iptables doubt

From: varun
Date: Wed Apr 26 2006 - 03:03:22 EST


Hi all,

Ive been trying to understand iptables kernel code and basically how it functions. In doing so i have a few questions.
In the file ip_tables.c there is call do_replace() which is used as the start point entry from sockopt.
That is this gets called everytime a user entrers policies from user. Here that data is given to me in the form of
void __user *user.
This iam copying to kernel space and dereferencing into ipt_replace and so on. Am i right?
The first question is user seems to send a size as 860 when trying to add the first policy. Does that mean that user is maintaining the offset of the policies added?
tmp.size shows as 768 which is (4 default policies x sizeof(struct ipt_standard)) + sizeof(struct ipt_error)
Am i correct in understanding? If so why should user space kernel policy offset?
Next thing is i added one extra field (int num)in the struct ipt_entry_target . This is added after the unsigned char data[0] field.
struct ipt_entry_target
{
union {
struct {
u_int16_t target_size;

/* Used by userspace */
char name[IPT_FUNCTION_MAXNAMELEN-1];

u_int8_t revision;
} user;
struct {
u_int16_t target_size;

/* Used inside the kernel */
struct ipt_target *target;
} kernel;

/* Total length */
u_int16_t target_size;
} u;

unsigned char data[0];
unsigned int uniqueId; /*I added this*/
};

Iam using this field to give a global id from my kernel for every policy added excluding the default ones added by kernel. So if someone calls for iptables -F or iptables -t filter -D .... then this number should not be assigned to the structure.
I want to know where is the correct place to add this value to structure without effecting the functionality.

Iam also aware that making this change in structure will result in segmentation fault un userspace. Ill handel it seperately.
Can this be done? Please help me in this regard.

How can i know from the kernel structures if the policy is for -A or -D or -F ?
Varun
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html