explicitly check for two possible sets of hooks in case of nat and mangle
authorHarald Welte <laforge@gnumonks.org>
Wed, 13 Feb 2002 23:13:23 +0000 (23:13 +0000)
committerHarald Welte <laforge@gnumonks.org>
Wed, 13 Feb 2002 23:13:23 +0000 (23:13 +0000)
libiptc/libip4tc.c
libiptc/libip6tc.c

index 1dc414d22a9cf8cd53bf4e39eae592a16ac4ab40..d221e74c2bbaa1898d8f3e1bf7a527a292a5c487 100644 (file)
@@ -365,32 +365,48 @@ do_check(TC_HANDLE_T h, unsigned int line)
 
                user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
        } else if (strcmp(h->info.name, "nat") == 0) {
-               assert(h->info.valid_hooks
-                      == (1 << NF_IP_PRE_ROUTING
-                          | 1 << NF_IP_POST_ROUTING
-                          | 1 << NF_IP_LOCAL_OUT));
+               assert((h->info.valid_hooks
+                       == (1 << NF_IP_PRE_ROUTING
+                           | 1 << NF_IP_POST_ROUTING
+                           | 1 << NF_IP_LOCAL_OUT)) ||
+                      (h->info.valid_hooks
+                       == (1 << NF_IP_PRE_ROUTING
+                           | 1 << NF_IP_LOCAL_IN
+                           | 1 << NF_IP_POST_ROUTING
+                           | 1 << NF_IP_LOCAL_OUT)));
 
                assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
 
                n = get_chain_end(h, 0);
+
                n += get_entry(h, n)->next_offset;
                assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
-
                n = get_chain_end(h, n);
+
                n += get_entry(h, n)->next_offset;
                assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
-
                user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
+
+               if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN)) {
+                       n = get_chain_end(h, n);
+                       n += get_entry(h, n)->next_offset;
+                       assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
+                       user_offset = h->info.hook_entry[NF_IP_LOCAL_IN];
+               }
+
        } else if (strcmp(h->info.name, "mangle") == 0) {
                /* This code is getting ugly because linux < 2.4.18-pre6 had
                 * two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
                 * */
-               assert((h->info.valid_hooks &
-                       ~(1 << NF_IP_LOCAL_IN
-                         | 1 << NF_IP_FORWARD
-                         | 1 << NF_IP_POST_ROUTING))
-                      == (1 << NF_IP_PRE_ROUTING
-                          | 1 << NF_IP_LOCAL_OUT));
+               assert((h->info.valid_hooks
+                       == (1 << NF_IP_PRE_ROUTING
+                           | 1 << NF_IP_LOCAL_OUT)) || 
+                      (h->info.valid_hooks
+                       == (1 << NF_IP_PRE_ROUTING
+                           | 1 << NF_IP_LOCAL_IN
+                           | 1 << NF_IP_FORWARD
+                           | 1 << NF_IP_LOCAL_OUT
+                           | 1 << NF_IP_POST_ROUTING)));
 
                /* Hooks should be first five */
                assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
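Review bot: The new LOCAL_IN block (the `if (h->info.valid_hooks & (1 << NF_IP_LOCAL_IN))` branch) reads `get_entry(h, n)->next_offset` at an offset produced by the preceding chain walk, and nothing visible confirms that `n` is still inside the table before that read; the assert that follows only runs afterwards. Whether get_chain_end() or get_entry() bound-check is not visible in this hunk, so that is worth confirming. If they do not, a guard such as `assert(n < h->info.size);` before the `get_entry` call would make an inconsistent table fail on the check rather than on a stray read. Every check here is an `assert()`, so none of them survive an NDEBUG build. The same applies to the matching block in the libip6tc.c hunk, and do_check's body starts and ends outside this hunk.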
index 6f6fa6c7bade036cfce27335fa45595f4ec472b7..7a88efdad21cae5101653eec180c14f5f20833da 100644 (file)
@@ -311,32 +311,48 @@ do_check(TC_HANDLE_T h, unsigned int line)
 
                user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
        } else if (strcmp(h->info.name, "nat") == 0) {
-               assert(h->info.valid_hooks
-                      == (1 << NF_IP6_PRE_ROUTING
-                          | 1 << NF_IP6_POST_ROUTING
-                          | 1 << NF_IP6_LOCAL_OUT));
+               assert((h->info.valid_hooks
+                       == (1 << NF_IP6_PRE_ROUTING
+                           | 1 << NF_IP6_LOCAL_OUT
+                           | 1 << NF_IP6_POST_ROUTING)) ||
+                      (h->info.valid_hooks
+                       == (1 << NF_IP6_PRE_ROUTING
+                           | 1 << NF_IP6_LOCAL_IN
+                           | 1 << NF_IP6_LOCAL_OUT
+                           | 1 << NF_IP6_POST_ROUTING)));
 
                assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
 
                n = get_chain_end(h, 0);
+
                n += get_entry(h, n)->next_offset;
                assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
-
                n = get_chain_end(h, n);
+
                n += get_entry(h, n)->next_offset;
                assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
-
                user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
+
+               if (h->info.valid_hooks & (1 << NF_IP6_LOCAL_IN)) {
+                       n = get_chain_end(h, n);
+                       n += get_entry(h, n)->next_offset;
+                       assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
+                       user_offset = h->info.hook_entry[NF_IP6_LOCAL_IN];
+               }
+
        } else if (strcmp(h->info.name, "mangle") == 0) {
                /* This code is getting ugly because linux < 2.4.18-pre6 had
                 * two mangle hooks, linux >= 2.4.18-pre6 has five mangle hooks
                 * */
-               assert((h->info.valid_hooks &
-                       ~(1 << NF_IP6_LOCAL_IN
-                         | 1 << NF_IP6_FORWARD
-                         | 1 << NF_IP6_POST_ROUTING))
-                      == (1 << NF_IP6_PRE_ROUTING
-                          | 1 << NF_IP6_LOCAL_OUT));
+               assert((h->info.valid_hooks
+                       == (1 << NF_IP6_PRE_ROUTING
+                           | 1 << NF_IP6_LOCAL_OUT)) ||
+                      (h->info.valid_hooks
+                       == (1 << NF_IP6_PRE_ROUTING
+                           | 1 << NF_IP6_LOCAL_IN
+                           | 1 << NF_IP6_FORWARD
+                           | 1 << NF_IP6_LOCAL_OUT
+                           | 1 << NF_IP6_POST_ROUTING)));
 
                /* Hooks should be first five */
                assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
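Review bot: The nat branch now accepts two hook sets but carries no comment saying why, while the mangle branch just below it explains its two sets by kernel version. A short comment above the nat assert would help, for example `/* nat: PRE_ROUTING, POST_ROUTING and LOCAL_OUT, optionally plus LOCAL_IN; the LOCAL_IN chain is expected after LOCAL_OUT's */`, together with the kernel or patch that adds LOCAL_IN, which this page does not state. The nat branch in libip4tc.c has the same gap. The mask terms here are also listed in a different order from libip4tc.c (LOCAL_OUT before POST_ROUTING), which makes the two mirrored files harder to compare line by line.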