[netfilter-cvslog] r3419 - in trunk: iptables/libiptc
nfsim-testsuite/01iptables
Author: rusty at netfilter.org
Date: 2004-12-16 15:22:23 +0100 (Thu, 16 Dec 2004)
New Revision: 3419
Added:
trunk/nfsim-testsuite/01iptables/02delete-by-rule.sim
Modified:
trunk/iptables/libiptc/libip4tc.c
trunk/iptables/libiptc/libip6tc.c
trunk/iptables/libiptc/libiptc.c
Log:
Make "is_same" test basics and entries only: targets are generic.
Make target testing aware of different kinds of rules.
Change reverse logic: target_different now target_same.
Set type to MODULE in iptcc_map_target.
Add testcase for this.
Modified: trunk/iptables/libiptc/libip4tc.c
===================================================================
--- trunk/iptables/libiptc/libip4tc.c 2004-12-16 13:21:44 UTC (rev 3418)
+++ trunk/iptables/libiptc/libip4tc.c 2004-12-16 14:22:23 UTC (rev 3419)
@@ -184,11 +184,10 @@
return 0;
}
-static int
+static unsigned char *
is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b, unsigned char *matchmask)
{
unsigned int i;
- STRUCT_ENTRY_TARGET *ta, *tb;
unsigned char *mptr;
/* Always compare head structures: ignore mask here. */
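Review bot: The return type of is_same changes from a boolean to `unsigned char *` with no comment stating the new contract; from the body, NULL means the entries differ in header fields or matches, and the non-NULL value is `mptr` after the match walk, which appears to be the position of the target's bytes within matchmask. Suggest a comment above the signature: `/* Returns NULL if a and b differ in header or matches; otherwise a pointer into matchmask at the target's mask bytes, for the caller's target comparison. */`. The same applies to the libip6tc.c copy of is_same in the hunk at @@ -214. is_same's body continues in the next hunk.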
@@ -199,43 +198,31 @@
|| a->ip.proto != b->ip.proto
|| a->ip.flags != b->ip.flags
|| a->ip.invflags != b->ip.invflags)
- return 0;
+ return NULL;
for (i = 0; i < IFNAMSIZ; i++) {
if (a->ip.iniface_mask[i] != b->ip.iniface_mask[i])
- return 0;
+ return NULL;
if ((a->ip.iniface[i] & a->ip.iniface_mask[i])
!= (b->ip.iniface[i] & b->ip.iniface_mask[i]))
- return 0;
+ return NULL;
if (a->ip.outiface_mask[i] != b->ip.outiface_mask[i])
- return 0;
+ return NULL;
if ((a->ip.outiface[i] & a->ip.outiface_mask[i])
!= (b->ip.outiface[i] & b->ip.outiface_mask[i]))
- return 0;
+ return NULL;
}
if (a->nfcache != b->nfcache
|| a->target_offset != b->target_offset
|| a->next_offset != b->next_offset)
- return 0;
+ return NULL;
mptr = matchmask + sizeof(STRUCT_ENTRY);
if (IPT_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
- return 0;
+ return NULL;
- ta = GET_TARGET((STRUCT_ENTRY *)a);
- tb = GET_TARGET((STRUCT_ENTRY *)b);
- if (ta->u.target_size != tb->u.target_size)
- return 0;
- if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
- return 0;
-
- mptr += sizeof(*ta);
- if (target_different(ta->data, tb->data,
- ta->u.target_size - sizeof(*ta), mptr))
- return 0;
-
- return 1;
+ return mptr;
}
#if 0
Modified: trunk/iptables/libiptc/libip6tc.c
===================================================================
--- trunk/iptables/libiptc/libip6tc.c 2004-12-16 13:21:44 UTC (rev 3418)
+++ trunk/iptables/libiptc/libip6tc.c 2004-12-16 14:22:23 UTC (rev 3419)
@@ -214,12 +214,11 @@
return 0;
}
-static int
+static unsigned char *
is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b,
unsigned char *matchmask)
{
unsigned int i;
- STRUCT_ENTRY_TARGET *ta, *tb;
unsigned char *mptr;
/* Always compare head structures: ignore mask here. */
@@ -231,43 +230,31 @@
|| a->ipv6.tos != b->ipv6.tos
|| a->ipv6.flags != b->ipv6.flags
|| a->ipv6.invflags != b->ipv6.invflags)
- return 0;
+ return NULL;
for (i = 0; i < IFNAMSIZ; i++) {
if (a->ipv6.iniface_mask[i] != b->ipv6.iniface_mask[i])
- return 0;
+ return NULL;
if ((a->ipv6.iniface[i] & a->ipv6.iniface_mask[i])
!= (b->ipv6.iniface[i] & b->ipv6.iniface_mask[i]))
- return 0;
+ return NULL;
if (a->ipv6.outiface_mask[i] != b->ipv6.outiface_mask[i])
- return 0;
+ return NULL;
if ((a->ipv6.outiface[i] & a->ipv6.outiface_mask[i])
!= (b->ipv6.outiface[i] & b->ipv6.outiface_mask[i]))
- return 0;
+ return NULL;
}
if (a->nfcache != b->nfcache
|| a->target_offset != b->target_offset
|| a->next_offset != b->next_offset)
- return 0;
+ return NULL;
mptr = matchmask + sizeof(STRUCT_ENTRY);
if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
- return 0;
+ return NULL;
- ta = GET_TARGET((STRUCT_ENTRY *)a);
- tb = GET_TARGET((STRUCT_ENTRY *)b);
- if (ta->u.target_size != tb->u.target_size)
- return 0;
- if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
- return 0;
- mptr += sizeof(*ta);
-
- if (target_different(ta->data, tb->data,
- ta->u.target_size - sizeof(*ta), mptr))
- return 0;
-
- return 1;
+ return mptr;
}
/* All zeroes == unconditional rule. */
Modified: trunk/iptables/libiptc/libiptc.c
===================================================================
--- trunk/iptables/libiptc/libiptc.c 2004-12-16 13:21:44 UTC (rev 3418)
+++ trunk/iptables/libiptc/libiptc.c 2004-12-16 14:22:23 UTC (rev 3419)
@@ -1238,7 +1238,7 @@
memset(t->u.user.name + strlen(t->u.user.name),
0,
FUNCTION_MAXNAMELEN - strlen(t->u.user.name));
-
+ r->type = IPTCC_R_MODULE;
set_changed(handle);
return 1;
}
@@ -1413,20 +1413,42 @@
}
static inline int
-target_different(const unsigned char *a_targdata,
- const unsigned char *b_targdata,
- unsigned int tdatasize,
- const unsigned char *mask)
+target_same(struct rule_head *a, struct rule_head *b,const unsigned char *mask)
{
unsigned int i;
- for (i = 0; i < tdatasize; i++)
- if (((a_targdata[i] ^ b_targdata[i]) & mask[i]) != 0)
- return 1;
+ STRUCT_ENTRY_TARGET *ta, *tb;
- return 0;
+ if (a->type != b->type)
+ return 0;
+
+ ta = GET_TARGET(a->entry);
+ tb = GET_TARGET(b->entry);
+
+ switch (a->type) {
+ case IPTCC_R_FALLTHROUGH:
+ return 1;
+ case IPTCC_R_JUMP:
+ return a->jump == b->jump;
+ case IPTCC_R_STANDARD:
+ return ((STRUCT_STANDARD_TARGET *)ta)->verdict
+ == ((STRUCT_STANDARD_TARGET *)tb)->verdict;
+ case IPTCC_R_MODULE:
+ if (ta->u.target_size != tb->u.target_size)
+ return 0;
+ if (strcmp(ta->u.user.name, tb->u.user.name) != 0)
+ return 0;
+
+ for (i = 0; i < ta->u.target_size - sizeof(*ta); i++)
+ if (((ta->data[i] ^ ta->data[i]) & mask[i]) != 0)
+ return 0;
+ return 1;
+ default:
+ fprintf(stderr, "ERROR: bad type %i\n", a->type);
+ abort();
+ }
}
-static int
+static unsigned char *
is_same(const STRUCT_ENTRY *a,
const STRUCT_ENTRY *b,
unsigned char *matchmask);
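Review bot: In the IPTCC_R_MODULE case of target_same, the comparison loop XORs `ta->data[i]` with itself, so the masked expression is always zero and `tb->data` is never examined; two module-target rules with the same name and size but different option data compare equal, and delete-by-rule can remove a rule whose target options do not match the one requested. It should read `if (((ta->data[i] ^ tb->data[i]) & mask[i]) != 0)`. Separately, the removed code advanced the mask by `sizeof(*ta)` before comparing target data, while target_same indexes `mask[i]` from the value is_same returns, which appears to be the start of the target header within matchmask; unless match_different already accounts for that, `mask += sizeof(*ta);` before the loop (or `mask[sizeof(*ta) + i]`) keeps the mask aligned with `ta->data`. Also, `b,const` in the new signature lacks a space after the comma.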
@@ -1463,24 +1485,30 @@
}
list_for_each_entry(i, &c->rules, list) {
- if (r->type == i->type
- && is_same(r->entry, i->entry, matchmask)) {
- /* If we are about to delete the rule that is the
- * current iterator, move rule iterator back. next
- * pointer will then point to real next node */
- if (i == (*handle)->rule_iterator_cur) {
- (*handle)->rule_iterator_cur =
- list_entry((*handle)->rule_iterator_cur->list.prev,
- struct rule_head, list);
- }
+ unsigned char *mask;
- c->num_rules--;
- iptcc_delete_rule(i);
+ mask = is_same(r->entry, i->entry, matchmask);
+ if (!mask)
+ continue;
- set_changed(*handle);
- free(r);
- return 1;
+ if (!target_same(r, i, mask))
+ continue;
+
+ /* If we are about to delete the rule that is the
+ * current iterator, move rule iterator back. next
+ * pointer will then point to real next node */
+ if (i == (*handle)->rule_iterator_cur) {
+ (*handle)->rule_iterator_cur =
+ list_entry((*handle)->rule_iterator_cur->list.prev,
+ struct rule_head, list);
}
+
+ c->num_rules--;
+ iptcc_delete_rule(i);
+
+ set_changed(*handle);
+ free(r);
+ return 1;
}
free(r);
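Review bot: The new `mask` local in the delete loop is declared on one line and assigned two lines later, and nothing says what it points at; `unsigned char *mask = is_same(r->entry, i->entry, matchmask);` with a comment `/* NULL: headers or matches differ; else mask bytes for the target. */` would read more directly. The former `r->type == i->type` pre-check now happens inside target_same only after is_same has walked the matches, which is a little more work per non-matching rule but not a correctness change as far as this hunk shows. The enclosing iptc_delete_entry starts outside the hunk.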
Added: trunk/nfsim-testsuite/01iptables/02delete-by-rule.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/02delete-by-rule.sim 2004-12-16 13:21:44 UTC (rev 3418)
+++ trunk/nfsim-testsuite/01iptables/02delete-by-rule.sim 2004-12-16 14:22:23 UTC (rev 3419)
@@ -0,0 +1,119 @@
+# We've had issues with delete-by-rule.
+
+iptables -N CHAINTARGET
+iptables -N CHAIN
+
+# No target
+iptables -A FORWARD -s 192.168.0.2
+iptables -D FORWARD -s 192.168.0.2
+
+# Standard targets
+iptables -A FORWARD -s 192.168.0.2 -j ACCEPT
+iptables -D FORWARD -s 192.168.0.2 -j ACCEPT
+
+iptables -A FORWARD -s 192.168.0.2 -j DROP
+iptables -D FORWARD -s 192.168.0.2 -j DROP
+
+iptables -A FORWARD -s 192.168.0.2 -j RETURN
+iptables -D FORWARD -s 192.168.0.2 -j RETURN
+
+iptables -A FORWARD -s 192.168.0.2 -j QUEUE
+iptables -D FORWARD -s 192.168.0.2 -j QUEUE
+
+# To an extension.
+iptables -A FORWARD -s 192.168.0.2 -j REJECT
+iptables -D FORWARD -s 192.168.0.2 -j REJECT
+
+# To a chain.
+iptables -A FORWARD -s 192.168.0.2 -j CHAINTARGET
+iptables -D FORWARD -s 192.168.0.2 -j CHAINTARGET
+
+# With matches.
+iptables -A FORWARD -m mark --mark 1
+iptables -D FORWARD -m mark --mark 1
+
+iptables -A FORWARD -s 192.168.0.2 -m mark --mark 1
+iptables -D FORWARD -s 192.168.0.2 -m mark --mark 1
+
+iptables -A FORWARD -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay
+iptables -D FORWARD -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay
+
+# With matches to an extension.
+iptables -A FORWARD -m mark --mark 1 -j REJECT
+iptables -D FORWARD -m mark --mark 1 -j REJECT
+
+iptables -A FORWARD -s 192.168.0.2 -m mark --mark 1 -j REJECT
+iptables -D FORWARD -s 192.168.0.2 -m mark --mark 1 -j REJECT
+
+iptables -A FORWARD -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay -j REJECT
+iptables -D FORWARD -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay -j REJECT
+
+# With matches to a chain.
+iptables -A FORWARD -m mark --mark 1 -j CHAINTARGET
+iptables -D FORWARD -m mark --mark 1 -j CHAINTARGET
+
+iptables -A FORWARD -s 192.168.0.2 -m mark --mark 1 -j CHAINTARGET
+iptables -D FORWARD -s 192.168.0.2 -m mark --mark 1 -j CHAINTARGET
+
+iptables -A FORWARD -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay -j CHAINTARGET
+iptables -D FORWARD -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay -j CHAINTARGET
+
+## On a non-builtin chain.
+
+# No target
+iptables -A CHAIN -s 192.168.0.2
+iptables -D CHAIN -s 192.168.0.2
+
+# Standard targets
+iptables -A CHAIN -s 192.168.0.2 -j ACCEPT
+iptables -D CHAIN -s 192.168.0.2 -j ACCEPT
+
+iptables -A CHAIN -s 192.168.0.2 -j DROP
+iptables -D CHAIN -s 192.168.0.2 -j DROP
+
+iptables -A CHAIN -s 192.168.0.2 -j RETURN
+iptables -D CHAIN -s 192.168.0.2 -j RETURN
+
+iptables -A CHAIN -s 192.168.0.2 -j QUEUE
+iptables -D CHAIN -s 192.168.0.2 -j QUEUE
+
+# To an extension.
+iptables -A CHAIN -s 192.168.0.2 -j REJECT
+iptables -D CHAIN -s 192.168.0.2 -j REJECT
+
+# To a chain.
+iptables -A CHAIN -s 192.168.0.2 -j CHAINTARGET
+iptables -D CHAIN -s 192.168.0.2 -j CHAINTARGET
+
+# With matches.
+iptables -A CHAIN -m mark --mark 1
+iptables -D CHAIN -m mark --mark 1
+
+iptables -A CHAIN -s 192.168.0.2 -m mark --mark 1
+iptables -D CHAIN -s 192.168.0.2 -m mark --mark 1
+
+iptables -A CHAIN -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay
+iptables -D CHAIN -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay
+
+# With matches to an extension.
+iptables -A CHAIN -m mark --mark 1 -j REJECT
+iptables -D CHAIN -m mark --mark 1 -j REJECT
+
+iptables -A CHAIN -s 192.168.0.2 -m mark --mark 1 -j REJECT
+iptables -D CHAIN -s 192.168.0.2 -m mark --mark 1 -j REJECT
+
+iptables -A CHAIN -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay -j REJECT
+iptables -D CHAIN -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay -j REJECT
+
+# With matches to a chain.
+iptables -A CHAIN -m mark --mark 1 -j CHAINTARGET
+iptables -D CHAIN -m mark --mark 1 -j CHAINTARGET
+
+iptables -A CHAIN -s 192.168.0.2 -m mark --mark 1 -j CHAINTARGET
+iptables -D CHAIN -s 192.168.0.2 -m mark --mark 1 -j CHAINTARGET
+
+iptables -A CHAIN -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay -j CHAINTARGET
+iptables -D CHAIN -s 192.168.0.2 -m mark --mark 1 -m tos --tos Minimize-Delay -j CHAINTARGET
+
+iptables -X CHAINTARGET
+iptables -X CHAIN
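Review bot: Every case in this script appends a rule and then deletes it with identical arguments, so only the positive path is exercised; there is no case where the delete must fail or must pick the right rule because the target data differs (for example two REJECT rules with different `--reject-with` values, deleting one and checking the other survives), which is exactly the comparison target_same's module-data loop is responsible for. Adding such a negative case, and one where two rules differ only in module-target options, would catch a comparison loop that never consults the second rule. Whether nfsim scripts can assert a failed command I cannot tell from this page.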