Date: Wed Apr 26 2006 - 03:03:22 EST
I've been trying to understand the iptables kernel code and
basically how it functions. In doing so I have a few questions.
In the file ip_tables.c there is call do_replace() which is
used as the start point entry from sockopt.
That is, this gets called every time a user enters policies
from userspace. Here that data is given to me in the form of
void __user *user.
This I am copying to kernel space and dereferencing into
ipt_replace and so on. Am I right?
The first question is that userspace seems to send a size of 860
when trying to add the first policy. Does that mean that userspace is
maintaining the offset of the policies added?
tmp.size shows as 768, which is (4 default policies x
sizeof(struct ipt_standard)) + sizeof(struct ipt_error).
Am I correct in understanding? If so, why should user
space maintain the kernel policy offset?
Next thing is I added one extra field (int
num) in the struct ipt_entry_target. This is added after the unsigned
char data field.

    struct ipt_entry_target {
        union {
            /* Used by userspace */
            struct { u_int16_t target_size; char name[IPT_FUNCTION_MAXNAMELEN-1]; u_int8_t revision; } user;
            /* Used inside the kernel */
            struct { u_int16_t target_size; struct ipt_target *target; } kernel;
            /* Total length */
            u_int16_t target_size;
        } u;
        unsigned char data[0];
        unsigned int uniqueId; /* I added this */
    };
I am using this field to give a global id from my kernel for every
policy added, excluding the default ones added by the kernel. So if someone
calls iptables -F or iptables -t filter -D .... then this number
should not be assigned to the structure.
I want to know where the correct place is to add this value to the
structure without affecting the functionality.
I am also aware that making this change in the structure will result in a
segmentation fault in userspace. I'll handle it separately.
Can this be done? Please help me in this regard.
How can I know from the kernel structures if the policy is for -A or -D
or -F ?
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
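The following is an added example, not code from the post, from iptables or from the kernel. It is a user-space replica of the 2006-era (2.6.1x, i386) ipt_* layouts, with the struct definitions mirroring include/linux/netfilter_ipv4/ip_tables.h of that time and `#pragma pack(4)` reproducing the i386 ABI on any host. It shows where the two numbers in the post come from: the 768-byte entry blob is exactly 4 * sizeof(struct ipt_standard) + sizeof(struct ipt_error), and the 860 bytes handed to setsockopt() are that blob plus the 92-byte struct ipt_replace header that precedes it. It also builds the blob the way iptables user space does, writing target_offset, next_offset, hook_entry and underflow itself, and then walks it the way the kernel does after copy_from_user(), re-validating every offset rather than trusting it. The count of four standard entries is taken from the post, the hook-to-entry mapping is constructed for the example, and the checks in walk_entries are modelled on, not copied from, the kernel's own validation.

```c
/* Added example, not from the post or the kernel. Replica of the 2006-era i386
 * ipt_* layouts; #pragma pack(4) reproduces the i386 ABI on any host and the two
 * pointers are modelled as 4-byte integers. The zero-length trailing arrays
 * (elems[0], entries[0]) are left out because they do not change sizeof. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IPT_TABLE_MAXNAMELEN 32
#define IPT_FUNCTION_MAXNAMELEN 30
#define NF_IP_NUMHOOKS 5
#define NF_ACCEPT 1
#define N_STANDARD 4 /* the post reports four default policies plus one error entry */

#pragma pack(push, 4)
struct ipt_ip {
    uint32_t src, dst, smsk, dmsk;                     /* four struct in_addr */
    char iniface[16], outiface[16];
    unsigned char iniface_mask[16], outiface_mask[16];
    uint16_t proto; uint8_t flags, invflags;
};
struct ipt_counters { uint64_t pcnt, bcnt; };
struct ipt_entry {
    struct ipt_ip ip; unsigned int nfcache;
    uint16_t target_offset;   /* where the target starts: sizeof(ipt_entry) + matches */
    uint16_t next_offset;     /* total size of this entry, target included */
    unsigned int comefrom; struct ipt_counters counters;
};
struct ipt_entry_target {
    union {
        struct { uint16_t target_size; char name[IPT_FUNCTION_MAXNAMELEN - 1]; uint8_t revision; } user;
        struct { uint16_t target_size; uint32_t target; /* struct ipt_target * on i386 */ } kernel;
        uint16_t target_size;
    } u;
};
struct ipt_standard_target { struct ipt_entry_target target; int verdict; };
struct ipt_error_target { struct ipt_entry_target target; char errorname[IPT_FUNCTION_MAXNAMELEN]; };
struct ipt_standard { struct ipt_entry entry; struct ipt_standard_target target; };
struct ipt_error { struct ipt_entry entry; struct ipt_error_target target; };
struct ipt_replace {
    char name[IPT_TABLE_MAXNAMELEN];
    unsigned int valid_hooks, num_entries, size;
    unsigned int hook_entry[NF_IP_NUMHOOKS], underflow[NF_IP_NUMHOOKS];
    unsigned int num_counters;
    uint32_t counters;        /* struct ipt_counters __user * on i386 */
};
#pragma pack(pop)

/* tmp.size in do_replace(): the entry blob that follows the ipt_replace header. */
size_t default_table_blob_size(void) { return N_STANDARD * sizeof(struct ipt_standard) + sizeof(struct ipt_error); }
/* The length userspace hands to setsockopt(): header plus blob. */
size_t default_table_setsockopt_len(void) { return sizeof(struct ipt_replace) + default_table_blob_size(); }

/* Build header + blob the way iptables does, writing every offset itself: entry i
 * starts at i * sizeof(struct ipt_standard); hook i -> entry i is a constructed mapping. */
struct ipt_replace *build_default_table(void)
{
    size_t blob = default_table_blob_size();
    struct ipt_replace *r = calloc(1, sizeof(*r) + blob);
    if (!r) return NULL;
    unsigned char *p = (unsigned char *)r + sizeof(*r);
    unsigned int off = 0;
    strcpy(r->name, "filter");
    r->num_entries = r->num_counters = N_STANDARD + 1;
    r->size = (unsigned int)blob;
    for (int i = 0; i < N_STANDARD; i++) {
        struct ipt_standard *s = (struct ipt_standard *)(p + off);
        s->entry.target_offset = sizeof(struct ipt_entry);
        s->entry.next_offset = sizeof(struct ipt_standard);
        s->target.target.u.user.target_size = sizeof(struct ipt_standard_target);
        s->target.verdict = -NF_ACCEPT - 1;           /* standard-target verdict encoding */
        r->hook_entry[i] = r->underflow[i] = off;
        r->valid_hooks |= 1u << i;
        off += s->entry.next_offset;
    }
    struct ipt_error *e = (struct ipt_error *)(p + off);
    e->entry.target_offset = sizeof(struct ipt_entry);
    e->entry.next_offset = sizeof(struct ipt_error);
    e->target.target.u.user.target_size = sizeof(struct ipt_error_target);
    strcpy(e->target.target.u.user.name, "ERROR");
    strcpy(e->target.errorname, "ERROR");
    return r;
}

/* Walk the blob the way the kernel's entry iterator does after copy_from_user(),
 * re-validating each offset because it came from userspace. Returns the entry
 * count, or -1 if an entry or target would run past the declared size, or the
 * count disagrees with num_entries. */
int walk_entries(const struct ipt_replace *r)
{
    const unsigned char *base = (const unsigned char *)r + sizeof(*r);
    unsigned int off = 0, n = 0;
    while (off < r->size) {
        if (r->size - off < sizeof(struct ipt_entry)) return -1;
        const struct ipt_entry *e = (const struct ipt_entry *)(base + off);
        if (e->target_offset < sizeof(struct ipt_entry)) return -1;
        if (e->next_offset < e->target_offset + sizeof(struct ipt_entry_target)) return -1;
        if (e->next_offset > r->size - off) return -1;
        const struct ipt_entry_target *t =
            (const struct ipt_entry_target *)((const unsigned char *)e + e->target_offset);
        if (t->u.target_size < sizeof(*t) || e->target_offset + t->u.target_size > e->next_offset) return -1;
        off += e->next_offset;
        n++;
    }
    return (off == r->size && n == r->num_entries) ? (int)n : -1;
}
```

Without the pack pragma, the same definitions on a 64-bit host give 152, 176 and 96 bytes for ipt_standard, ipt_error and ipt_replace, which is why the kernel takes tmp.size from the header it was given and then checks every next_offset and target_size against it instead of assuming a layout.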