path: root/src/iptables.c
Age | Commit message | Author | Files | Lines
2014-07-17 | Imported Upstream version 1.24 (upstream/1.24) | Zhang zhengguang | 1 | -185/+194
2013-05-31 | iptables: Fix memory leak when invoking xtables_find_match | Daniel Wagner | 1 | -12/+34
    xtables_find_match() returns two different kinds of pointers. The first type is pointing to the function pointer table loaded via dlopen(). The second type is a copy (via plain malloc) of the first type. xtables_find_match() marks the copies/clones with m == m->next. So we need to free the struct xtables_match which point back to themselves. Also fix the issue that we didn't handle multiple match instances at the same time. The memory leak is only visible when having more than one match of a kind.
2013-03-25 | iptables: Add chain iterator | Daniel Wagner | 1 | -32/+14
    We will implement the ConnMan iptables specific part in a different file and leave the iptables.c file as small as possible. Therefore, we move the flushing part out, but we need a way to find our chains on bootup (left over from a crash). Let's add an iterator which walks over all chains, which allows a higher level to find the chains it is looking for (e.g. connman-INPUT).
2013-03-25 | iptables: Add __connman_iptables_insert() | Daniel Wagner | 1 | -0/+74
    This was wrongly removed with commit 161efbae.
2013-03-25 | iptables: Prepare rule to be inserted or appended | Daniel Wagner | 1 | -3/+4
    Add a boolean helper to distinguish between insert and append operations. When chain_head == chain_tail->prev, the builtin chain is empty which makes an intended append operation equivalent to an insert operation.
2013-03-18 | iptables: Allocated memory blocks are already zeroed out | Daniel Wagner | 1 | -4/+0
    entry_head and entry_return are allocated via g_try_malloc0().
2013-03-18 | iptables: Factor out duplicated update hook code | Daniel Wagner | 1 | -33/+27
    After removing one or more rules the builtin hooks need to be updated accordingly. iptables_flush_chain() and iptables_delete_rule() share a common code part.
2013-03-18 | iptables: Fix invalid access to list after removing first rule | Daniel Wagner | 1 | -6/+16
    The list pointer is invalid after remove_table_entry(). Since we are entering the 'if' body only for the first rule in a builtin chain we can safely update list to point to the next element.
2013-03-18 | iptables: Rename pre_load_table() to get_table() | Daniel Wagner | 1 | -12/+10
    The second argument is not used anymore, let's remove it. The function name doesn't really match its implementation, so it's also time to rename it.
2013-03-18 | iptables: Improve debug log output | Daniel Wagner | 1 | -4/+17
    We need to see a bit more in detail what happens when CONNMAN_IPTABLES_DEBUG is not set, for example the removing/flushing during bootup. Also remove the DBG() from parse_rule_spec() because all callers already have a DBG(). So not much additional information here.
2013-03-18 | iptables: Lookup in table hash before module loading | Daniel Wagner | 1 | -10/+14
    pre_load_table() is always called with table == NULL, so we keep trying to load the kernel modules even though the table is already loaded. Therefore, move the lookup one level up.
2013-03-18 | iptables: Use glib function for string operations | Daniel Wagner | 1 | -31/+31
    Streamline this file with the rest of ConnMan's code base.
2013-03-18 | iptables: Drop support for xtables < 1.4.11 | Daniel Wagner | 1 | -71/+0
    The API changed between 1.4.10 (version code 5) and 1.4.11 (version code 6) and we needed to work around it with a bunch of ugly ifdefs. 1.4.11 was released on 26.05.2011 and even Debian testing ships 1.4.14 these days.
2013-03-18 | iptables: Add __connman_iptables_dump() | Daniel Wagner | 1 | -0/+15
    In order to allow our test tool iptables-tests to dump a table we need a dump function. The only user will be this tool. That allows the linker to remove this code, so no additional code size.
2013-03-07 | iptables: Fix rule appending | Daniel Wagner | 1 | -9/+6
    Commit ba052f1f "iptables: Add split out iptables commands" introduced a bug. __connman_iptables_append() should call iptables_append_rule() instead of iptables_insert_rule().
2013-03-07 | iptables: Valid policies are only ACCEPT and DROP | Daniel Wagner | 1 | -1/+6
2013-03-07 | iptables: Fix setting policy | Daniel Wagner | 1 | -1/+6
    The policy is kept at the end of the chain not at the beginning. Currently, the code assumes that the builtin chain is empty.
2013-03-07 | iptables: Always update options table | Daniel Wagner | 1 | -4/+0
    The linked list is tracking all loaded modules. Since we do not unload once they are loaded (xtables does not support this), we might end up leaving prepare_matches() before we update the option table. Since we carefully reset the global xtable state after executing one rule, this check is wrong, e.g. if we add two similar rules (same matches (mark, nfacct)). In this case the second rule would not be parsed correctly. Nasty nasty iptables parser!
2013-03-07 | iptables: Do not flush in the wrong order | Daniel Wagner | 1 | -0/+8
2013-03-07 | iptables: Fix and refactor iterate_entries() | Daniel Wagner | 1 | -25/+46
    Updating the builtin and hook index is more complex than one would expect. In order to be able to update them correctly we need also to pass in the underflow table to the iterate function. To improve the readability the valid_hook magic has been moved into next_hook_entry_index() which does exactly what the name says.
2013-03-07 | iptables: Fix is_fallthrough() check | Daniel Wagner | 1 | -2/+6
    A fallthrough rule is one which has the default target name, does not have a verdict and is not a jump rule. is_fallthrough() is called exclusively from the insert path, thus the value of verdict will be 0 for a fallthrough rule.
2013-02-22 | iptables: Merge clear_tables_flags() and reset_xtables() | Daniel Wagner | 1 | -25/+19
    Both functions reset the xtables library. So let's do this at the same place.
2013-02-22 | iptables: Free table pointer | Daniel Wagner | 1 | -1/+3
    And also use g_strv_length() to count the number of entries. Thanks Tomasz!
2013-02-22 | iptables: Free match rules | Daniel Wagner | 1 | -0/+9
    We forgot to free the match rules.
2013-02-22 | iptables: Reset pointer after freeing | Daniel Wagner | 1 | -2/+6
    The match or the target might be reused in the next invocation of iptables and then xtables operates on this invalid pointer. xt_t->t and xt_m->m are kept alive via the global variables xtables_targets and xtables_matches.
2013-02-22 | iptables: Reinitialize global parser table | Daniel Wagner | 1 | -2/+16
    xtables modifies the global parse table and allocates additional memory. If that happens we need to free it afterwards.
2013-02-22 | iptables: Free xtables entry when removing one entry from the table | Daniel Wagner | 1 | -2/+3
2013-02-18 | iptables: Cannot flush all rules without API to set them | Patrik Flykt | 1 | -10/+2
    Currently there exists no API where iptables rules can be set. The flush code does not touch the default chain policy at the moment. Any pre-existing iptables rules setting default policy to reject and relying on individual iptables rules allowing packets going through will prevent all IP communication. Removing all iptables rules on startup can expose the device to unwanted traffic as well. For the time being disable iptables flush on init. Please be careful with iptables rules and the masquerading ones ConnMan sets when tethering.
2013-02-12 | iptables: Update the hook entries correctly in iptables_delete_rule() | Daniel Wagner | 1 | -3/+8
    The builtin value is only valid in the chain head entry and not in any other entry. That means we need to lookup the head entry and use that builtin value (== hook id) and then update all references which follow that chain.
2013-02-12 | iptables: Test if match and target arguments are also the same | Daniel Wagner | 1 | -1/+21
    We need to verify that also the arguments are the same, e.g. if we have two rules like
        -t filter -A INPUT -m mark --mark 1 -j LOG
        -t filter -A INPUT -m mark --mark 2 -j LOG
    then the matcher and the target would be the same without looking at '1' or '2'. When deleting a rule, we would always remove the first rule which matches the 'match' type and target type, so let's have a look also at the arguments. iptables does it the same way.
2013-02-12 | iptables: Fix fallthrough rules | Daniel Wagner | 1 | -0/+21
2013-02-12 | iptables: Remove unused __connman_iptables_command() | Daniel Wagner | 1 | -462/+0
2013-02-12 | iptables: Add split out iptables commands | Daniel Wagner | 1 | -0/+511
    Instead of having a pure string based API, we add two new main functions, __connman_iptables_append() and __connman_iptables_remove(). The missing commands will be added later. To simplify the whole code, the __connman_iptables_command() code is refactored into smaller pieces: parse_rule_spec() calls a few functions such as clear_tables_flags() and parse_xt_modules() which should make the reading of the main parser loop simpler. Also added a few comments on the parser which is really tricky.
2013-02-12 | iptables: Flush 'filter' 'mangle' and 'nat' table | Daniel Wagner | 1 | -1/+60
    The implementation is ugly but there is not much we can do about it, the iptables API is being just plain stupid here.
2013-02-12 | iptables: Add CONNMAN_IPTABLES_DEBUG environment variable | Daniel Wagner | 1 | -30/+84
    If CONNMAN_IPTABLES_DEBUG is set, then print the table when it is loaded and print the table which will be written. Also use DBG() instead of connman_info().
2013-02-12 | iptables: Remove dependency on table in iterator_entries_cb_t | Daniel Wagner | 1 | -24/+14
    With removing the table argument the callback can now either iterate over the buffer we get from the kernel or the one we write to the kernel.
2013-02-12 | iptables: Do not pass table into dump_match() and dump_target() | Daniel Wagner | 1 | -8/+5
2013-02-12 | iptables: Get rid of the iterator macro | Daniel Wagner | 1 | -57/+60
    Instead implement the iterator loop directly. Since both dump_entry() and add_entry() have calculated 'builtin' and 'offset' let's pass them in as well. In the next step we are able to remove also the table argument which will allow us to unify the parsing of the table we get from IPT_SO_GET_ENTRIES and the table we will pass in to the kernel via IPT_SO_SET_REPLACE.
2013-02-12 | iptables: Clear global parser flags | Daniel Wagner | 1 | -0/+20
    That allows the parser to be reentrant.
2013-02-12 | iptables: Make string arguments const | Daniel Wagner | 1 | -23/+30
2013-02-12 | iptables: Add some documentation | Daniel Wagner | 1 | -0/+90
    These are some random notes but should give the next person to debug iptables some introduction.
2012-11-13 | iptables: A file descriptor cannot be a negative integer | Danny Jeongseok Seo | 1 | -1/+2
    When a socket() has failed and a negative file descriptor has been set, close() cannot accept a negative number as a parameter.
2012-10-15 | iptables: Ignore module loading error | Jukka Rissanen | 1 | -6/+7
    In iptables 1.4.9 module loading gives an error even if the module is built in. Ignore the loading errors because the missing iptables support is noticed when trying to get the iptables socket options.
2012-08-14 | iptables: Load table at the right places | Tomasz Bursztyka | 1 | -9/+27
    Using the -j/-m options without the -t one will segfault due to the table not being loaded beforehand.
2012-08-14 | iptables: Refactor default return code usage | Tomasz Bursztyka | 1 | -9/+7
2012-05-09 | iptables: Remove dead assignment | Henrique Dante de Almeida | 1 | -1/+1
2012-04-29 | core: Update copyright information | Marcel Holtmann | 1 | -1/+1
2012-02-13 | iptables: Mask address when parsing ip/prefixlen | Daniel Wagner | 1 | -0/+1
    Netfilter likes to have the address properly masked.
2012-02-13 | iptables: Fix rule insertion in a builtin chain | Tomasz Bursztyka | 1 | -1/+4
2012-02-13 | iptables: Parse also netmask for src/dst addresses | Daniel Wagner | 1 | -9/+38