Hi Tomasz,
On 03/06/2013 02:11 PM, Tomasz Bursztyka wrote:
The orignal code assumes that the builtin chain is empty which is
obviously always the right assumption :).
That is actually the bug in the original code: it might not be empty. If
it is, it does the right change, if not it modifies the 1 rule in the
chain.
I am looking at the current behaviour of __connman_iptables_append() and
I think it is broken. No patches applied nor have I have touched this
code in previous patches.
iptables.c is written that it assumes it does insert at first position,
e.g. see iptables_insert_rule() and prepare_rule_inclusion().
iptables_insert_rule():
chain_head = find_chain_head(table, chain_name);
[...]
ret = iptables_add_entry(table, new_entry, chain_head, builtin);
iptables_add_entry inserts the new rule *before* chain_head (and that is
why I have sent a patch which renames chain_head to 'before' so that
reader sees what's going on.
By calling __connman_iptables_append() the rule will not be appended.
Instead it ends up either at position 1 if the chain was empty or at
postion 2 if it was not empty.
So I can now write a 'fix' which makes out iptables_insert_rule() a
iptables_append_rule() function or rename __connman_iptables_append() to
__connman_iptables_insert() and then send another patch which gives you
__connman_iptables_append().
cheers,
daniel
_______________________________________________
connman mailing list
[email protected]
http://lists.connman.net/listinfo/connman
