Ana Sayfa Keşfet Yardım
Giriş Yap
SoftwareDesign
/
csu3_am335x
8
0
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Dal: master
Dallar Biçim İmleri
csu3_am335x
/
EVSE
/
GPL
/
iptables-1.4.18
/
libiptc
/
libip6tc.c

libip6tc.c 13 KB
Kalıcı Bağlantı Geçmiş Ham

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436 
  1. /* Library which manipulates firewall rules.  Version 0.1. */
    2. 

  2. 

  3. /* Architecture of firewall rules is as follows:
    4. 

  4.  *
    5. 

  5.  * Chains go INPUT, FORWARD, OUTPUT then user chains.
    6. 

  6.  * Each user chain starts with an ERROR node.
    7. 

  7.  * Every chain ends with an unconditional jump: a RETURN for user chains,
    8. 

  8.  * and a POLICY for built-ins.
    9. 

  9.  */
    10. 

  10. 

  11. /* (C)1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
    12. 

  12.    COPYING for details). */
    13. 

  13. 

  14. #include <assert.h>
    15. 

  15. #include <string.h>
    16. 

  16. #include <errno.h>
    17. 

  17. #include <stdlib.h>
    18. 

  18. #include <stdio.h>
    19. 

  19. #include <unistd.h>
    20. 

  20. #include <arpa/inet.h>
    21. 

  21. 

  22. #ifdef DEBUG_CONNTRACK
    23. 

  23. #define inline
    24. 

  24. #endif
    25. 

  25. 

  26. #if !defined(__GLIBC__) || (__GLIBC__ < 2)
    27. 

  27. typedef unsigned int socklen_t;
    28. 

  28. #endif
    29. 

  29. 

  30. #include "libiptc/libip6tc.h"
    31. 

  31. 

  32. #define HOOK_PRE_ROUTING	NF_IP6_PRE_ROUTING
    33. 

  33. #define HOOK_LOCAL_IN		NF_IP6_LOCAL_IN
    34. 

  34. #define HOOK_FORWARD		NF_IP6_FORWARD
    35. 

  35. #define HOOK_LOCAL_OUT		NF_IP6_LOCAL_OUT
    36. 

  36. #define HOOK_POST_ROUTING	NF_IP6_POST_ROUTING
    37. 

  37. 

  38. #define STRUCT_ENTRY_TARGET	struct xt_entry_target
    39. 

  39. #define STRUCT_ENTRY		struct ip6t_entry
    40. 

  40. #define STRUCT_ENTRY_MATCH	struct xt_entry_match
    41. 

  41. #define STRUCT_GETINFO		struct ip6t_getinfo
    42. 

  42. #define STRUCT_GET_ENTRIES	struct ip6t_get_entries
    43. 

  43. #define STRUCT_COUNTERS		struct xt_counters
    44. 

  44. #define STRUCT_COUNTERS_INFO	struct xt_counters_info
    45. 

  45. #define STRUCT_STANDARD_TARGET	struct xt_standard_target
    46. 

  46. #define STRUCT_REPLACE		struct ip6t_replace
    47. 

  47. 

  48. #define ENTRY_ITERATE		IP6T_ENTRY_ITERATE
    49. 

  49. #define TABLE_MAXNAMELEN	XT_TABLE_MAXNAMELEN
    50. 

  50. #define FUNCTION_MAXNAMELEN	XT_FUNCTION_MAXNAMELEN
    51. 

  51. 

  52. #define GET_TARGET		ip6t_get_target
    53. 

  53. 

  54. #define ERROR_TARGET		XT_ERROR_TARGET
    55. 

  55. #define NUMHOOKS		NF_IP6_NUMHOOKS
    56. 

  56. 

  57. #define IPT_CHAINLABEL		xt_chainlabel
    58. 

  58. 

  59. #define TC_DUMP_ENTRIES		dump_entries6
    60. 

  60. #define TC_IS_CHAIN		ip6tc_is_chain
    61. 

  61. #define TC_FIRST_CHAIN		ip6tc_first_chain
    62. 

  62. #define TC_NEXT_CHAIN		ip6tc_next_chain
    63. 

  63. #define TC_FIRST_RULE		ip6tc_first_rule
    64. 

  64. #define TC_NEXT_RULE		ip6tc_next_rule
    65. 

  65. #define TC_GET_TARGET		ip6tc_get_target
    66. 

  66. #define TC_BUILTIN		ip6tc_builtin
    67. 

  67. #define TC_GET_POLICY		ip6tc_get_policy
    68. 

  68. #define TC_INSERT_ENTRY		ip6tc_insert_entry
    69. 

  69. #define TC_REPLACE_ENTRY	ip6tc_replace_entry
    70. 

  70. #define TC_APPEND_ENTRY		ip6tc_append_entry
    71. 

  71. #define TC_CHECK_ENTRY		ip6tc_check_entry
    72. 

  72. #define TC_DELETE_ENTRY		ip6tc_delete_entry
    73. 

  73. #define TC_DELETE_NUM_ENTRY	ip6tc_delete_num_entry
    74. 

  74. #define TC_FLUSH_ENTRIES	ip6tc_flush_entries
    75. 

  75. #define TC_ZERO_ENTRIES		ip6tc_zero_entries
    76. 

  76. #define TC_ZERO_COUNTER		ip6tc_zero_counter
    77. 

  77. #define TC_READ_COUNTER		ip6tc_read_counter
    78. 

  78. #define TC_SET_COUNTER		ip6tc_set_counter
    79. 

  79. #define TC_CREATE_CHAIN		ip6tc_create_chain
    80. 

  80. #define TC_GET_REFERENCES	ip6tc_get_references
    81. 

  81. #define TC_DELETE_CHAIN		ip6tc_delete_chain
    82. 

  82. #define TC_RENAME_CHAIN		ip6tc_rename_chain
    83. 

  83. #define TC_SET_POLICY		ip6tc_set_policy
    84. 

  84. #define TC_GET_RAW_SOCKET	ip6tc_get_raw_socket
    85. 

  85. #define TC_INIT			ip6tc_init
    86. 

  86. #define TC_FREE			ip6tc_free
    87. 

  87. #define TC_COMMIT		ip6tc_commit
    88. 

  88. #define TC_STRERROR		ip6tc_strerror
    89. 

  89. #define TC_NUM_RULES		ip6tc_num_rules
    90. 

  90. #define TC_GET_RULE		ip6tc_get_rule
    91. 

  91. #define TC_OPS			ip6tc_ops
    92. 

  92. 

  93. #define TC_AF			AF_INET6
    94. 

  94. #define TC_IPPROTO		IPPROTO_IPV6
    95. 

  95. 

  96. #define SO_SET_REPLACE		IP6T_SO_SET_REPLACE
    97. 

  97. #define SO_SET_ADD_COUNTERS	IP6T_SO_SET_ADD_COUNTERS
    98. 

  98. #define SO_GET_INFO		IP6T_SO_GET_INFO
    99. 

  99. #define SO_GET_ENTRIES		IP6T_SO_GET_ENTRIES
    100. 

  100. #define SO_GET_VERSION		IP6T_SO_GET_VERSION
    101. 

  101. 

  102. #define STANDARD_TARGET		XT_STANDARD_TARGET
    103. 

  103. #define LABEL_RETURN		IP6TC_LABEL_RETURN
    104. 

  104. #define LABEL_ACCEPT		IP6TC_LABEL_ACCEPT
    105. 

  105. #define LABEL_DROP		IP6TC_LABEL_DROP
    106. 

  106. #define LABEL_QUEUE		IP6TC_LABEL_QUEUE
    107. 

  107. 

  108. #define ALIGN			XT_ALIGN
    109. 

  109. #define RETURN			XT_RETURN
    110. 

  110. 

  111. #include "libiptc.c"
    112. 

  112. 

  113. #define BIT6(a, l) \
    114. 

  114.  ((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
    115. 

  115. 

  116. int
    117. 

  117. ipv6_prefix_length(const struct in6_addr *a)
    118. 

  118. {
    119. 

  119. 	int l, i;
    120. 

  120. 	for (l = 0; l < 128; l++) {
    121. 

  121. 		if (BIT6(a, l) == 0)
    122. 

  122. 			break;
    123. 

  123. 	}
    124. 

  124. 	for (i = l + 1; i < 128; i++) {
    125. 

  125. 		if (BIT6(a, i) == 1)
    126. 

  126. 			return -1;
    127. 

  127. 	}
    128. 

  128. 	return l;
    129. 

  129. }
    130. 

  130. 

  131. static int
    132. 

  132. dump_entry(struct ip6t_entry *e, struct xtc_handle *const handle)
    133. 

  133. {
    134. 

  134. 	size_t i;
    135. 

  135. 	char buf[40];
    136. 

  136. 	int len;
    137. 

  137. 	struct xt_entry_target *t;
    138. 

  138. 	
    139. 

  139. 	printf("Entry %u (%lu):\n", iptcb_entry2index(handle, e),
    140. 

  140. 	       iptcb_entry2offset(handle, e));
    141. 

  141. 	puts("SRC IP: ");
    142. 

  142. 	inet_ntop(AF_INET6, &e->ipv6.src, buf, sizeof buf);
    143. 

  143. 	puts(buf);
    144. 

  144. 	putchar('/');
    145. 

  145. 	len = ipv6_prefix_length(&e->ipv6.smsk);
    146. 

  146. 	if (len != -1)
    147. 

  147. 		printf("%d", len);
    148. 

  148. 	else {
    149. 

  149. 		inet_ntop(AF_INET6, &e->ipv6.smsk, buf, sizeof buf);
    150. 

  150. 		puts(buf);
    151. 

  151. 	}
    152. 

  152. 	putchar('\n');
    153. 

  153. 	
    154. 

  154. 	puts("DST IP: ");
    155. 

  155. 	inet_ntop(AF_INET6, &e->ipv6.dst, buf, sizeof buf);
    156. 

  156. 	puts(buf);
    157. 

  157. 	putchar('/');
    158. 

  158. 	len = ipv6_prefix_length(&e->ipv6.dmsk);
    159. 

  159. 	if (len != -1)
    160. 

  160. 		printf("%d", len);
    161. 

  161. 	else {
    162. 

  162. 		inet_ntop(AF_INET6, &e->ipv6.dmsk, buf, sizeof buf);
    163. 

  163. 		puts(buf);
    164. 

  164. 	}
    165. 

  165. 	putchar('\n');
    166. 

  166. 	
    167. 

  167. 	printf("Interface: `%s'/", e->ipv6.iniface);
    168. 

  168. 	for (i = 0; i < IFNAMSIZ; i++)
    169. 

  169. 		printf("%c", e->ipv6.iniface_mask[i] ? 'X' : '.');
    170. 

  170. 	printf("to `%s'/", e->ipv6.outiface);
    171. 

  171. 	for (i = 0; i < IFNAMSIZ; i++)
    172. 

  172. 		printf("%c", e->ipv6.outiface_mask[i] ? 'X' : '.');
    173. 

  173. 	printf("\nProtocol: %u\n", e->ipv6.proto);
    174. 

  174. 	if (e->ipv6.flags & IP6T_F_TOS)
    175. 

  175. 		printf("TOS: %u\n", e->ipv6.tos);
    176. 

  176. 	printf("Flags: %02X\n", e->ipv6.flags);
    177. 

  177. 	printf("Invflags: %02X\n", e->ipv6.invflags);
    178. 

  178. 	printf("Counters: %llu packets, %llu bytes\n",
    179. 

  179. 	       (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
    180. 

  180. 	printf("Cache: %08X\n", e->nfcache);
    181. 

  181. 	
    182. 

  182. 	IP6T_MATCH_ITERATE(e, print_match);
    183. 

  183. 

  184. 	t = ip6t_get_target(e);
    185. 

  185. 	printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size);
    186. 

  186. 	if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
    187. 

  187. 		const unsigned char *data = t->data;
    188. 

  188. 		int pos = *(const int *)data;
    189. 

  189. 		if (pos < 0)
    190. 

  190. 			printf("verdict=%s\n",
    191. 

  191. 			       pos == -NF_ACCEPT-1 ? "NF_ACCEPT"
    192. 

  192. 			       : pos == -NF_DROP-1 ? "NF_DROP"
    193. 

  193. 			       : pos == XT_RETURN ? "RETURN"
    194. 

  194. 			       : "UNKNOWN");
    195. 

  195. 		else
    196. 

  196. 			printf("verdict=%u\n", pos);
    197. 

  197. 	} else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0)
    198. 

  198. 		printf("error=`%s'\n", t->data);
    199. 

  199. 

  200. 	printf("\n");
    201. 

  201. 	return 0;
    202. 

  202. }
    203. 

  203. 

  204. static unsigned char *
    205. 

  205. is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b,
    206. 

  206. 	unsigned char *matchmask)
    207. 

  207. {
    208. 

  208. 	unsigned int i;
    209. 

  209. 	unsigned char *mptr;
    210. 

  210. 

  211. 	/* Always compare head structures: ignore mask here. */
    212. 

  212. 	if (memcmp(&a->ipv6.src, &b->ipv6.src, sizeof(struct in6_addr))
    213. 

  213. 	    || memcmp(&a->ipv6.dst, &b->ipv6.dst, sizeof(struct in6_addr))
    214. 

  214. 	    || memcmp(&a->ipv6.smsk, &b->ipv6.smsk, sizeof(struct in6_addr))
    215. 

  215. 	    || memcmp(&a->ipv6.dmsk, &b->ipv6.dmsk, sizeof(struct in6_addr))
    216. 

  216. 	    || a->ipv6.proto != b->ipv6.proto
    217. 

  217. 	    || a->ipv6.tos != b->ipv6.tos
    218. 

  218. 	    || a->ipv6.flags != b->ipv6.flags
    219. 

  219. 	    || a->ipv6.invflags != b->ipv6.invflags)
    220. 

  220. 		return NULL;
    221. 

  221. 

  222. 	for (i = 0; i < IFNAMSIZ; i++) {
    223. 

  223. 		if (a->ipv6.iniface_mask[i] != b->ipv6.iniface_mask[i])
    224. 

  224. 			return NULL;
    225. 

  225. 		if ((a->ipv6.iniface[i] & a->ipv6.iniface_mask[i])
    226. 

  226. 		    != (b->ipv6.iniface[i] & b->ipv6.iniface_mask[i]))
    227. 

  227. 			return NULL;
    228. 

  228. 		if (a->ipv6.outiface_mask[i] != b->ipv6.outiface_mask[i])
    229. 

  229. 			return NULL;
    230. 

  230. 		if ((a->ipv6.outiface[i] & a->ipv6.outiface_mask[i])
    231. 

  231. 		    != (b->ipv6.outiface[i] & b->ipv6.outiface_mask[i]))
    232. 

  232. 			return NULL;
    233. 

  233. 	}
    234. 

  234. 

  235. 	if (a->target_offset != b->target_offset
    236. 

  236. 	    || a->next_offset != b->next_offset)
    237. 

  237. 		return NULL;
    238. 

  238. 

  239. 	mptr = matchmask + sizeof(STRUCT_ENTRY);
    240. 

  240. 	if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
    241. 

  241. 		return NULL;
    242. 

  242. 	mptr += XT_ALIGN(sizeof(struct xt_entry_target));
    243. 

  243. 

  244. 	return mptr;
    245. 

  245. }
    246. 

  246. 

  247. /* All zeroes == unconditional rule. */
    248. 

  248. static inline int
    249. 

  249. unconditional(const struct ip6t_ip6 *ipv6)
    250. 

  250. {
    251. 

  251. 	unsigned int i;
    252. 

  252. 

  253. 	for (i = 0; i < sizeof(*ipv6); i++)
    254. 

  254. 		if (((char *)ipv6)[i])
    255. 

  255. 			break;
    256. 

  256. 

  257. 	return (i == sizeof(*ipv6));
    258. 

  258. }
    259. 

  259. 

  260. #ifdef IPTC_DEBUG
    261. 

  261. /* Do every conceivable sanity check on the handle */
    262. 

  262. static void
    263. 

  263. do_check(struct xtc_handle *h, unsigned int line)
    264. 

  264. {
    265. 

  265. 	unsigned int i, n;
    266. 

  266. 	unsigned int user_offset; /* Offset of first user chain */
    267. 

  267. 	int was_return;
    268. 

  268. 

  269. 	assert(h->changed == 0 || h->changed == 1);
    270. 

  270. 	if (strcmp(h->info.name, "filter") == 0) {
    271. 

  271. 		assert(h->info.valid_hooks
    272. 

  272. 		       == (1 << NF_IP6_LOCAL_IN
    273. 

  273. 			   | 1 << NF_IP6_FORWARD
    274. 

  274. 			   | 1 << NF_IP6_LOCAL_OUT));
    275. 

  275. 

  276. 		/* Hooks should be first three */
    277. 

  277. 		assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == 0);
    278. 

  278. 

  279. 		n = get_chain_end(h, 0);
    280. 

  280. 		n += get_entry(h, n)->next_offset;
    281. 

  281. 		assert(h->info.hook_entry[NF_IP6_FORWARD] == n);
    282. 

  282. 

  283. 		n = get_chain_end(h, n);
    284. 

  284. 		n += get_entry(h, n)->next_offset;
    285. 

  285. 		assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
    286. 

  286. 

  287. 		user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
    288. 

  288. 	} else if (strcmp(h->info.name, "nat") == 0) {
    289. 

  289. 		assert((h->info.valid_hooks
    290. 

  290. 			== (1 << NF_IP6_PRE_ROUTING
    291. 

  291. 			    | 1 << NF_IP6_LOCAL_OUT
    292. 

  292. 			    | 1 << NF_IP6_POST_ROUTING)) ||
    293. 

  293. 		       (h->info.valid_hooks
    294. 

  294. 			== (1 << NF_IP6_PRE_ROUTING
    295. 

  295. 			    | 1 << NF_IP6_LOCAL_IN
    296. 

  296. 			    | 1 << NF_IP6_LOCAL_OUT
    297. 

  297. 			    | 1 << NF_IP6_POST_ROUTING)));
    298. 

  298. 

  299. 		assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
    300. 

  300. 

  301. 		n = get_chain_end(h, 0);
    302. 

  302. 

  303. 		n += get_entry(h, n)->next_offset;
    304. 

  304. 		assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
    305. 

  305. 		n = get_chain_end(h, n);
    306. 

  306. 

  307. 		n += get_entry(h, n)->next_offset;
    308. 

  308. 		assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
    309. 

  309. 		user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
    310. 

  310. 

  311. 		if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) {
    312. 

  312. 			n = get_chain_end(h, n);
    313. 

  313. 			n += get_entry(h, n)->next_offset;
    314. 

  314. 			assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
    315. 

  315. 			user_offset = h->info.hook_entry[NF_IP6_LOCAL_IN];
    316. 

  316. 		}
    317. 

  317. 

  318. 	} else if (strcmp(h->info.name, "mangle") == 0) {
    319. 

  319. 		/* This code is getting ugly because linux < 2.4.18-pre6 had
    320. 

  320. 		 * two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
    321. 

  321. 		 * */
    322. 

  322. 		assert((h->info.valid_hooks
    323. 

  323. 			== (1 << NF_IP6_PRE_ROUTING
    324. 

  324. 			    | 1 << NF_IP6_LOCAL_OUT)) ||
    325. 

  325. 		       (h->info.valid_hooks
    326. 

  326. 			== (1 << NF_IP6_PRE_ROUTING
    327. 

  327. 			    | 1 << NF_IP6_LOCAL_IN
    328. 

  328. 			    | 1 << NF_IP6_FORWARD
    329. 

  329. 			    | 1 << NF_IP6_LOCAL_OUT
    330. 

  330. 			    | 1 << NF_IP6_POST_ROUTING)));
    331. 

  331. 

  332. 		/* Hooks should be first five */
    333. 

  333. 		assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
    334. 

  334. 

  335. 		n = get_chain_end(h, 0);
    336. 

  336. 

  337. 		if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) {
    338. 

  338. 			n += get_entry(h, n)->next_offset;
    339. 

  339. 			assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
    340. 

  340. 			n = get_chain_end(h, n);
    341. 

  341. 		}
    342. 

  342. 

  343. 		if (h->info.valid_hooks & (1 << NF_IP6_FORWARD)) {
    344. 

  344. 			n += get_entry(h, n)->next_offset;
    345. 

  345. 			assert(h->info.hook_entry[NF_IP6_FORWARD] == n);
    346. 

  346. 			n = get_chain_end(h, n);
    347. 

  347. 		}
    348. 

  348. 

  349. 		n += get_entry(h, n)->next_offset;
    350. 

  350. 		assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
    351. 

  351. 		user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
    352. 

  352. 

  353. 		if (h->info.valid_hooks & (1 << NF_IP6_POST_ROUTING)) {
    354. 

  354. 			n = get_chain_end(h, n);
    355. 

  355. 			n += get_entry(h, n)->next_offset;
    356. 

  356. 			assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
    357. 

  357. 			user_offset = h->info.hook_entry[NF_IP6_POST_ROUTING];
    358. 

  358. 		}
    359. 

  359. 	} else if (strcmp(h->info.name, "raw") == 0) {
    360. 

  360. 		assert(h->info.valid_hooks
    361. 

  361. 		       == (1 << NF_IP6_PRE_ROUTING
    362. 

  362. 			   | 1 << NF_IP6_LOCAL_OUT));
    363. 

  363. 

  364. 		/* Hooks should be first three */
    365. 

  365. 		assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
    366. 

  366. 

  367. 		n = get_chain_end(h, n);
    368. 

  368. 		n += get_entry(h, n)->next_offset;
    369. 

  369. 		assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
    370. 

  370. 

  371. 		user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
    372. 

  372. 	} else {
    373. 

  373.                 fprintf(stderr, "Unknown table `%s'\n", h->info.name);
    374. 

  374. 		abort();
    375. 

  375. 	}
    376. 

  376. 

  377. 	/* User chain == end of last builtin + policy entry */
    378. 

  378. 	user_offset = get_chain_end(h, user_offset);
    379. 

  379. 	user_offset += get_entry(h, user_offset)->next_offset;
    380. 

  380. 

  381. 	/* Overflows should be end of entry chains, and unconditional
    382. 

  382.            policy nodes. */
    383. 

  383. 	for (i = 0; i < NUMHOOKS; i++) {
    384. 

  384. 		STRUCT_ENTRY *e;
    385. 

  385. 		STRUCT_STANDARD_TARGET *t;
    386. 

  386. 

  387. 		if (!(h->info.valid_hooks & (1 << i)))
    388. 

  388. 			continue;
    389. 

  389. 		assert(h->info.underflow[i]
    390. 

  390. 		       == get_chain_end(h, h->info.hook_entry[i]));
    391. 

  391. 

  392. 		e = get_entry(h, get_chain_end(h, h->info.hook_entry[i]));
    393. 

  393. 		assert(unconditional(&e->ipv6));
    394. 

  394. 		assert(e->target_offset == sizeof(*e));
    395. 

  395. 		t = (STRUCT_STANDARD_TARGET *)GET_TARGET(e);
    396. 

  396. 		printf("target_size=%u, align=%u\n",
    397. 

  397. 			t->target.u.target_size, ALIGN(sizeof(*t)));
    398. 

  398. 		assert(t->target.u.target_size == ALIGN(sizeof(*t)));
    399. 

  399. 		assert(e->next_offset == sizeof(*e) + ALIGN(sizeof(*t)));
    400. 

  400. 

  401. 		assert(strcmp(t->target.u.user.name, STANDARD_TARGET)==0);
    402. 

  402. 		assert(t->verdict == -NF_DROP-1 || t->verdict == -NF_ACCEPT-1);
    403. 

  403. 

  404. 		/* Hooks and underflows must be valid entries */
    405. 

  405. 		iptcb_entry2index(h, get_entry(h, h->info.hook_entry[i]));
    406. 

  406. 		iptcb_entry2index(h, get_entry(h, h->info.underflow[i]));
    407. 

  407. 	}
    408. 

  408. 

  409. 	assert(h->info.size
    410. 

  410. 	       >= h->info.num_entries * (sizeof(STRUCT_ENTRY)
    411. 

  411. 					 +sizeof(STRUCT_STANDARD_TARGET)));
    412. 

  412. 

  413. 	assert(h->entries.size
    414. 

  414. 	       >= (h->new_number
    415. 

  415. 		   * (sizeof(STRUCT_ENTRY)
    416. 

  416. 		      + sizeof(STRUCT_STANDARD_TARGET))));
    417. 

  417. 	assert(strcmp(h->info.name, h->entries.name) == 0);
    418. 

  418. 

  419. 	i = 0; n = 0;
    420. 

  420. 	was_return = 0;
    421. 

  421. 

  422. #if 0
    423. 

  423. 	/* Check all the entries. */
    424. 

  424. 	ENTRY_ITERATE(h->entries.entrytable, h->entries.size,
    425. 

  425. 		      check_entry, &i, &n, user_offset, &was_return, h);
    426. 

  426. 

  427. 	assert(i == h->new_number);
    428. 

  428. 	assert(n == h->entries.size);
    429. 

  429. 

  430. 	/* Final entry must be error node */
    431. 

  431. 	assert(strcmp(GET_TARGET(index2entry(h, h->new_number-1))
    432. 

  432. 		      ->u.user.name,
    433. 

  433. 		      ERROR_TARGET) == 0);
    434. 

  434. #endif
    435. 

  435. }
    436. 

  436. #endif /*IPTC_DEBUG*/
    437.