    [connman] Unroll stack in case of iptables error. JB#43924 · 9a3876f6
    Jussi Laakkonen authored
    This commit introduces a mechanism to catch iptables errors if the
    iptables rule is not valid and to restore the previous state before the
    error. This is implemented with setjmp() to save the environment (stack)
    and longjmp() in iptables.c:iptables_exit() to restore the saved
    environment and ignore the invalid rule. This avoids exit() for connman
    in such a situation and allows the invalid rules to be ignored.
    iptables_exit() is added to iptables_globals as the exit function and
    is called when iptables encounters an error with a rule or a commit.
    The environment is saved in each place where xtables functions that may
    result in exit_err() being called are used (see iptables/xtables.c).
    Furthermore, exit_err() is also called by xtables_error() directly, as
    it is defined in xtables.h: #define xtables_error (xt_params->exit_err).
    The enum xtables_exittype, which starts from 1, is used as the value for
    longjmp() to indicate that an error has occurred.
    This commit introduces the following. Before calling any iptables
    function, call enable_jmp() and then setjmp(); if setjmp() returns from
    a longjmp() caused by an iptables error, the error is handled properly
    and disable_jmp() is called to disallow further use. The same
    disable_jmp() is called after the xtables/iptables operation has
    completed without errors.
    To avoid looping, can_jmp() is also checked before iptables_exit() can
    call longjmp(). If the jmp state is not saved, connman has to exit().
iptables.c 85.9 KB