C code rule modifying

C code rule modifying

[Charles Romestant]

Hello, anyone happen to have some C sample code to modify existing
ruleset, can t seem to get it to work with
popen ( get segfault) even running as root.

Thank you

Charles

Re: C code rule modifying

[Jan Engelhardt]

On Tuesday 2008-04-22 00:05, Charles Romestant wrote:

>Hello, anyone happen to have some C sample code to modify existing
>ruleset, can t seem to get it to work with
>popen ( get segfault) even running as root.

Uh, if you get a segfault with a simple popen, there's likely
a bug in your code. (Suggestion to post the offending lines.)

Re: C code rule modifying

[Charles Romestant]

Ok im trying to add the rule to a table named charz, here is the code :

char *command;
        FILE *fp = popen("/sbin/iptables",'w');
        if (fp==NULL){
        printf("\nerror opening pipe\n");
        return -1;
        }else{
        sprintf(command,"-A charz -p tcp --dport %s --source %s -j
%s\0",port,currentIp,action2);
        printf("\n\n\n%s\n\n\n",command);
        fwrite(command,strlen(command),1,fp);
        pclose(fp);


that is all...
commenting out the popen code and just printing command gives out
folowing output:

-A charz -p tcp --dport 22 --source 10.0.1.197 -j ACCEPT


thank you for your answer

ps: this is just a sample of the code, since there are pcap modules
and crypto modules also.
On Tue, Apr 22, 2008 at 6:12 PM, Jan Engelhardt <jengelh@computergmbh.de> wrote:
>
>  On Tuesday 2008-04-22 00:05, Charles Romestant wrote:
>
>  >Hello, anyone happen to have some C sample code to modify existing
>  >ruleset, can t seem to get it to work with
>  >popen ( get segfault) even running as root.
>
>  Uh, if you get a segfault with a simple popen, there's likely
>  a bug in your code. (Suggestion to post the offending lines.)
>



-- 
Charz

Re: C code rule modifying

[Philip Craig]

Charles Romestant wrote:
> Ok im trying to add the rule to a table named charz, here is the code :
> 
> char *command;
>         FILE *fp = popen("/sbin/iptables",'w');

That should be "w" (a string, not a char).

>         if (fp==NULL){
>         printf("\nerror opening pipe\n");
>         return -1;
>         }else{
>         sprintf(command,"-A charz -p tcp --dport %s --source %s -j
> %s\0",port,currentIp,action2);
>         printf("\n\n\n%s\n\n\n",command);
>         fwrite(command,strlen(command),1,fp);
>         pclose(fp);

If that still doesn't fix it then use valgrind to find the
exact line number.

Re: C code rule modifying

[Ming-Ching Tiew]

Charles Romestant wrote:
> Ok im trying to add the rule to a table named charz, here is the code
> : 
> 
> char *command;
>         FILE *fp = popen("/sbin/iptables",'w');
>         if (fp==NULL){
>         printf("\nerror opening pipe\n");
>         return -1;
>         }else{
>         sprintf(command,"-A charz -p tcp --dport %s --source %s -j
> %s\0",port,currentIp,action2);
>         printf("\n\n\n%s\n\n\n",command);
>         fwrite(command,strlen(command),1,fp);
>         pclose(fp);
> 
> 

Oh my, this is not netfilter at all ! Please post it to C programming
for beginners please ! There are quite a few bugs in these few lines,
the compiler would already have warned you !

Re: C code rule modifying

[Charles M. Romestant F.]

Actually no compile errors whatsoever.  Not at computer at the momment  
so can't  try the character w.
Ming original email was for advice on how to change the rules, it did  
spin off to a debug my code post,I apologize. Thank you all for the help

Sent from my iPhone.

On Apr 21, 2008, at 20:46, "Ming-Ching Tiew"  
<mingching.tiew@redtone.com> wrote:

> Charles Romestant wrote:
>> Ok im trying to add the rule to a table named charz, here is the code
>> :
>>
>> char *command;
>>        FILE *fp = popen("/sbin/iptables",'w');
>>        if (fp==NULL){
>>        printf("\nerror opening pipe\n");
>>        return -1;
>>        }else{
>>        sprintf(command,"-A charz -p tcp --dport %s --source %s -j
>> %s\0",port,currentIp,action2);
>>        printf("\n\n\n%s\n\n\n",command);
>>        fwrite(command,strlen(command),1,fp);
>>        pclose(fp);
>>
>>
>
> Oh my, this is not netfilter at all ! Please post it to C programming
> for beginners please ! There are quite a few bugs in these few lines,
> the compiler would already have warned you !
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter"  
> in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: C code rule modifying

[Bernd Petrovitsch]

On Mon, 2008-04-21 at 21:03 -0430, Charles M. Romestant F. wrote:
> Actually no compile errors whatsoever.  Not at computer at the momment 

add at least "-Wall -Wextra -Werror" to the gcc-command line and fix the
found errors.
Caveat emptor: if your gcc doesn't understand "-Wextra", try to get a
more current one.
[...]

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services

Re: C code rule modifying

[Charles Romestant]

thanks all, got it to work

On Tue, Apr 22, 2008 at 4:48 AM, Bernd Petrovitsch <bernd@firmix.at> wrote:
> On Mon, 2008-04-21 at 21:03 -0430, Charles M. Romestant F. wrote:
>  > Actually no compile errors whatsoever.  Not at computer at the momment
>
>  add at least "-Wall -Wextra -Werror" to the gcc-command line and fix the
>  found errors.
>  Caveat emptor: if your gcc doesn't understand "-Wextra", try to get a
>  more current one.
>  [...]
>
>         Bernd
>  --
>  Firmix Software GmbH                   http://www.firmix.at/
>  mobil: +43 664 4416156                 fax: +43 1 7890849-55
>           Embedded Linux Development and Services
>
>
>



-- 
Charz

Re: C code rule modifying

[Покотиленко Костик]

В Вто, 22/04/2008 в 18:43 +0000, Charles Romestant пишет:
> Ok im trying to add the rule to a table named charz, here is the code :
> 
> char *command;

This is first segfault, change to this:

char command[1024];

>         FILE *fp = popen("/sbin/iptables",'w');
>         if (fp==NULL){
>         printf("\nerror opening pipe\n");
>         return -1;
>         }else{
>         sprintf(command,"-A charz -p tcp --dport %s --source %s -j
> %s\0",port,currentIp,action2);
>         printf("\n\n\n%s\n\n\n",command);
>         fwrite(command,strlen(command),1,fp);
>         pclose(fp);

-- 
Покотиленко Костик <casper@meteor.dp.ua>

Re: C code rule modifying

[Jan Engelhardt]

On Tuesday 2008-04-22 01:13, Charles Romestant wrote:
>Ok im trying to add the rule to a table named charz, here is the code :
>
>char *command;
>        FILE *fp = popen("/sbin/iptables",'w');
>        if (fp==NULL){
>        printf("\nerror opening pipe\n");
>        return -1;
>        }else{
>        sprintf(command,"-A charz -p tcp --dport %s --source %s -j
>%s\0",port,currentIp,action2);
>        printf("\n\n\n%s\n\n\n",command);
>        fwrite(command,strlen(command),1,fp);
>        pclose(fp);

(1) sprintf may overflow here
(2) do not call pclose() with fp==NULL (but I suppose it's entirely
in the else block anyway)

but most importantly:
(3) iptables does not read from stdin, so fwrite() is the wrong thing
to start with.