patch for iptables

patch for iptables

[Massimiliano Hofer]

[-- Attachment #1: Type: text/plain, Size: 501 bytes --]

Hi,
I was so careful testing my new version of condition for binary compatiblity 
that I didnt't notice it breaks recompilation of the userspace utilities. :)

Here is a patch that uses the new include for the XT version. While I was at 
it, I updated the sanity checks in order to match the module ones.

One caveat: I break compatibility with older kernels that don't have XT. 
What's the policy for backward compatibility in iptables? Shall I put a few 
#ifdefs?

-- 
Saluti,
   Massimiliano Hofer

[-- Attachment #2: iptables-1.3.5-20060820-xt_condition.patch --]
[-- Type: text/x-diff, Size: 6436 bytes --]

diff -Nru iptables-1.3.5-20060820.orig/extensions/.condition-test iptables-1.3.5-20060820/extensions/.condition-test
--- iptables-1.3.5-20060820.orig/extensions/.condition-test	2006-08-21 02:22:24.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/.condition-test	2006-08-21 02:39:15.000000000 +0200
@@ -1,3 +1,3 @@
 #!/bin/sh
 # True if condition is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] && echo condition
diff -Nru iptables-1.3.5-20060820.orig/extensions/.condition-test6 iptables-1.3.5-20060820/extensions/.condition-test6
--- iptables-1.3.5-20060820.orig/extensions/.condition-test6	2006-08-21 02:22:25.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/.condition-test6	2006-08-21 02:39:27.000000000 +0200
@@ -1,3 +1,3 @@
 #!/bin/sh
 # True if condition6 is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] && echo condition
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] && echo condition
diff -Nru iptables-1.3.5-20060820.orig/extensions/libip6t_condition.c iptables-1.3.5-20060820/extensions/libip6t_condition.c
--- iptables-1.3.5-20060820.orig/extensions/libip6t_condition.c	2006-08-21 02:22:25.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/libip6t_condition.c	2006-08-21 03:24:13.000000000 +0200
@@ -5,8 +5,7 @@
 #include <getopt.h>
 #include <ip6tables.h>
 
-#include<linux/netfilter_ipv6/ip6_tables.h>
-#include<linux/netfilter_ipv6/ip6t_condition.h>
+#include<linux/netfilter/xt_condition.h>
 
 
 static void
@@ -29,8 +28,12 @@
       const struct ip6t_entry *entry, unsigned int *nfcache,
       struct ip6t_entry_match **match)
 {
-	struct condition6_info *info =
-	    (struct condition6_info *) (*match)->data;
+	static const char * const forbidden_names[]={ "", ".", ".." };
+	const char *name;
+	int i;
+
+	struct condition_info *info =
+	    (struct condition_info *) (*match)->data;
 
 	if (c == 'X') {
 		if (*flags)
@@ -39,12 +42,26 @@
 
 		check_inverse(optarg, &invert, &optind, 0);
 
-		if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
-			strcpy(info->name, argv[optind - 1]);
-		else
+		name = argv[optind - 1];
+		/* We don't want a '/' in a proc file name. */
+		for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+			if (name[i] == '/')
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't have a '/' in a condition name");
+
+		/* We can't handle file names longer than CONDITION_NAME_LEN and */
+		/* we want a NULL terminated string. */
+		if (i == CONDITION_NAME_LEN)
 			exit_error(PARAMETER_PROBLEM,
 				   "File name too long");
 
+		/* We don't want certain reserved names. */
+		for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+			if(strcmp(name, forbidden_names[i])==0)
+				exit_error(PARAMETER_PROBLEM,
+					   "Forbidden condition name");
+
+		strcpy(info->name, name);
 		info->invert = invert;
 		*flags = 1;
 		return 1;
@@ -67,8 +84,8 @@
 print(const struct ip6t_ip6 *ip,
 		  const struct ip6t_entry_match *match, int numeric)
 {
-	const struct condition6_info *info =
-	    (const struct condition6_info *) match->data;
+	const struct condition_info *info =
+	    (const struct condition_info *) match->data;
 
 	printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
 }
@@ -78,8 +95,8 @@
 save(const struct ip6t_ip6 *ip,
 		 const struct ip6t_entry_match *match)
 {
-	const struct condition6_info *info =
-	    (const struct condition6_info *) match->data;
+	const struct condition_info *info =
+	    (const struct condition_info *) match->data;
 
 	printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
 }
@@ -88,8 +105,8 @@
 static struct ip6tables_match condition = {
 	.name = "condition",
 	.version = IPTABLES_VERSION,
-	.size = IP6T_ALIGN(sizeof(struct condition6_info)),
-	.userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
+	.size = IP6T_ALIGN(sizeof(struct condition_info)),
+	.userspacesize = IP6T_ALIGN(sizeof(struct condition_info)),
 	.help = &help,
 	.parse = &parse,
 	.final_check = &final_check,
diff -Nru iptables-1.3.5-20060820.orig/extensions/libipt_condition.c iptables-1.3.5-20060820/extensions/libipt_condition.c
--- iptables-1.3.5-20060820.orig/extensions/libipt_condition.c	2006-08-21 02:22:24.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/libipt_condition.c	2006-08-21 03:18:01.000000000 +0200
@@ -5,8 +5,7 @@
 #include <getopt.h>
 #include <iptables.h>
 
-#include<linux/netfilter_ipv4/ip_tables.h>
-#include<linux/netfilter_ipv4/ipt_condition.h>
+#include<linux/netfilter/xt_condition.h>
 
 
 static void
@@ -29,6 +28,10 @@
       const struct ipt_entry *entry, unsigned int *nfcache,
       struct ipt_entry_match **match)
 {
+	static const char * const forbidden_names[]={ "", ".", ".." };
+	const char *name;
+	int i;
+
 	struct condition_info *info =
 	    (struct condition_info *) (*match)->data;
 
@@ -39,12 +42,26 @@
 
 		check_inverse(optarg, &invert, &optind, 0);
 
-		if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
-			strcpy(info->name, argv[optind - 1]);
-		else
+		name = argv[optind - 1];
+		/* We don't want a '/' in a proc file name. */
+		for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+			if (name[i] == '/')
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't have a '/' in a condition name");
+
+		/* We can't handle file names longer than CONDITION_NAME_LEN and */
+		/* we want a NULL terminated string. */
+		if (i == CONDITION_NAME_LEN)
 			exit_error(PARAMETER_PROBLEM,
 				   "File name too long");
 
+		/* We don't want certain reserved names. */
+		for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+			if(strcmp(name, forbidden_names[i])==0)
+				exit_error(PARAMETER_PROBLEM,
+					   "Forbidden condition name");
+
+		strcpy(info->name, name);
 		info->invert = invert;
 		*flags = 1;
 		return 1;
diff -Nru iptables-1.3.5-20060820.orig/include/linux/netfilter/xt_condition.h iptables-1.3.5-20060820/include/linux/netfilter/xt_condition.h
--- iptables-1.3.5-20060820.orig/include/linux/netfilter/xt_condition.h	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5-20060820/include/linux/netfilter/xt_condition.h	2006-08-21 02:37:54.000000000 +0200
@@ -0,0 +1,11 @@
+#ifndef _XT_CONDITION_H
+#define _XT_CONDITION_H
+
+#define CONDITION_NAME_LEN  32
+
+struct condition_info {
+	char name[CONDITION_NAME_LEN];
+	int  invert;
+};
+
+#endif /* _XT_CONDITION_H */

Re: patch for iptables

[Massimiliano Hofer]

[-- Attachment #1: Type: text/plain, Size: 343 bytes --]

On Tuesday 22 August 2006 4:34 pm, Massimiliano Hofer wrote:

> Here is a patch that uses the new include for the XT version. While I was
> at it, I updated the sanity checks in order to match the module ones.

Please disregard this patch. I uploaded a version made before a cleanup.
This is the real patch.

-- 
Saluti,
   Massimiliano Hofer

[-- Attachment #2: iptables-1.3.5-20060820-xt_condition.patch --]
[-- Type: text/x-diff, Size: 5872 bytes --]

diff -Nru iptables-1.3.5-20060820.orig/extensions/.condition-test iptables-1.3.5-20060820/extensions/.condition-test
--- iptables-1.3.5-20060820.orig/extensions/.condition-test	2006-08-21 02:22:24.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/.condition-test	2006-08-21 02:39:15.000000000 +0200
@@ -1,3 +1,3 @@
 #!/bin/sh
 # True if condition is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] && echo condition
diff -Nru iptables-1.3.5-20060820.orig/extensions/.condition-test6 iptables-1.3.5-20060820/extensions/.condition-test6
--- iptables-1.3.5-20060820.orig/extensions/.condition-test6	2006-08-21 02:22:25.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/.condition-test6	2006-08-21 02:39:27.000000000 +0200
@@ -1,3 +1,3 @@
 #!/bin/sh
 # True if condition6 is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] && echo condition
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] && echo condition
diff -Nru iptables-1.3.5-20060820.orig/extensions/libip6t_condition.c iptables-1.3.5-20060820/extensions/libip6t_condition.c
--- iptables-1.3.5-20060820.orig/extensions/libip6t_condition.c	2006-08-21 02:22:25.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/libip6t_condition.c	2006-08-21 03:24:13.000000000 +0200
@@ -5,8 +5,7 @@
 #include <getopt.h>
 #include <ip6tables.h>
 
-#include<linux/netfilter_ipv6/ip6_tables.h>
-#include<linux/netfilter_ipv6/ip6t_condition.h>
+#include<linux/netfilter/xt_condition.h>
 
 
 static void
@@ -29,8 +28,12 @@
       const struct ip6t_entry *entry, unsigned int *nfcache,
       struct ip6t_entry_match **match)
 {
-	struct condition6_info *info =
-	    (struct condition6_info *) (*match)->data;
+	static const char * const forbidden_names[]={ "", ".", ".." };
+	const char *name;
+	int i;
+
+	struct condition_info *info =
+	    (struct condition_info *) (*match)->data;
 
 	if (c == 'X') {
 		if (*flags)
@@ -39,12 +42,26 @@
 
 		check_inverse(optarg, &invert, &optind, 0);
 
-		if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
-			strcpy(info->name, argv[optind - 1]);
-		else
+		name = argv[optind - 1];
+		/* We don't want a '/' in a proc file name. */
+		for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+			if (name[i] == '/')
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't have a '/' in a condition name");
+
+		/* We can't handle file names longer than CONDITION_NAME_LEN and */
+		/* we want a NULL terminated string. */
+		if (i == CONDITION_NAME_LEN)
 			exit_error(PARAMETER_PROBLEM,
 				   "File name too long");
 
+		/* We don't want certain reserved names. */
+		for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+			if(strcmp(name, forbidden_names[i])==0)
+				exit_error(PARAMETER_PROBLEM,
+					   "Forbidden condition name");
+
+		strcpy(info->name, name);
 		info->invert = invert;
 		*flags = 1;
 		return 1;
@@ -67,8 +84,8 @@
 print(const struct ip6t_ip6 *ip,
 		  const struct ip6t_entry_match *match, int numeric)
 {
-	const struct condition6_info *info =
-	    (const struct condition6_info *) match->data;
+	const struct condition_info *info =
+	    (const struct condition_info *) match->data;
 
 	printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
 }
@@ -78,8 +95,8 @@
 save(const struct ip6t_ip6 *ip,
 		 const struct ip6t_entry_match *match)
 {
-	const struct condition6_info *info =
-	    (const struct condition6_info *) match->data;
+	const struct condition_info *info =
+	    (const struct condition_info *) match->data;
 
 	printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
 }
@@ -88,8 +105,8 @@
 static struct ip6tables_match condition = {
 	.name = "condition",
 	.version = IPTABLES_VERSION,
-	.size = IP6T_ALIGN(sizeof(struct condition6_info)),
-	.userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
+	.size = IP6T_ALIGN(sizeof(struct condition_info)),
+	.userspacesize = IP6T_ALIGN(sizeof(struct condition_info)),
 	.help = &help,
 	.parse = &parse,
 	.final_check = &final_check,
diff -Nru iptables-1.3.5-20060820.orig/extensions/libipt_condition.c iptables-1.3.5-20060820/extensions/libipt_condition.c
--- iptables-1.3.5-20060820.orig/extensions/libipt_condition.c	2006-08-21 02:22:24.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/libipt_condition.c	2006-08-21 03:18:01.000000000 +0200
@@ -5,8 +5,7 @@
 #include <getopt.h>
 #include <iptables.h>
 
-#include<linux/netfilter_ipv4/ip_tables.h>
-#include<linux/netfilter_ipv4/ipt_condition.h>
+#include<linux/netfilter/xt_condition.h>
 
 
 static void
@@ -29,6 +28,10 @@
       const struct ipt_entry *entry, unsigned int *nfcache,
       struct ipt_entry_match **match)
 {
+	static const char * const forbidden_names[]={ "", ".", ".." };
+	const char *name;
+	int i;
+
 	struct condition_info *info =
 	    (struct condition_info *) (*match)->data;
 
@@ -39,12 +42,26 @@
 
 		check_inverse(optarg, &invert, &optind, 0);
 
-		if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
-			strcpy(info->name, argv[optind - 1]);
-		else
+		name = argv[optind - 1];
+		/* We don't want a '/' in a proc file name. */
+		for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+			if (name[i] == '/')
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't have a '/' in a condition name");
+
+		/* We can't handle file names longer than CONDITION_NAME_LEN and */
+		/* we want a NULL terminated string. */
+		if (i == CONDITION_NAME_LEN)
 			exit_error(PARAMETER_PROBLEM,
 				   "File name too long");
 
+		/* We don't want certain reserved names. */
+		for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+			if(strcmp(name, forbidden_names[i])==0)
+				exit_error(PARAMETER_PROBLEM,
+					   "Forbidden condition name");
+
+		strcpy(info->name, name);
 		info->invert = invert;
 		*flags = 1;
 		return 1;

Re: patch for iptables

[Pablo Neira Ayuso]

Massimiliano Hofer wrote:
> I was so careful testing my new version of condition for binary compatiblity 
> that I didnt't notice it breaks recompilation of the userspace utilities. :)
> 
> Here is a patch that uses the new include for the XT version. While I was at 
> it, I updated the sanity checks in order to match the module ones.
> 
> One caveat: I break compatibility with older kernels that don't have XT. 
> What's the policy for backward compatibility in iptables? Shall I put a few 
> #ifdefs?

The official policy is "do not break backward" :). IHMO, if we want to 
go further with iptables we need to think about providing a netlink API.

For out-of-tree stuff the thing can be different, I have seen breakages 
if it really required it. For example, the string match is not 
compatible with the old and broken match for 2.4.

Please see below a comment about your patch:

> ------------------------------------------------------------------------
> 
> diff -Nru iptables-1.3.5-20060820.orig/extensions/.condition-test iptables-1.3.5-20060820/extensions/.condition-test
> --- iptables-1.3.5-20060820.orig/extensions/.condition-test	2006-08-21 02:22:24.000000000 +0200
> +++ iptables-1.3.5-20060820/extensions/.condition-test	2006-08-21 02:39:15.000000000 +0200
> @@ -1,3 +1,3 @@
>  #!/bin/sh
>  # True if condition is applied.
> -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition
> +[ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] && echo condition

You don't need to break it. Just put a dummy ipt_condition.h file that 
points to xt_condition.h

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: patch for iptables

[Massimiliano Hofer]

On Tuesday 22 August 2006 4:53 pm, Pablo Neira Ayuso wrote:

> The official policy is "do not break backward" :). IHMO, if we want to
> go further with iptables we need to think about providing a netlink API.
>
> For out-of-tree stuff the thing can be different, I have seen breakages
> if it really required it. For example, the string match is not
> compatible with the old and broken match for 2.4.

OK. I will send a backward compatible version in a few hours.
With new things as XT, however, many things may move on the kernel side and 
there's no reason for the userspace build system to meddle in the kernel 
includes.
Maybe we sould just do a non-mandatory check in $KERNEL/.config 
(or /proc/config.gz where available) and just keep a coherent set of includes 
with proper structures and associated version numbers?

-- 
Saluti,
   Massimiliano Hofer
        Nucleus

Re: patch for iptables

[Massimiliano Hofer]

On Tuesday 22 August 2006 4:53 pm, Pablo Neira Ayuso wrote:

> The official policy is "do not break backward" :). IHMO, if we want to
> go further with iptables we need to think about providing a netlink API.
>
> For out-of-tree stuff the thing can be different, I have seen breakages
> if it really required it. For example, the string match is not
> compatible with the old and broken match for 2.4.

I'd like to make it backward compatible, but, so far, I've seen only these 
possibilities:
a) put a legacy include in the kernel part (ugly);
b) put a kernel version #ifdef in the userspace part (invasive of the build 
system, since, as far as I can tell, no such #defines are present);
c) drop support (it's... well... unsupportive :)).

Of course you could add "d) you're boneheaded and there's a great solution, 
it's just that you can't find it". :)

To be frank, I'm not a great fan of userspace build systems that meddle too 
much in the kernel, especially if it's just a few structures and you're 
committed to keep backward compatibility anyway. It would be more convinient 
if, for example, I could build iptables with lots of extension I don't have 
in my kernel. It would be even more convenient if I tried to package an RPM 
and I didn't want to depend on specific kernel patches being installed.

Anyway, I'd tend to discard a) and would like not to choose c).
Would you accept a patch that introduces kernel version #defines?
Do you have better solutions?

-- 
Saluti,
   Massimiliano Hofer
        Nucleus

Re: patch for iptables

[Pablo Neira Ayuso]

Massimiliano Hofer wrote:
> On Tuesday 22 August 2006 4:53 pm, Pablo Neira Ayuso wrote:
> 
>> The official policy is "do not break backward" :). IHMO, if we want to
>> go further with iptables we need to think about providing a netlink API.
>>
>> For out-of-tree stuff the thing can be different, I have seen breakages
>> if it really required it. For example, the string match is not
>> compatible with the old and broken match for 2.4.
> 
> I'd like to make it backward compatible, but, so far, I've seen only these 
> possibilities:
> a) put a legacy include in the kernel part (ugly);
> b) put a kernel version #ifdef in the userspace part (invasive of the build 
> system, since, as far as I can tell, no such #defines are present);
> c) drop support (it's... well... unsupportive :)).
> 
> Of course you could add "d) you're boneheaded and there's a great solution, 
> it's just that you can't find it". :)
> 
> To be frank, I'm not a great fan of userspace build systems that meddle too 
> much in the kernel,

Nor me but this is something that we have to live with. I think we all
have learnt the lesson: the new netlink libraries for queue, log,
conntrack don't share whole structures between kernel and userspace, so
we don't need to get fixed to a certain layout.

> especially if it's just a few structures and you're 
> committed to keep backward compatibility anyway. It would be more convinient 
> if, for example, I could build iptables with lots of extension I don't have 
> in my kernel. It would be even more convenient if I tried to package an RPM 
> and I didn't want to depend on specific kernel patches being installed.

I understand your situation but breaking backward compatibility is not
the solution. About the possibility of including the version support, I
proposed the revision thing for matches/targets time ago and I must
confess that I don't like it so much: it was a hack, we need it for
popular revisions of multiport and mark but we decided that people might
have really good reasons to add a new version. So, introducing another
revision thing is not something that I like.

> Anyway, I'd tend to discard a) and would like not to choose c).
> Would you accept a patch that introduces kernel version #defines?
> Do you have better solutions?

To implement a netlink interface for iptables.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: patch for iptables

[Massimiliano Hofer]

[-- Attachment #1: Type: text/plain, Size: 1298 bytes --]

On Tuesday 26 September 2006 1:25 am, Pablo Neira Ayuso wrote:

> I understand your situation but breaking backward compatibility is not
> the solution. About the possibility of including the version support, I
> proposed the revision thing for matches/targets time ago and I must
> confess that I don't like it so much: it was a hack, we need it for
> popular revisions of multiport and mark but we decided that people might
> have really good reasons to add a new version. So, introducing another
> revision thing is not something that I like.

I wasn't all that convinced myself. We would end up with multiple userspace 
revision support in kernel and multiple kernel revision support in userspace. 
This has the potential of becoming a real mess.

I found a better hack (but a hack nonetheless) using #defines and I attach it.
It's been tested with kernels 2.6.1[5-8].

Please consider it for inclusion in the current iptables.

> > Anyway, I'd tend to discard a) and would like not to choose c).
> > Would you accept a patch that introduces kernel version #defines?
> > Do you have better solutions?
>
> To implement a netlink interface for iptables.

I hoped for something less drastic and more immediate. In the long run you may 
be right.

-- 
Saluti,
   Massimiliano Hofer
        Nucleus

[-- Attachment #2: iptables-1.3.5-20060922.patch --]
[-- Type: text/x-diff, Size: 7374 bytes --]

diff -Nru iptables-1.3.5-20060922.orig/extensions/.condition-test iptables-1.3.5-20060922.new/extensions/.condition-test
--- iptables-1.3.5-20060922.orig/extensions/.condition-test	2002-11-02 16:00:15.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/.condition-test	2006-09-26 12:56:01.000000000 +0200
@@ -1,3 +1,5 @@
 #!/bin/sh
 # True if condition is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition
+( [ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] ||
+  [ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] ) &&
+ echo condition
diff -Nru iptables-1.3.5-20060922.orig/extensions/.condition-test6 iptables-1.3.5-20060922.new/extensions/.condition-test6
--- iptables-1.3.5-20060922.orig/extensions/.condition-test6	2003-02-25 12:54:56.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/.condition-test6	2006-09-26 12:55:23.000000000 +0200
@@ -1,3 +1,5 @@
 #!/bin/sh
 # True if condition6 is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] && echo condition
+( [ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] ||
+  [ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] ) &&
+ echo condition
diff -Nru iptables-1.3.5-20060922.orig/extensions/libip6t_condition.c iptables-1.3.5-20060922.new/extensions/libip6t_condition.c
--- iptables-1.3.5-20060922.orig/extensions/libip6t_condition.c	2005-02-14 14:13:04.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libip6t_condition.c	2006-09-26 13:04:09.000000000 +0200
@@ -6,7 +6,14 @@
 #include <ip6tables.h>
 
 #include<linux/netfilter_ipv6/ip6_tables.h>
+
+#ifndef _X_TABLES_H
 #include<linux/netfilter_ipv6/ip6t_condition.h>
+#define condition_info condition6_info
+#define CONDITION_NAME_LEN CONDITION6_NAME_LEN
+#else
+#include<linux/netfilter/xt_condition.h>
+#endif
 
 
 static void
@@ -29,8 +36,12 @@
       const struct ip6t_entry *entry, unsigned int *nfcache,
       struct ip6t_entry_match **match)
 {
-	struct condition6_info *info =
-	    (struct condition6_info *) (*match)->data;
+	static const char * const forbidden_names[]={ "", ".", ".." };
+	const char *name;
+	int i;
+
+	struct condition_info *info =
+	    (struct condition_info *) (*match)->data;
 
 	if (c == 'X') {
 		if (*flags)
@@ -39,12 +50,26 @@
 
 		check_inverse(optarg, &invert, &optind, 0);
 
-		if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
-			strcpy(info->name, argv[optind - 1]);
-		else
+		name = argv[optind - 1];
+		/* We don't want a '/' in a proc file name. */
+		for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+			if (name[i] == '/')
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't have a '/' in a condition name");
+
+		/* We can't handle file names longer than CONDITION_NAME_LEN and */
+		/* we want a NULL terminated string. */
+		if (i == CONDITION_NAME_LEN)
 			exit_error(PARAMETER_PROBLEM,
 				   "File name too long");
 
+		/* We don't want certain reserved names. */
+		for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+			if(strcmp(name, forbidden_names[i])==0)
+				exit_error(PARAMETER_PROBLEM,
+					   "Forbidden condition name");
+
+		strcpy(info->name, name);
 		info->invert = invert;
 		*flags = 1;
 		return 1;
@@ -67,8 +92,8 @@
 print(const struct ip6t_ip6 *ip,
 		  const struct ip6t_entry_match *match, int numeric)
 {
-	const struct condition6_info *info =
-	    (const struct condition6_info *) match->data;
+	const struct condition_info *info =
+	    (const struct condition_info *) match->data;
 
 	printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
 }
@@ -78,8 +103,8 @@
 save(const struct ip6t_ip6 *ip,
 		 const struct ip6t_entry_match *match)
 {
-	const struct condition6_info *info =
-	    (const struct condition6_info *) match->data;
+	const struct condition_info *info =
+	    (const struct condition_info *) match->data;
 
 	printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
 }
@@ -88,8 +113,8 @@
 static struct ip6tables_match condition = {
 	.name = "condition",
 	.version = IPTABLES_VERSION,
-	.size = IP6T_ALIGN(sizeof(struct condition6_info)),
-	.userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
+	.size = IP6T_ALIGN(sizeof(struct condition_info)),
+	.userspacesize = IP6T_ALIGN(sizeof(struct condition_info)),
 	.help = &help,
 	.parse = &parse,
 	.final_check = &final_check,
diff -Nru iptables-1.3.5-20060922.orig/extensions/libip6t_condition.man iptables-1.3.5-20060922.new/extensions/libip6t_condition.man
--- iptables-1.3.5-20060922.orig/extensions/libip6t_condition.man	2006-01-30 09:50:09.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libip6t_condition.man	2006-09-26 09:31:40.000000000 +0200
@@ -1,4 +1,4 @@
 This matches if a specific /proc filename is '0' or '1'.
 .TP
 .BR "--condition " "[!] \fIfilename"
-Match on boolean value stored in /proc/net/ip6t_condition/filename file
+Match on boolean value stored in /proc/net/nf_condition/filename file
diff -Nru iptables-1.3.5-20060922.orig/extensions/libipt_condition.c iptables-1.3.5-20060922.new/extensions/libipt_condition.c
--- iptables-1.3.5-20060922.orig/extensions/libipt_condition.c	2005-02-14 14:13:04.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libipt_condition.c	2006-09-26 12:01:57.000000000 +0200
@@ -6,7 +6,12 @@
 #include <iptables.h>
 
 #include<linux/netfilter_ipv4/ip_tables.h>
+
+#ifndef _X_TABLES_H
 #include<linux/netfilter_ipv4/ipt_condition.h>
+#else
+#include<linux/netfilter/xt_condition.h>
+#endif
 
 
 static void
@@ -29,6 +34,10 @@
       const struct ipt_entry *entry, unsigned int *nfcache,
       struct ipt_entry_match **match)
 {
+	static const char * const forbidden_names[]={ "", ".", ".." };
+	const char *name;
+	int i;
+
 	struct condition_info *info =
 	    (struct condition_info *) (*match)->data;
 
@@ -39,12 +48,26 @@
 
 		check_inverse(optarg, &invert, &optind, 0);
 
-		if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
-			strcpy(info->name, argv[optind - 1]);
-		else
+		name = argv[optind - 1];
+		/* We don't want a '/' in a proc file name. */
+		for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+			if (name[i] == '/')
+				exit_error(PARAMETER_PROBLEM,
+					   "Can't have a '/' in a condition name");
+
+		/* We can't handle file names longer than CONDITION_NAME_LEN and */
+		/* we want a NULL terminated string. */
+		if (i == CONDITION_NAME_LEN)
 			exit_error(PARAMETER_PROBLEM,
 				   "File name too long");
 
+		/* We don't want certain reserved names. */
+		for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+			if(strcmp(name, forbidden_names[i])==0)
+				exit_error(PARAMETER_PROBLEM,
+					   "Forbidden condition name");
+
+		strcpy(info->name, name);
 		info->invert = invert;
 		*flags = 1;
 		return 1;
diff -Nru iptables-1.3.5-20060922.orig/extensions/libipt_condition.man iptables-1.3.5-20060922.new/extensions/libipt_condition.man
--- iptables-1.3.5-20060922.orig/extensions/libipt_condition.man	2006-01-30 09:50:09.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libipt_condition.man	2006-09-26 09:31:42.000000000 +0200
@@ -1,4 +1,4 @@
 This matches if a specific /proc filename is '0' or '1'.
 .TP
 .BI "--condition " "[!] \fIfilename\fP"
-Match on boolean value stored in /proc/net/ipt_condition/filename file
+Match on boolean value stored in /proc/net/nf_condition/filename file

Re: Patch for iptables

[Yasuyuki KOZAKAI]

Hi,

From: "Khem Raj" <raj.khem@gmail.com>
Date: Tue, 29 Apr 2008 11:01:03 -0700

> Hello Yasuyuki-san
> 
> I am not a regular contributor to iptables. However this is what I
> noticed errors when I compiled latest iptables release on glibc 2.8
> iptables is using union ip6_u directly which has been changed in
> glibc. Usually it is preferred that these unions are accessed via the
> provided macros that way any change in glibc headers is not affecting
> the package the following patch works  and I have tested it on
> OpenEmbedded.

Thank you for sending patch. I've fixed up it to apply to the recent
iptables. Please send patches to netfilter-devel@vger.kernel.org from next
time.

Patrick, please apply the following patch.

Regards,

-- Yasuyuki Kozakai

>From 8a0ecbad5da56d9bad612bc44f2d143ca498491d Mon Sep 17 00:00:00 2001
From: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Date: Wed, 4 Jun 2008 08:07:05 +0900
Subject: Use s6_addr32 to access bits in int6_addr instead of incompatible name

Spotted by Khem Raj <raj.khem@gmail.com>

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
---
 libiptc/libip6tc.c |    2 +-
 xtables.c          |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
index effbd44..71e262e 100644
--- a/libiptc/libip6tc.c
+++ b/libiptc/libip6tc.c
@@ -113,7 +113,7 @@ typedef unsigned int socklen_t;
 #include "libiptc.c"
 
 #define BIT6(a, l) \
- ((ntohl(a->in6_u.u6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
+ ((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
 
 int
 ipv6_prefix_length(const struct in6_addr *a)
diff --git a/xtables.c b/xtables.c
index 743c07b..8241687 100644
--- a/xtables.c
+++ b/xtables.c
@@ -1178,7 +1178,7 @@ void ip6parse_hostnetworkmask(const char *name, struct in6_addr **addrpp,
 	n = *naddrs;
 	for (i = 0, j = 0; i < n; ++i) {
 		for (k = 0; k < 4; ++k)
-			addrp[j].in6_u.u6_addr32[k] &= maskp->in6_u.u6_addr32[k];
+			addrp[j].s6_addr32[k] &= maskp->s6_addr32[k];
 		++j;
 		for (k = 0; k < j - 1; ++k)
 			if (IN6_ARE_ADDR_EQUAL(&addrp[k], &addrp[j - 1])) {
-- 
1.5.3.6

Re: Patch for iptables

[Patrick McHardy]

Yasuyuki KOZAKAI wrote:
> Hi,
> 
> From: "Khem Raj" <raj.khem@gmail.com>
> Date: Tue, 29 Apr 2008 11:01:03 -0700
> 
>> Hello Yasuyuki-san
>>
>> I am not a regular contributor to iptables. However this is what I
>> noticed errors when I compiled latest iptables release on glibc 2.8
>> iptables is using union ip6_u directly which has been changed in
>> glibc. Usually it is preferred that these unions are accessed via the
>> provided macros that way any change in glibc headers is not affecting
>> the package the following patch works  and I have tested it on
>> OpenEmbedded.
> 
> Thank you for sending patch. I've fixed up it to apply to the recent
> iptables. Please send patches to netfilter-devel@vger.kernel.org from next
> time.
> 
> Patrick, please apply the following patch.

Done, thanks. Is git not working properly for you?