From: Daniel Wagner <daniel.wag...@bmw-carit.de>

prepare_rule_inclusion() is currently working correctly for APPEND
operations.

First let's have a look what it does currently:

- user chains will be ignored by this change, because their head->builtin
  flag is always -1.
- For builtin chains there are two cases to look at
-- chain is empty: In this case chain_head == chain_tail->prev holds true
   and we want to 'append' the new rule as chain head right before
   the policy rule which marks the end of the chain.
-- chain is not empty: then we don't have to handle the builtin flag
   update. The only caller is iptables_append_rule which will put the
   new rule before chain_tail->prev anyway.

The next patch brings back iptables_insert_rule() (commit 161efbae1
removed it) but this function will not work for a non-empty chain. In
this case the condition 'chain_head == chain_tail->prev' is false and
therefore we will not tell via *builtin that this is the new
head. Instead iptables_insert_rule() will insert the new rule at the
second position (see if (builtin == -1) chain_head = chain_head->next).

Therefore we need to tell prepare_rule_inclusion() that the new rule
is always at first position.
---
 src/iptables.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/iptables.c b/src/iptables.c
index 1fd6c42..8454fcb 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -768,7 +768,8 @@ static struct ipt_entry *prepare_rule_inclusion(struct 
connman_iptables *table,
                                struct ipt_ip *ip, const char *chain_name,
                                const char *target_name,
                                struct xtables_target *xt_t,
-                               int *builtin, struct xtables_rule_match *xt_rm)
+                               int *builtin, struct xtables_rule_match *xt_rm,
+                               connman_bool_t insert_first)
 {
        GList *chain_tail, *chain_head;
        struct ipt_entry *new_entry;
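Review bot: the new `insert_first` parameter is undocumented at the prototype; since its effect (forcing the builtin-head handover even when the chain is not empty) is only visible in the second hunk, a one-line comment above `prepare_rule_inclusion()` stating that `insert_first` means "the caller places the new entry at the chain head" would make the contract clear to the next caller.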
@@ -796,7 +797,7 @@ static struct ipt_entry *prepare_rule_inclusion(struct 
connman_iptables *table,
        head = chain_head->data;
        if (head->builtin < 0)
                *builtin = -1;
-       else if (chain_head == chain_tail->prev) {
+       else if (insert_first == TRUE || chain_head == chain_tail->prev) {
                *builtin = head->builtin;
                head->builtin = -1;
        }
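Review bot: with `insert_first == TRUE` on a non-empty builtin chain, `head->builtin` is cleared and its value handed over via `*builtin` before any new entry exists, so correctness now depends entirely on the caller actually placing the new entry at the head; the only guarantee of that is in a later patch (`iptables_insert_rule()`), so a short comment next to `else if (insert_first == TRUE || chain_head == chain_tail->prev)` noting this coupling would help. Note also that the user-chain branch (`head->builtin < 0`) still sets `*builtin = -1` regardless of `insert_first`, which matches the commit message.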
@@ -821,7 +822,7 @@ static int iptables_append_rule(struct connman_iptables 
*table,
                return -EINVAL;
 
        new_entry = prepare_rule_inclusion(table, ip, chain_name,
-                                       target_name, xt_t, &builtin, xt_rm);
+                               target_name, xt_t, &builtin, xt_rm, FALSE);
        if (new_entry == NULL)
                return -EINVAL;
 
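Review bot: minor style point, the continuation line `target_name, xt_t, &builtin, xt_rm, FALSE);` no longer aligns with the opening parenthesis of the `prepare_rule_inclusion(` call as the removed line did; re-indenting it to match the surrounding call sites would keep the file consistent.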
-- 
1.8.2.rc3.16.gce432ca

_______________________________________________
connman mailing list
connman@connman.net
http://lists.connman.net/listinfo/connman