- don't need -DNDEBUG anymore. Instead, use -DIPTC_DEBUG to enable

	  libiptc debugging.  This is to make people at RedHat and Mandrake
	  happy.

	- add debugging code for mangle5hooks table (will break debugging
	  of iptables >= 1.2.6 on old kernels <= 2.4.18-pre6. *sigh*

diff --git a/Makefile b/Makefile
index 762c13e3699462d85166ad04dd7238adfa23bea2..a4dc2b682a349b0a8fe031b6b41606e1992fc361 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -29,8 +29,8 @@ ifeq ($(shell [ -f /usr/include/netinet/ip6.h ] && echo YES), YES)
 DO_IPV6=1
 endif
 
-COPT_FLAGS:=-O2 -DNDEBUG
-CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DNETFILTER_VERSION=\"$(NETFILTER_VERSION)\" #-g #-pg
+COPT_FLAGS:=-O2
+CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DNETFILTER_VERSION=\"$(NETFILTER_VERSION)\" #-g #-pg # -DIPTC_DEBUG
 
 ifdef NO_SHARED_LIBS
 CFLAGS += -DNO_SHARED_LIBS=1
@@ -187,12 +187,10 @@ most-of-pom:
 distrib: check distclean delrelease $(RELEASE_DIR)/iptables-$(NETFILTER_VERSION).tar.bz2 diff md5sums # nowhitespace
 
 # Makefile must not define:
-# -g -pg
-# And must define -NDEBUG
+# -g -pg -DIPTC_DEBUG
 .PHONY: check
 check:
-       @if echo $(CFLAGS) | egrep -e '-g|-pg' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
-       @if echo $(CFLAGS) | egrep -e NDEBUG >/dev/null; then exit 0; else echo Define -DNDEBUG; exit 1; fi
+       @if echo $(CFLAGS) | egrep -e '-g|-pg|IPTC_DEBUG' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
 
 .PHONY: nowhitespace
 nowhitespace:

diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
index 0d9e439b2afb89e2575107d6751afd825b276b86..9a3468c3b6a4bf694c5a77c0b5f8e9f04a7495e7 100644 (file)
--- a/libiptc/libip4tc.c
+++ b/libiptc/libip4tc.c
@@ -336,7 +336,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
        return 0;
 }
 
-#ifndef NDEBUG
+#ifdef IPTC_DEBUG
 /* Do every conceivable sanity check on the handle */
 static void
 do_check(TC_HANDLE_T h, unsigned int line)
@@ -382,21 +382,35 @@ do_check(TC_HANDLE_T h, unsigned int line)
 
                user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
        } else if (strcmp(h->info.name, "mangle") == 0) {
+               /* This code assumes mangle5hooks enabled iptable_mangle,
+                * either by patch-o-matic patch or linux >= 2.4.18-pre6 */
                assert(h->info.valid_hooks
                       == (1 << NF_IP_PRE_ROUTING
-                          | 1 << NF_IP_POST_ROUTING
                           | 1 << NF_IP_LOCAL_IN
+                          | 1 << NF_IP_FORWARD
                           | 1 << NF_IP_LOCAL_OUT
-                          | 1 << NF_IP_FORWARD));
+                          | 1 << NF_IP_POST_ROUTING));
 
-               /* Hooks should be first two */
+               /* Hooks should be first five */
                assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
 
                n = get_chain_end(h, 0);
                n += get_entry(h, n)->next_offset;
+               assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
+
+               n = get_chain_end(h, n);
+               n += get_entry(h, n)->next_offset;
+               assert(h->info.hook_entry[NF_IP_FORWARD] == n);
+
+               n = get_chain_end(h, n);
+               n += get_entry(h, n)->next_offset;
                assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
 
-               user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
+               n = get_chain_end(h, n);
+               n += get_entry(h, n)->next_offset;
+               assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
+
+               user_offset = h->info.hook_entry[NF_IP_POST_ROUTING];
 #ifdef NF_IP_DROPPING
        } else if (strcmp(h->info.name, "drop") == 0) {
                assert(h->info.valid_hooks == (1 << NF_IP_DROPPING));
@@ -464,4 +478,4 @@ do_check(TC_HANDLE_T h, unsigned int line)
                      ->u.user.name,
                      IPT_ERROR_TARGET) == 0);
 }
-#endif /*NDEBUG*/
+#endif /*IPTC_DEBUG*/

diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
index 91cd01c786e506878713e5f74a13230e7ed2ac1d..105fdfa459b82ea22400d245635ff1b503fa549c 100644 (file)
--- a/libiptc/libip6tc.c
+++ b/libiptc/libip6tc.c
@@ -282,7 +282,7 @@ unconditional(const struct ip6t_ip6 *ipv6)
        return (i == sizeof(*ipv6));
 }
 
-#ifndef NDEBUG
+#ifdef IPTC_DEBUG
 /* Do every conceivable sanity check on the handle */
 static void
 do_check(TC_HANDLE_T h, unsigned int line)
@@ -328,21 +328,35 @@ do_check(TC_HANDLE_T h, unsigned int line)
 
                user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
        } else if (strcmp(h->info.name, "mangle") == 0) {
+                /* This code assumes mangle5hooks enabled iptable_mangle,
+                 * either by patch-o-matic patch or linux >= 2.4.18-pre6 */
                assert(h->info.valid_hooks
                       == (1 << NF_IP6_PRE_ROUTING
-                          | 1 << NF_IP6_POST_ROUTING
                           | 1 << NF_IP6_LOCAL_IN
+                          | 1 << NF_IP6_FORWARD
                           | 1 << NF_IP6_LOCAL_OUT
-                          | 1 << NF_IP6_FORWARD));
+                          | 1 << NF_IP6_POST_ROUTING));
 
-               /* Hooks should be first three */
+               /* Hooks should be first five */
                assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
 
                n = get_chain_end(h, 0);
                n += get_entry(h, n)->next_offset;
+               assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
+
+               n = get_chain_end(h, n);
+               n += get_entry(h, n)->next_offset;
+               assert(h->info.hook_entry[NF_IP6_FORWARD] == n);
+
+               n = get_chain_end(h, n);
+               n += get_entry(h, n)->next_offset;
                assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
 
-               user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
+               n = get_chain_end(h, n);
+               n += get_entry(h, n)->next_offset;
+               assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
+
+               user_offset = h->info.hook_entry[NF_IP6_POST_ROUTING];
        } else
                abort();
 
@@ -403,4 +417,4 @@ do_check(TC_HANDLE_T h, unsigned int line)
                      ERROR_TARGET) == 0);
 #endif
 }
-#endif /*NDEBUG*/
+#endif /*IPTC_DEBUG*/

diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 3574ac8d0cce184bb81855f86a1b5aa487a4b77b..395b8c74bcf6911d7a184a641d7401550dbc6114 100644 (file)
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1,4 +1,4 @@
-/* Library which manipulates firewall rules.  Version $Revision: 1.32 $ */
+/* Library which manipulates firewall rules.  Version $Revision: 1.33 $ */
 
 /* Architecture of firewall rules is as follows:
  *
@@ -104,7 +104,7 @@ set_changed(TC_HANDLE_T h)
        h->changed = 1;
 }
 
-#ifndef NDEBUG
+#ifdef IPTC_DEBUG
 static void do_check(TC_HANDLE_T h, unsigned int line);
 #define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
 #else