[PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.

[PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.

[Yasuyuki KOZAKAI]

Note: libipt_tcp handled '--syn' as '--flags SYN,RST,ACK,FIN SYN', but
      libip6t_tcp handled it as '--flags SYN,RST,ACK SYN'. I keep this
      difference for now.

---
 extensions/Makefile      |    6 +-
 extensions/libip6t_tcp.c |  416 -----------------------------------------
 extensions/libipt_tcp.c  |  416 -----------------------------------------
 extensions/libxt_tcp.c   |  458 ++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 461 insertions(+), 835 deletions(-)
 delete mode 100644 extensions/libip6t_tcp.c
 delete mode 100644 extensions/libipt_tcp.c
 create mode 100644 extensions/libxt_tcp.c

diff --git a/extensions/Makefile b/extensions/Makefile
index b0df81c..d57fabe 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -5,9 +5,9 @@
 # header files are present in the include/linux directory of this iptables
 # package (HW)
 #
-PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac owner physdev pkttype policy realm sctp standard state tcp tos ttl unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE REDIRECT REJECT SAME SNAT TCPMSS TOS TTL TRACE ULOG
-PF6_EXT_SLIB:=connlimit connmark eui64 hl icmp6 length limit mac owner physdev policy standard state tcp CONNMARK HL LOG NFQUEUE MARK TCPMSS TRACE
-PFX_EXT_SLIB:=mark multiport tcpmss udp NOTRACK
+PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac owner physdev pkttype policy realm sctp standard state tos ttl unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE REDIRECT REJECT SAME SNAT TCPMSS TOS TTL TRACE ULOG
+PF6_EXT_SLIB:=connlimit connmark eui64 hl icmp6 length limit mac owner physdev policy standard state CONNMARK HL LOG NFQUEUE MARK TCPMSS TRACE
+PFX_EXT_SLIB:=mark multiport tcp tcpmss udp NOTRACK
 
 ifeq ($(DO_SELINUX), 1)
 PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
diff --git a/extensions/libip6t_tcp.c b/extensions/libip6t_tcp.c
deleted file mode 100644
index 15f240e..0000000
--- a/extensions/libip6t_tcp.c
+++ /dev/null
@@ -1,416 +0,0 @@
-/* Shared library add-on to iptables to add TCP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
-	printf(
-"TCP v%s options:\n"
-" --tcp-flags [!] mask comp	match when TCP flags & mask == comp\n"
-"				(Flags: SYN ACK FIN RST URG PSH ALL NONE)\n"
-"[!] --syn			match when only SYN flag set\n"
-"				(equivalent to --tcp-flags SYN,RST,ACK SYN)\n"
-" --source-port [!] port[:port]\n"
-" --sport ...\n"
-"				match source port(s)\n"
-" --destination-port [!] port[:port]\n"
-" --dport ...\n"
-"				match destination port(s)\n"
-" --tcp-option [!] number       match if TCP option set\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
-	{ "source-port", 1, 0, '1' },
-	{ "sport", 1, 0, '1' }, /* synonym */
-	{ "destination-port", 1, 0, '2' },
-	{ "dport", 1, 0, '2' }, /* synonym */
-	{ "syn", 0, 0, '3' },
-	{ "tcp-flags", 1, 0, '4' },
-	{ "tcp-option", 1, 0, '5' },
-	{0}
-};
-
-static void
-parse_tcp_ports(const char *portstring, u_int16_t *ports)
-{
-	char *buffer;
-	char *cp;
-
-	buffer = strdup(portstring);
-	if ((cp = strchr(buffer, ':')) == NULL)
-		ports[0] = ports[1] = parse_port(buffer, "tcp");
-	else {
-		*cp = '\0';
-		cp++;
-
-		ports[0] = buffer[0] ? parse_port(buffer, "tcp") : 0;
-		ports[1] = cp[0] ? parse_port(cp, "tcp") : 0xFFFF;
-		
-		if (ports[0] > ports[1])
-			exit_error(PARAMETER_PROBLEM, 
-				   "invalid portrange (min > max)");
-	}
-	free(buffer);
-}
-
-struct tcp_flag_names {
-	const char *name;
-	unsigned int flag;
-};
-
-static struct tcp_flag_names tcp_flag_names[]
-= { { "FIN", 0x01 },
-    { "SYN", 0x02 },
-    { "RST", 0x04 },
-    { "PSH", 0x08 },
-    { "ACK", 0x10 },
-    { "URG", 0x20 },
-    { "ALL", 0x3F },
-    { "NONE", 0 },
-};
-
-static unsigned int
-parse_tcp_flag(const char *flags)
-{
-	unsigned int ret = 0;
-	char *ptr;
-	char *buffer;
-
-	buffer = strdup(flags);
-
-	for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
-		unsigned int i;
-		for (i = 0;
-		     i < sizeof(tcp_flag_names)/sizeof(struct tcp_flag_names);
-		     i++) {
-			if (strcasecmp(tcp_flag_names[i].name, ptr) == 0) {
-				ret |= tcp_flag_names[i].flag;
-				break;
-			}
-		}
-		if (i == sizeof(tcp_flag_names)/sizeof(struct tcp_flag_names))
-			exit_error(PARAMETER_PROBLEM,
-				   "Unknown TCP flag `%s'", ptr);
-		}
-
-	free(buffer);
-	return ret;
-}
-
-static void
-parse_tcp_flags(struct ip6t_tcp *tcpinfo,
-		const char *mask,
-		const char *cmp,
-		int invert)
-{
-	tcpinfo->flg_mask = parse_tcp_flag(mask);
-	tcpinfo->flg_cmp = parse_tcp_flag(cmp);
-
-	if (invert)
-		tcpinfo->invflags |= IP6T_TCP_INV_FLAGS;
-}
-
-static void
-parse_tcp_option(const char *option, u_int8_t *result)
-{
-	unsigned int ret;
-
-	if (string_to_number(option, 1, 255, &ret) == -1)
-		exit_error(PARAMETER_PROBLEM, "Bad TCP option `%s'", option);
-
-	*result = (u_int8_t)ret;
-}
-
-/* Initialize the match. */
-static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
-{
-	struct ip6t_tcp *tcpinfo = (struct ip6t_tcp *)m->data;
-
-	tcpinfo->spts[1] = tcpinfo->dpts[1] = 0xFFFF;
-}
-
-#define TCP_SRC_PORTS 0x01
-#define TCP_DST_PORTS 0x02
-#define TCP_FLAGS 0x04
-#define TCP_OPTION	0x08
-
-/* Function which parses command options; returns true if it
-   ate an option. */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
-      const void *entry,
-      unsigned int *nfcache,
-      struct xt_entry_match **match)
-{
-	struct ip6t_tcp *tcpinfo = (struct ip6t_tcp *)(*match)->data;
-
-	switch (c) {
-	case '1':
-		if (*flags & TCP_SRC_PORTS)
-			exit_error(PARAMETER_PROBLEM,
-				   "Only one `--source-port' allowed");
-		check_inverse(optarg, &invert, &optind, 0);
-		parse_tcp_ports(argv[optind-1], tcpinfo->spts);
-		if (invert)
-			tcpinfo->invflags |= IP6T_TCP_INV_SRCPT;
-		*flags |= TCP_SRC_PORTS;
-		break;
-
-	case '2':
-		if (*flags & TCP_DST_PORTS)
-			exit_error(PARAMETER_PROBLEM,
-				   "Only one `--destination-port' allowed");
-		check_inverse(optarg, &invert, &optind, 0);
-		parse_tcp_ports(argv[optind-1], tcpinfo->dpts);
-		if (invert)
-			tcpinfo->invflags |= IP6T_TCP_INV_DSTPT;
-		*flags |= TCP_DST_PORTS;
-		break;
-
-	case '3':
-		if (*flags & TCP_FLAGS)
-			exit_error(PARAMETER_PROBLEM,
-				   "Only one of `--syn' or `--tcp-flags' "
-				   " allowed");
-		parse_tcp_flags(tcpinfo, "SYN,RST,ACK", "SYN", invert);
-		*flags |= TCP_FLAGS;
-		break;
-
-	case '4':
-		if (*flags & TCP_FLAGS)
-			exit_error(PARAMETER_PROBLEM,
-				   "Only one of `--syn' or `--tcp-flags' "
-				   " allowed");
-		check_inverse(optarg, &invert, &optind, 0);
-
-		if (!argv[optind]
-		    || argv[optind][0] == '-' || argv[optind][0] == '!')
-			exit_error(PARAMETER_PROBLEM,
-				   "--tcp-flags requires two args.");
-
-		parse_tcp_flags(tcpinfo, argv[optind-1], argv[optind], 
-				invert);
-		optind++;
-		*flags |= TCP_FLAGS;
-		break;
-
-	case '5':
-		if (*flags & TCP_OPTION)
-			exit_error(PARAMETER_PROBLEM,
-				   "Only one `--tcp-option' allowed");
-		check_inverse(optarg, &invert, &optind, 0);
-		parse_tcp_option(argv[optind-1], &tcpinfo->option);
-		if (invert)
-			tcpinfo->invflags |= IP6T_TCP_INV_OPTION;
-		*flags |= TCP_OPTION;
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static char *
-port_to_service(int port)
-{
-	struct servent *service;
-
-	if ((service = getservbyport(htons(port), "tcp")))
-		return service->s_name;
-
-	return NULL;
-}
-
-static void
-print_port(u_int16_t port, int numeric)
-{
-	char *service;
-
-	if (numeric || (service = port_to_service(port)) == NULL)
-		printf("%u", port);
-	else
-		printf("%s", service);
-}
-
-static void
-print_ports(const char *name, u_int16_t min, u_int16_t max,
-	    int invert, int numeric)
-{
-	const char *inv = invert ? "!" : "";
-
-	if (min != 0 || max != 0xFFFF || invert) {
-		printf("%s", name);
-		if (min == max) {
-			printf(":%s", inv);
-			print_port(min, numeric);
-		} else {
-			printf("s:%s", inv);
-			print_port(min, numeric);
-			printf(":");
-			print_port(max, numeric);
-		}
-		printf(" ");
-	}
-}
-
-static void
-print_option(u_int8_t option, int invert, int numeric)
-{
-	if (option || invert)
-		printf("option=%s%u ", invert ? "!" : "", option);
-}
-
-static void
-print_tcpf(u_int8_t flags)
-{
-	int have_flag = 0;
-
-	while (flags) {
-		unsigned int i;
-
-		for (i = 0; (flags & tcp_flag_names[i].flag) == 0; i++);
-
-		if (have_flag)
-			printf(",");
-		printf("%s", tcp_flag_names[i].name);
-		have_flag = 1;
-
-		flags &= ~tcp_flag_names[i].flag;
-	}
-
-	if (!have_flag)
-		printf("NONE");
-}
-
-static void
-print_flags(u_int8_t mask, u_int8_t cmp, int invert, int numeric)
-{
-	if (mask || invert) {
-		printf("flags:%s", invert ? "!" : "");
-		if (numeric)
-			printf("0x%02X/0x%02X ", mask, cmp);
-		else {
-			print_tcpf(mask);
-			printf("/");
-			print_tcpf(cmp);
-			printf(" ");
-		}
-	}
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const void *ip,
-      const struct xt_entry_match *match, int numeric)
-{
-	const struct ip6t_tcp *tcp = (struct ip6t_tcp *)match->data;
-
-	printf("tcp ");
-	print_ports("spt", tcp->spts[0], tcp->spts[1],
-		    tcp->invflags & IP6T_TCP_INV_SRCPT,
-		    numeric);
-	print_ports("dpt", tcp->dpts[0], tcp->dpts[1],
-		    tcp->invflags & IP6T_TCP_INV_DSTPT,
-		    numeric);
-	print_option(tcp->option,
-		     tcp->invflags & IP6T_TCP_INV_OPTION,
-		     numeric);
-	print_flags(tcp->flg_mask, tcp->flg_cmp,
-		    tcp->invflags & IP6T_TCP_INV_FLAGS,
-		    numeric);
-	if (tcp->invflags & ~IP6T_TCP_INV_MASK)
-		printf("Unknown invflags: 0x%X ",
-		       tcp->invflags & ~IP6T_TCP_INV_MASK);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const void *ip, const struct xt_entry_match *match)
-{
-	const struct ip6t_tcp *tcpinfo = (struct ip6t_tcp *)match->data;
-
-	if (tcpinfo->spts[0] != 0
-	    || tcpinfo->spts[1] != 0xFFFF) {
-		if (tcpinfo->invflags & IP6T_TCP_INV_SRCPT)
-			printf("! ");
-		if (tcpinfo->spts[0]
-		    != tcpinfo->spts[1])
-			printf("--sport %u:%u ",
-			       tcpinfo->spts[0],
-			       tcpinfo->spts[1]);
-		else
-			printf("--sport %u ",
-			       tcpinfo->spts[0]);
-	}
-
-	if (tcpinfo->dpts[0] != 0
-	    || tcpinfo->dpts[1] != 0xFFFF) {
-		if (tcpinfo->invflags & IP6T_TCP_INV_DSTPT)
-			printf("! ");
-		if (tcpinfo->dpts[0]
-		    != tcpinfo->dpts[1])
-			printf("--dport %u:%u ",
-			       tcpinfo->dpts[0],
-			       tcpinfo->dpts[1]);
-		else
-			printf("--dport %u ",
-			       tcpinfo->dpts[0]);
-	}
-
-	if (tcpinfo->option
-	    || (tcpinfo->invflags & IP6T_TCP_INV_OPTION)) {
-		if (tcpinfo->invflags & IP6T_TCP_INV_OPTION)
-			printf("! ");
-		printf("--tcp-option %u ", tcpinfo->option);
-	}
-
-	if (tcpinfo->flg_mask
-	    || (tcpinfo->invflags & IP6T_TCP_INV_FLAGS)) {
-		if (tcpinfo->invflags & IP6T_TCP_INV_FLAGS)
-			printf("! ");
-
-		printf("--tcp-flags ");
-		if (tcpinfo->flg_mask != 0xFF) {
-			print_tcpf(tcpinfo->flg_mask);
-		}
-		printf(" ");
-		print_tcpf(tcpinfo->flg_cmp);
-		printf(" ");
-	}
-}
-
-static struct ip6tables_match tcp = {
-	.name 		= "tcp",
-	.version	= IPTABLES_VERSION,
-	.size		= IP6T_ALIGN(sizeof(struct ip6t_tcp)),
-	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_tcp)),
-	.help		= &help,
-	.init		= &init,
-	.parse		= &parse,
-	.final_check	= &final_check,
-	.print		= &print,
-	.save		= &save,
-	.extra_opts	= opts,
-};
-
-void
-_init(void)
-{
-	register_match6(&tcp);
-}
diff --git a/extensions/libipt_tcp.c b/extensions/libipt_tcp.c
deleted file mode 100644
index 287b00f..0000000
--- a/extensions/libipt_tcp.c
+++ /dev/null
@@ -1,416 +0,0 @@
-/* Shared library add-on to iptables to add TCP support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
-	printf(
-"TCP v%s options:\n"
-" --tcp-flags [!] mask comp	match when TCP flags & mask == comp\n"
-"				(Flags: SYN ACK FIN RST URG PSH ALL NONE)\n"
-"[!] --syn			match when only SYN flag set\n"
-"				(equivalent to --tcp-flags SYN,RST,ACK SYN)\n"
-" --source-port [!] port[:port]\n"
-" --sport ...\n"
-"				match source port(s)\n"
-" --destination-port [!] port[:port]\n"
-" --dport ...\n"
-"				match destination port(s)\n"
-" --tcp-option [!] number       match if TCP option set\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
-	{ "source-port", 1, 0, '1' },
-	{ "sport", 1, 0, '1' }, /* synonym */
-	{ "destination-port", 1, 0, '2' },
-	{ "dport", 1, 0, '2' }, /* synonym */
-	{ "syn", 0, 0, '3' },
-	{ "tcp-flags", 1, 0, '4' },
-	{ "tcp-option", 1, 0, '5' },
-	{0}
-};
-
-static void
-parse_tcp_ports(const char *portstring, u_int16_t *ports)
-{
-	char *buffer;
-	char *cp;
-
-	buffer = strdup(portstring);
-	if ((cp = strchr(buffer, ':')) == NULL)
-		ports[0] = ports[1] = parse_port(buffer, "tcp");
-	else {
-		*cp = '\0';
-		cp++;
-
-		ports[0] = buffer[0] ? parse_port(buffer, "tcp") : 0;
-		ports[1] = cp[0] ? parse_port(cp, "tcp") : 0xFFFF;
-
-		if (ports[0] > ports[1])
-			exit_error(PARAMETER_PROBLEM,
-				   "invalid portrange (min > max)");
-	}
-	free(buffer);
-}
-
-struct tcp_flag_names {
-	const char *name;
-	unsigned int flag;
-};
-
-static struct tcp_flag_names tcp_flag_names[]
-= { { "FIN", 0x01 },
-    { "SYN", 0x02 },
-    { "RST", 0x04 },
-    { "PSH", 0x08 },
-    { "ACK", 0x10 },
-    { "URG", 0x20 },
-    { "ALL", 0x3F },
-    { "NONE", 0 },
-};
-
-static unsigned int
-parse_tcp_flag(const char *flags)
-{
-	unsigned int ret = 0;
-	char *ptr;
-	char *buffer;
-
-	buffer = strdup(flags);
-
-	for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
-		unsigned int i;
-		for (i = 0;
-		     i < sizeof(tcp_flag_names)/sizeof(struct tcp_flag_names);
-		     i++) {
-			if (strcasecmp(tcp_flag_names[i].name, ptr) == 0) {
-				ret |= tcp_flag_names[i].flag;
-				break;
-			}
-		}
-		if (i == sizeof(tcp_flag_names)/sizeof(struct tcp_flag_names))
-			exit_error(PARAMETER_PROBLEM,
-				   "Unknown TCP flag `%s'", ptr);
-		}
-
-	free(buffer);
-	return ret;
-}
-
-static void
-parse_tcp_flags(struct ipt_tcp *tcpinfo,
-		const char *mask,
-		const char *cmp,
-		int invert)
-{
-	tcpinfo->flg_mask = parse_tcp_flag(mask);
-	tcpinfo->flg_cmp = parse_tcp_flag(cmp);
-
-	if (invert)
-		tcpinfo->invflags |= IPT_TCP_INV_FLAGS;
-}
-
-static void
-parse_tcp_option(const char *option, u_int8_t *result)
-{
-	unsigned int ret;
-
-	if (string_to_number(option, 1, 255, &ret) == -1)
-		exit_error(PARAMETER_PROBLEM, "Bad TCP option `%s'", option);
-
-	*result = (u_int8_t)ret;
-}
-
-/* Initialize the match. */
-static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
-{
-	struct ipt_tcp *tcpinfo = (struct ipt_tcp *)m->data;
-
-	tcpinfo->spts[1] = tcpinfo->dpts[1] = 0xFFFF;
-}
-
-#define TCP_SRC_PORTS 0x01
-#define TCP_DST_PORTS 0x02
-#define TCP_FLAGS 0x04
-#define TCP_OPTION	0x08
-
-/* Function which parses command options; returns true if it
-   ate an option. */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
-      const void *entry,
-      unsigned int *nfcache,
-      struct xt_entry_match **match)
-{
-	struct ipt_tcp *tcpinfo = (struct ipt_tcp *)(*match)->data;
-
-	switch (c) {
-	case '1':
-		if (*flags & TCP_SRC_PORTS)
-			exit_error(PARAMETER_PROBLEM,
-				   "Only one `--source-port' allowed");
-		check_inverse(optarg, &invert, &optind, 0);
-		parse_tcp_ports(argv[optind-1], tcpinfo->spts);
-		if (invert)
-			tcpinfo->invflags |= IPT_TCP_INV_SRCPT;
-		*flags |= TCP_SRC_PORTS;
-		break;
-
-	case '2':
-		if (*flags & TCP_DST_PORTS)
-			exit_error(PARAMETER_PROBLEM,
-				   "Only one `--destination-port' allowed");
-		check_inverse(optarg, &invert, &optind, 0);
-		parse_tcp_ports(argv[optind-1], tcpinfo->dpts);
-		if (invert)
-			tcpinfo->invflags |= IPT_TCP_INV_DSTPT;
-		*flags |= TCP_DST_PORTS;
-		break;
-
-	case '3':
-		if (*flags & TCP_FLAGS)
-			exit_error(PARAMETER_PROBLEM,
-				   "Only one of `--syn' or `--tcp-flags' "
-				   " allowed");
-		parse_tcp_flags(tcpinfo, "SYN,RST,ACK,FIN", "SYN", invert);
-		*flags |= TCP_FLAGS;
-		break;
-
-	case '4':
-		if (*flags & TCP_FLAGS)
-			exit_error(PARAMETER_PROBLEM,
-				   "Only one of `--syn' or `--tcp-flags' "
-				   " allowed");
-		check_inverse(optarg, &invert, &optind, 0);
-
-		if (!argv[optind]
-		    || argv[optind][0] == '-' || argv[optind][0] == '!')
-			exit_error(PARAMETER_PROBLEM,
-				   "--tcp-flags requires two args.");
-
-		parse_tcp_flags(tcpinfo, argv[optind-1], argv[optind],
-				invert);
-		optind++;
-		*flags |= TCP_FLAGS;
-		break;
-
-	case '5':
-		if (*flags & TCP_OPTION)
-			exit_error(PARAMETER_PROBLEM,
-				   "Only one `--tcp-option' allowed");
-		check_inverse(optarg, &invert, &optind, 0);
-		parse_tcp_option(argv[optind-1], &tcpinfo->option);
-		if (invert)
-			tcpinfo->invflags |= IPT_TCP_INV_OPTION;
-		*flags |= TCP_OPTION;
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; we don't care. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-static char *
-port_to_service(int port)
-{
-	struct servent *service;
-
-	if ((service = getservbyport(htons(port), "tcp")))
-		return service->s_name;
-
-	return NULL;
-}
-
-static void
-print_port(u_int16_t port, int numeric)
-{
-	char *service;
-
-	if (numeric || (service = port_to_service(port)) == NULL)
-		printf("%u", port);
-	else
-		printf("%s", service);
-}
-
-static void
-print_ports(const char *name, u_int16_t min, u_int16_t max,
-	    int invert, int numeric)
-{
-	const char *inv = invert ? "!" : "";
-
-	if (min != 0 || max != 0xFFFF || invert) {
-		printf("%s", name);
-		if (min == max) {
-			printf(":%s", inv);
-			print_port(min, numeric);
-		} else {
-			printf("s:%s", inv);
-			print_port(min, numeric);
-			printf(":");
-			print_port(max, numeric);
-		}
-		printf(" ");
-	}
-}
-
-static void
-print_option(u_int8_t option, int invert, int numeric)
-{
-	if (option || invert)
-		printf("option=%s%u ", invert ? "!" : "", option);
-}
-
-static void
-print_tcpf(u_int8_t flags)
-{
-	int have_flag = 0;
-
-	while (flags) {
-		unsigned int i;
-
-		for (i = 0; (flags & tcp_flag_names[i].flag) == 0; i++);
-
-		if (have_flag)
-			printf(",");
-		printf("%s", tcp_flag_names[i].name);
-		have_flag = 1;
-
-		flags &= ~tcp_flag_names[i].flag;
-	}
-
-	if (!have_flag)
-		printf("NONE");
-}
-
-static void
-print_flags(u_int8_t mask, u_int8_t cmp, int invert, int numeric)
-{
-	if (mask || invert) {
-		printf("flags:%s", invert ? "!" : "");
-		if (numeric)
-			printf("0x%02X/0x%02X ", mask, cmp);
-		else {
-			print_tcpf(mask);
-			printf("/");
-			print_tcpf(cmp);
-			printf(" ");
-		}
-	}
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const void *ip,
-      const struct xt_entry_match *match, int numeric)
-{
-	const struct ipt_tcp *tcp = (struct ipt_tcp *)match->data;
-
-	printf("tcp ");
-	print_ports("spt", tcp->spts[0], tcp->spts[1],
-		    tcp->invflags & IPT_TCP_INV_SRCPT,
-		    numeric);
-	print_ports("dpt", tcp->dpts[0], tcp->dpts[1],
-		    tcp->invflags & IPT_TCP_INV_DSTPT,
-		    numeric);
-	print_option(tcp->option,
-		     tcp->invflags & IPT_TCP_INV_OPTION,
-		     numeric);
-	print_flags(tcp->flg_mask, tcp->flg_cmp,
-		    tcp->invflags & IPT_TCP_INV_FLAGS,
-		    numeric);
-	if (tcp->invflags & ~IPT_TCP_INV_MASK)
-		printf("Unknown invflags: 0x%X ",
-		       tcp->invflags & ~IPT_TCP_INV_MASK);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const void *ip, const struct xt_entry_match *match)
-{
-	const struct ipt_tcp *tcpinfo = (struct ipt_tcp *)match->data;
-
-	if (tcpinfo->spts[0] != 0
-	    || tcpinfo->spts[1] != 0xFFFF) {
-		if (tcpinfo->invflags & IPT_TCP_INV_SRCPT)
-			printf("! ");
-		if (tcpinfo->spts[0]
-		    != tcpinfo->spts[1])
-			printf("--sport %u:%u ",
-			       tcpinfo->spts[0],
-			       tcpinfo->spts[1]);
-		else
-			printf("--sport %u ",
-			       tcpinfo->spts[0]);
-	}
-
-	if (tcpinfo->dpts[0] != 0
-	    || tcpinfo->dpts[1] != 0xFFFF) {
-		if (tcpinfo->invflags & IPT_TCP_INV_DSTPT)
-			printf("! ");
-		if (tcpinfo->dpts[0]
-		    != tcpinfo->dpts[1])
-			printf("--dport %u:%u ",
-			       tcpinfo->dpts[0],
-			       tcpinfo->dpts[1]);
-		else
-			printf("--dport %u ",
-			       tcpinfo->dpts[0]);
-	}
-
-	if (tcpinfo->option
-	    || (tcpinfo->invflags & IPT_TCP_INV_OPTION)) {
-		if (tcpinfo->invflags & IPT_TCP_INV_OPTION)
-			printf("! ");
-		printf("--tcp-option %u ", tcpinfo->option);
-	}
-
-	if (tcpinfo->flg_mask
-	    || (tcpinfo->invflags & IPT_TCP_INV_FLAGS)) {
-		if (tcpinfo->invflags & IPT_TCP_INV_FLAGS)
-			printf("! ");
-		printf("--tcp-flags ");
-		if (tcpinfo->flg_mask != 0xFF) {
-			print_tcpf(tcpinfo->flg_mask);
-		}
-		printf(" ");
-		print_tcpf(tcpinfo->flg_cmp);
-		printf(" ");
-	}
-}
-
-static struct iptables_match tcp = { 
-	.next		= NULL,
-	.name		= "tcp",
-	.version	= IPTABLES_VERSION,
-	.size		= IPT_ALIGN(sizeof(struct ipt_tcp)),
-	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_tcp)),
-	.help		= &help,
-	.init		= &init,
-	.parse		= &parse,
-	.final_check	= &final_check,
-	.print		= &print,
-	.save		= &save,
-	.extra_opts	= opts
-};
-
-void
-_init(void)
-{
-	register_match(&tcp);
-}
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
new file mode 100644
index 0000000..0d0eed2
--- /dev/null
+++ b/extensions/libxt_tcp.c
@@ -0,0 +1,458 @@
+/* Shared library add-on to iptables to add TCP support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_tcpudp.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+	printf(
+"TCP v%s options:\n"
+" --tcp-flags [!] mask comp	match when TCP flags & mask == comp\n"
+"				(Flags: SYN ACK FIN RST URG PSH ALL NONE)\n"
+"[!] --syn			match when only SYN flag set\n"
+"				(equivalent to --tcp-flags SYN,RST,ACK SYN)\n"
+" --source-port [!] port[:port]\n"
+" --sport ...\n"
+"				match source port(s)\n"
+" --destination-port [!] port[:port]\n"
+" --dport ...\n"
+"				match destination port(s)\n"
+" --tcp-option [!] number       match if TCP option set\n\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{ "source-port", 1, 0, '1' },
+	{ "sport", 1, 0, '1' }, /* synonym */
+	{ "destination-port", 1, 0, '2' },
+	{ "dport", 1, 0, '2' }, /* synonym */
+	{ "syn", 0, 0, '3' },
+	{ "tcp-flags", 1, 0, '4' },
+	{ "tcp-option", 1, 0, '5' },
+	{0}
+};
+
+static void
+parse_tcp_ports(const char *portstring, u_int16_t *ports)
+{
+	char *buffer;
+	char *cp;
+
+	buffer = strdup(portstring);
+	if ((cp = strchr(buffer, ':')) == NULL)
+		ports[0] = ports[1] = parse_port(buffer, "tcp");
+	else {
+		*cp = '\0';
+		cp++;
+
+		ports[0] = buffer[0] ? parse_port(buffer, "tcp") : 0;
+		ports[1] = cp[0] ? parse_port(cp, "tcp") : 0xFFFF;
+
+		if (ports[0] > ports[1])
+			exit_error(PARAMETER_PROBLEM,
+				   "invalid portrange (min > max)");
+	}
+	free(buffer);
+}
+
+struct tcp_flag_names {
+	const char *name;
+	unsigned int flag;
+};
+
+static struct tcp_flag_names tcp_flag_names[]
+= { { "FIN", 0x01 },
+    { "SYN", 0x02 },
+    { "RST", 0x04 },
+    { "PSH", 0x08 },
+    { "ACK", 0x10 },
+    { "URG", 0x20 },
+    { "ALL", 0x3F },
+    { "NONE", 0 },
+};
+
+static unsigned int
+parse_tcp_flag(const char *flags)
+{
+	unsigned int ret = 0;
+	char *ptr;
+	char *buffer;
+
+	buffer = strdup(flags);
+
+	for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
+		unsigned int i;
+		for (i = 0;
+		     i < sizeof(tcp_flag_names)/sizeof(struct tcp_flag_names);
+		     i++) {
+			if (strcasecmp(tcp_flag_names[i].name, ptr) == 0) {
+				ret |= tcp_flag_names[i].flag;
+				break;
+			}
+		}
+		if (i == sizeof(tcp_flag_names)/sizeof(struct tcp_flag_names))
+			exit_error(PARAMETER_PROBLEM,
+				   "Unknown TCP flag `%s'", ptr);
+		}
+
+	free(buffer);
+	return ret;
+}
+
+static void
+parse_tcp_flags(struct xt_tcp *tcpinfo,
+		const char *mask,
+		const char *cmp,
+		int invert)
+{
+	tcpinfo->flg_mask = parse_tcp_flag(mask);
+	tcpinfo->flg_cmp = parse_tcp_flag(cmp);
+
+	if (invert)
+		tcpinfo->invflags |= XT_TCP_INV_FLAGS;
+}
+
+static void
+parse_tcp_option(const char *option, u_int8_t *result)
+{
+	unsigned int ret;
+
+	if (string_to_number(option, 1, 255, &ret) == -1)
+		exit_error(PARAMETER_PROBLEM, "Bad TCP option `%s'", option);
+
+	*result = (u_int8_t)ret;
+}
+
+/* Initialize the match. */
+static void
+init(struct xt_entry_match *m, unsigned int *nfcache)
+{
+	struct xt_tcp *tcpinfo = (struct xt_tcp *)m->data;
+
+	tcpinfo->spts[1] = tcpinfo->dpts[1] = 0xFFFF;
+}
+
+#define TCP_SRC_PORTS 0x01
+#define TCP_DST_PORTS 0x02
+#define TCP_FLAGS 0x04
+#define TCP_OPTION	0x08
+
+/* Function which parses command options; returns true if it
+   ate an option. */
+static int
+__parse(int c, char **argv, int invert, unsigned int *flags,
+	const void *entry,
+	unsigned int *nfcache,
+	struct xt_entry_match **match,
+      u_int16_t pf)
+{
+	struct xt_tcp *tcpinfo = (struct xt_tcp *)(*match)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags & TCP_SRC_PORTS)
+			exit_error(PARAMETER_PROBLEM,
+				   "Only one `--source-port' allowed");
+		check_inverse(optarg, &invert, &optind, 0);
+		parse_tcp_ports(argv[optind-1], tcpinfo->spts);
+		if (invert)
+			tcpinfo->invflags |= XT_TCP_INV_SRCPT;
+		*flags |= TCP_SRC_PORTS;
+		break;
+
+	case '2':
+		if (*flags & TCP_DST_PORTS)
+			exit_error(PARAMETER_PROBLEM,
+				   "Only one `--destination-port' allowed");
+		check_inverse(optarg, &invert, &optind, 0);
+		parse_tcp_ports(argv[optind-1], tcpinfo->dpts);
+		if (invert)
+			tcpinfo->invflags |= XT_TCP_INV_DSTPT;
+		*flags |= TCP_DST_PORTS;
+		break;
+
+	case '3':
+		if (*flags & TCP_FLAGS)
+			exit_error(PARAMETER_PROBLEM,
+				   "Only one of `--syn' or `--tcp-flags' "
+				   " allowed");
+		if (pf == AF_INET)
+			parse_tcp_flags(tcpinfo, "SYN,RST,ACK,FIN", "SYN",
+					invert);
+		else if (pf == AF_INET6)
+			parse_tcp_flags(tcpinfo, "SYN,RST,ACK", "SYN", invert);
+
+		*flags |= TCP_FLAGS;
+		break;
+
+	case '4':
+		if (*flags & TCP_FLAGS)
+			exit_error(PARAMETER_PROBLEM,
+				   "Only one of `--syn' or `--tcp-flags' "
+				   " allowed");
+		check_inverse(optarg, &invert, &optind, 0);
+
+		if (!argv[optind]
+		    || argv[optind][0] == '-' || argv[optind][0] == '!')
+			exit_error(PARAMETER_PROBLEM,
+				   "--tcp-flags requires two args.");
+
+		parse_tcp_flags(tcpinfo, argv[optind-1], argv[optind],
+				invert);
+		optind++;
+		*flags |= TCP_FLAGS;
+		break;
+
+	case '5':
+		if (*flags & TCP_OPTION)
+			exit_error(PARAMETER_PROBLEM,
+				   "Only one `--tcp-option' allowed");
+		check_inverse(optarg, &invert, &optind, 0);
+		parse_tcp_option(argv[optind-1], &tcpinfo->option);
+		if (invert)
+			tcpinfo->invflags |= XT_TCP_INV_OPTION;
+		*flags |= TCP_OPTION;
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const void *entry,
+      unsigned int *nfcache,
+      struct xt_entry_match **match)
+{
+	return __parse(c, argv, invert, flags, entry, nfcache, match, AF_INET);
+}
+
+static int
+parse6(int c, char **argv, int invert, unsigned int *flags,
+       const void *entry,
+       unsigned int *nfcache,
+       struct xt_entry_match **match)
+{
+	return __parse(c, argv, invert, flags, entry, nfcache, match, AF_INET6);
+}
+
+/* Final check; we don't care. */
+static void
+final_check(unsigned int flags)
+{
+}
+
+static char *
+port_to_service(int port)
+{
+	struct servent *service;
+
+	if ((service = getservbyport(htons(port), "tcp")))
+		return service->s_name;
+
+	return NULL;
+}
+
+static void
+print_port(u_int16_t port, int numeric)
+{
+	char *service;
+
+	if (numeric || (service = port_to_service(port)) == NULL)
+		printf("%u", port);
+	else
+		printf("%s", service);
+}
+
+static void
+print_ports(const char *name, u_int16_t min, u_int16_t max,
+	    int invert, int numeric)
+{
+	const char *inv = invert ? "!" : "";
+
+	if (min != 0 || max != 0xFFFF || invert) {
+		printf("%s", name);
+		if (min == max) {
+			printf(":%s", inv);
+			print_port(min, numeric);
+		} else {
+			printf("s:%s", inv);
+			print_port(min, numeric);
+			printf(":");
+			print_port(max, numeric);
+		}
+		printf(" ");
+	}
+}
+
+static void
+print_option(u_int8_t option, int invert, int numeric)
+{
+	if (option || invert)
+		printf("option=%s%u ", invert ? "!" : "", option);
+}
+
+static void
+print_tcpf(u_int8_t flags)
+{
+	int have_flag = 0;
+
+	while (flags) {
+		unsigned int i;
+
+		for (i = 0; (flags & tcp_flag_names[i].flag) == 0; i++);
+
+		if (have_flag)
+			printf(",");
+		printf("%s", tcp_flag_names[i].name);
+		have_flag = 1;
+
+		flags &= ~tcp_flag_names[i].flag;
+	}
+
+	if (!have_flag)
+		printf("NONE");
+}
+
+static void
+print_flags(u_int8_t mask, u_int8_t cmp, int invert, int numeric)
+{
+	if (mask || invert) {
+		printf("flags:%s", invert ? "!" : "");
+		if (numeric)
+			printf("0x%02X/0x%02X ", mask, cmp);
+		else {
+			print_tcpf(mask);
+			printf("/");
+			print_tcpf(cmp);
+			printf(" ");
+		}
+	}
+}
+
+/* Prints out the union ipt_matchinfo. */
+static void
+print(const void *ip,
+      const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_tcp *tcp = (struct xt_tcp *)match->data;
+
+	printf("tcp ");
+	print_ports("spt", tcp->spts[0], tcp->spts[1],
+		    tcp->invflags & XT_TCP_INV_SRCPT,
+		    numeric);
+	print_ports("dpt", tcp->dpts[0], tcp->dpts[1],
+		    tcp->invflags & XT_TCP_INV_DSTPT,
+		    numeric);
+	print_option(tcp->option,
+		     tcp->invflags & XT_TCP_INV_OPTION,
+		     numeric);
+	print_flags(tcp->flg_mask, tcp->flg_cmp,
+		    tcp->invflags & XT_TCP_INV_FLAGS,
+		    numeric);
+	if (tcp->invflags & ~XT_TCP_INV_MASK)
+		printf("Unknown invflags: 0x%X ",
+		       tcp->invflags & ~XT_TCP_INV_MASK);
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_tcp *tcpinfo = (struct xt_tcp *)match->data;
+
+	if (tcpinfo->spts[0] != 0
+	    || tcpinfo->spts[1] != 0xFFFF) {
+		if (tcpinfo->invflags & XT_TCP_INV_SRCPT)
+			printf("! ");
+		if (tcpinfo->spts[0]
+		    != tcpinfo->spts[1])
+			printf("--sport %u:%u ",
+			       tcpinfo->spts[0],
+			       tcpinfo->spts[1]);
+		else
+			printf("--sport %u ",
+			       tcpinfo->spts[0]);
+	}
+
+	if (tcpinfo->dpts[0] != 0
+	    || tcpinfo->dpts[1] != 0xFFFF) {
+		if (tcpinfo->invflags & XT_TCP_INV_DSTPT)
+			printf("! ");
+		if (tcpinfo->dpts[0]
+		    != tcpinfo->dpts[1])
+			printf("--dport %u:%u ",
+			       tcpinfo->dpts[0],
+			       tcpinfo->dpts[1]);
+		else
+			printf("--dport %u ",
+			       tcpinfo->dpts[0]);
+	}
+
+	if (tcpinfo->option
+	    || (tcpinfo->invflags & XT_TCP_INV_OPTION)) {
+		if (tcpinfo->invflags & XT_TCP_INV_OPTION)
+			printf("! ");
+		printf("--tcp-option %u ", tcpinfo->option);
+	}
+
+	if (tcpinfo->flg_mask
+	    || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
+		if (tcpinfo->invflags & XT_TCP_INV_FLAGS)
+			printf("! ");
+		printf("--tcp-flags ");
+		if (tcpinfo->flg_mask != 0xFF) {
+			print_tcpf(tcpinfo->flg_mask);
+		}
+		printf(" ");
+		print_tcpf(tcpinfo->flg_cmp);
+		printf(" ");
+	}
+}
+
+static struct xtables_match tcp = { 
+	.next		= NULL,
+	.family		= AF_INET,
+	.name		= "tcp",
+	.version	= IPTABLES_VERSION,
+	.size		= XT_ALIGN(sizeof(struct xt_tcp)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_tcp)),
+	.help		= &help,
+	.init		= &init,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+ 
+static struct xtables_match tcp6 = { 
+	.next		= NULL,
+	.family		= AF_INET6,
+	.name		= "tcp",
+	.version	= IPTABLES_VERSION,
+	.size		= XT_ALIGN(sizeof(struct xt_tcp)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_tcp)),
+	.help		= &help,
+	.init		= &init,
+	.parse		= &parse6,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+ 
+void
+_init(void)
+{
+	xtables_register_match(&tcp);
+	xtables_register_match(&tcp6);
+}
-- 
1.5.2.2

Re: [PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.

[Jan Engelhardt]

Hi,

On Jul 15 2007 03:11, Yasuyuki KOZAKAI wrote:
>
>Note: libipt_tcp handled '--syn' as '--flags SYN,RST,ACK,FIN SYN', but
>      libip6t_tcp handled it as '--flags SYN,RST,ACK SYN'. I keep this
>      difference for now.

Since SYN+FIN does not make much sense (unless the ipv6-tcp protocol _really_
allowed that), libipt_tcp's definition should be used.


	Jan
-- 

Re: [PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.

[Patrick McHardy]

Jan Engelhardt wrote:
> On Jul 15 2007 03:11, Yasuyuki KOZAKAI wrote:
> 
>>Note: libipt_tcp handled '--syn' as '--flags SYN,RST,ACK,FIN SYN', but
>>     libip6t_tcp handled it as '--flags SYN,RST,ACK SYN'. I keep this
>>     difference for now.
> 
> 
> Since SYN+FIN does not make much sense (unless the ipv6-tcp protocol _really_
> allowed that), libipt_tcp's definition should be used.


Agreed, that should work fine for both.

Re: [PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.

[Yasuyuki KOZAKAI]

From: Patrick McHardy <kaber@trash.net>
Date: Sun, 15 Jul 2007 16:36:20 +0200

> Jan Engelhardt wrote:
> > On Jul 15 2007 03:11, Yasuyuki KOZAKAI wrote:
> > 
> >>Note: libipt_tcp handled '--syn' as '--flags SYN,RST,ACK,FIN SYN', but
> >>     libip6t_tcp handled it as '--flags SYN,RST,ACK SYN'. I keep this
> >>     difference for now.
> > 
> > 
> > Since SYN+FIN does not make much sense (unless the ipv6-tcp protocol _really_
> > allowed that), libipt_tcp's definition should be used.
> 
> 
> Agreed, that should work fine for both.

OK, I don't come up with bad impact to current user, too.
I'll fix that before applying xtables pathes.

-- Yasuyuki Kozakai

Re: [PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.

[Yasuyuki KOZAKAI]

From: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>

> > > Since SYN+FIN does not make much sense (unless the ipv6-tcp protocol _really_
> > > allowed that), libipt_tcp's definition should be used.
> > 
> > 
> > Agreed, that should work fine for both.
> 
> OK, I don't come up with bad impact to current user, too.
> I'll fix that before applying xtables pathes.

Well, I found missing FIN in text of help() in libipt_tcp.c then also
fixed. New release is necessary again ? grrr..  If so, I'll change version
in Makefile, and apply xtables patches to main trunk.


-- Yasuyuki Kozakai

[SUBPATCH IPTABLES 0/43]: Unification of ip[6]tables matches/targets #3

[Yasuyuki KOZAKAI]

I've updated libxt_tcp and libxt_multiport according to comments from Jan.
This time I post only updated patches and the undeliverd patch in previous
time due to large patch.

[09-1/43] Fixed warning on compilation of iptables matches/targets
[09-2/43] Fixed warning on compilation of ip6tables matches/targets
[10/43] fixed warning on compilation, part 2
[17/43] Use unified API in multiport match.
[18/43] Split ipt_multport into family dependent parts and others
[19/43] Moves libipt_multiport.c to libxt_multiport.c
[20/43] Unifies libip[6]t_multiport.c into libipxt_multiport.c
[28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c

From: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>

> Well, I found missing FIN in text of help() in libipt_tcp.c then also
> fixed. New release is necessary again ? grrr..  If so, I'll change version
> in Makefile, and apply xtables patches to main trunk.

If no one wants new release again before commiting thse patches,
I'll commit them into main trunk without changing version in Makefile
next week (maybe Tuesday).

-- Yasuyuki Kozakai

[PATCH IPTABLES 0/13]: Unifies rest of ip[6]tables matches/targets

[Yasuyuki KOZAKAI]

Hi all,

From: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>

> From: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
> 
> > Well, I found missing FIN in text of help() in libipt_tcp.c then also
> > fixed. New release is necessary again ? grrr..  If so, I'll change version
> > in Makefile, and apply xtables patches to main trunk.
> 
> If no one wants new release again before commiting thse patches,
> I'll commit them into main trunk without changing version in Makefile
> next week (maybe Tuesday).

I've commited them. I will commit following for other matches/targets
this weekend. Finally we can save about 3600 lines and add IPv6 support to
13 modules.

This time I post patches generated by 'git-format-patch -M' for ease of
review.

[01/13] Add IPv6 support to CONNMARK match
[02/13] Unifies libip[6]t_CONNSECMARK into libxt_CONNSECMARK
[03/13] Unifies libip[6]t_MARK into libxt_MARK
[04/13] Unifies libip[6]t_hashlimit into libxt_hashlimit
[05/13] Unifies libip[6]t_connmark into libxt_connmark
[06/13] Unifies libip[6]t_state into libxt_state
[07/13] Unifies libip[6]t_NFLOG into libxt_NFLOG
[08/13] Unifies libip[6]t_TRACE into libxt_TRACE
[09/13] Add IPv6 support to CLASSIFY target
[10/13] Add IPv6 support to DSCP target
[11/13] Add IPv6 support to connbytes match
[12/13] Add IPv6 support to helper match
[13/13] Add IPv6 support to statistic match

-- Yasuyuki Kozakai

Unifying ip[6]tables matches/targets: using AF_UNSPEC for l3-independent

[Jan Engelhardt]

Hi to all,


I'm following Yasuyuki's xtableificiation of iptables, and will handle 
the libxt_connlimit and libxt_u32 (huh - libipt_u32 not merged?). A few 
questions/ideas have come up:

Matches seem to require a .family field, even though there are a handful 
which operate l3-independent, such as ipt_u32, xt_string, xt_comment, 
and others. For these, we currently have to supply one 'struct 
xtables_match' per l3 proto. How about this patch demonstrating what 
I mean:

---
 extensions/libxt_string.c |   19 +------------------
 xtables.c                 |    2 +-
 2 files changed, 2 insertions(+), 19 deletions(-)

Index: iptables/extensions/libxt_string.c
===================================================================
--- iptables.orig/extensions/libxt_string.c
+++ iptables/extensions/libxt_string.c
@@ -335,23 +335,7 @@ save(const void *ip, const struct xt_ent
 
 static struct xtables_match string = {
     .name		= "string",
-    .family			= AF_INET,
-    .version		= IPTABLES_VERSION,
-    .size		= XT_ALIGN(sizeof(struct xt_string_info)),
-    .userspacesize	= offsetof(struct xt_string_info, config),
-    .help		= help,
-    .init		= init,
-    .parse		= parse,
-    .final_check	= final_check,
-    .print		= print,
-    .save		= save,
-    .extra_opts		= opts
-};
-
-
-static struct xtables_match string6 = {
-    .name		= "string",
-    .family			= AF_INET6,
+    .family			= AF_UNSPEC,
     .version		= IPTABLES_VERSION,
     .size		= XT_ALIGN(sizeof(struct xt_string_info)),
     .userspacesize	= offsetof(struct xt_string_info, config),
@@ -367,5 +351,4 @@ static struct xtables_match string6 = {
 void _init(void)
 {
 	xtables_register_match(&string);
-	xtables_register_match(&string6);
 }
Index: iptables/xtables.c
===================================================================
--- iptables.orig/xtables.c
+++ iptables/xtables.c
@@ -469,7 +469,7 @@ void xtables_register_match(struct xtabl
 	}
 
 	/* ignore not interested match */
-	if (me->family != afinfo.family)
+	if (me->family != AF_UNSPEC && me->family != afinfo.family)
 		return;
 
 	old = find_match(me->name, DURING_LOAD, NULL);

Re: [PATCH IPTABLES 0/13]: Unifies rest of ip[6]tables matches/targets

[Jan Engelhardt]

iptables svn6960 does not yet search for the libxt_*.so files.


# strace -e open ./iptables -t nat -L
...
open("/ws/iptables/extensions/libipt_tcp.so", O_RDONLY) = -1 ENOENT (No 
such file or directory)
REDIRECT   tcp  --  anywhere             192.168.250.2       UNKNOWN 
match `tcp' redir ports 8080 



	Jan
-- 

Re: [PATCH IPTABLES 0/13]: Unifies rest of ip[6]tables matches/targets

[Yasuyuki KOZAKAI]

From: Jan Engelhardt <jengelh@computergmbh.de>
Date: Tue, 24 Jul 2007 10:54:25 +0200 (CEST)

> iptables svn6960 does not yet search for the libxt_*.so files.
> 
> 
> # strace -e open ./iptables -t nat -L
> ...
> open("/ws/iptables/extensions/libipt_tcp.so", O_RDONLY) = -1 ENOENT (No 
> such file or directory)
> REDIRECT   tcp  --  anywhere             192.168.250.2       UNKNOWN 
> match `tcp' redir ports 8080 

Thanks for report.

I wrote Makefile to make symbolic link from libip[6]t_*.so to libxt_*.so.
How did you make and install iptables ?

-- Yasuyuki Kozakai

Re: [PATCH IPTABLES 0/13]: Unifies rest of ip[6]tables matches/targets

[Jan Engelhardt]

On Jul 24 2007 18:08, Yasuyuki KOZAKAI wrote:
>
>> iptables svn6960 does not yet search for the libxt_*.so files.
>> 
>> 
>> # strace -e open ./iptables -t nat -L
>> ...
>> open("/ws/iptables/extensions/libipt_tcp.so", O_RDONLY) = -1 ENOENT (No 
>> such file or directory)
>> REDIRECT   tcp  --  anywhere             192.168.250.2       UNKNOWN 
>> match `tcp' redir ports 8080 
>
>Thanks for report.
>
>I wrote Makefile to make symbolic link from libip[6]t_*.so to libxt_*.so.
>How did you make and install iptables ?

>From /ws/iptables (svn code dir):

make KERNEL_DIR=/ws/linux/linux-2.6.22 PREFIX=/usr
LIBIPT_DIR=/ws/iptables/extensions

I did not install it, but ran it from /ws/iptables.


	Jan
-- 

Re: [PATCH IPTABLES 0/13]: Unifies rest of ip[6]tables matches/targets

[Yasuyuki KOZAKAI]

From: Jan Engelhardt <jengelh@computergmbh.de>
Date: Tue, 24 Jul 2007 11:12:57 +0200 (CEST)

> On Jul 24 2007 18:08, Yasuyuki KOZAKAI wrote:
> >
> >> iptables svn6960 does not yet search for the libxt_*.so files.
> >> 
> >> 
> >> # strace -e open ./iptables -t nat -L
> >> ...
> >> open("/ws/iptables/extensions/libipt_tcp.so", O_RDONLY) = -1 ENOENT (No 
> >> such file or directory)
> >> REDIRECT   tcp  --  anywhere             192.168.250.2       UNKNOWN 
> >> match `tcp' redir ports 8080 
> >
> >Thanks for report.
> >
> >I wrote Makefile to make symbolic link from libip[6]t_*.so to libxt_*.so.
> >How did you make and install iptables ?
> 
> From /ws/iptables (svn code dir):
> 
> make KERNEL_DIR=/ws/linux/linux-2.6.22 PREFIX=/usr
> LIBIPT_DIR=/ws/iptables/extensions
> 
> I did not install it, but ran it from /ws/iptables.

Wow, I didn't expect such usage. But I'm not sure we should support
this usage. The reason why I employed symbolic link instead of iptables
searching libxt_*.so is to keep codes simple. Actually I'm not familiar
of 'tryload' argument of find_{match,target} so I just kept the behavior of
them :) If I come up with good idea, I will support it.

-- Yasuyuki Kozakai

[PATCH 01/**] libxt_*.so lookup (Re: [PATCH IPTABLES 0/13]: Unifies rest of ip[6]tables matches/targets)

[Jan Engelhardt]

On Jul 24 2007 18:49, Yasuyuki KOZAKAI wrote:
>> 
>> From /ws/iptables (svn code dir):
>> 
>> make KERNEL_DIR=/ws/linux/linux-2.6.22 PREFIX=/usr
>> LIBIPT_DIR=/ws/iptables/extensions
>> 
>> I did not install it, but ran it from /ws/iptables.
>
>Wow, I didn't expect such usage. But I'm not sure we should support
>this usage. The reason why I employed symbolic link instead of iptables
>searching libxt_*.so is to keep codes simple. Actually I'm not familiar
>of 'tryload' argument of find_{match,target} so I just kept the behavior of
>them :) If I come up with good idea, I will support it.

Something like this

===

Let the iptable tools search for libxt modules first,
then for l3-specific modules (libipt, libip6t)

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

---
 include/xtables.h |    6 ++--
 ip6tables-save.c  |    4 +-
 ip6tables.c       |   22 +++++++--------
 iptables-save.c   |    4 +-
 iptables.c        |   22 +++++++--------
 xtables.c         |   78 +++++++++++++++++++++++++++++++++---------------------
 6 files changed, 78 insertions(+), 58 deletions(-)

Index: iptables/include/xtables.h
===================================================================
--- iptables.orig/include/xtables.h
+++ iptables/include/xtables.h
@@ -191,8 +191,10 @@ extern void xtables_register_match(struc
 extern void xtables_register_target(struct xtables_target *me);
 
 extern struct xtables_match *find_match(const char *name, enum xt_tryload,
-					struct xtables_rule_match **match);
-extern struct xtables_target *find_target(const char *name, enum xt_tryload);
+					struct xtables_rule_match **match,
+					unsigned int family);
+extern struct xtables_target *find_target(const char *name, enum xt_tryload,
+                                          unsigned int family);
 
 extern int string_to_number_ll(const char *s,
 			       unsigned long long min,
Index: iptables/ip6tables-save.c
===================================================================
--- iptables.orig/ip6tables-save.c
+++ iptables/ip6tables-save.c
@@ -100,7 +100,7 @@ static int print_match(const struct ip6t
 			const struct ip6t_ip6 *ip)
 {
 	struct ip6tables_match *match
-		= find_match(e->u.user.name, TRY_LOAD, NULL);
+		= find_match(e->u.user.name, TRY_LOAD, NULL, "ip6t");
 
 	if (match) {
 		printf("-m %s ", e->u.user.name);
@@ -196,7 +196,7 @@ static void print_rule(const struct ip6t
 	t = ip6t_get_target((struct ip6t_entry *)e);
 	if (t->u.user.name[0]) {
 		struct ip6tables_target *target
-			= find_target(t->u.user.name, TRY_LOAD);
+			= find_target(t->u.user.name, TRY_LOAD, AF_INET6);
 
 		if (!target) {
 			fprintf(stderr, "Can't find library for target `%s'\n",
Index: iptables/ip6tables.c
===================================================================
--- iptables.orig/ip6tables.c
+++ iptables/ip6tables.c
@@ -700,9 +700,9 @@ find_proto(const char *pname, enum ip6t_
 		char *protoname = proto_to_name(proto, nolookup);
 
 		if (protoname)
-			return find_match(protoname, tryload, matches);
+			return find_match(protoname, tryload, matches, AF_INET6);
 	} else
-		return find_match(pname, tryload, matches);
+		return find_match(pname, tryload, matches, AF_INET6);
 
 	return NULL;
 }
@@ -926,7 +926,7 @@ print_match(const struct ip6t_entry_matc
 	    const struct ip6t_ip6 *ip,
 	    int numeric)
 {
-	struct ip6tables_match *match = find_match(m->u.user.name, TRY_LOAD, NULL);
+	struct ip6tables_match *match = find_match(m->u.user.name, TRY_LOAD, NULL, AF_INET6);
 
 	if (match) {
 		if (match->print)
@@ -955,9 +955,9 @@ print_firewall(const struct ip6t_entry *
 	char buf[BUFSIZ];
 
 	if (!ip6tc_is_chain(targname, handle))
-		target = find_target(targname, TRY_LOAD);
+		target = find_target(targname, TRY_LOAD, AF_INET6);
 	else
-		target = find_target(IP6T_STANDARD_TARGET, LOAD_MUST_SUCCEED);
+		target = find_target(IP6T_STANDARD_TARGET, LOAD_MUST_SUCCEED, AF_INET6);
 
 	t = ip6t_get_target((struct ip6t_entry *)fw);
 	flags = fw->ipv6.flags;
@@ -1510,7 +1510,7 @@ int do_command6(int argc, char *argv[], 
 				exit_error(PARAMETER_PROBLEM,
 					   "chain name not allowed to start "
 					   "with `%c'\n", *optarg);
-			if (find_target(optarg, TRY_LOAD))
+			if (find_target(optarg, TRY_LOAD, AF_INET6))
 				exit_error(PARAMETER_PROBLEM,
 					   "chain name may not clash "
 					   "with target name\n");
@@ -1561,7 +1561,7 @@ int do_command6(int argc, char *argv[], 
 
 			/* ip6tables -p icmp -h */
 			if (!matches && protocol)
-				find_match(protocol, TRY_LOAD, &matches);
+				find_match(protocol, TRY_LOAD, &matches, AF_INET6);
 
 			exit_printhelp(matches);
 
@@ -1612,7 +1612,7 @@ int do_command6(int argc, char *argv[], 
 				   invert);
 			jumpto = parse_target(optarg);
 			/* TRY_LOAD (may be chain name) */
-			target = find_target(jumpto, TRY_LOAD);
+			target = find_target(jumpto, TRY_LOAD, AF_INET6);
 
 			if (target) {
 				size_t size;
@@ -1662,7 +1662,7 @@ int do_command6(int argc, char *argv[], 
 				exit_error(PARAMETER_PROBLEM,
 					   "unexpected ! flag before --match");
 
-			m = find_match(optarg, LOAD_MUST_SUCCEED, &matches);
+			m = find_match(optarg, LOAD_MUST_SUCCEED, &matches, AF_INET6);
 			size = IP6T_ALIGN(sizeof(struct ip6t_entry_match))
 					 + m->size;
 			m->m = fw_calloc(1, size);
@@ -1937,7 +1937,7 @@ int do_command6(int argc, char *argv[], 
 			size_t size;
 
 			target = find_target(IP6T_STANDARD_TARGET,
-					     LOAD_MUST_SUCCEED);
+					     LOAD_MUST_SUCCEED, AF_INET6);
 
 			size = sizeof(struct ip6t_entry_target)
 				+ target->size;
@@ -1953,7 +1953,7 @@ int do_command6(int argc, char *argv[], 
 			 * We cannot know if the plugin is corrupt, non
 			 * existant OR if the user just misspelled a
 			 * chain. */
-			find_target(jumpto, LOAD_MUST_SUCCEED);
+			find_target(jumpto, LOAD_MUST_SUCCEED, AF_INET6);
 		} else {
 			e = generate_entry(&fw, matches, target->t);
 			free(target->t);
Index: iptables/iptables-save.c
===================================================================
--- iptables.orig/iptables-save.c
+++ iptables/iptables-save.c
@@ -119,7 +119,7 @@ static int print_match(const struct ipt_
 			const struct ipt_ip *ip)
 {
 	struct iptables_match *match
-		= find_match(e->u.user.name, TRY_LOAD, NULL);
+		= find_match(e->u.user.name, TRY_LOAD, NULL, AF_INET);
 
 	if (match) {
 		printf("-m %s ", e->u.user.name);
@@ -207,7 +207,7 @@ static void print_rule(const struct ipt_
 	t = ipt_get_target((struct ipt_entry *)e);
 	if (t->u.user.name[0]) {
 		struct iptables_target *target
-			= find_target(t->u.user.name, TRY_LOAD);
+			= find_target(t->u.user.name, TRY_LOAD, AF_INET);
 
 		if (!target) {
 			fprintf(stderr, "Can't find library for target `%s'\n",
Index: iptables/iptables.c
===================================================================
--- iptables.orig/iptables.c
+++ iptables/iptables.c
@@ -687,9 +687,9 @@ find_proto(const char *pname, enum ipt_t
 		char *protoname = proto_to_name(proto, nolookup);
 
 		if (protoname)
-			return find_match(protoname, tryload, matches);
+			return find_match(protoname, tryload, matches, AF_INET);
 	} else
-		return find_match(pname, tryload, matches);
+		return find_match(pname, tryload, matches, AF_INET);
 
 	return NULL;
 }
@@ -964,7 +964,7 @@ print_match(const struct ipt_entry_match
 	    const struct ipt_ip *ip,
 	    int numeric)
 {
-	struct iptables_match *match = find_match(m->u.user.name, TRY_LOAD, NULL);
+	struct iptables_match *match = find_match(m->u.user.name, TRY_LOAD, NULL, AF_INET);
 
 	if (match) {
 		if (match->print)
@@ -993,9 +993,9 @@ print_firewall(const struct ipt_entry *f
 	char buf[BUFSIZ];
 
 	if (!iptc_is_chain(targname, handle))
-		target = find_target(targname, TRY_LOAD);
+		target = find_target(targname, TRY_LOAD, AF_INET);
 	else
-		target = find_target(IPT_STANDARD_TARGET, LOAD_MUST_SUCCEED);
+		target = find_target(IPT_STANDARD_TARGET, LOAD_MUST_SUCCEED, AF_INET);
 
 	t = ipt_get_target((struct ipt_entry *)fw);
 	flags = fw->ip.flags;
@@ -1566,7 +1566,7 @@ int do_command(int argc, char *argv[], c
 				exit_error(PARAMETER_PROBLEM,
 					   "chain name not allowed to start "
 					   "with `%c'\n", *optarg);
-			if (find_target(optarg, TRY_LOAD))
+			if (find_target(optarg, TRY_LOAD, AF_INET))
 				exit_error(PARAMETER_PROBLEM,
 					   "chain name may not clash "
 					   "with target name\n");
@@ -1617,7 +1617,7 @@ int do_command(int argc, char *argv[], c
 
 			/* iptables -p icmp -h */
 			if (!matches && protocol)
-				find_match(protocol, TRY_LOAD, &matches);
+				find_match(protocol, TRY_LOAD, &matches, AF_INET);
 
 			exit_printhelp(matches);
 
@@ -1670,7 +1670,7 @@ int do_command(int argc, char *argv[], c
 				   invert);
 			jumpto = parse_target(optarg);
 			/* TRY_LOAD (may be chain name) */
-			target = find_target(jumpto, TRY_LOAD);
+			target = find_target(jumpto, TRY_LOAD, AF_INET);
 
 			if (target) {
 				size_t size;
@@ -1728,7 +1728,7 @@ int do_command(int argc, char *argv[], c
 				exit_error(PARAMETER_PROBLEM,
 					   "unexpected ! flag before --match");
 
-			m = find_match(optarg, LOAD_MUST_SUCCEED, &matches);
+			m = find_match(optarg, LOAD_MUST_SUCCEED, &matches, AF_INET);
 			size = IPT_ALIGN(sizeof(struct ipt_entry_match))
 					 + m->size;
 			m->m = fw_calloc(1, size);
@@ -2002,7 +2002,7 @@ int do_command(int argc, char *argv[], c
 			size_t size;
 
 			target = find_target(IPT_STANDARD_TARGET,
-					     LOAD_MUST_SUCCEED);
+					     LOAD_MUST_SUCCEED, AF_INET);
 
 			size = sizeof(struct ipt_entry_target)
 				+ target->size;
@@ -2026,7 +2026,7 @@ int do_command(int argc, char *argv[], c
 				exit_error(PARAMETER_PROBLEM,
 					   "goto '%s' is not a chain\n", jumpto);
 #endif
-			find_target(jumpto, LOAD_MUST_SUCCEED);
+			find_target(jumpto, LOAD_MUST_SUCCEED, AF_INET);
 		} else {
 			e = generate_entry(&fw, matches, target->t);
 			free(target->t);
Index: iptables/xtables.c
===================================================================
--- iptables.orig/xtables.c
+++ iptables/xtables.c
@@ -31,6 +31,7 @@
 
 #include <xtables.h>
 
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
 #define NPROTO	255
 
 #ifndef PROC_SYS_MODPROBE
@@ -255,8 +256,15 @@ void parse_interface(const char *arg, ch
 	}
 }
 
+static const char *const family_prefix[] = {
+	[AF_UNSPEC] = "xt",
+	[AF_INET]   = "ipt",
+	[AF_INET6]  = "ip6t",
+};
+
 struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
-				 struct xtables_rule_match **matches)
+				 struct xtables_rule_match **matches,
+				 unsigned int family)
 {
 	struct xtables_match *ptr;
 	const char *icmp6 = "icmp6";
@@ -292,21 +300,27 @@ struct xtables_match *find_match(const c
 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
 		char path[strlen(lib_dir) + sizeof("/.so")
 			  + strlen(afinfo.libprefix) + strlen(name)];
-		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
-			name);
-		if (dlopen(path, RTLD_NOW)) {
-			/* Found library.  If it didn't register itself,
-			   maybe they specified target as match. */
-			ptr = find_match(name, DONT_LOAD, NULL);
-
-			if (!ptr)
-				exit_error(PARAMETER_PROBLEM,
-					   "Couldn't load match `%s'\n",
-					   name);
-		} else if (tryload == LOAD_MUST_SUCCEED)
+
+		snprintf(path, sizeof(path), "%s/lib%s_%s.so", lib_dir,
+		         family_prefix[AF_UNSPEC], name);
+		if (dlopen(path, RTLD_NOW) != NULL)
+			/*
+			 * Library loaded (and its constructors run).
+			 * Try to grab the pointer to the struct.
+			 */
+			ptr = find_match(name, DONT_LOAD, NULL, family);
+
+		if (ptr == NULL && family < ARRAY_SIZE(family_prefix) &&
+		    family_prefix[family] != NULL) {
+			snprintf(path, sizeof(path), "%s/lib%s_%s.so",
+			         lib_dir, family_prefix[family], name);
+			if (dlopen(path, RTLD_NOW) != NULL)
+				ptr = find_match(name, DONT_LOAD, NULL, family);
+		}
+
+		if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
 			exit_error(PARAMETER_PROBLEM,
-				   "Couldn't load match `%s':%s\n",
-				   name, dlerror());
+				   "Couldn't load match `%s'\n", name);
 	}
 #else
 	if (ptr && !ptr->loaded) {
@@ -341,7 +355,8 @@ struct xtables_match *find_match(const c
 }
 
 
-struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
+struct xtables_target *find_target(const char *name, enum xt_tryload tryload,
+                                   unsigned int family)
 {
 	struct xtables_target *ptr;
 
@@ -362,19 +377,22 @@ struct xtables_target *find_target(const
 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
 		char path[strlen(lib_dir) + sizeof("/.so")
 			  + strlen(afinfo.libprefix) + strlen(name)];
-		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix, name);
-		if (dlopen(path, RTLD_NOW)) {
-			/* Found library.  If it didn't register itself,
-			   maybe they specified match as a target. */
-			ptr = find_target(name, DONT_LOAD);
-			if (!ptr)
-				exit_error(PARAMETER_PROBLEM,
-					   "Couldn't load target `%s'\n",
-					   name);
-		} else if (tryload == LOAD_MUST_SUCCEED)
+
+		snprintf(path, sizeof(path), "%s/lib%s_%s.so", lib_dir,
+		         family_prefix[AF_UNSPEC], name);
+		if (dlopen(path, RTLD_NOW) != NULL)
+			ptr = find_target(name, DONT_LOAD, family);
+
+		if (ptr == NULL && family < ARRAY_SIZE(family_prefix) &&
+		    family_prefix[family] != NULL) {
+			snprintf(path, sizeof(path), "%s/lib%s_%s.so",
+			         lib_dir, family_prefix[family], name);
+			if (dlopen(path, RTLD_NOW) != NULL)
+				ptr = find_target(name, DONT_LOAD, family);
+		}
+		if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
 			exit_error(PARAMETER_PROBLEM,
-				   "Couldn't load target `%s':%s\n",
-				   name, dlerror());
+				   "Couldn't load target `%s'\n", name);
 	}
 #else
 	if (ptr && !ptr->loaded) {
@@ -472,7 +490,7 @@ void xtables_register_match(struct xtabl
 	if (me->family != afinfo.family)
 		return;
 
-	old = find_match(me->name, DURING_LOAD, NULL);
+	old = find_match(me->name, DURING_LOAD, NULL, me->family);
 	if (old) {
 		if (old->revision == me->revision) {
 			fprintf(stderr,
@@ -538,7 +556,7 @@ void xtables_register_target(struct xtab
 	if (me->family != afinfo.family)
 		return;
 
-	old = find_target(me->name, DURING_LOAD);
+	old = find_target(me->name, DURING_LOAD, me->family);
 	if (old) {
 		struct xtables_target **i;
 

Re: [PATCH 01/**] libxt_*.so lookup

[Yasuyuki KOZAKAI]

Hi,

From: Jan Engelhardt <jengelh@computergmbh.de>

> Let the iptable tools search for libxt modules first,
> then for l3-specific modules (libipt, libip6t)
> 
> Signed-off-by: Jan Engelhardt <jengelh@gmx.de>


> +static const char *const family_prefix[] = {
> +	[AF_UNSPEC] = "xt",
> +	[AF_INET]   = "ipt",
> +	[AF_INET6]  = "ip6t",
> +};
> +

Using AF_UNSPEC is attractive. It can save almost samef xtables_{match,target}
as you proposed in other mail. But I prefer to keep things logical. Other
than IPv4 and IPv6 family cannot support almost 'xt_' matches/targets.

>  struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
> -				 struct xtables_rule_match **matches)
> +				 struct xtables_rule_match **matches,
> +				 unsigned int family)
>  {
>  	struct xtables_match *ptr;
>  	const char *icmp6 = "icmp6";
> @@ -292,21 +300,27 @@ struct xtables_match *find_match(const c
>  	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
>  		char path[strlen(lib_dir) + sizeof("/.so")
>  			  + strlen(afinfo.libprefix) + strlen(name)];
> -		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
> -			name);
> -		if (dlopen(path, RTLD_NOW)) {
> -			/* Found library.  If it didn't register itself,
> -			   maybe they specified target as match. */
> -			ptr = find_match(name, DONT_LOAD, NULL);
> -
> -			if (!ptr)
> -				exit_error(PARAMETER_PROBLEM,
> -					   "Couldn't load match `%s'\n",
> -					   name);
> -		} else if (tryload == LOAD_MUST_SUCCEED)
> +
> +		snprintf(path, sizeof(path), "%s/lib%s_%s.so", lib_dir,
> +		         family_prefix[AF_UNSPEC], name);

So, here "%s/libxt_%s.so" is enough, and

> +		if (dlopen(path, RTLD_NOW) != NULL)
> +			/*
> +			 * Library loaded (and its constructors run).
> +			 * Try to grab the pointer to the struct.
> +			 */
> +			ptr = find_match(name, DONT_LOAD, NULL, family);
> +
> +		if (ptr == NULL && family < ARRAY_SIZE(family_prefix) &&
> +		    family_prefix[family] != NULL) {
> +			snprintf(path, sizeof(path), "%s/lib%s_%s.so",
> +			         lib_dir, family_prefix[family], name);

let's use afinfo.libprefix.

> +			if (dlopen(path, RTLD_NOW) != NULL)
> +				ptr = find_match(name, DONT_LOAD, NULL, family);
> +		}
> +
> +		if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
>  			exit_error(PARAMETER_PROBLEM,
> -				   "Couldn't load match `%s':%s\n",
> -				   name, dlerror());
> +				   "Couldn't load match `%s'\n", name);
>  	}
>  #else
>  	if (ptr && !ptr->loaded) {

-- Yasuyuki Kozakai

Re: [PATCH 01/**] libxt_*.so lookup

[Jan Engelhardt]

On Jul 31 2007 09:25, Yasuyuki KOZAKAI wrote:
>> +		snprintf(path, sizeof(path), "%s/lib%s_%s.so", lib_dir,
>> +		         family_prefix[AF_UNSPEC], name);
>
>So, here "%s/libxt_%s.so" is enough, and
>
>> +		if (ptr == NULL && family < ARRAY_SIZE(family_prefix) &&
>> +		    family_prefix[family] != NULL) {
>> +			snprintf(path, sizeof(path), "%s/lib%s_%s.so",
>> +			         lib_dir, family_prefix[family], name);
>
>let's use afinfo.libprefix.
>


	Jan
===

Let the iptable tools search for libxt modules first,
then for l3-specific modules (libipt, libip6t)

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

---
 include/xtables.h |    6 +++-
 ip6tables-save.c  |    4 +--
 ip6tables.c       |   22 ++++++++---------
 iptables-save.c   |    4 +--
 iptables.c        |   22 ++++++++---------
 xtables.c         |   68 ++++++++++++++++++++++++++++++------------------------
 6 files changed, 68 insertions(+), 58 deletions(-)

Index: iptables/include/xtables.h
===================================================================
--- iptables.orig/include/xtables.h
+++ iptables/include/xtables.h
@@ -191,8 +191,10 @@ extern void xtables_register_match(struc
 extern void xtables_register_target(struct xtables_target *me);
 
 extern struct xtables_match *find_match(const char *name, enum xt_tryload,
-					struct xtables_rule_match **match);
-extern struct xtables_target *find_target(const char *name, enum xt_tryload);
+					struct xtables_rule_match **match,
+					unsigned int family);
+extern struct xtables_target *find_target(const char *name, enum xt_tryload,
+                                          unsigned int family);
 
 extern int string_to_number_ll(const char *s,
 			       unsigned long long min,
Index: iptables/ip6tables-save.c
===================================================================
--- iptables.orig/ip6tables-save.c
+++ iptables/ip6tables-save.c
@@ -100,7 +100,7 @@ static int print_match(const struct ip6t
 			const struct ip6t_ip6 *ip)
 {
 	struct ip6tables_match *match
-		= find_match(e->u.user.name, TRY_LOAD, NULL);
+		= find_match(e->u.user.name, TRY_LOAD, NULL, "ip6t");
 
 	if (match) {
 		printf("-m %s ", e->u.user.name);
@@ -196,7 +196,7 @@ static void print_rule(const struct ip6t
 	t = ip6t_get_target((struct ip6t_entry *)e);
 	if (t->u.user.name[0]) {
 		struct ip6tables_target *target
-			= find_target(t->u.user.name, TRY_LOAD);
+			= find_target(t->u.user.name, TRY_LOAD, AF_INET6);
 
 		if (!target) {
 			fprintf(stderr, "Can't find library for target `%s'\n",
Index: iptables/ip6tables.c
===================================================================
--- iptables.orig/ip6tables.c
+++ iptables/ip6tables.c
@@ -700,9 +700,9 @@ find_proto(const char *pname, enum ip6t_
 		char *protoname = proto_to_name(proto, nolookup);
 
 		if (protoname)
-			return find_match(protoname, tryload, matches);
+			return find_match(protoname, tryload, matches, AF_INET6);
 	} else
-		return find_match(pname, tryload, matches);
+		return find_match(pname, tryload, matches, AF_INET6);
 
 	return NULL;
 }
@@ -929,7 +929,7 @@ print_match(const struct ip6t_entry_matc
 	    const struct ip6t_ip6 *ip,
 	    int numeric)
 {
-	struct ip6tables_match *match = find_match(m->u.user.name, TRY_LOAD, NULL);
+	struct ip6tables_match *match = find_match(m->u.user.name, TRY_LOAD, NULL, AF_INET6);
 
 	if (match) {
 		if (match->print)
@@ -958,9 +958,9 @@ print_firewall(const struct ip6t_entry *
 	char buf[BUFSIZ];
 
 	if (!ip6tc_is_chain(targname, handle))
-		target = find_target(targname, TRY_LOAD);
+		target = find_target(targname, TRY_LOAD, AF_INET6);
 	else
-		target = find_target(IP6T_STANDARD_TARGET, LOAD_MUST_SUCCEED);
+		target = find_target(IP6T_STANDARD_TARGET, LOAD_MUST_SUCCEED, AF_INET6);
 
 	t = ip6t_get_target((struct ip6t_entry *)fw);
 	flags = fw->ipv6.flags;
@@ -1513,7 +1513,7 @@ int do_command6(int argc, char *argv[], 
 				exit_error(PARAMETER_PROBLEM,
 					   "chain name not allowed to start "
 					   "with `%c'\n", *optarg);
-			if (find_target(optarg, TRY_LOAD))
+			if (find_target(optarg, TRY_LOAD, AF_INET6))
 				exit_error(PARAMETER_PROBLEM,
 					   "chain name may not clash "
 					   "with target name\n");
@@ -1564,7 +1564,7 @@ int do_command6(int argc, char *argv[], 
 
 			/* ip6tables -p icmp -h */
 			if (!matches && protocol)
-				find_match(protocol, TRY_LOAD, &matches);
+				find_match(protocol, TRY_LOAD, &matches, AF_INET6);
 
 			exit_printhelp(matches);
 
@@ -1615,7 +1615,7 @@ int do_command6(int argc, char *argv[], 
 				   invert);
 			jumpto = parse_target(optarg);
 			/* TRY_LOAD (may be chain name) */
-			target = find_target(jumpto, TRY_LOAD);
+			target = find_target(jumpto, TRY_LOAD, AF_INET6);
 
 			if (target) {
 				size_t size;
@@ -1665,7 +1665,7 @@ int do_command6(int argc, char *argv[], 
 				exit_error(PARAMETER_PROBLEM,
 					   "unexpected ! flag before --match");
 
-			m = find_match(optarg, LOAD_MUST_SUCCEED, &matches);
+			m = find_match(optarg, LOAD_MUST_SUCCEED, &matches, AF_INET6);
 			size = IP6T_ALIGN(sizeof(struct ip6t_entry_match))
 					 + m->size;
 			m->m = fw_calloc(1, size);
@@ -1940,7 +1940,7 @@ int do_command6(int argc, char *argv[], 
 			size_t size;
 
 			target = find_target(IP6T_STANDARD_TARGET,
-					     LOAD_MUST_SUCCEED);
+					     LOAD_MUST_SUCCEED, AF_INET6);
 
 			size = sizeof(struct ip6t_entry_target)
 				+ target->size;
@@ -1956,7 +1956,7 @@ int do_command6(int argc, char *argv[], 
 			 * We cannot know if the plugin is corrupt, non
 			 * existant OR if the user just misspelled a
 			 * chain. */
-			find_target(jumpto, LOAD_MUST_SUCCEED);
+			find_target(jumpto, LOAD_MUST_SUCCEED, AF_INET6);
 		} else {
 			e = generate_entry(&fw, matches, target->t);
 			free(target->t);
Index: iptables/iptables-save.c
===================================================================
--- iptables.orig/iptables-save.c
+++ iptables/iptables-save.c
@@ -119,7 +119,7 @@ static int print_match(const struct ipt_
 			const struct ipt_ip *ip)
 {
 	struct iptables_match *match
-		= find_match(e->u.user.name, TRY_LOAD, NULL);
+		= find_match(e->u.user.name, TRY_LOAD, NULL, AF_INET);
 
 	if (match) {
 		printf("-m %s ", e->u.user.name);
@@ -207,7 +207,7 @@ static void print_rule(const struct ipt_
 	t = ipt_get_target((struct ipt_entry *)e);
 	if (t->u.user.name[0]) {
 		struct iptables_target *target
-			= find_target(t->u.user.name, TRY_LOAD);
+			= find_target(t->u.user.name, TRY_LOAD, AF_INET);
 
 		if (!target) {
 			fprintf(stderr, "Can't find library for target `%s'\n",
Index: iptables/iptables.c
===================================================================
--- iptables.orig/iptables.c
+++ iptables/iptables.c
@@ -687,9 +687,9 @@ find_proto(const char *pname, enum ipt_t
 		char *protoname = proto_to_name(proto, nolookup);
 
 		if (protoname)
-			return find_match(protoname, tryload, matches);
+			return find_match(protoname, tryload, matches, AF_INET);
 	} else
-		return find_match(pname, tryload, matches);
+		return find_match(pname, tryload, matches, AF_INET);
 
 	return NULL;
 }
@@ -967,7 +967,7 @@ print_match(const struct ipt_entry_match
 	    const struct ipt_ip *ip,
 	    int numeric)
 {
-	struct iptables_match *match = find_match(m->u.user.name, TRY_LOAD, NULL);
+	struct iptables_match *match = find_match(m->u.user.name, TRY_LOAD, NULL, AF_INET);
 
 	if (match) {
 		if (match->print)
@@ -996,9 +996,9 @@ print_firewall(const struct ipt_entry *f
 	char buf[BUFSIZ];
 
 	if (!iptc_is_chain(targname, handle))
-		target = find_target(targname, TRY_LOAD);
+		target = find_target(targname, TRY_LOAD, AF_INET);
 	else
-		target = find_target(IPT_STANDARD_TARGET, LOAD_MUST_SUCCEED);
+		target = find_target(IPT_STANDARD_TARGET, LOAD_MUST_SUCCEED, AF_INET);
 
 	t = ipt_get_target((struct ipt_entry *)fw);
 	flags = fw->ip.flags;
@@ -1569,7 +1569,7 @@ int do_command(int argc, char *argv[], c
 				exit_error(PARAMETER_PROBLEM,
 					   "chain name not allowed to start "
 					   "with `%c'\n", *optarg);
-			if (find_target(optarg, TRY_LOAD))
+			if (find_target(optarg, TRY_LOAD, AF_INET))
 				exit_error(PARAMETER_PROBLEM,
 					   "chain name may not clash "
 					   "with target name\n");
@@ -1620,7 +1620,7 @@ int do_command(int argc, char *argv[], c
 
 			/* iptables -p icmp -h */
 			if (!matches && protocol)
-				find_match(protocol, TRY_LOAD, &matches);
+				find_match(protocol, TRY_LOAD, &matches, AF_INET);
 
 			exit_printhelp(matches);
 
@@ -1673,7 +1673,7 @@ int do_command(int argc, char *argv[], c
 				   invert);
 			jumpto = parse_target(optarg);
 			/* TRY_LOAD (may be chain name) */
-			target = find_target(jumpto, TRY_LOAD);
+			target = find_target(jumpto, TRY_LOAD, AF_INET);
 
 			if (target) {
 				size_t size;
@@ -1731,7 +1731,7 @@ int do_command(int argc, char *argv[], c
 				exit_error(PARAMETER_PROBLEM,
 					   "unexpected ! flag before --match");
 
-			m = find_match(optarg, LOAD_MUST_SUCCEED, &matches);
+			m = find_match(optarg, LOAD_MUST_SUCCEED, &matches, AF_INET);
 			size = IPT_ALIGN(sizeof(struct ipt_entry_match))
 					 + m->size;
 			m->m = fw_calloc(1, size);
@@ -2005,7 +2005,7 @@ int do_command(int argc, char *argv[], c
 			size_t size;
 
 			target = find_target(IPT_STANDARD_TARGET,
-					     LOAD_MUST_SUCCEED);
+					     LOAD_MUST_SUCCEED, AF_INET);
 
 			size = sizeof(struct ipt_entry_target)
 				+ target->size;
@@ -2029,7 +2029,7 @@ int do_command(int argc, char *argv[], c
 				exit_error(PARAMETER_PROBLEM,
 					   "goto '%s' is not a chain\n", jumpto);
 #endif
-			find_target(jumpto, LOAD_MUST_SUCCEED);
+			find_target(jumpto, LOAD_MUST_SUCCEED, AF_INET);
 		} else {
 			e = generate_entry(&fw, matches, target->t);
 			free(target->t);
Index: iptables/xtables.c
===================================================================
--- iptables.orig/xtables.c
+++ iptables/xtables.c
@@ -31,6 +31,7 @@
 
 #include <xtables.h>
 
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
 #define NPROTO	255
 
 #ifndef PROC_SYS_MODPROBE
@@ -256,7 +257,8 @@ void parse_interface(const char *arg, ch
 }
 
 struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
-				 struct xtables_rule_match **matches)
+				 struct xtables_rule_match **matches,
+				 unsigned int family)
 {
 	struct xtables_match *ptr;
 	const char *icmp6 = "icmp6";
@@ -292,21 +294,25 @@ struct xtables_match *find_match(const c
 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
 		char path[strlen(lib_dir) + sizeof("/.so")
 			  + strlen(afinfo.libprefix) + strlen(name)];
-		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
-			name);
-		if (dlopen(path, RTLD_NOW)) {
-			/* Found library.  If it didn't register itself,
-			   maybe they specified target as match. */
-			ptr = find_match(name, DONT_LOAD, NULL);
-
-			if (!ptr)
-				exit_error(PARAMETER_PROBLEM,
-					   "Couldn't load match `%s'\n",
-					   name);
-		} else if (tryload == LOAD_MUST_SUCCEED)
+
+		snprintf(path, sizeof(path), "%s/libxt_%s.so", lib_dir, name);
+		if (dlopen(path, RTLD_NOW) != NULL)
+			/*
+			 * Library loaded (and its constructors run).
+			 * Try to grab the pointer to the struct.
+			 */
+			ptr = find_match(name, DONT_LOAD, NULL, family);
+
+		if (ptr == NULL) {
+			snprintf(path, sizeof(path), "%s/%s%s.so",
+			         lib_dir, afinfo.libprefix, name);
+			if (dlopen(path, RTLD_NOW) != NULL)
+				ptr = find_match(name, DONT_LOAD, NULL, family);
+		}
+
+		if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
 			exit_error(PARAMETER_PROBLEM,
-				   "Couldn't load match `%s':%s\n",
-				   name, dlerror());
+				   "Couldn't load match `%s'\n", name);
 	}
 #else
 	if (ptr && !ptr->loaded) {
@@ -341,7 +347,8 @@ struct xtables_match *find_match(const c
 }
 
 
-struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
+struct xtables_target *find_target(const char *name, enum xt_tryload tryload,
+                                   unsigned int family)
 {
 	struct xtables_target *ptr;
 
@@ -362,19 +369,20 @@ struct xtables_target *find_target(const
 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
 		char path[strlen(lib_dir) + sizeof("/.so")
 			  + strlen(afinfo.libprefix) + strlen(name)];
-		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix, name);
-		if (dlopen(path, RTLD_NOW)) {
-			/* Found library.  If it didn't register itself,
-			   maybe they specified match as a target. */
-			ptr = find_target(name, DONT_LOAD);
-			if (!ptr)
-				exit_error(PARAMETER_PROBLEM,
-					   "Couldn't load target `%s'\n",
-					   name);
-		} else if (tryload == LOAD_MUST_SUCCEED)
+
+		snprintf(path, sizeof(path), "%s/libxt_%s.so", lib_dir, name);
+		if (dlopen(path, RTLD_NOW) != NULL)
+			ptr = find_target(name, DONT_LOAD, family);
+
+		if (ptr == NULL) {
+			snprintf(path, sizeof(path), "%s/%s%s.so",
+			         lib_dir, afinfo.libprefix, name);
+			if (dlopen(path, RTLD_NOW) != NULL)
+				ptr = find_target(name, DONT_LOAD, family);
+		}
+		if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
 			exit_error(PARAMETER_PROBLEM,
-				   "Couldn't load target `%s':%s\n",
-				   name, dlerror());
+				   "Couldn't load target `%s'\n", name);
 	}
 #else
 	if (ptr && !ptr->loaded) {
@@ -472,7 +480,7 @@ void xtables_register_match(struct xtabl
 	if (me->family != afinfo.family)
 		return;
 
-	old = find_match(me->name, DURING_LOAD, NULL);
+	old = find_match(me->name, DURING_LOAD, NULL, me->family);
 	if (old) {
 		if (old->revision == me->revision) {
 			fprintf(stderr,
@@ -538,7 +546,7 @@ void xtables_register_target(struct xtab
 	if (me->family != afinfo.family)
 		return;
 
-	old = find_target(me->name, DURING_LOAD);
+	old = find_target(me->name, DURING_LOAD, me->family);
 	if (old) {
 		struct xtables_target **i;
 

Re: [PATCH 01/**] libxt_*.so lookup

[Yasuyuki KOZAKAI]

From: Jan Engelhardt <jengelh@computergmbh.de>

> 
> On Jul 31 2007 09:25, Yasuyuki KOZAKAI wrote:
> >> +		snprintf(path, sizeof(path), "%s/lib%s_%s.so", lib_dir,
> >> +		         family_prefix[AF_UNSPEC], name);
> >
> >So, here "%s/libxt_%s.so" is enough, and
> >
> >> +		if (ptr == NULL && family < ARRAY_SIZE(family_prefix) &&
> >> +		    family_prefix[family] != NULL) {
> >> +			snprintf(path, sizeof(path), "%s/lib%s_%s.so",
> >> +			         lib_dir, family_prefix[family], name);
> >
> >let's use afinfo.libprefix.
> >



>  struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
> -				 struct xtables_rule_match **matches)
> +				 struct xtables_rule_match **matches,
> +				 unsigned int family)
>  {
>  	struct xtables_match *ptr;
>  	const char *icmp6 = "icmp6";
> @@ -292,21 +294,25 @@ struct xtables_match *find_match(const c
>  	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
>  		char path[strlen(lib_dir) + sizeof("/.so")
>  			  + strlen(afinfo.libprefix) + strlen(name)];
> -		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
> -			name);
> -		if (dlopen(path, RTLD_NOW)) {
> -			/* Found library.  If it didn't register itself,
> -			   maybe they specified target as match. */
> -			ptr = find_match(name, DONT_LOAD, NULL);
> -
> -			if (!ptr)
> -				exit_error(PARAMETER_PROBLEM,
> -					   "Couldn't load match `%s'\n",
> -					   name);
> -		} else if (tryload == LOAD_MUST_SUCCEED)
> +
> +		snprintf(path, sizeof(path), "%s/libxt_%s.so", lib_dir, name);
> +		if (dlopen(path, RTLD_NOW) != NULL)
> +			/*
> +			 * Library loaded (and its constructors run).
> +			 * Try to grab the pointer to the struct.
> +			 */
> +			ptr = find_match(name, DONT_LOAD, NULL, family);
> +
> +		if (ptr == NULL) {
> +			snprintf(path, sizeof(path), "%s/%s%s.so",
> +			         lib_dir, afinfo.libprefix, name);
> +			if (dlopen(path, RTLD_NOW) != NULL)
> +				ptr = find_match(name, DONT_LOAD, NULL, family);
> +		}
> +
> +		if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
>  			exit_error(PARAMETER_PROBLEM,
> -				   "Couldn't load match `%s':%s\n",
> -				   name, dlerror());
> +				   "Couldn't load match `%s'\n", name);
>  	}
>  #else
>  	if (ptr && !ptr->loaded) {

The argument 'family' has no effect. And this change makes possible to
remove links from libxt_*.so to libip[6]t_*.so as you proposed.

How about following ?


---
 extensions/Makefile |   12 ------------
 xtables.c           |   37 ++++++++++++++++++++++---------------
 2 files changed, 22 insertions(+), 27 deletions(-)

diff --git a/extensions/Makefile b/extensions/Makefile
index 49e95ca..36c9b44 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -56,14 +56,12 @@ SHARED_LIBS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).so)
 SHARED_SE_LIBS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).so)
 EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SLIB), $(DEST_IPT_LIBDIR)/libipt_$(T).so)
 EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SE_SLIB), $(DEST_IPT_LIBDIR)/libipt_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PFX_EXT_SLIB), $(DEST_IPT_LIBDIR)/libipt_$(T).so)
 
 ifeq ($(DO_IPV6), 1)
 SHARED_LIBS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).so)
 SHARED_SE_LIBS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).so)
 EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SLIB), $(DEST_IPT_LIBDIR)/libip6t_$(T).so)
 EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SE_SLIB), $(DEST_IPT_LIBDIR)/libip6t_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PFX_EXT_SLIB), $(DEST_IPT_LIBDIR)/libip6t_$(T).so)
 endif
 
 SHARED_LIBS+=$(foreach T,$(PFX_EXT_SLIB),extensions/libxt_$(T).so)
@@ -192,16 +190,6 @@ extensions/libip6t_matches.man: $(patsubst %, extensions/libip6t_%.man, $(PF6_EX
 	    done ;\
        	fi >>extensions/libip6t_matches.man
 
-PF_XTLIBS=$(foreach T, $(PFX_EXT_SLIB), $(DEST_IPT_LIBDIR)/libipt_$(T).so)
-$(PF_XTLIBS): $(DEST_IPT_LIBDIR)/libipt_%.so : $(DEST_IPT_LIBDIR)/libxt_%.so
-	@[ -d $(DEST_IPT_LIBDIR)/ ] || mkdir -p $(DEST_IPT_LIBDIR)/
-	ln -sf $< $@
-
-PF6_XTLIBS=$(foreach T, $(PFX_EXT_SLIB), $(DEST_IPT_LIBDIR)/libip6t_$(T).so)
-$(PF6_XTLIBS): $(DEST_IPT_LIBDIR)/libip6t_%.so : $(DEST_IPT_LIBDIR)/libxt_%.so
-	@[ -d $(DEST_IPT_LIBDIR)/ ] || mkdir -p $(DEST_IPT_LIBDIR)/
-	ln -sf $< $@
-
 $(DEST_IPT_LIBDIR)/libipt_%.so: extensions/libipt_%.so
 	@[ -d $(DEST_IPT_LIBDIR)/ ] || mkdir -p $(DEST_IPT_LIBDIR)/
 	cp $< $@
diff --git a/xtables.c b/xtables.c
index baee483..58b4e81 100644
--- a/xtables.c
+++ b/xtables.c
@@ -292,18 +292,21 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
 		char path[strlen(lib_dir) + sizeof("/.so")
 			  + strlen(afinfo.libprefix) + strlen(name)];
-		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
-			name);
-		if (dlopen(path, RTLD_NOW)) {
+
+		sprintf(path, "%s/libxt_%s.so", lib_dir, name);
+		if (dlopen(path, RTLD_NOW) != NULL)
 			/* Found library.  If it didn't register itself,
 			   maybe they specified target as match. */
 			ptr = find_match(name, DONT_LOAD, NULL);
 
-			if (!ptr)
-				exit_error(PARAMETER_PROBLEM,
-					   "Couldn't load match `%s'\n",
-					   name);
-		} else if (tryload == LOAD_MUST_SUCCEED)
+		if (ptr == NULL) {
+			sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
+				name);
+			if (dlopen(path, RTLD_NOW) != NULL)
+				ptr = find_match(name, DONT_LOAD, NULL);
+		}
+
+		if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
 			exit_error(PARAMETER_PROBLEM,
 				   "Couldn't load match `%s':%s\n",
 				   name, dlerror());
@@ -362,16 +365,20 @@ struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
 		char path[strlen(lib_dir) + sizeof("/.so")
 			  + strlen(afinfo.libprefix) + strlen(name)];
-		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix, name);
-		if (dlopen(path, RTLD_NOW)) {
+
+		sprintf(path, "%s/libxt_%s.so", lib_dir, name);
+		if (dlopen(path, RTLD_NOW) != NULL)
 			/* Found library.  If it didn't register itself,
 			   maybe they specified match as a target. */
 			ptr = find_target(name, DONT_LOAD);
-			if (!ptr)
-				exit_error(PARAMETER_PROBLEM,
-					   "Couldn't load target `%s'\n",
-					   name);
-		} else if (tryload == LOAD_MUST_SUCCEED)
+
+		if (ptr == NULL) {
+			sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
+				name);
+			if (dlopen(path, RTLD_NOW) != NULL)
+				ptr = find_target(name, DONT_LOAD);
+		}
+		if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
 			exit_error(PARAMETER_PROBLEM,
 				   "Couldn't load target `%s':%s\n",
 				   name, dlerror());
-- 
1.5.2.2



-- Yasuyuki Kozakai

Re: [PATCH 01/**] libxt_*.so lookup

[Jan Engelhardt]

On Aug 1 2007 23:40, Yasuyuki KOZAKAI wrote:
>
>The argument 'family' has no effect. And this change makes possible to
>remove links from libxt_*.so to libip[6]t_*.so as you proposed.

Ah indeed.

>index baee483..58b4e81 100644
>--- a/xtables.c
>+++ b/xtables.c
>@@ -292,18 +292,21 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
> 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
> 		char path[strlen(lib_dir) + sizeof("/.so")
> 			  + strlen(afinfo.libprefix) + strlen(name)];
>-		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
>-			name);
>-		if (dlopen(path, RTLD_NOW)) {
>+
>+		sprintf(path, "%s/libxt_%s.so", lib_dir, name);
>+		if (dlopen(path, RTLD_NOW) != NULL)

I'd suggest using snprintf(). (Also elsewhere)
But looks ok otherwise.


	Jan
-- 

Re: [PATCH 01/**] libxt_*.so lookup

[Yasuyuki KOZAKAI]

Hi,

From: Jan Engelhardt <jengelh@computergmbh.de>

> On Aug 1 2007 23:40, Yasuyuki KOZAKAI wrote:
> >
> >The argument 'family' has no effect. And this change makes possible to
> >remove links from libxt_*.so to libip[6]t_*.so as you proposed.
> 
> Ah indeed.

Thanks for review. I'll apply that soon.

> >index baee483..58b4e81 100644
> >--- a/xtables.c
> >+++ b/xtables.c
> >@@ -292,18 +292,21 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
> > 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
> > 		char path[strlen(lib_dir) + sizeof("/.so")
> > 			  + strlen(afinfo.libprefix) + strlen(name)];
> >-		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
> >-			name);
> >-		if (dlopen(path, RTLD_NOW)) {
> >+
> >+		sprintf(path, "%s/libxt_%s.so", lib_dir, name);
> >+		if (dlopen(path, RTLD_NOW) != NULL)
> 
> I'd suggest using snprintf(). (Also elsewhere)
> But looks ok otherwise.

I didn't notice that. But why snprintf is necessary here ? We have always
enough space for path[].

Are you afraid of buffer overflow due to incorrect size of path[] ?
If so, we'd also better to check return value of snprintf().

-- Yasuyuki Kozakai

Re: [PATCH 01/**] libxt_*.so lookup

[Jan Engelhardt]

On Aug 4 2007 12:38, Yasuyuki KOZAKAI wrote:
>> >index baee483..58b4e81 100644
>> >--- a/xtables.c
>> >+++ b/xtables.c
>> >@@ -292,18 +292,21 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
>> > 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
>> > 		char path[strlen(lib_dir) + sizeof("/.so")
>> > 			  + strlen(afinfo.libprefix) + strlen(name)];
>> >-		sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
>> >-			name);
>> >-		if (dlopen(path, RTLD_NOW)) {
>> >+
>> >+		sprintf(path, "%s/libxt_%s.so", lib_dir, name);
>> >+		if (dlopen(path, RTLD_NOW) != NULL)
>> 
>> I'd suggest using snprintf(). (Also elsewhere)
>> But looks ok otherwise.
>
>I didn't notice that. But why snprintf is necessary here ? We have always
>enough space for path[].

Better safe than sorry. Right, when you path[strlen...] it of course
suffices, but then again you could just write path[PATH_MAX],
because POSIX does not do longer names anyway.

BTW, there is a bug, which is why snprintf _is_ good after all:

>> > 		char path[strlen(lib_dir) + sizeof("/.so")
>> > 			  + strlen(afinfo.libprefix) + strlen(name)];

strlen("libxt_") might be larger than strlen(afinfo.libprefix).

>Are you afraid of buffer overflow due to incorrect size of path[] ?
>If so, we'd also better to check return value of snprintf().

Possible, but not really needed. If the name was truncated, then
dlopen() will fail and the user wonders "wtf - this is impossible"
and can report the bug.


	Jan
-- 

Re: [PATCH IPTABLES 0/13]: Unifies rest of ip[6]tables matches/targets

[Patrick McHardy]

Yasuyuki KOZAKAI wrote:
> I've commited them. I will commit following for other matches/targets
> this weekend. Finally we can save about 3600 lines and add IPv6 support to
> 13 modules.
>   

Very nice work, thanks a lot :)

> This time I post patches generated by 'git-format-patch -M' for ease of
> review.

Which reminds me how nice it would be to replace SVN by git ...
does anyone know how well the git import works? I recall
seeing some people reporting problems on the git list.

Re: [PATCH IPTABLES 0/13]: Unifies rest of ip[6]tables matches/targets

[Jan Engelhardt]

On Jul 25 2007 03:02, Patrick McHardy wrote:
> Yasuyuki KOZAKAI wrote:
>> I've commited them. I will commit following for other matches/targets
>> this weekend. Finally we can save about 3600 lines and add IPv6 support to
>> 13 modules.
>>   
>
> Very nice work, thanks a lot :)
>
>> This time I post patches generated by 'git-format-patch -M' for ease of
>> review.
>
> Which reminds me how nice it would be to replace SVN by git ...
> does anyone know how well the git import works? I recall
> seeing some people reporting problems on the git list.

Well, I always recommand "add; commit" instead of "import" (at least
for cvs and svn, but I suppose it applies to every SCM) - because
importing does not automatically put the files in your WC like add;ci does.
(And if you don't know how to import - there's add;ci :-))


	Jan
-- 

Re: [PATCH IPTABLES 0/13]: Unifies rest of ip[6]tables matches/targets

[Patrick McHardy]

Jan Engelhardt wrote:
> On Jul 25 2007 03:02, Patrick McHardy wrote:
> 
>>Which reminds me how nice it would be to replace SVN by git ...
>>does anyone know how well the git import works? I recall
>>seeing some people reporting problems on the git list.
> 
> 
> Well, I always recommand "add; commit" instead of "import" (at least
> for cvs and svn, but I suppose it applies to every SCM) - because
> importing does not automatically put the files in your WC like add;ci does.
> (And if you don't know how to import - there's add;ci :-))


I'm talking about a repository including history, not single files.
Ideally with SVN "branches" as real branches.

Re: [PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.

[Pascal Hambourg]

Hello,

Jan Engelhardt a écrit :
> 
> On Jul 15 2007 03:11, Yasuyuki KOZAKAI wrote:
> 
>>Note: libipt_tcp handled '--syn' as '--flags SYN,RST,ACK,FIN SYN', but
>>     libip6t_tcp handled it as '--flags SYN,RST,ACK SYN'. I keep this
>>     difference for now.
> 
> Since SYN+FIN does not make much sense (unless the ipv6-tcp protocol _really_
> allowed that), libipt_tcp's definition should be used.

I just asked about this difference - and the reason why the FIN check 
was not originally present in libiptc_tcp but added later, in 1.3.2 - in 
the netfilter user list a few days ago. No reply yet. IMHO it does not 
matter whether SYN+FIN makes sense or not but whether it is a valid 
combination or not per the RFCs. I have always believed that there is 
some precedence among TCP flags, e.g. :
- RST has precedence over SYN and FIN ; if RST set, ignore SYN and FIN
- SYN has precedence over FIN ; if SYN set, ignore FIN

Have I been wrong all this time ?

Re: [PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.

[Yasuyuki KOZAKAI]

From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Mon, 16 Jul 2007 00:45:16 +0200

> Hello,
> 
> Jan Engelhardt a écrit :
> > 
> > On Jul 15 2007 03:11, Yasuyuki KOZAKAI wrote:
> > 
> >>Note: libipt_tcp handled '--syn' as '--flags SYN,RST,ACK,FIN SYN', but
> >>     libip6t_tcp handled it as '--flags SYN,RST,ACK SYN'. I keep this
> >>     difference for now.
> > 
> > Since SYN+FIN does not make much sense (unless the ipv6-tcp protocol _really_
> > allowed that), libipt_tcp's definition should be used.
> 
> I just asked about this difference - and the reason why the FIN check 
> was not originally present in libiptc_tcp but added later, in 1.3.2 - in 
> the netfilter user list a few days ago. No reply yet. IMHO it does not 

I don't know Harald's intention for that change correctly, sorry.

> matter whether SYN+FIN makes sense or not but whether it is a valid 
> combination or not per the RFCs. I have always believed that there is 
> some precedence among TCP flags, e.g. :
> - RST has precedence over SYN and FIN ; if RST set, ignore SYN and FIN
> - SYN has precedence over FIN ; if SYN set, ignore FIN
> 
> Have I been wrong all this time ?

IIRC RFC797 says nothing about the behavior when receiving such TCP
flags. But I've found

http://www.mail-archive.com/nanog@merit.edu/msg06112.html

-- Yasuyuki Kozakai

Re: [PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.

[Pascal Hambourg]

Yasuyuki KOZAKAI a écrit :
> From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
>>>
>>>Since SYN+FIN does not make much sense (unless the ipv6-tcp protocol _really_
>>>allowed that), libipt_tcp's definition should be used.
>>
>>IMHO it does not 
>>matter whether SYN+FIN makes sense or not but whether it is a valid 
>>combination or not per the RFCs. I have always believed that there is 
>>some precedence among TCP flags, e.g. :
>>- RST has precedence over SYN and FIN ; if RST set, ignore SYN and FIN
>>- SYN has precedence over FIN ; if SYN set, ignore FIN
>>
>>Have I been wrong all this time ?
> 
> IIRC RFC797 says nothing about the behavior when receiving such TCP
> flags.

I suppose you mean RFC973 ? Well, it says that SYN is handled before FIN.

> But I've found
> 
> http://www.mail-archive.com/nanog@merit.edu/msg06112.html

I came across multiple similar discussions worrying about the so-called 
SYN-FIN port scans. They all acknowledge that popular TCP/IP stack 
implementations are "liberal" because they handle SYN+FIN as plain SYN. 
But I do not agreed with them when they claim that packet filters which 
unconditionally allow SYN+FIN through are "liberal" too. IMHO they are 
not liberal but actually broken because they fail to identify SYN+FIN 
either as plain SYN (which they should handle as such) or as an invalid 
combination (which they should drop).

One of my concerns is that with the new conservative definition of 
--syn, you cannot use it any more to drop SYN packets (e.g. to reject 
incoming TCP connection attempts on a stateless packet filter) because 
SYN+FIN won't match. Old rulesets which rely on --syn to detect and drop 
packets become more permissive with the new definition.

However I agree that nowadays any decent packet filter should use TCP 
connection tracking and not rely only on TCP flags. By the way, how does 
the TCP connection tracking in ip_conntrack and nf_conntrack handle 
"odd" flag combinations, i.e. more than one flag in RST, SYN and FIN set 
at the same time ?

Re: [PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.

[Yasuyuki KOZAKAI]

From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

> Yasuyuki KOZAKAI a écrit :
> > From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
> >>>
> >>>Since SYN+FIN does not make much sense (unless the ipv6-tcp protocol _really_
> >>>allowed that), libipt_tcp's definition should be used.
> >>
> >>IMHO it does not 
> >>matter whether SYN+FIN makes sense or not but whether it is a valid 
> >>combination or not per the RFCs. I have always believed that there is 
> >>some precedence among TCP flags, e.g. :
> >>- RST has precedence over SYN and FIN ; if RST set, ignore SYN and FIN
> >>- SYN has precedence over FIN ; if SYN set, ignore FIN
> >>
> >>Have I been wrong all this time ?
> > 
> > IIRC RFC797 says nothing about the behavior when receiving such TCP
> > flags.
> 
> I suppose you mean RFC973 ? Well, it says that SYN is handled before FIN.

No, RFC793 :) Sorry.


> > But I've found
> > 
> > http://www.mail-archive.com/nanog@merit.edu/msg06112.html
> 
> I came across multiple similar discussions worrying about the so-called 
> SYN-FIN port scans. They all acknowledge that popular TCP/IP stack 
> implementations are "liberal" because they handle SYN+FIN as plain SYN. 
> But I do not agreed with them when they claim that packet filters which 
> unconditionally allow SYN+FIN through are "liberal" too. IMHO they are 
> not liberal but actually broken because they fail to identify SYN+FIN 
> either as plain SYN (which they should handle as such) or as an invalid 
> combination (which they should drop).
> 
> One of my concerns is that with the new conservative definition of 
> --syn, you cannot use it any more to drop SYN packets (e.g. to reject 
> incoming TCP connection attempts on a stateless packet filter) because 
> SYN+FIN won't match. Old rulesets which rely on --syn to detect and drop 
> packets become more permissive with the new definition.

Yes, so I think we'd better to add some texts about this change in
the announcement of next version.

And if users want to handle match SYN+FIN, they can use '--tcp-flags'.

> However I agree that nowadays any decent packet filter should use TCP 
> connection tracking and not rely only on TCP flags. By the way, how does 
> the TCP connection tracking in ip_conntrack and nf_conntrack handle 
> "odd" flag combinations, i.e. more than one flag in RST, SYN and FIN set 
> at the same time ?

From nf_conntrack_proto_tcp.c, 

/* table of valid flag combinations - PUSH, ECE and CWR are always valid */
static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
{
        [TH_SYN]                        = 1,
        [TH_SYN|TH_URG]                 = 1,
        [TH_SYN|TH_ACK]                 = 1,
        [TH_RST]                        = 1,
        [TH_RST|TH_ACK]                 = 1,
        [TH_FIN|TH_ACK]                 = 1,
        [TH_FIN|TH_ACK|TH_URG]          = 1,
        [TH_ACK]                        = 1,
        [TH_ACK|TH_URG]                 = 1,
}; 

-- Yasuyuki Kozakai