static STRUCT_ENTRY *
index2entry(TC_HANDLE_T h, unsigned int index)
{
unsigned int pos = 0;
STRUCT_ENTRY *ret = NULL;
ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
get_entry_n, index, &pos, &ret);
return ret;
}
static unsigned int
entry2index(const TC_HANDLE_T h, const STRUCT_ENTRY *seek)
{
unsigned int pos = 0;
if (ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
get_number, seek, &pos) == 0) {
fprintf(stderr, "ERROR: offset %i not an entry!\n",
(int)((char *)seek - (char *)h->entries.entrytable));
abort();
}
return pos;
}
/* Do every conceivable sanity check on the handle */
static void
do_check(struct iptc_handle *h, unsigned int line)
{
unsigned int i, n;
unsigned int user_offset; /* Offset of first user chain */
int was_return;
assert(h->changed == 0 || h->changed == 1);
if (strcmp(h->info.name, "filter") == 0) {
assert(h->info.valid_hooks
== (1 << NF_IP_LOCAL_IN
| 1 << NF_IP_FORWARD
| 1 << NF_IP_LOCAL_OUT));
/* Hooks should be first three */
assert(h->info.hook_entry[NF_IP_LOCAL_IN] == 0);
n = get_chain_end(h, 0);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_FORWARD] == n);
n = get_chain_end(h, n);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
} else if (strcmp(h->info.name, "nat") == 0) {
assert((h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
| 1 << NF_IP_POST_ROUTING
| 1 << NF_IP_LOCAL_OUT)) ||
(h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
| 1 << NF_IP_LOCAL_IN
| 1 << NF_IP_POST_ROUTING
| 1 << NF_IP_LOCAL_OUT)));
assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
n = get_chain_end(h, 0);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
n = get_chain_end(h, n);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) {
n = get_chain_end(h, n);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_IN];
}
} else if (strcmp(h->info.name, "mangle") == 0) {
/* This code is getting ugly because linux < 2.4.18-pre6 had
* two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
* */
assert((h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
| 1 << NF_IP_LOCAL_OUT)) ||
(h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
| 1 << NF_IP_LOCAL_IN
| 1 << NF_IP_FORWARD
| 1 << NF_IP_LOCAL_OUT
| 1 << NF_IP_POST_ROUTING)));
/* Hooks should be first five */
assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
n = get_chain_end(h, 0);
if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) {
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
n = get_chain_end(h, n);
}
if (h->info.valid_hooks & (1 << NF_IP_FORWARD)) {
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_FORWARD] == n);
n = get_chain_end(h, n);
}
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
if (h->info.valid_hooks & (1 << NF_IP_POST_ROUTING)) {
n = get_chain_end(h, n);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
user_offset = h->info.hook_entry[NF_IP_POST_ROUTING];
}
} else if (strcmp(h->info.name, "raw") == 0) {
assert(h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
| 1 << NF_IP_LOCAL_OUT));
/* Hooks should be first three */
assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
n = get_chain_end(h, n);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
#ifdef NF_IP_DROPPING
} else if (strcmp(h->info.name, "drop") == 0) {
assert(h->info.valid_hooks == (1 << NF_IP_DROPPING));
/* Hook should be first */
assert(h->info.hook_entry[NF_IP_DROPPING] == 0);
user_offset = 0;
#endif
} else {
fprintf(stderr, "Unknown table `%s'\n", h->info.name);
abort();
}
/* User chain == end of last builtin + policy entry */
user_offset = get_chain_end(h, user_offset);
user_offset += get_entry(h, user_offset)->next_offset;
/* Overflows should be end of entry chains, and unconditional
policy nodes. */
for (i = 0; i < NUMHOOKS; i++) {
STRUCT_ENTRY *e;
STRUCT_STANDARD_TARGET *t;
if (!(h->info.valid_hooks & (1 << i)))
continue;
assert(h->info.underflow[i]
== get_chain_end(h, h->info.hook_entry[i]));
e = get_entry(h, get_chain_end(h, h->info.hook_entry[i]));
assert(unconditional(&e->ip));
assert(e->target_offset == sizeof(*e));
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
assert(t->target.u.target_size == ALIGN(sizeof(*t)));
assert(e->next_offset == sizeof(*e) + ALIGN(sizeof(*t)));
assert(strcmp(t->target.u.user.name, STANDARD_TARGET)==0);
assert(t->verdict == -NF_DROP-1 || t->verdict == -NF_ACCEPT-1);
/* Hooks and underflows must be valid entries */
entry2index(h, get_entry(h, h->info.hook_entry[i]));
entry2index(h, get_entry(h, h->info.underflow[i]));
}
assert(h->info.size
>= h->info.num_entries * (sizeof(STRUCT_ENTRY)
+sizeof(STRUCT_STANDARD_TARGET)));
assert(h->entries.size
>= (h->new_number
* (sizeof(STRUCT_ENTRY)
+ sizeof(STRUCT_STANDARD_TARGET))));
assert(strcmp(h->info.name, h->entries.name) == 0);
i = 0; n = 0;
was_return = 0;
/* Check all the entries. */
ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
check_entry, &i, &n, user_offset, &was_return, h);
assert(i == h->new_number);
assert(n == h->entries.size);
/* Final entry must be error node */
assert(strcmp(GET_TARGET(index2entry(h, h->new_number-1))
->u.user.name,
ERROR_TARGET) == 0);
}
static void
do_check(struct iptc_handle *h, unsigned int line)
{
unsigned int i, n;
unsigned int user_offset;
int was_return;
assert(h->changed == 0 || h->changed == 1);
if (strcmp(h->info.name, "filter") == 0) {
assert(h->info.valid_hooks
== (1 << NF_IP_LOCAL_IN
| 1 << NF_IP_FORWARD
| 1 << NF_IP_LOCAL_OUT));
assert(h->info.hook_entry[NF_IP_LOCAL_IN] == 0);
n = get_chain_end(h, 0);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_FORWARD] == n);
n = get_chain_end(h, n);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
} else if (strcmp(h->info.name, "nat") == 0) {
assert((h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
| 1 << NF_IP_POST_ROUTING
| 1 << NF_IP_LOCAL_OUT)) ||
(h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
| 1 << NF_IP_LOCAL_IN
| 1 << NF_IP_POST_ROUTING
| 1 << NF_IP_LOCAL_OUT)));
assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
n = get_chain_end(h, 0);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
n = get_chain_end(h, n);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) {
n = get_chain_end(h, n);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_IN];
}
} else if (strcmp(h->info.name, "mangle") == 0) {
assert((h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
| 1 << NF_IP_LOCAL_OUT)) ||
(h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
| 1 << NF_IP_LOCAL_IN
| 1 << NF_IP_FORWARD
| 1 << NF_IP_LOCAL_OUT
| 1 << NF_IP_POST_ROUTING)));
assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
n = get_chain_end(h, 0);
if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) {
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
n = get_chain_end(h, n);
}
if (h->info.valid_hooks & (1 << NF_IP_FORWARD)) {
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_FORWARD] == n);
n = get_chain_end(h, n);
}
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
if (h->info.valid_hooks & (1 << NF_IP_POST_ROUTING)) {
n = get_chain_end(h, n);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
user_offset = h->info.hook_entry[NF_IP_POST_ROUTING];
}
} else if (strcmp(h->info.name, "raw") == 0) {
assert(h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
| 1 << NF_IP_LOCAL_OUT));
assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
n = get_chain_end(h, n);
n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
#ifdef NF_IP_DROPPING
} else if (strcmp(h->info.name, "drop") == 0) {
assert(h->info.valid_hooks == (1 << NF_IP_DROPPING));
assert(h->info.hook_entry[NF_IP_DROPPING] == 0);
user_offset = 0;
#endif
} else {
fprintf(stderr, "Unknown table `%s'\n", h->info.name);
abort();
}
user_offset = get_chain_end(h, user_offset);
user_offset += get_entry(h, user_offset)->next_offset;
for (i = 0; i < NUMHOOKS; i++) {
STRUCT_ENTRY *e;
STRUCT_STANDARD_TARGET *t;
if (!(h->info.valid_hooks & (1 << i)))
continue;
assert(h->info.underflow[i]
== get_chain_end(h, h->info.hook_entry[i]));
e = get_entry(h, get_chain_end(h, h->info.hook_entry[i]));
assert(unconditional(&e->ip));
assert(e->target_offset == sizeof(*e));
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
assert(t->target.u.target_size == ALIGN(sizeof(*t)));
assert(e->next_offset == sizeof(*e) + ALIGN(sizeof(*t)));
assert(strcmp(t->target.u.user.name, STANDARD_TARGET)==0);
assert(t->verdict == -NF_DROP-1 || t->verdict == -NF_ACCEPT-1);
entry2index(h, get_entry(h, h->info.hook_entry[i]));
entry2index(h, get_entry(h, h->info.underflow[i]));
}
assert(h->info.size
>= h->info.num_entries * (sizeof(STRUCT_ENTRY)
+sizeof(STRUCT_STANDARD_TARGET)));
assert(h->entries.size
>= (h->new_number
* (sizeof(STRUCT_ENTRY)
+ sizeof(STRUCT_STANDARD_TARGET))));
assert(strcmp(h->info.name, h->entries.name) == 0);
i = 0; n = 0;
was_return = 0;
ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
check_entry, &i, &n, user_offset, &was_return, h);
assert(i == h->new_number);
assert(n == h->entries.size);
assert(strcmp(GET_TARGET(index2entry(h, h->new_number-1))
->u.user.name,
ERROR_TARGET) == 0);
}
