format
+ /* not the /a.b.c.e format, maybe the /x format */
bits = strtol(mask, &end, 10);
if (*end != '\0' || bits > 32 || bits < 0)
return -1;
return 0;
}
-// set the ip mask and ip address
+/* set the ip mask and ip address */
void parse_ip_address(char *address, uint32_t *addr, uint32_t *msk)
{
char *p;
- // first the mask
+ /* first the mask */
if ((p = strrchr(address, '/')) != NULL) {
*p = '\0';
if (ip_mask(p + 1, (unsigned char *)msk))
*addr = *addr & *msk;
}
-// transform the ip mask into a string ready for output
+/* transform the ip mask into a string ready for output */
char *mask_to_dotted(uint32_t mask)
{
int i;
maskaddr = ntohl(mask);
- // don't print /32
+ /* don't print /32 */
if (mask == 0xFFFFFFFFL) {
*buf = '\0';
return buf;
}
i = 32;
- bits = 0xFFFFFFFEL; // case 0xFFFFFFFF has just been dealt with
+ bits = 0xFFFFFFFEL; /* case 0xFFFFFFFF has just been dealt with */
while (--i >= 0 && maskaddr != bits)
bits <<= 1;
else if (!i)
*buf = '\0';
else
- // mask was not a decent combination of 1's and 0's
+ /* mask was not a decent combination of 1's and 0's */
sprintf(buf, "/%d.%d.%d.%d", ((unsigned char *)&mask)[0],
((unsigned char *)&mask)[1], ((unsigned char *)&mask)[2],
((unsigned char *)&mask)[3]);
return buf;
}
-// transform a protocol and service name into a port number
+/* transform a protocol and service name into a port number */
static uint16_t parse_port(const char *protocol, const char *name)
{
struct servent *service;
print_error("Missing IP protocol argument");
(unsigned char) i = strtoul(argv[optind - 1], &end, 10);
if (*end != '\0') {
+ struct protoent *pe;
+
pe = getprotobyname(argv[optind - 1]);
if (pe == NULL)
print_error
printf("0x%02X ", ipinfo->tos);
}
if (ipinfo->bitmask & EBT_IP_PROTO) {
+ struct protoent *pe;
+
printf("--ip-proto ");
if (ipinfo->invflags & EBT_IP_PROTO)
printf("! ");
{
int policy;
unsigned int nentries;
- // counter offset for this chain
+ /* counter offset for this chain */
unsigned int counter_offset;
- // used for udc
+ /* used for udc */
unsigned int hook_mask;
char name[EBT_CHAIN_MAXNAMELEN];
struct ebt_u_entry *entries;
{
struct ebt_u_entries *udc;
struct ebt_u_chain_list *next;
- // this is only used internally, in communication.c
+ /* this is only used internally, in communication.c */
char *kernel_start;
};
{
char name[EBT_TABLE_MAXNAMELEN];
unsigned int valid_hooks;
- // nr of rules in the table
+ /* nr of rules in the table */
unsigned int nentries;
struct ebt_u_entries *hook_entry[NF_BR_NUMHOOKS];
- // user defined chains (udc) list
+ /* user defined chains (udc) list */
struct ebt_u_chain_list *udc;
- // nr of counters userspace expects back
+ /* nr of counters userspace expects back */
unsigned int num_counters;
- // where the kernel will put the old counters
+ /* where the kernel will put the old counters */
struct ebt_counter *counters;
- // can be used e.g. to know if a standard option
- // has been specified twice
+ /*
+ * can be used e.g. to know if a standard option
+ * has been specified twice
+ */
unsigned int flags;
- // we stick the specified command (e.g. -A) in here
+ /* we stick the specified command (e.g. -A) in here */
char command;
- // here we stick the hook to do our thing on (can be -1 if unspecified)
+ /*
+ * here we stick the hook to do our thing on (can be -1 if unspecified)
+ */
int selected_hook;
- // used for the atomic option
+ /* used for the atomic option */
char *filename;
- // tells what happened to the old rules
+ /* tells what happened to the old rules */
unsigned short *counterchanges;
};
struct ebt_u_match
{
char name[EBT_FUNCTION_MAXNAMELEN];
- // size of the real match data
+ /* size of the real match data */
unsigned int size;
void (*help)(void);
void (*init)(struct ebt_entry_match *m);
int (*compare)(const struct ebt_entry_match *m1,
const struct ebt_entry_match *m2);
const struct option *extra_ops;
- // can be used e.g. to check for multiple occurance of the same option
+ /*
+ * can be used e.g. to check for multiple occurance of the same option
+ */
unsigned int flags;
unsigned int option_offset;
struct ebt_entry_match *m;
- // if used == 1 we no longer have to add it to
- // the match chain of the new entry
+ /*
+ * if used == 1 we no longer have to add it to
+ * the match chain of the new entry
+ */
unsigned int used;
struct ebt_u_match *next;
};
#define print_memory() {printf("Ebtables: " __FILE__ " " __FUNCTION__ \
" %d :Out of memory.\n", __LINE__); exit(-1);}
-// used for keeping the rule counters right during rule adds or deletes
+/* used for keeping the rule counters right during rule adds or deletes */
#define CNT_NORM 0
#define CNT_DEL 1
#define CNT_ADD 2
#define CNT_ZERO 4
extern char *standard_targets[NUM_STANDARD_TARGETS];
-// Transforms a target string into the right integer,
-// returns 0 on success.
+/*
+ * Transforms a target string into the right integer,
+ * returns 0 on success.
+ */
#define FILL_TARGET(_str, _pos) ({ \
int _i, _ret = 0; \
for (_i = 0; _i < NUM_STANDARD_TARGETS; _i++) \
_ret; \
})
-// Transforms the target value to an index into standard_targets[]
+/* Transforms the target value to an index into standard_targets[] */
#define TARGET_INDEX(_value) (-_value - 1)
-// Returns a target string corresponding to the value
+/* Returns a target string corresponding to the value */
#define TARGET_NAME(_value) (standard_targets[TARGET_INDEX(_value)])
-// True if the hook mask denotes that the rule is in a base chain
+/* True if the hook mask denotes that the rule is in a base chain */
#define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS))
-// Clear the bit in the hook_mask that tells if the rule is on a base chain
+/* Clear the bit in the hook_mask that tells if the rule is on a base chain */
#define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS))
#endif /* EBTABLES_U_H */