[PATCH 1/2] extensions: libxt_rateest: output all options in save hook

[PATCH 1/2] extensions: libxt_rateest: output all options in save hook

[Florian Westphal]

ipt-restore fails to parse the ipt-save output:
zmatches -m rateest --rateest RE1 --rateest-pps --rateest-lt 5
(should be "--rateest-pps 5 --rateest-lt").  Also, the "delta" option
was never shown in -save output, but twice in some cases when using
"iptables -L".

Also, the "b/pps1" option must be shown when "delta" option is used with
relative mode.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 extensions/libxt_rateest.c |   55 +++++++++++++++++++++++++++----------------
 1 files changed, 34 insertions(+), 21 deletions(-)

diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 86bbb06..185a813 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -348,8 +348,8 @@ rateest_print(const void *ip, const struct xt_entry_match *match, int numeric)
 		if (info->flags & XT_RATEEST_MATCH_DELTA)
 			rateest_print_rate(info->bps1, numeric);
 		if (info->flags & XT_RATEEST_MATCH_ABS) {
-			rateest_print_mode(info, "");
 			rateest_print_rate(info->bps2, numeric);
+			rateest_print_mode(info, "");
 		}
 	}
 	if (info->flags & XT_RATEEST_MATCH_PPS) {
@@ -366,8 +366,6 @@ rateest_print(const void *ip, const struct xt_entry_match *match, int numeric)
 		rateest_print_mode(info, "");
 
 		printf(" %s", info->name2);
-		if (info->flags & XT_RATEEST_MATCH_DELTA)
-			printf(" delta");
 
 		if (info->flags & XT_RATEEST_MATCH_BPS) {
 			printf(" bps");
@@ -382,33 +380,48 @@ rateest_print(const void *ip, const struct xt_entry_match *match, int numeric)
 	}
 }
 
+static void __rateest_save_rate(const struct xt_rateest_match_info *info,
+                                const char *name, uint32_t r1, uint32_t r2,
+                                int numeric)
+{
+	if (info->flags & XT_RATEEST_MATCH_DELTA) {
+		printf(" --rateest-%s1", name);
+		rateest_print_rate(r1, numeric);
+		rateest_print_mode(info, "--rateest-");
+		printf(" --rateest-%s2", name);
+	} else {
+		rateest_print_mode(info, "--rateest-");
+		printf(" --rateest-%s", name);
+	}
+
+	if (info->flags & (XT_RATEEST_MATCH_ABS|XT_RATEEST_MATCH_DELTA))
+		rateest_print_rate(r2, numeric);
+}
+
+static void rateest_save_rates(const struct xt_rateest_match_info *info)
+{
+	if (info->flags & XT_RATEEST_MATCH_BPS)
+		__rateest_save_rate(info, "bps", info->bps1, info->bps2, 0);
+	if (info->flags & XT_RATEEST_MATCH_PPS)
+		__rateest_save_rate(info, "pps", info->pps1, info->pps2, 1);
+}
+
+
 static void
 rateest_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_rateest_match_info *info = (const void *)match->data;
 
+	if (info->flags & XT_RATEEST_MATCH_DELTA)
+		printf(" --rateest-delta");
+
 	if (info->flags & XT_RATEEST_MATCH_REL) {
 		printf(" --rateest1 %s", info->name1);
-		if (info->flags & XT_RATEEST_MATCH_BPS)
-			printf(" --rateest-bps");
-		if (info->flags & XT_RATEEST_MATCH_PPS)
-			printf(" --rateest-pps");
-		rateest_print_mode(info, " --rateest-");
+		rateest_save_rates(info);
 		printf(" --rateest2 %s", info->name2);
-	} else {
+	} else { /* XT_RATEEST_MATCH_ABS */
 		printf(" --rateest %s", info->name1);
-		if (info->flags & XT_RATEEST_MATCH_BPS) {
-			printf(" --rateest-bps1");
-			rateest_print_rate(info->bps1, 0);
-			printf(" --rateest-bps2");
-			rateest_print_rate(info->bps2, 0);
-			rateest_print_mode(info, "--rateest-");
-		}
-		if (info->flags & XT_RATEEST_MATCH_PPS) {
-			printf(" --rateest-pps");
-			rateest_print_mode(info, "--rateest-");
-			printf(" %u", info->pps2);
-		}
+		rateest_save_rates(info);
 	}
 }
 
-- 
1.7.3.4

[PATCH 2/2] tests: add rateest match rules

[Florian Westphal]

also, -p mobility gets us EINVAL from kernel, use -p ipv6-mh instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 tests/options-most.rules |   28 ++++++++++++----------------
 1 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/tests/options-most.rules b/tests/options-most.rules
index 7573361..30dac16 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -54,8 +54,7 @@
 -A INPUT -p tcp -m tcpmss --mss 1:2 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/0
 -A INPUT
--A INPUT -p mobility
--A INPUT -p mobility -m mh --mh-type 3
+-A INPUT -p ipv6-mh -m mh --mh-type 3
 -A OUTPUT -m owner --socket-exists --uid-owner 1-2 --gid-owner 2-3
 -A OUTPUT -m owner ! --socket-exists ! --uid-owner 0 ! --gid-owner 0
 -A matches -m connbytes --connbytes 1 --connbytes-mode bytes --connbytes-dir both
@@ -184,20 +183,17 @@
 -A ntarg
 -A ntarg -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
 -A ntarg
-#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit
-#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-bps 8bit
-#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-bps 8bit
-#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-pps 5
-#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-pps 5
-#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-pps 5
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit
-#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --bytes
-#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --packets
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9
+-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit
+-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-pps 5
+-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-bps 5kbit
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit
+-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest-bps --rateest2 RE2
+-A zmatches -m rateest --rateest-delta --rateest1 RE1 --rateest-lt --rateest2 RE2 --rateest-pps2 42
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9
 COMMIT
 *mangle
 :PREROUTING ACCEPT [0:0]
-- 
1.7.3.4

Re: [PATCH 2/2] tests: add rateest match rules

[Pablo Neira Ayuso]

On Thu, May 17, 2012 at 01:03:09PM +0200, Florian Westphal wrote:
> also, -p mobility gets us EINVAL from kernel, use -p ipv6-mh instead.

/etc/services in debian uses mobility-header instead mobility.

Better, use -p 135 and add some comment telling that this is IPv6
mobility until distributors agree.

http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

IANA also seems to use mobility-header, btw.

Would you re-send me this patch, please?

Re: [PATCH 1/2] extensions: libxt_rateest: output all options in save hook

[Pablo Neira Ayuso]

On Thu, May 17, 2012 at 01:03:08PM +0200, Florian Westphal wrote:
> ipt-restore fails to parse the ipt-save output:
> zmatches -m rateest --rateest RE1 --rateest-pps --rateest-lt 5
> (should be "--rateest-pps 5 --rateest-lt").  Also, the "delta" option
> was never shown in -save output, but twice in some cases when using
> "iptables -L".
> 
> Also, the "b/pps1" option must be shown when "delta" option is used with
> relative mode.

Applied, thanks.

iptables release will follow-up soon, including this fix.

Re: [PATCH 2/2] tests: add rateest match rules

[Florian Westphal]

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, May 17, 2012 at 01:03:09PM +0200, Florian Westphal wrote:
> > also, -p mobility gets us EINVAL from kernel, use -p ipv6-mh instead.
> 
> /etc/services in debian uses mobility-header instead mobility.

Should still work, iptables has ipv6-mh hardwired as fallback,
see xtables_parse_protocol() in libxtables/xtables.c .

Do you still want me to resend it with -p 135?

Re: [PATCH 2/2] tests: add rateest match rules

[Pablo Neira Ayuso]

On Tue, May 22, 2012 at 09:10:03PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Thu, May 17, 2012 at 01:03:09PM +0200, Florian Westphal wrote:
> > > also, -p mobility gets us EINVAL from kernel, use -p ipv6-mh instead.
> > 
> > /etc/services in debian uses mobility-header instead mobility.
> 
> Should still work, iptables has ipv6-mh hardwired as fallback,
> see xtables_parse_protocol() in libxtables/xtables.c .
> 
> Do you still want me to resend it with -p 135?

No, as long as it still works. No need to resend, thanks.