* iptables doubt
@ 2006-04-26  7:09 varun
From: varun @ 2006-04-26  7:09 UTC (permalink / raw)
  To: netdev

Hi all,

I've been trying to understand the iptables kernel code and
basically how it functions. In doing so I have a few questions.

In the file ip_tables.c there is a call do_replace() which
is used as the entry point from sockopt.
That is, this gets called every time a user enters
policies from user space. Here the data is given to me in the form of
void __user *user.
This I am copying to kernel space and dereferencing into
ipt_replace and so on. Am I right?

The first question is that user space seems to send a size of 860
when trying to add the first policy. Does that mean that user space is
maintaining the offset of the policies added?
tmp.size shows as 768, which is (4 default policies x
sizeof(struct ipt_standard)) + sizeof(struct ipt_error).
Am I correct in this understanding? If so, why should user
space maintain the kernel policy offset?

Next, I added one extra field (int
num) in the struct ipt_entry_target. This is added after the unsigned
char data[0] field.
struct ipt_entry_target
{
       union {
               struct {
                       u_int16_t target_size;

                       /* Used by userspace */
                       char name[IPT_FUNCTION_MAXNAMELEN-1];

                       u_int8_t revision;
               } user;
               struct {
                       u_int16_t target_size;

                       /* Used inside the kernel */
                       struct ipt_target *target;
               } kernel;

               /* Total length */
               u_int16_t target_size;
       } u;

       unsigned char data[0];
       unsigned int uniqueId;  /*I added this*/
};

I am using this field to give a global id from my kernel to every
policy added, excluding the default ones added by the kernel. So if someone
calls iptables -F or iptables -t filter -D .... then this number
should not be assigned to the structure.
I want to know where the correct place is to add this value to the
structure without affecting the functionality.

I am also aware that making this change in the structure will result in a
segmentation fault in userspace. I'll handle it separately.
Can this be done? Please help me in this regard.

How can I know from the kernel structures if the policy is for -A or -D
or -F?
Varun
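The setsockopt payload the post is asking about is a fixed header (struct ipt_replace) followed by a run of variable-length entries, and the kernel's do_replace() copies the header first, checks that the length passed to setsockopt equals sizeof(header) plus the header's size field, then copies and walks the entries using each entry's own target_offset and next_offset. Every one of those offsets comes from user space, so the walk has to bounds-check each against the bytes that remain before using it to advance. The program below is an added example written for this page, not kernel code and not from the poster: the three structs are trimmed models whose field names mirror ipt_replace, ipt_entry and ipt_entry_target (the match fields, counters and hook tables are left out), the walker mirrors the shape of the kernel's offset checks rather than reproducing them, and the tables it walks are constructed in memory, one of them with a deliberately inflated next_offset.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FUNC_MAXNAMELEN 30   /* assumed: same value as IPT_FUNCTION_MAXNAMELEN */

/* Trimmed model of struct ipt_replace: only what the walker needs. */
struct tbl_hdr {
    uint32_t num_entries;   /* entries that follow the header */
    uint32_t size;          /* bytes of entries that follow the header */
};

/* Trimmed model of struct ipt_entry: match fields omitted, offsets kept. */
struct tbl_entry {
    uint16_t target_offset; /* from entry start to its target */
    uint16_t next_offset;   /* from entry start to the next entry */
    unsigned char elems[];  /* matches, then the target */
};

/* User-space view of struct ipt_entry_target, as in the post. */
struct tbl_target {
    uint16_t target_size;   /* header plus target-specific data */
    char name[FUNC_MAXNAMELEN - 1];
    uint8_t revision;
    unsigned char data[];   /* target-specific data, e.g. a verdict */
};

/* One entry with a 4-byte verdict in the target (standard-target shaped). */
#define ENTRY_LEN (sizeof(struct tbl_entry) + sizeof(struct tbl_target) + sizeof(int32_t))

enum tbl_status { TBL_OK = 0, TBL_SHORT, TBL_SIZE_MISMATCH, TBL_BAD_ENTRY, TBL_OVERRUN, TBL_COUNT };

/* Walk a blob the way the kernel walks entries copied in from user space:
 * every offset is untrusted and is checked against the bytes left before use. */
enum tbl_status walk_table(const unsigned char *blob, size_t blob_len, unsigned *entries_seen)
{
    struct tbl_hdr h;
    if (blob_len < sizeof h) return TBL_SHORT;
    memcpy(&h, blob, sizeof h);
    if (h.size != blob_len - sizeof h) return TBL_SIZE_MISMATCH;  /* header must match what followed */

    const unsigned char *p = blob + sizeof h;
    size_t left = h.size;
    unsigned n = 0;
    while (left > 0) {
        struct tbl_entry e;
        struct tbl_target t;
        if (left < sizeof e) return TBL_OVERRUN;
        memcpy(&e, p, sizeof e);
        /* target must start after the entry header and leave room for a target header */
        if (e.target_offset < sizeof e || (size_t)e.target_offset + sizeof t > e.next_offset)
            return TBL_BAD_ENTRY;
        /* entry must not claim bytes beyond the end of the table */
        if (e.next_offset > left) return TBL_OVERRUN;
        memcpy(&t, p + e.target_offset, sizeof t);
        /* target must lie inside the entry that owns it */
        if (t.target_size < sizeof t || (size_t)e.target_offset + t.target_size > e.next_offset)
            return TBL_BAD_ENTRY;
        p += e.next_offset;
        left -= e.next_offset;
        n++;
    }
    if (entries_seen) *entries_seen = n;
    return n == h.num_entries ? TBL_OK : TBL_COUNT;
}

/* Append one entry whose target carries a 4-byte verdict; returns bytes written. */
static size_t put_entry(unsigned char *dst, const char *name, int32_t verdict)
{
    struct tbl_entry e = { .target_offset = sizeof e, .next_offset = (uint16_t)ENTRY_LEN };
    struct tbl_target t = { .target_size = (uint16_t)(sizeof t + sizeof verdict), .revision = 0 };
    strncpy(t.name, name, sizeof t.name - 1);
    memcpy(dst, &e, sizeof e);
    memcpy(dst + sizeof e, &t, sizeof t);
    memcpy(dst + sizeof e + sizeof t, &verdict, sizeof verdict);
    return e.next_offset;
}

/* Build header + n entries into buf (constructed input). With corrupt set, the last
 * entry's next_offset is inflated so it claims to run 64 bytes past the table. */
size_t build_table(unsigned char *buf, size_t cap, unsigned n, int corrupt)
{
    size_t off = sizeof(struct tbl_hdr), last = 0;
    for (unsigned i = 0; i < n; i++) {
        if (off + ENTRY_LEN > cap) return 0;
        last = off;
        off += put_entry(buf + off, "standard", -2 /* illustrative verdict value */);
    }
    if (corrupt && n) {
        struct tbl_entry e;
        memcpy(&e, buf + last, sizeof e);
        e.next_offset = (uint16_t)(ENTRY_LEN + 64);
        memcpy(buf + last, &e, sizeof e);
    }
    struct tbl_hdr h = { .num_entries = n, .size = (uint32_t)(off - sizeof h) };
    memcpy(buf, &h, sizeof h);
    return off;
}

/* Scenarios; each returns 1 when the walker behaves as intended. */
int demo_well_formed(void)
{
    unsigned char buf[512]; unsigned seen = 0;
    size_t len = build_table(buf, sizeof buf, 4, 0);
    return len == sizeof(struct tbl_hdr) + 4 * ENTRY_LEN && walk_table(buf, len, &seen) == TBL_OK && seen == 4;
}
int demo_overrun(void)   /* last entry lies about its length */
{
    unsigned char buf[512];
    size_t len = build_table(buf, sizeof buf, 4, 1);
    return walk_table(buf, len, NULL) == TBL_OVERRUN;
}
int demo_truncated(void) /* caller passed fewer bytes than the header promises */
{
    unsigned char buf[512];
    size_t len = build_table(buf, sizeof buf, 4, 0);
    return walk_table(buf, len - 8, NULL) == TBL_SIZE_MISMATCH;
}
int demo_count_lie(void) /* header claims more entries than are present */
{
    unsigned char buf[512];
    size_t len = build_table(buf, sizeof buf, 3, 0);
    struct tbl_hdr h; memcpy(&h, buf, sizeof h); h.num_entries = 4; memcpy(buf, &h, sizeof h);
    return walk_table(buf, len, NULL) == TBL_COUNT;
}

int main(void)
{
    printf("well-formed: %d, overrun: %d, truncated: %d, count lie: %d\n",
           demo_well_formed(), demo_overrun(), demo_truncated(), demo_count_lie());
    return 0;
}
```

The point of the walk is that the kernel never trusts an entry to describe its own extent: next_offset is compared with the bytes remaining, and target_size with the entry that owns the target, before either is used. Any field appended to the target header, like the uniqueId in the post, has to be accounted for in target_size and in every offset user space computes, which is why the sizes seen in do_replace() change as soon as the structure does.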
