- don't need -DNDEBUG anymore. Instead, use -DIPTC_DEBUG to enable
libiptc debugging. This is to make people at RedHat and Mandrake
happy.
- add debugging code for mangle5hooks table (will break debugging
of iptables >= 1.2.6 on old kernels <= 2.4.18-pre6). *sigh*
diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
index 0d9e439..9a3468c 100644
--- a/libiptc/libip4tc.c
+++ b/libiptc/libip4tc.c
@@ -336,7 +336,7 @@
return 0;
}
-#ifndef NDEBUG
+#ifdef IPTC_DEBUG
/* Do every conceivable sanity check on the handle */
static void
do_check(TC_HANDLE_T h, unsigned int line)
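Review bot: Gating do_check() on IPTC_DEBUG alone does not guarantee that any check runs, because the checks visible in this patch are all written with assert(). A build that passes -DIPTC_DEBUG while NDEBUG is still defined would compile them out and leave a sanity pass that verifies nothing. A guard next to the new `#ifdef` would make that misconfiguration fail loudly: `#if defined(IPTC_DEBUG) && defined(NDEBUG)` / `#error "IPTC_DEBUG relies on assert(); do not define NDEBUG"` / `#endif`. The call sites of do_check() are outside this hunk, so it is worth confirming they are switched to the same macro. The body of do_check() also continues past the end of the hunk.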
@@ -382,21 +382,35 @@
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
} else if (strcmp(h->info.name, "mangle") == 0) {
+ /* This code assumes mangle5hooks enabled iptable_mangle,
+ * either by patch-o-matic patch or linux >= 2.4.18-pre6 */
assert(h->info.valid_hooks
== (1 << NF_IP_PRE_ROUTING
- | 1 << NF_IP_POST_ROUTING
| 1 << NF_IP_LOCAL_IN
+ | 1 << NF_IP_FORWARD
| 1 << NF_IP_LOCAL_OUT
- | 1 << NF_IP_FORWARD));
+ | 1 << NF_IP_POST_ROUTING));
- /* Hooks should be first two */
+ /* Hooks should be first five */
assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
n = get_chain_end(h, 0);
n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP_LOCAL_IN] == n);
+
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP_FORWARD] == n);
+
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
- user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
+
+ user_offset = h->info.hook_entry[NF_IP_POST_ROUTING];
#ifdef NF_IP_DROPPING
} else if (strcmp(h->info.name, "drop") == 0) {
assert(h->info.valid_hooks == (1 << NF_IP_DROPPING));
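Review bot: The new mangle branch hard-codes the five-hook layout at compile time, but `h->info` describes the table of whichever kernel is running. On a kernel without mangle5hooks the first failing assert() aborts the tool with only a file and line number. The added comment states the assumption but not the consequence, so I would extend it: `/* On a kernel without mangle5hooks the asserts below abort; build without -DIPTC_DEBUG there. */`. The four identical `get_chain_end()` / `next_offset` steps also read as one loop over the hooks in table order, which would keep the expected order in a single place. The enclosing function starts before this hunk and continues after it.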
@@ -464,4 +478,4 @@
->u.user.name,
IPT_ERROR_TARGET) == 0);
}
-#endif /*NDEBUG*/
+#endif /*IPTC_DEBUG*/