* [PATCH] goto port to ipv6
From: Jonas Berlin @ 2005-04-13 8:03 UTC
To: netfilter-devel; +Cc: Henrik Nordstrom
I ported the goto patch to ipv6.
The attached files are meant to be placed in patch-o-matic-ng/goto/ to
extend the current module with ipv6 functionality. The set of modified
files is naturally mutually exclusive with that of the existing goto
patches.
--
- xkr47
[-- Attachment #2: iptables.patch_5-ipv6 --]
diff -Np -ur orig-iptables-1.3.1/ip6tables-save.c iptables-1.3.1/ip6tables-save.c
--- orig-iptables-1.3.1/ip6tables-save.c 2005-03-26 17:32:13.000000000 +0200
+++ iptables-1.3.1/ip6tables-save.c 2005-04-13 10:40:36.000000000 +0300
@@ -190,7 +190,7 @@ static void print_rule(const struct ip6t
/* Print target name */
target_name = ip6tc_get_target(e, h);
if (target_name && (*target_name != '\0'))
- printf("-j %s ", target_name);
+ printf("-%c %s ", e->ipv6.flags & IP6T_F_GOTO ? 'g' : 'j', target_name);
/* Print targinfo part */
t = ip6t_get_target((struct ip6t_entry *)e);
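Review bot: the new printf in ip6tables-save.c reads e->ipv6.flags & IP6T_F_GOTO without the #ifdef IP6T_F_GOTO guard that the ip6tables.c hunks below use, so this file will not compile against a kernel header that lacks the flag. Either guard it the same way (falling back to the plain "-j %s " line) or drop the guards everywhere if the patched header is a hard requirement; mixing both styles in one patch is what gets broken builds.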
diff -Np -ur orig-iptables-1.3.1/ip6tables.8.in iptables-1.3.1/ip6tables.8.in
--- orig-iptables-1.3.1/ip6tables.8.in 2005-03-26 17:32:13.000000000 +0200
+++ iptables-1.3.1/ip6tables.8.in 2005-04-13 10:39:08.000000000 +0300
@@ -267,10 +267,18 @@ one this rule is in), one of the special
the fate of the packet immediately, or an extension (see
.B EXTENSIONS
below). If this
-option is omitted in a rule, then matching the rule will have no
+option is omitted in a rule (and
+.B -g
+is not used), then matching the rule will have no
effect on the packet's fate, but the counters on the rule will be
incremented.
.TP
+.BI "-g, --goto " "chain"
+This specifies that the processing should continue in a user
+specified chain. Unlike the --jump option return will not continue
+processing in this chain but instead in the chain that called us via
+--jump.
+.TP
.BR "-i, --in-interface " "[!] \fIname\fP"
Name of an interface via which a packet is going to be received (only for
packets entering the
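Review bot: the --goto paragraph should say that the argument must be a user-defined chain, because the ip6tables.c hunk rejects -g to anything else with "goto '%s' is not a chain", and that -g and -j cannot be combined in one rule (both set OPT_JUMP). Also a comma is missing and --jump should be marked up like the surrounding options: "Unlike the \fB--jump\fP option, RETURN will not continue processing in this chain but instead in the chain that called us via \fB--jump\fP."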
diff -Np -ur orig-iptables-1.3.1/ip6tables.c iptables-1.3.1/ip6tables.c
--- orig-iptables-1.3.1/ip6tables.c 2005-04-13 10:27:11.000000000 +0300
+++ iptables-1.3.1/ip6tables.c 2005-04-13 10:41:07.000000000 +0300
@@ -134,6 +134,7 @@ static struct option original_opts[] = {
{ "line-numbers", 0, 0, '0' },
{ "modprobe", 1, 0, 'M' },
{ "set-counters", 1, 0, 'c' },
+ { "goto", 1, 0, 'g' },
{ 0 }
};
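Review bot: the { "goto", 1, 0, 'g' } entry is added unconditionally, while the --goto help text and the case 'g' handler in the later hunks are wrapped in #ifdef IP6T_F_GOTO. Without the flag, getopt_long still accepts --goto and the value then falls into the default error path. Put this entry under the same #ifdef so the option table, help text and parser stay in step.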
@@ -331,6 +332,10 @@ exit_printhelp(struct ip6tables_rule_mat
" network interface name ([+] for wildcard)\n"
" --jump -j target\n"
" target for rule (may load target extension)\n"
+#ifdef IP6T_F_GOTO
+" --goto -g chain\n"
+" jump to chain with no return\n"
+#endif
" --match -m match\n"
" extended match (may load extension)\n"
" --numeric -n numeric output of addresses and ports\n"
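Review bot: "jump to chain with no return" can be read as "the chain never returns", which is not what goto does; the man page wording is clearer. Suggest something like "jump to chain; RETURN goes to the caller of this chain" so -h alone explains the semantics.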
@@ -1296,6 +1301,9 @@ print_firewall(const struct ip6t_entry *
if (format & FMT_NOTABLE)
fputs(" ", stdout);
+ if(fw->ipv6.flags & IP6T_F_GOTO)
+ printf("[goto] ");
+
IP6T_MATCH_ITERATE(fw, print_match, &fw->ipv6, format & FMT_NUMERIC);
if (target) {
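Review bot: if(fw->ipv6.flags & IP6T_F_GOTO) is unguarded, unlike the other ip6tables.c hunks, so it has the same build problem as the ip6tables-save.c change when the header lacks the flag. As the thread discusses, printing "[goto] " in front of the matches also separates the marker from the target column it qualifies, which makes -L output harder to read and to grep; if a marker in the target column is chosen instead, this is the place to change. Style: "if (" with a space, as in the surrounding code.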
@@ -1731,7 +1739,7 @@ int do_command6(int argc, char *argv[],
opterr = 0;
while ((c = getopt_long(argc, argv,
- "-A:D:R:I:L::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:",
+ "-A:D:R:I:L::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:",
opts, NULL)) != -1) {
switch (c) {
/*
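Review bot: "g:" is appended to the getopt string unconditionally while case 'g' in the next hunk is under #ifdef IP6T_F_GOTO, so on a build without the flag "-g chain" is consumed by getopt and then hits the default case with a generic error rather than a clear "goto not supported". Keep the getopt string and the switch case under the same guard.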
@@ -1902,6 +1910,15 @@ int do_command6(int argc, char *argv[],
dhostnetworkmask = argv[optind-1];
break;
+#ifdef IP6T_F_GOTO
+ case 'g':
+ set_option(&options, OPT_JUMP, &fw.ipv6.invflags,
+ invert);
+ fw.ipv6.flags |= IP6T_F_GOTO;
+ jumpto = parse_target(optarg);
+ break;
+#endif
+
case 'j':
set_option(&options, OPT_JUMP, &fw.ipv6.invflags,
invert);
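Review bot: case 'g' and case 'j' both call set_option with OPT_JUMP, so a rule giving both -g and -j is refused as a duplicate jump option; that is the right outcome, but the error will be phrased in terms of the shared OPT_JUMP flag rather than naming -g, so a dedicated check with its own message would be friendlier. The handler also forwards invert, meaning "! -g chain" is accepted exactly like "! -j chain"; if negating a goto has no meaning, reject it here explicitly rather than letting it through.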
@@ -2243,6 +2260,11 @@ int do_command6(int argc, char *argv[],
* We cannot know if the plugin is corrupt, non
* existant OR if the user just misspelled a
* chain. */
+#ifdef IP6T_F_GOTO
+ if (fw.ipv6.flags & IP6T_F_GOTO)
+ exit_error(PARAMETER_PROBLEM,
+ "goto '%s' is not a chain\n", jumpto);
+#endif
find_target(jumpto, LOAD_MUST_SUCCEED);
} else {
e = generate_entry(&fw, matches, target->t);
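Review bot: placing the IP6T_F_GOTO check before find_target(jumpto, LOAD_MUST_SUCCEED) is correct: a goto to a target extension such as ACCEPT is refused instead of being loaded as a target. Since the comment just above says a failed lookup may equally be a misspelled chain, phrase the message to cover both cases, e.g. "goto '%s': no such chain (goto needs a user-defined chain)".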
[-- Attachment #3: linux.patch_5-ipv6 --]
diff -ur --exclude-from=/tmp/srcdiff.excludes.hsvBiq -N orig-linux-2.6.11/include/linux/netfilter_ipv6/ip6_tables.h linux-2.6.11/include/linux/netfilter_ipv6/ip6_tables.h
--- orig-linux-2.6.11/include/linux/netfilter_ipv6/ip6_tables.h 2005-03-14 13:40:33.000000000 +0200
+++ linux-2.6.11/include/linux/netfilter_ipv6/ip6_tables.h 2005-03-15 04:09:12.197387923 +0200
@@ -111,7 +111,8 @@
#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
protocols */
#define IP6T_F_TOS 0x02 /* Match the TOS. */
-#define IP6T_F_MASK 0x03 /* All possible flag bits mask. */
+#define IP6T_F_GOTO 0x04 /* Set if jump is a goto */
+#define IP6T_F_MASK 0x07 /* All possible flag bits mask. */
/* Values for "inv" field in struct ip6t_ip6. */
#define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
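Review bot: raising IP6T_F_MASK to 0x07 alongside the new bit is what lets a kernel that has this header validate goto rules, while older kernels, which still check flags against a 0x03 mask, reject any ruleset carrying IP6T_F_GOTO (as confirmed later in the thread). That makes this header change and the ip6_tables.c change below a unit; userspace built against the new header must not be combined with an older kernel. Minor: end the new comment with a period to match "/* Match the TOS. */".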
diff -ur --exclude-from=/tmp/srcdiff.excludes.hsvBiq -N orig-linux-2.6.11/net/ipv6/netfilter/ip6_tables.c linux-2.6.11/net/ipv6/netfilter/ip6_tables.c
--- orig-linux-2.6.11/net/ipv6/netfilter/ip6_tables.c 2005-03-14 13:40:34.000000000 +0200
+++ linux-2.6.11/net/ipv6/netfilter/ip6_tables.c 2005-03-15 03:51:43.298086457 +0200
@@ -436,7 +436,7 @@
continue;
}
if (table_base + v
- != (void *)e + e->next_offset) {
+ != (void *)e + e->next_offset && !(e->ipv6.flags & IP6T_F_GOTO)) {
/* Save old back ptr in next entry */
struct ip6t_entry *next
= (void *)e + e->next_offset;
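Review bot: the extended condition pushes the line well past 80 columns; split it over two lines. The behaviour deserves a comment here too: by not saving the back pointer for a goto, a RETURN inside the target chain resumes at the back pointer left by the last real jump (or at the base chain's underflow if there was none), which is the intended goto semantics but is not obvious from the surrounding "Save old back ptr" comment. Note also that the check still only runs when the target is not the immediately following entry, so a goto to the next rule remains a plain fall-through.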
* Re: [PATCH] goto port to ipv6
From: Patrick McHardy @ 2005-04-17 22:19 UTC
To: Jonas Berlin; +Cc: netfilter-devel, Henrik Nordstrom
Jonas Berlin wrote:
> I ported the goto patch to ipv6.
BTW: Can anyone remember why it was decided not to submit the
goto patch at last year's workshop?
Regards
Patrick
* Re: [PATCH] goto port to ipv6
From: Henrik Nordstrom @ 2005-04-18 1:07 UTC
To: Patrick McHardy; +Cc: netfilter-devel
On Mon, 18 Apr 2005, Patrick McHardy wrote:
> Jonas Berlin wrote:
>> I ported the goto patch to ipv6.
>
> BTW: Can anyone remember why it was decided not to submit the
> goto patch at last year's workshop?
I don't remember exactly, but I think it wasn't considered an important
feature to have.
Regards
Henrik
* Re: [PATCH] goto port to ipv6
From: Patrick McHardy @ 2005-04-18 1:44 UTC
To: Henrik Nordstrom; +Cc: netfilter-devel
Henrik Nordstrom wrote:
> On Mon, 18 Apr 2005, Patrick McHardy wrote:
>
>> BTW: Can anyone remember why it was decided not to submit the
>> goto patch at last year's workshop?
>
> I don't remember exactly, but I think it wasn't considered an important
> feature to have.
But it's a useful feature. If this was the only reason, I think we
should submit it for both IPv4 and IPv6.
Regards
Patrick
* Re: [PATCH] goto port to ipv6
From: Jonas Berlin @ 2005-04-18 6:28 UTC
To: Patrick McHardy; +Cc: netfilter-devel
Quoting Patrick McHardy on 2005-04-18 01:44 UTC:
> But it's a useful feature. If this was the only reason, I think we
> should submit it for both IPv4 and IPv6.
What's your opinion of my fix included in this IPv6 port (which I fixed
for IPv4 separately and Harald accepted last friday) to indicate "goto"
targets in iptables -L listings with a [goto] in the match extension part?
One alternative could be adding some special character(s) around the
jump target itself, like *SUBCHAIN or SUBCHAIN* or ->SUBCHAIN or
something.. Also I have no idea whether one should consider the output
possibly being used by scripts etc, so I'd appreciate if people could
give their opinion on this (before it goes upstream :) ..
--
- xkr47
* Re: [PATCH] goto port to ipv6
From: Patrick Schaaf @ 2005-04-18 7:27 UTC
To: Jonas Berlin; +Cc: netfilter-devel
> What's your opinion of my fix included in this IPv6 port (which I fixed
> for IPv4 separately and Harald accepted last friday) to indicate "goto"
> targets in iptables -L listings with a [goto] in the match extension part?
>
> One alternative could be adding some special character(s) around the
> jump target itself, like *SUBCHAIN or SUBCHAIN* or ->SUBCHAIN or
> something.. Also I have no idea whether one should consider the output
> possibly being used by scripts etc, so I'd appreciate if people could
> give their opinion on this (before it goes upstream :) ...
Hmm. Isn't iptables-save considered the parse-this-in-scripts format?
Such code will have to learn about '-g', right? I have no idea how
many scripts or GUI visualizers would break. :)
Regarding the first column of -L output, from your list I would
choose SUBCHAIN*. I sometimes 'iptables -L | grep ^thischain',
and with a magic character suffix, this reflex will continue
to work.
Now, what magic character to use...
imap_in* tcp -- anywhere anywhere tcp dpt:imap
ssh_in) tcp -- anywhere anywhere tcp dpt:ssh
smtp_in. tcp -- anywhere anywhere tcp dpt:smtp
pop3_in! tcp -- anywhere anywhere tcp dpt:pop3
Hmm...
best regards
Patrick
* Re: [PATCH] goto port to ipv6
From: Henrik Nordstrom @ 2005-04-18 14:41 UTC
To: Patrick Schaaf; +Cc: netfilter-devel
On Mon, 18 Apr 2005, Patrick Schaaf wrote:
>> What's your opinion of my fix included in this IPv6 port (which I fixed
>> for IPv4 separately and Harald accepted last friday) to indicate "goto"
>> targets in iptables -L listings with a [goto] in the match extension part?
>>
>> One alternative could be adding some special character(s) around the
>> jump target itself, like *SUBCHAIN or SUBCHAIN* or ->SUBCHAIN or
>> something.. Also I have no idea whether one should consider the output
>> possibly being used by scripts etc, so I'd appreciate if people could
>> give their opinion on this (before it goes upstream :) ...
>
> Hmm. Isn't iptables-save considered the parse-this-in-scripts format?
He is talking about iptables -L, not iptables-save.
iptables-save already prints it properly as a -g.
> Now, what magic character to use...
>
> imap_in* tcp -- anywhere anywhere tcp dpt:imap
> ssh_in) tcp -- anywhere anywhere tcp dpt:ssh
> smtp_in. tcp -- anywhere anywhere tcp dpt:smtp
> pop3_in! tcp -- anywhere anywhere tcp dpt:pop3
Unfortunately all of these are swallowed as chain names.. but hopefully
this should not be a problem. Nobody in his sane mind uses such chain
names, right?
I think I prefer the *. Or maybe #. Much better than having a goto flag at
the end of the line.
! is not a good choice as this looks like a negation of some form..
. may be confusing as I suspect there are many already using . in chain
names..
) feels like the chain got isolated somehow, which isn't really what it is
about. Goto is about terminating this chain.
The > symbol is better than ) I think if this type of "isolation" symbol
is desired. > indicates to me some form of direction which is closer to
what the goto is about.
Regards
Henrik
* Re: [PATCH] goto port to ipv6
From: Patrick McHardy @ 2005-04-24 16:47 UTC
To: Henrik Nordstrom; +Cc: netfilter-devel, Patrick Schaaf
Henrik Nordstrom wrote:
> I think I prefer the *. Or maybe #. Much better than having a goto flag
> at the end of the line.
What's so bad about having "goto" or "jump" at the end of the line?
Of the other suggestions I like ">" best, but this could just as well
mean a jump.
Regards
Patrick
* Re: [PATCH] goto port to ipv6
From: Henrik Nordstrom @ 2005-04-24 23:38 UTC
To: Patrick McHardy; +Cc: netfilter-devel, Patrick Schaaf
On Sun, 24 Apr 2005, Patrick McHardy wrote:
> Henrik Nordstrom wrote:
>> I think I prefer the *. Or maybe #. Much better than having a goto flag at
>> the end of the line.
>
> What's so bad about having "goto" or "jump" at the end of the line?
Nothing inherently bad with it, but looks a bit strange. But it's better
than nothing.
Regards
Henrik
* Re: [PATCH] goto port to ipv6
From: Henrik Nordstrom @ 2005-04-18 14:17 UTC
To: Patrick McHardy; +Cc: netfilter-devel
On Mon, 18 Apr 2005, Patrick McHardy wrote:
> But it's a useful feature. If this was the only reason, I think we
> should submit it for both IPv4 and IPv6.
I am not against this.
I wrote the patch because someone asked if it was possible, and if people
find good uses of it then I am very happy B)
From what I remember the patch is very non-intrusive and shouldn't cost
more than three more instruction bytes in the kernel.. Only note of caution
is that I don't remember if old kernels reject rulesets with goto or
silently accept the goto as a jump. I think it is silently accepted,
reading the goto as a jump, but hopefully the ruleset is rejected when the
kernel does not support goto (depends on how well the iptables kernel
verifies the content of the flags field).
Regards
Henrik
* Re: [PATCH] goto port to ipv6
From: Patrick McHardy @ 2005-04-24 16:41 UTC
To: Henrik Nordstrom; +Cc: netfilter-devel
Henrik Nordstrom wrote:
> From what I remember the patch is very non-intrusive and shouldn't cost
> more than three more instruction bytes in the kernel.. Only note of
> caution is that I don't remember if old kernels reject rulesets with
> goto or silently accept the goto as a jump. I think it is silently
> accepted, reading the goto as a jump, but hopefully the ruleset is
> rejected when the kernel does not support goto (depends on how well the
> iptables kernel verifies the content of the flags field).
It verifies that all unknown bits are set to 0, so old kernels should
reject rulesets with goto.
Regards
Patrick