- don't need -DNDEBUG anymore. Instead, use -DIPTC_DEBUG to enable
libiptc debugging. This is to make people at RedHat and Mandrake
happy.
- add debugging code for mangle5hooks table (will break debugging
of iptables >= 1.2.6 on old kernels <= 2.4.18-pre6. *sigh*
diff --git a/Makefile b/Makefile
index 762c13e..a4dc2b6 100644
--- a/Makefile
+++ b/Makefile
@@ -29,8 +29,8 @@
DO_IPV6=1
endif
-COPT_FLAGS:=-O2 -DNDEBUG
-CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DNETFILTER_VERSION=\"$(NETFILTER_VERSION)\" #-g #-pg
+COPT_FLAGS:=-O2
+CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DNETFILTER_VERSION=\"$(NETFILTER_VERSION)\" #-g #-pg # -DIPTC_DEBUG
ifdef NO_SHARED_LIBS
CFLAGS += -DNO_SHARED_LIBS=1
@@ -187,12 +187,10 @@
distrib: check distclean delrelease $(RELEASE_DIR)/iptables-$(NETFILTER_VERSION).tar.bz2 diff md5sums # nowhitespace
# Makefile must not define:
-# -g -pg
-# And must define -NDEBUG
+# -g -pg -DIPTC_DEBUG
.PHONY: check
check:
- @if echo $(CFLAGS) | egrep -e '-g|-pg' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
- @if echo $(CFLAGS) | egrep -e NDEBUG >/dev/null; then exit 0; else echo Define -DNDEBUG; exit 1; fi
+ @if echo $(CFLAGS) | egrep -e '-g|-pg|IPTC_DEBUG' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
.PHONY: nowhitespace
nowhitespace:
diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
index 0d9e439..9a3468c 100644
--- a/libiptc/libip4tc.c
+++ b/libiptc/libip4tc.c
@@ -336,7 +336,7 @@
return 0;
}
-#ifndef NDEBUG
+#ifdef IPTC_DEBUG
/* Do every conceivable sanity check on the handle */
static void
do_check(TC_HANDLE_T h, unsigned int line)
@@ -382,21 +382,35 @@
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
} else if (strcmp(h->info.name, "mangle") == 0) {
+ /* This code assumes mangle5hooks enabled iptable_mangle,
+ * either by patch-o-matic patch or linux >= 2.4.18-pre6 */
assert(h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
- | 1 << NF_IP_POST_ROUTING
| 1 << NF_IP_LOCAL_IN
+ | 1 << NF_IP_FORWARD
| 1 << NF_IP_LOCAL_OUT
- | 1 << NF_IP_FORWARD));
+ | 1 << NF_IP_POST_ROUTING));
- /* Hooks should be first two */
+ /* Hooks should be first five */
assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
n = get_chain_end(h, 0);
n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
+
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP_FORWARD] == n);
+
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
- user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
+
+ user_offset = h->info.hook_entry[NF_IP_POST_ROUTING];
#ifdef NF_IP_DROPPING
} else if (strcmp(h->info.name, "drop") == 0) {
assert(h->info.valid_hooks == (1 << NF_IP_DROPPING));
@@ -464,4 +478,4 @@
->u.user.name,
IPT_ERROR_TARGET) == 0);
}
-#endif /*NDEBUG*/
+#endif /*IPTC_DEBUG*/
diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
index 91cd01c..105fdfa 100644
--- a/libiptc/libip6tc.c
+++ b/libiptc/libip6tc.c
@@ -282,7 +282,7 @@
return (i == sizeof(*ipv6));
}
-#ifndef NDEBUG
+#ifdef IPTC_DEBUG
/* Do every conceivable sanity check on the handle */
static void
do_check(TC_HANDLE_T h, unsigned int line)
@@ -328,21 +328,35 @@
user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
} else if (strcmp(h->info.name, "mangle") == 0) {
+ /* This code assumes mangle5hooks enabled iptable_mangle,
+ * either by patch-o-matic patch or linux >= 2.4.18-pre6 */
assert(h->info.valid_hooks
== (1 << NF_IP6_PRE_ROUTING
- | 1 << NF_IP6_POST_ROUTING
| 1 << NF_IP6_LOCAL_IN
+ | 1 << NF_IP6_FORWARD
| 1 << NF_IP6_LOCAL_OUT
- | 1 << NF_IP6_FORWARD));
+ | 1 << NF_IP6_POST_ROUTING));
- /* Hooks should be first three */
+ /* Hooks should be first five */
assert(h->info.hook_entry[NF_IP6_PRE_ROUTING] == 0);
n = get_chain_end(h, 0);
n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP6_LOCAL_IN] == n);
+
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP6_FORWARD] == n);
+
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP6_LOCAL_OUT] == n);
- user_offset = h->info.hook_entry[NF_IP6_LOCAL_OUT];
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP6_POST_ROUTING] == n);
+
+ user_offset = h->info.hook_entry[NF_IP6_POST_ROUTING];
} else
abort();
@@ -403,4 +417,4 @@
ERROR_TARGET) == 0);
#endif
}
-#endif /*NDEBUG*/
+#endif /*IPTC_DEBUG*/
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 3574ac8..395b8c7 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1,4 +1,4 @@
-/* Library which manipulates firewall rules. Version $Revision: 1.32 $ */
+/* Library which manipulates firewall rules. Version $Revision: 1.33 $ */
/* Architecture of firewall rules is as follows:
*
@@ -104,7 +104,7 @@
h->changed = 1;
}
-#ifndef NDEBUG
+#ifdef IPTC_DEBUG
static void do_check(TC_HANDLE_T h, unsigned int line);
#define CHECK(h) do { if (!getenv("IPTC_NO_CHECK")) do_check((h), __LINE__); } while(0)
#else